Phantom involved enumerating shares to find an email with a password, enumerating domain users by bruteforcing SIDs, password spraying to find a valid user, where we’ll find vyos backup which is an opensource router and firewall, encrypted with veracrypt, after decrypting we’ll get with password in the configuration file, spraying again to find this user has ForceChangePassword acl on a domain user having AddAllowedToAct on domain controller, performing resource based constrained delegation with any domain user.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal ServicesEnumerating smb shares with anonymous login
From the public share, we have tech support mail file
Which has a base64 encoded pdf file
After decoding it from base64, we’ll get a password from this file
We don’t have a username yet, so brute-forcing SIDs for the username using lookupsid from impacket
Spraying the password on all these users, only ibryant will be the account that has this password set
After logging onto Departments Share , there's a backup file in the IT folder
Decrypting veracrypt file
The .hc the extension tells that it's a file from veracrypt software, as the name tells it encrypts data, this password can be cracked with hashcat but it wasn't present in rockyou.txt, so generating a custom wordlist, with company name, year, and a special character as mentioned in the hint from vulnlab wiki
Mounting the image with veracrypt
Password Spray
There’s a vyos backup file, which is an open source OS for router and firewall, from the config file, we can retrieve the password for lstanely
Which didn’t work but we can spray this password against the list of domain users that we have
This user can login through winrm
Enumerating the domain with bloodhound, we can change passwords for domain users with ForceChangePassword
Changing domain user’s password
These users belong to ICT Security group which have AddAllowedToAct on domain controller, through this, we can edit msDS-AllowedToActOnBehalfOfOtherIdentity to add a machine account in this property to perform Resource Based Constrained Delegation (RBCD), with net rpc password can be changed
net rpc password WSILVA -U phantom.vl/svc_sspr -S dc.phantom.vlEditing the msDS-AllowedToActOnBehalfOfOtherIdentity property
rbcd.py -delegate-to 'DC$' -delegate-from 'WSILVA' -dc-ip 10.10.118.204 -action 'write' 'phantom.vl'/'WSILVA':'Phantom2023!'Performing resource based delegation with a domain user
To abuse RBCD, we need to know the status of the machine quota in order to create a machine account and then add it to DC’s property but the quota is set to 0
However, we can still perform RBCD through a normal domain user, for this we need a modified branch of getST with U2U kerberos extension
First retrieving TGT with overpass-the-hash, extracting the TGT session key, and replacing it with the domain user’s NTHash
With S4U2Self and U2U, with WSILVA we can obtain a service ticket to itself on behalf of the administrator and then proceed to S4U2proxy to obtain a service ticket to the target the user can delegate to.
KRB5CCNAME=./WSILVA.ccache getST.py -u2u -impersonate "Administrator" -spn "host/dc.phantom.vl" -k -no-pass phantom.vl/WSILVA