In this writeup I will show the process of reversing a ransomware sample written in C#. Then we will bypass two-factor authentication in TeamCity and get RCE. Finally, we will use the ESC5 technique to escalate privileges through an Active Directory Certificate Services misconfiguration.
Our ultimate goal is to capture the root of the Coder machine from the site Hack The Box. Its difficulty level is “insane.”
warning
It is recommended to connect to machines with HTB only via VPN. Do not do this from computers that contain data that is important to you, as you will end up on a shared network with other participants.
Reconnaissance
Port scanning
Add the machine's IP address to /:
And start the port scan.
Reference: port scanning
Port scanning is the standard first step in any attack. It lets the attacker find out which services on the host accept connections. Based on this information, the next step towards obtaining an entry point is chosen.
The best-known scanning tool is Nmap. You can improve its results with the following script:
#!/bin/bash
# Stage 1: quick full-range scan; keep only the port numbers of the open ports,
# joined with commas (the original had a broken regex and an unescaped newline in tr)
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
# Stage 2: service/version detection and default scripts on just those ports
nmap -p"$ports" -A "$1"
It works in two stages. The first one performs a regular quick scan, the second one performs a more thorough scan using the available scripts (option -A).
The scanner found many open ports. It's easy to see that we're dealing with Windows.
- 53 - DNS service;
- 80 (HTTP) - Microsoft IIS/10.0 web server;
- 88 - Kerberos service;
- 135 - remote procedure call service (Microsoft RPC);
- 139 - NetBIOS session service, NetLogon;
- 389 - LDAP service;
- 443 (HTTPS) - Microsoft IIS/10.0 web server;
- 445 - SMB service;
- 464 - Kerberos password change service;
- 593 (HTTP-RPC-EPMAP) - used in DCOM and MS Exchange services;
- 636 - LDAP with SSL or TLS encryption;
- 5985 - WinRM remote management service;
- 9389 - AD DS Web Services.
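The port list above is the kind of inventory a scan produces, and the "we're dealing with Windows" conclusion follows from which services are present. As an added example (not code from the original writeup), the Python script below parses Nmap's greppable output format (the -oG option) into a per-host port/service table and flags hosts whose open AD-specific ports (Kerberos, LDAP, kpasswd, LDAPS, global catalog, ADWS) point to a domain controller. The -oG sample embedded in it is constructed for this example, not captured from the machine; the indicator sets and the two-port threshold in classify_host are my own assumptions.

```python
from typing import Dict, List, NamedTuple


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# Constructed sample of Nmap greppable (-oG) output. The IP matches the
# writeup's target, but the lines themselves are made up for this example.
SAMPLE_OG = (
    "# Nmap 7.93 scan initiated (constructed sample)\n"
    "Host: 10.10.11.207 ()\tStatus: Up\n"
    "Host: 10.10.11.207 ()\tPorts: "
    "53/open/tcp//domain//Simple DNS Plus/, "
    "80/open/tcp//http//Microsoft IIS httpd 10.0/, "
    "88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, "
    "389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, "
    "445/open/tcp//microsoft-ds///, "
    "5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0/, "
    "23/closed/tcp//telnet///"
    "\tIgnored State: filtered (65522)\n"
    "# Nmap done (constructed sample)\n"
)

# AD-specific service ports (assumption: two or more of these open on one host
# is treated as a domain controller signal).
DC_INDICATORS = {88, 389, 464, 636, 3268, 3269, 9389}
# Generic Windows service ports: MSRPC, NetBIOS session, SMB, WinRM.
WINDOWS_INDICATORS = {135, 139, 445, 5985}


def parse_greppable(text: str) -> Dict[str, List[PortEntry]]:
    """Return {ip: [PortEntry, ...]} from Nmap -oG text; all port states are kept."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        # Each -oG host line is a tab-separated list of "Key: value" fields.
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split()[0]
        entries = hosts.setdefault(ip, [])
        if "Ports" not in fields:
            continue  # e.g. the "Status: Up" line carries no port data
        for item in fields["Ports"].split(", "):
            # Field layout: port/state/proto/owner/service/rpcinfo/version/
            parts = item.split("/")
            if len(parts) < 7 or not parts[0].isdigit():
                continue  # malformed entry: skip it rather than crash
            entries.append(PortEntry(int(parts[0]), parts[2], parts[1], parts[4], parts[6]))
    return hosts


def open_ports(entries: List[PortEntry]) -> List[int]:
    """Sorted port numbers that reported state 'open'."""
    return sorted(e.port for e in entries if e.state == "open")


def classify_host(entries: List[PortEntry]) -> str:
    """Coarse OS/role guess from the open-port set alone."""
    ports = set(open_ports(entries))
    if len(ports & DC_INDICATORS) >= 2:
        return "likely domain controller"
    if ports & WINDOWS_INDICATORS:
        return "likely Windows host"
    return "unknown"


if __name__ == "__main__":
    for ip, entries in parse_greppable(SAMPLE_OG).items():
        print(f"{ip}: {classify_host(entries)}")
        for e in sorted(entries):
            if e.state == "open":
                print(f"  {e.port}/{e.proto} {e.service} {e.version}".rstrip())
```

Run it with a real file by replacing SAMPLE_OG with the contents of an `nmap -oG` report; the same parser works for a whole subnet, since each host line is handled independently, which makes it a quick way to spot unexpected domain-controller-like hosts in an inventory.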
LDAP reveals the domain and host name, which we immediately add to the file /.
10.10.11.207 coder.htb dc01.coder.htb
Now we check access to the SMB service as the guest user and get a list of shared resources. To do this we use the CrackMapExec utility.
cme smb 10.10.11.207 -u 'guest' -p '' --shares
There are several interesting directories, but first of all let's look at Development.
Point of entry
Connect to the SMB share using the smbclient script from the Impacket toolkit.
impacket-smbclient 'guest@10.10.11.207'
use Development
As a result, a lot of files are available to us, so it is better to copy everything to the local host and analyze it there.
smbclient //10.10.11.207/Development -N
recurse on
prompt off
mget *