- Регистрация
- 20.01.2011
- Сообщения
- 7,665
- Розыгрыши
- 0
- Реакции
- 135
Reflection is a medium Active Directory chain from Vulnlab, consisting of 3 machines. It involves MSSQL, NTLM relay attacks, reading LAPS password, Resource-Based Constrained Delegation (RBCD), and password reuse.
Based on the Nmap scan results, it is evident that this machine is a domain controller, as it has DNS, LDAP, and Kerberos services running. Additionally, there is an MSSQL service running on port 1433, which is particularly noteworthy
MS01 also has an MSSQL service running on port 1433
Finally, there’s WS01, which is nearly identical to MS01, except it doesn’t have the MSSQL service running
Для просмотра ссылки Войдиили Зарегистрируйся
или Зарегистрируйся
Для просмотра ссылки Войдиили Зарегистрируйся
There is a non-standard share named staging. We can connect to it using Impacket’s smbclient and list the files within the staging share
Для просмотра ссылки Войдиили Зарегистрируйся
Great! We’ve obtained some database credentials
Для просмотра ссылки Войдиили Зарегистрируйся
Для просмотра ссылки Войдиили Зарегистрируйся
Let’s connect to MSSQL using Impacket’s mssqlclient.
Для просмотра ссылки Войдиили Зарегистрируйся
Для просмотра ссылки Войдиили Зарегистрируйся
As you can see, that was successful. However, the hash couldn’t be cracked. So, what can we do in this situation?
Для просмотра ссылки Войдиили Зарегистрируйся
Indeed, SMB signing is disabled on all three machines, including the DC. In this case, we can even relay the authentication to the DC and access its shares.
First, let’s set up a relay server using Impacket’s ntlmrelayx
Для просмотра ссылки Войдиили Зарегистрируйся
Next, use the same xp_dirtree command that we used earlier.
Для просмотра ссылки Войдиили Зарегистрируйся
As you can see, we’ve successfully received the authentication, and it’s indicating that the attack is targeting the domain controller
Для просмотра ссылки Войдиили Зарегистрируйся
Since We used the -socks option with ntlmrelayx, We need to add the following entry to our /etc/proxychains4.conf file
Для просмотра ссылки Войдиили Зарегистрируйся
Now, using proxychains, we should be able to list the SMB shares on the DC. There’s a share named prod
Для просмотра ссылки Войдиили Зарегистрируйся
We can use smbclient to connect to the prod share and download the prod_db.conf file, which provides us with additional credentials, this time for the prod database
Для просмотра ссылки Войдиили Зарегистрируйся
Since the prod share was on the DC, we can attempt to authenticate to the MSSQL instance running on the DC
Для просмотра ссылки Войдиили Зарегистрируйся
We can perform some MSSQL enumeration to list the databases and tables. The prod database has a table called users, which contains what appear to be credentials for some domain users
Для просмотра ссылки Войдиили Зарегистрируйся
To confirm that these are domain user credentials, we can use Netexec. This confirms that these are indeed valid domain user credentials
Для просмотра ссылки Войдиили Зарегистрируйся
With valid credentials in hand, we can run Bloodhound to gain a better understanding of the network and the permissions our users have
Для просмотра ссылки Войдиили Зарегистрируйся
Для просмотра ссылки Войдиили Зарегистрируйся
I’ve already covered how to abuse GenericAll in my blog. One of the first techniques we can use is Для просмотра ссылки Войдиили Зарегистрируйся. Unfortunately, MachineAccountQuota is set to 0. However, we can still perform another attack known as SPN-less RBCD, which I also covered in Для просмотра ссылки Войди или Зарегистрируйся. A third option is to Для просмотра ссылки Войди или Зарегистрируйся if laps is enabled on the target, which is the case here.
To achieve this, we can use the --laps option in Netexec. As you can see, we retrieved the local administrator password immediately
Для просмотра ссылки Войдиили Зарегистрируйся
Now, we can connect to MS01 using evil-winrm and grab our first flag
Для просмотра ссылки Войдиили Зарегистрируйся
Для просмотра ссылки Войдиили Зарегистрируйся
Another option we can try is the --dpapi option, which will dump the Для просмотра ссылки Войдиили Зарегистрируйся. It appears that there is a scheduled task being executed as the user Georgia.Price, which reveals her credentials
Для просмотра ссылки Войдиили Зарегистрируйся
Для просмотра ссылки Войдиили Зарегистрируйся
We can attempt to read the LAPS password again, this time on WS01 as the Georgia.Price user. Unfortunately, LAPS is not configured on WS01. In this situation, we can exploit Resource-Based Constrained Delegation (RBCD) since we already own a machine (MS01), allowing us to use it to carry out our attack
To obtain the machine account hash, we can use Impacket’s secretsdump tool
Для просмотра ссылки Войдиили Зарегистрируйся
Another way to retrieve the hash is by using Mimikatz. First, let’s disable Windows Defender and upload Mimikatz
Для просмотра ссылки Войдиили Зарегистрируйся
Now, we can run Mimikatz with the following command to dump the machine account hash
Для просмотра ссылки Войдиили Зарегистрируйся
Для просмотра ссылки Войдиили Зарегистрируйся
или Зарегистрируйся, or you can check out this Для просмотра ссылки Войди или Зарегистрируйся
We can read the msDs-AllowedToActOnBehalfOfOtherIdentity attribute, but it’s currently empty.
Для просмотра ссылки Войдиили Зарегистрируйся
Now, We want to write this attribute using Impacket’s rbcd tool.
Для просмотра ссылки Войдиили Зарегистрируйся
Next, we need to request a service ticket while impersonating the Administrator user
Для просмотра ссылки Войдиили Зарегистрируйся
Finally, We can use this ticket to authenticate to WS01. which, as you can see, is successful
Для просмотра ссылки Войдиили Зарегистрируйся
Для просмотра ссылки Войдиили Зарегистрируйся
With this new password, we can perform a credential spraying attack to check for any password reuse. First, let’s dump all the domain users
Для просмотра ссылки Войдиили Зарегистрируйся
We do a little bit of cleaning
Для просмотра ссылки Войдиили Зарегистрируйся
Для просмотра ссылки Войдиили Зарегистрируйся
The latter is a domain admin. We can login via winrm or directly read the flag using Netexec
Для просмотра ссылки Войдиили Зарегистрируйся
That concludes this chain. I hope you learned something new!
Для просмотра ссылки Войдиили Зарегистрируйся
NMAP
DC01
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | Nmap scan report for 10.10.185.165 Host is up (0.081s latency). Not shown: 987 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-18 16:41:52Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM | ms-sql-info: | 10.10.185.165:1433: | Version: | name: Microsoft SQL Server 2019 RTM | number: 15.00.2000.00 | Product: Microsoft SQL Server 2019 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 | ms-sql-ntlm-info: | 10.10.185.165:1433: | Target_Name: REFLECTION | NetBIOS_Domain_Name: REFLECTION | NetBIOS_Computer_Name: DC01 | DNS_Domain_Name: reflection.vl | DNS_Computer_Name: dc01.reflection.vl | DNS_Tree_Name: reflection.vl |_ Product_Version: 10.0.20348 |_ssl-date: 2024-08-18T16:42:37+00:00; -1s from scanner time. | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2024-08-18T16:41:30 |_Not valid after: 2054-08-18T16:41:30 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3389/tcp open ms-wbt-server Microsoft Terminal Services | ssl-cert: Subject: commonName=dc01.reflection.vl |
Based on the Nmap scan results, it is evident that this machine is a domain controller, as it has DNS, LDAP, and Kerberos services running. Additionally, there is an MSSQL service running on port 1433, which is particularly noteworthy
MS01
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | Nmap scan report for 10.10.185.166 Host is up (0.071s latency). Not shown: 996 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds? 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM | ms-sql-info: | 10.10.185.166:1433: | Version: | name: Microsoft SQL Server 2019 RTM | number: 15.00.2000.00 | Product: Microsoft SQL Server 2019 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 | ms-sql-ntlm-info: | 10.10.185.166:1433: | Target_Name: REFLECTION | NetBIOS_Domain_Name: REFLECTION | NetBIOS_Computer_Name: MS01 | DNS_Domain_Name: reflection.vl | DNS_Computer_Name: ms01.reflection.vl | DNS_Tree_Name: reflection.vl |_ Product_Version: 10.0.20348 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2024-08-18T16:39:00 |_Not valid after: 2054-08-18T16:39:00 |_ssl-date: 2024-08-18T16:42:37+00:00; -1s from scanner time. 3389/tcp open ms-wbt-server Microsoft Terminal Services | ssl-cert: Subject: commonName=ms01.reflection.vl |
MS01 also has an MSSQL service running on port 1433
WS01
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | Nmap scan report for 10.10.185.167 Host is up (0.073s latency). Not shown: 997 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds? 3389/tcp open ms-wbt-server Microsoft Terminal Services | ssl-cert: Subject: commonName=ws01.reflection.vl | Not valid before: 2024-08-17T16:41:15 |_Not valid after: 2025-02-16T16:41:15 |_ssl-date: 2024-08-18T16:42:36+00:00; -2s from scanner time. | rdp-ntlm-info: | Target_Name: REFLECTION | NetBIOS_Domain_Name: REFLECTION | NetBIOS_Computer_Name: WS01 | DNS_Domain_Name: reflection.vl | DNS_Computer_Name: ws01.reflection.vl | DNS_Tree_Name: reflection.vl | Product_Version: 10.0.19041 |_ System_Time: 2024-08-18T16:41:56+00:00 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows |
Finally, there’s WS01, which is nearly identical to MS01, except it doesn’t have the MSSQL service running
Enumeration
SMB
I always prefer to start with SMB enumeration. Let’s run Netexec on the three IPs we haveДля просмотра ссылки Войди
MS01
It appears that MS01 allows guest authentication. If you’re interested in learning more about guest and null sessions, you can read Для просмотра ссылки ВойдиДля просмотра ссылки Войди
There is a non-standard share named staging. We can connect to it using Impacket’s smbclient and list the files within the staging share
Для просмотра ссылки Войди
Great! We’ve obtained some database credentials
Для просмотра ссылки Войди
MSSQL
We can test these credentials on both DC01 and MS01 (using the --local-auth parameter). Netexec confirms a valid login on MS01Для просмотра ссылки Войди
Let’s connect to MSSQL using Impacket’s mssqlclient.
Для просмотра ссылки Войди
NTLMv2 Hash
Since we’re authenticated to MSSQL, we can attempt to obtain the hash of the user running the database by using the xp_dirtree command. We’ll point it to our machine with a UNC path and then try to crack the hashДля просмотра ссылки Войди
As you can see, that was successful. However, the hash couldn’t be cracked. So, what can we do in this situation?
NTLM Relaying
Another approach we can try is relaying the NTLM authentication. But first, we need to verify that SMB signing is disabledДля просмотра ссылки Войди
Indeed, SMB signing is disabled on all three machines, including the DC. In this case, we can even relay the authentication to the DC and access its shares.
First, let’s set up a relay server using Impacket’s ntlmrelayx
Для просмотра ссылки Войди
Next, use the same xp_dirtree command that we used earlier.
Для просмотра ссылки Войди
As you can see, we’ve successfully received the authentication, and it’s indicating that the attack is targeting the domain controller
Для просмотра ссылки Войди
Since We used the -socks option with ntlmrelayx, We need to add the following entry to our /etc/proxychains4.conf file
Для просмотра ссылки Войди
Now, using proxychains, we should be able to list the SMB shares on the DC. There’s a share named prod
Для просмотра ссылки Войди
We can use smbclient to connect to the prod share and download the prod_db.conf file, which provides us with additional credentials, this time for the prod database
Для просмотра ссылки Войди
Since the prod share was on the DC, we can attempt to authenticate to the MSSQL instance running on the DC
Для просмотра ссылки Войди
We can perform some MSSQL enumeration to list the databases and tables. The prod database has a table called users, which contains what appear to be credentials for some domain users
Для просмотра ссылки Войди
To confirm that these are domain user credentials, we can use Netexec. This confirms that these are indeed valid domain user credentials
Для просмотра ссылки Войди
With valid credentials in hand, we can run Bloodhound to gain a better understanding of the network and the permissions our users have
Для просмотра ссылки Войди
GenericAll - 1
The user Abbie.Smith has GenericAll over MS01Для просмотра ссылки Войди
I’ve already covered how to abuse GenericAll in my blog. One of the first techniques we can use is Для просмотра ссылки Войди
To achieve this, we can use the --laps option in Netexec. As you can see, we retrieved the local administrator password immediately
Для просмотра ссылки Войди
Now, we can connect to MS01 using evil-winrm and grab our first flag
Для просмотра ссылки Войди
Credential Dumps
Let’s attempt to dump the credentials from MS01 using the --lsa option in Netexec. However, nothing of interest was foundДля просмотра ссылки Войди
Another option we can try is the --dpapi option, which will dump the Для просмотра ссылки Войди
Для просмотра ссылки Войди
WS01
GenericAll - 2
Reviewing the privileges of this new user, we can see that she has GenericAll permissions over WS01Для просмотра ссылки Войди
We can attempt to read the LAPS password again, this time on WS01 as the Georgia.Price user. Unfortunately, LAPS is not configured on WS01. In this situation, we can exploit Resource-Based Constrained Delegation (RBCD) since we already own a machine (MS01), allowing us to use it to carry out our attack
To obtain the machine account hash, we can use Impacket’s secretsdump tool
Для просмотра ссылки Войди
Another way to retrieve the hash is by using Mimikatz. First, let’s disable Windows Defender and upload Mimikatz
Для просмотра ссылки Войди
Now, we can run Mimikatz with the following command to dump the machine account hash
Для просмотра ссылки Войди
Для просмотра ссылки Войди
Resource-Based Constrained Delegation (RBCD)
I’ve already covered this attack in a Для просмотра ссылки ВойдиWe can read the msDs-AllowedToActOnBehalfOfOtherIdentity attribute, but it’s currently empty.
Для просмотра ссылки Войди
Now, We want to write this attribute using Impacket’s rbcd tool.
Для просмотра ссылки Войди
Next, we need to request a service ticket while impersonating the Administrator user
Для просмотра ссылки Войди
Finally, We can use this ticket to authenticate to WS01. which, as you can see, is successful
Для просмотра ссылки Войди
Credential Dumps
Just like with MS01, we can dump the LSA secrets from WS01, which reveals the credentials for a new domain user named Rhys.GarnerДля просмотра ссылки Войди
With this new password, we can perform a credential spraying attack to check for any password reuse. First, let’s dump all the domain users
Для просмотра ссылки Войди
We do a little bit of cleaning
Для просмотра ссылки Войди
DC01
Next, we perform the password spraying. Fortunately, the Rhys.Garner user has reused his password with another account named dom_rgarnerДля просмотра ссылки Войди
The latter is a domain admin. We can login via winrm or directly read the flag using Netexec
Для просмотра ссылки Войди
That concludes this chain. I hope you learned something new!
Для просмотра ссылки Войди