Reel is a Hard rated Active Directory machine on hackthebox.eu.

Summary

Reel is a medium-to-hard difficulty machine that requires a client-side attack to bypass the perimeter, and highlights a technique for gaining privileges in an Active Directory environment.

Recon and Scanning

Nmap Results

Based on the open ports I can deduce that this is a Windows Server 2008 R2 domain controller.

Anonymous FTP Recon

As the nmap scan indicated, the FTP server accepts anonymous logon, so I will try that first.

We get three interesting files: AppLocker.docx, readme.txt and Windows Event Forwarding.docx.

Documents

AppLocker.docx

• AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.

readme.txt

• please email me any rtf format procedures - I’ll review and convert.
• new format / converted documents will be saved here.

Windows Event Forwarding.docx - ExifTool

The metadata gives us the email address [email protected]; this prompts us to enumerate SMTP for valid usernames.

SMTP Enumeration

To enumerate SMTP we will use telnet and issue RCPT TO:<[email protected]> to see whether the address is valid.

Bingo! We have a valid email address: [email protected]

RTF Phishing

After much guessing and research, there is a Metasploit module that creates a malicious RTF file which could give us a Meterpreter session if we phish a user and they open it. To exploit CVE-2017-0199 we need the user to open a malicious RTF file; the document then makes an HTTP request for an HTA file, and that HTA file executes code to give us a shell.
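From the defender's side, the document shape just described is detectable without running it: an RTF that carries a linked OLE object marked to refresh on open, with a URL or an .hta name inside the object data. The scanner below is an added example written for this write-up, not code from the original post or from Metasploit; the sample RTF it builds is constructed, carries only a URL string, and is not a working exploit.

```python
"""Heuristic scanner for RTF files that carry an auto-updating linked OLE object,
the document shape abused by CVE-2017-0199. Added example for this write-up, not
code from the original post or from Metasploit; the sample RTF below is
constructed and is not a working exploit."""
import re

# Control words that make Word refresh a linked object as soon as the file opens.
AUTO_UPDATE_WORDS = ("\\objupdate", "\\objautlink")
# Byte patterns worth flagging inside a decoded object payload.
SUSPICIOUS = (b"http://", b"https://", b".hta")
# \objdata groups hold the OLE payload as a run of hex digits.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(rtf: str) -> list:
    """Return the raw bytes of every \\objdata payload in the document."""
    blobs = []
    for hexdata in OBJDATA_RE.findall(rtf):
        clean = re.sub(r"\s+", "", hexdata)
        if len(clean) % 2:          # tolerate a truncated trailing nibble
            clean = clean[:-1]
        blobs.append(bytes.fromhex(clean))
    return blobs


def scan_rtf(rtf: str) -> dict:
    """Classify a document as clean / review / suspicious from two signals:
    auto-update control words, and URL or .hta strings inside object data."""
    auto_update = [w for w in AUTO_UPDATE_WORDS if w in rtf]
    findings = []
    for index, blob in enumerate(decode_objdata(rtf)):
        hits = set()
        for pattern in SUSPICIOUS:
            # OLE monikers are usually UTF-16LE, so check both encodings.
            wide = pattern.decode("ascii").encode("utf-16-le")
            if pattern in blob or wide in blob:
                hits.add(pattern.decode("ascii"))
        if hits:
            findings.append({"object": index, "indicators": sorted(hits)})
    if auto_update and findings:
        verdict = "suspicious"        # remote object that refreshes on open
    elif auto_update or findings:
        verdict = "review"            # one signal only; needs a human look
    else:
        verdict = "clean"
    return {"auto_update": auto_update, "findings": findings, "verdict": verdict}


def build_sample(url: str) -> str:
    """Constructed RTF skeleton: a linked, auto-updating object whose hex
    payload embeds a UTF-16LE URL. Deliberately incomplete as an OLE stream."""
    payload = url.encode("utf-16-le").hex()
    return "{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + payload + "}}}"


if __name__ == "__main__":
    for doc in (build_sample("http://staging.example.invalid/update.hta"),
                "{\\rtf1 Quarterly procedure, nothing embedded.}"):
        print(scan_rtf(doc)["verdict"])
```

The two signals are kept separate on purpose: a linked object that refreshes on open is legitimate in some templates, and a URL inside object data is legitimate in others, but the pair together is the pattern a mail gateway or triage script should pull aside. A full triage tool would also parse the OLE1 structure rather than string-search the decoded bytes.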

Metasploit Module

We will use the Metasploit module exploit/windows/fileformat/office_word_hta together with the sendEmail program to phish the [email protected] user and get a reverse shell.

Now that we have a listener set up, we can send the email with this command:

And a minute later, Bingo!

Priv Esc to Tom

On Nico’s desktop there is a file called cred.xml which contains a PSCredential; we can use the Import-CliXml PowerShell cmdlet to recover the user tom’s plaintext password. The SecureString in such a file is protected with DPAPI under the account that exported it, which is why importing it from Nico’s session on this host yields the password.

Credentials

We can now use the credentials tom:1ts-mag1c!!! to log in to the box over SSH.

Tom to Claire

On Tom’s desktop there is a folder called AD Audit containing a BloodHound acls.csv file, which we can import into BloodHound. First we need to get the file off the machine; for this I will use Tom’s credentials with FileZilla.

BloodHound Data Analysis

Now we can import it into BloodHound with the Upload Data button. Note that you will need BloodHound V1 rather than V3 to open this data; V1 can be downloaded from GitHub here.

We can see that we have full control over Claire, and Claire in turn has WriteDacl rights over the Backup_Admins group, so we can add Claire to that group.
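What BloodHound is doing with that CSV is walking ACL edges: every allow ACE that grants a takeover right (GenericAll, WriteDacl, WriteOwner, a force-password-change extended right) is an edge from the principal to the object, and a path of such edges is a privilege-escalation route. The script below reproduces that search over a constructed acls.csv so the same question can be asked in an audit without the GUI. It is an added example for this write-up, not code from the original post or from BloodHound; the rows are made up to mirror the relationships described above, and the column layout and right names are assumed to follow the BloodHound v1 acls.csv export.

```python
"""Walk the ACL edges in a BloodHound v1 acls.csv to find control paths, which is
what BloodHound is showing when tom reaches Backup_Admins through claire.
Added example for this write-up, not code from the original post or from
BloodHound; the rows are constructed and the column layout and right names
are assumed to follow the v1 acls.csv export."""
import csv
import io
from collections import deque

# Rights that let the holder take over the target object outright.
DANGEROUS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
             "AllExtendedRights", "ForceChangePassword"}
# v1 records extended rights as ExtendedRight plus an ACEType naming the right.
EXTENDED = {"All": "AllExtendedRights",
            "User-Force-Change-Password": "ForceChangePassword"}

# Constructed sample mirroring the relationships described in the write-up.
SAMPLE_CSV = """\
ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
claire@EXAMPLE.LOCAL,USER,tom@EXAMPLE.LOCAL,USER,WriteOwner,,AccessAllowed,False
Backup_Admins@EXAMPLE.LOCAL,GROUP,claire@EXAMPLE.LOCAL,USER,WriteDacl,,AccessAllowed,False
bob@EXAMPLE.LOCAL,USER,helpdesk@EXAMPLE.LOCAL,GROUP,ExtendedRight,User-Force-Change-Password,AccessAllowed,False
tom@EXAMPLE.LOCAL,USER,nico@EXAMPLE.LOCAL,USER,ReadProperty,,AccessAllowed,False
"""


def load_edges(csv_text: str) -> list:
    """Return (principal, right, target) for every allow ACE that grants control."""
    edges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue
        right = row["ActiveDirectoryRights"]
        if right == "ExtendedRight":
            right = EXTENDED.get(row["ACEType"], right)
        if right in DANGEROUS:
            edges.append((row["PrincipalName"], right, row["ObjectName"]))
    return edges


def control_path(edges: list, start: str, goal: str):
    """Breadth-first search over control edges; returns the shortest chain of
    (principal, right, target) hops from start to goal, or None."""
    graph = {}
    for src, right, dst in edges:
        graph.setdefault(src, []).append((right, dst))
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, dst in graph.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(node, right, dst)]))
    return None


def controllers_of(edges: list, target: str) -> dict:
    """Who holds a takeover right on target, and which right (for an audit report)."""
    return {src: right for src, right, dst in edges if dst == target}


if __name__ == "__main__":
    edges = load_edges(SAMPLE_CSV)
    for hop in control_path(edges, "tom@EXAMPLE.LOCAL", "Backup_Admins@EXAMPLE.LOCAL") or []:
        print("%s --%s--> %s" % hop)
```

This only follows ACL edges; BloodHound additionally folds in group membership and session data, so a real audit should merge the group CSV so that rights held by a group are attributed to its members. Running controllers_of over every object whose name ends in a privileged group is a quick way to list ACEs like Claire’s WriteDacl that an audit should remove.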

As we have control over Claire, we can use PowerView.ps1, which is already on the box, to:

• Become the owner of Claire’s ACL
• Grant ourselves permissions on that ACL
• Use those acquired permissions to change Claire’s password
• SSH as Claire

These are the commands we will use to change Claire’s Password:

SSH as Claire

Now that we have changed Claire’s credentials to claire:password123!, we can log in as Claire over SSH.

Now that we have access to Claire’s account, we can add ourselves to the Backup_Admins group.
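Each step of the chain used against Claire leaves a Security event on the domain controller: the ACL edit on her user object is a 5136 on nTSecurityDescriptor, the password reset is a 4724 from an account that is not help desk, and the group addition is a 4728 (or 4732/4756 for local and universal groups) where the member being added is the actor. The rules below are an added example written for this write-up, not from the original post; the field names follow the real event schemas, but the events, account names and allow-lists are constructed.

```python
"""Detection rules for the chain used against Claire above (DACL edit on a user
object, password reset by someone who is not help desk, self-addition to a
privileged group), run over constructed Windows Security events. Added example
for this write-up, not from the original post; the field names follow the
4724/4728/5136 event schemas, the values and allow-lists are made up."""

PRIVILEGED_GROUPS = {"Backup_Admins", "Domain Admins", "Administrators"}
HELPDESK_ACCOUNTS = {"svc_helpdesk"}            # assumed: accounts allowed to reset passwords
WATCHED_ATTRIBUTES = {"nTSecurityDescriptor"}   # the object's DACL lives in this attribute
GROUP_ADD_EVENTS = {4728, 4732, 4756}           # member added to global / local / universal group

# Constructed events; only the fields the rules need are included.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "tom", "TargetUserName": "tom"},
    {"EventID": 5136, "SubjectUserName": "tom",
     "ObjectDN": "CN=claire,CN=Users,DC=example,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4724, "SubjectUserName": "tom", "TargetUserName": "claire"},
    {"EventID": 4724, "SubjectUserName": "svc_helpdesk", "TargetUserName": "bob"},
    {"EventID": 4728, "SubjectUserName": "claire",
     "MemberName": "CN=claire,CN=Users,DC=example,DC=local",
     "TargetUserName": "Backup_Admins"},
]


def leaf_cn(dn: str) -> str:
    """Pull the leaf CN out of a distinguished name."""
    first = dn.split(",")[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect(events: list) -> list:
    """Apply the three rules and return alert dicts in event order."""
    alerts = []
    for ev in events:
        eid, actor = ev["EventID"], ev.get("SubjectUserName")
        if eid == 5136 and ev.get("AttributeLDAPDisplayName") in WATCHED_ATTRIBUTES:
            alerts.append({"rule": "dacl_modified", "actor": actor,
                           "target": leaf_cn(ev["ObjectDN"])})
        elif eid == 4724 and actor not in HELPDESK_ACCOUNTS:
            alerts.append({"rule": "password_reset_by_non_helpdesk", "actor": actor,
                           "target": ev["TargetUserName"]})
        elif eid in GROUP_ADD_EVENTS and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            member = leaf_cn(ev["MemberName"])
            # An account adding itself to a privileged group is the louder signal.
            rule = "privileged_group_self_add" if member == actor else "privileged_group_member_added"
            alerts.append({"rule": rule, "actor": actor,
                           "target": ev["TargetUserName"], "member": member})
    return alerts


def correlate_takeover(alerts: list) -> list:
    """Pair a DACL edit on a user object with a password reset of that same user
    by the same actor: together they are the account-takeover pattern."""
    edited = {(a["actor"], a["target"]) for a in alerts if a["rule"] == "dacl_modified"}
    return [(a["actor"], a["target"]) for a in alerts
            if a["rule"] == "password_reset_by_non_helpdesk"
            and (a["actor"], a["target"]) in edited]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("takeovers:", correlate_takeover(found))
```

The 5136 rule depends on the directory-service-changes audit subcategory being enabled and a SACL on user objects that audits writes to nTSecurityDescriptor; without that, only the 4724 and group-membership rules fire. The correlation is what turns two individually noisy alerts into a high-confidence one, since a legitimate help desk reset never starts with an ACL rewrite.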

That still gives no access to root.txt, but we do have access to a script called BackupScript.ps1, which has the admin’s password at the top.

User and Root Flags

We can now get the user and root flags.

