Hacker uses ESC5 technique to reverse ransomware in HTB Coder

In this writeup I will show the process of reversing a ransomware virus written in C#. Then we will bypass two-factor authentication in TeamCity and get RCE. Then we will use the ESC5 technique to escalate privileges through the Active Directory Certificate Services misconfig.

Our ultimate goal is to capture the root of the Coder machine from the site Hack The Box. Its difficulty level is “insane.”

warning

It is recommended to connect to machines with HTB only via VPN. Do not do this from computers that contain data that is important to you, as you will end up on a shared network with other participants.

Intelligence service

Port scanning

Add the machine's IP address to /etc/hosts:

И запус­каем ска­ниро­вание пор­тов.

Справка: сканирование портов

Ска­ниро­вание пор­тов — стан­дар­тный пер­вый шаг при любой ата­ке. Он поз­воля­ет ата­кующе­му узнать, какие служ­бы на хос­те при­нима­ют соеди­нение. На осно­ве этой информа­ции выбира­ется сле­дующий шаг к получе­нию точ­ки вхо­да.

На­ибо­лее извес­тный инс­тру­мент для ска­ниро­вания — это Nmap. Улуч­шить резуль­таты его работы ты можешь при помощи сле­дующе­го скрип­та:

#!/bin/bash

ports=$(nmap -p- --min-rate=500 $1 | grep ^(0-9) | cut -d '/' -f 1 | tr 'n' ',' | sed s/,$//)

nmap -p$ports -A $1

It works in two stages. The first one performs a regular quick scan, the second one performs a more thorough scan using the available scripts (option -A).

The result of the script

The scanner found many open ports. It's easy to see that we're dealing with Windows.

  • 53 - DNS service;
  • 80 (HTTP) - Microsoft IIS/10.0 web server;
  • 88 - Kerberos service;
  • 135 - remote procedure call service (Microsoft RPC);
  • 139 - NetBIOS session service, NetLogon;
  • 389 - LDAP service;
  • 443 (HTTPS) — Microsoft IIS/10.0 web server;
  • 445 - SMB service;
  • 464 - Kerberos password change service;
  • 593 (HTTP-RPC-EPMAP) - used in DCOM and MS Exchange services;
  • 636 - LDAP with SSL or TLS encryption;
  • 5985 - WinRM remote management service;
  • 9389 - AD DS Web Services.

LDAP reveals the domain and host name, which we immediately add to the file /etc/hosts.

10.10.11.207 coder.htb dc01.coder.htb

Now we check access to the SMB service on behalf of the guest user and get a list of shared resources. To do this we use the utility CrackMapExec.

cme smb 10.10.11.207 -u 'guest' -p '' --shares

Shared Resources
Shared Resources

There are several interesting catalogs, but first of all let's look at Development.

Point of entry

Connect to the SMB resource using the smbclient script from the set impacket.

impacket-smbclient 'guest@10.10.11.207'

use Development

Contents of shared resources
Contents of shared resources

As a result, there are a lot of files available to us, so it is better to copy everything to the local host and then analyze it.

smbclient //10.10.11.207/Development -N

recurse on

prompt off

mget *

Recursive file loading
Recursive file loading