Hack The Box — APT

Hey folks! Today we have a new interesting machine from HackTheBox “APT”.

This machine was my first INSANE boxes I’ve solved, so I considered it one of my favorite machines, let’s take a look at its info

What we will do ?

As usual, we have some steps which we follow to pwn any machine, our steps are:

  1. Recon / Information gathering
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Reporting / Analysis

After finishing our steps we will have these informations, stay calm and follow reading :)

1. Information Gathering

In this step we aim to collect all these informations, which we can collect on a specific target like its open ports, security mode of login systems, directories, OS version, services versions, etc

Nmap

We will start this step by scanning all ports to discover the open ports and know where we will get into this machine

nmap -A -T4 10.10.10.213

We have only 2 open ports and after checking the port 80, I didn’t find anything

After a little search about port 135 msrpc pentesting I found this resource from hacktricks

At the end of the blog, there’s a GitHub tool which will get the hidden IP’s behind the port msrpc

After using it, I’ve discovered 2 open ports IPV6

Okay, let’s add them to /etc/hosts and continue our work

After scanning their open ports, the 2 IP’s return the same results as you can see

we have interesting ports here :)

2. Scanning

In this step we aim to scan all collected info from the previous one.

I’ve tried to check the content of SMB servers, and we have a backup file, let’s download it

Unfortunately! It’s protected by password.

Okay, let’s try to crack it using fcrackzip

Great! The password is iloveyousomuch

The content of this file are some registry files

After searching about how to get credentials from ntds files, I found this nice resource

And we have all server users and hashes

I wrote 2 scripts to get the users and the hashed in separated files

Also, you can use cut and sort commands to do the same task, but I prefer using python

for usernames:

#Get all usernames in separated file names = []
with open("hashes.txt", "r") as lines:
for line in lines:
name = line.split(":")[0]
names.append(name)
new_names = []
for line in names:
if line not in new_names:
new_names.append(line)
for line in new_names:
print line

and for hashes:

#Get all hashes
with open("hashes.txt", "r") as lines:
for line in lines:
pass_hash = line.split(":")
first = pass_hash[3]
second = pass_hash[2]
if first:
print first
else:
print second

I think the number of the lines for this file is 8k line, we have very large data

I’ve used kerbrute to check for the valid users, and we have 3 valid users

The given hash for each one of them is invalid, so I need to check for each hash

I’ve used crackmapexec and try each hash with each user by using simple python code

import subprocess
users = ["henry.vinson", "APT$", "Administrator"]
with open("hashed_passwords.txt","r") as hashes:
i = 0
user = users[0]
for hhash in hashes:
user = users[i]
print("[====[" + user + "]====]")
subprocess.call("crackmapexec --verbose smb apt.htb -u " + user + " -H " + hhash, shell=True)
i = i + 1

After a couple of hours, the results are

Now we have valid user and its valid hash, but unfortunately! I can’t login to the server using them, so let’s try some scripts from impacket scripts

Remember we have registry files at the beginning of the scanning process, so let’s try reg.py

At the first I’ve created a ticket using my valid user and hash and then used this ticket to dump registry content

And at the end of the results, you will find this creds

3. Gaining Access

Let’s try to login to the server using our new creds

It works and we have the user.txt :)

4. Maintaining Access

For this step I’ve performed multiple tasks to get the root privileges:

  1. Enumerate the directories and files for any leaked data
  2. Use Exploit-Suggester tools to discover the kernel vulnerabilities
  3. Use automation tools to perform multiple tasks like linPEAS or linenum
  4. Use PsPy to listen for the executed processes to watch and note if there’s any process can lead me to the root flag

After enumerating the files and directories, I’ve found Windows Defender directory and its executables

I saw an exe called MpCmdRun.exe

And remembered a tweet talked about you can scan an external file using this exe

I tried to use it to scan a malicious file but my exe is old

After calling a friend for a hint, he asked me to scan a local file and capture the incoming hash or message

So I made a local directory

and fired up my Responder to capture any incoming data

Active --lm mode to capture an old versions of ntlm hashes

For now let’s try to scan the local file scanme.txt or the main directory apt

The responder:

Great! We have a NTLMv1 for user APT$

Let’s use this tool to generate a new form to crack it because these old versions don’t work with the server

Let’s crack the generated form using crack.sh

After 30s I recieved a mail with the new hash

And after executing secretdump.py using the new hash, I’ve dumped the Admin hash and logged in

Congrats ❤

If you find it helpful, Kindly give me a respect from here eslam3kl — HTB

Stay in touch

LinkedIn | GitHub | Twitter

Offensive Security Enthusiast

Offensive Security Enthusiast