Start with some DNS enumeration after adding the IP of VM to /etc/resolv.conf:
Port 80
There is a list of (probably corporate) emails that we can quickly extract by looking at the page source:
As you can see, the icons next to each user are not loading correctly. Looking at the corresponding HTML we notice that a subdomain (fire.windcorp.thm) is used to display the status of users via XMPP protocol. We then add the following entries to the /etc/hosts file:
There is also this section on the website that report some comments of employees about corp:
Looking at the HTML source code for this section we notice that we can infer the naming convention used for Active Directory users, and in addition we also have the name of employee Lily Levesque's dog: Sparky!
fire.windcorp.thm/reset.asp
Exploitation (Lily Levesque)
Now we can try to reset the password of this user:
Great, we have an internal user account and can continue our enumeration!
Enumeration (phase 2)
Port 445
Detect version and confirm domain name using Metasploit:
Using the stealed credentials we can try to enumerate some share with smbmap:
Users
Access denied for all folders present...
Shared
Then using smbclient we will obtain the first Flag connecting to Shared share:
We see that there are also some installers of Spark (an IM client) for different platforms. Let's download and try to install the client. Then login using Lily Levesque credentials.
In order to avoid some errors such as checking the hostname in the certificate, by selecting Advanced we can bypass some security checks
By going to the web page we can find the list of IT users currently online:
After Googling “Spark Instant Messenger exploit” you’ll eventually come across CVE-2020-12772
An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. A chat message can include an IMG element with a SRC attribute referencing an external host's IP address. Upon access to this external host, the (NT)LM hashes of the user are sent with the HTTP request. This allows an attacker to collect these hashes, crack them, and potentially compromise the computer. (ROAR can be configured for automatic access. Also, access can occur if the user clicks.)
If we try to send a simple message like “hello” we get no response, but trying to exploit the vulnerability found and sending the payload so formatted we get a response on the Python server listening on our machine. This means that the URL is resolved by the Spark client of the buse user:
Privilege Escalation (Buse Candan)
So now try to steal the NTLM hash using Responder:
Using the following payload:
We can now crack this hash using Hashcat:
buse:uzunLM+3131
With these credentials we can try to access the previous inaccessible share Users and get the second Flag:
Enumeration (phase 3)
Using buse credentials we can run Bloodhound to find some Privilege Escalation path:
Note how the buse user belongs to the Account Operators group.
Account Operators can modify user objects (in particular for our interest the PASSWORD!) for any user that is not a member of one of the protected groups (Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups).
RDP is allowed using the rdp_check.py script but then this error message is shown:
Try to access the Domain Controller using evil-winrm:
If we explore the file system a bit, we will find the classic folder inetpub containing also check.asp file with reset password code previously exploited:
and there is a folder C:\Scripts with an interesting powershell in it:
reading this comment:
There would appear to be a scheduled task that runs this script but unfortunately we cannot list scheduled tasks:
The code is interesting because right in the first few lines it can be exploited because of the presence of the Invoke-Expression:
If we could control the variable $p, we could perform a command injection and get a shell with the privileges of the person who is executing the task.
The variable $p is populated using the powershell built-in variable $_, which in turn is populated with the contents of the internal hosts.txt file. Assuming that this file contains lines with the IP addresses of the machines to be verified and lines containing a # character to add comments, lines containing a # are excluded with the Where-Object. Below is an example of what the hosts.txt file may look like and what the script commands do:
Privilege Escalation (Domain Admin/Administrator)
So now let's change the domain password of user brittanycr and modify the hosts.txt file in order to get a reverse shell impersonating service principal running the scheduled task.
Try to login using evil-winrm:
But unfortunately this user doesn't have permissions to WinRM on Domain Controller:
neither using RDP.
So we have to create a hosts.txt file on Kali and then upload it via smbclient. I saved the below in hosts.txt :
In this way the variable $p will be:
Now upload the file:
This is the original hosts.txt file:
Upload the new file:
After a few minutes we become Domain Admins and a new user evil is created:
Now we can RDP as buse and psexec as evil user (local Administrator) in order to dump the Flag3:
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Windcorp.</title>
<!-- Bootstrap core CSS -->
<link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom fonts for this template -->
<link href="vendor/fontawesome-free/css/all.min.css" rel="stylesheet">
<link href="vendor/simple-line-icons/css/simple-line-icons.css" rel="stylesheet" type="text/css">
<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic,700italic" rel="stylesheet" type="text/css">
<!-- Custom styles for this template -->
<link href="css/landing-page.min.css" rel="stylesheet">
</head>
<body>
<div class="jumbotron" style="height:100vh;">
<%
Dim name, age
username = Request.Form("username")
secret = Request.Form("secret")
question = Request.Form("question")
if username = "lilyle" AND secret = "Sparky" AND question = 3 then
Response.Write("<h4 class='display-3'>Your password has been reset to: <b>ChangeMe#1234</b><br></h4>")
Response.Write("Remember to change it after logging in!")
dim fs,f
set fs=Server.CreateObject("Scripting.FileSystemObject")
set f=fs.CreateTextFile("C:\inetpub\wwwroot\32d9027af1d9c4e85e3eb65954af2cc375a25313\1",true)
f.write("1")
f.close
set f=nothing
set fs=nothing
else
Response.write "<h1 class='display-4'>Wrong username and/or secret!</h1>"
end if
%>
</div>
</body>
</html>
# reset the lists of hosts prior to looping
$OutageHosts = $Null
# specify the time you want email notifications resent for hosts that are down
$EmailTimeOut = 30
# specify the time you want to cycle through your host lists.
$SleepTimeOut = 45
# specify the maximum hosts that can be down before the script is aborted
$MaxOutageCount = 10
# specify who gets notified
$notificationto = "[email protected]"
# specify where the notifications come from
$notificationfrom = "[email protected]"
# specify the SMTP server
$smtpserver = "relay.windcorp.thm"
# start looping here
Do{
$available = $Null
$notavailable = $Null
Write-Host (Get-Date)
# Read the File with the Hosts every cycle, this way to can add/remove hosts
# from the list without touching the script/scheduled task,
# also hash/comment (#) out any hosts that are going for maintenance or are down.
get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
ForEach-Object {
$p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
Invoke-Expression $p
if($p)
{
# if the Host is available then just write it to the screen
write-host "Available host ---> "$_ -BackgroundColor Green -ForegroundColor White
[Array]$available += $_
}
else
{
# If the host is unavailable, give a warning to screen
write-host "Unavailable host ------------> "$_ -BackgroundColor Magenta -ForegroundColor White
$p = Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue
if(!($p))
{
# If the host is still unavailable for 4 full pings, write error and send email
write-host "Unavailable host ------------> "$_ -BackgroundColor Red -ForegroundColor White
[Array]$notavailable += $_
if ($OutageHosts -ne $Null)
{
if (!$OutageHosts.ContainsKey($_))
{
# First time down add to the list and send email
Write-Host "$_ Is not in the OutageHosts list, first time down"
$OutageHosts.Add($_,(get-date))
$Now = Get-date
$Body = "$_ has not responded for 5 pings at $Now"
Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
-Subject "Host $_ is down" -SmtpServer $smtpserver
}
else
{
# If the host is in the list do nothing for 1 hour and then remove from the list.
Write-Host "$_ Is in the OutageHosts list"
if (((Get-Date) - $OutageHosts.Item($_)).TotalMinutes -gt $EmailTimeOut)
{$OutageHosts.Remove($_)}
}
}
else
{
# First time down create the list and send email
Write-Host "Adding $_ to OutageHosts."
$OutageHosts = @{$_=(get-date)}
$Body = "$_ has not responded for 5 pings at $Now"
Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
-Subject "Host $_ is down" -SmtpServer $smtpserver
}
}
}
}
# Report to screen the details
$log = "Last run: $(Get-Date)"
write-host $log
Set-Content -Path C:\scripts\log.txt -Value $log
Write-Host "Available count:"$available.count
Write-Host "Not available count:"$notavailable.count
Write-Host "Not available hosts:"
$OutageHosts
Write-Host ""
Write-Host "Sleeping $SleepTimeOut seconds"
sleep $SleepTimeOut
if ($OutageHosts.Count -gt $MaxOutageCount)
{
# If there are more than a certain number of host down in an hour abort the script.
$Exit = $True
$body = $OutageHosts | Out-String
Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
-Subject "More than $MaxOutageCount Hosts down, monitoring aborted" -SmtpServer $smtpServer
}
}
while ($Exit -ne $True)
# Read the File with the Hosts every cycle, this way to can add/remove hosts
# from the list without touching the script/scheduled task,
