HackTheBox - PivotAPI

Captions
What's going on YouTube, this is IppSec. I'm doing PivotAPI from Hack The Box, which was either an incredibly insane machine or a hard machine depending on what route you went down. Both routes began with reverse engineering a binary that was obfuscated .NET; I'll show two different ways to do this, and what that gets you is credentials to a Microsoft SQL service. You can either set up a network pivot through MSSQL and access a WinRM port, which is the insane path, or you can just enable xp_cmdshell and pop the box that way using some unconstrained delegation, which we show at the very end of the video. On the insane path, with enabling WinRM, you get a second set of credentials that you can use to SSH into the box, and then you have to do a bunch of BloodHound tricks to get to a different user, reverse a second binary, get credentials to that user, and do more BloodHound tricks in order to get into the LAPS group, which enables you to read the root password of the machine and log in.

So with all that being said, let's jump in. As always we'll start off with the nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it pivotapi, and then the IP address, which is 10.10.10.240. This can take some time to run, so I've already run it. Looking at the results we have a ton of ports open, and at a quick glance, whenever I see Kerberos and all these other things open I'm going to think it's an Active Directory server. But I always like starting from the top, so let's go through this. We see FTP is on port 21, anonymous FTP login is allowed and we have some files, so we should obviously download all these files. I'm going to mkdir ftp, go in here, and I'm just going to use wget to download; I think it's -m to mirror, so I can do wget -m ftp://10.10.10.240,
and it should already use anonymous login, I don't have to specify anything. The next thing we have is 53, this is DNS. We have Kerberos on 88, MSRPC (remote procedure call) on 135, 139 and 445, so these things I think of as supporting SMB, but a lot of this stuff isn't too interesting. We do have LDAP on 389, so this is the Active Directory server we are thinking of. TCPwrapped. We have MSSQL, which is certainly interesting, and it's leaking the hostname, which is PivotAPI, and the DNS domain name, which was up here with the LDAP as well: LicorDeBellota. I don't even know how to pronounce that, but it is a domain name. So the very first thing I'm going to do is add this to my hosts file: sudo vi /etc/hosts, and then we should go with 10.10.10.240, pivotapi, then the domain name, and then the domain name with pivotapi at the beginning of it, so we have all the ways to specify this domain. Save that.

Let's go take a look at the files we had downloaded with wget. Let me just open up a file browser, go to htb/pivotapi/ftp, and then we can look at each of these files. This one looks like some paper; I'd probably copy and paste a string of this and see if it's on Google. Eicher best paper proceedings, that's a funny name, but just glancing at this, this is a stack-based overflow. We have a Black Hat paper from 2009, another buffer overflow paper, so there's just a bunch of papers here. notes1 is some Windows internals, it looks like, about stealing tokens of processes; notes2 is shellcoding. So nothing really too interesting yet. We have this one, another buffer overflow paper, and a readme.txt that's just telling people to change the download mode to binary so files are not corrupted, and that is probably a hint. If you do ftp 10.10.10.240 and then log in with anonymous and you try to download a file without saying mode binary... I think it's mode binary? Let's see, mode binary, what is it? "ftp switch to binary mode". By default FTP transfers in ASCII, and obviously
that's not going to be great. Do I just type binary? Okay, yep, you do that and then you can download files. But if you don't do that you're in ASCII mode, and when you get some binary data it may end the string prematurely, because a null byte would terminate the file transfer or something weird like that. But using wget it didn't seem like we have to worry about that, because all the PDFs opened up.

Right now I'm not exactly sure what we are supposed to do with these PDFs, so I'm just going to use exiftool to examine them real quick, and if I look, we do have this Creator and Author tag, and this is potentially leaking usernames. So I'm going to do this exiftool again and grep for Creator, and then backslash pipe to do an OR, and we can do Author, and now we have potentially more users. We also have some junk right here, so what I'm going to do is awk print $3 and then go to users.txt, and then let's edit this to fix it up. Microsoft and Unknown we can probably remove, and one of those had a first and last name, I want to say, before I did that awk... yeah, Byron Gronzeth. So let's go here, and also, since we have his full name, I just want to put it in a few different formats, because now we're going to find out which of these accounts are valid, if any. One does stick out right off the bat; this one has a capital first letter, which is just interesting.

But let's go and download Kerbrute. Kerbrute GitHub, go here, and we could download this release package, but I see it's December 15th 2019 and the latest commit is November 16 2020, so I'm going to just download the source and compile it real quick. git clone, it's cloning into kerbrute, so we go here and just type go build, and as long as you have the Go compiler it builds just fine. So I'm going to copy this up a directory; let's move kerbrute to kerbrute-source and then copy it to a directory. So now I can use Kerbrute, which is a tool that will query Active Directory over Kerberos, and it does a
pre-authentication check with userenum, so you can validate if a username exists or not. You can also brute force passwords and other things, which is really good because it won't create the event, I think 4625 maybe, the event code for a failure. Let's see, I know it's a 46... yep, 4625 is invalid login, like SMB logins, but with Kerberos it doesn't generate that log. So if you go to ippsec.rocks and search for an earlier video, I did more research before recording it, so I'm probably talking about it better than that. However, the simple thing we have to do is just specify the location of the domain controller, so --dc, we can do 10.10.10.240; the domain was LicorDeBellota, like that, I think; and then we want to say userenum and then the user file, a text file. And we get a hit: it is a valid username, Kaorz. But in addition to it being a valid username, Kerbrute will also attempt to do a Kerberos no-pre-authentication check, and if it does, it can get a hash, which is what we see here. In Active Directory, for that particular user, if the box "Do not require Kerberos preauthentication" is checked, then that's when you get this.

So let's save this hash; we'll do v, actually let's go up one, v hashes.txt, save it, and then we have to go over to the Kraken to crack it. The main reason I am doing this by SSHing into a different machine is because I'm also recording a video, and cracking is a highly CPU-intensive process, so bad things could happen if I just did this on my host machine while recording for you guys. Just do it on your host machine, don't do it in a VM, because VMs would be extremely slow. So now let's go into the hashes folder; we can put pivotapi, paste in the hash, and then I'm also running the newest version of hashcat, I downloaded it before I did this video. So the cool thing about hashcat now is that having to specify the mode to do the crack is gone; now it automatically detects it. So if I do hashcat.bin pivotapi /opt/wordlist/rockyou.txt it
should, yep, start in auto-detect mode and find this hash. Now the downside about auto-detect mode is if you're doing two hashes that match identically, such as md5sum and NTLM, which are both 32 hex characters, auto-detect may not work there, so it's still important to know how to do hashcat manually. And oddly enough, "no hash mode matches the structure of the input hash". So I'm going to look at my input hash, and it is krb5asrep and then encryption type 18. So let's take a look at this; let's do hashcat --example-hashes | less and search for this. So we have encryption type 23, and that's actually it. So let's see if we can find this real quick: Kerberos encryption type 18 23. I want to say 23 is MD5 and 18 is AES, but we may be able to pull it here. Let's see, because this would be, I guess, one important benefit of... yeah, here it is: RC4-HMAC, so this is encryption type 23, and then 18 is AES256-CTS-HMAC-SHA1.

So yeah, the reason why Kerbrute pulled 18 is because it probably defaults to the most secure option, which is how Windows clients should be. If your Windows clients are pulling RC4-HMAC then there's a Group Policy that you can set to enforce strongest encryption. You normally wouldn't want to disable RC4-HMAC, because you may just break random programs that are coded poorly because they don't support the better option. So what most people recommend is setting the Group Policy to enforce always choosing AES when available, and then setting up some type of log monitoring for whenever an RC4-HMAC ticket is handed out, because that's probably going to be Impacket or Kerbrute or someone doing something bad. Why hashcat doesn't support mode 18 I'm not exactly sure, but even so, I would still probably default to pulling the RC4-HMAC because it is much, much quicker; that's why it's deprecated, because it was a bad encryption type. So let's go back to our Kerbrute, so it's probably best to just exit, and then we can do ./kerbrute and specify --
downgrade, and this will downgrade the encryption. Not found... is it in ftp? Yeah, let's move that out of ftp. We can do kerbrute and users.txt, there we go. So the reason why Kerbrute would default to the most secure is in case someone has some type of alerting; you won't get alerted for pulling an AES ticket. But now that we have this, let's go back into the Kraken and we can do cd hashcat and then v hashes/pivotapi, replace this hash, and let's run hashcat with this: hashes/pivotapi /opt/wordlist/rockyou.txt. So it auto-detects, and it now has successfully detected and cracked it, because it has "recovered". If we go all the way up we can see the password was Roper4155, and I also want to say it should show, yep, the mode it chose. So again, if you're doing NTLM hash cracking and then you run it and you don't get results, and you see, oh wait, it's in mode, I want to say zero or one, which is just MD5, and I wanted 1000, which should be NTLM. I just want to check this real quick: 0 is MD5, and it looks like there is no 1; maybe hash mode 10 is MD5 with a salt. But yeah, 0 is MD5 and NTLM is 1000.
So we have the password. What was it? I want to say it was like Roper and then some numbers. I'm going to do hashes/pivotapi --show and we have the password. So let's do v creds.txt: Kaorz, Roper... So now let's run, I think, CrackMapExec. There we go: smb, we can do 10.10.10.240 -u Kaorz -p Roper4155. So we have... wait, I'm kind of surprised it says Windows 10, I thought it would have said like 2016 or 2018. Okay, maybe I don't pay attention to that that much, but I thought it normally said Server. /opt/CrackMapExec, git pull, poetry install, is this how you do it? I'm hoping I'm installing it correctly; I won't worry about it too much, reading error messages is not how I want to do this video. So CrackMapExec does show this account is valid, however we can't do anything with this. We could download files and that's about it, because it's not saying (Pwn3d!). And also, let's look at 5985 and 5986 to see if WinRM is open, I don't think it is, but we can do 10.10.10.240
and see if it is. No, both are filtered, so all we really have access to is SMB. I'm going to add --shares and this will list all the file shares for this, and we can see we do have three shares we can read: IPC$, NETLOGON and SYSVOL. I don't think this NETLOGON is default, it may be, but the next thing I like doing is just -M and then spider_plus, and this is going to crawl all the shares and list all the files in this directory. It can take a little while to run, so I'm just going to pause the video. It'll probably be... actually, this will tell us how long it takes to run, so yeah, when I resume the video we'll see how long this took. Not long at all; we can see it took 22 seconds and we have the results here.

So let's do cd /tmp/cme_spider_plus and then we can cat 10.10.10.240.json and see we have a bunch of files. So the best way to view JSON, of course, is always using the jq program, and then we can also take this a step further, because I'm not really interested in this timing stuff yet, I just want to know all the files. So if I do this: single quote, period, and I want to say we just say keys, we can see the key of each thing, and this is going to be each file share, so that's not really that important. So let's get the value of the key, and now we have the share and all the files that are in it without the noise of time and size. So SYSVOL, we have some group policy stuff, that's not too... and wait, oh, these files are in SYSVOL as well; NETLOGON has these, so I think NETLOGON may be default on an Active Directory server. It's been like, I don't know, all the share names blend together, but this may be related to running scripts and stuff, and then these group policies have them. Yeah, so I was probably wrong earlier when I said NETLOGON wasn't a default, but it has some interesting files in it. Then our IPC$ has a bunch of things. So we probably want to download these files from the share. I'm sure I could use CrackMapExec
to download the files, but at this point I'm just going to use smbclient -U Kaorz, then //10.10.10.240/NETLOGON, and then Roper4155. Did I type that right? I did. And let's go into helpdesk and we can mget *, and mget is just going to download every file. It'll annoyingly ask "do you want to download" for each file, but just say yes, and we have all the files. The downside is they're not where we want them, so I'm just going to mkdir smb, cd smb, and move *.* I guess into htb/pivotapi/smb. So now we have three files.

The ones I'm going to focus on first are these .msg files, because focusing on an exe first would take a while. So let's go and view this file: less server.msg. Binary, oh that's ugly, so let's file it: it is a Microsoft Outlook message. So what I would probably recommend doing is just opening up Outlook, but if you don't have Outlook handy, I'd probably just Google the MIME type and search "bash" to see how to view it in bash. Let's see, maybe "bash convert"... "opening a .msg file in Ubuntu", and it talks about installing a bunch of these things. The main thing is this libemail-outlook-message, I guess it's a dependency, but you want to download these files and then you have msgconvert. So if I now do msgconvert *.msg, we have .eml extensions. So if I look at servermsql.eml we can actually read the contents. Looking at the attachment, it is application/rtf, so this is probably just the same thing as the email in Rich Text Format, so they have text formatting, so I'm not going to pay too much attention to it. "Good afternoon, due to the problems caused by the Oracle database installed in 2010 in Windows, it has been decided to migrate to MSSQL at the beginning of 2020.
Remember that there were problems at the time of restoring the Oracle service, and for this reason a program called Restart-OracleService.exe was created in order to log into Oracle and restart the service. Any doubts, contact us." So that's probably what the Restart-OracleService is; it's just a program that probably has hard-coded binaries to do something to restart this service. Let's look at WinRM, and it says "after the last pentest we've decided to stop externally displaying WinRM services. Several employees are the creators of Evil-WinRM, so we don't want to expose this service. We have created a rule to block the exposure of the service and have also blocked TCP, UDP and even ICMP output so that no shells of the type ICMP are used." So it's just talking about the firewall. And we also can look at the email: it is to helpdesk, I don't see a From, I don't know who sent this email, nothing there. less servermsql.eml, we have two: cybervaca. So we have another user potentially on this box. We could go back here, v users.txt, add cybervaca and go do a Kerbrute; so that was in this pane that has the history, userenum, and we do have the valid user cybervaca, but pre-authentication is required, so we don't get his hash. But at this point we did validate that that is a user.

So let's go back into our smb directory and we want to look at this Restart-OracleService. I'm going to do a file against it; we can see it's just a PE32 executable. I want to say if it was a .NET file, file would be able to tell me it is .NET, so we know this is not .NET. We could run strings against it and see if we get any quick wins. I'm just glancing at the output to see if we have any human-readable strings; just a bunch of stuff. This is, I think, the export table, import table, and it doesn't really look like we have anything. This is all just some type of packing; I'm seeing a lot fewer strings than I'm used to seeing, and everything's the same length, so I'm guessing it got run through an obfuscator.
So let's go and copy this over to a Windows box so we can see what it does. python3 -m http.server, and then I also want to do an ip addr, and I want my 192 address so I can copy it easily to my Windows box. So let's go up here, WinDev, go to Chrome, then :8000, download Restart-OracleService, and let's copy it over to our desktop. Did not copy... oh, there it is. So I'm going to go into a command prompt, Desktop, oh man... there we go, that's bigger. .\Restart-OracleService, and we see it does nothing. So what I'm going to do is run Procmon, and this will kind of tell me what the process is doing. And one thing that you should always do before reversing something is take a snapshot. I did not snapshot my machine, so if this was actual malware or something, it could hose the machine and it'd just be a sad day all around.

So running this now, not seeing anything; is this not starting? Let's see, filter, let's remove... okay, we see everything. Oh, I don't have .exe, so if I filter for .exe we can see everything that this program did. Is there an easy way to change the font size? 22, there we go, make this bigger, okay, it's a bit better. So now we can see what this process is doing: it's doing a bunch of registry stuff, Load Image, again open registry; this is just the program loading. And we do have it creating a file in AppData\Local\Temp, and let's make this a bit bigger; we can see it creates this e8bf thing, and then we can go to it. So let's go C:\Users\ipsec\AppData\Local\Temp and then we want to look for e8bf. I'm typing e8 and nothing's coming up, so it looks like it deleted that file already. So one thing I'm going to do, and again you should only do this on a machine like a VM, I would never do this on a production machine, but let's go and remove our ability to delete files. So there we go, ipsec, let's take away Full Control and Modify; Read & Execute is fine, List Folder Contents, Read and Write, that looks good. I don't think we can delete files now. Windows really doesn't like when you
do this, so yeah, it errored a bunch; I just kind of ignored it. Let's see, is there a way to clear this? Reset Filter, no... Drop Filtered Events, I did not do it, don't want to do that again. Clear, there we go. So let's run this program again and then we can scroll near the bottom to look for the file it creates, 54AE. I'm seeing if we can see the failure on trying to delete it. Oh well, 54AE, let's see if we can find that: C:\...\Local\Temp and then 54AE. So now we have some files. So if I cat this we have a bunch of stuff, a lot of base64, and that writes it to oracle.txt.

So I'm going to copy this again, let's go over to our Linux machine, and I'm going to mkdir www, which I should have done earlier, but I knew I was in the smb directory and didn't have anything interesting. But let's copy this into www, go into that directory, run the server, and now let's do temp.bat, I guess, is the name, paste the file in, and we should see what this is doing. So it's looking if the username is equal to cybervaca, frankytech or evasion, and if they are, it goes to this, which drops oracle.txt; otherwise it's going to go all the way to :error, which goes to nothing. So let's get rid of this; actually, let's just do the echos. We can comment this stuff out and now it's pretty much a bash script. So let's rename C:\ProgramData to nothing, and now it's just gOracle.txt, which is fine, and I can run it with bash and we have gOracle.txt. If I do file against it, it is ASCII text because it is just this base64, so we can do base64 -d gOracle > gOracle, and now when we file it, it is another executable. So what was the first one? This Restart Service, this is just a PE32 executable; this is, I guess, compiled... no, PE32 executable console. This one is stripped, but not too much there. So let's move gOracle to gOracle.exe and we can go back to our WinDev machine and let's execute this. So where is my browser? I closed it. So go back to this, download gOracle, copy it to my desktop,
and then let's open up Procmon. Let's go Filters; we can change this one to be just gOracle.exe, apply it, yes, add it, and then we can execute it. So .\gOracle, it's hanging and just has this "restart oracle" prompt. So we could look at exactly what this does: Load Image, RegOpenKey, see, Load Image, that's mscoree, a bunch of stuff. So I don't really see it creating files or anything. So the one thing I do want to look at, out of curiosity, is all the images it loads, so I'm going to create a filter for this: we'll include Load Image, and here's all the DLLs it uses. Early enough it is pulling a .NET DLL, mscoree; I don't think that is normal. We can check that by, let's go Filters, and we can replace this with cmd.exe, because that is not a .NET program; we want to leave the DLL. And here we're not loading any .NET DLLs in our cmd prompt. So this is now becoming interesting, because the file itself is not .NET but it loads a .NET DLL, so it looks like it's some obfuscated form of .NET. So let's see, gOracle.exe, yes, oh wait, I wanted that; let's see, Architecture, Process Name, gOracle.exe, add, apply, there we go. So we can see all the DLLs it loads. I executed it twice, so that's why I see it twice.

So let's open this up in a debugger; I can show you generally what I would do in this case. x64dbg, x96dbg, release, open this up, and then File, Open, go back to the desktop, gOracle, and then we want to go up to main. So we're hitting TLS callback breakpoints. I know this is super small; we won't be too long in here. So it goes to entry, this is thread entry; this is probably different than what default is. So all I did here is I went to Options, Preferences; you can set where you want it to break. So TLS callbacks, I was breaking there, it's also breaking on exit and entry. I don't know what is default, I think it's just like this; I think that's your default options in x96dbg, but it stops. So the one thing I would do is just set it to be the exit. So I'm going to run the program,
thread created, process stopped with exit code here. So the process is running now and we hit the breakpoint; if I go again, debugging stops. So now we stop this program from exiting, we can go into the Memory Map and start pulling things out. How do I make this font bigger? Let's see, Preferences, no, Appearance, Font, General, Disassembly, maybe General, there we go. So what I want to look at is mapped memory. This is all IMG, it's not interesting; private, MAP, and I'm looking... I glanced first for read-write-execute memory and I don't see anything. So the next thing I want to look for is read-write memory that is mapped. Let's see, there's a lot of it; image, where am I, .text, can you sort by this? Yep. So MAP, let's go... why are you changing the program? Stopped. Follow in Dump, so this... nothing. Let's go to the next one, read-write, Follow in Dump, and we have an MZ header right here. So we can see it starts with... let's go Options, Appearance, Font, let's see, maybe we change it all to 18, hex dump, there we go. So we can see the MZ header right here, so this is a PE, which is just a way of saying a Windows executable. So I'm going to Dump Memory to File, gOracle.bin, and we can put it on the desktop, and I'm going to rename this to be mem... gOracle-memdump.exe.

So again, the reason why I went down this path quickly in the debugger was I knew this program utilized .NET, so I wanted to see if I could extract the .NET executable it was doing some type of injection with. So memdump, and now it stopped working: "username or password is incorrect". So at this point we can open it up in dnSpy, which is just a .NET decompiler, and we can do File, Open, and then Restart-OracleService... oh no, that's not it. File, Open, gOracle-memdump, and we see, I think, the app domain is called RunAs, and we're just looking at this program; we can see it's calling cmd.exe specifying sc.exe stop OracleService and then start it. The username is svc_oracle and we have the password, Oracle service 2010. So this is all good and I'm going to copy
this to my Kali machine, so svc_oracle and this. So let's go to my Parrot machine, I should say; old habits die hard. So let's go back into my creds file and then oracle_svc, there we go.

So going back into WinDev, we could do this challenge a different way, and how I did this extraction wasn't actually the intended way. The intended way was to just use API Monitor and grab it that way. So if we look at this, it's just using the default Process.Start thing. So if I Google API Monitor, I think it's on rohitab or something, I probably pronounced it wrong, but yeah, this program I think I used in another video. Let's see, download; this is going to be like Procmon, but it sets up a bunch of hooks that will monitor all the Windows API calls. So let's install this, come on, bring it to install, accept, complete. So since it monitors all the API calls, we can see it making this process create thing with credentials. So let's see, where is API Monitor? I think it just put it somewhere, there we go, that's 32... okay, I downloaded the 32-bit version, that's going to be annoying; there we go, bring it to install, okay, yeah, I think I installed only the 32-bit version the first time, now I should have 64-bit. So API Monitor, what is it, x64.
There we go, so it's loading. We can now File, Monitor New Process, and let's specify the desktop and then we want, what is it, gOracle.exe, no arguments, okay. And oh, I think we have to check everything; so this is what we want to hook, and I generally hook everything and then filter out afterwards. So a bit of clicking here and everything's clicked. So let's run, let's just do this again, okay, come on, restart oracle, and there we go. So this is the very first one I ran, has nothing here; now we have it hooked and we can see everything it's doing. So that's a lot of prints you can... okay, let's go to the bottom before it shuts down, I guess. Status success, DeleteCriticalSection, HeapFree, GetProcess, clr. So clr, this is the .NET stuff, so I probably passed it; if we're already in the CLR maybe it's exiting. See apphelp.dll, let's get GetProcAddress. This is a lot of data to go through; let's try sorting by duration, is that easy? Can I not do that? Sorting by error, doesn't look like I can do that. I'm going to just scroll quickly and look at errors. So let's see, buffer, system, couldn't find something... say, maybe Page Up and Page Down is the better way to go about this. There's another buffer. It's funny when I can do this statically faster than I can do it dynamically; normally this is the faster method. See, system could not find something, nope, well, there's a lot of errors here in the registry data. Can't... let's see, system can't, clr, I think we're getting close, that's OpenThread. So I think we just injected the .NET program here; environment, core, so yep, this is enabling cores, GetThread, open object. Let's see, I'm about to just use my hindsight and search for this to see exactly where it exists and then work my way back to figure out how I would do it in the future. So let's go to the top, click here, and then we can search for CreateProcessWithLogon, and we can see right here in the clr we have CreateProcessWithLogon. Let's search for the next one; there we go. So in this we
probably would just search for the module clr.dll and it would become more apparent. Also, this is taking longer than the others, like 1.6 milliseconds versus whatever this is, so if the sorting by duration had worked it probably would have been near the top. But we can see the call here, and I bet down here it should show the thing as well; we can see the password. So this is how you do it with API Monitor, a really fun program if you want to just hook things and see this call and stuff. But yeah, so you didn't have to do it with a debugger, you could have done it this way. But let's go back to Linux, where I'm more familiar, to play with this.

And as I switched over to Linux I realized I forgot something, so let's go back to Windows and fix the permissions on our Temp directory, because who knows what we broke with that. So if we go into this Temp we can no longer delete files, and if I would go into Properties and try to modify my permissions to enable it, I'm going to have issues, I think. Apply, yeah, because we don't have the ability to modify files. So we're in kind of a dilemma. The easiest way to fix this is just open up a command prompt and let's go... well, the easiest way to fix it would be to revert to your snapshot, because you took one, right? But if you did not, you can go AppData\Local and then icacls Temp /inheritance:e to enable, and now we have re-enabled inheritance on this directory, which we had disabled before. So if I open a new Properties, go to Security, ipsec has the permissions of its parent directory, which is Local, and we can now delete files. So what was it, 54..., delete, and yep, it works. So that's how you would restore it.

So now let's go over to our Linux machine, and if we cat the creds that we put in, we can try using these oracle creds. So we can do cme smb 10.10.10.240 -u oracle_svc -p this credential, and it takes a second for CrackMapExec to work, and we get nothing. So let's go and use the Kaorz credentials, so Roper4155, Kaorz, make
sure we have this correct. It does. I'm going to do --users | tee userlist.txt. So what we're doing here is using CrackMapExec to dump a list of all users, and we could have done this with Python BloodHound, but we're going to be doing that later in the video, so I figured I'd show this. So if we cat, what is it, userlist.txt, and then let's do awk print $1 $2 $3 $4 $5, we have a list of users; v users.txt. Oh, we have to remove this coloring; let's see, we can just remove everything up until a backslash, because we know the domain: s/.*\\//, like that, there we go. So everyone is here, and we can see the default users, Administrador, because this is a Spanish version of Windows, I believe. But with this users.txt we could now spray the password we have and see if we get any hits, and with this I would also use CrackMapExec to do a password policy dump to see if there's any account lockout. So we could do, shoot, --pass-pol; let's see, we just want to specify one, was that Kaorz? Here we go, --pass-pol, like that, and this would tell us that there's no lockout configured, so we're free to do all the password spraying we want. Minimum password complexity, let's see, account lockout threshold is None. So we didn't get any cracks from this users.txt.

So let's see, we do have a svc_mssql, we don't have that svc_oracle, but we do have svc_mssql. So what I probably would do here, since there's no lockout, is create a text file of some common passwords and then set a big brute force going with all the users on those. So what we do is v pass.txt and say Winter2021; I think this box was a few years ago, so, a few months ago, so we do passwords like this and then set this to run, and while that goes we could be playing with the svc_oracle. Now looking at this we have Oracle service 2010, so the email we have, let's see, when was this sent? cd smb, less servermsql.eml, this was sent 2020 and they migrated at the beginning of 2020.
so the password could potentially be if we just replace oracle with ms sql svc ms sql 2020 so let's try this one so go back to our crack map ms sql svc dash p and try this it's attempting to log in and that does not work let's see what was the account was it mssql or just msql so user.txt users.txt svc underscore msql is that what this was for oracle when dev no oracle uh no svc underscore oracle so i did get that reversed so try this and we get in so let's go and fix our creds because it's svc underscore which makes a lot more sense in normal domain for service accounts you would normally have svc at the beginning so when someone sorts by name they can see all the service accounts so that makes a lot more sense than how i had it but i don't think there was a svc oracle account so nothing else i did was wrong but some people probably upset by that as i was going through so now we have credentials to ms sql so do we have msql.pi we have msqlclient.pi let's see this is where the box got really tough and the unintended route was a lot easier alamo has a msql thing to enable commands which was actually unintended so let's see msql shell let's see let's try this real quick i've not actually ran this is this python two or three uh it's doing from future import print function so i think this is a python 2 script let's see sql.pi set paste we can disable that 10 10 10 240 svc msql then we want to grab the creds go here paste it let's see if it works oh let's see error and then 10 deaf cases python 3 svc underscore ms sql oh we need to do the domain let's see the domain we can pull through crack map exec come on right here so copy paste here still nothing let's try changing the default user or the user to be the default msql user which is sa to see if it logs in this way so python3 sql.pi and we have a login and we can do who am i and we see msql sql express if we do slash all we can see we do have the sc impersonate privilege and from here the um where you can go through 
the box is pretty self-explanatory if you've watched the other videos of this. However, I'm going to hold off until the very end of the video to show you that way; potentially, if this video is too long and I get burned out from recording, I'll leave that up to you as an exercise, but you can pop the box that way. The intended way is much, much cooler, because it converts Microsoft SQL into a proxy, so you can use the Microsoft SQL service to pivot to other things on the network, or just to ports on localhost. So I'm going to Google "mssql proxy" (I think I put an extra s there), and this is the repository we want, mssqlproxy. It uses impacket. "Please read this article", which is a blog post, and pretty much every command I'm going to be typing is out of this. It's a video; they run all the commands, and this is what I'll pretty much be typing. The only catch is this is two years old, and if we look at it, it is Python 2. However, 0xdf has ported it to Python 3; if we go to his pull request, let's go to his branch and we can just git clone it, so now we'll have a Python 3 version. Git clone this, which just makes it easier to run. We also want to go to the releases, which are not on 0xdf's fork, they're on the original repository. If we go to releases we can download this DLL; I wonder if we need to download assembly.dll, I don't think so. So we can move ~/Downloads/reciclador.dll (however you say this) into the current directory and we can execute mssqlclient. What is the domain? Here it is. So `python3 mssqlclient.py` (this may be in impacket now, so you may not even have to download this, but we definitely need the DLL), domain/user, which was svc_mssql, then @10.10.10.240, and they say `-windows-auth`. Let's see: "no module named thread". pip3 install thread; is it threading or thread? This doesn't seem to be working, so I'm going to try to do it with just the version of impacket I have on my box, so mssqlclient.py, where is this installed? /usr/local/bin; okay, I don't know where I got this from. python3 install thread... I don't know if this is something that's just in impacket itself or I had downloaded this and put it there; it's in /usr/local/bin, so I may have put it there. The "thread" package, `import thread`, `threading`; I think it's threading, pip3 install threading. Let's see the mssqlclient from impacket's examples: python3, import thread, no module named thread. Do we have a different version of Python 3? We have python3.8; let's try 3.8, pip3.8, 3.7 is here as well. My OS needs a complete rebuild; it's gotten absolutely crazy over the years of doing Hack The Box videos. pip3.8 install threading; I don't think this needs my keyring password, I don't even know what that is now. "Cannot find a version that satisfies the requirement threading." I guess we can just Google the error message and see what comes up. Stack Overflow: in Python 3, instead of `import thread`, `import _thread`. So I wonder if 0xdf was just working on an old version of Python with this, since I think it said it was deprecated, yeah, for 3.6 maybe. Let's try this: vi mssqlclient, search for thread and replace it with the underscore version. Let's do python3.8. That looks better. Okay, oh, we have creds here, so let's paste this credential. "Invalid user", so let's get rid of this and just try the sa password for the default system administrator, and we're in.

The very first thing they did in that video was enable OLE, and then they upload reciclador.dll to C:\Windows\Temp. Am I spelling it right, r-e-c-i... let's just copy it. ls mssqlproxy, here we go; let's not make any typos, paste it here too, and see if it uploads. "Error uploading". Let's see, the host to test.txt; I don't know if we do double backslashes; C:/Windows/Temp like that, maybe. We're still getting "error uploading", which I don't know if that's my mssqlproxy having an issue or not; not proxy, but mssqlclient, or we forgot to do something. Let's see: the commands are download, upload, and I like how it says "you know what this means". I actually don't know what that means. I'm sure if I just read the blog post it would make sense, but I don't know why this upload isn't working. I'm guessing it's the client. We're sa, we logged in, and we can't upload. I'm starting to think that we did a bad job converting this to Python 3. I want to go back to the repo; where is it, let's just Google mssqlproxy, go back here, look at the pull request commits and see what happened. So 0xdf is putting _thread. Did I git clone... I am cloning from him. Oh, he created a new branch, so I did not specify the branch when I was doing this. What I'm going to do is move this DLL up one directory, wipe this out, git clone with `-b python3` for the branch, and then we can move that back into this and all should be right. If I now just execute this, we probably have to specify 3.8; yep, it just magically works. Let's see creds.txt. I should have remembered all this, because back when he did this, February 16th, both me and him had ported it together and troubleshot it to make it Python 3.

But let's enable OLE and then try that upload command again. Upload here, and watch, it's still going to fail and I'm going to go crazy. Upload... there we go, that is good. Now that we have it uploaded we can do pretty much the same thing, well, not the same thing, but keep following that little video that we linked earlier. So `install -clr Microsoft.SQLServer.Proxy.dll` and then paste the password, which I think I had wrong; cat creds, grab this, paste the password. "No such file: Microsoft.SQLServer.Proxy", so I think we have to upload this DLL. I'm probably going to pause the video and look through some of my notes to figure out exactly how I did this step, because this is something I don't do often and I guess it is complicated. I think I missed the step of uploading that Microsoft SQL Server DLL, and I want to say it is this assembly.dll. So if I save this file, move assembly.dll here, and rename it to be Microsoft.SQLServer.Proxy.dll, now when we go in we want to do another upload... wait, oh, I guess it pulled it from my directory; I did not expect that to happen, but "successfully uploaded and installed". So now we can do `-check` and we want reciclador; I think we don't do a dash there; C:\Windows, I think I'm spelling it wrong; "unknown arguments"; you can add a dash there, see what happens, copy, paste. So reciclador is installed. Now if I do `-start`, paste the password again, and we are listening locally, so I think that's just a SOCKS proxy we have. `sudo vi /etc/proxychains.conf`, and is there a socks5 or a socks4 line? I'm guessing this is it: `socks5 127.0.0.1 1337`. If I do `proxychains nc 127.0.0.1 445`, okay, we got a new connection and we connected to this port. We could do `-zv` so it just connects and disconnects, and I can do 5985, and we can see we can now connect to port 5985.
It connects and stops. If we don't do proxychains and specify the IP of 10.10.10.240, it doesn't connect. So what this is doing is going through that SOCKS proxy, which goes through this application, which then goes to the MSSQL server, so localhost is that box. This is a fun way to pivot through the proxy. Now we can do evil-winrm: `-u` the user, svc_mssql, `-p`, cat creds, paste it, and then `-i 10.10.10.240`. I did it wrong; `-i`... oh wait, it should be localhost, 127.0.0.1, and this needs to be proxychains. `-i` is IP, `-u` is user and `-p` is password, but I'm guessing I have to put it in quotes because this is a comment character, and that's it. It's connecting, and now we have successfully pivoted through, accessed WinRM, and we are on the box as the svc_mssql user. Let's do dir. I probably should have set proxychains to be quiet, because every time I do this it's going to... oh, it's not doing it every time; I guess maybe my connection died or something, I don't know why it decided to print there but not other places. Oh well. If I do dir on Desktop we have note.txt and credentials.kdbx. Let's type note.txt to read it: long-running processes can cause issues, switch to SSH after getting credentials. So let's download credentials.kdbx; we can just download it, I think that will do it. Download successful, so let's exit this. We have credentials.kdbx, which is a KeePass database, so we probably have to run keepass2john on it, and we get a hash. I'm going to try seeing if it's in hashcat first, so again going back to cracking: vi hashes/keepass, paste it in, and we can see if hashcat knows how to crack this. It's doing its auto-detect mode, please be patient, come on hashcat. And if it doesn't have a... well, no, it did detect it, because we have detection right here, 13400, and it has recovered it already. Let's just do `--show` and we can see the password is mahalkita; I don't know exactly, that's probably something non-English. creds.txt: put keepass and that password. Now we have to open this database, so I'm going to run KeePassX, then Database, Open, specify credentials.kdbx and paste in the password. Clicking around KeePass, we see something on Windows; I like just checking everything. We have some sample entries, michael123 or 321, this doesn't look like anything interesting. We should go back to Windows, and we have SSH credentials for 3v4si0n. Is SSH on this box? Did I completely miss that when doing my nmap? Let's look at nmap/pivotapi; I don't see 22, ssh, 10.10.10.240. Wait, what? I think my nmap just completely missed SSH. Let's do `sudo nmap -sC -sV -oA nmap/pivotapi2 10.10.10.240`; I'm just going to run that again, and I want to look at this real quick. The reason why I jumped to SSH is because the note said please use SSH after getting credentials, but we don't see SSH in our nmap, so something went odd when we were scanning, or maybe nmap just doesn't like this port for whatever reason, but I don't think that's the case. Let's try `ssh 3v4si0n@10.10.10.240`, yes, and then we have to do the `-o` thing. Searching "ssh do not use key login": Windows is really weird when it comes to SSH logins. What's happening is, if I do `-v` we can see it's attempting to use all my public keys, and this is actually counting as password attempts, so the public keys fail and it's like nope, you can't log in anymore. So "ssh do not use pubkey", there's a `-o` option, here we go, we want to add those two. That looks better, and we can go and pull the password, and we're SSH'd in. Awesome. I'm going to go back into creds.txt and paste these creds, and I'm going to clean up real quick. Let's look at nmap/pivotapi2.nmap and we see SSH is listening now, so my nmap just missed it, and this was a scan running without using scripts. This is why I don't like playing with `--min-rate`, because nmap will miss things more often than just a regular scan. "Simple DNS Plus", is that different? Nope, it's the same. But yep, always be careful with nmap; I guess it's not 100% reliable, or maybe SSH wasn't running at the time I scanned, I don't know. Let's clean up my connections so we can just have a good pause point. What if I do `-stop`? Nope, I don't know if there's a way to clean that up, so we're just going to leave it there. Exit, exit, and here's my normal nmap.

Okay, so let's cat creds.txt and we'll SSH into this box. `ssh -o`... do I have `-o` here? Grab this. ssh, there we go, and then 3v4si0n@10.10.10.240, paste the password, and I'm going to run powershell, so now we have the ls command; it's not actually in PowerShell, I think it's aliased to Get-ChildItem, but it just makes life easier. If we go into Desktop we can do dir and we see user.txt. See what else is there: if we go to the root of the drive there is this Developers folder; if I go into it we don't have permission to do anything in here. We do whoami /all and we can see what privileges we have. We could do net user, but we've already kind of done this with our CrackMapExec a long time ago and got a list of users. So now's a good time to run BloodHound. We could upload SharpHound there, but one thing I like doing, and I think I have it on my box, is bloodhound.py. If I go into bloodhound.py, let's just clean up all the previous things; we can run `python3 bloodhound.py` and generate the BloodHound data this way as well. It doesn't matter which user we do, we have plenty; all the users will get the same data, but we can do 3v4si0n@... do the whole domain, okay. We can specify `-ns` for the name server, so 10.10.10.240, then `-d`, and `--dc` we'll do pivotapi, and this works because we've
done our hostname in our /etc/hosts file. If I do less /etc/hosts we can see pivotapi and the whole domain is there. I think I just need to put the password now and it may work, so `-p` like that. It doesn't like the `--dc`; you don't have to specify that. Shoot, digestmod; 3.8, let's see if it works here. Looks like it does. I think I was running Python 3.9, which I hadn't installed all the dependencies for, but you can see it is working now and we have some BloodHound data; we see the JSON. I'm going to `sudo neo4j console` and then run BloodHound, log in with our credentials, and then upload. htb/pivotapi, oh no, this is in /opt/bloodhound.py, up, bloodhound.py, and we have a few JSON files, so we can upload all these, and once it's there we'll be able to play around within BloodHound. It looks like it is all uploaded. Now we can just go to Analysis and Find all Domain Admins; there's two, we have cybervaca and Administrador. We can also do Find Shortest Paths to Domain Admins, a common one, and we don't see any paths. We can kind of click around and see what there is, but at this point we should mark all the users that we have as owned. We have 3v4si0n, so let's mark him as owned; wait, what, Mark User as Owned, there we go. We have the service account for MSSQL, mark him as owned, and we also have kaorz, mark as owned. That lets us do Shortest Paths from Owned Principals, which is a nice query. If we look at svc_mssql there's nothing, if we look at kaorz there's nothing, and then we can go to 3v4si0n and we have nothing. It looks like I didn't collect something by default, I think; hold on, let's do 3v4si0n. I'm looking at this and I don't have any things here; I should see, well, group memberships. I'm going to try collection All with bloodhound.py, so `-c All`, and we'll see if this gets us anything extra. The output looks kind of the same, but we'll see if there's other data now in this. ls -la... this one is considerably bigger than that one, so there's definitely more information here. We can just run BloodHound again, upload the new files, and we'll see what extra data we have. Now if I go to Analysis, Shortest Paths from Owned Principals, 3v4si0n: we actually have data here. We can also do Shortest Paths to Domain Admins; it's now showing some groups, before it just showed users, but there's nothing really there. Owned principals: is there anything in svc_mssql? He can WinRM into the box, so nothing really there. kaorz, there's nothing for him, and 3v4si0n is pretty much the same thing, except he's got GenericAll over Dr.Zaiuss. Having GenericAll over Dr.Zaiuss means we could reset his password, so we can mark him as owned too, because we know we have that. The other way you can kind of find this: if you click on your user and scroll down we can see First Degree Object Control, and we can see I have GenericAll over a lot of users. We could own any one of these: manuel, qwerty, oscar, 0xdf, or even myself, ippsec, so we can reset any of those passwords. Let's go back into our SSH, and if I do `net user ippsec Password123!`, I'm guessing that means the command completed successfully. If we try cybervaca, which we know is a user, it gets access denied because we don't have GenericAll over that user. But the really interesting one is Dr.Zaiuss, because that had a shortest path. Let's go back to that and look at this: Shortest Paths from Owned Principals, 3v4si0n, so he can reset Dr.Zaiuss's password, who is a member of WinRM and can WinRM into the box; so 3v4si0n itself was not a WinRM user. Let's see what Dr.Zaiuss can do: Analysis, Shortest Paths from Owned Principals, Dr.Zaiuss. Dr.Zaiuss doesn't really have too much; he can WinRM into the box. If we look at his First Degree Object Control, he does have GenericAll over two different users: the first one is superfume and the second one is manuel qwerty. Well, the qwerty user we could already control because we have access to it from 3v4si0n, and looking at his First Degree Group Membership he's just a member of, I think that's Domain Users, so it's not too interesting. Let's go to that second user. Clicking all the way back (I wish there was a back button to just go to the previous screen), we can look at superfume, and if I look at the groups here he's a member of three groups: Developers, WinRM, and Domain Users. So this one user is more interesting because he's a member of that Developers group, and as 3v4si0n there is this Developers folder that we can't access, so I'm guessing the superfume user can access this. Let's reset the password for Dr.Zaiuss: dr... is that it? d-r-.-z-a-i-u-s-s; okay, "user not found"; z-a-i-u-s-s, there we go. Now we want to WinRM as him, because we can't SSH as him, I don't think. If I try dr.zaiuss, that's right, I think, P@ssw0rd1... oh shoot, I have a typo in that password, thankfully I noticed. Copy, paste; can't log in. Let's go back to 3v4si0n, and we can say `-L 5985:localhost:5985`. What this is going to do is use SSH to do the port forward instead of doing WinRM through that mssqlproxy thing. cat creds, grab 3v4si0n's password, and then we can evil-winrm as this user: `evil-winrm -i 127.0.0.1 -u dr.zaiuss -p P@ssw0rd123!`; see if that works, and if not we'll try resetting his password again. `nc -zv localhost 5985`, that works. It's having trouble locally: "the requested host name is invalid". So, a way to specify the hostname: realm, scripts, IP. Let's do `sudo vi /etc/hosts` and try 127.0.0.1; actually, we can just yank this line and try this, `-i pivotapi`, see if this works. `net user dr.zaiuss P@ssw0rd123!`. Maybe my hardest part is going to be typing these users. Let's try this, see if this works.
There we go, finally in. I think I was mistyping this user's name. Now we have a shell as Dr.Zaiuss and he could reset superfume's password, so `net user superfume Password123!`, and then we can do `evil-winrm -i pivotapi -u superfume -p Password123!`. Now we're in as superfume, so let's cd Developers, and there's two directories, jari and superfume. If I do dir on jari... oh, I can access it: we have program.cs and RestartMssql.exe. If we do dir on superfume there's nothing here. Let's go into jari's directory, and I'm just going to look at program.cs to see what this is and whether we have a credential. It looks very similar to RestartOracle except it's doing RC4, so we could probably just download this program and have it print out the data. I'm going to download RestartMssql.exe and we'll copy it over to Windows. Let's see, is this where it is? Yep, so we can cp RestartMssql to www. I think I still have the web server running; maybe I don't. Let's do `python3 -m http.server`, then jump over to our Windows machine, close out of API Monitor, go here, refresh the page, download RestartMssql; I think it wants us to trust it, let's keep it, and I think it's in Downloads; "unconfirmed", still, is it common? Keep, keep anyway, there we go. Copy this over to my desktop. I switched away from Chrome, like I did a cut, because I noticed whenever I was going into Chrome on this Windows machine my mic was giving me issues, which is weird; that was happening earlier in the video when I was doing any reversing, sorry about that. But we want to go back to dnSpy now, and we can open the new exe we downloaded, RestartMssql, and funnily enough I think the class, or whatever it's called, is RestartOracle, not Mssql. So super similar source; we can see the namespace, that's what it's called, namespace right here, but now it has that RC4 piece. So we can right-click, Edit Method, and we want to display this byte array. Let's copy this Console.WriteLine and then just change this to be Encoding.Default.GetString and then the array, like that, and click Compile. Now we have edited this; before we save it, let's cd Desktop and execute RestartMssql, and we don't see anything; it's going to sleep for five seconds and then return. So now if I save the module and execute it again we get a second string, and this is the password for jari, which is the username here. I'm going to switch back to my VM and we can go `vi creds.txt`, jari and then this password. But we probably should validate it's correct, so `cme smb 10.10.10.240 -u jari -p` and we'll put the password in, let this run, and hopefully it says Pwn3d, but it doesn't, it just says valid credential; we have nothing else. Let's go back over to BloodHound. Did we mark Dr.Zaiuss as owned? We can mark superfume as owned; let's make sure he was owned, he is, and also jari is owned, so let's mark him as owned. I'm going to click on him as well and see what the jari user can do. First Degree Group Memberships: Developers, WinRM, I think Remote Desktop Users maybe, I don't know, and Domain Users; I just see the remote thing, so I don't know exactly what this user can do. He does have ForceChangePassword against two users, gibdeon and stormq. Let's look at what these users are. I can mark both of these as owned because we can change their passwords, so we know we can log into them. Let's go back to Analysis and do Shortest Paths from Owned Principals; look at gibdeon: he is a member of this, GenericAll to WinRM, and he can PSRemote. Okay, look at the stormq user, what can he do? Oh shoot, I forgot to do Analysis, Shortest Paths from Owned, stormq: nothing, no data returned for him. I'm going to look back at gibdeon and see if he owns anything;
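The video recovers jari's password by patching the RC4 routine in RestartMssql.exe with dnSpy and running the binary. An alternative that avoids executing an untrusted binary at all is to lift the key and the encrypted byte array out of the decompiler and decrypt them offline. The following is an added example, not code from the video or from the binary: a self-contained RC4 implementation plus a helper that mirrors the `Encoding.Default.GetString` call the video patched in. The key and ciphertext below are constructed sample data (the public RC4 test vector "Key"/"Plaintext"), not the values from the box, and the cp1252 decoding is an assumption about what `Encoding.Default` resolves to.

```python
"""RC4 keystream generator and decryptor.

Added example, not code from the video or the RestartMssql.exe binary.
Use: copy the key and the encrypted byte[] out of dnSpy and feed them to
decrypt_embedded_array() instead of patching and executing the binary.
The sample key/ciphertext below are the public RC4 test vector
(key "Key", plaintext "Plaintext"), not the values from the box.
"""
from typing import Iterable, Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm: permute S according to the key bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: produce the keystream forever.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data`; RC4 is symmetric (XOR with the keystream)."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_embedded_array(key: bytes, encrypted: Iterable[int]) -> str:
    """Decrypt a byte[] lifted from a .NET decompiler into a string.

    Mirrors Encoding.Default.GetString() from the dnSpy patch in the video.
    Assumption: Encoding.Default is cp1252 on the target box; undecodable
    bytes are replaced rather than raising so a wrong guess is still visible.
    """
    return rc4_crypt(key, bytes(encrypted)).decode("cp1252", errors="replace")


# Constructed sample input: the RC4 test vector, *not* the real key/ciphertext.
SAMPLE_KEY = b"Key"
SAMPLE_CIPHERTEXT = bytes.fromhex("BBF316E8D940AF0AD3")

if __name__ == "__main__":
    print(decrypt_embedded_array(SAMPLE_KEY, SAMPLE_CIPHERTEXT))  # Plaintext
```

In dnSpy the byte array shows up as a `new byte[] { 0x.., 0x.. }` initializer; pasting those integers straight into a Python list works as the `encrypted` argument, and the key is whatever `byte[]` or string the RC4 class is constructed with.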
click here, Explicit Object Controls; let's go back to groups, what is he a member of, Unrolled Group Memberships. This is a mess; I don't know what this group is. Let's copy this, go to translate.google.com and see what this is. I don't know what that means. "Getting started with group managed service accounts"... I think this is Domain Users. Let's see what this means; it's always challenging troubleshooting something in a language that's not your native one, or one you don't know at all. What is this, Domain Users? So that one translates well, this one not so much. I'm guessing, maybe... oh, description, that'll be good. What is the description? "Members that can manage domain users and group accounts". So this is LAPS; this group is important, so we're a member of it. Let's switch over to him. If I go back into here, whoami; I think all my sessions died. whoami, yeah. Well, we don't need to start the chain at Dr.Zaiuss because we have a credential, we have jari, so let's cat creds.txt and log in with jari. Okay, then we want to change the password for, is it gibdeon, like that? I'll find out: `net user gibdeon P@ssw0rd123!`. Am I allowed? net user... I think I spelled that correctly, gibdeon. That is access denied. Let's go back to jari: Shortest Paths to Here from Owned... we can go back to gibdeon and then if we do Shortest Paths to Here from Owned, there we go, so jari has ForceChangePassword. We can do Help on this edge; Abuse Info: Set-DomainUserPassword. I wonder if the net user command I'm doing just doesn't work for this. /domain, I didn't do it before, so I don't think it's needed. I'm going to try to use PowerView to change this password. To do this I need to copy PowerView to a directory, so I'm going to copy it to ps: `cp /opt/PowerView`, let's see, /opt/PowerSploit; if I do git branch you can see I checked out the dev branch. So let's go back to this cp, and then the directory is Recon/PowerView.ps1, and I'm going to copy it to the ps directory. Now with my evil-winrm command I'm going to specify `-s` and we'll do ~/htb/pivotapi/ps, so this should load all the scripts I have in there. If I do menu we should... well, let's bypass AMSI; I think we can now load PowerView if we just type PowerView.ps1. Once this works it's patched; PowerView.ps1, let's see if it loads. It's been a while since I used evil-winrm to do this. Now that it's loaded, I think I type the menu command and see the extra features I have, which are from the PowerView module. The function we actually want, which was referenced by BloodHound, is... where is it, here we go, Help, Abuse Info, ForceChangePassword: Set-DomainUserPassword is what we want. If I look at this, we have it right here; to use this we have to create a password that's a SecureString, so I'm going to call it $pwd and say `ConvertTo-SecureString 'Password123!' -AsPlainText -Force`. Now $pwd is a SecureString that we can use with `Set-DomainUserPassword -Identity gibdeon -AccountPassword $pwd`, and let's see if we can now WinRM. I called it Password123! with no leet. Establishing... is it going to say bad password, or is it going to let me in? Taking its sweet time, come on. I don't think it's going to work. Set-DomainUserPassword -Identity gibdeon, the password was this; try copying and pasting it. Authorization error, like that. What gets me is it didn't give me any error or output at all from the Set-DomainUserPassword command, so I'm not exactly sure. whoami, we are this user. We should be able to... does he not have WinRM? Let's look at the groups he's in, First Degree Group Memberships: oh, he is not in WinRM, so maybe that's why we can't. Notice he doesn't have any CanPSRemote edges, so we may have to run commands on his behalf, which is going to get a little bit more tricky, so let's work off of a text file, because this gets tricky. We'll call this gibdeon_path.ps1, I guess; if I do .sh I think we'll get syntax highlighting, actually, there we go. So the first thing we do is set gibdeon's password, then what we want to do is create a credential object for gibdeon, so we can do `$cred = New-Object System.Management.Automation.PSCredential` and then the domain, L-i-c-o-r-D-e-B-e-l-l-o-t-a, hopefully that is correct, and that should have been in quotes; I'm going to do single quotes, I hope I don't have to escape that backslash, that's why I switched to single quotes, because with double quotes that looked different. So we'll do it as single quotes and then the password is $pwd, so that should set the cred object. With this we should be able to `Add-ADGroupMember -Identity` the LAPS admin group `-Members`, are we gibdeon or jari? jari, okay, so we can add the member gibdeon, and then `-Credential $cred`, and let's add the LAPS read group as well. If we copy all these commands, let's see what happens; paste. I did not copy everything and now everything's erroring; copy this, let's just paste it again. If we do `net user gibdeon` does it tell us the groups? He is now in LAPS admin and LAPS read. Now we should be able to get the LAPS password, which is in Get-ADComputer, because the password is stored with the computer object, and I'm just going to do `-Filter * -Properties *`. I don't think I specified the correct user; say pwd expiration... let's do `-Credential`, and we called it $cred, I think, right? Is it creds, cred... there we go, that is gibdeon's credential, $cred; oh, is it -Credential? Okay, so now we run this as gibdeon and we got ms-Mcs-AdmPwdExpirationTime; there should be one for LAPS. What am I not seeing? Properties, is it ms-Mcs-AdmPwd? I think... I don't know why this isn't showing it; `-Properties`, weird. I could have sworn this should pull LAPS. Let's see, `net user gibdeon`, he is a member of LAPS. `-Properties ms-Mcs-AdmPwd`... let's see, "laps get password powershell". I wonder if it's just not a part of the version of Get-ADComputer that is on the box. ms-Mcs-AdmPwd, so this should get it; let's just copy this, paste, and we got the expiration time but we don't have the actual password, so that's a bummer. Thankfully there's more than one way to skin the cat, so we can always just revert back to a Python module to grab it: GitHub, "laps export python". Let's see what this brings us: we have this LAPSDumper script and we need username, password, LDAP server and domain. Okay, so go over here, `vi laps.py`, paste this in, python3, it's going to tell us; yep, so `-u gibdeon -p`, what is it, I think we had it here, cat gibdeon_path, that is why I created that text file, okay, and then what else do we need: domain. I can't find it in my history, but I did find it in this output because we typed it once, so we can do that, and then we need `-l 10.10.10.240` for the LDAP server, and this should have .htb, I believe. That weird Python error; let's do python3.8. Wait, LDAP bind error; gibdeon, I wonder if the password reverted for him by now. So $pwd, where's the set password, let's see, Get-, ConvertTo-, whoami, Set-DomainUserPassword, there it is. Try this again, and we have the password. This is probably not the machine account; this script makes it look like it's the machine account, but this is going to be the default administrator password, because you only do one LAPS account per machine, so this machine's random password is this. So we can do psexec.py, and the catch is this is a box in Spanish, so if we do Analysis, Find all Domain Admins, the domain admin is actually Administrador, not Administrator. If we try Administrator first, I don't think it's going to work: administrator@10.10.10.240
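Two things in the LAPS step above are worth having in code: what LAPSDumper-style tools actually ask the directory for, and why `Get-ADComputer` returned `ms-Mcs-AdmPwdExpirationTime` but no `ms-Mcs-AdmPwd` (the password attribute is marked confidential, so without the read right AD just omits it rather than erroring). The following is an added example, not the video's laps.py or the LAPSDumper project: it builds the LDAP filter for LAPS-managed computers, decodes the FILETIME expiry, classifies each result (not managed / managed but unreadable / readable), and wraps an optional ldap3 NTLM bind. The use of the `ldap3` library, the `DOMAIN\user` bind format, and the sample computer names and password strings are assumptions and constructed data; `PIVOTAPI$` is the only name taken from the box, and its "expiry but no password" row reproduces the symptom the video hit.

```python
"""Read and interpret LAPS attributes (ms-Mcs-AdmPwd) from Active Directory.

Added example, not the video's laps.py or LAPSDumper. The offline helpers
(filter, FILETIME decoding, classification) have no dependencies; only
fetch_laps_passwords() needs ldap3 and a live DC, and it is never called
by the sample run at the bottom.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LAPS_PASSWORD_ATTR = "ms-Mcs-AdmPwd"
LAPS_EXPIRY_ATTR = "ms-Mcs-AdmPwdExpirationTime"
# Only computer objects carrying an expiry are actually LAPS-managed.
LAPS_SEARCH_FILTER = f"(&(objectClass=computer)({LAPS_EXPIRY_ATTR}=*))"

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Decode an AD FILETIME integer into an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime (used here to build sample data)."""
    return ((when - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class LapsEntry:
    computer: str
    password: Optional[str]
    expires: Optional[datetime]
    note: str


def interpret_laps_entry(sam_account_name: str, attrs: Dict[str, object]) -> LapsEntry:
    """Classify one computer object's LAPS attributes.

    `attrs` maps attribute name to a single value (str, int or None), as an
    LDAP search would return it. Expiry present but password absent means the
    bind account lacks the read right on the confidential ms-Mcs-AdmPwd
    attribute; AD strips it silently instead of returning an error.
    """
    raw_exp = attrs.get(LAPS_EXPIRY_ATTR)
    expires = filetime_to_datetime(int(raw_exp)) if raw_exp not in (None, "", 0) else None
    pwd = attrs.get(LAPS_PASSWORD_ATTR) or None
    if expires is None:
        note = "not LAPS-managed"
    elif pwd is None:
        note = "LAPS-managed but password not readable by this account"
    elif expires < datetime.now(timezone.utc):
        note = "readable, but expired (will rotate on next GPO refresh)"
    else:
        note = "readable"
    return LapsEntry(sam_account_name, str(pwd) if pwd else None, expires, note)


def summarize(results: Dict[str, Dict[str, object]]) -> List[LapsEntry]:
    """Classify a {sAMAccountName: attrs} mapping, e.g. parsed search results."""
    return [interpret_laps_entry(name, attrs) for name, attrs in results.items()]


def fetch_laps_passwords(server: str, user: str, password: str, base_dn: str) -> List[LapsEntry]:
    """Bind with NTLM via ldap3 (assumed dependency) and read LAPS attributes.

    `user` must be in DOMAIN\\user form for NTLM. Network-only; not run offline.
    """
    import ldap3  # imported here so the offline helpers need no dependency

    conn = ldap3.Connection(ldap3.Server(server, get_info=ldap3.NONE), user=user,
                            password=password, authentication=ldap3.NTLM, auto_bind=True)
    conn.search(base_dn, LAPS_SEARCH_FILTER,
                attributes=["sAMAccountName", LAPS_PASSWORD_ATTR, LAPS_EXPIRY_ATTR])
    results: Dict[str, Dict[str, object]] = {}
    for entry in conn.entries:
        raw = entry.entry_attributes_as_dict  # attribute -> list of values
        name = (raw.get("sAMAccountName") or [""])[0]
        results[name] = {k: (raw.get(k) or [None])[0] for k in (LAPS_PASSWORD_ATTR, LAPS_EXPIRY_ATTR)}
    return summarize(results)


# Constructed sample search results (passwords and WS01$/LEGACY$ are made up).
_FUTURE = datetime_to_filetime(datetime(2099, 1, 1, tzinfo=timezone.utc))
SAMPLE_RESULTS: Dict[str, Dict[str, object]] = {
    # The video's symptom: expiry visible, password stripped (no read right yet).
    "PIVOTAPI$": {LAPS_EXPIRY_ATTR: str(_FUTURE), LAPS_PASSWORD_ATTR: None},
    # After joining the LAPS read group the password comes back as well.
    "WS01$": {LAPS_EXPIRY_ATTR: _FUTURE, LAPS_PASSWORD_ATTR: "Xk7$constructed!Sample"},
    # A computer with no LAPS attributes at all.
    "LEGACY$": {},
}

if __name__ == "__main__":
    for e in summarize(SAMPLE_RESULTS):
        print(f"{e.computer:10} {e.note:60} {e.expires} {e.password}")
```

The classification is the useful part: seeing `ms-Mcs-AdmPwdExpirationTime` on an object tells you LAPS is deployed, and an empty `ms-Mcs-AdmPwd` beside it tells you the problem is rights, not tooling, which is exactly the situation the `net user gibdeon` / `Add-ADGroupMember` dance above fixes.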
and then copy this paste yeah it fails administra is it just a d there we go and we have a shell on the box so if we do cd users we can go into administrator so cd administra store go to desktop and there is no flag but the other domain admin user was cyber vodka so if we go into his directory cd dot slash dot dot slash cyber vodka desktop we can get root.text this way so that is the box doing it mostly the intended way i'm going to clean up these sessions and then probably tomorrow finish up the video doing the unintended way so i hope you guys could follow that and hopefully i didn't screw it up too much because that was a lot of stuff to do so um yeah the unintended way which has a lot less steps you don't have to do all that fancy sql proxying stuff because there is that alimon script that has the ability to execute codes on the sql server and you are nt service sql express and you have a bunch of privileges so if i do who am i slash all we can see we do have sc impersonate but i think there is stuff that kind of like makes rogue potato tough or impossible to do uh but the easier way is through kerberos because sql servers generally have unconstrained delegation to the domain controller especially if you install sql on the domain controller itself so if you don't know what script i just ran it was earlier in the video but i'm sure you can just google alimot sql shell and then the modification we made was pretty much just the server and credentials so that gets us a shell on the box so we want to go into program data because this is a good spot to just write files to i don't think we can actually write in system 32 as nt service but program data is generally writable by all users and then the next thing is we have to get rubios now i'm just going to locate rubio.exe and find out where it is on my machine i would highly highly recommend if you don't know what sharp collection framework is or the github repo uh going over to it because it has just a bunch of net 
tooling if you ever want to play with it like print nightmares here certify better safety cats there's just tons and tons of things now the downside is if you want to do this on a pen test and you're having troubles with av you won't really be able to use this because the best way to bypass that is to download the source code and change all the like variable names and namespace in the source code itself because net makes it really easy for avia edr to see those things running but for this we just pretty much can upload rubius so i'm going to do upload and then i'm going to specify rubius.exe and we have an error base64 has no attribute in code string so i'm going to look at sql.buy search for encode string and this is probably a python 2 thing i don't know exactly what library it is but it's base64.b64 in code to encode a string so hopefully that's the only change i have to make i'm going to go back into program data and we'll try uploading looks like we are uploading now so it's gonna take a second and then once this runs we will run rubius with tgt delegate or d-e-l-e-g short for delegation to get a ticket and then we'll copy that ticket back to our box and use ticket converter to um like make a ticket so we can use it with secret stump and md5 hash does not match uh-oh so it looks like we still had some type of error uploading the file so um that sucks well you know let's see i think we can go into users let's see is there evasion can we go into his directory no i don't know exactly how to fix the uploading of files i'm guessing the script just needs to be updated you can probably pull a different sql shell script i'm not going to waste too much time doing that because this is the unintended way instead i'm just going to upload rubius through scp so i'm going to search for a dash o because we definitely need this preferred authentication to disable pub key so i'm going to get rid of the port forward here and change ssh to be scp put it in um let's see slash 
program data i think we can just do that and we'd specify the file so i'm going to go locate again and let's copy this and this is going to be the other thing maybe it was av that was deleting the file so if scp doesn't um work for me then we're going to have to go through that obfuscation path which will be a pain but i'm going to copy the password and then hopefully it sends it looks like it is so now i'm going to go back to this sql shell if i go into program data we can see rubio.exe so i'm going to try to execute it just to make sure like defender doesn't flag or something and it looks good i always like using slash no wrap to prevent the base64 blobs from being line wrapped so we can show it with and without that real quick rubio.exe tgt deleg and you can see the base64 is a bit weird if i copy this i'd have to remove all the spaces to decode it which that's easy to do but just a hassle i always like using rubius dot exe tgt delag slash no wrap and now we have it like this and it's still putting on separate lines because this shell is weird so we're gonna have to clean that up but you can copy that then let's go to a new thing let's call this ticket dot kirby dot i guess b64 because base64 encoded and oh we have spaces all over this is annoying this should not have happened when i did no wrap but looks like it's fine i'm going gonna see if base64 complains about bad characters so let's see d it did not say anything but bad characters i don't have a terminal back because it just okay control c fixed it um if you ever don't i normally hit ctrl c then type reset and that generally does a good job but let's base64 decode it into ticket.kirby and then we can run a program called ticketconverter and we just say ticket dot kirby to krbi i misspelled that but and then ticket dot cc cash or c cash and that's generally uh i guess we need to move ticket dot kirby to ticket dot kirby i think that will fix i think that's the extension it looks for unknown file format 
let's see base64 ticket dot kirby we i'm just going to try to redo this real quick remove all ticket.kirbys let's copy this again so copy i'm not sure if i like highlighted or i used t mux before to copy so maybe i just highlighted and that was bad v ticket dot kirby dot b64 paste that looks a bit better i'm just going to delete all these line breaks by hitting home and backspace put this all in one line that looks better base64 d ticket kirby to this without b64 so let's try running this take a converter command again there we go that worked so it is very picky on how you do the format so now all we have to do is export kob 5 cc name is equal to the path of this so home ipsec htb pivot api then ticket dot cc or c cache i always say cc cache but it's just c cache and there we go and this isn't going to work right away um the issue we're going to have is if we look at our nmap we will see um a time drift so let's see uh clock skew info we're about six minutes off of the server and i think for kerberos to work you have to be within five minutes so let's try running this secret stump command real quick so secrets dump dot pi always specify the domain so this dot hdb slash pivot api is the host name and we put a dollar sign at the end because it's the machine account and then specify the dc's fully qualified domain name dash dc ip give it 10 10 10 to 40 specify no pass and we also want to put dash k and dash k is going to be i believe what uses the um kb5 cc name variable so if i try running this it just cleans up and i think that's because the date times is screwed up so what i'm going to do is sudo well before we do this um let's try running crack map exec because this actually does support this option as well so smb k 10 10 10 240. 
i want to say that's all we have to do let's see what happens here uh no see is it dash k after the ip connection refuse wait cme connection refused is not what i expected let's try adding the host file and putting the ip correctly i don't think that would be it but who knows let's try this and still nothing we're supposed to get a better error message i'm going to try doing it again kb5 cc name is equal to home ipsec hdb pivot api maybe i forgot the hdb um and then ticket dot cc cache there we go run crack map again and see what happens okay so this is giving us a better error message saying the clock skew is too great um if we went back and did the secret stump command again that looks right this probably won't even give us an error message right so let's do sudo ntp date dash u 10 10 10 240 and what this is going to do is update our time to be that of the domain controllers active directory has a ntp server so we can see it just updated our time so if now if i go to crack map exec it will tell me the authentication was successful i hope uh server not found in kerberos database well that's not great but on the plus side uh it didn't say clock skew is wrong so i'll take a win where i got it okay it just needs a host name because when it's trying kerberos authentication it's saying trying to authenticate as 10 10 10 240 and it's like i don't know who you are so you need to specify the actual hostname that makes sense but let's go back to the secret stump we can see we can now dump all the hashes so i just control c because we don't actually need them all we just need this administrators so we can do uh ps exec dot pi and what if we can just do k if we even need the hash administrator at pivot api see if we need it uh let's see i think it was dash no pass so dash n o dash pass let's see what happens no we can't so we want to do a password and i'm going to do the hash colon the hash see if that works that's what i did for the password and it does not look like it 
worked more processing request i'm actually not sure what oh probably because i have the k there still bad authentication see ps exec dot pi dash h how do we specify a hash dash hashes so let's try this dash hashes and log in and here we go now we are admin or local system on this box yeah local system so i hope you guys enjoyed this take care and i will see you all next week
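The two Active Directory conditions the walkthrough leans on, a service account trusted for unconstrained delegation and a user who can read the LAPS attribute ms-Mcs-AdmPwd, are both things a defender can enumerate directly. The following PowerShell audit is an added example and is not code from the video or from any of the tools it uses; it assumes the RSAT ActiveDirectory module is installed and that it runs as a domain user who can read the schema and the OUs being audited. The OU search base and the output format are this example's own choices.

```powershell
# Added example (not from the video): audit, from the defender's side,
#   1. accounts trusted for unconstrained delegation (the condition that lets a
#      service account obtain a TGT for the domain controller), and
#   2. principals holding read rights on the LAPS attribute ms-Mcs-AdmPwd.
# Assumes the RSAT ActiveDirectory module and read rights on the schema and OUs.
Import-Module ActiveDirectory

# 1. Unconstrained delegation: objects with the TRUSTED_FOR_DELEGATION bit set.
#    Domain controllers carry it by design, so they are excluded from the report.
$dcs = (Get-ADDomainController -Filter *).ComputerObjectDN
$unconstrained = @()
$unconstrained += Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
    -Properties TrustedForDelegation, ServicePrincipalName |
    Where-Object { $dcs -notcontains $_.DistinguishedName }
$unconstrained += Get-ADUser -Filter { TrustedForDelegation -eq $true } `
    -Properties TrustedForDelegation, ServicePrincipalName

"== Accounts trusted for unconstrained delegation (excluding DCs) =="
$unconstrained |
    Select-Object Name, ObjectClass, DistinguishedName,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Format-Table -AutoSize

# 2. Who can read ms-Mcs-AdmPwd? The attribute's schemaIDGUID is forest-specific,
#    so it is looked up in the schema rather than hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lapsAttr = Get-ADObject -SearchBase $schemaNC -Filter { name -eq 'ms-Mcs-AdmPwd' } `
    -Properties schemaIDGUID
if (-not $lapsAttr) {
    "ms-Mcs-AdmPwd is not in the schema (LAPS schema extension not installed)"
    return
}
$lapsGuid = [guid]$lapsAttr.schemaIDGUID

# Assumption: audit every OU in the current domain.
$searchBase = (Get-ADDomain).DistinguishedName
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $searchBase) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # ms-Mcs-AdmPwd is a confidential attribute: reading it needs ReadProperty
        # plus an extended right ("All extended rights" shows as ExtendedRight with
        # an empty ObjectType). GenericAll/GenericRead cover it as well.
        $rights = $ace.ActiveDirectoryRights.ToString()
        $isRead = $rights -match 'ReadProperty|GenericAll|GenericRead|ExtendedRight'
        $onLaps = ($ace.ObjectType -eq $lapsGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        if ($ace.AccessControlType -eq 'Allow' -and $isRead -and $onLaps) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
            }
        }
    }
}

"== Principals with rights that allow reading ms-Mcs-AdmPwd, by OU =="
$report | Sort-Object OU, Principal -Unique | Format-Table -AutoSize
```

Section 1 is the check to run against any member server hosting SQL Server: a non-DC account in that list can collect TGTs of anything that authenticates to it, which is exactly what `tgtdeleg` exploits. Section 2 is a coarse ACL walk; entries for built-in groups such as Domain Admins are expected, and anything else (a helpdesk group, or a membership change like the LAPS ADM / LAPS Read additions shown above) deserves a second look. The AdmPwd.PS module's `Find-AdmPwdExtendedRights` gives a narrower view of the same question when LAPS is installed.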
Info
Channel: IppSec
Views: 19,675
Id: FbTxPz_GA4o
Length: 133min 53sec (8033 seconds)
Published: Sat Nov 06 2021