# Hybrid

### Enumeration

IPs

```
10.10.221.54 mail.hybrid.vl
10.10.221.53 dc01.hybrid.vl
```

We have two machines:

.53 is the Domain Controller

.54 is a Linux mail server

From the nmap scan we can see that NFS is open; to enumerate the mount points we can run `showmount -e <ip>`


<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2F4C7782aMiKjPwGOmdJj2%2FPasted%20image%2020230815001127.png?alt=media" alt=""><figcaption></figcaption></figure>

After mounting we see a `backup.tar.gz`

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FHrF1L4CgSo1zQGE9obnK%2FPasted%20image%2020230815001419.png?alt=media" alt=""><figcaption></figcaption></figure>

Now we have two directories

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FtBstszxlDQCuir5sPC01%2FPasted%20image%2020230815001602.png?alt=media" alt=""><figcaption></figcaption></figure>

In `etc/dovecot` we find possible email credentials

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FHHitBIFVDa89fyd2A9Fn%2FPasted%20image%2020230815001706.png?alt=media" alt=""><figcaption></figcaption></figure>

In `etc/sssd` we find an interesting file with references to LDAP and Kerberos; this machine is probably joined to the `hybrid.vl` domain

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FdEvBepzP5QKUUDzjpJk8%2FPasted%20image%2020230815001836.png?alt=media" alt=""><figcaption></figcaption></figure>

SSSD is used to access remote directory services, like Active Directory, and provides SSO capabilities to Unix-based networks

We also find a passwd file with the users on this machine

In `/opt/certs/hybrid.vl` we find two files: one looks like an SSL certificate and the other looks like a private key

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2F9lS3Ox78V7baSF6h7Pkg%2FPasted%20image%2020230815002600.png?alt=media" alt=""><figcaption></figcaption></figure>

Now, with the credentials discovered in the file, we can try to log in to the webmail

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FZYkxRXU1otcIackKd8pb%2FPasted%20image%2020230815003438.png?alt=media" alt=""><figcaption></figcaption></figure>

```
admin@hybrid.vl:Duckling21
peter.turner@hybrid.vl:PeterIstToll!
```

The Admin's inbox is empty, but we find something in Peter's inbox

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FOYIlJYSLikticQPjV2ZN%2FPasted%20image%2020230815003727.png?alt=media" alt=""><figcaption></figcaption></figure>

The junk filter plugin is probably Markasjunk, which should be vulnerable to [RCE](https://cyberthint.io/roundcube-markasjunk-command-injection-vulnerability/)

We can use this exploit to gain a shell on the machine

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2F0JzwzdqSEJs93Va6QfKQ%2FPasted%20image%2020230815015403.png?alt=media" alt=""><figcaption></figcaption></figure>

Here we download a shell with curl and pipe it to bash

## Privilege escalation Linux

This is the other user on the machine

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FfOebcEjYNApNJ6zRwuB3%2FPasted%20image%2020230815020640.png?alt=media" alt=""><figcaption></figcaption></figure>

Since we have write access to the share, and the NFS server trusts the UID presented by the client, we can create files on it owned by Peter's user id

We create a new user on the attacking machine with Peter's user id

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FJDKmDte3dicfcsgXkZWE%2FPasted%20image%2020230815021558.png?alt=media" alt=""><figcaption></figcaption></figure>

We also need to edit `/etc/login.defs` and raise the maximum `UID` value

From the attacking machine we copy `sh`, or `bash`, to the share and set the SUID bit on it

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FC0I3M5opFLJmP7If6GhY%2FPasted%20image%2020230815022245.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FDo0u3dSLaGp7kyCeI6ic%2FPasted%20image%2020230815022301.png?alt=media" alt=""><figcaption></figcaption></figure>

Now we are Peter Turner
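The escalation above works because the export trusts client-supplied UIDs and the SUID bit on the share is honoured. The following audit, added here as an example and not part of the original writeup, flags those export and mount settings; the `/etc/exports` and `/proc/mounts` samples are constructed, not taken from the target.

```python
"""Audit NFS exports and client mount options for the weaknesses used above."""
import re

# Constructed /etc/exports: one export open to any client with client UIDs
# trusted, one restricted export with squashing (paths are placeholders).
SAMPLE_EXPORTS = """\
/srv/backup *(rw,sync,no_root_squash)
/srv/share 10.10.0.0/24(rw,sync,root_squash,all_squash,anonuid=65534)
"""

# Constructed /proc/mounts line: the share is mounted without nosuid.
SAMPLE_MOUNTS = """\
mail.hybrid.vl:/srv/backup /mnt/backup nfs rw,relatime,vers=3,hard 0 0
"""

EXPORT_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)$")

def audit_exports(text):
    """Return a list of (path, client, issue) for risky export lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path, client, opts = m.group(1), m.group(2), set(m.group(3).split(","))
        if client == "*":
            findings.append((path, client, "exported to every client"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: client root is server root"))
        if "rw" in opts and "all_squash" not in opts:
            # Without all_squash the server trusts whatever UID the client presents,
            # so a client that controls its own /etc/passwd can write as any user.
            findings.append((path, client, "rw without all_squash: client UIDs trusted"))
    return findings

def audit_mounts(text):
    """Return NFS mount points lacking nosuid (SUID binaries on the share run setuid)."""
    weak = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[2].startswith("nfs"):
            continue
        if "nosuid" not in set(fields[3].split(",")):
            weak.append(fields[1])
    return weak
```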

In the home folder we find a KeePass database, but it requires a password

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FR88bDniuOjPyMjkKMnLu%2FPasted%20image%2020230815022946.png?alt=media" alt=""><figcaption></figcaption></figure>

Maybe we can try Peter's email password

And it works!

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FIENcBmXbBCJnYlOJ2ywT%2FPasted%20image%2020230815023034.png?alt=media" alt=""><figcaption></figcaption></figure>

Now we have Peter's domain password, which we can also use on the Linux machine since it is domain joined

## Privilege escalation domain

Now we enumerate the domain using `bloodhound-python`

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2Fy3LpyxJ64J9q8z0uT5XG%2FPasted%20image%2020230815024451.png?alt=media" alt=""><figcaption></figcaption></figure>

Nothing interesting is found in this domain dump

But we can enumerate Active Directory certificate templates with Certipy

My Certipy installation had problems, so I used the [docker version](https://github.com/secure-77/Certipy-Docker) from secure-77

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FdyY9mBCaebhLE4dA5wuQ%2FPasted%20image%2020230815030804.png?alt=media" alt=""><figcaption></figcaption></figure>

Now, to view Certipy's output in BloodHound, we need to install a [different version](https://github.com/ly4k/BloodHound)

Here we can see a custom certificate template

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FcNQBJGX1Pn506yMEwyxO%2FPasted%20image%2020230815031407.png?alt=media" alt=""><figcaption></figcaption></figure>

We can mark `MAIL01` as owned and check the shortest path to misconfigured certificate templates from owned principals

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2F4uqTKbjDRjqlxprJYJyZ%2FPasted%20image%2020230815031630.png?alt=media" alt=""><figcaption></figcaption></figure>

And we can see that `MAIL01` is a member of `DOMAIN COMPUTERS`, which can enroll in `HYBRIDCOMPUTERS`. To enroll for the certificate we need the `MAIL01` machine account hash
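The template path above is the classic ESC1 shape: a broad group can enroll, the enrollee supplies the subject, the certificate allows client authentication, and nothing gates the request. The triage below is an added example, not code from the writeup or from Certipy; the template records are constructed and their field names are assumptions loosely modelled on what `certipy find` reports.

```python
"""Triage certificate templates for the ESC1-style weakness described above."""

# Principals that make "enroll" effectively unrestricted.
BROAD_PRINCIPALS = {
    "Domain Computers", "Domain Users", "Authenticated Users", "Everyone",
}

def esc1_findings(template):
    """Return the conditions that together make a template ESC1-like.

    ESC1 needs all of: a low-privileged principal can enroll, the enrollee
    supplies the subject (so any UPN can be requested), the certificate is
    usable for client authentication, and no manager approval or extra
    signature gates the request. An empty list means not ESC1-vulnerable.
    """
    conds = []
    broad = BROAD_PRINCIPALS & set(template.get("enrollment_rights", []))
    if broad:
        conds.append("enrollable by " + ", ".join(sorted(broad)))
    if template.get("enrollee_supplies_subject"):
        conds.append("enrollee supplies subject")
    if template.get("client_authentication"):
        conds.append("client authentication EKU")
    if not template.get("requires_manager_approval", False):
        conds.append("no manager approval")
    if template.get("authorized_signatures_required", 0) == 0:
        conds.append("no authorized signature required")
    return conds if len(conds) == 5 else []

# Constructed templates (field names assumed): one shaped like the custom
# template found above, one with the usual fixes applied (manager approval
# required and the subject built from AD instead of the request).
VULNERABLE = {
    "name": "HybridComputers",
    "enrollment_rights": ["Domain Computers", "Domain Admins"],
    "enrollee_supplies_subject": True,
    "client_authentication": True,
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
}
FIXED = dict(VULNERABLE, enrollee_supplies_subject=False, requires_manager_approval=True)

def triage(templates):
    """Map template name -> findings, only for templates that are ESC1-vulnerable."""
    result = {}
    for t in templates:
        findings = esc1_findings(t)
        if findings:
            result[t["name"]] = findings
    return result
```

Either fix alone (dropping "enrollee supplies subject" or requiring manager approval) removes the finding, since all five conditions must hold together.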

There is a keytab file in `/etc/krb5.keytab`, so we can use this [tool](https://github.com/sosdave/KeyTabExtract) to extract the NTLM hash

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2Few8HrAViY1HytUg3Sjsw%2FPasted%20image%2020230815032352.png?alt=media&#x26;token=f6246b5b-fe01-4aa4-9986-7baaab628275" alt=""><figcaption></figcaption></figure>

Now we can request the certificate

If we receive an error about the key size, we need to specify the correct key size in the command

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FiR5bASvUqNSmjy42ToFE%2FPasted%20image%2020230815032859.png?alt=media&#x26;token=ab288b6f-5eec-437e-b415-4d956c3e27ea" alt=""><figcaption></figcaption></figure>

We can check the correct key size in bloodhound

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FM7NPiKensdqovO62sipn%2FPasted%20image%2020230815032923.png?alt=media&#x26;token=6ff1070e-c16e-460a-a790-b0b111a75e7d" alt=""><figcaption></figcaption></figure>

We have successfully requested a certificate

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2Fqh0oKPfwgj16n860gL7R%2FPasted%20image%2020230815033054.png?alt=media&#x26;token=288900ca-1c63-43a1-8f77-303236c909a7" alt=""><figcaption></figcaption></figure>

Now to pass the certificate we can use this [tool](https://github.com/AlmondOffSec/PassTheCert)

We need to extract the key and the certificate from the `.pfx` file

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FhBcnALgy8znH4Y0Wxknx%2FPasted%20image%2020230815033618.png?alt=media&#x26;token=7308414f-d842-4216-9078-1706550d3f28" alt=""><figcaption></figcaption></figure>

Then we change the Administrator password

<figure><img src="https://3164413258-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdsVljAgb891qXyZgmwtE%2Fuploads%2FpFBRvEFtiG3yCI2OFQxt%2FPasted%20image%2020230815033826.png?alt=media&#x26;token=1a864aa8-f262-4741-9546-e559e1bda5b5" alt=""><figcaption></figcaption></figure>

Or directly request the Administrator's hash

```
sudo docker run -it -v $(pwd):/tmp certipy:latest certipy auth -pfx 'administrator.pfx' -username 'Administrator' -domain 'hybrid.vl' -dc-ip 10.10.221.53
```
