Github OSINT - Kerberoasting DC - RDP Access - Unquoted Service Paths PrivEsc
Scanning
Starting off with the Nmap Scan
# Nmap 7.93 scan initiated Tue May 16 21:40:56 2023 as: nmap -sCV -A -p 53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5357,5985,7990,9389,47001,49664,49665,49666,49668,49669,49670,49671,49673,49677,49704,49712,49830 -T4 -vvv -oN nmap.log 10.10.140.25
Nmap scan report for 10.10.140.25
Host is up, received syn-ack (0.27s latency).
Scanned at 2023-05-16 21:40:57 IST for 78s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-05-16 16:11:04Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2023-05-16T16:12:08+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Issuer: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-15T15:59:00
| Not valid after: 2023-11-14T15:59:00
| MD5: 53a11abb8d3c19ccdb554d929539ba48
| SHA-1: 8fac486497ee653ecc928e64b6ddef4f6b9c0a14
| rdp-ntlm-info:
| Target_Name: LAB-ENTERPRISE
| NetBIOS_Domain_Name: LAB-ENTERPRISE
| NetBIOS_Computer_Name: LAB-DC
| DNS_Domain_Name: LAB.ENTERPRISE.THM
| DNS_Computer_Name: LAB-DC.LAB.ENTERPRISE.THM
| DNS_Tree_Name: ENTERPRISE.THM
| Product_Version: 10.0.17763
|_ System_Time: 2023-05-16T16:11:59+00:00
5357/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7990/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Log in to continue - Log in with Atlassian account
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49671/tcp open msrpc syn-ack Microsoft Windows RPC
49673/tcp open msrpc syn-ack Microsoft Windows RPC
49677/tcp open msrpc syn-ack Microsoft Windows RPC
49704/tcp open msrpc syn-ack Microsoft Windows RPC
49712/tcp open msrpc syn-ack Microsoft Windows RPC
49830/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time:
| date: 2023-05-16T16:12:02
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 19986/tcp): CLEAN (Couldn't connect)
| Check 2 (port 58662/tcp): CLEAN (Couldn't connect)
| Check 3 (port 28504/udp): CLEAN (Failed to receive data)
| Check 4 (port 28658/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 16 21:42:15 2023 -- 1 IP address (1 host up) scanned in 79.46 seconds
Seems like we are dealing with a Domain Controller, and there are some interesting ports:
Port 53 to enumerate some reverse DNS lookups
Ports 80 and 7990 are running HTTP; 7990 looks INTERESTING :)
Port 88 - Kerberos auth, confirming it's a DC
Ports 139 and 445 are SMB shares, with anonymous access to list shares!
Ports 389 and 3268 are running LDAP (636 and 3269 are their LDAPS counterparts)
Port 3389 is running RDP, maybe our initial vector?
Let's add LAB.ENTERPRISE.THM to our hosts file and start enumerating the SMB shares!
Let's connect to the Users share and download everything we have permission to read.
Nothing useful here as we don't have enough permissions to view files, but on a closer look we've discovered usernames => Administrator > atlbitbucket > bitbucket > LAB-ADMIN
Looking up their SIDs confirms that bitbucket and atlbitbucket are legitimate local users on the system :)
Tried AS-REP Roasting with these usernames, but nothing worked! So, without wasting time, I quickly moved to the next interesting port, 7990.
Remainder to all ENTERPRISE-THM Employees, we are moving to GITHUB - got to do some OSINT, and if it's GitHub we really have to check the commits :)
Checking his repos gives us nothing, just a blank username and password field - but checking his commits gives us the credentials :)
Let's check whether these creds are valid for SMB or WinRM. This user, nik, had only the same level of access as the anonymous user,
and he doesn't have access to WinRM either. Now, since we have valid domain creds, we can enumerate basic info using rpcclient.
Next, check whether any user has an SPN set. If so, we can request a TGS for that service, since we already hold valid domain credentials. The TGS is encrypted with the password hash of the service account, so if we can crack it offline we get that account's password.
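Kerberoasting leaves a trace on the DC side: a single account requesting RC4 service tickets for user-account SPNs. As an added example (my code, not part of the original writeup), here is a detector that walks constructed event 4769 records and flags that pattern; the field names mirror the real event, but the records and the 10.10.14.5 address are constructed.

```python
"""Added example (not from the original writeup): a minimal Kerberoasting
detector over Windows Security event 4769 (TGS request) records. It flags
the pattern a roast leaves behind: one account requesting RC4 (etype 0x17)
tickets for SPNs that belong to user accounts rather than to machine
accounts or krbtgt. The records below are constructed samples in a
simplified key=value form; the field names mirror the real event."""

from collections import defaultdict

# Constructed sample 4769 records, one per line. The requesting account (nik),
# the roasted service account (bitbucket) and the DC come from the writeup;
# 10.10.14.5 is a made-up requesting address.
SAMPLE_4769 = """\
AccountName=nik@LAB.ENTERPRISE.THM ServiceName=LAB-DC$ TicketEncryptionType=0x12 IpAddress=10.10.14.5
AccountName=nik@LAB.ENTERPRISE.THM ServiceName=bitbucket TicketEncryptionType=0x17 IpAddress=10.10.14.5
AccountName=nik@LAB.ENTERPRISE.THM ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.14.5
AccountName=LAB-DC$@LAB.ENTERPRISE.THM ServiceName=LAB-DC$ TicketEncryptionType=0x12 IpAddress=10.10.140.25
"""

RC4_HMAC = "0x17"  # etype 23, the downgrade Kerberoasting tools request


def parse_4769(text):
    """Turn the key=value lines into one dict per event."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def is_roastable_target(service):
    """Machine accounts ($) and krbtgt are normal RC4 consumers; user SPNs are not."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoast_candidates(events):
    """Map each requesting account to the user SPNs it asked RC4 tickets for."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if not is_roastable_target(ev.get("ServiceName", "")):
            continue
        hits[ev["AccountName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in hits.items()}


if __name__ == "__main__":
    for acct, svcs in find_kerberoast_candidates(parse_4769(SAMPLE_4769)).items():
        print(f"{acct} requested RC4 TGS for user SPN(s): {', '.join(svcs)}")
```

On a real DC the same logic runs over the XML of event 4769; the mitigation side is AES-only service accounts and long, random SPN passwords (or gMSAs), which leave nothing useful to crack.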
Hurray! We roasted a valid local user's account: bitbucket
I tried the creds with SMB and WinRM but again no luck. At this point I went back to the nmap port scan results and found that the RDP port was also open. I first tried logging in as the nik user, which failed, then tried the bitbucket user, and this time success!
Privilege Escalation
Let's transfer PowerUp.ps1 onto the victim's machine and run Invoke-AllChecks.
We can modify the service binary for zerotieroneservice, for which PowerUp so graciously offers an abuse function. Thanks, PowerUp! This could also have been done manually, but work smarter, not harder.
Abusing Unquoted Service Path Vulnerability
Services have a binary path - it points to the executable that's going to be run when the service is started. In our case, that's ZeroTier One.exe
Our current user (bitbucket) has permission to modify the path and the executable itself because we have "write" privileges over the location of the executable. This can be validated using icacls: the permissions are inherited (I) and include write access (W).
So now let's quickly create an exploit using msfvenom and name it as ZeroTier.exe
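To see why a writable directory along an unquoted service path matters, and how to audit for it, here is an added helper (my code, not PowerUp's or the writeup's) that works out the CreateProcess lookup order and the directories to check from a constructed ImagePath; the ZeroTier One path is an assumption built from the service named above, and quoting the path is the standard fix.

```python
"""Added example (not from the original writeup): an audit helper for the
unquoted-service-path issue. Given a service ImagePath as stored in the
registry, it reports which executables CreateProcess would try before the
intended binary and which directories therefore must not grant Write to
non-administrators (feed them to icacls), plus the quoted path that fixes it.
The ZeroTier One path below is constructed from the service named in the
writeup; the lookup order follows Microsoft's CreateProcess documentation."""

import ntpath


def split_image_path(image_path):
    """Return (executable_path, is_quoted). A quoted path is not affected."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    # Unquoted: the registry value cannot tell path from arguments, which is
    # the root cause. Heuristic: stop at the first " -" or " /" switch.
    for marker in (" -", " /"):
        idx = s.find(marker)
        if idx != -1:
            s = s[:idx]
    return s, False


def hijack_candidates(image_path):
    """Executables tried in order before the real one; [] means not vulnerable."""
    exe, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def directories_to_audit(image_path):
    """Directories whose ACLs must deny Write to low-privileged users."""
    return sorted({ntpath.dirname(c) for c in hijack_candidates(image_path)})


def quoted_fix(image_path):
    """Mitigation: quote the executable path (sc config <svc> binPath= "...")."""
    s = image_path.strip()
    exe, quoted = split_image_path(s)
    return s if quoted else f'"{exe}"' + s[len(exe):]


if __name__ == "__main__":
    path = r"C:\Program Files\ZeroTier One\ZeroTier One.exe"
    print("would be tried first:", hijack_candidates(path))
    print("audit Write on:", directories_to_audit(path))
    print("fixed ImagePath:", quoted_fix(path))
```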