Phantom involved enumerating shares to find an email with a password, enumerating domain users by brute-forcing SIDs, and password spraying to find a valid user. From there we find a VyOS backup (VyOS is an open-source router and firewall OS) encrypted with VeraCrypt; after decrypting it, we get a password from the configuration file. Spraying again shows that this user has the ForceChangePassword ACL on a domain user that has AddAllowedToAct on the domain controller, which lets us perform resource-based constrained delegation with any domain user.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
Enumerating SMB shares with anonymous login
From the public share, we have a tech support mail file which contains a base64-encoded PDF file. After decoding it from base64, we get a password from this file.
We don’t have a username yet, so we brute-force SIDs for usernames using lookupsid from impacket.
Spraying the password on all these users, only ibryant is the account that has this password set.
After logging onto the Departments Share, there's a backup file in the IT folder.
Decrypting veracrypt file
The .hc extension tells us that it's a file from the VeraCrypt software, which, as the name suggests, encrypts data. This password can be cracked with hashcat, but it wasn't present in rockyou.txt, so we generate a custom wordlist with the company name, year, and a special character, as mentioned in the hint from the VulnLab wiki.
Mounting the image with VeraCrypt
Password Spray
There’s a VyOS backup file (VyOS is an open-source OS for routers and firewalls). From the config file, we can retrieve the password for lstanely, which didn’t work for that account, but we can spray this password against the list of domain users that we have.
This user can login through winrm
Enumerating the domain with BloodHound, we see we can change passwords for domain users with ForceChangePassword.
Changing domain user’s password
These users belong to the ICT Security group, which has AddAllowedToAct on the domain controller. Through this, we can edit msDS-AllowedToActOnBehalfOfOtherIdentity to add a machine account in this property to perform Resource Based Constrained Delegation (RBCD). With net rpc the password can be changed:
net rpc password WSILVA -U phantom.vl/svc_sspr -S dc.phantom.vl
Editing the msDS-AllowedToActOnBehalfOfOtherIdentity property
rbcd.py -delegate-to 'DC$' -delegate-from 'WSILVA' -dc-ip 10.10.118.204 -action 'write' 'phantom.vl'/'WSILVA':'Phantom2023!'
Performing resource based delegation with a domain user
To abuse RBCD, we need to know the machine account quota in order to create a machine account and then add it to the DC’s property, but the quota is set to 0.
However, we can still perform RBCD through a normal domain user; for this we need a modified branch of getST with the U2U Kerberos extension.
First, retrieve a TGT with overpass-the-hash, extract the TGT session key, and replace it with the domain user’s NT hash.
With S4U2Self and U2U, as WSILVA we can obtain a service ticket to itself on behalf of the Administrator, and then proceed to S4U2Proxy to obtain a service ticket to the target the user can delegate to.
KRB5CCNAME=./WSILVA.ccache getST.py -u2u -impersonate "Administrator" -spn "host/dc.phantom.vl" -k -no-pass phantom.vl/WSILVA
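As an added defensive check that is not part of this writeup: the rbcd.py write above stores a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity, so a defender can audit every computer object by parsing that descriptor and comparing the granted SIDs against an approved list. The domain SID and RIDs below are constructed, and fetching the attribute over LDAP is assumed to happen elsewhere.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def binary_sid(rid: int, domain=(21, 1111, 2222, 3333)) -> bytes:
    """Constructed domain SID S-1-5-<domain>-<rid>; the domain part is made up."""
    subs = (*domain, rid)
    ident = bytes([0, 0, 0, 0, 0, 5])  # NT authority
    return struct.pack("<BB6s", 1, len(subs), ident) + struct.pack(f"<{len(subs)}I", *subs)


def build_allowed_to_act_sd(sids: list[bytes]) -> bytes:
    """Self-relative SD whose DACL grants each SID full control: the shape a DC
    stores in msDS-AllowedToActOnBehalfOfOtherIdentity after an RBCD write."""
    aces = b"".join(
        struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(s), 0x000F01FF) + s for s in sids
    )
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    # Header: Revision, Sbz1, Control, Owner/Group/SACL/DACL offsets (DACL right after the header)
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl


def sid_to_str(buf: bytes, off: int) -> str:
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return f"S-{rev}-{auth}-" + "-".join(str(s) for s in subs)


def allowed_to_act_trustees(sd: bytes) -> list[str]:
    """Every principal granted in the DACL, i.e. every account allowed to delegate to this computer."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, trustees = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            trustees.append(sid_to_str(sd, off + 8))
        off += ace_size
    return trustees


def unexpected_trustees(sd: bytes, approved: set[str]) -> list[str]:
    """Any trustee not on the approved list is a finding worth alerting on."""
    return [s for s in allowed_to_act_trustees(sd) if s not in approved]


if __name__ == "__main__":
    # Constructed sample: RID 1105 is a documented front end, RID 1106 is not.
    sd = build_allowed_to_act_sd([binary_sid(1105), binary_sid(1106)])
    print(unexpected_trustees(sd, {"S-1-5-21-1111-2222-3333-1105"}))
```

In a real audit the bytes come from the attribute on each computer object, and a user SID appearing there (rather than a known service host) is the signal that the write shown above happened.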