Just when they thought their hashes were safe…
WindCorp recently had a security-breach. Since then they have hardened their infrastructure, learning from their mistakes. But maybe not enough? You have managed to enter their local network…
Created by @4nqr34z and @theart42
(Give it at least 5 minutes to boot)
So from the description we see the Windcorp Corporation is back for more. I really enjoyed the Ra room and Set so when I saw this sequel come out I was pumped. I’m a sucker for hacking on Windows and I knew this room would be fun.
This challenege reminded me how easy it can be to pass up things like DNS. You’ll notice that without enumerating DNS you won’t get very far. This challenge had a few pieces that had to all had to come together before being able to make any movement.
Off the bat we’ll use Threader3000 to see what ports are open.
Shout out to the mayor. I appreciate all the work he puts in with educational content and assisting people in the community.
PyPI project: Threader3000
Github repo: Threader3000
The nmap results were pretty lengthy. Judging by the ports that are open like LDAP/S, DNS, etc I think it’s safe to assume this is a domain controller. If you’ve done Ra you’ll also notice the fire hostname looks familiar. We also find a few more hostnames:
Let’s add these to our
There’s an old saying that often holds up… It’s always DNS. DNS misconfigurations and even DNS zone transfers are still common in the real world. I won’t be diving into DNS in this writeup but I’ll give you a friendly reminder… it’s always DNS.
🚀 dig windcorp.thm any @$IP
We get our first flag and a really good hint for what we’ll need to do. Allowing unsecured dynamic DNS updates gives any computer regardless of being joined to the domain or not, the ability to modify or create DNS records. Let’s do some more enumeration and see what we could do with being able to update DNS records.
DNS Dynamic Updating Microsoft Article
nsupdate - “…used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server."
If you were curious what the configuration looks like in the DNS MMC snap-in:
/powershell? Navigating to the page we can see this is Microsoft’s powershell web access web app. I was unable to find any known vulnerabilities with this webapp so I moved on. We’ll come back to this when we get some credentials.
We see a few more hints on the homepage in the message from the management team. They are now using certificates everywhere and a new self service portal is being developed. We see a selfservice button on the homepage.
Testing the happy path for self service doesn’t yield anything note worthy. Intercepting the requests in burp we see the NTLMSSP challenge response. Decoding the base64 doesn’t leak anything we don’t already know like a new hostname.
Time to check out the dev site.
Navigating to the webpage we’re greeted with an under construction landing page. Nothing special in the source and I wasn’t expecting something ‘ctfy’ like that for this room.
Shortly after starting the fuzzing we see there’s a
/backup directory. Navigating to the directory there’s a couple files
web.config. Let’s download them locally. Nothing to see with
Windows servers use .pfx files that contain a public key file and the associated private key file. Let’s use
🚀 pfx2john.py cert.pfx > hash
Crack it with john
🚀 john hash --wordlist=/opt/rockyou.txt
Now we can create a public and private key with openssl using
cert.pfx and the password we cracked with john.
🚀 openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
🚀 openssl pkcs12 -in cert.pfx -out crt.pem -clcerts -nokeys
Since we know we can update DNS records without our machine being joined to the domain we’ll use
nsupdate. Let’s send a request to delete the existing A record for
selfservice.windcorp.thm and then send an update add request for a new A record to have selfservice resolve to our THM IP.
Let’s query the DNS server to see if
selfservice.windcorp.thm will now resolve to our THM IP when a client requests a lookup.
🚀 dig selfservice.windcorp.thm @10.10.114.83
Before you start responder you’ll want to copy the two certs generated earlier to
/usr/share/responder/certs or wherever
/certs lives on your machine.
We’ll want to edit responder’s config for the HTTPS server.
Fire up responder to listen on tun0
🚀 responder -I tun0
We capture a request.
Save the hash and crack it with your tool of choice. I used john.
We can login with the user’s credentials
We find flag 2. From here I opted to get a real shell but you could finish the privesc from the web shell.
I’ve been meaning to try xct’s ‘netcat like reverse shell for linux and windows’ xc. I’ve heard good things about it and after using it I’ve been really enjoying it.
That said you could also just do everything through the webshell, use netcat, etc. Do you! 😁️
pip3 install updog
I’m going to use updog as my web sever to transfer files. I think it’s a nice replacement to a standard python simple http server that has features like ssl transport, passwords, web ui, and the ability upload data to the server. I hacked together something similar a few months ago but it’s nowhere near as polished as this.. and look at the logo!
Here’s a couple of options to privesc. I chose to compile PrintSpoofer from it4m.
- Use PrintSpoofer
- Use SweetPotato which is a collection of various native Windows privilege escalation techniques from service accounts to SYSTEM. This will require you compile an executable
- Use a compiled PrintSpoofer.exe from the mayors github.
One of the first things I like to do when I get a shell is run
whoami /all. We notice we have the SeImpersonatePrivilege and start thinking about the rogue potato exploit and printspoofer.
From here we can upload one of the exploits below. Start an xc or netcat listener then run one of the exploits.
Here’s an example of using PrintSpoofer.exe and an argumentless xc client. Not having to use arguments is such a cool idea.
Somebody who finished the room mentioned they had used https://github.com/CCob/SweetPotato. I tested it and it worked for me as well.