What we will do?
As usual, there are some steps we follow to pwn any machine; our steps are:
- Recon / Information gathering
- Scanning
- Gaining Access
- Maintaining Access
- Reporting / Analysis
After finishing these steps we will have all of this information; stay calm and keep reading :)
1. Information Gathering
In this step we aim to collect all the information we can about a specific target, such as its open ports, the security mode of its login systems, directories, OS version, service versions, etc.
Nmap
We start this step by scanning all ports to discover the open ones and find out where we can get into this machine
nmap -A -T4 10.10.10.213
We have only 2 open ports, and after checking port 80 I didn't find anything
After a little search about port 135 msrpc pentesting, I found this resource from hacktricks
At the end of that page there's a GitHub tool which retrieves the hidden IPs behind the msrpc port
After using it, I discovered 2 IPv6 addresses
Okay, let's add them to /etc/hosts and continue our work
After scanning their open ports, the 2 IPs return the same results, as you can see
We have interesting ports here :)
2. Scanning
In this step we aim to examine all the info collected in the previous one.
I checked the content of the SMB servers and found a backup file; let's download it
Unfortunately, it's protected by a password.
Okay, let's try to crack it using fcrackzip
Great! The password is iloveyousomuch
The content of this file is some registry files
After searching for how to get credentials from ntds files, I found this nice resource
And we have all the server users and hashes
I wrote 2 scripts to get the users and the hashes into separate files
Also, you can use the cut and sort commands to do the same task, but I prefer using python
for usernames:
# Get all usernames into a separate file (each line of hashes.txt is user:rid:lmhash:nthash:::)
names = []
with open("hashes.txt", "r") as lines:
    for line in lines:
        name = line.split(":")[0]
        names.append(name)
# Drop duplicate names while keeping their original order
new_names = []
for line in names:
    if line not in new_names:
        new_names.append(line)
for line in new_names:
    print(line)
and for hashes:
# Get all hashes: prefer the NT hash (field 3), fall back to the LM hash (field 2)
with open("hashes.txt", "r") as lines:
    for line in lines:
        pass_hash = line.strip().split(":")
        if len(pass_hash) < 4:
            continue  # skip blank or malformed lines
        first = pass_hash[3]   # NT hash
        second = pass_hash[2]  # LM hash
        if first:
            print(first)
        else:
            print(second)
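As an added example (not code from the original post), here is one parser that does the job of both scripts above and goes a bit further: it reads user:rid:lmhash:nthash::: lines, lists the unique users, picks the NT hash (or the LM hash when NT is empty), and also flags accounts whose stored LM hash is not the well-known empty-LM value or whose NT hash is that of an empty password, which is what a defender auditing such a dump wants to see. The dump lines below are constructed; the user names henry.vinson and APT$ are the ones mentioned in this post.

```python
# Added example, not part of the original post. The sample dump is constructed.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1102:fedcba9876543210fedcba9876543210:89abcdef0123456789abcdef01234567:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee::::
henry.vinson:1102:fedcba9876543210fedcba9876543210:89abcdef0123456789abcdef01234567:::
[*] this is not a hash line
"""

def parse_dump(text):
    """Return one (user, rid, lm, nt) record per well-formed dump line."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue                      # skip banners, blanks and junk
        user, rid = parts[0], int(parts[1])
        lm, nt = parts[2].lower(), parts[3].lower()
        records.append((user, rid, lm, nt))
    return records

def unique_users(records):
    """Unique user names in first-seen order (what the first script printed)."""
    seen = []
    for user, _, _, _ in records:
        if user not in seen:
            seen.append(user)
    return seen

def crackable_hash(record):
    """NT hash if present, else LM (same preference as the second script)."""
    _, _, lm, nt = record
    return nt if nt else lm

def lm_stored(records):
    """Accounts that still have a real LM hash stored (NoLMHash not enforced)."""
    return sorted({u for u, _, lm, _ in records if lm and lm != EMPTY_LM})

def empty_password(records):
    """Accounts whose NT hash is the hash of an empty password."""
    return sorted({u for u, _, _, nt in records if nt == EMPTY_NT})
```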
I think this file is about 8k lines long; we have a lot of data
I used kerbrute to check for valid users, and we have 3 valid users
The given hash for each one of them is invalid, so I need to check each hash
I used crackmapexec and tried each hash with each user using a simple python script
import subprocess

users = ["henry.vinson", "APT$", "Administrator"]

# Try every hash against every user. The original script picked the user by
# line number, which raised IndexError after the third hash.
with open("hashed_passwords.txt", "r") as hashes:
    for hhash in hashes:
        hhash = hhash.strip()  # drop the trailing newline before passing it to -H
        if not hhash:
            continue
        for user in users:
            print("[====[" + user + "]====]")
            subprocess.call(["crackmapexec", "--verbose", "smb", "apt.htb",
                             "-u", user, "-H", hhash])
After a couple of hours, the results are:
Now we have a valid user and its valid hash, but unfortunately I can't log in to the server using them, so let's try some scripts from impacket
Remember we have the registry files from the beginning of the scanning process, so let's try reg.py
First I created a ticket using my valid user and hash, then used this ticket to dump the registry content
And at the end of the results you will find these creds
3. Gaining Access
Let's try to log in to the server using our new creds
It works and we have the user.txt :)
4. Maintaining Access
For this step I performed multiple tasks to get root privileges:
- Enumerate the directories and files for any leaked data
- Use Exploit-Suggester tools to discover kernel vulnerabilities
- Use automation tools such as linPEAS or linenum to perform multiple tasks
- Use PsPy to watch the executed processes and note whether any process can lead me to the root flag
After enumerating the files and directories, I found the Windows Defender directory and its executables
I saw an exe called MpCmdRun.exe
And I remembered a tweet saying that you can scan an external file using this exe
I tried to use it to scan a malicious file, but my exe is old
After calling a friend for a hint, he told me to scan a local file and capture the incoming hash or message
So I made a local directory and fired up Responder to capture any incoming data
Enable the --lm mode to capture the old versions of ntlm hashes
For now let's try to scan the local file scanme.txt or the main directory apt
The Responder output:
Great! We have an NTLMv1 hash for the user APT$
Let's use this tool to generate a new form of the hash to crack, because these old versions don't work with the server
Let's crack the generated form using crack.sh
After 30s I received a mail with the new hash
And after executing secretsdump.py using the new hash, I dumped the Admin hash and logged in
Congrats ❤
If you find it helpful, kindly give me a respect from here: eslam3kl — HTB