Fortigate VPN Access for Sale

The automatic escrow service can be used in this thread!

Status: Closed for further replies.

MrXry

floppy disk
User
Joined: 01.05.2024
Messages: 7
Reactions: -1
Hi,

I have access to a Fortigate, but I'm stuck trying to move laterally to other systems in the network. The Active Directory network has the following devices:


Code:
SMB         192.168.1.1     445    NONE                           [*] I5OS V6R1M0 (name:) (domain:) (signing:False) (SMBv1:True)
SMB         192.168.1.6     445    SRV-CED                       [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRV-CED) (domain:.local) (signing:False) (SMBv1:True)
SMB         192.168.1.219   445    SRV-CED2022            [*] Windows Server 2022 Standard 20348 x64 (name:SRV-CED2022) (domain:.local) (signing:False) (SMBv1:True)
SMB         192.168.1.28    445    PC-PESA                      [*] Windows 10 / Server 2019 Build 19041 x64 (name:PC-PESA) (domain:.local) (signing:False) (SMBv1:False)
SMB         192.168.1.122   445    NAS02                        [*] Windows 6.1 Build 0 (name:NAS02) (domain:NAS02) (signing:False) (SMBv1:False)
SMB         192.168.1.17    445    PC-                              [*] Windows 11 Build 22621 x64 (name:PC-) (domain:l.local) (signing:False) (SMBv1:False)
SMB         192.168.1.33    445    PC-                              [*] Windows 11 Build 22621 x64 (name:PC-) (domain:.local) (signing:False) (SMBv1:False)
SMB         192.168.1.21    445    NB-                             [*] Windows 11 Build 22621 x64 (name:NB-) (domain:.local) (signing:False) (SMBv1:False)
SMB         192.168.1.101   445    SRV-DC01                 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRV-DC01) (domain:local) (signing:True) (SMBv1:False)
SMB         192.168.1.24    445                                     [*] Windows 10 / Server 2019 Build 19041 x64 (name:) (domain:.local) (signing:False) (SMBv1:False)
SMB         192.168.1.227   445    SRV-DATABASE         [*] Windows Server 2022 Build 20348 x64 (name:SRV-DATABASE) (domain:.local) (signing:False) (SMBv1:False)
SMB         192.168.1.225   445    APP-PESA                [*] Windows 10 / Server 2019 Build 19041 x64 (name:APP-PESA) (domain:.local) (signing:False) (SMBv1:False)
SMB         192.168.1.228   445    SRV-                        [*] Windows Server 2022 Build 20348 x64 (name:SRV-) (domain:.local) (signing:False) (SMBv1:False)                                                                                                              
SMB         192.168.1.121   445    NAS                            [*] Windows 6.1 Build 0 (name:NAS) (domain:) (signing:False) (SMBv1:False)


The Windows Server 2012 is running MSSQL version 11.0.2100.0. Although it’s an old version, I haven’t found any relevant exploits.
Another device is running Apache 2.4.46 on a WampServer 3.2.3, but I haven’t found any exploits for this setup either.
None of the devices seem to have vulnerabilities like EternalBlue, PetitPotam, or anything similar.

In the network, I found a Cisco switch with default credentials, but I'm not sure if that could be useful. I’d like to perform an LLMNR attack, but I believe it’s not possible through the VPN. Is there any way to configure Fortigate to intercept NTLMv2 hashes?

I’ve also tried some exploits to access the QNAP devices, hoping to find some credentials, but none were successful. One of the NAS devices has a folder with read and write access, but it only contains irrelevant photos.

Does anyone have any ideas on what I could do next? Any suggestions would be greatly appreciated.
 
SRV-CED is running win2012, an old version I would focus on. Also try scanning port 389 for Domain Controllers, then try ZeroLogon on them. Try CrackMapExec (now netexec) for brute SMB, brute RDP port 3389, and let us know how it goes.
 
Hi, thanks for your response. There’s only one domain controller, DC01, but it’s not vulnerable to Zerologon. As for the brute force attack over SMB, I already tried it with the "administrator" user I found using Kerberos, and I used a password list similar to the ones stored in Fortigate WiFi configurations, but I didn’t find anything.

Regarding the 2012 server, there’s not much else I can do. I’ve attempted various exploits, but nothing has worked. Anyway, here are the open ports for that server.
This Active Directory is testing my patience.

Code:
SERVER 2012==

PORT      STATE  SERVICE            VERSION
80/tcp    open   http               Microsoft IIS httpd 8.5
113/tcp   closed ident
135/tcp   open   msrpc              Microsoft Windows RPC
139/tcp   open   netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1001/tcp  open   webpush?
1433/tcp  open   ms-sql-s           Microsoft SQL Server 2012 11.00.2100; RTM
1583/tcp  open   psql               Pervasive.SQL Server - Relational Engine (encrypted)
3351/tcp  open   psql-btrieve       Pervasive.SQL Server - Btrieve Engine
3389/tcp  open   ssl/ms-wbt-server?
49154/tcp open   msrpc              Microsoft Windows RPC
49161/tcp open   msrpc              Microsoft Windows RPC


SERVER 2019 DC01====

PORT     STATE  SERVICE       VERSION
53/tcp   open   domain        Simple DNS Plus
88/tcp   open   kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-13 11:44:25Z)
113/tcp  closed ident
135/tcp  open   msrpc         Microsoft Windows RPC
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: .local, Site: Default-First-Site-Name)
445/tcp  open   microsoft-ds?
464/tcp  open   kpasswd5?
593/tcp  open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open   tcpwrapped
3268/tcp open   ldap          Microsoft Windows Active Directory LDAP (Domain:.local0., Site: Default-First-Site-Name)
3269/tcp open   tcpwrapped
3389/tcp open   ms-wbt-server Microsoft Terminal Services
 
Revenue: 250 Million$
Price: 700$
Country: Japan

I have created an exploit for the Fortigate and I can't do it all by myself; that's why I'm selling access. I'll be publishing more accesses during these days.

Network:

Code:
QTS
QTS
Windows 6.1
OS 1.00
Windows 10 Pro 18362 x64
OS 1.00
Windows Server 2012 Standard 9200 x64
Unix
Windows 7 Professional 7601 Service Pack 1 x64
Windows Server 2019 Standard 17763 x64
Unix
Windows Server 2012 R2 Standard 9600 x64
Windows Server 2003 R2 3790 Service Pack 1 x32
Windows Server 2003 R2 3790 Service Pack 2 x32
Windows 7 Professional 7601 Service Pack 1 x64
Windows Server 2016 Standard 14393 x64
Windows 5.0 x32
Windows 5.0 x32
Windows Server 2016 Standard 14393 x64
Windows Server 2012 R2 Standard 9600 x64
Windows 5.1 x32
Windows Server 2012 R2 Standard 9600 x64
Windows 6.1 Build 0
Windows 7 / Server 2008 R2 Build 7601 x64
Windows 10 / Server 2019 Build 17763 x64
Windows 6.1 Build 7600
Windows 6.1 Build 7600
Windows 10 / Server 2019 Build 19041 x64
Windows 10 / Server 2019 Build 17763 x64
Windows 6.1 Build 7600
 
Please note that this user is banned.
Such revenue should contain many more hosts in the network; it's probably a testnet. Did you check it carefully? All subnets?
 