Puppet is a chain comprising 3 machines. It lets you familiarize yourself with the Sliver C2 framework, exploit PrintNightmare to perform a local privilege escalation, and finally abuse the Puppet configuration-management tool to compromise the DC.
Port enumeration
The initial reconnaissance phase identifies potential vulnerabilities on the Linux machine, which, given the scenario description, is probably the C2 server.
|_ssl-date: TLS randomness does not represent time
31337/tcp open ssl/Elite?
The nmap scan shows that several ports are open, in particular port 21 (FTP), which accepts anonymous logins. By connecting to it, we can retrieve a .cfg file: the Sliver operator configuration used to connect to a C2 server listening on a local address.
By replacing that local IP address with the address of the Linux machine and launching the Sliver client, it is possible to connect to the C2 server.
This shows an active beacon:
sliver > beacons

 ID         Name          Transport   Hostname   Username             Operating System   Last Check-In   Next Check-In
 ========== ============= =========== ========== ==================== ================== =============== ===============
 8ed5ce87   puppet-mtls   mtls        File01     PUPPET\Bruce.Smith   windows/amd64      23s             8s
PrintNightmare exploit
After interacting with the beacon, we run PrivescCheck.ps1, a script that analyzes the configuration of a Windows machine to identify misconfigurations that could allow privilege escalation. Among its findings:
Description: Package point and print will not be restricted to specific print servers (default).
Policy : Package Point and print - Approved servers > PackagePointAndPrintServerList
Key : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListOfServers
Value : N/A
Data : (null)
Default : (null)
Expected : N/A
Description: A list of approved Package Point and Print servers is not defined (default).
[*] Status: Vulnerable - Severity: High - Execution time: 00:00:00.127
The script also reports the following Point and Print policy values, each of which weakens the controls on printer driver installation:
RestrictDriverInstallationToAdministrators = 0: non-admin users can install drivers.
NoWarningNoElevationOnInstall = 1: no UAC prompt when installing drivers.
UpdatePromptSettings = 1: no UAC prompt when updating drivers.
TrustedServers = 0: no control over authorized print servers.
InForest = 0: Point and Print is not restricted to servers in the forest.
ServerList = None: no restriction on authorized servers.
PackagePointAndPrintOnly = 0: not limited to verified (package-aware) drivers.
Together, these settings mean the machine is vulnerable to PrintNightmare, a vulnerability that abuses the printer driver management mechanism (Point and Print) to execute arbitrary code with SYSTEM privileges.
When a user, even a non-administrator, connects to a remote printer, the print server can push a driver to the client. If the configuration does not restrict the installation of these drivers, an attacker who controls a print server can push a malicious driver that will run on the client machine.
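The PrivescCheck output above is a one-off snapshot; the following is an added example (not from the write-up or from PrivescCheck) that encodes the same seven Point and Print values as a reusable check, so the policy exported from any host (for instance with `reg export`, parsing of which is left to the caller) can be compared against a hardened baseline. The FILE01_VALUES dict is constructed from the values reported in the write-up; HARDENED_BASELINE, its hostname entry, and the function names are assumptions made here.

```python
"""Point and Print exposure check (added example, not from the write-up)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry key the reported values live under (assumed full path).
POINT_AND_PRINT_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

# Baseline that closes each weakness the write-up lists (constructed here).
HARDENED_BASELINE: Dict[str, Optional[object]] = {
    "RestrictDriverInstallationToAdministrators": 1,  # only admins install drivers
    "NoWarningNoElevationOnInstall": 0,               # warn and prompt on install
    "UpdatePromptSettings": 0,                        # warn and prompt on update
    "TrustedServers": 1,                              # enforce the server allow-list
    "ServerList": "print01.corp.example",             # constructed allow-list entry
    "InForest": 1,                                    # servers in the forest only
    "PackagePointAndPrintOnly": 1,                    # package-aware drivers only
}

# Values as reported on the compromised File01 host in the write-up.
FILE01_VALUES: Dict[str, Optional[object]] = {
    "RestrictDriverInstallationToAdministrators": 0,
    "NoWarningNoElevationOnInstall": 1,
    "UpdatePromptSettings": 1,
    "TrustedServers": 0,
    "InForest": 0,
    "ServerList": None,
    "PackagePointAndPrintOnly": 0,
}


@dataclass(frozen=True)
class Finding:
    value_name: str
    observed: Optional[object]
    problem: str


def assess_point_and_print(values: Dict[str, Optional[object]]) -> List[Finding]:
    """Return one Finding per weak setting; an empty list means hardened.

    A value that is absent from `values` is treated as unset (None). An unset
    RestrictDriverInstallationToAdministrators is still reported, because its
    effective default depends on the host's patch level and must be verified.
    """
    get = values.get
    findings: List[Finding] = []

    rdia = get("RestrictDriverInstallationToAdministrators")
    if rdia != 1:
        findings.append(Finding("RestrictDriverInstallationToAdministrators", rdia,
                                "non-admin users can install printer drivers"))
    if get("NoWarningNoElevationOnInstall") == 1:
        findings.append(Finding("NoWarningNoElevationOnInstall", 1,
                                "no warning or elevation prompt when installing drivers"))
    ups = get("UpdatePromptSettings")
    if ups not in (None, 0):
        findings.append(Finding("UpdatePromptSettings", ups,
                                "elevation prompt suppressed when updating drivers"))
    if get("TrustedServers") != 1:
        findings.append(Finding("TrustedServers", get("TrustedServers"),
                                "no allow-list of print servers is enforced"))
    elif not get("ServerList"):
        findings.append(Finding("ServerList", get("ServerList"),
                                "allow-list enforced but empty (verify this is intended)"))
    if get("InForest") != 1:
        findings.append(Finding("InForest", get("InForest"),
                                "Point and Print not restricted to servers in the forest"))
    if get("PackagePointAndPrintOnly") != 1:
        findings.append(Finding("PackagePointAndPrintOnly", get("PackagePointAndPrintOnly"),
                                "non-package-aware (legacy) drivers may be installed"))
    return findings


def non_admins_can_install_drivers(values: Dict[str, Optional[object]]) -> bool:
    """True when the setting that gates the PrintNightmare LPE is not enforced."""
    names = {f.value_name for f in assess_point_and_print(values)}
    return "RestrictDriverInstallationToAdministrators" in names


if __name__ == "__main__":
    for host, values in (("File01", FILE01_VALUES), ("baseline", HARDENED_BASELINE)):
        print(f"[{host}] non-admin driver install: {non_admins_can_install_drivers(values)}")
        for f in assess_point_and_print(values):
            print(f"  {f.value_name} = {f.observed!r}: {f.problem}")
```

Run against the File01 values, the check reproduces all six weak settings listed above and flags the host; run against the baseline it returns nothing, which is the state to push out through Group Policy.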
SspiUacBypass is an elevation-of-privilege technique that bypasses UAC (User Account Control) by abusing the behaviour of the Windows SSPI (Security Support Provider Interface) library.
The UAC bypass via SSPI datagram exploits a peculiarity of the NTLM protocol when it is used for local authentication to localhost. When a member of the Administrators group runs a process that is not high-integrity (the normal behaviour with UAC enabled), that process operates with a restricted token: it cannot perform SYSTEM-level actions without triggering the UAC prompt.
However, when a process uses NTLM in datagram mode to initiate a local connection and forces the NTLMSSP_NEGOTIATE_LOCAL_CALL flag, lsass.exe handles this authentication as a network authentication, which tricks the LSA: it returns a full token instead of the restricted one, because UAC does not filter tokens for this type of network authentication.
So, by adding SspiUacBypass to the Sliver extensions, you can run it directly in any session you have.
This retrieves the password hash for the svc_puppet_win_t1 account and the list of domain users.
SSH access
Next, using the compromised account, we can access the IT share on the DC, where an SSH key for the Linux server is stored:
According to the firewall rules, SSH connections are not allowed from machines outside the network, so you must first set up port forwarding in order to reach it:
The SSH private key is not directly usable as-is: it was generated on a Windows machine, and Windows uses \r\n line endings whereas Linux uses \n only.
To fix this, simply run the following command:
┌──(kali㉿kali)-[~/ctf/vulnlab/puppet]
└─$ sed -i 's/\r$//' ed25519
The key is also protected by a passphrase, which has to be cracked before the key can be used:
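The two problems with the recovered key (CRLF line endings and a passphrase) can both be identified up front instead of by trial and error with ssh. The following is an added example, not part of the write-up: it normalises the line endings exactly as the sed command above does, fixes the file mode to 0600 (which ssh also insists on), and parses the OpenSSH private-key header to report whether the key is encrypted. The sample key produced by build_header_only_key is constructed for the demonstration; it carries only the header fields and is not a usable key, and all function names are assumptions made here.

```python
"""Normalise and inspect an OpenSSH private key (added example, not from the write-up)."""
import base64
import os
import struct
from typing import Tuple

BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the decoded OpenSSH key blob


def normalize_line_endings(text: str) -> str:
    """Convert CRLF (Windows) and bare CR line endings to LF, which OpenSSH expects."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length prefix) at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def openssh_key_cipher(key_text: str) -> Tuple[str, str]:
    """Return (ciphername, kdfname) from an OpenSSH private key.

    ("none", "none") means the key is stored in clear; anything else
    (e.g. "aes256-ctr" with "bcrypt") means it is passphrase-protected.
    """
    lines = normalize_line_endings(key_text).strip().split("\n")
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad OpenSSH key magic")
    offset = len(MAGIC)
    cipher, offset = _read_string(blob, offset)
    kdf, _ = _read_string(blob, offset)
    return cipher.decode(), kdf.decode()


def is_passphrase_protected(key_text: str) -> bool:
    """True when the key material is encrypted and a passphrase is required."""
    cipher, _ = openssh_key_cipher(key_text)
    return cipher != "none"


def fix_key_file(path: str) -> bool:
    """Rewrite the key with LF endings and mode 0600; return whether a passphrase is needed."""
    with open(path, "r", newline="") as fh:  # newline="" keeps \r\n intact
        raw = fh.read()
    fixed = normalize_line_endings(raw)
    with open(path, "w", newline="\n") as fh:
        fh.write(fixed)
    os.chmod(path, 0o600)
    return is_passphrase_protected(fixed)


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def build_header_only_key(cipher: str, kdf: str, crlf: bool) -> str:
    """Constructed sample: a key file holding only the OpenSSH header fields."""
    blob = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1))  # empty kdfoptions, nkeys = 1
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    eol = "\r\n" if crlf else "\n"
    return eol.join([BEGIN, *body, END]) + eol


if __name__ == "__main__":
    sample = build_header_only_key("aes256-ctr", "bcrypt", crlf=True)
    print("CRLF present:", "\r\n" in sample)
    print("cipher/kdf:", openssh_key_cipher(sample))
    print("passphrase required:", is_passphrase_protected(sample))
```

fix_key_file is the function to point at the real ed25519 file; the parser does not need the passphrase, because the cipher and KDF names sit in clear before the encrypted section of the blob.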
You can then access the server:
Privilege escalation with puppet
Next, we identify that puppet can be run with root privileges. A quick search on GTFOBins yields the following command to set the SUID bit on bash:
You can then obtain root access with bash -p. The -p flag tells bash not to drop the effective UID when it differs from the real UID.
DC compromise
Once you are root, list all the machines whose configuration you can manage with puppet:
This shows that the DC is managed by puppet, which means that by creating a manifest file containing instructions for the DC, you can have anything run on the DC. For Puppet, this file is usually /etc/puppet/code/environments/production/manifests/site.pp. So, by modifying this file (or creating it, in our case) and placing the following commands in it, we can take control of the DC.